From: nicoo
Date: Mon, 17 Dec 2018 15:14:47 +0000 (+0100)
Subject: ansible: Split base role into separate task files
X-Git-Url: https://git.realraum.at/?p=noc.git;a=commitdiff_plain;h=6150678824b1a67026d65a04835947cc22d32864
ansible: Split base role into separate task files
It was becoming difficult to find things in there.
---
diff --git a/ansible/roles/base/tasks/01ssh.yml b/ansible/roles/base/tasks/01ssh.yml
new file mode 100644
index 0000000..7e9eab5
--- /dev/null
+++ b/ansible/roles/base/tasks/01ssh.yml
@@ -0,0 +1,51 @@
+---
+- set_fact:
+ sshd_allowusers: >-
+ {{ [ 'root' ] | union(user_groups.noc)
+ | union(sshd_allowusers_group | default([]))
+ | union(sshd_allowusers_host | default([])) }}
+
+- name: only allow pubkey auth for root
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^PermitRootLogin"
+ line: "PermitRootLogin without-password"
+ notify: restart ssh
+
+- name: limit allowed users (1/2)
+ when: sshd_allowgroup is not defined
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^#?AllowUsers"
+ line: "AllowUsers {{ ' '.join(sshd_allowusers) }}"
+ notify: restart ssh
+
+- block:
+ - name: "limit allowed users (2/2): Make sure AllowUsers is not in sshd_config"
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^AllowUsers"
+ state: absent
+ notify: restart ssh
+
+ - name: "limit allowed users (2/2): Set AllowGroups in sshd_config"
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^#?AllowGroups"
+ line: AllowGroups {{ sshd_allowgroup }}
+ notify: restart ssh
+
+ - name: "limit allowed users (2/2): Add allowed users to ssh group"
+ user:
+ name: "{{ item }}"
+ groups: "{{ sshd_allowgroup }}"
+ append: True
+ with_items: "{{ sshd_allowusers }}"
+
+ when: sshd_allowgroup is defined
+
+- name: Set authorized keys for root user
+ authorized_key:
+ user: root
+ key: "{{ ssh_users_root | user_ssh_keys(users) | join('\n') }}"
+ exclusive: yes
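Review bot: The AllowGroups path in the `limit allowed users (2/2)` block is not convergent for revocation: `Add allowed users to ssh group` only appends membership (`append: True`), and nothing removes a user from `{{ sshd_allowgroup }}` once they drop out of `sshd_allowusers`, so their SSH access lingers until someone edits the group by hand, whereas the AllowUsers path (1/2) rewrites the whole directive every run. Worth a comment on that task, e.g. `# NOTE: membership is additive only; removing a user from user_groups.noc does not revoke access here`, or a task that reconciles the group's member list against `sshd_allowusers`. Separately, `PermitRootLogin without-password` is the deprecated spelling of `prohibit-password` (OpenSSH 7.0 and later), and its `regexp: "^PermitRootLogin"` does not match a commented-out default line the way the `"^#?AllowUsers"` and `"^#?AllowGroups"` patterns do, so on a stock sshd_config the directive is appended at end of file, where a trailing `Match` block would capture it; `regexp: "^#?PermitRootLogin"` keeps the three tasks consistent. Minor: `append: True` and `exclusive: yes` would read `true` under yamllint's truthy rule.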
diff --git a/ansible/roles/base/tasks/02debian.yml b/ansible/roles/base/tasks/02debian.yml
new file mode 100644
index 0000000..7aef268
--- /dev/null
+++ b/ansible/roles/base/tasks/02debian.yml
@@ -0,0 +1,39 @@
+---
+- name: disable apt suggests and recommends
+ copy:
+ src: 02no-recommends
+ dest: /etc/apt/apt.conf.d/
+ mode: 0644
+
+- name: install basic packages
+ apt:
+ name:
+ - less
+ - psmisc
+ - sudo
+ - dstat
+ - mtr-tiny
+ - tcpdump
+ - debian-goodies
+ - lsof
+ - haveged
+ - net-tools
+ - screen
+ - aptitude
+ - unp
+ - ca-certificates
+ - file
+ - nano
+ - python-apt
+ - command-not-found
+ - man-db
+ - lshw
+ state: present
+
+- name: make sure grml-(etc|scripts)-core is not installed
+ apt:
+ name:
+ - grml-etc-core
+ - grml-scripts-core
+ state: absent
+ purge: yes
diff --git a/ansible/roles/base/tasks/03ntp.yml b/ansible/roles/base/tasks/03ntp.yml
new file mode 100644
index 0000000..621e7f6
--- /dev/null
+++ b/ansible/roles/base/tasks/03ntp.yml
@@ -0,0 +1,25 @@
+---
+- when: base_managed_ntpd
+ block:
+ - name: check that ISC ntpd is not installed
+ apt:
+ name: ntp
+ state: absent
+ purge: yes
+
+ - name: install openntpd
+ apt:
+ name: openntpd
+
+ - name: configure openntpd
+ copy:
+ dest: /etc/openntpd/ntpd.conf
+ content: |
+ # Use the ffgraz.net NTP server
+ servers ntp.ffgraz.net weight 3
+
+ # Use some servers announced from the NTP Pool
+ servers 0.debian.pool.ntp.org
+ servers 1.debian.pool.ntp.org
+
+ notify: restart openntpd
diff --git a/ansible/roles/base/tasks/04systemd.yml b/ansible/roles/base/tasks/04systemd.yml
new file mode 100644
index 0000000..dca585c
--- /dev/null
+++ b/ansible/roles/base/tasks/04systemd.yml
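Review bot: `mode: 0644` on the `disable apt suggests and recommends` task is an unquoted plain scalar, which YAML 1.1 loaders read as the octal integer 420; Ansible converts that back correctly today, but a later edit to `644` would silently become mode 1204, and ansible-lint flags the form, so `mode: "0644"` is the safer spelling. The same unquoted mode appears twice in 04systemd.yml and once on the `copy` task in 05tools.yml. `purge: yes` here (and in 03ntp.yml) would be `purge: true` under yamllint's truthy rule.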
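Review bot: `when: base_managed_ntpd` raises an undefined-variable error rather than skipping the block when the variable is not set on a host; unless it is declared in the role's defaults (not visible in this commit), `when: base_managed_ntpd | default(false)` is the safer form. The generated ntpd.conf also pins time to three unauthenticated NTP sources with no `constraints` directive; if the target's openntpd build supports it, a `constraints from "https://<constraint-host placeholder>"` line bounds how far a spoofed NTP reply can move the clock, and either way the content block deserves a one-line comment saying whether that was considered.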
@@ -0,0 +1,30 @@
+---
+- name: install systemd specific packages
+ apt:
+ state: present
+ name:
+ - dbus
+ - libpam-systemd
+
+- name: set systemd-related environment variables
+ copy:
+ src: xdg_runtime_dir.sh
+ dest: /etc/profile.d/xdg_runtime_dir.sh
+ mode: 0644
+
+
+- when: ansible_distribution == "Ubuntu"
+ block:
+ - name: workaround console-setup race condition (1/2)
+ file:
+ path: /etc/systemd/system/console-setup.service.d/
+ state: directory
+
+ - name: workaround console-setup race condition (2/2)
+ copy:
+ dest: /etc/systemd/system/console-setup.service.d/override.conf
+ mode: 0644
+ content: |
+ [Unit]
+ After=systemd-tmpfiles-setup.service
+ # no need to reload systemd, it is only there to fix a boot-time race-condition
diff --git a/ansible/roles/base/tasks/05tools.yml b/ansible/roles/base/tasks/05tools.yml
new file mode 100644
index 0000000..8a25597
--- /dev/null
+++ b/ansible/roles/base/tasks/05tools.yml
@@ -0,0 +1,34 @@
+---
+- name: install base tools
+ apt:
+ name:
+ - htop
+ - zsh
+
+- name: set root default shell to zsh
+ user:
+ name: root
+ shell: /bin/zsh
+
+- name: set default shell for adduser
+ with_dict:
+ DSHELL: /bin/zsh
+ lineinfile:
+ dest: /etc/adduser.conf
+ regexp: "^#?{{ item.key }}="
+ line: "{{ item.key }}={{ item.value }}"
+
+- name: Deploy default configuration for tools
+ with_dict:
+ /etc/htoprc: "{{ global_files_dir }}/common/htoprc"
+
+ /etc/zsh/zprofile: zprofile
+ /etc/zsh/zshrc: zshrc
+ /etc/skel/.zshrc: zshrc.skel
+
+ loop_control:
+ label: "{{ item.key }}"
+ copy:
+ mode: 0644
+ src: "{{ item.value }}"
+ dest: "{{ item.key }}"
diff --git a/ansible/roles/base/tasks/main.yml b/ansible/roles/base/tasks/main.yml
index b148a6d..1bf4243 100644
--- a/ansible/roles/base/tasks/main.yml
+++ b/ansible/roles/base/tasks/main.yml
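Review bot: `install base tools` omits `state: present` while the equivalent `install basic packages` task in 02debian.yml sets it explicitly (`install openntpd` in 03ntp.yml omits it too); the module default is present, so this is a consistency point only, and adding `state: present` under the name list keeps the apt tasks uniform across the split files. `mode: 0644` on the `Deploy default configuration for tools` copy task is the unquoted-octal form and would read more safely as `mode: "0644"`.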
@@ -1,177 +1,7 @@ --- -- set_fact: - sshd_allowusers: >- - {{ [ 'root' ] | union(user_groups.noc) - | union(sshd_allowusers_group | default([])) - | union(sshd_allowusers_host | default([])) }} - -- name: only allow pubkey auth for root - lineinfile: - dest: /etc/ssh/sshd_config - regexp: "^PermitRootLogin" - line: "PermitRootLogin without-password" - notify: restart ssh - -- name: limit allowed users (1/2) - when: sshd_allowgroup is not defined - lineinfile: - dest: /etc/ssh/sshd_config - regexp: "^#?AllowUsers" - line: "AllowUsers {{ ' '.join(sshd_allowusers) }}" - notify: restart ssh - -- block: - - name: "limit allowed users (2/2): Make sure AllowUsers is not in sshd_config" - lineinfile: - dest: /etc/ssh/sshd_config - regexp: "^AllowUsers" - state: absent - notify: restart ssh - - - name: "limit allowed users (2/2): Set AllowGroups in sshd_config" - lineinfile: - dest: /etc/ssh/sshd_config - regexp: "^#?AllowGroups" - line: AllowGroups {{ sshd_allowgroup }} - notify: restart ssh - - - name: "limit allowed users (2/2): Add allowed users to ssh group" - user: - name: "{{ item }}" - groups: "{{ sshd_allowgroup }}" - append: True - with_items: "{{ sshd_allowusers }}" - - when: sshd_allowgroup is defined - -- name: Set authorized keys for root user - authorized_key: - user: root - key: "{{ ssh_users_root | user_ssh_keys(users) | join('\n') }}" - exclusive: yes - -- name: disable apt suggests and recommends - copy: - src: 02no-recommends - dest: /etc/apt/apt.conf.d/ - mode: 0644 - -- name: install basic packages - apt: - name: - - less - - psmisc - - sudo - - htop - - dstat - - mtr-tiny - - tcpdump - - debian-goodies - - lsof - - haveged - - net-tools - - screen - - aptitude - - unp - - ca-certificates - - file - - nano - - zsh - - python-apt - - command-not-found - - man-db - - lshw - state: present - -- when: base_managed_ntpd - block: - - name: check that ISC ntpd is not installed - apt: - name: ntp - state: absent - purge: yes - - - name: install openntpd - apt: 
- name: openntpd - - - name: configure openntpd - copy: - dest: /etc/openntpd/ntpd.conf - content: | - # Use the ffgraz.net NTP server - servers ntp.ffgraz.net weight 3 - - # Use some servers announced from the NTP Pool - servers 0.debian.pool.ntp.org - servers 1.debian.pool.ntp.org - - notify: restart openntpd - - -- name: make sure grml-(etc|scripts)-core is not installed - apt: - name: - - grml-etc-core - - grml-scripts-core - state: absent - purge: yes - -- block: - - name: install systemd specific packages - apt: - name: - - dbus - - libpam-systemd - state: present - - - name: set systemd-related environment variables - copy: - src: xdg_runtime_dir.sh - dest: /etc/profile.d/xdg_runtime_dir.sh - mode: 0644 - - when: ansible_service_mgr == "systemd" - -- block: - - name: workaround console-setup race condition (1/2) - file: - path: /etc/systemd/system/console-setup.service.d/ - state: directory - - - name: workaround console-setup race condition (2/2) - copy: - content: "[Unit]\nAfter=systemd-tmpfiles-setup.service\n" - dest: /etc/systemd/system/console-setup.service.d/override.conf - mode: 0644 - # no need to relaod systemd here, it is only there to fix a boot-time race-condition - - when: ansible_distribution == "Ubuntu" - -- name: set root default shell to zsh - user: - name: root - shell: /bin/zsh - -- name: set default shell for adduser - with_dict: - DSHELL: /bin/zsh - lineinfile: - dest: /etc/adduser.conf - regexp: "^#?{{ item.key }}=" - line: "{{ item.key }}={{ item.value }}" - -- name: Deploy default configuration for tools - with_dict: - /etc/htoprc: "{{ global_files_dir }}/common/htoprc" - - /etc/zsh/zprofile: zprofile - /etc/zsh/zshrc: zshrc - /etc/skel/.zshrc: zshrc.skel - - loop_control: - label: "{{ item.key }}" - copy: - mode: 0644 - src: "{{ item.value }}" - dest: "{{ item.key }}" +- import_tasks: 01ssh.yml +- import_tasks: 02debian.yml +- import_tasks: 03ntp.yml +- when: ansible_service_mgr == "systemd" + import_tasks: 04systemd.yml +- 
import_tasks: 05tools.yml
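Review bot: A `when:` on `import_tasks` is applied to every task in the imported file, so the Ubuntu console-setup workaround inside 04systemd.yml is now additionally gated on `ansible_service_mgr == "systemd"`, which the removed main.yml did not do — probably the intended behaviour for a systemd drop-in, but it is a functional change that the commit message ("split") does not mention. A short comment on that entry would make the coupling explicit, e.g. `# applies to every task in 04systemd.yml, including the Ubuntu-only block`. The numeric file prefixes do not drive execution order — this list does — so a comment saying that the prefixes are documentary, or dropping them, avoids the two drifting apart.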