From 3a460cc704ab0c1e055365fec06324c667035afd Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Torma=20Krist=C3=B3f?=
Date: Sat, 1 Jan 2022 19:24:52 +0100
Subject: [PATCH] v0.1 done: docker webhosts, smtp gateway
---
 .gitignore | 2 +
 inventory.yaml | 14 +++++++
 prepare.yaml | 32 +++++++++++++++
 roles/common/defaults/main.yaml | 7 ++++
 roles/common/handlers/main.yaml | 8 ++++
 roles/common/tasks/apt.yaml | 37 +++++++++++++++++
 roles/common/tasks/clean-motd.yaml | 13 ++++++
 roles/common/tasks/disable-cloudinit.yaml | 13 ++++++
 roles/common/tasks/firewalld.yaml | 27 +++++++++++++
 roles/common/tasks/remove-snap.yaml | 18 +++++++++
 roles/common/tasks/serivce-user.yaml | 7 ++++
 roles/common/tasks/ssh-security-settings.yaml | 40 +++++++++++++++++++
 roles/common/tasks/static-networking.yaml | 16 ++++++++
 roles/common/tasks/timesync.yaml | 18 +++++++++
 roles/common/templates/netplan.yaml | 10 +++++
 roles/common/templates/timesyncd.conf | 5 +++
 roles/docker/files/daemon.json | 3 ++
 roles/docker/tasks/docker.yaml | 21 ++++++++++
 roles/internalsmtp/defaults/main.yaml | 4 ++
 roles/internalsmtp/tasks/postfix.yaml | 18 +++++++++
 roles/internalsmtp/templates/main.cf | 32 +++++++++++++++
 roles/smtpgateway/defaults/main.yaml | 5 +++
 roles/smtpgateway/tasks/postfix.yaml | 27 +++++++++++++
 roles/smtpgateway/templates/main.cf | 37 +++++++++++++++++
 roles/smtpgateway/templates/sasl_passwd | 1 +
 roles/webgateway/tasks/apache.yaml | 15 +++++++
 roles/webserver/files/apache-site.conf | 17 ++++++++
 roles/webserver/tasks/apache.yaml | 23 +++++++++++
 28 files changed, 470 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 inventory.yaml
 create mode 100644 prepare.yaml
 create mode 100644 roles/common/defaults/main.yaml
 create mode 100644 roles/common/handlers/main.yaml
 create mode 100644 roles/common/tasks/apt.yaml
 create mode 100644 roles/common/tasks/clean-motd.yaml
 create mode 100644 roles/common/tasks/disable-cloudinit.yaml
 create mode 100644 roles/common/tasks/firewalld.yaml
 create mode 100644 roles/common/tasks/remove-snap.yaml
 create mode 100644
roles/common/tasks/serivce-user.yaml
 create mode 100644 roles/common/tasks/ssh-security-settings.yaml
 create mode 100644 roles/common/tasks/static-networking.yaml
 create mode 100644 roles/common/tasks/timesync.yaml
 create mode 100644 roles/common/templates/netplan.yaml
 create mode 100644 roles/common/templates/timesyncd.conf
 create mode 100644 roles/docker/files/daemon.json
 create mode 100644 roles/docker/tasks/docker.yaml
 create mode 100644 roles/internalsmtp/defaults/main.yaml
 create mode 100644 roles/internalsmtp/tasks/postfix.yaml
 create mode 100644 roles/internalsmtp/templates/main.cf
 create mode 100644 roles/smtpgateway/defaults/main.yaml
 create mode 100644 roles/smtpgateway/tasks/postfix.yaml
 create mode 100644 roles/smtpgateway/templates/main.cf
 create mode 100644 roles/smtpgateway/templates/sasl_passwd
 create mode 100644 roles/webgateway/tasks/apache.yaml
 create mode 100644 roles/webserver/files/apache-site.conf
 create mode 100644 roles/webserver/tasks/apache.yaml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..294d4d3
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.vault_password_file
+venv/
\ No newline at end of file
diff --git a/inventory.yaml b/inventory.yaml
new file mode 100644
index 0000000..bb2ce9e
--- /dev/null
+++ b/inventory.yaml
@@ -0,0 +1,14 @@
+---
+all:
+ vars:
+ ansible_become: true
+ ansible_user: ansible
+ hosts:
+ kube-master-luna:
+ legit_uplink:
+ interface: enp1s0
+ gateway: 192.168.100.1
+ address: 192.168.100.10
+ legit_cluster_network:
+ interface: enp8s0
+ address: 192.168.8.10
\ No newline at end of file
diff --git a/prepare.yaml b/prepare.yaml
new file mode 100644
index 0000000..889e99c
--- /dev/null
+++ b/prepare.yaml
@@ -0,0 +1,32 @@
+---
+- name: "prepare vms for kmlabs-k8s-cluster"
+ hosts: all
+ handlers:
+ - name: "netplanapply"
+ command: netplan apply
+ async: 45
+ poll: 0
+
+ - name: "restartkubelet"
+ systemd:
+ name: kubelet
+ state: restarted
+
+ tasks:
+ - name: "do apt stuff"
+ import_tasks: tasks/apt.yaml
+
+ - name: "disable cloudinit"
+ import_tasks: tasks/disable-cloudinit.yaml
+
+ - name: "remove snap"
+ import_tasks: tasks/remove-snap.yaml
+
+ - name: "clean motd"
+ import_tasks: tasks/clean-motd.yaml
+
+ - name: "fix dns"
+ import_tasks: tasks/fix-dns-resolution.yaml
+
+ - name: "setup networking"
+ import_tasks: tasks/static-networking.yaml
\ No newline at end of file
diff --git a/roles/common/defaults/main.yaml b/roles/common/defaults/main.yaml
new file mode 100644
index 0000000..6199a3d
--- /dev/null
+++ b/roles/common/defaults/main.yaml
@@ -0,0 +1,7 @@
+---
+# defaults file for timedatectl
+timedatectl_timeservers: ['noc-a.sch.bme.hu', 'noc-b.sch.bme.hu']
+
+timedatectl_timeservers_fallback: ['time.bme.hu']
+
+timedatectl_timezone: 'Europe/Budapest'
diff --git a/roles/common/handlers/main.yaml b/roles/common/handlers/main.yaml
new file mode 100644
index 0000000..20be5df
--- /dev/null
+++ b/roles/common/handlers/main.yaml
@@ -0,0 +1,8 @@
+---
+- name: run Timedatectl
+ command: timedatectl set-ntp true
+
+- name: "netplanapply"
+ command: netplan apply
+ async: 45
+ poll: 0
diff --git a/roles/common/tasks/apt.yaml b/roles/common/tasks/apt.yaml
new file mode 100644
index 0000000..eb30aba
--- /dev/null
+++ b/roles/common/tasks/apt.yaml
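Review bot: The `import_tasks: tasks/apt.yaml` line and the five like it point at a `tasks/` directory beside the playbook, but every task file this commit creates lives under `roles/common/tasks/`, and `tasks/fix-dns-resolution.yaml` is created nowhere in the diffstat, so the play fails before the first task runs. Either apply the role (`roles: [common]`) and drop the imports, or point each import at `roles/common/tasks/<file>` and add the missing DNS task file. The `restartkubelet` handler restarts a `kubelet` unit that no task in this commit installs; if it is reserved for a later commit, a comment such as `# kubelet is installed by the k8s role (not yet in this repo)` would say so.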
@@ -0,0 +1,37 @@
+---
+- name: "Remove Ubuntu bloatware"
+ apt:
+ state: absent
+ name: ubutu-server
+ autoremove: yes
+
+- name: "Update machine"
+ apt:
+ update_cache: yes
+ upgrade: yes
+ autoclean: yes
+ autoremove: yes
+
+- name: "Install my favourite applications"
+ apt:
+ update_cache: yes
+ state: present
+ name:
+ - tmux
+ - htop
+ - dnsutils
+ - needrestart
+ - curl
+ - wget
+ - netcat-openbsd
+ - tree
+ - net-tools
+ - nano
+ - psmisc
+ - python3
+ - python3-venv
+ - strace
+ - ifstat
+ - tcpdump
+ - xxd
+ - git
diff --git a/roles/common/tasks/clean-motd.yaml b/roles/common/tasks/clean-motd.yaml
new file mode 100644
index 0000000..780bbe1
--- /dev/null
+++ b/roles/common/tasks/clean-motd.yaml
@@ -0,0 +1,13 @@
+---
+- name: clean motd
+ file:
+ state: file
+ path: /etc/update-motd.d/{{ item }}
+ owner: root
+ group: root
+ mode: "0000"
+ with_items:
+ - 10-help-text
+ - 50-landscape-sysinfo
+ - 50-motd-news
+ - 91-release-upgrade
\ No newline at end of file
diff --git a/roles/common/tasks/disable-cloudinit.yaml b/roles/common/tasks/disable-cloudinit.yaml
new file mode 100644
index 0000000..028dd65
--- /dev/null
+++ b/roles/common/tasks/disable-cloudinit.yaml
@@ -0,0 +1,13 @@
+---
+- name: disable cloudinit
+ copy:
+ content: ""
+ dest: /etc/cloud/cloud-init.disabled
+ force: no
+
+- name: disable network autoconfig
+ copy:
+ content: "network: {config: disabled}"
+ dest: /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
+ force: no
+
diff --git a/roles/common/tasks/firewalld.yaml b/roles/common/tasks/firewalld.yaml
new file mode 100644
index 0000000..fca96b0
--- /dev/null
+++ b/roles/common/tasks/firewalld.yaml
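Review bot: `name: ubutu-server` in the first task is misspelled, and because the task uses `state: absent` apt finds no such package and the task is a silent no-op rather than an error, so the intended `ubuntu-server` metapackage is never removed. Fix the spelling to `name: ubuntu-server`. The second task runs `upgrade: yes` on every play; that is a deliberate choice, but it deserves a comment on the task, e.g. `# every run upgrades all packages; needrestart (installed below) reports what needs a restart`.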
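Review bot: `state: file` on `/etc/update-motd.d/{{ item }}` makes the `file` module fail when the path does not exist, so the play stops on any image where one of the four scripts is missing (for example `50-landscape-sysinfo` when `landscape-common` is not installed). Either discover the present scripts with a `find` task on `/etc/update-motd.d` and apply `mode: "0000"` to the result, or guard the loop with a `stat` per item and `when: item_stat.stat.exists`.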
@@ -0,0 +1,27 @@
+---
+- name: "Install Docker via apt"
+ apt:
+ update_cache: yes
+ state: present
+ name:
+ - firewalld
+
+- name: Start and enable firewalld
+ service:
+ name: firewalld
+ state: restarted
+ enabled: yes
+
+- name: Permit traffic in public zone for https service
+ ansible.posix.firewalld:
+ zone: public
+ service: https
+ permanent: yes
+ state: enabled
+
+- name: Permit traffic in public zone for ssh service
+ ansible.posix.firewalld:
+ zone: public
+ service: ssh
+ permanent: yes
+ state: enabled
diff --git a/roles/common/tasks/remove-snap.yaml b/roles/common/tasks/remove-snap.yaml
new file mode 100644
index 0000000..e088c05
--- /dev/null
+++ b/roles/common/tasks/remove-snap.yaml
@@ -0,0 +1,18 @@
+---
+- name: Remove snapd from Ubuntu
+ apt:
+ name: snapd
+ state: absent
+ purge: yes
+ when: ansible_distribution == "Ubuntu"
+
+- name: Remove snapd-related directories
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - /snap
+ - /var/snap
+ - /var/lib/snapd
+ - "/home/{{ ansible_user }}/snap"
+ when: ansible_distribution == "Ubuntu"
\ No newline at end of file
diff --git a/roles/common/tasks/serivce-user.yaml b/roles/common/tasks/serivce-user.yaml
new file mode 100644
index 0000000..fcdc1bd
--- /dev/null
+++ b/roles/common/tasks/serivce-user.yaml
@@ -0,0 +1,7 @@
+---
+- name: "Add service user with docker group membership"
+ ansible.builtin.user:
+ name: service-user
+ comment: Service user
+ groups: docker
+ append: yes
diff --git a/roles/common/tasks/ssh-security-settings.yaml b/roles/common/tasks/ssh-security-settings.yaml
new file mode 100644
index 0000000..4ff1ecd
--- /dev/null
+++ b/roles/common/tasks/ssh-security-settings.yaml
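Review bot: The two `ansible.posix.firewalld` tasks set `permanent: yes` without `immediate: yes`, so the https and ssh rules are written only to the saved configuration and do not reach the running firewall until the next reload; since the service is restarted in the task before them, not after, the running ruleset stays at the package default. Add `immediate: yes` beside `permanent: yes` in both tasks. The first task's name, `Install Docker via apt`, was carried over from the docker role and should read `Install firewalld via apt`.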
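Review bot: `groups: docker` gives `service-user` control of the Docker socket, which on a stock install is equivalent to root on the host, and the `AllowUsers tormakris ansible service-user` line in the ssh task file makes that account reachable over SSH. If this is intended, state it on the task (`# docker group is root-equivalent; this account is also in sshd AllowUsers`); otherwise run the service workloads from an account outside the docker group, or drop it from `AllowUsers`. The task also assumes the `docker` group already exists, which is only true once the docker role has run on the host. The file name `serivce-user.yaml` is misspelled.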
@@ -0,0 +1,40 @@
+---
+- name: Disable password authentication
+ replace:
+ path: /etc/ssh/sshd_config
+ regexp: 'PasswordAuthentication yes'
+ replace: 'PasswordAuthentication no'
+
+- name: Disable root authentication
+ replace:
+ path: /etc/ssh/sshd_config
+ regexp: '#PermitRootLogin prohibit-password'
+ replace: 'PermitRootLogin no'
+
+- name: Disable X11 forwarding
+ replace:
+ path: /etc/ssh/sshd_config
+ regexp: 'X11Forwarding yes'
+ replace: 'X11Forwarding no'
+
+- name: Explicitly only listen on ipv4
+ replace:
+ path: /etc/ssh/sshd_config
+ regexp: '#AddressFamily any'
+ replace: 'AddressFamily inet'
+
+- name: Check if AllowUsers is defined
+ lineinfile:
+ state: absent
+ path: /etc/ssh/sshd_config
+ regexp: "^AllowUsers"
+ check_mode: true
+ changed_when: false
+ register: checkallowusers
+
+- name: Define AllowUsers if undefined
+ lineinfile:
+ state: present
+ path: /etc/ssh/sshd_config
+ line: "AllowUsers tormakris ansible service-user"
+ when: checkallowusers.found == 0
diff --git a/roles/common/tasks/static-networking.yaml b/roles/common/tasks/static-networking.yaml
new file mode 100644
index 0000000..700f331
--- /dev/null
+++ b/roles/common/tasks/static-networking.yaml
@@ -0,0 +1,16 @@
+---
+- name: "remove cloudinit config"
+ file:
+ path: /etc/netplan/50-cloud-init.yaml
+ state: absent
+
+- name: "remove installer config"
+ file:
+ path: /etc/netplan/00-installer-config.yaml
+ state: absent
+
+- name: "install static config"
+ template:
+ src: templates/netplan.yaml
+ dest: /etc/netplan/00-static.yaml
+ notify: netplanapply
diff --git a/roles/common/tasks/timesync.yaml b/roles/common/tasks/timesync.yaml
new file mode 100644
index 0000000..32ce27c
--- /dev/null
+++ b/roles/common/tasks/timesync.yaml
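Review bot: The four `replace` tasks only rewrite a line that already reads exactly `PasswordAuthentication yes`, `#PermitRootLogin prohibit-password`, `X11Forwarding yes` or `#AddressFamily any`; when the shipped sshd_config has the directive commented out or spelled differently, nothing changes, the task reports ok, and password logins stay at the sshd default of enabled. Use `lineinfile` with an anchored pattern for each, e.g. `regexp: '^#?PasswordAuthentication'` / `line: 'PasswordAuthentication no'`, and add `validate: 'sshd -t -f %s'` so a malformed edit cannot lock the host out. Nothing in this commit restarts sshd, so none of these settings take effect until the next restart; add `notify: restart sshd` and a matching handler (the handlers file in this commit has only `run Timedatectl` and `netplanapply`). On recent Ubuntu releases `/etc/ssh/sshd_config` includes `sshd_config.d/*.conf` before its own directives, and sshd keeps the first value it reads, so a drop-in there can override this edit; that is worth checking on the target images.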
@@ -0,0 +1,18 @@
+---
+- name: Setup timesync config
+ template:
+ src: timesyncd.conf.template
+ dest: /etc/systemd/timesyncd.conf
+ notify: run Timedatectl
+ when: ansible_service_mgr == "systemd"
+
+- name: set Timezone
+ timezone: name={{ timedatectl_timezone }}
+ when: ansible_service_mgr == "systemd"
+
+- name: Reastart timesyncd to apply changes
+ when: ansible_service_mgr == "systemd"
+ ansible.builtin.systemd:
+ state: restarted
+ daemon_reload: yes
+ name: systemd-timesyncd
diff --git a/roles/common/templates/netplan.yaml b/roles/common/templates/netplan.yaml
new file mode 100644
index 0000000..336d835
--- /dev/null
+++ b/roles/common/templates/netplan.yaml
@@ -0,0 +1,10 @@
+# {{ansible_managed}}
+network:
+ version: 2
+ renderer: networkd
+ ethernets:
+ ens192:
+ dhcp4: true
+ dhcp4-overrides:
+ use-routes: false
+ gateway4: {{default_gateway}}
diff --git a/roles/common/templates/timesyncd.conf b/roles/common/templates/timesyncd.conf
new file mode 100644
index 0000000..2694bf5
--- /dev/null
+++ b/roles/common/templates/timesyncd.conf
@@ -0,0 +1,5 @@
+# {{ansible_managed}}
+[Time]
+NTP={% for server in timedatectl_timeservers %} {{ server}} {% endfor %}
+
+FallbackNTP={% for server in timedatectl_timeservers_fallback %} {{ server}} {% endfor %}
\ No newline at end of file
diff --git a/roles/docker/files/daemon.json b/roles/docker/files/daemon.json
new file mode 100644
index 0000000..6761fe5
--- /dev/null
+++ b/roles/docker/files/daemon.json
@@ -0,0 +1,3 @@
+{
+ "userland-proxy": false
+}
\ No newline at end of file
diff --git a/roles/docker/tasks/docker.yaml b/roles/docker/tasks/docker.yaml
new file mode 100644
index 0000000..135ff5c
--- /dev/null
+++ b/roles/docker/tasks/docker.yaml
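Review bot: `src: timesyncd.conf.template` names a file this commit does not create; the template added is `roles/common/templates/timesyncd.conf`, so the first task fails with a missing-source error on every host. Change it to `src: timesyncd.conf`. The third task (`Reastart` is a typo) restarts timesyncd unconditionally on each run even though the template already notifies `run Timedatectl`; notifying a restart handler from the template instead keeps the play idempotent. `timezone: name={{ timedatectl_timezone }}` uses key=value module args where the rest of the file uses block YAML; `timezone:` / `name: "{{ timedatectl_timezone }}"` is the consistent form.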
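Review bot: `gateway4: {{default_gateway}}` references a variable nothing in this commit defines (the inventory carries `legit_uplink.gateway` and `legit_uplink.interface` instead), so the template task in `static-networking.yaml` fails with an undefined-variable error — after the two tasks before it have already deleted the cloud-init and installer netplan files, leaving the host with no netplan configuration and the `netplanapply` handler never triggered. Render the interface name and gateway from the inventory (`{{ legit_uplink.interface }}` in place of the hard-coded `ens192`, `gateway4: "{{ legit_uplink.gateway }}"`), quoted so an empty expansion does not become YAML null. The combination `dhcp4: true`, `use-routes: false` and a fixed `gateway4` is a deliberate design and deserves a one-line comment in the template saying the address comes from DHCP while the default route is pinned.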
@@ -0,0 +1,21 @@
+---
+- name: "Install Docker via apt"
+ apt:
+ update_cache: yes
+ state: present
+ name:
+ - docker.io
+ - docker-compose
+
+- name: Disable userland proxy
+ copy:
+ src: daemon.json
+ dest: /etc/docker/daemon.json
+ mode: 644
+ owner: root
+
+- name: Enable and restart Docker daemon
+ service:
+ name: docker
+ state: restarted
+ enabled: yes
diff --git a/roles/internalsmtp/defaults/main.yaml b/roles/internalsmtp/defaults/main.yaml
new file mode 100644
index 0000000..217ecf1
--- /dev/null
+++ b/roles/internalsmtp/defaults/main.yaml
@@ -0,0 +1,4 @@
+---
+postfix_relayhost: 'smtp.stargate.internal'
+
+external_domain: 'kmlabz.com'
diff --git a/roles/internalsmtp/tasks/postfix.yaml b/roles/internalsmtp/tasks/postfix.yaml
new file mode 100644
index 0000000..10bdaea
--- /dev/null
+++ b/roles/internalsmtp/tasks/postfix.yaml
@@ -0,0 +1,18 @@
+---
+- name: "Install Postfix via apt"
+ apt:
+ update_cache: yes
+ state: present
+ name:
+ - postfix
+
+- name: Install Postfix forwarder config
+ template:
+ src: templates/main.cf
+ dest: /etc/postfix/main.cf
+
+- name: Restart Postfix
+ service:
+ name: postfix
+ state: restarted
+ enabled: yes
diff --git a/roles/internalsmtp/templates/main.cf b/roles/internalsmtp/templates/main.cf
new file mode 100644
index 0000000..3b0dda1
--- /dev/null
+++ b/roles/internalsmtp/templates/main.cf
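Review bot: `mode: 644` is an unquoted integer, which Ansible takes as decimal 644 (octal 1204: sticky bit, owner write-only, world-readable) rather than the intended `rw-r--r--`; the same defect is in `mode: 600` in `roles/smtpgateway/tasks/postfix.yaml` and `mode: 644` in `roles/webserver/tasks/apache.yaml`. Write them as quoted octal strings, `mode: "0644"` and `mode: "0600"`. `state: restarted` on the docker service restarts the daemon, and every container it runs, on each play; `state: started` plus a restart handler notified by the daemon.json copy avoids that.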
@@ -0,0 +1,32 @@
+# {{ansible_managed}}
+
+smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
+biff = no
+
+append_dot_mydomain = no
+
+readme_directory = no
+
+compatibility_level = 2
+
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_security_level=may
+
+smtp_tls_CApath=/etc/ssl/certs
+smtp_tls_security_level=encrypt
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = {{ansible_hostname}}.{{external_domain}}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = {{ansible_hostname}}.{{external_domain}}, $myhostname, {{ansible_hostname}}, localhost.localdomain, localhost
+relayhost = {{postfix_relayhost}}
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
\ No newline at end of file
diff --git a/roles/smtpgateway/defaults/main.yaml b/roles/smtpgateway/defaults/main.yaml
new file mode 100644
index 0000000..1f58d24
--- /dev/null
+++ b/roles/smtpgateway/defaults/main.yaml
@@ -0,0 +1,5 @@
+---
+postfix_relayhost: 'smtp.sendgrid.net'
+external_domain: 'kmlabz.com'
+username: lofasz
+password: lofasz
\ No newline at end of file
diff --git a/roles/smtpgateway/tasks/postfix.yaml b/roles/smtpgateway/tasks/postfix.yaml
new file mode 100644
index 0000000..25ca2ca
--- /dev/null
+++ b/roles/smtpgateway/tasks/postfix.yaml
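Review bot: `username: lofasz` and `password: lofasz` place a relay credential in plain text in role defaults, and role defaults are what every run uses unless something overrides them; the `.vault_password_file` entry in `.gitignore` suggests Vault is already intended, so keep the real values in a vaulted variable and leave these two undefined (or empty) so the `sasl_passwd` template fails loudly instead of shipping the placeholder to the relay. The names `username` and `password` are also unprefixed and will collide with any other role or inventory variable of the same name; `smtpgateway_sasl_username` / `smtpgateway_sasl_password` would follow the `postfix_relayhost` naming already used here.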
@@ -0,0 +1,27 @@
+---
+- name: "Install Postfix via apt"
+ apt:
+ update_cache: yes
+ state: present
+ name:
+ - postfix
+
+- name: Install Postfix SASL credentials
+ template:
+ src: templates/sasl_passwd
+ mode: 600
+ dest: /etc/postfix/sasl_passwd
+
+- name: Install Postfix mail gateway config
+ template:
+ src: templates/main.cf
+ dest: /etc/postfix/main.cf
+
+- name: Build hashtable of SASL creds
+ command: postmap /etc/postfix/sasl_passwd
+
+- name: Restart Postfix
+ service:
+ name: postfix
+ state: restarted
+ enabled: yes
diff --git a/roles/smtpgateway/templates/main.cf b/roles/smtpgateway/templates/main.cf
new file mode 100644
index 0000000..5fe5791
--- /dev/null
+++ b/roles/smtpgateway/templates/main.cf
@@ -0,0 +1,37 @@
+# {{ansible_managed}}
+
+smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
+biff = no
+
+append_dot_mydomain = no
+
+readme_directory = no
+
+compatibility_level = 2
+
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_security_level=may
+
+smtp_tls_CApath=/etc/ssl/certs
+smtp_sasl_auth_enable = yes
+smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+smtp_sasl_security_options = noanonymous
+smtp_sasl_tls_security_options = noanonymous
+smtp_tls_security_level = encrypt
+header_size_limit = 4096000
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = {{ansible_hostname}}.{{external_domain}}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = {{ansible_hostname}}.{{external_domain}}, $myhostname, {{ansible_hostname}}, localhost.localdomain, localhost
+relayhost = {{postfix_relayhost}}
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
\ No newline at end of file
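Review bot: `command: postmap /etc/postfix/sasl_passwd` runs and reports changed on every play, and nothing in the task file sets the owner or mode of the `sasl_passwd.db` it produces, which holds the same credential as the `mode: 600` source file; run postmap from a handler notified by the credentials template, and follow it with a `file` task pinning the `.db` to `owner: root` / `mode: "0600"` rather than relying on whatever postmap inherits. `mode: 600` should be the quoted octal `mode: "0600"` (unquoted it is decimal 600). The final `state: restarted` restarts Postfix on every run as well; `state: started` with a restart handler notified by the two templates keeps the role idempotent.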
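Review bot: `smtp_tls_security_level = encrypt` forces TLS toward the relay but does not verify the relay's certificate, so the SASL password from `sasl_passwd` is sent to whichever host answers for `{{postfix_relayhost}}`; with `smtp_tls_CApath=/etc/ssl/certs` already set, `smtp_tls_security_level = secure` (or `verify`) makes Postfix check the certificate against the system CA store before authenticating. `relayhost = {{postfix_relayhost}}` carries no port, so delivery goes to port 25 with an MX lookup, while the credential template is keyed on port 587; `relayhost = [{{postfix_relayhost}}]:587` makes the two agree and skips the MX lookup. The internalsmtp template uses the same `encrypt` level, but no password is sent there, so it is less pressing.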
diff --git a/roles/smtpgateway/templates/sasl_passwd b/roles/smtpgateway/templates/sasl_passwd
new file mode 100644
index 0000000..c246f93
--- /dev/null
+++ b/roles/smtpgateway/templates/sasl_passwd
@@ -0,0 +1 @@
+[{{postfix_relayhost}}:587 {{username}}:{{password}}
\ No newline at end of file
diff --git a/roles/webgateway/tasks/apache.yaml b/roles/webgateway/tasks/apache.yaml
new file mode 100644
index 0000000..0e008ca
--- /dev/null
+++ b/roles/webgateway/tasks/apache.yaml
@@ -0,0 +1,15 @@
+---
+- name: "Install Apache via apt"
+ apt:
+ update_cache: yes
+ state: present
+ name:
+ - apache2
+
+# TODO: Felmasolni a templatelt konfigokat es bekapcsolni oket
+
+- name: Enable and restart Apache2 daemon
+ service:
+ name: apache2
+ state: restarted
+ enabled: yes
diff --git a/roles/webserver/files/apache-site.conf b/roles/webserver/files/apache-site.conf
new file mode 100644
index 0000000..dece11f
--- /dev/null
+++ b/roles/webserver/files/apache-site.conf
@@ -0,0 +1,17 @@
+
+
+ ServerAdmin webmaster@kmlabz.com
+
+ DocumentRoot /var/www/html
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ SSLEngine on
+ SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
+ SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+
+ ProxyPass "/" "http://127.0.0.1:8080/" retry=1 acquire=3000 timeout=600 Keepalive=On
+ ProxyPassReverse "/" "http://127.0.0.1:8080/"
+
+
diff --git a/roles/webserver/tasks/apache.yaml b/roles/webserver/tasks/apache.yaml
new file mode 100644
index 0000000..dbde28b
--- /dev/null
+++ b/roles/webserver/tasks/apache.yaml
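Review bot: The lookup key `[{{postfix_relayhost}}:587` opens a bracket it never closes, so it renders as `[smtp.sendgrid.net:587` and cannot match the `relayhost` value Postfix looks up (`smtp.sendgrid.net`, as written in the smtpgateway main.cf template); no credential is found, authentication is skipped, and the relay will presumably refuse the mail. The key must equal `relayhost` exactly: `[{{postfix_relayhost}}]:587 {{username}}:{{password}}` here, with `relayhost = [{{postfix_relayhost}}]:587` in main.cf.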
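Review bot: `SSLCertificateFile` / `SSLCertificateKeyFile` point at the Ubuntu `ssl-cert-snakeoil` pair, a self-signed certificate generated at package install, so every client of this web host gets a certificate warning; a served site needs a real certificate and key here (the same snakeoil pair is also used for `smtpd_tls_*` in both Postfix templates). The backend on `127.0.0.1:8080` receives plain HTTP and nothing tells it the client connection was HTTPS; `RequestHeader set X-Forwarded-Proto "https"` (needs mod_headers) and, if the backend builds absolute URLs, `ProxyPreserveHost On` belong next to the `ProxyPass` lines. The `<VirtualHost>` opening and closing lines appear as empty `+` lines in this view, so the listen address and port could not be reviewed.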
@@ -0,0 +1,23 @@
+---
+- name: "Install Apache via apt"
+ apt:
+ update_cache: yes
+ state: present
+ name:
+ - apache2
+
+- name: Upload site config to destination
+ copy:
+ src: apache-site.conf
+ dest: /etc/apache2/sites-available/site.conf
+ mode: 644
+ owner: root
+
+- name: Enable site
+ command: a2ensite site.conf
+
+- name: Enable and restart Apache2 daemon
+ service:
+ name: apache2
+ state: restarted
+ enabled: yes
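Review bot: `a2ensite site.conf` enables a vhost that uses `SSLEngine`, `ProxyPass` and `ProxyPassReverse`, but no task enables the `ssl`, `proxy` and `proxy_http` modules, which a fresh Debian/Ubuntu `apache2` install leaves disabled, so the closing `state: restarted` fails with an unknown-directive error. Add `community.general.apache2_module` tasks (or an `a2enmod ssl proxy proxy_http` command with `creates:`) before the site is enabled, and a config check such as `command: apachectl configtest` before the restart. `command: a2ensite site.conf` also runs and reports changed on every play; give it `creates: /etc/apache2/sites-enabled/site.conf`. `mode: 644` should be the quoted octal `mode: "0644"`.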