stargate-cluster/vm-ansible
stargate-cluster/vm-ansible
1
0
Fork 0
Code Pull Requests Releases Activity

remove fqdn
Some checks failed
continuous-integration/drone/push Build is failing
Details

Browse Source
This commit is contained in:
Torma Kristóf 2023-08-30 23:13:59 +02:00
parent 85fb26bf52
commit 52f7e7e153
19 changed files with 96 additions and 96 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
roles/backuphost/tasks/main.yaml
View File

@ -1,18 +1,18 @@
# TODO: Make backup user part of AD
---
- name: "Add backup user"
ansible.builtin.user:
user:
name: backup
comment: Backup user
shell: /bin/bash
- name: Create .ssh directory of backup user
ansible.builtin.file:
file:
path: /home/backup/.ssh
state: directory
- name: Copy authorized_keys
ansible.builtin.copy:
copy:
src: authorized_keys
dest: /home/backup/.ssh/authorized_keys
mode: 0600
@ -20,7 +20,7 @@
group: backup
- name: Copy ssh config
ansible.builtin.copy:
copy:
src: ssh_config
dest: /home/backup/.ssh/config
mode: 0600

6
roles/backupscript/tasks/main.yaml
View File

@ -1,6 +1,6 @@
---
- name: "Generate backupscript"
ansible.builtin.template:
template:
src: backupscript.sh
dest: /etc/cron.weekly/backupscript
owner: root
@ -8,12 +8,12 @@
mode: '0700'
- name: Create .ssh directory of root user
ansible.builtin.file:
file:
path: /root/.ssh
state: directory
- name: Copy ssh config
ansible.builtin.copy:
copy:
src: ssh_config
dest: /root/.ssh/config
mode: 0600

8
roles/common/tasks/apt.yaml
View File

@ -1,26 +1,26 @@
---
- name: "Use custom Ubuntu mirror"
ansible.builtin.replace:
replace:
path: /etc/apt/sources.list
regexp: 'http://hu.archive.ubuntu.com'
replace: 'https://mirror.niif.hu'
backup: yes
- name: "Remove Ubuntu bloatware"
ansible.builtin.apt:
apt:
state: absent
name: ubutu-server
autoremove: yes
- name: "Update machine"
ansible.builtin.apt:
apt:
update_cache: yes
upgrade: "yes"
autoclean: yes
autoremove: yes
- name: "Install my favourite applications"
ansible.builtin.apt:
apt:
update_cache: yes
state: present
name:

2
roles/common/tasks/clean-motd.yaml
View File

@ -1,6 +1,6 @@
---
- name: clean motd
ansible.builtin.file:
file:
state: touch
owner: tormakris@intra.tormakris.dev
group: domain users@intra.tormakris.dev

4
roles/common/tasks/disable-cloudinit.yaml
View File

@ -1,12 +1,12 @@
---
- name: disable cloudinit
ansible.builtin.copy:
copy:
content: ""
dest: /etc/cloud/cloud-init.disabled
force: no
- name: disable network autoconfig
ansible.builtin.copy:
copy:
content: "network: {config: disabled}"
dest: /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
force: no

4
roles/common/tasks/node-exporter.yaml
View File

@ -1,6 +1,6 @@
---
- name: "Install node exporter"
ansible.builtin.apt:
apt:
update_cache: yes
state: present
name:
@ -14,7 +14,7 @@
src: 192.168.69.0/24
- name: Enable and restart exporter daemon
ansible.builtin.service:
service:
name: prometheus-node-exporter
state: restarted
enabled: yes

4
roles/common/tasks/remove-snap.yaml
View File

@ -1,13 +1,13 @@
---
- name: Remove snapd from Ubuntu
ansible.builtin.apt:
apt:
name: snapd
state: absent
purge: yes
when: ansible_distribution == "Ubuntu"
- name: Remove snapd-related directories
ansible.builtin.file:
file:
path: "{{ item }}"
state: absent
with_items:

8
roles/common/tasks/ssh-security-settings.yaml
View File

@ -1,24 +1,24 @@
---
- name: Disable root authentication
ansible.builtin.replace:
replace:
path: /etc/ssh/sshd_config
regexp: '#PermitRootLogin prohibit-password'
replace: 'PermitRootLogin no'
- name: Disable X11 forwarding
ansible.builtin.replace:
replace:
path: /etc/ssh/sshd_config
regexp: 'X11Forwarding yes'
replace: 'X11Forwarding no'
- name: Explicitly only listen on ipv4
ansible.builtin.replace:
replace:
path: /etc/ssh/sshd_config
regexp: '#AddressFamily any'
replace: 'AddressFamily inet'
- name: "Restart sshd"
ansible.builtin.service:
service:
name: sshd
state: restarted
...

