ISTI-ansible-roles
/
ansible-roles
4
0
Fork 3
Code Issues Pull Requests Releases Wiki Activity

Add the CentOS roles. Losing history.

This commit is contained in:
Andrea Dell'Amico 2019-05-15 01:22:27 +02:00
parent 4870ab4789
commit 4cb34462d9
185 changed files with 6373 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
library/centos/playbooks/centos-update/main.yml Normal file
View File

@ -0,0 +1,38 @@
# This playbook updates hosts without guests.
#
# requires -e "target=somehostname" -e "yumcommand=update"
- name: update the system
hosts: "{{ target }}"
gather_facts: false
remote_user: root
tasks:
# - name: expire-caches
# command: yum clean expire-cache
# - name: yum -y {{ yumcommand }}
# command: yum -y {{ yumcommand }}
# async: 7200
# poll: 30
- name: Update all the packages
yum: name=* state=latest update_cache=yes
async: 7200
poll: 30
- name: run rkhunter if installed
hosts: "{{ target }}"
remote_user: root
tasks:
- name: check for rkhunter
command: /usr/bin/test -f /usr/bin/rkhunter
register: rkhunter
ignore_errors: true
- name: run rkhunter --propupd
command: /usr/bin/rkhunter --propupd
when: rkhunter|success

77
library/centos/roles/basic-setup/defaults/main.yml Normal file
View File

@ -0,0 +1,77 @@
---
centos_pkg_state: latest
timezone: "Europe/Rome"
#hostname: '{{ ansible_fqdn }}'
hostname: '{{ inventory_hostname }}'
centos_set_dns_servers: False
dns1: 208.67.220.220
dns2: 208.67.222.222
configure_domain_name_in_interface: False
centos_packages_to_install:
- dstat
- lsof
- strace
- traceroute
- bind-utils
- yum-cron
- yum-plugin-fastestmirror
- whois
- iotop
- policycoreutils-python
- firewalld
- ipset
- ntp
- psmisc
- tcpdump
- tuned
- bash-completion
- rsync
- bzip2
- wget
- curl
- unzip
centos_packages_from_epel:
- htop
- lbzip2
centos_ntpd_enabled: True
centos_packages_cleanup: True
centos_remove_avahi: True
centos_remove_networkmanager: False
centos_disable_avahi: True
centos_disable_networkmanager: False
centos_packages_to_remove:
- ppp
- wpa_supplicant
centos_nm_packages:
- NetworkManager-tui
- ModemManager-glib
- NetworkManager-glib
- NetworkManager
centos_avahi_packages:
- avahi
- avahi-libs
- avahi-autoipd
centos_services_to_be_disabled:
- acpid
centos_enable_locate: False
centos_locate_package:
- mlocate
centos_hw_packages:
- smartmontools
- system-storage-manager
centos_selinux_daemons_dump_core: False
manage_root_ssh_keys: True

578
library/centos/roles/basic-setup/files/qemu_ag_provisioning-sepol.te Normal file
View File

@ -0,0 +1,578 @@
module qemu_ag_provisioning-sepol 1.0;
require {
type etc_t;
type systemd_timedated_t;
type virt_qemu_ga_t;
type proc_net_t;
class lnk_file unlink;
class file read;
}
#============= systemd_timedated_t ==============
# audit(1547125065.450:3522):
# scontext="system_u:system_r:systemd_timedated_t:s0" tcontext="system_u:object_r:etc_t:s0"
# class="lnk_file" perms="unlink"
# comm="systemd-timedat" exe="" path=""
# message="type=AVC msg=audit(1547125065.450:3522): avc: denied { unlink } for
# pid=1597 comm="systemd-timedat" name="localtime" dev="vda1" ino=75
# scontext=system_u:system_r:systemd_timedated_t:s0
# tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file"
# audit(1547125812.510:3650):
# scontext="system_u:system_r:systemd_timedated_t:s0" tcontext="system_u:object_r:etc_t:s0"
# class="lnk_file" perms="unlink"
# comm="systemd-timedat" exe="" path=""
# message="type=AVC msg=audit(1547125812.510:3650): avc: denied { unlink } for
# pid=1653 comm="systemd-timedat" name="localtime" dev="vda1" ino=75
# scontext=system_u:system_r:systemd_timedated_t:s0
# tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file"
#!!!! WARNING: 'etc_t' is a base type.
allow systemd_timedated_t etc_t:lnk_file unlink;
#============= virt_qemu_ga_t ==============
# audit(1547125125.358:3533):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125125.358:3533): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125125.359:3534):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125125.359:3534): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125125.359:3535):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125125.359:3535): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125125.360:3536):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125125.360:3536): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125245.358:3545):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125245.358:3545): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125245.358:3546):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125245.358:3546): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125245.358:3547):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125245.358:3547): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125245.358:3544):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125245.358:3544): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125365.360:3555):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125365.360:3555): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125365.360:3556):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125365.360:3556): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125365.360:3557):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125365.360:3557): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125365.360:3558):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125365.360:3558): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125485.357:3631):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125485.357:3631): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125485.357:3632):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125485.357:3632): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125485.357:3633):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125485.357:3633): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125485.357:3634):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125485.357:3634): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125605.358:3642):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125605.358:3642): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125605.358:3643):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125605.358:3643): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125605.358:3644):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125605.358:3644): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125605.358:3641):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125605.358:3641): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125725.357:3646):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125725.357:3646): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125725.357:3647):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125725.357:3647): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125725.357:3648):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125725.357:3648): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125725.357:3645):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125725.357:3645): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125845.367:3652):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125845.367:3652): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125845.367:3653):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125845.367:3653): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125845.367:3654):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125845.367:3654): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125845.367:3655):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125845.367:3655): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125965.355:3657):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125965.355:3657): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125965.355:3658):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125965.355:3658): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125965.355:3659):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125965.355:3659): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547125965.355:3656):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547125965.355:3656): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126085.356:3661):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126085.356:3661): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126085.356:3662):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126085.356:3662): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126085.356:3663):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126085.356:3663): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126085.356:3660):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126085.356:3660): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126205.364:3665):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126205.364:3665): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126205.364:3666):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126205.364:3666): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126205.364:3667):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126205.364:3667): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126205.363:3664):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126205.363:3664): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126325.362:3669):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126325.362:3669): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126325.362:3670):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126325.362:3670): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126325.362:3671):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126325.362:3671): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126325.362:3668):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126325.362:3668): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126445.360:3673):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126445.360:3673): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126445.360:3674):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126445.360:3674): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126445.360:3675):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126445.360:3675): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126445.360:3672):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126445.360:3672): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126565.360:3677):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126565.360:3677): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126565.360:3678):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126565.360:3678): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126565.360:3679):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126565.360:3679): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126565.360:3676):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126565.360:3676): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126685.355:3681):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126685.355:3681): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126685.355:3682):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126685.355:3682): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126685.355:3683):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126685.355:3683): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126685.355:3680):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126685.355:3680): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126805.355:3685):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126805.355:3685): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126805.355:3686):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126805.355:3686): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126805.355:3687):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126805.355:3687): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126805.355:3684):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126805.355:3684): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126925.359:3689):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126925.359:3689): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126925.359:3690):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126925.359:3690): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126925.359:3691):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126925.359:3691): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547126925.359:3688):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547126925.359:3688): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547127045.360:3693):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547127045.360:3693): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547127045.360:3694):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547127045.360:3694): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547127045.360:3695):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547127045.360:3695): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
# audit(1547127045.360:3692):
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
# class="file" perms="read"
# comm="qemu-ga" exe="" path=""
# message="type=AVC msg=audit(1547127045.360:3692): avc: denied { read } for
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
# scontext=system_u:system_r:virt_qemu_ga_t:s0
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
allow virt_qemu_ga_t proc_net_t:file read;

12
library/centos/roles/basic-setup/files/systemd-enable.te Normal file
View File

@ -0,0 +1,12 @@
module systemd-enable-sepol 1.0;
require {
type unconfined_t;
type init_t;
class service enable;
}
#============= unconfined_t ==============
allow unconfined_t init_t:service enable;

135
library/centos/roles/basic-setup/tasks/main.yml Normal file
View File

@ -0,0 +1,135 @@
---
- name: Install the basic packages
yum: name={{ centos_packages_to_install }} state={{ centos_pkg_state }}
tags: [ 'centos', 'bootstrap', 'packages' ]
- name: Install the basic packages from the EPEL repository
yum: name={{ centos_packages_from_epel }} state={{ centos_pkg_state }}
when: centos_install_epel
tags: [ 'centos', 'bootstrap', 'packages' ]
- name: Install the packages we want on a non virtualized host
yum: name={{ centos_hw_packages | default([]) }} state={{ centos_pkg_state }}
when: ansible_virtualization_role is defined and ansible_virtualization_role == 'host'
tags: [ 'centos', 'bootstrap', 'packages' ]
- name: Install the selinux policy file to fix a timedatectl problem and various qemu-ga ones
copy: src=qemu_ag_provisioning-sepol.te dest=/usr/local/etc/qemu_ag_provisioning-sepol.te
register: qemu_ga_selinux_policy
tags: [ 'centos', 'rhel', 'selinux' ]
- name: Activate the selinux policy for qemu
shell: checkmodule -M -m -o /usr/local/etc/qemu_ag_provisioning-sepol.mod /usr/local/etc/qemu_ag_provisioning-sepol.te ; semodule_package -o /usr/local/etc/qemu_ag_provisioning-sepol.pp -m /usr/local/etc/qemu_ag_provisioning-sepol.mod ; semodule -i /usr/local/etc/qemu_ag_provisioning-sepol.pp
args:
creates: /usr/local/etc/qemu_ag_provisioning-sepol.pp
when: qemu_ga_selinux_policy is changed
tags: [ 'centos', 'rhel', 'selinux' ]
- name: Install the selinux policy file to fix a systemd policy glitch
copy: src=systemd-enable.te dest=/usr/local/etc/systemd-enable-sepol.te
register: systemd_selinux_policy
tags: [ 'centos', 'rhel', 'selinux' ]
- name: Activate the selinux policy for systemd
shell: checkmodule -M -m -o /usr/local/etc/systemd-enable-sepol.mod /usr/local/etc/systemd-enable-sepol.te ; semodule_package -o /usr/local/etc/systemd-enable-sepol.pp -m /usr/local/etc/systemd-enable-sepol.mod ; semodule -i /usr/local/etc/systemd-enable-sepol.pp
args:
creates: /usr/local/etc/systemd-enable-sepol.pp
when: systemd_selinux_policy is changed
tags: [ 'centos', 'rhel', 'selinux' ]
- name: Activate smartmontools on a non virtualized host
service: name=smartd state=started enabled=yes
when: ansible_virtualization_role is defined and ansible_virtualization_role == 'host'
tags: [ 'centos', 'bootstrap', 'packages' ]
- name: Install the locate utility if needed
yum: name={{ centos_locate_package }} state={{ centos_pkg_state }}
when: centos_enable_locate
tags: [ 'centos', 'bootstrap', 'packages' ]
- name: Set the timezone
command: timedatectl set-timezone {{ timezone }}
tags: [ 'centos', 'bootstrap' ]
- name: Set the hostname
hostname: name={{ hostname }}
when: hostname is defined
tags: [ 'centos', 'bootstrap' ]
- name: Configure the main interface to set the correct resolvers. dns1
lineinfile: name=/etc/sysconfig/network-scripts/ifcfg-eth0 regexp="^DNS1=" line="DNS1={{ dns1 }}"
when: centos_set_dns_servers
tags: [ 'centos', 'bootstrap' ]
- name: Configure the main interface to set the correct resolvers. dns2
lineinfile: name=/etc/sysconfig/network-scripts/ifcfg-eth0 regexp="^DNS2=" line="DNS2={{ dns2 }}"
when: centos_set_dns_servers
tags: [ 'centos', 'bootstrap' ]
- name: Configure the main interface to set the correct resolvers. search domain
lineinfile: name=/etc/sysconfig/network-scripts/ifcfg-eth0 regexp="^DOMAIN=" line="DOMAIN={{ domain_name }}"
when: configure_domain_name_in_interface
tags: [ 'centos', 'bootstrap' ]
- name: Ensure that the ntpd service is enabled and running
service: name=ntpd state=started enabled=yes
when: centos_ntpd_enabled
tags: [ 'centos', 'bootstrap', 'ntp' ]
- name: Ensure that the ntpd service is stopped and disabled
service: name=ntpd state=stopped enabled=no
when: not centos_ntpd_enabled
tags: [ 'centos', 'bootstrap', 'ntp' ]
- name: Stop avahi before removing it when it is not needed
service: name=avahi-daemon state=stopped enabled=no
when: centos_remove_avahi or centos_disable_avahi
ignore_errors: True
tags: [ 'centos', 'bootstrap', 'avahi' ]
- name: Stop and disable NetworkManager when we do not need it or we are going to remove it
service: name=NetworkManager state=stopped enabled=no
when: centos_remove_networkmanager or centos_disable_networkmanager
ignore_errors: True
tags: [ 'centos', 'bootstrap', 'networkmanager' ]
- name: Remove some unneeded packages
yum: name={{ centos_packages_to_remove | default ([]) }} state=absent
when: centos_packages_cleanup
tags: [ 'centos', 'bootstrap', 'packages' ]
- name: Remove the Avahi packages
yum: name={{ centos_avahi_packages | default ([]) }} state=absent
when: centos_remove_avahi
tags: [ 'centos', 'bootstrap', 'packages' ]
- name: Remove the NetworkManager packages
yum: name={{ centos_nm_packages | default ([]) }} state=absent
when: centos_remove_networkmanager
tags: [ 'centos', 'bootstrap', 'packages' ]
- name: Disable some unneeded services
service: name= state=stopped enabled=no
with_items: '{{ centos_services_to_be_disabled }}'
when: centos_services_to_be_disabled is defined
ignore_errors: True
tags: [ 'centos', 'bootstrap', 'daemons' ]
- name: Configure selinux to permit core dumps by daemons
seboolean: name=daemons_dump_core state=yes persistent=yes
when: centos_selinux_daemons_dump_core
tags: [ 'centos', 'bootstrap', 'selinux' ]
- name: various pub ssh keys for users and apps
authorized_key: user=root key="{{ item }}" state=present
with_items: '{{ root_ssh_keys | default([]) }}'
when: manage_root_ssh_keys
tags: root_pubkeys
- name: Remove obsolete keys from the authorized ones
authorized_key: user=root key="{{ item }}" state=absent
with_items: '{{ obsolete_root_ssh_keys | default([]) }}'
when: obsolete_root_ssh_keys is defined
tags: root_pubkeys

