More alma changes and network fixes

2025-07-09 23:08:07 -06:00 · 2025-07-09 23:08:07 -06:00 · b842a316a8
commit b842a316a8
parent 769f2a62b4
21 changed files with 224 additions and 89 deletions
--- a/inventory/group_vars/all.yml
+++ b/inventory/group_vars/all.yml
@ -48,5 +48,17 @@ nfs_mounts:
  - { src: "nas:/mnt/ALEXANDRIA/school", path: "/mnt/school", opts: "defaults,nfsvers=4" }
  - { src: "nas:/mnt/ALEXANDRIA/os-images", path: "/mnt/os-images", opts: "defaults,nfsvers=4" }

-provision_mgmt_ip: 10.69.1.102
-provision_hostname: prod2
+provision_core_ip4: "10.133.7.202/22"
+provision_core_ip4_no_subnet: "10.133.7.202"
+core_net: 10.133.4.0
+core_gw4: 10.133.7.1
+
+provision_mgmt_ip4: "10.69.1.202/22"
+mgmt_net: 10.69.0.0
+mgmt_gw4: 10.69.0.1
+
+provision_dmz_ip4: "10.66.6.202/22"
+dmz_net: 10.66.6.0
+dmz_gw4: 10.66.6.1
+
+provision_hostname: prod2
--- a/inventory/hosts.yml
+++ b/inventory/hosts.yml
@ -18,4 +18,6 @@ all:
        school:
          ansible_host: school
        staging-vm:
-          ansible_host: 10.133.7.243
+          ansible_host: 10.133.7.224
+          # ansible_ssh_common_args: '-o PubkeyAuthentication=no -o PreferredAuthentications=password'
+          # ansible_ssh_private_key_file: /home/xbazzi/ansible_ed25519
--- a/playbooks/provision-alma.yml
+++ b/playbooks/provision-alma.yml
@ -4,9 +4,10 @@
  become: yes
  roles:
    - role: server/users
+    - role: server/sshkey
    - role: provision/alma/common
-    - role: provision/alma/network
-    - role: provision/alma/firewall
+    - role: server/network
+    - role: server/firewall
    - role: provision/alma/nfs
    - role: docker/install
    - role: server/reboot
--- a/playbooks/sysprep-alma.yml
+++ b/playbooks/sysprep-alma.yml
@ -2,12 +2,8 @@
  hosts: staging-vm
  become: yes
  roles:
-    - role: provision/alma/sysprep
-  tasks:
-    - name: Reboot machine and send a message
-      ansible.builtin.reboot:
-        msg: "Going down in 5..."
-    # - name: Shutdown the machine for templating
-    #   community.general.shutdown:
-    #     msg: "I must go now..."
-    #     delay: 5
+    - role: server/users
+    - role: server/sysprep
+    - role: server/sshkey
+    - role: server/network
+    - role: server/reboot
--- a/roles/docker/install/tasks/main.yml
+++ b/roles/docker/install/tasks/main.yml
@ -3,28 +3,38 @@
  ansible.builtin.dnf:
    name: 
      - dnf-plugins-core
+    state: present
+# - name: Install plugins-core to manage DNF repos
+#   ansible.builtin.command: dnf -y install dnf-plugins-core

 - name: Add Docker repo
  ansible.builtin.command: dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
+  register: hello
+
+- name: Verify Docker repo added
+  ansible.builtin.debug: 
+    var: docker_repo.stdout_lines

 - name: Install Docker Engine
  ansible.builtin.dnf:
    name: 
-      - install 
      - docker-ce 
      - docker-ce-cli 
      - containerd.io 
      - docker-buildx-plugin 
      - docker-compose-plugin
+    state: present

 - name: Enable and start Docker Engine
  ansible.builtin.systemd_service:
+    name: docker
    state: started
    enabled: true

 - name: Verify with Hello World
  ansible.builtin.command: docker run hello-world
-  register: docker_out
+  register: docker_hello

