diff options
| -rw-r--r-- | inventory.yaml | 8 | ||||
| -rw-r--r-- | playbook.yml | 28 | ||||
| -rw-r--r-- | roles/common/tasks/main.yml | 8 | ||||
| -rw-r--r-- | roles/jumpcloud/tasks/main.yml | 6 | ||||
| -rw-r--r-- | roles/podman/tasks/main.yml | 7 | ||||
| -rw-r--r-- | roles/postgres/tasks/main.yml | 8 | ||||
| -rw-r--r-- | roles/ufw/tasks/main.yml | 10 | ||||
| -rw-r--r-- | roles/wireguard/tasks/main.yml | 16 |
8 files changed, 71 insertions, 20 deletions
diff --git a/inventory.yaml b/inventory.yaml index 03b2af7..6e2f382 100644 --- a/inventory.yaml +++ b/inventory.yaml @@ -15,5 +15,13 @@ all: neumann: ansible_host: neumann.box.pydis.wtf wireguard_subnet: 10.5.0.0/16 + + children: + podman: + hosts: + turing: + lovelace: + hopper: + ritchie: vars: wireguard_port: 46850 diff --git a/playbook.yml b/playbook.yml index c7de2b9..784f023 100644 --- a/playbook.yml +++ b/playbook.yml @@ -1,29 +1,17 @@ -- hosts: all +- name: Deploy common services + hosts: all roles: - common - tags: - - common - -- hosts: all - roles: - jumpcloud - tags: - - jumpcloud - -- hosts: all - roles: - - ufw - tags: - ufw + - wireguard -- hosts: all +- name: Deploy podman to container service hosts + hosts: podman roles: - - wireguard - tags: - - wireguard + - podman -- hosts: lovelace +- name: Deploy our PostgreSQL database hosts + hosts: lovelace roles: - postgres - tags: - - postgres diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 827e5e7..b3f375b 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -1,6 +1,8 @@ - name: Update hostname to match Ansible inventory hostname: name: "{{ inventory_hostname }}" + tags: + - role::common - name: Update /etc/hosts to match Ansible inventory template: @@ -9,6 +11,8 @@ mode: '0644' owner: root group: root + tags: + - role::common - name: Disable SSH password authentication lineinfile: @@ -18,6 +22,8 @@ state: present notify: - restart ssh + tags: + - role::common - name: Set timezone to UTC file: @@ -28,3 +34,5 @@ group: root notify: - restart systemd-timesyncd + tags: + - role::common diff --git a/roles/jumpcloud/tasks/main.yml b/roles/jumpcloud/tasks/main.yml index 6dda981..6630f53 100644 --- a/roles/jumpcloud/tasks/main.yml +++ b/roles/jumpcloud/tasks/main.yml @@ -1,5 +1,7 @@ - name: Fetch service facts service_facts: + tags: + - role::jumpcloud - name: Check if JumpCloud service is installed set_fact: @@ -13,9 +15,13 @@ return_content: true register: jc_install_script when: not jumpcloud_installed + tags: + - role::jumpcloud - name: Execute JumpCloud install script command: sh -s -- -y args: stdin: "{{ jc_install_script.content }}" when: not jumpcloud_installed + tags: + - role::jumpcloud diff --git a/roles/podman/tasks/main.yml b/roles/podman/tasks/main.yml new file mode 100644 index 0000000..e0cdb09 --- /dev/null +++ b/roles/podman/tasks/main.yml @@ -0,0 +1,7 @@ +--- +- name: install podman + package: + name: podman + state: present + tags: + - role::podman diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml index f947d2e..01638af 100644 --- a/roles/postgres/tasks/main.yml +++ b/roles/postgres/tasks/main.yml @@ -6,21 +6,29 @@ - postgresql-contrib-{{ postgresql_version }} - libpq-dev state: present + tags: + - role::postgres - name: Check postgres is started and enabled on boot. service: name: '{{ postgresql_daemon }}' state: started enabled: true + tags: + - role::postgres - name: Add postgres users. community.postgresql.postgresql_user: "{{ item }}" with_items: "{{ postgresql_users }}" become: true become_user: "{{ postgresql_user }}" + tags: + - role::postgres - name: Add postgres databases. community.postgresql.postgresql_db: "{{ item }}" with_items: "{{ postgresql_databases }}" become: true become_user: "{{ postgresql_user }}" + tags: + - role::postgres diff --git a/roles/ufw/tasks/main.yml b/roles/ufw/tasks/main.yml index ae6093b..1204060 100644 --- a/roles/ufw/tasks/main.yml +++ b/roles/ufw/tasks/main.yml @@ -4,16 +4,22 @@ cache_valid_time: 3600 pkg: - ufw + tags: + - role::ufw - name: Allow OpenSSH community.general.ufw: rule: allow name: OpenSSH + tags: + - role::ufw - name: Enable UFW and deny all traffic by default community.general.ufw: state: enabled policy: deny + tags: + - role::ufw - name: Allow WireGuard community.general.ufw: @@ -21,7 +27,11 @@ proto: udp port: "{{ wireguard_port }}" comment: "Allow WireGuard" + tags: + - role::ufw - name: Apply service-specific rules community.general.ufw: "{{ item }}" with_items: "{{ rules }}" + tags: + - role::ufw diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml index f8495cd..46ff3e9 100644 --- a/roles/wireguard/tasks/main.yml +++ b/roles/wireguard/tasks/main.yml @@ -6,18 +6,24 @@ - wireguard - wireguard-tools - linux-headers-{{ ansible_kernel }} + tags: + - role::wireguard - name: Generate WireGuard private key shell: set -o pipefail && wg genkey > /etc/wireguard/key.priv args: executable: /bin/bash creates: /etc/wireguard/key.priv + tags: + - role::wireguard - name: Generate WireGuard public key shell: set -o pipefail && cat /etc/wireguard/key.priv | wg pubkey > /etc/wireguard/key.pub args: executable: /bin/bash creates: /etc/wireguard/key.pub + tags: + - role::wireguard - name: Ensure file permissions for keys set correctly file: @@ -28,16 +34,22 @@ with_items: - /etc/wireguard/key.priv - /etc/wireguard/key.pub + tags: + - role::wireguard - name: Fetch private key for all hosts slurp: src: /etc/wireguard/key.priv register: wg_priv_key + tags: + - role::wireguard - name: Fetch public key for all hosts slurp: src: /etc/wireguard/key.pub register: wg_pub_key + tags: + - role::wireguard - name: Generate WireGuard configuration file template: @@ -48,9 +60,13 @@ owner: root notify: - reload wg-quick + tags: + - role::wireguard - name: Start and enable the WireGuard service service: name: wg-quick@wg0 enabled: true state: started + tags: + - role::wireguard |