19
library/centos/roles/bind-nameserver/defaults/main.yml Normal file
View File

@ -0,0 +1,19 @@
---
bind_pkg_state: present
bind_use_chroot: True
bind_chroot_base: /var/named/chroot
bind_service_enabled: True
#bind_config_path: '{{ bind_chroot_base }}/etc'
bind_config_path: '/etc'
bind_user: named
bind_group: named
bind_packages:
- bind
- bind-license
- bind-utils
bind_chroot_packages:
- bind-chroot
- bind-license
- bind-utils

8
library/centos/roles/bind-nameserver/handlers/main.yml Normal file
View File

@ -0,0 +1,8 @@
---
- name: dns server reload
service: name=named state=reloaded
when: not bind_use_chroot
- name: dns server reload
service: name=named-chroot state=reloaded
when: bind_use_chroot

36
library/centos/roles/bind-nameserver/tasks/main.yml Normal file
View File

@ -0,0 +1,36 @@
---
- block:
- name: Install the bind packages to setup a dns server
yum: name={{ bind_packages }} state={{ bind_pkg_state }}
- name: Start and enable the bind service
service: name=named state=started enabled=yes
when: bind_service_enabled
- name: Stop and disable the chroot bind service
service: name=named-chroot state=stopped enabled=no
- name: Stop and disable the bind service
service: name=named state=stopped enabled=no
when: not bind_service_enabled
when: not bind_use_chroot
tags: [ 'bind', 'nameserver' ]
- block:
- name: Install the bind packages to setup a dns server in a chroot environment
yum: name={{ bind_chroot_packages }} state={{ bind_pkg_state }}
- name: Start and enable the chroot bind service
service: name=named-chroot state=started enabled=yes
when: bind_service_enabled
- name: Stop and disable the bind service
service: name=named state=stopped enabled=no
- name: Stop and disable the chroot bind service
service: name=named-chroot state=stopped enabled=no
when: not bind_service_enabled
when: bind_use_chroot
tags: [ 'bind', 'nameserver' ]

7
library/centos/roles/centos-bootstrap/meta/main.yml Normal file
View File

@ -0,0 +1,7 @@
---
dependencies:
- role: '../../library/centos/roles/external-repos'
- role: '../../library/centos/roles/basic-setup'
- role: '../../library/roles/motd'
- role: '../../library/roles/linux-kernel-sysctl'
- role: '../../library/centos/roles/tuned-setup'

12
library/centos/roles/docker/files/docker-tcp-override.conf Normal file
View File

@ -0,0 +1,12 @@
[Service]
ExecStart=
ExecStart=/usr/bin/docker-current daemon \
--exec-opt native.cgroupdriver=systemd \
-H tcp://0.0.0.0:2375 \
-H unix:///var/run/docker.sock \
$OPTIONS \
$DOCKER_STORAGE_OPTIONS \
$DOCKER_NETWORK_OPTIONS \
$ADD_REGISTRY \
$BLOCK_REGISTRY \
$INSECURE_REGISTRY

10
library/centos/roles/docker/files/docker-tcp.socket Normal file
View File

@ -0,0 +1,10 @@
[Unit]
Description=Docker Socket for the API
[Socket]
ListenStream=127.0.0.1:2375
BindIPv6Only=both
Service=docker.service
[Install]
WantedBy=sockets.target

