If you're me, then you would have thought you were a right jammy genius setting up a code-server that also had ansible installed in there. You could edit your playbooks, make easy modifications and get all the other fancy goodness that comes from using VS Code, in your browser, with a nice centralised location to do all your ansible things. What's not to like? Nothing. It is ruddy genius.
BUT
Have y'all heard of Ansible Tower? Course you have. For my own benefit though, Ansible Tower is a pretty fancy web GUI that allows a bunch of automation and "stuff" for ansible. I was under the impression it required monies, and being the poor cat I am, had to forego the use of such a fascinating looking tool. That is, until I stumbled upon this guy's blog post. Go read it. Credit where credit's due.
Anyway. Turns out Red Hat have open sourced Ansible Tower (as AWX), and will then take certain versions that they harden and provide support for in production environments. Brilliant. I set up an instance for myself. I mostly used David's guide, with some caveats that I'll be detailing mostly for myself so I can copy/paste things if I need to in the future. The thing that really tickles me about this installation though is that all the heavy lifting is done by an ansible playbook. Meta up in here. I did see an option for LDAP authentication so I'll definitely be hooking it up (or trying to at least) to my domain. We'll see how that goes. Anyways. The install instructions below are only partially plagiarised from David's guide and the official install documentation.
Install Docker Engine and Docker Compose. Optionally, add your user to the docker group.
usermod -aG docker <username>
Check your docker compose version by
docker-compose version
If you didn't add your user to the docker group, you'll need to sudo. Make a note of your version number. In my case, the version was xxxxxx. Note it down; I'm not sure how super important this step is. You'll see why in a moment.
Install Ansible.
Now we need nodejs and npm. On Debian 10, npm doesn't install automatically when you install nodejs so we need to specify both.
sudo apt install -y nodejs npm
For some reason we need to add the npm package globally as well. Could be wrong about this though. Give it a miss and see what happens.
sudo npm install npm --global
sudo apt remove docker-py
sudo apt install -y python3-pip
sudo pip3 install docker-compose==xxxx
So. Here we're removing docker-py because the install docs say so. Then we need to install the docker compose python module. Here's where things get a little weird. Remember where I said to note the version number? Well, you're supposed to put that version number where I put xxxx, but searching for my version number shows nothing available for it, so I went down to the latest available version. Seems to work fine for me.
Cool. On to the easy bit. Grab the code from the awx git repo and cd into awx/installer/
Generate a secret. You can do this in ye olde terminal by
pwgen -N 1 -s 30
Or just generate one using a password manager of your choice. Make a note of it.
Open up the inventory file in your editor of choice (as long as it's not emacs) and edit any values you fancy. The ones I edited were
admin_password=password:)
secret_key=secretKeyWeGeneratedEarlier
pg_password=iWantedADifferentPassword
After that, run the playbook in the directory as root. Ooooooh. Scary.
sudo su
ansible-playbook -i inventory install.yml
You are going to read the playbook first though yeah? See what's popping and that before you let it go to town on your poor defenseless vm? Yeah? Cool.
After a few, it'll probably act like it's all done and stuff. So off you go to the IP address of the VM and lo and behold, you see an updating screen. Neato, you say, and off you go to have a cheeky powernap. Later you decide to have a playaround and.... what is this? Still updating? Nah fam. You had your chance. Easy fix.
cd ~/.awx/
docker-compose stop
# change back to the install directory
sudo su
ansible-playbook -i inventory install.yml
Give it a few and magically things will now work. Above I said to change to ~/.awx. This is in contrast to David's guide. That's because I didn't change any of the default directories. I provision all my VMs with a "deploy" user, and any services I run get deployed under this user. Makes it easy for me to troubleshoot things no matter what VM I'm in.
Now what? Well, I off-loaded SSL to my pfSense box because I do like seeing that padlock on my browser. I could have added a dedicated cert, but why bother when my way is easier? (Bear in mind the hop from pfSense to the AWX host is then plain HTTP, so that leg wants to be on a network you trust.)
Next up. LDAP/Active Directory. I never look forward to this. It's never fun or easy. I'm following the helpful docs here but it no work. So the next idea is to look at log files, which according to here are available in /var/log/tower and /var/log/supervisor/. Well, turns out they're not, but that's probably because I'm looking in the wrong place. Ok, what about in the containers? Logical idea. Well. Looked in both and I can see the tower directory, with log files. Looked in all of them and found nothing of note :/
Ok. Well, what did we learn from our foray into rancher and active directory? KILL ZE FIREWALL! Une momente... Is no work. I have this link to peruse when I want to try this again. I'm off to do something less annoying.
Update: The final link I included prior to this update had the perfect solution. Some tinkering is required for your own OU/Group schema, but once set up with admins, users, auditors and helpdesk, it all just works fine. Which means I can now start actually using it.
Quick run through of the settings.
Have a user that can do ldap searches.
Create the following groups:
- tower_lab_users
- tower_lab_auditors
- tower_lab_admins
- tower_lab_team_helpdesk
Use the following query in Active Directory to obtain the distinguished names. (Small nitpick with the guide I linked. The powershell command uses the wrong search query. No real biggie, but good thing I've been brushing up on my powershell :3)
get-adgroup -Filter {Name -like "tower_lab_*"} | ft distinguishedName
LDAP USER SEARCH
[
"DC=<blanked>,DC=COM",
"SCOPE_SUBTREE",
"(sAMAccountName=%(user)s)"
]
LDAP GROUP SEARCH
[
"DC=<blanked>,DC=COM",
"SCOPE_SUBTREE",
"(objectClass=users)"
]
LDAP USER ATTRIBUTE MAP
{
"first_name": "givenname",
"last_name": "sn",
"email": "mail"
}
LDAP USER FLAGS BY GROUP
{
"is_superuser": [
"CN=tower_lab_admins,CN=Users,DC=<blanked>,DC=COM"
],
"is_system_auditor": [
"CN=tower_lab_auditors,CN=Users,DC=<blanked>,DC=COM"
]
}
LDAP ORGANIZATION MAP
{
"LDAP Lab": {
"users": [
"CN=tower_lab_auditors,CN=Users,DC=<blanked>,DC=COM",
"CN=tower_lab_users,CN=Users,DC=<blanked>,DC=COM",
"CN=tower_lab_helpdesk,CN=Users,DC=<blanked>,DC=COM"
],
"remove_admins": true,
"admins": "CN=tower_lab_admins,CN=Users,DC=<blanked>,DC=COM"
}
}
LDAP TEAM MAP
{
"LDAP Lab Admins": {
"users": "CN=tower_lab_admins,CN=Users,DC=<blanked>,DC=COM",
"remove": true,
"organization": "<blanked>.COM"
},
"LDAP Lab Auditors": {
"users": "CN=tower_lab_auditors,CN=Users,DC=<blanked>,DC=COM",
"remove": true,
"organization": "<blanked>.COM"
},
"LDAP Lab Users": {
"users": "CN=tower_lab_users,CN=Users,DC=<blanked>,DC=COM",
"remove": true,
"organization": "<blanked>.COM"
},
"LDAP Lab HelpDesk": {
"users": "CN=tower_lab_helpdesk,CN=Users,DC=<blanked>,DC=COM",
"remove": true,
"organization": "<blanked>.COM"
}
}
This should be enough to get a functioning connection working.
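Since there were no useful logs to be had while this wasn't working, here is an added example (my own, not code from the post or from AWX) that dry-runs the maps above on your own machine: it builds the exact user search filter AWX would send for a login name, and works out which flags and organization roles a user with a given memberOf would receive. It approximates how AWX evaluates the maps rather than calling AWX itself, DC=LAB,DC=COM stands in for the blanked domain, and the memberOf values are constructed rather than pulled from a real directory.

```python
# Added example, not from the original post: a local dry run of the LDAP maps
# above so you can see which flags and org roles a login gets before touching
# AWX. Values are the post's; DC=LAB,DC=COM stands in for the blanked domain
# and the memberOf lists passed in are constructed, not read from a directory.
import re

BASE = "DC=LAB,DC=COM"
USER_SEARCH_FILTER = "(sAMAccountName=%(user)s)"
USER_FLAGS_BY_GROUP = {
    "is_superuser": [f"CN=tower_lab_admins,CN=Users,{BASE}"],
    "is_system_auditor": [f"CN=tower_lab_auditors,CN=Users,{BASE}"],
}
ORGANIZATION_MAP = {
    "LDAP Lab": {
        "users": [f"CN=tower_lab_auditors,CN=Users,{BASE}",
                  f"CN=tower_lab_users,CN=Users,{BASE}",
                  f"CN=tower_lab_helpdesk,CN=Users,{BASE}"],
        "remove_admins": True,
        "admins": f"CN=tower_lab_admins,CN=Users,{BASE}",
    }
}

def escape_filter_value(value):
    """RFC 4515 escaping of a filter assertion value. AWX's LDAP backend
    (django-auth-ldap) escapes %(user)s the same way, so filter metacharacters
    in a login name cannot rewrite the search filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def build_user_filter(username):
    """The filter AWX would send for this login (LDAP USER SEARCH above)."""
    return USER_SEARCH_FILTER % {"user": escape_filter_value(username)}

def is_member(member_of, dns):
    """True if any DN in dns (a string or a list) is in the user's memberOf."""
    dns = dns if isinstance(dns, list) else [dns]
    groups = {g.lower() for g in member_of}  # DN matching is case-insensitive
    return any(d.lower() in groups for d in dns)

def resolve_user(member_of):
    """Flags and per-organization roles the maps grant for a given memberOf.
    With remove/remove_admins set, a False here means the role is taken away
    at the next login, not merely left alone."""
    flags = {f: is_member(member_of, g) for f, g in USER_FLAGS_BY_GROUP.items()}
    orgs = {org: {"user": is_member(member_of, r["users"]),
                  "admin": is_member(member_of, r["admins"])}
            for org, r in ORGANIZATION_MAP.items()}
    return {"flags": flags, "orgs": orgs}
```

The team map uses the same `users`/`remove` semantics as the organization map, so the same `is_member` check applies to it.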