Playbooks to a new Lilik
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

68 lines
2.0 KiB

style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
  1. # Role: gitlab
  2. Set-up a Omnibus GitLab server
  3. ## Configuration variables
  4. | Name | Description |
  5. |-------------------------|-------------------------------------------------|
  6. | `server_fqdn` | [`$hostname.$domain`] |
  7. | `ssh_port` | External SSH port. [`22`] |
  8. | `ldap_server`* | LDAP server fqdn [`'ldap1.dmz.$domain'`] |
  9. | `ldap_domain` | LDAP domain, used to derive base dn [`$domain`] |
  10. | `enable_https` | Enable HTTPS. [`false`] |
  11. | `ldap_admin_dn` | DN of a LDAP user with admin privileges. |
  12. | `ldap_admin_pw` | Bind password of that user. |
  13. | `initial_root_password` | Available only before initialization. |
  14. **Note**: The Ansible controller must have OpenLDAP properly configured
  15. with root ca set in `~/.ldaprc`.
  16. ## Minimal example
  17. group_vars/all.yaml:
  18. ---
  19. domain: 'example.com'
  20. ssl_subject_prefix: '/C=IT/L=Firenze/O=LILiK'
  21. x509_suffix: 'o=LILiK,l=Firenze,st=IT'
  22. user_ca_keys:
  23. - "ssh-ed25519 ################### CA"
  24. ssl_ca_cert: |
  25. -----BEGIN CERTIFICATE-----
  26. ###########################
  27. -----END CERTIFICATE-----
  28. hosts:
  29. vm_gateway ansible_host=10.0.2.1 ansible_user=root
  30. authorities_request ansible_host=10.0.1.8 ansible_user=request
  31. host1 ansible_host=10.0.1.1 ansible_user=root
  32. ldap1 ansible_host=10.0.2.2 ansible_user=root ansible_lxc_host=host1
  33. gitlab ansible_host=10.0.2.3 ansible_user=root ansible_lxc_host=host1
  34. playbook.yaml:
  35. ---
  36. # Configure GitLab on a Physical Host
  37. - hosts: 'host1'
  38. roles:
  39. - role: 'dns_record'
  40. - role: 'reverse_proxy'
  41. hostname: 'projects'
  42. - role: 'gitlab'
  43. Command line:
  44. ansible-playbook -i hosts playbook.yaml \
  45. -e ldap_admin_dn=<admin_dn> -e \
  46. -e ldap_amdin_pw=<admin_pw>
  47. ## Requirements
  48. On Ansible controller:
  49. - tasks/ca-dialog.yaml