---
|
###### VARIABLES YOU SHOULD CONFIGURE FOR YOUR DEPLOYEMNT
|
###### OR PASS as "-e" args to ansible-playbook command
|
|
## Indicate the list of private workloads to deploy with
|
# this config. Takes a list of remote workloads as parameter
|
# private_workloads.
|
# Name will be used as part of a path name, so avoid spaces and
|
# other non-alphanumeric characters.
|
# - name: workload-name
|
# url: ssh://github.com:foo/bar.git
|
# path: /classroom/infrastructure/agnosticd-workload
|
# git_ssh_key: /home/provisioner/github-private.key
|
private_workloads: []
|
|
### Common Host settings
|
repo_method: file # Other Options are: file, satellite and rhn
|
#If using repo_method: satellite, you must set these values as well.
|
# satellite_url: satellite.example.com
|
# satellite_org: Sat_org_name
|
# satellite_activationkey: "rhel7basic"
|
|
# Do you want to run a full yum update
|
update_packages: false
|
|
install_bastion: false
|
install_common: true
|
install_courseware: true
|
|
# Indicate whether status will be reported to status API service on Bastion
|
# Also, indicates whether the status API will be installed on Bastion
|
report_status: true
|
|
# Defines the version of the Ansible Tower installer.
|
# The version should match a file available here:
|
# https://releases.ansible.com/ansible-tower/setup/
|
towerversion: "3.5.2-1"
|
tower_admin_password: changeme
|
|
## guid is the deployment unique identifier, it will be appended to all tags,
|
## files and anything that identifies this environment from another "just like it"
|
guid: defaultguid
|
course_name: default
|
platform: opentlc
|
project_tag: "{{ env_type }}-{{ guid }}"
|
|
### If you want a Key Pair name created and injected into the hosts,
|
# set `set_env_authorized_key` to true and set the keyname in `env_authorized_key`
|
# you can use the key used to create the environment or use your own self generated key
|
# if you set "use_own_key" to false your PRIVATE key will be copied to the bastion. (This is {{key_name}})
|
use_own_key: true
|
env_authorized_key: "{{guid}}key"
|
ansible_ssh_private_key_file: ~/.ssh/{{key_name}}
|
set_env_authorized_key: true
|
win_connect_method: psrp
|
|
### AWS EC2 Environment settings
|
|
### Route 53 Zone ID (AWS)
|
# This is the Route53 HostedZoneId where you will create your Public DNS entries
|
# This only needs to be defined if your CF template uses route53
|
HostedZoneId: Z3IHLWJZOU9SRT
|
# The region to be used, if not specified by -e in the command line
|
aws_region: us-east-1
|
# The key that is used to
|
key_name: "default_key_name"
|
|
## Networking (AWS)
|
subdomain_base_short: "{{ guid }}"
|
subdomain_base_suffix: ".{{ course_name }}.opentlc.com"
|
subdomain_base: "{{ subdomain_base_short }}{{ subdomain_base_suffix }}"
|
|
zone_internal_dns: "{{guid}}.{{course_name}}.internal."
|
chomped_zone_internal_dns: "{{guid}}.{{course_name}}.internal"
|
|
vpcid_cidr_block: "172.25.0.0/16"
|
vpcid_name_tag: "{{subdomain_base}}"
|
|
aws_availability_zone: "{{ aws_region }}a"
|
aws_private_subnet_cidr: "172.25.250.0/24"
|
aws_public_subnet_cidr: "172.25.251.0/24"
|
aws_vpc_name: "{{course_name}}-{{guid}}-vpc"
|
|
cf_template_description: "{{ env_type }}-{{ guid }} Ansible Agnostic Deployer "
|
|
## Environment Sizing
|
|
bastion_instance_type: "t2.medium"
|
tower_instance_type: "t2.medium"
|
gitlab_instance_type: "t2.medium"
|
|
windows_instance_count: 2
|
windows_instance_type: "t3.medium"
|
|
windows_workstation_instance_type: "t3.large"
|
|
activedirectory_instance_count: 1
|
activedirectory_instance_type: "t3.medium"
|
|
# Windows Domain Settings
|
dns_domain_name: "example.com"
|
dns_domain_name_short: "example"
|
