
roles/*: tags refactoring

python3
Zolfa 4 years ago
parent
commit
96aba4b73e
Signed by: zolfa GPG Key ID: E1A43B038C4D6616
15 changed files with 537 additions and 299 deletions
  1. +16
    -5
      roles/certbot/tasks/main.yaml
  2. +52
    -2
      roles/ldap/tasks/1_configure_server.yaml
  3. +2
    -12
      roles/ldap/tasks/4_setup_tls.yaml
  4. +6
    -0
      roles/ldap/tasks/5_configure_replication.yaml
  5. +22
    -0
      roles/ldap/tasks/main.yaml
  6. +134
    -0
      roles/lxc_guest/tasks/01-create.yaml
  7. +60
    -0
      roles/lxc_guest/tasks/02-configure.yaml
  8. +16
    -0
      roles/lxc_guest/tasks/03-monitoring.yaml
  9. +11
    -214
      roles/lxc_guest/tasks/main.yaml
  10. +24
    -0
      roles/nginx/tasks/main.yaml
  11. +24
    -0
      roles/reverse_proxy/tasks/main.yaml
  12. +8
    -0
      roles/service/tasks/main.yaml
  13. +82
    -0
      roles/ssh_server/tasks/01-install.yaml
  14. +66
    -0
      roles/ssh_server/tasks/02-configure.yaml
  15. +14
    -66
      roles/ssh_server/tasks/main.yaml

+ 16
- 5
roles/certbot/tasks/main.yaml View File

@ -9,7 +9,9 @@
update_cache: true
cache_valid_time: 3600
tags:
- 'packages'
- 'install'
- 'role::certbot'
- 'role::certbot::install'
# Standard nginx installation should not listen on port 80
# -> This is probably not required.
@ -35,7 +37,10 @@
args:
creates: '/etc/letsencrypt/live/{{ certbot_site_fqdn }}/cert.pem'
tags:
- 'tls_pub'
- 'configure'
- 'role::certbot::configure'
- 'pki'
- 'pki::acme'
#- name: 'restart webservers'
# service:
@ -48,14 +53,18 @@
src: 'certbot.timer'
dest: '/etc/systemd/system/certbot.timer'
tags:
- 'tls_pub'
- 'install'
- 'role::certbot'
- 'role::certbot::install'
- name: 'add systemd service for cert renewal'
template:
src: 'certbot.service'
dest: '/etc/systemd/system/certbot.service'
tags:
- 'tls_pub'
- 'install'
- 'role::certbot'
- 'role::certbot::install'
- name: 'enable timer'
systemd:
@ -64,5 +73,7 @@
enabled: true
daemon_reload: true
tags:
- 'tls_pub'
- 'install'
- 'role::certbot'
- 'role::certbot::install'
...
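Review bot: The ACME task in the second hunk (the one with `creates: '/etc/letsencrypt/live/{{ certbot_site_fqdn }}/cert.pem'`) is tagged `configure`, `role::certbot::configure`, `pki` and `pki::acme` but, unlike the three install tasks, not `role::certbot`, so `--tags role::certbot` installs the package, timer and service and skips the certificate request itself. Adding `- 'role::certbot'` to that list keeps the role-level tag complete. The head of that task lies outside the hunk.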

+ 52
- 2
roles/ldap/tasks/1_configure_server.yaml View File

@ -3,6 +3,9 @@
vars:
service_name: 'nscd'
service_packages: 'nscd'
tags:
- 'install'
- 'role::ldap::install'
- name: 'set debconf values'
debconf:
@ -15,6 +18,9 @@
- { question: 'slapd/domain', value: '{{ ldap_domain }}' }
- { question: 'slapd/dump_database', value: 'when needed' }
- { question: 'shared/organization', value: '{{ ldap_organization }}' }
tags:
- 'install'
- 'role::ldap::install'
- import_role: name='service'
vars:
@ -25,6 +31,9 @@
- 'libpam-ldap'
- 'python3-ldap'
- 'sudo'
tags:
- 'install'
- 'role::ldap::install'
- name: 'delete old backups'
file:
@ -32,16 +41,25 @@
state: 'absent'
with_fileglob: '/var/backups/*.ldapdb'
when: debconfs.results[0].changed
tags:
- 'install'
- 'role::ldap::install'
- name: 'backup old database and re-create'
command: 'dpkg-reconfigure -p critical slapd'
when: debconfs.results[0].changed
tags:
- 'install'
- 'role::ldap::install'
- name: 'start slapd service'
service:
name: 'slapd'
enabled: true
state: 'started'
tags:
- 'install'
- 'role::ldap::install'
- name: 'copy schemas'
copy:
@ -52,6 +70,10 @@
- 'kerberos.ldif'
- 'phamm.ldif'
- 'phamm-vacation.ldif'
tags:
- 'configure'
- 'role::ldap::configure'
- 'role::ldap::schemas'
- name: 'activate schemas'
command:
@ -62,6 +84,10 @@
- 'kerberos.ldif'
- 'phamm.ldif'
- 'phamm-vacation.ldif'
tags:
- 'configure'
- 'role::ldap::configure'
- 'role::ldap::schemas'
- name: 'activate modules'
ldap_attr:
@ -72,6 +98,9 @@
- '{1}pw-sha2'
- '{2}auditlog'
- '{3}memberof'
tags:
- 'configure'
- 'role::ldap::configure'
- name: 'create log dir'
file:
@ -79,6 +108,10 @@
owner: 'openldap'
group: 'openldap'
state: 'directory'
tags:
- 'configure'
- 'role::ldap::configure'
- name: 'set loglevel'
ldap_attr:
@ -86,6 +119,9 @@
name: 'olcLogLevel'
state: 'exact'
values: 'stats acl'
tags:
- 'configure'
- 'role::ldap::configure'
- name: 'activate auditlog overlay'
ldap_entry:
@ -98,6 +134,9 @@
loop:
- { db: '{0}config', logfile: 'audit_config.ldif' }
- { db: '{1}mdb', logfile: 'audit_mdb.ldif' }
tags:
- 'configure'
- 'role::ldap::configure'
- name: 'activate memberof overlay'
ldap_entry:
@ -105,12 +144,18 @@
objectClass:
- 'olcOverlayConfig'
- 'olcMemberOf'
tags:
- 'configure'
- 'role::ldap::configure'
- name: 'set default password hash'
ldap_attr:
dn: 'olcDatabase={-1}frontend,cn=config'
name: 'olcPasswordHash'
values: '{SSHA512}'
tags:
- 'configure'
- 'role::ldap::configure'
- name: 'configure TLS x509 <-> ldap dn translation'
ldap_attr:
@ -127,10 +172,11 @@
- >-
{2} ^cn=([^,]+),ou=LDAP,{{ ldap_x509_suffix }}$
cn=$1,ou=LDAP,{{ ldap_basedn }}
tags:
- 'configure'
- 'role::ldap::configure'
- name: 'configure main tree acls'
tags:
- 'ldap::acl'
ldap_attr:
dn: 'olcDatabase={1}mdb,cn=config'
name: 'olcAccess'
@ -243,6 +289,10 @@
# by group.exact=cn=admin,ou=Group,{{ ldap_basedn }} write
# by dn.children=ou=Server,{{ ldap_basedn }} read
# [5] :: ou=Kerberos - Wi
tags:
- 'configure'
- 'role::ldap::configure'
- 'role::ldap::acls'
- name: 'MONITORING | set ldap_server'
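Review bot: The `configure main tree acls` task appears to end up with two `tags` keys: `tags: - 'ldap::acl'` directly under its name in the `@ -127` hunk and the new list (`configure`, `role::ldap::configure`, `role::ldap::acls`) added at its end in the `@ -243` hunk; the rendered page does not show whether the first one is a removed line. If both survive, the YAML loader silently keeps only the last value and `--tags ldap::acl` stops selecting the task, so the old key should go or `'ldap::acl'` be folded into the new list. The task body runs between the two hunks.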


+ 2
- 12
roles/ldap/tasks/4_setup_tls.yaml View File

@ -6,21 +6,18 @@
update_cache: true
cache_valid_time: 3600
tags:
- 'packages'
- 'install'
- 'role:ldap::install'
- name: 'update tls server ca'
copy:
content: '{{ ldap_tls_server_ca }}{{ tls_root_ca }}'
dest: '/etc/ldap/server_ca.crt'
tags:
- 'tls_int'
- name: 'update tls user ca'
copy:
content: '{{ ldap_tls_user_ca }}{{ tls_root_ca }}'
dest: '/etc/ldap/user_ca.crt'
tags:
- 'tls_int'
- name: 'generete and sign slapd tls certificate'
import_role: name='ca_cert'
@ -31,8 +28,6 @@
ca_cert_tls_key_path: '/etc/ldap/slapd.key'
ca_cert_tls_cert_path: '/etc/ldap/slapd.crt'
ca_cert_tls_csr_path: '/etc/ldap/slapd.csr'
tags:
- 'tls_int'
- name: 'set private key ownership'
file:
@ -41,7 +36,6 @@
group: 'openldap'
mode: '600'
## BROKEN! WAITING FOR ANSIBLE 2.10 ldap_attrs
## Currently you have to run 2-3 times to get proper configuration.
- name: 'configuring TLS options'
@ -68,8 +62,6 @@
# olcTLSVerifyClient: 'try'
# olcTLSCipherSuite: 'SECURE:-VERS-ALL:+VERS-TLS1.3'
## <---
tags:
- 'tls_int'
- name: 'configuring slapd service'
lineinfile:
@ -77,6 +69,4 @@
regexp: '^SLAPD_SERVICES='
path: '/etc/default/slapd'
notify: 'restart slapd'
tags:
- 'tls_int'
...
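Review bot: The tag on the package task in the first hunk is spelled `role:ldap::install` with a single colon, while every other file in this commit uses the `role::ldap::install` form, so `--tags role::ldap::install` will not select it; change it to `- 'role::ldap::install'`. The remaining TLS tasks lose their `tls_int` tag entirely and now carry only what `main.yaml` applies on the import (`pki`, `pki::tls`, `role::ldap::configure`), which is fine as long as nothing still invokes `--tags tls_int`.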

+ 6
- 0
roles/ldap/tasks/5_configure_replication.yaml View File

@ -11,6 +11,9 @@
ca_cert_tls_csr_path: '/etc/ldap/syncrepl.csr'
ca_cert_tls_cert_path: '/etc/ldap/syncrepl.crt'
when: ldap_syncrepl_is_consumer
tags:
- 'pki'
- 'pki::tls'
- name: 'SYNC | set key ownership'
file:
@ -18,6 +21,9 @@
owner: 'openldap'
group: 'openldap'
when: ldap_syncrepl_is_consumer
tags:
- 'pki'
- 'pki::tls'
- name: 'SYNC | activate syncprov module'
ldap_attr:


+ 22
- 0
roles/ldap/tasks/main.yaml View File

@ -1,19 +1,41 @@
---
- name: 'including configuration tasks'
import_tasks: '1_configure_server.yaml'
tags:
- 'role::ldap'
- name: 'including password renewal tasks'
import_tasks: '2_renew_rootpw.yaml'
tags: service_password
tags:
- 'install'
- 'service_password'
- 'role::ldap'
- 'role::ldap::install'
- name: 'including tree provisionig tasks'
import_tasks: '3_provision_tree.yaml'
when: ldap_check_tree
tags:
- 'install'
- 'role::ldap'
- 'role::ldap::install'
- 'role::ldap::init_tree'
- name: 'including tls tasks'
import_tasks: '4_setup_tls.yaml'
when: ldap_tls_enabled
tags:
- 'configure'
- 'role::ldap'
- 'role::ldap::configure'
- 'pki'
- 'pki::tls'
- name: 'including replication tasks'
import_tasks: '5_configure_replication.yaml'
tags:
- 'configure'
- 'role::ldap'
- 'role::ldap::replicaton'
...
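Review bot: The tag on the replication import is misspelled `role::ldap::replicaton`; the other imports follow the `role::ldap::<step>` form, so it should read `- 'role::ldap::replication'`. That import also carries `configure` but not `role::ldap::configure`, unlike the TLS import; if that is deliberate, a one-line comment above it saying so would save the next reader a question.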

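--- a/roles/lxc_guest/tasks/01-create.yaml
+++ b/roles/lxc_guest/tasks/01-create.yaml
@@ -0,0 +1,134 @@
+---
+- name: 'check | container folder exists'
+stat:
+path: '/var/lib/lxc/{{ vm_name }}'
+register: container_dir
+- name: 'check | container exists'
+container_exists:
+name: '{{ vm_name }}'
+register: container_exists
+- name: 'check | distro is supported'
+assert:
+that: distro in [ 'debian', 'alpine' ]
+- name: 'check | Debian | release is supported'
+assert:
+that: release in [ 'bullseye', 'sid', 'buster' ]
+msg: 'release {{ release }} not supported by debian template'
+when: distro == 'debian'
+- block:
+- name: 'create | Debian | Privileged Container'
+lxc_container:
+name: '{{ vm_name }}'
+backing_store: 'lvm'
+fs_size: '{{ vm_size }}'
+vg_name: '{{ vg_name }}'
+lv_name: 'vm_{{ vm_name }}'
+fs_type: 'xfs'
+container_log: true
+template: 'debian'
+template_options: '--release {{ distro }} --packages=ssh,python3,python3-apt'
+state: 'stopped'
+# suppress messages related to file descriptors
+# leaking when lvm is invoked
+environment:
+LVM_SUPPRESS_FD_WARNINGS: 1
+when: (not unprivileged) and distro == 'debian'
+- name: 'pre-create | Unprivileged Container | Subxid Script'
+copy:
+src: 'find_subxid.sh'
+dest: 'find_subxid.sh'
+when: unprivileged
+- name: 'pre-create | Unprivileged Container | Find Subxid'
+command: 'bash find_subxid.sh'
+register: avail_subxid
+when: unprivileged
+- name: 'pre-create | Unprivileged Container | Set Subxid'
+set_fact:
+subuidmap: '{{ avail_subxid.stdout_lines[0] }}'
+subgidmap: '{{ avail_subxid.stdout_lines[1] }}'
+when: unprivileged
+- name: 'pre-create | Unprivileged Container | Allocate Subxid'
+command: >-
+usermod
+-v {{ '{}-{}'.format(subuidmap.split(' ')[0],
+subuidmap.split(' ')[0]|int+subuidmap.split(' ')[1]|int-1) }}
+-w {{ '{}-{}'.format(subgidmap.split(' ')[0],
+subgidmap.split(' ')[0]|int+subgidmap.split(' ')[1]|int-1) }}
+root
+- name: 'pre-create | Unprivileged Container | Create config stub'
+copy:
+content: |
+lxc.idmap = u 0 {{ subuidmap }}
+lxc.idmap = g 0 {{ subgidmap }}
+dest: '/tmp/lxc_unpriv_config'
+when: unprivileged
+- name: 'create | Unprivileged Container'
+lxc_container:
+name: '{{ vm_name }}'
+backing_store: 'lvm'
+fs_type: 'xfs'
+fs_size: '{{ vm_size }}'
+vg_name: '{{ vg_name }}'
+lv_name: 'vm_{{ vm_name }}'
+container_log: true
+template: 'download'
+template_options: '-d {{ distro }} -r {{ release }} -a amd64'
+config: '/tmp/lxc_unpriv_config'
+state: 'stopped'
+when: unprivileged
+- name: 'post-create | LXC Container Configuration'
+template:
+src: 'config.j2'
+dest: '/var/lib/lxc/{{ vm_name }}/config'
+- block:
+- name: 'post-create | Alpine | Force restart'
+lxc_container:
+name: '{{ vm_name }}'
+state: 'restarted'
+- name: 'post-create | Alpine | Guest Network Configuration'
+raw: |
+rm /etc/network/interfaces
+echo 'nameserver {{ hostvars | ip_from_inventory('vm_gateway') }}' > /etc/resolv.conf
+delegate_to: '{{ vm_name }}'
+connection: 'ssh_lxc'
+- name: 'post-create | Alpine | Force restart'
+lxc_container:
+name: '{{ vm_name }}'
+state: 'restarted'
+- name: 'post-create | Alpine | Install Python'
+raw: |
+apk update
+apk upgrade
+apk add python3
+delegate_to: '{{ vm_name }}'
+connection: 'ssh_lxc'
+when: distro == 'alpine'
+- name: 'post-create | Debian | Guest Initial Configuration'
+lxc_container:
+name: '{{ vm_name }}'
+container_command: |
+echo 'nameserver {{ hostvars | ip_from_inventory('vm_gateway') }}' > /etc/resolv.conf
+apt update
+apt install -y python3 python3-apt
+systemctl mask systemd-journald-audit.socket
+state: 'stopped'
+- name: 'post-create | Start container'
+lxc_container:
+name: '{{ vm_name }}'
+state: 'started'
+when: auto_start|bool
+when: not (container_exists.exists and container_dir.stat.isdir)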
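Review bot: `pre-create | Unprivileged Container | Allocate Subxid` is the only task in the unprivileged sequence without `when: unprivileged`, so a privileged create still renders `subuidmap.split(' ')` and fails unless `subuidmap` is defined elsewhere; add `when: unprivileged` to it. `post-create | Debian | Guest Initial Configuration` likewise has no `when: distro == 'debian'` although its commands are apt-only, while the Alpine block is guarded; add that condition. In the privileged Debian task, `--release {{ distro }}` looks as if it should be `{{ release }}`, the value the release assertion and the unprivileged task use. The outer block's `when:` is the last line of the hunk.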

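--- a/roles/lxc_guest/tasks/02-configure.yaml
+++ b/roles/lxc_guest/tasks/02-configure.yaml
@@ -0,0 +1,60 @@
+---
+- name: 'check | container unprivileged?'
+command: >-
+grep -e '^lxc.idmap = ' /var/lib/lxc/{{ vm_name }}/config
+register: unpriv_status
+changed_when: false
+failed_when: unpriv_status.rc > 1
+- name: 'configure | Unprivileged Container | Subxid mappings'
+set_fact:
+unprivileged: true
+subuidmap: '{{ unpriv_status.stdout_lines[0] | replace("lxc.idmap = u 0 ", "") }}'
+subgidmap: '{{ unpriv_status.stdout_lines[1] | replace("lxc.idmap = g 0 ", "") }}'
+when: unpriv_status.rc == 0
+- name: 'configure | LXC Container Config file'
+template:
+src: 'config.j2'
+dest: '/var/lib/lxc/{{ vm_name }}/config'
+register: container_config
+notify: 'restart container'
+- name: 'configure | Container Running State'
+lxc_container:
+name: '{{ vm_name }}'
+state: '{{ container_state }}'
+register: container_running_state
+- name: 'configure | Container /etc/resolv.conf'
+template:
+src: 'resolv.conf.j2'
+dest: '/etc/resolv.conf'
+delegate_to: '{{ vm_name }}'
+connection: 'ssh_lxc'
+- name: 'configure | Container /etc/network/interfaces'
+copy:
+src: 'interfaces'
+dest: '/etc/network/interfaces'
+delegate_to: '{{ vm_name }}'
+connection: 'ssh_lxc'
+notify: 'restart container'
+- name: 'configure | Debian | APT Periodic'
+lineinfile:
+path: '/etc/apt/apt.conf.d/02periodic'
+line: '{{ item.key }} "{{ item.value }}";'
+regexp: '^{{ item.key }} '
+create: true
+loop:
+- { key: 'APT::Periodic::Enable', value: '1' }
+- { key: 'APT::Periodic::Update-Package-Lists', value: '1' }
+- { key: 'APT::Periodic::Verbose', value: '2' }
+delegate_to: '{{ vm_name }}'
+when: distro == 'debian'
+connection: 'ssh_lxc'
+- meta: 'flush_handlers'
+...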
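Review bot: `configure | Unprivileged Container | Subxid mappings` only ever sets `unprivileged: true` (when the grep returns 0); when no `lxc.idmap` line exists (`rc == 1`) nothing sets it to `false`, so an inventory value of `true` for a container that was in fact created privileged is carried straight into `config.j2`. Either add a counterpart task with `unprivileged: false` under `when: unpriv_status.rc == 1`, or set `unprivileged: '{{ unpriv_status.rc == 0 }}'` unconditionally and keep the map extraction guarded. The guest-side tasks that follow (`resolv.conf`, `interfaces`, APT periodic) presumably rely on `container_state` leaving the container running; a one-line comment above `configure | Container Running State` stating that would help.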

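--- a/roles/lxc_guest/tasks/03-monitoring.yaml
+++ b/roles/lxc_guest/tasks/03-monitoring.yaml
@@ -0,0 +1,16 @@
+---
+- name: 'MONITORING | Host type: lxc_vm'
+set_fact:
+monitoring_entry: >
+{{ { 'address': ansible_host,
+'host_type': 'lxc_vm' } }}
+- name: 'MONITORING | Append host'
+set_fact:
+monitoring_facts: >
+{{ hostvars[monitoring_host]['monitoring_facts']
+| default({})
+| combine({host_fqdn: monitoring_entry}) }}
+delegate_facts: true
+delegate_to: '{{ monitoring_host }}'
+...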

+ 11
- 214
roles/lxc_guest/tasks/main.yaml View File

@ -1,217 +1,14 @@
---
- name: 'check if container dir exists'
stat:
path: '/var/lib/lxc/{{ vm_name }}'
register: container_dir
tags:
- 'lxc'
- name: 'check if container exists'
container_exists:
name: '{{ vm_name }}'
register: container_exists
tags:
- 'lxc'
- name: 'check if release is supported'
assert:
that: release in [ 'bullseye', 'sid', 'buster' ]
msg: 'release {{ release }} not supported by debian template'
when: distro == 'debian'
tags:
- 'lxc'
- block:
- name: 'privileged | create lxc container'
lxc_container:
name: '{{ vm_name }}'
backing_store: 'lvm'
fs_size: '{{ vm_size }}'
vg_name: '{{ vg_name }}'
lv_name: 'vm_{{ vm_name }}'
fs_type: 'xfs'
container_log: true
template: 'debian'
template_options: '--release {{ distro }} --packages=ssh,python3,python3-apt'
state: 'stopped'
# suppress messages related to file descriptors
# leaking when lvm is invoked
environment:
LVM_SUPPRESS_FD_WARNINGS: 1
when: (not unprivileged) and distro == 'debian'
- name: 'unprivileged | upload bash script'
copy:
src: 'find_subxid.sh'
dest: 'find_subxid.sh'
when: unprivileged
- name: 'unprivileged | get free subxid mappings'
command: 'bash find_subxid.sh'
register: avail_subxid
when: unprivileged
- name: 'unprivileged | set subxid mappings'
set_fact:
subuidmap: '{{ avail_subxid.stdout_lines[0] }}'
subgidmap: '{{ avail_subxid.stdout_lines[1] }}'
when: unprivileged
- name: 'unprivileged | create system subxid mappings'
command: >-
usermod
-v {{ '{}-{}'.format(subuidmap.split(' ')[0],
subuidmap.split(' ')[0]|int+subuidmap.split(' ')[1]|int-1) }}
-w {{ '{}-{}'.format(subgidmap.split(' ')[0],
subgidmap.split(' ')[0]|int+subgidmap.split(' ')[1]|int-1) }}
root
- name: 'unprivileged | create config seed'
copy:
content: |
lxc.idmap = u 0 {{ subuidmap }}
lxc.idmap = g 0 {{ subgidmap }}
dest: '/tmp/lxc_unpriv_config'
when: unprivileged
- name: 'unprivileged | create lxc container'
lxc_container:
name: '{{ vm_name }}'
backing_store: 'lvm'
fs_type: 'xfs'
fs_size: '{{ vm_size }}'
vg_name: '{{ vg_name }}'
lv_name: 'vm_{{ vm_name }}'
container_log: true
template: 'download'
template_options: '-d {{ distro }} -r {{ release }} -a amd64'
config: '/tmp/lxc_unpriv_config'
state: 'stopped'
when: unprivileged
- name: 'deploy container config'
template:
src: 'config.j2'
dest: '/var/lib/lxc/{{ vm_name }}/config'
- block:
- name: 'unprivilaged | alpine | start for tweak'
lxc_container:
name: '{{ vm_name }}'
state: 'restarted'
- name: 'unprivileged | alpine | tweak'
raw: |
rm /etc/network/interfaces
echo 'nameserver {{ hostvars | ip_from_inventory('vm_gateway') }}' > /etc/resolv.conf
delegate_to: '{{ vm_name }}'
connection: 'ssh_lxc'
- name: 'unprivileged | alpine | restart'
lxc_container:
name: '{{ vm_name }}'
state: 'restarted'
- name: 'unprivileged | alpine | install python'
raw: |
apk update
apk upgrade
apk add python3
delegate_to: '{{ vm_name }}'
connection: 'ssh_lxc'
when: distro == 'alpine'
- name: 'unprivileged | tweak config'
lxc_container:
name: '{{ vm_name }}'
container_command: |
echo 'nameserver {{ hostvars | ip_from_inventory('vm_gateway') }}' > /etc/resolv.conf
apt update
apt install -y python3 python3-apt
systemctl mask systemd-journald-audit.socket
state: 'stopped'
- name: 'start container'
lxc_container:
name: '{{ vm_name }}'
state: 'started'
when: auto_start|bool
when: not (container_exists.exists and container_dir.stat.isdir)
tags:
- 'lxc'
- name: 'read unprivileged status from config'
command: >-
grep -e '^lxc.idmap = ' /var/lib/lxc/{{ vm_name }}/config
register: unpriv_status
changed_when: false
failed_when: unpriv_status.rc > 1
- name: 'set unprivileged status from config'
set_fact:
unprivileged: true
subuidmap: '{{ unpriv_status.stdout_lines[0] | replace("lxc.idmap = u 0 ", "") }}'
subgidmap: '{{ unpriv_status.stdout_lines[1] | replace("lxc.idmap = g 0 ", "") }}'
when: unpriv_status.rc == 0
- name: 'update container config'
template:
src: 'config.j2'
dest: '/var/lib/lxc/{{ vm_name }}/config'
register: container_config
notify: 'restart container'
- name: 'set container running state'
lxc_container:
name: '{{ vm_name }}'
state: '{{ container_state }}'
register: container_running_state
tags:
- 'lxc'
- name: 'update container resolv.conf'
template:
src: 'resolv.conf.j2'
dest: '/etc/resolv.conf'
delegate_to: '{{ vm_name }}'
connection: 'ssh_lxc'
- name: 'update container net config'
copy:
src: 'interfaces'
dest: '/etc/network/interfaces'
delegate_to: '{{ vm_name }}'
connection: 'ssh_lxc'
notify: 'restart container'
- name: 'update container apt config'
lineinfile:
path: '/etc/apt/apt.conf.d/02periodic'
line: '{{ item.key }} "{{ item.value }}";'
regexp: '^{{ item.key }} '
create: true
loop:
- { key: 'APT::Periodic::Enable', value: '1' }
- { key: 'APT::Periodic::Update-Package-Lists', value: '1' }
- { key: 'APT::Periodic::Verbose', value: '2' }
delegate_to: '{{ vm_name }}'
when: distro == 'debian'
connection: 'ssh_lxc'
- meta: 'flush_handlers'
- name: 'MONITORING | add to monitored hosts'
block:
- name: 'MONITORING | add to monitored hosts'
set_fact:
monitoring_entry: >
{{ { 'address': ansible_host,
'host_type': 'lxc_vm' } }}
- name: 'MONITORING | update monitoring facts'
set_fact:
monitoring_facts: >
{{ hostvars[monitoring_host]['monitoring_facts']
| default({})
| combine({host_fqdn: monitoring_entry}) }}
delegate_facts: true
delegate_to: '{{ monitoring_host }}'
tags:
- 'monitoring'
- import_tasks: '01-create.yaml'
tags:
- 'vm::create'
- import_tasks: '02-configure.yaml'
tags:
- 'vm::configure'
- import_tasks: '03-monitoring.yaml'
tags:
- 'monitoring'
tags:
- 'role::lxc_guest'
...
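Review bot: The new main.yaml tags its imports `vm::create` and `vm::configure`, while every other role in this commit uses the generic `install` / `configure` plus `role::<role>::install` / `role::<role>::configure`, so `--tags configure` runs the other roles' configure steps but skips this one. `- 'configure'` and `- 'role::lxc_guest::configure'` on the `02-configure.yaml` import (and the install counterparts on `01-create.yaml`) would align it with the convention. The old `lxc` tag disappears entirely, so any invocation still using `--tags lxc` now matches nothing in this role.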

+ 24
- 0
roles/nginx/tasks/main.yaml View File

@ -4,12 +4,20 @@
service_name: 'nginx'
service_packages:
- 'nginx'
tags:
- 'install'
- 'role::nginx'
- 'role::nginx::install'
- name: 'disable nginx default configuration'
file:
path: '/etc/nginx/sites-enabled/default'
state: 'absent'
notify: 'restart nginx'
tags:
- 'install'
- 'role::nginx'
- 'role::nginx::install'
- name: 'create nginx location configuration directory'
file:
@ -21,12 +29,22 @@
loop:
- '/etc/nginx/locations/'
- '/etc/nginx/locations/{{ nginx_site_fqdn }}/'
tags:
- 'configure'
- 'role::nginx'
- 'role::nginx::configure'
- name: 'upload nginx configuration'
template:
src: 'base.j2'
dest: '/etc/nginx/sites-available/{{ nginx_site_fqdn }}.conf'
notify: 'restart nginx'
tags:
- 'configure'
- 'role::nginx'
- 'role::nginx::configure'
- name: 'enable nginx configurations'
file:
@ -34,6 +52,11 @@
dest: '/etc/nginx/sites-enabled/{{ nginx_site_fqdn }}.conf'
state: 'link'
notify: 'restart nginx'
tags:
- 'configure'
- 'role::nginx'
- 'role::nginx::configure'
- name: 'MONITORNIG | add HTTP vhost'
block:
@ -56,5 +79,6 @@
delegate_facts: true
delegate_to: '{{ monitoring_host }}'
tags:
- 'role::nginx'
- 'monitoring'
...
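Review bot: The task name `MONITORNIG | add HTTP vhost` in the `@ -34` hunk is misspelled; `MONITORING | add HTTP vhost` matches the prefix the ldap and lxc_guest roles use, which matters when people grep play output by that prefix. The tag lists in this file are consistent with the other roles.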

+ 24
- 0
roles/reverse_proxy/tasks/main.yaml View File

@ -37,6 +37,10 @@
}
delegate_to: 'reverse_proxy'
notify: 'reload reverse proxy'
tags:
- 'install'
- 'role::reverse_proxy'
- 'role::reverse_proxy::install'
- name: 'configure nginx http 80 forwarder'
lineinfile:
@ -45,6 +49,10 @@
line: 'include /etc/nginx/http.conf.d/*.conf;'
delegate_to: 'reverse_proxy'
notify: 'reload reverse proxy'
tags:
- 'install'
- 'role::reverse_proxy'
- 'role::reverse_proxy::install'
- name: 'create configuration directories for sites'
file:
@ -56,6 +64,10 @@
- 'http.conf.d'
- 'map.conf.d'
- 'upstream.conf.d'
tags:
- 'install'
- 'role::reverse_proxy'
- 'role::reverse_proxy::install'
- name: 'configure http proxy for https redirect and acme challenge'
template:
@ -63,6 +75,10 @@
dest: '/etc/nginx/http.conf.d/{{ ansible_hostname }}.conf'
delegate_to: 'reverse_proxy'
notify: 'reload reverse proxy'
tags:
- 'configure'
- 'role::reverse_proxy'
- 'role::reverse_proxy::configure'
- name: 'configure upstream server spec'
copy:
@ -75,6 +91,10 @@
dest: '/etc/nginx/upstream.conf.d/{{ ansible_hostname }}.conf'
delegate_to: 'reverse_proxy'
notify: 'reload reverse proxy'
tags:
- 'configure'
- 'role::reverse_proxy'
- 'role::reverse_proxy::configure'
- name: 'configure sni-upstream mapping'
copy:
@ -85,6 +105,10 @@
dest: '/etc/nginx/map.conf.d/{{ ansible_hostname }}.conf'
delegate_to: 'reverse_proxy'
notify: 'reload reverse proxy'
tags:
- 'configure'
- 'role::reverse_proxy'
- 'role::reverse_proxy::configure'
- meta: 'flush_handlers'


+ 8
- 0
roles/service/tasks/main.yaml View File

@ -14,6 +14,8 @@
service:
name: '{{ service_name }}'
enabled: true
tags:
- 'services'
when: ansible_distribution == 'Debian'
- block:
@ -22,10 +24,14 @@
name: '{{ service_packages|join(",") }}'
state: 'present'
update_cache: true
tags:
- 'packages'
- name: 'ALPINE | start service at boot'
service:
name: '{{ service_name }}'
enabled: true
tags:
- 'services'
when: ansible_distribution == 'Alpine'
- block:
@ -42,4 +48,6 @@
openwrt_init:
name: '{{ service_name }}{{ "d" if service_name=="ssh" }}'
enabled: true
tags:
- 'services'
when: ansible_distribution == 'openwrt'
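Review bot: In the openwrt hunk only the `openwrt_init` task receives a tag (`services`); if there is a package task above it in the same block, it should carry `- 'packages'` as the Alpine package task now does, otherwise `--tags packages` skips OpenWrt hosts. The same check applies to the Debian block, whose package task is outside the first hunk. All three blocks start outside the hunks shown.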

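--- a/roles/ssh_server/tasks/01-install.yaml
+++ b/roles/ssh_server/tasks/01-install.yaml
@@ -0,0 +1,82 @@
+---
+- import_role: name='service'
+vars:
+service_name: 'ssh'
+service_packages:
+- 'openssh-server'
+- 'openssh-sftp-server'
+tags:
+- 'ssh'
+- name: 'upload user and server ca'
+copy:
+content: |
+{% for ca in item.1 %}
+{{ ca }}
+{% endfor %}
+dest: '/etc/ssh/{{ item.0 }}_ca.pub'
+vars:
+cas: '{{ item.1 }}'
+notify: 'restart ssh'
+loop:
+- [ 'user', '{{ ssh_user_ca }}' ]
+- [ 'server', '{{ ssh_server_ca }}' ]
+tags:
+- 'ssh'
+- 'pki'
+- 'pki::ssh'
+- name: 'generate and sign host certificate'
+import_role: name='ca_cert'
+vars:
+ca_cert_common_name: '{{ host_fqdn }}'
+ca_cert_proto: 'ssh'
+ca_cert_ssh_ca_path: '/etc/ssh/server_ca.pub'
+ca_cert_ssh_key_path: '/etc/ssh/ssh_host_ed25519_key'
+tags:
+- 'ssh'
+- 'pki'
+- 'pki::ssh'
+- name: 'add host certificate to sshd config'
+lineinfile:
+line: 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub'
+dest: '/etc/ssh/sshd_config'
+regexp: '^HostCertificate *'
+notify: 'restart ssh'
+tags:
+- 'ssh'
+- 'pki'
+- 'pki::ssh'
+- name: 'add user ca to sshd config'
+lineinfile:
+line: 'TrustedUserCAKeys /etc/ssh/user_ca.pub'
+dest: '/etc/ssh/sshd_config'
+regexp: '^TrustedUserCAKeys *'
+notify: 'restart ssh'
+tags:
+- 'ssh'
+- 'pki'
+- 'pki::ssh'
+- name: 'permit root login only with certificate'
+lineinfile:
+line: 'PermitRootLogin without-password'
+dest: '/etc/ssh/sshd_config'
+regexp: '^PermitRootLogin *'
+notify: 'restart ssh'
+tags:
+- 'ssh'
+- meta: 'flush_handlers'
+- name: 'waiting for ssh on {{ inventory_hostname }} to start'
+wait_for:
+host: '{{ hostvars | ip_from_inventory(inventory_hostname) }}'
+port: 22
+timeout: 30
+delegate_to: 'localhost'
+delegate_facts: true
+tags:
+- 'ssh'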
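Review bot: Everything after the `import_role: name='service'` task in this file — the CA upload, the `ca_cert` import, the three `sshd_config` lineinfile edits, `flush_handlers` and the `wait_for` — is repeated verbatim in `02-configure.yaml`, so a plain run executes every sshd change twice and fires `restart ssh` twice. Keep only the package install (and, if needed, the wait) here and leave the CA and `sshd_config` work to `02-configure.yaml`, which is what the install/configure split in `main.yaml` suggests. The bare `ssh` tag used on these tasks appears in no other file of the commit; `role::ssh_server::install` is already applied by the import in `main.yaml`, so the extra tag can go.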

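--- a/roles/ssh_server/tasks/02-configure.yaml
+++ b/roles/ssh_server/tasks/02-configure.yaml
@@ -0,0 +1,66 @@
+---
+- name: 'upload user and server ca'
+copy:
+content: |
+{% for ca in item.1 %}
+{{ ca }}
+{% endfor %}
+dest: '/etc/ssh/{{ item.0 }}_ca.pub'
+vars:
+cas: '{{ item.1 }}'
+notify: 'restart ssh'
+loop:
+- [ 'user', '{{ ssh_user_ca }}' ]
+- [ 'server', '{{ ssh_server_ca }}' ]
+tags:
+- 'pki'
+- 'pki::ssh'
+- name: 'generate and sign host certificate'
+import_role: name='ca_cert'
+vars:
+ca_cert_common_name: '{{ host_fqdn }}'
+ca_cert_proto: 'ssh'
+ca_cert_ssh_ca_path: '/etc/ssh/server_ca.pub'
+ca_cert_ssh_key_path: '/etc/ssh/ssh_host_ed25519_key'
+tags:
+- 'pki'
+- 'pki::ssh'
+- name: 'add host certificate to sshd config'
+lineinfile:
+line: 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub'
+dest: '/etc/ssh/sshd_config'
+regexp: '^HostCertificate *'
+notify: 'restart ssh'
+tags:
+- 'pki'
+- 'pki::ssh'
+- name: 'add user ca to sshd config'
+lineinfile:
+line: 'TrustedUserCAKeys /etc/ssh/user_ca.pub'
+dest: '/etc/ssh/sshd_config'
+regexp: '^TrustedUserCAKeys *'
+notify: 'restart ssh'
+tags:
+- 'pki'
+- 'pki::ssh'
+- name: 'permit root login only with certificate'
+lineinfile:
+line: 'PermitRootLogin without-password'
+dest: '/etc/ssh/sshd_config'
+regexp: '^PermitRootLogin *'
+notify: 'restart ssh'
+- meta: 'flush_handlers'
+- name: 'waiting for ssh on {{ inventory_hostname }} to start'
+wait_for:
+host: '{{ hostvars | ip_from_inventory(inventory_hostname) }}'
+port: 22
+timeout: 30
+delegate_to: 'localhost'
+delegate_facts: true
+...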
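Review bot: The three `sshd_config` lineinfile tasks append their line at end of file whenever the regexp finds no uncommented match (the stock file ships `#PermitRootLogin` commented out), and on a file that ends with a `Match` block the appended `HostCertificate` lands inside that block, which sshd rejects — the `restart ssh` handler then leaves the host without SSH. Add `insertbefore: 'BOF'` so the directive also precedes any `Include` line, and `validate: '/usr/sbin/sshd -t -f %s'` so a broken file never reaches the restart, on each of the three tasks. `without-password` is the legacy spelling of `prohibit-password`, and the task name overstates it: that setting accepts any authorized key for root, not only CA-signed certificates, so rename it to `permit root login only with key or certificate` or document the intent above it.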

+ 14
- 66
roles/ssh_server/tasks/main.yaml View File

@ -1,68 +1,16 @@
---
- import_role: name='service'
vars:
service_name: 'ssh'
service_packages:
- 'openssh-server'
- 'openssh-sftp-server'
- name: 'upload user and server ca'
copy:
content: |
{% for ca in item.1 %}
{{ ca }}
{% endfor %}
dest: '/etc/ssh/{{ item.0 }}_ca.pub'
vars:
cas: '{{ item.1 }}'
notify: 'restart ssh'
loop:
- [ 'user', '{{ ssh_user_ca }}' ]
- [ 'server', '{{ ssh_server_ca }}' ]
- block:
- import_tasks: '01-install.yaml'
tags:
- 'install'
- 'role::ssh_server::install'
- import_tasks: '02-configure.yaml'
tags:
- 'configure'
- 'role::ssh_server::configure'
#- import_tasks: '03-monitoring.yaml'
# tags:
# - 'monitoring'
tags:
- 'ssh_certs'
- name: 'generate and sign host certificate'
import_role: name='ca_cert'
vars:
ca_cert_common_name: '{{ host_fqdn }}'
ca_cert_proto: 'ssh'
ca_cert_ssh_ca_path: '/etc/ssh/server_ca.pub'
ca_cert_ssh_key_path: '/etc/ssh/ssh_host_ed25519_key'
tags:
- 'ssh_certs'
- name: 'add host certificate to sshd config'
lineinfile:
line: 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub'
dest: '/etc/ssh/sshd_config'
regexp: '^HostCertificate *'
notify: 'restart ssh'
tags:
- 'ssh_certs'
- name: 'add user ca to sshd config'
lineinfile:
line: 'TrustedUserCAKeys /etc/ssh/user_ca.pub'
dest: '/etc/ssh/sshd_config'
regexp: '^TrustedUserCAKeys *'
notify: 'restart ssh'
tags:
- 'ssh_certs'
- name: 'permit root login only with certificate'
lineinfile:
line: 'PermitRootLogin without-password'
dest: '/etc/ssh/sshd_config'
regexp: '^PermitRootLogin *'
notify: 'restart ssh'
- meta: 'flush_handlers'
- name: 'waiting for ssh on {{ inventory_hostname }} to start'
wait_for:
host: '{{ hostvars | ip_from_inventory(inventory_hostname) }}'
port: 22
timeout: 30
delegate_to: 'localhost'
delegate_facts: true
- 'role::ssh_server'
...
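Review bot: The commented `#- import_tasks: '03-monitoring.yaml'` refers to a file this commit does not add (it is absent from the changed-file list), so either add the file or drop the placeholder to keep main.yaml self-explanatory. The old task-level `ssh_certs` tag is gone and nothing replaces it at this level; `pki::ssh` in `02-configure.yaml` is the closest equivalent, which is worth stating in a comment next to the block, e.g. `# certificate tasks: use --tags pki::ssh (formerly ssh_certs)`, for anyone still running `--tags ssh_certs`.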
