From b842a316a83ff0b41940e9a2bf33250bc22b9966 Mon Sep 17 00:00:00 2001 
From: xbazzi Date: Wed, 9 Jul 2025 23:08:07 -0600 Subject: [PATCH] More alma changes and network fixes --- inventory/group_vars/all.yml | 16 ++- inventory/hosts.yml | 4 +- playbooks/provision-alma.yml | 5 +- playbooks/sysprep-alma.yml | 14 +- roles/docker/install/tasks/main.yml | 18 ++- roles/provision/alma/firewall/tasks/main.yml | 22 --- roles/provision/alma/network/tasks/main.yml | 20 --- .../firewall/defaults/main.yml | 0 .../firewall/handlers/main.yml | 0 roles/server/firewall/tasks/main.yml | 43 ++++++ .../firewall/templates/main.yml | 0 .../alma => server}/network/defaults/main.yml | 0 .../alma => server}/network/handlers/main.yml | 0 roles/server/network/tasks/main.yml | 130 ++++++++++++++++++ .../network/templates/ifcfg-template.j2 | 0 .../network/templates/main.yml | 0 roles/server/sshkey/tasks/main.yml | 8 +- .../alma => server}/sysprep/defaults/main.yml | 0 .../alma => server}/sysprep/handlers/main.yml | 0 .../alma => server}/sysprep/tasks/main.yml | 33 ++--- .../sysprep/templates/main.yml | 0 21 files changed, 224 insertions(+), 89 deletions(-) delete mode 100644 roles/provision/alma/firewall/tasks/main.yml delete mode 100644 roles/provision/alma/network/tasks/main.yml rename roles/{provision/alma => server}/firewall/defaults/main.yml (100%) rename roles/{provision/alma => server}/firewall/handlers/main.yml (100%) create mode 100644 roles/server/firewall/tasks/main.yml rename roles/{provision/alma => server}/firewall/templates/main.yml (100%) rename roles/{provision/alma => server}/network/defaults/main.yml (100%) rename roles/{provision/alma => server}/network/handlers/main.yml (100%) create mode 100644 roles/server/network/tasks/main.yml rename roles/{provision/alma => server}/network/templates/ifcfg-template.j2 (100%) rename roles/{provision/alma => server}/network/templates/main.yml (100%) mode change 100755 => 100644 roles/server/sshkey/tasks/main.yml rename roles/{provision/alma => server}/sysprep/defaults/main.yml (100%) rename 
roles/{provision/alma => server}/sysprep/handlers/main.yml (100%) rename roles/{provision/alma => server}/sysprep/tasks/main.yml (78%) rename roles/{provision/alma => server}/sysprep/templates/main.yml (100%) diff --git a/inventory/group_vars/all.yml b/inventory/group_vars/all.yml index e511d19..dfab080 100755 --- a/inventory/group_vars/all.yml +++ b/inventory/group_vars/all.yml @@ -48,5 +48,17 @@ nfs_mounts: - { src: "nas:/mnt/ALEXANDRIA/school", path: "/mnt/school", opts: "defaults,nfsvers=4" } - { src: "nas:/mnt/ALEXANDRIA/os-images", path: "/mnt/os-images", opts: "defaults,nfsvers=4" } -provision_mgmt_ip: 10.69.1.102 -provision_hostname: prod2 +provision_core_ip4: "10.133.7.202/22" +provision_core_ip4_no_subnet: "10.133.7.202" +core_net: 10.133.4.0 +core_gw4: 10.133.7.1 + +provision_mgmt_ip4: "10.69.1.202/22" +mgmt_net: 10.69.0.0 +mgmt_gw4: 10.69.0.1 + +provision_dmz_ip4: "10.66.6.202/22" +dmz_net: 10.66.6.0 +dmz_gw4: 10.66.6.1 + +provision_hostname: prod2 \ No newline at end of file diff --git a/inventory/hosts.yml b/inventory/hosts.yml index 85e852b..fa170cd 100755 --- a/inventory/hosts.yml +++ b/inventory/hosts.yml @@ -18,4 +18,6 @@ all: school: ansible_host: school staging-vm: - ansible_host: 10.133.7.243 + ansible_host: 10.133.7.224 + # ansible_ssh_common_args: '-o PubkeyAuthentication=no -o PreferredAuthentications=password' + # ansible_ssh_private_key_file: /home/xbazzi/ansible_ed25519 diff --git a/playbooks/provision-alma.yml b/playbooks/provision-alma.yml index f63c858..bf0a4d0 100644 --- a/playbooks/provision-alma.yml +++ b/playbooks/provision-alma.yml @@ -4,9 +4,10 @@ become: yes roles: - role: server/users + - role: server/sshkey - role: provision/alma/common - - role: provision/alma/network - - role: provision/alma/firewall + - role: server/network + - role: server/firewall - role: provision/alma/nfs - role: docker/install - role: server/reboot \ No newline at end of file 
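Review bot: `dmz_net: 10.66.6.0` is not the network address of `provision_dmz_ip4: "10.66.6.202/22"`; a /22 containing 10.66.6.202 starts at 10.66.4.0 (the core and mgmt pairs, 10.133.4.0 and 10.69.0.0, are computed correctly). The three `*_net` values are also stored without a prefix length, and elsewhere in this patch they are fed into `routing_rules4` as bare `from <addr>` selectors, which `ip rule` treats as a single /32 host rather than the subnet. I would store them with the prefix, `dmz_net: "10.66.4.0/22"` (likewise `core_net: "10.133.4.0/22"` and `mgmt_net: "10.69.0.0/22"`), so consumers do not have to guess the mask. `provision_core_ip4_no_subnet` duplicates the address held in `provision_core_ip4` and can drift; deriving it, e.g. `provision_core_ip4_no_subnet: "{{ provision_core_ip4.split('/')[0] }}"`, keeps one source of truth.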
diff --git a/playbooks/sysprep-alma.yml b/playbooks/sysprep-alma.yml index b914705..4802778 100644 --- a/playbooks/sysprep-alma.yml +++ b/playbooks/sysprep-alma.yml @@ -2,12 +2,8 @@ hosts: staging-vm become: yes roles: - - role: provision/alma/sysprep - tasks: - - name: Reboot machine and send a message - ansible.builtin.reboot: - msg: "Going down in 5..." - # - name: Shutdown the machine for templating - # community.general.shutdown: - # msg: "I must go now..." - # delay: 5 \ No newline at end of file + - role: server/users + - role: server/sysprep + - role: server/sshkey + - role: server/network + - role: server/reboot \ No newline at end of file diff --git a/roles/docker/install/tasks/main.yml b/roles/docker/install/tasks/main.yml index f2ad28d..6451600 100755 --- a/roles/docker/install/tasks/main.yml +++ b/roles/docker/install/tasks/main.yml @@ -3,28 +3,38 @@ ansible.builtin.dnf: name: - dnf-plugins-core + state: present +# - name: Install plugins-core to manage DNF repos +# ansible.builtin.command: dnf -y install dnf-plugins-core - name: Add Docker repo ansible.builtin.command: dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo + register: hello + +- name: Verify Docker repo added + ansible.builtin.debug: + var: docker_repo.stdout_lines - name: Install Docker Engine ansible.builtin.dnf: name: - - install - docker-ce - docker-ce-cli - containerd.io - docker-buildx-plugin - docker-compose-plugin + state: present - name: Enable and start Docker Engine ansible.builtin.systemd_service: + name: docker state: started enabled: true - name: Verify with Hello World ansible.builtin.command: docker run hello-world - register: docker_out + register: docker_hello -- ansible.builtin.debug: - var: docker_out +- name: Test + ansible.builtin.debug: + var: docker_hello.stdout_lines diff --git a/roles/provision/alma/firewall/tasks/main.yml b/roles/provision/alma/firewall/tasks/main.yml deleted file mode 100644 index 5865bc6..0000000 
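Review bot: This play now runs `server/network` against the template VM, and that role (later in this patch) configures the static addresses from group_vars (`provision_core_ip4`, `provision_mgmt_ip4`, `provision_dmz_ip4`), whereas the sysprep role previously set the CORE interface to DHCP (`method4: "auto"`, removed further down). If staging-vm is turned into a template after this play, every clone will boot with prod2's addresses until it is re-provisioned, which risks an address conflict with a live prod2 on the core and mgmt networks. Either keep a DHCP profile for the sysprep path (a sysprep-specific set of vars or a DHCP-only role), or at least document the assumption on this line: `# NOTE: server/network bakes the prod2 addresses from group_vars into the template; clones must be re-addressed by provision-alma.yml before use`.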
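Review bot: `register: hello` on the "Add Docker repo" task does not match the `docker_repo.stdout_lines` printed by the next task, so `docker_repo` is undefined and the play aborts at "Verify Docker repo added" on the first run; rename it to `register: docker_repo`. The `dnf config-manager --add-repo` command also re-downloads the repo file on every run and always reports changed; adding `args: creates: /etc/yum.repos.d/docker-ce.repo` makes it idempotent. `docker run hello-world` pulls an unpinned image from Docker Hub on every play, which is a network-dependent side effect inside a provisioning role; if it is kept as a smoke test, mark it `changed_when: false` and consider gating it behind a tag or variable so production runs do not depend on registry reachability.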
--- a/roles/provision/alma/firewall/tasks/main.yml
+++ /dev/null
@@ -1,22 +0,0 @@
----
-- name: Enable and start firewalld
- ansible.builtin.systemd:
- name: firewalld
- enabled: yes
- state: started
-
-- name: Set internal to default
- ansible.builtin.command: firewall-cmd --set-default-zone=internal
-
-- name: Remove ens18 from public
- ansible.builtin.command: firewall-cmd --zone=public --remove-interface=ens18 --permanent
-
-- name: Assign interface ens18 to "internal" zone
- ansible.posix.firewalld:
- interface: ens18
- zone: internal
- state: enabled
- permanent: true
-
-- name: Reload firewalld to apply changes
- ansible.builtin.command: firewall-cmd --reload
diff --git a/roles/provision/alma/network/tasks/main.yml b/roles/provision/alma/network/tasks/main.yml
deleted file mode 100644
index 937d8a1..0000000
--- a/roles/provision/alma/network/tasks/main.yml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-- name: Set up MGMT interface manually
- nmcli:
- conn_name: mgmt
- ip4: "{{ provision_mgmt_ip }}"
- method4: "manual"
- ifname: ens19
- dns4_search: lan.xbazzi.com
- type: ethernet
- state: present
-
-- name: Remove ens18 default connection
- nmcli:
- conn_name: ens18
- state: absent
-
-- name: Remove ens19 default connection
- nmcli:
- conn_name: Wired connection 1
- state: absent
\ No newline at end of file
diff --git a/roles/provision/alma/firewall/defaults/main.yml b/roles/server/firewall/defaults/main.yml
similarity index 100%
rename from roles/provision/alma/firewall/defaults/main.yml
rename to roles/server/firewall/defaults/main.yml
diff --git a/roles/provision/alma/firewall/handlers/main.yml b/roles/server/firewall/handlers/main.yml
similarity index 100%
rename from roles/provision/alma/firewall/handlers/main.yml
rename to roles/server/firewall/handlers/main.yml
diff --git a/roles/server/firewall/tasks/main.yml b/roles/server/firewall/tasks/main.yml
new file mode 100644
index 0000000..3bfdbe6
--- /dev/null
+++ b/roles/server/firewall/tasks/main.yml
@@ -0,0 +1,43 @@
+---
+- name: Enable and start firewalld
+ ansible.builtin.systemd:
+ name: firewalld
+ enabled: yes
+ state: started
+
+- name: Assign interface ens18 to core zone
+ ansible.posix.firewalld:
+ interface: ens18
+ zone: core
+ state: enabled
+ permanent: true
+
+- name: Assign interface ens19 to mgmt zone
+ ansible.posix.firewalld:
+ interface: ens19
+ zone: mgmt
+ state: enabled
+ permanent: true
+
+- name: Assign interface ens20 to dmz zone
+ ansible.posix.firewalld:
+ interface: ens20
+ zone: dmz
+ state: enabled
+ permanent: true
+
+- name: Set core to default
+ ansible.builtin.command: firewall-cmd --set-default-zone=core --permanent
+
+- name: Remove ens18 from public
+ ansible.builtin.command: firewall-cmd --zone=public --remove-interface=ens18 --permanent
+
+- name: Assign interface ens18 to "internal" zone
+ ansible.posix.firewalld:
+ interface: ens18
+ zone: internal
+ state: enabled
+ permanent: true
+
+- name: Reload firewalld to apply changes
+ ansible.builtin.command: firewall-cmd --reload
diff --git a/roles/provision/alma/firewall/templates/main.yml b/roles/server/firewall/templates/main.yml
similarity index 100%
rename from roles/provision/alma/firewall/templates/main.yml
rename to roles/server/firewall/templates/main.yml
diff --git a/roles/provision/alma/network/defaults/main.yml b/roles/server/network/defaults/main.yml
similarity index 100%
rename from roles/provision/alma/network/defaults/main.yml
rename to roles/server/network/defaults/main.yml
diff --git a/roles/provision/alma/network/handlers/main.yml b/roles/server/network/handlers/main.yml
similarity index 100%
rename from roles/provision/alma/network/handlers/main.yml
rename to roles/server/network/handlers/main.yml
diff --git a/roles/server/network/tasks/main.yml b/roles/server/network/tasks/main.yml
new file mode 100644
index 0000000..2d00754
--- /dev/null
+++ b/roles/server/network/tasks/main.yml
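Review bot: The last tasks undo what the first ones set up: ens18 is assigned to the new `core` zone, but the carried-over "Assign interface ens18 to "internal" zone" task then moves it into `internal`, so after `--reload` ens18 sits in firewalld's `internal` zone (which on EL ships with several services pre-enabled) instead of the empty, locked-down `core` zone that the network role opens ssh in. Drop the "Remove ens18 from public" and "Assign interface ens18 to "internal" zone" tasks; they belong to the deleted role. `firewall-cmd --set-default-zone=core --permanent` is also suspect: set-default-zone is already both runtime and permanent and, as far as I recall, firewall-cmd refuses it in combination with `--permanent`, so `ansible.builtin.command: firewall-cmd --set-default-zone=core` with a `changed_when` based on the previous default is what you want. The role silently depends on the `core`/`mgmt`/`dmz` zones having been created by `server/network`; a comment such as `# zones core/mgmt/dmz are created by roles/server/network — run that role first` would make the ordering dependency visible.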
@@ -0,0 +1,130 @@
+---
+- name: Enable and start firewalld
+ ansible.builtin.systemd:
+ name: firewalld
+ enabled: yes
+ state: started
+
+- name: Enable and start NetworkManager
+ ansible.builtin.systemd:
+ name: NetworkManager
+ enabled: yes
+ state: started
+
+- name: Check existing zones
+ ansible.builtin.command: firewall-cmd --get-zones
+ register: firewalld_zones
+
+- name: Debug output
+ ansible.builtin.debug:
+ var: firewalld_zones.stdout
+
+# - name: Create zone "core"
+# ansible.builtin.command: firewall-cmd --permanent --new-zone="{{ item }}"
+# loop: ["core", "mgmt"]
+# # loop: "{{ firewalld_zones.stdout | split }}"
+# when: item in firewalld_zones.stdout.split()
+ # (item != "core" and
+ # item != "dmz")
+
+- name: Create firewalld core zone
+ ansible.posix.firewalld:
+ zone: core
+ state: present
+ permanent: true
+
+- name: Create firewalld mgmt zone
+ ansible.posix.firewalld:
+ zone: mgmt
+ state: present
+ permanent: true
+
+- name: Create firewalld dmz zone
+ ansible.posix.firewalld:
+ zone: dmz
+ state: present
+ permanent: true
+
+- name: Reload firewalld to apply changes
+ ansible.builtin.command: firewall-cmd --reload
+
+- name: Enable ssh rule in core for initial ansible config
+ ansible.posix.firewalld:
+ zone: core
+ service: ssh
+ state: enabled
+ permanent: true
+
+# - name: Ensure all other zones are disabled
+# ansible.posix.firewalld:
+# zone: "{{ item }}"
+# state: disabled
+# permanent: true
+# when: item not in zones
+# loop: "{{ firewalld_zones.stdout | split }}"
+
+- name: Set up CORE interface manually
+ nmcli:
+ conn_name: CORE
+ zone: core
+ type: ethernet
+ ip4: "{{ provision_core_ip4 }}"
+ gw4: "{{ core_gw4 }}"
+ dns4: "{{ core_gw4 }}"
+ method4: "manual"
+ ifname: ens18
+ dns4_search: lan.xbazzi.com
+ state: present
+ delegate_to: "{{ provision_core_ip4_no_subnet }}"
+
+- name: Set up mgmt interface manually
+ nmcli:
+ conn_name: MGMT
+ zone: mgmt
+ type: ethernet
+ ip4: "{{ provision_mgmt_ip4 }}"
+ routes4: "0.0.0.0/0 {{
mgmt_gw4 }}"
+ routing_rules4:
+ - "priority 2 from {{ mgmt_net }} table 200"
+ route_metric4: 102
+ dns4: "{{ mgmt_gw4 }}"
+ method4: "manual"
+ ifname: "ens19"
+ dns4_search: "lan.xbazzi.com"
+ state: present
+
+- name: Set up dmz interface manually
+ nmcli:
+ conn_name: DMZ
+ zone: dmz
+ type: ethernet
+ ip4: "{{ provision_dmz_ip4 }}"
+ routes4: "0.0.0.0/0 {{ dmz_gw4 }}"
+ routing_rules4:
+ - "priority 3 from {{ dmz_net }} table 300"
+ route_metric4: 103
+ dns4: "{{ dmz_gw4 }}"
+ method4: "manual"
+ ifname: "ens20"
+ dns4_search: "lan.xbazzi.com"
+ state: present
+
+- name: Remove ens18 default connection
+ nmcli:
+ conn_name: ens18
+ state: absent
+
+- name: Remove ens19 default connection
+ nmcli:
+ conn_name: ens19
+ state: absent
+
+- name: Remove ens20 default connection
+ nmcli:
+ conn_name: ens20
+ state: absent
+
+- name: Remove "Wired connection 1"
+ nmcli:
+ conn_name: Wired connection 1
+ state: absent
diff --git a/roles/provision/alma/network/templates/ifcfg-template.j2 b/roles/server/network/templates/ifcfg-template.j2
similarity index 100%
rename from roles/provision/alma/network/templates/ifcfg-template.j2
rename to roles/server/network/templates/ifcfg-template.j2
diff --git a/roles/provision/alma/network/templates/main.yml b/roles/server/network/templates/main.yml
similarity index 100%
rename from roles/provision/alma/network/templates/main.yml
rename to roles/server/network/templates/main.yml
diff --git a/roles/server/sshkey/tasks/main.yml b/roles/server/sshkey/tasks/main.yml
old mode 100755
new mode 100644
index fbb2fa0..b3f6fc7
--- a/roles/server/sshkey/tasks/main.yml
+++ b/roles/server/sshkey/tasks/main.yml
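Review bot: `delegate_to: "{{ provision_core_ip4_no_subnet }}"` on the CORE task runs the nmcli change on 10.133.7.202 instead of the play target (staging-vm is 10.133.7.224 in inventory), so the target never gets its CORE profile, and if 10.133.7.202 is a live prod2 it is that host that gets reconfigured; delete that line. The policy-routing setup also does not do what the task names imply: `routes4: "0.0.0.0/0 {{ mgmt_gw4 }}"` adds a second and third default route to the main table (metrics 102/103), tables 200 and 300 named in `routing_rules4` are never populated, and `from {{ mgmt_net }}` with no prefix length matches only the single host 10.69.0.0/32. If the goal is per-interface source routing, select on the interface's own address and put the default route in the per-interface table, as sketched for MGMT below (assuming the installed `community.general` provides `routes4_extended`). The unqualified `nmcli:` should be `community.general.nmcli:`, as the old sysprep role wrote it, so module resolution does not depend on collection search order.
```yaml
- name: Set up mgmt interface manually
  community.general.nmcli:
    conn_name: MGMT
    zone: mgmt
    type: ethernet
    ip4: "{{ provision_mgmt_ip4 }}"
    routes4_extended:
      - ip: 0.0.0.0/0
        next_hop: "{{ mgmt_gw4 }}"
        table: 200
    routing_rules4:
      - "priority 2 from {{ provision_mgmt_ip4.split('/')[0] }} table 200"
    # … unchanged: route_metric4, dns4, method4, ifname, dns4_search, state …
```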
@@ -1,6 +1,6 @@ --- -- name: Add SSH key for remote user +- name: Add ansible user SSH public key ansible.posix.authorized_key: - user: javi - state: present - key: "{{ lookup('file', '/home/javi/.ssh/homelab_keypair_ed25519.pub') }}" \ No newline at end of file + user: ansible + key: "{{ lookup('file', '/home/xbazzi/.ssh/ansible_ed25519.pub') }}" + state: present \ No newline at end of file diff --git a/roles/provision/alma/sysprep/defaults/main.yml b/roles/server/sysprep/defaults/main.yml similarity index 100% rename from roles/provision/alma/sysprep/defaults/main.yml rename to roles/server/sysprep/defaults/main.yml diff --git a/roles/provision/alma/sysprep/handlers/main.yml b/roles/server/sysprep/handlers/main.yml similarity index 100% rename from roles/provision/alma/sysprep/handlers/main.yml rename to roles/server/sysprep/handlers/main.yml diff --git a/roles/provision/alma/sysprep/tasks/main.yml b/roles/server/sysprep/tasks/main.yml similarity index 78% rename from roles/provision/alma/sysprep/tasks/main.yml rename to roles/server/sysprep/tasks/main.yml index 7737dc7..b3f8f0e 100644 --- a/roles/provision/alma/sysprep/tasks/main.yml +++ b/roles/server/sysprep/tasks/main.yml @@ -1,12 +1,4 @@ --- -- name: Set up initial CORE interface with DHCP - community.general.nmcli: - conn_name: core - method4: "auto" - ifname: ens18 - type: ethernet - state: present - - name: Set hostname to generic localhost ansible.builtin.hostname: name: localhost.localdomain @@ -26,14 +18,14 @@ regexp: '^::1\s+localhost' state: absent -- name: Remove xbazzi user - ansible.builtin.user: - name: xbazzi - state: absent - remove: true +# - name: Remove xbazzi user +# ansible.builtin.user: +# name: xbazzi +# state: absent +# remove: true -- name: Truncate machine-id - ansible.builtin.command: truncate -s 0 /etc/machine-id +# - name: Truncate machine-id +# ansible.builtin.command: truncate -s 0 /etc/machine-id - name: Remove DBus machine-id if exists ansible.builtin.file: 
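Review bot: `lookup('file', '/home/xbazzi/.ssh/ansible_ed25519.pub')` hard-codes one operator's home directory on the controller, so the role fails with a file-not-found for anyone else (or in CI) before any host is touched; take the path from a variable with a home-relative default, e.g. `key: "{{ lookup('file', ansible_pubkey_path | default('~/.ssh/ansible_ed25519.pub')) }}"` (the removed sysprep task already used the `~/.ssh/...` form). Since this authorizes the automation account, consider `exclusive: true` so stale keys left in the template's `authorized_keys` are replaced rather than accumulated, and `key_options` (e.g. `no-port-forwarding`) if the key is never used interactively. `user: ansible` assumes `server/users` has created that account and the role declares no dependency, so a comment such as `# requires the ansible account created by roles/server/users` would document the ordering.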
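Review bot: Commenting out "Truncate machine-id" while keeping "Remove DBus machine-id if exists" leaves the template with a populated /etc/machine-id, so every clone inherits the same machine identity (systemd and, I believe, NetworkManager's DHCP identifiers derive from it), and the two tasks are now inconsistent with each other. The disabled "Remove xbazzi user" likewise leaves a personal account, with whatever sudo rights it has, in every image cloned from this template. If both are intentional for the staging workflow, replace the commented-out blocks with a comment stating why, e.g. `# machine-id and the xbazzi account are intentionally kept in the template; clones are re-identified by provision-alma.yml`; otherwise restore them, since `truncate -s 0 /etc/machine-id` is what makes systemd regenerate the id on first boot.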
@@ -86,7 +78,6 @@ - name: Find all SSH keys ansible.builtin.find: - # path: "{{ item }}" paths: - /etc/ssh - /home/ @@ -113,18 +104,10 @@ loop: "{{ ssh_files.files }}" # loop: "{{ ssh_keys.results | map(attribute='files') | flatten }}" -- name: Add ansible user SSH public key - ansible.builtin.copy: - dest: /home/ansible/.ssh/authorized_keys - content: "{{ lookup('file', '~/.ssh/lan_id_ed25519.pub') }}" - mode: '0600' - owner: "ansible" - group: "ansible" - - name: Sync changes to disk ansible.builtin.command: sync -- name: Remove old local SSH known_hosts entry +- name: Remove old local SSH known_hosts entry (necessary to avoid fingerprint warning) become_user: xbazzi local_action: module: command diff --git a/roles/provision/alma/sysprep/templates/main.yml b/roles/server/sysprep/templates/main.yml similarity index 100% rename from roles/provision/alma/sysprep/templates/main.yml rename to roles/server/sysprep/templates/main.yml
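Review bot: The renamed "Remove old local SSH known_hosts entry" task still runs as `become_user: xbazzi` under the play-level `become: yes`, which means sudo on the controller to a hard-coded user just to edit that user's known_hosts; the task's argument list continues outside this hunk. Local housekeeping should not escalate: use `delegate_to: localhost` with `become: false` and let it run as whoever invokes the playbook, or take the user from `lookup('env', 'USER')`. A short comment that the entry is stale because the host keys under /etc/ssh are deleted earlier in this role (so the removal is not masking a changed-key warning from a real man-in-the-middle) would make the security rationale explicit, e.g. `# host keys are regenerated on next boot, so the cached fingerprint is genuinely stale`.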