magfest · claughinghouse · Sep 29, 2021 · Sep 26, 2021 · Sep 26, 2021 · Sep 26, 2021
@@ -40,6 +40,8 @@ stages:
 init:
   stage: prepare-tf
   extends: .global
+  environment:
+    name: production
   script:
     - terraform init
     - terraform validate
@@ -48,6 +50,8 @@ init:
 
 validate:
   extends: .global
+  environment:
+    name: production
   stage: validate-tf
   script:
     - terraform validate
@@ -57,6 +61,8 @@ validate:
 plan:
   stage: build-tf
   extends: .global
+  environment:
+    name: production
   artifacts:
     name: plan
     paths:
@@ -78,7 +84,7 @@ create:
   script:
     - terraform apply -auto-approve
   rules:
-    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH == "aaron-dev"'
+    - if: '$TF_VAR_subnet != ""'
       when: on_success
     - when: never
   artifacts:
@@ -95,9 +101,13 @@ run-playbooks:
   dependencies:
     - create
   script:
-    - echo $(/bin/true)
+    - cd ${CI_PROJECT_DIR}/ansible
+    - echo ${ANSIBLE_VAULT_PASSWORD} > ${CI_PROJECT_DIR}/ansible/.vault-password
+    - ansible-galaxy install -r requirements.yaml
+    - ansible-galaxy collection install -r requirements.yaml
+    - ansible-playbook -i ./inventory -i ${TF_ROOT}/hosts.ini --vault-password-file ./.vault-password playbook.yaml
   rules:
-    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH == "aaron-dev"'
+    - if: '$TF_VAR_subnet != ""'
       when: on_success
     - when: never
 
@@ -111,7 +121,7 @@ destroy:
   script:
     - terraform destroy -auto-approve
   rules:
-    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH == "aaron-dev"'
+    - if: '$TF_VAR_subnet != "" && $CI_COMMIT_BRANCH != "prod"'
       when: manual
     - when: never
   artifacts:

