Add sapt-labc-pub01

Sam A. 2024-02-04 15:31:18 +01:00
parent 67e65e807e
commit f51540b4a1
Signed by: samsapti
GPG key ID: CBBBE7371E81C4EA
19 changed files with 121 additions and 54 deletions

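--- /dev/null
+++ b/cloud-init/vps.cfg
@@ -0,0 +1,13 @@
+# vim: ft=yaml
+#cloud-config
+ssh_pwauth: false
+users:
+- name: ansible
+gecos: Ansible User
+sudo: ALL=(ALL) NOPASSWD:ALL
+shell: /bin/bash
+lock_passwd: true
+ssh_authorized_keys:
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyAuOqh0vcpLMBa8FFbvrTOgw8N+bcImFzyBspfQDAf ansible"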
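Review bot: `#cloud-config` has to be the very first line of the user-data for cloud-init to recognise it as cloud-config; with the `# vim: ft=yaml` modeline on line 1, cloud-init's format detection sees an unknown text part, logs it as unhandled and ignores the whole file, so the `ansible` user is never created. Swap the two header lines so the file starts with `#cloud-config` and put the modeline second, where cloud-init reads it as an ordinary YAML comment. The rest of the file is consistent for a key-only automation account (password auth off, local password locked, NOPASSWD sudo reachable only through the listed ed25519 key), which is worth recording in a comment such as `# Key-only account: lock_passwd + ssh_pwauth=false make the key below the only way in`.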


@ -0,0 +1,7 @@
# vim: ft=yaml.ansible
# code: language=ansible
---
fqdn: sapt-labc-pub01.cloud.servers.sapti.me
ansible_host: 168.119.158.106
internal_ipv4: 10.2.3.2
instance_type: vps


@ -4,4 +4,4 @@
fqdn: sapt-labp-app01.prod.servers.sapti.me fqdn: sapt-labp-app01.prod.servers.sapti.me
ansible_host: 192.168.23.30 ansible_host: 192.168.23.30
internal_ipv4: 10.2.16.10 internal_ipv4: 10.2.16.10
virt_type: qemu instance_type: qemu


@ -4,4 +4,4 @@
fqdn: sapt-labp-db01.prod.servers.sapti.me fqdn: sapt-labp-db01.prod.servers.sapti.me
ansible_host: 192.168.23.40 ansible_host: 192.168.23.40
internal_ipv4: 10.2.16.20 internal_ipv4: 10.2.16.20
virt_type: qemu instance_type: qemu


@ -4,4 +4,4 @@
fqdn: sapt-labp-mda01.prod.servers.sapti.me fqdn: sapt-labp-mda01.prod.servers.sapti.me
ansible_host: 192.168.23.35 ansible_host: 192.168.23.35
internal_ipv4: 10.2.16.15 internal_ipv4: 10.2.16.15
virt_type: lxc instance_type: lxc


@ -1,7 +0,0 @@
# vim: ft=yaml.ansible
# code: language=ansible
---
fqdn: sapt-labr-mon01.shrd.servers.sapti.me
ansible_host: 192.168.23.20
internal_ipv4: 10.2.18.20
virt_type: qemu


@ -4,4 +4,4 @@
fqdn: sapt-labr-prx01.shrd.servers.sapti.me fqdn: sapt-labr-prx01.shrd.servers.sapti.me
ansible_host: 192.168.23.10 ansible_host: 192.168.23.10
internal_ipv4: 10.2.18.10 internal_ipv4: 10.2.18.10
virt_type: qemu instance_type: qemu


@ -4,4 +4,4 @@
fqdn: sapt-labs-app01.stage.servers.sapti.me fqdn: sapt-labs-app01.stage.servers.sapti.me
ansible_host: 192.168.23.50 ansible_host: 192.168.23.50
internal_ipv4: 10.2.19.10 internal_ipv4: 10.2.19.10
virt_type: qemu instance_type: qemu


@ -4,4 +4,4 @@
fqdn: sapt-labs-db01.stage.servers.sapti.me fqdn: sapt-labs-db01.stage.servers.sapti.me
ansible_host: 192.168.23.60 ansible_host: 192.168.23.60
internal_ipv4: 10.2.19.20 internal_ipv4: 10.2.19.20
virt_type: qemu instance_type: qemu


@ -4,4 +4,4 @@
fqdn: sapt-labs-mda01.stage.servers.sapti.me fqdn: sapt-labs-mda01.stage.servers.sapti.me
ansible_host: 192.168.23.55 ansible_host: 192.168.23.55
internal_ipv4: 10.2.19.15 internal_ipv4: 10.2.19.15
virt_type: lxc instance_type: lxc


@ -1,8 +0,0 @@
[control_infra]
sapt-labx-ctl01
[controlservers:children]
control_infra
[infrastructure:children]
controlservers


@ -2,7 +2,7 @@
# code: language=ansible # code: language=ansible
--- ---
- name: Run playbook - name: Run playbook
hosts: all hosts: infrastructure
become: true become: true
gather_facts: true gather_facts: true
tasks: tasks:
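Review bot: `hosts: infrastructure` on the play now names a group this commit leaves undefined: the inventory file that declared `[infrastructure:children]` (the one holding `[control_infra]`) is deleted, and in the reworked inventory the same group survives only as the commented-out lines `# [infrastructure:children]` / `# controlservers`. Unless another inventory source outside this diff defines it, Ansible will warn "Could not match supplied host pattern, ignoring: infrastructure" and the play runs against no hosts. Either keep an `[infrastructure]` group in the inventory (empty is allowed) or point the play at an existing group; if parking the control host is intentional, a comment on the play saying so would stop the next reader from treating that warning as a regression. The play's `tasks:` list continues past the end of this hunk.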


@ -1,3 +1,32 @@
# [control_infra]
# sapt-labx-ctl01
# [controlservers:children]
# control_infra
# [infrastructure:children]
# controlservers
[pub_cloud]
sapt-labc-pub01
# [mon_cloud]
# sapt-labc-mon01
# [sec_cloud]
# sapt-labc-sec01
[cloud:children]
pub_cloud
# mon_cloud
# sec_cloud
[prx_shrd]
sapt-labr-prx01
[shared:children]
prx_shrd
[app_prod] [app_prod]
sapt-labp-app01 sapt-labp-app01
@ -7,6 +36,11 @@ sapt-labp-db01
# [mda_prod] # [mda_prod]
# sapt-labp-mda01 # sapt-labp-mda01
[production:children]
app_prod
db_prod
# mda_prod
[app_stage] [app_stage]
sapt-labs-app01 sapt-labs-app01
@ -16,25 +50,22 @@ sapt-labs-db01
[mda_stage] [mda_stage]
sapt-labs-mda01 sapt-labs-mda01
[proxy_shrd]
sapt-labr-prx01
# [monitor_shrd]
# sapt-labr-mon01
[production:children]
app_prod
db_prod
# mda_prod
[staging:children] [staging:children]
app_stage app_stage
db_stage db_stage
mda_stage mda_stage
[shared:children] [publicservers:children]
proxy_shrd pub_cloud
# monitor_shrd
# [monitorservers:children]
# mon_cloud
# [securityservers:children]
# sec_cloud
[proxyservers:children]
prx_shrd
[appservers:children] [appservers:children]
app_prod app_prod
@ -48,13 +79,11 @@ mda_stage
db_prod db_prod
db_stage db_stage
[proxyservers:children] [home:children]
proxy_shrd shared
# [monitorservers:children]
# monitor_shrd
[virtualservers:children]
production production
staging staging
shared
[virtualservers:children]
cloud
home


@ -10,6 +10,18 @@
source: 192.168.0.0/16 source: 192.168.0.0/16
permanent: true permanent: true
state: enabled state: enabled
when: instance_type != 'vps'
- name: Move home IP addresses to zone 'dmz'
ansible.posix.firewalld:
zone: dmz
source: "{{ item }}"
permanent: true
state: enabled
loop:
- '46.32.144.131'
- '2a06:4001:f02a::/48'
when: instance_type == 'vps'
- name: Move internal network to zone 'internal' - name: Move internal network to zone 'internal'
ansible.posix.firewalld: ansible.posix.firewalld:
@ -43,8 +55,9 @@
permanent: true permanent: true
state: enabled state: enabled
- name: Firewall rules for proxy servers - name: Firewall rules for proxy & public servers
when: hostname in groups['proxyservers'] when: hostname in groups['proxyservers'] or
hostname in groups['publicservers']
notify: Reload firewalld notify: Reload firewalld
block: block:
- name: Allow incoming connections to HTTP port in zones 'public' and 'dmz' - name: Allow incoming connections to HTTP port in zones 'public' and 'dmz'
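Review bot: The two home addresses in the new "Move home IP addresses to zone 'dmz'" task (`'46.32.144.131'`, `'2a06:4001:f02a::/48'`) are hard-coded inside the role; they are site-specific data, so any change of the home prefix means editing the role instead of a variable. Move them to a list variable in group_vars (for example `home_public_sources`) and loop over `"{{ home_public_sources }}"`, with a comment next to the definition recording what the addresses are. The task also sets `permanent: true` without `immediate: true`, and no `notify` is visible on it in this hunk, so on a freshly provisioned VPS the dmz sources only take effect once the reload handler runs — if the task is not inside a block that notifies `Reload firewalld`, add `immediate: true` or the notify. The enclosing task list continues before and after this hunk.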


@ -87,7 +87,7 @@
- rsyslog - rsyslog
- name: Packages for QEMU instances - name: Packages for QEMU instances
when: virt_type == 'qemu' when: instance_type == 'qemu'
block: block:
- name: Install haveged - name: Install haveged
ansible.builtin.dnf: ansible.builtin.dnf:
@ -100,5 +100,18 @@
enabled: true enabled: true
state: started state: started
- name: Create directory '{{ data_fs }}'
ansible.builtin.file:
path: "{{ data_fs }}"
owner: root
group: root
mode: u=rwx,g=rx,o=rx
seuser: system_u
serole: object_r
setype: unlabeled_t
selevel: s0
state: directory
when: instance_type == 'vps'
- name: Configure firewall - name: Configure firewall
ansible.builtin.import_tasks: firewall.yml ansible.builtin.import_tasks: firewall.yml
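Review bot: The new "Create directory '{{ data_fs }}'" task pins the SELinux context of the directory to `setype: unlabeled_t`, which is the type SELinux assigns to objects that carry no label at all; confined domains, including the container domains used by the docker role the site playbook now includes for public servers, are typically denied access to `unlabeled_t`, so explicitly labelling a data directory with it is unusual. If the directory is only a mount point and the filesystem mounted there brings its own labels, say so in a comment such as `# Mount point only: the data filesystem mounted here carries its own labels`; otherwise a purpose-specific type, or leaving the type to the default file contexts, is the safer choice. The surrounding task list continues before and after this hunk.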


@ -12,7 +12,13 @@ ff02::1 ip6-allnodes
ff02::2 ip6-allrouters ff02::2 ip6-allrouters
ff02::3 ip6-allhosts ff02::3 ip6-allhosts
# Static hostnames for VMs # Static hostnames for servers
{% for host in groups['virtualservers']|sort %} {% if instance_type == 'vps' %}
{% for host in groups['cloud']|sort %}
{{ hostvars[host].internal_ipv4 }} {{ hostvars[host].fqdn }} {{ hostvars[host].internal_ipv4 }} {{ hostvars[host].fqdn }}
{% endfor %} {% endfor %}
{% else %}
{% for host in groups['home']|sort %}
{{ hostvars[host].internal_ipv4 }} {{ hostvars[host].fqdn }}
{% endfor %}
{% endif %}
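Review bot: The new `if`/`else` carries two loops whose bodies are identical apart from the group they iterate, so any later change to the line format has to be made twice. Select the group once and keep a single loop: `{% set peers = groups['cloud'] if instance_type == 'vps' else groups['home'] %}` followed by `{% for host in peers|sort %}`. A comment above the block such as `{# VPS hosts only see the cloud network, home hosts only the home network #}` would also record why the two views differ, if that is the intent.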


@ -3,8 +3,8 @@
Welcome to {{ hostname }} Welcome to {{ hostname }}
============================================================== ==============================================================
- FQDN.............: {{ fqdn }} - FQDN.............: {{ fqdn }}
- LAN IPv4.........: {{ ansible_host }} - Public IPv4......: {{ ansible_host }}
- Internal IPv4....: {{ internal_ipv4 }} - Internal IPv4....: {{ internal_ipv4 }}
- Virtualization...: {{ virt_type | upper }} - Instance type....: {{ instance_type | upper }}
============================================================== ==============================================================
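Review bot: The relabelled line `- Public IPv4......: {{ ansible_host }}` is rendered for every host, but for the home instances `ansible_host` is a LAN address (192.168.23.x in the host_vars touched by this commit), so the MOTD on those machines now presents a private address as public. Branch the label on `instance_type`, which this commit introduces for exactly this distinction, keeping the 17-character label width so the columns stay aligned.
```jinja
- FQDN.............: {{ fqdn }}
{% if instance_type == 'vps' %}
- Public IPv4......: {{ ansible_host }}
{% else %}
- LAN IPv4.........: {{ ansible_host }}
{% endif %}
- Internal IPv4....: {{ internal_ipv4 }}
```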


@ -2,7 +2,7 @@
# code: language=ansible # code: language=ansible
--- ---
- name: Run playbook - name: Run playbook
hosts: all hosts: virtualservers
become: true become: true
gather_facts: true gather_facts: true
tasks: tasks:
@ -15,7 +15,8 @@
ansible.builtin.include_role: ansible.builtin.include_role:
name: docker name: docker
when: hostname in groups['appservers'] or when: hostname in groups['appservers'] or
hostname in groups['proxyservers'] hostname in groups['proxyservers'] or
hostname in groups['publicservers']
- name: Include role 'apps' - name: Include role 'apps'
ansible.builtin.include_role: ansible.builtin.include_role: