Set directory structure

This commit is contained in:
2025-03-21 20:55:10 -05:00
parent e1c72629a8
commit 201839c309
50 changed files with 2851 additions and 5 deletions

View File

@@ -0,0 +1,43 @@
# README
inventory # inventory file for all servers
group_vars/
group1.yml # here we assign variables to particular groups
group2.yml
host_vars/
hostname1.yml # here we assign variables to particular systems
hostname2.yml
library/ # if any custom modules, put them here (optional)
module_utils/ # if any custom module_utils to support modules, put them here (optional)
filter_plugins/ # if any custom filter plugins, put them here (optional)
site.yml # master playbook
webservers.yml # playbook for webserver tier
dbservers.yml # playbook for dbserver tier
roles/
common/ # this hierarchy represents a "role"
tasks/ #
main.yml # <-- tasks file can include smaller files if warranted
handlers/ #
main.yml # <-- handlers file
templates/ # <-- files for use with the template resource
ntp.conf.j2 # <------- templates end in .j2
files/ #
bar.txt # <-- files for use with the copy resource
foo.sh # <-- script files for use with the script resource
vars/ #
main.yml # <-- variables associated with this role
defaults/ #
main.yml # <-- default lower priority variables for this role
meta/ #
main.yml # <-- role dependencies
library/ # roles can also include custom modules
module_utils/ # roles can also include custom module_utils
lookup_plugins/ # or other types of plugins, like lookup in this case
webtier/ # same kind of structure as "common" was above, done for the webtier role
monitoring/ # ""
fooapp/ # ""

View File

@@ -0,0 +1,13 @@
- name: "Add SSH key to servers for Ansible"
hosts: ipaserver
vars_files:
- ansible-vault.yml
roles:
- role: rywillia.ssh-copy-id
vars:
hostname: "{{ ansible_hostname }}"
username: "{{ vault_ansible_user }}"
password: "{{ vault_ansible_password }}"
ssh_public_key: "/Users/rblundon/git/MK-Labs/ansible/files/ansible"

View File

@@ -0,0 +1,8 @@
$ANSIBLE_VAULT;1.1;AES256
37663530616632333938363737366639623261366264616231396533366432303034376365643633
3632383464666637343765366439333964646637643936380a326335353639326362366263373466
63646562353737636333653333373765363331323065386137626161633333643034323962316630
6263373464613033360a376633663236333464393866373733643839336165363761373931623761
37646139633036646435323361326366326134656630656366366434363335353165356431613731
39653364653465613066323164663261363461316662623433663637333330306663633864303862
643261393832643433326332366166383239

View File

@@ -0,0 +1,19 @@
[defaults]
# Chick-Fil-A would like a word...
nocows = True
# Installs collections into [current dir]/ansible_collections/namespace/collection_name
collections_paths = ./collections:~/.ansible/collections
# Installs roles into [current dir]/roles/namespace.rolename
roles_path = ./roles
inventory = ./inventory
# default user to use for playbooks if user is not specified
# (/usr/bin/ansible will use current user as default)
remote_user = wed
private_key_file = ~/.ssh/ansible
allow_world_readable_tmpfiles = True

View File

@@ -0,0 +1,5 @@
---
roles: []
collections: []
# - name: community.docker

View File

@@ -0,0 +1,23 @@
- name: "Playbook to test the inventory_hostname and ansible_hostname"
hosts: ipaserver
# gather_facts: true
tasks:
- name: "What is my inventory_hostname"
ansible.builtin.debug:
var: inventory_hostname
- name: "What is my hostname"
ansible.builtin.debug:
var: hostname
- name: "What is my ansible_hostname"
ansible.builtin.debug:
var: ansible_hostname
- name: "What is my ansible_host"
ansible.builtin.debug:
var: ansible_host
# - name: "Ansible | List all known variables and facts"
# ansible.builtin.debug:
# var: hostvars[inventory_hostname]

