migrate instance setup to individual playbooks for olam

Author: bgraef

olam/check_instance_available.yml

@@ -0,0 +1,40 @@
+---
+# Copyright (c) 2024 2025 Oracle and/or its affiliates.
+# This software is made available to you under the terms of the Universal Permissive License (UPL), Version 1.0.
+# The Universal Permissive License (UPL), Version 1.0 (see COPYING or https://oss.oracle.com/licenses/upl)
+# See LICENSE.TXT for details.
+
+- name: Configure new instances
+  hosts: all:!localhost
+  gather_facts: false
+  vars_files:
+    - default_vars.yml
+    - oci_vars.yml
+
+  tasks:
+
+    - name: Wait for systems to become reachable using ssh
+      ansible.builtin.wait_for:
+        port: 22
+        host: '{{ (ansible_ssh_host | default(ansible_host)) | default(inventory_hostname) }}'
+        search_regex: OpenSSH
+        delay: 10
+        timeout: 300
+
+    - name: Get a set of all available facts
+      ansible.builtin.setup:
+
+    - name: Print in-memory inventory # noqa: run-once[task]
+      ansible.builtin.debug:
+        msg: "{{ groups['all'] }}"
+      delegate_to: localhost
+      run_once: true
+      when: debug_enabled
+
+    - name: Print all variables/facts known for a host # noqa: run-once[task]
+      ansible.builtin.debug:
+        msg: "{{ hostvars[item] }}"
+      loop: "{{ groups['all'] | flatten(levels=1) }}"
+      delegate_to: localhost
+      run_once: true
+      when: debug_enabled

olam/configure_passwordless_ssh.yml

@@ -0,0 +1,85 @@
+---
+# Copyright (c) 2024 Oracle and/or its affiliates.
+# This software is made available to you under the terms of the Universal Permissive License (UPL), Version 1.0.
+# The Universal Permissive License (UPL), Version 1.0 (see COPYING or https://oss.oracle.com/licenses/upl)
+# See LICENSE.TXT for details.
+
+- name: Configure passwordless ssh between hosts
+  hosts: all:!localhost
+  vars_files:
+    - default_vars.yml
+    - oci_vars.yml
+
+  tasks:
+
+    - name: Generate ssh keypair for user
+      community.crypto.openssh_keypair:
+        path: ~/.ssh/id_rsa
+        size: 2048
+        comment: ol ssh keypair
+      become: true
+      become_user: "{{ username }}"
+
+    - name: Fetch public key file
+      ansible.builtin.fetch:
+        src: "~/.ssh/id_rsa.pub"
+        dest: "buffer/{{ inventory_hostname }}-id_rsa.pub"
+        flat: true
+      become: true
+      become_user: "{{ username }}"
+
+    - name: Copy public key to each destination
+      ansible.posix.authorized_key:
+        user: "{{ username }}"
+        state: present
+        key: "{{ lookup('file', 'buffer/{{ item }}-id_rsa.pub') }}"
+      # loop: "{{ groups['all'] | flatten(levels=1) }}"
+      loop: "{{ ansible_play_hosts_all | difference(['localhost']) }}"
+      become: true
+
+    # - name: Copy public key to each destination for root
+    #   ansible.posix.authorized_key:
+    #     user: "root"
+    #     state: present
+    #     key: "{{ lookup('file', 'buffer/{{ item }}-id_rsa.pub') }}"
+    #   loop: "{{ groups['all'] | flatten(levels=1) }}"
+    #   become: true
+
+    - name: Print hostvars for groups
+      ansible.builtin.debug:
+        msg: "{{ hostvars[item] }}"
+      # loop: "{{ groups['all'] | flatten(levels=1) }}"
+      loop: "{{ ansible_play_hosts_all | difference(['localhost']) }}"
+      when: debug_enabled
+
+    - name: Print vcn subnet_domain_name
+      ansible.builtin.debug:
+        var: my_subnet1_domain_name
+      when: debug_enabled
+
+    - name: Accept new ssh fingerprints
+      ansible.builtin.shell: |
+        ssh-keyscan -t ecdsa-sha2-nistp256 \
+        {{ hostvars[item].ansible_hostname }},\
+        {{ hostvars[item].ansible_default_ipv4.address }},\
+        {{ hostvars[item].ansible_hostname + '.' + my_subnet1_domain_name }} >> ~/.ssh/known_hosts
+      with_items:
+        # - "{{ groups['all'] }}"
+        "{{ ansible_play_hosts_all | difference(['localhost']) }}"
+      become: true
+      become_user: "{{ username }}"
+      register: result
+      changed_when: result.rc == 0
+
+    # - name: Accept new ssh fingerprints for root
+    #   ansible.builtin.shell: |
+    #     ssh-keyscan -t ecdsa-sha2-nistp256 \
+    #     {{ hostvars[item].ansible_hostname }},\
+    #     {{ hostvars[item].ansible_default_ipv4.address }},\
+    #     {{ hostvars[item].ansible_hostname + '.' + my_subnet1_domain_name }} >> ~/.ssh/known_hosts
+    #   with_items:
+    #     - "{{ groups['all'] }}"
+    #   become: true
+    #   become_user: "root"
+    #   register: result
+    #   changed_when: result.rc == 0

olam/create_instance.yml

@@ -261,70 +261,18 @@
       ansible.builtin.include_tasks: "build.yml"
       loop: "{{ lookup('dict', compute_instances, wantlist=True) }}"
 
-- name: Configure new instances
-  hosts: all
-  become: true
-  gather_facts: false
-  vars_files:
-    - default_vars.yml
-    - oci_vars.yml
-  vars:
-    username: "oracle"
-    user_default_password: "oracle"
-    private_key: "id_rsa"
-    debug_enabled: false
+- name: Check if instances are available
+  ansible.builtin.import_playbook: "check_instance_available.yml"
 
