
style and variables refactoring

- Coherent quotation style
    Single quotes for text variable (even if implicit), no quotes for
    variable and conditional statements, if not required.

- Some useful tags added:
  * ssh_certs
	  renewal of server SSH certificates and configuration of authorized
      CA.
  * tls_pub
	  renewal of public TLS certificates (let's encrypt) and certbot
	  configuration.
  * tls_int
	  renewal of internal TLS certificates (service authorizations) and
	  configuration of authorized internal CA.
	  *(ToDo: deployment of Certificate Revokation Lists)*
  * lxc
      deployment of new containers (deployment of the configuration file
      excluded: for instance, changes in IP address are always applied and
      trigger a container restart even if you skip this tag).
  * packages
	  installation and upgrade of software packages (apt, opkg or
	  tarballs)
  * service_password
     create new random password for services-only password, for routine
	 rotation. Not meant to be skipped (some roles need to know the
	 service password, so they do a rotation).

- prepare_host
- ssh_server
- lxc_guest
- ldap
- gitlab

- x509_subject_prefix
- x509_ldap_suffix
	*Replaces:* x509_suffix in ldap.yaml
- letsencrypt_email
	Used in roles/certbot and roles/gitlab
- root_ca_cert
	*Replaces:* ssl_ca_cert and files/lilik_x1.crt

New defaults:

- ldap_domain | default: `${domain}`
- server_fqdn | default: `${hostname}.dmz.${domain}`
	*Replaces:* fqdn_domain

Removed:

- fqdn_dmain
- x509_suffix
	*Replaced by:* x509_ldap_suffix in common

New defaults:

- server_fqdn | default: `${hostname}.${domain}`
   *Replaces*: fqdn
- ldap_domain | default: `${domain}`
- ldap_server | default: `ldap1.dmz.${domain}`
- ldap_basedn | default: `dn(${ldap_domain})`
- enable_https | default: `true`

New defaults:

- server_fqdn | default: `${hostname}.${domain}`
python3
Zolfa 5 years ago
parent
commit
5631ae6a15
Signed by: zolfa GPG Key ID: E1A43B038C4D6616
21 changed files with 364 additions and 292 deletions
  1. +8
    -11
      ldap.yaml
  2. +58
    -51
      prepare_host.yaml
  3. +10
    -10
      projects.yaml
  4. +2
    -1
      roles/certbot/defaults/main.yaml
  5. +29
    -19
      roles/certbot/tasks/main.yaml
  6. +11
    -12
      roles/gitlab/README.md
  7. +7
    -4
      roles/gitlab/defaults/main.yaml
  8. +32
    -13
      roles/gitlab/tasks/main.yaml
  9. +18
    -4
      roles/gitlab/templates/gitlab.rb.j2
  10. +16
    -40
      roles/ldap/README.md
  11. +2
    -0
      roles/ldap/defaults/main.yaml
  12. +9
    -2
      roles/ldap/tasks/2_renew_rootpw.yaml
  13. +32
    -23
      roles/ldap/tasks/4_setup_tls.yaml
  14. +5
    -5
      roles/ldap/tasks/main.yaml
  15. +23
    -12
      roles/lxc_guest/tasks/main.yaml
  16. +2
    -1
      roles/nginx/defaults/main.yml
  17. +4
    -3
      roles/nginx/handlers/main.yaml
  18. +1
    -1
      roles/nginx/meta/main.yaml
  19. +26
    -24
      roles/nginx/tasks/main.yaml
  20. +55
    -56
      roles/reverse_proxy/tasks/main.yaml
  21. +14
    -0
      roles/ssh_server/tasks/main.yaml

+ 8
- 11
ldap.yaml View File

@ -1,10 +1,10 @@
---
# 1) Deploy the lxc container(s)
- hosts: ldap
- hosts: 'ldap'
# The host may not exist yet: do not gather facts
gather_facts: false
tags:
- lxc
- 'lxc'
tasks:
# Delegate lxc container deployment to `ansible_lxc_host`
- import_role: name='lxc_guest'
@ -16,19 +16,16 @@
# gather facts (setup) and configure SSH.
- set_fact: ansible_connection='ssh_lxc'
- setup:
- include_role: name='ssh_server'
- import_role: name='ssh_server'
# Now the host should be ssh-reachable
- set_fact: ansible_connection='ssh'
# 2) Deploy LDAP server(s)
- hosts: ldap
- hosts: 'ldap'
roles:
- role: dns_record
- role: ldap
ldap_domain: 'lilik.it'
- role: 'dns_record'
- role: 'ldap'
ldap_organization: 'LILiK'
fqdn_domain: 'dmz.{{ domain }}'
x509_suffix: 'o=LILiK,l=Firenze,st=IT'
virtual_domains:
- '{{ domain }}'
# Default values:
@ -37,6 +34,6 @@
#check_tree: true
# 3) Enable monitoring
- hosts: status
- hosts: 'status'
roles:
- role: icinga2-monitoring
- role: 'icinga2-monitoring'
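Review bot: The play-level `tags: - 'lxc'` on the first play applies to every task in it, including the `import_role: name='ssh_server'` at the end of the second hunk, so `--skip-tags lxc` also skips SSH host-certificate and CA-trust configuration on containers that already exist. The commit message describes `lxc` as covering only container deployment, which this play does not match; moving the tag onto the `import_role: name='lxc_guest'` task, or giving the ssh_server import its own `tags: - 'ssh_certs'`, keeps the two independent. projects.yaml has the same layout and the same issue.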

+ 58
- 51
prepare_host.yaml View File

@ -1,79 +1,86 @@
---
- hosts: vm_hosts
- hosts: 'vm_hosts'
roles:
- role: ssh_server
- role: 'ssh_server'
vars:
management_vlan: 9
virtual_machine_vlan: 13
virtual_machine_vlan: 5
tasks:
- name: install lxc related packages
- name: 'install lxc related packages'
apt:
pkg:
- lxc
- python3
- python3-lxc
state: present
update_cache: yes
- 'lxc'
- 'python3'
- 'python3-lxc'
state: 'present'
update_cache: true
cache_valid_time: 3600
tags:
- 'packages'
- name: install common lxc filesystem support
- name: 'install common lxc filesystem support'
apt:
name: xfsprogs
state: present
notify: load xfs module
name: 'xfsprogs'
state: 'present'
notify: 'load xfs module'
tags:
- 'packages'
- name: autoload xfs module
- name: 'autoload xfs module'
copy:
content: "xfs\n"
dest: /etc/modules-load.d/xfs.conf
notify: load xfs module
content: 'xfs\n'
dest: '/etc/modules-load.d/xfs.conf'
notify: 'load xfs module'
- name: install network bridge utilities
- name: 'install network bridge utilities'
apt:
pkg:
- bridge-utils
- vlan
state: present
update_cache: yes
cache_valid_time: 3600
notify: restart networking
# We should fix this bug. We really should. It's a bug.
# Bridge-utils requires a complete system reboot to enable the new bridge.
- name: configure network bridge with vlans
template:
src: templates/interfaces.j2
dest: /etc/network/interfaces
notify: restart networking
- 'bridge-utils'
- 'vlan'
state: 'present'
update_cache: true
cache_valid_time: '3600'
notify: 'restart networking'
tags:
- 'pacakges'
- name: 'configure network bridge with vlans'
template:
src: 'templates/interfaces.j2'
dest: '/etc/network/interfaces'
notify: 'restart networking'
- name: install utilities
- name: 'install utilities'
apt:
pkg:
- vim
- htop
state: present
update_cache: yes
- 'vim'
- 'htop'
state: 'present'
update_cache: true
cache_valid_time: 3600
tags:
- 'packages'
- name: enable lvm wipe signature
- name: 'enable lvm wipe signature'
lineinfile:
dest: /etc/lvm/lvm.conf
state: present
line: " wipe_signatures_when_zeroing_new_lvs = 0"
dest: '/etc/lvm/lvm.conf'
state: 'present'
line: ' wipe_signatures_when_zeroing_new_lvs = 0'
regexp: '^\s*.+wipe_signatures_when_zeroing_new_lvs = '
notify: restart lvm
notify: 'restart lvm'
handlers:
- name: restart networking
- name: 'restart networking'
service:
name: networking
state: restarted
- name: restart lvm
shell: /etc/init.d/lvm2 reload
- name: load xfs module
name: 'networking'
state: 'restarted'
- name: 'restart lvm'
command: '/etc/init.d/lvm2 reload'
- name: 'load xfs module'
modprobe:
name: xfs
state: present
name: 'xfs'
state: 'present'
- hosts: status
- hosts: 'status'
roles:
- role: icinga2-monitoring
- role: 'icinga2-monitoring'
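Review bot: The tag added to the bridge-utils task is misspelled, `- 'pacakges'`, so `--tags packages` skips that install while `--skip-tags packages` still runs it; it should read `- 'packages'`. In the same task `cache_valid_time: '3600'` is quoted while the other apt tasks leave it as the integer `3600`; apt accepts both, but the commit's own rule says only text is quoted. `virtual_machine_vlan` changes from 13 to 5 here, which is a behavioural change worth naming in the commit message rather than carrying under a style refactor. The old comment about bridge-utils requiring a reboot was dropped while the task and handler it described are unchanged; if that caveat still holds it should stay.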

+ 10
- 10
projects.yaml View File

@ -1,8 +1,8 @@
---
- hosts: projects
- hosts: 'projects'
gather_facts: false
tags:
- lxc
- 'lxc'
tasks:
- import_role: name='lxc_guest'
vars:
@ -12,16 +12,16 @@
delegate_to: '{{ ansible_lxc_host }}'
- set_fact: ansible_connection='ssh_lxc'
- setup:
- include_role: name='ssh_server'
- import_role: name='ssh_server'
- set_fact: ansible_connection='ssh'
- hosts: projects
- hosts: 'projects'
roles:
- role: dns_record
- role: reverse_proxy
hostname: projects
- role: gitlab
- role: 'dns_record'
- role: 'reverse_proxy'
hostname: 'projects'
- role: 'gitlab'
- hosts: status
- hosts: 'status'
roles:
- role: icinga2-monitoring
- role: 'icinga2-monitoring'

+ 2
- 1
roles/certbot/defaults/main.yaml View File

@ -1,2 +1,3 @@
---
webserver_name: nginx
webserver_name: 'nginx'
...

+ 29
- 19
roles/certbot/tasks/main.yaml View File

@ -1,14 +1,15 @@
---
- name: install certbot
- name: 'install certbot'
apt:
name: "{{ item }}"
state: present
pkg:
- 'certbot'
- 'sendmail-bin'
- 'cron'
state: 'present'
update_cache: true
cache_valid_time: 3600
with_items:
- certbot
- sendmail-bin
- cron
tags:
- 'packages'
- name: Shutdown webservers
service:
@ -16,19 +17,21 @@
state: stopped
ignore_errors: yes
- name: request certificate
- name: 'request certificate'
command: >
certbot
certonly
-a standalone
--agree-tos
--email roots@lists.lilik.it
--email {{ letsencrypt_email }}
--preferred-challenges http
-d {{ server_fqdn }}
-d www.{{ server_fqdn }}
-n
args:
creates: /etc/letsencrypt/live/{{ server_fqdn }}/cert.pem
creates: '/etc/letsencrypt/live/{{ server_fqdn }}/cert.pem'
tags:
- 'tls_pub'
- name: Restart webservers
service:
@ -36,19 +39,26 @@
state: started
ignore_errors: yes
- name: Add systemd timer for cert renewal
- name: 'add systemd timer for cert renewal'
template:
src: certbot.timer
dest: /etc/systemd/system/certbot.timer
src: 'certbot.timer'
dest: '/etc/systemd/system/certbot.timer'
tags:
- 'tls_pub'
- name: Add systemd service for cert renewal
- name: 'add systemd service for cert renewal'
template:
src: certbot.service
dest: /etc/systemd/system/certbot.service
src: 'certbot.service'
dest: '/etc/systemd/system/certbot.service'
tags:
- 'tls_pub'
- name: Enable timer
- name: 'enable timer'
systemd:
name: certbot.timer
state: started
name: 'certbot.timer'
state: 'started'
enabled: true
daemon_reload: true
tags:
- 'tls_pub'
...
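Review bot: The `request certificate` task is now tagged `tls_pub` but, as far as this section shows, the surrounding `Shutdown webservers` and `Restart webservers` tasks are not, so `--tags tls_pub` runs certbot with `-a standalone` while the web server still holds port 80 and the standalone authenticator cannot bind it. Tag both service tasks `- 'tls_pub'` as well (their bodies are partly outside the hunks). Both also keep `ignore_errors: yes`, which the commit's own rule would write as `ignore_errors: true`. The new `--email {{ letsencrypt_email }}` argument is interpolated bare into the `command:` string; `--email {{ letsencrypt_email | quote }}` keeps the argument intact should the value ever contain whitespace.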

+ 11
- 12
roles/gitlab/README.md View File

@ -4,15 +4,15 @@ Set-up a Omnibus GitLab server
## Configuration variables
| Name | Description |
|-----------------|-----------------------------------------------------------|
| `fqdn` | [`$hosname.$domain`] |
| `ssh_port` | External SSH port. [`22`] |
| `ldap_server`* | LDAP server FQDN (must be valid for STARTTLS). |
| `ldap_basedn`* | LDAP base before ou=People (i.e.: `'dc=example,dc=com'`). |
| `enable_https` | Enable HTTPS. [`false`] |
| `ldap_admin_dn` | DN of a LDAP user with admin privileges. |
| `ldap_admin_pw` | Bind password of that user. |
| Name | Description |
|-----------------|-------------------------------------------------|
| `server_fqdn` | [`$hostname.$domain`] |
| `ssh_port` | External SSH port. [`22`] |
| `ldap_server`* | LDAP server fqdn [`'ldap1.dmz.$domain'`] |
| `ldap_domain` | LDAP domain, used to derive base dn [`$domain`] |
| `enable_https` | Enable HTTPS. [`false`] |
| `ldap_admin_dn` | DN of a LDAP user with admin privileges. |
| `ldap_admin_pw` | Bind password of that user. |
**Note**: The Ansible controller must have OpenLDAP properly configured
with root ca set in `~/.ldaprc`.
@ -43,15 +43,14 @@ hosts:
playbook.yaml:
---
# Configure LDAP on a Physical Host
# Configure GitLab on a Physical Host
- hosts: 'host1'
roles:
- role: 'dns_record'
- role: 'reverse_proxy'
hostname: 'projects'
- role: 'gitlab'
ldap_server: 'ldap.dmz.{{ domain }}'
ldap_basedn: 'dc=example,dc=com'
Command line:


+ 7
- 4
roles/gitlab/defaults/main.yaml View File

@ -1,5 +1,8 @@
fqdn: '{{ ansible_hostname }}.{{ domain }}'
---
server_fqdn: '{{ ansible_hostname }}.{{ domain }}'
ssh_port: 8022
ldap_server: ldap1.dmz.lilik.it
ldap_basedn: 'dc=lilik,dc=it'
enable_https: false
ldap_domain: '{{ domain }}'
ldap_server: 'ldap1.dmz.{{ domain }}'
ldap_basedn: 'dc={{ ldap_domain.replace(".", ",dc=") }}'
enable_https: true
...
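Review bot: `enable_https` now defaults to `true` here while the README table changed in this same commit still documents it as `[false]`; update the table or keep the old default so the two agree, since a true default also enables the Let's Encrypt block in gitlab.rb.j2. `ldap_basedn` is now derived with `ldap_domain.replace(".", ",dc=")`, which is correct for plain dotted domains; the README line `LDAP domain, used to derive base dn` should state that derivation so operators know what to expect.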

+ 32
- 13
roles/gitlab/tasks/main.yaml View File

@ -6,12 +6,16 @@
pkg:
- 'gnupg'
- 'ca-certificates'
tags:
- 'packages'
- name: 'add gitlab gnupg key to apt'
apt_key:
id: 'F6403F6544A38863DAA0B6E03F01618A51312F3F'
url: 'https://packages.gitlab.com/gpg.key'
state: 'present'
tags:
- 'packages'
- name: 'add gitlab apt repos'
apt_repository:
@ -20,37 +24,53 @@
loop:
- 'deb https://packages.gitlab.com/gitlab/gitlab-ce/debian/ buster main'
- 'deb-src https://packages.gitlab.com/gitlab/gitlab-ce/debian/ buster main'
tags:
- 'packages'
- include_role: name='service'
vars:
service_name: 'gitlab'
service_packages:
- 'gitlab-ce'
- name: 'install gitlab'
apt:
pkg: 'gitlab-ce'
state: 'present'
update_cache: true
cache_valid_time: 3600
tags:
- 'packages'
- name: 'load root ca'
copy:
content: '{{ ssl_ca_cert }}'
dest: '/etc/gitlab/ca.crt'
content: '{{ tls_root_ca }}'
dest: '/etc/gitlab/root_ca.crt'
tags:
- 'tls_int'
- name: 'generate gitlab password'
- name: 'generate gitlab ldap password'
gen_passwd: 'length=32'
register: 'ldap_bindpw'
register: 'new_passwd'
tags:
- 'tls_int'
- 'service_password'
- name: 'set gitlab password'
- name: 'set gitlab ldap password'
delegate_to: 'localhost'
ldap_passwd:
dn: 'cn={{ ansible_hostname }},ou=Server,{{ ldap_basedn }}'
passwd: '{{ ldap_bindpw.passwd }}'
passwd: '{{ new_passwd.passwd }}'
server_uri: 'ldap://{{ ldap_server }}'
start_tls: true
bind_dn: '{{ ldap_admin_dn }}'
bind_pw: '{{ ldap_admin_pw }}'
tags:
- 'tls_int'
- 'service_password'
- name: 'update configuration'
- name: 'update gitlab configuration'
template:
src: 'gitlab.rb.j2'
dest: '/etc/gitlab/gitlab.rb'
notify: 'reconfigure gitlab'
tags:
- 'tls_int'
- 'service_password'
- name: 'patch gitlab to run in lxc'
lineinfile:
@ -58,4 +78,3 @@
insertafter: '^ command "sysctl -e --system"\n'
line: ' ignore_failure true'
notify: 'reconfigure gitlab'
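Review bot: The `generate gitlab ldap password` and `set gitlab ldap password` tasks carry no `no_log: true`, so the registered `new_passwd.passwd` and the `passwd:`/`bind_pw:` arguments appear in verbose runs and in failure output; the ldap role's rotation tasks already use `no_log: true` on the equivalent steps, so add it to both tasks here. The CA variable read by `load root ca` is `tls_root_ca`, while the commit message lists the new variable as `root_ca_cert`; one of the two should be corrected so the description matches what the role reads. `register: 'new_passwd'` is quoted although `register` takes a bare variable name, which the commit's own rule would leave plain.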

+ 18
- 4
roles/gitlab/templates/gitlab.rb.j2 View File

@ -27,9 +27,9 @@
##! address from AWS. For more details, see:
##! https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
{% if enable_https %}
external_url 'https://{{ fqdn }}'
external_url 'https://{{ server_fqdn }}'
{% else %}
external_url 'http://{{ fqdn }}'
external_url 'http://{{ server_fqdn }}'
{% endif %}
## Roles for multi-instance GitLab
@ -343,11 +343,11 @@ external_url 'http://{{ fqdn }}'
port: 389
uid: 'cn'
bind_dn: 'cn={{ ansible_hostname }},ou=Server,{{ ldap_basedn }}'
password: '{{ ldap_bindpw.passwd }}'
password: '{{ new_passwd.passwd }}'
encryption: 'start_tls' # "start_tls" or "simple_tls" or "plain"
verify_certificates: true
tls_options:
ca_file: '/etc/gitlab/ca.crt'
ca_file: '/etc/gitlab/root_ca.crt'
min_version: 772 # TLSv1.3
# smartcard_auth: false
# active_directory: true
@ -1870,6 +1870,19 @@ external_url 'http://{{ fqdn }}'
################################################################################
# Let's Encrypt integration
################################################################################
{% if enable_https %}
letsencrypt['enable'] = true
letsencrypt['contact_emails'] = [ '{{ letsencrypt_email }}' ] # This should be an array of email addresses to add as contacts
letsencrypt['group'] = 'root'
letsencrypt['key_size'] = 4096
letsencrypt['owner'] = 'root'
letsencrypt['wwwroot'] = '/var/opt/gitlab/nginx/www'
# See http://docs.gitlab.com/omnibus/settings/ssl.html#automatic-renewal for more on these sesttings
letsencrypt['auto_renew'] = true
letsencrypt['auto_renew_hour'] = 0
letsencrypt['auto_renew_minute'] = 54 # Should be a number or cron expression, if specified.
letsencrypt['auto_renew_day_of_month'] = "*/4"
{% else %}
# letsencrypt['enable'] = nil
# letsencrypt['contact_emails'] = [] # This should be an array of email addresses to add as contacts
# letsencrypt['group'] = 'root'
@ -1881,6 +1894,7 @@ external_url 'http://{{ fqdn }}'
# letsencrypt['auto_renew_hour'] = 0
# letsencrypt['auto_renew_minute'] = nil # Should be a number or cron expression, if specified.
# letsencrypt['auto_renew_day_of_month'] = "*/4"
{% endif %}
##! Turn off automatic init system detection. To skip init detection in
##! non-docker containers. Recommended not to change.


+ 16
- 40
roles/ldap/README.md View File

@ -4,17 +4,17 @@ Set-up a LDAP server
## Configuration variables
| Name | Description |
|----------------------|-------------------------------------------------------------|
| `ldap_domain`* | Dot-form domain name (i.e.: `'lilik.it'`). |
| `ldap_organization`* | Organization (i.e.: `'LILiK'`). |
| `ssl_subject_prefix` | X.509 TLS Cert Subject (i.e: `'/ST=IT/L=Firenze/O=LILiK'`). |
| `fqdn_domain`* | Required for TLS certificate. |
| `x509_suffix`* | The same in LDAP form (i.e: `'o=LILiK,l=Firenze/st=IT'`). |
| `virtual_domains` | Required with `check_tree`: list of vds to init. |
| `ldap_tls_enabled` | Enables TLS, requires a *ca_manager*. [`true`] |
| `renew_rootdn_pw` | Create a new random password for RooDN. [`true`] |
| `check_tree` | Deploy initial tree configuration. [`true`] |
| Name | Description |
|------------------------|-------------------------------------------------------------|
| `ldap_domain` | Dot-form domain name. [`$domain`] |
| `ldap_organization`* | Organization (i.e.: `'LILiK'`). |
| `x509_subject_prefix`* | X.509 TLS Cert Subject (i.e: `'/ST=IT/L=Firenze/O=LILiK'`). |
| `x509_ldap_suffix`* | The same in LDAP form (i.e: `'o=LILiK,l=Firenze/st=IT'`). |
| `server_fqdn`* | Required for TLS certificate. [`'$hostname.dmz.$domain'`] |
| `virtual_domains` | Required with `check_tree`: list of vds to init. |
| `ldap_tls_enabled` | Enables TLS, requires a *ca_manager*. [`true`] |
| `renew_rootdn_pw` | Create a new random password for RooDN. [`true`] |
| `check_tree` | Deploy initial tree configuration. [`true`] |
**Note:** If `ldap_tls_enabled` the *ca_manager* host should be configured
@ -26,11 +26,11 @@ group_vars/all.yaml:
---
domain: 'example.com'
ssl_subject_prefix: '/C=IT/L=Firenze/O=LILiK'
x509_suffix: 'o=LILiK,l=Firenze,st=IT'
x509_subject_prefix: '/C=IT/L=Firenze/O=LILiK'
x509_ldap_suffix: 'o=LILiK,l=Firenze,st=IT'
user_ca_keys:
- "ssh-ed25519 ################### CA"
ssl_ca_cert: |
tls_root_ca: |
-----BEGIN CERTIFICATE-----
###########################
-----END CERTIFICATE-----
@ -49,33 +49,9 @@ playbook.yaml:
- hosts: 'host'
roles:
- role: ldap
ldap_domain: 'example.com'
#ldap_domain: '{{ domain }}'
#server_fqdn: '{{ ansible_hostname }}.dmz.{{ domain }}'
ldap_organization: 'Example'
fqdn_domain: '{{ domain }}'
virtual_domains:
- 'example.com'
# Configure LDAP on a LXC container
- hosts: 'ldap1'
gather_facts: false # host may not exist yet
tasks:
- import_role: name='lxc_guest'
vars:
vm_name: '{{ inventory_hostname }}'
vm_size: '1G'
delegate_to: '{{ ansible_lxc_host }}'
- set_fact: ansible_connection='ssh_lxc'
- setup: # gather facts
- include_role: name='ssh_server'
# Now the guest is ssh-reachable, don't need proxy anymore.
- set_fact: ansible_connection='ssh'
- hosts: 'ldap1'
roles:
- role: 'dns_record'
- role: 'ldap'
ldap_domain: 'example.com'
ldap_organization: 'Example'
fqdn_domain: '{{ domain }}'
virtual_domains:
- 'example.com'


+ 2
- 0
roles/ldap/defaults/main.yaml View File

@ -1,4 +1,6 @@
---
ldap_domain: '{{ domain }}'
server_fqdn: '{{ ansible_hostname }}.dmz.{{ domain }}'
ldap_tls_enabled: true
renew_rootdn_pw: true
check_tree: true


+ 9
- 2
roles/ldap/tasks/2_renew_rootpw.yaml View File

@ -6,21 +6,28 @@
- name: 'renewing admin password - generation'
gen_passwd: 'length=32'
register: new_passwd
hide_log: true
- set_fact:
password: new_passwd.passwd
- name: 'renewing admin password - hashing'
shell: >
slappasswd
-o module-load=pw-sha2
-h "{SSHA512}"
-s "{{ new_passwd.passwd }}"
-s {{ password | quote }}
register: new_passwd_hash
no_log: true
- name: 'renewing admin password - setting RootPW'
ldap_attr:
dn: 'olcDatabase={1}mdb,cn=config'
name: 'olcRootPW'
values: '{{ new_passwd_hash.stdout }}'
values: >-
{{ new_passwd_hash.stdout }}
state: 'exact'
no_log: true
- name: 'renewing admin password - calling ldappasswd'
ldap_passwd:
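Review bot: `set_fact:` with `password: new_passwd.passwd` stores the literal text `new_passwd.passwd`, not the generated password, because set_fact does not template a bare value; the hashing task then hashes that constant and `olcRootPW` is set to a fixed, predictable value instead of the fresh random one. Write it as `password: '{{ new_passwd.passwd }}'` and add `no_log: true` to the set_fact task, since the fact is a secret. A fact named `password` is also generic enough to collide with host or role variables; a name like `new_rootdn_pw` is safer. The unchanged `hide_log: true` on the generation task does not appear to be an Ansible task keyword (`no_log` is), so it is not suppressing anything; the `ldap_passwd` task at the end of the hunk continues outside it.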


+ 32
- 23
roles/ldap/tasks/4_setup_tls.yaml View File

@ -1,14 +1,18 @@
- apt:
pkg: 'openssl'
state: 'present'
tags:
- 'packages'
- name: 'generate ED25519 private key'
- name: 'create slapd private key'
shell:
cmd: >
openssl genpkey
-algorithm ED25519
-out /etc/ldap/slapd.key
creates: '/etc/ldap/slapd.key'
tags:
- 'tls_int'
- name: 'set private key ownership'
file:
@ -17,35 +21,24 @@
group: 'openldap'
mode: '600'
- name: 'generate certificate request'
shell:
cmd: >
openssl req
-new
-subj "{{ ssl_subject_prefix }}/OU=Server/CN={{ ansible_hostname }}.{{ fqdn_domain }}"
-key /etc/ldap/slapd.key
-out /etc/ldap/slapd.csr
creates: '/etc/ldap/slapd.csr'
- name: 'lookup_ssl_ca_cert'
when: ssl_ca_cert is not defined
set_fact:
ssl_ca_cert: '{{ lookup("file", "lilik_ca_w1.pub") }}'
- name: 'update ssl_ca_cert'
- name: 'update tls ca'
copy:
content: "{{ ssl_ca_cert }}"
dest: '/etc/ldap/ssl_ca.crt'
content: '{{ tls_root_ca }}'
dest: '/etc/ldap/root_ca.crt'
tags:
- 'tls_int'
- name: 'check if slapd cert is valid'
- name: 'check slapd cert status'
command: >
openssl verify
-CAfile /etc/ldap/ssl_ca.crt
-CAfile /etc/ldap/root_ca.crt
-untrusted /etc/ldap/slapd.crt
/etc/ldap/slapd.crt
register: slapd_cert_is_valid
changed_when: false
failed_when: false
tags:
- 'tls_int'
- when: slapd_cert_is_valid.rc != 0
block:
@ -85,6 +78,17 @@
- debug:
var: request_result
verbosity: 2
- name: 'create slapd cert request'
shell:
cmd: >
openssl req
-new
-subj "{{ x509_subject_prefix }}/OU=Server/CN={{ server_fqdn }}"
-key /etc/ldap/slapd.key
-out /etc/ldap/slapd.csr
when: slapd_cert_is_valid.rc != 0
tags:
- 'tls_int'
- name: 'renewing cert - storing new cert file'
copy:
@ -102,6 +106,8 @@
- { name: 'olcTLSCertificateFile', value: '/etc/ldap/slapd.crt' }
- { name: 'olcTLSCertificateKeyFile', value: '/etc/ldap/slapd.key' }
failed_when: false
tags:
- 'tls_int'
- name: 'configuring TLS options'
ldap_attr:
@ -114,11 +120,14 @@
- { name: 'olcTLSCertificateKeyFile', value: '/etc/ldap/slapd.key' }
- { name: 'olcTLSCACertificateFile', value: '/etc/ldap/ssl_ca.crt' }
- { name: 'olcTLSVerifyClient', value: 'try' } # TLS Client Auth
tags:
- 'tls_int'
- name: 'configuring slapd service'
lineinfile:
line: 'SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"'
regexp: '^SLAPD_SERVICES='
path: '/etc/default/slapd'
notify:
- 'restart slapd'
notify: 'restart slapd'
tags:
- 'tls_int'
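Review bot: The CA file is now written to `/etc/ldap/root_ca.crt` and `openssl verify` reads it from there, but the unchanged `olcTLSCACertificateFile` line in the last hunk still points at `/etc/ldap/ssl_ca.crt`, which this role no longer deploys; on a fresh host slapd is configured with a CA path that does not exist, and `olcTLSVerifyClient: try` is then evaluated against a missing or stale file. Change it to `- { name: 'olcTLSCACertificateFile', value: '/etc/ldap/root_ca.crt' }`. The relocated CSR task interpolates `{{ x509_subject_prefix }}` and `{{ server_fqdn }}` inside a double-quoted `shell:` argument; `| quote` on each, or switching to `command:` since no shell features are used, keeps a value containing quotes from breaking the command line. The task list continues past this hunk.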

+ 5
- 5
roles/ldap/tasks/main.yaml View File

@ -1,16 +1,16 @@
---
- name: 'including configuration tasks'
include_tasks: '1_configure_server.yaml'
import_tasks: '1_configure_server.yaml'
- name: 'including password renewal tasks'
include_tasks: '2_renew_rootpw.yaml'
when: renew_rootdn_pw
import_tasks: '2_renew_rootpw.yaml'
tags: service_password
- name: 'including tree provisionig tasks'
include_tasks: '3_provision_tree.yaml'
import_tasks: '3_provision_tree.yaml'
when: check_tree
- name: 'including tls tasks'
include_tasks: '4_setup_tls.yaml'
import_tasks: '4_setup_tls.yaml'
when: ldap_tls_enabled
...
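Review bot: The `when: renew_rootdn_pw` guard on the password-renewal import is dropped in favour of `tags: service_password`, so setting `renew_rootdn_pw: false` no longer skips rotation even though the role defaults and the README changed in this commit still document it as the switch. Either keep `when: renew_rootdn_pw` alongside the tag or remove the variable from defaults and the README. `tags: service_password` is also the only unquoted tag value in this commit's YAML, where the stated rule is single quotes for text.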

+ 23
- 12
roles/lxc_guest/tasks/main.yaml View File

@ -3,31 +3,36 @@
stat:
path: '/var/lib/lxc/{{ vm_name }}'
register: container_dir
tags:
- 'lxc'
- name: 'check if container exists'
container_exists:
name: '{{ vm_name }}'
register: container_exists
tags:
- 'lxc'
- name: 'check if release is supported'
assert:
that: distro in [ 'bullseye', 'sid', 'buster' ]
msg: 'release {{ distro }} not supported by debian template'
tags:
- 'lxc'
- when: not (container_exists.exists and container_dir.stat.isdir)
block:
- block:
- name: 'create the lxc container'
lxc_container:
name: '{{ vm_name }}'
backing_store: 'lvm'
fs_size: '{{ vm_size }}'
vg_name: '{{ vg_name }}'
lv_name: 'vm_{{ vm_name }}'
fs_type: 'xfs'
container_log: true
template: 'debian'
template_options: '--release {{ distro }} --packages=ssh,python3'
state: 'stopped'
name: '{{ vm_name }}'
backing_store: 'lvm'
fs_size: '{{ vm_size }}'
vg_name: '{{ vg_name }}'
lv_name: 'vm_{{ vm_name }}'
fs_type: 'xfs'
container_log: true
template: 'debian'
template_options: '--release {{ distro }} --packages=ssh,python3,python3-apt'
state: 'stopped'
# suppress messages related to file descriptors
# leaking when lvm is invoked
environment:
@ -43,6 +48,9 @@
name: '{{ vm_name }}'
state: 'started'
when: auto_start|bool
when: not (container_exists.exists and container_dir.stat.isdir)
tags:
- 'lxc'
- name: 'update container config'
template:
@ -56,6 +64,8 @@
name: '{{ vm_name }}'
state: '{{ container_state }}'
register: container_running_state
tags:
- 'lxc'
- name: 'update container resolv.conf'
template:
@ -79,3 +89,4 @@
monitoring_host: '{{ monitoring_host | default([]) }} + [ "{{ vm_name }}" ]'
delegate_facts: true
delegate_to: 'status'
...

+ 2
- 1
roles/nginx/defaults/main.yml View File

@ -1,2 +1,3 @@
---
server_fqdn: "{{ ansible_hostname }}.lilik.it"
server_fqdn: '{{ ansible_hostname }}.{{ domain }}'
...

+ 4
- 3
roles/nginx/handlers/main.yaml View File

@ -1,4 +1,5 @@
---
- name: validate nginx configuration
command: nginx -t -c /etc/nginx/nginx.conf
changed_when: False
- name: 'validate nginx configuration'
command: 'nginx -t -c /etc/nginx/nginx.conf'
changed_when: false
...

+ 1
- 1
roles/nginx/meta/main.yaml View File

@ -1,3 +1,3 @@
---
dependencies:
- role: certbot
- role: 'certbot'

+ 26
- 24
roles/nginx/tasks/main.yaml View File

@ -1,34 +1,35 @@
---
- include_role:
name: service
name: 'service'
vars:
service_name: nginx
service_name: 'nginx'
service_packages:
- nginx
- 'nginx'
tags:
- 'packages'
- name: disable nginx default configuration
- name: 'disable nginx default configuration'
file:
path: /etc/nginx/sites-enabled/default
state: absent
notify: restart nginx
path: '/etc/nginx/sites-enabled/default'
state: 'absent'
notify: 'restart nginx'
- name: create nginx location configuration directory
- name: 'create nginx location configuration directory'
file:
path: '{{ item }}'
state: directory
mode: 0755
owner: www-data
group: www-data
with_items:
- /etc/nginx/locations/
state: 'directory'
mode: '0755'
owner: 'www-data'
group: 'www-data'
loop:
- '/etc/nginx/locations/'
- '/etc/nginx/locations/{{ server_fqdn }}/'
- name: upload nginx configuration
- name: 'upload nginx configuration'
template:
src: base.j2
dest: "/etc/nginx/sites-available/{{ server_fqdn }}.conf"
notify:
- restart nginx
src: 'base.j2'
dest: '/etc/nginx/sites-available/{{ server_fqdn }}.conf'
notify: 'restart nginx'
- name: create Diffie Hellman exchange parameters
command: openssl dhparam -out /etc/nginx/dhparam.pem 2048
@ -36,9 +37,10 @@
creates: /etc/nginx/dhparam.pem
notify: restart nginx
- name: enable nginx configurations
- name: 'enable nginx configurations'
file:
src: "/etc/nginx/sites-available/{{ server_fqdn }}.conf"
dest: "/etc/nginx/sites-enabled/{{ server_fqdn }}.conf"
state: link
notify: restart nginx
src: '/etc/nginx/sites-available/{{ server_fqdn }}.conf'
dest: '/etc/nginx/sites-enabled/{{ server_fqdn }}.conf'
state: 'link'
notify: 'restart nginx'
...
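Review bot: The `tags: - 'packages'` added to the `include_role: name: 'service'` task applies only to the include itself, not to the role's tasks: with a dynamic include, `--tags packages` runs the include but skips its untagged tasks, so nginx is not installed. Use `import_role` here, as the playbooks in this commit already do for `ssh_server`, or add `apply: { tags: ['packages'] }` to the include. The unchanged dhparam task still has `creates: /etc/nginx/dhparam.pem` and `notify: restart nginx` bare, against the commit's quoting rule.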

+ 55
- 56
roles/reverse_proxy/tasks/main.yaml View File

@ -1,77 +1,76 @@
---
- name: add https configs to nginx
- name: 'add https configs to nginx'
blockinfile:
dest: /etc/nginx/nginx.conf
dest: '/etc/nginx/nginx.conf'
block: |
stream {
stream {
map $ssl_preread_server_name $name {
include /etc/nginx/map.conf.d/*.conf;
}
include /etc/nginx/upstream.conf.d/*.conf;
map $ssl_preread_server_name $name {
include /etc/nginx/map.conf.d/*.conf;
}
include /etc/nginx/upstream.conf.d/*.conf;
log_format stream_routing '$remote_addr [$time_local] '
'with SNI name "$ssl_preread_server_name" '
'proxying to "$name" '
'$protocol $status $bytes_sent $bytes_received '
'$session_time';
server {
listen {{ public_ip }}:443;
ssl_preread on;
proxy_pass $name;
access_log /var/log/nginx/stream_443.log stream_routing;
}
}
delegate_to: reverse_proxy
log_format stream_routing '$remote_addr [$time_local] '
'with SNI name "$ssl_preread_server_name" '
'proxying to "$name" '
'$protocol $status $bytes_sent $bytes_received '
'$session_time';
server {
listen {{ public_ip }}:443;
ssl_preread on;
proxy_pass $name;
# Pass original Client IP with PROXY PROTOCOL
access_log /var/log/nginx/stream_443.log stream_routing;
}
}
delegate_to: 'reverse_proxy'
notify: reload nginx
- name: add http configs to nginx
- name: 'add http configs to nginx'
lineinfile:
dest: /etc/nginx/nginx.conf
dest: '/etc/nginx/nginx.conf'
insertafter: '^http {'
line: 'include /etc/nginx/http.conf.d/*.conf;'
delegate_to: reverse_proxy
notify: reload nginx
delegate_to: 'reverse_proxy'
notify: 'reload nginx'
- name: Create the http.conf directory for nginx
- name: 'create the http.conf.d directory for nginx'
file:
state: directory
dest: "/etc/nginx/http.conf.d"
delegate_to: reverse_proxy
notify: reload nginx
state: 'directory'
dest: '/etc/nginx/http.conf.d'
delegate_to: 'reverse_proxy'
notify: 'reload nginx'
- name: Upload http to reverse proxy
- name: 'upload http to reverse proxy'
template:
src: http.j2
dest: "/etc/nginx/http.conf.d/http_{{ hostname }}.conf"
delegate_to: reverse_proxy
notify: reload nginx
src: 'http.j2'
dest: '/etc/nginx/http.conf.d/http_{{ hostname }}.conf'
delegate_to: 'reverse_proxy'
notify: 'reload nginx'
- name: Create the map.conf directory for nginx
- name: 'create the map.conf directory for nginx'
file:
state: directory
dest: "/etc/nginx/map.conf.d"
delegate_to: reverse_proxy
notify: reload nginx
state: 'directory'
dest: '/etc/nginx/map.conf.d'
delegate_to: 'reverse_proxy'
notify: 'reload nginx'
- name: Create the upstream.conf directory for nginx
- name: 'create the upstream.conf directory for nginx'
file:
state: directory
dest: "/etc/nginx/upstream.conf.d"
delegate_to: reverse_proxy
notify: reload nginx
state: 'directory'
dest: '/etc/nginx/upstream.conf.d'
delegate_to: 'reverse_proxy'
notify: 'reload nginx'
- name: Upload mappings to reverse proxy
- name: 'upload mappings to reverse proxy'
template:
src: map.j2
dest: "/etc/nginx/map.conf.d/map_{{ hostname }}.conf"
delegate_to: reverse_proxy
notify: reload nginx
src: 'map.j2'
dest: '/etc/nginx/map.conf.d/map_{{ hostname }}.conf'
delegate_to: 'reverse_proxy'
notify: 'reload nginx'
- name: Upload upstream to reverse proxy
- name: 'upload upstream to reverse proxy'
template:
src: upstream.j2
dest: "/etc/nginx/upstream.conf.d/upstream_{{ hostname }}.conf"
delegate_to: reverse_proxy
notify: reload nginx
src: 'upstream.j2'
dest: '/etc/nginx/upstream.conf.d/upstream_{{ hostname }}.conf'
delegate_to: 'reverse_proxy'
notify: 'reload nginx'
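Review bot: The added comment `# Pass original Client IP with PROXY PROTOCOL` inside the stream `server {}` block is not followed by any `proxy_protocol on;` directive, so it describes behaviour the rendered nginx.conf does not have; either drop the comment or add the directive together with PROXY-protocol handling on the upstreams, which otherwise receive a header they do not parse. `notify: reload nginx` on the first task is left bare while the rest of the file was converted. The re-indentation of the `block: |` literal cannot be checked from the rendered page; any leading whitespace inside that block scalar lands in nginx.conf verbatim.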

+ 14
- 0
roles/ssh_server/tasks/main.yaml View File

@ -5,21 +5,29 @@
service_packages:
- 'openssh-server'
- 'openssh-sftp-server'
tags:
- packages
- name: 'update user ca certs'
template:
src: 'user_ca.pub.j2'
dest: '/etc/ssh/user_ca.pub'
notify: 'restart ssh'
tags:
- ssh_certs
- name: 'validate ssh cert if present'
ssh_cert:
register: ssh_verification
ignore_errors: yes
tags:
- ssh_certs
- debug:
var: ssh_verification
verbosity: 2
tags:
- ssh_certs
- block:
- name: 'generate host cert request'
@ -77,6 +85,8 @@
register: set_pub_key
notify: 'restart ssh'
when: ssh_verification.failed
tags:
- ssh_certs
- name: 'add certificate to sshd config'
lineinfile:
@ -84,6 +94,8 @@
dest: '/etc/ssh/sshd_config'
regexp: '^HostCertificate *'
notify: 'restart ssh'
tags:
- ssh_certs
- name: 'trust user ca key'
lineinfile:
@ -91,6 +103,8 @@
dest: '/etc/ssh/sshd_config'
regexp: '^TrustedUserCAKeys *'
notify: 'restart ssh'
tags:
- ssh_certs
- name: 'permit root login only with certificate'
lineinfile:
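Review bot: The new tags are written bare (`- packages`, `- ssh_certs`) while every other tag added in this commit is single-quoted (`- 'packages'`), so this file contradicts the quoting rule in the commit message; quote them for consistency. The task owning `service_packages` at the top starts outside the hunk; if it is an `include_role` of `service` as in roles/nginx, a tag on the include does not reach the role's tasks and `--tags packages` would not install openssh-server. The `- block:` at the end of the first hunk is cut off, so whether its tasks inherit `ssh_certs` cannot be checked here.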