View File

@@ -0,0 +1,14 @@
---
ipaadmin_password: "{{ vault_ipaadmin_password }}"
ipadm_password: "{{ vault_ipadm_password }}"
ipaserver_domain: int.mk-labs.cloud
ipaserver_realm: INT.MK-LABS.CLOUD
ipaserver_setup_firewalld: true
ipaserver_setup_dns: true
ipaserver_forwarders: 1.1.1.1,1.0.0.1
ipaserver_random_serial_numbers: true
#dns_ip_addresses: "{{ ansible_hostname }}"
#dns_reverse_zones:
#domain: int.mk-labs.cloud
forwarders: 1.1.1.1,1.0.0.1
#hostname: "{{ hostname }}"

View File

@@ -0,0 +1,5 @@
---
unbound_do_ip6: "no"
#unbound_forward_zones:
unbound_chroot: "/etc/unbound"
#unbound_pidfile: "/etc/unbound/unbound.pid"

View File

@@ -0,0 +1,2 @@
---
hostname: infra01.int.mk-labs.cloud

View File

@@ -0,0 +1,6 @@
$ANSIBLE_VAULT;1.1;AES256
36383531343863313331636462653666393131633533346433343237653433633938343737363531
3330616336336635313037356130373231643531613237340a613663303764333837333438343433
38373264316533613763373634343735323764316364376138613934323339653735303562636631
6166393933356663660a393036653937386239396331653037376564663232666561306631306331
6362

View File

@@ -0,0 +1,9 @@
$ANSIBLE_VAULT;1.1;AES256
36393261393537313432333136623438383339303162636464353239386433316134613537336263
6462326336363562613431653435353032383064303166340a333761633530643265336465663634
65633864653830653738333563326162326430666237303362336537306238356231393761376539
3335336333316231620a633562633731396464393366323762323365383664326430323038646566
34643339303863303734623038393336313264636439636663616462613465303232643337653539
39386231373231306639343561613665626634383932393836616239643662376237353965316162
64623934616533386664333732343230626130343630393235303863366536363033323335323337
61356536323131383438

View File

@@ -0,0 +1,2 @@
---
hostname: unbound.int.mk-labs.cloud

View File

@@ -0,0 +1,2 @@
---
hostname: unbound01.int.mk-labs.cloud

View File

@@ -0,0 +1,2 @@
---
hostname: unbound02.int.mk-labs.cloud

View File

@@ -0,0 +1,10 @@
---
- name: Playbook to configure IPA server
hosts: ipaserver
become: true
vars_files:
- idm-vault.yml
roles:
- role: freeipa.ansible_freeipa.ipaserver
state: present

View File

@@ -0,0 +1,9 @@
$ANSIBLE_VAULT;1.1;AES256
62613936343461366134333738386435646236386662663434373563663433393437383961336634
6234303634383134623162396130623562353332313463620a373364393561633038383662643561
37636232366532623364306638373064623433626364383639353137653139353764343466386463
3237373565653262630a383633353438303934643064623464313639623963386661393562333738
39316136633733386166663433633434653636333239323236306161653864353666653137653935
34636236353635336631313432386362616462383763346162363466323432333064633336646439
38656362306337393065366362653864363438313934333235616338653934626535363266633039
38626466343338313239

View File

@@ -0,0 +1,32 @@
---
proxmox:
hosts:
pve01:
ansible_host: 10.10.21.51
pve02:
ansible_host: 10.10.21.52
pve03:
ansible_host: 10.10.21.53
unbound_servers:
hosts:
unbound:
ansible_host: 10.1.71.254
unbound01:
ansible_host: 10.1.71.254
unbound02:
ansible_host: 10.1.71.253
ipaserver:
hosts:
infra01:
ansible_host: 10.1.71.5
ipareplicas:
hosts:
# infra02.int.mk-labs.cloud:
# ansible_host: 10.1.71.6
#infra:
# hosts:
# awx.int.mk-labs.cloud:

View File

View File

@@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINnSM/9fO8rz/amqkyoGUzUKNNzzmtSXPwOCr1O9zKNO ansible

View File

@@ -0,0 +1,4 @@
[Resolve]
DNS=127.0.0.1
DNSSEC=yes
DNSStubListener=no

View File

@@ -0,0 +1,236 @@
## Authoritative, validating, recursive caching DNS
## unbound.conf -- https://calomel.org
#
server:
# log verbosity
verbosity: 1
chroot: ""
# specify the interfaces to answer queries from by ip-address. The default
# is to listen to localhost (127.0.0.1 and ::1). specify 0.0.0.0 and ::0 to
# bind to all available interfaces. specify every interface[@port] on a new
# 'interface:' labeled line. The listen interfaces are not changed on
# reload, only on restart.
interface: 0.0.0.0
# port to answer queries from
port: 53
# Enable IPv4, "yes" or "no".
do-ip4: yes
# Enable IPv6, "yes" or "no".
do-ip6: no
# Enable UDP, "yes" or "no".
do-udp: yes
# Enable TCP, "yes" or "no". If TCP is not needed, Unbound is actually
# quicker to resolve as the functions related to TCP checks are not done.i
# NOTE: you may need tcp enabled to get the DNSSEC results from *.edu domains
# due to their size.
do-tcp: yes
# control which client ips are allowed to make (recursive) queries to this
# server. Specify classless netblocks with /size and action. By default
# everything is refused, except for localhost. Choose deny (drop message),
# refuse (polite error reply), allow (recursive ok), allow_snoop (recursive
# and nonrecursive ok)
access-control: 192.168.1.0/24 allow
access-control: 192.168.3.0/24 allow
access-control: 192.168.10.0/24 allow
access-control: 10.1.71.0/24 allow
# Read the root hints from this file. Default is nothing, using built in
# hints for the IN class. The file has the format of zone files, with root
# nameserver names and addresses only. The default may become outdated,
# when servers change, therefore it is good practice to use a root-hints
# file. get one from https://www.internic.net/domain/named.root
root-hints: "/etc/unbound/root.hints"
# enable to not answer id.server and hostname.bind queries.
hide-identity: yes
# enable to not answer version.server and version.bind queries.
hide-version: yes
# Will trust glue only if it is within the servers authority.
# Harden against out of zone rrsets, to avoid spoofing attempts.
# Hardening queries multiple name servers for the same data to make
# spoofing significantly harder and does not mandate dnssec.
harden-glue: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the
# zone becomes bogus. Harden against receiving dnssec-stripped data. If you
# turn it off, failing to validate dnskey data for a trustanchor will trigger
# insecure mode for that zone (like without a trustanchor). Default on,
# which insists on dnssec data for trust-anchored zones.
harden-dnssec-stripped: yes
# Use 0x20-encoded random bits in the query to foil spoof attempts.
# http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
# While upper and lower case letters are allowed in domain names, no significance
# is attached to the case. That is, two names with the same spelling but
# different case are to be treated as if identical. This means calomel.org is the
# same as CaLoMeL.Org which is the same as CALOMEL.ORG.
use-caps-for-id: yes
# the time to live (TTL) value lower bound, in seconds. Default 0.
# If more than an hour could easily give trouble due to stale data.
cache-min-ttl: 3600
# the time to live (TTL) value cap for RRsets and messages in the
# cache. Items are not cached for longer. In seconds.
cache-max-ttl: 86400
# perform prefetching of close to expired message cache entries. If a client
# requests the dns lookup and the TTL of the cached hostname is going to
# expire in less than 10% of its TTL, unbound will (1st) return the ip of the
# host to the client and (2nd) pre-fetch the dns request from the remote dns
# server. This method has been shown to increase the amount of cached hits by
# local clients by 10% on average.
prefetch: yes
# number of threads to create. 1 disables threading. This should equal the number
# of CPU cores in the machine. Our example machine has 4 CPU cores.
num-threads: 2
## Unbound Optimization and Speed Tweaks ###
# the number of slabs to use for cache and must be a power of 2 times the
# number of num-threads set above. more slabs reduce lock contention, but
# fragment memory usage.
msg-cache-slabs: 8
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8
# Increase the memory size of the cache. Use roughly twice as much rrset cache
# memory as you use msg cache memory. Due to malloc overhead, the total memory
# usage is likely to rise to double (or 2.5x) the total cache memory. The test
# box has 4gig of ram so 256meg for rrset allows a lot of room for cacheed objects.
rrset-cache-size: 256m
msg-cache-size: 128m
# buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
# the kernel buffer larger so that no messages are lost in spikes in the traffic.
so-rcvbuf: 1m
