iac/ansible-role-common
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Migrate from old repository

Browse Source
This commit is contained in:
nemunaire 2023-02-15 01:55:08 +01:00
commit 4a304d486a
16 changed files with 516 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
defaults/main.yml Normal file
View File

@ -0,0 +1,3 @@
---
ssh_authorized_keys: []
ssh_authorized_keys_extra: []

30
handlers/main.yml Normal file
View File

@ -0,0 +1,30 @@
---
- name: reload hostname
service:
name: hostname
state: restarted
- name: reload nginx
service:
name: nginx
state: restarted
- name: reload docker
service:
name: docker
state: reloaded
- name: restart docker
service:
name: docker
state: restarted
- name: reload chronyd
service:
name: chronyd
state: restarted
- name: restart sshd
service:
name: sshd
state: restarted

18
meta/main.yml Normal file
View File

@ -0,0 +1,18 @@
---
dependencies: []
galaxy_info:
role_name: common
author: 'Pierre-Olivier Mercier <nemunaire+iac@nemunai.re>'
description: Common role
license: GPL-3.0-or-later
min_ansible_version: 2.9
platforms:
- name: Alpine
versions:
- all
- name: Debian
versions:
- all
galaxy_tags: []

100
tasks/main.yml Normal file
View File

@ -0,0 +1,100 @@
---
- import_tasks: ssh.yml
tags:
- ssh
- name: fix hostname
template:
src: hostname.j2
dest: /etc/hostname
register: firsttime
notify:
- reload hostname
# tags:
# - always
- name: fix /etc/hosts
lineinfile:
dest: /etc/hosts
regexp: "^{{ item.ip }}"
line: "{{ item.ip }} {{ item.hosts }}"
with_items:
- ip: "127.0.0.1"
hosts: "{{ inventory_hostname }}.{{ mydomain }} {{ inventory_hostname }} localhost localhost.localdomain"
- ip: "::1"
hosts: "{{ inventory_hostname }}.{{ mydomain }} {{ inventory_hostname }} localhost localhost.localdomain"
when: mydomain is defined
- import_tasks: "pkg_Alpine.yml"
when: ansible_distribution == 'Alpine'
tags:
- pkg
- import_tasks: "pkg_Debian.yml"
when: ansible_distribution == 'Debian'
tags:
- pkg
- name: ensure rngd is running
service:
name: rngd
enabled: yes
state: started
tags:
- pkg
- include_tasks: "sshd.yml"
tags:
- ssh
- name: ensure netmount is enabled
service:
name: netmount
enabled: yes
state: started
tags:
- pkg
when: ansible_distribution == 'Alpine' and iscsid.session[ansible_hostname] is defined
- name: ensure haveged is disabled
service:
name: haveged
enabled: no
state: stopped
tags:
- pkg
- name: configure networking
template:
src: networking.j2
dest: /etc/network/interfaces
when: wanted_ip4 is defined or wanted_ip6 is defined
tags:
- networking
- name: configure watchdog
template:
src: watchdog.conf.j2
dest: /etc/conf.d/watchdog
when: ansible_distribution == 'Alpine'
- name: configure watchdog
template:
src: watchdog-deb.conf.j2
dest: /etc/watchdog.conf
when: ansible_distribution != 'Alpine'
- name: ensure watchdog is running
service:
name: watchdog
enabled: yes
state: started
- name: configure chrony
template:
src: chrony.conf.j2
dest: /etc/chrony/chrony.conf
notify:
- reload chronyd
when: ansible_distribution == 'Alpine'
tags:
- chrony

76
tasks/pkg_Alpine.yml Normal file
View File

@ -0,0 +1,76 @@
---
- name: remove acpid
apk:
name: busybox-acpid
state: absent
tags:
- pkg
- name: set alpine repositories
template:
src: apk-repositories
dest: /etc/apk/repositories
register: change_release
tags:
- pkg
- command: apk fix
when: firsttime is changed
tags:
- pkg
- name: Upgrade system
apk:
update_cache: yes
upgrade: yes
available: "{{ change_release.changed }}"
when: firsttime is not changed
tags:
- pkg
- name: install common packages (alpine)
apk:
name:
- acl
- chrony
- coreutils
- docker
- docker-py
- haveged
- htop
- iptables
- ip6tables
- nginx
- openssh
- openssl
- py3-openssl
- rng-tools
# - ssmtp
state: present
update_cache: yes
tags:
- pkg
- name: install ssmtp (alpine)
apk:
name:
- ssmtp
state: present
when: "'scouts' not in group_names"
tags:
- pkg
- name: configure ssmtp
template:
src: ssmtp.conf.j2
dest: /etc/ssmtp/ssmtp.conf
when: "'scouts' not in group_names"
tags:
- pkg
- name: make Docker depends on netmount
lineinfile:
path: /etc/conf.d/docker
line: 'rc_need="netmount"'
tags:
- pkg

