
Add minimal Ansible skeleton for perfSONAR testpoint deployment#4

Closed
Copilot wants to merge 3 commits into master from copilot/fix-89601397-483372640-90a949af-d6ef-4f85-a423-8378bb804bf1

Conversation


Copilot AI commented Nov 3, 2025

Adds idempotent Ansible automation under ansible/ to deploy perfSONAR testpoints on RHEL-family systems with optional fail2ban, SELinux, and nftables configuration.

Structure

  • ansible/site.yml - Main playbook with feature toggles (all default false)
  • ansible/inventory.example - Sample inventory
  • ansible/group_vars/testpoints.yml - Overridable defaults
  • ansible/roles/ - Four roles: testpoint, fail2ban, selinux, nftables

Key Design Choices

Feature toggles - Boolean flags control optional components:

```yaml
enable_fail2ban: false  # Install fail2ban with conservative sshd jail
enable_selinux: false   # Set SELinux state (enforcing/permissive)
enable_nftables: false  # Deploy minimal firewall (DROP policy, SSH allowed)
```

OS guards - Tasks conditional on ansible_facts.os_family == 'RedHat' to prevent failures on unsupported platforms.

Minimal nftables ruleset - Allows only SSH (22), loopback, and established connections by default. perfSONAR ports commented out for user discretion.

Overridable services and sysctls - Variables for testpoint_services and testpoint_sysctls allow version-specific customization.

Usage

```bash
ansible-playbook -i ansible/inventory.example ansible/site.yml \
  -e enable_fail2ban=true -e enable_nftables=true
```

README provides complete documentation. No CI changes included per requirements.


*This pull request was created as a result of the following prompt from Copilot chat.*
> Goal
> Add a minimal, idempotent Ansible skeleton to this repository to help users quickly deploy a perfSONAR testpoint with optional features that can be toggled on or off: fail2ban, SELinux, and nftables. Keep scope minimal and self-contained under an ansible/ directory. Provide clear defaults and a simple example inventory so users can run a single command to provision a host.
> 
> Context
> - This repository powers OSG networking documentation via MkDocs. This PR focuses only on adding automation scaffolding; documentation nav updates can come later. The added ansible/ README should give all instructions needed to try the automation now.
> - Target platforms: prioritize RHEL family (RHEL/Alma/Rocky 8/9). Leave TODO markers for Debian/Ubuntu if not readily testable; keep tasks guarded to avoid breaking on unsupported platforms.
> 
> Requirements
> 1) New top-level directory: ansible/
> 2) Provide a simple inventory example, a site.yml play, roles for testpoint, fail2ban, selinux, nftables, and sane defaults via group_vars.
> 3) Feature toggles (booleans) to turn optional components on/off:
>    - enable_fail2ban (default: false)
>    - enable_selinux (default: false)
>    - enable_nftables (default: false)
> 4) perfSONAR basics:
>    - Install perfsonar-testpoint package (RHEL-family).
>    - Enable/start required services (pscheduler-scheduler, pscheduler-runner). If service names differ in some versions, allow easy override via vars.
>    - Apply a small set of sysctl tunings with an overridable list variable.
> 5) fail2ban basics:
>    - Install, enable, and provide a minimal sshd jail with conservative defaults.
> 6) SELinux basics:
>    - Provide a role that can ensure enforcing/permissive using ansible.posix.selinux when available, guarded if SELinux is not present.
>    - Default to no change unless enable_selinux=true.
> 7) nftables basics:
>    - Install nftables, deploy a minimal config that allows loopback, established/related, SSH (22), and placeholder rules for perfSONAR ports commented out by default.
>    - Enable service and load rules via handler; warn in README about conflicts with other firewalls.
> 8) README under ansible/ with quickstart usage, toggles, and example commands.
> 9) Keep code style simple; no CI changes in this PR.
> 
> Please add the following files with the exact contents below.
> 
> ````markdown name=ansible/README.md
> # Ansible: perfSONAR Testpoint (Minimal Skeleton)
> 
> This minimal Ansible skeleton installs and configures a perfSONAR testpoint on RHEL-family systems with optional features you can toggle:
> - fail2ban
> - SELinux
> - nftables
> 
> It is designed to be small, idempotent, and easy to try. Extend as needed for your environment.
> 
> ## Prerequisites
> - Control node with Ansible >= 2.12
> - Target host: RHEL/Alma/Rocky 8/9 (sudo privileges)
> - Network access to OS and perfSONAR repos
> 
> ## Inventory Example
> See [inventory.example](inventory.example). Place your target host(s) in the `testpoints` group.
> 
> ## Feature Toggles
> These booleans can be set in group_vars, host_vars, or via `-e` extra vars:
> - `enable_fail2ban` (default: false)
> - `enable_selinux`   (default: false)
> - `enable_nftables`  (default: false)
> 
> Additional variables:
> - `selinux_state`: enforcing | permissive | disabled (default: enforcing when enabled)
> - `testpoint_sysctls`: list of sysctl name/value pairs (default provided)
> - `testpoint_services`: list of services to enable/start (default provided)
> 
> ## Quick Start
> ```bash
> # Dry run
> ansible-playbook -i ansible/inventory.example ansible/site.yml --check
> 
> # Apply with optional features enabled
> ansible-playbook -i ansible/inventory.example ansible/site.yml \
>   -e enable_fail2ban=true -e enable_selinux=true -e enable_nftables=true
> ```
> 
> ## Notes
> - nftables: This deploys a minimal ruleset to `/etc/nftables.conf` and enables the nftables service. If you already use another firewall (firewalld/iptables), test carefully and avoid conflicts.
> - SELinux: The role sets the SELinux mode only when `enable_selinux=true`. On systems without SELinux, the role is skipped.
> - Debian/Ubuntu: Not tested here. Tasks are guarded where practical; contributions welcome.
> 
> ## Uninstall / Revert
> - Remove packages if desired and restore prior firewall configuration manually. This skeleton does not attempt to revert system-wide firewall configuration automatically.
> ````
> 
> ```ini name=ansible/inventory.example
> [testpoints]
> ps-testpoint-01.example.org ansible_user=ec2-user
> ```
> 
> ```yaml name=ansible/site.yml
> - hosts: testpoints
>   become: true
>   vars:
>     enable_fail2ban: false
>     enable_selinux: false
>     enable_nftables: false
> 
>     # Defaults can be overridden in group_vars/ or via -e
>     selinux_state: enforcing
>     testpoint_services:
>       - pscheduler-scheduler
>       - pscheduler-runner
>     testpoint_sysctls:
>       - { name: 'net.core.rmem_max', value: '67108864' }
>       - { name: 'net.core.wmem_max', value: '67108864' }
> 
>   roles:
>     - role: testpoint
>     - { role: fail2ban, when: enable_fail2ban }
>     - { role: selinux,  when: enable_selinux }
>     - { role: nftables, when: enable_nftables }
> ```
> 
> ```yaml name=ansible/group_vars/testpoints.yml
> # Defaults for the testpoints group — override as needed
> enable_fail2ban: false
> enable_selinux: false
> enable_nftables: false
> 
> selinux_state: enforcing
> 
> # Services may vary by version; override if needed
> testpoint_services:
>   - pscheduler-scheduler
>   - pscheduler-runner
> 
> # Baseline sysctl tuning (override to suit your NIC/OS)
> testpoint_sysctls:
>   - { name: 'net.core.rmem_max', value: '67108864' }
>   - { name: 'net.core.wmem_max', value: '67108864' }
> ```
> 
> ```yaml name=ansible/roles/testpoint/tasks/main.yml
> ---
> - name: Ensure perfSONAR repositories are available (RHEL-family)
>   package:
>     name: perfsonar-release
>     state: present
>   when: ansible_facts.os_family == 'RedHat'
>   tags: ['perfsonar', 'packages']
> 
> - name: Install perfSONAR testpoint packages
>   package:
>     name: perfsonar-testpoint
>     state: present
>   tags: ['perfsonar', 'packages']
> 
> - name: Enable and start perfSONAR services
>   service:
>     name: "{{ item }}"
>     state: started
>     enabled: true
>   loop: "{{ testpoint_services }}"
>   tags: ['perfsonar', 'services']
> 
> - name: Apply baseline sysctl tuning
>   sysctl:
>     name: "{{ item.name }}"
>     value: "{{ item.value }}"
>     sysctl_set: yes
>     state: present
>     reload: yes
>   loop: "{{ testpoint_sysctls }}"
>   tags: ['perfsonar', 'sysctl']
> ```
> 
> ```yaml name=ansible/roles/fail2ban/tasks/main.yml
> ---
> - name: Install fail2ban
>   package:
>     name: fail2ban
>     state: present
>   tags: ['fail2ban', 'packages']
> 
> - name: Enable and start fail2ban
>   service:
>     name: fail2ban
>     state: started
>     enabled: true
>   tags: ['fail2ban', 'services']
> 
> - name: Deploy perfSONAR-friendly jail config (sshd)
>   template:
>     src: jail.local.j2
>     dest: /etc/fail2ban/jail.d/perfsonar.local
>     mode: '0644'
>   notify: Restart fail2ban
>   tags: ['fail2ban', 'config']
> ```
> 
> ```ini name=ansible/roles/fail2ban/templates/jail.local.j2
> [sshd]
> enabled = true
> bantime = 3600
> findtime = 600
> maxretry = 6
> ```
> 
> ```yaml name=ansible/roles/fail2ban/handlers/main.yml
> ---
> - name: Restart fail2ban
>   service:
>     name: fail2ban
>     state: restarted
> ```
> 
> ```yaml name=ansible/roles/selinux/tasks/main.yml
> ---
> - name: Gather SELinux facts
>   setup:
>     filter: ansible_selinux
>   tags: ['selinux']
> 
> - name: Ensure SELinux state as requested
>   ansible.posix.selinux:
>     policy: targeted
>     state: "{{ selinux_state }}"
>   when: ansible_facts.selinux is defined and ansible_facts.selinux.status != 'disabled'
>   tags: ['selinux']
> ```
> 
> ```yaml name=ansible/roles/nftables/tasks/main.yml
> ---
> - name: Install nftables
>   package:
>     name: nftables
>     state: present
>   tags: ['nftables', 'packages']
> 
> - name: Deploy minimal nftables rules
>   copy:
>     src: minimal.nft
>     dest: /etc/nftables.conf
>     mode: '0644'
>     backup: true
>   notify: Reload nftables
>   tags: ['nftables', 'config']
> 
> - name: Enable and start nftables
>   service:
>     name: nftables
>     state: started
>     enabled: true
>   tags: ['nftables', 'services']
> ```
> 
> ```nft name=ansible/roles/nftables/files/minimal.nft
> #!/usr/sbin/nft -f
> # Replace the whole ruleset on every load so re-running `nft -f` stays idempotent
> flush ruleset
>
> table inet filter {
>   # nft declares chains directly under the table; there is no `chains { }` wrapper
>   chain input {
>     type filter hook input priority 0; policy drop;
>     ct state established,related accept
>     iif lo accept
>     tcp dport { 22 } accept
>     # perfSONAR typical ports (uncomment and adapt as needed):
>     # udp dport { 861, 876, 883, 33434-33534 } accept  # owamp, twamp, traceroute range
>     # tcp dport { 5201 } accept                         # iperf3 throughput tests
>     counter drop
>   }
>   chain forward { type filter hook forward priority 0; policy drop; }
>   chain output  { type filter hook output  priority 0; policy accept; }
> }
> ```
> 
> ```yaml name=ansible/roles/nftables/handlers/main.yml
> ---
> - name: Reload nftables
>   command: nft -f /etc/nftables.conf
>   notify: Restart nftables
> 
> - name: Restart nftables
>   service:
>     name: nftables
>     state: restarted
> ```
> 
> Acceptance criteria
> - ansible/ directory and files are added as above.
> - Running `ansible-playbook -i ansible/inventory.example ansible/site.yml --check` completes without fatal errors on a RHEL-family target (assuming connectivity and repos are available).
> - With toggles enabled via `-e`, roles apply and services come up; nftables installs and loads rules; fail2ban starts; SELinux state changes when supported.
> - Code is readable, minimal, and documented in ansible/README.md.
> 
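
The nftables role above ships a default-drop input chain and reloads it with `nft -f`, so a typo in `minimal.nft` (for example opening only a port sshd does not listen on, or a stray unconditional `accept`) is either a lockout or a silently open host. The following is an added pre-deploy lint, not code from this PR or from perfSONAR; it parses only the subset of nft syntax the skeleton uses (one table, `chain NAME { ... }` blocks, one rule per line) and checks the properties the PR description promises. `SAMPLE_RULESET` is a constructed copy of the role's file; `parse_chains`, `tcp_ports_accepted` and `lint` are hypothetical helper names.

```python
"""Lint for the minimal nftables ruleset deployed by the nftables role.

Added example (not part of the PR). Checks: the input chain drops by default,
loopback and established/related traffic are accepted, the SSH port is
reachable, nothing is accepted unconditionally, the file uses valid chain
syntax and flushes before loading so the handler's `nft -f` is idempotent.
"""
import re
import sys

# Constructed sample mirroring ansible/roles/nftables/files/minimal.nft.
SAMPLE_RULESET = """\
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    tcp dport { 22 } accept
    # udp dport { 861, 876, 883, 33434-33534 } accept  # perfSONAR, left disabled
    counter drop
  }
  chain forward { type filter hook forward priority 0; policy drop; }
  chain output  { type filter hook output  priority 0; policy accept; }
}
"""


def parse_chains(text):
    """Return {name: {"hook": str|None, "policy": str|None, "rules": [str]}}."""
    text = re.sub(r"#.*", "", text)  # drop comments (and the shebang line)
    # Expand one-line chains so a single line walker handles both forms.
    text = re.sub(
        r"chain\s+(\w+)\s*\{(.*?)\}",
        lambda m: "chain %s {\n%s\n}" % (m.group(1), m.group(2).replace(";", ";\n")),
        text,
    )
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = re.match(r"chain\s+(\w+)\s*\{", line)
        if head:
            current = chains.setdefault(head.group(1), {"hook": None, "policy": None, "rules": []})
            continue
        if line == "}":
            current = None
            continue
        if current is None:  # table header, flush ruleset, stray braces
            continue
        for stmt in (s.strip() for s in line.split(";")):
            if not stmt:
                continue
            hook = re.match(r"type\s+\w+\s+hook\s+(\w+)", stmt)
            policy = re.match(r"policy\s+(\w+)", stmt)
            if hook:
                current["hook"] = hook.group(1)
            elif policy:
                current["policy"] = policy.group(1)
            else:
                current["rules"].append(stmt)
    return chains


def tcp_ports_accepted(rules):
    """Set of TCP destination ports accepted by rules like `tcp dport { 22, 5201 } accept`."""
    ports = set()
    for rule in rules:
        m = re.match(r"tcp\s+dport\s+\{?\s*([\d,\s-]+)\}?\s+accept$", rule)
        if not m:
            continue
        for item in (i.strip() for i in m.group(1).split(",")):
            if "-" in item:
                lo, hi = (int(x) for x in item.split("-"))
                ports.update(range(lo, hi + 1))
            elif item:
                ports.add(int(item))
    return ports


def lint(text, ssh_port=22):
    """Return human-readable findings; an empty list means the ruleset matches the README's claims."""
    findings = []
    if re.search(r"\bchains\s*\{", text):
        findings.append("'chains { }' wrapper is not nft syntax; declare each 'chain NAME { }' directly under the table")
    if "flush ruleset" not in text:
        findings.append("missing 'flush ruleset': re-running 'nft -f' appends duplicate rules instead of replacing them")
    inputs = [c for c in parse_chains(text).values() if c["hook"] == "input"]
    if not inputs:
        findings.append("no chain with 'hook input'; inbound traffic is not filtered")
        return findings
    chain, rules = inputs[0], inputs[0]["rules"]
    if chain["policy"] != "drop":
        findings.append("input chain policy is %r, expected 'drop'" % chain["policy"])
    if "iif lo accept" not in rules:
        findings.append("loopback not accepted; local services such as pscheduler will break")
    if not any(r.startswith("ct state") and "established" in r and r.endswith("accept") for r in rules):
        findings.append("established/related not accepted; replies to outbound connections are dropped")
    if ssh_port not in tcp_ports_accepted(rules):
        findings.append("TCP %d (sshd) is not accepted: applying this ruleset locks you out" % ssh_port)
    if any(r in ("accept", "counter accept") for r in rules):
        findings.append("unconditional accept in input chain defeats the drop policy")
    return findings


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULESET
    problems = lint(source)
    for p in problems:
        print("FAIL:", p)
    print("OK: ruleset matches the documented policy" if not problems else "%d finding(s)" % len(problems))
    sys.exit(1 if problems else 0)
```

Run it as `python3 nft_lint.py ansible/roles/nftables/files/minimal.nft` on the control node before the play; pass `ssh_port` matching your sshd configuration if it is not 22, since the lint otherwise cannot tell a deliberate port change from a lockout. It is a static check on the file only; `nft -c -f` on the target remains the authoritative syntax check.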


Copilot AI and others added 2 commits November 3, 2025 17:10
Co-authored-by: ShawnMcKee <3066214+ShawnMcKee@users.noreply.github.com>
Co-authored-by: ShawnMcKee <3066214+ShawnMcKee@users.noreply.github.com>
Copilot AI changed the title [WIP] Add minimal Ansible skeleton for perfSONAR testpoint with feature toggles (fail2ban, SELinux, nftables) Add minimal Ansible skeleton for perfSONAR testpoint deployment Nov 3, 2025
Copilot AI requested a review from ShawnMcKee November 3, 2025 17:15
@ShawnMcKee

@copilot Submit

@ShawnMcKee ShawnMcKee closed this Nov 3, 2025
@ShawnMcKee ShawnMcKee deleted the copilot/fix-89601397-483372640-90a949af-d6ef-4f85-a423-8378bb804bf1 branch November 3, 2025 22:31