From 03b20064efd1b1305cf2c9fde81cfadf7b181f30 Mon Sep 17 00:00:00 2001 From: Juan Ferrer Toribio Date: Tue, 4 Feb 2025 21:03:36 +0100 Subject: [PATCH 1/3] refs #8025 Debian roles merged --- roles/debian/defaults/main.yaml | 49 ++++++++++ roles/debian/files/80-hotplug-cpu-mem.rules | 1 + roles/debian/files/hotplug.cfg | 1 + roles/debian/files/motd | 102 ++++++++++++++++++++ roles/debian/files/profile.sh | 47 +++++++++ roles/debian/files/sendmail-common.local | 3 + roles/debian/files/sysctl/30-basic.conf | 4 + roles/debian/files/sysctl/40-network.conf | 7 ++ roles/debian/files/sysctl/42-noipv6.conf | 3 + roles/debian/files/vimrc.local | 5 + roles/debian/handlers/main.yml | 42 ++++++++ roles/debian/tasks/agent.yml | 4 + roles/debian/tasks/apparmor.yml | 16 +++ roles/debian/tasks/auth.yml | 25 +++++ roles/debian/tasks/autofs.yml | 35 +++++++ roles/debian/tasks/bacula.yml | 53 ++++++++++ roles/debian/tasks/blacklist.yml | 7 ++ roles/debian/tasks/defuser.yml | 5 + roles/debian/tasks/fail2ban.yml | 40 ++++++++ roles/debian/tasks/grub_startup.yml | 49 ++++++++++ roles/debian/tasks/hostname.yml | 9 ++ roles/debian/tasks/hotplug.yml | 18 ++++ roles/debian/tasks/install.yml | 4 + roles/debian/tasks/locale.yml | 6 ++ roles/debian/tasks/main.yml | 71 ++++++++++++++ roles/debian/tasks/motd.yml | 7 ++ roles/debian/tasks/nrpe.yml | 22 +++++ roles/debian/tasks/profile.yml | 7 ++ roles/debian/tasks/relayhost.yml | 33 +++++++ roles/debian/tasks/resolv.yml | 22 +++++ roles/debian/tasks/root.yml | 43 +++++++++ roles/debian/tasks/ssh_keys.yml | 21 ++++ roles/debian/tasks/sshd_configure.yml | 17 ++++ roles/debian/tasks/sudoers.yml | 11 +++ roles/debian/tasks/sysctl.yml | 8 ++ roles/debian/tasks/timesync.yml | 28 ++++++ roles/debian/tasks/tzdata.yml | 11 +++ roles/debian/tasks/vim.yml | 11 +++ roles/debian/tasks/vn-repo.yml | 4 + roles/debian/tasks/witness.yml | 17 ++++ roles/debian/templates/auto.homes | 1 + roles/debian/templates/bacula-fd.conf | 24 +++++ roles/debian/templates/homes.autofs | 1 + roles/debian/templates/jail.local | 22 +++++ roles/debian/templates/nrpe.cfg | 13 +++ roles/debian/templates/nslcd.conf | 16 +++ roles/debian/templates/resolv.conf | 7 ++ roles/debian/templates/sudoers | 1 + 48 files changed, 953 insertions(+) create mode 100644 roles/debian/defaults/main.yaml create mode 100644 roles/debian/files/80-hotplug-cpu-mem.rules create mode 100644 roles/debian/files/hotplug.cfg create mode 100644 roles/debian/files/motd create mode 100644 roles/debian/files/profile.sh create mode 100644 roles/debian/files/sendmail-common.local create mode 100644 roles/debian/files/sysctl/30-basic.conf create mode 100644 roles/debian/files/sysctl/40-network.conf create mode 100644 roles/debian/files/sysctl/42-noipv6.conf create mode 100644 roles/debian/files/vimrc.local create mode 100644 roles/debian/handlers/main.yml create mode 100644 roles/debian/tasks/agent.yml create mode 100644 roles/debian/tasks/apparmor.yml create mode 100644 roles/debian/tasks/auth.yml create mode 100644 roles/debian/tasks/autofs.yml create mode 100644 roles/debian/tasks/bacula.yml create mode 100644 roles/debian/tasks/blacklist.yml create mode 100644 roles/debian/tasks/defuser.yml create mode 100644 roles/debian/tasks/fail2ban.yml create mode 100644 roles/debian/tasks/grub_startup.yml create mode 100644 roles/debian/tasks/hostname.yml create mode 100644 roles/debian/tasks/hotplug.yml create mode 100644 roles/debian/tasks/install.yml create mode 100644 roles/debian/tasks/locale.yml create mode 100644 roles/debian/tasks/main.yml create mode 100644 roles/debian/tasks/motd.yml create mode 100644 roles/debian/tasks/nrpe.yml create mode 100644 roles/debian/tasks/profile.yml create mode 100644 roles/debian/tasks/relayhost.yml create mode 100644 roles/debian/tasks/resolv.yml create mode 100644 roles/debian/tasks/root.yml create mode 100644 roles/debian/tasks/ssh_keys.yml create mode 100644 roles/debian/tasks/sshd_configure.yml create mode 100644 roles/debian/tasks/sudoers.yml create mode 100644 roles/debian/tasks/sysctl.yml create mode 100644 roles/debian/tasks/timesync.yml create mode 100644 roles/debian/tasks/tzdata.yml create mode 100644 roles/debian/tasks/vim.yml create mode 100644 roles/debian/tasks/vn-repo.yml create mode 100644 roles/debian/tasks/witness.yml create mode 100644 roles/debian/templates/auto.homes create mode 100644 roles/debian/templates/bacula-fd.conf create mode 100644 roles/debian/templates/homes.autofs create mode 100644 roles/debian/templates/jail.local create mode 100644 roles/debian/templates/nrpe.cfg create mode 100644 roles/debian/templates/nslcd.conf create mode 100644 roles/debian/templates/resolv.conf create mode 100644 roles/debian/templates/sudoers diff --git a/roles/debian/defaults/main.yaml b/roles/debian/defaults/main.yaml new file mode 100644 index 0000000..a861f1c --- /dev/null +++ b/roles/debian/defaults/main.yaml @@ -0,0 +1,49 @@ +vn_first_time: false +vn_witness_checked: false +deb_packages: + - https://apt.verdnatura.es/pool/main/v/vn-host/vn-apt-source_3.0.1_all.deb + - https://apt.verdnatura.es/pool/main/v/vn-host/vn-host_3.0.1_all.deb +grub_user: admin +default_user: user +fail2ban: + email: "{{ sysadmin_mail }}" + bantime: 600 + maxretry: 4 + ignore: "127.0.0.0/8 {{ dc_net }}" + logpath: "/var/log/auth.log" +fail2ban_base_packages: + - fail2ban + - rsyslog +time_server_spain: ntp.roa.es +nagios_packages: + - nagios-nrpe-server + - nagios-plugins-contrib + - monitoring-plugins-basic +base_packages: + - htop + - psmisc + - bash-completion + - screen + - aptitude + - tree + - btop + - ncdu + - debconf-utils + - net-tools + - gpg + - curl + - cloud-guest-utils + - rsync + - parted + - yq +locales_present: + - en_US.UTF-8 + - es_ES.UTF-8 +homes_path: /mnt/homes +autofs_packages: + - nfs-common + - autofs + - libnfs-utils + - autofs-ldap +blacklist_module_kernel: | + blacklist snd_hda_intel diff --git a/roles/debian/files/80-hotplug-cpu-mem.rules b/roles/debian/files/80-hotplug-cpu-mem.rules new file mode 100644 index 0000000..38c16f9 --- /dev/null +++ b/roles/debian/files/80-hotplug-cpu-mem.rules @@ -0,0 +1 @@ +SUBSYSTEM=="cpu", ACTION=="add", TEST=="online", ATTR{online}=="0", ATTR{online}="1" diff --git a/roles/debian/files/hotplug.cfg b/roles/debian/files/hotplug.cfg new file mode 100644 index 0000000..85e1612 --- /dev/null +++ b/roles/debian/files/hotplug.cfg @@ -0,0 +1 @@ +GRUB_CMDLINE_LINUX_DEFAULT="quiet memhp_default_state=online security=none" diff --git a/roles/debian/files/motd b/roles/debian/files/motd new file mode 100644 index 0000000..1a11bc4 --- /dev/null +++ b/roles/debian/files/motd @@ -0,0 +1,102 @@ +#!/bin/bash + +LABEL="\033[0;32m" +SUBLB="\033[0;36m" +RESET="\033[0m" +BLINK="\033[5m" + +. /etc/os-release + +# Environment + +PRO="\033[1;5;31m" +LAB="\033[0;35m" +VN="\033[0;32m" +UNKNOWN="\033[0;33m" + +FQDN=$(hostname --fqdn) +case "$FQDN" in + *.dc.verdnatura.es) + ENVIRONMENT="${PRO}Production${RESET}" + ;; + *.lab.verdnatura.es) + ENVIRONMENT="${LAB}Laboratory${RESET}" + ;; + *.verdnatura.es) + ENVIRONMENT="${VN}Verdnatura${RESET}" + ;; + *) + ENVIRONMENT="${UNKNOWN}Unknown${RESET}" + ;; +esac + +# Last login + +LAST="$(last -n1 | head -1)" +if [ "$LAST" != "" ] ; then + LAST_LOGIN_USER="$(echo $LAST | cut -d' ' -f1)" + LAST_LOGIN_IP="$(echo $LAST | cut -d' ' -f3)" + LAST_LOGIN_TIME="$(echo $LAST | cut -d' ' -f4-)" + LAST_LOGIN="$LAST_LOGIN_USER ($LAST_LOGIN_IP) $LAST_LOGIN_TIME" +fi + +# Packages + +PACKAGES=$(dpkg-query -W -f='${binary:Package}\n' | wc -l) +SHOW_UPGRADEABLE=0 +USER_UID=$(id -u $USER) +USER_GROUPS=$(id -Gn $USER) + +if [ ${USER_UID} -eq 0 ] ; then + SHOW_UPGRADEABLE=1 +fi +if [[ "${USER_GROUPS}" == *"sysadmin"* ]] ; then + SHOW_UPGRADEABLE=1 +fi +if [ $SHOW_UPGRADEABLE -eq 1 ] ; then + UPGRADEABLE="$(apt list --upgradable 2>/dev/null | tail -n +2 | wc -l)" + + if [ "$UPGRADEABLE" -gt 0 ]; then + UPGRADEABLE_ALERT="${BLINK}($UPGRADEABLE upgradeable)${RESET}" + fi +fi + +# Network and users + +NET_IPS=$(ip -o -4 add sh | tail -n +2 | awk '{printf "\033[0;36m%16s >\033[0m %-15s\n",$2,$4}') +CONNECTED_USERS=$(w | tail -n +2 | awk '{printf "\t%15s %12s %8s %s\n",$1,$3,$4, substr( $0, index($0,$8), index($0,$NF)) }') + +# Logo + +FW="\033[1;37m" +FG="\033[1;32m" +GB="\e[48;5;112m" +GL="\e[48;5;70m" +RS="\e[0m" + +echo -e +echo -e " $GL $GB $RS" +echo -e " $GL $GB $GL $RS $GL $GB $RS" " ${FW}__ __ _ ${FG} _ _ _ ${RS}" +echo -e " $GB $GL $RS $GL $GB $GL $RS" " ${FW}\ \ / /__ _ __ __| |${FG}| \ | | __ _| |_ _ _ _ __ __ _ ${RS}" +echo -e " $GL $GB $RS $GB $GL $RS " " ${FW} \ \ / / _ \ '__/ _' |${FG}| \| |/ _' | __| | | | '__/ _' |${RS}" +echo -e " $GL $GB $RS $GB $GL $RS " " ${FW} \ V / __/ | | (_| |${FG}| |\ | (_| | |_| |_| | | | (_| |${RS}" +echo -e " " " ${FW} \_/ \___|_| \__,_|${FG}|_| \_|\__,_|\__|\__,_|_| \__,_|${RS}" +echo -e " $GL $GB $RS $GB $GL $RS" +echo -e " $GL $GB $GL $RS $GL $GB $RS" +echo -e " $GB $GL $RS" +echo -e + +# Information + +echo -e "${LABEL}Host :${RESET} $FQDN" +echo -e "${LABEL}OS :${RESET} $NAME $(cat /etc/debian_version) ($VERSION_CODENAME)" +echo -e "${LABEL}Kernel :${RESET} $(uname -r)" +echo -e "${LABEL}Shell :${RESET} $SHELL $(echo $BASH_VERSION | cut -d'(' -f1)" +echo -e "${LABEL}Uptime :${RESET} $(uptime -p | tr -d ',')" +echo -e "${LABEL}Packages :${RESET} $PACKAGES $UPGRADEABLE_ALERT" +echo -e "${LABEL}IP :${RESET}" +echo -e "$NET_IPS" +echo -e "${LABEL}Last Login :${RESET} $LAST_LOGIN" +echo -e "${LABEL}Environment :${RESET} $ENVIRONMENT" +echo -e "${LABEL}Connected users :${RESET}" +echo -e "$CONNECTED_USERS" diff --git a/roles/debian/files/profile.sh b/roles/debian/files/profile.sh new file mode 100644 index 0000000..ab1ac12 --- /dev/null +++ b/roles/debian/files/profile.sh @@ -0,0 +1,47 @@ +#!