From f65b31fd87132abfaa2fa13612ce93454b6b93fc Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Sat, 13 Apr 2019 11:41:57 +0200
Subject: [PATCH] Initial ansible

---
 .gitignore | 1 +
 .gitlab-ci.yml | 18 +++++++++++++++++
 .yamllint.yml | 7 +++++++
 README.md | 55 +++++++++++++++++++++++++++++++++++++++++++++++++-
 ansible.cfg | 29 ++++++++++++++++++++++++++
 hosts | 38 ++++++++++++++++++++++++++++++++++
 6 files changed, 147 insertions(+), 1 deletion(-)
 create mode 100644 .gitignore
 create mode 100644 .gitlab-ci.yml
 create mode 100644 .yamllint.yml
 create mode 100644 ansible.cfg
 create mode 100644 hosts

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..a8b42eb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+*.retry
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 00000000..e11bdbfe
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,18 @@
+---
+image: python:3.6
+
+stages:
+  - lint
+
+yamllint:
+  stage: lint
+  script:
+    - pip install yamllint==1.15.0
+    - yamllint -c .yamllint.yml .
+
+ansible-lint:
+  stage: lint
+  script:
+    - pip install ansible-lint==4.0.0
+    - ansible-lint *.yml
+...
diff --git a/.yamllint.yml b/.yamllint.yml
new file mode 100644
index 00000000..bcc5101e
--- /dev/null
+++ b/.yamllint.yml
@@ -0,0 +1,7 @@
+---
+extends: default
+
+rules:
+  line-length:
+    level: warning
+...
diff --git a/README.md b/README.md
index 9536b4ce..f325bfea 100644
--- a/README.md
+++ b/README.md
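Review bot: The ansible-lint job pins ansible-lint but not Ansible itself, so `pip install ansible-lint==4.0.0` pulls whatever Ansible release PyPI serves on the day the pipeline runs, and lint results can change with no commit in this repository. The README in this same patch targets Ansible 2.7, so pin that line next to the linter: `- pip install 'ansible==2.7.*' ansible-lint==4.0.0`. Also, this commit adds no top-level `*.yml` playbook (only dotfiles, which the shell glob does not match), so `ansible-lint *.yml` will most likely receive the literal argument `*.yml` and fail until `base.yml` exists; confirm on the first pipeline run, or list the playbooks explicitly once they are committed.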
@@ -1,3 +1,56 @@
 # Ansible
 
-Ensemble des recettes de déploiement Ansible pour les serveurs du Crans.
\ No newline at end of file
+Ensemble des recettes de déploiement Ansible pour les serveurs du Crans.
+
+Ces politiques de déployement nécessite Ansible 2.7 ou plus récent.
+Le paquet dans Debian Buster est suffisamment à jour, sinon vous pouvez l'obtenir de la façon suivante :
+
+```bash
+pip3 install --user ansible
+```
+
+## Exécution d'un playbook
+
+Pour appliquer le playbook `base.yml` :
+```bash
+ansible-playbook --ask-vault-pass base.yml
+```
+
+Il est souhaitable de faire un test avant avec `--check` si on a des doutes !
+
+## FAQ
+
+### Mettre sa clé SSH sur une machine
+
+```
+ssh-copy-id -i ~/.ssh/id_rsa_crans.pub zamok.crans.org
+```
+
+### Automatiquement ajouter fingerprint ECDSA (dangereux !)
+
+Il faut changer la variable d'environnement suivante :
+`ANSIBLE_HOST_KEY_CHECKING=0`.
+
+### Configurer la connexion au bastion
+
+Envoyer son agent SSH peut être dangereux ([source](https://heipei.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/)).
+
+On va utiliser plutôt ProxyJump.
+Dans la configuration SSH :
+
+```
+# Use a key to log on all Aurore servers
+# and use a bastion
+Host 10.231.136.* *.adm.crans.org
+  IdentityFile ~/.ssh/id_rsa_crans
+  ProxyJump passerelle.crans.org
+```
+
+Il faut savoir que depuis Ansible 2.5, des connexions persistantes sont créées
+vers les serveurs puis détruites à la fin de l'exécution.
+
+### Lister tout ce que sait Ansible sur un hôte
+
+```
+ansible -i hosts zamok.crans.org -m setup --ask-vault-pass
+```
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 00000000..13173ce9
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,29 @@
+# Aurore Crans configuration
+
+[defaults]
+
+# Use Aurore inventory
+inventory = ./hosts
+
+# Custom header in templates
+ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
+
+# Do not use cows (with cowsay)
+nocows = 1
+
+# Do more parallelism
+forks = 15
+
+[privilege_escalation]
+
+# Use sudo to get priviledge access
+become = True
+
+# Ask for password
+become_ask_pass = True
+
+[diff]
+
+# TO know what changed
+always = yes
+
diff --git a/hosts b/hosts
new file mode 100644
index 00000000..c5ed16c1
--- /dev/null
+++ b/hosts
@@ -0,0 +1,38 @@
+# Crans servers inventory
+
+# How to name your server ?
+# > We name servers according to location, then type.
+# > So all containers at OVH are in ovh-container.
+# > Then we regroup everything in global geographic and type groups.
+
+[crans-pve]
+
+[crans-container]
+
+[crans-vm]
+
+[ovh-server]
+
+
+# everything at crans
+[crans:children]
+crans-pve
+crans-container
+crans-vm
+
+# everything at ovh
+[ovh:children]
+ovh-server
+
+# every LXC container
+[container:children]
+crans-container
+
+# every virtual machine
+[vm:children]
+crans-vm
+
+# every PVE
+[pve:children]
+crans-pve
+
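Review bot: `ansible_managed` embeds `%Y-%m-%d %H:%M:%S`, which Ansible expands at render time, so every file produced by the `template` module differs from the previous run; combined with `[diff] always = yes` in this same hunk, each run will report and rewrite every template as changed, and real configuration drift gets buried in that noise. Drop the timestamp and keep only the stable fields: `ansible_managed = Ansible managed: {file} by {uid} on {host}`. Two comment typos while here: `# Use sudo to get privilege access` and `# To know what changed`.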
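Review bot: The naming rule in the header comment says containers at OVH go in `ovh-container`, but the only OVH group this file defines is `[ovh-server]`, and `[container:children]` lists `crans-container` alone, so an OVH container would have no group to land in and would not inherit `container` group variables. Either add the group and wire it in (`[ovh-container]`, then list it under both `[ovh:children]` and `[container:children]`) or change the comment's example to a group that exists. Every group is empty in this commit, so nothing is broken yet; the mismatch only bites once hosts are added.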