initial commit

This commit is contained in:
Farhad Shahbazi
2016-03-05 16:30:21 +01:00
parent 879fdc14b4
commit acc8f15e9e
18 changed files with 679 additions and 0 deletions

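--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -0,0 +1,71 @@
+---
+common_apt_keys: []
+common_apt_repositories:
+- "deb http://cdn.debian.net/debian {{ ansible_distribution_release }} main contrib non-free"
+- "deb http://cdn.debian.net/debian {{ ansible_distribution_release }}-backports main contrib non-free"
+- "deb http://security.debian.org/ {{ ansible_distribution_release }}/updates main contrib non-free"
+common_apt_upgrade_policy: ""
+common_resolvconf_hnfqdn: true
+common_resolvconf_nameservers: []
+common_resolvconf_domain: ""
+common_resolvconf_search: []
+common_rsyslog_forwards: []
+common_basic_packages:
+- apt-transport-https
+- cron-apt
+- curl
+- dstat
+- etckeeper
+- git
+- htop
+- iputils-ping
+- mtr-tiny
+- ncdu
+- strace
+- sudo
+- tmux
+- tree
+- vim
+- zsh
+# for ansible/debian
+- lsb-release
+- python-apt
+- python-pycurl
+common_scripts:
+- { dest: "/usr/local/bin/zombies", src: "scripts/zombies" }
+common_openssh_keys_root: []
+common_aliases:
+- "mailer-daemon: postmaster"
+- "postmaster: root"
+- "nobody: root"
+- "hostmaster: root"
+- "usenet: root"
+- "news: root"
+- "webmaster: root"
+- "www: root"
+- "ftp: root"
+- "abuse: root"
+- "noc: root"
+- "security: root"
+common_mailer: "postfix"
+common_mailname: "{{ ansible_fqdn }}"
+common_postfix_debug_peer_list: ""
+common_postfix_delay_warning_time: "0h"
+common_postfix_hostname: "{{ ansible_fqdn }}"
+common_postfix_inet_interfaces: loopback-only
+common_postfix_inet_protocols: all
+common_postfix_masquerade_domains: []
+common_postfix_message_size_limit: 10240000
+common_postfix_mydestination: "{{ common_postfix_hostname }}, {{ ansible_hostname }}, localhost.localdomain, localhost"
+common_postfix_mynetworks: "127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128"
+common_postfix_relay_domains: "{{ common_postfix_mydestination }}"
+common_postfix_relayhost: ""
+common_postfix_smtpd_tls_security_level: False
+common_postfix_smtpd_tls_cert_file: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+common_postfix_smtpd_tls_key_file: "/etc/ssl/private/ssl-cert-snakeoil.key"
+common_postfix_smtpd_tls_session_cache_database: "btree:${data_directory}/smtpd_scache"
+common_postfix_smtp_tls_session_cache_database: "btree:${data_directory}/smtp_scache"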
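Review bot: `common_postfix_smtpd_tls_security_level: False` is a YAML boolean, so the template's `{% if common_postfix_smtpd_tls_security_level %}` block is skipped and the default main.cf carries no TLS settings at all, including the two session-cache variables defined here that are only used inside that block. That is tolerable for inbound because `common_postfix_inet_interfaces: loopback-only` keeps smtpd off the network, but there is no variable for the outbound side (`smtp_tls_security_level`), so anything handed to `common_postfix_relayhost` leaves in cleartext; I would add `common_postfix_smtp_tls_security_level: "may"` here and render it in main.cf. The disabled sentinel should be spelled `false` (or `""`, as `common_apt_upgrade_policy` does) rather than `False`, which only parses as a boolean under YAML 1.1 semantics. Note also that every entry in `common_aliases` terminates at `root` and nothing forwards root off-box, so mail to `security:`/`abuse:` sits in a local mailbox on a loopback-only MTA unless the operator adds a `root:` alias; a comment saying so would help.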

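--- a/files/scripts/zombies
+++ b/files/scripts/zombies
@@ -0,0 +1,6 @@
+#!/bin/sh
+# zombies - list all zombies and their parents to kill
+ps f -eo state,pid,ppid,comm | awk '
+{ cmds[$2] = $NF }
+/^Z/ { print $(NF-1) "/" $2 " zombie child of " cmds[$3] "/" $3 }'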
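Review bot: The awk field arithmetic assumes the command name never contains a space: with `ps f` the forest prefix precedes `comm` and zombies print as `name <defunct>`, which is presumably why the zombie line reads `$(NF-1)` while the parent map stores `$NF`, but a parent or zombie whose comm contains whitespace shifts those fields and yields a wrong parent mapping. That assumption deserves a comment, e.g. `# assumes comm has no spaces; zombies print as "name <defunct>", hence NF-1 for the name`. Passing `--no-headers` would also keep the `S PID PPID COMMAND` header line out of the pattern rules (harmless today only because it does not start with Z).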

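--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -0,0 +1,28 @@
+---
+- name: restart ntp
+service: name=ntp state=restarted
+- name: restart rsyslog
+service: name=rsyslog state=restarted
+- name: reload openssh
+service: name=ssh state=reloaded
+- name: restart openssh
+service: name=ssh state=restarted
+- name: restart resolvconf
+service: name=resolvconf state=restarted
+- name: reload mailer
+service: name="{{ common_mailer }}" state=reloaded
+- name: restart mailer
+service: name="{{ common_mailer }}" state=restarted
+- name: newaliases
+command: newaliases
+- name: apt-get update
+apt: update_cache=yes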
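Review bot: The handlers are written as `key=value` argument strings (`service: name=ntp state=restarted`, with an ad-hoc quoted `name="{{ common_mailer }}"`); Ansible style is the native mapping form (`service:` / `name: ntp` / `state: restarted`), which removes the quoting question around the templated name and lets yamllint check the file. The `newaliases` handler is a bare `command:` with no `creates`/`removes` guard, which is acceptable for a handler since it only runs when notified, but a one-line comment such as `# rebuilds /etc/aliases.db; triggered by the /etc/aliases task` would make that explicit.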

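--- a/meta/main.yml
+++ b/meta/main.yml
@@ -0,0 +1,15 @@
+---
+galaxy_info:
+author: Farhad Shahbazi
+description: Common
+company: Spherical Elephant GmbH
+license: MIT
+min_ansible_version: 1.9
+platforms:
+- name: Debian
+versions:
+- jessie
+- wheezy
+categories:
+- system
+dependencies: []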

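--- a/tasks/apt.yml
+++ b/tasks/apt.yml
@@ -0,0 +1,25 @@
+---
+- name: apt - add apt keys
+apt_key: id="{{ item.id }}" url="{{ item.url }}" file="{{ item.file }}" state="{{ item.state }}"
+tags: ['common', 'apt']
+with_items: "{{ common_apt_keys }}"
+- name: apt - add repositories
+apt_repository: repo="{{ item }}" update_cache=yes
+with_items: "{{ common_apt_repositories }}"
+tags: ['common', 'apt']
+- name: apt - remove /etc/apt/sources.list
+file: path=/etc/apt/sources.list state=absent
+notify: apt-get update
+tags: ['common', 'apt']
+- name: install basic tools
+apt: pkg="{{ item }}" cache_valid_time=3600 update_cache=yes
+with_items: "{{ common_basic_packages }}"
+tags: common
+#- name: apt - upgrade system
+# apt: upgrade="{{ common_apt_upgrade_policy }}"
+# when: common_apt_upgrade_policy
+# tags: ['common', 'apt']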
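Review bot: The `apt_key` task passes `id`, `url`, `file` and `state` unconditionally, so every entry of `common_apt_keys` must define all four or the play stops on an undefined attribute, even though a key is normally supplied either by `url` or by `file`. I would write `apt_key: id="{{ item.id }}" url="{{ item.url | default(omit) }}" file="{{ item.file | default(omit) }}" state="{{ item.state | default('present') }}"` and keep `id` mandatory as the full fingerprint, since that check is what ties a key fetched over a plain-http `url` to something the operator expected rather than whatever the transport returned. The repositories are added with `update_cache=yes` before `/etc/apt/sources.list` is removed, so the first `install basic tools` run on a fresh host still resolves against the old list; harmless, but a comment stating the ordering is deliberate would save the next reader a question.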

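--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,35 @@
+---
+- include: resolvconf.yml
+- include: apt.yml
+- name: set vim as default editor
+alternatives: name=editor path=/usr/bin/vim.basic
+when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+tags: common
+- name: copy some custom script
+copy: dest="{{ item.dest }}" src="{{ item.src }}" owner=root group=root mode=0755
+with_items: "{{ common_scripts }}"
+tags: common
+- name: /etc/mailname
+copy: dest=/etc/mailname content="{{ common_mailname }}\n" owner=root group=root mode=0644
+notify: restart mailer
+when: common_mailer != False
+tags: common
+- name: /etc/aliases
+template: dest=/etc/aliases src=aliases.j2 owner=root group=root mode=0644
+notify:
+- newaliases
+- restart mailer
+when: common_mailer != False
+tags: common
+- include: ntp.yml
+- include: openssh.yml
+- include: rsyslog.yml
+- include: "{{ common_mailer }}.yml"
+when: common_mailer != False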
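Review bot: `- include: "{{ common_mailer }}.yml"` builds the included task file from an inventory value with no allow-list, and the only mailer file in this commit is `postfix.yml`, so any other value (including the empty string, for which `"" != False` is still true) fails late in the play on a missing file instead of a clear error. I would guard it with `when: common_mailer in ['postfix']` (or assert that early) and document in `defaults/main.yml` that disabling the mailer means `common_mailer: false`, since the three `!= False` tests compare against a boolean and an empty string would not skip these tasks. The `copy: ... content="{{ common_mailname }}\n"` line relies on the key=value argument parser turning `\n` into a newline; a native YAML `content: "{{ common_mailname }}\n"` makes that explicit.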

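--- a/tasks/ntp.yml
+++ b/tasks/ntp.yml
@@ -0,0 +1,11 @@
+---
+- name: ntp - install
+apt: name=ntp
+when: ansible_virtualization_type != 'lxc' or ansible_virtualization_role == 'host'
+tags: ['common', 'ntp']
+- name: ntp - run and enable
+service: name=ntp state=started enabled=yes
+when: ansible_virtualization_type != 'lxc' or ansible_virtualization_role == 'host'
+tags: ['common', 'ntp']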

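--- a/tasks/openssh.yml
+++ b/tasks/openssh.yml
@@ -0,0 +1,20 @@
+---
+- name: openssh - install
+apt: name=openssh-server
+tags: ['common', 'openssh']
+- name: openssh - start and enable
+service: name=ssh state=running enabled=yes
+tags: ['common', 'openssh']
+- name: openssh - config
+template: dest=/etc/ssh/sshd_config src=sshd_config.j2 owner=root group=root mode=0600
+notify: reload openssh
+tags: ['common', 'openssh']
+- name: openssh - root keys
+authorized_key: user="root" key="{{ item }}"
+with_items: "{{ common_openssh_keys_root }}"
+when: common_openssh_keys_root
+tags: ['common', 'openssh', 'ssh-keys']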
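Review bot: The `openssh - config` template task has no `validate=`, so a bad render of `sshd_config.j2` is written straight over `/etc/ssh/sshd_config` and the `reload openssh` handler then fails, which on a remote host can mean losing the only way in; add `validate="/usr/sbin/sshd -t -f %s"` to that `template:` line so sshd rejects the file before it replaces the live one. The `authorized_key` loop only ever adds keys (no `state=absent` path, no `exclusive`), so a key dropped from `common_openssh_keys_root` stays authorized for root until someone edits the file by hand; that is the root login credential, so it deserves either an explicit removal path or a comment saying rotation is manual. Minor: `state=running` is the older alias for `started`, which the sibling tasks already use.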

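--- a/tasks/postfix.yml
+++ b/tasks/postfix.yml
@@ -0,0 +1,13 @@
+---
+- name: install postfix
+apt: name="postfix" state=present
+tags: ['common', 'postfix']
+- name: postfix config
+template: dest="/etc/postfix/{{ item }}" src="postfix/{{ item }}.j2" owner=root group=root mode=0644
+with_items:
+- main.cf
+- master.cf
+notify: restart mailer
+tags: ['common', 'postfix']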
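Review bot: Both templates notify `restart mailer`, although main.cf and master.cf edits only need `postfix reload` (the header of the master.cf template says as much) and a restart drops in-flight SMTP sessions; the role already defines a `reload mailer` handler, so `notify: reload mailer` here would suffice. There is also no validation of the rendered files before they go live, so a broken render leaves postfix down until the next run; if a `validate` step is not practical because `postfix check` reads the installed files, a comment like `# rendered main.cf/master.cf are not validated before reload` should at least make that failure mode visible.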

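--- a/tasks/resolvconf.yml
+++ b/tasks/resolvconf.yml
@@ -0,0 +1,16 @@
+---
+- name: resolvconf - install
+apt: name=resolvconf state=present
+tags: ['common', 'resolvconf']
+- name: resolvconf - tail file
+template: dest=/etc/resolvconf/resolv.conf.d/tail src=resolvconf_tail.j2 owner=root group=root mode=0644
+when: common_resolvconf_nameservers
+notify: restart resolvconf
+tags: ['common', 'resolvconf']
+- name: resolvconf - start and enable
+service: name=resolvconf state=started enabled=yes
+tags: ['common', 'resolvconf']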
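Review bot: The `tail` template is only rendered `when: common_resolvconf_nameservers` is non-empty, but `resolvconf_tail.j2` has a separate branch that derives the nameserver from `ansible_local.hardwarenode.hnfqdn` when `common_resolvconf_hnfqdn` is true (the default) and that branch ignores the list, so a host relying on the hardware-node lookup with the default `common_resolvconf_nameservers: []` never gets the file written. The condition should cover both inputs, e.g. `when: common_resolvconf_nameservers or (common_resolvconf_hnfqdn and ansible_local is defined and ansible_local.hardwarenode is defined)`. There is also no `state=absent` counterpart, so a tail file from an earlier run survives after the variables are cleared and keeps resolution pointed at the old server.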

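--- a/tasks/rsyslog.yml
+++ b/tasks/rsyslog.yml
@@ -0,0 +1,25 @@
+---
+- name: rsyslog - install
+apt: name=rsyslog
+tags: ['common', 'rsyslog']
+- name: rsyslog - rsyslog.conf
+template: dest=/etc/rsyslog.conf src=rsyslog.conf.j2 owner=root group=root mode=0644
+notify: restart rsyslog
+tags: ['common', 'rsyslog']
+- name: rsyslog - rsyslog.d
+file: path=/etc/rsyslog.d state=directory owner=root group=root mode=0755
+notify: restart rsyslog
+tags: ['common', 'rsyslog']
+- name: rsyslog - syslog forwarding client.conf
+template: dest=/etc/rsyslog.d/forwards.conf src=rsyslog_forwards.conf.j2 owner=root group=root mode=0644
+when: common_rsyslog_forwards
+notify: restart rsyslog
+tags: ['common', 'rsyslog']
+- name: rsyslog - start and enable
+service: name=rsyslog state=started enabled=yes
+tags: ['common', 'rsyslog']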
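Review bot: `forwards.conf` is only written `when: common_rsyslog_forwards` and nothing removes it, so once a host's forward list is emptied the previous destination keeps receiving every line of `auth.log` and `syslog` from that machine; pair the task with `file: path=/etc/rsyslog.d/forwards.conf state=absent` under `when: not common_rsyslog_forwards` with the same `notify`. The `file: path=/etc/rsyslog.d state=directory` task notifies a restart merely for ensuring a directory that the package appears to ship already, which costs an extra rsyslog restart on first run; dropping that `notify` is safe because the directory by itself changes nothing rsyslog has loaded.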

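--- a/templates/aliases.j2
+++ b/templates/aliases.j2
@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+# /etc/aliases
+{% for alias in common_aliases %}
+{{ alias }}
+{% endfor %}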


@@ -0,0 +1,46 @@
# {{ ansible_managed }}
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
myorigin = /etc/mailname
debug_peer_list = {{ common_postfix_debug_peer_list }}
{% if common_postfix_masquerade_domains %}
masquerade_domains =
{% for domain in common_postfix_masquerade_domains %}
{{ domain }}
{% endfor %}
{% endif %}
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# generate "delayed mail" warnings
delay_warning_time = {{ common_postfix_delay_warning_time }}
readme_directory = no
{% if common_postfix_smtpd_tls_security_level %}
# TLS parameters
smtpd_tls_security_level={{ common_postfix_smtpd_tls_security_level }}
smtpd_tls_cert_file={{ common_postfix_smtpd_tls_cert_file }}
smtpd_tls_key_file={{ common_postfix_smtpd_tls_key_file }}
smtpd_tls_session_cache_database = {{ common_postfix_smtpd_tls_session_cache_database }}
smtp_tls_session_cache_database = {{ common_postfix_smtp_tls_session_cache_database }}
{% endif %}
myhostname = {{ common_postfix_hostname }}
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = {{ common_postfix_mydestination }}
relayhost = {{ common_postfix_relayhost }}
mynetworks = {{ common_postfix_mynetworks }}
relay_domains = {{ common_postfix_relay_domains }}
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = {{ common_postfix_inet_interfaces }}
inet_protocols = {{ common_postfix_inet_protocols }}
message_size_limit = {{ common_postfix_message_size_limit }}
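Review bot: The rendered main.cf never sets `smtp_tls_security_level`, so outbound delivery — including everything handed to `relayhost` — is negotiated in cleartext even when the `smtpd_tls_*` block is enabled, and that block is itself off unless the operator changes `common_postfix_smtpd_tls_security_level`. Add `smtp_tls_security_level = may` (plus `smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt` if the relay's certificate is to be checked) next to `smtp_tls_session_cache_database`, which is currently the only client-side TLS setting and does nothing on its own. The `masquerade_domains =` list is emitted as continuation lines, which Postfix only accepts when each `{{ domain }}` line starts with whitespace; this rendering drops indentation so I cannot tell whether the template indents them — worth checking the generated file once. The page shows no path for this section; from `tasks/postfix.yml` it is presumably `templates/postfix/main.cf.j2`.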


@@ -0,0 +1,122 @@
# {{ansible_managed}}
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - - - - smtpd
#smtp inet n - - - 1 postscreen
#smtpd pass - - - - - smtpd
#dnsblog unix - - - - 0 dnsblog
#tlsproxy unix - - - - 0 tlsproxy
#submission inet n - - - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - - - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - - - - qmqpd
pickup unix n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
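Review bot: The pipe transports at the bottom (`maildrop`, `uucp`, `ifmail`, `bsmtp`, `scalemail-backend`, `mailman`) are enabled unconditionally and run external programs as `vmail`, `uucp`, `ftn`, `bsmtp`, `scalemail` and `list`, none of which this role creates or references anywhere else; they look like the stock Debian entries and only fire when something routes to them, so the risk is low, but six unused delivery agents on a loopback-only MTA are surplus attack surface and I would comment them out in the template. `submission`/`smtps` stay commented, so the single listener is `smtp inet ... smtpd` bound per `inet_interfaces`; a line at the top such as `# only the smtp listener is enabled; submission/smtps intentionally off, mail accepted from loopback only` would record that intent for whoever next reaches for the commented stanzas. The page shows no path for this section; from `tasks/postfix.yml` it is presumably `templates/postfix/master.cf.j2`.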


@@ -0,0 +1,17 @@
# {{ ansible_managed }}
{% if common_resolvconf_domain %}
domain {{ common_resolvconf_domain }}
{% endif %}
{% if ansible_local is defined and ansible_local.hardwarenode.hnfqdn and common_resolvconf_hnfqdn %}
nameserver {{ lookup('dig', ansible_local.hardwarenode.hnfqdn ) }}
{% else %}
{% for n in common_resolvconf_nameservers %}
nameserver {{ n }}
{% endfor %}
{% endif %}
{% if common_resolvconf_search %}
search {% for s in common_resolvconf_search %}{{ s }} {% endfor %}
{% endif %}
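Review bot: `ansible_local.hardwarenode.hnfqdn` is evaluated whenever `ansible_local is defined`, so a host that has any local facts but no `hardwarenode` fact fails the template on an undefined attribute instead of falling through to `common_resolvconf_nameservers`; the condition should be `{% if common_resolvconf_hnfqdn and ansible_local is defined and ansible_local.hardwarenode is defined and ansible_local.hardwarenode.hnfqdn is defined and ansible_local.hardwarenode.hnfqdn %}`. The `lookup('dig', ...)` runs on the control machine, so the address written into the target's resolv.conf is what the controller's resolver returns for that name — fine when both see the same DNS, but it deserves a comment, e.g. `{# dig lookup is resolved on the Ansible controller, not on the target #}`.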

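--- a/templates/rsyslog.conf.j2
+++ b/templates/rsyslog.conf.j2
@@ -0,0 +1,124 @@
+# {{ ansible_managed }}
+# /etc/rsyslog.conf Configuration file for rsyslog.
+#
+# For more information see
+# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+#################
+#### MODULES ####
+#################
+$ModLoad imuxsock # provides support for local system logging
+{% if ansible_virtualization_type != 'lxc' %}
+$ModLoad imklog # provides kernel logging support
+{% endif %}
+#$ModLoad immark # provides --MARK-- message capability
+# provides UDP syslog reception
+#$ModLoad imudp
+#$UDPServerRun 514
+# provides TCP syslog reception
+#$ModLoad imtcp
+#$InputTCPServerRun 514
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+#
+# Where to place spool and state files
+#
+$WorkDirectory /var/spool/rsyslog
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+###############
+#### RULES ####
+###############
+#
+# First some standard log files. Log by facility.
+#
+auth,authpriv.* /var/log/auth.log
+*.*;auth,authpriv.none -/var/log/syslog
+#cron.* /var/log/cron.log
+daemon.* -/var/log/daemon.log
+kern.* -/var/log/kern.log
+lpr.* -/var/log/lpr.log
+mail.* -/var/log/mail.log
+user.* -/var/log/user.log
+#
+# Logging for the mail system. Split it up so that
+# it is easy to write scripts to parse these files.
+#
+mail.info -/var/log/mail.info
+mail.warn -/var/log/mail.warn
+mail.err /var/log/mail.err
+#
+# Logging for INN news system.
+#
+news.crit /var/log/news/news.crit
+news.err /var/log/news/news.err
+news.notice -/var/log/news/news.notice
+#
+# Some "catch-all" log files.
+#
+*.=debug;\
+auth,authpriv.none;\
+news.none;mail.none -/var/log/debug
+*.=info;*.=notice;*.=warn;\
+auth,authpriv.none;\
+cron,daemon.none;\
+mail,news.none -/var/log/messages
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg :omusrmsg:*
+#
+# I like to have messages displayed on the console, but only on a virtual
+# console I usually leave idle.
+#
+#daemon,mail.*;\
+# news.=crit;news.=err;news.=notice;\
+# *.=debug;*.=info;\
+# *.=notice;*.=warn /dev/tty8
+# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
+# you must invoke `xconsole' with the `-file' option:
+#
+# $ xconsole -file /dev/xconsole [...]
+#
+# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
+# busy site..
+#
+daemon.*;mail.*;\
+news.err;\
+*.=debug;*.=info;\
+*.=notice;*.=warn |/dev/xconsole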
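Review bot: This template reads as the stock Debian rsyslog.conf with a single role-specific change, the `{% if ansible_virtualization_type != 'lxc' %}` guard around `imklog`; a header comment saying so (`# Debian default rsyslog.conf; the only role change is the imklog guard for LXC guests`) would tell the next maintainer which lines are safe to re-sync from the package and which one must be kept. `$FileCreateMode 0640` with `$FileGroup adm` is what keeps `auth.log` out of world-readable reach, which is the part worth calling out if anyone later trims the global directives.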


@@ -0,0 +1,9 @@
# {{ ansible_managed }}
{% for dest in common_rsyslog_forwards %}
$ActionQueueType LinkedList
$ActionQueueFileName {{ dest.name }}
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
*.* {{ dest.dest }};RSYSLOG_ForwardFormat
{% endfor %}
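Review bot: Each forward sends `*.*` to `{{ dest.dest }}` with a `LinkedList` disk-assisted queue and `$ActionResumeRetryCount -1` but no `$ActionQueueMaxDiskSpace`, so a destination that stays down lets the queue grow under `/var/spool/rsyslog` without bound; add a cap such as `$ActionQueueMaxDiskSpace 1g` in the same per-action group. Nothing here enables TLS for the stream (no `$DefaultNetstreamDriver gtls` / `$ActionSendStreamDriverMode 1`), so whatever `dest.dest` points at receives `auth.log` and everything else in cleartext over the wire; if the collector supports it those driver lines belong in this loop, and if not the role should at least document that forwarding is unencrypted. The `$Action*` settings apply to the next action only, so placing them inside the loop is correct; a comment to that effect would stop someone hoisting them out of it.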

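--- a/templates/sshd_config.j2
+++ b/templates/sshd_config.j2
@@ -0,0 +1,89 @@
+# {{ ansible_managed }}
+# See the sshd_config(5) manpage for details
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin without-password
+StrictModes yes
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+Subsystem sftp {{ common_openssh_subsystem_sftp | default("/usr/lib/openssh/sftp-server") }}
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes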
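Review bot: `HostKey /etc/ssh/ssh_host_dsa_key` keeps a 1024-bit DSA host key in service on every host; later OpenSSH releases disable `ssh-dss` by default and nothing in the role depends on it, so drop that line and leave RSA/ECDSA/Ed25519. `KeyRegenerationInterval` and `ServerKeyBits` are SSH-1-only settings that are dead once `Protocol 2` is set, and `X11Forwarding yes` is enabled on what is otherwise a server baseline; I would set `X11Forwarding no` and remove the two SSH-1 lines. `PermitRootLogin without-password` together with `PasswordAuthentication no` and `ChallengeResponseAuthentication no` is the intended key-only root access fed by `common_openssh_keys_root`, which is consistent, but it deserves a comment stating that (`# root login is key-only; keys are managed via common_openssh_keys_root`) given how often this line gets flipped to `yes`. No `Ciphers`/`KexAlgorithms`/`MACs` are pinned, so whatever the wheezy/jessie OpenSSH defaults are will apply; if the role wants a known baseline across both releases it should template those too, but I would not invent a list in this review.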