/bin/bash + +# Prompt + +FQDN=$(hostname --fqdn) + +if [[ $FQDN == *.verdnatura.es ]]; then + SHORT_HOST=${FQDN%.verdnatura.es} + + case "$SHORT_HOST" in + *.dc) + ENVIRONMENT="\[\033[01;31m\]PRO\[\033[00m\]" + ;; + *.lab) + ENVIRONMENT="\[\033[01;35m\]LAB\[\033[00m\]" + ;; + *) + ENVIRONMENT="\[\033[01;32m\]VN\[\033[00m\]" + ;; + esac + + PS1="\u@$SHORT_HOST[$ENVIRONMENT]:\w" + + if [ "$(id -u)" -eq 0 ]; then + PS1="$PS1# " + else + PS1="$PS1\$ " + fi +fi + +# History + +HISTSIZE=10000 +HISTFILESIZE=50000 +HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S " + +# Security + +TMOUT=3600 + +# Aliases + +#export LS_OPTIONS='--color=auto' +#eval "$(dircolors)" +#alias ls='ls $LS_OPTIONS' +#alias ll='ls $LS_OPTIONS -l' +#alias la='ls $LS_OPTIONS -la' diff --git a/roles/debian/files/sendmail-common.local b/roles/debian/files/sendmail-common.local new file mode 100644 index 0000000..b389b31 --- /dev/null +++ b/roles/debian/files/sendmail-common.local @@ -0,0 +1,3 @@ +[Definition] +actionstart = +actionstop = diff --git a/roles/debian/files/sysctl/30-basic.conf b/roles/debian/files/sysctl/30-basic.conf new file mode 100644 index 0000000..3c6f393 --- /dev/null +++ b/roles/debian/files/sysctl/30-basic.conf @@ -0,0 +1,4 @@ +vm.swappiness=10 +vm.dirty_ratio=30 +vm.dirty_background_ratio=5 +net.core.somaxconn=65536 diff --git a/roles/debian/files/sysctl/40-network.conf b/roles/debian/files/sysctl/40-network.conf new file mode 100644 index 0000000..46a4e09 --- /dev/null +++ b/roles/debian/files/sysctl/40-network.conf @@ -0,0 +1,7 @@ +net.core.rmem_max=134217728 +net.core.wmem_max=134217728 +net.core.netdev_max_backlog=250000 +net.ipv4.tcp_rmem=4096 87380 67108864 +net.ipv4.tcp_wmem=4096 65536 67108864 +net.ipv4.tcp_congestion_control=htcp +net.ipv4.tcp_mtu_probing=1 diff --git a/roles/debian/files/sysctl/42-noipv6.conf b/roles/debian/files/sysctl/42-noipv6.conf new file mode 100644 index 0000000..81073be --- /dev/null +++ b/roles/debian/files/sysctl/42-noipv6.conf @@ -0,0 +1,3 @@ +net.ipv6.conf.all.disable_ipv6=1 +net.ipv6.conf.default.disable_ipv6=1 +net.ipv6.conf.lo.disable_ipv6=1 \ No newline at end of file diff --git a/roles/debian/files/vimrc.local b/roles/debian/files/vimrc.local new file mode 100644 index 0000000..005d05c --- /dev/null +++ b/roles/debian/files/vimrc.local @@ -0,0 +1,5 @@ +syntax on +set showcmd +set showmatch +set ignorecase +set smartcase diff --git a/roles/debian/handlers/main.yml b/roles/debian/handlers/main.yml new file mode 100644 index 0000000..cc20d9c --- /dev/null +++ b/roles/debian/handlers/main.yml @@ -0,0 +1,42 @@ +- name: restart systemd-timesyncd + systemd: + name: systemd-timesyncd + state: restarted +- name: restart-ssh + systemd: + name: ssh + state: restarted +- name: restart fail2ban + systemd: + name: fail2ban + state: restarted +- name: restart-nrpe + systemd: + name: nagios-nrpe-server + state: restarted +- name: restart sshd + systemd: + name: sshd + state: restarted +- name: restart-sysctl + systemd: + name: systemd-sysctl + state: restarted +- name: restart-nslcd + service: + name: nslcd + state: restarted +- name: restart-ssh + systemd: + name: ssh + state: restarted +- name: restart-autofs + service: + name: autofs + state: restarted +- name: generate locales + command: /usr/sbin/locale-gen +- name: reconfigure tzdata + command: dpkg-reconfigure -f noninteractive tzdata +- name: update exim configuration + command: /usr/sbin/update-exim4.conf diff --git a/roles/debian/tasks/agent.yml b/roles/debian/tasks/agent.yml new file mode 100644 index 0000000..db2b4ee --- /dev/null +++ b/roles/debian/tasks/agent.yml @@ -0,0 +1,4 @@ +- name: Install QEMU guest agent + apt: + name: qemu-guest-agent + state: present diff --git a/roles/debian/tasks/apparmor.yml b/roles/debian/tasks/apparmor.yml new file mode 100644 index 0000000..887d95f --- /dev/null +++ b/roles/debian/tasks/apparmor.yml @@ -0,0 +1,16 @@ +- name: Getting service facts to check for apparmor + service_facts: +- when: "'apparmor.service' in ansible_facts.services" + block: + - name: Stop AppArmor + systemd: + name: apparmor + state: stopped + - name: Disable AppArmor service + systemd: + name: apparmor + enabled: no + - name: Mask AppArmor service + systemd: + name: apparmor + masked: yes \ No newline at end of file diff --git a/roles/debian/tasks/auth.yml b/roles/debian/tasks/auth.yml new file mode 100644 index 0000000..62506be --- /dev/null +++ b/roles/debian/tasks/auth.yml @@ -0,0 +1,25 @@ +- name: Install packages + apt: + name: nslcd + state: present +- name: Configure NSLCD + template: + src: nslcd.conf + dest: /etc/nslcd.conf + owner: root + group: nslcd + mode: '0640' + notify: + - restart-nslcd + register: nslcd +- name: Configure nsswitch to use NSLCD + lineinfile: + dest: /etc/nsswitch.conf + regexp: "{{item.regexp}}" + line: "{{item.line}}" + state: present + with_items: + - regexp: "^passwd:" + line: "passwd: files systemd ldap" + - regexp: "^group:" + line: "group: files systemd ldap" diff --git a/roles/debian/tasks/autofs.yml b/roles/debian/tasks/autofs.yml new file mode 100644 index 0000000..8ae6dde --- /dev/null +++ b/roles/debian/tasks/autofs.yml @@ -0,0 +1,35 @@ +- name: Update apt cache + apt: + update_cache: yes +- name: Install autofs packages + apt: + name: "{{ autofs_packages }}" + state: present +- name: Create homes directory + file: + path: "{{ homes_path }}" + state: directory + mode: '0755' +- name: Configure nsswitch for autofs + lineinfile: + path: /etc/nsswitch.conf + line: "automount: files" +- name: Add file homes.autofs configured to autofs + template: + src: homes.autofs + dest: /etc/auto.master.d/homes.autofs + owner: root + group: root + mode: '0644' +- name: Add file /etc/auto.homes configured to the systemd + template: + src: auto.homes + dest: /etc/auto.homes + owner: root + group: root + mode: '0644' + notify: restart-autofs +- name: Service autofs service + systemd: + name: autofs + enabled: yes \ No newline at end of file diff --git a/roles/debian/tasks/bacula.yml b/roles/debian/tasks/bacula.yml new file mode 100644 index 0000000..8ae1525 --- /dev/null +++ b/roles/debian/tasks/bacula.yml @@ -0,0 +1,53 @@ +- name: Install Bacula FD packages + apt: + name: bacula-fd + state: present +- name: Read content file in base64 + slurp: + src: /etc/bacula/common_default_passwords + register: file_content +- name: Going to text plane + no_log: true + set_fact: + file_content_decoded: "{{ file_content.content | b64decode }}" +- name: Extracting passwords + no_log: true + set_fact: + passwords: "{{ file_content_decoded.splitlines() | select('match', '^[^#]') | map('regex_replace', '^([^=]+)=(.+)$', '\\1:\\2') | list }}" +- name: Initialize password dictionary + set_fact: + bacula_passwords: {} +- name: Convert lines to individual variables generating a new dict + no_log: true + set_fact: + bacula_passwords: "{{ bacula_passwords | combine({item.split(':')[0].lower(): item.split(':')[1] | regex_replace('\\n$', '') }) }}" + loop: "{{ passwords }}" + when: "'FDPASSWD' in item or 'FDMPASSWD' in item" +- name: Configure Bacula FD + template: + src: bacula-fd.conf + dest: /etc/bacula/bacula-fd.conf + owner: root + group: bacula + mode: u=rw,g=r,o= + backup: true + register: bacula_config +- name: Configure master cert + copy: + content: "{{ ca_bacula }}" + dest: /etc/bacula/master-cert.pem + owner: root + group: root + mode: u=rw,g=r,o=r +- name: Configure master cert + copy: + content: "{{ lookup(passbolt, 'fd-cert.pem', folder_parent_id=passbolt_folder).description }}" + dest: /etc/bacula/fd-cert.pem + owner: root + group: bacula + mode: u=rw,g=r,o= +- name: Restart Bacula FD service + service: + name: bacula-fd + state: restarted + when: bacula_config.changed diff --git a/roles/debian/tasks/blacklist.yml b/roles/debian/tasks/blacklist.yml new file mode 100644 index 0000000..7076911 --- /dev/null +++ b/roles/debian/tasks/blacklist.yml @@ -0,0 +1,7 @@ +- name: Configure blacklist modprobe on VM + copy: + content: "{{ blacklist_module_kernel }}" + dest: /etc/modprobe.d/vn-blacklist.conf + owner: root + group: root + mode: u=rw,g=r,o=r \ No newline at end of file diff --git a/roles/debian/tasks/defuser.yml b/roles/debian/tasks/defuser.yml new file mode 100644 index 0000000..b41897b --- /dev/null +++ b/roles/debian/tasks/defuser.yml @@ -0,0 +1,5 @@ +- name: Delete default user + user: + name: "{{ default_user }}" + state: absent + remove: yes diff --git a/roles/debian/tasks/fail2ban.yml b/roles/debian/tasks/fail2ban.yml new file mode 100644 index 0000000..8474033 --- /dev/null +++ b/roles/debian/tasks/fail2ban.yml @@ -0,0 +1,40 @@ +- name: Install fail2ban and rsyslog packages + apt: + name: "{{ fail2ban_base_packages }}" + state: present +- name: Configure sshd_config settings + copy: + dest: /etc/ssh/sshd_config.d/vn-fail2ban.conf + content: | + # Do not edit this file! Ansible will overwrite it. + + SyslogFacility AUTH + owner: root + group: root + mode: u=rw,g=r,o=r + notify: restart sshd +- name: Adjust action configuration to reduce noise + copy: + src: sendmail-common.local + dest: /etc/fail2ban/action.d/sendmail-common.local + owner: root + group: root + mode: u=rw,g=r,o=r + notify: restart sshd +- name: Configure fail2ban service + template: + src: jail.local + dest: /etc/fail2ban/jail.local + owner: root + group: root + mode: u=rw,g=r,o=r + notify: restart fail2ban + register: jail +- name: Ensure file for auth sshd custom log exists + file: + path: /var/log/auth.log + state: touch + owner: root + group: adm + mode: u=rw,g=r,o= + when: jail.changed diff --git a/roles/debian/tasks/grub_startup.yml b/roles/debian/tasks/grub_startup.yml new file mode 100644 index 0000000..cbc6173 --- /dev/null +++ b/roles/debian/tasks/grub_startup.yml @@ -0,0 +1,49 @@ +# Enabled password protection to restrict GRUB editing only, leaving menu entries accessible without authentication. +# Added the --unrestricted option to the custom 09_make_OS_entries_unrestricted template. +# Official GRUB Manual: https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html +# Additional guidance: http://daniel-lange.com/archives/75-Securing-the-grub-boot-loader.html +# Discussion and troubleshooting: https://wiki.archlinux.org/title/Talk:GRUB/Tips_and_tricks +# To generate a GRUB password, use the command syntax provided by grub-mkpasswd-pbkdf2 --help. +- name: GRUB edit unrestricted option + copy: + content: | + #!/bin/sh + exec tail -n +3 $0 + # This file provides an easy way to add custom menu entries. Simply type the + # menu entries you want to add after this comment. Be careful not to change + # the 'exec tail' line above. + menuentry_id_option="--unrestricted $menuentry_id_option" + dest: /etc/grub.d/09_make_OS_entries_unrestricted + owner: root + group: root + checksum: fed5c365f11a919b857b78207565cf341b86082b + mode: u=rwx,g=rx,o=rx + register: grubunrestricted +- name: Search grub password in Passbolt + no_log: true + set_fact: + grub_code: "{{ lookup(passbolt, 'grub', folder_parent_id=passbolt_folder).description }}" +- name: GRUB edit password protection + copy: + content: | + #!