Merge branch 'refactor' into 'master'

Refactor

See merge request aurore/ansible!30
This commit is contained in:
Alexandre IOOSS 2019-03-26 08:36:21 +01:00
commit 00ccc4c377
21 changed files with 130 additions and 83 deletions


@ -12,11 +12,20 @@
# Send email when there is something new
- name: Configure apt-listchanges
lineinfile:
dest: /etc/apt/listchanges.conf
regexp: "^{{ item.key }}="
line: "{{ item.value }}"
with_dict:
confirm: 'confirm=true'
email_address: "email_address={{ monitoring_mail }}"
which: 'which=both'
ini_file:
path: /etc/apt/listchanges.conf
no_extra_spaces: true
section: apt
option: "{{ item.option }}"
value: "{{ item.value }}"
state: present
loop:
- option: confirm
value: "true"
- option: email_address
value: "{{ monitoring_mail }}"
- option: which
value: both
...


@ -23,8 +23,8 @@
# Pimp my server
- name: Customize motd
copy:
src: 'update-motd.d/00-logo'
dest: '/etc/update-motd.d/00-logo'
src: update-motd.d/00-logo
dest: /etc/update-motd.d/00-logo
mode: 0755
# Configure APT mirrors on Debian Stretch
@ -33,8 +33,8 @@
- ansible_distribution == 'Debian'
- ansible_distribution_release == 'stretch'
template:
src: 'apt/sources.list.j2'
dest: '/etc/apt/sources.list'
src: apt/sources.list.j2
dest: /etc/apt/sources.list
mode: 0644
# Patriotisme
@ -50,8 +50,7 @@
question: locales/default_environment_locale
value: fr_FR.UTF-8
vtype: select
notify:
- Reconfigure locales
notify: Reconfigure locales
# Molly-Guard : prevent accidental shutdowns
- include_tasks: molly-guard.yml
@ -62,8 +61,8 @@
# User skeleton
- name: Configure user skeleton
copy:
src: skel/{{ item.key }}
dest: /etc/skel/{{ item.value }}
with_dict:
dot_zshrc: .zshrc
dot_zshrc.local: .zshrc.local
src: skel/dot_{{ item.key }}
dest: /etc/skel/.{{ item.value }}
loop:
- zshrc
- zshrc.local
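Review bot: The rewritten skeleton task loops over plain strings but still dereferences `item.key` and `item.value` in `src: skel/dot_{{ item.key }}` and `dest: /etc/skel/.{{ item.value }}`; with `loop: [zshrc, zshrc.local]` each item is a string, so the template lookup fails at runtime. Use the item directly: `src: skel/dot_{{ item }}` and `dest: /etc/skel/.{{ item }}`. Elsewhere in this section the context lines keep unquoted `mode: 0755` / `mode: 0644`, which Ansible accepts only because of the leading zero; quoting them as `"0755"` / `"0644"` is the safer, lint-clean form.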


@ -42,21 +42,45 @@
- name: Install fail2ban
apt:
name: fail2ban
state: present
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Configure fail2ban
template:
src: fail2ban/jail.d/local.conf.j2
dest: /etc/fail2ban/jail.d/local.conf
mode: 0644
ini_file:
path: /etc/fail2ban/jail.d/local.conf
section: "{{ item.section }}"
option: "{{ item.option }}"
value: "{{ item.value }}"
state: present
notify: Restart fail2ban service
loop:
- section: DEFAULT
option: ignoreip
value: 10.128.0.254 # Whitelist bastion
- section: sshd
option: enabled
value: "true"
- section: sshd
option: bantime
value: 600
- section: sshd
option: findtime
value: 600
- section: sshd
option: maxretry
value: 5
# See altered packages and configurations with `debsums -ca`
- name: Install debsums
apt:
name: debsums
state: present
register: apt_result
retries: 3
until: apt_result is succeeded
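Review bot: Switching from a template to ini_file edits whatever `/etc/fail2ban/jail.d/local.conf` already holds, so on hosts provisioned by the old template the `ignoreip` entry that used to live under `[sshd]` (now set under `[DEFAULT]`) and the old header comments are presumably left behind rather than cleaned up; a one-off `ini_file` item with `section: sshd`, `option: ignoreip`, `state: absent` would remove the stale key. The removed template also enforced `mode: 0644`, which the ini_file task no longer sets, so a freshly created file depends on the umask; adding `mode: "0644"` to the task restores that. The bastion address `10.128.0.254` is now hard-coded in the loop; moving it to a role variable keeps the whitelist reviewable in one place.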


@ -1,12 +0,0 @@
# {{ ansible_managed }}
# Ban a host for 10mn
# if it has failed 5 times during the last 10mn
[sshd]
enabled = true
bantime = 600
findtime = 600
maxretry = 5
# Whitelist bastion
ignoreip = 10.128.0.254


@ -2,8 +2,9 @@
# For HTTPS apt
- name: Install HTTPS apt
apt:
name: apt-transport-https
update_cache: true
name: apt-transport-https
state: present
register: apt_result
retries: 3
until: apt_result is succeeded
@ -12,19 +13,22 @@
apt_key:
url: https://dl.yarnpkg.com/debian/pubkey.gpg
id: 1646B01B86E50310
state: present
register: apt_key_result
retries: 3
until: apt_key_result is succeeded
- name: Configure Yarn repository
apt_repository:
repo: "deb https://dl.yarnpkg.com/debian/ stable main"
repo: deb https://dl.yarnpkg.com/debian/ stable main
state: present
# Install CodiMD dependencies
- name: Install required packages
apt:
name: yarn
update_cache: true
name: yarn
state: present
register: apt_result
retries: 3
until: apt_result is succeeded
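Review bot: The Yarn signing key is added to the global APT keyring, so it can vouch for any configured repository rather than only `deb https://dl.yarnpkg.com/debian/ stable main`; scoping it with `keyring: /etc/apt/trusted.gpg.d/yarn.gpg` on the `apt_key` task (path is an example) and `[signed-by=/etc/apt/trusted.gpg.d/yarn.gpg]` inside the repo line limits the blast radius if that key is ever compromised. The same applies to the riot repository section further down, which adds its key the same way.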


@ -47,8 +47,8 @@
# Service file
- name: Install CodiMD systemd unit
template:
src: 'systemd/codimd.service.j2'
dest: '/etc/systemd/system/codimd.service'
src: systemd/codimd.service.j2
dest: /etc/systemd/system/codimd.service
owner: root
group: root
mode: 0644


@ -22,8 +22,9 @@
# Install
- name: Install DokuWiki
apt:
name: dokuwiki
update_cache: true
name: dokuwiki
state: present
register: apt_result
retries: 3
until: apt_result is succeeded


@ -2,8 +2,9 @@
# Install EtherPad dependencies
- name: Install required packages
apt:
name: curl
update_cache: true
name: curl
state: present
register: apt_result
retries: 3
until: apt_result is succeeded


@ -1,6 +1,6 @@
---
- name: Reconfigure libnss-ldapd package
command: 'dpkg-reconfigure libnss-ldapd -f noninteractive'
command: dpkg-reconfigure libnss-ldapd -f noninteractive
- name: Restart nslcd service
service:


@ -2,11 +2,12 @@
# Install LDAP client packages
- name: Install LDAP client packages
apt:
update_cache: true
name:
- nslcd
- libnss-ldapd
- libpam-ldapd
update_cache: true
state: present
register: apt_result
retries: 3
until: apt_result is succeeded
@ -31,11 +32,11 @@
- name: Configure NSS to use LDAP
lineinfile:
dest: /etc/nsswitch.conf
regexp: "^{{ item.key }}:"
line: "{{ item.value }}"
with_dict:
passwd: 'passwd: files ldap'
group: 'group: files ldap'
shadow: 'shadow: files ldap'
sudoers: 'sudoers: files ldap'
regexp: "^{{ item }}:"
line: "{{ item }}: files ldap"
loop:
- passwd
- group
- shadow
- sudoers
notify: Restart nslcd service


@ -3,8 +3,9 @@
- name: Filter SSH on groups
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^AllowGroups'
line: "AllowGroups root sudoldap aurore ssh"
regexp: ^AllowGroups
line: AllowGroups root sudoldap aurore ssh
state: present
# To gain root access with ldap rights
- name: Install SUDO package
@ -19,13 +20,17 @@
- name: Configure sudoers sudo group
lineinfile:
dest: /etc/sudoers
regexp: "^%{{ sudo_group }}"
regexp: ^%{{ sudo_group }}
line: "%{{ sudo_group }} ALL=(ALL:ALL) ALL"
state: present
validate: /usr/sbin/visudo -cf %s
# Set sudo location group
- name: Configure sudoers sudo location group
lineinfile:
dest: /etc/sudoers
regexp: "^%{{ sudo_group_location }}"
regexp: ^%{{ sudo_group_location }}
line: "%{{ sudo_group_location }} ALL=(ALL:ALL) ALL"
state: present
validate: /usr/sbin/visudo -cf %s
when: sudo_group_location is defined
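Review bot: `regexp: ^%{{ sudo_group }}` is only a prefix match: if `sudo_group_location` begins with the same text as `sudo_group`, the first task's regexp also matches the location line in `/etc/sudoers` and lineinfile can rewrite it instead of the intended line. Anchoring on the following whitespace avoids that, `regexp: '^%{{ sudo_group }}\s'` and likewise `regexp: '^%{{ sudo_group_location }}\s'`. Earlier in this section, the `AllowGroups` lineinfile on `/etc/ssh/sshd_config` carries no `validate: /usr/sbin/sshd -t -f %s` and no handler to reload sshd, unlike the sudoers tasks, so a bad edit there is a lockout that is only noticed on the next sshd restart.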


@ -3,9 +3,9 @@
- name: Copy passwd and chsh scripts
template:
src: "{{ item }}.j2"
dest: "/usr/local/bin/{{ item }}"
dest: /usr/local/bin/{{ item }}
mode: 0755
with_items:
loop:
- chsh
- passwd


@ -28,22 +28,26 @@
# Cry a bit
- name: Remove old data
file: path={{ item }} state=absent
with_items:
file:
path: "{{ item }}"
state: absent
loop:
- /etc/ldap/slapd.d
- /var/lib/ldap
# Cry a lot
- name: Recreate structure
file: path={{ item }} state=directory
with_items:
file:
path: "{{ item }}"
state: directory
loop:
- /etc/ldap/slapd.d
- /var/lib/ldap
# Install schema as root
# We can't do a `become_user` here
- name: Install LDAP schema
command: 'slapadd -n 0 -l /etc/ldap/schema.ldiff -F /etc/ldap/slapd.d'
command: slapadd -n 0 -l /etc/ldap/schema.ldiff -F /etc/ldap/slapd.d
# then fix permissions
- name: Fix permissions
@ -52,10 +56,12 @@
owner: openldap
group: openldap
recurse: true
with_items:
- '/var/lib/ldap'
- '/etc/ldap/slapd.d'
loop:
- /var/lib/ldap
- /etc/ldap/slapd.d
# Save the day
- name: Start LDAP server
service: name=slapd state=started
service:
name: slapd
state: started


@ -44,8 +44,8 @@
# Service file
- name: Install matrix-appservice-discord systemd unit
template:
src: 'systemd/matrix-appservice-discord.service.j2'
dest: '/etc/systemd/system/matrix-appservice-discord.service'
src: systemd/matrix-appservice-discord.service.j2
dest: /etc/systemd/system/matrix-appservice-discord.service
owner: root
group: root
mode: 0644


@ -33,8 +33,8 @@
# Service file
- name: Install matrix-appservice-irc systemd unit
template:
src: 'systemd/matrix-appservice-irc.service.j2'
dest: '/etc/systemd/system/matrix-appservice-irc.service'
src: systemd/matrix-appservice-irc.service.j2
dest: /etc/systemd/system/matrix-appservice-irc.service
owner: root
group: root
mode: 0644


@ -33,8 +33,8 @@
# Service file
- name: Install matrix-appservice-webhooks systemd unit
template:
src: 'systemd/matrix-appservice-webhooks.service.j2'
dest: '/etc/systemd/system/matrix-appservice-webhooks.service'
src: systemd/matrix-appservice-webhooks.service.j2
dest: /etc/systemd/system/matrix-appservice-webhooks.service
owner: root
group: root
mode: 0644


@ -2,6 +2,7 @@
- name: Install mxisd
apt:
deb: "{{ mxisd_deb }}"
state: present
register: apt_result
retries: 3
until: apt_result is succeeded
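Review bot: `deb: "{{ mxisd_deb }}"` installs a package outside any signed repository, so nothing on this task checks the artifact's integrity before it is installed as root. If `mxisd_deb` resolves to a URL, fetching it first with `get_url` and a pinned `checksum: sha256:<expected digest>` (placeholder) and installing from the local path gives the retry loop added here something safe to retry; with a local path, a `stat` or checksum comparison beforehand serves the same purpose.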


@ -2,8 +2,9 @@
# Install HTTPS support for APT
- name: Install apt-transport-https
apt:
name: apt-transport-https
update_cache: true
name: apt-transport-https
state: present
register: apt_result
retries: 3
until: apt_result is succeeded
@ -11,21 +12,24 @@
# Add the repository into source list
- name: Configure riot repository
apt_repository:
repo: "deb https://riot.im/packages/debian/ {{ ansible_distribution_release }} main"
repo: deb https://riot.im/packages/debian/ {{ ansible_distribution_release }} main
state: present
# Add the key
- name: Configure the apt key
apt_key:
url: https://riot.im/packages/debian/repo-key.asc
id: E019645248E8F4A1
state: present
register: apt_key_result
retries: 3
until: apt_key_result is succeeded
- name: Install riot-web
apt:
name: riot-web
update_cache: true
name: riot-web
state: present
register: apt_result
retries: 3
until: apt_result is succeeded
@ -43,6 +47,7 @@
- name: Install nginx
apt:
name: nginx
state: present
register: apt_result
retries: 3
until: apt_result is succeeded


@ -1,8 +1,9 @@
---
- name: Install matrix-synapse
apt:
name: matrix-synapse
update_cache: true
name: matrix-synapse
state: present
default_release: stretch-backports
register: apt_result
retries: 3


@ -4,8 +4,9 @@
# but also reduces the surface of attack
- name: Install NGINX server
apt:
name: nginx-light
update_cache: true
name: nginx-light
state: present
register: apt_result
retries: 3
until: apt_result is succeeded
@ -13,8 +14,8 @@
# Install proxy snippets
- name: Configure NGINX proxy snippets
template:
src: "nginx/snippets/{{ item }}.j2"
dest: "/etc/nginx/snippets/{{ item }}"
src: nginx/snippets/{{ item }}.j2
dest: /etc/nginx/snippets/{{ item }}
mode: 0644
loop:
- proxy-common.conf
@ -25,7 +26,7 @@
- name: Configure NGINX sites
template:
src: nginx/nginx-sites-available.j2
dest: "/etc/nginx/sites-available/{{ item.name }}"
dest: /etc/nginx/sites-available/{{ item.name }}
mode: 0644
loop: "{{ reversed_proxy_subdomains }}"
notify: Reload NGINX service
@ -40,8 +41,8 @@
# Activate sites
- name: Activate sites
file:
src: "/etc/nginx/sites-available/{{ item.name }}"
dest: "/etc/nginx/sites-enabled/{{ item.name }}"
src: /etc/nginx/sites-available/{{ item.name }}
dest: /etc/nginx/sites-enabled/{{ item.name }}
state: link
loop: "{{ reversed_proxy_subdomains }}"
notify: Reload NGINX service


@ -10,11 +10,12 @@
- name: Install required packages
apt:
update_cache: true
name:
- nodejs
- npm
- build-essential # To build npm packages
update_cache: true
state: present
register: apt_result
retries: 3
until: apt_result is succeeded