45
library/centos/roles/docker/tasks/centos7.yml Normal file
View File

@ -0,0 +1,45 @@
---
### installs pip and docker-py to enable using ansible's docker module
- name: Install python setup tools
yum: name=python-setuptools state=latest
when: (ansible_distribution == "CentOS" or ansible_distribution == "RedHat") and ansible_distribution_version == "7"
tags: docker
- name: Install Pypi
easy_install: name=pip
when: (ansible_distribution == "CentOS" or ansible_distribution == "RedHat") and ansible_distribution_version == "7"
tags: docker
- name: Install docker-py
pip: name=docker-py
when: (ansible_distribution == "CentOS" or ansible_distribution == "RedHat") and ansible_distribution_version == "7"
- name: Install Docker
yum: name=docker state=latest
when: (ansible_distribution == "CentOS" or ansible_distribution == "RedHat") and ansible_distribution_version == "7"
tags: docker
- name: Create a dir to place the service file override "docker-tcp-override.conf"
file: path=/etc/systemd/system/docker.service.d/ state=directory owner=root group=root selevel=s0 seuser=system_u serole=object_r setype=systemd_unit_file_t mode=0755
when: (ansible_distribution == "CentOS" or ansible_distribution == "RedHat") and ansible_distribution_version == "7"
- name: Create a systemd service overrride "docker-tcp-override.conf" to force Docker to actually listen to tcp 127.0.0.1:2375 along the unix socket (required for shinyproxy)
copy: src=docker-tcp-override.conf dest=/etc/systemd/system/docker.service.d/ owner=root group=root selevel=s0 seuser=system_u serole=object_r setype=systemd_unit_file_t mode=0755
when: (ansible_distribution == "CentOS" or ansible_distribution == "RedHat") and ansible_distribution_version == "7"
#### The other way around enabling docker's tcp socket in systemd based distros... Didn't work for me.
#- name: Create a systemd socketfile "docker-tcp.socket" to have Docker listen to tcp port 2375 (required for shinyproxy)
# copy: src=docker-tcp.socket dest=/etc/systemd/system/ owner=root group=root selevel=s0 seuser=system_u serole=object_r setype=systemd_unit_file_t mode=0755
#- name: Make sure Docker is *not* running before starting the socket service, otherwise things *won't* work
# service: name=docker state=stopped enabled=yes
# #when: "changed not in socketfile_changed.src"
#- name: Make sure docker-tcp.socket is enabled and running
# systemd: name=docker-tcp.socket state=restarted enabled=yes daemon_reload=yes
####
#
- name: Force a docker service (re)start since we don't know whether the service file override has been updated/deployed for the first time (can't register file changes from copy module???)
systemd: name=docker state=restarted enabled=yes daemon_reload=yes
when: (ansible_distribution == "CentOS" or ansible_distribution == "RedHat") and ansible_distribution_version == "7"
# service: name=docker state=started enabled=yes

2
library/centos/roles/docker/tasks/main.yml Normal file
View File

@ -0,0 +1,2 @@
- import_tasks: centos7.yml
- import_tasks: ubuntu1404.yml

34
library/centos/roles/docker/tasks/ubuntu1404.yml Normal file
View File

@ -0,0 +1,34 @@
---
### installs pip and docker-py to enable using ansible's docker module
- name: Install python setup tools
apt: name=python-setuptools state=latest
when: (ansible_distribution == "Ubuntu" and ansible_distribution_version == "14.04")
tags: docker
- name: Install Pypi
easy_install: name=pip
when: (ansible_distribution == "Ubuntu" and ansible_distribution_version == "14.04")
tags: docker
- name: Install docker-py
when: (ansible_distribution == "Ubuntu" and ansible_distribution_version == "14.04")
pip: name=docker-py
- name: Install Docker
apt: name=docker state=latest
when: (ansible_distribution == "Ubuntu" and ansible_distribution_version == "14.04")
tags: docker
- name: Install Docker
apt: name=docker.io state=latest
when: (ansible_distribution == "Ubuntu" and ansible_distribution_version == "14.04")
tags: docker
- name: override DOCKER_OPTS to ensure that the demon listens to a tcp port
lineinfile: dest=/etc/default/docker state=present regexp='^DOCKER_OPTS' line='DOCKER_OPTS=\'-H tcp://127.0.0.1:2375 -H unix:///var/run/docker.sock\''
when: (ansible_distribution == "Ubuntu" and ansible_distribution_version == "14.04")
- name: Force a docker service (re)start since we don't know whether the service file override has been updated/deployed for the first time (can't register file changes from copy module???)
service: name=docker state=restarted enabled=yes
when: (ansible_distribution == "Ubuntu" and ansible_distribution_version == "14.04")

37
library/centos/roles/duplicity-backup/defaults/main.yml Normal file
View File

@ -0,0 +1,37 @@
---
duplicity_install_duply: True
duplicity_cli_only: True
# ftps is nice but it fails if the target directory does not exist.
duplicity_use_ftps: True
duplicity_target_protocol: sftp
duplicity_use_ssh_keys: False
duplicity_max_backup_age: 1M
duplicity_max_full_backups: 2
duplicity_max_full_with_incrs: 1
duplicity_verbosity: 5
duplicity_temp_dir: /var/cache/duplicity
duplicity_cron_job_logfile: /var/log/duplicity_backup.log
duplicity_volsize: 50
duply_default_profile: '{{ ansible_fqdn }}'
duply_default_targets:
- '+ /etc/'
- '- **'
- '/'
duply_additional_targets:
- '- /var/cache'
- '+ /var/'
- '+ /home'
# Set the values on a vault encrypted file:
# duplicity_passphrase:
# duplicity_ftp_password:
# duplicity_backup_server:
# duplicity_backup_user:
# duplicity_backup_dest_dir:
# TODO: Create the configuration
# a pre script that runs the DB backups
# a exclude file with the list of directories to backup
# change the DB backup scripts to not run if duply is active

44
library/centos/roles/duplicity-backup/tasks/main.yml Normal file
View File

@ -0,0 +1,44 @@
---
- name: Install the duplicity package
yum: name=duplicity state=present
tags: [ 'duplicity', 'duplicity_backup' ]
- name: Install the duply wrapper
yum: name=duply state=present
when: duplicity_install_duply
tags: [ 'duplicity', 'duply', 'duplicity_backup' ]
- name: Install lftp if we want use ftps
yum: name=lftp state=present
when: duplicity_use_ftps
tags: [ 'duplicity', 'duply', 'duplicity_backup' ]
- name: Create the duply directory for the default profile
file: dest=/etc/duply/{{ duply_default_profile }} state=directory owner=root group=root mode=0700
when: duplicity_install_duply
tags: [ 'duplicity', 'duply', 'duplicity_backup' ]
- name: Create the duply temp directory
file: dest={{ duplicity_temp_dir }} state=directory owner=root group=root mode=0700
when: duplicity_install_duply
tags: [ 'duplicity', 'duply', 'duplicity_backup' ]
- name: Install the duply default profile configuration
template: src=duply-profile-conf.j2 dest=/etc/duply/{{ duply_default_profile }}/conf owner=root group=root mode=0400
when: duplicity_install_duply
tags: [ 'duplicity', 'duply', 'duplicity_backup' ]
- name: Install the duply pre script
template: src=duply-pre-script.j2 dest=/etc/duply/{{ duply_default_profile }}/pre owner=root group=root mode=0500
when: duplicity_install_duply
tags: [ 'duplicity', 'duply', 'duplicity_backup' ]
- name: Install the duply pattern files list
template: src=duply-exclude.j2 dest=/etc/duply/{{ duply_default_profile }}/exclude owner=root group=root mode=0400
when: duplicity_install_duply
tags: [ 'duplicity', 'duply', 'duplicity_backup' ]
- name: Install the duply cron job
template: src=duplicity_backup.cron.j2 dest=/etc/cron.daily/duplicity_backup owner=root group=root mode=0555
when: duplicity_install_duply
tags: [ 'duplicity', 'duply', 'duplicity_backup' ]

