You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

475 lines
15 KiB

%
% Ansible.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
\section{Ansible Cloud Management}
Use \texttt{ansible} for management of servers.
\begin{itemize}
\item Ansible ---
Website: \\ \url{https://ansible.com}
\item Ansible Github ---
Repo: \\ \url{https://github.com/ansible/ansible.git}
\item DebOps: \url{https://docs.debops.org/en/latest/index.html}
\end{itemize}
\subsection{Glossary}
An \texttt{Ansible playbook} is an organized unit of scripts that defines
work for a server configuration managed by the automation tool \texttt{ansible}.
\subsection{Build Ansible Debian Package}\label{ssec:bansdpac}
The version of Ansible is 2.2 in Debian 9 (stable/Stretch).
The current stable release is Ansible 2.4.
Below documents how to build a 2.4 package for Debian 9.
\begin{minted}{sh}
# To build a Debian package:
# Check here for latest version:
# https://packages.debian.org/sid/ansible
wget http://http.debian.net/debian/pool/main/a/ansible/ansible_2.4.0.0+dfsg-1.debian.tar.xz
wget http://http.debian.net/debian/pool/main/a/ansible/ansible_2.4.0.0+dfsg.orig.tar.gz
# Install some deps
apt-get install debhelper python-all python-crypto python-setuptools python-yaml asciidoc python-nose python-passlib dh-python
tar xf ansible_2.4.0.0+dfsg.orig.tar.gz
cd ansible-2.4.0.0/
tar xf ../ansible_2.4.0.0+dfsg-1.debian.tar.xz
# Update version:
echo -n " -- Jeff Moe <moe@blagblagblag.org> " ; date "+%a, %d %b %Y %H:%M:%S %z"
vim debian/changelog
dpkg-buildpackage -rfakeroot -S -uc -us -sa
dpkg-buildpackage -rfakeroot -b -uc
# That will produce this file to be installed:
dpkg -i ansible_2.4.0.0+dfsg-2_all.deb
apt-get -f install
# If you want the Ansible git archive:
git clone https://github.com/ansible/ansible.git --recursive
\end{minted}
\subsection{Ansible Initial Configuration}
Here is how to set up Ansible after initially installing it.
This is run on the system adminstrator's workstation.
\begin{minted}{sh}
# Quick and dirty test by setting up a host and running `uptime`.
mkdir -p ~/.ansible
echo ns1 > ~/.ansible/hosts
ansible -i ~/.ansible/hosts ns1 -a 'uptime'
\end{minted}
~/.ansible.cfg
\begin{minted}{sh}
[defaults]
inventory = $HOME/.ansible/hosts
[ssh_connection]
ssh_args = -o ControlMaster=auto -o ControlPersist=300s
pipelining = True
\end{minted}
To generate a full list of \texttt{ns} hosts, run the script:
\begin{minted}{sh}
cd source/resources/servers
echo "[ns]" > ~/.ansible/hosts
./ns-serverlist-ansible.sh >> ~/.ansible/hosts
ansible -i ~/.ansible/hosts ns -a "uptime"
# Find the failed hosts and remove them from ~/.ansible/hosts.
echo "[ns]" > ~/.ansible/hosts.tmp
ansible -f 32 -i ~/.ansible/hosts ns -a "echo" | grep ^ns | grep SUCCESS | cut -f 1 -d " " | sort -V >> ~/.ansible/hosts.tmp
mv ~/.ansible/hosts ~/.ansible/hosts.old
mv ~/.ansible/hosts.tmp ~/.ansible/hosts
# Test it works:
ansible -i ~/.ansible/hosts ns -a "uptime"
# To get a ton of info about each host:
ansible -i ~/.ansible/hosts ns -m setup
\end{minted}
XXX Fix, make sure everyone has \texttt{/usr/bin/python} available for \texttt{ansible}:
\begin{minted}{sh}
# XXXX SOME HOSTS DON'T HAVE /usr/bin/python
# JUST PYTHON3. HOSTS THAT DIDN'T HAVE /usr/bin/python:
# (ALL OVH)
# ns14 ns15 ns21 ns22
apt install python python-minimal
\end{minted}
Set up some playbooks, grab examples:
\begin{minted}{sh}
git clone https://github.com/ansible/ansible-examples.git
cd ansible-examples/
\end{minted}
\section{Ansible Debian Mail}
Assuming \texttt{ansible} is built according to section \ref{ssec:bansdpac}
on p.\pageref{ssec:bansdpac}, the following requirements are met.
