Improvements

This commit is contained in:
Sam A. 2023-11-15 20:30:53 +01:00
parent 800ada91c4
commit 87a9c0f77d
Signed by: samsapti
GPG key ID: CBBBE7371E81C4EA
24 changed files with 143 additions and 105 deletions


@ -2,6 +2,7 @@
# code: language=ansible
---
fqdn: sapt-labp-app01.prod.servers.sapti.me
ansible_host: 192.168.17.30
internal_ipv4: 10.2.16.10
apps_include:


@ -2,6 +2,7 @@
# code: language=ansible
---
fqdn: sapt-labp-app02.prod.servers.sapti.me
ansible_host: 192.168.17.31
internal_ipv4: 10.2.16.11
apps_include:


@ -2,4 +2,5 @@
# code: language=ansible
---
fqdn: sapt-labp-db01.prod.servers.sapti.me
ansible_host: 192.168.17.40
internal_ipv4: 10.2.16.20


@ -2,4 +2,5 @@
# code: language=ansible
---
fqdn: sapt-labr-mon01.shrd.servers.sapti.me
ansible_host: 192.168.17.20
internal_ipv4: 10.2.18.20


@ -2,6 +2,7 @@
# code: language=ansible
---
fqdn: sapt-labr-prx01.shrd.servers.sapti.me
ansible_host: 192.168.17.10
internal_ipv4: 10.2.18.10
proxy_mode: global


@ -2,6 +2,7 @@
# code: language=ansible
---
fqdn: sapt-labr-prx02.shrd.servers.sapti.me
ansible_host: 192.168.17.11
internal_ipv4: 10.2.18.11
proxy_mode: local


@ -2,6 +2,7 @@
# code: language=ansible
---
fqdn: sapt-labs-app01.stage.servers.sapti.me
ansible_host: 192.168.17.50
internal_ipv4: 10.2.19.10
apps_include:


@ -2,6 +2,7 @@
# code: language=ansible
---
fqdn: sapt-labs-app02.stage.servers.sapti.me
ansible_host: 192.168.17.51
internal_ipv4: 10.2.19.11
apps_include:


@ -2,4 +2,5 @@
# code: language=ansible
---
fqdn: sapt-labs-db01.stage.servers.sapti.me
ansible_host: 192.168.17.60
internal_ipv4: 10.2.19.20


@ -2,3 +2,4 @@
# code: language=ansible
---
fqdn: sapt-labx-ctl01.infra.servers.sapti.me
ansible_host: 192.168.17.8


@ -2,3 +2,4 @@
# code: language=ansible
---
fqdn: sapt-labx-pve01.infra.servers.sapti.me
ansible_host: 192.168.17.3


@ -1,29 +1,29 @@
[app_prod]
sapt-labp-app01 ansible_host=192.168.17.30
sapt-labp-app02 ansible_host=192.168.17.31
sapt-labp-app01
sapt-labp-app02
[db_prod]
sapt-labp-db01 ansible_host=192.168.17.40
sapt-labp-db01
[app_stage]
sapt-labs-app01 ansible_host=192.168.17.50
sapt-labs-app02 ansible_host=192.168.17.51
sapt-labs-app01
sapt-labs-app02
[db_stage]
sapt-labs-db01 ansible_host=192.168.17.60
sapt-labs-db01
[proxy_shrd]
sapt-labr-prx01 ansible_host=192.168.17.10
sapt-labr-prx02 ansible_host=192.168.17.11
sapt-labr-prx01
sapt-labr-prx02
[monitor_shrd]
sapt-labr-mon01 ansible_host=192.168.17.20
sapt-labr-mon01
[proxmox_infra]
sapt-labx-pve01 ansible_host=192.168.17.3
sapt-labx-pve01
[control_infra]
sapt-labx-ctl01 ansible_host=192.168.17.8
sapt-labx-ctl01
[production:children]
app_prod


@ -1,6 +1,14 @@
# vim: ft=yaml.ansible
# code: language=ansible
---
- name: Copy Docker daemon config file
ansible.builtin.copy:
src: daemon.json
dest: /etc/docker/daemon.json
owner: root
mode: u=rw,g=r,o=r
notify: Reload Docker daemon
- name: Add Docker PGP key
ansible.builtin.rpm_key:
key: https://download.docker.com/linux/centos/gpg
@ -27,14 +35,6 @@
- containerd.io
state: present
- name: Copy Docker daemon config file
ansible.builtin.copy:
src: etc/docker/daemon.json
dest: /etc/docker/daemon.json
owner: root
mode: u=rw,g=r,o=r
notify: Reload Docker daemon
- name: Ensure Docker daemon is enabled and running
ansible.builtin.service:
name: docker
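Review bot: The `Copy Docker daemon config file` task now runs before the Docker repository key is added and the packages are installed (first hunk), so on a freshly provisioned host `/etc/docker` will not exist yet; `ansible.builtin.copy` does not create missing parent directories and the play would fail at this point. Either keep the copy after the `containerd.io` install (where the second hunk removes it) or create the directory first with an `ansible.builtin.file` task so the config is in place before the daemon starts. If `Reload Docker daemon` fires before the `docker` service exists, that handler would also fail, so check its ordering in the handlers file. The task list continues outside both hunks.
```yaml
- name: Ensure Docker config directory exists
  ansible.builtin.file:
    path: /etc/docker
    state: directory
    owner: root
    mode: u=rwx,g=rx,o=rx

- name: Copy Docker daemon config file
  # … unchanged: copy of daemon.json with notify Reload Docker daemon …
```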


@ -6,11 +6,6 @@
name: systemd-resolved
state: restarted
- name: Restart sshd
ansible.builtin.service:
name: sshd
state: restarted
- name: Reload firewalld
ansible.builtin.service:
name: firewalld


@ -1,49 +0,0 @@
# vim: ft=yaml.ansible
# code: language=ansible
---
- name: Set hostname
ansible.builtin.hostname:
name: "{{ hostname }}"
- name: Set timezone
community.general.timezone:
name: "{{ timezone }}"
- name: Copy hosts file
ansible.builtin.template:
src: etc/hosts.j2
dest: /etc/hosts
owner: root
mode: u=rw,g=r,o=r
- name: Enable extra repositories
ansible.builtin.dnf:
name:
- epel-release
- rocky-release-security
state: present
- name: Install system packages
ansible.builtin.dnf:
name:
- firewalld
- haveged
- htop
- jq
- lkrg
- logrotate
- mtr
- rsyslog
update_cache: true
state: present
- name: Ensure services are enabled and running
ansible.builtin.service:
name: "{{ item }}"
enabled: true
state: started
loop:
- firewalld
- haveged
- lkrg
- rsyslog


@ -68,24 +68,29 @@
# state: enabled
# loop: "{{ groups['control_infra'] }}"
- name: Firewall rules for production and staging
loop:
- prod
- stage
loop_control:
loop_var: env
- name: Firewall rules for DB servers
when: hostname in groups['production'] or hostname in groups['staging']
notify: Reload firewalld
block:
- name: Allow incoming connections from app servers to PostgreSQL port in zone 'internal'
- name: Production | Allow incoming connections from app servers to PostgreSQL port in zone 'internal'
ansible.posix.firewalld:
zone: internal
source: "{{ hostvars[item].internal_ipv4 }}"
service: postgresql
permanent: true
state: enabled
loop: "{{ groups['app_' + env] }}"
when: hostname in groups['db_' + env]
loop: "{{ groups['app_prod'] }}"
when: hostname in groups['db_prod']
- name: Staging | Allow incoming connections from app servers to PostgreSQL port in zone 'internal'
ansible.posix.firewalld:
zone: internal
source: "{{ hostvars[item].internal_ipv4 }}"
service: postgresql
permanent: true
state: enabled
loop: "{{ groups['app_stage'] }}"
when: hostname in groups['db_stage']
- name: Firewall rules for proxy servers
when: hostname in group['proxyservers']
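Review bot: The last line of the hunk reads `when: hostname in group['proxyservers']`, which references `group` rather than the Ansible magic variable `groups`; if that line is live on the new side the condition raises an undefined-variable error on every host instead of selecting the proxies. It should be `when: hostname in groups['proxyservers']`, matching the `groups['db_prod']` / `groups['db_stage']` conditions a few lines above. The `Firewall rules for proxy servers` block itself starts here and continues outside the hunk, so its contents could not be checked.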


@ -1,14 +1,44 @@
# vim: ft=yaml.ansible
# code: language=ansible
---
- name: Configure system base
ansible.builtin.import_tasks: base.yml
- name: Copy hosts file
ansible.builtin.template:
src: hosts.j2
dest: /etc/hosts
owner: root
mode: u=rw,g=r,o=r
- name: Enable extra repositories
ansible.builtin.dnf:
name:
- epel-release
- rocky-release-security
state: present
- name: Install system packages
ansible.builtin.dnf:
name:
- firewalld
- haveged
- htop
- jq
- lkrg
- logrotate
- mtr
- rsyslog
update_cache: true
state: present
- name: Ensure services are enabled and running
ansible.builtin.service:
name: "{{ item }}"
enabled: true
state: started
loop:
- firewalld
- haveged
- lkrg
- rsyslog
- name: Configure firewall
ansible.builtin.import_tasks: firewall.yml
- name: Configure user accounts
ansible.builtin.import_tasks: users.yml
- name: Configure SSH
ansible.builtin.import_tasks: ssh.yml


@ -1,11 +0,0 @@
# vim: ft=yaml.ansible
# code: language=ansible
---
- name: Copy sshd_config
ansible.builtin.copy:
src: etc/ssh/sshd_config
dest: /etc/ssh/sshd_config
owner: root
mode: u=rw,g=r,o=r
validate: /usr/sbin/sshd -t -f %s
notify: Restart sshd


@ -0,0 +1,7 @@
# vim: ft=yaml.ansible
# code: language=ansible
---
- name: Restart sshd
ansible.builtin.service:
name: sshd
state: restarted


@ -1,6 +1,14 @@
# vim: ft=yaml.ansible
# code: language=ansible
---
- name: Set hostname
ansible.builtin.hostname:
name: "{{ hostname }}"
- name: Set timezone
community.general.timezone:
name: "{{ timezone }}"
- name: Add users
ansible.builtin.user:
name: "{{ item.name }}"
@ -25,3 +33,12 @@
commands: ALL
nopassword: true
state: present
- name: Copy sshd_config
ansible.builtin.copy:
src: sshd_config
dest: /etc/ssh/sshd_config
owner: root
mode: u=rw,g=r,o=r
validate: /usr/sbin/sshd -t -f %s
notify: Restart sshd
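Review bot: The `Set hostname` and `Set timezone` tasks in the first hunk and the `Copy sshd_config` task in the second are placed in a task file that is otherwise about user accounts, so a reader looking for host identity or SSH daemon configuration will not find them here; keeping them in dedicated task files (as the deleted `base.yml`/`ssh.yml` did) or renaming this file would make the role easier to audit. The `Copy sshd_config` task notifies `Restart sshd`, which this commit removes from one handlers file and adds to a new one; confirm that the new handlers file belongs to the same role as this task file, otherwise the notification is silently unreachable and a bad `sshd_config` would only be caught by the `validate` step, never applied. The task list ends outside the second hunk.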


@ -1,28 +1,61 @@
# vim: ft=yaml.ansible
# code: language=ansible
---
- name: Base VM configuration
- name: Proxmox servers
hosts: proxmox_infra
remote_user: root
roles:
- pve-common
# - name: Control servers
# hosts: control_infra
# remote_user: root
# roles:
# - ctl-common
- name: VM initialization
hosts: virtualservers
remote_user: root
roles:
- vm-init
- name: Base VM configuration
hosts: virtualservers
remote_user: ansible
become: true
roles:
- vm-common
- name: Docker hosts
hosts: appservers:proxyservers:monitorservers
become: true
roles:
- docker
- name: App servers
hosts: appservers
remote_user: ansible
become: true
roles:
- docker
- apps
- name: Database servers
- name: DB servers
hosts: dbservers
remote_user: ansible
become: true
roles:
- postgresql
- name: Proxy servers
hosts: proxyservers
remote_user: ansible
become: true
roles:
- docker
- proxy
# - name: Monitoring servers
# hosts: monitorservers
# remote_user: ansible
# become: true
# roles:
# - monitoring
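Review bot: The new `Docker hosts` play (`hosts: appservers:proxyservers:monitorservers`) sets `become: true` but, unlike every neighboring play, no `remote_user`, so it falls back to whatever `ansible.cfg` or the inventory defines; for consistency and to avoid accidentally connecting as root, add `remote_user: ansible` to it. The `VM initialization` play also connects as `remote_user: root` to all of `virtualservers`; if that is intended only as first-boot bootstrapping (creating the `ansible` user) before `Base VM configuration`, a short comment saying so would help, since otherwise it keeps a root login path open on every run. The commented-out `Control servers` and `Monitoring servers` plays are fine to keep while the roles are unfinished, but a comment noting why they are disabled would save the next reader a guess.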