Merge pull request 'Refactor ANSIBLE Folder' (#1) from hbaxter into master

Reviewed-on: #1

ANSIBLE/README.md

@@ -1,5 +1,50 @@
-README.md
-=========
+# README.md
+
+## Current
+
+This repository has been refactored a bit to enable the auto merging functionality of ansible inventorys and vars plugins.
+As such a brakedown of the following folders should be explained.
+
+`inventory/`:
+
+This folder should contain yaml files with host definitions, one yaml file per project / customer depending on size.
+
+`group_vars/`:
+
+This folder should be used for all groups vars.
+
+`host_vars/`:
+
+Ideally configuring host vars here should be avoided, these should be set at the group level unless specific overides are needed. However these are probbly best placed in host inventory unless the host is patten matched.
+
+Long term ideally we should have a `site.yml` that will run all the config playbooks within this repo. I would imagine we will have some other types of playbooks such as patching which will not be as sensible to include in such a playbook.
+
+### Code Quality Guidelines
+
+Ideally all commited ansible will pass ansible-lint for latest ansible core release. This does mean that full module names should be used.
+
+Role's should be using templates as much as possible to ensure that configs are idpotent as possible, please avoid file module for config files even if we dont need to template use a template with no vars.
+
+
+
+
+### CMD Example
+
+```bash
+ansible-playbook icinga.yml --ask-vault-pass --check
+# vs old 
+ansible-playbook -i hosts icinga.yml --ask-vault-pass --check
+```
+
+
+
+
+
+
+
+## Original
+
+
 
 This is an index of all of the ansible scripts used for building Telos Digital systems, as created by Peter Edmond
 

ANSIBLE/ansible.cfg

@@ -1,3 +1,2 @@
 [defaults]
-inventory = ./hosts
-remote_user = ubuntu
+inventory = inventory/

ANSIBLE/group_vars/all/all.yml

@@ -0,0 +1,5 @@
+svc_acct_name: "ubuntu"
+svc_acct_keys: 
+  - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMvM9FL5V14ciT6qOSMx4zk3+K7F1aXQh6YjO+KDu94q hbaxter@telos_digital"
+  - "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEAtUHnAtmjQd62/4edYxOCCSviJW7Wjn7TD/6eSYrXtRY87v9bAKYrPbUgWTQL+jMLFGCPzRoQCsEt/BZKoVASYzj9EQAatXFczYiXQQaBHlCEcRwtxYV5A2vjkAAmElwYtYAE8aKxDhFWPIlceB4DZ6x5pzlsztnaZKsLEs6PavEZ6UH/ubou6wSoBOWvFU1TZB1qwBfqD6QlkXJmjz7+Ci1MJSJ8kSAo9lFSPtE98pMfLG/NFAlYJSh4g7+qj8ghIGPFJxmmaHdvw/8+H1nY6kV38q4UoSjv9wnNeG+eOm/Uk8sUC/K9F777APRA4L7MjUrWY0m2fX8rMH+bTU/B1mdW/6o+/ooNXDPIjb6eKNpVC1cS/bP1z8Ki72pg7nbf8GRe3vN9kDj53HsDDzQ2WssOy6kt4Pq6qzUrco//VYQozNrSTfdV98mz1OzEhrq8qONvKz6rvurkne7hbfAcf0SyHM6bi1whzuuNw0gaGu0IoDNpH7HQsIxksRgwvdC9DWKA9V23piafL40OLQhAW1uqpCgO942zCGzCMiEB5OdjY/MakNU9LoQ9VQ2bJGrwLWDvudpzvYeaT70LQpnU9AEiO9fewBfVeFHX/02dFAffShp1hWso76A7Y9v5UaPmPKp/kJlhpQfDvgd6UY1w/MhkAiou9K/wm7bu0fwwZFE= telos@anothermouse.com"
+  - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDOnTW/kBQfw/ET5luVvHeWl/tFo1BAJk86UWOGxLbNi30sr4uo+xkNTUvKK2wL+6sRs1MVXH2qxTXa8wG4BfdEZBBOej3I8ci3Yl1fqQV8PB0c/GifP5W1Gj6oZSGvKDAOweV2nr6QUx1BhA9nqg0LZaLt1vaa2d+fgW3R5qT0QKKx5fKEBT95fsjUI99Gi4EAT/VYcmDo/aDyl6crKI+/YRn+0cuq0vLoRpF3rYtBMnqXCobchoooA1W+vZauVh/l5IzgQaN2tTaM9WU8qUUt8j8YaPGMFszX2iZoI1gylF/mSXqP7htxH4KCy0g2AOnnK+8QN6GwHIkOfG6lGu1t nataliia.bobrova.s@gmail.com "

ANSIBLE/hosts

@@ -1,8 +0,0 @@
-[web]
-monitor.telos.digital
-
-[eoq]
-eoq.telos.digital
-
-[monitor]
-monitor.telos.digital

