|
|
%
|
|
|
% Ansible.tex
|
|
|
%
|
|
|
% Fork Sand IT Manual
|
|
|
%
|
|
|
% Copyright (C) 2018, Fork Sand, Inc.
|
|
|
% Copyright (C) 2017, Jeff Moe
|
|
|
%
|
|
|
% This document is licensed under the Creative Commons Attribution 4.0
|
|
|
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
|
|
|
%
|
|
|
\section{Ansible Cloud Management}
|
|
|
Use \texttt{ansible} for management of servers.
|
|
|
|
|
|
\begin{itemize}
|
|
|
\item Ansible ---
|
|
|
Website: \\ \url{https://ansible.com}
|
|
|
\item Ansible Github ---
|
|
|
Repo: \\ \url{https://github.com/ansible/ansible.git}
|
|
|
\item DebOps: \url{https://docs.debops.org/en/latest/index.html}
|
|
|
\end{itemize}
|
|
|
|
|
|
\subsection{Glossary}
|
|
|
An \texttt{Ansible playbook} is an organized unit of scripts that defines
|
|
|
work for a server configuration managed by the automation tool \texttt{ansible}.
|
|
|
|
|
|
\subsection{Build Ansible Debian Package}\label{ssec:bansdpac}
|
|
|
The version of Ansible is 2.2 in Debian 9 (stable/Stretch).
|
|
|
The current stable release is Ansible 2.4.
|
|
|
Below documents how to build a 2.4 package for Debian 9.
|
|
|
|
|
|
\begin{minted}{sh}
|
|
|
# To build a Debian package:
|
|
|
# Check here for latest version:
|
|
|
# https://packages.debian.org/sid/ansible
|
|
|
wget http://http.debian.net/debian/pool/main/a/ansible/ansible_2.4.0.0+dfsg-1.debian.tar.xz
|
|
|
wget http://http.debian.net/debian/pool/main/a/ansible/ansible_2.4.0.0+dfsg.orig.tar.gz
|
|
|
|
|
|
# Install some deps
|
|
|
apt-get install debhelper python-all python-crypto python-setuptools python-yaml asciidoc python-nose python-passlib dh-python
|
|
|
|
|
|
tar xf ansible_2.4.0.0+dfsg.orig.tar.gz
|
|
|
cd ansible-2.4.0.0/
|
|
|
tar xf ../ansible_2.4.0.0+dfsg-1.debian.tar.xz
|
|
|
|
|
|
# Update version:
|
|
|
echo -n " -- Jeff Moe <moe@blagblagblag.org> " ; date "+%a, %d %b %Y %H:%M:%S %z"
|
|
|
vim debian/changelog
|
|
|
|
|
|
dpkg-buildpackage -rfakeroot -S -uc -us -sa
|
|
|
dpkg-buildpackage -rfakeroot -b -uc
|
|
|
|
|
|
# That will produce this file to be installed:
|
|
|
dpkg -i ansible_2.4.0.0+dfsg-2_all.deb
|
|
|
apt-get -f install
|
|
|
|
|
|
# If you want the Ansible git archive:
|
|
|
git clone https://github.com/ansible/ansible.git --recursive
|
|
|
\end{minted}
|
|
|
|
|
|
\subsection{Ansible Initial Configuration}
|
|
|
Here is how to set up Ansible after initially installing it.
|
|
|
This is run on the system adminstrator's workstation.
