Refactor vm-common (old ubuntu_base) role

group_vars/all/vars.yml

@@ -2,24 +2,16 @@
 # code: language=ansible
 ---
 users:
-  - name: graffen
-    comment: Jesper Hess Nielsen
-    password: '!'
+  - name: ansible
+    comment: Ansible User
+    password_lock: true
     groups: []
     ssh_keys: []
 
-  - name: valberg
-    comment: Vidir Valberg Gudmundsson
-    password: $6$qt3G.E.CxhC$OwBDn4rZUbCz06HLEMBHjgvKjxiv/eeerbklTHi.gpHIn1OejzX3k2.0NM0Dforaw6Yn5Y8Cgn8kL2FdbQLZ3/
-    groups:
-      - sudo
-    ssh_keys:
-      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUmGeHc6QXDcJHkmVxbTUv04Q3vs20avquoGr6eOkkvYbcgjuFnBOOtvs2Nul1odcvvnHa1nN7DfL8XJamiwsB1B/xe2seaNS1axgwk9XowlVN9pgga8gsC+4gZWBtSObG2GR8n4NtPENzPmW5deNn8dRpTvULPMxZ0VRE9yNQOx8v8w85yYh+vxbbkWGVDYJU23yuJI50U9y6bXxNHinsACDFBeR/giXDlw29TaOaSxz0R6zrRPBoX+V68RyWwBL+KWQKtX2ULtJI40S98Ohd6p41bIxYHCBS/zroqNne8PjYOLcHHsjHUGfTvhcS5a3zdz/iHsvsaOOjFjsydAXH valberg
-      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4FRrbTpxwGdlF6RVi/thJaMlaEE0Z9YCQA4Y+KnHbBoVWMjzgbIkSWw3MM+E/iiVnix8SFh4tjDSdFjb8lCvHt/PqhMFhZJ02vhVgSwyU+Ji5ur23i202LB9ua54NLN4kNG8K47U0tKi2/EV6LWl2QdRviAcOUctz6u9XDkkMLUgPEYH384XSTRRj4GJ8+0LRzB2rXqetH3gBe9v1vlv0ETYWvzTnpfZUxcrrqEGtXV9Wa0BZoWLos2oKOsYVjNdLZMoFpmyBxPnqzAi1hr7beblFZKqBkvD7XA9RnERbZn1nxkWufVahppPjKQ+se3esWJCp6ri/vNP4WNKY3hiIoekBLbpvGcP1Te7cAIQXiZOilN92NKKYrzN2gAtsxgqGZw7lI1PE71luGdPir2Evl6hPj6/nnNdEHZWgcmBSPy17uCpVvZYBcDDzj8L3hbkLVQ3kcLZTz6I8BXvuGqoeLvRQpBtn5EaLpCCOmXuKqm+dzHzsOIwh+SA5NA8M3P0=
-
   - name: reynir
     comment: Reynir Björnsson
     password: $6$MiPv.ZFlWnLHGNOb$jdQD9NaPMRUGaP2YHRJNwrMPBGl9qwK0HFhI6x51Xpn7hdzuC4GIwvOw1DJK33sNs/gGP5bWB0izviXkDcq7B0
+    password_lock: false
     groups:
       - sudo
     ssh_keys:
@@ -29,8 +21,19 @@ users:
   - name: samsapti
     comment: Sam Al-Sapti
     password: $6$18dN367fG162hQ9A$Aqkf3O24Ve1btzh1PPOPg3uyydv/AQYUxethcoB4klotebJq3/XsydYT7XBuarxfDccVwyPTMlsP3U8VfQpG60
+    password_lock: false
     groups:
       - sudo
     ssh_keys:
       - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFWZGLov8wPBNxuvnaPK+8vv6wK5hHUVEFzXKsN9QeuBAAAADHNzaDpzYW1zYXB0aQ== ssh:samsapti
       - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf cardno:14 336 332
+
+  - name: valberg
+    comment: Vidir Valberg Gudmundsson
+    password: $6$qt3G.E.CxhC$OwBDn4rZUbCz06HLEMBHjgvKjxiv/eeerbklTHi.gpHIn1OejzX3k2.0NM0Dforaw6Yn5Y8Cgn8kL2FdbQLZ3/
+    password_lock: false
+    groups:
+      - sudo
+    ssh_keys:
+      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUmGeHc6QXDcJHkmVxbTUv04Q3vs20avquoGr6eOkkvYbcgjuFnBOOtvs2Nul1odcvvnHa1nN7DfL8XJamiwsB1B/xe2seaNS1axgwk9XowlVN9pgga8gsC+4gZWBtSObG2GR8n4NtPENzPmW5deNn8dRpTvULPMxZ0VRE9yNQOx8v8w85yYh+vxbbkWGVDYJU23yuJI50U9y6bXxNHinsACDFBeR/giXDlw29TaOaSxz0R6zrRPBoX+V68RyWwBL+KWQKtX2ULtJI40S98Ohd6p41bIxYHCBS/zroqNne8PjYOLcHHsjHUGfTvhcS5a3zdz/iHsvsaOOjFjsydAXH valberg
+      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4FRrbTpxwGdlF6RVi/thJaMlaEE0Z9YCQA4Y+KnHbBoVWMjzgbIkSWw3MM+E/iiVnix8SFh4tjDSdFjb8lCvHt/PqhMFhZJ02vhVgSwyU+Ji5ur23i202LB9ua54NLN4kNG8K47U0tKi2/EV6LWl2QdRviAcOUctz6u9XDkkMLUgPEYH384XSTRRj4GJ8+0LRzB2rXqetH3gBe9v1vlv0ETYWvzTnpfZUxcrrqEGtXV9Wa0BZoWLos2oKOsYVjNdLZMoFpmyBxPnqzAi1hr7beblFZKqBkvD7XA9RnERbZn1nxkWufVahppPjKQ+se3esWJCp6ri/vNP4WNKY3hiIoekBLbpvGcP1Te7cAIQXiZOilN92NKKYrzN2gAtsxgqGZw7lI1PE71luGdPir2Evl6hPj6/nnNdEHZWgcmBSPy17uCpVvZYBcDDzj8L3hbkLVQ3kcLZTz6I8BXvuGqoeLvRQpBtn5EaLpCCOmXuKqm+dzHzsOIwh+SA5NA8M3P0=

