From 2b8f69fc412acc97a003dd02b97dded8fea0d281 Mon Sep 17 00:00:00 2001 From: HgO Date: Sat, 28 Nov 2020 20:47:30 +0100 Subject: [PATCH] refactor common role --- .vault.secret | Bin 0 -> 53 bytes ansible.cfg | 1 + inventories/group_vars/all.yml | 45 --------- inventories/group_vars/all/main.yml | 31 ++++++ inventories/group_vars/all/vault.yml | 11 ++ .../mastodon.pirateparty.be/main.yml | 20 ++++ .../mastodon.pirateparty.be/vault.yml | 18 ++++ .../host_vars/pirateparty.be/vault.yml | 14 +++ .../host_vars/status.pirateparty.be.yml | 8 -- .../host_vars/status.pirateparty.be/vault.yml | 18 ++++ .../host_vars/talk.parley.be/vault.yml | 14 +++ .../host_vars/wiki.pirateparty.be/main.yml | 18 ++++ .../host_vars/wiki.pirateparty.be/vault.yml | 14 +++ inventories/hosts.ini | 5 +- playbooks/files/ssh/hgo/terry.pub | 1 + playbooks/files/ssh/tierce/q.pub | 1 + roles/common/.yamllint | 33 ++++++ roles/common/defaults/main.yml | 91 ++++++++++++++++- roles/common/defaults/vault.yml | 9 ++ roles/common/files/sftp/push_public_key.sh | 33 ++++++ roles/common/handlers/main.yml | 22 +++- roles/common/molecule/default/INSTALL.rst | 23 +++++ roles/common/molecule/default/converge.yml | 7 ++ .../default/files/ssh/ppbe/id_ed25519 | 7 ++ .../default/files/ssh/ppbe/id_ed25519.pub | 1 + roles/common/molecule/default/molecule.yml | 31 ++++++ roles/common/tasks/backup.yml | 40 ++++++++ roles/common/tasks/backup_borg.yml | 61 +++++++++++ roles/common/tasks/backup_storage_box.yml | 95 ++++++++++++++++++ roles/common/tasks/main.yml | 6 +- roles/common/tasks/msmtp.yml | 18 ---- roles/common/tasks/nginx.yml | 4 +- roles/common/tasks/node_exporter.yml | 5 +- roles/common/tasks/openssh.yml | 3 +- roles/common/tasks/postfix.yml | 49 +++++++++ roles/common/tasks/user.yml | 16 +-- roles/common/templates/msmtp/aliases.j2 | 1 - roles/common/templates/msmtp/msmtprc.j2 | 19 ---- .../templates/opensmtpd/smtpd-secret.j2 | 3 + .../common/templates/opensmtpd/smtpd.conf.j2 | 11 ++ roles/common/templates/postfix/aliases.j2 | 2 + roles/common/templates/postfix/main.cf.j2 | 40 ++++++++ .../common/templates/postfix/sasl_secrets.j2 | 3 + roles/common/templates/postfix/senders.j2 | 3 + roles/common/vars/main.yml | 11 +- 45 files changed, 756 insertions(+), 110 deletions(-) create mode 100644 .vault.secret delete mode 100644 inventories/group_vars/all.yml create mode 100644 inventories/group_vars/all/main.yml create mode 100644 inventories/group_vars/all/vault.yml create mode 100644 inventories/host_vars/mastodon.pirateparty.be/main.yml create mode 100644 inventories/host_vars/mastodon.pirateparty.be/vault.yml create mode 100644 inventories/host_vars/pirateparty.be/vault.yml delete mode 100644 inventories/host_vars/status.pirateparty.be.yml create mode 100644 inventories/host_vars/status.pirateparty.be/vault.yml create mode 100644 inventories/host_vars/talk.parley.be/vault.yml create mode 100644 inventories/host_vars/wiki.pirateparty.be/main.yml create mode 100644 inventories/host_vars/wiki.pirateparty.be/vault.yml create mode 100644 playbooks/files/ssh/hgo/terry.pub create mode 100644 playbooks/files/ssh/tierce/q.pub create mode 100644 roles/common/.yamllint create mode 100644 roles/common/defaults/vault.yml create mode 100644 roles/common/files/sftp/push_public_key.sh create mode 100644 roles/common/molecule/default/INSTALL.rst create mode 100644 roles/common/molecule/default/converge.yml create mode 100644 roles/common/molecule/default/files/ssh/ppbe/id_ed25519 create mode 100644 roles/common/molecule/default/files/ssh/ppbe/id_ed25519.pub create mode 100644 roles/common/molecule/default/molecule.yml create mode 100644 roles/common/tasks/backup.yml create mode 100644 roles/common/tasks/backup_borg.yml create mode 100644 roles/common/tasks/backup_storage_box.yml delete mode 100644 roles/common/tasks/msmtp.yml create mode 100644 roles/common/tasks/postfix.yml delete mode 100644 roles/common/templates/msmtp/aliases.j2 delete mode 100644 roles/common/templates/msmtp/msmtprc.j2 create mode 100644 roles/common/templates/opensmtpd/smtpd-secret.j2 create mode 100644 roles/common/templates/opensmtpd/smtpd.conf.j2 create mode 100644 roles/common/templates/postfix/aliases.j2 create mode 100644 roles/common/templates/postfix/main.cf.j2 create mode 100644 roles/common/templates/postfix/sasl_secrets.j2 create mode 100644 roles/common/templates/postfix/senders.j2 diff --git a/.vault.secret b/.vault.secret new file mode 100644 index 0000000000000000000000000000000000000000..24a263fc4411cea3b6a543a0c9393137a4e22f34 GIT binary patch literal 53 zcmV-50LuRWM@dveQdv+`0I>PDGHXpVQ(y$F3wYbMr~er32a2nV>?zl%DFT9A/ +users: +- name: hgo +- name: tierce +- name: backup + groups: [] + +acme_email: it@pirateparty.be \ No newline at end of file diff --git a/inventories/group_vars/all/vault.yml b/inventories/group_vars/all/vault.yml new file mode 100644 index 0000000..defee24 --- /dev/null +++ b/inventories/group_vars/all/vault.yml @@ -0,0 +1,11 @@ +$ANSIBLE_VAULT;1.2;AES256;62a40f49-7deb-45e3-8c17-639277033357 +65393535396562366132383030663065656633343839326661386330626365343036326165616263 +3130623331623634386333373134333864616662323633650a373033613761333332393937643339 +31313763366437343933656366633762666234363133353265336164623063333239393865336363 +3437303962393962620a343364653936396562306635323163326433306237623264393734383562 +37636466666363363736373934306137343738383062623831623533336439633061363965633138 +39383966626565666265303137663335663061373563306363323030323239326133333661653230 +36646131303238346563373763353765613664623936343564633534626263346161653161666631 +62343561373233653336623063323561393438316566643365623337623637653966663131336235 +34353361626266616331333435313732313339623735643730633933633439333962653862316134 +3163306462313137633166366461333462303034316631373165 diff --git a/inventories/host_vars/mastodon.pirateparty.be/main.yml b/inventories/host_vars/mastodon.pirateparty.be/main.yml new file mode 100644 index 0000000..c56fc8c --- /dev/null +++ b/inventories/host_vars/mastodon.pirateparty.be/main.yml @@ -0,0 +1,20 @@ +mastodon_home: /home/mastodon + +borgmatic_config: + location: + source_directories: + - "{{ mastodon_home }}" + - /etc + repositories: + - "{{ borg_repository }}" + exclude_patterns: + - "{{ mastodon_home }}/elasticsearch" + - "{{ mastodon_home }}/redis" + storage: + encryption_passphrase: "{{ borg_passphrase }}" + compression: zlib,7 + retention: + keep_hourly: 24 + keep_daily: 7 + keep_weekly: 4 + keep_monthly: 6 \ No newline at end of file diff --git a/inventories/host_vars/mastodon.pirateparty.be/vault.yml b/inventories/host_vars/mastodon.pirateparty.be/vault.yml new file mode 100644 index 0000000..bc08121 --- /dev/null +++ b/inventories/host_vars/mastodon.pirateparty.be/vault.yml @@ -0,0 +1,18 @@ +$ANSIBLE_VAULT;1.2;AES256;62a40f49-7deb-45e3-8c17-639277033357 +63373233646532393433373238336163666262343364316631326561366630636136313631393038 +6563313039663237326263383539383736323936343137390a376435313339376630666632633337 +64613334626262616464663234313361353731623836316430643266303335386332623137353066 +6631636265633336360a366563656463343964316630333762646163653334336663643230353336 +66646566363537316631316633306334646630343164303630383638613033653037386564373566 +62646435393038396331343337353132396234366163333763326638373933363437643430376334 +31303735626564346438383535336465656166633137303439316235323938303236396637336461 +63343435623239396433623632653838386666653335346434333865346438643266616366623932 +34373065386263633737363863303138636539613536646166643066636166343935313333636564 +66613663623565633534656635356431623538306438353963303833373263303735313062343062 +36316132636564643564383634333562663136353663336661353433396132353832323063396130 +39633535643134663532656266613939353137643765396235633465656436613432303266313765 +61333165383030653733333533366232343535396634626237386266613037613838653034326162 +64366265313132656536333163616436396232623036386435353565396665343836323838656436 +30326363656639366239386637653234303635353630633461393039353462333338303563316132 +33353636343865666132343730336438363261383131343662316538633635653434623561633364 +6664 diff --git a/inventories/host_vars/pirateparty.be/vault.yml b/inventories/host_vars/pirateparty.be/vault.yml new file mode 100644 index 0000000..fd8b8f6 --- /dev/null +++ b/inventories/host_vars/pirateparty.be/vault.yml @@ -0,0 +1,14 @@ +$ANSIBLE_VAULT;1.2;AES256;62a40f49-7deb-45e3-8c17-639277033357 +65623932623736623961633664613731383837313338336165366333343763646235316163653836 +6130643962393231643262353065653130326566613363630a346138396532663733383133666635 +30373362393636363833333530333762666164306436393263336164366637313132356464333931 +3861643330306337300a643330613364663861623564356535343035393966383161383739626234 +65313335316636646664396433393736386133343765643038663334666462333366353639363061 +65303230303132366366343734336462653764613836396531613235393837326532626330636134 +63643935323163356462343730633939303537656539336461666139323066366136343262326534 +62316332313137626463643964646630663631313464663365313066623934393665306665303031 +39613166626639663639623365343364396161656662333134303432656338393333323232366232 +63633937343165633638326234386231336637326237336636343830363661376236353939366634 +35653962393865616262366433663562333430643465613861643631323035626636343065336636 +62613464613462346436353636323035316665313866616535363833393033623339343136653063 +3363 diff --git a/inventories/host_vars/status.pirateparty.be.yml b/inventories/host_vars/status.pirateparty.be.yml deleted file mode 100644 index aef36db..0000000 --- a/inventories/host_vars/status.pirateparty.be.yml +++ /dev/null @@ -1,8 +0,0 @@ -storage_box_username: u212275-sub5 -storage_box_password: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 36313662333062323531613966386365373339663566303133653562663838316632613830613264 - 6564333736343830623061313534313630313534316231390a666662633861383563333562356561 - 64616534313266323833383331313334333761323965383634666635663430366461353437616465 - 6337363536643738310a656530663837386537336434633037376463336165613239323265366234 - 64663863333763356430616635323061396663373264343666323831646664646430 diff --git a/inventories/host_vars/status.pirateparty.be/vault.yml b/inventories/host_vars/status.pirateparty.be/vault.yml new file