mirror of
https://github.com/rocky-linux/infrastructure
synced 2024-11-21 20:51:27 +00:00
changed the structure to reflect more modern ansible best practices
moved inv vars to group vars moved roles to collections and fixed playbooks added a prepare ansible host playbook to download needed roles and playbooks modified public roles and collection paths to install inside our dir structure to keep them from global installation
This commit is contained in:
parent
4cb73e39b0
commit
ec056805ff
8
.idea/.gitignore
vendored
Normal file
8
.idea/.gitignore
vendored
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
# Default ignored files
|
||||||
|
/shelf/
|
||||||
|
/workspace.xml
|
||||||
|
# Datasource local storage ignored files
|
||||||
|
/../../../../../../:\Users\pwatteel\PycharmProjects\infrastructure\.idea/dataSources/
|
||||||
|
/dataSources.local.xml
|
||||||
|
# Editor-based HTTP Client requests
|
||||||
|
/httpRequests/
|
11
ansible/.gitignore
vendored
Normal file
11
ansible/.gitignore
vendored
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
#keep tmp folder empty
|
||||||
|
tmp/*
|
||||||
|
!tmp/Readme.md
|
||||||
|
|
||||||
|
#keep folder holding public roles empty
|
||||||
|
roles/public/*
|
||||||
|
!roles/public/Readme.md
|
||||||
|
|
||||||
|
#keep fodler holding ansible collections empty
|
||||||
|
collections/*
|
||||||
|
!README.md
|
@ -13,19 +13,23 @@ Loosely copied from the CentOS ansible infrastructure.
|
|||||||
├── ansible.cfg
|
├── ansible.cfg
|
||||||
├── files -> playbooks/files
|
├── files -> playbooks/files
|
||||||
├── handlers -> playbooks/handlers
|
├── handlers -> playbooks/handlers
|
||||||
├── inventory
|
├── inventories
|
||||||
|
│ ├── production
|
||||||
|
│ | ├── group_vars
|
||||||
|
│ | ├── host_vars
|
||||||
|
│ | hosts
|
||||||
|
│ ├── staging
|
||||||
|
│ ├── devellopment
|
||||||
├── pkistore
|
├── pkistore
|
||||||
├── playbooks
|
├── playbooks
|
||||||
│ ├── files
|
│ ├── files
|
||||||
│ ├── group_vars
|
|
||||||
│ ├── host_vars
|
|
||||||
│ ├── handlers
|
│ ├── handlers
|
||||||
│ ├── tasks
|
│ ├── tasks
|
||||||
│ ├── templates
|
│ ├── templates
|
||||||
│ ├── vars
|
│ ├── vars
|
||||||
│ └── requirements.yml
|
├── roles/local
|
||||||
├── roles
|
|
||||||
│ └── <role-name>
|
│ └── <role-name>
|
||||||
|
| └── requirements.yml
|
||||||
├── tasks -> playbooks/tasks
|
├── tasks -> playbooks/tasks
|
||||||
├── templates -> playbooks/templates
|
├── templates -> playbooks/templates
|
||||||
└── vars -> playbooks/vars
|
└── vars -> playbooks/vars
|
||||||
|
@ -1 +1,69 @@
|
|||||||
# Empty
|
[defaults]
