diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
new file mode 100644
index 0000000..0670089
--- /dev/null
+++ b/ansible/ansible.cfg
@@ -0,0 +1,13 @@
+[defaults]
+inventory = hosts
+remote_tmp = /tmp
+forks = 50
+nocols = 1
+remote_user = root
+vault_password_file = ~/.of2019-vault-pass
+roles_path = playbooks/roles
+host_key_checking = False
+
+[ssh_connection]
+pipelining = True
+ssh_args = -C -o ControlMaster=auto -o ControlPersist=600s -o PasswordAuthentication=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
diff --git a/ansible/group_vars/all/default.yml b/ansible/group_vars/all/default.yml
new file mode 100644
index 0000000..e8c69f5
--- /dev/null
+++ b/ansible/group_vars/all/default.yml
@@ -0,0 +1,15 @@
+---
+# SSH keys to deploy (override them in host_vars if ever necessary)
+# The files refer to files in the common role
+ssh_users:
+ - zeridon
+ - maniax
+ - arcopix
+
+timezone: "Europe/Sofia"
+
+ntp:
+ server:
+ - marla.ludost.net
+ pool:
+ - 0.bg.pool.ntp.org
\ No newline at end of file
diff --git a/ansible/hosts b/ansible/hosts
new file mode 100644
index 0000000..5d7ff57
--- /dev/null
+++ b/ansible/hosts
@@ -0,0 +1,5 @@
+[router]
+vin.openfest.org
+
+[ansible-controller]
+vin.openfest.org
\ No newline at end of file
diff --git a/ansible/playbooks/roles/common/handlers/main.yml b/ansible/playbooks/roles/common/handlers/main.yml
new file mode 100644
index 0000000..a016060
--- /dev/null
+++ b/ansible/playbooks/roles/common/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: reload ssh
+ service: name=sshd state=reloaded
+
+- name: restart ntp
+ service: name=ntp state=restarted
\ No newline at end of file
diff --git a/ansible/playbooks/roles/common/tasks/main.yml b/ansible/playbooks/roles/common/tasks/main.yml
new file mode 100644
index 0000000..2816830
--- /dev/null
+++ b/ansible/playbooks/roles/common/tasks/main.yml
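Review bot: `host_key_checking = False` in `[defaults]` together with `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null` in `ssh_args` switches SSH host authentication off completely, so the controller has no way to notice that `vin.openfest.org` has been redirected or impersonated and every subsequent root session would go to the impostor. Drop all three settings (host_key_checking defaults to True) and keep a checked-in known_hosts file instead, pointing at it with `-o UserKnownHostsFile=<path-to-repo-known_hosts>` if the default file is not suitable. `remote_tmp = /tmp` moves Ansible's staging directory from the default per-user `~/.ansible/tmp` to a shared directory; unless there is a reason the default does not work on these hosts, leave it unset. `-o PasswordAuthentication=yes` appears to exist only for first contact before the common role deploys keys and then disables password login; a comment saying so, e.g. `# PasswordAuthentication=yes is for bootstrap only; roles/common deploys keys and turns it off on the host`, would stop a later reader from treating it as intended steady state.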
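Review bot: The second comment above `ssh_users` says the key files live "in the common role", but the task that consumes this list (`roles/common/tasks/main.yml`, "add ssh keys to root") looks each entry up as `'../../access/ssh-keys/'+item+'.key'`, so the comment points a reader at the wrong directory. Replace it with `# each name needs a matching ../../access/ssh-keys/<name>.key (read by roles/common/tasks/main.yml)` so the two files agree about where the public keys come from. The file also ends without a trailing newline.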
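Review bot: The group name `ansible-controller` contains a hyphen; recent Ansible releases warn that group names should be valid Python identifiers, and the group is then only reachable in templates as `groups['ansible-controller']` rather than `groups.ansible_controller`. Renaming it to `ansible_controller` here and in the `hosts:` line of `playbooks/site.yml` avoids the warning before more playbooks depend on the current spelling.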
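Review bot: Both handlers pass module arguments as `key=value` strings (`service: name=sshd state=reloaded`), while every other task in the role uses block YAML for module arguments; Ansible's style guidance prefers the block form and it keeps the file greppable. Write them as `service:` / `name: sshd` / `state: reloaded`, and likewise `name: ntp` / `state: restarted`. The handler is named `reload ssh` but reloads the `sshd` unit; on Debian the unit is `ssh.service` and `sshd.service` appears to work only through the alias created when the service is enabled, so a short comment `# Debian ships ssh.service; sshd is its alias` would record why the name differs.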
@@ -0,0 +1,96 @@
+- name: "get git version"
+ shell: git log -1 '--date=format:%Y-%m-%d %H:%M' '--pretty=format:%cd %h'
+ register: git_version
+ delegate_to: localhost
+ changed_when: False
+
+- name: set timezone
+ timezone: name={{ timezone }}
+
+- name: "configure sources.list"
+ template:
+ src: sources.list.j2
+ dest: /etc/apt/sources.list
+ owner: root
+ group: root
+ mode: 0644
+ register: apt_sources
+
+- name: "run apt update if we have modified the sources"
+ apt:
+ update_cache: yes
+ when: apt_sources.changed
+
+- name: "run apt update if the cache is is stale"
+ apt:
+ update_cache: yes
+ cache_valid_time: 86400
+
+- name: "add ssh keys to root"
+ authorized_key:
+ user: root
+ key: "{{ lookup('file', '../../access/ssh-keys/'+item+'.key') }}"
+ with_items: "{{ ssh_users }}"
+
+- name: "configure root user"
+ user:
+ name: root
+ shell: /bin/bash
+ password: ""
+
+- name: "disable ssh password login for root"
+ replace: dest=/etc/ssh/sshd_config regexp='^PermitRootLogin\ yes$' replace='PermitRootLogin without-password'
+ notify: reload ssh
+
+- name: "disable ssh password login for everyone"
+ lineinfile: dest=/etc/ssh/sshd_config regexp="^PasswordAuthentication" line="PasswordAuthentication no" state=present
+ notify: reload ssh
+
+- name: "Install packages"
+ apt:
+ state: latest
+ install_recommends: no
+ package:
+ - apt-transport-https
+ - bash-completion
+ - binutils
+ - ca-certificates
+ - curl
+ - ethtool
+ - file
+ - git
+ - htop
+ - ifmetric
+ - iftop
+ - inotify-tools
+ - iotop
+ - less
+ - libcap2-bin
+ - lsof
+ - ltrace
+ - mediainfo
+ - mtr-tiny
+ - patch
+ - screen
+ - sipcalc
+ - strace
+ - sudo
+ - tcpdump
+ - vim
+ - vnstat
+
+- name: "Install ntp"
+ apt:
+ state: latest
+ install_recommends: no
+ package:
+ - ntp
+
+- name: "Configure ntp"
+ template:
+ src: ntp.conf.j2
+ dest: /etc/ntp.conf
+ owner: root
+ group: root
+ mode: 0640
+ notify: restart ntp
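Review bot: `password: ""` in the "configure root user" task does not disable root's password — the `user` module appears to write the given value straight into the shadow password field, and an empty field means no password is required wherever PAM permits it, which is the opposite of what the surrounding SSH-hardening tasks intend. If the goal is an account that cannot authenticate with a password, use `password: '*'` (or `'!'`, or `password_lock: yes` on Ansible 2.6 and later). The `replace` in "disable ssh password login for root" only fires when an explicit `PermitRootLogin yes` line exists; on a stock Debian `sshd_config` the directive is commented out, so nothing is enforced — a `lineinfile` with `regexp: '^#?PermitRootLogin'` and `line: 'PermitRootLogin prohibit-password'` (the current spelling of `without-password`), plus `validate: '/usr/sbin/sshd -t -f %s'` on both sshd_config edits, would be robust against a typo locking everyone out. The octal `mode: 0644` and `mode: 0640` rely on the YAML parser turning the leading zero into the right integer; quoting them (`mode: "0644"`) makes the intent explicit, and `update_cache: yes` / `install_recommends: no` should be `true` / `false`.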
diff --git a/ansible/playbooks/roles/common/templates/ntp.conf.j2 b/ansible/playbooks/roles/common/templates/ntp.conf.j2
new file mode 100644
index 0000000..25aaa6e
--- /dev/null
+++ b/ansible/playbooks/roles/common/templates/ntp.conf.j2
@@ -0,0 +1,42 @@
+{{ ansible_managed | comment }}
+
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+
+{% for type, list in ntp.items() %}
+{% for upstream in list %}
+{{ type }} {{ upstream }} minpoll 4 maxpoll 10 iburst burst
+{% endfor %}
+{% endfor %}
+
+# hard backup
+pool 3.bg.pool.ntp.org minpoll 4 maxpoll 10 iburst burst
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details. The web page
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery limited
+restrict -6 default kod notrap nomodify nopeer noquery limited
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
+# Needed for adding pool entries
+restrict source notrap nomodify noquery
\ No newline at end of file
diff --git a/ansible/playbooks/roles/common/templates/sources.list.j2 b/ansible/playbooks/roles/common/templates/sources.list.j2
new file mode 100644
index 0000000..9a31723
--- /dev/null
+++ b/ansible/playbooks/roles/common/templates/sources.list.j2
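Review bot: Every upstream rendered by the `{% for %}` block, and the hard-coded `pool 3.bg.pool.ntp.org`, carries `minpoll 4 maxpoll 10 iburst burst`. `burst` sends a volley of packets at every poll rather than only at startup, and pool.ntp.org's usage guidelines treat it as abusive towards public pool servers, while `minpoll 4` (16 s) sits well below the default minimum of 6; both load servers the site does not operate. Keep `iburst` for fast initial synchronisation and let the defaults govern steady-state polling, e.g. `{{ type }} {{ upstream }} iburst`, or apply the aggressive options only to servers listed under `ntp.server`. The fallback pool duplicates what `group_vars/all/default.yml` already expresses under `ntp.pool`; moving it there keeps this template free of site-specific hosts.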
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+
+# packages
+deb http://debian.ludost.net/debian/ {{ansible_distribution_release}} main contrib non-free
+deb http://security.debian.org/debian-security {{ansible_distribution_release}}/updates main contrib non-free
+deb http://debian.ludost.net/debian/ {{ansible_distribution_release}}-updates main contrib non-free
+deb http://deb.debian.org/debian {{ansible_distribution_release}}-backports main contrib non-free
+
+# sources
+deb-src http://debian.ludost.net/debian/ {{ansible_distribution_release}} main contrib non-free
+deb-src http://security.debian.org/debian-security {{ansible_distribution_release}}/updates main contrib non-free
+deb-src http://debian.ludost.net/debian/ {{ansible_distribution_release}}-updates main contrib non-free
+deb-src http://deb.debian.org/debian {{ansible_distribution_release}}-backports main contrib non-free
diff --git a/ansible/playbooks/site.yml b/ansible/playbooks/site.yml
new file mode 100644
index 0000000..6733db0
--- /dev/null
+++ b/ansible/playbooks/site.yml
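Review bot: All eight repository lines use plain `http://`, even though the same commit installs `apt-transport-https` and both `deb.debian.org` and `security.debian.org` serve HTTPS; APT's signature checks protect package integrity, but TLS also keeps the package list from an on-path observer and removes the downgrade and metadata-tampering surface, so switch the official hosts to `https://` and `debian.ludost.net` too if that mirror supports it. The `{{ansible_distribution_release}}/updates` path is the security-suite layout used up to buster and changed in bullseye; a comment such as `# security suite is <release>/updates up to buster, <release>-security from bullseye on` would save the next release upgrade a surprise. Jinja expressions elsewhere in the role are written `{{ var }}`; the `{{ansible_distribution_release}}` spelling here should match.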
@@ -0,0 +1,54 @@
+##
+## Lets prep
+##
+
+- name: Preparation
+ hosts: all
+ gather_facts: False
+ pre_tasks:
+ - name: install ansible dependencies (python)
+ raw: test -e /usr/bin/python || (apt-get -y update && apt-get install -y python-minimal python-pkg-resources) # install pkg-resources to avoid needlesly triggering the next test
+ changed_when: False
+
+ - name: install ansible dependencies (python-pkg-resources)
+ raw: test -e /usr/lib/python2.7/dist-packages/pkg_resources.py || (apt-get -y update && apt-get install -y python-pkg-resources)
+ changed_when: false # raw has no change handler
+
+##
+## Ansible stuff
+##
+
+- name: Install ansible
+ hosts: ansible-controller
+ gather_facts: True
+ tasks:
+ - name: Add Ansible gpg key
+ apt_key:
+ keyserver: keyserver.ubuntu.com
+ id: "93C4A3FD7BB9C367"
+ register: ansible_gpg_key_result
+
+ - name: Add Ansible ppa
+ apt_repository:
+ repo: "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main"
+ register: ansible_ppa_result
+
+ - name: Update apt cache if repo or key added.
+ apt:
+ update_cache: yes
+ when: ansible_ppa_result.changed or ansible_gpg_key_result.changed
+
+ - name: Install ansible
+ apt:
+ name: ansible
+
+##
+## roles roles roles
+##
+
+- name: common roles
+ hosts: all
+ tags:
+ - common
+ roles:
+ - common
\ No newline at end of file
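Review bot: The `apt_key` task in the "Install ansible" play fetches the signing key from `keyserver.ubuntu.com` over HKP and pins it only by the 16-hex long id `93C4A3FD7BB9C367`; the transport is unauthenticated, so the id is the only thing standing between the host and a substituted key, and the module accepts the full 40-hex fingerprint in `id:`, which should be used instead (an `hkps://` keyserver URL would also remove the plaintext fetch). The repo line hard-codes the Ubuntu `trusty` PPA on hosts the common role otherwise provisions as Debian through `ansible_distribution_release`; if that is deliberate (upstream's Debian instructions at the time pointed at this PPA), record it with `# Ansible upstream publishes Debian-compatible packages only through the Ubuntu PPA; trusty is the suite they point Debian at`. The two bootstrap tasks spell the same value as `changed_when: False` and `changed_when: false`, and `update_cache: yes` should be `true`, so the file uses one boolean style throughout.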