Ansible Tower (AWX)

Automatic Configuration Management

Plan

Base vm and AWX install

Deploy base CentOS template.

Follow the nice install instructions by MrMEEE

Open port 8052 for the http interface and set a sensible admin password.

firewall-cmd --zone=public --add-port=8052/tcp --permanent
firewall-cmd --reload

LDAP prep

Create the following groups on FreeIPA if you want to fully use LDAP to manage all possible roles.

awx-superusers
awx-orgadmins
awx-orgusers
awx-orgdeployers
awx-users

AWX requires a bind user, so if you haven't already, create a bind user with a password but no group memberships or extra rights.

Add the user you want to log on to AWX with to the awx-superusers and awx-users groups.

AWX LDAP Auth configuration

Log on to AWX with your default admin account. Go to Administration->Settings->Authentication->Authentication and configure it to use FreeIPA users and groups.

LDAP SERVER URI
ldap://freeipa.lan.example.com:389

LDAP USER DN TEMPLATE
uid=%(user)s,cn=users,cn=accounts,dc=lan,dc=example,dc=com

LDAP DENY GROUP

LDAP BIND DN
uid=binduser,cn=users,cn=accounts,dc=lan,dc=example,dc=com

LDAP GROUP TYPE
MemberDNGroupType

LDAP BIND PASSWORD
pw for binduser

LDAP REQUIRE GROUP
cn=awx-users,cn=groups,cn=accounts,dc=lan,dc=example,dc=com

LDAP USER SEARCH
[]

LDAP GROUP SEARCH
[
 "cn=groups,cn=accounts,dc=lan,dc=example,dc=com",
 "SCOPE_SUBTREE",
 "(objectClass=groupOfNames)"
]

LDAP USER ATTRIBUTE MAP
{
 "first_name": "givenName",
 "last_name": "sn",
 "email": "mail"
}

LDAP GROUP TYPE PARAMETERS
{
 "member_attr": "member",
 "name_attr": "cn"
}

LDAP USER FLAGS BY GROUP
{
 "is_superuser": "CN=awx-superusers,cn=groups,cn=accounts,dc=lan,dc=example,dc=com"
}

LDAP ORGANIZATION MAP (untested at the moment; group DNs follow the same cn=groups,cn=accounts layout as the other FreeIPA groups above)
{
 "EXAMPLEORG":{
  "admins":"cn=awx-orgadmins,cn=groups,cn=accounts,dc=lan,dc=example,dc=com",
  "users":"cn=awx-orgusers,cn=groups,cn=accounts,dc=lan,dc=example,dc=com",
  "remove_admins":false,
  "remove_users":false
 }
}

LDAP TEAM MAP (untested at the moment)
{
 "DEPLOYMENT_TEAM": {
  "organization": "EXAMPLEORG",
  "users": "cn=awx-orgdeployers,cn=groups,cn=accounts,dc=lan,dc=example,dc=com",
  "remove": true
 }
}
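A mistake that is easy to make with these settings is a group DN that lies outside the LDAP GROUP SEARCH base (for example a DN copied from an Active Directory example), which AWX silently never matches, so the user simply gets no role. The following is an added example, not part of the original page or of AWX itself: an offline consistency check over the settings as entered above (re-typed as a Python dict, with the page's example directory dc=lan,dc=example,dc=com). It verifies the user DN template carries the %(user)s placeholder and that every group DN referenced by the require-group, flag, organization and team maps sits under the group search base.

```python
import re

# The AWX LDAP settings from this page, re-typed as a plain dict so they can be
# checked offline. DN values are the page's example directory (dc=lan,dc=example,dc=com).
PAGE_SETTINGS = {
    "LDAP_USER_DN_TEMPLATE": "uid=%(user)s,cn=users,cn=accounts,dc=lan,dc=example,dc=com",
    "LDAP_GROUP_SEARCH": ["cn=groups,cn=accounts,dc=lan,dc=example,dc=com",
                          "SCOPE_SUBTREE", "(objectClass=groupOfNames)"],
    "LDAP_REQUIRE_GROUP": "cn=awx-users,cn=groups,cn=accounts,dc=lan,dc=example,dc=com",
    "LDAP_USER_FLAGS_BY_GROUP": {
        "is_superuser": "CN=awx-superusers,cn=groups,cn=accounts,dc=lan,dc=example,dc=com"},
    "LDAP_ORGANIZATION_MAP": {"EXAMPLEORG": {
        "admins": "cn=awx-orgadmins,cn=groups,cn=accounts,dc=lan,dc=example,dc=com",
        "users": "cn=awx-orgusers,cn=groups,cn=accounts,dc=lan,dc=example,dc=com",
        "remove_admins": False, "remove_users": False}},
    "LDAP_TEAM_MAP": {"DEPLOYMENT_TEAM": {
        "organization": "EXAMPLEORG",
        "users": "cn=awx-orgdeployers,cn=groups,cn=accounts,dc=lan,dc=example,dc=com",
        "remove": True}},
}


def split_dn(dn):
    """Split a DN string into (attribute, value) RDN pairs, top-level component last.
    Attribute names are lower-cased; escaped commas (\\,) inside values are preserved."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN %r in DN %r" % (part, dn))
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def dn_is_under(dn, base):
    """True when dn equals base or lies beneath it. Attribute names and values are
    compared case-insensitively, which is how FreeIPA treats cn and dc values."""
    d, b = split_dn(dn), split_dn(base)
    if len(d) < len(b):
        return False
    tail = [(a, v.casefold()) for a, v in d[len(d) - len(b):]]
    return tail == [(a, v.casefold()) for a, v in b]


def group_dns_in_maps(settings):
    """Collect every group DN the flag, organization and team maps refer to.
    AWX accepts a DN string, a list of DNs, or a boolean in these slots; booleans
    (True = everyone, False = nobody) name no group and are skipped."""
    found = []

    def take(value):
        if isinstance(value, str):
            found.append(value)
        elif isinstance(value, list):
            found.extend(v for v in value if isinstance(v, str))

    for dn in settings.get("LDAP_USER_FLAGS_BY_GROUP", {}).values():
        take(dn)
    for org in settings.get("LDAP_ORGANIZATION_MAP", {}).values():
        take(org.get("admins"))
        take(org.get("users"))
    for team in settings.get("LDAP_TEAM_MAP", {}).values():
        take(team.get("users"))
    return found


def check_settings(settings):
    """Return a list of problems; an empty list means the settings are self-consistent."""
    problems = []
    if "%(user)s" not in settings.get("LDAP_USER_DN_TEMPLATE", ""):
        problems.append("LDAP_USER_DN_TEMPLATE has no %(user)s placeholder")
    search = settings.get("LDAP_GROUP_SEARCH") or []
    if len(search) != 3:
        problems.append("LDAP_GROUP_SEARCH must be [base DN, scope, filter]")
        return problems
    base = search[0]
    for dn in [settings.get("LDAP_REQUIRE_GROUP")] + group_dns_in_maps(settings):
        if not dn:
            continue
        try:
            outside = not dn_is_under(dn, base)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if outside:
            problems.append("%s is outside the group search base %s, so AWX will never match it"
                            % (dn, base))
    return problems


if __name__ == "__main__":
    for line in check_settings(PAGE_SETTINGS) or ["settings look consistent"]:
        print(line)
```

Run it with your own values pasted into the dict before entering them in the AWX UI. Two things the check cannot see but that matter for the bind user: the settings above talk to FreeIPA over plain ldap:// on 389, so the bind password and every user's login password cross the network unencrypted unless you enable LDAP START TLS in the same AWX settings page or point the URI at ldaps://, and the bind account should stay as rights-free as the page says, since its password sits in the AWX database.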

AWX inventory from Proxmox

Log on to Proxmox and create a user named "inventory", using the Proxmox VE authentication server (realm pve) instead of Linux PAM.
Then log on to Proxmox over SSH and grant the new user read-only rights to the VMs:

 pveum aclmod /vms -user inventory@pve -role PVEAuditor

The script is borrowed from https://github.com/xezpeleta/Ansible-Proxmox-inventory

The script needs Python 3; we simply use the Software Collections Python (rh-python36) that the AWX install already put on the server when running it.

On your AWX server, go to /etc/ansible and download the proxmox.py dynamic inventory script and set the executable bit:

cd /etc/ansible/
wget https://github.com/xezpeleta/Ansible-Proxmox-inventory/raw/master/proxmox.py
chmod +x proxmox.py

Now put the connection information in a JSON file with the same base name as the script, /etc/ansible/proxmox.json:

{
    "url": "https://proxmox.example.com:8006/",
    "username": "inventory@pve",
    "password": "inventory-password-you-set",
    "validateCert": false
}

Make sure your firewall (a Sophos UTM in this setup) allows traffic on port 8006 from AWX to Proxmox. Check from the AWX server with nmap that the port is reachable:

nmap -p 8006 proxmox.example.com

You can test the script and credentials with

scl enable rh-python36 "/etc/ansible/proxmox.py --list --pretty --trust-invalid-certs"

It SHOULD output a JSON list of the virtual machines on your Proxmox.

Once that is verified as working, go to the AWX web interface, open the Inventory Scripts menu and add a new script with this content:

#!/bin/bash
scl enable rh-python36 "/etc/ansible/proxmox.py --list --pretty --trust-invalid-certs"
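What AWX actually consumes from a Custom Script source is the JSON that the script prints for --list: a dictionary of groups, each with a hosts list, plus a _meta.hostvars section. The block below is an added illustration, not the page's proxmox.py nor anything from the xezpeleta project: it takes a constructed sample of Proxmox's cluster-resources data (the fields are the real ones the /api2/json/cluster/resources endpoint returns, the values are made up) and builds that inventory structure, grouping guests by node, status, guest type and pool, skipping templates, and optionally appending a DNS search domain so the host names resolve the way the last paragraph of this page expects.

```python
import json
import sys

# Constructed sample of the records Proxmox's cluster-resources API returns for guests,
# trimmed to the fields used here. Not captured from a real cluster.
SAMPLE_RESOURCES = [
    {"vmid": 100, "name": "web01", "node": "pve1", "type": "qemu",
     "status": "running", "pool": "prod"},
    {"vmid": 101, "name": "db01", "node": "pve1", "type": "qemu",
     "status": "running", "pool": "prod"},
    {"vmid": 200, "name": "ct-test", "node": "pve2", "type": "lxc", "status": "stopped"},
    {"vmid": 9000, "name": "centos-template", "node": "pve2", "type": "qemu",
     "status": "stopped", "template": 1},
]


def build_inventory(resources, domain=None):
    """Turn Proxmox guest resources into the Ansible dynamic-inventory JSON structure:
    one group per node, per status, per guest type and per pool, plus _meta.hostvars
    so Ansible never has to call the script once per host with --host."""
    inventory = {"_meta": {"hostvars": {}}, "all": {"hosts": []}}

    def group(name):
        return inventory.setdefault(name, {"hosts": []})

    for r in resources:
        if r.get("template"):
            continue  # templates are not reachable machines, leave them out
        # Guest names double as hostnames on this page; append the search domain if given.
        host = r["name"] if not domain else "%s.%s" % (r["name"], domain)
        inventory["all"]["hosts"].append(host)
        for g in (r["node"], r["status"], r["type"], r.get("pool")):
            if g:
                group(g)["hosts"].append(host)
        inventory["_meta"]["hostvars"][host] = {
            "proxmox_vmid": r["vmid"],
            "proxmox_node": r["node"],
            "proxmox_type": r["type"],
            "proxmox_status": r["status"],
        }
    return inventory


def main(argv):
    """Minimal command-line contract of an Ansible inventory script."""
    if "--list" in argv:
        indent = 2 if "--pretty" in argv else None
        print(json.dumps(build_inventory(SAMPLE_RESOURCES), indent=indent))
    elif "--host" in argv:
        # Ansible only calls --host when _meta is missing; we always ship _meta, so answer empty.
        print(json.dumps({}))
    else:
        print("usage: %s --list [--pretty] | --host <name>" % sys.argv[0], file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A real script would fetch the resource list from the URL and credentials in proxmox.json instead of SAMPLE_RESOURCES. Note what "validateCert": false in that file and --trust-invalid-certs on the command line mean: the script accepts any certificate the Proxmox API presents, so the inventory user's password can be captured by anyone who can intercept the AWX-to-Proxmox connection. Installing a certificate from your own CA on Proxmox and setting validateCert to true removes that exposure.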

Go to Inventories and create a new inventory with an appropriate name, "Proxmox guests" or similar. After saving it, open it, go to Sources and add a new source of type Custom Script, selecting the script you just created. Give the source a name, tick "Overwrite", "Overwrite variables" and "Update on launch", and set a cache timeout of 43200 seconds or something equally reasonable: this tells AWX to refresh the inventory when it is used only if the last sync was more than 12 hours ago. After saving, press the update/sync button for the source in the Inventory->Sources view. The inventory should now populate.

If you have consistently named your guests after their hostnames, and the search domain on the AWX server is configured correctly (it should be), the Proxmox hosts should now be reachable when running job templates.