From 1e565544fe9af1d5fae68b61ad0a571c924a1af2 Mon Sep 17 00:00:00 2001 
From: Juan Ferrer Toribio Date: Fri, 27 Sep 2024 13:26:47 +0200 Subject: [PATCH] refs #8025 Vault added, core hosts splitted, tasks parametized, auth enabled --- .gitignore | 1 + README.md | 10 +++- ansible.cfg | 5 +- inventories/core | 32 +++++++++++++ inventories/group_vars/all.yml | 47 +++---------------- inventories/production | 35 -------------- playbooks/debian.yml | 1 + playbooks/facts.yml | 2 +- playbooks/test.yml | 5 -- roles/debian-base/defaults/main.yaml | 7 +++ roles/debian-base/files/profile.sh | 8 ++++ roles/debian-base/files/timesync | 5 -- roles/debian-base/tasks/bacula.yml | 2 +- roles/debian-base/tasks/fail2ban.yml | 2 +- roles/debian-base/tasks/locale.yml | 2 +- roles/debian-base/tasks/nrpe.yml | 8 ++-- roles/debian-base/tasks/root.yaml | 19 +------- .../tasks/{tymesyncd.yml => timesync.yml} | 4 +- .../{bacula-fd.conf.j2 => bacula-fd.conf} | 0 .../templates/{jail.local.j2 => jail.local} | 0 .../debian-base/{files => templates}/nrpe.cfg | 2 +- roles/debian-base/vars/main.yml | 5 -- roles/debian-guest/files/nslcd.conf | 16 ------- roles/debian-guest/files/sudoers | 1 - roles/debian-guest/handlers/main.yml | 6 +++ roles/debian-guest/tasks/auth.yml | 21 ++------- roles/debian-guest/tasks/main.yml | 5 +- roles/debian-guest/tasks/sudoers.yml | 2 +- roles/debian-guest/templates/nslcd.conf | 16 +++++++ roles/debian-guest/templates/sudoers | 1 + roles/debian-qemu/{vars => defaults}/main.yml | 0 roles/debian-qemu/files/auto.homes | 1 - roles/debian-qemu/files/homes.autofs | 1 - roles/debian-qemu/tasks/autofs.yml | 6 +-- roles/debian-qemu/tasks/main.yml | 3 ++ roles/debian-qemu/templates/auto.homes | 1 + roles/debian-qemu/templates/homes.autofs | 1 + roles/freeradius/handlers/main.yaml | 5 +- roles/freeradius/vars/main.yaml | 1 - roles/nsupdate/tasks/main.yml | 2 +- vault.yml | 26 ++++++++++ 41 files changed, 149 insertions(+), 168 deletions(-) create mode 100644 inventories/core delete mode 100644 playbooks/test.yml delete mode 100644 
roles/debian-base/files/timesync rename roles/debian-base/tasks/{tymesyncd.yml => timesync.yml} (83%) rename roles/debian-base/templates/{bacula-fd.conf.j2 => bacula-fd.conf} (100%) rename roles/debian-base/templates/{jail.local.j2 => jail.local} (100%) rename roles/debian-base/{files => templates}/nrpe.cfg (95%) delete mode 100644 roles/debian-guest/files/nslcd.conf delete mode 100644 roles/debian-guest/files/sudoers create mode 100644 roles/debian-guest/handlers/main.yml create mode 100644 roles/debian-guest/templates/nslcd.conf create mode 100644 roles/debian-guest/templates/sudoers rename roles/debian-qemu/{vars => defaults}/main.yml (100%) delete mode 100644 roles/debian-qemu/files/auto.homes delete mode 100644 roles/debian-qemu/files/homes.autofs create mode 100644 roles/debian-qemu/templates/auto.homes create mode 100644 roles/debian-qemu/templates/homes.autofs create mode 100644 vault.yml diff --git a/.gitignore b/.gitignore index 1d74e21..973bdc4 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ .vscode/ +.vaultpass diff --git a/README.md b/README.md index a8505d8..6f9efbb 100644 --- a/README.md +++ b/README.md @@ -21,12 +21,20 @@ ansible-playbook -u root -i , [--tags tag1,tag2] playbooks/test. *Note the comma at the end of the hostname or IP.* +## Manage vault + +Place vault password into *.vaultpass* file. + +Edit vault file. +``` +ansible-vault edit vault.yml +``` + ## Common playbooks * **facts.yml**: Collect and display facts from a host * **ping.yml**: Check that a host is alive and reachable * **awx.yml**: Create and configure AWX user -* **test.yml**: Test an specific role. Don't forget to undo changes before pushing! * **debian.yml**: Setup base Debian server ## Documentation diff --git a/ansible.cfg b/ansible.cfg index 02b7ba8..a6fd83b 100644 --- a/ansible.cfg +++ b/ansible.cfg 
@@ -1,10 +1,11 @@ [defaults] +remote_user = root +host_key_checking = False roles_path = ./roles inventory = ./inventories/production gathering = smart interpreter_python = auto_silent -remote_user = awx -host_key_checking = False +vault_password_file = .vaultpass [privilege_escalation] become = True diff --git a/inventories/core b/inventories/core new file mode 100644 index 0000000..27037d1 --- /dev/null +++ b/inventories/core @@ -0,0 +1,32 @@ +[ceph] +ceph1 ansible_host=ceph1.core.dc.verdnatura.es +ceph2 ansible_host=ceph2.core.dc.verdnatura.es +ceph3 ansible_host=ceph3.core.dc.verdnatura.es + +[ceph_gw] +ceph-gw1 ansible_host=ceph-gw1.core.dc.verdnatura.es +ceph-gw2 ansible_host=ceph-gw2.core.dc.verdnatura.es + +[pve] +pve01 ansible_host=pve01.core.dc.verdnatura.es +pve02 ansible_host=pve02.core.dc.verdnatura.es +pve03 ansible_host=pve03.core.dc.verdnatura.es +pve04 ansible_host=pve04.core.dc.verdnatura.es +pve05 ansible_host=pve04.core.dc.verdnatura.es + +[infra:children] +ceph +ceph_gw +pve + +[core] +core-agent ansible_host=core-agent.core.dc.verdnatura.es +core-proxy ansible_host=core-proxy.core.dc.verdnatura.es + +[backup] +bacula-dir ansible_host=bacula-dir.backup.dc.verdnatura.es +bacula-db ansible_host=bacula-db.backup.dc.verdnatura.es +bacularis ansible_host=bacularis.backup.dc.verdnatura.es +backup-nas ansible_host=backup-nas.backup.dc.verdnatura.es +tftp ansible_host=tftp.backup.dc.verdnatura.es +kube-backup ansible_host=kube-backup.backup.dc.verdnatura.es diff --git a/inventories/group_vars/all.yml b/inventories/group_vars/all.yml index d307c50..5dd7be7 100644 --- a/inventories/group_vars/all.yml +++ b/inventories/group_vars/all.yml 
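Review bot: `host_key_checking = False` survives on the new side of the `[defaults]` block (it is only moved up next to the new `remote_user = root`), so every SSH session made through this config skips host-key verification and a re-keyed or impersonated host is never detected before root-level plays and vault-loaded credentials reach it. Since the inventories pin hosts by FQDN, dropping that line and pre-seeding a known_hosts file costs little. Switching `remote_user` from `awx` to `root` also requires direct root SSH logins on every target, which is worth stating in the README given that `[privilege_escalation] become = True` already covers the unprivileged-user case. The new `vault_password_file = .vaultpass` is fine with the matching `.gitignore` entry, but the README should say to create that file with mode 0600, as it is read as plain text.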
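Review bot: `pve05 ansible_host=pve04.core.dc.verdnatura.es` in the new `[pve]` group points the pve05 alias at pve04's hostname, so plays targeting pve05 run a second time on pve04 and never touch pve05; the line should read `pve05 ansible_host=pve05.core.dc.verdnatura.es`. The same typo is in the block removed from `inventories/production`, so the split carried it over rather than introducing it. Note also that `ansible.cfg` still sets `inventory = ./inventories/production`, so these hosts are only reachable with an explicit `-i inventories/core`, and `[backup]` and `[core]` are no longer children of `guest`, which presumably means the debian-guest role no longer applies to them — worth confirming that is intended.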
@@ -1,5 +1,12 @@ sysadmin_mail: sysadmin@verdnatura.es +sysadmin_group: sysadmin smtp_server: smtp.verdnatura.es +homes_server: homes.servers.dc.verdnatura.es +nagios_server: nagios.verdnatura.es +time_server: time1.verdnatura.es time2.verdnatura.es +main_dns_server: ns1.verdnatura.es +ldap_uri: ldap://ldap.verdnatura.es +ldap_base: dc=verdnatura,dc=es dc_net: "10.0.0.0/16" resolv: domain: verdnatura.es 
@@ -12,43 +19,3 @@ awx_pub_key: > ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzAwWm+IsqZCgMzjdZ7Do3xWtVtoUCpWJpH7KSi2a/H awx@verdnatura.es -nslcd_password: !vault > - $ANSIBLE_VAULT;1.1;AES256 - 30343461633538323832316231383362626636653864353535346461353937313131336135396162 - 3866623238353638323961363239373236393339333134380a313561363030306165393965396234 - 65316535626434333331633438613639633163643765633064363833303461363834653864646464 - 3133313233353730620a343536316266393637623563313563613332646630643632366439343764 - 30383935303161646339393361393130613266663337373364626635646430326465 -rndc_key: !vault > - $ANSIBLE_VAULT;1.1;AES256 - 36386562613235363931396632656535383336313537636431643338353438313231623839313031 - 3830616135393732353265666664353963393366343461630a633365396165653761353762383739 - 66303862376465626435633964313237643230653463353662343831646464633639383336323863 - 6139333234386565620a653438613165626131653834633931343766343162653932373161653362 - 38303139333536656263656163623333313234393666353766363565633732366165 -radius_ldap_password: !vault > - $ANSIBLE_VAULT;1.1;AES256 - 31643037313539376337363739616361363339616235623433656131306539373030373731643934 - 3432656465343430366366646237326137656134346562360a306538303762313261616632643135 - 39316439653932396134646432633262326631363765643564306565636363356335653539656531 - 6234636463376364620a636133346337306437643939376531633564633737333133363065633031 - 61643731646163323636343837373761303930323961653663343135303731623133 -radius_client_password: !vault > - $ANSIBLE_VAULT;1.1;AES256 - 62313333666335316231396365653635356639626563613738363137383434343437393833393934 - 6439646632303536393438306234323862363532393733630a356136393539363161346631623161 - 37636365653331333735353166646164613732303035613231353237343139623137396364643637 - 3261656465336435630a666466643734373830633933613266663631343730386530633839386239 - 62623434663130363637303035363434313566376661356362663238666166343534 -awx_smtp_password: !vault > - 
$ANSIBLE_VAULT;1.1;AES256 - 62393936623766653737356136353765336265636136616330306537393638646663326663346138 - 3631616362363163393036613564623864383365633634660a366563363836363061623566393361 - 37633364633631333130346332613235303762316435313535613664323830656363353237373561 - 3866653365636431630a303262666662376662623862663461633361333037643863353135343836 - 61383730366664353730616331666139376234313562383163613736353231666533 -grub_code: > - grub.pbkdf2.sha512.10000.C91C8756466E7DB535C77DB7FBDBF3D33A39A0712DE3A9AFD38BE22 - 29139E86F23C4E007E6B76DDFDBBE4B2B32764B4EFFECF208C70BA9FECC6BB3FF68A6BA05.8EA385 - 7B795AF29FF5C6E003E31EC4D79B84813175C7A56A8A12F3F30A19B501D7127C0307277FB37073EE - 0246BCFDA9BD4EDDC3A1EE8176D25CD37B7FB07AF7 diff --git a/inventories/production b/inventories/production index 60314ed..1e38715 100644 --- a/inventories/production +++ b/inventories/production @@ -1,24 +1,3 @@ -[ceph] -ceph1 ansible_host=ceph1.core.dc.verdnatura.es -ceph2 ansible_host=ceph2.core.dc.verdnatura.es -ceph3 ansible_host=ceph3.core.dc.verdnatura.es - -[ceph_gw] -ceph-gw1 ansible_host=ceph-gw1.core.dc.verdnatura.es -ceph-gw2 ansible_host=ceph-gw2.core.dc.verdnatura.es - -[pve] -pve01 ansible_host=pve01.core.dc.verdnatura.es -pve02 ansible_host=pve02.core.dc.verdnatura.es -pve03 ansible_host=pve03.core.dc.verdnatura.es -pve04 ansible_host=pve04.core.dc.verdnatura.es -pve05 ansible_host=pve04.core.dc.verdnatura.es - -[infra:children] -ceph -ceph_gw -pve - [kube_master] kube-master1 ansible_host=kube-master1.servers.dc.verdnatura.es kube-master2 ansible_host=kube-master2.servers.dc.verdnatura.es 
@@ -51,18 +30,6 @@ dc1 ansible_host=dc1.servers.dc.verdnatura.es dc2 ansible_host=dc2.servers.dc.verdnatura.es server ansible_host=server.servers.dc.verdnatura.es -[backup] -bacula-dir ansible_host=bacula-dir.backup.dc.verdnatura.es -bacula-db ansible_host=bacula-db.backup.dc.verdnatura.es -bacularis ansible_host=bacularis.backup.dc.verdnatura.es -backup-nas ansible_host=backup-nas.backup.dc.verdnatura.es -tftp ansible_host=tftp.backup.dc.verdnatura.es -kube-backup ansible_host=kube-backup.backup.dc.verdnatura.es - -[core] -core-agent ansible_host=core-agent.core.dc.verdnatura.es -core-proxy ansible_host=core-proxy.core.dc.verdnatura.es - [db] db-proxy1 ansible_host=db-proxy1.servers.dc.verdnatura.es db-proxy2 ansible_host=db-proxy2.servers.dc.verdnatura.es @@ -121,8 +88,6 @@ dev-db ansible_host=dev-db.servers.dc.verdnatura.es [guest:children] ad -backup -core db kubernetes ldap diff --git a/playbooks/debian.yml b/playbooks/debian.yml index 6de614b..4888a35 100644 --- a/playbooks/debian.yml +++ b/playbooks/debian.yml @@ -1,5 +1,6 @@ - name: Configure base Debian host hosts: all + vars_files: ../vault.yml tasks: - name: Configure base system import_role: diff --git a/playbooks/facts.yml b/playbooks/facts.yml index 9ad84e5..0ccd652 100644 --- a/playbooks/facts.yml +++ b/playbooks/facts.yml @@ -3,7 +3,7 @@ gather_facts: yes tasks: - name: Print all available facts - ansible.builtin.debug: + debug: var: ansible_facts - name: Print variable value debug: diff --git a/playbooks/test.yml b/playbooks/test.yml deleted file mode 100644 index 358ac5d..0000000 --- a/playbooks/test.yml +++ /dev/null @@ -1,5 +0,0 @@ -- name: Test role - hosts: all - tasks: - - import_role: - name: debian-base diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml index 7f95631..3eb8039 100644 --- a/roles/debian-base/defaults/main.yaml +++ b/roles/debian-base/defaults/main.yaml 
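Review bot: `vars_files: ../vault.yml` is added only to `playbooks/debian.yml`, yet the secrets it now holds were removed from `inventories/group_vars/all.yml`, where every playbook picked them up; `roles/nsupdate/tasks/main.yml` still references `{{ rndc_key }}` and the new nslcd template `{{ nslcd_password }}`, so any other playbook that uses those roles will stop with an undefined-variable error. Keeping the encrypted file under the inventory (for example `inventories/group_vars/all/vault.yml`, with the existing vars moved to `all/vars.yml`) would make it auto-loaded again while remaining editable with `ansible-vault edit`; otherwise each playbook needs the same `vars_files` line. Whether anything consumed the dropped `grub_code` value cannot be seen from this diff.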
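Review bot: `ansible.builtin.debug` is shortened to `debug` here, and `roles/debian-qemu/tasks/autofs.yml` does the same with `ansible.builtin.file`; current Ansible guidance (and ansible-lint's fqcn rule) goes the other way, because a short name is resolved through the collection search path and can be shadowed by any installed collection. Keeping the fully qualified names costs nothing and leaves the module choice unambiguous.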
@@ -1,3 +1,10 @@ +default_user: user +root_password: Pa$$w0rd +fail2ban: + email: "{{ sysadmin_mail }}" + bantime: 600 + maxretry: 4 + ignore: "127.0.0.0/8 {{ dc_net }}" exim_dc_eximconfig_configtype: satellite dc_other_hostnames: "{{ ansible_fqdn }}" dc_local_interfaces: 127.0.0.1 diff --git a/roles/debian-base/files/profile.sh b/roles/debian-base/files/profile.sh index d8f3cf6..ab1ac12 100644 --- a/roles/debian-base/files/profile.sh +++ b/roles/debian-base/files/profile.sh @@ -37,3 +37,11 @@ HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S " # Security TMOUT=3600 + +# Aliases + +#export LS_OPTIONS='--color=auto' +#eval "$(dircolors)" +#alias ls='ls $LS_OPTIONS' +#alias ll='ls $LS_OPTIONS -l' +#alias la='ls $LS_OPTIONS -la' diff --git a/roles/debian-base/files/timesync b/roles/debian-base/files/timesync deleted file mode 100644 index 3c79241..0000000 --- a/roles/debian-base/files/timesync +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/sh - -test -x /usr/sbin/ntpdate || exit 0 -/usr/sbin/ntpdate time1.verdnatura.es -/usr/sbin/ntpdate time2.verdnatura.es diff --git a/roles/debian-base/tasks/bacula.yml b/roles/debian-base/tasks/bacula.yml index a786645..ef04a37 100644 --- a/roles/debian-base/tasks/bacula.yml +++ b/roles/debian-base/tasks/bacula.yml @@ -8,7 +8,7 @@ register: bacula_passwords - name: Configure Bacula FD template: - src: bacula-fd.conf.j2 + src: bacula-fd.conf dest: /etc/bacula/bacula-fd.conf owner: root group: bacula diff --git a/roles/debian-base/tasks/fail2ban.yml b/roles/debian-base/tasks/fail2ban.yml index f1a7042..709bafe 100644 --- a/roles/debian-base/tasks/fail2ban.yml +++ b/roles/debian-base/tasks/fail2ban.yml @@ -7,7 +7,7 @@ - rsyslog - name: Configure fail2ban service template: - src: jail.local.j2 + src: jail.local dest: /etc/fail2ban/jail.local owner: root group: root diff --git a/roles/debian-base/tasks/locale.yml b/roles/debian-base/tasks/locale.yml index 33efdf0..218c067 100644 --- a/roles/debian-base/tasks/locale.yml +++ b/roles/debian-base/tasks/locale.yml 
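Review bot: `root_password: Pa$$w0rd` in the role defaults gives every host a published, trivially guessable root password whenever the variable is not overridden, because `roles/debian-base/tasks/root.yaml` sets root's password from `root_password` unconditionally. A role default is the wrong place for a credential: remove the line and have root.yaml stop early with `assert: { that: root_password is defined }` so the value has to come from `vault.yml`, or guard the password task with `when: root_password is defined`. The other new defaults (`default_user`, the `fail2ban` block moved out of `vars/`) are fine as overridable defaults.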
@@ -12,4 +12,4 @@ - name: Generate locale command: locale-gen - name: Update locale - command: update-locale LANG=en_US.UTF-8 \ No newline at end of file + command: update-locale LANG=en_US.UTF-8 diff --git a/roles/debian-base/tasks/nrpe.yml b/roles/debian-base/tasks/nrpe.yml index b76f672..57ab588 100644 --- a/roles/debian-base/tasks/nrpe.yml +++ b/roles/debian-base/tasks/nrpe.yml @@ -6,12 +6,12 @@ - nagios-nrpe-server - nagios-plugins-contrib - name: Set NRPE generic configuration - copy: + template: src: nrpe.cfg dest: /etc/nagios/nrpe.d/90-vn.cfg owner: root group: root - mode: '0644' + mode: u=rw,g=r,o=r notify: restart-nrpe - name: Create NRPE local configuration file file: @@ -19,4 +19,6 @@ state: touch owner: nagios group: nagios - mode: '0640' + mode: u=rw,g=r,o= + modification_time: preserve + access_time: preserve diff --git a/roles/debian-base/tasks/root.yaml b/roles/debian-base/tasks/root.yaml index 6e42647..0bb8a91 100644 --- a/roles/debian-base/tasks/root.yaml +++ b/roles/debian-base/tasks/root.yaml @@ -6,21 +6,4 @@ - name: Change root password user: name: root - password: "{{ ssh_password | password_hash('sha512') }}" -- name: Configure bashrc - lineinfile: - dest: /root/.bashrc - regexp: "{{item.regexp}}" - line: "{{item.line}}" - state: present - with_items: - - regexp: "^# export LS_OPTIONS" - line: "export LS_OPTIONS='--color=auto" - - regexp: "^# eval" - line: 'eval "$(dircolors)"' - - regexp: "^# alias ls='ls $LS_OPTIONS'" - line: "alias ls='ls $LS_OPTIONS'" - - regexp: "^# alias ll='ls $LS_OPTIONS -l'" - line: "alias ll='ls $LS_OPTIONS -l'" - - regexp: "# alias la='ls $LS_OPTIONS -la'" - line: "alias la='ls $LS_OPTIONS -la'" + password: "{{ root_password | password_hash('sha512') }}" diff --git a/roles/debian-base/tasks/tymesyncd.yml b/roles/debian-base/tasks/timesync.yml similarity index 83% rename from roles/debian-base/tasks/tymesyncd.yml rename to roles/debian-base/tasks/timesync.yml index 89fbe1e..708a409 100644 
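Review bot: `password: "{{ root_password | password_hash('sha512') }}"` generates a fresh random salt on every run, so the `user` task reports changed and rewrites the shadow entry each time even when the password is unchanged, which hides real changes in the play summary. Passing a host-derived salt, `password_hash('sha512', 65534 | random(seed=inventory_hostname) | string)`, keeps the hash stable across runs while still differing per host. Given the new `Pa$$w0rd` default in `defaults/main.yaml`, this task should also refuse to run unless `root_password` has been overridden.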
--- a/roles/debian-base/tasks/tymesyncd.yml +++ b/roles/debian-base/tasks/timesync.yml @@ -2,7 +2,7 @@ lineinfile: path: /etc/systemd/timesyncd.conf regexp: '^#NTP' - line: "NTP=time1.verdnatura.es time2.verdnatura.es" + line: "NTP={{ time_server }}" owner: root group: root mode: '0644' @@ -14,7 +14,7 @@ owner: root group: root mode: '0644' - notify: restart systemd-timesyncd + notify: restart systemd-timesyncd - name: Service should start on boot service: name: systemd-timesyncd diff --git a/roles/debian-base/templates/bacula-fd.conf.j2 b/roles/debian-base/templates/bacula-fd.conf similarity index 100% rename from roles/debian-base/templates/bacula-fd.conf.j2 rename to roles/debian-base/templates/bacula-fd.conf diff --git a/roles/debian-base/templates/jail.local.j2 b/roles/debian-base/templates/jail.local similarity index 100% rename from roles/debian-base/templates/jail.local.j2 rename to roles/debian-base/templates/jail.local diff --git a/roles/debian-base/files/nrpe.cfg b/roles/debian-base/templates/nrpe.cfg similarity index 95% rename from roles/debian-base/files/nrpe.cfg rename to roles/debian-base/templates/nrpe.cfg index ba31809..7efab1f 100644 --- a/roles/debian-base/files/nrpe.cfg +++ b/roles/debian-base/templates/nrpe.cfg @@ -1,4 +1,4 @@ -allowed_hosts=nagios.verdnatura.es +allowed_hosts={{ nagios_server }} command[check_disk_root]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p / command[check_disk_var]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p /var diff --git a/roles/debian-base/vars/main.yml b/roles/debian-base/vars/main.yml index 4fd5f1c..17fe0d6 100644 --- a/roles/debian-base/vars/main.yml +++ b/roles/debian-base/vars/main.yml @@ -1,8 +1,3 @@ -fail2ban: - email: "{{ sysadmin_mail }}" - bantime: 600 - maxretry: 4 - ignore: "127.0.0.0/8 {{ dc_net }}" vn_host: url: http://apt.verdnatura.es/pool/main/v/vn-host package: vn-host_2.0.2_all.deb 
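Review bot: `line: "NTP={{ time_server }}"` is paired with `regexp: '^#NTP'`, which only matches the commented-out default shipped in timesyncd.conf; after the first run the line reads `NTP=...`, so a later change to `time_server` matches nothing and lineinfile appends a second `NTP=` line instead of replacing the first. Using `regexp: '^#?NTP='` covers both the pristine and the already-configured file. The task's `path` and `notify` lines are context here; the task itself starts before the hunk.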
diff --git a/roles/debian-guest/files/nslcd.conf b/roles/debian-guest/files/nslcd.conf deleted file mode 100644 index 858edce..0000000 --- a/roles/debian-guest/files/nslcd.conf +++ /dev/null @@ -1,16 +0,0 @@ -# See nslcd.conf(5) for details. - -uid nslcd -gid nslcd - -uri ldap://ldap.verdnatura.es -idle_timelimit 60 - -base dc=verdnatura,dc=es -binddn cn=nss,ou=admins,dc=verdnatura,dc=es -bindpw password -pagesize 500 - -filter group (&(objectClass=posixGroup)(cn=sysadmin)) -filter passwd (&(objectClass=posixAccount)(memberOf=cn=sysadmin,ou=dnGroups,dc=verdnatura,dc=es)) -pam_authz_search (&(objectClass=posixGroup)(cn=sysadmin)(memberuid=$username)) diff --git a/roles/debian-guest/files/sudoers b/roles/debian-guest/files/sudoers deleted file mode 100644 index d9faa7f..0000000 --- a/roles/debian-guest/files/sudoers +++ /dev/null @@ -1 +0,0 @@ -%sysadmin ALL=(ALL) NOPASSWD: ALL diff --git a/roles/debian-guest/handlers/main.yml b/roles/debian-guest/handlers/main.yml new file mode 100644 index 0000000..1764d05 --- /dev/null +++ b/roles/debian-guest/handlers/main.yml @@ -0,0 +1,6 @@ +- name: restart-nslcd + service: + name: nslcd + state: restarted +- name: pam-update-ldap + shell: pam-auth-update --enable ldap diff --git a/roles/debian-guest/tasks/auth.yml b/roles/debian-guest/tasks/auth.yml index e355630..7930b91 100644 --- a/roles/debian-guest/tasks/auth.yml +++ b/roles/debian-guest/tasks/auth.yml @@ -3,22 +3,15 @@ name: nslcd state: present - name: Configure NSLCD - copy: + template: src: nslcd.conf dest: /etc/nslcd.conf owner: root group: nslcd mode: '0640' - backup: yes -- name: Add LDAP password to NSLCD configuration - lineinfile: - dest: /etc/nslcd.conf - regexp: "{{item.regexp}}" - line: "{{item.line}}" - state: present - with_items: - - regexp: "^bindpw" - line: "bindpw {{ nslcd_password }}" + notify: + - restart-nslcd + - pam-update-ldap - name: Configure nsswitch to use NSLCD lineinfile: dest: /etc/nsswitch.conf 
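Review bot: `shell: pam-auth-update --enable ldap` in the new `pam-update-ldap` handler uses no shell features, so `command:` is the safer and lint-clean choice. Also, `restart-nslcd` is now defined only in the debian-guest role, while the context in `roles/debian-qemu/tasks/autofs.yml` still notifies `restart-nslcd`; if debian-qemu can run in a play without debian-guest, that notify presumably fails with a handler-not-found error — worth confirming.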
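Review bot: the `template:` task that renders `nslcd.conf` now writes `bindpw {{ nslcd_password }}` into the file, and with `--diff` (or `diff: true`) Ansible prints the full rendered content, so the LDAP bind password lands in console output and AWX job logs. Adding `diff: false` to this task (or `no_log: true` if the task output should be hidden entirely) keeps the secret out of the logs while the `0640` root:nslcd permissions on the target file stay as they are. Dropping `backup: yes` also avoids leaving timestamped copies of the credential file next to it.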
@@ -30,9 +23,3 @@ line: "passwd: files systemd ldap" - regexp: "^group:" line: "group: files systemd ldap" -- name: Reconfigure PAM to use LDAP - shell: pam-auth-update --enable ldap -- name: Restart NSLCD service - service: - name: nslcd - state: restarted diff --git a/roles/debian-guest/tasks/main.yml b/roles/debian-guest/tasks/main.yml index 6eb005d..44edaef 100644 --- a/roles/debian-guest/tasks/main.yml +++ b/roles/debian-guest/tasks/main.yml @@ -1,3 +1,4 @@ -- include_tasks: auth.yml - when: false +- import_tasks: auth.yml + tags: auth - import_tasks: sudoers.yml + tags: sudoers diff --git a/roles/debian-guest/tasks/sudoers.yml b/roles/debian-guest/tasks/sudoers.yml index 0671ddd..45e1d8c 100644 --- a/roles/debian-guest/tasks/sudoers.yml +++ b/roles/debian-guest/tasks/sudoers.yml @@ -3,7 +3,7 @@ name: sudo state: present - name: Add sysadmin to sudoers - copy: + template: src: sudoers dest: /etc/sudoers.d/vn mode: u=rw,g=r,o= diff --git a/roles/debian-guest/templates/nslcd.conf b/roles/debian-guest/templates/nslcd.conf new file mode 100644 index 0000000..ba36843 --- /dev/null +++ b/roles/debian-guest/templates/nslcd.conf @@ -0,0 +1,16 @@ +# See nslcd.conf(5) for details. + +uid nslcd +gid nslcd + +uri {{ ldap_uri }} +idle_timelimit 60 + +base {{ ldap_base }} +binddn cn=nss,ou=admins,{{ ldap_base }} +bindpw {{ nslcd_password }} +pagesize 500 + +filter group (&(objectClass=posixGroup)(cn={{ sysadmin_group }})) +filter passwd (&(objectClass=posixAccount)(memberOf=cn={{ sysadmin_group }},ou=dnGroups,{{ ldap_base }})) +pam_authz_search (&(objectClass=posixGroup)(cn={{ sysadmin_group }})(memberuid=$username)) diff --git a/roles/debian-guest/templates/sudoers b/roles/debian-guest/templates/sudoers new file mode 100644 index 0000000..0479f3a --- /dev/null +++ b/roles/debian-guest/templates/sudoers @@ -0,0 +1 @@ +%{{ sysadmin_group }} ALL=(ALL) NOPASSWD: ALL 
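Review bot: the `template:` task writing `/etc/sudoers.d/vn` has no `validate:`; a rendering problem in the new `sudoers` template (an empty or oddly formatted `sysadmin_group`, for instance) would install a malformed file, after which sudo rejects every rule and locks administrators out. Adding `validate: /usr/sbin/visudo -cf %s` makes Ansible check the file before moving it into place. The rule itself still grants `NOPASSWD: ALL` to the whole group, unchanged from the old static file, so a one-line comment in the template stating that this is intentional would help the next reader.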
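Review bot: `uri {{ ldap_uri }}` resolves to `ldap://ldap.verdnatura.es` from the new group_vars, and the template sets no `ssl` option, so nslcd performs its `bindpw` simple bind and every account lookup in clear text. Unless that traffic is confined to a trusted network, either point `ldap_uri` at `ldaps://` or add `ssl start_tls` together with `tls_reqcert demand` and a `tls_cacertfile` line to the template. This was already the case in the deleted `files/nslcd.conf`, so it is not a regression of this commit, but the templating makes it a one-line change now.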
diff --git a/roles/debian-qemu/vars/main.yml b/roles/debian-qemu/defaults/main.yml similarity index 100% rename from roles/debian-qemu/vars/main.yml rename to roles/debian-qemu/defaults/main.yml diff --git a/roles/debian-qemu/files/auto.homes b/roles/debian-qemu/files/auto.homes deleted file mode 100644 index a8cfec3..0000000 --- a/roles/debian-qemu/files/auto.homes +++ /dev/null @@ -1 +0,0 @@ -* -fstype=nfs4,rw homes.servers.dc.verdnatura.es:/mnt/homes/& diff --git a/roles/debian-qemu/files/homes.autofs b/roles/debian-qemu/files/homes.autofs deleted file mode 100644 index f28eff2..0000000 --- a/roles/debian-qemu/files/homes.autofs +++ /dev/null @@ -1 +0,0 @@ -/mnt/homes /etc/auto.homes --timeout=30 diff --git a/roles/debian-qemu/tasks/autofs.yml b/roles/debian-qemu/tasks/autofs.yml index 049e21d..8701228 100644 --- a/roles/debian-qemu/tasks/autofs.yml +++ b/roles/debian-qemu/tasks/autofs.yml @@ -8,7 +8,7 @@ - libnfs-utils - autofs-ldap - name: Create homes directory - ansible.builtin.file: + file: path: "{{ homes_path }}" state: directory mode: '0755' @@ -18,14 +18,14 @@ line: "automount: files" notify: restart-nslcd - name: Add file homes.autofs configured to autofs - copy: + template: src: homes.autofs dest: /etc/auto.master.d/homes.autofs owner: root group: root mode: '0644' - name: Add file /etc/auto.homes configured to the systemd - copy: + template: src: auto.homes dest: /etc/auto.homes owner: root diff --git a/roles/debian-qemu/tasks/main.yml b/roles/debian-qemu/tasks/main.yml index 3820ce9..ec83e1e 100644 --- a/roles/debian-qemu/tasks/main.yml +++ b/roles/debian-qemu/tasks/main.yml @@ -1,3 +1,6 @@ - import_tasks: agent.yml + tags: agent - import_tasks: hotplug.yml + tags: hotplug - import_tasks: autofs.yml + tags: autofs diff --git a/roles/debian-qemu/templates/auto.homes b/roles/debian-qemu/templates/auto.homes new file mode 100644 index 0000000..8b16230 --- /dev/null +++ b/roles/debian-qemu/templates/auto.homes 
@@ -0,0 +1 @@ +* -fstype=nfs4,rw {{ homes_server }}:{{ homes_path }}/& diff --git a/roles/debian-qemu/templates/homes.autofs b/roles/debian-qemu/templates/homes.autofs new file mode 100644 index 0000000..c18bad3 --- /dev/null +++ b/roles/debian-qemu/templates/homes.autofs @@ -0,0 +1 @@ +{{ homes_path }} /etc/auto.homes --timeout=30 diff --git a/roles/freeradius/handlers/main.yaml b/roles/freeradius/handlers/main.yaml index b46b437..74c7416 100644 --- a/roles/freeradius/handlers/main.yaml +++ b/roles/freeradius/handlers/main.yaml @@ -1,6 +1,5 @@ -# restart freeradius service to apply changes -- name: restart freeradius +- name: restart-freeradius service: - name: "{{ freeradius_daemon }}" + name: freeradius state: restarted enabled: yes \ No newline at end of file diff --git a/roles/freeradius/vars/main.yaml b/roles/freeradius/vars/main.yaml index 5d83bfc..baa3263 100644 --- a/roles/freeradius/vars/main.yaml +++ b/roles/freeradius/vars/main.yaml @@ -8,6 +8,5 @@ freeradius_dictionary_config: "{{ freeradius_base_folder }}dictionary" freeradius_clients_config: "{{ freeradius_base_folder }}clients.conf" freeradius_mod_ldap: "{{ freeradius_mods_available_folder }}ldap" freeradius_filter_config: "{{ freeradius_base_folder }}policy.d/filter" -freeradius_daemon: freeradius freeradius_pam_config: /etc/pam.d/radiusd freeradius_service_config: /lib/systemd/system/freeradius.service diff --git a/roles/nsupdate/tasks/main.yml b/roles/nsupdate/tasks/main.yml index 797156d..fa918d9 100644 --- a/roles/nsupdate/tasks/main.yml +++ b/roles/nsupdate/tasks/main.yml @@ -3,7 +3,7 @@ key_name: "rndc-key" key_secret: "{{ rndc_key }}" key_algorithm: "hmac-md5" - server: "ns1.verdnatura.es" + server: "{{ main_dns_server }}" zone: "{{ zone_record }}" record: "{{ name_record }}" ttl: "{{ ttl_record }}" diff --git a/vault.yml b/vault.yml new file mode 100644 index 0000000..25a562e --- /dev/null +++ b/vault.yml 
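Review bot: renaming the handler to `restart-freeradius` and hard-coding `name: freeradius` means any task in the freeradius role still carrying `notify: restart freeradius` will now fail with a handler-not-found error; the role's task files are not in this diff, so please confirm they were updated along with the removal of `freeradius_daemon` from `vars/main.yaml`. The file also still ends without a trailing newline (`\ No newline at end of file`), which the other edited files in this commit fix.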
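Review bot: `server: "{{ main_dns_server }}"` is a welcome parametrization, but the unchanged `key_algorithm: "hmac-md5"` two lines above it keeps the TSIG update on a legacy algorithm; if the `rndc-key` on the DNS server can be regenerated, `hmac-sha256` is the usual choice today and could be parametrized the same way. The task's remaining fields run past the end of the hunk.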
@@ -0,0 +1,26 @@
+$ANSIBLE_VAULT;1.1;AES256
+37396535616365346266643936343463336564303066356131363064633436353763343735666563
+3234623639383039393735346632636163623435313965660a363363386637666261626661336333
+39643436663965383239323435613339323766623630633430343465313038643235636666343938
+3531636532613661650a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