ansible-collections-commons
This is a collection of Ansible roles that perform common management tasks. The selection of roles is targeted at deploying the OSISM stack, but some of them may also be useful in other contexts.
The collection is published at https://galaxy.ansible.com/osism/commons.
For bugs or feature requests, please open an issue at https://github.com/osism/ansible-collection-commons/issues.
- certificates
An Ansible role to install and update CA certificates.
Role Variables
  - certificates_ca
    Default: []
    A list of entries, each containing the name and the certificate.
  - certificates_ca.name
    The file name of the certificate.
    Example:
        certificates_ca:
          - name: sample.crt
            certificate: |
              -----BEGIN CERTIFICATE-----
              [...]
              -----END CERTIFICATE-----
  - certificates_ca_path
    Default: /usr/local/share/ca-certificates
    The path where the certificates will be stored.
  - certificates_ca_package_name
    Default: ca-certificates
    The Debian package that must be installed for the certificates.
  - certificates_ca_update_command
    Default: /usr/sbin/update-ca-certificates
    Command for updating the certificates.
- cleanup
An Ansible role for cleaning up packages, services and timers that are no longer needed.
Role Variables
  - cleanup_packages_default
    Default: lxc
    Packages that are no longer needed by default.
  - cleanup_packages_extra
    Default: []
    Additional packages that you declare as no longer needed.
  - cleanup_packages
    Default: cleanup_packages_default + cleanup_packages_extra + cleanup_packages_distribution
    All packages from the default, extra and distribution lists that should be cleaned up.
  - cleanup_services_default
    Default: []
    Services that are no longer needed by default.
  - cleanup_services_extra
    Default: []
    Additional services that you declare as no longer needed.
  - cleanup_services
    Default: cleanup_services_default + cleanup_services_extra + cleanup_services_distribution
    All services from the default, extra and distribution lists that will be removed.
  - cleanup_cloudinit
    Default: true
    Leave at true (the default) to clean up cloud-init; set to false to keep it.
Distribution specific variables:
  - Debian:
    - cleanup_services_distribution
      Default: []
      Debian services that are no longer needed.
    - cleanup_packages_distribution
      Default: [libvirt-bin, lxd, open-iscsi]
      Debian packages that are no longer needed.
    - cleanup_cloudinit_package_name
      Default: cloud-init
      Name of the Debian cloud-init package.
  - RedHat:
    - cleanup_services_distribution
      Default: []
      RedHat services that are no longer needed.
    - cleanup_packages_distribution
      Default: [libvirt, iscsi-initiator-utils]
      RedHat packages that are no longer needed.
    - cleanup_cloudinit_package_name
      Default: cloud-init
      Name of the RedHat cloud-init package.
- configfs
Configfs is a pseudofilesystem to modify kernel objects. This role mounts the filesystem, so you can interact with configfs.
Role Variables
No variables are needed here.
- configuration
Install the configuration directory.
Generic Role Variables
  - operator_user
    Default: dragon
    The user that will own the configuration directory.
  - operator_group
    Default: "{{ operator_user }}"
    The group that will own the configuration directory.
  - configuration_type
    Default: git
    The source type for the configuration. Currently only git is supported.
  - configuration_directory
    Default: /opt/configuration
    The directory where the configuration will be stored.
Variables for configuration type ``git``
  - configuration_git_package_name
    Default: git
    Name of the package to install for the git binary.
  - configuration_git_proxy
    Default: ""
    Set this variable if a proxy is needed to reach your git server.
  - configuration_git_public_key
    Default: ""
    The public key of the keypair used to connect to git.
  - configuration_git_private_key
    Default: ""
    The private key of the keypair used to connect to git.
  - configuration_git_private_key_file
    Default: ~/.ssh/id_rsa.configuration
    The path where the private key is stored.
  - configuration_git_version
    Default: main
    The branch name to check out.
  - configuration_git_host
    Default: github.com
    The host from which the repository is fetched.
  - configuration_git_port
    Default: 22
    The port used for fetching the repository.
  - configuration_git_repository
    Default: osism/ansible-collection-commons.git
    The name of the repository to fetch.
  - configuration_git_protocol
    Default: ssh
    The protocol used for fetching.
  - configuration_git_username
    Default: git
    The username used for fetching the repository.
- docker_compose
Ansible role for installing and configuring docker-compose and its components.
Role Variables
  - docker_compose_install_type
    Default: package
    Source of the docker-compose installation. Currently only 'package' is supported.
  - docker_compose_package_name
    Default: docker-compose
    The name of the docker-compose package to uninstall.
  - docker_compose_plugin_package_name
    Default: docker-compose-plugin
    The name of the docker-compose-plugin package to install.
  - docker_compose_service_user
    Default: "{{ operator_user | default('dragon') }}"
    The user the docker-compose service should run as.
  - docker_compose_service_group
    Default: "{{ operator_group | default('dragon') }}"
    The group the docker-compose service should run as.
- hostname
Ansible role for setting the hostname. It uses the short hostname provided by the Ansible inventory.
- hosts
This role populates the /etc/hosts file with the hosts from the Ansible inventory. For each host, if hosts_enable is true, the IPv4 address of the hosts_interface is added to /etc/hosts.
Role Variables
  - hosts_enable
    Default: true
    Whether to include hosts by default.
  - hosts_interface
    The IPv4 address assigned to this interface is written to the hosts file.
  - hosts_group_name
    Default: all
    Write only hosts that are members of this group to the hosts file.
  - hosts_use_dns_as_single_source_of_truth
    Default: false
    Set this parameter to true if DNS is to be used as the single source of truth. None of the hosts from hosts_group_name are then written to the hosts file.
  - hosts_type
    Default: block
    Valid values: block, local, template. # TODO
  - hosts_file
    Default: /etc/hosts
    Path to the managed hosts file.
  - hosts_file_backup
    Default: true
    If true, a backup of the file is created before any changes are made.
  - hosts_file_reset
    Default: false
    If the type block is used and this value is set to true, the hosts file is always completely reset.
  - hosts_ignore
    Default: []
    A list of hosts that should not be included in the hosts file.
  - hosts_additional_entries
    Default: {}
    A dictionary of FQDN: IP_ADDRESS entries that are appended to the end of the hosts file.
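As an added illustration of how the variables above interact (example code written for this page, not the osism.commons hosts role's own tasks), the following Python builds the managed block of the hosts file from inventory-like data: hosts_group_name selects the candidates, hosts_enable and hosts_ignore drop hosts, the hosts_interface address is looked up per host, hosts_additional_entries are appended, and hosts_use_dns_as_single_source_of_truth suppresses the inventory-derived entries. The inventory and group structures, the blockinfile-style markers, the reset semantics and all function names are assumptions made for the example.

```python
"""Illustration of the hosts role's variables (added example, not the role's code)."""

# blockinfile-style markers; the role's own markers may differ (assumption).
BEGIN_MARK = "# BEGIN ANSIBLE MANAGED BLOCK"
END_MARK = "# END ANSIBLE MANAGED BLOCK"

# Constructed stand-in for hostvars: the per-host facts the role consults.
INVENTORY = {
    "node-1":  {"hosts_enable": True,  "ipv4": {"eth0": "10.0.0.11", "eth1": "192.168.50.11"}},
    "node-2":  {"hosts_enable": True,  "ipv4": {"eth0": "10.0.0.12", "eth1": "192.168.50.12"}},
    "node-3":  {"hosts_enable": False, "ipv4": {"eth0": "10.0.0.13", "eth1": "192.168.50.13"}},
    "bastion": {"hosts_enable": True,  "ipv4": {"eth0": "10.0.0.2"}},
}
# Constructed stand-in for the inventory groups.
GROUPS = {
    "all": ["node-1", "node-2", "node-3", "bastion"],
    "compute": ["node-1", "node-2", "node-3"],
}


def render_hosts_block(inventory, groups, hosts_interface, hosts_group_name="all",
                       hosts_ignore=(), hosts_additional_entries=None,
                       hosts_use_dns_as_single_source_of_truth=False):
    """Return the managed block (markers included) built from the documented variables."""
    entries = []
    if not hosts_use_dns_as_single_source_of_truth:
        for name in groups.get(hosts_group_name, []):
            facts = inventory[name]
            if name in hosts_ignore or not facts.get("hosts_enable", True):
                continue
            address = facts["ipv4"].get(hosts_interface)
            if address is None:
                # Fail loudly instead of silently writing a half-populated file.
                raise ValueError(f"{name}: no IPv4 address on interface {hosts_interface}")
            entries.append(f"{address} {name}")
    # hosts_additional_entries are appended regardless of the DNS flag.
    for fqdn, address in (hosts_additional_entries or {}).items():
        entries.append(f"{address} {fqdn}")
    return "\n".join([BEGIN_MARK, *entries, END_MARK]) + "\n"


def update_hosts_file(current, block, hosts_file_reset=False):
    """Splice the block into the existing file content.

    An existing managed block is replaced in place; otherwise the block is
    appended. With hosts_file_reset everything outside the block is dropped
    except the loopback entries (assumed meaning of 'completely reset').
    """
    if hosts_file_reset:
        return "127.0.0.1 localhost\n::1 localhost ip6-localhost ip6-loopback\n" + block
    lines = current.splitlines()
    if BEGIN_MARK in lines and END_MARK in lines:
        start, stop = lines.index(BEGIN_MARK), lines.index(END_MARK)
        lines = lines[:start] + block.rstrip("\n").splitlines() + lines[stop + 1:]
        return "\n".join(lines) + "\n"
    if not current.strip():
        return block
    return current.rstrip("\n") + "\n" + block


if __name__ == "__main__":
    block = render_hosts_block(INVENTORY, GROUPS, "eth1", "compute",
                               hosts_ignore=["node-2"],
                               hosts_additional_entries={"registry.example.test": "10.0.0.99"})
    print(update_hosts_file("127.0.0.1 localhost\n", block), end="")
```

A host that is enabled but has no address on hosts_interface raises rather than being skipped: a missing entry in /etc/hosts tends to surface later as a confusing name-resolution failure, so the example prefers to stop the run.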
- ipmitool
Ansible role for installing ipmitool and its required kernel modules.
Role Variables
  - ipmitool_package_name
    Default: ipmitool
    Distribution package for ipmitool.
  - ipmitool_kernel_modules
    Default: [ipmi_devintf, ipmi_si]
    Kernel modules required for running ipmitool.
- kernel_modules
Ansible role for installing kernel modules. The configured modules are loaded immediately via modprobe and added to /etc/modules so that they are loaded automatically on boot.
Role Variables
  - kernel_modules_default
    Default: [ "bonding", "8021q" ]
    Default list of kernel modules to install.
  - kernel_modules_extra
    Default: []
    List of extra modules to install.
  - kernel_modules
    Default: kernel_modules_default + kernel_modules_extra
    All modules that you want to install.
- known_hosts
This role adds the SSH host keys of the hosts in the Ansible inventory to a known_hosts file.
Role Variables
  - operator_user
    Default: dragon
    The user that will own the known_hosts file.
  - operator_group
    Default: operator_user
    The group that will own the known_hosts file.
  - known_hosts_group_name
    Default: all
    Add hosts from this group to known_hosts.
  - known_hosts_destination
    Default: /home/{{ operator_user }}/.ssh
    Directory in which the known_hosts file is stored.
- kompose
This Ansible role checks whether kompose is already installed; if not, it triggers an install and checks the checksum.
Role Variables
  - kompose_install_type
    Default: url
    The source from which the download is done.
  - kompose_version
    Default: 1.22.0
    The version of kompose to install.
  - kompose_checksum
    Default: 6203d67263886bbd455168f59309496d486fc3a6df330b7ba37823b283bd9ea5
    The expected checksum of the downloaded file.
  - kompose_url
    Default: "https://github.com/kubernetes/kompose/releases/download/v{{ kompose_version }}/kompose-linux-amd64"
    URL for the download.
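The checksum check mentioned above, as an added example that is not the role's own code: verify a downloaded file against kompose_checksum before it is moved into place, and discard it on a mismatch so a tampered or truncated download is never left executable. Only the checksum value is taken from the role defaults; the function names and the stand-in file content are constructed for this illustration.

```python
"""Checksum verification for a downloaded binary (added example, not the role's code)."""
import hashlib
import hmac
import os
import tempfile

# Role default for kompose 1.22.0 (linux-amd64), taken from the variable list above.
KOMPOSE_CHECKSUM = "6203d67263886bbd455168f59309496d486fc3a6df330b7ba37823b283bd9ea5"
HEX_DIGITS = set("0123456789abcdef")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory byte string, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_hex_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large downloads are not loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_expected(expected: str) -> str:
    """Reject anything that is not a 64-character hex digest before comparing."""
    value = expected.strip().lower()
    if len(value) != 64 or not set(value) <= HEX_DIGITS:
        raise ValueError("expected checksum is not a SHA-256 hex digest")
    return value


def verify_bytes(data: bytes, expected: str) -> bool:
    """Constant-time comparison of the computed digest with the expected one."""
    return hmac.compare_digest(sha256_hex(data), normalize_expected(expected))


def verify_file(path: str, expected: str) -> bool:
    return hmac.compare_digest(sha256_hex_of_file(path), normalize_expected(expected))


def install_verified(download_path: str, expected: str, destination: str) -> str:
    """Move the download into place only when the checksum matches.

    A mismatching download is deleted so that it can never be executed by a
    later step; os.replace is atomic when both paths are on one filesystem.
    """
    if not verify_file(download_path, expected):
        os.unlink(download_path)
        raise RuntimeError(f"checksum mismatch for {download_path}; download discarded")
    os.chmod(download_path, 0o755)
    os.replace(download_path, destination)
    return destination


if __name__ == "__main__":
    # Constructed stand-in content; it does NOT match the real release checksum.
    stand_in = b"constructed stand-in for a kompose binary"
    with tempfile.TemporaryDirectory() as tmp:
        download = os.path.join(tmp, "kompose-linux-amd64.download")
        with open(download, "wb") as fh:
            fh.write(stand_in)
        print("matches own hash:", verify_file(download, sha256_hex(stand_in)))
        print("matches release checksum:", verify_file(download, KOMPOSE_CHECKSUM))
```

Pinning kompose_version and kompose_checksum together is what makes the check meaningful: bumping the version without updating the checksum makes every install fail, which is the intended behaviour rather than a silent switch to an unverified binary.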
- kubectl
This Ansible role will install kubectl.
Role Variables
  - kubectl_package_name
    Default: kubectl
    Name of the kubectl package.
  - kubectl_configure_repository
    Default: true
    Whether to configure the repository.
  - kubectl_debian_repository_arch
    Default: amd64
    Repository architecture.
  - kubectl_debian_repository_key
    Default: https://raw.githubusercontent.com/kubernetes/k8s.io/main/apt/doc/apt-key.gpg
    Repository GPG key.
  - kubectl_debian_repository
    Default: "deb [ arch={{ kubectl_debian_repository_arch }} signed-by=/usr/share/keyrings/kubectl.gpg ] https://apt.kubernetes.io/ kubernetes-xenial main"
    Repository URL.
- lynis
This Ansible role will install lynis.
Role Variables
  - lynis_package_name
    Default: lynis
    The package that should be installed.
  - lynis_configure_repository
    Default: true
    Whether to add the lynis_debian_repository to the apt configuration.
  - lynis_debian_repository_arch
    Default: amd64
    Repository architecture.
  - lynis_debian_repository_key
    Default: https://packages.cisofy.com/keys/cisofy-software-public.key
    The repository GPG key to add.
  - lynis_debian_repository
    Default: "deb [ arch={{ lynis_debian_repository_arch }} ] https://packages.cisofy.com/community/lynis/deb/ stable main"
    The repository from which lynis is installed.
- microcode
Ansible role for the installation of microcode.
Role Variables
  - microcode_packages_default
    Default: [amd64-microcode, intel-microcode]
    The packages that are needed for microcode.
  - microcode_packages_extra
    Default: []
    Extra packages that you want to install.
  - microcode_packages
    Default: microcode_packages_default + microcode_packages_extra
    All packages that will be installed.
- motd
Sets the content of the Message of the Day (/etc/motd) and of the pre-login message and identification file (/etc/issue).
Role Variables
  - motd_content
    Default: ""
    Contents to be written to motd_path and issue_path.
    Example:
        motd_content: |
          ------------------------------------------------------------------------------
          *                                  WARNING                                   *
          * You are accessing a secured system and your actions will be logged along   *
          * with identifying information. Disconnect immediately if you are not an     *
          * authorized user of this system.                                            *
          ------------------------------------------------------------------------------
  - motd_path
    Default: /etc/motd
    The full path to the motd file.
  - issue_path
    Default: /etc/issue
    The full path to the issue file.
- network
Ansible role for managing and configuring the internal network types.
Role Variables
  - network_type
    Default: interfaces
    Which type of network configuration you want to install. Possible values are interfaces and netplan.
  - network_manage_devices
    Default: true
    Flag whether all network devices are controlled by this role.
    Note
    Attention! If true, all additional configurations are deleted.
  - network_allow_service_restart
    Default: false
    Allow the network to restart.
    Note
    Attention! This is only triggered when the interfaces file was changed.
  - network_restart_method
    Default: nothing
    How should changed interfaces be treated? Options:
      service - restart the network service for the interface
      interface - down & up the interface
      nothing - do nothing
      * - undefined behavior
Configuration for type interfaces
List of all network interface configurations:
  - network_interfaces
    For IPv6 add an additional inet6 entry.
    Example configuration:
        - device: eth0
          # auto & allow are only used for the first device entry
          auto: true            # enable on boot (default)
          allow: []             # array of allow-[stanzas] e.g. allow-hotplug
          family: inet          # network type e.g. inet | inet6 (default)
          method: dhcp          # dhcp | static (default)
          # examples for method 'static'
          # description: 'a user description'
          # address: 192.168.1.11
          # network: 192.168.1.0
          # netmask: 255.255.255.0
          # broadcast: 192.168.1.255
          # gateway: 192.168.1.1
          # transport
          # mtu: 9000           # give a non-default mtu
          # ifmetric
          # metric: 10
          # optional dns settings
          # nameservers: ['9.9.9.9']
          # dns_search: "domain.net"   # appended dns search string
          # optional additional subnets/ips
          # subnets: ['192.168.123.0/24', '192.168.124.11/32']
          bridge: {}            # optional bridge parameters
          # ports:
          # stp:
          # fd:
          # maxwait:
          # waitport:
          bond: {}              # optional bonding parameters
          # mode:
          # miimon:
          # master:
          # slaves:
          # lacp-rate:
          # optional vlan settings
          vlan: {}
          # raw-device: 'eth0'
          # inline hook scripts
          pre-up: []            # pre-up script lines
          up: []                # up script lines
          post-up: []           # post-up script lines (alias for up)
          pre-down: []          # pre-down script lines (alias for down)
          down: []              # down script lines
          post-down: []         # post-down script lines
  - network_interfaces_path
    Default: /etc/network/interfaces
    Destination path where the interface configuration file is stored.
  - network_interface_path
    Default: /etc/network/interfaces.d
    Source path from which the configuration files are taken.
  - network_interface_permissions
    Default: 0644
    File permissions for the network interface configuration files.
  - network_interface_restart_commands
    Default: interface: "ifdown {{ item.item.0 }}; ifup {{ item.item.0 }}"
    Commands for restarting the interface.
  - network_interface_required_packages
    Default: [bridge-utils, ifenslave, ifmetric, ifupdown, vlan]
    The packages that are required for the type interfaces installation.
Configuration for type netplan
  - network_netplan_required_packages
    Default: netplan.io
    Package that is required for the type netplan installation.
  - network_netplan_path
    Default: /etc/netplan
    Directory in which the configuration file is stored.
  - network_netplan_file
    Default: 01-osism.yaml
    The configuration file for netplan.
  - network_netplan_permissions
    Default: 0644
    File permissions for the netplan configuration files.
  - network_netplan_remove_unmanaged_files
    Default: true
    Remove configuration files that are not managed by this role.
  - network_netplan_managed_files_defaults
    Default: network_netplan_file
    Name of the configuration file in use.
  - network_netplan_managed_files_extra
    Default: []
    If more than one configuration file is in use, declare the additional ones here.
  - network_netplan_managed_files
    Default: network_netplan_managed_files_defaults + network_netplan_managed_files_extra
    All configuration files in use.
  - network_version
    Default: 2
    The 01-osism file describes the network interfaces available on your system. The network version is needed for the network declaration.
  - network_renderer
    Default: networkd
    The daemon that actually provides the network functionality.
  - network_bonds
    Netplan bond configuration. For more information see the netplan documentation.
  - network_bridges
    Netplan bridge configuration. For more information see the netplan documentation.
  - network_ethernets
    Netplan ethernet configuration. For more information see the netplan documentation.
  - network_tunnels
    Netplan tunnel configuration. For more information see the netplan documentation.
  - network_vlans
    Netplan VLAN configuration. For more information see the netplan documentation.
  - network_dispatcher_package_name
    Default: networkd-dispatcher
    The package required for networkd-dispatcher.
  - network_dispatcher_service_name
    Default: networkd-dispatcher
    The service name of the dispatcher; needed to start the service.
  - network_dispatcher_scripts
    Default: []
    Where the scripts for the dispatcher are taken from and where they are installed.
    Example:
        network_dispatcher_scripts:
          - src: /opt/configuration/network/vxlan.sh
            dest: routable.d/vxlan.sh
          - src: /opt/configuration/network/iptables.sh
            dest: routable.d/iptables.sh
  - network_dummy_interfaces
    Dummy interfaces created to avoid errors for interfaces that Ansible does not recognize.
    Example:
        network_dummy_interfaces:
          - lo-bgp
          - lo-vxlan
  - network_dummy_interface_mtu
    Default: 9000
    Maximum transfer unit. Check which MTU fits your system.
- operator
Ansible role to configure the operator user with all its dependencies.
Role Variables
  - operator_user
    Default: dragon
    The operator user name.
  - operator_user_id
    Default: 45000
    ID for the operator user.
  - operator_group
    Default: dragon
    The group for the operator user.
  - operator_group_id
    Default: 45000
    ID for the group.
  - operator_shell
    Default: /bin/bash
    The default shell for the operator.
  - operator_authorized_keys
    Default: []
    A list of SSH authorized keys to add.
  - operator_password
    Encrypted password string to set for the operator user (optional).
    Warning
    Use "mkpasswd --method=sha-512" to generate an encrypted password. Do not set this variable to a clear-text password.
  - operator_sudo_nopasswd
    Default: true
    Whether the operator user can invoke sudo without a password.
  - operator_sudo_cmd_list
    Default: ALL
    Commands that the user may run with sudo.
  - operator_groups
    Additional groups for the operator user. The default list of groups is distribution specific.
- packages
This Ansible role installs a number of required packages.
Role Variables
  - upgrade_packages
    Default: true
    Whether to update the package cache.
  - required_packages_default
    Default: [ethtool, jq, rsyslog]
    The packages that are required by default.
  - required_packages_extra
    Default: []
    Extra packages that you want to install.
  - required_packages
    Default: required_packages_default + required_packages_extra + required_packages_distribution
    All packages that should be installed.
Debian Variables
  - apt_cache_valid_time
    Default: 3600
    Update the apt cache if it is older than cache_valid_time. This option is set in seconds.
  - required_packages_distribution
    Default: [debsums, selinux-utils, ssh]
    Required packages for Debian.
RedHat Variables
  - required_packages_distribution
    Default: [libselinux-utils, openssh]
    Required packages for RedHat.
- podman
Ansible role to install podman.
Role Variables
  - podman_action
    Default: deploy
    Name of the task file to include, for example config.yml or deploy.yml.
  - podman_package_name
    Default: podman
    The required package for podman.
- proxy
This Ansible role sets up the proxies.
Role Variables
  - proxy_proxies
    Default: {}
    The proxies that will be configured. Declare those you want to configure.
    Example:
        proxy_proxies:
          http: http://proxy.tld:8080
          https: http://proxy.tld:8080
          ftp: http://proxy.tld:8080
  - proxy_no_proxy_default
    Default: [127.0.0.1, localhost]
    The addresses listed here are not reached via the proxy.
  - proxy_no_proxy_extra
    Default: []
    Additional addresses that should not be reached via the proxy.
  - proxy_no_proxy
    Default: proxy_no_proxy_default + proxy_no_proxy_extra
    All addresses that should not be reached via the proxy.
  - proxy_package_manager
    Default: true
    Also set the proxy for the package manager.
  - proxy_apt_conf_path
    Default: /etc/apt/apt.conf.d/01proxy
    Debian specific path where the apt proxy configuration file is stored.
- repository
Ansible role to configure the default repository sources.
Role Variables
  - repositories
    Default: {}
    A dict of name: repository pairs; these are used as the list of package sources. The format of the repository values is distribution-specific. If not set explicitly, some default repositories are configured. For Ubuntu, these are mirrors of the main, restricted, universe and multiverse repositories for each of the release, -backports, -security and -updates pockets.
  - repository_cache_valid_time
    Default: 120
    Only for Debian/Ubuntu: update the apt cache if it is older than cache_valid_time. This option is set in seconds.
  - repository_key_files_directory
    Default: ""
    Only for Debian/Ubuntu: keys stored in this directory are added to APT as trusted keys.
  - repository_keys
    Only for Debian/Ubuntu: list of URLs from which to fetch GPG keys that APT should trust.
  - repository_key_ids
    Only for Debian/Ubuntu: dict of ID: keyserver pairs; each key ID is fetched from its keyserver and added to APT as a trusted key.
  - enable_phased_updates
    Default: false
    Only for Debian/Ubuntu: enable phased updates.
  - repository_apt_acquire_forceipv4
    Default: false
    Only for Debian/Ubuntu: force IPv4 transport for apt-get.
- resolvconf
Ansible role for configuring the nameservers and related resolver settings.
Role Variables
  - resolvconf_nameserver_default
    Default: [9.9.9.9, 149.112.112.112]
    The default IP addresses of the nameservers used for the configuration.
  - resolvconf_nameserver_extra
    Declare additional nameservers here.
  - resolvconf_nameserver
    The complete list of nameservers to configure.
  - resolvconf_fallback_nameserver
    A list of alternative nameservers (IPv4 and IPv6 addresses) used if no DNS server information is known. If this option is not set, a compiled-in list is used instead.
  - resolvconf_search
    Default: osism.test
    The local search domain.
  - resolvconf_minimum_number_of_nameservers
    Default: 2
    The minimum number of nameservers that must be configured.
  - resolvconf_cache
    Default: true
    Enable the resolver cache: responses are stored and reused for later requests, which improves performance because not every lookup becomes a new network request.
  - resolvconf_cache_from_localhost
    Default: false
    In some development setups the localhost cache must be disabled; this parameter controls that.
  - resolvconf_dns_over_tls
    Default: false
    If true, all connections are encrypted; if false they are not. Note that using it requires a DNS server that supports DNS-over-TLS and a valid certificate. Using DNS-over-TLS results in a small performance loss.
  - resolvconf_dnssec
    Default: allow-downgrade
    Does not enforce secured DNS requests; fallback to normal (insecure) DNS is allowed. To enforce DNSSEC set this variable to true. This only works on systems where DNSSEC is supported, and results in a small performance loss.
  - resolvconf_read_etc_hosts
    Default: true
    If true, systemd-resolved is allowed to read /etc/hosts.
  - resolvconf_file
    Default: /etc/resolv.conf
    Path to the configuration file.
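As an added example, not code from the role: a renderer that turns the resolvconf_* variables above into a systemd-resolved [Resolve] section and enforces resolvconf_minimum_number_of_nameservers before anything would be written, so a bad override cannot leave a host with a single (or no) working resolver. The systemd-resolved key names (DNS=, FallbackDNS=, Domains=, DNSSEC=, DNSOverTLS=, Cache=, CacheFromLocalhost=, ReadEtcHosts=) are real; that the role produces its configuration this way, and the function names, are assumptions.

```python
"""Render a systemd-resolved configuration from the resolvconf_* variables (added example)."""
import ipaddress

# Defaults as documented in the variable list above (copied here for the example).
RESOLVCONF_DEFAULTS = {
    "resolvconf_nameserver_default": ["9.9.9.9", "149.112.112.112"],
    "resolvconf_nameserver_extra": [],
    "resolvconf_fallback_nameserver": [],
    "resolvconf_search": "osism.test",
    "resolvconf_minimum_number_of_nameservers": 2,
    "resolvconf_cache": True,
    "resolvconf_cache_from_localhost": False,
    "resolvconf_dns_over_tls": False,
    "resolvconf_dnssec": "allow-downgrade",
    "resolvconf_read_etc_hosts": True,
}


def _systemd_bool_or_string(value):
    """systemd expects yes/no for booleans; tri-state strings such as
    'allow-downgrade' (DNSSEC=) or 'opportunistic' (DNSOverTLS=) pass through."""
    if isinstance(value, bool):
        return "yes" if value else "no"
    return str(value)


def effective_nameservers(variables):
    """Apply the documented precedence and validate the result.

    resolvconf_nameserver, when set, wins; otherwise default + extra is used.
    Every entry must parse as an IP address, duplicates are dropped with
    order preserved, and fewer than resolvconf_minimum_number_of_nameservers
    entries is an error so a broken override cannot leave a host without DNS.
    """
    v = {**RESOLVCONF_DEFAULTS, **variables}
    chosen = v.get("resolvconf_nameserver") or (
        list(v["resolvconf_nameserver_default"]) + list(v["resolvconf_nameserver_extra"]))
    result = []
    for entry in chosen:
        ipaddress.ip_address(entry)  # raises ValueError on anything that is not an address
        if entry not in result:
            result.append(entry)
    minimum = int(v["resolvconf_minimum_number_of_nameservers"])
    if len(result) < minimum:
        raise ValueError(f"{len(result)} nameserver(s) configured, minimum is {minimum}")
    return result


def render_resolved_conf(variables=None):
    """Return the [Resolve] section text (assumes the role targets systemd-resolved)."""
    v = {**RESOLVCONF_DEFAULTS, **(variables or {})}
    lines = ["[Resolve]", "DNS=" + " ".join(effective_nameservers(v))]
    if v["resolvconf_fallback_nameserver"]:
        # Only emitted when set; otherwise systemd's compiled-in fallback list applies.
        lines.append("FallbackDNS=" + " ".join(v["resolvconf_fallback_nameserver"]))
    lines += [
        "Domains=" + str(v["resolvconf_search"]),
        "DNSSEC=" + _systemd_bool_or_string(v["resolvconf_dnssec"]),
        "DNSOverTLS=" + _systemd_bool_or_string(v["resolvconf_dns_over_tls"]),
        "Cache=" + _systemd_bool_or_string(v["resolvconf_cache"]),
        "CacheFromLocalhost=" + _systemd_bool_or_string(v["resolvconf_cache_from_localhost"]),
        "ReadEtcHosts=" + _systemd_bool_or_string(v["resolvconf_read_etc_hosts"]),
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_resolved_conf(), end="")
    # Hardened variant: strict DNSSEC and mandatory DNS-over-TLS, as the text describes.
    print(render_resolved_conf({"resolvconf_dns_over_tls": True, "resolvconf_dnssec": True}), end="")
```

The default rendering keeps DNSSEC=allow-downgrade and DNSOverTLS=no, matching the role defaults; setting both variables to true yields the strict configuration, which only works when every configured resolver actually offers DNSSEC-validated answers over TLS.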
- services
Ansible role for managing services.
Role Variables
  - services_warning_default
    Default: nscd
    See services_warning.
  - services_warning_extra
    See services_warning.
  - services_warning
    Services that should not be running. They are reported in a debug message.
  - services_required_default
    Default: cron
    See services_required.
  - services_required_extra
    See services_required.
  - services_required
    The list of services that should be managed.
- sosreport
This Ansible role installs and configures sosreport. Sosreport collects information from the configured plugins.
Role Variables
  - sosreport_unarchive
    Default: false
    Whether the sosreport is unarchived on the destination machine after it has been generated.
  - sosreport_tmpdir
    Default: /tmp/sosreport
    Temporary directory in which the reports are stored on the machine where the report is generated.
  - sosreport_required_packages
    Default: sosreport
    Required packages for sosreport.
  - sosreport_name
    The name under which the report is stored. By default it includes the hostname and the date.
  - sosreport_archive_filename
    The file name of the archived sosreport.
  - sosreport_archive_directory
    The directory in which the archived sosreports are stored.
  - sosreport_plugins
    Default: [apt, auditd, block, devices, docker, dpkg, filesys, hardware, kernel, kvm, md, memory, networking, pci, process, processor, python, services, ssh, system, systemd, ubuntu, udev, usb, xfs]
    The plugins from which sosreport collects the information you need.
  - operator_user
    Default: dragon
    The user that sosreport runs as and that owns the required directories.
  - operator_group
    Default: operator_user
    The group of the user that sosreport runs as and that owns the required directories.
- sshconfig
Ansible role for configuring the SSH client so that the hosts can be reached via SSH.
Role Variables
  - operator_user
    Default: dragon
    The user who will own the configuration directory.
  - operator_group
    Default: operator_user
    The group that will own the configuration directory.
  - sshconfig_groupname
    Default: all
    The group of hosts that will be configured.
  - sshconfig_order
    Default: 20
    Priority of the SSH configuration file. The file is stored in the config.d directory, where other files may exist. They are read in alphabetical order, and this variable lets you control the position at which this file is evaluated.
  - sshconfig_port
    Default: 22
    The port on which the SSH service listens for connections.
  - sshconfig_private_key_file
    Default: /opt/ansible/secrets/id_rsa.operator
    The file in which the operator's SSH key is stored.
  - sshconfig_user
    Default: operator_user
    The user used to establish the SSH connection.
- state
This Ansible role writes facts into a state file.
Role Variables
  - state_name
    Default: osism
    The name of the state file.
  - state_section
    Default: status
    The section of the file to which the facts are added.
  - state_option
    Default: deployed
    The option that a fact must have before it is added to the file.
  - state_value
    Default: false
    The value used for checking a fact. # Fix me
- sysctl
This role configures sysctl (kernel parameters). It can be used to tune the components of a system for better performance. Be aware that doing it the wrong way can also slow down the system.
Role Variables
  - sysctl_defaults
    This section declares, as a list, the parameters for elasticsearch, rabbitmq and the node groups all or compute.
  - sysctl_extra
    Declare additional parameters that you want to configure here.
- sysdig
Ansible role for installing and configuring sysdig. Sysdig is a system visibility tool with native support for containers.
Role Variables
  - sysdig_package_name
    Default: sysdig
    The required package.
  - sysdig_kernel_module_name
    Default: sysdig_probe
    The kernel module name for configuring and enabling sysdig.
  - sysdig_configure_repository
    Default: true
    Whether to configure the sysdig package repository (packages are fetched via https).
  - sysdig_debian_repository_arch
    Default: amd64
    The architecture of the system on which sysdig is installed.
  - sysdig_debian_repository_key
    Default: https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public
    URL of the repository GPG key.
  - sysdig_debian_repository
    Default: deb [ arch={{ sysdig_debian_repository_arch }} ] https://download.sysdig.com/stable/deb stable-{{ sysdig_debian_repository_arch }}/
    Repository line for the sysdig apt source on Debian distributions.
- systohc
This Ansible role synchronizes the hardware clock.
Role Variables
  - systohc
    Default: true
    When true, the system clock is synced to the hardware clock.
  - systohc_common
    # Fix me
- timezone
Ansible role for timezone configuration.
Role Variables
  - timezone_hwclock
    Default: UTC
    Whether the hardware clock is in UTC or in the local timezone. Possible values are local and UTC.
  - timezone_name
    Default: UTC
    Name of the timezone for the system clock.
- trivy
Ansible role for the trivy installation. Trivy is a scanner for vulnerabilities in container images, file systems and git repositories, as well as for configuration issues and hard-coded secrets.
Role Variables
  - trivy_package_name
    Default: trivy
    Name of the package required for the trivy installation.
  - trivy_configure_repository
    Default: true
    Whether to configure the trivy package repository (packages are fetched via https).
  - trivy_debian_repository_arch
    Default: amd64
    Architecture of the target system.
  - trivy_debian_repository_key
    Default: https://aquasecurity.github.io/trivy-repo/deb/public.key
    URL of the repository GPG key.
  - trivy_debian_repository
    Default: deb [ arch={{ trivy_debian_repository_arch }} ] https://aquasecurity.github.io/trivy-repo/deb {{ ansible_distribution_release }} main
    Repository line for the trivy apt source on Debian distributions.
- vault_import
Ansible role for importing secrets into HashiCorp Vault.
Role Variables
  - vault_token
    Default: ""
    Token for logging in to vault.
  - vault_protocol
    Default: http
    The protocol used to connect to vault.
  - vault_host
    Default: vault
    Hostname of the vault-server.
  - vault_port
    Default: 8200
    The port on which vault accepts connections.
  - vault_url
    Default: {{ vault_protocol }}://{{ vault_host }}:{{ vault_port }}
    Address of the vault server used for connections.
  - vault_secrets_path
    Default: /opt/configuration/environments/secrets.yml
    Path of the file containing the secrets that should be imported into vault.
- vault_init
This Ansible role configures policies inside the vault-server for the key-value store (kv).
Role Variables
  - vault_token
    Default: ""
    Token for logging in to vault.
  - vault_protocol
    Default: http
    The protocol used to connect to vault.
  - vault_host
    Default: vault
    Hostname of the vault-server.
  - vault_port
    Default: 8200
    The port on which vault accepts connections.
  - vault_url
    Default: {{ vault_protocol }}://{{ vault_host }}:{{ vault_port }}
    Address of the vault server used for connections.
  - vault_rules_read
    Default:
        path "kv/*" {
          capabilities = ["read"]
        }
    Vault read policy. Configures a policy that allows reads from the key-value store.
  - vault_rules_write
    Default:
        path "kv/*" {
          capabilities = ["create", "read", "update", "delete", "list"]
        }
    Vault write policy. Configures a policy that allows every action on the key-value store.
- vault_seal
Ansible role to seal the vault-server.
Role Variables
  - vault_container_name
    Default: manager_vault_1
    The name of the vault-container.
  - vault_token
    Default: ""
    Token for logging in to vault.
    Warning
    This action will completely block any interaction with vault.
- vault_unseal
Ansible role to unseal the vault-server.
Role Variables
  - vault_container_name
    Default: manager_vault_1
    The name of the vault-container.
The algorithm used to unseal the vault-server is Shamir's secret sharing. For unsealing you will need at least three keys:
  - vault_unseal_key_1
  - vault_unseal_key_2
  - vault_unseal_key_3