From b5bd8c8896690670ba4ebe27d0b3a9155200b9b6 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Wed, 13 Feb 2019 18:47:54 +0100 Subject: [PATCH 01/11] IPA server role. --- ipa-server/defaults/main.yml | 17 +++++++ .../files/lets-encrypt-x3-cross-signed.pem | 47 +++++++++++++++++++ ipa-server/tasks/main.yml | 31 ++++++++++++ 3 files changed, 95 insertions(+) create mode 100644 ipa-server/defaults/main.yml create mode 100644 ipa-server/files/lets-encrypt-x3-cross-signed.pem create mode 100644 ipa-server/tasks/main.yml diff --git a/ipa-server/defaults/main.yml b/ipa-server/defaults/main.yml new file mode 100644 index 0000000..993e039 --- /dev/null +++ b/ipa-server/defaults/main.yml @@ -0,0 +1,17 @@ +--- +ipa_server_install: False +ipa_server_use_dns: True + +ipa_server_domain: example.org +ipa_server_realm: '{{ ipa_server_domain | upper }}' + +ipa_server_packages: + - ipa-server + +ipa_server_dns_packages: + - ipa-server-dns + +ipa_installation_options: '--external-cert-file=/etc/pki/ipa/{{ ipa_letsencrypt_ca_filename }} --external-cert-file={{ letsencrypt_acme_certs_dir }}/fullchain --external-cert=file={{ letsencrypt_acme_certs_dir }}/privkey -r {{ ipa_server_realm }} -n {{ ipa_server_domain }} -a {{ ipa_admin_password }} -p {{ ipa_manager_password }} --hostname={{ ansible_fqdn }} -U --setup-dns --no-forwarders --no-reverse --zonemgr=s2i2s-master@isti.cnr.it' + +ipa_ssl_letsencrypt_managed: True +ipa_letsencrypt_ca_filename: lets-encrypt-x3-cross-signed.pem diff --git a/ipa-server/files/lets-encrypt-x3-cross-signed.pem b/ipa-server/files/lets-encrypt-x3-cross-signed.pem new file mode 100644 index 0000000..edb4954 --- /dev/null +++ b/ipa-server/files/lets-encrypt-x3-cross-signed.pem 
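Review bot: `ipa_installation_options` embeds `{{ ipa_admin_password }}` and `{{ ipa_manager_password }}` in an argv string, so whichever task eventually runs it will expose both passwords in the process table and in any Ansible log that records the command line; that task needs `no_log: True`, and the installer should get the secrets from a file or environment rather than argv if it supports that. The third option is spelled `--external-cert=file=` while the two before it use `--external-cert-file=`, which looks like a typo the installer will reject, and that same option receives `privkey` although its name says it takes a certificate — worth confirming against the installer's option list. `--zonemgr=s2i2s-master@isti.cnr.it` is a site-specific address hard-coded into a role default; move it to its own variable such as `ipa_server_zonemgr`. `ipa_server_install: False`, `ipa_server_use_dns: True` and `ipa_ssl_letsencrypt_managed: True` should be lowercase `false`/`true` for portability across YAML 1.1/1.2 loaders.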
@@ -0,0 +1,47 @@ +-----BEGIN CERTIFICATE----- +MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/ +MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT +DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow +SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT +GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF +q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8 +SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0 +Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA +a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj +/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T +AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG +CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv +bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k +c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw +VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC +ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz +MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu +Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF +AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo +uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/ +wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu +X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG +PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6 +KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ +MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT +DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow +PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD 
+Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O +rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq +OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b +xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw +7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD +aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV +HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG +SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 +ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr +AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz +R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 +JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo +Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ +-----END CERTIFICATE----- diff --git a/ipa-server/tasks/main.yml b/ipa-server/tasks/main.yml new file mode 100644 index 0000000..09e8d00 --- /dev/null +++ b/ipa-server/tasks/main.yml 
@@ -0,0 +1,31 @@ +--- +- block: +# - name: Create the acme hooks directory if it does not yet exist +# file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root + +# - name: Install a script that fix the letsencrypt certificate for ipa and then reload the service +# template: src=ipa-letsencrypt-acmetool.sh dest={{ letsencrypt_acme_services_scripts_dir }}/ipa owner=root group=root mode=4555 + + - name: Create the ipa certificate directory + file: dest=/etc/pki/ipa state=directory owner=root group=root mode=0750 + + - name: Install the Letsencrypt CA file with both the root and the trusted CAs + copy: src={{ ipa_letsencrypt_ca_filename }} dest=/etc/pki/ipa/{{ ipa_letsencrypt_ca_filename }} mode=0444 + + when: + - ipa_ssl_letsencrypt_managed + - letsencrypt_acme_install + tags: [ 'ipa', 'letsencrypt', 'ipa_letsencrypt' ] + +- block: + - name: Install the FreeIPA server packages + yum: pkg={{ ipa_server_packages }} state=present + + - name: Install the FreeIPA DNS server packages + yum: pkg={{ ipa_server_dns_packages }} state=present + + when: + - ipa_server_install + - ansible_distribution_file_variety == "RedHat" + + tags: [ 'ipa' ] From b542a58a8ccf616fe152f72bf73db368f3ba9fca Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Wed, 13 Feb 2019 18:48:32 +0100 Subject: [PATCH 02/11] RH/CentOS compatibility for the users role. --- users/defaults/main.yml | 4 +++- users/tasks/main.yml | 24 +++++++++++++++++++++--- 2 files changed, 24 insertions(+), 4 deletions(-) diff --git a/users/defaults/main.yml b/users/defaults/main.yml index 9d0ecda..1ca43f5 100644 --- a/users/defaults/main.yml +++ b/users/defaults/main.yml 
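Review bot: The first block's `when` tests `letsencrypt_acme_install`, which is not defined in ipa-server/defaults/main.yml (nor is `letsencrypt_acme_certs_dir`, used by the defaults), so the role aborts with an undefined-variable error unless the letsencrypt role happens to have run earlier; either declare that role in meta/main.yml or guard with `letsencrypt_acme_install | default(False)`. Nothing in this hunk runs the installer, so `ipa_installation_options` is defined but unused; presumably a later commit adds that task. The two commented-out tasks at the top of the first block are dead code and should be removed or tracked elsewhere.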
@@ -5,7 +5,9 @@ # Users can have sudo privileges if the 'admin' property is 'true' # admin users can also directly log as root when 'user_admin_can_log_as_root' is set to 'true' -users_sudoers_group: sudo +deb_users_sudoers_group: sudo +rh_users_sudoers_group: wheel +users_sudoers_group: '{{ deb_users_sudoers_group }}' users_sudoers_create_group: False users_sudoers_create_sudo_conf: False users_home_dir: /home diff --git a/users/tasks/main.yml b/users/tasks/main.yml index 9f2bfe3..9cf9739 100644 --- a/users/tasks/main.yml +++ b/users/tasks/main.yml @@ -22,10 +22,28 @@ with_items: '{{ users_system_users | default([]) }}' when: item.ssh_key is defined - - name: Add the admin users to the sudoers group - user: name={{ item.login }} groups={{ users_sudoers_group }} append=yes + - name: Add the admin users to the sudoers group on debian based systems + user: name={{ item.login }} groups={{ deb_users_sudoers_group }} append=yes with_items: '{{ users_system_users | default([]) }}' - when: item.admin + when: + - item.admin + - ansible_distribution_file_variety == "Debian" + + - name: Add the admin users to the sudoers group on rh/centos systems + user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes + with_items: '{{ users_system_users | default([]) }}' + when: + - item.admin + - ansible_distribution_file_variety == "RedHat" + + - name: Permit sudo without password + lineinfile: + path: /etc/sudoers + state: present + regexp: '^%{{ rh_users_sudoers_group }}\s' + line: '%{{ rh_users_sudoers_group }} ALL=(ALL) NOPASSWD: ALL' + when: ansible_distribution_file_variety == "RedHat" + tags: [ 'users', 'sudo_wheel' ] - name: ensure that the users can login with their ssh keys as root if we want ensure direct access authorized_key: user=root key="{{ item.ssh_key }}" state=present From efc0b242ba22c2ed49449b2d17d4f056cf72998c Mon Sep 17 00:00:00 2001 
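Review bot: `users_sudoers_group: '{{ deb_users_sudoers_group }}'` always resolves to `sudo`, so any playbook that still consumes the old variable on a RH/CentOS host gets the Debian group rather than `wheel`; since defaults are expanded lazily, `users_sudoers_group: '{{ rh_users_sudoers_group if ansible_distribution_file_variety == "RedHat" else deb_users_sudoers_group }}'` keeps the old name meaningful on both families. `users_sudoers_create_group: False` and the line below it should use lowercase `false` like the rest of the new code is expected to.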
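Review bot: The new `Permit sudo without password` task edits `/etc/sudoers` in place with `lineinfile` and no `validate`, so a malformed line (an empty `rh_users_sudoers_group`, for instance) is written as-is and every subsequent sudo invocation fails with a parse error; add `validate: '/usr/sbin/visudo -cf %s'` to the task, or write the rule to a file under `/etc/sudoers.d/` with `mode: '0440'` and the same validate. The Debian counterpart added in PATCH 07 (users/tasks/main.yml, `@@ -29,6 +29,15 @@`) has the same gap. Granting `NOPASSWD: ALL` to the whole group is broader than the stock `wheel`/`sudo` policy and should be gated behind a documented variable rather than applied unconditionally. The tag `sudo_wheel` is also attached to the Debian task in PATCH 07, where no wheel group is involved, so the tag name is misleading.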
From: Andrea Dell'Amico Date: Wed, 13 Feb 2019 18:49:57 +0100 Subject: [PATCH 03/11] Role that configure users and sudo permissions. --- user_services_perms/defaults/main.yml | 24 +++++++++++++++++++ user_services_perms/meta/main.yml | 3 +++ user_services_perms/tasks/common-groups.yml | 23 ++++++++++++++++++ .../tasks/common-users-data-dirs.yml | 16 +++++++++++++ user_services_perms/tasks/main.yml | 7 ++++++ .../tasks/services-data-dirs.yml | 23 ++++++++++++++++++ user_services_perms/tasks/sudo-config.yml | 6 +++++ .../templates/service-sudoers.j2 | 2 ++ 8 files changed, 104 insertions(+) create mode 100644 user_services_perms/defaults/main.yml create mode 100644 user_services_perms/meta/main.yml create mode 100644 user_services_perms/tasks/common-groups.yml create mode 100644 user_services_perms/tasks/common-users-data-dirs.yml create mode 100644 user_services_perms/tasks/main.yml create mode 100644 user_services_perms/tasks/services-data-dirs.yml create mode 100644 user_services_perms/tasks/sudo-config.yml create mode 100644 user_services_perms/templates/service-sudoers.j2 diff --git a/user_services_perms/defaults/main.yml b/user_services_perms/defaults/main.yml new file mode 100644 index 0000000..46373b9 --- /dev/null +++ b/user_services_perms/defaults/main.yml 
@@ -0,0 +1,24 @@ +--- +service_custom_installation: False +service_user: sys_admin +service_group: '{{ sys_user }}' +service_sudoers_group: adminsu + +service_data_directory: /var/lib/foo +#service_other_directories: +# - /var/lib/bar + +service_log_directories: + - /var/log/foo + - /var/log/foo/search + +# Define the following if you want some directories readable and writable by the common group but outside the default app data dirs +#additional_data_directories: +# - { name: '/data/1', perms: 0755, create: True, owner: 'root', group: '{{ sys_group }}', aclperms: 'rwX' } +# - { name: '/data/2', create: False, perms: 0755, owner: 'root', group: '{{ sys_group }}', aclperms: 'rwX' } +# - { name: '/data/bah', create: False, perms: 0644, aclperms: 'rw' } + +# Define the following array when you want to add commands to the sudoers file +#service_sudo_commands: +# - /etc/init.d/virtuoso-opensource-7 +# - /sbin/reboot diff --git a/user_services_perms/meta/main.yml b/user_services_perms/meta/main.yml new file mode 100644 index 0000000..df990e0 --- /dev/null +++ b/user_services_perms/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - '../../library/roles/users' diff --git a/user_services_perms/tasks/common-groups.yml b/user_services_perms/tasks/common-groups.yml new file mode 100644 index 0000000..54ae849 --- /dev/null +++ b/user_services_perms/tasks/common-groups.yml 
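Review bot: `service_group: '{{ sys_user }}'` references `sys_user`, which nothing in this role defines (the commented examples below use `sys_group`), so every task that expands `service_group` — the ACL tasks in common-users-data-dirs.yml and services-data-dirs.yml and the group creation in common-groups.yml — fails with an undefined variable unless the playbook happens to set it; give it a literal default such as `service_group: '{{ service_user }}'` and document that it is meant to be overridden. The commented `perms: 0755` / `perms: 0644` examples should be quoted (`'0755'`) so that they survive copy-paste into a real entry as strings. `service_custom_installation: False` should be lowercase `false`.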
@@ -0,0 +1,23 @@ +--- +- block: + - name: Create the service user, if it is not used to run the tomcat instances + user: name={{ service_user }} home={{ service_data_directory }} createhome=no shell=/usr/sbin/nologin + + - name: Add the additional service groups + group: name={{ item }} state=present + with_items: + - '{{ service_group }}' + - '{{ service_sudoers_group }}' + + - name: Add selected users to the limited sudoers group + user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes + with_items: '{{ users_system_users | default([]) }}' + when: item.limited_sudoers_user + + - name: Remove selected users to the limited sudoers group + user: name={{ item.login }} groups={{ service_sudoers_group }} + with_items: '{{ users_system_users | default([]) }}' + when: not item.limited_sudoers_user + + when: service_custom_installation + tags: [ 'services', 'users' ] diff --git a/user_services_perms/tasks/common-users-data-dirs.yml b/user_services_perms/tasks/common-users-data-dirs.yml new file mode 100644 index 0000000..8ae7b1b --- /dev/null +++ b/user_services_perms/tasks/common-users-data-dirs.yml 
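Review bot: The `Remove selected users to the limited sudoers group` task does the opposite of its name: `user: name={{ item.login }} groups={{ service_sudoers_group }}` without `append=yes` replaces the user's supplementary groups with exactly the sudoers group, so every user with `limited_sudoers_user` false is put into it (and dropped from all other groups). The `user` module cannot subtract a single group; removal needs something like `command: gpasswd -d {{ item.login }} {{ service_sudoers_group }}` guarded by a membership check, or managing the group's full member list. Both tasks read `item.limited_sudoers_user` unconditionally, which errors for any `users_system_users` entry lacking the key; use `item.limited_sudoers_user | default(False)`. PATCH 06 later changes this task to `append=yes` (sudoers-groups.yml, `@@ -15,9 +11,8 @@`), which stops the group wipe but still adds rather than removes.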
@@ -0,0 +1,16 @@ +--- +- block: + - name: Create the users additional data dirs + file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }} + with_items: '{{ additional_data_directories | default([]) }}' + when: item.create and not item.file + + - name: Set the read/write/access permissions on the users additional data dirs + acl: name={{ item.name }} entity={{ service_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present recursive=yes + with_items: '{{ additional_data_directories | default([]) }}' + + - name: Set the default read/write/access permissions on the users additional data dirs + acl: name={{ item.name }} entity={{ service_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present default=yes recursive=yes + with_items: '{{ additional_data_directories | default([]) }}' + + tags: [ 'users', 'users_acl' ] diff --git a/user_services_perms/tasks/main.yml b/user_services_perms/tasks/main.yml new file mode 100644 index 0000000..2487c89 --- /dev/null +++ b/user_services_perms/tasks/main.yml @@ -0,0 +1,7 @@ +--- +- import_tasks: common-groups.yml +- import_tasks: sudo-config.yml +- import_tasks: services-data-dirs.yml + when: service_custom_installation +- import_tasks: common-users-data-dirs.yml + when: additional_data_directories is defined diff --git a/user_services_perms/tasks/services-data-dirs.yml b/user_services_perms/tasks/services-data-dirs.yml new file mode 100644 index 0000000..443e0fb --- /dev/null +++ b/user_services_perms/tasks/services-data-dirs.yml 
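Review bot: `when: item.create and not item.file` reads `item.file`, but none of the documented `additional_data_directories` entries carries a `file` key, so the create task errors on the first item; use `when: item.create | default(False) and not (item.file | default(False))`, or document the key in defaults/main.yml. The ACL tasks apply `recursive=yes` and `default=yes` with `rwX`, which propagates the group's write access to every existing and future file below each listed path — a comment stating that callers must not point this at trees holding private material would help. The `entity={{ service_group }}` value depends on a default that expands an undefined `sys_user`, so this block cannot run from the role's own defaults.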
@@ -0,0 +1,23 @@ +--- +- block: + - name: Create the service data dirs + file: name={{ item }} state=directory owner={{ service_user }} group={{ service_group }} mode=0750 + with_items: '{{ service_other_directories }}' + + - name: Set the read/write permissions on the service data dirs + acl: name={{ item }} entity={{ service_group }} etype=group permissions=rwX state=present recursive=yes + with_items: '{{ service_other_directories | default([]) }}' + + - name: Set the default read/write permissions on the service data dirs + acl: name={{ item }} entity={{ service_group }} etype=group permissions=rwX state=present default=yes recursive=yes + with_items: '{{ service_other_directories | default([]) }}' + + - name: Set the read permissions on the service log dirs + acl: name={{ item }} entity={{ service_group }} etype=group permissions=rX state=present recursive=yes + with_items: '{{ service_log_directories }}' + + - name: Set the default read permissions on the service log dirs + acl: name={{ item }} entity={{ service_group }} etype=group permissions=rX state=present default=yes recursive=yes + with_items: '{{ service_log_directories }}' + + tags: [ 'service', 'users' ] diff --git a/user_services_perms/tasks/sudo-config.yml b/user_services_perms/tasks/sudo-config.yml new file mode 100644 index 0000000..77c20c5 --- /dev/null +++ b/user_services_perms/tasks/sudo-config.yml @@ -0,0 +1,6 @@ +--- +- name: Install the sudoers config that allows users to execute some privileged commands + template: src=service-sudoers.j2 dest=/etc/sudoers.d/service-group owner=root group=root mode=0440 + when: service_sudo_commands is defined + tags: [ 'service', 'sudo', 'users' ] + diff --git a/user_services_perms/templates/service-sudoers.j2 b/user_services_perms/templates/service-sudoers.j2 new file mode 100644 index 0000000..b550ff8 --- /dev/null +++ b/user_services_perms/templates/service-sudoers.j2 
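Review bot: The first task iterates `'{{ service_other_directories }}'` without the `| default([])` the next two tasks use, and defaults/main.yml ships that variable commented out, so the block fails on its first task whenever it is not set; make it `with_items: '{{ service_other_directories | default([]) }}'`. The split between `rwX` on data dirs and `rX` on log dirs is sensible but undocumented; a one-line comment on the block stating that the group may write data and only read logs would save the next reader from guessing.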
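Review bot: The sudoers drop-in is installed with `template` and no `validate`, so a rendering error is written as-is and breaks every sudo invocation on the host; the template in this commit produces `NOPASSWD: ` with no command when `service_sudo_commands` is an empty list, which the `is defined` guard does not catch. Add `validate: '/usr/sbin/visudo -cf %s'` to the task and tighten the guard to `when: service_sudo_commands | default([]) | length > 0`. A `state=absent` counterpart for when the list is unset would also keep a host from retaining privileges that were removed from the inventory.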
@@ -0,0 +1,2 @@ +%{{ service_sudoers_group }} ALL=(ALL) NOPASSWD: {% for cmd in service_sudo_commands %}{{ cmd }}{% if not loop.last %}, {% endif %}{% endfor %} + From 14df9121a860f7315d6a59b3eec763c614adf359 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Thu, 14 Feb 2019 15:15:54 +0100 Subject: [PATCH 04/11] Manage motd on both deb/ubuntu and centos installations. --- motd/defaults/main.yml | 8 ++++++++ motd/tasks/deb_motd.yml | 17 +++++++++++++++++ motd/tasks/main.yml | 6 ++++++ motd/tasks/rh_motd.yml | 6 ++++++ motd/templates/motd.j2 | 2 ++ motd/templates/update_motd.j2 | 5 +++++ 6 files changed, 44 insertions(+) create mode 100644 motd/defaults/main.yml create mode 100644 motd/tasks/deb_motd.yml create mode 100644 motd/tasks/main.yml create mode 100644 motd/tasks/rh_motd.yml create mode 100644 motd/templates/motd.j2 create mode 100644 motd/templates/update_motd.j2 diff --git a/motd/defaults/main.yml b/motd/defaults/main.yml new file mode 100644 index 0000000..c04b27f --- /dev/null +++ b/motd/defaults/main.yml @@ -0,0 +1,8 @@ +--- +motd_setup: True + +motd_additional_text: "\nThis host runs services\n" + +deb_motd_packages: + - update-notifier-common + - landscape-common \ No newline at end of file diff --git a/motd/tasks/deb_motd.yml b/motd/tasks/deb_motd.yml new file mode 100644 index 0000000..72367a3 --- /dev/null +++ b/motd/tasks/deb_motd.yml 
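Review bot: Every command in `service_sudo_commands` is emitted without an argument restriction, so the rule permits each command with arbitrary arguments; for entries like the `/etc/init.d/...` example in defaults that is broader than usually intended, and the defaults comment should say that a command can be pinned to no arguments by appending `""` or to explicit argument sets. With an empty list the line renders as `%group ALL=(ALL) NOPASSWD: ` with nothing after the colon, which is a sudoers syntax error — see the validate note on sudo-config.yml. The trailing empty line is harmless, but a single newline after the rule is all that is needed.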
@@ -0,0 +1,17 @@ +--- +- block: + - name: Install the packages that manage the dynamic motd file on debian based distributions + apt: pkg={{ deb_motd_packages }} state=present update_cache=yes cache_valid_time=3600 + register: motd_pkgs + + - name: Install our motd template file on debian based distributions + template: src=motd.j2 dest=/etc/static-motd owner=root group=root mode=0644 + + - name: Install the dynamic merge script of the motd file on debian based distributions + template: src=update_motd.j2 dest=/etc/update-motd.d/05-motd-message owner=root group=root mode=0755 + + - name: Initialise the motd prompt on debian based distributions + command: run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic + when: motd_pkgs is changed + + tags: motd diff --git a/motd/tasks/main.yml b/motd/tasks/main.yml new file mode 100644 index 0000000..89caf1d --- /dev/null +++ b/motd/tasks/main.yml @@ -0,0 +1,6 @@ +--- +- import_tasks: deb_motd.yml + when: ansible_distribution_file_variety == "Debian" + +- import_tasks: rh_motd.yml + when: ansible_distribution_file_variety == "RedHat" diff --git a/motd/tasks/rh_motd.yml b/motd/tasks/rh_motd.yml new file mode 100644 index 0000000..ba773d8 --- /dev/null +++ b/motd/tasks/rh_motd.yml @@ -0,0 +1,6 @@ +- block: + - name: Install our motd template file on RH/CentOS based distributions + template: src=motd.j2 dest=/etc/motd owner=root group=root mode=0644 + + tags: motd + \ No newline at end of file diff --git a/motd/templates/motd.j2 b/motd/templates/motd.j2 new file mode 100644 index 0000000..b4fd8e8 --- /dev/null +++ b/motd/templates/motd.j2 @@ -0,0 +1,2 @@ + +{{ motd_additional_text }} diff --git a/motd/templates/update_motd.j2 b/motd/templates/update_motd.j2 new file mode 100644 index 0000000..95bff2d --- /dev/null +++ b/motd/templates/update_motd.j2 @@ -0,0 +1,5 @@ +#!/bin/sh + +cat /etc/static-motd + +exit 0 From 7220c2513f748c3585e950e9f54f5eb0db9b90db Mon Sep 17 00:00:00 2001 
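Review bot: `command: run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic` runs under the `command` module, which does not interpret shell redirection, so `>` and `/run/motd.dynamic` are passed to run-parts as extra arguments and nothing is written; this task needs `shell:` (and a `changed_when` since it is a one-off initialisation). `when: motd_pkgs is changed` regenerates the motd only on the run that installs the packages, so later edits to motd.j2 or the merge script are not reflected until the next login-triggered refresh; a handler notified by both template tasks would cover that. In rh_motd.yml (same commit) the document lacks the leading `---` and a final newline, and `motd_setup: True` from defaults/main.yml is never consulted by either branch.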
From: Andrea Dell'Amico Date: Thu, 14 Feb 2019 15:16:28 +0100 Subject: [PATCH 05/11] Add nginx and tomcat-multiple-instances as dependencies to the authorizazion_service role. --- gcube/authorization_service/meta/main.yml | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 gcube/authorization_service/meta/main.yml diff --git a/gcube/authorization_service/meta/main.yml b/gcube/authorization_service/meta/main.yml new file mode 100644 index 0000000..ca19ed7 --- /dev/null +++ b/gcube/authorization_service/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - ../../library/roles/tomcat-multiple-instances + - ../../library/roles/nginx From e6531ac42cda1bffed107545349e7e86c77aa5e5 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Thu, 14 Feb 2019 15:18:05 +0100 Subject: [PATCH 06/11] user_services_perms: remove more stuff, fix some tasks so that they do not overlap with the users role. --- user_services_perms/defaults/main.yml | 16 +++---------- .../tasks/common-users-data-dirs.yml | 13 +++++++++-- user_services_perms/tasks/main.yml | 4 +--- .../tasks/services-data-dirs.yml | 23 ------------------- .../{common-groups.yml => sudoers-groups.yml} | 7 +----- 5 files changed, 16 insertions(+), 47 deletions(-) delete mode 100644 user_services_perms/tasks/services-data-dirs.yml rename user_services_perms/tasks/{common-groups.yml => sudoers-groups.yml} (71%) diff --git a/user_services_perms/defaults/main.yml b/user_services_perms/defaults/main.yml index 46373b9..8926572 100644 --- a/user_services_perms/defaults/main.yml +++ b/user_services_perms/defaults/main.yml 
@@ -1,21 +1,11 @@ --- -service_custom_installation: False -service_user: sys_admin -service_group: '{{ sys_user }}' service_sudoers_group: adminsu -service_data_directory: /var/lib/foo -#service_other_directories: -# - /var/lib/bar - -service_log_directories: - - /var/log/foo - - /var/log/foo/search - +common_users_group: service_g # Define the following if you want some directories readable and writable by the common group but outside the default app data dirs #additional_data_directories: -# - { name: '/data/1', perms: 0755, create: True, owner: 'root', group: '{{ sys_group }}', aclperms: 'rwX' } -# - { name: '/data/2', create: False, perms: 0755, owner: 'root', group: '{{ sys_group }}', aclperms: 'rwX' } +# - { name: '/data/1', perms: 0755, create: True, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' } +# - { name: '/data/2', create: False, perms: 0755, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' } # - { name: '/data/bah', create: False, perms: 0644, aclperms: 'rw' } # Define the following array when you want to add commands to the sudoers file diff --git a/user_services_perms/tasks/common-users-data-dirs.yml b/user_services_perms/tasks/common-users-data-dirs.yml index 8ae7b1b..3a40bcd 100644 --- a/user_services_perms/tasks/common-users-data-dirs.yml +++ b/user_services_perms/tasks/common-users-data-dirs.yml 
@@ -1,16 +1,25 @@ --- - block: + - name: Create the common group used to setup acls + group: name={{ common_users_group }} state=present system=yes + when: additional_data_directories is defined + + - name: Add selected users to the commong group + user: name={{ item.login }} groups={{ common_users_group }} append=yes + with_items: '{{ users_system_users | default([]) }}' + when: additional_data_directories is defined + - name: Create the users additional data dirs file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }} with_items: '{{ additional_data_directories | default([]) }}' when: item.create and not item.file - name: Set the read/write/access permissions on the users additional data dirs - acl: name={{ item.name }} entity={{ service_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present recursive=yes + acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present recursive=yes with_items: '{{ additional_data_directories | default([]) }}' - name: Set the default read/write/access permissions on the users additional data dirs - acl: name={{ item.name }} entity={{ service_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present default=yes recursive=yes + acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present default=yes recursive=yes with_items: '{{ additional_data_directories | default([]) }}' tags: [ 'users', 'users_acl' ] diff --git a/user_services_perms/tasks/main.yml b/user_services_perms/tasks/main.yml index 2487c89..be1cc6f 100644 --- a/user_services_perms/tasks/main.yml +++ b/user_services_perms/tasks/main.yml 
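Review bot: `Add selected users to the commong group` adds every entry of `users_system_users` to `common_users_group` with no per-user selector, so the rwX ACLs set further down in this file are granted to all managed users rather than a selected subset; if that is intended, rename the task (and fix the `commong` typo), otherwise gate it with a key such as `when: item.common_group_user | default(False)`. The `when: additional_data_directories is defined` on the two new tasks duplicates the condition already placed on the `import_tasks` line in main.yml, so one of the two can go. The group is created with `system=yes`, which is fine, but a short comment that it exists only to carry ACLs would explain why no user is given it as a primary group.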
@@ -1,7 +1,5 @@ --- -- import_tasks: common-groups.yml +- import_tasks: sudoers-groups.yml - import_tasks: sudo-config.yml -- import_tasks: services-data-dirs.yml - when: service_custom_installation - import_tasks: common-users-data-dirs.yml when: additional_data_directories is defined diff --git a/user_services_perms/tasks/services-data-dirs.yml b/user_services_perms/tasks/services-data-dirs.yml deleted file mode 100644 index 443e0fb..0000000 --- a/user_services_perms/tasks/services-data-dirs.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -- block: - - name: Create the service data dirs - file: name={{ item }} state=directory owner={{ service_user }} group={{ service_group }} mode=0750 - with_items: '{{ service_other_directories }}' - - - name: Set the read/write permissions on the service data dirs - acl: name={{ item }} entity={{ service_group }} etype=group permissions=rwX state=present recursive=yes - with_items: '{{ service_other_directories | default([]) }}' - - - name: Set the default read/write permissions on the service data dirs - acl: name={{ item }} entity={{ service_group }} etype=group permissions=rwX state=present default=yes recursive=yes - with_items: '{{ service_other_directories | default([]) }}' - - - name: Set the read permissions on the service log dirs - acl: name={{ item }} entity={{ service_group }} etype=group permissions=rX state=present recursive=yes - with_items: '{{ service_log_directories }}' - - - name: Set the default read permissions on the service log dirs - acl: name={{ item }} entity={{ service_group }} etype=group permissions=rX state=present default=yes recursive=yes - with_items: '{{ service_log_directories }}' - - tags: [ 'service', 'users' ] diff --git a/user_services_perms/tasks/common-groups.yml b/user_services_perms/tasks/sudoers-groups.yml similarity index 71% rename from user_services_perms/tasks/common-groups.yml rename to user_services_perms/tasks/sudoers-groups.yml index 54ae849..bcacc8a 100644 
--- a/user_services_perms/tasks/common-groups.yml +++ b/user_services_perms/tasks/sudoers-groups.yml @@ -1,12 +1,8 @@ --- - block: - - name: Create the service user, if it is not used to run the tomcat instances - user: name={{ service_user }} home={{ service_data_directory }} createhome=no shell=/usr/sbin/nologin - - name: Add the additional service groups group: name={{ item }} state=present with_items: - - '{{ service_group }}' - '{{ service_sudoers_group }}' - name: Add selected users to the limited sudoers group @@ -15,9 +11,8 @@ when: item.limited_sudoers_user - name: Remove selected users to the limited sudoers group - user: name={{ item.login }} groups={{ service_sudoers_group }} + user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes with_items: '{{ users_system_users | default([]) }}' when: not item.limited_sudoers_user - when: service_custom_installation tags: [ 'services', 'users' ] From 9cc7c3f2ac81486266a674cbf8c12deedf106f6e Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Thu, 14 Feb 2019 15:18:21 +0100 Subject: [PATCH 07/11] users: append the additional groups. --- users/tasks/main.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/users/tasks/main.yml b/users/tasks/main.yml index 9cf9739..6622e6e 100644 --- a/users/tasks/main.yml +++ b/users/tasks/main.yml @@ -29,6 +29,15 @@ - item.admin - ansible_distribution_file_variety == "Debian" + - name: Permit sudo without password + lineinfile: + path: /etc/sudoers + state: present + regexp: '^%{{ deb_users_sudoers_group }}\s' + line: '%{{ deb_users_sudoers_group }} ALL=(ALL) NOPASSWD: ALL' + when: ansible_distribution_file_variety == "Debian" + tags: [ 'users', 'sudo_wheel' ] + - name: Add the admin users to the sudoers group on rh/centos systems user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes with_items: '{{ users_system_users | default([]) }}' From 6230a82b0fa71048d74f522b9d450b4c4a31d870 Mon Sep 17 00:00:00 2001 
From: Andrea Dell'Amico Date: Thu, 14 Feb 2019 15:20:01 +0100 Subject: [PATCH 08/11] smartgears: list the directories and variables that must be readable by regular users. --- smartgears/smartgears/vars/main.yml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 smartgears/smartgears/vars/main.yml diff --git a/smartgears/smartgears/vars/main.yml b/smartgears/smartgears/vars/main.yml new file mode 100644 index 0000000..05867ab --- /dev/null +++ b/smartgears/smartgears/vars/main.yml @@ -0,0 +1,7 @@ +--- +additional_data_directories: + - { name: '{{ d4science_user_home }}', perms: 0755, create: False, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rX' } + - { name: '{{ d4science_user_home }}/tomcat/lib/logback.xml', perms: 0644, create: False, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' } + - { name: '/etc/default/tomcat-instance-{{ smartgears_http_port }}', perms: 0644, create: False, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rX' } + - { name: '/etc/default/tomcat-instance-{{ smartgears_http_port }}.local', perms: 0644, create: False, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rX' } + - { name: '/var/log', create: False, perms: 0755, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rX' } From bad57613669e1f02995fc86e3e28c421aa26fd6e Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Thu, 14 Feb 2019 15:20:25 +0100 Subject: [PATCH 09/11] Manage the users limits in a single place. --- ubuntu-deb-general/tasks/manage_su_limits.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/ubuntu-deb-general/tasks/manage_su_limits.yml b/ubuntu-deb-general/tasks/manage_su_limits.yml index 73652c2..3d9ce48 100644 --- a/ubuntu-deb-general/tasks/manage_su_limits.yml +++ b/ubuntu-deb-general/tasks/manage_su_limits.yml 
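Review bot: The last entry grants `common_users_group` a recursive `rX` ACL (and a default ACL) on the whole of `/var/log`, so every member of that group can read every log on the host, including ones that are root-only by default; narrow it to the tomcat instance's own log directory. The `logback.xml` entry is `rwX`, which lets every group member rewrite the logging configuration of a service running under `d4science_user`; `rX` is sufficient if they only need to read it. Defining `additional_data_directories` in `vars/main.yml` gives it higher precedence than inventory and playbook variables, so operators cannot override or extend the list; `defaults/main.yml` is the usual home for a list like this.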
@@ -3,8 +3,13 @@ lineinfile: dest=/etc/pam.d/su line="session required pam_limits.so" insertafter="^#\ \(Replaces\ the\ use\ of\ /etc/limits.*$" tags: [ 'su', 'pam_limits'] -- name: Change the default security limits - pam_limits: domain={{ item.domain }} limit_type={{ item.type }} limit_item={{ item.l_item }} value={{ item.value }} - with_items: '{{ default_security_limits }}' +- name: Change the root user security limits + pam_limits: domain=root limit_type={{ item.type }} limit_item={{ item.l_item }} value={{ item.value }} + with_items: '{{ root_security_limits }}' + tags: [ 'su', 'pam_limits'] + +- name: Change other users security limits + pam_limits: domain={{ item.domain }} limit_type={{ item.type }} limit_item={{ item.l_item }} value={{ item.value }} + with_items: '{{ users_security_limits }}' tags: [ 'su', 'pam_limits'] From febb0e55b8ab5ed468cc3b1774b596c6e7da613f Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Thu, 14 Feb 2019 15:20:56 +0100 Subject: [PATCH 10/11] Add the motd role to the bootstrap roles as dependency. --- ubuntu-deb-general/defaults/main.yml | 6 +++++- ubuntu-deb-general/meta/main.yml | 1 + 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ubuntu-deb-general/defaults/main.yml b/ubuntu-deb-general/defaults/main.yml index a0c6abe..a5659ad 100644 --- a/ubuntu-deb-general/defaults/main.yml +++ b/ubuntu-deb-general/defaults/main.yml 
@@ -132,10 +132,14 @@ additional_ca_dest_dir: /usr/local/share/ca-certificates # - { file: "local-ca.crt", dest_file: '{{ additional_ca_dest_dir }}/infn-ca.crt' } # -default_security_limits: +root_security_limits: - { domain: 'root', l_item: 'nofile', type: 'soft', value: '8192' } - { domain: 'root', l_item: 'nofile', type: 'hard', value: '8192' } +users_security_limits: [] + +default_security_limits: '{{ root_security_limits }}' + # default_rsyslog_custom_rules: # - ':msg, contains, "icmp6_send: no reply to icmp error" ~' # - ':msg, contains, "[PYTHON] Can\'t call the metric handler function for" ~' diff --git a/ubuntu-deb-general/meta/main.yml b/ubuntu-deb-general/meta/main.yml index efc43e1..8bde601 100644 --- a/ubuntu-deb-general/meta/main.yml +++ b/ubuntu-deb-general/meta/main.yml @@ -5,6 +5,7 @@ dependencies: - role: '../../library/roles/deb-set-hostname' - role: '../../library/roles/deb-set-locale' - role: '../../library/roles/timezone' + - role: '../../library/roles/motd' - role: '../../library/roles/linux-kernel-sysctl' - role: '../../library/roles/sshd_config' - role: '../../library/roles/fail2ban' From 5500ed9afdade8d15a4a343fb49c4d580e0e96e9 Mon Sep 17 00:00:00 2001 From: Roberto Date: Thu, 14 Feb 2019 16:00:47 +0100 Subject: [PATCH 11/11] managed web.xml inside uri-resolver webapp --- smartgears/uri_resolver/tasks/main.yml | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/smartgears/uri_resolver/tasks/main.yml b/smartgears/uri_resolver/tasks/main.yml index 5f56e54..8242123 100644 --- a/smartgears/uri_resolver/tasks/main.yml +++ b/smartgears/uri_resolver/tasks/main.yml 
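Review bot: `default_security_limits: '{{ root_security_limits }}'` is retained, but the task in manage_su_limits.yml (PATCH 09) no longer reads it, so it is dead unless some other role consumes it; either drop it or annotate it with `# deprecated alias kept for external consumers; the role itself uses root_security_limits / users_security_limits`. Each `root_security_limits` item still carries `domain: 'root'` although the task now hard-codes `domain=root`, which is harmless but misleading.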
@@ -21,10 +21,24 @@ file: path={{ smartgears_instance_path }}/webapps/{{ uri_resolver_name }} state=absent notify: Restart smartgears when: uri_resolver_download is changed - - - name: Copy the uri-resolver war file into the webapps directory - copy: src={{ smartgears_downloads_dir }}/{{ uri_resolver_file }} dest={{ smartgears_instance_path }}/webapps/{{ uri_resolver_name }}.{{ uri_resolver_extension }} remote_src=yes force=yes - notify: Restart smartgears + + - name: Create the uri-resolver webapp directory + file: dest={{ smartgears_instance_path }}/webapps/{{ uri_resolver_name }} state=directory + when: uri_resolver_download + + - name: Unarchive the uri_resolver war file + unarchive: copy=no src={{ smartgears_downloads_dir }}/{{ uri_resolver_file }} dest={{ smartgears_instance_path }}/webapps/{{ uri_resolver_name }} + args: + creates: '{{ smartgears_instance_path }}/webapps/{{ uri_resolver_name }}/WEB-INF/web.xml' + notify: Restart smartgears + + - name: Install the uri_resolver web.xml template + template: src=uri-resolver-web.xml.j2 dest={{ smartgears_instance_path }}/webapps/{{ uri_resolver_name }}/WEB-INF/web.xml mode=0440 + notify: Restart smartgears + +# - name: Copy the uri-resolver war file into the webapps directory +# copy: src={{ smartgears_downloads_dir }}/{{ uri_resolver_file }} dest={{ smartgears_instance_path }}/webapps/{{ uri_resolver_name }}.{{ uri_resolver_extension }} remote_src=yes force=yes +# notify: Restart smartgears become: True become_user: '{{ d4science_user }}'
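Review bot: `when: uri_resolver_download` on the new `Create the uri-resolver webapp directory` task tests a registered result dictionary, which is always truthy, so the condition never filters anything; either drop it (unarchive needs the directory regardless) or use `when: uri_resolver_download is changed` as the preceding task does. The commented-out copy task shows earlier runs placed `{{ uri_resolver_name }}.{{ uri_resolver_extension }}` in webapps/, and nothing in this hunk removes it; if that war is still present, Tomcat's auto-deploy may re-explode it over the directory and overwrite the templated web.xml on restart, so add a `file: ... state=absent` task for the old war. `creates:` keys on `WEB-INF/web.xml`, which the following template task always writes, so a partially extracted tree would presumably never be re-extracted; a marker the template does not touch would be safer. The surrounding block (`become: True` / `become_user`) starts outside the hunk.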