Implement: Initial Ansible environment bootstrapping and core roles

This commit introduces the foundational Ansible playbooks, roles, and configurations for automated provisioning of both production and test environments. Key capabilities include: - **Base System Setup:** Common packages, timezone, chrony, and hostname. - **Security Hardening:** SELinux disable, SSH configuration, `dnf-automatic`, `fail2ban`, `firewalld` setup, and `journald` log limits. - **Docker & Swarm:** Docker installation and configuration, Docker Swarm initialization/joining for managers and workers, overlay network creation, and node labeling. - **Storage:** Hetzner StorageBox integration using `davfs2`. - **Directory Structure:** Creation of application and database-specific directories. This establishes a comprehensive, automated pipeline for infrastructure deployment and initial configuration.
2026-05-11 17:51:43 +03:00 · 2026-05-11 17:51:43 +03:00 · f73504c0f2
commit f73504c0f2
parent 58b6fdc605
22 changed files with 489 additions and 7 deletions
--- a/ansible/prod/ansible.cfg
+++ b/ansible/prod/ansible.cfg
@ -0,0 +1,13 @@
+[defaults]
+inventory = inventory/generated/prod.yml
+remote_user = root
+host_key_checking = False
+retry_files_enabled = False
+interpreter_python = auto_silent
+roles_path = ../roles
+
+[privilege_escalation]
+become = True
+become_method = sudo
+become_user = root
+become_ask_pass = False
--- a/ansible/prod/group_vars/all.yml
+++ b/ansible/prod/group_vars/all.yml
@ -0,0 +1,4 @@
+# Global variables for prod
+storagebox_account: "u469968"
+admin_allowed_cidrs: "127.0.0.1/8"
+timezone: "Europe/Istanbul"
--- a/ansible/prod/group_vars/prod.yml
+++ b/ansible/prod/group_vars/prod.yml
@ -0,0 +1,6 @@
+# Prod environment specific variables
+storagebox_user: "{{ storagebox_account }}-sub2" # Prod sub-account suffix
+storagebox_url: "https://{{ storagebox_user }}.your-storagebox.de/"
+storagebox_mount_point: "/mnt/storagebox"
+swarm_manager_ip: "10.20.10.11"
+# storagebox_password: "{{ vault_storagebox_password }}"
--- a/ansible/prod/prod-bootstrap.yml
+++ b/ansible/prod/prod-bootstrap.yml
@ -0,0 +1,31 @@
+---
+- name: Prod Environment Bootstrap (Common Roles)
+  hosts: all
+  become: yes
+  roles:
+    - role: base
+      tags: [base]
+    - role: hardening
+      tags: [hardening]
+    - role: docker
+      tags: [docker]
+    - role: node_dirs
+      tags: [node_dirs]
+    - role: storagebox
+      tags: [storagebox]
+
+- name: Swarm Infrastructure Setup (Prod HA)
+  hosts: iklim-app-*
+  become: yes
+  serial: 1
+  roles:
+    - role: swarm
+      tags: [swarm]
+
+# Prod'da DB node'ları da worker olarak swarm'a katılır
+- name: DB Nodes Swarm Join
+  hosts: iklim-db-*
+  become: yes
+  roles:
+    - role: swarm
+      tags: [swarm]
--- a/ansible/requirements.yml
+++ b/ansible/requirements.yml
@ -0,0 +1,5 @@
+---
+collections:
+  - name: ansible.posix
+  - name: community.general
+  - name: community.docker
--- a/ansible/roles/base/tasks/main.yml
+++ b/ansible/roles/base/tasks/main.yml
@ -0,0 +1,46 @@
+---
+- name: Update all packages
+  ansible.builtin.dnf:
+    name: "*"
+    state: latest
+    update_cache: yes
+
+- name: Install EPEL release
+  ansible.builtin.dnf:
+    name: epel-release
+    state: present
+
+- name: Install base packages
+  ansible.builtin.dnf:
+    name:
+      - curl
+      - wget
+      - git
+      - jq
+      - tar
+      - unzip
+      - bash-completion
+      - gettext
+      - tree
+      - ca-certificates
+      - fail2ban
