Reorganize provision playbook

Split server-specific configs out into server role Add symlink to roles for playbook directory
2021-11-05 21:53:47 -04:00
parent 732cf53192
commit 96ea66b77a
9 changed files with 112 additions and 118 deletions
--- a/playbooks/provision.yaml
+++ b/playbooks/provision.yaml
@@ -9,57 +9,16 @@

 - name: Bootstrap remote ansible environment
  hosts: linux
+  gather_facts: false
  tags:
    - always
  tasks:
-    - name: Install CentOS 8 python bindings
-      when: ansible_distribution == "Rocky"
-      become: true
-      ansible.builtin.dnf:
-        state: present
-        name:
-          - python3-libselinux
-          - python3-policycoreutils
-          - python3-firewall
-
-    - name: Create state directory
-      become: true
-      ansible.builtin.file:
-        path: "{{ skylab_state_dir }}"
-        state: directory
-        owner: "{{ ansible_user }}"
-        group: "{{ ansible_user }}"
-        mode: 0755
-
-    - name: Create bootstrap virtualenv
-      ansible.builtin.command:
-        cmd: "{{ ansible_python_interpeter | default(discovered_interpreter_python) }} -m venv {{ skylab_ansible_venv }} --system-site-packages"
-        creates: "{{ skylab_ansible_venv }}/bin/python"
-
-    - name: Pin bootstrap virtualenv pip
-      ansible.builtin.pip:
-        executable: "{{ skylab_ansible_venv }}/bin/pip"
-        name: pip
-        state: present
-        version: "{{ skylab_pip_version }}"
-
-    - name: Copy requirements file to remote
-      ansible.builtin.copy:
-        src: remote-requirements.txt
-        dest: "{{ skylab_ansible_venv }}/requirements.txt"
-        owner: "{{ ansible_user }}"
-        group: "{{ ansible_user }}"
-        mode: 0644
-
-    - name: Install remote requirements
-      ansible.builtin.pip:
-        executable: "{{ skylab_ansible_venv }}/bin/pip"
-        requirements: "{{ skylab_ansible_venv }}/requirements.txt"
-        state: present
+    - include_tasks: tasks/meta/bootstrap-remote-env.yaml


- name: Configure common server settings
+- name: Configure common settings
  hosts: linux
+  gather_facts: false
  vars_files:
    - vars/packages.yaml
  tasks:
@@ -69,6 +28,15 @@
        name: "{{ inventory_hostname }}"
        use: systemd

+    - name: Install global bash config
+      become: true
+      ansible.builtin.copy:
+        src: global.sh
+        dest: /etc/profile.d/ZZ-skylab-global.sh
+        owner: root
+        group: "{{ ansible_user }}"
+        mode: 0644
+
    - name: Install EPEL repository config
      when: ansible_distribution == "Rocky"
      become: true
@@ -84,25 +52,6 @@
        state: present
        key: https://archive.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}

-    - name: Disable sudo password for WHEEL group
-      when: ansible_distribution == "Rocky" or ansible_distribution == "CentOS"
-      become: true
-      ansible.builtin.copy:
-        src: wheel-group-no-sudo-password
-        dest: /etc/sudoers.d/30-wheel
-        owner: root
-        group: "{{ ansible_user }}"
-        mode: 0644
-
-    - name: Install global bash config
-      become: true
-      ansible.builtin.copy:
-        src: global.sh
-        dest: /etc/profile.d/ZZ-skylab-global.sh
-        owner: root
-        group: "{{ ansible_user }}"
-        mode: 0644
-
    - name: Install universal packages
      when: ansible_distribution == "Rocky"
      become: true
@@ -111,58 +60,7 @@
        state: present


- name: Configure SSH
-  hosts: linux
-  handlers:
-    - name: restart-sshd
-      become: true
-      ansible.builtin.systemd:
-        name: sshd
-        state: restarted
-  tasks:
-    - name: Configure SSH authentication settings
-      become: true
-      ansible.builtin.replace:
-        path: /etc/ssh/sshd_config
-        regexp: "{{ item.regex }}"
-        replace: "{{ item.value }}"
-      notify: [restart-sshd]
-      loop:
-        - name: disable root login
-          regex: "^.*PermitRootLogin (yes|no).*$"
-          value: PermitRootLogin no
-        - name: disable password auth
-          regex: "^.*PasswordAuthentication (yes|no).*$"
-          value: PasswordAuthentication no
-        - name: disable challenge response auth
-          regex: "^.*ChallengeResponseAuthentication (yes|no).*$"
-          value: ChallengeResponseAuthentication no
-        - name: disable GSSAPI auth
-          regex: "^.*GSSAPIAuthentication (yes|no).*$"
-          value: GSSAPIAuthentication no
-      loop_control:
-        label: "{{ item.name }}"
-
-    - name: Disable dynamic MOTD on debian systems
-      when: ansible_os_family == "Debian"
-      ansible.builtin.replace:
-        path: /etc/pam.d/sshd
-        regexp: "^session    optional     pam_motd.so  motd=/run/motd.dynamic"
-        replace: "#session    optional     pam_motd.so  motd=/run/motd.dynamic"
-
-    - name: Disable Cockpit activation message on Rocky
-      when: ansible_distribution == "Rocky"
-      become: true
-      ansible.builtin.file:
-        path: /etc/motd.d/cockpit
-        state: absent
-
-    - name: Copy MOTD to remote
-      become: true
-      ansible.builtin.template:
-        src: motd.j2
-        dest: /etc/motd
-        mode: 0644
-
-
 - import_playbook: update.yaml
+
+
+- import_playbook: configure.yaml
--- a/playbooks/roles
+++ b/playbooks/roles
@@ -0,0 +1 @@
+../roles
--- a/playbooks/update.yaml
+++ b/playbooks/update.yaml
@@ -7,6 +7,15 @@
    - include_tasks: tasks/meta/runtime-group-determination.yaml


+- name: Bootstrap remote ansible environment
+  hosts: linux
+  gather_facts: false
+  tags:
+    - always
+  tasks:
+    - include_tasks: tasks/meta/bootstrap-remote-env.yaml
+
+
 - name: Update system
  hosts: linux
  tags: