ptoal/toallab-automation
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
a51c8ed2ff6cfe28876c06916bc27fb6362a5ac1
toallab-automation/playbooks/rhv_setup.yml
Patrick Toal a51c8ed2ff Clean up some cruft
2024-02-08 12:57:28 -05:00

223 lines
6.1 KiB
YAML
Raw Blame History

---
- name: Check for existing cert
hosts: rhv.mgmt.toal.ca
connection: local
vars:
ansible_python_interpreter: "/usr/bin/python3"
tasks:
- name: Information from existing key
community.crypto.x509_certificate_info:
path: "keys/{{ acme_certificate_domains|first }}.pem"
ignore_errors: yes
register: key_info
- set_fact: have_valid_cert=false
- set_fact:
have_valid_cert: "{{ (key_info.not_after|to_datetime('%Y%m%d%H%M%SZ')).timestamp() > ansible_date_time.epoch|int + 2592000 }}"
when:
- not key_info.failed
# Probably want to split this out into a proper certificate management role for Toal.ca
- name: Request TLS Certificate from LetsEncrypt
hosts: rhv.mgmt.toal.ca
connection: local
gather_facts: false
# This doesn't belong here
#vars:
# acme_certificate_root_certificate: https://letsencrypt.org/certs/trustid-x3-root.pem.txt
pre_tasks:
- name: Ensure Let's Encrypt Account Exists
acme_account:
state: present
acme_directory: "{{ acme_directory }}"
terms_agreed: true
allow_creation: true
contact:
- mailto:ptoal@takeflight.ca
account_key_content: "{{ acme_key }}"
acme_version: 2
- name: tmpfile for Account Key
tempfile:
state: file
register: acme_tmp_key
- name: Account Key to File
copy:
dest: "{{ acme_tmp_key.path }}"
content: "{{ acme_key }}"
mode: "600"
- set_fact:
acme_certificate_acme_account: "{{ acme_tmp_key.path }}"
roles:
- name: felixfontein.acme_certificate
when: have_valid_cert is defined and not have_valid_cert
post_tasks:
- name: Remove tempfile
file:
path: "{{ acme_tmp_key.path }}"
state: absent
- name: Install custom CA Certificate in RHV-M
hosts: rhv.mgmt.toal.ca
become: true
vars:
key_files_prefix: "keys/{{ acme_certificate_domains|first }}"
ansible_python_interpreter: "/usr/bin/python3"
tasks:
- name: Certificate trust in store
copy:
src: "{{ key_files_prefix}}-rootchain.pem"
dest: /etc/pki/ca-trust/source/anchors/
register: rootchain_result
notify:
- update ca-trust
- restart httpd
- name: Certificate store updated
command: /usr/bin/update-ca-trust
when: rootchain_result.changed
notify: restart httpd
- name: Apache CA is file, not link
file:
path: /etc/pki/ovirt-engine/apache-ca.pem
state: file
register: apache_ca_stat
- name: Apache CA link is removed
file:
path: /etc/pki/ovirt-engine/apache-ca.pem
state: absent
when: apache_ca_stat.state == "file"
- name: CA Rootchain in Apache config
copy:
src: "{{ key_files_prefix }}-rootchain.pem"
dest: /etc/pki/ovirt-engine/apache-ca.pem
backup: yes
notify: restart httpd
- name: Private key installed
copy:
src: "{{ key_files_prefix }}.key"
dest: "{{ item }}"
backup: yes
owner: root
group: ovirt
mode: 0640
notify: restart httpd
loop:
- /etc/pki/ovirt-engine/keys/apache.key.nopass
- /etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
- name: Certificate installed
copy:
src: "{{ key_files_prefix }}.pem"
dest: "{{ item }}"
backup: yes
owner: root
group: ovirt
mode: 0644
notify: restart httpd
loop:
- /etc/pki/ovirt-engine/certs/websocket-proxy.cer
- /etc/pki/ovirt-engine/certs/apache.cer
- name: Trust Store Configuration
copy:
dest: /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
content: |
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
notify:
- restart ovn
- restart ovirt-engine
- name: Websocket Proxy configuration
lineinfile:
path: /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
state: present
backup: yes
line: "{{ item.name }}={{ item.value }}"
regexp: "^{{ item.name }}="
loop:
- name: SSL_CERTIFICATE
value: /etc/pki/ovirt-engine/certs/websocket-proxy.cer
- name: SSL_KEY
value: /etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
# - SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
# - SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
notify:
- restart ovirt-websocket-proxy
handlers:
- name: restart httpd
service:
name: httpd
state: restarted
- name: update ca-trust
command: update-ca-trust
- name: restart ovn
service:
name: ovirt-provider-ovn
state: restarted
- name: restart ovirt-engine
service:
name: ovirt-engine
state: restarted
- name: restart ovirt-websocket-proxy
service:
name: ovirt-websocket-proxy
state: restarted
- name: Create RHV/ovirt VLANs
hosts: rhv.mgmt.toal.ca
connection: local
vars:
# Hack to work around virtualenv python interpreter
ansible_python_interpreter: "{{ ansible_playbook_python }}"
tasks:
- name: Obtain SSO token for RHV
ovirt_auth:
state: present
insecure: true
- ovirt_network:
auth: "{{ ovirt_auth }}"
fetch_nested: true
data_center: "{{ item.data_center }}"
name: "{{ item.name }}"
vlan_tag: "{{ item.vlan_tag|default(omit) }}"
vm_network: "{{ item.vm_network }}"
mtu: "{{ item.mtu }}"
description: "{{ item.description }}"
loop: "{{ ovirt_networks }}"
register: networkinfo
- debug: msg="{{networkinfo}}"
- name: Reminder
hosts: localhost
connection: local
tasks:
- name: Reminder
debug:
msg: "Don't forget to add tso off gro off gso off lro off to i217-LM NIC's (eg: Dell Optiplex)!"
# https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html/administration_guide/sect-hosts_and_networking#Editing_Host_Network_Interfaces_and_Assigning_Logical_Networks_to_Hosts
Reference in New Issue View Git Blame Copy Permalink