+      - chrony
+      - python3
+      - python3-pip
+      - htop
+      - btop
+    state: present
+
+- name: Set timezone
+  community.general.timezone:
+    name: "{{ timezone }}"
+
+- name: Ensure chrony is running
+  ansible.builtin.service:
+    name: chronyd
+    state: started
+    enabled: yes
+
+- name: Set hostname
+  ansible.builtin.hostname:
+    name: "{{ inventory_hostname }}"
--- a/ansible/roles/docker/handlers/main.yml
+++ b/ansible/roles/docker/handlers/main.yml
@ -0,0 +1,5 @@
+---
+- name: Restart Docker
+  ansible.builtin.service:
+    name: docker
+    state: restarted
--- a/ansible/roles/docker/tasks/main.yml
+++ b/ansible/roles/docker/tasks/main.yml
@ -0,0 +1,47 @@
+---
+- name: Add Docker repository
+  ansible.builtin.get_url:
+    url: https://download.docker.com/linux/rhel/docker-ce.repo
+    dest: /etc/yum.repos.d/docker-ce.repo
+    mode: '0644'
+
+- name: Install Docker packages
+  ansible.builtin.dnf:
+    name:
+      - docker-ce
+      - docker-ce-cli
+      - containerd.io
+      - docker-buildx-plugin
+      - docker-compose-plugin
+    state: present
+
+- name: Ensure /etc/docker directory exists
+  ansible.builtin.file:
+    path: /etc/docker
+    state: directory
+    mode: '0755'
+
+- name: Configure Docker daemon (Log Rotation)
+  ansible.builtin.template:
+    src: daemon.json.j2
+    dest: /etc/docker/daemon.json
+    mode: '0644'
+  notify: Restart Docker
+
+- name: Ensure Docker is started and enabled
+  ansible.builtin.service:
+    name: docker
+    state: started
+    enabled: yes
+
+- name: Allow Docker traffic in firewalld
+  ansible.posix.firewalld:
+    port: "{{ item }}"
+    permanent: yes
+    immediate: yes
+    state: enabled
+  loop:
+    - 2377/tcp
+    - 7946/tcp
+    - 7946/udp
+    - 4789/udp
--- a/ansible/roles/docker/templates/daemon.json.j2
+++ b/ansible/roles/docker/templates/daemon.json.j2
@ -0,0 +1,7 @@
+{
+  "log-driver": "json-file",
+  "log-opts": {
+    "max-size": "50m",
+    "max-file": "5"
+  }
+}
--- a/ansible/roles/hardening/handlers/main.yml
+++ b/ansible/roles/hardening/handlers/main.yml
@ -0,0 +1,15 @@
+---
+- name: Restart sshd
+  ansible.builtin.service:
+    name: sshd
+    state: restarted
+
+- name: Restart fail2ban
+  ansible.builtin.service:
+    name: fail2ban
+    state: restarted
+
+- name: Restart journald
+  ansible.builtin.service:
+    name: systemd-journald
+    state: restarted
--- a/ansible/roles/hardening/tasks/main.yml
+++ b/ansible/roles/hardening/tasks/main.yml
@ -0,0 +1,70 @@
+---
+- name: Disable SELinux
+  ansible.posix.selinux:
+    state: disabled
+  register: selinux_status
+
+- name: Reboot if SELinux changed
+  ansible.builtin.reboot:
+  when: selinux_status.changed
+
+- name: Configure SSH Hardening
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+    state: present
+  loop:
+    - { regexp: "^PasswordAuthentication", line: "PasswordAuthentication no" }
+    - { regexp: "^PermitRootLogin", line: "PermitRootLogin prohibit-password" }
+    - { regexp: "^PermitEmptyPasswords", line: "PermitEmptyPasswords no" }
+    - { regexp: "^MaxAuthTries", line: "MaxAuthTries 3" }
+  notify: Restart sshd
+
+- name: Install dnf-automatic
+  ansible.builtin.dnf:
+    name: dnf-automatic
+    state: present
+
+- name: Enable dnf-automatic timer
+  ansible.builtin.systemd:
+    name: dnf-automatic.timer
+    state: started
+    enabled: yes
+
+- name: Configure fail2ban jail
+  ansible.builtin.template:
+    src: jail.local.j2