ANSIBLE/icinga.yml

@@ -1,5 +1,4 @@
 ---
-#- import_playbook: httpd.yml
 
 - name: Install php and icinga2 web
   hosts: monitor

ANSIBLE/inventory/davismethod.yml

@@ -0,0 +1 @@
+---

ANSIBLE/inventory/telos_digital.yml

@@ -0,0 +1,12 @@
+all:
+  vars:
+    ansible_user: 'ubuntu'
+web:
+  hosts:
+    monitor.telos.digital:
+eoq:
+  hosts:
+    eoq.telos.digital:
+monitor:
+  hosts:
+    monitor.telos.digital:

ANSIBLE/roles/icinga2/tasks/icinga2-ido.yml

@@ -18,18 +18,17 @@
     column_case_sensitive: true
 
 - name: Check if IDO schema has already been imported
-  stat:
+  ansible.builtin.stat:
     path: /var/lib/icinga2/ido_schema_imported.flag
   register: ido_schema_marker
 
 - name: Import IDO schema
-  shell: |
+  ansible.builtin.shell: |
     mysql -u root -p'{{ mariadb_root_password }}' {{ icinga_db_name }} < /usr/share/icinga2-ido-mysql/schema/mysql.sql
   when: not ido_schema_marker.stat.exists
 
 - name: Mark IDO schema as imported
-  file:
+  ansible.builtin.file:
     path: /var/lib/icinga2/ido_schema_imported.flag
     state: touch
   when: not ido_schema_marker.stat.exists
-

ANSIBLE/roles/icinga2/tasks/icinga2-templates.yml

@@ -0,0 +1,88 @@
+---
+- name: Template app.conf
+  ansible.builtin.template:
+    src: etc/icinga2/conf.d/app.conf.j2
+    dest: /etc/icinga2/conf.d/app.conf
+    owner: nagios
+    group: nagios
+    mode: '0644'
+  notify: Restart Icinga2
+- name: Template apt.conf
+  ansible.builtin.template:
+    src: etc/icinga2/conf.d/apt.conf.j2
+    dest: /etc/icinga2/conf.d/apt.conf
+    owner: nagios
+    group: nagios
+    mode: '0644'
+  notify: Restart Icinga2
+- name: Template commands.conf
+  ansible.builtin.template:
+    src: etc/icinga2/conf.d/commands.conf.j2
+    dest: /etc/icinga2/conf.d/commands.conf
+    owner: nagios
+    group: nagios
+    mode: '0644'
+  notify: Restart Icinga2
+- name: Template downtimes.conf
+  ansible.builtin.template:
+    src: etc/icinga2/conf.d/downtimes.conf.j2
+    dest: /etc/icinga2/conf.d/downtimes.conf
+    owner: nagios
+    group: nagios
+    mode: '0644'
+  notify: Restart Icinga2
+- name: Template groups.conf
+  ansible.builtin.template:
+    src: etc/icinga2/conf.d/groups.conf.j2
+    dest: /etc/icinga2/conf.d/groups.conf
+    owner: nagios
+    group: nagios
+    mode: '0644'
+  notify: Restart Icinga2
+- name: Template hosts.conf
+  ansible.builtin.template:
+    src: etc/icinga2/conf.d/hosts.conf.j2
+    dest: /etc/icinga2/conf.d/hosts.conf
+    owner: nagios
+    group: nagios
+    mode: '0644'
+  notify: Restart Icinga2
+- name: Template notifications.conf
+  ansible.builtin.template:
+    src: etc/icinga2/conf.d/notifications.conf.j2
+    dest: /etc/icinga2/conf.d/notifications.conf
+    group: nagios
+    mode: '0644'
+  notify: Restart Icinga2
+- name: Template services.conf
+  ansible.builtin.template:
+    src: etc/icinga2/conf.d/services.conf.j2
+    dest: /etc/icinga2/conf.d/services.conf
+    owner: nagios
+    group: nagios
+    mode: '0644'
+  notify: Restart Icinga2
+- name: Template templates.conf
+  ansible.builtin.template:
+    src: etc/icinga2/conf.d/templates.conf.j2
+    dest: /etc/icinga2/conf.d/templates.conf
+    owner: nagios
+    group: nagios
+    mode: '0644'
+  notify: Restart Icinga2
+- name: Template timeperiods.conf
+  ansible.builtin.template:
+    src: etc/icinga2/conf.d/timeperiods.conf.j2
+    dest: /etc/icinga2/conf.d/timeperiods.conf
+    owner: nagios
+    group: nagios
+    mode: '0644'
+  notify: Restart Icinga2
+- name: Template templates.conf
+  ansible.builtin.template:
+    src: etc/icinga2/conf.d/users.conf.j2
+    dest: /etc/icinga2/conf.d/users.conf
+    owner: nagios
+    group: nagios
+    mode: '0644'
+  notify: Restart Icinga2

ANSIBLE/roles/icinga2/tasks/main.yml

@@ -1,46 +1,46 @@
 ---
 - name: Ensure keyrings directory exists
-  file:
+  ansible.builtin.file:
     path: /etc/apt/keyrings
     state: directory
     mode: '0755'
 
