From 29d67e764c544789e74fdf3cbf4626bea758699b Mon Sep 17 00:00:00 2001
From: Stonewall Jackson
Date: Sat, 4 Feb 2023 08:42:21 -0500
Subject: move common setup from playbook into role

---
README.md | 9 ++--
playbooks/archiver.yml | 9 ++--
playbooks/asterisk.yml | 7 ++-
playbooks/bitwarden.yml | 7 ++-
playbooks/common.yml | 112 ++------------------------------------
playbooks/cups.yml | 7 ++-
playbooks/dav.yml | 7 ++-
playbooks/dev_servers.yml | 9 ++--
playbooks/freeipa.yml | 7 ++-
playbooks/freeipa_bootstrap.yml | 11 ++--
playbooks/freeipa_replica.yml | 9 ++--
playbooks/git.yml | 7 ++-
playbooks/jellyfin.yml | 7 ++-
playbooks/linux_desktops.yml | 7 ++-
playbooks/linux_laptops.yml | 7 ++-
playbooks/mail.yml | 14 ++---
playbooks/nagios.yml | 7 ++-
playbooks/nameservers.yml | 9 ++--
playbooks/nfs.yml | 9 ++--
playbooks/photostructure.yml | 7 ++-
playbooks/postgres.yml | 7 ++-
playbooks/privbrowse.yml | 7 ++-
playbooks/radius.yml | 9 ++--
playbooks/syncthing.yml | 7 ++-
playbooks/syslog.yml | 9 ++--
playbooks/ttrss.yml | 8 ++-
playbooks/turn.yml | 8 ++-
playbooks/unifi.yml | 8 ++-
playbooks/webserver_internal.yml | 7 ++-
playbooks/webserver_public.yml | 7 ++-
playbooks/wiki.yml | 7 ++-
playbooks/xmpp.yml | 7 ++-
playbooks/yum.yml | 7 ++-
playbooks/znc.yml | 7 ++-
roles/common/meta/main.yml | 109 +++++++++++++++++++++++++++++++++++++
35 files changed, 226 insertions(+), 256 deletions(-)
create mode 100644 roles/common/meta/main.yml

diff --git a/README.md b/README.md
index b63adb3..2ded772 100644
--- a/README.md
+++ b/README.md
@@ -53,12 +53,14 @@ into it.
 ## Features
-Modular [Ansible roles](roles) are used to manage VMs and configure each service.
+Modular [Ansible roles](roles) are used to create VMs, apply common base
+configuration, and configure each service.
 | Role | Description | --------------------------------------------|-------------|
 [proxmox\_instance](roles/proxmox_instance) | Automatically provisions a [Proxmox](https://www.proxmox.com/) VM with the given hardware and cloud-init configuration
-[freeipa\_server](roles/freeipa_server) | [FreeIPA](https://www.freeipa.org/) provides provides identity management, access control, certificate management, and Single Sign-On for all services via Kerberos/GSSAPI
+[common](roles/common) | Meta-role that pulls in common configuration roles (local repos, freeipa client, DNS/NTP, SSH keys, etc)
+[freeipa\_server](roles/freeipa_server) | [FreeIPA](https://www.freeipa.org/) provides provides identity management, access control, certificate management, and single sign-on
 [yum\_mirror](roles/yum_mirror) | Mirrors all package repositories locally
 [rsyslog\_server](roles/rsyslog_server) | Centralized syslog storage using [Rsyslog](https://www.rsyslog.com/)
 [postfix\_server](roles/postfix_server) | Public-facing mail server using [Postfix](https://www.postfix.org/)
@@ -90,9 +92,6 @@ Modular [Ansible roles](roles) are used to manage VMs and configure each service
 All services authenticate against the local FreeIPA domain. On a domain-joined workstation, Kerberos/GSSAPI is used for single sign-on.
-The [common.yml](playbooks/common.yml) playbook is a prerequisite for all services.
-It joins the host to FreeIPA, adds the local yum repos, configures DNS and NTP, etc.
-
 ## Todo
 Currently, this repository is just a big pile of YAML. More documentation and
diff --git a/playbooks/archiver.yml b/playbooks/archiver.yml
index 9056db3..6c6e891 100644
--- a/playbooks/archiver.yml
+++ b/playbooks/archiver.yml
@@ -1,9 +1,8 @@
-- import_playbook: common.yml
- vars:
- hostlist: archive_servers
-
 - name: configure archiver
 hosts: archive_servers
 tags: archive,archiver
 roles:
- - archive_server
+ - role: common
+ tags: common
+
+ - role: archive_server
diff --git a/playbooks/asterisk.yml b/playbooks/asterisk.yml
index 153176a..76bbe40 100644
--- a/playbooks/asterisk.yml
+++ b/playbooks/asterisk.yml
@@ -1,11 +1,10 @@
-- import_playbook: common.yml
- vars:
- hostlist: asterisk_servers
-
 - name: configure asterisk pbx
 hosts: asterisk_servers
 tags: asterisk
 roles:
+ - role: common
+ tags: common
+
 - role: asterisk
 - role: archive_job
diff --git a/playbooks/bitwarden.yml b/playbooks/bitwarden.yml
index cb9a911..1e7529d 100644
--- a/playbooks/bitwarden.yml
+++ b/playbooks/bitwarden.yml
@@ -1,11 +1,10 @@
-- import_playbook: common.yml
- vars:
- hostlist: bitwarden_servers
-
 - name: configure vaultwarden
 hosts: bitwarden_servers
 tags: vaultwarden,bitwarden
 roles:
+ - role: common
+ tags: common
+
 - role: vaultwarden
 - role: apache_vhost
diff --git a/playbooks/common.yml b/playbooks/common.yml
index e96be0b..c6c21fd 100644
--- a/playbooks/common.yml
+++ b/playbooks/common.yml
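Review bot: The archiver play now lists `role: common` but carries no `gather_facts: no`, whereas the old common.yml play that ran these roles did; with Ansible's default gathering, the implicit setup task therefore runs before the meta-role's `proxmox_instance` dependency can create the VM, and the dependency's own `gather_facts` step (gated on `not ansible_facts`) is skipped because facts already exist. Unless ansible.cfg sets `gathering = explicit` (not visible here), first-run provisioning of a host in `proxmox_instances` fails at fact gathering; add `gather_facts: no` under `hosts: archive_servers`, and the same applies to every per-service play this commit rewrites. If relying on a global gathering setting is intentional, say so with a comment above `roles:` such as `# facts are gathered by common's gather_facts dependency, after the VM exists`.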
@@ -1,112 +1,6 @@
-- hosts: '{{ hostlist | default("el") }}'
+- name: apply base configuration to all hosts
+ hosts: el
 gather_facts: no
 tags: common
 roles:
- - role: proxmox_instance
- when: '"proxmox_instances" in group_names'
- tags: proxmox
-
- - role: dns_records
- when: not (bootstrap | default(false))
- tags: dns
-
- - role: gather_facts
- when: not ansible_facts
- tags: always
-
- - role: udev
- when: not ansible_virtualization_tech_guest
- tags: udev
-
- - role: root_authorized_keys
- tags: authorized_keys
-
- - role: root_password
- tags: root_password
-
- - role: polkit
- tags: polkit
-
- - role: grub
- tags: grub
-
- - role: sudo
- tags: sudo,sudoers
-
- - role: hostname
- tags: hostname
-
- - role: timezone
- tags: timezone
-
- - role: journald
- tags: journald
-
- - role: yum_disable_default_repos
- when: '"yum_mirrors" not in group_names'
-
- - role: yum
- yum_repositories:
- - rocky-baseos
- - rocky-appstream
- - rocky-extras
- when:
- - '"yum_mirrors" not in group_names'
- - not (bootstrap | default(false))
- tags: yum
-
- - role: dnsmasq
- when: '"freeipa_servers" not in group_names'
- tags: dnsmasq
-
- - role: locale
- tags: locale
-
- - role: selinux
- tags: selinux
-
- - role: qemu_guest_agent
- when: '"kvm" in ansible_virtualization_tech_guest'
- tags: qemu
-
- - role: firewalld
- tags: firewalld
-
- - role: chrony
- tags: chrony,ntp
-
- - role: dnf_automatic
- tags: yum
-
- - role: ssh
- tags: ssh
-
- - role: tuned
- tags: tuned
-
- - role: motd
- tags: motd
-
- - role: packages
- tags: packages
-
- - role: postfix_client
- when: '"mail_servers" not in group_names'
- tags: postfix,mail
-
- - role: freeipa_client
- when: '"freeipa_servers" not in group_names'
- tags: freeipa
-
- - role: rsyslog_client
- when:
- - '"syslog_servers" not in group_names'
- - not (bootstrap | default(false))
- tags: rsyslog
-
- - role: nagios_client
- when:
- - (group_names | intersect(nagios_excluded_groups) | length) == 0
- - '"yum_mirrors" not in group_names'
- - not (bootstrap | default(false))
- tags: nagios
+ - common
diff --git a/playbooks/cups.yml b/playbooks/cups.yml
index 20bed0b..ed67eb1 100644
--- a/playbooks/cups.yml
+++ b/playbooks/cups.yml
@@ -1,11 +1,10 @@
-- import_playbook: common.yml
- vars:
- hostlist: cups_servers
-
 - name: configure cups
 hosts: cups_servers
 tags: cups
 roles:
+ - role: common
+ tags: common
+
 - role: cups_server
 - role: archive_job
diff --git a/playbooks/dav.yml b/playbooks/dav.yml
index 21c4a97..69b6167 100644
--- a/playbooks/dav.yml
+++ b/playbooks/dav.yml
@@ -1,11 +1,10 @@
-- import_playbook: common.yml
- vars:
- hostlist: dav_servers
-
 - name: configure sabredav
 hosts: dav_servers
 tags: sabredav,dav
 roles:
+ - role: common
+ tags: common
+
 - role: sabredav
 - role: apache_vhost
diff --git a/playbooks/dev_servers.yml b/playbooks/dev_servers.yml
index 2602d6d..7530b05 100644
--- a/playbooks/dev_servers.yml
+++ b/playbooks/dev_servers.yml
@@ -1,9 +1,8 @@
-- import_playbook: common.yml
- vars:
- hostlist: dev_servers
-
 - name: configure development environment
 hosts: dev_servers
 tags: dev
 roles:
- - dev_environment
+ - role: common
+ tags: common
+
+ - role: dev_environment
diff --git a/playbooks/freeipa.yml b/playbooks/freeipa.yml
index a83aaf6..b8ecc85 100644
--- a/playbooks/freeipa.yml
+++ b/playbooks/freeipa.yml
@@ -1,11 +1,10 @@
-- import_playbook: common.yml
- vars:
- hostlist: freeipa_servers
-
 - name: configure freeipa master
 hosts: freeipa_master
 tags: freeipa
 roles:
+ - role: common
+ tags: common
+
 - role: freeipa_server
 - role: archive_job
diff --git a/playbooks/freeipa_bootstrap.yml b/playbooks/freeipa_bootstrap.yml
index 38865a1..224abe5 100644
--- a/playbooks/freeipa_bootstrap.yml
+++ b/playbooks/freeipa_bootstrap.yml
@@ -1,10 +1,9 @@
-- import_playbook: common.yml
- vars:
- hostlist: freeipa_master
- bootstrap: yes
-
 - name: configure freeipa master
 hosts: freeipa_master
 tags: freeipa
 roles:
- - freeipa_server
+ - role: common
+ bootstrap: yes
+ tags: common
+
+ - role: freeipa_server
diff --git a/playbooks/freeipa_replica.yml b/playbooks/freeipa_replica.yml
index adac739..a313439 100644
--- a/playbooks/freeipa_replica.yml
+++ b/playbooks/freeipa_replica.yml
@@ -1,9 +1,8 @@
-- import_playbook: common.yml
- vars:
- hostlist: freeipa_master
-
 - name: configure freeipa replicas
 hosts: freeipa_servers:!freeipa_master
 tags: freeipa
 roles:
- - freeipa_replica
+ - role: common
+ tags: common
+
+ - role: freeipa_replica
diff --git a/playbooks/git.yml b/playbooks/git.yml
index 9e4c112..6833467 100644
--- a/playbooks/git.yml
+++ b/playbooks/git.yml
@@ -1,11 +1,10 @@
-- import_playbook: common.yml
- vars:
- hostlist: git_servers
-
 - name: configure git repository
 hosts: git_servers
 tags: git
 roles:
+ - role: common
+ tags: common
+
 - role: gitolite
 tags: gitolite
diff --git a/playbooks/jellyfin.yml b/playbooks/jellyfin.yml
index 7fa6721..4b68d82 100644
--- a/playbooks/jellyfin.yml
+++ b/playbooks/jellyfin.yml
@@ -1,11 +1,10 @@
-- import_playbook: common.yml
- vars:
- hostlist: jellyfin_servers
-
 - name: configure jellyfin
 hosts: jellyfin_servers
 tags: jellyfin
 roles:
+ - role: common
+ tags: common
+
 - role: jellyfin
 - role: apache_vhost
diff --git a/playbooks/linux_desktops.yml b/playbooks/linux_desktops.yml
index d7c2fee..6fa6570 100644
--- a/playbooks/linux_desktops.yml
+++ b/playbooks/linux_desktops.yml
@@ -1,10 +1,9 @@
-- import_playbook: common.yml
- vars:
- hostlist: linux_desktops
-
 - name: configure linux desktop environment
 hosts: linux_desktops
 roles:
+ - role: common
+ tags: common
+
 - role: dev_environment
 tags: dev
diff --git a/playbooks/linux_laptops.yml b/playbooks/linux_laptops.yml
index c841e95..a3c62a6 100644
--- a/playbooks/linux_laptops.yml
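Review bot: `bootstrap: yes` has moved from a play var to a parameter on the `common` role entry, and the skips it controls live in roles/common/meta/main.yml (`dns_records`, `yum`, `rsyslog_client`, `nagios_client` all test `not (bootstrap | default(false))`), so a reader of this play cannot see that the flag only takes effect because role params are passed through to the role's dependencies; a comment above the entry such as `# bootstrap: skip deps that need DNS, yum mirror, syslog and nagios to already exist` would make that explicit. Also write the value as `bootstrap: true` rather than `yes` — yamllint's truthy rule flags it, and the meta conditions compare against a real boolean. If any later role in this play also consults `bootstrap`, confirm it is still visible there now that it is role-scoped rather than play-scoped.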
+++ b/playbooks/linux_laptops.yml
@@ -1,10 +1,9 @@
-- import_playbook: common.yml
- vars:
- hostlist: linux_laptops
-
 - name: configure linux desktop environment
 hosts: linux_laptops
 roles:
+ - role: common
+ tags: common
+
 - role: dev_environment
 tags: dev
diff --git a/playbooks/mail.yml b/playbooks/mail.yml
index 6df70f3..ce272a9 100644
--- a/playbooks/mail.yml
+++ b/playbooks/mail.yml
@@ -1,6 +1,8 @@
-- import_playbook: common.yml
- vars:
- hostlist: rspamd_servers,mail_servers,imap_servers
+- name: run common roles
+ hosts: rspamd_servers,mail_servers,imap_servers
+ tags: common
+ roles:
+ - common
 - name: configure rspamd
 hosts: rspamd_servers
@@ -18,13 +20,13 @@
 archive_shell: '{{ rspamd_archive_shell }}'
 tags: archive
-- name: configure Postfix
+- name: configure postfix
 hosts: mail_servers
 tags: postfix,smtp
 roles:
- - postfix_server
+ - role: postfix_server
-- name: configure Dovecot
+- name: configure dovecot
 hosts: imap_servers
 tags: dovecot,imap
 roles:
diff --git a/playbooks/nagios.yml b/playbooks/nagios.yml
index cb13d57..d0ff488 100644
--- a/playbooks/nagios.yml
+++ b/playbooks/nagios.yml
@@ -1,11 +1,10 @@
-- import_playbook: common.yml
- vars:
- hostlist: nagios_servers
-
 - name: configure nagios
 hosts: nagios_servers
 tags: nagios
 roles:
+ - role: common
+ tags: common
+
 - role: nagios_server
 - role: apache_vhost
diff --git a/playbooks/nameservers.yml b/playbooks/nameservers.yml
index a977744..8241208 100644
--- a/playbooks/nameservers.yml
+++ b/playbooks/nameservers.yml
@@ -1,9 +1,8 @@
-- import_playbook: common.yml
- vars:
- hostlist: authoritative_nameservers
-
 - name: configure nsd
 hosts: authoritative_nameservers
 tags: nsd
 roles:
- - nsd
+ - role: common
+ tags: common
+
+ - role: nsd
diff --git a/playbooks/nfs.yml b/playbooks/nfs.yml
index a066afb..0c96231 100644
--- a/playbooks/nfs.yml
+++ b/playbooks/nfs.yml
@@ -1,9 +1,8 @@
-- import_playbook: common.yml
- vars:
- hostlist: nfs_servers
-
 - name: configure nfs exports
 hosts: nfs_servers
 tags: nfs
 roles:
- - nfs_server
+ - role: common
+ tags: common
+
+ - role: nfs_server
diff --git a/playbooks/photostructure.yml b/playbooks/photostructure.yml
index 12ebe1f..d94ddc7 100644
--- a/playbooks/photostructure.yml
+++ b/playbooks/photostructure.yml
@@ -1,11 +1,10 @@
-- import_playbook: common.yml
- vars:
- hostlist: photostructure_servers
-
 - name: configure photostructure
 hosts: photostructure_servers
 tags: photostructure
 roles:
+ - role: common
+ tags: common
+
 - role: photostructure
 - role: apache_vhost
diff --git a/playbooks/postgres.yml b/playbooks/postgres.yml
index 72192ec..fb7f7aa 100644
--- a/playbooks/postgres.yml
+++ b/playbooks/postgres.yml
@@ -1,11 +1,10 @@
-- import_playbook: common.yml
- vars:
- hostlist: postgresql_servers
-
 - name: configure postgresql
 hosts: postgresql_servers
 tags: postgres,postgresql
 roles:
+ - role: common
+ tags: common
+
 - role: postgresql_server
 - role: archive_job
diff --git a/playbooks/privbrowse.yml b/playbooks/privbrowse.yml
index 8b61d5c..aaa5ee5 100644
--- a/playbooks/privbrowse.yml
+++ b/playbooks/privbrowse.yml
@@ -1,10 +1,9 @@
-- import_playbook: common.yml
- vars:
- hostlist: privbrowse_servers
-
 - name: configure web service frontends
 hosts: privbrowse_servers
 roles:
+ - role: common
+ tags: common
+
 - role: invidious
 tags: invidious
diff --git a/playbooks/radius.yml b/playbooks/radius.yml
index 6529365..59140b9 100644
--- a/playbooks/radius.yml
+++ b/playbooks/radius.yml
@@ -1,9 +1,8 @@
-- import_playbook: common.yml
- vars:
- hostlist: radius_servers
-
 - name: configure freeradius
 hosts: radius_servers
 tags: freeradius,radius
 roles:
- - freeradius
+ - role: common
+ tags: common
+
+ - role: freeradius
diff --git a/playbooks/syncthing.yml b/playbooks/syncthing.yml
index 3fad588..e93745d 100644
--- a/playbooks/syncthing.yml
+++ b/playbooks/syncthing.yml
@@ -1,11 +1,10 @@
-- import_playbook: common.yml
- vars:
- hostlist: syncthing_servers
-
 - name: configure syncthing
 hosts: syncthing_servers
 tags: syncthing
 roles:
+ - role: common
+ tags: common
+
 - role: syncthing
 - role: archive_job
diff --git a/playbooks/syslog.yml b/playbooks/syslog.yml
index 2891dc6..abf3cc3 100644
--- a/playbooks/syslog.yml
+++ b/playbooks/syslog.yml
@@ -1,9 +1,8 @@
-- import_playbook: common.yml
- vars:
- hostlist: syslog_servers
-
 - name: configure rsyslog server
 hosts: syslog_servers
 tags: rsyslog,syslog
 roles:
- - rsyslog_server
+ - role: common
+ tags: common
+
+ - role: rsyslog_server
diff --git a/playbooks/ttrss.yml b/playbooks/ttrss.yml
index befd157..337258e 100644
--- a/playbooks/ttrss.yml
+++ b/playbooks/ttrss.yml
@@ -1,12 +1,10 @@
-- import_playbook: common.yml
- tags: common
- vars:
- hostlist: ttrss_servers
-
 - name: configure tinytinyrss
 hosts: ttrss_servers
 tags: ttrss
 roles:
+ - role: common
+ tags: common
+
 - role: ttrss
 - role: apache_vhost
diff --git a/playbooks/turn.yml b/playbooks/turn.yml
index 20b6196..42832d6 100644
--- a/playbooks/turn.yml
+++ b/playbooks/turn.yml
@@ -1,10 +1,8 @@
-- import_playbook: common.yml
- tags: common
- vars:
- hostlist: turn_servers
-
 - name: configure coturn
 hosts: turn_servers
 tags: coturn,turn
 roles:
+ - role: common
+ tags: common
+
 - role: coturn
diff --git a/playbooks/unifi.yml b/playbooks/unifi.yml
index 1b0864d..667ff1b 100644
--- a/playbooks/unifi.yml
+++ b/playbooks/unifi.yml
@@ -1,12 +1,10 @@
-- import_playbook: common.yml
- tags: common
- vars:
- hostlist: unifi_controllers
-
 - name: configure unifi controller
 hosts: unifi_controllers
 tags: unifi
 roles:
+ - role: common
+ tags: common
+
 - role: unifi
 - role: archive_job
diff --git a/playbooks/webserver_internal.yml b/playbooks/webserver_internal.yml
index eb27c97..90ffdb3 100644
--- a/playbooks/webserver_internal.yml
+++ b/playbooks/webserver_internal.yml
@@ -1,11 +1,10 @@
-- import_playbook: common.yml
- vars:
- hostlist: www1
-
 - name: configure internal web servers
 hosts: www1
 tags: apache
 roles:
+ - role: common
+ tags: common
+
 - role: apache_vhost
 apache_default_vhost: yes
 apache_config: |
diff --git a/playbooks/webserver_public.yml b/playbooks/webserver_public.yml
index 17221e6..b362eed 100644
--- a/playbooks/webserver_public.yml
+++ b/playbooks/webserver_public.yml
@@ -1,10 +1,9 @@
-- import_playbook: common.yml
- vars:
- hostlist: dmz-www1
-
 - name: configure public web server
 hosts: dmz-www1
 roles:
+ - role: common
+ tags: common
+
 - role: apache_vhost
 apache_server_name: www.example.com
 apache_server_aliases: [example.com]
diff --git a/playbooks/wiki.yml b/playbooks/wiki.yml
index 794eb74..bb7d25d 100644
--- a/playbooks/wiki.yml
+++ b/playbooks/wiki.yml
@@ -1,11 +1,10 @@
-- import_playbook: common.yml
- vars:
- hostlist: wiki_servers
-
 - name: configure mediawiki
 hosts: wiki_servers
 tags: wiki,mediawiki
 roles:
+ - role: common
+ tags: common
+
 - role: mediawiki
 - role: apache_vhost
diff --git a/playbooks/xmpp.yml b/playbooks/xmpp.yml
index 38d0ce4..6d86a88 100644
--- a/playbooks/xmpp.yml
+++ b/playbooks/xmpp.yml
@@ -1,9 +1,8 @@
-- import_playbook: common.yml
- vars:
- hostlist: xmpp_servers
-
 - name: configure prosody
 hosts: xmpp_servers
 tags: xmpp,prosody
 roles:
+ - role: common
+ tags: common
+
 - role: prosody
diff --git a/playbooks/yum.yml b/playbooks/yum.yml
index e0c829f..9f93b8f 100644
--- a/playbooks/yum.yml
+++ b/playbooks/yum.yml
@@ -1,11 +1,10 @@
-- import_playbook: common.yml
- vars:
- hostlist: yum_mirrors
-
 - name: configure yum mirrors
 hosts: yum_mirrors
 tags: yum
 roles:
+ - role: common
+ tags: common
+
 - role: yum_mirror
 - role: apache_vhost
diff --git a/playbooks/znc.yml b/playbooks/znc.yml
index 79f3721..34d6ada 100644
--- a/playbooks/znc.yml
+++ b/playbooks/znc.yml
@@ -1,11 +1,10 @@
-- import_playbook: common.yml
- vars:
- hostlist: znc_servers
-
 - name: configure znc
 hosts: znc_servers
 tags: znc
 roles:
+ - role: common
+ tags: common
+
 - role: znc
 - role: archive_job
diff --git a/roles/common/meta/main.yml b/roles/common/meta/main.yml
new file mode 100644
index 0000000..5b009f3
--- /dev/null
+++ b/roles/common/meta/main.yml
@@ -0,0 +1,109 @@
+dependencies:
+ - role: proxmox_instance
+ when: '"proxmox_instances" in group_names'
+ tags: proxmox
+
+ - role: dns_records
+ when: not (bootstrap | default(false))
+ tags: dns
+
+ - role: gather_facts
+ when: not ansible_facts
+ tags: always
+
+ - role: udev
+ when: not ansible_virtualization_tech_guest
+ tags: udev
+
+ - role: root_authorized_keys
+ tags: authorized_keys
+
+ - role: root_password
+ tags: root_password
+
+ - role: polkit
+ tags: polkit
+
+ - role: grub
+ tags: grub
+
+ - role: sudo
+ tags: sudo,sudoers
+
+ - role: hostname
+ tags: hostname
+
+ - role: timezone
+ tags: timezone
+
+ - role: journald
+ tags: journald
+
+ - role: yum_disable_default_repos
+ when: '"yum_mirrors" not in group_names'
+
+ - role: yum
+ yum_repositories:
+ - rocky-baseos
+ - rocky-appstream
+ - rocky-extras
+ when:
+ - '"yum_mirrors" not in group_names'
+ - not (bootstrap | default(false))
+ tags: yum
+
+ - role: dnsmasq
+ when: '"freeipa_servers" not in group_names'
+ tags: dnsmasq
+
+ - role: locale
+ tags: locale
+
+ - role: selinux
+ tags: selinux
+
+ - role: qemu_guest_agent
+ when: '"kvm" in ansible_virtualization_tech_guest'
+ tags: qemu
+
+ - role: firewalld
+ tags: firewalld
+
+ - role: chrony
+ tags: chrony,ntp
+
+ - role: dnf_automatic
+ tags: yum
+
+ - role: ssh
+ tags: ssh
+
+ - role: tuned
+ tags: tuned
+
+ - role: motd
+ tags: motd
+
+ - role: packages
+ tags: packages
+
+ - role: postfix_client
+ when: '"mail_servers" not in group_names'
+ tags: postfix,mail
+
+ - role: freeipa_client
+ when: '"freeipa_servers" not in group_names'
+ tags: freeipa
+
+ - role: rsyslog_client
+ when:
+ - '"syslog_servers" not in group_names'
+ - not (bootstrap | default(false))
+ tags: rsyslog
+
+ - role: nagios_client
+ when:
+ - (group_names | intersect(nagios_excluded_groups) | length) == 0
+ - '"yum_mirrors" not in group_names'
+ - not (bootstrap | default(false))
+ tags: nagios
-- cgit
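Review bot: `yum_disable_default_repos` is the only dependency in this list without a `tags:` entry, while `yum` and `dnf_automatic` carry `tags: yum`; a tag-limited run (`--tags yum`) therefore adds the local mirror repos and enables dnf-automatic but leaves the upstream Rocky repos enabled, so hosts can pull packages from outside the mirror — give it `tags: yum` like its neighbours. The `nagios_client` guard `(group_names | intersect(nagios_excluded_groups) | length) == 0` has no default, unlike the `bootstrap` checks, so on any host where `nagios_excluded_groups` is not defined the conditional itself errors out rather than evaluating to true; `nagios_excluded_groups | default([])` makes it safe. Both were carried over verbatim from playbooks/common.yml, so they are pre-existing, but this file is now the single place they apply. Since the calling plays attach `tags: common` to this role and role tags are inherited by its dependencies, a `--skip-tags common` run skips the whole security baseline (`sudo`, `ssh`, `firewalld`, `selinux`, `root_authorized_keys`); a header comment such as `# every dependency inherits the caller's tags; --skip-tags common disables the entire baseline` would save the next maintainer that surprise.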