+    dest: /etc/fail2ban/jail.local
+  notify: Restart fail2ban
+
+- name: Ensure firewalld is running
+  ansible.builtin.service:
+    name: firewalld
+    state: started
+    enabled: yes
+
+- name: Configure firewalld default zone
+  ansible.builtin.shell: firewall-cmd --set-default-zone=drop
+  when: ansible_facts.services['firewalld.service'].state == 'running'
+  changed_when: false
+
+- name: Configure journald log limits
+  ansible.builtin.lineinfile:
+    path: /etc/systemd/journald.conf
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+    state: present
+  loop:
+    - { regexp: "^#?MaxRetentionSec=", line: "MaxRetentionSec=7day" }
+    - { regexp: "^#?SystemMaxUse=", line: "SystemMaxUse=500M" }
+  notify: Restart journald
+
+- name: Allow SSH in firewalld from admin CIDRs
+  ansible.posix.firewalld:
+    service: ssh
+    source: "{{ item }}"
+    state: enabled
+    permanent: yes
+    immediate: yes
+  loop: "{{ admin_allowed_cidrs.split(' ') }}"
--- a/ansible/roles/hardening/templates/jail.local.j2
+++ b/ansible/roles/hardening/templates/jail.local.j2
@ -0,0 +1,10 @@
+[DEFAULT]
+ignoreip = 127.0.0.1/8 {{ admin_allowed_cidrs }}
+bantime  = 21600
+findtime = 300
+maxretry = 5
+banaction = iptables-multiport
+backend = systemd
+
+[sshd]
+enabled = true
--- a/ansible/roles/node_dirs/tasks/main.yml
+++ b/ansible/roles/node_dirs/tasks/main.yml
@ -0,0 +1,29 @@
+---
+- name: Create base directory
+  ansible.builtin.file:
+    path: /opt/iklimco
+    state: directory
+    mode: '0755'
+
+- name: Create app specific directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: '0755'
+  loop:
+    - /opt/iklimco/ssl
+    - /opt/iklimco/init
+    - /opt/iklimco/init/postgresql
+    - /opt/iklimco/init/mongodb
+    - /opt/iklimco/stacks
+  when: inventory_hostname in groups['app']
+
+- name: Create db specific directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: '0755'
+  loop:
+    - /opt/iklimco/db
+    - /opt/iklimco/backup
+  when: inventory_hostname in groups['db']
--- a/ansible/roles/storagebox/tasks/main.yml
+++ b/ansible/roles/storagebox/tasks/main.yml
@ -0,0 +1,40 @@
+---
+- name: Install davfs2
+  ansible.builtin.dnf:
+    name: davfs2
+    state: present
+
+- name: Configure davfs2 secrets
+  ansible.builtin.lineinfile:
+    path: /etc/davfs2/secrets
+    line: "{{ storagebox_url }} {{ storagebox_user }} {{ storagebox_password }}"
+    create: yes
+    mode: "0600"
+    owner: root
+    group: root
+
+- name: Create mount point
+  ansible.builtin.file:
+    path: "{{ storagebox_mount_point }}"
+    state: directory
+    mode: "0755"
+
+- name: Add fstab entry for StorageBox
+  ansible.builtin.lineinfile:
+    path: /etc/fstab
+    line: "{{ storagebox_url }} {{ storagebox_mount_point }} davfs _netdev,auto,user,rw,uid=root,gid=root 0 0"
+    state: present
+
+- name: Mount StorageBox
+  ansible.builtin.mount:
+    path: "{{ storagebox_mount_point }}"
+    src: "{{ storagebox_url }}"
+    fstype: davfs
+    opts: "_netdev,auto,user,rw,uid=root,gid=root"
+    state: mounted
+
+- name: Write mount marker
+  ansible.builtin.copy:
+    content: "mounted by ansible"
+    dest: "{{ storagebox_mount_point }}/.mounted_marker"
+    mode: '0644'
--- a/ansible/roles/storagebox_ssh_key/tasks/main.yml
+++ b/ansible/roles/storagebox_ssh_key/tasks/main.yml
@ -0,0 +1,8 @@
+---
+- name: Generate SSH key for StorageBox
+  ansible.builtin.user:
+    name: root
+    generate_ssh_key: yes
+    ssh_key_type: ed25519
+    ssh_key_file: .ssh/id_ed25519_storagebox
