

3 Commits

5 changed files with 51 additions and 42 deletions

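--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 *.swp
 .cache
+private.pem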


@ -17,6 +17,10 @@ before_script:
- touch /vaultpw - touch /vaultpw
- chmod 0600 /vaultpw - chmod 0600 /vaultpw
- echo "$ANSIBLE_VAULT_PASSWORD" > /vaultpw - echo "$ANSIBLE_VAULT_PASSWORD" > /vaultpw
# Dump the Netbox key
- touch private.pem
- chmod 0600 private.pem
- echo "$NETBOX_USER_KEY" > private.pem
# Fix perms on the playbook root # Fix perms on the playbook root
- chmod -R 0750 . - chmod -R 0750 .
# Join the Zerotier management network # Join the Zerotier management network
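Review bot: The `chmod -R 0750 .` two lines below the new block re-applies 0750 to `private.pem` as well, because the key is written into the playbook root, so the `chmod 0600 private.pem` is undone and the Netbox private key ends up group-readable (and executable) on the runner. Either move the three new lines below the recursive chmod, or write the key outside the tree the way `/vaultpw` already is and point the lookup's `key_file` at that path. The `touch`/`chmod`/`echo` sequence also leaves a short window in which the file exists with the default umask; `- (umask 077 && echo "$NETBOX_USER_KEY" > private.pem)` creates it with the right mode from the start. The `before_script` list continues outside the hunk.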


@ -64,13 +64,14 @@ apache_ssl_protocol: all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
##RESERVED ##RESERVED
# For gulagbot # For gulagbot
secret_gulagbot_db_pass: !vault | secret_gulagbot_db_pass: "{{ query('netbox.netbox.nb_lookup', 'secrets', api_filter='name=secret_gulagbot_db_pass', api_endpoint='https://netbox.desu.ltd', token=netbox_token, key_file='private.pem')[0].value.plaintext }}"
$ANSIBLE_VAULT;1.1;AES256 #secret_gulagbot_db_pass: !vault |
63386534643137613234643962663831353461356464363732613030626364366661626134643837 # $ANSIBLE_VAULT;1.1;AES256
6466653931366539656662323330333363633732613061360a306565643932613635353435663039 # 63386534643137613234643962663831353461356464363732613030626364366661626134643837
61386334626437323934366634343162643932393834313235356664623537636162376464613061 # 6466653931366539656662323330333363633732613061360a306565643932613635353435663039
3966393761626133320a646465376235346239333036326530363538306238626438653232623632 # 61386334626437323934366634343162643932393834313235356664623537636162376464613061
37616561326538636534393533613037336665333865613735646532656163373233 # 3966393761626133320a646465376235346239333036326530363538306238626438653232623632
# 37616561326538636534393533613037336665333865613735646532656163373233
secret_gulagbot_discord_token: !vault | secret_gulagbot_discord_token: !vault |
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
37613664393766353738353139323365346639393538653834643633613564646537616532316336 37613664393766353738353139323365346639393538653834643633613564646537616532316336
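Review bot: The new `secret_gulagbot_db_pass` value indexes `[0]` on the query result with no guard, so if nothing in Netbox matches `name=secret_gulagbot_db_pass` (or the token cannot read it) the play fails with an opaque Jinja index error at the first reference to the variable instead of a message naming the missing secret; `| mandatory` on the query, or an explicit `assert` task before the role runs, would surface that clearly. `key_file='private.pem'` is resolved against the process working directory, which matches the CI `before_script` that writes the file there but breaks any run started from another directory; `key_file=playbook_dir ~ '/private.pem'` pins it to the playbook root. `netbox_token` is not defined in this hunk, so I assume it lives in another (vaulted) vars file. The superseded vault blob kept as comments is dead content; if it is retained for rollback it deserves a one-line comment saying so, otherwise it should be dropped.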

playbooks/all.yml Executable file

@ -0,0 +1,37 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
# Preambulatory system configuration
- hosts: all
tasks:
- name: collect service facts
service_facts:
tags: [ always ]
roles:
- role: common
tags: [ common ]
- role: adminuser
tags: [ adminuser, common ]
- role: docker
tags: [ docker, common, skip-pull ]
- role: motd
vars:
motd_watch_services_extra:
- docker
- kubelet
- postgresql
tags: [ motd, common ]
- role: sshd
vars:
sshd:
AcceptEnv: "LANG LC_*"
ChallengeResponseAuthentication: no
Compression: yes
PasswordAuthentication: no
PermitRootLogin: no
PrintMotd: no
PubkeyAuthentication: yes
Subsystem: "sftp /usr/lib/openssh/sftp-server"
UsePAM: yes
X11Forwarding: no
tags: [ sshd, common ]
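Review bot: The `motd_watch_services_extra` list in this new file drops `apache2` and `php7.4-fpm`, which the block removed from `site.yml` in the same commit still carried, so the move is not a pure relocation; if dropping those two is intended it is worth a line in the commit message or a comment above the list, since a reader comparing the two hunks will otherwise read it as an accidental loss. Separately, the sshd values `no`/`yes` are YAML 1.1 booleans and reach the `sshd` role as `false`/`true`; whether the role's template renders them back as `no`/`yes` for sshd_config is not visible here, and quoting them (`PasswordAuthentication: "no"`) removes that dependency.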


@ -2,41 +2,7 @@
# vim:ft=ansible: # vim:ft=ansible:
--- ---
# Preambulatory system configuration # Preambulatory system configuration
- hosts: all - import_playbook: playbooks/all.yml
tasks:
- name: collect service facts
service_facts:
tags: [ always ]
roles:
- role: common
tags: [ common ]
- role: adminuser
tags: [ adminuser, common ]
- role: docker
tags: [ docker, common, skip-pull ]
- role: motd
vars:
motd_watch_services_extra:
- apache2
- docker
- kubelet
- php7.4-fpm
- postgresql
tags: [ motd, common ]
- role: sshd
vars:
sshd:
AcceptEnv: "LANG LC_*"
ChallengeResponseAuthentication: no
Compression: yes
PasswordAuthentication: no
PermitRootLogin: no
PrintMotd: no
PubkeyAuthentication: yes
Subsystem: "sftp /usr/lib/openssh/sftp-server"
UsePAM: yes
X11Forwarding: no
tags: [ sshd, common ]
# Manufacturer configuration # Manufacturer configuration
- import_playbook: playbooks/manufacturers_raspi.yml - import_playbook: playbooks/manufacturers_raspi.yml
- import_playbook: playbooks/manufacturers_s76.yml - import_playbook: playbooks/manufacturers_s76.yml