First commit

environments/development/group_vars/all.yml

@@ -0,0 +1,6 @@
+---
+splunk_uri_lm: https://my_license_master:8089
+ansible_user: my_ansible_ssh_user
+ansible_ssh_private_key_file: ~/.ssh/my_ansible_ssh.key
+git_server: ssh://git@mygithost:1234
+git_key: ~/.ssh/my-git-key

environments/development/inventory.yml

@@ -0,0 +1,10 @@
+---
+all:
+  children:
+
+    full:
+      children:
+
+        search:
+          hosts:
+            10.202.37.251:

environments/production/group_vars/all.yml

@@ -0,0 +1,7 @@
+---
+splunk_uri_lm: https://my_license_master:8089
+ansible_user: my_ansible_ssh_user
+ansible_ssh_private_key_file: ~/.ssh/my_ansible_ssh.key
+git_server: ssh://git@mygithost:1234
+git_key: ~/.ssh/my-git-key
+git_project: SOMEPROJECT

environments/production/group_vars/clustermaster.yml

@@ -0,0 +1,7 @@
+---
+# group vars for cluster master
+splunk_app_deploy_path: etc/master-apps # default subdirectory in splunk_home that apps from git should be installed to, overridable in git_apps if you want to install to etc/apps
+git_version: 1.0.0
+git_apps:
+    - name: my_outputs
+    - name: Splunk_TA_nix

environments/production/group_vars/deploymentserver.yml

@@ -0,0 +1,13 @@
+---
+# group_vars for deployment server
+splunk_app_deploy_path: etc/deployment-apps
+git_version: master
+git_apps:
+    # Example of cloning a repository from a different git server and then deploying it to a path other than etc/deployment-apps
+    - name: my_outputs
+      git_version: 1.0.0
+      git_server: ssh://git@anotherserver.com
+      git_key: ~/.ssh/anotherkey
+      git_project: SPLK
+      splunk_app_deploy_path: etc/apps
+    - name: disable_rest

environments/production/group_vars/universalforwarder.yml

@@ -0,0 +1,6 @@
+---
+# group_vars for universal forwarders
+splunk_uri_ds: my-ds:8089
+splunk_app_deploy_path: etc/apps # subdirectory in splunk_home that apps from git should be installed to by Ansible
+git_apps:
+    - name: config_base

environments/production/host_vars/my-shc-deployer.yml

@@ -0,0 +1,5 @@
+---
+deploy_target: my-shc-target-sh-uri
+git_version: 1.0.0 # This is the golden repo branch for this host! It retires all ID/ED/SB/CM projects and repos
+git_apps:
+    - name: myapp

environments/production/inventory.yml

@@ -0,0 +1,57 @@
+---
+# YAML format inventory with nested groups for variable inheritance
+# Mason Morales, Splunk, Inc.
+# References:
+# https://docs.ansible.com/ansible/latest/user_guide/intro_inventory.html
+# Read this: https://docs.ansible.com/ansible/2.9/plugins/inventory/yaml.html
+# https://www.digitalocean.com/community/tutorials/how-to-manage-multistage-environments-with-ansible
+# ##########################################################################
+all:
+  children:
+
+    full:
+      children:
+
+        licensemaster:
+          hosts:
+            my-lm-host:
+
+        dmc:
+          hosts:
+            my-dmc-host:
+
+        shdeployer:
+          hosts:
+            my-shc-deployer:
+
+        search:
+          children:
+
+            west_coast_shc:
+              hosts:
+                sh-01:
+                sh-02:
+                sh-03:
+
+        heavyforwarder:
+          hosts:
+            my-hf-01:
+            some-other-hf:
+
+        standalone:
+            hosts:
+              my-standalone-splunk-server:
+              my-other-standalone-splunk-server:
+
+    universalforwarder:
+      children:
+
+        vmware:
+          hosts:
+            my-vm-ware-host-[001:100]:
+          vars:
+            clientName: vmware
+
+        web:
+          hosts:
+            my-web-host-[01-05]:

