
rework host grouping

keep-around/a4d365bd7aff61134914b70136170bffdf944c59
Loïc Dachary 1 year ago
committed by Loic Dachary
parent
commit
ece371aa00
Signed by: dachary GPG Key ID: 992D23B392F9E4F2
  1. 1
      development-inventory/services.yml
  2. 6
      development-inventory/test-hosts.yml
  3. 4
      inventories/dachary/firewall.yml
  4. 6
      inventories/dachary/hosts.yml
  5. 5
      inventories/fpoulain-dachary/firewall.yml
  6. 7
      inventories/fpoulain-dachary/hosts.yml
  7. 38
      inventory/02-all.yml
  8. 6
      inventory/all.yml
  9. 16
      inventory/firewall.yml
  10. 118
      inventory/services.yml
  11. 2
      molecule/backup/backup-playbook.yml
  12. 13
      molecule/bind/bind-client-playbook.yml
  13. 2
      molecule/bind/bind-monitoring-playbook.yml
  14. 2
      molecule/bind/bind-playbook-gandi.yml
  15. 2
      molecule/bind/bind-playbook-restart.yml
  16. 2
      molecule/bind/bind-playbook-server.yml
  17. 3
      molecule/bind/molecule.yml
  18. 3
      molecule/bind/roles/install_ssh_records/handlers/main.yml
  19. 4
      molecule/bind/roles/monitoring-bind/handlers/main.yml
  20. 3
      molecule/bind/roles/monitoring-bind/tasks/main.yml
  21. 5
      molecule/cloud/molecule.yml
  22. 4
      molecule/enough/molecule.yml
  23. 6
      molecule/icinga/icinga-playbook.yml
  24. 2
      molecule/icinga/monitor-external-ressources-playbook.yml
  25. 6
      molecule/icinga/roles/deploy_dummy_monitoring_objects/tasks/main.yml
  26. 3
      molecule/icinga/roles/icinga2_client/handlers/main.yml
  27. 9
      molecule/icinga/roles/icinga2_client/tasks/main.yml
  28. 4
      molecule/icinga/roles/icinga2_common/handlers/main.yml
  29. 3
      molecule/icinga/roles/monitor_http_vhost/handlers/main.yml
  30. 3
      molecule/icinga/roles/monitor_http_vhost/tasks/main.yml
  31. 4
      molecule/icinga/roles/monitor_tor_http_vhost/handlers/main.yml
  32. 3
      molecule/icinga/roles/monitor_tor_http_vhost/tasks/main.yml
  33. 2
      molecule/openvpn/openvpn-client-playbook.yml
  34. 4
      molecule/openvpn/openvpn-server-playbook.yml
  35. 2
      molecule/pad/pad-playbook.yml
  36. 2
      molecule/postfix/postfix-client-playbook.yml
  37. 8
      molecule/postfix/postfix-relay-playbook.yml
  38. 3
      molecule/postfix/roles/postfix_relay_monitoring/tasks/main.yml
  39. 2
      molecule/wazuh/molecule.yml
  40. 2
      molecule/wazuh/wazuh-agent-playbook.yml
  41. 2
      molecule/wazuh/wazuh-manager-playbook.yml
  42. 2
      molecule/wekan/test-wekan-playbook.yml
  43. 4
      molecule/wekan/wekan-playbook.yml

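--- a/development-inventory/services.yml
+++ b/development-inventory/services.yml
@@ -0,0 +1 @@
+../inventory/services.yml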

6
development-inventory/test-hosts.yml

@ -1,5 +1,5 @@
---
all:
all-hosts:
hosts:
# infrastructure
infrastructure1-host:
@ -14,8 +14,6 @@ all:
client-host:
# openvpn
openvpnclient-host:
# wekan
wekan-host:
# misc
debian-host:
# backup
@ -32,7 +30,7 @@ firewall_web_server_group:
# wekan
wekan-host:
wekan-group:
wekan-service-group:
hosts:
wekan-host:

4
inventories/dachary/firewall.yml

@ -1,7 +1,3 @@
firewall_ssh_server_group:
hosts:
jmm-host:
firewall_web_server_group:
hosts:
jmm-host:

6
inventories/dachary/hosts.yml

@ -1,5 +1,5 @@
---
all:
all-hosts:
hosts:
# ouvreboite-host:
# authorized_keys_globs:
@ -8,10 +8,6 @@ all:
authorized_keys_globs:
- ssh_keys/dachary.pub
wazuh_agent:
hosts:
jmm-host:
enough:
hosts:
jmm-host:

5
inventories/fpoulain-dachary/firewall.yml

@ -1,8 +1,3 @@
firewall_ssh_server_group:
hosts:
wereport-host:
cloud-host:
firewall_web_server_group:
hosts:
wereport-host:

7
inventories/fpoulain-dachary/hosts.yml

@ -1,5 +1,5 @@
---
all:
all-hosts:
hosts:
wereport-host:
authorized_keys_globs:
@ -9,8 +9,3 @@ all:
authorized_keys_globs:
- ssh_keys/fpoulain.pub
- ssh_keys/dachary.pub
wazuh_agent:
hosts:
wereport-host:
cloud-host:

38
inventory/02-all.yml

@ -15,46 +15,12 @@ enough:
cloud-host:
wereport-host:
wazuh_agent:
hosts:
api-host:
bind-host:
chat-host:
forum-host:
gitlab-host:
icinga-host:
packages-host:
postfix-host:
runner-host:
weblate-host:
website-host:
gitlab:
hosts:
gitlab-host:
api-host:
api-group:
hosts:
api-host:
backup-group:
hosts:
bind-host:
pad-group:
hosts:
website-host:
wekan-group:
hosts:
website-host:
openvpn-group:
hosts:
website-host:
enough-user-group:
children:
backup-group:
api-group:
backup-service-group:
api-service-group:
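Review bot: The `gitlab:` group holding `gitlab-host` is removed in this hunk without any replacement reference visible in the commit, whereas the other dropped groups (`wazuh_agent`, `api-group`, `pad-group`, `wekan-group`, `openvpn-group`) all have their consumers updated in the wazuh, backup, pad, openvpn and wekan playbooks. If a playbook outside this diff still says `hosts: gitlab`, Ansible only warns that the pattern matched no hosts and skips the play, so a grep for the old group names before merging would be prudent. The `enough-user-group` children now point at `backup-service-group` and `api-service-group`, which are defined in the new inventory/services.yml; that part reads fine.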

6
inventory/all.yml

@ -1,14 +1,16 @@
---
all:
all-hosts:
hosts:
api-host:
bind-host:
chat-host:
cloud-host:
forum-host:
gitlab-host:
runner-host:
icinga-host:
packages-host:
postfix-host:
runner-host:
wazuh-host:
weblate-host:
website-host:
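Review bot: `runner-host:` appears twice in this hunk, once after `gitlab-host:` and once after `postfix-host:`; if both lines are on the new side, the second is a duplicate mapping key that YAML parsers accept silently (last wins), so please confirm one of them is the removed line and the other the moved one. The gutter and `+`/`-` markers are lost in this rendering, so the sides cannot be told apart from here.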

16
inventory/firewall.yml

@ -1,18 +1,7 @@
# ssh
firewall_ssh_server_group:
hosts:
api-host:
bind-host:
postfix-host:
icinga-host:
forum-host:
wazuh-host:
weblate-host:
gitlab-host:
runner-host:
packages-host:
website-host:
chat-host:
children:
all-hosts:
# postfix
firewall_postfix_server_group:
@ -51,6 +40,7 @@ firewall_web_server_group:
hosts:
api-host:
chat-host:
cloud-host:
forum-host:
gitlab-host:
icinga-host:
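Review bot: `firewall_ssh_server_group` is no longer an explicit allow list: it now reads as `children: all-hosts`, so every host added to `all-hosts` anywhere in the inventory gets the ssh rule implicitly, including the hosts whose explicit ssh entries this commit deletes in inventories/dachary/firewall.yml and inventories/fpoulain-dachary/firewall.yml. That may well be the intended default for managed hosts, but it is a silent widening compared to the old per-host list and deserves a line in the file, e.g. `# ssh is opened on every member of all-hosts; adding a host there also exposes ssh` above `children:`. The second hunk adds `cloud-host` to `firewall_web_server_group`, consistent with the new `cloud-service-group`.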

118
inventory/services.yml

@ -0,0 +1,118 @@
---
essential-service-group:
children:
bind-service-group:
postfix-service-group:
wazuh-service-group:
icinga-service-group:
bind-service-group:
hosts:
bind-host:
bind-client-group:
children:
all-hosts:
postfix-service-group:
hosts:
postfix-host:
postfix-client-group:
children:
all-hosts:
icinga-service-group:
hosts:
icinga-host:
icinga-client-group:
children:
all-hosts:
wazuh-service-group:
hosts:
wazuh-host:
wazuh-client-group:
children:
all-hosts:
cloud-service-group:
hosts:
cloud-host:
wereport-host:
children:
essential-service-group:
gitlab-service-group:
hosts:
gitlab-host:
children:
essential-service-group:
gitlab-runner-service-group:
hosts:
runner-host:
children:
essential-service-group:
weblate-service-group:
hosts:
weblate-host:
children:
essential-service-group:
packages-service-group:
hosts:
packages-host:
children:
essential-service-group:
chat-service-group:
hosts:
chat-host:
children:
essential-service-group:
forum-service-group:
hosts:
forum-host:
children:
essential-service-group:
website-service-group:
hosts:
website-host:
children:
essential-service-group:
api-service-group:
hosts:
api-host:
children:
essential-service-group:
wekan-service-group:
hosts:
website-host:
children:
essential-service-group:
pad-service-group:
hosts:
website-host:
children:
essential-service-group:
openvpn-service-group:
hosts:
website-host:
children:
essential-service-group:
backup-service-group:
hosts:
bind-host:
children:
essential-service-group:
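Review bot: `children: essential-service-group` under each `*-service-group` from `cloud-service-group` down to `backup-service-group` makes bind-host, postfix-host, wazuh-host and icinga-host members of those groups, because Ansible `children` expresses membership, not dependency. A play such as `hosts: wekan-service-group` or `hosts: gitlab-service-group` would therefore also run on the four essential hosts, the `groups['openvpn-service-group']` loop in molecule/openvpn/openvpn-server-playbook.yml would open udp/1194 on them, and the wekan CNAME loop would create records for them. If the intent is only "this service depends on the essential services", drop the `children:` blocks and keep `hosts:`; if the membership is intended, a comment saying so above `essential-service-group:` would spare the next reader the same doubt. Indentation is lost in this rendering, so I could not confirm how `children:` nests relative to `hosts:` in each stanza.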

2
molecule/backup/backup-playbook.yml

@ -1,5 +1,5 @@
- name: setup backup
hosts: backup-group
hosts: backup-service-group
become: true
roles:

13
molecule/bind/bind-client-playbook.yml

@ -1,6 +1,6 @@
---
- name: setup DNS client (allow-recursion)
hosts: all:!external-host
hosts: bind-client-group:!external-host
become: true
serial: 1 # so blockinfile does not race against itslef
@ -11,10 +11,11 @@
insertafter: allow-recursion {
marker: "# {mark} ansible managed {{ ansible_host }}"
content: "{{ ansible_host }};"
delegate_to: bind-host
delegate_to: "{{ item }}"
loop: "{{groups['bind-service-group']}}"
- name: setup DNS client
hosts: all:!external-host
hosts: bind-client-group:!external-host
become: true
vars:
dns_a_record: "{{ ansible_hostname }}"
@ -30,7 +31,8 @@
ttl: 1800
type: A
value: "{{ dns_a }}"
delegate_to: bind-host
delegate_to: "{{ item }}"
loop: "{{groups['bind-service-group']}}"
- name: set CNAME
nsupdate:
@ -40,7 +42,8 @@
ttl: 1800
type: CNAME
value: "{{ dns_a_record }}"
delegate_to: bind-host
delegate_to: "{{ item }}"
loop: "{{groups['bind-service-group']}}"
- debug:
msg: |
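Review bot: The new `loop: "{{groups['bind-service-group']}}"` lines use a different Jinja spacing than the `{{ groups['openvpn-service-group'] | default([]) }}` form this same commit writes in molecule/openvpn/openvpn-server-playbook.yml; `loop: "{{ groups['bind-service-group'] }}"` keeps one style, and the same spacing appears in every other `delegate_to: "{{ item }}"` hunk of this commit (the bind, icinga and postfix role handlers and tasks). The unquoted pattern `hosts: bind-client-group:!external-host` is valid plain YAML, but the commit quotes the equivalent pattern in molecule/postfix/postfix-client-playbook.yml; quoting it here and in molecule/icinga/icinga-playbook.yml (`hosts: "icinga-client-group:!icinga-service-group"`) avoids relying on the reader knowing that `:!` does not start a mapping. Leaving `default([])` off these loops means a missing bind-service-group fails the play loudly, which seems right for a delegation target.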

2
molecule/bind/bind-monitoring-playbook.yml

@ -1,6 +1,6 @@
---
- name: setup monitoring DNS server
hosts: bind-host
hosts: bind-service-group
become: true
roles:

2
molecule/bind/bind-playbook-gandi.yml

@ -1,7 +1,7 @@
---
- name: setup DNS server Gandi
hosts: bind-host
hosts: bind-service-group
become: true
roles:

2
molecule/bind/bind-playbook-restart.yml

@ -1,7 +1,7 @@
---
- name: restart DNS server
hosts: bind-host
hosts: bind-service-group
become: true
tasks:

2
molecule/bind/bind-playbook-server.yml

@ -1,7 +1,7 @@
---
- name: setup DNS server
hosts: bind-host
hosts: bind-service-group
become: true
roles:

3
molecule/bind/molecule.yml

@ -6,8 +6,6 @@ lint:
platforms:
- name: bind-host
- name: bind-client-host
groups:
- firewall_ssh_server_group
- name: external-host
- name: icinga-host
provisioner:
@ -37,5 +35,6 @@ verifier:
v: True
s: True
# x: True
# k: test_icinga_host
lint:
name: flake8

3
molecule/bind/roles/install_ssh_records/handlers/main.yml

@ -4,4 +4,5 @@
state: reloaded
enabled: True
changed_when: False
delegate_to: bind-host
delegate_to: "{{ item }}"
loop: "{{groups['bind-service-group']}}"

4
molecule/bind/roles/monitoring-bind/handlers/main.yml

@ -4,4 +4,6 @@
state: reloaded
enabled: True
changed_when: False
delegate_to: icinga-host
delegate_to: "{{ item }}"
loop: "{{groups['icinga-service-group']}}"

3
molecule/bind/roles/monitoring-bind/tasks/main.yml

@ -15,7 +15,8 @@
insertafter: 'Define DNS zones and attributes'
path: /etc/icinga2/zones.d/master/{{ inventory_hostname }}/host.conf
marker: "/* {mark} Zone {{ bind_zone_name }} */"
delegate_to: icinga-host
delegate_to: "{{ item }}"
loop: "{{groups['icinga-service-group']}}"
notify: reload icinga2
- name: install sudo file for check named zone

5
molecule/cloud/molecule.yml

@ -8,11 +8,6 @@ platforms:
- name: postfix-host
- name: icinga-host
- name: cloud-host
# remove when https://github.com/ansible/molecule/issues/1650 is resolved
groups:
- enough
- firewall_ssh_server_group
- firewall_web_server_group
provisioner:
name: ansible
options:

4
molecule/enough/molecule.yml

@ -8,10 +8,6 @@ platforms:
- name: postfix-host
- name: icinga-host
- name: cloud-host
groups:
- enough
- firewall_ssh_server_group
- firewall_web_server_group
provisioner:
name: ansible
options:

6
molecule/icinga/icinga-playbook.yml

@ -2,7 +2,7 @@
- import_playbook: icinga-firewall-playbook.yml
- name: install icinga master
hosts: icinga-host
hosts: icinga-service-group
become: true
roles:
@ -35,7 +35,7 @@
certificate_installer: nginx
- name: install icinga clients
hosts: 'all:!icinga-host'
hosts: icinga-client-group:!icinga-service-group
become: true
roles:
@ -44,7 +44,7 @@
- not_monitored is undefined
- name: install icinga monitoring capabilities
hosts: 'all'
hosts: all-hosts
become: true
roles:

2
molecule/icinga/monitor-external-ressources-playbook.yml

@ -1,7 +1,7 @@
---
- name: deploy monitoring for ressources outside {{ domain }}
hosts: icinga-host
hosts: icinga-service-group
become: true
roles:
- role: monitor_tor_http_vhost

6
molecule/icinga/roles/deploy_dummy_monitoring_objects/tasks/main.yml

@ -10,7 +10,8 @@
insertafter: 'Define processes and attributes'
path: /etc/icinga2/zones.d/master/{{ inventory_hostname }}/host.conf
marker: "/* {mark} Systemd login process */"
delegate_to: icinga-host
delegate_to: "{{ item }}"
loop: "{{groups['icinga-service-group']}}"
notify: reload icinga2
- name: install git
@ -28,7 +29,8 @@
insertafter: 'Define git repos and attributes'
path: /etc/icinga2/zones.d/master/icinga-host/host.conf
marker: "/* {mark} Icinga2 Docker image git repo */"
delegate_to: icinga-host
delegate_to: "{{ item }}"
loop: "{{groups['icinga-service-group']}}"
- name: git clone https://github.com/jjethwa/icinga2
git:

3
molecule/icinga/roles/icinga2_client/handlers/main.yml

@ -4,7 +4,8 @@
state: reloaded
enabled: True
changed_when: False
delegate_to: icinga-host
delegate_to: "{{ item }}"
loop: "{{groups['icinga-service-group']}}"
- name: reload icinga2 client
systemd:

9
molecule/icinga/roles/icinga2_client/tasks/main.yml

@ -115,17 +115,20 @@
file:
path: /etc/icinga2/zones.d/master/{{ inventory_hostname }}
state: directory
delegate_to: icinga-host
delegate_to: "{{ item }}"
loop: "{{groups['icinga-service-group']}}"
- name: install host definition on master
template:
src: templates/host.conf
dest: /etc/icinga2/zones.d/master/{{ inventory_hostname }}/host.conf
delegate_to: icinga-host
delegate_to: "{{ item }}"
loop: "{{groups['icinga-service-group']}}"
- name: install client zone definition on master
template:
src: templates/zones.conf.master
dest: /etc/icinga2/zones.d/{{ inventory_hostname }}.conf
delegate_to: icinga-host
delegate_to: "{{ item }}"
loop: "{{groups['icinga-service-group']}}"
notify: reload icinga2

4
molecule/icinga/roles/icinga2_common/handlers/main.yml

@ -4,4 +4,6 @@
state: reloaded
enabled: True
changed_when: False
delegate_to: icinga-host
delegate_to: "{{ item }}"
loop: "{{groups['icinga-service-group']}}"

3
molecule/icinga/roles/monitor_http_vhost/handlers/main.yml

@ -4,4 +4,5 @@
state: reloaded
enabled: True
changed_when: False
delegate_to: icinga-host
delegate_to: "{{ item }}"
loop: "{{groups['icinga-service-group']}}"

3
molecule/icinga/roles/monitor_http_vhost/tasks/main.yml

@ -19,5 +19,6 @@
insertafter: 'Define httpd services and attributes'
path: /etc/icinga2/zones.d/master/{{ inventory_hostname }}/host.conf
marker: "/* {mark} {{ http_vhost_name }} http vhost */"
delegate_to: icinga-host
delegate_to: "{{ item }}"
loop: "{{groups['icinga-service-group']}}"
notify: reload icinga2

4
molecule/icinga/roles/monitor_tor_http_vhost/handlers/main.yml

@ -4,4 +4,6 @@
state: reloaded
enabled: True
changed_when: False
delegate_to: icinga-host
delegate_to: "{{ item }}"
loop: "{{groups['icinga-service-group']}}"

3
molecule/icinga/roles/monitor_tor_http_vhost/tasks/main.yml

@ -2,7 +2,8 @@
apt:
name: [ tor, torsocks ]
state: present
delegate_to: icinga-host
delegate_to: "{{ item }}"
loop: "{{groups['icinga-service-group']}}"
- name: restart tor
service:

2
molecule/openvpn/openvpn-client-playbook.yml

@ -10,7 +10,7 @@
path: "{{ openvpn_local_directory }}"
- name: create openvpn clients
hosts: openvpn-group
hosts: openvpn-service-group
become: true
tasks:

4
molecule/openvpn/openvpn-server-playbook.yml

@ -12,10 +12,10 @@
firewall_protocols: [ udp ]
firewall_ports: [ 1194 ]
when: hostvars[item].ansible_host is defined
with_items: "{{ groups['openvpn-group'] | default([]) }}"
with_items: "{{ groups['openvpn-service-group'] | default([]) }}"
- name: install openvpn
hosts: openvpn-group
hosts: openvpn-service-group
become: true
roles:

2
molecule/pad/pad-playbook.yml

@ -1,6 +1,6 @@
---
- name: install pad
hosts: pad-group
hosts: pad-service-group
become: true
pre_tasks:

2
molecule/postfix/postfix-client-playbook.yml

@ -1,6 +1,6 @@
---
- name: install postfix clients
hosts: "all:!postfix-host"
hosts: "all-hosts:!postfix-service-group"
become: True
environment: '{{ inventory__environment | d({})

8
molecule/postfix/postfix-relay-playbook.yml

@ -1,6 +1,6 @@
---
- name: install certificate if needed
hosts: 'postfix-host'
hosts: postfix-service-group
roles:
- role: firewall
@ -31,7 +31,7 @@
become: false
- name: install and configure postfix relay
hosts: 'postfix-host'
hosts: postfix-service-group
become: true
environment: '{{ inventory__environment | d({})
@ -93,4 +93,6 @@
ttl: 1800
type: TXT
value: "v=spf1 mx ip4:{{ ansible_host }} ~all"
delegate_to: bind-host
delegate_to: "{{ item }}"
loop: "{{groups['bind-service-group']}}"

3
molecule/postfix/roles/postfix_relay_monitoring/tasks/main.yml

@ -5,5 +5,6 @@
line: ' vars.postfix_relay= true'
insertafter: 'Define host attributes'
path: /etc/icinga2/zones.d/master/{{ inventory_hostname }}/host.conf
delegate_to: icinga-host
delegate_to: "{{ item }}"
loop: "{{groups['icinga-service-group']}}"
notify: reload icinga2

2
molecule/wazuh/molecule.yml

@ -6,8 +6,6 @@ lint:
platforms:
- name: bind-host
- name: postfix-host
groups:
- wazuh_agent
- name: icinga-host
- name: wazuh-host
provisioner:

2
molecule/wazuh/wazuh-agent-playbook.yml

@ -1,6 +1,6 @@
---
- name: install wazuh-agent
hosts: wazuh_agent
hosts: all-hosts:!wazuh-service-group
become: true
vars_files:
- agent.yml

2
molecule/wazuh/wazuh-manager-playbook.yml

@ -1,6 +1,6 @@
---
- name: install wazuh-manager
hosts: wazuh-host
hosts: wazuh-service-group
become: true
vars_files:
- manager.yml

2
molecule/wekan/test-wekan-playbook.yml

@ -1,6 +1,6 @@
---
- name: encrypt and mount /srv
hosts: wekan-group
hosts: wekan-service-group
become: true
roles:

4
molecule/wekan/wekan-playbook.yml

@ -1,6 +1,6 @@
---
- name: install wekan
hosts: wekan-group
hosts: wekan-service-group
become: true
pre_tasks:
@ -13,7 +13,7 @@
ttl: 1800
type: CNAME
value: "{{ item }}.{{ domain }}."
with_items: "{{ groups['wekan-group'] | default([]) }}"
with_items: "{{ groups['wekan-service-group'] | default([]) }}"
delegate_to: bind-host
roles:
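Review bot: `delegate_to: bind-host` on the last changed task of this hunk is left hard-coded while every other bind delegation in this commit became `delegate_to: "{{ item }}"` over `groups['bind-service-group']`; here `item` is already taken by the `with_items` over wekan-service-group, which is presumably why it was skipped. One way to finish the rework without a nested loop is `loop: "{{ groups['wekan-service-group'] | default([]) | product(groups['bind-service-group']) }}"` with `value: "{{ item.0 }}.{{ domain }}."` and `delegate_to: "{{ item.1 }}"`; any other `item` reference in the task, which starts before the hunk, would need the same `item.0` change. If a single bind master is acceptable, `delegate_to: "{{ groups['bind-service-group'][0] }}"` is the minimal fix and at least removes the literal host name.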
