Dev

.gitignore

@@ -0,0 +1 @@
+.vscode/*

ansible.cfg

@@ -0,0 +1,7 @@
+[defaults]
+roles_path = $HOME/ITtoolsTask/roles
+inventory = $HOME/ITtoolsTask/inventory.ini
+forks = 10
+remote_user = vagrant
+become = False
+ansible_python_interpreter = /usr/bin/python3.8

inventory.ini

@@ -0,0 +1,7 @@
+[haproxy]
+192.168.0.2 keepalived_state=MASTER keepalived_priority=101
+192.168.0.3 keepalived_state=BACKUP keepalived_priority=99
+
+[webserver]
+192.168.0.4
+192.168.0.5

playbook.yml

@@ -0,0 +1,23 @@
+- name: Configure Task
+  hosts: all
+  become: true
+  gather_facts: true
+  vars_files: 
+  - vault.yml
+  vars:
+    keepalived_ip: 192.168.0.6
+  tasks:
+    - name: Set subject_alt_names
+      set_fact:
+        subject_alt_names: "{{ groups['webserver'] | map('extract', hostvars, 'ansible_fqdn') | map('regex_replace', '^(.*)$', 'DNS:\\1') | join(',') }},DNS:keepalived.com,IP:{{ keepalived_ip }}"
+      when: "'haproxy' in group_names"
+
+    - name: Import apache Role
+      import_role:
+        name: "apache"
+      when: "'webserver' in group_names"
+
+    - name: Import haproxy Role 
+      import_role:
+        name: "haproxy"
+      when: "'haproxy' in group_names"

roles/apache/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+# handlers file for apache
+- name: Restart Httpd
+  service:
+    name: httpd
+    state: restarted

roles/apache/meta/main.yml

@@ -0,0 +1,14 @@
+galaxy_info:
+  role_name: apache
+  author: Yoav Katz
+  description: Creating httpd configuration with default index.html inside it
+  platforms:
+    - name: Centos8
+      versions:
+        - all
+
+  license: MIT
+
+  min_ansible_version: 2.1
+
+dependencies: ['certificates']

roles/apache/tasks/main.yml

@@ -0,0 +1,33 @@
+---
+- name: Ensure httpd and his required packages ares installed.
+  dnf:
+    name:
+      - httpd
+      - mod_ssl
+      - openssh
+    state: present
+
+- name: Generate httpd configuration
+  template:
+    src: httpd.conf.j2
+    dest: /etc/httpd/conf/httpd.conf
+    validate: httpd -t -f %s
+    mode: 0644
+    owner: apache
+    group: apache
+  notify:
+    - Restart Httpd
+
+- name: Generate apache html
+  template:
+    src: index.html.j2
+    dest: /var/www/html/index.html
+    mode: 0644
+    owner: apache
+    group: apache
+
+- name: Ensure httpd service is enabled
+  service:
+    name: httpd
+    state: started
+    enabled: true

roles/apache/templates/httpd.conf.j2

@@ -0,0 +1,78 @@
+ServerRoot "/etc/httpd"
+ServerName {{ ansible_fqdn }}
+
+Include conf.modules.d/*.conf
+
+User apache
+Group apache
+
+<Directory />
+    AllowOverride none
+    Require all denied
+</Directory>
+
+DocumentRoot "/var/www/html"
+
+#Further relax access to the default document root:
+<Directory "/var/www/html">
+    Options Indexes FollowSymLinks
+    AllowOverride None
+    Require all granted
+</Directory>
+
+<VirtualHost *:443>
+   SSLEngine on
+   SSLCertificateKeyFile /etc/ssl/private/server.pem
+   SSLCertificateFile /etc/ssl/private/server.pem
+   SSLProtocol all -SSLv2 -SSLv3
+</VirtualHost>
+
+<IfModule dir_module>
+    DirectoryIndex index.html
+</IfModule>
+
+<Files ".ht*">
+    Require all denied
+</Files>
+
+ErrorLog "logs/error_log"
+
+LogLevel warn
+
+<IfModule log_config_module>
+    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+    LogFormat "%h %l %u %t \"%r\" %>s %b" common
+
+    <IfModule logio_module>
+      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+    </IfModule>
+
+    CustomLog "logs/access_log" combined
+</IfModule>
+
+<IfModule alias_module>
+    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
+</IfModule>
+
+<Directory "/var/www/cgi-bin">
+    AllowOverride None
+    Options None
+    Require all granted
+</Directory>
+
+<IfModule mime_module>
+    TypesConfig /etc/mime.types
+    AddType application/x-compress .Z
+    AddType application/x-gzip .gz .tgz
+    AddType text/html .shtml
+    AddOutputFilter INCLUDES .shtml
+</IfModule>
+
+AddDefaultCharset UTF-8
+
+<IfModule mime_magic_module>
+    MIMEMagicFile conf/magic
+</IfModule>
+
+EnableSendfile on
+IncludeOptional conf.d/*.conf

roles/apache/templates/index.html.j2

@@ -0,0 +1,7 @@
+<html>
+<head>
+</head>
+<body>
+    <h1>{{ ansible_nodename }}</h1>
+</body>
+</html>

roles/apache/vars/main.yml

@@ -0,0 +1 @@
+handler_to_notify: 'Restart Httpd'

roles/certificates/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+organization_details:
+  name: "Katz"
+  locality: "Tel Aviv"
+  country: "IL"

roles/certificates/meta/main.yml

@@ -0,0 +1,14 @@
+galaxy_info:
+  role_name: certificates
+  author: Yoav Katz
+  description: Creating certificates to using a CA given as a variable
+  platforms:
+    - name: Centos8
+      versions:
+        - all
+
+  license: MIT
+
+  min_ansible_version: 2.1
+
+dependencies: []