27
library/centos/roles/duplicity-backup/templates/duplicity_backup.cron.j2 Normal file
View File

@ -0,0 +1,27 @@
#!/bin/bash
DATE=$( date )
DUPLY=/usr/bin/duply
D_PROFILE={{ duply_default_profile }}
LOG_FILE={{ duplicity_cron_job_logfile }}
LOCK_FILE={{ duplicity_temp_dir }}/.duply-backup.lock
if [ ! -f $LOCK_FILE ] ; then
echo $$ > $LOCK_FILE
echo "----------------------" > $LOG_FILE
echo "$DATE: starting backup" >> $LOG_FILE
echo "----------------------" >> $LOG_FILE
$DUPLY $D_PROFILE backup >> $LOG_FILE 2>&1
echo "----------------------" >> $LOG_FILE
echo "Starting the purge old backups operation" >> $LOG_FILE
echo "----------------------" >> $LOG_FILE
$DUPLY $D_PROFILE purge --force >> $LOG_FILE 2>&1
echo "----------------------" >> $LOG_FILE
echo "Backup and purge operations finished" >> $LOG_FILE
echo "----------------------" >> $LOG_FILE
rm -f $LOCK_FILE
else
echo "$DATE: another backup is running, exiting" > $LOG_FILE
fi
exit 0

14
library/centos/roles/duplicity-backup/templates/duply-exclude.j2 Normal file
View File

@ -0,0 +1,14 @@
# although called exclude, this file is actually a globbing file list
# duplicity accepts some globbing patterns, even including ones here
# here is an example, this incl. only 'dir/bar' except it's subfolder 'foo'
# - dir/bar/foo
# + dir/bar
# - **
# for more details see duplicity manpage, section File Selection
# http://duplicity.nongnu.org/duplicity.1.html#sect9
{% for dir in duply_additional_targets %}
{{ dir }}
{% endfor %}
{% for ddir in duply_default_targets %}
{{ ddir }}
{% endfor %}

11
library/centos/roles/duplicity-backup/templates/duply-pre-script.j2 Normal file
View File

@ -0,0 +1,11 @@
#!/bin/bash
# Run a DB dump before the backup
if [ -x /usr/local/sbin/postgresql-backup ] ; then
/usr/local/sbin/postgresql-backup
fi
if [ -x /usr/local/sbin/mysql-backup ] ; then
/usr/local/sbin/mysql-backup
fi

150
library/centos/roles/duplicity-backup/templates/duply-profile-conf.j2 Normal file
View File

