refactor common role

This commit is contained in:
HgO
2020-11-28 20:47:30 +01:00
parent 67b8c5f230
commit 2b8f69fc41
45 changed files with 756 additions and 110 deletions


@@ -0,0 +1,40 @@
# 1. Backup incrémental tous les jours vers la storage box:
# 1. Dans /mnt/backups, accessible en ro pour l'user system "backup"
# -> un seul backup host = celui de la storage box en sftp (pourrait être autre chose à terme)
# -> via autofs + sshfs (permet de libérer la connexion en dehors de la phase de backups)
# 2. Chiffrement avec clé symétrique. La clé n'est connue que par l'host.
# 2. D'autres machines se connectent pour récupérer les backups (rsync):
# 1. En sftp chrooté via l'user system "backup"
# 2. Donner accès SSH pour ces machines à l'user system "backup"
- name: Create SSH directory
file:
path: "{{ ssh_config_dir }}"
state: directory
mode: "700"
- name: Create SSH config file
file:
path: "{{ ssh_config_dir }}/config"
state: touch
access_time: preserve
modification_time: preserve
mode: "600"
- name: Create backup user
user:
name: "{{ backup_owner }}"
shell: /bin/bash
# See https://unix.stackexchange.com/questions/193066/how-to-unlock-account-for-public-key-ssh-authorization-but-not-for-password-aut/193131#193131
password: '*'
state: present
update_password: always
- name: Include Storage Box backup tasks
import_tasks: backup_storage_box.yml
when: storage_box_enabled
tags: backup_storage_box
- name: Include Borg backup tasks
import_tasks: backup_borg.yml
tags: backup_borg
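Review bot: The design header at lines 13–20 is written in French while every task name and the role's other task files are in English, so the rationale behind the "backup" system user and the read-only /mnt/backups mount is opaque to a maintainer who does not read French. A one-line English summary above it would already help, e.g. `# Daily incremental backups to the storage box (autofs+sshfs, read-only for system user "backup"), host-only symmetric encryption; other hosts pull them over chrooted SFTP as "backup".` The numbering in the header also restarts twice (two items labelled "1." and two labelled "2."), which reads as a copy-paste slip rather than nested lists.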


@@ -0,0 +1,61 @@
- name: Install Borg packages
package:
name: "{{ borg_package }}"
state: present
loop: "{{ borg_packages }}"
loop_control:
loop_var: borg_package
- name: Initialize Borg repository
command: borg init --make-parent-dirs -e "{{ borg_encryption_mode }}" "{{ borg_repository }}"
environment:
BORG_PASSPHRASE: "{{ borg_passphrase }}"
changed_when: "'A repository already exists' not in _borg_backup_init.stderr"
failed_when: _borg_backup_init.rc >= 2 and 'A repository already exists' not in _borg_backup_init.stderr
register: _borg_backup_init
- name: Create Borgmatic config directory
file:
path: /etc/borgmatic
state: directory
owner: root
group: root
mode: "755"
- name: Copy Borgmatic config file
copy:
content: "{{ borgmatic_config | to_nice_yaml(indent=2) }}"
dest: /etc/borgmatic/config.yaml
owner: root
group: root
mode: "600"
- name: Add cron job for regular Borgmatic create and prune
cron:
user: root
name: borgmatic-create
cron_file: borgmatic
hour: "{{ borgmatic_cron_hour }}"
minute: "{{ borgmatic_cron_minute }}"
state: present
job: borgmatic --create --prune
- name: Add cron job for unfrequent Borgmatic check
cron:
user: root
name: borgmatic-check
cron_file: borgmatic
weekday: "{{ borgmatic_check_cron_weekday }}"
hour: "{{ borgmatic_check_cron_hour }}"
minute: "{{ borgmatic_check_cron_minute }}"
state: present
job: borgmatic --check
- name: Set PATH for Borgmatic cron job.
cron:
user: root
name: PATH
cron_file: borgmatic
env: yes
state: present
value: /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
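Review bot: The `borg init` task at lines 59–65 and the borgmatic config copy at lines 73–79 handle `borg_passphrase` without `no_log: true`; with `-v` or `--diff` the registered result and the rendered `content:` (which presumably embeds the passphrase through `borgmatic_config`) are printed to the console and to any callback plugins. Add `no_log: true` to both tasks; `changed_when`/`failed_when` still evaluate `_borg_backup_init.stderr`, only the display is suppressed. The same gap exists for the `SSHPASS` push task in backup_storage_box.yml (lines 155–163) and the SASL secrets template in postfix.yml (lines 315–322). Note that `failed_when: _borg_backup_init.rc >= 2 ...` deliberately treats rc 1 (borg warnings) as success; a short comment saying so, `# rc 1 = warning only; rc >= 2 = error`, would stop the next reader from "fixing" it to `!= 0`.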


@@ -0,0 +1,95 @@
- name: Install Storage Box mount dependencies
apt:
name: "{{ storage_box_package }}"
state: present
loop: "{{ storage_box_packages }}"
loop_control:
loop_var: storage_box_package
- name: Generate SSH key pair for storage box {{ storage_box_host }}
openssh_keypair:
path: "{{ ssh_config_dir }}/{{ storage_box_prefix }}"
type: ed25519
- name: Update SSH config file for storage box {{ storage_box_host }}
blockinfile:
path: "{{ ssh_config_dir }}/config"
block: |
Host {{ storage_box_host }}
{% if storage_box_username is defined %}
User {{ storage_box_username }}
{% endif %}
Port {{ storage_box_port }}
IdentityFile {{ ssh_config_dir }}/{{ storage_box_prefix }}
PreferredAuthentications publickey,password
marker: "# {mark} ANSIBLE MANAGED BLOCK {{ storage_box_host }}"
- name: Copy script to add OpenSSH public key through SFTP
copy:
src: sftp/push_public_key.sh
dest: /usr/local/bin/sftp_push_public_key
owner: root
group: root
mode: "755"
- name: Scan public keys for storage box {{ storage_box_host }}:{{ storage_box_port }}
command: ssh-keyscan -p {{ storage_box_port }} {{ storage_box_host }}
changed_when: no
register: _ssh_known_host
- name: Add backup host {{ storage_box_host }} in known hosts list
known_hosts:
name: |-
{%- if storage_box_port == 22 -%}
{{ storage_box_host }}
{%- else -%}
[{{ storage_box_host }}]:{{ storage_box_port }}
{%- endif -%}
key: "{{ _ssh_known_host.stdout }}"
state: present
- name: Push SSH public key to storage box {{ storage_box_host }}
when: storage_box_password is defined
command: sftp_push_public_key "{{ storage_box_host }}" "{{ ssh_config_dir }}/{{ storage_box_prefix }}.pub"
environment:
SSHPASS: "{{ storage_box_password }}"
changed_when:
- _storage_box_authorized.stdout is defined
- "'Public key added!' in _storage_box_authorized.stdout"
register: _storage_box_authorized
- name: Create backup endpoint {{ storage_box_path }} on {{ storage_box_host }}
shell: |
sftp {{ storage_box_host }} <<-EOF
mkdir "{{ storage_box_path }}"
EOF
changed_when: "'Couldn\\'t create directory' not in _backup_endpoint_created.stderr"
register: _backup_endpoint_created
- name: Create AutoFS config file for storage box {{ storage_box_host }} (SSHFS)
lineinfile:
path: /etc/auto.backup.{{ storage_box_prefix }}
regex: "^{{ storage_box_mount.path }} "
line: |
{{ storage_box_mount.path }} -fstype=fuse,{{ storage_box_mount.options | join(',') }},uid={{ storage_box_mount.owner }},gid={{ storage_box_mount.group }} :sshfs\#{{ storage_box_host }}\:{{ storage_box_path }}
state: present
create: yes
notify: reload autofs
- name: Add AutoFS config file into main AutoFS config
lineinfile:
path: /etc/auto.master
regexp: '^/- /etc/auto.backup'
line: /- /etc/auto.backup.{{ storage_box_prefix }} --timeout=90,--ghost
state: present
notify: reload autofs
- name: Start AutoFS service
service:
name: autofs
state: started
enabled: yes
register: autofs_started
- name: Trigger AutoFS handlers
meta: flush_handlers
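Review bot: Lines 141–154 obtain the host key with `ssh-keyscan` from the very host about to be trusted and write it straight into known_hosts, so whatever key is presented during the first run is pinned permanently (trust on first use) with no check against the provider's published value. Prefer supplying the expected host key or fingerprint through a variable (a placeholder such as `storage_box_host_key`) and passing that to `known_hosts`, or at least comparing `_ssh_known_host.stdout` against an expected fingerprint before the `known_hosts` task. Relatedly, `PreferredAuthentications publickey,password` at line 132 keeps the password fallback active after the public key has been pushed; if `storage_box_password` is only needed for the one-off `sftp_push_public_key` step, dropping `password` from that list afterwards removes one credential path. Minor style: `changed_when: no` at line 143 reads better as `changed_when: false`, and `regex:` at line 174 versus `regexp:` at line 183 should be spelled the same way.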


@@ -6,11 +6,11 @@
tags: openssh
- import_tasks: ufw.yml
tags: firewall
- import_tasks: msmtp.yml
- import_tasks: postfix.yml
tags: smtp
- import_tasks: nginx.yml
tags: nginx
- import_tasks: node_exporter.yml
tags: node_exporter
#- import_tasks: backup.yml
# tags: backup
- import_tasks: backup.yml
tags: backup
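Review bot: Dropping `- import_tasks: msmtp.yml` at line 202 stops managing msmtp but does nothing for hosts already provisioned with it: `/etc/msmtprc` (rendered from the msmtp template in the deleted file) stays on disk, and if that file carried relay credentials they remain there after the switch to Postfix. A cleanup task — a `file` task with `path: /etc/msmtprc` and `state: absent`, optionally an `apt` task removing `msmtp` and `msmtp-mta` — in postfix.yml or next to this import would make the migration idempotent for existing hosts. Whether msmtprc actually held a password cannot be seen from this commit, so treat this as a question for the template's author.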


@@ -1,18 +0,0 @@
---
# Install and configure SMTP relay
- name: Install msmtp
apt:
name:
- msmtp
- msmtp-mta
state: present
- name: Copy msmtp configuration
template:
src: msmtp/msmtprc.j2
dest: /etc/msmtprc
- name: Copy aliases
template:
src: msmtp/aliases.j2
dest: /etc/aliases


@@ -2,7 +2,7 @@
# Install and configure Nginx
- name: Install htpasswd dependencies
apt:
name: python-passlib
name: python3-passlib
state: present
- name: Install SSL dependencies
@@ -32,7 +32,7 @@
# This can take a long time... So we are doing it in async mode
openssl_dhparam:
path: "{{ nginx_ssl_dir }}/dhparam.pem"
size: 3072
size: "{{ nginx_dhparam_size }}"
owner: root
group: www-data
async: 3600
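Review bot: `size: "{{ nginx_dhparam_size }}"` at line 249 replaces the fixed 3072-bit DH group with a variable, so the security floor now lives in a defaults file that is not part of this section and I cannot confirm it keeps 3072 (or at least 2048) bits. A comment on the parameter, `# keep >= 2048 bits; smaller DH groups are considered weak`, or an `assert` that `nginx_dhparam_size | int >= 2048` before this task, would stop a careless override from silently weakening TLS. The `openssl_dhparam` task's `name:` line is above the hunk.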


@@ -5,7 +5,7 @@
name: cloudalchemy.node-exporter
public: yes
vars:
node_exporter_web_listen_address: "0.0.0.0:{{ node_exporter_port }}"
node_exporter_web_listen_address: "localhost:{{ node_exporter_port }}"
- name: Configure Nginx for node-exporter
import_role:
@@ -28,3 +28,6 @@
ufw:
rule: allow
port: "{{ node_exporter_public_port }}"
- name: Trigger node-exporter handlers
meta: flush_handlers
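Review bot: `"localhost:{{ node_exporter_port }}"` at line 261 is the right direction (the exporter no longer listens on all interfaces), but `localhost` is resolved independently by node_exporter at listen time and by the Nginx proxy placed in front of it; depending on `/etc/hosts` one side may end up on `::1` and the other on `127.0.0.1`, which surfaces as intermittent 502s. A literal address, `node_exporter_web_listen_address: "127.0.0.1:{{ node_exporter_port }}"`, with the same literal in the Nginx `proxy_pass` (not visible in this section), avoids the ambiguity. `public: yes` at line 258 would read as `public: true` to satisfy yamllint's truthy rule.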


@@ -11,9 +11,10 @@
validate: '/usr/sbin/sshd -T -f %s'
notify: restart openssh
- name: Trigger Ansible handlers
- name: Trigger OpenSSH handlers
meta: flush_handlers
- name: Change Ansible SSH port to {{ openssh_port }}
set_fact:
ansible_port: "{{ openssh_port }}"
when: openssh_port != "22"
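Review bot: `when: openssh_port != "22"` at line 282 compares against a string, so if `openssh_port` is defined as an integer in defaults the condition is always true (`22 != "22"` in Jinja) and `ansible_port` is rewritten as a string on every run; if it is a string, only the exact spelling `"22"` is recognised. Normalise the type instead: `when: openssh_port | int != 22` together with `ansible_port: "{{ openssh_port | int }}"`. The `set_fact` follows the `flush_handlers` at line 278, which is the right order since the restarted sshd is what later tasks connect to.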


@@ -0,0 +1,49 @@
- name: Install postfix package
apt:
name: postfix
state: present
- name: Copy postfix configuration file
template:
src: postfix/main.cf.j2
dest: /etc/postfix/main.cf
owner: root
group: root
mode: "644"
notify: reload postfix
- name: Copy aliases file
template:
src: postfix/aliases.j2
dest: "{{ smtp_aliases_path }}"
owner: root
group: root
mode: "644"
notify: update aliases
- name: Copy Postfix senders map
template:
src: postfix/senders.j2
dest: "{{ postfix_senders_map_path }}"
owner: root
group: root
mode: "644"
notify: update postfix senders
- name: Copy Postfix SASL secrets
template:
src: postfix/sasl_secrets.j2
dest: "{{ postfix_sasl_secrets_path }}"
owner: root
group: root
mode: "600"
notify: update postfix secrets
- name: Start postfix service
service:
name: postfix
state: started
enabled: yes
- name: Trigger Postfix handlers
meta: flush_handlers


@@ -6,17 +6,21 @@
shell: /bin/bash
# See https://unix.stackexchange.com/questions/193066/how-to-unlock-account-for-public-key-ssh-authorization-but-not-for-password-aut/193131#193131
password: '*'
groups:
- sudo
append: yes
groups: "{{ user.groups | default(user_default_groups) }}"
append: no
state: present
update_password: on_create
update_password: always
- name: Add SSH public keys for user {{ user.name }}
authorized_key:
user: "{{ user.name }}"
state: present
# we can pass multiple SSH keys, but they must be separated by newlines
key: "{{ user.ssh_keys | join('\n') }}"
key: |
{% for key_file in lookup('fileglob', user_ssh_key_path, wantlist=true) %}
{{ lookup('file', key_file) }}
{% endfor %}
# remove obsolete keys
exclusive: yes
exclusive: yes
vars:
user_ssh_key_path: ssh/{{ user.name }}/*.pub
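Review bot: The `key:` block at lines 351–354 is rendered from `fileglob` and combined with `exclusive: yes`; if `ssh/<name>/*.pub` matches nothing (a mistyped directory, a file missing from the checkout) the template renders as whitespace, and the task then either fails or — worse — removes every existing key for that user and locks out SSH access, which this hunk does not guard against. An `assert` placed before the `authorized_key` task, `that: "lookup('fileglob', user_ssh_key_path, wantlist=true) | length > 0"`, makes the failure explicit instead of destructive. The switch to `append: no` with `groups: "{{ user.groups | default(user_default_groups) }}"` at lines 340–341 makes group membership authoritative, which is good for revoking stale sudo access but deserves a comment such as `# groups list is authoritative: memberships not listed here are removed`. This hunk starts at file line 6 (the task's `- name:`/`user:` lines are above it) and may continue past the last line shown.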