A basic first cut at a bastion role. Going to use on bastion02

2014-10-08 22:37:24 +00:00 · 2014-10-08 22:37:24 +00:00 · a50758d90e
commit a50758d90e
parent 6fb0963909
5 changed files with 89 additions and 17 deletions
--- a/inventory/group_vars/bastion
+++ b/inventory/group_vars/bastion
@ -0,0 +1,27 @@
+---
+# Define resources for this group of hosts here. 
+lvm_size: 20000
+mem_size: 8192
+num_cpus: 4
+
+#
+# allow incoming openvpn and smtp
+#
+tcp_ports: [ 25, 1194 ]
+udp_ports: [ 1194 ]
+
+#
+# drop incoming traffic from less trusted vpn hosts
+#
+custom_rules: [
+    '-A INPUT -s 192.168.100/0/24 -j REJECT --reject-with icmp-host-prohibited',
+]
+#
+# allow a bunch of sysadmin groups here so they can access internal stuff
+#
+fas_client_groups: sysadmin-ask, sysadmin-web, sysadmin-main, sysadmin-cvs, sysadmin-build, sysadmin-noc, sysadmin-releng, sysadmin-dba, sysadmin-hosted, sysadmin-tools, sysadmin-spin , sysadmin-cloud, fi-apprentice, sysadmin-darkserver, sysadmin-badges, sysadmin-troubleshoot, sysadmin-qa, sysadmin-centos, sysadmin-ppc 
+
+#
+# This is a postfix gateway. This will pick up gateway postfix config in base
+#
+postfix_group: gateway
--- a/inventory/host_vars/bastion02.phx2.fedoraproject.org
+++ b/inventory/host_vars/bastion02.phx2.fedoraproject.org
@ -0,0 +1,11 @@
+---
+nm: 255.255.255.0
+gw: 10.5.126.254
+dns: 10.5.126.21
+
+volgroup: /dev/vg_guests00
+
+eth0_ip: 10.5.126.11
+
+vmhost: virthost05.phx2.fedoraproject.org
+datacenter: phx2
--- a/inventory/inventory
+++ b/inventory/inventory
@ -64,10 +64,12 @@ badges-web01.stg.phx2.fedoraproject.org
 bapp02.phx2.fedoraproject.org

 [bastion]
-bastion01.phx2.fedoraproject.org
 bastion02.phx2.fedoraproject.org
 bastion-comm01.qa.fedoraproject.org

+[oldbastion]
+bastion01.phx2.fedoraproject.org
+
 [blockerbugs]
 blockerbugs01.phx2.fedoraproject.org
 blockerbugs02.phx2.fedoraproject.org
--- a/playbooks/groups/bastion.yml
+++ b/playbooks/groups/bastion.yml
@ -0,0 +1,47 @@
+- name: make the servers
+  hosts: bastion
+  user: root
+  gather_facts: False
+  accelerate: "{{ accelerated }}"
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "{{ private }}/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  tasks:
+  - include: "{{ tasks }}/virt_instance_create.yml"
+
+  handlers:
+  - include: "{{ handlers }}/restart_services.yml"
+
+- name: make the boxen be real for real
+  hosts: bastion
+  user: root
+  gather_facts: True
+  accelerate: "{{ accelerated }}"
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "{{ private }}/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  roles:
+  - base
+  - rkhunter
+  - { role: denyhosts, when: ansible_distribution_major_version != '7' }
+  - nagios_client
+  - hosts
+  - fas_client
+  - sudo
+  - collectd/base
+  - openvpn/server
+  - pam_shield
+
+  tasks:
+  - include: "{{ tasks }}/yumrepos.yml"
+  - include: "{{ tasks }}/2fa_client.yml"
+  - include: "{{ tasks }}/motd.yml"
+
+  handlers:
+  - include: "{{ handlers }}/restart_services.yml"
--- a/roles/openvpn/server/tasks/main.yml
+++ b/roles/openvpn/server/tasks/main.yml
@ -42,30 +42,15 @@
  tags:
  - install
  - openvpn
-  notify:
-  - restart openvpn (Fedora)
-  - restart openvpn (RHEL7)
-  - restart openvpn (RHEL6)

 - name: Install the ccd files
  file: file src={{ files }}/ccd/ dest=/etc/openvpn/ccd/ recurse=true 
-  notify:
-  - "restart openvpn {{ ansible_distribution_version[0] }}"
  tags:
  - openvpn

-
- name: enable openvpn service for rhel 6
-  service: name=openvpn state=running enabled=true
-  when: ansible_distribution_version[0] == 6
-  tags:
-  - service
-  - openvpn
-
 - name: enable openvpn service for rhel 7 or Fedora
  service: name=openvpn@openvpn state=running enabled=true
-  when: ansible_distribution_version[0] == 7 or is_fedora is defined
+  when: ( ansible_distribution_version[0] == 7 or is_fedora is defined ) and openvpn_master is defined
  tags:
  - service
  - openvpn
-