jtom38/Ansible
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Vault is now working

Browse Source 
Getting closer to having Jenkins run Ansible playbooks.
This commit is contained in:
James Tombleson 2019-05-16 15:46:19 -07:00
parent 0597719a6c
commit e9d2d3e52c
40 changed files with 657 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.gitignore vendored
View File

@ -12,5 +12,9 @@ hosts
win_hosts
hosts.d
# Ansible vault secret
# Used to decrypt the vault files
.ansible_vault
# Vagrant
.vagrant

29
README.md
View File

@ -2,6 +2,14 @@
This repo contains my configuration and setup for my ansible use. Use at your own risk.
1. Install Ansible on development device
2. Clone this repository to work in
3. Configure devices to remote into
4. Configure Ansible's Inventory files
5. Set Vault Secret
6. Run Connection tests
## Installers
### New hosts
@ -29,10 +37,31 @@ I have a basic configuration file in place at the root of this folder for anisbl
## Inventory
Inventory files have been moved over to .yml format. The ansibe.cfg is looking for ./dev.yml as it's default inventory file. For Prod use make another file that will contain all servers that will be managed.
I have a template file in place that should only be used as a reference. Make a copy of that file and name it hosts then update that file.
The configuration file that is active is looking for a directory that contains all of the inventory files. This way all files can be parted out rather then one big file.
## Vault Secret
The configuration file is looking for ./.ansible_vault file to contain the secret for vault entries. Git is already configured to ignore this file. You will need to make this file and place your key in it so ansible
can decrypt vaults as needed.
Run the following command and replace secret with your password. Once that is done move on to generating the encrypted strings.
```shell
echo 'secret' > ./.ansible_vault
```
To generate secure strings for the inventory file run the following command.
```shell
ansible-vault encrypt_string 'secret'
```
This will output the value that needs to be placed
### Testing Linux devices
```bash

4
ansible.cfg
View File

@ -11,7 +11,7 @@
# some basic default values...
inventory = ./hosts.d/
inventory = ./test.yml
library = /usr/share/my_modules/
module_utils = /usr/share/my_module_utils/
remote_tmp = ~/.ansible/tmp
@ -137,7 +137,7 @@ roles_path = ./roles/:/etc/ansible/roles
# If set, configures the path to the Vault password file as an alternative to
# specifying --vault-password-file on the command line.
#vault_password_file = /path/to/vault_password_file
vault_password_file = ./.ansible_vault
# format of string {{ ansible_managed }} available within Jinja2
# templates indicates to users editing templates files will be replaced.

46
dev.yml Normal file
View File

@ -0,0 +1,46 @@
---
all:
hosts:
dmi-dev01:
children:
linux:
hosts:
172.20.0.142:
vars:
ansible_user: ansible
ansible_connection: ssh
ansible_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
33353561613531336536313335356236643530346538373638653330306636386435633965336136
3464366635373661383466333464663238663565343839310a376666386237313566386235633739
66323434636365303335326133396137393031396531313533326263363066636237313139353538
6134616232336365610a363033343639616563316330363966326330646162613034633532366230
3439
ansible_become_method: sudo
ansible_become_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
33353561613531336536313335356236643530346538373638653330306636386435633965336136
3464366635373661383466333464663238663565343839310a376666386237313566386235633739
66323434636365303335326133396137393031396531313533326263363066636237313139353538
6134616232336365610a363033343639616563316330363966326330646162613034633532366230
3439
ansible_python_interpreter: /usr/bin/python3
windows:
hosts:
dmi-dev01:
vars:
ansible_user: svcansible
ansible_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
33353561613531336536313335356236643530346538373638653330306636386435633965336136
3464366635373661383466333464663238663565343839310a376666386237313566386235633739
66323434636365303335326133396137393031396531313533326263363066636237313139353538
6134616232336365610a363033343639616563316330363966326330646162613034633532366230
3439
ansible_connection: winrm
ansible_port: 5985
ansible_winrm_scheme: http
ansible_winrm_transport: ntlm
ansible_winrm_server_cert_validation: ignore

21
hosts.template
View File

@ -1,21 +0,0 @@
[linux]
192.168.0.60
[linux:vars]
ansible_user=ansible
ansible_connection=ssh
ansible_password=
ansible_become_method=sudo
ansible_become_pass=
#ansible_python_interpreter=/usr/bin/python3
[windows]
192.168.0.2
[windows:vars]
ansible_user=ansible
ansible_password=
ansible_connection=winrm
ansible_port=5986
ansible_winrm_scheme=https
ansible_winrm_server_cert_validation=ignore

4
jenkins/README.md
View File

@ -1,4 +0,0 @@
# Jenkins
This is a folder that contains playbooks that will executed with Jenkins when code is pushed to master.

