---
# Main perun orchestration playbook
# Steps to run:
# 1. change the inventories/prod file to contain your host name
# 2. create directory host_vars/<your host name>/ and copy there the files from host_vars/perun.example.com/
# 3. set all values in host_vars/<your host name>/vars.yml
# 4. edit vault by executing the command "ansible-vault -edit host_vars/<your host name>/passwords.yml" and set values in the file
# 5. change vault password by executing the command "ansible-vault rekey host_vars/<your host name>/passwords.yml"
# 6. run the playbook by executing the command "ansible-playbook -i inventories/prod --ask-vault-pass site.yml"
# you can run only specific parts of this playbook using --tags, and limit execution to selected hosts using --limit, e.g.:
# ansible-playbook -i inventories/all --ask-vault-pass site.yml --tags work-env,security,yubikey,unattended-upgrades --limit eduteams
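# Play 1: baseline hardening applied to every inventory host.
- hosts: all
  remote_user: root
  pre_tasks:
    # These checks carry no tags, so they run on every invocation, even when
    # --tags restricts the run to a subset of roles.
    - name: Require Debian
      assert:
        that:
          - ansible_distribution == "Debian"
          # Only the listed major version is accepted; add further releases
          # here once the roles below are known to work on them, and keep the
          # message in sync with the list.
          - ansible_distribution_major_version in ["10"]
        msg: "Only Debian 10 is supported"
    - name: Ansible 2.9+ required
      assert:
        that:
          - ansible_version is defined
          - ansible_version.full is version_compare('2.9', '>=')
        msg: "Required Ansible version is 2.9+"
  roles:
    # This role will set working environment to a sensible state.
    - martin_kuba.work_env
    # This role will set up security measures like firewall.
    - cesnet.firewall
    # This role will deploy authentication by hardware Yubikeys.
    # The login lists come from host_vars (see the header of this file);
    # sudo_perun_users are the accounts allowed to sudo to the "perun" user.
    - role: cesnet.yubikeys
      vars:
        yubikey_lognames: "{{ create_yubikey_users }}"
        sudo_root_lognames: "{{ sudo_root_users }}"
        other_sudo_user: "perun"
        sudo_other_lognames: "{{ sudo_perun_users }}"
    # This role will deploy unattended upgrades of Debian OS.
    - cesnet.unattended_upgrades
    # This role will deploy components needed for passive checks from MetaCentrum's Nagios.
    - cesnet.metacentrum_monitoring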
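# Play 2: Perun server installation. Legacy roles; most have been migrated
# to cesnet.perun_server / cesnet.perun_docker_server (see per-role notes).
- hosts: perun_servers
  remote_user: root
  pre_tasks:
    # Each check is tagged so it still runs when --tags limits the run to a
    # subset of roles; a role tag missing from a check's list skips that check.
    - name: Check that host's variables are loaded
      assert:
        that:
          - perun_login is defined
          - perun_hostname is defined
          - perun_email is defined
          - apache_certificate_file is defined
          - apache_certificate_key_file is defined
          - ldap_certificate_file is defined
          - ldap_certificate_key_file is defined
          - install_oracle is defined
        msg: "Create directory host_vars/{{inventory_hostname}}/, copy there file host_vars/perun.example.com/vars.yml and set all values in it"
      tags: ['perun', 'config', 'shibboleth', 'apache', 'tomcat', 'postgres', 'build', 'engine', 'wui', 'ldap']
    - name: Check that host's passwords are loaded
      assert:
        that:
          - password_perun_admin is defined
          - yubikey_key is defined
        msg: "Create directory host_vars/{{inventory_hostname}}/, copy there file host_vars/perun.example.com/passwords.yml and set all values in it"
      tags: ['perun', 'config', 'apache', 'tomcat', 'postgres', 'build', 'engine', 'wui', 'ldap']
    # NOTE: the play for "all" above accepts Debian 10 only and Ansible 2.9+;
    # since every inventory host is also in "all", those stricter checks apply
    # first in a full run and the looser ones here only matter for --limit
    # or --tags runs that skip the first play.
    - name: Require Debian 9+
      assert:
        that:
          - ansible_distribution == "Debian"
          - ansible_distribution_major_version in ["9", "10"]
        msg: "Only Debian 9+ is supported"
      tags: ['apache', 'postgres']
    - name: Ansible 2.5+ required
      assert:
        that:
          - ansible_version is defined
          - ansible_version.full is version_compare('2.5', '>=')
        msg: "Required Ansible version is 2.5+ with import_role and package_facts"
      tags: ['shibboleth']
  roles:
    # NECESSARY ROLES
    # ---------------
    # Every role sets become: true; redundant while remote_user is root, but
    # harmless and kept so the roles do not depend on that setting.
    #
    # This role will check or create SSL/TLS certificates.
    # migrated to role cesnet.perun_server/begin.yml
    - role: certs-perun
      become: true
      tags: ['apache', 'postgres', 'ldap']
    #
    # This role will create user perun and install basic software packages.
    # migrated to role cesnet.perun_server/begin.yml and deploy_perun.yml
    - role: perun
      become: true
      tags: ['perun', 'config', 'tomcat', 'postgres', 'build', 'deploy', 'ldap']
    #
    # This role will create configuration files of Perun from templates.
    # TODO migrate
    - role: configuration-perun
      become: true
      tags: ['config', 'deploy', 'engine']
    #
    # This role will install Shibboleth SP.
    # TODO migrate
    - role: shibboleth-perun
      become: true
      tags: ['shibboleth', 'apache']
    #
    # This role will install Apache and its config files for Perun, needs Shibboleth.
    # TODO migrate
    - role: apache-perun
      become: true
      tags: ['apache', 'deploy']
    #
    # This role will install Tomcat and its config files for Perun.
    # migrated to docker container perun_rpc
    - role: tomcat-perun
      become: true
      tags: ['tomcat', 'deploy']
    #
    # This role will install Oracle DB drivers to Maven repo and to system Tomcat.
    # migrated to role cesnet.perun_server/oracle_jdbc.yml
    - role: oracle-perun
      become: true
      tags: oracle
    #
    # This role will deploy PostgreSQL DB and create DB tables.
    # migrated to roles cesnet.postgresql and cesnet.perun_docker_server/tasks/perun_postgres.yml
    - role: postgres-perun
      become: true
      tags: postgres
    #
    # This role will compile and package all Perun modules
    # migrated to role cesnet.perun_server/deploy_perun.yml
    - role: build-perun
      become: true
      tags: ['build', 'deploy', 'engine', 'ldap']
    #
    # This role will deploy perun-rpc to Tomcat and perun-web-gui to Apache.
    # migrated to role cesnet.perun_server/deploy_perun.yml
    - role: deploy-perun
      become: true
      tags: deploy
    #
    # This role will deploy engine with GEN/SEND scripts and CLI scripts.
    # migrated to role cesnet.perun_server/deploy_perun.yml and deploy_services.yml
    - role: engine-perun
      become: true
      tags: engine
    #
    # This role will deploy new web user interface of Perun.
    # migrated to role cesnet.perun_server/deploy_wui.yml
    - role: wui-perun
      become: true
      tags: wui
    #
    # This role will deploy and configure LDAP server and LDAPc connector.
    # TODO migrate
    - role: ldap-perun
      become: true
      tags: ['ldap', 'install-ldap']
  tasks:
    # Grants SSH login as the service account "perun" on every perun server to
    # whoever holds the private half of this key. The public key is not a
    # secret, but it is an access grant: this repository is a fork, so confirm
    # the default below belongs to the CI you operate. Set
    # jenkins_perun_ssh_key in group_vars/host_vars to use a different key or
    # to rotate it without editing the playbook; the default keeps the
    # previous behaviour when the variable is unset. The task has tag
    # "jenkins" but, like any tagged task, it also runs in an untagged run.
    - name: "enable Jenkins access to perun account"
      authorized_key:
        user: perun
        state: present
        key: "{{ jenkins_perun_ssh_key | default('ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdvdjIeskcNga9V59c8ADMx0XyXwDCr2kbErjcm/wuXBdnrNun2clcPmAq+qsdiED3ajeJhgLflDG+WMa49NP6P80+maK10fL1gtjvp3C8Nbx4r4Objtn0QI6aKjGEcvDUMBCd+4yRtuOfmhVYu3zCr1CswQgSBbRL+PxZtApC1wIaZPkEuCMhZRUL9iNI7n9pbjmI7Ibi8lfBTEp5TeiR05049BQN5oGGP9MmxvuAK3QWfz7ISZg62xqngcvELX28fkTvGC11GMN82PwCy0gv+VvYgBUwrPW6d1mI7oid8UvWchHJQ4oleLHP1yfY413sXBYij5u3zZkg+hy/P88d [email protected]') }}"
      tags: jenkins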