refs #8025 Debian roles merged

Juan Ferrer 2025-02-04 21:03:45 +01:00
parent 03b20064ef
commit ccb95837fa
58 changed files with 6 additions and 953 deletions


@ -1,18 +1,5 @@
- name: Configure base Debian host
hosts: all
tasks:
- name: Configure virtual machine or host (not LXC)
import_role:
name: debian-host
when: ansible_virtualization_role == 'host' or ansible_virtualization_type == 'kvm'
- name: Configure base system (all)
import_role:
name: debian-base
- name: Configure guest
import_role:
name: debian-guest
when: ansible_virtualization_role == 'guest'
- name: Configure virtual machine
import_role:
name: debian-qemu
when: ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'kvm'
- import_role:
name: debian
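Review bot: The play-level `when` guards that previously selected debian-host (host or kvm), debian-guest (guest) and debian-qemu (kvm guest) are dropped, and the single `import_role: debian` that replaces them runs unconditionally on every host; the merged role's task files are not part of this commit, so it is not visible whether the role re-applies the `ansible_virtualization_role`/`ansible_virtualization_type` conditions internally. If it does not, host-only steps (the GRUB password, hotplug and AppArmor tasks that the deleted files show) would also run inside LXC containers, and guest-only steps on bare hosts. The same unconditional import is added to the Kubernetes and PVE plays in the next two sections. The new entry also has no task `name`, which is what the play output shows; suggest `- name: Configure Debian (merged base, host and guest roles)` above `import_role:`.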


@ -1,5 +1,7 @@
- name: Configure Kubernetes
hosts: all
tasks:
- import_role:
name: debian
- import_role:
name: kube


@ -1,5 +1,7 @@
- name: Configure PVE
hosts: all
tasks:
- import_role:
name: debian
- import_role:
name: pve


@ -1,41 +0,0 @@
vn_first_time: false
vn_witness_checked: false
deb_packages:
- https://apt.verdnatura.es/pool/main/v/vn-host/vn-apt-source_3.0.1_all.deb
- https://apt.verdnatura.es/pool/main/v/vn-host/vn-host_3.0.1_all.deb
grub_user: admin
default_user: user
fail2ban:
email: "{{ sysadmin_mail }}"
bantime: 600
maxretry: 4
ignore: "127.0.0.0/8 {{ dc_net }}"
logpath: "/var/log/auth.log"
fail2ban_base_packages:
- fail2ban
- rsyslog
time_server_spain: ntp.roa.es
nagios_packages:
- nagios-nrpe-server
- nagios-plugins-contrib
- monitoring-plugins-basic
base_packages:
- htop
- psmisc
- bash-completion
- screen
- aptitude
- tree
- btop
- ncdu
- debconf-utils
- net-tools
- gpg
- curl
- cloud-guest-utils
- rsync
- parted
- yq
locales_present:
- en_US.UTF-8
- es_ES.UTF-8


@ -1,102 +0,0 @@
#!/bin/bash
LABEL="\033[0;32m"
SUBLB="\033[0;36m"
RESET="\033[0m"
BLINK="\033[5m"
. /etc/os-release
# Environment
PRO="\033[1;5;31m"
LAB="\033[0;35m"
VN="\033[0;32m"
UNKNOWN="\033[0;33m"
FQDN=$(hostname --fqdn)
case "$FQDN" in
*.dc.verdnatura.es)
ENVIRONMENT="${PRO}Production${RESET}"
;;
*.lab.verdnatura.es)
ENVIRONMENT="${LAB}Laboratory${RESET}"
;;
*.verdnatura.es)
ENVIRONMENT="${VN}Verdnatura${RESET}"
;;
*)
ENVIRONMENT="${UNKNOWN}Unknown${RESET}"
;;
esac
# Last login
LAST="$(last -n1 | head -1)"
if [ "$LAST" != "" ] ; then
LAST_LOGIN_USER="$(echo $LAST | cut -d' ' -f1)"
LAST_LOGIN_IP="$(echo $LAST | cut -d' ' -f3)"
LAST_LOGIN_TIME="$(echo $LAST | cut -d' ' -f4-)"
LAST_LOGIN="$LAST_LOGIN_USER ($LAST_LOGIN_IP) $LAST_LOGIN_TIME"
fi
# Packages
PACKAGES=$(dpkg-query -W -f='${binary:Package}\n' | wc -l)
SHOW_UPGRADEABLE=0
USER_UID=$(id -u $USER)
USER_GROUPS=$(id -Gn $USER)
if [ ${USER_UID} -eq 0 ] ; then
SHOW_UPGRADEABLE=1
fi
if [[ "${USER_GROUPS}" == *"sysadmin"* ]] ; then
SHOW_UPGRADEABLE=1
fi
if [ $SHOW_UPGRADEABLE -eq 1 ] ; then
UPGRADEABLE="$(apt list --upgradable 2>/dev/null | tail -n +2 | wc -l)"
if [ "$UPGRADEABLE" -gt 0 ]; then
UPGRADEABLE_ALERT="${BLINK}($UPGRADEABLE upgradeable)${RESET}"
fi
fi
# Network and users
NET_IPS=$(ip -o -4 add sh | tail -n +2 | awk '{printf "\033[0;36m%16s >\033[0m %-15s\n",$2,$4}')
CONNECTED_USERS=$(w | tail -n +2 | awk '{printf "\t%15s %12s %8s %s\n",$1,$3,$4, substr( $0, index($0,$8), index($0,$NF)) }')
# Logo
FW="\033[1;37m"
FG="\033[1;32m"
GB="\e[48;5;112m"
GL="\e[48;5;70m"
RS="\e[0m"
echo -e
echo -e " $GL $GB $RS"
echo -e " $GL $GB $GL $RS $GL $GB $RS" " ${FW}__ __ _ ${FG} _ _ _ ${RS}"
echo -e " $GB $GL $RS $GL $GB $GL $RS" " ${FW}\ \ / /__ _ __ __| |${FG}| \ | | __ _| |_ _ _ _ __ __ _ ${RS}"
echo -e " $GL $GB $RS $GB $GL $RS " " ${FW} \ \ / / _ \ '__/ _' |${FG}| \| |/ _' | __| | | | '__/ _' |${RS}"
echo -e " $GL $GB $RS $GB $GL $RS " " ${FW} \ V / __/ | | (_| |${FG}| |\ | (_| | |_| |_| | | | (_| |${RS}"
echo -e " " " ${FW} \_/ \___|_| \__,_|${FG}|_| \_|\__,_|\__|\__,_|_| \__,_|${RS}"
echo -e " $GL $GB $RS $GB $GL $RS"
echo -e " $GL $GB $GL $RS $GL $GB $RS"
echo -e " $GB $GL $RS"
echo -e
# Information
echo -e "${LABEL}Host :${RESET} $FQDN"
echo -e "${LABEL}OS :${RESET} $NAME $(cat /etc/debian_version) ($VERSION_CODENAME)"
echo -e "${LABEL}Kernel :${RESET} $(uname -r)"
echo -e "${LABEL}Shell :${RESET} $SHELL $(echo $BASH_VERSION | cut -d'(' -f1)"
echo -e "${LABEL}Uptime :${RESET} $(uptime -p | tr -d ',')"
echo -e "${LABEL}Packages :${RESET} $PACKAGES $UPGRADEABLE_ALERT"
echo -e "${LABEL}IP :${RESET}"
echo -e "$NET_IPS"
echo -e "${LABEL}Last Login :${RESET} $LAST_LOGIN"
echo -e "${LABEL}Environment :${RESET} $ENVIRONMENT"
echo -e "${LABEL}Connected users :${RESET}"
echo -e "$CONNECTED_USERS"


@ -1,47 +0,0 @@
#!/bin/bash
# Prompt
FQDN=$(hostname --fqdn)
if [[ $FQDN == *.verdnatura.es ]]; then
SHORT_HOST=${FQDN%.verdnatura.es}
case "$SHORT_HOST" in
*.dc)
ENVIRONMENT="\[\033[01;31m\]PRO\[\033[00m\]"
;;
*.lab)
ENVIRONMENT="\[\033[01;35m\]LAB\[\033[00m\]"
;;
*)
ENVIRONMENT="\[\033[01;32m\]VN\[\033[00m\]"
;;
esac
PS1="\u@$SHORT_HOST[$ENVIRONMENT]:\w"
if [ "$(id -u)" -eq 0 ]; then
PS1="$PS1# "
else
PS1="$PS1\$ "
fi
fi
# History
HISTSIZE=10000
HISTFILESIZE=50000
HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S "
# Security
TMOUT=3600
# Aliases
#export LS_OPTIONS='--color=auto'
#eval "$(dircolors)"
#alias ls='ls $LS_OPTIONS'
#alias ll='ls $LS_OPTIONS -l'
#alias la='ls $LS_OPTIONS -la'


@ -1,3 +0,0 @@
[Definition]
actionstart =
actionstop =


@ -1,5 +0,0 @@
syntax on
set showcmd
set showmatch
set ignorecase
set smartcase


@ -1,26 +0,0 @@
- name: restart systemd-timesyncd
systemd:
name: systemd-timesyncd
state: restarted
- name: restart-ssh
systemd:
name: ssh
state: restarted
- name: restart fail2ban
systemd:
name: fail2ban
state: restarted
- name: restart-nrpe
systemd:
name: nagios-nrpe-server
state: restarted
- name: restart sshd
systemd:
name: sshd
state: restarted
- name: generate locales
command: /usr/sbin/locale-gen
- name: reconfigure tzdata
command: dpkg-reconfigure -f noninteractive tzdata
- name: update exim configuration
command: /usr/sbin/update-exim4.conf


@ -1,53 +0,0 @@
- name: Install Bacula FD packages
apt:
name: bacula-fd
state: present
- name: Read content file in base64
slurp:
src: /etc/bacula/common_default_passwords
register: file_content
- name: Going to text plane
no_log: true
set_fact:
file_content_decoded: "{{ file_content.content | b64decode }}"
- name: Extracting passwords
no_log: true
set_fact:
passwords: "{{ file_content_decoded.splitlines() | select('match', '^[^#]') | map('regex_replace', '^([^=]+)=(.+)$', '\\1:\\2') | list }}"
- name: Initialize password dictionary
set_fact:
bacula_passwords: {}
- name: Convert lines to individual variables generating a new dict
no_log: true
set_fact:
bacula_passwords: "{{ bacula_passwords | combine({item.split(':')[0].lower(): item.split(':')[1] | regex_replace('\\n$', '') }) }}"
loop: "{{ passwords }}"
when: "'FDPASSWD' in item or 'FDMPASSWD' in item"
- name: Configure Bacula FD
template:
src: bacula-fd.conf
dest: /etc/bacula/bacula-fd.conf
owner: root
group: bacula
mode: u=rw,g=r,o=
backup: true
register: bacula_config
- name: Configure master cert
copy:
content: "{{ ca_bacula }}"
dest: /etc/bacula/master-cert.pem
owner: root
group: root
mode: u=rw,g=r,o=r
- name: Configure master cert
copy:
content: "{{ lookup(passbolt, 'fd-cert.pem', folder_parent_id=passbolt_folder).description }}"
dest: /etc/bacula/fd-cert.pem
owner: root
group: bacula
mode: u=rw,g=r,o=
- name: Restart Bacula FD service
service:
name: bacula-fd
state: restarted
when: bacula_config.changed


@ -1,5 +0,0 @@
- name: Delete default user
user:
name: "{{ default_user }}"
state: absent
remove: yes


@ -1,40 +0,0 @@
- name: Install fail2ban and rsyslog packages
apt:
name: "{{ fail2ban_base_packages }}"
state: present
- name: Configure sshd_config settings
copy:
dest: /etc/ssh/sshd_config.d/vn-fail2ban.conf
content: |
# Do not edit this file! Ansible will overwrite it.
SyslogFacility AUTH
owner: root
group: root
mode: u=rw,g=r,o=r
notify: restart sshd
- name: Adjust action configuration to reduce noise
copy:
src: sendmail-common.local
dest: /etc/fail2ban/action.d/sendmail-common.local
owner: root
group: root
mode: u=rw,g=r,o=r
notify: restart sshd
- name: Configure fail2ban service
template:
src: jail.local
dest: /etc/fail2ban/jail.local
owner: root
group: root
mode: u=rw,g=r,o=r
notify: restart fail2ban
register: jail
- name: Ensure file for auth sshd custom log exists
file:
path: /var/log/auth.log
state: touch
owner: root
group: adm
mode: u=rw,g=r,o=
when: jail.changed


@ -1,4 +0,0 @@
- name: Install base packages
apt:
name: "{{ base_packages }}"
state: present


@ -1,6 +0,0 @@
- name: make sure locales in variable are generated
locale_gen:
name: "{{ item }}"
state: present
with_items: "{{ locales_present }}"
notify: generate locales


@ -1,34 +0,0 @@
- import_tasks: witness.yml
tags: witness
- import_tasks: root.yml
tags: root
- import_tasks: resolv.yml
tags: resolv
- import_tasks: timesync.yml
tags: timesync
- import_tasks: sshd_configure.yml
tags: sshd_configure
- import_tasks: defuser.yml
tags: defuser
- import_tasks: install.yml
tags: install
- import_tasks: locale.yml
tags: locale
- import_tasks: tzdata.yml
tags: tzdata
- import_tasks: relayhost.yml
tags: relayhost
- import_tasks: motd.yml
tags: motd
- import_tasks: profile.yml
tags: profile
- import_tasks: vim.yml
tags: vim
- import_tasks: nrpe.yml
tags: nrpe
- import_tasks: fail2ban.yml
tags: fail2ban
- import_tasks: bacula.yml
tags: bacula
- import_tasks: vn-repo.yml
tags: vn-repo


@ -1,7 +0,0 @@
- name: Copy MOTD configuration file
copy:
src: motd
dest: /etc/update-motd.d/90-vn
mode: u=rwx,g=rx,o=rx
owner: root
group: root


@ -1,22 +0,0 @@
- name: Install NRPE packages
apt:
name: "{{ nagios_packages }}"
state: present
install_recommends: no
- name: Set NRPE generic configuration
template:
src: nrpe.cfg
dest: /etc/nagios/nrpe.d/90-vn.cfg
owner: root
group: root
mode: u=rw,g=r,o=r
notify: restart-nrpe
- name: Create NRPE local configuration file
file:
path: /etc/nagios/nrpe.d/99-local.cfg
state: touch
owner: nagios
group: nagios
mode: u=rw,g=r,o=
modification_time: preserve
access_time: preserve


@ -1,7 +0,0 @@
- name: Copy profile configuration file
copy:
src: profile.sh
dest: /etc/profile.d/vn.sh
mode: u=rw,g=r,o=r
owner: root
group: root


@ -1,33 +0,0 @@
- name: Getting service facts to check for postfix
service_facts:
- when: "'postfix.service' not in ansible_facts.services"
block:
- name: Install exim packages
apt:
name: exim4
state: present
- name: Prepare exim configuration
blockinfile:
path: /etc/exim4/update-exim4.conf.conf
marker_begin: '--- BEGIN VN ---'
marker_end: '--- END VN ---'
marker: "# {mark}"
block: |
dc_eximconfig_configtype='satellite'
dc_other_hostnames='{{ ansible_fqdn }}'
dc_local_interfaces='127.0.0.1'
dc_readhost='{{ ansible_fqdn }}'
dc_smarthost='{{ smtp_server }}'
dc_hide_mailname='true'
state: present
create: yes
mode: u=rw,g=r,o=r
notify: update exim configuration
register: exim_config
- name: Force execution of handlers immediately
meta: flush_handlers
- name: Sending mail to verify relay host configuration works
shell: >
sleep 2; echo "If you see this message, relayhost on {{ ansible_fqdn }} has been configured correctly." \
| mailx -s "Relayhost test for {{ ansible_fqdn }}" "{{ sysadmin_mail }}"
when: exim_config.changed


@ -1,22 +0,0 @@
- name: Check if DNS is already configured
stat:
path: /etc/resolv.conf
register: resolv_conf
- name: Read /etc/resolv.conf
slurp:
path: /etc/resolv.conf
register: resolv_conf_content
when: resolv_conf.stat.exists
- name: Check if DNS servers are already present
set_fact:
dns_configured: "{{ resolv_conf_content['content'] | b64decode | regex_search('^nameserver') is not none }}"
when: resolv_conf.stat.exists
- name: Apply resolv.conf template only if DNS is not configured
template:
src: templates/resolv.conf
dest: /etc/resolv.conf
owner: root
group: root
mode: u=rw,g=r,o=r
backup: true
when: not resolv_conf.stat.exists or not dns_configured


@ -1,43 +0,0 @@
- name: Set the root password changed witness variable
set_fact:
root_pass_changed: "{{ vn_ini.witness.root_pass_changed | default(false) }}"
- when: vn_witness_checked and not root_pass_changed
no_log: true
block:
- name: Search root password in Passbolt
ignore_errors: true
set_fact:
passbolt_password: >
{{
lookup(passbolt, inventory_hostname_short,
username='root',
uri='ssh://'+hostname_fqdn
)
}}
- when: passbolt_password is not defined
block:
- name: Generate a random root password
set_fact:
root_password: "{{ lookup('password', '/dev/null length=18 chars=ascii_letters,digits') }}"
- name: Save root password into Passbolt
set_fact:
msg: >
{{
lookup(passbolt, inventory_hostname_short,
username='root',
password=root_password,
uri='ssh://'+hostname_fqdn+'/'
)
}}
environment:
PASSBOLT_CREATE_NEW_RESOURCE: true
- name: Change root password
user:
name: root
password: "{{ root_password | password_hash('sha512') }}"
- name: Set root password generated witness
ini_file:
path: /etc/vn.ini
section: witness
option: root_pass_changed
value: true


@ -1,17 +0,0 @@
- name: Configure sshd_config settings
copy:
dest: /etc/ssh/sshd_config.d/vn-listenipv4.conf
content: |
# Do not edit this file! Ansible will overwrite it.
ListenAddress 0.0.0.0
owner: root
group: root
mode: u=rw,g=r,o=r
notify: restart sshd
- name: Deploy custom authorized_keys for root
copy:
dest: /root/.ssh/authorized_keys2
content: "{{ public_keys }}"
owner: root
group: root
mode: u=rw,g=,o=


@ -1,28 +0,0 @@
- name: Getting service facts to check for timesyncd
service_facts:
- when: "'systemd-timesyncd.service' in ansible_facts.services"
block:
- name: Ensure directory for timesyncd custom configuration exists
file:
path: /etc/systemd/timesyncd.conf.d/
state: directory
owner: root
group: root
mode: u=rwx,g=rx,o=rx
- name: Configure timesyncd service
copy:
dest: /etc/systemd/timesyncd.conf.d/vn-ntp.conf
content: |
[Time]
NTP={{ time_server }}
FallbackNTP={{ time_server_spain }}
owner: root
group: root
mode: u=rw,g=r,o=r
notify: restart systemd-timesyncd
- name: Ensure timesyncd service is enabled and started
when: "ansible_facts.services['systemd-timesyncd.service'].status == 'enabled'"
service:
name: systemd-timesyncd
enabled: yes
state: started


@ -1,11 +0,0 @@
- name: Configure debconf for tzdata
debconf:
name: tzdata
question: "{{ item.question }}"
value: "{{ item.value }}"
vtype: "string"
loop:
- { question: "tzdata/Areas", value: "Europe" }
- { question: "tzdata/Zones/Europe", value: "Madrid" }
- { question: "tzdata/Zones/Etc", value: "UTC" }
notify: reconfigure tzdata


@ -1,11 +0,0 @@
- name: Install vim packages
apt:
name: vim
state: present
- name: Copy vim configuration file
copy:
src: vimrc.local
dest: /etc/vim/
mode: u=rw,g=r,o=r
owner: root
group: root


@ -1,4 +0,0 @@
- name: Install package
apt:
deb: "{{ item }}"
with_items: "{{ deb_packages }}"


@ -1,17 +0,0 @@
- name: Check if witness INI file exists
stat:
path: /etc/vn.ini
register: witness_file
- name: Set witness related variables
set_fact:
vn_first_time: "{{ not witness_file.stat.exists }}"
vn_witness_checked: true
- when: not vn_first_time
block:
- name: Slurp witness INI file
slurp:
src: /etc/vn.ini
register: vn_ini_file
- name: Put witness as dictionary into variable
set_fact:
vn_ini: "{{ vn_ini_file.content | b64decode | community.general.from_ini }}"


@ -1,24 +0,0 @@
Director {
Name = bacula-dir
Password = "{{ bacula_passwords.fdpasswd }}"
}
Director {
Name = bacula-mon
Password = "{{ bacula_passwords.fdmpasswd }}"
Monitor = yes
}
FileDaemon {
Name = bacula-fd
WorkingDirectory = /var/lib/bacula
Pid Directory = /run/bacula
Maximum Concurrent Jobs = 20
Plugin Directory = /usr/lib/bacula
PKI Signatures = Yes
PKI Encryption = Yes
PKI Keypair = "/etc/bacula/fd-cert.pem"
PKI Master Key = "/etc/bacula/master-cert.pem"
}
Messages {
Name = Standard
director = bacula-dir = all, !skipped, !restored
}


@ -1,22 +0,0 @@
# Do not edit this file! Ansible will overwrite it.
[DEFAULT]
ignoreip = {{ fail2ban.ignore }}
bantime = {{ fail2ban.bantime }}
findtime = {{ fail2ban.bantime }}
maxretry = {{ fail2ban.maxretry }}
destemail = {{ fail2ban.email }}
sender = root@{{ ansible_fqdn }}
banaction = nftables-multiport
action = %(action_)s
#+++++++++++++++ Jails
[sshd]
ignoreip = 127.0.0.1/8
enabled = true
port = 0:65535
filter = sshd
logpath = {{ fail2ban.logpath }}
action = %(action_mwl)s


@ -1,13 +0,0 @@
allowed_hosts={{ nagios_server }}
server_address={{ ansible_default_ipv4.address }}
command[check_disk_root]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p /
command[check_disk_var]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p /var
command[check_disk_usr]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p /usr
command[check_disk_home]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p /home
command[check_disk_tmp]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p /tmp
command[check_dummy]=/usr/lib/nagios/plugins/check_dummy 0
command[check_swap]=/usr/lib/nagios/plugins/check_swap -w 40% -c 20% -n OK
command[check_load]=/usr/lib/nagios/plugins/check_load -r -w 3.5,3.25,3 -c 4.5,4.25,4
command[check_total_procs]=/usr/lib/nagios/plugins/check_procs -w 400 -c 500
command[check_memory]=/usr/lib/nagios/plugins/check_memory --available -m -w 20%: -c 10%:


@ -1,7 +0,0 @@
domain {{ host_domain }}
search {{ host_domain }}
{% if resolvers is defined %}
{% for resolver in resolvers %}
nameserver {{resolver}}
{% endfor %}
{% endif %}


@ -1,8 +0,0 @@
- name: restart-nslcd
service:
name: nslcd
state: restarted
- name: restart-ssh
systemd:
name: ssh
state: restarted


@ -1,25 +0,0 @@
- name: Install packages
apt:
name: nslcd
state: present
- name: Configure NSLCD
template:
src: nslcd.conf
dest: /etc/nslcd.conf
owner: root
group: nslcd
mode: '0640'
notify:
- restart-nslcd
register: nslcd
- name: Configure nsswitch to use NSLCD
lineinfile:
dest: /etc/nsswitch.conf
regexp: "{{item.regexp}}"
line: "{{item.line}}"
state: present
with_items:
- regexp: "^passwd:"
line: "passwd: files systemd ldap"
- regexp: "^group:"
line: "group: files systemd ldap"


@ -1,6 +0,0 @@
- import_tasks: auth.yml
tags: auth
- import_tasks: sudoers.yml
tags: sudoers
- import_tasks: ssh_keys.yml
tags: ssh_keys


@ -1,21 +0,0 @@
- name: Set the SSH keys generated witness variable
set_fact:
ssh_keys_generated: "{{ vn_ini.witness.ssh_keys_generated | default(false) }}"
- when: vn_witness_checked and not ssh_keys_generated
block:
- name: Generate SSH key pairs
openssh_keypair:
path: "/etc/ssh/ssh_host_{{ item.type }}_key"
type: "{{ item.type }}"
force: yes
loop:
- { type: 'rsa' }
- { type: 'ecdsa' }
- { type: 'ed25519' }
notify: restart sshd
- name: Set SSH keys generated witness
ini_file:
path: /etc/vn.ini
section: witness
option: ssh_keys_generated
value: true


@ -1,11 +0,0 @@
- name: Install sudo package
apt:
name: sudo
state: present
- name: Add sysadmin to sudoers
template:
src: sudoers
dest: /etc/sudoers.d/vn
mode: u=rw,g=r,o=
owner: root
group: root


@ -1,16 +0,0 @@
# See nslcd.conf(5) for details.
uid nslcd
gid nslcd
uri {{ ldap_uri }}
idle_timelimit 60
base {{ ldap_base }}
binddn cn=nss,ou=admins,{{ ldap_base }}
bindpw {{ lookup(passbolt, 'nslcd', folder_parent_id=passbolt_folder).password }}
pagesize 500
filter group (&(objectClass=posixGroup)(cn={{ sysadmin_group }}))
filter passwd (&(objectClass=posixAccount)(memberOf=cn={{ sysadmin_group }},ou=dnGroups,{{ ldap_base }}))
pam_authz_search (&(objectClass=posixGroup)(cn={{ sysadmin_group }})(memberuid=$username))


@ -1 +0,0 @@
%{{ sysadmin_group }} ALL=(ALL) NOPASSWD: ALL


@ -1,4 +0,0 @@
vm.swappiness=10
vm.dirty_ratio=30
vm.dirty_background_ratio=5
net.core.somaxconn=65536


@ -1,7 +0,0 @@
net.core.rmem_max=134217728
net.core.wmem_max=134217728
net.core.netdev_max_backlog=250000
net.ipv4.tcp_rmem=4096 87380 67108864
net.ipv4.tcp_wmem=4096 65536 67108864
net.ipv4.tcp_congestion_control=htcp
net.ipv4.tcp_mtu_probing=1


@ -1,3 +0,0 @@
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1


@ -1,4 +0,0 @@
- name: restart-sysctl
systemd:
name: systemd-sysctl
state: restarted


@ -1,16 +0,0 @@
- name: Getting service facts to check for apparmor
service_facts:
- when: "'apparmor.service' in ansible_facts.services"
block:
- name: Stop AppArmor
systemd:
name: apparmor
state: stopped
- name: Disable AppArmor service
systemd:
name: apparmor
enabled: no
- name: Mask AppArmor service
systemd:
name: apparmor
masked: yes


@ -1,9 +0,0 @@
- name: Set the hostname
hostname:
name: "{{ inventory_hostname_short }}"
use: debian
- name: Populating hosts file with hostname
lineinfile:
path: /etc/hosts
regexp: '^127\.0\.1\.1'
line: '127.0.1.1 {{ hostname_fqdn }} {{ inventory_hostname_short }}'


@ -1,6 +0,0 @@
- import_tasks: hostname.yml
tags: hostname
- import_tasks: sysctl.yml
tags: sysctl
- import_tasks: apparmor.yml
tags: apparmor


@ -1,8 +0,0 @@
- name: Set systctl custom vn configuration
copy:
src: sysctl/
dest: /etc/sysctl.d/
owner: root
group: root
mode: u=rw,g=r,o=r
notify: restart-sysctl


@ -1,8 +0,0 @@
homes_path: /mnt/homes
autofs_packages:
- nfs-common
- autofs
- libnfs-utils
- autofs-ldap
blacklist_module_kernel: |
blacklist snd_hda_intel


@ -1 +0,0 @@
SUBSYSTEM=="cpu", ACTION=="add", TEST=="online", ATTR{online}=="0", ATTR{online}="1"


@ -1 +0,0 @@
GRUB_CMDLINE_LINUX_DEFAULT="quiet memhp_default_state=online security=none"


@ -1,4 +0,0 @@
- name: restart-autofs
service:
name: autofs
state: restarted


@ -1,4 +0,0 @@
- name: Install QEMU guest agent
apt:
name: qemu-guest-agent
state: present


@ -1,35 +0,0 @@
- name: Update apt cache
apt:
update_cache: yes
- name: Install autofs packages
apt:
name: "{{ autofs_packages }}"
state: present
- name: Create homes directory
file:
path: "{{ homes_path }}"
state: directory
mode: '0755'
- name: Configure nsswitch for autofs
lineinfile:
path: /etc/nsswitch.conf
line: "automount: files"
- name: Add file homes.autofs configured to autofs
template:
src: homes.autofs
dest: /etc/auto.master.d/homes.autofs
owner: root
group: root
mode: '0644'
- name: Add file /etc/auto.homes configured to the systemd
template:
src: auto.homes
dest: /etc/auto.homes
owner: root
group: root
mode: '0644'
notify: restart-autofs
- name: Service autofs service
systemd:
name: autofs
enabled: yes


@ -1,7 +0,0 @@
- name: Configure blacklist modprobe on VM
copy:
content: "{{ blacklist_module_kernel }}"
dest: /etc/modprobe.d/vn-blacklist.conf
owner: root
group: root
mode: u=rw,g=r,o=r


@ -1,49 +0,0 @@
# Enabled password protection to restrict GRUB editing only, leaving menu entries accessible without authentication.
# Added the --unrestricted option to the custom 09_make_OS_entries_unrestricted template.
# Official GRUB Manual: https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html
# Additional guidance: http://daniel-lange.com/archives/75-Securing-the-grub-boot-loader.html
# Discussion and troubleshooting: https://wiki.archlinux.org/title/Talk:GRUB/Tips_and_tricks
# To generate a GRUB password, use the command syntax provided by grub-mkpasswd-pbkdf2 --help.
- name: GRUB edit unrestricted option
copy:
content: |
#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
menuentry_id_option="--unrestricted $menuentry_id_option"
dest: /etc/grub.d/09_make_OS_entries_unrestricted
owner: root
group: root
checksum: fed5c365f11a919b857b78207565cf341b86082b
mode: u=rwx,g=rx,o=rx
register: grubunrestricted
- name: Search grub password in Passbolt
no_log: true
set_fact:
grub_code: "{{ lookup(passbolt, 'grub', folder_parent_id=passbolt_folder).description }}"
- name: GRUB edit password protection
copy:
content: |
#!/bin/sh
exec tail -n +3 $0
set superusers="{{ grub_user }}"
password_pbkdf2 {{ grub_user }} {{ grub_code }}
dest: /etc/grub.d/00_before
owner: root
group: root
mode: u=rwx,g=rx,o=rx
register: grubpass
- name: Change GRUB_TIMEOUT from 5 to 1
copy:
content: |
GRUB_TIMEOUT=1
dest: /etc/default/grub.d/timeout.cfg
owner: root
group: root
mode: u=rw,g=r,o=r
register: grubtime
- name: Generate GRUB configuration
command: update-grub
when: grubunrestricted.changed or grubpass.changed or grubtime.changed


@ -1,18 +0,0 @@
- name: Configure udev hotplug rules
copy:
src: 80-hotplug-cpu-mem.rules
dest: /usr/lib/udev/rules.d/
mode: u=rw,g=r,o=r
owner: root
group: root
- name: Configure GRUB for hotplug
copy:
src: hotplug.cfg
dest: /etc/default/grub.d/
mode: u=rw,g=r,o=r
owner: root
group: root
register: grub
- name: Generate GRUB configuration
command: update-grub
when: grub.changed


@ -1,10 +0,0 @@
- import_tasks: agent.yml
tags: agent
- import_tasks: hotplug.yml
tags: hotplug
- import_tasks: autofs.yml
tags: autofs
- import_tasks: blacklist.yml
tags: blacklist
- import_tasks: grub_startup.yml
tags: grub_startup


@ -1 +0,0 @@
* -fstype=nfs4,rw {{ homes_server }}:{{ homes_path }}/&


@ -1 +0,0 @@
{{ homes_path }} /etc/auto.homes --timeout=30