Merge branch 'master' of https://nca-dev.techsupport.co.uk/gitlab/ansible/vlad-ansible-linux
commit
2af64310d1
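--- a/dnaclab_linux/ad1.dnaclab.net.crt
+++ b/dnaclab_linux/ad1.dnaclab.net.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDYzCCAkugAwIBAgIQOjH4SmsJLppClIB6CKuPKTANBgkqhkiG9w0BAQsFADBE
+MRMwEQYKCZImiZPyLGQBGRYDbmV0MRcwFQYKCZImiZPyLGQBGRYHZG5hY2xhYjEU
+MBIGA1UEAxMLZG5hY2xhYi5uZXQwHhcNMjIwNDI4MTYyODMxWhcNMzIwNDI4MTYz
+ODMwWjBEMRMwEQYKCZImiZPyLGQBGRYDbmV0MRcwFQYKCZImiZPyLGQBGRYHZG5h
+Y2xhYjEUMBIGA1UEAxMLZG5hY2xhYi5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDJiTcCiTFlBkDIe19uDPm/JWfM53v2BHlyQZadk2aNVq18ZHTC
+2724X9gKG2qUWhdxVYyBgnz/EYra+kgsJdXMsiDWN+MbfOdD3Xs7MBPC1goujFVW
+6n6dvi5JZarFJjvDhKLfuRUB61we6vfccZwE4PwSChaIWDoCJlpcRaHnKEgLxawh
+/UpArEm2KRWfRMDloxXmVJkjZ1JKQF54iZbMRvGhyGpIEcwLG9ddetEvjmDK+FIU
+4AKG356ktjvFQFOCp4U9CTnm0h+AwOem+Le6Q5qV8GKPEc9wTJjbkarsoEYd9doS
+d2qrmHiSe/mpO52Fn1HZELnjH3yis4wpaxP3AgMBAAGjUTBPMAsGA1UdDwQEAwIB
+hjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSm6oQF7HWtEn8/zS61YUU7WEJ6
+5DAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQsFAAOCAQEAU3PZaenth8q3
+9O4HmcNR6+uPx3Ic4G6AgY6/rI1WSNnax9n76wvYBGd+DytOGLVhmzdW6U7udcUB
+rn4mwKhiUa4LtvbZfSz7gycJ2f/l0Vqq2ebSWTM3D2L6leQKfy71USQ9u7oRNWHN
+kmq8bzXrJ5NGCdMG4u+0848jqquD3wHZixvjHsCwZeKYDldnbZIvuOBQSh4N+YCV
+jEgE2XULMYrxLSCh/01p1cl4It3Rb0/xR105cPlYEU6HyYQVctjdhgZAnanYAu+1
+HaQtKGeASlx+i7WftsMCOJuC3ddEF7yT9se3yeAGjioIjLUhlx+1yHcXzEVyFVQd
+uzeSL2RGjA==
+-----END CERTIFICATE-----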
@ -3,8 +3,7 @@ all:
|
|||||||
children:
|
children:
|
||||||
services_hosts:
|
services_hosts:
|
||||||
hosts:
|
hosts:
|
||||||
ubuntu.dnaclab.net:
|
services.dnaclab.net:
|
||||||
staging.dnaclab.net:
|
|
||||||
developer_hosts:
|
developer_hosts:
|
||||||
hosts:
|
hosts:
|
||||||
developer.dnaclab.net:
|
developer.dnaclab.net:
|
||||||
@ -17,12 +16,7 @@ all:
|
|||||||
backups.dnaclab.net:
|
backups.dnaclab.net:
|
||||||
kubernetes:
|
kubernetes:
|
||||||
hosts:
|
hosts:
|
||||||
10.221.0.130:
|
k8s-master.dnaclab.net:
|
||||||
10.221.0.131:
|
k8s-worker1.dnaclab.net:
|
||||||
10.221.0.132:
|
k8s-worker2.dnaclab.net:
|
||||||
kubernetes_dev:
|
|
||||||
hosts:
|
|
||||||
172.16.1.130:
|
|
||||||
172.16.1.131:
|
|
||||||
172.16.1.132:
|
|
||||||
172.16.1.133:
|
|
||||||
|
|||||||
33
dnaclab_linux/prestage_root_ca.yaml
Normal file
33
dnaclab_linux/prestage_root_ca.yaml
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
---
|
||||||
|
- name: Prestage server(s) with the NCA FSA AD1 root CA and load it into SSL service
|
||||||
|
hosts: all
|
||||||
|
become: yes
|
||||||
|
vars_files:
|
||||||
|
- global_vars/main.yml
|
||||||
|
|
||||||
|
tasks:
|
||||||
|
|
||||||
|
- name: Copy AD1 root certificate to the shared SSL store
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: "./ad1.dnaclab.net.crt"
|
||||||
|
dest: /usr/local/share/ca-certificates/
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '0666'
|
||||||
|
|
||||||
|
- name: Update the CA certificate store
|
||||||
|
ansible.builtin.command: update-ca-certificates
|
||||||
|
register: update_results
|
||||||
|
|
||||||
|
- name: Print update results
|
||||||
|
ansible.builtin.debug:
|
||||||
|
var: update_results.stdout
|
||||||
|
|
||||||
|
- name: Verify that certificates signed by AD1 can be verified now
|
||||||
|
ansible.builtin.shell: openssl s_client -connect gitlab.dnaclab.net:443 -showcerts </dev/null
|
||||||
|
register: verify_results
|
||||||
|
|
||||||
|
- name: Report outcome of certificate install and validation
|
||||||
|
ansible.builtin.debug:
|
||||||
|
msg: Root CA installation and validation successfull!
|
||||||
|
when: '"Verification: OK" in verify_results.stdout'
|
||||||
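Review bot: `mode: '0666'` on the copy task installs the AD1 root certificate world-writable under /usr/local/share/ca-certificates/, so any local account can overwrite the trust anchor before the following `update-ca-certificates` run links it into the system store; a public certificate only needs `mode: '0644'`. The closing debug task fires only when "Verification: OK" is present in `verify_results.stdout`, so a failed chain check still ends the play green — replacing it with an assert (below) makes the play fail on exactly the condition it is meant to prove. `become: yes` is a YAML 1.1 boolean spelling and should be `become: true`; the s_client step only inspects state and should carry `changed_when: false`.
```yaml
    # … unchanged: copy, update-ca-certificates and print-results tasks …
    - name: Verify that certificates signed by AD1 can be verified now
      ansible.builtin.shell: openssl s_client -connect gitlab.dnaclab.net:443 -showcerts </dev/null
      register: verify_results
      changed_when: false

    - name: Fail unless the AD1-signed chain now verifies
      ansible.builtin.assert:
        that:
          - '"Verification: OK" in verify_results.stdout'
        fail_msg: "Root CA was installed but chain verification against gitlab.dnaclab.net did not return OK"
        success_msg: "Root CA installation and validation successful!"
```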
31
dnaclab_linux/prestage_update_dns.yaml
Normal file
31
dnaclab_linux/prestage_update_dns.yaml
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
---
|
||||||
|
- name: Change the netplan configuration to only allow the internal DNS server
|
||||||
|
hosts: all
|
||||||
|
become: yes
|
||||||
|
vars_files:
|
||||||
|
- global_vars/main.yml
|
||||||
|
|
||||||
|
tasks:
|
||||||
|
|
||||||
|
- name: Check if the netplan configuration is present
|
||||||
|
ansible.builtin.stat:
|
||||||
|
path: /etc/netplan/00-installer-config.yaml
|
||||||
|
|
||||||
|
- name: Set the new netplan to use only the internal DNS
|
||||||
|
ansible.builtin.command: netplan set ethernets.ens160.nameservers.addresses=[10.221.0.100]
|
||||||
|
|
||||||
|
- name: Apply the new netplan
|
||||||
|
ansible.builtin.command: netplan apply
|
||||||
|
|
||||||
|
- name: Restart the resolved service
|
||||||
|
ansible.builtin.command: systemctl restart systemd-resolved.service
|
||||||
|
|
||||||
|
- name: Get currently configured DNS servers
|
||||||
|
ansible.builtin.command: netplan get ethernets.ens160.nameservers.addresses
|
||||||
|
register: dns_check
|
||||||
|
|
||||||
|
- name: Validate that only the internal DNS is configured
|
||||||
|
ansible.builtin.debug:
|
||||||
|
msg: Change successfull!
|
||||||
|
when: dns_check.stdout == "- 10.221.0.100"
|
||||||
|
|
||||||
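Review bot: The stat task on /etc/netplan/00-installer-config.yaml has no `register`, so its result is discarded and the `netplan set` / `netplan apply` tasks run whether or not that file exists; add `register: netplan_cfg` to the stat task and `when: netplan_cfg.stat.exists` to the two netplan tasks, or fail explicitly when it is absent. If I recall netplan's default correctly, `netplan set` without `--origin-hint` writes to its own 70-netplan-set.yaml rather than to the file being checked, so the guard is only a precondition check and deserves a comment saying so. The interface name `ens160` and the resolver `10.221.0.100` are hard-coded in three tasks and belong in global_vars/main.yml, which the play already loads via `vars_files`. `ansible.builtin.command: systemctl restart systemd-resolved.service` should be the `ansible.builtin.systemd` module with `name: systemd-resolved` and `state: restarted`, and `become: yes` should be `become: true`.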
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
- name: Reboots linux host and checks status
|
- name: Reboots linux host and checks status
|
||||||
hosts: kubernetes_dev
|
hosts: kubernetes
|
||||||
become: yes
|
become: yes
|
||||||
vars_files:
|
vars_files:
|
||||||
- global_vars/main.yml
|
- global_vars/main.yml
|
||||||
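Review bot: Retargeting the play from `kubernetes_dev` to `kubernetes` means the reboot task (outside this hunk) now runs against the master and both worker nodes that this commit's inventory change lists under that group; unless the play sets `serial` further down, all three reboot concurrently and the cluster goes down rather than rolling. Consider `serial: 1` next to `hosts: kubernetes` so nodes are rebooted one at a time. `become: yes` on the following line should be `become: true` for YAML 1.2 loaders. The play body continues past the end of this hunk.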
|
|||||||