mode 100644 index 0000000..01ff89c --- /dev/null +++ b/inventories/host_vars/status.pirateparty.be/vault.yml @@ -0,0 +1,18 @@ +$ANSIBLE_VAULT;1.2;AES256;62a40f49-7deb-45e3-8c17-639277033357 +64623562393233633764386333323337393862313165626238356166376661353837666332393437 +6637336439346134383738656537643263306161363931630a303734333431343634646438663466 +36303062376431643537313537343865653136336137363639373635333132323665353735386237 +6231666464343734340a643163623832303130333864316534663664313835633964386531646666 +64333431366464626633373630353631383233633233613066386137636631646663646535633037 +65336635383432616466366338613838656336396462636261623131333033653832623331353036 +30653163333566366439366362613933663262643361386332356366363731336163653335396636 +36616563353965376537326563363332653336653030303762656530346135383336363337383666 +32653563306235383135623733363666313539633032643566653935373762363935306230386566 +33656231613634373832316661366630616434343266333562373563383838313236643931363234 +37383733353235616261326333386534303362623737353566383536353439353133633735356336 +61633934323233393738363635656662396464383033623237623166663733666336313533373937 +66303433316461323338333034656238373035356162613662666132636530613966366465363036 +65323132653831373531346362366236636665323534663036303366376463613065313861383936 +65666463656631636361346130366462326166316533323839303563646133376661313631393333 +30303663323436376461323331643939376235313232353164653764306530663265326134333739 +3238 diff --git a/inventories/host_vars/talk.parley.be/vault.yml b/inventories/host_vars/talk.parley.be/vault.yml new file mode 100644 index 0000000..5488f55 --- /dev/null +++ b/inventories/host_vars/talk.parley.be/vault.yml @@ -0,0 +1,14 @@ +$ANSIBLE_VAULT;1.2;AES256;62a40f49-7deb-45e3-8c17-639277033357 +39656566313337306263346133666139643435626566363036303031636336303866346437326662 +3431363531363065386666363464653937386162646330610a353161633236643238663032333134 +64303731653235323830626638323739626133313634316263343534373337393963643334363861 +6433346664336666330a666234373434646635646633323837616561323033363464353931363338 +38386238326135653039396161666639383131323430623466626165353634313730623662646139 +62653937323363653864313630633165323361663438383631303064383164613232656636333562 +65353131633931346161303830393630663264646636633837613031323132666132376139376265 +39373362633765633266373261333137396436343832653061323365393336303938613438643830 +63396338613463623839396433366538383033316165636564363838313737613761613961343535 +33643835366461363439613364303534616437316361383835633261326332636431656664393031 +35356232636339383031643838316437303637393938333361636562626633303839656232323231 +39633935636234303633386231356333356633386230373962333237656361333933373730616161 +3261 diff --git a/inventories/host_vars/wiki.pirateparty.be/main.yml b/inventories/host_vars/wiki.pirateparty.be/main.yml new file mode 100644 index 0000000..7e8dd77 --- /dev/null +++ b/inventories/host_vars/wiki.pirateparty.be/main.yml @@ -0,0 +1,18 @@ +borgmatic_config: + location: + source_directories: + - /var/www/mediawiki + - /etc + repositories: + - "{{ borg_repository }}" + storage: + encryption_passphrase: "{{ borg_passphrase }}" + compression: zlib,7 + retention: + keep_hourly: 24 + keep_daily: 7 + keep_weekly: 4 + keep_monthly: 6 + hooks: + mysql_databases: + - name: mediawiki_prod \ No newline at end of file diff --git a/inventories/host_vars/wiki.pirateparty.be/vault.yml b/inventories/host_vars/wiki.pirateparty.be/vault.yml new file mode 100644 index 0000000..c4fa6c3 --- /dev/null +++ b/inventories/host_vars/wiki.pirateparty.be/vault.yml @@ -0,0 +1,14 @@ +$ANSIBLE_VAULT;1.2;AES256;62a40f49-7deb-45e3-8c17-639277033357 +65316362353466333562363830633862643035363561616137616633353032363832323039383966 +3430383934363433643639633732393361323736356562330a616437303366313861636539343236 +35623961613737653461653261663137316539653861333736616261313638633539356663313933 +3563653063633662300a366132666238623463306662633563336561626335656431393133393835 +36366436633162353765386561333865316236363832346465613162393139356362343438353535 +39653933656535366365356162333634366231316363633538383165383937623761363066653834 +35643638363534383561306332663536396538346638353632353839346637383130383863663030 +35393161393163313330626530383662333165363930626563303435393362636439613263653766 +39613832613366653339326262333433316138613566333131623334336165373765663237383334 +61383839373839373631393831336563633464346636393331633066353839313761393664646438 +61323331316238373538663462316533653433386132373664623433376639313364656162666638 +30313966656433663766343932633032623463323134306265643264303732383031623763646130 +3435 diff --git a/inventories/hosts.ini b/inventories/hosts.ini index d9827cc..d2cd298 100644 --- a/inventories/hosts.ini +++ b/inventories/hosts.ini @@ -8,4 +8,7 @@ talk.parley.be status.pirateparty.be [mumble] -talk.parley.be \ No newline at end of file +talk.parley.be + +[mastodon] +mastodon.pirateparty.be \ No newline at end of file diff --git a/playbooks/files/ssh/hgo/terry.pub b/playbooks/files/ssh/hgo/terry.pub new file mode 100644 index 0000000..616be25 --- /dev/null +++ b/playbooks/files/ssh/hgo/terry.