Initial Commit
commit
8354baa32f
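--- a/README.md
+++ b/README.md
@@ -0,0 +1,13 @@
+# linuxws2122 - Ansible
+
+Setup gateway and client vm via ansible.
+
+- Adapt IP-Adresse of the client and gateway VM in host_vars.
+- Adapt name of the interfaces for booth VMs in host_vars.
+- Configure your Router (Fritz!Box, SpeedPort, ect) to route traffic for
+192.168.181.0/24 via gateway.
+
+```bash
+ansible-playbook -i hosts.yaml gateway.linuxws2122.de.yaml
+ansible-playbook -i hosts.yaml client.linuxws2122.de.yaml
+```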
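--- a/ansible.cfg
+++ b/ansible.cfg
@@ -0,0 +1,3 @@
+[default]
+inventory = hosts.yaml
+roles_path = roles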
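Review bot: `[default]` on the first line is not a section Ansible reads — its configuration section is `[defaults]` — so `inventory` and `roles_path` are silently ignored here; the runs only work because the README passes `-i hosts.yaml` explicitly and Ansible looks in `./roles` next to the playbook anyway. Change the header to `[defaults]`.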
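--- a/client.linuxws2122.de.yaml
+++ b/client.linuxws2122.de.yaml
@@ -0,0 +1,13 @@
+---
+
+- name: setup client.linuxws2122.de
+hosts: client.linuxws2122.de
+remote_user: root
+roles:
+- { role: common }
+- { role: networking }
+- { role: hostname }
+- { role: sshd }
+- { role: unix_users }
+- { role: sudo_users }
+- { role: vim }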
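--- a/gateway.linuxws2122.de.yaml
+++ b/gateway.linuxws2122.de.yaml
@@ -0,0 +1,14 @@
+---
+- name: setup gateway.linuxws2122.de
+hosts: gateway.linuxws2122.de
+remote_user: root
+roles:
+- { role: common }
+- { role: networking }
+- { role: hostname }
+- { role: sshd }
+- { role: unix_users }
+- { role: sudo_users }
+- { role: vim }
+- { role: sysctl }
+- { role: bind_dhcp }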
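--- a/group_vars/all/ansible.yml
+++ b/group_vars/all/ansible.yml
@@ -0,0 +1,5 @@
+---
+ansible_connection: ssh
+ansible_ssh_user: root
+ansible_ssh_pass: linuxws2122
+ansible_ssh_extra_args: "-o PubkeyAuthentication=no -o PasswordAuthentication=yes"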
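Review bot: The root SSH password is committed in clear text on the `ansible_ssh_pass` line, and `ansible_ssh_extra_args` forces password authentication on every run. That also conflicts with the sshd role in this same commit, which renders `PasswordAuthentication no` and restarts sshd at the end of the play, so a second run with these settings can no longer authenticate. Treat these as bootstrap-only credentials: move the password into an `ansible-vault` encrypted file (or use `--ask-pass`), and drop `-o PubkeyAuthentication=no` so the keys deployed by unix_users take over once they exist.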
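--- a/group_vars/all/sudo_users.yaml
+++ b/group_vars/all/sudo_users.yaml
@@ -0,0 +1,7 @@
+---
+
+sudo_users:
+- root
+- linuxws2122
+
+sudo_without_password: true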
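Review bot: `sudo_without_password: true` is granted to `linuxws2122`, the same account that group_vars/all/unix_users.yaml gives the login password `linuxws2122`; the deployed SSH key is then the only barrier between a guessed password and root. Keep the `false` default from roles/sudo_users/defaults, or at least revert this once bring-up is done. Listing `root` under `sudo_users` is redundant.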
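--- a/group_vars/all/unix_users.yaml
+++ b/group_vars/all/unix_users.yaml
@@ -0,0 +1,16 @@
+---
+
+unix_groups:
+- linuxws2122
+
+unix_users:
+linuxws2122:
+name: "linuxws2122"
+ssh_key: markus@markus-pc.pub
+additional_ssh_keys:
+- name: markus@markus-nb.pub
+hosts:
+- all
+shell: /bin/bash
+main_group: linuxws2122
+password: "linuxws2122"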
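Review bot: `password: "linuxws2122"` is a clear-text password equal to the username, committed to git, for an account that sudo_users.yaml makes passwordless-sudo. If the unix_users role (not part of this view) hands this straight to the `user` module's `password`, Ansible expects an already hashed value, so a plain string is stored as an unusable hash; pass it through `password_hash('sha512')` and keep the clear-text value in an `ansible-vault` file, or drop the password entirely since the account has SSH keys.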
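--- a/group_vars/all/vim_users.yaml
+++ b/group_vars/all/vim_users.yaml
@@ -0,0 +1,6 @@
+---
+vim_users:
+- user: root
+branch: no-plugins
+- user: linuxws2122
+branch: no-plugins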
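--- a/host_vars/client.linuxws2122.de.yaml
+++ b/host_vars/client.linuxws2122.de.yaml
@@ -0,0 +1,20 @@
+---
+ansible_host: 192.168.179.73
+
+networking:
+- type: "ethernet"
+filename: "10-enp1s0.network"
+interface: "enp1s0"
+route_metric: "10"
+dhcp: true
+- type: "ethernet"
+filename: "10-enp2s0.network"
+interface: "enp2s0"
+route_metric: "20"
+dhcp: false
+ipv4_address: "192.168.179.251"
+ipv4_netmask: "/24"
+ipv4_gateway: "192.168.179.1"
+ipv6_ignore_ra: true
+dns_servers:
+- "192.168.179.12"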
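Review bot: Both client interfaces sit on 192.168.179.0/24 — enp1s0 via DHCP and enp2s0 statically as 192.168.179.251 with DNS 192.168.179.12 — while the README describes the client living behind the gateway, whose DHCP and DNS serve 192.168.181.0/24. If enp2s0 is meant to be the gateway-side link it should take a 192.168.181.x address (or DHCP) with `ipv4_gateway: "192.168.181.1"` and DNS `192.168.181.1`; if the dual-homing is deliberate, a comment saying so would save the next reader the same question.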
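--- a/host_vars/gateway.linuxws2122.de.yaml
+++ b/host_vars/gateway.linuxws2122.de.yaml
@@ -0,0 +1,116 @@
+---
+ansible_host: 192.168.179.117
+
+networking:
+- type: "ethernet"
+filename: "10-enp1s0.network"
+interface: "enp1s0"
+route_metric: "10"
+dhcp: false
+ipv4_address: "192.168.179.250"
+ipv4_netmask: "/24"
+ipv4_gateway: "192.168.179.1"
+ipv6_ignore_ra: true
+dns_servers:
+- "192.168.179.12"
+- type: "ethernet"
+filename: "10-enp2s0.network"
+interface: "enp2s0"
+route_metric: "20"
+dhcp: false
+ipv4_address: "192.168.181.1"
+ipv4_netmask: "/24"
+ipv4_gateway: ""
+ipv6_ignore_ra: true
+dns_servers:
+- "192.168.181.1"
+
+
+dhcpd_keys:
+- name: dyndns
+algorithm: hmac-sha256
+secret: "KS8hRpqgCk0UKQRD3eBbxriXkTt6ePr0tQ7bUUcwX+o="
+
+dhcpd_zones:
+- name: linuxws2122.de
+primary: "192.168.181.1"
+key: dyndns
+- name: 181.168.192.in-addr.arpa
+primary: "192.168.181.1"
+key: dyndns
+
+dhcpd_interface: "enp2s0"
+dhcpd_network_start: "192.168.181.0"
+dhcpd_network_netmask: "255.255.255.0"
+dhcpd_network_range: 192.168.181.20 192.168.181.200
+
+dhcpd_ddns_domainname: linuxws2122.de
+
+dhcpd_default_lease_time: "43200"
+dhcpd_max_lease_time: "86400"
+dhcpd_min_lease_time: "21600"
+
+dhcpd_option_broadcast_address: "192.168.181.255"
+dhcpd_option_domain_name: linuxws2122.de
+dhcpd_option_domain_name_servers: "192.168.181.1"
+dhcpd_option_routers: "192.168.181.1"
+dhcpd_option_subnet_mask: "255.255.255.0"
+
+
+bind9_global_allow_query:
+- 192.168.179.0/24
+- 192.168.181.0/24
+
+bind9_keys:
+- name: dyndns
+algorithm: hmac-sha256
+secret: KS8hRpqgCk0UKQRD3eBbxriXkTt6ePr0tQ7bUUcwX+o=
+
+bind9_listen_on_ipv4:
+- "192.168.181.1"
+
+bind9_listen_on_ipv6: []
+
+bind9_forward_zones:
+- allow_query:
+- any
+allow_update:
+- dyndns
+type: master
+origin: linuxws2122.de.
+ttl: "3600"
+records:
+- name: "@\t\t" # \t only for indention
+class: IN
+type: SOA
+value: "gateway.linuxws2122.de. hostmaster.linuxws2122.de. 2021121000 86400 7200 604800 3600"
+- name: "\t\t" # \t only for indention
+class: IN
+type: NS
+value: gateway
+- name: "gateway\t\t" # \t only for indention
+class: IN
+type: A
+value: 192.168.181.1
+
+bind9_reverse_zones:
+- allow_query:
+- any
+allow_update:
+- dyndns
+type: master
+origin: 181.168.192.IN-ADDR.ARPA.
+ttl: "3600"
+records:
+- name: "@\t\t" # "\t" only for indention
+class: IN
+type: SOA
+value: "gateway.linuxws2122.de. hostmaster.linuxws2122.de. 2021121000 86400 7200 604800 3600"
+- name: "\t\t" # "\t" only for indention
+class: IN
+type: NS
+value: gateway.linuxws2122.de.
+- name: "1\t\t" # "\t" only for indention
+class: IN
+type: PTR
+value: gateway.linuxws2122.de.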
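Review bot: The TSIG secret for key `dyndns` is committed in clear text twice, under `dhcpd_keys` and again under `bind9_keys`; anyone with read access to this repository can push dynamic updates into both zones. Move it into an `ansible-vault` variable and reference it from both places, e.g. `secret: "{{ vault_dyndns_tsig_secret }}"`, and rotate the key that is already in history. The per-zone `allow_query: - any` also overrides the global ACL in `bind9_global_allow_query`; that is harmless only while `bind9_listen_on_ipv4` is the LAN address alone, so listing the same two ranges here keeps the restriction if listen-on ever changes.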
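--- a/hosts.yaml
+++ b/hosts.yaml
@@ -0,0 +1,11 @@
+all:
+hosts:
+client.linuxws2122.de:
+gateway.linuxws2122.de:
+children:
+client:
+hosts:
+client.linuxws2122.de:
+gateway:
+hosts:
+gateway.linuxws2122.de: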
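--- a/pubkeys/markus@markus-nb.pub
+++ b/pubkeys/markus@markus-nb.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJUTcUBb+55jRY9TkpLgm8K/8nJfEXyjEX8zljdCCRpi markus@markus-nb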
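--- a/pubkeys/markus@markus-pc.pub
+++ b/pubkeys/markus@markus-pc.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPOydCxv9/tAV7AdS2HsUIEu547Z5qUJnWYwiO7rI9YL markus@markus-pc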
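--- a/roles/bind_dhcp/defaults/main.yaml
+++ b/roles/bind_dhcp/defaults/main.yaml
@@ -0,0 +1,90 @@
+---
+
+# dhcpd_interface: "enp7s0"
+# dhcpd_network_start: "192.168.181.0"
+# dhcpd_network_netmask: "255.255.255.0"
+# dhcpd_network_range: "192.168.181.20 192.168.181.200"
+
+# dhcpd_default_lease_time: "43200"
+# dhcpd_max_lease_time: "2168640000"
+# dhcpd_min_lease_time: "21600"
+
+# dhcpd_ddns_domainname: "linuxws2122.de"
+
+# dhcpd_option_broadcast_address: "192.168.181.255"
+# dhcpd_option_domain_name: "linuxws2122.de"
+# dhcpd_option_domain_name_servers: "192.168.181.1"
+# dhcpd_option_routers: "192.168.181.1"
+# dhcpd_option_subnet_mask: "255.255.255.0"
+
+
+# dhcpd_keys:
+# - name: dyndns
+# algorithm: hmac-sha256
+# secret: ""
+
+# dhcpd_zones:
+# - name: linuxws2122.de
+# primary: "192.168.181.1"
+# key: dyndns
+# - name: 181.168.192.in-addr.arpa
+# primary: "192.168.181.1"
+# key: dyndns
+
+
+# bind9_global_allow_query:
+# - "192.168.181.0/24"
+
+# bind9_keys:
+# - name: dyndns
+# algorithm: hmac-sha512
+# secret: "+7bISG4ktFi2ytU9WXvBX41ZlxxfW5G+sHKtetNlQjk="
+
+# bind9_listen_on_ipv4:
+# - "192.168.181.1"
+
+# bind9_listen_on_ipv6: []
+
+# bind9_forward_zones:
+# - allow_query:
+# - "any"
+# allow_update:
+# - dyndns
+# type: master
+# origin: "linuxws2122.de."
+# ttl: "3600"
+# records:
+# - name: "\t\t" # only for indention
+# class: "IN"
+# type: "SOA"
+# value: "gateway.linuxws2122.de. hostmaster.linuxws2122.de. 2021092000 86400 7200 604800 3600"
+# - name: "\t\t" # only for indention
+# class: "IN"
+# type: "NS"
+# value: "gateway"
+# - name: "gateway\t\t"
+# class: "IN"
+# type: "A"
+# value: "192.168.181.1"
+
+# bind9_reverse_zones:
+# - allow_query:
+# - "any"
+# allow_update:
+# - dyndns
+# type: master
+# origin: "181.168.192.IN-ADDR.ARPA."
+# ttl: "3600"
+# records:
+# - name: "\t\t" # "\t" only for indention
+# class: "IN"
+# type: SOA
+# value: "gateway.linuxws2122.de. hostmaster.linuxws2122.de. 2021092000 86400 7200 604800 3600"
+# - name: "\t\t" # "\t" only for indention
+# class: "IN"
+# type: NS
+# value: "gateway.linuxws2122.de."
+# - name: "1\t\t" # "\t" only for indention
+# class: "IN"
+# type: A
+# value: "gateway.linuxws2122.de."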
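Review bot: The commented-out `bind9_keys` example carries a real-looking base64 TSIG secret on its `secret:` line; even commented out, a secret in git history has to be treated as leaked, so replace it with `secret: ""` as the `dhcpd_keys` example above it already does. The example reverse zone's last record is `type: A` with a hostname value where a `PTR` is meant (host_vars/gateway.linuxws2122.de.yaml gets this right); fix the example so it is not copied verbatim.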
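--- a/roles/bind_dhcp/handlers/main.yaml
+++ b/roles/bind_dhcp/handlers/main.yaml
@@ -0,0 +1,13 @@
+---
+
+- name: restart dhcpd
+systemd:
+name: dhcpd
+state: restarted
+daemon_reload: true
+
+- name: restart named
+systemd:
+name: named
+state: restarted
+daemon_reload: true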
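--- a/roles/bind_dhcp/tasks/bind9.yaml
+++ b/roles/bind_dhcp/tasks/bind9.yaml
@@ -0,0 +1,36 @@
+---
+
+- name: create dhcp config dir
+file:
+path: /etc/named
+owner: named
+group: named
+mode: 0755
+state: directory
+
+- name: set up zones
+template:
+src: zone.j2
+dest: /etc/named/{{ item.origin }}db
+owner: named
+group: named
+mode: 0644
+with_items:
+- "{{ bind9_forward_zones }}"
+- "{{ bind9_reverse_zones }}"
+notify: restart named
+
+- name: set up global bind config
+template:
+src: named.conf.j2
+dest: /etc/named.conf
+owner: named
+group: named
+mode: 0644
+notify: restart named
+
+- name: start and enabled named
+systemd:
+name: named
+state: started
+enabled: yes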
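Review bot: `/etc/named.conf` is rendered with the TSIG secret inside it at `mode: 0644`, so every local account can read the key; `owner: root`, `group: named`, `mode: 0640` lets named read it without owning it, and keeps a compromised named from rewriting its own configuration. The zone directory being owned by `named` is needed for the dynamic-update journals, so that part is fine. Consider `validate: 'named-checkconf %s'` on the named.conf template so a bad render is rejected before the `restart named` handler takes the resolver down; the task name `create dhcp config dir` is also a copy-paste from the dhcpd file.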
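--- a/roles/bind_dhcp/tasks/dhcpd.yaml
+++ b/roles/bind_dhcp/tasks/dhcpd.yaml
@@ -0,0 +1,53 @@
+---
+
+- name: create dhcp config dir
+file:
+path: /etc/dhcp
+owner: root
+group: root
+mode: 0755
+state: directory
+
+- name: create dhcpd config
+template:
+src: dhcpd.conf.j2
+dest: /etc/dhcp/dhcpd.conf
+owner: root
+group: root
+mode: 0644
+
+- name: cleanup cache files
+block:
+- name: check if cache dir exists
+stat:
+path: /var/lib/dhcpd
+register: cache_stats
+- name: remove cache dir
+file:
+path: /var/lib/dhcpd/
+state: absent
+when: cache_stats.stat.exists
+- name: create cache dir
+file:
+path: /var/lib/dhcpd/
+owner: dhcpd
+group: dhcpd
+mode: 0755
+state: directory
+- name: create cache files
+file:
+path: "/var/lib/dhcpd/{{ item }}"
+owner: dhcpd
+group: dhcpd
+mode: 0644
+state: touch
+with_items:
+- dhcpd.leases
+- dhcpd6.leases
+notify: restart dhcpd
+
+- name: start and enable dhcpd
+systemd:
+name: dhcpd
+state: started
+enabled: yes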
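Review bot: `/etc/dhcp/dhcpd.conf` also carries the TSIG secret and is written at `mode: 0644`; make it `group: dhcpd`, `mode: 0640` so only root and the service account can read it. Separately, the `cleanup cache files` block deletes `/var/lib/dhcpd/` on every run, so each playbook run wipes the lease database and restarts dhcpd, and clients can then be offered addresses another client still holds. Drop the `remove cache dir` step (creating the directory and touching the lease files is already idempotent, though `state: touch` reports changed every run) and move `notify: restart dhcpd` onto the `create dhcpd config` task, which currently has no handler of its own.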
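--- a/roles/bind_dhcp/tasks/main.yaml
+++ b/roles/bind_dhcp/tasks/main.yaml
@@ -0,0 +1,15 @@
+---
+
+- name: install bind (named) and dependencies
+yum:
+name: "{{ item }}"
+with_items:
+- bind
+- bind-utils
+- dhcp-server
+
+- name: configure dhcpd server
+include_tasks: dhcpd.yaml
+
+- name: configure bind9 server
+include_tasks: bind9.yaml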
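Review bot: `yum` with `with_items` runs one transaction per package and triggers Ansible's deprecation warning for looping package modules; the module accepts a list, so `name: [bind, bind-utils, dhcp-server]` with an explicit `state: present` is both faster and clearer.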
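--- a/roles/bind_dhcp/templates/dhcpd.conf.j2
+++ b/roles/bind_dhcp/templates/dhcpd.conf.j2
@@ -0,0 +1,37 @@
+authoritative;
+ddns-update-style interim;
+ignore client-updates;
+
+{% for key in dhcpd_keys %}
+key "{{ key.name }}" {
+algorithm {{ key.algorithm }};
+secret "{{ key.secret }}";
+}
+{% endfor %}
+
+{% for zone in dhcpd_zones %}
+zone {{ zone.name }} {
+primary {{ zone.primary }};
+key "{{ zone.key }}";
+}
+{% endfor %}
+
+subnet {{ dhcpd_network_start }} netmask {{ dhcpd_network_netmask }} {
+interface {{ dhcpd_interface }};
+
+range {{ dhcpd_network_range }};
+
+default-lease-time {{ dhcpd_default_lease_time }};
+max-lease-time {{ dhcpd_max_lease_time }};
+min-lease-time {{ dhcpd_min_lease_time }};
+
+ddns-domainname "{{ dhcpd_ddns_domainname }}";
+
+update-static-leases on;
+
+option broadcast-address {{ dhcpd_option_broadcast_address }};
+option domain-name "{{ dhcpd_option_domain_name }}";
+option domain-name-servers {{ dhcpd_option_domain_name_servers }};
+option routers {{ dhcpd_option_routers }};
+option subnet-mask {{ dhcpd_option_subnet_mask }};
+}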
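Review bot: `ddns-update-style interim;` on the second line is the pre-standard mode that ISC has deprecated; current dhcpd releases document `ddns-update-style standard;` for RFC 2136 updates with TSIG keys, and the key and zone blocks below work unchanged with it. `ignore client-updates;` is the right companion, since it stops clients from choosing their own forward names.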
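--- a/roles/bind_dhcp/templates/named.conf.j2
+++ b/roles/bind_dhcp/templates/named.conf.j2
@@ -0,0 +1,129 @@
+//
+// named.conf
+//
+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+// server as a caching only nameserver (as a localhost DNS resolver only).
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+
+options {
+listen-on port 53 {
+{% for ip in bind9_listen_on_ipv4 %}
+{{ ip }};
+{% endfor %}
+127.0.0.1;
+};
+
+listen-on-v6 port 53 {
+{% for ip in bind9_listen_on_ipv6 %}
+{{ ip }};
+{% endfor %}
+::1;
+};
+
+directory "/var/named";
+dump-file "/var/named/data/cache_dump.db";
+statistics-file "/var/named/data/named_stats.txt";
+memstatistics-file "/var/named/data/named_mem_stats.txt";
+secroots-file "/var/named/data/named.secroots";
+recursing-file "/var/named/data/named.recursing";
+
+allow-query {
+{% for ip in bind9_global_allow_query %}
+{{ ip }};
+{% endfor %}
+localhost;
+};
+
+/*
+- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+- If you are building a RECURSIVE (caching) DNS server, you need to enable
+recursion.
+- If your recursive DNS server has a public IP address, you MUST enable access
+control to limit queries to your legitimate users. Failing to do so will
+cause your server to become part of large scale DNS amplification
+attacks. Implementing BCP38 within your network would greatly
+reduce such attack surface
+*/
+recursion yes;
+
+dnssec-validation yes;
+
+managed-keys-directory "/var/named/dynamic";
+geoip-directory "/usr/share/GeoIP";
+
+pid-file "/run/named/named.pid";
+session-keyfile "/run/named/session.key";
+
+/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+include "/etc/crypto-policies/back-ends/bind.config";
+};
+
+logging {
+channel default_debug {
+file "data/named.run";
+severity dynamic;
+};
+};
+
+zone "." IN {
+type hint;
+file "named.ca";
+};
+
+{% for zone in bind9_forward_zones %}
+zone "{{ zone.origin }}" {
+
+allow-query {
+{% for entry in zone.allow_query %}
+{{ entry }};
+{% endfor %}
+};
+
+allow-update {
+{% for entry in zone.allow_update %}
+key {{ entry }};
+{% endfor %}
+};
+
+file "/etc/named/{{ zone.origin }}db";
+
+type {{ zone.type }};
+
+};
+{% endfor %}
+
+
+
+{% for zone in bind9_reverse_zones %}
+zone "{{ zone.origin }}" {
+
+allow-query {
+{% for entry in zone.allow_query %}
+{{ entry }};
+{% endfor %}
+};
+
+allow-update {
+{% for entry in zone.allow_update %}
+key {{ entry }};
+{% endfor %}
+};
+
+file "/etc/named/{{ zone.origin }}db";
+
+type {{ zone.type }};
+
+};
+{% endfor %}
+
+{% for key in bind9_keys %}
+key "{{ key.name }}" {
+algorithm {{ key.algorithm }};
+secret "{{ key.secret }}";
+};
+{% endfor %}
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";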
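Review bot: Neither zone block sets `allow-transfer`, and in BIND 9.18 and earlier the default is `any`, so every host that can query a zone can also pull a full AXFR of the LAN's names and of the reverse zone. Add `allow-transfer { none; };` next to each `allow-update` block, or make it a templated list like the other ACLs. `recursion yes` is acceptable while the global `allow-query` stays limited to the two LAN ranges plus localhost; the per-zone `allow-query { any; }` these zones render does not widen recursion, only zone visibility.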
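--- a/roles/bind_dhcp/templates/zone.j2
+++ b/roles/bind_dhcp/templates/zone.j2
@@ -0,0 +1,6 @@
+$ORIGIN {{ item.origin }}
+$TTL {{ item.ttl }}
+
+{% for record in item.records %}
+{{ record.name }} {{ record.class | default('IN') }} {{ record.type | default('A') }} {{ record.value }}
+{% endfor %}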
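--- a/roles/common/tasks/main.yaml
+++ b/roles/common/tasks/main.yaml
@@ -0,0 +1,16 @@
+---
+
+- name: system update
+yum:
+name: '*'
+state: latest
+
+- name: stop firewalld
+systemd:
+name: firewalld
+state: stopped
+enabled: no
+
+- name: disable SELinux
+selinux:
+state: disabled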
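Review bot: `stop firewalld` and `disable SELinux` turn off both host-level controls permanently on every host, including the gateway that will route a whole subnet and expose DNS and DHCP to it. If this is a bring-up shortcut, say so in a comment and prefer `state: permissive` for SELinux while the roles are being written; the end state should keep SELinux enforcing and open only the needed services on the gateway, e.g. `firewalld: service: dns` / `dhcp` / `ssh` with `permanent: true`, `state: enabled`. `state: latest` on `'*'` also applies a full upgrade on every run, which is worth a comment if intended.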
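--- a/roles/hostname/defaults/main.yaml
+++ b/roles/hostname/defaults/main.yaml
@@ -0,0 +1,2 @@
+---
+hostname_reboot: true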
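--- a/roles/hostname/tasks/main.yml
+++ b/roles/hostname/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+- name: update hosts file
+ansible.builtin.template:
+src: hosts.j2
+dest: /etc/hosts
+owner: root
+group: root
+mode: 0644
+backup: yes
+register: _hostname
+
+- name: update hostname
+ansible.builtin.template:
+src: hostname.j2
+dest: /etc/hostname
+owner: root
+group: root
+mode: 0644
+backup: yes
+register: _hostname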
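Review bot: `hostname_reboot: true` is declared in roles/hostname/defaults but nothing in these tasks reads it, and both tasks `register: _hostname`, so the first result is overwritten before anything can use it; either drop the registers or feed them into a reboot task guarded by `hostname_reboot`. Writing `/etc/hostname` alone does not change the running hostname until the next boot; `ansible.builtin.hostname: name: "{{ inventory_hostname }}"` sets both the file and the live name.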
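--- a/roles/hostname/templates/hostname.j2
+++ b/roles/hostname/templates/hostname.j2
@@ -0,0 +1 @@
+{{ inventory_hostname }}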
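--- a/roles/hostname/templates/hosts.j2
+++ b/roles/hostname/templates/hosts.j2
@@ -0,0 +1,2 @@
+127.0.0.1 localhost.localdomain localhost localhost4
+::1 localhost.localdomain localhost localhost6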
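Review bot: The rendered `/etc/hosts` carries no entry for the host's own name, so `hostname -f` and anything else that resolves the local FQDN depends on DNS being up — on the gateway that means on the named instance this same playbook is still configuring. Add `127.0.1.1 {{ inventory_hostname }} {{ inventory_hostname.split('.')[0] }}` after the loopback lines.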
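--- a/roles/networking/defaults/main.yml
+++ b/roles/networking/defaults/main.yml
@@ -0,0 +1,41 @@
+---
+
+networking_timezone: Europe/Berlin
+
+networking:
+- type: "ethernet"
+filename: "10-en.network"
+interface: "en*"
+route_metric: "10"
+dhcp: true
+
+# Example: Static IP-Address
+# networking:
+# - type: "ethernet"
+# filename: "10-eth0.network"
+# interface: "eth0"
+# route_metric: "99"
+# dhcp: false
+# ipv4_address: "192.168.178.12"
+# ipv4_netmask: "/24"
+# ipv4_gateway: "192.168.178.1"
+# ipv6_address:
+# ipv6_netmask:
+# ipv6_gateway:
+# ipv6_ignore_ra: true
+# dns_servers:
+# - 10.11.12.13
+# - 13.12.11.10
+
+# Example: WLAN interface
+# networking:
+# - type: "wireless"
+# filename: "20-wlp.network"
+# interface: "wlp*"
+# route_metric: "20"
+# dhcp: true
+
+# networking_wpa_supplicant:
+# - interface: "wlp4s0"
+# ssid: ""
+# psk: ""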
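--- a/roles/networking/files/wpa_supplicant@.service
+++ b/roles/networking/files/wpa_supplicant@.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=WPA supplicant daemon (interface-specific version)
+Requires=sys-subsystem-net-devices-%i.device
+After=sys-subsystem-net-devices-%i.device
+Before=network.target
+Wants=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-%I.conf -i%I -Dnl80211,wext
+
+[Install]
+Alias=multi-user.target.wants/wpa_supplicant@%i.service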
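--- a/roles/networking/handlers/main.yml
+++ b/roles/networking/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+
+- name: restart networkd
+systemd:
+name: systemd-networkd
+state: restarted
+daemon_reload: true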
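--- a/roles/networking/tasks/main.yml
+++ b/roles/networking/tasks/main.yml
@@ -0,0 +1,154 @@
+---
+
+- name: "install systemd-networkd"
+block:
+- name: "install systemd-networkd (Arch Linux)"
+pacman:
+name: systemd-networkd
+state: present
+when: ansible_os_family == "Archlinux"
+- name: "install systemd-networkd (RedHat)"
+yum:
+name: systemd-networkd
+state: present
+when: ansible_os_family == "RedHat"
+
+- name: "uninstall NetworkManager"
+block:
+- name: "uninstall NetworkManager (Arch Linux)"
+pacman:
+name: NetworkManager
+state: absent
+when: ansible_os_family == "Archlinux"
+- name: "uninstall systemd-networkd (RedHat)"
+yum:
+name: NetworkManager
+state: absent
+when: ansible_os_family == "RedHat"
+
+- name: "remove existing systemd-networkd configuration"
+file:
+path: "/etc/systemd/network"
+state: absent
+
+- name: "create systemd-networkd directory"
+file:
+path: "/etc/systemd/network"
+owner: root
+group: root
+mode: 0755
+state: directory
+
+- name: "setup network interfaces via systemd-networkd (DHCP)"
+block:
+- name: filter dhcp interfaces
+set_fact:
+dhcp_interfaces: "{{ (dhcp_interfaces | default([])) + [ item ] }}"
+when: item.dhcp
+with_items: "{{ networking }}"
+
+- name: "configure network interface {{ item.name }} (DHCP)"
+template:
+src: 10-dhcp.network.j2
+dest: "/etc/systemd/network/{{ item.filename }}"
+owner: root
+group: root
+mode: 0644
+when: dhcp_interfaces is defined
+with_items: "{{ dhcp_interfaces }}"
+
+- name: "setup network interfaces via systemd-networkd (static)"
+block:
+- name: filter static interfaces
+set_fact:
+static_interfaces: "{{ (static_interfaces | default([])) + [ item ] }}"
+when: not item.dhcp
+with_items: "{{ networking }}"
+
+- name: "configure network interface {{ item.name }} (static)"
+template:
+src: 10-static.network.j2
+dest: "/etc/systemd/network/{{ item.filename }}"
+owner: root
+group: root
+mode: 0644
+when: static_interfaces is defined
+with_items: "{{ static_interfaces }}"
+
+- name: "setup wpa_supplicant configurations"
+when: networking_wpa_supplicant is defined and networking_wpa_supplicant | length > 0
+block:
+- name: "copy systemd unit for custom wpa_supplicant@.service"
+copy:
+src: files/wpa_supplicant@.service
+dest: /etc/systemd/system/wpa_supplicant@.service
+owner: root
+group: root
+
+- name: "create wpa_supplicant configuration files"
+template:
+src: wpa_supplicant.conf.j2
+dest: "/etc/wpa_supplicant/wpa_supplicant-{{ item.interface }}.conf"
+owner: root
+group: root
+mode: 0640
+with_items: "{{ networking_wpa_supplicant }}"
+
+- name: "start and enable wpa_supplicant for interfaces"
+service:
+name: wpa_supplicant@{{ item.interface }}.service
+state: started
+enabled: yes
+with_items: "{{ networking_wpa_supplicant }}"
+
+- name: create symlink to resolv.conf
+file:
+src: /run/systemd/resolve/stub-resolv.conf
+dest: /etc/resolv.conf
+state: link
+force: yes
+follow: no
+owner: root
+group: root
+
+- name: enable networkd
+service:
+name: systemd-networkd
+enabled: yes
+daemon_reload: yes
+
+- name: start and enable resolved
+service:
+name: systemd-resolved
+state: started
+enabled: yes
+daemon_reload: yes
+
+- name: set timezone
+timezone:
+name: "{{ networking_timezone }}"
+
+- name: start and enable timesyncd
+service:
+name: systemd-timesyncd
+state: started
+enabled: yes
+daemon_reload: yes
+
+- name: start systemd-networkd after dbus.sock
+block:
+- name: create drop-in for systemd-networkd
+file:
+path: /etc/systemd/system/systemd-networkd.d
+owner: root
+group: root
+mode: 0755
+state: directory
+- name: template after-dbus.conf
+template:
+src: after-dbus.conf.j2
+dest: /etc/systemd/system/systemd-networkd.d/after-dbus.conf
+owner: root
+group: root
+mode: 0644
+when: ansible_os_family == "RedHat"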
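Review bot: The `restart networkd` handler in roles/networking/handlers is never notified — neither template task carries `notify`, and `enable networkd` only enables the unit — so after NetworkManager is removed and `/etc/systemd/network` is wiped, the new `.network` files take effect only at the next boot; add `notify: restart networkd` to both template tasks, accepting that the SSH session may drop when the address changes. The task names `configure network interface {{ item.name }}` reference a key the `networking` items do not define (they use `interface`), so the name renders empty. The task labelled `uninstall systemd-networkd (RedHat)` actually removes NetworkManager; rename it to match its Arch sibling. The `copy` of the custom unit also omits `mode:`, unlike every other file task here.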
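--- a/roles/networking/templates/10-dhcp.network.j2
+++ b/roles/networking/templates/10-dhcp.network.j2
@@ -0,0 +1,9 @@
+[Match]
+Name={{ item.interface }}
+
+[Network]
+DHCP=yes
+Domains={{ inventory_hostname.split(".")[1:] | join('.') | lower }}
+
+[DHCP]
+RouteMetric={{ item.route_metric }}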
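--- a/roles/networking/templates/10-static.network.j2
+++ b/roles/networking/templates/10-static.network.j2
@@ -0,0 +1,31 @@
+[Match]
+Name={{ item.interface }}
+
+[Network]
+Gateway={{ item.ipv4_gateway }}
+{% if item.ipv6_gateway is defined %}
+Gateway={{ item.ipv6_gateway }}
+{% endif %}
+{% if item.ipv6_ignore_ra|default(false) is true %}
+IPv6AcceptRA=false
+{% endif %}
+{% for dns_server in item.dns_servers %}
+DNS={{ dns_server }}
+{% endfor %}
+
+[Address]
+Address={{ item.ipv4_address }}{{ item.ipv4_netmask }}
+RouteMetric={{ item.route_metric }}
+{% if item.ipv4_netmask == "/32" %}
+Peer={{ item.ipv4_gateway }}{{ item.ipv4_netmask}}
+{% endif %}
+
+{% if item.ipv6_address is defined %}
+[Address]
+Address={{ item.ipv6_address }}{{ item.ipv6_netmask }}
+{% endif %}
+
+{% if item.ipv6_gateway is defined and not item.ipv6_gateway.startswith("fe80") %}
+[Route]
+Destination={{ item.ipv6_gateway }}
+{% endif %}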
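Review bot: `Gateway={{ item.ipv4_gateway }}` in `[Network]` is rendered unconditionally, and host_vars/gateway sets `ipv4_gateway: ""` for enp2s0, so that unit gets an empty `Gateway=` line that networkd will at best warn about; wrap it in `{% if item.ipv4_gateway %}` … `{% endif %}` like the IPv6 gateway below it. Likewise `{% for dns_server in item.dns_servers %}` fails the whole template when a static entry omits `dns_servers`; iterate over `item.dns_servers | default([])`.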
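--- a/roles/networking/templates/after-dbus.conf.j2
+++ b/roles/networking/templates/after-dbus.conf.j2
@@ -0,0 +1,2 @@
+[Unit]
+After=dbus.sock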
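--- a/roles/networking/templates/wpa_supplicant.conf.j2
+++ b/roles/networking/templates/wpa_supplicant.conf.j2
@@ -0,0 +1,9 @@
+ctrl_interface=/run/wpa_supplicant
+ctrl_interface_group=wheel
+update_config=1
+ap_scan=1
+
+network={
+ssid="{{ item.ssid }}"
+psk="{{ item.psk }}"
+}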
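Review bot: `update_config=1` together with `ctrl_interface_group=wheel` lets any wheel member reconfigure the network through wpa_cli and have wpa_supplicant rewrite this file, PSK included, which undercuts the root-owned `mode: 0640` file the task creates. Drop `update_config=1` for a file that Ansible owns. The `psk` could also be stored pre-hashed (the 64-hex output of `wpa_passphrase`, written without quotes) so the passphrase itself never lands on disk or in group_vars.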
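--- a/roles/sshd/defaults/main.yaml
+++ b/roles/sshd/defaults/main.yaml
@@ -0,0 +1,3 @@
+---
+
+# sshd_port: 22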
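--- a/roles/sshd/handlers/main.yml
+++ b/roles/sshd/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: restart sshd
+service:
+name: sshd
+state: restarted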
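--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+- name: install openssh
+yum:
+name: openssh
+state: present
+
+- name: configure sshd
+template:
+src: sshd_config.j2
+dest: /etc/ssh/sshd_config
+owner: root
+group: root
+mode: 0644
+validate: '/usr/sbin/sshd -t -f %s'
+notify:
+- restart sshd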
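Review bot: On the RHEL-family targets the rest of this commit assumes (every package task uses `yum`), the daemon lives in `openssh-server`; `name: openssh` installs only the client/common part, so this task does not guarantee sshd is present. Change it to `name: openssh-server`. The `validate: '/usr/sbin/sshd -t -f %s'` on the template is good practice and should stay; it will not, however, catch a wrong `Subsystem` path.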
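--- a/roles/sshd/templates/sshd_config.j2
+++ b/roles/sshd/templates/sshd_config.j2
@@ -0,0 +1,120 @@
+# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+{% if sshd_port is defined and sshd_port > 0 %}
+Port {{ sshd_port }}
+{% else %}
+# Port 22
+{% endif %}
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no # pam does that
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/ssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server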
5
roles/sudo_users/defaults/main.yml
Normal file
5
roles/sudo_users/defaults/main.yml
Normal file
@ -0,0 +1,5 @@
|
||||
---
|
||||
sudo_users:
|
||||
- root
|
||||
|
||||
sudo_without_password: false
|
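Review bot: Both defaults are undocumented, and the meaning of `sudo_without_password` only becomes clear after reading the sudoers tasks in `roles/sudo_users/tasks/main.yml`; a one-line comment above each would save that trip, e.g. `# Users appended to the wheel group; every other wheel member is purged first` and `# true: wheel may sudo without a password (NOPASSWD), false: password required`. Listing `root` as the default wheel member has no practical effect on sudo, since root does not go through sudo to gain privilege, so the default could presumably be `[]` with a comment explaining why the purge below is safe only when the list is non-empty.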
82
roles/sudo_users/tasks/main.yml
Normal file
82
roles/sudo_users/tasks/main.yml
Normal file
@ -0,0 +1,82 @@
|
||||
---
|
||||
|
||||
- name: install sudo
|
||||
yum:
|
||||
name: sudo
|
||||
state: present
|
||||
|
||||
# https://github.com/ansible/ansible/issues/11024
|
||||
- name: remove all users from wheel group
|
||||
command: groupmems -g wheel --purge
|
||||
register: groupmems
|
||||
changed_when: "groupmems.rc == 0"
|
||||
|
||||
- name: add sudo users to wheel
|
||||
user:
|
||||
name: "{{ item }}"
|
||||
append: yes
|
||||
groups: [ wheel ]
|
||||
with_items: "{{ sudo_users }}"
|
||||
|
||||
- name: remove wheel group to use sudo
|
||||
block:
|
||||
- name: remove wheel group to use sudo with password
|
||||
lineinfile:
|
||||
dest: /etc/sudoers
|
||||
state: present
|
||||
regexp: '^%wheel ALL=\(ALL\) ALL'
|
||||
line: '# %wheel ALL=(ALL) ALL'
|
||||
validate: 'visudo -cf %s'
|
||||
mode: 0440
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: remove wheel group to use sudo without password
|
||||
lineinfile:
|
||||
dest: /etc/sudoers
|
||||
state: present
|
||||
regexp: '^%wheel ALL=\(ALL\) NOPASSWD: ALL'
|
||||
line: '# %wheel ALL=(ALL) NOPASSWD: ALL'
|
||||
validate: 'visudo -cf %s'
|
||||
mode: 0440
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: allow wheel group to use sudo
|
||||
block:
|
||||
- name: allow wheel group to use sudo with password
|
||||
lineinfile:
|
||||
dest: /etc/sudoers
|
||||
state: present
|
||||
regexp: '^# %wheel ALL=\(ALL\) ALL'
|
||||
line: '%wheel ALL=(ALL) ALL'
|
||||
validate: 'visudo -cf %s'
|
||||
mode: 0440
|
||||
owner: root
|
||||
group: root
|
||||
when: not sudo_without_password
|
||||
|
||||
- name: allow wheel group to use sudo without password
|
||||
tags: [ sudo_users_no_pwd ]
|
||||
lineinfile:
|
||||
dest: /etc/sudoers
|
||||
state: present
|
||||
regexp: '^# %wheel ALL=\(ALL\) NOPASSWD: ALL'
|
||||
line: '%wheel ALL=(ALL) NOPASSWD: ALL'
|
||||
validate: 'visudo -cf %s'
|
||||
mode: 0440
|
||||
owner: root
|
||||
group: root
|
||||
when: sudo_without_password
|
||||
|
||||
# - name: secure path to protect against attacks
|
||||
# lineinfile:
|
||||
# dest: /etc/sudoers
|
||||
# state: present
|
||||
# regexp: '^Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"'
|
||||
# insertafter: '^# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'
|
||||
# line: 'Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"'
|
||||
# validate: 'visudo -cf %s'
|
||||
# mode: 0440
|
||||
# owner: root
|
||||
# group: root
|
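Review bot: `command: groupmems -g wheel --purge` runs unconditionally on every play, and `changed_when: "groupmems.rc == 0"` marks it changed on every successful run, so the task is never idempotent and a failure between the purge and the `add sudo users to wheel` task leaves the host with no sudo-capable users until the play is re-run; at minimum guard it with `when: sudo_users | length > 0` so an empty or missing list cannot strip every administrator. The two `remove wheel group …` tasks then comment out both `%wheel` lines unconditionally and the `allow …` block re-enables one of them, so `/etc/sudoers` is rewritten twice per run and reports changed each time; one `lineinfile` per `%wheel` variant whose line is chosen from `sudo_without_password` would converge in a single pass. Note also that `state: present` appends `# %wheel ALL=(ALL) ALL` to the end of sudoers whenever the regexp does not match, so the file accumulates a comment line on hosts whose sudoers never had it. `mode: 0440` is an unquoted octal literal in all four tasks; Ansible's documented form is the string `mode: "0440"`, which avoids the YAML 1.1 octal/decimal ambiguity.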
7
roles/sysctl/tasks/main.yaml
Normal file
7
roles/sysctl/tasks/main.yaml
Normal file
@ -0,0 +1,7 @@
|
||||
---
|
||||
|
||||
- name: configure sysctl properties
|
||||
sysctl:
|
||||
name: net.ipv4.ip_forward
|
||||
value: '1'
|
||||
state: present
|
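Review bot: `net.ipv4.ip_forward` is switched on without any accompanying forwarding policy in this role, so a VM that receives routed traffic forwards whatever reaches it in either direction; I do not see a firewall task anywhere in the role that restricts forwarding to the intended interfaces and subnet. A `firewalld`/`nftables` forward-policy task would belong next to this setting, or at least a comment stating where filtering is configured so the next reader does not assume it was forgotten. The task name `configure sysctl properties` could also name the key it sets, e.g. `- name: enable IPv4 forwarding on the gateway`.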
76
roles/unix_users/tasks/main.yml
Normal file
76
roles/unix_users/tasks/main.yml
Normal file
@ -0,0 +1,76 @@
|
||||
---
|
||||
|
||||
- name: create unix groups
|
||||
group:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
system: no
|
||||
with_items: "{{ unix_groups }}"
|
||||
when: unix_groups is defined
|
||||
|
||||
- name: filter unix_users for users with non-matching hosts
|
||||
set_fact:
|
||||
unix_users_filtered: "{{ (unix_users_filtered | default([])) + [ item ] }}"
|
||||
when: item.value.hosts is not defined or inventory_hostname in item.value.hosts
|
||||
with_dict: "{{ unix_users }}"
|
||||
|
||||
- name: create unix users
|
||||
block:
|
||||
- name: create unix users
|
||||
user:
|
||||
name: "{{ item.key }}"
|
||||
group: "{{ item.value.main_group | default('users') }}"
|
||||
comment: "{{ item.value.name }}"
|
||||
shell: "{{ item.value.shell | default('/bin/bash') }}"
|
||||
password: "{{ item.value.password | password_hash('sha512') }}"
|
||||
state: present
|
||||
loop: "{{ unix_users_filtered }}"
|
||||
when: "item.value.groups is not defined"
|
||||
|
||||
- name: create unix users with additional groups
|
||||
user:
|
||||
name: "{{ item.key }}"
|
||||
group: "{{ item.value.main_group }}"
|
||||
groups: "{{ item.value.groups | join(',') }}"
|
||||
comment: "{{ item.value.name }}"
|
||||
shell: "{{ item.value.shell | default('/bin/bash') }}"
|
||||
password: "{{ item.value.password | password_hash('sha512') }}"
|
||||
state: present
|
||||
loop: "{{ unix_users_filtered }}"
|
||||
when: "item.value.groups is defined"
|
||||
|
||||
- name: create .ssh directory
|
||||
file:
|
||||
path: "/home/{{ item.key }}/.ssh"
|
||||
state: directory
|
||||
owner: "{{ item.key }}"
|
||||
group: "{{ item.value.main_group | default('users') }}"
|
||||
mode: 0700
|
||||
loop: "{{ unix_users_filtered }}"
|
||||
|
||||
- name: configure ssh keys
|
||||
template:
|
||||
src: authorized_keys.j2
|
||||
dest: "/home/{{ item.key }}/.ssh/authorized_keys"
|
||||
owner: "{{ item.key }}"
|
||||
group: "{{ item.value.main_group | default('users') }}"
|
||||
mode: 0600
|
||||
when: item.value.ssh_key is defined
|
||||
loop: "{{ unix_users_filtered }}"
|
||||
|
||||
- name: remove ssh keys if undefined
|
||||
file:
|
||||
path: "/home/{{ item.key }}/.ssh/authorized_keys"
|
||||
state: absent
|
||||
when: item.value.ssh_key is not defined
|
||||
loop: "{{ unix_users_filtered }}"
|
||||
|
||||
- name: create email forward file if defined
|
||||
template:
|
||||
src: forward.j2
|
||||
dest: "/home/{{ item.key }}/.forward"
|
||||
owner: "{{ item.key }}"
|
||||
group: "{{ item.value.main_group | default('users') }}"
|
||||
mode: 0644
|
||||
when: item.value.email is defined
|
||||
loop: "{{ unix_users_filtered }}"
|
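Review bot: `group: "{{ item.value.main_group }}"` in `create unix users with additional groups` has no `default('users')`, unlike the sibling `create unix users` task and the `.ssh`/`.forward` tasks below, so a user entry that sets `groups` but not `main_group` fails here while the same entry without `groups` would succeed; `group: "{{ item.value.main_group | default('users') }}"` makes both paths agree. `password: "{{ item.value.password | password_hash('sha512') }}"` generates a fresh random salt on every run, so both user tasks rewrite the shadow entry and report changed each time; `update_password: on_create` on the `user` module (or a fixed per-user salt passed to `password_hash`) makes them idempotent. The filter works only if the plaintext password lives in inventory vars, so those files are presumably Vault-encrypted — worth stating in a comment on the task. The `filter unix_users …` set_fact task also lacks the `when: unix_users is defined` guard that the groups task above it has, so a host with no `unix_users` mapping fails at `with_dict` rather than being skipped.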
16
roles/unix_users/templates/authorized_keys.j2
Normal file
16
roles/unix_users/templates/authorized_keys.j2
Normal file
@ -0,0 +1,16 @@
|
||||
#jinja2: lstrip_blocks: True
|
||||
{% set keys = [item.value.ssh_key] %}
|
||||
{% if item.value.additional_ssh_keys is defined %}
|
||||
{% for key in item.value.additional_ssh_keys %}
|
||||
{% if inventory_hostname in key.hosts or 'all' in key.hosts %}
|
||||
{{- keys.append(key.name) -}}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% for key in keys %}
|
||||
{% if unix_users_ssh_options is defined %}
|
||||
{{ lookup('file', 'pubkeys/' + key) | regex_replace('(.*\S.*)', unix_users_ssh_options + ' \\1') }}
|
||||
{% else %}
|
||||
{{ lookup('file', 'pubkeys/' + key) }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
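Review bot: `{{- keys.append(key.name) -}}` is an output expression, and plain Jinja2 renders the `None` returned by `list.append` as the text `None`; if Ansible's templating behaves the same here, every matching additional key also writes a stray `None` line into `authorized_keys` (sshd skips lines it cannot parse, but logs them). `{% set _ = keys.append(key.name) %}` has the side effect without emitting anything. On the `{% if inventory_hostname in key.hosts or 'all' in key.hosts %}` line `key.hosts` is used without a defined-check, so one additional key entry without `hosts` aborts the whole template for that user; `key.hosts | default([])` would make such an entry skip instead.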
1
roles/unix_users/templates/forward.j2
Normal file
1
roles/unix_users/templates/forward.j2
Normal file
@ -0,0 +1 @@
|
||||
{{ item.value.email }}
|
6
roles/vim/defaults/main.yml
Normal file
6
roles/vim/defaults/main.yml
Normal file
@ -0,0 +1,6 @@
|
||||
---
|
||||
vimrc_repository: https://git.cryptic.systems/volker.raschek/vim.git
|
||||
|
||||
vim_users: []
|
||||
# - user: markus
|
||||
# branch: master
|
19
roles/vim/tasks/git-clone.yml
Normal file
19
roles/vim/tasks/git-clone.yml
Normal file
@ -0,0 +1,19 @@
|
||||
---
|
||||
- name: "getent for user {{ item.user }}"
|
||||
getent:
|
||||
database: passwd
|
||||
key: "{{ item.user }}"
|
||||
|
||||
- name: "clone vimrc repository for user {{ item.user }}"
|
||||
git:
|
||||
repo: https://git.cryptic.systems/volker.raschek/vim.git
|
||||
dest: "{{ getent_passwd[item.user][4] }}/.vim"
|
||||
version: "{{ item.branch }}"
|
||||
|
||||
- name: correct permissions
|
||||
file:
|
||||
path: "{{ getent_passwd[item.user][4] }}/.vim"
|
||||
owner: "{{ getent_passwd[item.user][1] }}"
|
||||
group: "{{ getent_passwd[item.user][2] }}"
|
||||
state: directory
|
||||
recurse: yes
|
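Review bot: `repo: https://git.cryptic.systems/volker.raschek/vim.git` hardcodes the URL, so the `vimrc_repository` default defined in `roles/vim/defaults/main.yml` is never read; `repo: "{{ vimrc_repository }}"` wires the variable in. `version: "{{ item.branch }}"` tracks a mutable branch of an external repository that is checked out as root into each user's home and whose contents vim then loads — from a supply-chain view a tag or commit id in `version`, plus a comment on how that ref is reviewed, would be the safer default, and `item.branch` presumably needs a `default(...)` since the defaults file shows `branch` only as an example field. Cloning with `become_user: "{{ item.user }}"` would also make the recursive chown in `correct permissions` unnecessary.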
14
roles/vim/tasks/main.yml
Normal file
14
roles/vim/tasks/main.yml
Normal file
@ -0,0 +1,14 @@
|
||||
---
|
||||
- name: install vim
|
||||
yum:
|
||||
name: vim
|
||||
state: present
|
||||
|
||||
- name: install git to clone vimrc repository
|
||||
yum:
|
||||
name: git
|
||||
state: present
|
||||
|
||||
- name: clone vimrc repository
|
||||
include_tasks: git-clone.yml
|
||||
with_items: "{{ vim_users }}"
|
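Review bot: The two `yum` tasks install one package each; a single task with `name: [vim, git]` (the module accepts a list) is one transaction and reads shorter. `with_items: "{{ vim_users }}"` on the include is the legacy loop form; `loop:` is the current spelling and is what `roles/unix_users/tasks/main.yml` already uses for most of its tasks. `yum` also ties the role to RHEL-family hosts, which is fine if that is intended, but a comment saying so would help anyone reusing it.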