add ansible playbook

Author: vitabaks

ansible.cfg

@@ -0,0 +1,14 @@
+[defaults]
+inventory = ./inventory
+display_skipped_hosts = false
+remote_tmp = /tmp/${USER}/ansible
+host_key_checking = false
+timeout=60
+
+[persistent_connection]
+retries = 3
+connect_timeout = 60
+command_timeout = 30
+
+
+# https://raw.githubusercontent.com/ansible/ansible/devel/examples/ansible.cfg

deploy_pgcluster.yml

@@ -0,0 +1,73 @@
+---
+
+- name: Deploy PostgreSQL High-Availability Cluster (based on "Patroni" and "DCS(etcd)")
+  hosts: postgres-cluster
+  become: true
+  become_method: sudo
+  any_errors_fatal: true
+  gather_facts: true
+  vars_files: 
+    - vars/main.yml
+    - "vars/{{ ansible_os_family }}.yml"
+
+
+  pre_tasks:
+    - import_tasks: tasks/check_system.yml
+
+    - import_tasks: tasks/add-repository.yml
+      tags: [ add_repo, configure ]
+
+    - import_tasks: tasks/packages.yml
+      tags: [ install_packages, install_postgres ]
+
+    - import_tasks: tasks/sudo.yml
+      tags: [ sudo, postgres_sudo, configure ]
+
+    - import_tasks: tasks/configure.yml
+      tags: configure
+      
+  roles:
+    - role: ansible-role-firewall
+      tags: firewall
+
+  tasks:
+    - meta: flush_handlers
+    
+    - import_tasks: tasks/etcd.yml
+      when: dcs_exists == "false" and dcs_type == "etcd"
+      tags: [ etcd, etcd_cluster ]
+
+    - import_tasks: tasks/patroni.yml
+      tags: patroni
+
+    - import_tasks: tasks/pgbouncer.yml
+      when: install_pgbouncer == "true"
+      tags: pgbouncer
+
+    - import_tasks: tasks/haproxy.yml
+      when: with_haproxy_load_balancing == "true" and cluster_vip | length > 0
+      tags: [ haproxy, load_balancing ]
+
+    - import_tasks: tasks/vip-manager.yml
+      when: with_haproxy_load_balancing != "true" and cluster_vip | length > 0
+      tags: [ vip, vip_manager ]
+
+    # optional
+    - import_tasks: tasks/postgresql-users.yml
+      when: is_master == "true" and postgresql_users | length > 0
+      tags: postgresql_users
+
+    - import_tasks: tasks/postgresql-databases.yml
+      when: is_master == "true" and postgresql_databases | length > 0
+      tags: postgresql_databases
+
+    - import_tasks: tasks/postgresql-extensions.yml
+      when: is_master == "true" and postgresql_extensions | length > 0
+      tags: postgresql_extensions
+
+    # finish (info)
+    - import_tasks: tasks/deploy_finish.yml
+      tags: [ cluster_info, cluster_status ]
+
+      
+

files/requirements.txt

@@ -0,0 +1,15 @@
+psycopg2>=2.8
+urllib3>=1.19.1,!=1.21,<1.25
+boto
+PyYAML
+requests
+six >= 1.7
+kazoo>=1.3.1
+python-etcd>=0.4.3,<0.5
+python-consul>=0.7.0
+click>=4.1
+prettytable>=0.7
+tzlocal
+python-dateutil
+psutil>=2.0.0
+cdiff

files/vip-manager

@@ -0,0 +1,4 @@
+---
+
+is_master: 'true'
+postgresql_exists: 'false'

group_vars/master

@@ -0,0 +1,4 @@
+---
+
+is_master: 'false'
+postgresql_exists: 'false'

group_vars/replica

@@ -0,0 +1,28 @@
+# This is example inventory file!
+# Please specify the ip addresses and connection settings for your environment
+
+# "postgresql_exists='true'" if PostgreSQL is already exists and runing
+# "hostname=" variable is optional (used to change the server name)
+
+[master]
+10.128.64.140 postgresql_exists='false' hostname=pgnode01
+
+[replica]
+10.128.64.142 hostname=pgnode02
+10.128.64.143 hostname=pgnode03
+
+
+[postgres-cluster:children]
+master
+replica
+
+
+# Connection settings
+[all:vars]
+ansible_connection='ssh'
+ansible_ssh_port='22'
+ansible_user='root'
+ansible_ssh_pass='testpas'  # "sshpass" package is required for use "ansible_ssh_pass"
+#ansible_ssh_private_key_file=
+# ansible_python_interpreter='/usr/bin/python3'  # is required for use python3
+

inventory

@@ -0,0 +1,3 @@
+*.retry
+*/__pycache__
+*.pyc

roles/ansible-role-firewall/.gitignore

@@ -0,0 +1,30 @@
+---
+language: python
+services: docker
+
+env:
+  global:
+    - ROLE_NAME: firewall
+  matrix:
+    - MOLECULE_DISTRO: centos7
+    - MOLECULE_DISTRO: centos6
+    - MOLECULE_DISTRO: ubuntu1804
+    - MOLECULE_DISTRO: ubuntu1604
+    - MOLECULE_DISTRO: debian9
+
+install:
+  # Install test dependencies.
+  - pip install molecule docker
+
+before_script:
+  # Use actual Ansible Galaxy role name for the project directory.
+  - cd ../
+  - mv ansible-role-$ROLE_NAME geerlingguy.$ROLE_NAME
+  - cd geerlingguy.$ROLE_NAME
+
+script:
+  # Run tests.
+  - molecule test
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

