Playbooks to a new Lilik
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

39 lines
1.0 KiB

style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
  1. ---
  2. # 1) Deploy the lxc container(s)
  3. - hosts: 'ldap'
  4. # The host may not exist yet: do not gather facts
  5. gather_facts: false
  6. tags:
  7. - 'lxc'
  8. tasks:
  9. # Delegate lxc container deployment to `ansible_lxc_host`
  10. - import_role: name='lxc_guest'
  11. vars:
  12. vm_name: '{{ inventory_hostname }}'
  13. vm_size: '1G'
  14. delegate_to: '{{ ansible_lxc_host }}'
  15. # The host may not be directly reachable: use `ssh_lxc` proxy to
  16. # gather facts (setup) and configure SSH.
  17. - set_fact: ansible_connection='ssh_lxc'
  18. - setup:
  19. - import_role: name='ssh_server'
  20. # Now the host should be ssh-reachable
  21. - set_fact: ansible_connection='ssh'
  22. # 2) Deploy LDAP server(s)
  23. - hosts: 'ldap'
  24. roles:
  25. - role: 'dns_record'
  26. - role: 'ldap'
  27. ldap_organization: 'LILiK'
  28. virtual_domains:
  29. - '{{ domain }}'
  30. # Default values:
  31. #ldap_tls_enabled: true
  32. #renew_rootdn_pw: true
  33. #check_tree: true
  34. # 3) Enable monitoring
  35. - hosts: 'status'
  36. roles:
  37. - role: 'icinga2-monitoring'