From c26a0e2d21596e60654c43627e452463d388cebd Mon Sep 17 00:00:00 2001 From: richard Date: Mon, 12 Dec 2016 07:23:37 -0500 Subject: [PATCH] update requirements.yml and ansible.config start home.xai-corp.net and home02.xai-corp.net playbooks --- .idea/inspectionProfiles/Project_Default.xml | 58 +++++++++++++ .../inspectionProfiles/profiles_settings.xml | 7 ++ .idea/vcs.xml | 6 ++ .idea/webServers.xml | 21 +++++ ansible.cfg | 6 ++ ansible_user.yml | 33 +++++++ home.xai-corp.net.yml | 31 +++++-- home02.xai-corp.net.yml | 37 ++++++++ requirements.yml | 15 ++++ roles/kubernetes-vagrant/defaults/main.yml | 10 +++ roles/kubernetes-vagrant/tasks/main.yml | 75 ++++++++++++++++ roles/ns.xai-corp.net/defaults/main.yml | 3 + roles/ns.xai-corp.net/handlers/main.yml | 2 +- roles/ns.xai-corp.net/tasks/main.yml | 31 +++++-- .../templates/named.conf.default-zones.j2 | 30 +++++++ .../templates/named.conf.local.j2 | 85 +++++++++++++++++++ .../templates/named.conf.options.j2 | 81 ++++++++++++++++++ .../templates/xai-corp.net.internal.j2 | 6 +- roles/td-agent-bit/handlers/main.yml | 6 ++ roles/td-agent-bit/tasks/main.yml | 24 ++++++ 20 files changed, 549 insertions(+), 18 deletions(-) create mode 100644 .idea/inspectionProfiles/Project_Default.xml create mode 100644 .idea/inspectionProfiles/profiles_settings.xml create mode 100644 .idea/vcs.xml create mode 100644 .idea/webServers.xml create mode 100644 ansible.cfg create mode 100644 ansible_user.yml create mode 100644 home02.xai-corp.net.yml create mode 100644 requirements.yml create mode 100644 roles/kubernetes-vagrant/defaults/main.yml create mode 100644 roles/kubernetes-vagrant/tasks/main.yml create mode 100644 roles/ns.xai-corp.net/templates/named.conf.default-zones.j2 create mode 100644 roles/ns.xai-corp.net/templates/named.conf.local.j2 create mode 100644 roles/ns.xai-corp.net/templates/named.conf.options.j2 create mode 100644 roles/td-agent-bit/handlers/main.yml create mode 100644 roles/td-agent-bit/tasks/main.yml 
diff --git a/.idea/inspectionProfiles/Project_Default.xml b/.idea/inspectionProfiles/Project_Default.xml
new file mode 100644
index 0000000..06e7eb4
--- /dev/null
+++ b/.idea/inspectionProfiles/Project_Default.xml
@@ -0,0 +1,58 @@
+ + + +
\ No newline at end of file
diff --git a/.idea/inspectionProfiles/profiles_settings.xml b/.idea/inspectionProfiles/profiles_settings.xml
new file mode 100644
index 0000000..3b31283
--- /dev/null
+++ b/.idea/inspectionProfiles/profiles_settings.xml
@@ -0,0 +1,7 @@
+ + + +
\ No newline at end of file
diff --git a/.idea/vcs.xml b/.idea/vcs.xml
new file mode 100644
index 0000000..94a25f7
--- /dev/null
+++ b/.idea/vcs.xml
@@ -0,0 +1,6 @@
+ + + + + +
\ No newline at end of file
diff --git a/.idea/webServers.xml b/.idea/webServers.xml
new file mode 100644
index 0000000..98008e8
--- /dev/null
+++ b/.idea/webServers.xml
@@ -0,0 +1,21 @@
+ + + + + +
\ No newline at end of file
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..ccfc432
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,6 @@
+# local ansible config file
+
+[defaults]
+
+ask-become = True
+roles_path = ./roles:./roles/vendor
diff --git a/ansible_user.yml b/ansible_user.yml
new file mode 100644
index 0000000..2afd2c2
--- /dev/null
+++ b/ansible_user.yml
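Review bot: `ask-become = True` under `[defaults]` is not a setting Ansible reads, so it is silently ignored and the playbooks will still need `-K` on the command line; the option that prompts for the become password is `become_ask_pass = True` in a `[privilege_escalation]` section. `roles_path = ./roles:./roles/vendor` is fine and matches the `path: roles/vendor/` entries in the new requirements.yml. The four `.idea/` files in the hunks above are IDE state and would normally be excluded via `.gitignore` rather than committed.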
@@ -0,0 +1,33 @@
+# playbook for home02
+
+
+- hosts: managed
+# remote_user: anansibsible
+ gather_facts: yes
+ become: true
+
+ vars:
+ - users:
+ - name: "ansible"
+ state: present
+ shell: /bin/bash
+ createhome: yes
+ password: "$6$7z7PfYwduXom0o73$DEiy3K15URNNjmKkOQIwx8/mFKArUNYkFn8D/4q6t/eP9hf1X9jnG4YuSjI7q1Dnp1HwukZUxZY7cF2JK5DO/."
+ ssh_keys:
+ - ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAmJSdmj03d4fnZUuRByevPDNiReEk1fRL+7F9WPCo5zn+r5Oj84HXxd4P03DNXeGSBYmUAnsTqYEGdkjkpSrKfMm9bv8amL7hUC+Mzb+wOmXmyX1cw/SearYCBQRCz1s5p7I9+PO7XWaC0VJ99LUm1Bp4JM149U5X0Y3M2j2XV+0= RSA-1024
+ uid: "1001"
+ groups:
+ - sudo
+ - users_groups:
+
+ roles:
+ - novuso.users
+
+ tasks:
+ - name: add ansible to sudoers
+ lineinfile:
+ dest: /etc/sudoers
+ state: present
+ regexp: '^ansible ALL='
+ line: 'ansible ALL=(ALL) NOPASSWD: ALL'
+ validate: 'visudo -cf %s'
diff --git a/home.xai-corp.net.yml b/home.xai-corp.net.yml
index d6523d2..0d547e9 100644
--- a/home.xai-corp.net.yml
+++ b/home.xai-corp.net.yml
@@ -1,11 +1,32 @@
---
- # playbook to install django test on home.xai-corp.net
+ # playbook to install tools on home.xai-corp.net
- hosts: home
- remote_user: anansibsible
- gather_facts: no
+ remote_user: ansible
+ gather_facts: true
become: true
+ vars:
+ datadog_api_key: ca0faf176c4aedd4f547ed7cf85615eb
+ datadog_checks:
+ system:
+ init_config: []
+ instances: []
+ disk:
+ init_config:
+ instances:
+ - use_mount: yes
+ excluded_filesystems:
+ - sysfs
+ - cgroup
+ - tracefs
+ - debugfs
+ - proc
+ - securityfs
+ excluded_mountpoint_re: /[media/richard|run/user].*
+
+
roles:
- - home.xai-corp.net
- - ns.xai-corp.net
+ - Datadog.datadog
+
+ post_tasks:
diff --git a/home02.xai-corp.net.yml b/home02.xai-corp.net.yml
new file mode 100644
index 0000000..64ee8eb
--- /dev/null
+++ b/home02.xai-corp.net.yml
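Review bot: The `password:` line commits a crypt(3) hash for the `ansible` account, and the `add ansible to sudoers` task in the same hunk grants that account `NOPASSWD: ALL`, so the repository now holds the only credential standing between a reader and root on every `managed` host. Move the hash (and ideally the key list) into an `ansible-vault` encrypted vars file, rotate the password now that it has been committed, and consider dropping `NOPASSWD` since `become_ask_pass` can supply it; the key comment `RSA-1024` also suggests a 1024-bit key, which is below the 2048-bit floor most policies require. Separately, `users_groups:` with no value is YAML `null`, not an empty list; write `users_groups: []` if the role iterates over it. The commented `# remote_user: anansibsible` line and the `vars:` written as a list of one-key mappings rather than a plain mapping both look like leftovers.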
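Review bot: `datadog_api_key: ca0faf176c4aedd4f547ed7cf85615eb` is an API key committed in plain text (the identical value is repeated in the new home02.xai-corp.net.yml); it should be revoked and re-issued, then supplied from an `ansible-vault` encrypted file or a lookup rather than written into the playbook. On the same hunk, `excluded_mountpoint_re: /[media/richard|run/user].*` uses a character class, which matches a single character from the set rather than either path, so it effectively excludes any mount point whose path has `/` followed by one of those letters (`/home`, `/dev`, ...); the alternation needs a group, `excluded_mountpoint_re: '/(media/richard|run/user).*'`. `use_mount: yes` would read better as `use_mount: true`. All three points apply unchanged to the home02.xai-corp.net.yml hunk that follows.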
@@ -0,0 +1,37 @@
+---
+# playbook for home02
+
+
+- hosts: home2
+ remote_user: ansible
+ gather_facts: yes
+ become: true
+
+ vars:
+ datadog_api_key: ca0faf176c4aedd4f547ed7cf85615eb
+ datadog_checks:
+ system:
+ init_config: []
+ instances: []
+ disk:
+ init_config:
+ instances:
+ - use_mount: yes
+ excluded_filesystems:
+ - sysfs
+ - cgroup
+ - tracefs
+ - debugfs
+ - proc
+ - securityfs
+ excluded_mountpoint_re: /[media/richard|run/user].*
+
+
+ roles:
+ - Datadog.datadog
+ - ns.xai-corp.net
+ - td-agent-bit
+
+ post_tasks:
+# - name: check service is up
+# service: name={{ bind.service }} state=started
diff --git a/requirements.yml b/requirements.yml
new file mode 100644
index 0000000..8a6ee14
--- /dev/null
+++ b/requirements.yml
@@ -0,0 +1,15 @@
+---
+# import required roles
+
+- src: jmcvetta.debian-upgrade-reboot
+ path: roles/vendor/
+
+- src: novuso.users
+ path: roles/vendor/
+
+- src: Datadog.datadog
+ path: roles/vendor/
+
+- src: resmo.bind
+ path: roles/vendor/
+
diff --git a/roles/kubernetes-vagrant/defaults/main.yml b/roles/kubernetes-vagrant/defaults/main.yml
new file mode 100644
index 0000000..416bdf7
--- /dev/null
+++ b/roles/kubernetes-vagrant/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+#default values
+
+vagrant_installer_url: https://releases.hashicorp.com/vagrant/1.8.6/vagrant_1.8.6_x86_64.deb
+vagrant_installer_path: /tmp/vagrant_installer.deb
+
+kubernetes_kubectl_url: https://storage.googleapis.com/kubernetes-release/release/v1.4.3/bin/linux/amd64/kubectl
+kubernetes_kubectl_path: /usr/local/bin/kubectl
+
+kubernates_vagrant_config_path: /opt/home.xai-corp.net/coreos-kubernetes/multi-node/vagrant
diff --git a/roles/kubernetes-vagrant/tasks/main.yml b/roles/kubernetes-vagrant/tasks/main.yml
new file mode 100644
index 0000000..80a4d73
--- /dev/null
+++ b/roles/kubernetes-vagrant/tasks/main.yml
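Review bot: None of the four entries in requirements.yml pins a `version:`, so every `ansible-galaxy install -r requirements.yml` pulls whatever the Galaxy author has published most recently, and a changed or compromised upstream role lands on the hosts unreviewed while running under `become: true`. Pin each entry to a released tag, e.g. `version: "<release-tag>"` under the `src:` line, and bump deliberately. Neither `jmcvetta.debian-upgrade-reboot` nor `resmo.bind` is referenced by a playbook in this patch; they may be used elsewhere, but if not they are dead weight on every install.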
@@ -0,0 +1,75 @@
+---
+# main tasks for kubernetes role
+
+# install required system packages
+- name: install system packages
+ apt:
+ state: present
+ name: "{{item}}"
+ update_cache: yes
+ with_items:
+ - git
+ - virtualbox
+
+# install vagrant
+- stat: path=/usr/bin/vagrant
+ register: vagrant_exe
+
+- name: download vagrant package
+ get_url:
+ dest: "{{ vagrant_installer_path }}"
+ url: "{{ vagrant_installer_url }}"
+ when: vagrant_exe.stat.exists == False
+
+- name: install vagrant deb from download
+ apt:
+ deb: "{{ vagrant_installer_path }}"
+ when: vagrant_exe.stat.exists == False
+
+- name: remove vagrant installer
+ file:
+ state: absent
+ path: "{{ vagrant_installer_path }}"
+
+
+# install kubectl
+- stat: path="{{kubernetes_kubectl_path}}"
+ register: kubectl_exe
+
+- name: download kubectl
+ get_url:
+ url: "{{ kubernetes_kubectl_url }}"
+ dest: "{{kubernetes_kubectl_path}}"
+ mode: 0755
+ when: kubectl_exe.stat.exists == False
+
+# get vagrant file from git
+- name: fetch vagrantfile
+ git:
+ repo: https://github.com/coreos/coreos-kubernetes.git
+ dest: /opt/home.xai-corp.net/coreos-kubernetes
+
+- stat: path="{{kubernates_vagrant_config_path}}/config.rb"
+ register: k8s_config
+
+- name: create k8s config
+ command: cp {{kubernates_vagrant_config_path}}/config.rb.sample {{kubernates_vagrant_config_path}}/config.rb
+
+# update vagrant box
+- name: update vagrant box
+ command: vagrant box update
+ args:
+ chdir: "{{kubernates_vagrant_config_path}}"
+
+- name: vagrant up
+ command: vagrant up
+ args:
+ chdir: "{{kubernates_vagrant_config_path}}"
+
+- name: configure kubectl
+ command: "{{ item }}"
+ with_items:
+ - kubectl config set-cluster vagrant-multi-cluster --server=https://172.17.4.99:443 --certificate-authority=${PWD}/ssl/ca.pem
+ - kubectl config set-credentials vagrant-multi-admin --certificate-authority=${PWD}/ssl/ca.pem --client-key=${PWD}/ssl/admin-key.pem --client-certificate=${PWD}/ssl/admin.pem
+ - kubectl config set-context vagrant-multi --cluster=vagrant-multi-cluster --user=vagrant-multi-admin
+ - kubectl config use-context vagrant-multi
diff --git a/roles/ns.xai-corp.net/defaults/main.yml b/roles/ns.xai-corp.net/defaults/main.yml
index 734b43e..9a4f947 100644
--- a/roles/ns.xai-corp.net/defaults/main.yml
+++ b/roles/ns.xai-corp.net/defaults/main.yml
@@ -3,6 +3,9 @@
# define default variable values here
bind:
+ user: root
+ group: bind
+ service: bind9
zonefiles:
- xai-corp.net.internal
- localhost.zone
diff --git a/roles/ns.xai-corp.net/handlers/main.yml b/roles/ns.xai-corp.net/handlers/main.yml
index f8b2e0e..486d3af 100644
--- a/roles/ns.xai-corp.net/handlers/main.yml
+++ b/roles/ns.xai-corp.net/handlers/main.yml
@@ -9,4 +9,4 @@
# service: name= state=stopped
- name: restart bind
- service: name=named state=restarted
\ No newline at end of file
+ service: name={{ bind.service }} state=restarted
diff --git a/roles/ns.xai-corp.net/tasks/main.yml b/roles/ns.xai-corp.net/tasks/main.yml
index 2e07bbe..f48c394 100644
--- a/roles/ns.xai-corp.net/tasks/main.yml
+++ b/roles/ns.xai-corp.net/tasks/main.yml
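Review bot: The `configure kubectl` task passes `${PWD}/ssl/ca.pem` and the admin key/cert paths through the `command` module, which does not run a shell, so `${PWD}` is never expanded and kubectl records the literal string; the task also sets no `chdir`, so even under a shell it would resolve to the wrong directory. Use the role variable for the path and add `args: chdir:` as the two vagrant tasks above already do (rewrite below). Two more points in the same hunk: `k8s_config` is registered by the `stat` task but never read, so `create k8s config` overwrites config.rb on every run (`when: not k8s_config.stat.exists` is missing), and neither `get_url` carries a `checksum:` nor is the `git:` clone pinned with `version:`, so the vagrant .deb, kubectl binary and Vagrantfile the role installs are whatever those URLs serve at run time. `when: vagrant_exe.stat.exists == False` would be more idiomatic as `when: not vagrant_exe.stat.exists`.
```yaml
- name: configure kubectl
  command: "{{ item }}"
  args:
    chdir: "{{ kubernates_vagrant_config_path }}"
  with_items:
    - kubectl config set-cluster vagrant-multi-cluster --server=https://172.17.4.99:443 --certificate-authority={{ kubernates_vagrant_config_path }}/ssl/ca.pem
    - kubectl config set-credentials vagrant-multi-admin --certificate-authority={{ kubernates_vagrant_config_path }}/ssl/ca.pem --client-key={{ kubernates_vagrant_config_path }}/ssl/admin-key.pem --client-certificate={{ kubernates_vagrant_config_path }}/ssl/admin.pem
    # … unchanged: set-context and use-context items …
```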
@@ -2,22 +2,35 @@
# tasks/main.yml
# define tasks here
-- name: set correct permissions on dirs
- file: state=directory path=/var/bind/{{ item }} owner=root group=named mode=0770
+- name: install bind package
+ apt:
+ name: "{{ item }}"
+ update_cache: yes
+ state: latest
with_items:
- - pri
- - sec
- - dyn
+ - bind9
+
+- name: set correct permissions for logging
+ file:
+ state=directory
+ path=/var/log/named/
+ owner={{ bind.user }}
+ group={{ bind.group }}
+ mode=0777
notify:
- restart bind
-- name: copy zone files to /var/bind/pri
- template: src={{ item }}.j2 dest=/var/bind/pri/{{ item }} owner=root group=named mode=0750
+- name: copy zone files to /etc/bind/
+ template: src={{ item }}.j2 dest=/etc/bind/db.{{ item }} owner={{ bind.user }} group={{ bind.group }} mode=0644
with_items: "{{ bind.zonefiles }}"
notify:
- restart bind
-- name: copy named.conf to /etc/bind/
- template: src=named.conf.j2 dest=/etc/bind/named.conf owner=root group=named mode=0640
+- name: copy named.confs to /etc/bind/
+ template: src={{ item }}.j2 dest=/etc/bind/{{ item }} owner={{ bind.user }} group={{ bind.group }} mode=0640
+ with_items:
+ - named.conf.local
+ - named.conf.options
+ - named.conf.default-zones
notify:
- restart bind
diff --git a/roles/ns.xai-corp.net/templates/named.conf.default-zones.j2 b/roles/ns.xai-corp.net/templates/named.conf.default-zones.j2
new file mode 100644
index 0000000..6594de1
--- /dev/null
+++ b/roles/ns.xai-corp.net/templates/named.conf.default-zones.j2
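Review bot: `mode=0777` on `/var/log/named/` makes the log directory world-writable, so any local account can create or replace the file that named later opens as `/var/log/named/named.log` (the channel defined in the new named.conf.options template); with `owner={{ bind.user }} group={{ bind.group }}` already applied, `mode=0770` is enough for the `bind` group to write there, or make `bind` the owner and use `0750`. The `file:` arguments written one `key=value` per line only work because YAML folds them into a single plain scalar; native keys (`state: directory`, `path: /var/log/named/`, ...) are the form the `apt:` task in the same hunk uses and survive a reformat. `state: latest` on the bind9 install upgrades the package on every run, which makes a DNS restart a side effect of any unrelated play; `state: present` keeps package changes deliberate.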
@@ -0,0 +1,30 @@
+// prime the server with knowledge of the root servers
+view "defaults" {
+ zone "." {
+ type hint;
+ file "/etc/bind/db.root";
+ };
+
+ // be authoritative for the localhost forward and reverse zones, and for
+ // broadcast zones as per RFC 1912
+
+ zone "localhost" {
+ type master;
+ file "/etc/bind/db.local";
+ };
+
+ zone "127.in-addr.arpa" {
+ type master;
+ file "/etc/bind/db.127";
+ };
+
+ zone "0.in-addr.arpa" {
+ type master;
+ file "/etc/bind/db.0";
+ };
+
+ zone "255.in-addr.arpa" {
+ type master;
+ file "/etc/bind/db.255";
+ };
+};
diff --git a/roles/ns.xai-corp.net/templates/named.conf.local.j2 b/roles/ns.xai-corp.net/templates/named.conf.local.j2
new file mode 100644
index 0000000..8ec9be5
--- /dev/null
+++ b/roles/ns.xai-corp.net/templates/named.conf.local.j2
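Review bot: `view "defaults"` sets neither `match-clients` nor `recursion`, so it is a catch-all for any client not matched by an earlier view and inherits the global recursion default; which clients reach it depends on the include order in named.conf, which is not in this patch, but if it is included after the `internal` (trusted) and `external` (none) views of named.conf.local it is the view every non-trusted client lands in. Make the intent explicit at the top of the view, e.g. `match-clients { any; }; recursion no;`, and note that the root `hint` zone exists only here, so the `internal` view appears to rely on BIND's compiled-in hints whenever its forwarders fail. The file is a .j2 template that contains no Jinja expressions; the hard-coded `/etc/bind/db.*` paths could be driven from the role's `bind` defaults.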
@@ -0,0 +1,85 @@
+# named.conf.local
+#
+# - local zones and views
+
+view "internal" {
+ match-clients { trusted; };
+ recursion yes;
+
+ // zone "." in {
+ // type hint;
+ // file "/etc/bind/named.cache";
+ // };
+
+ zone "localhost" IN {
+ type master;
+ file "/etc/bind/db.127";
+ notify no;
+ };
+
+ zone "127.in-addr.arpa" IN {
+ type master;
+ file "/etc/bind/db.127";
+ notify no;
+ };
+
+ zone "xai-corp.net." IN {
+ type master;
+ file "/etc/bind/db.xai-corp.net.internal";
+ allow-transfer { none; };
+ };
+
+ zone "2.168.192.in-addr.arpa." IN {
+ type master;
+ file "/etc/bind/db.xai-corp.net.reverse";
+ allow-update { none; };
+ };
+
+};
+
+view "external" {
+ match-clients { none; };
+ recursion no;
+
+
+// zone "xai-corp.net" {
+// type master;
+// file "/etc/bind/db.xai-corp.net.external";
+// allow-query { none; };
+// allow-transfer { 127.0.0.1; };
+// };
+};
+
+/*
+ * Briefly, a zone which has been declared delegation-only will be effectively
+ * limited to containing NS RRs for subdomains, but no actual data beyond its
+ * own apex (for example, its SOA RR and apex NS RRset). This can be used to
+ * filter out "wildcard" or "synthesized" data from NAT boxes or from
+ * authoritative name servers whose undelegated (in-zone) data is of no
+ * interest.
+ * See http://www.isc.org/software/bind/delegation-only for more info
+ */
+
+//zone "COM" { type delegation-only; };
+//zone "NET" { type delegation-only; };
+
+//zone "YOUR-DOMAIN.TLD" {
+// type master;
+// file "/var/bind/pri/YOUR-DOMAIN.TLD.zone";
+// allow-query { any; };
+// allow-transfer { xfer; };
+//};
+
+//zone "YOUR-SLAVE.TLD" {
+// type slave;
+// file "/var/bind/sec/YOUR-SLAVE.TLD.zone";
+// masters { ; };
+
+ /* Anybody is allowed to query but transfer should be controlled by the master. */
+// allow-query { any; };
+// allow-transfer { none; };
+
+ /* The master should be the only one who notifies the slaves, shouldn't it? */
+// allow-notify { ; };
+// notify no;
+//};
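Review bot: In the `internal` view, `zone "localhost" IN` loads `/etc/bind/db.127`, the same file the `127.in-addr.arpa` zone two stanzas below uses; the forward zone should load `/etc/bind/db.local`, as the new named.conf.default-zones template does, otherwise `localhost` in this view presumably has no A record at all. The reverse zone `2.168.192.in-addr.arpa.` loads `db.xai-corp.net.reverse`, but the visible `bind.zonefiles` default lists only `xai-corp.net.internal` and `localhost.zone`, so that file may never be templated by the `copy zone files` task and named would refuse to load the zone; confirm the list or add `xai-corp.net.reverse` to it. `allow-transfer { none; };` on the forward zone and `allow-update { none; };` on the reverse are each fine but inconsistent; set both on both zones so the policy is the same regardless of which zone is read first. The `view "external"` block contains only commented-out zones, so with `match-clients { none; }` it currently does nothing; a one-line comment saying it is a placeholder would save the next reader a question.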
diff --git a/roles/ns.xai-corp.net/templates/named.conf.options.j2 b/roles/ns.xai-corp.net/templates/named.conf.options.j2
new file mode 100644
index 0000000..bf5ae57
--- /dev/null
+++ b/roles/ns.xai-corp.net/templates/named.conf.options.j2
@@ -0,0 +1,81 @@
+/*
+ * Refer to the named.conf(5) and named(8) man pages, and the documentation
+ * in /usr/share/doc/bind-9 for more details.
+ * Online versions of the documentation can be found here:
+ * http://www.isc.org/software/bind/documentation
+ *
+ * If you are going to set up an authoritative server, make sure you
+ * understand the hairy details of how DNS works. Even with simple mistakes,
+ * you can break connectivity for affected parties, or cause huge amounts of
+ * useless Internet traffic.
+ */
+
+acl "xfer" {
+ /* Deny transfers by default except for the listed hosts.
+ * If we have other name servers, place them here.
+ */
+ none;
+};
+
+/*
+ * You might put in here some ips which are allowed to use the cache or
+ * recursive queries
+ */
+acl "trusted" {
+ 127.0.0.0/8;
+ 192.168.2.0/24;
+ ::1/128;
+};
+
+options {
+ directory "/var/cache/bind";
+
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
+
+ forward first;
+ forwarders {
+ // 207.164.234.129; // Your ISP NS
+ // 207.164.234.193; // Your ISP NS
+ // 4.2.2.1; // Level3 Public DNS
+ // 4.2.2.2; // Level3 Public DNS
+ 8.8.8.8; // Google Open DNS
+ 8.8.4.4; // Google Open DNS
+ };
+
+ //========================================================================
+ // If BIND logs error messages about the root key being expired,
+ // you will need to update your keys. See https://www.isc.org/bind-keys
+ //========================================================================
+ dnssec-validation auto;
+
+ auth-nxdomain no; # conform to RFC1035
+ listen-on-v6 { any; };
+};
+
+
+
+logging {
+ channel default_log {
+ file "/var/log/named/named.log" versions 3 size 5M;
+ severity notice;
+ print-time yes;
+ print-severity yes;
+ print-category yes;
+ };
+
+ category default { default_log; };
+ category general { default_log; };
+};
+
+
+include "/etc/bind/rndc.key";
+controls {
+ inet 127.0.0.1 port 953 allow { 127.0.0.1/24; ::1/128; } keys { "rndc-key"; };
+};
diff --git a/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2 b/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2
index 2038bb7..a5b0192 100644
--- a/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2
+++ b/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2
@@ -8,9 +8,9 @@ $TTL 1D
xai-corp.net. IN NS ns.xai-corp.net.
xai-corp.net. IN MX 0 mail.xai-corp.net.
-xai-corp.net. IN TXT "v=spf1 ip4:192.168.2.12/32 mx ptr mx:mail.xai-corp.net ~all"
-ns IN A 192.168.2.12
-mail IN A 192.168.2.12
+xai-corp.net. IN TXT "v=spf1 ip4:192.168.2.11/32 mx ptr mx:mail.xai-corp.net ~all"
+ns IN A 192.168.2.22
+mail IN A 192.168.2.11
getafix IN CNAME ns
test IN CNAME ns
home IN CNAME ns
diff --git a/roles/td-agent-bit/handlers/main.yml b/roles/td-agent-bit/handlers/main.yml
new file mode 100644
index 0000000..30a7dd6
--- /dev/null
+++ b/roles/td-agent-bit/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+# handlers for td-agent-bit
+
+
+- name: restart td-agent-bit
+ service: name=td-agent-bit state=restarted
diff --git a/roles/td-agent-bit/tasks/main.yml b/roles/td-agent-bit/tasks/main.yml
new file mode 100644
index 0000000..5b10a4e
--- /dev/null
+++ b/roles/td-agent-bit/tasks/main.yml
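Review bot: `allow { 127.0.0.1/24; ::1/128; }` in the `controls` stanza has host bits set under a /24, an address/prefix mismatch that BIND reports as a warning in some versions and rejects in others; the intent is presumably `127.0.0.1/32`, or `127.0.0.0/8` to match the `trusted` acl above. `acl "xfer"` is defined but referenced only from commented-out zones in named.conf.local, so zone transfers are governed solely by each zone's own `allow-transfer`; either reference it (`allow-transfer { xfer; };`) in the live zones or drop it so nobody assumes it is in force. The `forwarders` list hard-codes public resolvers while the `internal` view enables recursion for the trusted acl; that looks deliberate, but a one-line comment stating it would save the next reader from re-deriving the policy. As with the other two templates, this .j2 contains no Jinja, so the trusted network `192.168.2.0/24` and the forwarder addresses could be role variables rather than literals.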
@@ -0,0 +1,24 @@
+---
+# install fluentd td-agent bit log forwarder
+
+
+- name: install GPG key
+ apt_key:
+ state: present
+ url: http://packages.fluentbit.io/fluentbit.key
+
+- name: install repo
+ apt_repository:
+ state: present
+ repo: deb http://packages.fluentbit.io/ubuntu xenial main
+
+
+- name: update database
+ apt:
+ update_cache: true
+
+- name: install package
+ apt:
+ state: present
+ name: td-agent-bit
+ notify: restart td-agent-bit
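Review bot: The `apt_key` task fetches the repository signing key over plain `http://`, and the `apt_repository` line is `http://` as well; since that key is what apt subsequently trusts to verify every package from the repo, anything substituted on the path at install time is accepted for all later upgrades too. Fetch the key over `https://` (or ship it inside the role and pass it via `data:`) and pin it with the `id:` parameter so a fingerprint mismatch fails the task instead of installing a different key. `apt_repository` refreshes the package cache by default (`update_cache` is true), so the separate `update database` task is likely redundant; the repo line also hard-codes `xenial`, where `{{ ansible_distribution_release }}` would follow the host.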