roles/ansible-role-firewall/.travis.yml

@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 Jeff Geerling
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

roles/ansible-role-firewall/LICENSE

@@ -0,0 +1,93 @@
+# Ansible Role: Firewall (iptables)
+
+[![Build Status](https://travis-ci.org/geerlingguy/ansible-role-firewall.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-firewall)
+
+Installs an iptables-based firewall for Linux. Supports both IPv4 (`iptables`) and IPv6 (`ip6tables`).
+
+This firewall aims for simplicity over complexity, and only opens a few specific ports for incoming traffic (configurable through Ansible variables). If you have a rudimentary knowledge of `iptables` and/or firewalls in general, this role should be a good starting point for a secure system firewall.
+
+After the role is run, a `firewall` init service will be available on the server. You can use `service firewall [start|stop|restart|status]` to control the firewall.
+
+## Requirements
+
+None.
+
+## Role Variables
+
+Available variables are listed below, along with default values (see `defaults/main.yml`):
+
+    firewall_state: started
+    firewall_enabled_at_boot: true
+
+Controls the state of the firewall service; whether it should be running (`firewall_state`) and/or enabled on system boot (`firewall_enabled_at_boot`).
+
+    firewall_allowed_tcp_ports:
+      - "22"
+      - "80"
+      ...
+    firewall_allowed_udp_ports: []
+
+A list of TCP or UDP ports (respectively) to open to incoming traffic.
+
+    firewall_forwarded_tcp_ports:
+      - { src: "22", dest: "2222" }
+      - { src: "80", dest: "8080" }
+    firewall_forwarded_udp_ports: []
+
+Forward `src` port to `dest` port, either TCP or UDP (respectively).
+
+    firewall_additional_rules: []
+    firewall_ip6_additional_rules: []
+
+Any additional (custom) rules to be added to the firewall (in the same format you would add them via command line, e.g. `iptables [rule]`/`ip6tables [rule]`). A few examples of how this could be used:
+
+    # Allow only the IP 167.89.89.18 to access port 4949 (Munin).
+    firewall_additional_rules:
+      - "iptables -A INPUT -p tcp --dport 4949 -s 167.89.89.18 -j ACCEPT"
+    
+    # Allow only the IP 214.192.48.21 to access port 3306 (MySQL).
+    firewall_additional_rules:
+      - "iptables -A INPUT -p tcp --dport 3306 -s 214.192.48.21 -j ACCEPT"
+
+See [Iptables Essentials: Common Firewall Rules and Commands](https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands) for more examples.
+
+    firewall_log_dropped_packets: true
+
+Whether to log dropped packets to syslog (messages will be prefixed with "Dropped by firewall: ").
+
+    firewall_disable_firewalld: false
+    firewall_disable_ufw: false
+
+Set to `true` to disable firewalld (installed by default on RHEL/CentOS) or ufw (installed by default on Ubuntu), respectively.
+
+## Dependencies
+
+None.
+
+## Example Playbook
+
+    - hosts: server
+      vars_files:
+        - vars/main.yml
+      roles:
+        - { role: geerlingguy.firewall }
+
+*Inside `vars/main.yml`*:
+
+    firewall_allowed_tcp_ports:
+      - "22"
+      - "25"
+      - "80"
+
+## TODO
+
+  - Make outgoing ports more configurable.
+  - Make other firewall features (like logging) configurable.
+
+## License
+
+MIT / BSD
+
+## Author Information
+
+This role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).

roles/ansible-role-firewall/README.md

@@ -0,0 +1,19 @@
+---
+firewall_state: started
+firewall_enabled_at_boot: true
+
+firewall_allowed_tcp_ports:
+  - "22"
+  - "25"
+  - "80"
+  - "443"
+firewall_allowed_udp_ports: []
+firewall_forwarded_tcp_ports: []
+firewall_forwarded_udp_ports: []
+firewall_additional_rules: []
+firewall_ip6_additional_rules: []
+firewall_log_dropped_packets: true
+
+# Set to true to ensure other firewall management software is disabled.
+firewall_disable_firewalld: false
+firewall_disable_ufw: false

roles/ansible-role-firewall/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+- name: restart firewall
+  service: name=firewall state=restarted

roles/ansible-role-firewall/handlers/main.yml

@@ -0,0 +1,26 @@
+---
+dependencies: []
+
+galaxy_info:
+  author: geerlingguy
+  description: Simple iptables firewall for most Unix-like systems.
+  company: "Midwestern Mac, LLC"
+  license: "license (BSD, MIT)"
+  min_ansible_version: 2.4
+  platforms:
+    - name: EL
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+    - name: Ubuntu
+      versions:
+        - all
+  galaxy_tags:
+    - networking
+    - system
+    - security
+    - firewall
+    - iptables
+    - tcp

roles/ansible-role-firewall/meta/main.yml

@@ -0,0 +1,42 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+lint:
+  name: yamllint
+  options:
+    config-file: molecule/default/yaml-lint.yml
+platforms:
+  - name: instance
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    pre_build_image: true
+provisioner:
+  name: ansible
+  lint:
+    name: ansible-lint
+  playbooks:
+    converge: ${MOLECULE_PLAYBOOK:-playbook.yml}
+scenario:
+  name: default
+  test_sequence:
+    - lint
+    - destroy
+    - dependency
+    - syntax
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - check
+    - side_effect
+    - verify
+    - destroy
+verifier:
+  name: testinfra
+  lint:
+    name: flake8