perun-ansible/site.yml at master · xpavlic/perun-ansible · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
---
# Main perun orchestration playbook

# Steps to run:
# 1. change the inventories/prod file to contain your host name
# 2. create directory host_vars/<your host name>/ and copy there the files from host_vars/perun.example.com/
# 3. set all values in host_vars/<your host name>/vars.yml
# 4. edit vault by executing the command "ansible-vault -edit host_vars/<your host name>/passwords.yml" and set values in the file
# 5. change vault password by executing the command "ansible-vault rekey host_vars/<your host name>/passwords.yml"
# 6. run the playbook by executing the command "ansible-playbook -i inventories/prod --ask-vault-pass site.yml"

# you can run only specific parts of this playbook using --tags, and limit execution to selceted hosts using --limit, e.g.:
#  ansible-playbook -i inventories/all --ask-vault-pass site.yml --tags work-env,security,yubikey,unattended-upgrades --limit eduteams

- hosts: all
  remote_user: root
  pre_tasks:
    - name: Require Debian
      assert:
        that:
          - ansible_distribution == "Debian"
          - ansible_distribution_major_version in ["8", "9","10"]
        msg: "Only Debian 8+ is supported"

  roles:
    #
    # This role will set working environment to a sensible state.
    - { role: work-env, tags: work-env }
    #
    # This role will set up security measures like firewall.
    - { role: security, tags: security }
    #
    # This role will deploy authentication by hardware Yubikeys.
    - { role: yubikey, tags: yubikey }
    #
    # This role will deploy unattended upgrades of Debian OS.
    - { role: unattended-upgrades, tags: unattended-upgrades }
    #
    # This role will deploy components needed for passive checks from MetaCentrum's Nagios.
    - { role: monitoring, tags: monitoring }

- hosts: perun-servers
  remote_user: root
  pre_tasks:
  - name: Check that host's variables are loaded
    assert:
      that:
        - perun_login is defined
        - perun_hostname is defined
        - perun_email is defined
        - apache_certificate_file is defined
        - apache_certificate_key_file is defined
        - ldap_certificate_file is defined
        - ldap_certificate_key_file is defined
        - install_oracle is defined
      msg: "Create directory host_vars/{{inventory_hostname}}/, copy there file host_vars/perun.example.com/vars.yml and set all values in it"
    tags: ['perun', 'config', 'shibboleth', 'apache', 'tomcat', 'postgres', 'build', 'engine', 'wui', 'ldap' ]

  - name: Check that host's passwords are loaded
    assert:
      that:
        - password_perun_admin is defined
        - yubikey_key is defined
      msg: "Create directory host_vars/{{inventory_hostname}}/, copy there file host_vars/perun.example.com/passwords.yml and set all values in it"
    tags: ['perun', 'config', 'apache', 'tomcat', 'postgres', 'build', 'engine', 'wui', 'ldap' ]

  - name: Require Debian 9+
    assert:
      that:
        - ansible_distribution == "Debian"
        - ansible_distribution_major_version in ["9","10"]
      msg: "Only Debian 9+ is supported"
    tags: ['apache','postgres']

  - name:  Ansible 2.5+ required
    assert:
      that:
        - ansible_version is defined
        - ansible_version.full is version_compare('2.5', '>=')
      msg: "Required Ansible version is 2.5+ with import_role and package_facts"
    tags: ['shibboleth']


  roles:
    # NECESSARY ROLES
    # ---------------
    #
    # This role will check or create SSL/TLS certificates.
    - { role: certs-perun, become: true, tags: [ 'apache', 'postgres', 'ldap' ] }
    #
    # This role will create user perun and install basic software packages.
    - { role: perun, become: true, tags: [ 'perun', 'config', 'tomcat', 'postgres', 'build', 'deploy', 'ldap' ] }
    #
    # This role will create configuration files of Perun from templates.
    - { role: configuration-perun, become: true, tags: [ 'config', 'deploy', 'engine' ] }
    #
    # This role will install Shibboleth SP.
    - { role: shibboleth-perun, become: true, tags: [ 'shibboleth', 'apache' ] }
    #
    # This role will install Apache and its config files for Perun, needs Shibboleth.
    - { role: apache-perun, become: true, tags: [ 'apache', 'deploy'] }
    #
    # This role will install Tomcat and its config files for Perun.
    - { role: tomcat-perun, become: true, tags: [ 'tomcat', 'deploy' ] }
    #
    # This role will install Oracle DB drivers to Maven repo and to system Tomcat.
    - { role: oracle-perun, become: true, tags: oracle }
    #
    # This role will deploy PostgreSQL DB and create DB tables.
    - { role: postgres-perun, become: true, tags: postgres}
    #
    # This role will compile and package all Perun modules
    - { role: build-perun, become: true, tags: [ 'build', 'deploy', 'engine', 'ldap' ]}
    #
    # This role will deploy perun-rpc to Tomcat and perun-web-gui to Apache.
    - { role: deploy-perun, become: true, tags: deploy }
    #
    # This role will deploy engine with GEN/SEND scripts and CLI scripts.
    - { role: engine-perun, become: true, tags: engine }
    #
    # This role will deploy new web user interface of Perun.
    - { role: wui-perun, become: true, tags: wui}
    #
    # This role will deploy and configure LDAP server and LDAPc connector.
    - { role: ldap-perun, become: true, tags: ldap }
    #