skylab
/
skylab-ansible
Archived
2
0
Fork 0
Code Pull Requests Releases Activity

Reorganize provision playbook 

Split server-specific configs out into server role

Add symlink to roles for playbook directory
This commit is contained in:
Ethan Paul 2021-11-05 21:53:47 -04:00
parent 732cf53192
commit 96ea66b77a
No known key found for this signature in database
GPG Key ID: 6A337337DF6B5B1A
9 changed files with 112 additions and 118 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

134
playbooks/provision.yaml
View File

@ -9,57 +9,16 @@
- name: Bootstrap remote ansible environment
hosts: linux
gather_facts: false
tags:
- always
tasks:
- name: Install CentOS 8 python bindings
when: ansible_distribution == "Rocky"
become: true
ansible.builtin.dnf:
state: present
name:
- python3-libselinux
- python3-policycoreutils
- python3-firewall
- name: Create state directory
become: true
ansible.builtin.file:
path: "{{ skylab_state_dir }}"
state: directory
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: 0755
- name: Create bootstrap virtualenv
ansible.builtin.command:
cmd: "{{ ansible_python_interpeter | default(discovered_interpreter_python) }} -m venv {{ skylab_ansible_venv }} --system-site-packages"
creates: "{{ skylab_ansible_venv }}/bin/python"
- name: Pin bootstrap virtualenv pip
ansible.builtin.pip:
executable: "{{ skylab_ansible_venv }}/bin/pip"
name: pip
state: present
version: "{{ skylab_pip_version }}"
- name: Copy requirements file to remote
ansible.builtin.copy:
src: remote-requirements.txt
dest: "{{ skylab_ansible_venv }}/requirements.txt"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: 0644
- name: Install remote requirements
ansible.builtin.pip:
executable: "{{ skylab_ansible_venv }}/bin/pip"
requirements: "{{ skylab_ansible_venv }}/requirements.txt"
state: present
- include_tasks: tasks/meta/bootstrap-remote-env.yaml
- name: Configure common server settings
- name: Configure common settings
hosts: linux
gather_facts: false
vars_files:
- vars/packages.yaml
tasks:
@ -69,6 +28,15 @@
name: "{{ inventory_hostname }}"
use: systemd
- name: Install global bash config
become: true
ansible.builtin.copy:
src: global.sh
dest: /etc/profile.d/ZZ-skylab-global.sh
owner: root
group: "{{ ansible_user }}"
mode: 0644
- name: Install EPEL repository config
when: ansible_distribution == "Rocky"
become: true
@ -84,25 +52,6 @@
state: present
key: https://archive.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}
- name: Disable sudo password for WHEEL group
when: ansible_distribution == "Rocky" or ansible_distribution == "CentOS"
become: true
ansible.builtin.copy:
src: wheel-group-no-sudo-password
dest: /etc/sudoers.d/30-wheel
owner: root
group: "{{ ansible_user }}"
mode: 0644
- name: Install global bash config
become: true
ansible.builtin.copy:
src: global.sh
dest: /etc/profile.d/ZZ-skylab-global.sh
owner: root
group: "{{ ansible_user }}"
mode: 0644
- name: Install universal packages
when: ansible_distribution == "Rocky"
become: true
@ -111,58 +60,7 @@
state: present
- name: Configure SSH
hosts: linux
handlers:
- name: restart-sshd
become: true
ansible.builtin.systemd:
name: sshd
state: restarted
tasks:
- name: Configure SSH authentication settings
become: true
ansible.builtin.replace:
path: /etc/ssh/sshd_config
regexp: "{{ item.regex }}"
replace: "{{ item.value }}"
notify: [restart-sshd]
loop:
- name: disable root login
regex: "^.*PermitRootLogin (yes|no).*$"
value: PermitRootLogin no
- name: disable password auth
regex: "^.*PasswordAuthentication (yes|no).*$"
value: PasswordAuthentication no
- name: disable challenge response auth
regex: "^.*ChallengeResponseAuthentication (yes|no).*$"
value: ChallengeResponseAuthentication no
- name: disable GSSAPI auth
regex: "^.*GSSAPIAuthentication (yes|no).*$"
value: GSSAPIAuthentication no
loop_control:
label: "{{ item.name }}"
- name: Disable dynamic MOTD on debian systems
when: ansible_os_family == "Debian"
ansible.builtin.replace:
path: /etc/pam.d/sshd
regexp: "^session optional pam_motd.so motd=/run/motd.dynamic"
replace: "#session optional pam_motd.so motd=/run/motd.dynamic"
- name: Disable Cockpit activation message on Rocky
when: ansible_distribution == "Rocky"
become: true
ansible.builtin.file:
path: /etc/motd.d/cockpit
state: absent
- name: Copy MOTD to remote
become: true
ansible.builtin.template:
src: motd.j2
dest: /etc/motd
mode: 0644
- import_playbook: update.yaml
- import_playbook: configure.yaml

