diff --git a/install.sh b/install.sh
index a022783d3..b74950a87 100755
--- a/install.sh
+++ b/install.sh
@@ -138,7 +138,7 @@ fi git ca-certificates git-lfs \ openssh-client nfs-common stunnel4 \ python3-venv python3-debian \ - zip unzip gzip tar dnsutils net-tools + acl zip unzip gzip tar dnsutils net-tools /usr/bin/echo "-------------------------------------------------" # Install Ansible in a Python virtual environment.
diff --git a/plays/aws_ec2_standalone/mysql_client.yml b/plays/aws_ec2_standalone/mysql_client.yml
index b39135fbc..002ef98df 100644
--- a/plays/aws_ec2_standalone/mysql_client.yml
+++ b/plays/aws_ec2_standalone/mysql_client.yml
@@ -22,7 +22,7 @@ profile: "{{ _aws_profile }}" db_instance_identifier: "{{ _aws_resource_name }}" become: true - become_user: "{{ user_provision.username }}" + become_user: "{{ _ce_provision_username }}" delegate_to: localhost # needs to run on controller register: _database_info # Install MySQL client
diff --git a/plays/launcher/README.md b/plays/launcher/README.md
new file mode 100644
index 000000000..bc46c32a9
--- /dev/null
+++ b/plays/launcher/README.md
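Review bot: The new `acl` package on the apt line is undocumented, so a reader of install.sh cannot tell why a filesystem-ACL tool belongs in a controller bootstrap. Presumably it is there because this commit makes many delegated tasks run with `become_user` set to the unprivileged `_ce_provision_username`, and Ansible hands module files to an unprivileged become user via setfacl. Add a comment above the package list such as `# acl: provides setfacl, which Ansible needs to hand temp files to an unprivileged become_user on the controller`. The apt-get invocation this list belongs to starts above the hunk.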
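Review bot: With `become_user: "{{ _ce_provision_username }}"` the RDS lookup now runs on the controller as the provision user, so `profile: "{{ _aws_profile }}"` is presumably resolved from that user's AWS config rather than from root's or the invoking user's, and nothing in the play records that requirement. A comment on the `become_user` line, `# runs as the provision user on the controller, so _aws_profile must exist in that user's AWS credentials/config`, would spare the next reader a credentials-not-found debugging session. The task's `- name:` and module lines sit above the hunk.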
@@ -0,0 +1,24 @@
+# Base playbook to configure a new target server
+This playbook configures a new target server, and should just work if you have followed the installation and configuration instructions [in our GitHub wiki](https://github.com/codeenigma/ce-provision/wiki/Installation). It will add the server to `hosts` in your config repository and install Ansible dependencies and the controller user on the target host. Once this is done you can orchestrate its future configuration with ce-provision.
+
+## Prerequisites
+* You have followed the official installation instructions for your controller
+* Your new target server has the controller's SSH public key assigned to a Linux user
+* Your new target server has port 22 open to the controller
+* Your Ansible `hosts` inventory file has `ansible_connection=local` set for your controller at `localhost`
+
+## Usage
+On your controller server:
+
+```shell
+sudo su -l controller
+cd /home/controller/ce-provision && \
+ ./scripts/provision.sh \
+ --workspace /home/controller/ce-provision \
+ --repo none --branch none \
+ --playbook plays/launcher/configure.yml \
+ --ansible-extra-vars "_provision_host=1.2.3.4 _target_username=admin" \
+ --force
+```
+
+Change the value of `1.2.3.4` on the last line to match your IP address or hostname. Change the value of `admin` to whatever the Linux username is installed by default with your SSH public key attached. This may vary, see your provider's documentation for details.
diff --git a/plays/launcher/configure.yml b/plays/launcher/configure.yml
index 4c802bb72..87ab1f688 100644
--- a/plays/launcher/configure.yml
+++ b/plays/launcher/configure.yml
@@ -6,34 +6,44 @@ # ./scripts/provision.sh --workspace /home/controller/ce-provision \ # --repo none --branch none \ # --playbook /home/controller/ce-provision/plays/launcher/configure.yml \ -# --ansible-extra-vars "_provision_host=X.X.X.X" +# --ansible-extra-vars "_provision_host=X.X.X.X _target_username=admin" \ +# --force # # Replace X.X.X.X with your hostname or IP address. +# Replace admin with the username that has your SSH public key, see provider docs for details. - hosts: localhost vars: _ce_provision_username: controller - _add_host: true # set to false if you do not want to add the new server to hosts.yml + _add_host: true # set to false if you do not want to add the new server to hosts file _ce_provision_config_branch: 2.x # change this if you didn't use our example config and have a different main branch name tasks: - name: Add the server to Ansible hosts in memory. ansible.builtin.add_host: hostname: "{{ _provision_host }}" - - name: Add the server to hosts.yml. - when: _add_host + - name: Check if the hosts INI file exists. + ansible.builtin.stat: + path: "/home/{{ _ce_provision_username }}/ce-provision/config/hosts/hosts" + register: _hosts_ini_file + + - name: Add the server to hosts if INI file exists. + when: + - _add_host + - _hosts_ini_file.stat.exists block: - - name: Edit hosts.yml file. + - name: Edit hosts file. ansible.builtin.lineinfile: - path: "/home/{{ _ce_provision_username }}/ce-provision/config/hosts/hosts.yml" - line: "{{ _provision_host }}:" - create: true + path: "/home/{{ _ce_provision_username }}/ce-provision/config/hosts/hosts" + line: "{{ _provision_host }}" + insertafter: "### ce-provision launcher hosts - do not remove" + state: present - - name: Add hosts.yml changes. + - name: Add hosts changes. ansible.builtin.command: git add . args: chdir: "/home/{{ _ce_provision_username }}/ce-provision/config" - - name: Commit hosts.yml changes. + - name: Commit hosts changes. 
ansible.builtin.shell: "git diff --staged --quiet || git commit -m 'Ansible autogenerated - host {{ _provision_host }} added.'" args: chdir: "/home/{{ _ce_provision_username }}/ce-provision/config"
@@ -45,7 +55,7 @@ - hosts: "{{ _provision_host }}" vars: - ansible_user: admin + ansible_user: "{{ _target_username }}" _ce_provision_build_id: 0 become: true tasks:
diff --git a/roles/_exit/tasks/allowed_vars.yml b/roles/_exit/tasks/allowed_vars.yml
index 4746460bc..11f6a6c1f 100644
--- a/roles/_exit/tasks/allowed_vars.yml
+++ b/roles/_exit/tasks/allowed_vars.yml
@@ -22,6 +22,8 @@ ansible.builtin.command: "git status -s" args: chdir: "{{ _ce_provision_build_tmp_dir }}/extra" + become: true + become_user: "{{ _ce_provision_username }}" delegate_to: localhost register: _ce_provision_extra_vars_git_changed
@@ -30,7 +32,7 @@ args: chdir: "{{ _ce_provision_build_tmp_dir }}/extra" become: true - become_user: "{{ ce_provision.username }}" + become_user: "{{ _ce_provision_username }}" delegate_to: localhost when: - ce_provision_extra_vars_computed is defined
@@ -41,7 +43,7 @@ args: chdir: "{{ _ce_provision_build_tmp_dir }}/extra" become: true - become_user: "{{ ce_provision.username }}" + become_user: "{{ _ce_provision_username }}" delegate_to: localhost when: - ce_provision_extra_vars_computed is defined
@@ -52,7 +54,7 @@ args: chdir: "{{ _ce_provision_build_tmp_dir }}/extra" become: true - become_user: "{{ ce_provision.username }}" + become_user: "{{ _ce_provision_username }}" delegate_to: localhost when: - ce_provision_extra_vars_computed is defined
diff --git a/roles/_init/tasks/allowed_vars.yml b/roles/_init/tasks/allowed_vars.yml
index ecf99b7c7..d550c1d5d 100644
--- a/roles/_init/tasks/allowed_vars.yml
+++ b/roles/_init/tasks/allowed_vars.yml
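Review bot: The new `insertafter: "### ce-provision launcher hosts - do not remove"` on the `Edit hosts file.` task has no handling for a missing marker: when that comment is absent from the INI inventory, lineinfile appends the line at end of file, so the host silently lands in whatever group happens to be last and the following tasks commit it that way. The preceding stat only proves the file exists, not that the marker is present; check for the marker and gate the block on it, as below. Separately, `_provision_host` arrives unvalidated from `--ansible-extra-vars` and is interpolated inside the single-quoted `git commit -m` string of the hunk's last task, so a value containing a quote breaks the shell command; build the message through the `quote` filter instead: `git commit -m {{ ('Ansible autogenerated - host ' ~ _provision_host ~ ' added.') | quote }}`. The play's tasks list starts above the hunk and continues past it.
```yaml
    - name: Check the hosts INI file contains the launcher marker.
      ansible.builtin.command:
        cmd: grep -qF '### ce-provision launcher hosts - do not remove' "/home/{{ _ce_provision_username }}/ce-provision/config/hosts/hosts"
      register: _hosts_ini_marker
      changed_when: false
      failed_when: _hosts_ini_marker.rc > 1
      when: _hosts_ini_file.stat.exists

    - name: Add the server to hosts if INI file exists.
      when:
        - _add_host
        - _hosts_ini_file.stat.exists
        - _hosts_ini_marker.rc | default(1) == 0
      block:
        # … unchanged: Edit hosts file / Add hosts changes / Commit hosts changes tasks …
```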
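Review bot: `ansible_user: "{{ _target_username }}"` drops the previous `admin` default without a fallback, so every existing invocation that omits `_target_username` now fails with an undefined-variable error instead of connecting as before. Keeping the old value as the default still allows the override: `ansible_user: "{{ _target_username | default('admin') }}"`. The second play's `tasks:` continue past the hunk.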
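Review bot: The `git status -s` task gains `become`/`become_user` but still has no `changed_when: false`, so this read-only query is reported as a change on every run; add `changed_when: false` beside `register: _ce_provision_extra_vars_git_changed`. The task's `- name:` line is above the hunk, so confirm it is not set there. The other three hunks in this file (@@ -30, @@ -41, @@ -52) only rename `ce_provision.username` to `_ce_provision_username` and now match this task's become settings.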
@@ -5,14 +5,14 @@ version: "{{ _init.ce_provision_extra_repository_branch }}" delegate_to: localhost become: true - become_user: "{{ ce_provision.username }}" + become_user: "{{ _ce_provision_username }}" - name: Check if file exists. ansible.builtin.stat: path: "{{ _ce_provision_build_tmp_dir }}/extra/{{ _init.ce_provision_extra_repository_vars_file }}" delegate_to: localhost become: true - become_user: "{{ ce_provision.username }}" + become_user: "{{ _ce_provision_username }}" register: _extra_repository_vars_file - name: Include custom variables.
@@ -21,7 +21,7 @@ name: _ce_provision_extra_vars delegate_to: localhost become: true - become_user: "{{ ce_provision.username }}" + become_user: "{{ _ce_provision_username }}" when: - _extra_repository_vars_file.stat.exists
diff --git a/roles/debian/aws_efs_client/tasks/fstab.yml b/roles/debian/aws_efs_client/tasks/fstab.yml
index 0b7aac6bb..b1e498849 100644
--- a/roles/debian/aws_efs_client/tasks/fstab.yml
+++ b/roles/debian/aws_efs_client/tasks/fstab.yml
@@ -5,8 +5,8 @@ region: "{{ aws_efs_client.region }}" name: "{{ mount.src }}" become: true - become_user: "{{ user_provision.username }}" - delegate_to: "localhost" + become_user: "{{ _ce_provision_username }}" + delegate_to: localhost register: aws_efs_client_efs_volume - name: Make sure mount point exists.
diff --git a/roles/debian/gitlab/tasks/main.yml b/roles/debian/gitlab/tasks/main.yml
index 766ec8097..17975ed07 100644
--- a/roles/debian/gitlab/tasks/main.yml
+++ b/roles/debian/gitlab/tasks/main.yml
@@ -1,33 +1,32 @@ --- -- name: Add a DNS record for GitLab - amazon.aws.route53: - state: "{{ gitlab.gitlab_route_53.state }}" - profile: "{{ gitlab.gitlab_route_53.aws_profile }}" - zone: "{{ gitlab.gitlab_route_53.zone }}" - record: "{{ gitlab.server_name }}" - type: "{{ gitlab.gitlab_route_53.type }}" - value: "{{ gitlab.gitlab_route_53.value }}" - overwrite: true - delegate_to: localhost - become: false +- name: Add DNS records. when: - gitlab.gitlab_route_53.zone is defined - gitlab.gitlab_route_53.zone | length > 0 - -- name: Add a DNS record for Mattermost - amazon.aws.route53: - state: "{{ gitlab.mattermost_route_53.state }}" - profile: "{{ gitlab.mattermost_route_53.aws_profile }}" - zone: "{{ gitlab.mattermost_route_53.zone }}" - record: "{{ gitlab.mattermost_url }}" - type: CNAME - value: "{{ gitlab.server_name }}" - overwrite: true - delegate_to: localhost - become: false - when: - - gitlab.mattermost_route_53.zone is defined - - gitlab.mattermost_route_53.zone | length > 0 + block: + - name: Add a DNS record for GitLab. + amazon.aws.route53: + state: "{{ gitlab.gitlab_route_53.state }}" + profile: "{{ gitlab.gitlab_route_53.aws_profile }}" + zone: "{{ gitlab.gitlab_route_53.zone }}" + record: "{{ gitlab.server_name }}" + type: "{{ gitlab.gitlab_route_53.type }}" + value: "{{ gitlab.gitlab_route_53.value }}" + overwrite: true + delegate_to: localhost + become: false + + - name: Add a DNS record for Mattermost. + amazon.aws.route53: + state: "{{ gitlab.mattermost_route_53.state }}" + profile: "{{ gitlab.mattermost_route_53.aws_profile }}" + zone: "{{ gitlab.mattermost_route_53.zone }}" + record: "{{ gitlab.mattermost_url }}" + type: CNAME + value: "{{ gitlab.server_name }}" + overwrite: true + delegate_to: localhost + become: false - name: Add GitLab repository and key. ansible.builtin.include_role: 
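Review bot: Folding the Mattermost record into the new block changes its guard: `Add a DNS record for Mattermost.` is now gated only on `gitlab.gitlab_route_53.zone`, whereas the removed task also required `gitlab.mattermost_route_53.zone` to be defined and non-empty. A config that sets the GitLab zone but no Mattermost zone would now fail on the undefined `gitlab.mattermost_route_53.state` or attempt a record in an empty zone. Restore the per-task condition on the Mattermost task: `when:` / `- gitlab.mattermost_route_53.zone is defined` / `- gitlab.mattermost_route_53.zone | length > 0`.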
@@ -50,19 +49,18 @@ enabled: true key_refresh_timer_OnCalendar: "Mon *-*-* 00:20:00" -- name: Add GitLab repository to unattended-upgrades origins list. - ansible.builtin.set_fact: - _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [gitlab.apt_origin] }}" - when: - - apt_unattended_upgrades.enable is defined - - apt_unattended_upgrades.enable - -- name: Install the unattended-upgrades config. - ansible.builtin.include_role: - name: debian/apt_unattended_upgrades +- name: Set up unattended-upgrades. when: - apt_unattended_upgrades.enable is defined - apt_unattended_upgrades.enable + block: + - name: Add GitLab repository to unattended-upgrades origins list. + ansible.builtin.set_fact: + _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [gitlab.apt_origin] }}" + + - name: Install the unattended-upgrades config. + ansible.builtin.include_role: + name: debian/apt_unattended_upgrades - name: Ensure Gitlab is installed. ansible.builtin.apt:
diff --git a/roles/debian/gitlab_runner/tasks/main.yml b/roles/debian/gitlab_runner/tasks/main.yml
index e42627c74..424539ad8 100644
--- a/roles/debian/gitlab_runner/tasks/main.yml
+++ b/roles/debian/gitlab_runner/tasks/main.yml
@@ -20,19 +20,18 @@ enabled: true key_refresh_timer_OnCalendar: "Mon *-*-* 00:30:00" -- name: Add GitLab Runner repository to unattended-upgrades origins list. - ansible.builtin.set_fact: - _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [gitlab_runner.apt_origin] }}" +- name: Set up unattended-upgrades. when: - apt_unattended_upgrades.enable is defined - apt_unattended_upgrades.enable + block: + - name: Add GitLab Runner repository to unattended-upgrades origins list. + ansible.builtin.set_fact: + _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [gitlab_runner.apt_origin] }}" - - name: Install the unattended-upgrades config. - ansible.builtin.include_role: - name: debian/apt_unattended_upgrades - when: - - apt_unattended_upgrades.enable is defined - - apt_unattended_upgrades.enable + - name: Install the unattended-upgrades config. + ansible.builtin.include_role: + name: debian/apt_unattended_upgrades - name: Ensure Gitlab Runner is installed. ansible.builtin.apt:
diff --git a/roles/debian/gpg_key/tasks/gpg.yml b/roles/debian/gpg_key/tasks/gpg.yml
index f779e870d..4d28c0314 100644
--- a/roles/debian/gpg_key/tasks/gpg.yml
+++ b/roles/debian/gpg_key/tasks/gpg.yml
@@ -38,7 +38,7 @@ - gpg_user.publish - not user_ansible_gpg_key_exists.stdout -- name: Publish GPG key to openpgp.org. +- name: Publish GPG key to key servers. ansible.builtin.command: cmd: "gpg --keyserver {{ server }} --send-keys {{ user_ansible_gpg_key.stdout_lines[1] }}" become: true
diff --git a/roles/debian/ldap_server/tasks/main.yml b/roles/debian/ldap_server/tasks/main.yml
index 0ad8fcde6..11cccb3c1 100644
--- a/roles/debian/ldap_server/tasks/main.yml
+++ b/roles/debian/ldap_server/tasks/main.yml
@@ -67,6 +67,8 @@ ansible.builtin.stat: path: "{{ ldap_server.config.path }}" register: _ldap_server_ldifs + become_user: "{{ _ce_provision_username }}" + become: true delegate_to: localhost - name: Copy LDAP schemas from config repo.
diff --git a/roles/debian/wazuh/tasks/main.yml b/roles/debian/wazuh/tasks/main.yml
index 0d950c9cb..340cb30f0 100644
--- a/roles/debian/wazuh/tasks/main.yml
+++ b/roles/debian/wazuh/tasks/main.yml
@@ -10,6 +10,8 @@ - name: Generate certificates. ansible.builtin.import_role: name: "contrib/{{ wazuh.path }}/roles/wazuh/wazuh-indexer" + become_user: "{{ _ce_provision_username }}" + become: true delegate_to: localhost vars: indexer_node_master: "{{ wazuh.indexer.indexer_node_master }}"
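Review bot: The new `become_user:` / `become:` pair on the `stat` task is written in the opposite order to every other task this commit touches (`become: true` first, then `become_user:`), and the same inverted order appears in the wazuh hunk (@@ -10,6 +10,8 @@). Ordering them the same way file-wide keeps the pairing greppable: `become: true` / `become_user: "{{ _ce_provision_username }}"`. The stat task's `- name:` line is above the hunk.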
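Review bot: Putting `become: true` with `become_user: "{{ _ce_provision_username }}"` on the `Generate certificates.` `import_role` applies to every task the imported wazuh-indexer role runs on the controller, so the generated certificate files will presumably now be owned by that user, and any step in the contrib role that needs root on localhost would fail; nothing here records that this was checked. A short comment on the task, `# imported role runs on the controller as the provision user; its generated files must stay readable by the later copy tasks`, would make the intent explicit for the next reader. The task's `vars:` continue past the hunk.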