RedHatTraining/agnosticd.git

joelbirchler

2020-03-03 73a52a15ce4aefe711f0dd684cadb5cb2c52602d

commit \| author \| age
1e2288	1	---
JR	2	###### VARIABLES YOU SHOULD CONFIGURE FOR YOUR DEPLOYEMNT
	3	###### OR PASS as "-e" args to ansible-playbook command
	4
9f5643	5	## Indicate the list of private workloads to deploy with
RM	6	# this config. Takes a list of remote workloads as parameter
b2bd21	7	# private_workloads.
J	8	# Name will be used as part of a path name, so avoid spaces and
	9	# other non-alphanumeric characters.
9f5643	10	# - name: workload-name
RM	11	# url: ssh://github.com:foo/bar.git
	12	# path: /classroom/infrastructure/agnosticd-workload
73a52a	13	# git_ssh_key: /home/provisioner/github-private.key
9f5643	14	private_workloads: []
1e2288	15
9f5643	16	### Common Host settings
1e2288	17	repo_method: file # Other Options are: file, satellite and rhn
JR	18	#If using repo_method: satellite, you must set these values as well.
	19	# satellite_url: satellite.example.com
	20	# satellite_org: Sat_org_name
	21	# satellite_activationkey: "rhel7basic"
	22
	23	# Do you want to run a full yum update
	24	update_packages: false
	25
	26	install_bastion: false
	27	install_common: true
	28	install_courseware: true
	29
	30	# Indicate whether status will be reported to status API service on Bastion
	31	# Also, indicates whether the status API will be installed on Bastion
	32	report_status: true
	33
	34	# Defines the version of the Ansible Tower installer.
	35	# The version should match a file available here:
	36	# https://releases.ansible.com/ansible-tower/setup/
	37	towerversion: "3.5.2-1"
	38	tower_admin_password: changeme
	39
	40	## guid is the deployment unique identifier, it will be appended to all tags,
	41	## files and anything that identifies this environment from another "just like it"
	42	guid: defaultguid
	43	course_name: default
	44	platform: opentlc
	45	project_tag: "{{ env_type }}-{{ guid }}"
	46
	47	### If you want a Key Pair name created and injected into the hosts,
	48	# set `set_env_authorized_key` to true and set the keyname in `env_authorized_key`
	49	# you can use the key used to create the environment or use your own self generated key
	50	# if you set "use_own_key" to false your PRIVATE key will be copied to the bastion. (This is {{key_name}})
	51	use_own_key: true
	52	env_authorized_key: "{{guid}}key"
	53	ansible_ssh_private_key_file: ~/.ssh/{{key_name}}
	54	set_env_authorized_key: true
	55	win_connect_method: psrp
	56
	57	### AWS EC2 Environment settings
	58
	59	### Route 53 Zone ID (AWS)
	60	# This is the Route53 HostedZoneId where you will create your Public DNS entries
	61	# This only needs to be defined if your CF template uses route53
	62	HostedZoneId: Z3IHLWJZOU9SRT
	63	# The region to be used, if not specified by -e in the command line
	64	aws_region: us-east-1
	65	# The key that is used to
	66	key_name: "default_key_name"
	67
	68	## Networking (AWS)
	69	subdomain_base_short: "{{ guid }}"
	70	subdomain_base_suffix: ".{{ course_name }}.opentlc.com"
	71	subdomain_base: "{{ subdomain_base_short }}{{ subdomain_base_suffix }}"
	72
	73	zone_internal_dns: "{{guid}}.{{course_name}}.internal."
