From 87a9c0f77d4a2696146fc487b88ed4958cd3c0dc Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Wed, 15 Nov 2023 20:30:53 +0100
Subject: [PATCH] Improvements

---
 host_vars/sapt-labp-app01.yml | 1 +
 host_vars/sapt-labp-app02.yml | 1 +
 host_vars/sapt-labp-db01.yml | 1 +
 host_vars/sapt-labr-mon01.yml | 1 +
 host_vars/sapt-labr-prx01.yml | 1 +
 host_vars/sapt-labr-prx02.yml | 1 +
 host_vars/sapt-labs-app01.yml | 1 +
 host_vars/sapt-labs-app02.yml | 1 +
 host_vars/sapt-labs-db01.yml | 1 +
 host_vars/sapt-labx-ctl01.yml | 1 +
 host_vars/sapt-labx-pve01.yml | 1 +
 inventory.ini | 22 ++++-----
 .../docker/files/{etc/docker => }/daemon.json | 0
 roles/docker/tasks/main.yml | 16 +++---
 roles/vm-common/handlers/main.yml | 5 --
 roles/vm-common/tasks/base.yml | 49 -------
 roles/vm-common/tasks/firewall.yml | 23 +++++----
 roles/vm-common/tasks/main.yml | 46 ++++++++++++++---
 roles/vm-common/tasks/ssh.yml | 11 -----
 roles/vm-common/templates/{etc => }/hosts.j2 | 0
 .../etc/ssh => vm-init/files}/sshd_config | 0
 roles/vm-init/handlers/main.yml | 7 +++
 .../users.yml => vm-init/tasks/main.yml} | 17 +++++++
 site.yml | 41 ++++++++++++++--
 24 files changed, 143 insertions(+), 105 deletions(-)
 rename roles/docker/files/{etc/docker => }/daemon.json (100%)
 delete mode 100644 roles/vm-common/tasks/base.yml
 delete mode 100644 roles/vm-common/tasks/ssh.yml
 rename roles/vm-common/templates/{etc => }/hosts.j2 (100%)
 rename roles/{vm-common/files/etc/ssh => vm-init/files}/sshd_config (100%)
 create mode 100644 roles/vm-init/handlers/main.yml
 rename roles/{vm-common/tasks/users.yml => vm-init/tasks/main.yml} (62%)

diff --git a/host_vars/sapt-labp-app01.yml b/host_vars/sapt-labp-app01.yml
index 6e90002..3652c07 100644
--- a/host_vars/sapt-labp-app01.yml
+++ b/host_vars/sapt-labp-app01.yml
@@ -2,6 +2,7 @@
 # code: language=ansible
 ---
 fqdn: sapt-labp-app01.prod.servers.sapti.me
+ansible_host: 192.168.17.30
 internal_ipv4: 10.2.16.10
 apps_include:
diff --git a/host_vars/sapt-labp-app02.yml b/host_vars/sapt-labp-app02.yml
index ee744a2..d9f0a8a 100644
--- a/host_vars/sapt-labp-app02.yml
+++ b/host_vars/sapt-labp-app02.yml
@@ -2,6 +2,7 @@
 # code: language=ansible
 ---
 fqdn: sapt-labp-app02.prod.servers.sapti.me
+ansible_host: 192.168.17.31
 internal_ipv4: 10.2.16.11
 apps_include:
diff --git a/host_vars/sapt-labp-db01.yml b/host_vars/sapt-labp-db01.yml
index f933738..347911c 100644
--- a/host_vars/sapt-labp-db01.yml
+++ b/host_vars/sapt-labp-db01.yml
@@ -2,4 +2,5 @@
 # code: language=ansible
 ---
 fqdn: sapt-labp-db01.prod.servers.sapti.me
+ansible_host: 192.168.17.40
 internal_ipv4: 10.2.16.20
diff --git a/host_vars/sapt-labr-mon01.yml b/host_vars/sapt-labr-mon01.yml
index 8a8e43e..bbc0de1 100644
--- a/host_vars/sapt-labr-mon01.yml
+++ b/host_vars/sapt-labr-mon01.yml
@@ -2,4 +2,5 @@
 # code: language=ansible
 ---
 fqdn: sapt-labr-mon01.shrd.servers.sapti.me
+ansible_host: 192.168.17.20
 internal_ipv4: 10.2.18.20
diff --git a/host_vars/sapt-labr-prx01.yml b/host_vars/sapt-labr-prx01.yml
index 828abd8..f9d69c3 100644
--- a/host_vars/sapt-labr-prx01.yml
+++ b/host_vars/sapt-labr-prx01.yml
@@ -2,6 +2,7 @@
 # code: language=ansible
 ---
 fqdn: sapt-labr-prx01.shrd.servers.sapti.me
+ansible_host: 192.168.17.10
 internal_ipv4: 10.2.18.10
 proxy_mode: global
diff --git a/host_vars/sapt-labr-prx02.yml b/host_vars/sapt-labr-prx02.yml
index 6fc892d..01a01de 100644
--- a/host_vars/sapt-labr-prx02.yml
+++ b/host_vars/sapt-labr-prx02.yml
@@ -2,6 +2,7 @@
 # code: language=ansible
 ---
 fqdn: sapt-labr-prx02.shrd.servers.sapti.me
+ansible_host: 192.168.17.11
 internal_ipv4: 10.2.18.11
 proxy_mode: local
diff --git a/host_vars/sapt-labs-app01.yml b/host_vars/sapt-labs-app01.yml
index ad8d862..e93af9d 100644
--- a/host_vars/sapt-labs-app01.yml
+++ b/host_vars/sapt-labs-app01.yml
@@ -2,6 +2,7 @@
 # code: language=ansible
 ---
 fqdn: sapt-labs-app01.stage.servers.sapti.me
+ansible_host: 192.168.17.50
 internal_ipv4: 10.2.19.10
 apps_include:
diff --git a/host_vars/sapt-labs-app02.yml b/host_vars/sapt-labs-app02.yml
index 7387783..df051fe 100644
--- a/host_vars/sapt-labs-app02.yml
+++ b/host_vars/sapt-labs-app02.yml
@@ -2,6 +2,7 @@
 # code: language=ansible
 ---
 fqdn: sapt-labs-app02.stage.servers.sapti.me
+ansible_host: 192.168.17.51
 internal_ipv4: 10.2.19.11
 apps_include:
diff --git a/host_vars/sapt-labs-db01.yml b/host_vars/sapt-labs-db01.yml
index 862823b..37c9f58 100644
--- a/host_vars/sapt-labs-db01.yml
+++ b/host_vars/sapt-labs-db01.yml
@@ -2,4 +2,5 @@
 # code: language=ansible
 ---
 fqdn: sapt-labs-db01.stage.servers.sapti.me
+ansible_host: 192.168.17.60
 internal_ipv4: 10.2.19.20
diff --git a/host_vars/sapt-labx-ctl01.yml b/host_vars/sapt-labx-ctl01.yml
index 1ea0cd3..8861370 100644
--- a/host_vars/sapt-labx-ctl01.yml
+++ b/host_vars/sapt-labx-ctl01.yml
@@ -2,3 +2,4 @@
 # code: language=ansible
 ---
 fqdn: sapt-labx-ctl01.infra.servers.sapti.me
+ansible_host: 192.168.17.8
diff --git a/host_vars/sapt-labx-pve01.yml b/host_vars/sapt-labx-pve01.yml
index d17409d..c7b7c62 100644
--- a/host_vars/sapt-labx-pve01.yml
+++ b/host_vars/sapt-labx-pve01.yml
@@ -2,3 +2,4 @@
 # code: language=ansible
 ---
 fqdn: sapt-labx-pve01.infra.servers.sapti.me
+ansible_host: 192.168.17.3
diff --git a/inventory.ini b/inventory.ini
index 7680bd9..ca985f8 100644
--- a/inventory.ini
+++ b/inventory.ini
@@ -1,29 +1,29 @@
 [app_prod]
-sapt-labp-app01 ansible_host=192.168.17.30
-sapt-labp-app02 ansible_host=192.168.17.31
+sapt-labp-app01
+sapt-labp-app02
 
 [db_prod]
-sapt-labp-db01 ansible_host=192.168.17.40
+sapt-labp-db01
 
 [app_stage]
-sapt-labs-app01 ansible_host=192.168.17.50
-sapt-labs-app02 ansible_host=192.168.17.51
+sapt-labs-app01
+sapt-labs-app02
 
 [db_stage]
-sapt-labs-db01 ansible_host=192.168.17.60
+sapt-labs-db01
 
 [proxy_shrd]
-sapt-labr-prx01 ansible_host=192.168.17.10
-sapt-labr-prx02 ansible_host=192.168.17.11
+sapt-labr-prx01
+sapt-labr-prx02
 
 [monitor_shrd]
-sapt-labr-mon01 ansible_host=192.168.17.20
+sapt-labr-mon01
 
 [proxmox_infra]
-sapt-labx-pve01 ansible_host=192.168.17.3
+sapt-labx-pve01
 
 [control_infra]
-sapt-labx-ctl01 ansible_host=192.168.17.8
+sapt-labx-ctl01
 
 [production:children]
 app_prod
diff --git a/roles/docker/files/etc/docker/daemon.json b/roles/docker/files/daemon.json
similarity index 100%
rename from roles/docker/files/etc/docker/daemon.json
rename to roles/docker/files/daemon.json
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index 98210e9..90bce14 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -1,6 +1,14 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
+- name: Copy Docker daemon config file
+  ansible.builtin.copy:
+    src: daemon.json
+    dest: /etc/docker/daemon.json
+    owner: root
+    mode: u=rw,g=r,o=r
+  notify: Reload Docker daemon
+
 - name: Add Docker PGP key
   ansible.builtin.rpm_key:
     key: https://download.docker.com/linux/centos/gpg
@@ -27,14 +35,6 @@
     - containerd.io
     state: present
 
-- name: Copy Docker daemon config file
-  ansible.builtin.copy:
-    src: etc/docker/daemon.json
-    dest: /etc/docker/daemon.json
-    owner: root
-    mode: u=rw,g=r,o=r
-  notify: Reload Docker daemon
-
 - name: Ensure Docker daemon is enabled and running
   ansible.builtin.service:
     name: docker
diff --git a/roles/vm-common/handlers/main.yml b/roles/vm-common/handlers/main.yml
index e5c48aa..94faa92 100644
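Review bot: The relocated "Copy Docker daemon config file" task in roles/docker/tasks/main.yml now runs before the docker-ce package is installed, and `ansible.builtin.copy` does not create missing parent directories, so on a fresh host where nothing else has created `/etc/docker` the task fails with a missing-destination error. Either move the task back below the dnf install (its old position) or create the directory first with the task below. The `notify: Reload Docker daemon` at this position is fine on its own, since handlers run at the end of the play after the install task has run, but it only holds while the install stays in the same play.

```yaml
- name: Ensure Docker config directory exists
  ansible.builtin.file:
    path: /etc/docker
    state: directory
    owner: root
    mode: u=rwx,g=rx,o=rx

# … unchanged: Copy Docker daemon config file task …
```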
--- a/roles/vm-common/handlers/main.yml
+++ b/roles/vm-common/handlers/main.yml
@@ -6,11 +6,6 @@
     name: systemd-resolved
     state: restarted
 
-- name: Restart sshd
-  ansible.builtin.service:
-    name: sshd
-    state: restarted
-
 - name: Reload firewalld
   ansible.builtin.service:
     name: firewalld
diff --git a/roles/vm-common/tasks/base.yml b/roles/vm-common/tasks/base.yml
deleted file mode 100644
index 79c8ad3..0000000
--- a/roles/vm-common/tasks/base.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-# vim: ft=yaml.ansible
-# code: language=ansible
----
-- name: Set hostname
-  ansible.builtin.hostname:
-    name: "{{ hostname }}"
-
-- name: Set timezone
-  community.general.timezone:
-    name: "{{ timezone }}"
-
-- name: Copy hosts file
-  ansible.builtin.template:
-    src: etc/hosts.j2
-    dest: /etc/hosts
-    owner: root
-    mode: u=rw,g=r,o=r
-
-- name: Enable extra repositories
-  ansible.builtin.dnf:
-    name:
-      - epel-release
-      - rocky-release-security
-    state: present
-
-- name: Install system packages
-  ansible.builtin.dnf:
-    name:
-      - firewalld
-      - haveged
-      - htop
-      - jq
-      - lkrg
-      - logrotate
-      - mtr
-      - rsyslog
-    update_cache: true
-    state: present
-
-- name: Ensure services are enabled and running
-  ansible.builtin.service:
-    name: "{{ item }}"
-    enabled: true
-    state: started
-  loop:
-    - firewalld
-    - haveged
-    - lkrg
-    - rsyslog
diff --git a/roles/vm-common/tasks/firewall.yml b/roles/vm-common/tasks/firewall.yml
index a3e4576..d0f791b 100644
--- a/roles/vm-common/tasks/firewall.yml
+++ b/roles/vm-common/tasks/firewall.yml
@@ -68,24 +68,29 @@
 # state: enabled
 # loop: "{{ groups['control_infra'] }}"
 
-- name: Firewall rules for production and staging
-  loop:
-    - prod
-    - stage
-  loop_control:
-    loop_var: env
+- name: Firewall rules for DB servers
   when: hostname in groups['production'] or hostname in groups['staging']
   notify: Reload firewalld
   block:
-    - name: Allow incoming connections from app servers to PostgreSQL port in zone 'internal'
+    - name: Production | Allow incoming connections from app servers to PostgreSQL port in zone 'internal'
       ansible.posix.firewalld:
         zone: internal
         source: "{{ hostvars[item].internal_ipv4 }}"
         service: postgresql
         permanent: true
         state: enabled
-      loop: "{{ groups['app_' + env] }}"
-      when: hostname in groups['db_' + env]
+      loop: "{{ groups['app_prod'] }}"
+      when: hostname in groups['db_prod']
+
+    - name: Staging | Allow incoming connections from app servers to PostgreSQL port in zone 'internal'
+      ansible.posix.firewalld:
+        zone: internal
+        source: "{{ hostvars[item].internal_ipv4 }}"
+        service: postgresql
+        permanent: true
+        state: enabled
+      loop: "{{ groups['app_stage'] }}"
+      when: hostname in groups['db_stage']
 
 - name: Firewall rules for proxy servers
   when: hostname in group['proxyservers']
diff --git a/roles/vm-common/tasks/main.yml b/roles/vm-common/tasks/main.yml
index 5ecff15..99bd3cd 100644
--- a/roles/vm-common/tasks/main.yml
+++ b/roles/vm-common/tasks/main.yml
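Review bot: The context line directly below the new block, `when: hostname in group['proxyservers']`, uses `group` instead of `groups`; that name is undefined in Ansible, so the "Firewall rules for proxy servers" task will abort the play with a conditional-evaluation error and the proxy hosts never get their rules, which the commit leaves untouched — it should read `when: hostname in groups['proxyservers']`. That task continues outside the hunk. On the new lines, the Production and Staging tasks are identical apart from the `app_`/`db_` suffix; if the env loop was dropped because the inner `item` clashed with the outer loop, one task with `loop: "{{ groups['app_prod'] if hostname in groups['db_prod'] else groups['app_stage'] }}"` keeps the single rule definition without the duplication, though this is a matter of style.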
@@ -1,14 +1,44 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-- name: Configure system base
-  ansible.builtin.import_tasks: base.yml
+- name: Copy hosts file
+  ansible.builtin.template:
+    src: hosts.j2
+    dest: /etc/hosts
+    owner: root
+    mode: u=rw,g=r,o=r
+
+- name: Enable extra repositories
+  ansible.builtin.dnf:
+    name:
+      - epel-release
+      - rocky-release-security
+    state: present
+
+- name: Install system packages
+  ansible.builtin.dnf:
+    name:
+      - firewalld
+      - haveged
+      - htop
+      - jq
+      - lkrg
+      - logrotate
+      - mtr
+      - rsyslog
+    update_cache: true
+    state: present
+
+- name: Ensure services are enabled and running
+  ansible.builtin.service:
+    name: "{{ item }}"
+    enabled: true
+    state: started
+  loop:
+    - firewalld
+    - haveged
+    - lkrg
+    - rsyslog
 
 - name: Configure firewall
   ansible.builtin.import_tasks: firewall.yml
-
-- name: Configure user accounts
-  ansible.builtin.import_tasks: users.yml
-
-- name: Configure SSH
-  ansible.builtin.import_tasks: ssh.yml
diff --git a/roles/vm-common/tasks/ssh.yml b/roles/vm-common/tasks/ssh.yml
deleted file mode 100644
index abddb1e..0000000
--- a/roles/vm-common/tasks/ssh.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-# vim: ft=yaml.ansible
-# code: language=ansible
----
-- name: Copy sshd_config
-  ansible.builtin.copy:
-    src: etc/ssh/sshd_config
-    dest: /etc/ssh/sshd_config
-    owner: root
-    mode: u=rw,g=r,o=r
-    validate: /usr/sbin/sshd -t -f %s
-  notify: Restart sshd
diff --git a/roles/vm-common/templates/etc/hosts.j2 b/roles/vm-common/templates/hosts.j2
similarity index 100%
rename from roles/vm-common/templates/etc/hosts.j2
rename to roles/vm-common/templates/hosts.j2
diff --git a/roles/vm-common/files/etc/ssh/sshd_config b/roles/vm-init/files/sshd_config
similarity index 100%
rename from roles/vm-common/files/etc/ssh/sshd_config
rename to roles/vm-init/files/sshd_config
diff --git a/roles/vm-init/handlers/main.yml b/roles/vm-init/handlers/main.yml
new file mode 100644
index 0000000..b4b66a9
--- /dev/null
+++ b/roles/vm-init/handlers/main.yml
@@ -0,0 +1,7 @@
+# vim: ft=yaml.ansible
+# code: language=ansible
+---
+- name: Restart sshd
+  ansible.builtin.service:
+    name: sshd
+    state: restarted
diff --git a/roles/vm-common/tasks/users.yml b/roles/vm-init/tasks/main.yml
similarity index 62%
rename from roles/vm-common/tasks/users.yml
rename to roles/vm-init/tasks/main.yml
index 550eaeb..1683d4d 100644
--- a/roles/vm-common/tasks/users.yml
+++ b/roles/vm-init/tasks/main.yml
@@ -1,6 +1,14 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
+- name: Set hostname
+  ansible.builtin.hostname:
+    name: "{{ hostname }}"
+
+- name: Set timezone
+  community.general.timezone:
+    name: "{{ timezone }}"
+
 - name: Add users
   ansible.builtin.user:
     name: "{{ item.name }}"
@@ -25,3 +33,12 @@
     commands: ALL
     nopassword: true
     state: present
+
+- name: Copy sshd_config
+  ansible.builtin.copy:
+    src: sshd_config
+    dest: /etc/ssh/sshd_config
+    owner: root
+    mode: u=rw,g=r,o=r
+    validate: /usr/sbin/sshd -t -f %s
+  notify: Restart sshd
diff --git a/site.yml b/site.yml
index 02cb54f..56d42c7 100644
--- a/site.yml
+++ b/site.yml
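Review bot: The new "Copy sshd_config" task in roles/vm-init/tasks/main.yml sets `mode: u=rw,g=r,o=r`, which loosens /etc/ssh/sshd_config from the root-only 0600 that the openssh-server package ships on Rocky/RHEL to world-readable; keeping the package default with `mode: u=rw,g=,o=` avoids exposing the daemon's configuration to every local account. The `validate: /usr/sbin/sshd -t -f %s` guard is the right complement to the `Restart sshd` handler, since it stops a syntactically broken config from ever being restarted into. Because this task runs in the play that connects as root (per site.yml), the end-of-play restart is the moment any root-login restriction in the shipped sshd_config takes effect — if that is what the file does, the preceding "Add users" task must have provisioned the management user and its key first, which the task order in this file gives you; a one-line comment above the task stating that ordering dependency would keep a future reshuffle from breaking it.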
@@ -1,28 +1,61 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-- name: Base VM configuration
+- name: Proxmox servers
+  hosts: proxmox_infra
+  remote_user: root
+  roles:
+    - pve-common
+
+# - name: Control servers
+#   hosts: control_infra
+#   remote_user: root
+#   roles:
+#     - ctl-common
+
+- name: VM initialization
   hosts: virtualservers
   remote_user: root
+  roles:
+    - vm-init
+
+- name: Base VM configuration
+  hosts: virtualservers
+  remote_user: ansible
+  become: true
   roles:
     - vm-common
 
+- name: Docker hosts
+  hosts: appservers:proxyservers:monitorservers
+  become: true
+  roles:
+    - docker
+
 - name: App servers
   hosts: appservers
   remote_user: ansible
+  become: true
   roles:
-    - docker
     - apps
 
-- name: Database servers
+- name: DB servers
   hosts: dbservers
   remote_user: ansible
+  become: true
   roles:
     - postgresql
 
 - name: Proxy servers
   hosts: proxyservers
   remote_user: ansible
+  become: true
   roles:
-    - docker
     - proxy
+
+# - name: Monitoring servers
+#   hosts: monitorservers
+#   remote_user: ansible
+#   become: true
+#   roles:
+#     - monitoring
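Review bot: The new "Docker hosts" play has no `remote_user:` while every other play that uses `become: true` sets `remote_user: ansible`, so it falls back to whatever ansible.cfg or the SSH client defaults to (typically the invoking user) and will either fail to connect or run the docker role under an unintended account; add `remote_user: ansible` after the `hosts:` line unless ansible.cfg already pins it. Separately, the "VM initialization" play always connects as root; if the vm-init role's sshd_config turns off root login, every run after the first will fail at that play, which is worth a comment above it such as `# Connects as root: only works before vm-init has hardened sshd on the target`. Commenting out the monitoring play while `monitorservers` stays in the Docker hosts pattern is harmless, but a short note saying the role is not yet wired up would save the next reader the question.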