roles/certificates/tasks/main.yml

@@ -0,0 +1,50 @@
+---
+- name: Ensure cryptography Package Installed
+  pip:
+    name: cryptography>=1.6
+    state: present
+    extra_args: "--only-binary :all:"
+
+- name: Generate private key
+  community.crypto.openssl_privatekey_pipe:
+    size: 2048
+  register: host_private_key
+
+- name: Create certificate signing request (CSR) for new certificate
+  community.crypto.openssl_csr_pipe:
+    privatekey_content: "{{ host_private_key.privatekey }}"
+    common_name: "{{ ansible_fqdn }}"
+    subject_alt_name: >
+      {{
+        [ 'DNS:localhost', 'IP:' + inventory_hostname, 'DNS:' + ansible_fqdn ] +
+        ( subject_alt_names | default('') | split(',') | select('match', '.+') )
+      }}
+    subject_alt_name_critical: true
+    organization_name: "{{ organization_details.name }}"
+    locality_name: "{{ organization_details.locality }}"
+    country_name: "{{  organization_details.country  }}"
+  register: host_csr
+
+- name: Sign the CSR using the CA
+  community.crypto.x509_certificate_pipe:
+    csr_content: "{{ host_csr.csr }}"
+    provider: ownca
+    ownca_path: /etc/ca/ca.crt
+    ownca_privatekey_path: /etc/ca/private/ca.key
+    ownca_not_before: "-1d"
+    ownca_not_after: +365d
+  register: host_crt
+  delegate_to: localhost
+
+- name: Ensure /etc/ssl/private directory exists
+  file:
+    path: /etc/ssl/private/
+    state: directory
+    mode: 0744
+
+- name: Assemble private key and certificate into PEM file
+  copy:
+    content: "{{ host_private_key.privatekey }}{{ host_crt.certificate }}"
+    dest: /etc/ssl/private/server.pem
+    mode: 0644
+  notify: "{{ handler_to_notify }}"

roles/haproxy/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+# defaults file for haproxy
+keepalived_ip: 192.168.0.6
+keepalived_subnet: 28
+keepalived_auth_pass: "1111"

roles/haproxy/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+- name: Restart HAProxy
+  service:
+    name: haproxy
+    state: restarted
+
+- name: Restart Keepalived
+  service:
+    name: keepalived
+    state: restarted

roles/haproxy/meta/main.yml

@@ -0,0 +1,14 @@
+galaxy_info:
+  role_name: haproxy
+  author: Yoav Katz
+  description: Creating haproxy with keepalived configuration that passes requests to webserver host group
+  platforms:
+    - name: Centos8
+      versions:
+        - all
+
+  license: MIT
+
+  min_ansible_version: 2.1
+
+dependencies: ['certificates']

roles/haproxy/tasks/keepalived.yml

@@ -0,0 +1,27 @@
+- name: Validate all keepalived host vars exists
+  assert:
+    that:
+      - keepalived_state in ['MASTER', 'BACKUP']
+      - keepalived_priority is number
+    fail_msg: "to configure Keepalived all hosts hosting it needs: keepalived_state and keepalived_priority"
+
+- name: Ensure Keepalived is installed.
+  dnf:
+    name: keepalived
+    state: present
+
+- name: Generate Keepalived configuration
+  template:
+    src: keepalived.conf.j2
+    dest: /etc/keepalived/keepalived.conf
+    validate: keepalived -t -f %s
+    mode: 0644
+    owner: haproxy
+    group: haproxy
+  notify: Restart Keepalived
+
+- name: Ensure Keepalive service is enabled
+  service:
+    name: keepalived
+    state: started
+    enabled: true

roles/haproxy/tasks/main.yml

@@ -0,0 +1,25 @@
+---
+- name: Ensure HAProxy is installed.
+  dnf:
+    name: haproxy
+    state: present
+
+- name: Generate HAProxy configuration
+  template:
+    src: haproxy.cfg.j2
+    dest: /etc/haproxy/haproxy.cfg
+    validate: haproxy -c -f %s
+    mode: 0644
+    owner: haproxy
+    group: haproxy
+  notify: Restart HAProxy
+
+- name: Ensure HAProxy service is enabled
+  service:
+    name: haproxy
+    state: started
+    enabled: true
+
+- name: Generate keepalived
+  import_tasks:
+    file: keepalived.yml

roles/haproxy/templates/haproxy.cfg.j2

@@ -0,0 +1,32 @@
+global
+  log /dev/log local0 info
+  user        haproxy
+  group       haproxy
+  daemon
+  maxconn     4000
+  tune.ssl.default-dh-param 2048
+
+defaults
+  log global
+  option  dontlognull
+  mode  http
+  timeout connect 5000
+  timeout client 50000
+  timeout server 50000
+
+frontend ha-front-ssl
+  bind *:443 ssl crt /etc/ssl/private/server.pem
+  mode tcp
+  option tcplog
+  http-request set-header X-Forwarded-For %[src]
+  http-request add-header X-Forwarded-Proto https
+  option http-server-close
+  {% for server in groups['webserver'] %}
+  acl url_{{ hostvars[server].ansible_nodename }} hdr(host) -i {{ hostvars[server].ansible_fqdn }}
+  use_backend be_{{ hostvars[server].ansible_nodename }} if url_{{ hostvars[server].ansible_nodename }}
+  {% endfor %}
+
+{% for server in groups['webserver'] %}
+backend be_{{ hostvars[server].ansible_nodename }}
+    server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 ssl verify required ca-file /etc/pki/ca-trust/source/anchors/root-CA.crt check
+{% endfor %}