diff --git a/ansible/README.md b/ansible/README.md index f402d95..dab6bb7 100644 --- a/ansible/README.md +++ b/ansible/README.md @@ -188,6 +188,15 @@ role-rocky-ipa-client.yml init-rocky-system-config.yml ``` +### Initializing a base system + +``` +# All clients should be listed under [ipaclients] +role-rocky-ipa-client.yml +# All systems should be hardened +init-rocky-system-config.yml +``` + ## Current Set ``` diff --git a/ansible/playbooks/import-rockypwpolicy.yml b/ansible/playbooks/import-rockypwpolicy.yml index 01c675f..0759fea 100644 --- a/ansible/playbooks/import-rockypwpolicy.yml +++ b/ansible/playbooks/import-rockypwpolicy.yml @@ -5,7 +5,7 @@ ipaadmin_password: "{{ ipaadmin_password }}" name: "{{ item.group }}" minlife: "{{ item.minlife | default(0) }}" - maxlife: "{{ item.maxlife | default(84) }}" + maxlife: "{{ item.maxlife | default(0) }}" history: "{{ item.history | default(5) }}" priority: "{{ item.priority | default(1) }}" lockouttime: "{{ item.lockout | default(300) }}" diff --git a/ansible/playbooks/role-rocky-bootstrap_staging.yml b/ansible/playbooks/role-rocky-bootstrap_staging.yml new file mode 100644 index 0000000..7154846 --- /dev/null +++ b/ansible/playbooks/role-rocky-bootstrap_staging.yml @@ -0,0 +1,40 @@ +--- +# Manage bootstrap hosts +# +- name: Manage and configure bootstrap hosts + hosts: bootstrap_staging + become: true + vars_files: + - vars/mounts/bootstrap_staging.yml + + # This is to try to avoid the handler issue in pre/post tasks + handlers: + - import_tasks: handlers/main.yml + + pre_tasks: + - name: Check if ansible cannot be run here + stat: + path: /etc/no-ansible + register: no_ansible + + - name: Verify if we can run ansible + assert: + that: + - "not no_ansible.stat.exists" + success_msg: "We are able to run on this node" + fail_msg: "/etc/no-ansible exists - skipping run on this node" + + tasks: + - include_tasks: tasks/efs_mount.yml + loop: "{{ mounts }}" + + - include_tasks: tasks/srpmproc.yml + + post_tasks: + - name: Touching run file that ansible has ran here + file: + path: /var/log/ansible.run + state: touch + mode: '0644' + owner: root + group: root diff --git a/ansible/playbooks/role-rocky-monitoring.yml b/ansible/playbooks/role-rocky-monitoring.yml index 274d7b1..3743cfe 100644 --- a/ansible/playbooks/role-rocky-monitoring.yml +++ b/ansible/playbooks/role-rocky-monitoring.yml @@ -37,8 +37,8 @@ state: present roles: - - role: rockylinux.ipagetcert - state: present + #- role: rockylinux.ipagetcert + # state: present - role: cloudalchemy.prometheus state: present - role: cloudalchemy.alertmanager @@ -61,24 +61,3 @@ mode: '0644' owner: root group: root - -- name: Install Prometheus Node Exporter - hosts: all - become: true - - pre_tasks: - - name: Install SELinux packages - package: - name: python3-policycoreutils.noarch - state: present - - roles: - - role: cloudalchemy.node-exporter - state: present - - post_tasks: - - name: Open firewall for node-exporter - ansible.posix.firewalld: - port: 9100/tcp - permanent: true - state: enabled diff --git a/ansible/playbooks/role-rocky-pinnwand.yml b/ansible/playbooks/role-rocky-pinnwand.yml new file mode 100644 index 0000000..aae89e9 --- /dev/null +++ b/ansible/playbooks/role-rocky-pinnwand.yml @@ -0,0 +1,66 @@ +--- +# pinnwand +- name: Install pinnwand + hosts: pinnwand + become: true + vars_files: + - vars/vaults/hostman.yml + - vars/vaults/pinnwand.yml + - vars/pinnwand.yml + + # This is to try to avoid the handler issue in pre/post tasks + handlers: + - import_tasks: handlers/main.yml + + pre_tasks: + - name: Check if ansible cannot be run here + stat: + path: /etc/no-ansible + register: no_ansible + + - name: Verify if we can run ansible + assert: + that: + - "not no_ansible.stat.exists" + success_msg: "We are able to run on this node" + fail_msg: "/etc/no-ansible exists - skipping run on this node" + + - name: Install SELinux packages + package: + name: python3-policycoreutils.noarch + state: present + + tasks: + #- include_tasks: tasks/pinnwand.yml + # tags: ['includetasks'] + + roles: + - role: rockylinux.ipagetcert + state: present + tags: ['certs'] + + - role: rockylinux.pinnwand + state: present + tags: ['role_pinnwand'] + + # Define variables in vars/matomo/nginx.yml + - role: nginxinc.nginx_core.nginx + tags: ['nginx'] + #- role: nginxinc.nginx_core.nginx_config + # tags: ['nginx'] + + post_tasks: + - name: Open firewalld ports + ansible.posix.firewalld: + port: "{{ item.port }}" + permanent: "{{ item.permanent | default(yes) }}" + state: "{{ item.state | default(present) }}" + loop: "{{ firewall_rules }}" + + - name: Touching run file that ansible has ran here + file: + path: /var/log/ansible.run + state: touch + mode: '0644' + owner: root + group: root diff --git a/ansible/playbooks/role-rocky-repopool.yml b/ansible/playbooks/role-rocky-repopool.yml new file mode 100644 index 0000000..b0dae60 --- /dev/null +++ b/ansible/playbooks/role-rocky-repopool.yml @@ -0,0 +1,41 @@ +--- +# Configures an instance to function as a HTTP serving member of repopool +- name: Configure Repo Pool hosts + hosts: repopool + become: true + vars_files: + - vars/vaults/encpass.yml + - vars/common.yml + - vars/mounts/repopool.yml + + # This is to try to avoid the handler issue in pre/post tasks + handlers: + - import_tasks: handlers/main.yml + + pre_tasks: + - name: Check if ansible cannot be run here + stat: + path: /etc/no-ansible + register: no_ansible + + - name: Verify if we can run ansible + assert: + that: + - "not no_ansible.stat.exists" + success_msg: "We are able to run on this node" + fail_msg: "/etc/no-ansible exists - skipping run on this node" + + tasks: + - name: "Setup shared filesystem mount" + include_tasks: tasks/efs_mount.yml + with_items: "{{ mounts }}" + tags: ["koji_efs_mount"] + + post_tasks: + - name: Touching run file that ansible has ran here + file: + path: /var/log/ansible.run + state: touch + mode: '0644' + owner: root + group: root diff --git a/ansible/playbooks/role-rocky-srpmproc.yml b/ansible/playbooks/role-rocky-srpmproc.yml new file mode 100644 index 0000000..ca6241f --- /dev/null +++ b/ansible/playbooks/role-rocky-srpmproc.yml @@ -0,0 +1,40 @@ +--- +# Manage srpmproc +# +- name: Manage and configure srpmproc + hosts: srpmproc + become: true + vars_files: + - vars/mounts/srpmproc.yml + + # This is to try to avoid the handler issue in pre/post tasks + handlers: + - import_tasks: handlers/main.yml + + pre_tasks: + - name: Check if ansible cannot be run here + stat: + path: /etc/no-ansible + register: no_ansible + + - name: Verify if we can run ansible + assert: + that: + - "not no_ansible.stat.exists" + success_msg: "We are able to run on this node" + fail_msg: "/etc/no-ansible exists - skipping run on this node" + + tasks: + - include_tasks: tasks/efs_mount.yml + loop: "{{ mounts }}" + + - include_tasks: tasks/srpmproc.yml + + post_tasks: + - name: Touching run file that ansible has ran here + file: + path: /var/log/ansible.run + state: touch + mode: '0644' + owner: root + group: root diff --git a/ansible/playbooks/tasks/efs_mount.yml b/ansible/playbooks/tasks/efs_mount.yml new file mode 100644 index 0000000..dc0eb3a --- /dev/null +++ b/ansible/playbooks/tasks/efs_mount.yml @@ -0,0 +1,46 @@ +--- +# Requires amazon-efs-utils; included, but should probably be split out? +# + +- name: "Installing amazon-efs-utils" + become: yes + become_user: root + yum: + name: 'https://git.rockylinux.org/neil/efs-utils/-/jobs/5/artifacts/raw/build/amazon-efs-utils-1.30.1-1.el8.noarch.rpm?inline=false' + disable_gpg_check: yes + validate_certs: yes + state: present + tags: + - amazon_efs_utils + - packages + - mounts + + +- name: "Gathering ec2 facts" + amazon.aws.ec2_metadata_facts: + tags: + - mounts + +# "you can use /etc/hosts" https://github.com/aws/efs-utils/issues/1 +- name: "Install custom hosts file because fmlC-w amazon said so." + become: yes + become_user: root + ansible.builtin.lineinfile: + path: /etc/hosts + line: "{{ item.ip_map[ansible_ec2_placement_availability_zone] }} {{ item.fsid }}.efs.{{ ansible_ec2_placement_region }}.amazonaws.com" + create: yes + tags: + - mounts + + +- name: "Creating and mounting {{ item.fsid }} at {{ item.mount_point }}" + become: yes + become_user: root + ansible.posix.mount: + path: "{{ item.mount_point }}" + src: "{{ item.fsid }}:/" + fstype: "{{ item.fstype }}" + opts: "{{ item.fsopts | join(',') }}" + state: "{{ item.state | default('mounted') }}" + tags: + - mounts diff --git a/ansible/playbooks/tasks/srpmproc.yml b/ansible/playbooks/tasks/srpmproc.yml new file mode 100644 index 0000000..c15207e --- /dev/null +++ b/ansible/playbooks/tasks/srpmproc.yml @@ -0,0 +1,9 @@ +--- +- name: Configure SELinux booleans + ansible.posix.seboolean: + name: "{{ item }}" + persistent: true + state: true + with_items: + - httpd_can_network_connect_db + - httpd_can_network_connect diff --git a/ansible/playbooks/vars/mounts/bootstrap_staging.yml b/ansible/playbooks/vars/mounts/bootstrap_staging.yml new file mode 100644 index 0000000..3618d8a --- /dev/null +++ b/ansible/playbooks/vars/mounts/bootstrap_staging.yml @@ -0,0 +1,18 @@ +--- +x-efs_fs_opts_common: &common_fs_opts + fstype: efs + fsopts: + - _netdev + - tls + - iam + - rw + +mounts: + - name: prod-build-compose + <<: *common_fs_opts + fsid: fs-XXXXXXXX + mount_point: /mnt/compose + ip_map: + us-east-2a: 10.100.100.250 + us-east-2b: 10.100.101.250 + us-east-2c: 10.100.102.250 diff --git a/ansible/playbooks/vars/mounts/repopool.yml b/ansible/playbooks/vars/mounts/repopool.yml new file mode 100644 index 0000000..0af64c0 --- /dev/null +++ b/ansible/playbooks/vars/mounts/repopool.yml @@ -0,0 +1,26 @@ +--- +x-efs_fs_opts_common: &common_fs_opts + fstype: efs + fsopts: + - _netdev + - tls + - iam + - rw + +mounts: + - name: prod-build-repos-staging + <<: *common_fs_opts + fsid: fs-XXXXXXXX + mount_point: /mnt/repos-staging + ip_map: + us-east-2a: 10.101.100.249 + us-east-2b: 10.101.101.249 + us-east-2c: 10.101.102.249 + - name: prod-build-repos-production + <<: *common_fs_opts + fsid: fs-YYYYYYYY + mount_point: /mnt/repos-production + ip_map: + us-east-2a: 10.101.100.246 + us-east-2b: 10.101.101.246 + us-east-2c: 10.101.102.246 diff --git a/ansible/playbooks/vars/mounts/srpmproc.yml b/ansible/playbooks/vars/mounts/srpmproc.yml new file mode 100644 index 0000000..c98df6b --- /dev/null +++ b/ansible/playbooks/vars/mounts/srpmproc.yml @@ -0,0 +1,50 @@ +--- +x-efs_fs_opts_common: &common_fs_opts + fstype: efs + fsopts: + - _netdev + - tls + - iam + - rw + +mounts: + - name: prod-build-repos-internal + <<: *common_fs_opts + fsid: fs-XXXXXXX1 + mount_point: /mnt/repos-internal + ip_map: + us-east-2a: 10.101.100.248 + us-east-2b: 10.101.101.248 + us-east-2c: 10.101.102.248 + - name: prod-koji + <<: *common_fs_opts + fsid: fs-XXXXXXX2 + mount_point: /mnt/koji + ip_map: + us-east-2a: 10.101.100.247 + us-east-2b: 10.101.101.247 + us-east-2c: 10.101.102.247 + - name: prod-build-compose + <<: *common_fs_opts + fsid: fs-XXXXXXX3 + mount_point: /mnt/compose + ip_map: + us-east-2a: 10.101.100.250 + us-east-2b: 10.101.101.250 + us-east-2c: 10.101.102.250 + - name: prod-build-repos-staging + <<: *common_fs_opts + fsid: fs-XXXXXXX4 + mount_point: /mnt/repos-staging + ip_map: + us-east-2a: 10.101.100.249 + us-east-2b: 10.101.101.249 + us-east-2c: 10.101.102.249 + - name: prod-build-repos-production + <<: *common_fs_opts + fsid: fs-XXXXXXX5 + mount_point: /mnt/repos-production + ip_map: + us-east-2a: 10.101.100.246 + us-east-2b: 10.101.101.246 + us-east-2c: 10.101.102.246 diff --git a/ansible/playbooks/vars/pinnwand.yml b/ansible/playbooks/vars/pinnwand.yml new file mode 100644 index 0000000..773d0af --- /dev/null +++ b/ansible/playbooks/vars/pinnwand.yml @@ -0,0 +1,64 @@ +--- +# pinnwand + +firewall_rules: + - port: 443/tcp + permanent: true + state: enabled + - port: 9100/tcp + permanent: true + state: enabled + +tls_ca_cert: "/etc/pki/tls/certs/ca-bundle.crt" +tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt" +tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key" + +ipa_getcert_requested_hostnames: + - name: "{{ ansible_fqdn }}" + owner: nginx + key_location: "{{ tls_key }}" + cert_location: "{{ tls_cert }}" + postcmd: "/bin/systemctl reload nginx" + +pinnwand_config: + database: + scheme: postgresql + username: pinnwand + password: "{{ _pinnwand_db_rw_pass }}" + hostname: "db.rockylinux.org" + port: 5432 + database: pinnwand_db + paste_size: 10485760 + preferred_lexers: [] + logo_path: /opt/pinnwand/logo.png + page_path: /tmp + page_list: + - about + - removal + - expiry + footer: '' + paste_help: '' + report_email: 'abuse@rockylinux.org' + expiries: + - name: 1hour + time: 3600 + - name: 1day + time: 86400 + - name: 1week + time: 604800 + - name: forever + time: 4294967294 + ratelimits: + - name: read + capacity: 100 + consume: 1 + refill: 2 + - name: create + capacity: 2 + consume: 2 + refill: 1 + - name: delete + capacity: 2 + consume: 2 + refill: 1 + spamscore: 50