commit | author | age
|
1e2288
|
1 |
--- |
JR |
2 |
###### VARIABLES YOU SHOULD CONFIGURE FOR YOUR DEPLOYEMNT |
|
3 |
###### OR PASS as "-e" args to ansible-playbook command |
|
4 |
|
9f5643
|
5 |
## Indicate the list of private workloads to deploy with |
RM |
6 |
# this config. Takes a list of remote workloads as parameter |
b2bd21
|
7 |
# private_workloads. |
J |
8 |
# Name will be used as part of a path name, so avoid spaces and |
|
9 |
# other non-alphanumeric characters. |
9f5643
|
10 |
# - name: workload-name |
RM |
11 |
# url: ssh://github.com:foo/bar.git |
|
12 |
# path: /classroom/infrastructure/agnosticd-workload |
73a52a
|
13 |
# git_ssh_key: /home/provisioner/github-private.key |
9f5643
|
14 |
private_workloads: [] |
1e2288
|
15 |
|
9f5643
|
16 |
### Common Host settings |
1e2288
|
17 |
repo_method: file # Other Options are: file, satellite and rhn |
JR |
18 |
#If using repo_method: satellite, you must set these values as well. |
|
19 |
# satellite_url: satellite.example.com |
|
20 |
# satellite_org: Sat_org_name |
|
21 |
# satellite_activationkey: "rhel7basic" |
|
22 |
|
|
23 |
# Do you want to run a full yum update |
|
24 |
update_packages: false |
|
25 |
|
|
26 |
install_bastion: false |
|
27 |
install_common: true |
|
28 |
install_courseware: true |
|
29 |
|
|
30 |
# Indicate whether status will be reported to status API service on Bastion |
|
31 |
# Also, indicates whether the status API will be installed on Bastion |
|
32 |
report_status: true |
|
33 |
|
|
34 |
# Defines the version of the Ansible Tower installer. |
|
35 |
# The version should match a file available here: |
|
36 |
# https://releases.ansible.com/ansible-tower/setup/ |
|
37 |
towerversion: "3.5.2-1" |
|
38 |
tower_admin_password: changeme |
|
39 |
|
|
40 |
## guid is the deployment unique identifier, it will be appended to all tags, |
|
41 |
## files and anything that identifies this environment from another "just like it" |
|
42 |
guid: defaultguid |
|
43 |
course_name: default |
|
44 |
platform: opentlc |
|
45 |
project_tag: "{{ env_type }}-{{ guid }}" |
|
46 |
|
|
47 |
### If you want a Key Pair name created and injected into the hosts, |
|
48 |
# set `set_env_authorized_key` to true and set the keyname in `env_authorized_key` |
|
49 |
# you can use the key used to create the environment or use your own self generated key |
|
50 |
# if you set "use_own_key" to false your PRIVATE key will be copied to the bastion. (This is {{key_name}}) |
|
51 |
use_own_key: true |
|
52 |
env_authorized_key: "{{guid}}key" |
|
53 |
ansible_ssh_private_key_file: ~/.ssh/{{key_name}} |
|
54 |
set_env_authorized_key: true |
|
55 |
win_connect_method: psrp |
|
56 |
|
|
57 |
### AWS EC2 Environment settings |
|
58 |
|
|
59 |
### Route 53 Zone ID (AWS) |
|
60 |
# This is the Route53 HostedZoneId where you will create your Public DNS entries |
|
61 |