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOK8Y3OEq1j3rR8EOLpVPYZeA5qC0PTsctza9c2qhbU hadrien@terry \ No newline at end of file diff --git a/playbooks/files/ssh/tierce/q.pub b/playbooks/files/ssh/tierce/q.pub new file mode 100644 index 0000000..0f90492 --- /dev/null +++ b/playbooks/files/ssh/tierce/q.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC75IeAMEg6RwvbO6oLEQOpYSASGx9A3JD15gtA7D3NJFz+pZ7hBjBSjTxZrHDQLg1OFs0XRGS5DATRMnj6jSRAc25C71DewbNY9fWOH1/dAuo45zBllO3/pol17uYVqUbaPVjnqQFfikLCf7HjBbjt7JEVffJ3nkalE2q0TqjGK0JrltrL9dePE/R3ZNzVSDXvkgMsu18Wov9if6ftsKYgNTW+oOc9xoN1GSHYEnzv68+YNt3zKGTiwhU87cLyHJBu9o/wFDNOLdQcOtKa3IUPZvOgDlLrAm8a4Z9/A9DCJS/8kFmyNOazF1rupPAojn7k9mIBvVPxc5zqg+qrKbxR tierce@q \ No newline at end of file diff --git a/roles/common/.yamllint b/roles/common/.yamllint new file mode 100644 index 0000000..8827676 --- /dev/null +++ b/roles/common/.yamllint @@ -0,0 +1,33 @@ +--- +# Based on ansible-lint config +extends: default + +rules: + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + colons: + max-spaces-after: -1 + level: error + commas: + max-spaces-after: -1 + level: error + comments: disable + comments-indentation: disable + document-start: disable + empty-lines: + max: 3 + level: error + hyphens: + level: error + indentation: disable + key-duplicates: enable + line-length: disable + new-line-at-end-of-file: disable + new-lines: + type: unix + trailing-spaces: disable + truthy: disable diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 0cedb9c..02ff7ef 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -3,9 +3,96 @@ node_exporter_path: / node_exporter_port: 9100 node_exporter_public_port: "9180" +node_exporter_password: password nginx_config_dir: /etc/nginx/conf.d nginx_ssl_dir: /etc/nginx/ssl +nginx_dhparam_size: 2048 -ssh_config_dir: ~/.ssh -backup_targets: [] +users: + - name: ppbe + - name: coco + groups: [] +user_default_groups: + - sudo + +openssh_port: "22" + +backup_owner: backup +backup_group: "{{ backup_owner }}" + +storage_box_enabled: no +storage_box_host: storage.example.com +storage_box_port: 23 +storage_box_path: /home/backup +storage_box_mount: + path: "/mnt/backup" + owner: "{{ backup_owner }}" + group: "{{ backup_group }}" + options: [rw,default_permissions] +storage_box_username: u123456-sub1 +storage_box_password: somesecret + +borg_encryption_mode: keyfile +borg_passphrase: "{{ vault_borg_passphrase }}" +borg_repository: |- + {%- if storage_box_enabled -%} + {{ storage_box_host }}:{{ storage_box_path }}/borg + {%- else -%} + {{ storage_box_mount.path }}/borg + {%- endif -%} + +borgmatic_config: + location: + source_directories: + - / + repositories: + - "{{ borg_repository }}" + exclude_patterns: + - /dev + - /home/*/.cache + - /home/*/.gvfs + - /lib* + - /media + - /mnt + - /proc + - /tmp + - /run + - /swap* + - /sys + - /usr/src/linux-headers* + - /var/backups + - /var/cache/apt/archives + - /var/lib + - /var/log + - /var/run + - /var/snap + exclude_caches: true + storage: + encryption_passphrase: "{{ borg_passphrase }}" + compression: zlib,7 + retention: + keep_hourly: 24 + keep_daily: 7 + keep_weekly: 4 + keep_monthly: 6 + +borgmatic_cron_hour: "3" +borgmatic_cron_minute: "0" +borgmatic_check_cron_weekday: "0" +borgmatic_check_cron_hour: "2" +borgmatic_check_cron_minute: "0" + +smtp_accounts: + example: + host: mail.example.com + port: 587 + from: no-reply@example.com + username: ahoy@example.com + password: secret +smtp_default_account: example +smtp_default_recipient: contact@example.com +smtp_aliases_path: /etc/aliases + +postfix_sasl_secrets_path: /etc/postfix/sasl/passwd +postfix_senders_map_path: /etc/postfix/senders \ No newline at end of file diff --git a/roles/common/defaults/vault.yml b/roles/common/defaults/vault.yml new file mode 100644 index 0000000..47004bc --- /dev/null +++ b/roles/common/defaults/vault.yml @@ -0,0 +1,9 @@ +$ANSIBLE_VAULT;1.1;AES256 +66613631383234346131623731643533326566373463623935666636383464663639353164323861 +3464306432333534393565333334623965393363333365380a613764323664316338306532386331 +63353363633566373365623732636163366631656563393961333261623030363834376537643732 +6264373861313764390a306462323932333935653866373362383566333934386136336466623163 +39373332383733326261343162626336663135336561366137366466396463323762393538383333 +31663337393538623730326464316461323034636330626630616538316431633234306262613132 +36633164623162346231656364346363646563396664356337323763663135303963383533353838 +35396634386135386139 diff --git a/roles/common/files/sftp/push_public_key.sh b/roles/common/files/sftp/push_public_key.sh new file mode 100644 index 0000000..12cf307 --- /dev/null +++ b/roles/common/files/sftp/push_public_key.sh @@ -0,0 +1,33 @@ +#!