|
|
|
|
|
|
\begin{minted}{sh}
|
|
|
# Quick and dirty test by setting up a host and running `uptime`.
|
|
|
mkdir -p ~/.ansible
|
|
|
echo ns1 > ~/.ansible/hosts
|
|
|
ansible -i ~/.ansible/hosts ns1 -a 'uptime'
|
|
|
\end{minted}
|
|
|
|
|
|
~/.ansible.cfg
|
|
|
\begin{minted}{sh}
|
|
|
[defaults]
|
|
|
inventory = $HOME/.ansible/hosts
|
|
|
|
|
|
[ssh_connection]
|
|
|
ssh_args = -o ControlMaster=auto -o ControlPersist=300s
|
|
|
pipelining = True
|
|
|
\end{minted}
|
|
|
|
|
|
To generate a full list of \texttt{ns} hosts, run the script:
|
|
|
|
|
|
\begin{minted}{sh}
|
|
|
cd source/resources/servers
|
|
|
echo "[ns]" > ~/.ansible/hosts
|
|
|
./ns-serverlist-ansible.sh >> ~/.ansible/hosts
|
|
|
ansible -i ~/.ansible/hosts ns -a "uptime"
|
|
|
# Find the failed hosts and remove them from ~/.ansible/hosts.
|
|
|
echo "[ns]" > ~/.ansible/hosts.tmp
|
|
|
ansible -f 32 -i ~/.ansible/hosts ns -a "echo" | grep ^ns | grep SUCCESS | cut -f 1 -d " " | sort -V >> ~/.ansible/hosts.tmp
|
|
|
mv ~/.ansible/hosts ~/.ansible/hosts.old
|
|
|
mv ~/.ansible/hosts.tmp ~/.ansible/hosts
|
|
|
# Test it works:
|
|
|
ansible -i ~/.ansible/hosts ns -a "uptime"
|
|
|
# To get a ton of info about each host:
|
|
|
ansible -i ~/.ansible/hosts ns -m setup
|
|
|
\end{minted}
|
|
|
|
|
|
XXX Fix, make sure everyone has \texttt{/usr/bin/python} available for \texttt{ansible}:
|
|
|
|
|
|
\begin{minted}{sh}
|
|
|
# XXXX SOME HOSTS DON'T HAVE /usr/bin/python
|
|
|
# JUST PYTHON3. HOSTS THAT DIDN'T HAVE /usr/bin/python:
|
|
|
# (ALL OVH)
|
|
|
# ns14 ns15 ns21 ns22
|
|
|
apt install python python-minimal
|
|
|
\end{minted}
|
|
|
|
|
|
Set up some playbooks, grab examples:
|
|
|
|
|
|
\begin{minted}{sh}
|
|
|
git clone https://github.com/ansible/ansible-examples.git
|
|
|
cd ansible-examples/
|
|
|
\end{minted}
|
|
|
|
|
|
\section{Ansible Debian Mail}
|
|
|
Assuming \texttt{ansible} is built according to section \ref{ssec:bansdpac}
|
|
|
on p.\pageref{ssec:bansdpac}, the following requirements are met.
|
|
|
|
|
|
\subsection{Requirements}
|
|
|
The following applications are required to utilize this this section objectives.
|
|
|
Ansible can be installed using Python PIP.
|
|
|
\begin{itemize}
|
|
|
\item \texttt{Ansible} 2.4.x+
|
|
|
\item \texttt{Python} 2.7.9+
|
|
|
\textcolor[rgb]{0.80,0.00,0.00}{Todo clarify confusion over version requirements}
|
|
|
\end{itemize}
|
|
|
|
|
|
\subsection{Quick Start}
|
|
|
The following steps will help quickly set up and execute this section objectives.
|
|
|
|
|
|
\texttt{Project Configuration}
|
|
|
|
|
|
The following files need to be edited and configured before executing this playbook.
|
|
|
|
|
|
\begin{table}[!htb]
|
|
|
\caption{Files to be edited} % \label{tab:tech}
|
|
|
\begin{tabular}{|l|l|}
|
|
|
\hline
|
|
|
\multicolumn {1}{|l|}{ File}&
|
|
|
\multicolumn {1}{l|}{ Description} \\ \hline
|
|
|
groups\char`_vars/all.yml & Server credential information and domain variables \\ \hline
|
|
|
inventory.yml & List of server IPs to connect to \\ \hline
|
|
|
\end{tabular}
|
|
|
\end{table}
|
|
|
|
|
|
\texttt{Playbook Execution}
|
|
|
|
|
|
After having configured the server credentials and added the server IP to the inventory, use the following command to execute the playbook.
