Add monitoring roles to requirements.yml

This commit is contained in:
Chris Cowley 2020-12-12 22:12:50 +01:00
commit 9b52bb2110
31 changed files with 368 additions and 70 deletions

View file

@ -23,10 +23,10 @@ jobs:
echo 'collections_paths = ./collections' >> ansible.cfg
- name: Install role requirements
run: ansible-galaxy role install -r ansible/playbooks/requirements.yml
run: ansible-galaxy role install -r ansible/roles/requirements.yml
- name: Install collection requirements
run: ansible-galaxy collection install -r ansible/playbooks/requirements.yml
run: ansible-galaxy collection install -r ansible/roles/requirements.yml
- name: Ansible Lint
uses: ansible/ansible-lint-action@master

11
ansible/.gitignore vendored Normal file
View file

@ -0,0 +1,11 @@
#keep tmp folder empty
tmp/*
!tmp/Readme.md
#keep folder holding public roles empty
roles/public/*
!roles/public/Readme.md
#keep fodler holding ansible collections empty
collections/*
!README.md

View file

@ -13,19 +13,23 @@ Loosely copied from the CentOS ansible infrastructure.
├── ansible.cfg
├── files -> playbooks/files
├── handlers -> playbooks/handlers
├── inventory
├── inventories
│ ├── production
│ | ├── group_vars
│ | ├── host_vars
│ | hosts
│ ├── staging
│ ├── devellopment
├── pkistore
├── playbooks
│ ├── files
│ ├── group_vars
│ ├── host_vars
│ ├── handlers
│ ├── tasks
│ ├── templates
│ ├── vars
│ └── requirements.yml
├── roles
├── roles/local
│ └── <role-name>
| └── requirements.yml
├── tasks -> playbooks/tasks
├── templates -> playbooks/templates
└── vars -> playbooks/vars

View file

@ -1 +1,69 @@
# Empty
[defaults]
########################################
# Display settings
########################################
# Output display
force_color = 1
nocows = True
# Note: http://docs.ansible.com/ansible/intro_configuration.html#ansible-managed
ansible_managed = Ansible managed
#ansible_managed = Ansible managed - {file} on {host}
# Warn when ansible think it is better to use module.
# Note: http://docs.ansible.com/ansible/intro_configuration.html#id88
command_warnings = True
# Enable this to debug tasks calls
display_args_to_stdout = False
display_skipped_hosts = false
########################################
# Playbook settings
########################################
# Default strategy
strategy = free
# Number of hosts processed in parallel
forks = 20
########################################
# Behaviour settings
########################################
# Make role variables private
retry_files_enabled = True
# Fact options
gathering = smart
#gathering = !all
#gathering = smart,network,hardware,virtual,ohai,facter
#gathering = network,!hardware,virtual,!ohai,!facter
# facts caching
#fact_caching_connection = tmp/facts_cache
#fact_caching = json
fact_caching = memory
fact_caching_timeout = 1800
# Enable or disable logs
# Note put to false in prod
no_log = False
########################################
# Common destinations
########################################
log_path = tmp/ansible.log
known_hosts = tmp/known_hosts
roles_path = roles/local:roles/public
collections_paths = collections

View file

@ -0,0 +1 @@
Leave empty, this is a placeholder folder for ansible collections

View file

@ -0,0 +1,7 @@
---
ipaclient_domain = rockylinux.org
ipaclient_realm = ROCKYLINUX.ORG
ipaadmin_principal = admin
ipaclient_no_ntp = true
ipaclient_mkhomedir = true

View file

@ -0,0 +1,14 @@
---
ipaadmin_principal = admin
ipaclient_no_ntp = true
ipaclient_mkhomedir = true
ipaserver_realm = ROCKYLINUX.ORG
ipaserver_hostname = ipa002.rockylinux.org
ipareplica_domain = rockylinux.org
ipareplica_auto_forwarders = true
ipareplica_setup_firewalld = true
ipareplica_setup_ca = true
ipareplica_setup_kra = true
ipareplica_setup_dns = true
ipa_dns_master = 10.100.1.110

View file

@ -0,0 +1,14 @@
---
ipaserver_domain = rockylinux.org
ipaserver_realm = ROCKYLINUX.ORG
ipaserver_setup_dns = true
ipaserver_setup_kra = true
ipaserver_auto_forwarders = true
ipaserver_no_host_dns = true
ipaserver_hostname = ipa001.rockylinux.org
ipaserver_allow_zone_overlap = true
ipaserver_setup_firewalld = true
ipaclient_no_ntp = true
ipaclient_mkhomedir = true
ipaserver_reverse_zones = ["1.100.10.in-addr.arpa."]