# This only needs to be defined if your CF template uses route53 |
|
62 |
HostedZoneId: Z3IHLWJZOU9SRT |
|
63 |
# The region to be used, if not specified by -e in the command line |
|
64 |
aws_region: us-east-1 |
|
65 |
# The key that is used to |
|
66 |
key_name: "default_key_name" |
|
67 |
|
|
68 |
## Networking (AWS) |
|
69 |
subdomain_base_short: "{{ guid }}" |
|
70 |
subdomain_base_suffix: ".{{ course_name }}.opentlc.com" |
|
71 |
subdomain_base: "{{ subdomain_base_short }}{{ subdomain_base_suffix }}" |
|
72 |
|
|
73 |
zone_internal_dns: "{{guid}}.{{course_name}}.internal." |
|
74 |
chomped_zone_internal_dns: "{{guid}}.{{course_name}}.internal" |
|
75 |
|
|
76 |
vpcid_cidr_block: "172.25.0.0/16" |
|
77 |
vpcid_name_tag: "{{subdomain_base}}" |
|
78 |
|
|
79 |
aws_availability_zone: "{{ aws_region }}a" |
|
80 |
aws_private_subnet_cidr: "172.25.250.0/24" |
|
81 |
aws_public_subnet_cidr: "172.25.251.0/24" |
|
82 |
aws_vpc_name: "{{course_name}}-{{guid}}-vpc" |
|
83 |
|
|
84 |
cf_template_description: "{{ env_type }}-{{ guid }} Ansible Agnostic Deployer " |
|
85 |
|
|
86 |
## Environment Sizing |
|
87 |
|
|
88 |
bastion_instance_type: "t2.medium" |
|
89 |
tower_instance_type: "t2.medium" |
|
90 |
gitlab_instance_type: "t2.medium" |
|
91 |
|
|
92 |
windows_instance_count: 2 |
|
93 |
windows_instance_type: "t3.medium" |
|
94 |
|
|
95 |
windows_workstation_instance_type: "t3.large" |
|
96 |
|
|
97 |
activedirectory_instance_count: 1 |
|
98 |
activedirectory_instance_type: "t3.medium" |
|
99 |
|
|
100 |
# Windows Domain Settings |
|
101 |
dns_domain_name: "example.com" |
|
102 |
dns_domain_name_short: "example" |
|
103 |
ldap_basedn: "DC=example,DC=com" |
|
104 |
ldap_search_base: "{{ ldap_basedn }}" |
|
105 |
ldap_access_filter: "(&(objectClass=user)(memberOf=CN=Ansible Users,CN=Users,{{ ldap_search_base }}))" |
|
106 |
tower_ldap_search_dn: "CN=Users,{{ ldap_search_base }}" |
|
107 |
|
|
108 |
security_groups: |
|
109 |
- name: BastionSG |
|
110 |
rules: |
|
111 |
- name: SSHBastion |
|
112 |
description: "SSH public" |
|
113 |
from_port: 22 |
|
114 |
to_port: 22 |
|
115 |
protocol: tcp |
|
116 |
cidr: "0.0.0.0/0" |
|
117 |
rule_type: Ingress |
|
118 |
- name: HttpBastion |
|
119 |
description: "Http public" |
|
120 |
from_port: 80 |
|
121 |
to_port: 80 |
|
122 |
protocol: tcp |
|
123 |
cidr: "0.0.0.0/0" |
|
124 |
rule_type: Ingress |
|
125 |
- name: NginxBastion |
|
126 |
description: "Http public" |
|
127 |
from_port: 30904 |
|
128 |
to_port: 30904 |
|
129 |
protocol: tcp |
|
130 |
cidr: "0.0.0.0/0" |
|
131 |
rule_type: Ingress |
|
132 |
- name: TowerSG |
|
133 |
rules: |
|
134 |
- name: InternalNetworkTowerTcp |
|
135 |
description: "All internal TCP traffic" |
|
136 |
from_port: 0 |
|
137 |
to_port: 65535 |
|
138 |
protocol: tcp |
|
139 |
cidr: "{{ vpcid_cidr_block }}" |
|
140 |
rule_type: Ingress |
|
141 |
