From 4a304d486a29bbb762ed6994369ba923e85f0914 Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier
Date: Wed, 15 Feb 2023 01:55:08 +0100
Subject: [PATCH] Migrate from old repository
---
 defaults/main.yml | 3 +
 handlers/main.yml | 30 ++++++++++
 meta/main.yml | 18 ++++++
 tasks/main.yml | 100 +++++++++++++++++++++++++++++++++
 tasks/pkg_Alpine.yml | 76 +++++++++++++++++++++++++
 tasks/pkg_Debian.yml | 40 +++++++++++++
 tasks/ssh.yml | 7 +++
 tasks/sshd.yml | 44 +++++++++++++++
 templates/apk-repositories | 2 +
 templates/chrony.conf.j2 | 34 +++++++++++
 templates/hostname.j2 | 1 +
 templates/msmtprc.j2 | 14 +++++
 templates/networking.j2 | 39 +++++++++++++
 templates/ssmtp.conf.j2 | 56 ++++++++++++++++++
 templates/watchdog-deb.conf.j2 | 50 +++++++++++++++++
 templates/watchdog.conf.j2 | 2 +
 16 files changed, 516 insertions(+)
 create mode 100644 defaults/main.yml
 create mode 100644 handlers/main.yml
 create mode 100644 meta/main.yml
 create mode 100644 tasks/main.yml
 create mode 100644 tasks/pkg_Alpine.yml
 create mode 100644 tasks/pkg_Debian.yml
 create mode 100644 tasks/ssh.yml
 create mode 100644 tasks/sshd.yml
 create mode 100644 templates/apk-repositories
 create mode 100644 templates/chrony.conf.j2
 create mode 100644 templates/hostname.j2
 create mode 100644 templates/msmtprc.j2
 create mode 100644 templates/networking.j2
 create mode 100644 templates/ssmtp.conf.j2
 create mode 100644 templates/watchdog-deb.conf.j2
 create mode 100644 templates/watchdog.conf.j2
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..8511d9a
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+ssh_authorized_keys: []
+ssh_authorized_keys_extra: []
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..3ae2c0f
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,30 @@
+---
+- name: reload hostname
+ service:
+ name: hostname
+ state: restarted
+
+- name: reload nginx
+ service:
+ name: nginx
+ state: restarted
+
+- name: reload docker
+ service:
+ name: docker
+ state: reloaded
+
+- name: restart docker
+ service:
+ name: docker
+ state: restarted
+
+- name: reload chronyd
+ service:
+ name: chronyd
+ state: restarted
+
+- name: restart sshd
+ service:
+ name: sshd
+ state: restarted
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..6dad738
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,18 @@
+---
+
+dependencies: []
+
+galaxy_info:
+ role_name: common
+ author: 'Pierre-Olivier Mercier '
+ description: Common role
+ license: GPL-3.0-or-later
+ min_ansible_version: 2.9
+ platforms:
+ - name: Alpine
+ versions:
+ - all
+ - name: Debian
+ versions:
+ - all
+ galaxy_tags: []
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..287485b
--- /dev/null
+++ b/tasks/main.yml
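Review bot: `reload nginx` and `reload chronyd` issue `state: restarted`, so their names promise a graceful reload that they do not perform — an nginx restart drops in-flight connections on every configuration change, whereas the sibling `reload docker` really uses `state: reloaded`. Either rename them `restart nginx` / `restart chronyd` to match `restart docker` and `restart sshd`, or switch nginx to `state: reloaded`, which its init script supports. tasks/main.yml notifies these handlers by name, so a rename has to be applied there as well.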
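Review bot: `min_ansible_version: 2.9` is an unquoted float, which is harmless today but turns a future `2.10` into `2.1`; write it as `min_ansible_version: "2.9"`. The `author` value ends in a space inside the quotes, which looks like an e-mail address that was stripped during the migration — worth restoring or trimming.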
@@ -0,0 +1,100 @@
+---
+- import_tasks: ssh.yml
+ tags:
+ - ssh
+
+- name: fix hostname
+ template:
+ src: hostname.j2
+ dest: /etc/hostname
+ register: firsttime
+ notify:
+ - reload hostname
+# tags:
+# - always
+
+- name: fix /etc/hosts
+ lineinfile:
+ dest: /etc/hosts
+ regexp: "^{{ item.ip }}"
+ line: "{{ item.ip }} {{ item.hosts }}"
+ with_items:
+ - ip: "127.0.0.1"
+ hosts: "{{ inventory_hostname }}.{{ mydomain }} {{ inventory_hostname }} localhost localhost.localdomain"
+ - ip: "::1"
+ hosts: "{{ inventory_hostname }}.{{ mydomain }} {{ inventory_hostname }} localhost localhost.localdomain"
+ when: mydomain is defined
+
+- import_tasks: "pkg_Alpine.yml"
+ when: ansible_distribution == 'Alpine'
+ tags:
+ - pkg
+- import_tasks: "pkg_Debian.yml"
+ when: ansible_distribution == 'Debian'
+ tags:
+ - pkg
+
+- name: ensure rngd is running
+ service:
+ name: rngd
+ enabled: yes
+ state: started
+ tags:
+ - pkg
+
+- include_tasks: "sshd.yml"
+ tags:
+ - ssh
+
+- name: ensure netmount is enabled
+ service:
+ name: netmount
+ enabled: yes
+ state: started
+ tags:
+ - pkg
+ when: ansible_distribution == 'Alpine' and iscsid.session[ansible_hostname] is defined
+
+- name: ensure haveged is disabled
+ service:
+ name: haveged
+ enabled: no
+ state: stopped
+ tags:
+ - pkg
+
+- name: configure networking
+ template:
+ src: networking.j2
+ dest: /etc/network/interfaces
+ when: wanted_ip4 is defined or wanted_ip6 is defined
+ tags:
+ - networking
+
+- name: configure watchdog
+ template:
+ src: watchdog.conf.j2
+ dest: /etc/conf.d/watchdog
+ when: ansible_distribution == 'Alpine'
+
+- name: configure watchdog
+ template:
+ src: watchdog-deb.conf.j2
+ dest: /etc/watchdog.conf
+ when: ansible_distribution != 'Alpine'
+
+- name: ensure watchdog is running
+ service:
+ name: watchdog
+ enabled: yes
+ state: started
+
+- name: configure chrony
+ template:
+ src: chrony.conf.j2
+ dest: /etc/chrony/chrony.conf
+ notify:
+ - reload chronyd
+ when: ansible_distribution == 'Alpine'
+ tags:
+ - chrony
diff --git a/tasks/pkg_Alpine.yml b/tasks/pkg_Alpine.yml
new file mode 100644
index 0000000..b7e6e9b
--- /dev/null
+++ b/tasks/pkg_Alpine.yml
@@ -0,0 +1,76 @@
+---
+- name: remove acpid
+ apk:
+ name: busybox-acpid
+ state: absent
+ tags:
+ - pkg
+
+- name: set alpine repositories
+ template:
+ src: apk-repositories
+ dest: /etc/apk/repositories
+ register: change_release
+ tags:
+ - pkg
+
+- command: apk fix
+ when: firsttime is changed
+ tags:
+ - pkg
+
+- name: Upgrade system
+ apk:
+ update_cache: yes
+ upgrade: yes
+ available: "{{ change_release.changed }}"
+ when: firsttime is not changed
+ tags:
+ - pkg
+
+- name: install common packages (alpine)
+ apk:
+ name:
+ - acl
+ - chrony
+ - coreutils
+ - docker
+ - docker-py
+ - haveged
+ - htop
+ - iptables
+ - ip6tables
+ - nginx
+ - openssh
+ - openssl
+ - py3-openssl
+ - rng-tools
+# - ssmtp
+ state: present
+ update_cache: yes
+ tags:
+ - pkg
+
+- name: install ssmtp (alpine)
+ apk:
+ name:
+ - ssmtp
+ state: present
+ when: "'scouts' not in group_names"
+ tags:
+ - pkg
+
+- name: configure ssmtp
+ template:
+ src: ssmtp.conf.j2
+ dest: /etc/ssmtp/ssmtp.conf
+ when: "'scouts' not in group_names"
+ tags:
+ - pkg
+
+- name: make Docker depends on netmount
+ lineinfile:
+ path: /etc/conf.d/docker
+ line: 'rc_need="netmount"'
+ tags:
+ - pkg
diff --git a/tasks/pkg_Debian.yml b/tasks/pkg_Debian.yml
new file mode 100644
index 0000000..95548cd
--- /dev/null
+++ b/tasks/pkg_Debian.yml
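Review bot: `include_tasks: "sshd.yml"` with `tags: [ssh]` tags only the include statement itself; the tasks inside sshd.yml carry only `pkg`, so a run limited to `--tags ssh` performs the include and then skips every sshd hardening task, the opposite of what the tag suggests. Use `import_tasks: sshd.yml` as the first task already does for ssh.yml (imported tasks inherit the tag), or add `apply: { tags: [ssh] }` to the include. `ensure haveged is disabled` stops and disables a package that both pkg_Alpine.yml and pkg_Debian.yml install in the same run; dropping `haveged` from those lists removes the contradiction. `configure networking` rewrites /etc/network/interfaces without `backup: true`, so a bad render leaves no copy on the host to recover remote access from.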
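Review bot: The unnamed `- command: apk fix` task reports `changed` on every run in which it executes and relies on `firsttime`, a variable registered by the `fix hostname` task in tasks/main.yml, so importing this file on its own fails with an undefined variable. Give it a `name:` and guard it with `when: firsttime is defined and firsttime is changed`; the same cross-file dependency applies to `when: firsttime is not changed` on `Upgrade system`. A short comment above `Upgrade system` explaining that `available: "{{ change_release.changed }}"` forces a reinstall from the new repositories after a release switch would save the next reader a trip to the apk docs.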
@@ -0,0 +1,40 @@
+---
+- name: install common packages (debian)
+ apt:
+ name:
+ - ca-certificates
+ - apt-transport-https
+ - curl
+# - docker.io
+ - haveged
+ - htop
+ - gpg
+ - iptables
+ - iptables-persistent
+ - msmtp-mta
+ - nginx
+ - openssh-server
+ - python3-apt
+ - python3-docker
+ - python3-openssl
+ - rng-tools5
+ - watchdog
+ - wget
+ state: present
+ update_cache: yes
+
+- name: ensure netfilter-persistent is enabled
+ service:
+ name: netfilter-persistent
+ enabled: yes
+ state: started
+ tags:
+ - pkg
+
+- name: configure msmtp
+ template:
+ src: msmtprc.j2
+ dest: /etc/msmtprc
+ when: "'scouts' not in group_names"
+ tags:
+ - pkg
diff --git a/tasks/ssh.yml b/tasks/ssh.yml
new file mode 100644
index 0000000..d688eaf
--- /dev/null
+++ b/tasks/ssh.yml
@@ -0,0 +1,7 @@
+---
+- name: Set ssh authorized_keys
+ ansible.posix.authorized_key:
+ key: "{{ ssh_authorized_keys | union(ssh_authorized_keys_extra) | flatten | join('\n') }}"
+ state: present
+ user: "{{ ansible_user }}"
+ exclusive: true
diff --git a/tasks/sshd.yml b/tasks/sshd.yml
new file mode 100644
index 0000000..f3ec00e
--- /dev/null
+++ b/tasks/sshd.yml
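Review bot: `install common packages (debian)` runs `update_cache: yes` on every invocation with no `cache_valid_time`, so each run refreshes the apt index even when nothing changed; `cache_valid_time: 3600` keeps the refresh while making repeated runs cheaper. The list also installs `haveged`, which tasks/main.yml immediately stops and disables (pkg_Alpine.yml has the same entry), so it can be dropped here. This is also the only task in the file without `tags: [pkg]`; it inherits the tag from the `import_tasks` in tasks/main.yml, but the inconsistency with its two siblings is worth fixing either way.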
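Review bot: With `exclusive: true` this task removes every key in `ansible_user`'s authorized_keys that is not in the rendered list, and defaults/main.yml sets both `ssh_authorized_keys` and `ssh_authorized_keys_extra` to `[]`, so a host where neither variable is overridden ends the run with an empty authorized_keys for the very account Ansible logs in as. Guard it, e.g. `when: (ssh_authorized_keys | union(ssh_authorized_keys_extra) | flatten) | length > 0`, or precede it with an `assert` that the merged list is non-empty so the lockout becomes a failed task instead of a silent success. `user: "{{ ansible_user }}"` is also undefined when the inventory relies on the connection's default user; the `ansible_user_id` fact (or an explicit `| default(...)`) is safer there.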
@@ -0,0 +1,44 @@
+---
+- name: Disable legacy ssh algorithms
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "^#(HostKey {{ item }})$"
+ line: '\1'
+ backrefs: yes
+ validate: '/usr/sbin/sshd -f %s -t'
+ loop:
+ - /etc/ssh/ssh_host_rsa_key
+ - /etc/ssh/ssh_host_ed25519_key
+ notify:
+ - restart sshd
+ tags:
+ - pkg
+
+- name: Activate specifics SSH ports
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "^#?(Port {{ item }})$"
+ insertafter: "^Port [0-9]+$"
+ line: "Port {{ item }}"
+ validate: '/usr/sbin/sshd -f %s -t'
+ loop:
+ - 22
+ - 622
+ notify:
+ - restart sshd
+ tags:
+ - pkg
+
+- name: Disable ssh password authentification
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "^#? *{{ item.regexp }}"
+ line: "{{ item.line }}"
+ validate: '/usr/sbin/sshd -f %s -t'
+ loop:
+ - { regexp: "ChallengeResponseAuthentication", line: "ChallengeResponseAuthentication no" }
+ - { regexp: "PasswordAuthentication", line: "PasswordAuthentication no" }
+ notify:
+ - restart sshd
+ tags:
+ - pkg
diff --git a/templates/apk-repositories b/templates/apk-repositories
new file mode 100644
index 0000000..baa29da
--- /dev/null
+++ b/templates/apk-repositories
@@ -0,0 +1,2 @@
+https://dl-cdn.alpinelinux.org/alpine/v{{ alpine_version }}/main
+https://dl-cdn.alpinelinux.org/alpine/v{{ alpine_version }}/community
diff --git a/templates/chrony.conf.j2 b/templates/chrony.conf.j2
new file mode 100644
index 0000000..45a5883
--- /dev/null
+++ b/templates/chrony.conf.j2
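Review bot: `Disable legacy ssh algorithms` only uncomments `#HostKey ...` lines that exist verbatim: with `backrefs: yes`, a `lineinfile` whose regexp matches nothing changes nothing, so on a host whose sshd_config lacks those commented defaults (or was edited earlier) no explicit HostKey is written, sshd keeps loading every default host key type, and the task name overstates what was enforced. Dropping `backrefs` and using `regexp: "^#?HostKey {{ item }}$"` with `line: "HostKey {{ item }}"` inserts the directive when it is missing and still uncomments it when present. In the third task, recent OpenSSH releases treat `ChallengeResponseAuthentication` as a deprecated alias of `KbdInteractiveAuthentication` — still accepted, but adding the new name to the loop keeps the setting explicit on newer servers; the task name also misspells "authentication".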
@@ -0,0 +1,34 @@
+# {{ ansible_managed }}
+
+# List of NTP servers to use.
+{% if ansible_hostname == 'hesat' %}
+pool ntp.tuxfamily.net iburst
+pool fr.pool.ntp.org iburst
+server 2a01:e0a:2b:2250::b
+{% else %}
+{% for server in ntp_pool %}
+pool {{ server }} iburst
+{% endfor %}
+
+initstepslew 10 {{ ntp_pool[0] }}
+{% endif %}
+
+# Record the rate at which the system clock gains/losses time.
+driftfile /var/lib/chrony/chrony.drift
+
+# In first three updates step the system clock instead of slew
+# if the adjustment is larger than 1 second.
+makestep 1.0 3
+
+# Enable kernel synchronization of the real-time clock (RTC).
+rtcsync
+
+cmdport 0
+
+user ntp
+
+{% if ntp_served_for is defined %}
+{% for network in ntp_served_for %}
+allow {{ network }}
+{% endfor %}
+{% endif %}
\ No newline at end of file
diff --git a/templates/hostname.j2 b/templates/hostname.j2
new file mode 100644
index 0000000..1ee9db5
--- /dev/null
+++ b/templates/hostname.j2
@@ -0,0 +1 @@
+{{ inventory_hostname }}
\ No newline at end of file
diff --git a/templates/msmtprc.j2 b/templates/msmtprc.j2
new file mode 100644
index 0000000..058f09f
--- /dev/null
+++ b/templates/msmtprc.j2
@@ -0,0 +1,14 @@
+defaults
+
+account here
+{% if rewrite_domain is defined %}
+from root@{{ rewrite_domain }}
+set_from_header on
+{% else %}
+from root@{{ ansible_hostname }}.{{ ansible_domain }}
+{% endif %}
+host {{ mailhub }}
+port 25
+tls on
+
+account default : here
diff --git a/templates/networking.j2 b/templates/networking.j2
new file mode 100644
index 0000000..afda18f
--- /dev/null
+++ b/templates/networking.j2
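Review bot: The `{% if ansible_hostname == 'hesat' %}` branch hard-codes one host's NTP sources, including a bare IPv6 server address, inside a role template shared by every host; moving those sources into that host's `ntp_pool` variable lets the `else` branch serve everyone and removes the special case. The `else` branch renders `initstepslew 10 {{ ntp_pool[0] }}`, which raises a template error when `ntp_pool` is undefined or empty — wrap it in `{% if ntp_pool | length > 0 %}` or assert the variable before templating. `user ntp` has to match the account the Alpine chrony package creates; confirm the name, since a mismatch can keep chronyd from starting. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.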
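Review bot: `tls on` with `port 25` enables STARTTLS but no `tls_trust_file` is set, so whether the mailhub's certificate is verified against a trust store depends on the installed msmtp release's default; make it explicit with `tls_trust_file /etc/ssl/certs/ca-certificates.crt`, which the `ca-certificates` package installed in tasks/pkg_Debian.yml provides. The `else` branch builds `from root@{{ ansible_hostname }}.{{ ansible_domain }}`, which renders as `root@host.` when the domain fact is empty; `from root@{{ ansible_fqdn }}` avoids the dangling dot. A one-line comment above `account here` noting that `mailhub` and `rewrite_domain` come from inventory would document the template's inputs.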
@@ -0,0 +1,39 @@
+# The loopback network interface
+auto lo
+iface lo inet loopback
+{% if local_network.dns is defined %}
+ dns-nameservers {{ local_network.dns }}
+{% endif %}
+
+# The main interface
+auto eth0
+{% if wanted_ip4 is defined %}
+iface eth0 inet static
+ address {{ wanted_ip4 }}/24
+ gateway {{ local_network.gateway }}
+{% else %}
+iface eth0 inet dhcp
+{% endif %}
+{% if wanted_ip6 is defined %}
+iface eth0 inet6 static
+{% if local_network.gateway6 is defined %}
+ address {{ wanted_ip6 }}/64
+ gateway {{ local_network.gateway6 }}
+ pre-up echo 0 > /proc/sys/net/ipv6/conf/eth0/accept_ra
+{% else %}
+ address {{ wanted_ip6 }}/128
+ post-up ip addrlabel add prefix {{ wanted_ip6 }}/64 label 99
+ post-up ip addrlabel add prefix {{ wanted_ip6 }}/128 label 1
+{% endif %}
+{% endif %}
+
+{% if wanted_serekh is defined %}
+auto wg-serekh
+iface wg-serekh inet6 static
+ address {{ wanted_serekh }}/64
+ pre-up ip link add dev wg-serekh type wireguard
+ pre-up wg setconf wg-serekh /etc/wireguard/wg-serekh.conf
+ post-down ip link delete dev wg-serekh
+{% endif %}
+
+source-directory /etc/network/interfaces.d
diff --git a/templates/ssmtp.conf.j2 b/templates/ssmtp.conf.j2
new file mode 100644
index 0000000..da1d083
--- /dev/null
+++ b/templates/ssmtp.conf.j2
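Review bot: The prefix lengths `/24`, `/64` and `/128` are hard-coded next to per-host addresses taken from `wanted_ip4`/`wanted_ip6`, so any host on a differently sized subnet gets a wrong on-link route; take them from variables with defaults, for instance a `wanted_ip4_prefix` variable rendered as `{{ wanted_ip4 }}/{{ wanted_ip4_prefix | default(24) }}`. The template guards `local_network.dns` and `local_network.gateway6` with `is defined` but reads `local_network.gateway` unconditionally whenever `wanted_ip4` is set, so a host with a static v4 address and no `local_network` mapping fails at render time with an undefined-variable error. `pre-up wg setconf wg-serekh /etc/wireguard/wg-serekh.conf` assumes a file this role never deploys; a comment naming where that file comes from would help the next maintainer.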
@@ -0,0 +1,56 @@
+#
+# /etc/ssmtp.conf -- a config file for sSMTP sendmail.
+#
+
+# The person who gets all mail for userids < MinUserId
+# Make this empty to disable rewriting.
+root=postmaster
+
+# All mail delivered to userid >= MinUserId goes to user, not root.
+#MinUserId=1000
+
+# The place where the mail goes. The actual machine name is required
+# no MX records are consulted. Commonly mailhosts are named mail.domain.com
+# The example will fit if you are in domain.com and your mailhub is so named.
+#mailhub=mail
+mailhub={{ mailhub }}
+
+# Example for SMTP port number 2525
+# mailhub=mail.your.domain:2525
+# Example for SMTP port number 25 (Standard/RFC)
+# mailhub=mail.your.domain
+# Example for SSL encrypted connection
+# mailhub=mail.your.domain:465
+
+# Where will the mail seem to come from?
+{% if rewrite_domain is defined %}
+rewriteDomain={{ rewrite_domain }}
+{% else %}
+#rewriteDomain=
+{% endif %}
+
+# The full hostname
+
+# Gentoo bug #47562
+# Commenting the following line will force ssmtp to figure
+# out the hostname itself.
+
+# hostname=_HOSTNAME_
+
+# Set this to never rewrite the "From:" line (unless not given) and to
+# use that address in the "from line" of the envelope.
+#FromLineOverride=YES
+
+# Use SSL/TLS to send secure messages to server.
+#UseTLS=YES
+
+# Use SSL/TLS certificate to authenticate against smtp host.
+#UseTLSCert=YES
+
+# Use this RSA certificate.
+#TLSCert=/etc/ssl/certs/ssmtp.pem
+
+# Get enhanced (*really* enhanced) debugging information in the logs
+# If you want to have debugging of the config file parsing, move this option
+# to the top of the config file and uncomment
+#Debug=YES
diff --git a/templates/watchdog-deb.conf.j2 b/templates/watchdog-deb.conf.j2
new file mode 100644
index 0000000..e893590
--- /dev/null
+++ b/templates/watchdog-deb.conf.j2
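Review bot: `#UseTLS=YES` is left commented, so Alpine hosts hand mail to `{{ mailhub }}` over plaintext SMTP on port 25, while the Debian counterpart in templates/msmtprc.j2 sets `tls on`; set `UseTLS=YES` and `UseSTARTTLS=YES` here to match. Be aware that ssmtp's TLS support, as far as I can tell, does not verify the server certificate, so if that guarantee matters msmtp is the better choice on Alpine as well. `{{ mailhub }}` has no default, so the template fails on any host where the variable is unset; `{{ mailhub | mandatory }}` or an assert in tasks/pkg_Alpine.yml makes the requirement explicit rather than incidental.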
@@ -0,0 +1,50 @@
+#ping = 172.31.14.1
+#ping = 172.26.1.255
+#interface = eth0
+#file = /var/log/messages
+#change = 1407
+
+# Uncomment to enable test. Setting one of these values to '0' disables it.
+# These values will hopefully never reboot your machine during normal use
+# (if your machine is really hung, the loadavg will go much higher than 25)
+#max-load-1 = 24
+#max-load-5 = 18
+#max-load-15 = 12
+
+# Note that this is the number of pages!
+# To get the real size, check how large the pagesize is on your machine.
+#min-memory = 1
+#allocatable-memory = 1
+
+#repair-binary = /usr/sbin/repair
+#repair-timeout = 60
+#test-binary =
+#test-timeout = 60
+
+# The retry-timeout and repair limit are used to handle errors in a more robust
+# manner. Errors must persist for longer than retry-timeout to action a repair
+# or reboot, and if repair-maximum attempts are made without the test passing a
+# reboot is initiated anyway.
+#retry-timeout = 60
+#repair-maximum = 1
+
+watchdog-device = /dev/watchdog
+watchdog-timeout = 16
+
+# Defaults compiled into the binary
+#temperature-sensor =
+#max-temperature = 90
+
+# Defaults compiled into the binary
+#admin = root
+#interval = 1
+#logtick = 1
+#log-dir = /var/log/watchdog
+
+# This greatly decreases the chance that watchdog won't be scheduled before
+# your machine is really loaded
+realtime = yes
+priority = 1
+
+# Check if rsyslogd is still running by enabling the following line
+#pidfile = /var/run/rsyslogd.pid
diff --git a/templates/watchdog.conf.j2 b/templates/watchdog.conf.j2
new file mode 100644
index 0000000..0f896a5
--- /dev/null
+++ b/templates/watchdog.conf.j2
@@ -0,0 +1,2 @@
+WATCHDOG_OPTS="-T 16 -t 10"
+WATCHDOG_DEV="/dev/watchdog"
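Review bot: The Alpine options `-T 16 -t 10` in templates/watchdog.conf.j2 pet the device every 10 s against a 16 s timeout, leaving 6 s of slack, whereas this Debian file sets `watchdog-timeout = 16` and leaves `interval` at its compiled default of 1 per the commented line; under heavy load the Alpine margin is thin enough that a delayed daemon can reboot a healthy host. Bringing `-t` down to the same order as the Debian interval, or raising `-T`, and recording the chosen values in a comment in both files would keep the two platforms consistent. The commented `#ping = 172.31.14.1` and `#ping = 172.26.1.255` lines look like site-specific leftovers from the old repository; dropping them avoids someone uncommenting the wrong address later.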