changed the structure to reflect more modern ansible best practices

moved inv vars to group vars
moved roles to collections and fixed playbooks
added a prepare ansible host playbook to download needed roles and playbooks
modified public roles and collection paths to install inside our dir structure to keep them from global installation

.idea/.gitignore

@@ -0,0 +1,8 @@
+# Default ignored files
+/shelf/
+/workspace.xml
+# Datasource local storage ignored files
+/../../../../../../:\Users\pwatteel\PycharmProjects\infrastructure\.idea/dataSources/
+/dataSources.local.xml
+# Editor-based HTTP Client requests
+/httpRequests/

ansible/.gitignore

@@ -0,0 +1,11 @@
+#keep tmp folder empty
+tmp/*
+!tmp/Readme.md
+
+#keep folder holding public roles empty
+roles/public/*
+!roles/public/Readme.md
+
+#keep fodler holding ansible collections empty
+collections/*
+!README.md

ansible/README.md

@@ -13,19 +13,23 @@ Loosely copied from the CentOS ansible infrastructure.
 ├── ansible.cfg
 ├── files -> playbooks/files
 ├── handlers -> playbooks/handlers
-├── inventory
+├── inventories
+│   ├── production
+│   |   ├── group_vars
+│   |   ├── host_vars
+│   |   hosts
+│   ├── staging
+│   ├── devellopment
 ├── pkistore
 ├── playbooks
 │   ├── files
-│   ├── group_vars
-│   ├── host_vars
 │   ├── handlers
 │   ├── tasks
 │   ├── templates
 │   ├── vars
-│   └── requirements.yml
-├── roles
+├── roles/local
 │   └── <role-name>
+|   └── requirements.yml
 ├── tasks -> playbooks/tasks
 ├── templates -> playbooks/templates
 └── vars -> playbooks/vars

ansible/ansible.cfg

@@ -1 +1,69 @@
-# Empty
+[defaults]
+
+########################################
+# Display settings
+########################################
+
+# Output display
+force_color		= 1
+nocows			= True
+
+
+# Note: http://docs.ansible.com/ansible/intro_configuration.html#ansible-managed
+ansible_managed	= Ansible managed
+#ansible_managed	= Ansible managed - {file} on {host}
+
+
+# Warn when ansible think it is better to use module.
+# Note: http://docs.ansible.com/ansible/intro_configuration.html#id88
+command_warnings = True
+
+# Enable this to debug tasks calls
+display_args_to_stdout = False
+display_skipped_hosts	= false
+
+########################################
+# Playbook settings
+########################################
+
+
+# Default strategy
+strategy		= free
+
+# Number of hosts processed in parallel
+forks = 20
+
+
+########################################
+# Behaviour settings
+########################################
+
+
+# Make role variables private
+retry_files_enabled = True
+
+# Fact options
+gathering = smart
+#gathering = !all
+#gathering = smart,network,hardware,virtual,ohai,facter
+#gathering = network,!hardware,virtual,!ohai,!facter
+
+# facts caching
+#fact_caching_connection = tmp/facts_cache
+#fact_caching = json
+fact_caching = memory
+fact_caching_timeout = 1800
+
+# Enable or disable logs
+# Note put to false in prod
+no_log = False
+
+
+########################################
+# Common destinations
+########################################
+
+log_path		= tmp/ansible.log
+known_hosts     = tmp/known_hosts
+roles_path		= roles/local:roles/public
+collections_paths = collections

ansible/collections/Readme.md

@@ -0,0 +1 @@
+Leave empty, this is a placeholder folder for ansible collections

ansible/inventories/production/group_vars/ipaclients/main.yml

@@ -0,0 +1,6 @@
+---
+
+ipaclient_domain = rockylinux.org
+ipaadmin_principal = admin
+ipaclient_no_ntp = true
+ipaclient_mkhomedir = true

ansible/inventories/production/group_vars/ipareplicas/main.yml

@@ -0,0 +1,14 @@
+---
+
+ipaadmin_principal = admin
+ipaclient_no_ntp = true
+ipaclient_mkhomedir = true
+ipaserver_realm = ROCKYLINUX.ORG
+ipaserver_hostname = ipa002.rockylinux.org
+ipareplica_domain = rockylinux.org
+ipareplica_auto_forwarders = true
+ipareplica_setup_firewalld = true
+ipareplica_setup_ca = true
+ipareplica_setup_kra = true
+ipareplica_setup_dns = true
+ipa_dns_master = 10.100.1.110

