Refactor vm-common (old ubuntu_base) role
This commit is contained in:
parent
23735ac517
commit
7476dba0e6
|
@ -2,24 +2,16 @@
|
||||||
# code: language=ansible
|
# code: language=ansible
|
||||||
---
|
---
|
||||||
users:
|
users:
|
||||||
- name: graffen
|
- name: ansible
|
||||||
comment: Jesper Hess Nielsen
|
comment: Ansible User
|
||||||
password: '!'
|
password_lock: true
|
||||||
groups: []
|
groups: []
|
||||||
ssh_keys: []
|
ssh_keys: []
|
||||||
|
|
||||||
- name: valberg
|
|
||||||
comment: Vidir Valberg Gudmundsson
|
|
||||||
password: $6$qt3G.E.CxhC$OwBDn4rZUbCz06HLEMBHjgvKjxiv/eeerbklTHi.gpHIn1OejzX3k2.0NM0Dforaw6Yn5Y8Cgn8kL2FdbQLZ3/
|
|
||||||
groups:
|
|
||||||
- sudo
|
|
||||||
ssh_keys:
|
|
||||||
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUmGeHc6QXDcJHkmVxbTUv04Q3vs20avquoGr6eOkkvYbcgjuFnBOOtvs2Nul1odcvvnHa1nN7DfL8XJamiwsB1B/xe2seaNS1axgwk9XowlVN9pgga8gsC+4gZWBtSObG2GR8n4NtPENzPmW5deNn8dRpTvULPMxZ0VRE9yNQOx8v8w85yYh+vxbbkWGVDYJU23yuJI50U9y6bXxNHinsACDFBeR/giXDlw29TaOaSxz0R6zrRPBoX+V68RyWwBL+KWQKtX2ULtJI40S98Ohd6p41bIxYHCBS/zroqNne8PjYOLcHHsjHUGfTvhcS5a3zdz/iHsvsaOOjFjsydAXH valberg
|
|
||||||
- ssh-rsa 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
|
|
||||||
|
|
||||||
- name: reynir
|
- name: reynir
|
||||||
comment: Reynir Björnsson
|
comment: Reynir Björnsson
|
||||||
password: $6$MiPv.ZFlWnLHGNOb$jdQD9NaPMRUGaP2YHRJNwrMPBGl9qwK0HFhI6x51Xpn7hdzuC4GIwvOw1DJK33sNs/gGP5bWB0izviXkDcq7B0
|
password: $6$MiPv.ZFlWnLHGNOb$jdQD9NaPMRUGaP2YHRJNwrMPBGl9qwK0HFhI6x51Xpn7hdzuC4GIwvOw1DJK33sNs/gGP5bWB0izviXkDcq7B0
|
||||||
|
password_lock: false
|
||||||
groups:
|
groups:
|
||||||
- sudo
|
- sudo
|
||||||
ssh_keys:
|
ssh_keys:
|
||||||
|
@ -29,8 +21,19 @@ users:
|
||||||
- name: samsapti
|
- name: samsapti
|
||||||
comment: Sam Al-Sapti
|
comment: Sam Al-Sapti
|
||||||
password: $6$18dN367fG162hQ9A$Aqkf3O24Ve1btzh1PPOPg3uyydv/AQYUxethcoB4klotebJq3/XsydYT7XBuarxfDccVwyPTMlsP3U8VfQpG60
|
password: $6$18dN367fG162hQ9A$Aqkf3O24Ve1btzh1PPOPg3uyydv/AQYUxethcoB4klotebJq3/XsydYT7XBuarxfDccVwyPTMlsP3U8VfQpG60
|
||||||
|
password_lock: false
|
||||||
groups:
|
groups:
|
||||||
- sudo
|
- sudo
|
||||||
ssh_keys:
|
ssh_keys:
|
||||||
- sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFWZGLov8wPBNxuvnaPK+8vv6wK5hHUVEFzXKsN9QeuBAAAADHNzaDpzYW1zYXB0aQ== ssh:samsapti
|
- sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFWZGLov8wPBNxuvnaPK+8vv6wK5hHUVEFzXKsN9QeuBAAAADHNzaDpzYW1zYXB0aQ== ssh:samsapti
|
||||||
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf cardno:14 336 332
|
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf cardno:14 336 332
|
||||||
|
|
||||||
|
- name: valberg
|
||||||
|
comment: Vidir Valberg Gudmundsson
|
||||||
|
password: $6$qt3G.E.CxhC$OwBDn4rZUbCz06HLEMBHjgvKjxiv/eeerbklTHi.gpHIn1OejzX3k2.0NM0Dforaw6Yn5Y8Cgn8kL2FdbQLZ3/
|
||||||
|
password_lock: false
|
||||||
|
groups:
|
||||||
|
- sudo
|
||||||
|
ssh_keys:
|
||||||
|
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUmGeHc6QXDcJHkmVxbTUv04Q3vs20avquoGr6eOkkvYbcgjuFnBOOtvs2Nul1odcvvnHa1nN7DfL8XJamiwsB1B/xe2seaNS1axgwk9XowlVN9pgga8gsC+4gZWBtSObG2GR8n4NtPENzPmW5deNn8dRpTvULPMxZ0VRE9yNQOx8v8w85yYh+vxbbkWGVDYJU23yuJI50U9y6bXxNHinsACDFBeR/giXDlw29TaOaSxz0R6zrRPBoX+V68RyWwBL+KWQKtX2ULtJI40S98Ohd6p41bIxYHCBS/zroqNne8PjYOLcHHsjHUGfTvhcS5a3zdz/iHsvsaOOjFjsydAXH valberg
|
||||||
|
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4FRrbTpxwGdlF6RVi/thJaMlaEE0Z9YCQA4Y+KnHbBoVWMjzgbIkSWw3MM+E/iiVnix8SFh4tjDSdFjb8lCvHt/PqhMFhZJ02vhVgSwyU+Ji5ur23i202LB9ua54NLN4kNG8K47U0tKi2/EV6LWl2QdRviAcOUctz6u9XDkkMLUgPEYH384XSTRRj4GJ8+0LRzB2rXqetH3gBe9v1vlv0ETYWvzTnpfZUxcrrqEGtXV9Wa0BZoWLos2oKOsYVjNdLZMoFpmyBxPnqzAi1hr7beblFZKqBkvD7XA9RnERbZn1nxkWufVahppPjKQ+se3esWJCp6ri/vNP4WNKY3hiIoekBLbpvGcP1Te7cAIQXiZOilN92NKKYrzN2gAtsxgqGZw7lI1PE71luGdPir2Evl6hPj6/nnNdEHZWgcmBSPy17uCpVvZYBcDDzj8L3hbkLVQ3kcLZTz6I8BXvuGqoeLvRQpBtn5EaLpCCOmXuKqm+dzHzsOIwh+SA5NA8M3P0=
|
||||||
|
|
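Review bot: The new `ansible` account in the first hunk is created with `groups: []` and `password_lock: true`, so unless sudo rights for it are granted somewhere outside this commit, `become` from that account will not work once the authorized keys move from root to `ansible` (see the users.yml change in this commit); if group membership is the intended mechanism, `groups:` should list `- sudo` as the other entries do, and with the password locked a NOPASSWD sudoers rule is needed as well. The SHA-512 crypt hashes kept in this vars file are committed in the clear; they could live in an `ansible-vault` encrypted file instead, which is cheap now that the user task sets `no_log: true`. The file header for this section is not visible on the page, so I cannot tell which host or group these vars apply to.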
|
@ -1,7 +1,7 @@
|
||||||
# vim: ft=yaml.ansible
|
# vim: ft=yaml.ansible
|
||||||
# code: language=ansible
|
# code: language=ansible
|
||||||
---
|
---
|
||||||
ansible_host: 85.209.118.134
|
ansible_host: 85.209.118.134 # TODO: Change to DNS name
|
||||||
ansible_port: 22
|
ansible_port: 22
|
||||||
|
|
||||||
hostname: "{{ inventory_hostname }}"
|
hostname: "{{ inventory_hostname }}"
|
||||||
|
|
|
@ -1,9 +1,10 @@
|
||||||
# vim: ft=yaml.ansible
|
# vim: ft=yaml.ansible
|
||||||
# code: language=ansible
|
# code: language=ansible
|
||||||
---
|
---
|
||||||
ansible_host: 85.209.118.134
|
ansible_host: 85.209.118.134 # TODO: Change to DNS name
|
||||||
ansible_port: 19022
|
ansible_port: 19022
|
||||||
|
|
||||||
|
internal_ipv4: 10.2.1.5
|
||||||
vm_host: cavall
|
vm_host: cavall
|
||||||
vm_type: control
|
vm_type: control
|
||||||
|
|
||||||
|
|
|
@ -1,11 +1,11 @@
|
||||||
# vim: ft=yaml.ansible
|
# vim: ft=yaml.ansible
|
||||||
# code: language=ansible
|
# code: language=ansible
|
||||||
---
|
---
|
||||||
ansible_host: 159.223.17.241
|
ansible_host: 159.223.17.241 # TODO: Change to DNS name
|
||||||
ansible_port: 22
|
ansible_port: 22
|
||||||
|
|
||||||
vm_host: cloud
|
vm_host: cloud
|
||||||
vm_type: app
|
vm_type: uptime
|
||||||
|
|
||||||
hostname: "{{ inventory_hostname }}"
|
hostname: "{{ inventory_hostname }}"
|
||||||
fqdn: "{{ hostname }}.vm.{{ vm_host }}.servers.data.coop"
|
fqdn: "{{ hostname }}.vm.{{ vm_host }}.servers.data.coop"
|
||||||
|
|
|
@ -1,9 +1,10 @@
|
||||||
# vim: ft=yaml.ansible
|
# vim: ft=yaml.ansible
|
||||||
# code: language=ansible
|
# code: language=ansible
|
||||||
---
|
---
|
||||||
ansible_host: 85.209.118.142
|
ansible_host: 85.209.118.142 # TODO: Change to DNS name
|
||||||
ansible_port: 19022
|
ansible_port: 19022
|
||||||
|
|
||||||
|
internal_ipv4: 10.2.1.2
|
||||||
vm_host: cavall
|
vm_host: cavall
|
||||||
vm_type: app
|
vm_type: app
|
||||||
|
|
||||||
|
|
|
@ -1,9 +1,10 @@
|
||||||
# vim: ft=yaml.ansible
|
# vim: ft=yaml.ansible
|
||||||
# code: language=ansible
|
# code: language=ansible
|
||||||
---
|
---
|
||||||
ansible_host: 85.209.118.143
|
ansible_host: 85.209.118.143 # TODO: Change to DNS name
|
||||||
ansible_port: 19022
|
ansible_port: 19022
|
||||||
|
|
||||||
|
internal_ipv4: 10.2.1.3
|
||||||
vm_host: cavall
|
vm_host: cavall
|
||||||
vm_type: app
|
vm_type: app
|
||||||
|
|
||||||
|
|
|
@ -24,14 +24,19 @@
|
||||||
- docker-compose-plugin
|
- docker-compose-plugin
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
|
- name: Create group for Docker socket
|
||||||
|
ansible.builtin.group:
|
||||||
|
name: docker
|
||||||
|
state: present
|
||||||
|
|
||||||
- name: Configure rootful Docker
|
- name: Configure rootful Docker
|
||||||
when: not docker_rootless
|
when: not docker_rootless
|
||||||
block:
|
block:
|
||||||
- name: Make sure Docker is running
|
- name: Make sure Docker is running
|
||||||
ansible.builtin.service:
|
ansible.builtin.service:
|
||||||
name: docker
|
name: docker
|
||||||
state: started
|
|
||||||
enabled: true
|
enabled: true
|
||||||
|
state: started
|
||||||
|
|
||||||
- name: Configure cron job to prune unused Docker data weekly
|
- name: Configure cron job to prune unused Docker data weekly
|
||||||
ansible.builtin.cron:
|
ansible.builtin.cron:
|
||||||
|
@ -47,10 +52,10 @@
|
||||||
block:
|
block:
|
||||||
- name: Make sure rootful Docker is stopped and disabled
|
- name: Make sure rootful Docker is stopped and disabled
|
||||||
ansible.builtin.systemd_service:
|
ansible.builtin.systemd_service:
|
||||||
scope: system
|
|
||||||
name: docker
|
name: docker
|
||||||
state: stopped
|
|
||||||
enabled: false
|
enabled: false
|
||||||
|
scope: system
|
||||||
|
state: stopped
|
||||||
|
|
||||||
- name: Install packages needed by rootless Docker
|
- name: Install packages needed by rootless Docker
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
|
@ -62,11 +67,6 @@
|
||||||
- slirp4netns
|
- slirp4netns
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Create group for Docker socket
|
|
||||||
ansible.builtin.group:
|
|
||||||
name: docker
|
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: Create user for rootless Docker
|
- name: Create user for rootless Docker
|
||||||
ansible.builtin.user:
|
ansible.builtin.user:
|
||||||
name: "{{ docker_rootless_user }}"
|
name: "{{ docker_rootless_user }}"
|
||||||
|
@ -97,10 +97,10 @@
|
||||||
|
|
||||||
- name: Make sure rootless Docker is running
|
- name: Make sure rootless Docker is running
|
||||||
ansible.builtin.systemd_service:
|
ansible.builtin.systemd_service:
|
||||||
scope: user
|
|
||||||
name: docker.service
|
name: docker.service
|
||||||
state: started
|
|
||||||
enabled: true
|
enabled: true
|
||||||
|
scope: user
|
||||||
|
state: started
|
||||||
become: true
|
become: true
|
||||||
become_user: "{{ docker_rootless_user }}"
|
become_user: "{{ docker_rootless_user }}"
|
||||||
|
|
||||||
|
|
7
roles/vm-common/handlers/main.yml
Normal file
7
roles/vm-common/handlers/main.yml
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
# vim: ft=yaml.ansible
|
||||||
|
# code: language=ansible
|
||||||
|
---
|
||||||
|
- name: Reload firewalld
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: firewalld
|
||||||
|
state: reloaded
|
|
@ -1,13 +1,26 @@
|
||||||
# vim: ft=yaml.ansible
|
# vim: ft=yaml.ansible
|
||||||
# code: language=ansible
|
# code: language=ansible
|
||||||
---
|
---
|
||||||
- name: Install necessary packages via apt
|
- name: Install system packages
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
name: "{{ packages }}"
|
name:
|
||||||
vars:
|
|
||||||
packages:
|
|
||||||
- apparmor
|
- apparmor
|
||||||
|
- bind-utils
|
||||||
|
- firewalld
|
||||||
- haveged
|
- haveged
|
||||||
- mosh
|
- htop
|
||||||
- ufw
|
- jq
|
||||||
|
- lsof
|
||||||
|
- mtr
|
||||||
|
- telnet
|
||||||
- vim
|
- vim
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Ensure services are enabled and running
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: "{{ item }}"
|
||||||
|
enabled: true
|
||||||
|
state: started
|
||||||
|
loop:
|
||||||
|
- firewalld
|
||||||
|
- haveged
|
||||||
|
|
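Review bot: `ufw` is dropped from the package list but nothing stops, disables or removes it, so hosts provisioned under the old role keep ufw's default-deny ruleset active alongside firewalld once the new service loop enables `firewalld`; two rule managers on the same nftables/iptables backend give unpredictable results, and the fix belongs in this file before the service loop. `bind-utils` is the RPM package name; this role installs through apt, where the package is `bind9-dnsutils` (or the transitional `dnsutils`) — confirm against the target release, otherwise the apt task fails on the first run. The service loop also starts `firewalld` before `firewall.yml` has added any permanent rules, so a stock default zone is what is enforced until the reload handler runs; acceptable while the admin connection is already established, but worth a comment on the loop.

```yaml
# … unchanged: Install system packages task …

- name: Remove ufw so it does not compete with firewalld
  ansible.builtin.apt:
    name: ufw
    state: absent
    purge: true

# … unchanged: Ensure services are enabled and running …
```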
|
@ -1,25 +1,23 @@
|
||||||
# vim: ft=yaml.ansible
|
# vim: ft=yaml.ansible
|
||||||
# code: language=ansible
|
# code: language=ansible
|
||||||
---
|
---
|
||||||
- name: Setup firewall with UFW
|
- name: Move internal network to zone 'internal'
|
||||||
community.general.ufw:
|
ansible.posix.firewalld:
|
||||||
|
zone: internal
|
||||||
|
source: 10.2.1.0/24
|
||||||
|
permanent: true
|
||||||
state: enabled
|
state: enabled
|
||||||
policy: deny
|
|
||||||
|
|
||||||
- name: Allow necessary ports
|
- name: Allow incoming connections to SSH port in zone 'internal'
|
||||||
community.general.ufw:
|
ansible.posix.firewalld:
|
||||||
rule: allow
|
zone: internal
|
||||||
port: "{{ item.port }}"
|
port: "{{ ansible_port }}"
|
||||||
proto: "{{ item.proto | default('tcp') }}"
|
permanent: true
|
||||||
loop:
|
state: enabled
|
||||||
- port: 22 # Gitea SSH
|
|
||||||
- port: 80 # HTTP
|
# Until control VM is deployed
|
||||||
- port: 443 # HTTPS
|
- name: Allow incoming connections to SSH port in default zone
|
||||||
- port: 389 # OpenLDAP
|
ansible.posix.firewalld:
|
||||||
- port: 636 # OpenLDAP
|
port: "{{ ansible_port }}"
|
||||||
- port: 25 # Email
|
permanent: true
|
||||||
- port: 465 # Email
|
state: enabled
|
||||||
- port: 587 # Email
|
|
||||||
- port: 993 # Email
|
|
||||||
- port: 19022 # SSH
|
|
||||||
when: hostname in groups['virtual']
|
|
||||||
|
|
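Review bot: The move from ufw drops the old `policy: deny` without replacing it: on a stock firewalld install the default zone ships with the `ssh` and `dhcpv6-client` services enabled, so on hosts where `ansible_port` is 19022 port 22/tcp stays reachable from any source even though only `{{ ansible_port }}` is opened here. A task that disables the `ssh` service in the default zone, placed after the port rule so hosts with `ansible_port: 22` keep access through the port rule, closes that gap; the fence below shows it. All three tasks are `permanent: true` only and so depend on the reload handler at the end of the play; adding `immediate: true` to each makes the runtime state match the permanent one as soon as the task runs. The hard-coded `source: 10.2.1.0/24` duplicates the `internal_ipv4` values added to host_vars in this commit; a group var for the internal network would keep the two in step.

```yaml
# … unchanged: zone 'internal' source rule and the two SSH port rules …

- name: Drop stock ssh service from default zone (SSH is allowed by port above)
  ansible.posix.firewalld:
    service: ssh
    permanent: true
    state: disabled
```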
|
@ -1,11 +1,18 @@
|
||||||
# vim: ft=yaml.ansible
|
# vim: ft=yaml.ansible
|
||||||
# code: language=ansible
|
# code: language=ansible
|
||||||
---
|
---
|
||||||
- ansible.builtin.import_tasks: base.yml
|
- name: Base configuration
|
||||||
tags: [install-base-packages]
|
ansible.builtin.import_tasks: base.yml
|
||||||
|
tags:
|
||||||
|
- install-base-packages
|
||||||
|
|
||||||
- ansible.builtin.import_tasks: users.yml
|
- name: User configuration
|
||||||
tags: [setup-users]
|
ansible.builtin.import_tasks: users.yml
|
||||||
|
tags:
|
||||||
|
- setup-users
|
||||||
|
|
||||||
- ansible.builtin.import_tasks: firewall.yml
|
- name: Firewall configuration
|
||||||
tags: [setup-firewall]
|
ansible.builtin.import_tasks: firewall.yml
|
||||||
|
notify: Reload firewalld
|
||||||
|
tags:
|
||||||
|
- setup-firewall
|
||||||
|
|
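Review bot: `notify: Reload firewalld` is placed on the `import_tasks` entry rather than on the firewalld tasks themselves; I cannot confirm from this page that handler notification is propagated to statically imported tasks the way `tags` is, so verify on a host with a changed rule that the handler actually fires — if it does not, the permanent-only rules in firewall.yml never reach the running firewall. The robust form is `notify: Reload firewalld` on each `ansible.posix.firewalld` task in firewall.yml (or `immediate: true` on them), which also keeps the handler dependency visible next to the rules that need it.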
|
@ -1,25 +1,27 @@
|
||||||
# vim: ft=yaml.ansible
|
# vim: ft=yaml.ansible
|
||||||
# code: language=ansible
|
# code: language=ansible
|
||||||
---
|
---
|
||||||
- name: "Add users"
|
- name: Add users
|
||||||
user:
|
ansible.builtin.user:
|
||||||
name: "{{ item.name }}"
|
name: "{{ item.name }}"
|
||||||
comment: "{{ item.comment }}"
|
comment: "{{ item.comment }}"
|
||||||
password: "{{ item.password }}"
|
password: "{{ item.password | default(omit) }}"
|
||||||
|
password_lock: "{{ item.password_lock }}"
|
||||||
groups: "{{ item.groups }}"
|
groups: "{{ item.groups }}"
|
||||||
update_password: always
|
update_password: always
|
||||||
shell: /bin/bash
|
shell: /bin/bash
|
||||||
loop: "{{ users | default([]) }}"
|
loop: "{{ users }}"
|
||||||
|
no_log: true
|
||||||
|
|
||||||
- name: "Add ssh authorized_keys"
|
- name: Add SSH keys to users
|
||||||
ansible.posix.authorized_key:
|
ansible.posix.authorized_key:
|
||||||
user: "{{ item.name }}"
|
user: "{{ item.name }}"
|
||||||
key: "{{ item.ssh_keys | join('\n') }}"
|
key: "{{ item.ssh_keys | join('\n') }}"
|
||||||
exclusive: true
|
exclusive: true
|
||||||
loop: "{{ users | default([]) }}"
|
loop: "{{ users }}"
|
||||||
|
|
||||||
- name: "Add ssh authorized_keys to root user"
|
- name: Add SSH keys to Ansible user
|
||||||
ansible.posix.authorized_key:
|
ansible.posix.authorized_key:
|
||||||
user: "root"
|
user: ansible
|
||||||
key: "{{ users | default([]) | map(attribute='ssh_keys') | flatten | join('\n') }}"
|
key: "{{ users | map(attribute='ssh_keys') | flatten | join('\n') }}"
|
||||||
exclusive: true
|
exclusive: true
|
||||||
|
|
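Review bot: The `ansible` account's authorized_keys are managed twice with `exclusive: true`: the `Add SSH keys to users` loop visits it with `ssh_keys: []`, giving an empty `key:` value that the module either rejects or treats as "remove every key", and the next task then writes all users' keys back, so each run is at best a wipe-and-restore that reports `changed` twice. Excluding the automation account from the first loop avoids it: `loop: "{{ users | rejectattr('name', 'equalto', 'ansible') | list }}"`. Dropping `default([])` from both loops means a host without `users` defined now fails instead of doing nothing — fine if every host defines it, but worth a comment on the first loop. `password_lock: "{{ item.password_lock }}"` has no default either; `| default(omit)` would let entries leave the key out, as `password` already may.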