17
jenkins/auto-securityupdates.yml
View File

@ -1,17 +0,0 @@
---
- name: enable
hosts: linux
tasks:
# https://galaxy.ansible.com/jnv/unattended-upgrades
- name: unattended-upgrades
become: true
include_role:
name: jnv.unattended-upgrades
vars:
#unattended_package_blacklist: []
unattended_automatic_reboot: true

6
playbook/linux/install-jenkins.yml
View File

@ -10,6 +10,12 @@
import_role:
name: geerlingguy.java
- name: Backup Jenkins Jobs
become: yes
fetch:
src: /var/lib/jenkins/jobs/
dest: ./jenkins/jobs/
- name: Install Jenkins
become: yes
import_role:

3
roles/geerlingguy.ansible/.gitignore vendored Normal file
View File

@ -0,0 +1,3 @@
*.retry
*/__pycache__
*.pyc

32
roles/geerlingguy.ansible/.travis.yml Normal file
View File

@ -0,0 +1,32 @@
---
language: python
services: docker
env:
global:
- ROLE_NAME: ansible
matrix:
- MOLECULE_DISTRO: centos7
- MOLECULE_DISTRO: fedora29
- MOLECULE_DISTRO: ubuntu1804
- MOLECULE_DISTRO: debian9
- MOLECULE_DISTRO: centos7
MOLECULE_PLAYBOOK: playbook-pip.yml
install:
# Install test dependencies.
- pip install molecule docker
before_script:
# Use actual Ansible Galaxy role name for the project directory.
- cd ../
- mv ansible-role-$ROLE_NAME geerlingguy.$ROLE_NAME
- cd geerlingguy.$ROLE_NAME
script:
# Run tests.
- molecule test
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

20
roles/geerlingguy.ansible/LICENSE Normal file
View File

@ -0,0 +1,20 @@
The MIT License (MIT)
Copyright (c) 2017 Jeff Geerling
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

51
roles/geerlingguy.ansible/README.md Normal file
View File

@ -0,0 +1,51 @@
# Ansible Role: Ansible
[![Build Status](https://travis-ci.org/geerlingguy/ansible-role-ansible.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-ansible)
An Ansible Role that installs Ansible on Linux servers.
## Requirements
If using on a RedHat/CentOS-based host, make sure you've added the EPEL repository (it can easily be installed by including the `geerlingguy.repo-epel` role on Ansible Galaxy).
## Role Variables
Available variables are listed below, along with default values (see `defaults/main.yml`):
ansible_install_method: package
Whether to install Ansible via the system `package` manager (`apt`, `yum`, `dnf`, etc.), or via `pip`. If set to `pip`, you need to make sure Pip is installed prior to running this role. You can use the `geerlingguy.pip` module to install Pip easily.
ansible_install_version_pip: ''
If `ansible_install_method` is set to `pip`, the specific Ansible version to be installed via Pip. If not set, the latest version of Ansible will be installed.
## Dependencies
None.
## Example Playbook
Install from the system package manager:
- hosts: servers
roles:
- role: geerlingguy.ansible
Install from pip:
- hosts: servers
vars:
ansible_install_method: pip
ansible_install_version_pip: "2.7.0"
roles:
- role: geerlingguy.pip
- role: geerlingguy.ansible
## License
MIT / BSD
## Author Information
This role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).