ansible/inventories/production/group_vars/ipaservers/main.yml

@@ -0,0 +1,14 @@
+---
+
+ipaserver_domain = rockylinux.org
+ipaserver_realm = ROCKYLINUX.ORG
+ipaserver_setup_dns = true
+ipaserver_setup_kra = true
+ipaserver_auto_forwarders = true
+ipaserver_no_host_dns = true
+ipaserver_hostname = ipa001.rockylinux.org
+ipaserver_allow_zone_overlap = true
+ipaserver_setup_firewalld = true
+ipaclient_no_ntp = true
+ipaclient_mkhomedir = true
+ipaserver_reverse_zones = ["1.100.10.in-addr.arpa."]

ansible/inventories/production/hosts.ini

@@ -0,0 +1,24 @@
+# Generic inventory hosts
+[kvm]
+kvm001 ansible_host=10.100.2.110
+kvm002 ansible_host=10.100.2.111
+kvm003 ansible_host=10.100.2.112
+
+[ipa:children]
+ipaserver
+ipareplicas
+ipaclients
+
+[ipsilon]
+idp001 ansible_host=10.100.x.x
+
+# Playbook and role specific inventory hosts and groups
+[ipaserver]
+ipa001 ansible_host=10.100.1.110
+
+[ipareplicas]
+ipa002 ansible_host=10.100.1.111
+
+[ipaclients]
+build-a-box ansible_host=10.100.1.112
+

ansible/inventory/idpinventory

@@ -1,3 +0,0 @@
-# Placeholder
-[ipsilon]
-idp.rockylinux.org

ansible/inventory/ipainventory

@@ -1,48 +0,0 @@
-[ipaservers]
-ipa001.rockylinux.org ansible_host=10.100.1.110
-ipa002.rockylinux.org ansible_host=10.100.1.111
-
-[ipaserver]
-ipa001.rockylinux.org ansible_host=10.100.1.110
-
-[ipaserver:vars]
-ipaserver_domain=rockylinux.org
-ipaserver_realm=ROCKYLINUX.ORG
-ipaserver_setup_dns=true
-ipaserver_setup_kra=true
-ipaserver_auto_forwarders=true
-ipaserver_no_host_dns=true
-ipaserver_hostname=ipa001.rockylinux.org
-ipaserver_allow_zone_overlap=true
-ipaserver_setup_firewalld=true
-ipaclient_no_ntp=true
-ipaclient_mkhomedir=true
-ipaserver_reverse_zones=["1.100.10.in-addr.arpa."]
-
-[ipareplicas]
-ipa002.rockylinux.org ansible_host=10.100.1.111
-
-[ipareplicas:vars]
-ipaadmin_principal=admin
-ipaclient_no_ntp=true
-ipaclient_mkhomedir=true
-ipaserver_realm=ROCKYLINUX.ORG
-ipaserver_hostname=ipa002.rockylinux.org
-ipareplica_domain=rockylinux.org
-ipareplica_auto_forwarders=true
-ipareplica_setup_firewalld=true
-ipareplica_setup_ca=true
-ipareplica_setup_kra=true
-ipareplica_setup_dns=true
-ipa_dns_master=10.100.1.110
-
-# This is for example purposes - it is likely we'll use "all" instead of
-# putting everything under an ipaclient
-[ipaclients]
-build-a-box.rockylinux.org ansible_host=10.100.1.112
-
-[ipaclients:vars]
-ipaclient_domain=rockylinux.org
-ipaadmin_principal=admin
-ipaclient_no_ntp=true
-ipaclient_mkhomedir=true

ansible/inventory/kvmhostsinventory

@@ -1,4 +0,0 @@
-[kvmhosts]
-kvm001.rockylinux.org ansible_host=10.100.2.110
-kvm002.rockylinux.org ansible_host=10.100.2.111
-kvm003.rockylinux.org ansible_host=10.100.2.112

