diff --git a/cloud.cfg b/cloud-init/proxmox.cfg similarity index 100% rename from cloud.cfg rename to cloud-init/proxmox.cfg diff --git a/cloud-init/vps.cfg b/cloud-init/vps.cfg new file mode 100644 index 0000000..28ae128 --- /dev/null +++ b/cloud-init/vps.cfg @@ -0,0 +1,13 @@ +# vim: ft=yaml + +#cloud-config +ssh_pwauth: false + +users: + - name: ansible + gecos: Ansible User + sudo: ALL=(ALL) NOPASSWD:ALL + shell: /bin/bash + lock_passwd: true + ssh_authorized_keys: + - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyAuOqh0vcpLMBa8FFbvrTOgw8N+bcImFzyBspfQDAf ansible" diff --git a/host_vars/sapt-labc-pub01.yml b/host_vars/sapt-labc-pub01.yml new file mode 100644 index 0000000..2bb5ee7 --- /dev/null +++ b/host_vars/sapt-labc-pub01.yml @@ -0,0 +1,7 @@ +# vim: ft=yaml.ansible +# code: language=ansible +--- +fqdn: sapt-labc-pub01.cloud.servers.sapti.me +ansible_host: 168.119.158.106 +internal_ipv4: 10.2.3.2 +instance_type: vps diff --git a/host_vars/sapt-labp-app01.yml b/host_vars/sapt-labp-app01.yml index 71f6321..4343b09 100644 --- a/host_vars/sapt-labp-app01.yml +++ b/host_vars/sapt-labp-app01.yml @@ -4,4 +4,4 @@ fqdn: sapt-labp-app01.prod.servers.sapti.me ansible_host: 192.168.23.30 internal_ipv4: 10.2.16.10 -virt_type: qemu +instance_type: qemu diff --git a/host_vars/sapt-labp-db01.yml b/host_vars/sapt-labp-db01.yml index 1cd6ed0..9a64647 100644 --- a/host_vars/sapt-labp-db01.yml +++ b/host_vars/sapt-labp-db01.yml @@ -4,4 +4,4 @@ fqdn: sapt-labp-db01.prod.servers.sapti.me ansible_host: 192.168.23.40 internal_ipv4: 10.2.16.20 -virt_type: qemu +instance_type: qemu diff --git a/host_vars/sapt-labp-mda01.yml b/host_vars/sapt-labp-mda01.yml index c36bb41..2d1d557 100644 --- a/host_vars/sapt-labp-mda01.yml +++ b/host_vars/sapt-labp-mda01.yml @@ -4,4 +4,4 @@ fqdn: sapt-labp-mda01.prod.servers.sapti.me ansible_host: 192.168.23.35 internal_ipv4: 10.2.16.15 -virt_type: lxc +instance_type: lxc 
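Review bot: `#cloud-config` is not the first line of the new `cloud-init/vps.cfg`, because the `# vim: ft=yaml` modeline and a blank line precede it; cloud-init identifies user-data by its first line, so this file is likely to be treated as an unrecognized format and silently ignored, leaving no `ansible` user and password authentication at the image default instead of `ssh_pwauth: false`. Move `#cloud-config` to line 1 and put the modeline below it, since a comment after the header is harmless. The rest of the stanza (`lock_passwd: true`, key-only login, `NOPASSWD` sudo limited to the single automation account) reads as intended.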
diff --git a/host_vars/sapt-labr-mon01.yml b/host_vars/sapt-labr-mon01.yml deleted file mode 100644 index 9992bef..0000000 --- a/host_vars/sapt-labr-mon01.yml +++ /dev/null @@ -1,7 +0,0 @@ -# vim: ft=yaml.ansible -# code: language=ansible ---- -fqdn: sapt-labr-mon01.shrd.servers.sapti.me -ansible_host: 192.168.23.20 -internal_ipv4: 10.2.18.20 -virt_type: qemu diff --git a/host_vars/sapt-labr-prx01.yml b/host_vars/sapt-labr-prx01.yml index 97576ed..3d0d83d 100644 --- a/host_vars/sapt-labr-prx01.yml +++ b/host_vars/sapt-labr-prx01.yml @@ -4,4 +4,4 @@ fqdn: sapt-labr-prx01.shrd.servers.sapti.me ansible_host: 192.168.23.10 internal_ipv4: 10.2.18.10 -virt_type: qemu +instance_type: qemu diff --git a/host_vars/sapt-labs-app01.yml b/host_vars/sapt-labs-app01.yml index 26ff6d3..885f1a9 100644 --- a/host_vars/sapt-labs-app01.yml +++ b/host_vars/sapt-labs-app01.yml @@ -4,4 +4,4 @@ fqdn: sapt-labs-app01.stage.servers.sapti.me ansible_host: 192.168.23.50 internal_ipv4: 10.2.19.10 -virt_type: qemu +instance_type: qemu diff --git a/host_vars/sapt-labs-db01.yml b/host_vars/sapt-labs-db01.yml index aac67ae..b0e3571 100644 --- a/host_vars/sapt-labs-db01.yml +++ b/host_vars/sapt-labs-db01.yml @@ -4,4 +4,4 @@ fqdn: sapt-labs-db01.stage.servers.sapti.me ansible_host: 192.168.23.60 internal_ipv4: 10.2.19.20 -virt_type: qemu +instance_type: qemu diff --git a/host_vars/sapt-labs-mda01.yml b/host_vars/sapt-labs-mda01.yml index 3bf41d6..7a4b050 100644 --- a/host_vars/sapt-labs-mda01.yml +++ b/host_vars/sapt-labs-mda01.yml @@ -4,4 +4,4 @@ fqdn: sapt-labs-mda01.stage.servers.sapti.me ansible_host: 192.168.23.55 internal_ipv4: 10.2.19.15 -virt_type: lxc +instance_type: lxc diff --git a/infra.ini b/infra.ini deleted file mode 100644 index 4bbc01b..0000000 --- a/infra.ini +++ /dev/null @@ -1,8 +0,0 @@ -[control_infra] -sapt-labx-ctl01 - -[controlservers:children] -control_infra - -[infrastructure:children] -controlservers diff --git a/infra.yml b/infra.yml index f2ee307..f4f26be 100644 
--- a/infra.yml +++ b/infra.yml @@ -2,7 +2,7 @@ # code: language=ansible --- - name: Run playbook - hosts: all + hosts: infrastructure become: true gather_facts: true tasks: diff --git a/inventory.ini b/inventory.ini index e2769ac..b10cfaa 100644 --- a/inventory.ini +++ b/inventory.ini @@ -1,3 +1,32 @@ +# [control_infra] +# sapt-labx-ctl01 + +# [controlservers:children] +# control_infra + +# [infrastructure:children] +# controlservers + +[pub_cloud] +sapt-labc-pub01 + +# [mon_cloud] +# sapt-labc-mon01 + +# [sec_cloud] +# sapt-labc-sec01 + +[cloud:children] +pub_cloud +# mon_cloud +# sec_cloud + +[prx_shrd] +sapt-labr-prx01 + +[shared:children] +prx_shrd + [app_prod] sapt-labp-app01 @@ -7,6 +36,11 @@ sapt-labp-db01 # [mda_prod] # sapt-labp-mda01 +[production:children] +app_prod +db_prod +# mda_prod + [app_stage] sapt-labs-app01 @@ -16,25 +50,22 @@ sapt-labs-db01 [mda_stage] sapt-labs-mda01 -[proxy_shrd] -sapt-labr-prx01 - -# [monitor_shrd] -# sapt-labr-mon01 - -[production:children] -app_prod -db_prod -# mda_prod - [staging:children] app_stage db_stage mda_stage -[shared:children] -proxy_shrd -# monitor_shrd +[publicservers:children] +pub_cloud + +# [monitorservers:children] +# mon_cloud + +# [securityservers:children] +# sec_cloud + +[proxyservers:children] +prx_shrd [appservers:children] app_prod @@ -48,13 +79,11 @@ mda_stage db_prod db_stage -[proxyservers:children] -proxy_shrd - -# [monitorservers:children] -# monitor_shrd - -[virtualservers:children] +[home:children] +shared production staging -shared + +[virtualservers:children] +cloud +home diff --git a/roles/virt-common/tasks/firewall.yml b/roles/virt-common/tasks/firewall.yml index 03dc312..93a955a 100644 --- a/roles/virt-common/tasks/firewall.yml +++ b/roles/virt-common/tasks/firewall.yml 
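Review bot: `hosts: infrastructure` now names a group that no active inventory in this change defines: `infra.ini`, which declared `[infrastructure:children]`, is deleted, and the same group only survives as a commented-out stanza in the first `inventory.ini` hunk. Unless an inventory outside this diff defines it, Ansible will warn that the host pattern matched nothing and the play runs against zero hosts, which is easy to miss in automation output. Either restore the `[control_infra]` / `[infrastructure:children]` stanzas in `inventory.ini` or retire `infra.yml` together with `infra.ini`. The play's task list continues outside the hunk.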
@@ -10,6 +10,18 @@ source: 192.168.0.0/16 permanent: true state: enabled + when: instance_type != 'vps' + + - name: Move home IP addresses to zone 'dmz' + ansible.posix.firewalld: + zone: dmz + source: "{{ item }}" + permanent: true + state: enabled + loop: + - '46.32.144.131' + - '2a06:4001:f02a::/48' + when: instance_type == 'vps' - name: Move internal network to zone 'internal' ansible.posix.firewalld: @@ -43,8 +55,9 @@ permanent: true state: enabled -- name: Firewall rules for proxy servers - when: hostname in groups['proxyservers'] +- name: Firewall rules for proxy & public servers + when: hostname in groups['proxyservers'] or + hostname in groups['publicservers'] notify: Reload firewalld block: - name: Allow incoming connections to HTTP port in zones 'public' and 'dmz' diff --git a/roles/virt-common/tasks/main.yml b/roles/virt-common/tasks/main.yml index 75a0d24..b80c99d 100644 --- a/roles/virt-common/tasks/main.yml +++ b/roles/virt-common/tasks/main.yml @@ -87,7 +87,7 @@ - rsyslog - name: Packages for QEMU instances - when: virt_type == 'qemu' + when: instance_type == 'qemu' block: - name: Install haveged ansible.builtin.dnf: @@ -100,5 +100,18 @@ enabled: true state: started +- name: Create directory '{{ data_fs }}' + ansible.builtin.file: + path: "{{ data_fs }}" + owner: root + group: root + mode: u=rwx,g=rx,o=rx + seuser: system_u + serole: object_r + setype: unlabeled_t + selevel: s0 + state: directory + when: instance_type == 'vps' + - name: Configure firewall ansible.builtin.import_tasks: firewall.yml diff --git a/roles/virt-common/templates/hosts.j2 b/roles/virt-common/templates/hosts.j2 index 10141ae..4e6d575 100644 --- a/roles/virt-common/templates/hosts.j2 +++ b/roles/virt-common/templates/hosts.j2 
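Review bot: The new "Move home IP addresses to zone 'dmz'" task hard-codes two site-specific addresses inside a shared role, which makes them awkward to rotate; a list in group_vars (for example a `home_public_sources` variable, looped over here) would keep the role generic, in the same way the host-specific data already lives in host_vars. Whether the dmz zone actually narrows SSH exposure on the VPS also depends on the default zone, which this diff does not show: firewalld's stock `public` zone permits the ssh service, so the allow-list is only effective if ssh is removed from the default zone elsewhere in the play, and a comment on the task stating that intent either way would help the next reader. Both tasks use `permanent: true` without `immediate: true`, so they rely on a reload handler; the enclosing block starts outside the hunk, so whether it notifies one is not visible here.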
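Review bot: The new directory task in `main.yml` labels `{{ data_fs }}` with `setype: unlabeled_t`, which is the type SELinux assigns to objects that carry no label; explicitly requesting it is unusual, because confined domains generally cannot read or write `unlabeled_t` paths, so anything later served from this directory by a confined process will run into AVC denials. If the directory is only the mount point for a data filesystem whose own labels take over once mounted, that deserves a why-comment such as `# mount point only; the mounted filesystem supplies the real context`, and if not, a type matching the consumer of the data is the safer choice. Where `data_fs` is defined is not visible in this diff.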
@@ -12,7 +12,13 @@ ff02::1 ip6-allnodes ff02::2 ip6-allrouters ff02::3 ip6-allhosts -# Static hostnames for VMs -{% for host in groups['virtualservers']|sort %} +# Static hostnames for servers +{% if instance_type == 'vps' %} +{% for host in groups['cloud']|sort %} {{ hostvars[host].internal_ipv4 }} {{ hostvars[host].fqdn }} {% endfor %} +{% else %} +{% for host in groups['home']|sort %} +{{ hostvars[host].internal_ipv4 }} {{ hostvars[host].fqdn }} +{% endfor %} +{% endif %} diff --git a/roles/virt-common/templates/motd.j2 b/roles/virt-common/templates/motd.j2 index a249b08..d5b0549 100644 --- a/roles/virt-common/templates/motd.j2 +++ b/roles/virt-common/templates/motd.j2 @@ -3,8 +3,8 @@ Welcome to {{ hostname }} ============================================================== - FQDN.............: {{ fqdn }} - - LAN IPv4.........: {{ ansible_host }} + - Public IPv4......: {{ ansible_host }} - Internal IPv4....: {{ internal_ipv4 }} - - Virtualization...: {{ virt_type | upper }} + - Instance type....: {{ instance_type | upper }} ============================================================== diff --git a/site.yml b/site.yml index 61b52ca..006248e 100644 --- a/site.yml +++ b/site.yml @@ -2,7 +2,7 @@ # code: language=ansible --- - name: Run playbook - hosts: all + hosts: virtualservers become: true gather_facts: true tasks: @@ -15,7 +15,8 @@ ansible.builtin.include_role: name: docker when: hostname in groups['appservers'] or - hostname in groups['proxyservers'] + hostname in groups['proxyservers'] or + hostname in groups['publicservers'] - name: Include role 'apps' ansible.builtin.include_role:
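Review bot: The two branches of the new `{% if instance_type == 'vps' %}` block in `hosts.j2` differ only in the group they iterate, so the loop body is duplicated and the branches can drift apart. Selecting the group once, e.g. `{% set peers = groups['cloud'] if instance_type == 'vps' else groups['home'] %}` followed by a single `{% for host in peers|sort %}` loop, is equivalent and shorter. Both branches still assume every host in the chosen group defines `internal_ipv4` and `fqdn`, as the previous version did.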
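Review bot: The relabelled `Public IPv4` row in `motd.j2` is wrong for every host that is not a VPS: on the home instances `ansible_host` is a 192.168.23.x LAN address, as the host_vars hunks show, and the same template renders for all of `virtualservers`. Make the label depend on the instance type, e.g. `- {{ 'Public IPv4......' if instance_type == 'vps' else 'LAN IPv4.........' }}: {{ ansible_host }}`, which keeps the column alignment of the neighbouring rows.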