From 8354baa32f1140f7c34872d4455c8b93afc1a37c Mon Sep 17 00:00:00 2001 
From: Markus Pesch Date: Sat, 11 Dec 2021 22:46:32 +0100 Subject: [PATCH] Initial Commit --- README.md | 13 ++ ansible.cfg | 3 + client.linuxws2122.de.yaml | 13 ++ gateway.linuxws2122.de.yaml | 14 ++ group_vars/all/ansible.yml | 5 + group_vars/all/sudo_users.yaml | 7 + group_vars/all/unix_users.yaml | 16 ++ group_vars/all/vim_users.yaml | 6 + host_vars/client.linuxws2122.de.yaml | 20 +++ host_vars/gateway.linuxws2122.de.yaml | 116 +++++++++++++ hosts.yaml | 11 ++ pubkeys/markus@markus-nb.pub | 1 + pubkeys/markus@markus-pc.pub | 1 + roles/bind_dhcp/defaults/main.yaml | 90 ++++++++++ roles/bind_dhcp/handlers/main.yaml | 13 ++ roles/bind_dhcp/tasks/bind9.yaml | 36 ++++ roles/bind_dhcp/tasks/dhcpd.yaml | 53 ++++++ roles/bind_dhcp/tasks/main.yaml | 15 ++ roles/bind_dhcp/templates/dhcpd.conf.j2 | 37 +++++ roles/bind_dhcp/templates/named.conf.j2 | 129 +++++++++++++++ roles/bind_dhcp/templates/zone.j2 | 6 + roles/common/tasks/main.yaml | 16 ++ roles/hostname/defaults/main.yaml | 2 + roles/hostname/tasks/main.yml | 20 +++ roles/hostname/templates/hostname.j2 | 1 + roles/hostname/templates/hosts.j2 | 2 + roles/networking/defaults/main.yml | 41 +++++ .../networking/files/wpa_supplicant@.service | 13 ++ roles/networking/handlers/main.yml | 7 + roles/networking/tasks/main.yml | 154 ++++++++++++++++++ roles/networking/templates/10-dhcp.network.j2 | 9 + .../networking/templates/10-static.network.j2 | 31 ++++ roles/networking/templates/after-dbus.conf.j2 | 2 + .../templates/wpa_supplicant.conf.j2 | 9 + roles/sshd/defaults/main.yaml | 3 + roles/sshd/handlers/main.yml | 6 + roles/sshd/tasks/main.yml | 16 ++ roles/sshd/templates/sshd_config.j2 | 120 ++++++++++++++ roles/sudo_users/defaults/main.yml | 5 + roles/sudo_users/tasks/main.yml | 82 ++++++++++ roles/sysctl/tasks/main.yaml | 7 + roles/unix_users/tasks/main.yml | 76 +++++++++ roles/unix_users/templates/authorized_keys.j2 | 16 ++ roles/unix_users/templates/forward.j2 | 1 + roles/vim/defaults/main.yml | 6 + 
roles/vim/tasks/git-clone.yml | 19 +++ roles/vim/tasks/main.yml | 14 ++ 47 files changed, 1283 insertions(+) create mode 100644 README.md create mode 100644 ansible.cfg create mode 100644 client.linuxws2122.de.yaml create mode 100644 gateway.linuxws2122.de.yaml create mode 100644 group_vars/all/ansible.yml create mode 100644 group_vars/all/sudo_users.yaml create mode 100644 group_vars/all/unix_users.yaml create mode 100644 group_vars/all/vim_users.yaml create mode 100644 host_vars/client.linuxws2122.de.yaml create mode 100644 host_vars/gateway.linuxws2122.de.yaml create mode 100644 hosts.yaml create mode 100644 pubkeys/markus@markus-nb.pub create mode 100644 pubkeys/markus@markus-pc.pub create mode 100644 roles/bind_dhcp/defaults/main.yaml create mode 100644 roles/bind_dhcp/handlers/main.yaml create mode 100644 roles/bind_dhcp/tasks/bind9.yaml create mode 100644 roles/bind_dhcp/tasks/dhcpd.yaml create mode 100644 roles/bind_dhcp/tasks/main.yaml create mode 100644 roles/bind_dhcp/templates/dhcpd.conf.j2 create mode 100644 roles/bind_dhcp/templates/named.conf.j2 create mode 100644 roles/bind_dhcp/templates/zone.j2 create mode 100644 roles/common/tasks/main.yaml create mode 100644 roles/hostname/defaults/main.yaml create mode 100644 roles/hostname/tasks/main.yml create mode 100644 roles/hostname/templates/hostname.j2 create mode 100644 roles/hostname/templates/hosts.j2 create mode 100644 roles/networking/defaults/main.yml create mode 100644 roles/networking/files/wpa_supplicant@.service create mode 100644 roles/networking/handlers/main.yml create mode 100644 roles/networking/tasks/main.yml create mode 100644 roles/networking/templates/10-dhcp.network.j2 create mode 100644 roles/networking/templates/10-static.network.j2 create mode 100644 roles/networking/templates/after-dbus.conf.j2 create mode 100644 roles/networking/templates/wpa_supplicant.conf.j2 create mode 100644 roles/sshd/defaults/main.yaml create mode 100644 roles/sshd/handlers/main.yml create mode 100644 
roles/sshd/tasks/main.yml create mode 100644 roles/sshd/templates/sshd_config.j2 create mode 100644 roles/sudo_users/defaults/main.yml create mode 100644 roles/sudo_users/tasks/main.yml create mode 100644 roles/sysctl/tasks/main.yaml create mode 100644 roles/unix_users/tasks/main.yml create mode 100644 roles/unix_users/templates/authorized_keys.j2 create mode 100644 roles/unix_users/templates/forward.j2 create mode 100644 roles/vim/defaults/main.yml create mode 100644 roles/vim/tasks/git-clone.yml create mode 100644 roles/vim/tasks/main.yml diff --git a/README.md b/README.md new file mode 100644 index 0000000..89f2305 --- /dev/null +++ b/README.md @@ -0,0 +1,13 @@ +# linuxws2122 - Ansible + +Setup gateway and client vm via ansible. + +- Adapt IP-Adresse of the client and gateway VM in host_vars. +- Adapt name of the interfaces for booth VMs in host_vars. +- Configure your Router (Fritz!Box, SpeedPort, ect) to route traffic for + 192.168.181.0/24 via gateway. + +```bash +ansible-playbook -i hosts.yaml gateway.linuxws2122.de.yaml +ansible-playbook -i hosts.yaml client.linuxws2122.de.yaml +``` diff --git a/ansible.cfg b/ansible.cfg new file mode 100644 index 0000000..79af3cb --- /dev/null +++ b/ansible.cfg @@ -0,0 +1,3 @@ +[default] +inventory = hosts.yaml +roles_path = roles \ No newline at end of file diff --git a/client.linuxws2122.de.yaml b/client.linuxws2122.de.yaml new file mode 100644 index 0000000..7487f34 --- /dev/null +++ b/client.linuxws2122.de.yaml @@ -0,0 +1,13 @@ +--- + +- name: setup client.linuxws2122.de + hosts: client.linuxws2122.de + remote_user: root + roles: + - { role: common } + - { role: networking } + - { role: hostname } + - { role: sshd } + - { role: unix_users } + - { role: sudo_users } + - { role: vim } \ No newline at end of file diff --git a/gateway.linuxws2122.de.yaml b/gateway.linuxws2122.de.yaml new file mode 100644 index 0000000..0b7ebcb --- /dev/null +++ b/gateway.linuxws2122.de.yaml 
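Review bot: The section header `[default]` in ansible.cfg is not one Ansible reads; its settings section is `[defaults]`, so `inventory = hosts.yaml` and `roles_path = roles` are silently ignored. The README hides this by passing `-i hosts.yaml` explicitly, and the roles are still found only because `roles/` sits next to the playbooks, which is searched by default. Change the header to `[defaults]` so the file has the intended effect, and add the trailing newline that `\ No newline at end of file` flags.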
@@ -0,0 +1,14 @@ +--- +- name: setup gateway.linuxws2122.de + hosts: gateway.linuxws2122.de + remote_user: root + roles: + - { role: common } + - { role: networking } + - { role: hostname } + - { role: sshd } + - { role: unix_users } + - { role: sudo_users } + - { role: vim } + - { role: sysctl } + - { role: bind_dhcp } diff --git a/group_vars/all/ansible.yml b/group_vars/all/ansible.yml new file mode 100644 index 0000000..bc67c93 --- /dev/null +++ b/group_vars/all/ansible.yml @@ -0,0 +1,5 @@ +--- +ansible_connection: ssh +ansible_ssh_user: root +ansible_ssh_pass: linuxws2122 +ansible_ssh_extra_args: "-o PubkeyAuthentication=no -o PasswordAuthentication=yes" \ No newline at end of file diff --git a/group_vars/all/sudo_users.yaml b/group_vars/all/sudo_users.yaml new file mode 100644 index 0000000..c18e7c9 --- /dev/null +++ b/group_vars/all/sudo_users.yaml @@ -0,0 +1,7 @@ +--- + +sudo_users: +- root +- linuxws2122 + +sudo_without_password: true \ No newline at end of file diff --git a/group_vars/all/unix_users.yaml b/group_vars/all/unix_users.yaml new file mode 100644 index 0000000..d423dbe --- /dev/null +++ b/group_vars/all/unix_users.yaml @@ -0,0 +1,16 @@ +--- + +unix_groups: +- linuxws2122 + +unix_users: + linuxws2122: + name: "linuxws2122" + ssh_key: markus@markus-pc.pub + additional_ssh_keys: + - name: markus@markus-nb.pub + hosts: + - all + shell: /bin/bash + main_group: linuxws2122 + password: "linuxws2122" diff --git a/group_vars/all/vim_users.yaml b/group_vars/all/vim_users.yaml new file mode 100644 index 0000000..89940d6 --- /dev/null +++ b/group_vars/all/vim_users.yaml @@ -0,0 +1,6 @@ +--- +vim_users: +- user: root + branch: no-plugins +- user: linuxws2122 + branch: no-plugins \ No newline at end of file diff --git a/host_vars/client.linuxws2122.de.yaml b/host_vars/client.linuxws2122.de.yaml new file mode 100644 index 0000000..a6c3bcf --- /dev/null +++ b/host_vars/client.linuxws2122.de.yaml 
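Review bot: `ansible_ssh_pass: linuxws2122` commits the root password in clear text, and `ansible_ssh_extra_args: "-o PubkeyAuthentication=no -o PasswordAuthentication=yes"` forces every connection to use it; the same commit's roles/sshd/templates/sshd_config.j2 sets `PasswordAuthentication no`, so once the sshd role has run, a second playbook run can no longer connect with these settings. Keep the password out of the repository (`--ask-pass` for the first bootstrap, or an ansible-vault encrypted variable) and drop the extra args so pubkey authentication with the keys under pubkeys/ is used afterwards; `ansible_ssh_user` is also the deprecated spelling of `ansible_user`. The same clear-text-secret concern applies to `password: "linuxws2122"` in group_vars/all/unix_users.yaml and to the TSIG `secret:` values in host_vars/gateway.linuxws2122.de.yaml.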
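Review bot: `sudo_without_password: true` grants NOPASSWD sudo to `linuxws2122`, an account whose login password is set from a value stored in this repository, so anyone who can read the repo or guess that password gets root with no further check. The role that consumes these variables (roles/sudo_users/tasks/main.yml) is outside this chunk, so I cannot see whether the `root` entry in `sudo_users` has any effect; root does not need a sudoers entry. Consider leaving the `sudo_without_password: false` default from roles/sudo_users/defaults/main.yml in force for the lab user, or add a comment here stating why passwordless sudo is required.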
@@ -0,0 +1,20 @@ +--- +ansible_host: 192.168.179.73 + +networking: +- type: "ethernet" + filename: "10-enp1s0.network" + interface: "enp1s0" + route_metric: "10" + dhcp: true +- type: "ethernet" + filename: "10-enp2s0.network" + interface: "enp2s0" + route_metric: "20" + dhcp: false + ipv4_address: "192.168.179.251" + ipv4_netmask: "/24" + ipv4_gateway: "192.168.179.1" + ipv6_ignore_ra: true + dns_servers: + - "192.168.179.12" \ No newline at end of file diff --git a/host_vars/gateway.linuxws2122.de.yaml b/host_vars/gateway.linuxws2122.de.yaml new file mode 100644 index 0000000..08e3bca --- /dev/null +++ b/host_vars/gateway.linuxws2122.de.yaml 
@@ -0,0 +1,116 @@ +--- +ansible_host: 192.168.179.117 + +networking: +- type: "ethernet" + filename: "10-enp1s0.network" + interface: "enp1s0" + route_metric: "10" + dhcp: false + ipv4_address: "192.168.179.250" + ipv4_netmask: "/24" + ipv4_gateway: "192.168.179.1" + ipv6_ignore_ra: true + dns_servers: + - "192.168.179.12" +- type: "ethernet" + filename: "10-enp2s0.network" + interface: "enp2s0" + route_metric: "20" + dhcp: false + ipv4_address: "192.168.181.1" + ipv4_netmask: "/24" + ipv4_gateway: "" + ipv6_ignore_ra: true + dns_servers: + - "192.168.181.1" + + +dhcpd_keys: +- name: dyndns + algorithm: hmac-sha256 + secret: "KS8hRpqgCk0UKQRD3eBbxriXkTt6ePr0tQ7bUUcwX+o=" + +dhcpd_zones: +- name: linuxws2122.de + primary: "192.168.181.1" + key: dyndns +- name: 181.168.192.in-addr.arpa + primary: "192.168.181.1" + key: dyndns + +dhcpd_interface: "enp2s0" +dhcpd_network_start: "192.168.181.0" +dhcpd_network_netmask: "255.255.255.0" +dhcpd_network_range: 192.168.181.20 192.168.181.200 + +dhcpd_ddns_domainname: linuxws2122.de + +dhcpd_default_lease_time: "43200" +dhcpd_max_lease_time: "86400" +dhcpd_min_lease_time: "21600" + +dhcpd_option_broadcast_address: "192.168.181.255" +dhcpd_option_domain_name: linuxws2122.de +dhcpd_option_domain_name_servers: "192.168.181.1" +dhcpd_option_routers: "192.168.181.1" +dhcpd_option_subnet_mask: "255.255.255.0" + + +bind9_global_allow_query: +- 192.168.179.0/24 +- 192.168.181.0/24 + +bind9_keys: +- name: dyndns + algorithm: hmac-sha256 + secret: KS8hRpqgCk0UKQRD3eBbxriXkTt6ePr0tQ7bUUcwX+o= + +bind9_listen_on_ipv4: +- "192.168.181.1" + +bind9_listen_on_ipv6: [] + +bind9_forward_zones: +- allow_query: + - any + allow_update: + - dyndns + type: master + origin: linuxws2122.de. + ttl: "3600" + records: + - name: "@\t\t" # \t only for indention + class: IN + type: SOA + value: "gateway.linuxws2122.de. hostmaster.linuxws2122.de. 
2021121000 86400 7200 604800 3600" + - name: "\t\t" # \t only for indention + class: IN + type: NS + value: gateway + - name: "gateway\t\t" # \t only for indention + class: IN + type: A + value: 192.168.181.1 + +bind9_reverse_zones: +- allow_query: + - any + allow_update: + - dyndns + type: master + origin: 181.168.192.IN-ADDR.ARPA. + ttl: "3600" + records: + - name: "@\t\t" # "\t" only for indention + class: IN + type: SOA + value: "gateway.linuxws2122.de. hostmaster.linuxws2122.de. 2021121000 86400 7200 604800 3600" + - name: "\t\t" # "\t" only for indention + class: IN + type: NS + value: gateway.linuxws2122.de. + - name: "1\t\t" # "\t" only for indention + class: IN + type: PTR + value: gateway.linuxws2122.de. \ No newline at end of file diff --git a/hosts.yaml b/hosts.yaml new file mode 100644 index 0000000..080fe86 --- /dev/null +++ b/hosts.yaml @@ -0,0 +1,11 @@ +all: + hosts: + client.linuxws2122.de: + gateway.linuxws2122.de: + children: + client: + hosts: + client.linuxws2122.de: + gateway: + hosts: + gateway.linuxws2122.de: diff --git a/pubkeys/markus@markus-nb.pub b/pubkeys/markus@markus-nb.pub new file mode 100644 index 0000000..a758988 --- /dev/null +++ b/pubkeys/markus@markus-nb.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJUTcUBb+55jRY9TkpLgm8K/8nJfEXyjEX8zljdCCRpi markus@markus-nb \ No newline at end of file diff --git a/pubkeys/markus@markus-pc.pub b/pubkeys/markus@markus-pc.pub new file mode 100644 index 0000000..ea9de81 --- /dev/null +++ b/pubkeys/markus@markus-pc.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPOydCxv9/tAV7AdS2HsUIEu547Z5qUJnWYwiO7rI9YL markus@markus-pc \ No newline at end of file diff --git a/roles/bind_dhcp/defaults/main.yaml b/roles/bind_dhcp/defaults/main.yaml new file mode 100644 index 0000000..a9a55e1 --- /dev/null +++ b/roles/bind_dhcp/defaults/main.yaml 
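Review bot: The TSIG secret `KS8hRpqgCk0UKQRD3eBbxriXkTt6ePr0tQ7bUUcwX+o=` is written twice, once under `dhcpd_keys` and once under `bind9_keys`, so a rotation that touches only one of them silently breaks dynamic updates; define it once (e.g. `dyndns_tsig_secret: "<tsig-secret>"` referenced from both lists, or a YAML anchor on the first `secret:`) and keep the value vault-encrypted rather than in clear text. `ipv4_gateway: ""` on enp2s0 is rendered by 10-static.network.j2 as a bare `Gateway=` line, which I believe networkd warns about and ignores at best; either omit the key and have the template guard on it, or confirm the rendered unit loads cleanly. Quoting `dhcpd_network_range: 192.168.181.20 192.168.181.200` as the commented defaults do would make the two-address string explicit.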
@@ -0,0 +1,90 @@ +--- + +# dhcpd_interface: "enp7s0" +# dhcpd_network_start: "192.168.181.0" +# dhcpd_network_netmask: "255.255.255.0" +# dhcpd_network_range: "192.168.181.20 192.168.181.200" + +# dhcpd_default_lease_time: "43200" +# dhcpd_max_lease_time: "2168640000" +# dhcpd_min_lease_time: "21600" + +# dhcpd_ddns_domainname: "linuxws2122.de" + +# dhcpd_option_broadcast_address: "192.168.181.255" +# dhcpd_option_domain_name: "linuxws2122.de" +# dhcpd_option_domain_name_servers: "192.168.181.1" +# dhcpd_option_routers: "192.168.181.1" +# dhcpd_option_subnet_mask: "255.255.255.0" + + +# dhcpd_keys: +# - name: dyndns +# algorithm: hmac-sha256 +# secret: "" + +# dhcpd_zones: +# - name: linuxws2122.de +# primary: "192.168.181.1" +# key: dyndns +# - name: 181.168.192.in-addr.arpa +# primary: "192.168.181.1" +# key: dyndns + + +# bind9_global_allow_query: +# - "192.168.181.0/24" + +# bind9_keys: +# - name: dyndns +# algorithm: hmac-sha512 +# secret: "+7bISG4ktFi2ytU9WXvBX41ZlxxfW5G+sHKtetNlQjk=" + +# bind9_listen_on_ipv4: +# - "192.168.181.1" + +# bind9_listen_on_ipv6: [] + +# bind9_forward_zones: +# - allow_query: +# - "any" +# allow_update: +# - dyndns +# type: master +# origin: "linuxws2122.de." +# ttl: "3600" +# records: +# - name: "\t\t" # only for indention +# class: "IN" +# type: "SOA" +# value: "gateway.linuxws2122.de. hostmaster.linuxws2122.de. 2021092000 86400 7200 604800 3600" +# - name: "\t\t" # only for indention +# class: "IN" +# type: "NS" +# value: "gateway" +# - name: "gateway\t\t" +# class: "IN" +# type: "A" +# value: "192.168.181.1" + +# bind9_reverse_zones: +# - allow_query: +# - "any" +# allow_update: +# - dyndns +# type: master +# origin: "181.168.192.IN-ADDR.ARPA." +# ttl: "3600" +# records: +# - name: "\t\t" # "\t" only for indention +# class: "IN" +# type: SOA +# value: "gateway.linuxws2122.de. hostmaster.linuxws2122.de. 
2021092000 86400 7200 604800 3600" +# - name: "\t\t" # "\t" only for indention +# class: "IN" +# type: NS +# value: "gateway.linuxws2122.de." +# - name: "1\t\t" # "\t" only for indention +# class: "IN" +# type: A +# value: "gateway.linuxws2122.de." diff --git a/roles/bind_dhcp/handlers/main.yaml b/roles/bind_dhcp/handlers/main.yaml new file mode 100644 index 0000000..aea8a05 --- /dev/null +++ b/roles/bind_dhcp/handlers/main.yaml @@ -0,0 +1,13 @@ +--- + +- name: restart dhcpd + systemd: + name: dhcpd + state: restarted + daemon_reload: true + +- name: restart named + systemd: + name: named + state: restarted + daemon_reload: true diff --git a/roles/bind_dhcp/tasks/bind9.yaml b/roles/bind_dhcp/tasks/bind9.yaml new file mode 100644 index 0000000..08aec06 --- /dev/null +++ b/roles/bind_dhcp/tasks/bind9.yaml @@ -0,0 +1,36 @@ +--- + +- name: create dhcp config dir + file: + path: /etc/named + owner: named + group: named + mode: 0755 + state: directory + +- name: set up zones + template: + src: zone.j2 + dest: /etc/named/{{ item.origin }}db + owner: named + group: named + mode: 0644 + with_items: + - "{{ bind9_forward_zones }}" + - "{{ bind9_reverse_zones }}" + notify: restart named + +- name: set up global bind config + template: + src: named.conf.j2 + dest: /etc/named.conf + owner: named + group: named + mode: 0644 + notify: restart named + +- name: start and enabled named + systemd: + name: named + state: started + enabled: yes \ No newline at end of file diff --git a/roles/bind_dhcp/tasks/dhcpd.yaml b/roles/bind_dhcp/tasks/dhcpd.yaml new file mode 100644 index 0000000..709c1a9 --- /dev/null +++ b/roles/bind_dhcp/tasks/dhcpd.yaml 
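Review bot: roles/bind_dhcp/defaults/main.yaml consists only of commented-out examples, so the role ships no defaults at all and every variable the templates reference (`dhcpd_keys`, `bind9_listen_on_ipv6`, …) must be supplied by the caller or templating fails on an undefined variable. Either give the list variables safe empty defaults (`dhcpd_keys: []`, `dhcpd_zones: []`, `bind9_listen_on_ipv6: []`) and move the worked example to a README, or add a top comment stating that the role requires all of these to be set. The example `secret: "+7bISG4ktFi2ytU9WXvBX41ZlxxfW5G+sHKtetNlQjk="` looks like a real generated key; if it was ever used it should be treated as disclosed, and the example should carry a placeholder such as `"<tsig-secret>"`. The example reverse-zone record `- name: "1\t\t"` with `type: A` and a hostname value should be `type: PTR`, as the live copy in host_vars/gateway.linuxws2122.de.yaml has it.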
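Review bot: `/etc/named.conf` is deployed with `mode: 0644`, and named.conf.j2 renders the `bind9_keys` secrets into it, so the TSIG key that authorises dynamic updates to the zones is readable by every local user; `mode: 0640` with `group: named` (or a separately `include`d key file with that mode) keeps named able to read it. The same applies to `/etc/dhcp/dhcpd.conf` in roles/bind_dhcp/tasks/dhcpd.yaml, which carries the `dhcpd_keys` secrets and is also written `0644` — there `mode: 0640` with `group: dhcpd` is the equivalent fix, assuming dhcpd can still read it after dropping privileges, which I have not verified for the Red Hat unit. `enabled: yes` in the last task is the YAML 1.1 spelling; `enabled: true` is what the rest of the commit uses.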
@@ -0,0 +1,53 @@ +--- + +- name: create dhcp config dir + file: + path: /etc/dhcp + owner: root + group: root + mode: 0755 + state: directory + +- name: create dhcpd config + template: + src: dhcpd.conf.j2 + dest: /etc/dhcp/dhcpd.conf + owner: root + group: root + mode: 0644 + +- name: cleanup cache files + block: + - name: check if cache dir exists + stat: + path: /var/lib/dhcpd + register: cache_stats + - name: remove cache dir + file: + path: /var/lib/dhcpd/ + state: absent + when: cache_stats.stat.exists + - name: create cache dir + file: + path: /var/lib/dhcpd/ + owner: dhcpd + group: dhcpd + mode: 0755 + state: directory + - name: create cache files + file: + path: "/var/lib/dhcpd/{{ item }}" + owner: dhcpd + group: dhcpd + mode: 0644 + state: touch + with_items: + - dhcpd.leases + - dhcpd6.leases + notify: restart dhcpd + +- name: start and enable dhcpd + systemd: + name: dhcpd + state: started + enabled: yes diff --git a/roles/bind_dhcp/tasks/main.yaml b/roles/bind_dhcp/tasks/main.yaml new file mode 100644 index 0000000..253b1b9 --- /dev/null +++ b/roles/bind_dhcp/tasks/main.yaml @@ -0,0 +1,15 @@ +--- + +- name: install bind (named) and dependencies + yum: + name: "{{ item }}" + with_items: + - bind + - bind-utils + - dhcp-server + +- name: configure dhcpd server + include_tasks: dhcpd.yaml + +- name: configure bind9 server + include_tasks: bind9.yaml \ No newline at end of file diff --git a/roles/bind_dhcp/templates/dhcpd.conf.j2 b/roles/bind_dhcp/templates/dhcpd.conf.j2 new file mode 100644 index 0000000..b891a4b --- /dev/null +++ b/roles/bind_dhcp/templates/dhcpd.conf.j2 
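Review bot: The `cleanup cache files` block deletes `/var/lib/dhcpd/` and recreates empty lease files on every run, so each playbook run discards the active lease database, and because `state: touch` always reports changed, the `restart dhcpd` handler fires every time as well. The play is therefore not idempotent, and a routine re-run leaves dhcpd unaware of addresses that clients still hold. Create the directory with `state: directory` only and create the lease files only when missing, e.g. `copy: { content: "", dest: "/var/lib/dhcpd/{{ item }}", force: false, owner: dhcpd, group: dhcpd, mode: 0644 }`, dropping the `stat`/`absent` pair entirely.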
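Review bot: The `install bind (named) and dependencies` task loops `yum` with `name: "{{ item }}"` and `with_items`, which runs one transaction per package; passing the list directly, `name: [bind, bind-utils, dhcp-server]` with `state: present`, is the form current Ansible recommends for package modules. The implicit `state` works today, but spelling it out keeps this task consistent with roles/sshd/tasks/main.yml in the same commit.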
@@ -0,0 +1,37 @@ +authoritative; +ddns-update-style interim; +ignore client-updates; + +{% for key in dhcpd_keys %} +key "{{ key.name }}" { + algorithm {{ key.algorithm }}; + secret "{{ key.secret }}"; +} +{% endfor %} + +{% for zone in dhcpd_zones %} +zone {{ zone.name }} { + primary {{ zone.primary }}; + key "{{ zone.key }}"; +} +{% endfor %} + +subnet {{ dhcpd_network_start }} netmask {{ dhcpd_network_netmask }} { + interface {{ dhcpd_interface }}; + + range {{ dhcpd_network_range }}; + + default-lease-time {{ dhcpd_default_lease_time }}; + max-lease-time {{ dhcpd_max_lease_time }}; + min-lease-time {{ dhcpd_min_lease_time }}; + + ddns-domainname "{{ dhcpd_ddns_domainname }}"; + + update-static-leases on; + + option broadcast-address {{ dhcpd_option_broadcast_address }}; + option domain-name "{{ dhcpd_option_domain_name }}"; + option domain-name-servers {{ dhcpd_option_domain_name_servers }}; + option routers {{ dhcpd_option_routers }}; + option subnet-mask {{ dhcpd_option_subnet_mask }}; +} diff --git a/roles/bind_dhcp/templates/named.conf.j2 b/roles/bind_dhcp/templates/named.conf.j2 new file mode 100644 index 0000000..a62b13a --- /dev/null +++ b/roles/bind_dhcp/templates/named.conf.j2 
@@ -0,0 +1,129 @@ +// +// named.conf +// +// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS +// server as a caching only nameserver (as a localhost DNS resolver only). +// +// See /usr/share/doc/bind*/sample/ for example named configuration files. +// + +options { + listen-on port 53 { +{% for ip in bind9_listen_on_ipv4 %} + {{ ip }}; +{% endfor %} + 127.0.0.1; + }; + + listen-on-v6 port 53 { +{% for ip in bind9_listen_on_ipv6 %} + {{ ip }}; +{% endfor %} + ::1; + }; + + directory "/var/named"; + dump-file "/var/named/data/cache_dump.db"; + statistics-file "/var/named/data/named_stats.txt"; + memstatistics-file "/var/named/data/named_mem_stats.txt"; + secroots-file "/var/named/data/named.secroots"; + recursing-file "/var/named/data/named.recursing"; + + allow-query { +{% for ip in bind9_global_allow_query %} + {{ ip }}; +{% endfor %} + localhost; + }; + + /* + - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. + - If you are building a RECURSIVE (caching) DNS server, you need to enable + recursion. + - If your recursive DNS server has a public IP address, you MUST enable access + control to limit queries to your legitimate users. Failing to do so will + cause your server to become part of large scale DNS amplification + attacks. Implementing BCP38 within your network would greatly + reduce such attack surface + */ + recursion yes; + + dnssec-validation yes; + + managed-keys-directory "/var/named/dynamic"; + geoip-directory "/usr/share/GeoIP"; + + pid-file "/run/named/named.pid"; + session-keyfile "/run/named/session.key"; + + /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */ + include "/etc/crypto-policies/back-ends/bind.config"; +}; + +logging { + channel default_debug { + file "data/named.run"; + severity dynamic; + }; +}; + +zone "." 
IN { + type hint; + file "named.ca"; +}; + +{% for zone in bind9_forward_zones %} +zone "{{ zone.origin }}" { + + allow-query { +{% for entry in zone.allow_query %} + {{ entry }}; +{% endfor %} + }; + + allow-update { +{% for entry in zone.allow_update %} + key {{ entry }}; +{% endfor %} + }; + + file "/etc/named/{{ zone.origin }}db"; + + type {{ zone.type }}; + +}; +{% endfor %} + + + +{% for zone in bind9_reverse_zones %} +zone "{{ zone.origin }}" { + + allow-query { +{% for entry in zone.allow_query %} + {{ entry }}; +{% endfor %} + }; + + allow-update { +{% for entry in zone.allow_update %} + key {{ entry }}; +{% endfor %} + }; + + file "/etc/named/{{ zone.origin }}db"; + + type {{ zone.type }}; + +}; +{% endfor %} + +{% for key in bind9_keys %} +key "{{ key.name }}" { + algorithm {{ key.algorithm }}; + secret "{{ key.secret }}"; +}; +{% endfor %} + +include "/etc/named.rfc1912.zones"; +include "/etc/named.root.key"; diff --git a/roles/bind_dhcp/templates/zone.j2 b/roles/bind_dhcp/templates/zone.j2 new file mode 100644 index 0000000..f3dbc90 --- /dev/null +++ b/roles/bind_dhcp/templates/zone.j2 @@ -0,0 +1,6 @@ +$ORIGIN {{ item.origin }} +$TTL {{ item.ttl }} + +{% for record in item.records %} +{{ record.name }} {{ record.class | default('IN') }} {{ record.type | default('A') }} {{ record.value }} +{% endfor %} diff --git a/roles/common/tasks/main.yaml b/roles/common/tasks/main.yaml new file mode 100644 index 0000000..9bf751b --- /dev/null +++ b/roles/common/tasks/main.yaml @@ -0,0 +1,16 @@ +--- + +- name: system update + yum: + name: '*' + state: latest + +- name: stop firewalld + systemd: + name: firewalld + state: stopped + enabled: no + +- name: disable SELinux + selinux: + state: disabled diff --git a/roles/hostname/defaults/main.yaml b/roles/hostname/defaults/main.yaml new file mode 100644 index 0000000..4bf2b6d --- /dev/null +++ b/roles/hostname/defaults/main.yaml @@ -0,0 +1,2 @@ +--- +hostname_reboot: true \ No newline at end of file 
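Review bot: The header comment kept from the Red Hat sample, `server as a caching only nameserver (as a localhost DNS resolver only)`, no longer describes this file: it listens on `bind9_listen_on_ipv4`, answers queries from two /24s and hosts master zones with `allow-update`, so the comment should say it is a recursive resolver plus authoritative server for the lab networks. The `{% for zone in bind9_forward_zones %}` and `{% for zone in bind9_reverse_zones %}` blocks are identical apart from the variable; a single loop over `bind9_forward_zones + bind9_reverse_zones` removes the duplication. The `key` statements are emitted after the zones that reference them in `allow-update`; I have not verified whether BIND accepts that forward reference, so moving the key loop above the zone loops costs nothing, and `validate: "named-checkconf %s"` on the template task would confirm either way.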
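Review bot: The zones rendered from this template are declared in named.conf.j2 with `allow-update { key dyndns; }`, so named maintains the live copy in the zone file plus a `.jnl` journal; re-running the `set up zones` task in roles/bind_dhcp/tasks/bind9.yaml overwrites the file with the static records from host_vars and notifies `restart named`, which discards every DHCP-registered name and, as far as I know, can make named refuse to load the zone because the journal no longer matches the file. Dynamic zones should be templated only when the file is absent (`force: false` on the template task) or bracketed by `rndc freeze`/`rndc thaw`. The fixed SOA serial `2021121000` carried in the records has the same weakness: it is never bumped when the static part changes.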
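Review bot: `stop firewalld` with `enabled: no` and `selinux: state: disabled` are applied to both the gateway and the client, removing the host firewall and mandatory access control from a machine that routes traffic for 192.168.181.0/24 and serves DNS and DHCP on it; nothing in the commit replaces them. If this is a deliberate lab simplification, gate it on a variable such as `common_disable_hardening: false` and comment why it is needed; otherwise open only the named/dhcpd ports on the internal interface and keep SELinux at `permissive` while the roles are being developed. `state: disabled` also takes effect only after a reboot, and no reboot task exists in this commit, so the play does not itself reach the intended state.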
diff --git a/roles/hostname/tasks/main.yml b/roles/hostname/tasks/main.yml new file mode 100644 index 0000000..cde151d --- /dev/null +++ b/roles/hostname/tasks/main.yml @@ -0,0 +1,20 @@ +--- +- name: update hosts file + ansible.builtin.template: + src: hosts.j2 + dest: /etc/hosts + owner: root + group: root + mode: 0644 + backup: yes + register: _hostname + +- name: update hostname + ansible.builtin.template: + src: hostname.j2 + dest: /etc/hostname + owner: root + group: root + mode: 0644 + backup: yes + register: _hostname \ No newline at end of file diff --git a/roles/hostname/templates/hostname.j2 b/roles/hostname/templates/hostname.j2 new file mode 100644 index 0000000..1ee9db5 --- /dev/null +++ b/roles/hostname/templates/hostname.j2 @@ -0,0 +1 @@ +{{ inventory_hostname }} \ No newline at end of file diff --git a/roles/hostname/templates/hosts.j2 b/roles/hostname/templates/hosts.j2 new file mode 100644 index 0000000..b7607cd --- /dev/null +++ b/roles/hostname/templates/hosts.j2 @@ -0,0 +1,2 @@ +127.0.0.1 localhost.localdomain localhost localhost4 +::1 localhost.localdomain localhost localhost6 \ No newline at end of file diff --git a/roles/networking/defaults/main.yml b/roles/networking/defaults/main.yml new file mode 100644 index 0000000..c6ba0cc --- /dev/null +++ b/roles/networking/defaults/main.yml 
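Review bot: Both tasks `register: _hostname`, so the second result overwrites the first and `_hostname` is never read; `hostname_reboot: true` from roles/hostname/defaults/main.yaml is likewise never consumed, so the role neither applies the new name at runtime nor reboots. Writing `/etc/hostname` alone takes effect only on the next boot; add `ansible.builtin.hostname: name: "{{ inventory_hostname }}"` after the template task, and either use the registered result to trigger the reboot the default promises or drop the unused variable and registers.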
@@ -0,0 +1,41 @@ +--- + +networking_timezone: Europe/Berlin + +networking: +- type: "ethernet" + filename: "10-en.network" + interface: "en*" + route_metric: "10" + dhcp: true + +# Example: Static IP-Address +# networking: +# - type: "ethernet" +# filename: "10-eth0.network" +# interface: "eth0" +# route_metric: "99" +# dhcp: false +# ipv4_address: "192.168.178.12" +# ipv4_netmask: "/24" +# ipv4_gateway: "192.168.178.1" +# ipv6_address: +# ipv6_netmask: +# ipv6_gateway: +# ipv6_ignore_ra: true +# dns_servers: +# - 10.11.12.13 +# - 13.12.11.10 + +# Example: WLAN interface +# networking: +# - type: "wireless" +# filename: "20-wlp.network" +# interface: "wlp*" +# route_metric: "20" +# dhcp: true + +# networking_wpa_supplicant: +# - interface: "wlp4s0" +# ssid: "" +# psk: "" diff --git a/roles/networking/files/wpa_supplicant@.service b/roles/networking/files/wpa_supplicant@.service new file mode 100644 index 0000000..07a1832 --- /dev/null +++ b/roles/networking/files/wpa_supplicant@.service @@ -0,0 +1,13 @@ +[Unit] +Description=WPA supplicant daemon (interface-specific version) +Requires=sys-subsystem-net-devices-%i.device +After=sys-subsystem-net-devices-%i.device +Before=network.target +Wants=network.target + +[Service] +Type=simple +ExecStart=/usr/bin/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-%I.conf -i%I -Dnl80211,wext + +[Install] +Alias=multi-user.target.wants/wpa_supplicant@%i.service \ No newline at end of file diff --git a/roles/networking/handlers/main.yml b/roles/networking/handlers/main.yml new file mode 100644 index 0000000..88c4830 --- /dev/null +++ b/roles/networking/handlers/main.yml @@ -0,0 +1,7 @@ +--- + +- name: restart networkd + systemd: + name: systemd-networkd + state: restarted + daemon_reload: true diff --git a/roles/networking/tasks/main.yml b/roles/networking/tasks/main.yml new file mode 100644 index 0000000..476fde2 --- /dev/null +++ b/roles/networking/tasks/main.yml 
@@ -0,0 +1,154 @@ +--- + +- name: "install systemd-networkd" + block: + - name: "install systemd-networkd (Arch Linux)" + pacman: + name: systemd-networkd + state: present + when: ansible_os_family == "Archlinux" + - name: "install systemd-networkd (RedHat)" + yum: + name: systemd-networkd + state: present + when: ansible_os_family == "RedHat" + +- name: "uninstall NetworkManager" + block: + - name: "uninstall NetworkManager (Arch Linux)" + pacman: + name: NetworkManager + state: absent + when: ansible_os_family == "Archlinux" + - name: "uninstall systemd-networkd (RedHat)" + yum: + name: NetworkManager + state: absent + when: ansible_os_family == "RedHat" + +- name: "remove existing systemd-networkd configuration" + file: + path: "/etc/systemd/network" + state: absent + +- name: "create systemd-networkd directory" + file: + path: "/etc/systemd/network" + owner: root + group: root + mode: 0755 + state: directory + +- name: "setup network interfaces via systemd-networkd (DHCP)" + block: + - name: filter dhcp interfaces + set_fact: + dhcp_interfaces: "{{ (dhcp_interfaces | default([])) + [ item ] }}" + when: item.dhcp + with_items: "{{ networking }}" + + - name: "configure network interface {{ item.name }} (DHCP)" + template: + src: 10-dhcp.network.j2 + dest: "/etc/systemd/network/{{ item.filename }}" + owner: root + group: root + mode: 0644 + when: dhcp_interfaces is defined + with_items: "{{ dhcp_interfaces }}" + +- name: "setup network interfaces via systemd-networkd (static)" + block: + - name: filter static interfaces + set_fact: + static_interfaces: "{{ (static_interfaces | default([])) + [ item ] }}" + when: not item.dhcp + with_items: "{{ networking }}" + + - name: "configure network interface {{ item.name }} (static)" + template: + src: 10-static.network.j2 + dest: "/etc/systemd/network/{{ item.filename }}" + owner: root + group: root + mode: 0644 + when: static_interfaces is defined + with_items: "{{ static_interfaces }}" + +- name: "setup wpa_supplicant 
configurations" + when: networking_wpa_supplicant is defined and networking_wpa_supplicant | length > 0 + block: + - name: "copy systemd unit for custom wpa_supplicant@.service" + copy: + src: files/wpa_supplicant@.service + dest: /etc/systemd/system/wpa_supplicant@.service + owner: root + group: root + + - name: "create wpa_supplicant configuration files" + template: + src: wpa_supplicant.conf.j2 + dest: "/etc/wpa_supplicant/wpa_supplicant-{{ item.interface }}.conf" + owner: root + group: root + mode: 0640 + with_items: "{{ networking_wpa_supplicant }}" + + - name: "start and enable wpa_supplicant for interfaces" + service: + name: wpa_supplicant@{{ item.interface }}.service + state: started + enabled: yes + with_items: "{{ networking_wpa_supplicant }}" + +- name: create symlink to resolv.conf + file: + src: /run/systemd/resolve/stub-resolv.conf + dest: /etc/resolv.conf + state: link + force: yes + follow: no + owner: root + group: root + +- name: enable networkd + service: + name: systemd-networkd + enabled: yes + daemon_reload: yes + +- name: start and enable resolved + service: + name: systemd-resolved + state: started + enabled: yes + daemon_reload: yes + +- name: set timezone + timezone: + name: "{{ networking_timezone }}" + +- name: start and enable timesyncd + service: + name: systemd-timesyncd + state: started + enabled: yes + daemon_reload: yes + +- name: start systemd-networkd after dbus.sock + block: + - name: create drop-in for systemd-networkd + file: + path: /etc/systemd/system/systemd-networkd.d + owner: root + group: root + mode: 0755 + state: directory + - name: template after-dbus.conf + template: + src: after-dbus.conf.j2 + dest: /etc/systemd/system/systemd-networkd.d/after-dbus.conf + owner: root + group: root + mode: 0644 + when: ansible_os_family == "RedHat" \ No newline at end of file diff --git a/roles/networking/templates/10-dhcp.network.j2 b/roles/networking/templates/10-dhcp.network.j2 new file mode 100644 index 0000000..715a657 
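Review bot: The two template tasks are named with `{{ item.name }}`, but the `networking` entries in this commit have `interface` and `filename` keys and no `name`, so the task name renders empty (or errors under strict undefined handling) — `{{ item.interface }}` is what is meant. Neither template task notifies the `restart networkd` handler defined in roles/networking/handlers/main.yml, so a changed `.network` file is not applied until something else restarts networkd; add `notify: restart networkd` to both. The drop-in directory `/etc/systemd/system/systemd-networkd.d` is not one systemd reads — drop-ins for a service live in `systemd-networkd.service.d` — so the after-dbus snippet is silently ignored; the task `uninstall systemd-networkd (RedHat)` is also mislabelled, it removes NetworkManager.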
--- /dev/null +++ b/roles/networking/templates/10-dhcp.network.j2 @@ -0,0 +1,9 @@ +[Match] +Name={{ item.interface }} + +[Network] +DHCP=yes +Domains={{ inventory_hostname.split(".")[1:] | join('.') | lower }} + +[DHCP] +RouteMetric={{ item.route_metric }} diff --git a/roles/networking/templates/10-static.network.j2 b/roles/networking/templates/10-static.network.j2 new file mode 100644 index 0000000..2604689 --- /dev/null +++ b/roles/networking/templates/10-static.network.j2 @@ -0,0 +1,31 @@ +[Match] +Name={{ item.interface }} + +[Network] +Gateway={{ item.ipv4_gateway }} +{% if item.ipv6_gateway is defined %} +Gateway={{ item.ipv6_gateway }} +{% endif %} +{% if item.ipv6_ignore_ra|default(false) is true %} +IPv6AcceptRA=false +{% endif %} +{% for dns_server in item.dns_servers %} +DNS={{ dns_server }} +{% endfor %} + +[Address] +Address={{ item.ipv4_address }}{{ item.ipv4_netmask }} +RouteMetric={{ item.route_metric }} +{% if item.ipv4_netmask == "/32" %} +Peer={{ item.ipv4_gateway }}{{ item.ipv4_netmask}} +{% endif %} + +{% if item.ipv6_address is defined %} +[Address] +Address={{ item.ipv6_address }}{{ item.ipv6_netmask }} +{% endif %} + +{% if item.ipv6_gateway is defined and not item.ipv6_gateway.startswith("fe80") %} +[Route] +Destination={{ item.ipv6_gateway }} +{% endif %} diff --git a/roles/networking/templates/after-dbus.conf.j2 b/roles/networking/templates/after-dbus.conf.j2 new file mode 100644 index 0000000..e0e6aa2 --- /dev/null +++ b/roles/networking/templates/after-dbus.conf.j2 @@ -0,0 +1,2 @@ +[Unit] +After=dbus.sock \ No newline at end of file diff --git a/roles/networking/templates/wpa_supplicant.conf.j2 b/roles/networking/templates/wpa_supplicant.conf.j2 new file mode 100644 index 0000000..8633fba --- /dev/null +++ b/roles/networking/templates/wpa_supplicant.conf.j2 @@ -0,0 +1,9 @@ +ctrl_interface=/run/wpa_supplicant +ctrl_interface_group=wheel +update_config=1 +ap_scan=1 + +network={ + ssid="{{ item.ssid }}" + psk="{{ item.psk }}" +} 
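Review bot: `Gateway={{ item.ipv4_gateway }}` is emitted unconditionally, and host_vars/gateway.linuxws2122.de.yaml sets `ipv4_gateway: ""` for enp2s0, so that interface's unit contains a bare `Gateway=`; I believe networkd logs a parse warning and ignores it at best, so guard the line with `{% if item.ipv4_gateway %}` … `{% endif %}` the way the IPv6 gateway already is. The `{% if item.ipv6_ignore_ra|default(false) is true %}` test relies on the Jinja2 `true` test, which only exists in Jinja2 2.11 and later; `{% if item.ipv6_ignore_ra | default(false) %}` works on every version. `{{ item.ipv4_netmask}}` in the `Peer=` line is missing the closing space the rest of the file uses.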
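Review bot: `After=dbus.sock` names a unit that does not exist; the D-Bus socket unit is `dbus.socket`, so this ordering dependency is never honoured. Together with the drop-in directory name used in roles/networking/tasks/main.yml, the snippet has no effect today; `After=dbus.socket` is the intended line. The task name `start systemd-networkd after dbus.sock` carries the same typo.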
diff --git a/roles/sshd/defaults/main.yaml b/roles/sshd/defaults/main.yaml new file mode 100644 index 0000000..849d6b0 --- /dev/null +++ b/roles/sshd/defaults/main.yaml @@ -0,0 +1,3 @@ +--- + +# sshd_port: 22 \ No newline at end of file diff --git a/roles/sshd/handlers/main.yml b/roles/sshd/handlers/main.yml new file mode 100644 index 0000000..8deef41 --- /dev/null +++ b/roles/sshd/handlers/main.yml @@ -0,0 +1,6 @@ +--- + +- name: restart sshd + service: + name: sshd + state: restarted \ No newline at end of file diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml new file mode 100644 index 0000000..7df0ee3 --- /dev/null +++ b/roles/sshd/tasks/main.yml @@ -0,0 +1,16 @@ +--- +- name: install openssh + yum: + name: openssh + state: present + +- name: configure sshd + template: + src: sshd_config.j2 + dest: /etc/ssh/sshd_config + owner: root + group: root + mode: 0644 + validate: '/usr/sbin/sshd -t -f %s' + notify: + - restart sshd \ No newline at end of file diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2 new file mode 100644 index 0000000..da206ec --- /dev/null +++ b/roles/sshd/templates/sshd_config.j2 
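Review bot: `yum: name: openssh` installs only the base package on Red Hat family systems; the daemon, `/usr/sbin/sshd` and the default `/etc/ssh/sshd_config` ship in `openssh-server`, so on a minimal image the following `validate: '/usr/sbin/sshd -t -f %s'` and the `restart sshd` handler have nothing to run. Change the package to `name: openssh-server`, which pulls in `openssh` as a dependency.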
@@ -0,0 +1,120 @@
+# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+{% if sshd_port is defined and sshd_port > 0 %}
+Port {{ sshd_port }}
+{% else %}
+# Port 22
+{% endif %}
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no +#PermitEmptyPasswords no + +# Change to no to disable s/key passwords +ChallengeResponseAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +#X11Forwarding no +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +PrintMotd no # pam does that +#PrintLastLog yes +#TCPKeepAlive yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +UseDNS no +#PidFile /run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# override default of no subsystems +Subsystem sftp /usr/lib/ssh/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server \ No newline at end of file diff --git a/roles/sudo_users/defaults/main.yml b/roles/sudo_users/defaults/main.yml new file mode 100644 index 0000000..3bbcb8a --- /dev/null +++ b/roles/sudo_users/defaults/main.yml @@ -0,0 +1,5 @@ +--- +sudo_users: + - root + +sudo_without_password: false \ No newline at end of file 
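Review bot: `PermitRootLogin yes` allows direct root login by every authentication method sshd has enabled, not only public keys; with `UsePAM yes` the template's own comment warns that a later flip of `ChallengeResponseAuthentication` (or GSSAPI/hostbased) would then open a password path straight to root. Since the sudo_users role already gives named wheel users root, change it to `PermitRootLogin prohibit-password` (or `no`) so the root account stays key-only regardless of other toggles, and consider `AllowTcpForwarding no` / `AllowAgentForwarding no` on the gateway, where forwarding turns any SSH user into a pivot. The `{% if sshd_port is defined and sshd_port > 0 %}` test raises a TypeError if the inventory supplies the port as a string; `sshd_port | int > 0` is safe either way. The enclosing hunk starts in the previous line.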
diff --git a/roles/sudo_users/tasks/main.yml b/roles/sudo_users/tasks/main.yml new file mode 100644 index 0000000..04066e1 --- /dev/null +++ b/roles/sudo_users/tasks/main.yml 
@@ -0,0 +1,82 @@ +--- + +- name: install sudo + yum: + name: sudo + state: present + +# https://github.com/ansible/ansible/issues/11024 +- name: remove all users from wheel group + command: groupmems -g wheel --purge + register: groupmems + changed_when: "groupmems.rc == 0" + +- name: add sudo users to wheel + user: + name: "{{ item }}" + append: yes + groups: [ wheel ] + with_items: "{{ sudo_users }}" + +- name: remove wheel group to use sudo + block: + - name: remove wheel group to use sudo with password + lineinfile: + dest: /etc/sudoers + state: present + regexp: '^%wheel ALL=\(ALL\) ALL' + line: '# %wheel ALL=(ALL) ALL' + validate: 'visudo -cf %s' + mode: 0440 + owner: root + group: root + + - name: remove wheel group to use sudo without password + lineinfile: + dest: /etc/sudoers + state: present + regexp: '^%wheel ALL=\(ALL\) NOPASSWD: ALL' + line: '# %wheel ALL=(ALL) NOPASSWD: ALL' + validate: 'visudo -cf %s' + mode: 0440 + owner: root + group: root + +- name: allow wheel group to use sudo + block: + - name: allow wheel group to use sudo with password + lineinfile: + dest: /etc/sudoers + state: present + regexp: '^# %wheel ALL=\(ALL\) ALL' + line: '%wheel ALL=(ALL) ALL' + validate: 'visudo -cf %s' + mode: 0440 + owner: root + group: root + when: not sudo_without_password + + - name: allow wheel group to use sudo without password + tags: [ sudo_users_no_pwd ] + lineinfile: + dest: /etc/sudoers + state: present + regexp: '^# %wheel ALL=\(ALL\) NOPASSWD: ALL' + line: '%wheel ALL=(ALL) NOPASSWD: ALL' + validate: 'visudo -cf %s' + mode: 0440 + owner: root + group: root + when: sudo_without_password + +# - name: secure path to protect against attacks +# lineinfile: +# dest: /etc/sudoers +# state: present +# regexp: '^Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"' +# insertafter: '^# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"' +# line: 'Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"' +# 
validate: 'visudo -cf %s' +# mode: 0440 +# owner: root +# group: root diff --git a/roles/sysctl/tasks/main.yaml b/roles/sysctl/tasks/main.yaml new file mode 100644 index 0000000..14a6760 --- /dev/null +++ b/roles/sysctl/tasks/main.yaml @@ -0,0 +1,7 @@ +--- + +- name: configure sysctl properties + sysctl: + name: net.ipv4.ip_forward + value: '1' + state: present \ No newline at end of file diff --git a/roles/unix_users/tasks/main.yml b/roles/unix_users/tasks/main.yml new file mode 100644 index 0000000..0430178 --- /dev/null +++ b/roles/unix_users/tasks/main.yml 
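Review bot: The four `regexp` patterns match only a single space between `%wheel`, `ALL=(ALL)` and `ALL`; the stock `/etc/sudoers` on RHEL-family systems separates these with tabs, and when no line matches, `lineinfile` with `state: present` appends the given `line` at the end of the file instead. The net effect on such a host is that an existing active `%wheel … NOPASSWD: ALL` rule is never disabled, while a second, space-separated wheel rule is appended — the "remove then allow" sequencing does not give the exclusive outcome it intends. Use whitespace-tolerant patterns, e.g. `regexp: '^%wheel\s+ALL=\(ALL\)\s+ALL$'` and `regexp: '^%wheel\s+ALL=\(ALL\)\s+NOPASSWD:\s+ALL$'` (with matching `^#\s*%wheel…` forms in the allow tasks), or better, stop editing `/etc/sudoers` in place and render one `/etc/sudoers.d/wheel` file from `sudo_without_password` with `validate: 'visudo -cf %s'` and `mode: 0440`, which is idempotent and cannot leave two competing rules. The `groupmems --purge` task is reported changed on every run because of `changed_when: "groupmems.rc == 0"`.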
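Review bot: `net.ipv4.ip_forward` is set to `1` unconditionally — the role has no defaults to gate it and nothing in this commit adds packet filtering — so every host that includes the role becomes a router between all of its interfaces (which hosts include it is not visible here, but the inventory lists a client as well as a gateway). Make the role data-driven so forwarding stays off where it is not wanted: `name: "{{ item.name }}"`, `value: "{{ item.value }}"`, `loop: "{{ sysctl_settings }}"` with a `sysctl_settings: []` default and the gateway supplying the forwarding entry in its host_vars. Writing through `sysctl_file: /etc/sysctl.d/90-ansible.conf` keeps the managed values separate from the distro's `/etc/sysctl.conf`, and the gateway host should pair forwarding with explicit firewall rules.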
@@ -0,0 +1,76 @@ +--- + +- name: create unix groups + group: + name: "{{ item }}" + state: present + system: no + with_items: "{{ unix_groups }}" + when: unix_groups is defined + +- name: filter unix_users for users with non-matching hosts + set_fact: + unix_users_filtered: "{{ (unix_users_filtered | default([])) + [ item ] }}" + when: item.value.hosts is not defined or inventory_hostname in item.value.hosts + with_dict: "{{ unix_users }}" + +- name: create unix users + block: + - name: create unix users + user: + name: "{{ item.key }}" + group: "{{ item.value.main_group | default('users') }}" + comment: "{{ item.value.name }}" + shell: "{{ item.value.shell | default('/bin/bash') }}" + password: "{{ item.value.password | password_hash('sha512') }}" + state: present + loop: "{{ unix_users_filtered }}" + when: "item.value.groups is not defined" + + - name: create unix users with additional groups + user: + name: "{{ item.key }}" + group: "{{ item.value.main_group }}" + groups: "{{ item.value.groups | join(',') }}" + comment: "{{ item.value.name }}" + shell: "{{ item.value.shell | default('/bin/bash') }}" + password: "{{ item.value.password | password_hash('sha512') }}" + state: present + loop: "{{ unix_users_filtered }}" + when: "item.value.groups is defined" + +- name: create .ssh directory + file: + path: "/home/{{ item.key }}/.ssh" + state: directory + owner: "{{ item.key }}" + group: "{{ item.value.main_group | default('users') }}" + mode: 0700 + loop: "{{ unix_users_filtered }}" + +- name: configure ssh keys + template: + src: authorized_keys.j2 + dest: "/home/{{ item.key }}/.ssh/authorized_keys" + owner: "{{ item.key }}" + group: "{{ item.value.main_group | default('users') }}" + mode: 0600 + when: item.value.ssh_key is defined + loop: "{{ unix_users_filtered }}" + +- name: remove ssh keys if undefined + file: + path: "/home/{{ item.key }}/.ssh/authorized_keys" + state: absent + when: item.value.ssh_key is not defined + loop: "{{ unix_users_filtered }}" + +- 
name: create email forward file if defined + template: + src: forward.j2 + dest: "/home/{{ item.key }}/.forward" + owner: "{{ item.key }}" + group: "{{ item.value.main_group | default('users') }}" + mode: 0644 + when: item.value.email is defined + loop: "{{ unix_users_filtered }}" diff --git a/roles/unix_users/templates/authorized_keys.j2 b/roles/unix_users/templates/authorized_keys.j2 new file mode 100644 index 0000000..62999d5 --- /dev/null +++ b/roles/unix_users/templates/authorized_keys.j2 @@ -0,0 +1,16 @@ +#jinja2: lstrip_blocks: True +{% set keys = [item.value.ssh_key] %} +{% if item.value.additional_ssh_keys is defined %} + {% for key in item.value.additional_ssh_keys %} + {% if inventory_hostname in key.hosts or 'all' in key.hosts %} + {{- keys.append(key.name) -}} + {% endif %} + {% endfor %} +{% endif %} +{% for key in keys %} + {% if unix_users_ssh_options is defined %} +{{ lookup('file', 'pubkeys/' + key) | regex_replace('(.*\S.*)', unix_users_ssh_options + ' \\1') }} + {% else %} +{{ lookup('file', 'pubkeys/' + key) }} + {% endif %} +{% endfor %} diff --git a/roles/unix_users/templates/forward.j2 b/roles/unix_users/templates/forward.j2 new file mode 100644 index 0000000..b6db813 --- /dev/null +++ b/roles/unix_users/templates/forward.j2 @@ -0,0 +1 @@ +{{ item.value.email }} \ No newline at end of file diff --git a/roles/vim/defaults/main.yml b/roles/vim/defaults/main.yml new file mode 100644 index 0000000..bd78099 --- /dev/null +++ b/roles/vim/defaults/main.yml @@ -0,0 +1,6 @@ +--- +vimrc_repository: https://git.cryptic.systems/volker.raschek/vim.git + +vim_users: [] +# - user: markus +# branch: master diff --git a/roles/vim/tasks/git-clone.yml b/roles/vim/tasks/git-clone.yml new file mode 100644 index 0000000..bd5ef8f --- /dev/null +++ b/roles/vim/tasks/git-clone.yml 
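Review bot: `password: "{{ item.value.password | password_hash('sha512') }}"` generates a fresh random salt on every run, so both `user:` tasks rewrite every account's shadow entry each play and always report changed, and the clear-text password they start from sits in `group_vars/all/unix_users.yaml` per the diffstat, i.e. committed to git. Pass a stable per-user salt (`password_hash('sha512', item.value.salt)`) or set `update_password: on_create`, and keep the password — better, a pre-computed hash — in Ansible Vault. The second `user:` task sets `groups:` without `append: yes`, so it strips every supplementary group not listed, including a `wheel` membership granted by the sudo_users role if that role ran first; role order is not visible here. The `.ssh` tasks hardcode `/home/{{ item.key }}` rather than the account's real home directory, which diverges for users with a custom home.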
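Review bot: `{{- keys.append(key.name) -}}` is an output expression and `list.append` returns `None`; stock Jinja2 renders that as the literal text `None`, which would land as a garbage line in the user's authorized_keys (sshd skips lines it cannot parse, but the file is wrong and the auth log gets noisy). Whether Ansible's templater suppresses it here I have not verified; `{% set _ = keys.append(key.name) %}` produces no output at all and removes the question. `key.hosts` is dereferenced without an `is defined` guard, unlike `item.value.hosts` in the tasks file, so an additional key entry without `hosts` aborts the template.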
@@ -0,0 +1,19 @@ +--- +- name: "getent for user {{ item.user }}" + getent: + database: passwd + key: "{{ item.user }}" + +- name: "clone vimrc repository for user {{ item.user }}" + git: + repo: https://git.cryptic.systems/volker.raschek/vim.git + dest: "{{ getent_passwd[item.user][4] }}/.vim" + version: "{{ item.branch }}" + +- name: correct permissions + file: + path: "{{ getent_passwd[item.user][4] }}/.vim" + owner: "{{ getent_passwd[item.user][1] }}" + group: "{{ getent_passwd[item.user][2] }}" + state: directory + recurse: yes diff --git a/roles/vim/tasks/main.yml b/roles/vim/tasks/main.yml new file mode 100644 index 0000000..93429d0 --- /dev/null +++ b/roles/vim/tasks/main.yml @@ -0,0 +1,14 @@ +--- +- name: install vim + yum: + name: vim + state: present + +- name: install git to clone vimrc repository + yum: + name: git + state: present + +- name: clone vimrc repository + include_tasks: git-clone.yml + with_items: "{{ vim_users }}"
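Review bot: The `git` task hardcodes `repo: https://git.cryptic.systems/volker.raschek/vim.git`, ignoring the `vimrc_repository` default that exists for exactly this purpose, and checks out a moving `version: "{{ item.branch }}"`, so the contents of each user's `~/.vim` — VimScript executed on every editor start — are whatever the remote branch holds at play time. Use `repo: "{{ vimrc_repository }}"` and let the per-user entry pin a tag or commit SHA rather than a branch; if a branch must be tracked, at least capture the resulting SHA from the task result so deployments are auditable. The clone is also performed as root and only chowned afterwards; running the task with `become_user: "{{ item.user }}"` keeps root from handling remote repository content and yields correct ownership directly, making the recursive `file:` fix-up unnecessary.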