|
||||||
|
|
||||||
|
########################################
|
||||||
|
# Display settings
|
||||||
|
########################################
|
||||||
|
|
||||||
|
# Output display
|
||||||
|
force_color = 1
|
||||||
|
nocows = True
|
||||||
|
|
||||||
|
|
||||||
|
# Note: http://docs.ansible.com/ansible/intro_configuration.html#ansible-managed
|
||||||
|
ansible_managed = Ansible managed
|
||||||
|
#ansible_managed = Ansible managed - {file} on {host}
|
||||||
|
|
||||||
|
|
||||||
|
# Warn when ansible think it is better to use module.
|
||||||
|
# Note: http://docs.ansible.com/ansible/intro_configuration.html#id88
|
||||||
|
command_warnings = True
|
||||||
|
|
||||||
|
# Enable this to debug tasks calls
|
||||||
|
display_args_to_stdout = False
|
||||||
|
display_skipped_hosts = false
|
||||||
|
|
||||||
|
########################################
|
||||||
|
# Playbook settings
|
||||||
|
########################################
|
||||||
|
|
||||||
|
|
||||||
|
# Default strategy
|
||||||
|
strategy = free
|
||||||
|
|
||||||
|
# Number of hosts processed in parallel
|
||||||
|
forks = 20
|
||||||
|
|
||||||
|
|
||||||
|
########################################
|
||||||
|
# Behaviour settings
|
||||||
|
########################################
|
||||||
|
|
||||||
|
|
||||||
|
# Make role variables private
|
||||||
|
retry_files_enabled = True
|
||||||
|
|
||||||
|
# Fact options
|
||||||
|
gathering = smart
|
||||||
|
#gathering = !all
|
||||||
|
#gathering = smart,network,hardware,virtual,ohai,facter
|
||||||
|
#gathering = network,!hardware,virtual,!ohai,!facter
|
||||||
|
|
||||||
|
# facts caching
|
||||||
|
#fact_caching_connection = tmp/facts_cache
|
||||||
|
#fact_caching = json
|
||||||
|
fact_caching = memory
|
||||||
|
fact_caching_timeout = 1800
|
||||||
|
|
||||||
|
# Enable or disable logs
|
||||||
|
# Note put to false in prod
|
||||||
|
no_log = False
|
||||||
|
|
||||||
|
|
||||||
|
########################################
|
||||||
|
# Common destinations
|
||||||
|
########################################
|
||||||
|
|
||||||
|
log_path = tmp/ansible.log
|
||||||
|
known_hosts = tmp/known_hosts
|
||||||
|
roles_path = roles/local:roles/public
|
||||||
|
collections_paths = collections
|
||||||
|
1
ansible/collections/Readme.md
Normal file
1
ansible/collections/Readme.md
Normal file
@ -0,0 +1 @@
|
|||||||
|
Leave empty, this is a placeholder folder for ansible collections
|
@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
ipaclient_domain = rockylinux.org
|
||||||
|
ipaadmin_principal = admin
|
||||||
|
ipaclient_no_ntp = true
|
||||||
|
ipaclient_mkhomedir = true
|
@ -0,0 +1,14 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
ipaadmin_principal = admin
|
||||||
|
ipaclient_no_ntp = true
|
||||||
|
ipaclient_mkhomedir = true
|
||||||
|
ipaserver_realm = ROCKYLINUX.ORG
|
||||||
|
ipaserver_hostname = ipa002.rockylinux.org
|
||||||
|
ipareplica_domain = rockylinux.org
|
||||||
|
ipareplica_auto_forwarders = true
|
||||||
|
ipareplica_setup_firewalld = true
|
||||||
|
ipareplica_setup_ca = true
|
||||||
|
ipareplica_setup_kra = true
|
||||||
|
ipareplica_setup_dns = true
|
||||||
|
ipa_dns_master = 10.100.1.110
|
@ -0,0 +1,14 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
ipaserver_domain = rockylinux.org
|
||||||
|
ipaserver_realm = ROCKYLINUX.ORG
|
||||||
|
ipaserver_setup_dns = true
|
||||||
|
ipaserver_setup_kra = true
|
||||||
|
ipaserver_auto_forwarders = true
|
||||||
|
ipaserver_no_host_dns = true
|
||||||
|
ipaserver_hostname = ipa001.rockylinux.org
|
||||||
|
ipaserver_allow_zone_overlap = true
|
||||||
|
ipaserver_setup_firewalld = true
|
||||||
|
ipaclient_no_ntp = true
|
||||||
|
ipaclient_mkhomedir = true
|
||||||
|
ipaserver_reverse_zones = ["1.100.10.in-addr.arpa."]
|
24
ansible/inventories/production/hosts.ini
Normal file
24
ansible/inventories/production/hosts.ini
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
# Generic inventory hosts
|
||||||
|
[kvm]
|
||||||
|
kvm001 ansible_host=10.100.2.110
|
||||||
|
kvm002 ansible_host=10.100.2.111
|
||||||
|
kvm003 ansible_host=10.100.2.112
|
||||||
|
|
||||||
|
[ipa:children]
|
||||||
|
ipaserver
|
||||||
|
ipareplicas
|
||||||
|
ipaclients
|
||||||
|
|
||||||
|
[ipsilon]
|
||||||
|
idp001 ansible_host=10.100.x.x
|
||||||
|
|
||||||
|
# Playbook and role specific inventory hosts and groups
|
||||||
|
[ipaserver]
|
||||||
|
ipa001 ansible_host=10.100.1.110
|
||||||
|
|
||||||
|
[ipareplicas]
|
||||||
|
ipa002 ansible_host=10.100.1.111
|
||||||
|
|
||||||
|
[ipaclients]
|
||||||
|
build-a-box ansible_host=10.100.1.112
|
||||||
|
|
@ -1,3 +0,0 @@
|
|||||||
# Placeholder
|
|
||||||
[ipsilon]
|
|
||||||
idp.rockylinux.org
|
|
@ -1,48 +0,0 @@
|
|||||||
[ipaservers]
|
|
||||||
ipa001.rockylinux.org ansible_host=10.100.1.110
|
|
||||||
ipa002.rockylinux.org ansible_host=10.100.1.111
|
|
||||||
|
|
||||||
[ipaserver]
|
|
||||||
ipa001.rockylinux.org ansible_host=10.100.1.110
|
|
||||||
|
|
||||||
[ipaserver:vars]
|
|
||||||
ipaserver_domain=rockylinux.org
|
|
||||||
ipaserver_realm=ROCKYLINUX.ORG
|
|
||||||
ipaserver_setup_dns=true
|
|
||||||
ipaserver_setup_kra=true
|
|
||||||
ipaserver_auto_forwarders=true
|
|
||||||
ipaserver_no_host_dns=true
|
|
||||||
ipaserver_hostname=ipa001.rockylinux.org
|
|
||||||
ipaserver_allow_zone_overlap=true
|
|
||||||
ipaserver_setup_firewalld=true
|
|
||||||
ipaclient_no_ntp=true
|
|
||||||
ipaclient_mkhomedir=true
|
|
||||||
ipaserver_reverse_zones=["1.100.10.in-addr.arpa."]