+    ssh_key_comment: "{{ inventory_hostname }}-storagebox"
--- a/ansible/roles/swarm/tasks/main.yml
+++ b/ansible/roles/swarm/tasks/main.yml
@ -0,0 +1,74 @@
+---
+- name: Check if Swarm is initialized
+  ansible.builtin.shell: docker info --format '{{.Swarm.LocalNodeState}}'
+  register: swarm_status
+  changed_when: false
+
+# 1. İlk Manager'ın (Leader) başlatılması
+- name: Initialize Docker Swarm (Leader)
+  ansible.builtin.shell: >
+    docker swarm init
+    --advertise-addr {{ private_ip }}
+  when: 
+    - inventory_hostname == groups['app'][0]
+    - swarm_status.stdout != 'active'
+  register: swarm_init_result
+
+# 2. Join Token'ların alınması (Sadece Leader üzerinden)
+- name: Get Swarm Manager Join Token
+  ansible.builtin.shell: docker swarm join-token manager -q
+  register: manager_token
+  delegate_to: "{{ groups['app'][0] }}"
+  when: inventory_hostname == groups['app'][0]
+  changed_when: false
+
+- name: Get Swarm Worker Join Token
+  ansible.builtin.shell: docker swarm join-token worker -q
+  register: worker_token
+  delegate_to: "{{ groups['app'][0] }}"
+  when: inventory_hostname == groups['app'][0]
+  changed_when: false
+
+# 3. Diğer App sunucularının Manager olarak katılması (Prod HA için)
+- name: Join Swarm as Manager
+  ansible.builtin.shell: >
+    docker swarm join
+    --token {{ hostvars[groups['app'][0]]['manager_token']['stdout'] }}
+    {{ swarm_manager_ip }}:2377
+  when:
+    - inventory_hostname in groups['app']
+    - inventory_hostname != groups['app'][0]
+    - swarm_status.stdout != 'active'
+
+# 4. DB sunucularının Worker olarak katılması
+- name: Join Swarm as Worker
+  ansible.builtin.shell: >
+    docker swarm join
+    --token {{ hostvars[groups['app'][0]]['worker_token']['stdout'] }}
+    {{ swarm_manager_ip }}:2377
+  when:
+    - inventory_hostname in groups['db']
+    - swarm_status.stdout != 'active'
+
+# 5. Overlay Network oluşturulması (Sadece bir kez Leader üzerinden)
+- name: Create iklimco-net overlay network
+  community.docker.docker_network:
+    name: iklimco-net
+    driver: overlay
+    attachable: yes
+    state: present
+  delegate_to: "{{ groups['app'][0] }}"
+  run_once: true
+
+# 6. Node Etiketleri (Labels)
+- name: Label App nodes (service)
+  ansible.builtin.shell: docker node update --label-add type=service {{ inventory_hostname }}
+  delegate_to: "{{ groups['app'][0] }}"
+  when: inventory_hostname in groups['app']
+  changed_when: false
+
+- name: Label DB nodes (db)
+  ansible.builtin.shell: docker node update --label-add role=db {{ inventory_hostname }}
+  delegate_to: "{{ groups['app'][0] }}"
+  when: inventory_hostname in groups['db']
+  changed_when: false
--- a/ansible/test/ansible.cfg
+++ b/ansible/test/ansible.cfg
@ -0,0 +1,14 @@
+[defaults]
+inventory = inventory/generated/test.yml
+remote_user = root
+host_key_checking = False
+retry_files_enabled = False
+interpreter_python = auto_silent
+# Üst dizindeki ortak rolleri kullan
+roles_path = ../roles
+
+[privilege_escalation]
+become = True
+become_method = sudo
+become_user = root
+become_ask_pass = False
--- a/ansible/test/group_vars/all.yml
+++ b/ansible/test/group_vars/all.yml
@ -0,0 +1,4 @@
+# Global variables for all environments
+storagebox_account: "u469968"
+admin_allowed_cidrs: "127.0.0.1/8" # Overridden in inventory or vault
+timezone: "Europe/Istanbul"
--- a/ansible/test/group_vars/test-vault.yml
+++ b/ansible/test/group_vars/test-vault.yml
@ -0,0 +1,22 @@
+$ANSIBLE_VAULT;1.1;AES256
