--- ###### VARIABLES YOU SHOULD CONFIGURE FOR YOUR DEPLOYEMNT ###### OR PASS as "-e" args to ansible-playbook command ## Indicate the list of private workloads to deploy with # this config. Takes a list of remote workloads as parameter # private_workloads. # Name will be used as part of a path name, so avoid spaces and # other non-alphanumeric characters. # - name: workload-name # url: ssh://github.com:foo/bar.git # path: /classroom/infrastructure/agnosticd-workload # git_ssh_key: /home/provisioner/github-private.key private_workloads: [] ### Common Host settings repo_method: file # Other Options are: file, satellite and rhn #If using repo_method: satellite, you must set these values as well. # satellite_url: satellite.example.com # satellite_org: Sat_org_name # satellite_activationkey: "rhel7basic" # Do you want to run a full yum update update_packages: false install_bastion: false install_common: true install_courseware: true # Indicate whether status will be reported to status API service on Bastion # Also, indicates whether the status API will be installed on Bastion report_status: true # Defines the version of the Ansible Tower installer. # The version should match a file available here: # https://releases.ansible.com/ansible-tower/setup/ towerversion: "3.5.2-1" tower_admin_password: changeme ## guid is the deployment unique identifier, it will be appended to all tags, ## files and anything that identifies this environment from another "just like it" guid: defaultguid course_name: default platform: opentlc project_tag: "{{ env_type }}-{{ guid }}" ### If you want a Key Pair name created and injected into the hosts, # set `set_env_authorized_key` to true and set the keyname in `env_authorized_key` # you can use the key used to create the environment or use your own self generated key # if you set "use_own_key" to false your PRIVATE key will be copied to the bastion. (This is {{key_name}}) use_own_key: true env_authorized_key: "{{guid}}key" ansible_ssh_private_key_file: ~/.ssh/{{key_name}} set_env_authorized_key: true win_connect_method: psrp ### AWS EC2 Environment settings ### Route 53 Zone ID (AWS) # This is the Route53 HostedZoneId where you will create your Public DNS entries # This only needs to be defined if your CF template uses route53 HostedZoneId: Z3IHLWJZOU9SRT # The region to be used, if not specified by -e in the command line aws_region: us-east-1 # The key that is used to key_name: "default_key_name" ## Networking (AWS) subdomain_base_short: "{{ guid }}" subdomain_base_suffix: ".{{ course_name }}.opentlc.com" subdomain_base: "{{ subdomain_base_short }}{{ subdomain_base_suffix }}" zone_internal_dns: "{{guid}}.{{course_name}}.internal." chomped_zone_internal_dns: "{{guid}}.{{course_name}}.internal" vpcid_cidr_block: "172.25.0.0/16" vpcid_name_tag: "{{subdomain_base}}" aws_availability_zone: "{{ aws_region }}a" aws_private_subnet_cidr: "172.25.250.0/24" aws_public_subnet_cidr: "172.25.251.0/24" aws_vpc_name: "{{course_name}}-{{guid}}-vpc" cf_template_description: "{{ env_type }}-{{ guid }} Ansible Agnostic Deployer " ## Environment Sizing bastion_instance_type: "t2.medium" tower_instance_type: "t2.medium" gitlab_instance_type: "t2.medium" windows_instance_count: 2 windows_instance_type: "t3.medium" windows_workstation_instance_type: "t3.large" activedirectory_instance_count: 1 activedirectory_instance_type: "t3.medium" # Windows Domain Settings