Add cluster roles to inventory

Reorganize provision playbook
Split server-specific configs out into server role Add symlink to roles for playbook directory
2021-11-05 22:31:11 -04:00 · 2021-11-05 22:31:09 -04:00
10 changed files with 117 additions and 118 deletions
--- a/inventory.yaml
+++ b/inventory.yaml
@@ -28,6 +28,11 @@ en1:
  children:
    cluster:
      vars:
        skylab_roles:
          - server
          - docker-swarm-manager
          - datastore
      hosts:
        pegasus:  # jupiter
          ansible_host: 10.42.101.100
--- a/playbooks/provision.yaml
+++ b/playbooks/provision.yaml
@@ -9,57 +9,16 @@
 - name: Bootstrap remote ansible environment
  hosts: linux
  gather_facts: false
  tags:
    - always
  tasks:
-    - name: Install CentOS 8 python bindings
+    - include_tasks: tasks/meta/bootstrap-remote-env.yaml
      when: ansible_distribution == "Rocky"
      become: true
      ansible.builtin.dnf:
        state: present
        name:
          - python3-libselinux
          - python3-policycoreutils
          - python3-firewall
    - name: Create state directory
      become: true
      ansible.builtin.file:
        path: "{{ skylab_state_dir }}"
        state: directory
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
        mode: 0755
    - name: Create bootstrap virtualenv
      ansible.builtin.command:
        cmd: "{{ ansible_python_interpeter | default(discovered_interpreter_python) }} -m venv {{ skylab_ansible_venv }} --system-site-packages"
        creates: "{{ skylab_ansible_venv }}/bin/python"
    - name: Pin bootstrap virtualenv pip
      ansible.builtin.pip:
        executable: "{{ skylab_ansible_venv }}/bin/pip"
        name: pip
        state: present
        version: "{{ skylab_pip_version }}"
    - name: Copy requirements file to remote
      ansible.builtin.copy:
        src: remote-requirements.txt
        dest: "{{ skylab_ansible_venv }}/requirements.txt"
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
        mode: 0644
    - name: Install remote requirements
      ansible.builtin.pip:
        executable: "{{ skylab_ansible_venv }}/bin/pip"
        requirements: "{{ skylab_ansible_venv }}/requirements.txt"
        state: present
- name: Configure common server settings
+- name: Configure common settings
  hosts: linux
  gather_facts: false
  vars_files:
    - vars/packages.yaml
  tasks:
@@ -69,6 +28,15 @@
        name: "{{ inventory_hostname }}"
        use: systemd
    - name: Install global bash config
      become: true
      ansible.builtin.copy:
        src: global.sh
        dest: /etc/profile.d/ZZ-skylab-global.sh
        owner: root
        group: "{{ ansible_user }}"
        mode: 0644
    - name: Install EPEL repository config
      when: ansible_distribution == "Rocky"
      become: true
@@ -84,25 +52,6 @@
        state: present
        key: https://archive.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}
    - name: Disable sudo password for WHEEL group
      when: ansible_distribution == "Rocky" or ansible_distribution == "CentOS"
      become: true
      ansible.builtin.copy:
        src: wheel-group-no-sudo-password
        dest: /etc/sudoers.d/30-wheel
        owner: root
        group: "{{ ansible_user }}"
        mode: 0644
    - name: Install global bash config
      become: true
      ansible.builtin.copy:
        src: global.sh
        dest: /etc/profile.d/ZZ-skylab-global.sh
        owner: root
        group: "{{ ansible_user }}"
        mode: 0644
    - name: Install universal packages
      when: ansible_distribution == "Rocky"
      become: true
@@ -111,58 +60,7 @@
        state: present
 - name: Configure SSH
  hosts: linux
  handlers:
    - name: restart-sshd
      become: true
      ansible.builtin.systemd:
        name: sshd
        state: restarted
  tasks:
    - name: Configure SSH authentication settings
      become: true
      ansible.builtin.replace:
        path: /etc/ssh/sshd_config
        regexp: "{{ item.regex }}"
        replace: "{{ item.value }}"
      notify: [restart-sshd]
      loop:
        - name: disable root login
          regex: "^.*PermitRootLogin (yes|no).*$"
          value: PermitRootLogin no
        - name: disable password auth
          regex: "^.*PasswordAuthentication (yes|no).*$"
          value: PasswordAuthentication no
        - name: disable challenge response auth
          regex: "^.*ChallengeResponseAuthentication (yes|no).*$"
          value: ChallengeResponseAuthentication no
        - name: disable GSSAPI auth
          regex: "^.*GSSAPIAuthentication (yes|no).*$"
          value: GSSAPIAuthentication no
