Overhaul playbook organizational structure
Provision playbooks now establish platform-related components of the macro system; configure playbooks now configure/update/establish specific subcomponents of systems; deploy playbooks will eventually deploy specific applications onto the platform.
164
playbooks/configure-mgmt.yml
Normal file
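--- a/playbooks/configure-mgmt.yml
+++ b/playbooks/configure-mgmt.yml
@@ -0,0 +1,164 @@
+---
+- name: Configure server management services
+  hosts: servers
+  tasks:
+    - import_tasks: tasks/sshd/secure.yml
+
+    - name: Enable cockpit
+      when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
+      become: true
+      systemd:
+        name: cockpit.socket
+        enabled: true
+        state: started
+
+- name: Configure virtualization management services
+  hosts: virtualization
+  tasks:
+    - name: Create docker group
+      become: true
+      group:
+        name: docker
+        state: present
+
+- name: Configure local accounts
+  hosts: all
+  vars_files:
+    - vars/accounts.yml
+    - vars/secrets/passwords.yml
+    - vars/sshkeys.yml
+  tasks:
+    - name: Create omni group
+      become: true
+      group:
+        name: "{{ omni_group.name }}"
+        gid: "{{ omni_group.gid }}"
+        state: present
+
+    - name: Determine existing omni users
+      changed_when: false
+      shell:
+        cmd: 'grep omni /etc/group | cut --delimiter : --fields 4 | tr "," "\n"'
+      register: _existing_omni_users
+
+    - name: Delete removed user accounts
+      become: true
+      when: item not in (omni_users | items2dict(key_name='name', value_name='uid'))
+      user:
+        name: "{{ item }}"
+        state: absent
+      loop: "{{ _existing_omni_users.stdout_lines }}"
+
+    - name: Delete removed user groups
+      become: true
+      when: item not in (omni_users | items2dict(key_name='name', value_name='uid'))
+      group:
+        name: "{{ item }}"
+        state: absent
+      loop: "{{ _existing_omni_users.stdout_lines }}"
+
+    - name: Delete removed user home directories
+      become: true
+      when: item not in (omni_users | items2dict(key_name='name', value_name='uid'))
+      file:
+        path: "/home/{{ item }}"
+        state: absent
+      loop: "{{ _existing_omni_users.stdout_lines }}"
+
+    - name: Create account groups
+      become: true
+      group:
+        name: "{{ item.name }}"
+        gid: "{{ item.uid }}"
+        state: present
+      loop: "{{ omni_users }}"
+      loop_control:
+        label: "{{ item.uid }},{{ item.name }}"
+
+    - name: Create accounts
+      become: true
+      user:
+        name: "{{ item.name }}"
+        state: present
+        uid: "{{ item.uid }}"
+        group: "{{ item.name }}"
+        groups: >-
+          {{
+          [omni_group.name] +
+          (['wheel' if ansible_os_family | lower == 'redhat' else 'sudo'] if item.admin | default(false) else []) +
+          (['docker' if 'virtualization' in group_names else omni_group.name] if item.admin | default(false) else [])
+          }}
+        # The 'else omni_group.name' above is just some non-breaking value to cover the
+        # false condition, it doesn't have special meaning
+        comment: "{{ item.fullname | default('') }}"
+        shell: "{{ '/bin/bash' if 'mgmt' in item.targets else '/bin/false' }}"
+        system: "{{ item.svc | default(false) }}"
+        generate_ssh_key: false
+        password: "{{ omni_users_secrets[item.name] | default(none) }}"
+      loop: "{{ omni_users }}"
+      loop_control:
+        label: "{{ item.uid }},{{ item.name }}"
+
+    - name: Disable sudo password for ansible
+      become: true
+      lineinfile:
+        create: true
+        path: /etc/sudoers.d/30-ansible
+        line: "ansible ALL=(ALL) NOPASSWD:ALL"
+        mode: 0644
+
+    - name: Ensure proper ownership of user home directories
+      become: true
+      file:
+        path: /home/{{ item.name }}
+        state: directory
+        group: "{{ item.name }}"
+        owner: "{{ item.name }}"
+        mode: 0700
+      loop: "{{ omni_users }}"
+      loop_control:
+        label: "{{ item.uid }},{{ item.name }}"
+
+    - name: Enforce root password
+      become: true
+      user:
+        name: root
+        password: "{{ omni_users_secrets.root }}"
+        state: present
+
+    - name: Create SSH directory
+      become: true
+      file:
+        path: /home/{{ item.name }}/.ssh
+        owner: "{{ item.name }}"
+        group: "{{ item.name }}"
+        state: directory
+        mode: 0755
+      loop: "{{ omni_users }}"
+      loop_control:
+        label: "{{ item.uid }},{{ item.name }}"
+
+    - name: Update authorized keys
+      become: true
+      when: "'mgmt' in item.targets"
+      authorized_key:
+        user: "{{ item.name }}"
+        key: "{{ omni_ssh_keys[item.name] | join('\n') }}"
+        state: present
+        exclusive: true
+      loop: "{{ omni_users }}"
+      loop_control:
+        label: "{{ item.uid }},{{ item.name }}"
+
+    - name: Enforce ownership of authorized keys
+      become: true
+      when: "'mgmt' in item.targets"
+      file:
+        path: /home/{{ item.name }}/.ssh/authorized_keys
+        state: file
+        owner: "{{ item.name }}"
+        group: "{{ item.name }}"
+        mode: 0400
+      loop: "{{ omni_users }}"
+      loop_control:
+        label: "{{ item.uid }},{{ item.name }}"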
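Review bot: The `Determine existing omni users` task drives three destructive tasks (account, group and `/home/<name>` removal) from `grep omni /etc/group`, an unanchored substring match that also ignores the `omni_group.name` variable the group was created with: any other group whose `/etc/group` line contains `omni` contributes its members to `_existing_omni_users`, and anyone in that list who is not in `omni_users` is then deleted along with their home directory. Anchor the lookup to the configured group, e.g. `cmd: 'getent group {{ omni_group.name | quote }} | cut --delimiter : --fields 4 | tr "," "\n"'`, keeping the YAML single quotes so the `\n` reaches `tr` literally. Separately, the `/etc/sudoers.d/30-ansible` lineinfile task has no `validate: /usr/sbin/visudo -cf %s`, so a malformed line would leave sudo unusable on the host; `mode: 0440` is also the conventional permission for sudoers drop-ins.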