@@ -0,0 +1,62 @@
+---
+branch_subnet_trimmed: "{{ (branch_subnet.split('.'))[0:3] | join('.') }}"
+magevent_net_hosts:
+  # MAGCloud per-branch "dynamic" IP entries
+  - { name: "dhcp1", ip: "{{ branch_subnet_trimmed }}.4", type: "A" }
+  - { name: "dhcp2", ip: "{{ branch_subnet_trimmed }}.5", type: "A" }
+  - { name: "ntp1", ip: "{{ branch_subnet_trimmed }}.6", type: "A" }
+  - { name: "ntp2", ip: "{{ branch_subnet_trimmed }}.7", type: "A" }
+  - { name: "dns1", ip: "{{ branch_subnet_trimmed }}.110", type: "A" }
+  - { name: "dns2", ip: "{{ branch_subnet_trimmed }}.120", type: "A" }
+  - { name: "syslog", ip: "{{ branch_subnet_trimmed }}.130", type: "A" }
+  # MAGCloud static/not-in-Terraform-yet entries
+  - { name: "salt", ip: "10.101.22.8", type: "A" }
+  - { name: "foreman", ip: "10.101.22.8", type: "A" }
+  - { name: "tftp", ip: "10.101.22.9", type: "A" }
+  - { name: "freeradius", ip: "10.101.22.10", type: "A" }
+  - { name: "freeipa", ip: "10.101.22.11", type: "A" }
+  - { name: "asterisk", ip: "10.101.22.12", type: "A" }
+  - { name: "cups", ip: "10.101.22.13", type: "A" }
+  - { name: "repo", ip: "10.101.22.14", type: "A" }
+  - { name: "assman", ip: "10.101.22.15", type: "A" }
+  - { name: "smokeping", ip: "10.101.22.16", type: "A" }
+  - { name: "radios", ip: "10.101.22.17", type: "A" }
+  - { name: "wowza", ip: "10.101.22.18", type: "A" }
+  - { name: "badges", ip: "10.101.22.19", type: "A" }
+  - { name: "stereo", ip: "10.101.22.20", type: "A" }
+  - { name: "rams1", ip: "10.101.22.21", type: "A" }
+  - { name: "rams2", ip: "10.101.22.22", type: "A" }
+  - { name: "index", ip: "10.101.22.24", type: "A" }
+  - { name: "vpn", ip: "10.101.22.25", type: "A" }
+  - { name: "isp", ip: "10.101.22.27", type: "A" }
+  - { name: "staffsuite", ip: "10.101.22.28", type: "A" }
+  - { name: "challenges", ip: "10.101.22.53", type: "A" }
+  - { name: "shifts", ip: "10.101.22.58", type: "A" }
+  - { name: "minecraft", ip: "10.101.22.124", type: "A" }
+  - { name: "vyos", ip: "10.101.22.122", type: "A" }
+  - { name: "freeradius2020", ip: "10.101.22.131", type: "A" }
+  - { name: "netbox", ip: "10.101.22.132", type: "A" }
+  - { name: "radiomon", ip: "10.101.22.133", type: "A" }
+  - { name: "gitlab", ip: "10.101.22.134", type: "A" }
+  - { name: "gitlab-runner-1", ip: "10.101.22.135", type: "A" }
+  - { name: "stackstorm", ip: "10.101.22.136", type: "A" }
+  - { name: "librenms", ip: "10.101.22.151", type: "A" }
+  - { name: "zabbix", ip: "10.101.22.200", type: "A" }
+  # MAGCloud management IPs
+  - { name: "oa1", ip: "10.101.21.11", type: "A" }
+  - { name: "oa2", ip: "10.101.21.12", type: "A" }
+  - { name: "vc1", ip: "10.101.21.13", type: "A" }
+  - { name: "quorum-ipmi", ip: "10.101.21.20", type: "A" }
+  - { name: "pve1-ipmi", ip: "10.101.21.21", type: "A" }
+  - { name: "pve2-ipmi", ip: "10.101.21.22", type: "A" }
+  - { name: "quorum", ip: "10.101.21.40", type: "A" }
+  - { name: "pve1", ip: "10.101.21.41", type: "A" }
+  - { name: "pve2", ip: "10.101.21.42", type: "A" }
+  - { name: "synology", ip: "10.101.21.156", type: "A" }
+  # external IPs, CNAMEs, etc.
+  - { name: "fixit", ip: "52.45.46.140", type: "A" }
+  - { name: "fixit", ip: "2600:1f18:423b:a500:76bf:d287:e6f9:2306", type: "AAAA" }
+  - { name: "streaming", ip: "streaming-456449487.us-east-1.elb.amazonaws.com.", type: "CNAME" }
+  - { name: "coldbrew", ip: "hydrophobic-pheasant-7qpulrttf80t5n3leh0etcff.herokudns.com.", type: "CNAME" }
+  - { name: "schedule", ip: "schedule.magevent.net.s3-website-us-east-1.amazonaws.com.", type: "CNAME" }
+  - { name: "food", ip: "157.245.3.204", type: "A" }
@@ -1,23 +1,23 @@
 ---
 all:
   children:
-    # Control Plane group, do not change the 'control-plane' name
-    # hosts should match the filenames in 'host_vars'
-    # dhcp:
-    #   hosts:
-    #     dhcp1:
-    #     dhcp2:
-    # dns:
-    #   hosts:
-    #     dns1:
-    #     dns2:
-    # rsyslog:
-    #   hosts:
-    #     rsyslog-1:
-    # cups:
-    #   hosts:
-    #     cups-1:
-    # dns:
-    #   hosts:
-    #     dns-1:
-    #     dns-2:
+  # Control Plane group, do not change the 'control-plane' name
+  # hosts should match the filenames in 'host_vars'
+  # dhcp:
+  #   hosts:
+  #     dhcp1:
+  #     dhcp2:
+  # dns:
+  #   hosts:
+  #     dns1:
+  #     dns2:
+  # rsyslog:
+  #   hosts:
+  #     rsyslog-1:
+  # cups:
+  #   hosts:
+  #     cups-1:
+  # dns:
+  #   hosts:
+  #     dns-1:
+  #     dns-2:
@@ -0,0 +1,40 @@
+---
+- name: Initial Ubuntu setup
+  hosts:
+  - all
+  remote_user: root
+  become: true
+  gather_facts: true
+  any_errors_fatal: true
+  roles:
+  - ubuntu
+
+- name: CUPS setup
+  hosts:
+  - cups
+  remote_user: root
+  become: true
+  gather_facts: true
+  any_errors_fatal: true
+  roles:
+  - cups
+
+- name: rsyslog setup
+  hosts:
+  - rsyslog
+  remote_user: root
+  become: true
+  gather_facts: true
+  any_errors_fatal: true
+  roles:
+  - rsyslog
+
+- name: DNS setup
+  hosts:
+  - dns
+  remote_user: root
+  become: true
+  gather_facts: true
+  any_errors_fatal: true
+  roles:
+  - dns
@@ -7,3 +7,4 @@
   any_errors_fatal: true
   roles:
   - ubuntu
+  - dns
@@ -1,30 +1,11 @@
-options {
-  listen-on { any; };
-  forwarders { 8.8.8.8; 8.8.4.4; };
-  allow-recursion { any; };
-};
-
-zone "magevent.net" IN {
-        type master;
-        file "/var/named/magevent.net.zone";
-        notify no;
-};
-
-zone "win.magevent.net" {
-        type stub;
-        masters {10.101.22.210; 10.101.22.220;};
-        file "/var/named/win.magevent.net.zone";
-        forwarders { };
-};
-
-zone "onsite.uber.magfest.org" IN {
-        type master;
-        file "/var/named/onsite.uber.magfest.org.zone";
-        notify no;
-};
-
-zone "onsite.reggie.magfest.org" IN {
-        type master;
-        file "/var/named/onsite.reggie.magfest.org.zone";
-        notify no;
-};
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
+// structure of BIND configuration files in Debian, *BEFORE* you customize
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+include "/etc/bind/named.conf.default-zones";
@@ -0,0 +1,24 @@
+zone "magevent.net" IN {
+        type master;
+        file "/var/lib/bind/magevent.net.zone";
+        notify no;
+};
+
+zone "win.magevent.net" {
+        type stub;
+        masters {10.101.22.210; 10.101.22.220;};
+        file "/var/lib/bind/win.magevent.net.zone";
+        forwarders { };
+};
+
+zone "onsite.uber.magfest.org" IN {
+        type master;
+        file "/var/lib/bind/onsite.uber.magfest.org.zone";
+        notify no;
+};
+
+zone "onsite.reggie.magfest.org" IN {
+        type master;
+        file "/var/lib/bind/onsite.reggie.magfest.org.zone";
+        notify no;
+};
@@ -0,0 +1,26 @@
+options {
+        directory "/var/cache/bind";
+
+        // If there is a firewall between you and nameservers you want
+        // to talk to, you may need to fix the firewall to allow multiple
+        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+
+        // If your ISP provided one or more IP addresses for stable
+        // nameservers, you probably want to use them as forwarders.
+        // Uncomment the following block, and insert the addresses replacing
+        // the all-0's placeholder.
+
+        // forwarders {
+        //      0.0.0.0;
+        // };
+
+        //========================================================================
+        // If BIND logs error messages about the root key being expired,
+        // you will need to update your keys.  See https://www.isc.org/bind-keys
+        //========================================================================
+        dnssec-validation auto;
+        listen-on { any; };
+        listen-on-v6 { any; };
+        forwarders { 1.1.1.1; 8.8.8.8; 8.8.4.4; 1.0.0.1; };
+        allow-recursion { any; };
+};
@@ -1,7 +1,3 @@
 ---
 - name: Configure DNS servers
   include: "server.yaml"
-  when: ansible_hostname | regex_search("^dns[0-9]+\.")
-
-- name: Populate /etc/hosts
-  include: "etc_hosts.yaml"
@@ -10,23 +10,50 @@
   notify:
   - Restart named
 