8
roles/geerlingguy.ansible/defaults/main.yml Normal file
View File

@ -0,0 +1,8 @@
---
ansible_default_release: ""
# Valid options include: 'package' or 'pip'.
ansible_install_method: package
# Used only if ansible_install_method is 'pip'. If empty, defaults to latest.
ansible_install_version_pip: ''

2
roles/geerlingguy.ansible/meta/.galaxy_install_info Normal file
View File

@ -0,0 +1,2 @@
install_date: Tue May 14 21:40:21 2019
version: 2.0.1

30
roles/geerlingguy.ansible/meta/main.yml Normal file
View File

@ -0,0 +1,30 @@
---
dependencies: []
galaxy_info:
author: geerlingguy
description: Ansible for RedHat/CentOS/Debian/Ubuntu.
company: "Midwestern Mac, LLC"
license: "license (BSD, MIT)"
min_ansible_version: 2.4
platforms:
- name: EL
versions:
- 6
- 7
- name: Fedora
versions:
- all
- name: Debian
versions:
- all
- name: Ubuntu
versions:
- all
galaxy_tags:
- system
- packaging
- development
- cloud
- ansible
- automation

29
roles/geerlingguy.ansible/molecule/default/molecule.yml Normal file
View File

@ -0,0 +1,29 @@
---
dependency:
name: galaxy
driver:
name: docker
lint:
name: yamllint
options:
config-file: molecule/default/yaml-lint.yml
platforms:
- name: instance
image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
command: ${MOLECULE_DOCKER_COMMAND:-""}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
provisioner:
name: ansible
lint:
name: ansible-lint
playbooks:
converge: ${MOLECULE_PLAYBOOK:-playbook.yml}
scenario:
name: default
verifier:
name: testinfra
lint:
name: flake8

12
roles/geerlingguy.ansible/molecule/default/playbook-pip.yml Normal file
View File

@ -0,0 +1,12 @@
---
- name: Converge
hosts: all
become: true
vars:
ansible_install_method: pip
ansible_install_version_pip: "2.6.2"
roles:
- role: geerlingguy.pip
- role: geerlingguy.ansible

7
roles/geerlingguy.ansible/molecule/default/playbook.yml Normal file
View File

@ -0,0 +1,7 @@
---
- name: Converge
hosts: all
become: true
roles:
- role: geerlingguy.ansible

2
roles/geerlingguy.ansible/molecule/default/requirements.yml Normal file
View File

@ -0,0 +1,2 @@
---
- role: geerlingguy.pip

14
roles/geerlingguy.ansible/molecule/default/tests/test_default.py Normal file
View File

@ -0,0 +1,14 @@
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
def test_hosts_file(host):
f = host.file('/etc/hosts')
assert f.exists
assert f.user == 'root'
assert f.group == 'root'

6
roles/geerlingguy.ansible/molecule/default/yaml-lint.yml Normal file
View File

@ -0,0 +1,6 @@
---
extends: default
rules:
line-length:
max: 120
level: warning

27
roles/geerlingguy.ansible/tasks/main.yml Normal file
View File

@ -0,0 +1,27 @@
---
- name: Set the package state based on how Ansible is installed.
set_fact:
ansible_package_state: "{{ 'present' if ansible_install_method == 'package' else 'absent' }}"
# Setup/install tasks.
- name: Set up Ansible on RedHat.
include_tasks: setup-RedHat.yml
when:
- ansible_os_family == 'RedHat'
- ansible_distribution != 'Fedora'
- name: Set up Ansible on Fedora.
include_tasks: setup-Fedora.yml
when: ansible_distribution == 'Fedora'
- name: Set up Ansible on Ubuntu.
include_tasks: setup-Ubuntu.yml
when: ansible_distribution == 'Ubuntu'
- name: Set up Ansible on Debian.
include_tasks: setup-Debian.yml
when: ansible_distribution == 'Debian'
- name: Set up Ansible using Pip.
include_tasks: setup-pip.yml
when: ansible_install_method == 'pip'

23
roles/geerlingguy.ansible/tasks/setup-Debian.yml Normal file
View File

@ -0,0 +1,23 @@
---
- name: Enable Backports repository.
apt_repository:
repo: >-
deb http://ftp.debian.org/debian
{{ ansible_distribution_release }}-backports main'
state: present
filename: "{{ ansible_distribution_release }}_backports"
when: ansible_distribution_version | int < 9
- name: Update apt cache.