dns_domain_name: "example.com" dns_domain_name_short: "example" ldap_basedn: "DC=example,DC=com" ldap_search_base: "{{ ldap_basedn }}" ldap_access_filter: "(&(objectClass=user)(memberOf=CN=Ansible Users,CN=Users,{{ ldap_search_base }}))" tower_ldap_search_dn: "CN=Users,{{ ldap_search_base }}" security_groups: - name: BastionSG rules: - name: SSHBastion description: "SSH public" from_port: 22 to_port: 22 protocol: tcp cidr: "0.0.0.0/0" rule_type: Ingress - name: HttpBastion description: "Http public" from_port: 80 to_port: 80 protocol: tcp cidr: "0.0.0.0/0" rule_type: Ingress - name: NginxBastion description: "Http public" from_port: 30904 to_port: 30904 protocol: tcp cidr: "0.0.0.0/0" rule_type: Ingress - name: TowerSG rules: - name: InternalNetworkTowerTcp description: "All internal TCP traffic" from_port: 0 to_port: 65535 protocol: tcp cidr: "{{ vpcid_cidr_block }}" rule_type: Ingress - name: InternalNetworkTowerUdp description: "All internal UDP traffic" from_port: 0 to_port: 65535 protocol: udp cidr: "{{ vpcid_cidr_block }}" rule_type: Ingress - name: GitlabSG rules: - name: InternalNetworkGitlabTcp description: "All internal TCP traffic" from_port: 0 to_port: 65535 protocol: tcp cidr: "{{ vpcid_cidr_block }}" rule_type: Ingress - name: InternalNetworkGitlabUdp description: "All internal UDP traffic" from_port: 0 to_port: 65535 protocol: udp cidr: "{{ vpcid_cidr_block }}" rule_type: Ingress - name: WinDCSG rules: - name: InternalNetworkWinTcp description: "All internal TCP traffic" from_port: 0 to_port: 65535 protocol: tcp cidr: "{{ vpcid_cidr_block }}" rule_type: Ingress - name: InternalNetworkWinUdp description: "All internal UDP traffic" from_port: 0 to_port: 65535 protocol: udp cidr: "{{ vpcid_cidr_block }}" rule_type: Ingress - name: WinSG rules: - name: InternalNetworkWinTcp description: "All internal TCP traffic" from_port: 0 to_port: 65535 protocol: tcp cidr: "{{ vpcid_cidr_block }}" rule_type: Ingress - name: InternalNetworkWinUdp description: "All internal UDP traffic" from_port: 0 to_port: 65535 protocol: udp cidr: "{{ vpcid_cidr_block }}" rule_type: Ingress - name: WorkstationSG rules: - name: HTTPWin description: "HTTP public" from_port: 80 to_port: 80 protocol: tcp cidr: "0.0.0.0/0" rule_type: Ingress - name: HTTPSWin description: "HTTPS public" from_port: 443 to_port: 443 protocol: tcp cidr: "0.0.0.0/0" rule_type: Ingress - name: WinRDP description: "Win RDP public" from_port: 3389 to_port: 3389 protocol: tcp cidr: "0.0.0.0/0" rule_type: Ingress - name: InternalNetworkWinTcp description: "All internal TCP traffic" from_port: 0 to_port: 65535 protocol: tcp cidr: "{{ vpcid_cidr_block }}" rule_type: Ingress - name: InternalNetworkWinUdp description: "All internal UDP traffic" from_port: 0 to_port: 65535 protocol: udp cidr: "{{ vpcid_cidr_block }}" rule_type: Ingress instances: - name: "bastion" count: 1 unique: true security_group: "BastionSG" public_dns: true flavor: "ec2": "{{bastion_instance_type}}" image_id: RHEL76GOLD tags: - key: "AnsibleGroup" value: "bastions" - key: "ostype" value: "linux" - name: "tower" count: 1 unique: true security_group: "TowerSG" public_dns: false flavor: "ec2": "{{tower_instance_type}}" image_id: RHEL76GOLD tags: - key: "AnsibleGroup" value: "towers" - key: "ostype" value: "linux" #TODO is this needed? it doesn't work like this # UserData: | # UserData: # hostname: tower # fqdn: "tower.