|
|
|
|
|
|
\begin{minted}{sh}
|
|
|
ansible-playbook -i inventory.yml site.yml -vvv
|
|
|
\end{minted}
|
|
|
|
|
|
\subsection{Project Structure}
|
|
|
The following tree depicts the high level structure of this Ansible project.
|
|
|
|
|
|
\begin{minted}{sh}
|
|
|
|-- ansible.cfg
|
|
|
|-- group_vars
|
|
|
|<7C><> -- all.yml
|
|
|
|-- inventory.yml
|
|
|
|-- LICENSE.AGPLv3
|
|
|
|-- LICENSE.GPLv3
|
|
|
|-- README.md
|
|
|
|-- roles
|
|
|
|<7C><> |-- dkim_configuration
|
|
|
|<7C><> |-- dovecot_configuration
|
|
|
|<7C><> |-- fail2ban_configuration
|
|
|
|<7C><> |-- letsencrypt_configuration
|
|
|
|<7C><> |-- mikegleasonjr.firewall
|
|
|
|<7C><> |-- outputs
|
|
|
|<7C><> |-- postfix_configuration
|
|
|
|<7C><> |-- server_tasks
|
|
|
|<7C><> |-- spamassassin_configuration
|
|
|
|<7C><> -- sqlgrey_configuration
|
|
|
|-- playbook_execution.log
|
|
|
-- site.yml
|
|
|
\end{minted}
|
|
|
|
|
|
\texttt{File and Directory Descriptions}
|
|
|
|
|
|
The following table consists of a description of what each file and directory stands for.
|
|
|
|
|
|
\begin{table}[!htb]
|
|
|
\caption{File and Directory Descriptions} % \label{tab:tech}
|
|
|
\begin{tabular}{|l|l|}
|
|
|
\hline
|
|
|
\multicolumn {1}{|l|}{ Name}&
|
|
|
\multicolumn {1}{l|}{ Description} \\ \hline
|
|
|
site.yml & Master playbook. Executes all roles in sequential order \\ \hline
|
|
|
inventory.yml & Inventory file containing server IP addresses \\ \hline
|
|
|
ansible.cfg & Ansible configuration file for various Ansible options. \\ \hline
|
|
|
group\char`_vars/ & Group\char`_vars directory contains variable files for the entire group. \\
|
|
|
& The files are named according to the group name. 'all.yml' = group 'all' \\ \hline
|
|
|
group\char`_vars/all.yml & Group variables for the 'all' group. Contains server connection \\
|
|
|
& information along with domain variables \\ \hline
|
|
|
roles/ & Directory containing all roles needed by this project \\ \hline
|
|
|
\end{tabular}
|
|
|
\end{table}
|
|
|
|
|
|
\texttt{Role descriptions}
|
|
|
|
|
|
The following table consists of descriptions of each role and their purpose. The roles listed below are listed in the required order of execution to ensure successful completion of the playbook.