/bin/sh + exec tail -n +3 $0 + set superusers="{{ grub_user }}" + password_pbkdf2 {{ grub_user }} {{ grub_code }} + dest: /etc/grub.d/00_before + owner: root + group: root + mode: u=rwx,g=rx,o=rx + register: grubpass +- name: Change GRUB_TIMEOUT from 5 to 1 + copy: + content: | + GRUB_TIMEOUT=1 + dest: /etc/default/grub.d/timeout.cfg + owner: root + group: root + mode: u=rw,g=r,o=r + register: grubtime +- name: Generate GRUB configuration + command: update-grub + when: grubunrestricted.changed or grubpass.changed or grubtime.changed diff --git a/roles/debian/tasks/hostname.yml b/roles/debian/tasks/hostname.yml new file mode 100644 index 0000000..e1ed68b --- /dev/null +++ b/roles/debian/tasks/hostname.yml @@ -0,0 +1,9 @@ +- name: Set the hostname + hostname: + name: "{{ inventory_hostname_short }}" + use: debian +- name: Populating hosts file with hostname + lineinfile: + path: /etc/hosts + regexp: '^127\.0\.1\.1' + line: '127.0.1.1 {{ hostname_fqdn }} {{ inventory_hostname_short }}' diff --git a/roles/debian/tasks/hotplug.yml b/roles/debian/tasks/hotplug.yml new file mode 100644 index 0000000..ce51e64 --- /dev/null +++ b/roles/debian/tasks/hotplug.yml @@ -0,0 +1,18 @@ +- name: Configure udev hotplug rules + copy: + src: 80-hotplug-cpu-mem.rules + dest: /usr/lib/udev/rules.d/ + mode: u=rw,g=r,o=r + owner: root + group: root +- name: Configure GRUB for hotplug + copy: + src: hotplug.cfg + dest: /etc/default/grub.d/ + mode: u=rw,g=r,o=r + owner: root + group: root + register: grub +- name: Generate GRUB configuration + command: update-grub + when: grub.changed diff --git a/roles/debian/tasks/install.yml b/roles/debian/tasks/install.yml new file mode 100644 index 0000000..396832c --- /dev/null +++ b/roles/debian/tasks/install.yml @@ -0,0 +1,4 @@ +- name: Install base packages + apt: + name: "{{ base_packages }}" + state: present diff --git a/roles/debian/tasks/locale.yml b/roles/debian/tasks/locale.yml new file mode 100644 index 0000000..9063486 --- /dev/null +++ b/roles/debian/tasks/locale.yml @@ -0,0 +1,6 @@ +- name: make sure locales in variable are generated + locale_gen: + name: "{{ item }}" + state: present + with_items: "{{ locales_present }}" + notify: generate locales diff --git a/roles/debian/tasks/main.yml b/roles/debian/tasks/main.yml new file mode 100644 index 0000000..87dcf43 --- /dev/null +++ b/roles/debian/tasks/main.yml @@ -0,0 +1,71 @@ + +- name: Configure virtual machine or host (not LXC) + when: ansible_virtualization_role == 'host' or ansible_virtualization_type == 'kvm' + block: + - import_tasks: hostname.yml + tags: hostname + - import_tasks: sysctl.yml + tags: sysctl + - import_tasks: apparmor.yml + tags: apparmor + +- name: Configure base system (all) + block: + - import_tasks: witness.yml + tags: witness + - import_tasks: root.yml + tags: root + - import_tasks: resolv.yml + tags: resolv + - import_tasks: timesync.yml + tags: timesync + - import_tasks: sshd_configure.yml + tags: sshd_configure + - import_tasks: defuser.yml + tags: defuser + - import_tasks: install.yml + tags: install + - import_tasks: locale.yml + tags: locale + - import_tasks: tzdata.yml + tags: tzdata + - import_tasks: relayhost.yml + tags: relayhost + - import_tasks: motd.yml + tags: motd + - import_tasks: profile.yml + tags: profile + - import_tasks: vim.yml + tags: vim + - import_tasks: nrpe.yml + tags: nrpe + - import_tasks: fail2ban.yml + tags: fail2ban + - import_tasks: bacula.yml + tags: bacula + - import_tasks: vn-repo.yml + tags: vn-repo + +- name: Configure guest + when: ansible_virtualization_role == 'guest' + block: + - import_tasks: auth.yml + tags: auth + - import_tasks: sudoers.yml + tags: sudoers + - import_tasks: ssh_keys.yml + tags: ssh_keys + +- name: Configure virtual machine + when: ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'kvm' + block: + - import_tasks: agent.yml + tags: agent + - import_tasks: hotplug.yml + tags: hotplug + - import_tasks: autofs.yml + tags: autofs + - import_tasks: blacklist.yml + tags: blacklist + - import_tasks: grub_startup.yml + tags: grub_startup diff --git a/roles/debian/tasks/motd.yml b/roles/debian/tasks/motd.yml new file mode 100644 index 0000000..486e705 --- /dev/null +++ b/roles/debian/tasks/motd.yml @@ -0,0 +1,7 @@ +- name: Copy MOTD configuration file + copy: + src: motd + dest: /etc/update-motd.d/90-vn + mode: u=rwx,g=rx,o=rx + owner: root + group: root diff --git a/roles/debian/tasks/nrpe.yml b/roles/debian/tasks/nrpe.yml new file mode 100644 index 0000000..b0aaf5e --- /dev/null +++ b/roles/debian/tasks/nrpe.yml @@ -0,0 +1,22 @@ +- name: Install NRPE packages + apt: + name: "{{ nagios_packages }}" + state: present + install_recommends: no +- name: Set NRPE generic configuration + template: + src: nrpe.cfg + dest: /etc/nagios/nrpe.d/90-vn.cfg + owner: root + group: root + mode: u=rw,g=r,o=r + notify: restart-nrpe +- name: Create NRPE local configuration file + file: + path: /etc/nagios/nrpe.d/99-local.cfg + state: touch + owner: nagios + group: nagios + mode: u=rw,g=r,o= + modification_time: preserve + access_time: preserve diff --git a/roles/debian/tasks/profile.yml b/roles/debian/tasks/profile.yml new file mode 100644 index 0000000..e8df993 --- /dev/null +++ b/roles/debian/tasks/profile.yml @@ -0,0 +1,7 @@ +- name: Copy profile configuration file + copy: + src: profile.sh + dest: /etc/profile.d/vn.sh + mode: u=rw,g=r,o=r + owner: root + group: root diff --git a/roles/debian/tasks/relayhost.yml b/roles/debian/tasks/relayhost.yml new file mode 100644 index 0000000..f912812 --- /dev/null +++ b/roles/debian/tasks/relayhost.yml @@ -0,0 +1,33 @@ +- name: Getting service facts to check for postfix + service_facts: +- when: "'postfix.service' not in ansible_facts.services" + block: + - name: Install exim packages + apt: + name: exim4 + state: present + - name: Prepare exim configuration + blockinfile: + path: /etc/exim4/update-exim4.conf.conf + marker_begin: '--- BEGIN VN ---' + marker_end: '--- END VN ---' + marker: "# {mark}" + block: | + dc_eximconfig_configtype='satellite' + dc_other_hostnames='{{ ansible_fqdn }}' + dc_local_interfaces='127.0.0.1' + dc_readhost='{{ ansible_fqdn }}' + dc_smarthost='{{ smtp_server }}' + dc_hide_mailname='true' + state: present + create: yes + mode: u=rw,g=r,o=r + notify: update exim configuration + register: exim_config + - name: Force execution of handlers immediately + meta: flush_handlers + - name: Sending mail to verify relay host configuration works + shell: > + sleep 2; echo "If you see this message, relayhost on {{ ansible_fqdn }} has been configured correctly." \ + | mailx -s "Relayhost test for {{ ansible_fqdn }}" "{{ sysadmin_mail }}" + when: exim_config.changed diff --git a/roles/debian/tasks/resolv.yml b/roles/debian/tasks/resolv.yml new file mode 100644 index 0000000..1ee5af7 --- /dev/null +++ b/roles/debian/tasks/resolv.yml @@ -0,0 +1,22 @@ +- name: Check if DNS is already configured + stat: + path: /etc/resolv.conf + register: resolv_conf +- name: Read /etc/resolv.conf + slurp: + path: /etc/resolv.conf + register: resolv_conf_content + when: resolv_conf.stat.exists +- name: Check if DNS servers are already present + set_fact: + dns_configured: "{{ resolv_conf_content['content'] | b64decode | regex_search('^nameserver') is not none }}" + when: resolv_conf.stat.exists +- name: Apply resolv.conf template only if DNS is not configured + template: + src: templates/resolv.conf + dest: /etc/resolv.conf + owner: root + group: root + mode: u=rw,g=r,o=r + backup: true + when: not resolv_conf.stat.exists or not dns_configured diff --git a/roles/debian/tasks/root.yml b/roles/debian/tasks/root.yml new file mode 100644 index 0000000..9f3d548 --- /dev/null +++ b/roles/debian/tasks/root.yml @@ -0,0 +1,43 @@ +- name: Set the root password changed witness variable + set_fact: + root_pass_changed: "{{ vn_ini.witness.root_pass_changed | default(false) }}" +- when: vn_witness_checked and not root_pass_changed + no_log: true + block: + - name: Search root password in Passbolt + ignore_errors: true + set_fact: + passbolt_password: > + {{ + lookup(passbolt, inventory_hostname_short, + username='root', + uri='ssh://'+hostname_fqdn + ) + }} + - when: passbolt_password is not defined + block: + - name: Generate a random root password + set_fact: + root_password: "{{ lookup('password', '/dev/null length=18 chars=ascii_letters,digits') }}" + - name: Save root password into Passbolt + set_fact: + msg: > + {{ + lookup(passbolt, inventory_hostname_short, + username='root', + password=root_password, + uri='ssh://'+hostname_fqdn+'/' + ) + }} + environment: + PASSBOLT_CREATE_NEW_RESOURCE: true + - name: Change root password + user: + name: root + password: "{{ root_password | password_hash('sha512') }}" + - name: Set root password generated witness + ini_file: + path: /etc/vn.ini + section: witness + option: root_pass_changed + value: true diff --git a/roles/debian/tasks/ssh_keys.yml b/roles/debian/tasks/ssh_keys.yml new file mode 100644 index 0000000..0fd4c6f --- /dev/null +++ b/roles/debian/tasks/ssh_keys.yml @@ -0,0 +1,21 @@ +- name: Set the SSH keys generated witness variable + set_fact: + ssh_keys_generated: "{{ vn_ini.witness.ssh_keys_generated | default(false) }}" +- when: vn_witness_checked and not ssh_keys_generated + block: + - name: Generate SSH key pairs + openssh_keypair: + path: "/etc/ssh/ssh_host_{{ item.type }}_key" + type: "{{ item.type }}" + force: yes + loop: + - { type: 'rsa' } + - { type: 'ecdsa' } + - { type: 'ed25519' } + notify: restart sshd + - name: Set SSH keys generated witness + ini_file: + path: /etc/vn.ini + section: witness + option: ssh_keys_generated + value: true \ No newline at end of file diff --git a/roles/debian/tasks/sshd_configure.yml b/roles/debian/tasks/sshd_configure.yml new file mode 100644 index 0000000..6c6b19d --- /dev/null +++ b/roles/debian/tasks/sshd_configure.yml @@ -0,0 +1,17 @@ +- name: Configure sshd_config settings + copy: + dest: /etc/ssh/sshd_config.d/vn-listenipv4.conf + content: | + # Do not edit this file! Ansible will overwrite it. + ListenAddress 0.0.0.0 + owner: root + group: root + mode: u=rw,g=r,o=r + notify: restart sshd +- name: Deploy custom authorized_keys for root + copy: + dest: /root/.ssh/authorized_keys2 + content: "{{ public_keys }}" + owner: root + group: root + mode: u=rw,g=,o= diff --git a/roles/debian/tasks/sudoers.yml b/roles/debian/tasks/sudoers.yml new file mode 100644 index 0000000..45e1d8c --- /dev/null +++ b/roles/debian/tasks/sudoers.yml @@ -0,0 +1,11 @@ +- name: Install sudo package + apt: + name: sudo + state: present +- name: Add sysadmin to sudoers + template: + src: sudoers + dest: /etc/sudoers.d/vn + mode: u=rw,g=r,o= + owner: root + group: root diff --git a/roles/debian/tasks/sysctl.yml b/roles/debian/tasks/sysctl.yml new file mode 100644 index 0000000..aab1e57 --- /dev/null +++ b/roles/debian/tasks/sysctl.yml @@ -0,0 +1,8 @@ +- name: Set systctl custom vn configuration + copy: + src: sysctl/ + dest: /etc/sysctl.d/ + owner: root + group: root + mode: u=rw,g=r,o=r + notify: restart-sysctl diff --git a/roles/debian/tasks/timesync.yml b/roles/debian/tasks/timesync.yml new file mode 100644 index 0000000..57d45df --- /dev/null +++ b/roles/debian/tasks/timesync.yml @@ -0,0 +1,28 @@ +- name: Getting service facts to check for timesyncd + service_facts: +- when: "'systemd-timesyncd.service' in ansible_facts.services" + block: + - name: Ensure directory for timesyncd custom configuration exists + file: + path: /etc/systemd/timesyncd.conf.d/ + state: directory + owner: root + group: root + mode: u=rwx,g=rx,o=rx + - name: Configure timesyncd service + copy: + dest: /etc/systemd/timesyncd.conf.d/vn-ntp.conf + content: | + [Time] + NTP={{ time_server }} + FallbackNTP={{ time_server_spain }} + owner: root + group: root + mode: u=rw,g=r,o=r + notify: restart systemd-timesyncd + - name: Ensure timesyncd service is enabled and started + when: "ansible_facts.services['systemd-timesyncd.service'].status == 'enabled'" + service: + name: systemd-timesyncd + enabled: yes + state: started diff --git a/roles/debian/tasks/tzdata.yml b/roles/debian/tasks/tzdata.yml new file mode 100644 index 0000000..3f9bf17 --- /dev/null +++ b/roles/debian/tasks/tzdata.yml @@ -0,0 +1,11 @@ +- name: Configure debconf for tzdata + debconf: + name: tzdata + question: "{{ item.question }}" + value: "{{ item.value }}" + vtype: "string" + loop: + - { question: "tzdata/Areas", value: "Europe" } + - { question: "tzdata/Zones/Europe", value: "Madrid" } + - { question: "tzdata/Zones/Etc", value: "UTC" } + notify: reconfigure tzdata diff --git a/roles/debian/tasks/vim.yml b/roles/debian/tasks/vim.yml new file mode 100644 index 0000000..798a20d --- /dev/null +++ b/roles/debian/tasks/vim.yml @@ -0,0 +1,11 @@ +- name: Install vim packages + apt: + name: vim + state: present +- name: Copy vim configuration file + copy: + src: vimrc.local + dest: /etc/vim/ + mode: u=rw,g=r,o=r + owner: root + group: root diff --git a/roles/debian/tasks/vn-repo.yml b/roles/debian/tasks/vn-repo.yml new file mode 100644 index 0000000..c3db0ca --- /dev/null +++ b/roles/debian/tasks/vn-repo.yml @@ -0,0 +1,4 @@ +- name: Install package + apt: + deb: "{{ item }}" + with_items: "{{ deb_packages }}" diff --git a/roles/debian/tasks/witness.yml b/roles/debian/tasks/witness.yml new file mode 100644 index 0000000..32fb644 --- /dev/null +++ b/roles/debian/tasks/witness.yml @@ -0,0 +1,17 @@ +- name: Check if witness INI file exists + stat: + path: /etc/vn.ini + register: witness_file +- name: Set witness related variables + set_fact: + vn_first_time: "{{ not witness_file.stat.exists }}" + vn_witness_checked: true +- when: not vn_first_time + block: + - name: Slurp witness INI file + slurp: + src: /etc/vn.ini + register: vn_ini_file + - name: Put witness as dictionary into variable + set_fact: + vn_ini: "{{ vn_ini_file.content | b64decode | community.general.from_ini }}" diff --git a/roles/debian/templates/auto.homes b/roles/debian/templates/auto.homes new file mode 100644 index 0000000..8b16230 --- /dev/null +++ b/roles/debian/templates/auto.homes @@ -0,0 +1 @@ +* -fstype=nfs4,rw {{ homes_server }}:{{ homes_path }}/& diff --git a/roles/debian/templates/bacula-fd.conf b/roles/debian/templates/bacula-fd.conf new file mode 100644 index 0000000..0e2d00a --- /dev/null +++ b/roles/debian/templates/bacula-fd.conf @@ -0,0 +1,24 @@ +Director { + Name = bacula-dir + Password = "{{ bacula_passwords.fdpasswd }}" +} +Director { + Name = bacula-mon + Password = "{{ bacula_passwords.fdmpasswd }}" + Monitor = yes +} +FileDaemon { + Name = bacula-fd + WorkingDirectory = /var/lib/bacula + Pid Directory = /run/bacula + Maximum Concurrent Jobs = 20 + Plugin Directory = /usr/lib/bacula + PKI Signatures = Yes + PKI Encryption = Yes + PKI Keypair = "/etc/bacula/fd-cert.pem" + PKI Master Key = "/etc/bacula/master-cert.pem" +} +Messages { + Name = Standard + director = bacula-dir = all, !skipped, !restored +} diff --git a/roles/debian/templates/homes.autofs b/roles/debian/templates/homes.autofs new file mode 100644 index 0000000..c18bad3 --- /dev/null +++ b/roles/debian/templates/homes.autofs @@ -0,0 +1 @@ +{{ homes_path }} /etc/auto.homes --timeout=30 diff --git a/roles/debian/templates/jail.local b/roles/debian/templates/jail.local new file mode 100644 index 0000000..d3840df --- /dev/null +++ b/roles/debian/templates/jail.local @@ -0,0 +1,22 @@ +# Do not edit this file! Ansible will overwrite it. + +[DEFAULT] + +ignoreip = {{ fail2ban.ignore }} +bantime = {{ fail2ban.bantime }} +findtime = {{ fail2ban.bantime }} +maxretry = {{ fail2ban.maxretry }} +destemail = {{ fail2ban.email }} +sender = root@{{ ansible_fqdn }} +banaction = nftables-multiport +action = %(action_)s + +#+++++++++++++++ Jails + +[sshd] +ignoreip = 127.0.0.1/8 +enabled = true +port = 0:65535 +filter = sshd +logpath = {{ fail2ban.logpath }} +action = %(action_mwl)s diff --git a/roles/debian/templates/nrpe.cfg b/roles/debian/templates/nrpe.cfg new file mode 100644 index 0000000..99329fd --- /dev/null +++ b/roles/debian/templates/nrpe.cfg @@ -0,0 +1,13 @@ +allowed_hosts={{ nagios_server }} +server_address={{ ansible_default_ipv4.address }} + +command[check_disk_root]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p / +command[check_disk_var]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p /var +command[check_disk_usr]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p /usr +command[check_disk_home]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p /home +command[check_disk_tmp]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p /tmp +command[check_dummy]=/usr/lib/nagios/plugins/check_dummy 0 +command[check_swap]=/usr/lib/nagios/plugins/check_swap -w 40% -c 20% -n OK +command[check_load]=/usr/lib/nagios/plugins/check_load -r -w 3.5,3.25,3 -c 4.5,4.25,4 +command[check_total_procs]=/usr/lib/nagios/plugins/check_procs -w 400 -c 500 +command[check_memory]=/usr/lib/nagios/plugins/check_memory --available -m -w 20%: -c 10%: diff --git a/roles/debian/templates/nslcd.conf b/roles/debian/templates/nslcd.conf new file mode 100644 index 0000000..aeb7aa4 --- /dev/null +++ b/roles/debian/templates/nslcd.conf @@ -0,0 +1,16 @@ +# See nslcd.conf(5) for details. + +uid nslcd +gid nslcd + +uri {{ ldap_uri }} +idle_timelimit 60 + +base {{ ldap_base }} +binddn cn=nss,ou=admins,{{ ldap_base }} +bindpw {{ lookup(passbolt, 'nslcd', folder_parent_id=passbolt_folder).password }} +pagesize 500 + +filter group (&(objectClass=posixGroup)(cn={{ sysadmin_group }})) +filter passwd (&(objectClass=posixAccount)(memberOf=cn={{ sysadmin_group }},ou=dnGroups,{{ ldap_base }})) +pam_authz_search (&(objectClass=posixGroup)(cn={{ sysadmin_group }})(memberuid=$username)) diff --git a/roles/debian/templates/resolv.conf b/roles/debian/templates/resolv.conf new file mode 100644 index 0000000..52a1891 --- /dev/null +++ b/roles/debian/templates/resolv.conf @@ -0,0 +1,7 @@ +domain {{ host_domain }} +search {{ host_domain }} +{% if resolvers is defined %} +{% for resolver in resolvers %} +nameserver {{resolver}} +{% endfor %} +{% endif %} \ No newline at end of file diff --git a/roles/debian/templates/sudoers b/roles/debian/templates/sudoers new file mode 100644 index 0000000..0479f3a --- /dev/null +++ b/roles/debian/templates/sudoers @@ -0,0 +1 @@ +%{{ sysadmin_group }} ALL=(ALL) NOPASSWD: ALL -- 2.40.1 From ccb95837fa26384eb32e238ed26a701021d583c4 Mon Sep 17 00:00:00 2001 From: Juan Ferrer Toribio Date: Tue, 4 Feb 2025 21:03:45 +0100 Subject: [PATCH 2/3] refs #8025 Debian roles merged --- playbooks/debian.yml | 17 +-- playbooks/kube.yml | 2 + playbooks/pve.yml | 2 + roles/debian-base/defaults/main.yaml | 41 ------- roles/debian-base/files/motd | 102 ------------------ roles/debian-base/files/profile.sh | 47 -------- roles/debian-base/files/sendmail-common.local | 3 - roles/debian-base/files/vimrc.local | 5 - roles/debian-base/handlers/main.yml | 26 ----- roles/debian-base/tasks/bacula.yml | 53 --------- roles/debian-base/tasks/defuser.yml | 5 - roles/debian-base/tasks/fail2ban.yml | 40 ------- roles/debian-base/tasks/install.yml | 4 - roles/debian-base/tasks/locale.yml | 6 -- roles/debian-base/tasks/main.yml | 34 ------ roles/debian-base/tasks/motd.yml | 7 -- roles/debian-base/tasks/nrpe.yml | 22 ---- roles/debian-base/tasks/profile.yml | 7 -- roles/debian-base/tasks/relayhost.yml | 33 ------ roles/debian-base/tasks/resolv.yml | 22 ---- roles/debian-base/tasks/root.yml | 43 -------- roles/debian-base/tasks/sshd_configure.yml | 17 --- roles/debian-base/tasks/timesync.yml | 28 ----- roles/debian-base/tasks/tzdata.yml | 11 -- roles/debian-base/tasks/vim.yml | 11 -- roles/debian-base/tasks/vn-repo.yml | 4 - roles/debian-base/tasks/witness.yml | 17 --- roles/debian-base/templates/bacula-fd.conf | 24 ----- roles/debian-base/templates/jail.local | 22 ---- roles/debian-base/templates/nrpe.cfg | 13 --- roles/debian-base/templates/resolv.conf | 7 -- roles/debian-guest/handlers/main.yml | 8 -- roles/debian-guest/tasks/auth.yml | 25 ----- roles/debian-guest/tasks/main.yml | 6 -- roles/debian-guest/tasks/ssh_keys.yml | 21 ---- roles/debian-guest/tasks/sudoers.yml | 11 -- roles/debian-guest/templates/nslcd.conf | 16 --- roles/debian-guest/templates/sudoers | 1 - roles/debian-host/files/sysctl/30-basic.conf | 4 - .../debian-host/files/sysctl/40-network.conf | 7 -- roles/debian-host/files/sysctl/42-noipv6.conf | 3 - roles/debian-host/handlers/main.yml | 4 - roles/debian-host/tasks/apparmor.yml | 16 --- roles/debian-host/tasks/hostname.yml | 9 -- roles/debian-host/tasks/main.yml | 6 -- roles/debian-host/tasks/sysctl.yml | 8 -- roles/debian-qemu/defaults/main.yml | 8 -- .../files/80-hotplug-cpu-mem.rules | 1 - roles/debian-qemu/files/hotplug.cfg | 1 - roles/debian-qemu/handlers/main.yml | 4 - roles/debian-qemu/tasks/agent.yml | 4 - roles/debian-qemu/tasks/autofs.yml | 35 ------ roles/debian-qemu/tasks/blacklist.yml | 7 -- roles/debian-qemu/tasks/grub_startup.yml | 49 --------- roles/debian-qemu/tasks/hotplug.yml | 18 ---- roles/debian-qemu/tasks/main.yml | 10 -- roles/debian-qemu/templates/auto.homes | 1 - roles/debian-qemu/templates/homes.autofs | 1 - 58 files changed, 6 insertions(+), 953 deletions(-) delete mode 100644 roles/debian-base/defaults/main.yaml delete mode 100644 roles/debian-base/files/motd delete mode 100644 roles/debian-base/files/profile.sh delete mode 100644 roles/debian-base/files/sendmail-common.local delete mode 100644 roles/debian-base/files/vimrc.local