@ -0,0 +1,150 @@
# gpg encryption settings, simple settings:
# GPG_KEY='disabled' - disables encryption alltogether
# GPG_KEY='<key1>[,<key2>]'; GPG_PW='pass' - encrypt with keys,
# sign if secret key of key1 is available use GPG_PW for sign & decrypt
# Note: you can specify keys via all methods described in gpg manpage,
# section "How to specify a user ID", escape commas (,) via backslash (\)
# e.g. 'Mueller, Horst', 'Bernd' -> 'Mueller\, Horst, Bernd'
# as they are used to separate the entries
# GPG_PW='passphrase' - symmetric encryption using passphrase only
#GPG_KEY='_KEY_ID_'
GPG_PW='{{ duplicity_passphrase }}'
# gpg encryption settings in detail (extended settings)
# the above settings translate to the following more specific settings
# GPG_KEYS_ENC='<keyid1>[,<keyid2>,...]' - list of pubkeys to encrypt to
# GPG_KEY_SIGN='<keyid1>|disabled' - a secret key for signing
# GPG_PW='<passphrase>' - needed for signing, decryption and symmetric
# encryption. If you want to deliver different passphrases for e.g.
# several keys or symmetric encryption plus key signing you can use
# gpg-agent. Simply make sure that GPG_AGENT_INFO is set in environment.
# also see "A NOTE ON SYMMETRIC ENCRYPTION AND SIGNING" in duplicity manpage
# notes on en/decryption
# private key and passphrase will only be needed for decryption or signing.
# decryption happens on restore and incrementals (compare archdir contents).
# for security reasons it makes sense to separate the signing key from the
# encryption keys. https://answers.launchpad.net/duplicity/+question/107216
#GPG_KEYS_ENC='<pubkey1>,<pubkey2>,...'
#GPG_KEY_SIGN='<prvkey>'
# set if signing key passphrase differs from encryption (key) passphrase
# NOTE: available since duplicity 0.6.14, translates to SIGN_PASSPHRASE
#GPG_PW_SIGN='<signpass>'
# gpg options passed from duplicity to gpg process (default='')
# e.g. "--trust-model pgp|classic|direct|always"
# or "--compress-algo=bzip2 --bzip2-compress-level=9"
# or "--personal-cipher-preferences AES256,AES192,AES..."
# or "--homedir ~/.duply" - keep keyring and gpg settings duply specific
#GPG_OPTS=''
# disable preliminary tests with the following setting
#GPG_TEST='disabled'
# credentials & server address of the backup target (URL-Format)
# syntax is
# scheme://[user:password@]host[:port]/[/]path
# for details see duplicity manpage, section URL Format
# http://duplicity.nongnu.org/duplicity.1.html#sect8
# probably one out of
# # for cloudfiles backend user id is CLOUDFILES_USERNAME, password is
# # CLOUDFILES_APIKEY, you might need to set CLOUDFILES_AUTHURL manually
# cf+http://[user:password@]container_name
# dpbx:///some_dir
# file://[relative|/absolute]/local/path
# ftp[s]://user[:password]@other.host[:port]/some_dir
# gdocs://user[:password]@other.host/some_dir
# # for the google cloud storage (since duplicity 0.6.22)
# # user/password are GS_ACCESS_KEY_ID/GS_SECRET_ACCESS_KEY
# gs://bucket[/prefix]
# hsi://user[:password]@other.host/some_dir
# imap[s]://user[:password]@host.com[/from_address_prefix]
# mega://user[:password]@mega.co.nz/some_dir
# rsync://user[:password]@host.com[:port]::[/]module/some_dir
# # rsync over ssh (only keyauth)
# rsync://user@host.com[:port]/[relative|/absolute]_path
# # for the s3 user/password are AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY
# s3://[user:password@]host/bucket_name[/prefix]
# s3+http://[user:password@]bucket_name[/prefix]
# # scp and sftp are aliases for the ssh backend
# ssh://user[:password]@other.host[:port]/[/]some_dir
# # for authenticated swift define TARGET_USER or SWIFT_USERNAME,
# # TARGET_PASS or SWIFT_PASSWORD, SWIFT_AUTHURL (mandatory, the path to
# # your identity service, omitting leads to an error with swift),
# # optionally SWIFT_AUTHVERSION (which defaults to "1")
# swift://container_name
# tahoe://alias/directory
# webdav[s]://user[:password]@other.host/some_dir
# ATTENTION: characters other than A-Za-z0-9.-_.~ in the URL have
# to be replaced by their url encoded pendants, see
# http://en.wikipedia.org/wiki/Url_encoding
# if you define the credentials as TARGET_USER, TARGET_PASS below
# duply will try to url_encode them for you if the need arises
{% if duplicity_use_ftps %}
TARGET='ftps://{{ duplicity_backup_server }}/{{ duplicity_backup_dest_dir }}'
{% else %}
TARGET='{{ duplicity_target_protocol }}://{{ duplicity_backup_server }}/{{ duplicity_backup_dest_dir }}'
{% endif %}
# optionally the username/password can be defined as extra variables
# setting them here _and_ in TARGET results in an error
{% if not duplicity_use_ssh_keys %}
TARGET_USER='{{ duplicity_backup_user }}'
TARGET_PASS='{{ duplicity_ftp_password }}'
{% endif %}
# base directory to backup
SOURCE='/'
# a command that runs duplicity e.g.
# shape bandwidth use via trickle
# "trickle -s -u 640 -d 5120" # 5Mb up, 40Mb down"
#DUPL_PRECMD=""
# exclude folders containing exclusion file (since duplicity 0.5.14)
# Uncomment the following two lines to enable this setting.
#FILENAME='.duplicity-ignore'
#DUPL_PARAMS="$DUPL_PARAMS --exclude-if-present '$FILENAME'"
# Time frame for old backups to keep, Used for the "purge" command.
# see duplicity man page, chapter TIME_FORMATS)
MAX_AGE={{ duplicity_max_backup_age }}
# Number of full backups to keep. Used for the "purge-full" command.
# See duplicity man page, action "remove-all-but-n-full".
MAX_FULL_BACKUPS={{ duplicity_max_full_backups }}
# Number of full backups for which incrementals will be kept for.
# Used for the "purge-incr" command.
# See duplicity man page, action "remove-all-inc-of-but-n-full".
MAX_FULLS_WITH_INCRS={{ duplicity_max_full_with_incrs }}
# activates duplicity --full-if-older-than option (since duplicity v0.4.4.RC3)
# forces a full backup if last full backup reaches a specified age, for the
# format of MAX_FULLBKP_AGE see duplicity man page, chapter TIME_FORMATS
# Uncomment the following two lines to enable this setting.
#MAX_FULLBKP_AGE=1M
#DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE "
# sets duplicity --volsize option (available since v0.4.3.RC7)
# set the size of backup chunks to VOLSIZE MB instead of the default 25MB.
# VOLSIZE must be number of MB's to set the volume size to.
# Uncomment the following two lines to enable this setting.
VOLSIZE={{ duplicity_volsize }}
DUPL_PARAMS="$DUPL_PARAMS --volsize $VOLSIZE "
# verbosity of output (error 0, warning 1-2, notice 3-4, info 5-8, debug 9)
# default is 4, if not set
VERBOSITY={{ duplicity_verbosity }}
# temporary file space. at least the size of the biggest file in backup
# for a successful restoration process. (default is '/tmp', if not set)
TEMP_DIR={{ duplicity_temp_dir }}
# Modifies archive-dir option (since 0.6.0) Defines a folder that holds
# unencrypted meta data of the backup, enabling new incrementals without the
# need to decrypt backend metadata first. If empty or deleted somehow, the
# private key and it's password are needed.
# NOTE: This is confidential data. Put it somewhere safe. It can grow quite
# big over time so you might want to put it not in the home dir.
# default '~/.cache/duplicity/duply_<profile>/'
# if set '${ARCH_DIR}/<profile>'
#ARCH_DIR=/some/space/safe/.duply-cache

9
library/centos/roles/external-repos/defaults/main.yml Normal file
View File

@ -0,0 +1,9 @@
---
centos_install_epel: true
centos_epel_repo_url: epel-release
centos_pkg_state: latest
centos_install_release_scl: False
rh_install_elrepo: false
rh_elrepo_repo_url: "http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm"

15
library/centos/roles/external-repos/tasks/main.yml Normal file
View File

@ -0,0 +1,15 @@
---
- name: Install the epel repository
yum: name={{ centos_epel_repo_url }} state={{ centos_pkg_state }}
when: centos_install_epel
tags: [ 'centos', 'repo' ]
- name: Install the SCL release to access the latest versions of some software
yum: name=centos-release-scl state=present
when: centos_install_release_scl
tags: [ 'centos', 'scl', 'repo' ]
- name: Install the elrepo repository
yum: name={{ rh_elrepo_repo_url }} state=present
when: rh_install_elrepo
tags: [ 'centos', 'rhel', 'repo' ]