\subsection{Requirements}
The following applications are required to utilize this this section objectives.
Ansible can be installed using Python PIP.
\begin{itemize}
\item \texttt{Ansible} 2.4.x+
\item \texttt{Python} 2.7.x+
\textcolor[rgb]{0.80,0.00,0.00}{Todo clarify confusion over version requirements}
\end{itemize}
\subsection{Quick Start}
The following steps will help quickly set up and execute this section objectives.
\texttt{Project Configuration}
The following files need to be edited and configured before executing this playbook.
\begin{table}[!htb]
\caption{Files to be edited} % \label{tab:tech}
\begin{tabular}{|l|l|}
\hline
\multicolumn {1}{|l|}{ File}&
\multicolumn {1}{l|}{ Description} \\ \hline
groups\char`_vars/all.yml & Server credential information and domain variables \\ \hline
inventory.yml & List of server IPs to connect to \\ \hline
\end{tabular}
\end{table}
\texttt{Playbook Execution}
After having configured the server credentials and added the server IP to the inventory, use the following command to execute the playbook.
\begin{minted}{sh}
ansible-playbook -i inventory.yml site.yml -vvv
\end{minted}
\subsection{Project Structure}
The following tree depicts the high level structure of this Ansible project.
\begin{picture}(0,0)\put(-10000,0){
\gls{firewall}
}\end{picture}
\begin{minted}{sh}
|-- ansible.cfg
|-- group_vars
|<7C><> -- all.yml
|-- inventory.yml
|-- LICENSE.AGPLv3
|-- LICENSE.GPLv3
|-- README.md
|-- roles
|<7C><> |-- dkim_configuration
|<7C><> |-- dovecot_configuration
|<7C><> |-- fail2ban_configuration
|<7C><> |-- letsencrypt_configuration
|<7C><> |-- mikegleasonjr.firewall
|<7C><> |-- outputs
|<7C><> |-- postfix_configuration
|<7C><> |-- server_tasks
|<7C><> |-- spamassassin_configuration
|<7C><> -- sqlgrey_configuration
|-- playbook_execution.log
-- site.yml
\end{minted}
\texttt{File and Directory Descriptions}
The following table consists of a description of what each file and directory stands for.
\begin{table}[!htb]
\caption{File and Directory Descriptions} % \label{tab:tech}
\begin{tabular}{|l|l|}
\hline
\multicolumn {1}{|l|}{ Name}&
\multicolumn {1}{l|}{ Description} \\ \hline
site.yml & Master playbook. Executes all roles in sequential order \\ \hline
inventory.yml & Inventory file containing server IP addresses \\ \hline
ansible.cfg & Ansible configuration file for various Ansible options. \\ \hline
group\char`_vars/ & Group\char`_vars directory contains variable files for the entire group. \\
& The files are named according to the group name. 'all.yml' = group 'all' \\ \hline
group\char`_vars/all.yml & Group variables for the 'all' group. Contains server connection \\
& information along with domain variables \\ \hline
roles/ & Directory containing all roles needed by this project \\ \hline
\end{tabular}
\end{table}
\texttt{Role descriptions}
The following table consists of descriptions of each role and their purpose. The roles listed below are listed in the required order of execution to ensure successful completion of the playbook.