|
|
||||||
|
|
||||||
[ipareplicas]
|
|
||||||
ipa002.rockylinux.org ansible_host=10.100.1.111
|
|
||||||
|
|
||||||
[ipareplicas:vars]
|
|
||||||
ipaadmin_principal=admin
|
|
||||||
ipaclient_no_ntp=true
|
|
||||||
ipaclient_mkhomedir=true
|
|
||||||
ipaserver_realm=ROCKYLINUX.ORG
|
|
||||||
ipaserver_hostname=ipa002.rockylinux.org
|
|
||||||
ipareplica_domain=rockylinux.org
|
|
||||||
ipareplica_auto_forwarders=true
|
|
||||||
ipareplica_setup_firewalld=true
|
|
||||||
ipareplica_setup_ca=true
|
|
||||||
ipareplica_setup_kra=true
|
|
||||||
ipareplica_setup_dns=true
|
|
||||||
ipa_dns_master=10.100.1.110
|
|
||||||
|
|
||||||
# This is for example purposes - it is likely we'll use "all" instead of
|
|
||||||
# putting everything under an ipaclient
|
|
||||||
[ipaclients]
|
|
||||||
build-a-box.rockylinux.org ansible_host=10.100.1.112
|
|
||||||
|
|
||||||
[ipaclients:vars]
|
|
||||||
ipaclient_domain=rockylinux.org
|
|
||||||
ipaadmin_principal=admin
|
|
||||||
ipaclient_no_ntp=true
|
|
||||||
ipaclient_mkhomedir=true
|
|
@ -1,4 +0,0 @@
|
|||||||
[kvmhosts]
|
|
||||||
kvm001.rockylinux.org ansible_host=10.100.2.110
|
|
||||||
kvm002.rockylinux.org ansible_host=10.100.2.111
|
|
||||||
kvm003.rockylinux.org ansible_host=10.100.2.112
|
|
49
ansible/playbooks/init-rocky-ansible-host.yml
Normal file
49
ansible/playbooks/init-rocky-ansible-host.yml
Normal file
@ -0,0 +1,49 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- hosts: localhost
|
||||||
|
connection: local
|
||||||
|
vars:
|
||||||
|
force_purge: true
|
||||||
|
roles_installation_dir: roles/public
|
||||||
|
collection_installation_dir: collections
|
||||||
|
installation_prefix: ../
|
||||||
|
pre_tasks:
|
||||||
|
# example prepare ansible box for execution
|
||||||
|
# - name: install required pip modules on the host running ansible
|
||||||
|
# pip:
|
||||||
|
# name:
|
||||||
|
# - jmespath
|
||||||
|
# - netaddr
|
||||||
|
# - python-consul
|
||||||
|
# - pyvmomi
|
||||||
|
# - python-ldap
|
||||||
|
# - twine
|
||||||
|
|
||||||
|
- name: Remove existing public roles
|
||||||
|
file:
|
||||||
|
path: "{{ installation_prefix }}{{ roles_installation_dir }}"
|
||||||
|
state: absent
|
||||||
|
when: force_purge | bool
|
||||||
|
|
||||||
|
- name: Install all public roles
|
||||||
|
command: >
|
||||||
|
ansible-galaxy role install
|
||||||
|
{{ ( force_purge | bool ) | ternary('--force','') }}
|
||||||
|
--role-file {{ installation_prefix }}roles/requirements.yml
|
||||||
|
--roles-path {{ installation_prefix }}{{ roles_installation_dir }}
|
||||||
|
|
||||||
|
- name: Install needed collections
|
||||||
|
command: >
|
||||||
|
ansible-galaxy collection install
|
||||||
|
{{ ( force_purge | bool ) | ternary('--force-with-deps','') }}
|
||||||
|
-r {{ installation_prefix }}roles/requirements.yml
|
||||||
|
-p {{ installation_prefix }}{{ collection_installation_dir }}
|
||||||
|
|
||||||
|
- name: cleanup old ssh known_hosts
|
||||||
|
file:
|
||||||
|
path: "../tmp/known_hosts"
|
||||||
|
state: absent
|
||||||
|
- file:
|
||||||
|
path: "../tmp/known_hosts"
|
||||||
|
state: touch
|
||||||
|
|
@ -3,7 +3,7 @@
|
|||||||
# Created: @SherifNagy
|
# Created: @SherifNagy
|
||||||
# Modified to current standards: @nazunalika
|
# Modified to current standards: @nazunalika
|
||||||
- name: Configure KVM host
|
- name: Configure KVM host
|