6
roles/common/tasks/timesync.yaml
View File

@ -1,18 +1,18 @@
---
- name: Setup timesync config
ansible.builtin.template:
template:
src: timesyncd.conf.template
dest: /etc/systemd/timesyncd.conf
notify: run Timedatectl
when: ansible_service_mgr == "systemd"
- name: set Timezone
ansible.builtin.timezone: name={{ timedatectl_timezone }}
timezone: name={{ timedatectl_timezone }}
when: ansible_service_mgr == "systemd"
- name: Reastart timesyncd to apply changes
when: ansible_service_mgr == "systemd"
ansible.builtin.systemd:
systemd:
state: restarted
daemon_reload: yes
name: systemd-timesyncd

2
roles/common/tasks/ufw.yaml
View File

@ -1,6 +1,6 @@
---
- name: "Install ufw via apt"
ansible.builtin.apt:
apt:
update_cache: yes
state: present
name:

8
roles/common/tasks/user-ops.yaml
View File

@ -1,13 +1,13 @@
---
- name: Create .ssh directory of ansible user
ansible.builtin.file:
file:
path: /home/ansible@intra.tormakris.dev/.ssh
state: directory
owner: ansible@intra.tormakris.dev
group: domain users@intra.tormakris.dev
- name: Copy authorized_keys
ansible.builtin.copy:
copy:
src: authorized_keys
dest: /home/ansible@intra.tormakris.dev/.ssh/authorized_keys
mode: 0600
@ -15,7 +15,7 @@
group: domain users@intra.tormakris.dev
- name: Check if group is present in sudoers
ansible.builtin.lineinfile:
lineinfile:
state: absent
path: /etc/sudoers
regexp: "^%linuxadmins"
@ -24,7 +24,7 @@
register: checksudoers
- name: Define group in sudoers
ansible.builtin.lineinfile:
lineinfile:
state: present
path: /etc/sudoers
line: "%linuxadmins@intra.tormakris.dev ALL=(ALL) NOPASSWD: ALL"

8
roles/docker/tasks/main.yaml
View File

@ -1,6 +1,6 @@
---
- name: "Install Docker via apt"
ansible.builtin.apt:
apt:
update_cache: yes
state: present
name:
@ -8,7 +8,7 @@
- docker-compose
- name: Disable userland proxy
ansible.builtin.copy:
copy:
src: daemon.json
dest: /etc/docker/daemon.json
mode: 644
@ -16,13 +16,13 @@
group: backup
- name: Enable and restart Docker daemon
ansible.builtin.service:
service:
name: docker
state: restarted
enabled: yes
- name: "Add service user to docker group"
ansible.builtin.user:
user:
name: service-user@intra.tormakris.dev
groups: docker
append: yes

14
roles/internalsmtp/tasks/main.yaml
View File

@ -1,31 +1,31 @@
---
- name: "Install Postfix via apt"
ansible.builtin.apt:
apt:
update_cache: yes
state: present
name:
- postfix
- name: Install Postfix forwarder config
ansible.builtin.template:
template:
src: templates/main.cf
dest: /etc/postfix/main.cf
- name: Restart Postfix
ansible.builtin.service:
service:
name: postfix
state: restarted
enabled: yes
- name: "Install postfix exporter"
ansible.builtin.apt:
apt:
update_cache: yes
state: present
name:
- prometheus-postfix-exporter
- name: Copy postfix exporter config
ansible.builtin.copy:
copy:
src: prometheus-postfix-exporter
dest: /etc/default/prometheus-postfix-exporter
owner: root
@ -33,13 +33,13 @@
mode: '0644'
- name: Add the prometheus user to postdrop group
ansible.builtin.user:
user:
name: prometheus
groups: postdrop
append: yes
- name: Enable and restart exporter daemon
ansible.builtin.service:
service:
name: prometheus-postfix-exporter
state: restarted
enabled: yes

6
roles/netplan/tasks/main.yaml
View File

@ -1,16 +1,16 @@
---
- name: "remove cloudinit config"
ansible.builtin.file:
file:
path: /etc/netplan/50-cloud-init.yaml
state: absent
- name: "remove installer config"
ansible.builtin.file:
file:
path: /etc/netplan/00-installer-config.yaml
state: absent
- name: "install static config"
ansible.builtin.template:
template:
src: templates/netplan.yaml
dest: /etc/netplan/00-static.yaml
notify: netplanapply

8
roles/openvpn/tasks/main.yaml
View File

@ -1,6 +1,6 @@
---
- name: "Install openvpn-server via apt"
ansible.builtin.apt:
apt:
update_cache: yes
state: present
name:
@ -15,13 +15,13 @@
reload: yes
- name: Enable and restart openvpn daemon
ansible.builtin.service:
service:
name: openvpn-server@stargate
state: restarted
enabled: yes
- name: Check if AllowUsers is defined
ansible.builtin.lineinfile:
lineinfile:
state: absent
path: /etc/ufw/before.rules
regexp: "^# START OPENVPN"
@ -30,7 +30,7 @@
register: checkufwrules
- name: Insert openvpn iptables rules
ansible.builtin.blockinfile:
blockinfile:
path: /etc/ufw/before.rules
block: |
# START OPENVPN RULES

