Trying a whole buncha stuff

This commit is contained in:
Ethan Paul 2019-11-23 14:30:39 -05:00
parent 11771acc17
commit 62b95d4e22
24 changed files with 517 additions and 48 deletions


@ -5,6 +5,7 @@ router.net.enp.one
romulus.net.enp.one romulus.net.enp.one
remus.net.enp.one remus.net.enp.one
novis.tre2.local novis.tre2.local
jupiter.net.enp.one
[vms] [vms]
vm-db-mysql.net.enp.one vm-db-mysql.net.enp.one

47
en1.toml Normal file

@ -0,0 +1,47 @@
[all.vars]
ansible_user = "ansible"
protected_users = ["root", "ansible"]
enable_gui = false
enable_ssh = true
enable_ssh_password_auth = false
disable_sudo_password = false
enable_networkd = true
[servers.hosts.jupiter]
ansible_host = "jupiter.net.enp.one"
description = "EN1 System Control Node"
targets = ["admin", "network"]
networking:
eno1:
dhcp: Yes
eno2:
addresses: ["192.168.255.10/24"]
[servers.hosts.romulus]
ansible_host = "romulus.net.enp.one"
[servers.hosts.remus]
ansible_host = "remus.net.enp.one"
[servers.hosts.novis]
ansible_host = "novis.tre2.local"
[[servers.children]]
"vms"
[vms.vars]
disable_sudo_password = true
[vms.hosts.gitea]
ansible_host = "vm-host-gitea.net.enp.one"
[vms.hosts.plex]
ansible_host = "vm-host-plex.net.enp.one"
[vms.hosts.bitwarden]
ansible_host = "vm-host-bitwarden.net.enp.one"
[vms.hosts.nextcloud]
ansible_host = "vm-host-nextcloud.net.enp.one"
[vms.hosts.minecraft]
ansible_host = "vm-host-minecraft.net.enp.one"
[workstations.vars]
enable_gui = true
enable_ssh = false
enable_networkd = false
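Review bot: The `networking:` / `eno1:` / `dhcp: Yes` / `eno2:` / `addresses:` lines under `[servers.hosts.jupiter]` are YAML syntax inside a TOML file, and `[[servers.children]]` followed by a bare `"vms"` is not a valid array-of-tables entry either, so the inventory plugin will refuse the whole file. Nested host vars need their own TOML tables and the children list is a plain array on the group table, as below; `Yes` also becomes a real boolean so it matches en1.yaml.
```toml
[servers]
children = ["vms"]

[servers.hosts.jupiter]
# … unchanged: ansible_host, description, targets …

[servers.hosts.jupiter.networking.eno1]
dhcp = true

[servers.hosts.jupiter.networking.eno2]
addresses = ["192.168.255.10/24"]
```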

108
en1.yaml Normal file

@ -0,0 +1,108 @@
---
all:
vars:
ansible_user: ansible
protected_users: ["root", "ansible"]
enable_gui: false
enable_ssh: true
enable_ssh_password_auth: false
disable_sudo_password: false
enable_networkd: true
network:
hosts:
router:
ansible_host: router.net.enp.one
ansible_network_os: edgeos
ansible_connection: network_cli
description: EN1 Core Gateway
targets: ["admin", "network"]
servers:
vars:
required_os: centos_8
hosts:
jupiter:
ansible_host: jupiter.net.enp.one
description: EN1 System Control Server
targets: ["admin", "network"]
networking:
eno1:
dhcp: true
eno2:
addresses: ["192.168.255.10/24"]
romulus:
ansible_host: romulus.net.enp.one
description: EN1 Hypervisor/Datastore
targets: ["admin", "datastore", "hypervisor"]
networking:
em2:
addresses: ["192.168.255.20/24"]
remus:
ansible_host: remus.net.enp.one
description: EN1 Hypervisor/Datastore
targets: ["admin", "datastore", "hypervisor"]
em2:
addresses: ["192.168.255.30/24"]
novis:
ansible_host: novis.tre2.local
description: EN1 Backup Storage
targets: ["admin", "datastore"]
children: ["vms"]
vms:
vars:
disable_sudo_password: true
required_os: centos_8
hosts:
gitea:
ansible_host: vm-host-gitea.net.enp.one
description: Application Host: Gitea VCS
targets: ["admin", "vcs"]
networking:
eth0:
dhcp: true
plex:
ansible_host: vm-host-plex.net.enp.one
description: Application Host: Plex Media Server
targets: ["admin", "plx"]
networking:
eth0:
dhcp: true
bitwarden:
ansible_host: vm-host-bitwarden.net.enp.one
description: Application Host: Bitwarden Password Manager
targets: ["admin", "ssv"]
networking:
eth0:
dhcp: true
nextcloud:
ansible_host: vm-host-nextcloud.net.enp.one
description: Application Host: Nextcloud Web Storage
targets: ["admin", "cfs"]
networking:
eth0:
dhcp: true
workstations:
vars:
enable_gui: true
enable_ssh: false
enable_networkd: false
hosts:
omega:
ansible_host: localhost
description: Last
required_os: centos_7
targets: ["admin", "recovery"]
vigil-nox:
ansible_host: localhost
required_os: fedora_30
description: Watchman
targets: ["admin", "desktop"]
serico-nox:
ansible_host: localhost
description: Silk
required_os: fedora_30
targets: ["admin", "desktop"]
inerro:
ansible_host: localhost
description: Wanderer
required_os: fedora_30
targets: ["admin", "desktop"]
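Review bot: The four `description: Application Host: …` values under `vms.hosts` carry `: ` inside an unquoted plain scalar, which the YAML parser treats as a second mapping key and rejects, so the inventory will not load at all; quote them, e.g. `description: "Application Host: Gitea VCS"`. The `remus` entry also lists `em2:` straight after `targets` with no `networking:` key, unlike `romulus`, so anything iterating `networking` (the networkd role in this commit) will never see its address — indentation is lost in this rendering, but the missing key itself is visible. `protected_users: ["root", "ansible"]` and the boolean flags are fine as written.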

17
en2.yaml Normal file

@ -0,0 +1,17 @@
---
all:
vars:
ansible_user: ansible
protected_users: ["root", "ansible"]
enable_gui: false
enable_ssh: true
enable_ssh_password_auth: false
disable_sudo_password: false
enable_networkd: false
ungrouped:
hosts:
nimbus-1:
ansible_host: en2.enp.one
description: EN2 Digitial Ocean Cloud Server
required_os: centos_7
targets: ["admin", "network"]
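Review bot: The `description` for `nimbus-1` misspells the provider as `Digitial Ocean`; `description: EN2 Digital Ocean Cloud Server` is the intended text. Nothing else in this new file needs changing.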


@ -0,0 +1,20 @@
---
description: "EN1 System Control Node"
targets:
- admin
- network
networking:
eno1:
dhcp: Yes
eno2:
addresses: ["192.168.255.10/24"]
# demo:
# addresses: ["192.168.1.10/24", "192.168.100.10/24"]
# dhcp: true
# dhcp6: true
# gateway: 192.168.1.1
# dns: ["8.8.8.8", "8.8.4.4"]
# vlans: ["101", "200"]
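Review bot: `dhcp: Yes` on the `eno1` entry relies on YAML 1.1 truthy parsing; PyYAML does read it as a boolean today, but yamllint flags it and en1.yaml (and the commented demo block right below) already write the same flag as `dhcp: true`, so this file should too. Consider also whether the commented `demo:` interface belongs in a host_vars file or in the role's README, since it is dead text here.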


@ -1,9 +1,26 @@
--- ---
- hosts: all - hosts: all
name: Ansible python bindings name: Ansible python bindings
tags: always tags:
- always
- initialize
tasks: tasks:
- import_tasks: tasks/centos/bindings.yml - name: Install CentOS python bindings
when: ansible_distribution == "CentOS" when: ansible_distribution == "CentOS"
- import_tasks: tasks/fedora/bindings.yml become: true
dnf:
state: latest
name:
- python3-libselinux
- python3-policycoreutils
- python3-firewall
- name: Install Fedora python bindings
when: ansible_distribution == "Fedora" when: ansible_distribution == "Fedora"
become: true
dnf:
state: latest
name:
- libselinux-python
- policycoreutils-python
- python3-firewall
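Review bot: Both new `dnf` tasks use `state: latest`, which upgrades the binding packages on every run and reports the task as changed each time, so this bootstrap play is never idempotent; `state: present` is what a dependency install needs. The Fedora task also lists `libselinux-python` and `policycoreutils-python`, the python2-era names, while the CentOS task was just moved to `python3-*` names — that looks inverted for Fedora 30 hosts, though the old Fedora task body is not in view. `hosts: all` still includes the router, whereas initialize.yml in this commit uses `all:!network`; if facts are not gathered for the `network_cli` host, the `ansible_distribution` conditions will error there.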


@ -0,0 +1,38 @@
---
- hosts: nimbus-1.net.enp.one
name: Deploy main landing page at enpaul.net
vars:
# Local directory to use for cloning and building the documentation site
DIR_BUILD: /tmp/docs
# Remote directory to install the site at
DIR_DEPLOY: /usr/share/nginx/enpaul.net/html
tasks:
- name: Upload static site to remote
copy:
src: "{{ DIR_BUILD }}/site/"
dest: "/tmp/docs/"
- name: Remove legacy site
become: true
file:
path: "{{ DIR_DEPLOY }}"
state: absent
- name: Copy static site to deployment directory
become: true
copy:
src: "/tmp/docs/"
dest: "{{ DIR_DEPLOY }}"
remote_src: true
owner: root
group: nginx
mode: 0755
setype: httpd_sys_content_t
- name: Clean up local build directory
delegate_to: 127.0.0.1
file:
path: "{{ DIR_BUILD }}"
state: absent
- name: Clean up remote temp directory
file:
path: /tmp/docs
state: absent
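Review bot: The site is staged in the fixed, world-shared path `/tmp/docs/` (in 'Upload static site to remote', then hard-coded again in the root-level copy and in the remote cleanup) before a `become: true` copy with `remote_src: true` installs it as root into the nginx document root, so anything another local account places in `/tmp/docs` between the two tasks is what gets served; stage in a per-run directory created with the `tempfile` module (owned by the connecting user, not predictable) and reference its path in the later tasks, as below. The repeated literal `/tmp/docs` also silently duplicates the value of `DIR_BUILD`, which only happens to match. Separately, `hosts: nimbus-1.net.enp.one` does not match the `nimbus-1` host defined in en2.yaml (whose `ansible_host` is `en2.enp.one`), so the play may select no hosts — worth confirming. `mode: 0755` should be quoted as `"0755"` so the octal literal is not re-typed by YAML tooling.
```yaml
    - name: Create private staging directory on remote
      tempfile:
        state: directory
        suffix: -docs
      register: staging
    - name: Upload static site to remote
      copy:
        src: "{{ DIR_BUILD }}/site/"
        dest: "{{ staging.path }}/"
    # … unchanged: Remove legacy site …
    - name: Copy static site to deployment directory
      become: true
      copy:
        src: "{{ staging.path }}/"
        dest: "{{ DIR_DEPLOY }}"
        remote_src: true
        # … unchanged: owner, group, mode, setype …
    # … unchanged: Clean up local build directory …
    - name: Clean up remote temp directory
      file:
        path: "{{ staging.path }}"
        state: absent
```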


@ -1,16 +1,61 @@
# Global network bashrc/profile file
# Updated 2019-11-12
function venv() {
DIR="/home/$USERNAME/.venvs"
if [ $# -eq 0 ]; then
echo "No command specified"
elif [ $1 = "--help" ] || [ $1 = '-h' ]; then
echo "Custom python Virtualenv manager
\"Because pipenv is too hard and everything else sucks\"
Commands:
list List available virtualenvs
show Alias of list
delete <venv> Delete a virtualenv
del Alias of delete
rm Alias of delete
load <venv> Activate a virtualenv for usage
new <venv> <python> Create a new virtualenv. If <python> is not specified,
then the system default python is used
"
elif [ $1 = "list" ] || [ $1 = "show" ] || [ $1 = "ls" ]; then
ls $DIR
elif [ $1 = "load" ]; then
. $DIR/$2/bin/activate
elif [ $1 = "new" ]; then
virtualenv $DIR/$2 --python=$3
elif [ $1 = "delete" ] || [ $1 = "del" ] || [ $1 = "rm" ]; then
rm -rf $DIR/$2
elif [ $1 = "go" ]; then
cd $DIR/$2
fi
}
function parse_git_branch() {
git branch 2> /dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/ (\1)/'
}
function up() { cd $(eval printf '../'%.0s {1..$1}); } function up() { cd $(eval printf '../'%.0s {1..$1}); }
function pipin() { pip freeze | grep $1; }
alias bk='cd -'
alias fuck='sudo $(history -p \!\!)' alias fuck='sudo $(history -p \!\!)'
alias doc='cd ~/Documents' alias doc='cd ~/Documents'
alias explorer='nautilus' alias dn='cd ~/Downloads'
alias version='uname -orp && lsb_release -a | grep Description' alias version='uname -orp && lsb_release -a | grep Description'
alias activate='source ./bin/activate' alias activate='source ./bin/activate'
alias ipconfig='ip address show' alias ipconfig='ip address show'
alias cls='clear' alias cls='clear'
alias mklink='ln -s' alias mklink='ln -s'
alias ls='ls -lshF --color --group-directories-first --time-style=long-iso' alias ls='/usr/bin/ls -lshF --color --group-directories-first --time-style=long-iso'
alias gg='cd ~/Git' alias gg='cd ~/Git'
parse_git_branch() { alias gmtime='/usr/bin/date -u --iso-8601=seconds'
git branch 2> /dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/ (\1)/' alias date='/usr/bin/date --iso-8601=seconds'
} alias whatismyip='curl https://icanhazip.com/'
export rc=/home/$USERNAME/.bashrc
export PS1="\[\e[0;97m\]\[\e[37m\]\u\[\e[1;94m\]@\[\e[94m\]\H\[\e[0;33m\]$(parse_git_branch) \[\e[37m\]\w\[\e[33m\] \[\e[0;97m\]$\[\e[0m\] " export PS1="\[\e[0;97m\]\[\e[37m\]\u\[\e[1;94m\]@\[\e[94m\]\H\[\e[0;33m\]$(parse_git_branch) \[\e[37m\]\w\[\e[33m\] \[\e[0;97m\]$\[\e[0m\] "
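Review bot: In the new `venv()` function, `rm -rf $DIR/$2` in the delete branch runs with an empty `$2` when no name is given, which expands to `rm -rf /home/$USERNAME/.venvs/` and removes every virtualenv; guard it with `[ -z "$2" ] && { echo "No virtualenv specified"; return 1; }` before the `rm`, and quote the expansion as `rm -rf "$DIR/$2"`. The same unquoted `$1`/`$2` pattern runs through the other branches (`[ $1 = "--help" ]` breaks on an argument containing spaces, `cd $DIR/$2` and `. $DIR/$2/bin/activate` on a venv name with spaces), so quoting them throughout in one pass is worthwhile. `DIR="/home/$USERNAME/.venvs"` also assumes `USERNAME` is set and that home directories live under `/home`; `DIR="$HOME/.venvs"` drops both assumptions. The function sits entirely inside the hunk.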

34
playbooks/initialize.yml Normal file

@ -0,0 +1,34 @@
---
- import_playbook: dependencies.yml
- name: Setup environment
hosts: all:!network
tags:
- initialize
vars:
restart_services: true
roles:
- role: packages
vars:
update: true
exclude: [] # Override the default kernel exclusion
clean: true
tasks:
- name: Set hostname
become: true
hostname:
name: "{{ inventory_hostname }}"
- name: Install global bashrc
become: true
copy:
src: bashrc.sh
dest: /etc/profile.d/ZA-enpn-bashrc.sh
mode: 0644
- name: Configure services
hosts: all:!network
tags:
- initialize
roles:
- role: sshd
- role: networkd
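Review bot: `restart_services: true` is declared in the `vars` of the first play ('Setup environment'), but the `networkd` role that reads it runs in the second play ('Configure services'), and play-level vars do not carry across plays, so the role will see the variable undefined and fall back to its `default(false)`. Move it into the second play's `vars`, or — given that the role stops NetworkManager when it is set (hedged, the role lives in another file) — make it an explicit `-e restart_services=true` switch so the disruptive path is opted into deliberately. `mode: 0644` on the bashrc copy should be quoted as `"0644"` so the octal literal survives YAML tooling.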


@ -1,29 +1,11 @@
--- ---
- import_playbook: dependencies.yml - import_playbook: initialize.yml
- name: System packages
- hosts: all hosts: all
name: Init tags:
tags: initialize - provision
tasks: - initialize
- name: Set hostname
become: true
hostname:
name: "{{ default_host if default_host is defined else inventory_hostname }}"
- name: Install global bashrc
become: true
copy:
src: bashrc.sh
dest: /etc/profile.d/global-bashrc.sh
mode: 0644
- import_tasks: tasks/sshd/banner.yml
- hosts: all
name: System packages
tags: initialize
tasks: tasks:
- name: Load package variables - name: Load package variables
include_vars: include_vars:
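Review bot: The 'System packages' play keeps `hosts: all`, while the initialize.yml it now imports uses `hosts: all:!network` for its plays; with the new inventory's `network` group (the router over `network_cli`) the package and `include_vars` tasks would be scheduled on a device that cannot run them. `hosts: all:!network` keeps the two playbooks consistent. The play continues past the end of the hunk, so the remaining tasks are not in view.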

1
playbooks/roles Symbolic link

@ -0,0 +1 @@
../roles


@ -2,6 +2,8 @@
- hosts: all - hosts: all
name: Upgrade packages name: Upgrade packages
tasks: tasks:
- name: Upgrade YUM packages - name: Upgrade YUM packages
when: ansible_distribution == "CentOS" when: ansible_distribution == "CentOS"
become: true become: true


@ -2,7 +2,12 @@
- hosts: router.net.enp.one - hosts: router.net.enp.one
name: Configure users on router name: Configure users on router
connection: network_cli connection: network_cli
<<<<<<< Updated upstream
gather_facts: false gather_facts: false
=======
vars:
ansible_network_os: edgeos
>>>>>>> Stashed changes
tasks: tasks:
- import_tasks: tasks/users-preprocessing.yml - import_tasks: tasks/users-preprocessing.yml
@ -18,9 +23,9 @@
edgeos_config: edgeos_config:
lines: lines:
- set system login user {{ item.name }} level admin - set system login user {{ item.name }} level admin
with_items: loop: "{{ local_admin_users | difference([None]) }}"
- "{{ local_admin_users | difference([None]) }}"
<<<<<<< Updated upstream
- name: Assemble loadkey files - name: Assemble loadkey files
edgeos_command: edgeos_command:
commands: commands:
@ -32,3 +37,23 @@
lines: lines:
- loadkey {{ item }} /tmp/{{ item }}.keys - loadkey {{ item }} /tmp/{{ item }}.keys
loop: "{{ local_admin_users | difference([None]) }}" loop: "{{ local_admin_users | difference([None]) }}"
=======
- name: Assemble key files for loadkey usage
edgeos_command:
commands: sudo tee /tmp/{{ item.name }}.keys<<<"{{ item.sshkeys | join('\n') }}"
loop: "{{ local_admin_users | difference([None]) }}"
# - name: Assemble loadkey files
# copy:
# src: keys/{{ item }}
# dest: /tmp
# with_items:
# - "{{ local_admin_users | difference([None]) }}"
# - name: Load keys
# edgeos_config:
# lines:
# - loadkey {{ item }} /tmp/{{ item }}/*.pub
# with_items:
# - "{{ local_admin_users | difference([None]) }}"
>>>>>>> Stashed changes
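Review bot: The file is committed with unresolved merge-conflict markers (`<<<<<<< Updated upstream`, `=======`, `>>>>>>> Stashed changes`) in all three hunks, so it is not parseable YAML and the play fails on load; one side has to be chosen and the markers removed. The two versions of the key-loading block also disagree on what the loop item is: the upstream side's `loadkey {{ item }} /tmp/{{ item }}.keys` treats it as a name string, while the stashed side's `sudo tee /tmp/{{ item.name }}.keys<<<"{{ item.sshkeys | join('\n') }}"` treats it as a user dict, so whichever side is kept needs the `loadkey` lines and the `loop:` expression brought into agreement. The commented-out tasks on the stashed side are dead text and should go with the resolution rather than stay in the file.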


@ -0,0 +1 @@
---


@ -0,0 +1,49 @@
---
- import_tasks: packages.yml
- name: Delete networkd config directory
become: true
file:
path: /etc/systemd/network
state: absent
- name: Create the networkd config directory
become: true
file:
path: /etc/systemd/network
state: directory
- name: Make network files
when: networking is defined
become: true
template:
src: network.j2
dest: "/etc/systemd/network/{{ item.key }}.network"
loop: "{{ networking | dict2items }}"
- name: Make netdev files
when: networking is defined
become: true
template:
src: netdev.j2
dest: "/etc/systemd/network/{{ item.key }}.netdev"
loop: "{{ networking | dict2items }}"
- import_tasks: services.yml
- name: Symlink so systemd-resolved uses /etc/resolv.conf
become: true
file:
dest: /etc/resolv.conf
src: /run/systemd/resolve/resolv.conf
state: link
force: true
setype: net_conf_t
- name: Symlink so /etc/resolv.conf uses systemd
become: true
file:
dest: /etc/systemd/system/multi-user.target.wants/systemd-resolved.service
src: /usr/lib/systemd/system/systemd-resolved.service
state: link
force: true
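Review bot: 'Delete networkd config directory' removes `/etc/systemd/network` unconditionally, while the tasks that write the `.network`/`.netdev` files are guarded by `when: networking is defined`; a host with no `networking` var therefore ends up with an empty networkd configuration just before services.yml hands its interfaces to networkd, i.e. it loses its addressing. Put the same `when: networking is defined` on the delete and create tasks, or wrap the whole role in it. 'Make netdev files' also renders a `.netdev` for every interface in `networking`, including plain physical NICs such as `eno1`/`em2`, for which a netdev unit is wrong; gate it on the entry declaring a type, e.g. `when: networking is defined and item.value.kind is defined`.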


@ -0,0 +1,8 @@
---
- name: Install systemd-networkd
become: true
dnf:
state: latest
name:
- systemd-resolved
- systemd-networkd
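Review bot: `state: latest` in 'Install systemd-networkd' upgrades the two systemd sub-packages on every run and marks the task changed each time; `state: present` is what an install dependency needs. Whether `systemd-networkd` and `systemd-resolved` are available as separately named packages in the base repositories of every OS in the inventory (`centos_8` hosts alongside `fedora_30` ones) is worth confirming, since the role has no distribution-specific branch.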


@ -0,0 +1,41 @@
---
- name: Disable NetworkManager
become: true
systemd:
name: "{{ item }}"
enabled: false
loop:
- network
- NetworkManager
- NetworkManager-wait-online
- name: Enable systemd-networkd
become: true
systemd:
name: "{{ item }}"
enabled: true
loop:
- systemd-networkd
- systemd-resolved
- systemd-networkd-wait-online
- name: Stop NetworkManager
when: restart_services | default(false) == true
become: true
systemd:
name: "{{ item }}"
state: stopped
loop:
- network
- NetworkManager
- NetworkManager-wait-online
- name: Start systemd-networkd
become: true
systemd:
name: "{{ item }}"
state: started
loop:
- systemd-networkd
- systemd-resolved
- systemd-networkd-wait-online
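Review bot: 'Stop NetworkManager' is gated on `restart_services`, but 'Start systemd-networkd' a few lines later is not, so with the default (`false`) the play leaves NetworkManager running and starts networkd beside it, and both daemons then manage the same interfaces; apply the same condition to the start task, `when: restart_services | default(false) | bool`, and use that `| bool` form in the stop task too in place of `== true`. The `network` unit in the disable/stop loops is the legacy initscripts service; on hosts where that unit does not exist the `systemd` module fails the task (hedged — it depends on the distribution), so a `failed_when`/`ignore_errors` or a distribution-aware loop may be needed.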


@ -0,0 +1,11 @@
# ANSIBLE MANAGED FILE - DO NOT EDIT
[NetDev]
Name={{ item.key }}
Kind=vlan
{% if item.value['kind'] == 'vlan' %}
[VLAN]
Id={{ item.value['vlan'] }}
{% endif %}
# EOF
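Review bot: `Kind=vlan` is emitted unconditionally above the `{% if item.value['kind'] == 'vlan' %}` block, so every rendered `.netdev` declares a VLAN even when the entry is not one; move the line inside the conditional or write `Kind={{ item.value['kind'] }}`. The `item.value['kind'] == 'vlan'` test is also evaluated for interfaces that have no `kind` at all (none of the interfaces in en1.yaml sets one), which under Ansible's strict undefined handling raises rather than rendering false — hedged; `{% if item.value['kind'] | default('') == 'vlan' %}` sidesteps it.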


@ -0,0 +1,27 @@
# ANSIBLE MANAGED FILE - DO NOT EDIT
[Match]
Name={{ item.key }}
[Network]
DHCP={{ 'Yes' if item.value['dhcp'] | default(false) == true else 'No' }}
IPv6AcceptRA={{ 'Yes' if item.value['dhcp6'] | default(false) == true else 'No' }}
{% if item.value['addresses'] is defined %}
{% for ip_addr in item.value['addresses'] %}
Address={{ ip_addr }}
{% endfor %}
{% endif %}
{% if item.value['dns'] is defined %}
{% for dns_server in item.value['dns'] %}
DNS={{ dns_server }}
{% endfor %}
{% endif %}
{% if item.value['gateway'] is defined %}
Gateway={{ item.value['gateway'] }}
{% endif %}
{% if item.value['vlans'] is defined %}
{% for vlan_tag in item.value['vlans'] %}
VLAN={{ item.key }}.{{ vlan_tag }}
{% endfor %}
{% endif %}
# EOF
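Review bot: The `DHCP=` and `IPv6AcceptRA=` lines spell out a `'Yes' if … | default(false) == true else 'No'` ternary; `{{ item.value['dhcp'] | default(false) | bool | ternary('yes', 'no') }}` says the same thing more directly and also tolerates a string value such as `"Yes"` arriving from host_vars. `VLAN={{ item.key }}.{{ vlan_tag }}` assumes a netdev named `<iface>.<tag>` exists, but netdev.j2 only produces netdevs named after keys of `networking`, so each `<iface>.<tag>` would itself have to be an entry with `kind: vlan`; the commented demo in host_vars shows `vlans` without such entries, so one of the two needs adjusting — hedged.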


@ -1,9 +1,9 @@
--- ---
- name: Install python bindings using YUM - name: Install CentOS python bindings
become: true become: true
yum: dnf:
state: latest state: latest
name: name:
- libselinux-python - python3-libselinux
- policycoreutils-python - python3-policycoreutils
- python-firewall - python3-firewall
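Review bot: Switching this task to the `dnf` module and `python3-*` package names leaves the CentOS 7 hosts still in the inventory (`required_os: centos_7` on `omega` and `nimbus-1`) without a working path, since neither `dnf` nor those package names are available there; branch on `ansible_distribution_major_version`, or keep a yum/`libselinux-python` task for EL7 next to this one. `state: latest` also upgrades the bindings on every run; `state: present` is sufficient for a dependency install.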


@ -1,7 +1,7 @@
--- ---
- name: Enable Extra Packages for Enterprise Linux - name: Enable Extra Packages for Enterprise Linux
become: true become: true
yum_repository: dnf_repository:
name: epel name: epel
description: Extra Packages for Enterprise Linux description: Extra Packages for Enterprise Linux
baseurl: https://download.fedoraproject.org/pub/epel/$releasever/$basearch/ baseurl: https://download.fedoraproject.org/pub/epel/$releasever/$basearch/
@ -12,12 +12,6 @@
state: present state: present
key: https://archive.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7 key: https://archive.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
- name: Enable Inline with Upstream Stable
become: true
yum:
state: latest
name: https://centos7.iuscommunity.org/ius-release.rpm
- name: Disable yum subscription-manager - name: Disable yum subscription-manager
become: true become: true
lineinfile: lineinfile:
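Review bot: `dnf_repository` is not a module I know of in Ansible — `yum_repository` is the module used on dnf-based systems as well — so the rename on the module line will fail with an unknown-module error unless a custom module supplies it. The repository's `key` is also pinned to `RPM-GPG-KEY-EPEL-7` while `baseurl` uses `$releasever`; on the `centos_8` hosts the EPEL 8 packages are signed with a different key, so `gpgcheck` will reject them (failing closed, but leaving the repository unusable). Deriving the key URL from `ansible_distribution_major_version` the same way `baseurl` is derived keeps the two in step.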


@ -1,5 +1,5 @@
--- ---
- name: Install python bindings using DNF - name: Install Fedora python bindings
become: true become: true
dnf: dnf:
state: latest state: latest


@ -1,3 +1,4 @@
---
- name: Install SSH Banner - name: Install SSH Banner
become: true become: true
template: template:


@ -12,6 +12,7 @@ packages_global:
- policycoreutils-python - policycoreutils-python
- python-devel - python-devel
- python-virtualenv - python-virtualenv
- systemd-devel
- unzip - unzip
- vim - vim
- vim-minimal - vim-minimal
@ -24,5 +25,4 @@ packages_yum:
- bash-completion-extras - bash-completion-extras
- nc - nc
- nfs-utils - nfs-utils
- python36u
- wget - wget
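Review bot: `packages_global` still carries python2-era names (`policycoreutils-python`, `python-devel`, `python-virtualenv`) while the bindings tasks in this same commit moved to `python3-*`, so on the `centos_8` hosts these entries resolve to unknown packages and the install task fails; `python3-policycoreutils`, `python3-devel` and `python3-virtualenv` are the EL8/Fedora equivalents (hedged — the list head and the consuming task are outside the hunk). Removing `python36u` together with the IUS repository is consistent.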