From b56690a33ebe1379f69333e63e4fd396047c341f Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sun, 13 Nov 2022 19:27:45 +0100 Subject: [PATCH 01/14] Make Ansible setup testable in Vagrant Added logic to change the sshd port if not already configured, configued Vagrantfile to work properly and fixed a couple of deploy errors. --- Vagrantfile | 3 +-- playbook.yml | 2 +- roles/ubuntu_base/handlers/main.yml | 5 ++++ roles/ubuntu_base/tasks/base.yml | 14 +++++----- roles/ubuntu_base/tasks/main.yml | 3 ++- roles/ubuntu_base/tasks/ssh.yml | 42 +++++++++++++++++++++++++++++ 6 files changed, 59 insertions(+), 10 deletions(-) create mode 100644 roles/ubuntu_base/handlers/main.yml create mode 100644 roles/ubuntu_base/tasks/ssh.yml diff --git a/Vagrantfile b/Vagrantfile index 28f2e28..37c9521 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -1,14 +1,13 @@ Vagrant.require_version ">= 1.7.0" Vagrant.configure(2) do |config| - + config.vm.network "forwarded_port", guest: 19022, host: 19022, id: "new_ssh" config.vm.define "datacoop" do |datacoop| datacoop.vm.box = "ubuntu/bionic64" datacoop.vm.hostname = "datacoop" datacoop.vm.provider "virtualbox" do |v| v.memory = 4096 end - datacoop.vm.network "private_network", ip: "192.168.0.42" datacoop.vm.provision "ansible" do |ansible| ansible.verbose = "v" ansible.compatibility_mode = "2.0" diff --git a/playbook.yml b/playbook.yml index 1b98c5d..9a71856 100644 --- a/playbook.yml +++ b/playbook.yml @@ -9,11 +9,11 @@ services: - nginx-proxy + - postfix - openldap - nextcloud - passit - gitea - - postfix - matrix_riot - privatebin - codimd diff --git a/roles/ubuntu_base/handlers/main.yml b/roles/ubuntu_base/handlers/main.yml new file mode 100644 index 0000000..0416cca --- /dev/null +++ b/roles/ubuntu_base/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart sshd + service: + name: sshd + state: restarted diff --git a/roles/ubuntu_base/tasks/base.yml b/roles/ubuntu_base/tasks/base.yml index 257352b..bf4b0f1 100644 
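Review bot: The added `config.vm.network "forwarded_port", guest: 19022, host: 19022, id: "new_ssh"` binds host port 19022 on every host interface, because Vagrant binds a forwarded port to all addresses unless `host_ip` is given, so the test VM's sshd becomes reachable from whatever network the developer's machine is on rather than only from that machine. Restricting it with `config.vm.network "forwarded_port", guest: 19022, host: 19022, host_ip: "127.0.0.1", id: "new_ssh"` keeps the VM local. The same forwarded_port line is carried forward unchanged in the Vagrantfile hunks of PATCH 11 and PATCH 14, so the `host_ip` belongs there as well.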
--- a/roles/ubuntu_base/tasks/base.yml +++ b/roles/ubuntu_base/tasks/base.yml @@ -4,17 +4,19 @@ name: "{{ packages }}" vars: packages: - - aptitude - - python3-pip - - apparmor - - haveged - - mosh - - srvadmin-all # Dell OpenManage + - aptitude + - python3-pip + - apparmor + - haveged + - mosh + - srvadmin-all # Dell OpenManage - name: Install necessary packages via pip pip: name: "{{ packages }}" + state: latest vars: packages: + - pip # upgrade needed for docker-compose to install - docker - docker-compose diff --git a/roles/ubuntu_base/tasks/main.yml b/roles/ubuntu_base/tasks/main.yml index d6d34a4..36c4488 100644 --- a/roles/ubuntu_base/tasks/main.yml +++ b/roles/ubuntu_base/tasks/main.yml @@ -1,4 +1,6 @@ --- +- import_tasks: ssh.yml + tags: [change-ssh-port] - import_tasks: custom-apt-repos.yml tags: [setup-custom-apt] - import_tasks: upgrade.yml @@ -7,4 +9,3 @@ tags: [install-base-packages] - import_tasks: users.yml tags: [setup-users] - diff --git a/roles/ubuntu_base/tasks/ssh.yml b/roles/ubuntu_base/tasks/ssh.yml new file mode 100644 index 0000000..e0bbe1e --- /dev/null +++ b/roles/ubuntu_base/tasks/ssh.yml 
@@ -0,0 +1,42 @@ +--- +- name: Check if SSH port is already configured + wait_for: + port: 19022 + state: started + host: "{{ inventory_hostname }}" + connect_timeout: 5 + timeout: 10 + become: false + delegate_to: localhost + ignore_errors: true + register: ssh_configured + +# If we're running in Vagrant, ansible_port is 2222 +- name: Change Ansible port to 22 if needed + set_fact: + ansible_port: 22 + when: ssh_configured is defined and + (ssh_configured.state is undefined or + (ssh_configured.state is defined and + ssh_configured.state != "started")) and + ansible_port != 2222 + +- name: Change SSH port + lineinfile: + dest: "/etc/ssh/sshd_config" + regexp: "^#?Port" + line: "Port 19022" + register: ssh_changed + notify: "Restart sshd" + when: ssh_configured is defined and + (ssh_configured.state is undefined or + (ssh_configured.state is defined and + ssh_configured.state != "started")) + +- name: Ensure sshd is reloaded if needed + meta: flush_handlers + +- name: Change ansible_port 19022 + set_fact: + ansible_port: 19022 + when: ssh_changed is defined -- 2.40.1 From b310e191f8e887c49afef2d4fbaa096d3e8411f6 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sun, 13 Nov 2022 21:42:52 +0100 Subject: [PATCH 02/14] Some Vagrant fixes Only install Dell OpenManage if not running in a VM, and fix SSH port logic. --- playbook.yml | 4 ++-- roles/ubuntu_base/tasks/base.yml | 8 ++++++-- .../{custom-apt-repos.yml => dell-apt-repo.yml} | 12 ++++-------- roles/ubuntu_base/tasks/facts.yml | 3 +++ roles/ubuntu_base/tasks/main.yml | 7 +++++-- roles/ubuntu_base/tasks/ssh.yml | 5 ++--- 6 files changed, 22 insertions(+), 17 deletions(-) rename roles/ubuntu_base/tasks/{custom-apt-repos.yml => dell-apt-repo.yml} (68%) create mode 100644 roles/ubuntu_base/tasks/facts.yml diff --git a/playbook.yml b/playbook.yml index 9a71856..949ebd3 100644 --- a/playbook.yml +++ b/playbook.yml 
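Review bot: The `Change SSH port` task edits `/etc/ssh/sshd_config` with `lineinfile` and then restarts sshd through the notified handler without validating the file first, so a malformed result leaves the host unreachable over SSH once the handler fires. Adding `validate: "/usr/sbin/sshd -t -f %s"` to the lineinfile task makes Ansible test the candidate file and refuse the edit before it is written. If a host firewall is active on the target, a rule for 19022 also has to exist before the restart, which nothing in this file provides, so that assumption is worth a comment above the task. The same lineinfile task survives the rewrites in PATCH 10 and PATCH 12 still without a `validate`, so the point applies to those hunks too.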
@@ -1,6 +1,6 @@ --- - hosts: all - gather_facts: False + gather_facts: false become: true vars: base_domain: data.coop @@ -36,6 +36,6 @@ - import_role: name: ubuntu_base tags: - - base_only + - base_only - import_role: name: docker diff --git a/roles/ubuntu_base/tasks/base.yml b/roles/ubuntu_base/tasks/base.yml index bf4b0f1..13774f0 100644 --- a/roles/ubuntu_base/tasks/base.yml +++ b/roles/ubuntu_base/tasks/base.yml @@ -2,6 +2,7 @@ - name: Install necessary packages via apt apt: name: "{{ packages }}" + state: latest vars: packages: - aptitude @@ -9,7 +10,11 @@ - apparmor - haveged - mosh - - srvadmin-all # Dell OpenManage + +- name: Install Dell OpenManage + apt: + name: srvadmin-all + when: ansible_virtualization_role != "guest" - name: Install necessary packages via pip pip: @@ -17,6 +22,5 @@ state: latest vars: packages: - - pip # upgrade needed for docker-compose to install - docker - docker-compose diff --git a/roles/ubuntu_base/tasks/custom-apt-repos.yml b/roles/ubuntu_base/tasks/dell-apt-repo.yml similarity index 68% rename from roles/ubuntu_base/tasks/custom-apt-repos.yml rename to roles/ubuntu_base/tasks/dell-apt-repo.yml index 7bb042d..b7d9d48 100644 --- a/roles/ubuntu_base/tasks/custom-apt-repos.yml +++ b/roles/ubuntu_base/tasks/dell-apt-repo.yml @@ -1,15 +1,15 @@ --- -- name: import dell apt signing key +- name: Import dell apt signing key apt_key: id: "1285491434D8786F" keyserver: "keyserver.ubuntu.com" -- name: "configure dell apt repo" +- name: Configure dell apt repo apt_repository: repo: "deb https://linux.dell.com/repo/community/openmanage/10101/focal focal main" - state: "present" + state: present -- name: "restrict dell apt repo" +- name: Restrict dell apt repo" copy: dest: "/etc/apt/preferences.d/dell" content: | @@ -17,7 +17,3 @@ Package: * Pin: origin "linux.dell.com" Pin-Priority: 400 - -- name: update apt cache - apt: - update_cache: yes 
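Review bot: The renamed task name `- name: Restrict dell apt repo"` in the dell-apt-repo.yml hunk carries a stray trailing double quote, which YAML keeps as part of the plain scalar, so the quote appears verbatim in the task name in play output. The line should read `- name: Restrict dell apt repo`, matching the two task names above it that the same hunk cleans up.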
diff --git a/roles/ubuntu_base/tasks/facts.yml b/roles/ubuntu_base/tasks/facts.yml new file mode 100644 index 0000000..abd9a28 --- /dev/null +++ b/roles/ubuntu_base/tasks/facts.yml @@ -0,0 +1,3 @@ +--- +- name: Gather facts + gather_facts: diff --git a/roles/ubuntu_base/tasks/main.yml b/roles/ubuntu_base/tasks/main.yml index 36c4488..ba1be61 100644 --- a/roles/ubuntu_base/tasks/main.yml +++ b/roles/ubuntu_base/tasks/main.yml @@ -1,8 +1,11 @@ --- - import_tasks: ssh.yml tags: [change-ssh-port] -- import_tasks: custom-apt-repos.yml - tags: [setup-custom-apt] +- import_tasks: facts.yml + tags: [gather-facts] +- import_tasks: dell-apt-repo.yml + tags: [setup-dell-apt-repo] + when: ansible_virtualization_role != "guest" - import_tasks: upgrade.yml tags: [do-full-system-upgrade] - import_tasks: base.yml diff --git a/roles/ubuntu_base/tasks/ssh.yml b/roles/ubuntu_base/tasks/ssh.yml index e0bbe1e..fa11cd1 100644 --- a/roles/ubuntu_base/tasks/ssh.yml +++ b/roles/ubuntu_base/tasks/ssh.yml @@ -2,8 +2,7 @@ - name: Check if SSH port is already configured wait_for: port: 19022 - state: started - host: "{{ inventory_hostname }}" + host: "{{ ansible_host }}" connect_timeout: 5 timeout: 10 become: false @@ -36,7 +35,7 @@ - name: Ensure sshd is reloaded if needed meta: flush_handlers -- name: Change ansible_port 19022 +- name: Change Ansible port to 19022 set_fact: ansible_port: 19022 when: ssh_changed is defined -- 2.40.1 From 1744cf758562f724e4e8a8f5c652e1817d237d17 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sun, 13 Nov 2022 22:03:45 +0100 Subject: [PATCH 03/14] Fix SSH port logic again --- roles/ubuntu_base/tasks/ssh.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/ubuntu_base/tasks/ssh.yml b/roles/ubuntu_base/tasks/ssh.yml index fa11cd1..b3b9890 100644 --- a/roles/ubuntu_base/tasks/ssh.yml +++ b/roles/ubuntu_base/tasks/ssh.yml 
@@ -3,6 +3,7 @@ wait_for: port: 19022 host: "{{ ansible_host }}" + search_regex: "OpenSSH" connect_timeout: 5 timeout: 10 become: false @@ -20,7 +21,7 @@ ssh_configured.state != "started")) and ansible_port != 2222 -- name: Change SSH port +- name: Change SSH port on host lineinfile: dest: "/etc/ssh/sshd_config" regexp: "^#?Port" -- 2.40.1 From eeecfca7ef9bf6c3a6e3b4416ff27908e125b1ac Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sun, 13 Nov 2022 22:04:37 +0100 Subject: [PATCH 04/14] Vagrant: Use same Ubuntu version as in production --- Vagrantfile | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index 37c9521..5db0681 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -3,22 +3,16 @@ Vagrant.require_version ">= 1.7.0" Vagrant.configure(2) do |config| config.vm.network "forwarded_port", guest: 19022, host: 19022, id: "new_ssh" config.vm.define "datacoop" do |datacoop| - datacoop.vm.box = "ubuntu/bionic64" + datacoop.vm.box = "ubuntu/focal64" datacoop.vm.hostname = "datacoop" datacoop.vm.provider "virtualbox" do |v| v.memory = 4096 end datacoop.vm.provision "ansible" do |ansible| - ansible.verbose = "v" ansible.compatibility_mode = "2.0" ansible.playbook = "playbook.yml" ansible.ask_vault_pass = true - ansible.host_vars = { - "datacoop" => {"ansible_python_interpreter" => "/usr/bin/python3.6"} - } - ansible.groups = { - "all" => ["datacoop"] - } + ansible.verbose = "v" end end end -- 2.40.1 From 50fa65d55e2946324748224ebcdee2ff5b8e599d Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sun, 13 Nov 2022 22:39:14 +0100 Subject: [PATCH 05/14] Don't use local config for Docker registry login It doesn't work when deploying in Vagrant :( --- roles/docker/tasks/services/docker_registry.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/docker/tasks/services/docker_registry.yml b/roles/docker/tasks/services/docker_registry.yml index 975db50..a88a707 100644 
--- a/roles/docker/tasks/services/docker_registry.yml +++ b/roles/docker/tasks/services/docker_registry.yml @@ -28,9 +28,8 @@ args: creates: "{{ docker_registry.volume_folder }}/auth/htpasswd" -- name: log in to local registry +- name: log in to registry docker_login: registry: "{{ docker_registry.domain }}" username: "docker" password: "{{ docker_password }}" - config_path: "{{ docker_registry.volume_folder }}/auth/config.json" -- 2.40.1 From c74cc4413a4591c5840c5a8c3a134fbfe6ae4817 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Mon, 14 Nov 2022 00:13:24 +0100 Subject: [PATCH 06/14] Simplify config and rename some files --- roles/ubuntu_base/tasks/facts.yml | 3 --- roles/ubuntu_base/tasks/main.yml | 6 +++--- roles/ubuntu_base/tasks/{ssh.yml => ssh-port.yml} | 8 ++------ roles/ubuntu_base/tasks/virtualization.yml | 4 ++++ 4 files changed, 9 insertions(+), 12 deletions(-) delete mode 100644 roles/ubuntu_base/tasks/facts.yml rename roles/ubuntu_base/tasks/{ssh.yml => ssh-port.yml} (75%) create mode 100644 roles/ubuntu_base/tasks/virtualization.yml diff --git a/roles/ubuntu_base/tasks/facts.yml b/roles/ubuntu_base/tasks/facts.yml deleted file mode 100644 index abd9a28..0000000 --- a/roles/ubuntu_base/tasks/facts.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- name: Gather facts - gather_facts: diff --git a/roles/ubuntu_base/tasks/main.yml b/roles/ubuntu_base/tasks/main.yml index ba1be61..d21a74f 100644 --- a/roles/ubuntu_base/tasks/main.yml +++ b/roles/ubuntu_base/tasks/main.yml @@ -1,8 +1,8 @@ --- -- import_tasks: ssh.yml +- import_tasks: ssh-port.yml tags: [change-ssh-port] -- import_tasks: facts.yml - tags: [gather-facts] +- import_tasks: virtualization.yml + tags: [gather-virtualization-facts] - import_tasks: dell-apt-repo.yml tags: [setup-dell-apt-repo] when: ansible_virtualization_role != "guest" 
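Review bot: Removing `config_path` moves where `docker_login` persists the registry credential: instead of the registry's own `auth/config.json` under the volume folder it now lands in the default Docker config of the user the task runs as, presumably root given the play's `become: true`. That relocation of a stored secret is a security-relevant side effect the commit message does not mention, and a comment such as `# login credential is now stored in the default ~/.docker/config.json of the task user` above the task would make it visible to the next maintainer. The rest of this file is outside the hunk, so whether anything else still expects the old path cannot be confirmed here.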
diff --git a/roles/ubuntu_base/tasks/ssh.yml b/roles/ubuntu_base/tasks/ssh-port.yml similarity index 75% rename from roles/ubuntu_base/tasks/ssh.yml rename to roles/ubuntu_base/tasks/ssh-port.yml index b3b9890..a6a598a 100644 --- a/roles/ubuntu_base/tasks/ssh.yml +++ b/roles/ubuntu_base/tasks/ssh-port.yml @@ -16,9 +16,7 @@ set_fact: ansible_port: 22 when: ssh_configured is defined and - (ssh_configured.state is undefined or - (ssh_configured.state is defined and - ssh_configured.state != "started")) and + ssh_configured.state is undefined and ansible_port != 2222 - name: Change SSH port on host @@ -29,9 +27,7 @@ register: ssh_changed notify: "Restart sshd" when: ssh_configured is defined and - (ssh_configured.state is undefined or - (ssh_configured.state is defined and - ssh_configured.state != "started")) + ssh_configured.state is undefined - name: Ensure sshd is reloaded if needed meta: flush_handlers diff --git a/roles/ubuntu_base/tasks/virtualization.yml b/roles/ubuntu_base/tasks/virtualization.yml new file mode 100644 index 0000000..b1929d4 --- /dev/null +++ b/roles/ubuntu_base/tasks/virtualization.yml @@ -0,0 +1,4 @@ +--- +- name: Find out if running in a VM + setup: + gather_subset: virtualization_role -- 2.40.1 From c676d69fc027949d4b4c9d1a4467a755b31a6b97 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Mon, 14 Nov 2022 17:50:19 +0100 Subject: [PATCH 07/14] Naming changes --- roles/ubuntu_base/tasks/virtualization.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ubuntu_base/tasks/virtualization.yml b/roles/ubuntu_base/tasks/virtualization.yml index b1929d4..0315499 100644 --- a/roles/ubuntu_base/tasks/virtualization.yml +++ b/roles/ubuntu_base/tasks/virtualization.yml @@ -1,4 +1,4 @@ --- -- name: Find out if running in a VM +- name: Determine if running in a VM setup: gather_subset: virtualization_role -- 2.40.1 From a6cb0a8e65253ff3b92c01523ffa94a9e7f60fb9 Mon Sep 17 00:00:00 2001 
From: Sam Al-Sapti Date: Mon, 14 Nov 2022 18:04:01 +0100 Subject: [PATCH 08/14] Remove state: latest --- roles/ubuntu_base/tasks/base.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/ubuntu_base/tasks/base.yml b/roles/ubuntu_base/tasks/base.yml index 13774f0..4ff4a94 100644 --- a/roles/ubuntu_base/tasks/base.yml +++ b/roles/ubuntu_base/tasks/base.yml @@ -2,7 +2,6 @@ - name: Install necessary packages via apt apt: name: "{{ packages }}" - state: latest vars: packages: - aptitude @@ -19,7 +18,6 @@ - name: Install necessary packages via pip pip: name: "{{ packages }}" - state: latest vars: packages: - docker -- 2.40.1 From 253a21432ee229a46b729d7661454e163817cc5d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=AD=C3=B0ir=20Valberg=20Gu=C3=B0mundsson?= Date: Tue, 15 Nov 2022 23:05:52 +0100 Subject: [PATCH 09/14] Add ssl_certs_enabled variable and use it to avoid ssl certs when running on vagrant --- playbook.yml | 5 ++++- roles/docker/tasks/services/mailu.yml | 3 ++- roles/docker/tasks/services/nginx-proxy.yml | 1 + roles/ubuntu_base/tasks/main.yml | 4 +--- roles/ubuntu_base/tasks/virtualization.yml | 4 ---- 5 files changed, 8 insertions(+), 9 deletions(-) delete mode 100644 roles/ubuntu_base/tasks/virtualization.yml diff --git a/playbook.yml b/playbook.yml index 949ebd3..fe20a09 100644 --- a/playbook.yml +++ b/playbook.yml @@ -1,12 +1,15 @@ --- - hosts: all - gather_facts: false + gather_facts: true become: true vars: base_domain: data.coop letsencrypt_email: admin@data.coop ldap_dn: "dc=data,dc=coop" + vagrant: "{{ ansible_virtualization_role == 'guest' }}" + ssl_certs_enabled: "{{ vagrant == false }}" + services: - nginx-proxy - postfix diff --git a/roles/docker/tasks/services/mailu.yml b/roles/docker/tasks/services/mailu.yml index e53d92c..04f8a80 100644 --- a/roles/docker/tasks/services/mailu.yml +++ b/roles/docker/tasks/services/mailu.yml 
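Review bot: `vagrant: "{{ ansible_virtualization_role == 'guest' }}"` in the playbook.yml hunk treats any hypervisor guest as the Vagrant test box, so on a KVM or cloud VM the Dell OpenManage install and the Let's Encrypt tasks gated on this value would be skipped as well. If the intent is to detect the local VirtualBox machine specifically, `ansible_virtualization_type == 'virtualbox'` narrows it, and an explicit extra var passed from the Vagrantfile would be unambiguous. The same expression is repeated in the playbook.yml hunks of PATCH 10 and PATCH 11, so the naming applies there too.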
@@ -28,7 +28,7 @@ dest: "{{ mailu.volume_folder }}/certs/cert.pem" state: hard force: yes - + when: ssl_certs_enabled - name: hard link to Let's Encrypt TLS key file: @@ -36,6 +36,7 @@ dest: "{{ mailu.volume_folder }}/certs/key.pem" state: hard force: yes + when: ssl_certs_enabled - name: run mail server containers docker_compose: diff --git a/roles/docker/tasks/services/nginx-proxy.yml b/roles/docker/tasks/services/nginx-proxy.yml index bf9fa90..490b65f 100644 --- a/roles/docker/tasks/services/nginx-proxy.yml +++ b/roles/docker/tasks/services/nginx-proxy.yml @@ -44,4 +44,5 @@ - /var/run/docker.sock:/var/run/docker.sock:ro env: NGINX_PROXY_CONTAINER: nginx-proxy + when: ssl_certs_enabled diff --git a/roles/ubuntu_base/tasks/main.yml b/roles/ubuntu_base/tasks/main.yml index d21a74f..7313caa 100644 --- a/roles/ubuntu_base/tasks/main.yml +++ b/roles/ubuntu_base/tasks/main.yml @@ -1,11 +1,9 @@ --- - import_tasks: ssh-port.yml tags: [change-ssh-port] -- import_tasks: virtualization.yml - tags: [gather-virtualization-facts] - import_tasks: dell-apt-repo.yml tags: [setup-dell-apt-repo] - when: ansible_virtualization_role != "guest" + when: vagrant == false - import_tasks: upgrade.yml tags: [do-full-system-upgrade] - import_tasks: base.yml diff --git a/roles/ubuntu_base/tasks/virtualization.yml b/roles/ubuntu_base/tasks/virtualization.yml deleted file mode 100644 index 0315499..0000000 --- a/roles/ubuntu_base/tasks/virtualization.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- name: Determine if running in a VM - setup: - gather_subset: virtualization_role -- 2.40.1 From 57ca1e9233a2973b7b44c4e5911cddecf7058c94 Mon Sep 17 00:00:00 2001 
From: Sam Al-Sapti Date: Wed, 16 Nov 2022 20:31:44 +0100 Subject: [PATCH 10/14] Create separate role for SSH and Vagrant - Added a separate role that first configures SSH, and after that gathers the ansible_virtualization_role fact, due to gathering facts requiring an SSH connection - Renamed ssl_certs_enabled to letsencrypt_enabled and moved that and the vagrant variable to the be supplied directly to the last two roles in playbook.yml - Added tags base_only and setup_services to the new role ssh_and_vagrant so that it will always be run before anything else when using deploy.sh --- playbook.yml | 15 +++++++++++---- roles/docker/tasks/services/mailu.yml | 4 ++-- roles/docker/tasks/services/nginx-proxy.yml | 2 +- .../handlers/main.yml | 0 roles/ssh_and_vagrant/tasks/main.yml | 5 +++++ .../tasks/ssh-port.yml | 4 ++-- roles/ssh_and_vagrant/tasks/virtualization.yml | 4 ++++ roles/ubuntu_base/tasks/base.yml | 2 +- roles/ubuntu_base/tasks/main.yml | 4 +--- 9 files changed, 27 insertions(+), 13 deletions(-) rename roles/{ubuntu_base => ssh_and_vagrant}/handlers/main.yml (100%) create mode 100644 roles/ssh_and_vagrant/tasks/main.yml rename roles/{ubuntu_base => ssh_and_vagrant}/tasks/ssh-port.yml (91%) create mode 100644 roles/ssh_and_vagrant/tasks/virtualization.yml diff --git a/playbook.yml b/playbook.yml index fe20a09..a9d41de 100644 --- a/playbook.yml +++ b/playbook.yml @@ -1,15 +1,12 @@ --- - hosts: all - gather_facts: true + gather_facts: false become: true vars: base_domain: data.coop letsencrypt_email: admin@data.coop ldap_dn: "dc=data,dc=coop" - vagrant: "{{ ansible_virtualization_role == 'guest' }}" - ssl_certs_enabled: "{{ vagrant == false }}" - services: - nginx-proxy - postfix 
@@ -36,9 +33,19 @@ smtp_port: "587" tasks: + - import_role: + name: ssh_and_vagrant + tags: + - base_only + - setup_services - import_role: name: ubuntu_base + vars: + vagrant: "{{ ansible_virtualization_role == 'guest' }}" tags: - base_only - import_role: name: docker + vars: + vagrant: "{{ ansible_virtualization_role == 'guest' }}" + letsencrypt_enabled: "{{ not vagrant }}" diff --git a/roles/docker/tasks/services/mailu.yml b/roles/docker/tasks/services/mailu.yml index 04f8a80..3c28dee 100644 --- a/roles/docker/tasks/services/mailu.yml +++ b/roles/docker/tasks/services/mailu.yml @@ -28,7 +28,7 @@ dest: "{{ mailu.volume_folder }}/certs/cert.pem" state: hard force: yes - when: ssl_certs_enabled + when: letsencrypt_enabled - name: hard link to Let's Encrypt TLS key file: @@ -36,7 +36,7 @@ dest: "{{ mailu.volume_folder }}/certs/key.pem" state: hard force: yes - when: ssl_certs_enabled + when: letsencrypt_enabled - name: run mail server containers docker_compose: diff --git a/roles/docker/tasks/services/nginx-proxy.yml b/roles/docker/tasks/services/nginx-proxy.yml index 490b65f..3f17225 100644 --- a/roles/docker/tasks/services/nginx-proxy.yml +++ b/roles/docker/tasks/services/nginx-proxy.yml @@ -44,5 +44,5 @@ - /var/run/docker.sock:/var/run/docker.sock:ro env: NGINX_PROXY_CONTAINER: nginx-proxy - when: ssl_certs_enabled + when: letsencrypt_enabled diff --git a/roles/ubuntu_base/handlers/main.yml b/roles/ssh_and_vagrant/handlers/main.yml similarity index 100% rename from roles/ubuntu_base/handlers/main.yml rename to roles/ssh_and_vagrant/handlers/main.yml diff --git a/roles/ssh_and_vagrant/tasks/main.yml b/roles/ssh_and_vagrant/tasks/main.yml new file mode 100644 index 0000000..294e74f --- /dev/null +++ b/roles/ssh_and_vagrant/tasks/main.yml @@ -0,0 +1,5 @@ +--- +- import_tasks: ssh-port.yml + tags: [change-ssh-port] +- import_tasks: virtualization.yml + tags: [gather-virtualization-facts] 
diff --git a/roles/ubuntu_base/tasks/ssh-port.yml b/roles/ssh_and_vagrant/tasks/ssh-port.yml similarity index 91% rename from roles/ubuntu_base/tasks/ssh-port.yml rename to roles/ssh_and_vagrant/tasks/ssh-port.yml index a6a598a..90ae178 100644 --- a/roles/ubuntu_base/tasks/ssh-port.yml +++ b/roles/ssh_and_vagrant/tasks/ssh-port.yml @@ -11,7 +11,7 @@ ignore_errors: true register: ssh_configured -# If we're running in Vagrant, ansible_port is 2222 +# If running in Vagrant, ansible_port is always 2222 - name: Change Ansible port to 22 if needed set_fact: ansible_port: 22 @@ -22,7 +22,7 @@ - name: Change SSH port on host lineinfile: dest: "/etc/ssh/sshd_config" - regexp: "^#?Port" + regexp: "^#?Port " line: "Port 19022" register: ssh_changed notify: "Restart sshd" diff --git a/roles/ssh_and_vagrant/tasks/virtualization.yml b/roles/ssh_and_vagrant/tasks/virtualization.yml new file mode 100644 index 0000000..19883e4 --- /dev/null +++ b/roles/ssh_and_vagrant/tasks/virtualization.yml @@ -0,0 +1,4 @@ +--- +- name: Determine if running in Vagrant + setup: + gather_subset: virtualization_role diff --git a/roles/ubuntu_base/tasks/base.yml b/roles/ubuntu_base/tasks/base.yml index 4ff4a94..63e452c 100644 --- a/roles/ubuntu_base/tasks/base.yml +++ b/roles/ubuntu_base/tasks/base.yml @@ -13,7 +13,7 @@ - name: Install Dell OpenManage apt: name: srvadmin-all - when: ansible_virtualization_role != "guest" + when: not vagrant - name: Install necessary packages via pip pip: diff --git a/roles/ubuntu_base/tasks/main.yml b/roles/ubuntu_base/tasks/main.yml index 7313caa..2416ea1 100644 --- a/roles/ubuntu_base/tasks/main.yml +++ b/roles/ubuntu_base/tasks/main.yml @@ -1,9 +1,7 @@ --- -- import_tasks: ssh-port.yml - tags: [change-ssh-port] - import_tasks: dell-apt-repo.yml tags: [setup-dell-apt-repo] - when: vagrant == false + when: not vagrant - import_tasks: upgrade.yml tags: [do-full-system-upgrade] - import_tasks: base.yml -- 2.40.1 
From 9a5d780f2b156d6d9277b083ca456841689deb48 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=AD=C3=B0ir=20Valberg=20Gu=C3=B0mundsson?= Date: Thu, 17 Nov 2022 08:53:45 +0100 Subject: [PATCH 11/14] Keep ansible "clean" and do ssh port magic in Vagrantfile. --- Vagrantfile | 16 ++++++++++++++-- playbook.yml | 15 ++++----------- roles/ssh_and_vagrant/tasks/main.yml | 5 ----- roles/ssh_and_vagrant/tasks/virtualization.yml | 4 ---- .../handlers/main.yml | 0 roles/ubuntu_base/tasks/main.yml | 6 ++++++ .../tasks/ssh-port.yml | 0 7 files changed, 24 insertions(+), 22 deletions(-) delete mode 100644 roles/ssh_and_vagrant/tasks/main.yml delete mode 100644 roles/ssh_and_vagrant/tasks/virtualization.yml rename roles/{ssh_and_vagrant => ubuntu_base}/handlers/main.yml (100%) rename roles/{ssh_and_vagrant => ubuntu_base}/tasks/ssh-port.yml (100%) diff --git a/Vagrantfile b/Vagrantfile index 5db0681..391209e 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -1,7 +1,11 @@ Vagrant.require_version ">= 1.7.0" - +PORT = 19022 Vagrant.configure(2) do |config| - config.vm.network "forwarded_port", guest: 19022, host: 19022, id: "new_ssh" + config.vm.network :forwarded_port, guest: PORT, host: PORT, id: "new_ssh" + # If we are trying to SSH into the VM, we need to use the new port + if ARGV[0] == "ssh" + config.ssh.guest_port = PORT + end config.vm.define "datacoop" do |datacoop| datacoop.vm.box = "ubuntu/focal64" datacoop.vm.hostname = "datacoop" @@ -13,6 +17,14 @@ Vagrant.configure(2) do |config| ansible.playbook = "playbook.yml" ansible.ask_vault_pass = true ansible.verbose = "v" + # If we are running the provision command, then we override the ansible_port + if ARGV[0] == "provision" + ansible.host_vars = { + "datacoop" => { + "ansible_port" => PORT + } + } + end end end end diff --git a/playbook.yml b/playbook.yml index a9d41de..ba93281 100644 --- a/playbook.yml +++ b/playbook.yml 
@@ -1,12 +1,15 @@ --- - hosts: all - gather_facts: false + gather_facts: true become: true vars: base_domain: data.coop letsencrypt_email: admin@data.coop ldap_dn: "dc=data,dc=coop" + vagrant: "{{ ansible_virtualization_role == 'guest' }}" + letsencrypt_enabled: "{{ not vagrant }}" + services: - nginx-proxy - postfix @@ -33,19 +36,9 @@ smtp_port: "587" tasks: - - import_role: - name: ssh_and_vagrant - tags: - - base_only - - setup_services - import_role: name: ubuntu_base - vars: - vagrant: "{{ ansible_virtualization_role == 'guest' }}" tags: - base_only - import_role: name: docker - vars: - vagrant: "{{ ansible_virtualization_role == 'guest' }}" - letsencrypt_enabled: "{{ not vagrant }}" diff --git a/roles/ssh_and_vagrant/tasks/main.yml b/roles/ssh_and_vagrant/tasks/main.yml deleted file mode 100644 index 294e74f..0000000 --- a/roles/ssh_and_vagrant/tasks/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- import_tasks: ssh-port.yml - tags: [change-ssh-port] -- import_tasks: virtualization.yml - tags: [gather-virtualization-facts] diff --git a/roles/ssh_and_vagrant/tasks/virtualization.yml b/roles/ssh_and_vagrant/tasks/virtualization.yml deleted file mode 100644 index 19883e4..0000000 --- a/roles/ssh_and_vagrant/tasks/virtualization.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- name: Determine if running in Vagrant - setup: - gather_subset: virtualization_role diff --git a/roles/ssh_and_vagrant/handlers/main.yml b/roles/ubuntu_base/handlers/main.yml similarity index 100% rename from roles/ssh_and_vagrant/handlers/main.yml rename to roles/ubuntu_base/handlers/main.yml diff --git a/roles/ubuntu_base/tasks/main.yml b/roles/ubuntu_base/tasks/main.yml index 2416ea1..3b7b4a6 100644 --- a/roles/ubuntu_base/tasks/main.yml +++ b/roles/ubuntu_base/tasks/main.yml 
@@ -1,10 +1,16 @@ --- +- import_tasks: ssh-port.yml + tags: [change-ssh-port] + - import_tasks: dell-apt-repo.yml tags: [setup-dell-apt-repo] when: not vagrant + - import_tasks: upgrade.yml tags: [do-full-system-upgrade] + - import_tasks: base.yml tags: [install-base-packages] + - import_tasks: users.yml tags: [setup-users] diff --git a/roles/ssh_and_vagrant/tasks/ssh-port.yml b/roles/ubuntu_base/tasks/ssh-port.yml similarity index 100% rename from roles/ssh_and_vagrant/tasks/ssh-port.yml rename to roles/ubuntu_base/tasks/ssh-port.yml -- 2.40.1 From 6e383d6afac2dfb054293c75200d9ed4e40db92a Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Thu, 17 Nov 2022 22:11:32 +0100 Subject: [PATCH 12/14] Simplify SSH configuration Now that the Vagrantfile supplies SSH port information to Ansible, we no longer need to figure it out in Ansible. Also, since gather_facts (which requires an SSH connection) is set to true in playbook.yml, one needs to supply --extra-vars "ansible_port=22" on the commandline when provisioning for the first time on real hardware, because the port is hardcoded in the inventory file. --- Vagrantfile | 7 ++++++ roles/ubuntu_base/handlers/main.yml | 5 ----- roles/ubuntu_base/tasks/ssh-port.yml | 33 +++++++--------------------- 3 files changed, 15 insertions(+), 30 deletions(-) delete mode 100644 roles/ubuntu_base/handlers/main.yml diff --git a/Vagrantfile b/Vagrantfile index 391209e..7ebc9d3 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -1,22 +1,29 @@ Vagrant.require_version ">= 1.7.0" + PORT = 19022 + Vagrant.configure(2) do |config| config.vm.network :forwarded_port, guest: PORT, host: PORT, id: "new_ssh" + # If we are trying to SSH into the VM, we need to use the new port if ARGV[0] == "ssh" config.ssh.guest_port = PORT end + config.vm.define "datacoop" do |datacoop| datacoop.vm.box = "ubuntu/focal64" datacoop.vm.hostname = "datacoop" + datacoop.vm.provider "virtualbox" do |v| v.memory = 4096 end + datacoop.vm.provision "ansible" do |ansible| ansible.compatibility_mode = "2.0" ansible.playbook = "playbook.yml" ansible.ask_vault_pass = true ansible.verbose = "v" + # If we are running the provision command, then we override the ansible_port if ARGV[0] == "provision" ansible.host_vars = { diff --git a/roles/ubuntu_base/handlers/main.yml b/roles/ubuntu_base/handlers/main.yml deleted file mode 100644 index 0416cca..0000000 --- a/roles/ubuntu_base/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: Restart sshd - service: - name: sshd - state: restarted diff --git a/roles/ubuntu_base/tasks/ssh-port.yml b/roles/ubuntu_base/tasks/ssh-port.yml index 90ae178..5b708c9 100644 --- a/roles/ubuntu_base/tasks/ssh-port.yml +++ b/roles/ubuntu_base/tasks/ssh-port.yml @@ -1,24 +1,4 @@ --- -- name: Check if SSH port is already configured - wait_for: - port: 19022 - host: "{{ ansible_host }}" - search_regex: "OpenSSH" - connect_timeout: 5 - timeout: 10 - become: false - delegate_to: localhost - ignore_errors: true - register: ssh_configured - -# If running in Vagrant, ansible_port is always 2222 -- name: Change Ansible port to 22 if needed - set_fact: - ansible_port: 22 - when: ssh_configured is defined and - ssh_configured.state is undefined and - ansible_port != 2222 - - name: Change SSH port on host lineinfile: dest: "/etc/ssh/sshd_config" 
@@ -26,13 +6,16 @@ line: "Port 19022" register: ssh_changed notify: "Restart sshd" - when: ssh_configured is defined and - ssh_configured.state is undefined -- name: Ensure sshd is reloaded if needed - meta: flush_handlers +- name: Restart sshd + service: + name: sshd + state: restarted + when: ssh_changed is defined and + ssh_changed.changed - name: Change Ansible port to 19022 set_fact: ansible_port: 19022 - when: ssh_changed is defined + when: ssh_changed is defined and + ssh_changed.changed -- 2.40.1 From d48e6846478494acbbc24e865fee7e965fd9f9e6 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Thu, 17 Nov 2022 22:17:51 +0100 Subject: [PATCH 13/14] Remove notify --- roles/ubuntu_base/tasks/ssh-port.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/ubuntu_base/tasks/ssh-port.yml b/roles/ubuntu_base/tasks/ssh-port.yml index 5b708c9..1935168 100644 --- a/roles/ubuntu_base/tasks/ssh-port.yml +++ b/roles/ubuntu_base/tasks/ssh-port.yml @@ -5,7 +5,6 @@ regexp: "^#?Port " line: "Port 19022" register: ssh_changed - notify: "Restart sshd" - name: Restart sshd service: -- 2.40.1 From a67d82ad88ea2d506c5d6b3e4d0dc5a498acbae0 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Fri, 18 Nov 2022 23:15:56 +0100 Subject: [PATCH 14/14] Some improvements - Always use the new port if the VM is already provisioned - We're not using a multi-VM setup, so no need to define VM "datacoop" - Increase minimum required Vagrant version - Add static IP for hopefully implementing some sort of DNS in the future - Hardcode registry domain to use the real registry in Vagrant --- Vagrantfile | 55 +++++++++---------- .../docker/tasks/services/docker_registry.yml | 2 +- 2 files changed, 28 insertions(+), 29 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index 7ebc9d3..7d00af1 100644 --- a/Vagrantfile +++ b/Vagrantfile 
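Review bot: Both the `Restart sshd` task and the `Change Ansible port to 19022` task key on `ssh_changed.changed`, which `lineinfile` also reports as true in check mode while `service` performs no restart there, so a `--check` run would switch `ansible_port` to 19022 while sshd still listens on the old port and every later task in the play would fail to connect. Guarding the set_fact with `when: ssh_changed is defined and ssh_changed.changed and not ansible_check_mode` keeps check mode consistent. The lineinfile task these two depend on begins in the previous hunk of this file.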
@@ -1,37 +1,36 @@ -Vagrant.require_version ">= 1.7.0" - +Vagrant.require_version ">= 2.0.0" PORT = 19022 -Vagrant.configure(2) do |config| - config.vm.network :forwarded_port, guest: PORT, host: PORT, id: "new_ssh" +def provisioned?(vm="default", provider="virtualbox") + File.exist?(".vagrant/machines/#{vm}/#{provider}/action_provision") +end - # If we are trying to SSH into the VM, we need to use the new port - if ARGV[0] == "ssh" - config.ssh.guest_port = PORT +Vagrant.configure(2) do |config| + config.vm.network :private_network, ip: "192.168.56.10" + config.vm.network :forwarded_port, guest: PORT, host: PORT + + config.vm.box = "ubuntu/focal64" + config.vm.hostname = "datacoop" + + config.vm.provider :virtualbox do |v| + v.memory = 4096 end - config.vm.define "datacoop" do |datacoop| - datacoop.vm.box = "ubuntu/focal64" - datacoop.vm.hostname = "datacoop" + config.vm.provision :ansible do |ansible| + ansible.compatibility_mode = "2.0" + ansible.playbook = "playbook.yml" + ansible.ask_vault_pass = true + ansible.verbose = "v" + ansible.extra_vars = { + base_domain: "datacoop.devel" + } - datacoop.vm.provider "virtualbox" do |v| - v.memory = 4096 - end - - datacoop.vm.provision "ansible" do |ansible| - ansible.compatibility_mode = "2.0" - ansible.playbook = "playbook.yml" - ansible.ask_vault_pass = true - ansible.verbose = "v" - - # If we are running the provision command, then we override the ansible_port - if ARGV[0] == "provision" - ansible.host_vars = { - "datacoop" => { - "ansible_port" => PORT - } - } - end + # If the VM is already provisioned, we need to use the new port + if provisioned? + config.ssh.guest_port = PORT + ansible.extra_vars = { + ansible_port: PORT + } end end end diff --git a/roles/docker/tasks/services/docker_registry.yml b/roles/docker/tasks/services/docker_registry.yml index a88a707..3e53802 100644 --- a/roles/docker/tasks/services/docker_registry.yml +++ b/roles/docker/tasks/services/docker_registry.yml 
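Review bot: Inside the `if provisioned?` branch the second `ansible.extra_vars = { ansible_port: PORT }` replaces the hash assigned a few lines earlier, so once the VM is provisioned `base_domain: "datacoop.devel"` is no longer passed and the play falls back to the production `base_domain: data.coop` from playbook.yml. Merging instead of reassigning, `ansible.extra_vars = ansible.extra_vars.merge(ansible_port: PORT)`, keeps both values. Setting `config.ssh.guest_port` from inside the provisioner block only works because `config` is captured by the closure; placing it next to the forwarded_port line would make that intent clearer.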
@@ -30,6 +30,6 @@ - name: log in to registry docker_login: - registry: "{{ docker_registry.domain }}" + registry: "docker.data.coop" username: "docker" password: "{{ docker_password }}" -- 2.40.1
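Review bot: Hardcoding `registry: "docker.data.coop"` makes every Vagrant run log in to the production registry with the production `docker_password`, so a disposable dev VM ends up holding a live production credential in the Docker config of the task user. If the goal is only to pull images in Vagrant, a dedicated read-only credential or gating this task with `when: not vagrant` would keep the production secret off the test box. Dropping `docker_registry.domain` here also leaves the login out of step with the tasks above it that still use the variable, though the rest of the file is outside the hunk.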