xbazzi/ansible-on-prem
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

More alma changes and network fixes

Browse Source
This commit is contained in:
xbazzi 2025-07-09 23:08:07 -06:00
parent 769f2a62b4
commit b842a316a8
21 changed files with 224 additions and 89 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
inventory/group_vars/all.yml
View File

@ -48,5 +48,17 @@ nfs_mounts:
- { src: "nas:/mnt/ALEXANDRIA/school", path: "/mnt/school", opts: "defaults,nfsvers=4" } - { src: "nas:/mnt/ALEXANDRIA/school", path: "/mnt/school", opts: "defaults,nfsvers=4" }
- { src: "nas:/mnt/ALEXANDRIA/os-images", path: "/mnt/os-images", opts: "defaults,nfsvers=4" } - { src: "nas:/mnt/ALEXANDRIA/os-images", path: "/mnt/os-images", opts: "defaults,nfsvers=4" }
provision_mgmt_ip: 10.69.1.102 provision_core_ip4: "10.133.7.202/22"
provision_hostname: prod2 provision_core_ip4_no_subnet: "10.133.7.202"
core_net: 10.133.4.0
core_gw4: 10.133.7.1
provision_mgmt_ip4: "10.69.1.202/22"
mgmt_net: 10.69.0.0
mgmt_gw4: 10.69.0.1
provision_dmz_ip4: "10.66.6.202/22"
dmz_net: 10.66.6.0
dmz_gw4: 10.66.6.1
provision_hostname: prod2

4
inventory/hosts.yml
View File

@ -18,4 +18,6 @@ all:
school: school:
ansible_host: school ansible_host: school
staging-vm: staging-vm:
ansible_host: 10.133.7.243 ansible_host: 10.133.7.224
# ansible_ssh_common_args: '-o PubkeyAuthentication=no -o PreferredAuthentications=password'
# ansible_ssh_private_key_file: /home/xbazzi/ansible_ed25519

5
playbooks/provision-alma.yml
View File

@ -4,9 +4,10 @@
become: yes become: yes
roles: roles:
- role: server/users - role: server/users
- role: server/sshkey
- role: provision/alma/common - role: provision/alma/common
- role: provision/alma/network - role: server/network
- role: provision/alma/firewall - role: server/firewall
- role: provision/alma/nfs - role: provision/alma/nfs
- role: docker/install - role: docker/install
- role: server/reboot - role: server/reboot

14
playbooks/sysprep-alma.yml
View File

@ -2,12 +2,8 @@
hosts: staging-vm hosts: staging-vm
become: yes become: yes
roles: roles:
- role: provision/alma/sysprep - role: server/users
tasks: - role: server/sysprep
- name: Reboot machine and send a message - role: server/sshkey
ansible.builtin.reboot: - role: server/network
msg: "Going down in 5..." - role: server/reboot
# - name: Shutdown the machine for templating
# community.general.shutdown:
# msg: "I must go now..."
# delay: 5

18
roles/docker/install/tasks/main.yml
View File

@ -3,28 +3,38 @@
ansible.builtin.dnf: ansible.builtin.dnf:
name: name:
- dnf-plugins-core - dnf-plugins-core
state: present
# - name: Install plugins-core to manage DNF repos
# ansible.builtin.command: dnf -y install dnf-plugins-core
- name: Add Docker repo - name: Add Docker repo
ansible.builtin.command: dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo ansible.builtin.command: dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
register: hello
- name: Verify Docker repo added
ansible.builtin.debug:
var: docker_repo.stdout_lines
- name: Install Docker Engine - name: Install Docker Engine
ansible.builtin.dnf: ansible.builtin.dnf:
name: name:
- install
- docker-ce - docker-ce
- docker-ce-cli - docker-ce-cli
- containerd.io - containerd.io
- docker-buildx-plugin - docker-buildx-plugin
- docker-compose-plugin - docker-compose-plugin
state: present
- name: Enable and start Docker Engine - name: Enable and start Docker Engine
ansible.builtin.systemd_service: ansible.builtin.systemd_service:
name: docker
state: started state: started
enabled: true enabled: true
- name: Verify with Hello World - name: Verify with Hello World
ansible.builtin.command: docker run hello-world ansible.builtin.command: docker run hello-world
register: docker_out register: docker_hello
- ansible.builtin.debug: - name: Test
var: docker_out ansible.builtin.debug:
var: docker_hello.stdout_lines

