diff --git a/ldap.yaml b/ldap.yaml index 184fdac..206e03f 100644 --- a/ldap.yaml +++ b/ldap.yaml @@ -1,10 +1,10 @@ --- # 1) Deploy the lxc container(s) -- hosts: ldap +- hosts: 'ldap' # The host may not exist yet: do not gather facts gather_facts: false tags: - - lxc + - 'lxc' tasks: # Delegate lxc container deployment to `ansible_lxc_host` - import_role: name='lxc_guest' @@ -16,19 +16,16 @@ # gather facts (setup) and configure SSH. - set_fact: ansible_connection='ssh_lxc' - setup: - - include_role: name='ssh_server' + - import_role: name='ssh_server' # Now the host should be ssh-reachable - set_fact: ansible_connection='ssh' # 2) Deploy LDAP server(s) -- hosts: ldap +- hosts: 'ldap' roles: - - role: dns_record - - role: ldap - ldap_domain: 'lilik.it' + - role: 'dns_record' + - role: 'ldap' ldap_organization: 'LILiK' - fqdn_domain: 'dmz.{{ domain }}' - x509_suffix: 'o=LILiK,l=Firenze,st=IT' virtual_domains: - '{{ domain }}' # Default values: @@ -37,6 +34,6 @@ #check_tree: true # 3) Enable monitoring -- hosts: status +- hosts: 'status' roles: - - role: icinga2-monitoring + - role: 'icinga2-monitoring' diff --git a/prepare_host.yaml b/prepare_host.yaml index d20b92b..c7ca68b 100644 --- a/prepare_host.yaml +++ b/prepare_host.yaml 
@@ -1,79 +1,86 @@ --- -- hosts: vm_hosts +- hosts: 'vm_hosts' roles: - - role: ssh_server + - role: 'ssh_server' vars: management_vlan: 9 - virtual_machine_vlan: 13 + virtual_machine_vlan: 5 tasks: - - name: install lxc related packages + - name: 'install lxc related packages' apt: pkg: - - lxc - - python3 - - python3-lxc - state: present - update_cache: yes + - 'lxc' + - 'python3' + - 'python3-lxc' + state: 'present' + update_cache: true cache_valid_time: 3600 + tags: + - 'packages' - - name: install common lxc filesystem support + - name: 'install common lxc filesystem support' apt: - name: xfsprogs - state: present - notify: load xfs module + name: 'xfsprogs' + state: 'present' + notify: 'load xfs module' + tags: + - 'packages' - - name: autoload xfs module + - name: 'autoload xfs module' copy: - content: "xfs\n" - dest: /etc/modules-load.d/xfs.conf - notify: load xfs module + content: 'xfs\n' + dest: '/etc/modules-load.d/xfs.conf' + notify: 'load xfs module' - - name: install network bridge utilities + - name: 'install network bridge utilities' apt: pkg: - - bridge-utils - - vlan - state: present - update_cache: yes - cache_valid_time: 3600 - notify: restart networking - # We should fix this bug. We really should. It's a bug. - # Bridge-utils requires a complete system reboot to enable the new bridge. 
- - name: configure network bridge with vlans - template: - src: templates/interfaces.j2 - dest: /etc/network/interfaces - notify: restart networking + - 'bridge-utils' + - 'vlan' + state: 'present' + update_cache: true + cache_valid_time: '3600' + notify: 'restart networking' + tags: + - 'pacakges' + - name: 'configure network bridge with vlans' + template: + src: 'templates/interfaces.j2' + dest: '/etc/network/interfaces' + notify: 'restart networking' - - name: install utilities + - name: 'install utilities' apt: pkg: - - vim - - htop - state: present - update_cache: yes + - 'vim' + - 'htop' + state: 'present' + update_cache: true cache_valid_time: 3600 + tags: + - 'packages' - - name: enable lvm wipe signature + - name: 'enable lvm wipe signature' lineinfile: - dest: /etc/lvm/lvm.conf - state: present - line: " wipe_signatures_when_zeroing_new_lvs = 0" + dest: '/etc/lvm/lvm.conf' + state: 'present' + line: ' wipe_signatures_when_zeroing_new_lvs = 0' regexp: '^\s*.+wipe_signatures_when_zeroing_new_lvs = ' - notify: restart lvm + notify: 'restart lvm' + handlers: - - name: restart networking + - name: 'restart networking' service: - name: networking - state: restarted - - name: restart lvm - shell: /etc/init.d/lvm2 reload - - name: load xfs module + name: 'networking' + state: 'restarted' + - name: 'restart lvm' + command: '/etc/init.d/lvm2 reload' + - name: 'load xfs module' modprobe: - name: xfs - state: present + name: 'xfs' + state: 'present' -- hosts: status +- hosts: 'status' roles: - - role: icinga2-monitoring + - role: 'icinga2-monitoring' diff --git a/projects.yaml b/projects.yaml index b28391e..763eb7e 100644 --- a/projects.yaml +++ b/projects.yaml @@ -1,8 +1,8 @@ --- -- hosts: projects +- hosts: 'projects' gather_facts: false tags: - - lxc + - 'lxc' tasks: - import_role: name='lxc_guest' vars: 
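Review bot: Switching `content: "xfs\n"` to `content: 'xfs\n'` in the 'autoload xfs module' task changes the value written to disk: single-quoted YAML keeps the backslash and the n literally, so /etc/modules-load.d/xfs.conf now contains `xfs\n` as text instead of `xfs` followed by a newline, and the module name no longer matches. Keep the double-quoted form, `content: "xfs\n"`, or write it as a block scalar (`content: |` with `xfs` on the next line). Two smaller points in the same hunk: the 'install network bridge utilities' task is tagged `'pacakges'` (typo, so `--tags packages` skips it) and quotes `cache_valid_time: '3600'` where the sibling apt tasks keep the integer. `virtual_machine_vlan` also changes from 13 to 5, a functional change unrelated to the quoting cleanup that the commit message should call out.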
@@ -12,16 +12,16 @@ delegate_to: '{{ ansible_lxc_host }}' - set_fact: ansible_connection='ssh_lxc' - setup: - - include_role: name='ssh_server' + - import_role: name='ssh_server' - set_fact: ansible_connection='ssh' -- hosts: projects +- hosts: 'projects' roles: - - role: dns_record - - role: reverse_proxy - hostname: projects - - role: gitlab + - role: 'dns_record' + - role: 'reverse_proxy' + hostname: 'projects' + - role: 'gitlab' -- hosts: status +- hosts: 'status' roles: - - role: icinga2-monitoring + - role: 'icinga2-monitoring' diff --git a/roles/certbot/defaults/main.yaml b/roles/certbot/defaults/main.yaml index 223f3e8..1a51a2d 100644 --- a/roles/certbot/defaults/main.yaml +++ b/roles/certbot/defaults/main.yaml @@ -1,2 +1,3 @@ --- -webserver_name: nginx +webserver_name: 'nginx' +... diff --git a/roles/certbot/tasks/main.yaml b/roles/certbot/tasks/main.yaml index 5b959c5..b6928ac 100644 --- a/roles/certbot/tasks/main.yaml +++ b/roles/certbot/tasks/main.yaml @@ -1,14 +1,15 @@ --- -- name: install certbot +- name: 'install certbot' apt: - name: "{{ item }}" - state: present + pkg: + - 'certbot' + - 'sendmail-bin' + - 'cron' + state: 'present' update_cache: true cache_valid_time: 3600 - with_items: - - certbot - - sendmail-bin - - cron + tags: + - 'packages' - name: Shutdown webservers service: @@ -16,19 +17,21 @@ state: stopped ignore_errors: yes -- name: request certificate +- name: 'request certificate' command: > certbot certonly -a standalone --agree-tos - --email roots@lists.lilik.it + --email {{ letsencrypt_email }} --preferred-challenges http -d {{ server_fqdn }} -d www.{{ server_fqdn }} -n args: - creates: /etc/letsencrypt/live/{{ server_fqdn }}/cert.pem + creates: '/etc/letsencrypt/live/{{ server_fqdn }}/cert.pem' + tags: + - 'tls_pub' - name: Restart webservers service: 
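Review bot: `--email {{ letsencrypt_email }}` in the 'request certificate' task references a variable with no default in the role — the certbot defaults hunk in this commit shows the whole file and only sets `webserver_name` — so the role now fails with an undefined variable on any host that does not define it in inventory. Add `letsencrypt_email` to roles/certbot/defaults/main.yaml (or assert it at the top of the task list), and since it is interpolated into a command line, pass it as `--email {{ letsencrypt_email | quote }}`. The new `tls_pub` tag covers the request, timer, service and enable tasks but not the unchanged 'Shutdown webservers' and 'Restart webservers' tasks around them, so `--tags tls_pub` would run the standalone challenge while the web server still holds port 80; tag those two tasks `tls_pub` as well.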
@@ -36,19 +39,26 @@ state: started ignore_errors: yes -- name: Add systemd timer for cert renewal +- name: 'add systemd timer for cert renewal' template: - src: certbot.timer - dest: /etc/systemd/system/certbot.timer + src: 'certbot.timer' + dest: '/etc/systemd/system/certbot.timer' + tags: + - 'tls_pub' -- name: Add systemd service for cert renewal +- name: 'add systemd service for cert renewal' template: - src: certbot.service - dest: /etc/systemd/system/certbot.service + src: 'certbot.service' + dest: '/etc/systemd/system/certbot.service' + tags: + - 'tls_pub' -- name: Enable timer +- name: 'enable timer' systemd: - name: certbot.timer - state: started + name: 'certbot.timer' + state: 'started' enabled: true daemon_reload: true + tags: + - 'tls_pub' +... diff --git a/roles/gitlab/README.md b/roles/gitlab/README.md index 3801a45..4325cc5 100644 --- a/roles/gitlab/README.md +++ b/roles/gitlab/README.md 
@@ -4,15 +4,15 @@ Set-up a Omnibus GitLab server ## Configuration variables -| Name | Description | -|-----------------|-----------------------------------------------------------| -| `fqdn` | [`$hosname.$domain`] | -| `ssh_port` | External SSH port. [`22`] | -| `ldap_server`* | LDAP server FQDN (must be valid for STARTTLS). | -| `ldap_basedn`* | LDAP base before ou=People (i.e.: `'dc=example,dc=com'`). | -| `enable_https` | Enable HTTPS. [`false`] | -| `ldap_admin_dn` | DN of a LDAP user with admin privileges. | -| `ldap_admin_pw` | Bind password of that user. | +| Name | Description | +|-----------------|-------------------------------------------------| +| `server_fqdn` | [`$hostname.$domain`] | +| `ssh_port` | External SSH port. [`22`] | +| `ldap_server`* | LDAP server fqdn [`'ldap1.dmz.$domain'`] | +| `ldap_domain` | LDAP domain, used to derive base dn [`$domain`] | +| `enable_https` | Enable HTTPS. [`false`] | +| `ldap_admin_dn` | DN of a LDAP user with admin privileges. | +| `ldap_admin_pw` | Bind password of that user. | **Note**: The Ansible controller must have OpenLDAP properly configured with root ca set in `~/.ldaprc`. @@ -43,15 +43,14 @@ hosts: playbook.yaml: --- - # Configure LDAP on a Physical Host + # Configure GitLab on a Physical Host - hosts: 'host1' roles: - role: 'dns_record' - role: 'reverse_proxy' hostname: 'projects' - role: 'gitlab' - ldap_server: 'ldap.dmz.{{ domain }}' - ldap_basedn: 'dc=example,dc=com' + Command line: diff --git a/roles/gitlab/defaults/main.yaml b/roles/gitlab/defaults/main.yaml index 54abd55..c832f05 100644 --- a/roles/gitlab/defaults/main.yaml +++ b/roles/gitlab/defaults/main.yaml 
@@ -1,5 +1,8 @@ -fqdn: '{{ ansible_hostname }}.{{ domain }}' +--- +server_fqdn: '{{ ansible_hostname }}.{{ domain }}' ssh_port: 8022 -ldap_server: ldap1.dmz.lilik.it -ldap_basedn: 'dc=lilik,dc=it' -enable_https: false +ldap_domain: '{{ domain }}' +ldap_server: 'ldap1.dmz.{{ domain }}' +ldap_basedn: 'dc={{ ldap_domain.replace(".", ",dc=") }}' +enable_https: true +... diff --git a/roles/gitlab/tasks/main.yaml b/roles/gitlab/tasks/main.yaml index ce64d4e..b69320a 100644 --- a/roles/gitlab/tasks/main.yaml +++ b/roles/gitlab/tasks/main.yaml @@ -6,12 +6,16 @@ pkg: - 'gnupg' - 'ca-certificates' + tags: + - 'packages' - name: 'add gitlab gnupg key to apt' apt_key: id: 'F6403F6544A38863DAA0B6E03F01618A51312F3F' url: 'https://packages.gitlab.com/gpg.key' state: 'present' + tags: + - 'packages' - name: 'add gitlab apt repos' apt_repository: 
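Review bot: `enable_https` flips from `false` to `true` in the role defaults, but the README table updated in this same commit still documents the default as `[false]`, and with the new template the flag also switches on the Let's Encrypt block, which needs `letsencrypt_email` — a variable this defaults file (shown in full here) does not provide. Either keep the default at `false`, or update the README row and add a `letsencrypt_email` default or an early assert next to `server_fqdn`. The derived `ldap_basedn: 'dc={{ ldap_domain.replace(".", ",dc=") }}'` is fine for plain dotted domains; a one-line comment such as `# example.com -> dc=example,dc=com` would make the intent obvious to the next reader.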
@@ -20,37 +24,53 @@ loop: - 'deb https://packages.gitlab.com/gitlab/gitlab-ce/debian/ buster main' - 'deb-src https://packages.gitlab.com/gitlab/gitlab-ce/debian/ buster main' + tags: + - 'packages' -- include_role: name='service' - vars: - service_name: 'gitlab' - service_packages: - - 'gitlab-ce' +- name: 'install gitlab' + apt: + pkg: 'gitlab-ce' + state: 'present' + update_cache: true + cache_valid_time: 3600 + tags: + - 'packages' - name: 'load root ca' copy: - content: '{{ ssl_ca_cert }}' - dest: '/etc/gitlab/ca.crt' + content: '{{ tls_root_ca }}' + dest: '/etc/gitlab/root_ca.crt' + tags: + - 'tls_int' -- name: 'generate gitlab password' +- name: 'generate gitlab ldap password' gen_passwd: 'length=32' - register: 'ldap_bindpw' + register: 'new_passwd' + tags: + - 'tls_int' + - 'service_password' -- name: 'set gitlab password' +- name: 'set gitlab ldap password' delegate_to: 'localhost' ldap_passwd: dn: 'cn={{ ansible_hostname }},ou=Server,{{ ldap_basedn }}' - passwd: '{{ ldap_bindpw.passwd }}' + passwd: '{{ new_passwd.passwd }}' server_uri: 'ldap://{{ ldap_server }}' start_tls: true bind_dn: '{{ ldap_admin_dn }}' bind_pw: '{{ ldap_admin_pw }}' + tags: + - 'tls_int' + - 'service_password' -- name: 'update configuration' +- name: 'update gitlab configuration' template: src: 'gitlab.rb.j2' dest: '/etc/gitlab/gitlab.rb' notify: 'reconfigure gitlab' + tags: + - 'tls_int' + - 'service_password' - name: 'patch gitlab to run in lxc' lineinfile: @@ -58,4 +78,3 @@ insertafter: '^ command "sysctl -e --system"\n' line: ' ignore_failure true' notify: 'reconfigure gitlab' - diff --git a/roles/gitlab/templates/gitlab.rb.j2 b/roles/gitlab/templates/gitlab.rb.j2 index bca3f37..2de061e 100644 --- a/roles/gitlab/templates/gitlab.rb.j2 +++ b/roles/gitlab/templates/gitlab.rb.j2 
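Review bot: The 'generate gitlab ldap password' and 'set gitlab ldap password' tasks register and pass a plaintext bind password (`new_passwd`, `passwd: '{{ new_passwd.passwd }}'`, `bind_pw: '{{ ldap_admin_pw }}'`) without `no_log: true`, so a verbose run prints them; roles/ldap/tasks/2_renew_rootpw.yaml in this same commit adds `no_log: true` to the equivalent tasks, and these two should match. The 'update gitlab configuration' template task renders that password into /etc/gitlab/gitlab.rb but sets no explicit permissions, so the file mode depends on whatever the package or a previous run left behind; pin it with `mode: '0600'` plus `owner: 'root'` and `group: 'root'`. Renaming the registered variable from `ldap_bindpw` to the generic `new_passwd` also makes it harder to grep for where the secret flows; a role-specific name such as `gitlab_ldap_passwd` would be clearer.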
@@ -27,9 +27,9 @@ ##! address from AWS. For more details, see: ##! https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html {% if enable_https %} -external_url 'https://{{ fqdn }}' +external_url 'https://{{ server_fqdn }}' {% else %} -external_url 'http://{{ fqdn }}' +external_url 'http://{{ server_fqdn }}' {% endif %} ## Roles for multi-instance GitLab @@ -343,11 +343,11 @@ external_url 'http://{{ fqdn }}' port: 389 uid: 'cn' bind_dn: 'cn={{ ansible_hostname }},ou=Server,{{ ldap_basedn }}' - password: '{{ ldap_bindpw.passwd }}' + password: '{{ new_passwd.passwd }}' encryption: 'start_tls' # "start_tls" or "simple_tls" or "plain" verify_certificates: true tls_options: - ca_file: '/etc/gitlab/ca.crt' + ca_file: '/etc/gitlab/root_ca.crt' min_version: 772 # TLSv1.3 # smartcard_auth: false # active_directory: true @@ -1870,6 +1870,19 @@ external_url 'http://{{ fqdn }}' ################################################################################ # Let's Encrypt integration ################################################################################ +{% if enable_https %} + letsencrypt['enable'] = true + letsencrypt['contact_emails'] = [ '{{ letsencrypt_email }}' ] # This should be an array of email addresses to add as contacts + letsencrypt['group'] = 'root' + letsencrypt['key_size'] = 4096 + letsencrypt['owner'] = 'root' + letsencrypt['wwwroot'] = '/var/opt/gitlab/nginx/www' +# See http://docs.gitlab.com/omnibus/settings/ssl.html#automatic-renewal for more on these sesttings + letsencrypt['auto_renew'] = true + letsencrypt['auto_renew_hour'] = 0 + letsencrypt['auto_renew_minute'] = 54 # Should be a number or cron expression, if specified. + letsencrypt['auto_renew_day_of_month'] = "*/4" +{% else %} # letsencrypt['enable'] = nil # letsencrypt['contact_emails'] = [] # This should be an array of email addresses to add as contacts # letsencrypt['group'] = 'root' 
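Review bot: The new Let's Encrypt block hard-codes `letsencrypt['contact_emails'] = [ '{{ letsencrypt_email }}' ]`, but `letsencrypt_email` is not among the gitlab role defaults changed in this commit, and because `enable_https` now defaults to `true` the template fails to render on any host that does not set it. Give the variable a default in the role or guard the line with `{% if letsencrypt_email is defined %}`. The added settings are also indented by one space inside a top-level Ruby file and the comment reads `sesttings`; aligning them to column 0 and fixing the typo keeps the block consistent with the commented-out template text in the `{% else %}` branch.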
@@ -1881,6 +1894,7 @@ external_url 'http://{{ fqdn }}' # letsencrypt['auto_renew_hour'] = 0 # letsencrypt['auto_renew_minute'] = nil # Should be a number or cron expression, if specified. # letsencrypt['auto_renew_day_of_month'] = "*/4" +{% endif %} ##! Turn off automatic init system detection. To skip init detection in ##! non-docker containers. Recommended not to change. diff --git a/roles/ldap/README.md b/roles/ldap/README.md index 81c6dc8..9f444fa 100644 --- a/roles/ldap/README.md +++ b/roles/ldap/README.md 
@@ -4,17 +4,17 @@ Set-up a LDAP server ## Configuration variables -| Name | Description | -|----------------------|-------------------------------------------------------------| -| `ldap_domain`* | Dot-form domain name (i.e.: `'lilik.it'`). | -| `ldap_organization`* | Organization (i.e.: `'LILiK'`). | -| `ssl_subject_prefix` | X.509 TLS Cert Subject (i.e: `'/ST=IT/L=Firenze/O=LILiK'`). | -| `fqdn_domain`* | Required for TLS certificate. | -| `x509_suffix`* | The same in LDAP form (i.e: `'o=LILiK,l=Firenze/st=IT'`). | -| `virtual_domains` | Required with `check_tree`: list of vds to init. | -| `ldap_tls_enabled` | Enables TLS, requires a *ca_manager*. [`true`] | -| `renew_rootdn_pw` | Create a new random password for RooDN. [`true`] | -| `check_tree` | Deploy initial tree configuration. [`true`] | +| Name | Description | +|------------------------|-------------------------------------------------------------| +| `ldap_domain` | Dot-form domain name. [`$domain`] | +| `ldap_organization`* | Organization (i.e.: `'LILiK'`). | +| `x509_subject_prefix`* | X.509 TLS Cert Subject (i.e: `'/ST=IT/L=Firenze/O=LILiK'`). | +| `x509_ldap_suffix`* | The same in LDAP form (i.e: `'o=LILiK,l=Firenze/st=IT'`). | +| `server_fqdn`* | Required for TLS certificate. [`'$hostname.dmz.$domain'`] | +| `virtual_domains` | Required with `check_tree`: list of vds to init. | +| `ldap_tls_enabled` | Enables TLS, requires a *ca_manager*. [`true`] | +| `renew_rootdn_pw` | Create a new random password for RooDN. [`true`] | +| `check_tree` | Deploy initial tree configuration. [`true`] | **Note:** If `ldap_tls_enabled` the *ca_manager* host should be configured 
@@ -26,11 +26,11 @@ group_vars/all.yaml: --- domain: 'example.com' - ssl_subject_prefix: '/C=IT/L=Firenze/O=LILiK' - x509_suffix: 'o=LILiK,l=Firenze,st=IT' + x509_subject_prefix: '/C=IT/L=Firenze/O=LILiK' + x509_ldap_suffix: 'o=LILiK,l=Firenze,st=IT' user_ca_keys: - "ssh-ed25519 ################### CA" - ssl_ca_cert: | + tls_root_ca: | -----BEGIN CERTIFICATE----- ########################### -----END CERTIFICATE----- @@ -49,33 +49,9 @@ playbook.yaml: - hosts: 'host' roles: - role: ldap - ldap_domain: 'example.com' + #ldap_domain: '{{ domain }}' + #server_fqdn: '{{ ansible_hostname }}.dmz.{{ domain }}' ldap_organization: 'Example' - fqdn_domain: '{{ domain }}' - virtual_domains: - - 'example.com' - - # Configure LDAP on a LXC container - - hosts: 'ldap1' - gather_facts: false # host may not exist yet - tasks: - - import_role: name='lxc_guest' - vars: - vm_name: '{{ inventory_hostname }}' - vm_size: '1G' - delegate_to: '{{ ansible_lxc_host }}' - - set_fact: ansible_connection='ssh_lxc' - - setup: # gather facts - - include_role: name='ssh_server' - # Now the guest is ssh-reachable, don't need proxy anymore. - - set_fact: ansible_connection='ssh' - - hosts: 'ldap1' - roles: - - role: 'dns_record' - - role: 'ldap' - ldap_domain: 'example.com' - ldap_organization: 'Example' - fqdn_domain: '{{ domain }}' virtual_domains: - 'example.com' diff --git a/roles/ldap/defaults/main.yaml b/roles/ldap/defaults/main.yaml index 0f38c26..d39c5ab 100644 --- a/roles/ldap/defaults/main.yaml +++ b/roles/ldap/defaults/main.yaml @@ -1,4 +1,6 @@ --- +ldap_domain: '{{ domain }}' +server_fqdn: '{{ ansible_hostname }}.dmz.{{ domain }}' ldap_tls_enabled: true renew_rootdn_pw: true check_tree: true diff --git a/roles/ldap/tasks/2_renew_rootpw.yaml b/roles/ldap/tasks/2_renew_rootpw.yaml index 199a36d..3a1e12d 100644 --- a/roles/ldap/tasks/2_renew_rootpw.yaml +++ b/roles/ldap/tasks/2_renew_rootpw.yaml 
@@ -6,21 +6,28 @@ - name: 'renewing admin password - generation' gen_passwd: 'length=32' register: new_passwd + hide_log: true + +- set_fact: + password: new_passwd.passwd - name: 'renewing admin password - hashing' shell: > slappasswd -o module-load=pw-sha2 -h "{SSHA512}" - -s "{{ new_passwd.passwd }}" + -s {{ password | quote }} register: new_passwd_hash + no_log: true - name: 'renewing admin password - setting RootPW' ldap_attr: dn: 'olcDatabase={1}mdb,cn=config' name: 'olcRootPW' - values: '{{ new_passwd_hash.stdout }}' + values: >- + {{ new_passwd_hash.stdout }} state: 'exact' + no_log: true - name: 'renewing admin password - calling ldappasswd' ldap_passwd: diff --git a/roles/ldap/tasks/4_setup_tls.yaml b/roles/ldap/tasks/4_setup_tls.yaml index 49f2d95..f217deb 100644 --- a/roles/ldap/tasks/4_setup_tls.yaml +++ b/roles/ldap/tasks/4_setup_tls.yaml @@ -1,14 +1,18 @@ - apt: pkg: 'openssl' state: 'present' + tags: + - 'packages' -- name: 'generate ED25519 private key' +- name: 'create slapd private key' shell: cmd: > openssl genpkey -algorithm ED25519 -out /etc/ldap/slapd.key creates: '/etc/ldap/slapd.key' + tags: + - 'tls_int' - name: 'set private key ownership' file: 
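Review bot: `hide_log: true` on the 'renewing admin password - generation' task is not an Ansible task keyword (the two tasks below correctly use `no_log`), so the play aborts at parse time with an invalid-attribute error; change it to `no_log: true`. The new `set_fact` assigns the literal string — `password: new_passwd.passwd` — rather than the generated value, so slappasswd hashes that fixed text and the RootPW becomes a known, non-random value while the later ldappasswd step presumably still uses `new_passwd.passwd`; it must read `password: '{{ new_passwd.passwd }}'`. `password` is also a very generic fact name that stays attached to the host for the rest of the play; something like `ldap_rootdn_passwd` is safer. The 'calling ldappasswd' task that follows is outside the hunk.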
@@ -17,35 +21,24 @@ group: 'openldap' mode: '600' -- name: 'generate certificate request' - shell: - cmd: > - openssl req - -new - -subj "{{ ssl_subject_prefix }}/OU=Server/CN={{ ansible_hostname }}.{{ fqdn_domain }}" - -key /etc/ldap/slapd.key - -out /etc/ldap/slapd.csr - creates: '/etc/ldap/slapd.csr' - -- name: 'lookup_ssl_ca_cert' - when: ssl_ca_cert is not defined - set_fact: - ssl_ca_cert: '{{ lookup("file", "lilik_ca_w1.pub") }}' - -- name: 'update ssl_ca_cert' +- name: 'update tls ca' copy: - content: "{{ ssl_ca_cert }}" - dest: '/etc/ldap/ssl_ca.crt' + content: '{{ tls_root_ca }}' + dest: '/etc/ldap/root_ca.crt' + tags: + - 'tls_int' -- name: 'check if slapd cert is valid' +- name: 'check slapd cert status' command: > openssl verify - -CAfile /etc/ldap/ssl_ca.crt + -CAfile /etc/ldap/root_ca.crt -untrusted /etc/ldap/slapd.crt /etc/ldap/slapd.crt register: slapd_cert_is_valid changed_when: false failed_when: false + tags: + - 'tls_int' - when: slapd_cert_is_valid.rc != 0 block: @@ -85,6 +78,17 @@ - debug: var: request_result verbosity: 2 +- name: 'create slapd cert request' + shell: + cmd: > + openssl req + -new + -subj "{{ x509_subject_prefix }}/OU=Server/CN={{ server_fqdn }}" + -key /etc/ldap/slapd.key + -out /etc/ldap/slapd.csr + when: slapd_cert_is_valid.rc != 0 + tags: + - 'tls_int' - name: 'renewing cert - storing new cert file' copy: @@ -102,6 +106,8 @@ - { name: 'olcTLSCertificateFile', value: '/etc/ldap/slapd.crt' } - { name: 'olcTLSCertificateKeyFile', value: '/etc/ldap/slapd.key' } failed_when: false + tags: + - 'tls_int' - name: 'configuring TLS options' ldap_attr: 
@@ -114,11 +120,14 @@ - { name: 'olcTLSCertificateKeyFile', value: '/etc/ldap/slapd.key' } - { name: 'olcTLSCACertificateFile', value: '/etc/ldap/ssl_ca.crt' } - { name: 'olcTLSVerifyClient', value: 'try' } # TLS Client Auth + tags: + - 'tls_int' - name: 'configuring slapd service' lineinfile: line: 'SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"' regexp: '^SLAPD_SERVICES=' path: '/etc/default/slapd' - notify: - - 'restart slapd' + notify: 'restart slapd' + tags: + - 'tls_int' diff --git a/roles/ldap/tasks/main.yaml b/roles/ldap/tasks/main.yaml index d71df62..29ba503 100644 --- a/roles/ldap/tasks/main.yaml +++ b/roles/ldap/tasks/main.yaml @@ -1,16 +1,16 @@ --- - name: 'including configuration tasks' - include_tasks: '1_configure_server.yaml' + import_tasks: '1_configure_server.yaml' - name: 'including password renewal tasks' - include_tasks: '2_renew_rootpw.yaml' - when: renew_rootdn_pw + import_tasks: '2_renew_rootpw.yaml' + tags: service_password - name: 'including tree provisionig tasks' - include_tasks: '3_provision_tree.yaml' + import_tasks: '3_provision_tree.yaml' when: check_tree - name: 'including tls tasks' - include_tasks: '4_setup_tls.yaml' + import_tasks: '4_setup_tls.yaml' when: ldap_tls_enabled ... diff --git a/roles/lxc_guest/tasks/main.yaml b/roles/lxc_guest/tasks/main.yaml index fbf4da0..2f7ac2b 100644 --- a/roles/lxc_guest/tasks/main.yaml +++ b/roles/lxc_guest/tasks/main.yaml 
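Review bot: The `olcTLSCACertificateFile` attribute in 'configuring TLS options' still points at `/etc/ldap/ssl_ca.crt`, but the 'update tls ca' task in this commit now writes the CA to `/etc/ldap/root_ca.crt` and the verify step uses that path too; on a fresh host the old file never exists, so slapd is configured with a missing CA file and `olcTLSVerifyClient: try` cannot verify any client certificate. Change the entry to `{ name: 'olcTLSCACertificateFile', value: '/etc/ldap/root_ca.crt' }`. The attribute list in the previous hunk (old lines 102-106) is only partly visible, so check whether the same stale path appears there as well.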
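Review bot: Dropping `when: renew_rootdn_pw` from the password-renewal import leaves the `renew_rootdn_pw` default (still `true` in roles/ldap/defaults/main.yaml in this commit) and its README row with no effect, and the RootPW is now regenerated on every untagged run with no way to disable it short of `--skip-tags service_password`. Keep the guard next to the tag: `when: renew_rootdn_pw` together with `tags: service_password`. `tags: service_password` is also the only unquoted scalar in a file this commit otherwise quotes consistently; `tags: 'service_password'` matches the rest.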
@@ -3,31 +3,36 @@ stat: path: '/var/lib/lxc/{{ vm_name }}' register: container_dir + tags: + - 'lxc' - name: 'check if container exists' container_exists: name: '{{ vm_name }}' register: container_exists + tags: + - 'lxc' - name: 'check if release is supported' assert: that: distro in [ 'bullseye', 'sid', 'buster' ] msg: 'release {{ distro }} not supported by debian template' + tags: + - 'lxc' -- when: not (container_exists.exists and container_dir.stat.isdir) - block: +- block: - name: 'create the lxc container' lxc_container: - name: '{{ vm_name }}' - backing_store: 'lvm' - fs_size: '{{ vm_size }}' - vg_name: '{{ vg_name }}' - lv_name: 'vm_{{ vm_name }}' - fs_type: 'xfs' - container_log: true - template: 'debian' - template_options: '--release {{ distro }} --packages=ssh,python3' - state: 'stopped' + name: '{{ vm_name }}' + backing_store: 'lvm' + fs_size: '{{ vm_size }}' + vg_name: '{{ vg_name }}' + lv_name: 'vm_{{ vm_name }}' + fs_type: 'xfs' + container_log: true + template: 'debian' + template_options: '--release {{ distro }} --packages=ssh,python3,python3-apt' + state: 'stopped' # suppress messages related to file descriptors # leaking when lvm is invoked environment: @@ -43,6 +48,9 @@ name: '{{ vm_name }}' state: 'started' when: auto_start|bool + when: not (container_exists.exists and container_dir.stat.isdir) + tags: + - 'lxc' - name: 'update container config' template: @@ -56,6 +64,8 @@ name: '{{ vm_name }}' state: '{{ container_state }}' register: container_running_state + tags: + - 'lxc' - name: 'update container resolv.conf' template: @@ -79,3 +89,4 @@ monitoring_host: '{{ monitoring_host | default([]) }} + [ "{{ vm_name }}" ]' delegate_facts: true delegate_to: 'status' +... diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index 4d5150a..fc2aa4a 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml 
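Review bot: The `when: not (container_exists.exists and container_dir.stat.isdir)` guard moves from the block header to after the block's last task, and in this collapsed view its indentation cannot be checked; if it sits at the inner task's level it becomes a second `when` key on the `state: 'started'` task (YAML keeps the last one), silently discarding `when: auto_start|bool` and leaving the container-creation block unguarded. Confirm it is at the `- block:` level, or keep the original `- when: ... block:` ordering, which makes the guard visible where the block starts. This applies to the first and second hunks of this file. Adding `python3-apt` to `template_options` is a good catch for the apt module inside the guest.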
@@ -1,2 +1,3 @@ --- -server_fqdn: "{{ ansible_hostname }}.lilik.it" +server_fqdn: '{{ ansible_hostname }}.{{ domain }}' +... diff --git a/roles/nginx/handlers/main.yaml b/roles/nginx/handlers/main.yaml index 0ff6ab7..fe30c3e 100644 --- a/roles/nginx/handlers/main.yaml +++ b/roles/nginx/handlers/main.yaml @@ -1,4 +1,5 @@ --- -- name: validate nginx configuration - command: nginx -t -c /etc/nginx/nginx.conf - changed_when: False +- name: 'validate nginx configuration' + command: 'nginx -t -c /etc/nginx/nginx.conf' + changed_when: false +... diff --git a/roles/nginx/meta/main.yaml b/roles/nginx/meta/main.yaml index 0a38d44..e3a79ac 100644 --- a/roles/nginx/meta/main.yaml +++ b/roles/nginx/meta/main.yaml @@ -1,3 +1,3 @@ --- dependencies: - - role: certbot + - role: 'certbot' diff --git a/roles/nginx/tasks/main.yaml b/roles/nginx/tasks/main.yaml index e41e484..93e16b9 100644 --- a/roles/nginx/tasks/main.yaml +++ b/roles/nginx/tasks/main.yaml 
@@ -1,34 +1,35 @@ --- - include_role: - name: service + name: 'service' vars: - service_name: nginx + service_name: 'nginx' service_packages: - - nginx + - 'nginx' + tags: + - 'packages' -- name: disable nginx default configuration +- name: 'disable nginx default configuration' file: - path: /etc/nginx/sites-enabled/default - state: absent - notify: restart nginx + path: '/etc/nginx/sites-enabled/default' + state: 'absent' + notify: 'restart nginx' -- name: create nginx location configuration directory +- name: 'create nginx location configuration directory' file: path: '{{ item }}' - state: directory - mode: 0755 - owner: www-data - group: www-data - with_items: - - /etc/nginx/locations/ + state: 'directory' + mode: '0755' + owner: 'www-data' + group: 'www-data' + loop: + - '/etc/nginx/locations/' - '/etc/nginx/locations/{{ server_fqdn }}/' -- name: upload nginx configuration +- name: 'upload nginx configuration' template: - src: base.j2 - dest: "/etc/nginx/sites-available/{{ server_fqdn }}.conf" - notify: - - restart nginx + src: 'base.j2' + dest: '/etc/nginx/sites-available/{{ server_fqdn }}.conf' + notify: 'restart nginx' - name: create Diffie Hellman exchange parameters command: openssl dhparam -out /etc/nginx/dhparam.pem 2048 @@ -36,9 +37,10 @@ creates: /etc/nginx/dhparam.pem notify: restart nginx -- name: enable nginx configurations +- name: 'enable nginx configurations' file: - src: "/etc/nginx/sites-available/{{ server_fqdn }}.conf" - dest: "/etc/nginx/sites-enabled/{{ server_fqdn }}.conf" - state: link - notify: restart nginx + src: '/etc/nginx/sites-available/{{ server_fqdn }}.conf' + dest: '/etc/nginx/sites-enabled/{{ server_fqdn }}.conf' + state: 'link' + notify: 'restart nginx' +... diff --git a/roles/reverse_proxy/tasks/main.yaml b/roles/reverse_proxy/tasks/main.yaml index 814f084..59815c1 100644 --- a/roles/reverse_proxy/tasks/main.yaml +++ b/roles/reverse_proxy/tasks/main.yaml 
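Review bot: `tags: ['packages']` on the `include_role: name: 'service'` task applies only to the include itself — Ansible does not propagate tags from a dynamic include to the tasks inside the role — so `--tags packages` runs the include but skips the actual nginx installation. Use a static import as this commit already does in ldap.yaml and projects.yaml (`- import_role:` with `name: 'service'`), or keep `include_role` and add `apply: { tags: ['packages'] }` next to the tag. The unchanged 'create Diffie Hellman exchange parameters' task keeps its unquoted `command:`, `creates:` and `notify:` values while every neighbour is now quoted; harmless, but worth aligning in the same pass.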
@@ -1,77 +1,76 @@ --- -- name: add https configs to nginx +- name: 'add https configs to nginx' blockinfile: - dest: /etc/nginx/nginx.conf + dest: '/etc/nginx/nginx.conf' block: | - stream { + stream { + map $ssl_preread_server_name $name { + include /etc/nginx/map.conf.d/*.conf; + } + include /etc/nginx/upstream.conf.d/*.conf; - map $ssl_preread_server_name $name { - include /etc/nginx/map.conf.d/*.conf; - } - include /etc/nginx/upstream.conf.d/*.conf; - - log_format stream_routing '$remote_addr [$time_local] ' - 'with SNI name "$ssl_preread_server_name" ' - 'proxying to "$name" ' - '$protocol $status $bytes_sent $bytes_received ' - '$session_time'; - server { - listen {{ public_ip }}:443; - ssl_preread on; - proxy_pass $name; - access_log /var/log/nginx/stream_443.log stream_routing; - } - - } - delegate_to: reverse_proxy + log_format stream_routing '$remote_addr [$time_local] ' + 'with SNI name "$ssl_preread_server_name" ' + 'proxying to "$name" ' + '$protocol $status $bytes_sent $bytes_received ' + '$session_time'; + server { + listen {{ public_ip }}:443; + ssl_preread on; + proxy_pass $name; + # Pass original Client IP with PROXY PROTOCOL + access_log /var/log/nginx/stream_443.log stream_routing; + } + } + delegate_to: 'reverse_proxy' notify: reload nginx -- name: add http configs to nginx +- name: 'add http configs to nginx' lineinfile: - dest: /etc/nginx/nginx.conf + dest: '/etc/nginx/nginx.conf' insertafter: '^http {' line: 'include /etc/nginx/http.conf.d/*.conf;' - delegate_to: reverse_proxy - notify: reload nginx + delegate_to: 'reverse_proxy' + notify: 'reload nginx' -- name: Create the http.conf directory for nginx +- name: 'create the http.conf.d directory for nginx' file: - state: directory - dest: "/etc/nginx/http.conf.d" - delegate_to: reverse_proxy - notify: reload nginx + state: 'directory' + dest: '/etc/nginx/http.conf.d' + delegate_to: 'reverse_proxy' + notify: 'reload nginx' -- name: Upload http to reverse proxy +- name: 'upload http to reverse 
proxy' template: - src: http.j2 - dest: "/etc/nginx/http.conf.d/http_{{ hostname }}.conf" - delegate_to: reverse_proxy - notify: reload nginx + src: 'http.j2' + dest: '/etc/nginx/http.conf.d/http_{{ hostname }}.conf' + delegate_to: 'reverse_proxy' + notify: 'reload nginx' -- name: Create the map.conf directory for nginx +- name: 'create the map.conf directory for nginx' file: - state: directory - dest: "/etc/nginx/map.conf.d" - delegate_to: reverse_proxy - notify: reload nginx + state: 'directory' + dest: '/etc/nginx/map.conf.d' + delegate_to: 'reverse_proxy' + notify: 'reload nginx' -- name: Create the upstream.conf directory for nginx +- name: 'create the upstream.conf directory for nginx' file: - state: directory - dest: "/etc/nginx/upstream.conf.d" - delegate_to: reverse_proxy - notify: reload nginx + state: 'directory' + dest: '/etc/nginx/upstream.conf.d' + delegate_to: 'reverse_proxy' + notify: 'reload nginx' -- name: Upload mappings to reverse proxy +- name: 'upload mappings to reverse proxy' template: - src: map.j2 - dest: "/etc/nginx/map.conf.d/map_{{ hostname }}.conf" - delegate_to: reverse_proxy - notify: reload nginx + src: 'map.j2' + dest: '/etc/nginx/map.conf.d/map_{{ hostname }}.conf' + delegate_to: 'reverse_proxy' + notify: 'reload nginx' -- name: Upload upstream to reverse proxy +- name: 'upload upstream to reverse proxy' template: - src: upstream.j2 - dest: "/etc/nginx/upstream.conf.d/upstream_{{ hostname }}.conf" - delegate_to: reverse_proxy - notify: reload nginx + src: 'upstream.j2' + dest: '/etc/nginx/upstream.conf.d/upstream_{{ hostname }}.conf' + delegate_to: 'reverse_proxy' + notify: 'reload nginx' diff --git a/roles/ssh_server/tasks/main.yaml b/roles/ssh_server/tasks/main.yaml index 22653d8..afa5861 100644 --- a/roles/ssh_server/tasks/main.yaml +++ b/roles/ssh_server/tasks/main.yaml 
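Review bot: The comment `# Pass original Client IP with PROXY PROTOCOL` added inside the `server {}` block of the stream config describes something the block does not do — no `proxy_protocol on;` directive is set — so backends keep seeing the proxy's address while the file tells a reader otherwise. Either drop the comment or add the directive, and in the latter case every upstream must be configured to accept the PROXY protocol or the forwarded TLS handshakes fail. The first task also keeps `notify: reload nginx` unquoted while every other notify in the file is now quoted. Re-indenting the body of `block: |` changes the whitespace blockinfile writes into nginx.conf, which nginx ignores but which will report as changed on the next run.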
@@ -5,21 +5,29 @@ service_packages: - 'openssh-server' - 'openssh-sftp-server' + tags: + - packages - name: 'update user ca certs' template: src: 'user_ca.pub.j2' dest: '/etc/ssh/user_ca.pub' notify: 'restart ssh' + tags: + - ssh_certs - name: 'validate ssh cert if present' ssh_cert: register: ssh_verification ignore_errors: yes + tags: + - ssh_certs - debug: var: ssh_verification verbosity: 2 + tags: + - ssh_certs - block: - name: 'generate host cert request' @@ -77,6 +85,8 @@ register: set_pub_key notify: 'restart ssh' when: ssh_verification.failed + tags: + - ssh_certs - name: 'add certificate to sshd config' lineinfile: @@ -84,6 +94,8 @@ dest: '/etc/ssh/sshd_config' regexp: '^HostCertificate *' notify: 'restart ssh' + tags: + - ssh_certs - name: 'trust user ca key' lineinfile: @@ -91,6 +103,8 @@ dest: '/etc/ssh/sshd_config' regexp: '^TrustedUserCAKeys *' notify: 'restart ssh' + tags: + - ssh_certs - name: 'permit root login only with certificate' lineinfile:
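Review bot: The tag names added here (`- packages`, `- ssh_certs`) are the only unquoted tag values in this commit; every other file writes them as `- 'packages'`, so quote them here and in the later hunks of this file. The task that opens this hunk (the one carrying `service_packages`) starts outside the hunk, so whether it is an include or an import cannot be checked here; if it is `include_role`, the `packages` tag will not reach the role's tasks and `--tags packages` will skip the install.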