skylab/omni-ansible
Archived
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Updates to segregate configs by device class

Browse Source 
Split cloud VMs out from local VMs in 'cloud' group
Generalize networkd install/config
Generalize sshd config
Create general update playbook
Add host vm-host-nextcloud
This commit is contained in:
Ethan Paul 2018-12-30 22:54:33 -05:00
parent 9a35e992d0
commit c27460c47e
13 changed files with 175 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
groups/cloud.yml Normal file
View File

@ -0,0 +1,12 @@
---
enable_gui: False
enable_ssh: True
enable_ssh_password_auth: False
disable_sudo_password: True
enable_networkd: True
generate_keys: False

9
hosts/vm-host-nextcloud.yml Normal file
View File

@ -0,0 +1,9 @@
---
description: "Application Host: Nextcloud"
targets:
- admin
- nextcloud
networking:
eth0:

6
omni.ini
View File

@ -4,15 +4,15 @@ router
romulus romulus
remus remus
novis novis
apex
[vms] [vms]
vm-dev-nginx vm-dev-nginx
vm-host-gitea vm-host-gitea
vm-host-plex vm-host-plex
vm-host-bitwarden vm-host-bitwarden
vm-db-maria vm-host-nextcloud
vm-db-prometheus
[cloud]
nimbus-1 nimbus-1
[workstations] [workstations]

1
playbooks/dependencies.yml
View File

@ -1,6 +1,7 @@
--- ---
- hosts: all - hosts: all
name: Ansible python bindings name: Ansible python bindings
tags: always
tasks: tasks:
- import_tasks: tasks/centos/bindings.yml - import_tasks: tasks/centos/bindings.yml
when: ansible_distribution == "CentOS" when: ansible_distribution == "CentOS"

26
playbooks/provision-virtual-machine.yml
View File

@ -0,0 +1,26 @@
---
- hosts: vms
name: Replace NetworkManager with systemd-networkd
tasks:
- name: Install systemd-networkd
when: enable_networkd == true
block:
- import_tasks: tasks/centos/networkd.yml
when: ansible_distribution == "CentOS"
- import_tasks: tasks/fedora/networkd.yml
when: ansible_distribution == "Fedora"
# - import_tasks: common/debian/networkd.yml
# when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"
- import_tasks: tasks/networkd/config.yml
- import_tasks: tasks/networkd/services.yml
- hosts: vms
name: Install ovirt agent
tasks:
- name: Install ovirt-agent
become: true
yum:
name: ovirt-guest-agent
state: latest

51
playbooks/provision.yml
View File

@ -4,6 +4,7 @@
- hosts: all - hosts: all
name: Init name: Init
tags: initialize
tasks: tasks:
- name: Set hostname - name: Set hostname
become: true become: true
@ -14,26 +15,15 @@
become: true become: true
copy: copy:
src: bashrc.sh src: bashrc.sh
dest: /etc/profile.d/30-omni-bashrc.sh dest: /etc/profile.d/global-bashrc.sh
mode: 0644 mode: 0644
- name: Install SSH Banner - import_tasks: tasks/sshd/banner.yml
become: true
template:
src: motd.j2
dest: /etc/issue.net
mode: 0644
- name: Configure SSH banner
become: true
lineinfile:
path: /etc/ssh/sshd_config
regexp: '#Banner none'
line: 'Banner /etc/issue.net'
- hosts: all - hosts: all
name: System packages name: System packages
tags: initialize
tasks: tasks:
- name: Load package variables - name: Load package variables
include_vars: include_vars:
@ -48,33 +38,10 @@
# when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu" # when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"
- import_playbook: update-system.yml #- import_playbook: provision-workstation.yml
#- import_playbook: provision-server.yml
#- import_playbook: provision-hypervisor.yml
- import_playbook: provision-virtual-machine.yml
- hosts: all - import_playbook: update.yml
name: Replace NetworkManager with systemd-networkd
tasks:
- name: Install systemd-networkd
when: enable_networkd == true
block:
- import_tasks: tasks/centos/networkd.yml
when: ansible_distribution == "CentOS"
- import_tasks: tasks/fedora/networkd.yml
when: ansible_distribution == "Fedora"
# - import_tasks: common/debian/networkd.yml
# when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"
- import_tasks: tasks/networkd.yml
- import_playbook: update-users-local.yml
- hosts: vms
name: Install ovirt agent
tasks:
- name: Install ovirt-agent
become: true
yum:
name: ovirt-guest-agent
state: latest

