From 847c90dfbacfbbbaaf75ba2fc065ac213cd1e02b Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Sun, 23 Dec 2018 12:20:19 +0100
Subject: [PATCH] Initial commit
---
 .gitignore | 1 +
 README.md | 30 ++++++++++++++++
 base.yml | 6 ++++
 group_vars/all/vars.yml | 16 +++++++++
 group_vars/all/vault.yml | 49 ++++++++++++++++++++++++++
 group_vars/horus/ssh_through_proxy.yml | 3 ++
 hosts | 36 +++++++++++++++++++
 ldap.yml | 6 ++++
 8 files changed, 147 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 README.md
 create mode 100644 base.yml
 create mode 100644 group_vars/all/vars.yml
 create mode 100644 group_vars/all/vault.yml
 create mode 100644 group_vars/horus/ssh_through_proxy.yml
 create mode 100644 hosts
 create mode 100644 ldap.yml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a8b42eb
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+*.retry
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..1b7ba10
--- /dev/null
+++ b/README.md
@@ -0,0 +1,30 @@
+# Playbook et rôles Ansible d'Aurore
+
+## Exécution d'un playbook
+
+```bash
+ansible-playbook --ask-vault-pass -K -i hosts base.yml
+```
+
+## FAQ
+
+### Automatiquement ajouter fingerprint ECDSA (dangereux !)
+
+Il faut changer la variable d'environnement suivante :
+`ANSIBLE_HOST_KEY_CHECKING=0`.
+
+### Configurer la connexion au bastion
+
+Dans la configuration SSH :
+
+```
+# Keep session alive only for bastion
+Host proxy.auro.re
+ ControlMaster auto
+ ControlPath ~/.ssh/%r@%h:%p
+
+Host *.auro.re 10.128.0.*
+ IdentityFile ~/.ssh/id_rsa_aurore
+ ForwardAgent yes
+```
+
diff --git a/base.yml b/base.yml
new file mode 100644
index 0000000..828f6a8
--- /dev/null
+++ b/base.yml
@@ -0,0 +1,6 @@
+---
+# Put a common configuration on all servers
+- hosts: all
+ roles:
+ - baseconfig
+
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
new file mode 100644
index 0000000..6b21e5f
--- /dev/null
+++ b/group_vars/all/vars.yml
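Review bot: The play at `- hosts: all` in base.yml applies role `baseconfig`, but no `roles/` directory is part of this commit (the diffstat lists eight files, none under roles/), so the `ansible-playbook -i hosts base.yml` invocation documented in the README fails at role resolution unless the role is supplied from an external roles path or a requirements file. The same applies to `ldap-client` in ldap.yml. Either add the roles (or a `requirements.yml` plus the `ansible-galaxy install` step) in a follow-up, or state the dependency next to the role entry, e.g. `# baseconfig must be available in roles/ or on ANSIBLE_ROLES_PATH`.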
@@ -0,0 +1,16 @@
+---
+# LDAP binding
+ldap_uri: 'ldap://10.128.0.11/'
+ldap_base: 'dc=auro,dc=re'
+ldap_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}"
+ldap_passwd: "{{ vault_ldap_passwd }}"
+
+# Scripts will tell users to go there to manage their account
+intranet_url: 'https://re2o.auro.re/'
+
+# Users in that group will be able to `sudo`
+sudo_group: 'sudoldap'
+
+# SSH keys for root account to use when LDAP is broken
+ssh_pub_keys: "{{ vault_ssh_pub_keys }}"
+
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
new file mode 100644
index 0000000..090355b
--- /dev/null
+++ b/group_vars/all/vault.yml
@@ -0,0 +1,49 @@
+$ANSIBLE_VAULT;1.1;AES256
+32366661316664386431313536386232363262626438626631386134373733666466643833373938
+3266333865383432333531393864666564346131333764360a303439343865333935313936373337
+64353531623837663231316435653337313764613233343636323863356535626534373632383664
+3965386436666663300a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
diff --git a/group_vars/horus/ssh_through_proxy.yml b/group_vars/horus/ssh_through_proxy.yml
new file mode 100644
index 0000000..cbc38e5
--- /dev/null
+++ b/group_vars/horus/ssh_through_proxy.yml
@@ -0,0 +1,3 @@
+---
+
+ansible_ssh_extra_args: -o ProxyCommand='ssh -W %h:%p -q proxy.auro.re'
diff --git a/hosts b/hosts
new file mode 100644
index 0000000..32510a8
--- /dev/null
+++ b/hosts
@@ -0,0 +1,36 @@
+# Aurore servers inventory
+
+[horus-pve]
+#virtu.fede-aurore.net
+
+[horus-proxy]
+proxy-web ansible_host=10.128.0.254
+
+[horus-services-bdd]
+services-bdd ansible_host=10.128.0.31
+
+[horus-wiki]
+wiki ansible_host=10.128.0.51
+
+[horus-phabricator]
+phabricator ansible_host=10.128.0.50
+
+# everything in horus (ovh)
+[horus:children]
+horus-pve
+horus-proxy
+horus-services-bdd
+horus-wiki
+horus-phabricator
+
+# every LXC container
+[container:children]
+horus-proxy
+horus-services-bdd
+horus-wiki
+horus-phabricator
+
+# every PVE
+[pve:children]
+horus-pve
+
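Review bot: `ldap_uri: 'ldap://10.128.0.11/'` in group_vars/all/vars.yml is a cleartext URI, and `ldap_bind_dn` / `ldap_passwd` bind to it with the nslcd service password taken from the vault; unless the ldap-client role (not part of this commit) turns on StartTLS, that password and every directory lookup cross the network unencrypted, which defeats the purpose of keeping it in vault.yml. If the directory offers TLS, prefer `ldap_uri: 'ldaps://10.128.0.11/'` (or have the role request StartTLS) and ship the CA certificate; if plain LDAP is deliberately accepted on this network, say so on the `# LDAP binding` comment so the choice is not mistaken for an oversight. Note that with a bare IP in the URI, certificate hostname validation will only work if the server certificate carries that IP as a SAN.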
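Review bot: The ProxyCommand in group_vars/horus/ssh_through_proxy.yml is set through `ansible_ssh_extra_args`, which Ansible appends only to the `ssh` command line and not to the `sftp`/`scp` invocations it uses to copy modules and files to the target; for hosts that are only reachable through `proxy.auro.re`, those transfers would bypass the jump host and fail unless a piped transfer method is configured. `ansible_ssh_common_args` is the variable documented for a ProxyCommand because it is applied to ssh, sftp and scp alike: `ansible_ssh_common_args: -o ProxyCommand='ssh -W %h:%p -q proxy.auro.re'`. A one-line comment above it naming the bastion's role (`# All horus hosts are reached through the proxy.auro.re bastion`) would also help readers who only see the inventory's 10.128.0.x addresses.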
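Review bot: In the hosts inventory the only member of `[horus-pve]` is commented out (`#virtu.fede-aurore.net`), so the `pve` group is empty and any play targeting it is a silent no-op while `horus:children` still lists the group. A comment on the group stating why it is left empty, e.g. `# PVE host intentionally unmanaged for now`, would keep the next reader from treating it as an inventory mistake. Since every host in `horus` inherits the group_vars/horus jump configuration, it is also worth noting on `proxy-web ansible_host=10.128.0.254` whether that host is the bastion itself, because it will then be connected to through `proxy.auro.re` like the others.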
diff --git a/ldap.yml b/ldap.yml
new file mode 100644
index 0000000..c9dda6a
--- /dev/null
+++ b/ldap.yml
@@ -0,0 +1,6 @@
+---
+# Plug only containers on LDAP
+- hosts: container
+ roles:
+ - ldap-client
+