Add ansible notebook for configuring QALab Servers

d-fine · Oct 17, 2024 · 6f82f49 · 6f82f49
1 parent cfec69b
commit 6f82f49
Show file tree

Hide file tree

Showing 10 changed files with 153 additions and 9 deletions.
diff --git a/.gitignore b/.gitignore
@@ -164,3 +164,6 @@ cython_debug/
 
 # Automatically generated API clients
 clients/
+
+# Ansible Inventory
+inventory.yml
diff --git a/infra/playbook.yml b/infra/playbook.yml
@@ -0,0 +1,26 @@
+---
+- name: Configure an OTC ubuntu server for a Dataland QALab Deployment
+  hosts: all
+  become: true
+  tasks:
+    - name: Update packages on the system
+      ansible.builtin.include_role:
+        name: systemupdate
+
+    - name: Configure SSH Server
+      ansible.builtin.include_role:
+        name: configuressh
+
+    - name: Install docker
+      ansible.builtin.include_role:
+        name: geerlingguy.docker
+      vars:
+        docker_install_compose: false
+        docker_users:
+          - 'ubuntu'
+
+    - name: Configure authoirzed SSH Keys
+      ansible.posix.authorized_key:
+        user: ubuntu
+        state: present
+        key: "{{ authorized_ssh_keys }}"  
diff --git a/infra/requirements.yml b/infra/requirements.yml
@@ -0,0 +1,4 @@
+---
+roles:
+  - name: geerlingguy.docker
+    version: "7.1.0"
diff --git a/infra/roles/configuressh/handlers/main.yml b/infra/roles/configuressh/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart ssh
+  become: true
+  ansible.builtin.service:
+    name: "ssh"
+    state: "restarted"
diff --git a/infra/roles/configuressh/meta/main.yml b/infra/roles/configuressh/meta/main.yml
@@ -0,0 +1,2 @@
+---
+dependencies: []
diff --git a/infra/roles/configuressh/tasks/main.yml b/infra/roles/configuressh/tasks/main.yml
@@ -0,0 +1,26 @@
+---
+- name: Update SSH configuration.
+  become: true
+  ansible.builtin.lineinfile:
+    dest: "/etc/ssh/sshd_config"
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+    state: present
+    validate: 'sshd -T -f %s'
+    mode: "u=rw,g=r,o=r"
+  with_items:
+    - regexp: "^PasswordAuthentication"
+      line: "PasswordAuthentication No"
+    - regexp: "^PermitRootLogin"
+      line: "PermitRootLogin No"
+    - regexp: "^PermitEmptyPasswords"
+      line: "PermitEmptyPasswords No"
+    - regexp: "^ChallengeResponseAuthentication"
+      line: "ChallengeResponseAuthentication No"
+    - regexp: "^GSSAPIAuthentication"
+      line: "GSSAPIAuthentication No"
+    - regexp: "^X11Forwarding"
+      line: "X11Forwarding No"
+    - regexp: '^AllowTcpForwarding'
+      line: "AllowTcpForwarding yes"
+  notify: Restart ssh
diff --git a/infra/roles/systemupdate/meta/main.yml b/infra/roles/systemupdate/meta/main.yml
@@ -0,0 +1,2 @@
+---
+dependencies: []
diff --git a/infra/roles/systemupdate/tasks/main.yml b/infra/roles/systemupdate/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+- name: Update the system using apt, rebooting if required
+  become: true
+  block:
+    - name: Update apt cache if needed
+      ansible.builtin.apt:
+        update_cache: true
+        cache_valid_time: 3600
+
+    - name: Upgrade all packages on server
+      ansible.builtin.apt:
+        upgrade: dist
+
+    - name: Check if a reboot is required
+      register: reboot_required_file
+      ansible.builtin.stat:
+        path: /var/run/reboot-required
+
+    - name: Reboot if required
+      ansible.builtin.reboot:
+        connect_timeout: 5
+        reboot_timeout: 300
+        pre_reboot_delay: 0
+        post_reboot_delay: 30
+        test_command: uptime
+      when: reboot_required_file.stat.exists
+
+    - name: Remove dependencies that are no longer required.
+      ansible.builtin.apt:
+        autoremove: true
diff --git a/pdm.lock b/pdm.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -46,6 +46,9 @@ testing = [
     "pytest>=8.3.3",
     "coverage>=7.6.3",
 ]
+infra = [
+    "ansible>=10.5.0",
+]   
 
 [tool.ruff]
 line-length = 120