+- name: Correct named directory permissions
+  ansible.builtin.file:
+    path: "{{ item }}"
+    mode: 02775
+    owner: root
+    group: bind
+  with_items:
+  - "/etc/bind"
+  - "/var/lib/bind"
+  - "/var/cache/bind"
+  notify:
+  - Restart named
+
+- name: Install named config
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: "/etc/bind/{{ item }}"
+    mode: 0660
+    owner: root
+    group: bind
+  with_items:
+  - "named.conf"
+  - "named.conf.options"
+  - "named.conf.local"
+  notify:
+  - Restart named
+
 - name: Generate magevent.net zone file
   ansible.builtin.template:
     src: magevent.net.zone.j2
-    dest: /var/named/magevent.net.zone
-    mode: 0600
+    dest: /var/lib/bind/magevent.net.zone
+    mode: 0660
     owner: root
-    group: root
+    group: bind
   notify:
   - Restart named
 
 - name: Install additional zone files
   ansible.builtin.copy:
     src: "{{ item }}"
-    dest: "/var/named/{{ item }}"
-    mode: 0600
+    dest: "/var/lib/bind/{{ item }}"
+    mode: 0660
     owner: root
-    group: root
+    group: bind
   with_items:
   - "onsite.reggie.magfest.org.zone"
   - "onsite.uber.magfest.org.zone"

@@ -37,8 +37,8 @@ www                       IN        A        10.101.22.24
 
 {% if branch == "prod" %}
 {% for item in branch_list %}
-dns1-{{ item.branch }}     IN  A   {{ (item.subnet | split('.'))[0:3] | join('.') }}.110
-dns2-{{ item.branch }}     IN  A   {{ (item.subnet | split('.'))[0:3] | join('.') }}.120
+dns1-{{ item.branch }}     IN  A   {{ (item.subnet.split('.'))[0:3] | join('.') }}.110
+dns2-{{ item.branch }}     IN  A   {{ (item.subnet.split('.'))[0:3] | join('.') }}.120
 {% endfor %}
 {% endif %}