## Unbound Optimization and Speed Tweaks ###
# Enforce privacy of these addresses. Strips them away from answers. It may
# cause DNSSEC validation to additionally mark it as bogus. Protects against
# 'DNS Rebinding' (uses browser as network proxy). Only 'private-domain' and
# 'local-data' names are allowed to have these private addresses. No default.
private-address: 192.168.1.0/24
private-address: 192.168.3.0/24
private-address: 192.168.10.0/24
private-address: 10.1.71.0/24
# Allow the domain (and its subdomains) to contain private addresses.
# local-data statements are allowed to contain private addresses too.
private-domain: "mk-labs.cloud"
# If nonzero, unwanted replies are not only reported in statistics, but also
# a running total is kept per thread. If it reaches the threshold, a warning
# is printed and a defensive action is taken, the cache is cleared to flush
# potential poison out of it. A suggested value is 10000000, the default is
# 0 (turned off). We think 10K is a good value.
unwanted-reply-threshold: 10000
# IMPORTANT FOR TESTING: If you are testing and setup NSD or BIND on
# localhost you will want to allow the resolver to send queries to localhost.
# Make sure to set do-not-query-localhost: yes . If yes, the above default
# do-not-query-address entries are present. if no, localhost can be queried
# (for testing and debugging).
do-not-query-localhost: no
# File with trusted keys, kept up to date using RFC5011 probes, initial file
# like trust-anchor-file, then it stores metadata. Use several entries, one
# per domain name, to track multiple zones. If you use forward-zone below to
# query the Google DNS servers you MUST comment out this option or all DNS
# queries will fail.
#auto-trust-anchor-file: "/etc/unbound/root.key"
# Should additional section of secure message also be kept clean of unsecure
# data. Useful to shield the users of this validator from potential bogus
# data in the additional section. All unsigned data in the additional section
# is removed from secure messages.
val-clean-additional: yes
# Blocking Ad Server domains. Google's AdSense, DoubleClick and Yahoo
# account for a 70 percent share of all advertising traffic. Block them.
# local-zone: "doubleclick.net" redirect
# local-data: "doubleclick.net A 127.0.0.1"
# local-zone: "googlesyndication.com" redirect
# local-data: "googlesyndication.com A 127.0.0.1"
# local-zone: "googleadservices.com" redirect
# local-data: "googleadservices.com A 127.0.0.1"
# local-zone: "google-analytics.com" redirect
# local-data: "google-analytics.com A 127.0.0.1"
# local-zone: "ads.youtube.com" redirect
# local-data: "ads.youtube.com A 127.0.0.1"
# local-zone: "adserver.yahoo.com" redirect
# local-data: "adserver.yahoo.com A 127.0.0.1"
# local-zone: "ask.com" redirect
# local-data: "ask.com A 127.0.0.1"
# Unbound will not load if you specify the same local-zone and local-data
# servers in the main configuration as well as in this "include:" file. We
# suggest commenting out any of the local-zone and local-data lines above if
# you suspect they could be included in the unbound_ad_servers servers file.
#include: "/etc/unbound/unbound_ad_servers"
# locally served zones can be configured for the machines on the LAN.
# local-zone: "home.lan." static
# local-data: "firewall.home.lan. IN A 10.0.0.1"
# local-data-ptr: "10.0.0.1 firewall.home.lan"
# Unbound can query your NSD or BIND server for private domain queries too.
# On our NSD page we have NSD configured to serve the private domain,
# "home.lan". Here we can tell Unbound to connect to the NSD server when it
# needs to resolve a *.home.lan hostname or IP.
#
# private-domain: "home.lan"
# local-zone: "0.0.10.in-addr.arpa." nodefault
# stub-zone:
# name: "home.lan"
# stub-addr: 10.0.0.111@53
# If you have an internal or private DNS names the external DNS servers can
# not resolve, then you can assign domain name strings to be redirected to a
# seperate dns server. For example, our comapny has the domain
# organization.com and the domain name internal.organization.com can not be
# resolved by Google's public DNS, but can be resolved by our private DNS
# server located at 1.1.1.1. The following tells Unbound that any
# organization.com domain, i.e. *.organization.com be dns resolved by 1.1.1.1
# instead of the public dns servers.
#
forward-zone:
name: "int.mk-labs.cloud"
forward-addr: 10.1.71.5 # Internal or private DNS
# Use the following forward-zone to forward all queries to Google DNS,
# OpenDNS.com or your local ISP's dns servers for example. To test resolution
# speeds use "drill calomel.org @8.8.8.8" and look for the "Query time:" in
# milliseconds.
#
forward-zone:
name: "."
forward-addr: 1.0.0.1@53#one.one.one.one
forward-addr: 1.1.1.1@53#one.one.one.one
# forward-addr: 8.8.8.8@53#dns.google
# forward-addr: 9.9.9.9@53#dns.quad9.net
# forward-addr: 1.0.0.1@53#one.one.one.one
# forward-addr: 8.8.4.4@53#dns.google
# forward-addr: 149.112.112.112@53#dns.quad9.net
#
#
## Authoritative, validating, recursive caching DNS
## unbound.conf -- https://calomel.org