- name: InternalNetworkTowerUdp |
|
142 |
description: "All internal UDP traffic" |
|
143 |
from_port: 0 |
|
144 |
to_port: 65535 |
|
145 |
protocol: udp |
|
146 |
cidr: "{{ vpcid_cidr_block }}" |
|
147 |
rule_type: Ingress |
|
148 |
- name: GitlabSG |
|
149 |
rules: |
|
150 |
- name: InternalNetworkGitlabTcp |
|
151 |
description: "All internal TCP traffic" |
|
152 |
from_port: 0 |
|
153 |
to_port: 65535 |
|
154 |
protocol: tcp |
|
155 |
cidr: "{{ vpcid_cidr_block }}" |
|
156 |
rule_type: Ingress |
|
157 |
- name: InternalNetworkGitlabUdp |
|
158 |
description: "All internal UDP traffic" |
|
159 |
from_port: 0 |
|
160 |
to_port: 65535 |
|
161 |
protocol: udp |
|
162 |
cidr: "{{ vpcid_cidr_block }}" |
|
163 |
rule_type: Ingress |
|
164 |
- name: WinDCSG |
|
165 |
rules: |
|
166 |
- name: InternalNetworkWinTcp |
|
167 |
description: "All internal TCP traffic" |
|
168 |
from_port: 0 |
|
169 |
to_port: 65535 |
|
170 |
protocol: tcp |
|
171 |
cidr: "{{ vpcid_cidr_block }}" |
|
172 |
rule_type: Ingress |
|
173 |
- name: InternalNetworkWinUdp |
|
174 |
description: "All internal UDP traffic" |
|
175 |
from_port: 0 |
|
176 |
to_port: 65535 |
|
177 |
protocol: udp |
|
178 |
cidr: "{{ vpcid_cidr_block }}" |
|
179 |
rule_type: Ingress |
|
180 |
- name: WinSG |
|
181 |
rules: |
|
182 |
- name: InternalNetworkWinTcp |
|
183 |
description: "All internal TCP traffic" |
|
184 |
from_port: 0 |
|
185 |
to_port: 65535 |
|
186 |
protocol: tcp |
|
187 |
cidr: "{{ vpcid_cidr_block }}" |
|
188 |
rule_type: Ingress |
|
189 |
- name: InternalNetworkWinUdp |
|
190 |
description: "All internal UDP traffic" |
|
191 |
from_port: 0 |
|
192 |
to_port: 65535 |
|
193 |
protocol: udp |
|
194 |
cidr: "{{ vpcid_cidr_block }}" |
|
195 |
rule_type: Ingress |
|
196 |
- name: WorkstationSG |
|
197 |
rules: |
|
198 |
- name: HTTPWin |
|
199 |
description: "HTTP public" |
|
200 |
from_port: 80 |
|
201 |
to_port: 80 |
|
202 |
protocol: tcp |
|
203 |
cidr: "0.0.0.0/0" |
|
204 |
rule_type: Ingress |
|
205 |
- name: HTTPSWin |
|
206 |
description: "HTTPS public" |
|
207 |
from_port: 443 |
|
208 |
to_port: 443 |
|
209 |
protocol: tcp |
|
210 |
cidr: "0.0.0.0/0" |
|
211 |
rule_type: Ingress |
|
212 |
- name: WinRDP |
|
213 |
description: "Win RDP public" |
|
214 |
from_port: 3389 |
|
215 |
to_port: 3389 |
|
216 |
protocol: tcp |
|
217 |
cidr: "0.0.0.0/0" |
|
218 |
rule_type: Ingress |
|
219 |
- name: InternalNetworkWinTcp |
|
220 |
description: "All internal TCP traffic" |
|
221 |
from_port: 0 |
|
222 |
to_port: 65535 |
|
223 |
protocol: tcp |
|
224 |
cidr: "{{ vpcid_cidr_block }}" |
|
225 |
rule_type: Ingress |
|
226 |
- name: InternalNetworkWinUdp |
|
227 |
description: "All internal UDP traffic" |
|
228 |
from_port: 0 |
|
229 |
to_port: 65535 |
|
230 |
protocol: udp |
|
231 |
cidr: "{{ vpcid_cidr_block }}" |
|
232 |
rule_type: Ingress |
|
233 |
|
|
234 |
instances: |
