Merge pull request #5 from osg-htc/copilot/add-ansible-skeleton

Add minimal Ansible skeleton for perfSONAR testpoint deployment.  Retrying after broken link fixes.

Author: ShawnMcKee

ansible/README.md

@@ -0,0 +1,45 @@
+# Ansible: perfSONAR Testpoint (Minimal Skeleton)
+
+This minimal Ansible skeleton installs and configures a perfSONAR testpoint on RHEL-family systems with optional features you can toggle:
+- fail2ban
+- SELinux
+- nftables
+
+It is designed to be small, idempotent, and easy to try. Extend as needed for your environment.
+
+## Prerequisites
+- Control node with Ansible >= 2.12
+- Target host: RHEL/Alma/Rocky 8/9 (sudo privileges)
+- Network access to OS and perfSONAR repos
+
+## Inventory Example
+See [inventory.example](inventory.example). Place your target host(s) in the `testpoints` group.
+
+## Feature Toggles
+These booleans can be set in group_vars, host_vars, or via `-e` extra vars:
+- `enable_fail2ban` (default: false)
+- `enable_selinux`   (default: false)
+- `enable_nftables`  (default: false)
+
+Additional variables:
+- `selinux_state`: enforcing | permissive | disabled (default: enforcing when enabled)
+- `testpoint_sysctls`: list of sysctl name/value pairs (default provided)
+- `testpoint_services`: list of services to enable/start (default provided)
+
+## Quick Start
+```bash
+# Dry run
+ansible-playbook -i ansible/inventory.example ansible/site.yml --check
+
+# Apply with optional features enabled
+ansible-playbook -i ansible/inventory.example ansible/site.yml \
+  -e enable_fail2ban=true -e enable_selinux=true -e enable_nftables=true
+```
+
+## Notes
+- nftables: This deploys a minimal ruleset to `/etc/nftables.conf` and enables the nftables service. If you already use another firewall (firewalld/iptables), test carefully and avoid conflicts.
+- SELinux: The role sets the SELinux mode only when `enable_selinux=true`. On systems without SELinux, the role is skipped.
+- Debian/Ubuntu: Not tested here. Tasks are guarded where practical; contributions welcome.
+
+## Uninstall / Revert
+- Remove packages if desired and restore prior firewall configuration manually. This skeleton does not attempt to revert system-wide firewall configuration automatically.

ansible/group_vars/testpoints.yml

@@ -0,0 +1,16 @@
+# Defaults for the testpoints group — override as needed
+enable_fail2ban: false
+enable_selinux: false
+enable_nftables: false
+
+selinux_state: enforcing
+
+# Services may vary by version; override if needed
+testpoint_services:
+  - pscheduler-scheduler
+  - pscheduler-runner
+
+# Baseline sysctl tuning (override to suit your NIC/OS)
+testpoint_sysctls:
+  - { name: 'net.core.rmem_max', value: '67108864' }
+  - { name: 'net.core.wmem_max', value: '67108864' }

ansible/inventory.example

@@ -0,0 +1,2 @@
+[testpoints]
+ps-testpoint-01.example.org ansible_user=ec2-user

ansible/roles/fail2ban/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart fail2ban
+  service:
+    name: fail2ban
+    state: restarted

ansible/roles/fail2ban/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+- name: Install fail2ban
+  package:
+    name: fail2ban
+    state: present
+  tags: ['fail2ban', 'packages']
+
+- name: Enable and start fail2ban
+  service:
+    name: fail2ban
+    state: started
+    enabled: true
+  tags: ['fail2ban', 'services']
+
+- name: Deploy perfSONAR-friendly jail config (sshd)
+  template:
+    src: jail.local.j2
+    dest: /etc/fail2ban/jail.d/perfsonar.local
+    mode: '0644'
+  notify: Restart fail2ban
+  tags: ['fail2ban', 'config']

ansible/roles/fail2ban/templates/jail.local.j2

@@ -0,0 +1,5 @@
+[sshd]
+enabled = true
+bantime = 3600
+findtime = 600
+maxretry = 6

ansible/roles/nftables/files/minimal.nft

@@ -0,0 +1,17 @@
+table inet filter {
+  chains {
+    input {
+      type filter hook input priority 0;
+      policy drop;
+      ct state established,related accept
+      iif lo accept
+      tcp dport { 22 } accept
+      # perfSONAR typical ports (uncomment and adapt as needed):
+      # udp dport { 861, 876, 883, 33434-33534 } accept  # owamp, twamp, traceroute range
+      # tcp dport { 5201 } accept                         # iperf3 throughput tests
+      counter drop
+    }
+    forward { type filter hook forward priority 0; policy drop; }
+    output  { type filter hook output  priority 0; policy accept; }
+  }
+}

ansible/roles/nftables/handlers/main.yml

@@ -0,0 +1,9 @@
+---
+- name: Reload nftables
+  command: nft -f /etc/nftables.conf
+  notify: Restart nftables
+
+- name: Restart nftables
+  service:
+    name: nftables
+    state: restarted

ansible/roles/nftables/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+- name: Install nftables
+  package:
+    name: nftables
+    state: present
+  tags: ['nftables', 'packages']
+
+- name: Deploy minimal nftables rules
+  copy:
+    src: minimal.nft
+    dest: /etc/nftables.conf
+    mode: '0644'
+    backup: true
+  notify: Reload nftables
+  tags: ['nftables', 'config']
+
+- name: Enable and start nftables
+  service:
+    name: nftables
+    state: started
+    enabled: true
+  tags: ['nftables', 'services']

ansible/roles/selinux/tasks/main.yml

@@ -0,0 +1,12 @@
+---
+- name: Gather SELinux facts
+  setup:
+    filter: ansible_selinux
+  tags: ['selinux']
+
+- name: Ensure SELinux state as requested
+  ansible.posix.selinux:
+    policy: targeted
+    state: "{{ selinux_state }}"
+  when: ansible_facts.selinux is defined and ansible_facts.selinux.status != 'disabled'
+  tags: ['selinux']