||||||
hosts: kvmhosts
|
hosts: kvm
|
||||||
become: true
|
become: true
|
||||||
|
|
||||||
pre_tasks:
|
pre_tasks:
|
||||||
|
@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
collections:
|
|
||||||
- freeipa.ansible_freeipa
|
|
||||||
- community.general
|
|
||||||
|
|
||||||
roles:
|
|
||||||
- name: geerlingguy.mysql
|
|
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
# Configures an IPA client for the Rocky infrastructure
|
# Configures an IPA client for the Rocky infrastructure
|
||||||
# Variables are in inventory/ipainventory
|
|
||||||
- name: Configure IPA client
|
- name: Configure IPA client
|
||||||
hosts: ipaclients
|
hosts: ipaclients
|
||||||
become: true
|
become: true
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
# Creates an IPA replica
|
# Creates an IPA replica
|
||||||
# Variables are in inventory/ipainventory
|
|
||||||
- name: Configure IPA server
|
- name: Configure IPA server
|
||||||
hosts: ipareplicas
|
hosts: ipareplicas
|
||||||
become: true
|
become: true
|
||||||
|
@ -1,6 +1,5 @@
|
|||||||
---
|
---
|
||||||
# Creates the first server for an IPA infrastructure
|
# Creates the first server for an IPA infrastructure
|
||||||
# Variables for the infrastructure are in inventory/ipainventory
|
|
||||||
# Recommended specs for the IPA systems, that scale based on number of objects:
|
# Recommended specs for the IPA systems, that scale based on number of objects:
|
||||||
# CPU: 2 cores
|
# CPU: 2 cores
|
||||||
# Memory: 4GB
|
# Memory: 4GB
|
||||||
@ -44,8 +43,8 @@
|
|||||||
- reload_networkmanager
|
- reload_networkmanager
|
||||||
|
|
||||||
roles:
|
roles:
|
||||||
- role: ipaserver
|
- role: freeipa.ansible_freeipa.ipaserver
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
post_tasks:
|
post_tasks:
|
||||||
- name: Touching run file that ansible has ran here
|
- name: Touching run file that ansible has ran here
|
||||||
|
@ -10,7 +10,7 @@
|
|||||||
include_vars: "{{ item }}"
|
include_vars: "{{ item }}"
|
||||||
with_first_found:
|
with_first_found:
|
||||||
- "ipaserver.yml"
|
- "ipaserver.yml"
|
||||||
when: "'ipaservers' in group_names"
|
when: "'ipa' in group_names"
|
||||||
|
|
||||||
- name: Check if system is EFI
|
- name: Check if system is EFI
|
||||||
stat:
|
stat:
|
||||||
|
1
ansible/roles/local/Readme.md
Normal file
1
ansible/roles/local/Readme.md
Normal file
@ -0,0 +1 @@
|
|||||||
|
Put all local roles here
|
1
ansible/roles/public/Readme.md
Normal file
1
ansible/roles/public/Readme.md
Normal file
@ -0,0 +1 @@
|
|||||||
|
Do not put any roles here, This is a placeholder for public roles installed via galaxy
|
10
ansible/roles/requirements.yml
Normal file
10
ansible/roles/requirements.yml
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
roles:
|
||||||
|
- name: geerlingguy.mysql
|
||||||
|
|
||||||
|
collections:
|
||||||
|
# freeipa
|
||||||
|
- name: freeipa.ansible_freeipa
|
||||||
|
version: 0.3.1
|
||||||
|
- name: community.general
|
4
ansible/ssh_config
Normal file
4
ansible/ssh_config
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
ControlMaster auto
|
||||||
|
ControlPersist 30m
|
||||||
|
UserKnownHostsFile tmp/known_hosts
|
||||||
|
HashKnownHosts no
|
1
ansible/tmp/Readme.md
Normal file
1
ansible/tmp/Readme.md
Normal file
@ -0,0 +1 @@
|
|||||||
|
Keep folder empty
|
Loading…
Reference in New Issue
Block a user