- ansible.builtin.debug:
-  var: docker_out
+- name: Test
+  ansible.builtin.debug:
+    var: docker_hello.stdout_lines
--- a/roles/provision/alma/firewall/tasks/main.yml
+++ b/roles/provision/alma/firewall/tasks/main.yml
@ -1,22 +0,0 @@
---
- name: Enable and start firewalld
-  ansible.builtin.systemd:
-    name: firewalld
-    enabled: yes
-    state: started
-
- name: Set internal to default
-  ansible.builtin.command: firewall-cmd --set-default-zone=internal
-
- name: Remove ens18 from public
-  ansible.builtin.command: firewall-cmd --zone=public --remove-interface=ens18 --permanent
-  
- name: Assign interface ens18 to "internal" zone
-  ansible.posix.firewalld:
-    interface: ens18
-    zone: internal
-    state: enabled
-    permanent: true
-
- name: Reload firewalld to apply changes
-  ansible.builtin.command: firewall-cmd --reload
--- a/roles/provision/alma/network/tasks/main.yml
+++ b/roles/provision/alma/network/tasks/main.yml
@ -1,20 +0,0 @@
---
- name: Set up MGMT interface manually
-  nmcli:
-    conn_name: mgmt
-    ip4: "{{ provision_mgmt_ip }}"
-    method4: "manual"
-    ifname: ens19
-    dns4_search: lan.xbazzi.com
-    type: ethernet
-    state: present
-
- name: Remove ens18 default connection
-  nmcli:
-    conn_name: ens18
-    state: absent
-
- name: Remove ens19 default connection
-  nmcli:
-    conn_name: Wired connection 1
-    state: absent
--- a/roles/provision/alma/firewall/defaults/main.yml
+++ b/roles/provision/alma/firewall/defaults/main.yml
--- a/roles/provision/alma/firewall/handlers/main.yml
+++ b/roles/provision/alma/firewall/handlers/main.yml
--- a/roles/server/firewall/tasks/main.yml
+++ b/roles/server/firewall/tasks/main.yml
@ -0,0 +1,43 @@
+---
+- name: Enable and start firewalld
+  ansible.builtin.systemd:
+    name: firewalld
+    enabled: yes
+    state: started
+
+- name: Assign interface ens18 to core zone
+  ansible.posix.firewalld:
+    interface: ens18
+    zone: core
+    state: enabled
+    permanent: true
+
+- name: Assign interface ens19 to mgmt zone
+  ansible.posix.firewalld:
+    interface: ens19
+    zone: mgmt
+    state: enabled
+    permanent: true
+
+- name: Assign interface ens20 to dmz zone
+  ansible.posix.firewalld:
+    interface: ens20
+    zone: dmz
+    state: enabled
+    permanent: true
+
+- name: Set core to default
+  ansible.builtin.command: firewall-cmd --set-default-zone=core --permanent
+
+- name: Remove ens18 from public
+  ansible.builtin.command: firewall-cmd --zone=public --remove-interface=ens18 --permanent
+  
+- name: Assign interface ens18 to "internal" zone
+  ansible.posix.firewalld:
+    interface: ens18
+    zone: internal
+    state: enabled
+    permanent: true
+
+- name: Reload firewalld to apply changes
+  ansible.builtin.command: firewall-cmd --reload
--- a/roles/provision/alma/firewall/templates/main.yml
+++ b/roles/provision/alma/firewall/templates/main.yml
--- a/roles/provision/alma/network/defaults/main.yml
+++ b/roles/provision/alma/network/defaults/main.yml
--- a/roles/provision/alma/network/handlers/main.yml
+++ b/roles/provision/alma/network/handlers/main.yml
--- a/roles/server/network/tasks/main.yml
+++ b/roles/server/network/tasks/main.yml
@ -0,0 +1,130 @@
+---
+- name: Enable and start firewalld
+  ansible.builtin.systemd:
+    name: firewalld
+    enabled: yes
+    state: started
+
+- name: Enable and start NetworkManager
+  ansible.builtin.systemd:
+    name: NetworkManager
+    enabled: yes
+    state: started
+
+- name: Check existing zones
+  ansible.builtin.command: firewall-cmd --get-zones
+  register: firewalld_zones
+
+- name: Debug output
+  ansible.builtin.debug:
+    var: firewalld_zones.stdout
+
+# - name: Create zone "core"
+#   ansible.builtin.command: firewall-cmd --permanent --new-zone="{{ item }}"
+#   loop: ["core", "mgmt"]
+#   # loop: "{{  firewalld_zones.stdout | split }}"
+#   when: item in firewalld_zones.stdout.split()
+  # (item  != "core" and
+  #       item != "dmz")
+
+- name: Create firewalld core zone
+  ansible.posix.firewalld:
+    zone: core
+    state: present
+    permanent: true
+
+- name: Create firewalld mgmt zone
+  ansible.posix.firewalld:
+    zone: mgmt
+    state: present
+    permanent: true
+
+- name: Create firewalld dmz zone
+  ansible.posix.firewalld:
+    zone: dmz
+    state: present
+    permanent: true
+
+- name: Reload firewalld to apply changes
+  ansible.builtin.command: firewall-cmd --reload
+
+- name: Enable ssh rule in core for initial ansible config
+  ansible.posix.firewalld:
+    zone: core
+    service: ssh
+    state: enabled
+    permanent: true
+
+# - name: Ensure all other zones are disabled
+#   ansible.posix.firewalld:
+#     zone: "{{ item }}"
+#     state: disabled
+#     permanent: true
+#   when: item not in zones
+#   loop: "{{ firewalld_zones.stdout | split }}"
+    
+- name: Set up CORE interface manually
+  nmcli:
+    conn_name: CORE
+    zone: core
+    type: ethernet
+    ip4: "{{ provision_core_ip4 }}"
+    gw4: "{{ core_gw4 }}"
+    dns4: "{{ core_gw4 }}"
+    method4: "manual"
+    ifname: ens18
+    dns4_search: lan.xbazzi.com
+    state: present
+  delegate_to: "{{ provision_core_ip4_no_subnet }}"
+
+- name: Set up mgmt interface manually
+  nmcli:
+    conn_name: MGMT
+    zone: mgmt
+    type: ethernet
+    ip4: "{{ provision_mgmt_ip4 }}"
+    routes4: "0.0.0.0/0 {{ mgmt_gw4 }}"
+    routing_rules4:
+      - "priority 2 from {{ mgmt_net }} table 200"
+    route_metric4: 102
+    dns4: "{{ mgmt_gw4 }}"
+    method4: "manual"
+    ifname: "ens19"
+    dns4_search: "lan.xbazzi.com"
+    state: present
+
+- name: Set up dmz interface manually
+  nmcli:
+    conn_name: DMZ
+    zone: dmz
+    type: ethernet
+    ip4: "{{ provision_dmz_ip4 }}"
+    routes4: "0.0.0.0/0 {{ dmz_gw4 }}"
+    routing_rules4:
+      - "priority 3 from {{ dmz_net }} table 300"
+    route_metric4: 103
+    dns4: "{{ dmz_gw4 }}"
+    method4: "manual"
+    ifname: "ens20"
+    dns4_search: "lan.xbazzi.com"
+    state: present
+
+- name: Remove ens18 default connection
+  nmcli:
+    conn_name: ens18
+    state: absent
+
+- name: Remove ens19 default connection
+  nmcli:
+    conn_name: ens19
+    state: absent
+
+- name: Remove ens20 default connection
+  nmcli:
+    conn_name: ens20
+    state: absent
+
+- name: Remove "Wired connection 1"
+  nmcli:
+    conn_name: Wired connection 1
+    state: absent
--- a/roles/provision/alma/network/templates/ifcfg-template.j2
+++ b/roles/provision/alma/network/templates/ifcfg-template.j2
--- a/roles/provision/alma/network/templates/main.yml
+++ b/roles/provision/alma/network/templates/main.yml
--- a/roles/server/sshkey/tasks/main.yml
+++ b/roles/server/sshkey/tasks/main.yml
@ -1,6 +1,6 @@
 ---
- name: Add SSH key for remote user
+- name: Add ansible user SSH public key
  ansible.posix.authorized_key:
-    user: javi
-    state: present
-    key: "{{ lookup('file', '/home/javi/.ssh/homelab_keypair_ed25519.pub') }}"
+    user: ansible
+    key: "{{ lookup('file', '/home/xbazzi/.ssh/ansible_ed25519.pub') }}"
+    state: present
--- a/roles/provision/alma/sysprep/defaults/main.yml
+++ b/roles/provision/alma/sysprep/defaults/main.yml
--- a/roles/provision/alma/sysprep/handlers/main.yml
+++ b/roles/provision/alma/sysprep/handlers/main.yml
--- a/roles/provision/alma/sysprep/tasks/main.yml
+++ b/roles/provision/alma/sysprep/tasks/main.yml
@ -1,12 +1,4 @@
 ---
- name: Set up initial CORE interface with DHCP
-  community.general.nmcli:
-    conn_name: core
-    method4: "auto"
-    ifname: ens18
-    type: ethernet
-    state: present
-
 - name: Set hostname to generic localhost
  ansible.builtin.hostname:
    name: localhost.localdomain
@ -26,14 +18,14 @@
    regexp: '^::1\s+localhost'
    state: absent