	74	chomped_zone_internal_dns: "{{guid}}.{{course_name}}.internal"
	75
	76	vpcid_cidr_block: "172.25.0.0/16"
	77	vpcid_name_tag: "{{subdomain_base}}"
	78
	79	aws_availability_zone: "{{ aws_region }}a"
	80	aws_private_subnet_cidr: "172.25.250.0/24"
	81	aws_public_subnet_cidr: "172.25.251.0/24"
	82	aws_vpc_name: "{{course_name}}-{{guid}}-vpc"
	83
	84	cf_template_description: "{{ env_type }}-{{ guid }} Ansible Agnostic Deployer "
	85
	86	## Environment Sizing
	87
	88	bastion_instance_type: "t2.medium"
	89	tower_instance_type: "t2.medium"
	90	gitlab_instance_type: "t2.medium"
	91
	92	windows_instance_count: 2
	93	windows_instance_type: "t3.medium"
	94
	95	windows_workstation_instance_type: "t3.large"
	96
	97	activedirectory_instance_count: 1
	98	activedirectory_instance_type: "t3.medium"
	99
	100	# Windows Domain Settings
	101	dns_domain_name: "example.com"
	102	dns_domain_name_short: "example"
	103	ldap_basedn: "DC=example,DC=com"
	104	ldap_search_base: "{{ ldap_basedn }}"
	105	ldap_access_filter: "(&(objectClass=user)(memberOf=CN=Ansible Users,CN=Users,{{ ldap_search_base }}))"
	106	tower_ldap_search_dn: "CN=Users,{{ ldap_search_base }}"
	107
	108	security_groups:
	109	- name: BastionSG
	110	rules:
	111	- name: SSHBastion
	112	description: "SSH public"
	113	from_port: 22
	114	to_port: 22
	115	protocol: tcp
	116	cidr: "0.0.0.0/0"
	117	rule_type: Ingress
	118	- name: HttpBastion
	119	description: "Http public"
	120	from_port: 80
	121	to_port: 80
	122	protocol: tcp
	123	cidr: "0.0.0.0/0"
	124	rule_type: Ingress
	125	- name: NginxBastion
	126	description: "Http public"
	127	from_port: 30904
	128	to_port: 30904
	129	protocol: tcp
	130	cidr: "0.0.0.0/0"
	131	rule_type: Ingress
	132	- name: TowerSG
	133	rules:
	134	- name: InternalNetworkTowerTcp
	135	description: "All internal TCP traffic"
	136	from_port: 0
	137	to_port: 65535
	138	protocol: tcp
	139	cidr: "{{ vpcid_cidr_block }}"
	140	rule_type: Ingress
	141	- name: InternalNetworkTowerUdp
	142	description: "All internal UDP traffic"
	143	from_port: 0
	144	to_port: 65535
	145	protocol: udp
	146	cidr: "{{ vpcid_cidr_block }}"
	147	rule_type: Ingress
	148	- name: GitlabSG
	149	rules:
	150	- name: InternalNetworkGitlabTcp
	151	description: "All internal TCP traffic"
	152	from_port: 0
	153	to_port: 65535
	154	protocol: tcp
	155	cidr: "{{ vpcid_cidr_block }}"
	156	rule_type: Ingress
	157	- name: InternalNetworkGitlabUdp
	158	description: "All internal UDP traffic"
	159	from_port: 0
	160	to_port: 65535
	161	protocol: udp
	162	cidr: "{{ vpcid_cidr_block }}"
	163	rule_type: Ingress
	164	- name: WinDCSG
	165	rules:
	166	- name: InternalNetworkWinTcp
	167	description: "All internal TCP traffic"
	168	from_port: 0
	169	to_port: 65535
	170	protocol: tcp
	171	cidr: "{{ vpcid_cidr_block }}"
	172	rule_type: Ingress
	173	- name: InternalNetworkWinUdp
	174	description: "All internal UDP traffic"
	175	from_port: 0
	176	to_port: 65535
	177	protocol: udp
	178	cidr: "{{ vpcid_cidr_block }}"
	179	rule_type: Ingress
	180	- name: WinSG
	181	rules:
	182	- name: InternalNetworkWinTcp
	183	description: "All internal TCP traffic"
	184	from_port: 0
	185	to_port: 65535
	186	protocol: tcp
	187	cidr: "{{ vpcid_cidr_block }}"
	188	rule_type: Ingress
	189	- name: InternalNetworkWinUdp
	190	description: "All internal UDP traffic"
	191	from_port: 0
	192	to_port: 65535
	193	protocol: udp
	194	cidr: "{{ vpcid_cidr_block }}"
	195	rule_type: Ingress
	196	- name: WorkstationSG
	197	rules:
	198	- name: HTTPWin
	199	description: "HTTP public"
	200	from_port: 80
	201	to_port: 80