20
library/centos/roles/fail2ban/defaults/main.yml Normal file
View File

@ -0,0 +1,20 @@
---
# NOTICE Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
fail2ban_logtarget: SYSLOG
fail2ban_bantime: 600000
fail2ban_findtime: 4800
fail2ban_maxretry: 2
fail2ban_enabled: True
fail2ban_sshd_enabled: True
fail2ban_sshd_ddos_enabled: True
fail2ban_nginx_auth_enabled: False
fail2ban_apache_auth_enabled: False
fail2ban_php_url_fopen_enabled: False
fail2ban_vsftpd_enabled: False
fail2ban_packages:
- fail2ban
- fail2ban-server
- fail2ban-systemd
- fail2ban-firewalld
- fail2ban-sendmail

25
library/centos/roles/fail2ban/files/fail2ban-journal-sepol.te Normal file
View File

@ -0,0 +1,25 @@
module fail2ban-journal-sepol 1.0;
require {
type fail2ban_client_exec_t;
type logrotate_t;
type fail2ban_t;
type var_run_t;
type syslogd_t;
type syslogd_var_run_t;
class dir read;
class file { ioctl read execute execute_no_trans open getattr };
}
#============= fail2ban_t ==============
allow fail2ban_t var_run_t:file { read getattr open };
allow fail2ban_t syslogd_var_run_t:dir read;
allow fail2ban_t syslogd_var_run_t:file { read getattr open };
#============= syslogd_t ==============
allow syslogd_t var_run_t:file { read getattr open };
#============= logrotate_t ==============
allow logrotate_t fail2ban_client_exec_t:file { ioctl read execute execute_no_trans open };

12
library/centos/roles/fail2ban/handlers/main.yml Normal file
View File

@ -0,0 +1,12 @@
---
- name: Enable and start fail2ban
service: name=fail2ban state=started enabled=yes
- name: Reload fail2ban
service: name=fail2ban state=reloaded
- name: Restart fail2ban
service: name=fail2ban state=restarted
- name: Enable and start firewalld
service: name=firewalld state=started enabled=yes

40
library/centos/roles/fail2ban/tasks/main.yml Normal file
View File

@ -0,0 +1,40 @@
---
- block:
- name: Install fail2ban
yum: name={{ fail2ban_packages }} state=present
notify:
- Enable and start fail2ban
- Enable and start firewalld
- name: Install fail2ban local config
template: src={{ item }}.j2 dest=/etc/fail2ban/{{ item }} owner=root group=root mode=0444
with_items: fail2ban.local
notify: Reload fail2ban
- name: Install fail2ban jail custom configuration
template: src=jail-d-{{ item }}.j2 dest=/etc/fail2ban/jail.d/{{ item }} owner=root group=root mode=0444
with_items: customization.local
notify: Reload fail2ban
- name: Install the selinux policy file for fail2ban
copy: src=fail2ban-journal-sepol.te dest=/usr/local/etc/fail2ban-journal-sepol.te
register: fail2ban_selinux_policy
- name: Activate the selinux policy for fail2ban
shell: checkmodule -M -m -o /usr/local/etc/fail2ban-journal-sepol.mod /usr/local/etc/fail2ban-journal-sepol.te ; semodule_package -o /usr/local/etc/fail2ban-journal-sepol.pp -m /usr/local/etc/fail2ban-journal-sepol.mod ; semodule -i /usr/local/etc/fail2ban-journal-sepol.pp
args:
creates: /usr/local/etc/fail2ban-journal-sepol.pp
when: fail2ban_selinux_policy is changed
- name: Ensure that fail2ban and firewalld are started and enabled
service: name={{ item }} state=started enabled=yes
with_items:
- fail2ban
- firewalld
when: centos_install_epel
tags:
- centos
- rhel
- fail2ban
- selinux

2
library/centos/roles/fail2ban/templates/fail2ban.local.j2 Normal file
View File

@ -0,0 +1,2 @@
[Definition]
logtarget = {{ fail2ban_logtarget }}

28
library/centos/roles/fail2ban/templates/jail-d-customization.local.j2 Normal file
View File

@ -0,0 +1,28 @@
[DEFAULT]
# "bantime" is the number of seconds that a host is banned.
bantime = {{ fail2ban_bantime }}
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = {{ fail2ban_findtime }}
# "maxretry" is the number of failures before a host get banned.
maxretry = {{ fail2ban_maxretry }}
[sshd]
enabled={{ fail2ban_sshd_enabled }}
[sshd-ddos]
enabled={{ fail2ban_sshd_ddos_enabled }}
[nginx-http-auth]
enabled={{ fail2ban_nginx_auth_enabled }}
[apache-auth]
enabled={{ fail2ban_apache_auth_enabled }}
[php-url-fopen]
enabled={{ fail2ban_php_url_fopen_enabled }}
[vsftpd]
enabled={{ fail2ban_vsftpd_enabled }}

19
library/centos/roles/firewalld/defaults/main.yml Normal file
View File

@ -0,0 +1,19 @@
---
firewalld_enabled: True
firewalld_default_zone: public
firewalld_ssh_enabled_on_default_zone: True
firewalld_rules:
# - { service: 'http', zone: 'public', permanent: 'true', state: 'enabled' }
# - { port: '9001', protocol: 'tcp', zone: 'public', permanent: 'true', state: 'enabled' }
# - { rich_rule: 'rule service name="ftp" audit limit value="1/m" accept', zone: 'public', permanent: 'true', state: 'enabled' }
#firewalld_new_services:
# - { name: 'mosh', zone: 'public', permanent: 'true', state: 'enabled' }
# We execute direct rules as they are written
# firewalld_direct_rules:
# - { action: '--add-rule', parameters: 'ipv4 filter FORWARD 0 -s 136.243.21.126 --in-interface br0 -d 0/0 -j ACCEPT' }
# firewalld_zones_interfaces:
# - { interface: 'eth1', zone: 'internal' }

16
library/centos/roles/firewalld/files/mosh.xml Normal file
View File

@ -0,0 +1,16 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Mosh SSH service</short>
<description>This allows mosh to send and receive datagram connections.</description>
<port protocol="udp" port="60000"/>
<port protocol="udp" port="60001"/>
<port protocol="udp" port="60002"/>
<port protocol="udp" port="60003"/>
<port protocol="udp" port="60004"/>
<port protocol="udp" port="60005"/>
<port protocol="udp" port="60006"/>
<port protocol="udp" port="60007"/>
<port protocol="udp" port="60008"/>
<port protocol="udp" port="60009"/>
<port protocol="udp" port="60010"/>
</service>