|
|
|
|
|
|
\begin{table}[!htb]
|
|
|
\caption{Role descriptions} % \label{tab:tech}
|
|
|
\begin{tabular}{|l|l|l|}
|
|
|
\hline
|
|
|
\multicolumn {1}{|l|}{Role Name}&
|
|
|
\multicolumn {1}{|l|}{Role Description}&
|
|
|
\multicolumn {1}{l|}{Depends on} \\ \hline
|
|
|
server\char`_tasks & This roles performs all server tasks. Updating & mikebleasonjr.firewall \\
|
|
|
& server, configuring SSH, disable IPv6, etc. & \\
|
|
|
& Depends on the mikegleasonjr.firewall role. & \\ \hline
|
|
|
mikegleasonjr.firewall & This role set up iptables rules. It is called & None \\
|
|
|
& and ran by the server\char`_tasks roles. & \\ \hline
|
|
|
letsencrypt\char`_configuration & This role installs and executes let's encrypt & None \\ \hline
|
|
|
postfix\char`_configuration & This roles installs postfix, configures postfix & letsencrypt\char`_configuration \\
|
|
|
& using postconf, and sets up virtual file, & \\
|
|
|
& master.cf file, and aliases file & \\ \hline
|
|
|
dkim\char`_configuration & This roles installs OpenDKIM, OpenDMARC & None \\
|
|
|
& and configures them. & \\ \hline
|
|
|
dovecot\char`_configuration & This role installs and configures dovecot & letsencrypt\char`_configuration \\ \hline
|
|
|
spamassassin\char`_configuration & This role installs spamassassin. & None \\ \hline
|
|
|
sqlgrey\char`_configuration & This role installs sqlgrey. & None \\ \hline
|
|
|
fail2ban\char`_configuration & This role installs fail2ban. & None \\ \hline
|
|
|
outputs & This role gathers DNS information for the & None \\
|
|
|
& SPF, DMARC, and DKIM records and & \\
|
|
|
& outputs them to the screen. & \\ \hline
|
|
|
\end{tabular}
|
|
|
\end{table}
|
|
|
|
|
|
\subsection{Ansible Logging}
|
|
|
Execution processes described in this section are automatically logged to a file called `playbook-execution.log` in the root directory of the project. The path to this log file can be changed by editing `ansible.cfg` in the project root directory and specifying a different path.
|
|
|
|
|
|
\subsection{Troubleshooting}
|
|
|
Ansible has a built in debug output. Simply run Ansible with a `-v`. There are 5 levels of debug output and they are denoted by the number of v's listed. Each level up provide more debug output than the level before it.
|
|
|
|
|
|
\begin{minted}{sh}
|
|
|
Level 1: `-v`
|
|
|
|
|
|
Level 2: `-vv`
|
|
|
|
|
|
Level 3: `-vvv`
|
|
|
|
|
|
Level 4: `-vvvv`
|
|
|
|
|
|
Level 5: `-vvvvv`
|
|
|
\end{minted}
|
|
|
|
|
|
Example execution with level 3 debug output:
|
|
|
|
|
|
\begin{minted}{sh}
|
|
|
ansible-playbook -i inventory.yml site.yml -vvv
|
|
|
\end{minted}
|
|
|
|
|
|
\section{Ansible Gitea}
|
|
|
Assuming \texttt{ansible} is built according to section \ref{ssec:bansdpac}
|
|
|
on p.\pageref{ssec:bansdpac}, the following requirements are met.
|
|
|
|
|
|
\subsection{Requirements}
|
|
|
The following applications are required to utilize this this section objectives.
|
|
|
Ansible can be installed using Python PIP.
|
|
|
\begin{itemize}
|
|
|
\item \texttt{Ansible} 2.4.x+
|
|
|
\item \texttt{Python} 2.7.x
|
|
|
\end{itemize}
|
|
|
|
|
|
\subsection{Quick Start}
|
|
|
The following steps will help quickly set up and execute this section objectives.
|
|
|
|
|
|
\texttt{Project Configuration}
|
|
|
|
|
|
The following files need to be edited and configured before executing this playbook.
|
|
|
|
|
|
\begin{table}[!htb]
|
|
|
\caption{Files to be edited} % \label{tab:tech}
|
|
|
\begin{tabular}{|l|l|}
|
|
|
\hline
|
|
|
\multicolumn {1}{|l|}{ File}&
|
|
|
\multicolumn {1}{l|}{ Description} \\ \hline
|
|
|
roles/gitea/default/main.yml & Variables for Gitea configuration \\
|
|
|
& (default - standalone with sqlite) \\ \hline
|
|
|
roles/nginx/default/main.yml & Variables for Nginx and Letsencrypt configuration \\ \hline
|
|
|
inventory.yml & List of server IPs to connect to \\ \hline
|
|
|
\end{tabular}
|
|
|
\end{table}
|
|
|
|
|
|
\qquad \\
|
|
|
\texttt{Playbook Execution}
|
|
|
|
|
|
After having configured the server credentials and added the server IP to the inventory, use the following command to execute the playbook.