View file

@ -0,0 +1,24 @@
# Generic inventory hosts
[kvm]
kvm001 ansible_host=10.100.2.110
kvm002 ansible_host=10.100.2.111
kvm003 ansible_host=10.100.2.112
[ipa:children]
ipaserver
ipareplicas
ipaclients
[ipsilon]
idp001 ansible_host=10.100.x.x
# Playbook and role specific inventory hosts and groups
[ipaserver]
ipa001 ansible_host=10.100.1.110
[ipareplicas]
ipa002 ansible_host=10.100.1.111
[ipaclients]
build-a-box ansible_host=10.100.1.112

View file

@ -1,3 +0,0 @@
# Placeholder
[ipsilon]
idp.rockylinux.org

View file

@ -1,48 +0,0 @@
[ipaservers]
ipa001.rockylinux.org ansible_host=10.100.1.110
ipa002.rockylinux.org ansible_host=10.100.1.111
[ipaserver]
ipa001.rockylinux.org ansible_host=10.100.1.110
[ipaserver:vars]
ipaserver_domain=rockylinux.org
ipaserver_realm=ROCKYLINUX.ORG
ipaserver_setup_dns=true
ipaserver_setup_kra=true
ipaserver_auto_forwarders=true
ipaserver_no_host_dns=true
ipaserver_hostname=ipa001.rockylinux.org
ipaserver_allow_zone_overlap=true
ipaserver_setup_firewalld=true
ipaclient_no_ntp=true
ipaclient_mkhomedir=true
ipaserver_reverse_zones=["1.100.10.in-addr.arpa."]
[ipareplicas]
ipa002.rockylinux.org ansible_host=10.100.1.111
[ipareplicas:vars]
ipaadmin_principal=admin
ipaclient_no_ntp=true
ipaclient_mkhomedir=true
ipaserver_realm=ROCKYLINUX.ORG
ipaserver_hostname=ipa002.rockylinux.org
ipareplica_domain=rockylinux.org
ipareplica_auto_forwarders=true
ipareplica_setup_firewalld=true
ipareplica_setup_ca=true
ipareplica_setup_kra=true
ipareplica_setup_dns=true
ipa_dns_master=10.100.1.110
# This is for example purposes - it is likely we'll use "all" instead of
# putting everything under an ipaclient
[ipaclients]
build-a-box.rockylinux.org ansible_host=10.100.1.112
[ipaclients:vars]
ipaclient_domain=rockylinux.org
ipaadmin_principal=admin
ipaclient_no_ntp=true
ipaclient_mkhomedir=true

View file

@ -1,4 +0,0 @@
[kvmhosts]
kvm001.rockylinux.org ansible_host=10.100.2.110
kvm002.rockylinux.org ansible_host=10.100.2.111
kvm003.rockylinux.org ansible_host=10.100.2.112

View file

@ -0,0 +1 @@
RedHat-8-system-auth

View file

@ -0,0 +1,40 @@
{imply "with-smartcard" if "with-smartcard-required"}
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900 {include if "with-faillock"}
auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}
auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with-smartcard-required"}
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue nouserok {include if "with-pam-u2f-2fa"}
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail audit deny=5 unlock_time=900 fail_interval=900 {include if "with-faillock"}
auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only minlen=14 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 retry=3
password requisite pam_pwhistory.so use_authok remember=5
password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so

View file

@ -0,0 +1 @@
RedHat-7-system-auth-ac

View file

@ -0,0 +1,34 @@
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=bad] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth required pam_deny.so
account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass minlen=14 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 local_users_only retry=3
password requisite pam_pwhistory.so use_authok remember=5
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so

View file

@ -0,0 +1,52 @@
---
- hosts: localhost
connection: local
vars:
force_purge: true
roles_installation_dir: roles/public
collection_installation_dir: collections
installation_prefix: ../
pre_tasks:
# example prepare ansible box for execution
# - name: install required pip modules on the host running ansible
# pip:
# name:
# - jmespath
# - netaddr
# - python-consul
# - pyvmomi
# - python-ldap
# - twine
- name: Remove existing public roles
file:
path: "{{ installation_prefix }}{{ roles_installation_dir }}"
state: absent
when: force_purge | bool
- name: Install all public roles
command: >
ansible-galaxy role install
{{ ( force_purge | bool ) | ternary('--force','') }}
--role-file {{ installation_prefix }}roles/requirements.yml
--roles-path {{ installation_prefix }}{{ roles_installation_dir }}
- name: Install needed collections
command: >
ansible-galaxy collection install
{{ ( force_purge | bool ) | ternary('--force-with-deps','') }}
-r {{ installation_prefix }}roles/requirements.yml
-p {{ installation_prefix }}{{ collection_installation_dir }}
- name: cleanup old ssh known_hosts - remove
file:
path: "../tmp/known_hosts"
state: absent
mode: "0644"
- name: cleanup old ssh known_hosts - blank
file:
path: "../tmp/known_hosts"
state: touch
mode: "0644"

