The *freeradius* role is used to install and configure FreeRADIUS. The
configuration system for it is extremely complicated, with dozens of
files in several directories. The default configuration has a plethora
of options enabled that are not needed in most cases, so they are
disabled here. Since the initial (and perhaps only) use case I have for
RADIUS is WiFi authentication via certificates, only the EAP-TLS
mechanism is enabled currently.
Many hosts have a read-only root filesystem, as well as some other
read-only paths that need to be remounted before configuration changes
can be made. The `remount.yml` playbook can be used to remount select
filesystems as either read-write or read-only (the default). It is
intended to be used before and after other playbooks, to ensure the
filesystems are in the correct state.
The *postfix* role installs and configures the Postfix MTA. It currently
supports a number of modes, including direct transfer and relay. Relay
mode supports STARTTLS security and PLAIN authentication.
Since the location of the configuration drop-in directory can vary by
distribution, it is important to expand the `zbx_agent_config_dir`
variable in the `Include` parameter.
Apparently, the `vault_password_file` setting in `ansible.cfg` overrides
the `--vault-password-file` command-line argument, which breaks the
Jenkins `ansiblePlaybook` task.
The host *zbx0.pyrocufflink.blue* (a Raspberry Pi) runs the Zabbix
server and web UI. It has a reserved IPv4 address to simplify reverse
DNS management for now, since Samba's dynamic DNS client does not
register PTR records.
The *zabbix-agent* role installs the Zabbix monitoring agent on the
managed node, and sets it up to communicate with the Zabbix server
specified by the `zabbix_server` variable. This role "should" be
compatible with most distributions; it has been tested with Fedora and
Gentoo.
The *zabbix-server* role deploys the Zabbix server database, daemon, and
web interface. It requires the *apache* role to configure Apache HTTPD
to serve the web UI.
The *apache* role installs and configures the Apache HTTPD server and
its *mod_ssl* module. It currently only works on Fedora/RHEL-based
distributions.
These IPv6 reverse DNS zones are managed by the Samba AD DCs for the
*pyrocufflink.blue* domain. These zones correspond to the IPv6 prefixes
used by the "blue" network.
The `ad` identity mapper backend is apparently the only one that can
use shell, home directory, etc. attributes from the directory now (as of
Samba 4.6).
Many hosts (should) have `/tmp` mounted with the `noexec` flag, which
prevents Ansible modules written there from running. To work around
this, the `remote_tmp` configuration option should be set to a path
under `/var/tmp`, which is not mounted noexec.
Using a dedicated slave node instead of a Docker container has a few
advantages:
* Persistent configuration is possible, without making weird assumptions
(e.g. Jenkins UID/GID) in the Dockerfile
* Can limit concurrent deployments by controlling executor count on the
node
Dustin