apt: update_cache=true cache_valid_time=86400
- name: Set the default_release option for older Debian versions.
set_fact:
ansible_default_release: "{{ ansible_distribution_release }}-backports"
when: ansible_distribution_version | int < 9
- name: Install Ansible.
apt:
name: ansible
state: "{{ ansible_package_state }}"
default_release: "{{ ansible_default_release }}"

5
roles/geerlingguy.ansible/tasks/setup-Fedora.yml Normal file
View File

@ -0,0 +1,5 @@
---
- name: Install Ansible.
package:
name: ansible
state: "{{ ansible_package_state }}"

6
roles/geerlingguy.ansible/tasks/setup-RedHat.yml Normal file
View File

@ -0,0 +1,6 @@
---
- name: Install Ansible.
yum:
name: ansible
state: "{{ ansible_package_state }}"
enablerepo: epel

11
roles/geerlingguy.ansible/tasks/setup-Ubuntu.yml Normal file
View File

@ -0,0 +1,11 @@
---
- name: Add ansible repository.
apt_repository: repo='ppa:ansible/ansible'
- name: Update apt cache.
apt: update_cache=true cache_valid_time=86400
- name: Install Ansible.
apt:
name: ansible
state: "{{ ansible_package_state }}"

5
roles/geerlingguy.ansible/tasks/setup-pip.yml Normal file
View File

@ -0,0 +1,5 @@
---
- name: Install Ansible via Pip.
pip:
name: ansible
version: "{{ ansible_install_version_pip | default(omit) }}"

3
roles/geerlingguy.pip/.gitignore vendored Normal file
View File

@ -0,0 +1,3 @@
*.retry
*/__pycache__
*.pyc

29
roles/geerlingguy.pip/.travis.yml Normal file
View File

@ -0,0 +1,29 @@
---
language: python
services: docker
env:
global:
- ROLE_NAME: pip
matrix:
- MOLECULE_DISTRO: centos7
- MOLECULE_DISTRO: fedora29
- MOLECULE_DISTRO: ubuntu1804
- MOLECULE_DISTRO: debian9
install:
# Install test dependencies.
- pip install molecule docker
before_script:
# Use actual Ansible Galaxy role name for the project directory.
- cd ../
- mv ansible-role-$ROLE_NAME geerlingguy.$ROLE_NAME
- cd geerlingguy.$ROLE_NAME
script:
# Run tests.
- molecule test
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

20
roles/geerlingguy.pip/LICENSE Normal file
View File

@ -0,0 +1,20 @@
The MIT License (MIT)
Copyright (c) 2017 Jeff Geerling
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

76
roles/geerlingguy.pip/README.md Normal file
View File

@ -0,0 +1,76 @@
# Ansible Role: Pip (for Python)
[![Build Status](https://travis-ci.org/geerlingguy/ansible-role-pip.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-pip)
An Ansible Role that installs [Pip](https://pip.pypa.io) on Linux.
## Requirements
On RedHat/CentOS, you may need to have EPEL installed before running this role. You can use the `geerlingguy.repo-epel` role if you need a simple way to ensure it's installed.
## Role Variables
Available variables are listed below, along with default values (see `defaults/main.yml`):
pip_package: python-pip
The name of the packge to install to get `pip` on the system. You can set to `python3-pip`, for example, when using Python 3 on Ubuntu.
pip_executable: pip
The role will try to autodetect the pip executable based on the `pip_package` (e.g. `pip` for Python 2 and `pip3` for Python 3). You can also override this explicitly, e.g. `pip_executable: pip3.6`.
pip_install_packages: []
A list of packages to install with pip. Examples below:
pip_install_packages:
# Specify names and versions.
- name: docker
version: "1.2.3"
- name: awscli
version: "1.11.91"
# Or specify bare packages to get the latest release.
- docker
- awscli
# Or uninstall a package.
- name: docker
state: absent
# Or update a package ot the latest version.
- name: docker
state: latest
# Or force a reinstall.
- name: docker
state: forcereinstall
# Or install a package in a particular virtualenv.
- name: docker
virtualenv: /my_app/venv
## Dependencies
None.
