Trying a whole buncha stuff

en1.ini

@@ -5,6 +5,7 @@ router.net.enp.one
 romulus.net.enp.one
 remus.net.enp.one
 novis.tre2.local
+jupiter.net.enp.one
 
 [vms]
 vm-db-mysql.net.enp.one

en1.toml

@@ -0,0 +1,47 @@
+[all.vars]
+ansible_user = "ansible"
+protected_users = ["root", "ansible"]
+enable_gui = false
+enable_ssh = true
+enable_ssh_password_auth = false
+disable_sudo_password = false
+enable_networkd = true
+
+[servers.hosts.jupiter]
+ansible_host = "jupiter.net.enp.one"
+description = "EN1 System Control Node"
+targets = ["admin", "network"]
+networking:
+  eno1:
+    dhcp: Yes
+  eno2:
+    addresses: ["192.168.255.10/24"]
+[servers.hosts.romulus]
+ansible_host = "romulus.net.enp.one"
+[servers.hosts.remus]
+ansible_host = "remus.net.enp.one"
+[servers.hosts.novis]
+ansible_host = "novis.tre2.local"
+[[servers.children]]
+"vms"
+
+
+[vms.vars]
+disable_sudo_password = true
+
+[vms.hosts.gitea]
+ansible_host = "vm-host-gitea.net.enp.one"
+[vms.hosts.plex]
+ansible_host = "vm-host-plex.net.enp.one"
+[vms.hosts.bitwarden]
+ansible_host = "vm-host-bitwarden.net.enp.one"
+[vms.hosts.nextcloud]
+ansible_host = "vm-host-nextcloud.net.enp.one"
+[vms.hosts.minecraft]
+ansible_host = "vm-host-minecraft.net.enp.one"
+
+
+[workstations.vars]
+enable_gui = true
+enable_ssh = false
+enable_networkd = false

en1.yaml

@@ -0,0 +1,108 @@
+---
+all:
+  vars:
+    ansible_user: ansible
+    protected_users: ["root", "ansible"]
+    enable_gui: false
+    enable_ssh: true
+    enable_ssh_password_auth: false
+    disable_sudo_password: false
+    enable_networkd: true
+network:
+  hosts:
+    router:
+      ansible_host: router.net.enp.one
+      ansible_network_os: edgeos
+      ansible_connection: network_cli
+      description: EN1 Core Gateway
+      targets: ["admin", "network"]
+servers:
+  vars:
+    required_os: centos_8
+  hosts:
+    jupiter:
+      ansible_host: jupiter.net.enp.one
+      description: EN1 System Control Server
+      targets: ["admin", "network"]
+      networking:
+        eno1:
+          dhcp: true
+        eno2:
+          addresses: ["192.168.255.10/24"]
+    romulus:
+      ansible_host: romulus.net.enp.one
+      description: EN1 Hypervisor/Datastore
+      targets: ["admin", "datastore", "hypervisor"]
+      networking:
+        em2:
+          addresses: ["192.168.255.20/24"]
+    remus:
+      ansible_host: remus.net.enp.one
+      description: EN1 Hypervisor/Datastore
+      targets: ["admin", "datastore", "hypervisor"]
+      em2:
+        addresses: ["192.168.255.30/24"]
+    novis:
+      ansible_host: novis.tre2.local
+      description: EN1 Backup Storage
+      targets: ["admin", "datastore"]
+  children: ["vms"]
+vms:
+  vars:
+    disable_sudo_password: true
+    required_os: centos_8
+  hosts:
+    gitea:
+      ansible_host: vm-host-gitea.net.enp.one
+      description: Application Host: Gitea VCS
+      targets: ["admin", "vcs"]
+      networking:
+        eth0:
+          dhcp: true
+    plex:
+      ansible_host: vm-host-plex.net.enp.one
+      description: Application Host: Plex Media Server
+      targets: ["admin", "plx"]
+      networking:
+        eth0:
+          dhcp: true
+    bitwarden:
+      ansible_host: vm-host-bitwarden.net.enp.one
+      description: Application Host: Bitwarden Password Manager
+      targets: ["admin", "ssv"]
+      networking:
+        eth0:
+          dhcp: true
+    nextcloud:
+      ansible_host: vm-host-nextcloud.net.enp.one
+      description: Application Host: Nextcloud Web Storage
+      targets: ["admin", "cfs"]
+      networking:
+        eth0:
+          dhcp: true
+workstations:
+  vars:
+    enable_gui: true
+    enable_ssh: false
+    enable_networkd: false
+  hosts:
+    omega:
+      ansible_host: localhost
+      description: Last
+      required_os: centos_7
+      targets: ["admin", "recovery"]
+    vigil-nox:
+      ansible_host: localhost
+      required_os: fedora_30
+      description: Watchman
+      targets: ["admin", "desktop"]
+    serico-nox:
+      ansible_host: localhost
+      description: Silk
+      required_os: fedora_30
+      targets: ["admin", "desktop"]
+    inerro:
+      ansible_host: localhost
+      description: Wanderer
+      required_os: fedora_30
+      targets: ["admin", "desktop"]