{{dns_domain_name}}" # manage_etc_hosts: true # chpasswd: { expire: False } # ssh_pwauth: True - name: "gitlab" count: 1 unique: true security_group: "GitlabSG" public_dns: false flavor: "ec2": "{{gitlab_instance_type}}" image_id: RHEL76GOLD tags: - key: "AnsibleGroup" value: "gitlab" - key: "ostype" value: "linux" - name: "windc" count: "{{activedirectory_instance_count}}" public_dns: false unique: "{{ true if activedirectory_instance_count | int <= 1 else false }}" security_group: "WinDCSG" flavor: "ec2": "{{activedirectory_instance_type}}" image_id: WIN2019FULL UserData: "{{ lookup('template', '../configs/{{ env_type }}/templates/win_ec2_userdata.j2') }}" tags: - key: "AnsibleGroup" value: "activedirectories" - key: "ostype" value: "windows" - name: "win" count: "{{windows_instance_count}}" unique: "{{ true if windows_instance_count | int <= 1 else false }}" public_dns: false security_group: "WinSG" flavor: "ec2": "{{windows_instance_type}}" image_id: WIN2019FULL UserData: "{{ lookup('template', '../configs/{{ env_type }}/templates/win_ec2_userdata.j2') }}" tags: - key: "AnsibleGroup" value: "windows_servers" - key: "ostype" value: "windows" volumes: - device_name: "/dev/xvdf" size: 5 - name: "workstation" count: 1 unique: true public_dns: true security_group: "WorkstationSG" flavor: "ec2": "{{windows_workstation_instance_type}}" image_id: WIN2016FULL UserData: "{{ lookup('template', '../configs/{{ env_type }}/templates/win_ec2_userdata.j2') }}" tags: - key: "AnsibleGroup" value: "workstations" - key: "ostype" value: "windows" install_win_ssh: false ###### VARIABLES YOU SHOULD ***NOT*** CONFIGURE FOR YOUR DEPLOYMENT ###### You can, but you usually wouldn't need to. # The following interfere with Windows servers which use Administrator #ansible_user: ec2-user #remote_user: ec2-user common_packages: - python - unzip - bash-completion - tmux - bind-utils - wget - git - vim-enhanced - at - python2-pip - gcc rhel_repos: - rhel-7-server-rpms - rhel-7-server-extras-rpms disable_default_repos: true enable_epel: true # Needed for reverse lookup DNS setup ptr_zone_name: "250.25.172.in-addr.arpa" ptr_zone_cidr: "172.25.250.0/24" # Windows Default account user_prefix: student workstation_user: training ###################### GITLAB INFO ####################### # Gitlab variables gitlab_external_url: "https://gitlab.{{ dns_domain_name }}/" gitlab_git_data_dir: "/var/opt/gitlab/git-data" gitlab_backup_path: "/var/opt/gitlab/backups" gitlab_edition: "gitlab-ce" # SSL Config gitlab_redirect_http_to_https: "true" gitlab_ssl_certificate: "/etc/gitlab/ssl/gitlab.crt" gitlab_ssl_certificate_key: "/etc/gitlab/ssl/gitlab.key" # SSL Self-signed Certificate Configuration gitlab_create_self_signed_cert: "true" gitlab_self_signed_cert_subj: "/C=US/ST=North Carolina/L=Raleigh/O=Ansible/CN=gitlab.{{ dns_domain_name }}" # LDAP Configuration gitlab_ldap_enabled: "true" gitlab_ldap_host: "windc.{{ dns_domain_name }}" gitlab_ldap_port: "389" gitlab_ldap_uid: "sAMAccountName" gitlab_ldap_method: "plain" gitlab_ldap_bind_dn: "CN=Admin,CN=Users,{{ ldap_basedn }}" gitlab_ldap_password: "{{ windows_password }}" gitlab_ldap_base: "{{ ldap_basedn }}" # General Config gitlab_time_zone: "UTC" gitlab_backup_keep_time: "604800" gitlab_download_validate_certs: yes gitlab_version: "10.0.6-ce.0.el7" # Email configuration. gitlab_email_enabled: "false" gitlab_smtp_enable: "false" git_lab: false advanced_lab: false