vincent/homelab
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge branch 'retour'

Browse Source
This commit is contained in:
vincent 2022-09-13 20:43:38 +02:00
commit 15dc6226c5
8 changed files with 62 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ansible/ansible.cfg
View File

@ -275,7 +275,7 @@ retry_files_enabled = False
# turn this on to have behaviour more like Ansible prior to 2.1.x. See # turn this on to have behaviour more like Ansible prior to 2.1.x. See
# https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user # https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user
# for more secure ways to fix this than enabling this option. # for more secure ways to fix this than enabling this option.
#allow_world_readable_tmpfiles = False allow_world_readable_tmpfiles = True
# controls the compression level of variables sent to # controls the compression level of variables sent to
# worker processes. At the default of 0, no compression # worker processes. At the default of 0, no compression

4
ansible/group_vars/all/sssd
View File

@ -3,3 +3,7 @@ sssd_configure: true
ldap_search_base: "dc=ducamps,dc=win" ldap_search_base: "dc=ducamps,dc=win"
ldap_uri: "ldaps://ldap.ducamps.win" ldap_uri: "ldaps://ldap.ducamps.win"
ldap_sudo_search_base: "ou=sudoers,dc=ducamps,dc=win" ldap_sudo_search_base: "ou=sudoers,dc=ducamps,dc=win"
ldap_default_bind_dn : "uid=vaultserviceaccount,cn=users,dc=ducamps,dc=win"
ldap_password : "{{lookup('hashi_vault', 'secret=secrets/data/ansible/other:vaulserviceaccount')}}"

2
ansible/group_vars/dhcp
View File

@ -45,7 +45,7 @@ dhcpd_hosts:
- hostname: 'oscar' - hostname: 'oscar'
address: '192.168.1.40' address: '192.168.1.40'
ethernet: '84:39:be:12:05:69' ethernet: '7C:83:34:B3:49:9A'
- hostname: 'VMAS-HML' - hostname: 'VMAS-HML'
address: '192.168.1.50' address: '192.168.1.50'

9
ansible/host_vars/gerard
View File

@ -1,18 +1,19 @@
--- ---
ansible_host: "192.168.1.41" ansible_host: "192.168.1.41"
ansible_python_interpreter: "/usr/bin/python3" ansible_python_interpreter: "/usr/bin/python3"
wireguard_address: "10.0.0.5/24" wireguard_address: "10.0.0.6/24"
wireguard_allowed_ips: "10.0.0.5/32,192.168.1.0/24" wireguard_byhost_allowed_ips:
merlin: 10.0.0.6,192.168.1.41
perrsistent_keepalive: "30" perrsistent_keepalive: "30"
wireguard_endpoint: "" wireguard_endpoint: ""
wireguard_postup: wireguard_postup:
- iptables -A FORWARD -i wg0 -j ACCEPT - iptables -A FORWARD -i wg0 -j ACCEPT
- iptables -A FORWARD -o wg0 -j ACCEPT - iptables -A FORWARD -o wg0 -j ACCEPT
- iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE - iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
wireguard_postdown: wireguard_postdown:
- iptables -D FORWARD -i wg0 -j ACCEPT - iptables -D FORWARD -i wg0 -j ACCEPT
- iptables -D FORWARD -o wg0 -j ACCEPT - iptables -D FORWARD -o wg0 -j ACCEPT
- iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE - iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

47
ansible/host_vars/oscar
View File

@ -1,16 +1,57 @@
--- ---
wireguard_address: "10.0.0.2/24" wireguard_address: "10.0.0.2/24"
wireguard_allowed_ips: "10.0.0.2/32,192.168.1.0/24" wireguard_byhost_allowed_ips:
merlin: 10.0.0.2,192.168.1.40,192.168.1.0/24
perrsistent_keepalive: "30" perrsistent_keepalive: "30"
wireguard_endpoint: "" wireguard_endpoint: ""
wireguard_postup: wireguard_postup:
- iptables -A FORWARD -i wg0 -j ACCEPT - iptables -A FORWARD -i wg0 -j ACCEPT
- iptables -A FORWARD -o wg0 -j ACCEPT - iptables -A FORWARD -o wg0 -j ACCEPT
- iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE - iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
wireguard_postdown: wireguard_postdown:
- iptables -D FORWARD -i wg0 -j ACCEPT - iptables -D FORWARD -i wg0 -j ACCEPT
- iptables -D FORWARD -o wg0 -j ACCEPT - iptables -D FORWARD -o wg0 -j ACCEPT
- iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE - iptables -t nat -D POSTROUTING -o enp2s0 -j MASQUERADE
consul_snapshot: True consul_snapshot: True
partition_table:
- device: "/dev/sda"
label: gpt
settings:
- number: 1
part_end: 300MB
flags: [boot, esp]
fstype: vfat
format: yes
- number: 2
part_start: 512MB
part_end: 1524MB
flags: []
fstype: swap
format: yes
- number: 3
part_start: 1524MB
flags: [lvm]
fstype: ext4
format: yes
#- device: "/dev/sdb"
#settings:
#- number: 1
#name: home
#fstype: ext4
#format:
mount_table:
- device: "/dev/sda"
settings:
- number: 3
mountpath: /mnt
fstype: ext4
- number: 1
mountpath: /mnt/boot
fstype: vfat
#need vfat boot partition with esp label
provissionning_UEFI_Enable: True

3
ansible/playbooks/bootstrap.yml
View File

@ -1,4 +1,7 @@
--- ---
- hosts: all - hosts: all
remote_user: root
vars:
ansible_password: "{{ lookup('hashi_vault','secret=secrets/data/ansible/user:root') }}"
roles: roles:
- ansible_bootstrap - ansible_bootstrap

1
ansible/production
View File

@ -18,7 +18,6 @@ gerard
[database] [database]
oscar oscar
merlin
[rsyncd] [rsyncd]
oscar oscar

6
ansible/provisionning.yml
View File

@ -1,6 +1,8 @@
--- ---
- hosts: all - hosts: all
remote_user: root remote_user: root
vars:
provissionning_default_root: "{{ lookup('hashi_vault','secret=secrets/data/ansible/user:root') }}"
roles: roles:
- ansible-arch-provissionning - ansible-arch-provissionning
@ -11,5 +13,5 @@
roles: roles:
- ansible_bootstrap - ansible_bootstrap
- remote_user: "{{ user.name }}" #- remote_user: "{{ user.name }}"
import_playbook: site.yml #import_playbook: site.yml