Beef-up provisioning of AlmaLinux and add Docker

inventory/group_vars/all.yml

@@ -35,7 +35,7 @@ iscsi_target_iqn: iqn.2005-10.org.freenas.ctl:pve-iscsi
 # Alma new VM provisioning
 # hostname: "prod3"
 timezone: "America/Denver"
-staging_ip: "10.133.7.240"
+# staging_ip: "10.133.7.240"
 # network_config:
 #   interface: "ens18"
 #   address: "{{ staging_host }}"
@@ -43,5 +43,10 @@ staging_ip: "10.133.7.240"
 #   gateway: "10.133.7.1"
 #   dns:  ["10.133.7.1"]
 
-# nfs_mounts:
-#   - { src: "nas:/mnt/media", path: "/mnt/media", opts: "defaults,nfsvers=4" }
+nfs_mounts:
+  - { src: "nas:/mnt/ALEXANDRIA/media", path: "/mnt/media", opts: "defaults,nfsvers=4" }
+  - { src: "nas:/mnt/ALEXANDRIA/school", path: "/mnt/school", opts: "defaults,nfsvers=4" }
+  - { src: "nas:/mnt/ALEXANDRIA/os-images", path: "/mnt/os-images", opts: "defaults,nfsvers=4" }
+
+provision_mgmt_ip: 10.69.1.102
+provision_hostname: prod2

inventory/hosts.yml

@@ -18,4 +18,4 @@ all:
         school:
           ansible_host: school
         staging-vm:
-          ansible_host: 10.133.7.240
+          ansible_host: 10.133.7.243

playbooks/apply-firewalld.yml

@@ -0,0 +1,5 @@
+- name: Apply firewalld config
+  hosts: staging-vm
+  become: yes
+  roles:
+    - role: provision/alma/firewall

playbooks/provision-alma.yml

@@ -1,8 +1,12 @@
-- name: Provision AlmaLinux 10 VM
-  hosts: new-vm
+---
+- name: Provision AlmaLinux 9 VM
+  hosts: staging-vm
   become: yes
   roles:
+    - role: server/users
     - role: provision/alma/common
-    # - role: provision/alma/network
-    # - role: provision/alma/nfs
-    # - role: provision/alma/docker
+    - role: provision/alma/network
+    - role: provision/alma/firewall
+    - role: provision/alma/nfs
+    - role: docker/install
+    - role: server/reboot

playbooks/sysprep-alma.yml

@@ -2,4 +2,12 @@
   hosts: staging-vm
   become: yes
   roles:
-    - role: provision/alma/sysprep
+    - role: provision/alma/sysprep
+  tasks:
+    - name: Reboot machine and send a message
+      ansible.builtin.reboot:
+        msg: "Going down in 5..."
+    # - name: Shutdown the machine for templating
+    #   community.general.shutdown:
+    #     msg: "I must go now..."
+    #     delay: 5

roles/docker/install/tasks/main.yml

@@ -1,45 +1,30 @@
 ---
-- name: Update apt cache
-  ansible.builtin.apt:
-    update_cache: yes
+- name: Install plugins-core to manage DNF repos
+  ansible.builtin.dnf:
+    name: 
+      - dnf-plugins-core
 
-- name: Install prerequisite packages
-  ansible.builtin.apt:
-    name:
-    - ca-certificates
-    - curl
-    state: present
+- name: Add Docker repo
+  ansible.builtin.command: dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
 
-- name: Create apt keyrings directory
-  ansible.builtin.file:
-    path: /etc/apt/keyrings
-    state: directory
-    mode: '0755'
+- name: Install Docker Engine
+  ansible.builtin.dnf:
+    name: 
+      - install 
+      - docker-ce 
+      - docker-ce-cli 
+      - containerd.io 
+      - docker-buildx-plugin 
+      - docker-compose-plugin
 
-- name: Download Docker GPG key
-  ansible.builtin.get_url:
-    url: "https://download.docker.com/linux/ubuntu/gpg"
-    dest: /etc/apt/keyrings/docker.asc
-    mode: '0644'
+- name: Enable and start Docker Engine
+  ansible.builtin.systemd_service:
+    state: started
+    enabled: true
 
-- name: Add Docker apt repository
-  ansible.builtin.apt_repository:
-    repo: "deb [arch={{ docker_arch }} signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
-    filename: docker
-    state: present
-  vars:
-    docker_arch: "{{ ansible_architecture | regex_replace('x86_64', 'amd64') }}"
+- name: Verify with Hello World
+  ansible.builtin.command: docker run hello-world
+  register: docker_out
 
-- name: Update apt cache after adding Docker repository
-  ansible.builtin.apt:
-    update_cache: true
-
-- name: Install Docker packages
-  ansible.builtin.apt:
-    name:
-    - docker-ce
-    - docker-ce-cli
-    - containerd.io
-    - docker-buildx-plugin
-    - docker-compose-plugin
-    state: present
+- ansible.builtin.debug:
+  var: docker_out

roles/docker/install/tasks/main2.yml

@@ -0,0 +1,45 @@
+---
+- name: Update apt cache
+  ansible.builtin.apt:
+    update_cache: yes
+
+- name: Install prerequisite packages
+  ansible.builtin.apt:
+    name:
+    - ca-certificates
+    - curl
+    state: present
+
+- name: Create apt keyrings directory
+  ansible.builtin.file:
+    path: /etc/apt/keyrings
+    state: directory
+    mode: '0755'
+
+- name: Download Docker GPG key
+  ansible.builtin.get_url:
+    url: "https://download.docker.com/linux/ubuntu/gpg"
+    dest: /etc/apt/keyrings/docker.asc
+    mode: '0644'
+
+- name: Add Docker apt repository
+  ansible.builtin.apt_repository:
+    repo: "deb [arch={{ docker_arch }} signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
+    filename: docker
+    state: present
+  vars:
+    docker_arch: "{{ ansible_architecture | regex_replace('x86_64', 'amd64') }}"
+
+- name: Update apt cache after adding Docker repository
+  ansible.builtin.apt:
+    update_cache: true
+
+- name: Install Docker packages
+  ansible.builtin.apt:
+    name:
+    - docker-ce
+    - docker-ce-cli
+    - containerd.io
+    - docker-buildx-plugin
+    - docker-compose-plugin
+    state: present

