Updates to segregate configs by device class

Split cloud VMs out from local VMs in 'cloud' group
Generalize networkd install/config
Generalize sshd config
Create general update playbook
Add host vm-host-nextcloud

groups/cloud.yml

@@ -0,0 +1,12 @@
+---
+enable_gui: False
+
+enable_ssh: True
+
+enable_ssh_password_auth: False
+
+disable_sudo_password: True
+
+enable_networkd: True
+
+generate_keys: False

hosts/vm-host-nextcloud.yml

@@ -0,0 +1,9 @@
+---
+description: "Application Host: Nextcloud"
+
+targets:
+  - admin
+  - nextcloud
+
+networking:
+  eth0:

omni.ini

@@ -4,15 +4,15 @@ router
 romulus
 remus
 novis
-apex
 
 [vms]
 vm-dev-nginx
 vm-host-gitea
 vm-host-plex
 vm-host-bitwarden
-vm-db-maria
-vm-db-prometheus
+vm-host-nextcloud
+
+[cloud]
 nimbus-1
 
 [workstations]

playbooks/dependencies.yml

@@ -1,6 +1,7 @@
 ---
 - hosts: all
   name: Ansible python bindings
+  tags: always
   tasks:
     - import_tasks: tasks/centos/bindings.yml
       when: ansible_distribution == "CentOS"

playbooks/provision-virtual-machine.yml

@@ -0,0 +1,26 @@
+---
+- hosts: vms
+  name: Replace NetworkManager with systemd-networkd
+  tasks:
+    - name: Install systemd-networkd
+      when: enable_networkd == true
+      block:
+        - import_tasks: tasks/centos/networkd.yml
+          when: ansible_distribution == "CentOS"
+        - import_tasks: tasks/fedora/networkd.yml
+          when: ansible_distribution == "Fedora"
+        # - import_tasks: common/debian/networkd.yml
+        #   when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"
+
+    - import_tasks: tasks/networkd/config.yml
+    - import_tasks: tasks/networkd/services.yml
+
+
+- hosts: vms
+  name: Install ovirt agent
+  tasks:
+    - name: Install ovirt-agent
+      become: true
+      yum:
+        name: ovirt-guest-agent
+        state: latest

playbooks/provision.yml

@@ -4,6 +4,7 @@
 
 - hosts: all
   name: Init
+  tags: initialize
   tasks:
     - name: Set hostname
       become: true
@@ -14,26 +15,15 @@
       become: true
       copy:
         src: bashrc.sh
-        dest: /etc/profile.d/30-omni-bashrc.sh
+        dest: /etc/profile.d/global-bashrc.sh
         mode: 0644
 
-    - name: Install SSH Banner
-      become: true
-      template:
-        src: motd.j2
-        dest: /etc/issue.net
-        mode: 0644
-
-    - name: Configure SSH banner
-      become: true
-      lineinfile:
-        path: /etc/ssh/sshd_config
-        regexp: '#Banner none'
-        line: 'Banner /etc/issue.net'
+    - import_tasks: tasks/sshd/banner.yml
 
 
 - hosts: all
   name: System packages
+  tags: initialize
   tasks:
     - name: Load package variables
       include_vars:
@@ -48,33 +38,10 @@
     #   when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"
 
 
-- import_playbook: update-system.yml
+#- import_playbook: provision-workstation.yml
+#- import_playbook: provision-server.yml
+#- import_playbook: provision-hypervisor.yml
+- import_playbook: provision-virtual-machine.yml
 
 
-- hosts: all
-  name: Replace NetworkManager with systemd-networkd
-  tasks:
-    - name: Install systemd-networkd
-      when: enable_networkd == true
-      block:
-        - import_tasks: tasks/centos/networkd.yml
-          when: ansible_distribution == "CentOS"
-        - import_tasks: tasks/fedora/networkd.yml
-          when: ansible_distribution == "Fedora"
-        # - import_tasks: common/debian/networkd.yml
-        #   when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"
-
-        - import_tasks: tasks/networkd.yml
-
-
-- import_playbook: update-users-local.yml
-
-
-- hosts: vms
-  name: Install ovirt agent
-  tasks:
-    - name: Install ovirt-agent
-      become: true
-      yum:
-        name: ovirt-guest-agent
-        state: latest
+- import_playbook: update.yml

playbooks/update-users-local.yml

@@ -159,3 +159,9 @@
         state: directory
       with_items:
         - "{{ local_users | difference([None]) }}"
+
+- hosts: all
+  name: Disable SSH password authentication
+  tasks:
+    - import_tasks: tasks/sshd/disable-password-auth.yml
+      when: enable_ssh_password_auth|bool == false

playbooks/update.yml

@@ -0,0 +1,5 @@
+---
+- import_playbook: dependencies.yml
+
+- import_playbook: update-system.yml
+- import_playbook: update-users-local.yml

tasks/networkd/config.yml

@@ -0,0 +1,22 @@
+---
+# The directory is deleted ahead of creation to ensure that no old configs
+# remain after runnign ansible
+- name: Delete networkd config directory
+  become: true
+  file:
+    path: /etc/systemd/network
+    state: absent
+
+- name: Create the networkd config directory
+  become: true
+  file:
+    path: /etc/systemd/network
+    state: directory
+
+- name: Make .network files
+  when: networking is defined
+  become: true
+  template:
+    src: network.j2
+    dest: "/etc/systemd/network/{{ item.key }}.network"
+  with_dict: "{{ networking }}"

tasks/networkd/services.yml

@@ -0,0 +1,38 @@
+---
+- name: Disable network scripts and NetworkManager
+  become: true
+  service:
+    name: "{{ item }}"
+    enabled: false
+  with_items:
+    - network
+    - NetworkManager
+    - NetworkManager-wait-online
+
+- name: Enable systemd-networkd and systemd-resolved
+  become: true
+  service:
+    name: "{{ item }}"
+    enabled: true
+    state: started
+  with_items:
+    - systemd-networkd
+    - systemd-resolved
+    - systemd-networkd-wait-online
+
+- name: Symlink so systemd-resolved uses /etc/resolv.conf
+  become: true
+  file:
+    dest: /etc/resolv.conf
+    src: /run/systemd/resolve/resolv.conf
+    state: link
+    force: true
+    setype: net_conf_t
+
+- name: Symlink so /etc/resolv.conf uses systemd
+  become: true
+  file:
+    dest: /etc/systemd/system/multi-user.target.wants/systemd-resolved.service
+    src: /usr/lib/systemd/system/systemd-resolved.service
+    state: link
+    force: true

tasks/sshd/banner.yml

@@ -0,0 +1,13 @@
+- name: Install SSH Banner
+  become: true
+  template:
+    src: motd.j2
+    dest: /etc/issue.net
+    mode: 0644
+
+- name: Configure SSH banner
+  become: true
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '#Banner none'
+    line: 'Banner /etc/issue.net'

tasks/sshd/disable-password-auth.yml

@@ -0,0 +1,25 @@
+- name: Turn off password authentication
+  become: true
+  replace:
+    path: /etc/ssh/sshd_config
+    regexp: "PasswordAuthentication yes"
+    replace: "PasswordAuthentication no"
+
+- name: Turn off challenge response authentication
+  become: true
+  replace:
+    path: /etc/ssh/sshd_config
+    regexp: "ChallengeResponseAuthentication yes"
+    replace: "ChallengeResponseAuthentication no"
+
+- name: Turn off GSSAPI authentication
+  become: true
+  replace:
+    path: /etc/ssh/sshd_config
+    regexp: "GSSAPIAuthentication yes"
+    replace: "GSSAPIAuthentication no"
+
+- name: Restart sshd
+  service:
+    name: sshd
+    state: restarted

vars/users.yml

@@ -29,6 +29,7 @@ users:
       - plex
       - admin
       - vpn
+      - nextcloud
     admin: True
     svc: True
 
@@ -73,6 +74,7 @@ users:
       - plex
       - admin
       - vpn
+      - nextcloud
     admin: True
 
   - name: kaisersjr
@@ -84,6 +86,7 @@ users:
       - bitwarden
       - vpn
       - workstations
+      - nextcloud
     admin: False
 
   - name: notsoninja
@@ -94,6 +97,7 @@ users:
       - gitea
       - vpn
       - workstations
+      - nextcloud
     admin: False
 
   - name: avalonburned
@@ -104,6 +108,7 @@ users:
       - gitea
       - vpn
       - workstations
+      - nextcloud
     admin: False
 
   - name: sglagovitch
@@ -114,4 +119,5 @@ users:
       - gitea
       - vpn
       - workstations
+      - nextcloud
     admin: False