ansible/playbooks/init-rocky-ansible-host.yml

@@ -0,0 +1,49 @@
+---
+
+- hosts: localhost
+  connection: local
+  vars:
+    force_purge: true
+    roles_installation_dir: roles/public
+    collection_installation_dir: collections
+    installation_prefix: ../
+  pre_tasks:
+# example prepare ansible box for execution
+#    - name: install required pip modules on the host running ansible
+#      pip:
+#        name:
+#          - jmespath
+#          - netaddr
+#          - python-consul
+#          - pyvmomi
+#          - python-ldap
+#          - twine
+
+    - name: Remove existing public roles
+      file:
+        path: "{{ installation_prefix }}{{ roles_installation_dir }}"
+        state: absent
+      when: force_purge | bool
+
+    - name: Install all public roles
+      command: >
+        ansible-galaxy role install
+        {{ ( force_purge | bool ) | ternary('--force','') }}
+        --role-file {{ installation_prefix }}roles/requirements.yml
+        --roles-path {{ installation_prefix }}{{ roles_installation_dir }}
+
+    - name: Install needed collections
+      command: >
+        ansible-galaxy collection install
+        {{ ( force_purge | bool ) | ternary('--force-with-deps','') }}
+        -r {{ installation_prefix }}roles/requirements.yml
+        -p {{ installation_prefix }}{{ collection_installation_dir }}
+
+    - name: cleanup old ssh known_hosts
+      file:
+        path: "../tmp/known_hosts"
+        state: absent
+    - file:
+        path: "../tmp/known_hosts"
+        state: touch
+

ansible/playbooks/init-rocky-install-kvm-hosts.yml

@@ -3,7 +3,7 @@
 # Created: @SherifNagy
 # Modified to current standards: @nazunalika
 - name: Configure KVM host
-  hosts: kvmhosts
+  hosts: kvm
   become: true
 
   pre_tasks:

ansible/playbooks/requirements.yml

@@ -1,7 +0,0 @@
----
-collections:
-  - freeipa.ansible_freeipa
-  - community.general
-
-roles:
-  - name: geerlingguy.mysql

ansible/playbooks/role-rocky-ipa-client.yml

@@ -1,6 +1,6 @@
 ---
 # Configures an IPA client for the Rocky infrastructure
-# Variables are in inventory/ipainventory
+
 - name: Configure IPA client
   hosts: ipaclients
   become: true

ansible/playbooks/role-rocky-ipa-replica.yml

@@ -1,6 +1,6 @@
 ---
 # Creates an IPA replica
-# Variables are in inventory/ipainventory
+
 - name: Configure IPA server
   hosts: ipareplicas
   become: true

ansible/playbooks/role-rocky-ipa.yml

@@ -1,6 +1,5 @@
 ---
 # Creates the first server for an IPA infrastructure
-# Variables for the infrastructure are in inventory/ipainventory
 # Recommended specs for the IPA systems, that scale based on number of objects:
 # CPU: 2 cores
 # Memory: 4GB
@@ -44,8 +43,8 @@
         - reload_networkmanager
 
   roles:
-    - role: ipaserver
-      state: present
+  - role: freeipa.ansible_freeipa.ipaserver
+    state: present
 
   post_tasks:
     - name: Touching run file that ansible has ran here

ansible/playbooks/tasks/variable_loader_common.yml

@@ -10,7 +10,7 @@
       include_vars: "{{ item }}"
       with_first_found:
         - "ipaserver.yml"
-      when: "'ipaservers' in group_names"
+      when: "'ipa' in group_names"
 
     - name: Check if system is EFI
       stat:

ansible/roles/local/Readme.md

@@ -0,0 +1 @@
+Put all local roles here

ansible/roles/public/Readme.md

@@ -0,0 +1 @@
+Do not put any roles here, This is a placeholder for public roles installed via galaxy

ansible/roles/requirements.yml

@@ -0,0 +1,10 @@
+---
+
+roles:
+  - name: geerlingguy.mysql
+
+collections:
+  # freeipa
+  - name: freeipa.ansible_freeipa
+    version: 0.3.1
+  - name: community.general

ansible/ssh_config

@@ -0,0 +1,4 @@
+ControlMaster auto
+ControlPersist 30m
+UserKnownHostsFile tmp/known_hosts
+HashKnownHosts no

ansible/tmp/Readme.md

@@ -0,0 +1 @@
+Keep folder empty