Start writing the Ansible playbook

If we want to automate everything :-) #8

automation/ansible/.ansible-lint

@@ -0,0 +1 @@
+profile: production

automation/ansible/.gitignore

@@ -0,0 +1 @@
+*.secret.yml

automation/ansible/README.md

@@ -0,0 +1,32 @@
+# OpenFest Infra -- Ansible Playbooks
+
+## General Variables
+
+### Global/Group
+
+| Name            | Description                                     |
+|-----------------|-------------------------------------------------|
+| global_ssh_keys | Keys of people authorized to access _all_ hosts |
+
+### Host
+
+| Name               | Description                                                   |
+|--------------------|---------------------------------------------------------------|
+| ssh_keys['root']   | Users authorized to run commands as root                      |
+| ssh_keys[username] | Authorized keys for a specific user                           |
+| ssh_keys['*']      | Authorized keys for all non-root users provisioned by ansible |
+
+## Secret and not-so-secret Variables (grouped by service)
+
+### Keycloak
+
+| Name                      | Description                                                          |
+|---------------------------|----------------------------------------------------------------------|
+| keycloak_hostname         | Passed as the [Public URL](https://www.keycloak.org/server/hostname) |
+| keycloak_db_password      | PostgreSQL DB Password                                               |
+| keycloak_db_ansible_host  | PostgreSQL DB Host (in inventory), for provisioning the database     |
+| keycloak_podman_user_name | Owner of the keycloak container                                      |
+| keycloak_podman_user_home | `{{ keycloak_podman_user_name }}`'s home directory                   |
+| keycloak_data_dir         | Used for the volumes / bind mounts                                   |
+| keycloak_listen_address   | Where to bind on the host (for using a reverse proxy)                |
+

automation/ansible/group_vars/all/packages.yml

@@ -0,0 +1,8 @@
+---
+
+global_packages:
+  Debian:
+    - vim
+    - mtr-tiny
+    - traceroute
+    - tcpdump

automation/ansible/group_vars/all/ssh_users.yml.example

@@ -0,0 +1,2 @@
+global_root_ssh_key_urls:
+  - https://pesho.ludost.net/files/openfest_keys

automation/ansible/host_vars/server1/common.yml.example

@@ -0,0 +1,2 @@
+---
+hostname: server1.openfest.org

automation/ansible/host_vars/server1/firewall.yml.example

@@ -0,0 +1 @@
+firewall:

automation/ansible/hosts.ini

@@ -0,0 +1,4 @@
+server1 	ansible_host=192.168.122.87 	ansible_user=root
+
+[routers]
+server1

automation/ansible/lint.sh

@@ -0,0 +1 @@
+ansible-lint roles/*/tasks/main.yml

automation/ansible/main.yml

@@ -0,0 +1,12 @@
+---
+
+- name: Run common tasks
+  hosts: all
+  roles:
+    - common
+
+- name: Router
+  hosts: routers
+  roles:
+    - firewall
+    - router

automation/ansible/roles/common/tasks/main.yml

@@ -0,0 +1,14 @@
+---
+
+- name: Add ssh keys for root
+  ansible.builtin.include_tasks: root_sshkeys.yml
+
+- name: Set hostname
+  ansible.builtin.hostname:
+    name: "{{ hostname }}"
+  when: hostname is defined
+
+- name: Install sudo as it's needed for 'become'
+  ansible.builtin.package:
+    name: sudo
+    state: present

automation/ansible/roles/common/tasks/packages.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Install standard packages
+  ansible.builtin.package:
+    name: "{{ item }}"
+    state: present
+  with_items: "{{
+    (global_packages[ansible_os_family] | default([])) +
+    (local_packages | default([]))
+  }}"

automation/ansible/roles/common/tasks/root_sshkeys.yml

@@ -0,0 +1,11 @@
+---
+
+- name: Add public keys for root
+  ansible.posix.authorized_key:
+    user: root
+    key: "{{ lookup('ansible.builtin.url', item) }}"
+    state: present  # Note: we don't remove other/existing keys
+  with_items: "{{
+    (global_root_ssh_key_urls | default([])) +
+    (root_ssh_keys | default([]))
+  }}"

