From f654f8c86d37cc68b62d496e1f5091521529cbab Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Sat, 25 Nov 2023 18:40:00 +0100
Subject: [PATCH] Add media server LXC instances
---
group_vars/all/vars.yml | 9 ++
group_vars/control_infra/vars.yml | 11 ---
group_vars/virtualservers/vars.yml | 16 ---
host_vars/sapt-labp-app01.yml | 1 +
host_vars/sapt-labp-db01.yml | 1 +
host_vars/sapt-labp-mda01.yml | 7 ++
host_vars/sapt-labr-mon01.yml | 1 +
host_vars/sapt-labr-prx01.yml | 1 +
host_vars/sapt-labr-prx02.yml | 1 +
host_vars/sapt-labs-app01.yml | 1 +
host_vars/sapt-labs-db01.yml | 1 +
host_vars/sapt-labs-mda01.yml | 7 ++
inventory.ini | 10 ++
roles/proxy/defaults/main.yml | 2 +
.../files/sshd_config | 0
.../handlers/main.yml | 15 ++-
.../tasks/firewall.yml | 0
roles/virt-common/tasks/main.yml | 98 +++++++++++++++++++
.../templates/hosts.j2 | 0
roles/vm-common/tasks/main.yml | 44 ---------
roles/vm-init/handlers/main.yml | 7 --
roles/vm-init/tasks/main.yml | 44 ---------
site.yml | 21 ++--
23 files changed, 161 insertions(+), 137 deletions(-)
delete mode 100644 group_vars/control_infra/vars.yml
create mode 100644 host_vars/sapt-labp-mda01.yml
create mode 100644 host_vars/sapt-labs-mda01.yml
rename roles/{vm-init => virt-common}/files/sshd_config (100%)
rename roles/{vm-common => virt-common}/handlers/main.yml (74%)
rename roles/{vm-common => virt-common}/tasks/firewall.yml (100%)
create mode 100644 roles/virt-common/tasks/main.yml
rename roles/{vm-common => virt-common}/templates/hosts.j2 (100%)
delete mode 100644 roles/vm-common/tasks/main.yml
delete mode 100644 roles/vm-init/handlers/main.yml
delete mode 100644 roles/vm-init/tasks/main.yml
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 79c2151..e418ec6 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -3,3 +3,12 @@
 ---
 hostname: "{{ inventory_hostname }}"
 timezone: Europe/Copenhagen
+
+users:
+ - name: lab_admin
+ comment: System administrator
+ groups:
+ - sudo
+ ssh_keys:
+ - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFWZGLov8wPBNxuvnaPK+8vv6wK5hHUVEFzXKsN9QeuBAAAADHNzaDpzYW1zYXB0aQ== ssh:samsapti
+ - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf cardno:14 336 332
diff --git a/group_vars/control_infra/vars.yml b/group_vars/control_infra/vars.yml
deleted file mode 100644
index 708738b..0000000
--- a/group_vars/control_infra/vars.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-# vim: ft=yaml.ansible
-# code: language=ansible
----
-users:
- - name: lab_admin
- comment: System administrator
- groups:
- - sudo
- ssh_keys:
- - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFWZGLov8wPBNxuvnaPK+8vv6wK5hHUVEFzXKsN9QeuBAAAADHNzaDpzYW1zYXB0aQ== ssh:samsapti
- - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf cardno:14 336 332
diff --git a/group_vars/virtualservers/vars.yml b/group_vars/virtualservers/vars.yml
index 44bcff0..84c0570 100644
--- a/group_vars/virtualservers/vars.yml
+++ b/group_vars/virtualservers/vars.yml
@@ -2,19 +2,3 @@
 # code: language=ansible
 ---
 data_fs: /data
-
-users:
- - name: lab_admin
- comment: System administrator
- groups:
- - sudo
- ssh_keys:
- - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFWZGLov8wPBNxuvnaPK+8vv6wK5hHUVEFzXKsN9QeuBAAAADHNzaDpzYW1zYXB0aQ== ssh:samsapti
- - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf cardno:14 336 332
-
- - name: ansible
- comment: Ansible user
- groups:
- - sudo
- ssh_keys:
- - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyAuOqh0vcpLMBa8FFbvrTOgw8N+bcImFzyBspfQDAf ansible
diff --git a/host_vars/sapt-labp-app01.yml b/host_vars/sapt-labp-app01.yml
index 9a7101f..cbf4b19 100644
--- a/host_vars/sapt-labp-app01.yml
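Review bot: The `users` list now in group_vars/all no longer carries the `ansible` account and its key that the deleted group_vars/virtualservers list had, while the plays in site.yml connect as `remote_user: ansible`; the virt-common `authorized_key` task with `exclusive: true` only manages accounts in this list, so the ansible user's authorized_keys is no longer enforced by the playbook and, on a freshly provisioned host such as the two mda01 instances, nothing in this change creates that account. If the account is provisioned out of band (VM or LXC template), a comment on `users:` such as `# The 'ansible' automation account is provisioned by the image/template, not by this list` would make that contract explicit; otherwise the entry should be restored here. Moving the keys to `all` also applies them to every inventory host, including the control-infra group whose own vars file this commit deletes, which appears intended but is worth a line in the commit message.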
+++ b/host_vars/sapt-labp-app01.yml
@@ -4,3 +4,4 @@
 fqdn: sapt-labp-app01.prod.servers.sapti.me
 ansible_host: 192.168.17.30
 internal_ipv4: 10.2.16.10
+virt_type: kvm
diff --git a/host_vars/sapt-labp-db01.yml b/host_vars/sapt-labp-db01.yml
index 347911c..a024564 100644
--- a/host_vars/sapt-labp-db01.yml
+++ b/host_vars/sapt-labp-db01.yml
@@ -4,3 +4,4 @@
 fqdn: sapt-labp-db01.prod.servers.sapti.me
 ansible_host: 192.168.17.40
 internal_ipv4: 10.2.16.20
+virt_type: kvm
diff --git a/host_vars/sapt-labp-mda01.yml b/host_vars/sapt-labp-mda01.yml
new file mode 100644
index 0000000..8e31153
--- /dev/null
+++ b/host_vars/sapt-labp-mda01.yml
@@ -0,0 +1,7 @@
+# vim: ft=yaml.ansible
+# code: language=ansible
+---
+fqdn: sapt-labp-mda01.prod.servers.sapti.me
+ansible_host: 192.168.17.35
+internal_ipv4: 10.2.16.15
+virt_type: lxc
diff --git a/host_vars/sapt-labr-mon01.yml b/host_vars/sapt-labr-mon01.yml
index bbc0de1..5f018df 100644
--- a/host_vars/sapt-labr-mon01.yml
+++ b/host_vars/sapt-labr-mon01.yml
@@ -4,3 +4,4 @@
 fqdn: sapt-labr-mon01.shrd.servers.sapti.me
 ansible_host: 192.168.17.20
 internal_ipv4: 10.2.18.20
+virt_type: kvm
diff --git a/host_vars/sapt-labr-prx01.yml b/host_vars/sapt-labr-prx01.yml
index f9d69c3..fb750e0 100644
--- a/host_vars/sapt-labr-prx01.yml
+++ b/host_vars/sapt-labr-prx01.yml
@@ -4,5 +4,6 @@
 fqdn: sapt-labr-prx01.shrd.servers.sapti.me
 ansible_host: 192.168.17.10
 internal_ipv4: 10.2.18.10
+virt_type: kvm
 proxy_mode: global
diff --git a/host_vars/sapt-labr-prx02.yml b/host_vars/sapt-labr-prx02.yml
index 01a01de..c29e6f6 100644
--- a/host_vars/sapt-labr-prx02.yml
+++ b/host_vars/sapt-labr-prx02.yml
@@ -4,5 +4,6 @@
 fqdn: sapt-labr-prx02.shrd.servers.sapti.me
 ansible_host: 192.168.17.11
 internal_ipv4: 10.2.18.11
+virt_type: kvm
 proxy_mode: local
diff --git a/host_vars/sapt-labs-app01.yml b/host_vars/sapt-labs-app01.yml
index eae66b7..760bda1 100644
--- a/host_vars/sapt-labs-app01.yml
+++ b/host_vars/sapt-labs-app01.yml
@@ -4,3 +4,4 @@
 fqdn: sapt-labs-app01.stage.servers.sapti.me
 ansible_host: 192.168.17.50
 internal_ipv4: 10.2.19.10
+virt_type: kvm
diff --git a/host_vars/sapt-labs-db01.yml b/host_vars/sapt-labs-db01.yml
index 37c9f58..cdeb55c 100644
--- a/host_vars/sapt-labs-db01.yml
+++ b/host_vars/sapt-labs-db01.yml
@@ -4,3 +4,4 @@
 fqdn: sapt-labs-db01.stage.servers.sapti.me
 ansible_host: 192.168.17.60
 internal_ipv4: 10.2.19.20
+virt_type: kvm
diff --git a/host_vars/sapt-labs-mda01.yml b/host_vars/sapt-labs-mda01.yml
new file mode 100644
index 0000000..22a3fe3
--- /dev/null
+++ b/host_vars/sapt-labs-mda01.yml
@@ -0,0 +1,7 @@
+# vim: ft=yaml.ansible
+# code: language=ansible
+---
+fqdn: sapt-labs-mda01.stage.servers.sapti.me
+ansible_host: 192.168.17.55
+internal_ipv4: 10.2.19.15
+virt_type: lxc
diff --git a/inventory.ini b/inventory.ini
index d5059a5..760bf73 100644
--- a/inventory.ini
+++ b/inventory.ini
@@ -1,12 +1,18 @@
 [app_prod]
 sapt-labp-app01
+[mda_prod]
+sapt-labp-mda01
+
 [db_prod]
 sapt-labp-db01
 [app_stage]
 sapt-labs-app01
+[mda_stage]
+sapt-labs-mda01
+
 [db_stage]
 sapt-labs-db01
@@ -39,6 +45,10 @@ monitoring_shrd
 app_prod
 app_stage
+[mediaservers:children]
+mda_prod
+mda_stage
+
 [dbservers:children]
 db_prod
 db_stage
diff --git a/roles/proxy/defaults/main.yml b/roles/proxy/defaults/main.yml
index c893080..d11fd19 100644
--- a/roles/proxy/defaults/main.yml
+++ b/roles/proxy/defaults/main.yml
@@ -7,7 +7,9 @@ proxy_caddy_version: '2.7.4'
 proxy_vars:
 production:
 app01: "{{ hostvars['sapt-labp-app01'] }}"
+ mda01: "{{ hostvars['sapt-labp-mda01'] }}"
 staging:
 app01: "{{ hostvars['sapt-labs-app01'] }}"
+ mda01: "{{ hostvars['sapt-labs-mda01'] }}"
 shared:
 mon01: "{{ hostvars['sapt-labr-mon01'] }}"
diff --git a/roles/vm-init/files/sshd_config b/roles/virt-common/files/sshd_config
similarity index 100%
rename from roles/vm-init/files/sshd_config
rename to roles/virt-common/files/sshd_config
diff --git a/roles/vm-common/handlers/main.yml b/roles/virt-common/handlers/main.yml
similarity index 74%
rename from roles/vm-common/handlers/main.yml
rename to roles/virt-common/handlers/main.yml
index 94faa92..dfc81df 100644
--- a/roles/vm-common/handlers/main.yml
+++ b/roles/virt-common/handlers/main.yml
@@ -1,12 +1,17 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-- name: Restart systemd-resolved
- ansible.builtin.service:
- name: systemd-resolved
- state: restarted
-
 - name: Reload firewalld
 ansible.builtin.service:
 name: firewalld
 state: reloaded
+
+- name: Restart sshd
+ ansible.builtin.service:
+ name: sshd
+ state: restarted
+
+- name: Restart systemd-resolved
+ ansible.builtin.service:
+ name: systemd-resolved
+ state: restarted
diff --git a/roles/vm-common/tasks/firewall.yml b/roles/virt-common/tasks/firewall.yml
similarity index 100%
rename from roles/vm-common/tasks/firewall.yml
rename to roles/virt-common/tasks/firewall.yml
diff --git a/roles/virt-common/tasks/main.yml b/roles/virt-common/tasks/main.yml
new file mode 100644
index 0000000..57ac991
--- /dev/null
+++ b/roles/virt-common/tasks/main.yml
@@ -0,0 +1,98 @@
+# vim: ft=yaml.ansible
+# code: language=ansible
+---
+- name: Set hostname
+ ansible.builtin.hostname:
+ name: "{{ hostname }}"
+
+- name: Set timezone
+ community.general.timezone:
+ name: "{{ timezone }}"
+
+- name: Copy hosts file
+ ansible.builtin.template:
+ src: hosts.j2
+ dest: /etc/hosts
+ owner: root
+ mode: u=rw,g=r,o=r
+
+- name: Add users
+ ansible.builtin.user:
+ name: "{{ item.name }}"
+ comment: "{{ item.comment }}"
+ groups: "{{ item.groups }}"
+ shell: /bin/bash
+ state: present
+ loop: "{{ users }}"
+
+- name: Add SSH keys to users
+ ansible.posix.authorized_key:
+ user: "{{ item.name }}"
+ key: "{{ item.ssh_keys | join('\n') }}"
+ exclusive: true
+ loop: "{{ users }}"
+
+- name: Allow passwordless sudo
+ community.general.sudoers:
+ name: passwordless
+ group: sudo
+ host: ALL
+ commands: ALL
+ nopassword: true
+ state: present
+
+- name: Copy sshd_config
+ ansible.builtin.copy:
+ src: sshd_config
+ dest: /etc/ssh/sshd_config
+ owner: root
+ mode: u=rw,g=r,o=r
+ validate: /usr/sbin/sshd -t -f %s
+ notify: Restart sshd
+
+- name: Enable extra repositories
+ ansible.builtin.dnf:
+ name:
+ - epel-release
+ - rocky-release-security
+ state: present
+
+- name: Install system packages
+ ansible.builtin.dnf:
+ name:
+ - firewalld
+ - haveged
+ - htop
+ - jq
+ - logrotate
+ - mtr
+ - rsyslog
+ update_cache: true
+ state: present
+
+- name: Ensure services are enabled and running
+ ansible.builtin.service:
+ name: "{{ item }}"
+ enabled: true
+ state: started
+ loop:
+ - firewalld
+ - haveged
+ - rsyslog
+
+- name: LKRG installation
+ when: virt_type == 'kvm'
+ block:
+ - name: Install LKRG package
+ ansible.builtin.dnf:
+ name: lkrg
+ state: present
+
+ - name: Ensure LKRG is enabled and running
+ ansible.builtin.service:
+ name: lkrg
+ enabled: true
+ state: started
+
+- name: Configure firewall
+ ansible.builtin.import_tasks: firewall.yml
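Review bot: `when: virt_type == 'kvm'` on the LKRG block fails with an undefined-variable error on any host that lacks `virt_type`, and nothing in the role defaults it; the commit sets the variable only in the nine host_vars files, so a host added later without it aborts the whole Base configuration play instead of merely skipping LKRG. Either add a role default or make the conditional self-contained: `when: virt_type | default('kvm') == 'kvm'` — defaulting to kvm keeps the kernel guard installed unless a host is deliberately marked `lxc`. The `Allow passwordless sudo` task, carried over from vm-init, grants the entire `sudo` group NOPASSWD for `ALL` commands, which now reaches `lab_admin` on every host because `users` moved to group_vars/all; a one-line comment above the task stating that this is the intended lab policy would help a later reader distinguish it from an oversight. Since the ssh-key task uses `exclusive: true`, any key present for a listed account but absent from `ssh_keys` is removed on the first run — worth noting in the task name or a comment so the lockout risk is visible.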
diff --git a/roles/vm-common/templates/hosts.j2 b/roles/virt-common/templates/hosts.j2
similarity index 100%
rename from roles/vm-common/templates/hosts.j2
rename to roles/virt-common/templates/hosts.j2
diff --git a/roles/vm-common/tasks/main.yml b/roles/vm-common/tasks/main.yml
deleted file mode 100644
index 99bd3cd..0000000
--- a/roles/vm-common/tasks/main.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-# vim: ft=yaml.ansible
-# code: language=ansible
----
-- name: Copy hosts file
- ansible.builtin.template:
- src: hosts.j2
- dest: /etc/hosts
- owner: root
- mode: u=rw,g=r,o=r
-
-- name: Enable extra repositories
- ansible.builtin.dnf:
- name:
- - epel-release
- - rocky-release-security
- state: present
-
-- name: Install system packages
- ansible.builtin.dnf:
- name:
- - firewalld
- - haveged
- - htop
- - jq
- - lkrg
- - logrotate
- - mtr
- - rsyslog
- update_cache: true
- state: present
-
-- name: Ensure services are enabled and running
- ansible.builtin.service:
- name: "{{ item }}"
- enabled: true
- state: started
- loop:
- - firewalld
- - haveged
- - lkrg
- - rsyslog
-
-- name: Configure firewall
- ansible.builtin.import_tasks: firewall.yml
diff --git a/roles/vm-init/handlers/main.yml b/roles/vm-init/handlers/main.yml
deleted file mode 100644
index b4b66a9..0000000
--- a/roles/vm-init/handlers/main.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-# vim: ft=yaml.ansible
-# code: language=ansible
----
-- name: Restart sshd
- ansible.builtin.service:
- name: sshd
- state: restarted
diff --git a/roles/vm-init/tasks/main.yml b/roles/vm-init/tasks/main.yml
deleted file mode 100644
index 1683d4d..0000000
--- a/roles/vm-init/tasks/main.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-# vim: ft=yaml.ansible
-# code: language=ansible
----
-- name: Set hostname
- ansible.builtin.hostname:
- name: "{{ hostname }}"
-
-- name: Set timezone
- community.general.timezone:
- name: "{{ timezone }}"
-
-- name: Add users
- ansible.builtin.user:
- name: "{{ item.name }}"
- comment: "{{ item.comment }}"
- groups: "{{ item.groups }}"
- shell: /bin/bash
- state: present
- loop: "{{ users }}"
-
-- name: Add SSH keys to users
- ansible.posix.authorized_key:
- user: "{{ item.name }}"
- key: "{{ item.ssh_keys | join('\n') }}"
- exclusive: true
- loop: "{{ users }}"
-
-- name: Allow passwordless sudo
- community.general.sudoers:
- name: passwordless
- group: sudo
- host: ALL
- commands: ALL
- nopassword: true
- state: present
-
-- name: Copy sshd_config
- ansible.builtin.copy:
- src: sshd_config
- dest: /etc/ssh/sshd_config
- owner: root
- mode: u=rw,g=r,o=r
- validate: /usr/sbin/sshd -t -f %s
- notify: Restart sshd
diff --git a/site.yml b/site.yml
index 56d42c7..1594a00 100644
--- a/site.yml
+++ b/site.yml
@@ -13,18 +13,12 @@
 # roles:
 # - ctl-common
-- name: VM initialization
- hosts: virtualservers
- remote_user: root
- roles:
- - vm-init
-
-- name: Base VM configuration
+- name: Base configuration
 hosts: virtualservers
 remote_user: ansible
 become: true
 roles:
- - vm-common
+ - virt-common
 - name: Docker hosts
 hosts: appservers:proxyservers:monitorservers
@@ -32,14 +26,21 @@
 roles:
 - docker
-- name: App servers
+- name: Application servers
 hosts: appservers
 remote_user: ansible
 become: true
 roles:
 - apps
-- name: DB servers
+# - name: Media servers
+# hosts: mediaservers
+# remote_user: ansible
+# become: true
+# roles:
+# - jellyfin
+
+- name: Database servers
 hosts: dbservers
 remote_user: ansible
 become: true
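Review bot: Dropping the root-connected `VM initialization` play means the user- and key-creation tasks now run only from `Base configuration`, which connects as `remote_user: ansible` with `become: true`; on a host where that account does not yet exist — the two mda01 LXC instances this commit adds, unless the container template provides it — the play cannot connect at all, so the bootstrap path should be recorded or a bootstrap play kept. A comment above `- name: Base configuration`, e.g. `# Assumes the 'ansible' user and its key are provisioned by the VM/LXC template`, would capture that assumption. This is inferred from the diff alone; if the templates already ship the account, only the comment is needed.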
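Review bot: The `Media servers` play is committed commented out while the new `mediaservers` inventory group and the proxy's `mda01` entries in roles/proxy/defaults/main.yml are live, so the proxy role presumably builds configuration for hosts that receive only the base role; a comment explaining why the play is disabled, e.g. `# Disabled until the jellyfin role is added`, would stop this reading as an accident. The `jellyfin` role it references does not appear anywhere in this commit, which supports that reading but should be stated.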