Apply fixes after testing

This commit is contained in:
Sam A. 2023-12-25 00:58:55 +01:00
parent 8b640de728
commit a49db2006d
Signed by: samsapti
GPG Key ID: CBBBE7371E81C4EA
9 changed files with 33 additions and 30 deletions


@ -3,6 +3,5 @@ ask_vault_pass = True
inventory = inventory.ini
interpreter_python = /usr/bin/python3
remote_user = ansible
remote_tmp = /tmp/.ansible
use_persistent_connections = True
forks = 10
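Review bot: The hunk header says this stanza shrank from 6 to 5 lines, but the rendered page does not show which line was dropped, so the outcome for `remote_tmp = /tmp/.ansible` is ambiguous. If that setting survives, staging modules under the shared, world-writable `/tmp` is weaker than the default per-user `~/.ansible/tmp`: when a task switches to another unprivileged user (this commit adds `become_user: postgres` via `include_tasks`/`apply`), Ansible may have to loosen permissions on the staged files so the target user can read them. If the line was removed, that is the safer outcome; either way a one-line comment in the config stating why the temp location was chosen would stop it being re-added without thought.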


@ -8,7 +8,7 @@ users:
- name: lab_admin
comment: System administrator
groups:
- sudo
- wheel
ssh_keys:
- sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFWZGLov8wPBNxuvnaPK+8vv6wK5hHUVEFzXKsN9QeuBAAAADHNzaDpzYW1zYXB0aQ== ssh:samsapti
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf cardno:14 336 332
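Review bot: The admin group name in this user definition (presumably `wheel` is the new side of the `- sudo`/`- wheel` pair) is repeated literally in the sudoers task in this same commit (`group: wheel`), so the two can drift apart and an account would silently lose, or another group silently gain, passwordless sudo. A single variable referenced from both places, e.g. `groups: ["{{ admin_group }}"]`, keeps them in lock-step. Note also that `ansible.builtin.user` fails when a listed supplementary group does not exist on the host, so if `sudo` were kept alongside `wheel` the play would break on the EL 9 hosts this repository targets, where only `wheel` exists by default.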


@ -38,7 +38,7 @@ db_stage
[shared:children]
proxy_shrd
monitoring_shrd
monitor_shrd
[appservers:children]
app_prod


@ -6,8 +6,6 @@
name: "{{ db_vars.username }}"
password: "{{ db_vars.password }}"
state: present
environment:
PGOPTIONS: '-c password_encryption=scram-sha-256'
- name: Create database '{{ db_name }}'
community.postgresql.postgresql_db:
@ -21,5 +19,6 @@
community.postgresql.postgresql_privs:
database: "{{ db_name }}"
roles: "{{ db_vars.username }}"
type: database
privs: ALL
state: present
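Review bot: The first hunk loses two lines, and from the page it looks like `environment:` / `PGOPTIONS: '-c password_encryption=scram-sha-256'` on the role-creation task are the ones removed; if so, the password hash format now depends solely on the server's `password_encryption` setting. The pg_hba template in this commit uses `scram-sha-256` for every `all all` line, so if the templated postgresql.conf does not pin `password_encryption = scram-sha-256` (PostgreSQL 14+ default, but `md5` on older versions) the stored hash and the authentication method will not match and logins fail. Worth confirming the value in the postgresql.conf template, or adding a comment on the role task: `# password hash format follows server password_encryption; pg_hba expects scram-sha-256`. The enclosing task list starts and ends outside the visible hunks.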


@ -1,27 +1,26 @@
# vim: ft=yaml.ansible
# code: language=ansible
---
- name: Import RPM key for PostgreSQL repository
ansible.builtin.rpm_key:
key: https://download.postgresql.org/pub/repos/yum/RPM-GPG-KEY-PGDG
state: present
- name: Add PostgreSQL repository
ansible.builtin.dnf:
name: https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm
state: present
- name: Disable built-in PostgreSQL module
community.general.ini_file:
path: /etc/dnf/modules.d/postgresql.module
section: postgresql
option: state
value: disabled
no_extra_spaces: true
create: false
state: present
ansible.builtin.command:
cmd: dnf -qy module disable postgresql
creates: /etc/dnf/modules.d/postgresql.module
- name: Install PostgreSQL {{ postgresql_version }}
ansible.builtin.dnf:
name:
- postgresql{{ postgresql_version }}-server
- python{{ ansible_python.version.major }}-psycopg2
- python{{ ansible_python.version.major }}-ipaddress
update_cache: true
state: present
@ -46,7 +45,7 @@
- name: Create PGDATA folder
ansible.builtin.file:
path: "{{ postgresql_pgdata }}"
owner: root
owner: postgres
mode: u=rwx,g=rx,o=rx
state: directory
@ -54,8 +53,6 @@
ansible.builtin.command:
cmd: /usr/pgsql-{{ postgresql_version }}/bin/postgresql-{{ postgresql_version }}-setup initdb
creates: "{{ postgresql_pgdata }}/base"
become: true
become_user: postgres
- name: Copy postgresql.conf
ansible.builtin.template:
@ -73,6 +70,9 @@
mode: u=rw,go=
notify: Reload PostgreSQL
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Ensure PostgreSQL is enabled and running
ansible.builtin.service:
name: "{{ postgresql_service }}"
@ -80,8 +80,13 @@
state: started
- name: Set up databases
ansible.builtin.include_tasks: database.yml
ansible.builtin.include_tasks:
file: database.yml
apply:
become: true
become_user: postgres
vars:
db_name: "{{ item.key }}"
db_vars: "{{ item.value }}"
loop: "{{ databases | dict2items }}"
no_log: true
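Review bot: In the PGDATA hunk the owner becomes `postgres`, but the context line `mode: u=rwx,g=rx,o=rx` is left as 0755, and PostgreSQL refuses to start when its data directory is group- or world-accessible beyond 0750. The `creates: "{{ postgresql_pgdata }}/base"` on the initdb task indicates `postgresql_pgdata` is the data directory itself; initdb fixes the permissions on the first run, but every subsequent play run re-applies 0755 and the next service restart would fail. Change the mode to `mode: u=rwx,go=` (or `u=rwx,g=rx,o=` if group access is intended). Separately, in the last hunk `no_log: true` on the `include_tasks` loop also hides the error output of every included task, which is the right trade for `db_vars.password` but makes failures in database.yml opaque; a comment saying so, `# no_log: db_vars carries the role password`, would help the next person debugging it.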


@ -2,8 +2,8 @@
# code: language=ansible-jinja
# TYPE DATABASE USER ADDRESS METHOD
local all all scram-sha-256
local all postgres peer
local all all scram-sha-256
host all all 127.0.0.1/32 scram-sha-256
host all all ::1/128 scram-sha-256
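Review bot: pg_hba.conf is evaluated first-match, so `local all postgres peer` only takes effect when it precedes `local all all scram-sha-256`, which appears to be exactly the reordering this hunk makes; nothing in the template records that, and a future "tidy-up" that re-sorts the lines would silently force a password on the local superuser and break every `become_user: postgres` task in the role. Add a comment above the peer line: `# order matters: first matching line wins; keep the peer rule for 'postgres' ahead of the catch-all`.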


@ -24,12 +24,15 @@
- 192.168.1.0/24
- 192.168.8.0/24
- name: Move Lab LAN network to zone 'public'
- name: Move Secure LAN and Lab LAN networks to zone 'public'
ansible.posix.firewalld:
zone: public
source: 192.168.17.0/24
source: "{{ item }}"
permanent: true
state: enabled
loop:
- 192.168.17.0/24
- 192.168.23.0/24
- name: Move internal network to zone 'internal'
ansible.posix.firewalld:
@ -46,7 +49,7 @@
state: disabled
loop:
- drop
- dmz
# - dmz
- public
- internal
@ -62,26 +65,23 @@
# - name: Allow incoming connections from control machines to SSH port in zone 'public'
# ansible.posix.firewalld:
# zone: public
# source: "{{ hostvars[item].ansible_host }}"
# service: ssh
# permanent: true
# state: enabled
# loop: "{{ groups['control_infra'] }}"
- name: Firewall rules for database servers
when: hostname in groups['dbservers']
notify: Reload firewalld
block:
- name: Allow incoming connections from internal subnet to PostgreSQL port in zone 'internal'
- name: Allow incoming connections to PostgreSQL port in zone 'internal'
ansible.posix.firewalld:
zone: internal
source: "{{ internal_subnet }}"
service: postgresql
permanent: true
state: enabled
- name: Firewall rules for proxy servers
when: hostname in group['proxyservers']
when: hostname in groups['proxyservers']
notify: Reload firewalld
block:
- name: Allow incoming connections to HTTP port in zones 'drop' and 'dmz'
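Review bot: In the first hunk the two networks moved to zone 'public' are hard-coded (`192.168.17.0/24`, `192.168.23.0/24`) while the database rule later in the same file refers to `{{ internal_subnet }}`; a single style for network definitions (variables for both, e.g. `loop: "{{ public_subnets }}"`) would keep firewall policy reviewable in one place rather than scattered through task literals. In the second hunk `# - dmz` leaves a commented-out loop item with no explanation of why the zone is skipped, and since the surrounding task only disables, whatever state dmz previously had simply persists; either drop the line or annotate it, `# dmz: intentionally left enabled, see HTTP rules below`. The `when: hostname in groups['proxyservers']` correction in the last hunk fixes a reference that would have raised an undefined-variable error at runtime.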


@ -35,7 +35,7 @@
- name: Allow passwordless sudo
community.general.sudoers:
name: passwordless
group: sudo
group: wheel
host: ALL
commands: ALL
nopassword: true
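Review bot: With the group switched to `wheel` the rule now targets a group that, on EL hosts, typically already has a password-requiring `%wheel ALL=(ALL) ALL` entry in /etc/sudoers; sudo applies the last matching rule, so this `NOPASSWD` entry from sudoers.d only wins if the distro's `@includedir /etc/sudoers.d` directive comes after that line, which I cannot confirm from here. Worth verifying on a host after the play runs, and documenting the dependency above the task: `# relies on /etc/sudoers including sudoers.d after its own %wheel rule (last match wins)`.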


@ -2,7 +2,7 @@
# code: language=ansible-jinja
127.0.0.1 localhost
127.0.1.1 {{ hostname }} {{ fqdn }}
{{ ansible_host }} {{ fqdn }} {{ hostname }}
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
@ -13,6 +13,6 @@ ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
# Static hostnames for VMs
{% for host in groups['virtualservers'] %}
{% for host in groups['virtualservers']|sort %}
{{ hostvars[host].internal_ipv4 }} {{ hostvars[host].fqdn }}
{% endfor %}
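Review bot: The new `{{ ansible_host }} {{ fqdn }} {{ hostname }}` line and the loop below can both emit an entry for the same `fqdn` when the rendering host is itself in `groups['virtualservers']` and its `internal_ipv4` differs from `ansible_host`; the resolver takes the first matching line, so the host would resolve its own FQDN to the management address rather than the internal one (or vice versa) depending on template order. If the two addresses are meant to be the same, a comment stating that assumption would suffice; otherwise skip the current host in the loop, `{% if host != inventory_hostname %}`. The `| sort` on the loop is a good change for deterministic output; the usual Jinja spacing is `groups['virtualservers'] | sort`.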