22
roles/provision/alma/firewall/tasks/main.yml
View File

@ -1,22 +0,0 @@
---
- name: Enable and start firewalld
ansible.builtin.systemd:
name: firewalld
enabled: yes
state: started
- name: Set internal to default
ansible.builtin.command: firewall-cmd --set-default-zone=internal
- name: Remove ens18 from public
ansible.builtin.command: firewall-cmd --zone=public --remove-interface=ens18 --permanent
- name: Assign interface ens18 to "internal" zone
ansible.posix.firewalld:
interface: ens18
zone: internal
state: enabled
permanent: true
- name: Reload firewalld to apply changes
ansible.builtin.command: firewall-cmd --reload

20
roles/provision/alma/network/tasks/main.yml
View File

@ -1,20 +0,0 @@
---
- name: Set up MGMT interface manually
nmcli:
conn_name: mgmt
ip4: "{{ provision_mgmt_ip }}"
method4: "manual"
ifname: ens19
dns4_search: lan.xbazzi.com
type: ethernet
state: present
- name: Remove ens18 default connection
nmcli:
conn_name: ens18
state: absent
- name: Remove ens19 default connection
nmcli:
conn_name: Wired connection 1
state: absent

0
roles/provision/alma/firewall/defaults/main.yml → roles/server/firewall/defaults/main.yml
View File

0
roles/provision/alma/firewall/handlers/main.yml → roles/server/firewall/handlers/main.yml
View File

43
roles/server/firewall/tasks/main.yml Normal file
View File

@ -0,0 +1,43 @@
---
- name: Enable and start firewalld
ansible.builtin.systemd:
name: firewalld
enabled: yes
state: started
- name: Assign interface ens18 to core zone
ansible.posix.firewalld:
interface: ens18
zone: core
state: enabled
permanent: true
- name: Assign interface ens19 to mgmt zone
ansible.posix.firewalld:
interface: ens19
zone: mgmt
state: enabled
permanent: true
- name: Assign interface ens20 to dmz zone
ansible.posix.firewalld:
interface: ens20
zone: dmz
state: enabled
permanent: true
- name: Set core to default
ansible.builtin.command: firewall-cmd --set-default-zone=core --permanent
- name: Remove ens18 from public
ansible.builtin.command: firewall-cmd --zone=public --remove-interface=ens18 --permanent
- name: Assign interface ens18 to "internal" zone
ansible.posix.firewalld:
interface: ens18
zone: internal
state: enabled
permanent: true
- name: Reload firewalld to apply changes
ansible.builtin.command: firewall-cmd --reload

0
roles/provision/alma/firewall/templates/main.yml → roles/server/firewall/templates/main.yml
View File

0
roles/provision/alma/network/defaults/main.yml → roles/server/network/defaults/main.yml
View File

0
roles/provision/alma/network/handlers/main.yml → roles/server/network/handlers/main.yml
View File

130
roles/server/network/tasks/main.yml Normal file
View File

@ -0,0 +1,130 @@
---
- name: Enable and start firewalld
ansible.builtin.systemd:
name: firewalld
enabled: yes
state: started
- name: Enable and start NetworkManager
ansible.builtin.systemd:
name: NetworkManager
enabled: yes
state: started
- name: Check existing zones
ansible.builtin.command: firewall-cmd --get-zones
register: firewalld_zones
- name: Debug output
ansible.builtin.debug:
var: firewalld_zones.stdout
# - name: Create zone "core"
# ansible.builtin.command: firewall-cmd --permanent --new-zone="{{ item }}"
# loop: ["core", "mgmt"]
# # loop: "{{ firewalld_zones.stdout | split }}"
# when: item in firewalld_zones.stdout.split()
# (item != "core" and
# item != "dmz")
- name: Create firewalld core zone
ansible.posix.firewalld:
zone: core
state: present
permanent: true
- name: Create firewalld mgmt zone
ansible.posix.firewalld:
zone: mgmt
state: present
permanent: true
- name: Create firewalld dmz zone
ansible.posix.firewalld:
zone: dmz
state: present
permanent: true
- name: Reload firewalld to apply changes
ansible.builtin.command: firewall-cmd --reload
- name: Enable ssh rule in core for initial ansible config
ansible.posix.firewalld:
zone: core
service: ssh
state: enabled
permanent: true
# - name: Ensure all other zones are disabled
# ansible.posix.firewalld:
# zone: "{{ item }}"
# state: disabled
# permanent: true
# when: item not in zones
# loop: "{{ firewalld_zones.stdout | split }}"
- name: Set up CORE interface manually
nmcli:
conn_name: CORE
zone: core
type: ethernet
ip4: "{{ provision_core_ip4 }}"
gw4: "{{ core_gw4 }}"
dns4: "{{ core_gw4 }}"
method4: "manual"
ifname: ens18
dns4_search: lan.xbazzi.com
state: present
delegate_to: "{{ provision_core_ip4_no_subnet }}"
- name: Set up mgmt interface manually
nmcli:
conn_name: MGMT
zone: mgmt
type: ethernet
ip4: "{{ provision_mgmt_ip4 }}"
routes4: "0.0.0.0/0 {{ mgmt_gw4 }}"
routing_rules4:
- "priority 2 from {{ mgmt_net }} table 200"
route_metric4: 102
dns4: "{{ mgmt_gw4 }}"
method4: "manual"
ifname: "ens19"
dns4_search: "lan.xbazzi.com"
state: present
- name: Set up dmz interface manually
nmcli:
conn_name: DMZ
zone: dmz
type: ethernet
ip4: "{{ provision_dmz_ip4 }}"
routes4: "0.0.0.0/0 {{ dmz_gw4 }}"
routing_rules4:
- "priority 3 from {{ dmz_net }} table 300"
route_metric4: 103
dns4: "{{ dmz_gw4 }}"
method4: "manual"
ifname: "ens20"
dns4_search: "lan.xbazzi.com"
state: present
- name: Remove ens18 default connection
nmcli:
conn_name: ens18
state: absent
- name: Remove ens19 default connection
nmcli:
conn_name: ens19
state: absent
- name: Remove ens20 default connection
nmcli:
conn_name: ens20
state: absent
- name: Remove "Wired connection 1"
nmcli:
conn_name: Wired connection 1
state: absent

