ansible/configs/ansible-skylight/env_vars.yml
@@ -78,7 +78,7 @@ windows_instance_count: 2 windows_instance_type: "t3.medium" windows_workstation_instance_type: "t3.medium" windows_workstation_instance_type: "t3.large" activedirectory_instance_count: 1 activedirectory_instance_type: "t3.medium" @@ -295,7 +295,7 @@ UserData: "{{ lookup('template', '../configs/{{ env_type }}/templates/win_ec2_userdata.j2') }}" tags: - key: "AnsibleGroup" value: "workstations,windows_servers" value: "workstations" - key: "ostype" value: "windows" @@ -333,6 +333,7 @@ # Windows Default account user_prefix: student workstation_user: training ###################### GITLAB INFO ####################### # Gitlab variables ansible/configs/ansible-skylight/files/cloud_providers/ec2_cloud_template.j2
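Review bot: The new `workstation_user: training` is added directly under the `# Windows Default account` comment that describes `user_prefix: student`, so the file does not say how the two accounts differ; a one-line comment would settle it, e.g. `# Local (non-domain) account created on each workstation; its password is workstation_password`. The workstation instance-type bump to `t3.large` and the narrowing of the `AnsibleGroup` tag to `workstations` are self-explanatory and consistent with the `hosts:` list change in software.yml.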
@@ -246,8 +246,13 @@ Value: "{{project_tag}}" - Key: "{{project_tag}}" Value: "{{ instance['name'] }}" {% if instance['unique'] | default(false) %} - Key: "instance_name" Value: "{{ instance['name'] }}" {% else %} - Key: "instance_name" Value: "{{ instance['name'] }}{{instancecount.index}}" {% endif %} - Key: "env_type" Value: "{{ env_type }}" - Key: "guid" ansible/configs/ansible-skylight/files/hosts_template.j2
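Review bot: The non-unique branch builds the `instance_name` tag from `{{instancecount.index}}`, which is presumably a Jinja loop context and therefore 1-based, so instances come out as name1, name2, …; the inventory templates in this same commit match host names with `"win1"`/`"win2"`, so that numbering has to stay in step with them. A comment at the `{% else %}` branch stating the dependency would make the coupling visible, e.g. `{# 1-based suffix: hosts_template.j2 matches on win1/win2 #}`. The `{{instancecount.index}}` spacing also differs from the `{{ instance['name'] }}` style on the surrounding lines. The enclosing loop starts outside the hunk.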
@@ -1,64 +1,42 @@ [all:vars] {% if ssh_port is defined %} ansible_port={{ ssh_port }} {% endif %} [windows:vars] [windows_hosts:vars] ansible_connection=winrm ansible_winrm_transport=basic ansible_winrm_transport=credssp ansible_winrm_server_cert_validation=ignore ansible_port=5986 [windows_workstations:vars] ansible_connection=winrm ansible_winrm_transport=basic ansible_winrm_transport=credssp ansible_winrm_server_cert_validation=ignore ansible_port=5986 [windows_domain_controllers:vars] [activedirectories:vars] ansible_connection=winrm ansible_winrm_transport=basic ansible_winrm_transport=credssp ansible_winrm_server_cert_validation=ignore ansible_port=5986 ansible_user={{ hostvars[host].ansible_user }} ansible_password="{{ windows_password }}" [tower:vars] ansible_port=22 ansible_ssh_user={{ ansible_user }} ansible_ssh_private_key_file="/root/.ssh/{{ env_authorized_key }}.pem" [gitlab:vars] ansible_port=22 ansible_ssh_user={{ ansible_user }} ansible_ssh_private_key_file="/root/.ssh/{{ env_authorized_key }}.pem" [infra] {% for host in hostvars %} {% if "windc" in host %} {{ host }} ansible_host={{ hostvars[host].private_ip_address }} ansible_user={{ hostvars[host].ansible_user }} ansible_password="{{ windows_password }}" private_ip={{ hostvars[host].private_ip_address }} {% elif "gitlab" in host %} {{ host }} ansible_host={{ hostvars[host].private_ip_address }} {% endif %} {% endfor %} [windows] [windows_hosts] {% for host in hostvars %} {% if "win1" in host %} {{ host }} ansible_host={{ hostvars[host].private_ip_address }} ansible_user={{ hostvars[host].ansible_user }} ansible_password="{{ windows_password }}" private_ip={{ hostvars[host].private_ip_address }} {{ hostvars[host].instance_name }}.{{ dns_domain_name }} ansible_host={{ hostvars[host].private_ip_address }} ansible_user={{ hostvars[host].ansible_user }} ansible_password="{{ windows_password }}" private_ip={{ hostvars[host].private_ip_address }} {% elif "win2" in host %} {{ host }} ansible_host={{ 
hostvars[host].private_ip_address }} ansible_user={{ hostvars[host].ansible_user }} ansible_password="{{ windows_password }}" private_ip={{ hostvars[host].private_ip_address }} {{ hostvars[host].instance_name }}.{{ dns_domain_name }} ansible_host={{ hostvars[host].private_ip_address }} ansible_user={{ hostvars[host].ansible_user }} ansible_password="{{ windows_password }}" private_ip={{ hostvars[host].private_ip_address }} {% elif "workstation" in host %} {{ host }} ansible_host={{ hostvars[host].private_ip_address }} ansible_user={{ hostvars[host].ansible_user }} ansible_password="{{ workstation_password }}" private_ip={{ hostvars[host].private_ip_address }} {{ hostvars[host].instance_name }}.{{ dns_domain_name }} ansible_host={{ hostvars[host].private_ip_address }} ansible_user={{ hostvars[host].ansible_user }} ansible_password="{{ workstation_password }}" private_ip={{ hostvars[host].private_ip_address }} {% endif %} {% endfor %} {% for group in groups %} {% if 'tag' not in group and 'unknowns' not in group and 'ungrouped' not in group %} {% if 'tag' not in group and 'unknowns' not in group and 'ungrouped' not in group and 'linux' not in group and 'towers' not in group and 'gitlab' not in group and 'bastions' not in group %} [{{group}}] {% for entry in groups[group] %} {% for host in hostvars %} {% if entry == host %} {{ host }} ansible_host={{ hostvars[host].private_ip_address }} {% if entry == host and 'bastion' not in entry %} {{ hostvars[host].instance_name }}.{{ dns_domain_name }} ansible_host={{ hostvars[host].private_ip_address }} {% endif %} {% endfor %} {% endfor %} ansible/configs/ansible-skylight/post_software.yml
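Review bot: Under `[activedirectories:vars]` the line `ansible_user={{ hostvars[host].ansible_user }}` references `host` before any `{% for host in hostvars %}` loop has started; if that line is on the new side, it renders whatever `host` happens to mean in the rendering task's context or fails on an undefined variable, since a `:vars` section applies to the whole group and cannot be per-host. The switch from `basic` to `credssp` delegates the full WinRM credential to the target, and the template keeps `ansible_winrm_server_cert_validation=ignore` beside it, so the delegated credentials travel over a TLS session whose peer is never verified; if the hosts carry a trusted certificate, dropping the `ignore` line closes that gap. The rendered inventory embeds `ansible_password="{{ windows_password }}"` in clear text on every host line and post_software.yml later copies it to `C:\inventory.ini`, which deserves a comment at the top of the template so the file's handling is deliberate. The same template body exists as ansible/roles/skylight-ansible-tower/templates/host_inventory.j2 with the same issues, and the two copies have to be kept in step by hand.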
@@ -23,15 +23,34 @@ - name: Copy Ansible Inventory for this environment win_copy: src: "{{output_dir}}/hosts-{{ env_type }}-{{ guid }}" dest: "C:\\inventory.ini" dest: "C:\\inventory.ini" - name: PostSoftware flight-check hosts: localhost connection: local hosts: towers gather_facts: false become: false become: true tags: - post_flight_check tasks: - name: Get rid of conflicting SSL library package: name: pyOpenSSL state: absent - name: Upgrade requests-credssp module pip: name: requests-credssp state: latest - name: Test Ansible connectivity to Windows servers shell: | ansible windows -m win_ping register: ansible_check ignore_errors: true - debug: msg: "[ERROR] Ansible connectivity from Tower failed" when: ansible_check is failed - debug: msg: "Post-Software checks completed successfully" ansible/configs/ansible-skylight/software.yml
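Review bot: The flight check cannot fail: `ignore_errors: true` on the `win_ping` task plus a `debug` on `ansible_check is failed` means a WinRM outage only prints a message and the play still reports success; `- fail:` `msg: "[ERROR] Ansible connectivity from Tower failed"` `when: ansible_check is failed` (or simply dropping `ignore_errors`) would make the check meaningful. The command targets the `windows` group while this same commit renames the inventory group to `windows_hosts` in hosts_template.j2, so unless a `windows` group is still produced elsewhere the ping matches no hosts and succeeds vacuously. `pip: name: requests-credssp state: latest` pulls whatever version is current at run time, which makes the environment non-reproducible and widens the supply-chain surface; pinning a known version is preferable. Removing the distribution `pyOpenSSL` package with `state: absent` can also pull out other system packages that depend on it, so the reason should be recorded in a comment on that task.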
@@ -16,7 +16,9 @@ - skylight-windows-ad - name: Step 002 software - Configure Windows Servers hosts: windows_servers hosts: - windows_servers - workstations gather_facts: true tags: - windows-servers @@ -69,13 +71,10 @@ roles: - skylight-windows-workstation - name: Software flight-check - name: Step 00xxxxx software hosts: localhost connection: local gather_facts: false gather_facts: False become: false tags: - post_flight_check tasks: - debug: msg: "Software checks completed successfully" msg: "Software tasks Ended" ansible/roles/skylight-ansible-tower/tasks/main.yml
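Review bot: The new `gather_facts: False` uses a capitalized boolean while the adjacent `become: false` and the rest of the hunk use lowercase, and the play renamed to `Step 00xxxxx software` reads like a placeholder; `gather_facts: false` and a real step name in the `Step 002 software - …` style of the other plays would keep the file consistent. The closing message `Software tasks Ended` replaced a message that said what was checked, so the play no longer states what it verified.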
@@ -17,6 +17,7 @@ - nano - bind-utils - python-pip - python-ldap3 state: present #- name: Install devel branch ansible/roles/skylight-ansible-tower/tasks/setup.yml
@@ -254,7 +254,7 @@ user: admin password: "{{ tower_admin_password }}" body: id: "{{ host_id.json.results[0].id }}" '{ "id": {{ host_id.json.results[0].id | int }} }' body_format: json validate_certs: False force_basic_auth: yes @@ -288,7 +288,7 @@ method: PATCH user: admin password: "{{ tower_admin_password }}" body: '{ "TOWER_URL_BASE": "https://s{{ userid }}-tower.{{ dns_domain_name }}" }' body: '{ "TOWER_URL_BASE": "https://tower.{{ dns_domain_name }}" }' body_format: json validate_certs: False force_basic_auth: yes ansible/roles/skylight-ansible-tower/templates/host_inventory.j2
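Review bot: Both hunks now hand-build the JSON body as a string; that is presumably because `"{{ … | int }}"` inside a YAML mapping still renders as a string unless jinja2_native is enabled, which is a fair reason for the `id` case, but the second hunk interpolates `dns_domain_name` into a JSON string with no escaping, where `body: { TOWER_URL_BASE: "https://tower.{{ dns_domain_name }}" }` with the existing `body_format: json` lets Ansible serialize it. The surrounding keys mix `validate_certs: False` and `force_basic_auth: yes`; `false`/`true` is the canonical spelling. The admin password is sent with Basic auth while certificate validation is off, so it is only as protected as an unverified peer; if Tower has a trusted certificate, `validate_certs: true` should be enabled alongside this change.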
@@ -1,64 +1,42 @@ [all:vars] {% if ssh_port is defined %} ansible_port={{ ssh_port }} {% endif %} [windows:vars] [windows_hosts:vars] ansible_connection=winrm ansible_winrm_transport=basic ansible_winrm_transport=credssp ansible_winrm_server_cert_validation=ignore ansible_port=5986 [windows_workstations:vars] ansible_connection=winrm ansible_winrm_transport=basic ansible_winrm_transport=credssp ansible_winrm_server_cert_validation=ignore ansible_port=5986 [windows_domain_controllers:vars] [activedirectories:vars] ansible_connection=winrm ansible_winrm_transport=basic ansible_winrm_transport=credssp ansible_winrm_server_cert_validation=ignore ansible_port=5986 ansible_user={{ hostvars[host].ansible_user }} ansible_password="{{ windows_password }}" [tower:vars] ansible_port=22 ansible_ssh_user={{ ansible_user }} ansible_ssh_private_key_file="/root/.ssh/{{ env_authorized_key }}.pem" [gitlab:vars] ansible_port=22 ansible_ssh_user={{ ansible_user }} ansible_ssh_private_key_file="/root/.ssh/{{ env_authorized_key }}.pem" [infra] {% for host in hostvars %} {% if "windc" in host %} {{ host }} ansible_host={{ hostvars[host].private_ip_address }} ansible_user={{ hostvars[host].ansible_user }} ansible_password="{{ windows_password }}" private_ip={{ hostvars[host].private_ip_address }} {% elif "gitlab" in host %} {{ host }} ansible_host={{ hostvars[host].private_ip_address }} {% endif %} {% endfor %} [windows] [windows_hosts] {% for host in hostvars %} {% if "win1" in host %} {{ host }} ansible_host={{ hostvars[host].private_ip_address }} ansible_user={{ hostvars[host].ansible_user }} ansible_password="{{ windows_password }}" private_ip={{ hostvars[host].private_ip_address }} {{ hostvars[host].instance_name }}.{{ dns_domain_name }} ansible_host={{ hostvars[host].private_ip_address }} ansible_user={{ hostvars[host].ansible_user }} ansible_password="{{ windows_password }}" private_ip={{ hostvars[host].private_ip_address }} {% elif "win2" in host %} {{ host }} ansible_host={{ 
hostvars[host].private_ip_address }} ansible_user={{ hostvars[host].ansible_user }} ansible_password="{{ windows_password }}" private_ip={{ hostvars[host].private_ip_address }} {{ hostvars[host].instance_name }}.{{ dns_domain_name }} ansible_host={{ hostvars[host].private_ip_address }} ansible_user={{ hostvars[host].ansible_user }} ansible_password="{{ windows_password }}" private_ip={{ hostvars[host].private_ip_address }} {% elif "workstation" in host %} {{ host }} ansible_host={{ hostvars[host].private_ip_address }} ansible_user={{ hostvars[host].ansible_user }} ansible_password="{{ windows_password }}" private_ip={{ hostvars[host].private_ip_address }} {{ hostvars[host].instance_name }}.{{ dns_domain_name }} ansible_host={{ hostvars[host].private_ip_address }} ansible_user={{ hostvars[host].ansible_user }} ansible_password="{{ workstation_password }}" private_ip={{ hostvars[host].private_ip_address }} {% endif %} {% endfor %} {% for group in groups %} {% if 'tag' not in group and 'unknowns' not in group and 'ungrouped' not in group %} {% if 'tag' not in group and 'unknowns' not in group and 'ungrouped' not in group and 'linux' not in group and 'towers' not in group and 'gitlab' not in group and 'bastions' not in group %} [{{group}}] {% for entry in groups[group] %} {% for host in hostvars %} {% if entry == host %} {{ host }} ansible_host={{ hostvars[host].private_ip_address }} {% if entry == host and 'bastion' not in entry %} {{ hostvars[host].instance_name }}.{{ dns_domain_name }} ansible_host={{ hostvars[host].private_ip_address }} {% endif %} {% endfor %} {% endfor %} ansible/roles/skylight-ansible-tower/templates/tower_host.json.j2
@@ -3,6 +3,5 @@ "description": "", "inventory": "{{ inventory_id.json.results[0].id }}", "enabled": true, "instance_id": "", "variables": "ansible_port: 5986\nansible_connection: winrm\nansible_winrm_server_cert_validation: ignore\nansible_winrm_transport: ntlm" "instance_id": "" } ansible/roles/skylight-do417-repos/tasks/main.yml
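Review bot: Removing the `variables` entry leaves the Tower host without the WinRM settings it previously carried (port 5986, winrm, ntlm transport, cert validation ignore), so the host now depends on inheriting them from a group, presumably the `[windows_hosts:vars]` section that host_inventory.j2 defines in this same commit. If the host is created without that group membership, Tower falls back to its default SSH connection. A template comment recording where the connection variables now come from would make the dependency explicit, e.g. `{# connection vars come from the windows_hosts group, see host_inventory.j2 #}`.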
@@ -1,23 +1,36 @@ --- - name: Remove repo directory file: path: /tmp/do417-labs path: /tmp/do417 state: absent - name: Get ssh key for Github copy: src: "{{ github_ssh_key }}" dest: /tmp/github_ssh_key mode: 0400 owner: "{{ ansible_user }}" - name: Get lab source code git: clone: yes force: yes dest: "/tmp/do417-labs" repo: "https://github.com/jimrigsbee/do417-labs" clone: yes force: yes dest: "/tmp/do417" repo: "ssh://git@github.com/RedHatTraining/do417.git" key_file: /tmp/github_ssh_key - name: Remove ssh key for Github file: path: /tmp/github_ssh_key state: absent - name: Remove .git directory file: path: /tmp/do417-labs/.git path: /tmp/do417/.git state: absent - name: Determining material directories command: find /tmp/do417-labs/ -maxdepth 1 -mindepth 1 -type d -printf '%f\n' command: find /tmp/do417/classroom/infrastructure/playbooks/files/src -maxdepth 1 -mindepth 1 -type d -printf '%f\n' register: repos_name - name: Retrieve access token @@ -97,9 +110,9 @@ - name: Copying files for repositories copy: src: "/tmp/do417-labs/{{ item }}/" src: "/tmp/do417/classroom/infrastructure/playbooks/files/src/{{ item }}/" dest: "/tmp/{{ item }}/" remote_src: true remote_src: true with_items: "{{ repos_name.stdout_lines }}" - name: Load files into repositories ansible/roles/skylight-gitlab-env/tasks/api.yml
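Review bot: The GitHub private key is copied to `/tmp/github_ssh_key` and removed by a later ordinary task, so if the `git` clone fails (unknown host key, bad credentials, network) the play stops before `Remove ssh key for Github` runs and the key stays in a world-readable directory across runs; wrapping the copy and clone in a `block` with the removal in `always` guarantees cleanup. The `copy` task should also carry `no_log: true` so the key path and diff never reach the log, and `mode: 0400` is better quoted as `"0400"` so no YAML loader reads it as a number. The repeated `remote_src: true` in the second hunk looks like an indentation fix only.
```yaml
- name: Fetch lab source code with a temporary deploy key
  block:
    - name: Get ssh key for Github
      copy:
        src: "{{ github_ssh_key }}"
        dest: /tmp/github_ssh_key
        mode: "0400"
        owner: "{{ ansible_user }}"
      no_log: true
    - name: Get lab source code
      git:
        # … unchanged: clone/force/dest/repo/key_file …
  always:
    - name: Remove ssh key for Github
      file:
        path: /tmp/github_ssh_key
        state: absent
```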
@@ -39,45 +39,45 @@ "skip_confirmation": true } - name: GitLab Post | Get local user information via API uri: url: https://gitlab.{{ dns_domain_name }}/api/v4/users?username={{ user_prefix }} method: GET validate_certs: no status_code: - 200 - 201 headers: Content-Type: application/json Authorization: Bearer {{ gitlab_access_token.json.access_token }} register: gitlab_local_users - name: debug debug: var: gitlab_local_users - name: GitLab Post | Create Projects via API uri: url: https://gitlab.{{ dns_domain_name }}/api/v4/projects/user/{{ item.id }} method: POST validate_certs: no status_code: - 200 - 201 - 409 - 400 body_format: json headers: Content-Type: application/json Authorization: Bearer {{ gitlab_access_token.json.access_token }} body: > { "name": "{{ item.name }}", "group": "{{ item.name }}", "issues_enabled": false, "wiki_enabled": false, "snippets_enabled": false } with_items: - "{{ gitlab_local_users.json }}" when: item.id is defined # - name: GitLab Post | Get local user information via API # uri: # url: https://gitlab.{{ dns_domain_name }}/api/v4/users?username={{ user_prefix }} # method: GET # validate_certs: no # status_code: # - 200 # - 201 # headers: # Content-Type: application/json # Authorization: Bearer {{ gitlab_access_token.json.access_token }} # register: gitlab_local_users # # - name: debug # debug: # var: gitlab_local_users # # - name: GitLab Post | Create Projects via API # uri: # url: https://gitlab.{{ dns_domain_name }}/api/v4/projects/user/{{ item.id }} # method: POST # validate_certs: no # status_code: # - 200 # - 201 # - 409 # - 400 # body_format: json # headers: # Content-Type: application/json # Authorization: Bearer {{ gitlab_access_token.json.access_token }} # body: > # { # "name": "{{ item.name }}", # "group": "{{ item.name }}", # "issues_enabled": false, # "wiki_enabled": false, # "snippets_enabled": false # } # with_items: # - "{{ gitlab_local_users.json }}" # when: item.id is defined 
ansible/roles/skylight-gitlab-env/tasks/main.yml
@@ -30,6 +30,7 @@ path: /root/set_root_pw.sh state: absent #TODO try new way from RM - name: sleep 2 minute to allow root to initialize after password set pause: minutes: 2 @@ -53,19 +54,19 @@ confirm: False state: present - name: GitLab Post | Create Projects in GitLab gitlab_project: server_url: https://gitlab.{{ dns_domain_name }} validate_certs: False login_user: root login_password: "{{ windows_password }}" name: "{{ user_prefix }}" group: "{{ user_prefix }}" issues_enabled: False wiki_enabled: False snippets_enabled: False state: present ignore_errors: true # - name: GitLab Post | Create Projects in GitLab # gitlab_project: # server_url: https://gitlab.{{ dns_domain_name }} # validate_certs: False # login_user: root # login_password: "{{ windows_password }}" # name: "{{ user_prefix }}" # group: "{{ user_prefix }}" # issues_enabled: False # wiki_enabled: False # snippets_enabled: False # state: present # ignore_errors: true when: ansible_version.full is version_compare('2.8', '<') ansible/roles/skylight-windows-ad/tasks/main.yml
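Review bot: The `when: ansible_version.full is version_compare('2.8', '<')` line at the end of the second hunk stays active while the `gitlab_project` task it belonged to is now fully commented out; the parser does not see comments, so that key either attaches to the preceding task (if it shares that task's key indentation, making the `confirm: False` task conditional on Ansible < 2.8) or is a syntax error at list level. Either comment it out with the rest or delete the whole block, since git history already preserves it. Indentation is not recoverable from this rendering, so the exact parse outcome is inferred. The new `#TODO try new way from RM` in the first hunk would be more useful if it named what it refers to, presumably the two-minute `pause` below it.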
@@ -75,7 +75,6 @@ - "win1.{{ chomped_zone_internal_dns }}" - "win2.{{ chomped_zone_internal_dns }}" #TODO: fix adding this group to administrators, s/b regular users - name: Add windows group win_domain_group: name: Ansible Users ansible/roles/skylight-windows-common/tasks/main.yml
@@ -29,6 +29,7 @@ fullname: "{{ item }}" groups: - Administrators - "Remote Management Users" name: "{{ item }}" password: "{{ windows_password }}" state: present ansible/roles/skylight-windows-workstation/tasks/main.yml
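Review bot: The account is created in `Administrators` on the same task, which already grants WinRM access, so adding `Remote Management Users` only has an effect if the account is later dropped from `Administrators`; skylight-windows-workstation in this commit does remove some accounts from both groups, which may be the intent. A comment above the `groups:` list stating that would keep the next reader from removing the line as redundant, e.g. `# Remote Management Users keeps WinRM access if the account is later removed from Administrators`. If WinRM is all the account needs, `Remote Management Users` alone would be the least-privilege choice, but whether admin rights are required is not visible here.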
@@ -13,11 +13,46 @@ set_fact: ansible_password: "{{ workstation_password }}" - name: Remove domain student account from Remote Desktop Users win_group_membership: name: "Remote Desktop Users" members: - "{{ dns_domain_name_short }}\\{{ user_prefix }}" state: absent - name: Remove specific users from Remote Management win_group_membership: name: "Remote Management Users" members: - "{{ dns_domain_name_short }}\\Ansible Users" - "devops" state: absent - name: Remove specific users from Administrators win_group_membership: name: "Administrators" members: - "{{ dns_domain_name_short }}\\Ansible Users" - "devops" state: absent - name: Add local student user to workstation win_user: account_locked: no description: "Workstation Training account" fullname: "Training User" groups: - Administrators name: "{{ workstation_user }}" password: "{{ workstation_password }}" state: present user_cannot_change_password: yes # TODO figure out why this doesn't work # JR: Ansible just ignores this and runs as Administrator but when I set # "become" vars via set_fact it uses them - go figure???? # - become: yes # become_user: "{{ dns_domain_name_short }}\\{{ user_prefix }}" # become_user: "{{ workstation_user }}" # become_method: runas # become_flags: logon_type=new_credentials logon_flags=netcredentials_only # vars: @@ -25,9 +60,9 @@ - block: - name: Become student the hackish way set_fact: ansible_become_user: "{{ dns_domain_name_short }}\\{{ user_prefix }}" ansible_become_user: "{{ workstation_user }}" ansible_become: yes ansible_become_password: "{{ windows_password }}" ansible_become_password: "{{ workstation_password }}" ansible_become_method: runas - name: install Chocolatey 
@@ -94,53 +129,53 @@ - name: Copy .gitconfig to user directory win_copy: src: C:\Windows\.gitconfig dest: C:\Users\{{ user_prefix }}\.gitconfig dest: C:\Users\{{ workstation_user }}\.gitconfig remote_src: True - name: Clone student git repo win_command: git clone https://gitlab.{{ dns_domain_name }}/{{ user_prefix }}/{{ user_prefix }}.git args: chdir: C:\Users\{{ user_prefix }}\Documents creates: C:\Users\{{ user_prefix }}\Documents\{{ user_prefix }} - name: Create Readme file to intialize the repo win_copy: dest: C:\Users\{{ user_prefix }}\Documents\{{ user_prefix }}\README.md content: "" register: initialize - name: Add initial file win_command: git add C:\Users\{{ user_prefix }}\Documents\{{ user_prefix }}\README.md args: chdir: C:\Users\{{ user_prefix }}\Documents\{{ user_prefix }} when: initialize.changed - name: Commit initial file win_command: git commit -m "Initialize" args: chdir: C:\Users\{{ user_prefix }}\Documents\{{ user_prefix }} when: initialize.changed - name: Push initial commit win_command: git push args: chdir: C:\Users\{{ user_prefix }}\Documents\{{ user_prefix }} when: initialize.changed # - name: Clone student git repo # win_command: git clone https://gitlab.{{ dns_domain_name }}/{{ user_prefix }}/{{ user_prefix }}.git # args: # chdir: C:\Users\{{ workstation_user }}\Documents # creates: C:\Users\{{ workstation_user }}\Documents\{{ user_prefix }} # # - name: Create Readme file to intialize the repo # win_copy: # dest: C:\Users\{{ workstation_user }}\Documents\{{ user_prefix }}\README.md # content: "" # register: initialize # # - name: Add initial file # win_command: git add C:\Users\{{ workstation_user }}\Documents\{{ user_prefix }}\README.md # args: # chdir: C:\Users\{{ workstation_user }}\Documents\{{ user_prefix }} # when: initialize.changed # # - name: Commit initial file # win_command: git commit -m "Initialize" # args: # chdir: C:\Users\{{ workstation_user }}\Documents\{{ user_prefix }} # when: initialize.changed # # - name: Push initial 
commit # win_command: git push # args: # chdir: C:\Users\{{ workstation_user }}\Documents\{{ user_prefix }} # when: initialize.changed - name: Create VS Code Settings Directory win_file: path: C:\Users\{{ user_prefix }}\AppData\Roaming\Code\User\ path: C:\Users\{{ workstation_user }}\AppData\Roaming\Code\User\ state: directory - name: Create VS Code Settings Directory win_file: path: C:\Users\{{ user_prefix }}\AppData\Roaming\Code\User\ path: C:\Users\{{ workstation_user }}\AppData\Roaming\Code\User\ state: directory - name: Configure VS Code Settings File win_copy: src: files/settings.json dest: C:\Users\{{ user_prefix }}\AppData\Roaming\Code\User\settings.json dest: C:\Users\{{ workstation_user }}\AppData\Roaming\Code\User\settings.json - name: Set Chrome to default Browser win_regedit: @@ -184,12 +219,12 @@ - name: Remove EC2 Feedback Icon win_file: path: C:\Users\{{ user_prefix }}\Desktop\EC2 Feedback.website path: C:\Users\{{ workstation_user }}\Desktop\EC2 Feedback.website state: absent - name: Remove EC2 Website Icon win_file: path: C:\Users\{{ user_prefix }}\Desktop\EC2 Microsoft Windows Guide.website path: C:\Users\{{ workstation_user }}\Desktop\EC2 Microsoft Windows Guide.website state: absent always: - name: Restore ansible user info @@ -197,7 +232,7 @@ ansible_become: no # become: yes # become_user: "{{ dns_domain_name_short }}\\{{ user_prefix }}" # become_user: "{{ workstation_user }}" # become_method: runas # become_flags: logon_type=new_credentials logon_flags=netcredentials_only # vars:
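Review bot: The first hunk removes `devops` and `{{ dns_domain_name_short }}\\Ansible Users` from both `Administrators` and `Remote Management Users` on the workstations; if the WinRM session running this role authenticates as one of those accounts, the role revokes its own access part-way through the play and later runs against the same workstation cannot connect at all. The `set_fact: ansible_password: "{{ workstation_password }}"` just above suggests a different account is used, but that is inferred, so a comment above the two removal tasks naming the connecting account and why it survives would be worth adding, e.g. `# Safe: this role connects as <CONNECTING-ACCOUNT>, which is not in the removed set`. The `Create VS Code Settings Directory` task appears twice in the last hunk; if that is not a rendering artifact the second copy is redundant. The git-clone tasks are commented out rather than deleted, leaving a large dead block that git history already preserves.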