/bin/bash -e + +function usage { + echo "Usage: $0 " +} + +host="$1" +public_key_file="$2" + +if [[ $# -ne 2 ]]; then + >&2 usage + exit 1 +fi + +authorized_keys_file="/tmp/${host}-authorized_keys" + +sshpass -e sftp "${host}" <<-EOF + mkdir .ssh + chmod 0700 .ssh + get .ssh/authorized_keys "${authorized_keys_file}" +EOF + +if grep -f "${public_key_file}" "${authorized_keys_file}" > /dev/null; then + exit 0 +fi + +echo "Adding public key '${public_key_file}' for ${host}" +sshpass -e sftp "${host}" <<-EOF + !cat "${public_key_file}" >> "${authorized_keys_file}" + put "${authorized_keys_file}" .ssh/authorized_keys + chmod 0600 .ssh/authorized_keys +EOF +echo "Public key added!" \ No newline at end of file diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 18ebed3..d78bac3 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -3,6 +3,26 @@ name: ssh state: restarted +- name: reload postfix + service: + name: postfix + state: reloaded + +- name: update aliases + command: newaliases + +- name: update postfix senders + command: postmap {{ postfix_senders_map_path }} + +- name: update postfix secrets + command: postmap {{ postfix_sasl_secrets_path }} + - name: reload nginx include_tasks: ../handlers/nginx.yml - when: nginx_started is not changed \ No newline at end of file + when: nginx_started is not changed + +- name: reload autofs + service: + name: autofs + state: restarted + when: autofs_started is not changed \ No newline at end of file diff --git a/roles/common/molecule/default/INSTALL.rst b/roles/common/molecule/default/INSTALL.rst new file mode 100644 index 0000000..0c4bf5c --- /dev/null +++ b/roles/common/molecule/default/INSTALL.rst @@ -0,0 +1,23 @@ +********************************* +Vagrant driver installation guide +********************************* + +Requirements +============ + +* Vagrant +* Virtualbox, Parallels, VMware Fusion, VMware Workstation or VMware Desktop + +Install +======= + +Please refer to the `Virtual environment`_ documentation for installation best +practices. If not using a virtual environment, please consider passing the +widely recommended `'--user' flag`_ when invoking ``pip``. + +.. _Virtual environment: https://virtualenv.pypa.io/en/latest/ +.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site + +.. code-block:: bash + + $ pip install 'molecule_vagrant' diff --git a/roles/common/molecule/default/converge.yml b/roles/common/molecule/default/converge.yml new file mode 100644 index 0000000..3092f4e --- /dev/null +++ b/roles/common/molecule/default/converge.yml @@ -0,0 +1,7 @@ +--- +- name: Converge + hosts: all + become: yes + + roles: + - common \ No newline at end of file diff --git a/roles/common/molecule/default/files/ssh/ppbe/id_ed25519 b/roles/common/molecule/default/files/ssh/ppbe/id_ed25519 new file mode 100644 index 0000000..420fc7a --- /dev/null +++ b/roles/common/molecule/default/files/ssh/ppbe/id_ed25519 @@ -0,0 +1,7 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW +QyNTUxOQAAACDNtdE4Xhn4OP2J0MW6KSeNUNgA797j1Ylrb/PuDKAAMgAAAJBcNgy6XDYM +ugAAAAtzc2gtZWQyNTUxOQAAACDNtdE4Xhn4OP2J0MW6KSeNUNgA797j1Ylrb/PuDKAAMg +AAAEDw/p35s5mUgbWvTlKnCuTuHdr3AJuNyFkn8DGERqzI7s210TheGfg4/YnQxbopJ41Q +2ADv3uPViWtv8+4MoAAyAAAADHBwYmVAdmFncmFudAE= +-----END OPENSSH PRIVATE KEY----- diff --git a/roles/common/molecule/default/files/ssh/ppbe/id_ed25519.pub b/roles/common/molecule/default/files/ssh/ppbe/id_ed25519.pub new file mode 100644 index 0000000..8d21224 --- /dev/null +++ b/roles/common/molecule/default/files/ssh/ppbe/id_ed25519.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM210TheGfg4/YnQxbopJ41Q2ADv3uPViWtv8+4MoAAy ppbe@vagrant diff --git a/roles/common/molecule/default/molecule.yml b/roles/common/molecule/default/molecule.yml new file mode 100644 index 0000000..33abb7c --- /dev/null +++ b/roles/common/molecule/default/molecule.yml @@ -0,0 +1,31 @@ +--- +dependency: + name: galaxy +driver: + name: vagrant + provider: + name: virtualbox +platforms: + - name: debian-buster + box: debian/buster64 + memory: 1024 + cpus: 2 + interfaces: + - network_name: forwarded_port + guest: 22 + host: 22000 + - name: ubuntu-focal + box: ubuntu/focal64 + memory: 1024 + cpus: 2 + interfaces: + - network_name: forwarded_port + guest: 22 + host: 22010 +provisioner: + name: ansible + config_options: + defaults: + interpreter_python: /usr/bin/python3 +verifier: + name: ansible \ No newline at end of file diff --git a/roles/common/tasks/backup.yml b/roles/common/tasks/backup.yml new file mode 100644 index 0000000..5bcb82a --- /dev/null +++ b/roles/common/tasks/backup.yml @@ -0,0 +1,40 @@ +# 1. Backup incrémental tous les jours vers la storage box: +# 1. Dans /mnt/backups, accessible en ro pour l'user system "backup" +# -> un seul backup host = celui de la storage box en sftp (pourrait être autre chose à terme) +# -> via autofs + sshfs (permet de libérer la connexion en dehors de la phase de backups) +# 2. Chiffrement avec clé symétrique. La clé n'est connue que par l'host. +# 2. D'autres machines se connectent pour récupérer les backups (rsync): +# 1. En sftp chrooté via l'user system "backup" +# 2. Donner accès SSH pour ces machines à l'user system "backup" + +- name: Create SSH directory + file: + path: "{{ ssh_config_dir }}" + state: directory + mode: "700" + +- name: Create SSH config file + file: + path: "{{ ssh_config_dir }}/config" + state: touch + access_time: preserve + modification_time: preserve + mode: "600" + +- name: Create backup user + user: + name: "{{ backup_owner }}" + shell: /bin/bash + # See