- name: Remove xbazzi user
-  ansible.builtin.user:
-    name: xbazzi
-    state: absent
-    remove: true
+# - name: Remove xbazzi user
+#   ansible.builtin.user:
+#     name: xbazzi
+#     state: absent
+#     remove: true

- name: Truncate machine-id
-  ansible.builtin.command: truncate -s 0 /etc/machine-id
+# - name: Truncate machine-id
+#   ansible.builtin.command: truncate -s 0 /etc/machine-id

 - name: Remove DBus machine-id if exists
  ansible.builtin.file:
@ -86,7 +78,6 @@

 - name: Find all SSH keys
  ansible.builtin.find:
-    # path: "{{ item }}"
    paths:
      - /etc/ssh
      - /home/
@ -113,18 +104,10 @@
  loop: "{{ ssh_files.files }}"
  # loop: "{{ ssh_keys.results | map(attribute='files') | flatten }}"

- name: Add ansible user SSH public key
-  ansible.builtin.copy:
-    dest: /home/ansible/.ssh/authorized_keys
-    content: "{{ lookup('file', '~/.ssh/lan_id_ed25519.pub') }}"
-    mode: '0600'
-    owner: "ansible"
-    group: "ansible"
-
 - name: Sync changes to disk
  ansible.builtin.command: sync

- name: Remove old local SSH known_hosts entry
+- name: Remove old local SSH known_hosts entry (necessary to avoid fingerprint warning)
  become_user: xbazzi
  local_action: 
    module: command
--- a/roles/provision/alma/sysprep/templates/main.yml
+++ b/roles/provision/alma/sysprep/templates/main.yml