From 7aa174925ad60d7162268e16a06755e2a88358d4 Mon Sep 17 00:00:00 2001 
From: Nemo Date: Fri, 15 May 2020 22:22:26 +0200 Subject: [PATCH] First commit --- .gitignore | 5 + README.md | 153 ++++++++++++++++++ ToDoList.md | 8 + group_vars/all/all.yml | 21 +++ group_vars/all/vault.yml.template | 9 ++ group_vars/backup.yml | 11 ++ group_vars/os_debian.yml | 25 +++ group_vars/os_gentoo.yml | 32 ++++ host_vars/host.example.org | 26 +++ inventory_template.yml | 20 +++ playbook_general_deploy.yml | 10 ++ requirements.yml | 1 + roles/auto_reboot/README.md | 50 ++++++ roles/auto_reboot/defaults/main.yml | 16 ++ roles/auto_reboot/handlers/main.yml | 8 + roles/auto_reboot/meta/main.yml | 29 ++++ roles/auto_reboot/tasks/crontask.yml | 13 ++ roles/auto_reboot/tasks/main.yml | 5 + roles/auto_reboot/tasks/package.yml | 7 + roles/auto_upgrade/README.md | 55 +++++++ roles/auto_upgrade/defaults/main.yml | 19 +++ roles/auto_upgrade/handlers/main.yml | 8 + roles/auto_upgrade/meta/main.yml | 29 ++++ roles/auto_upgrade/tasks/crontask.yml | 13 ++ roles/auto_upgrade/tasks/main.yml | 5 + roles/auto_upgrade/tasks/package.yml | 7 + roles/client_iptables/README.md | 43 +++++ roles/client_iptables/defaults/main.yml | 9 ++ roles/client_iptables/files/iptables | 2 + roles/client_iptables/meta/main.yml | 26 +++ roles/client_iptables/tasks/boot.yml | 9 ++ roles/client_iptables/tasks/iptables.yml | 60 +++++++ roles/client_iptables/tasks/main.yml | 7 + roles/client_iptables/tasks/package.yml | 5 + roles/client_iptables/tasks/save.yml | 3 + roles/client_ntp/README.md | 40 +++++ roles/client_ntp/defaults/main.yml | 6 + roles/client_ntp/meta/main.yml | 25 +++ roles/client_ntp/tasks/main.yml | 5 + roles/client_ntp/tasks/package.yml | 5 + roles/client_ntp/tasks/service.yml | 6 + roles/client_resolvers/README.md | 46 ++++++ roles/client_resolvers/defaults/main.yml | 12 ++ roles/client_resolvers/meta/main.yml | 26 +++ roles/client_resolvers/tasks/main.yml | 4 + roles/client_resolvers/tasks/resolv_conf.yml | 5 + .../client_resolvers/templates/resolv.conf.j2 | 4 + 
roles/client_tools/README.md | 44 +++++ roles/client_tools/defaults/main.yml | 10 ++ roles/client_tools/meta/main.yml | 26 +++ roles/client_tools/tasks/main.yml | 4 + roles/client_tools/tasks/package.yml | 9 ++ roles/users_sudo/README.md | 47 ++++++ roles/users_sudo/defaults/main.yml | 17 ++ roles/users_sudo/meta/main.yml | 26 +++ roles/users_sudo/tasks/group.yml | 6 + roles/users_sudo/tasks/main.yml | 7 + roles/users_sudo/tasks/package.yml | 6 + roles/users_sudo/tasks/users.yml | 20 +++ 59 files changed, 1155 insertions(+) create mode 100644 .gitignore create mode 100644 README.md create mode 100644 ToDoList.md create mode 100644 group_vars/all/all.yml create mode 100644 group_vars/all/vault.yml.template create mode 100644 group_vars/backup.yml create mode 100644 group_vars/os_debian.yml create mode 100644 group_vars/os_gentoo.yml create mode 100644 host_vars/host.example.org create mode 100644 inventory_template.yml create mode 100644 playbook_general_deploy.yml create mode 100644 requirements.yml create mode 100644 roles/auto_reboot/README.md create mode 100644 roles/auto_reboot/defaults/main.yml create mode 100644 roles/auto_reboot/handlers/main.yml create mode 100644 roles/auto_reboot/meta/main.yml create mode 100644 roles/auto_reboot/tasks/crontask.yml create mode 100644 roles/auto_reboot/tasks/main.yml create mode 100644 roles/auto_reboot/tasks/package.yml create mode 100644 roles/auto_upgrade/README.md create mode 100644 roles/auto_upgrade/defaults/main.yml create mode 100644 roles/auto_upgrade/handlers/main.yml create mode 100644 roles/auto_upgrade/meta/main.yml create mode 100644 roles/auto_upgrade/tasks/crontask.yml create mode 100644 roles/auto_upgrade/tasks/main.yml create mode 100644 roles/auto_upgrade/tasks/package.yml create mode 100644 roles/client_iptables/README.md create mode 100644 roles/client_iptables/defaults/main.yml create mode 100644 roles/client_iptables/files/iptables create mode 100644 roles/client_iptables/meta/main.yml create mode 
100644 roles/client_iptables/tasks/boot.yml create mode 100644 roles/client_iptables/tasks/iptables.yml create mode 100644 roles/client_iptables/tasks/main.yml create mode 100644 roles/client_iptables/tasks/package.yml create mode 100644 roles/client_iptables/tasks/save.yml create mode 100644 roles/client_ntp/README.md create mode 100644 roles/client_ntp/defaults/main.yml create mode 100644 roles/client_ntp/meta/main.yml create mode 100644 roles/client_ntp/tasks/main.yml create mode 100644 roles/client_ntp/tasks/package.yml create mode 100644 roles/client_ntp/tasks/service.yml create mode 100644 roles/client_resolvers/README.md create mode 100644 roles/client_resolvers/defaults/main.yml create mode 100644 roles/client_resolvers/meta/main.yml create mode 100644 roles/client_resolvers/tasks/main.yml create mode 100644 roles/client_resolvers/tasks/resolv_conf.yml create mode 100644 roles/client_resolvers/templates/resolv.conf.j2 create mode 100644 roles/client_tools/README.md create mode 100644 roles/client_tools/defaults/main.yml create mode 100644 roles/client_tools/meta/main.yml create mode 100644 roles/client_tools/tasks/main.yml create mode 100644 roles/client_tools/tasks/package.yml create mode 100644 roles/users_sudo/README.md create mode 100644 roles/users_sudo/defaults/main.yml create mode 100644 roles/users_sudo/meta/main.yml create mode 100644 roles/users_sudo/tasks/group.yml create mode 100644 roles/users_sudo/tasks/main.yml create mode 100644 roles/users_sudo/tasks/package.yml create mode 100644 roles/users_sudo/tasks/users.yml diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..2a1f74c --- /dev/null +++ b/.gitignore @@ -0,0 +1,5 @@ +group_vars/all/vault.yml +host_vars/*.wirebrass.fr +inventory_wirebrass.yml +.vault-password +*.retry diff --git a/README.md b/README.md new file mode 100644 index 0000000..dcad5e7 --- /dev/null +++ b/README.md 
@@ -0,0 +1,153 @@ +# ansible-base + +## Introduction + +This document describes how to use ansible-base to deploy basic infrastructures. + +The main parts of this document are : + +* Ansible "server" (or local machine) preparation +* Nodes preparation +* Deployment + +## Ansible "server" (or local machine) preparation + +Update and install Ansible and GIT on your system. + +Clone this repo (ssh pubkey needs to be authorized for this repo) and go into the cloned directory : + +```bash +git clone git@git.grifon.fr:nemo/ansible-base.git +cd ansible-core +``` + +Download roles dependecies (currenty not used) : + +```ansible-galaxy install -r requirements.yml -p ./roles/``` + +Copy the template inventory and edit the new file to add your node(s) in the corresponding `function` section and `os` section : + +```bash +cp inventory_template.yml inventory_yourInventoryName.yml +vi inventory_yourInventoryName.yml +``` + +Example with template values : + +```bash +all: + vars: + ansible_user: ansible + ansible_become: yes + children: + function: + children: + backup_server: + hosts: + myFirstGentooHost.example.org: + ... + ... + os: + children: + os_gentoo: + hosts: + myFirstGentooHost.example.org: + mySecondGentooHost.anotherexample.org: + os_debian: + hosts: + myFirstDebianHost.example.org: + mySecondDebianHost.anotherexample.org: + ... + ... +``` + +> Note : the node's name needs to be reachable, you can use IP address or FQDN (recommended). +> WARNING : if you don't want to publish your inventory in the SCM system, add the filename in your .gitignore file (if you're using GIT). + +Create a vault file for all nodes using the vault template file and define all values : + +```bash +cp group_vars/all/vault.yml.template group_vars/all/vault.yml +vim group_vars/all/vault.yml +``` + +Encrypt the vault file and check if edit function works. 
A prompt will ask you a password : + +```bash +ansible-vault encrypt group_vars/all/vault.yml +ansible-vault edit group_vars/all/vault.yml +``` + +> Note : if you version your code, don't forget to exclude this vault file of versionning (with .`gitignorefile` if you are using GIT). + +According to your needs, you can edit all variables in `group_vars` directory and subdirectories. + +You can also define host-specific variables (reboot/upgrade enable/disabe, cron hours, specific config, ...) in the host_vars directory (host.example.org is a commented example). Don't forget to update .gitignore if you don't want to publish some host vars. + +## Nodes preparation + +On the node, with the root account (or sudo) : + +* Install SSH, sudo and gentoolkit (if Gentoo) OR python-apt (if Debian) OR python-yum (if CentOS) ... +* Enable and start SSH service. +* Configure the ansible user : + +```bash +# Create an ansible user +useradd -m -s /bin/bash ansible + +# Add sudoers rights to ansible user +echo "ansible ALL=(ALL:ALL) NOPASSWD: ALL +" > /etc/sudoers.d/ansible + +# Check the sudo configuration +su - ansible +sudo -i # If OK, you're root here +exit +exit + +# Add SSH public key of the account used on the Ansible server (or local machine) to the ansible user on the remote node to deploy +su - ansible +mkdir -p .ssh +vi .ssh/authorized_keys # Here add pubkey +``` + +> Note : this procedure can vary slightly if you're not using a Debian or CentOS node. + +On the Ansible server (or local machine), check the SSH connection : + +```bash +ssh ansible@ +exit +``` + +## Deployment + +From the Ansible server (or your local machine), you can deploy specific playbooks using the following command : + +```bash +ansible-playbook -i inventory_yourInventoryName.yml --ask-vault-pass +``` + +> Notes : +> +> * --diff option can be added to see the difference applied. 
+> * --check option can be added to test the deployment without really do any action on the remote node (in some cases it fails even if the deployment will go well). + +Playbook deployment : + +* playbook_general_deploy.yml +* playbook_build_deploy.yml +* playbook_backup_deploy.yml + +### playbook_general_deploy.yml + +This playbook deploys general configuration : tools (useful packages), auto reboot, auto upgrade, sudo users, NTP client and DNS resolvers. + +### playbook_build_deploy.yml + +This playbook deploys a build node which needs Docker. + +### playbook_backup_deploy.yml + +This playbook deploys a backup server which use borgbackup to manage backup rotation. diff --git a/ToDoList.md b/ToDoList.md new file mode 100644 index 0000000..ee704a4 --- /dev/null +++ b/ToDoList.md @@ -0,0 +1,8 @@ +# ToDoList (not exhaustive) + +* Complete iptables roles and use it (maybe only for non-firewalld systems). +* Create backup roles (server and clients) + git clone --mirror of the GIT repositories to backup them. +* Create monitoring roles (server and clients) : Icinga and Munin. +* Add a pre-task which can install python-apt, gentoolkit or python-yum if not installed (with shell module). +* Add roles for different function (DNS resolvers, VPN server, BGP router, ...) + diff --git a/group_vars/all/all.yml b/group_vars/all/all.yml new file mode 100644 index 0000000..2f1b2f6 --- /dev/null +++ b/group_vars/all/all.yml @@ -0,0 +1,21 @@ +--- +# Sudo users on all servers +sudo_users: + - john + +# Hash of default password to use when a user is created +default_user_password: "{{ vault_default_user_password }}" + +# Map users' public key +public_key: + john: "{{ vault_public_key_john }}" + +# Default DNS resolvers to use (here it's FDN and LDN) +resolvers: + - 2001:910:800::40 + - 80.67.169.12 + - 2001:913::8 + - 80.67.188.188 + +# Domain to use in the DNS "search" resolver field +main_domain: wirebrass.fr 
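Review bot: `default_user_password` in group_vars/all/all.yml is one hash shared by every account in `sudo_users`, and the comment does not say whether it is applied only at creation or re-applied on each run; that depends on `update_password` in roles/users_sudo/tasks/users.yml, which is outside this chunk. Suggest widening the comment to `# One shared initial password hash for every account in sudo_users; each user should replace it at first login`. `main_domain: wirebrass.fr` here also duplicates the role default in roles/client_resolvers/defaults/main.yml, so one of the two copies can go.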
diff --git a/group_vars/all/vault.yml.template b/group_vars/all/vault.yml.template new file mode 100644 index 0000000..4daf5a1 --- /dev/null +++ b/group_vars/all/vault.yml.template @@ -0,0 +1,9 @@ +vault_default_user_password: HASH_OF_DEFAULT_GNU_LINUX_USER_PASSWORD + +vault_public_key_: | + SSH_PUBKEY01_OF_ + SSH_PUBKEY02_OF_ + +vault_private_key_backup_ser_host: | + SSH_PRIV_KEY_OF_backup_user_USER_ON_USER_HOST +vault_public_key_backup_user_host: SSH_PUBKEY_OF_backup_user_USER_ON_BACKUP_HOST diff --git a/group_vars/backup.yml b/group_vars/backup.yml new file mode 100644 index 0000000..52b1eba --- /dev/null +++ b/group_vars/backup.yml @@ -0,0 +1,11 @@ +# Private/Public SSH keys of backup user to access GIT repositories in Read-Only mode +private_key_backup_user_host: "{{ vault_private_key_backup_user_host }}" +public_key_backup_user_host: "{{ vault_public_key_backup_user_host }}" + +# All GIT repositories to backup +git_repo_to_backup: + - ansible-base + +# Ports allowed by iptables +tcp_authorized_ports: + - 22 diff --git a/group_vars/os_debian.yml b/group_vars/os_debian.yml new file mode 100644 index 0000000..78e993d --- /dev/null +++ b/group_vars/os_debian.yml @@ -0,0 +1,25 @@ +# Service and package's name of NTP client on Debian +ntp_service_name: ntp +ntp_package: ntp + +# Package's name of sudo package on Debian +sudo_package: sudo + +# Service and package's name of CRON on Debian +cron_service_name: cron +cron_package: cron + +# Sudoers' group name on Debian +sudo_group: sudo + +# Command to run to execute a Debian update +cron_upgrade_job: export PATH=$PATH:/usr/local/sbin:/usr/sbin:/sbin; export TERM=rxvt-unicode-256color; apt-get -q update && apt-get -q -y upgrade && apt-get -q -y autoremove + +# Tools to install on Debian hosts +tools_package: + - sudo + - curl + - sed + - grep + - net-tools + diff --git a/group_vars/os_gentoo.yml b/group_vars/os_gentoo.yml new file mode 100644 index 0000000..26537a3 --- /dev/null +++ b/group_vars/os_gentoo.yml 
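Review bot: The vault template defines `vault_private_key_backup_ser_host`, but group_vars/backup.yml on this same line reads `vault_private_key_backup_user_host`, so any host in the `backup` group fails with an undefined variable as soon as `private_key_backup_user_host` is evaluated (the public-key name does match). Rename the template key: `vault_private_key_backup_user_host: |`. The `vault_public_key_:` line looks like a placeholder whose user suffix was stripped; spelling it as `vault_public_key_<user>` in the template would make the copy-and-edit step described in the README unambiguous.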
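Review bot: The Debian `cron_upgrade_job` in group_vars/os_debian.yml runs `apt-get -q -y upgrade` unattended from cron without `DEBIAN_FRONTEND=noninteractive`, so a package that raises a debconf prompt may stall the job rather than fail cleanly; the same default string is repeated in roles/auto_upgrade/defaults/main.yml further down. Note also that `apt-get upgrade` never installs new packages, so an update that pulls in a new dependency is held back and the host stays on the old version without anything reporting it. Suggest `cron_upgrade_job: export DEBIAN_FRONTEND=noninteractive; export PATH=$PATH:/usr/local/sbin:/usr/sbin:/sbin; apt-get -q update && apt-get -q -y upgrade && apt-get -q -y autoremove` and documenting the held-back behaviour next to it.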
@@ -0,0 +1,32 @@ +# Service and package's name of NTP client on Gentoo +ntp_service_name: ntpd +ntp_package: ntp + +# Package's name of sudo package on Gentoo +sudo_package: sudo + +# Service and package's name of CRON on Gentoo +cron_service_name: cronie +cron_package: cronie + +# Sudoers' group name on Gentoo +sudo_group: wheel + +# Command to run to execute a Gentoo update +cron_upgrade_job: emerge --sync --quiet && emerge --quiet-build -uvDN @world && emerge --quiet-build @preserved-rebuild && emerge --depclean && eselect news read + +# Tools to install on Gentoo hosts +tools_package: + - bind-tools + - vim + - tcpdump + - gentoolkit + - tmux + - htop + - sudo + - curl + - sed + - awk + - grep + - jq + - mailutils diff --git a/host_vars/host.example.org b/host_vars/host.example.org new file mode 100644 index 0000000..5778282 --- /dev/null +++ b/host_vars/host.example.org @@ -0,0 +1,26 @@ +# Enable auto reboot +#auto_reboot: true + +# Cron task scheduling for auto reboot +#cron_reboot_minute: "50" +#cron_reboot_hour: "0" +#cron_reboot_day: "*" +#cron_reboot_month: "*" +#cron_reboot_weekday: "1" + +# Set to true if you want to enable auto upgrade +#auto_upgrade: true + +# Cron task scheduling for auto upgrade +#cron_upgrade_minute: "25" +#cron_upgrade_hour: "0" +#cron_upgrade_day: "*" +#cron_upgrade_month: "*" +#cron_upgrade_weekday: "*" + +# All authorized TCP ports +#tcp_authorized_ports: +# - 22 + +# All incoming authorized IP (all ports and all protocols) +#ip_authorized: [] diff --git a/inventory_template.yml b/inventory_template.yml new file mode 100644 index 0000000..981381f --- /dev/null +++ b/inventory_template.yml 
@@ -0,0 +1,20 @@ +all: + vars: + ansible_user: ansible + ansible_become: yes + children: + function: + children: + backup_server: + hosts: + myFirstGentooHost.example.org: + os: + children: + os_gentoo: + hosts: + myFirstGentooHost.example.org: + mySecondGentooHost.anotherexample.org: + os_debian: + hosts: + myFirstDebianHost.example.org: + mySecondDebianHost.anotherexample.org: diff --git a/playbook_general_deploy.yml b/playbook_general_deploy.yml new file mode 100644 index 0000000..e77e83e --- /dev/null +++ b/playbook_general_deploy.yml @@ -0,0 +1,10 @@ +--- +- hosts: all + roles: + - auto_reboot + - auto_upgrade + #- client_iptables # Role not well defined now + - client_ntp + - client_resolvers + - client_tools + - users_sudo diff --git a/requirements.yml b/requirements.yml new file mode 100644 index 0000000..ed97d53 --- /dev/null +++ b/requirements.yml @@ -0,0 +1 @@ +--- diff --git a/roles/auto_reboot/README.md b/roles/auto_reboot/README.md new file mode 100644 index 0000000..7287518 --- /dev/null +++ b/roles/auto_reboot/README.md @@ -0,0 +1,50 @@ +Ansible Role: auto reboot +========= + +This role defines a contask to auto-reboot a GNU/Linux server. + +Requirements +------------ + +None. + +Role Variables +-------------- + +All variables and default values are defined in `defaults/main.yml` : + + # Cron task scheduling for auto reboot + cron_reboot_minute: "0" + cron_reboot_hour: "3" + cron_reboot_day: "*" + cron_reboot_month: "*" + cron_reboot_weekday: "*" + + # Set to true if you want to enable auto reboot + auto_reboot: false + + # Name of the cron service and cron package (depends on your OS, can be cron, cronie, crond...) + cron_service_name: cron + cron_package: cron + +Dependencies +------------ + +None. + +Example Playbook +---------------- + + - hosts: all + roles: + - auto_reboot + +License +------- + +BSD + +Author Information +------------------ + +This role was created in 2020 by Nemo. 
diff --git a/roles/auto_reboot/defaults/main.yml b/roles/auto_reboot/defaults/main.yml new file mode 100644 index 0000000..d0f2c0d --- /dev/null +++ b/roles/auto_reboot/defaults/main.yml @@ -0,0 +1,16 @@ +--- +# defaults file for client_reboot + +# Cron task scheduling for auto reboot +cron_reboot_minute: "0" +cron_reboot_hour: "3" +cron_reboot_day: "*" +cron_reboot_month: "*" +cron_reboot_weekday: "*" + +# Set to true if you want to enable auto reboot +auto_reboot: false + +# Name of the cron service and cron package (depends on your OS, can be cron, cronie, crond...) +cron_service_name: cron +cron_package: cron diff --git a/roles/auto_reboot/handlers/main.yml b/roles/auto_reboot/handlers/main.yml new file mode 100644 index 0000000..5b1e2c2 --- /dev/null +++ b/roles/auto_reboot/handlers/main.yml @@ -0,0 +1,8 @@ +--- +# handlers file for client_reboot + +- name: "restart cron" + service: + name: "{{ cron_service_name }}" + enabled: yes + state: restarted diff --git a/roles/auto_reboot/meta/main.yml b/roles/auto_reboot/meta/main.yml new file mode 100644 index 0000000..6e86d27 --- /dev/null +++ b/roles/auto_reboot/meta/main.yml @@ -0,0 +1,29 @@ +galaxy_info: + author: nemo + description: Auto reboot for GNU/Linux. + company: Wirebrass + + license: license (BSD) + + min_ansible_version: 2.4 + + platforms: + - name: Debian + versions: + - stretch + - buster + - name: Gentoo + versions: + - all + - name: EL + versions: + - 7 + + galaxy_tags: + - reboot + - system + - server + - cron + - auto + +dependencies: [] diff --git a/roles/auto_reboot/tasks/crontask.yml b/roles/auto_reboot/tasks/crontask.yml new file mode 100644 index 0000000..4f9b10a --- /dev/null +++ b/roles/auto_reboot/tasks/crontask.yml 
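Review bot: The header comments in roles/auto_reboot/defaults/main.yml and roles/auto_reboot/handlers/main.yml name the role `client_reboot`, while the directory, README and meta/main.yml call it `auto_reboot`; the same copy-pasted header appears later in roles/client_iptables/defaults/main.yml. Suggest `# defaults file for auto_reboot` and `# handlers file for auto_reboot`.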
@@ -0,0 +1,13 @@
+---
+- name: crontask configured
+ cron:
+ name: "Auto reboot"
+ user: root
+ minute: "{{ cron_reboot_minute }}"
+ hour: "{{ cron_reboot_hour }}"
+ day: "{{ cron_reboot_day }}"
+ month: "{{ cron_reboot_month }}"
+ weekday: "{{ cron_reboot_weekday }}"
+ job: /sbin/reboot
+ notify: restart cron
+ when: auto_reboot # Only if auto reboot is enabled for this host or group of hosts
diff --git a/roles/auto_reboot/tasks/main.yml b/roles/auto_reboot/tasks/main.yml
new file mode 100644
index 0000000..3d54f34
--- /dev/null
+++ b/roles/auto_reboot/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+# Main tasks file for auto_reboot
+
+- import_tasks: package.yml
+- import_tasks: crontask.yml
diff --git a/roles/auto_reboot/tasks/package.yml b/roles/auto_reboot/tasks/package.yml
new file mode 100644
index 0000000..e836610
--- /dev/null
+++ b/roles/auto_reboot/tasks/package.yml
@@ -0,0 +1,7 @@
+---
+- name: Cron installed
+ package:
+ name: "{{ cron_package }}"
+ state: present
+ notify: restart cron
+ when: auto_reboot # Only if auto reboot is enabled for this host or group of hosts
diff --git a/roles/auto_upgrade/README.md b/roles/auto_upgrade/README.md
new file mode 100644
index 0000000..3c17c47
--- /dev/null
+++ b/roles/auto_upgrade/README.md
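Review bot: `when: auto_reboot` in crontask.yml only gates adding the job, so a host that once had `auto_reboot: true` and is later switched to false keeps the root `/sbin/reboot` crontab entry indefinitely; the same pattern is in roles/auto_upgrade/tasks/crontask.yml further down. Drive the `cron` module's state from the flag instead, `state: "{{ 'present' if auto_reboot else 'absent' }}"`, and drop the `when`; the `absent` path needs the crontab binary, so the package task in this role would then have to install cron unconditionally. `notify: restart cron` is probably not needed for a crontab edit, since cron daemons re-read the spool on change — confirm for cronie before removing it.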
@@ -0,0 +1,55 @@ +Ansible Role: auto upgrade +========= + +This role defines a contask to auto-upgrade a GNU/Linux server. + +Requirements +------------ + +None. + +Role Variables +-------------- + +All variables and default values are defined in `defaults/main.yml` : + + # Cron task scheduling for auto upgrade + cron_upgrade_minute: "0" + cron_upgrade_hour: "2" + cron_upgrade_day: "*" + cron_upgrade_month: "*" + cron_upgrade_weekday: "*" + + # Set to true if you want to enable auto upgrade + auto_upgrade: false + + # Name of the cron service and cron package (depends on your OS, can be cron, cronie, crond...) + cron_service_name: cron + cron_package: cron + + # Default upgrade task configured for Debian + cron_upgrade_job: export PATH=$PATH:/usr/local/sbin:/usr/sbin:/sbin; export TERM=rxvt-unicode-256color; apt-get -q update && apt-get -q -y upgrade && apt-get -q -y autoremove + +*WARNING :* by default, the `cron_upgrade_job` is configured for Debian family distribution, you need to change the value if you are using another OS. + +Dependencies +------------ + +None. + +Example Playbook +---------------- + + - hosts: all + roles: + - auto_upgrade + +License +------- + +BSD + +Author Information +------------------ + +This role was created in 2020 by Nemo. diff --git a/roles/auto_upgrade/defaults/main.yml b/roles/auto_upgrade/defaults/main.yml new file mode 100644 index 0000000..ddd9e5f --- /dev/null +++ b/roles/auto_upgrade/defaults/main.yml 
@@ -0,0 +1,19 @@ +--- +# defaults file for auto_upgrade + +# Cron task scheduling for auto upgrade +cron_upgrade_minute: "0" +cron_upgrade_hour: "2" +cron_upgrade_day: "*" +cron_upgrade_month: "*" +cron_upgrade_weekday: "*" + +# Set to true if you want to enable auto upgrade +auto_upgrade: false + +# Name of the cron service and cron package (depends on your OS, can be cron, cronie, crond...) +cron_service_name: cron +cron_package: cron + +# Default upgrade task configured for Debian +cron_upgrade_job: export PATH=$PATH:/usr/local/sbin:/usr/sbin:/sbin; export TERM=rxvt-unicode-256color; apt-get -q update && apt-get -q -y upgrade && apt-get -q -y autoremove diff --git a/roles/auto_upgrade/handlers/main.yml b/roles/auto_upgrade/handlers/main.yml new file mode 100644 index 0000000..8e3015e --- /dev/null +++ b/roles/auto_upgrade/handlers/main.yml @@ -0,0 +1,8 @@ +--- +# handlers file for auto_upgrade + +- name: "restart cron" + service: + name: "{{ cron_service_name }}" + enabled: yes + state: restarted diff --git a/roles/auto_upgrade/meta/main.yml b/roles/auto_upgrade/meta/main.yml new file mode 100644 index 0000000..dc3818b --- /dev/null +++ b/roles/auto_upgrade/meta/main.yml @@ -0,0 +1,29 @@ +galaxy_info: + author: nemo + description: Auto upgrade crontask for GNU/Linux. + company: Wirebrass + + license: license (BSD) + + min_ansible_version: 2.4 + + platforms: + - name: Debian + versions: + - stretch + - buster + - name: Gentoo + versions: + - all + - name: EL + versions: + - 7 + + galaxy_tags: + - upgrade + - system + - server + - cron + - auto + +dependencies: [] diff --git a/roles/auto_upgrade/tasks/crontask.yml b/roles/auto_upgrade/tasks/crontask.yml new file mode 100644 index 0000000..fc839d0 --- /dev/null +++ b/roles/auto_upgrade/tasks/crontask.yml 
@@ -0,0 +1,13 @@ +--- +- name: crontask configured + cron: + name: "Auto upgrade" + user: root + minute: "{{ cron_upgrade_minute }}" + hour: "{{ cron_upgrade_hour }}" + day: "{{ cron_upgrade_day }}" + month: "{{ cron_upgrade_month }}" + weekday: "{{ cron_upgrade_weekday }}" + job: "{{ cron_upgrade_job }}" + notify: restart cron + when: auto_upgrade # Only if auto upgrade is enabled for this host or group of hosts diff --git a/roles/auto_upgrade/tasks/main.yml b/roles/auto_upgrade/tasks/main.yml new file mode 100644 index 0000000..a13e48a --- /dev/null +++ b/roles/auto_upgrade/tasks/main.yml @@ -0,0 +1,5 @@ +--- +# Main tasks file for auto_upgrade + +- import_tasks: package.yml +- import_tasks: crontask.yml diff --git a/roles/auto_upgrade/tasks/package.yml b/roles/auto_upgrade/tasks/package.yml new file mode 100644 index 0000000..dbdc5d8 --- /dev/null +++ b/roles/auto_upgrade/tasks/package.yml @@ -0,0 +1,7 @@ +--- +- name: Cron installed + package: + name: "{{ cron_package }}" + state: present + notify: restart cron + when: auto_upgrade # Only if auto upgrade is enabled for this host or group of hosts diff --git a/roles/client_iptables/README.md b/roles/client_iptables/README.md new file mode 100644 index 0000000..c72494b --- /dev/null +++ b/roles/client_iptables/README.md @@ -0,0 +1,43 @@ +Ansible Role: client iptables +========= + +This role defines iptables rules for a GNU/Linux server. + +Requirements +------------ + +None. + +Role Variables +-------------- + +All variables and default values are defined in `defaults/main.yml` : + + # All authorized TCP ports + tcp_authorized_ports: + - 22 + + # All incoming authorized IP + ip_authorized: [] + +Dependencies +------------ + +None. + +Example Playbook +---------------- + + - hosts: all + roles: + - client_iptables + +License +------- + +BSD + +Author Information +------------------ + +This role was created in 2020 by Nemo. 
diff --git a/roles/client_iptables/defaults/main.yml b/roles/client_iptables/defaults/main.yml
new file mode 100644
index 0000000..2b5b972
--- /dev/null
+++ b/roles/client_iptables/defaults/main.yml
@@ -0,0 +1,9 @@
+---
+# defaults file for client_reboot
+
+# All authorized TCP ports
+tcp_authorized_ports:
+ - 22
+
+# All incoming authorized IP (all ports and all protocols)
+ip_authorized: []
diff --git a/roles/client_iptables/files/iptables b/roles/client_iptables/files/iptables
new file mode 100644
index 0000000..7cec65f
--- /dev/null
+++ b/roles/client_iptables/files/iptables
@@ -0,0 +1,2 @@
+#!/bin/sh
+/sbin/iptables-restore < /etc/iptables.up.rules
diff --git a/roles/client_iptables/meta/main.yml b/roles/client_iptables/meta/main.yml
new file mode 100644
index 0000000..b103441
--- /dev/null
+++ b/roles/client_iptables/meta/main.yml
@@ -0,0 +1,26 @@
+galaxy_info:
+ author: nemo
+ description: Set iptables for GNU/Linux.
+ company: Wirebrass
+
+ license: license (BSD)
+
+ min_ansible_version: 2.4
+
+ platforms:
+ - name: Debian
+ versions:
+ - stretch
+ - buster
+ - name: Gentoo
+ versions:
+ - all
+
+ galaxy_tags:
+ - iptables
+ - firewall
+ - system
+ - server
+ - security
+
+dependencies: []
diff --git a/roles/client_iptables/tasks/boot.yml b/roles/client_iptables/tasks/boot.yml
new file mode 100644
index 0000000..bb15774
--- /dev/null
+++ b/roles/client_iptables/tasks/boot.yml
@@ -0,0 +1,9 @@
+---
+- name: Add load rules at boot
+ copy:
+ src: iptables
+ dest: /etc/network/if-pre-up.d/iptables
+ owner: root
+ group: root
+ mode: 0755
+
diff --git a/roles/client_iptables/tasks/iptables.yml b/roles/client_iptables/tasks/iptables.yml
new file mode 100644
index 0000000..ea8c73c
--- /dev/null
+++ b/roles/client_iptables/tasks/iptables.yml
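Review bot: `/etc/network/if-pre-up.d/` is an ifupdown hook directory, so the copy in boot.yml only restores the saved rules on Debian-style hosts; on a Gentoo host (listed under platforms in meta/main.yml) that directory is typically absent, so the task either fails or the rules are never reloaded and the host comes back from a reboot without the INPUT DROP policy. Gate the task with `when: ansible_os_family == "Debian"` and add an equivalent mechanism for the other platforms, or drop Gentoo from the platforms list until one exists. The header comment in defaults/main.yml on this line reads `# defaults file for client_reboot`; it should say `client_iptables`.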
@@ -0,0 +1,60 @@
+---
+- name: Iptables installed
+ package:
+ name: "iptables"
+ state: present
+
+- name: Allow related and established connections
+ iptables:
+ chain: INPUT
+ ctstate: ESTABLISHED,RELATED
+ jump: ACCEPT
+
+- name: Allow incoming on localhost interface
+ iptables:
+ chain: INPUT
+ in_interface: lo
+ jump: ACCEPT
+
+- name: Allow incoming ICMP
+ iptables:
+ chain: INPUT
+ protocol: icmp
+ jump: ACCEPT
+
+- name: Allow new incoming connections on TCP port 22 (SSH).
+ iptables:
+ chain: INPUT
+ protocol: tcp
+ destination_port: 22
+ jump: ACCEPT
+ comment: Accept new connections on port "22".
+
+- name: Allow new incoming connections on TCP port (dynamic list).
+ iptables:
+ chain: INPUT
+ protocol: tcp
+ destination_port: "{{ item }}"
+ jump: ACCEPT
+ comment: Accept new connections on port "{{ item }}".
+ loop: "{{ tcp_authorized_ports }}"
+ when: tcp_authorized_ports is defined and (tcp_authorized_ports|length>0)
+
+- name: Allow new incoming connections from specific IP (dynamic list).
+ iptables:
+ chain: INPUT
+ source: "{{ item }}"
+ jump: ACCEPT
+ comment: Accept new connections from IP "{{ item }}".
+ loop: "{{ ip_authorized }}"
+ when: ip_authorized is defined and (ip_authorized|length>0)
+
+- name: Set the policy for the FORWARD chain to DROP
+ iptables:
+ chain: FORWARD
+ policy: DROP
+
+- name: Set the policy for the INPUT chain to DROP
+ iptables:
+ chain: INPUT
+ policy: DROP
diff --git a/roles/client_iptables/tasks/main.yml b/roles/client_iptables/tasks/main.yml
new file mode 100644
index 0000000..eb9e708
--- /dev/null
+++ b/roles/client_iptables/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+# Main tasks file for client_iptables
+
+- import_tasks: package.yml
+- import_tasks: iptables.yml
+- import_tasks: save.yml
+- import_tasks: boot.yml
diff --git a/roles/client_iptables/tasks/package.yml b/roles/client_iptables/tasks/package.yml
new file mode 100644
index 0000000..cb0fda2
--- /dev/null
+++ b/roles/client_iptables/tasks/package.yml
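Review bot: Every rule in iptables.yml is IPv4-only (the `iptables` module defaults to `ip_version: ipv4`) and nothing configures ip6tables, while the repo's default resolvers are partly IPv6 addresses — so on a dual-stack host the INPUT DROP policy applies to v4 only and every listening service remains reachable over v6. At minimum the established/related, loopback, ICMPv6, authorized-port and policy tasks need `ip_version: ipv6` counterparts, and save.yml and the boot script on the previous line need `ip6tables-save`/`ip6tables-restore` as well. The `Iptables installed` task at the top duplicates roles/client_iptables/tasks/package.yml, which main.yml imports just before this file. The fixed port 22 rule and the `tcp_authorized_ports` loop (default `[22]`) also yield two rules for the same port, and none of the ACCEPT rules carry `ctstate: NEW` despite their comments.
```yaml
# … unchanged: IPv4 rules …

- name: Allow related and established connections (IPv6)
  iptables:
    ip_version: ipv6
    chain: INPUT
    ctstate: ESTABLISHED,RELATED
    jump: ACCEPT

- name: Allow incoming on localhost interface (IPv6)
  iptables:
    ip_version: ipv6
    chain: INPUT
    in_interface: lo
    jump: ACCEPT

- name: Allow incoming ICMPv6 (neighbour discovery needs it)
  iptables:
    ip_version: ipv6
    chain: INPUT
    protocol: ipv6-icmp
    jump: ACCEPT

- name: Allow new incoming connections on TCP port (dynamic list, IPv6)
  iptables:
    ip_version: ipv6
    chain: INPUT
    protocol: tcp
    destination_port: "{{ item }}"
    ctstate: NEW
    jump: ACCEPT
  loop: "{{ tcp_authorized_ports }}"

- name: Set the policy for the FORWARD and INPUT chains to DROP (IPv6)
  iptables:
    ip_version: ipv6
    chain: "{{ item }}"
    policy: DROP
  loop:
    - FORWARD
    - INPUT
```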
@@ -0,0 +1,5 @@
+---
+- name: Iptables installed
+ package:
+ name: "iptables"
+ state: present
diff --git a/roles/client_iptables/tasks/save.yml b/roles/client_iptables/tasks/save.yml
new file mode 100644
index 0000000..50687c3
--- /dev/null
+++ b/roles/client_iptables/tasks/save.yml
@@ -0,0 +1,3 @@
+---
+- name: Save iptables rules
+ shell: iptables-save > /etc/iptables.up.rules
diff --git a/roles/client_ntp/README.md b/roles/client_ntp/README.md
new file mode 100644
index 0000000..4b11928
--- /dev/null
+++ b/roles/client_ntp/README.md
@@ -0,0 +1,40 @@
+Ansible Role: client ntp
+=========
+
+This role set up NTP client for a GNU/Linux server.
+
+Requirements
+------------
+
+None.
+
+Role Variables
+--------------
+
+All variables and default values are defined in `defaults/main.yml` :
+
+ # Name of the ntp service and ntp package (depends on your OS, can be ntp, ntpd...)
+ ntp_service_name: ntpd
+ ntp_package: ntp
+
+Dependencies
+------------
+
+None.
+
+Example Playbook
+----------------
+
+ - hosts: all
+ roles:
+ - client_ntp
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+This role was created in 2020 by Nemo.
diff --git a/roles/client_ntp/defaults/main.yml b/roles/client_ntp/defaults/main.yml
new file mode 100644
index 0000000..7e3ab79
--- /dev/null
+++ b/roles/client_ntp/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+# defaults file for client_ntp
+
+# Name of the ntp service and ntp package (depends on your OS, can be ntp, ntpd...)
+ntp_service_name: ntpd
+ntp_package: ntp
diff --git a/roles/client_ntp/meta/main.yml b/roles/client_ntp/meta/main.yml
new file mode 100644
index 0000000..e8f9321
--- /dev/null
+++ b/roles/client_ntp/meta/main.yml
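Review bot: The `shell: iptables-save > /etc/iptables.up.rules` task in save.yml reports `changed` on every run and creates the file with whatever umask the remote shell has, so the full ruleset — including the `ip_authorized` list — is presumably world-readable; it also dumps only the IPv4 tables, matching the v4-only rules in iptables.yml. Suggest `shell: umask 077; iptables-save > /etc/iptables.up.rules` and turning the task into a handler notified by the rule tasks in iptables.yml, or at least adding `changed_when: false` so unchanged runs stay idempotent in the play recap.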
@@ -0,0 +1,25 @@ +galaxy_info: + author: nemo + description: Set up NTP client service for GNU/Linux. + company: Wirebrass + + license: license (BSD) + + min_ansible_version: 2.4 + + platforms: + - name: Debian + versions: + - stretch + - buster + - name: Gentoo + versions: + - all + + galaxy_tags: + - ntp + - system + - server + - auto + +dependencies: [] diff --git a/roles/client_ntp/tasks/main.yml b/roles/client_ntp/tasks/main.yml new file mode 100644 index 0000000..cfde7d2 --- /dev/null +++ b/roles/client_ntp/tasks/main.yml @@ -0,0 +1,5 @@ +--- +# Main tasks file for client_ntp + +- import_tasks: package.yml +- import_tasks: service.yml diff --git a/roles/client_ntp/tasks/package.yml b/roles/client_ntp/tasks/package.yml new file mode 100644 index 0000000..00b5b33 --- /dev/null +++ b/roles/client_ntp/tasks/package.yml @@ -0,0 +1,5 @@ +--- +- name: NTP client installed + package: + name: "{{ ntp_package }}" + state: present diff --git a/roles/client_ntp/tasks/service.yml b/roles/client_ntp/tasks/service.yml new file mode 100644 index 0000000..737512e --- /dev/null +++ b/roles/client_ntp/tasks/service.yml @@ -0,0 +1,6 @@ +--- +- name: NTP client enabled + service: + name: "{{ ntp_service_name }}" + state: started + enabled: yes diff --git a/roles/client_resolvers/README.md b/roles/client_resolvers/README.md new file mode 100644 index 0000000..e8634b6 --- /dev/null +++ b/roles/client_resolvers/README.md 
@@ -0,0 +1,46 @@ +Ansible Role: client resolvers +========= + +This role defines DNS resolvers to use for a GNU/Linux server. + +Requirements +------------ + +None. + +Role Variables +-------------- + +All variables and default values are defined in `defaults/main.yml` : + + # DNS resolvers to use + resolvers: + - 2001:910:800::40 + - 80.67.169.12 + - 2001:913::8 + - 80.67.188.188 + + # Domain to use in the DNS "search" resolver field + main_domain: wirebrass.fr + +Dependencies +------------ + +None. + +Example Playbook +---------------- + + - hosts: all + roles: + - client_resolvers + +License +------- + +BSD + +Author Information +------------------ + +This role was created in 2020 by Nemo. diff --git a/roles/client_resolvers/defaults/main.yml b/roles/client_resolvers/defaults/main.yml new file mode 100644 index 0000000..33e1fc5 --- /dev/null +++ b/roles/client_resolvers/defaults/main.yml @@ -0,0 +1,12 @@ +--- +# defaults file for client_resolvers + +# DNS resolvers to use +resolvers: + - 2001:910:800::40 + - 80.67.169.12 + - 2001:913::8 + - 80.67.188.188 + +# Domain to use in the DNS "search" resolver field +main_domain: wirebrass.fr diff --git a/roles/client_resolvers/meta/main.yml b/roles/client_resolvers/meta/main.yml new file mode 100644 index 0000000..cbf408f --- /dev/null +++ b/roles/client_resolvers/meta/main.yml @@ -0,0 +1,26 @@ +galaxy_info: + author: nemo + description: Defines DNS resolvers to use for GNU/Linux. + company: Wirebrass + + license: license (BSD) + + min_ansible_version: 2.4 + + platforms: + - name: Debian + versions: + - stretch + - buster + - name: Gentoo + versions: + - all + + galaxy_tags: + - dns + - system + - server + - resolvers + - resolv + +dependencies: [] diff --git a/roles/client_resolvers/tasks/main.yml b/roles/client_resolvers/tasks/main.yml new file mode 100644 index 0000000..39a99f1 --- /dev/null +++ b/roles/client_resolvers/tasks/main.yml 
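Review bot: defaults/main.yml ships the maintainer's own configuration as the role default — four third-party public resolvers and `main_domain: wirebrass.fr` as the search suffix — so any host that includes `client_resolvers` without overriding these silently sends all of its name lookups in cleartext to external resolvers and appends a foreign search domain to unqualified names. Defaults in a reusable role should be neutral: set `resolvers: []` and `main_domain: ""` here and have the tasks fail fast when they are not supplied, or at minimum document in README.md whose resolvers these are and that they are unauthenticated plain-DNS endpoints. The same values are repeated verbatim in the README, so the two copies will drift unless the README points at `defaults/main.yml` instead of restating it.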
@@ -0,0 +1,4 @@ +--- +# Main tasks file for client_resolvers + +- import_tasks: resolv_conf.yml diff --git a/roles/client_resolvers/tasks/resolv_conf.yml b/roles/client_resolvers/tasks/resolv_conf.yml new file mode 100644 index 0000000..c21ff74 --- /dev/null +++ b/roles/client_resolvers/tasks/resolv_conf.yml @@ -0,0 +1,5 @@ +--- +- name: configure resolvers + template: + src: resolv.conf.j2 + dest: /etc/resolv.conf diff --git a/roles/client_resolvers/templates/resolv.conf.j2 b/roles/client_resolvers/templates/resolv.conf.j2 new file mode 100644 index 0000000..8d50222 --- /dev/null +++ b/roles/client_resolvers/templates/resolv.conf.j2 @@ -0,0 +1,4 @@ +search {{ main_domain }} +{% for resolver in resolvers %} +nameserver {{ resolver }} +{% endfor %} diff --git a/roles/client_tools/README.md b/roles/client_tools/README.md new file mode 100644 index 0000000..f9961b5 --- /dev/null +++ b/roles/client_tools/README.md @@ -0,0 +1,44 @@ +Ansible Role: client tools +========= + +This role install packages (tools) on a GNU/Linux server. + +Requirements +------------ + +None. + +Role Variables +-------------- + +All variables and default values are defined in `defaults/main.yml` : + + # All packages (tools) to install on the server + tools_package: + - sudo + - curl + - sed + - grep + - net-tools + +Dependencies +------------ + +None. + +Example Playbook +---------------- + + - hosts: all + roles: + - client_tools + +License +------- + +BSD + +Author Information +------------------ + +This role was created in 2020 by Nemo. diff --git a/roles/client_tools/defaults/main.yml b/roles/client_tools/defaults/main.yml new file mode 100644 index 0000000..0e43213 --- /dev/null +++ b/roles/client_tools/defaults/main.yml @@ -0,0 +1,10 @@ +--- +# defaults file for client_tools + +# All packages (tools) to install on the server +tools_package: + - sudo + - curl + - sed + - grep + - net-tools 
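Review bot: the `template` task in resolv_conf.yml sets neither `owner`/`group` nor `mode`, so `/etc/resolv.conf` inherits whatever umask the connecting user has, and nothing checks that `resolvers` is non-empty — with an empty list the template renders a resolv.conf with a `search` line and no `nameserver`, which breaks resolution for every service on the host. I would add an `assert` in front of the template and pin the file metadata explicitly, as below. On hosts running systemd-resolved, resolvconf or a DHCP client, `/etc/resolv.conf` is commonly a symlink or is regenerated, so the pinned resolvers may be silently replaced after the play; that is inferred from the target platforms, not from anything visible here, but the README should say which case the role expects.
```yaml
- name: Resolver list is non-empty
  assert:
    that:
      - resolvers is defined
      - resolvers | length > 0
    msg: "client_resolvers: 'resolvers' must contain at least one nameserver"

- name: configure resolvers
  template:
    src: resolv.conf.j2
    dest: /etc/resolv.conf
    owner: root
    group: root
    mode: "0644"
```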
diff --git a/roles/client_tools/meta/main.yml b/roles/client_tools/meta/main.yml new file mode 100644 index 0000000..250e142 --- /dev/null +++ b/roles/client_tools/meta/main.yml @@ -0,0 +1,26 @@ +galaxy_info: + author: nemo + description: Install tools on a GNU/Linux host. + company: Wirebrass + + license: license (BSD) + + min_ansible_version: 2.4 + + platforms: + - name: Debian + versions: + - stretch + - buster + - name: Gentoo + versions: + - all + + galaxy_tags: + - tools + - system + - server + - install + - package + +dependencies: [] diff --git a/roles/client_tools/tasks/main.yml b/roles/client_tools/tasks/main.yml new file mode 100644 index 0000000..64156da --- /dev/null +++ b/roles/client_tools/tasks/main.yml @@ -0,0 +1,4 @@ +--- +# Main tasks file for client_tools + +- import_tasks: package.yml diff --git a/roles/client_tools/tasks/package.yml b/roles/client_tools/tasks/package.yml new file mode 100644 index 0000000..001ba7a --- /dev/null +++ b/roles/client_tools/tasks/package.yml @@ -0,0 +1,9 @@ +--- +# Install tools task +- name: Tools installed + package: + name: "{{ item }}" + state: present + loop: "{{ tools_package }}" + when: tools_package is defined and (tools_package|length>0) + diff --git a/roles/users_sudo/README.md b/roles/users_sudo/README.md new file mode 100644 index 0000000..3130ade --- /dev/null +++ b/roles/users_sudo/README.md 
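Review bot: in package.yml the `when: tools_package is defined and (tools_package|length>0)` guard does not protect the `loop` expression, because Ansible expands `loop` before it evaluates `when` for each item, so an undefined `tools_package` still aborts the task with an undefined-variable error; the `length>0` half is redundant since an empty loop simply runs nothing. Drop the `when` and write `loop: "{{ tools_package | default([]) }}"` instead. Passing the whole list as `name:` would additionally let the package manager resolve everything in one transaction, but that depends on the underlying module accepting a list, so treat it as optional.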
@@ -0,0 +1,47 @@ +Ansible Role: users sudo +========= + +This role defines users in sudo group on a GNU/Linux server. + +Requirements +------------ + +None. + +Role Variables +-------------- + +All variables and default values are defined in `defaults/main.yml` : + + # HASH of Default user password when a new user is created + default_user_password: "" + + # Liste of all sudo users + sudo_users: [] + + # SSH public key of users to allow SSH connection witk SSH priv/pub keys + public_key: [] + +**WARNING :** all of these variables must be defined, else you may have some errors (use vault). + +Dependencies +------------ + +None. + +Example Playbook +---------------- + + - hosts: all + roles: + - users_sudo + +License +------- + +BSD + +Author Information +------------------ + +This role was created in 2020 by Nemo. diff --git a/roles/users_sudo/defaults/main.yml b/roles/users_sudo/defaults/main.yml new file mode 100644 index 0000000..3882a4d --- /dev/null +++ b/roles/users_sudo/defaults/main.yml @@ -0,0 +1,17 @@ +--- +# defaults file for docker_registry + +# Name of the sudo package (depends on the OS) +sudo_package: sudo + +# Sudoers' group name +sudo_group: sudo + +# HASH of Default user password when a new user is created +default_user_password: "" + +# Liste of all sudo users +sudo_users: [] + +# SSH public key of users to allow SSH connection witk SSH priv/pub keys +public_key: [] diff --git a/roles/users_sudo/meta/main.yml b/roles/users_sudo/meta/main.yml new file mode 100644 index 0000000..22a4abf --- /dev/null +++ b/roles/users_sudo/meta/main.yml @@ -0,0 +1,26 @@ +galaxy_info: + author: nemo + description: Condigure sudo users for GNU/Linux. + company: Wirebrass + + license: license (BSD) + + min_ansible_version: 2.4 + + platforms: + - name: Debian + versions: + - stretch + - buster + - name: Gentoo + versions: + - all + + galaxy_tags: + - sudo + - system + - server + - users + - sudoers + +dependencies: [] 
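Review bot: `default_user_password: ""` in defaults/main.yml is the value the later `user` task hands to the module as the crypted password on account creation, and an empty crypt field is not a disabled account but one with no password at all (what `useradd -p ''` produces); depending on the PAM `nullok` setting, local logins and `su` to such a sudo-group member then require no password. A reusable default for a privileged-user role should be a locked hash so operators must consciously supply a real one: `default_user_password: "!"` (or `"*"`), commented as `# Crypted password applied on account creation; "!" keeps the account locked until overridden (e.g. from vault)`. The header comment `# defaults file for docker_registry` is a copy-paste leftover and should read `# defaults file for users_sudo`. I am assuming the `user` module passes the empty string through unchanged rather than special-casing it.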
diff --git a/roles/users_sudo/tasks/group.yml b/roles/users_sudo/tasks/group.yml new file mode 100644 index 0000000..ea12664 --- /dev/null +++ b/roles/users_sudo/tasks/group.yml @@ -0,0 +1,6 @@ +--- +- name: Group sudo created + group: + name: "{{ sudo_group }}" + state: present + diff --git a/roles/users_sudo/tasks/main.yml b/roles/users_sudo/tasks/main.yml new file mode 100644 index 0000000..2057106 --- /dev/null +++ b/roles/users_sudo/tasks/main.yml @@ -0,0 +1,7 @@ +--- +# Main tasks file for users_sudo + +- import_tasks: package.yml +- import_tasks: group.yml +- import_tasks: users.yml + diff --git a/roles/users_sudo/tasks/package.yml b/roles/users_sudo/tasks/package.yml new file mode 100644 index 0000000..4076c70 --- /dev/null +++ b/roles/users_sudo/tasks/package.yml @@ -0,0 +1,6 @@ +--- +- name: Sudo installed + package: + name: "{{ sudo_package }}" + state: present + diff --git a/roles/users_sudo/tasks/users.yml b/roles/users_sudo/tasks/users.yml new file mode 100644 index 0000000..8eee004 --- /dev/null +++ b/roles/users_sudo/tasks/users.yml @@ -0,0 +1,20 @@ +--- +- name: Privileged users in group sudo + user: + name: "{{ item }}" + groups: "{{ sudo_group }}" + shell: /bin/bash + append: yes + password: "{{ default_user_password }}" + update_password: on_create + loop: "{{ sudo_users }}" + when: sudo_users is defined and (sudo_users|length>0) + +- name: Set up authorized key for users + authorized_key: + user: "{{ item }}" + state: present + key: "{{ public_key[item] }}" + loop: "{{ sudo_users }}" + when: sudo_users is defined and (sudo_users|length>0) and public_key[item] is defined +
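Review bot: in users.yml the authorized_key task is skipped when `public_key[item] is defined` is false, so a user listed in `sudo_users` without a key entry still gets a sudo-capable account whose only credential is `default_user_password` — a misconfiguration that should fail the play rather than pass silently, and `public_key` defaulting to `[]` while being indexed by username hides exactly that mistake (it should default to `{}`). With `state: present` the task only ever appends, so keys removed from `public_key` stay valid on the host; if this role is meant to own the sudo users' authorized_keys, `exclusive: yes` enforces the declared set (note it removes any manually added keys). As in the tools role, `sudo_users is defined` in `when` does not guard the `loop`, which is expanded first; `loop: "{{ sudo_users | default([]) }}"` does. The role also never removes users dropped from `sudo_users`, so offboarding needs a separate mechanism — worth a sentence in README.md.
```yaml
# … unchanged: "Privileged users in group sudo" task …

- name: Every sudo user has an SSH public key
  assert:
    that: public_key[item] is defined
    msg: "users_sudo: no public key declared for sudo user {{ item }}"
  loop: "{{ sudo_users | default([]) }}"

- name: Set up authorized key for users
  authorized_key:
    user: "{{ item }}"
    state: present
    exclusive: yes
    key: "{{ public_key[item] }}"
  loop: "{{ sudo_users | default([]) }}"
```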