https://unix.stackexchange.com/questions/193066/how-to-unlock-account-for-public-key-ssh-authorization-but-not-for-password-aut/193131#193131 + password: '*' + state: present + update_password: always + +- name: Include Storage Box backup tasks + import_tasks: backup_storage_box.yml + when: storage_box_enabled + tags: backup_storage_box + +- name: Include Borg backup tasks + import_tasks: backup_borg.yml + tags: backup_borg \ No newline at end of file diff --git a/roles/common/tasks/backup_borg.yml b/roles/common/tasks/backup_borg.yml new file mode 100644 index 0000000..dee8c68 --- /dev/null +++ b/roles/common/tasks/backup_borg.yml @@ -0,0 +1,61 @@ +- name: Install Borg packages + package: + name: "{{ borg_package }}" + state: present + loop: "{{ borg_packages }}" + loop_control: + loop_var: borg_package + +- name: Initialize Borg repository + command: borg init --make-parent-dirs -e "{{ borg_encryption_mode }}" "{{ borg_repository }}" + environment: + BORG_PASSPHRASE: "{{ borg_passphrase }}" + changed_when: "'A repository already exists' not in _borg_backup_init.stderr" + failed_when: _borg_backup_init.rc >= 2 and 'A repository already exists' not in _borg_backup_init.stderr + register: _borg_backup_init + +- name: Create Borgmatic config directory + file: + path: /etc/borgmatic + state: directory + owner: root + group: root + mode: "755" + +- name: Copy Borgmatic config file + copy: + content: "{{ borgmatic_config | to_nice_yaml(indent=2) }}" + dest: /etc/borgmatic/config.yaml + owner: root + group: root + mode: "600" + +- name: Add cron job for regular Borgmatic create and prune + cron: + user: root + name: borgmatic-create + cron_file: borgmatic + hour: "{{ borgmatic_cron_hour }}" + minute: "{{ borgmatic_cron_minute }}" + state: present + job: borgmatic --create --prune + +- name: Add cron job for unfrequent Borgmatic check + cron: + user: root + name: borgmatic-check + cron_file: borgmatic + weekday: "{{ borgmatic_check_cron_weekday }}" + hour: "{{ borgmatic_check_cron_hour }}" + minute: "{{ borgmatic_check_cron_minute }}" + state: present + job: borgmatic --check + +- name: Set PATH for Borgmatic cron job. + cron: + user: root + name: PATH + cron_file: borgmatic + env: yes + state: present + value: /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin diff --git a/roles/common/tasks/backup_storage_box.yml b/roles/common/tasks/backup_storage_box.yml new file mode 100644 index 0000000..cfbd412 --- /dev/null +++ b/roles/common/tasks/backup_storage_box.yml @@ -0,0 +1,95 @@ +- name: Install Storage Box mount dependencies + apt: + name: "{{ storage_box_package }}" + state: present + loop: "{{ storage_box_packages }}" + loop_control: + loop_var: storage_box_package + +- name: Generate SSH key pair for storage box {{ storage_box_host }} + openssh_keypair: + path: "{{ ssh_config_dir }}/{{ storage_box_prefix }}" + type: ed25519 + +- name: Update SSH config file for storage box {{ storage_box_host }} + blockinfile: + path: "{{ ssh_config_dir }}/config" + block: | + Host {{ storage_box_host }} + {% if storage_box_username is defined %} + User {{ storage_box_username }} + {% endif %} + Port {{ storage_box_port }} + IdentityFile {{ ssh_config_dir }}/{{ storage_box_prefix }} + PreferredAuthentications publickey,password + marker: "# {mark} ANSIBLE MANAGED BLOCK {{ storage_box_host }}" + +- name: Copy script to add OpenSSH public key through SFTP + copy: + src: sftp/push_public_key.sh + dest: /usr/local/bin/sftp_push_public_key + owner: root + group: root + mode: "755" + +- name: Scan public keys for storage box {{ storage_box_host }}:{{ storage_box_port }} + command: ssh-keyscan -p {{ storage_box_port }} {{ storage_box_host }} + changed_when: no + register: _ssh_known_host + +- name: Add backup host {{ storage_box_host }} in known hosts list + known_hosts: + name: |- + {%- if storage_box_port == 22 -%} + {{ storage_box_host }} + {%- else -%} + [{{ storage_box_host }}]:{{ storage_box_port }} + {%- endif -%} + key: "{{ _ssh_known_host.stdout }}" + state: present + +- name: Push SSH public key to storage box {{ storage_box_host }} + when: storage_box_password is defined + command: sftp_push_public_key "{{ storage_box_host }}" "{{ ssh_config_dir }}/{{ storage_box_prefix }}.pub" + environment: + SSHPASS: "{{ storage_box_password }}" + changed_when: + - _storage_box_authorized.stdout is defined + - "'Public key added!' in _storage_box_authorized.stdout" + register: _storage_box_authorized + +- name: Create backup endpoint {{ storage_box_path }} on {{ storage_box_host }} + shell: | + sftp {{ storage_box_host }} <<-EOF + mkdir "{{ storage_box_path }}" + EOF + changed_when: "'Couldn\\'t create directory' not in _backup_endpoint_created.stderr" + register: _backup_endpoint_created + +- name: Create AutoFS config file for storage box {{ storage_box_host }} (SSHFS) + lineinfile: + path: /etc/auto.backup.{{ storage_box_prefix }} + regex: "^{{ storage_box_mount.path }} " + line: | + {{ storage_box_mount.path }} -fstype=fuse,{{ storage_box_mount.options | join(',') }},uid={{ storage_box_mount.owner }},gid={{ storage_box_mount.group }} :sshfs\#{{ storage_box_host }}\:{{ storage_box_path }} + state: present + create: yes + notify: reload autofs + +- name: Add AutoFS config file into main AutoFS config + lineinfile: + path: /etc/auto.master + regexp: '^/- /etc/auto.backup' + line: /- /etc/auto.backup.