en2.yaml

@@ -0,0 +1,17 @@
+---
+all:
+  vars:
+    ansible_user: ansible
+    protected_users: ["root", "ansible"]
+    enable_gui: false
+    enable_ssh: true
+    enable_ssh_password_auth: false
+    disable_sudo_password: false
+    enable_networkd: false
+ungrouped:
+  hosts:
+    nimbus-1:
+      ansible_host: en2.enp.one
+      description: EN2 Digitial Ocean Cloud Server
+      required_os: centos_7
+      targets: ["admin", "network"]

hosts/jupiter.net.enp.one.yml

@@ -0,0 +1,20 @@
+---
+description: "EN1 System Control Node"
+
+targets:
+  - admin
+  - network
+
+networking:
+  eno1:
+    dhcp: Yes
+  eno2:
+    addresses: ["192.168.255.10/24"]
+
+  # demo:
+  #   addresses: ["192.168.1.10/24", "192.168.100.10/24"]
+  #   dhcp: true
+  #   dhcp6: true
+  #   gateway: 192.168.1.1
+  #   dns: ["8.8.8.8", "8.8.4.4"]
+  #   vlans: ["101", "200"]

playbooks/dependencies.yml

@@ -1,9 +1,26 @@
 ---
 - hosts: all
   name: Ansible python bindings
-  tags: always
+  tags:
+    - always
+    - initialize
   tasks:
-    - import_tasks: tasks/centos/bindings.yml
+    - name: Install CentOS python bindings
       when: ansible_distribution == "CentOS"
-    - import_tasks: tasks/fedora/bindings.yml
+      become: true
+      dnf:
+        state: latest
+        name:
+          - python3-libselinux
+          - python3-policycoreutils
+          - python3-firewall
+
+    - name: Install Fedora python bindings
       when: ansible_distribution == "Fedora"
+      become: true
+      dnf:
+        state: latest
+        name:
+          - libselinux-python
+          - policycoreutils-python
+          - python3-firewall

playbooks/deploy-homepage.yml

@@ -0,0 +1,38 @@
+---
+- hosts: nimbus-1.net.enp.one
+  name: Deploy main landing page at enpaul.net
+  vars:
+    # Local directory to use for cloning and building the documentation site
+    DIR_BUILD: /tmp/docs
+    # Remote directory to install the site at
+    DIR_DEPLOY: /usr/share/nginx/enpaul.net/html
+  tasks:
+    - name: Upload static site to remote
+      copy:
+        src: "{{ DIR_BUILD }}/site/"
+        dest: "/tmp/docs/"
+    - name: Remove legacy site
+      become: true
+      file:
+        path: "{{ DIR_DEPLOY }}"
+        state: absent
+    - name: Copy static site to deployment directory
+      become: true
+      copy:
+        src: "/tmp/docs/"
+        dest: "{{ DIR_DEPLOY }}"
+        remote_src: true
+        owner: root
+        group: nginx
+        mode: 0755
+        setype: httpd_sys_content_t
+
+    - name: Clean up local build directory
+      delegate_to: 127.0.0.1
+      file:
+        path: "{{ DIR_BUILD }}"
+        state: absent
+    - name: Clean up remote temp directory
+      file:
+        path: /tmp/docs
+        state: absent

