Refs #8025 Debian.yml - Forward Fast Juan

2024-10-02 14:02:22 +02:00 · 2024-10-02 14:02:22 +02:00 · c16fe4755e
parent 896ba27da5 6bce31ab19
commit c16fe4755e
11 changed files with 115 additions and 61 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,6 @@
 .vscode/
-.vaultpass
+.vault-pass
+.vault.yml
+.passbolt.yml
 venv
 context/_build
--- a/README.md
+++ b/README.md
@ -2,24 +2,30 @@

 Collection of Ansible playbooks used in the Verdnatura server farm.

-## Install Ansible
+## Setup Ansible

-Instal Ansible on Debian.
+Install Ansible on Debian.
 ```
 apt install ansible
 ```

-Install dependencies.
-```
-ansible-galaxy collection install -r collections/requirements.yml
-```
-
 Create Python virtual environment.
 ```
 python3 -m venv venv
 source venv/bin/activate
 pip install --upgrade pip ansible==10.1.0 ansible-builder==3.1.0
 pip install -r requirements.txt
+deactivate
+```
+
+Install dependencies.
+```
+ansible-galaxy collection install -r collections/requirements.yml
+```
+
+Before running any Ansible command, activate the Python virtual environment.
+```
+source venv/bin/activate
 ```

 ## Run playbook
@ -27,30 +33,52 @@ pip install -r requirements.txt
 Before merging changes into protected branches, playbooks should be tested 
 locally to ensure they work properly.

-Launch playbook on the fly on a host not declared in the inventory.
+Run playbook on inventory host.
 ```
-ansible-playbook -i <ip_or_hostname>, [-t tag1,tag2] playbooks/test.yml
+ansible-playbook -i inventories/lab -l <host> [-t tag1,tag2...] playbooks/ping.yml
+```
+
+Run playbook on the fly on a host not declared in the inventory.
+```
+ansible-playbook -i <ip_or_hostname>, playbooks/ping.yml
 ```

 *Note the comma at the end of the hostname or IP.*

-## Manage vault
+## Manage secrets

-To manage Ansible vault place the password into *.vaultpass* file.
+Secrets can be managed by using Ansible vault or an external keystore, Passbolt 
+is used in this case. It is recommended to use an external keystore to avoid 
+publicly exposing the secrets, even if they are encrypted.

-View or edit the vault file.
+When running playbooks that use any of the keystores mentioned above, the 
+*run-playbook.sh* script can be used, it is an ovelay over the original 
+*ansible-playbook* command which injects the necessary parameters.
+
+### Ansible vault
+
+To manage Ansible vault place the encryption password into *.vault-pass* file.
+
+Manage the vault.
 ```
-ansible-vault {view,edit} --vault-pass-file .vaultpass vault.yml
+ansible-vault {view,edit,create} --vault-pass-file .vault-pass .vault.yml
 ```

-When running playbooks that use the vault the *vault-playbook.sh* script can 
-be used, it is ovelay over the original *ansible-playbook* command.
+> [!CAUTION]
+> The files used for the vault must only be used locally and 
+> under **no** circumstances can they be uploaded to the repository.

-## Create execution environment
+### Passbolt
+
+Add the necessary environment variables to the *.passbolt.yml* file:
+
+* https://galaxy.ansible.com/ui/repo/published/anatomicjc/passbolt/docs/
+
+## Build execution environment for AWX

 Create an image with *ansible-builder* and upload it to registry.
 ```
-ansible-builder build --tag ansible-runner:vn1
+ansible-builder build --tag awx-ee:vn1
 ```

 ## Common playbooks
@ -65,6 +93,7 @@ ansible-builder build --tag ansible-runner:vn1
 * https://docs.ansible.com/ansible/latest/reference_appendices/config.html
 * https://docs.ansible.com/ansible/latest/collections/ansible/builtin/gather_facts_module.html
 * https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_vars_facts.html
-* https://www.passbolt.com/blog/managing-secrets-in-ansible-using-passbolt
-* https://galaxy.ansible.com/ui/repo/published/anatomicjc/passbolt/
+* https://ansible.readthedocs.io/projects/builder/en/latest/
 * https://www.ansible.com/blog/introduction-to-ansible-builder/
+* https://github.com/ansible/awx-ee/tree/devel
+* https://www.passbolt.com/blog/managing-secrets-in-ansible-using-passbolt
--- a/context/Dockerfile
+++ b/context/Dockerfile
@ -1,8 +1,10 @@
-ARG EE_BASE_IMAGE="quay.io/ansible/ansible-runner:latest"
-ARG PYCMD="/usr/bin/python3"
+ARG EE_BASE_IMAGE="quay.io/centos/centos:stream9"
+ARG PYCMD="/usr/bin/python3.12"
+ARG PYPKG="python3.12"
 ARG PKGMGR_PRESERVE_CACHE=""
 ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS=""
 ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS=""
+ARG ANSIBLE_INSTALL_REFS="ansible-core>=2.17.0 ansible-runner==2.4.0"
 ARG PKGMGR="/usr/bin/dnf"

