Initial ansible

ansible/ansible.cfg

@@ -0,0 +1,13 @@
+[defaults]
+inventory 		= hosts
+remote_tmp		= /tmp
+forks			= 50
+nocols			= 1
+remote_user		= root
+vault_password_file	= ~/.of2019-vault-pass
+roles_path		= playbooks/roles
+host_key_checking	= False
+
+[ssh_connection]
+pipelining		= True
+ssh_args		= -C -o ControlMaster=auto -o ControlPersist=600s -o PasswordAuthentication=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null

ansible/group_vars/all/default.yml

@@ -0,0 +1,15 @@
+---
+# SSH keys to deploy (override them in host_vars if ever necessary)
+# The files refer to files in the common role
+ssh_users:
+  - zeridon
+  - maniax
+  - arcopix
+
+timezone: "Europe/Sofia"
+
+ntp:
+  server:
+    - marla.ludost.net
+  pool:
+    - 0.bg.pool.ntp.org

ansible/hosts

@@ -0,0 +1,5 @@
+[router]
+vin.openfest.org
+
+[ansible-controller]
+vin.openfest.org

ansible/playbooks/roles/common/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: reload ssh
+  service: name=sshd state=reloaded
+
+- name: restart ntp
+  service: name=ntp state=restarted

ansible/playbooks/roles/common/tasks/main.yml

@@ -0,0 +1,96 @@
+- name: "get git version"
+  shell: git log -1 '--date=format:%Y-%m-%d %H:%M' '--pretty=format:%cd %h'
+  register: git_version
+  delegate_to: localhost
+  changed_when: False
+
+- name: set timezone
+  timezone: name={{ timezone }}
+
+- name: "configure sources.list"
+  template:
+    src: sources.list.j2
+    dest: /etc/apt/sources.list
+    owner: root
+    group: root
+    mode: 0644
+  register: apt_sources
+
+- name: "run apt update if we have modified the sources"
+  apt:
+    update_cache: yes
+  when: apt_sources.changed
+
+- name: "run apt update if the cache is is stale"
+  apt:
+    update_cache: yes
+    cache_valid_time: 86400
+
+- name: "add ssh keys to root"
+  authorized_key:
+    user: root
+    key: "{{ lookup('file', '../../access/ssh-keys/'+item+'.key') }}"
+  with_items: "{{ ssh_users }}"
+
+- name: "configure root user"
+  user:
+    name: root
+    shell: /bin/bash
+    password: ""
+
+- name: "disable ssh password login for root"
+  replace: dest=/etc/ssh/sshd_config regexp='^PermitRootLogin\ yes$' replace='PermitRootLogin without-password'
+  notify: reload ssh
+
+- name: "disable ssh password login for everyone"
+  lineinfile: dest=/etc/ssh/sshd_config regexp="^PasswordAuthentication" line="PasswordAuthentication no" state=present
+  notify: reload ssh
+
+- name: "Install packages"
+  apt:
+    state: latest
+    install_recommends: no
+    package:
+      - apt-transport-https
+      - bash-completion
+      - binutils
+      - ca-certificates
+      - curl
+      - ethtool
+      - file
+      - git
+      - htop
+      - ifmetric
+      - iftop
+      - inotify-tools
+      - iotop
+      - less
+      - libcap2-bin
+      - lsof
+      - ltrace
+      - mediainfo
+      - mtr-tiny
+      - patch
+      - screen
+      - sipcalc
+      - strace
+      - sudo
+      - tcpdump
+      - vim
+      - vnstat
+
+- name: "Install ntp"
+  apt:
+    state: latest
+    install_recommends: no
+    package:
+      - ntp
+
+- name: "Configure ntp"
+  template:
+    src: ntp.conf.j2
+    dest: /etc/ntp.conf
+    owner: root
+    group: root
+    mode: 0640
+  notify: restart ntp

ansible/playbooks/roles/common/templates/ntp.conf.j2

@@ -0,0 +1,42 @@
+{{ ansible_managed | comment }}
+
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+
+{% for type, list in ntp.items() %}
+{% for upstream in list %}
+{{ type }} {{ upstream }} minpoll 4 maxpoll 10 iburst burst
+{% endfor %}
+{% endfor %}
+
+# hard backup
+pool 3.bg.pool.ntp.org minpoll 4 maxpoll 10 iburst burst
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery limited
+restrict -6 default kod notrap nomodify nopeer noquery limited
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
+# Needed for adding pool entries
+restrict source notrap nomodify noquery

ansible/playbooks/roles/common/templates/sources.list.j2

@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+
+# packages
+deb http://debian.ludost.net/debian/ {{ansible_distribution_release}} main contrib non-free
+deb http://security.debian.org/debian-security {{ansible_distribution_release}}/updates main contrib non-free
+deb http://debian.ludost.net/debian/ {{ansible_distribution_release}}-updates main contrib non-free
+deb http://deb.debian.org/debian {{ansible_distribution_release}}-backports main contrib non-free
+
+# sources
+deb-src http://debian.ludost.net/debian/ {{ansible_distribution_release}} main contrib non-free
+deb-src http://security.debian.org/debian-security {{ansible_distribution_release}}/updates main contrib non-free
+deb-src http://debian.ludost.net/debian/ {{ansible_distribution_release}}-updates main contrib non-free
+deb-src http://deb.debian.org/debian {{ansible_distribution_release}}-backports main contrib non-free

ansible/playbooks/site.yml

@@ -0,0 +1,54 @@
+##
+## Lets prep
+##
+
+- name: Preparation
+  hosts: all
+  gather_facts: False
+  pre_tasks:
+    - name: install ansible dependencies (python)
+      raw: test -e /usr/bin/python || (apt-get -y update && apt-get install -y python-minimal python-pkg-resources) # install pkg-resources to avoid needlesly triggering the next test
+      changed_when: False
+
+    - name: install ansible dependencies (python-pkg-resources)
+      raw: test -e /usr/lib/python2.7/dist-packages/pkg_resources.py || (apt-get -y update && apt-get install -y python-pkg-resources)
+      changed_when: false # raw has no change handler
+
+##
+## Ansible stuff
+##
+
+- name: Install ansible
+  hosts: ansible-controller
+  gather_facts: True
+  tasks:
+    - name: Add Ansible gpg key
+      apt_key:
+        keyserver: keyserver.ubuntu.com
+        id: "93C4A3FD7BB9C367"
+      register: ansible_gpg_key_result
+
+    - name: Add Ansible ppa
+      apt_repository:
+        repo: "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main"
+      register: ansible_ppa_result
+
+    - name: Update apt cache if repo or key added.
+      apt:
+        update_cache: yes
+      when: ansible_ppa_result.changed or ansible_gpg_key_result.changed
+
+    - name: Install ansible
+      apt:
+        name: ansible
+
+##
+## roles roles roles
+##
+
+- name: common roles
+  hosts: all
+  tags:
+    - common
+  roles:
+    - common