playbooks/files/bashrc.sh

@@ -1,16 +1,61 @@
+# Global network bashrc/profile file
+# Updated 2019-11-12
+
+function venv() {
+        DIR="/home/$USERNAME/.venvs"
+
+        if [ $# -eq 0 ]; then
+                echo "No command specified"
+
+        elif [ $1 = "--help" ] || [ $1 = '-h' ]; then
+                echo "Custom python Virtualenv manager
+\"Because pipenv is too hard and everything else sucks\"
+
+Commands:
+  list                 List available virtualenvs
+  show                 Alias of list
+  delete <venv>        Delete a virtualenv
+  del                  Alias of delete
+  rm                   Alias of delete
+  load <venv>          Activate a virtualenv for usage
+  new <venv> <python>  Create a new virtualenv. If <python> is not specified,
+                       then the system default python is used
+"
+        elif [ $1 = "list" ] || [ $1 = "show" ] || [ $1 = "ls" ]; then
+                ls $DIR
+        elif [ $1 = "load" ]; then
+                . $DIR/$2/bin/activate
+        elif [ $1 = "new" ]; then
+                virtualenv $DIR/$2 --python=$3
+        elif [ $1 = "delete" ] || [ $1 = "del" ] || [ $1 = "rm" ]; then
+                rm -rf $DIR/$2
+        elif [ $1 = "go" ]; then
+                cd $DIR/$2
+        fi
+}
+
+function parse_git_branch() {
+    git branch 2> /dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/ (\1)/'
+}
+
 function up() { cd $(eval printf '../'%.0s {1..$1}); }
+
+function pipin() { pip freeze | grep $1; }
+
+alias bk='cd -'
 alias fuck='sudo $(history -p \!\!)'
 alias doc='cd ~/Documents'
-alias explorer='nautilus'
+alias dn='cd ~/Downloads'
 alias version='uname -orp && lsb_release -a | grep Description'
 alias activate='source ./bin/activate'
 alias ipconfig='ip address show'
 alias cls='clear'
 alias mklink='ln -s'
-alias ls='ls -lshF --color --group-directories-first --time-style=long-iso'
+alias ls='/usr/bin/ls -lshF --color --group-directories-first --time-style=long-iso'
 alias gg='cd ~/Git'
-parse_git_branch() {
-    git branch 2> /dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/ (\1)/'
-}
+alias gmtime='/usr/bin/date -u --iso-8601=seconds'
+alias date='/usr/bin/date --iso-8601=seconds'
+alias whatismyip='curl https://icanhazip.com/'
 
+export rc=/home/$USERNAME/.bashrc
 export PS1="\[\e[0;97m\]\[\e[37m\]\u\[\e[1;94m\]@\[\e[94m\]\H\[\e[0;33m\]$(parse_git_branch) \[\e[37m\]\w\[\e[33m\] \[\e[0;97m\]$\[\e[0m\] "

playbooks/initialize.yml

@@ -0,0 +1,34 @@
+---
+- import_playbook: dependencies.yml
+
+- name: Setup environment
+  hosts: all:!network
+  tags:
+    - initialize
+  vars:
+    restart_services: true
+  roles:
+    - role: packages
+      vars:
+        update: true
+        exclude: [] # Override the default kernel exclusion
+        clean: true
+  tasks:
+    - name: Set hostname
+      become: true
+      hostname:
+        name: "{{ inventory_hostname }}"
+    - name: Install global bashrc
+      become: true
+      copy:
+        src: bashrc.sh
+        dest: /etc/profile.d/ZA-enpn-bashrc.sh
+        mode: 0644
+
+- name: Configure services
+  hosts: all:!network
+  tags:
+    - initialize
+  roles:
+    - role: sshd
+    - role: networkd

playbooks/provision.yml

@@ -1,29 +1,11 @@
 ---
-- import_playbook: dependencies.yml
+- import_playbook: initialize.yml
 
