From 896ba27da57d7fa0233021c2e4c85ced7fa6eee4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?=
Date: Wed, 2 Oct 2024 12:15:01 +0200
Subject: [PATCH 01/33] =?UTF-8?q?refs=20#8025=20Configure=20base=20Debian?=
 =?UTF-8?q?=20host=20-=20Detalles=20en=20los=20nombres=20de=20las=20tareas?=
 =?UTF-8?q?=20y=20la=20condici=C3=B3n=20when=20de=20Configure=20virtual=20?=
 =?UTF-8?q?machine?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 playbooks/debian.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/playbooks/debian.yml b/playbooks/debian.yml
index f1ef67f..266cd85 100644
--- a/playbooks/debian.yml
+++ b/playbooks/debian.yml
@@ -2,13 +2,13 @@
 hosts: all
 vars_files: ../vault.yml
 tasks:
- - name: Configure virtual machine or host
+ - name: Configure virtual machine or host (not LXC)
 import_role:
 name: debian-host
 when: ansible_virtualization_role == 'host' or ansible_virtualization_type == 'kvm'
- - name: Configure base system
+ - name: Configure base system (all)
 import_role:
- name: debian-base
+ name: debian-base
 - name: Configure guest
 import_role:
 name: debian-guest
@@ -16,4 +16,4 @@
 - name: Configure virtual machine
 import_role:
 name: debian-qemu
- when: ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'kvm'
+ when: ansible_virtualization_type == 'kvm'
-- 
2.40.1

From ed9e69b96ba87d7675b9280ae0f4cf7f4ec0f3aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?=
Date: Thu, 3 Oct 2024 09:42:08 +0200
Subject: [PATCH 02/33] Refs #8025 Sincro

---
 1 | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 92 insertions(+)
 create mode 100644 1

diff --git a/1 b/1
new file mode 100644
index 0000000..4a19164
--- /dev/null
+++ b/1
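Review bot: Dropping `ansible_virtualization_role == 'guest'` from the `when` on the debian-qemu import widens it to every host whose `ansible_virtualization_type` is `kvm`, and Ansible reports that type together with role `host` on a KVM hypervisor, so a hypervisor would now receive both debian-host (first hunk) and debian-qemu. If debian-qemu is meant for guests only, keep the role check: `when: ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'kvm'`. If running it on hypervisors is intended, a one-line comment above the task saying so would spare the next reader the same question, since the task name still says "virtual machine".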
@@ -0,0 +1,92 @@ +env: + PASSBOLT_BASE_URL: https://passbolt.verdnatura.es + PASSBOLT_PASSPHRASE: Carrerdelalloma10_ + PASSBOLT_PRIVATE_KEY: | + -----BEGIN PGP PRIVATE KEY BLOCK----- + +xcTGBGbe58QBDAC9MOLpqjHYOYCRfOMHFlR3//A9PLfp1NPpxndKhgzBePvy +wA7C2MjFiyHt7NN4DITjKH60Lmv6Lce+j9y0QPDG42rKCsjTIOHl/pYR4QQT +NCqCnrguATuPqs4gnHKXzhrHqu7dViiD9epyNmTVUhB2PoCZvwb/0NCbKW1Q +stNn7Q1x/01qGj92nrus8rgdsLmWxAbeER/PW2/gIFrKqOXMUl8Ra1jOoCqd +6EcFvZ28mv0AtyeNNYjBc8hKqoCj3uPmL4JPKH/+XgaKBGlI/SaIHeT6hUal +LGKg1I/+GEqnvWwd/c6CEyHYPWD1O5SA9GOfHQUYIB506CTsm4HCbvsvM9y8 +aySB1dq8iI+yZhGufRHWJofuF/ix8AT7+SdALlW43q8ZSv+WC0XBdKn0CEFx +nzCyqY1MXz/AbdNFrMT4ItczYw1LOUud8O7M2mqdkHSDYb9w1l5eas3U186x +tdbG2jhloXhMOfJmYv1BHJc/0LRumSkblAEvpMA0GjuMgLEAEQEAAf4JAwiF +26xTqzLoceDAyEYx9jLvIZ44yGgl5F7IHN77W4BDdwOXbqOQBft8iGxmR7RD +bXlKdqJVaaHd267aAPOzYct8OLJx2RxyCky8vtU68mbSkrmySVuDWBD5ZNlk +1suhrTyeCjUa6tcAPqDVvM+n1ZzIjmonyFTJ0XVkZUoUj5JStZbt/3FMLzlF +ylA/tISRQGUMJd4zMe3nWaa65Px7UsX2IGknuuVnxLTdVWe/gXH6mnm2lCFI +awhaJwSoQALX4SRODbSzGArkcUz2kwleQssIwR5GTrKkrZepWpJeBzg/8EDY +XGxQRAI5RBCkhWIObLOYfxhHJVQSEWMYbgrOKjTqUllXI3okdqWGJtYcs6Cn +jn4p6qvCEYEj4UHRos1ue5anwUd0suzjZ2OP955GwrWSBClIBG5fqAF1bfIZ +Zw4+aiGCBuxi0zsqEq93HdZtqKgx4JOmcH+RrRAJjssG1llAcGwBVWXnqKfP +9XtfGI6e08QZD+KT5fUzOGiRBSXUPaEKx7YsnZ3auR8z1yHFfpW4sRlB/cOj +YuIs/r1jf2uypxLDOkKajtOXljsPIjjd2G9LCN19yts0rArrCTiA2ktFClWk +iXEEVg/w9XY1oEb4Z9BOLPfSCyRwbp5SpaAzPoSMZL05UZlWTCF9zs5tC2d4 +nQjeyiuXcbfrUk9Ri3OPfOZAa5MpQgNTrEM8d24Da7GMhbVK8sw84sVQhXql +vlGzoQD6e9P8JVf7gtYlWGcH+wYGbkDpyWoFHcObr+AVeWbtD0ySTszyRfcR +DdGW4EmNG0R4yS0FqfFHUOhiq5xvfH6kKNPkp+czQsvLpPy9gyT8S1xOn2cr +y3vcaCu1vMD7+zIW05JMEbpitaIrC0qG0K8X4GO0OSqKFyRZ6VnCbEG50tPg +s9hWgcRg53csRF34HFc+LWVJdzVTkt8jcXyzdnlKxcG89/E2AfXx4i4p3XBK +WdfUpDROH5xCjNcInBo/ZXR8GmOogb4Z6PAKvcUX/scHpQAZ4mB717pqAM3j +/YBpih/FoiEaEhKqPVZnWMU78pCbUUIwEKO6CwxghhDfgHzyE0u0efpNJnb3 +b5n3PMEbGeUpWisiQidOW/9d2x4mvItRZ06VYY3I1G5aM2OVYyw2wz7iCoiz +JRosWw25+ThcF3FKyguBVYoN7n/zcOmaAii5OMAoS5D0ohyBcfeq+2PnIYsr 
+1yrMyw0gcT1KhO2K0ah/THd91bkI3dcD52hhHXbC0fuz00n9dhAaSoXrGbAj +dV4CGmK6XQSzO/qaatVnOKQI7XAkm3PF0GSJsEj5zMA5M57LuF5uvAhIgIzj +qj4TF5ApOfDoXmgt3Eve16SIqLJva80eWGF2aSBMbGVvIDx4YXZpQHZlcmRu +YXR1cmEuZXM+wsEKBBABCAA+BYJm3ufEBAsJBwgJkGX8BIy7HvicAxUICgQW +AAIBAhkBApsDAh4BFiEEiUE63GI6sVeiwcC4ZfwEjLse+JwAALPbDACT8Sc7 +h3sqxFac2bSs4nYCqXM9UQZosM6VmQk8EyG4dLwquOJh009ipaDrI2bKZrX7 +I+Qn9L+y7Gv8vAhHutOUdrqE+Pk0A4xk0q563KlyO1i9XzMEvKYOGX4BT9Aa +kLcWDstpdEKJYeV+iNexcxKBoZedls4NkZaD/ZBD4RRnI3pYzJcmmVX88oAT +TdJ5jRng4gX0ecKa2BAmhBzYJpDAJbTT1j4x0gsOgA/YrHfghqxXaIY0TNe8 +RzEdaTq2FGsWRsh1Wasc4F0yfou2hkv7WZmYKXYgh9MfZVa9gwTn9/gtyRpr +nqwL+2clIJMqmqueLGaTNEO4Ktd5xiLrZM5nvg60hJ8UxhK6hrfFjuATeQp1 +S8r9OQyPiqh/mXZ15tAjO3AF+gDEE/df0K/n7fUcqcL/JLhU5RHe9T446KHq +rabT2URpZuWrzEEGIV7tlz43l2e3o18BsxezkXMSnF/hbQ2riY9ZIWuYKDeZ +ANRU2dHmg4jXWOyylsiu86XjxNnHxMYEZt7nxAEMANZERNcxpQfpu2YwOepi +gLN5HVnSFf6pmRxr5UKvMjBHctw2rK3oYtWUdrEXUR6k3z/bE+0jC3sZmoyQ +UlCy6wCsL8KTIKpMj4Op3Hwnf89mPsJVr3mlIXKKgr4moTNvDJjhTYCE9XXV ++GSFHX5aZ+icgElnZKXwY3z0VhL8baDcQDPt7SC0f0LR+bBO4XgqZFijdXIB +5zarv4kXBYRXnfzJWZ9JnZef6HEU2Ks/gtHKd+5bCsTm6GQPrWzmoLHMDCUf +jyGKaG8IF8TcWKjoZGxC+S8HP9dj1qr9zcX+DZ+3TlWzCn0ZiGlVnbX1yJ+S +JFRpopxkmpYPjIYVk6gIsMTZh3D3Kn6VoTaMPxlM9iAvfIjwhKeAFX9H38p0 +6zMbTJYTYVMTCxUom3IwrPTtfI6B1ryE8kUA4c3UBpbnWHBb9O8MPDj+Wp43 +m7EuwiSXf9JxBBLzh/Zs3BBoiVlSClNPXjx2uPFi3zgkpxFmEis3fim5itPb +L+UDFPZN9kmNEwARAQAB/gkDCHSfGEgjaci74E0PwpFU1u7aLRSNykJ5REC4 +I9H8Ma0yAK3Mv0Grl9Az/9Th+Jr5u3K0UKEwhgl6Wwr6JpBkPyxg2m9ZMOej +p2VM8KsbrmVmEt5qwrWuG2Iy+iXXIMd+DFrvrNmk8blSqbGaWLExK4iI/VaH +swDL3A2QUp7EKCSu8rHBFbI5Z1deh5wXHOZXn2ofs/8oWDkt1DmVLflVlTfr +eIUg2+v+d8OGbe0wLlb2aBirsGYPLxVBK6uVg5RH6N4vaE4++85KGFvsY0d3 ++tsHFXRc3SUS9ezBJMEsfmklnzMyWToopMbilIMZPN6AMD0COWAThE235yny +QtOW00FQraFxippFlWQ00OuqwSIOj5RqZir0Wsv+Cf5pqcpjAENr8ssfmMXZ +H3t6ZAKQdEBAY8CQYbJK5s8bpXg5FP0GMZLX/z8sY2UrBDbsKR06iGkAY+oM +4nqVQwy2qIJ0ixYLSVoEKX6zGUwVokJcEgwsFn5ZBBbSYRw9hZbDS0Cudsv+ +2aVawiX7/7m1HLwytNoUTfsptsPqXljEdj467jyzvMrVVp2hTmKlLb0DfILV 
+kIBc4tbOoo02OXpPUQnp5ZLdCKsa0u0qkciHwgMmUXIAUjSiUq5o89Ks84rU +zomrtNSpZBXjf5fIY235sUk2itlQFQUsskgDd4HgDNoJwH9XEGA6chf7K9Xj +oI5lODG3xmbbh1cQ9P/wCVEz1sJ22amYhubVUihbxDi6cPnRyryxhK6BC2DY +FOmWs/jH7IEL/T02JN/a8lgvZVdKOiNj7TsBHbascidDzpDXPJq4y9Q0moAp +HCuW5j/3/YfvItZAwrkb1mElnLkvf5oGLQACtonT8VdrjImUFJF4Q0Ne1+Ke +GCHnlB7iI+Nxwj82oRAkCld9opC2K5tZePOkH45tUFBIy/y+cGhr5zwhpuRa +dqZdItpVg60klpbP4rATCEeJFspOc8jtp++Wj4AIm7zhqRJNKc/RfzYm/ltR +L744MbeFzZ1idvDEWJFNfd0gQ6ByR9H3JbY/Pe+E5gpCUVd0tfc4dJSnzq0u +iK2YwBoLc+cvJbsMXFXzvS6PN4Tj78YwEwOjV+LvlNAJJgxucjlt8Fib1hRF +pj4gguwgPtnHnk2f6mZE3SkIR8CI/pWZFNzI3j/FybMm2vp8ev4ckPGvGSN9 +R0gswiXtVh0uzgP8d95fyb+3m9x1qq2ICR9XJTPRENgJP5++Y7D05JudaYh+ +EOcInt8iWWo3PaNfp12bbJ3vde1utyoCZkLkH1Fg60b4HSjaUlE+hT3v2W0/ +AXy/Ai32NdaTqIhbsbsqs5ZsQbN/W4+8U1uNLC2cCGBZmLSeiRIozlkIwsD2 +BBgBCAAqBYJm3ufECZBl/ASMux74nAKbDBYhBIlBOtxiOrFXosHAuGX8BIy7 +HvicAACbJwwAlBQyDfgJskHaUoZYhN3S1qn9EwhEZM13bU6pch9AwUBGBqnL +8kgjTOHP3Ccv7fQDRAWGtZUbNOozPqmmREwbYNA+SD8S7+R//coYYfQ84iRS +2B0qqKKXKAFa+FH+WinJk5ADa5lJn0laL3Ql9HORcDQYl+Q1Pv8XDVVEQNDW +rHzWcSer8jf8Qj7CFbZRj1ltZOyHDDQ+PFBS0rrydD70gNzRVkAzR2jkcR/P +Y8hQ8hgWhBwHhU6kaVDcHhOXGWt5P1mZftEmN/krRlfj++yXxRJUR1Akjwd7 +05KSUR+7NtZudKiVmIiY3V0VSYHzsDl65UM9E/8NBGCxx3ly6WPqCNO4UM11 +0q0iJ6M24bGiba1YcYefpHuGZ3TCwukcLARERtlA7jzimKOSY1lRGW4eZeUQ +VIWZIAxD0GeKtVrZFwD/a2SeQcPwdRpGlW6YIaIouiRQ00N51NDUIUWKTWur +HPqCJoa+Tfr5FMmCOrPnQKQPcQcu/lwtbGSt+5tRk/+R +=D0UM +-----END PGP PRIVATE KEY BLOCK----- -- 2.40.1 From 9464d6d8a35ee5e0986f51ce4b1683fddea65a29 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Thu, 3 Oct 2024 10:45:21 +0200 Subject: [PATCH 03/33] Refs #8025 Crazy git --- 1 | 92 --------------------------------------------------------------- 1 file changed, 92 deletions(-) delete mode 100644 1 diff --git a/1 b/1 deleted file mode 100644 index 4a19164..0000000 --- a/1 +++ /dev/null 
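Review bot: This commit adds a file named `1` that holds a live Passbolt passphrase (`PASSBOLT_PASSPHRASE`) and an armored PGP private key (`PASSBOLT_PRIVATE_KEY`) in plaintext, and PATCH 03/33 deleting the file again does not remove either from history — anyone who can clone the repository can recover them from commit ed9e69b. Both secrets should be treated as compromised: rotate the passphrase and revoke/regenerate the PGP key in Passbolt, and rewrite or squash these two commits out of the series before the branch is pushed anywhere shared. The repository already ignores `.passbolt.yml` (see the `.gitignore` hunk in PATCH 05/33), so this looks like an accidental `git add`; a pre-commit secret scanner would have stopped it. Whatever the file was meant to be, such values belong in `vault.yml`, which the playbook already loads via `vars_files`.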
@@ -1,92 +0,0 @@ -env: - PASSBOLT_BASE_URL: https://passbolt.verdnatura.es - PASSBOLT_PASSPHRASE: Carrerdelalloma10_ - PASSBOLT_PRIVATE_KEY: | - -----BEGIN PGP PRIVATE KEY BLOCK----- - -xcTGBGbe58QBDAC9MOLpqjHYOYCRfOMHFlR3//A9PLfp1NPpxndKhgzBePvy -wA7C2MjFiyHt7NN4DITjKH60Lmv6Lce+j9y0QPDG42rKCsjTIOHl/pYR4QQT -NCqCnrguATuPqs4gnHKXzhrHqu7dViiD9epyNmTVUhB2PoCZvwb/0NCbKW1Q -stNn7Q1x/01qGj92nrus8rgdsLmWxAbeER/PW2/gIFrKqOXMUl8Ra1jOoCqd -6EcFvZ28mv0AtyeNNYjBc8hKqoCj3uPmL4JPKH/+XgaKBGlI/SaIHeT6hUal -LGKg1I/+GEqnvWwd/c6CEyHYPWD1O5SA9GOfHQUYIB506CTsm4HCbvsvM9y8 -aySB1dq8iI+yZhGufRHWJofuF/ix8AT7+SdALlW43q8ZSv+WC0XBdKn0CEFx -nzCyqY1MXz/AbdNFrMT4ItczYw1LOUud8O7M2mqdkHSDYb9w1l5eas3U186x -tdbG2jhloXhMOfJmYv1BHJc/0LRumSkblAEvpMA0GjuMgLEAEQEAAf4JAwiF -26xTqzLoceDAyEYx9jLvIZ44yGgl5F7IHN77W4BDdwOXbqOQBft8iGxmR7RD -bXlKdqJVaaHd267aAPOzYct8OLJx2RxyCky8vtU68mbSkrmySVuDWBD5ZNlk -1suhrTyeCjUa6tcAPqDVvM+n1ZzIjmonyFTJ0XVkZUoUj5JStZbt/3FMLzlF -ylA/tISRQGUMJd4zMe3nWaa65Px7UsX2IGknuuVnxLTdVWe/gXH6mnm2lCFI -awhaJwSoQALX4SRODbSzGArkcUz2kwleQssIwR5GTrKkrZepWpJeBzg/8EDY -XGxQRAI5RBCkhWIObLOYfxhHJVQSEWMYbgrOKjTqUllXI3okdqWGJtYcs6Cn -jn4p6qvCEYEj4UHRos1ue5anwUd0suzjZ2OP955GwrWSBClIBG5fqAF1bfIZ -Zw4+aiGCBuxi0zsqEq93HdZtqKgx4JOmcH+RrRAJjssG1llAcGwBVWXnqKfP -9XtfGI6e08QZD+KT5fUzOGiRBSXUPaEKx7YsnZ3auR8z1yHFfpW4sRlB/cOj -YuIs/r1jf2uypxLDOkKajtOXljsPIjjd2G9LCN19yts0rArrCTiA2ktFClWk -iXEEVg/w9XY1oEb4Z9BOLPfSCyRwbp5SpaAzPoSMZL05UZlWTCF9zs5tC2d4 -nQjeyiuXcbfrUk9Ri3OPfOZAa5MpQgNTrEM8d24Da7GMhbVK8sw84sVQhXql -vlGzoQD6e9P8JVf7gtYlWGcH+wYGbkDpyWoFHcObr+AVeWbtD0ySTszyRfcR -DdGW4EmNG0R4yS0FqfFHUOhiq5xvfH6kKNPkp+czQsvLpPy9gyT8S1xOn2cr -y3vcaCu1vMD7+zIW05JMEbpitaIrC0qG0K8X4GO0OSqKFyRZ6VnCbEG50tPg -s9hWgcRg53csRF34HFc+LWVJdzVTkt8jcXyzdnlKxcG89/E2AfXx4i4p3XBK -WdfUpDROH5xCjNcInBo/ZXR8GmOogb4Z6PAKvcUX/scHpQAZ4mB717pqAM3j -/YBpih/FoiEaEhKqPVZnWMU78pCbUUIwEKO6CwxghhDfgHzyE0u0efpNJnb3 -b5n3PMEbGeUpWisiQidOW/9d2x4mvItRZ06VYY3I1G5aM2OVYyw2wz7iCoiz -JRosWw25+ThcF3FKyguBVYoN7n/zcOmaAii5OMAoS5D0ohyBcfeq+2PnIYsr 
-1yrMyw0gcT1KhO2K0ah/THd91bkI3dcD52hhHXbC0fuz00n9dhAaSoXrGbAj -dV4CGmK6XQSzO/qaatVnOKQI7XAkm3PF0GSJsEj5zMA5M57LuF5uvAhIgIzj -qj4TF5ApOfDoXmgt3Eve16SIqLJva80eWGF2aSBMbGVvIDx4YXZpQHZlcmRu -YXR1cmEuZXM+wsEKBBABCAA+BYJm3ufEBAsJBwgJkGX8BIy7HvicAxUICgQW -AAIBAhkBApsDAh4BFiEEiUE63GI6sVeiwcC4ZfwEjLse+JwAALPbDACT8Sc7 -h3sqxFac2bSs4nYCqXM9UQZosM6VmQk8EyG4dLwquOJh009ipaDrI2bKZrX7 -I+Qn9L+y7Gv8vAhHutOUdrqE+Pk0A4xk0q563KlyO1i9XzMEvKYOGX4BT9Aa -kLcWDstpdEKJYeV+iNexcxKBoZedls4NkZaD/ZBD4RRnI3pYzJcmmVX88oAT -TdJ5jRng4gX0ecKa2BAmhBzYJpDAJbTT1j4x0gsOgA/YrHfghqxXaIY0TNe8 -RzEdaTq2FGsWRsh1Wasc4F0yfou2hkv7WZmYKXYgh9MfZVa9gwTn9/gtyRpr -nqwL+2clIJMqmqueLGaTNEO4Ktd5xiLrZM5nvg60hJ8UxhK6hrfFjuATeQp1 -S8r9OQyPiqh/mXZ15tAjO3AF+gDEE/df0K/n7fUcqcL/JLhU5RHe9T446KHq -rabT2URpZuWrzEEGIV7tlz43l2e3o18BsxezkXMSnF/hbQ2riY9ZIWuYKDeZ -ANRU2dHmg4jXWOyylsiu86XjxNnHxMYEZt7nxAEMANZERNcxpQfpu2YwOepi -gLN5HVnSFf6pmRxr5UKvMjBHctw2rK3oYtWUdrEXUR6k3z/bE+0jC3sZmoyQ -UlCy6wCsL8KTIKpMj4Op3Hwnf89mPsJVr3mlIXKKgr4moTNvDJjhTYCE9XXV -+GSFHX5aZ+icgElnZKXwY3z0VhL8baDcQDPt7SC0f0LR+bBO4XgqZFijdXIB -5zarv4kXBYRXnfzJWZ9JnZef6HEU2Ks/gtHKd+5bCsTm6GQPrWzmoLHMDCUf -jyGKaG8IF8TcWKjoZGxC+S8HP9dj1qr9zcX+DZ+3TlWzCn0ZiGlVnbX1yJ+S -JFRpopxkmpYPjIYVk6gIsMTZh3D3Kn6VoTaMPxlM9iAvfIjwhKeAFX9H38p0 -6zMbTJYTYVMTCxUom3IwrPTtfI6B1ryE8kUA4c3UBpbnWHBb9O8MPDj+Wp43 -m7EuwiSXf9JxBBLzh/Zs3BBoiVlSClNPXjx2uPFi3zgkpxFmEis3fim5itPb -L+UDFPZN9kmNEwARAQAB/gkDCHSfGEgjaci74E0PwpFU1u7aLRSNykJ5REC4 -I9H8Ma0yAK3Mv0Grl9Az/9Th+Jr5u3K0UKEwhgl6Wwr6JpBkPyxg2m9ZMOej -p2VM8KsbrmVmEt5qwrWuG2Iy+iXXIMd+DFrvrNmk8blSqbGaWLExK4iI/VaH -swDL3A2QUp7EKCSu8rHBFbI5Z1deh5wXHOZXn2ofs/8oWDkt1DmVLflVlTfr -eIUg2+v+d8OGbe0wLlb2aBirsGYPLxVBK6uVg5RH6N4vaE4++85KGFvsY0d3 -+tsHFXRc3SUS9ezBJMEsfmklnzMyWToopMbilIMZPN6AMD0COWAThE235yny -QtOW00FQraFxippFlWQ00OuqwSIOj5RqZir0Wsv+Cf5pqcpjAENr8ssfmMXZ -H3t6ZAKQdEBAY8CQYbJK5s8bpXg5FP0GMZLX/z8sY2UrBDbsKR06iGkAY+oM -4nqVQwy2qIJ0ixYLSVoEKX6zGUwVokJcEgwsFn5ZBBbSYRw9hZbDS0Cudsv+ -2aVawiX7/7m1HLwytNoUTfsptsPqXljEdj467jyzvMrVVp2hTmKlLb0DfILV 
-kIBc4tbOoo02OXpPUQnp5ZLdCKsa0u0qkciHwgMmUXIAUjSiUq5o89Ks84rU -zomrtNSpZBXjf5fIY235sUk2itlQFQUsskgDd4HgDNoJwH9XEGA6chf7K9Xj -oI5lODG3xmbbh1cQ9P/wCVEz1sJ22amYhubVUihbxDi6cPnRyryxhK6BC2DY -FOmWs/jH7IEL/T02JN/a8lgvZVdKOiNj7TsBHbascidDzpDXPJq4y9Q0moAp -HCuW5j/3/YfvItZAwrkb1mElnLkvf5oGLQACtonT8VdrjImUFJF4Q0Ne1+Ke -GCHnlB7iI+Nxwj82oRAkCld9opC2K5tZePOkH45tUFBIy/y+cGhr5zwhpuRa -dqZdItpVg60klpbP4rATCEeJFspOc8jtp++Wj4AIm7zhqRJNKc/RfzYm/ltR -L744MbeFzZ1idvDEWJFNfd0gQ6ByR9H3JbY/Pe+E5gpCUVd0tfc4dJSnzq0u -iK2YwBoLc+cvJbsMXFXzvS6PN4Tj78YwEwOjV+LvlNAJJgxucjlt8Fib1hRF -pj4gguwgPtnHnk2f6mZE3SkIR8CI/pWZFNzI3j/FybMm2vp8ev4ckPGvGSN9 -R0gswiXtVh0uzgP8d95fyb+3m9x1qq2ICR9XJTPRENgJP5++Y7D05JudaYh+ -EOcInt8iWWo3PaNfp12bbJ3vde1utyoCZkLkH1Fg60b4HSjaUlE+hT3v2W0/ -AXy/Ai32NdaTqIhbsbsqs5ZsQbN/W4+8U1uNLC2cCGBZmLSeiRIozlkIwsD2 -BBgBCAAqBYJm3ufECZBl/ASMux74nAKbDBYhBIlBOtxiOrFXosHAuGX8BIy7 -HvicAACbJwwAlBQyDfgJskHaUoZYhN3S1qn9EwhEZM13bU6pch9AwUBGBqnL -8kgjTOHP3Ccv7fQDRAWGtZUbNOozPqmmREwbYNA+SD8S7+R//coYYfQ84iRS -2B0qqKKXKAFa+FH+WinJk5ADa5lJn0laL3Ql9HORcDQYl+Q1Pv8XDVVEQNDW -rHzWcSer8jf8Qj7CFbZRj1ltZOyHDDQ+PFBS0rrydD70gNzRVkAzR2jkcR/P -Y8hQ8hgWhBwHhU6kaVDcHhOXGWt5P1mZftEmN/krRlfj++yXxRJUR1Akjwd7 -05KSUR+7NtZudKiVmIiY3V0VSYHzsDl65UM9E/8NBGCxx3ly6WPqCNO4UM11 -0q0iJ6M24bGiba1YcYefpHuGZ3TCwukcLARERtlA7jzimKOSY1lRGW4eZeUQ -VIWZIAxD0GeKtVrZFwD/a2SeQcPwdRpGlW6YIaIouiRQ00N51NDUIUWKTWur -HPqCJoa+Tfr5FMmCOrPnQKQPcQcu/lwtbGSt+5tRk/+R -=D0UM ------END PGP PRIVATE KEY BLOCK----- -- 2.40.1 From 9dfbe294bc8bb9a8461b6400af082221bbb2451f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Thu, 3 Oct 2024 16:08:45 +0200 Subject: [PATCH 04/33] =?UTF-8?q?Refs=20#8025=20A=C3=B1adido=20host=20ansi?= =?UTF-8?q?ble-client=20al=20inventario=20de=20lab?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- inventories/lab | 1 + 1 file changed, 1 insertion(+) diff --git a/inventories/lab b/inventories/lab index 809234a..3e5f260 100644 --- a/inventories/lab 
+++ b/inventories/lab
@@ -29,6 +29,7 @@
 kubetest-worker[01:04]
 corelab-proxy1
 zammad
 matrix
+ansible-client
 [guest:children]
 cephtest
-- 
2.40.1

From 757d3dfe29014ea33e70ecd2fc62488a95c931f6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?=
Date: Fri, 4 Oct 2024 13:15:55 +0200
Subject: [PATCH 05/33] refs #8025 Little modifications - Using module systemd insted service. Other approach to hosts file. More strict disable apparmor.

---
 .gitignore | 1 +
 inventories/group_vars/all.yml | 1 -
 roles/debian-host/handlers/main.yml | 4 ++--
 roles/debian-host/tasks/apparmor.yml | 11 +++++++++--
 roles/debian-host/tasks/hostname.yml | 11 ++++-------
 roles/debian-host/tasks/sysctl.yml | 2 +-
 roles/debian-host/templates/resolv.conf | 4 ++--
 7 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/.gitignore b/.gitignore
index 18cb88c..e274a3d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,5 +2,6 @@
 .vault-pass
 .vault.yml
 .passbolt.yml
+inventories/local
 venv
 context/_build
diff --git a/inventories/group_vars/all.yml b/inventories/group_vars/all.yml
index d14f1d3..4615399 100644
--- a/inventories/group_vars/all.yml
+++ b/inventories/group_vars/all.yml
@@ -11,7 +11,6 @@ main_dns_server: ns1.verdnatura.es
 ldap_uri: ldap://ldap.verdnatura.es
 ldap_base: dc=verdnatura,dc=es
 dc_net: "10.0.0.0/16"
-resolv_domain: verdnatura.es
 resolvers:
 - '10.0.0.4'
 - '10.0.0.5'
diff --git a/roles/debian-host/handlers/main.yml b/roles/debian-host/handlers/main.yml
index 35f2de4..45b25b1 100644
--- a/roles/debian-host/handlers/main.yml
+++ b/roles/debian-host/handlers/main.yml
@@ -1,4 +1,4 @@
 - name: restart-sysctl
- service:
+ systemd:
 name: systemd-sysctl
- state: restarted
+ state: restarted
\ No newline at end of file
diff --git a/roles/debian-host/tasks/apparmor.yml b/roles/debian-host/tasks/apparmor.yml
index 38a2e8f..a239254 100644
--- a/roles/debian-host/tasks/apparmor.yml
+++ b/roles/debian-host/tasks/apparmor.yml
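Review bot: Removing `resolv_domain` from `inventories/group_vars/all.yml` while the resolv.conf template hunk of this same commit switches to `{{ host_domain }}` leaves `host_domain` undefined anywhere in the diff; unless it is set in a vars file not shown here, rendering the template fails with an undefined-variable error on every host that reaches it. Either define `host_domain` in this group_vars hunk or make the template tolerant, e.g. `domain {{ host_domain | default(ansible_domain) }}` and the same for the `search` line. If `host_domain` is meant to come from per-host vars, a comment in the template saying where it is expected to be defined would prevent the same surprise later.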
@@ -1,5 +1,12 @@ -- name: Disable AppArmor - service: +- name: Stop AppArmor + systemd: name: apparmor state: stopped +- name: Disable AppArmor service + systemd: + name: apparmor enabled: no +- name: Mask AppArmor service + systemd: + name: apparmor + masked: yes \ No newline at end of file diff --git a/roles/debian-host/tasks/hostname.yml b/roles/debian-host/tasks/hostname.yml index 799a81f..b17bd1f 100644 --- a/roles/debian-host/tasks/hostname.yml +++ b/roles/debian-host/tasks/hostname.yml @@ -2,11 +2,8 @@ hostname: name: "{{ inventory_hostname_short }}" use: debian -- name: Configure hosts file - blockinfile: +- name: Populating hosts file with hostname + lineinfile: path: /etc/hosts - marker_begin: '--- BEGIN VN ---' - marker_end: '--- END VN ---' - marker: "# {mark}" - block: | - {{ ansible_default_ipv4.address }} {{ ansible_host }} {{ inventory_hostname_short }} + regexp: '^127.0.1.1' + line: '127.0.1.1 {{ ansible_host }} {{ inventory_hostname_short }}' \ No newline at end of file diff --git a/roles/debian-host/tasks/sysctl.yml b/roles/debian-host/tasks/sysctl.yml index be8eaf7..aab1e57 100644 --- a/roles/debian-host/tasks/sysctl.yml +++ b/roles/debian-host/tasks/sysctl.yml @@ -1,4 +1,4 @@ -- name: Set systctl configuration +- name: Set systctl custom vn configuration copy: src: sysctl/ dest: /etc/sysctl.d/ diff --git a/roles/debian-host/templates/resolv.conf b/roles/debian-host/templates/resolv.conf index cce81b4..52a1891 100644 --- a/roles/debian-host/templates/resolv.conf +++ b/roles/debian-host/templates/resolv.conf @@ -1,5 +1,5 @@ -domain {{ resolv_domain }} -search {{ resolv_domain }} +domain {{ host_domain }} +search {{ host_domain }} {% if resolvers is defined %} {% for resolver in resolvers %} nameserver {{resolver}} -- 2.40.1 From d6c51141bf81e2faa8d7b0798d48e41b64d0dc39 Mon Sep 17 00:00:00 2001 
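Review bot: The three `systemd` tasks in apparmor.yml act on the same unit and collapse into one — `systemd: name: apparmor state: stopped enabled: false masked: true` — which also replaces the `no`/`yes` truthy scalars with the `false`/`true` used elsewhere in the repo. Stopping and masking the unit only stops profiles from being loaded at the next boot; as far as I recall the Debian unit's stop action does not unload profiles already in the kernel, so on a live host they stay enforced until a reboot (or `aa-teardown`), and the task name `Stop AppArmor` overstates what happens. Because this removes a mandatory-access-control layer from every host the role touches, a short comment above the task stating why AppArmor is disabled and for which hosts would help anyone auditing the role. The new file also ends without a trailing newline (`\ No newline at end of file`).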
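Review bot: In hostname.yml the `lineinfile` regexp `'^127.0.1.1'` has unescaped dots and no trailing boundary, so it also matches lines such as `127.0.1.10 ...` and would replace them; `regexp: '^127\.0\.1\.1\s'` pins the intended entry. The replacement `line` places `{{ ansible_host }}` in the hostname column, which is only right when the inventory sets `ansible_host` to a name rather than an address — the removed block used `ansible_default_ipv4.address` for the address column, so that assumption deserves a comment above the task. The task name `Populating hosts file with hostname` would read better in the imperative used by the surrounding tasks (`Populate hosts file with hostname`).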
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?=
Date: Mon, 7 Oct 2024 09:43:51 +0200
Subject: [PATCH 06/33] Refs #8025 Solution to approach resolv.conf only on case no dhcp-client is used

---
 roles/debian-host/tasks/main.yml | 2 ++
 roles/debian-host/tasks/resolv.yml | 21 +++++++++++++++++----
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/roles/debian-host/tasks/main.yml b/roles/debian-host/tasks/main.yml
index e4f179a..11d6c3f 100644
--- a/roles/debian-host/tasks/main.yml
+++ b/roles/debian-host/tasks/main.yml
@@ -4,3 +4,5 @@
 tags: sysctl
 - import_tasks: apparmor.yml
 tags: apparmor
+- import_tasks: resolv.yml
+ tags: resolv
diff --git a/roles/debian-host/tasks/resolv.yml b/roles/debian-host/tasks/resolv.yml
index 9aeb5a4..60455c0 100644
--- a/roles/debian-host/tasks/resolv.yml
+++ b/roles/debian-host/tasks/resolv.yml
@@ -1,9 +1,22 @@
-- name: Replace /etc/resolv.conf
+- name: Check if DNS is already configured
+ stat:
+ path: /etc/resolv.conf
+ register: resolv_conf
+- name: Read /etc/resolv.conf
+ slurp:
+ path: /etc/resolv.conf
+ register: resolv_conf_content
+ when: resolv_conf.stat.exists
+- name: Check if DNS servers are already present
+ set_fact:
+ dns_configured: "{{ resolv_conf_content['content'] | b64decode | regex_search('^nameserver') is not none }}"
+ when: resolv_conf.stat.exists
+- name: Apply resolv.conf template only if DNS is not configured
 template:
- src: resolv.conf
- dest: /etc/
+ src: templates/resolv.conf
+ dest: /etc/resolv.conf
 owner: root
 group: root
 mode: '0644'
 backup: true
- when: resolv_enabled
+ when: not resolv_conf.stat.exists or not dns_configured
-- 
2.40.1

From 606548db7efbeacc4c7790d1090ae58888419714 Mon Sep 17 00:00:00 2001
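Review bot: `regex_search('^nameserver')` on the slurped content runs without the multiline flag, so `^` only matches at the very start of the file; a resolv.conf that begins with a comment, `domain` or `search` line — the layout this role's own template produces — yields no match, `dns_configured` becomes false, and the template overwrites a file that already has working nameservers. Use `regex_search('^nameserver', multiline=True)` (or the `(?m)` inline flag) so the check means what its task name says. The first task only stats the file, so `Check if DNS is already configured` is misleading; `Check if /etc/resolv.conf exists` describes it. The removed `when: resolv_enabled` gate means every host now runs this block; if that is intended, a line in the commit message or a comment above the template task would record the decision.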
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Mon, 7 Oct 2024 12:06:19 +0200 Subject: [PATCH 07/33] Refs #8025 Resolv task moved to debian-base role - Review & refactor tasks from debian-base role defuser, install and locate --- roles/debian-base/handlers/main.yml | 1 - roles/debian-base/tasks/install.yml | 8 ++++++- roles/debian-base/tasks/locale.yml | 21 ++++++------------- roles/debian-base/tasks/main.yml | 2 ++ .../tasks/resolv.yml | 0 .../templates/resolv.conf | 0 roles/debian-host/tasks/main.yml | 2 -- 7 files changed, 15 insertions(+), 19 deletions(-) rename roles/{debian-host => debian-base}/tasks/resolv.yml (100%) rename roles/{debian-host => debian-base}/templates/resolv.conf (100%) diff --git a/roles/debian-base/handlers/main.yml b/roles/debian-base/handlers/main.yml index 524348c..76239c2 100644 --- a/roles/debian-base/handlers/main.yml +++ b/roles/debian-base/handlers/main.yml @@ -18,4 +18,3 @@ service: name: nagios-nrpe-server state: restarted - diff --git a/roles/debian-base/tasks/install.yml b/roles/debian-base/tasks/install.yml index e02d485..635d024 100644 --- a/roles/debian-base/tasks/install.yml +++ b/roles/debian-base/tasks/install.yml @@ -7,4 +7,10 @@ - psmisc - bash-completion - screen - - aptitude \ No newline at end of file + - aptitude + - vim + - aptitude + - tree + - btop + - ncdu + - debconf-utils diff --git a/roles/debian-base/tasks/locale.yml b/roles/debian-base/tasks/locale.yml index 218c067..faf125b 100644 --- a/roles/debian-base/tasks/locale.yml +++ b/roles/debian-base/tasks/locale.yml 
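Review bot: `aptitude` now appears twice in the install.yml package list (the existing entry plus the new `- aptitude` after `vim`); apt is idempotent so nothing breaks, but the duplicate is noise and is only removed when PATCH 10/33 moves the list into `base_packages`. While the list is being touched, `with_items` runs one `apt` transaction per package; passing the whole list to `name:` installs everything in a single transaction and is the documented idiom for list installs. The file also gains its trailing newline back here, which is good.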
@@ -1,15 +1,6 @@ -- name: Enable locale languages - lineinfile: - dest: /etc/locale.gen - regexp: "{{item.regexp}}" - line: "{{item.line}}" - state: present - with_items: - - regexp: "^# es_ES.UTF-8 UTF-8" - line: "es_ES.UTF-8 UTF-8" - - regexp: "^# en_US.UTF-8 UTF-8" - line: "en_US.UTF-8 UTF-8" -- name: Generate locale - command: locale-gen -- name: Update locale - command: update-locale LANG=en_US.UTF-8 +- name: Set to generate locales + debconf: + name: locales + question: locales/locales_to_be_generated + value: en_US.UTF-8 UTF-8, es_ES.UTF-8 UTF-8 + vtype: multiselect diff --git a/roles/debian-base/tasks/main.yml b/roles/debian-base/tasks/main.yml index 405ee97..ab9c185 100644 --- a/roles/debian-base/tasks/main.yml +++ b/roles/debian-base/tasks/main.yml @@ -1,3 +1,5 @@ +- import_tasks: resolv.yml + tags: resolv - import_tasks: defuser.yml tags: defuser - import_tasks: install.yml diff --git a/roles/debian-host/tasks/resolv.yml b/roles/debian-base/tasks/resolv.yml similarity index 100% rename from roles/debian-host/tasks/resolv.yml rename to roles/debian-base/tasks/resolv.yml diff --git a/roles/debian-host/templates/resolv.conf b/roles/debian-base/templates/resolv.conf similarity index 100% rename from roles/debian-host/templates/resolv.conf rename to roles/debian-base/templates/resolv.conf diff --git a/roles/debian-host/tasks/main.yml b/roles/debian-host/tasks/main.yml index 11d6c3f..e4f179a 100644 --- a/roles/debian-host/tasks/main.yml +++ b/roles/debian-host/tasks/main.yml @@ -4,5 +4,3 @@ tags: sysctl - import_tasks: apparmor.yml tags: apparmor -- import_tasks: resolv.yml - tags: resolv -- 2.40.1 From 24864f694fb5f6804705ae3a18c3007ebbc6157d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?=
Date: Mon, 7 Oct 2024 12:35:23 +0200
Subject: [PATCH 08/33] Refs #8025 tasks from debian-base role tzdata refactor

---
 roles/debian-base/files/set-timezone.sh | 8 --------
 roles/debian-base/tasks/tzdata.yml | 12 ++++++++++--
 2 files changed, 10 insertions(+), 10 deletions(-)
 delete mode 100644 roles/debian-base/files/set-timezone.sh

diff --git a/roles/debian-base/files/set-timezone.sh b/roles/debian-base/files/set-timezone.sh
deleted file mode 100644
index 9e17f1c..0000000
--- a/roles/debian-base/files/set-timezone.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-
-echo 'tzdata tzdata/Areas select Europe' | debconf-set-selections
-echo 'tzdata tzdata/Zones/Europe select Madrid' | debconf-set-selections
-echo 'tzdata tzdata/Zones/Etc select UTC' | debconf-set-selections
-rm /etc/timezone
-rm /etc/localtime
-dpkg-reconfigure -f noninteractive tzdata
diff --git a/roles/debian-base/tasks/tzdata.yml b/roles/debian-base/tasks/tzdata.yml
index f5e34a8..9560354 100644
--- a/roles/debian-base/tasks/tzdata.yml
+++ b/roles/debian-base/tasks/tzdata.yml
@@ -1,2 +1,10 @@
-- name: Configure the time zone
- script: set-timezone.sh
+- name: Configure debconf for tzdata
+ debconf:
+ name: tzdata
+ question: "{{ item.question }}"
+ value: "{{ item.value }}"
+ vtype: "string"
+ loop:
+ - { question: "tzdata/Areas", value: "Europe" }
+ - { question: "tzdata/Zones/Europe", value: "Madrid" }
+ - { question: "tzdata/Zones/Etc", value: "UTC" }
-- 
2.40.1

From 4139e78a9d1363d21fbfd9052aff9374b86ff6ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?=
Date: Mon, 7 Oct 2024 13:10:30 +0200
Subject: [PATCH 09/33] Refs #8025 Update notify triggers in the debconf Ansible module for locales and tzdata to reconfigure packages.

---
 roles/debian-base/handlers/main.yml | 4 ++++
 roles/debian-base/tasks/locale.yml | 12 ++++++++----
 roles/debian-base/tasks/tzdata.yml | 1 +
 3 files changed, 13 insertions(+), 4 deletions(-)
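Review bot: Seeding the tzdata debconf answers does not by itself change the zone, and the deleted set-timezone.sh shows why the old approach also removed `/etc/timezone` and `/etc/localtime` before reconfiguring: as far as I recall, tzdata's config script reads the current zone from those files and resets the debconf answers to it, so even the `dpkg-reconfigure` handler added in PATCH 09/33 will keep whatever zone the host already has. The `timezone` module (`timezone: name: Europe/Madrid`) sets the zone idempotently without debconf and would replace this task and its handler outright. If the debconf route is kept, a comment above the loop should state that the existing files must be handled for the reconfigure to take effect, and `vtype: "string"` for what are `select` questions is worth a note as well. The flow-style loop items are fine at this size.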
diff --git a/roles/debian-base/handlers/main.yml b/roles/debian-base/handlers/main.yml
index 76239c2..8071c56 100644
--- a/roles/debian-base/handlers/main.yml
+++ b/roles/debian-base/handlers/main.yml
@@ -18,3 +18,7 @@
 service:
 name: nagios-nrpe-server
 state: restarted
+- name: Generate locales
+ command: /usr/sbin/locale-gen
+- name: Reconfigure tzdata
+ command: dpkg-reconfigure -f noninteractive tzdata
diff --git a/roles/debian-base/tasks/locale.yml b/roles/debian-base/tasks/locale.yml
index faf125b..3ee9e6d 100644
--- a/roles/debian-base/tasks/locale.yml
+++ b/roles/debian-base/tasks/locale.yml
@@ -1,6 +1,10 @@
-- name: Set to generate locales
+- name: Configure debconf for locales
 debconf:
 name: locales
- question: locales/locales_to_be_generated
- value: en_US.UTF-8 UTF-8, es_ES.UTF-8 UTF-8
- vtype: multiselect
+ question: "{{ item.question }}"
+ value: "{{ item.value }}"
+ vtype: "{{ item.vtype }}"
+ loop:
+ - { question: "locales/locales_to_be_generated", value: "en_US.UTF-8 UTF-8, es_ES.UTF-8 UTF-8", vtype: "multiselect" }
+ - { question: "locales/default_environment_locales", value: "en_US.UTF-8", vtype: "string" }
+ notify: Generate locales
diff --git a/roles/debian-base/tasks/tzdata.yml b/roles/debian-base/tasks/tzdata.yml
index 9560354..8683519 100644
--- a/roles/debian-base/tasks/tzdata.yml
+++ b/roles/debian-base/tasks/tzdata.yml
@@ -8,3 +8,4 @@
 - { question: "tzdata/Areas", value: "Europe" }
 - { question: "tzdata/Zones/Europe", value: "Madrid" }
 - { question: "tzdata/Zones/Etc", value: "UTC" }
+ notify: Reconfigure tzdata
-- 
2.40.1

From 7ec58a2f89a62db93dfb336177dac2b5087b8e6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Mon, 7 Oct 2024 15:42:12 +0200 Subject: [PATCH 10/33] Refs #8025 debian base rol - approche install packages, triggers-notify in main --- inventories/group_vars/all.yml | 11 ++++++ roles/debian-base/handlers/main.yml | 10 ++--- roles/debian-base/tasks/install.yml | 13 +------ roles/debian-base/tasks/locale.yml | 2 +- roles/debian-base/tasks/relayhost.yml | 53 ++++++++------------------- roles/debian-base/tasks/tzdata.yml | 2 +- 6 files changed, 34 insertions(+), 57 deletions(-) diff --git a/inventories/group_vars/all.yml b/inventories/group_vars/all.yml index 4615399..6eaa81a 100644 --- a/inventories/group_vars/all.yml +++ b/inventories/group_vars/all.yml @@ -19,3 +19,14 @@ awx_pub_key: > ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzAwWm+IsqZCgMzjdZ7Do3xWtVtoUCpWJpH7KSi2a/H awx@verdnatura.es +base_packages: + - htop + - psmisc + - bash-completion + - screen + - aptitude + - vim + - tree + - btop + - ncdu + - debconf-utils diff --git a/roles/debian-base/handlers/main.yml b/roles/debian-base/handlers/main.yml index 8071c56..169347f 100644 --- a/roles/debian-base/handlers/main.yml +++ b/roles/debian-base/handlers/main.yml @@ -2,10 +2,6 @@ service: name: systemd-timesyncd state: restarted -- name: restart-exim - service: - name: exim4 - state: restarted - name: restart-ssh service: name: ssh @@ -18,7 +14,9 @@ service: name: nagios-nrpe-server state: restarted -- name: Generate locales +- name: generate locales command: /usr/sbin/locale-gen -- name: Reconfigure tzdata +- name: reconfigure tzdata command: dpkg-reconfigure -f noninteractive tzdata +- name: update exim configuration + command: update-exim4.conf diff --git a/roles/debian-base/tasks/install.yml b/roles/debian-base/tasks/install.yml index 635d024..a43a71e 100644 --- a/roles/debian-base/tasks/install.yml +++ b/roles/debian-base/tasks/install.yml 
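Review bot: Removing the `restart-exim` handler in the first handlers hunk leaves nothing that restarts exim4 once its configuration changes: the new `update exim configuration` handler in the second hunk only runs `update-exim4.conf`, which regenerates the autogenerated config on disk, while the running daemon keeps serving the old one until it is restarted or reloaded. Keep a restart handler and chain it, e.g. add `- name: restart exim4` with `service: name: exim4 state: restarted` and have `update exim configuration` carry `notify: restart exim4` (handlers may notify handlers), or have the relayhost task notify both. The relayhost.yml hunk of this commit, which now notifies only the update handler, is affected by the same gap.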
@@ -2,15 +2,4 @@
 apt:
 name: "{{ item }}"
 state: present
- with_items:
- - htop
- - psmisc
- - bash-completion
- - screen
- - aptitude
- - vim
- - aptitude
- - tree
- - btop
- - ncdu
- - debconf-utils
+ loop: "{{ base_packages }}"
diff --git a/roles/debian-base/tasks/locale.yml b/roles/debian-base/tasks/locale.yml
index 3ee9e6d..788b79d 100644
--- a/roles/debian-base/tasks/locale.yml
+++ b/roles/debian-base/tasks/locale.yml
@@ -7,4 +7,4 @@
 loop:
 - { question: "locales/locales_to_be_generated", value: "en_US.UTF-8 UTF-8, es_ES.UTF-8 UTF-8", vtype: "multiselect" }
 - { question: "locales/default_environment_locales", value: "en_US.UTF-8", vtype: "string" }
- notify: Generate locales
+ notify: generate locales
diff --git a/roles/debian-base/tasks/relayhost.yml b/roles/debian-base/tasks/relayhost.yml
index 88ee3e2..c66b162 100644
--- a/roles/debian-base/tasks/relayhost.yml
+++ b/roles/debian-base/tasks/relayhost.yml
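Review bot: `loop: "{{ base_packages }}"` still drives one `apt` invocation per package, so the move to a variable keeps the slow path; dropping the loop and passing the list directly — `name: "{{ base_packages }}"` — resolves and installs everything in a single apt transaction, which is also what the `apt` module documentation recommends. Moving the list into group_vars is a good change on its own; a short comment above `base_packages` in all.yml saying these are installed on every Debian host by debian-base would connect the two files for the next reader.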
@@ -3,46 +3,25 @@ name: exim4 state: present - name: Prepare exim configuration - lineinfile: - dest: /etc/exim4/update-exim4.conf.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" + blockinfile: + path: /etc/exim4/update-exim4.conf.conf + marker_begin: '--- BEGIN VN ---' + marker_end: '--- END VN ---' + marker: "# {mark}" + block: | + dc_eximconfig_configtype='satellite' + dc_other_hostnames='{{ ansible_fqdn }}' + dc_local_interfaces='127.0.0.1' + dc_readhost='{{ ansible_fqdn }}' + dc_smarthost='{{ smtp_server }}' + dc_hide_mailname='true' state: present - mode: 0644 - with_items: - - regexp: '^dc_eximconfig_configtype' - line: "dc_eximconfig_configtype='satellite'" - - regexp: '^dc_other_hostnames' - line: "dc_other_hostnames='{{ ansible_fqdn }}'" - - regexp: '^dc_local_interfaces' - line: "dc_local_interfaces='127.0.0.1'" - - regexp: '^dc_readhost' - line: "dc_readhost='{{ ansible_fqdn }}'" - - regexp: '^dc_relay_domains' - line: "dc_relay_domains=''" - - regexp: '^dc_minimaldns' - line: "dc_minimaldns='false'" - - regexp: '^dc_relay_nets' - line: "dc_relay_nets=''" - - regexp: '^dc_smarthost' - line: "dc_smarthost='{{ smtp_server }}'" - - regexp: '^CFILEMODE' - line: "CFILEMODE='644'" - - regexp: '^dc_use_split_config' - line: "dc_use_split_config='false'" - - regexp: '^dc_hide_mailname' - line: "dc_hide_mailname='true'" - - regexp: '^dc_mailname_in_oh' - line: "dc_mailname_in_oh='true'" - - regexp: '^dc_localdelivery' - line: "dc_localdelivery='mail_spool'" - notify: restart-exim + create: yes + mode: '0644' + notify: update exim configuration register: exim_config -- name: Update exim configuration - command: update-exim4.conf - when: exim_config.changed - name: Sending mail to verify relay host configuration works shell: > echo "If you see this message, relayhost on {{ ansible_fqdn }} has been configured correctly." \ | mailx -s "Relayhost test for {{ ansible_fqdn }}" "{{ sysadmin_mail }}" - when: exim_config.changed + when: exim_config.changed 
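Review bot: The verification mail task still runs before the `update exim configuration` handler, because handlers fire at the end of the play, so the message is sent with the previous configuration; a `- meta: flush_handlers` task between the blockinfile and the mail task fixes the ordering. The blockinfile also stops managing `dc_relay_nets`, `dc_relay_domains`, `dc_localdelivery`, `dc_use_split_config` and the other keys the lineinfile loop used to pin; the package defaults for those are presumably acceptable, but that should be a deliberate choice noted in a comment, and since the block is appended after the package's own assignments the override only holds as long as the file keeps being read top to bottom. Minor: `create: yes` should be `create: true`, and `when: exim_config.changed` reads better as `when: exim_config is changed`.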
diff --git a/roles/debian-base/tasks/tzdata.yml b/roles/debian-base/tasks/tzdata.yml index 8683519..3f9bf17 100644 --- a/roles/debian-base/tasks/tzdata.yml +++ b/roles/debian-base/tasks/tzdata.yml @@ -8,4 +8,4 @@ - { question: "tzdata/Areas", value: "Europe" } - { question: "tzdata/Zones/Europe", value: "Madrid" } - { question: "tzdata/Zones/Etc", value: "UTC" } - notify: Reconfigure tzdata + notify: reconfigure tzdata -- 2.40.1 From 32fa5102ce9657625e22fe09b8c405ca1c0ea74a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Mon, 7 Oct 2024 16:41:41 +0200 Subject: [PATCH 11/33] Refs #8025 debian base rol - more locales and group vars --- inventories/group_vars/all.yml | 3 +++ roles/debian-base/tasks/locale.yml | 14 +++++--------- 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/inventories/group_vars/all.yml b/inventories/group_vars/all.yml index 6eaa81a..615b73f 100644 --- a/inventories/group_vars/all.yml +++ b/inventories/group_vars/all.yml @@ -30,3 +30,6 @@ base_packages: - btop - ncdu - debconf-utils +locales_present: + - en_US.UTF-8 + - es_ES.UTF-8 diff --git a/roles/debian-base/tasks/locale.yml b/roles/debian-base/tasks/locale.yml index 788b79d..9063486 100644 --- a/roles/debian-base/tasks/locale.yml +++ b/roles/debian-base/tasks/locale.yml @@ -1,10 +1,6 @@ -- name: Configure debconf for locales - debconf: - name: locales - question: "{{ item.question }}" - value: "{{ item.value }}" - vtype: "{{ item.vtype }}" - loop: - - { question: "locales/locales_to_be_generated", value: "en_US.UTF-8 UTF-8, es_ES.UTF-8 UTF-8", vtype: "multiselect" } - - { question: "locales/default_environment_locales", value: "en_US.UTF-8", vtype: "string" } +- name: make sure locales in variable are generated + locale_gen: + name: "{{ item }}" + state: present + with_items: "{{ locales_present }}" notify: generate locales -- 2.40.1 From 88c47d3c3af51faef3a7230756e9b7b67eea17ce Mon Sep 17 00:00:00 2001 
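Review bot: Replacing the debconf task with `locale_gen` drops the `locales/default_environment_locales` answer, so `/etc/default/locale` (LANG) is no longer set to en_US.UTF-8 on a fresh host; add a task that writes it, e.g. `lineinfile: path: /etc/default/locale regexp: '^LANG=' line: 'LANG=en_US.UTF-8'`, or keep that one debconf question. As far as I can tell `locale_gen` already runs `locale-gen` for the locale it adds, so `notify: generate locales` is redundant on this task. The file also mixes `with_items` with the `loop` used in install.yml; `loop: "{{ locales_present }}"` keeps the role consistent.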
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Tue, 8 Oct 2024 12:34:52 +0200 Subject: [PATCH 12/33] Refs #8025 Rol debian-base. Task relayhost fix and handler exim update config. --- roles/debian-base/handlers/main.yml | 2 +- roles/debian-base/tasks/relayhost.yml | 6 ++++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/roles/debian-base/handlers/main.yml b/roles/debian-base/handlers/main.yml index 169347f..379bf91 100644 --- a/roles/debian-base/handlers/main.yml +++ b/roles/debian-base/handlers/main.yml @@ -19,4 +19,4 @@ - name: reconfigure tzdata command: dpkg-reconfigure -f noninteractive tzdata - name: update exim configuration - command: update-exim4.conf + command: /usr/sbin/update-exim4.conf diff --git a/roles/debian-base/tasks/relayhost.yml b/roles/debian-base/tasks/relayhost.yml index c66b162..13c46f5 100644 --- a/roles/debian-base/tasks/relayhost.yml +++ b/roles/debian-base/tasks/relayhost.yml @@ -20,8 +20,10 @@ mode: '0644' notify: update exim configuration register: exim_config +- name: Force execution of handlers immediately + meta: flush_handlers - name: Sending mail to verify relay host configuration works shell: > - echo "If you see this message, relayhost on {{ ansible_fqdn }} has been configured correctly." \ + sleep 2; echo "If you see this message, relayhost on {{ ansible_fqdn }} has been configured correctly." \ | mailx -s "Relayhost test for {{ ansible_fqdn }}" "{{ sysadmin_mail }}" - when: exim_config.changed + when: exim_config.changed -- 2.40.1 From 3ad39e03a8bc7777a30c9381007320106f918d5a Mon Sep 17 00:00:00 2001 
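Review bot: The mail task interpolates `sysadmin_mail` and `ansible_fqdn` straight into a `shell` command; double quotes do not stop `$`, backticks or `;` from being interpreted, so an inventory value containing shell metacharacters would run as root on the target. Pass the values through the quote filter, `"{{ sysadmin_mail | quote }}"` and likewise for the `ansible_fqdn` occurrences in the subject and body, or build the message with `command` and `argv`. `sleep 2;` is a timing guess rather than a readiness check, and `meta: flush_handlers` fires every handler notified earlier in the play (ssh, nrpe, timesyncd restarts), not only the exim one — worth stating in the task name so the side effect is visible to the next reader.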
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Tue, 8 Oct 2024 16:12:56 +0200 Subject: [PATCH 13/33] Refs #8025 Rol debian-base. Task nrpe fix, vars remove and move to group_vars and defaults. --- inventories/group_vars/all.yml | 1 + roles/debian-base/defaults/main.yaml | 3 +++ roles/debian-base/handlers/main.yml | 2 +- roles/debian-base/tasks/nrpe.yml | 2 ++ roles/debian-base/vars/main.yml | 3 --- 5 files changed, 7 insertions(+), 4 deletions(-) delete mode 100644 roles/debian-base/vars/main.yml diff --git a/inventories/group_vars/all.yml b/inventories/group_vars/all.yml index 2e8d5ad..fdadcd2 100644 --- a/inventories/group_vars/all.yml +++ b/inventories/group_vars/all.yml @@ -31,6 +31,7 @@ base_packages: - btop - ncdu - debconf-utils + - net-tools locales_present: - en_US.UTF-8 - es_ES.UTF-8 diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml index 6bd18b1..fa8f6da 100644 --- a/roles/debian-base/defaults/main.yaml +++ b/roles/debian-base/defaults/main.yaml @@ -5,3 +5,6 @@ fail2ban: bantime: 600 maxretry: 4 ignore: "127.0.0.0/8 {{ dc_net }}" +vn_host: + url: http://apt.verdnatura.es/pool/main/v/vn-host + package: vn-host_2.0.2_all.deb diff --git a/roles/debian-base/handlers/main.yml b/roles/debian-base/handlers/main.yml index 379bf91..2626302 100644 --- a/roles/debian-base/handlers/main.yml +++ b/roles/debian-base/handlers/main.yml @@ -19,4 +19,4 @@ - name: reconfigure tzdata command: dpkg-reconfigure -f noninteractive tzdata - name: update exim configuration - command: /usr/sbin/update-exim4.conf + command: /usr/sbin/update-exim4.conf \ No newline at end of file diff --git a/roles/debian-base/tasks/nrpe.yml b/roles/debian-base/tasks/nrpe.yml index 57ab588..31e5f64 100644 --- a/roles/debian-base/tasks/nrpe.yml +++ b/roles/debian-base/tasks/nrpe.yml 
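Review bot: `url: http://apt.verdnatura.es/pool/main/v/vn-host` is fetched over plain HTTP and the resulting .deb is installed as root with no checksum or signature verification anywhere visible in the role (vn-repo.yml: the `get_url` in the patch 21 hunk, and `apt: deb: "{{ vn_host.url }}/{{ vn_host.package }}"` after the patch 25 hunk), so anyone on the network path could substitute the package. Prefer `https://`, and either pin a digest on the download (`checksum: "sha256:<digest of vn-host_2.0.2_all.deb>"`) or, since the host is an apt repository, configure it as a signed source and install with `apt: name: vn-host`. Moving the values from vars/ to defaults/ is right, because role vars cannot be overridden from inventory.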
@@ -2,9 +2,11 @@ apt: name: "{{ item }}" state: present + install_recommends: no loop: - nagios-nrpe-server - nagios-plugins-contrib + - monitoring-plugins-basic - name: Set NRPE generic configuration template: src: nrpe.cfg diff --git a/roles/debian-base/vars/main.yml b/roles/debian-base/vars/main.yml deleted file mode 100644 index 17fe0d6..0000000 --- a/roles/debian-base/vars/main.yml +++ /dev/null @@ -1,3 +0,0 @@ -vn_host: - url: http://apt.verdnatura.es/pool/main/v/vn-host - package: vn-host_2.0.2_all.deb -- 2.40.1 From 616beda4b7d74c5903970fe11db387a2c8cabe93 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Tue, 8 Oct 2024 16:35:53 +0200 Subject: [PATCH 14/33] Refs #8025 Debian-base - minor fix nrpe to bind ipv4 --- roles/debian-base/tasks/nrpe.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/roles/debian-base/tasks/nrpe.yml b/roles/debian-base/tasks/nrpe.yml index 31e5f64..bf6aff3 100644 --- a/roles/debian-base/tasks/nrpe.yml +++ b/roles/debian-base/tasks/nrpe.yml @@ -14,7 +14,6 @@ owner: root group: root mode: u=rw,g=r,o=r - notify: restart-nrpe - name: Create NRPE local configuration file file: path: /etc/nagios/nrpe.d/99-local.cfg @@ -24,3 +23,9 @@ mode: u=rw,g=r,o= modification_time: preserve access_time: preserve +- name: Configure nrpe.cfg to bind ipv4 + lineinfile: + path: /etc/nagios/nrpe.cfg + regexp: '^#server_address=127.0.0.1' + line: 'server_address={{ ansible_default_ipv4.address }}' + notify: restart-nrpe \ No newline at end of file -- 2.40.1 From d14b123219b9c9b0f22adaf1ecf9935a53141ae0 Mon Sep 17 00:00:00 2001 
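Review bot: `install_recommends: no` uses a YAML 1.1 truthy spelling that yamllint's `truthy` rule flags; the role is moving to real booleans elsewhere, so write `install_recommends: false`. The explicit `monitoring-plugins-basic` entry is presumably there because recommends are now suppressed; a one-line comment saying so would save the next reader a lookup.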
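Review bot: `regexp: '^#server_address=127.0.0.1'` only matches the pristine commented-out default, so once the line has been rewritten to `server_address=<ip>` the regexp no longer matches and, if `ansible_default_ipv4.address` ever changes, lineinfile would append a second `server_address=` line instead of replacing the first. Use `regexp: '^#?server_address='` so both the commented default and an earlier managed value are matched; if the literal address is kept, its dots should be escaped. The task also fails on a host without a default IPv4 route, where `ansible_default_ipv4.address` is undefined — guard it with `when: ansible_default_ipv4.address is defined` or fall back to `127.0.0.1`. The file now ends without a newline.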
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Thu, 10 Oct 2024 11:49:42 +0200 Subject: [PATCH 15/33] Refs #8025 Rol debian-base. Task timesync systemd fix, vars add to defaults, refactor handlers --- roles/debian-base/defaults/main.yaml | 1 + roles/debian-base/handlers/main.yml | 12 ++++++------ roles/debian-base/tasks/main.yml | 2 ++ roles/debian-base/tasks/timesync.yml | 26 ++++++++++++++------------ 4 files changed, 23 insertions(+), 18 deletions(-) diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml index fa8f6da..5b2dc17 100644 --- a/roles/debian-base/defaults/main.yaml +++ b/roles/debian-base/defaults/main.yaml @@ -8,3 +8,4 @@ fail2ban: vn_host: url: http://apt.verdnatura.es/pool/main/v/vn-host package: vn-host_2.0.2_all.deb +time_server_spain: ntp.roa.es diff --git a/roles/debian-base/handlers/main.yml b/roles/debian-base/handlers/main.yml index 2626302..8ffbd80 100644 --- a/roles/debian-base/handlers/main.yml +++ b/roles/debian-base/handlers/main.yml @@ -1,17 +1,17 @@ -- name: restart-timesyncd - service: +- name: restart systemd-timesyncd + systemd: name: systemd-timesyncd state: restarted - name: restart-ssh - service: + systemd: name: ssh state: restarted - name: restart-fail2ban - service: + systemd: name: fail2ban state: restarted - name: restart-nrpe - service: + systemd: name: nagios-nrpe-server state: restarted - name: generate locales @@ -19,4 +19,4 @@ - name: reconfigure tzdata command: dpkg-reconfigure -f noninteractive tzdata - name: update exim configuration - command: /usr/sbin/update-exim4.conf \ No newline at end of file + command: /usr/sbin/update-exim4.conf diff --git a/roles/debian-base/tasks/main.yml b/roles/debian-base/tasks/main.yml index ab9c185..665c208 100644 --- a/roles/debian-base/tasks/main.yml +++ b/roles/debian-base/tasks/main.yml 
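Review bot: The rename leaves handlers/main.yml with two naming schemes — `restart systemd-timesyncd`, `generate locales`, `update exim configuration` with spaces next to `restart-ssh`, `restart-fail2ban`, `restart-nrpe` with hyphens — and because handlers are addressed by exact name from `notify:`, mixed schemes invite silent no-ops when a notify is mistyped. Rename the remaining three in the same commit (`restart ssh`, `restart fail2ban`, `restart nrpe`) together with their `notify:` lines. Restoring the trailing newline at the end of the file is good.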
@@ -1,5 +1,7 @@ - import_tasks: resolv.yml tags: resolv +- import_tasks: timesync.yml + tags: timesync - import_tasks: defuser.yml tags: defuser - import_tasks: install.yml diff --git a/roles/debian-base/tasks/timesync.yml b/roles/debian-base/tasks/timesync.yml index 708a409..103234f 100644 --- a/roles/debian-base/tasks/timesync.yml +++ b/roles/debian-base/tasks/timesync.yml @@ -1,21 +1,23 @@ -- name: Configure /etc/systemd/timesyncd.conf - lineinfile: - path: /etc/systemd/timesyncd.conf - regexp: '^#NTP' - line: "NTP={{ time_server }}" +- name: Ensure directory for timesyncd custom configuration exists + file: + path: /etc/systemd/timesyncd.conf.d/ + state: directory owner: root group: root - mode: '0644' -- name: Configure /etc/systemd/timesyncd.conf - lineinfile: - path: /etc/systemd/timesyncd.conf - regexp: '^#?FallbackNTP=' - line: "FallbackNTP=ntp.roa.es" + mode: '0755' +- name: Configure NTP settings in /etc/systemd/timesyncd.conf.d/vn-ntp.conf + copy: + dest: /etc/systemd/timesyncd.conf.d/vn-ntp.conf + content: | + [Time] + NTP={{ time_server }} + FallbackNTP={{ time_server_spain }} owner: root group: root mode: '0644' notify: restart systemd-timesyncd -- name: Service should start on boot +- name: Ensure systemd-timesyncd service is enabled and started service: name: systemd-timesyncd enabled: yes + state: started -- 2.40.1 From 33586c7f961d0d600d9504d0f8bd122ef9ea431e Mon Sep 17 00:00:00 2001 
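Review bot: Hosts already configured by the previous version keep the `NTP={{ time_server }}` and `FallbackNTP=ntp.roa.es` lines that lineinfile wrote into `/etc/systemd/timesyncd.conf`, and the new drop-in does not remove them; whether the drop-in's `NTP=` replaces or extends the main file's value is something I would verify on a host rather than assume, so a migration task that restores the `#NTP=` / `#FallbackNTP=` lines (or a comment explaining why it is unnecessary) would make the behaviour explicit. `enabled: yes` should be `enabled: true`. Adding `state: started` and the `restart systemd-timesyncd` notify are correct and match the renamed handler.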
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Thu, 10 Oct 2024 13:21:32 +0200 Subject: [PATCH 16/33] Refs #8025 Rol debian-base. Task install, nrpe, fail2ban fix, refactor handlers --- inventories/group_vars/all.yml | 1 - roles/debian-base/defaults/main.yaml | 3 +++ roles/debian-base/tasks/fail2ban.yml | 7 ++----- roles/debian-base/tasks/install.yml | 3 +-- roles/debian-base/tasks/main.yml | 2 ++ roles/debian-base/tasks/nrpe.yml | 6 +----- roles/debian-once/handlers/main.yml | 4 ++++ roles/debian-once/tasks/ssh.yml | 20 +++++++++++++++++--- 8 files changed, 30 insertions(+), 16 deletions(-) create mode 100644 roles/debian-once/handlers/main.yml diff --git a/inventories/group_vars/all.yml b/inventories/group_vars/all.yml index fdadcd2..28f9649 100644 --- a/inventories/group_vars/all.yml +++ b/inventories/group_vars/all.yml @@ -26,7 +26,6 @@ base_packages: - bash-completion - screen - aptitude - - vim - tree - btop - ncdu diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml index 5b2dc17..92d106e 100644 --- a/roles/debian-base/defaults/main.yaml +++ b/roles/debian-base/defaults/main.yaml @@ -5,6 +5,9 @@ fail2ban: bantime: 600 maxretry: 4 ignore: "127.0.0.0/8 {{ dc_net }}" +fail2ban_base_packages: + - fail2ban + - rsyslog vn_host: url: http://apt.verdnatura.es/pool/main/v/vn-host package: vn-host_2.0.2_all.deb diff --git a/roles/debian-base/tasks/fail2ban.yml b/roles/debian-base/tasks/fail2ban.yml index 709bafe..838e89e 100644 --- a/roles/debian-base/tasks/fail2ban.yml +++ b/roles/debian-base/tasks/fail2ban.yml @@ -1,10 +1,7 @@ -- name: Install fail2ban packages +- name: Install fail2ban and rsyslog packages apt: - name: fail2ban + name: "{{ fail2ban_base_packages }}" state: present - loop: - - fail2ban - - rsyslog - name: Configure fail2ban service template: src: jail.local diff --git a/roles/debian-base/tasks/install.yml b/roles/debian-base/tasks/install.yml index a43a71e..396832c 100644 
--- a/roles/debian-base/tasks/install.yml +++ b/roles/debian-base/tasks/install.yml @@ -1,5 +1,4 @@ - name: Install base packages apt: - name: "{{ item }}" + name: "{{ base_packages }}" state: present - loop: "{{ base_packages }}" diff --git a/roles/debian-base/tasks/main.yml b/roles/debian-base/tasks/main.yml index 665c208..74471b2 100644 --- a/roles/debian-base/tasks/main.yml +++ b/roles/debian-base/tasks/main.yml @@ -20,3 +20,5 @@ tags: vim - import_tasks: nrpe.yml tags: nrpe +- import_tasks: fail2ban.yml + tags: fail2ban diff --git a/roles/debian-base/tasks/nrpe.yml b/roles/debian-base/tasks/nrpe.yml index bf6aff3..d5e98a1 100644 --- a/roles/debian-base/tasks/nrpe.yml +++ b/roles/debian-base/tasks/nrpe.yml @@ -1,12 +1,8 @@ - name: Install NRPE packages apt: - name: "{{ item }}" + name: "{{ nagios_packages }}" state: present install_recommends: no - loop: - - nagios-nrpe-server - - nagios-plugins-contrib - - monitoring-plugins-basic - name: Set NRPE generic configuration template: src: nrpe.cfg diff --git a/roles/debian-once/handlers/main.yml b/roles/debian-once/handlers/main.yml new file mode 100644 index 0000000..18c505e --- /dev/null +++ b/roles/debian-once/handlers/main.yml @@ -0,0 +1,4 @@ +- name: restart sshd + systemd: + name: sshd + state: restarted diff --git a/roles/debian-once/tasks/ssh.yml b/roles/debian-once/tasks/ssh.yml index 84877cc..26f7a8b 100644 --- a/roles/debian-once/tasks/ssh.yml +++ b/roles/debian-once/tasks/ssh.yml 
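Review bot: `name: "{{ nagios_packages }}"` in nrpe.yml references a variable that nothing in this commit defines — the inline list it replaces is deleted here and `nagios_packages` only appears in defaults/main.yaml in a later patch — so the role fails with an undefined variable at this revision. The defaults entry belongs in the same commit as the task that consumes it, as was done for `fail2ban_base_packages` in this very patch. The install.yml change to a list in `name:` is the right fix for the per-package loop.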
@@ -1,10 +1,24 @@ +- name: Generate a new SSH key pair + openssh_keypair: + path: /etc/ssh/ssh_host_rsa_key + type: rsa + size: 4096 + register: new_pair +- name: Configure sshd_config settings + lineinfile: + path: /etc/ssh/sshd_config + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + loop: + - { regexp: '^#ListenAddress 0.0.0.0', line: 'ListenAddress 0.0.0.0' } + - { regexp: '^#SyslogFacility AUTH', line: 'SyslogFacility AUTH' } - name: Delete old host SSH keys file: path: "{{ item }}" state: absent with_items: - /etc/ssh/ssh_host_ecdsa_key + - /etc/ssh/ssh_host_ecdsa_key.pub - /etc/ssh/ssh_host_ed25519_key - - /etc/ssh/ssh_host_rsa_key -- name: Regenerate host SSH keys - command: dpkg-reconfigure openssh-server + - /etc/ssh/ssh_host_ed25519_key.pub + when: new_pair is succeeded -- 2.40.1 From 06cc6fa26bf20f0baf20f75dde74fd3d5f176de6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Thu, 10 Oct 2024 13:36:16 +0200 Subject: [PATCH 17/33] Refs #8025 Rol debian-base. Task ssh move from debian-once to ., refactor handlers --- roles/debian-base/defaults/main.yaml | 4 ++++ roles/debian-base/handlers/main.yml | 4 ++++ roles/debian-base/tasks/main.yml | 2 ++ roles/{debian-once => debian-base}/tasks/ssh.yml | 3 ++- roles/debian-once/handlers/main.yml | 4 ---- roles/debian-once/tasks/main.yml | 2 -- 6 files changed, 12 insertions(+), 7 deletions(-) rename roles/{debian-once => debian-base}/tasks/ssh.yml (92%) delete mode 100644 roles/debian-once/handlers/main.yml diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml index 92d106e..138dcdc 100644 --- a/roles/debian-base/defaults/main.yaml +++ b/roles/debian-base/defaults/main.yaml @@ -12,3 +12,7 @@ vn_host: url: http://apt.verdnatura.es/pool/main/v/vn-host package: vn-host_2.0.2_all.deb time_server_spain: ntp.roa.es +nagios_packages: + - nagios-nrpe-server + - nagios-plugins-contrib + - monitoring-plugins-basic 
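Review bot: `openssh_keypair` with `path: /etc/ssh/ssh_host_rsa_key` is a no-op when the file already exists, so a VM cloned from a template keeps the image's RSA host key — exactly what the removed `dpkg-reconfigure openssh-server` step was there to prevent; if the goal is fresh per-host keys, add `force: true` (or the `regenerate:` option where the installed collection supports it) and restrict the task to first run, e.g. with a marker file or a `stat`-based `when:`. Deleting the ed25519 pair leaves RSA as the only host key type; that is a policy choice worth a comment, since ed25519 is the type modern clients prefer. `when: new_pair is succeeded` is always true by the time that task runs (a failed keypair task stops the play), and `ListenAddress 0.0.0.0` silently disables IPv6 listening — say so in a comment if intended.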
diff --git a/roles/debian-base/handlers/main.yml b/roles/debian-base/handlers/main.yml index 8ffbd80..6d3fab4 100644 --- a/roles/debian-base/handlers/main.yml +++ b/roles/debian-base/handlers/main.yml @@ -14,6 +14,10 @@ systemd: name: nagios-nrpe-server state: restarted +- name: restart sshd + systemd: + name: sshd + state: restarted - name: generate locales command: /usr/sbin/locale-gen - name: reconfigure tzdata diff --git a/roles/debian-base/tasks/main.yml b/roles/debian-base/tasks/main.yml index 74471b2..0228231 100644 --- a/roles/debian-base/tasks/main.yml +++ b/roles/debian-base/tasks/main.yml @@ -2,6 +2,8 @@ tags: resolv - import_tasks: timesync.yml tags: timesync +- import_tasks: ssh.yml + tags: ssh - import_tasks: defuser.yml tags: defuser - import_tasks: install.yml diff --git a/roles/debian-once/tasks/ssh.yml b/roles/debian-base/tasks/ssh.yml similarity index 92% rename from roles/debian-once/tasks/ssh.yml rename to roles/debian-base/tasks/ssh.yml index 26f7a8b..0fb844b 100644 --- a/roles/debian-once/tasks/ssh.yml +++ b/roles/debian-base/tasks/ssh.yml @@ -3,7 +3,7 @@ path: /etc/ssh/ssh_host_rsa_key type: rsa size: 4096 - register: new_pair + register: new_pair - name: Configure sshd_config settings lineinfile: path: /etc/ssh/sshd_config @@ -22,3 +22,4 @@ - /etc/ssh/ssh_host_ed25519_key - /etc/ssh/ssh_host_ed25519_key.pub when: new_pair is succeeded + notify: restart sshd diff --git a/roles/debian-once/handlers/main.yml b/roles/debian-once/handlers/main.yml deleted file mode 100644 index 18c505e..0000000 --- a/roles/debian-once/handlers/main.yml +++ /dev/null @@ -1,4 +0,0 @@ -- name: restart sshd - systemd: - name: sshd - state: restarted diff --git a/roles/debian-once/tasks/main.yml b/roles/debian-once/tasks/main.yml index b77c6fc..e5da03c 100644 --- a/roles/debian-once/tasks/main.yml +++ b/roles/debian-once/tasks/main.yml @@ -1,4 +1,2 @@ -- import_tasks: ssh.yml - tags: ssh - import_tasks: root.yml tags: root -- 2.40.1 
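Review bot: The new `restart sshd` handler duplicates the existing `restart-ssh` handler a few lines above; on Debian the unit is `ssh.service` (I believe `sshd.service` is provided as an alias on current releases, but check the oldest target), so two handlers targeting `ssh` and `sshd` under different names is both redundant and fragile. Keep one handler, `restart ssh` with `name: ssh`, and point every `notify:` at it.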
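Review bot: `notify: restart sshd` is attached to the key-deletion task only, so when the RSA host key is (re)generated but the ecdsa/ed25519 files were already absent, nothing restarts sshd and it keeps serving the old key until the next restart. Put the `notify:` on the `openssh_keypair` task as well; notifying from both is harmless because a handler runs once per play. The indentation fix of `register: new_pair` is right, and moving ssh.yml into debian-base is consistent with the handler now living there.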
From e195130241853b83a22a6408cdd556d75f626fcb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Thu, 10 Oct 2024 14:47:43 +0200 Subject: [PATCH 18/33] Refs #8025 Rol debian-base. Task fail2ban jinga template. --- roles/debian-base/defaults/main.yaml | 1 + roles/debian-base/templates/jail.local | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml index 138dcdc..f7f697f 100644 --- a/roles/debian-base/defaults/main.yaml +++ b/roles/debian-base/defaults/main.yaml @@ -5,6 +5,7 @@ fail2ban: bantime: 600 maxretry: 4 ignore: "127.0.0.0/8 {{ dc_net }}" + logpath: "/var/log/auth.log" fail2ban_base_packages: - fail2ban - rsyslog diff --git a/roles/debian-base/templates/jail.local b/roles/debian-base/templates/jail.local index 838b4ed..0e4ef17 100644 --- a/roles/debian-base/templates/jail.local +++ b/roles/debian-base/templates/jail.local @@ -17,4 +17,4 @@ action = %(action_)s enabled = true port = 0:65535 filter = sshd -logpath = %(sshd_log)s +logpath = {{ fail2ban.logpath }} -- 2.40.1 From 94ca22734d1f299e568e20ba3cd08a154e7da312 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Thu, 10 Oct 2024 15:48:34 +0200 Subject: [PATCH 19/33] Refs #8025 Rol debian-base. Task ssh to conf.d directory --- roles/debian-base/tasks/ssh.yml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/roles/debian-base/tasks/ssh.yml b/roles/debian-base/tasks/ssh.yml index 0fb844b..1ff39a2 100644 --- a/roles/debian-base/tasks/ssh.yml +++ b/roles/debian-base/tasks/ssh.yml 
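Review bot: `fail2ban.logpath` is a key inside the `fail2ban` dict in role defaults; with Ansible's default `hash_behaviour=replace`, any inventory that overrides `fail2ban:` to change `bantime` or `maxretry` replaces the whole dict and `{{ fail2ban.logpath }}` becomes undefined, failing the template render. A flat variable such as `fail2ban_logpath: /var/log/auth.log`, matching `fail2ban_base_packages`, avoids that trap. Dropping `%(sshd_log)s` also ties the jail to rsyslog's auth.log; since rsyslog is installed by the same role that is consistent, but `backend = systemd` would remove the file dependency altogether.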
@@ -5,13 +5,17 @@ size: 4096 register: new_pair - name: Configure sshd_config settings - lineinfile: - path: /etc/ssh/sshd_config - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - loop: - - { regexp: '^#ListenAddress 0.0.0.0', line: 'ListenAddress 0.0.0.0' } - - { regexp: '^#SyslogFacility AUTH', line: 'SyslogFacility AUTH' } + copy: + dest: /etc/ssh/sshd_config.d/custom.conf + content: | + # Do not edit this file! Ansible will overwrite it. + + ListenAddress 0.0.0.0 + SyslogFacility AUTH + permitRootLogin yes + owner: root + group: root + mode: '0644' - name: Delete old host SSH keys file: path: "{{ item }}" -- 2.40.1 From 3e7771ba4c945b162d15047dd8719cdf1433a797 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Thu, 10 Oct 2024 16:06:01 +0200 Subject: [PATCH 20/33] Refs #8025 Rol debian-base. Task ssh refactor --- roles/debian-base/tasks/ssh.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/debian-base/tasks/ssh.yml b/roles/debian-base/tasks/ssh.yml index 1ff39a2..2179974 100644 --- a/roles/debian-base/tasks/ssh.yml +++ b/roles/debian-base/tasks/ssh.yml @@ -13,9 +13,9 @@ ListenAddress 0.0.0.0 SyslogFacility AUTH permitRootLogin yes - owner: root - group: root - mode: '0644' + owner: root + group: root + mode: '0644' - name: Delete old host SSH keys file: path: "{{ item }}" -- 2.40.1 From 588db894a1cf1e4bc9c179d21f1ea768f91002ba Mon Sep 17 00:00:00 2001 
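Review bot: `permitRootLogin yes` in the new drop-in enables root login over SSH, including password authentication, on every host the role touches; sshd matches keywords case-insensitively and the stock config's `Include /etc/ssh/sshd_config.d/*.conf` comes first, so this drop-in wins over the main file and the line is not a no-op. Unless root password logins are an explicit requirement, drop the line or use `PermitRootLogin prohibit-password`. The task also has no `notify:` (the change is not applied until something else restarts sshd) and no `validate:`; `validate: /usr/sbin/sshd -t -f %s` refuses to write a drop-in that would keep sshd from starting, which matters once a restart handler is attached. The `owner/group/mode` keys appear to be indented under `content:` here rather than under `copy:`; the following patch re-indents them.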
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Thu, 10 Oct 2024 16:12:29 +0200 Subject: [PATCH 21/33] Refs #8025 Rol debian-base. All task - Refactor from octal permissions to plain text --- roles/debian-base/tasks/bacula.yml | 2 +- roles/debian-base/tasks/fail2ban.yml | 2 +- roles/debian-base/tasks/motd.yml | 2 +- roles/debian-base/tasks/profile.yml | 2 +- roles/debian-base/tasks/relayhost.yml | 2 +- roles/debian-base/tasks/resolv.yml | 2 +- roles/debian-base/tasks/ssh.yml | 5 ++--- roles/debian-base/tasks/timesync.yml | 4 ++-- roles/debian-base/tasks/vim.yml | 2 +- roles/debian-base/tasks/vn-repo.yml | 2 +- 10 files changed, 12 insertions(+), 13 deletions(-) diff --git a/roles/debian-base/tasks/bacula.yml b/roles/debian-base/tasks/bacula.yml index ef04a37..2cfcb6d 100644 --- a/roles/debian-base/tasks/bacula.yml +++ b/roles/debian-base/tasks/bacula.yml @@ -12,7 +12,7 @@ dest: /etc/bacula/bacula-fd.conf owner: root group: bacula - mode: '0640' + mode: u=rw,g=r,o= backup: true - name: Restart Bacula FD service service: diff --git a/roles/debian-base/tasks/fail2ban.yml b/roles/debian-base/tasks/fail2ban.yml index 838e89e..a3ed3f1 100644 --- a/roles/debian-base/tasks/fail2ban.yml +++ b/roles/debian-base/tasks/fail2ban.yml @@ -8,5 +8,5 @@ dest: /etc/fail2ban/jail.local owner: root group: root - mode: '0644' + mode: u=rw,g=r,o=r notify: restart-fail2ban diff --git a/roles/debian-base/tasks/motd.yml b/roles/debian-base/tasks/motd.yml index a51f73b..486e705 100644 --- a/roles/debian-base/tasks/motd.yml +++ b/roles/debian-base/tasks/motd.yml @@ -2,6 +2,6 @@ copy: src: motd dest: /etc/update-motd.d/90-vn - mode: '755' + mode: u=rwx,g=rx,o=rx owner: root group: root diff --git a/roles/debian-base/tasks/profile.yml b/roles/debian-base/tasks/profile.yml index 7b02471..e8df993 100644 --- a/roles/debian-base/tasks/profile.yml +++ b/roles/debian-base/tasks/profile.yml 
@@ -2,6 +2,6 @@ copy: src: profile.sh dest: /etc/profile.d/vn.sh - mode: '644' + mode: u=rw,g=r,o=r owner: root group: root diff --git a/roles/debian-base/tasks/relayhost.yml b/roles/debian-base/tasks/relayhost.yml index 13c46f5..dc04fe1 100644 --- a/roles/debian-base/tasks/relayhost.yml +++ b/roles/debian-base/tasks/relayhost.yml @@ -17,7 +17,7 @@ dc_hide_mailname='true' state: present create: yes - mode: '0644' + mode: u=rw,g=r,o=r notify: update exim configuration register: exim_config - name: Force execution of handlers immediately diff --git a/roles/debian-base/tasks/resolv.yml b/roles/debian-base/tasks/resolv.yml index 60455c0..1ee5af7 100644 --- a/roles/debian-base/tasks/resolv.yml +++ b/roles/debian-base/tasks/resolv.yml @@ -17,6 +17,6 @@ dest: /etc/resolv.conf owner: root group: root - mode: '0644' + mode: u=rw,g=r,o=r backup: true when: not resolv_conf.stat.exists or not dns_configured diff --git a/roles/debian-base/tasks/ssh.yml b/roles/debian-base/tasks/ssh.yml index 2179974..0eb418d 100644 --- a/roles/debian-base/tasks/ssh.yml +++ b/roles/debian-base/tasks/ssh.yml @@ -6,16 +6,15 @@ register: new_pair - name: Configure sshd_config settings copy: - dest: /etc/ssh/sshd_config.d/custom.conf + dest: /etc/ssh/sshd_config.d/vn-custom.conf content: | # Do not edit this file! Ansible will overwrite it. ListenAddress 0.0.0.0 SyslogFacility AUTH - permitRootLogin yes owner: root group: root - mode: '0644' + mode: u=rw,g=r,o=r - name: Delete old host SSH keys file: path: "{{ item }}" diff --git a/roles/debian-base/tasks/timesync.yml b/roles/debian-base/tasks/timesync.yml index 103234f..57974cf 100644 --- a/roles/debian-base/tasks/timesync.yml +++ b/roles/debian-base/tasks/timesync.yml @@ -4,7 +4,7 @@ state: directory owner: root group: root - mode: '0755' + mode: u=rwx,g=rx,o=rx - name: Configure NTP settings in /etc/systemd/timesyncd.conf.d/vn-ntp.conf copy: dest: /etc/systemd/timesyncd.conf.d/vn-ntp.conf 
@@ -14,7 +14,7 @@ FallbackNTP={{ time_server_spain }} owner: root group: root - mode: '0644' + mode: u=rw,g=r,o=r notify: restart systemd-timesyncd - name: Ensure systemd-timesyncd service is enabled and started service: diff --git a/roles/debian-base/tasks/vim.yml b/roles/debian-base/tasks/vim.yml index d89ef6f..2d40113 100644 --- a/roles/debian-base/tasks/vim.yml +++ b/roles/debian-base/tasks/vim.yml @@ -6,6 +6,6 @@ copy: src: vimrc.local dest: /etc/vim/ - mode: '644' + mode: u=rw,g=r,o=r owner: root group: root \ No newline at end of file diff --git a/roles/debian-base/tasks/vn-repo.yml b/roles/debian-base/tasks/vn-repo.yml index c0fdfff..b8dc6b0 100644 --- a/roles/debian-base/tasks/vn-repo.yml +++ b/roles/debian-base/tasks/vn-repo.yml @@ -2,7 +2,7 @@ get_url: url: "{{ vn_host.url }}/{{ vn_host.package }}" dest: "/tmp/{{ vn_host.package }}" - mode: '0644' + mode: u=rw,g=r,o=r - name: Install package apt: deb: "/tmp/{{ vn_host.package }}" -- 2.40.1 From 43019754c4724e589fafac193be7a93fe3d400a8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Mon, 14 Oct 2024 09:36:10 +0200 Subject: [PATCH 22/33] Refs #8025 Rol debian-base. ssh task - add notify to restart sshd when changes came. --- roles/debian-base/tasks/ssh.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/debian-base/tasks/ssh.yml b/roles/debian-base/tasks/ssh.yml index 0eb418d..d776420 100644 --- a/roles/debian-base/tasks/ssh.yml +++ b/roles/debian-base/tasks/ssh.yml @@ -15,6 +15,7 @@ owner: root group: root mode: u=rw,g=r,o=r + notify: restart sshd - name: Delete old host SSH keys file: path: "{{ item }}" -- 2.40.1 From 49c42b412793d9df01e3a0310d7b947684af0856 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Mon, 14 Oct 2024 12:10:28 +0200 Subject: [PATCH 23/33] Refs #8025 Rol debian-base. fail2ban task - Add email notification and whois report action for sshd in local jail. --- roles/debian-base/templates/jail.local | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/debian-base/templates/jail.local b/roles/debian-base/templates/jail.local index 0e4ef17..9c0cd5b 100644 --- a/roles/debian-base/templates/jail.local +++ b/roles/debian-base/templates/jail.local @@ -18,3 +18,4 @@ enabled = true port = 0:65535 filter = sshd logpath = {{ fail2ban.logpath }} +action = %(action_mwl)s \ No newline at end of file -- 2.40.1 From 684a298e03d32f2eae470b74142e7cbf752c2150 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Mon, 14 Oct 2024 13:53:36 +0200 Subject: [PATCH 24/33] Refs #8025 Rol debian-base. fail2ban task - ensure /var/log/auth exists before restarting Fail2ban for systemd exit code 0 --- roles/debian-base/handlers/main.yml | 2 +- roles/debian-base/tasks/fail2ban.yml | 9 ++++++++- roles/debian-base/templates/jail.local | 2 +- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/roles/debian-base/handlers/main.yml b/roles/debian-base/handlers/main.yml index 6d3fab4..e2ee81e 100644 --- a/roles/debian-base/handlers/main.yml +++ b/roles/debian-base/handlers/main.yml @@ -6,7 +6,7 @@ systemd: name: ssh state: restarted -- name: restart-fail2ban +- name: restart fail2ban systemd: name: fail2ban state: restarted diff --git a/roles/debian-base/tasks/fail2ban.yml b/roles/debian-base/tasks/fail2ban.yml index a3ed3f1..33a8d67 100644 --- a/roles/debian-base/tasks/fail2ban.yml +++ b/roles/debian-base/tasks/fail2ban.yml @@ -9,4 +9,11 @@ owner: root group: root mode: u=rw,g=r,o=r - notify: restart-fail2ban + notify: restart fail2ban +- name: Ensure file for auth sshd custom log exists + file: + path: /var/log/auth.log + state: touch + owner: root + group: adm + mode: u=rw,g=r,o= 
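Review bot: `action = %(action_mwl)s` sends a mail with whois output and log excerpts per ban, which needs a working MTA, the `whois` binary and a real `destemail`; neither `whois` nor `destemail` is set anywhere visible in the role (`base_packages` has no `whois`, and the `[DEFAULT]` section of jail.local is outside this hunk), so bans would presumably log action errors and mail root@localhost. Add `whois` to the package list and set `destemail = {{ sysadmin_mail }}` in `[DEFAULT]`, or use `%(action_mw)s` if a whois lookup on every ban is not wanted. The file again ends without a newline; the next patch restores it.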
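Review bot: `state: touch` on `/var/log/auth.log` updates the timestamps and reports `changed` on every run, so the role stops being idempotent; add `modification_time: preserve` and `access_time: preserve`, as nrpe.yml already does for `99-local.cfg`. Creating the file as `root:adm` with `u=rw,g=r,o=` matches what rsyslog would create, and placing the task after the template that notifies `restart fail2ban` works only because handlers run later — a comment saying the file must exist before the handler fires would explain the otherwise odd ordering. Renaming `restart-fail2ban` to `restart fail2ban` in the handler and the task in one commit is the right way to do it.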
diff --git a/roles/debian-base/templates/jail.local b/roles/debian-base/templates/jail.local index 9c0cd5b..69847a7 100644 --- a/roles/debian-base/templates/jail.local +++ b/roles/debian-base/templates/jail.local @@ -18,4 +18,4 @@ enabled = true port = 0:65535 filter = sshd logpath = {{ fail2ban.logpath }} -action = %(action_mwl)s \ No newline at end of file +action = %(action_mwl)s -- 2.40.1 From d141bc8a7565a5c472939ee1b79b7d5137d778e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Tue, 15 Oct 2024 12:24:26 +0200 Subject: [PATCH 25/33] Refs #8025 Role debian-base: Refactor vn-repo to ensure idempotency and enhance major Bacula task. --- inventories/group_vars/all.yml | 14 -------------- roles/debian-base/defaults/main.yaml | 16 ++++++++++++++++ roles/debian-base/tasks/bacula.yml | 22 ++++++++++++++++++---- roles/debian-base/tasks/main.yml | 4 ++++ roles/debian-base/tasks/vn-repo.yml | 11 +---------- roles/debian-base/templates/bacula-fd.conf | 4 ++-- roles/debian-base/templates/jail.local | 1 + 7 files changed, 42 insertions(+), 30 deletions(-) diff --git a/inventories/group_vars/all.yml b/inventories/group_vars/all.yml index 28f9649..d1b6a61 100644 --- a/inventories/group_vars/all.yml +++ b/inventories/group_vars/all.yml @@ -20,18 +20,4 @@ awx_pub_key: > ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzAwWm+IsqZCgMzjdZ7Do3xWtVtoUCpWJpH7KSi2a/H awx@verdnatura.es -base_packages: - - htop - - psmisc - - bash-completion - - screen - - aptitude - - tree - - btop - - ncdu - - debconf-utils - - net-tools -locales_present: - - en_US.UTF-8 - - es_ES.UTF-8 passbolt_folder: e0d517be-6783-4b97-9742-acaa9b09742f diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml index f7f697f..ff6a7c7 100644 --- a/roles/debian-base/defaults/main.yaml +++ b/roles/debian-base/defaults/main.yaml 
@@ -12,8 +12,24 @@ fail2ban_base_packages: vn_host: url: http://apt.verdnatura.es/pool/main/v/vn-host package: vn-host_2.0.2_all.deb + name: vn-host time_server_spain: ntp.roa.es nagios_packages: - nagios-nrpe-server - nagios-plugins-contrib - monitoring-plugins-basic +base_packages: + - htop + - psmisc + - bash-completion + - screen + - aptitude + - tree + - btop + - ncdu + - debconf-utils + - net-tools +locales_present: + - en_US.UTF-8 + - es_ES.UTF-8 + diff --git a/roles/debian-base/tasks/bacula.yml b/roles/debian-base/tasks/bacula.yml index 2cfcb6d..2482ad4 100644 --- a/roles/debian-base/tasks/bacula.yml +++ b/roles/debian-base/tasks/bacula.yml @@ -2,19 +2,33 @@ apt: name: bacula-fd state: present -- name: Load Bacula default passwords +- name: Read content file in base64 slurp: src: /etc/bacula/common_default_passwords - register: bacula_passwords + register: file_content +- name: Going to text plane + set_fact: + file_content_decoded: "{{ file_content.content | b64decode }}" +- name: Extracting passwords + set_fact: + passwords: "{{ file_content_decoded.splitlines() | select('match', '^[^#]') | map('regex_replace', '^([^=]+)=(.+)$', '\\1:\\2') | list }}" +- name: Initialize password dictionary + set_fact: + bacula_passwords: {} +- name: Convert lines to individual variables generating a new dict + set_fact: + bacula_passwords: "{{ bacula_passwords | combine({item.split(':')[0].lower(): item.split(':')[1] | regex_replace('\\n$', '') }) }}" + loop: "{{ passwords }}" + when: "'FDPASSWD' in item or 'FDMPASSWD' in item" - name: Configure Bacula FD template: src: bacula-fd.conf dest: /etc/bacula/bacula-fd.conf owner: root group: bacula - mode: u=rw,g=r,o= + mode: '0640' backup: true - name: Restart Bacula FD service service: name: bacula-fd - state: restarted + state: restarted \ No newline at end of file diff --git a/roles/debian-base/tasks/main.yml b/roles/debian-base/tasks/main.yml index 0228231..ca79ad2 100644 --- a/roles/debian-base/tasks/main.yml 
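Review bot: The set_fact tasks that build `bacula_passwords` and the "Configure Bacula FD" template task have no `no_log: true`, so a run with `-v` or `--diff` prints the FD and monitor passwords into the controller output or AWX job log; add `no_log: true` to every task that touches `passwords` or `bacula_passwords`. Separately, `item.split(':')[1]` keeps only the text up to the second colon, so a password containing `:` is silently truncated once the regex has rewritten `=` into `:`; use `item.split(':', 1)[1]`, or drop the `\\1:\\2` rewrite and split once on `=` instead.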
+++ b/roles/debian-base/tasks/main.yml @@ -24,3 +24,7 @@ tags: nrpe - import_tasks: fail2ban.yml tags: fail2ban +- import_tasks: bacula.yml + tags: bacula +- import_tasks: vn-repo.yml + tags: vn-repo diff --git a/roles/debian-base/tasks/vn-repo.yml b/roles/debian-base/tasks/vn-repo.yml index b8dc6b0..2c63da7 100644 --- a/roles/debian-base/tasks/vn-repo.yml +++ b/roles/debian-base/tasks/vn-repo.yml @@ -1,12 +1,3 @@ -- name: Download vn-host Debian package - get_url: - url: "{{ vn_host.url }}/{{ vn_host.package }}" - dest: "/tmp/{{ vn_host.package }}" - mode: u=rw,g=r,o=r - name: Install package apt: - deb: "/tmp/{{ vn_host.package }}" -- name: Delete package - file: - path: "/tmp/{{ vn_host.package }}" - state: absent + deb: "{{ vn_host.url }}/{{ vn_host.package }}" diff --git a/roles/debian-base/templates/bacula-fd.conf b/roles/debian-base/templates/bacula-fd.conf index e205166..0e2d00a 100644 --- a/roles/debian-base/templates/bacula-fd.conf +++ b/roles/debian-base/templates/bacula-fd.conf @@ -1,10 +1,10 @@ Director { Name = bacula-dir - Password = "{{ FDPASSWD }}" + Password = "{{ bacula_passwords.fdpasswd }}" } Director { Name = bacula-mon - Password = "{{ FDMPASSWD }}" + Password = "{{ bacula_passwords.fdmpasswd }}" Monitor = yes } FileDaemon { diff --git a/roles/debian-base/templates/jail.local b/roles/debian-base/templates/jail.local index 69847a7..d3840df 100644 --- a/roles/debian-base/templates/jail.local +++ b/roles/debian-base/templates/jail.local @@ -14,6 +14,7 @@ action = %(action_)s #+++++++++++++++ Jails [sshd] +ignoreip = 127.0.0.1/8 enabled = true port = 0:65535 filter = sshd -- 2.40.1 From 6e0d940cc0c152853934dade45750c1e17ee6899 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Tue, 15 Oct 2024 12:28:15 +0200 Subject: [PATCH 26/33] Refs #8025 Role debian-base: Fail2ban task add register to do last step when jail.local changes --- roles/debian-base/tasks/fail2ban.yml | 2 ++ 1 file changed, 2 insertions(+) 
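Review bot: `deb: "{{ vn_host.url }}/{{ vn_host.package }}"` installs a package fetched over plain `http://` with neither a checksum nor an apt signature check (the `deb:` path installs a single file through dpkg, not the signed repository metadata), so anything that can alter the download installs code as root. Keep `get_url` with `checksum: sha256:<digest of vn-host_2.0.2_all.deb>` and an https URL, or publish vn-host in a signed apt repository and install it by the `vn_host.name` that defaults/main.yaml now defines. The previous download-then-install form had the same gap; this change removes the temp-file handling but not the missing verification.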
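Review bot: `{{ bacula_passwords.fdpasswd }}` and `{{ bacula_passwords.fdmpasswd }}` assume tasks/bacula.yml populated both keys, but that dict starts as `{}` and only gains entries for lines containing FDPASSWD or FDMPASSWD, so a `common_default_passwords` missing one of them fails here with an undefined-attribute error at render time rather than a clear message. An `assert` on `bacula_passwords.fdpasswd is defined and bacula_passwords.fdmpasswd is defined` before the template task, with `no_log: true`, would fail early and without echoing values.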
diff --git a/roles/debian-base/tasks/fail2ban.yml b/roles/debian-base/tasks/fail2ban.yml index 33a8d67..2b84b89 100644 --- a/roles/debian-base/tasks/fail2ban.yml +++ b/roles/debian-base/tasks/fail2ban.yml @@ -10,6 +10,7 @@ group: root mode: u=rw,g=r,o=r notify: restart fail2ban + register: jail - name: Ensure file for auth sshd custom log exists file: path: /var/log/auth.log @@ -17,3 +18,4 @@ owner: root group: adm mode: u=rw,g=r,o= + when: jail.changed -- 2.40.1 From 944e91071a6c595886764cbb649e026ae3908d2a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Tue, 15 Oct 2024 13:40:10 +0200 Subject: [PATCH 27/33] Refs #8025 Role debian-base: task bacula. Copy pub cert. --- roles/debian-base/files/master-cert.pem | 23 +++++++++++++++++++++++ roles/debian-base/tasks/bacula.yml | 9 ++++++++- 2 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 roles/debian-base/files/master-cert.pem diff --git a/roles/debian-base/files/master-cert.pem b/roles/debian-base/files/master-cert.pem new file mode 100644 index 0000000..570b2bd --- /dev/null +++ b/roles/debian-base/files/master-cert.pem 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID6zCCAtOgAwIBAgIUDwR1QkWYb73hAeNnphytR1tGE0swDQYJKoZIhvcNAQEL +BQAwgYQxCzAJBgNVBAYTAkVTMQ4wDAYDVQQIDAVTcGFpbjERMA8GA1UEBwwIVmFs +ZW5jaWExHjAcBgNVBAoMFVZlcmRuYXR1cmEgTGV2YW50ZSBTTDETMBEGA1UECwwK +TWFzdGVyIEtleTEdMBsGA1UEAwwUYmFjdWxhLnZlcmRuYXR1cmEuZXMwHhcNMjMx +MDAxMTc1MzQyWhcNMzMwOTI4MTc1MzQyWjCBhDELMAkGA1UEBhMCRVMxDjAMBgNV +BAgMBVNwYWluMREwDwYDVQQHDAhWYWxlbmNpYTEeMBwGA1UECgwVVmVyZG5hdHVy +YSBMZXZhbnRlIFNMMRMwEQYDVQQLDApNYXN0ZXIgS2V5MR0wGwYDVQQDDBRiYWN1 +bGEudmVyZG5hdHVyYS5lczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AJr2D9thvNVxmMyNO8wvFYZJeWLyc8RcNfjiKaY53RadMgXgsiAl4BlSNxc9ngqA +2z7ef4SK50pU9Pl6w1Ljua4lFnZqW9Ow6J9nT6wbdkkuilVoao+0wZBQCX19ToJg +LtgJ00KU2SH7KCi+mYdEY1oW/BsZy+QTJ6HYbOOjb/yISUp4crGE5h+vph1tyhC1 +Vfj17wACmFjtZ52cQMWyQRT3kSrxTp4Y+xAsFUE9lTQaoBQ5XcRO5tmDnxEVKZIR +B5ZNatpY8em4CFUQ2B+9XPoXYY3KAzAh8U7fEqcZQ8x44LTVZjHvjXOlHwrcgYoh +P0Rbtv7uRbGBn9EviFW6lrUCAwEAAaNTMFEwHQYDVR0OBBYEFM1UYUBPXj82hm+W +UCXVSisi4bv6MB8GA1UdIwQYMBaAFM1UYUBPXj82hm+WUCXVSisi4bv6MA8GA1Ud +EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAC2gpGcsT2v2OfdxMaL9oI+B +EqHPrNM4UblRCyLF21JCEhYg3Ow9lseO3ObMz/cOJGsMgrvipUgxUNDuS+DpyG5E +tKO6895t30TIjICm9udVTyNzC3SyyP/kojNqA9mU8QU+fRdale+ruAJ/A0nbmP/v +uETeqHg49PfH98ce2pMpIiIm+UyvLDjH6KMcnt7KlxtSMxAD9ihK19M7m0CKL3PL +iNu7ZG2Ke7ai4wkIKiUpugWK/f2bXNY36/HJeoN9cKrfVQzh6jsoplj5qc7GtzQK +vbLOVOOXArPis1naT1aW5s/At2NaNpA3a9HjauzZgfIiU+ekIWEccU0OyRGxCGA= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/roles/debian-base/tasks/bacula.yml b/roles/debian-base/tasks/bacula.yml index 2482ad4..b4a5a65 100644 --- a/roles/debian-base/tasks/bacula.yml +++ b/roles/debian-base/tasks/bacula.yml 
@@ -26,8 +26,15 @@ dest: /etc/bacula/bacula-fd.conf owner: root group: bacula - mode: '0640' + mode: u=rw,g=r,o= backup: true +- name: Configure master cert + copy: + src: master-cert.pem + dest: /etc/bacula/master-cert.pem + owner: root + group: root + mode: u=rw,g=r,o=r - name: Restart Bacula FD service service: name: bacula-fd -- 2.40.1 From ce7f8503f15b7cb3148cfeef2e254e5126758c79 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Tue, 15 Oct 2024 15:28:06 +0200 Subject: [PATCH 28/33] Refs #8025 - Rol debian-base: Refactor Bacula task to manage certs from a variable - your live in a variable way. --- roles/debian-base/defaults/main.yaml | 26 ++++++++++++++++++++++++- roles/debian-base/files/master-cert.pem | 23 ---------------------- roles/debian-base/tasks/bacula.yml | 9 ++++++++- 3 files changed, 33 insertions(+), 25 deletions(-) delete mode 100644 roles/debian-base/files/master-cert.pem diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml index ff6a7c7..85f86af 100644 --- a/roles/debian-base/defaults/main.yaml +++ b/roles/debian-base/defaults/main.yaml 
@@ -32,4 +32,28 @@ base_packages: locales_present: - en_US.UTF-8 - es_ES.UTF-8 - +master_cert_content: | + -----BEGIN CERTIFICATE----- + MIID6zCCAtOgAwIBAgIUDwR1QkWYb73hAeNnphytR1tGE0swDQYJKoZIhvcNAQEL + BQAwgYQxCzAJBgNVBAYTAkVTMQ4wDAYDVQQIDAVTcGFpbjERMA8GA1UEBwwIVmFs + ZW5jaWExHjAcBgNVBAoMFVZlcmRuYXR1cmEgTGV2YW50ZSBTTDETMBEGA1UECwwK + TWFzdGVyIEtleTEdMBsGA1UEAwwUYmFjdWxhLnZlcmRuYXR1cmEuZXMwHhcNMjMx + MDAxMTc1MzQyWhcNMzMwOTI4MTc1MzQyWjCBhDELMAkGA1UEBhMCRVMxDjAMBgNV + BAgMBVNwYWluMREwDwYDVQQHDAhWYWxlbmNpYTEeMBwGA1UECgwVVmVyZG5hdHVy + YSBMZXZhbnRlIFNMMRMwEQYDVQQLDApNYXN0ZXIgS2V5MR0wGwYDVQQDDBRiYWN1 + bGEudmVyZG5hdHVyYS5lczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AJr2D9thvNVxmMyNO8wvFYZJeWLyc8RcNfjiKaY53RadMgXgsiAl4BlSNxc9ngqA + 2z7ef4SK50pU9Pl6w1Ljua4lFnZqW9Ow6J9nT6wbdkkuilVoao+0wZBQCX19ToJg + LtgJ00KU2SH7KCi+mYdEY1oW/BsZy+QTJ6HYbOOjb/yISUp4crGE5h+vph1tyhC1 + Vfj17wACmFjtZ52cQMWyQRT3kSrxTp4Y+xAsFUE9lTQaoBQ5XcRO5tmDnxEVKZIR + B5ZNatpY8em4CFUQ2B+9XPoXYY3KAzAh8U7fEqcZQ8x44LTVZjHvjXOlHwrcgYoh + P0Rbtv7uRbGBn9EviFW6lrUCAwEAAaNTMFEwHQYDVR0OBBYEFM1UYUBPXj82hm+W + UCXVSisi4bv6MB8GA1UdIwQYMBaAFM1UYUBPXj82hm+WUCXVSisi4bv6MA8GA1Ud + EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAC2gpGcsT2v2OfdxMaL9oI+B + EqHPrNM4UblRCyLF21JCEhYg3Ow9lseO3ObMz/cOJGsMgrvipUgxUNDuS+DpyG5E + tKO6895t30TIjICm9udVTyNzC3SyyP/kojNqA9mU8QU+fRdale+ruAJ/A0nbmP/v + uETeqHg49PfH98ce2pMpIiIm+UyvLDjH6KMcnt7KlxtSMxAD9ihK19M7m0CKL3PL + iNu7ZG2Ke7ai4wkIKiUpugWK/f2bXNY36/HJeoN9cKrfVQzh6jsoplj5qc7GtzQK + vbLOVOOXArPis1naT1aW5s/At2NaNpA3a9HjauzZgfIiU+ekIWEccU0OyRGxCGA= + -----END CERTIFICATE----- +private_key_content: "{{ lookup(passbolt, 'fd-cert.pem', folder_parent_id=passbolt_folder).description }}" diff --git a/roles/debian-base/files/master-cert.pem b/roles/debian-base/files/master-cert.pem deleted file mode 100644 index 570b2bd..0000000 --- a/roles/debian-base/files/master-cert.pem +++ /dev/null 
@@ -1,23 +0,0 @@ ------BEGIN CERTIFICATE----- -MIID6zCCAtOgAwIBAgIUDwR1QkWYb73hAeNnphytR1tGE0swDQYJKoZIhvcNAQEL -BQAwgYQxCzAJBgNVBAYTAkVTMQ4wDAYDVQQIDAVTcGFpbjERMA8GA1UEBwwIVmFs -ZW5jaWExHjAcBgNVBAoMFVZlcmRuYXR1cmEgTGV2YW50ZSBTTDETMBEGA1UECwwK -TWFzdGVyIEtleTEdMBsGA1UEAwwUYmFjdWxhLnZlcmRuYXR1cmEuZXMwHhcNMjMx -MDAxMTc1MzQyWhcNMzMwOTI4MTc1MzQyWjCBhDELMAkGA1UEBhMCRVMxDjAMBgNV -BAgMBVNwYWluMREwDwYDVQQHDAhWYWxlbmNpYTEeMBwGA1UECgwVVmVyZG5hdHVy -YSBMZXZhbnRlIFNMMRMwEQYDVQQLDApNYXN0ZXIgS2V5MR0wGwYDVQQDDBRiYWN1 -bGEudmVyZG5hdHVyYS5lczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -AJr2D9thvNVxmMyNO8wvFYZJeWLyc8RcNfjiKaY53RadMgXgsiAl4BlSNxc9ngqA -2z7ef4SK50pU9Pl6w1Ljua4lFnZqW9Ow6J9nT6wbdkkuilVoao+0wZBQCX19ToJg -LtgJ00KU2SH7KCi+mYdEY1oW/BsZy+QTJ6HYbOOjb/yISUp4crGE5h+vph1tyhC1 -Vfj17wACmFjtZ52cQMWyQRT3kSrxTp4Y+xAsFUE9lTQaoBQ5XcRO5tmDnxEVKZIR -B5ZNatpY8em4CFUQ2B+9XPoXYY3KAzAh8U7fEqcZQ8x44LTVZjHvjXOlHwrcgYoh -P0Rbtv7uRbGBn9EviFW6lrUCAwEAAaNTMFEwHQYDVR0OBBYEFM1UYUBPXj82hm+W -UCXVSisi4bv6MB8GA1UdIwQYMBaAFM1UYUBPXj82hm+WUCXVSisi4bv6MA8GA1Ud -EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAC2gpGcsT2v2OfdxMaL9oI+B -EqHPrNM4UblRCyLF21JCEhYg3Ow9lseO3ObMz/cOJGsMgrvipUgxUNDuS+DpyG5E -tKO6895t30TIjICm9udVTyNzC3SyyP/kojNqA9mU8QU+fRdale+ruAJ/A0nbmP/v -uETeqHg49PfH98ce2pMpIiIm+UyvLDjH6KMcnt7KlxtSMxAD9ihK19M7m0CKL3PL -iNu7ZG2Ke7ai4wkIKiUpugWK/f2bXNY36/HJeoN9cKrfVQzh6jsoplj5qc7GtzQK -vbLOVOOXArPis1naT1aW5s/At2NaNpA3a9HjauzZgfIiU+ekIWEccU0OyRGxCGA= ------END CERTIFICATE----- \ No newline at end of file diff --git a/roles/debian-base/tasks/bacula.yml b/roles/debian-base/tasks/bacula.yml index b4a5a65..542da9f 100644 --- a/roles/debian-base/tasks/bacula.yml +++ b/roles/debian-base/tasks/bacula.yml 
@@ -30,11 +30,18 @@ backup: true - name: Configure master cert copy: - src: master-cert.pem + content: "{{ master_cert_content }}" dest: /etc/bacula/master-cert.pem owner: root group: root mode: u=rw,g=r,o=r +- name: Configure master cert + copy: + content: "{{ private_key_content }}" + dest: /etc/bacula/fd-cert.pem + owner: root + group: bacula + mode: u=rw,g=r,o= - name: Restart Bacula FD service service: name: bacula-fd -- 2.40.1 From 72e30fa6061e1a82d73aa8cc0b0fc52956a3b1db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Tue, 15 Oct 2024 15:58:24 +0200 Subject: [PATCH 29/33] =?UTF-8?q?Refs=20#8025=20Rol=20debian-base.=20bacul?= =?UTF-8?q?a=20task=20-=20don=C2=B4t=20restart=20if=20no=20changes?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/debian-base/tasks/bacula.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/debian-base/tasks/bacula.yml b/roles/debian-base/tasks/bacula.yml index 542da9f..64ddc9d 100644 --- a/roles/debian-base/tasks/bacula.yml +++ b/roles/debian-base/tasks/bacula.yml @@ -28,6 +28,7 @@ group: bacula mode: u=rw,g=r,o= backup: true + register: bacula_config - name: Configure master cert copy: content: "{{ master_cert_content }}" @@ -45,4 +46,5 @@ - name: Restart Bacula FD service service: name: bacula-fd - state: restarted \ No newline at end of file + state: restarted + when: bacula_config.changed \ No newline at end of file -- 2.40.1 From 921e3538cd61388339f9ae9bdd6b39b8a8885570 Mon Sep 17 00:00:00 2001 
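Review bot: The second task writes the FD private key from Passbolt to /etc/bacula/fd-cert.pem but reuses the name "Configure master cert" and has no `no_log: true`; `copy` with `content:` shows the full content in `--diff` output and in the module invocation printed on failure, so the key can end up in the job log. Add `no_log: true` and rename it, e.g. `- name: Configure FD private key`; the same applies to the later hunk that inlines the lookup into this task (patch 32). Whether `lookup(passbolt, …)` resolves `passbolt` to the plugin name depends on a variable defined outside this diff; confirm it cannot be overridden from inventory.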
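Review bot: `when: bacula_config.changed` restarts bacula-fd only when bacula-fd.conf changed, so a rotated master-cert.pem or fd-cert.pem is written to disk but the running daemon keeps the old material until something else restarts it. Replace the conditional restart with a handler, as fail2ban.yml already does with `notify: restart fail2ban`, and put `notify: restart bacula-fd` on the three tasks that write the config, the cert and the key; that also removes the need for the `register` in the first hunk. Both hunks of this patch share this point.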
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Wed, 16 Oct 2024 14:04:55 +0200 Subject: [PATCH 30/33] Refs #8025 Rol debian-base&guest. ssh task - unify generate SSH key pairs. Add witness task to control initial setup. Separate conf ssh files for failban & ssh task. Remove handler that uses shell, no need it for pam update. --- roles/debian-base/defaults/main.yaml | 1 + roles/debian-base/tasks/fail2ban.yml | 11 +++++++++ roles/debian-base/tasks/main.yml | 2 ++ roles/debian-base/tasks/ssh.yml | 34 ++++++++++++---------------- roles/debian-base/tasks/witness.yml | 12 ++++++++++ roles/debian-guest/handlers/main.yml | 2 -- roles/debian-guest/tasks/auth.yml | 2 +- 7 files changed, 41 insertions(+), 23 deletions(-) create mode 100644 roles/debian-base/tasks/witness.yml diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml index 85f86af..b31ba85 100644 --- a/roles/debian-base/defaults/main.yaml +++ b/roles/debian-base/defaults/main.yaml @@ -57,3 +57,4 @@ master_cert_content: | vbLOVOOXArPis1naT1aW5s/At2NaNpA3a9HjauzZgfIiU+ekIWEccU0OyRGxCGA= -----END CERTIFICATE----- private_key_content: "{{ lookup(passbolt, 'fd-cert.pem', folder_parent_id=passbolt_folder).description }}" +vn_witness: false diff --git a/roles/debian-base/tasks/fail2ban.yml b/roles/debian-base/tasks/fail2ban.yml index 2b84b89..b0123d3 100644 --- a/roles/debian-base/tasks/fail2ban.yml +++ b/roles/debian-base/tasks/fail2ban.yml @@ -2,6 +2,17 @@ apt: name: "{{ fail2ban_base_packages }}" state: present +- name: Configure sshd_config settings + copy: + dest: /etc/ssh/sshd_config.d/vn-fail2ban.conf + content: | + # Do not edit this file! Ansible will overwrite it. + + SyslogFacility AUTH + owner: root + group: root + mode: u=rw,g=r,o=r + notify: restart sshd - name: Configure fail2ban service template: src: jail.local diff --git a/roles/debian-base/tasks/main.yml b/roles/debian-base/tasks/main.yml index ca79ad2..4db5680 100644 --- a/roles/debian-base/tasks/main.yml 
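Review bot: `SyslogFacility AUTH` only has an effect if a syslog daemon routes that facility to `{{ fail2ban.logpath }}`; Debian 12 no longer installs rsyslog by default on fresh installs, so on such hosts auth.log stays empty (the touch task in this file merely creates it) and the sshd jail never bans anything. Either add rsyslog to `fail2ban_base_packages` or set `backend = systemd` in the jail and drop the logpath dependency; which is right depends on the target release, which this diff does not show. The drop-ins under sshd_config.d are read in lexical order and sshd keeps the first value it sees for a keyword, so keep each keyword in exactly one of the vn-*.conf files.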
+++ b/roles/debian-base/tasks/main.yml @@ -1,3 +1,5 @@ +- import_tasks: witness.yml + tags: witness - import_tasks: resolv.yml tags: resolv - import_tasks: timesync.yml diff --git a/roles/debian-base/tasks/ssh.yml b/roles/debian-base/tasks/ssh.yml index d776420..442fc15 100644 --- a/roles/debian-base/tasks/ssh.yml +++ b/roles/debian-base/tasks/ssh.yml @@ -1,29 +1,23 @@ -- name: Generate a new SSH key pair +- name: Generate SSH key pairs openssh_keypair: - path: /etc/ssh/ssh_host_rsa_key - type: rsa - size: 4096 - register: new_pair + path: "/etc/ssh/ssh_host_{{ item.type }}_key" + type: "{{ item.type }}" + force: yes + when: vn_witness + loop: + - { type: 'rsa' } + - { type: 'ecdsa' } + - { type: 'ed25519' } + register: new_pairs + notify: restart sshd - name: Configure sshd_config settings copy: - dest: /etc/ssh/sshd_config.d/vn-custom.conf + dest: /etc/ssh/sshd_config.d/vn-listenipv4.conf content: | # Do not edit this file! Ansible will overwrite it. - + ListenAddress 0.0.0.0 - SyslogFacility AUTH owner: root group: root mode: u=rw,g=r,o=r - notify: restart sshd -- name: Delete old host SSH keys - file: - path: "{{ item }}" - state: absent - with_items: - - /etc/ssh/ssh_host_ecdsa_key - - /etc/ssh/ssh_host_ecdsa_key.pub - - /etc/ssh/ssh_host_ed25519_key - - /etc/ssh/ssh_host_ed25519_key.pub - when: new_pair is succeeded - notify: restart sshd + notify: restart sshd \ No newline at end of file diff --git a/roles/debian-base/tasks/witness.yml b/roles/debian-base/tasks/witness.yml new file mode 100644 index 0000000..26129d8 --- /dev/null +++ b/roles/debian-base/tasks/witness.yml @@ -0,0 +1,12 @@ +- name: Check if witness have been generated + stat: + path: /etc/vn.witness + register: keys_generated_marker +- name: Generate variable if not exists + set_fact: + vn_witness: "{{ not keys_generated_marker.stat.exists }}" +- name: Create marker file to indicate vn happends + file: + path: /etc/vn.witness + state: touch + when: vn_witness \ No newline at end of file 
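Review bot: `force: yes` and the single-key flow mappings in `loop:` are YAML 1.1-isms that yamllint's `truthy` rule and Prettier will both flag; write `force: true` and `loop: [rsa, ecdsa, ed25519]` with `{{ item }}` in `path` and `type`. The rsa key now relies on the module's documented 4096-bit default where the old task pinned `size: 4096`; behaviour is the same, but an explicit `size` for rsa keeps the policy visible. `ListenAddress 0.0.0.0` makes sshd IPv4-only, which the drop-in name suggests is intentional, but a one-line comment inside the file saying so would spare the next reader the guess.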
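Review bot: The marker /etc/vn.witness is touched inside witness.yml, which main.yml now imports first, i.e. before ssh.yml has regenerated the host keys that `vn_witness` gates; if the play fails or is tag-limited between those two points, the marker already exists and the keys are never regenerated on any later run. Move the touch task to the end of the role, after the last `vn_witness`-gated task, so the marker records completed work, and note in a comment that a cloned image carrying /etc/vn.witness will never receive fresh host keys. `keys_generated_marker.stat.exists` only tests presence, so an empty marker from a failed run is indistinguishable from a successful one.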
diff --git a/roles/debian-guest/handlers/main.yml b/roles/debian-guest/handlers/main.yml index 1764d05..2da7a1c 100644 --- a/roles/debian-guest/handlers/main.yml +++ b/roles/debian-guest/handlers/main.yml @@ -2,5 +2,3 @@ service: name: nslcd state: restarted -- name: pam-update-ldap - shell: pam-auth-update --enable ldap diff --git a/roles/debian-guest/tasks/auth.yml b/roles/debian-guest/tasks/auth.yml index 7930b91..62506be 100644 --- a/roles/debian-guest/tasks/auth.yml +++ b/roles/debian-guest/tasks/auth.yml @@ -11,7 +11,7 @@ mode: '0640' notify: - restart-nslcd - - pam-update-ldap + register: nslcd - name: Configure nsswitch to use NSLCD lineinfile: dest: /etc/nsswitch.conf -- 2.40.1 From ddfa6cdef95f0a9e17e5f298dbb413fd593f9bc3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Wed, 16 Oct 2024 14:12:48 +0200 Subject: [PATCH 31/33] Refs #8025 Rol debian-bas. ssh task - remove no necessary register --- roles/debian-base/tasks/ssh.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/debian-base/tasks/ssh.yml b/roles/debian-base/tasks/ssh.yml index 442fc15..da7bca2 100644 --- a/roles/debian-base/tasks/ssh.yml +++ b/roles/debian-base/tasks/ssh.yml @@ -8,7 +8,6 @@ - { type: 'rsa' } - { type: 'ecdsa' } - { type: 'ed25519' } - register: new_pairs notify: restart sshd - name: Configure sshd_config settings copy: -- 2.40.1 From 39c493c306efd683bf1cbf1d36751324328671e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Wed, 16 Oct 2024 16:18:22 +0200 Subject: [PATCH 32/33] Refs #8025 Rol debian-bas. bacula task - Configure master cert directly to passbolt without global variable --- roles/debian-base/defaults/main.yaml | 1 - roles/debian-base/tasks/bacula.yml | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml index b31ba85..c9428f9 100644 --- a/roles/debian-base/defaults/main.yaml 
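Review bot: `register: nslcd` replaces the dropped `pam-update-ldap` notify, but nothing in this hunk reads the registered result; unless a later task in auth.yml uses `nslcd`, it is a dangling register and should go. If the shell-based handler was removed because the package configuration already enables the ldap PAM profile, a one-line comment above the task saying so would stop the next reader from re-adding it. The enclosing task starts outside the hunk.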
+++ b/roles/debian-base/defaults/main.yaml @@ -56,5 +56,4 @@ master_cert_content: | iNu7ZG2Ke7ai4wkIKiUpugWK/f2bXNY36/HJeoN9cKrfVQzh6jsoplj5qc7GtzQK vbLOVOOXArPis1naT1aW5s/At2NaNpA3a9HjauzZgfIiU+ekIWEccU0OyRGxCGA= -----END CERTIFICATE----- -private_key_content: "{{ lookup(passbolt, 'fd-cert.pem', folder_parent_id=passbolt_folder).description }}" vn_witness: false diff --git a/roles/debian-base/tasks/bacula.yml b/roles/debian-base/tasks/bacula.yml index 64ddc9d..c42026c 100644 --- a/roles/debian-base/tasks/bacula.yml +++ b/roles/debian-base/tasks/bacula.yml @@ -38,7 +38,7 @@ mode: u=rw,g=r,o=r - name: Configure master cert copy: - content: "{{ private_key_content }}" + content: "{{ lookup(passbolt, 'fd-cert.pem', folder_parent_id=passbolt_folder).description }}" dest: /etc/bacula/fd-cert.pem owner: root group: bacula -- 2.40.1 From 0864b8a2f52e841f0e9898f8be41c192a5a5784e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Wed, 16 Oct 2024 16:29:41 +0200 Subject: [PATCH 33/33] Refs #8025 Rol debian-bas. nrpe task - add server_address={{ ansible_default_ipv4.address }} to 90-vn.cfg --- roles/debian-base/tasks/nrpe.yml | 7 +------ roles/debian-base/templates/nrpe.cfg | 1 + 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/roles/debian-base/tasks/nrpe.yml b/roles/debian-base/tasks/nrpe.yml index d5e98a1..b0aaf5e 100644 --- a/roles/debian-base/tasks/nrpe.yml +++ b/roles/debian-base/tasks/nrpe.yml @@ -10,6 +10,7 @@ owner: root group: root mode: u=rw,g=r,o=r + notify: restart-nrpe - name: Create NRPE local configuration file file: path: /etc/nagios/nrpe.d/99-local.cfg @@ -19,9 +20,3 @@ mode: u=rw,g=r,o= modification_time: preserve access_time: preserve -- name: Configure nrpe.cfg to bind ipv4 - lineinfile: - path: /etc/nagios/nrpe.cfg - regexp: '^#server_address=127.0.0.1' - line: 'server_address={{ ansible_default_ipv4.address }}' - notify: restart-nrpe \ No newline at end of file 
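Review bot: Removing the `lineinfile` task leaves hosts provisioned by the previous version with a `server_address=` line already written into /etc/nagios/nrpe.cfg, while new runs also write it via the nrpe.d template; nothing reverts the old edit, so which value NRPE honours when both are present depends on its include order and is worth verifying on an existing host. A transitional task that restores the comment, the same `lineinfile` with `regexp: '^server_address='` and `line: '#server_address=127.0.0.1'`, would make the migration explicit. The handler name `restart-nrpe` also differs from the `restart sshd` / `restart fail2ban` style used elsewhere in this series; pick one convention.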
diff --git a/roles/debian-base/templates/nrpe.cfg b/roles/debian-base/templates/nrpe.cfg index 7efab1f..99329fd 100644 --- a/roles/debian-base/templates/nrpe.cfg +++ b/roles/debian-base/templates/nrpe.cfg @@ -1,4 +1,5 @@ allowed_hosts={{ nagios_server }} +server_address={{ ansible_default_ipv4.address }} command[check_disk_root]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p / command[check_disk_var]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p /var -- 2.40.1
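Review bot: `server_address={{ ansible_default_ipv4.address }}` fails the template on any host without an IPv4 default route (`ansible_default_ipv4` is then an empty dict and `.address` is undefined), and it binds NRPE to whichever interface currently carries the default route rather than a chosen management address. Guard it, `{% if ansible_default_ipv4.address is defined %}server_address={{ ansible_default_ipv4.address }}{% endif %}`, or better, make the bind address an explicit role variable that defaults to that fact. `allowed_hosts` on the line above remains the actual access control; `server_address` only narrows the listening socket.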