initial commit

.gitignore

@@ -0,0 +1 @@
+.vscode/

README.md

@@ -1,2 +1,3 @@
-# infra-ansible
-AlmaLinux infrastructure Ansible playbooks and roles
+# AlmaLinux Infrastructure Ansible Playbooks
+
+ansible-galaxy install -r requirements.yml

ansible.cfg

@@ -0,0 +1,10 @@
+[defaults]
+remote_user = root
+
+[ssh_connection]
+pipelining = True
+
+[persistent_connection]
+connect_timeout = 30
+connect_retries = 3
+

group_vars/all.yml

@@ -0,0 +1,68 @@
+ssh_authorized_keys:
+  - "https://github.com/codyro.keys"
+  - "https://github.com/jonathanspw.keys"
+authorized_keys_managed: false # UNUSED
+whitelist_ips:
+  "{{ lookup( 'community.hashi_vault.hashi_vault', 'kv/data/infra/general-ansible-vars:whitelist_ips',
+  token=lookup('env', 'VAULT_TOKEN'), url=secrets_url ) | regex_replace('#.*$\n?', multiline=true) | replace(' ', '') | split(',') }}"
+# TODO: Listen on tailscale0 by default
+zabbix_listen_ip: "{{ ansible_eth0.ipv4.address }}"
+zabbix_listen_port: 10050
+
+# alphabetical please
+common_packages:
+  - lsof
+  - nano
+  - nload
+  - telnet
+  - vim
+  - yum-utils
+
+# common headscale/tailscale client vars
+tailscale_authkey: "{{ lookup('env', 'TAILSCALE_KEY') }}"
+tailscale_args:
+  "--reset --hostname {{ inventory_hostname }}
+  --login-server='{{ lookup('community.hashi_vault.hashi_vault',
+    'kv/data/infra/general-ansible-vars:tailscale_login_server',
+    token=lookup('env', 'VAULT_TOKEN'), url=secrets_url) }}'"
+
+# ipa client
+ipaclient_domain: ipa.almalinux.org
+ipaadmin_principal: "{{ lookup('env', 'IPA_USER') }}"
+ipaadmin_password: "{{ lookup('env', 'IPA_PASSWORD') }}"
+ipaclient_use_otp: false
+ipaclient_force_join: true
+ipaclient_kinit_attempts: 3
+ipaclient_hostname: "{{ inventory_hostname }}"
+ipaclient_no_ntp: true
+# so devsec ssh hardening doesn't break IPA features
+sshd_custom_options:
+  - "Include /etc/ssh/sshd_config.d/*"
+
+# ssh config/hardening
+ssh_gssapi_support: true
+ssh_permit_root_login: 'without-password'
+ssh_kerberos_support: true
+
+# zabbix agent
+zabbix_agent_version: 6.4
+zabbix_agent2: true
+zabbix_agent_visible_hostname: "{{ inventory_hostname }}"
+zabbix_agent_server:
+  "{{ lookup('community.hashi_vault.hashi_vault', 'kv/data/infra/general-ansible-vars:zabbix_server_url',
+  token=lookup('env', 'VAULT_TOKEN'), url=secrets_url) }}"
+zabbix_agent_serveractive:
+  "{{ lookup('community.hashi_vault.hashi_vault', 'kv/data/infra/general-ansible-vars:zabbix_server_url',
+  token=lookup('env', 'VAULT_TOKEN'), url=secrets_url) }}"
+zabbix_repo_yum_gpgcheck: true
+
+# certbot
+certbot_email:
+  "{{ lookup('community.hashi_vault.hashi_vault', 'kv/data/infra/general-ansible-vars:certbot_email',
+  token=lookup('env', 'VAULT_TOKEN'), url=secrets_url) }}"
+
+# hashivault
+hashivault_domain: secrets.almalinux.org
+# we concat this, so needs to be a string
+hashivault_port: '8200'
+secrets_url: https://{{ hashivault_domain }}:{{ hashivault_port }}