\begin{picture}(0,0)\put(-10000,0){
\gls{firewall}
}\end{picture}
\begin{table}[!htb]
\caption{Role descriptions} % \label{tab:tech}
\begin{tabular}{|l|l|l|}
\hline
\multicolumn {1}{|l|}{Role Name}&
\multicolumn {1}{|l|}{Role Description}&
\multicolumn {1}{l|}{Depends on} \\ \hline
server\char`_tasks & This roles performs all server tasks. Updating & mikebleasonjr.firewall \\
& server, configuring SSH, disable IPv6, etc. & \\
& Depends on the mikegleasonjr.firewall role. & \\ \hline
mikegleasonjr.firewall & This role set up iptables rules. It is called & None \\
& and ran by the server\char`_tasks roles. & \\ \hline
letsencrypt\char`_configuration & This role installs and executes let's encrypt & None \\ \hline
postfix\char`_configuration & This roles installs postfix, configures postfix & letsencrypt\char`_configuration \\
& using postconf, and sets up virtual file, & \\
& master.cf file, and aliases file & \\ \hline
dkim\char`_configuration & This roles installs OpenDKIM, OpenDMARC & None \\
& and configures them. & \\ \hline
dovecot\char`_configuration & This role installs and configures dovecot & letsencrypt\char`_configuration \\ \hline
spamassassin\char`_configuration & This role installs spamassassin. & None \\ \hline
sqlgrey\char`_configuration & This role installs sqlgrey. & None \\ \hline
fail2ban\char`_configuration & This role installs fail2ban. & None \\ \hline
outputs & This role gathers DNS information for the & None \\
& SPF, DMARC, and DKIM records and & \\
& outputs them to the screen. & \\ \hline
\end{tabular}
\end{table}
\subsection{Ansible Logging}
Execution processes described in this section are automatically logged to a file called `playbook-execution.log` in the root directory of the project. The path to this log file can be changed by editing `ansible.cfg` in the project root directory and specifying a different path.
\subsection{Troubleshooting}
Ansible has a built in debug output. Simply run Ansible with a `-v`. There are 5 levels of debug output and they are denoted by the number of v's listed. Each level up provide more debug output than the level before it.
\begin{minted}{sh}
Level 1: `-v`
Level 2: `-vv`
Level 3: `-vvv`
Level 4: `-vvvv`
Level 5: `-vvvvv`
\end{minted}
Example execution with level 3 debug output:
\begin{minted}{sh}
ansible-playbook -i inventory.yml site.yml -vvv
\end{minted}
\section{Ansible Gitea}
Assuming \texttt{ansible} is built according to section \ref{ssec:bansdpac}
on p.\pageref{ssec:bansdpac}, the following requirements are met.
\subsection{Requirements}
The following applications are required to utilize this this section objectives.
Ansible can be installed using Python PIP.
\begin{itemize}
\item \texttt{Ansible} 2.4.x+
\item \texttt{Python} 2.7.x
\end{itemize}
\subsection{Quick Start}
The following steps will help quickly set up and execute this section objectives.
\texttt{Project Configuration}
The following files need to be edited and configured before executing this playbook.
\begin{table}[!htb]
\caption{Files to be edited} % \label{tab:tech}
\begin{tabular}{|l|l|}
\hline
\multicolumn {1}{|l|}{ File}&
\multicolumn {1}{l|}{ Description} \\ \hline
roles/gitea/default/main.yml & Variables for Gitea configuration \\
& (default - standalone with sqlite) \\ \hline
roles/nginx/default/main.yml & Variables for Nginx and Letsencrypt configuration \\ \hline
inventory.yml & List of server IPs to connect to \\ \hline
\end{tabular}
\end{table}
\qquad \\
\texttt{Playbook Execution}
After having configured the server credentials and added the server IP to the inventory, use the following command to execute the playbook.
\begin{minted}{sh}
ansible-playbook -i inventory.yml site.yml -vvv
\end{minted}
\subsection{Project Structure}
The following tree depicts the high level structure of this Ansible project.
\begin{minted}{sh}
|-- inventory.yml
|-- LICENSE.AGPLv3
|-- LICENSE.GPLv3
|-- README.md
|-- roles
|<7C><> |-- gitea
|<7C><> -- nginx
|-- playbook_execution.log
-- site.yml
\end{minted}
\texttt{File and Directory Descriptions}
The following table consists of a description of what each file and directory stands for.
\begin{table}[!htb]
\caption{File and Directory Descriptions} % \label{tab:tech}
\begin{tabular}{|l|l|}
\hline
\multicolumn {1}{|l|}{ Name}&
\multicolumn {1}{l|}{ Description} \\ \hline
site.yml & Master playbook. Executes all roles in sequential order \\ \hline
inventory.yml & Inventory file containing server IP addresses \\ \hline
ansible.cfg & Ansible configuration file for various Ansible options. \\ \hline
roles/ & Directory containing all roles needed by this project \\ \hline
\end{tabular}
\end{table}
\qquad \\
\texttt{Role descriptions}
The following table consists of descriptions of each role and their purpose. The roles listed below are listed in the required order of execution to ensure successful completion of the playbook.
