Initial ansible
This commit is contained in:
parent
af58add743
commit
96eccd5807
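--- /dev/null
+++ b/ansible/ansible.cfg
@@ -0,0 +1,13 @@
+[defaults]
+inventory = hosts
+remote_tmp = /tmp
+forks = 50
+nocols = 1
+remote_user = root
+vault_password_file = ~/.of2019-vault-pass
+roles_path = playbooks/roles
+host_key_checking = False
+
+[ssh_connection]
+pipelining = True
+ssh_args = -C -o ControlMaster=auto -o ControlPersist=600s -o PasswordAuthentication=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null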
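Review bot: `host_key_checking = False` together with `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null` in `ssh_args` switches off host authentication for every connection, so anything that can answer for `vin.openfest.org` on the path receives the root session and everything the plays push. The inventory is a single fixed host, so drop those three settings and pin its key in a known_hosts file kept with the repo, e.g. `ssh_args = -C -o ControlMaster=auto -o ControlPersist=600s -o UserKnownHostsFile=known_hosts`. `-o PasswordAuthentication=yes` is also unnecessary once the keys from `ssh_users` are deployed and the common role sets `PasswordAuthentication no` on the host; leaving it on means a broken key silently falls back to prompting for the root password. `remote_tmp = /tmp` moves module staging from the per-user default into a shared world-writable directory; unless there is a reason for it, remove the line.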
15
ansible/group_vars/all/default.yml
Normal file
15
ansible/group_vars/all/default.yml
Normal file
@ -0,0 +1,15 @@
|
||||
---
|
||||
# SSH keys to deploy (override them in host_vars if ever necessary)
|
||||
# The files refer to files in the common role
|
||||
ssh_users:
|
||||
- zeridon
|
||||
- maniax
|
||||
- arcopix
|
||||
|
||||
timezone: "Europe/Sofia"
|
||||
|
||||
ntp:
|
||||
server:
|
||||
- marla.ludost.net
|
||||
pool:
|
||||
- 0.bg.pool.ntp.org
|
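Review bot: The keys of the `ntp` mapping (`server`, `pool`) are emitted verbatim as ntp.conf directives by the common role's template, but nothing here says so, so a future `servers:` key would silently produce an invalid ntp.conf. Add a comment above `ntp:` such as `# keys become ntp.conf directives (server/pool/peer); values are the upstream hosts`. The `ssh_users` comment says the key files live in the common role, while the task in the same role appears to read them from `../../access/ssh-keys/<name>.key`, a directory not part of this commit; align the comment with the real location so a missing key file is easy to diagnose.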
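--- /dev/null
+++ b/ansible/hosts
@@ -0,0 +1,5 @@
+[router]
+vin.openfest.org
+
+[ansible-controller]
+vin.openfest.org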
6
ansible/playbooks/roles/common/handlers/main.yml
Normal file
6
ansible/playbooks/roles/common/handlers/main.yml
Normal file
@ -0,0 +1,6 @@
|
||||
---
|
||||
- name: reload ssh
|
||||
service: name=sshd state=reloaded
|
||||
|
||||
- name: restart ntp
|
||||
service: name=ntp state=restarted
|
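Review bot: `service: name=sshd state=reloaded` uses the key=value string form while the rest of the commit writes module arguments as block YAML; for consistency write `service:` / `  name: sshd` / `  state: reloaded` (and the same for `restart ntp`). On Debian hosts, which the sources.list template in this commit targets, the SSH unit is `ssh` and `sshd` only works as an alias once the unit is enabled, so confirm the name against the target before relying on this handler. A reload against a malformed sshd_config can leave the host without a usable sshd, so the tasks that edit sshd_config should validate with `sshd -t` before notifying `reload ssh`.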
96
ansible/playbooks/roles/common/tasks/main.yml
Normal file
96
ansible/playbooks/roles/common/tasks/main.yml
Normal file
@ -0,0 +1,96 @@
|
||||
- name: "get git version"
|
||||
shell: git log -1 '--date=format:%Y-%m-%d %H:%M' '--pretty=format:%cd %h'
|
||||
register: git_version
|
||||
delegate_to: localhost
|
||||
changed_when: False
|
||||
|
||||
- name: set timezone
|
||||
timezone: name={{ timezone }}
|
||||
|
||||
- name: "configure sources.list"
|
||||
template:
|
||||
src: sources.list.j2
|
||||
dest: /etc/apt/sources.list
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
register: apt_sources
|
||||
|
||||
- name: "run apt update if we have modified the sources"
|
||||
apt:
|
||||
update_cache: yes
|
||||
when: apt_sources.changed
|
||||
|
||||
- name: "run apt update if the cache is is stale"
|
||||
apt:
|
||||
update_cache: yes
|
||||
cache_valid_time: 86400
|
||||
|
||||
- name: "add ssh keys to root"
|
||||
authorized_key:
|
||||
user: root
|
||||
key: "{{ lookup('file', '../../access/ssh-keys/'+item+'.key') }}"
|
||||
with_items: "{{ ssh_users }}"
|
||||
|
||||
- name: "configure root user"
|
||||
user:
|
||||
name: root
|
||||
shell: /bin/bash
|
||||
password: ""
|
||||
|
||||
- name: "disable ssh password login for root"
|
||||
replace: dest=/etc/ssh/sshd_config regexp='^PermitRootLogin\ yes$' replace='PermitRootLogin without-password'
|
||||
notify: reload ssh
|
||||
|
||||
- name: "disable ssh password login for everyone"
|
||||
lineinfile: dest=/etc/ssh/sshd_config regexp="^PasswordAuthentication" line="PasswordAuthentication no" state=present
|
||||
notify: reload ssh
|
||||
|
||||
- name: "Install packages"
|
||||
apt:
|
||||
state: latest
|
||||
install_recommends: no
|
||||
package:
|
||||
- apt-transport-https
|
||||
- bash-completion
|
||||
- binutils
|
||||
- ca-certificates
|
||||
- curl
|
||||
- ethtool
|
||||
- file
|
||||
- git
|
||||
- htop
|
||||
- ifmetric
|
||||
- iftop
|
||||
- inotify-tools
|
||||
- iotop
|
||||
- less
|
||||
- libcap2-bin
|
||||
- lsof
|
||||
- ltrace
|
||||
- mediainfo
|
||||
- mtr-tiny
|
||||
- patch
|
||||
- screen
|
||||
- sipcalc
|
||||
- strace
|
||||
- sudo
|
||||
- tcpdump
|
||||
- vim
|
||||
- vnstat
|
||||
|
||||
- name: "Install ntp"
|
||||
apt:
|
||||
state: latest
|
||||
install_recommends: no
|
||||
package:
|
||||
- ntp
|
||||
|
||||
- name: "Configure ntp"
|
||||
template:
|
||||
src: ntp.conf.j2
|
||||
dest: /etc/ntp.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0640
|
||||
notify: restart ntp
|
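Review bot: `password: ""` in "configure root user" writes an empty hash into root's shadow entry, which on PAM stacks that allow null passwords (`nullok`) permits password-less root login on the console or serial line; lock the account explicitly with `password: '*'` (or `'!'`). The two sshd_config edits ("disable ssh password login for root" / "for everyone") should carry `validate: '/usr/sbin/sshd -t -f %s'` so a malformed result is rejected before `reload ssh` fires, and the first should be a `lineinfile` on `regexp: '^#?PermitRootLogin'` rather than a `replace` that only matches the exact line `PermitRootLogin yes` and otherwise leaves whatever the image shipped. `mode: 0644` and `mode: 0640` are read by the YAML parser as integers; Ansible interprets them correctly only because of the leading zero, so quote them (`mode: '0644'`, `mode: '0640'`) as the Ansible docs recommend. `state: latest` on both `apt` tasks upgrades the listed packages on every run; if that is intended, say so in a comment, otherwise use `present`.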
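--- /dev/null
+++ b/ansible/playbooks/roles/common/templates/ntp.conf.j2
@@ -0,0 +1,42 @@
+{{ ansible_managed | comment }}
+
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+
+{% for type, list in ntp.items() %}
+{% for upstream in list %}
+{{ type }} {{ upstream }} minpoll 4 maxpoll 10 iburst burst
+{% endfor %}
+{% endfor %}
+
+# hard backup
+pool 3.bg.pool.ntp.org minpoll 4 maxpoll 10 iburst burst
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery limited
+restrict -6 default kod notrap nomodify nopeer noquery limited
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
+# Needed for adding pool entries
+restrict source notrap nomodify noquery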
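Review bot: The loop at `{% for type, list in ntp.items() %}` gives every upstream, and the public `3.bg.pool.ntp.org` fallback, `burst` plus `minpoll 4`; `burst` sends a packet train at every poll and is generally treated as abusive by public pool operators, and a 16 s poll floor is far more than one host needs. Keep `iburst` for fast start-up but drop `burst` and the low `minpoll` at least on the pool lines, e.g. `pool 3.bg.pool.ntp.org iburst`. The `restrict` block is sound (default `kod nomodify noquery limited`, loopback exempt, `restrict source` for pool peers); a comment above the loop stating that only `server`/`pool`/`peer` keys are valid in the `ntp` variable would make the group_vars contract explicit.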
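--- /dev/null
+++ b/ansible/playbooks/roles/common/templates/sources.list.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+
+# packages
+deb http://debian.ludost.net/debian/ {{ansible_distribution_release}} main contrib non-free
+deb http://security.debian.org/debian-security {{ansible_distribution_release}}/updates main contrib non-free
+deb http://debian.ludost.net/debian/ {{ansible_distribution_release}}-updates main contrib non-free
+deb http://deb.debian.org/debian {{ansible_distribution_release}}-backports main contrib non-free
+
+# sources
+deb-src http://debian.ludost.net/debian/ {{ansible_distribution_release}} main contrib non-free
+deb-src http://security.debian.org/debian-security {{ansible_distribution_release}}/updates main contrib non-free
+deb-src http://debian.ludost.net/debian/ {{ansible_distribution_release}}-updates main contrib non-free
+deb-src http://deb.debian.org/debian {{ansible_distribution_release}}-backports main contrib non-free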
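Review bot: Every entry uses plain `http://` even though the task list installs `apt-transport-https`; apt still verifies the Release signature, so integrity holds, but the `deb.debian.org` and `security.debian.org` lines can use `https://` so that the package selection is not visible to observers on the path (check whether `debian.ludost.net` offers TLS before changing that mirror). The `{{ansible_distribution_release}}/updates` layout for the security suite is the pre-bullseye one; from bullseye on the suite is `{{ansible_distribution_release}}-security`, so this template will need a release check or a variable if newer hosts are managed. Write the interpolations as `{{ ansible_distribution_release }}` for readability.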
54
ansible/playbooks/site.yml
Normal file
54
ansible/playbooks/site.yml
Normal file
@ -0,0 +1,54 @@
|
||||
##
|
||||
## Lets prep
|
||||
##
|
||||
|
||||
- name: Preparation
|
||||
hosts: all
|
||||
gather_facts: False
|
||||
pre_tasks:
|
||||
- name: install ansible dependencies (python)
|
||||
raw: test -e /usr/bin/python || (apt-get -y update && apt-get install -y python-minimal python-pkg-resources) # install pkg-resources to avoid needlesly triggering the next test
|
||||
changed_when: False
|
||||
|
||||
- name: install ansible dependencies (python-pkg-resources)
|
||||
raw: test -e /usr/lib/python2.7/dist-packages/pkg_resources.py || (apt-get -y update && apt-get install -y python-pkg-resources)
|
||||
changed_when: false # raw has no change handler
|
||||
|
||||
##
|
||||
## Ansible stuff
|
||||
##
|
||||
|
||||
- name: Install ansible
|
||||
hosts: ansible-controller
|
||||
gather_facts: True
|
||||
tasks:
|
||||
- name: Add Ansible gpg key
|
||||
apt_key:
|
||||
keyserver: keyserver.ubuntu.com
|
||||
id: "93C4A3FD7BB9C367"
|
||||
register: ansible_gpg_key_result
|
||||
|
||||
- name: Add Ansible ppa
|
||||
apt_repository:
|
||||
repo: "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main"
|
||||
register: ansible_ppa_result
|
||||
|
||||
- name: Update apt cache if repo or key added.
|
||||
apt:
|
||||
update_cache: yes
|
||||
when: ansible_ppa_result.changed or ansible_gpg_key_result.changed
|
||||
|
||||
- name: Install ansible
|
||||
apt:
|
||||
name: ansible
|
||||
|
||||
##
|
||||
## roles roles roles
|
||||
##
|
||||
|
||||
- name: common roles
|
||||
hosts: all
|
||||
tags:
|
||||
- common
|
||||
roles:
|
||||
- common
|
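Review bot: `apt_key` fetches `93C4A3FD7BB9C367` from `keyserver.ubuntu.com` by 64-bit key id; a keyserver returns any key carrying that id and 64-bit ids can be forged, so pin the key by its full 40-hex fingerprint in `id` (the module accepts it) or fetch it from a pinned URL into a dedicated keyring referenced with `signed-by` on the repository line. The repo line `deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main` is an Ubuntu 14.04 PPA, while the common role writes a Debian sources.list to the same host (`vin.openfest.org` is in both groups), so confirm this mix is intended before it pulls packages built against Ubuntu libraries. `gather_facts: False` and `update_cache: yes` are YAML 1.1 booleans; write `false`/`true` as `changed_when: false` in the second raw task already does. The "Install ansible" play is idempotent only because of the `register`/`when` pair on the cache update; a comment on that task saying so would save the next reader from "simplifying" it.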