group_vars/hashivault.yml

@@ -0,0 +1,55 @@
+---
+firewalld_extra_allow_ports:
+  - "{{ hashivault_port }}/tcp"
+firewalld_extra_rich_rules:
+  - rule family="ipv4" source address="10.0.0.0/16" port protocol="tcp" port="8201" accept
+
+auth_ldap_userdn: cn=users,cn=accounts,dc=almalinux,dc=org
+auth_ldap_groupdn: cn=groups,cn=accounts,dc=almalinux,dc=org
+auth_ldap_binddn: uid=secrets,cn=sysaccounts,cn=etc,dc=almalinux,dc=org
+auth_ldap_url: >
+  ldaps://ipa01.awsuseast1.ipa.almalinux.org,ldaps://ipa02.awsuseast1.ipa.almalinux.org,
+  ldaps://ipa03.azureussouthcentral.ipa.almalinux.org,ldaps://ipa04.azureussouthcentral.ipa.almalinux.org
+auth_ldap_groupfilter: "{% raw %}(&(objectClass=posixGroup)(member=uid={{.Username}},cn=users,cn=accounts,dc=almalinux,dc=org)){% endraw %}"
+auth_ldap_groupattr: cn
+auth_ldap_userattr: uid
+auth_ldap_userfilter: |
+  "{% raw %}
+    (&
+      ({{.UserAttr}}={{.Username}})(objectClass=posixAccount)
+      (|
+        (memberOf=cn=sysadmin,cn=groups,cn=accounts,dc=almalinux,dc=org)
+        (memberOf=cn=admins,cn=groups,cn=accounts,dc=almalinux,dc=org)
+      )
+    )
+  {% endraw %}"
+auth_ldap_certificate_file: /etc/ipa/ca.crt
+
+hashivault_vault_listener_address: 0.0.0.0:{{ hashivault_port }}
+
+hashivault_policies:
+  sysadmin:
+    - path: /*
+      capabilities:
+        - create
+        - update
+        - patch
+        - read
+        - delete
+        - list
+  monitoring:
+    - path: /sys/metrics
+      capabilities:
+        - read
+        - list
+    - path: /auth/token/lookup-accessor
+      capabilities:
+        - read
+        - update
+
+hashivault_ldap_groups:
+  - name: sysadmin
+    policies:
+      - sysadmin
+
+hashivault_private_subnet: 10.0.0.0/16

group_vars/mirrors.yml

@@ -0,0 +1 @@
+mirror_dev_fs: /dev/nvme1n1

hashivault.yml

@@ -0,0 +1,44 @@
+---
+- name: Check required vars
+  hosts: localhost
+  tasks:
+    - name: Check if var is set - {{ item }}
+      ansible.builtin.assert:
+        that: "{{ lookup('env', item) | length > 0 }}"
+        fail_msg: "{{ item }} is not set"
+      loop:
+        - TAILSCALE_KEY
+        - IPA_USER
+        - IPA_PASSWORD
+
+- name: Hashicorp Vault
+  hosts: hashivault
+  environment:
+    VAULT_ADDR: "{{ vault_url }}"
+    VAULT_TOKEN: "{{ lookup('env', 'VAULT_TOKEN') }}"
+  roles:
+    - common
+    - ipa_client
+    - hashivault
+    - community.zabbix.zabbix_agent
+    - devsec.hardening.os_hardening
+    - devsec.hardening.ssh_hardening
+
+# this is done like this so we can delay restarts as to maintain quorum
+- name: Restart Vault
+  hosts: hashivault
+  serial: 1
+  tasks:
+    - name: Restart vault
+      ansible.builtin.systemd_service:
+        name: vault
+        state: restarted
+      when: config_written.changed
+      register: vault_restarted
+      tags: skip_ansible_lint
+
+    - name: Pause after restart
+      ansible.builtin.pause:
+        seconds: 30
+      when: vault_restarted.changed
+      tags: skip_ansible_lint

host_vars/almalinux-mirror.yucca.net.yml

@@ -0,0 +1,3 @@
+---
+mirror_path_use_subdir: false
+mirror_create_fs: false

host_vars/chat.almalinux.org.yml

@@ -0,0 +1,4 @@
+---
+host_public_ports:
+  # zabbix
+  - 10050/tcp

host_vars/zabbix.almalinux.org.yml

@@ -0,0 +1,4 @@
+---
+host_public_ports:
+  - 10050/tcp
+  - 10051/tcp

hosts

@@ -0,0 +1,41 @@
+#[freeipa]
+#ipa01.awsuseast1.ipa ansible_host=35.169.194.8
+#ipa02.awsuseast1.ipa ansible_host=184.72.121.220
+
+#[noggin]
+#accounts.almalinux.org ansible_host=44.210.221.240
+
+# id.almalinux.org
+#[keycloak]
+#keycloak01.awsuseast1.ipa.almalinux.org
+#keycloak02.azureussouthcentral.ipa.almalinux.org
+#keycloak03.knownhostga.ipa.almalinux.org
+
+#[web]
+#zabbix.almalinux.org
+#chat.almalinux.org
+
+#[web:children]
+#keycloak
+
+[aws_mirrors]
+
+
+[azure_mirrors]
+
+
+[external_managed_mirrors]
+almalinux-mirror.yucca.net
+
+[mirrors:children]
+aws_mirrors
+azure_mirrors
+external_managed_mirrors
+
+[mirrors_tier0]
+#atl.rsync.repo.almalinux.org
+#sea.rsync.repo.almalinux.org
+#fra.rsync.repo.almalinux.org
+
+[hashivault]
+vault[01:05].secrets.almalinux.org

