Move nms host roles to adm hosts

2025-07-12 13:18:18 +00:00 · 2025-07-12 13:18:18 +00:00 · fe5444052b
commit fe5444052b
parent 4c32ae71da
6 changed files with 140 additions and 1 deletions
--- a/group_vars/adm.yml
+++ b/group_vars/adm.yml
@ -2,11 +2,43 @@
 datadisks:
  - {size: 10, type: nvme}

+chrony_allow:
+  - 172.20.25.0/24
+
+unbound_zones:
+  - 25.20.172.in-addr.arpa
+  - oob.foo.sh
+dhcpd_template: dhcpd.conf.oob.j2
+dhcpd_ldap_filter: >-
+  (&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.oob.foo.sh))
+unbound_config: unbound.conf.oob.j2
+
+network_vip_interfaces:
+  - device: eth0
+    vhid: 11
+    ipaddr: 172.20.20.21
+    netmask: 255.255.240.0
+    pass: "{{ vip21_pass }}"
+  - device: eth1
+    vhid: 25
+    ipaddr: 172.20.25.1
+    netmask: 255.255.255.0
+    pass: "{{ vip25_pass }}"
+    priority: "{{ vip25_priority }}"
+
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 25, from: [172.20.25.0/24]}
+  - {proto: tcp, port: 53, from: [172.20.25.0/24]}
+  - {proto: udp, port: 53, from: [172.20.25.0/24]}
  - {proto: tcp, port: 80, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
+  - {proto: udp, port: 123, from: [172.20.25.0/24]}
+  - {proto: tcp, port: 443, from: [172.20.20.0/22, 172.20.25.0/24]}
+  - {proto: udp, port: 514, from: [172.20.25.0/24]}
  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9116, from: [172.20.20.0/22]}
+firewall_raw:
+  - "ip daddr 224.0.0.0/8 accept"

 sssd_allow_groups:
  - sysadm
--- a/host_vars/adm01.home.foo.sh.yml
+++ b/host_vars/adm01.home.foo.sh.yml
@ -4,3 +4,16 @@ network_interfaces:
  - device: eth0
    vlan: 20
    mac: "52:54:00:ac:dc:0b"
+  - device: eth1
+    vlan: 25
+    ipaddr: 172.20.25.2
+    netmask: 255.255.255.0
+    proto: static
+    nameservers: [172.20.25.1, 172.20.25.2, 172.20.25.3]
+  - device: eth2
+    vlan: 103
+    ipaddr: 192.168.100.2
+    netmask: 255.255.255.248
+    proto: static
+
+vip25_priority: 128
--- a/host_vars/adm02.home.foo.sh.yml
+++ b/host_vars/adm02.home.foo.sh.yml
@ -4,3 +4,16 @@ network_interfaces:
  - device: eth0
    vlan: 20
    mac: "52:54:00:ac:dc:0c"
+  - device: eth1
+    vlan: 25
+    ipaddr: 172.20.25.3
+    netmask: 255.255.255.0
+    proto: static
+    nameservers: [172.20.25.1, 172.20.25.2, 172.20.25.3]
+  - device: eth2
+    vlan: 103
+    ipaddr: 192.168.100.3
+    netmask: 255.255.255.248
+    proto: static
+
+vip25_priority: 1
--- a/hosts.yml
+++ b/hosts.yml
@ -3,6 +3,8 @@ adm:
  hosts:
    adm01.home.foo.sh:
    adm02.home.foo.sh:
+  vars:
+    snmp_exporter_version: "0.29.0"
 audiobooks:
  hosts:
    audiobooks02.home.foo.sh:
--- a/playbooks/adm.yml
+++ b/playbooks/adm.yml
@ -28,6 +28,10 @@
    - ansible_host
    - certbot
    - cups
+    - nginx
+    - role: nginx_site
+      nginx_site_name: oob.foo.sh
+      nginx_site_plaintest: false
    - sshca
    - ssh_known_hosts
    - role: keytab
@ -38,10 +42,36 @@
      autofs_home: false
    - sssd
    - mkhomedir
+    - aten_pdu
+    - routeros
    - rpm_build
+    - snmp_exporter
    - web_build

  tasks:
+    - name: Run handlers to get interfaces configured
+      ansible.builtin.meta: flush_handlers
+
+    - name: Enable UDP rsyslog server
+      ansible.builtin.import_role:
+        name: rsyslog
+        tasks_from: udp-listen
+
+    - name: Enable postfix mail relay
+      ansible.builtin.import_role:
+        name: postfix
+        tasks_from: relay
+      vars:
+        relay_domains: [foo.sh]
+
+    - name: Import unbound role
+      ansible.builtin.import_role:
+        name: unbound
+
+    - name: Import dhcpd role
+      ansible.builtin.import_role:
+        name: dhcpd
+
    - name: Install packages
      ansible.builtin.package:
        name: "{{ item }}"
@ -150,3 +180,14 @@
        mode: "0755"
        owner: root
        group: "{{ ansible_wheel }}"
+
+    - name: Create sw-backup script
+      ansible.builtin.copy:
+        dest: /usr/local/bin/sw-backup
+        content: |
+          #!/bin/sh
+          set -eu
+          ssh "admin@${1}" /export > "/srv/backup/${1}.rsc"
+        mode: "0755"
+        owner: root
+        group: "{{ ansible_wheel }}"
--- a/roles/unbound/templates/unbound.conf.oob.j2
+++ b/roles/unbound/templates/unbound.conf.oob.j2
@ -0,0 +1,38 @@
+
+server:
+    interface: eth1
+
+    access-control: 127.0.0.0/8 allow
+    access-control: ::1 allow
+    access-control: 172.20.25.1/32 allow
+    access-control: 172.20.25.2/32 allow
+    access-control: 172.20.25.3/32 allow
+    access-control: 172.20.25.0/24 refuse_non_local
+
+    extended-statistics: yes
+
+    hide-identity: yes
+    hide-version: yes
+
+    tls-upstream: yes
+    tls-cert-bundle: {{ tls_bundle }}
+
+    chroot: ""
+
+    unblock-lan-zones: yes
+
+remote-control:
+    control-enable: yes
+    control-interface: /var/run/unbound.sock
+
+forward-zone:
+    name: "."
+    forward-addr: 172.20.20.10@853#dns.home.foo.sh
+    forward-addr: 172.20.20.11@853#dns.home.foo.sh
+    forward-addr: 172.20.20.12@853#dns.home.foo.sh
+
+{% for zone in unbound_zones %}
+auth-zone:
+    name: "{{ zone }}"
+    zonefile: "{{ unbound_zonedir }}/{{ zone }}"
+{% endfor %}