From: Christian Pointner
Date: Sun, 20 May 2018 23:52:24 +0000 (+0200)
Subject: move openwrt image config to host_vars
X-Git-Url: https://git.realraum.at/?p=noc.git;a=commitdiff_plain;h=47fbe911e347274a0522c1cdb8e5d0d5a2f695f4
move openwrt image config to host_vars
---
diff --git a/ansible/group_vars/openwrt/main.yml b/ansible/group_vars/openwrt/main.yml
new file mode 100644
index 0000000..b93d046
--- /dev/null
+++ b/ansible/group_vars/openwrt/main.yml
@@ -0,0 +1,15 @@
+---
+openwrt_packages_remove:
+ - ppp
+ - ppp-mod-pppoe
+ - dnsmasq
+ - firewall
+ - odhcpd
+openwrt_packages_add:
+ - haveged
+ - htop
+ - hwclock
+ - ip
+ - less
+ - nano
+ - tcpdump
diff --git a/ansible/host_vars/torwaechter/main.yml b/ansible/host_vars/torwaechter/main.yml
new file mode 100644
index 0000000..86575c9
--- /dev/null
+++ b/ansible/host_vars/torwaechter/main.yml
@@ -0,0 +1,127 @@
+---
+openwrt_arch: x86
+openwrt_target: geode
+openwrt_output_image_suffixes:
+ - combined-ext4.img.gz
+ - combined-squashfs.img
+
+openwrt_packages_extra:
+ - "-dropbear"
+ - flashrom
+ - git
+ - kmod-usb-acm
+ - openssh-server
+ - openssh-sftp-server
+ - screen
+ - sudo
+ - usbutils
+
+openwrt_mixin:
+ # Go binaries
+ /usr/local/bin/door_client:
+ mode: '0755'
+ file: "{{ playbook_dir }}/.cache/openwrt/tuer/door_and_sensors/door_client/door_client"
+ /usr/local/bin/door_daemon:
+ mode: '0755'
+ file: "{{ playbook_dir }}/.cache/openwrt/tuer/door_and_sensors/door_daemon/door_daemon"
+ /usr/local/bin/update-keys:
+ mode: '0755'
+ file: "{{ playbook_dir }}/.cache/openwrt/tuer/door_and_sensors/update-keys/update-keys"
+
+ /usr/local/bin/authorized_keys.sh:
+ mode: '0755'
+ file: "{{ playbook_dir }}/files/tuer/authorized_keys.sh"
+
+ /usr/local/bin/update-keys-from-stdin.sh:
+ mode: '0755'
+ file: "{{ playbook_dir }}/files/tuer/update-keys-from-stdin.sh"
+
+ /etc/ssh/sshd_config:
+ content: |
+ Port 22000
+
+ AllowUsers root tuerctl tuergit
+ AuthenticationMethods publickey
+ AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u
+
+ AllowAgentForwarding no
+ AllowTcpForwarding no
+ X11Forwarding no
+ UsePrivilegeSeparation sandbox
+
+ Subsystem sftp /usr/libexec/sftp-server
+
+ Match User tuerctl
+ AuthorizedKeysFile /dev/null
+ AuthorizedKeysCommand /usr/local/bin/authorized_keys.sh
+ AuthorizedKeysCommandUser tuergit
+
+ /etc/ssh/authorized_keys.d/root:
+ content: |-
+ {% for key in noc_ssh_keys %}
+ {{ key }}
+ {% endfor %}
+
+ /etc/ssh/authorized_keys.d/tuergit:
+ content: |-
+ {% for key in noc_ssh_keys %}
+ {{ key }}
+ {% endfor %}
+
+openwrt_uci:
+ system:
+ - name: system
+ options:
+ hostname: '{{ inventory_hostname }}'
+ timezone: 'CET-1CEST,M3.5.0,M10.5.0/3'
+ ttylogin: '0'
+ log_size: '64'
+ urandom_seed: '0'
+
+ - name: timeserver 'ntp'
+ options:
+ enabled: '1'
+ enable_server: '0'
+ server:
+ - '0.lede.pool.ntp.org'
+ - '1.lede.pool.ntp.org'
+ - '2.lede.pool.ntp.org'
+ - '3.lede.pool.ntp.org'
+
+ network:
+ - name: globals 'globals'
+ options:
+ ula_prefix: fdc9:e01f:83db::/48
+
+ - name: interface 'loopback'
+ options:
+ ifname: lo
+ proto: static
+ ipaddr: 127.0.0.1
+ netmask: 255.0.0.0
+
+ - name: interface 'lan'
+ options:
+ ifname: eth0
+ accept_ra: 0
+ proto: static
+ ipaddr: 192.168.33.7
+ netmask: 255.255.255.0
+ gateway: 192.168.33.1
+ dns: 192.168.33.1
+ dns_search: realraum.at
+
+
+openwrt_mounts:
+ - path: /run
+ src: none
+ fstype: tmpfs
+ opts: nosuid,nodev,noexec,noatime
+
+openwrt_users:
+ tuerd: {}
+ tuergit:
+ home: /home/tuergit
+ shell: /usr/bin/git-shell
+ tuerctl:
+ shell: /bin/false # TODO fixme
diff --git a/ansible/tuer.yml b/ansible/tuer.yml
index 853a0cf..0d26eb3 100644
--- a/ansible/tuer.yml
+++ b/ansible/tuer.yml
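Review bot: `firewall`, `dnsmasq` and `odhcpd` in `openwrt_packages_remove` are now dropped from the image of every host in the `openwrt` group, not just torwaechter, and nothing in this file says why that is an acceptable group-wide default. A comment above `openwrt_packages_remove:` would make the intent reviewable, e.g. `# no packet filter / DHCP on these images: hosts use static addressing and expose only sshd` — adjusted to the real reason. Worth remembering that a host needing one of these packages back has to redefine the whole list in its host_vars, since Ansible replaces list variables rather than merging them.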
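Review bot: `UsePrivilegeSeparation sandbox` in the `/etc/ssh/sshd_config` mixin is a deprecated option — OpenSSH 7.5 and newer ignore it and log a deprecation warning — so unless the image ships an older OpenSSH it is dead configuration; either drop the line or mark it `# no-op on OpenSSH >= 7.5, kept for older images`. `accept_ra: 0` in the `lan` interface stanza is the only uci option value written as a bare integer while the others (`ttylogin: '0'`, `enabled: '1'`, `enable_server: '0'`) are quoted strings; `accept_ra: '0'` keeps the rendering consistent however the role templates it. `/etc/ssh/authorized_keys.d/root` and `/etc/ssh/authorized_keys.d/tuergit` are both filled from the same `noc_ssh_keys` list, so every NOC key gets root and git-shell access alike; if that is intended, a one-line comment on `openwrt_mixin` saying so would spare the next reader the guess. The `tuerctl` entry's `shell: /bin/false # TODO fixme` also contradicts the `Match User tuerctl` block, which wires up `AuthorizedKeysCommand` for a user that, with that shell, cannot run anything after authenticating — the TODO should at least name the intended shell or forced command.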
@@ -40,144 +40,3 @@ roles: - role: openwrt-image delegate_to: localhost - vars: - openwrt_arch: x86 - openwrt_target: geode - openwrt_output_image_suffixes: - - combined-ext4.img.gz - - combined-squashfs.img - openwrt_packages_remove: - - ppp - - ppp-mod-pppoe - - dnsmasq - - firewall - - odhcpd - openwrt_packages_add: - - flashrom - - haveged - - htop - - hwclock - - ip - - less - - nano - - tcpdump - openwrt_packages_extra: - - "-dropbear" - - git - - kmod-usb-acm - - openssh-server - - openssh-sftp-server - - screen - - sudo - - usbutils - - openwrt_mixin: - # Go binaries - /usr/local/bin/door_client: - mode: '0755' - file: "{{ playbook_dir }}/.cache/openwrt/tuer/door_and_sensors/door_client/door_client" - /usr/local/bin/door_daemon: - mode: '0755' - file: "{{ playbook_dir }}/.cache/openwrt/tuer/door_and_sensors/door_daemon/door_daemon" - /usr/local/bin/update-keys: - mode: '0755' - file: "{{ playbook_dir }}/.cache/openwrt/tuer/door_and_sensors/update-keys/update-keys" - - /usr/local/bin/authorized_keys.sh: - mode: '0755' - file: "{{ playbook_dir }}/files/tuer/authorized_keys.sh" - - /usr/local/bin/update-keys-from-stdin.sh: - mode: '0755' - file: "{{ playbook_dir }}/files/tuer/update-keys-from-stdin.sh" - - /etc/ssh/sshd_config: - content: | - Port 22000 - - AllowUsers root tuerctl tuergit - AuthenticationMethods publickey - AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u - - AllowAgentForwarding no - AllowTcpForwarding no - X11Forwarding no - UsePrivilegeSeparation sandbox - - Subsystem sftp /usr/libexec/sftp-server - - Match User tuerctl - AuthorizedKeysFile /dev/null - AuthorizedKeysCommand /usr/local/bin/authorized_keys.sh - AuthorizedKeysCommandUser tuergit - - - /etc/ssh/authorized_keys.d/root: - content: |- - {% for key in noc_ssh_keys %} - {{ key }} - {% endfor %} - - /etc/ssh/authorized_keys.d/tuergit: - content: |- - {% for key in noc_ssh_keys %} - {{ key }} - {% endfor %} - - openwrt_uci: - system: - - name: system - options: - hostname: '{{ 
inventory_hostname }}' - timezone: 'CET-1CEST,M3.5.0,M10.5.0/3' - ttylogin: '0' - log_size: '64' - urandom_seed: '0' - - - name: timeserver 'ntp' - options: - enabled: '1' - enable_server: '0' - server: - - '0.lede.pool.ntp.org' - - '1.lede.pool.ntp.org' - - '2.lede.pool.ntp.org' - - '3.lede.pool.ntp.org' - - network: - - name: globals 'globals' - options: - ula_prefix: fdc9:e01f:83db::/48 - - - name: interface 'loopback' - options: - ifname: lo - proto: static - ipaddr: 127.0.0.1 - netmask: 255.0.0.0 - - - name: interface 'lan' - options: - ifname: eth0 - accept_ra: 0 - proto: static - ipaddr: 192.168.33.7 - netmask: 255.255.255.0 - gateway: 192.168.33.1 - dns: 192.168.33.1 - dns_search: realraum.at - - - openwrt_mounts: - - path: /run - src: none - fstype: tmpfs - opts: nosuid,nodev,noexec,noatime - - openwrt_users: - tuerd: {} - tuergit: - home: /home/tuergit - shell: /usr/bin/git-shell - tuerctl: - shell: /bin/false # TODO fixme