|
|
|
|
|
|
\begin{minted}{sh}
|
|
|
ansible-playbook -i inventory.yml site.yml -vvv
|
|
|
\end{minted}
|
|
|
|
|
|
\subsection{Project Structure}
|
|
|
The following tree depicts the high level structure of this Ansible project.
|
|
|
|
|
|
\begin{minted}{sh}
|
|
|
|-- inventory.yml
|
|
|
|-- LICENSE.AGPLv3
|
|
|
|-- LICENSE.GPLv3
|
|
|
|-- README.md
|
|
|
|-- roles
|
|
|
|<7C><> |-- gitea
|
|
|
|<7C><> -- nginx
|
|
|
|-- playbook_execution.log
|
|
|
-- site.yml
|
|
|
\end{minted}
|
|
|
|
|
|
\texttt{File and Directory Descriptions}
|
|
|
|
|
|
The following table consists of a description of what each file and directory stands for.
|
|
|
|
|
|
\begin{table}[!htb]
|
|
|
\caption{File and Directory Descriptions} % \label{tab:tech}
|
|
|
\begin{tabular}{|l|l|}
|
|
|
\hline
|
|
|
\multicolumn {1}{|l|}{ Name}&
|
|
|
\multicolumn {1}{l|}{ Description} \\ \hline
|
|
|
site.yml & Master playbook. Executes all roles in sequential order \\ \hline
|
|
|
inventory.yml & Inventory file containing server IP addresses \\ \hline
|
|
|
ansible.cfg & Ansible configuration file for various Ansible options. \\ \hline
|
|
|
roles/ & Directory containing all roles needed by this project \\ \hline
|
|
|
\end{tabular}
|
|
|
\end{table}
|
|
|
|
|
|
\qquad \\
|
|
|
|
|
|
\texttt{Role descriptions}
|
|
|
|
|
|
The following table consists of descriptions of each role and their purpose. The roles listed below are listed in the required order of execution to ensure successful completion of the playbook.
|
|
|
|
|
|
\begin{table}[!htb]
|
|
|
\caption{Role descriptions} % \label{tab:tech}
|
|
|
\begin{tabular}{|l|l|l|}
|
|
|
\hline
|
|
|
\multicolumn {1}{|l|}{Role Name}&
|
|
|
\multicolumn {1}{|l|}{Role Description} \\ \hline
|
|
|
gitea & This roles performs installation and configuration of Gitea server \\ \hline
|
|
|
nginx & This roles performs installation and configuration of Nginx server \\ \hline
|
|
|
\end{tabular}
|
|
|
\end{table}
|
|
|
|
|
|
\texttt{Role parameters}
|
|
|
|
|
|
\qquad \\
|
|
|
|
|
|
\texttt{\qquad Gitea role parameters}
|
|
|
\begin{minted}{sh}
|
|
|
# Application name
|
|
|
gitea_app_name: "Gitea"
|
|
|
# Application gitea_user_repo_limit
|
|
|
gitea_user: "gitea"
|
|
|
# Application home
|
|
|
gitea_home: "/var/lib/gitea"
|
|
|
# Repo Limit
|
|
|
gitea_user_repo_limit: -1
|
|
|
# Domain Name (FOR REVER PROXY LEAVE AS DEFAULT)
|
|
|
gitea_http_domain: localhost
|
|
|
# Gitea url (FOR REVER PROXY LEAVE AS DEFAULT)
|
|
|
gitea_root_url: http://localhost:3000
|
|
|
# Protocol (FOR REVER PROXY LEAVE AS DEFAULT)
|
|
|
gitea_protocol: http
|
|
|
# listen IP (FOR REVER PROXY LEAVE AS DEFAULT)
|
|
|
gitea_http_listen: 127.0.0.1
|
|
|
# Listen port (FOR REVER PROXY LEAVE AS DEFAULT)
|
|
|
gitea_http_port: 3000
|
|
|
# HTTP git Options
|