ldap_basedn: "DC=example,DC=com"
|
ldap_search_base: "{{ ldap_basedn }}"
|
ldap_access_filter: "(&(objectClass=user)(memberOf=CN=Ansible Users,CN=Users,{{ ldap_search_base }}))"
|
tower_ldap_search_dn: "CN=Users,{{ ldap_search_base }}"
|
|
security_groups:
|
- name: BastionSG
|
rules:
|
- name: SSHBastion
|
description: "SSH public"
|
from_port: 22
|
to_port: 22
|
protocol: tcp
|
cidr: "0.0.0.0/0"
|
rule_type: Ingress
|
- name: HttpBastion
|
description: "Http public"
|
from_port: 80
|
to_port: 80
|
protocol: tcp
|
cidr: "0.0.0.0/0"
|
rule_type: Ingress
|
- name: NginxBastion
|
description: "Http public"
|
from_port: 30904
|
to_port: 30904
|
protocol: tcp
|
cidr: "0.0.0.0/0"
|
rule_type: Ingress
|
- name: TowerSG
|
rules:
|
- name: InternalNetworkTowerTcp
|
description: "All internal TCP traffic"
|
from_port: 0
|
to_port: 65535
|
protocol: tcp
|
cidr: "{{ vpcid_cidr_block }}"
|
rule_type: Ingress
|
- name: InternalNetworkTowerUdp
|
description: "All internal UDP traffic"
|
from_port: 0
|
to_port: 65535
|
protocol: udp
|
cidr: "{{ vpcid_cidr_block }}"
|
rule_type: Ingress
|
- name: GitlabSG
|
rules:
|
- name: InternalNetworkGitlabTcp
|
description: "All internal TCP traffic"
|
from_port: 0
|
to_port: 65535
|
protocol: tcp
|
cidr: "{{ vpcid_cidr_block }}"
|
rule_type: Ingress
|
- name: InternalNetworkGitlabUdp
|
description: "All internal UDP traffic"
|
from_port: 0
|
to_port: 65535
|
protocol: udp
|
cidr: "{{ vpcid_cidr_block }}"
|
rule_type: Ingress
|
- name: WinDCSG
|
rules:
|
- name: InternalNetworkWinTcp
|
description: "All internal TCP traffic"
|
from_port: 0
|
to_port: 65535
|
protocol: tcp
|
cidr: "{{ vpcid_cidr_block }}"
|
rule_type: Ingress
|
- name: InternalNetworkWinUdp
|
description: "All internal UDP traffic"
|
from_port: 0
|
to_port: 65535
|
protocol: udp
|
cidr: "{{ vpcid_cidr_block }}"
|
rule_type: Ingress
|
- name: WinSG
|
rules:
|
- name: InternalNetworkWinTcp
|
description: "All internal TCP traffic"
|
from_port: 0
|
to_port: 65535
|
protocol: tcp
|
cidr: "{{ vpcid_cidr_block }}"
|
rule_type: Ingress
|
- name: InternalNetworkWinUdp
|
description: "All internal UDP traffic"
|
from_port: 0
|
to_port: 65535
|
protocol: udp
|
cidr: "{{ vpcid_cidr_block }}"
|
rule_type: Ingress
|
- name: WorkstationSG
|
rules:
|
- name: HTTPWin
|
description: "HTTP public"
|
from_port: 80
|
to_port: 80
|
protocol: tcp
|
cidr: "0.0.0.0/0"
|
rule_type: Ingress
|
- name: HTTPSWin
|
description: "HTTPS public"
|
from_port: 443
|
to_port: 443
|
protocol: tcp
|
cidr: "0.0.0.0/0"
|
rule_type: Ingress
|
- name: WinRDP
|
description: "Win RDP public"
|
from_port: 3389
|
to_port: 3389
|
protocol: tcp
|
cidr: "0.0.0.0/0"
|
rule_type: Ingress
|
- name: InternalNetworkWinTcp
|
description: "All internal TCP traffic"
|
from_port: 0
|
to_port: 65535
|
protocol: tcp
|
cidr: "{{ vpcid_cidr_block }}"
|
rule_type: Ingress
|
- name: InternalNetworkWinUdp
|
description: "All internal UDP traffic"
|
from_port: 0
|
to_port: 65535
|
protocol: udp
|
cidr: "{{ vpcid_cidr_block }}"
|
rule_type: Ingress
|
|
instances:
|
- name: "bastion"
|
count: 1
|
unique: true
|
security_group: "BastionSG"
|
public_dns: true
|
flavor:
|
"ec2": "{{bastion_instance_type}}"
|
image_id: RHEL76GOLD
|
tags:
|
- key: "AnsibleGroup"
|
value: "bastions"
|
- key: "ostype"
|
value: "linux"
|
|
- name: "tower"
|
count: 1
|
unique: true
|
security_group: "TowerSG"
|
public_dns: false
|
flavor:
|
"ec2": "{{tower_instance_type}}"
|
image_id: RHEL76GOLD
|
tags:
|
- key: "AnsibleGroup"
|
value: "towers"
|
- key: "ostype"
|
value: "linux"
|
#TODO is this needed? it doesn't work like this
|
# UserData: |
|
# UserData:
|
# hostname: tower
|
# fqdn: "tower.{{dns_domain_name}}"
|
