commit ec76d50c7b5187c9d1a7a22aeddd1f0181f32a45 Author: Donavan Fritz Date: Fri Jun 7 13:43:00 2024 -0700 initial migration and clean-up from previous repo
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d5bbc81
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,6 @@
+vault*
+venv/*
+.venv/*
+.idea/*
+
+
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..34f7ac4
--- /dev/null
+++ b/README.md
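Review bot: `vault*` is the only rule keeping the vault password out of git, and as an unanchored prefix glob it is both too loose and too broad: it matches any path component starting with `vault`, so a future `vault.yml` or `group_vars/vault-secrets.yml` holding *encrypted* vars would be silently skipped from commits, while the real secret is protected only as long as its filename keeps that prefix. Ignore the exact file the README documents instead, `/vault-password`. If variants are expected (`vault-password.txt`, `vault-password.prod`), add `/vault-password.*` rather than widening the prefix.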
@@ -0,0 +1,57 @@
+# Fritzlab Ansible Playbooks
+
+---
+
+### Proxmox Hosts
+
+We manage Proxmox hosts via Ansible.
+The following playbook will set the Proxmox settings for all hosts in the inventory file.
+
+```bash
+$ ansible-playbook --vault-password-file vault-password compute/playbook-host-proxmox.yaml -i compute/inventory-host-proxmox.yaml
+```
+
+### Dell iDRAC
+
+We manage Dell iDRAC settings via Ansible (via Redfish API).
+The following playbook will set the iDRAC settings for all hosts in the inventory file.
+
+```bash
+$ ansible-playbook --vault-password-file vault-password compute/playbook-machine-idrac.yaml -i compute/inventory-machine-idrac.yaml
+```
+
+### Secrets
+
+We use ansible-vault to encrypt secrets.
+The vault password is assumed to be available in a file called `vault-password`.
+This password file is not stored in the repository and must be created by the user.
+It is stored in 1Password under the name `Ansible Vault Password`.
+
+#### Add new secret into an inventory file
+Here is how to encrypt a new secret with ansible-vault:
+
+```bash
+$ ansible-vault encrypt_string --vault-password-file vault-password
+!vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 64383837303638393966666536323131376366613531613966633532633439343961663934373263
+ 6237393730666235326365326430396231623031613166340a386363653865656432373138616232
+ 34393765326262373435373334653838366562616465333536633335356637353335333839613233
+ 6337316139363334650a393238656266643965333630343166366335616539393838366333323934
+ 65616636656235373738306561316431336232376165356465623232313465303435
+```
+The result is a string that can be used in a playbook.
+
+```yaml
+dell_machines:
+ hosts:
+ host001:
+ idrac_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 65356164386561376463613762323663633466653432643561313230393131356635646361353265
+ 6437613034393061336565366465656539326366326430650a366331383165333136326535633833
+ 39336366666137623230393261633166313837303432653336636363393936323133636366313636
+ 3738316235663337370a333031643466323962643034313433666236313831643861656461643833
+ 35316235356566333761333635356337373632646365343364373563613034636334
+```
+
diff --git a/compute/inventory-host-proxmox.yaml b/compute/inventory-host-proxmox.yaml
new file mode 100644
index 0000000..10eaaf4
--- /dev/null
+++ b/compute/inventory-host-proxmox.yaml
@@ -0,0 +1,138 @@ +all: + hosts: + + # dell poweredge r640 hosts + host001: + ansible_user: root + ansible_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 62396366303338343231383764336164626531613464616535663237346439313133656162646233 + 3435323336663030613038653831393366376637353933300a303130626663313563313434316564 + 38653161303031303935666534613933323437393965353332666637666132393036666531613232 + 3766333934383130310a343137326561316561306138636163313632366662306337623232336166 + 32666561303536636136316634383562633232333632363430643239333436336433 + ansible_host: host001.sjc001.fritzlab.net + ipv4_address: 172.25.6.101 + ipv6_address: 2602:817:3000:c206::101 + host002: + ansible_user: root + ansible_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 31653536313038353937653034643230366637363464333534653065363261313565323935613561 + 3830653463613463626466393961383531353233626330630a616131373837656133383534393537 + 66643463626336393161323733383230323131323062343062656139613330623461646338393035 + 6562613235393039650a386666343039653739623336303430353835313461336331646430363063 + 38633438353737303932613330356532386138346265316432616564346239343836 + ansible_host: host002.sjc001.fritzlab.net + ipv4_address: 172.25.6.102 + ipv6_address: 2602:817:3000:c206::102 + host003: + ansible_user: root + ansible_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 64306133313464643937343234636132343839313465646131623866626461333537383337613537 + 3365313231663034663339373633653461643463666638300a323531366265613531356338643736 + 39343331663230333165633431366466313838636432636638333965333937313834323732346536 + 6131353761376366640a316131346538323965633536613965306639633032343439313962386630 + 33366530393336336466623461333738313566663663663336616230353735373865 + ansible_host: host003.sjc001.fritzlab.net + ipv4_address: 172.25.6.103 + ipv6_address: 2602:817:3000:c206::103 + host004: + ansible_user: root + ansible_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 
30343932313439653462613862333838366438383066613466633431373038306338346635306562 + 3362306632323435383332633633616563626238346435300a663137393532666239303862663061 + 31646361323562383866663062633337316664393164373436653730316431376133613262653339 + 6439363865303266640a376232366234666563393638613935656230386631643364333832393036 + 35653462306330393735363061636234623564643764653936353939616230646233 + ansible_host: host004.sjc001.fritzlab.net + ipv4_address: 172.25.6.104 + ipv6_address: 2602:817:3000:c206::104 + + # Intel NUC hosts + host201: + ansible_user: root + ansible_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 63366438616366643633383736323435656637386137376166613765663962623761333762663461 + 3966613863636636376636343533623936666334626336620a623433363830326262663238636532 + 34323731623766396163313063333266666266396539616533626135656661393064613530326633 + 3336643339616434650a313464653764666264346564363166656531306165613037623035333038 + 33336337303565663530626632666462313832316231306633333263396164306462 + ansible_host: host201.sjc001.fritzlab.net + ipv4_address: 172.25.6.201 + ipv6_address: 2602:817:3000:c206::201 + host202: + ansible_user: root + ansible_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 61633065303062393637303631356165643930666134366233326635356230666465326466376639 + 3564346461363335373238366633666261613536303062300a393262653233623934303563323162 + 64313263616132636233636463663436326430303030646234653939646661626366643263623364 + 3262366331643733380a343439633763653563356634366336323866366563313130333036353765 + 61303333313935316232303064653833373466623533613935383161323938633761 + ansible_host: host202.sjc001.fritzlab.net + ipv4_address: 172.25.6.202 + ipv6_address: 2602:817:3000:c206::202 + host203: + ansible_user: root + ansible_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 66313132663037653035623066333133393736656362663062313261313465316232326262346533 + 
3537313839613736663963656463393264666538623562650a393532333264333933303230616639 + 36363136616562333433623863336262323939623732303934626162366133326162363966623139 + 6635653538646465360a333363656135643431396562663239373537643964633063633266613630 + 32343164396531666665656130373132386562626533326562636234613233623566 + ansible_host: host203.sjc001.fritzlab.net + ipv4_address: 172.25.6.203 + ipv6_address: 2602:817:3000:c206::203 + host204: + ansible_user: root + ansible_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 30356265386433663730306532306430616632333033356630656233346332386633323337646330 + 3533363566356362373639363063333863393663316438650a366263356238393938616561653037 + 36383332373137616165346535653063636431653365613335656533313064666633623635643938 + 3639306462303639630a316238613166376335393165663564386263313933333766323232333533 + 62316137383036373162376262353231663062393636346136356539653234306235 + ansible_host: host204.sjc001.fritzlab.net + ipv4_address: 172.25.6.204 + ipv6_address: 2602:817:3000:c206::204 + + vars: + ipv6_prefix_len: 64 + ipv6_gateway: 2602:817:3000:c206::A + ipv4_prefix_len: 24 + ipv4_gateway: 172.25.6.254 + resolvers: + - 2602:817:3000:c608::202 + - 2602:817:3000:c608::203 + - 142.202.202.202 + - 142.202.203.204 + domain_name: "fritzlab.net" + vlans: + # DMZ + 630: DMZ_USER + 600: DMZ_TRANSIT + 603: DMZ_TRANSIT_FRITZLAB + 604: DMZ_TRANSIT_VINO + 606: DMZ_SERVER1 + 607: DMZ_SERVER_MSP + 608: DMZ_DNS + 666: DMZ_SERVER6 + # FRITZLAB + 200: FRITZLAB_TRANSIT + 204: FRITZLAB_MANAGEMENT4 + 205: FRITZLAB_MANAGEMENT + 206: FRITZLAB_SERVER + 207: FRITZLAB_USER + 260: FRITZLAB_SERVER6 + 270: FRITZLAB_USER6 + # VINO + 300: VINO_TRANSIT + 306: VINO_SERVER + 307: VINO_USER + 360: VINO_SERVER6 + 370: VINO_USER6 \ No newline at end of file diff --git a/compute/inventory-machine-idrac.yaml b/compute/inventory-machine-idrac.yaml new file mode 100644 index 0000000..a1fbf08 --- /dev/null +++ b/compute/inventory-machine-idrac.yaml 
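Review bot: Every host entry is `ansible_user: root` with a vaulted `ansible_password`, so root password logins over SSH stay enabled on all eight hypervisors even though the Proxmox play installs an `authorized_key` for root on the same run. Once that key is in place, replace the per-host `ansible_password` with `ansible_ssh_private_key_file` (or rely on the agent) and then turn off password auth on the hosts (`PermitRootLogin prohibit-password`, `PasswordAuthentication no`); keeping both means the vaulted passwords remain a live credential that a vault-password leak turns into root on every node. The inventory also carries no host-key handling, so first contact depends on the controller's `host_key_checking` setting — presumably the fingerprints are already trusted, but pinning them in a committed `known_hosts` would make that explicit. Minor: the resolvers here (`...:c608::202/203`) differ from the iDRAC DNS in the other inventory (`...:c607::203`); a one-line comment on which is the management-VLAN resolver would prevent a future "fix" to the wrong one.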
@@ -0,0 +1,73 @@ +dell_machines: + hosts: + host001: + idrac_user: root + idrac_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 65356164386561376463613762323663633466653432643561313230393131356635646361353265 + 6437613034393061336565366465656539326366326430650a366331383165333136326535633833 + 39336366666137623230393261633166313837303432653336636363393936323133636366313636 + 3738316235663337370a333031643466323962643034313433666236313831643861656461643833 + 35316235356566333761333635356337373632646365343364373563613034636334 + ipv4_address: 172.25.5.101 + ipv4_gateway: 172.25.5.254 + ipv4_mask: 255.255.255.0 + ipv4_dns_1: 142.202.202.202 + ipv6_address: 2602:817:3000:C205::101 + ipv6_gateway: 2602:817:3000:C205::A + ipv6_prefix_len: 64 + ipv6_dns_1: 2602:817:3000:c607::203 + host002: + idrac_user: root + idrac_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 64383837303638393966666536323131376366613531613966633532633439343961663934373263 + 6237393730666235326365326430396231623031613166340a386363653865656432373138616232 + 34393765326262373435373334653838366562616465333536633335356637353335333839613233 + 6337316139363334650a393238656266643965333630343166366335616539393838366333323934 + 65616636656235373738306561316431336232376165356465623232313465303435 + ipv4_address: 172.25.5.102 + ipv4_gateway: 172.25.5.254 + ipv4_mask: 255.255.255.0 + ipv4_dns_1: 142.202.202.202 + ipv6_address: 2602:817:3000:C205::102 + ipv6_gateway: 2602:817:3000:C205::A + ipv6_prefix_len: 64 + ipv6_dns_1: 2602:817:3000:c607::203 + host003: + idrac_user: root + idrac_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 65376638303736373436663038396632613035393461303131383933633933313734306532363230 + 3930343335323535383266333335333137663364316361620a643666663936653737663962613030 + 32376430323735346435623261656261343535376162643435653639343065666331353034656330 + 3061666336326131300a613137623161313063313535333266303933346639363537373466616165 + 
30333230623238356639313565376530663039383162613038373362303063316331 + ipv4_address: 172.25.5.103 + ipv4_gateway: 172.25.5.254 + ipv4_mask: 255.255.255.0 + ipv4_dns_1: 142.202.202.202 + ipv6_address: 2602:817:3000:C205::103 + ipv6_gateway: 2602:817:3000:C205::A + ipv6_prefix_len: 64 + ipv6_dns_1: 2602:817:3000:c607::203 + host004: + idrac_user: root + idrac_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 66333238656166383431323739373466333163353534303936323264323034663263623630646630 + 6133646630613666303838653764383938376537636632640a376330366161666466623830343133 + 32666630306437323839393564316139343664666161623333633365643839306631383337383330 + 3833643366396262620a363065396134346635353234663835616162323062303132393662333236 + 37396434316334333730306633626261646531356662336634306663663832363431 + ipv4_address: 172.25.5.104 + ipv4_gateway: 172.25.5.254 + ipv4_mask: 255.255.255.0 + ipv4_dns_1: 142.202.202.202 + ipv6_address: 2602:817:3000:C205::104 + ipv6_gateway: 2602:817:3000:C205::A + ipv6_prefix_len: 64 + ipv6_dns_1: 2602:817:3000:c607::203 + vars: + snmp_trap_dst_ipv4_1: 0.0.0.0 + diff --git a/compute/playbook-host-proxmox.yaml b/compute/playbook-host-proxmox.yaml new file mode 100644 index 0000000..a3eca40 --- /dev/null +++ b/compute/playbook-host-proxmox.yaml 
@@ -0,0 +1,153 @@
+---
+- name: Configure Network and DNS settings on Proxmox Host
+ hosts:
+ - host20*
+ become: true
+
+ tasks:
+ - name: Set system hostname to inventory hostname
+ hostname:
+ name: "{{ inventory_hostname }}.{{ domain_name }}"
+
+ - name: Configure base bond network interfaces for Dell PowerEdge R640
+ template:
+ src: interface-base-dell.j2
+ dest: /etc/network/interfaces.d/base
+ notify: restart networking
+ when: inventory_hostname.startswith('host0')
+
+ - name: Configure network interfaces for Dell PowerEdge R640
+ template:
+ src: interface-main-dell.j2
+ dest: /etc/network/interfaces
+ notify: restart networking
+ when: inventory_hostname.startswith('host0')
+
+ - name: Configure base vlan network interfaces for Intel NUCs
+ template:
+ src: interface-base-intel.j2
+ dest: /etc/network/interfaces.d/base
+ notify: restart networking
+ when: inventory_hostname.startswith('host2')
+
+ - name: Configure network interfaces for Intel NUCs
+ template:
+ src: interface-main-intel.j2
+ dest: /etc/network/interfaces
+ notify: restart networking
+ when: inventory_hostname.startswith('host2')
+
+ - name: Configure resolv.conf for DNS settings
+ template:
+ src: resolv.conf.j2
+ dest: /etc/resolv.conf
+
+ - name: Configure /ets/hosts
+ template:
+ src: hosts.j2
+ dest: /etc/hosts
+
+ - name: Set timezone to UTC
+ ansible.builtin.timezone:
+ name: UTC
+
+ - name: Configure NTP (Chrony)
+ template:
+ src: chrony.conf.j2
+ dest: /etc/chrony/chrony.conf
+ notify: restart chrony
+
+ - name: Create managed .bashrc file
+ template:
+ src: bashrc_managed.j2
+ dest: "/root/.bashrc_managed"
+
+ - name: Ensure .bashrc includes the managed file
+ lineinfile:
+ path: "/root/.bashrc"
+ line: 'if [ -f ~/.bashrc_managed ]; then . ~/.bashrc_managed; fi'
+ insertbefore: EOF
+
+ - name: Copy SSH public key to remote host
+ authorized_key:
+ user: root
+ state: present
+ key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKfPOnXImpSaSDzHLtlv6tenIdWhZEA15WWbkNCkM0u8q8eefJYMEkdT0F+46rilxjVnB0wmWcVUFmU8uT2YqfUczYb185LDKeSC5qQI/J+XibxeZNkE7swcTy9nj/dRqO2OpKPJnWUTQAUrgY7hmZYtOx8cjuQUvuRA1yBi5AuGFrHG0NKLr1h7AriLhkTv1xYAQ0W9wrG3hw882oLf1cLSAKWWhJX0XrlqKJQ5bqmt8yW3JO+Twdm2KDbxkR3IiHgpyfe9/zf5STMBejP2gXG0vpbRoVM9X10BtWDo22JudPEt2Wdy7qe7UqZLlNjHaYkUVTtN+JEf4ZoaBUf98t dfritz@desktops-mbp.corp.netflix.com"
+
+ - name: Check if PVE enterprise apt sources file exists
+ stat:
+ path: /etc/apt/sources.list.d/pve-enterprise.list
+ register: pve_apt_source_enterprise
+
+ - name: Move PVE enterprise apt sources, if file exists
+ command: mv /etc/apt/sources.list.d/pve-enterprise.list /etc/apt/sources.list.d/pve-enterprise.list.old
+ when: pve_apt_source_enterprise.stat.exists
+
+ - name: Check if PVE ceph apt sources file exists
+ stat:
+ path: /etc/apt/sources.list.d/ceph.list
+ register: pve_apt_source_ceph
+
+ - name: Move PVE ceph apt sources, if file exists
+ command: mv /etc/apt/sources.list.d/ceph.list /etc/apt/sources.list.d/ceph.list.old
+ when: pve_apt_source_ceph.stat.exists
+
+ - name: Manage apt sources
+ template:
+ src: sources.j2
+ dest: "/etc/apt/sources.list"
+
+ - name: Manage .digrc
+ template:
+ src: digrc.j2
+ dest: "/root/.digrc"
+
+ - name: Update apt repos
+ apt:
+ update_cache: yes
+
+ - name: Install packages
+ apt:
+ state: present
+ name:
+ - htop
+ - nano
+ - wget
+ - curl
+ - iperf3
+
+ - name: Update all host/vm packages
+ ansible.builtin.apt:
+ update_cache: true
+ cache_valid_time: 3600
+ name: "*"
+ state: latest
+
+ - name: Ensure ISO mount point directory exists
+ ansible.builtin.file:
+ path: /mnt/iso-images/template/iso
+ state: directory
+
+ - name: Insert/update NFS mount block in /etc/fstab
+ notify: reload fstab
+ ansible.builtin.blockinfile:
+ path: /etc/fstab
+ block: |
+ nas001.sjc001.fritzlab.net:/mnt/main/iso /mnt/iso-images/template/iso nfs4 rw 0 0
+ marker: "# {mark} ANSIBLE MANAGED BLOCK for NFS mounts"
+ backup: yes
+
+
+ handlers:
+ - name: restart networking
+ command: ifreload -a
+ - name: restart chrony
+ systemd:
+ name: chrony
+ state: restarted
+ - name: restart pveproxy
+ systemd:
+ name: pveproxy
+ state: restarted
+ - name: reload fstab
+ command: mount -a
diff --git a/compute/playbook-machine-idrac.yaml b/compute/playbook-machine-idrac.yaml
new file mode 100644
index 0000000..4656f57
--- /dev/null
+++ b/compute/playbook-machine-idrac.yaml
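Review bot: The `Copy SSH public key to remote host` task hard-codes a personal RSA key, complete with a `dfritz@desktops-mbp.corp.netflix.com` identity comment, into the playbook; move it to inventory/group vars (`key: "{{ root_ssh_public_key }}"`), trim the comment to something non-identifying, and if this is meant to be the only key for root add `exclusive: true` so keys left over from earlier provisioning are removed rather than accumulated. The `Update all host/vm packages` task runs `name: "*"` with `state: latest` on every play, which will pull kernel and pve-* upgrades onto the hypervisors as a side effect of a DNS or bashrc change; gate it behind a tag or a `perform_upgrades: false` default. The NFS block mounts the ISO library `rw`; `ro,nosuid,nodev,_netdev` is sufficient for ISO images and keeps a compromised host from writing to the NAS (and `_netdev` avoids a boot hang if the NAS is down). Note the play targets only `host20*` while the README says all hosts, so the two Dell tasks guarded by `startswith('host0')` never run from this play — presumably a staged cut-over, but a comment saying so would stop someone "fixing" it; also the task name `Configure /ets/hosts` has a typo.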
@@ -0,0 +1,99 @@
+---
+- name: Configure Dell Server with OpenManage Ansible Modules
+ hosts:
+ - host001
+
+ # these are required because the module is running locally and
+ # connecting to the iDRAC over HTTP/HTTPS
+ gather_facts: false
+ connection: local
+
+ vars:
+ common_idrac_settings: &common_idrac_settings
+ idrac_ip: "{{ ipv6_address }}"
+ idrac_user: "{{ idrac_user }}"
+ idrac_password: "{{ idrac_password }}"
+ validate_certs: false
+
+ tasks:
+
+ - name: Set Name
+ dellemc.openmanage.idrac_attributes:
+ <<: *common_idrac_settings
+ idrac_attributes:
+ "WebServer.1.ManualDNSEntry": "idrac.{{ inventory_hostname }}.sjc001.fritzlab.net"
+ "NIC.1.DNSDomainName": "{{ inventory_hostname }}"
+ "NIC.1.DNSRacName": "{{ inventory_hostname }}"
+ "NICStatic.1.DNSDomainName": "{{ inventory_hostname }}"
+
+ - name: Set IPv6 Address
+ dellemc.openmanage.idrac_attributes:
+ <<: *common_idrac_settings
+ idrac_attributes:
+ "IPv6.1.Enable": "Enabled"
+ "IPv6Static.1.DNSFromDHCP6": "Disabled"
+ "IPv6.1.AutoConfig": "Disabled"
+ "IPv6Static.1.Address1": "{{ ipv6_address }}"
+ "IPv6Static.1.PrefixLength": "{{ ipv6_prefix_len }}"
+ "IPv6Static.1.Gateway": "{{ ipv6_gateway }}"
+ "IPv6Static.1.DNS1": "{{ ipv6_dns_1 }}"
+
+ - name: Set IPv4 Address
+ dellemc.openmanage.idrac_attributes:
+ <<: *common_idrac_settings
+ idrac_attributes:
+ "IPv4.1.Enable": "Enabled"
+ "IPv4.1.DHCPEnable": "Disabled"
+ "IPv4.1.DNSFromDHCP": "Disabled"
+ "IPv4Static.1.Address": "{{ ipv4_address }}"
+ "IPv4Static.1.DNS1": "{{ ipv4_dns_1 }}"
+ "IPv4Static.1.Gateway": "{{ ipv4_gateway }}"
+ "IPv4Static.1.Netmask": "{{ ipv4_mask }}"
+
+ - name: Set SNMP Settings
+ dellemc.openmanage.idrac_attributes:
+ <<: *common_idrac_settings
+ idrac_attributes:
+ # pollers settings
+ "SNMPAlert.1.Destination": ""
+ "SNMPAlert.1.SNMPv3Username": ""
+ "SNMPAlert.2.Destination": ""
+ "SNMPAlert.2.SNMPv3Username": ""
+ "SNMPAlert.3.Destination": ""
+ "SNMPAlert.3.SNMPv3Username": ""
+ "SNMPAlert.4.Destination": ""
+ "SNMPAlert.4.SNMPv3Username": ""
+ "SNMPAlert.5.Destination": "::"
+ "SNMPAlert.5.SNMPv3Username": ""
+ "SNMPAlert.6.Destination": "::"
+ "SNMPAlert.6.SNMPv3Username": ""
+ "SNMPAlert.7.Destination": "::"
+ "SNMPAlert.7.SNMPv3Username": ""
+ "SNMPAlert.8.Destination": "::"
+ "SNMPAlert.8.SNMPv3Username": ""
+ # trap settings
+ "SNMPTrapIPv4.1.DestIPv4Addr": "{{ snmp_trap_dst_ipv4_1 }}"
+ "SNMPTrapIPv4.2.DestIPv4Addr": "0.0.0.0"
+ "SNMPTrapIPv4.3.DestIPv4Addr": "0.0.0.0"
+ "SNMPTrapIPv4.4.DestIPv4Addr": "0.0.0.0"
+ "SNMPTrapIPv6.1.DestIPv6Addr": "::"
+ "SNMPTrapIPv6.2.DestIPv6Addr": "::"
+ "SNMPTrapIPv6.3.DestIPv6Addr": "::"
+
+ - name: Auto Attach Virtual Media
+ dellemc.openmanage.idrac_attributes:
+ <<: *common_idrac_settings
+ idrac_attributes:
+ "VirtualMedia.1.Attached": "AutoAttach"
+
+ - name: Disable auto discovery
+ dellemc.openmanage.idrac_attributes:
+ <<: *common_idrac_settings
+ idrac_attributes:
+ "Autodiscovery.1.EnableIPChangeAnnounce": "Disabled"
+ "Autodiscovery.1.EnableIPChangeAnnounceFromDHCP": "Enabled"
+ "Autodiscovery.1.EnableIPChangeAnnounceFromUnicastDNS": "Enabled"
+ "Autodiscovery.1.EnableIPChangeAnnounceFrommDNS": "Enabled"
+ "Autodiscovery.1.SendTestAnnouncement": "Disabled"
+
+
diff --git a/compute/templates/bashrc_managed.j2 b/compute/templates/bashrc_managed.j2
new file mode 100644
index 0000000..ac3c578
--- /dev/null
+++ b/compute/templates/bashrc_managed.j2
@@ -0,0 +1,6 @@
+#
+# This file is managed by Ansible, do not edit manually.
+#
+
+alias ll="ls -lFah"
+alias sudo=""
diff --git a/compute/templates/chrony.conf.j2 b/compute/templates/chrony.conf.j2
new file mode 100644
index 0000000..f8ab236
--- /dev/null
+++ b/compute/templates/chrony.conf.j2
@@ -0,0 +1,27 @@
+#
+# This file is managed by Ansible, do not edit manually.
+#
+
+server 0.debian.pool.ntp.org. iburst prefer
+server 1.debian.pool.ntp.org. iburst
+server 2.debian.pool.ntp.org. iburst
+server 3.debian.pool.ntp.org. iburst
+
+# Log files location.
+logdir /var/log/chrony
+
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+
+# This directive enables kernel synchronisation (every 11 minutes) of the
+# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
+rtcsync
+
+# Step the system clock instead of slewing it if the adjustment is larger than
+# one second, but only in the first three clock updates.
+makestep 1 3
+
+# Get TAI-UTC offset and leap seconds from the system tz database.
+# This directive must be commented out when using time sources serving
+# leap-smeared time.
+leapsectz right/UTC
diff --git a/compute/templates/digrc.j2 b/compute/templates/digrc.j2
new file mode 100644
index 0000000..bb304c1
--- /dev/null
+++ b/compute/templates/digrc.j2
@@ -0,0 +1 @@
+-t aaaa
diff --git a/compute/templates/fstab.j2 b/compute/templates/fstab.j2
new file mode 100644
index 0000000..808edd6
--- /dev/null
+++ b/compute/templates/fstab.j2
@@ -0,0 +1,4 @@
+
+
+nas001.sjc001.fritzlab.net:/mnt/main/iso /mnt/iso-images/template/iso nfs4 rw 0 0
+
diff --git a/compute/templates/hosts.j2 b/compute/templates/hosts.j2
new file mode 100644
index 0000000..aa76ed5
--- /dev/null
+++ b/compute/templates/hosts.j2
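Review bot: `fstab.j2` is not referenced by any task in this commit — the Proxmox play writes the identical line through `blockinfile` — so the template is dead on arrival and the two copies of the mount line will drift; either delete it or make the play render it. Whichever copy survives, an ISO library mounted over NFS does not need `rw`: `nfs4 ro,nosuid,nodev,_netdev 0 0` limits what a compromised hypervisor can do to the NAS and stops boot from blocking on the share.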
@@ -0,0 +1,34 @@
+#
+# This file is managed by Ansible, do not edit manually.
+#
+
+# Loopback
+127.0.0.1 localhost.localdomain
+127.0.0.1 localhost
+::1 localhost.localdomain
+::1 localhost
+
+# IPv4 addresses
+{% if ansible_facts['all_ipv4_addresses'] %}
+{% for ip in ansible_facts['all_ipv4_addresses'] %}
+{{ ip }} {{ inventory_hostname}}
+{{ ip }} {{ inventory_hostname }}.{{ domain_name }}
+{% endfor %}
+{% endif %}
+
+# IPv6 addresses
+{% if ansible_facts['all_ipv6_addresses'] %}
+{% for ip in ansible_facts['all_ipv6_addresses'] %}
+{% if not ip.startswith('fe80') %}
+{{ ip }} {{ inventory_hostname}}
+{{ ip }} {{ inventory_hostname }}.{{ domain_name }}
+{% endif %}
+{% endfor %}
+{% endif %}
+
+# The following lines are desirable for IPv6 capable hosts
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts
diff --git a/compute/templates/interface-base-dell.j2 b/compute/templates/interface-base-dell.j2
new file mode 100644
index 0000000..d96d4b1
--- /dev/null
+++ b/compute/templates/interface-base-dell.j2
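Review bot: The IPv4 and IPv6 loops map the hostname to every address in `ansible_facts['all_ipv*_addresses']` in whatever order fact gathering returns them, so the first `/etc/hosts` match for `{{ inventory_hostname }}.{{ domain_name }}` is not guaranteed to be the management address on vmbr206 that the inventory already defines as `ipv4_address`/`ipv6_address`; Proxmox's cluster tooling resolves the node name from this file and, as far as I recall, takes the first hit — worth verifying before a cluster join. Emitting the inventory addresses first (`{{ ipv4_address }} {{ inventory_hostname }}.{{ domain_name }} {{ inventory_hostname }}` and the IPv6 equivalent) and letting the fact loops follow would make the result deterministic. Minor: `{{ inventory_hostname}}` is missing a space before the closing braces in both loops.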
@@ -0,0 +1,44 @@
+#
+# This file is managed by Ansible, do not edit manually.
+#
+
+# loopback network interface
+auto lo
+iface lo inet loopback
+
+# 1g rj45 network interfaces
+iface eno1 inet manual
+iface eno2 inet manual
+
+# 10g rg45 network interfaces
+iface eno3 inet manual
+iface eno4 inet manual
+
+# 10g sfp+ network interfaces
+iface ens2f0 inet manual
+iface ens2f1 inet manual
+
+# 20g bond interfaces
+auto bond10
+iface bond10 inet manual
+ bond-slaves ens2f0 ens2f1
+ bond-miimon 100
+ bond-mode 802.3ad
+
+# 4g bond interfaces
+auto bond1
+iface bond1 inet manual
+ bond-slaves eno1 eno2 eno3 eno4
+ bond-miimon 100
+ bond-mode 802.3ad
+
+# bond subinterfaces
+{% for vlan_id, vlan_name in vlans.items() %}
+auto bond10.{{ vlan_id }}
+iface bond10.{{ vlan_id }} inet manual
+ vlan-raw-device bond10
+
+auto bond1.{{ vlan_id }}
+iface bond1.{{ vlan_id }} inet manual
+ vlan-raw-device bond1
+{% endfor %}
diff --git a/compute/templates/interface-base-intel.j2 b/compute/templates/interface-base-intel.j2
new file mode 100644
index 0000000..10be59d
--- /dev/null
+++ b/compute/templates/interface-base-intel.j2
@@ -0,0 +1,18 @@
+#
+# This file is managed by Ansible, do not edit manually.
+#
+
+# loopback network interface
+auto lo
+iface lo inet loopback
+
+# 1g rj45 network interface
+iface eno1 inet manual
+
+# vlan subinterfaces
+{% for vlan_id, vlan_name in vlans.items() %}
+auto vlan{{ vlan_id }}
+iface vlan{{ vlan_id }} inet manual
+ vlan-raw-device eno1
+
+{% endfor %}
diff --git a/compute/templates/interface-main-dell.j2 b/compute/templates/interface-main-dell.j2
new file mode 100644
index 0000000..99c64e9
--- /dev/null
+++ b/compute/templates/interface-main-dell.j2
@@ -0,0 +1,28 @@
+#
+# This file is managed by Ansible, do not edit manually.
+#
+
+source-directory /etc/network/interfaces.d
+
+{% for vlan_id, vlan_name in vlans.items() %}
+auto vmbr{{ vlan_id }}
+iface vmbr{{ vlan_id }} inet manual
+ bridge-ports bond1.{{ vlan_id }} bond10.{{ vlan_id }}
+ bridge_fd 15
+ bridge_hello 2
+ bridge_maxage 20
+ bridge_stp on
+{% if vlan_id == 206 %}
+ address {{ ipv4_address }}/{{ ipv4_prefix_len }}
+ gateway {{ ipv4_gateway }}
+{% endif %}
+#{{ vlan_name }}
+
+iface vmbr{{ vlan_id }} inet6 static
+ accept_ra 0
+{% if vlan_id == 206 %}
+ address {{ ipv6_address }}/{{ ipv6_prefix_len }}
+ gateway {{ ipv6_gateway }}
+{% endif %}
+
+{% endfor %}
diff --git a/compute/templates/interface-main-intel.j2 b/compute/templates/interface-main-intel.j2
new file mode 100644
index 0000000..6e4f6b8
--- /dev/null
+++ b/compute/templates/interface-main-intel.j2
@@ -0,0 +1,26 @@
+#
+# This file is managed by Ansible, do not edit manually.
+#
+
+source-directory /etc/network/interfaces.d
+
+{% for vlan_id, vlan_name in vlans.items() %}
+auto vmbr{{ vlan_id }}
+iface vmbr{{ vlan_id }} inet manual
+ bridge-ports vlan{{ vlan_id }}
+ bridge-stp off
+ bridge-fd 0
+{% if vlan_id == 206 %}
+ address {{ ipv4_address }}/{{ ipv4_prefix_len }}
+ gateway {{ ipv4_gateway }}
+{% endif %}
+#{{ vlan_name }}
+
+iface vmbr{{ vlan_id }} inet6 static
+ accept_ra 0
+{% if vlan_id == 206 %}
+ address {{ ipv6_address }}/{{ ipv6_prefix_len }}
+ gateway {{ ipv6_gateway }}
+{% endif %}
+
+{% endfor %}
diff --git a/compute/templates/resolv.conf.j2 b/compute/templates/resolv.conf.j2
new file mode 100644
index 0000000..58dc5e2
--- /dev/null
+++ b/compute/templates/resolv.conf.j2
@@ -0,0 +1,9 @@
+#
+# This file is managed by Ansible, do not edit manually.
+#
+options rotate
+{% for resolver in resolvers %}
+nameserver {{ resolver }}
+{% endfor %}
+
+search {{ domain_name }}
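Review bot: The Dell bridge stanza uses the legacy underscore spellings `bridge_fd 15`, `bridge_hello 2`, `bridge_maxage 20`, `bridge_stp on`, while the Intel template for the same role uses ifupdown2's hyphenated `bridge-stp off` / `bridge-fd 0`; ifupdown2 on Proxmox documents the hyphen form and I am not certain the underscore keys are honoured rather than silently ignored, so run `ifquery --check vmbr206` on a Dell host and settle on one spelling. The two templates also disagree on STP (on for the R640s, off for the NUCs) and on forward delay — if that is deliberate, a one-line comment in each template would stop it being "normalised" later. `{% if vlan_id == 206 %}` relies on the `vlans` keys staying YAML integers; a quoted key in the inventory would leave the host with no management address, so a comment there noting the dependency is cheap insurance.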
diff --git a/compute/templates/sources.j2 b/compute/templates/sources.j2
new file mode 100644
index 0000000..fee8f2d
--- /dev/null
+++ b/compute/templates/sources.j2
@@ -0,0 +1,22 @@
+#
+# This file is managed by Ansible, do not edit manually.
+#
+
+# copied from docs at:
+# https://pve.proxmox.com/wiki/Package_Repositories#sysadmin_pve-no-subscription_repo
+# ------
+deb http://ftp.debian.org/debian bookworm main contrib
+deb http://ftp.debian.org/debian bookworm-updates main contrib
+
+# Proxmox VE pve-no-subscription repository provided by proxmox.com,
+# NOT recommended for production use
+deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
+
+# security updates
+deb http://security.debian.org/debian-security bookworm-security main contrib
+# -----
+
+# required for nvidia drivers
+deb http://deb.debian.org/debian bookworm main contrib non-free
+deb http://deb.debian.org/debian bookworm-updates main contrib non-free
+deb http://security.debian.org/debian-security bookworm-security main contrib non-free
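Review bot: The `bookworm`, `bookworm-updates` and `bookworm-security` suites are each listed twice — once from `ftp.debian.org`/`security.debian.org` with `main contrib` and again from `deb.debian.org`/`security.debian.org` with `main contrib non-free` — so apt fetches every index twice and, for the security lines, will warn that the same target is configured multiple times; keep a single set of three lines with `main contrib non-free` and drop the `ftp.debian.org` pair. All entries are plain `http://`: apt's signature verification still protects integrity, but the Debian mirrors serve `https://` and switching costs nothing, so use it where the mirror offers it (the Proxmox no-subscription mirror should be checked individually). Since `non-free` is only needed for the NVIDIA drivers, a comment naming the package that needs it would let a future reader drop the component once those hosts are gone.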