View File

@@ -0,0 +1,15 @@
---
- name: Set hostname
hosts: ipa_server
become: true
gather_facts: true
tasks:
- name: Set hostname
ansible.builtin.hostname:
name: "{{ hostname }}"
register: result
- name: Print result
ansible.builtin.debug:
var: result

View File

@@ -0,0 +1,14 @@
---
- name: Update sudoers for passwordless
hosts: unbound_servers
become: true
gather_facts: true
tasks:
- name: Update sudoers for passwordless
ansible.builtin.lineinfile:
path: /etc/sudoers
state: present
regexp: '^%wheel'
line: '%wheel ALL=(ALL) NOPASSWD:ALL'
validate: 'visudo -cf %s'

View File

@@ -0,0 +1,4 @@
---
# file: site.yml
#- import_playbook: webservers.yml
#- import_playbook: dbservers.yml

View File

@@ -0,0 +1,8 @@
---
- name: Playbook to unconfigure IPA servers
hosts: ipaserver
become: true
roles:
- role: freeipa.ansible_freeipa.ipaserver
state: absent

View File

@@ -0,0 +1,10 @@
$ANSIBLE_VAULT;1.1;AES256
66323366323966373436343163303131323239343134323434373762383539663539363464393234
3762666265303430373832333865613538316261386162640a653562666130323138313533616334
37623336653332353830306534633165626634376636396166356235353937323965616161323437
3536643537623931380a633730366330396538373836326439306566666663633932393230323563
30643032646366393530663138376638386538336466633532303563636163303637303933646465
37316239393136383638636436646230643338616438646564396238376136653639393865363666
39346337356133313938303938643866346636663737323238333762386234373563633761333166
36373063643438303930313366653436363731656163376666323330633763373361393663633631
39353232346634633836623134383861656337663062393232373932353431323730