--- /dev/null
+## this makes the git diff/merge helper for ansible-vault files work
+## see: https://github.com/building5/ansible-vault-tools
+[defaults]
+vault_password_file = ansible/gpg/get-vault-pass.sh
--- /dev/null
+vault.yml diff=ansible-vault merge=ansible-vault
+*.vault.yml diff=ansible-vault merge=ansible-vault
[defaults]
-inventory = ./hosts
+inventory = ./hosts.ini
log_path = ./log
nocows=1
vault_password_file = ./gpg/get-vault-pass.sh
+++ /dev/null
-user_groups:
- noc:
- - equinox
- - gebi
- - nicoo
- - bernhard
-
-users:
- equinox:
- email: equinox@realraum.at
- gpg: 0xD74907C9E64E6CED8FE3
-
- gebi:
- email: michael@mgeb.org
- gpg: 0x6E302CF4D98B9702
-
- nicoo:
- email: nicolas@braud-santoni.eu
- gpg: 0x3F41B0739AAD91B7CDC0
-
- bernhard:
- email: xro@realraum.at
- gpg: 0xE3468B9CE81EB4F91486
-
-noc_groups:
- - adm
- - sudo
--- /dev/null
+---
+user_groups:
+ noc:
+ - equinox
+ - gebi
+ - nicoo
+ - bernhard
+
+users:
+ equinox:
+ email: equinox@realraum.at
+ gpg: 0xD74907C9E64E6CED8FE3
+
+ gebi:
+ email: michael@mgeb.org
+ gpg: 0x6E302CF4D98B9702
+
+ nicoo:
+ email: nicolas@braud-santoni.eu
+ gpg: 0x3F41B0739AAD91B7CDC0
+
+ bernhard:
+ email: xro@realraum.at
+ gpg: 0xE3468B9CE81EB4F91486
+
+noc_groups:
+ - adm
+ - sudo
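Review bot: The four `gpg:` values (`0xD74907C9E64E6CED8FE3`, `0x6E302CF4D98B9702`, `0x3F41B0739AAD91B7CDC0`, `0xE3468B9CE81EB4F91486`) are unquoted and consist only of hex digits after the `0x` prefix, so a YAML 1.1 loader such as the PyYAML Ansible uses reads them as integers rather than key-ID strings; anything that interpolates them into a template, a lookup or a key-fetch command would then see a decimal rendering instead of the fingerprint suffix. Quote each one, e.g. `gpg: "0xD74907C9E64E6CED8FE3"`. Quoting all four keeps the file uniform even for a future ID that happens to contain a non-hex letter and would otherwise parse differently from its neighbours.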
+++ /dev/null
-sshd_allowusers_host:
- - luto
- - robelix
- - tomk32
-
--- /dev/null
+---
+sshd_allowusers_host:
+ - luto
+ - robelix
+ - tomk32
+++ /dev/null
-sshd_allowusers_host:
- - f0rki
- - verr
--- /dev/null
+---
+sshd_allowusers_host:
+ - f0rki
+ - verr
--- /dev/null
+---
+root_password: "{{ vault_root_password }}"
--- /dev/null
+$ANSIBLE_VAULT;1.1;AES256
+66323066353065353661346261313235333834343034313532343739343531373035366364303138
+6433663331336264613830643035363962346131353830640a376336363433653437306236656230
+39313361376130316464333566383533396663393863646333393536613230333233333335323938
+3662646635383161360a333661663063343862373638373933383362383164623039383763613036
+61346661346261306465393039343732343635326364306363653666343130383836343539336439
+34306462316666623665323239613561663730353933633663636631323063383164643937366334
+393864666635663237346434613264303532
--- /dev/null
+---
+root_password: "{{ vault_root_password }}"
--- /dev/null
+$ANSIBLE_VAULT;1.1;AES256
+31366163653363386462333866383263366435353838623965653035623138356339633866623932
+3538626561373636313833333434393434616366303633370a346364356161616662666164323063
+30333934663463383034623730366365386536373465383362353132386434396461353039363863
+3861333238386263620a613539393937383264346566613330666165623363313838326638623563
+64643233613539356337613435376130633466313261616235326430326161663263343363343361
+36373736303233333831316266633365306435646634643166663038326364323839386430373438
+373966366161613436646365346339316365
+++ /dev/null
-localconfig_ssh_config_user: root
--- /dev/null
+---
+localconfig_ssh_config_user: root
+++ /dev/null
-sshd_allowusers_host:
- - git
- - www
- - www-data
- - acme
--- /dev/null
+---
+sshd_allowusers_host:
+ - git
+ - www
+ - www-data
+ - acme
+++ /dev/null
-sshd_allowgroup: ssh
--- /dev/null
+---
+sshd_allowgroup: ssh
+++ /dev/null
-[all:vars]
-host_domain=realraum.at
-ansible_host={{ inventory_hostname }}.{{ host_domain }}
-ansible_user=root
-
-[baremetalservers]
-alfred.mgmt
-
-[kvmhosts]
-alfred.mgmt
-
-[virtualservers]
-athsdisc
-calendar.mgmt
-ctf
-entrance
-galley.mgmt
-hacksch.mgmt
-## TODO: remove the variable once https://github.com/ansible/ansible/issues/39119 is fixed
-metrics.mgmt localconfig_ssh_config_user=root
-r3home.mgmt
-tickets.mgmt
-vex
-
-[servers:children]
-baremetalservers
-virtualservers
-
-
-[desktops]
-wuerfel
-
-
-#[alix]
-#gw
-#torwaechter.mgmt
-
-#[apu]
-#gnocchi1
-#gnocchi2
-
--- /dev/null
+[all:vars]
+host_domain=realraum.at
+ansible_host={{ inventory_hostname }}.{{ host_domain }}
+ansible_user=root
+
+[baremetalservers]
+alfred.mgmt
+
+[kvmhosts]
+alfred.mgmt
+
+[virtualservers]
+athsdisc
+calendar.mgmt
+ctf
+entrance
+galley.mgmt
+hacksch.mgmt
+## TODO: remove the variable once https://github.com/ansible/ansible/issues/39119 is fixed
+metrics.mgmt localconfig_ssh_config_user=root
+r3home.mgmt
+tickets.mgmt
+vex
+
+[servers:children]
+baremetalservers
+virtualservers
+
+
+[desktops]
+wuerfel
+
+
+#[alix]
+#gw
+#torwaechter.mgmt
+
+#[apu]
+#gnocchi1
+#gnocchi2
+
+++ /dev/null
----
-- name: restart ssh
- service:
- name: ssh
- state: restarted
--- /dev/null
+---
+- name: restart ssh
+ service:
+ name: ssh
+ state: restarted
+++ /dev/null
----
-- set_fact:
- sshd_allowusers: >-
- {{ [ 'root' ] | union(user_groups.noc)
- | union(sshd_allowusers_group | default([]))
- | union(sshd_allowusers_host | default([])) }}
-
-- name: only allow pubkey auth for root
- lineinfile:
- dest: /etc/ssh/sshd_config
- regexp: "^PermitRootLogin"
- line: "PermitRootLogin without-password"
- notify: restart ssh
-
-- name: limit allowed users (1/2)
- when: sshd_allowgroup is not defined
- lineinfile:
- dest: /etc/ssh/sshd_config
- regexp: "^#?AllowUsers"
- line: "AllowUsers {{ ' '.join(sshd_allowusers) }}"
- notify: restart ssh
-
-- block:
- - name: "limit allowed users (2/2): Make sure AllowUsers is not in sshd_config"
- lineinfile:
- dest: /etc/ssh/sshd_config
- regexp: "^AllowUsers"
- state: absent
- notify: restart ssh
-
- - name: "limit allowed users (2/2): Set AllowGroups in sshd_config"
- lineinfile:
- dest: /etc/ssh/sshd_config
- regexp: "^#?AllowGroups"
- line: AllowGroups {{ sshd_allowgroup }}
- notify: restart ssh
-
- - name: "limit allowed users (2/2): Add allowed users to ssh group"
- user:
- name: "{{ item }}"
- groups: "{{ sshd_allowgroup }}"
- append: True
- with_items: "{{ sshd_allowusers }}"
-
- when: sshd_allowgroup is defined
-
-- name: Set authorized keys for root user
- authorized_key:
- user: root
- key: "{{ lookup('pipe','cat ssh/noc/*.pub') }}"
- exclusive: yes
-
-- name: disable apt suggests and recommends
- copy:
- src: 02no-recommends
- dest: /etc/apt/apt.conf.d/
- mode: 0644
-
-- name: install basic packages
- apt:
- name:
- - less
- - psmisc
- - sudo
- - htop
- - dstat
- - mtr-tiny
- - tcpdump
- - debian-goodies
- - lsof
- - haveged
- - net-tools
- - ntp
- - screen
- - aptitude
- - unp
- - ca-certificates
- - file
- - zsh
- - python-apt
- state: present
-
-- name: make sure grml-(etc|scripts)-core is not installed
- apt:
- name:
- - grml-etc-core
- - grml-scripts-core
- state: absent
- purge: yes
-
-- block:
- - name: install systemd specific packages
- apt:
- name:
- - dbus
- - libpam-systemd
- state: present
-
- - name: set systemd-related environment variables
- copy:
- src: xdg_runtime_dir.sh
- dest: /etc/profile.d/xdg_runtime_dir.sh
- mode: 0644
-
- when: ansible_service_mgr == "systemd"
-
-- name: install zshrc
- with_items:
- - src: "zprofile"
- dest: "/etc/zsh/zprofile"
- - src: "zshrc"
- dest: "/etc/zsh/zshrc"
- - src: "zshrc.skel"
- dest: "/etc/skel/.zshrc"
- copy:
- src: "{{ item.src }}"
- dest: "{{ item.dest }}"
- mode: 0644
-
-- name: set root default shell to zsh
- user:
- name: root
- shell: /bin/zsh
-
-- name: set default shell for adduser
- with_items:
- - regexp: "^DSHELL"
- line: "DSHELL=/bin/zsh"
- lineinfile:
- dest: /etc/adduser.conf
- regexp: "{{ item.regexp }}"
- line: "{{ item.line }}"
--- /dev/null
+---
+- set_fact:
+ sshd_allowusers: >-
+ {{ [ 'root' ] | union(user_groups.noc)
+ | union(sshd_allowusers_group | default([]))
+ | union(sshd_allowusers_host | default([])) }}
+
+- name: only allow pubkey auth for root
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^PermitRootLogin"
+ line: "PermitRootLogin without-password"
+ notify: restart ssh
+
+- name: limit allowed users (1/2)
+ when: sshd_allowgroup is not defined
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^#?AllowUsers"
+ line: "AllowUsers {{ ' '.join(sshd_allowusers) }}"
+ notify: restart ssh
+
+- block:
+ - name: "limit allowed users (2/2): Make sure AllowUsers is not in sshd_config"
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^AllowUsers"
+ state: absent
+ notify: restart ssh
+
+ - name: "limit allowed users (2/2): Set AllowGroups in sshd_config"
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^#?AllowGroups"
+ line: AllowGroups {{ sshd_allowgroup }}
+ notify: restart ssh
+
+ - name: "limit allowed users (2/2): Add allowed users to ssh group"
+ user:
+ name: "{{ item }}"
+ groups: "{{ sshd_allowgroup }}"
+ append: True
+ with_items: "{{ sshd_allowusers }}"
+
+ when: sshd_allowgroup is defined
+
+- name: Set authorized keys for root user
+ authorized_key:
+ user: root
+ key: "{{ lookup('pipe','cat ssh/noc/*.pub') }}"
+ exclusive: yes
+
+- name: disable apt suggests and recommends
+ copy:
+ src: 02no-recommends
+ dest: /etc/apt/apt.conf.d/
+ mode: 0644
+
+- name: install basic packages
+ apt:
+ name:
+ - less
+ - psmisc
+ - sudo
+ - htop
+ - dstat
+ - mtr-tiny
+ - tcpdump
+ - debian-goodies
+ - lsof
+ - haveged
+ - net-tools
+ - ntp
+ - screen
+ - aptitude
+ - unp
+ - ca-certificates
+ - file
+ - zsh
+ - python-apt
+ state: present
+
+- name: make sure grml-(etc|scripts)-core is not installed
+ apt:
+ name:
+ - grml-etc-core
+ - grml-scripts-core
+ state: absent
+ purge: yes
+
+- block:
+ - name: install systemd specific packages
+ apt:
+ name:
+ - dbus
+ - libpam-systemd
+ state: present
+
+ - name: set systemd-related environment variables
+ copy:
+ src: xdg_runtime_dir.sh
+ dest: /etc/profile.d/xdg_runtime_dir.sh
+ mode: 0644
+
+ when: ansible_service_mgr == "systemd"
+
+- name: install zshrc
+ with_items:
+ - src: "zprofile"
+ dest: "/etc/zsh/zprofile"
+ - src: "zshrc"
+ dest: "/etc/zsh/zshrc"
+ - src: "zshrc.skel"
+ dest: "/etc/skel/.zshrc"
+ copy:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: 0644
+
+- name: set root default shell to zsh
+ user:
+ name: root
+ shell: /bin/zsh
+
+- name: set default shell for adduser
+ with_items:
+ - regexp: "^DSHELL"
+ line: "DSHELL=/bin/zsh"
+ lineinfile:
+ dest: /etc/adduser.conf
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
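Review bot: The `lineinfile` tasks for `PermitRootLogin`, `AllowUsers` and `AllowGroups` append the directive at end of file when nothing matches the `regexp`, and in `/etc/ssh/sshd_config` a line that follows a `Match` block belongs to that block rather than to the global section, so on a host whose stock config ends with a `Match` stanza the root-login or user restriction would be silently scoped to that block instead of applying globally. Add `insertbefore: BOF` to each of those three tasks (the `AllowGroups` task in the block as well) so a newly created line lands in the global section. The value `without-password` has been a deprecated alias of `prohibit-password` since OpenSSH 7.0; the task still works, but `line: "PermitRootLogin prohibit-password"` states the intent with the current keyword. Secondary style points: `exclusive: yes`, `purge: yes` and `append: True` mix truthy spellings where `true` throughout is the yamllint-clean form, and the opening `set_fact` task has no `name:`, which makes play output harder to follow; `- name: compute the list of users allowed to log in via sshd` would do.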
+++ /dev/null
-$ANSIBLE_VAULT;1.1;AES256
-63633133636538336262323866386232386466376135633663353433316330303961643764613237
-3938333265333865396431386266326434323164333465390a363262326439646133653261646665
-37643938346564656131353235343136313162333933633537386532393639613233383435373735
-6564363831336563330a353964616431313530356434353761316335326331613364633363663465
-31653938363765643264623463636461623832376263326539353138383937656562636632393337
-38653030393762323934356335393536336262363333633032303938633730623463353130333163
-313434356336366164633761323263313866
+++ /dev/null
-$ANSIBLE_VAULT;1.1;AES256
-39663934616437353434303961306630306237653763383830346462306164616366393437386163
-3462386237313763376236356331363936306564663965640a633762313637303663373865653032
-36633536633232623236386164616234383936306265383363633531373038623035636230623531
-6363376361373934640a626231613462373139623137313134663331336165613164346135306535
-30343063666162303430356466343338643165383839626537323666613463653463333464393234
-38373434306565623565326463386531623838616566633330626334363639393131383832356439
-613836626638366337646637363339363334