6
playbooks/update-users-local.yml
View File

@ -159,3 +159,9 @@
state: directory state: directory
with_items: with_items:
- "{{ local_users | difference([None]) }}" - "{{ local_users | difference([None]) }}"
- hosts: all
name: Disable SSH password authentication
tasks:
- import_tasks: tasks/sshd/disable-password-auth.yml
when: enable_ssh_password_auth|bool == false

5
playbooks/update.yml Normal file
View File

@ -0,0 +1,5 @@
---
- import_playbook: dependencies.yml
- import_playbook: update-system.yml
- import_playbook: update-users-local.yml

22
tasks/networkd/config.yml Normal file
View File

@ -0,0 +1,22 @@
---
# The directory is deleted ahead of creation to ensure that no old configs
# remain after runnign ansible
- name: Delete networkd config directory
become: true
file:
path: /etc/systemd/network
state: absent
- name: Create the networkd config directory
become: true
file:
path: /etc/systemd/network
state: directory
- name: Make .network files
when: networking is defined
become: true
template:
src: network.j2
dest: "/etc/systemd/network/{{ item.key }}.network"
with_dict: "{{ networking }}"

38
tasks/networkd/services.yml Normal file
View File

@ -0,0 +1,38 @@
---
- name: Disable network scripts and NetworkManager
become: true
service:
name: "{{ item }}"
enabled: false
with_items:
- network
- NetworkManager
- NetworkManager-wait-online
- name: Enable systemd-networkd and systemd-resolved
become: true
service:
name: "{{ item }}"
enabled: true
state: started
with_items:
- systemd-networkd
- systemd-resolved
- systemd-networkd-wait-online
- name: Symlink so systemd-resolved uses /etc/resolv.conf
become: true
file:
dest: /etc/resolv.conf
src: /run/systemd/resolve/resolv.conf
state: link
force: true
setype: net_conf_t
- name: Symlink so /etc/resolv.conf uses systemd
become: true
file:
dest: /etc/systemd/system/multi-user.target.wants/systemd-resolved.service
src: /usr/lib/systemd/system/systemd-resolved.service
state: link
force: true

13
tasks/sshd/banner.yml Normal file
View File

@ -0,0 +1,13 @@
- name: Install SSH Banner
become: true
template:
src: motd.j2
dest: /etc/issue.net
mode: 0644
- name: Configure SSH banner
become: true
lineinfile:
path: /etc/ssh/sshd_config
regexp: '#Banner none'
line: 'Banner /etc/issue.net'

25
tasks/sshd/disable-password-auth.yml Normal file
View File

@ -0,0 +1,25 @@
- name: Turn off password authentication
become: true
replace:
path: /etc/ssh/sshd_config
regexp: "PasswordAuthentication yes"
replace: "PasswordAuthentication no"
- name: Turn off challenge response authentication
become: true
replace:
path: /etc/ssh/sshd_config
regexp: "ChallengeResponseAuthentication yes"
replace: "ChallengeResponseAuthentication no"
- name: Turn off GSSAPI authentication
become: true
replace:
path: /etc/ssh/sshd_config
regexp: "GSSAPIAuthentication yes"
replace: "GSSAPIAuthentication no"
- name: Restart sshd
service:
name: sshd
state: restarted

6
vars/users.yml
View File

@ -29,6 +29,7 @@ users:
- plex - plex
- admin - admin
- vpn - vpn
- nextcloud
admin: True admin: True
svc: True svc: True
@ -73,6 +74,7 @@ users:
- plex - plex
- admin - admin
- vpn - vpn
- nextcloud
admin: True admin: True
- name: kaisersjr - name: kaisersjr
@ -84,6 +86,7 @@ users:
- bitwarden - bitwarden
- vpn - vpn
- workstations - workstations
- nextcloud
admin: False admin: False
- name: notsoninja - name: notsoninja
@ -94,6 +97,7 @@ users:
- gitea - gitea
- vpn - vpn
- workstations - workstations
- nextcloud
admin: False admin: False
- name: avalonburned - name: avalonburned
@ -104,6 +108,7 @@ users:
- gitea - gitea
- vpn - vpn
- workstations - workstations
- nextcloud
admin: False admin: False
- name: sglagovitch - name: sglagovitch
@ -114,4 +119,5 @@ users:
- gitea - gitea
- vpn - vpn
- workstations - workstations
- nextcloud
admin: False admin: False