Initial Commit

This commit is contained in:
Markus Pesch 2021-12-11 22:46:32 +01:00
commit 8354baa32f
Signed by: volker.raschek
GPG Key ID: 852BCC170D81A982
47 changed files with 1283 additions and 0 deletions

README.md Normal file

@ -0,0 +1,13 @@
# linuxws2122 - Ansible
Setup gateway and client vm via ansible.
- Adapt IP-Adresse of the client and gateway VM in host_vars.
- Adapt name of the interfaces for booth VMs in host_vars.
- Configure your Router (Fritz!Box, SpeedPort, ect) to route traffic for
192.168.181.0/24 via gateway.
```bash
ansible-playbook -i hosts.yaml gateway.linuxws2122.de.yaml
ansible-playbook -i hosts.yaml client.linuxws2122.de.yaml
```

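--- a/ansible.cfg
+++ b/ansible.cfg
@@ -0,0 +1,3 @@
+[default]
+inventory = hosts.yaml
+roles_path = roles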
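Review bot: The section header on the first line is `[default]`, but ansible.cfg reads its general settings from `[defaults]`, so `inventory` and `roles_path` are silently ignored and only the README's explicit `-i hosts.yaml` makes the playbooks find the inventory. Change the header to `[defaults]`. Once that is fixed the `-i` flag in the README becomes optional and the roles directory is resolved without relying on the default search path.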


@ -0,0 +1,13 @@
---
- name: setup client.linuxws2122.de
hosts: client.linuxws2122.de
remote_user: root
roles:
- { role: common }
- { role: networking }
- { role: hostname }
- { role: sshd }
- { role: unix_users }
- { role: sudo_users }
- { role: vim }
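Review bot: The roles list is written as one-key flow mappings (`- { role: common }`), which is more syntax than a plain role needs and is the only flow-style collection in the whole commit; `- common` (or `- role: common` once parameters are added) is the usual block form. The same applies to the gateway playbook in the next section. Both plays also hard-code `remote_user: root` while the inventory group_vars already set the SSH user, so the user is defined in two places that can drift apart; keeping it in the inventory alone is enough, since inventory connection variables take precedence over the play keyword anyway.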


@ -0,0 +1,14 @@
---
- name: setup gateway.linuxws2122.de
hosts: gateway.linuxws2122.de
remote_user: root
roles:
- { role: common }
- { role: networking }
- { role: hostname }
- { role: sshd }
- { role: unix_users }
- { role: sudo_users }
- { role: vim }
- { role: sysctl }
- { role: bind_dhcp }


@ -0,0 +1,5 @@
---
ansible_connection: ssh
ansible_ssh_user: root
ansible_ssh_pass: linuxws2122
ansible_ssh_extra_args: "-o PubkeyAuthentication=no -o PasswordAuthentication=yes"
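Review bot: `ansible_ssh_pass: linuxws2122` commits the root password of both VMs in clear text, and `ansible_ssh_extra_args` pins every run to password authentication; keep the password out of the repository (an `ansible-vault` encrypted variable, or `--ask-pass` for the bootstrap run) and let key-based login be the normal path. Note also that the sshd role in this commit templates `PasswordAuthentication no` into sshd_config while only the `linuxws2122` account receives authorized keys, so with `PubkeyAuthentication=no` forced here a second run as root would presumably no longer be able to connect at all — worth verifying before relying on repeated runs. `ansible_ssh_user` and `ansible_ssh_pass` are the pre-2.0 spellings; `ansible_user` and `ansible_password` are the current names and read consistently with `ansible_host` used in the host_vars.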


@ -0,0 +1,7 @@
---
sudo_users:
- root
- linuxws2122
sudo_without_password: true
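Review bot: `sudo_without_password: true` grants the `linuxws2122` account passwordless root through the wheel group, and that account's login password is committed in clear text in the unix_users host_vars, so anyone holding the repository and network access to the client has root on it without any further secret. If passwordless sudo is needed for the exercise, at least move the password into a vault-encrypted variable; otherwise the role default `false` already covers `root` and keeps a password prompt in front of privilege escalation.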


@ -0,0 +1,16 @@
---
unix_groups:
- linuxws2122
unix_users:
linuxws2122:
name: "linuxws2122"
ssh_key: markus@markus-pc.pub
additional_ssh_keys:
- name: markus@markus-nb.pub
hosts:
- all
shell: /bin/bash
main_group: linuxws2122
password: "linuxws2122"
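Review bot: `password: "linuxws2122"` is a clear-text login password in version control, and it is the same value the group_vars use as the SSH password; reference a vault-encrypted variable instead (for example `password: "{{ vault_linuxws2122_password }}"` with the value in an encrypted vars file). The `password_hash('sha512')` in the unix_users tasks only hashes it at run time, so the repository still holds the secret itself rather than a hash. A short comment on `additional_ssh_keys[].hosts: [all]` would help, since `hosts` is otherwise the per-machine filter for which keys are installed.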


@ -0,0 +1,6 @@
---
vim_users:
- user: root
branch: no-plugins
- user: linuxws2122
branch: no-plugins


@ -0,0 +1,20 @@
---
ansible_host: 192.168.179.73
networking:
- type: "ethernet"
filename: "10-enp1s0.network"
interface: "enp1s0"
route_metric: "10"
dhcp: true
- type: "ethernet"
filename: "10-enp2s0.network"
interface: "enp2s0"
route_metric: "20"
dhcp: false
ipv4_address: "192.168.179.251"
ipv4_netmask: "/24"
ipv4_gateway: "192.168.179.1"
ipv6_ignore_ra: true
dns_servers:
- "192.168.179.12"


@ -0,0 +1,116 @@
---
ansible_host: 192.168.179.117
networking:
- type: "ethernet"
filename: "10-enp1s0.network"
interface: "enp1s0"
route_metric: "10"
dhcp: false
ipv4_address: "192.168.179.250"
ipv4_netmask: "/24"
ipv4_gateway: "192.168.179.1"
ipv6_ignore_ra: true
dns_servers:
- "192.168.179.12"
- type: "ethernet"
filename: "10-enp2s0.network"
interface: "enp2s0"
route_metric: "20"
dhcp: false
ipv4_address: "192.168.181.1"
ipv4_netmask: "/24"
ipv4_gateway: ""
ipv6_ignore_ra: true
dns_servers:
- "192.168.181.1"
dhcpd_keys:
- name: dyndns
algorithm: hmac-sha256
secret: "KS8hRpqgCk0UKQRD3eBbxriXkTt6ePr0tQ7bUUcwX+o="
dhcpd_zones:
- name: linuxws2122.de
primary: "192.168.181.1"
key: dyndns
- name: 181.168.192.in-addr.arpa
primary: "192.168.181.1"
key: dyndns
dhcpd_interface: "enp2s0"
dhcpd_network_start: "192.168.181.0"
dhcpd_network_netmask: "255.255.255.0"
dhcpd_network_range: 192.168.181.20 192.168.181.200
dhcpd_ddns_domainname: linuxws2122.de
dhcpd_default_lease_time: "43200"
dhcpd_max_lease_time: "86400"
dhcpd_min_lease_time: "21600"
dhcpd_option_broadcast_address: "192.168.181.255"
dhcpd_option_domain_name: linuxws2122.de
dhcpd_option_domain_name_servers: "192.168.181.1"
dhcpd_option_routers: "192.168.181.1"
dhcpd_option_subnet_mask: "255.255.255.0"
bind9_global_allow_query:
- 192.168.179.0/24
- 192.168.181.0/24
bind9_keys:
- name: dyndns
algorithm: hmac-sha256
secret: KS8hRpqgCk0UKQRD3eBbxriXkTt6ePr0tQ7bUUcwX+o=
bind9_listen_on_ipv4:
- "192.168.181.1"
bind9_listen_on_ipv6: []
bind9_forward_zones:
- allow_query:
- any
allow_update:
- dyndns
type: master
origin: linuxws2122.de.
ttl: "3600"
records:
- name: "@\t\t" # \t only for indention
class: IN
type: SOA
value: "gateway.linuxws2122.de. hostmaster.linuxws2122.de. 2021121000 86400 7200 604800 3600"
- name: "\t\t" # \t only for indention
class: IN
type: NS
value: gateway
- name: "gateway\t\t" # \t only for indention
class: IN
type: A
value: 192.168.181.1
bind9_reverse_zones:
- allow_query:
- any
allow_update:
- dyndns
type: master
origin: 181.168.192.IN-ADDR.ARPA.
ttl: "3600"
records:
- name: "@\t\t" # "\t" only for indention
class: IN
type: SOA
value: "gateway.linuxws2122.de. hostmaster.linuxws2122.de. 2021121000 86400 7200 604800 3600"
- name: "\t\t" # "\t" only for indention
class: IN
type: NS
value: gateway.linuxws2122.de.
- name: "1\t\t" # "\t" only for indention
class: IN
type: PTR
value: gateway.linuxws2122.de.
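Review bot: The TSIG secret for the `dyndns` key is committed in clear text, once under `dhcpd_keys` and again under `bind9_keys`, so anyone with the repository and a route to the gateway can push dynamic updates into both zones; keep a single vault-encrypted variable and reference it from both places (`secret: "{{ vault_dyndns_tsig_secret }}"`), and rotate the key now that this value is in the history. Duplicating the literal also invites the two copies drifting apart, which would make every DDNS update fail with a BADSIG without an obvious cause. Two smaller points: `dhcpd_network_range: 192.168.181.20 192.168.181.200` is the only unquoted multi-word value in the file (the role defaults quote it), and the `"\t\t"` suffixes on record names exist purely to lay out the zone file, which the `zone.j2` template could do itself with a format filter.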

hosts.yaml Normal file

@ -0,0 +1,11 @@
all:
hosts:
client.linuxws2122.de:
gateway.linuxws2122.de:
children:
client:
hosts:
client.linuxws2122.de:
gateway:
hosts:
gateway.linuxws2122.de:


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJUTcUBb+55jRY9TkpLgm8K/8nJfEXyjEX8zljdCCRpi markus@markus-nb


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPOydCxv9/tAV7AdS2HsUIEu547Z5qUJnWYwiO7rI9YL markus@markus-pc


@ -0,0 +1,90 @@
---
# dhcpd_interface: "enp7s0"
# dhcpd_network_start: "192.168.181.0"
# dhcpd_network_netmask: "255.255.255.0"
# dhcpd_network_range: "192.168.181.20 192.168.181.200"
# dhcpd_default_lease_time: "43200"
# dhcpd_max_lease_time: "2168640000"
# dhcpd_min_lease_time: "21600"
# dhcpd_ddns_domainname: "linuxws2122.de"
# dhcpd_option_broadcast_address: "192.168.181.255"
# dhcpd_option_domain_name: "linuxws2122.de"
# dhcpd_option_domain_name_servers: "192.168.181.1"
# dhcpd_option_routers: "192.168.181.1"
# dhcpd_option_subnet_mask: "255.255.255.0"
# dhcpd_keys:
# - name: dyndns
# algorithm: hmac-sha256
# secret: ""
# dhcpd_zones:
# - name: linuxws2122.de
# primary: "192.168.181.1"
# key: dyndns
# - name: 181.168.192.in-addr.arpa
# primary: "192.168.181.1"
# key: dyndns
# bind9_global_allow_query:
# - "192.168.181.0/24"
# bind9_keys:
# - name: dyndns
# algorithm: hmac-sha512
# secret: "+7bISG4ktFi2ytU9WXvBX41ZlxxfW5G+sHKtetNlQjk="
# bind9_listen_on_ipv4:
# - "192.168.181.1"
# bind9_listen_on_ipv6: []
# bind9_forward_zones:
# - allow_query:
# - "any"
# allow_update:
# - dyndns
# type: master
# origin: "linuxws2122.de."
# ttl: "3600"
# records:
# - name: "\t\t" # only for indention
# class: "IN"
# type: "SOA"
# value: "gateway.linuxws2122.de. hostmaster.linuxws2122.de. 2021092000 86400 7200 604800 3600"
# - name: "\t\t" # only for indention
# class: "IN"
# type: "NS"
# value: "gateway"
# - name: "gateway\t\t"
# class: "IN"
# type: "A"
# value: "192.168.181.1"
# bind9_reverse_zones:
# - allow_query:
# - "any"
# allow_update:
# - dyndns
# type: master
# origin: "181.168.192.IN-ADDR.ARPA."
# ttl: "3600"
# records:
# - name: "\t\t" # "\t" only for indention
# class: "IN"
# type: SOA
# value: "gateway.linuxws2122.de. hostmaster.linuxws2122.de. 2021092000 86400 7200 604800 3600"
# - name: "\t\t" # "\t" only for indention
# class: "IN"
# type: NS
# value: "gateway.linuxws2122.de."
# - name: "1\t\t" # "\t" only for indention
# class: "IN"
# type: A
# value: "gateway.linuxws2122.de."
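Review bot: The last example record under `bind9_reverse_zones` has `type: A` with a hostname as value; in a reverse zone that entry is a `PTR`, which is also what the gateway host_vars actually use — `# type: PTR`. Since every variable in this file is commented out, the role ships no defaults at all, and a host that omits any `dhcpd_*`/`bind9_*` variable fails at template time with an undefined-variable error; either give the harmless ones real defaults (lease times, `bind9_listen_on_ipv6: []`) or list the required ones in a role README. The commented `bind9_keys` example also carries what looks like a real base64 secret; an example should use an empty string, as the `dhcpd_keys` example above it does.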


@ -0,0 +1,13 @@
---
- name: restart dhcpd
systemd:
name: dhcpd
state: restarted
daemon_reload: true
- name: restart named
systemd:
name: named
state: restarted
daemon_reload: true


@ -0,0 +1,36 @@
---
- name: create dhcp config dir
file:
path: /etc/named
owner: named
group: named
mode: 0755
state: directory
- name: set up zones
template:
src: zone.j2
dest: /etc/named/{{ item.origin }}db
owner: named
group: named
mode: 0644
with_items:
- "{{ bind9_forward_zones }}"
- "{{ bind9_reverse_zones }}"
notify: restart named
- name: set up global bind config
template:
src: named.conf.j2
dest: /etc/named.conf
owner: named
group: named
mode: 0644
notify: restart named
- name: start and enabled named
systemd:
name: named
state: started
enabled: yes
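Review bot: The `set up zones` task re-templates every zone file on each run, but both zones have `allow_update` for the `dyndns` key, so named rewrites those files (and keeps a `.jnl` journal beside them) as DHCP clients register; overwriting them from the template discards those updates and can leave the journal out of step with the file, which named may then refuse to load. Template the zone only when it does not exist yet (`force: false` on the template task) or freeze/thaw the zone around the change, and make later edits through `rndc`. Separately, `/etc/named.conf` contains the TSIG secret and is installed with `mode: 0644`, which makes the key readable by every local account; `mode: "0640"` together with the existing `group: named` keeps it readable by the daemon only. The first task is named `create dhcp config dir` but creates `/etc/named` (copy-paste from dhcpd.yaml).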


@ -0,0 +1,53 @@
---
- name: create dhcp config dir
file:
path: /etc/dhcp
owner: root
group: root
mode: 0755
state: directory
- name: create dhcpd config
template:
src: dhcpd.conf.j2
dest: /etc/dhcp/dhcpd.conf
owner: root
group: root
mode: 0644
- name: cleanup cache files
block:
- name: check if cache dir exists
stat:
path: /var/lib/dhcpd
register: cache_stats
- name: remove cache dir
file:
path: /var/lib/dhcpd/
state: absent
when: cache_stats.stat.exists
- name: create cache dir
file:
path: /var/lib/dhcpd/
owner: dhcpd
group: dhcpd
mode: 0755
state: directory
- name: create cache files
file:
path: "/var/lib/dhcpd/{{ item }}"
owner: dhcpd
group: dhcpd
mode: 0644
state: touch
with_items:
- dhcpd.leases
- dhcpd6.leases
notify: restart dhcpd
- name: start and enable dhcpd
systemd:
name: dhcpd
state: started
enabled: yes
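Review bot: The `create dhcpd config` template task has no `notify`, so a changed `dhcpd.conf` is only picked up because the unrelated `create cache files` task (`state: touch`) reports changed on every run and triggers the restart handler — move `notify: restart dhcpd` to the template task. The `cleanup cache files` block is unconditional, so every playbook run deletes `/var/lib/dhcpd/` and with it all current leases; gate it behind a variable, or keep only the creation tasks and add `modification_time: preserve` / `access_time: preserve` to the touch so it is idempotent. `dhcpd.conf` embeds the TSIG secret and is written with `mode: 0644`, so any local account can read the key; `mode: "0640"` with `group: dhcpd` is sufficient for the daemon.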


@ -0,0 +1,15 @@
---
- name: install bind (named) and dependencies
yum:
name: "{{ item }}"
with_items:
- bind
- bind-utils
- dhcp-server
- name: configure dhcpd server
include_tasks: dhcpd.yaml
- name: configure bind9 server
include_tasks: bind9.yaml
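Review bot: Looping `yum` with `with_items` over `name: "{{ item }}"` runs one transaction per package and is flagged by ansible-lint; pass the list directly, which also lets the task state the intended package state: `yum:` / `name: [bind, bind-utils, dhcp-server]` / `state: present`. Without `state`, the task relies on the module default, which is fine today but reads as an omission next to the other roles that spell it out.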


@ -0,0 +1,37 @@
authoritative;
ddns-update-style interim;
ignore client-updates;
{% for key in dhcpd_keys %}
key "{{ key.name }}" {
algorithm {{ key.algorithm }};
secret "{{ key.secret }}";
}
{% endfor %}
{% for zone in dhcpd_zones %}
zone {{ zone.name }} {
primary {{ zone.primary }};
key "{{ zone.key }}";
}
{% endfor %}
subnet {{ dhcpd_network_start }} netmask {{ dhcpd_network_netmask }} {
interface {{ dhcpd_interface }};
range {{ dhcpd_network_range }};
default-lease-time {{ dhcpd_default_lease_time }};
max-lease-time {{ dhcpd_max_lease_time }};
min-lease-time {{ dhcpd_min_lease_time }};
ddns-domainname "{{ dhcpd_ddns_domainname }}";
update-static-leases on;
option broadcast-address {{ dhcpd_option_broadcast_address }};
option domain-name "{{ dhcpd_option_domain_name }}";
option domain-name-servers {{ dhcpd_option_domain_name_servers }};
option routers {{ dhcpd_option_routers }};
option subnet-mask {{ dhcpd_option_subnet_mask }};
}
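Review bot: `ddns-update-style interim;` is the legacy update style; ISC DHCP 4.3 and later document `standard` as its replacement, so check the dhcp-server version the role installs and prefer `ddns-update-style standard;` if it is recent. The `zone {{ zone.name }}` declarations are emitted without a trailing dot, whereas ISC's examples write them fully qualified and the host_vars already use that form for the bind9 `origin` values — aligning the two avoids a mismatch between the zone dhcpd updates and the zone named serves.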


@ -0,0 +1,129 @@
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 {
{% for ip in bind9_listen_on_ipv4 %}
{{ ip }};
{% endfor %}
127.0.0.1;
};
listen-on-v6 port 53 {
{% for ip in bind9_listen_on_ipv6 %}
{{ ip }};
{% endfor %}
::1;
};
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query {
{% for ip in bind9_global_allow_query %}
{{ ip }};
{% endfor %}
localhost;
};
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
{% for zone in bind9_forward_zones %}
zone "{{ zone.origin }}" {
allow-query {
{% for entry in zone.allow_query %}
{{ entry }};
{% endfor %}
};
allow-update {
{% for entry in zone.allow_update %}
key {{ entry }};
{% endfor %}
};
file "/etc/named/{{ zone.origin }}db";
type {{ zone.type }};
};
{% endfor %}
{% for zone in bind9_reverse_zones %}
zone "{{ zone.origin }}" {
allow-query {
{% for entry in zone.allow_query %}
{{ entry }};
{% endfor %}
};
allow-update {
{% for entry in zone.allow_update %}
key {{ entry }};
{% endfor %}
};
file "/etc/named/{{ zone.origin }}db";
type {{ zone.type }};
};
{% endfor %}
{% for key in bind9_keys %}
key "{{ key.name }}" {
algorithm {{ key.algorithm }};
secret "{{ key.secret }}";
};
{% endfor %}
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";


@ -0,0 +1,6 @@
$ORIGIN {{ item.origin }}
$TTL {{ item.ttl }}
{% for record in item.records %}
{{ record.name }} {{ record.class | default('IN') }} {{ record.type | default('A') }} {{ record.value }}
{% endfor %}
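Review bot: The record line relies on the `\t\t` suffixes that the host_vars append to every `name` to get column alignment, which leaks layout into data and makes any record with an ordinary name render without separation from the class field. Pad in the template instead, e.g. `{{ "%-24s" | format(record.name) }} {{ record.class | default('IN') }} {{ record.type | default('A') }} {{ record.value }}`, and drop the tabs from the host_vars. An empty `name` then renders as spaces, which the zone file syntax treats as "same owner as the previous record", exactly as the tab-only names do today.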


@ -0,0 +1,16 @@
---
- name: system update
yum:
name: '*'
state: latest
- name: stop firewalld
systemd:
name: firewalld
state: stopped
enabled: no
- name: disable SELinux
selinux:
state: disabled
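Review bot: This role disables SELinux and stops firewalld on every host it touches, including the gateway that forwards traffic and serves DNS and DHCP for the lab network; those are the two host-level controls that would contain a compromised service, and nothing else in the commit reintroduces any filtering. If the lab needs them off, gate each behind a variable (`common_disable_selinux`, `common_stop_firewalld`) defaulting to `false` so the decision is visible per host; otherwise `state: permissive` plus firewalld rules for the DNS/DHCP ports on the gateway would keep the exercise working. `yum: name: '*'` with `state: latest` also upgrades every package on each run, so two runs are never equivalent; a dedicated update step, or `state: present`, is the usual pattern. `enabled: no` should be `false` to match the boolean style used elsewhere in the repository.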


@ -0,0 +1,2 @@
---
hostname_reboot: true


@ -0,0 +1,20 @@
---
- name: update hosts file
ansible.builtin.template:
src: hosts.j2
dest: /etc/hosts
owner: root
group: root
mode: 0644
backup: yes
register: _hostname
- name: update hostname
ansible.builtin.template:
src: hostname.j2
dest: /etc/hostname
owner: root
group: root
mode: 0644
backup: yes
register: _hostname
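Review bot: Both tasks `register: _hostname`, so the first result is overwritten by the second, and nothing in the role consumes the variable or the `hostname_reboot: true` default from the role defaults — either add the reboot handling (`ansible.builtin.reboot` when `_hostname.changed and hostname_reboot`) or drop both. Writing `/etc/hostname` does not change the running hostname; `ansible.builtin.hostname: name: "{{ inventory_hostname }}"` applies it immediately and persistently, which would make a reboot unnecessary for this purpose. The `hosts.j2` template only carries the two localhost entries, so the machine's own FQDN resolves solely via DNS; if local resolution is wanted, add an entry for `{{ inventory_hostname }}`.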


@ -0,0 +1 @@
{{ inventory_hostname }}


@ -0,0 +1,2 @@
127.0.0.1 localhost.localdomain localhost localhost4
::1 localhost.localdomain localhost localhost6


@ -0,0 +1,41 @@
---
networking_timezone: Europe/Berlin
networking:
- type: "ethernet"
filename: "10-en.network"
interface: "en*"
route_metric: "10"
dhcp: true
# Example: Static IP-Address
# networking:
# - type: "ethernet"
# filename: "10-eth0.network"
# interface: "eth0"
# route_metric: "99"
# dhcp: false
# ipv4_address: "192.168.178.12"
# ipv4_netmask: "/24"
# ipv4_gateway: "192.168.178.1"
# ipv6_address:
# ipv6_netmask:
# ipv6_gateway:
# ipv6_ignore_ra: true
# dns_servers:
# - 10.11.12.13
# - 13.12.11.10
# Example: WLAN interface
# networking:
# - type: "wireless"
# filename: "20-wlp.network"
# interface: "wlp*"
# route_metric: "20"
# dhcp: true
# networking_wpa_supplicant:
# - interface: "wlp4s0"
# ssid: ""
# psk: ""


@ -0,0 +1,13 @@
[Unit]
Description=WPA supplicant daemon (interface-specific version)
Requires=sys-subsystem-net-devices-%i.device
After=sys-subsystem-net-devices-%i.device
Before=network.target
Wants=network.target
[Service]
Type=simple
ExecStart=/usr/bin/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-%I.conf -i%I -Dnl80211,wext
[Install]
Alias=multi-user.target.wants/wpa_supplicant@%i.service


@ -0,0 +1,7 @@
---
- name: restart networkd
systemd:
name: systemd-networkd
state: restarted
daemon_reload: true


@ -0,0 +1,154 @@
---
- name: "install systemd-networkd"
block:
- name: "install systemd-networkd (Arch Linux)"
pacman:
name: systemd-networkd
state: present
when: ansible_os_family == "Archlinux"
- name: "install systemd-networkd (RedHat)"
yum:
name: systemd-networkd
state: present
when: ansible_os_family == "RedHat"
- name: "uninstall NetworkManager"
block:
- name: "uninstall NetworkManager (Arch Linux)"
pacman:
name: NetworkManager
state: absent
when: ansible_os_family == "Archlinux"
- name: "uninstall systemd-networkd (RedHat)"
yum:
name: NetworkManager
state: absent
when: ansible_os_family == "RedHat"
- name: "remove existing systemd-networkd configuration"
file:
path: "/etc/systemd/network"
state: absent
- name: "create systemd-networkd directory"
file:
path: "/etc/systemd/network"
owner: root
group: root
mode: 0755
state: directory
- name: "setup network interfaces via systemd-networkd (DHCP)"
block:
- name: filter dhcp interfaces
set_fact:
dhcp_interfaces: "{{ (dhcp_interfaces | default([])) + [ item ] }}"
when: item.dhcp
with_items: "{{ networking }}"
- name: "configure network interface {{ item.name }} (DHCP)"
template:
src: 10-dhcp.network.j2
dest: "/etc/systemd/network/{{ item.filename }}"
owner: root
group: root
mode: 0644
when: dhcp_interfaces is defined
with_items: "{{ dhcp_interfaces }}"
- name: "setup network interfaces via systemd-networkd (static)"
block:
- name: filter static interfaces
set_fact:
static_interfaces: "{{ (static_interfaces | default([])) + [ item ] }}"
when: not item.dhcp
with_items: "{{ networking }}"
- name: "configure network interface {{ item.name }} (static)"
template:
src: 10-static.network.j2
dest: "/etc/systemd/network/{{ item.filename }}"
owner: root
group: root
mode: 0644
when: static_interfaces is defined
with_items: "{{ static_interfaces }}"
- name: "setup wpa_supplicant configurations"
when: networking_wpa_supplicant is defined and networking_wpa_supplicant | length > 0
block:
- name: "copy systemd unit for custom wpa_supplicant@.service"
copy:
src: files/wpa_supplicant@.service
dest: /etc/systemd/system/wpa_supplicant@.service
owner: root
group: root
- name: "create wpa_supplicant configuration files"
template:
src: wpa_supplicant.conf.j2
dest: "/etc/wpa_supplicant/wpa_supplicant-{{ item.interface }}.conf"
owner: root
group: root
mode: 0640
with_items: "{{ networking_wpa_supplicant }}"
- name: "start and enable wpa_supplicant for interfaces"
service:
name: wpa_supplicant@{{ item.interface }}.service
state: started
enabled: yes
with_items: "{{ networking_wpa_supplicant }}"
- name: create symlink to resolv.conf
file:
src: /run/systemd/resolve/stub-resolv.conf
dest: /etc/resolv.conf
state: link
force: yes
follow: no
owner: root
group: root
- name: enable networkd
service:
name: systemd-networkd
enabled: yes
daemon_reload: yes
- name: start and enable resolved
service:
name: systemd-resolved
state: started
enabled: yes
daemon_reload: yes
- name: set timezone
timezone:
name: "{{ networking_timezone }}"
- name: start and enable timesyncd
service:
name: systemd-timesyncd
state: started
enabled: yes
daemon_reload: yes
- name: start systemd-networkd after dbus.sock
block:
- name: create drop-in for systemd-networkd
file:
path: /etc/systemd/system/systemd-networkd.d
owner: root
group: root
mode: 0755
state: directory
- name: template after-dbus.conf
template:
src: after-dbus.conf.j2
dest: /etc/systemd/system/systemd-networkd.d/after-dbus.conf
owner: root
group: root
mode: 0644
when: ansible_os_family == "RedHat"
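Review bot: The two template task names reference `{{ item.name }}`, but the `networking` entries carry `interface` and `filename` and no `name`, so the task title renders the raw expression; use `{{ item.interface }}`. Neither template task notifies the `restart networkd` handler defined in this role, so edited `.network` files only take effect after a reboot or a manual restart — add `notify: restart networkd` to both. The drop-in directory is created as `/etc/systemd/system/systemd-networkd.d`, but systemd looks for unit drop-ins in `<unit>.d`, i.e. `systemd-networkd.service.d`, so the `after-dbus.conf` it installs is never read. The `uninstall NetworkManager (RedHat)` task is mislabeled `uninstall systemd-networkd (RedHat)`, and `remove existing systemd-networkd configuration` deletes `/etc/systemd/network` on every run, so the role can never report unchanged; templating over the existing files and removing only unmanaged ones would make it idempotent.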


@ -0,0 +1,9 @@
[Match]
Name={{ item.interface }}
[Network]
DHCP=yes
Domains={{ inventory_hostname.split(".")[1:] | join('.') | lower }}
[DHCP]
RouteMetric={{ item.route_metric }}


@ -0,0 +1,31 @@
[Match]
Name={{ item.interface }}
[Network]
Gateway={{ item.ipv4_gateway }}
{% if item.ipv6_gateway is defined %}
Gateway={{ item.ipv6_gateway }}
{% endif %}
{% if item.ipv6_ignore_ra|default(false) is true %}
IPv6AcceptRA=false
{% endif %}
{% for dns_server in item.dns_servers %}
DNS={{ dns_server }}
{% endfor %}
[Address]
Address={{ item.ipv4_address }}{{ item.ipv4_netmask }}
RouteMetric={{ item.route_metric }}
{% if item.ipv4_netmask == "/32" %}
Peer={{ item.ipv4_gateway }}{{ item.ipv4_netmask}}
{% endif %}
{% if item.ipv6_address is defined %}
[Address]
Address={{ item.ipv6_address }}{{ item.ipv6_netmask }}
{% endif %}
{% if item.ipv6_gateway is defined and not item.ipv6_gateway.startswith("fe80") %}
[Route]
Destination={{ item.ipv6_gateway }}
{% endif %}
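Review bot: `Gateway={{ item.ipv4_gateway }}` is emitted unconditionally, so the gateway host's `enp2s0` entry (`ipv4_gateway: ""`) renders an empty `Gateway=` line in `[Network]`, which networkd at best ignores and at worst logs as a parse error; wrap it the same way the IPv6 gateway is: `{% if item.ipv4_gateway %}` / `Gateway={{ item.ipv4_gateway }}` / `{% endif %}`. `item.dns_servers` is looped without a `default([])`, so an entry that omits the key fails at template time even though `ipv6_*` keys are treated as optional. `{{ item.ipv4_netmask}}` on the `Peer=` line lacks the space before the closing braces — harmless to Jinja, but inconsistent with the rest of the file.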


@ -0,0 +1,2 @@
[Unit]
After=dbus.sock
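Review bot: `After=dbus.sock` is not a valid unit name, since unit names need a recognised type suffix; the D-Bus socket unit is `dbus.socket`, so systemd logs the dependency as invalid and the ordering this drop-in exists for never applies. Change it to `After=dbus.socket`.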


@ -0,0 +1,9 @@
ctrl_interface=/run/wpa_supplicant
ctrl_interface_group=wheel
update_config=1
ap_scan=1
network={
ssid="{{ item.ssid }}"
psk="{{ item.psk }}"
}


@ -0,0 +1,3 @@
---
# sshd_port: 22


@ -0,0 +1,6 @@
---
- name: restart sshd
service:
name: sshd
state: restarted

roles/sshd/tasks/main.yml Normal file

@ -0,0 +1,16 @@
---
- name: install openssh
yum:
name: openssh
state: present
- name: configure sshd
template:
src: sshd_config.j2
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: 0644
validate: '/usr/sbin/sshd -t -f %s'
notify:
- restart sshd
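Review bot: The install task requests the `openssh` package, which on RedHat-family systems (the only family this `yum` task serves) provides the shared base files but not the server; `sshd` and its unit ship in `openssh-server`, so on a minimal image the template task's `validate: '/usr/sbin/sshd -t -f %s'` fails because the binary is absent. Change it to `name: openssh-server` (or a list containing both). Given that SSH is the only management path into these VMs, `backup: true` on the template task is cheap insurance against a bad render.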


@ -0,0 +1,120 @@
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
{% if sshd_port is defined and sshd_port > 0 %}
Port {{ sshd_port }}
{% else %}
# Port 22
{% endif %}
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no # pam does that
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
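Review bot: `Subsystem sftp /usr/lib/ssh/sftp-server` is the Arch Linux path; on RedHat-family hosts, which is what the sshd role installs for, the binary lives at `/usr/libexec/openssh/sftp-server`, and `sshd -t` does not check that the path exists, so sftp sessions fail at run time with no hint from the validation step — make the path a role variable or choose it on `ansible_os_family`. `PermitRootLogin yes` allows root password logins whenever password authentication is enabled, which the bootstrap connection in group_vars relies on; `PermitRootLogin prohibit-password` keeps key-based root access while closing that path once keys are in place. The file is based on an OpenSSH 7.x default, so a comment noting that newer releases spell `ChallengeResponseAuthentication` as `KbdInteractiveAuthentication` would save the next reader a search.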


@ -0,0 +1,5 @@
---
sudo_users:
- root
sudo_without_password: false


@ -0,0 +1,82 @@
---
- name: install sudo
yum:
name: sudo
state: present
# https://github.com/ansible/ansible/issues/11024
- name: remove all users from wheel group
command: groupmems -g wheel --purge
register: groupmems
changed_when: "groupmems.rc == 0"
- name: add sudo users to wheel
user:
name: "{{ item }}"
append: yes
groups: [ wheel ]
with_items: "{{ sudo_users }}"
- name: remove wheel group to use sudo
block:
- name: remove wheel group to use sudo with password
lineinfile:
dest: /etc/sudoers
state: present
regexp: '^%wheel ALL=\(ALL\) ALL'
line: '# %wheel ALL=(ALL) ALL'
validate: 'visudo -cf %s'
mode: 0440
owner: root
group: root
- name: remove wheel group to use sudo without password
lineinfile:
dest: /etc/sudoers
state: present
regexp: '^%wheel ALL=\(ALL\) NOPASSWD: ALL'
line: '# %wheel ALL=(ALL) NOPASSWD: ALL'
validate: 'visudo -cf %s'
mode: 0440
owner: root
group: root
- name: allow wheel group to use sudo
block:
- name: allow wheel group to use sudo with password
lineinfile:
dest: /etc/sudoers
state: present
regexp: '^# %wheel ALL=\(ALL\) ALL'
line: '%wheel ALL=(ALL) ALL'
validate: 'visudo -cf %s'
mode: 0440
owner: root
group: root
when: not sudo_without_password
- name: allow wheel group to use sudo without password
tags: [ sudo_users_no_pwd ]
lineinfile:
dest: /etc/sudoers
state: present
regexp: '^# %wheel ALL=\(ALL\) NOPASSWD: ALL'
line: '%wheel ALL=(ALL) NOPASSWD: ALL'
validate: 'visudo -cf %s'
mode: 0440
owner: root
group: root
when: sudo_without_password
# - name: secure path to protect against attacks
# lineinfile:
# dest: /etc/sudoers
# state: present
# regexp: '^Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"'
# insertafter: '^# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'
# line: 'Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"'
# validate: 'visudo -cf %s'
# mode: 0440
# owner: root
# group: root
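Review bot: `groupmems -g wheel --purge` runs unconditionally and `changed_when: "groupmems.rc == 0"` reports it changed every time, so the role never converges; comparing the current members (`getent group wheel`) with `sudo_users` and purging only on a difference would also close the window between the purge and `add sudo users to wheel` in which no account can use sudo if the run aborts. The `lineinfile` regexps match `%wheel ALL=(ALL) ALL` with single spaces, while the sudoers shipped on RedHat-family images separates those fields with tabs, so presumably none of the four edits ever match and `sudo_without_password` has no effect — use `\s+` between the fields (`regexp: '^%wheel\s+ALL=\(ALL\)\s+ALL$'`) and verify against the actual file. Since every task already passes `validate: 'visudo -cf %s'`, writing a dedicated `/etc/sudoers.d/wheel` file from a template would be simpler and more robust than toggling comment markers in the main file.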


@ -0,0 +1,7 @@
---
- name: configure sysctl properties
sysctl:
name: net.ipv4.ip_forward
value: '1'
state: present


@ -0,0 +1,76 @@
---
- name: create unix groups
group:
name: "{{ item }}"
state: present
system: no
with_items: "{{ unix_groups }}"
when: unix_groups is defined
- name: filter unix_users for users with non-matching hosts
set_fact:
unix_users_filtered: "{{ (unix_users_filtered | default([])) + [ item ] }}"
when: item.value.hosts is not defined or inventory_hostname in item.value.hosts
with_dict: "{{ unix_users }}"
- name: create unix users
block:
- name: create unix users
user:
name: "{{ item.key }}"
group: "{{ item.value.main_group | default('users') }}"
comment: "{{ item.value.name }}"
shell: "{{ item.value.shell | default('/bin/bash') }}"
password: "{{ item.value.password | password_hash('sha512') }}"
state: present
loop: "{{ unix_users_filtered }}"
when: "item.value.groups is not defined"
- name: create unix users with additional groups
user:
name: "{{ item.key }}"
group: "{{ item.value.main_group }}"
groups: "{{ item.value.groups | join(',') }}"
comment: "{{ item.value.name }}"
shell: "{{ item.value.shell | default('/bin/bash') }}"
password: "{{ item.value.password | password_hash('sha512') }}"
state: present
loop: "{{ unix_users_filtered }}"
when: "item.value.groups is defined"
- name: create .ssh directory
file:
path: "/home/{{ item.key }}/.ssh"
state: directory
owner: "{{ item.key }}"
group: "{{ item.value.main_group | default('users') }}"
mode: 0700
loop: "{{ unix_users_filtered }}"
- name: configure ssh keys
template:
src: authorized_keys.j2
dest: "/home/{{ item.key }}/.ssh/authorized_keys"
owner: "{{ item.key }}"
group: "{{ item.value.main_group | default('users') }}"
mode: 0600
when: item.value.ssh_key is defined
loop: "{{ unix_users_filtered }}"
- name: remove ssh keys if undefined
file:
path: "/home/{{ item.key }}/.ssh/authorized_keys"
state: absent
when: item.value.ssh_key is not defined
loop: "{{ unix_users_filtered }}"
- name: create email forward file if defined
template:
src: forward.j2
dest: "/home/{{ item.key }}/.forward"
owner: "{{ item.key }}"
group: "{{ item.value.main_group | default('users') }}"
mode: 0644
when: item.value.email is defined
loop: "{{ unix_users_filtered }}"
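Review bot: `password_hash('sha512')` is called without a salt, so a fresh random salt and therefore a different hash is produced on every run, and both `create unix users` tasks rewrite `/etc/shadow` and report changed each time; seed the salt per host and account, `password_hash('sha512', 65534 | random(seed=inventory_hostname ~ item.key) | string)`, so the hash is stable across runs. The `.ssh`, `authorized_keys` and `.forward` paths hard-code `/home/{{ item.key }}` instead of the account's actual home, so any user whose home is elsewhere gets the files in the wrong place; the `user` module's return value includes `home`, which can be registered and reused. `system: no` in the group task should be `false` for consistency with the booleans used elsewhere.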


@ -0,0 +1,16 @@
#jinja2: lstrip_blocks: True
{% set keys = [item.value.ssh_key] %}
{% if item.value.additional_ssh_keys is defined %}
{% for key in item.value.additional_ssh_keys %}
{% if inventory_hostname in key.hosts or 'all' in key.hosts %}
{{- keys.append(key.name) -}}
{% endif %}
{% endfor %}
{% endif %}
{% for key in keys %}
{% if unix_users_ssh_options is defined %}
{{ lookup('file', 'pubkeys/' + key) | regex_replace('(.*\S.*)', unix_users_ssh_options + ' \\1') }}
{% else %}
{{ lookup('file', 'pubkeys/' + key) }}
{% endif %}
{% endfor %}


@ -0,0 +1 @@
{{ item.value.email }}


@ -0,0 +1,6 @@
---
vimrc_repository: https://git.cryptic.systems/volker.raschek/vim.git
vim_users: []
# - user: markus
# branch: master


@ -0,0 +1,19 @@
---
- name: "getent for user {{ item.user }}"
getent:
database: passwd
key: "{{ item.user }}"
- name: "clone vimrc repository for user {{ item.user }}"
git:
repo: https://git.cryptic.systems/volker.raschek/vim.git
dest: "{{ getent_passwd[item.user][4] }}/.vim"
version: "{{ item.branch }}"
- name: correct permissions
file:
path: "{{ getent_passwd[item.user][4] }}/.vim"
owner: "{{ getent_passwd[item.user][1] }}"
group: "{{ getent_passwd[item.user][2] }}"
state: directory
recurse: yes
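Review bot: The `git` task hard-codes `repo: https://git.cryptic.systems/volker.raschek/vim.git` although the role defaults define `vimrc_repository` with exactly that value, so overriding the variable does nothing; use `repo: "{{ vimrc_repository }}"`. Cloning as root and then chowning the tree recursively works, but running the clone as the target user (`become: true` with `become_user: "{{ item.user }}"`) avoids a root-owned checkout and makes the `correct permissions` task unnecessary. With the module default `update: yes` the checkout is refreshed from the remote on every run, which makes every play depend on that host being reachable — set `update: false` if that is not intended.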

roles/vim/tasks/main.yml Normal file

@ -0,0 +1,14 @@
---
- name: install vim
yum:
name: vim
state: present
- name: install git to clone vimrc repository
yum:
name: git
state: present
- name: clone vimrc repository
include_tasks: git-clone.yml
with_items: "{{ vim_users }}"