playbooks/ansible.cfg

@@ -0,0 +1,27 @@
+[defaults]
+inventory_enabled = yaml, host_list, ini, script
+internal_poll_interval = 0.001
+inventory = hosts
+host_key_checking = False
+timeout = 60
+Forks = 50
+transport = paramiko
+# To use slack notification, make sure you do this first: easy_install prettytable
+# callback_whitelist = slack, splunk
+
+[ssh_connection]
+ssh_args = -o ControlMaster=auto -o ControlPersist=7200s -o PreferredAuthentications=publickey -o StrictHostKeyChecking=no
+scp_if_ssh = True
+timeout = 10
+retries = 5
+# Tip: Disable pipelining when you get "sudo: sorry, you must have a tty to run sudo\n" - disabled is MUCH slower but more compatible
+pipelining=True
+
+#[callback_slack]
+#webhook_url = https://hooks.slack.com/services/<token>
+#channel = #channel_here
+#username = splunk_ansible
+
+#[callback_splunk]
+#url = https://my-hec-target/services/collector/event?channel=<insert-guid-for-channel-here>
+#authtoken = <insert-auth-token-here>

playbooks/splunk_app_install.yml

@@ -0,0 +1,8 @@
+# Example playbook to install/upgrade apps on a Splunk host
+- hosts:
+    - all
+  roles:
+    - ../roles/splunk
+  serial: 50
+  vars:
+    - deployment_task: configure_apps.yml

playbooks/splunk_install_or_upgrade.yml

@@ -0,0 +1,9 @@
+---
+# Example playbook to perform either a splunk installation or upgrade
+- hosts:
+    - all
+  roles:
+    - ../roles/splunk
+  serial: 50
+  vars:
+    - deployment_task: check_splunk.yml

playbooks/splunk_upgrade_full_stack.yml

@@ -0,0 +1,67 @@
+---
+# Example playbook to properly upgrade a single-site indexer cluster and search head cluster using the splunk role from ansible-role-for-splunk
+- hosts:
+    - clustermaster
+  become: yes
+  any_errors_fatal: true
+  max_fail_percentage: 0
+  roles:
+    - ../roles/splunk
+  vars:
+    deployment_task: check_splunk.yml
+
+- hosts:
+    - licensemaster
+    - shdeployer
+    - deploymentserver
+  become: yes
+  any_errors_fatal: true
+  max_fail_percentage: 0
+  roles:
+    - ../roles/splunk
+  vars:
+    deployment_task: check_splunk.yml
+
+- hosts:
+    - search
+  serial: 50
+  become: yes
+  any_errors_fatal: true
+  max_fail_percentage: 0
+  roles:
+    - ../roles/splunk
+  vars:
+    deployment_task: check_splunk.yml
+
+- hosts:
+    - clustermaster
+  become: yes
+  any_errors_fatal: true
+  max_fail_percentage: 0
+  roles:
+    - ../roles/splunk
+  vars:
+    deployment_task: set_maintenance_mode.yml
+    state: enable
+
+- hosts:
+    - indexer
+  serial: 100
+  become: yes
+  any_errors_fatal: true
+  max_fail_percentage: 0
+  roles:
+    - ../roles/splunk
+  vars:
+    deployment_task: check_splunk.yml
+
+- hosts:
+    - clustermaster
+  become: yes
+  any_errors_fatal: true
+  max_fail_percentage: 0
+  roles:
+    - ../roles/splunk
+  vars:
+    deployment_task: set_maintenance_mode.yml
+    state: disable

roles/splunk/.yamllint

@@ -0,0 +1,33 @@
+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  colons:
+    max-spaces-after: -1
+    level: error
+  commas:
+    max-spaces-after: -1
+    level: error
+  comments: disable
+  comments-indentation: disable
+  document-start: disable
+  empty-lines:
+    max: 3
+    level: error
+  hyphens:
+    level: error
+  indentation: disable
+  key-duplicates: enable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  new-lines:
+    type: unix
+  trailing-spaces: disable
+  truthy: disable

roles/splunk/README.md

@@ -0,0 +1,35 @@
+Role Name
+=========
+
+Ansible Starter Pack for Splunk Administration
+
+Requirements
+------------
+
+Ansible 2.7 or higher
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+<<TO DO>>
+
+Dependencies
+------------
+
+prettytable if using the Slack plugin
+
+Example Playbook
+----------------
+
+See examples included in the playbooks directory.
+
+License
+-------
+
+Apache 2.0
+
+Author Information
+------------------
+
+Authored by Mason Morales, Splunk, Inc. This project is being open-sourced by Splunk for community usage. Please note that Splunk does not provide official support for this product.