+39313733646339343230326361633435636632393938663537396530393131363335326664346334
+3533366238616262366665373638373030393536383962390a626532373431336632366264356261
+31336533663537303964613862336530363335616334313839363333383863323462376135636134
+3963356335393733650a393439336365343132373038393362653136353462646636396430376561
+66633161633434326265376631353734323661643830386437303631386438336536646538326465
+35653864633631656461313235316637383063656164353536336634373663353466346161623731
+38393365313439623261363732393333376266336663303565373866643135396437356339643136
+34303735336365353930353065343234373032363063356133393436383636313038643934663435
+61366635396363613537396563613235303665363230656366353739656364376636356433333766
+34323464343438356262363337303937646561366366386233353338333434633333373464373234
+31323763303366363239353537343966316439656134663033653965613635393562363663323962
+34646238386232616464343162386164626638306439346138336263386537653536336130616638
+39306366663164373235373863366237313933373633613464353364643630386666336134616364
+64363633306465323831623831323139373931393938623233636536636664353839643866393138
+37313261623737346433653535393835356635353662386632373964613832333434303739396164
+61653438326261346464316230656262393466643939636335363662383466616363333265303536
+61663337393038356165316261323035383361666266333665346363623166333434383166653936
+34396636373638656633643135316566663736363931393633393365343161636239306535623935
+38623165393963383131616261383539643234343064306366663434333166353131333431343532
+36363362303131373165646666343938663964323063643363303131336462386431396431323162
+34643539326266333236656130616134616663373966613464663136386239303861
--- a/ansible/test/group_vars/test.yml
+++ b/ansible/test/group_vars/test.yml
@ -0,0 +1,7 @@
+# Test environment specific variables
+storagebox_user: "{{ storagebox_account }}-sub4"
+storagebox_url: "https://{{ storagebox_user }}.your-storagebox.de/"
+storagebox_mount_point: "/mnt/storagebox"
+swarm_manager_ip: "10.10.10.11"
+admin_allowed_cidrs: "78.187.87.109/32 95.70.151.248/32"
+# storagebox_password: "{{ vault_storagebox_password }}" # In test-vault.yml
--- a/ansible/test/inventory/generated/test.yml
+++ b/ansible/test/inventory/generated/test.yml
@ -1,14 +1,14 @@
 "all":
  "children":
+    "app":
+      "hosts":
+        "iklim-app-01":
+          "ansible_host": "167.235.194.61"
+          "ansible_user": "root"
+          "private_ip": "10.10.10.11"
    "db":
      "hosts":
        "iklim-db-01":
-          "ansible_host": "167.235.194.61"
-          "ansible_user": "root"
-          "private_ip": "10.10.20.11"
-    "swarm":
-      "hosts":
-        "iklim-app-01":
          "ansible_host": "167.235.205.93"
          "ansible_user": "root"
-          "private_ip": "10.10.10.11"
+          "private_ip": "10.10.20.11"
--- a/ansible/test/test-bootstrap.yml
+++ b/ansible/test/test-bootstrap.yml
@ -0,0 +1,25 @@
+---
+- name: Test Environment Bootstrap (Common Roles)
+  hosts: all
+  become: yes
+  roles:
+    - role: base
+      tags: [base]
+    - role: hardening
+      tags: [hardening]
+    - role: docker
+      tags: [docker]
+    - role: node_dirs
+      tags: [node_dirs]
+    - role: storagebox
+      tags: [storagebox]
+    - role: storagebox_ssh_key
+      tags: [storagebox_ssh_key]
+
+- name: Swarm Infrastructure Setup
+  hosts: all
+  become: yes
+  serial: 1 # Manager'in önce bitmesi ve token'i worker'a vermesi için
+  roles:
+    - role: swarm
+      tags: [swarm]