 # Base build stage
@ -11,22 +13,28 @@ USER root
 ENV PIP_BREAK_SYSTEM_PACKAGES=1
 ARG EE_BASE_IMAGE
 ARG PYCMD
+ARG PYPKG
 ARG PKGMGR_PRESERVE_CACHE
 ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS
 ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS
+ARG ANSIBLE_INSTALL_REFS
 ARG PKGMGR

 COPY _build/scripts/ /output/scripts/
 COPY _build/scripts/entrypoint /opt/builder/bin/entrypoint
+RUN $PKGMGR install $PYPKG -y ; if [ -z $PKGMGR_PRESERVE_CACHE ]; then $PKGMGR clean all; fi
 RUN /output/scripts/pip_install $PYCMD
+RUN $PYCMD -m pip install --no-cache-dir $ANSIBLE_INSTALL_REFS

 # Galaxy build stage
 FROM base as galaxy
 ARG EE_BASE_IMAGE
 ARG PYCMD
+ARG PYPKG
 ARG PKGMGR_PRESERVE_CACHE
 ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS
 ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS
+ARG ANSIBLE_INSTALL_REFS
 ARG PKGMGR

 RUN /output/scripts/check_galaxy
@ -43,9 +51,11 @@ ENV PIP_BREAK_SYSTEM_PACKAGES=1
 WORKDIR /build
 ARG EE_BASE_IMAGE
 ARG PYCMD
+ARG PYPKG
 ARG PKGMGR_PRESERVE_CACHE
 ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS
 ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS
+ARG ANSIBLE_INSTALL_REFS
 ARG PKGMGR

 RUN $PYCMD -m pip install --no-cache-dir bindep pyyaml packaging
@ -53,7 +63,8 @@ RUN $PYCMD -m pip install --no-cache-dir bindep pyyaml packaging
 COPY --from=galaxy /usr/share/ansible /usr/share/ansible

 COPY _build/requirements.txt requirements.txt
-RUN $PYCMD /output/scripts/introspect.py introspect --user-pip=requirements.txt --write-bindep=/tmp/src/bindep.txt --write-pip=/tmp/src/requirements.txt
+COPY _build/bindep.txt bindep.txt
+RUN $PYCMD /output/scripts/introspect.py introspect --user-pip=requirements.txt --user-bindep=bindep.txt --write-bindep=/tmp/src/bindep.txt --write-pip=/tmp/src/requirements.txt
 RUN /output/scripts/assemble

 # Final build stage
@ -61,9 +72,11 @@ FROM base as final
 ENV PIP_BREAK_SYSTEM_PACKAGES=1
 ARG EE_BASE_IMAGE
 ARG PYCMD
+ARG PYPKG
 ARG PKGMGR_PRESERVE_CACHE
 ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS
 ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS
+ARG ANSIBLE_INSTALL_REFS
 ARG PKGMGR

