# Ansible Playbooks ## Usage The inventory defines labs, nodes and their group based on function. Playbooks run Roles against node groups. Roles define set of Tasks. ### Install both roles and collections `ansible-galaxy install -r requirements.yml` ## Playbooks Launch playbooks from present folder in order to use [default config file](ansible.cfg). **Site** playbook launches them all. **Bootstrap** is to be run first on new installations. **NameServer** configures a BIND DNS **OPNSense** configure a OPNSense edge node ### Site This playbook recalls all the following playbooks in the stated order. ##### Nodes Basic checks connectivity for **all** ##### Swarms ##### NextCloud Installs Nextcloud AIO using SSE Lab / dockerized / nextcloud-aio Calls role nextcloud_aio, dependent on docker role. - Downloads SSE-Lab Repo - Runs compose up (using ansible plugins) E.g. ```ansible-playbook -i inventories/ -l nextrup_copy_test playbooks/nextcloud.yaml``` ### Bootstrap ### Creates sudoer user ansible, necessitates of sudoer user. Use ```ansible-playbook -i inventories playbooks/bootstrap.yml -l [TARGET_HOST] -e 'ansible_user=[REMOTE_USER]' -K``` ### NameServer ### Configures a BIND DNS. Uses collection bodsch.dns. NB DNS configuration comes from variable file. ### OPNSense ### Configures a OPNSense edge node features : - BIND DNS - FIREWALL - Wireguard VPN NB runs locally so python intepreter needs to be specified E.g. ```ansible-playbook -i inventories/sifi.yaml playbooks/opnsense.yaml --extra-vars="ansible_python_interpreter=$(which python)" ``` ### VPN Server ### Configures a VPN Server (only wireguard supported at the moment) for the specified 'wg_peers'. The server acts as a gateway into a site, tunneling each connection and allowing only traffic into allowed subnets. Needed parameters and configuration example : ``` wg_interface: wg0 wg_port: 51820 wg_server_address: 192.168.99.1/32 wg_peers: - name: fabio_test publicKey: "9a3tgXpF5CAOffbHZdW1QBEJgSLFnBDVbD1JaMPgzkM=" ip: "192.168.99.4/32" allowedIPs : - "192.168.99.0/24" - "10.22.0.0/16" - name: missing_key_test ip: "192.168.99.5/32" allowedIPs : - "192.168.99.0/24" - "10.22.0.0/16" - name: forced_missing_key_test forceRegeneration: True ip: "192.168.99.6/32" allowedIPs : - "192.168.99.0/24" - "10.22.0.0/16" ``` #### Wg-peers items #### Each item represents a client [**Peer**] with : - *name* [**Mandatory**] : a unique label for the client configuration - *publicKey*: public key used by the client. If missing, the playbook generates both public and private keys, if needed. - *ip* [**Mandatory**]: reserved ip for the client - *allowedIPs* [**Mandatory**]: subnets to which the server allows traffic to for the present client - *forceRegeneration*: force regeneration of public / private keys pair. #### Client configurations #### The playbook generates client configurations at the following path > "{{ playbook_dir }}/wg_clients/{{ inventory_hostname }}/{{ item.name }}.conf" **NB** Client configurations are ready to be imported in wireguard client if the playbook generated both public and private keys. Otherwise only the client's public key is reported and the user is expected to fill the configuration properly with their private key. #### Key pair generation policy #### In order to configure peers to connect to the server, public/private key pairs are needed. The playbook evalutes the need for key generation as following : - If *forceRegeneration* is set to *True*, keys are generated - If *publicKey* is declared, that key is used - If a public Key is already configured on the server for that Peer's name, that key is used - If no public key is declared nor found, a new private / public key pair is generated and reported in client's configuration ## Inventories ### Main Lab Main lab used for experimenting and development [check](main-lab) ### Externals Management of extra infra nodes [check](non-infra) ### Production Management of production services, beware! Hosts are commented by default ### Sifi Macchine per il gruppo di lavoro Sistemi Fiscali ### Prox1_lab Prox mox laboratory ## TODO * K8s cluster * Ensure micro on operating nodes * Swarm clusters * Enabling * Bind * CEPH storage * Monitoring * Nagios * Swarm 1 * GOD * terraform * ansible * puppetmaster * ...