initial commit

roles/bootstrap/tasks/main.yml

@@ -0,0 +1,66 @@
+---
+- block:
+
+    - name: check if atomic
+      stat:
+        path: /run/ostree-booted
+      register: ostree
+
+    - name: check for cloud.cfg
+      stat:
+        path: /etc/cloud/cloud.cfg
+      register: cloudcfg
+
+    - name: set fact (atomic state)
+      set_fact:
+        is_atomic: "{{ ostree.stat.exists }}"
+
+    - name: set fact (cloud.cfg state)
+      set_fact:
+        is_cloudy: "{{ cloudcfg.stat.exists }}"
+
+    - name: install prereqs
+      package:
+        name: "{{ item }}"
+        state: installed
+      with_items:
+        - libselinux-python
+        - sudo
+      when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "Fedora"] and not is_atomic
+
+    - name: enable fastestmirror (fedora - non-atomic)
+      lineinfile:
+        path: /etc/dnf/dnf.conf
+        regexp: "^fastestmirror="
+        line: "fastestmirror=True"
+      when: ansible_distribution in ["Fedora"] and not is_atomic
+
+    - name: remove update_etc_hosts from cloud.cfg
+      lineinfile:
+        line: ' - update_etc_hosts'
+        path: /etc/cloud/cloud.cfg
+        state: absent
+      when: is_cloudy
+ 
+    - name: add hosts to /etc/hosts
+      lineinfile:
+        path: /etc/hosts
+        state: present
+        line: "{{ hostvars[item].ip }} {{ hostvars[item].ansible_hostname }}"
+        regexp: "^{{ hostvars[item].ip }} "
+      with_items: "{{ groups.all }}"
+
+    - name: remove requiretty
+      lineinfile:
+        regexp: '^\w+\s+requiretty'
+        path: /etc/sudoers
+        state: absent
+
+    - name: install epel
+      package:
+        name: epel-release
+        state: latest
+      when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux"] and not is_atomic
+
+  tags:
+    - bootstrap

roles/create-user/tasks/deb.yml

@@ -0,0 +1,23 @@
+---
+
+- name: creating user {{ username }} in sudo group (Debian/Ubuntu)
+  user:
+    name: "{{ username }}"
+    password: "{{ pwgen | password_hash('sha512') }}"
+    state: present
+    shell: /bin/bash
+    groups: sudo
+    append: yes
+    generate_ssh_key: yes
+    ssh_key_bits: 2048
+    ssh_key_file: .ssh/id_rsa
+    update_password: on_create
+  register: user_created
+
+- name: enable nopasswd sudo (Debian/Ubuntu)
+  lineinfile:
+    dest: /etc/sudoers
+    regexp: '^%sudo'
+    line: "%sudo   ALL=(ALL:ALL) NOPASSWD:ALL"
+    state: present
+    validate: 'visudo -cf %s'

roles/create-user/tasks/el.yml

@@ -0,0 +1,23 @@
+---
+
+- name: creating user {{ username }} in wheel group (RHEL/CentOS/Fedora)
+  user:
+    name: "{{ username }}"
+    password: "{{ pwgen | password_hash('sha512') }}"
+    state: present
+    shell: /bin/bash
+    groups: wheel
+    append: yes
+    generate_ssh_key: yes
+    ssh_key_bits: 2048
+    ssh_key_file: .ssh/id_rsa
+    update_password: on_create
+  register: user_created
+
+- name: enable nopasswd sudo (RHEL/CentOS/Fedora)
+  lineinfile:
+    dest: /etc/sudoers
+    regexp: '^%wheel'
+    line: "%wheel       ALL=(ALL)       NOPASSWD: ALL"
+    state: present
+    validate: 'visudo -cf %s'

roles/create-user/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+
+- include_tasks: deb.yml
+  when: ansible_distribution in ["Debian", "Ubuntu"]
+
+- include_tasks: el.yml
+  when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "Fedora"]
+
+- name: print generated password for {{ username }} on each host
+  debug: var=pwgen
+  when: user_created is changed 
+
+- name: copy current pubkeys to ~{{ username }}/.ssh/authorized_keys
+  authorized_key:
+    user: "{{ username }}"
+    state: present
+    key: "{{ item }}"
+  with_items:
+    - "{{ lookup('file','~/.ssh/id_ed25519.pub') }}"
+    - "{{ lookup('file','~/.ssh/id_rsa.pub') }}"