View file

@ -3,7 +3,7 @@
# Created: @SherifNagy
# Modified to current standards: @nazunalika
- name: Configure KVM host
hosts: kvmhosts
hosts: kvm
become: true
pre_tasks:

View file

@ -30,7 +30,7 @@
- name: Configure harden settings
include: tasks/harden.yml
- name: Configure PAM and SSSD
- name: Configure PAM
include: tasks/authentication.yml
post_tasks:

View file

@ -1,6 +1,6 @@
---
# Configures an IPA client for the Rocky infrastructure
# Variables are in inventory/ipainventory
- name: Configure IPA client
hosts: ipaclients
become: true

View file

@ -1,6 +1,6 @@
---
# Creates an IPA replica
# Variables are in inventory/ipainventory
- name: Configure IPA server
hosts: ipareplicas
become: true

View file

@ -1,6 +1,5 @@
---
# Creates the first server for an IPA infrastructure
# Variables for the infrastructure are in inventory/ipainventory
# Recommended specs for the IPA systems, that scale based on number of objects:
# CPU: 2 cores
# Memory: 4GB
@ -44,7 +43,7 @@
- reload_networkmanager
roles:
- role: ipaserver
- role: freeipa.ansible_freeipa.ipaserver
state: present
post_tasks:

View file

@ -1,3 +1,65 @@
---
# Configures PAM and SSSD post-ipa client installation. It is recommended that
# that we use a custom authselect profile and build it out from there.
- name: Enterprise Linux 7 PAM Configuration
copy:
src: "etc/pam.d/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth-ac"
dest: "{{ item }}"
mode: "0644"
owner: root
group: root
with_items:
- /etc/pam.d/system-auth-ac
- /etc/pam.d/password-auth-ac
when:
- ansible_facts['os_family'] == 'RedHat'
- ansible_facts['distribution_major_version'] == '7'
- name: Enterprise Linux 8 PAM Configuration
when:
- ansible_facts['os_family'] == 'RedHat'
- ansible_facts['distribution_major_version'] == '8'
block:
- name: Ensure Custom Profile is removed
file:
state: absent
path: /etc/authselect/custom/sssd-rocky
- name: Create custom authselect profile based on sssd
command: >
/usr/bin/authselect create-profile sssd-rocky
--base-on sssd
--symlink-dconf
--symlink-meta
--symlink=postlogin
--symlink=smartcard-auth
--symlink=fingerprint-auth
- name: Override system-auth and password-auth
copy:
src: "etc/authselect/custom/sssd-aoc/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth"
dest: "{{ item }}"
mode: '0644'
owner: root
group: root
with_items:
- /etc/authselect/custom/sssd-aoc/system-auth
- /etc/authselect/custom/sssd-aoc/password-auth
- name: Select New Profile
command: >
/usr/bin/authselect select custom/sssd-aoc
without-nullok
with-faillock
with-mkhomedir
with-sudo
--force
- name: Apply new settings
command: /usr/bin/authselect apply-changes
- name: Enable oddjobd
service:
name: oddjobd
state: started
enabled: yes

View file

@ -10,7 +10,7 @@
include_vars: "{{ item }}"
with_first_found:
- "ipaserver.yml"
when: "'ipaservers' in group_names"
when: "'ipaserver' in group_names"
- name: Check if system is EFI
stat:

View file

@ -6,6 +6,7 @@ bin_sudo: /usr/bin/sudo
kernel_boot_options: audit=1
grub_config_path_link: /etc/grub2.cfg
grub_config_path_efi: /etc/grub2-efi.cfg
ipatype: client
# Removing TFTP for now because there will likely be tftp/pxe servers
remove_packages:

View file

@ -0,0 +1 @@
Put all local roles here

View file

@ -0,0 +1 @@
Do not put any roles here, This is a placeholder for public roles installed via galaxy

View file

@ -0,0 +1,13 @@
---
roles:
- name: geerlingguy.mysql
# monitoring
- name: cloudalchemy.node-exporter
- name: cloudalchemy.prometheus
collections:
# freeipa
- name: freeipa.ansible_freeipa
version: 0.3.1
- name: community.general

4
ansible/ssh_config Normal file
View file

@ -0,0 +1,4 @@
ControlMaster auto
ControlPersist 30m
UserKnownHostsFile tmp/known_hosts
HashKnownHosts no

1
ansible/tmp/Readme.md Normal file
View file

@ -0,0 +1 @@
Keep folder empty