\begin{table}[!htb]
\caption{Role descriptions} % \label{tab:tech}
\begin{tabular}{|l|l|l|}
\hline
\multicolumn {1}{|l|}{Role Name}&
\multicolumn {1}{|l|}{Role Description} \\ \hline
gitea & This roles performs installation and configuration of Gitea server \\ \hline
nginx & This roles performs installation and configuration of Nginx server \\ \hline
\end{tabular}
\end{table}
\texttt{Role parameters}
\qquad \\
\texttt{\qquad Gitea role parameters}
\begin{minted}{sh}
# Application name
gitea_app_name: "Gitea"
# Application gitea_user_repo_limit
gitea_user: "gitea"
# Application home
gitea_home: "/var/lib/gitea"
# Repo Limit
gitea_user_repo_limit: -1
# Domain Name (FOR REVER PROXY LEAVE AS DEFAULT)
gitea_http_domain: localhost
# Gitea url (FOR REVER PROXY LEAVE AS DEFAULT)
gitea_root_url: http://localhost:3000
# Protocol (FOR REVER PROXY LEAVE AS DEFAULT)
gitea_protocol: http
# listen IP (FOR REVER PROXY LEAVE AS DEFAULT)
gitea_http_listen: 127.0.0.1
# Listen port (FOR REVER PROXY LEAVE AS DEFAULT)
gitea_http_port: 3000
# HTTP git Options
gitea_disable_http_git: false
# Offline mode options
gitea_offline_mode: true
\end{minted}
\qquad \qquad DB details
\begin{minted}{sh}
# DB Type 'mysql', 'postgres' or 'sqlite3'
gitea_db_type: sqlite3
# DB host
gitea_db_host: 127.0.0.0:3306
# DB name
gitea_db_name: root
# DB username
gitea_db_user: gitea
# DB password
gitea_db_passord: lel
# DB ssl options
gitea_db_ssl: disable
# DB path (Not needed for postgres and mysql hash it in template file )
gitea_db_path: "{{ gitea_home }}/data/gitea.db"
\end{minted}
\qquad \qquad SSH Details
\begin{minted}{sh}
# SSH Listen IP
gitea_ssh_listen: 0.0.0.0
# SSH domain
gitea_ssh_domain: localhost
# SSH options
gitea_start_ssh: true
# SSH post
gitea_ssh_port: 2222
\qquad \qquad Gitea secret key
\begin{minted}{sh}
# gitea key (GENERATE A NEW KEY)
gitea_secret_key: T0pS3cr31
\end{minted}
\qquad \qquad General Settings
\begin{minted}{sh}
# User email settings
gitea_show_user_email: false
# User avatar settings
gitea_disable_gravatar: true
# User register options
gitea_disable_registration: false
# User signup options
gitea_require_signin: true
# User captcha options
gitea_enable_captcha: true
\end{minted}
\qquad \\
\texttt{\qquad Nginx roles parameters}
\begin{minted}{sh}
# Domain name for the server
nginx_domain_name: "test.hostnats.com"
# Gitea listening port
gitea_http_port: 3000
# letsencrypt email address
letsencrypt_email: "test@example.com"
\end{minted}
\subsection{Ansible Logging}
Execution processes described in this section are automatically logged to a file called `playbook-execution.log` in the root directory of the project. The path to this log file can be changed by editing `ansible.cfg` in the project root directory and specifying a different path.
\subsection{Troubleshooting}
Ansible has a built in debug output. Simply run Ansible with a `-v`. There are 5 levels of debug output and they are denoted by the number of v's listed. Each level up provide more debug output than the level before it.
\begin{minted}{sh}
Level 1: `-v`
Level 2: `-vv`
Level 3: `-vvv`
Level 4: `-vvvv`
Level 5: `-vvvvv`
\end{minted}
Example execution with level 3 debug output:
\begin{minted}{sh}
ansible-playbook -i inventory.yml site.yml -vvv
\end{minted}