From ec056805ff347f77afa2a9ed158eeb2e4fb4b519 Mon Sep 17 00:00:00 2001 
From: Pascal Watteel Date: Sat, 12 Dec 2020 18:13:38 +0400 Subject: [PATCH] changed the structure to reflect more modern ansible best practices. Moved inventory vars to group_vars; moved roles to collections and fixed the playbooks accordingly; added a prepare-ansible-host playbook to download the needed roles and playbooks; modified the public roles and collection paths to install inside our directory structure, to keep them out of the global installation. --- .idea/.gitignore | 8 +++ ansible/.gitignore | 11 +++ ansible/README.md | 14 ++-- ansible/ansible.cfg | 70 ++++++++++++++++++- ansible/collections/Readme.md | 1 + .../production/group_vars/ipa/main.yml | 0 .../production/group_vars/ipaclients/main.yml | 6 ++ .../group_vars/ipareplicas/main.yml | 14 ++++ .../production/group_vars/ipaservers/main.yml | 14 ++++ ansible/inventories/production/hosts.ini | 24 +++++++ ansible/inventory/idpinventory | 3 - ansible/inventory/ipainventory | 48 ------------- ansible/inventory/kvmhostsinventory | 4 -- ansible/playbooks/init-rocky-ansible-host.yml | 49 +++++++++++++ .../init-rocky-install-kvm-hosts.yml | 2 +- ansible/playbooks/requirements.yml | 7 -- ansible/playbooks/role-rocky-ipa-client.yml | 2 +- ansible/playbooks/role-rocky-ipa-replica.yml | 2 +- ansible/playbooks/role-rocky-ipa.yml | 5 +- .../tasks/variable_loader_common.yml | 2 +- ansible/roles/local/Readme.md | 1 + ansible/roles/public/Readme.md | 1 + ansible/roles/requirements.yml | 10 +++ ansible/ssh_config | 4 ++ ansible/tmp/Readme.md | 1 + 25 files changed, 228 insertions(+), 75 deletions(-) create mode 100644 .idea/.gitignore create mode 100644 ansible/.gitignore create mode 100644 ansible/collections/Readme.md create mode 100644 ansible/inventories/production/group_vars/ipa/main.yml create mode 100644 ansible/inventories/production/group_vars/ipaclients/main.yml create mode 100644 ansible/inventories/production/group_vars/ipareplicas/main.yml create mode 100644 ansible/inventories/production/group_vars/ipaservers/main.yml create mode 100644
ansible/inventories/production/hosts.ini
delete mode 100644 ansible/inventory/idpinventory
delete mode 100644 ansible/inventory/ipainventory
delete mode 100644 ansible/inventory/kvmhostsinventory
create mode 100644 ansible/playbooks/init-rocky-ansible-host.yml
delete mode 100644 ansible/playbooks/requirements.yml
create mode 100644 ansible/roles/local/Readme.md
create mode 100644 ansible/roles/public/Readme.md
create mode 100644 ansible/roles/requirements.yml
create mode 100644 ansible/ssh_config
create mode 100644 ansible/tmp/Readme.md
diff --git a/.idea/.gitignore b/.idea/.gitignore
new file mode 100644
index 0000000..6fbf46f
--- /dev/null
+++ b/.idea/.gitignore
@@ -0,0 +1,8 @@
+# Default ignored files
+/shelf/
+/workspace.xml
+# Datasource local storage ignored files
+/../../../../../../:\Users\pwatteel\PycharmProjects\infrastructure\.idea/dataSources/
+/dataSources.local.xml
+# Editor-based HTTP Client requests
+/httpRequests/
diff --git a/ansible/.gitignore b/ansible/.gitignore
new file mode 100644
index 0000000..7694a07
--- /dev/null
+++ b/ansible/.gitignore
@@ -0,0 +1,11 @@
+#keep tmp folder empty
+tmp/*
+!tmp/Readme.md
+
+#keep folder holding public roles empty
+roles/public/*
+!roles/public/Readme.md
+
+#keep fodler holding ansible collections empty
+collections/*
+!README.md
diff --git a/ansible/README.md b/ansible/README.md
index dabe5f7..f37c0e3 100644
--- a/ansible/README.md
+++ b/ansible/README.md
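Review bot: The last negation in ansible/.gitignore does not re-include the placeholder it is meant to keep: `collections/*` ignores `collections/Readme.md`, but the exception is written as `!README.md`, which is a different filename and is not scoped to the collections directory, so it matches nothing under `collections/`. The file is still tracked because this commit adds it explicitly, but any later edit to it will be invisible to `git status`, unlike the `tmp/` and `roles/public/` placeholders above it. Change the line to `!collections/Readme.md`, and fix the typo in the comment above it (`fodler` → `folder`).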
@@ -13,19 +13,23 @@ Loosely copied from the CentOS ansible infrastructure.
 ├── ansible.cfg
 ├── files -> playbooks/files
 ├── handlers -> playbooks/handlers
-├── inventory
+├── inventories
+│ ├── production
+│ | ├── group_vars
+│ | ├── host_vars
+│ | hosts
+│ ├── staging
+│ ├── devellopment
 ├── pkistore
 ├── playbooks
 │ ├── files
-│ ├── group_vars
-│ ├── host_vars
 │ ├── handlers
 │ ├── tasks
 │ ├── templates
 │ ├── vars
-│ └── requirements.yml
-├── roles
+├── roles/local
 │ └──
+| └── requirements.yml
 ├── tasks -> playbooks/tasks
 ├── templates -> playbooks/templates
 └── vars -> playbooks/vars
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
index b7db254..516592e 100644
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -1 +1,69 @@
-# Empty
+[defaults]
+
+########################################
+# Display settings
+########################################
+
+# Output display
+force_color = 1
+nocows = True
+
+
+# Note: http://docs.ansible.com/ansible/intro_configuration.html#ansible-managed
+ansible_managed = Ansible managed
+#ansible_managed = Ansible managed - {file} on {host}
+
+
+# Warn when ansible think it is better to use module.
+# Note: http://docs.ansible.com/ansible/intro_configuration.html#id88
+command_warnings = True
+
+# Enable this to debug tasks calls
+display_args_to_stdout = False
+display_skipped_hosts = false
+
+########################################
+# Playbook settings
+########################################
+
+
+# Default strategy
+strategy = free
+
+# Number of hosts processed in parallel
+forks = 20
+
+
+########################################
+# Behaviour settings
+########################################
+
+
+# Make role variables private
+retry_files_enabled = True
+
+# Fact options
+gathering = smart
+#gathering = !all
+#gathering = smart,network,hardware,virtual,ohai,facter
+#gathering = network,!hardware,virtual,!ohai,!facter
+
+# facts caching
+#fact_caching_connection = tmp/facts_cache
+#fact_caching = json
+fact_caching = memory
+fact_caching_timeout = 1800
+
+# Enable or disable logs
+# Note put to false in prod
+no_log = False
+
+
+########################################
+# Common destinations
+########################################
+
+log_path = tmp/ansible.log
+known_hosts = tmp/known_hosts
+roles_path = roles/local:roles/public
+collections_paths = collections
diff --git a/ansible/collections/Readme.md b/ansible/collections/Readme.md
new file mode 100644
index 0000000..f71f93c
--- /dev/null
+++ b/ansible/collections/Readme.md
@@ -0,0 +1 @@
+Leave empty, this is a placeholder folder for ansible collections
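Review bot: The comment above `no_log = False` reads "Note put to false in prod", which points in the unsafe direction: `no_log` is the global switch that suppresses task details from output and from the log, so `False` is the permissive value and `True` is what production wants, especially now that `log_path = tmp/ansible.log` writes task results to disk on the control host. Reword it to `# Set to True in production: tmp/ansible.log records task arguments and results` so the next person does not flip it the wrong way. The comment `# Make role variables private` sits above `retry_files_enabled = True`, which has nothing to do with role variable privacy (that would be `private_role_vars`); either drop the comment or add the option it describes.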
diff --git a/ansible/inventories/production/group_vars/ipa/main.yml b/ansible/inventories/production/group_vars/ipa/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/inventories/production/group_vars/ipaclients/main.yml b/ansible/inventories/production/group_vars/ipaclients/main.yml
new file mode 100644
index 0000000..f7cdda5
--- /dev/null
+++ b/ansible/inventories/production/group_vars/ipaclients/main.yml
@@ -0,0 +1,6 @@
+---
+
+ipaclient_domain = rockylinux.org
+ipaadmin_principal = admin
+ipaclient_no_ntp = true
+ipaclient_mkhomedir = true
diff --git a/ansible/inventories/production/group_vars/ipareplicas/main.yml b/ansible/inventories/production/group_vars/ipareplicas/main.yml
new file mode 100644
index 0000000..e9e570e
--- /dev/null
+++ b/ansible/inventories/production/group_vars/ipareplicas/main.yml
@@ -0,0 +1,14 @@
+---
+
+ipaadmin_principal = admin
+ipaclient_no_ntp = true
+ipaclient_mkhomedir = true
+ipaserver_realm = ROCKYLINUX.ORG
+ipaserver_hostname = ipa002.rockylinux.org
+ipareplica_domain = rockylinux.org
+ipareplica_auto_forwarders = true
+ipareplica_setup_firewalld = true
+ipareplica_setup_ca = true
+ipareplica_setup_kra = true
+ipareplica_setup_dns = true
+ipa_dns_master = 10.100.1.110
diff --git a/ansible/inventories/production/group_vars/ipaservers/main.yml b/ansible/inventories/production/group_vars/ipaservers/main.yml
new file mode 100644
index 0000000..20606d7
--- /dev/null
+++ b/ansible/inventories/production/group_vars/ipaservers/main.yml
@@ -0,0 +1,14 @@
+---
+
+ipaserver_domain = rockylinux.org
+ipaserver_realm = ROCKYLINUX.ORG
+ipaserver_setup_dns = true
+ipaserver_setup_kra = true
+ipaserver_auto_forwarders = true
+ipaserver_no_host_dns = true
+ipaserver_hostname = ipa001.rockylinux.org
+ipaserver_allow_zone_overlap = true
+ipaserver_setup_firewalld = true
+ipaclient_no_ntp = true
+ipaclient_mkhomedir = true
+ipaserver_reverse_zones = ["1.100.10.in-addr.arpa."]
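Review bot: These group_vars use ini-style `key = value` lines, which are not YAML mappings: a `.yml` file of bare `name = value` lines parses as one plain scalar string rather than a dictionary, and Ansible requires a vars file to be a mapping, so it will error out instead of defining `ipaclient_domain` and the rest. The `[ipaclients:vars]` syntax carried over from the deleted inventory needs converting on every line, e.g. `ipaclient_domain: rockylinux.org`, `ipaadmin_principal: admin`, `ipaclient_no_ntp: true`; the same applies to the ipareplicas and ipaservers files in this commit. When the matching `ipaadmin_password` is added later, keep it out of these plain-text files and in Ansible Vault.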
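Review bot: This directory is named `ipaservers`, but the hosts.ini added in this same commit defines the group as `[ipaserver]` (singular, and that is the name listed under `[ipa:children]`); group_vars are matched by exact group name, so none of these `ipaserver_*` values would reach ipa001 even once the `key = value` lines are converted to YAML `key: value`. Rename the directory to `group_vars/ipaserver/` or rename the inventory group to `[ipaservers]`, matching how `ipareplicas` and `ipaclients` already line up.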
diff --git a/ansible/inventories/production/hosts.ini b/ansible/inventories/production/hosts.ini
new file mode 100644
index 0000000..73f2170
--- /dev/null
+++ b/ansible/inventories/production/hosts.ini
@@ -0,0 +1,24 @@
+# Generic inventory hosts
+[kvm]
+kvm001 ansible_host=10.100.2.110
+kvm002 ansible_host=10.100.2.111
+kvm003 ansible_host=10.100.2.112
+
+[ipa:children]
+ipaserver
+ipareplicas
+ipaclients
+
+[ipsilon]
+idp001 ansible_host=10.100.x.x
+
+# Playbook and role specific inventory hosts and groups
+[ipaserver]
+ipa001 ansible_host=10.100.1.110
+
+[ipareplicas]
+ipa002 ansible_host=10.100.1.111
+
+[ipaclients]
+build-a-box ansible_host=10.100.1.112
+
diff --git a/ansible/inventory/idpinventory b/ansible/inventory/idpinventory
deleted file mode 100644
index 29c704b..0000000
--- a/ansible/inventory/idpinventory
+++ /dev/null
@@ -1,3 +0,0 @@
-# Placeholder
-[ipsilon]
-idp.rockylinux.org
diff --git a/ansible/inventory/ipainventory b/ansible/inventory/ipainventory
deleted file mode 100644
index e915a91..0000000
--- a/ansible/inventory/ipainventory
+++ /dev/null
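Review bot: `idp001 ansible_host=10.100.x.x` is a placeholder, not an address, and unlike the deleted idpinventory it is not marked as such; any play targeting `ipsilon` or `all` will fail at connect time on that host. Either put in the real address or comment the entry out until it exists: `#idp001 ansible_host=10.100.x.x  # placeholder`. Separately, the `[ipaserver]` group name here does not match the `group_vars/ipaservers/` directory added in this commit, so those vars will not apply to ipa001 until one of the two is renamed.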
@@ -1,48 +0,0 @@
-[ipaservers]
-ipa001.rockylinux.org ansible_host=10.100.1.110
-ipa002.rockylinux.org ansible_host=10.100.1.111
-
-[ipaserver]
-ipa001.rockylinux.org ansible_host=10.100.1.110
-
-[ipaserver:vars]
-ipaserver_domain=rockylinux.org
-ipaserver_realm=ROCKYLINUX.ORG
-ipaserver_setup_dns=true
-ipaserver_setup_kra=true
-ipaserver_auto_forwarders=true
-ipaserver_no_host_dns=true
-ipaserver_hostname=ipa001.rockylinux.org
-ipaserver_allow_zone_overlap=true
-ipaserver_setup_firewalld=true
-ipaclient_no_ntp=true
-ipaclient_mkhomedir=true
-ipaserver_reverse_zones=["1.100.10.in-addr.arpa."]
-
-[ipareplicas]
-ipa002.rockylinux.org ansible_host=10.100.1.111
-
-[ipareplicas:vars]
-ipaadmin_principal=admin
-ipaclient_no_ntp=true
-ipaclient_mkhomedir=true
-ipaserver_realm=ROCKYLINUX.ORG
-ipaserver_hostname=ipa002.rockylinux.org
-ipareplica_domain=rockylinux.org
-ipareplica_auto_forwarders=true
-ipareplica_setup_firewalld=true
-ipareplica_setup_ca=true
-ipareplica_setup_kra=true
-ipareplica_setup_dns=true
-ipa_dns_master=10.100.1.110
-
-# This is for example purposes - it is likely we'll use "all" instead of
-# putting everything under an ipaclient
-[ipaclients]
-build-a-box.rockylinux.org ansible_host=10.100.1.112
-
-[ipaclients:vars]
-ipaclient_domain=rockylinux.org
-ipaadmin_principal=admin
-ipaclient_no_ntp=true
-ipaclient_mkhomedir=true
diff --git a/ansible/inventory/kvmhostsinventory b/ansible/inventory/kvmhostsinventory
deleted file mode 100644
index 8380360..0000000
--- a/ansible/inventory/kvmhostsinventory
+++ /dev/null
@@ -1,4 +0,0 @@
-[kvmhosts]
-kvm001.rockylinux.org ansible_host=10.100.2.110
-kvm002.rockylinux.org ansible_host=10.100.2.111
-kvm003.rockylinux.org ansible_host=10.100.2.112
diff --git a/ansible/playbooks/init-rocky-ansible-host.yml b/ansible/playbooks/init-rocky-ansible-host.yml
new file mode 100644
index 0000000..c62e199
--- /dev/null
+++ b/ansible/playbooks/init-rocky-ansible-host.yml
@@ -0,0 +1,49 @@
+---
+
+- hosts: localhost
+ connection: local
+ vars:
+ force_purge: true
+ roles_installation_dir: roles/public
+ collection_installation_dir: collections
+ installation_prefix: ../
+ pre_tasks:
+# example prepare ansible box for execution
+# - name: install required pip modules on the host running ansible
+# pip:
+# name:
+# - jmespath
+# - netaddr
+# - python-consul
+# - pyvmomi
+# - python-ldap
+# - twine
+
+ - name: Remove existing public roles
+ file:
+ path: "{{ installation_prefix }}{{ roles_installation_dir }}"
+ state: absent
+ when: force_purge | bool
+
+ - name: Install all public roles
+ command: >
+ ansible-galaxy role install
+ {{ ( force_purge | bool ) | ternary('--force','') }}
+ --role-file {{ installation_prefix }}roles/requirements.yml
+ --roles-path {{ installation_prefix }}{{ roles_installation_dir }}
+
+ - name: Install needed collections
+ command: >
+ ansible-galaxy collection install
+ {{ ( force_purge | bool ) | ternary('--force-with-deps','') }}
+ -r {{ installation_prefix }}roles/requirements.yml
+ -p {{ installation_prefix }}{{ collection_installation_dir }}
+
+ - name: cleanup old ssh known_hosts
+ file:
+ path: "../tmp/known_hosts"
+ state: absent
+ - file:
+ path: "../tmp/known_hosts"
+ state: touch
+
diff --git a/ansible/playbooks/init-rocky-install-kvm-hosts.yml b/ansible/playbooks/init-rocky-install-kvm-hosts.yml
index 06ee06e..1d737c6 100644
--- a/ansible/playbooks/init-rocky-install-kvm-hosts.yml
+++ b/ansible/playbooks/init-rocky-install-kvm-hosts.yml
@@ -3,7 +3,7 @@ # Created: @SherifNagy # Modified to current standards: @nazunalika - name: Configure KVM host - hosts: kvmhosts + hosts: kvm become: true pre_tasks:
diff --git a/ansible/playbooks/requirements.yml b/ansible/playbooks/requirements.yml
deleted file mode 100644
index 79df8b8..0000000
--- a/ansible/playbooks/requirements.yml
+++ /dev/null
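Review bot: The two tasks at the end delete and recreate `../tmp/known_hosts` on every run, which throws away every SSH host key previously pinned for the managed hosts; the next connection then re-learns whatever key is presented, so a MITM on that connection is not detected and the file provides no more assurance than having no known_hosts at all. Either drop the purge, or gate it on its own opt-in variable rather than the default run, and populate the file from a committed list of known host keys instead of trusting on first use each time. The paths are also hard-coded as `"../tmp/known_hosts"` while the rest of the play builds paths from `installation_prefix`; `"{{ installation_prefix }}tmp/known_hosts"` keeps them consistent, and `{{ playbook_dir }}/..` in place of `../` would remove the dependence on the caller's working directory altogether.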
@@ -1,7 +0,0 @@
----
-collections:
- - freeipa.ansible_freeipa
- - community.general
-
-roles:
- - name: geerlingguy.mysql
diff --git a/ansible/playbooks/role-rocky-ipa-client.yml b/ansible/playbooks/role-rocky-ipa-client.yml
index 0d22d46..44b83f1 100644
--- a/ansible/playbooks/role-rocky-ipa-client.yml
+++ b/ansible/playbooks/role-rocky-ipa-client.yml
@@ -1,6 +1,6 @@
 ---
 # Configures an IPA client for the Rocky infrastructure
-# Variables are in inventory/ipainventory
+
 - name: Configure IPA client
 hosts: ipaclients
 become: true
diff --git a/ansible/playbooks/role-rocky-ipa-replica.yml b/ansible/playbooks/role-rocky-ipa-replica.yml
index 449bfe5..aa9511a 100644
--- a/ansible/playbooks/role-rocky-ipa-replica.yml
+++ b/ansible/playbooks/role-rocky-ipa-replica.yml
@@ -1,6 +1,6 @@
 ---
 # Creates an IPA replica
-# Variables are in inventory/ipainventory
+
 - name: Configure IPA server
 hosts: ipareplicas
 become: true
diff --git a/ansible/playbooks/role-rocky-ipa.yml b/ansible/playbooks/role-rocky-ipa.yml
index 9cc9aa9..84a30c0 100644
--- a/ansible/playbooks/role-rocky-ipa.yml
+++ b/ansible/playbooks/role-rocky-ipa.yml
@@ -1,6 +1,5 @@
 ---
 # Creates the first server for an IPA infrastructure
-# Variables for the infrastructure are in inventory/ipainventory
 # Recommended specs for the IPA systems, that scale based on number of objects:
 # CPU: 2 cores
 # Memory: 4GB
@@ -44,8 +43,8 @@ - reload_networkmanager roles: - - role: ipaserver - state: present + - role: freeipa.ansible_freeipa.ipaserver + state: present post_tasks: - name: Touching run file that ansible has ran here
diff --git a/ansible/playbooks/tasks/variable_loader_common.yml b/ansible/playbooks/tasks/variable_loader_common.yml
index a60f7b0..8c71824 100644
--- a/ansible/playbooks/tasks/variable_loader_common.yml
+++ b/ansible/playbooks/tasks/variable_loader_common.yml
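Review bot: The removed pointer `# Variables are in inventory/ipainventory` is replaced by a blank line, leaving role-rocky-ipa-client.yml with no indication of where `ipaclients` now gets its variables; put a current pointer in its place, `# Variables are in inventories/production/group_vars/ipaclients/`, and do the same in role-rocky-ipa-replica.yml, whose hunk makes the identical deletion. The play's roles section is outside this hunk, so I cannot see whether its `ipaclient` role reference was updated.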
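Review bot: Only role-rocky-ipa.yml is moved to the fully-qualified `freeipa.ansible_freeipa.ipaserver` here; the client and replica playbooks in the same commit change by one comment line each (`2 +-` in the diffstat), which suggests their role references were not touched. If they still name `ipaclient` and `ipareplica` by short name, they will not resolve from the new `collections_paths` the way this one now does and need the same `freeipa.ansible_freeipa.` prefix. The surrounding `roles:` list starts before this hunk and the play continues after it.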
@@ -10,7 +10,7 @@ include_vars: "{{ item }}" with_first_found: - "ipaserver.yml" - when: "'ipaservers' in group_names" + when: "'ipa' in group_names" - name: Check if system is EFI stat:
diff --git a/ansible/roles/local/Readme.md b/ansible/roles/local/Readme.md
new file mode 100644
index 0000000..2c0ace4
--- /dev/null
+++ b/ansible/roles/local/Readme.md
@@ -0,0 +1 @@
+Put all local roles here
diff --git a/ansible/roles/public/Readme.md b/ansible/roles/public/Readme.md
new file mode 100644
index 0000000..d5521bf
--- /dev/null
+++ b/ansible/roles/public/Readme.md
@@ -0,0 +1 @@
+Do not put any roles here, This is a placeholder for public roles installed via galaxy
diff --git a/ansible/roles/requirements.yml b/ansible/roles/requirements.yml
new file mode 100644
index 0000000..f796222
--- /dev/null
+++ b/ansible/roles/requirements.yml
@@ -0,0 +1,10 @@
+---
+
+roles:
+ - name: geerlingguy.mysql
+
+collections:
+ # freeipa
+ - name: freeipa.ansible_freeipa
+ version: 0.3.1
+ - name: community.general
diff --git a/ansible/ssh_config b/ansible/ssh_config
new file mode 100644
index 0000000..8da16ef
--- /dev/null
+++ b/ansible/ssh_config
@@ -0,0 +1,4 @@
+ControlMaster auto
+ControlPersist 30m
+UserKnownHostsFile tmp/known_hosts
+HashKnownHosts no
diff --git a/ansible/tmp/Readme.md b/ansible/tmp/Readme.md
new file mode 100644
index 0000000..095c3ee
--- /dev/null
+++ b/ansible/tmp/Readme.md
@@ -0,0 +1 @@
+Keep folder empty
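Review bot: Widening the condition from `'ipaservers'` to `'ipa'` changes who receives `ipaserver.yml`: in the new hosts.ini, `ipa` is the parent of `ipaserver`, `ipareplicas` and `ipaclients`, so `group_names` contains `ipa` for the client `build-a-box` too, and server-only variables will now be loaded on clients. If that is intended, say so in a comment on the task; if not, match the server groups explicitly, `when: "'ipaserver' in group_names or 'ipareplicas' in group_names"`. The `include_vars` task starts before this hunk.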
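Review bot: `geerlingguy.mysql` and `community.general` are unpinned while `freeipa.ansible_freeipa` is pinned to `0.3.1`, and init-rocky-ansible-host.yml in this commit re-installs all of them with `--force` / `--force-with-deps` on every run, so each run pulls whatever Galaxy currently serves for the two unpinned entries. Pin them the same way with a `version:` under each entry so the control host is reproducible and an upstream release cannot change what runs with `become: true` on the IPA and KVM hosts without a reviewed commit.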
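Review bot: `UserKnownHostsFile tmp/known_hosts` is a relative path, which ssh resolves against the current working directory rather than this file's location, so it only works when ansible is invoked from `ansible/`; and the ansible.cfg written in this commit has no `[ssh_connection]` section pointing at this file (`ssh_args = -F ssh_config` or similar), so as far as I can tell it is not used at all. Wire it in from ansible.cfg, use an absolute path, and add `StrictHostKeyChecking yes` (or `accept-new` if first-run bootstrap is needed) so the keys in that file are actually enforced rather than silently replaced.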