host_vars/cavall.yml

@@ -1,7 +1,7 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-ansible_host: 85.209.118.134
+ansible_host: 85.209.118.134 # TODO: Change to DNS name
 ansible_port: 22
 
 hostname: "{{ inventory_hostname }}"

host_vars/folald.yml

@@ -1,9 +1,10 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-ansible_host: 85.209.118.134
+ansible_host: 85.209.118.134 # TODO: Change to DNS name
 ansible_port: 19022
 
+internal_ipv4: 10.2.1.5
 vm_host: cavall
 vm_type: control
 

host_vars/hestur.yml

@@ -1,11 +1,11 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-ansible_host: 159.223.17.241
+ansible_host: 159.223.17.241 # TODO: Change to DNS name
 ansible_port: 22
 
 vm_host: cloud
-vm_type: app
+vm_type: uptime
 
 hostname: "{{ inventory_hostname }}"
 fqdn: "{{ hostname }}.vm.{{ vm_host }}.servers.data.coop"

host_vars/poltre.yml

@@ -1,9 +1,10 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-ansible_host: 85.209.118.142
+ansible_host: 85.209.118.142 # TODO: Change to DNS name
 ansible_port: 19022
 
+internal_ipv4: 10.2.1.2
 vm_host: cavall
 vm_type: app
 

host_vars/varsa.yml

@@ -1,9 +1,10 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-ansible_host: 85.209.118.143
+ansible_host: 85.209.118.143 # TODO: Change to DNS name
 ansible_port: 19022
 
+internal_ipv4: 10.2.1.3
 vm_host: cavall
 vm_type: app
 

roles/docker/tasks/main.yml

@@ -24,14 +24,19 @@
       - docker-compose-plugin
     state: present
 
+- name: Create group for Docker socket
+  ansible.builtin.group:
+    name: docker
+    state: present
+
 - name: Configure rootful Docker
   when: not docker_rootless
   block:
     - name: Make sure Docker is running
       ansible.builtin.service:
         name: docker
-        state: started
         enabled: true
+        state: started
 
     - name: Configure cron job to prune unused Docker data weekly
       ansible.builtin.cron:
@@ -47,10 +52,10 @@
   block:
     - name: Make sure rootful Docker is stopped and disabled
       ansible.builtin.systemd_service:
-        scope: system
         name: docker
-        state: stopped
         enabled: false
+        scope: system
+        state: stopped
 
     - name: Install packages needed by rootless Docker
       ansible.builtin.apt:
@@ -62,11 +67,6 @@
           - slirp4netns
         state: present
 
-    - name: Create group for Docker socket
-      ansible.builtin.group:
-        name: docker
-        state: present
-
     - name: Create user for rootless Docker
       ansible.builtin.user:
         name: "{{ docker_rootless_user }}"
@@ -97,10 +97,10 @@
 
