authorKevin Fenzi <kevin@scrye.com>2013-08-25 18:44:54 +0000
committerKevin Fenzi <kevin@scrye.com>2013-08-25 18:44:54 +0000
commitaecec53380d5267bf8be52812359d6f13583c0cd (patch)
treefa6217cc05d68e4b82b1a9001c0fbf9f660d8613
parent337614085a17d8cc30be3fdd95678fb165179450 (diff)
Move base to a role.
Clean up syntax in all the base tasks. Add a CONVENTIONS file for info on where things go. Tweak the README. Switch all playbooks to the base role instead of the task include.
-rw-r--r--CONVENTIONS112
-rw-r--r--README22
-rw-r--r--playbooks/groups/arm-packager.yml2
-rw-r--r--playbooks/groups/arm-qa.yml2
-rw-r--r--playbooks/groups/arm-releng.yml2
-rw-r--r--playbooks/groups/backup-server.yml2
-rw-r--r--playbooks/groups/badges-backend.yml2
-rw-r--r--playbooks/groups/badges-web.yml2
-rw-r--r--playbooks/groups/beaker.yml2
-rw-r--r--playbooks/groups/gallery.yml2
-rw-r--r--playbooks/groups/kernel-qa.yml2
-rw-r--r--playbooks/groups/keyserver.yml2
-rw-r--r--playbooks/groups/koji-hub.yml2
-rw-r--r--playbooks/groups/mailman.yml2
-rw-r--r--playbooks/groups/mirrorlist.yml2
-rw-r--r--playbooks/groups/postgresl-server.yml2
-rw-r--r--playbooks/groups/sign.yml8
-rw-r--r--playbooks/groups/taskbot.yml2
-rw-r--r--playbooks/groups/virthost.yml2
-rw-r--r--roles/base/README4
-rw-r--r--roles/base/files/ansible-pub-key (renamed from files/common/ansible-pub-key)0
-rwxr-xr-xroles/base/files/common-scripts/hardware-reinstall (renamed from files/common-scripts/hardware-reinstall)0
-rwxr-xr-xroles/base/files/common-scripts/lock-wrapper (renamed from files/common-scripts/lock-wrapper)0
-rwxr-xr-xroles/base/files/common-scripts/nag-once (renamed from files/common-scripts/nag-once)0
-rwxr-xr-xroles/base/files/common-scripts/syncFiles.sh (renamed from files/common-scripts/syncFiles.sh)0
-rw-r--r--roles/base/files/postfix/main.cf (renamed from files/postfix/main.cf)0
-rw-r--r--roles/base/files/postfix/main.cf.209.132.184.113 (renamed from files/postfix/main.cf.209.132.184.113)0
-rw-r--r--roles/base/files/postfix/main.cf.norelay (renamed from files/postfix/main.cf.norelay)0
-rw-r--r--roles/base/files/postfix/main.cf.releng01 (renamed from files/postfix/main.cf.releng01)0
-rw-r--r--roles/base/files/postfix/main.cf.releng02 (renamed from files/postfix/main.cf.releng02)0
-rw-r--r--roles/base/files/postfix/main.cf.sign (renamed from files/postfix/main.cf.sign)0
-rw-r--r--roles/base/files/resolv.conf/ibiblio (renamed from files/resolv.conf/ibiblio)0
-rw-r--r--roles/base/files/resolv.conf/kojibuilder (renamed from files/resolv.conf/kojibuilder)0
-rw-r--r--roles/base/files/resolv.conf/osuosl (renamed from files/resolv.conf/osuosl)0
-rw-r--r--roles/base/files/resolv.conf/phx2 (renamed from files/resolv.conf/phx2)0
-rw-r--r--roles/base/files/resolv.conf/resolv.conf (renamed from files/resolv.conf/resolv.conf)0
-rw-r--r--roles/base/files/rsyslog/rsyslog.conf (renamed from files/rsyslog/rsyslog.conf)0
-rw-r--r--roles/base/files/rsyslog/rsyslog.conf.kojibuilder (renamed from files/rsyslog/rsyslog.conf.kojibuilder)0
-rw-r--r--roles/base/files/rsyslog/rsyslog.conf.phx2 (renamed from files/rsyslog/rsyslog.conf.phx2)0
-rw-r--r--roles/base/files/rsyslog/rsyslog.conf.releng (renamed from files/rsyslog/rsyslog.conf.releng)0
-rw-r--r--roles/base/files/ssh/sshd_config.19 (renamed from files/ssh/sshd_config.19)0
-rw-r--r--roles/base/files/ssh/sshd_config.20 (renamed from files/ssh/sshd_config.20)0
-rw-r--r--roles/base/files/ssh/sshd_config.arm-releng (renamed from files/ssh/sshd_config.arm-releng)0
-rw-r--r--roles/base/files/ssh/sshd_config.el6 (renamed from files/ssh/sshd_config.el6)0
-rw-r--r--roles/base/files/ssh/sshd_config.f18 (renamed from files/ssh/sshd_config.f18)0
-rw-r--r--roles/base/files/ssh/sshd_config.f19 (renamed from files/ssh/sshd_config.f19)0
-rw-r--r--roles/base/files/ssh/sshd_config.kojibuilder (renamed from files/ssh/sshd_config.kojibuilder)0
-rw-r--r--roles/base/files/ssh/sshd_config.releng (renamed from files/ssh/sshd_config.releng)0
-rw-r--r--roles/base/tasks/main.yml138
-rw-r--r--roles/base/templates/iptables/iptables52
-rw-r--r--roles/base/templates/iptables/iptables.sign14
-rw-r--r--roles/base/templates/iptables/iptables.staging64
-rw-r--r--tasks/base.yml134
53 files changed, 416 insertions, 164 deletions
diff --git a/CONVENTIONS b/CONVENTIONS
new file mode 100644
index 000000000..9e57438eb
--- /dev/null
+++ b/CONVENTIONS
@@ -0,0 +1,112 @@
+This file describes some conventions we are going to try and use
+to keep things organized and everyone on the same page.
+
+If you find you need to diverge from this document for something,
+please discuss it on the infrastructure list and see if we can
+adjust this document for that use case.
+
+Playbook naming
+===============
+The top level playbooks directory should contain:
+
+* Playbooks that are generic and used by serveral groups/hosts playbooks
+* Playbooks used for utility purposes from command line
+* Groups and Hosts subdirs.
+
+Generic playbooks are included in other playbooks and perform
+basic setup that is used by other groups/hosts.
+Examples: cloud setup, collectd, webserver, iptables, etc
+
+Utility playbooks are used by sysadmins command line to perform some
+specific function. Examples: host update, vhost update, vhost reboot.
+
+The playbooks/groups/ directory should contain one playbook per
+group. This should be used in the case of multiple machines/instances
+in a group. MUST include a hosts entry that describes the hosts in the group.
+Examples: packages, proxy, unbound, virthost, etc.
+Try and be descriptive with the name here.
+
+The playbooks/hosts/ directory should contain one playbook per 'host'
+for when a role is handled by only one host. Hosts playbooks
+MUST be FQDN.yml, MUST contain Hosts: the host or ip.
+Examples: persistent cloud images, special hosts.
+
+Where possible groups should be used. Hosts playbooks should only
+be used in specific cases where a generic group playbook would not work.
+
+Both groups and hosts playbooks should always include:
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - ${private}/vars.yml
+ - ${vars}/${ansible_distribution}.yml
+
+Play naming
+===========
+Plays in playbooks should be a short readable description of what the play
+is doing. This will be displayed to the user and/or mailed out, so think
+about what you would like to see if the play you are writing failed that
+would be descriptive to the reader to help fix it.
+
+Inventory
+=========
+The inventory file should add all hosts to one (or more) groups.
+
+When there are staging hosts for a role/service, they should be in the
+main group for that role as well as a staging for the role.
+FIXME: will depend on how we do staging. (see below)
+
+Tags
+====
+Tags allow you to run just a subset of plays with a specific tag(s).
+
+We have some standard tags we should use on all plays:
+
+packages - this play installs or removes packages.
+
+config - this play installs config files.
+
+check - we could use this tag to include 'is everything running that should be'
+ type tasks.
+
+FIXME: others?
+
+Production vs Staging vs Development
+====================================
+In the default state, we should strive to have production and staging using
+the same exact playbooks. development can also do so, or just be a more
+minimal free form for the developer.
+
+When needing to make changes to test in staging the following process should
+be used:
+
+FIXME... :)
+
+Requirements:
+
+1. shouldn't touch prod playbook by default
+2. should be easy to merge changes back to prod
+3. should not require people to remember to do a bunch of steps.
+4. should be easy to see exactly what changes are pending only in stg.
+
+Cron job/automatic execution
+============================
+
+We would like to get ansible running over hosts in an automated way.
+A git hook could do this.
+
+* On commit:
+ If we have a way to detemine exactly what hosts are affected by a
+ change we could simply run only on those hosts.
+
+ We might want a short delay (10m) to allow someone to see a problem
+ or others to note one from the commit.
+
+* Once a day: (more often? less often?)
+
+ We may want to re-run on all hosts once a day and yell loudly
+ if anything changed.
+
+ FIXME: perhaps we want a tag of items to run at this time?
+ FIXME: alternately we could have a util playbook that runs a
+ bunch of checks for us?
+
diff --git a/README b/README
index 5ac3e3804..3e7208345 100644
--- a/README
+++ b/README
@@ -1,9 +1,15 @@
-ansible repository/structure
+== ansible repository/structure ==
files - files and templates for use in playbooks/tasks
- subdirs for specific tasks/dirs highly recommended
inventory - where the inventory and additional vars is stored
+ - All files in this directory in ini format
+ - added together for total inventory
+ group_vars:
+ - per group variables set here in a file per group
+ host_vars:
+ - per host variables set here in a file per host
library - library of custom local ansible modules
@@ -11,6 +17,10 @@ playbooks - collections of plays we want to run on systems
tasks - snippets of tasks that should be included in plays
+roles - specific roles to be use in playbooks.
+ Each role has it's own files/templates/vars
+
+== Paths ==
public path for everything is:
@@ -20,12 +30,11 @@ private path - which is sysadmin-main accessible only is:
/srv/private/ansible
-
In general to run any ansible playbook you will want to run:
sudo -i ansible-playbook /path/to/playbook.yml
-
+== Cloud information ==
cloud instances:
to startup a new cloud instance and configure for basic server use run (as
@@ -61,9 +70,6 @@ define these with:
--extra-vars="varname=value varname1=value varname2=value"
-
-
-
Name Memory_MB Disk VCPUs
m1.tiny 512 0 1
m1.small 2048 20 1
@@ -171,10 +177,6 @@ The available images can be found by running::
You should be able to run that playbook over and over again safely, it will
only setup/create a new instance if the ip is not up/responding.
-
-
-
-
SECURITY GROUPS
- to edit security groups you must either have your own cloud account or
be a member of sysadmin-main
diff --git a/playbooks/groups/arm-packager.yml b/playbooks/groups/arm-packager.yml
index 280547b56..d5279133a 100644
--- a/playbooks/groups/arm-packager.yml
+++ b/playbooks/groups/arm-packager.yml
@@ -12,6 +12,7 @@
- ${vars}/${ansible_distribution}.yml
roles:
+ - /srv/web/infra/ansible/roles/base
- /srv/web/infra/ansible/roles/rkhunter
- /srv/web/infra/ansible/roles/denyhosts
- /srv/web/infra/ansible/roles/fas_client
@@ -20,7 +21,6 @@
# this is how you include other task lists
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- - include: $tasks/base.yml
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
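Review bot: The base role now runs before `$tasks/hosts.yml` and `$tasks/yumrepos.yml`, because roles execute ahead of a play's `tasks:` list, whereas the removed `- include: $tasks/base.yml` ran after both of them. If the packages in `global_pkgs_inst`/`base_pkgs_inst` come from repositories that yumrepos.yml configures, a first run on a fresh host would now try to install them before those repos exist; moving the two includes into a `pre_tasks:` section would restore the previous order. The same reordering occurs in arm-qa.yml, backup-server.yml, badges-backend.yml, badges-web.yml, beaker.yml, gallery.yml, kernel-qa.yml, keyserver.yml, koji-hub.yml, mailman.yml, mirrorlist.yml, postgresl-server.yml, taskbot.yml and virthost.yml; arm-releng.yml only has the hosts.yml include ahead of the old base.yml, and sign.yml is unaffected since base.yml was already first there.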
diff --git a/playbooks/groups/arm-qa.yml b/playbooks/groups/arm-qa.yml
index ef016a3dd..3dae81e14 100644
--- a/playbooks/groups/arm-qa.yml
+++ b/playbooks/groups/arm-qa.yml
@@ -12,6 +12,7 @@
- ${vars}/${ansible_distribution}.yml
roles:
+ - /srv/web/infra/ansible/roles/base
- /srv/web/infra/ansible/roles/rkhunter
- /srv/web/infra/ansible/roles/denyhosts
- /srv/web/infra/ansible/roles/fas_client
@@ -20,7 +21,6 @@
# this is how you include other task lists
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- - include: $tasks/base.yml
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
diff --git a/playbooks/groups/arm-releng.yml b/playbooks/groups/arm-releng.yml
index 118a2ef4b..16f25b571 100644
--- a/playbooks/groups/arm-releng.yml
+++ b/playbooks/groups/arm-releng.yml
@@ -12,6 +12,7 @@
- ${vars}/${ansible_distribution}.yml
roles:
+ - /srv/web/infra/ansible/roles/base
- /srv/web/infra/ansible/roles/fas_client
- /srv/web/infra/ansible/roles/rkhunter
- /srv/web/infra/ansible/roles/denyhosts
@@ -20,7 +21,6 @@
tasks:
# this is how you include other task lists
- include: $tasks/hosts.yml
- - include: $tasks/base.yml
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/common_scripts.yml
diff --git a/playbooks/groups/backup-server.yml b/playbooks/groups/backup-server.yml
index ada24b9e1..b15a26279 100644
--- a/playbooks/groups/backup-server.yml
+++ b/playbooks/groups/backup-server.yml
@@ -14,6 +14,7 @@
- ${vars}/${ansible_distribution}.yml
roles:
+ - /srv/web/infra/ansible/roles/base
- /srv/web/infra/ansible/roles/rkhunter
- /srv/web/infra/ansible/roles/denyhosts
- /srv/web/infra/ansible/roles/nagios_client
@@ -22,7 +23,6 @@
tasks:
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- - include: $tasks/base.yml
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
diff --git a/playbooks/groups/badges-backend.yml b/playbooks/groups/badges-backend.yml
index 22e1d3ed8..2ddc0e29e 100644
--- a/playbooks/groups/badges-backend.yml
+++ b/playbooks/groups/badges-backend.yml
@@ -30,6 +30,7 @@
- ${vars}/${ansible_distribution}.yml
roles:
+ - /srv/web/infra/ansible/roles/base
- /srv/web/infra/ansible/roles/rkhunter
- /srv/web/infra/ansible/roles/denyhosts
- /srv/web/infra/ansible/roles/nagios_client
@@ -38,7 +39,6 @@
tasks:
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- - include: $tasks/base.yml
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
diff --git a/playbooks/groups/badges-web.yml b/playbooks/groups/badges-web.yml
index ec542f20a..7b0ee00e5 100644
--- a/playbooks/groups/badges-web.yml
+++ b/playbooks/groups/badges-web.yml
@@ -30,6 +30,7 @@
- ${vars}/${ansible_distribution}.yml
roles:
+ - /srv/web/infra/ansible/roles/base
- /srv/web/infra/ansible/roles/rkhunter
- /srv/web/infra/ansible/roles/denyhosts
- /srv/web/infra/ansible/roles/nagios_client
@@ -39,7 +40,6 @@
tasks:
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- - include: $tasks/base.yml
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
diff --git a/playbooks/groups/beaker.yml b/playbooks/groups/beaker.yml
index 8eccf6cb1..3ef3288ee 100644
--- a/playbooks/groups/beaker.yml
+++ b/playbooks/groups/beaker.yml
@@ -29,6 +29,7 @@
- ${vars}/${ansible_distribution}.yml
roles:
+ - /srv/web/infra/ansible/roles/base
- /srv/web/infra/ansible/roles/rkhunter
- /srv/web/infra/ansible/roles/denyhosts
- /srv/web/infra/ansible/roles/nagios_client
@@ -38,7 +39,6 @@
# this is how you include other task lists
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- - include: $tasks/base.yml
- include: $tasks/2fa_client.yml
- include: $tasks/collectd/client.yml
- include: $tasks/motd.yml
diff --git a/playbooks/groups/gallery.yml b/playbooks/groups/gallery.yml
index 3c78e66f6..9b973e48d 100644
--- a/playbooks/groups/gallery.yml
+++ b/playbooks/groups/gallery.yml
@@ -30,6 +30,7 @@
- ${vars}/${ansible_distribution}.yml
roles:
+ - /srv/web/infra/ansible/roles/base
- /srv/web/infra/ansible/roles/rkhunter
- /srv/web/infra/ansible/roles/denyhosts
- /srv/web/infra/ansible/roles/nagios_client
@@ -38,7 +39,6 @@
tasks:
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- - include: $tasks/base.yml
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
diff --git a/playbooks/groups/kernel-qa.yml b/playbooks/groups/kernel-qa.yml
index c6bc99eb9..2b225d460 100644
--- a/playbooks/groups/kernel-qa.yml
+++ b/playbooks/groups/kernel-qa.yml
@@ -13,6 +13,7 @@
- ${vars}/${ansible_distribution}.yml
roles:
+ - /srv/web/infra/ansible/roles/base
- /srv/web/infra/ansible/roles/rkhunter
- /srv/web/infra/ansible/roles/denyhosts
- /srv/web/infra/ansible/roles/nagios_client
@@ -22,7 +23,6 @@
# this is how you include other task lists
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- - include: $tasks/base.yml
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
diff --git a/playbooks/groups/keyserver.yml b/playbooks/groups/keyserver.yml
index 3b80b60d2..260f4e919 100644
--- a/playbooks/groups/keyserver.yml
+++ b/playbooks/groups/keyserver.yml
@@ -30,6 +30,7 @@
- ${vars}/${ansible_distribution}.yml
roles:
+ - /srv/web/infra/ansible/roles/base
- /srv/web/infra/ansible/roles/rkhunter
- /srv/web/infra/ansible/roles/denyhosts
- /srv/web/infra/ansible/roles/nagios_client
@@ -38,7 +39,6 @@
tasks:
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- - include: $tasks/base.yml
- include: $tasks/2fa_client.yml
- include: $tasks/openvpn_client.yml
- include: $tasks/motd.yml
diff --git a/playbooks/groups/koji-hub.yml b/playbooks/groups/koji-hub.yml
index decce1a2e..c8b34b969 100644
--- a/playbooks/groups/koji-hub.yml
+++ b/playbooks/groups/koji-hub.yml
@@ -31,6 +31,7 @@
- ${vars}/${ansible_distribution}.yml
roles:
+ - /srv/web/infra/ansible/roles/base
- /srv/web/infra/ansible/roles/rkhunter
- /srv/web/infra/ansible/roles/denyhosts
- /srv/web/infra/ansible/roles/nagios_client
@@ -39,7 +40,6 @@
tasks:
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- - include: $tasks/base.yml
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
diff --git a/playbooks/groups/mailman.yml b/playbooks/groups/mailman.yml
index 765f5eddc..fbd4480e6 100644
--- a/playbooks/groups/mailman.yml
+++ b/playbooks/groups/mailman.yml
@@ -29,6 +29,7 @@
- ${vars}/${ansible_distribution}.yml
roles:
+ - /srv/web/infra/ansible/roles/base
- /srv/web/infra/ansible/roles/rkhunter
- /srv/web/infra/ansible/roles/denyhosts
- /srv/web/infra/ansible/roles/nagios_client
@@ -39,7 +40,6 @@
# this is how you include other task lists
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- - include: $tasks/base.yml
- include: $tasks/2fa_client.yml
- include: $tasks/collectd/client.yml
- include: $tasks/motd.yml
diff --git a/playbooks/groups/mirrorlist.yml b/playbooks/groups/mirrorlist.yml
index 572c841d2..27f8401df 100644
--- a/playbooks/groups/mirrorlist.yml
+++ b/playbooks/groups/mirrorlist.yml
@@ -39,6 +39,7 @@
- ${vars}/${ansible_distribution}.yml
roles:
+ - /srv/web/infra/ansible/roles/base
- /srv/web/infra/ansible/roles/rkhunter
- /srv/web/infra/ansible/roles/denyhosts
- /srv/web/infra/ansible/roles/nagios_client
@@ -50,7 +51,6 @@
# this is how you include other task lists
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- - include: $tasks/base.yml
- include: $tasks/2fa_client.yml
- include: $tasks/collectd/client.yml
- include: $tasks/openvpn_client.yml
diff --git a/playbooks/groups/postgresl-server.yml b/playbooks/groups/postgresl-server.yml
index f1049c6d4..724a9ce9d 100644
--- a/playbooks/groups/postgresl-server.yml
+++ b/playbooks/groups/postgresl-server.yml
@@ -31,6 +31,7 @@
- ${vars}/${ansible_distribution}.yml
roles:
+ - /srv/web/infra/ansible/roles/base
- /srv/web/infra/ansible/roles/rkhunter
- /srv/web/infra/ansible/roles/denyhosts
- /srv/web/infra/ansible/roles/nagios_client
@@ -40,7 +41,6 @@
tasks:
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- - include: $tasks/base.yml
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
diff --git a/playbooks/groups/sign.yml b/playbooks/groups/sign.yml
index fca5ac579..a9ca6ea77 100644
--- a/playbooks/groups/sign.yml
+++ b/playbooks/groups/sign.yml
@@ -16,14 +16,14 @@
- ${private}/vars.yml
- ${vars}/${ansible_distribution}.yml
+ roles:
+ - /srv/web/infra/ansible/roles/base
+ - /srv/web/infra/ansible/roles/rkhunter
+
tasks:
- - include: $tasks/base.yml
- include: $tasks/serialgetty.yml
- include: $tasks/motd.yml
- include: $tasks/sign_setup.yml
- roles:
- - /srv/web/infra/ansible/roles/rkhunter
-
handlers:
- include: $handlers/restart_services.yml
diff --git a/playbooks/groups/taskbot.yml b/playbooks/groups/taskbot.yml
index e13cb390a..00af1a1b8 100644
--- a/playbooks/groups/taskbot.yml
+++ b/playbooks/groups/taskbot.yml
@@ -29,6 +29,7 @@
- ${vars}/${ansible_distribution}.yml
roles:
+ - /srv/web/infra/ansible/roles/base
- /srv/web/infra/ansible/roles/rkhunter
- /srv/web/infra/ansible/roles/denyhosts
- /srv/web/infra/ansible/roles/nagios_client
@@ -38,7 +39,6 @@
# this is how you include other task lists
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- - include: $tasks/base.yml
- include: $tasks/2fa_client.yml
- include: $tasks/collectd/client.yml
- include: $tasks/motd.yml
diff --git a/playbooks/groups/virthost.yml b/playbooks/groups/virthost.yml
index c03453ebd..a4fdafb45 100644
--- a/playbooks/groups/virthost.yml
+++ b/playbooks/groups/virthost.yml
@@ -13,6 +13,7 @@
- ${vars}/${ansible_distribution}.yml
roles:
+ - /srv/web/infra/ansible/roles/base
- /srv/web/infra/ansible/roles/rkhunter
- /srv/web/infra/ansible/roles/denyhosts
- /srv/web/infra/ansible/roles/nagios_client
@@ -21,7 +22,6 @@
tasks:
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- - include: $tasks/base.yml
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
diff --git a/roles/base/README b/roles/base/README
new file mode 100644
index 000000000..317ef0414
--- /dev/null
+++ b/roles/base/README
@@ -0,0 +1,4 @@
+This role is the base setup for all our machines.
+
+If there's something that shouldn't be run on every single
+machine, it should be in another role.
diff --git a/files/common/ansible-pub-key b/roles/base/files/ansible-pub-key
index 1fa0bf30b..1fa0bf30b 100644
--- a/files/common/ansible-pub-key
+++ b/roles/base/files/ansible-pub-key
diff --git a/files/common-scripts/hardware-reinstall b/roles/base/files/common-scripts/hardware-reinstall
index 794be0215..794be0215 100755
--- a/files/common-scripts/hardware-reinstall
+++ b/roles/base/files/common-scripts/hardware-reinstall
diff --git a/files/common-scripts/lock-wrapper b/roles/base/files/common-scripts/lock-wrapper
index f990f635e..f990f635e 100755
--- a/files/common-scripts/lock-wrapper
+++ b/roles/base/files/common-scripts/lock-wrapper
diff --git a/files/common-scripts/nag-once b/roles/base/files/common-scripts/nag-once
index 992023cac..992023cac 100755
--- a/files/common-scripts/nag-once
+++ b/roles/base/files/common-scripts/nag-once
diff --git a/files/common-scripts/syncFiles.sh b/roles/base/files/common-scripts/syncFiles.sh
index ef665b1d8..ef665b1d8 100755
--- a/files/common-scripts/syncFiles.sh
+++ b/roles/base/files/common-scripts/syncFiles.sh
diff --git a/files/postfix/main.cf b/roles/base/files/postfix/main.cf
index 553d51196..553d51196 100644
--- a/files/postfix/main.cf
+++ b/roles/base/files/postfix/main.cf
diff --git a/files/postfix/main.cf.209.132.184.113 b/roles/base/files/postfix/main.cf.209.132.184.113
index 358a8de31..358a8de31 100644
--- a/files/postfix/main.cf.209.132.184.113
+++ b/roles/base/files/postfix/main.cf.209.132.184.113
diff --git a/files/postfix/main.cf.norelay b/roles/base/files/postfix/main.cf.norelay
index f3c260f73..f3c260f73 100644
--- a/files/postfix/main.cf.norelay
+++ b/roles/base/files/postfix/main.cf.norelay
diff --git a/files/postfix/main.cf.releng01 b/roles/base/files/postfix/main.cf.releng01
index df11bedf8..df11bedf8 100644
--- a/files/postfix/main.cf.releng01
+++ b/roles/base/files/postfix/main.cf.releng01
diff --git a/files/postfix/main.cf.releng02 b/roles/base/files/postfix/main.cf.releng02
index df11bedf8..df11bedf8 100644
--- a/files/postfix/main.cf.releng02
+++ b/roles/base/files/postfix/main.cf.releng02
diff --git a/files/postfix/main.cf.sign b/roles/base/files/postfix/main.cf.sign
index f3c260f73..f3c260f73 100644
--- a/files/postfix/main.cf.sign
+++ b/roles/base/files/postfix/main.cf.sign
diff --git a/files/resolv.conf/ibiblio b/roles/base/files/resolv.conf/ibiblio
index 0037972e3..0037972e3 100644
--- a/files/resolv.conf/ibiblio
+++ b/roles/base/files/resolv.conf/ibiblio
diff --git a/files/resolv.conf/kojibuilder b/roles/base/files/resolv.conf/kojibuilder
index 426f4cd7f..426f4cd7f 100644
--- a/files/resolv.conf/kojibuilder
+++ b/roles/base/files/resolv.conf/kojibuilder
diff --git a/files/resolv.conf/osuosl b/roles/base/files/resolv.conf/osuosl
index a9d4d8ce8..a9d4d8ce8 100644
--- a/files/resolv.conf/osuosl
+++ b/roles/base/files/resolv.conf/osuosl
diff --git a/files/resolv.conf/phx2 b/roles/base/files/resolv.conf/phx2
index 426f4cd7f..426f4cd7f 100644
--- a/files/resolv.conf/phx2
+++ b/roles/base/files/resolv.conf/phx2
diff --git a/files/resolv.conf/resolv.conf b/roles/base/files/resolv.conf/resolv.conf
index 02713fe7f..02713fe7f 100644
--- a/files/resolv.conf/resolv.conf
+++ b/roles/base/files/resolv.conf/resolv.conf
diff --git a/files/rsyslog/rsyslog.conf b/roles/base/files/rsyslog/rsyslog.conf
index a1d425816..a1d425816 100644
--- a/files/rsyslog/rsyslog.conf
+++ b/roles/base/files/rsyslog/rsyslog.conf
diff --git a/files/rsyslog/rsyslog.conf.kojibuilder b/roles/base/files/rsyslog/rsyslog.conf.kojibuilder
index 2c2852ddd..2c2852ddd 100644
--- a/files/rsyslog/rsyslog.conf.kojibuilder
+++ b/roles/base/files/rsyslog/rsyslog.conf.kojibuilder
diff --git a/files/rsyslog/rsyslog.conf.phx2 b/roles/base/files/rsyslog/rsyslog.conf.phx2
index a1d425816..a1d425816 100644
--- a/files/rsyslog/rsyslog.conf.phx2
+++ b/roles/base/files/rsyslog/rsyslog.conf.phx2
diff --git a/files/rsyslog/rsyslog.conf.releng b/roles/base/files/rsyslog/rsyslog.conf.releng
index 2c2852ddd..2c2852ddd 100644
--- a/files/rsyslog/rsyslog.conf.releng
+++ b/roles/base/files/rsyslog/rsyslog.conf.releng
diff --git a/files/ssh/sshd_config.19 b/roles/base/files/ssh/sshd_config.19
index 080de0d1c..080de0d1c 100644
--- a/files/ssh/sshd_config.19
+++ b/roles/base/files/ssh/sshd_config.19
diff --git a/files/ssh/sshd_config.20 b/roles/base/files/ssh/sshd_config.20
index 080de0d1c..080de0d1c 100644
--- a/files/ssh/sshd_config.20
+++ b/roles/base/files/ssh/sshd_config.20
diff --git a/files/ssh/sshd_config.arm-releng b/roles/base/files/ssh/sshd_config.arm-releng
index da5f79fcd..da5f79fcd 100644
--- a/files/ssh/sshd_config.arm-releng
+++ b/roles/base/files/ssh/sshd_config.arm-releng
diff --git a/files/ssh/sshd_config.el6 b/roles/base/files/ssh/sshd_config.el6
index 996c26257..996c26257 100644
--- a/files/ssh/sshd_config.el6
+++ b/roles/base/files/ssh/sshd_config.el6
diff --git a/files/ssh/sshd_config.f18 b/roles/base/files/ssh/sshd_config.f18
index 080de0d1c..080de0d1c 100644
--- a/files/ssh/sshd_config.f18
+++ b/roles/base/files/ssh/sshd_config.f18
diff --git a/files/ssh/sshd_config.f19 b/roles/base/files/ssh/sshd_config.f19
index 080de0d1c..080de0d1c 100644
--- a/files/ssh/sshd_config.f19
+++ b/roles/base/files/ssh/sshd_config.f19
diff --git a/files/ssh/sshd_config.kojibuilder b/roles/base/files/ssh/sshd_config.kojibuilder
index da5f79fcd..da5f79fcd 100644
--- a/files/ssh/sshd_config.kojibuilder
+++ b/roles/base/files/ssh/sshd_config.kojibuilder
diff --git a/files/ssh/sshd_config.releng b/roles/base/files/ssh/sshd_config.releng
index da5f79fcd..da5f79fcd 100644
--- a/files/ssh/sshd_config.releng
+++ b/roles/base/files/ssh/sshd_config.releng
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
new file mode 100644
index 000000000..818331b90
--- /dev/null
+++ b/roles/base/tasks/main.yml
@@ -0,0 +1,138 @@
+---
+
+#
+# This is the base role for all machines.
+# Things in here are things we want to do to every machine no matter what.
+#
+
+- name: sshd_config
+ copy: src={{ item }} dest=/etc/ssh/sshd_config mode=600
+ first_available_file:
+ - ${sshd_config}
+ - ssh/sshd_config.{{ ansible_fqdn }}
+ - ssh/sshd_config.{{ host_group }}
+ - ssh/sshd_config.{{ dist_tag }}
+ - ssh/sshd_config.{{ ansible_distribution }}
+ - ssh/sshd_config.{{ ansible_distribution_version }}
+ notify:
+ - restart sshd
+ tags:
+ - sshd_config
+ - config
+ - sshd
+
+- name: set root passwd
+ user: name=root password={{ rootpw }} state=present
+ tags:
+ - rootpw
+
+- name: add ansible root key
+ authorized_key: user=root key="{{ item }}"
+ with_file:
+ - ansible-pub-key
+ tags:
+ - config
+
+- name: make sure our resolv.conf is the one being used - set RESOLV_MODS=no in /etc/sysconfig/network
+ lineinfile: dest=/etc/sysconfig/network create=yes backup=yes state=present line='RESOLV_MODS=no' regexp=^RESOLV_MODS=
+ tags:
+ - config
+
+- name: global default packages to install
+ yum: state=installed name={{ item }}
+ with_items: global_pkgs_inst
+ tags:
+ - packages
+
+- name: dist pkgs to remove
+ yum: state=removed name={{ item }}
+ with_items: base_pkgs_erase
+ tags:
+ - packages
+
+- name: dist pkgs to install
+ yum: state=installed name={{ item }}
+ with_items: base_pkgs_inst
+ tags:
+ - packages
+
+- name: dist disabled services
+ service: state=stopped enabled=false name={{ item }}
+ with_items: service_disabled
+ tags:
+ - service
+ - config
+
+- name: dist enabled services
+ service: state=running enabled=true name={{ item }}
+ with_items: service_enabled
+ tags:
+ - service
+ - config
+
+- name: iptables
+ template: src={{ item }} dest=/etc/sysconfig/iptables mode=600 backup=yes
+ first_available_file:
+ - $iptables
+ - iptables/iptables.{{ ansible_fqdn }}
+ - iptables/iptables.{{ host_group }}
+ - iptables/iptables.{{ env }}
+ - iptables/iptables
+ notify:
+ - restart iptables
+ tags:
+ - iptables
+ - config
+
+# XXX fixme # a datacenter 'fact' from setup
+- name: /etc/resolv.conf
+ copy: src={{ item }} dest=/etc/resolv.conf
+ first_available_file:
+ - ${resolvconf}
+ - resolv.conf/{{ ansible_fqdn }}
+ - resolv.conf/{{ host_group }}
+ - resolv.conf/{{ datacenter }}
+ - resolv.conf/resolv.conf
+ tags:
+ - config
+ - resolvconf
+
+- name: rsyslog.conf
+ copy: src={{ item }} dest=/etc/rsyslog.conf mode=644
+ first_available_file:
+ - $rsyslogconf
+ - rsyslog/rsyslog.conf.{{ ansible_fqdn }}
+ - rsyslog/rsyslog.conf.{{ host_group }}
+ - rsyslog/rsyslog.conf.{{ datacenter }}
+ - rsyslog/rsyslog.conf
+
+ notify:
+ - restart rsyslog
+ tags:
+ - rsyslogd
+ - config
+
+- name: /etc/postfix/main.cf
+ copy: src={{ item }} dest=/etc/postfix/main.cf
+ first_available_file:
+ - $postfix_maincf
+ - postfix/main.cf.{{ ansible_fqdn }}
+ - postfix/main.cf.{{ host_group }}
+ - postfix/main.cf.{{ postfix_group }}
+ - postfix/main.cf
+ notify:
+ - restart postfix
+ tags:
+ - postfix
+ - config
+
+#
+# This task installs some common scripts to /usr/local/bin
+# scripts are under roles/base/files/common-scripts
+#
+
+- name: Install common scripts
+ copy: src=$item dest=/usr/local/bin/ owner=root group=root mode=0755
+ with_fileglob: common-scripts/*
+ tags:
+ - config
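Review bot: The `set root passwd` task passes `{{ rootpw }}` to the `user` module's `password=`, which expects an already-crypted hash and writes the value to the account's shadow entry as given, so a plaintext value would silently produce an unusable password; nothing here documents that requirement. Suggest a comment above the task: `# rootpw must be a pre-hashed (crypt) value from the private vars; the user module stores it verbatim`. The file also mixes the old `$var` form with `{{ var }}`: `src=$item` in the common-scripts task and `$iptables`, `$rsyslogconf`, `$postfix_maincf`, `${sshd_config}`, `${resolvconf}` in the first_available_file lists, which the commit message's syntax cleanup presumably meant to unify — `copy: src={{ item }} dest=/usr/local/bin/ owner=root group=root mode=0755` for the last task. Finally, the `/etc/resolv.conf` and `/etc/postfix/main.cf` copy tasks set no `mode` while sshd_config and rsyslog.conf do, so their resulting permissions presumably depend on whatever the destination already had; an explicit `mode=644` on both would make the role deterministic on fresh hosts.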
diff --git a/roles/base/templates/iptables/iptables b/roles/base/templates/iptables/iptables
new file mode 100644
index 000000000..78b74c809
--- /dev/null
+++ b/roles/base/templates/iptables/iptables
@@ -0,0 +1,52 @@
+# {{ ansible_managed }}
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# allow ping and traceroute
+-A INPUT -p icmp -j ACCEPT
+
+# localhost is fine
+-A INPUT -i lo -j ACCEPT
+
+# Established connections allowed
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# allow ssh - always
+-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
+
+# for fireball mode - allow port 5099 from lockbox and it's ips
+-A INPUT -p tcp -m tcp --dport 5099 -s 192.168.1.58 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5099 -s 10.5.126.23 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5099 -s 10.5.127.51 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5099 -s 209.132.181.6 -j ACCEPT
+
+# for nrpe - allow it from nocs
+-A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
+# FIXME - this is the global nat-ip and we need the noc01-specific ip
+-A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
+
+
+# if the host/group defines incoming tcp_ports - allow them
+{% for port in tcp_ports %}
+-A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
+{% endfor %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% for port in udp_ports %}
+-A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
+{% endfor %}
+
+# if there are custom rules - put them in as-is
+{% for rule in custom_rules %}
+{{ rule }}
+{% endfor %}
+
+# otherwise kick everything out
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
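Review bot: The comment `# allow ping and traceroute` understates what `-A INPUT -p icmp -j ACCEPT` does — it accepts every ICMP type, not just echo and time-exceeded — so a reader auditing this default fleet-wide policy should see `# allow all ICMP (ping, traceroute, path-MTU discovery)` instead. The ssh rule uses `-m conntrack --ctstate NEW` while the established-connections rules use `-m state`; both work, but one match extension throughout would read more consistently. The nrpe FIXME about the global NAT address is carried over unchanged and now applies to every machine that takes the base role, which is worth calling out in the comment. The visible part of iptables.staging repeats this same body, so any fix here needs to be mirrored there.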
diff --git a/roles/base/templates/iptables/iptables.sign b/roles/base/templates/iptables/iptables.sign
new file mode 100644
index 000000000..f213e8855
--- /dev/null
+++ b/roles/base/templates/iptables/iptables.sign
@@ -0,0 +1,14 @@
+# {{ ansible_managed }}
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+# Allow connections from client/server
+-A INPUT -p tcp -m tcp --dport 44333:44334 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
+
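Review bot: The `--dport 44333:44334` accept rule has no `-s` restriction, so although the comment says it is for the client/server pair, any host that can route to the signing machine can open a connection to those ports; for a signing host the rule should be pinned to the peer addresses, one `-A INPUT -p tcp -m tcp --dport 44333:44334 -s PEER -j ACCEPT` line per peer, the way the base template pins NRPE and port 5099. I cannot tell from the hunk what the peer addresses are. This file also has no port-22 rule and does not render `tcp_ports`/`udp_ports`/`custom_rules`; if both are deliberate for the sign hosts, a comment such as `# no ssh and no group port lists on purpose: sign hosts are managed out of band` would stop someone "fixing" it later.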
diff --git a/roles/base/templates/iptables/iptables.staging b/roles/base/templates/iptables/iptables.staging
new file mode 100644
index 000000000..8ead9b6d8
--- /dev/null
+++ b/roles/base/templates/iptables/iptables.staging
@@ -0,0 +1,64 @@
+# {{ ansible_managed }}
+*nat
+:PREROUTING ACCEPT []
+:POSTROUTING ACCEPT []
+:OUTPUT ACCEPT []
+
+# Redirect staging attempts to talk to the external proxy to an internal ip.
+# This is primarily for openid in staging which needs to get around proxy
+# redirects.
+-A OUTPUT -d 209.132.181.14 -j DNAT --to-destination 10.5.126.89
+
+COMMIT
+
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# allow ping and traceroute
+-A INPUT -p icmp -j ACCEPT
+
+# localhost is fine
+-A INPUT -i lo -j ACCEPT
+
+# Established connections allowed
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# allow ssh - always
+-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
+
+# for fireball mode - allow port 5099 from lockbox and it's ips
+-A INPUT -p tcp -m tcp --dport 5099 -s 192.168.1.58 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5099 -s 10.5.126.23 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5099 -s 10.5.127.51 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5099 -s 209.132.181.6 -j ACCEPT
+
+# for nrpe - allow it from nocs
+-A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
+# FIXME - this is the global nat-ip and we need the noc01-specific ip
+-A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
+
+
+# if the host/group defines incoming tcp_ports - allow them
+{% for port in tcp_ports %}
+-A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
+{% endfor %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% for port in udp_ports %}
+-A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
+{% endfor %}
+
+# if there are custom rules - put them in as-is
+{% for rule in custom_rules %}
+{{ rule }}
+{% endfor %}
+
+# otherwise kick everything out
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
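Review bot: The nat OUTPUT DNAT on the `-A OUTPUT -d 209.132.181.14` line matches every protocol and port, so all traffic from a staging host to that address, not just the openid HTTP(S) traffic the comment describes, is silently rerouted to 10.5.126.89; scoping it as `-A OUTPUT -d 209.132.181.14 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.5.126.89` keeps the redirect to what the comment claims. The nat chain policy lines use `[]` where the filter table and the base template use `[0:0]`; iptables-restore parses the policy counters as `[packets:bytes]`, and I am not certain every version accepts the empty form, so `[0:0]` is the safer spelling. The filter section from `*filter` to `COMMIT` is a verbatim copy of the base template, so any future change to the base rules has to be made twice; if the template search path permits, `{% include "iptables" %}` after the nat table would remove the duplication.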
diff --git a/tasks/base.yml b/tasks/base.yml
deleted file mode 100644
index 6f06eba63..000000000
--- a/tasks/base.yml
+++ /dev/null
@@ -1,134 +0,0 @@
----
-
-- name: sshd_config
- copy: src={{ item }} dest=/etc/ssh/sshd_config mode=600
- first_available_file:
- - ${sshd_config}
- - ${files}/ssh/sshd_config.{{ ansible_fqdn }}
- - ${files}/ssh/sshd_config.{{ host_group }}
- - ${files}/ssh/sshd_config.{{ dist_tag }}
- - ${files}/ssh/sshd_config.{{ ansible_distribution }}
- - ${files}/ssh/sshd_config.{{ ansible_distribution_version }}
- notify:
- - restart sshd
- tags:
- - sshd_config
- - config
- - sshd
-
-- name: set root passwd
- action: user name=root password={{ rootpw }} state=present
- tags:
- - rootpw
-
-- name: add ansible root key
- action: authorized_key user=root key="{{ item }}"
- with_file:
- - ${files}/common/ansible-pub-key
- tags:
- - config
-
-- name: make sure our resolv.conf is the one being used - set RESOLV_MODS=no in /etc/sysconfig/network
- lineinfile: dest=/etc/sysconfig/network create=yes backup=yes state=present line='RESOLV_MODS=no' regexp=^RESOLV_MODS=
- tags:
- - config
-
-- name: global default packages to install
- action: yum state=installed name=$item
- with_items: $global_pkgs_inst
- tags:
- - packages
-
-- name: dist pkgs to remove
- action: yum state=removed name=$item
- with_items: $base_pkgs_erase
- tags:
- - packages
-
-- name: dist pkgs to install
- action: yum state=installed name=$item
- with_items: $base_pkgs_inst
- tags:
- - packages
-
-- name: dist disabled services
- action: service state=stopped enabled=false name=$item
- with_items: $service_disabled
- tags:
- - service
- - config
-
-- name: dist enabled services
- action: service state=running enabled=true name=$item
- with_items: $service_enabled
- tags:
- - service
- - config
-
-
-- name: iptables
- action: template src=$item dest=/etc/sysconfig/iptables mode=600 backup=yes
- first_available_file:
- - $iptables
- - $files/iptables/iptables.${ansible_fqdn}
- - $files/iptables/iptables.${host_group}
- - $files/iptables/iptables.${env}
- - $files/iptables/iptables
- notify:
- - restart iptables
- tags:
- - iptables
- - config
-
-# XXX fixme # a datacenter 'fact' from setup
-- name: /etc/resolv.conf
- action: copy src=$item dest=/etc/resolv.conf
- first_available_file:
- - ${resolvconf}
- - $files/resolv.conf/${ansible_fqdn}
- - $files/resolv.conf/${host_group}
- - $files/resolv.conf/${datacenter}
- - $files/resolv.conf/resolv.conf
- tags:
- - config
- - resolvconf
-
-- name: rsyslog.conf
- action: copy src=$item dest=/etc/rsyslog.conf mode=644
- first_available_file:
- - $rsyslogconf
- - $files/rsyslog/rsyslog.conf.${ansible_fqdn}
- - $files/rsyslog/rsyslog.conf.${host_group}
- - $files/rsyslog/rsyslog.conf.${datacenter}
- - $files/rsyslog/rsyslog.conf
-
- notify:
- - restart rsyslog
- tags:
- - rsyslogd
- - config
-
-- name: /etc/postfix/main.cf
- action: copy src=$item dest=/etc/postfix/main.cf
- first_available_file:
- - $postfix_maincf
- - $files/postfix/main.cf.${ansible_fqdn}
- - $files/postfix/main.cf.${host_group}
- - $files/postfix/main.cf.${postfix_group}
- - $files/postfix/main.cf
- notify:
- - restart postfix
- tags:
- - postfix
- - config
-
-#
-# This task installs some common scripts to /usr/local/bin
-# scripts are under $files/common-scripts
-#
-
-- name: Install common scripts
- action: copy src=$item dest=/usr/local/bin/ owner=root group=root mode=0755
- with_fileglob: $files/common-scripts/*
- tags:
- - config