- add rundeck account on all hosts except rundeck - add rundeck ssh private/public key to rundeck server
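---
# Hiera data for the Rundeck server host: which profiles to apply, the nginx
# TLS front-end, the Consul service registration, authentication realms
# (file + LDAP), key storage backends, projects and ACL policies.

hiera_include:
  - profiles::rundeck::server
  - profiles::nginx::simpleproxy

# The shared "rundeck" login account is rolled out to every other host; the
# server itself must not get it.
hiera_exclude:
  - profiles::accounts::rundeck

profiles::packages::exclude:
  - jq

# Principals the host SSH certificate is signed for; keep in step with the
# nginx aliases and the PKI alt_names below.
profiles::ssh::sign::principals:
  - rundeck.main.unkin.net
  - rundeck.service.consul
  - rundeck.query.consul

# manage a simple nginx reverse proxy
# nginx terminates TLS and forwards to the Rundeck web UI on the local
# Grails port (4440).
profiles::nginx::simpleproxy::nginx_vhost: 'rundeck.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
  - rundeck.main.unkin.net
  - rundeck.service.consul
  - rundeck.query.consul
  - "rundeck.service.%{facts.country}-%{facts.region}.consul"

profiles::nginx::simpleproxy::proxy_port: 4440
profiles::nginx::simpleproxy::proxy_path: '/'
nginx::client_max_body_size: 20M

# additional altnames
# SANs for the Vault-issued server certificate; must match every name the
# proxy answers on, otherwise clients get a name mismatch.
profiles::pki::vault::alt_names:
  - rundeck.main.unkin.net
  - rundeck.service.consul
  - rundeck.query.consul
  - "rundeck.service.%{facts.country}-%{facts.region}.consul"

# configure consul service
consul::services:
  rundeck:
    service_name: 'rundeck'
    tags:
      - 'automation'
      - 'rundeck'
    address: "%{facts.networking.ip}"
    # The advertised port is the nginx TLS listener, not Rundeck's own port.
    port: 443
    checks:
      # Check id/name were copied from the glauth service; renamed so the
      # check is attributable to rundeck in the Consul UI and API.
      - id: 'rundeck_http_check'
        name: 'rundeck HTTP Check'
        # NOTE(review): this probes Rundeck directly on 4440 over plain http,
        # so it bypasses the nginx listener that is actually advertised on
        # port 443 above — the service stays "passing" even if nginx is down.
        http: "http://%{facts.networking.fqdn}:4440"
        method: 'GET'
        # NOTE(review): only meaningful for https checks; harmless here, but
        # it would silently disable certificate verification if the URL
        # above is ever switched to https. Confirm it is wanted.
        tls_skip_verify: true
        interval: '10s'
        timeout: '1s'

# Consul ACL rule for the local agent — presumably what lets it register the
# "rundeck" service above; confirm against the client profile.
profiles::consul::client::node_rules:
  - resource: service
    segment: rundeck
    disposition: write

profiles::rundeck::server::mysql_backend: true
profiles::rundeck::server::mysql_host: 'mariadb-prod.service.au-syd1.consul'
profiles::rundeck::server::grails_server_url: 'https://rundeck.service.consul'

profiles::rundeck::server::auth_config:
  # Local file realm, consulted first; a successful file login is sufficient
  # on its own, so the admin below can still log in if LDAP is unavailable.
  file:
    auth_flag: 'sufficient'
    jaas_config:
      file: '/etc/rundeck/realm.properties'
    realm_config:
      admin_user: 'admin'
      # Resolved from hiera at catalog compile time; the backing key should
      # live in an encrypted hiera backend, not plaintext data — verify.
      admin_password: "%{hiera('rundeck_admin_pass')}"
  ldap:
    jaas_config:
      # NOTE(review): JAAS LDAP debug output can include bind details in the
      # service log; presumably left on for bring-up — confirm before this
      # is considered production.
      debug: 'true'
      # NOTE(review): plain ldap:// on 389 with a simple bind sends the
      # service account password and user passwords in the clear unless the
      # path to ldap.service.consul is otherwise protected (StartTLS, ldaps
      # on 636, or an encrypted mesh) — confirm which applies.
      providerUrl: 'ldap://ldap.service.consul:389'
      bindDn: 'cn=svc_rundeck,ou=services,ou=users,dc=main,dc=unkin,dc=net'
      bindPassword: "%{hiera('ldap_bindpass')}"
      authenticationMethod: 'simple'
      # Users are authenticated by binding as themselves rather than by
      # comparing a fetched password attribute.
      forceBindingLogin: 'true'
      userBaseDn: 'ou=people,ou=users,dc=main,dc=unkin,dc=net'
      userRdnAttribute: 'uid'
      userIdAttribute: 'uid'
      userPasswordAttribute: 'userPassword'
      userObjectClass: 'posixAccount'
      # Group membership drives the ACL "by: group" matches further down.
      roleBaseDn: 'ou=groups,dc=main,dc=unkin,dc=net'
      roleNameAttribute: 'uid'
      roleMemberAttribute: 'uniqueMember'
      roleObjectClass: 'groupOfUniqueNames'
      nestedGroups: 'true'

profiles::rundeck::server::key_storage_config:
  # Default key storage in the database.
  - type: 'db'
    path: 'keys'
  # Keys under /vault are read from Vault's "rundeck" KV v2 mount using an
  # AppRole. Only the role id is set here; the matching secret id is not in
  # this file — presumably supplied by the server profile, confirm.
  - type: 'vault-storage'
    path: 'vault'
    config:
      prefix: 'rundeck'
      address: 'https://vault.query.consul:8200'
      storageBehaviour: 'vault'
      secretBackend: rundeck
      engineVersion: '2'
      authBackend: approle
      approleAuthMount: approle
      approleId: "%{hiera('vault::roleid')}"

profiles::rundeck::server::cli_projects:
  Self-Service:
    update_method: 'set'
    config:
      project.description: 'self-service tasks'
      project.disable.executions: 'false'
  Infrastructure:
    config:
      project.description: 'infrastructure management'
      project.disable.schedule: 'false'

# ACL policies. Rundeck denies by default; each policy below only grants.
# Group names must match the LDAP group names exactly or the policy never
# applies (fails closed).
profiles::rundeck::server::acl_policies:
  # rundeck_globaladmin: full application-level access plus every project
  # (the '.*' context matches all projects, present and future).
  global_admin_policy:
    acl_policies:
      - description: 'Global Admin, all access'
        context:
          application: "rundeck"
        for:
          project:
            - allow: '*'
          resource:
            - allow: '*'
          storage:
            - allow: '*'
        by:
          - group: ['rundeck_globaladmin']
      - description: 'Global Admin, all access'
        context:
          project: '.*'
        for:
          resource:
            - allow: '*'
          adhoc:
            - allow: '*'
          job:
            - allow: '*'
          node:
            - allow: '*'
        by:
          - group: ['rundeck_globaladmin']
  # Self-Service project: admins get everything, users may read and run only.
  selfservice_admin_policy:
    acl_policies:
      - description: 'Admin, all access for Self-Service project'
        context:
          project: 'Self-Service'
        for:
          resource:
            - allow: '*'
          adhoc:
            - allow: '*'
          job:
            - allow: '*'
          node:
            - allow: '*'
        by:
          # NOTE(review): "selfserice" (missing "v") is inconsistent with the
          # infrastructure groups below. Left as-is because the LDAP group may
          # carry the same spelling — verify against ou=groups; if the LDAP
          # group is spelled "selfservice" nobody currently matches this policy.
          - group: ['rundeck_selfserice_admin']
  selfservice_user_policy:
    acl_policies:
      - description: 'Users can execute tasks but not edit for Self-Service project'
        context:
          project: 'Self-Service'
        for:
          resource:
            - allow: ['read']
          adhoc:
            - allow: ['run']
          job:
            - allow: ['read', 'run']
          node:
            - allow: ['read', 'run']
        by:
          # NOTE(review): same "selfserice" spelling as the admin group above.
          - group: ['rundeck_selfserice_user']
  # Infrastructure project: same admin/user split as Self-Service.
  infrastructure_admin_policy:
    acl_policies:
      - description: 'Admin, all access for Infrastructure project'
        context:
          project: 'Infrastructure'
        for:
          resource:
            - allow: '*'
          adhoc:
            - allow: '*'
          job:
            - allow: '*'
          node:
            - allow: '*'
        by:
          - group: ['rundeck_infrastructure_admin']
  infrastructure_user_policy:
    acl_policies:
      - description: 'Users can execute tasks but not edit for Infrastructure project'
        context:
          project: 'Infrastructure'
        for:
          resource:
            - allow: ['read']
          adhoc:
            - allow: ['run']
          job:
            - allow: ['read', 'run']
          node:
            - allow: ['read', 'run']
        by:
          - group: ['rundeck_infrastructure_user']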