-
-- hosts: all
-  name: Init
-  tags: initialize
-  tasks:
-    - name: Set hostname
-      become: true
-      hostname:
-        name: "{{ default_host if default_host is defined else inventory_hostname }}"
-
-    - name: Install global bashrc
-      become: true
-      copy:
-        src: bashrc.sh
-        dest: /etc/profile.d/global-bashrc.sh
-        mode: 0644
-
-    - import_tasks: tasks/sshd/banner.yml
-
-
-- hosts: all
-  name: System packages
-  tags: initialize
+- name: System packages
+  hosts: all
+  tags:
+    - provision
+    - initialize
   tasks:
     - name: Load package variables
       include_vars:

playbooks/roles

@@ -0,0 +1 @@
+../roles

playbooks/update-system.yml

@@ -2,6 +2,8 @@
 - hosts: all
   name: Upgrade packages
   tasks:
+
+
     - name: Upgrade YUM packages
       when: ansible_distribution == "CentOS"
       become: true

playbooks/update-users-network.yml

@@ -2,7 +2,12 @@
 - hosts: router.net.enp.one
   name: Configure users on router
   connection: network_cli
+<<<<<<< Updated upstream
   gather_facts: false
+=======
+  vars:
+    ansible_network_os: edgeos
+>>>>>>> Stashed changes
   tasks:
     - import_tasks: tasks/users-preprocessing.yml
 
@@ -18,9 +23,9 @@
       edgeos_config:
         lines:
           - set system login user {{ item.name }} level admin
-      with_items:
-        - "{{ local_admin_users | difference([None]) }}"
+      loop: "{{ local_admin_users | difference([None]) }}"
 
+<<<<<<< Updated upstream
     - name: Assemble loadkey files
       edgeos_command:
         commands:
@@ -32,3 +37,23 @@
         lines:
           - loadkey {{ item }} /tmp/{{ item }}.keys
       loop: "{{ local_admin_users | difference([None]) }}"
+=======
+    - name: Assemble key files for loadkey usage
+      edgeos_command:
+        commands: sudo tee /tmp/{{ item.name }}.keys<<<"{{ item.sshkeys | join('\n') }}"
+      loop: "{{ local_admin_users | difference([None]) }}"
+
+    # - name: Assemble loadkey files
+    #   copy:
+    #     src: keys/{{ item }}
+    #     dest: /tmp
+    #   with_items:
+    #     - "{{ local_admin_users | difference([None]) }}"
+
+    # - name: Load keys
+    #   edgeos_config:
+    #     lines:
+    #       - loadkey {{ item }} /tmp/{{ item }}/*.pub
+    #   with_items:
+    #     - "{{ local_admin_users | difference([None]) }}"
+>>>>>>> Stashed changes

roles/docker_host/tasks/main.yml

@@ -0,0 +1 @@
+---

roles/networkd/tasks/main.yml

@@ -0,0 +1,49 @@
+---
+- import_tasks: packages.yml
+
+- name: Delete networkd config directory
+  become: true
+  file:
+    path: /etc/systemd/network
+    state: absent
+
+- name: Create the networkd config directory
+  become: true
+  file:
+    path: /etc/systemd/network
+    state: directory
+
+- name: Make network files
+  when: networking is defined
+  become: true
+  template:
+    src: network.j2
+    dest: "/etc/systemd/network/{{ item.key }}.network"
+  loop: "{{ networking | dict2items }}"
+
+- name: Make netdev files
+  when: networking is defined
+  become: true
+  template:
+    src: netdev.j2
+    dest: "/etc/systemd/network/{{ item.key }}.netdev"
+  loop: "{{ networking | dict2items }}"
+
+- import_tasks: services.yml
+
+- name: Symlink so systemd-resolved uses /etc/resolv.conf
+  become: true
+  file:
+    dest: /etc/resolv.conf
+    src: /run/systemd/resolve/resolv.conf
+    state: link
+    force: true
+    setype: net_conf_t
+
+- name: Symlink so /etc/resolv.conf uses systemd
+  become: true
+  file:
+    dest: /etc/systemd/system/multi-user.target.wants/systemd-resolved.service
+    src: /usr/lib/systemd/system/systemd-resolved.service
+    state: link
+    force: true

roles/networkd/tasks/packages.yml

@@ -0,0 +1,8 @@
+---
+- name: Install systemd-networkd
+  become: true
+  dnf:
+    state: latest
+    name:
+      - systemd-resolved
+      - systemd-networkd