-  tasks:
-
-    - name: Wait for systems to become reachable
-      ansible.builtin.wait_for_connection:
-      vars:
-        python_version: "/usr/bin/python3"
-        ansible_python_interpreter: "{{ python_version if localhost_python_interpreter is defined | default(omit) }}"
+- name: Setup and configure instance basics
+  ansible.builtin.import_playbook: "provision_instance_basics.yml"
 
-    - name: Get a set of all available facts
-      ansible.builtin.setup:
+- name: Configure passwordless SSH
+  ansible.builtin.import_playbook: "configure_passwordless_ssh.yml"
 
-    - name: Print in-memory inventory
-      ansible.builtin.debug:
-        msg: "{{ groups['all'] }}"
-      delegate_to: localhost
-      when:
-        - debug_enabled
-        - inventory_hostname == ansible_play_hosts_all[0]
-
-    - name: Print all variables/facts known for a host
-      ansible.builtin.debug:
-        msg: "{{ hostvars[item] }}"
-      loop: "{{ groups['all'] | flatten(levels=1) }}"
-      delegate_to: localhost
-      when:
-        - debug_enabled
-        - inventory_hostname == ansible_play_hosts_all[0]
-
-    - name: Configure instance
-      ansible.builtin.include_tasks: "host_setup.yml"
-      when: >-
-        inventory_hostname in
-          groups['control']|default([])
-          + groups['server']|default([])
-          + groups['execution']|default([])
-          + groups['db']|default([])
-
-    - name: Configure passwordless SSH
-      ansible.builtin.include_tasks: "passwordless_setup.yml"
-      when: passwordless_ssh
-
-    - name: Install Oracle Linux Automation Engine
-      ansible.builtin.dnf:
-        name:
-          - ansible-core
-        state: present
-      retries: 5
-      delay: 10
-      when:
-        - inventory_hostname in groups['control']|default([])
-        - use_olae_only
+- name: Install Oracle Linux Automation Engine
+  ansible.builtin.import_playbook: "deploy_olae.yml"
+  when: use_olae_only
 
 - name: Install Oracle Linux Automation Manager
   vars:

olam/deploy_olae.yml

@@ -0,0 +1,22 @@
+---
+# Copyright (c) 2024 2025 Oracle and/or its affiliates.
+# This software is made available to you under the terms of the Universal Permissive License (UPL), Version 1.0.
+# The Universal Permissive License (UPL), Version 1.0 (see COPYING or https://oss.oracle.com/licenses/upl)
+# See LICENSE.TXT for details.
+
+
+- name: Install Oracle Linux Automation Engine
+  hosts: control
+  vars_files:
+    - default_vars.yml
+  become: true
+
+  tasks:
+
+    - name: Install ansible-core package
+      ansible.builtin.dnf:
+        name:
+          - ansible-core
+        state: present
+      retries: 5
+      delay: 10

olam/provision_instance_basics.yml

@@ -0,0 +1,77 @@
+---
+# Copyright (c) 2024 2025 Oracle and/or its affiliates.
+# This software is made available to you under the terms of the Universal Permissive License (UPL), Version 1.0.
+# The Universal Permissive License (UPL), Version 1.0 (see COPYING or https://oss.oracle.com/licenses/upl)
+# See LICENSE.TXT for details.
+
+- name: Provision instance basics
+  hosts: control:server:execution:db
+  vars_files:
+    - default_vars.yml
+    - oci_vars.yml
+
+  tasks:
+
+    - name: Grow the root filesystem
+      ansible.builtin.shell: |
+        /usr/libexec/oci-growfs -y
+      become: true
+      register: result
+      changed_when: result.rc == 0
+
+    - name: Add user account with access to sudo
+      ansible.builtin.user:
+        name: "{{ username }}"
+        password: "{{ user_default_password | password_hash('sha512') }}"
+        comment: Ansible created user
+        groups: wheel
+        append: true
+        update_password: on_create
+      become: true
+
+    - name: Set authorized key for user using local public key file
+      ansible.posix.authorized_key:
+        user: "{{ username }}"
+        state: present
+        key: "{{ lookup('file', lookup('env', 'HOME') + '/.ssh/' + private_key + '.pub') }}"
+      become: true
+
+    - name: Set user with passwordless sudo access
+      vars:
+        sudo_content: "{{ username }} ALL=(ALL:ALL) NOPASSWD: ALL"
+      ansible.builtin.lineinfile:
+        path: "/etc/sudoers.d/{{ username }}"
+        regexp: "{{ username }} ALL="
+        line: "{{ sudo_content }}"
+        state: present
+        create: true
+        mode: "0644"
+      become: true
+
+    - name: Create the ansible tmp directory if it does not exist
+      ansible.builtin.file:
+        path: ~/.ansible/tmp
+        state: directory
+        mode: '0700'
+      become: true
+      become_user: "{{ username }}"
+
+    - name: Add locale settings to .bashrc
+      ansible.builtin.lineinfile:
+        dest: ~/.bashrc
+        line: "{{ item }}"
+      with_items:
+        - 'export LC_ALL="en_US.UTF-8"'
+        - 'export LC_CTYPE="en_US.UTF-8"'
+      become: true
+      become_user: "{{ username }}"
+
+    - name: Configure firewall to log denied packets
+      ansible.builtin.command:
+        cmd: firewall-cmd --set-log-denied=all
+      when: debug_enabled
+      register: firewall_result
+      changed_when: firewall_result.rc == 0
+      become: true
+
+    # Check denied packets with "journalctl -x -e" or with "dmesg | grep -i REJECT"