# Ansible
Ansible playbooks, roles, modules, and related files live here. This wiki page describes the layout, structure, and standards that should be followed when writing playbooks and roles.
## Management Node Structure
```
.
├── ansible.cfg
├── collections
├── files -> playbooks/files
├── handlers -> playbooks/handlers
├── inventories
│   ├── production
│   │   ├── group_vars
│   │   ├── host_vars
│   │   └── hosts
│   ├── staging
│   └── development
├── pkistore
├── playbooks
│   ├── files
│   ├── handlers
│   ├── tasks
│   ├── templates
│   └── vars
├── roles/local
│   ├── < role-name >
│   └── requirements.yml
├── tasks -> playbooks/tasks
├── templates -> playbooks/templates
└── vars -> playbooks/vars
```
## Structure
What each folder represents:
```
files      -> As the name implies, non-templated files go here. Files that are
              dropped somewhere on the file system should be laid out in a way
              that represents the file system (eg. ./etc/sysconfig/)
group_vars -> Group variables go here if they are not fulfilled in an inventory.
              Recommended that group_vars be used over inventory vars.
host_vars  -> Host variables go here
inventory  -> All static inventories go here
roles      -> Custom roles can go here
tasks      -> Common tasks come here
templates  -> Templates go here
vars       -> Global variables that are called with vars_files go here. This
```
## Current Playbook Naming
```
init-*   -> Starting infrastructure playbooks that run solo or import other
            playbooks that start with import-
adhoc-*  -> These playbooks are one-off playbooks that can be used on the CLI or
            in AWX. These are typically for basic tasks.
import-* -> Playbooks that should be imported from the top level playbooks
role-*   -> These playbooks call roles specifically for infrastructure tasks.
            Playbooks that do not call a role should be named init or adhoc based
            on their usage.
```
## Ansible Configuration
The `ansible.cfg` declares the defaults for our Ansible host. This matters most for the "destinations", i.e. the paths where roles and collections are looked up.
## Designing Playbooks
### Pre flight and post flight
At a minimum, a playbook should have `pre_tasks` and `post_tasks` that check whether Ansible may run on a system and record that it has run. Some playbooks will not necessarily need this (eg. an adhoc playbook that creates a user), but operations done on a host should at least have these in the playbook, with an optional `handlers:` include. In the example below, the presence of `/etc/no-ansible` acts as a per-host opt-out that aborts the play, and `/var/log/ansible.run` is touched to record the run.
```
handlers:
  - include: handlers/main.yml

pre_tasks:
  - name: Check if ansible cannot be run here
    stat:
      path: /etc/no-ansible
    register: no_ansible

  - name: Verify if we can run ansible
    assert:
      that:
        - "not no_ansible.stat.exists"
      success_msg: "We are able to run on this node"
      fail_msg: "/etc/no-ansible exists - skipping run on this node"

# Import roles/tasks here

post_tasks:
  - name: Touching run file that ansible has ran here
    file:
      path: /var/log/ansible.run
      state: touch
      mode: '0644'
      owner: root
      group: root
```
### Comments
Each playbook should have comments or a `name` descriptor that explains what the playbook does or how it is used. If that is not practical, a README-... file can be used instead, especially for adhoc playbooks that take input. Documentation for each playbook/role does not have to be on this wiki; comments or READMEs should be sufficient.
### Tags
Ensure that you use relevant tags where necessary for your tasks.
### Roles
If you are using roles or collections, you will need to list them in `./roles/requirements.yml`. For example, we use the `freeipa` collection and a `mysql` role from `geerlingguy`.
```
---
roles:
  - name: geerlingguy.mysql
collections:
  - name: freeipa.ansible_freeipa
    version: 0.3.1
```
**Note**: There will be cases where you should and must specify the version you're working with, depending on the author and the amount of changes that may occur. There may be a future policy that you have to lock onto a specific version.
Custom roles for infrastructure use will have their own separate repository. Right now, we do not have an Ansible Galaxy presence. Because of this, when referencing roles under Rocky Linux, you will have to specify their location (`src`) and follow the naming format. Example below.
```
roles:
  - name: rockylinux.ipsilon
    src: https://github.com/rocky-linux/ansible-role-ipsilon
    version: main
```
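As an added example (not part of the repository), the following Python check reads a `requirements.yml` in the layout shown above and reports roles or collections whose install would float: no `version` at all, or a branch name such as `main` as the version. The sample file is constructed from the two snippets on this page.

```python
import re

# Constructed sample modelled on the two requirements.yml snippets on this
# page; it is not the repository's own file.
SAMPLE_REQUIREMENTS = """---
roles:
  - name: geerlingguy.mysql
  - name: rockylinux.ipsilon
    src: https://github.com/rocky-linux/ansible-role-ipsilon
    version: main
collections:
  - name: freeipa.ansible_freeipa
    version: 0.3.1
...
"""

# Branch names move, so a "version" naming one of them is not a real pin.
FLOATING_REFS = {"main", "master", "develop", "HEAD"}


def parse_requirements(text):
    """Line-based parser for the roles:/collections: layout (no PyYAML)."""
    entries, section, current = [], None, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line in ("---", "..."):
            continue
        sec = re.match(r"^(roles|collections):\s*$", line)
        if sec:
            section = sec.group(1)
            continue
        item = re.match(r"^\s*-\s+name:\s*(\S+)", line)
        if item and section:
            current = {"name": item.group(1)}
            entries.append((section, current))
            continue
        kv = re.match(r"^\s+(\w+):\s*(\S+)", line)
        if kv and current is not None:
            current[kv.group(1)] = kv.group(2)
    return entries


def unpinned(text):
    """(section, name, version) for each entry that is not pinned."""
    findings = []
    for section, entry in parse_requirements(text):
        version = entry.get("version")
        if version is None or version in FLOATING_REFS:
            findings.append((section, entry["name"], version))
    return findings
```

Running `unpinned(SAMPLE_REQUIREMENTS)` flags `geerlingguy.mysql` (no version) and `rockylinux.ipsilon` (`main`), while the collection pinned to `0.3.1` passes.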
### There's no role for...
If you have to make your own role, that's understandable. There are going to be cases like this and we would like to work on them case by case. If you're going to create your own role, the following things must be true:
* Follows the ansible-galaxy spec
* pre-commit runs for linting purposes
* Molecule GitHub workflow
* The repository name follows the format: ansible-role-<name>
The pre-commit, yamllint, and ansible-lint configurations of this repository are a good starting point for your role.
Please use [this role template](https://github.com/rocky-linux/ansible-role-template) to get started.
### Pre-commits / linting
When pushing to your own forked version of this repository, pre-commit must run to verify your changes. They must be passing to be pushed up. This is an absolute requirement, even for roles.
When the linter passes, the push will complete and you will be able to open a PR.
## General YAML Formatting
It is recommended that each YAML file starts with `---` and ends with `...`. This helps with linting and also marks an unambiguous end to the file.
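An added example, not part of the repository or its pre-commit setup: a Python check that applies the conventions from this page (the `init-`/`adhoc-`/`import-`/`role-` naming, the `---`/`...` document markers, and the `pre_tasks`/`post_tasks` gate on the `/etc/no-ansible` kill switch) to a playbook's text. Both sample playbooks are constructed for the example.

```python
import re

PREFIXES = ("init-", "adhoc-", "import-", "role-")
# Constructed sample following the pre_tasks/post_tasks pattern on this page
# (not a playbook from the repository).
GOOD_PLAYBOOK = """---
- name: Configure chrony on all hosts
  hosts: all
  pre_tasks:
    - name: Check if ansible cannot be run here
      stat:
        path: /etc/no-ansible
      register: no_ansible
    - name: Verify if we can run ansible
      assert:
        that:
          - "not no_ansible.stat.exists"
  post_tasks:
    - name: Touching run file that ansible has ran here
      file:
        path: /var/log/ansible.run
        state: touch
...
"""

# Constructed counter-example: no markers, no gate, and a non-conforming name.
BAD_PLAYBOOK = """- hosts: all
  tasks:
    - package:
        name: chrony
"""

def check_playbook(filename, text):
    """Return convention violations for one playbook, per this page's rules."""
    findings = []
    if not filename.startswith(PREFIXES):
        findings.append("name must start with one of " + ", ".join(PREFIXES))
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != "---":
        findings.append("file should start with ---")
    if not lines or lines[-1] != "...":
        findings.append("file should end with ...")
    # adhoc playbooks may skip the gate; anything else run on hosts needs it
    if not filename.startswith("adhoc-"):
        for key in ("pre_tasks:", "post_tasks:"):
            if not re.search(r"^\s*" + key + r"\s*$", text, re.M):
                findings.append("missing " + key)
        if "/etc/no-ansible" not in text:
            findings.append("pre_tasks do not check the /etc/no-ansible kill switch")
    return findings
```

`check_playbook("role-rocky-chrony.yml", GOOD_PLAYBOOK)` returns an empty list, while the badly named counter-example collects six findings.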
### Plugin and Formatting Assistance
The YAML format is simple and can generally be followed without much thought; the same goes for Ansible's syntax. Ideally, your editor can assist with these things. If you are a vim user, the following plugins can be useful:
```
stephpy/vim-yaml
pearofducks/ansible-vim
vim-syntastic/syntastic
```
These can be installed using [vim-plug](https://github.com/junegunn/vim-plug).
## Initializing the Ansible Host
When initializing the Ansible host, you should be in `./infrastructure/ansible` so that the repository's `ansible.cfg` is used. To get started, run the `init-rocky-ansible-host.yml` playbook, which installs all the roles and collections required for the playbooks to run.
```
% git clone https://github.com/rocky-linux/infrastructure
% cd infrastructure/ansible
% ansible-playbook playbooks/init-rocky-ansible-host.yml
```
## Initializing the environment
To get a base environment, you will need to run the playbooks in this order.
```
# Ansible host
init-rocky-ansible-host.yml
# First IPA server
role-rocky-ipa.yml
# Replicas
role-rocky-ipa-replica.yml
# Base users, groups, and DNS
init-rocky-ipa-team.yml
init-rocky-ipa-internal-dns.yml
# All clients should be listed under [ipaclients]
role-rocky-ipa-client.yml
# All systems should be hardened
init-rocky-system-config.yml
```
### Initializing a base system
```
# All clients should be listed under [ipaclients]
role-rocky-ipa-client.yml
# All systems should be hardened
init-rocky-system-config.yml
```
## Current Set
```
.
├── ansible.cfg
├── collections
│   └── Readme.md
├── files -> playbooks/files
├── handlers -> playbooks/handlers
├── inventories
│   ├── production
│   │   ├── group_vars
│   │   │   ├── chronyservers
│   │   │   │   └── main.yml
│   │   │   ├── ipa
│   │   │   │   └── main.yml
│   │   │   ├── ipaclients
│   │   │   │   └── main.yml
│   │   │   ├── ipareplicas
│   │   │   │   └── main.yml
│   │   │   ├── ipaserver
│   │   │   │   └── main.yml
│   │   │   └── rabbitmq
│   │   │       └── main.yml
│   │   └── hosts.ini
│   └── staging
│       ├── group_vars
│       │   ├── chronyservers
│       │   │   └── main.yml
│       │   ├── ipa
│       │   │   └── main.yml
│       │   ├── ipaclients
│       │   │   └── main.yml
│       │   ├── ipareplicas
│       │   │   └── main.yml
│       │   ├── ipaserver
│       │   │   └── main.yml
│       │   └── rabbitmq
│       │       └── main.yml
│       └── hosts.ini
├── playbooks
│   ├── adhoc-facts-refresh.yml
│   ├── adhoc-gitlab-creategroup.yml
│   ├── adhoc-gitlab-createproject.yml
│   ├── adhoc-gitlab-deletegroup.yml
│   ├── adhoc-gitlab-deleteproject.yml
│   ├── adhoc-ipabinder.yml
│   ├── adhoc-ipadnsrecord.yml
│   ├── adhoc-ipadnszone.yml
│   ├── adhoc-ipagetcert.yml
│   ├── adhoc-ipagetkeytab.yml
│   ├── adhoc-ipagroup.yml
│   ├── adhoc-ipaservice.yml
│   ├── adhoc-ipauser-disable-pdr.yml
│   ├── adhoc-ipauser-disable.yml
│   ├── adhoc-ipauser-enable.yml
│   ├── adhoc-ipauser.yml
│   ├── adhoc-rabbitmqqueue.yml
│   ├── adhoc-rabbitmquser.yml
│   ├── files
│   │   ├── etc
│   │   │   ├── authselect
│   │   │   │   └── custom
│   │   │   │       └── sssd-rocky
│   │   │   │           ├── CentOS-8-system-auth -> RedHat-8-system-auth
│   │   │   │           ├── RedHat-8-system-auth
│   │   │   │           └── Rocky-8-system-auth -> RedHat-8-system-auth
│   │   │   ├── gitlab
│   │   │   ├── pam.d
│   │   │   │   ├── CentOS-7-system-auth-ac -> RedHat-7-system-auth-ac
│   │   │   │   └── RedHat-7-system-auth-ac
│   │   │   ├── rockybanner
│   │   │   ├── sudoers.d
│   │   │   │   └── cis
│   │   │   └── systemd
│   │   │       └── system
│   │   │           └── noggin.service
│   │   ├── tmp
│   │   └── usr
│   │       └── local
│   │           └── bin
│   │               └── lock-wrapper
│   ├── handlers
│   │   └── main.yml
│   ├── import-rockygroups.yml
│   ├── import-rockyipaprivs.yml
│   ├── import-rockypwpolicy.yml
│   ├── import-rockysudo.yml
│   ├── import-rockyusers.yml
│   ├── init-rocky-account-services.yml
│   ├── init-rocky-ansible-host.yml
│   ├── init-rocky-bugzilla.yml
│   ├── init-rocky-builder-postfix.yml
│   ├── init-rocky-chrony.yml
│   ├── init-rocky-install-kvm-hosts.yml
│   ├── init-rocky-ipa-internal-dns.yml
│   ├── init-rocky-ipa-team.yml
│   ├── init-rocky-koji-ecosystem.yml
│   ├── init-rocky-mantisbt.yml
│   ├── init-rocky-noggin-theme.yml
│   ├── init-rocky-noggin.yml
│   ├── init-rocky-repo-servers.yml
│   ├── init-rocky-system-config.yml
│   ├── role-rocky-bootstrap_staging.yml
│   ├── role-rocky-gitlab-ee.yml
│   ├── role-rocky-gitlab-runner.yml
│   ├── role-rocky-graylog.yml
│   ├── role-rocky-ipa-client.yml
│   ├── role-rocky-ipa-replica.yml
│   ├── role-rocky-ipa.yml
│   ├── role-rocky-ipsilon.yml
│   ├── role-rocky-kojid-staging.yml
│   ├── role-rocky-kojid.yml
│   ├── role-rocky-kojihub-staging.yml
│   ├── role-rocky-kojihub.yml
│   ├── role-rocky-monitoring.yml
│   ├── role-rocky-mqtt.yml
│   ├── role-rocky-node_exporter.yml
│   ├── role-rocky-pinnwand.yml
│   ├── role-rocky-rabbitmq.yml
│   ├── role-rocky-repopool.yml
│   ├── role-rocky-sigul-bridge.yml
│   ├── role-rocky-sigul-server.yml
│   ├── role-rocky-srpmproc.yml
│   ├── role-rocky-wikijs.yml
│   ├── tasks
│   │   ├── account_services.yml
│   │   ├── auditd.yml
│   │   ├── authentication.yml
│   │   ├── bugzilla_install.yml
│   │   ├── bugzilla.yml
│   │   ├── chrony.yml
│   │   ├── efs_mount.yml
│   │   ├── gitlab-reconfigure.yml
│   │   ├── gitlab-runner.yml
│   │   ├── grub.yml
│   │   ├── harden.yml
│   │   ├── init-koji.yml
│   │   ├── koji_efs.yml
│   │   ├── main.yml
│   │   ├── mantispatch.yml
│   │   ├── mantis.yml
│   │   ├── noggin.yml
│   │   ├── postfix_relay.yml
│   │   ├── rabbitmq-reconfigure.yml
│   │   ├── repository.yml
│   │   ├── scripts.yml
│   │   ├── srpmproc.yml
│   │   ├── ssh_config.yml
│   │   └── variable_loader_common.yml
│   ├── templates
│   │   ├── etc
│   │   │   ├── audit
│   │   │   │   └── rules.d
│   │   │   │       └── collection.rules.j2
│   │   │   ├── chrony.conf.j2
│   │   │   ├── gitlab
│   │   │   │   └── rocky_gitlab.rb
│   │   │   ├── httpd
│   │   │   │   └── conf.d
│   │   │   │       ├── bugzilla.conf.j2
│   │   │   │       ├── id.conf.j2
│   │   │   │       └── mantis.conf.j2
│   │   │   ├── modprobe.d
│   │   │   │   └── cis.conf.j2
│   │   │   ├── nginx
│   │   │   │   ├── conf.d
│   │   │   │   │   └── omnibus.conf.j2
│   │   │   │   └── nginx.conf.j2
│   │   │   ├── postfix
│   │   │   │   └── sasl_passwd.j2
│   │   │   ├── resolv.conf.j2
│   │   │   ├── rsyslog.d
│   │   │   ├── ssh
│   │   │   │   ├── CentOS-7-sshd_config.j2 -> RedHat-7-sshd_config.j2
│   │   │   │   ├── CentOS-8-sshd_config.j2 -> RedHat-8-sshd_config.j2
│   │   │   │   ├── RedHat-7-sshd_config.j2
│   │   │   │   ├── RedHat-8-sshd_config.j2
│   │   │   │   └── Rocky-8-sshd_config.j2 -> RedHat-8-sshd_config.j2
│   │   │   └── sssd
│   │   ├── hidden
│   │   │   ├── home
│   │   │   │   └── noggin
│   │   │   │       └── noggin.cfg
│   │   │   └── README.md
│   │   ├── opt
│   │   │   └── noggin
│   │   │       ├── noggin.cfg
│   │   │       └── start_noggin.sh.j2
│   │   ├── tmp
│   │   │   ├── binder_template.update
│   │   │   ├── binder.update
│   │   │   └── mantis_import.sql.j2
│   │   ├── usr
│   │   │   └── local
│   │   │       └── bin
│   │   │           └── fix_gitlab_certs.sh
│   │   └── var
│   │       └── www
│   │           ├── bugzilla
│   │           │   ├── answer
│   │           │   └── localconfig.j2
│   │           └── mantis
│   │               └── config
│   │                   └── config_inc.php.j2
│   └── vars
│       ├── bugzilla.yml
│       ├── buildsys.yml
│       ├── CentOS.yml -> RedHat.yml
│       ├── chronyserver.yml
│       ├── chrony.yml
│       ├── common.yml
│       ├── gitlab_runner.yml
│       ├── gitlab.yml
│       ├── graylog.yml
│       ├── ipa
│       │   ├── adminusers.yml
│       │   ├── agreements.yml
│       │   ├── fdns.yml
│       │   ├── groups.yml
│       │   ├── ipaclient.yml
│       │   ├── ipaprivs.yml
│       │   ├── ipareplica.yml
│       │   ├── ipaserver.yml
│       │   ├── rdns.yml
│       │   ├── sudorules.yml
│       │   ├── svcusers.yml
│       │   └── users.yml
│       ├── ipaserver.yml
│       ├── ipsilon.yml
│       ├── mantis.yml
│       ├── matterbridge.yml
│       ├── monitoring
│       │   └── README.md
│       ├── monitoring.yml
│       ├── mounts
│       │   ├── bootstrap_staging.yml
│       │   ├── repopool.yml
│       │   └── srpmproc.yml
│       ├── mqtt.yml
│       ├── pinnwand.yml
│       ├── production
│       │   ├── koji-common.yml
│       │   ├── kojid.yml
│       │   └── kojihub.yml
│       ├── rabbitmq.yml
│       ├── RedHat.yml
│       ├── Rocky.yml -> RedHat.yml
│       ├── sigul_bridge.yml
│       ├── sigul_server.yml
│       ├── staging
│       │   ├── koji-common.yml
│       │   ├── kojid.yml
│       │   └── kojihub.yml
│       ├── vaults
│       │   └── README.md
│       └── wikijs.yml
├── README.md
├── roles
│   ├── local
│   │   └── Readme.md
│   ├── public
│   │   └── Readme.md
│   └── requirements.yml
├── ssh_config
├── tasks -> playbooks/tasks
├── templates -> playbooks/templates
├── tmp
│   ├── ansible.log
│   └── Readme.md
└── vars -> playbooks/vars
```