v0.1 done: docker webhosts, smtp gateway

2022-01-01 19:24:52 +01:00 · 2022-01-01 19:24:52 +01:00 · 3a460cc704
commit 3a460cc704
28 changed files with 470 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,2 @@
+.vault_password_file
+venv/
--- a/inventory.yaml
+++ b/inventory.yaml
@ -0,0 +1,14 @@
+---
+all:
+  vars:
+    ansible_become: true
+    ansible_user: ansible
+  hosts:
+    kube-master-luna:
+      legit_uplink:
+        interface: enp1s0
+        gateway: 192.168.100.1
+        address: 192.168.100.10
+      legit_cluster_network:
+        interface: enp8s0
+        address: 192.168.8.10
--- a/prepare.yaml
+++ b/prepare.yaml
@ -0,0 +1,32 @@
+---
+- name: "prepare vms for kmlabs-k8s-cluster"
+  hosts: all
+  handlers:
+    - name: "netplanapply"
+      command: netplan apply
+      async: 45
+      poll: 0
+
+    - name: "restartkubelet"
+      systemd: 
+        name: kubelet
+        state: restarted
+
+  tasks:
+    - name: "do apt stuff"
+      import_tasks: tasks/apt.yaml
+
+    - name: "disable cloudinit"
+      import_tasks: tasks/disable-cloudinit.yaml
+
+    - name: "remove snap"
+      import_tasks: tasks/remove-snap.yaml
+
+    - name: "clean motd"
+      import_tasks: tasks/clean-motd.yaml
+
+    - name: "fix dns"
+      import_tasks: tasks/fix-dns-resolution.yaml
+
+    - name: "setup networking"
+      import_tasks: tasks/static-networking.yaml
--- a/roles/common/defaults/main.yaml
+++ b/roles/common/defaults/main.yaml
@ -0,0 +1,7 @@
+---
+# defaults file for timedatectl
+timedatectl_timeservers: ['noc-a.sch.bme.hu', 'noc-b.sch.bme.hu']
+
+timedatectl_timeservers_fallback: ['time.bme.hu']
+
+timedatectl_timezone: 'Europe/Budapest'
--- a/roles/common/handlers/main.yaml
+++ b/roles/common/handlers/main.yaml
@ -0,0 +1,8 @@
+---
+- name: run Timedatectl
+  command: timedatectl set-ntp true
+
+- name: "netplanapply"
+  command: netplan apply
+  async: 45
+  poll: 0
--- a/roles/common/tasks/apt.yaml
+++ b/roles/common/tasks/apt.yaml
@ -0,0 +1,37 @@
+---
+- name: "Remove Ubuntu bloatware"
+  apt: 
+    state: absent
+    name: ubutu-server
+    autoremove: yes
+
+- name: "Update machine"
+  apt:
+    update_cache: yes
+    upgrade: yes
+    autoclean: yes
+    autoremove: yes
+
+- name: "Install my favourite applications"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - tmux
+     - htop
+     - dnsutils
+     - needrestart
+     - curl
+     - wget
+     - netcat-openbsd
+     - tree
+     - net-tools
+     - nano
+     - psmisc
+     - python3
+     - python3-venv
+     - strace
+     - ifstat
+     - tcpdump
+     - xxd
+     - git
--- a/roles/common/tasks/clean-motd.yaml
+++ b/roles/common/tasks/clean-motd.yaml
@ -0,0 +1,13 @@
+---
+- name: clean motd
+  file:
+    state: file
+    path: /etc/update-motd.d/{{ item }}
+    owner: root
+    group: root
+    mode: "0000"
+  with_items:
+    - 10-help-text
+    - 50-landscape-sysinfo
+    - 50-motd-news
+    - 91-release-upgrade
--- a/roles/common/tasks/disable-cloudinit.yaml
+++ b/roles/common/tasks/disable-cloudinit.yaml
@ -0,0 +1,13 @@
+---
+- name: disable cloudinit
+  copy:
+    content: ""
+    dest: /etc/cloud/cloud-init.disabled
+    force: no
+
+- name: disable network autoconfig
+  copy:
+    content: "network: {config: disabled}"
+    dest: /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
+    force: no
+
--- a/roles/common/tasks/firewalld.yaml
+++ b/roles/common/tasks/firewalld.yaml
@ -0,0 +1,27 @@
+---
+- name: "Install Docker via apt"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - firewalld
+
+- name: Start and enable firewalld
+  service:
+    name: firewalld
+    state: restarted
+    enabled: yes
+
+- name: Permit traffic in public zone for https service
+  ansible.posix.firewalld:
+    zone: public
+    service: https
+    permanent: yes
+    state: enabled
+
+- name: Permit traffic in public zone for ssh service
+  ansible.posix.firewalld:
+    zone: public
+    service: ssh
+    permanent: yes
+    state: enabled
--- a/roles/common/tasks/remove-snap.yaml
+++ b/roles/common/tasks/remove-snap.yaml
@ -0,0 +1,18 @@
+---
+- name: Remove snapd from Ubuntu
+  apt:
+    name: snapd
+    state: absent
+    purge: yes
+  when: ansible_distribution == "Ubuntu"
+
+- name: Remove snapd-related directories
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /snap
+    - /var/snap
+    - /var/lib/snapd
+    - "/home/{{ ansible_user }}/snap"