roles/docker/files/daemon.json

@@ -0,0 +1,3 @@
+{
+    "group": "dockerroot"
+}

roles/docker/tasks/main.yml

@@ -0,0 +1,32 @@
+---
+
+- name: install docker
+  package:
+    name: docker
+    state: latest
+  when: ansible_distribution in ["CentOS", "Fedora", "Red Hat Enterprise Linux"] and not is_atomic
+  register: docker_installed
+
+- name: add {{ username }} to 'dockerroot' group
+  user:
+    name: "{{ username }}"
+    groups: dockerroot
+    append: yes
+  when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux"] and not is_atomic
+
+
+- name: copy daemon.json
+  copy:
+    src: roles/docker/files/daemon.json
+    dest: /etc/docker/daemon.json
+    owner: root
+    group: root
+    mode: 0644
+  when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux"] and not is_atomic
+
+- name: enable/start docker
+  service:
+    name: docker
+    state: started
+    enabled: yes
+  when: ansible_distribution in ["CentOS", "Fedora", "Red Hat Enterprise Linux"] and not is_atomic

roles/glusterfs-client/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+
+- name: install glusterfs 4.1 LTS SIG package (CentOS)
+  package:
+    name: centos-release-gluster41
+    state: latest
+  when: ansible_distribution == 'CentOS'
+
+- name: install heketi-client (CentOS/Fedora)
+  package:
+    name: heketi-client
+    state: latest
+  when: ansible_distribution in ["CentOS", "Fedora"] and not is_atomic

roles/glusterfs-server/tasks/main.yml

@@ -0,0 +1,42 @@
+---
+
+- name: install glusterfs 4.1 LTS SIG package (CentOS)
+  package:
+    name: centos-release-gluster41
+    state: latest
+  when: ansible_distribution == 'CentOS'
+
+- name: install glusterfs-server
+  package:
+    name: glusterfs-server
+    state: present
+  when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "Fedora"] and not is_atomic
+  register: gluster_installed
+ 
+- name: start glusterd
+  service:
+    name: glusterd
+    state: started
+    enabled: yes
+  when: gluster_installed is changed
+
+- name: add hosts to /etc/hosts
+  lineinfile:
+    path: /etc/hosts
+    state: present
+    line: "{{ hostvars[item].ip }} {{ hostvars[item].gluster_hostname }}"
+    regexp: "^{{ hostvars[item].ip }} "
+  with_items: "{{ groups.all }}"
+
+- name: create glusterfs-server container (atomic)
+  docker_container:
+    name: glusterfs-server
+    image: gluster/gluster-centos:gluster4u0_centos7
+    hostname: glusterfs-server
+    network_mode: host
+    privileged: yes
+    restart_policy: always
+    shm_size: 2G
+    devices:
+      - "{{ gluster_dev }}:{{ gluster_dev }}:rwo"
+  when: is_atomic

roles/hardening/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: restart sshd
+  systemd: name=sshd state=restarted

roles/hardening/tasks/main.yml

@@ -0,0 +1,32 @@
+---
+#- name: Disallow root SSH access
+#  lineinfile:
+#    dest: /etc/ssh/sshd_config 
+#    regexp: "^PermitRootLogin"
+#    line: "PermitRootLogin no"
+#    state: present
+#  notify: Restart ssh
+
+
+# untested on debian/ubuntu
+- name: disable services
+  service:
+    name: "{{ item }}"
+    state: stopped
+    enabled: no
+  with_items:
+    - postfix
+    - rpcbind
+    - rsyncd.service
+    - rsyncd.socket
+  ignore_errors: true
+
+- name: disable password auth
+  lineinfile:
+    dest: /etc/ssh/sshd_config 
+    regexp: "^PasswordAuthentication" 
+    line: "PasswordAuthentication no"
+    state: present
+  notify: restart sshd
+
+

roles/install-packages/tasks/deb.yml

@@ -0,0 +1,9 @@
+---
+
+- name: install packages (Debian/Ubuntu)
+  package:
+    name: "{{ item }}"
+    state: latest
+  with_items:
+  - "{{ common_pkgs }}"
+  - dnsutils