## Example Playbook
- hosts: all
vars:
pip_install_packages:
- name: docker
- name: awscli
roles:
- geerlingguy.pip
## License
MIT / BSD
## Author Information
This role was created in 2017 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).

6
roles/geerlingguy.pip/defaults/main.yml Normal file
View File

@ -0,0 +1,6 @@
---
# For Python 3, use python3-pip.
pip_package: python-pip
pip_executable: "{{ 'pip3' if pip_package.startswith('python3') else 'pip' }}"
pip_install_packages: []

2
roles/geerlingguy.pip/meta/.galaxy_install_info Normal file
View File

@ -0,0 +1,2 @@
install_date: Tue May 14 21:41:10 2019
version: 1.3.0

30
roles/geerlingguy.pip/meta/main.yml Normal file
View File

@ -0,0 +1,30 @@
---
dependencies: []
galaxy_info:
author: geerlingguy
description: Pip (Python package manager) for Linux.
issue_tracker_url: https://github.com/geerlingguy/ansible-role-pip/issues
company: "Midwestern Mac, LLC"
license: "license (BSD, MIT)"
min_ansible_version: 2.0
platforms:
- name: EL
versions:
- all
- name: Fedora
versions:
- all
- name: Debian
versions:
- all
- name: Ubuntu
versions:
- all
galaxy_tags:
- system
- server
- packaging
- python
- pip
- tools

29
roles/geerlingguy.pip/molecule/default/molecule.yml Normal file
View File

@ -0,0 +1,29 @@
---
dependency:
name: galaxy
driver:
name: docker
lint:
name: yamllint
options:
config-file: molecule/default/yaml-lint.yml
platforms:
- name: instance
image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
command: ${MOLECULE_DOCKER_COMMAND:-""}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
provisioner:
name: ansible
lint:
name: ansible-lint
playbooks:
converge: ${MOLECULE_PLAYBOOK:-playbook.yml}
scenario:
name: default
verifier:
name: testinfra
lint:
name: flake8

20
roles/geerlingguy.pip/molecule/default/playbook.yml Normal file
View File

@ -0,0 +1,20 @@
---
- name: Converge
hosts: all
become: true
vars:
pip_install_packages:
# Test installing a specific version of a package.
- name: ipaddress
version: "1.0.18"
# Test installing a package by name.
- colorama
pre_tasks:
- name: Update apt cache.
apt: update_cache=true cache_valid_time=600
when: ansible_os_family == 'Debian'
roles:
- role: geerlingguy.pip

14
roles/geerlingguy.pip/molecule/default/tests/test_default.py Normal file
View File

@ -0,0 +1,14 @@
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
def test_hosts_file(host):
f = host.file('/etc/hosts')
assert f.exists
assert f.user == 'root'
assert f.group == 'root'

6
roles/geerlingguy.pip/molecule/default/yaml-lint.yml Normal file
View File

@ -0,0 +1,6 @@
---
extends: default
rules:
line-length:
max: 120
level: warning

14
roles/geerlingguy.pip/tasks/main.yml Normal file
View File

@ -0,0 +1,14 @@
---
- name: Ensure Pip is installed.
package:
name: "{{ pip_package }}"
state: present
- name: Ensure pip_install_packages are installed.
pip:
name: "{{ item.name | default(item) }}"
version: "{{ item.version | default(omit) }}"
virtualenv: "{{ item.virtualenv | default(omit) }}"
state: "{{ item.state | default(omit) }}"
executable: "{{ pip_executable }}"
with_items: "{{ pip_install_packages }}"

28
templates/hosts.yml Normal file
View File

@ -0,0 +1,28 @@
---
all:
hosts:
dmi-dev01:
children:
linux:
hosts:
172.20.0.142:
vars:
ansible_user: ansible
ansible_connection: ssh
ansible_password:
ansible_become_method: sudo
ansible_become_pass:
ansible_python_interpreter: /usr/bin/python3
windows:
hosts:
dev01:
vars:
ansible_user: ansible
ansible_password:
ansible_connection: winrm
ansible_port: 5985
ansible_winrm_scheme: http
ansible_winrm_transport: ntlm
ansible_winrm_server_cert_validation: ignore