Fix some linting errors

This commit is contained in:
2024-02-08 13:18:07 -05:00
parent a51c8ed2ff
commit 7192063d53
16 changed files with 25 additions and 517 deletions

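--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
+repos:
+- repo: https://github.com/gitleaks/gitleaks
+rev: v8.18.2
+hooks:
+- id: gitleaks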
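Review bot: The gitleaks hook added here only scans the content of each new commit, so it gives no coverage for the plaintext LDAP and SMTP passwords in the GitLab playbook that this same commit deletes; those values remain in git history and should be treated as exposed, i.e. rotated, and a one-off full-history scan (`gitleaks detect` over the repository) run once rather than relying on the hook. Pinning `rev: v8.18.2` is good. A short comment above the `repo` entry would save the next reader the same investigation, e.g. `# gitleaks gates new commits only; it does not retroactively check history`.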


@@ -22,7 +22,6 @@
name: "rhel8build.sandbox.toal.ca"
operatingsystem: "RedHat 8.3"
organization: "Toal.ca"
password: "{{ vault_sat6_pass }}"
server_url: "https://satellite1.mgmt.toal.ca/"
subnet: "sandbox"
username: "{{ satellite_admin_user }}"


@@ -1,12 +1,12 @@
- name: create an ovirt windows template
- name: Create an ovirt windows template
hosts: windows_template_base
gather_facts: False
gather_facts: false
connection: local
become: no
become: false
vars:
ansible_python_interpreter: "{{ ansible_playbook_python }}"
roles:
- oatakan.windows_ovirt_template


@@ -5,25 +5,25 @@
vars:
msg: |
Module Variables ("vars"):
--------------------------
--------------------------
{{ vars | to_nice_json }}
Environment Variables ("environment"):
--------------------------------------
{{ environment | to_nice_json }}
GROUP NAMES Variables ("group_names"):
-------------------------------------
{{ group_names | to_nice_json }}
GROUPS Variables ("groups"):
----------------------------
{{ groups | to_nice_json }}
HOST Variables ("hostvars"):
----------------------------
{{ hostvars | to_nice_json }}
debug:
ansible.builtin.debug:
msg: "{{ msg.split('\n') }}"
tags: debug_info
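Review bot: The `ansible.builtin.debug` task above `tags: debug_info` prints `vars`, `environment` and `hostvars` in full, so anything loaded from a vault-encrypted vars file (such as the `vault_sat6_pass` referenced by the Satellite play in this same commit) lands in plain text in the job log; `to_nice_json` renders only inline `!vault` values as ciphertext, not whole-file vaults, and the `debug_info` tag is the sole gate. If the dump is kept, guard it explicitly, e.g. `when: dump_all_vars | default(false) | bool`, and add a comment above the task such as `# Prints every variable, including decrypted secrets; run only in a trusted session whose output is not retained`. The play header and `hosts` line sit above the hunk.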


@@ -1,12 +0,0 @@
---
version: 1
build_arg_defaults:
EE_BASE_IMAGE: 'registry.redhat.io/ansible-automation-platform-21/ee-supported-rhel8:latest'
ansible_config: '../../../.ansible.cfg'
dependencies:
galaxy: collections/requirements.yml
python: requirements.txt
system: bindep.txt


@@ -1,41 +0,0 @@
- name: Ensure Gitea is running on Zenyatta
become: yes
hosts: zenyatta.lab.toal.ca
vars:
container_state: running
container_name: gitea
container_image: gitea/gitea:latest
gitea_nfs_mountpoint: /mnt/gitea
gitea_nfs_src: nas.lab.toal.ca:/mnt/BIGPOOL/BackedUp/git
gitea_dir_owner: ptoal
gitea_dir_group: ptoal
container_run_args: >-
--rm
-p 3000:3000/tcp -p 3222:22/tcp
-v "{{ gitea_nfs_mountpoint }}:/data"
--hostname=gitea.mgmt.toal.ca
--memory=1024M
container_firewall_ports:
- 3000/tcp
- 3222/tcp
tasks:
- name: Ensure container data mount points
tags: mount
file:
path: "{{ gitea_nfs_mountpoint }}"
state: directory
- name: ensure container NFS mounts from NAS
tags: [ mount, nfs ]
mount:
src: "{{ gitea_nfs_src }}"
path: "{{ gitea_nfs_mountpoint }}"
fstype: nfs
opts: rw,rsize=8192,wsize=8192,timeo=14,intr,vers=3
state: mounted
- name: ensure container state
tags: container
import_role:
name: ikke_t.podman_container_systemd


@@ -1,39 +0,0 @@
- name: Ensure GitLab is installed
hosts: gitlab.lab.toal.ca
become: true
vars:
gitlab_external_url: "http://gitlab.lab.toal.ca/"
gitlab_git_data_dir: "/var/opt/gitlab/git-data"
# gitlab_edition: "gitlab-ce"
# gitlab_redirect_http_to_https: "false"
# # LDAP Configuration.
# gitlab_ldap_enabled: "true"
# gitlab_ldap_host: "idm1.mgmt.toal.ca"
# gitlab_ldap_port: "389"
# gitlab_ldap_uid: "ldapauth"
# gitlab_ldap_method: "start_tls"
# gitlab_ldap_bind_dn: "uid=ldapauth,cn=sysaccounts,cn=etc,dc=idm,dc=toal,dc=ca"
# gitlab_ldap_password: "growwaternapkin"
# gitlab_ldap_base: "cn=users,cn=accounts,dc=idm,dc=toal,dc=ca"
# # Email configuration.
# gitlab_email_enabled: "true"
# gitlab_email_from: "gitlab@takeflight.ca"
# gitlab_email_display_name: "Gitlab"
# gitlab_email_reply_to: "ptoal@takeflight.ca"
# # SMTP Configuration
# gitlab_smtp_enable: "true"
# gitlab_smtp_address: "smtp.gmail.com"
# gitlab_smtp_port: "587"
# gitlab_smtp_user_name: "server"
# gitlab_smtp_password: "ReJ3n_Dj9EB-j3b"
# gitlab_smtp_domain: "takeflight.ca"
# gitlab_smtp_authentication: "login"
# gitlab_smtp_enable_starttls_auto: "true"
# # gitlab_smtp_tls: "false"
# gitlab_smtp_openssl_verify_mode: "none"
# # gitlab_smtp_ca_path: "/etc/ssl/certs"
# # gitlab_smtp_ca_file: "/etc/ssl/certs/ca-certificates.crt"
# gitlab_nginx_listen_https: "false"
roles:
- { role: geerlingguy.gitlab }


@@ -1,6 +0,0 @@
---
# Configure host interface and network switch
# First use-case is bond's
#
- name: Host Network
hosts: "{{ }}"


@@ -1,17 +0,0 @@
- name: Minecraft Systems - MineOS
hosts: tag_mc_mineos:&tag_ansible
become: true
vars:
# nodejs_version: "8.x"
# mineos_repo: "https://github.com/sage905/mineos-node.git"
#mineos_version: "pam_auth"
roles:
- ansible-role-nodejs
- sage905.mineos
- name: Minecraft Systems - Mark2
hosts: tag_mc_mark2:&tag_ansible
become: true
roles:
- sage905.mark2
- sage905.waterfall


@@ -1,67 +0,0 @@
---
- name: Prometheus
hosts: monitor.mgmt.toal.ca # Hard-coded for now
become: yes
vars:
container_image: prom/prometheus
container_name: prometheus
container_state: running
container_firewall_ports:
- 8090/tcp
container_run_args: >-
-p 8090:8090
-v /home/prometheus/etc:/etc/prometheus:Z
-v /home/prometheus/data:/prometheus:Z
-v /home/prometheus/console_libraries:/usr/share/prometheus/console_libraries:Z
-v /home/prometheus/console_templates:/usr/share/prometheus/consoles:Z
roles:
- ikke_t.podman_container_systemd
pre_tasks:
- name: Directories exist
file:
path: '{{ item }}'
state: directory
owner: nobody
group: nobody
loop:
- /home/prometheus/etc
- /home/prometheus/data
- /home/prometheus/console_libraries
- /home/prometheus/console_template
post_tasks:
- name: Firewall
firewalld:
state: enabled # required. choices: enabled;disabled;present;absent. Enable or disable a setting. For ports: Should this port accept(enabled) or reject(disabled) connections. The states "present" and "absent" can only be used in zone level operations (i.e. when no other parameters but zone and state are set).
permanent: true
port: 9090/tcp
- name: Grafana
hosts: monitor.mgmt.toal.ca # Hard-coded for now
become: yes
vars:
container_image: grafana/grafana
container_name: grafana
container_state: running
container_firewall_ports:
- 3000/tcp
container_run_args: >-
-p 3000:3000
-v /home/grafana/data:/var/lib/grafana:Z
pre_tasks:
- name: Directories exist
file:
path: '{{ item }}'
state: directory
owner: nobody
group: nobody
loop:
- /home/grafana/data
roles:
- ikke_t.podman_container_systemd
post_tasks:
- name: Firewall
firewalld:
state: enabled # required. choices: enabled;disabled;present;absent. Enable or disable a setting. For ports: Should this port accept(enabled) or reject(disabled) connections. The states "present" and "absent" can only be used in zone level operations (i.e. when no other parameters but zone and state are set).
permanent: true
port: 3000/tcp


@@ -1,15 +0,0 @@
- name: K8S installed and ready
hosts: k8s
become: yes
tasks:
- name: EPEL Repo enabled
yum:
name: epel-release
state: present
- name: Setting sebool container_manage_cgroup
seboolean:
name: container_manage_cgroup
state: yes
persistent: yes


@@ -1,32 +0,0 @@
- name: Reset Port
hosts: switch01
become_method: enable
become: yes
connection: network_cli
gather_facts: no
vars:
switch_port: GigabitEthernet2/0/13
tasks:
- name: Simple Debug Task
debug:
msg: "Hello World"
- name: Shut down port
ios_interface:
name: "{{ switch_port }}"
enabled: False
state: down
delay: 20
- name: Pause for 5 seconds
pause:
seconds: 5
- name: Bring up port
ios_interface:
name: "{{ switch_port }}"
enabled: True
delay: 20


@@ -1,222 +0,0 @@
---
- name: Check for existing cert
hosts: rhv.mgmt.toal.ca
connection: local
vars:
ansible_python_interpreter: "/usr/bin/python3"
tasks:
- name: Information from existing key
community.crypto.x509_certificate_info:
path: "keys/{{ acme_certificate_domains|first }}.pem"
ignore_errors: yes
register: key_info
- set_fact: have_valid_cert=false
- set_fact:
have_valid_cert: "{{ (key_info.not_after|to_datetime('%Y%m%d%H%M%SZ')).timestamp() > ansible_date_time.epoch|int + 2592000 }}"
when:
- not key_info.failed
# Probably want to split this out into a proper certificate management role for Toal.ca
- name: Request TLS Certificate from LetsEncrypt
hosts: rhv.mgmt.toal.ca
connection: local
gather_facts: false
# This doesn't belong here
#vars:
# acme_certificate_root_certificate: https://letsencrypt.org/certs/trustid-x3-root.pem.txt
pre_tasks:
- name: Ensure Let's Encrypt Account Exists
acme_account:
state: present
acme_directory: "{{ acme_directory }}"
terms_agreed: true
allow_creation: true
contact:
- mailto:ptoal@takeflight.ca
account_key_content: "{{ acme_key }}"
acme_version: 2
- name: tmpfile for Account Key
tempfile:
state: file
register: acme_tmp_key
- name: Account Key to File
copy:
dest: "{{ acme_tmp_key.path }}"
content: "{{ acme_key }}"
mode: "600"
- set_fact:
acme_certificate_acme_account: "{{ acme_tmp_key.path }}"
roles:
- name: felixfontein.acme_certificate
when: have_valid_cert is defined and not have_valid_cert
post_tasks:
- name: Remove tempfile
file:
path: "{{ acme_tmp_key.path }}"
state: absent
- name: Install custom CA Certificate in RHV-M
hosts: rhv.mgmt.toal.ca
become: true
vars:
key_files_prefix: "keys/{{ acme_certificate_domains|first }}"
ansible_python_interpreter: "/usr/bin/python3"
tasks:
- name: Certificate trust in store
copy:
src: "{{ key_files_prefix}}-rootchain.pem"
dest: /etc/pki/ca-trust/source/anchors/
register: rootchain_result
notify:
- update ca-trust
- restart httpd
- name: Certificate store updated
command: /usr/bin/update-ca-trust
when: rootchain_result.changed
notify: restart httpd
- name: Apache CA is file, not link
file:
path: /etc/pki/ovirt-engine/apache-ca.pem
state: file
register: apache_ca_stat
- name: Apache CA link is removed
file:
path: /etc/pki/ovirt-engine/apache-ca.pem
state: absent
when: apache_ca_stat.state == "file"
- name: CA Rootchain in Apache config
copy:
src: "{{ key_files_prefix }}-rootchain.pem"
dest: /etc/pki/ovirt-engine/apache-ca.pem
backup: yes
notify: restart httpd
- name: Private key installed
copy:
src: "{{ key_files_prefix }}.key"
dest: "{{ item }}"
backup: yes
owner: root
group: ovirt
mode: 0640
notify: restart httpd
loop:
- /etc/pki/ovirt-engine/keys/apache.key.nopass
- /etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
- name: Certificate installed
copy:
src: "{{ key_files_prefix }}.pem"
dest: "{{ item }}"
backup: yes
owner: root
group: ovirt
mode: 0644
notify: restart httpd
loop:
- /etc/pki/ovirt-engine/certs/websocket-proxy.cer
- /etc/pki/ovirt-engine/certs/apache.cer
- name: Trust Store Configuration
copy:
dest: /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
content: |
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
notify:
- restart ovn
- restart ovirt-engine
- name: Websocket Proxy configuration
lineinfile:
path: /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
state: present
backup: yes
line: "{{ item.name }}={{ item.value }}"
regexp: "^{{ item.name }}="
loop:
- name: SSL_CERTIFICATE
value: /etc/pki/ovirt-engine/certs/websocket-proxy.cer
- name: SSL_KEY
value: /etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
# - SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
# - SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
notify:
- restart ovirt-websocket-proxy
handlers:
- name: restart httpd
service:
name: httpd
state: restarted
- name: update ca-trust
command: update-ca-trust
- name: restart ovn
service:
name: ovirt-provider-ovn
state: restarted
- name: restart ovirt-engine
service:
name: ovirt-engine
state: restarted
- name: restart ovirt-websocket-proxy
service:
name: ovirt-websocket-proxy
state: restarted
- name: Create RHV/ovirt VLANs
hosts: rhv.mgmt.toal.ca
connection: local
vars:
# Hack to work around virtualenv python interpreter
ansible_python_interpreter: "{{ ansible_playbook_python }}"
tasks:
- name: Obtain SSO token for RHV
ovirt_auth:
state: present
insecure: true
- ovirt_network:
auth: "{{ ovirt_auth }}"
fetch_nested: true
data_center: "{{ item.data_center }}"
name: "{{ item.name }}"
vlan_tag: "{{ item.vlan_tag|default(omit) }}"
vm_network: "{{ item.vm_network }}"
mtu: "{{ item.mtu }}"
description: "{{ item.description }}"
loop: "{{ ovirt_networks }}"
register: networkinfo
- debug: msg="{{networkinfo}}"
- name: Reminder
hosts: localhost
connection: local
tasks:
- name: Reminder
debug:
msg: "Don't forget to add tso off gro off gso off lro off to i217-LM NIC's (eg: Dell Optiplex)!"
# https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html/administration_guide/sect-hosts_and_networking#Editing_Host_Network_Interfaces_and_Assigning_Logical_Networks_to_Hosts


@@ -2,8 +2,6 @@
- name: Collect Netbox Data
hosts: role_core-switch
gather_facts: false
collections:
- netbox.netbox
vars:
api_endpoint: "{{ lookup('env','NETBOX_API') }}"
api_token: "{{ lookup('env', 'NETBOX_TOKEN') }}"
@@ -11,9 +9,11 @@
tasks:
# - name: Gather Device Information
# set_fact:
# device_info: "{{ query('netbox.netbox.nb_lookup', 'devices', api_filter='name=' + inventory_hostname, api_endpoint=api_endpoint, token=api_token )[0] }}"
- debug:
var: interfaces
# device_info: "{{ query('netbox.netbox.nb_lookup', 'devices', api_filter='name=' + inventory_hostname, api_endpoint=api_endpoint,\
# token=api_token )[0] }}"
- name: Dump debug info
ansible.builtin.debug:
var: interfaces
# - name: Obtain list of devices from Netbox
# debug:
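Review bot: `api_token: "{{ lookup('env', 'NETBOX_TOKEN') }}"` in the first hunk (a context line; the play header is above the hunk) resolves to an empty string when the variable is unset, so a misconfigured runner would call Netbox without credentials and fail with a confusing API error instead of at startup; a `pre_tasks` entry `ansible.builtin.assert:` with `that: api_token | length > 0` and `fail_msg: NETBOX_TOKEN is not set` fails early instead. In the second hunk the new `Dump debug info` task prints only `interfaces`, which is fine, but the `device_info` lookup kept as a two-line comment with a trailing backslash now reads as dead code; either drop it or state in the comment why it is retained.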


@@ -1,45 +0,0 @@
---
- name: DHCP Server
hosts: service_dhcp
connection: local
pre_tasks:
# - name: Gather interfaces for dhcp service
# set_fact:
# dhcp_interfaces:
# - name: Gather subnets
# set_fact:
# subnets: ""
# prefixes: "{{ query('netbox.netbox.nb_lookup', 'prefixes', api_endpoint=netbox_api, token=netbox_token) }}"
# - ip: 192.168.222.0
# netmask: 255.255.255.128
# domain_name_servers:
# - 10.0.2.3
# - 10.0.2.4
# range_begin: 192.168.222.50
# range_end: 192.168.222.127
# - ip: 192.168.222.128
# default_lease_time: 3600
# max_lease_time: 7200
# netmask: 255.255.255.128
# domain_name_servers: 10.0.2.3
# routers: 192.168.222.129
roles:
- name: sage905.netbox-to-dhcp
# tasks:
# - debug:
# var: services
# # - name: Collect Prefix information for interfaces in DHCP Service
# - name: Collect host interfaces
# set_fact:
# dhcp_prefixes: "{{ query('netbox.netbox.nb_lookup', 'prefixes', api_filter='', api_endpoint=netbox_api, token=netbox_token) }}"
# - name: Test
# debug: var=dhcp_service
{% for interface in (services|selectattr('name','eq','dhcp')|first).ipaddresses %}
{% set prefix=(query('netbox.netbox.nb_lookup', 'prefixes', api_filter='q=' + interface.address, api_endpoint=netbox_api, token=netbox_token)|first).value %}
subnet {{ prefix.prefix|ipaddr('net') }} netmask {{ prefix.prefix|ipaddr('netmask') }} {


@@ -1,16 +1,16 @@
- name: Create Windows AD Server
hosts: WinAD
gather_facts: False
gather_facts: false
connection: local
become: no
become: false
vars:
ansible_python_interpreter: "{{ ansible_playbook_python }}"
roles:
- oatakan.ansible-role-ovirt
- name: Configure AD Controller
hosts: WinAD
become: yes
become: false
- oatakan.ansible-role-windows-ad-controller
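Review bot: `become: false` in the `Configure AD Controller` play appears to flip the play's privilege rather than just normalise the boolean, since its paired line reads `become: yes` while every other pair in this commit (`False`→`false`, `no`→`false`) keeps its value; if `yes` is the old side, the lint-preserving replacement is `become: true`. Confirm which was intended before merging, because the windows-ad-controller role presumably needs elevation on the `WinAD` host. The first play's `become: false` in the same hunk is consistent with its `connection: local` and is not affected.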