From 7b892cbeb2436dbcb04b8a30686935e16ff58a2d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=D0=94=D0=BE=D0=BB=D0=B3=D0=B8=D0=B9=20=D0=90=D1=80=D1=82?= =?UTF-8?q?=D1=91=D0=BC?=
Date: Thu, 7 Sep 2023 17:56:08 +0300
Subject: [PATCH] add roles

---
 ansible/00_test.yml | 37 +----
 ansible/02_deploy_dc1_role.yml | 6 +
 ansible/02_deploy_primary_dc.yml | 102 ------------
 ...d_dns_record.yml => 03_add_dns_record.yml} | 6 +-
 ansible/03_check_dc1.yml | 58 -------
 ansible/04_deploy_dc2_role.yml | 6 +
 ..._replication.yml => 05_dc_replication.yml} | 6 +-
 ansible/06_2_deploy_second_dc.yml | 145 ------------------
 ...samba_users.yml => 06_add_samba_users.yml} | 21 ++-
 ...a_clients.yml => 07_add_samba_clients.yml} | 2 +-
 ansible/07_check_dc2.yml | 58 -------
 ansible/08_deploy_nas_role.yml | 6 +
 ansible/08_nas.yml | 36 -----
 ansible/group_vars/nas/nas_vars.yml | 11 ++
 ansible/group_vars/nas/share.conf | 10 ++
 ansible/hosts.ini | 3 +
 ansible/roles/deploy_dc1/.travis.yml | 29 ++++
 ansible/roles/deploy_dc1/README.md | 25 +++
 ansible/roles/deploy_dc1/defaults/main.yml | 2 +
 ansible/roles/deploy_dc1/handlers/main.yml | 2 +
 ansible/roles/deploy_dc1/meta/main.yml | 53 +++++++
 ansible/roles/deploy_dc1/tasks/check_dc1.yml | 54 +++++++
 ansible/roles/deploy_dc1/tasks/deploy_dc1.yml | 98 ++++++++++++
 ansible/roles/deploy_dc1/tasks/main.yml | 7 +
 ansible/roles/deploy_dc1/tests/inventory | 2 +
 ansible/roles/deploy_dc1/tests/test.yml | 5 +
 ansible/roles/deploy_dc1/vars/main.yml | 2 +
 ansible/roles/deploy_dc2/.travis.yml | 29 ++++
 ansible/roles/deploy_dc2/README.md | 30 ++++
 ansible/roles/deploy_dc2/defaults/main.yml | 2 +
 ansible/roles/deploy_dc2/handlers/main.yml | 2 +
 ansible/roles/deploy_dc2/meta/main.yml | 53 +++++++
 ansible/roles/deploy_dc2/tasks/check_dc2.yml | 54 +++++++
 .../deploy_dc2/tasks/deploy_second_dc.yml | 141 +++++++++++++++++
 ansible/roles/deploy_dc2/tasks/main.yml | 7 +
 ansible/roles/deploy_dc2/tests/inventory | 2 +
 ansible/roles/deploy_dc2/tests/test.yml | 5 +
 ansible/roles/deploy_dc2/vars/main.yml | 2 +
 ansible/roles/deploy_nas/.travis.yml | 29 ++++
 ansible/roles/deploy_nas/README.md | 38 +++++
 ansible/roles/deploy_nas/defaults/main.yml | 2 +
 ansible/roles/deploy_nas/handlers/main.yml | 2 +
 ansible/roles/deploy_nas/meta/main.yml | 53 +++++++
 ansible/roles/deploy_nas/tasks/main.yml | 7 +
 .../roles/deploy_nas/tasks/nas_prepare.yml | 67 ++++++++
 ansible/roles/deploy_nas/tasks/nas_smb.yml | 28 ++++
 ansible/roles/deploy_nas/tests/inventory | 2 +
 ansible/roles/deploy_nas/tests/test.yml | 5 +
 ansible/roles/deploy_nas/vars/main.yml | 2 +
 ansible/roles/deploy_vms/README.md | 33 +---
 50 files changed, 922 insertions(+), 465 deletions(-)
 create mode 100644 ansible/02_deploy_dc1_role.yml
 delete mode 100644 ansible/02_deploy_primary_dc.yml
 rename ansible/{06_1_add_dns_record.yml => 03_add_dns_record.yml} (95%)
 delete mode 100644 ansible/03_check_dc1.yml
 create mode 100644 ansible/04_deploy_dc2_role.yml
 rename ansible/{06_3_dc_replication.yml => 05_dc_replication.yml} (97%)
 delete mode 100644 ansible/06_2_deploy_second_dc.yml
 rename ansible/{04_add_samba_users.yml => 06_add_samba_users.yml} (66%)
 rename ansible/{05_add_samba_clients.yml => 07_add_samba_clients.yml} (96%)
 delete mode 100644 ansible/07_check_dc2.yml
 create mode 100644 ansible/08_deploy_nas_role.yml
 delete mode 100644 ansible/08_nas.yml
 create mode 100644 ansible/group_vars/nas/nas_vars.yml
 create mode 100644 ansible/group_vars/nas/share.conf
 create mode 100644 ansible/roles/deploy_dc1/.travis.yml
 create mode 100644 ansible/roles/deploy_dc1/README.md
 create mode 100644 ansible/roles/deploy_dc1/defaults/main.yml
 create mode 100644 ansible/roles/deploy_dc1/handlers/main.yml
 create mode 100644 ansible/roles/deploy_dc1/meta/main.yml
 create mode 100644 ansible/roles/deploy_dc1/tasks/check_dc1.yml
 create mode 100644 ansible/roles/deploy_dc1/tasks/deploy_dc1.yml
 create mode 100644 ansible/roles/deploy_dc1/tasks/main.yml
 create mode 100644 ansible/roles/deploy_dc1/tests/inventory
 create mode 100644 ansible/roles/deploy_dc1/tests/test.yml
 create mode 100644 ansible/roles/deploy_dc1/vars/main.yml
 create mode 100644 ansible/roles/deploy_dc2/.travis.yml
 create mode 100644 ansible/roles/deploy_dc2/README.md
 create mode 100644 ansible/roles/deploy_dc2/defaults/main.yml
 create mode 100644 ansible/roles/deploy_dc2/handlers/main.yml
 create mode 100644 ansible/roles/deploy_dc2/meta/main.yml
 create mode 100644 ansible/roles/deploy_dc2/tasks/check_dc2.yml
 create mode 100644 ansible/roles/deploy_dc2/tasks/deploy_second_dc.yml
 create mode 100644 ansible/roles/deploy_dc2/tasks/main.yml
 create mode 100644 ansible/roles/deploy_dc2/tests/inventory
 create mode 100644 ansible/roles/deploy_dc2/tests/test.yml
 create mode 100644 ansible/roles/deploy_dc2/vars/main.yml
 create mode 100644 ansible/roles/deploy_nas/.travis.yml
 create mode 100644 ansible/roles/deploy_nas/README.md
 create mode 100644 ansible/roles/deploy_nas/defaults/main.yml
 create mode 100644 ansible/roles/deploy_nas/handlers/main.yml
 create mode 100644 ansible/roles/deploy_nas/meta/main.yml
 create mode 100644 ansible/roles/deploy_nas/tasks/main.yml
 create mode 100644 ansible/roles/deploy_nas/tasks/nas_prepare.yml
 create mode 100644 ansible/roles/deploy_nas/tasks/nas_smb.yml
 create mode 100644 ansible/roles/deploy_nas/tests/inventory
 create mode 100644 ansible/roles/deploy_nas/tests/test.yml
 create mode 100644 ansible/roles/deploy_nas/vars/main.yml
diff --git a/ansible/00_test.yml b/ansible/00_test.yml
index 8613cb7..29ec796 100644
--- a/ansible/00_test.yml
+++ b/ansible/00_test.yml
@@ -1,35 +1,12 @@ --- - name: Разворачивание контроллера домена - hosts: dctest2 + hosts: nastest tasks: - - name: Внесение изменений в /etc/krb5.conf - "default_realm = {{ dc_details.realm }}" - ansible.builtin.lineinfile: - path: /etc/krb5.conf - regexp: 'default_realm' - line: " default_realm = {{ dc_details.realm }}" - - - name: Внесение изменений в /etc/krb5.conf - "dns_lookup_realm = false" - ansible.builtin.lineinfile: - path: /etc/krb5.conf - regexp: 'dns_lookup_realm' - line: " dns_lookup_realm = false" - - - name: Внесение изменений в /etc/krb5.conf - "dns_lookup_kdc = true" - ansible.builtin.lineinfile: - path: /etc/krb5.conf - regexp: 'dns_lookup_kdc' - line: " dns_lookup_kdc = true" - -#### - -- name: Конфигурация NTP - ansible.builtin.command: - cmd: control chrony server - -- name: Включение NTP (режим server) - service: - name: chronyd - state: started - enabled: true \ No newline at end of file + - name: Создание разделяемого ресурса Samba + ansible.builtin.file: + path: /share/sambashare + state: directory + mode: '0770' + group: "{{ smb_share_grp }}" \ No newline at end of file diff --git a/ansible/02_deploy_dc1_role.yml b/ansible/02_deploy_dc1_role.yml new file mode 100644 index 0000000..66baa91 --- /dev/null +++ b/ansible/02_deploy_dc1_role.yml @@ -0,0 +1,6 @@ +--- + +- name: Разворачивание первого контроллера домена + hosts: dctest1 + roles: + - deploy_dc1 diff --git a/ansible/02_deploy_primary_dc.yml b/ansible/02_deploy_primary_dc.yml deleted file mode 100644 index 0bef943..0000000 --- a/ansible/02_deploy_primary_dc.yml +++ /dev/null 
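Review bot: The new task hard-codes `path: /share/sambashare` while this same commit defines `smb_share: /share/sambashare` in `ansible/group_vars/nas/nas_vars.yml`, so the two can silently drift apart; use `path: "{{ smb_share }}"`. The task sets `group: "{{ smb_share_grp }}"` but no `owner`, so the directory keeps whatever owner the `file` module creates it with (presumably the connecting user) — state the intended owner explicitly if the share is meant to be administered by the domain group. The play name still reads `Разворачивание контроллера домена` although the play now targets `nastest` and only creates a share directory; rename it to match.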
@@ -1,102 +0,0 @@ ---- - -- name: Разворачивание контроллера домена - hosts: dctest1 - - tasks: - - name: Проверка соответствия ОС - ansible.builtin.fail: - msg: Операционная система должна быть Альт - when: ansible_os_family != "Altlinux" - - - name: Проверка наличия развёрнутого домена на хосте {{ ansible_hostname }} - ansible.builtin.shell: "samba-tool domain info {{ ansible_default_ipv4.address }}" - register: samba_tool_result - ignore_errors: yes - - - name: Если на хосте развёрнут домен, выполнение прерывается - ansible.builtin.fail: - msg: На хосте {{ ansible_hostname }} обнаружен развёрнутый домен. Прерываю выполнение - when: - - samba_tool_result.failed == false - - - name: Обновление системы - apt_rpm: - update_cache: true - dist_upgrade: true - clean: true - - - name: Назначение корректного имени хоста - ansible.builtin.hostname: - name: "{{ hostnames.dc1_host }}.{{ dc_details.realm }}" - use: systemd - - - name: Установка пакетов {{ packages }} - apt_rpm: - package: "{{ item }}" - state: present - update_cache: yes - loop: "{{ packages }}" - - - name: Конфигурация NTP (режим server) - ansible.builtin.command: - cmd: control chrony server - - - name: Включение службы синхронизации времени chrony - ansible.builtin.systemd: - name: chronyd - enabled: true - state: restarted - masked: false - - - name: Отключение служб, которые будут конфликтовать с контроллером - ansible.builtin.systemd: - name: "{{ item }}" - enabled: false - state: stopped - loop: "{{ stop_daemons }}" - ignore_errors: yes - - - name: Удалить старую конфигурацию Samba - ansible.builtin.file: - path: "{{ item }}" - state: absent - force: true - loop: "{{ old_config_to_remove }}" - - - name: Создать каталог для хранения групповых политик - ansible.builtin.file: - path: "{{ gp_folder }}" - state: directory - mode: '0755' - - - name: Настройка резолвера на 127.0.0.1 - ansible.builtin.lineinfile: - path: /etc/resolvconf.conf - regexp: '^name_servers' - line: name_servers=127.0.0.1 - - - name: 
Обновление конфигурации резолвера - ansible.builtin.shell: "resolvconf -u" - - - name: Разворачивание первого контроллера домена - ansible.builtin.shell: | - samba-tool domain provision --realm={{ dc_details.realm }} --domain={{ dc_details.domain }} \ - --adminpass='{{ dc_details.adminpass }}' --dns-backend=SAMBA_INTERNAL \ - --option="dns forwarder={{ dc_details.dns_forwarder }}" --server-role=dc --use-rfc2307 - register: dc_provision_output - - ansible.builtin.debug: - var: dc_provision_output.stdout_lines - - - name: Включение службы {{ samba_service }} - ansible.builtin.systemd: - name: "{{ samba_service }}" - enabled: true - state: restarted - masked: false - - - name: Копирование конфигурации Kerberos - ansible.builtin.copy: - remote_src: true - src: /var/lib/samba/private/krb5.conf - dest: /etc/krb5.conf diff --git a/ansible/06_1_add_dns_record.yml b/ansible/03_add_dns_record.yml similarity index 95% rename from ansible/06_1_add_dns_record.yml rename to ansible/03_add_dns_record.yml index dfa00fe..cf62e6f 100644 --- a/ansible/06_1_add_dns_record.yml +++ b/ansible/03_add_dns_record.yml @@ -1,6 +1,6 @@ --- -- name: Добавление DNS записи о втором контроллере на первом +- name: Добавление DNS записи о втором контроллере на первый hosts: dctest1 tasks: @@ -12,14 +12,14 @@ - name: Проверка наличия развёрнутого домена на хосте {{ ansible_hostname }} ansible.builtin.shell: "samba-tool domain info {{ ansible_default_ipv4.address }}" register: samba_tool_result - ignore_errors: yes + ignore_errors: true - name: Если на хосте НЕ развёрнут домен, выполнение прерывается ansible.builtin.fail: msg: На хосте {{ ansible_hostname }} НЕ обнаружен развёрнутый домен. Прерываю выполнение when: - samba_tool_result.failed != false - + - name: Добавление DNS записи ansible.builtin.shell: | samba-tool dns add {{ dc_details.dc1_ip }} {{ dc_details.realm }} \ diff --git a/ansible/03_check_dc1.yml b/ansible/03_check_dc1.yml deleted file mode 100644 index 0890dda..0000000 
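Review bot: `when: - samba_tool_result.failed != false` compares a boolean with `!=` where Ansible's result test reads more clearly and does not depend on the `failed` key being present in the registered result: `when: samba_tool_result is failed`; the same construct appears in `05_dc_replication.yml` in this commit. The `samba-tool dns add` task that begins at the end of the hunk runs through `ansible.builtin.shell` with templated `dc_details.*` values and its remaining arguments are outside the hunk — if it carries credential flags it needs `no_log: true`, because the registered result otherwise stores the full command line. Switching `ignore_errors: yes` to `true` is the right direction; `update_cache: yes` still remains in the new role task files.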
--- a/ansible/03_check_dc1.yml +++ /dev/null @@ -1,58 +0,0 @@ ---- - -- name: Проверка состояния первого контроллера домена - hosts: dctest1 - - tasks: - - name: Проверка наличия развёрнутого домена на хосте {{ ansible_hostname }} - ansible.builtin.shell: "samba-tool domain info {{ ansible_default_ipv4.address }}" - register: samba_tool_result - - - name: Информация о домене - ansible.builtin.debug: - var: samba_tool_result.stdout_lines - - - name: Получение настройки резолвера - ansible.builtin.shell: "cat /etc/resolv.conf" - register: resolv_conf_result - - name: Вывод /etc/resolv.conf - ansible.builtin.debug: - var: resolv_conf_result.stdout_lines - - - name: Записи служб DNS. Kerberos - ansible.builtin.shell: "host -t SRV _kerberos._udp.{{ dc_details.realm }}" - register: srv_kerberos - - name: SRV запись Kerberos - ansible.builtin.debug: - var: srv_kerberos.stdout_lines - - - name: Записи служб DNS. LDAP - ansible.builtin.shell: "host -t SRV _ldap._tcp.{{ dc_details.realm }}" - register: srv_ldap - - name: SRV запись LDAP - ansible.builtin.debug: - var: srv_ldap.stdout_lines - - - name: Записи служб DNS. A запись - ansible.builtin.shell: "host {{ hostnames.dc1_host }}.{{ dc_details.realm }}" - register: a_line - - name: A запись домена - ansible.builtin.debug: - var: a_line.stdout_lines - - - name: Проверка возможности авторизации Kerberos - ansible.builtin.expect: - command: "kinit {{ dc_details.admin }}" - responses: - # "Password for {{ dc_details.admin }}@{{ dc_details.realm_u }}:": "{{ dc_details.adminpass }}" - "Password for .*:": "{{ dc_details.adminpass }}" - echo: true - timeout: 5 - no_log: true - - - name: Текущие билеты Kerberos - ansible.builtin.shell: "klist" - register: klist - - name: Вывод билета Kerberos - ansible.builtin.debug: - var: klist.stdout_lines diff --git a/ansible/04_deploy_dc2_role.yml b/ansible/04_deploy_dc2_role.yml new file mode 100644 index 0000000..fbee4ed --- /dev/null +++ b/ansible/04_deploy_dc2_role.yml 
@@ -0,0 +1,6 @@ +--- + +- name: Разворачивание второго контроллера домена + hosts: dctest2 + roles: + - deploy_dc2 diff --git a/ansible/06_3_dc_replication.yml b/ansible/05_dc_replication.yml similarity index 97% rename from ansible/06_3_dc_replication.yml rename to ansible/05_dc_replication.yml index 0db2cb1..d6ae233 100644 --- a/ansible/06_3_dc_replication.yml +++ b/ansible/05_dc_replication.yml @@ -1,6 +1,6 @@ --- -- name: Репликация между контроллерами домена +- name: Репликация между контроллерами hosts: dctest1 tasks: @@ -12,7 +12,7 @@ - name: Проверка наличия развёрнутого домена на хосте {{ ansible_hostname }} ansible.builtin.shell: "samba-tool domain info {{ ansible_default_ipv4.address }}" register: samba_tool_result - ignore_errors: yes + ignore_errors: true - name: Если на хосте НЕ развёрнут домен, выполнение прерывается ansible.builtin.fail: @@ -30,7 +30,7 @@ register: rep1_output - ansible.builtin.debug: msg: "Итог репликации: {{ rep1_output.stdout }}" - + - name: Репликация в направлении {{ hostnames.dc1_host }} -> {{ hostnames.dc2_host }} ansible.builtin.shell: | samba-tool drs replicate \ diff --git a/ansible/06_2_deploy_second_dc.yml b/ansible/06_2_deploy_second_dc.yml deleted file mode 100644 index ba009ee..0000000 --- a/ansible/06_2_deploy_second_dc.yml +++ /dev/null 
@@ -1,145 +0,0 @@ ---- - -- name: Разворачивание контроллера домена - hosts: dctest2 - - tasks: - - name: Проверка соответствия ОС - ansible.builtin.fail: - msg: Операционная система должна быть Альт - when: ansible_os_family != "Altlinux" - - - name: Проверка наличия развёрнутого домена на хосте {{ ansible_hostname }} - ansible.builtin.shell: "samba-tool domain info {{ ansible_default_ipv4.address }}" - register: samba_tool_result - ignore_errors: yes - - - name: Если на хосте развёрнут домен, выполнение прерывается - ansible.builtin.fail: - msg: На хосте {{ ansible_hostname }} обнаружен развёрнутый домен. Прерываю выполнение - when: - - samba_tool_result.failed == false - - - name: Обновление системы - apt_rpm: - update_cache: true - dist_upgrade: true - clean: true - - - name: Назначение корректного имени хоста - ansible.builtin.hostname: - name: "{{ hostnames.dc2_host }}.{{ dc_details.realm }}" - use: systemd - - - name: Установка пакетов {{ packages }} - apt_rpm: - package: "{{ item }}" - state: present - update_cache: yes - loop: "{{ packages }}" - - - name: Конфигурация NTP (режим server) - ansible.builtin.command: - cmd: control chrony server - - - name: Настройка синхронизации времени с контроллером домена - {{ dc_details.dc1_ip }} - ansible.builtin.lineinfile: - path: /etc/resolvconf.conf - regexp: '^server .*' - line: server {{ dc_details.dc1_ip }} - - - name: Перезапуск службы синхронизации времени - ansible.builtin.systemd: - name: "{{ sync_time_daemon }}" - enabled: true - state: restarted - masked: false - - - name: Отключение служб, которые будут конфликтовать с контроллером - ansible.builtin.systemd: - name: "{{ item }}" - enabled: false - state: stopped - loop: "{{ stop_daemons }}" - ignore_errors: yes - - - name: Удалить старую конфигурацию Samba - ansible.builtin.file: - path: "{{ item }}" - state: absent - force: true - loop: "{{ old_config_to_remove }}" - - - name: Создать каталог для хранения групповых политик - ansible.builtin.file: - path: 
"{{ gp_folder }}" - state: directory - mode: '0755' - - - name: Настройка резолвера на контроллер домена - {{ dc_details.dc1_ip }} - ansible.builtin.lineinfile: - path: /etc/resolvconf.conf - regexp: '^name_servers' - line: name_servers={{ dc_details.dc1_ip }} - - # - name: Настройка резолвера доменную зону - {{ dc_details.realm }} - # ansible.builtin.lineinfile: - # path: /etc/resolvconf.conf - # regexp: '^search_domains' - # line: search_domains={{ dc_details.realm }} - - - name: Обновление конфигурации резолвера - ansible.builtin.shell: "resolvconf -u" - - - name: Внесение изменений в /etc/krb5.conf - "default_realm = {{ dc_details.realm }}" - ansible.builtin.lineinfile: - path: /etc/krb5.conf - regexp: 'default_realm' - line: " default_realm = {{ dc_details.realm }}" - - - name: Внесение изменений в /etc/krb5.conf - "dns_lookup_realm = false" - ansible.builtin.lineinfile: - path: /etc/krb5.conf - regexp: 'dns_lookup_realm' - line: " dns_lookup_realm = false" - - - name: Внесение изменений в /etc/krb5.conf - "dns_lookup_kdc = true" - ansible.builtin.lineinfile: - path: /etc/krb5.conf - regexp: 'dns_lookup_kdc' - line: " dns_lookup_kdc = true" - - - name: Добавление второго контроллера домена - ansible.builtin.shell: | - samba-tool domain join {{ dc_details.realm }} DC -Uadministrator --realm={{ dc_details.realm }} \ - --option="dns forwarder=77.88.8.8" --option="idmap_ldb:use rfc2307 = yes" --password=P@ssw0rd - register: dc2_join_output - - ansible.builtin.debug: - # samba dc при развёртывании валит вывод во все потоки, в том числе и err - var: dc2_join_output.stderr_lines[-1:] # показать последнюю строку вывода - - - name: Включение службы {{ samba_service }} - ansible.builtin.systemd: - name: "{{ samba_service }}" - enabled: true - state: restarted - masked: false - - - name: Копирование конфигурации Kerberos - ansible.builtin.copy: - remote_src: true - src: /var/lib/samba/private/krb5.conf - dest: /etc/krb5.conf - - - name: Настройка резолвера на 127.0.0.1 - 
ansible.builtin.lineinfile: - path: /etc/resolvconf.conf - regexp: '^name_servers' - line: name_servers=127.0.0.1 - - - name: Обновление конфигурации резолвера - ansible.builtin.shell: "resolvconf -u" - - - name: Перезагрузка узла после добавления в домен - ansible.builtin.reboot: - reboot_timeout: 3600 diff --git a/ansible/04_add_samba_users.yml b/ansible/06_add_samba_users.yml similarity index 66% rename from ansible/04_add_samba_users.yml rename to ansible/06_add_samba_users.yml index 7c534fc..36c8f5f 100644 --- a/ansible/04_add_samba_users.yml +++ b/ansible/06_add_samba_users.yml @@ -3,7 +3,7 @@ - name: Создание пользователей контроллера домена hosts: dctest1 vars: - - samba_user_mode: create + - samba_user_mode: create # или 'delete' tasks: - name: Пользователи в домене Samba @@ -21,9 +21,18 @@ --gecos='{{ item.fname }} {{ item.sname }}' \ --given-name={{ item.fname }} --surname={{ item.sname }} loop: "{{ samba_users }}" - when: (not item.username in user_list.stdout_lines) and (samba_user_mode != 'delete') + when: (not item.username in user_list.stdout_lines) and (samba_user_mode == 'create') no_log: true - + register: add_users + + - name: Отключается срок действия пароля пользователей + ansible.builtin.command: | + samba-tool user setexpiry \ + {{ item.username }} --noexpiry + loop: "{{ samba_users }}" + when: add_users.changed + no_log: true + - name: Удаляются пользователи домена ansible.builtin.command: samba-tool user {{ samba_user_mode }} {{ item.username }} loop: "{{ samba_users }}" @@ -35,4 +44,10 @@ msg: "{{ status.results[1].stderr_lines }}" when: samba_user_mode == 'delete' + - name: Пользователи в домене Samba + ansible.builtin.command: samba-tool user list + register: user_list + - name: Список пользователей + ansible.builtin.debug: + var: user_list.stdout_lines 
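Review bot: `when: add_users.changed` on the new setexpiry task reads the aggregate result of the loop, so as soon as one account is created the task runs `--noexpiry` against every entry of `samba_users`, including accounts that already existed and may have a deliberate expiry; iterate the per-item results instead with `loop: "{{ add_users.results }}"`, `when: item is changed`, and `{{ item.item.username }}` in the command. The `\` continuation inside the `ansible.builtin.command: |` block is probably not consumed as shell syntax (the command module runs no shell), so the backslash-newline likely ends up inside the username argument — a folded `>` scalar or a single line avoids that. Disabling password expiry for all provisioned users is a policy decision worth recording at the task, e.g. `# password never expires for provisioned accounts — review against the domain password policy`. The list-form `vars:` (`- samba_user_mode: create`) is, as far as I know, deprecated by ansible-core in favour of a mapping (`samba_user_mode: create`). The two listing tasks appended at the end reuse the task name and `register: user_list` of the first listing task; a distinct name (e.g. `Итоговый список пользователей`) keeps the log readable.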
diff --git a/ansible/05_add_samba_clients.yml b/ansible/07_add_samba_clients.yml similarity index 96% rename from ansible/05_add_samba_clients.yml rename to ansible/07_add_samba_clients.yml index 46c5b81..b871b49 100644 --- a/ansible/05_add_samba_clients.yml +++ b/ansible/07_add_samba_clients.yml @@ -1,6 +1,6 @@ --- -- name: Добавление компьютеров в контроллер +- name: Добавление компьютеров в домен hosts: testws tasks: diff --git a/ansible/07_check_dc2.yml b/ansible/07_check_dc2.yml deleted file mode 100644 index c589c9c..0000000 --- a/ansible/07_check_dc2.yml +++ /dev/null 
@@ -1,58 +0,0 @@ ---- - -- name: Проверка состояния второго контроллера домена - hosts: dctest2 - - tasks: - - name: Проверка наличия развёрнутого домена на хосте {{ ansible_hostname }} - ansible.builtin.shell: "samba-tool domain info {{ ansible_default_ipv4.address }}" - register: samba_tool_result - - - name: Информация о домене - ansible.builtin.debug: - var: samba_tool_result.stdout_lines - - - name: Получение настройки резолвера - ansible.builtin.shell: "cat /etc/resolv.conf" - register: resolv_conf_result - - name: Вывод /etc/resolv.conf - ansible.builtin.debug: - var: resolv_conf_result.stdout_lines - - - name: Записи служб DNS. Kerberos - ansible.builtin.shell: "host -t SRV _kerberos._udp.{{ dc_details.realm }}" - register: srv_kerberos - - name: SRV запись Kerberos - ansible.builtin.debug: - var: srv_kerberos.stdout_lines - - - name: Записи служб DNS. LDAP - ansible.builtin.shell: "host -t SRV _ldap._tcp.{{ dc_details.realm }}" - register: srv_ldap - - name: SRV запись LDAP - ansible.builtin.debug: - var: srv_ldap.stdout_lines - - - name: Записи служб DNS. A запись - ansible.builtin.shell: "host {{ hostnames.dc2_host }}.{{ dc_details.realm }}" - register: a_line - - name: A запись домена - ansible.builtin.debug: - var: a_line.stdout_lines - - - name: Проверка возможности авторизации Kerberos - ansible.builtin.expect: - command: "kinit {{ dc_details.admin }}" - responses: - # "Password for {{ dc_details.admin }}@{{ dc_details.realm_u }}:": "{{ dc_details.adminpass }}" - "Password for .*:": "{{ dc_details.adminpass }}" - echo: true - timeout: 5 - no_log: true - - - name: Текущие билеты Kerberos - ansible.builtin.shell: "klist" - register: klist - - name: Вывод билета Kerberos - ansible.builtin.debug: - var: klist.stdout_lines diff --git a/ansible/08_deploy_nas_role.yml b/ansible/08_deploy_nas_role.yml new file mode 100644 index 0000000..d65e69b --- /dev/null +++ b/ansible/08_deploy_nas_role.yml 
@@ -0,0 +1,6 @@ +--- + +- name: Разворачивание второго контроллера домена + hosts: nastest + roles: + - deploy_nas diff --git a/ansible/08_nas.yml b/ansible/08_nas.yml deleted file mode 100644 index 4498292..0000000 --- a/ansible/08_nas.yml +++ /dev/null @@ -1,36 +0,0 @@ ---- - -- name: Настройка файлового сервера - hosts: nas - - tasks: - - name: Проверка соответствия ОС - ansible.builtin.fail: - msg: Операционная система должна быть Альт - when: ansible_os_family != "Altlinux" - - - name: Проверка наличия развёрнутого домена на хосте {{ ansible_hostname }} - ansible.builtin.shell: "samba-tool domain info {{ ansible_default_ipv4.address }}" - register: samba_tool_result - ignore_errors: yes - - - name: Если на хосте развёрнут домен, выполнение прерывается - ansible.builtin.fail: - msg: На хосте {{ ansible_hostname }} обнаружен развёрнутый домен. Прерываю выполнение - when: - - samba_tool_result.failed == false - - - name: Обновление системы - apt_rpm: - update_cache: true - dist_upgrade: true - clean: true - - - name: Назначение корректного имени хоста - ansible.builtin.hostname: - name: "{{ hostnames.dc1_host }}.{{ dc_details.realm }}" - use: systemd - -################### - https://www.altlinux.org/Samba/Fileserver/AD-auth -################### \ No newline at end of file diff --git a/ansible/group_vars/nas/nas_vars.yml b/ansible/group_vars/nas/nas_vars.yml new file mode 100644 index 0000000..f8dee4b --- /dev/null +++ b/ansible/group_vars/nas/nas_vars.yml @@ -0,0 +1,11 @@ +# Переменные для настройки файлового сервера + +nas_samba_pkg: samba + +nas_samba_service: + - smb + - nmb + +smb_share: /share/sambashare +smb_share_grp: "domain users" +smb_conf_file: /etc/samba/smb.conf \ No newline at end of file diff --git a/ansible/group_vars/nas/share.conf b/ansible/group_vars/nas/share.conf new file mode 100644 index 0000000..f53172b --- /dev/null +++ b/ansible/group_vars/nas/share.conf 
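Review bot: The play name in `08_deploy_nas_role.yml` reads `Разворачивание второго контроллера домена` (deploying the second domain controller) while the play targets `nastest` and applies `deploy_nas` — a copy of `04_deploy_dc2_role.yml` whose name was not updated; name it after the file server, e.g. `- name: Настройка файлового сервера`, as the deleted `08_nas.yml` did.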
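Review bot: `ansible/group_vars/nas/nas_vars.yml` is loaded for members of the `nas` group, but the host added in this commit is placed in a new `[nastest]` group and `08_deploy_nas_role.yml` targets `nastest`; unless `nastest` is a child of `nas` (not visible in the `hosts.ini` hunk), `smb_share_grp` and the other values here are undefined for that host. The file also lacks the `---` document marker the other YAML files in this commit use and ends without a trailing newline (`\ No newline at end of file`). `smb_share: /share/sambashare` is defined here while `00_test.yml` and `share.conf` hard-code the same path; referencing `{{ smb_share }}` keeps them in step. `smb_share_grp: "domain users"` is correctly quoted.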
@@ -0,0 +1,10 @@ +[sambashare] + comment = Общая директория Samba + path = /share/sambashare + writable = yes + browseable = yes + guest ok = no + write list = @"ALT\domain users" + force group = "ALT\domain users" + force create mode = 0666 + force directory mode = 0775 diff --git a/ansible/hosts.ini b/ansible/hosts.ini index 736b1b3..d674cf5 100644 --- a/ansible/hosts.ini +++ b/ansible/hosts.ini @@ -12,6 +12,9 @@ dc2 ansible_host=10.1.1.12 dctest1 ansible_host=192.168.13.139 dctest2 ansible_host=192.168.13.155 +[nastest] +"{{ hostnames.nas_host }}" ansible_host=192.168.13.166 + [testws] "{{ hostnames.cl1_host }}" ansible_host=192.168.13.152 "{{ hostnames.cl2_host }}" ansible_host=192.168.13.153 diff --git a/ansible/roles/deploy_dc1/.travis.yml b/ansible/roles/deploy_dc1/.travis.yml new file mode 100644 index 0000000..36bbf62 --- /dev/null +++ b/ansible/roles/deploy_dc1/.travis.yml @@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/ansible/roles/deploy_dc1/README.md b/ansible/roles/deploy_dc1/README.md new file mode 100644 index 0000000..ad790b4 --- /dev/null +++ b/ansible/roles/deploy_dc1/README.md 
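Review bot: `force create mode = 0666` makes every file created through the share world-readable and world-writable at the filesystem level even though access is otherwise confined to `@"ALT\domain users"` by `write list` and `force group`; `force create mode = 0660` and `force directory mode = 0770` keep the on-disk permissions aligned with the enforced group and with the `mode: '0770'` the share directory gets in `00_test.yml`. The NetBIOS domain `ALT\` is written literally twice although the domain name is held in `dc_details.domain` elsewhere in the repository, so this stanza should be a template rendered from that variable. A `.conf` file under `group_vars/nas/` is presumably not read as a vars file (Ansible only loads YAML/JSON extensions there), but it does not belong in `group_vars` — the role's `files/` or `templates/` directory is the conventional place.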
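Review bot: The new inventory entry `"{{ hostnames.nas_host }}" ansible_host=192.168.13.166` uses a Jinja expression as the inventory hostname; as far as I know the INI inventory plugin does not template hostnames, so the host is registered under the literal string `{{ hostnames.nas_host }}` (the existing `testws` entries have the same problem). Use a plain alias under the group, `nastest ansible_host=192.168.13.166`, as is done for `dctest1`/`dctest2`, and keep `hostnames.nas_host` for the `hostname` module. Since `08_deploy_nas_role.yml` addresses the group by name, the alias itself only needs to be stable.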
@@ -0,0 +1,25 @@ +Deploy DC1 +========= + +Роль разворачивает контроллер домена Samba DC. + +Требования +------------ + +Поддерживается исключительно ОС Альт. +Работоспособность проверена на Альт Сервер 10.1 x86-64. + +Переменные +-------------- + +Все переменные вынесены за пределы роли и расположены во внешней директории `group_vars` + +Лицензия +------- + +BSD + +Автор +------------------ + +Артём Долгий, [artem@da2001.ru](mailto:artem@da2001.ru) diff --git a/ansible/roles/deploy_dc1/defaults/main.yml b/ansible/roles/deploy_dc1/defaults/main.yml new file mode 100644 index 0000000..59f3bfc --- /dev/null +++ b/ansible/roles/deploy_dc1/defaults/main.yml @@ -0,0 +1,2 @@ +--- +# defaults file for deploy_primary_dc \ No newline at end of file diff --git a/ansible/roles/deploy_dc1/handlers/main.yml b/ansible/roles/deploy_dc1/handlers/main.yml new file mode 100644 index 0000000..2a36dc5 --- /dev/null +++ b/ansible/roles/deploy_dc1/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for deploy_primary_dc \ No newline at end of file diff --git a/ansible/roles/deploy_dc1/meta/main.yml b/ansible/roles/deploy_dc1/meta/main.yml new file mode 100644 index 0000000..227ad9c --- /dev/null +++ b/ansible/roles/deploy_dc1/meta/main.yml 
@@ -0,0 +1,53 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.9 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. + \ No newline at end of file diff --git a/ansible/roles/deploy_dc1/tasks/check_dc1.yml b/ansible/roles/deploy_dc1/tasks/check_dc1.yml new file mode 100644 index 0000000..ac531ef --- /dev/null +++ b/ansible/roles/deploy_dc1/tasks/check_dc1.yml 
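Review bot: `galaxy_info` still carries the `ansible-galaxy init` placeholders (`author: your name`, `description: your role description`, `license: license (GPL-2.0-or-later, MIT, etc)`), which contradicts the BSD licence and author given in the role's README.md; fill them in or drop the fields that do not apply. `min_ansible_version: 2.9` is a plain float — quote it (`"2.9"`) so a later bump to `2.10` is not parsed as `2.1`. `galaxy_tags: []` and `dependencies: []` are fine as explicit empty lists.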
@@ -0,0 +1,54 @@ +--- + +- name: Проверка наличия развёрнутого домена на хосте {{ ansible_hostname }} + ansible.builtin.shell: "samba-tool domain info {{ ansible_default_ipv4.address }}" + register: samba_tool_result + +- name: Информация о домене + ansible.builtin.debug: + var: samba_tool_result.stdout_lines + +- name: Получение настройки резолвера + ansible.builtin.shell: "cat /etc/resolv.conf" + register: resolv_conf_result +- name: Вывод /etc/resolv.conf + ansible.builtin.debug: + var: resolv_conf_result.stdout_lines + +- name: Записи служб DNS. Kerberos + ansible.builtin.shell: "host -t SRV _kerberos._udp.{{ dc_details.realm }}" + register: srv_kerberos +- name: SRV запись Kerberos + ansible.builtin.debug: + var: srv_kerberos.stdout_lines + +- name: Записи служб DNS. LDAP + ansible.builtin.shell: "host -t SRV _ldap._tcp.{{ dc_details.realm }}" + register: srv_ldap +- name: SRV запись LDAP + ansible.builtin.debug: + var: srv_ldap.stdout_lines + +- name: Записи служб DNS. A запись + ansible.builtin.shell: "host {{ hostnames.dc1_host }}.{{ dc_details.realm }}" + register: a_line +- name: A запись домена + ansible.builtin.debug: + var: a_line.stdout_lines + +- name: Проверка возможности авторизации Kerberos + ansible.builtin.expect: + command: "kinit {{ dc_details.admin }}" + responses: + # "Password for {{ dc_details.admin }}@{{ dc_details.realm_u }}:": "{{ dc_details.adminpass }}" + "Password for .*:": "{{ dc_details.adminpass }}" + echo: true + timeout: 5 + no_log: true + +- name: Текущие билеты Kerberos + ansible.builtin.shell: "klist" + register: klist +- name: Вывод билета Kerberos + ansible.builtin.debug: + var: klist.stdout_lines diff --git a/ansible/roles/deploy_dc1/tasks/deploy_dc1.yml b/ansible/roles/deploy_dc1/tasks/deploy_dc1.yml new file mode 100644 index 0000000..1d48127 --- /dev/null +++ b/ansible/roles/deploy_dc1/tasks/deploy_dc1.yml 
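Review bot: The `kinit {{ dc_details.admin }}` check leaves an administrator TGT in the credential cache on the controller after the role finishes (the following `klist` task shows it) and nothing removes it; add a final `- name: Удаление билета Kerberos` / `ansible.builtin.command: kdestroy` task so the verification does not leave a privileged ticket behind. `no_log: true` on the `expect` task correctly keeps `dc_details.adminpass` out of the log, but `echo: true` asks the module to echo the typed response into its output — since that output is hidden by `no_log`, confirm it is intended, otherwise set `echo: false`. `cat /etc/resolv.conf`, `host …`, `klist` and `samba-tool domain info` need no shell features, so `ansible.builtin.command` is the safer choice than `ansible.builtin.shell` for these templated command lines.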
@@ -0,0 +1,98 @@ +--- + +- name: Проверка соответствия ОС + ansible.builtin.fail: + msg: Операционная система должна быть Альт + when: ansible_os_family != "Altlinux" + +- name: Проверка наличия развёрнутого домена на хосте {{ ansible_hostname }} + ansible.builtin.shell: "samba-tool domain info {{ ansible_default_ipv4.address }}" + register: samba_tool_result + ignore_errors: true + +- name: Если на хосте развёрнут домен, выполнение прерывается + ansible.builtin.fail: + msg: На хосте {{ ansible_hostname }} обнаружен развёрнутый домен. Прерываю выполнение + when: + - samba_tool_result.failed == false + +- name: Обновление системы + apt_rpm: + update_cache: true + dist_upgrade: true + clean: true + +- name: Назначение корректного имени хоста + ansible.builtin.hostname: + name: "{{ hostnames.dc1_host }}.{{ dc_details.realm }}" + use: systemd + +- name: Установка пакетов {{ packages }} + apt_rpm: + package: "{{ item }}" + state: present + update_cache: yes + loop: "{{ packages }}" + +- name: Конфигурация NTP (режим server) + ansible.builtin.command: + cmd: control chrony server + +- name: Включение службы синхронизации времени chrony + ansible.builtin.systemd: + name: chronyd + enabled: true + state: restarted + masked: false + +- name: Отключение служб, которые будут конфликтовать с контроллером + ansible.builtin.systemd: + name: "{{ item }}" + enabled: false + state: stopped + loop: "{{ stop_daemons }}" + ignore_errors: true + +- name: Удалить старую конфигурацию Samba + ansible.builtin.file: + path: "{{ item }}" + state: absent + force: true + loop: "{{ old_config_to_remove }}" + +- name: Создать каталог для хранения групповых политик + ansible.builtin.file: + path: "{{ gp_folder }}" + state: directory + mode: '0755' + +- name: Настройка резолвера на 127.0.0.1 + ansible.builtin.lineinfile: + path: /etc/resolvconf.conf + regexp: '^name_servers' + line: name_servers=127.0.0.1 + +- name: Обновление конфигурации резолвера + ansible.builtin.shell: "resolvconf -u" + +- 
name: Разворачивание первого контроллера домена + ansible.builtin.shell: | + samba-tool domain provision --realm={{ dc_details.realm }} --domain={{ dc_details.domain }} \ + --adminpass='{{ dc_details.adminpass }}' --dns-backend=SAMBA_INTERNAL \ + --option="dns forwarder={{ dc_details.dns_forwarder }}" --server-role=dc --use-rfc2307 + register: dc_provision_output +- ansible.builtin.debug: + var: dc_provision_output.stdout_lines + +- name: Включение службы {{ samba_service }} + ansible.builtin.systemd: + name: "{{ samba_service }}" + enabled: true + state: restarted + masked: false + +- name: Копирование конфигурации Kerberos + ansible.builtin.copy: + remote_src: true + src: /var/lib/samba/private/krb5.conf + dest: /etc/krb5.conf diff --git a/ansible/roles/deploy_dc1/tasks/main.yml b/ansible/roles/deploy_dc1/tasks/main.yml new file mode 100644 index 0000000..70a1a41 --- /dev/null +++ b/ansible/roles/deploy_dc1/tasks/main.yml @@ -0,0 +1,7 @@ +--- + +- name: Создание первого контроллера домена + import_tasks: deploy_dc1.yml + +- name: Проверка первого контроллера + import_tasks: check_dc1.yml \ No newline at end of file diff --git a/ansible/roles/deploy_dc1/tests/inventory b/ansible/roles/deploy_dc1/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/ansible/roles/deploy_dc1/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/ansible/roles/deploy_dc1/tests/test.yml b/ansible/roles/deploy_dc1/tests/test.yml new file mode 100644 index 0000000..0dfd57e --- /dev/null +++ b/ansible/roles/deploy_dc1/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - deploy_primary_dc \ No newline at end of file diff --git a/ansible/roles/deploy_dc1/vars/main.yml b/ansible/roles/deploy_dc1/vars/main.yml new file mode 100644 index 0000000..9fd2428 --- /dev/null +++ b/ansible/roles/deploy_dc1/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for deploy_primary_dc \ No newline at end of file 
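Review bot: The `samba-tool domain provision` task passes `--adminpass='{{ dc_details.adminpass }}'` on the command line and registers the result without `no_log`, so the password lands in the task's `cmd` field in verbose output and in any configured log file, and is visible in the host's process list for the duration of the run. Add `no_log: true` to that task; the following `ansible.builtin.debug` of `dc_provision_output.stdout_lines` keeps working, as the `kinit` task in check_dc1.yml already demonstrates. The domain-present guard uses `samba_tool_result.failed == false`; `when: not samba_tool_result.failed` is the idiomatic form and avoids the literal comparison ansible-lint flags. `update_cache: yes` mixes `yes` with the `true` used on every other boolean in this file; use `true` throughout. The `resolvconf -u` task also runs via `shell` with no `changed_when`, so it reports a change every run.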
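Review bot: `roles:` in `deploy_dc1/tests/test.yml` lists `deploy_primary_dc`, but the role directory this commit adds is `deploy_dc1`, so a syntax check of that playbook with `roles_path=../` (as the `.travis.yml` added for the sibling roles does) cannot resolve the role; change the entry to `- deploy_dc1`. The `deploy_dc2` test playbook in this same commit already uses its directory name. The `# vars file for deploy_primary_dc` comment in `deploy_dc1/vars/main.yml` looks like the same leftover from the rename and should read `# vars file for deploy_dc1`.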
diff --git a/ansible/roles/deploy_dc2/.travis.yml b/ansible/roles/deploy_dc2/.travis.yml new file mode 100644 index 0000000..36bbf62 --- /dev/null +++ b/ansible/roles/deploy_dc2/.travis.yml @@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/ansible/roles/deploy_dc2/README.md b/ansible/roles/deploy_dc2/README.md new file mode 100644 index 0000000..c627ed9 --- /dev/null +++ b/ansible/roles/deploy_dc2/README.md @@ -0,0 +1,30 @@ +Deploy DC1 +========= + +Роль разворачивает контроллер домена Samba DC. + +Требования +------------ + +Поддерживается исключительно ОС Альт. +Работоспособность проверена на Альт Сервер 10.1 x86-64. + +Переменные +-------------- + +Все переменные вынесены за пределы роли и расположены во внешней директории `group_vars` + +Зависимости +------------ + +Роль необходимо выполнять после запуска роли `deploy_dc1` + +Лицензия +------- + +BSD + +Автор +------------------ + +Артём Долгий, [artem@da2001.ru](mailto:artem@da2001.ru) diff --git a/ansible/roles/deploy_dc2/defaults/main.yml b/ansible/roles/deploy_dc2/defaults/main.yml new file mode 100644 index 0000000..2d6babf --- /dev/null +++ b/ansible/roles/deploy_dc2/defaults/main.yml @@ -0,0 +1,2 @@ +--- +# defaults file for deploy_dc2 \ No newline at end of file diff --git a/ansible/roles/deploy_dc2/handlers/main.yml b/ansible/roles/deploy_dc2/handlers/main.yml new file mode 100644 index 0000000..2910c01 --- /dev/null 
+++ b/ansible/roles/deploy_dc2/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for deploy_dc2 \ No newline at end of file diff --git a/ansible/roles/deploy_dc2/meta/main.yml b/ansible/roles/deploy_dc2/meta/main.yml new file mode 100644 index 0000000..227ad9c --- /dev/null +++ b/ansible/roles/deploy_dc2/meta/main.yml @@ -0,0 +1,53 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.9 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. + \ No newline at end of file 
diff --git a/ansible/roles/deploy_dc2/tasks/check_dc2.yml b/ansible/roles/deploy_dc2/tasks/check_dc2.yml
new file mode 100644
index 0000000..2dc5a75
--- /dev/null
+++ b/ansible/roles/deploy_dc2/tasks/check_dc2.yml
@@ -0,0 +1,54 @@
+---
+
+- name: Проверка наличия развёрнутого домена на хосте {{ ansible_hostname }}
+ ansible.builtin.shell: "samba-tool domain info {{ ansible_default_ipv4.address }}"
+ register: samba_tool_result
+
+- name: Информация о домене
+ ansible.builtin.debug:
+ var: samba_tool_result.stdout_lines
+
+- name: Получение настройки резолвера
+ ansible.builtin.shell: "cat /etc/resolv.conf"
+ register: resolv_conf_result
+- name: Вывод /etc/resolv.conf
+ ansible.builtin.debug:
+ var: resolv_conf_result.stdout_lines
+
+- name: Записи служб DNS. Kerberos
+ ansible.builtin.shell: "host -t SRV _kerberos._udp.{{ dc_details.realm }}"
+ register: srv_kerberos
+- name: SRV запись Kerberos
+ ansible.builtin.debug:
+ var: srv_kerberos.stdout_lines
+
+- name: Записи служб DNS. LDAP
+ ansible.builtin.shell: "host -t SRV _ldap._tcp.{{ dc_details.realm }}"
+ register: srv_ldap
+- name: SRV запись LDAP
+ ansible.builtin.debug:
+ var: srv_ldap.stdout_lines
+
+- name: Записи служб DNS. A запись
+ ansible.builtin.shell: "host {{ hostnames.dc2_host }}.{{ dc_details.realm }}"
+ register: a_line
+- name: A запись домена
+ ansible.builtin.debug:
+ var: a_line.stdout_lines
+
+- name: Проверка возможности авторизации Kerberos
+ ansible.builtin.expect:
+ command: "kinit {{ dc_details.admin }}"
+ responses:
+ # "Password for {{ dc_details.admin }}@{{ dc_details.realm_u }}:": "{{ dc_details.adminpass }}"
+ "Password for .*:": "{{ dc_details.adminpass }}"
+ echo: true
+ timeout: 5
+ no_log: true
+
+- name: Текущие билеты Kerberos
+ ansible.builtin.shell: "klist"
+ register: klist
+- name: Вывод билета Kerberos
+ ansible.builtin.debug:
+ var: klist.stdout_lines
diff --git a/ansible/roles/deploy_dc2/tasks/deploy_second_dc.yml b/ansible/roles/deploy_dc2/tasks/deploy_second_dc.yml new file mode 100644 index 0000000..e7e9bac --- /dev/null +++ b/ansible/roles/deploy_dc2/tasks/deploy_second_dc.yml 
@@ -0,0 +1,141 @@ +--- + +- name: Проверка соответствия ОС + ansible.builtin.fail: + msg: Операционная система должна быть Альт + when: ansible_os_family != "Altlinux" + +- name: Проверка наличия развёрнутого домена на хосте {{ ansible_hostname }} + ansible.builtin.shell: "samba-tool domain info {{ ansible_default_ipv4.address }}" + register: samba_tool_result + ignore_errors: true + +- name: Если на хосте развёрнут домен, выполнение прерывается + ansible.builtin.fail: + msg: На хосте {{ ansible_hostname }} обнаружен развёрнутый домен. Прерываю выполнение + when: + - samba_tool_result.failed == false + +- name: Обновление системы + apt_rpm: + update_cache: true + dist_upgrade: true + clean: true + +- name: Назначение корректного имени хоста + ansible.builtin.hostname: + name: "{{ hostnames.dc2_host }}.{{ dc_details.realm }}" + use: systemd + +- name: Установка пакетов {{ packages }} + apt_rpm: + package: "{{ item }}" + state: present + update_cache: yes + loop: "{{ packages }}" + +- name: Конфигурация NTP (режим server) + ansible.builtin.command: + cmd: control chrony server + +- name: Настройка синхронизации времени с контроллером домена - {{ dc_details.dc1_ip }} + ansible.builtin.lineinfile: + path: /etc/resolvconf.conf + regexp: '^server .*' + line: server {{ dc_details.dc1_ip }} + +- name: Перезапуск службы синхронизации времени + ansible.builtin.systemd: + name: "{{ sync_time_daemon }}" + enabled: true + state: restarted + masked: false + +- name: Отключение служб, которые будут конфликтовать с контроллером + ansible.builtin.systemd: + name: "{{ item }}" + enabled: false + state: stopped + loop: "{{ stop_daemons }}" + ignore_errors: true + +- name: Удалить старую конфигурацию Samba + ansible.builtin.file: + path: "{{ item }}" + state: absent + force: true + loop: "{{ old_config_to_remove }}" + +- name: Создать каталог для хранения групповых политик + ansible.builtin.file: + path: "{{ gp_folder }}" + state: directory + mode: '0755' + +- name: Настройка 
резолвера на контроллер домена - {{ dc_details.dc1_ip }} + ansible.builtin.lineinfile: + path: /etc/resolvconf.conf + regexp: '^name_servers' + line: name_servers={{ dc_details.dc1_ip }} + +# - name: Настройка резолвера доменную зону - {{ dc_details.realm }} +# ansible.builtin.lineinfile: +# path: /etc/resolvconf.conf +# regexp: '^search_domains' +# line: search_domains={{ dc_details.realm }} + +- name: Обновление конфигурации резолвера + ansible.builtin.shell: "resolvconf -u" + +- name: Внесение изменений в /etc/krb5.conf - "default_realm = {{ dc_details.realm }}" + ansible.builtin.lineinfile: + path: /etc/krb5.conf + regexp: 'default_realm' + line: " default_realm = {{ dc_details.realm }}" + +- name: Внесение изменений в /etc/krb5.conf - "dns_lookup_realm = false" + ansible.builtin.lineinfile: + path: /etc/krb5.conf + regexp: 'dns_lookup_realm' + line: " dns_lookup_realm = false" + +- name: Внесение изменений в /etc/krb5.conf - "dns_lookup_kdc = true" + ansible.builtin.lineinfile: + path: /etc/krb5.conf + regexp: 'dns_lookup_kdc' + line: " dns_lookup_kdc = true" + +- name: Добавление второго контроллера домена + ansible.builtin.shell: | + samba-tool domain join {{ dc_details.realm }} DC -Uadministrator --realm={{ dc_details.realm }} \ + --option="dns forwarder=77.88.8.8" --option="idmap_ldb:use rfc2307 = yes" --password=P@ssw0rd + register: dc2_join_output +- ansible.builtin.debug: + # samba dc при развёртывании валит вывод во все потоки, в том числе и err + var: dc2_join_output.stderr_lines[-1:] # показать последнюю строку вывода + +- name: Включение службы {{ samba_service }} + ansible.builtin.systemd: + name: "{{ samba_service }}" + enabled: true + state: restarted + masked: false + +- name: Копирование конфигурации Kerberos + ansible.builtin.copy: + remote_src: true + src: /var/lib/samba/private/krb5.conf + dest: /etc/krb5.conf + +- name: Настройка резолвера на 127.0.0.1 + ansible.builtin.lineinfile: + path: /etc/resolvconf.conf + regexp: '^name_servers' + 
line: name_servers=127.0.0.1 + +- name: Обновление конфигурации резолвера + ansible.builtin.shell: "resolvconf -u" + +- name: Перезагрузка узла после добавления в домен + ansible.builtin.reboot: + reboot_timeout: 3600 diff --git a/ansible/roles/deploy_dc2/tasks/main.yml b/ansible/roles/deploy_dc2/tasks/main.yml new file mode 100644 index 0000000..18f1c41 --- /dev/null +++ b/ansible/roles/deploy_dc2/tasks/main.yml @@ -0,0 +1,7 @@ +--- + +- name: Создание второго контроллера + import_tasks: deploy_second_dc.yml + +- name: Проверка второго контроллера + import_tasks: check_dc2.yml diff --git a/ansible/roles/deploy_dc2/tests/inventory b/ansible/roles/deploy_dc2/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/ansible/roles/deploy_dc2/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/ansible/roles/deploy_dc2/tests/test.yml b/ansible/roles/deploy_dc2/tests/test.yml new file mode 100644 index 0000000..1b36411 --- /dev/null +++ b/ansible/roles/deploy_dc2/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - deploy_dc2 \ No newline at end of file diff --git a/ansible/roles/deploy_dc2/vars/main.yml b/ansible/roles/deploy_dc2/vars/main.yml new file mode 100644 index 0000000..897ffe5 --- /dev/null +++ b/ansible/roles/deploy_dc2/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for deploy_dc2 \ No newline at end of file diff --git a/ansible/roles/deploy_nas/.travis.yml b/ansible/roles/deploy_nas/.travis.yml new file mode 100644 index 0000000..36bbf62 --- /dev/null +++ b/ansible/roles/deploy_nas/.travis.yml 
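Review bot: The `samba-tool domain join` task hard-codes the join credentials (`-Uadministrator`, `--password=P@ssw0rd`) and the forwarder `77.88.8.8` in the task body, while every other task in these roles reads them from `dc_details.admin`, `dc_details.adminpass` and, in deploy_dc1.yml, `dc_details.dns_forwarder`; a literal password committed in a role is a credential leak regardless of what the inventory holds, and it will silently diverge from the value DC1 was provisioned with. Use the same variables here, `-U{{ dc_details.admin }} --password='{{ dc_details.adminpass }}'` and `--option="dns forwarder={{ dc_details.dns_forwarder }}"`, and add `no_log: true` to the task so the command line does not reach the log (the following debug of `dc2_join_output.stderr_lines[-1:]` is unaffected). Separately, the task named 'Настройка синхронизации времени с контроллером домена' writes `server {{ dc_details.dc1_ip }}` into `/etc/resolvconf.conf` with `regexp: '^server .*'`; a chrony `server` directive belongs in chrony's own configuration file, not in the resolvconf file this role edits for `name_servers`, so the time source is never configured and the resolver file gets a stray line — check the path. `samba_tool_result.failed == false` and `update_cache: yes` should likewise become `not samba_tool_result.failed` and `true`.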
@@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/ansible/roles/deploy_nas/README.md b/ansible/roles/deploy_nas/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/ansible/roles/deploy_nas/README.md 
@@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/ansible/roles/deploy_nas/defaults/main.yml b/ansible/roles/deploy_nas/defaults/main.yml new file mode 100644 index 0000000..387ba35 --- /dev/null +++ b/ansible/roles/deploy_nas/defaults/main.yml @@ -0,0 +1,2 @@ +--- +# defaults file for deploy_nas \ No newline at end of file diff --git a/ansible/roles/deploy_nas/handlers/main.yml b/ansible/roles/deploy_nas/handlers/main.yml new file mode 100644 index 0000000..91c2961 --- /dev/null +++ b/ansible/roles/deploy_nas/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for deploy_nas \ No newline at end of file 
diff --git a/ansible/roles/deploy_nas/meta/main.yml b/ansible/roles/deploy_nas/meta/main.yml new file mode 100644 index 0000000..227ad9c --- /dev/null +++ b/ansible/roles/deploy_nas/meta/main.yml @@ -0,0 +1,53 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.9 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. + \ No newline at end of file diff --git a/ansible/roles/deploy_nas/tasks/main.yml b/ansible/roles/deploy_nas/tasks/main.yml new file mode 100644 index 0000000..51e62b5 
--- /dev/null +++ b/ansible/roles/deploy_nas/tasks/main.yml @@ -0,0 +1,7 @@ +--- + +- name: Подготовка узла для развёртывания файлового сервера + import_tasks: nas_prepare.yml + +- name: Настройка файлового сервера Samba + import_tasks: nas_smb.yml \ No newline at end of file diff --git a/ansible/roles/deploy_nas/tasks/nas_prepare.yml b/ansible/roles/deploy_nas/tasks/nas_prepare.yml new file mode 100644 index 0000000..f2a267d --- /dev/null +++ b/ansible/roles/deploy_nas/tasks/nas_prepare.yml 
@@ -0,0 +1,67 @@ +--- + +- name: Проверка соответствия ОС + ansible.builtin.fail: + msg: Операционная система должна быть Альт + when: ansible_os_family != "Altlinux" + +- name: Проверка наличия развёрнутого домена на хосте {{ ansible_hostname }} + ansible.builtin.shell: "samba-tool domain info {{ ansible_default_ipv4.address }}" + register: samba_tool_result + ignore_errors: true + +- name: Если на хосте развёрнут домен, выполнение прерывается + ansible.builtin.fail: + msg: На хосте {{ ansible_hostname }} обнаружен развёрнутый домен. Прерываю выполнение + when: + - samba_tool_result.failed == false + +- name: Обновление системы + apt_rpm: + update_cache: true + dist_upgrade: true + clean: true + +- name: Назначение корректного имени хоста + ansible.builtin.hostname: + name: "{{ hostnames.nas_host }}.{{ dc_details.realm }}" + use: systemd + +- name: Настройка резолвера на контроллеры домена - {{ dc_details.dc1_ip }}, {{ dc_details.dc2_ip }} + ansible.builtin.lineinfile: + path: /etc/resolvconf.conf + regexp: '^name_servers' + line: name_servers="{{ dc_details.dc1_ip }} {{ dc_details.dc2_ip }}" + +# - name: Настройка резолвера доменную зону - {{ dc_details.realm }} +# ansible.builtin.lineinfile: +# path: /etc/resolvconf.conf +# regexp: '^search_domains' +# line: search_domains={{ dc_details.realm }} + +- name: Обновление конфигурации резолвера + ansible.builtin.shell: "resolvconf -u" + +- name: Установка клиентского пакета Samba {{ samba_client_package }} + apt_rpm: + package: "{{ samba_client_package }}" + state: present + update_cache: yes + +- name: Ввод в домен + ansible.builtin.shell: | + system-auth write ad {{ dc_details.realm }} {{ inventory_hostname }} {{ dc_details.domain }} \ + '{{ dc_details.admin }}' '{{ dc_details.adminpass }}' + register: add_to_domain +- name: Итог ввода + ansible.builtin.debug: + var: add_to_domain.stdout_lines + +- name: Проверка ввода в домен + ansible.builtin.shell: net ads testjoin + register: testjoin + failed_when: testjoin.rc 
!= 0 + +- name: Перезагрузка узла после добавления в домен + ansible.builtin.reboot: + reboot_timeout: 3600 diff --git a/ansible/roles/deploy_nas/tasks/nas_smb.yml b/ansible/roles/deploy_nas/tasks/nas_smb.yml new file mode 100644 index 0000000..9d66f09 --- /dev/null +++ b/ansible/roles/deploy_nas/tasks/nas_smb.yml @@ -0,0 +1,28 @@ +--- + +- name: Установка пакета {{ nas_samba_pkg }} + apt_rpm: + package: "{{ nas_samba_pkg }}" + state: present + update_cache: yes + +- name: Создание разделяемого ресурса Samba + ansible.builtin.file: + path: "{{ smb_share }}" + state: directory + mode: '0770' + group: "{{ smb_share_grp }}" + +- name: Добавление в конфигурацию Samba данных о разделяемом ресурсе + ansible.builtin.blockinfile: + block: "{{ lookup('ansible.builtin.file', '../../group_vars/nas/share.conf') }}" + path: "{{ smb_conf_file }}" + backup: yes + +- name: Включение служб файлового сервера Samba + ansible.builtin.systemd: + name: "{{ item }}" + enabled: true + state: restarted + masked: false + loop: "{{ nas_samba_service }}" diff --git a/ansible/roles/deploy_nas/tests/inventory b/ansible/roles/deploy_nas/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/ansible/roles/deploy_nas/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/ansible/roles/deploy_nas/tests/test.yml b/ansible/roles/deploy_nas/tests/test.yml new file mode 100644 index 0000000..eee895a --- /dev/null +++ b/ansible/roles/deploy_nas/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - deploy_nas \ No newline at end of file diff --git a/ansible/roles/deploy_nas/vars/main.yml b/ansible/roles/deploy_nas/vars/main.yml new file mode 100644 index 0000000..5d96c7a --- /dev/null +++ b/ansible/roles/deploy_nas/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for deploy_nas \ No newline at end of file diff --git a/ansible/roles/deploy_vms/README.md b/ansible/roles/deploy_vms/README.md index 225dd44..130fd6a 100644 
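Review bot: The `system-auth write ad` task puts `'{{ dc_details.adminpass }}'` on the command line and registers the result without `no_log`, so the domain admin password appears in the task's `cmd` field in verbose output and in any log file, and in the host's process list while the join runs; add `no_log: true` to that task (the following debug of `add_to_domain.stdout_lines` still works). `failed_when: testjoin.rc != 0` on the `net ads testjoin` task restates the module's default and can be dropped, whereas `changed_when: false` is what this read-only check actually needs. The `samba-tool domain info` guard is copied from the DC roles; on a member server `samba-tool` may not be installed at that point, in which case the check passes only because the command itself fails — a comment or `failed_when: false` would make that intent explicit. `update_cache: yes` should be `true` to match the other booleans in the file.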
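Review bot: The `blockinfile` task reads its content with `lookup('ansible.builtin.file', '../../group_vars/nas/share.conf')`; file lookups are resolved relative to the role's `files/` directory, the task file's directory and the playbook directory, so a `../../` path out of the role only works for this one checkout layout and breaks as soon as the role is used from another `roles_path`. Move `share.conf` into the role's `files/` directory and reference it as `lookup('ansible.builtin.file', 'share.conf')`, or hand the block in through a variable defined in `group_vars/nas`. `backup: yes` and `update_cache: yes` should be `true` to match the booleans used elsewhere in the role.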
--- a/ansible/roles/deploy_vms/README.md +++ b/ansible/roles/deploy_vms/README.md @@ -1,38 +1,19 @@ -Role Name +Deploy VMs ========= -A brief description of the role goes here. +Роль создаёт виртуальные машины из заранее подготовленных шаблонов. -Requirements +Требования ------------ -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. +Поддерживается гипервизор на основе Proxmox VE (Альт Виртуализация). -Role Variables --------------- - -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. - -Dependencies ------------- - -A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. - -Example Playbook ----------------- - -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: - - - hosts: servers - roles: - - { role: username.rolename, x: 42 } - -License +Лицензия ------- BSD -Author Information +Автор ------------------ -An optional section for the role authors to include contact information, or a website (HTML is not allowed). +Артём Долгий, [artem@da2001.ru](mailto:artem@da2001.ru)