24
roles/realmd/tasks/main.yaml
View File

@ -1,6 +1,6 @@
---
- name: "Install realmd and dependencies"
ansible.builtin.apt:
apt:
update_cache: yes
state: present
name:
@ -16,7 +16,7 @@
- packagekit
- name: Check if computer is joined to domain
ansible.builtin.lineinfile:
lineinfile:
state: absent
path: /etc/sssd/sssd.conf
line: "^ad_access_filter"
@ -25,22 +25,22 @@
register: checkjoined
- name: "Get join password from local environment variable"
ansible.builtin.set_fact:
set_fact:
join_passw: "{{ lookup('env', 'JOIN_PASSW') }}"
delegate_to: localhost
when: checkjoined.found == 0
- name: Join to AD with realmd
ansible.builtin.shell:
shell:
cmd: echo {{ join_passw }} | realm join -v -U tormakris_admin intra.tormakris.dev
when: checkjoined.found == 0
- name: Enable pam homedir create on first logon
ansible.builtin.command:
command:
cmd: pam-auth-update --enable mkhomedir
- name: Check if ad_gpo_access_control is disabled
ansible.builtin.lineinfile:
lineinfile:
state: absent
path: /etc/sssd/sssd.conf
regexp: "^ad_gpo_access_control"
@ -49,14 +49,14 @@
register: checkadgpoac
- name: Set ad_gpo_access_control to disabled
ansible.builtin.lineinfile:
lineinfile:
state: present
path: /etc/sssd/sssd.conf
line: "ad_gpo_access_control = disabled"
when: checkadgpoac.found == 0
- name: Check if ad_access_filter is set
ansible.builtin.lineinfile:
lineinfile:
state: absent
path: /etc/sssd/sssd.conf
regexp: "^ad_access_filter"
@ -65,19 +65,19 @@
register: checkadaf
- name: Set ad_gpo_access_control to disabled
ansible.builtin.lineinfile:
lineinfile:
state: present
path: /etc/sssd/sssd.conf
line: "ad_access_filter = memberOf=CN=LinuxUsers,OU=Service Groups,DC=intra,DC=tormakris,DC=dev"
when: checkadaf.found == 0
- name: "Restart sssd"
ansible.builtin.service:
service:
name: sssd
state: restarted
- name: Check if group is presend in sudoers
ansible.builtin.lineinfile:
lineinfile:
state: absent
path: /etc/sudoers
regexp: "^%linuxadmins"
@ -86,7 +86,7 @@
register: checksudoers
- name: Define group in sudoers
ansible.builtin.lineinfile:
lineinfile:
state: present
path: /etc/sudoers
line: "%linuxadmins@intra.tormakris.dev ALL=(ALL) NOPASSWD: ALL"

16
roles/smtpgateway/tasks/main.yaml
View File

@ -1,22 +1,22 @@
---
- name: "Install Postfix via apt"
ansible.builtin.apt:
apt:
update_cache: yes
state: present
name:
- postfix
- name: Install Postfix mail gateway config
ansible.builtin.template:
template:
src: templates/main.cf
dest: /etc/postfix/main.cf
- name: Build /etc/mailname
ansible.builtin.shell:
shell:
cmd: "hostname --fqdn > /etc/mailname"
- name: Restart Postfix
ansible.builtin.service:
service:
name: postfix
state: restarted
enabled: yes
@ -28,14 +28,14 @@
src: 192.168.69.0/24
- name: "Install postfix exporter"
ansible.builtin.apt:
apt:
update_cache: yes
state: present
name:
- prometheus-postfix-exporter
- name: Copy exporter config
ansible.builtin.copy:
copy:
src: prometheus-postfix-exporter
dest: /etc/default/prometheus-postfix-exporter
owner: root
@ -43,13 +43,13 @@
mode: '0644'
- name: Add the prometheus user to postdrop group
ansible.builtin.user:
user:
name: prometheus
groups: postdrop
append: yes
- name: Enable and restart exporter daemon
ansible.builtin.service:
service:
name: prometheus-postfix-exporter
state: restarted
enabled: yes