roles/docker/remove/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+- name: Remove old docker stuff 
+  ansible.builtin.dnf:
+    name: 
+      - docker
+      - docker-client
+      - docker-client-latest 
+      - docker-common 
+      - docker-latest 
+      - docker-latest-logrotate 
+      - docker-logrotate 
+      - docker-engine
+    state: absent

roles/provision/alma/common/tasks/main.yml

@@ -4,9 +4,10 @@
   register: output
   changed_when: output.rc != 0
 
-# - name: Set hostname
-#   ansible.builtin.hostname:
-#     name: "{{ hostname }}"
+- name: Set hostname
+  ansible.builtin.hostname:
+    name: "{{ provision_hostname }}"
+    use: systemd
 
 - name: Upgrade all packages
   ansible.builtin.dnf:

roles/provision/alma/firewall/tasks/main.yml

@@ -1,5 +1,22 @@
+---
 - name: Enable and start firewalld
-  ansible.builtin.service:
+  ansible.builtin.systemd:
     name: firewalld
     enabled: yes
     state: started
+
+- name: Set internal to default
+  ansible.builtin.command: firewall-cmd --set-default-zone=internal
+
+- name: Remove ens18 from public
+  ansible.builtin.command: firewall-cmd --zone=public --remove-interface=ens18 --permanent
+  
+- name: Assign interface ens18 to "internal" zone
+  ansible.posix.firewalld:
+    interface: ens18
+    zone: internal
+    state: enabled
+    permanent: true
+
+- name: Reload firewalld to apply changes
+  ansible.builtin.command: firewall-cmd --reload

roles/provision/alma/network/tasks/main.yml

@@ -1,15 +1,20 @@
-- name: Configure static network
-  ansible.builtin.template:
-    src: ifcfg-template.j2
-    dest: "/etc/sysconfig/network-scripts/ifcfg-{{ network_config.interface }}"
-  # notify: Restart network
+---
+- name: Set up MGMT interface manually
+  nmcli:
+    conn_name: mgmt
+    ip4: "{{ provision_mgmt_ip }}"
+    method4: "manual"
+    ifname: ens19
+    dns4_search: lan.xbazzi.com
+    type: ethernet
+    state: present
 
-# - name: Ensure NetworkManager is enabled
-#   ansible.builtin.service:
-#     name: NetworkManager
-#     enabled: true
-#     state: restarted
+- name: Remove ens18 default connection
+  nmcli:
+    conn_name: ens18
+    state: absent
 
-  # handlers:
-  #   - name: Restart network
-  #     command: nmcli connection reload
+- name: Remove ens19 default connection
+  nmcli:
+    conn_name: Wired connection 1
+    state: absent

roles/provision/alma/nfs/tasks/main.yml

@@ -1,3 +1,4 @@
+---
 - name: Install NFS client
   ansible.builtin.dnf:
     name: nfs-utils
@@ -7,8 +8,8 @@
   ansible.builtin.file:
     path: "{{ item.path }}"
     state: directory
-    owner: root
-    group: root
+    owner: nfsuser
+    group: nfsuser
     mode: '0755'
   loop: "{{ nfs_mounts }}"
 

roles/provision/alma/sysprep/tasks/main.yml

@@ -124,14 +124,9 @@
 - name: Sync changes to disk
   ansible.builtin.command: sync
 
-- name: Shutdown the machine for templating
-  community.general.shutdown:
-    delay: 5
-
 - name: Remove old local SSH known_hosts entry
   become_user: xbazzi
   local_action: 
     module: command
     args:
       cmd: ssh-keygen -R "{{ hostvars['staging-vm'].ansible_host }}"
-

roles/server/reboot/tasks/main.yml

@@ -0,0 +1,4 @@
+---
+  - name: Reboot machine and send a message
+    ansible.builtin.reboot:
+      msg: "Going down in 5..."

roles/server/users/tasks/main.yml

@@ -0,0 +1,46 @@
+---
+- name: Add xbazzi group
+  ansible.builtin.group:
+    name: xbazzi
+    state: present
+    gid: 1337
+
+- name: Add xbazzi user
+  ansible.builtin.user:
+    name: xbazzi
+    create_home: true
+    shell: /bin/bash
+    groups: wheel,xbazzi
+    state: present
+    uid: 1337
+
+
+# - name: Add ansible group
+#   ansible.builtin.group:
+#     name: ansible
+#     state: present
+#     gid: 1001
+
+# - name: Add ansible user
+#   ansible.builtin.user:
+#     name: ansible
+#     create_home: true
+#     shell: /bin/bash
+#     groups: wheel,ansible
+#     state: present
+#     uid: 1001
+
+- name: Add nfsuser group
+  ansible.builtin.group:
+    name: nfsuser
+    state: present
+    gid: 3005
+
+- name: Add nfsuser user
+  ansible.builtin.user:
+    name: nfsuser
+    create_home: true
+    shell: /bin/bash
+    groups: wheel
+    state: present
+    uid: 3005