40
tasks/pkg_Debian.yml Normal file
View File

@ -0,0 +1,40 @@
---
- name: install common packages (debian)
apt:
name:
- ca-certificates
- apt-transport-https
- curl
# - docker.io
- haveged
- htop
- gpg
- iptables
- iptables-persistent
- msmtp-mta
- nginx
- openssh-server
- python3-apt
- python3-docker
- python3-openssl
- rng-tools5
- watchdog
- wget
state: present
update_cache: yes
- name: ensure netfilter-persistent is enabled
service:
name: netfilter-persistent
enabled: yes
state: started
tags:
- pkg
- name: configure msmtp
template:
src: msmtprc.j2
dest: /etc/msmtprc
when: "'scouts' not in group_names"
tags:
- pkg

7
tasks/ssh.yml Normal file
View File

@ -0,0 +1,7 @@
---
- name: Set ssh authorized_keys
ansible.posix.authorized_key:
key: "{{ ssh_authorized_keys | union(ssh_authorized_keys_extra) | flatten | join('\n') }}"
state: present
user: "{{ ansible_user }}"
exclusive: true

44
tasks/sshd.yml Normal file
View File

@ -0,0 +1,44 @@
---
- name: Disable legacy ssh algorithms
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#(HostKey {{ item }})$"
line: '\1'
backrefs: yes
validate: '/usr/sbin/sshd -f %s -t'
loop:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_ed25519_key
notify:
- restart sshd
tags:
- pkg
- name: Activate specifics SSH ports
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#?(Port {{ item }})$"
insertafter: "^Port [0-9]+$"
line: "Port {{ item }}"
validate: '/usr/sbin/sshd -f %s -t'
loop:
- 22
- 622
notify:
- restart sshd
tags:
- pkg
- name: Disable ssh password authentification
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#? *{{ item.regexp }}"
line: "{{ item.line }}"
validate: '/usr/sbin/sshd -f %s -t'
loop:
- { regexp: "ChallengeResponseAuthentication", line: "ChallengeResponseAuthentication no" }
- { regexp: "PasswordAuthentication", line: "PasswordAuthentication no" }
notify:
- restart sshd
tags:
- pkg

2
templates/apk-repositories Normal file
View File

@ -0,0 +1,2 @@
https://dl-cdn.alpinelinux.org/alpine/v{{ alpine_version }}/main
https://dl-cdn.alpinelinux.org/alpine/v{{ alpine_version }}/community

34
templates/chrony.conf.j2 Normal file
View File

@ -0,0 +1,34 @@
# {{ ansible_managed }}
# List of NTP servers to use.
{% if ansible_hostname == 'hesat' %}
pool ntp.tuxfamily.net iburst
pool fr.pool.ntp.org iburst
server 2a01:e0a:2b:2250::b
{% else %}
{% for server in ntp_pool %}
pool {{ server }} iburst
{% endfor %}
initstepslew 10 {{ ntp_pool[0] }}
{% endif %}
# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/chrony.drift
# In first three updates step the system clock instead of slew
# if the adjustment is larger than 1 second.
makestep 1.0 3
# Enable kernel synchronization of the real-time clock (RTC).
rtcsync
cmdport 0
user ntp
{% if ntp_served_for is defined %}
{% for network in ntp_served_for %}
allow {{ network }}
{% endfor %}
{% endif %}

1
templates/hostname.j2 Normal file
View File

@ -0,0 +1 @@
{{ inventory_hostname }}

14
templates/msmtprc.j2 Normal file
View File

@ -0,0 +1,14 @@
defaults
account here
{% if rewrite_domain is defined %}
from root@{{ rewrite_domain }}
set_from_header on
{% else %}
from root@{{ ansible_hostname }}.{{ ansible_domain }}
{% endif %}
host {{ mailhub }}
port 25
tls on
account default : here