{{ storage_box_prefix }} --timeout=90,--ghost + state: present + notify: reload autofs + +- name: Start AutoFS service + service: + name: autofs + state: started + enabled: yes + register: autofs_started + +- name: Trigger AutoFS handlers + meta: flush_handlers \ No newline at end of file diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 8c12c37..ff6978b 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -6,11 +6,11 @@ tags: openssh - import_tasks: ufw.yml tags: firewall -- import_tasks: msmtp.yml +- import_tasks: postfix.yml tags: smtp - import_tasks: nginx.yml tags: nginx - import_tasks: node_exporter.yml tags: node_exporter -#- import_tasks: backup.yml -# tags: backup +- import_tasks: backup.yml + tags: backup diff --git a/roles/common/tasks/msmtp.yml b/roles/common/tasks/msmtp.yml deleted file mode 100644 index 1a2ecb1..0000000 --- a/roles/common/tasks/msmtp.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -# Install and configure SMTP relay -- name: Install msmtp - apt: - name: - - msmtp - - msmtp-mta - state: present - -- name: Copy msmtp configuration - template: - src: msmtp/msmtprc.j2 - dest: /etc/msmtprc - -- name: Copy aliases - template: - src: msmtp/aliases.j2 - dest: /etc/aliases \ No newline at end of file diff --git a/roles/common/tasks/nginx.yml b/roles/common/tasks/nginx.yml index 98bf3c3..ab445a4 100644 --- a/roles/common/tasks/nginx.yml +++ b/roles/common/tasks/nginx.yml @@ -2,7 +2,7 @@ # Install and configure Nginx - name: Install htpasswd dependencies apt: - name: python-passlib + name: python3-passlib state: present - name: Install SSL dependencies @@ -32,7 +32,7 @@ # This can take a long time... So we are doing it in async mode openssl_dhparam: path: "{{ nginx_ssl_dir }}/dhparam.pem" - size: 3072 + size: "{{ nginx_dhparam_size }}" owner: root group: www-data async: 3600 diff --git a/roles/common/tasks/node_exporter.yml b/roles/common/tasks/node_exporter.yml index b647afb..120fa26 100644 --- a/roles/common/tasks/node_exporter.yml +++ b/roles/common/tasks/node_exporter.yml @@ -5,7 +5,7 @@ name: cloudalchemy.node-exporter public: yes vars: - node_exporter_web_listen_address: "0.0.0.0:{{ node_exporter_port }}" + node_exporter_web_listen_address: "localhost:{{ node_exporter_port }}" - name: Configure Nginx for node-exporter import_role: @@ -28,3 +28,6 @@ ufw: rule: allow port: "{{ node_exporter_public_port }}" + +- name: Trigger node-exporter handlers + meta: flush_handlers \ No newline at end of file diff --git a/roles/common/tasks/openssh.yml b/roles/common/tasks/openssh.yml index 51257c3..3cabe7c 100644 --- a/roles/common/tasks/openssh.yml +++ b/roles/common/tasks/openssh.yml @@ -11,9 +11,10 @@ validate: '/usr/sbin/sshd -T -f %s' notify: restart openssh -- name: Trigger Ansible handlers +- name: Trigger OpenSSH handlers meta: flush_handlers - name: Change Ansible SSH port to {{ openssh_port }} set_fact: ansible_port: "{{ openssh_port }}" + when: openssh_port != "22" \ No newline at end of file diff --git a/roles/common/tasks/postfix.yml b/roles/common/tasks/postfix.yml new file mode 100644 index 0000000..4f850d1 --- /dev/null +++ b/roles/common/tasks/postfix.yml @@ -0,0 +1,49 @@ +- name: Install postfix package + apt: + name: postfix + state: present + +- name: Copy postfix configuration file + template: + src: postfix/main.cf.j2 + dest: /etc/postfix/main.cf + owner: root + group: root + mode: "644" + notify: reload postfix + +- name: Copy aliases file + template: + src: postfix/aliases.j2 + dest: "{{ smtp_aliases_path }}" + owner: root + group: root + mode: "644" + notify: update aliases + +- name: Copy Postfix senders map + template: + src: postfix/senders.j2 + dest: "{{ postfix_senders_map_path }}" + owner: root + group: root + mode: "644" + notify: update postfix senders + +- name: Copy Postfix SASL secrets + template: + src: postfix/sasl_secrets.j2 + dest: "{{ postfix_sasl_secrets_path }}" + owner: root + group: root + mode: "600" + notify: update postfix secrets + +- name: Start postfix service + service: + name: postfix + state: started + enabled: yes + +- name: Trigger Postfix handlers + meta: flush_handlers \ No newline at end of file diff --git a/roles/common/tasks/user.yml b/roles/common/tasks/user.yml index 5ba7306..db3ada8 100644 --- a/roles/common/tasks/user.yml +++ b/roles/common/tasks/user.yml @@ -6,17 +6,21 @@ shell: /bin/bash # See https://unix.stackexchange.com/questions/193066/how-to-unlock-account-for-public-key-ssh-authorization-but-not-for-password-aut/193131#193131 password: '*' - groups: - - sudo - append: yes + groups: "{{ user.groups | default(user_default_groups) }}" + append: no state: present - update_password: on_create + update_password: always - name: Add SSH public keys for user {{ user.name }} authorized_key: user: "{{ user.name }}" state: present # we can pass multiple SSH keys, but they must be separated by newlines - key: "{{ user.ssh_keys | join('\n') }}" + key: | + {% for key_file in lookup('fileglob', user_ssh_key_path, wantlist=true) %} + {{ lookup('file', key_file) }} + {% endfor %} # remove obsolete keys - exclusive: yes \ No newline at end of file + exclusive: yes + vars: + user_ssh_key_path: ssh/{{ user.name }}/*.pub \ No newline at end of file diff --git a/roles/common/templates/msmtp/aliases.j2 b/roles/common/templates/msmtp/aliases.j2 deleted file mode 100644 index a7c983a..0000000 --- a/roles/common/templates/msmtp/aliases.j2 +++ /dev/null @@ -1 +0,0 @@ -default: {{ smtp_default_contact }} \ No newline at end of file diff --git a/roles/common/templates/msmtp/msmtprc.j2 b/roles/common/templates/msmtp/msmtprc.j2 deleted file mode 100644 index 469810b..0000000 --- a/roles/common/templates/msmtp/msmtprc.j2 +++ /dev/null @@ -1,19 +0,0 @@ -defaults -auth on -tls on -tls_trust_file /etc/ssl/certs/ca-certificates.crt -logfile /var/log/msmtp.log - -{% for account in smtp_accounts %} -account {{ account.name }} -host {{ account.host }} -port 587 -from {{ account.from }} -user {{ account.user | default(account.from) }} -password {{ account.password }} - -{% endfor %} - -account default : {{ smtp_default_account }} - -aliases /etc/aliases diff --git a/roles/common/templates/opensmtpd/smtpd-secret.j2 b/roles/common/templates/opensmtpd/smtpd-secret.j2 new file mode 100644 index 0000000..67fffae --- /dev/null +++ b/roles/common/templates/opensmtpd/smtpd-secret.j2 @@ -0,0 +1,3 @@ +{% for account in smtp_accounts %} +{{ account.name }} {{ account.username | default(account.from) }}:{{ account.password }} +{% endfor %} \ No newline at end of file diff --git a/roles/common/templates/opensmtpd/smtpd.conf.j2 b/roles/common/templates/opensmtpd/smtpd.conf.j2 new file mode 100644 index 0000000..b2889e4 --- /dev/null +++ b/roles/common/templates/opensmtpd/smtpd.conf.j2 @@ -0,0 +1,11 @@ +listen on localhost + +table aliases file:/etc/aliases +table secrets file:/etc/smtpd-secret + +action "local" mbox alias +{% for account in smtp_accounts %} +action "{{ account.name }}_relay" relay host "smtps://{{ account.name }}@{{ account.host }}" auth mail-from "{{ account.from }}" +{% endfor %} +match for local action "local" +match for any action "{{ smtp_default_account }}_relay" \ No newline at end of file diff --git a/roles/common/templates/postfix/aliases.j2 b/roles/common/templates/postfix/aliases.j2 new file mode 100644 index 0000000..2b516df --- /dev/null +++ b/roles/common/templates/postfix/aliases.j2 @@ -0,0 +1,2 @@ +root: {{ smtp_default_recipient }} +postmaster: {{ smtp_default_recipient }} \ No newline at end of file diff --git a/roles/common/templates/postfix/main.cf.j2 b/roles/common/templates/postfix/main.cf.j2 new file mode 100644 index 0000000..6460879 --- /dev/null +++ b/roles/common/templates/postfix/main.cf.j2 @@ -0,0 +1,40 @@ +{{ ansible_managed | comment }} + +# See /usr/share/postfix/main.cf.dist for a commented, more complete version + +# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on +# fresh installs. +compatibility_level = 2 + +biff = no +recipient_delimiter = + +readme_directory = no +# appending .domain is the MUA's job. +append_dot_mydomain = no + +# rewrite sender address +sender_canonical_maps = hash:{{ postfix_senders_map_path }} + +alias_maps = hash:{{ smtp_aliases_path }} +alias_database = hash:{{ smtp_aliases_path }} + +myhostname = {{ ansible_hostname }} +myorigin = $myhostname +mydestination = $myhostname, localhost.localdomain, localhost +mynetworks_style = host + +inet_interfaces = all +inet_protocols = all + +relayhost = [{{ smtp_accounts[smtp_default_account].host }}] +relay_domains = +# enable SASL authentication +smtp_sasl_auth_enable = yes +# disallow methods that allow anonymous authentication. +smtp_sasl_security_options = noanonymous +# where to find sasl_passwd +smtp_sasl_password_maps = hash:{{ postfix_sasl_secrets_path }} +# Enable STARTTLS encryption +smtp_use_tls = yes +# where to find CA certificates +smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt \ No newline at end of file diff --git a/roles/common/templates/postfix/sasl_secrets.j2 b/roles/common/templates/postfix/sasl_secrets.j2 new file mode 100644 index 0000000..7e540ce --- /dev/null +++ b/roles/common/templates/postfix/sasl_secrets.j2 @@ -0,0 +1,3 @@ +{% for account in smtp_accounts.values() %} +[{{ account.host }}] {{ account.username }}:{{ account.password }} +{% endfor %} \ No newline at end of file diff --git a/roles/common/templates/postfix/senders.j2 b/roles/common/templates/postfix/senders.j2 new file mode 100644 index 0000000..8b58d9b --- /dev/null +++ b/roles/common/templates/postfix/senders.j2 @@ -0,0 +1,3 @@ +{% if smtp_accounts[smtp_default_account].from is defined %} +@{{ ansible_hostname }} {{ smtp_accounts[smtp_default_account].from }} +{% endif %} \ No newline at end of file diff --git a/roles/common/vars/main.yml b/roles/common/vars/main.yml index fed6035..76f7479 100644 --- a/roles/common/vars/main.yml +++ b/roles/common/vars/main.yml @@ -1,2 +1,9 @@ ---- -# vars file for common +ssh_config_dir: "{{ ansible_env.HOME }}/.ssh" +storage_box_prefix: storage-box +storage_box_packages: + - sshpass + - sshfs + - autofs +borg_packages: + - borgbackup + - borgmatic \ No newline at end of file