      loop_control:
        label: "{{ item.name }}"
    - name: Disable dynamic MOTD on debian systems
      when: ansible_os_family == "Debian"
      ansible.builtin.replace:
        path: /etc/pam.d/sshd
        regexp: "^session    optional     pam_motd.so  motd=/run/motd.dynamic"
        replace: "#session    optional     pam_motd.so  motd=/run/motd.dynamic"
    - name: Disable Cockpit activation message on Rocky
      when: ansible_distribution == "Rocky"
      become: true
      ansible.builtin.file:
        path: /etc/motd.d/cockpit
        state: absent
    - name: Copy MOTD to remote
      become: true
      ansible.builtin.template:
        src: motd.j2
        dest: /etc/motd
        mode: 0644
 - import_playbook: update.yaml
 - import_playbook: configure.yaml
--- a/playbooks/roles
+++ b/playbooks/roles
@@ -0,0 +1 @@
 ../roles
--- a/playbooks/update.yaml
+++ b/playbooks/update.yaml
@@ -7,6 +7,15 @@
    - include_tasks: tasks/meta/runtime-group-determination.yaml
 - name: Bootstrap remote ansible environment
  hosts: linux
  gather_facts: false
  tags:
    - always
  tasks:
    - include_tasks: tasks/meta/bootstrap-remote-env.yaml
 - name: Update system
  hosts: linux
  tags:
--- a/roles/server/files/wheel-group-no-sudo-password
+++ b/roles/server/files/wheel-group-no-sudo-password
--- a/roles/server/handlers/main.yaml
+++ b/roles/server/handlers/main.yaml
@@ -0,0 +1,6 @@
 ---
 - name: restart-sshd
  become: true
  ansible.builtin.systemd:
    name: sshd
    state: restarted
--- a/roles/server/tasks/main.yaml
+++ b/roles/server/tasks/main.yaml
@@ -0,0 +1,6 @@
 ---
 - name: Configure sudoers file
  ansible.builtin.import_tasks: sudoers.yaml
 - name: Configure SSH server
  ansible.builtin.import_tasks: sshd.yaml
--- a/roles/server/tasks/sshd.yaml
+++ b/roles/server/tasks/sshd.yaml
@@ -0,0 +1,44 @@
 ---
 - name: Configure SSH authentication settings
  become: true
  ansible.builtin.replace:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.regex }}"
    replace: "{{ item.value }}"
  notify: [restart-sshd]
  loop:
    - name: disable root login
      regex: "^.*PermitRootLogin (yes|no).*$"
      value: PermitRootLogin no
    - name: disable password auth
      regex: "^.*PasswordAuthentication (yes|no).*$"
      value: PasswordAuthentication no
    - name: disable challenge response auth
      regex: "^.*ChallengeResponseAuthentication (yes|no).*$"
      value: ChallengeResponseAuthentication no
    - name: disable GSSAPI auth
      regex: "^.*GSSAPIAuthentication (yes|no).*$"
      value: GSSAPIAuthentication no
  loop_control:
    label: "{{ item.name }}"
 - name: Disable dynamic MOTD on debian systems
  when: ansible_os_family == "Debian"
  ansible.builtin.replace:
    path: /etc/pam.d/sshd
    regexp: "^session    optional     pam_motd.so  motd=/run/motd.dynamic"
    replace: "#session    optional     pam_motd.so  motd=/run/motd.dynamic"
 - name: Disable Cockpit activation message on Rocky
  when: ansible_distribution == "Rocky"
  become: true
  ansible.builtin.file:
    path: /etc/motd.d/cockpit
    state: absent
 - name: Copy MOTD to remote
  become: true
  ansible.builtin.template:
    src: motd.j2
    dest: /etc/motd
    mode: 0644
--- a/roles/server/tasks/sudoers.yaml
+++ b/roles/server/tasks/sudoers.yaml
@@ -0,0 +1,30 @@
 ---
 - name: Disable sudo password for WHEEL group
  when: ansible_distribution == "Rocky" or ansible_distribution == "CentOS"
  become: true
  ansible.builtin.copy:
    src: wheel-group-no-sudo-password
    dest: /etc/sudoers.d/30-wheel
    owner: root
    group: "{{ ansible_user }}"
    mode: 0644
 # Note that the cleanup tasks need to be after the new installation tasks
 # since one or more files being cleaned up might be being relied on to
 # allow ansible access
 - name: Fetch content of sudoers config directory
  become: true
  changed_when: false
  ansible.builtin.command:
    cmd: /usr/bin/ls /etc/sudoers.d/
  register: _sudoers_files_raw
 - name: Remove legacy sudoers config files
  when: item.strip() not in ["30-wheel"]
  become: true
  ansible.builtin.file:
    path: /etc/sudoers.d/{{ item.strip() }}
    state: absent
  loop: "{{ _sudoers_files_raw.stdout.split(' ') }}"
  loop_control:
    label: "/etc/sudoers.d/{{ item.strip() }}"
--- a/roles/server/templates/motd.j2
+++ b/roles/server/templates/motd.j2
Author	SHA1	Message	Date
Ethan Paul	7546c88ee4	Add cluster roles to inventory	2021-11-05 22:31:11 -04:00
Ethan Paul	96ea66b77a	Reorganize provision playbook Split server-specific configs out into server role Add symlink to roles for playbook directory	2021-11-05 22:31:09 -04:00