1
playbooks/roles Symbolic link
View File

@ -0,0 +1 @@
../roles

9
playbooks/update.yaml
View File

@ -7,6 +7,15 @@
- include_tasks: tasks/meta/runtime-group-determination.yaml
- name: Bootstrap remote ansible environment
hosts: linux
gather_facts: false
tags:
- always
tasks:
- include_tasks: tasks/meta/bootstrap-remote-env.yaml
- name: Update system
hosts: linux
tags:

0
resources/wheel-group-no-sudo-password → roles/server/files/wheel-group-no-sudo-password
View File

6
roles/server/handlers/main.yaml Normal file
View File

@ -0,0 +1,6 @@
---
- name: restart-sshd
become: true
ansible.builtin.systemd:
name: sshd
state: restarted

6
roles/server/tasks/main.yaml Normal file
View File

@ -0,0 +1,6 @@
---
- name: Configure sudoers file
ansible.builtin.import_tasks: sudoers.yaml
- name: Configure SSH server
ansible.builtin.import_tasks: sshd.yaml

44
roles/server/tasks/sshd.yaml Normal file
View File

@ -0,0 +1,44 @@
---
- name: Configure SSH authentication settings
become: true
ansible.builtin.replace:
path: /etc/ssh/sshd_config
regexp: "{{ item.regex }}"
replace: "{{ item.value }}"
notify: [restart-sshd]
loop:
- name: disable root login
regex: "^.*PermitRootLogin (yes|no).*$"
value: PermitRootLogin no
- name: disable password auth
regex: "^.*PasswordAuthentication (yes|no).*$"
value: PasswordAuthentication no
- name: disable challenge response auth
regex: "^.*ChallengeResponseAuthentication (yes|no).*$"
value: ChallengeResponseAuthentication no
- name: disable GSSAPI auth
regex: "^.*GSSAPIAuthentication (yes|no).*$"
value: GSSAPIAuthentication no
loop_control:
label: "{{ item.name }}"
- name: Disable dynamic MOTD on debian systems
when: ansible_os_family == "Debian"
ansible.builtin.replace:
path: /etc/pam.d/sshd
regexp: "^session optional pam_motd.so motd=/run/motd.dynamic"
replace: "#session optional pam_motd.so motd=/run/motd.dynamic"
- name: Disable Cockpit activation message on Rocky
when: ansible_distribution == "Rocky"
become: true
ansible.builtin.file:
path: /etc/motd.d/cockpit
state: absent
- name: Copy MOTD to remote
become: true
ansible.builtin.template:
src: motd.j2
dest: /etc/motd
mode: 0644

30
roles/server/tasks/sudoers.yaml Normal file
View File

@ -0,0 +1,30 @@
---
- name: Disable sudo password for WHEEL group
when: ansible_distribution == "Rocky" or ansible_distribution == "CentOS"
become: true
ansible.builtin.copy:
src: wheel-group-no-sudo-password
dest: /etc/sudoers.d/30-wheel
owner: root
group: "{{ ansible_user }}"
mode: 0644
# Note that the cleanup tasks need to be after the new installation tasks
# since one or more files being cleaned up might be being relied on to
# allow ansible access
- name: Fetch content of sudoers config directory
become: true
changed_when: false
ansible.builtin.command:
cmd: /usr/bin/ls /etc/sudoers.d/
register: _sudoers_files_raw
- name: Remove legacy sudoers config files
when: item.strip() not in ["30-wheel"]
become: true
ansible.builtin.file:
path: /etc/sudoers.d/{{ item.strip() }}
state: absent
loop: "{{ _sudoers_files_raw.stdout.split(' ') }}"
loop_control:
label: "/etc/sudoers.d/{{ item.strip() }}"

0
resources/motd.j2 → roles/server/templates/motd.j2
View File