Merge branch 'master' into fetlab

This commit is contained in:
Daniel A. Maierhofer
2019-03-19 16:34:47 +01:00
46 changed files with 2038 additions and 95 deletions

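--- a/README.md
+++ b/README.md
@@ -0,0 +1,20 @@
+# Ansible configuration management for FET IT
+# See [Service documentation](./doc)
+# Install ansible
+```shell
+./install
+```
+Put [ssh_config](./ssh.cfg) in your `~/.ssh/config` or specify local one each time
+Put `./roles/common/files/known_hosts` in your `~/.ssh/known_hosts`
+# Run ansible
+```shell
+./ansible-playbook -i hosts/production site.yml --ssh-extra-args "-F ./ssh.cfg"
+```
+# Run ansible for specific server and role
+```shell
+./ansible-playbook -i hosts/production site.yml --ssh-extra-args "-F ./ssh.cfg" --limit sputnik --tags openssh
+```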


@@ -88,20 +88,22 @@ zfs create -o canmount=off -o setuid=off -o exec=off ssd/var
zfs create -o com.sun:auto-snapshot=false -o mountpoint=/var/lib/nfs ssd/var/nfs
zfs create -o com.sun:auto-snapshot=false -o exec=on ssd/var/cache
zfs create ssd/var/log
zfs create -o exec=on ssd/var/lxc
zfs create -o setuid=on -o exec=on ssd/var/lxc
mv /var/cache/* /ssd/var/cache/
zfs set mountpoint=/var/cache/ ssd/var/cache
mv /var/log/* /ssd/var/log/
zfs set mountpoint=/var/log ssd/var/log
mv /var/lib/lxc/* /ssd/var/lxc/
zfs set mountpoint=/var/lib/lxc ssd/var/lxc
zfs create -o com.sun:auto-snapshot=false zv1/sojus
zfs create -o com.sun:auto-snapshot=false zv1/laika
zfs create -o com.sun:auto-snapshot=false zv1/daten/Scans
zfs create -o setuid=off -o zv1/zyklon
chown 997:996 /zv1/zyklon
```
### Set dataset quota
```shell
zfs set quota=1T zv1/homes zv1/daten zv1/fotos
zfs set quota=3T zv1/sojus
zfs set quota=3T zv1/laika
zfs set quota=5G zv1/daten/Scans
```
### If intend using ACL someday


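--- a/doc/fsdrnas.yml
+++ b/doc/fsdrnas.yml
@@ -0,0 +1,20 @@
+# fsdrnas
+## Enable SSH and prohibit-password
+```shell
+xbps-install -Su
+vim /etc/ssh/sshd_config
+ln -s /etc/sv/sshd/ /var/service/
+```
+# Create RAID
+```shell
+xbps-install mdadm
+mdadm --create --verbose /dev/md0 --level=1 --raid-devices=2 /dev/sda2 /dev/sdb2
+mkfs.btrfs -f /dev/md0
+cat /proc/mdstat
+```
+## Check disks
+```shell
+xbps-install smartmontools
+smartctl -a /dev/sda
+smartctl -a /dev/sdb
+```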


@@ -3,7 +3,8 @@
## Setup using installer, create user root
```shell
INSTALL_LOCK to false
vim /etc/gitea.conf # INSTALL_LOCK to false
sv restart gitea
```
## Gitea LDAP Authentication settings
@@ -21,3 +22,16 @@ INSTALL_LOCK to false
- Email attribute: `mail`
No Bind-DN and password needed!
## Create backup dump to file
```shell
cd /var/lib/gitea/
sudo -u _gitea gitea dump -c /etc/gitea.conf
```
## Reset root password
```shell
cd /var/lib/gitea/
sudo -u _gitea gitea admin change-password --config /etc/gitea.conf -u root -p pw
```


@@ -1,4 +1,4 @@
# sojus
# laika
## test if backups work
```shell
@@ -10,7 +10,7 @@ borg check -v <repo>/system
## test if backups work from remote
```shell
/etc/borg/system_create_<pool>.sh
cat /var/log/borg/system_create_sojus.lastlog
cat /var/log/borg/system_create_laika.lastlog
```
## retrieve files from backup
@@ -30,7 +30,7 @@ zpool import
zpool import lab
zfs create -o com.sun:auto-snapshot=false lab/backup
borg init -e none /lab/backup/ariane.fet.htu.tuwien.ac.at
./borg create --show-rc --verbose --stats backup@sojus:system::ariane-{now} /zv1/daten /zv1/fotos /zv1/homes
./borg create --show-rc --verbose --stats backup@laika:system::ariane-{now} /zv1/daten /zv1/fotos /zv1/homes
zpool export lab
cryptsetup luksClose ata-<ID>-part1
sync

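--- a/doc/progress.md
+++ b/doc/progress.md
@@ -0,0 +1,6 @@
+# Check if share works
+```shell
+smbclient -L //localhost -U dell
+smbclient //localhost/scans -U dell
+```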


@@ -17,7 +17,7 @@ common_aliases:
common_hostname: True
common_rsyslog: True
common_openssh_permit_root_login: "yes"
common_openssh_permit_root_login: "prohibit-password"
common_ntp_servers:
- tutimea.tuwien.ac.at
@@ -44,8 +44,9 @@ common_vim_default: False
common_openssh_keys_root:
- key: "ssh-rsa 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 damadmai@fet.at"
- key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmv/aixvhRzeQiD3XABD448WHW2sHSX5wj5TkqKmHG3MekovCjacEDwAEdH+3MzXzbQXCD8NOHxlvRsqfzsaIZw6al+i7hd7xeYzRAITeXAod/eQNJY71Czh1xt/rtfjgVrwFKe6kUo+RqUUBxOXjKNtCROxvsa/gxTSJD4xz/TGOTM7EbRfkOGBh3j/xmdBinURTACwKwHCR4SUnpAA7usY/QQGW22Nqczvj9SW1Un0TnYpMm7jAghGo7pvwInTerbbA2OQ07QEp9T/mAbPUks5QGEw1lwMZgEtl0EZrKxDoWjssGPw5ZA6RzwIggjuEN1zzE+pn9jWL+9sd2Tihr pet@fet.at"
- key: "ssh-rsa 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 hans@fet.at"
- key: "ssh-rsa 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 andis@fet.at"
- key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKrEdkD1Oecw++r77MVrga1e20FA+e/O37rhMc0etS5MvlbsAHd6Ftx2SIXVtwDnHDzyUAOJb8WlYPdG5r/QJYtXgVMGZrZ31UFdlAZq3K8ytczKkcMgnEEOWYSSyQRJlEW5LkZ9tD0hv1myIg5iw6Vpuqe6YFSkdDHtGxf0lnLAfi1XKwu7b7tARJz7teOAjaFzXumvsZlFx9BdufMW32uu7BSYWjSGcrEzMyyB/5C3kU/d5Q1ZTNK6tceopFr/K1lKBzvj85safD5BH8NpjvLe1QkzHu+C0AVxYNtqGHI5oWJbcR+UOwelBeEM/On+/Xq0ZIVmiLmFx03Qun8t1n berni@fet.at"
- key: "ssh-rsa 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 bajo@fet.at"
- key: "ssh-rsa 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 andis@fet.at"
- key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGy7lvScEwrJ7/PiykH1b2+K7WQH2WovdUMV/1n7y90kwm2sMERJN9R9mSQIGdF325MPWREAv+cEPIvyRAgER9CuiLF9fWFPas8tKumtu4rPyGim0jR30nn4ARSe5GEn+R8lgdJ9nKiBF0D5kFCeUoxkSu4mF9hqHL4JtmU7IfcD05VLTLNivInKAh6OuN2iF6D9BfWS1TkB7LCYjpKPJ94srh86EM5uV5WjPLnERZkBixk0Bi7mVq8qXWZCrMP4o7wwCCeEnbTKUq9zy629fu28O9t7N5J23g0SdH+3Y+WfYjp4CAtFWULdAHwjNp8ql0IbBzY7Q6Pf0+rOKaM7d3HvnV7Ihv8+hEHVtxC/PiCaIQJKpVpi5qhf8mMHMkPmdJZ9a3zmdUvVQVCrCMqXjn6fx0/4s1aogkujXnN5yZP4KfPkiEc0+FtY7j0P4dOZ/Uc6INkxSXphnjDoAi5M8dbH3Gn7prS+jZpSX/S4q7HDxnEZDvhD9gu0v3eaVmjVaVZEiuPgtKiTvXK/kJzIu7RdgHSqTx2kN9rR61oTVu2fcDr1N94axQTqjuey27ixytOMYVP3ZsCNFi+M4Y8ExYGgpDl34ne8IN6JHtCsIiUSPVteLppjOr4C2IkXBuqnHymfzt0Il2RKLnnbJvgxVgzEyqnAMTKuKjv2DWWK7H4w== berni@fet.at"
- key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC97hn9b7HPGpD2iQTelwxn/xLuvc2ZmOKoczpYequTYYNBf2SGBWTj75rIk7En+6J7cwRd+UDzI1MU09+TPY+e9PenzxCed9cvdhrjkigqBs9Gwz1rTE8Sgl2m9XtIqzg4Pu2ZTyTFB2ZOrF/3BEJ6UBycmnUaxOuoCoxMflEk/Xc14ZXnjAw2M5IZzgZBPYeHtn032noBlglXtgfXQy5dZy2DvbfuEPlc2x/m/zz/QFiWyFHn05FNpvz8grifz+7VIuWvXS0H7uWFFq2Zwjf3yfr8EZo3/bX/fseW5lpkWwYYKjeIXGkwZOnfCFqbbopB+vqhhISwTCQM3ObpY3VlEKyIpKM+0pzfDdQhv3ze4NPLf4wl4fHKvUEdOvpYBkn54s3inft6AzwRw1PRzIiBZbCHM2Lj1/m0s0LB979MvDkkG9wyAWqrRfVRZHO8D/9xfPyDJsNiSpO0R4rpfTV21BRowxBfEjGDsxf+MtzGHSpt6G0MUbg4LOPXmJKecfxK46hFMCDGotQHNf3ZUF2hMpee8dbNhj7Ao0fuf+hYmGrYBdA9SB8XJJLoAjiA0yQpreQD+jTd4pjfofKr5FHZnEBRY0etl6oc4wALfhSDSqd81lBGTEfJx4++6Vm7fI1aQ7UAfqLeT126rXqG9aN20MZ10sEU4isJFgm5741w2w== moses@fet.at"
- key: 'no-pty,no-agent-forwarding,no-X11-forwarding,command="zfs_mount.sh shutdown || shutdown -h +1" ssh-rsa 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 nut ups shutdown'
state: present
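Review bot: Entries dropped from `common_openssh_keys_root` in this hunk (the list goes from 8 to 9 lines with several older `@fet.at` keys replaced, by the diffstat) are not revoked on the hosts if the consuming task is `authorized_key` with `state: present`, which only adds keys; the task itself is outside this commit, so this is inferred. Either give that task `exclusive: yes` so this list is authoritative for root, or keep the retired keys here with `state: absent` until every host has run. The `no-pty,no-agent-forwarding,no-X11-forwarding,command="..."` restriction on the `nut ups shutdown` key is the right pattern for single-purpose keys; worth noting that its `|| shutdown -h +1` fallback still halts the host if `zfs_mount.sh` is missing, which is presumably intended.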


@@ -1,7 +0,0 @@
backup:
repositories:
- path: "/srv/rep1"
name: "Repository1"
- path: "/srv/rep2"
name: "Repository2"


@@ -5,26 +5,33 @@ inventory_hostname_short: ariane
common_interfaces: True
common_interfaces_file: interfaces_ariane.j2
common_iptables_v4: "iptables_ariane_v4.j2"
common_iptables_v6: "iptables_ariane_v6.j2"
lxc:
containers:
- name: laika
- name: sputnik
revision: "01"
template: debian
template: voidlinux
config:
- lxc.network.type = veth
- lxc.network.hwaddr = 1c:bd:b9:7f:fe:a4
- lxc.network.link = br0
- lxc.network.hwaddr = 2e:6d:b6:07:13:01
- lxc.network.link = br1
- lxc.network.flags = up
- lxc.network.1.type = veth
- lxc.network.1.hwaddr = 00:50:fc:ce:1b:c3
- lxc.network.1.link = br0
- lxc.network.1.flags = up
- lxc.network.1.ipv4 = 128.131.95.206/24
- lxc.network.1.ipv4.gateway = 128.131.95.1
- lxc.pts = 6
- name: betam
revision: "01"
template: debian
config:
- lxc.network.type = veth
- lxc.network.hwaddr = 2e:6d:b6:07:14:01
- lxc.network.link = br0
- lxc.network.link = br1
- lxc.network.flags = up
- lxc.cgroup.devices.allow = c 188:0 rwm
@@ -34,9 +41,10 @@ lxc:
config:
- lxc.network.type = veth
- lxc.network.hwaddr = 2e:6d:b6:07:15:01
- lxc.network.link = br0
- lxc.network.link = br1
- lxc.network.flags = up
- lxc.pts = 6
- lxc.mount.entry = /zv1/zyklon /var/lib/lxc/lxc-zyklon-01/rootfs/var/lib/gitea/ none bind,create=dir 0 0
- name: progress
revision: "01"
@@ -44,21 +52,29 @@ lxc:
config:
- lxc.network.type = veth
- lxc.network.hwaddr = 2e:6d:b6:07:19:01
- lxc.network.link = br0
- lxc.network.link = br1
- lxc.network.flags = up
- lxc.pts = 6
- lxc.mount.entry = /zv1/daten/Scans /var/lib/lxc/lxc-progress-01/rootfs/mnt/scans none bind,create=dir 0 0
- name: sojus
- name: laika
revision: "01"
template: voidlinux
config:
- lxc.network.type = veth
- lxc.network.hwaddr = 2e:6d:b6:07:17:01
- lxc.network.link = br0
- lxc.network.link = br1
- lxc.network.flags = up
- lxc.network.1.type = veth
- lxc.network.1.hwaddr = 00:15:c5:5d:78:0e
- lxc.network.1.link = br0
- lxc.network.1.flags = up
- lxc.network.1.ipv4 = 128.131.95.204/24
- lxc.network.1.ipv4.gateway = 128.131.95.1
- lxc.pts = 6
- lxc.mount.entry = /zv1/sojus /var/lib/lxc/lxc-sojus-01/rootfs/home/backup/repos none bind,create=dir 0 0
- lxc.mount.entry = /zv1/laika /var/lib/lxc/lxc-laika-01/rootfs/home/backup/repos none bind,create=dir 0 0
- name: proteus
revision: "01"
@@ -66,10 +82,29 @@ lxc:
config:
- lxc.network.type = veth
- lxc.network.hwaddr = 2e:6d:b6:07:16:01
- lxc.network.link = br0
- lxc.network.link = br1
- lxc.network.flags = up
- name: juri
revision: "01"
template: debian
config:
- lxc.network.type = veth
- lxc.network.hwaddr = 2e:6d:b6:07:20:01
- lxc.network.link = br1
- lxc.network.flags = up
- name: fetsite
revision: "01"
template: debian
config:
- lxc.network.type = veth
- lxc.network.hwaddr = 2e:6d:b6:07:10:01
- lxc.network.link = br1
- lxc.network.flags = up
common_zfs: True
common_snapper: False
borgbackup_install_from_repo: False
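Review bot: sputnik and laika each get a second veth (`lxc.network.1.*`) attached directly to `br0` with a public 128.131.95.x address, and frames delivered over a bridge port do not pass ariane's INPUT chain (if `br_netfilter` is loaded they hit FORWARD instead, which ariane's template sets to DROP), so the host firewall does not cover these containers; laika's host_vars in this commit set only the borg variables and no `common_iptables_*`. laika is the borg server for repositories created with `borgbackup_encryption_mode: "none"`, so on its public leg sshd is the only control in front of every client's cleartext backup. Give laika and sputnik their own `common_iptables_v4`/`_v6` templates (as proteus and zyklon get here) before this merges, or drop the `br0` leg from laika if the public address is only needed on sputnik. Can't tell from this commit whether the `lxc` role applies a default template.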


@@ -7,7 +7,7 @@ borgbackup_binary_uri: "https://borg.bauerj.eu/borg-{{ borgbackup_binary_version
borgbackup_encryption_mode: "none"
borgbackup_client_backup_server: sojus
borgbackup_client_backup_server: laika
borgbackup_create_jobs:
- name: system


@@ -6,7 +6,7 @@ borgbackup_binary_platform: "borg-linux32"
borgbackup_encryption_mode: "none"
borgbackup_client_backup_server: sojus
borgbackup_client_backup_server: laika
borgbackup_create_jobs:
- name: system

47
host_vars/fsdr Normal file

@@ -0,0 +1,47 @@
inventory_hostname: fsdr.htu.tuwien.ac.at
inventory_hostname_short: fsdr
borgbackup_install_from_repo: False
borgbackup_encryption_mode: "none"
borgbackup_client_backup_server: fsdrnas
borgbackup_create_jobs:
- name: system
options: "--lock-wait 7200"
day: "*"
hour: 0 # default value = 1
minute: 0 # default value = 0
random_hour: 5 # default value : ignore randomization
random_minute: 59 # default value : ignore randomization
directories:
- "/srv"
- "/etc"
- "/home"
- "/root"
- "/var/lib/mailman"
- "/var/www"
- "/var/lib/automysqlbackup/daily/"
excludes: []
borgbackup_prune_enabled: yes
borgbackup_prune_jobs:
- name: system
prune_options: "--lock-wait 7200 --keep-daily=7 --keep-weekly=4 --keep-monthly=12 --keep-yearly=-1"
day: "*"
hour: 12 # default value = 1
minute: 0 # default value = 0
random_hour: 5 # default value : ignore randomization
random_minute: 59 # default value : ignore randomization
borgbackup_check_enabled: yes
borgbackup_check_jobs:
- name: system
check_options: "--lock-wait 28800"
day: 1
hour: 12 # default value = 1
minute: 0 # default value = 0
random_hour: 5 # default value : ignore randomization
random_minute: 59 # default value : ignore randomization
random_day: 27 # default value : ignore randomization
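Review bot: `borgbackup_encryption_mode: "none"` combined with `/etc`, `/root`, `/home`, `/var/lib/mailman` and the automysqlbackup dumps in `directories` means fsdrnas stores this host's shadow file, SSH host keys, list archives and database dumps in cleartext, readable by anyone with access to the repository filesystem or the backup account. If fsdrnas is considered exactly as trusted as fsdr, record that as a deliberate choice in a comment above the key; otherwise `borgbackup_encryption_mode: "repokey-blake2"` with the passphrase kept out of this file (how the role sources it is not visible here). `--keep-yearly=-1` keeps every yearly archive indefinitely, which is fine for a 47-line host definition but worth a comment since the other retention values are bounded.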

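--- a/host_vars/fsdrnas
+++ b/host_vars/fsdrnas
@@ -0,0 +1,13 @@
+inventory_hostname: fsdrnas.htu.tuwien.ac.at
+inventory_hostname_short: fsdrnas
+common_openssh_keys_root:
+- key: "ssh-rsa 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 damadmai@fet.at"
+- key: "ssh-rsa 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 bajo@fet.at"
+common_resolvconf: False
+borgbackup_install_from_repo: True
+borgbackup_binary: "/usr/bin/borg"
+borgbackup_encryption_mode: "none"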


@@ -1,2 +1,7 @@
inventory_hostname: laika.fet.htu.tuwien.ac.at
inventory_hostname_short: laika
borgbackup_install_from_repo: True
borgbackup_binary: "/usr/bin/borg"
borgbackup_encryption_mode: "none"


@@ -5,7 +5,7 @@ borgbackup_install_from_repo: False
borgbackup_encryption_mode: "none"
borgbackup_client_backup_server: sojus
borgbackup_client_backup_server: laika
borgbackup_create_jobs:
- name: system


@@ -5,7 +5,7 @@ borgbackup_install_from_repo: False
borgbackup_encryption_mode: "none"
borgbackup_client_backup_server: sojus
borgbackup_client_backup_server: laika
borgbackup_create_jobs:
- name: system


@@ -2,5 +2,4 @@ inventory_hostname: progress.fet.htu.tuwien.ac.at
inventory_hostname_short: progress
common_iptables_v4: "iptables_progress_v4.j2"
common_iptables_v6: "iptables_progress_v6.j2"
printer_ip: dell3465


@@ -1,2 +1,4 @@
inventory_hostname: proteus.fet.htu.tuwien.ac.at
inventory_hostname_short: proteus
common_iptables_v4: "iptables_proteus_v4.j2"

42
host_vars/ruby Normal file

@@ -0,0 +1,42 @@
inventory_hostname: ruby.fet.htu.tuwien.ac.at
inventory_hostname_short: ruby
borgbackup_install_from_repo: False
borgbackup_encryption_mode: "none"
borgbackup_client_backup_server: laika
borgbackup_create_jobs:
- name: system
options: "--lock-wait 7200"
day: "*"
hour: 0 # default value = 1
minute: 0 # default value = 0
random_hour: 5 # default value : ignore randomization
random_minute: 59 # default value : ignore randomization
directories:
- "/var/lib/mysql"
- "/srv"
excludes: []
borgbackup_prune_enabled: yes
borgbackup_prune_jobs:
- name: system
prune_options: "--lock-wait 7200 --keep-daily=7 --keep-weekly=4 --keep-monthly=12 --keep-yearly=-1"
day: "*"
hour: 12 # default value = 1
minute: 0 # default value = 0
random_hour: 5 # default value : ignore randomization
random_minute: 59 # default value : ignore randomization
borgbackup_check_enabled: yes
borgbackup_check_jobs:
- name: system
check_options: "--lock-wait 28800"
day: 1
hour: 12 # default value = 1
minute: 0 # default value = 0
random_hour: 5 # default value : ignore randomization
random_minute: 59 # default value : ignore randomization
random_day: 27 # default value : ignore randomization
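Review bot: `/var/lib/mysql` is archived as raw files while the server is running, so the archive is not crash-consistent (data files and the InnoDB redo log are read at different instants) and a restore may refuse to start or silently lose the last transactions; fsdr in this same commit instead backs up `/var/lib/automysqlbackup/daily/`. Either add the same dump job to ruby and replace the entry with `- "/var/lib/automysqlbackup/daily/"`, or take the backup from a filesystem snapshot / with the service stopped around `borg create`. The repository on laika is also created with `borgbackup_encryption_mode: "none"`, so the whole database sits there in cleartext; that needs the same explicit decision as for the other clients.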


@@ -1,7 +0,0 @@
inventory_hostname: sojus.fet.htu.tuwien.ac.at
inventory_hostname_short: sojus
borgbackup_install_from_repo: True
borgbackup_binary: "/usr/bin/borg"
borgbackup_encryption_mode: "none"

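--- a/host_vars/sputnik
+++ b/host_vars/sputnik
@@ -0,0 +1,4 @@
+inventory_hostname: sputnik.fet.htu.tuwien.ac.at
+inventory_hostname_short: sputnik
+common_openssh_password_authentication: "yes"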
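Review bot: `common_openssh_password_authentication: "yes"` enables password logins on the one host that `ssh.cfg` in this commit reaches directly (`sputnik.htu.tuwien.ac.at`) and uses as `ProxyJump` for every other machine, and that also receives the `ldap` role here — so an online guess against any directory account becomes an entry point to the whole fleet. Presumably this is to let LDAP users in; if so, scope it rather than setting it globally, e.g. a `Match Address 192.168.86.0/24` block with `PasswordAuthentication yes` and the default left at `no` (whether the openssh template supports a Match block is not visible here). At minimum pair it with a connection rate limit on port 22 (`-m recent` or sshguard) on this host, which currently sets no `common_iptables_*` at all; root is already protected by the group-level `prohibit-password`.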


@@ -1,2 +1,4 @@
inventory_hostname: zyklon.fet.htu.tuwien.ac.at
inventory_hostname_short: zyklon
common_iptables_v4: "iptables_zyklon_v4.j2"


@@ -6,20 +6,23 @@ all:
fetlab:
fet_lxc_debian:
hosts:
lxc-pet-01:
laika:
betam:
proteus:
juri:
fet_lxc_void:
hosts:
sputnik:
zyklon:
sojus:
laika:
progress:
fsdrnas:
fet_qemu:
hosts:
maria-storage:
buran:
nauka:
ruby:
fsdr:
fet_pi:
hosts:
baroness:


@@ -1,2 +0,0 @@
[fet_container]
lxc-pet-01


@@ -1,3 +0,0 @@
[ruby]
#test01
test03


@@ -60,7 +60,7 @@ userns_config="/usr/share/lxc/config/voidlinux.userns.conf"
pkg_blacklist=("linux>=0" "e2fsprogs>=0" "btrfs-progs>=0" "xfsprogs>=0" "f2fs-tools>=0" "dosfstools>=0")
base_packages=()
for pkg in $(xbps-query -Mv --repository="http://repo2.voidlinux.eu/current/" -x base-system); do
for pkg in $(xbps-query -Mv --repository="https://alpha.de.repo.voidlinux.org/current/" -x base-system); do
containsElement "$pkg" "${pkg_blacklist[@]}" || base_packages+=($pkg)
done
declare -a additional_packages
@@ -87,7 +87,7 @@ copy_configuration() {
}
install_void() {
if ! yes | xbps-install -Sy -R http://repo2.voidlinux.eu/current -r "${rootfs_path}" "${base_packages[@]}"
if ! yes | xbps-install -Sy -R https://alpha.de.repo.voidlinux.org/current -r "${rootfs_path}" "${base_packages[@]}"
then
echo "Failed to install container packages"
return 1
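Review bot: `yes | xbps-install -Sy ...` (the `-y` alone already does this) auto-answers the prompt xbps shows when it first sees a repository's signing key from this fresh `${rootfs_path}`, so switching the mirror to HTTPS still leaves package-signature trust to whatever key the mirror presents at build time — trust-on-first-use with no pinning. Seed the container with the host's already-verified keys before installing, `mkdir -p "${rootfs_path}/var/db/xbps/keys" && cp /var/db/xbps/keys/*.plist "${rootfs_path}/var/db/xbps/keys/"`, and drop the `yes |` so an unexpected key fails the build instead of being imported. The same applies to the `xbps-query --repository=...` call in the first hunk, which also runs against the new mirror. `install_void` continues past the end of this hunk.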


@@ -1 +0,0 @@
lxc.aa_profile = unconfined


@@ -1,11 +1,11 @@
---
- name: lxc - install xbps build depencies
package: name="{{ item }}"
package: "name={{ item }}"
with_items:
- zlib1g-dev
- pkg-config
- libarchive-dev
- libssl1.0-dev
- libssl-dev
- name: lxc - xbps git
git:


@@ -5,9 +5,9 @@
- git-all
- gitea
- name: gitea - /etc/gitea.conf
template: dest=/etc/gitea.conf src=gitea.conf.j2 owner=root group=root mode=0644
notify: restart gitea
- name: gitea - git user
user: name=_gitea shell=/bin/bash
- name: gitea - /etc/gitea.conf
template: dest=/etc/gitea.conf src=gitea.conf.j2 owner=_gitea group=root mode=0640
notify: restart gitea
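Review bot: Making `_gitea` the owner of `/etc/gitea.conf` (`owner=_gitea group=root mode=0640`) gives the service account write access to its own configuration — including `INSTALL_LOCK` and the LDAP settings the gitea doc in this commit describes — so a compromised Gitea process can persist by rewriting it. Tightening from 0644 and moving the task after the user is created is the right direction; `owner=root group=_gitea mode=0640` gives the same read access without the write, and the `restart gitea` handler is unaffected. `shell=/bin/bash` on `_gitea` is needed for git over SSH, so that part is fine.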


@@ -0,0 +1,3 @@
---
- name: restart nslcd
service: name=nslcd enabled=yes state=restarted

56
roles/ldap/tasks/ldap.yml Normal file

@@ -0,0 +1,56 @@
---
- name: ldap - install
package: name={{ item }}
with_items:
- nss-pam-ldapd
- name: ldap - /etc/nsswitch.conf
template: dest=/etc/nsswitch.conf src=nsswitch.conf.j2 owner=root group=root mode=0644
- name: ldap - /etc/nslcd.conf
template: dest=/etc/nslcd.conf src=nslcd.conf.j2 owner=root group=nslcd mode=0640
notify: restart nslcd
- name: ldap - start nslcd
service: name=nslcd enabled=yes state=started
- name: ldap - PAM
pamd:
name: "{{ item.name }}"
type: "{{ item.type }}"
new_type: "{{ item.type }}"
control: required
new_control: "{{ item.control }}"
module_path: pam_unix.so
new_module_path: "{{ item.module_path }}"
module_arguments: "{{ item.module_arguments }}"
state: "{{ item.state }}"
with_items:
- { name: system-auth, type: auth, control: sufficient, module_path: pam_ldap.so, module_arguments: minimum_uid=1000, state: before }
- { name: system-auth, type: account, control: sufficient, module_path: pam_ldap.so, module_arguments: minimum_uid=1000, state: before }
- { name: system-auth, type: password, control: sufficient, module_path: pam_ldap.so, module_arguments: minimum_uid=1000, state: before }
- { name: system-auth, type: session, control: optional, module_path: pam_ldap.so, module_arguments: minimum_uid=1000, state: after }
- name: ldap - enable passwd change
lineinfile:
dest: /etc/pam.d/passwd
line: "password sufficient pam_ldap.so"
insertbefore: "^password"
firstmatch: yes
state: present
- name: ldap - sudoers ensure includedir
lineinfile:
dest: /etc/sudoers
line: "#includedir /etc/sudoers.d"
state: present
validate: "/usr/sbin/visudo -cf %s"
- name: sudoers - create
copy:
content: "%admin ALL=(ALL) ALL"
dest: "/etc/sudoers.d/admin"
mode: 0440
owner: root
group: root
validate: "/usr/sbin/visudo -cf %s"
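Review bot: `%admin ALL=(ALL) ALL` in `/etc/sudoers.d/admin` grants root to whoever the `admin` group resolves to, and with `group: files ldap` in this role's nsswitch template that membership is fetched by nslcd over the plain `ldap://` URI in the nslcd template — so anyone able to answer or alter LDAP traffic on the path to gagarin can put themselves in sudo on every host with this role. `minimum_uid=1000` on the `pam_ldap.so` lines correctly stops the directory from shadowing root and other system accounts, but it does not cover group membership; pin the transport (`ssl start_tls` with `tls_reqcert demand` and a CA file, or an `ldaps://` URI) before the sudoers file is deployed. Style: `package: name={{ item }}` with `with_items` should pass the list to `name:` directly, and `mode: 0440` should be quoted (`"0440"`) so YAML does not reinterpret it as an integer.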


@@ -0,0 +1,3 @@
---
- import_tasks: ldap.yml
tags: [ ldap ]


@@ -0,0 +1,9 @@
# {{ ansible_managed }}
# See the manual page nslcd.conf(5) for more information.
uid nslcd
gid nslcd
uri ldap://gagarin.fet.htu.tuwien.ac.at/
base dc=fet,dc=htu,dc=tuwien,dc=ac,dc=at
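Review bot: `uri ldap://gagarin.fet.htu.tuwien.ac.at/` with no `ssl` or `tls_*` directives means nslcd's lookups and the `pam_ldap.so` password checks this role installs go over cleartext, unauthenticated LDAP, so user passwords and the group memberships that feed `/etc/sudoers.d/admin` cross the network in the clear. Add `ssl start_tls`, `tls_reqcert demand` and `tls_cacertfile /etc/ssl/certs/<ca>.pem` here (or switch to an `ldaps://` URI) and make the role fail rather than fall back if the handshake is refused. Deploying the file as `group=nslcd mode=0640` in the task is right; keep it that way if a bind password is ever added.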


@@ -0,0 +1,17 @@
# {{ ansible_managed }}
# /etc/nsswitch.conf
#
# See nsswitch.conf(5) for information.
#
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files mdns mdns4_minimal mdns4 myhostname dns
networks: files
protocols: files
services: files
ethers: files
rpc: files
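Review bot: `hosts: files mdns mdns4_minimal mdns4 myhostname dns` puts the non-minimal `mdns`/`mdns4` modules ahead of `dns`; those are the variants whose scope can be widened beyond `.local` via `/etc/mdns.allow` (exact behaviour depends on the nss-mdns version), and sputnik — which receives this template — also mounts `/home` from the unqualified name `ariane` in the nfs role added in this commit, so a multicast answer from any device on the LAN could be consulted before the real resolver. On servers put `dns` first and keep only the minimal module, `hosts: files myhostname dns mdns4_minimal [NOTFOUND=return]`, or drop mDNS entirely. Also, `shadow: files ldap` is only meaningful if nslcd is allowed to read hashes, which the pam_ldap setup here does not need.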

3
roles/nfs/tasks/main.yml Normal file

@@ -0,0 +1,3 @@
---
- import_tasks: nfs.yml
tags: [ nfs ]

20
roles/nfs/tasks/nfs.yml Normal file

@@ -0,0 +1,20 @@
---
- name: nfs - install
package: name=nfs-utils
- name: nfs - create mountpoints
file: "path={{ item }} owner=root group=root mode=0755 state=directory"
with_items:
- /mnt/save/daten
- /mnt/save/fotos
failed_when: False
- name: nfs - add mountpoints
blockinfile:
path: /etc/fstab
block: |
ariane:/zv1/homes /home nfs intr,hard,rw,fsc 0 0
ariane:/zv1/daten /mnt/save/daten nfs intr,hard,rw,fsc 0 0
ariane:/zv1/fotos /mnt/save/fotos nfs intr,hard,rw,fsc 0 0
validate: "mount -a -T %s"
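Review bot: `validate: "mount -a -T %s"` is not a dry run — it performs every mount from the temporary file as the validation step, and with `hard` and no `bg` the task hangs if ariane is unreachable; use `validate: "mount --fake -a -T %s"` (or `findmnt --verify --tab-file %s`) and do the real mount in a separate `mount`/`command` task. The `/home` export is user-writable yet mounted without `nosuid,nodev`, so a setuid binary written on one client is executable on every other client — `ariane:/zv1/homes /home nfs hard,rw,fsc,nosuid,nodev 0 0`, and the same for the two `/mnt/save` entries; `intr` has been a no-op since kernel 2.6.25 and can go. `failed_when: False` on the mountpoint task hides real failures (a file in the way, read-only `/mnt`) that then reappear as a confusing fstab error; drop it and let `state=directory` be idempotent on its own.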


@@ -3,6 +3,7 @@
package: name={{ item }}
with_items:
- samba
- smbclient
- name: samba - /etc/smb.conf
template: dest=/etc/samba/smb.conf src=smb.conf.j2 owner=root group=root mode=0644
@@ -18,3 +19,10 @@
- name: samba - set smbpasswds
shell: "(echo {{ item['smbpasswd'] }}; echo {{ item['smbpasswd'] }}) | smbpasswd -s -a {{ item['name'] }}"
with_items: '{{ samba_users }}'
changed_when: False
- name: samba - add cronjob for fixing IPv4
cron:
name: samba reboot restart
special_time : reboot
job: "sleep 15 && sv restart smbd"
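Review bot: `{{ item['smbpasswd'] }}` is interpolated unquoted into a `shell:` command in the task directly above the new cron entry and that task has no `no_log`, so a password containing `;`, `$(` or a quote becomes shell code and every password is echoed into the play log; it is context in this hunk, but the hunk extends the file without fixing it. Use `{{ item['smbpasswd'] | quote }}` for both occurrences and add `no_log: true`. The new `@reboot` job `sleep 15 && sv restart smbd` is a fixed-delay workaround for smbd starting before its address exists (inferred from the task name); if `smb.conf` uses `bind interfaces only`, having the runit service wait for the interface, or listening on all interfaces, removes the race instead of racing it.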


@@ -27,6 +27,11 @@
- borg_client
# - rvm1-ansible
- hosts: sputnik
roles:
- ldap
- nfs
- hosts: betam
roles:
- ups
@@ -35,7 +40,7 @@
roles:
- gitea
- hosts: sojus
- hosts: laika
roles:
- borg_server
@@ -61,6 +66,18 @@
roles:
- borg_client
- hosts: ruby
roles:
- borg_client
- hosts: fsdr
roles:
- borg_client
- hosts: fsdrnas
roles:
- borg_server
- hosts: progress
roles:
- scans

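--- a/ssh.cfg
+++ b/ssh.cfg
@@ -0,0 +1,121 @@
+# FET
+Host sputnik
+Hostname sputnik.htu.tuwien.ac.at
+Host kistl
+ProxyJump sputnik
+Host wlan
+User root
+ProxyJump sputnik
+Host atlas
+ProxyJump sputnik
+Host ariane
+Hostname ariane.htu.tuwien.ac.at
+User root
+ProxyJump sputnik
+## virtual on ariane
+Host laika
+User root
+ProxyJump ariane
+Host betam
+User root
+ProxyJump ariane
+Host proteus
+User root
+ProxyJump ariane
+Host zyklon
+User root
+ProxyJump ariane
+Host sojus
+User root
+ProxyJump sputnik
+Host progress
+User root
+Proxyjump sputnik
+Host energija
+Hostname energija.htu.tuwien.ac.at
+ProxyJump sputnik
+## virtual on energija
+Host nauka
+User root
+ProxyJump sputnik
+Host buran
+Hostname buran.htu.tuwien.ac.at
+User root
+ProxyJump sputnik
+Host backup
+ProxyJump sputnik
+Host gagarin
+ProxyJump sputnik
+Host horde5
+ProxyJump sputnik
+Host triton
+User root
+ProxyJump sputnik
+DynamicForward 127.0.0.1:4444
+Host mogok
+ProxyJump sputnik
+Host maria-storage
+User root
+ProxyJump sputnik
+Host miruk
+Port 222
+User root
+ProxyJump triton
+Host cloud
+ProxyJump sputnik
+Host fetruby
+ProxyJump sputnik
+Host fetwiki # triton-2
+Hostname 192.168.95.12
+ProxyJump sputnik
+Host triton-amp
+ProxyJump sputnik
+Host fet
+ProxyJump miruk
+Host baroness
+User root
+Proxyjump sputnik
+## Workstations
+Host potemkin
+ProxyJump sputnik
+Host proton
+ProxyJump sputnik
+Host suchoi
+ProxyJump sputnik
+Host lunik
+ProxyJump sputnik
+# FET Ende
+EscapeChar ~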
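Review bot: The file sets no `UserKnownHostsFile`/`StrictHostKeyChecking`, even though the README in this commit ships `roles/common/files/known_hosts` and tells the operator to merge it by hand; since `-F ./ssh.cfg` replaces the personal config, a first run of `ansible-playbook` depends on whatever is (or is not) in the user's own `known_hosts` for sputnik, the `ProxyJump` every other host goes through. Add before the first `Host` stanza: `UserKnownHostsFile roles/common/files/known_hosts` and `StrictHostKeyChecking yes`, so the pinned keys the repo already carries are used automatically. `DynamicForward 127.0.0.1:4444` on `Host triton` opens a SOCKS proxy into the network as a side effect of every Ansible connection to that host; move it to a separate alias (e.g. `Host triton-socks`) used interactively. `Proxyjump` (lowercase, on progress and baroness) is accepted because keywords are case-insensitive, but `ProxyJump` reads consistently.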


@@ -2,16 +2,22 @@
source /etc/network/interfaces.d/*
auto lo
auto lo br0 br1
iface lo inet loopback
allow-hotplug enp8s0
iface enp8s0 inet dhcp
allow-hotplug enp8s0 enp10s0
auto br0
iface br0 inet manual
bridge_ports enp9s0
iface br0 inet static
bridge_ports enp10s0
bridge_fd 0
bridge_maxwait 0
address 128.131.95.207
netmask 255.255.255.0
network 128.131.95.0
broadcast 128.131.95.255
gateway 128.131.95.1
dns-nameservers 192.168.86.1
iface br1 inet dhcp
bridge_ports enp8s0
bridge_fd 0
bridge_maxwait 0


@@ -4,14 +4,14 @@
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.86.0/24 -d 192.168.86.0/24 -p udp -m multiport --dports 10053,111,2049,32769,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.86.0/24 -d 192.168.86.0/24 -p tcp -m multiport --dports 10053,111,2049,32803,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.86.0/24 -d 192.168.86.0/24 -p udp -m multiport --sports 10053,111,2049,32769,875,892 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.86.0/24 -d 192.168.86.0/24 -p tcp -m multiport --sports 10053,111,2049,32803,875,892 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.86.0/24 -d 192.168.86.0/24 -p udp -m multiport --dports 10053,111,2049,32769,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.86.0/24 -d 192.168.86.0/24 -p tcp -m multiport --dports 10053,111,2049,32803,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.86.0/24 -d 192.168.86.0/24 -p udp -m multiport --sports 10053,111,2049,32769,875,892 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.86.0/24 -d 192.168.86.0/24 -p tcp -m multiport --sports 10053,111,2049,32803,875,892 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable


@@ -1,12 +0,0 @@
# {{ ansible_managed }}
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --syn -j DROP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT


@@ -1,12 +0,0 @@
# {{ ansible_managed }}
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --syn -j DROP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT


@@ -0,0 +1,15 @@
# {{ ansible_managed }}
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT


@@ -0,0 +1,15 @@
# {{ ansible_managed }}
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
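Review bot: `-A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT` admits Gitea's default HTTP listener from any source, and the gitea doc in this commit configures LDAP authentication behind it, so directory passwords are submitted in cleartext to port 3000 unless a reverse proxy elsewhere terminates TLS — if that is the design, restrict the rule to the proxy, `-A INPUT -s <proxy-ip> -p tcp -m tcp --dport 3000 -j ACCEPT`. zyklon's host_vars in this commit set only `common_iptables_v4`, and the two IPv6 templates in this commit are deletions, so if the container obtains a global IPv6 address via router advertisements on its bridge nothing filters that path; add a matching `common_iptables_v6` template or disable IPv6 in the container. Same remark applies to the proteus template with port 80.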