From 4d6cbb52cd534c9da931a928b133f6732fe6a735 Mon Sep 17 00:00:00 2001 From: Romain Dessort Date: Tue, 26 Sep 2017 17:32:47 -0400 Subject: [PATCH 1/4] Add Amazon EC2 role This role is intended to setup and start EC2 instances, before Evolinux roles. --- amazon-ec2/README | 58 +++++++++++++++++++++++++++ amazon-ec2/amazon-ec2-evolinux.yml | 59 ++++++++++++++++++++++++++++ amazon-ec2/defaults/main.yml | 48 ++++++++++++++++++++++ amazon-ec2/tasks/create-instance.yml | 55 ++++++++++++++++++++++++++ 4 files changed, 220 insertions(+) create mode 100644 amazon-ec2/README create mode 100644 amazon-ec2/amazon-ec2-evolinux.yml create mode 100644 amazon-ec2/defaults/main.yml create mode 100644 amazon-ec2/tasks/create-instance.yml
diff --git a/amazon-ec2/README b/amazon-ec2/README
new file mode 100644
index 00000000..d3be7dc3
--- /dev/null
+++ b/amazon-ec2/README
@@ -0,0 +1,58 @@
+# amazon-ec2
+
+Manage Amazon EC2 instances.
+
+This role is intended to be called before any other role to setup and start EC2
+instances.
+
+## Dependancies
+
+You should first ensure that you have python-boto package installed on your
+machine and an Amazon security access key pair created for your account.
+
+## Tasks
+
+By default, this role does nothing (no `main.yml` file).
+
+* `create-instance.yml`: create new EC2 instances
+
+## Variables
+
+ - `aws_access_key` and `aws_secret_key`: your AWS credentials
+ - `aws_region`: where to create instances. Default: ca-central-1
+ - `ec2_public_ip`: assign public elastic IP address. Default: False
+ - `ec2_instance_count`: how many instance to launch. Default: 1
+ - `ec2_security_group: EC2 security group to use. See
+ ec2_evolinux_security_group in `defaults/main.yml` to define your own.
+ Default: ec2_evolinux_security_group
+ - `ec2_base_ami`: EC2 image to use. Default is to use Debian official ones,
+ depending on the region
+ - `ec2_instance_type`: EC2 instance type to use
+ - `ssh_pubkey_file`: SSH public key file to push to AWS. Do not try to put
+ your ED25519 key here, AWS does not support it. Default: ~/.ssh/id_rsa.pub
+ - `ec2_keyname: a name to give to your public key on AWS. Default is to use
+ $USER environment variable.
+
+## Examples
+
+In your main evolinux playbook put this play before Evolinux one:
+
+```
+---
+- name: Prepare Amazon EC2 instance
+ hosts: localhost
+ gather_facts: False
+
+ vars:
+ aws_access_key:
+ aws_secret_key:
+ # Any other variable you want to set.
+
+ tasks:
+ - include_role:
+ name: amazon-ec2
+ tasks_from: create-instance.yml
+```
+
+See amazon-ec2-evolinux.yml for an almost ready-to-use playbook to set up
+Amazon EC2 instances running Evolinux.
diff --git a/amazon-ec2/amazon-ec2-evolinux.yml b/amazon-ec2/amazon-ec2-evolinux.yml
new file mode 100644
index 00000000..282b8353
--- /dev/null
+++ b/amazon-ec2/amazon-ec2-evolinux.yml
@@ -0,0 +1,59 @@
+---
+- name: Prepare Amazon EC2 instance
+ hosts: localhost
+ gather_facts: False
+
+ vars:
+ aws_access_key:
+ aws_secret_key:
+ aws_region: ca-central-1
+
+ tasks:
+ - include_role:
+ name: amazon-ec2
+ tasks_from: create-instance.yml
+
+- name: Install Evolinux
+ hosts: launched-instances
+ become: yes
+
+ vars_files:
+ - 'vars/secrets.yml'
+
+ vars:
+ admin_users: "{{ admin_users }}"
+ minifirewall_trusted_ips: "{{ trusted_ips }}"
+ fail2ban_ignore_ips: "{{ trusted_ips }}"
+ evolinux_hostname:
+ evolinux_domain:
+ evolinux_fqdn:
+ evolinux_internal_hostname:
+ minifirewall_public_ports_tcp: [80, 443]
+ minifirewall_public_ports_udp: []
+ minifirewall_semipublic_ports_tcp: [22]
+ nagios_nrpe_allowed_hosts: "{{ trusted_ips }}"
+
+ roles:
+ - etc-git
+ - evolinux-base
+ - admin-users
+ - munin
+ - minifirewall
+ - fail2ban
+ - nagios-nrpe
+ - listupgrade
+ - evomaintenance
+ - evocheck
+ - packweb-apache
+ - mysql
+
+ post_tasks:
+ - include_role:
+ name: etc-git
+ tasks_from: commit.yml
+ vars:
+ commit_message: "Ansible post-run Evolinux playbook"
+
+ - include_role:
+ name: evocheck
+ tasks_from: exec.yml
diff --git a/amazon-ec2/defaults/main.yml b/amazon-ec2/defaults/main.yml
new file mode 100644
index 00000000..d53371dc
--- /dev/null
+++ b/amazon-ec2/defaults/main.yml
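Review bot: `admin_users: "{{ admin_users }}"` in the vars of the Install Evolinux play refers to itself; as far as I can tell, unless `vars/secrets.yml` (a `vars_files` entry, which takes precedence over play `vars`) defines `admin_users`, templating it recurses and the play aborts, and when the file does define it the line is redundant. Drop the line, or feed it from a differently named variable the way `trusted_ips` feeds `minifirewall_trusted_ips`. The bare `aws_access_key:` / `aws_secret_key:` keys in the first play parse as null and invite pasting long-lived credentials into a committed playbook; `aws_access_key: "{{ lookup('env', 'AWS_ACCESS_KEY_ID') }}"` or a vaulted `vars_files` entry keeps them out of the repository. `become: yes` and `gather_facts: False` should be the canonical `true` / `false`.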
@@ -0,0 +1,48 @@
+---
+aws_region: ca-central-1
+ec2_public_ip: False
+ec2_instance_count: 1
+ec2_security_group: "{{ec2_evolinux_security_group}}"
+ec2_base_ami: "{{ec2_debian_base_ami[aws_region]}}"
+ec2_instance_type: t2.micro
+# Note: Do not try to put your ED25519 key here, AWS does not support it...
+ssh_pubkey_file: ~/.ssh/id_rsa.pub
+ec2_keyname: "{{lookup('env', 'USER')}}"
+
+# From https://wiki.debian.org/Cloud/AmazonEC2Image/Stretch
+ec2_debian_base_ami:
+ ap-northeast-1: ami-032dd665
+ ap-northeast-2: ami-e174ac8f
+ ap-south-1: ami-6e7a3e01
+ ap-southeast-1: ami-41365b22
+ ap-southeast-2: ami-51f61333
+ ca-central-1: ami-18239d7c
+ eu-central-1: ami-11bb0e7e
+ eu-west-1: ami-d037cda9
+ eu-west-2: ami-ece3f388
+ sa-east-1: ami-a24635ce
+ us-east-1: ami-ac5e55d7
+ us-east-2: ami-9fbb98fa
+ us-west-1: ami-560c3836
+ us-west-2: ami-fa18f282
+
+ec2_evolinux_security_group:
+ name: evolinux-default
+ description: Evolinux default security group
+ rules:
+ - proto: icmp
+ cidr_ip: 0.0.0.0/0
+ from_port: -1
+ to_port: -1
+ - proto: tcp
+ from_port: 22
+ to_port: 22
+ cidr_ip: 0.0.0.0/0
+ - proto: tcp
+ from_port: 5666
+ to_port: 5666
+ cidr_ip: 0.0.0.0/0
+ rules_egress:
+ - proto: all
+ cidr_ip: 0.0.0.0/0
+
diff --git a/amazon-ec2/tasks/create-instance.yml b/amazon-ec2/tasks/create-instance.yml
new file mode 100644
index 00000000..25b5c620
--- /dev/null
+++ b/amazon-ec2/tasks/create-instance.yml
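Review bot: The default `ec2_evolinux_security_group` admits SSH (22) and NRPE (5666) from `0.0.0.0/0`, and because it is the role default every instance created through this role starts with both management services reachable from anywhere, before any host firewall has been configured. The shipped playbook already carries a `trusted_ips` list for minifirewall, fail2ban and NRPE; a role variable for the allowed source (e.g. a new `ec2_trusted_cidr`) used as `cidr_ip` of the 22 and 5666 rules would keep the two layers consistent, with `0.0.0.0/0` only as an explicit opt-in. A comment above `rules:` such as `# This group is the only inbound filter until the minifirewall role has run on the instance` would document that window. `ec2_public_ip: False` should be the lowercase `false`.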
@@ -0,0 +1,55 @@
+---
+- name: Create default security group
+ ec2_group:
+ name: "{{ec2_security_group.name}}"
+ state: present
+ aws_access_key: "{{aws_access_key}}"
+ aws_secret_key: "{{aws_secret_key}}"
+ region: "{{aws_region}}"
+ description: "{{ec2_security_group.description}}"
+ rules: "{{ec2_security_group.rules}}"
+
+- name: Create key pair
+ ec2_key:
+ name: "{{ec2_keyname}}"
+ state: present
+ aws_access_key: "{{aws_access_key}}"
+ aws_secret_key: "{{aws_secret_key}}"
+ region: "{{aws_region}}"
+ key_material: "{{item}}"
+ with_file: "{{ssh_pubkey_file}}"
+
+- name: Launch new instance(s)
+ ec2:
+ state: present
+ aws_access_key: "{{aws_access_key}}"
+ aws_secret_key: "{{aws_secret_key}}"
+ region: "{{aws_region}}"
+ image: "{{ec2_base_ami}}"
+ instance_type: "{{ec2_instance_type}}"
+ count: "{{ec2_instance_count}}"
+ assign_public_ip: "{{ec2_public_ip}}"
+ group: "{{ec2_security_group.name}}"
+ key_name: "{{ec2_keyname}}"
+ wait: yes
+ register: ec2
+
+- name: Add newly created instance(s) to inventory
+ add_host:
+ hostname: "{{item.public_dns_name}}"
+ groupname: launched-instances
+ ansible_user: admin
+ ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
+ with_items: "{{ec2.instances}}"
+
+- debug:
+ msg: "Your newly created instance is reachable at: {{item.public_dns_name}}"
+ with_items: "{{ec2.instances}}"
+
+- name: Wait for SSH to come up on all instances (give up after 2m)
+ wait_for:
+ state: started
+ host: "{{item.public_dns_name}}"
+ port: 22
+ timeout: 120
+ with_items: "{{ec2.instances}}"
From 54d72ad9e0e931dd7580aee6b0887ce97b87460b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 13 Nov 2017 15:40:18 +0100 Subject: [PATCH 2/4] typo + whitespaces --- amazon-ec2/README | 4 ++-- amazon-ec2/defaults/main.yml | 7 +++---- 2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/amazon-ec2/README b/amazon-ec2/README
index d3be7dc3..c47de370 100644
--- a/amazon-ec2/README
+++ b/amazon-ec2/README
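Review bot: `ansible_ssh_common_args: "-o StrictHostKeyChecking=no"` in the Add newly created instance(s) task turns off host key verification for every launched host, so the connection that later applies the whole Evolinux configuration with `become` is never authenticated against the instance, and a freshly launched public DNS name is exactly where a first-contact check matters. At minimum document the trade-off with a comment such as `# Host keys of new instances are unknown, so verification is skipped on first contact; seeding known_hosts from the instance console output is the safer alternative`, and keep the option scoped to this play rather than the inventory. `rules_egress` from `ec2_security_group` is never passed to `ec2_group` (only `rules:` is), so the egress part of the default in `defaults/main.yml` is silently ignored; add `rules_egress: "{{ec2_security_group.rules_egress}}"` next to `rules:` if it is meant to apply. `wait: yes` should be `wait: true`.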
@@ -5,9 +5,9 @@ Manage Amazon EC2 instances.
 This role is intended to be called before any other role to setup and start EC2
 instances.
 
-## Dependancies
+## Dependencies
 
-You should first ensure that you have python-boto package installed on your
+You should first ensure that you have `python-boto` package installed on your
 machine and an Amazon security access key pair created for your account.
 
 ## Tasks
diff --git a/amazon-ec2/defaults/main.yml b/amazon-ec2/defaults/main.yml
index d53371dc..fde898bd 100644
--- a/amazon-ec2/defaults/main.yml
+++ b/amazon-ec2/defaults/main.yml
@@ -2,12 +2,12 @@
 aws_region: ca-central-1
 ec2_public_ip: False
 ec2_instance_count: 1
-ec2_security_group: "{{ec2_evolinux_security_group}}"
-ec2_base_ami: "{{ec2_debian_base_ami[aws_region]}}"
+ec2_security_group: "{{ ec2_evolinux_security_group }}"
+ec2_base_ami: "{{ ec2_debian_base_ami[aws_region] }}"
 ec2_instance_type: t2.micro
 # Note: Do not try to put your ED25519 key here, AWS does not support it...
 ssh_pubkey_file: ~/.ssh/id_rsa.pub
-ec2_keyname: "{{lookup('env', 'USER')}}"
+ec2_keyname: "{{ lookup('env', 'USER') }}"
 
 # From https://wiki.debian.org/Cloud/AmazonEC2Image/Stretch
 ec2_debian_base_ami:
@@ -45,4 +45,3 @@ ec2_evolinux_security_group:
 rules_egress:
 - proto: all
 cidr_ip: 0.0.0.0/0
-
From 2fe548ce4e47731a4ec1da4f39157108dcd34d50 Mon Sep 17 00:00:00 2001 From: Romain Dessort Date: Wed, 15 Nov 2017 17:25:43 -0500 Subject: [PATCH 3/4] Open standart ports in default security group --- amazon-ec2/defaults/main.yml | 88 ++++++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+)
diff --git a/amazon-ec2/defaults/main.yml b/amazon-ec2/defaults/main.yml
index fde898bd..c22b9df4 100644
--- a/amazon-ec2/defaults/main.yml
+++ b/amazon-ec2/defaults/main.yml
@@ -42,6 +42,94 @@ ec2_evolinux_security_group:
 from_port: 5666
 to_port: 5666
 cidr_ip: 0.0.0.0/0
+ - proto: tcp
+ from_port: 53
+ to_port: 53
+ cidr_ip: 0.0.0.0/0
+ - proto: udp
+ from_port: 53
+ to_port: 53
+ cidr_ip: 0.0.0.0/0
+ - proto: tcp
+ from_port: 389
+ to_port: 389
+ cidr_ip: 0.0.0.0/0
+ - proto: tcp
+ from_port: 636
+ to_port: 636
+ cidr_ip: 0.0.0.0/0
+ - proto: tcp
+ from_port: 143
+ to_port: 143
+ cidr_ip: 0.0.0.0/0
+ - proto: tcp
+ from_port: 993
+ to_port: 993
+ cidr_ip: 0.0.0.0/0
+ - proto: tcp
+ from_port: 110
+ to_port: 110
+ cidr_ip: 0.0.0.0/0
+ - proto: tcp
+ from_port: 995
+ to_port: 995
+ cidr_ip: 0.0.0.0/0
+ - proto: tcp
+ from_port: 25
+ to_port: 25
+ cidr_ip: 0.0.0.0/0
+ - proto: tcp
+ from_port: 80
+ to_port: 80
+ cidr_ip: 0.0.0.0/0
+ - proto: tcp
+ from_port: 443
+ to_port: 443
+ cidr_ip: 0.0.0.0/0
+ - proto: tcp
+ from_port: 21
+ to_port: 21
+ cidr_ip: 0.0.0.0/0
+ - proto: tcp
+ from_port: 20
+ to_port: 20
+ cidr_ip: 0.0.0.0/0
+ - proto: tcp
+ from_port: 5001
+ to_port: 5001
+ cidr_ip: 0.0.0.0/0
+ - proto: tcp
+ from_port: 465
+ to_port: 465
+ cidr_ip: 0.0.0.0/0
+ - proto: tcp
+ from_port: 587
+ to_port: 587
+ cidr_ip: 0.0.0.0/0
+ - proto: tcp
+ from_port: 8181
+ to_port: 8181
+ cidr_ip: 0.0.0.0/0
+ - proto: tcp
+ from_port: 8282
+ to_port: 8282
+ cidr_ip: 0.0.0.0/0
+ - proto: tcp
+ from_port: 9091
+ to_port: 9091
+ cidr_ip: 0.0.0.0/0
+ - proto: tcp
+ from_port: 2222
+ to_port: 2222
+ cidr_ip: 0.0.0.0/0
+ - proto: tcp
+ from_port: 2223
+ to_port: 2223
+ cidr_ip: 0.0.0.0/0
+ - proto: udp
+ from_port: 123
+ to_port: 123
+ cidr_ip: 0.0.0.0/0
 rules_egress:
 - proto: all
 cidr_ip: 0.0.0.0/0
From 16a1111345d8ad18d6fd3b7fdaeb8ad36181372d Mon Sep 17 00:00:00 2001 From: Romain Dessort Date: Wed, 15 Nov 2017 17:32:18 -0500 Subject: [PATCH 4/4] Add a post-install task file --- amazon-ec2/README | 1 + amazon-ec2/tasks/post-install.yml | 5 +++++ 2 files changed, 6 insertions(+) create mode 100644 amazon-ec2/tasks/post-install.yml
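Review bot: The 22 new rules make the role's default security group admit DNS, LDAP (389/636), IMAP/POP, SMTP, FTP (20/21), NTP and several application ports (5001, 8181, 8282, 9091, 2222, 2223) from `0.0.0.0/0`, on top of SSH and NRPE; as a default applied to every instance before the minifirewall role runs, that is close to no inbound filtering at all, and the README still describes the variable only as "EC2 security group to use". The enclosing `ec2_evolinux_security_group` mapping starts outside the hunk. The default should stay at what the shipped playbook needs (22, 80, 443, 5666), with the full list as a documented opt-in variable, or at least the administrative ports (22, 389/636, 2222/2223, 5666) should be restricted to a trusted CIDR rather than world-open. Each rule should also carry a comment naming the service it serves, e.g. `# LDAP` above the 389 entry; the purpose of 5001, 8181, 8282, 9091, 2222 and 2223 cannot be inferred from the defaults file.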
diff --git a/amazon-ec2/README b/amazon-ec2/README
index c47de370..80442d05 100644
--- a/amazon-ec2/README
+++ b/amazon-ec2/README
@@ -15,6 +15,7 @@ machine and an Amazon security access key pair created for your account.
 By default, this role does nothing (no `main.yml` file).
 
 * `create-instance.yml`: create new EC2 instances
+* `post-install.yml`: remove admin user created on Debian instances
 
 ## Variables
 
diff --git a/amazon-ec2/tasks/post-install.yml b/amazon-ec2/tasks/post-install.yml
new file mode 100644
index 00000000..369f4941
--- /dev/null
+++ b/amazon-ec2/tasks/post-install.yml
@@ -0,0 +1,5 @@
+---
+- name: Remove admin user
+ user:
+ name: admin
+ state: absent
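Review bot: `Remove admin user` in post-install.yml deletes the same `admin` account that create-instance.yml registers as `ansible_user`, so when this file is included from a play on `launched-instances` the task runs through the account it removes; on Debian `userdel` normally refuses to delete a user with running processes, so it will most likely fail, and if it does succeed the next run can no longer log in. The README entry should state the precondition, e.g. `* post-install.yml: remove the default admin user; run only after admin-users has created another account and with ansible_user switched to it`. `state: absent` without `remove: yes` also leaves `/home/admin`, including the `authorized_keys` holding the key pushed by create-instance.yml, on disk; add `remove: yes` if the intent is to retire that credential.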