32
roles/webgateway/tasks/main.yaml
View File

@ -1,6 +1,6 @@
---
- name: "Install nginx via apt"
ansible.builtin.apt:
apt:
update_cache: yes
state: present
name:
@ -19,7 +19,7 @@
port: https
- name: Copy default nginx config
ansible.builtin.copy:
copy:
src: nginx.conf
dest: /etc/nginx/nginx.conf
owner: root
@ -27,28 +27,28 @@
mode: '0644'
- name: Enable and restart nginx daemon
ansible.builtin.service:
service:
name: nginx
state: restarted
enabled: yes
- name: Generate certificate for all proxied domains
ansible.builtin.command:
command:
cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --nginx -d {{item.domain}}
with_items: "{{ proxy }}"
- name: Generate certificate for all static sites
ansible.builtin.command:
command:
cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --nginx -d {{item.domain}}
with_items: "{{ static }}"
- name: Generate certificate for all redirect sites
ansible.builtin.command:
command:
cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --nginx -d {{item.domain}}
with_items: "{{ redirect }}"
- name: "Generate certbot script"
ansible.builtin.template:
template:
src: certbot.sh
dest: /etc/cron.weekly/certbot
owner: root
@ -56,7 +56,7 @@
mode: '0700'
- name: "Generate nginx configuration"
ansible.builtin.template:
template:
src: nginx.conf
dest: /etc/nginx/nginx.conf
owner: root
@ -64,41 +64,41 @@
mode: '0644'
- name: Validate nginx configuration
ansible.builtin.command:
command:
cmd: nginx -t
- name: Reload nginx after configuration change
ansible.builtin.service:
service:
name: nginx
state: reloaded
- name: "Remove any existing static file directories"
ansible.builtin.file:
file:
path: "{{ item.directory }}"
state: absent
with_items: "{{ static }}"
- name: "Checkout static websites from git"
ansible.builtin.git:
git:
repo: "{{ item.repo }}"
dest: "{{ item.directory }}"
with_items: "{{ static }}"
- name: "Remove .git directory from static websites"
ansible.builtin.file:
file:
path: "{{ item.directory }}/.git"
state: absent
with_items: "{{ static }}"
- name: "Install nginx exporter"
ansible.builtin.apt:
apt:
update_cache: yes
state: present
name:
- prometheus-nginx-exporter
- name: Copy nginx exporter config
ansible.builtin.copy:
copy:
src: prometheus-nginx-exporter
dest: /etc/default/prometheus-nginx-exporter
owner: root
@ -106,7 +106,7 @@
mode: '0644'
- name: Enable and restart exporter daemon
ansible.builtin.service:
service:
name: prometheus-nginx-exporter
state: restarted
enabled: yes

24
roles/webserver/tasks/main.yaml
View File

@ -7,7 +7,7 @@
with_items: "{{ allowedranges }}"
- name: "Install Nginx via apt"
ansible.builtin.apt:
apt:
update_cache: yes
state: present
name:
@ -16,7 +16,7 @@
- python3-certbot-dns-cloudflare
- name: Copy default nginx config
ansible.builtin.copy:
copy:
src: nginx.conf
dest: /etc/nginx/nginx.conf
owner: root
@ -24,18 +24,18 @@
mode: '0644'
- name: Enable and restart nginx daemon
ansible.builtin.service:
service:
name: nginx
state: restarted
enabled: yes
- name: "Get Cloudflare token from local environment variable"
ansible.builtin.set_fact:
set_fact:
cloudflare_token: "{{ lookup('env', 'CLOUDFLARE_TOKEN') }}"
delegate_to: localhost
- name: "Render Cloudflare Certbot plugin configuration"
ansible.builtin.template:
template:
src: cf-creds.ini
dest: /root/cf-creds.ini
owner: root
@ -43,12 +43,12 @@
mode: 0600
- name: Generate certificate for all server instances
ansible.builtin.shell:
shell:
cmd: certbot certonly --non-interactive --agree-tos -m iam@tormakristof.eu --dns-cloudflare --dns-cloudflare-credentials /root/cf-creds.ini -d {{item.domain}}
with_items: "{{ webserver }}"
- name: "Generate certbot script"
ansible.builtin.template:
template:
src: certbot.sh
dest: /etc/cron.weekly/certbot
owner: root
@ -56,7 +56,7 @@
mode: '0700'
- name: "Generate nginx configuration"
ansible.builtin.template:
template:
src: nginx.conf
dest: /etc/nginx/nginx.conf
owner: root
@ -64,12 +64,12 @@
mode: '0644'
- name: Reload nginx daemon
ansible.builtin.service:
service:
name: nginx
state: reloaded
- name: "Install nginx exporter"
ansible.builtin.apt:
apt:
update_cache: yes
state: present
name:
@ -83,7 +83,7 @@
src: 192.168.69.0/24
- name: Copy nginx exporter config
ansible.builtin.copy:
copy:
src: prometheus-nginx-exporter
dest: /etc/default/prometheus-nginx-exporter
owner: root
@ -91,7 +91,7 @@
mode: '0644'
- name: Enable and restart exporter daemon
ansible.builtin.service:
service:
name: prometheus-nginx-exporter
state: restarted
enabled: yes