	202	protocol: tcp
	203	cidr: "0.0.0.0/0"
	204	rule_type: Ingress
	205	- name: HTTPSWin
	206	description: "HTTPS public"
	207	from_port: 443
	208	to_port: 443
	209	protocol: tcp
	210	cidr: "0.0.0.0/0"
	211	rule_type: Ingress
	212	- name: WinRDP
	213	description: "Win RDP public"
	214	from_port: 3389
	215	to_port: 3389
	216	protocol: tcp
	217	cidr: "0.0.0.0/0"
	218	rule_type: Ingress
	219	- name: InternalNetworkWinTcp
	220	description: "All internal TCP traffic"
	221	from_port: 0
	222	to_port: 65535
	223	protocol: tcp
	224	cidr: "{{ vpcid_cidr_block }}"
	225	rule_type: Ingress
	226	- name: InternalNetworkWinUdp
	227	description: "All internal UDP traffic"
	228	from_port: 0
	229	to_port: 65535
	230	protocol: udp
	231	cidr: "{{ vpcid_cidr_block }}"
	232	rule_type: Ingress
	233
	234	instances:
	235	- name: "bastion"
	236	count: 1
	237	unique: true
	238	security_group: "BastionSG"
	239	public_dns: true
	240	flavor:
	241	"ec2": "{{bastion_instance_type}}"
	242	image_id: RHEL76GOLD
	243	tags:
	244	- key: "AnsibleGroup"
	245	value: "bastions"
	246	- key: "ostype"
	247	value: "linux"
	248
	249	- name: "tower"
	250	count: 1
	251	unique: true
	252	security_group: "TowerSG"
	253	public_dns: false
	254	flavor:
	255	"ec2": "{{tower_instance_type}}"
	256	image_id: RHEL76GOLD
	257	tags:
	258	- key: "AnsibleGroup"
	259	value: "towers"
	260	- key: "ostype"
	261	value: "linux"
	262	#TODO is this needed? it doesn't work like this
	263	# UserData: \|
	264	# UserData:
	265	# hostname: tower
	266	# fqdn: "tower.{{dns_domain_name}}"
	267	# manage_etc_hosts: true
	268	# chpasswd: { expire: False }
	269	# ssh_pwauth: True
	270
	271	- name: "gitlab"
	272	count: 1
	273	unique: true
	274	security_group: "GitlabSG"
	275	public_dns: false
	276	flavor:
	277	"ec2": "{{gitlab_instance_type}}"
	278	image_id: RHEL76GOLD
	279	tags:
	280	- key: "AnsibleGroup"
	281	value: "gitlab"
	282	- key: "ostype"
	283	value: "linux"
	284
	285	- name: "windc"
	286	count: "{{activedirectory_instance_count}}"
	287	public_dns: false
	288	unique: "{{ true if activedirectory_instance_count \| int <= 1 else false }}"
	289	security_group: "WinDCSG"
	290	flavor:
	291	"ec2": "{{activedirectory_instance_type}}"
	292	image_id: WIN2019FULL
	293	UserData: "{{ lookup('template', '../configs/{{ env_type }}/templates/win_ec2_userdata.j2') }}"
	294	tags:
	295	- key: "AnsibleGroup"
	296	value: "activedirectories"
	297	- key: "ostype"
	298	value: "windows"
	299
	300	- name: "win"
	301	count: "{{windows_instance_count}}"
	302	unique: "{{ true if windows_instance_count \| int <= 1 else false }}"
	303	public_dns: false
	304	security_group: "WinSG"
	305	flavor:
	306	"ec2": "{{windows_instance_type}}"
	307	image_id: WIN2019FULL
	308	UserData: "{{ lookup('template', '../configs/{{ env_type }}/templates/win_ec2_userdata.j2') }}"
	309	tags:
	310	- key: "AnsibleGroup"
	311	value: "windows_servers"
	312	- key: "ostype"
	313	value: "windows"
	314	volumes:
	315	- device_name: "/dev/xvdf"
	316	size: 5
	317
	318	- name: "workstation"
	319	count: 1
	320	unique: true
	321	public_dns: true
	322	security_group: "WorkstationSG"
	323	flavor:
	324	"ec2": "{{windows_workstation_instance_type}}"
	325	image_id: WIN2016FULL
	326	UserData: "{{ lookup('template', '../configs/{{ env_type }}/templates/win_ec2_userdata.j2') }}"
	327	tags:
	328	- key: "AnsibleGroup"
	329	value: "workstations"
	330	- key: "ostype"
	331	value: "windows"
	332
	333	install_win_ssh: false
	334
	335	###### VARIABLES YOU SHOULD *NOT* CONFIGURE FOR YOUR DEPLOYMENT
	336	###### You can, but you usually wouldn't need to.
