From a50758d90e0202134ab9c030934a5709607eca4b Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Wed, 8 Oct 2014 22:37:24 +0000
Subject: [PATCH] A basic first cut at a bastion role. Going to use on bastion02
---
 inventory/group_vars/bastion | 27 +++++++++++
 .../bastion02.phx2.fedoraproject.org | 11 +++++
 inventory/inventory | 4 +-
 playbooks/groups/bastion.yml | 47 +++++++++++++++++++
 roles/openvpn/server/tasks/main.yml | 17 +------
 5 files changed, 89 insertions(+), 17 deletions(-)
 create mode 100644 inventory/group_vars/bastion
 create mode 100644 inventory/host_vars/bastion02.phx2.fedoraproject.org
 create mode 100644 playbooks/groups/bastion.yml
diff --git a/inventory/group_vars/bastion b/inventory/group_vars/bastion
new file mode 100644
index 0000000000..b5fd2362f2
--- /dev/null
+++ b/inventory/group_vars/bastion
@@ -0,0 +1,27 @@
+---
+# Define resources for this group of hosts here.
+lvm_size: 20000
+mem_size: 8192
+num_cpus: 4
+
+#
+# allow incoming openvpn and smtp
+#
+tcp_ports: [ 25, 1194 ]
+udp_ports: [ 1194 ]
+
+#
+# drop incoming traffic from less trusted vpn hosts
+#
+custom_rules: [
+ '-A INPUT -s 192.168.100/0/24 -j REJECT --reject-with icmp-host-prohibited',
+]
+#
+# allow a bunch of sysadmin groups here so they can access internal stuff
+#
+fas_client_groups: sysadmin-ask, sysadmin-web, sysadmin-main, sysadmin-cvs, sysadmin-build, sysadmin-noc, sysadmin-releng, sysadmin-dba, sysadmin-hosted, sysadmin-tools, sysadmin-spin , sysadmin-cloud, fi-apprentice, sysadmin-darkserver, sysadmin-badges, sysadmin-troubleshoot, sysadmin-qa, sysadmin-centos, sysadmin-ppc
+
+#
+# This is a postfix gateway. This will pick up gateway postfix config in base
+#
+postfix_group: gateway
diff --git a/inventory/host_vars/bastion02.phx2.fedoraproject.org b/inventory/host_vars/bastion02.phx2.fedoraproject.org
new file mode 100644
index 0000000000..70c2990135
--- /dev/null
+++ b/inventory/host_vars/bastion02.phx2.fedoraproject.org
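Review bot: The source in `custom_rules` is not a valid CIDR — `192.168.100/0/24` has a `/` where the last octet's `.` belongs, so iptables should refuse the rule and the "drop incoming traffic from less trusted vpn hosts" intent is never enforced; presumably `'-A INPUT -s 192.168.100.0/24 -j REJECT --reject-with icmp-host-prohibited'` was meant. It is also worth confirming where the base iptables template places `custom_rules` relative to the ACCEPT rules it generates from `tcp_ports`/`udp_ports`: if they are appended afterwards, traffic from that subnet to 25 and 1194 is accepted before the REJECT is ever reached. Minor: `sysadmin-spin ,` carries a stray space before the comma, which leaves a trailing space on that group name if the fas_client role splits the list on commas.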
@@ -0,0 +1,11 @@
+---
+nm: 255.255.255.0
+gw: 10.5.126.254
+dns: 10.5.126.21
+
+volgroup: /dev/vg_guests00
+
+eth0_ip: 10.5.126.11
+
+vmhost: virthost05.phx2.fedoraproject.org
+datacenter: phx2
diff --git a/inventory/inventory b/inventory/inventory
index 236283c9b4..d798a81c8e 100644
--- a/inventory/inventory
+++ b/inventory/inventory
@@ -64,10 +64,12 @@ badges-web01.stg.phx2.fedoraproject.org
 bapp02.phx2.fedoraproject.org
 
 [bastion]
-bastion01.phx2.fedoraproject.org
 bastion02.phx2.fedoraproject.org
 bastion-comm01.qa.fedoraproject.org
 
+[oldbastion]
+bastion01.phx2.fedoraproject.org
+
 [blockerbugs]
 blockerbugs01.phx2.fedoraproject.org
 blockerbugs02.phx2.fedoraproject.org
diff --git a/playbooks/groups/bastion.yml b/playbooks/groups/bastion.yml
new file mode 100644
index 0000000000..514b4afa58
--- /dev/null
+++ b/playbooks/groups/bastion.yml
@@ -0,0 +1,47 @@
+- name: make the servers
+ hosts: bastion
+ user: root
+ gather_facts: False
+ accelerate: "{{ accelerated }}"
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "{{ private }}/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ tasks:
+ - include: "{{ tasks }}/virt_instance_create.yml"
+
+ handlers:
+ - include: "{{ handlers }}/restart_services.yml"
+
+- name: make the boxen be real for real
+ hosts: bastion
+ user: root
+ gather_facts: True
+ accelerate: "{{ accelerated }}"
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "{{ private }}/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ roles:
+ - base
+ - rkhunter
+ - { role: denyhosts, when: ansible_distribution_major_version != '7' }
+ - nagios_client
+ - hosts
+ - fas_client
+ - sudo
+ - collectd/base
+ - openvpn/server
+ - pam_shield
+
+ tasks:
+ - include: "{{ tasks }}/yumrepos.yml"
+ - include: "{{ tasks }}/2fa_client.yml"
+ - include: "{{ tasks }}/motd.yml"
+
+ handlers:
+ - include: "{{ handlers }}/restart_services.yml"
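Review bot: `hosts: bastion` in both plays targets the whole group, which per the inventory hunk still contains bastion-comm01.qa.fedoraproject.org next to bastion02, so the group_vars added in this commit (ports 25/1194 opened, the REJECT rule, the broad fas_client_groups list, `postfix_group: gateway`) and the full role stack including openvpn/server land on the qa bastion as well; the commit message only mentions bastion02, so either narrow the plays (`hosts: bastion02.phx2.fedoraproject.org`) or confirm bastion-comm01 is meant to receive the same configuration. Style: `gather_facts: False` and `gather_facts: True` should be the canonical lowercase `false` / `true`, and the file lacks a leading `---` document start that the other new files in this commit have.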
diff --git a/roles/openvpn/server/tasks/main.yml b/roles/openvpn/server/tasks/main.yml
index 1fcc9bced4..30de209594 100644
--- a/roles/openvpn/server/tasks/main.yml
+++ b/roles/openvpn/server/tasks/main.yml
@@ -42,30 +42,15 @@
 tags: - install - openvpn - notify: - - restart openvpn (Fedora) - - restart openvpn (RHEL7) - - restart openvpn (RHEL6) - name: Install the ccd files file: file src={{ files }}/ccd/ dest=/etc/openvpn/ccd/ recurse=true - notify: - - "restart openvpn {{ ansible_distribution_version[0] }}" tags: - openvpn - -- name: enable openvpn service for rhel 6 - service: name=openvpn state=running enabled=true - when: ansible_distribution_version[0] == 6 - tags: - - service - - openvpn - - name: enable openvpn service for rhel 7 or Fedora service: name=openvpn@openvpn state=running enabled=true - when: ansible_distribution_version[0] == 7 or is_fedora is defined + when: ( ansible_distribution_version[0] == 7 or is_fedora is defined ) and openvpn_master is defined tags: - service - openvpn -
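Review bot: The new `when` only enables the openvpn service where `openvpn_master is defined`, but nothing in this commit defines `openvpn_master` — neither inventory/group_vars/bastion nor host_vars/bastion02.phx2.fedoraproject.org sets it — so on bastion02 the openvpn/server role installs and configures the daemon and the group_vars open 1194/tcp+udp, yet the service is never enabled or started; add `openvpn_master: true` to the bastion02 host_vars (or the group) if it is meant to be the active server. The retained comparison `ansible_distribution_version[0] == 7` compares a one-character string with an integer and, as far as I can tell, is never true under Jinja2, which leaves the RHEL7 case hanging on `is_fedora`; the new playbook already compares `ansible_distribution_major_version != '7'` as a string, so `ansible_distribution_major_version == '7'` here would be both correct and consistent. With the `notify` entries removed from the config and ccd tasks, a changed config or ccd file no longer restarts a running daemon; if that is deliberate, a one-line comment on the ccd task saying so would spare the next reader the question. The task whose `tags` open this hunk starts above line 42, outside the hunk.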