delete mode 100644 roles/debian-base/handlers/main.yml delete mode 100644 roles/debian-base/tasks/bacula.yml delete mode 100644 roles/debian-base/tasks/defuser.yml delete mode 100644 roles/debian-base/tasks/fail2ban.yml delete mode 100644 roles/debian-base/tasks/install.yml delete mode 100644 roles/debian-base/tasks/locale.yml delete mode 100644 roles/debian-base/tasks/main.yml delete mode 100644 roles/debian-base/tasks/motd.yml delete mode 100644 roles/debian-base/tasks/nrpe.yml delete mode 100644 roles/debian-base/tasks/profile.yml delete mode 100644 roles/debian-base/tasks/relayhost.yml delete mode 100644 roles/debian-base/tasks/resolv.yml delete mode 100644 roles/debian-base/tasks/root.yml delete mode 100644 roles/debian-base/tasks/sshd_configure.yml delete mode 100644 roles/debian-base/tasks/timesync.yml delete mode 100644 roles/debian-base/tasks/tzdata.yml delete mode 100644 roles/debian-base/tasks/vim.yml delete mode 100644 roles/debian-base/tasks/vn-repo.yml delete mode 100644 roles/debian-base/tasks/witness.yml delete mode 100644 roles/debian-base/templates/bacula-fd.conf delete mode 100644 roles/debian-base/templates/jail.local delete mode 100644 roles/debian-base/templates/nrpe.cfg delete mode 100644 roles/debian-base/templates/resolv.conf delete mode 100644 roles/debian-guest/handlers/main.yml delete mode 100644 roles/debian-guest/tasks/auth.yml delete mode 100644 roles/debian-guest/tasks/main.yml delete mode 100644 roles/debian-guest/tasks/ssh_keys.yml delete mode 100644 roles/debian-guest/tasks/sudoers.yml delete mode 100644 roles/debian-guest/templates/nslcd.conf delete mode 100644 roles/debian-guest/templates/sudoers delete mode 100644 roles/debian-host/files/sysctl/30-basic.conf delete mode 100644 roles/debian-host/files/sysctl/40-network.conf delete mode 100644 roles/debian-host/files/sysctl/42-noipv6.conf delete mode 100644 roles/debian-host/handlers/main.yml delete mode 100644 roles/debian-host/tasks/apparmor.yml delete mode 100644 roles/debian-host/tasks/hostname.yml delete mode 100644 roles/debian-host/tasks/main.yml delete mode 100644 roles/debian-host/tasks/sysctl.yml delete mode 100644 roles/debian-qemu/defaults/main.yml delete mode 100644 roles/debian-qemu/files/80-hotplug-cpu-mem.rules delete mode 100644 roles/debian-qemu/files/hotplug.cfg delete mode 100644 roles/debian-qemu/handlers/main.yml delete mode 100644 roles/debian-qemu/tasks/agent.yml delete mode 100644 roles/debian-qemu/tasks/autofs.yml delete mode 100644 roles/debian-qemu/tasks/blacklist.yml delete mode 100644 roles/debian-qemu/tasks/grub_startup.yml delete mode 100644 roles/debian-qemu/tasks/hotplug.yml delete mode 100644 roles/debian-qemu/tasks/main.yml delete mode 100644 roles/debian-qemu/templates/auto.homes delete mode 100644 roles/debian-qemu/templates/homes.autofs diff --git a/playbooks/debian.yml b/playbooks/debian.yml index 1180f9d..0e337af 100644 --- a/playbooks/debian.yml +++ b/playbooks/debian.yml @@ -1,18 +1,5 @@ - name: Configure base Debian host hosts: all tasks: - - name: Configure virtual machine or host (not LXC) - import_role: - name: debian-host - when: ansible_virtualization_role == 'host' or ansible_virtualization_type == 'kvm' - - name: Configure base system (all) - import_role: - name: debian-base - - name: Configure guest - import_role: - name: debian-guest - when: ansible_virtualization_role == 'guest' - - name: Configure virtual machine - import_role: - name: debian-qemu - when: ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'kvm' + - import_role: + name: debian diff --git a/playbooks/kube.yml b/playbooks/kube.yml index 0b7d9bf..8628eb1 100644 --- a/playbooks/kube.yml +++ b/playbooks/kube.yml @@ -1,5 +1,7 @@ - name: Configure Kubernetes hosts: all tasks: + - import_role: + name: debian - import_role: name: kube diff --git a/playbooks/pve.yml b/playbooks/pve.yml index ab7c817..a351148 100644 --- a/playbooks/pve.yml +++ b/playbooks/pve.yml @@ -1,5 +1,7 @@ - name: Configure PVE hosts: all tasks: + - import_role: + name: debian - import_role: name: pve diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml deleted file mode 100644 index fb89b46..0000000 --- a/roles/debian-base/defaults/main.yaml +++ /dev/null @@ -1,41 +0,0 @@ -vn_first_time: false -vn_witness_checked: false -deb_packages: - - https://apt.verdnatura.es/pool/main/v/vn-host/vn-apt-source_3.0.1_all.deb - - https://apt.verdnatura.es/pool/main/v/vn-host/vn-host_3.0.1_all.deb -grub_user: admin -default_user: user -fail2ban: - email: "{{ sysadmin_mail }}" - bantime: 600 - maxretry: 4 - ignore: "127.0.0.0/8 {{ dc_net }}" - logpath: "/var/log/auth.log" -fail2ban_base_packages: - - fail2ban - - rsyslog -time_server_spain: ntp.roa.es -nagios_packages: - - nagios-nrpe-server - - nagios-plugins-contrib - - monitoring-plugins-basic -base_packages: - - htop - - psmisc - - bash-completion - - screen - - aptitude - - tree - - btop - - ncdu - - debconf-utils - - net-tools - - gpg - - curl - - cloud-guest-utils - - rsync - - parted - - yq -locales_present: - - en_US.UTF-8 - - es_ES.UTF-8 diff --git a/roles/debian-base/files/motd b/roles/debian-base/files/motd deleted file mode 100644 index 1a11bc4..0000000 --- a/roles/debian-base/files/motd +++ /dev/null @@ -1,102 +0,0 @@ -#!/bin/bash - -LABEL="\033[0;32m" -SUBLB="\033[0;36m" -RESET="\033[0m" -BLINK="\033[5m" - -. /etc/os-release - -# Environment - -PRO="\033[1;5;31m" -LAB="\033[0;35m" -VN="\033[0;32m" -UNKNOWN="\033[0;33m" - -FQDN=$(hostname --fqdn) -case "$FQDN" in - *.dc.verdnatura.es) - ENVIRONMENT="${PRO}Production${RESET}" - ;; - *.lab.verdnatura.es) - ENVIRONMENT="${LAB}Laboratory${RESET}" - ;; - *.verdnatura.es) - ENVIRONMENT="${VN}Verdnatura${RESET}" - ;; - *) - ENVIRONMENT="${UNKNOWN}Unknown${RESET}" - ;; -esac - -# Last login - -LAST="$(last -n1 | head -1)" -if [ "$LAST" != "" ] ; then - LAST_LOGIN_USER="$(echo $LAST | cut -d' ' -f1)" - LAST_LOGIN_IP="$(echo $LAST | cut -d' ' -f3)" - LAST_LOGIN_TIME="$(echo $LAST | cut -d' ' -f4-)" - LAST_LOGIN="$LAST_LOGIN_USER ($LAST_LOGIN_IP) $LAST_LOGIN_TIME" -fi - -# Packages - -PACKAGES=$(dpkg-query -W -f='${binary:Package}\n' | wc -l) -SHOW_UPGRADEABLE=0 -USER_UID=$(id -u $USER) -USER_GROUPS=$(id -Gn $USER) - -if [ ${USER_UID} -eq 0 ] ; then - SHOW_UPGRADEABLE=1 -fi -if [[ "${USER_GROUPS}" == *"sysadmin"* ]] ; then - SHOW_UPGRADEABLE=1 -fi -if [ $SHOW_UPGRADEABLE -eq 1 ] ; then - UPGRADEABLE="$(apt list --upgradable 2>/dev/null | tail -n +2 | wc -l)" - - if [ "$UPGRADEABLE" -gt 0 ]; then - UPGRADEABLE_ALERT="${BLINK}($UPGRADEABLE upgradeable)${RESET}" - fi -fi - -# Network and users - -NET_IPS=$(ip -o -4 add sh | tail -n +2 | awk '{printf "\033[0;36m%16s >\033[0m %-15s\n",$2,$4}') -CONNECTED_USERS=$(w | tail -n +2 | awk '{printf "\t%15s %12s %8s %s\n",$1,$3,$4, substr( $0, index($0,$8), index($0,$NF)) }') - -# Logo - -FW="\033[1;37m" -FG="\033[1;32m" -GB="\e[48;5;112m" -GL="\e[48;5;70m" -RS="\e[0m" - -echo -e -echo -e " $GL $GB $RS" -echo -e " $GL $GB $GL $RS $GL $GB $RS" " ${FW}__ __ _ ${FG} _ _ _ ${RS}" -echo -e " $GB $GL $RS $GL $GB $GL $RS" " ${FW}\ \ / /__ _ __ __| |${FG}| \ | | __ _| |_ _ _ _ __ __ _ ${RS}" -echo -e " $GL $GB $RS $GB $GL $RS " " ${FW} \ \ / / _ \ '__/ _' |${FG}| \| |/ _' | __| | | | '__/ _' |${RS}" -echo -e " $GL $GB $RS $GB $GL $RS " " ${FW} \ V / __/ | | (_| |${FG}| |\ | (_| | |_| |_| | | | (_| |${RS}" -echo -e " " " ${FW} \_/ \___|_| \__,_|${FG}|_| \_|\__,_|\__|\__,_|_| \__,_|${RS}" -echo -e " $GL $GB $RS $GB $GL $RS" -echo -e " $GL $GB $GL $RS $GL $GB $RS" -echo -e " $GB $GL $RS" -echo -e - -# Information - -echo -e "${LABEL}Host :${RESET} $FQDN" -echo -e "${LABEL}OS :${RESET} $NAME $(cat /etc/debian_version) ($VERSION_CODENAME)" -echo -e "${LABEL}Kernel :${RESET} $(uname -r)" -echo -e "${LABEL}Shell :${RESET} $SHELL $(echo $BASH_VERSION | cut -d'(' -f1)" -echo -e "${LABEL}Uptime :${RESET} $(uptime -p | tr -d ',')" -echo -e "${LABEL}Packages :${RESET} $PACKAGES $UPGRADEABLE_ALERT" -echo -e "${LABEL}IP :${RESET}" -echo -e "$NET_IPS" -echo -e "${LABEL}Last Login :${RESET} $LAST_LOGIN" -echo -e "${LABEL}Environment :${RESET} $ENVIRONMENT" -echo -e "${LABEL}Connected users :${RESET}" -echo -e "$CONNECTED_USERS" diff --git a/roles/debian-base/files/profile.sh b/roles/debian-base/files/profile.sh deleted file mode 100644 index ab1ac12..0000000 --- a/roles/debian-base/files/profile.sh +++ /dev/null @@ -1,47 +0,0 @@ -#!/bin/bash - -# Prompt - -FQDN=$(hostname --fqdn) - -if [[ $FQDN == *.verdnatura.es ]]; then - SHORT_HOST=${FQDN%.verdnatura.es} - - case "$SHORT_HOST" in - *.dc) - ENVIRONMENT="\[\033[01;31m\]PRO\[\033[00m\]" - ;; - *.lab) - ENVIRONMENT="\[\033[01;35m\]LAB\[\033[00m\]" - ;; - *) - ENVIRONMENT="\[\033[01;32m\]VN\[\033[00m\]" - ;; - esac - - PS1="\u@$SHORT_HOST[$ENVIRONMENT]:\w" - - if [ "$(id -u)" -eq 0 ]; then - PS1="$PS1# " - else - PS1="$PS1\$ " - fi -fi - -# History - -HISTSIZE=10000 -HISTFILESIZE=50000 -HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S " - -# Security - -TMOUT=3600 - -# Aliases - -#export LS_OPTIONS='--color=auto' -#eval "$(dircolors)" -#alias ls='ls $LS_OPTIONS' -#alias ll='ls $LS_OPTIONS -l' -#alias la='ls $LS_OPTIONS -la' diff --git a/roles/debian-base/files/sendmail-common.local b/roles/debian-base/files/sendmail-common.local deleted file mode 100644 index b389b31..0000000 --- a/roles/debian-base/files/sendmail-common.local +++ /dev/null @@ -1,3 +0,0 @@ -[Definition] -actionstart = -actionstop = diff --git a/roles/debian-base/files/vimrc.local b/roles/debian-base/files/vimrc.local deleted file mode 100644 index 005d05c..0000000 --- a/roles/debian-base/files/vimrc.local +++ /dev/null @@ -1,5 +0,0 @@ -syntax on -set showcmd -set showmatch -set ignorecase -set smartcase diff --git a/roles/debian-base/handlers/main.yml b/roles/debian-base/handlers/main.yml deleted file mode 100644 index e2ee81e..0000000 --- a/roles/debian-base/handlers/main.yml +++ /dev/null @@ -1,26 +0,0 @@ -- name: restart systemd-timesyncd - systemd: - name: systemd-timesyncd - state: restarted -- name: restart-ssh - systemd: - name: ssh - state: restarted -- name: restart fail2ban - systemd: - name: fail2ban - state: restarted -- name: restart-nrpe - systemd: - name: nagios-nrpe-server - state: restarted -- name: restart sshd - systemd: - name: sshd - state: restarted -- name: generate locales - command: /usr/sbin/locale-gen -- name: reconfigure tzdata - command: dpkg-reconfigure -f noninteractive tzdata -- name: update exim configuration - command: /usr/sbin/update-exim4.conf diff --git a/roles/debian-base/tasks/bacula.yml b/roles/debian-base/tasks/bacula.yml deleted file mode 100644 index 8ae1525..0000000 --- a/roles/debian-base/tasks/bacula.yml +++ /dev/null @@ -1,53 +0,0 @@ -- name: Install Bacula FD packages - apt: - name: bacula-fd - state: present -- name: Read content file in base64 - slurp: - src: /etc/bacula/common_default_passwords - register: file_content -- name: Going to text plane - no_log: true - set_fact: - file_content_decoded: "{{ file_content.content | b64decode }}" -- name: Extracting passwords - no_log: true - set_fact: - passwords: "{{ file_content_decoded.splitlines() | select('match', '^[^#]') | map('regex_replace', '^([^=]+)=(.