 - name: Download Icinga GPG key to keyrings
-  get_url:
+  ansible.builtin.get_url:
     url: https://packages.icinga.com/icinga.key
     dest: /etc/apt/keyrings/icinga.asc
     mode: '0644'
 
 - name: Add Icinga APT repository (Ubuntu 24.04 "noble")
-  apt_repository:
+  ansible.builtin.apt_repository:
     repo: "deb [signed-by=/etc/apt/keyrings/icinga.asc] https://packages.icinga.com/ubuntu icinga-noble main"
     state: present
     filename: icinga
 
 - name: Add Icinga 2 GPG key
-  apt_key:
+  ansible.builtin.apt_key:
     url: https://packages.icinga.com/icinga.key
     state: present
 
 - name: Install Icinga 2
-  apt:
+  ansible.builtin.apt:
     name: icinga2
     state: present
-    update_cache: yes
+    update_cache: true
 
 # Include IDO DB setup tasks
 - name: Setup Icinga2 IDO DB
-  include_tasks: icinga2-ido.yml
+  ansible.builtin.include_tasks: icinga2-ido.yml
 
 - name: Start and enable icinga2 service
-  service:
+  ansible.builtin.service:
     name: icinga2
     state: started
-    enabled: yes
+    enabled: true
 
 - name: Install Icinga Web 2 and Apache (optional)
   when: icinga2_install_web
-  apt:
+  ansible.builtin.apt:
     name:
       - icingaweb2
       - icingacli
@@ -56,27 +56,27 @@
 
 - name: Enable Apache for Icinga Web
   when: icinga2_install_web
-  service:
+  ansible.builtin.service:
     name: apache2
     state: started
-    enabled: yes
+    enabled: true
 
 - name: Configure Icinga Web 2 database (optional)
   when: icinga2_install_web
-  debug:
+  ansible.builtin.debug:
     msg: "You can add DB config, MySQL setup, etc. here."
 
 - name: Install Icinga2 IDO MySQL module
-  apt:
+  ansible.builtin.apt:
     name: icinga2-ido-mysql
     state: present
 
 - name: Enable the IDO MySQL feature
-  command: icinga2 feature enable ido-mysql
+  ansible.builtin.command: icinga2 feature enable ido-mysql
   notify: Restart Icinga2
 
 - name: Configure IDO DB connection
-  template:
+  ansible.builtin.template:
     src: ido-mysql.conf.j2
     dest: /etc/icinga2/features-enabled/ido-mysql.conf
     owner: root
@@ -84,4 +84,5 @@
     mode: '0644'
   notify: Restart Icinga2
 
- 
+- name: Setup Icinga2 Templates
+  ansible.builtin.include_tasks: icinga2-templates.yml

ANSIBLE/roles/svc_acct/defaults/main.yml

@@ -0,0 +1,2 @@
+svc_acct_name: "root"
+svc_acct_keys: ""

ANSIBLE/roles/svc_acct/tasks/main.yml

@@ -0,0 +1,44 @@
+- name: Add Local User
+  ansible.builtin.user:
+    name: "{{ svc_acct_name }}"
+    comment: General Service Account
+    password_lock: true
+    shell: "/bin/bash"
+    create_home: true
+- name: Wheel Group
+  when: ansible_facts['os_family'] == "RedHat"
+  ansible.builtin.user:
+    name: servicelink
+    groups: wheel
+    append: true
+- name: Sudo Group
+  when: ansible_facts['distribution'] == "Ubuntu"
+  ansible.builtin.user:
+    name: "{{ svc_acct_name }}"
+    groups: sudo
+    append: true
+- name: Make servicelink sudo Passwordless
+  ansible.builtin.lineinfile:
+    path: /etc/sudoers
+    state: present
+    line: "{{ svc_acct_name }}  ALL=(ALL)       NOPASSWD: ALL"
+    validate: /usr/sbin/visudo -cf %s
+- name: "Make .ssh  dir"
+  ansible.builtin.file:
+    path: "/home/{{ svc_acct_name }}/.ssh/"
+    state: directory
+    owner: "{{ svc_acct_name }}"
+    group: "{{ svc_acct_name }}"
+    mode: "0700"
+- name: Make Authorised Key
+  ansible.builtin.file:
+    path: "/home/{{ svc_acct_name }}/.ssh/authorized_keys"
+#    state: touch
+    owner: "{{ svc_acct_name }}"
+    group: "{{ svc_acct_name }}"
+    mode: "0600"
+- name: Add Publickey
+  ansible.builtin.lineinfile:
+    path: "/home//{{ svc_acct_name }}/.ssh/authorized_keys"
+    line: "{{ item }}"
+  loop: "{{ svc_acct_keys }}"

ANSIBLE/test.yml

@@ -0,0 +1,14 @@
+---
+
+- name: Test roles
+  hosts: eoq
+  become: true
+  gather_facts: true
+  #vars_files:
+  #  - group_vars/all.yaml
+  roles:
+    - svc_acct
+  tasks:
+    - ansible.builtin.debug:
+        msg: "Finished"
+      name: "Finished mgs"