roles/networkd/tasks/services.yml

@@ -0,0 +1,41 @@
+---
+- name: Disable NetworkManager
+  become: true
+  systemd:
+    name: "{{ item }}"
+    enabled: false
+  loop:
+    - network
+    - NetworkManager
+    - NetworkManager-wait-online
+
+- name: Enable systemd-networkd
+  become: true
+  systemd:
+    name: "{{ item }}"
+    enabled: true
+  loop:
+    - systemd-networkd
+    - systemd-resolved
+    - systemd-networkd-wait-online
+
+- name: Stop NetworkManager
+  when: restart_services | default(false) == true
+  become: true
+  systemd:
+    name: "{{ item }}"
+    state: stopped
+  loop:
+    - network
+    - NetworkManager
+    - NetworkManager-wait-online
+
+- name: Start systemd-networkd
+  become: true
+  systemd:
+    name: "{{ item }}"
+    state: started
+  loop:
+    - systemd-networkd
+    - systemd-resolved
+    - systemd-networkd-wait-online

roles/networkd/templates/netdev.j2

@@ -0,0 +1,11 @@
+# ANSIBLE MANAGED FILE - DO NOT EDIT
+[NetDev]
+Name={{ item.key }}
+Kind=vlan
+{% if item.value['kind'] == 'vlan' %}
+
+[VLAN]
+Id={{ item.value['vlan'] }}
+{% endif %}
+
+# EOF

roles/networkd/templates/network.j2

@@ -0,0 +1,27 @@
+# ANSIBLE MANAGED FILE - DO NOT EDIT
+[Match]
+Name={{ item.key }}
+
+[Network]
+DHCP={{ 'Yes' if item.value['dhcp'] | default(false) == true else 'No' }}
+IPv6AcceptRA={{ 'Yes' if item.value['dhcp6'] | default(false) == true else 'No' }}
+{% if item.value['addresses'] is defined %}
+{% for ip_addr in item.value['addresses'] %}
+Address={{ ip_addr }}
+{% endfor %}
+{% endif %}
+{% if item.value['dns'] is defined %}
+{% for dns_server in item.value['dns'] %}
+DNS={{ dns_server }}
+{% endfor %}
+{% endif %}
+{% if item.value['gateway'] is defined %}
+Gateway={{ item.value['gateway'] }}
+{% endif %}
+{% if item.value['vlans'] is defined %}
+{% for vlan_tag in item.value['vlans'] %}
+VLAN={{ item.key }}.{{ vlan_tag }}
+{% endfor %}
+{% endif %}
+
+# EOF

tasks/centos/bindings.yml

@@ -1,9 +1,9 @@
 ---
-- name: Install python bindings using YUM
+- name: Install CentOS python bindings
   become: true
-  yum:
+  dnf:
     state: latest
     name:
-      - libselinux-python
-      - policycoreutils-python
-      - python-firewall
+      - python3-libselinux
+      - python3-policycoreutils
+      - python3-firewall

tasks/centos/repositories.yml

@@ -1,7 +1,7 @@
 ---
 - name: Enable Extra Packages for Enterprise Linux
   become: true
-  yum_repository:
+  dnf_repository:
     name: epel
     description: Extra Packages for Enterprise Linux
     baseurl: https://download.fedoraproject.org/pub/epel/$releasever/$basearch/
@@ -12,12 +12,6 @@
     state: present
     key: https://archive.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
 
-- name: Enable Inline with Upstream Stable
-  become: true
-  yum:
-    state: latest
-    name: https://centos7.iuscommunity.org/ius-release.rpm
-
 - name: Disable yum subscription-manager
   become: true
   lineinfile:

tasks/fedora/bindings.yml

@@ -1,5 +1,5 @@
 ---
-- name: Install python bindings using DNF
+- name: Install Fedora python bindings
   become: true
   dnf:
     state: latest

tasks/sshd/banner.yml

@@ -1,3 +1,4 @@
+---
 - name: Install SSH Banner
   become: true
   template:

vars/packages.yml

@@ -12,6 +12,7 @@ packages_global:
   - policycoreutils-python
   - python-devel
   - python-virtualenv
+  - systemd-devel
   - unzip
   - vim
   - vim-minimal
@@ -24,5 +25,4 @@ packages_yum:
   - bash-completion-extras
   - nc
   - nfs-utils
-  - python36u
   - wget