+)$', '\\1:\\2') | list }}" -- name: Initialize password dictionary - set_fact: - bacula_passwords: {} -- name: Convert lines to individual variables generating a new dict - no_log: true - set_fact: - bacula_passwords: "{{ bacula_passwords | combine({item.split(':')[0].lower(): item.split(':')[1] | regex_replace('\\n$', '') }) }}" - loop: "{{ passwords }}" - when: "'FDPASSWD' in item or 'FDMPASSWD' in item" -- name: Configure Bacula FD - template: - src: bacula-fd.conf - dest: /etc/bacula/bacula-fd.conf - owner: root - group: bacula - mode: u=rw,g=r,o= - backup: true - register: bacula_config -- name: Configure master cert - copy: - content: "{{ ca_bacula }}" - dest: /etc/bacula/master-cert.pem - owner: root - group: root - mode: u=rw,g=r,o=r -- name: Configure master cert - copy: - content: "{{ lookup(passbolt, 'fd-cert.pem', folder_parent_id=passbolt_folder).description }}" - dest: /etc/bacula/fd-cert.pem - owner: root - group: bacula - mode: u=rw,g=r,o= -- name: Restart Bacula FD service - service: - name: bacula-fd - state: restarted - when: bacula_config.changed diff --git a/roles/debian-base/tasks/defuser.yml b/roles/debian-base/tasks/defuser.yml deleted file mode 100644 index b41897b..0000000 --- a/roles/debian-base/tasks/defuser.yml +++ /dev/null @@ -1,5 +0,0 @@ -- name: Delete default user - user: - name: "{{ default_user }}" - state: absent - remove: yes diff --git a/roles/debian-base/tasks/fail2ban.yml b/roles/debian-base/tasks/fail2ban.yml deleted file mode 100644 index 8474033..0000000 --- a/roles/debian-base/tasks/fail2ban.yml +++ /dev/null @@ -1,40 +0,0 @@ -- name: Install fail2ban and rsyslog packages - apt: - name: "{{ fail2ban_base_packages }}" - state: present -- name: Configure sshd_config settings - copy: - dest: /etc/ssh/sshd_config.d/vn-fail2ban.conf - content: | - # Do not edit this file! Ansible will overwrite it. - - SyslogFacility AUTH - owner: root - group: root - mode: u=rw,g=r,o=r - notify: restart sshd -- name: Adjust action configuration to reduce noise - copy: - src: sendmail-common.local - dest: /etc/fail2ban/action.d/sendmail-common.local - owner: root - group: root - mode: u=rw,g=r,o=r - notify: restart sshd -- name: Configure fail2ban service - template: - src: jail.local - dest: /etc/fail2ban/jail.local - owner: root - group: root - mode: u=rw,g=r,o=r - notify: restart fail2ban - register: jail -- name: Ensure file for auth sshd custom log exists - file: - path: /var/log/auth.log - state: touch - owner: root - group: adm - mode: u=rw,g=r,o= - when: jail.changed diff --git a/roles/debian-base/tasks/install.yml b/roles/debian-base/tasks/install.yml deleted file mode 100644 index 396832c..0000000 --- a/roles/debian-base/tasks/install.yml +++ /dev/null @@ -1,4 +0,0 @@ -- name: Install base packages - apt: - name: "{{ base_packages }}" - state: present diff --git a/roles/debian-base/tasks/locale.yml b/roles/debian-base/tasks/locale.yml deleted file mode 100644 index 9063486..0000000 --- a/roles/debian-base/tasks/locale.yml +++ /dev/null @@ -1,6 +0,0 @@ -- name: make sure locales in variable are generated - locale_gen: - name: "{{ item }}" - state: present - with_items: "{{ locales_present }}" - notify: generate locales diff --git a/roles/debian-base/tasks/main.yml b/roles/debian-base/tasks/main.yml deleted file mode 100644 index dcd5f94..0000000 --- a/roles/debian-base/tasks/main.yml +++ /dev/null @@ -1,34 +0,0 @@ -- import_tasks: witness.yml - tags: witness -- import_tasks: root.yml - tags: root -- import_tasks: resolv.yml - tags: resolv -- import_tasks: timesync.yml - tags: timesync -- import_tasks: sshd_configure.yml - tags: sshd_configure -- import_tasks: defuser.yml - tags: defuser -- import_tasks: install.yml - tags: install -- import_tasks: locale.yml - tags: locale -- import_tasks: tzdata.yml - tags: tzdata -- import_tasks: relayhost.yml - tags: relayhost -- import_tasks: motd.yml - tags: motd -- import_tasks: profile.yml - tags: profile -- import_tasks: vim.yml - tags: vim -- import_tasks: nrpe.yml - tags: nrpe -- import_tasks: fail2ban.yml - tags: fail2ban -- import_tasks: bacula.yml - tags: bacula -- import_tasks: vn-repo.yml - tags: vn-repo diff --git a/roles/debian-base/tasks/motd.yml b/roles/debian-base/tasks/motd.yml deleted file mode 100644 index 486e705..0000000 --- a/roles/debian-base/tasks/motd.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: Copy MOTD configuration file - copy: - src: motd - dest: /etc/update-motd.d/90-vn - mode: u=rwx,g=rx,o=rx - owner: root - group: root diff --git a/roles/debian-base/tasks/nrpe.yml b/roles/debian-base/tasks/nrpe.yml deleted file mode 100644 index b0aaf5e..0000000 --- a/roles/debian-base/tasks/nrpe.yml +++ /dev/null @@ -1,22 +0,0 @@ -- name: Install NRPE packages - apt: - name: "{{ nagios_packages }}" - state: present - install_recommends: no -- name: Set NRPE generic configuration - template: - src: nrpe.cfg - dest: /etc/nagios/nrpe.d/90-vn.cfg - owner: root - group: root - mode: u=rw,g=r,o=r - notify: restart-nrpe -- name: Create NRPE local configuration file - file: - path: /etc/nagios/nrpe.d/99-local.cfg - state: touch - owner: nagios - group: nagios - mode: u=rw,g=r,o= - modification_time: preserve - access_time: preserve diff --git a/roles/debian-base/tasks/profile.yml b/roles/debian-base/tasks/profile.yml deleted file mode 100644 index e8df993..0000000 --- a/roles/debian-base/tasks/profile.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: Copy profile configuration file - copy: - src: profile.sh - dest: /etc/profile.d/vn.sh - mode: u=rw,g=r,o=r - owner: root - group: root diff --git a/roles/debian-base/tasks/relayhost.yml b/roles/debian-base/tasks/relayhost.yml deleted file mode 100644 index f912812..0000000 --- a/roles/debian-base/tasks/relayhost.yml +++ /dev/null @@ -1,33 +0,0 @@ -- name: Getting service facts to check for postfix - service_facts: -- when: "'postfix.service' not in ansible_facts.services" - block: - - name: Install exim packages - apt: - name: exim4 - state: present - - name: Prepare exim configuration - blockinfile: - path: /etc/exim4/update-exim4.conf.conf - marker_begin: '--- BEGIN VN ---' - marker_end: '--- END VN ---' - marker: "# {mark}" - block: | - dc_eximconfig_configtype='satellite' - dc_other_hostnames='{{ ansible_fqdn }}' - dc_local_interfaces='127.0.0.1' - dc_readhost='{{ ansible_fqdn }}' - dc_smarthost='{{ smtp_server }}' - dc_hide_mailname='true' - state: present - create: yes - mode: u=rw,g=r,o=r - notify: update exim configuration - register: exim_config - - name: Force execution of handlers immediately - meta: flush_handlers - - name: Sending mail to verify relay host configuration works - shell: > - sleep 2; echo "If you see this message, relayhost on {{ ansible_fqdn }} has been configured correctly." \ - | mailx -s "Relayhost test for {{ ansible_fqdn }}" "{{ sysadmin_mail }}" - when: exim_config.changed diff --git a/roles/debian-base/tasks/resolv.yml b/roles/debian-base/tasks/resolv.yml deleted file mode 100644 index 1ee5af7..0000000 --- a/roles/debian-base/tasks/resolv.yml +++ /dev/null @@ -1,22 +0,0 @@ -- name: Check if DNS is already configured - stat: - path: /etc/resolv.conf - register: resolv_conf -- name: Read /etc/resolv.conf - slurp: - path: /etc/resolv.conf - register: resolv_conf_content - when: resolv_conf.stat.exists -- name: Check if DNS servers are already present - set_fact: - dns_configured: "{{ resolv_conf_content['content'] | b64decode | regex_search('^nameserver') is not none }}" - when: resolv_conf.stat.exists -- name: Apply resolv.conf template only if DNS is not configured - template: - src: templates/resolv.conf - dest: /etc/resolv.conf - owner: root - group: root - mode: u=rw,g=r,o=r - backup: true - when: not resolv_conf.stat.exists or not dns_configured diff --git a/roles/debian-base/tasks/root.yml b/roles/debian-base/tasks/root.yml deleted file mode 100644 index 9f3d548..0000000 --- a/roles/debian-base/tasks/root.yml +++ /dev/null @@ -1,43 +0,0 @@ -- name: Set the root password changed witness variable - set_fact: - root_pass_changed: "{{ vn_ini.witness.root_pass_changed | default(false) }}" -- when: vn_witness_checked and not root_pass_changed - no_log: true - block: - - name: Search root password in Passbolt - ignore_errors: true - set_fact: - passbolt_password: > - {{ - lookup(passbolt, inventory_hostname_short, - username='root', - uri='ssh://'+hostname_fqdn - ) - }} - - when: passbolt_password is not defined - block: - - name: Generate a random root password - set_fact: - root_password: "{{ lookup('password', '/dev/null length=18 chars=ascii_letters,digits') }}" - - name: Save root password into Passbolt - set_fact: - msg: > - {{ - lookup(passbolt, inventory_hostname_short, - username='root', - password=root_password, - uri='ssh://'+hostname_fqdn+'/' - ) - }} - environment: - PASSBOLT_CREATE_NEW_RESOURCE: true - - name: Change root password - user: - name: root - password: "{{ root_password | password_hash('sha512') }}" - - name: Set root password generated witness - ini_file: - path: /etc/vn.ini - section: witness - option: root_pass_changed - value: true diff --git a/roles/debian-base/tasks/sshd_configure.yml b/roles/debian-base/tasks/sshd_configure.yml deleted file mode 100644 index 6c6b19d..0000000 --- a/roles/debian-base/tasks/sshd_configure.yml +++ /dev/null @@ -1,17 +0,0 @@ -- name: Configure sshd_config settings - copy: - dest: /etc/ssh/sshd_config.d/vn-listenipv4.conf - content: | - # Do not edit this file! Ansible will overwrite it. - ListenAddress 0.0.0.0 - owner: root - group: root - mode: u=rw,g=r,o=r - notify: restart sshd -- name: Deploy custom authorized_keys for root - copy: - dest: /root/.ssh/authorized_keys2 - content: "{{ public_keys }}" - owner: root - group: root - mode: u=rw,g=,o= diff --git a/roles/debian-base/tasks/timesync.yml b/roles/debian-base/tasks/timesync.yml deleted file mode 100644 index 57d45df..0000000 --- a/roles/debian-base/tasks/timesync.yml +++ /dev/null @@ -1,28 +0,0 @@ -- name: Getting service facts to check for timesyncd - service_facts: -- when: "'systemd-timesyncd.service' in ansible_facts.services" - block: - - name: Ensure directory for timesyncd custom configuration exists - file: - path: /etc/systemd/timesyncd.conf.d/ - state: directory - owner: root - group: root - mode: u=rwx,g=rx,o=rx - - name: Configure timesyncd service - copy: - dest: /etc/systemd/timesyncd.conf.d/vn-ntp.conf - content: | - [Time] - NTP={{ time_server }} - FallbackNTP={{ time_server_spain }} - owner: root - group: root - mode: u=rw,g=r,o=r - notify: restart systemd-timesyncd - - name: Ensure timesyncd service is enabled and started - when: "ansible_facts.services['systemd-timesyncd.service'].status == 'enabled'" - service: - name: systemd-timesyncd - enabled: yes - state: started diff --git a/roles/debian-base/tasks/tzdata.yml b/roles/debian-base/tasks/tzdata.yml deleted file mode 100644 index 3f9bf17..0000000 --- a/roles/debian-base/tasks/tzdata.yml +++ /dev/null @@ -1,11 +0,0 @@ -- name: Configure debconf for tzdata - debconf: - name: tzdata - question: "{{ item.question }}" - value: "{{ item.value }}" - vtype: "string" - loop: - - { question: "tzdata/Areas", value: "Europe" } - - { question: "tzdata/Zones/Europe", value: "Madrid" } - - { question: "tzdata/Zones/Etc", value: "UTC" } - notify: reconfigure tzdata diff --git a/roles/debian-base/tasks/vim.yml b/roles/debian-base/tasks/vim.yml deleted file mode 100644 index 798a20d..0000000 --- a/roles/debian-base/tasks/vim.yml +++ /dev/null @@ -1,11 +0,0 @@ -- name: Install vim packages - apt: - name: vim - state: present -- name: Copy vim configuration file - copy: - src: vimrc.local - dest: /etc/vim/ - mode: u=rw,g=r,o=r - owner: root - group: root diff --git a/roles/debian-base/tasks/vn-repo.yml b/roles/debian-base/tasks/vn-repo.yml deleted file mode 100644 index c3db0ca..0000000 --- a/roles/debian-base/tasks/vn-repo.yml +++ /dev/null @@ -1,4 +0,0 @@ -- name: Install package - apt: - deb: "{{ item }}" - with_items: "{{ deb_packages }}" diff --git a/roles/debian-base/tasks/witness.yml b/roles/debian-base/tasks/witness.yml deleted file mode 100644 index 32fb644..0000000 --- a/roles/debian-base/tasks/witness.yml +++ /dev/null @@ -1,17 +0,0 @@ -- name: Check if witness INI file exists - stat: - path: /etc/vn.ini - register: witness_file -- name: Set witness related variables - set_fact: - vn_first_time: "{{ not witness_file.stat.exists }}" - vn_witness_checked: true -- when: not vn_first_time - block: - - name: Slurp witness INI file - slurp: - src: /etc/vn.ini - register: vn_ini_file - - name: Put witness as dictionary into variable - set_fact: - vn_ini: "{{ vn_ini_file.content | b64decode | community.general.from_ini }}" diff --git a/roles/debian-base/templates/bacula-fd.conf b/roles/debian-base/templates/bacula-fd.conf deleted file mode 100644 index 0e2d00a..0000000 --- a/roles/debian-base/templates/bacula-fd.conf +++ /dev/null @@ -1,24 +0,0 @@ -Director { - Name = bacula-dir - Password = "{{ bacula_passwords.fdpasswd }}" -} -Director { - Name = bacula-mon - Password = "{{ bacula_passwords.fdmpasswd }}" - Monitor = yes -} -FileDaemon { - Name = bacula-fd - WorkingDirectory = /var/lib/bacula - Pid Directory = /run/bacula - Maximum Concurrent Jobs = 20 - Plugin Directory = /usr/lib/bacula - PKI Signatures = Yes - PKI Encryption = Yes - PKI Keypair = "/etc/bacula/fd-cert.pem" - PKI Master Key = "/etc/bacula/master-cert.pem" -} -Messages { - Name = Standard - director = bacula-dir = all, !skipped, !restored -} diff --git a/roles/debian-base/templates/jail.local b/roles/debian-base/templates/jail.local deleted file mode 100644 index d3840df..0000000 --- a/roles/debian-base/templates/jail.local +++ /dev/null @@ -1,22 +0,0 @@ -# Do not edit this file! Ansible will overwrite it. - -[DEFAULT] - -ignoreip = {{ fail2ban.ignore }} -bantime = {{ fail2ban.bantime }} -findtime = {{ fail2ban.bantime }} -maxretry = {{ fail2ban.maxretry }} -destemail = {{ fail2ban.email }} -sender = root@{{ ansible_fqdn }} -banaction = nftables-multiport -action = %(action_)s - -#+++++++++++++++ Jails - -[sshd] -ignoreip = 127.0.0.1/8 -enabled = true -port = 0:65535 -filter = sshd -logpath = {{ fail2ban.logpath }} -action = %(action_mwl)s diff --git a/roles/debian-base/templates/nrpe.cfg b/roles/debian-base/templates/nrpe.cfg deleted file mode 100644 index 99329fd..0000000 --- a/roles/debian-base/templates/nrpe.cfg +++ /dev/null @@ -1,13 +0,0 @@ -allowed_hosts={{ nagios_server }} -server_address={{ ansible_default_ipv4.address }} - -command[check_disk_root]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p / -command[check_disk_var]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p /var -command[check_disk_usr]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p /usr -command[check_disk_home]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p /home -command[check_disk_tmp]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p /tmp -command[check_dummy]=/usr/lib/nagios/plugins/check_dummy 0 -command[check_swap]=/usr/lib/nagios/plugins/check_swap -w 40% -c 20% -n OK -command[check_load]=/usr/lib/nagios/plugins/check_load -r -w 3.5,3.25,3 -c 4.5,4.25,4 -command[check_total_procs]=/usr/lib/nagios/plugins/check_procs -w 400 -c 500 -command[check_memory]=/usr/lib/nagios/plugins/check_memory --available -m -w 20%: -c 10%: diff --git a/roles/debian-base/templates/resolv.conf b/roles/debian-base/templates/resolv.conf deleted file mode 100644 index 52a1891..0000000 --- a/roles/debian-base/templates/resolv.conf +++ /dev/null @@ -1,7 +0,0 @@ -domain {{ host_domain }} -search {{ host_domain }} -{% if resolvers is defined %} -{% for resolver in resolvers %} -nameserver {{resolver}} -{% endfor %} -{% endif %} \ No newline at end of file diff --git a/roles/debian-guest/handlers/main.yml b/roles/debian-guest/handlers/main.yml deleted file mode 100644 index dd3e923..0000000 --- a/roles/debian-guest/handlers/main.yml +++ /dev/null @@ -1,8 +0,0 @@ -- name: restart-nslcd - service: - name: nslcd - state: restarted -- name: restart-ssh - systemd: - name: ssh - state: restarted diff --git a/roles/debian-guest/tasks/auth.yml b/roles/debian-guest/tasks/auth.yml deleted file mode 100644 index 62506be..0000000 --- a/roles/debian-guest/tasks/auth.yml +++ /dev/null @@ -1,25 +0,0 @@ -- name: Install packages - apt: - name: nslcd - state: present -- name: Configure NSLCD - template: - src: nslcd.conf - dest: /etc/nslcd.conf - owner: root - group: nslcd - mode: '0640' - notify: - - restart-nslcd - register: nslcd -- name: Configure nsswitch to use NSLCD - lineinfile: - dest: /etc/nsswitch.conf - regexp: "{{item.regexp}}" - line: "{{item.line}}" - state: present - with_items: - - regexp: "^passwd:" - line: "passwd: files systemd ldap" - - regexp: "^group:" - line: "group: files systemd ldap" diff --git a/roles/debian-guest/tasks/main.yml b/roles/debian-guest/tasks/main.yml deleted file mode 100644 index bb9b76f..0000000 --- a/roles/debian-guest/tasks/main.yml +++ /dev/null @@ -1,6 +0,0 @@ -- import_tasks: auth.yml - tags: auth -- import_tasks: sudoers.yml - tags: sudoers -- import_tasks: ssh_keys.yml - tags: ssh_keys \ No newline at end of file diff --git a/roles/debian-guest/tasks/ssh_keys.yml b/roles/debian-guest/tasks/ssh_keys.yml deleted file mode 100644 index 0fd4c6f..0000000 --- a/roles/debian-guest/tasks/ssh_keys.yml +++ /dev/null @@ -1,21 +0,0 @@ -- name: Set the SSH keys generated witness variable - set_fact: - ssh_keys_generated: "{{ vn_ini.witness.ssh_keys_generated | default(false) }}" -- when: vn_witness_checked and not ssh_keys_generated - block: - - name: Generate SSH key pairs - openssh_keypair: - path: "/etc/ssh/ssh_host_{{ item.type }}_key" - type: "{{ item.type }}" - force: yes - loop: - - { type: 'rsa' } - - { type: 'ecdsa' } - - { type: 'ed25519' } - notify: restart sshd - - name: Set SSH keys generated witness - ini_file: - path: /etc/vn.ini - section: witness - option: ssh_keys_generated - value: true \ No newline at end of file diff --git a/roles/debian-guest/tasks/sudoers.yml b/roles/debian-guest/tasks/sudoers.yml deleted file mode 100644 index 45e1d8c..0000000 --- a/roles/debian-guest/tasks/sudoers.yml +++ /dev/null @@ -1,11 +0,0 @@ -- name: Install sudo package - apt: - name: sudo - state: present -- name: Add sysadmin to sudoers - template: - src: sudoers - dest: /etc/sudoers.d/vn - mode: u=rw,g=r,o= - owner: root - group: root diff --git a/roles/debian-guest/templates/nslcd.conf b/roles/debian-guest/templates/nslcd.conf deleted file mode 100644 index aeb7aa4..0000000 --- a/roles/debian-guest/templates/nslcd.conf +++ /dev/null @@ -1,16 +0,0 @@ -# See nslcd.conf(5) for details. - -uid nslcd -gid nslcd - -uri {{ ldap_uri }} -idle_timelimit 60 - -base {{ ldap_base }} -binddn cn=nss,ou=admins,{{ ldap_base }} -bindpw {{ lookup(passbolt, 'nslcd', folder_parent_id=passbolt_folder).password }} -pagesize 500 - -filter group (&(objectClass=posixGroup)(cn={{ sysadmin_group }})) -filter passwd (&(objectClass=posixAccount)(memberOf=cn={{ sysadmin_group }},ou=dnGroups,{{ ldap_base }})) -pam_authz_search (&(objectClass=posixGroup)(cn={{ sysadmin_group }})(memberuid=$username)) diff --git a/roles/debian-guest/templates/sudoers b/roles/debian-guest/templates/sudoers deleted file mode 100644 index 0479f3a..0000000 --- a/roles/debian-guest/templates/sudoers +++ /dev/null @@ -1 +0,0 @@ -%{{ sysadmin_group }} ALL=(ALL) NOPASSWD: ALL diff --git a/roles/debian-host/files/sysctl/30-basic.conf b/roles/debian-host/files/sysctl/30-basic.conf deleted file mode 100644 index 3c6f393..0000000 --- a/roles/debian-host/files/sysctl/30-basic.conf +++ /dev/null @@ -1,4 +0,0 @@ -vm.swappiness=10 -vm.dirty_ratio=30 -vm.dirty_background_ratio=5 -net.core.somaxconn=65536 diff --git a/roles/debian-host/files/sysctl/40-network.conf b/roles/debian-host/files/sysctl/40-network.conf deleted file mode 100644 index 46a4e09..0000000 --- a/roles/debian-host/files/sysctl/40-network.conf +++ /dev/null @@ -1,7 +0,0 @@ -net.core.rmem_max=134217728 -net.core.wmem_max=134217728 -net.core.netdev_max_backlog=250000 -net.ipv4.tcp_rmem=4096 87380 67108864 -net.ipv4.tcp_wmem=4096 65536 67108864 -net.ipv4.tcp_congestion_control=htcp -net.ipv4.tcp_mtu_probing=1 diff --git a/roles/debian-host/files/sysctl/42-noipv6.conf b/roles/debian-host/files/sysctl/42-noipv6.conf deleted file mode 100644 index 81073be..0000000 --- a/roles/debian-host/files/sysctl/42-noipv6.conf +++ /dev/null @@ -1,3 +0,0 @@ -net.ipv6.conf.all.disable_ipv6=1 -net.ipv6.conf.default.disable_ipv6=1 -net.ipv6.conf.lo.disable_ipv6=1 \ No newline at end of file diff --git a/roles/debian-host/handlers/main.yml b/roles/debian-host/handlers/main.yml deleted file mode 100644 index 45b25b1..0000000 --- a/roles/debian-host/handlers/main.yml +++ /dev/null @@ -1,4 +0,0 @@ -- name: restart-sysctl - systemd: - name: systemd-sysctl - state: restarted \ No newline at end of file diff --git a/roles/debian-host/tasks/apparmor.yml b/roles/debian-host/tasks/apparmor.yml deleted file mode 100644 index 887d95f..0000000 --- a/roles/debian-host/tasks/apparmor.yml +++ /dev/null @@ -1,16 +0,0 @@ -- name: Getting service facts to check for apparmor - service_facts: -- when: "'apparmor.service' in ansible_facts.services" - block: - - name: Stop AppArmor - systemd: - name: apparmor - state: stopped - - name: Disable AppArmor service - systemd: - name: apparmor - enabled: no - - name: Mask AppArmor service - systemd: - name: apparmor - masked: yes \ No newline at end of file diff --git a/roles/debian-host/tasks/hostname.yml b/roles/debian-host/tasks/hostname.yml deleted file mode 100644 index e1ed68b..0000000 --- a/roles/debian-host/tasks/hostname.yml +++ /dev/null @@ -1,9 +0,0 @@ -- name: Set the hostname - hostname: - name: "{{ inventory_hostname_short }}" - use: debian -- name: Populating hosts file with hostname - lineinfile: - path: /etc/hosts - regexp: '^127\.0\.1\.1' - line: '127.0.1.1 {{ hostname_fqdn }} {{ inventory_hostname_short }}' diff --git a/roles/debian-host/tasks/main.yml b/roles/debian-host/tasks/main.yml deleted file mode 100644 index e4f179a..0000000 --- a/roles/debian-host/tasks/main.yml +++ /dev/null @@ -1,6 +0,0 @@ -- import_tasks: hostname.yml - tags: hostname -- import_tasks: sysctl.yml - tags: sysctl -- import_tasks: apparmor.yml - tags: apparmor diff --git a/roles/debian-host/tasks/sysctl.yml b/roles/debian-host/tasks/sysctl.yml deleted file mode 100644 index aab1e57..0000000 --- a/roles/debian-host/tasks/sysctl.yml +++ /dev/null @@ -1,8 +0,0 @@ -- name: Set systctl custom vn configuration - copy: - src: sysctl/ - dest: /etc/sysctl.d/ - owner: root - group: root - mode: u=rw,g=r,o=r - notify: restart-sysctl diff --git a/roles/debian-qemu/defaults/main.yml b/roles/debian-qemu/defaults/main.yml deleted file mode 100644 index dc2a884..0000000 --- a/roles/debian-qemu/defaults/main.yml +++ /dev/null @@ -1,8 +0,0 @@ -homes_path: /mnt/homes -autofs_packages: - - nfs-common - - autofs - - libnfs-utils - - autofs-ldap -blacklist_module_kernel: | - blacklist snd_hda_intel diff --git a/roles/debian-qemu/files/80-hotplug-cpu-mem.rules b/roles/debian-qemu/files/80-hotplug-cpu-mem.rules deleted file mode 100644 index 38c16f9..0000000 --- a/roles/debian-qemu/files/80-hotplug-cpu-mem.rules +++ /dev/null @@ -1 +0,0 @@ -SUBSYSTEM=="cpu", ACTION=="add", TEST=="online", ATTR{online}=="0", ATTR{online}="1" diff --git a/roles/debian-qemu/files/hotplug.cfg b/roles/debian-qemu/files/hotplug.cfg deleted file mode 100644 index 85e1612..0000000 --- a/roles/debian-qemu/files/hotplug.cfg +++ /dev/null @@ -1 +0,0 @@ -GRUB_CMDLINE_LINUX_DEFAULT="quiet memhp_default_state=online security=none" diff --git a/roles/debian-qemu/handlers/main.yml b/roles/debian-qemu/handlers/main.yml deleted file mode 100644 index 0bca163..0000000 --- a/roles/debian-qemu/handlers/main.yml +++ /dev/null @@ -1,4 +0,0 @@ -- name: restart-autofs - service: - name: autofs - state: restarted \ No newline at end of file diff --git a/roles/debian-qemu/tasks/agent.yml b/roles/debian-qemu/tasks/agent.yml deleted file mode 100644 index db2b4ee..0000000 --- a/roles/debian-qemu/tasks/agent.yml +++ /dev/null @@ -1,4 +0,0 @@ -- name: Install QEMU guest agent - apt: - name: qemu-guest-agent - state: present diff --git a/roles/debian-qemu/tasks/autofs.yml b/roles/debian-qemu/tasks/autofs.yml deleted file mode 100644 index 8ae6dde..0000000 --- a/roles/debian-qemu/tasks/autofs.yml +++ /dev/null @@ -1,35 +0,0 @@ -- name: Update apt cache - apt: - update_cache: yes -- name: Install autofs packages - apt: - name: "{{ autofs_packages }}" - state: present -- name: Create homes directory - file: - path: "{{ homes_path }}" - state: directory - mode: '0755' -- name: Configure nsswitch for autofs - lineinfile: - path: /etc/nsswitch.conf - line: "automount: files" -- name: Add file homes.autofs configured to autofs - template: - src: homes.autofs - dest: /etc/auto.master.d/homes.autofs - owner: root - group: root - mode: '0644' -- name: Add file /etc/auto.homes configured to the systemd - template: - src: auto.homes - dest: /etc/auto.homes - owner: root - group: root - mode: '0644' - notify: restart-autofs -- name: Service autofs service - systemd: - name: autofs - enabled: yes \ No newline at end of file diff --git a/roles/debian-qemu/tasks/blacklist.yml b/roles/debian-qemu/tasks/blacklist.yml deleted file mode 100644 index 7076911..0000000 --- a/roles/debian-qemu/tasks/blacklist.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: Configure blacklist modprobe on VM - copy: - content: "{{ blacklist_module_kernel }}" - dest: /etc/modprobe.d/vn-blacklist.conf - owner: root - group: root - mode: u=rw,g=r,o=r \ No newline at end of file diff --git a/roles/debian-qemu/tasks/grub_startup.yml b/roles/debian-qemu/tasks/grub_startup.yml deleted file mode 100644 index cbc6173..0000000 --- a/roles/debian-qemu/tasks/grub_startup.yml +++ /dev/null @@ -1,49 +0,0 @@ -# Enabled password protection to restrict GRUB editing only, leaving menu entries accessible without authentication. -# Added the --unrestricted option to the custom 09_make_OS_entries_unrestricted template. -# Official GRUB Manual: https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html -# Additional guidance: http://daniel-lange.com/archives/75-Securing-the-grub-boot-loader.html -# Discussion and troubleshooting: https://wiki.archlinux.org/title/Talk:GRUB/Tips_and_tricks -# To generate a GRUB password, use the command syntax provided by grub-mkpasswd-pbkdf2 --help. -- name: GRUB edit unrestricted option - copy: - content: | - #!/bin/sh - exec tail -n +3 $0 - # This file provides an easy way to add custom menu entries. Simply type the - # menu entries you want to add after this comment. Be careful not to change - # the 'exec tail' line above. - menuentry_id_option="--unrestricted $menuentry_id_option" - dest: /etc/grub.d/09_make_OS_entries_unrestricted - owner: root - group: root - checksum: fed5c365f11a919b857b78207565cf341b86082b - mode: u=rwx,g=rx,o=rx - register: grubunrestricted -- name: Search grub password in Passbolt - no_log: true - set_fact: - grub_code: "{{ lookup(passbolt, 'grub', folder_parent_id=passbolt_folder).description }}" -- name: GRUB edit password protection - copy: - content: | - #!/bin/sh - exec tail -n +3 $0 - set superusers="{{ grub_user }}" - password_pbkdf2 {{ grub_user }} {{ grub_code }} - dest: /etc/grub.d/00_before - owner: root - group: root - mode: u=rwx,g=rx,o=rx - register: grubpass -- name: Change GRUB_TIMEOUT from 5 to 1 - copy: - content: | - GRUB_TIMEOUT=1 - dest: /etc/default/grub.d/timeout.cfg - owner: root - group: root - mode: u=rw,g=r,o=r - register: grubtime -- name: Generate GRUB configuration - command: update-grub - when: grubunrestricted.changed or grubpass.changed or grubtime.changed diff --git a/roles/debian-qemu/tasks/hotplug.yml b/roles/debian-qemu/tasks/hotplug.yml deleted file mode 100644 index ce51e64..0000000 --- a/roles/debian-qemu/tasks/hotplug.yml +++ /dev/null @@ -1,18 +0,0 @@ -- name: Configure udev hotplug rules - copy: - src: 80-hotplug-cpu-mem.rules - dest: /usr/lib/udev/rules.d/ - mode: u=rw,g=r,o=r - owner: root - group: root -- name: Configure GRUB for hotplug - copy: - src: hotplug.cfg - dest: /etc/default/grub.d/ - mode: u=rw,g=r,o=r - owner: root - group: root - register: grub -- name: Generate GRUB configuration - command: update-grub - when: grub.changed diff --git a/roles/debian-qemu/tasks/main.yml b/roles/debian-qemu/tasks/main.yml deleted file mode 100644 index 1b49a8d..0000000 --- a/roles/debian-qemu/tasks/main.yml +++ /dev/null @@ -1,10 +0,0 @@ -- import_tasks: agent.yml - tags: agent -- import_tasks: hotplug.yml - tags: hotplug -- import_tasks: autofs.yml - tags: autofs -- import_tasks: blacklist.yml - tags: blacklist -- import_tasks: grub_startup.yml - tags: grub_startup diff --git a/roles/debian-qemu/templates/auto.homes b/roles/debian-qemu/templates/auto.homes deleted file mode 100644 index 8b16230..0000000 --- a/roles/debian-qemu/templates/auto.homes +++ /dev/null @@ -1 +0,0 @@ -* -fstype=nfs4,rw {{ homes_server }}:{{ homes_path }}/& diff --git a/roles/debian-qemu/templates/homes.autofs b/roles/debian-qemu/templates/homes.autofs deleted file mode 100644 index c18bad3..0000000 --- a/roles/debian-qemu/templates/homes.autofs +++ /dev/null @@ -1 +0,0 @@ -{{ homes_path }} /etc/auto.homes --timeout=30 -- 2.40.1 From b07704bf7150297f139ccf306b8b24cdb726561e Mon Sep 17 00:00:00 2001 From: Juan Ferrer Toribio Date: Wed, 5 Feb 2025 09:17:08 +0100 Subject: [PATCH 3/3] refs #8025 Native ansible aproach for local inventory and vars --- .gitignore | 11 ++++++----- run-playbook.sh | 22 ---------------------- 2 files changed, 6 insertions(+), 27 deletions(-) diff --git a/.gitignore b/.gitignore index 9ded514..99c4055 100644 --- a/.gitignore +++ b/.gitignore @@ -4,8 +4,9 @@ venv .vault.yml .passbolt.yml inventories/local -inventories/local-* -inventories/*/local-*.yml -inventories/*/local-*.yaml -inventories/host_vars/*.local.yml -inventories/host_vars/*.local.yaml +inventories/local.yml +inventories/local.yaml +inventories/host_vars/*/local.yml +inventories/host_vars/*/local.yaml +inventories/group_vars/*/local.yml +inventories/group_vars/*/local.yaml diff --git a/run-playbook.sh b/run-playbook.sh index 2670ca6..23f5d6a 100755 --- a/run-playbook.sh +++ b/run-playbook.sh @@ -2,34 +2,12 @@ EXTRA_ARGS=() -OPTSTRING=":i:l:" -while getopts ${OPTSTRING} opt; do - case ${opt} in - i) - INVENTORY="$OPTARG" - ;; - l) - LIMIT="$OPTARG" - ;; - esac -done - if [ -f .passbolt.yml ]; then EXTRA_ARGS+=("--extra-vars" "@.passbolt.yml") fi if [ -f .vault-pass ]; then EXTRA_ARGS+=("--vault-password-file" ".vault-pass") fi -if [[ -n "${LIMIT:-}" && -n "${INVENTORY:-}" ]]; then - INVENTORY_DIR=$(dirname "$INVENTORY") - LOCAL_HOST_VARS="$INVENTORY_DIR/host_vars/$LIMIT.local" - if [ -f "$LOCAL_HOST_VARS.yml" ]; then - EXTRA_ARGS+=("--extra-vars" "@$LOCAL_HOST_VARS.yml") - fi - if [ -f "$LOCAL_HOST_VARS.yaml" ]; then - EXTRA_ARGS+=("--extra-vars" "@$LOCAL_HOST_VARS.yaml") - fi -fi #export PYTHONPATH=./venv/lib/python3.12/site-packages/ ansible-playbook ${EXTRA_ARGS[@]} $@ -- 2.40.1