39
templates/networking.j2 Normal file
View File

@ -0,0 +1,39 @@
# The loopback network interface
auto lo
iface lo inet loopback
{% if local_network.dns is defined %}
dns-nameservers {{ local_network.dns }}
{% endif %}
# The main interface
auto eth0
{% if wanted_ip4 is defined %}
iface eth0 inet static
address {{ wanted_ip4 }}/24
gateway {{ local_network.gateway }}
{% else %}
iface eth0 inet dhcp
{% endif %}
{% if wanted_ip6 is defined %}
iface eth0 inet6 static
{% if local_network.gateway6 is defined %}
address {{ wanted_ip6 }}/64
gateway {{ local_network.gateway6 }}
pre-up echo 0 > /proc/sys/net/ipv6/conf/eth0/accept_ra
{% else %}
address {{ wanted_ip6 }}/128
post-up ip addrlabel add prefix {{ wanted_ip6 }}/64 label 99
post-up ip addrlabel add prefix {{ wanted_ip6 }}/128 label 1
{% endif %}
{% endif %}
{% if wanted_serekh is defined %}
auto wg-serekh
iface wg-serekh inet6 static
address {{ wanted_serekh }}/64
pre-up ip link add dev wg-serekh type wireguard
pre-up wg setconf wg-serekh /etc/wireguard/wg-serekh.conf
post-down ip link delete dev wg-serekh
{% endif %}
source-directory /etc/network/interfaces.d

56
templates/ssmtp.conf.j2 Normal file
View File

@ -0,0 +1,56 @@
#
# /etc/ssmtp.conf -- a config file for sSMTP sendmail.
#
# The person who gets all mail for userids < MinUserId
# Make this empty to disable rewriting.
root=postmaster
# All mail delivered to userid >= MinUserId goes to user, not root.
#MinUserId=1000
# The place where the mail goes. The actual machine name is required
# no MX records are consulted. Commonly mailhosts are named mail.domain.com
# The example will fit if you are in domain.com and your mailhub is so named.
#mailhub=mail
mailhub={{ mailhub }}
# Example for SMTP port number 2525
# mailhub=mail.your.domain:2525
# Example for SMTP port number 25 (Standard/RFC)
# mailhub=mail.your.domain
# Example for SSL encrypted connection
# mailhub=mail.your.domain:465
# Where will the mail seem to come from?
{% if rewrite_domain is defined %}
rewriteDomain={{ rewrite_domain }}
{% else %}
#rewriteDomain=
{% endif %}
# The full hostname
# Gentoo bug #47562
# Commenting the following line will force ssmtp to figure
# out the hostname itself.
# hostname=_HOSTNAME_
# Set this to never rewrite the "From:" line (unless not given) and to
# use that address in the "from line" of the envelope.
#FromLineOverride=YES
# Use SSL/TLS to send secure messages to server.
#UseTLS=YES
# Use SSL/TLS certificate to authenticate against smtp host.
#UseTLSCert=YES
# Use this RSA certificate.
#TLSCert=/etc/ssl/certs/ssmtp.pem
# Get enhanced (*really* enhanced) debugging information in the logs
# If you want to have debugging of the config file parsing, move this option
# to the top of the config file and uncomment
#Debug=YES

50
templates/watchdog-deb.conf.j2 Normal file
View File

@ -0,0 +1,50 @@
#ping = 172.31.14.1
#ping = 172.26.1.255
#interface = eth0
#file = /var/log/messages
#change = 1407
# Uncomment to enable test. Setting one of these values to '0' disables it.
# These values will hopefully never reboot your machine during normal use
# (if your machine is really hung, the loadavg will go much higher than 25)
#max-load-1 = 24
#max-load-5 = 18
#max-load-15 = 12
# Note that this is the number of pages!
# To get the real size, check how large the pagesize is on your machine.
#min-memory = 1
#allocatable-memory = 1
#repair-binary = /usr/sbin/repair
#repair-timeout = 60
#test-binary =
#test-timeout = 60
# The retry-timeout and repair limit are used to handle errors in a more robust
# manner. Errors must persist for longer than retry-timeout to action a repair
# or reboot, and if repair-maximum attempts are made without the test passing a
# reboot is initiated anyway.
#retry-timeout = 60
#repair-maximum = 1
watchdog-device = /dev/watchdog
watchdog-timeout = 16
# Defaults compiled into the binary
#temperature-sensor =
#max-temperature = 90
# Defaults compiled into the binary
#admin = root
#interval = 1
#logtick = 1
#log-dir = /var/log/watchdog
# This greatly decreases the chance that watchdog won't be scheduled before
# your machine is really loaded
realtime = yes
priority = 1
# Check if rsyslogd is still running by enabling the following line
#pidfile = /var/run/rsyslogd.pid

2
templates/watchdog.conf.j2 Normal file
View File

@ -0,0 +1,2 @@
WATCHDOG_OPTS="-T 16 -t 10"
WATCHDOG_DEV="/dev/watchdog"