diff --git a/.github/workflows/ce-provision-build-docs.yml b/.github/workflows/ce-provision-build-docs.yml index bbd1c649f..f9c050cf5 100644 --- a/.github/workflows/ce-provision-build-docs.yml +++ b/.github/workflows/ce-provision-build-docs.yml @@ -33,6 +33,7 @@ jobs: git checkout documentation contribute/toc.sh git add docs + git add roles git diff --quiet && git diff --staged --quiet || git commit -am 'GitHub Actions - Rebuilt documentation.' && git push origin documentation shell: bash diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index eabeca1c3..8afab2dcf 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md @@ -3,16 +3,12 @@ - [Install](/install) - [Usage](/scripts) - [Roles](roles) - - [Init role](/roles/_init) - - ["Meta" roles that group individual roles together.](/roles/_meta) - - [AWS account](/roles/_meta/aws_account) - - [AWS client](/roles/_meta/aws_client_instance) - - [AWS region](/roles/_meta/aws_region) - - [\_overrides.](/roles/_overrides) - [Ansible](/roles/ansible) - [Extra packages](/roles/apt_extra_packages) + - [AWS Cloudwatch agent](/roles/aws_cloudwatch_agent) - [AWS Infrastructure](/roles/aws) - - [AMI Debian Buster](/roles/aws/ami_debian_buster) + - [AWS Certificate Manager](/roles/aws/aws_acm) + - [AWS AMI](/roles/aws/aws_ami) - [AWS Backup](/roles/aws/aws_backup) - [AWS CLI](/roles/aws/aws_cli) - [AWS CloudFront distribution](/roles/aws/aws_cloudfront_distribution) @@ -20,9 +16,9 @@ - [Amazon credentials](/roles/aws/aws_credentials) - [Autoscale cluster](/roles/aws/aws_ec2_autoscale_cluster) - [EC2 CloudWatch Metric Alarm](/roles/aws/aws_ec2_metric_alarm) - - [AMI Debian Buster](/roles/aws/aws_ec2_with_eip) - - [AWS EFS](/roles/aws/aws_efs) + - [EC2 instance with EIP](/roles/aws/aws_ec2_with_eip) - [EFS client](/roles/aws/aws_efs_client) + - [AWS EFS](/roles/aws/aws_efs) - [AWS IAM EC2](/roles/aws/aws_iam_role) - [AWS IAM SAML](/roles/aws/aws_iam_saml) - [AWS key pair.](/roles/aws/aws_provision_ec2_keypair) 
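Review bot: The new `git add roles` in the `ce-provision-build-docs` run step stages every untracked path under `roles/`, so anything `contribute/toc.sh` (or a prior step) happens to drop there — scratch files, vendored role checkouts, stray credentials files — is committed and pushed to the `documentation` branch by the workflow's token; since `git commit -am` already picks up modified tracked files, the explicit add only matters for new files, and it should be limited to the generated READMEs, e.g. `git add -- ':(glob)roles/**/README.md'`. The `&&`/`||` chain parses left to right as `((diff && diff-staged) || commit) && push`, so `git push` also runs on the no-change path; it is harmless then but worth making explicit with `if ! git diff --quiet || ! git diff --staged --quiet; then git commit -am '...' && git push origin documentation; fi`. The step's earlier lines and the workflow's `permissions:`/trigger are outside this hunk, so I cannot confirm the token scope the push runs under.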
@@ -32,32 +28,37 @@ - [VPC](/roles/aws/aws_vpc) - [Update main route for a given VPC](/roles/aws/aws_vpc_route) - [VPC](/roles/aws/aws_vpc_subnet) - - [AWS Cloudwatch agent](/roles/aws_cloudwatch_agent) - [AWS SSM agent](/roles/aws_ssm_agent) - [ce-deploy](/roles/ce_deploy) - [Extra packages](/roles/ce_dev) + - [Automated patching](/roles/ce_patcher) - [ce-provision](/roles/ce_provision) - - [ClamAV Clamscan](/roles/clamav_clamscan) - - [ClamAV Daemon](/roles/clamav_daemon) - - [UFW Firewall](/roles/firewall) - [Firewall Config](/roles/firewall_config) - [Frontail](/roles/frontail) + - [Ansible Role: Apache Solr](/roles/geerlingguy.solr) - [Gitlab](/roles/gitlab) - [Gitlab Runner](/roles/gitlab_runner) - [GPG Key](/roles/gpg_key) - [HA Proxy](/roles/haproxy) - [Managed /etc/hosts](/roles/hosts) + - [Init role](/roles/_init) - [Jenkins](/roles/jenkins) - [Jitsi](/roles/jitsi) - [LDAP Server](/roles/ldap_server) - [LHCI](/roles/lhci) + - ["Meta" roles that group individual roles together.](/roles/_meta) + - [AWS account](/roles/_meta/aws_account) + - [AWS client](/roles/_meta/aws_client_instance) + - [AWS region](/roles/_meta/aws_region) - [Mount sync](/roles/mount_sync) - [MariaDB Client](/roles/mysql_client) - [NGINX](/roles/nginx) - [NodeJS](/roles/nodejs) - [opcache](/roles/opcache) - - [[openvpn](#openvpn)](/roles/openvpn) + - [OpenVPN Config](/roles/openvpn_config) - [OSSEC](/roles/ossec) + - [\_overrides.](/roles/_overrides) + - [PHP Composer](/roles/php_composer) - [PHP XDebug](/roles/php_xdebug) - [Postfix](/roles/postfix) - [Process Manager](/roles/process_manager) diff --git a/docs/roles.md b/docs/roles.md index ff25712aa..7d27820f6 100644 --- a/docs/roles.md +++ b/docs/roles.md 
@@ -2,3 +2,9 @@ Ansible roles and group of roles that constitute the deploy stack. + +# Required variables +You must pass the following variables into an Ansible play before running it with ce-provision: + +* `_aws_profile` - the Boto3 profile to use +* `_aws_region` - the AWS region to act in diff --git a/docs/roles/_init.md b/docs/roles/_init.md index 32bccf15a..7b965bf81 100644 --- a/docs/roles/_init.md +++ b/docs/roles/_init.md @@ -13,10 +13,12 @@ _init: # A list of var directories to include. We only support .yml extensions. # This is used to detect if the playbook must re-run or not. vars_dirs: [] + force_play: false -# ce_provision vars are sometimes needed even when the role isn't used so we define them here +# ce_provision vars are sometimes needed even when the role isn't used so we define them here. +# If you are using ce_provision and *not* using _init you can copy these vars to your playbook. _ce_provision: - username: "{% if is_local is defined and is_local %}ce-dev{% else %}controller{% endif %}" + username: "{% if is_local is defined and is_local %}ce-dev{% else %}controller{% endif %}" ce_provision: username: "{{ _ce_provision.username }}" diff --git a/docs/roles/aws/aws_acm.md b/docs/roles/aws/aws_acm.md new file mode 100644 index 000000000..2e20aa219 --- /dev/null +++ b/docs/roles/aws/aws_acm.md 
@@ -0,0 +1,32 @@ +# AWS Certificate Manager + +Fork from https://github.com/FairwindsOps/ansible-acm + +Creates AWS certificate requests. Allows for passing a validation domain. From the AWS [documentation](http://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate.html): + +> To ensure that email is sent to the administrative addresses for an apex domain, such as example.com, rather than to the administrative addresses for a subdomain, such as test.example.com, specify the ValidationDomain option in the RequestCertificate API or the request-certificate AWS CLI command. This feature is not currently supported in the console. + +Additionally, this role attempts to be idempotent by running `aws acm list-certificates` and ensuring that the domain of the cert being requested is not included in the current list of certificates. + + + + + +## Default variables +```yaml +--- +aws_acm: + region: "{{ _aws_region }}" + aws_profile: "{{ _aws_profile }}" + tags: "{{ _aws_tags }}" + domain_name: subdomain.example.com + validate: true # you need to set this to false if the validation zone is not in Route 53 or you do not have CLI access + export: true + route_53: + aws_profile: "{{ _aws_profile }}" # the zone might not be in the same account as the certificate + state: present + zone: example.com + +``` + + diff --git a/docs/roles/aws/ami_debian_buster.md b/docs/roles/aws/aws_ami.md similarity index 74% rename from docs/roles/aws/ami_debian_buster.md rename to docs/roles/aws/aws_ami.md index bdf9f753d..3f002801d 100644 --- a/docs/roles/aws/ami_debian_buster.md +++ b/docs/roles/aws/aws_ami.md @@ -1,5 +1,5 @@ -# AMI Debian Buster -Creates an image from Debian Buster base with Packer, provisioned with an Ansible Playbook. +# AWS AMI +Creates an image from a selected base with Packer, provisioned with an Ansible Playbook. ## Dependencies This requires boto and Packer on the "provisioning" server. 
@@ -10,11 +10,15 @@ This requires boto and Packer on the "provisioning" server. ## Default variables ```yaml --- -ami_debian_buster: +aws_ami: aws_profile: "{{ _aws_profile }}" - region: us-east-2 + region: "{{ _aws_region }}" instance_type: t2.micro + virtualization_type: hvm + root_device_type: ebs + name_filter: "debian-10-amd64-*" ami_name: "example" + owner: "136693071363" # Global AWS account ID of owner, defaults to Debian official encrypt_boot: false playbook_file: "{{ playbook_dir }}/base-playbook.yml" # Path to a playbook used to provision the image. # Operation can be one of: diff --git a/docs/roles/aws/aws_backup.md b/docs/roles/aws/aws_backup.md index 48cb43a65..562c755c9 100644 --- a/docs/roles/aws/aws_backup.md +++ b/docs/roles/aws/aws_backup.md @@ -17,7 +17,7 @@ aws_backup: # copy_vault: # name: "Default" # encryption_key: "Default" # An Amazon Resource Name (ARN) that identifies the encryption key to use in the copy region. If 'default', the default AWS encryption key will be used. If NOT 'default', the key must already exist so the ARN can be passed in. - # region: "eu-central-1" + # region: "{{ _aws_region }}" plans: [] # A list of backup plans. See below for usage example. # plans: # - name: "ExampleDev" 
@@ -49,7 +49,7 @@ aws_backup: # delete_after_days: 0 # Specifies the number of days after creation that a recovery point is deleted. # continuous_backup: false # Specifies whether Backup creates continuous backups. backup: - iam_role_arn: "Default" # Set to the ARN of an existing IAM role or leave as 'Default' to use the AWSBackupDefaultServiceRole role. + iam_role_arn: "Default" # Set to the ARN of an existing IAM role or leave as 'Default' to create a role with the name '_infra_name-backup'. backup_plan_name: "" # Name of the backup plan to use. Must match one in the plans list. selection_name: "" # Name of the resource assignation; this is set in the roles which create the resources such as aws/aws_ec2_with_eip and aws/aws_efs. resource_id: "" # The unique ID of the resource. For EC2, this is the instance ID. For EFS, the filesystem ID. For RDS, the DB identifier. @@ -69,6 +69,7 @@ aws_backup: subscriptions: - endpoint: "admin@example.com" protocol: "email" + ``` diff --git a/docs/roles/aws/aws_cloudwatch_log_group.md b/docs/roles/aws/aws_cloudwatch_log_group.md index d75070ba0..d390942eb 100644 --- a/docs/roles/aws/aws_cloudwatch_log_group.md +++ b/docs/roles/aws/aws_cloudwatch_log_group.md @@ -11,7 +11,7 @@ Manage log groups states and retention policies. --- aws_cloudwatch_log_group: aws_profile: "{{ _aws_profile }}" - region: "eu-west-3" + region: "{{ _aws_region }}" tags: {} state: present # Number of days to keep logs, in days. diff --git a/docs/roles/aws/aws_ec2_autoscale_cluster.md b/docs/roles/aws/aws_ec2_autoscale_cluster.md index 70ef33636..55e302552 100644 --- a/docs/roles/aws/aws_ec2_autoscale_cluster.md +++ b/docs/roles/aws/aws_ec2_autoscale_cluster.md @@ -8,7 +8,7 @@ ```yaml aws_ec2_autoscale_cluster: aws_profile: "{{ _aws_profile }}" - region: eu-west-3 + region: "{{ _aws_region }}" name: "example" vpc_id: vpc-XXXX # One of vpc_id or vpc_name is mandatory. # vpc_name: example-vpc 
@@ -95,12 +95,14 @@ aws_ec2_autoscale_cluster: # Hosts to peer with. This will gather vpc info from the Name tag and create a peering connection and route tables. peering: - name: utility-server.example.com - region: eu-west-3 + region: "{{ _aws_region }}" # Associated RDS instance. rds: rds: false # wether to create an instance. db_instance_class: db.m5.large + #db_cluster_identifier: example-aurora-cluster engine: mariadb + aurora_reader: false #engine_version: 5.7.9 allocated_storage: 100 # Initial size in GB. Minimum is 100. max_allocated_storage: 1000 # Max size in GB for autoscaling. diff --git a/docs/roles/aws/aws_ec2_with_eip.md b/docs/roles/aws/aws_ec2_with_eip.md index 366b836bf..e9e4d614c 100644 --- a/docs/roles/aws/aws_ec2_with_eip.md +++ b/docs/roles/aws/aws_ec2_with_eip.md @@ -1,6 +1,6 @@ -# AMI Debian Buster +# EC2 instance with EIP -Creates an image from Debian Buster base with Packer, provisioned with an Ansible Playbook. +Creates a new EC2 instance at AWS with a static IP address. 
@@ -11,15 +11,18 @@ Creates an image from Debian Buster base with Packer, provisioned with an Ansibl --- aws_ec2_with_eip: aws_profile: "{{ _aws_profile }}" - region: eu-west-3 + region: "{{ _aws_region }}" instance_type: t2.micro key_name: "{{ ce_provision.username }}@{{ ansible_hostname }}" # This needs to match your "provision" user SSH key. ami_name: "{{ _domain_name }}" # The name of an AMI image to use. Image must exists in the same region. ami_owner: self # Default to self-created image. - vpc_subnet_id: subnet-xxx + # vpc_subnet_id: subnet-xxx # One of vpc_subnet_id or vpc_name + vpc_subnet_profile is mandatory. + vpc_name: "{{ _infra_name }}" + vpc_subnet_profile: core # if you are looking up subnets we need a Profile tag to search against # An IAM Role name to associate with the instance. iam_role_name: "example" - state: present + state: started + termination_protection: false # set to true to disable termination and avoid accidents instance_name: "{{ _domain_name }}" root_volume_size: 80 ebs_optimized: true @@ -29,6 +32,7 @@ aws_ec2_with_eip: # Add an A record tied to the EIP. # Set the zone to empty to skip. route_53: + state: present zone: "example.com" record: "{{ _domain_name }}" aws_profile: another # Not necessarily the same as the "target" one. diff --git a/docs/roles/aws/aws_efs.md b/docs/roles/aws/aws_efs.md index 9e0cf8667..8be3cece3 100644 --- a/docs/roles/aws/aws_efs.md +++ b/docs/roles/aws/aws_efs.md @@ -10,7 +10,7 @@ Creates or update an EFS volume. ```yaml aws_efs: aws_profile: "{{ _aws_profile }}" - region: eu-west-3 + region: "{{ _aws_region }}" name: example # If false, we omit tags enterly and leave them as is. purge_tags: false diff --git a/docs/roles/aws/aws_efs_client.md b/docs/roles/aws/aws_efs_client.md index 684bd4f52..3e09a5958 100644 --- a/docs/roles/aws/aws_efs_client.md +++ b/docs/roles/aws/aws_efs_client.md 
@@ -10,7 +10,7 @@ It uses the "Name" tag for a given volume to retrieve the volume path. --- aws_efs_client: aws_profile: "{{ _aws_profile }}" - region: eu-west-3 + region: "{{ _aws_region }}" version: 1.26.2 # Version of AWS EFS utils to use. # See https://docs.ansible.com/ansible/latest/modules/mount_module.html mounts: diff --git a/docs/roles/aws/aws_iam_role.md b/docs/roles/aws/aws_iam_role.md index 6ba01eb13..768a845d2 100644 --- a/docs/roles/aws/aws_iam_role.md +++ b/docs/roles/aws/aws_iam_role.md @@ -14,7 +14,7 @@ aws_iam_role: # Pass either names or ARNs for the role. managed_policies: [] # Which document policy to apply. - # Current options are 'ec2' or 'ecs' + # Current options are 'ec2', 'ecs' or 'backup' policy_document: ec2 purge_policies: true # set to false if you want to add policies to an existing role tags: diff --git a/docs/roles/aws/aws_iam_saml.md b/docs/roles/aws/aws_iam_saml.md index 15212d8de..de01d6004 100644 --- a/docs/roles/aws/aws_iam_saml.md +++ b/docs/roles/aws/aws_iam_saml.md @@ -69,7 +69,7 @@ This requires boto and AWS-CLI on the provisioning server. ```yaml aws_iam_saml: aws_profile: "{{ _aws_profile }}" # Boto profile to use for AWS connections - region: "eu-west-2" # AWS region to use + region: "{{ _aws_region }}" # AWS region to use tags: {} # Dict of AWS tags to apply #Tagname: "TagValue" aws_account_alias: "" # IAM account alias - human readable name to order SSO page diff --git a/docs/roles/aws/aws_provision_ec2_keypair.md b/docs/roles/aws/aws_provision_ec2_keypair.md index 42e045ddb..5267a111c 100644 --- a/docs/roles/aws/aws_provision_ec2_keypair.md +++ b/docs/roles/aws/aws_provision_ec2_keypair.md @@ -9,7 +9,7 @@ Creates a key pair for the current "provision user" --- aws_provision_ec2_keypair: aws_profile: "{{ _aws_profile }}" - region: eu-west-3 + region: "{{ _aws_region }}" key_name: "{{ ce_provision.username }}@{{ ansible_hostname }}" ``` 
diff --git a/docs/roles/aws/aws_rds.md b/docs/roles/aws/aws_rds.md index a1ad86e2d..88e4f5e7a 100644 --- a/docs/roles/aws/aws_rds.md +++ b/docs/roles/aws/aws_rds.md @@ -1,5 +1,14 @@ # AWS RDS Creates an RDS instance and associated ressources. + +If the `engine` variable is set to **aurora-mysql**, you'll need to manually create the Aurora cluster first. Typically, a controller will already exist, so something like this can be run from the controller: + +``` +AWS_PROFILE=example aws rds create-db-cluster --db-cluster-identifier example-aurora-cluster --engine aurora-mysql --engine-version 5.7.mysql_aurora.2.10.2 --db-subnet-group-name example-aurora --vpc-security-group-ids sg-abcdefghijklmnop --storage-encrypted --master-username "auroradev" --master-user-password "aurora12345" +``` + +You'll need to have created the subnet group first as well as the security groups. + @@ -8,7 +17,7 @@ Creates an RDS instance and associated ressources. ```yaml aws_rds: aws_profile: "{{ _aws_profile }}" - region: eu-west-3 + region: "{{ _aws_region }}" multi_az: true subnets: - subnet-aaaaaaaa @@ -19,7 +28,13 @@ aws_rds: state: present description: example engine: mariadb + aurora_reader: false # If true, an Aurora reader instance will be created. # engine_version: '5.7.2' # Omit to use latest. + # See parameter group docs: https://docs.ansible.com/ansible/latest/collections/community/aws/rds_param_group_module.html + # db_parameter_group_name: "example" # Omit to use default + # db_parameter_group_description: "Custom parameter group" # Description of parameter group + # db_parameter_group_engine: "mariadb10.5" # accepts different values to RDS instance 'engine' + # db_parameters: {} # dictionary of available parameters allocated_storage: 100 # Initial size in GB. Minimum is 100. max_allocated_storage: 1000 # Max size in GB for autoscaling. storage_encrypted: false # Whether to encrypt the RDS instance or not. 
diff --git a/docs/roles/aws/aws_s3_bucket.md b/docs/roles/aws/aws_s3_bucket.md index f34b71671..e34828770 100644 --- a/docs/roles/aws/aws_s3_bucket.md +++ b/docs/roles/aws/aws_s3_bucket.md @@ -10,7 +10,7 @@ Creates an S3 bucket and a matching policy. ```yaml aws_s3_bucket: aws_profile: "{{ _aws_profile }}" - region: eu-west-3 + region: "{{ _aws_region }}" name: "example" tags: Name: "example" diff --git a/docs/roles/aws/aws_sns.md b/docs/roles/aws/aws_sns.md index e04826061..b3b65ec63 100644 --- a/docs/roles/aws/aws_sns.md +++ b/docs/roles/aws/aws_sns.md @@ -9,7 +9,7 @@ Creates an SNS topic and subscription. --- aws_sns: name: "alarms" # Name of the topic. - region: "eu-west-2" # The region to create the SNS topic. + region: "{{ _aws_region }}" # The region to create the SNS topic. display_name: "" # Display name for the topic, for when the topic is owned by this AWS account. purge_subscriptions: true # Purge subscriptions not specified in the subscriptions list. policy: "" # A dictionary containing the policy to use when creating the topic diff --git a/docs/roles/aws/aws_vpc.md b/docs/roles/aws/aws_vpc.md index da6687d57..979232cc6 100644 --- a/docs/roles/aws/aws_vpc.md +++ b/docs/roles/aws/aws_vpc.md @@ -8,7 +8,7 @@ Creates a VPC and associated subnets. ```yaml aws_vpc: aws_profile: "{{ _aws_profile }}" - region: eu-west-3 + region: "{{ _aws_region }}" name: example-vpc-2 cidr_block: "10.0.0.0/16" tags: {} diff --git a/docs/roles/aws/aws_vpc_route.md b/docs/roles/aws/aws_vpc_route.md index 621a4329e..2bf20b0d2 100644 --- a/docs/roles/aws/aws_vpc_route.md +++ b/docs/roles/aws/aws_vpc_route.md @@ -9,7 +9,7 @@ This will add/update routes on the "main" route table for a given VPC, leaving e # @todo Support associating route with several subnets. aws_vpc_route: aws_profile: "{{ _aws_profile }}" - region: eu-west-3 + region: "{{ _aws_region }}" # Beware when calling this on "peering" routes, not to override tags with the target peer's one. # tags: # Name: "example" 
diff --git a/docs/roles/aws/aws_vpc_subnet.md b/docs/roles/aws/aws_vpc_subnet.md index 588531c0b..a576977f7 100644 --- a/docs/roles/aws/aws_vpc_subnet.md +++ b/docs/roles/aws/aws_vpc_subnet.md @@ -10,7 +10,7 @@ aws_vpc_subnet: vpc_id: vpc-XXXX # One of vpc_id or vpc_name is mandatory. # vpc_name: example-vpc aws_profile: "{{ _aws_profile }}" - region: eu-west-3 + region: "{{ _aws_region }}" subnets: - cidr_block: "10.0.0.0/24" az: b diff --git a/docs/roles/aws_cloudwatch_agent.md b/docs/roles/aws_cloudwatch_agent.md index 55fa36c6f..133e15f9f 100644 --- a/docs/roles/aws_cloudwatch_agent.md +++ b/docs/roles/aws_cloudwatch_agent.md @@ -26,7 +26,7 @@ aws_cloudwatch_agent: credentials: aws_access_key_id: XXX aws_secret_access_key: XXX - region: "eu-west-3" + region: "{{ _aws_region }}" ``` diff --git a/docs/roles/aws_ssm_agent.md b/docs/roles/aws_ssm_agent.md index 3779a2504..18117d2cf 100644 --- a/docs/roles/aws_ssm_agent.md +++ b/docs/roles/aws_ssm_agent.md @@ -10,7 +10,7 @@ Install and configure the SSM agent. ```yaml --- aws_ssm_agent: - region: "eu-west-2" + region: "{{ _aws_region }}" ``` diff --git a/docs/roles/ce_patcher.md b/docs/roles/ce_patcher.md new file mode 100644 index 000000000..7699d8d82 --- /dev/null +++ b/docs/roles/ce_patcher.md @@ -0,0 +1,16 @@ +# Automated patching +Runs automated patching for apt-based package management systems. + + + + + +## Default variables +```yaml +--- +ce_patcher: + username: controller + reboot: false +``` + + diff --git a/docs/roles/clamav_clamscan.md b/docs/roles/clamav_clamscan.md deleted file mode 100644 index adbac2052..000000000 --- a/docs/roles/clamav_clamscan.md +++ /dev/null 
@@ -1,22 +0,0 @@ -# ClamAV Clamscan - - - -## Configuration -This role will install the ClamAV base package which will allow us to run clamscan on demand and email scan reports to an email address. -NOTE: This approach will not install clamd. Check the clamav_daemon role if this is what you are looking for. - - -## Default variables -```yaml ---- -# defaults file for clamav - -clamav_clamscan: - email: "admins@example.com" - schedule: "0 0 * * *" - path: "/var/www" - -``` - - diff --git a/docs/roles/clamav_daemon.md b/docs/roles/clamav_daemon.md deleted file mode 100644 index 00f9582d1..000000000 --- a/docs/roles/clamav_daemon.md +++ /dev/null @@ -1,20 +0,0 @@ -# ClamAV Daemon - - - -## Configuration -This role will install the ClamAV daemon. If you want to install clamscan and generate reports check the clamav_clamscan role. - - -## Default variables -```yaml ---- -# defaults file for clamav - -clamav_daemon: - host: "127.0.0.1" - port: "3310" - -``` - - diff --git a/docs/roles/firewall.md b/docs/roles/firewall.md deleted file mode 100644 index 9e8351c42..000000000 --- a/docs/roles/firewall.md +++ /dev/null 
@@ -1,52 +0,0 @@ -# UFW Firewall - - - - - - -## Default variables -```yaml ---- -# rules: -# - { [port: ""] [rule: allow] [proto: any] [from_ip: any] [to_ip: any] [comment: 'rule comment']} -# -# https://docs.ansible.com/ansible/latest/modules/ufw_module.html#parameters -# - -firewall: - # Define any custom rule. - rules: [] - # - { to_ip: any, direction: out, port: '123', rule: 'allow', proto: udp, comment: 'Allow outgoing NTP' } - # - { from_ip: any, direction: in, port: '53', rule: 'allow', comment: 'Allow DNS' } - - input_policy: DROP - output_policy: ACCEPT - forward_policy: ACCEPT - application_policy: SKIP - ipv6: "yes" - ipt_modules: "nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns" - nat: false - # Defaults IPs to whitelist. Do not override directly in playbooks, but set them in group_vars from your "private" config. - _outbound_defaults: [] - _inbound_defaults: [] - # _inbound_defaults: - # - port: '22' - # proto: tcp - # comment: 'Allow SSH access' - # ips: - # - '8.8.8.8' - # - '1.1.1.1' - # - port: '443' - # proto: tcp - # comment: 'Allow HTTPS access' - # ips: - # - '8.8.8.8' - # - '1.1.1.1' - # Additional IPs to whitelist for a given playbooks. Those will be merged into the defaults above. - outbound: [] - inbound: [] - -``` - - diff --git a/docs/roles/firewall_config.md b/docs/roles/firewall_config.md index a4ef8a05b..b0390b774 100644 --- a/docs/roles/firewall_config.md +++ b/docs/roles/firewall_config.md 
@@ -84,10 +84,21 @@ firewall_config: firewall_allowed_tcp_ports: - "989" - "990" + letsencrypt: + firewall_allowed_tcp_ports: + - "80" ossec: firewall_allowed_udp_ports: - "1514" - "1515" + openvpn: + firewall_allowed_udp_ports: + - "1194" + firewall_additional_rules: + - "echo 1 > /proc/sys/net/ipv4/ip_forward" # Enable forwarding of IP + - "iptables -A INPUT -s 10.8.0.0/24 -i tun0 -j ACCEPT" # Accept traffic from the VPN on all interfaces - change this if you change openvpn_config default addresses + - "iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT" # Forward traffic from the VPN interface out via eth0 + - "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE" # Replace the source IP with the eth0 public IP when forwarding outbound ``` diff --git a/docs/roles/gitlab.md b/docs/roles/gitlab.md index 292222b85..17973d335 100644 --- a/docs/roles/gitlab.md +++ b/docs/roles/gitlab.md @@ -27,11 +27,14 @@ gitlab: unicorn_worker_processes: 2 puma_worker_processes: 2 initial_root_password: "" - ldap: false + ldap: false # enable/disable LDAP integration ldap_endpoint: "{{ ldap_client.endpoints[0] }}" ldap_lookup_base: "{{ ldap_client.lookup_base }}" ldap_binddn: "{{ ldap_client.binddn }}" ldap_bindpw: "{{ ldap_client.bindpw }}" + prometheus: "true" # enable/disable built-in Prometheus + node_exporter: "true" # enable/disable built-in Prometheus Node Exporter + alertmanager: "true" # enable/disable built-in Prometheus Alertmanager nginx: listen_port: 8881 listen_https: nil diff --git a/docs/roles/gitlab_runner.md b/docs/roles/gitlab_runner.md index 643664948..5443e588f 100644 --- a/docs/roles/gitlab_runner.md +++ b/docs/roles/gitlab_runner.md 
@@ -40,10 +40,14 @@ gitlab_runner: # cleanup_args: '["--config", "/etc/gitlab-runner/fargate.toml", "custom", "cleanup"]' install_fargate: false restart: true # set to false if you're applying settings to a server responsible for its own runners + username: "{{ _ce_deploy.username }}" + docker_group: "docker" + runner_workingdir: "/home/{{ _ce_deploy.username }}/build" + runner_config: "/etc/gitlab-runner/config.toml" # see https://gitlab.com/gitlab-org/ci-cd/custom-executor-drivers/fargate/-/tree/master/docs fargate: cluster: "my-cluster" # ECS cluster name - region: "eu-west-1" + region: "{{ _aws_region }}" subnet: "subnet-abcdef123456" # subnet ID security_group: "sg-abcdef123456" # SG ID task_definition: "my-task:1" # task definition in format name:revision, if revision is not provided ECS will use latest diff --git a/docs/roles/gpg_key.md b/docs/roles/gpg_key.md index 7730c0731..66f867ba5 100644 --- a/docs/roles/gpg_key.md +++ b/docs/roles/gpg_key.md @@ -7,6 +7,9 @@ Generates a passwordless GPG key for a given user or users. ## Default variables ```yaml --- +gpg_key_servers: + - hkps://pgp.mit.edu + - hkps://keys.openpgp.org gpg_key: - username: example # Must exist already on the server. publish: false # Whether to publish to HKS public servers. diff --git a/docs/roles/ldap_server.md b/docs/roles/ldap_server.md index fb44b0f0e..bb30ec656 100644 --- a/docs/roles/ldap_server.md +++ b/docs/roles/ldap_server.md 
@@ -80,9 +80,19 @@ ldap_server: # Execution order can be important, so ensure your files are named in alphabetical order. path: "{{ _ce_provision_base_dir }}/config/files/ldap_server/config" purge: false + backup: false # set to true to create local backups of LDAP + backup_path: /opt/slap-bak + backup_minute: "45" + backup_hour: "23" + # TLS settings in LDAP are not separately handled, you need to manually set it up or use the config import feature. + # If you use 'manual' SSL handling you need to provide a separate CA certificate. + # If you use 'letsencrypt' SSL handling then the LDAP TLS settings in your imported config should be as follows: + # olcTLSCACertificateFile: /etc/letsencrypt/live/{{ _domain_name }}/chain.pem + # olcTLSCertificateFile: /etc/letsencrypt/live/{{ _domain_name }}/cert.pem + # olcTLSCertificateKeyFile: /etc/letsencrypt/live/{{ _domain_name }}/privkey.pem ssl: # @see the 'ssl' role - does nothing by default. domain: "{{ _domain_name }}" - handling: "unmanaged" # LDAP needs to use 'manual' handling for SSL because a separate CA certificate is required. + handling: "unmanaged" key: "" cert: "" ca_cert: "" diff --git a/docs/roles/mysql_client.md b/docs/roles/mysql_client.md index 74b587e3b..9a6b518a8 100644 --- a/docs/roles/mysql_client.md +++ b/docs/roles/mysql_client.md @@ -13,6 +13,9 @@ mysql_client: host: "rds.example.com" user: "user" password: "password" + creds_file_dest: "/home/{{ user_deploy.username }}/.mysql.creds" + creds_file_owner: "{{ user_deploy.username }}" + creds_file_group: "{{ user_deploy.username }}" ``` diff --git a/docs/roles/openvpn.md b/docs/roles/openvpn.md deleted file mode 100644 index c8468b756..000000000 --- a/docs/roles/openvpn.md +++ /dev/null 
@@ -1,137 +0,0 @@ -# [openvpn](#openvpn) - -Install and configure openvpn server or client on your system. - -|GitHub|GitLab|Quality|Downloads|Version| -|------|------|-------|---------|-------| -|[![github](https://github.com/robertdebock/ansible-role-openvpn/workflows/Ansible%20Molecule/badge.svg)](https://github.com/robertdebock/ansible-role-openvpn/actions)|[![gitlab](https://gitlab.com/robertdebock/ansible-role-openvpn/badges/master/pipeline.svg)](https://gitlab.com/robertdebock/ansible-role-openvpn)|[![quality](https://img.shields.io/ansible/quality/37845)](https://galaxy.ansible.com/robertdebock/openvpn)|[![downloads](https://img.shields.io/ansible/role/d/37845)](https://galaxy.ansible.com/robertdebock/openvpn)|[![Version](https://img.shields.io/github/release/robertdebock/ansible-role-openvpn.svg)](https://github.com/robertdebock/ansible-role-openvpn/releases/)| - -## [Example Playbook](#example-playbook) - -This example is taken from `molecule/resources/converge.yml` and is tested on each push, pull request and release. 
-```yaml ---- -- name: Converge - hosts: all - become: yes - gather_facts: yes - - tasks: - - name: create openvpn server - ansible.builtin.include_role: - name: robertdebock.openvpn - vars: - openvpn_role: "server" - - - name: copy certificates and keys from the server to the client - ansible.builtin.copy: - src: /etc/openvpn/easy-rsa/pki/{{ item }} - dest: /etc/openvpn/client/{{ item | basename }} - mode: "0640" - remote_src: yes - loop: - - ca.crt - - issued/client.crt - - private/client.key - - ta.key - - - name: create openvpn client - ansible.builtin.include_role: - name: robertdebock.openvpn - vars: - openvpn_role: "client" - openvpn_client_server: 127.0.0.1 -``` - -The machine needs to be prepared in CI this is done using `molecule/resources/prepare.yml`: -```yaml ---- -- name: Prepare server - hosts: all - gather_facts: no - become: yes - - roles: - - role: robertdebock.bootstrap - # - role: robertdebock.buildtools - - role: robertdebock.epel - # - role: robertdebock.python_pip - # - role: robertdebock.openssl -``` - -Also see a [full explanation and example](https://robertdebock.nl/how-to-use-these-roles.html) on how to use these roles. - -## [Role Variables](#role-variables) - -These variables are set in `defaults/main.yml`: -```yaml ---- -# defaults file for openvpn - -# You can setup both a client and a server using this role. -# Use `server` or `client` for `openvpn_role`. - -openvpn_role: server - -# If you are configuring a client, setup these variables: -# openvpn_role: client -# openvpn_client_server: vpn.example.com -``` - -## [Requirements](#requirements) - -- pip packages listed in [requirements.txt](https://github.com/robertdebock/ansible-role-openvpn/blob/master/requirements.txt). - -## [Status of requirements](#status-of-requirements) - -The following roles are used to prepare a system. You may choose to prepare your system in another way, I have tested these roles as well. 
- -| Requirement | GitHub | GitLab | -|-------------|--------|--------| -|[robertdebock.bootstrap](https://galaxy.ansible.com/robertdebock/bootstrap)|[![Build Status GitHub](https://github.com/robertdebock/ansible-role-bootstrap/workflows/Ansible%20Molecule/badge.svg)](https://github.com/robertdebock/ansible-role-bootstrap/actions)|[![Build Status GitLab ](https://gitlab.com/robertdebock/ansible-role-bootstrap/badges/master/pipeline.svg)](https://gitlab.com/robertdebock/ansible-role-bootstrap)| -|[robertdebock.epel](https://galaxy.ansible.com/robertdebock/epel)|[![Build Status GitHub](https://github.com/robertdebock/ansible-role-epel/workflows/Ansible%20Molecule/badge.svg)](https://github.com/robertdebock/ansible-role-epel/actions)|[![Build Status GitLab ](https://gitlab.com/robertdebock/ansible-role-epel/badges/master/pipeline.svg)](https://gitlab.com/robertdebock/ansible-role-epel)| - -## [Context](#context) - -This role is a part of many compatible roles. Have a look at [the documentation of these roles](https://robertdebock.nl/) for further information. - -Here is an overview of related roles: -![dependencies](https://raw.githubusercontent.com/robertdebock/ansible-role-openvpn/png/requirements.png "Dependencies") - -## [Compatibility](#compatibility) - -This role has been tested on these [container images](https://hub.docker.com/u/robertdebock): - -|container|tags| -|---------|----| -|amazon|Candidate| -|debian|buster, bullseye| -|el|8| -|fedora|all| -|debian|buster, bullseye| -|ubuntu|focal| - -The minimum version of Ansible required is 2.10, tests have been done to: - -- The previous version. -- The current version. -- The development version. 
- - - -If you find issues, please register them in [GitHub](https://github.com/robertdebock/ansible-role-openvpn/issues) - -## [License](#license) - -Apache-2.0 - - -## [Author Information](#author-information) - -[Robert de Bock](https://robertdebock.nl/) - -Please consider [sponsoring me](https://github.com/sponsors/robertdebock). - -## [Forked for ce-provision-project](#fork) - -This is a slightly modified version of the original by Code Enigma for its ce-provision project. diff --git a/docs/roles/openvpn_config.md b/docs/roles/openvpn_config.md new file mode 100644 index 000000000..02bbd8167 --- /dev/null +++ b/docs/roles/openvpn_config.md 
@@ -0,0 +1,69 @@ +# OpenVPN Config +This role is used to install an OpenVPN server with an Ansible Galaxy role and corresponding configuration afterwards. The Galaxy role is here: + +* https://galaxy.ansible.com/robertdebock/openvpn + + + + + +## Default variables +```yaml +--- +openvpn_config: + install: true # set to false if we do not want to overwrite the existing VPN certs + + # Defaults from https://github.com/robertdebock/ansible-role-openvpn/blob/master/vars/main.yml + configuration_directory: /etc/openvpn + easyrsa_path: /usr/share/easy-rsa + service: "openvpn@server" + server_ip_range: "server 10.8.0.0 255.255.255.0" + # Additional options + force_redirect_gateway: true + compress: true + no_client_cert: true + custom_directives: [] # optional list of directives, i.e. push routes + # - directive 1 + # - directive 2 + # - directive N + + # easy-rsa vars for generating VPN certs + certs: + cn: "{{ _domain_name }}" + dn_mode: org # choices are org or cn_only + country: US + province: California + city: San Francisco + org: Copyleft Certificate Co + email: me@example.com + org_unit: My Organizational Unit + + # LDAP configuration + ldap: + install: false + url: ldaps://ldap.example.com,ldaps://ldap2.example.com + tls: false # set to true to use TLS on port 389 / ldap:// + tls_cert: /etc/ldap/ssl/ldap.CA.pem + tls_cert_local: "" # Set this to the path on the Ansible controller if you want to copy it to the target + timeout: '15' + basedn: dc=example,dc=com + search_filter: (&(objectClass=posixAccount)(uid=%u)) + require_group: true # set to false to allow any valid user in the basedn to login + group_basedn: ou=Groups,dc=example,dc=com + group_filter: (|(cn=vpnguests)(cn=sysadmins)) + + # PAM configuration - you need to manage the anthentication methods for your VPN via pam_config + # By default we assume the pam_ldap role is installed and configured + # VPN auth will be carried out against the nslcd daemon settings + pam: + install: false + pam_config: | + 
auth sufficient pam_ldap.so + auth required pam_deny.so + + account required pam_ldap.so + account required pam_permit.so + +``` + + diff --git a/docs/roles/php_composer.md b/docs/roles/php_composer.md new file mode 100644 index 000000000..0da26c999 --- /dev/null +++ b/docs/roles/php_composer.md @@ -0,0 +1,22 @@ +# PHP Composer +This role is used to install the Composer package manager for PHP. It wraps the Galaxy role from Jeff Geerling which can be found here: + +* https://github.com/geerlingguy/ansible-role-composer + + + + + +## Default variables +```yaml +php_composer: + # Abstractions of default variables which can be found here: + # https://github.com/geerlingguy/ansible-role-composer/blob/master/defaults/main.yml + version: '1.8.4' # Buster apt package is 'Composer 1.8.4 2019-02-11 10:52:10' + keep_updated: false + version_branch: '' + github_oauth_token: '' + +``` + + diff --git a/roles/README.md b/roles/README.md index ff25712aa..7d27820f6 100644 --- a/roles/README.md +++ b/roles/README.md @@ -2,3 +2,9 @@ Ansible roles and group of roles that constitute the deploy stack. + +# Required variables +You must pass the following variables into an Ansible play before running it with ce-provision: + +* `_aws_profile` - the Boto3 profile to use +* `_aws_region` - the AWS region to act in diff --git a/roles/_init/README.md b/roles/_init/README.md index 32bccf15a..7b965bf81 100644 --- a/roles/_init/README.md +++ b/roles/_init/README.md 
@@ -13,10 +13,12 @@ _init: # A list of var directories to include. We only support .yml extensions. # This is used to detect if the playbook must re-run or not. vars_dirs: [] + force_play: false -# ce_provision vars are sometimes needed even when the role isn't used so we define them here +# ce_provision vars are sometimes needed even when the role isn't used so we define them here. +# If you are using ce_provision and *not* using _init you can copy these vars to your playbook. _ce_provision: - username: "{% if is_local is defined and is_local %}ce-dev{% else %}controller{% endif %}" + username: "{% if is_local is defined and is_local %}ce-dev{% else %}controller{% endif %}" ce_provision: username: "{{ _ce_provision.username }}" diff --git a/roles/aws/aws_acm/README.md b/roles/aws/aws_acm/README.md index 67c41267a..2e20aa219 100644 --- a/roles/aws/aws_acm/README.md +++ b/roles/aws/aws_acm/README.md @@ -16,8 +16,16 @@ Additionally, this role attempts to be idempotent by running `aws acm list-certi ```yaml --- aws_acm: - acm_domain_name: subdomain.example.com - acm_validation_domain: example.com + region: "{{ _aws_region }}" + aws_profile: "{{ _aws_profile }}" + tags: "{{ _aws_tags }}" + domain_name: subdomain.example.com + validate: true # you need to set this to false if the validation zone is not in Route 53 or you do not have CLI access + export: true + route_53: + aws_profile: "{{ _aws_profile }}" # the zone might not be in the same account as the certificate + state: present + zone: example.com ``` diff --git a/roles/aws/aws_ami/README.md b/roles/aws/aws_ami/README.md index 1371a1585..3f002801d 100644 --- a/roles/aws/aws_ami/README.md +++ b/roles/aws/aws_ami/README.md 
@@ -12,9 +12,13 @@ This requires boto and Packer on the "provisioning" server. --- aws_ami: aws_profile: "{{ _aws_profile }}" - region: us-east-2 + region: "{{ _aws_region }}" instance_type: t2.micro + virtualization_type: hvm + root_device_type: ebs + name_filter: "debian-10-amd64-*" ami_name: "example" + owner: "136693071363" # Global AWS account ID of owner, defaults to Debian official encrypt_boot: false playbook_file: "{{ playbook_dir }}/base-playbook.yml" # Path to a playbook used to provision the image. # Operation can be one of: diff --git a/roles/aws/aws_ami/defaults/main.yml b/roles/aws/aws_ami/defaults/main.yml index e6edd560d..541e34f69 100644 --- a/roles/aws/aws_ami/defaults/main.yml +++ b/roles/aws/aws_ami/defaults/main.yml @@ -1,7 +1,7 @@ --- aws_ami: aws_profile: "{{ _aws_profile }}" - region: us-east-2 + region: "{{ _aws_region }}" instance_type: t2.micro virtualization_type: hvm root_device_type: ebs diff --git a/roles/aws/aws_backup/README.md b/roles/aws/aws_backup/README.md index 48cb43a65..562c755c9 100644 --- a/roles/aws/aws_backup/README.md +++ b/roles/aws/aws_backup/README.md @@ -17,7 +17,7 @@ aws_backup: # copy_vault: # name: "Default" # encryption_key: "Default" # An Amazon Resource Name (ARN) that identifies the encryption key to use in the copy region. If 'default', the default AWS encryption key will be used. If NOT 'default', the key must already exist so the ARN can be passed in. - # region: "eu-central-1" + # region: "{{ _aws_region }}" plans: [] # A list of backup plans. See below for usage example. # plans: # - name: "ExampleDev" 
@@ -49,7 +49,7 @@ aws_backup: # delete_after_days: 0 # Specifies the number of days after creation that a recovery point is deleted. # continuous_backup: false # Specifies whether Backup creates continuous backups. backup: - iam_role_arn: "Default" # Set to the ARN of an existing IAM role or leave as 'Default' to use the AWSBackupDefaultServiceRole role. + iam_role_arn: "Default" # Set to the ARN of an existing IAM role or leave as 'Default' to create a role with the name '_infra_name-backup'. backup_plan_name: "" # Name of the backup plan to use. Must match one in the plans list. selection_name: "" # Name of the resource assignation; this is set in the roles which create the resources such as aws/aws_ec2_with_eip and aws/aws_efs. resource_id: "" # The unique ID of the resource. For EC2, this is the instance ID. For EFS, the filesystem ID. For RDS, the DB identifier. @@ -69,6 +69,7 @@ aws_backup: subscriptions: - endpoint: "admin@example.com" protocol: "email" + ``` diff --git a/roles/aws/aws_backup/defaults/main.yml b/roles/aws/aws_backup/defaults/main.yml index e99fd33cc..de45dedbe 100644 --- a/roles/aws/aws_backup/defaults/main.yml +++ b/roles/aws/aws_backup/defaults/main.yml @@ -7,7 +7,7 @@ aws_backup: # copy_vault: # name: "Default" # encryption_key: "Default" # An Amazon Resource Name (ARN) that identifies the encryption key to use in the copy region. If 'default', the default AWS encryption key will be used. If NOT 'default', the key must already exist so the ARN can be passed in. - # region: "eu-central-1" + # region: "{{ _aws_region }}" plans: [] # A list of backup plans. See below for usage example. # plans: # - name: "ExampleDev" @@ -58,4 +58,4 @@ aws_backup: delivery_policy_disable_subscription_overrides: false subscriptions: - endpoint: "admin@example.com" - protocol: "email" \ No newline at end of file + protocol: "email" 
diff --git a/roles/aws/aws_cloudwatch_log_group/README.md b/roles/aws/aws_cloudwatch_log_group/README.md index d75070ba0..d390942eb 100644 --- a/roles/aws/aws_cloudwatch_log_group/README.md +++ b/roles/aws/aws_cloudwatch_log_group/README.md @@ -11,7 +11,7 @@ Manage log groups states and retention policies. --- aws_cloudwatch_log_group: aws_profile: "{{ _aws_profile }}" - region: "eu-west-3" + region: "{{ _aws_region }}" tags: {} state: present # Number of days to keep logs, in days. diff --git a/roles/aws/aws_cloudwatch_log_group/defaults/main.yml b/roles/aws/aws_cloudwatch_log_group/defaults/main.yml index 6a2f6c69f..edb8a842b 100644 --- a/roles/aws/aws_cloudwatch_log_group/defaults/main.yml +++ b/roles/aws/aws_cloudwatch_log_group/defaults/main.yml @@ -1,7 +1,7 @@ --- aws_cloudwatch_log_group: aws_profile: "{{ _aws_profile }}" - region: "eu-west-3" + region: "{{ _aws_region }}" tags: {} state: present # Number of days to keep logs, in days. diff --git a/roles/aws/aws_ec2_autoscale_cluster/README.md b/roles/aws/aws_ec2_autoscale_cluster/README.md index 70ef33636..55e302552 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/README.md +++ b/roles/aws/aws_ec2_autoscale_cluster/README.md @@ -8,7 +8,7 @@ ```yaml aws_ec2_autoscale_cluster: aws_profile: "{{ _aws_profile }}" - region: eu-west-3 + region: "{{ _aws_region }}" name: "example" vpc_id: vpc-XXXX # One of vpc_id or vpc_name is mandatory. # vpc_name: example-vpc 
@@ -95,12 +95,14 @@ aws_ec2_autoscale_cluster: # Hosts to peer with. This will gather vpc info from the Name tag and create a peering connection and route tables. peering: - name: utility-server.example.com - region: eu-west-3 + region: "{{ _aws_region }}" # Associated RDS instance. rds: rds: false # wether to create an instance. db_instance_class: db.m5.large + #db_cluster_identifier: example-aurora-cluster engine: mariadb + aurora_reader: false #engine_version: 5.7.9 allocated_storage: 100 # Initial size in GB. Minimum is 100. max_allocated_storage: 1000 # Max size in GB for autoscaling. diff --git a/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml b/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml index 6c35e8845..3faf901c3 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml +++ b/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml @@ -1,6 +1,6 @@ aws_ec2_autoscale_cluster: aws_profile: "{{ _aws_profile }}" - region: eu-west-3 + region: "{{ _aws_region }}" name: "example" vpc_id: vpc-XXXX # One of vpc_id or vpc_name is mandatory. # vpc_name: example-vpc @@ -87,7 +87,7 @@ aws_ec2_autoscale_cluster: # Hosts to peer with. This will gather vpc info from the Name tag and create a peering connection and route tables. peering: - name: utility-server.example.com - region: eu-west-3 + region: "{{ _aws_region }}" # Associated RDS instance. rds: rds: false # wether to create an instance. diff --git a/roles/aws/aws_ec2_with_eip/README.md b/roles/aws/aws_ec2_with_eip/README.md index 5b67e29a3..e9e4d614c 100644 --- a/roles/aws/aws_ec2_with_eip/README.md +++ b/roles/aws/aws_ec2_with_eip/README.md 
@@ -11,15 +11,18 @@ Creates a new EC2 instance at AWS with a static IP address. --- aws_ec2_with_eip: aws_profile: "{{ _aws_profile }}" - region: eu-west-3 + region: "{{ _aws_region }}" instance_type: t2.micro key_name: "{{ ce_provision.username }}@{{ ansible_hostname }}" # This needs to match your "provision" user SSH key. ami_name: "{{ _domain_name }}" # The name of an AMI image to use. Image must exists in the same region. ami_owner: self # Default to self-created image. - vpc_subnet_id: subnet-xxx + # vpc_subnet_id: subnet-xxx # One of vpc_subnet_id or vpc_name + vpc_subnet_profile is mandatory. + vpc_name: "{{ _infra_name }}" + vpc_subnet_profile: core # if you are looking up subnets we need a Profile tag to search against # An IAM Role name to associate with the instance. iam_role_name: "example" - state: present + state: started + termination_protection: false # set to true to disable termination and avoid accidents instance_name: "{{ _domain_name }}" root_volume_size: 80 ebs_optimized: true @@ -29,6 +32,7 @@ aws_ec2_with_eip: # Add an A record tied to the EIP. # Set the zone to empty to skip. route_53: + state: present zone: "example.com" record: "{{ _domain_name }}" aws_profile: another # Not necessarily the same as the "target" one. diff --git a/roles/aws/aws_ec2_with_eip/defaults/main.yml b/roles/aws/aws_ec2_with_eip/defaults/main.yml index 72c90c231..537527cd3 100644 --- a/roles/aws/aws_ec2_with_eip/defaults/main.yml +++ b/roles/aws/aws_ec2_with_eip/defaults/main.yml @@ -1,7 +1,7 @@ --- aws_ec2_with_eip: aws_profile: "{{ _aws_profile }}" - region: eu-west-3 + region: "{{ _aws_region }}" instance_type: t2.micro key_name: "{{ ce_provision.username }}@{{ ansible_hostname }}" # This needs to match your "provision" user SSH key. ami_name: "{{ _domain_name }}" # The name of an AMI image to use. Image must exists in the same region. diff --git a/roles/aws/aws_efs/README.md b/roles/aws/aws_efs/README.md index 9e0cf8667..8be3cece3 100644 
--- a/roles/aws/aws_efs/README.md +++ b/roles/aws/aws_efs/README.md @@ -10,7 +10,7 @@ Creates or update an EFS volume. ```yaml aws_efs: aws_profile: "{{ _aws_profile }}" - region: eu-west-3 + region: "{{ _aws_region }}" name: example # If false, we omit tags enterly and leave them as is. purge_tags: false diff --git a/roles/aws/aws_efs/defaults/main.yml b/roles/aws/aws_efs/defaults/main.yml index a576966f2..a4029ef68 100644 --- a/roles/aws/aws_efs/defaults/main.yml +++ b/roles/aws/aws_efs/defaults/main.yml @@ -1,6 +1,6 @@ aws_efs: aws_profile: "{{ _aws_profile }}" - region: eu-west-3 + region: "{{ _aws_region }}" name: example # If false, we omit tags enterly and leave them as is. purge_tags: false diff --git a/roles/aws/aws_efs_client/README.md b/roles/aws/aws_efs_client/README.md index 684bd4f52..3e09a5958 100644 --- a/roles/aws/aws_efs_client/README.md +++ b/roles/aws/aws_efs_client/README.md @@ -10,7 +10,7 @@ It uses the "Name" tag for a given volume to retrieve the volume path. --- aws_efs_client: aws_profile: "{{ _aws_profile }}" - region: eu-west-3 + region: "{{ _aws_region }}" version: 1.26.2 # Version of AWS EFS utils to use. # See https://docs.ansible.com/ansible/latest/modules/mount_module.html mounts: diff --git a/roles/aws/aws_efs_client/defaults/main.yml b/roles/aws/aws_efs_client/defaults/main.yml index 148267b3f..2a5df0275 100644 --- a/roles/aws/aws_efs_client/defaults/main.yml +++ b/roles/aws/aws_efs_client/defaults/main.yml @@ -1,7 +1,7 @@ --- aws_efs_client: aws_profile: "{{ _aws_profile }}" - region: eu-west-3 + region: "{{ _aws_region }}" version: 1.26.2 # Version of AWS EFS utils to use. # See https://docs.ansible.com/ansible/latest/modules/mount_module.html mounts: diff --git a/roles/aws/aws_iam_role/README.md b/roles/aws/aws_iam_role/README.md index 6ba01eb13..768a845d2 100644 --- a/roles/aws/aws_iam_role/README.md +++ b/roles/aws/aws_iam_role/README.md 
@@ -14,7 +14,7 @@ aws_iam_role: # Pass either names or ARNs for the role. managed_policies: [] # Which document policy to apply. - # Current options are 'ec2' or 'ecs' + # Current options are 'ec2', 'ecs' or 'backup' policy_document: ec2 purge_policies: true # set to false if you want to add policies to an existing role tags: diff --git a/roles/aws/aws_iam_saml/README.md b/roles/aws/aws_iam_saml/README.md index 15212d8de..de01d6004 100644 --- a/roles/aws/aws_iam_saml/README.md +++ b/roles/aws/aws_iam_saml/README.md @@ -69,7 +69,7 @@ This requires boto and AWS-CLI on the provisioning server. ```yaml aws_iam_saml: aws_profile: "{{ _aws_profile }}" # Boto profile to use for AWS connections - region: "eu-west-2" # AWS region to use + region: "{{ _aws_region }}" # AWS region to use tags: {} # Dict of AWS tags to apply #Tagname: "TagValue" aws_account_alias: "" # IAM account alias - human readable name to order SSO page diff --git a/roles/aws/aws_iam_saml/defaults/main.yml b/roles/aws/aws_iam_saml/defaults/main.yml index 2c43fbd41..0b829a539 100644 --- a/roles/aws/aws_iam_saml/defaults/main.yml +++ b/roles/aws/aws_iam_saml/defaults/main.yml @@ -1,6 +1,6 @@ aws_iam_saml: aws_profile: "{{ _aws_profile }}" # Boto profile to use for AWS connections - region: "eu-west-2" # AWS region to use + region: "{{ _aws_region }}" # AWS region to use tags: {} # Dict of AWS tags to apply #Tagname: "TagValue" aws_account_alias: "" # IAM account alias - human readable name to order SSO page diff --git a/roles/aws/aws_provision_ec2_keypair/README.md b/roles/aws/aws_provision_ec2_keypair/README.md index 42e045ddb..5267a111c 100644 --- a/roles/aws/aws_provision_ec2_keypair/README.md +++ b/roles/aws/aws_provision_ec2_keypair/README.md @@ -9,7 +9,7 @@ Creates a key pair for the current "provision user" --- aws_provision_ec2_keypair: aws_profile: "{{ _aws_profile }}" - region: eu-west-3 + region: "{{ _aws_region }}" key_name: "{{ ce_provision.username }}@{{ ansible_hostname }}" ``` 
diff --git a/roles/aws/aws_provision_ec2_keypair/defaults/main.yml b/roles/aws/aws_provision_ec2_keypair/defaults/main.yml index 27fe91470..51e053f91 100644 --- a/roles/aws/aws_provision_ec2_keypair/defaults/main.yml +++ b/roles/aws/aws_provision_ec2_keypair/defaults/main.yml @@ -1,5 +1,5 @@ --- aws_provision_ec2_keypair: aws_profile: "{{ _aws_profile }}" - region: eu-west-3 + region: "{{ _aws_region }}" key_name: "{{ ce_provision.username }}@{{ ansible_hostname }}" diff --git a/roles/aws/aws_rds/README.md b/roles/aws/aws_rds/README.md index b448714aa..88e4f5e7a 100644 --- a/roles/aws/aws_rds/README.md +++ b/roles/aws/aws_rds/README.md @@ -17,7 +17,7 @@ You'll need to have created the subnet group first as well as the security group ```yaml aws_rds: aws_profile: "{{ _aws_profile }}" - region: eu-west-3 + region: "{{ _aws_region }}" multi_az: true subnets: - subnet-aaaaaaaa @@ -28,7 +28,13 @@ aws_rds: state: present description: example engine: mariadb + aurora_reader: false # If true, an Aurora reader instance will be created. # engine_version: '5.7.2' # Omit to use latest. + # See parameter group docs: https://docs.ansible.com/ansible/latest/collections/community/aws/rds_param_group_module.html + # db_parameter_group_name: "example" # Omit to use default + # db_parameter_group_description: "Custom parameter group" # Description of parameter group + # db_parameter_group_engine: "mariadb10.5" # accepts different values to RDS instance 'engine' + # db_parameters: {} # dictionary of available parameters allocated_storage: 100 # Initial size in GB. Minimum is 100. max_allocated_storage: 1000 # Max size in GB for autoscaling. storage_encrypted: false # Whether to encrypt the RDS instance or not. diff --git a/roles/aws/aws_rds/defaults/main.yml b/roles/aws/aws_rds/defaults/main.yml index f5bb2a831..7a79ee93b 100644 --- a/roles/aws/aws_rds/defaults/main.yml +++ b/roles/aws/aws_rds/defaults/main.yml 
@@ -1,6 +1,6 @@ aws_rds: aws_profile: "{{ _aws_profile }}" - region: eu-west-3 + region: "{{ _aws_region }}" multi_az: true subnets: - subnet-aaaaaaaa diff --git a/roles/aws/aws_s3_bucket/README.md b/roles/aws/aws_s3_bucket/README.md index f34b71671..e34828770 100644 --- a/roles/aws/aws_s3_bucket/README.md +++ b/roles/aws/aws_s3_bucket/README.md @@ -10,7 +10,7 @@ Creates an S3 bucket and a matching policy. ```yaml aws_s3_bucket: aws_profile: "{{ _aws_profile }}" - region: eu-west-3 + region: "{{ _aws_region }}" name: "example" tags: Name: "example" diff --git a/roles/aws/aws_s3_bucket/defaults/main.yml b/roles/aws/aws_s3_bucket/defaults/main.yml index fe42d533a..f198e14e4 100644 --- a/roles/aws/aws_s3_bucket/defaults/main.yml +++ b/roles/aws/aws_s3_bucket/defaults/main.yml @@ -1,6 +1,6 @@ aws_s3_bucket: aws_profile: "{{ _aws_profile }}" - region: eu-west-3 + region: "{{ _aws_region }}" name: "example" tags: Name: "example" diff --git a/roles/aws/aws_sns/README.md b/roles/aws/aws_sns/README.md index e04826061..b3b65ec63 100644 --- a/roles/aws/aws_sns/README.md +++ b/roles/aws/aws_sns/README.md @@ -9,7 +9,7 @@ Creates an SNS topic and subscription. --- aws_sns: name: "alarms" # Name of the topic. - region: "eu-west-2" # The region to create the SNS topic. + region: "{{ _aws_region }}" # The region to create the SNS topic. display_name: "" # Display name for the topic, for when the topic is owned by this AWS account. purge_subscriptions: true # Purge subscriptions not specified in the subscriptions list. policy: "" # A dictionary containing the policy to use when creating the topic diff --git a/roles/aws/aws_sns/defaults/main.yml b/roles/aws/aws_sns/defaults/main.yml index 43d6cb4ef..233156143 100644 --- a/roles/aws/aws_sns/defaults/main.yml +++ b/roles/aws/aws_sns/defaults/main.yml 
@@ -1,7 +1,7 @@
 ---
 aws_sns:
   name: "alarms" # Name of the topic.
-  region: "eu-west-2" # The region to create the SNS topic.
+  region: "{{ _aws_region }}" # The region to create the SNS topic.
   display_name: "" # Display name for the topic, for when the topic is owned by this AWS account.
   purge_subscriptions: true # Purge subscriptions not specified in the subscriptions list.
   policy: "" # A dictionary containing the policy to use when creating the topic
diff --git a/roles/aws/aws_vpc/README.md b/roles/aws/aws_vpc/README.md
index da6687d57..979232cc6 100644
--- a/roles/aws/aws_vpc/README.md
+++ b/roles/aws/aws_vpc/README.md
@@ -8,7 +8,7 @@ Creates a VPC and associated subnets.
 ```yaml
 aws_vpc:
   aws_profile: "{{ _aws_profile }}"
-  region: eu-west-3
+  region: "{{ _aws_region }}"
   name: example-vpc-2
   cidr_block: "10.0.0.0/16"
   tags: {}
diff --git a/roles/aws/aws_vpc/defaults/main.yml b/roles/aws/aws_vpc/defaults/main.yml
index 8f077b29c..cd3ce4093 100644
--- a/roles/aws/aws_vpc/defaults/main.yml
+++ b/roles/aws/aws_vpc/defaults/main.yml
@@ -1,6 +1,6 @@
 aws_vpc:
   aws_profile: "{{ _aws_profile }}"
-  region: eu-west-3
+  region: "{{ _aws_region }}"
   name: example-vpc-2
   cidr_block: "10.0.0.0/16"
   tags: {}
diff --git a/roles/aws/aws_vpc_route/README.md b/roles/aws/aws_vpc_route/README.md
index 621a4329e..2bf20b0d2 100644
--- a/roles/aws/aws_vpc_route/README.md
+++ b/roles/aws/aws_vpc_route/README.md
@@ -9,7 +9,7 @@ This will add/update routes on the "main" route table for a given VPC, leaving e
 # @todo Support associating route with several subnets.
 aws_vpc_route:
   aws_profile: "{{ _aws_profile }}"
-  region: eu-west-3
+  region: "{{ _aws_region }}"
   # Beware when calling this on "peering" routes, not to override tags with the target peer's one.
   # tags:
   #   Name: "example"
diff --git a/roles/aws/aws_vpc_route/defaults/main.yml b/roles/aws/aws_vpc_route/defaults/main.yml
index 761688753..9481a06ab 100644
--- a/roles/aws/aws_vpc_route/defaults/main.yml
+++ b/roles/aws/aws_vpc_route/defaults/main.yml @@ -1,7 +1,7 @@ # @todo Support associating route with several subnets. aws_vpc_route: aws_profile: "{{ _aws_profile }}" - region: eu-west-3 + region: "{{ _aws_region }}" # Beware when calling this on "peering" routes, not to override tags with the target peer's one. # tags: # Name: "example" diff --git a/roles/aws/aws_vpc_subnet/README.md b/roles/aws/aws_vpc_subnet/README.md index 588531c0b..a576977f7 100644 --- a/roles/aws/aws_vpc_subnet/README.md +++ b/roles/aws/aws_vpc_subnet/README.md @@ -10,7 +10,7 @@ aws_vpc_subnet: vpc_id: vpc-XXXX # One of vpc_id or vpc_name is mandatory. # vpc_name: example-vpc aws_profile: "{{ _aws_profile }}" - region: eu-west-3 + region: "{{ _aws_region }}" subnets: - cidr_block: "10.0.0.0/24" az: b diff --git a/roles/aws/aws_vpc_subnet/defaults/main.yml b/roles/aws/aws_vpc_subnet/defaults/main.yml index 751a5ecf6..812525289 100644 --- a/roles/aws/aws_vpc_subnet/defaults/main.yml +++ b/roles/aws/aws_vpc_subnet/defaults/main.yml @@ -2,7 +2,7 @@ aws_vpc_subnet: vpc_id: vpc-XXXX # One of vpc_id or vpc_name is mandatory. # vpc_name: example-vpc aws_profile: "{{ _aws_profile }}" - region: eu-west-3 + region: "{{ _aws_region }}" subnets: - cidr_block: "10.0.0.0/24" az: b diff --git a/roles/aws_cloudwatch_agent/README.md b/roles/aws_cloudwatch_agent/README.md index 55fa36c6f..133e15f9f 100644 --- a/roles/aws_cloudwatch_agent/README.md +++ b/roles/aws_cloudwatch_agent/README.md @@ -26,7 +26,7 @@ aws_cloudwatch_agent: credentials: aws_access_key_id: XXX aws_secret_access_key: XXX - region: "eu-west-3" + region: "{{ _aws_region }}" ``` diff --git a/roles/aws_cloudwatch_agent/defaults/main.yml b/roles/aws_cloudwatch_agent/defaults/main.yml index 222df4c88..f73385114 100644 --- a/roles/aws_cloudwatch_agent/defaults/main.yml +++ b/roles/aws_cloudwatch_agent/defaults/main.yml 
@@ -13,4 +13,4 @@ aws_cloudwatch_agent: credentials: aws_access_key_id: XXX aws_secret_access_key: XXX - region: "eu-west-3" + region: "{{ _aws_region }}" diff --git a/roles/aws_ssm_agent/README.md b/roles/aws_ssm_agent/README.md index 3779a2504..18117d2cf 100644 --- a/roles/aws_ssm_agent/README.md +++ b/roles/aws_ssm_agent/README.md @@ -10,7 +10,7 @@ Install and configure the SSM agent. ```yaml --- aws_ssm_agent: - region: "eu-west-2" + region: "{{ _aws_region }}" ``` diff --git a/roles/aws_ssm_agent/defaults/main.yml b/roles/aws_ssm_agent/defaults/main.yml index cd6277397..4b9e1736f 100644 --- a/roles/aws_ssm_agent/defaults/main.yml +++ b/roles/aws_ssm_agent/defaults/main.yml @@ -1,3 +1,3 @@ --- aws_ssm_agent: - region: "eu-west-2" + region: "{{ _aws_region }}" diff --git a/roles/ce_patcher/README.md b/roles/ce_patcher/README.md index 60af6178a..7699d8d82 100644 --- a/roles/ce_patcher/README.md +++ b/roles/ce_patcher/README.md @@ -5,4 +5,12 @@ Runs automated patching for apt-based package management systems. +## Default variables +```yaml +--- +ce_patcher: + username: controller + reboot: false +``` + diff --git a/roles/firewall_config/README.md b/roles/firewall_config/README.md index a4ef8a05b..b0390b774 100644 --- a/roles/firewall_config/README.md +++ b/roles/firewall_config/README.md 
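Review bot: The `credentials` block still carries static `aws_access_key_id: XXX` / `aws_secret_access_key: XXX` placeholders next to the newly templated `region`, and neither the defaults nor the README say that these are optional or must never be committed. The repo already provides `aws/aws_iam_role` and `aws_ec2_with_eip` takes an `iam_role_name`, so an instance profile is the safer way to grant the agent its CloudWatch permissions without a long-lived key on disk. I would add above `credentials:` a comment such as `# Prefer an instance profile (see aws/aws_iam_role) over static keys; if keys are unavoidable, keep them in a vault, never in this file.` — assuming the role tolerates the keys being left empty, which the visible lines do not show.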
@@ -84,10 +84,21 @@ firewall_config: firewall_allowed_tcp_ports: - "989" - "990" + letsencrypt: + firewall_allowed_tcp_ports: + - "80" ossec: firewall_allowed_udp_ports: - "1514" - "1515" + openvpn: + firewall_allowed_udp_ports: + - "1194" + firewall_additional_rules: + - "echo 1 > /proc/sys/net/ipv4/ip_forward" # Enable forwarding of IP + - "iptables -A INPUT -s 10.8.0.0/24 -i tun0 -j ACCEPT" # Accept traffic from the VPN on all interfaces - change this if you change openvpn_config default addresses + - "iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT" # Forward traffic from the VPN interface out via eth0 + - "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE" # Replace the source IP with the eth0 public IP when forwarding outbound ``` diff --git a/roles/gitlab/README.md b/roles/gitlab/README.md index 292222b85..17973d335 100644 --- a/roles/gitlab/README.md +++ b/roles/gitlab/README.md @@ -27,11 +27,14 @@ gitlab: unicorn_worker_processes: 2 puma_worker_processes: 2 initial_root_password: "" - ldap: false + ldap: false # enable/disable LDAP integration ldap_endpoint: "{{ ldap_client.endpoints[0] }}" ldap_lookup_base: "{{ ldap_client.lookup_base }}" ldap_binddn: "{{ ldap_client.binddn }}" ldap_bindpw: "{{ ldap_client.bindpw }}" + prometheus: "true" # enable/disable built-in Prometheus + node_exporter: "true" # enable/disable built-in Prometheus Node Exporter + alertmanager: "true" # enable/disable built-in Prometheus Alertmanager nginx: listen_port: 8881 listen_https: nil diff --git a/roles/gitlab_runner/README.md b/roles/gitlab_runner/README.md index 643664948..5443e588f 100644 --- a/roles/gitlab_runner/README.md +++ b/roles/gitlab_runner/README.md 
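Review bot: The new `openvpn` entry in `firewall_additional_rules` forwards VPN traffic out with `iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT` but adds no matching return rule, so if the FORWARD chain's policy is DROP the replies from eth0 back to tun0 are dropped; add `- "iptables -A FORWARD -i eth0 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"` beside it. These are plain `-A` appends run as shell commands, so each re-run of the play duplicates them unless the role flushes the chains first — worth stating in the comment, or guarding each with `iptables -C ... || iptables -A ...`. `echo 1 > /proc/sys/net/ipv4/ip_forward` does not survive a reboot; `sysctl -w net.ipv4.ip_forward=1` plus an `/etc/sysctl.d` entry (or the Ansible `sysctl` module) is the durable form. The comment on the `INPUT -s 10.8.0.0/24 -i tun0 -j ACCEPT` rule says "on all interfaces" while the rule is bound to `tun0`; it should say it admits VPN client traffic arriving on tun0.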
@@ -40,10 +40,14 @@ gitlab_runner: # cleanup_args: '["--config", "/etc/gitlab-runner/fargate.toml", "custom", "cleanup"]' install_fargate: false restart: true # set to false if you're applying settings to a server responsible for its own runners + username: "{{ _ce_deploy.username }}" + docker_group: "docker" + runner_workingdir: "/home/{{ _ce_deploy.username }}/build" + runner_config: "/etc/gitlab-runner/config.toml" # see https://gitlab.com/gitlab-org/ci-cd/custom-executor-drivers/fargate/-/tree/master/docs fargate: cluster: "my-cluster" # ECS cluster name - region: "eu-west-1" + region: "{{ _aws_region }}" subnet: "subnet-abcdef123456" # subnet ID security_group: "sg-abcdef123456" # SG ID task_definition: "my-task:1" # task definition in format name:revision, if revision is not provided ECS will use latest diff --git a/roles/gitlab_runner/defaults/main.yml b/roles/gitlab_runner/defaults/main.yml index 69c9bb004..44f949470 100644 --- a/roles/gitlab_runner/defaults/main.yml +++ b/roles/gitlab_runner/defaults/main.yml @@ -35,7 +35,7 @@ gitlab_runner: # see https://gitlab.com/gitlab-org/ci-cd/custom-executor-drivers/fargate/-/tree/master/docs fargate: cluster: "my-cluster" # ECS cluster name - region: "eu-west-1" + region: "{{ _aws_region }}" subnet: "subnet-abcdef123456" # subnet ID security_group: "sg-abcdef123456" # SG ID task_definition: "my-task:1" # task definition in format name:revision, if revision is not provided ECS will use latest diff --git a/roles/gpg_key/README.md b/roles/gpg_key/README.md index 7730c0731..66f867ba5 100644 --- a/roles/gpg_key/README.md +++ b/roles/gpg_key/README.md @@ -7,6 +7,9 @@ Generates a passwordless GPG key for a given user or users. ## Default variables ```yaml --- +gpg_key_servers: + - hkps://pgp.mit.edu + - hkps://keys.openpgp.org gpg_key: - username: example # Must exist already on the server. publish: false # Whether to publish to HKS public servers. 
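Review bot: `docker_group: "docker"` is introduced without a caveat: membership of the docker group gives control of the Docker socket, which is root-equivalent on the host, so the runner user `{{ _ce_deploy.username }}` and every CI job it executes inherit that. If this is intended for the docker executor, say so in a comment, e.g. `docker_group: "docker" # NOTE: docker group membership is root-equivalent on the host; only use on dedicated runner machines`, and the same consideration applies to `runner_workingdir` living under that user's home. The enclosing `gitlab_runner:` mapping starts outside the hunk.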
diff --git a/roles/ldap_server/README.md b/roles/ldap_server/README.md index fb44b0f0e..bb30ec656 100644 --- a/roles/ldap_server/README.md +++ b/roles/ldap_server/README.md @@ -80,9 +80,19 @@ ldap_server: # Execution order can be important, so ensure your files are named in alphabetical order. path: "{{ _ce_provision_base_dir }}/config/files/ldap_server/config" purge: false + backup: false # set to true to create local backups of LDAP + backup_path: /opt/slap-bak + backup_minute: "45" + backup_hour: "23" + # TLS settings in LDAP are not separately handled, you need to manually set it up or use the config import feature. + # If you use 'manual' SSL handling you need to provide a separate CA certificate. + # If you use 'letsencrypt' SSL handling then the LDAP TLS settings in your imported config should be as follows: + # olcTLSCACertificateFile: /etc/letsencrypt/live/{{ _domain_name }}/chain.pem + # olcTLSCertificateFile: /etc/letsencrypt/live/{{ _domain_name }}/cert.pem + # olcTLSCertificateKeyFile: /etc/letsencrypt/live/{{ _domain_name }}/privkey.pem ssl: # @see the 'ssl' role - does nothing by default. domain: "{{ _domain_name }}" - handling: "unmanaged" # LDAP needs to use 'manual' handling for SSL because a separate CA certificate is required. + handling: "unmanaged" key: "" cert: "" ca_cert: "" diff --git a/roles/openvpn_config/README.md b/roles/openvpn_config/README.md index c246be9dc..02bbd8167 100644 --- a/roles/openvpn_config/README.md +++ b/roles/openvpn_config/README.md 
@@ -9,6 +9,60 @@ This role is used to install an OpenVPN server with an Ansible Galaxy role and c ## Default variables ```yaml +--- +openvpn_config: + install: true # set to false if we do not want to overwrite the existing VPN certs + + # Defaults from https://github.com/robertdebock/ansible-role-openvpn/blob/master/vars/main.yml + configuration_directory: /etc/openvpn + easyrsa_path: /usr/share/easy-rsa + service: "openvpn@server" + server_ip_range: "server 10.8.0.0 255.255.255.0" + # Additional options + force_redirect_gateway: true + compress: true + no_client_cert: true + custom_directives: [] # optional list of directives, i.e. push routes + # - directive 1 + # - directive 2 + # - directive N + + # easy-rsa vars for generating VPN certs + certs: + cn: "{{ _domain_name }}" + dn_mode: org # choices are org or cn_only + country: US + province: California + city: San Francisco + org: Copyleft Certificate Co + email: me@example.com + org_unit: My Organizational Unit + + # LDAP configuration + ldap: + install: false + url: ldaps://ldap.example.com,ldaps://ldap2.example.com + tls: false # set to true to use TLS on port 389 / ldap:// + tls_cert: /etc/ldap/ssl/ldap.CA.pem + tls_cert_local: "" # Set this to the path on the Ansible controller if you want to copy it to the target + timeout: '15' + basedn: dc=example,dc=com + search_filter: (&(objectClass=posixAccount)(uid=%u)) + require_group: true # set to false to allow any valid user in the basedn to login + group_basedn: ou=Groups,dc=example,dc=com + group_filter: (|(cn=vpnguests)(cn=sysadmins)) + + # PAM configuration - you need to manage the anthentication methods for your VPN via pam_config + # By default we assume the pam_ldap role is installed and configured + # VPN auth will be carried out against the nslcd daemon settings + pam: + install: false + pam_config: | + auth sufficient pam_ldap.so + auth required pam_deny.so + + account required pam_ldap.so + account required pam_permit.so ```
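Review bot: `compress: true` as a default enables OpenVPN link compression, which is the precondition for the VORACLE-style compression-oracle attack on tunnelled traffic and which upstream OpenVPN has deprecated; default it to `false` with `compress: false # compression enables VORACLE-type attacks; leave disabled`. `no_client_cert: true` means the server does not require a client certificate, and with `ldap.install: false` and `pam.install: false` as shipped the role is left with password-only authentication unless the operator turns one of them on — the comment should say so and recommend keeping client certificates for an internet-facing VPN. `ldap.tls: false` sits beside `ldaps://` URLs while its comment talks about TLS on port 389 / `ldap://`, which reads as contradictory; state explicitly that with `ldaps://` it stays false and whether `tls_cert` is still used to verify the server in that mode, if that is how the role wires it. `timeout: '15'` is quoted while every other numeric value is bare; pick one style.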