Ansible

Snippets
# Check nodes availability
# (ad-hoc `ping` module: confirms SSH access and a working Python on every inventory host)
ansible -m ping all

# Make full init of new node new-node-1
# -k asks for the SSH password (first contact, before books/users has put a key in place);
# -l limits the run to that one host. ansible.cfg below has host_key_checking = false, so this
# first connection accepts whatever host answers on that IP -- check the fingerprint out of band.
ansible-playbook -k -l new-node-1 books/init

# Update all packages on all servers:
# (books/update does not ignore yum errors, unlike the upgrade step inside books/soft)
ansible-playbook -l all books/update

# Update users on all servers
# (re-applies the sudoers line, the admin account/key, and removes departed users)
ansible-playbook -l all books/users

# Install basic soft on web servers
ansible-playbook -l web books/soft
/etc/ansible/ansible.cfg
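[defaults]
# Inventory and custom-module locations. `hostfile` is the legacy spelling of `inventory`;
# kept as-is so older 2.x controllers still read it.
hostfile        = /etc/ansible/hosts
library         = /etc/ansible/modules/
# Target account for privilege escalation (`sudo_user` is the legacy name of `become_user`).
# Note the inventory already logs in as root, so become is effectively a no-op today.
sudo_user       = root
remote_tmp      = $HOME/.ansible/tmp
# Full task output is written here, including any variable values modules echo back.
# Keep the file readable by the ansible operator only.
log_path        = /var/log/ansible.log
#pipelining     = true
# SSH host-key verification stays ON. With it off, every run -- including the password-based
# first-contact run (`ansible-playbook -k`) -- would silently accept any machine answering on
# the target address, handing it the root password or a live session (MITM).
# For freshly built nodes pre-seed the controller's known_hosts (e.g. ssh-keyscan, checked
# against the console fingerprint) instead of disabling the check globally.
host_key_checking = True

# One controller key for every host: must be mode 0600, owned by the user running ansible,
# and rotated if that user or the controller is ever compromised.
private_key_file = /etc/ansible/priv.key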
/etc/ansible/hosts
# Variables applied to every host.
[all:vars]
ansible_connection=ssh 
# All plays log in directly as root; this is why books/prepare keeps `PermitRootLogin no`
# commented out. A dedicated automation user with sudo would allow closing root SSH logins.
# `ansible_ssh_user` / `ansible_ssh_host` are the pre-2.0 names (`ansible_user` / `ansible_host` today).
ansible_ssh_user=root
# NOTE(review): the next line is damaged -- it is an address-obfuscation artifact from the page
# this was copied from, not a valid inventory variable. Restore it from the original file before use.
[email protected]

# Backup server.
[main]
backup  ansible_ssh_host=10.0.0.50

# Web tier: load balancer plus two application nodes (books/soft is run against this group).
[web]
lb1	ansible_ssh_host=10.0.0.11
app1	ansible_ssh_host=10.0.0.21
app2	ansible_ssh_host=10.0.0.22
/etc/ansible/books/init
# Entry point for a freshly built node: runs the other books in this order.
# `- include:` of a playbook is the pre-2.4 form; on Ansible >= 2.4 use `import_playbook`.
# books/repos is NOT part of this sequence and has to be run on its own.
# Order matters: users runs before sshd/sudo would be needed by anyone else, iptables leaves
# the host with an empty ruleset, and nothing after it adds firewall rules.
- include: prepare
- include: users
- include: soft
- include: ntp
- include: iptables
- include: zabbix
- include: syslog
/etc/ansible/books/vars
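---
# Site-wide settings, loaded by each book with `include_vars: vars`.

# Outbound proxy: exported in /etc/bashrc and written to yum.conf by books/prepare.
proxyaddr: http://192.168.0.254:3128
# Postfix relayhost (placeholder domain -- replace with the real relay).
mailrelay: mail.youdomain.local
# rsyslog forwarding target as host:port. books/syslog uses it with a single '@' (UDP, plaintext).
syslogserver: '192.168.0.60:1514'

# Quoted on purpose: the value is spliced into a repository URL, and an unquoted 3.10 would
# be parsed as the float 3.1.
zabbixversion: '3.2'
zabbixserver: 192.168.0.50
zabbixserveractive: 192.168.0.50

# Public resolvers and NTP pool: every host sends its DNS and time traffic to third parties.
# Replace with internal servers if policy requires it.
nameservers:
  - 8.8.4.4
  - 8.8.8.8
ntpservers:
  - 0.ru.pool.ntp.org
  - 1.ru.pool.ntp.org
  - 2.ru.pool.ntp.org
  - 3.ru.pool.ntp.org

# Optional components installed by books/soft.
enable_docker: false
enable_nfs: false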
/etc/ansible/books/prepare
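---
# Base preparation of every host: hostname, proxy settings, removal of NetworkManager/avahi/kdump,
# SELinux state, sysctl, sshd tweaks, postfix relay, resolvers and /etc/hosts.
# Loads site settings from books/vars and runs with become on the whole inventory.
# sshd and postfix are restarted through handlers, i.e. only when their config actually changed.

- name: ===== SYSPREP ======
  hosts: all
  become: true
  tasks:

    - include_vars: vars

    # set hostname
    - name: setting hostname from the inventory name
      hostname:
        name: "{{ inventory_hostname }}"

    # bashrc: proxy for interactive shells
    - name: exporting proxy variables in /etc/bashrc
      lineinfile:
        dest: /etc/bashrc
        state: present
        line: "{{ item }}"
      with_items:
        - 'export http_proxy="{{ proxyaddr }}"'
        - 'export https_proxy="{{ proxyaddr }}"'

    # yum
    - name: pointing yum at the proxy
      lineinfile:
        dest: /etc/yum.conf
        regexp: '^proxy'
        line: "proxy={{ proxyaddr }}"

    # disable: NetworkManager, Avahi, kdump
    - name: removing the NetworkManager package
      yum:
        name: NetworkManager
        state: absent
    - name: enabling the classic network service
      service:
        name: network
        enabled: yes
    - name: removing the avahi packages
      yum:
        name:
          - avahi
          - avahi-autoipd
          - avahi-libs
        state: absent
    - name: removing kdump
      yum:
        name: kdump
        state: absent

    # selinux
    # SECURITY: this switches SELinux off permanently (effective after the next reboot) on every
    # server, dropping the mandatory-access-control layer; books/zabbix repeats the same step.
    # Kept as the historical default but made opt-out: set `disable_selinux: false` in vars to
    # leave SELinux enforcing. (No package is called `selinux` on CentOS, so the yum task is a
    # no-op; the selinux module task is the one that takes effect.)
    - name: removing selinux
      yum:
        name: selinux
        state: absent
      when: disable_selinux | default(true)
    - name: disabling selinux
      selinux:
        state: disabled
      when: disable_selinux | default(true)

    # sysctl tweaks: reboot 5s after a kernel panic, IPv6 off, larger inotify limits.
    # ip_nonlocal_bind allows binding an address not (yet) on the host -- presumably for a
    # floating VIP on the lb hosts; confirm before removing.
    - name: Configuring sysctl
      sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        sysctl_set: yes
        state: present
      with_items:
        - name: kernel.panic
          value: '5'
        - name: net.ipv6.conf.all.disable_ipv6
          value: '1'
        - name: net.ipv6.conf.default.disable_ipv6
          value: '1'
        - name: net.ipv4.ip_nonlocal_bind
          value: '1'
        - name: fs.inotify.max_user_watches
          value: '16777216'
        - name: fs.inotify.max_queued_events
          value: '65536'

    # sshd tweaks -- each edit is syntax-checked with `sshd -t` against the candidate file before
    # it replaces the live config, so a bad line cannot lock everyone out of the host.
    - name: Configuring sshd tweaks
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        validate: '/usr/sbin/sshd -t -f %s'
      with_items:
        - regexp: '^UseDNS'
          line: 'UseDNS no'
        - regexp: '^GSSAPIAuthentication'
          line: 'GSSAPIAuthentication no'
      notify: restart sshd
    # Still disabled on purpose: the inventory connects as root (ansible_ssh_user=root), so
    # `PermitRootLogin no` would cut off Ansible itself. Enable both once a sudo-capable
    # automation account from books/users is the login user:
    #    - regexp: '^PermitTunnel'
    #      line: 'PermitTunnel no'
    #    - regexp: '^PermitRootLogin'
    #      line: 'PermitRootLogin no'

    # postfix (only touched when it is installed)
    - name: configuring postfix
      stat:
        path: /etc/postfix/main.cf
      register: maincf
    - name: restricting postfix to ipv4
      lineinfile:
        dest: /etc/postfix/main.cf
        regexp: '^inet_protocols'
        line: "inet_protocols = ipv4"
      when: maincf.stat.exists
      notify: restart postfix
    # Anchored on the key so a changed mailrelay replaces the old line instead of adding a second
    # `relayhost =` entry (the previous form had no regexp and would duplicate it).
    - name: setting postfix relayhost
      lineinfile:
        dest: /etc/postfix/main.cf
        regexp: '^relayhost'
        line: "relayhost = [{{ mailrelay }}]"
      when: maincf.stat.exists
      notify: restart postfix

    # resolv.conf -- existing nameserver lines are dropped and replaced by the list from vars.
    # NOTE(review): with the network service in charge, ifcfg PEERDNS settings may rewrite this
    # file on the next restart; confirm on the hosts.
    - name: configuring resolv.conf
      lineinfile:
        dest: /etc/resolv.conf
        regexp: '^nameserver'
        state: absent
    - name: adding nameservers
      lineinfile:
        dest: /etc/resolv.conf
        state: present
        line: "nameserver {{ item }}"
      with_items: "{{ nameservers }}"

    # /etc/hosts -- the hostname must be a whole token at the end of the line: the earlier
    # `.*{{inventory_hostname}}$` also matched longer names with the same suffix (e.g. "app1"
    # matched a "webapp1" entry) and would have overwritten the wrong host.
    - name: configuring /etc/hosts
      lineinfile:
        dest: /etc/hosts
        regexp: '(^|\s){{ inventory_hostname }}$'
        line: "{{ ansible_ssh_host }} {{ inventory_hostname }}"
        state: present

  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted
    - name: restart postfix
      service:
        name: postfix
        state: restarted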
/etc/ansible/books/users
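---
# Account management on every host: sudo policy for wheel, one admin account with an SSH key,
# removal of departed users. Connects directly as root (see the inventory); `remote_user` is
# the current name of the `user` play keyword.

- name: ===== USERS ====================
  hosts: all
  remote_user: root
  tasks:

    # sudoers -- validated with visudo before the live file is replaced. A syntax error in
    # /etc/sudoers disables sudo for everyone, which becomes a lock-out once root SSH logins are closed.
    # SECURITY: NOPASSWD for the whole wheel group means a stolen SSH key of any wheel member is
    # root with no second factor; prefer `%wheel ALL=(ALL) ALL` unless unattended root is required.
    - name: configuring wheel group for sudo
      lineinfile:
        dest: /etc/sudoers
        state: present
        regexp: '^%wheel'
        line: '%wheel ALL=(ALL) NOPASSWD:ALL'
        validate: '/usr/sbin/visudo -cf %s'

    # add users -- `password` must be a pre-hashed value (never cleartext), and the real hash and
    # key belong in a vault-encrypted vars file rather than in this book.
    - name: creating admin user
      user:
        name: userus
        groups: wheel
        uid: 1001
        comment: "Userus Lamikus"
        password: "xxxxxxxPASSxHASHxxxxxxxxxxxxx"
        shell: /bin/bash
        append: yes
    # validate_certs was dropped: it only applies when the key is fetched from an https URL,
    # and this key is given inline.
    - name: installing admin ssh key
      authorized_key:
        user: userus
        key: "ssh-rsa xxxxxxxxxxKEYxHASHxxxxxxxxx userus"

    # del users -- home directory and mail spool are removed as well (remove: yes)
    - name: removing departed users
      user:
        name: "{{ item }}"
        state: absent
        remove: yes
      with_items:
        - fireduser1
        - fireduser2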
/etc/ansible/books/soft
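---
# Baseline package set for every host, plus optional nfs-utils / docker and etckeeper for
# tracking changes under /etc. Packages come from whatever repositories are enabled on the
# host (see books/repos for their signing and transport state).

- name: ===== SOFTWARE INSTALLATION =====
  hosts: all
  become: true
  tasks:
    - include_vars: vars

    # This is a full `yum update`, not a cache refresh (the previous task name was misleading).
    # ignore_errors keeps the historical behaviour of carrying on when the upgrade fails, but the
    # play then reports success for a host that may still be unpatched -- read the run output.
    - name: upgrading all packages
      yum:
        name: '*'
        state: latest
      ignore_errors: True

    # epel-release ships from CentOS extras, signed with the CentOS key, and installs the EPEL
    # repo definition together with its signing key. It must be in place before the tool set
    # below, part of which is EPEL-only.
    - name: installing epel-release
      yum:
        name: epel-release
        state: latest

    - name: installing yum-utils
      yum:
        name: yum-utils
        state: latest

    # Baseline tools, one yum transaction. telnet and ftp are plaintext clients kept for
    # diagnostics; tcpdump is installed on every host.
    - name: installing baseline tools
      yum:
        name:
          - mlocate
          - vim-enhanced
          - whois
          - mc
          - htop
          - atop
          - iotop
          - iftop
          - gdisk
          - bind-utils
          - tree
          - git
          - ftp
          - unzip
          - openssl
          - traceroute
          - telnet
          - rsync
          - openssh-clients
          - wget
          - man
          - tcpdump
          - tmux
          - net-tools
          - psutils
          - moreutils
          - lsof
          - curl
          - bash-completion
        state: latest
    - name: removing stale lxc completion file
      file:
        path: /etc/bash_completion.d/lxc
        state: absent

    - name: installing qemu-guest-agent
      yum:
        name: qemu-guest-agent
        state: latest
    # For VMware guests use open-vm-tools instead:
    #   yum: name=open-vm-tools state=latest

    # nfs (optional). IPv6 is switched off in books/prepare, so the ipv6 transports are
    # commented out of /etc/netconfig to keep rpcbind quiet about them.
    - name: installing nfs-utils
      yum:
        name: nfs-utils
        state: latest
      when: enable_nfs
    - name: disabling ipv6 transports in /etc/netconfig
      lineinfile:
        dest: /etc/netconfig
        regexp: "^{{ item }}"
        line: "#{{ item }}"
      with_items:
        - udp6
        - tcp6
      when: enable_nfs

    # docker (optional): package name differs between CentOS 6 and 7
    - name: installing docker (CentOS 6)
      yum:
        name: docker-io
        state: latest
      when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "6" and enable_docker

    - name: installing docker (CentOS 7)
      yum:
        name: docker
        state: latest
      when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7" and enable_docker

    # etckeeper -- the previous unconditional `etckeeper commit` exits non-zero when there is
    # nothing to commit, so every rerun of this book failed here. Initialise once (assumes the
    # default VCS, git, which creates /etc/.git) and commit only after a fresh init.
    - name: installing etckeeper
      yum:
        name: etckeeper
        state: latest
    - name: initialising etckeeper repository
      command: etckeeper init
      args:
        creates: /etc/.git
      register: etckeeper_init
    - name: committing initial /etc snapshot
      command: etckeeper commit Init
      when: etckeeper_init.changed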
/etc/ansible/books/ntp
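---
# Time sync: replaces chrony with ntpd and writes /etc/ntp.conf from the ntpservers list in vars.
# The file is generated in one step, so a rerun does not rewrite it (and restart ntpd) when
# nothing changed; ntpd is restarted through the handler only on change.

- name: ===== NTP INSTALLATION =====
  hosts: all
  become: true
  tasks:
    - include_vars: vars
    - name: removing the chrony package
      yum:
        name: chrony
        state: absent
    - name: installing ntp
      yum:
        name: ntp
        state: latest
    # `restrict default ... noquery nomodify notrap nopeer` together with `disable monitor` stops
    # the daemon from answering status/monlist queries from arbitrary sources (amplification abuse);
    # the private ranges may still query, only loopback is unrestricted. `tinker panic 0` lets
    # ntpd step large offsets instead of exiting -- presumably for VMs; confirm before removing.
    - name: configuring ntpd
      copy:
        dest: /etc/ntp.conf
        owner: root
        group: root
        mode: '0644'
        content: |
          tinker panic 0
          driftfile /var/lib/ntp/drift
          logfile /var/log/ntp.log
          disable monitor
          restrict default kod nomodify notrap nopeer noquery
          restrict ::1
          restrict 127.0.0.1
          restrict 172.16.0.0 mask 255.240.0.0 nomodify notrap
          restrict 192.168.0.0 mask 255.255.0.0 nomodify notrap
          restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap
          {% for ntpserver in ntpservers %}
          server {{ ntpserver }} iburst
          {% endfor %}
      notify: restart ntpd
    - name: enabling ntpd
      service:
        name: ntpd
        state: started
        enabled: yes
  handlers:
    - name: restart ntpd
      service:
        name: ntpd
        state: restarted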
/etc/ansible/books/iptables
---
# Firewall bootstrap: replaces firewalld with the classic iptables service on CentOS 7 and
# persists an EMPTY ruleset.
#
# SECURITY (review): after this play a host has no packet filtering at all. `flush` removes
# every rule from the filter table (the module default) while the built-in chains keep their
# ACCEPT policy, and that empty state is what iptables-save writes out and the service reloads
# at boot. Nothing later in books/init adds rules. Any host reachable from outside the
# management network should get at least a baseline (lo, ESTABLISHED/RELATED, SSH from the
# admin range, default DROP) before this is considered done.

- name: ===== IPTABLES CONFIGURE =====
  hosts: all
  become: true
  tasks:
    # CentOS 7 only: firewalld and iptables-services cannot both own the ruleset.
    - name: removing firewalld
      yum: name=firewalld state=absent
      when: (ansible_distribution == "CentOS" and ansible_distribution_major_version == "7")
    - name: installing iptables for centos 7
      yum: name=iptables-services state=latest
      when: (ansible_distribution == "CentOS" and ansible_distribution_major_version == "7")
    # Drops all current rules; runs on every invocation, so any rules added by hand are lost too.
    - name: flush iptables configuration
      iptables: flush=true
    # Persists the (now empty) ruleset for the iptables service.
    - name: save iptables rules
      shell: "iptables-save > /etc/sysconfig/iptables"
    - name: restarting iptables
      service: name=iptables state=restarted enabled=yes
/etc/ansible/books/zabbix
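---
# Zabbix agent rollout: adds the Zabbix yum repositories and points the agent at the server
# from vars. The agent is restarted through the handler only when its config changed.

- name: ===== ZABBIX INSTALLATION =====
  hosts: all
  become: true
  tasks:
    - include_vars: vars

    # Duplicate of the SELinux step in books/prepare, gated by the same opt-out variable
    # (`disable_selinux: false` in vars keeps SELinux enforcing).
    - name: removing selinux
      yum:
        name: selinux
        state: absent
      when: disable_selinux | default(true)
    - name: disabling selinux
      selinux:
        state: disabled
      when: disable_selinux | default(true)

    # Both repos were previously enabled with gpgcheck off over plain HTTP, i.e. any mirror or
    # on-path party could hand out arbitrary RPMs that install as root. Signature checks are on,
    # using the keys Zabbix publishes on the repository host (the 3.x repo is signed with key
    # A14FE591, non-supported with the older RPM-GPG-KEY-ZABBIX), fetched over HTTPS so the key
    # itself cannot be swapped on first import. Verify the fingerprints against zabbix.com once.
    - name: "Add repository - Zabbix {{ zabbixversion }}"
      yum_repository:
        name: zabbix
        description: Zabbix repo
        file: zabbix
        baseurl: "https://repo.zabbix.com/zabbix/{{ zabbixversion }}/rhel/$releasever/$basearch/"
        enabled: yes
        gpgcheck: yes
        gpgkey: https://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-A14FE591
    - name: Add repository - Zabbix non supported
      yum_repository:
        name: zabbix-non-supported
        description: Zabbix non-supported repo
        file: zabbix
        baseurl: https://repo.zabbix.com/non-supported/rhel/$releasever/$basearch/
        enabled: yes
        gpgcheck: yes
        gpgkey: https://repo.zabbix.com/RPM-GPG-KEY-ZABBIX

    # zabbix agent. Server= is, per the agent's own config reference, the list of addresses
    # allowed to run passive checks; Hostname has to match the host as registered on the server.
    - name: installing zabbix-agent
      yum:
        name: zabbix-agent
        state: latest
    - name: configuring zabbix-agent
      lineinfile:
        dest: /etc/zabbix/zabbix_agentd.conf
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
      with_items:
        - regexp: '^Server\='
          line: "Server={{ zabbixserver }}"
        - regexp: '^ServerActive\='
          line: "ServerActive={{ zabbixserveractive }}"
        - regexp: '^Hostname\='
          line: "Hostname={{ inventory_hostname }}"
      notify: restart zabbix-agent
    - name: enabling zabbix-agent
      service:
        name: zabbix-agent
        state: started
        enabled: yes
  handlers:
    - name: restart zabbix-agent
      service:
        name: zabbix-agent
        state: restarted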
/etc/ansible/books/syslog
---
# Forward all local syslog traffic to the collector named in vars (syslogserver = host:port).
# A single '@' means UDP: unauthenticated, unencrypted and lossy, so log lines can be dropped,
# read or spoofed in transit. '@@host:port' switches to TCP; TLS (rsyslog gtls) or RELP is the
# real fix but needs the collector side configured first.
# The regexp only matches an existing "*.* @..." forwarding line, so the first run appends one.

- name: "===== SYSLOG CONF ======"
  hosts: all
  become: true
  tasks:
   - include_vars: vars
   - name: updating rsyslog.conf
     lineinfile: dest=/etc/rsyslog.conf state=present regexp="^\*\.\*\ \@" line="*.* @{{ syslogserver }}"
   # Restarted on every run, not only when the line changed.
   - service: "name=rsyslog state=restarted"
/etc/ansible/books/update
---
# Bring every installed package on every host up to the newest version the enabled repositories
# offer, refreshing the yum metadata first. Unlike the upgrade step in books/soft, a failing
# host stops here instead of being ignored.

- name: ===== UPDATING SOFTWARE =====
  hosts: all
  become: true
  tasks:
    - name: upgrade all packages
      yum:
        name: '*'
        state: latest
        update_cache: yes
/etc/ansible/books/repos
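---
# Third-party yum repositories for all hosts. Not part of books/init; run on demand.
#
# Review state: every repo here was defined with gpgcheck off and most over plain HTTP, so
# package signatures were never checked and the package stream could be altered by any mirror
# or on-path party -- a root-level supply-chain exposure on every server. Where the vendor's
# signing key location is documented and stable it is wired in below with gpgcheck on and
# HTTPS transport. The others keep the old settings and carry a TODO: a wrong key URL would
# surface as a yum failure at install time, so add each one deliberately after checking the
# vendor's instructions. Prefer the vendor's *-release RPM where one exists (books/soft already
# installs epel-release from CentOS extras), since it ships key and repo definition together.
# Note: this file pins Zabbix 3.2 while books/zabbix derives it from vars -- keep them in step,
# and expect "duplicate repo id" warnings where both definitions are present on a host.

- name: ===== REPO INSTALLATION =====
  hosts: all
  become: yes
  tasks:

    # EPEL -- key published alongside the repo by the Fedora project.
    - name: Add repository - EPEL
      yum_repository:
        name: epel
        description: EPEL repo
        baseurl: https://download.fedoraproject.org/pub/epel/$releasever/$basearch/
        enabled: yes
        gpgcheck: yes
        gpgkey: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-$releasever

    # Zabbix -- 3.x repo signed with key A14FE591, non-supported with the older key; both are
    # served from the repository host.
    - name: Add repository - Zabbix
      yum_repository:
        name: zabbix
        description: Zabbix repo
        file: zabbix
        baseurl: https://repo.zabbix.com/zabbix/3.2/rhel/$releasever/$basearch/
        enabled: yes
        gpgcheck: yes
        gpgkey: https://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-A14FE591
    - name: Add repository - Zabbix non supported
      yum_repository:
        name: zabbix-non-supported
        description: Zabbix non-supported repo
        file: zabbix
        baseurl: https://repo.zabbix.com/non-supported/rhel/$releasever/$basearch/
        enabled: yes
        gpgcheck: yes
        gpgkey: https://repo.zabbix.com/RPM-GPG-KEY-ZABBIX

    # TODO(review): unsigned packages from a third-party mirror over HTTP, enabled on every
    # host. Obtain the mirror's signing key (or drop the repo) before relying on it.
    - name: Add repository - FServer
      yum_repository:
        name: fserver
        description: FServer RHEL Repo
        baseurl: http://mirror.fserver.ru/centos-repo/$releasever/$basearch/
        enabled: yes
        gpgcheck: no

    # MariaDB -- key published on the same yum host.
    - name: Add repository - MariaDB
      yum_repository:
        name: MariaDB
        description: MariaDB 10.1 repo
        baseurl: https://yum.mariadb.org/10.1/centos$releasever-amd64
        enabled: no
        gpgcheck: yes
        gpgkey: https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
    # TODO(review): add the MaxScale signing key from MariaDB's MaxScale repository
    # instructions and turn gpgcheck on.
    - name: Add repository - MariaDB MaxScale
      yum_repository:
        name: MaxScale
        description: MariaDB MaxScale repo
        baseurl: https://code.mariadb.com/mariadb-maxscale/latest/centos/$releasever/$basearch/
        enabled: no
        gpgcheck: no

    # nginx -- official signing key from nginx.org.
    - name: Add repository - Nginx
      yum_repository:
        name: nginx
        description: nginx repo
        baseurl: https://nginx.org/packages/centos/$releasever/$basearch/
        enabled: yes
        gpgcheck: yes
        gpgkey: https://nginx.org/keys/nginx_signing.key

    # Remi -- one key for all remi-* repos, published on the repo host. Note that remi and
    # remi-php56 are enabled by default and shadow base/EPEL packages of the same name.
    - name: Add repository - Remi
      yum_repository:
        name: remi
        description: remi repo
        file: remi
        mirrorlist: https://rpms.remirepo.net/enterprise/$releasever/remi/mirror
        enabled: yes
        gpgcheck: yes
        gpgkey: https://rpms.remirepo.net/RPM-GPG-KEY-remi
    - name: Add repository - Remi php56
      yum_repository:
        name: remi-php56
        description: remi-php56 repo
        file: remi
        mirrorlist: https://rpms.remirepo.net/enterprise/$releasever/php56/mirror
        enabled: yes
        gpgcheck: yes
        gpgkey: https://rpms.remirepo.net/RPM-GPG-KEY-remi
    - name: Add repository - Remi php70
      yum_repository:
        name: remi-php70
        description: remi-php70 repo
        file: remi
        mirrorlist: https://rpms.remirepo.net/enterprise/$releasever/php70/mirror
        enabled: no
        gpgcheck: yes
        gpgkey: https://rpms.remirepo.net/RPM-GPG-KEY-remi
    - name: Add repository - Remi php71
      yum_repository:
        name: remi-php71
        description: remi-php71 repo
        file: remi
        mirrorlist: https://rpms.remirepo.net/enterprise/$releasever/php71/mirror
        enabled: no
        gpgcheck: yes
        gpgkey: https://rpms.remirepo.net/RPM-GPG-KEY-remi

    # TODO(review): no signing key configured. The `mirrorlist` value also looks like a plain
    # repository path rather than a mirror-list file; confirm with the vendor's instructions.
    - name: Add repository - Squid
      yum_repository:
        name: squid
        description: Squid repo
        mirrorlist: http://www1.ngtech.co.il/repo/centos/$releasever/$basearch/
        enabled: no
        gpgcheck: no

    # Asterisk (tucny) -- already HTTPS. TODO(review): add the repository's signing key and
    # enable gpgcheck before turning any of these on.
    - name: Add repository - Asterisk
      yum_repository:
        name: asterisk-common
        description: Asterisk Common Repo
        file: asterisk
        baseurl: https://ast.tucny.com/repo/asterisk-common/el$releasever/$basearch/
        enabled: no
        gpgcheck: no
    - name: Add repository - Asterisk 11
      yum_repository:
        name: asterisk-11
        description: Asterisk 11 Repo
        file: asterisk
        baseurl: https://ast.tucny.com/repo/asterisk-11/el$releasever/$basearch/
        enabled: no
        gpgcheck: no
    - name: Add repository - Asterisk 13
      yum_repository:
        name: asterisk-13
        description: Asterisk 13 Repo
        file: asterisk
        baseurl: https://ast.tucny.com/repo/asterisk-13/el$releasever/$basearch/
        enabled: no
        gpgcheck: no
    - name: Add repository - Asterisk 14
      yum_repository:
        name: asterisk-14
        description: Asterisk 14 Repo
        file: asterisk
        baseurl: https://ast.tucny.com/repo/asterisk-14/el$releasever/$basearch/
        enabled: no
        gpgcheck: no
    # TODO(review): HTTP and unsigned; irontec publishes a package key for this repo --
    # import it via gpgkey and enable gpgcheck.
    - name: Add repository - SNGrep
      yum_repository:
        name: sngrep
        description: Irontec sngrep repo
        file: asterisk
        baseurl: http://packages.irontec.com/centos/$releasever/$basearch/
        enabled: no
        gpgcheck: no

    # TODO(review): HTTP and unsigned; use Veeam's documented repository key and HTTPS.
    - name: Add repository - Veeam
      yum_repository:
        name: veeam
        description: Veeam Backup for GNU/Linux
        baseurl: http://repository.veeam.com/backup/linux/agent/rpm/el/$releasever/$basearch
        enabled: no
        gpgcheck: no

    # Bacula (Copr) -- Copr publishes each project's key as pubkey.gpg next to the results.
    - name: Add repository - Bacula
      yum_repository:
        name: bacula
        description: Bacula repo
        baseurl: https://copr-be.cloud.fedoraproject.org/results/slaanesh/Bacula/epel-$releasever-$basearch/
        enabled: no
        gpgcheck: yes
        gpgkey: https://copr-be.cloud.fedoraproject.org/results/slaanesh/Bacula/pubkey.gpg

    # TODO(review): HTTP and unsigned. The repo is built on OBS, which normally publishes the
    # key as repodata/repomd.xml.key under the repo URL -- confirm and wire it in.
    - name: Add repository - Bareos
      yum_repository:
        name: bareos
        description: Bareos 16.2 repo
        baseurl: http://download.bareos.org/bareos/release/16.2/CentOS_$releasever/
        enabled: no
        gpgcheck: no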