roles/splunk/defaults/main.yml

@@ -0,0 +1,54 @@
+---
+# defaults file for splunk role
+# Anything that is undefined here should be configured. I recommend setting the values in your group_vars under an all.yml file.
+slack_channel: undefined
+slack_token: undefined
+splunk_home: auto_determined # This gets set by main.yml but we have to define it here or Ansible will complain that it is undefined
+splunk_package_url: auto_determined # This gets set by main.yml but we have to define it here or Ansible will complain that it is undefined
+splunk_package_path: ~/
+splunk_package_url_full: https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=8.0.6&product=splunk&filename=splunk-8.0.6-152fb4b2bb96-Linux-x86_64.tgz&wget=true
+#splunk_package_url_full: https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=8.0.4.1&product=splunk&filename=splunk-8.0.4.1-ab7a85abaa98-Linux-x86_64.tgz&wget=true
+splunk_package_url_uf: https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=8.0.4&product=universalforwarder&filename=splunkforwarder-8.0.4-767223ac207f-Linux-x86_64.tgz&wget=true
+splunk_install_type: undefined # There are two ways to configure this. The easiest way is to nest hosts under either a "full" group or a "uf" group in your inventory and main.yml will handle it for you. Or, you can also set the value via a group_vars or host_vars file.
+splunk_install_path: /opt # Base directory on the operating system to which splunk should be installed
+splunk_nix_user: splunk
+splunk_nix_group: splunk
+splunk_uri_lm: undefined
+splunk_uri_cm: undefined
+splunk_uri_ds: undefined # e.g. mydeploymentserver.mydomain.com:8089 ; Note that you must also configure the clientName var under either group_vars or host_vars for deploymentclient.conf to be configured
+clientName: undefined
+splunk_admin_username: admin
+splunk_admin_password: undefined # Use ansible-vault encrypt_string, e.g. ansible-vault encrypt_string --ask-vault-pass 'var_value_to_encrypt' --name 'var_name'
+splunk_user_seed: false # Requires splunk_admin_password var to be set
+splunk_configure_secret: false # If set to true, you need to update files/splunk.secret
+# Although there are tasks for the following Splunk configurations in this role, they are not included in any tasks by default. You can add them to your install_splunk.yml if you would like to have Ansible manage any of these files
+splunk_configure_authentication: false
+ad_bind_password: undefined # Use ansible-vault encrypt_string, e.g. ansible-vault encrypt_string --ask-vault-pass 'var_value_to_encrypt' --name 'var_name'
+splunk_authenticationconf: authentication.conf.j2
+splunk_use_initd: false
+git_local_clone_path: ~/ # Base directory under which repositories for app deplyoment should be cloned to
+git_server: undefined # e.g. ssh://git@mygithost:1234 - Note that this may be set in an all.yml group_var or inside the git_apps dictionary within host_vars
+git_key: undefined # Path to SSH key for cloning repositories - Note that this may be set in an all.yml group_var or inside the git_apps dictionary within host_vars
+git_project: undefined
+git_version: master # Configure default version to clone, overridable inside the git_apps dictionary within host_vars
+splunk_app_deploy_path: undefined # Path under $SPLUNK_HOME/ to deploy apps to - Note that this may be set in group_vars, host_vars, playbook vars, or inside the git_apps dictionary within host_vars
+add_crashlog_script: false # Set to true to install a script and cron job to automatically cleanup splunk crash logs older than 7 days
+add_diag_script: false # Set to true to install a script and cron job to automatically cleanup splunk diag files older than 30 days
+add_pstack_script: false # Set to true to install a pstack generation script for troubleshooting purposes in $SPLUNK_HOLME/genpstacks.sh
+install_utilities: false # Set to true to install the list of packages defined in the linux_packages var after installing splunk
+linux_packages:
+  - nload
+  - iotop
+  - iftop
+  - sysstat
+  - telnet
+  - tcpdump
+  - htop
+  - atop
+  - lsof
+  - policycoreutils-python
+  - policycoreutils
+  - setroubleshoot
+  - nethogs
+  - gdb
+  - bind-utils

roles/splunk/files/disable-thp.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=Disable Transparent Huge Pages (THP)
+
+[Service]
+Type=simple
+ExecStart=/bin/sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag"
+
+[Install]
+WantedBy=multi-user.target

roles/splunk/files/rsync-filter

@@ -0,0 +1,9 @@
+- /.git
+- /*/.git
+- /.gitignore
+- /*/README.txt
+- /*/README.MD
+- /*/README.md
+- /*/app.manifest
+- /*/githash
+- /*/package.json

roles/splunk/files/splunk.secret

@@ -0,0 +1 @@
+# insert your common splunk.secret here and encrypt it with ansible-vault

roles/splunk/files/splunk_ulimits.conf

@@ -0,0 +1,4 @@
+splunk   soft   nofile  655350
+splunk   hard   nofile  819200
+splunk   soft   nproc   32768
+splunk   hard   nproc   51200