+  when: ansible_distribution == "Ubuntu"
--- a/roles/common/tasks/serivce-user.yaml
+++ b/roles/common/tasks/serivce-user.yaml
@ -0,0 +1,7 @@
+---
+- name: "Add service user with docker group membership"
+  ansible.builtin.user:
+    name: service-user
+    comment: Service user
+    groups: docker
+    append: yes
--- a/roles/common/tasks/ssh-security-settings.yaml
+++ b/roles/common/tasks/ssh-security-settings.yaml
@ -0,0 +1,40 @@
+---
+- name: Disable password authentication
+  replace:
+    path: /etc/ssh/sshd_config
+    regexp: 'PasswordAuthentication yes'
+    replace: 'PasswordAuthentication no'
+
+- name: Disable root authentication
+  replace:
+    path: /etc/ssh/sshd_config
+    regexp: '#PermitRootLogin prohibit-password'
+    replace: 'PermitRootLogin no'
+
+- name: Disable X11 forwarding
+  replace:
+    path: /etc/ssh/sshd_config
+    regexp: 'X11Forwarding yes'
+    replace: 'X11Forwarding no'
+
+- name: Explicitly only listen on ipv4
+  replace:
+    path: /etc/ssh/sshd_config
+    regexp: '#AddressFamily any'
+    replace: 'AddressFamily inet'
+
+- name: Check if AllowUsers is defined
+  lineinfile:
+    state: absent
+    path: /etc/ssh/sshd_config
+    regexp: "^AllowUsers"
+  check_mode: true
+  changed_when: false
+  register: checkallowusers
+
+- name: Define AllowUsers if undefined
+  lineinfile:
+    state: present
+    path: /etc/ssh/sshd_config
+    line: "AllowUsers tormakris ansible service-user"
+  when: checkallowusers.found == 0
--- a/roles/common/tasks/static-networking.yaml
+++ b/roles/common/tasks/static-networking.yaml
@ -0,0 +1,16 @@
+---
+- name: "remove cloudinit config"
+  file:
+    path: /etc/netplan/50-cloud-init.yaml
+    state: absent
+
+- name: "remove installer config"
+  file:
+    path: /etc/netplan/00-installer-config.yaml
+    state: absent
+
+- name: "install static config"
+  template:
+    src: templates/netplan.yaml
+    dest: /etc/netplan/00-static.yaml
+  notify: netplanapply
--- a/roles/common/tasks/timesync.yaml
+++ b/roles/common/tasks/timesync.yaml
@ -0,0 +1,18 @@
+---
+- name: Setup timesync config
+  template:
+    src: timesyncd.conf.template
+    dest: /etc/systemd/timesyncd.conf
+  notify: run Timedatectl
+  when: ansible_service_mgr == "systemd"
+
+- name: set Timezone
+  timezone: name={{ timedatectl_timezone }}
+  when: ansible_service_mgr == "systemd"
+
+- name: Reastart timesyncd to apply changes
+  when: ansible_service_mgr == "systemd"
+  ansible.builtin.systemd:
+    state: restarted
+    daemon_reload: yes
+    name: systemd-timesyncd
--- a/roles/common/templates/netplan.yaml
+++ b/roles/common/templates/netplan.yaml
@ -0,0 +1,10 @@
+# {{ansible_managed}}
+network:
+  version: 2
+  renderer: networkd
+  ethernets:
+    ens192:
+      dhcp4: true
+      dhcp4-overrides:
+        use-routes: false
+      gateway4: {{default_gateway}}
--- a/roles/common/templates/timesyncd.conf
+++ b/roles/common/templates/timesyncd.conf
@ -0,0 +1,5 @@
+# {{ansible_managed}}
+[Time]
+NTP={% for server in timedatectl_timeservers %} {{ server}} {% endfor %}
+
+FallbackNTP={% for server in timedatectl_timeservers_fallback %} {{ server}} {% endfor %}
--- a/roles/docker/files/daemon.json
+++ b/roles/docker/files/daemon.json
@ -0,0 +1,3 @@
+{
+    "userland-proxy": false
+}
--- a/roles/docker/tasks/docker.yaml
+++ b/roles/docker/tasks/docker.yaml
@ -0,0 +1,21 @@
+---
+- name: "Install Docker via apt"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - docker.io
+     - docker-compose
+
+- name: Disable userland proxy
+  copy:
+    src: daemon.json
+    dest: /etc/docker/daemon.json
+    mode: 644
+    owner: root
+
+- name: Enable and restart Docker daemon
+  service:
+    name: docker
+    state: restarted
+    enabled: yes
--- a/roles/internalsmtp/defaults/main.yaml
+++ b/roles/internalsmtp/defaults/main.yaml
@ -0,0 +1,4 @@
+---
+postfix_relayhost: 'smtp.stargate.internal'
+
+external_domain: 'kmlabz.com'
--- a/roles/internalsmtp/tasks/postfix.yaml
+++ b/roles/internalsmtp/tasks/postfix.yaml
@ -0,0 +1,18 @@
+---
+- name: "Install Postfix via apt"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - postfix
+
+- name: Install Postfix forwarder config
+  template:
+    src: templates/main.cf
+    dest: /etc/postfix/main.cf
+
+- name: Restart Postfix
+  service:
+    name: postfix
+    state: restarted
+    enabled: yes
--- a/roles/internalsmtp/templates/main.cf
+++ b/roles/internalsmtp/templates/main.cf