roles/install-packages/tasks/el.yml

@@ -0,0 +1,14 @@
+---
+
+- name: install packages (RHEL/CentOS/Fedora)
+  package:
+    name: "{{ item }}"
+    state: latest
+  with_items:
+  - "{{ common_pkgs }}"
+  - iperf3
+  - nmap
+  - lvm2
+  - bind-utils
+  - psmisc # may work on deb/ubuntu also? - provides killall
+  - wget

roles/install-packages/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+
+- include_tasks: deb.yml
+  when: ansible_distribution in ["Debian", "Ubuntu"]
+ 
+- include_tasks: el.yml
+  when: ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "Fedora"] and not is_atomic
+
+# Need an idempotent way to install packages on atomic
+# command module isn't idempotent and the package module insists on installing containers.
+
+#- name: install packages (fedora - atomic)
+#  command: rpm-ostree install '{{ item }}'
+#  with_items:
+#  - htop
+#  - vim
+#  - iperf3
+#  - strace
+#  - nmap
+#  when: ansible_distribution == 'Fedora' and is_atomic

roles/rke/tasks/main.yml

@@ -0,0 +1,6 @@
+---
+
+- name: enable net.bridge.bridge-nf-call-iptables
+  sysctl:
+    name: net.bridge.bridge-nf-call-iptables
+    value: 1

roles/sysctl/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+- name: raise somaxconn
+  sysctl:
+    name: net.core.somaxconn
+    value: 512

roles/tuned/tasks/el.yml

@@ -0,0 +1,15 @@
+---
+
+- name: install packages
+  package:
+    name: "{{ item }}"
+    state: latest
+  with_items:
+  - tuned
+  - tuned-utils
+  
+- name: start service
+  service:
+    name: tuned
+    enabled: yes
+    state: started

roles/tuned/tasks/main.yml

@@ -0,0 +1,7 @@
+---
+
+- include_tasks: deb.yml
+  when: ansible_distribution in ["Debian", "Ubuntu"]
+ 
+- include_tasks: el.yml
+  when: ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "Fedora"] and not is_atomic

roles/update-packages/tasks/main.yml

@@ -0,0 +1,29 @@
+---
+- block:
+
+    - name: update packages (atomic)
+      atomic_host:
+        revision: latest
+      when: ansible_distribution == 'Fedora' and is_atomic
+      register: atomic_host_upgraded
+
+    - name: update packages (non-atomic)
+      package:
+        name: '*'
+        state: latest
+      when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "Fedora", "Debian", "Ubuntu"] and not is_atomic
+      register: host_upgraded
+
+    - name: reboot updated hosts
+      shell: nohup bash -c "sleep 2 && shutdown -r now" &
+      register: host_reset
+      when: (atomic_host_upgraded is changed) or (host_upgraded is changed)
+
+    - name: wait for rebooted host to return
+      wait_for_connection:
+        timeout: 300
+        delay: 20
+      when: host_reset is changed
+
+  tags:
+    - update

roles/zfs/tasks/main.yml

@@ -0,0 +1,44 @@
+---
+
+- name: install zfs-release package (RHEL/CentOS)
+  yum:
+    name: "http://download.zfsonlinux.org/epel/zfs-release.el7_5.noarch.rpm"
+    state: present
+  when: ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux" ]
+
+- name: install zfs-release package (Fedora)
+  dnf:
+    name: "http://download.zfsonlinux.org/fedora/zfs-release.fc29.noarch.rpm"
+    state: present
+  when: ansible_distribution in ["Fedora"] and not is_atomic
+
+- name: install zfs and dkms
+  package:
+    name: "{{ item }}"
+    state: present
+  with_items:
+  - kernel-devel
+  - "@Development tools"
+  - dkms
+  - zfs
+  register: zfs_installed
+  when: not is_atomic
+
+- name: load zfs module
+  modprobe:
+    name: zfs
+    state: present
+
+- name: add zfs to modules-load.d
+  copy:
+    dest: "/etc/modules-load.d/zfs.conf"
+    content: |
+      zfs
+
+#- name: set zfs_arc_max to 75% installed memory ({{ arc_size_bytes }} bytes)
+#  lineinfile:
+#    path: "/etc/modprobe.d/zfs.conf"
+#    regexp: '^options zfs zfs_arc_max='
+#    line: 'options zfs zfs_arc_max="{{ arc_size_bytes }}"'
+#    create: yes
+#    commented out, does not adjust to 75% of each host, leading to disproportionate allocations