|
235 |
- name: "bastion" |
|
236 |
count: 1 |
|
237 |
unique: true |
|
238 |
security_group: "BastionSG" |
|
239 |
public_dns: true |
|
240 |
flavor: |
|
241 |
"ec2": "{{bastion_instance_type}}" |
|
242 |
image_id: RHEL76GOLD |
|
243 |
tags: |
|
244 |
- key: "AnsibleGroup" |
|
245 |
value: "bastions" |
|
246 |
- key: "ostype" |
|
247 |
value: "linux" |
|
248 |
|
|
249 |
- name: "tower" |
|
250 |
count: 1 |
|
251 |
unique: true |
|
252 |
security_group: "TowerSG" |
|
253 |
public_dns: false |
|
254 |
flavor: |
|
255 |
"ec2": "{{tower_instance_type}}" |
|
256 |
image_id: RHEL76GOLD |
|
257 |
tags: |
|
258 |
- key: "AnsibleGroup" |
|
259 |
value: "towers" |
|
260 |
- key: "ostype" |
|
261 |
value: "linux" |
|
262 |
#TODO is this needed? it doesn't work like this |
|
263 |
# UserData: | |
|
264 |
# UserData: |
|
265 |
# hostname: tower |
|
266 |
# fqdn: "tower.{{dns_domain_name}}" |
|
267 |
# manage_etc_hosts: true |
|
268 |
# chpasswd: { expire: False } |
|
269 |
# ssh_pwauth: True |
|
270 |
|
|
271 |
- name: "gitlab" |
|
272 |
count: 1 |
|
273 |
unique: true |
|
274 |
security_group: "GitlabSG" |
|
275 |
public_dns: false |
|
276 |
flavor: |
|
277 |
"ec2": "{{gitlab_instance_type}}" |
|
278 |
image_id: RHEL76GOLD |
|
279 |
tags: |
|
280 |
- key: "AnsibleGroup" |
|
281 |
value: "gitlab" |
|
282 |
- key: "ostype" |
|
283 |
value: "linux" |
|
284 |
|
|
285 |
- name: "windc" |
|
286 |
count: "{{activedirectory_instance_count}}" |
|
287 |
public_dns: false |
|
288 |
unique: "{{ true if activedirectory_instance_count | int <= 1 else false }}" |
|
289 |
security_group: "WinDCSG" |
|
290 |
flavor: |
|
291 |
"ec2": "{{activedirectory_instance_type}}" |
|
292 |
image_id: WIN2019FULL |
|
293 |
UserData: "{{ lookup('template', '../configs/{{ env_type }}/templates/win_ec2_userdata.j2') }}" |
|
294 |
tags: |
|
295 |
- key: "AnsibleGroup" |
|
296 |
value: "activedirectories" |
|
297 |
- key: "ostype" |
|
298 |
value: "windows" |
|
299 |
|
|
300 |
- name: "win" |
|
301 |
count: "{{windows_instance_count}}" |
|
302 |
unique: "{{ true if windows_instance_count | int <= 1 else false }}" |
|
303 |
public_dns: false |
|
304 |
security_group: "WinSG" |
|
305 |
flavor: |
|
306 |
"ec2": "{{windows_instance_type}}" |
|
307 |
image_id: WIN2019FULL |
|
308 |
UserData: "{{ lookup('template', '../configs/{{ env_type }}/templates/win_ec2_userdata.j2') }}" |
|
309 |
tags: |
|
310 |
- key: "AnsibleGroup" |
|
311 |
value: "windows_servers" |
|
312 |
- key: "ostype" |
|
313 |
value: "windows" |
|
314 |
volumes: |
|
315 |
- device_name: "/dev/xvdf" |
|
316 |
size: 5 |
|
317 |
|
|
318 |
- name: "workstation" |
|
319 |
count: 1 |
|
320 |
unique: true |
|
321 |
public_dns: true |
|
322 |
security_group: "WorkstationSG" |
|
323 |
flavor: |
|
324 |
"ec2": "{{windows_workstation_instance_type}}" |
|
325 |
image_id: WIN2016FULL |
|
326 |