# manage_etc_hosts: true
|
# chpasswd: { expire: False }
|
# ssh_pwauth: True
|
|
- name: "gitlab"
|
count: 1
|
unique: true
|
security_group: "GitlabSG"
|
public_dns: false
|
flavor:
|
"ec2": "{{gitlab_instance_type}}"
|
image_id: RHEL76GOLD
|
tags:
|
- key: "AnsibleGroup"
|
value: "gitlab"
|
- key: "ostype"
|
value: "linux"
|
|
- name: "windc"
|
count: "{{activedirectory_instance_count}}"
|
public_dns: false
|
unique: "{{ true if activedirectory_instance_count | int <= 1 else false }}"
|
security_group: "WinDCSG"
|
flavor:
|
"ec2": "{{activedirectory_instance_type}}"
|
image_id: WIN2019FULL
|
UserData: "{{ lookup('template', '../configs/{{ env_type }}/templates/win_ec2_userdata.j2') }}"
|
tags:
|
- key: "AnsibleGroup"
|
value: "activedirectories"
|
- key: "ostype"
|
value: "windows"
|
|
- name: "win"
|
count: "{{windows_instance_count}}"
|
unique: "{{ true if windows_instance_count | int <= 1 else false }}"
|
public_dns: false
|
security_group: "WinSG"
|
flavor:
|
"ec2": "{{windows_instance_type}}"
|
image_id: WIN2019FULL
|
UserData: "{{ lookup('template', '../configs/{{ env_type }}/templates/win_ec2_userdata.j2') }}"
|
tags:
|
- key: "AnsibleGroup"
|
value: "windows_servers"
|
- key: "ostype"
|
value: "windows"
|
volumes:
|
- device_name: "/dev/xvdf"
|
size: 5
|
|
- name: "workstation"
|
count: 1
|
unique: true
|
public_dns: true
|
security_group: "WorkstationSG"
|
flavor:
|
"ec2": "{{windows_workstation_instance_type}}"
|
image_id: WIN2016FULL
|
UserData: "{{ lookup('template', '../configs/{{ env_type }}/templates/win_ec2_userdata.j2') }}"
|
tags:
|
- key: "AnsibleGroup"
|
value: "workstations"
|
- key: "ostype"
|
value: "windows"
|
|
install_win_ssh: false
|
|
###### VARIABLES YOU SHOULD ***NOT*** CONFIGURE FOR YOUR DEPLOYMENT
|
###### You can, but you usually wouldn't need to.
|
|
# The following interfere with Windows servers which use Administrator
|
#ansible_user: ec2-user
|
#remote_user: ec2-user
|
|
common_packages:
|
- python
|
- unzip
|
- bash-completion
|
- tmux
|
- bind-utils
|
- wget
|
- git
|
- vim-enhanced
|
- at
|
- python2-pip
|
- gcc
|
|
rhel_repos:
|
- rhel-7-server-rpms
|
- rhel-7-server-extras-rpms
|
|
disable_default_repos: true
|
|
enable_epel: true
|
|
# Needed for reverse lookup DNS setup
|
ptr_zone_name: "250.25.172.in-addr.arpa"
|
ptr_zone_cidr: "172.25.250.0/24"
|
|
# Windows Default account
|
user_prefix: student
|
workstation_user: training
|
|
###################### GITLAB INFO #######################
|
# Gitlab variables
|
gitlab_external_url: "https://gitlab.{{ dns_domain_name }}/"
|
gitlab_git_data_dir: "/var/opt/gitlab/git-data"
|
gitlab_backup_path: "/var/opt/gitlab/backups"
|
gitlab_edition: "gitlab-ce"
|
|
# SSL Config
|
gitlab_redirect_http_to_https: "true"
|
gitlab_ssl_certificate: "/etc/gitlab/ssl/gitlab.crt"
|
gitlab_ssl_certificate_key: "/etc/gitlab/ssl/gitlab.key"
|
|
# SSL Self-signed Certificate Configuration
|
gitlab_create_self_signed_cert: "true"
|
gitlab_self_signed_cert_subj: "/C=US/ST=North Carolina/L=Raleigh/O=Ansible/CN=gitlab.{{ dns_domain_name }}"
|
|
# LDAP Configuration
|
gitlab_ldap_enabled: "true"
|
gitlab_ldap_host: "windc.{{ dns_domain_name }}"
|
gitlab_ldap_port: "389"
|
gitlab_ldap_uid: "sAMAccountName"
|
gitlab_ldap_method: "plain"
|
gitlab_ldap_bind_dn: "CN=Admin,CN=Users,{{ ldap_basedn }}"
|
gitlab_ldap_password: "{{ windows_password }}"
|
gitlab_ldap_base: "{{ ldap_basedn }}"
|
|
# General Config
|
gitlab_time_zone: "UTC"
|
gitlab_backup_keep_time: "604800"
|
gitlab_download_validate_certs: yes
|
gitlab_version: "10.0.6-ce.0.el7"
|
|
# Email configuration.
|
gitlab_email_enabled: "false"
|
gitlab_smtp_enable: "false"
|
|
git_lab: false
|
advanced_lab: false
|