


Dustin a02ddbb53f roles/apache: Support setting ServerTokens
The `apache_server_tokens` variable can now be set, which controls the
value of the `ServerTokens` directive. If the variable is set, the
`ServerTokens` directive will be added to the `00-servername.conf` file.
2018-06-23 14:42:45 -05:00
Dustin 10d6b52460 roles/samba: Support selecting interfaces
The `samba_interfaces` variable can now be defined to populate the
`interfaces` global configuration parameter in `smb.conf`. This
parameter controls the interfaces or addresses to which the Samba server
binds, and also the IP addresses that are registered in DNS.
2018-06-23 14:42:45 -05:00
Dustin 9d54411d52 roles/dch-proxy: Add backend for Jenkins
This commit configures HAProxy to proxy *jenkins.pyrocufflink.net* and
*jenkins.pyrocufflink.blue* to the Jenkins master.
2018-06-23 14:42:45 -05:00
Dustin c95a4b7379 roles/certbot: Support using existing account data
The *certbot* role now supports copying the data for an existing Let's
Encrypt account to the managed node using an archive. If an archive
named for the inventory hostname (typically the FQDN) of the managed
node is found in the `accounts` directory under the `files` directory of
the *certbot* role, it will be copied to the managed node and extracted
at `/var/lib/letsencrypt/accounts`. This takes the place of running
`certbot register` to sign up for a new account.
2018-06-23 13:44:34 -05:00
Dustin 52436acb48 roles/certbot: Add some task tags
The *install* tag is applied to any task that installs a package.

The *user* tag is applied to any task that creates an OS user or group.

The *group* tag is applied to any task that creates an OS user group.
2018-06-23 13:43:14 -05:00
Dustin 7766cc1d05 ci: zabbix: Specify credentials
Since the host *gw0* is not a member of the *pyrocufflink.blue* domain,
GSSAPI authentication does not work. As such, the SSH private key has to
be made available to the `ansible-playbook` process for authentication
to that host.
2018-06-22 19:43:08 -05:00
Dustin cae9f2e3c2 ci: zabbix: Separate server, agent stages
Separating the Zabbix server and agent playbooks into separate stages
allows better visibility into the time taken for each.
2018-06-22 19:43:06 -05:00
Dustin 0500adadfa ci: zabbix: Use multiple sudo-pass files
The `zabbix.yml` playbook applies to hosts that are not members of the
*pyrocufflink.blue* domain, and thus have different passwords for
`sudo`. Using the `-e` argument to `ansible-playbook` and specifying a
single Vault-encrypted file that defines the `ansible_become_password`
variable effectively forces Ansible to try to use that password on every
host. This is because variables defined on the command line, or read
from a file specified on the command line, have the highest precedence.

To use different passwords on different hosts, the normal variable
scoping rules have to be used. To that end, one `sudo-pass` file is
created in the `group_vars/pyrocufflink` directory, so it will apply to
all machines that are members of the *pyrocufflink.blue* domain.
Additionally, another `sudo-pass` file is created in the `host_vars/gw0`
directory; it will only apply to the gateway device.
2018-06-22 19:33:23 -05:00
Dustin b809d4294f pyrocufflink: Convert variables file to directory
Converting the *pyrocufflink* group variables definition from a file to
a directory will allow Jenkins jobs to place a Vault-encrypted file
within it that defines the `ansible_become_password` variable. In this
way, a different password can be used for machines that are members of
the *pyrocufflink.blue* domain than for other hosts. The existing
mechanism of specifying the path to the Vault-encrypted file that
defines the variable allows only a single password to be defined, so it
does not work when multiple machines in the same play have different
passwords.
2018-06-22 19:20:22 -05:00
8 changed files with 94 additions and 34 deletions


@ -17,53 +17,65 @@ pipeline {
variable: 'KEYTAB')]) {
sh 'kinit -kt "${KEYTAB}" jenkins@PYROCUFFLINK.BLUE'
}
withCredentials([file(
credentialsId: 'vault-jenkins@pyrocufflink.blue',
variable: 'SUDO_PASS_FILE'
)]) {
sh 'cp "${SUDO_PASS_FILE}" group_vars/pyrocufflink/sudo-pass'
}
withCredentials([file(
credentialsId: 'vault-jenkins@gw0',
variable: 'SUDO_PASS_FILE'
)]) {
sh 'cp -f "${SUDO_PASS_FILE}" host_vars/gw0/sudo-pass'
}
}
}
stage('Remount R/W') {
steps {
withCredentials([file(
credentialsId: 'vault-jenkins@pyrocufflink.blue',
variable: 'SUDO_PASS_FILE')]) {
ansiblePlaybook \
playbook: 'remount.yml',
limit: 'zabbix',
become: true,
vaultCredentialsId: 'ansible-vault',
extraVars: [
remount_state: 'rw',
],
extras: '-e@"${SUDO_PASS_FILE}"'
}
ansiblePlaybook \
playbook: 'remount.yml',
limit: 'zabbix',
become: true,
credentialsId: 'jenkins-ssh',
vaultCredentialsId: 'ansible-vault',
extraVars: [
remount_state: 'rw',
]
}
}
stage('Zabbix') {
stage('Zabbix Server') {
steps {
withCredentials([file(
credentialsId: 'vault-jenkins@pyrocufflink.blue',
variable: 'SUDO_PASS_FILE')]) {
ansiblePlaybook \
playbook: 'zabbix.yml',
become: true,
vaultCredentialsId: 'ansible-vault',
extras: '-e@"${SUDO_PASS_FILE}" --diff'
}
ansiblePlaybook \
playbook: 'zabbix-server.yml',
become: true,
vaultCredentialsId: 'ansible-vault',
extras: '--diff'
}
}
stage('Zabbix Agent') {
steps {
ansiblePlaybook \
playbook: 'zabbix-agent.yml',
limit: '!gw0',
become: true,
credentialsId: 'jenkins-ssh',
vaultCredentialsId: 'ansible-vault',
extras: '--diff'
}
}
stage('Remount R/O') {
steps {
withCredentials([file(
credentialsId: 'vault-jenkins@pyrocufflink.blue',
variable: 'SUDO_PASS_FILE')]) {
ansiblePlaybook \
playbook: 'remount.yml',
limit: 'zabbix',
become: true,
vaultCredentialsId: 'ansible-vault',
extras: '-e@"${SUDO_PASS_FILE}"'
}
ansiblePlaybook \
playbook: 'remount.yml',
limit: 'zabbix',
become: true,
credentialsId: 'jenkins-ssh',
vaultCredentialsId: 'ansible-vault'
}
}
@ -72,6 +84,7 @@ pipeline {
post {
always {
sh 'kdestroy'
sh 'find . -name sudo-pass -delete'
}
failure {
emailext \
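Review bot: The `ansiblePlaybook` step in the 'Zabbix Server' stage (the one running `zabbix-server.yml`) is the only playbook step in the hunk that does not pass `credentialsId: 'jenkins-ssh'`, while the 'Remount R/W', 'Zabbix Agent' and 'Remount R/O' steps all do; given the stated reason for the key (GSSAPI does not work for *gw0*), this is only safe if that playbook never targets *gw0*, which the hunk does not show. If it is intentional, a one-line comment saying so would prevent someone "fixing" it later; otherwise add `credentialsId: 'jenkins-ssh',` alongside `become: true`. A second inconsistency in the same hunk: the first staging step uses `sh 'cp "${SUDO_PASS_FILE}" group_vars/pyrocufflink/sudo-pass'` without `-f` while the gw0 one uses `cp -f`, so a stale copy left by a run that never reached `post { always }` could make the copy fail; use `cp -f` in both. The `find . -name sudo-pass -delete` cleanup in `post` would also remove any tracked file of that name in the checkout, so it is worth confirming none exists.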


@ -10,3 +10,7 @@ ServerName {{ apache_server_name }}
{% else %}
#ServerName www.example.com:80
{% endif %}
{% if apache_server_tokens is defined %}
ServerTokens {{ apache_server_tokens }}
{% endif %}
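Review bot: When `apache_server_tokens` is undefined the new `{% if apache_server_tokens is defined %}` block emits nothing, so httpd falls back to its built-in `ServerTokens` default, which is the most verbose setting (`Full`, exposing server version and loaded modules in the `Server` header). Since the point of the variable is to control that disclosure, consider making the hardened value the default rather than opt-in, e.g. a role default of `Prod` and `ServerTokens {{ apache_server_tokens | default('Prod') }}` in place of the conditional. The value is also interpolated unvalidated, so a short comment in the role defaults listing the accepted values (`Prod`, `Major`, `Minor`, `Min`, `OS`, `Full`) would help callers.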


@ -2,11 +2,16 @@
package:
name=certbot
state=present
tags:
- install
- name: ensure certbot group exists
group:
name=certbot
system=yes
tags:
- group
- user
- name: ensure certbot user exists
user:
name=certbot
@ -15,6 +20,8 @@
home=/var/lib/letsencrypt
createhome=no
state=present
tags:
- user
- name: ensure certbot data directory exists
file:
@ -23,6 +30,13 @@
owner=certbot
group=certbot
state=directory
- name: ensure certbot accounts directory exists
file:
path=/var/lib/letsencrypt/accounts
mode=0700
owner=certbot
group=certbot
state=directory
- name: ensure certbot log directory exists
file:
path=/var/log/letsencrypt
@ -45,7 +59,14 @@
mode=0644
notify: reload httpd
- name: ensure certbot account is registered
- name: ensure letsencrypt account data are installed
become: true
become_user: certbot
unarchive:
src={{ item }}
dest=/var/lib/letsencrypt/accounts/
with_fileglob: accounts/{{ inventory_hostname }}.tar.xz
- name: ensure letsencrypt account is registered
become: true
become_user: certbot
command:
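Review bot: The new `ensure letsencrypt account data are installed` task extracts the account archive with whatever member modes the tarball carries, so if the archive was created with permissive modes the ACME account private key under `/var/lib/letsencrypt/accounts/` ends up readable by more than the `certbot` user; the 0700 on the `accounts` directory only protects the top level. Either set `mode` on the `unarchive` task or add a follow-up `file` task that tightens the extracted key files, and document the expected archive layout in a comment above `with_fileglob`. Because `src={{ item }}` is resolved from the role's `files/accounts/` directory, the archive (and the account key inside it) lives alongside the role; the hunk does not show whether it is Vault-encrypted or excluded from version control, and that should be confirmed. The `ensure letsencrypt account is registered` task continues outside the hunk, so whether it is skipped when an archive was installed cannot be checked here.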


@ -18,3 +18,10 @@
dest=/etc/haproxy/70-backend-gitea.cfg
mode=0644
notify: reload haproxy
- name: ensure jenkins haproxy backend is configured
template:
src=backend-jenkins.haproxy.cfg.j2
dest=/etc/haproxy/70-backend-jenkins.cfg
mode=0644
notify: reload haproxy


@ -0,0 +1,7 @@
backend jenkins
server jenkins jenkins.pyrocufflink.blue:80 check
backend jenkins-tls
mode tcp
server jenkins jenkins.pyrocufflink.blue:443 check


@ -3,6 +3,8 @@ frontend main
use_backend gitea if { hdr(host) -i git.pyrocufflink.blue }
use_backend gitea if { hdr(host) -i git.pyrocufflink.net }
use_backend jenkins if { hdr(host) -i jenkins.pyrocufflink.blue }
use_backend jenkins if { hdr(host) -i jenkins.pyrocufflink.net }
default_backend myala
@ -16,4 +18,6 @@ frontend main-tls
use_backend gitea-tls if { req_ssl_sni -i git.pyrocufflink.blue }
use_backend gitea-tls if { req_ssl_sni -i git.pyrocufflink.net }
use_backend jenkins-tls if { req_ssl_sni -i jenkins.pyrocufflink.blue }
use_backend jenkins-tls if { req_ssl_sni -i jenkins.pyrocufflink.net }
default_backend myala-tls


@ -11,6 +11,10 @@ server role = {{ samba_server_role }}
{% else %}
security = {{ samba_security }}
{% endif %}
{% if samba_interfaces is defined %}
interfaces = {{ samba_interfaces|join(' ') }}
{% endif %}
{% if samba_options is defined %}
{% for option in samba_options %}