     - name: Make sure rootless Docker is running
       ansible.builtin.systemd_service:
-        scope: user
         name: docker.service
-        state: started
         enabled: true
+        scope: user
+        state: started
       become: true
       become_user: "{{ docker_rootless_user }}"
 

roles/vm-common/handlers/main.yml

@@ -0,0 +1,7 @@
+# vim: ft=yaml.ansible
+# code: language=ansible
+---
+- name: Reload firewalld
+  ansible.builtin.service:
+    name: firewalld
+    state: reloaded

roles/vm-common/tasks/base.yml

@@ -1,13 +1,26 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-- name: Install necessary packages via apt
+- name: Install system packages
   ansible.builtin.apt:
-    name: "{{ packages }}"
-  vars:
-    packages:
+    name:
       - apparmor
+      - bind-utils
+      - firewalld
       - haveged
-      - mosh
-      - ufw
+      - htop
+      - jq
+      - lsof
+      - mtr
+      - telnet
       - vim
+    state: present
+
+- name: Ensure services are enabled and running
+  ansible.builtin.service:
+    name: "{{ item }}"
+    enabled: true
+    state: started
+  loop:
+    - firewalld
+    - haveged

roles/vm-common/tasks/firewall.yml

@@ -1,25 +1,23 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-- name: Setup firewall with UFW
-  community.general.ufw:
+- name: Move internal network to zone 'internal'
+  ansible.posix.firewalld:
+    zone: internal
+    source: 10.2.1.0/24
+    permanent: true
     state: enabled
-    policy: deny
 
-- name: Allow necessary ports
-  community.general.ufw:
-    rule: allow
-    port: "{{ item.port }}"
-    proto: "{{ item.proto | default('tcp') }}"
-  loop:
-    - port: 22     # Gitea SSH
-    - port: 80     # HTTP
-    - port: 443    # HTTPS
-    - port: 389    # OpenLDAP
-    - port: 636    # OpenLDAP
-    - port: 25     # Email
-    - port: 465    # Email
-    - port: 587    # Email
-    - port: 993    # Email
-    - port: 19022  # SSH
-  when: hostname in groups['virtual']
+- name: Allow incoming connections to SSH port in zone 'internal'
+  ansible.posix.firewalld:
+    zone: internal
+    port: "{{ ansible_port }}"
+    permanent: true
+    state: enabled
+
+# Until control VM is deployed
+- name: Allow incoming connections to SSH port in default zone
+  ansible.posix.firewalld:
+    port: "{{ ansible_port }}"
+    permanent: true
+    state: enabled

roles/vm-common/tasks/main.yml

@@ -1,11 +1,18 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-- ansible.builtin.import_tasks: base.yml
-  tags: [install-base-packages]
+- name: Base configuration
+  ansible.builtin.import_tasks: base.yml
+  tags:
+    - install-base-packages
 
-- ansible.builtin.import_tasks: users.yml
-  tags: [setup-users]
+- name: User configuration
+  ansible.builtin.import_tasks: users.yml
+  tags:
+    - setup-users
 
-- ansible.builtin.import_tasks: firewall.yml
-  tags: [setup-firewall]
+- name: Firewall configuration
+  ansible.builtin.import_tasks: firewall.yml
+  notify: Reload firewalld
+  tags:
+    - setup-firewall

roles/vm-common/tasks/users.yml

@@ -1,25 +1,27 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-- name: "Add users"
-  user:
+- name: Add users
+  ansible.builtin.user:
     name: "{{ item.name }}"
     comment: "{{ item.comment }}"
-    password: "{{ item.password }}"
+    password: "{{ item.password | default(omit) }}"
+    password_lock: "{{ item.password_lock }}"
     groups: "{{ item.groups }}"
     update_password: always
     shell: /bin/bash
-  loop: "{{ users | default([]) }}"
+  loop: "{{ users }}"
+  no_log: true
 
-- name: "Add ssh authorized_keys"
+- name: Add SSH keys to users
   ansible.posix.authorized_key:
     user: "{{ item.name }}"
     key: "{{ item.ssh_keys | join('\n') }}"
     exclusive: true
-  loop: "{{ users | default([]) }}"
+  loop: "{{ users }}"
 
-- name: "Add ssh authorized_keys to root user"
+- name: Add SSH keys to Ansible user
   ansible.posix.authorized_key:
-    user: "root"
-    key: "{{ users | default([]) | map(attribute='ssh_keys') | flatten | join('\n') }}"
+    user: ansible
+    key: "{{ users | map(attribute='ssh_keys') | flatten | join('\n') }}"
     exclusive: true