mirrors.yml

@@ -0,0 +1,9 @@
+---
+- name: Configure mirrors
+  hosts: mirrors
+  roles:
+    - common
+    - mirror
+    - community.zabbix.zabbix_agent
+    - devsec.hardening.os_hardening
+    - devsec.hardening.ssh_hardening

requirements.yml

@@ -0,0 +1,10 @@
+---
+collections:
+    - name: devsec.hardening
+    - name: freeipa.ansible_freeipa
+    - name: community.hashi_vault
+
+roles:
+    - name: artis3n.tailscale
+    - name: ansible-modules-hashivault
+      src: git+https://github.com/TerryHowe/ansible-modules-hashivault.git

roles/common/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+- ansible.builtin.import_tasks: zabbix_handler.yml # noqa name[missing]

roles/common/handlers/zabbix_handler.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart zabbix-agent2
+  ansible.builtin.systemd:
+    name: zabbix-agent2
+    state: restarted

roles/common/tasks/firewalld.yml

@@ -0,0 +1,83 @@
+---
+- name: Install firewalld
+  ansible.builtin.dnf:
+    name:
+      - firewalld
+      - python3-firewall
+    state: present
+  tags:
+    - firewalld
+
+- name: Enable/start firewalld
+  ansible.builtin.systemd:
+    name: firewalld.service
+    state: started
+    enabled: true
+  tags:
+    - firewalld
+
+- name: Remove default services from public zone
+  ansible.posix.firewalld:
+    zone: public
+    state: disabled
+    permanent: true
+    immediate: true
+    service: "{{ item }}"
+  loop:
+    - cockpit
+    - dhcpv6-client
+  tags:
+    - firewalld
+
+- name: Allow SSH 22/tcp traffic
+  ansible.posix.firewalld:
+    zone: public
+    state: enabled
+    permanent: true
+    immediate: true
+    service: ssh
+  tags:
+    - firewalld
+
+# TODO: Cleanup how this is handled
+# whitelist_ips variable
+# - name: Combine host_vars/group_vars whitelist_ips
+#  ansible.builtin.set_fact:
+#    whitelist_ips: "{{ group_whitelist_ips|default([]) + host_whitelist_ips|default([]) }}"
+#  tags:
+#    - firewalld
+
+- name: Allow whitelist IP's in trusted zone
+  ansible.posix.firewalld:
+    zone: trusted
+    state: enabled
+    permanent: true
+    immediate: true
+    source: "{{ item }}"
+  loop: "{{ whitelist_ips }}"
+  tags:
+    - firewalld
+
+- name: Allow extra ports
+  ansible.posix.firewalld:
+    zone: public
+    state: enabled
+    permanent: true
+    immediate: true
+    port: "{{ item }}"
+  tags:
+    - firewalld
+  loop: "{{ firewalld_extra_allow_ports }}"
+  when: firewalld_extra_allow_ports is defined
+
+- name: Extra rich rules
+  ansible.posix.firewalld:
+    zone: public
+    state: enabled
+    permanent: true
+    immediate: true
+    rich_rule: "{{ item }}"
+  tags:
+    - firewalld
+  loop: "{{ firewalld_extra_rich_rules }}"
+  when: firewalld_extra_rich_rules is defined

roles/common/tasks/headscale.yml

@@ -0,0 +1,26 @@
+---
+# - name: Enable headscale Copr repository
+#  community.general.copr:
+#    chroot: rhel9-x86_64
+#    host: copr.fedorainfracloud.org
+#    state: enabled
+#    name: jonathanspw/headscale
+#  tags:
+#    - headscale
+
+
+- name: Enable headscale copr repository
+  ansible.builtin.yum_repository:
+    name: copr:copr.fedorainfracloud.org:jonathanspw:headscale
+    description: Copr repo for headscale owned by jonathanspw
+    baseurl: https://download.copr.fedorainfracloud.org/results/jonathanspw/headscale/rhel-9-$basearch/
+    gpgkey: https://download.copr.fedorainfracloud.org/results/jonathanspw/headscale/pubkey.gpg
+    enabled: true
+    gpgcheck: true
+
+- name: Install headscale
+  ansible.builtin.dnf:
+    name: headscale
+    state: present
+  tags:
+    - headscale