 RUN /output/scripts/check_ansible $PYCMD
--- a/execution-environment.yml
+++ b/execution-environment.yml
@ -1,4 +1,33 @@
 version: 3
+images:
+  base_image:
+    name: quay.io/centos/centos:stream9
 dependencies:
-  galaxy: collections/requirements.yml
  python: requirements.txt
+  galaxy: collections/requirements.yml
+  python_interpreter:
+    package_system: python3.12
+    python_path: /usr/bin/python3.12
+  ansible_core:
+    package_pip: ansible-core>=2.17.0
+  ansible_runner:
+    package_pip: ansible-runner==2.4.0
+  system: |
+    git-core [platform:rpm]
+    python3.11-devel [platform:rpm compile]
+    libcurl-devel [platform:rpm compile]
+    krb5-devel [platform:rpm compile]
+    krb5-workstation [platform:rpm]
+    subversion [platform:rpm]
+    subversion [platform:dpkg]
+    git-lfs [platform:rpm]
+    sshpass [platform:rpm]
+    rsync [platform:rpm]
+    epel-release [platform:rpm]
+    unzip [platform:rpm]
+    podman-remote [platform:rpm]
+    cmake [platform:rpm compile]
+    gcc [platform:rpm compile]
+    gcc-c++ [platform:rpm compile]
+    make [platform:rpm compile]
+    openssl-devel [platform:rpm compile]
--- a/inventories/group_vars/all.yml
+++ b/inventories/group_vars/all.yml
@ -1,4 +1,6 @@
 ansible_host: "{{inventory_hostname_short}}.{{host_domain}}"
+passbolt: 'anatomicjc.passbolt.passbolt'
+passbolt_inventory: 'anatomicjc.passbolt.passbolt_inventory'
 sysadmin_mail: sysadmin@verdnatura.es
 sysadmin_group: sysadmin
 smtp_server: smtp.verdnatura.es
--- a/playbooks/debian.yml
+++ b/playbooks/debian.yml
@ -1,6 +1,5 @@
 - name: Configure base Debian host
  hosts: all
-  vars_files: ../vault.yml
  tasks:
  - name: Configure virtual machine or host (not LXC)
    import_role:
--- a/playbooks/passbolt.yml
+++ b/playbooks/passbolt.yml
@ -1,10 +1,6 @@
 - name: Fetch passbolt password
  hosts: all
  gather_facts: no
-  vars:
-    passbolt: 'anatomicjc.passbolt.passbolt'
-    passbolt_inventory: 'anatomicjc.passbolt.passbolt_inventory'
  tasks:
-  - name: Print password
-    debug:
-      msg: "Variable: {{ lookup(passbolt, 'test') }}"
+  - debug:
+      msg: "Password: {{ lookup(passbolt, 'test').password }}"
--- a/roles/debian-guest/templates/nslcd.conf
+++ b/roles/debian-guest/templates/nslcd.conf
@ -8,7 +8,7 @@ idle_timelimit 60

 base {{ ldap_base }}
 binddn cn=nss,ou=admins,{{ ldap_base }}
-bindpw {{ nslcd_password }}
+bindpw {{ lookup(passbolt, 'nslcd').password }}
 pagesize 500

 filter group (&(objectClass=posixGroup)(cn={{ sysadmin_group }}))
--- a/run-playbook.sh
+++ b/run-playbook.sh
@ -0,0 +1,13 @@
+#!/bin/bash
+
+EXTRA_ARGS=()
+
+if [ -f .passbolt.yml ]; then
+    EXTRA_ARGS+=("--extra-vars" "@.passbolt.yml")
+fi
+if [ -f .vaultpass ]; then
+    EXTRA_ARGS+=("--vault-password-file" ".vaultpass")
+fi
+
+export PYTHONPATH=./venv/lib/python3.12/site-packages/
+ansible-playbook ${EXTRA_ARGS[@]} $@
--- a/vault-playbook.sh
+++ b/vault-playbook.sh
@ -1,3 +0,0 @@
-#!/bin/bash
-export PYTHONPATH=./venv/lib/python3.12/site-packages/
-ansible-playbook --vault-password-file .vaultpass $@
--- a/vault.yml
+++ b/vault.yml
@ -1,26 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-37396535616365346266643936343463336564303066356131363064633436353763343735666563
-3234623639383039393735346632636163623435313965660a363363386637666261626661336333
-39643436663965383239323435613339323766623630633430343465313038643235636666343938
-3531636532613661650a336631666138306166346363333534613436396565343161623838363132
-30643532636332356630306563336165663266663237326262336533363665653230393332623134
-63626333303134346435666231386361643137636132383236373937636235326132666230306362
-36363136653963366235626239656339663736393636663136656164393031323663623463393438
-63646635343462363332636531323634623930643737333430613666366335303362323764363533
-39336533366466633132383438633063616564623862366263376638323138623363656164343635
-64346437646435383137313162656237303436343839366261633935613735316166376466616635
-61616132626539656633353032663932653730633365633331313330323932653465656634383334
-64633634326462316164316130373334666365643936646634333032326465373131656161646234
-30376135613534303533326133383661353235343034356466333961396237373937353137373735
-32373633396438313133663839373663656139346163386336373265356265613038646633386334
-37353331373332373636346166333639343936633464663335653762386431376632613430363666
-66636139663662633861643733306238646335353664636265623464393163343462326239613662
-63633236326161643838353931646566323236326636376331663463333664636566666462303063
-31303436356164623234346362386633633633623230366366393839376239636533636564666663
-39663034373664663063656561306132383734646263656464626432633963396638363362396664
-37303038373038346536613235333237613435663632656334643334326232396336653035326162
-63663637306531373030643962386339393263653262363037626538386132353363663761363138
-62663532313862396339653364306533326639333139336636343762373038333838313762393431
-34386239303765653930306334393339383234303137346461633231353637326137353964613832
-61353035353539633334333337346665383937346566396438306465336337366661323435616133
-37643932306265633465643430636662653865313661663331316662303861356466