UserData: "{{ lookup('template', '../configs/{{ env_type }}/templates/win_ec2_userdata.j2') }}" |
|
327 |
tags: |
|
328 |
- key: "AnsibleGroup" |
|
329 |
value: "workstations" |
|
330 |
- key: "ostype" |
|
331 |
value: "windows" |
|
332 |
|
|
333 |
install_win_ssh: false |
|
334 |
|
|
335 |
###### VARIABLES YOU SHOULD ***NOT*** CONFIGURE FOR YOUR DEPLOYMENT |
|
336 |
###### You can, but you usually wouldn't need to. |
|
337 |
|
|
338 |
# The following interfere with Windows servers which use Administrator |
|
339 |
#ansible_user: ec2-user |
|
340 |
#remote_user: ec2-user |
|
341 |
|
|
342 |
common_packages: |
|
343 |
- python |
|
344 |
- unzip |
|
345 |
- bash-completion |
|
346 |
- tmux |
|
347 |
- bind-utils |
|
348 |
- wget |
|
349 |
- git |
|
350 |
- vim-enhanced |
|
351 |
- at |
|
352 |
- python2-pip |
|
353 |
- gcc |
|
354 |
|
|
355 |
rhel_repos: |
|
356 |
- rhel-7-server-rpms |
|
357 |
- rhel-7-server-extras-rpms |
|
358 |
|
|
359 |
disable_default_repos: true |
|
360 |
|
|
361 |
enable_epel: true |
|
362 |
|
|
363 |
# Needed for reverse lookup DNS setup |
|
364 |
ptr_zone_name: "250.25.172.in-addr.arpa" |
|
365 |
ptr_zone_cidr: "172.25.250.0/24" |
|
366 |
|
|
367 |
# Windows Default account |
|
368 |
user_prefix: student |
|
369 |
workstation_user: training |
|
370 |
|
|
371 |
###################### GITLAB INFO ####################### |
|
372 |
# Gitlab variables |
|
373 |
gitlab_external_url: "https://gitlab.{{ dns_domain_name }}/" |
|
374 |
gitlab_git_data_dir: "/var/opt/gitlab/git-data" |
|
375 |
gitlab_backup_path: "/var/opt/gitlab/backups" |
|
376 |
gitlab_edition: "gitlab-ce" |
|
377 |
|
|
378 |
# SSL Config |
|
379 |
gitlab_redirect_http_to_https: "true" |
|
380 |
gitlab_ssl_certificate: "/etc/gitlab/ssl/gitlab.crt" |
|
381 |
gitlab_ssl_certificate_key: "/etc/gitlab/ssl/gitlab.key" |
|
382 |
|
|
383 |
# SSL Self-signed Certificate Configuration |
|
384 |
gitlab_create_self_signed_cert: "true" |
|
385 |
gitlab_self_signed_cert_subj: "/C=US/ST=North Carolina/L=Raleigh/O=Ansible/CN=gitlab.{{ dns_domain_name }}" |
|
386 |
|
|
387 |
# LDAP Configuration |
|
388 |
gitlab_ldap_enabled: "true" |
|
389 |
gitlab_ldap_host: "windc.{{ dns_domain_name }}" |
|
390 |
gitlab_ldap_port: "389" |
|
391 |
gitlab_ldap_uid: "sAMAccountName" |
|
392 |
gitlab_ldap_method: "plain" |
|
393 |
gitlab_ldap_bind_dn: "CN=Admin,CN=Users,{{ ldap_basedn }}" |
|
394 |
gitlab_ldap_password: "{{ windows_password }}" |
|
395 |
gitlab_ldap_base: "{{ ldap_basedn }}" |
|
396 |
|
|
397 |
# General Config |
|
398 |
gitlab_time_zone: "UTC" |
|
399 |
gitlab_backup_keep_time: "604800" |
|
400 |
gitlab_download_validate_certs: yes |
|
401 |
gitlab_version: "10.0.6-ce.0.el7" |
|
402 |
|
|
403 |
# Email configuration. |
|
404 |
gitlab_email_enabled: "false" |
|
405 |
gitlab_smtp_enable: "false" |
|
406 |
|
|
407 |
git_lab: false |
|
408 |
advanced_lab: false |