automation/ansible/roles/firewall/files/nftables.service

@@ -0,0 +1,20 @@
+[Unit]
+Description=nftables
+Documentation=man:nft(8) http://wiki.nftables.org
+Wants=network-pre.target
+Before=network-pre.target shutdown.target
+Conflicts=shutdown.target
+DefaultDependencies=no
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+StandardInput=null
+ProtectSystem=full
+ProtectHome=true
+ExecStart=/usr/sbin/nft -f /etc/nftables.conf
+ExecReload=/usr/sbin/nft -f /etc/nftables.conf
+ExecStop=/usr/sbin/nft flush ruleset
+
+[Install]
+WantedBy=sysinit.target

automation/ansible/roles/firewall/handlers/firewall.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Restart nftables
+  ansible.builtin.service:
+    name: nftables.service
+    state: restarted

automation/ansible/roles/firewall/tasks/main.yml

@@ -0,0 +1,47 @@
+---
+
+- name: Install nftables
+  ansible.builtin.package:
+    name: nftables
+    state: present
+
+- name: Get available services
+  ansible.builtin.service_facts:
+
+- name: Create service file if it doesn't exist already
+  ansible.builtin.copy:
+    src: nftables.service
+    dest: /etc/systemd/system/nftables.service
+    state: present
+    mode: "644"
+  when: ansible_facts.services['nftables.service'] is not defined
+
+- name: Add config file
+  ansible.builtin.template:
+    src: nftables.conf.j2
+    dest: "{{ nftables_main_file[ansible_os_family] |
+       default('/etc/nftables.conf') }}"
+    mode: "644"
+  vars:
+    nftables_main_file:
+      Debian: /etc/nftables.conf
+      RedHat: /etc/nftables/main.nft
+
+- name: Create subdirs
+  ansible.builtin.file:
+    name: "{{ item }}"
+    state: directory
+    mode: "755"
+  with_items:
+    - /etc/nftables/input.d
+    - /etc/nftables/forward.d
+    - /etc/nftables/output.d
+    - /etc/nftables/filter.d
+    - /etc/nftables/global.d
+
+- name: Enable and start nftables
+  ansible.builtin.systemd_service:
+    name: nftables.service
+    enabled: true
+    state: started
+    daemon_reload: true

automation/ansible/roles/firewall/templates/nftables.conf.j2

@@ -0,0 +1,38 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+include "/etc/nftables/global.d/*.nft";
+
+table inet filter {
+	include "/etc/nftables/filter.d/*.nft";
+
+	chain input {
+		type filter hook input priority filter; policy {{ firewall.input_policy | default('drop') }};
+
+		iif lo accept
+
+		# Anti-klonootryazvane
+		tcp dport ssh accept
+		ct state established,related accept
+
+		# Don't block ICMP
+		ip protocol icmp accept
+		ip6 nexthdr icmpv6 accept
+
+		include "/etc/nftables/input.d/*.nft";
+
+		# Should we reject or drop?
+		ip protocol tcp reject with tcp reset
+		ip6 nexthdr tcp reject with tcp reset
+		reject
+	}
+
+	chain forward {
+		type filter hook forward priority filter; policy {{ firewall.forward_policy | default('drop') }};
+	}
+
+	chain output {
+		type filter hook output priority filter; policy {{ firewall.output_policy | default('accept') }};
+	}
+}

automation/ansible/roles/router/tasks/main.yml

@@ -0,0 +1,3 @@
+---
+- name: Configure sysctl
+  ansible.builtin.include_tasks: sysctl.yml

automation/ansible/roles/router/tasks/sysctl.yml

@@ -0,0 +1,22 @@
+---
+
+- name: Create sysctl.d
+  ansible.builtin.file:
+    name: /etc/sysctl.d
+    state: directory
+    mode: "755"
+- name: Enable IPv4 routing
+  ansible.posix.sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    sysctl_file: /etc/sysctl.d/router.conf
+    state: present
+    reload: true
+
+- name: Enable IPv6 routing
+  ansible.posix.sysctl:
+    name: net.ipv6.conf.all.forwarding
+    value: '1'
+    sysctl_file: /etc/sysctl.d/router.conf
+    state: present
+    reload: true

automation/ansible/run.sh

@@ -0,0 +1 @@
+ansible-playbook -i hosts.ini main.yml