@ -0,0 +1,32 @@
+# {{ansible_managed}}
+
+smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
+biff = no
+
+append_dot_mydomain = no
+
+readme_directory = no
+
+compatibility_level = 2
+
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_security_level=may
+
+smtp_tls_CApath=/etc/ssl/certs
+smtp_tls_security_level=encrypt
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = {{ansible_hostname}}.{{external_domain}}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = {{ansible_hostname}}.{{external_domain}}, $myhostname, {{ansible_hostname}}, localhost.localdomain, localhost
+relayhost = {{postfix_relayhost}}
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
--- a/roles/smtpgateway/defaults/main.yaml
+++ b/roles/smtpgateway/defaults/main.yaml
@ -0,0 +1,5 @@
+---
+postfix_relayhost: 'smtp.sendgrid.net'
+external_domain: 'kmlabz.com'
+username: lofasz
+password: lofasz
--- a/roles/smtpgateway/tasks/postfix.yaml
+++ b/roles/smtpgateway/tasks/postfix.yaml
@ -0,0 +1,27 @@
+---
+- name: "Install Postfix via apt"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - postfix
+
+- name: Install Postfix SASL credentials
+  template:
+    src: templates/sasl_passwd
+    mode: 600
+    dest: /etc/postfix/sasl_passwd
+
+- name: Install Postfix mail gateway config
+  template:
+    src: templates/main.cf
+    dest: /etc/postfix/main.cf
+
+- name: Build hashtable of SASL creds
+  command: postmap /etc/postfix/sasl_passwd
+
+- name: Restart Postfix
+  service:
+    name: postfix
+    state: restarted
+    enabled: yes
--- a/roles/smtpgateway/templates/main.cf
+++ b/roles/smtpgateway/templates/main.cf
@ -0,0 +1,37 @@
+# {{ansible_managed}}
+
+smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
+biff = no
+
+append_dot_mydomain = no
+
+readme_directory = no
+
+compatibility_level = 2
+
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_security_level=may
+
+smtp_tls_CApath=/etc/ssl/certs
+smtp_sasl_auth_enable = yes
+smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+smtp_sasl_security_options = noanonymous
+smtp_sasl_tls_security_options = noanonymous
+smtp_tls_security_level = encrypt
+header_size_limit = 4096000
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = {{ansible_hostname}}.{{external_domain}}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = {{ansible_hostname}}.{{external_domain}}, $myhostname, {{ansible_hostname}}, localhost.localdomain, localhost
+relayhost = {{postfix_relayhost}}
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
--- a/roles/smtpgateway/templates/sasl_passwd
+++ b/roles/smtpgateway/templates/sasl_passwd
@ -0,0 +1 @@
+[{{postfix_relayhost}}:587 {{username}}:{{password}}
--- a/roles/webgateway/tasks/apache.yaml
+++ b/roles/webgateway/tasks/apache.yaml
@ -0,0 +1,15 @@
+---
+- name: "Install Apache via apt"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - apache2
+
+# TODO: Felmasolni a templatelt konfigokat es bekapcsolni oket
+
+- name: Enable and restart Apache2 daemon
+  service:
+    name: apache2
+    state: restarted
+    enabled: yes
--- a/roles/webserver/files/apache-site.conf
+++ b/roles/webserver/files/apache-site.conf
@ -0,0 +1,17 @@
+<IfModule mod_ssl.c>
+        <VirtualHost _default_:443>
+                ServerAdmin webmaster@kmlabz.com
+
+                DocumentRoot /var/www/html
+
+                ErrorLog ${APACHE_LOG_DIR}/error.log
+                CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+                SSLEngine on
+                SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
+                SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+
+                ProxyPass "/" "http://127.0.0.1:8080/" retry=1 acquire=3000 timeout=600 Keepalive=On
+                ProxyPassReverse "/" "http://127.0.0.1:8080/"
+        </VirtualHost>
+</IfModule>
--- a/roles/webserver/tasks/apache.yaml
+++ b/roles/webserver/tasks/apache.yaml
@ -0,0 +1,23 @@
+---
+- name: "Install Apache via apt"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - apache2
+
+- name: Upload site config to destination
+  copy:
+    src: apache-site.conf
+    dest: /etc/apache2/sites-available/site.conf
+    mode: 644
+    owner: root
+
+- name: Enable site
+  command: a2ensite site.conf
+
+- name: Enable and restart Apache2 daemon
+  service:
+    name: apache2
+    state: restarted
+    enabled: yes
				`@ -0,0 +1 @@`
				`[{{postfix_relayhost}}:587 {{username}}:{{password}}`