0
roles/provision/alma/network/templates/ifcfg-template.j2 → roles/server/network/templates/ifcfg-template.j2
View File

0
roles/provision/alma/network/templates/main.yml → roles/server/network/templates/main.yml
View File

8
roles/server/sshkey/tasks/main.yml Executable file → Normal file
View File

@ -1,6 +1,6 @@
--- ---
- name: Add SSH key for remote user - name: Add ansible user SSH public key
ansible.posix.authorized_key: ansible.posix.authorized_key:
user: javi user: ansible
state: present key: "{{ lookup('file', '/home/xbazzi/.ssh/ansible_ed25519.pub') }}"
key: "{{ lookup('file', '/home/javi/.ssh/homelab_keypair_ed25519.pub') }}" state: present

0
roles/provision/alma/sysprep/defaults/main.yml → roles/server/sysprep/defaults/main.yml
View File

0
roles/provision/alma/sysprep/handlers/main.yml → roles/server/sysprep/handlers/main.yml
View File

33
roles/provision/alma/sysprep/tasks/main.yml → roles/server/sysprep/tasks/main.yml
View File

@ -1,12 +1,4 @@
--- ---
- name: Set up initial CORE interface with DHCP
community.general.nmcli:
conn_name: core
method4: "auto"
ifname: ens18
type: ethernet
state: present
- name: Set hostname to generic localhost - name: Set hostname to generic localhost
ansible.builtin.hostname: ansible.builtin.hostname:
name: localhost.localdomain name: localhost.localdomain
@ -26,14 +18,14 @@
regexp: '^::1\s+localhost' regexp: '^::1\s+localhost'
state: absent state: absent
- name: Remove xbazzi user # - name: Remove xbazzi user
ansible.builtin.user: # ansible.builtin.user:
name: xbazzi # name: xbazzi
state: absent # state: absent
remove: true # remove: true
- name: Truncate machine-id # - name: Truncate machine-id
ansible.builtin.command: truncate -s 0 /etc/machine-id # ansible.builtin.command: truncate -s 0 /etc/machine-id
- name: Remove DBus machine-id if exists - name: Remove DBus machine-id if exists
ansible.builtin.file: ansible.builtin.file:
@ -86,7 +78,6 @@
- name: Find all SSH keys - name: Find all SSH keys
ansible.builtin.find: ansible.builtin.find:
# path: "{{ item }}"
paths: paths:
- /etc/ssh - /etc/ssh
- /home/ - /home/
@ -113,18 +104,10 @@
loop: "{{ ssh_files.files }}" loop: "{{ ssh_files.files }}"
# loop: "{{ ssh_keys.results | map(attribute='files') | flatten }}" # loop: "{{ ssh_keys.results | map(attribute='files') | flatten }}"
- name: Add ansible user SSH public key
ansible.builtin.copy:
dest: /home/ansible/.ssh/authorized_keys
content: "{{ lookup('file', '~/.ssh/lan_id_ed25519.pub') }}"
mode: '0600'
owner: "ansible"
group: "ansible"
- name: Sync changes to disk - name: Sync changes to disk
ansible.builtin.command: sync ansible.builtin.command: sync
- name: Remove old local SSH known_hosts entry - name: Remove old local SSH known_hosts entry (necessary to avoid fingerprint warning)
become_user: xbazzi become_user: xbazzi
local_action: local_action:
module: command module: command

0
roles/provision/alma/sysprep/templates/main.yml → roles/server/sysprep/templates/main.yml
View File