	337
	338	# The following interfere with Windows servers which use Administrator
	339	#ansible_user: ec2-user
	340	#remote_user: ec2-user
	341
	342	common_packages:
	343	- python
	344	- unzip
	345	- bash-completion
	346	- tmux
	347	- bind-utils
	348	- wget
	349	- git
	350	- vim-enhanced
	351	- at
	352	- python2-pip
	353	- gcc
	354
	355	rhel_repos:
	356	- rhel-7-server-rpms
	357	- rhel-7-server-extras-rpms
	358
	359	disable_default_repos: true
	360
	361	enable_epel: true
	362
	363	# Needed for reverse lookup DNS setup
	364	ptr_zone_name: "250.25.172.in-addr.arpa"
	365	ptr_zone_cidr: "172.25.250.0/24"
	366
	367	# Windows Default account
	368	user_prefix: student
	369	workstation_user: training
	370
	371	###################### GITLAB INFO #######################
	372	# Gitlab variables
	373	gitlab_external_url: "https://gitlab.{{ dns_domain_name }}/"
	374	gitlab_git_data_dir: "/var/opt/gitlab/git-data"
	375	gitlab_backup_path: "/var/opt/gitlab/backups"
	376	gitlab_edition: "gitlab-ce"
	377
	378	# SSL Config
	379	gitlab_redirect_http_to_https: "true"
	380	gitlab_ssl_certificate: "/etc/gitlab/ssl/gitlab.crt"
	381	gitlab_ssl_certificate_key: "/etc/gitlab/ssl/gitlab.key"
	382
	383	# SSL Self-signed Certificate Configuration
	384	gitlab_create_self_signed_cert: "true"
	385	gitlab_self_signed_cert_subj: "/C=US/ST=North Carolina/L=Raleigh/O=Ansible/CN=gitlab.{{ dns_domain_name }}"
	386
	387	# LDAP Configuration
	388	gitlab_ldap_enabled: "true"
	389	gitlab_ldap_host: "windc.{{ dns_domain_name }}"
	390	gitlab_ldap_port: "389"
	391	gitlab_ldap_uid: "sAMAccountName"
	392	gitlab_ldap_method: "plain"
	393	gitlab_ldap_bind_dn: "CN=Admin,CN=Users,{{ ldap_basedn }}"
	394	gitlab_ldap_password: "{{ windows_password }}"
	395	gitlab_ldap_base: "{{ ldap_basedn }}"
	396
	397	# General Config
	398	gitlab_time_zone: "UTC"
	399	gitlab_backup_keep_time: "604800"
	400	gitlab_download_validate_certs: yes
	401	gitlab_version: "10.0.6-ce.0.el7"
	402
	403	# Email configuration.
	404	gitlab_email_enabled: "false"
	405	gitlab_smtp_enable: "false"
	406
	407	git_lab: false
	408	advanced_lab: false