|
|
gitea_disable_http_git: false
|
|
|
# Offline mode options
|
|
|
gitea_offline_mode: true
|
|
|
\end{minted}
|
|
|
|
|
|
\qquad \qquad DB details
|
|
|
|
|
|
\begin{minted}{sh}
|
|
|
# DB Type 'mysql', 'postgres' or 'sqlite3'
|
|
|
gitea_db_type: sqlite3
|
|
|
# DB host
|
|
|
gitea_db_host: 127.0.0.0:3306
|
|
|
# DB name
|
|
|
gitea_db_name: root
|
|
|
# DB username
|
|
|
gitea_db_user: gitea
|
|
|
# DB password
|
|
|
gitea_db_passord: lel
|
|
|
# DB ssl options
|
|
|
gitea_db_ssl: disable
|
|
|
# DB path (Not needed for postgres and mysql hash it in template file )
|
|
|
gitea_db_path: "{{ gitea_home }}/data/gitea.db"
|
|
|
\end{minted}
|
|
|
|
|
|
\qquad \qquad SSH Details
|
|
|
|
|
|
\begin{minted}{sh}
|
|
|
# SSH Listen IP
|
|
|
gitea_ssh_listen: 0.0.0.0
|
|
|
# SSH domain
|
|
|
gitea_ssh_domain: localhost
|
|
|
# SSH options
|
|
|
gitea_start_ssh: true
|
|
|
# SSH post
|
|
|
gitea_ssh_port: 2222
|
|
|
|
|
|
\qquad \qquad Gitea secret key
|
|
|
|
|
|
\begin{minted}{sh}
|
|
|
# gitea key (GENERATE A NEW KEY)
|
|
|
gitea_secret_key: T0pS3cr31
|
|
|
\end{minted}
|
|
|
|
|
|
\qquad \qquad General Settings
|
|
|
|
|
|
\begin{minted}{sh}
|
|
|
# User email settings
|
|
|
gitea_show_user_email: false
|
|
|
# User avatar settings
|
|
|
gitea_disable_gravatar: true
|
|
|
# User register options
|
|
|
gitea_disable_registration: false
|
|
|
# User signup options
|
|
|
gitea_require_signin: true
|
|
|
# User captcha options
|
|
|
gitea_enable_captcha: true
|
|
|
\end{minted}
|
|
|
|
|
|
\qquad \\
|
|
|
|
|
|
\texttt{\qquad Nginx roles parameters}
|
|
|
\begin{minted}{sh}
|
|
|
# Domain name for the server
|
|
|
nginx_domain_name: "test.hostnats.com"
|
|
|
# Gitea listening port
|
|
|
gitea_http_port: 3000
|
|
|
# letsencrypt email address
|
|
|
letsencrypt_email: "test@example.com"
|
|
|
\end{minted}
|
|
|
|
|
|
\subsection{Ansible Logging}
|
|
|
Execution processes described in this section are automatically logged to a file called `playbook-execution.log` in the root directory of the project. The path to this log file can be changed by editing `ansible.cfg` in the project root directory and specifying a different path.
|
|
|
|
|
|
\subsection{Troubleshooting}
|
|
|
Ansible has a built in debug output. Simply run Ansible with a `-v`. There are 5 levels of debug output and they are denoted by the number of v's listed. Each level up provide more debug output than the level before it.
|
|
|
|
|
|
\begin{minted}{sh}
|
|
|
Level 1: `-v`
|
|
|
|
|
|
Level 2: `-vv`
|
|
|
|
|
|
Level 3: `-vvv`
|
|
|
|
|
|
Level 4: `-vvvv`
|
|
|
|
|
|
Level 5: `-vvvvv`
|
|
|
\end{minted}
|
|
|
|
|
|
Example execution with level 3 debug output:
|
|
|
|
|
|
\begin{minted}{sh}
|
|
|
ansible-playbook -i inventory.yml site.yml -vvv
|
|
|
\end{minted}
|
|
|
|