169 lines
4.4 KiB
Markdown
169 lines
4.4 KiB
Markdown
# Ansible Playbooks
|
|
|
|
## Usage
|
|
|
|
The inventory defines labs, nodes and their group based on function.
|
|
|
|
Playbooks run Roles against node groups.
|
|
|
|
Roles define set of Tasks.
|
|
|
|
### Install both roles and collections
|
|
`ansible-galaxy install -r requirements.yml`
|
|
|
|
|
|
|
|
## Playbooks
|
|
|
|
Launch playbooks from present folder in order to use [default config file](ansible.cfg).
|
|
|
|
**Site** playbook launches them all.
|
|
**Bootstrap** is to be run first on new installations.
|
|
**NameServer** configures a BIND DNS
|
|
**OPNSense** configure a OPNSense edge node
|
|
|
|
### Site
|
|
This playbook recalls all the following playbooks in the stated order.
|
|
|
|
##### Nodes
|
|
Basic checks connectivity for **all**
|
|
|
|
|
|
##### Swarms
|
|
|
|
##### NextCloud
|
|
Installs Nextcloud AIO using SSE Lab / dockerized / nextcloud-aio
|
|
Calls role nextcloud_aio, dependent on docker role.
|
|
- Downloads SSE-Lab Repo
|
|
- Runs compose up (using ansible plugins)
|
|
|
|
E.g.
|
|
|
|
```ansible-playbook -i inventories/ -l nextrup_copy_test playbooks/nextcloud.yaml```
|
|
|
|
### Bootstrap ###
|
|
Creates sudoer user ansible, necessitates of sudoer user.
|
|
Use
|
|
|
|
```ansible-playbook -i inventories playbooks/bootstrap.yml -l [TARGET_HOST] -e 'ansible_user=[REMOTE_USER]' -K```
|
|
|
|
|
|
### NameServer ###
|
|
Configures a BIND DNS. Uses collection bodsch.dns.
|
|
NB DNS configuration comes from variable file.
|
|
|
|
### OPNSense ###
|
|
Configures a OPNSense edge node features :
|
|
|
|
- BIND DNS
|
|
- FIREWALL
|
|
- Wireguard VPN
|
|
|
|
NB runs locally so python intepreter needs to be specified
|
|
E.g.
|
|
|
|
```ansible-playbook -i inventories/sifi.yaml playbooks/opnsense.yaml --extra-vars="ansible_python_interpreter=$(which python)"
|
|
```
|
|
|
|
### VPN Server ###
|
|
Configures a VPN Server (only wireguard supported at the moment) for the specified 'wg_peers'.
|
|
|
|
The server acts as a gateway into a site, tunneling each connection and allowing only traffic into allowed subnets.
|
|
|
|
|
|
Needed parameters and configuration example :
|
|
|
|
```
|
|
wg_interface: wg0
|
|
wg_port: 51820
|
|
wg_server_address: 192.168.99.1/32
|
|
wg_peers:
|
|
- name: fabio_test
|
|
publicKey: "9a3tgXpF5CAOffbHZdW1QBEJgSLFnBDVbD1JaMPgzkM="
|
|
ip: "192.168.99.4/32"
|
|
allowedIPs :
|
|
- "192.168.99.0/24"
|
|
- "10.22.0.0/16"
|
|
- name: missing_key_test
|
|
ip: "192.168.99.5/32"
|
|
allowedIPs :
|
|
- "192.168.99.0/24"
|
|
- "10.22.0.0/16"
|
|
- name: forced_missing_key_test
|
|
forceRegeneration: True
|
|
ip: "192.168.99.6/32"
|
|
allowedIPs :
|
|
- "192.168.99.0/24"
|
|
- "10.22.0.0/16"
|
|
|
|
```
|
|
|
|
#### Wg-peers items ####
|
|
|
|
Each item represents a client [**Peer**] with :
|
|
|
|
- *name* [**Mandatory**] : a unique label for the client configuration
|
|
- *publicKey*: public key used by the client. If missing, the playbook generates both public and private keys, if needed.
|
|
- *ip* [**Mandatory**]: reserved ip for the client
|
|
- *allowedIPs* [**Mandatory**]: subnets to which the server allows traffic to for the present client
|
|
- *forceRegeneration*: force regeneration of public / private keys pair.
|
|
|
|
#### Client configurations ####
|
|
The playbook generates client configurations at the following path
|
|
|
|
> "{{ playbook_dir }}/wg_clients/{{ inventory_hostname }}/{{ item.name }}.conf"
|
|
|
|
**NB** Client configurations are ready to be imported in wireguard client if the playbook generated both public and private keys. Otherwise only the client's public key is reported and the user is expected to fill the configuration properly with their private key.
|
|
|
|
|
|
#### Key pair generation policy ####
|
|
|
|
In order to configure peers to connect to the server, public/private key pairs are needed.
|
|
|
|
The playbook evalutes the need for key generation as following :
|
|
- If *forceRegeneration* is set to *True*, keys are generated
|
|
- If *publicKey* is declared, that key is used
|
|
- If a public Key is already configured on the server for that Peer's name, that key is used
|
|
- If no public key is declared nor found, a new private / public key pair is generated and reported in client's configuration
|
|
|
|
|
|
## Inventories
|
|
|
|
### Main Lab
|
|
Main lab used for experimenting and development [check](main-lab)
|
|
|
|
### Externals
|
|
Management of extra infra nodes [check](non-infra)
|
|
|
|
### Production
|
|
Management of production services, beware!
|
|
|
|
Hosts are commented by default
|
|
|
|
|
|
### Sifi
|
|
Macchine per il gruppo di lavoro Sistemi Fiscali
|
|
|
|
|
|
### Prox1_lab
|
|
Prox mox laboratory
|
|
|
|
|
|
|
|
## TODO
|
|
* K8s cluster
|
|
* Ensure micro on operating nodes
|
|
* Swarm clusters
|
|
* Enabling
|
|
* Bind
|
|
* CEPH storage
|
|
* Monitoring
|
|
* Nagios
|
|
* Swarm 1
|
|
|
|
* GOD
|
|
* terraform
|
|
* ansible
|
|
* puppetmaster
|
|
* ...
|