7
library/centos/roles/firewalld/files/traceroute.xml Normal file
View File

@ -0,0 +1,7 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>ports needed by traceroute</short>
<description>This allows the host to be reached by traceroute.</description>
<port protocol="udp" port="33434"/>
<port protocol="udp" port="33523"/>
</service>

16
library/centos/roles/firewalld/handlers/main.yml Normal file
View File

@ -0,0 +1,16 @@
---
- name: Enable and start firewalld
service: name=firewalld state=started enabled=yes
when: firewalld_enabled
- name: Reload firewall config
command: firewall-cmd --reload
notify: Restart fail2ban
when: firewalld_enabled
- name: Restart fail2ban
service: name=fail2ban state=restarted
when:
- fail2ban_enabled is defined and fail2ban_enabled
- centos_install_epel

5
library/centos/roles/firewalld/tasks/disable_firewalld.yml Normal file
View File

@ -0,0 +1,5 @@
---
- name: Ensure that the firewalld service is stopped and disabled if we do not want it
service: name=firewalld state=stopped enabled=no
when: not firewalld_enabled
tags: [ 'iptables', 'firewall', 'firewalld' ]

91
library/centos/roles/firewalld/tasks/firewalld_rules.yml Normal file
View File

@ -0,0 +1,91 @@
---
- block:
- name: Ensure that the service is enabled and started
service: name=firewalld state=started enabled=yes
notify: Restart fail2ban
- name: Open the ssh service to the world. We rely on fail2ban to stop unauthorized accesses
firewalld: service=ssh zone={{ firewalld_default_zone }} permanent=True state=enabled immediate=True
when: firewalld_ssh_enabled_on_default_zone
- name: Set the firewalld default zone.
command: firewall-cmd --set-default-zone={{ firewalld_default_zone }}
- name: Add sources to the availability zones, if any
firewalld: source={{ item.cidr }} zone={{ item.zone }} permanent={{ item.permanent }} state={{ item.state }} immediate=True
with_items: '{{ firewalld_src_rules | default([]) }}'
- name: Assign interfaces to firewalld zones if needed
firewalld: zone={{ item.zone }} interface={{ item.interface }} permanent={{ item.permanent }} state={{ item.state }} immediate=True
with_items: '{{ firewalld_zones_interfaces | default([]) }}'
when:
- firewalld_zones_interfaces is defined
- item.interface is defined
- item.zone is defined
- name: Manage services firewalld rules. Services names must be the known ones. Save the services that are meant to be permanent
firewalld: service={{ item.service }} zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True
with_items: '{{ firewalld_rules }}'
when:
- firewalld_rules is defined
- item.service is defined
- name: Save the ports firewalld rules that need to be permanent
firewalld: port={{ item.port }}/{{ item.protocol }} zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True
with_items: '{{ firewalld_rules }}'
when:
- firewalld_rules is defined
- item.port is defined
- item.protocol is defined
- name: Save the rich_rules firewalld rules that need to be permanent
firewalld: rich_rule='{{ item.rich_rule }}' zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True
with_items: '{{ firewalld_rules }}'
when:
- firewalld_rules is defined
- item.rich_rule is defined
notify: Reload firewall config
- name: Enable the firewall-cmd direct passthrough rules
shell: touch /etc/firewalld/.{{ item.label }} ; firewall-cmd --direct --passthrough {{ item.action }}
with_items: '{{ firewalld_direct_rules }}'
args:
creates: /etc/firewalld/.{{ item.label }}
when:
- firewalld_direct_rules is defined
- item.action is defined
- name: Set the firewall-cmd direct passthrough rules as permanent ones
command: firewall-cmd --direct --permanent --passthrough {{ item.action }}
with_items: '{{ firewalld_direct_rules }}'
when:
- firewalld_direct_rules is defined
- item.action is defined
- name: Add new not yet defined services, if any. They need an additional task to really install a meaningful service config file
command: firewall-cmd --new-service={{ item.name }} --permanent
args:
creates: '/etc/firewalld/services/{{ item.name }}.xml'
with_items: '{{ firewalld_new_services }}'
when: firewalld_new_services is defined
notify: Reload firewall config
- name: Install the custom firewall services
copy: src={{ item.name }}.xml dest=/etc/firewalld/services/{{ item.name }}.xml
with_items: '{{ firewalld_new_services }}'
when: firewalld_new_services is defined
notify: Reload firewall config
- name: Manage the custom services firewalld rules.
firewalld: service={{ item.name }} zone={{ item.zone }} permanent={{ item.permanent }} state={{ item.state }} immediate=True
with_items: '{{ firewalld_new_services }}'
when:
- firewalld_new_services is defined
- item.name is defined
notify: Reload firewall config
# Last one to not take ourselves out
- name: Set the firewalld default zone.
command: firewall-cmd --set-default-zone={{ firewalld_default_zone }}
tags: [ 'iptables', 'firewall', 'firewalld' ]

7
library/centos/roles/firewalld/tasks/main.yml Normal file
View File

@ -0,0 +1,7 @@
---
- import_tasks: firewalld_rules.yml
when: firewalld_enabled
- import_tasks: disable_firewalld.yml
when: not firewalld_enabled

39
library/centos/roles/ganeti/defaults/main.yml Normal file
View File

@ -0,0 +1,39 @@
---
# Installation and cofiguration notes:
# https://github.com/jfut/ganeti-rpm/blob/master/doc/install-rhel.rst
#
integ_ganeti_centos_version: 7
integ_ganeti_repo_url: 'http://jfut.integ.jp/linux/ganeti/{{ integ_ganeti_centos_version }}/x86_64/integ-ganeti-release-{{ integ_ganeti_centos_version }}-1.el{{ integ_ganeti_centos_version }}.noarch.rpm'
integ_ganeti_repo_file: '/etc/yum.repos.d/integ-ganeti.repo'
integ_ganeti_repo:
- { name: 'integ-ganeti', value: '1' }
# Ganeti needs packages from the elrepo repository. drbd, specifically
rh_install_elrepo: True
integ_ganeti_packages:
- ganeti
integ_ganeti_drbd_packages:
- drbd84-utils
- kmod-drbd84
ganeti_cluster_name: "gnt_cluster"
ganeti_cluster: True
ganeti_use_drbd: True
ganeti_first_node: False
ganeti_pkg_state: latest
ganeti_link_int: br0
ganeti_master_netdev: eth0
ganeti_vg_name: vgxen
ganeti_enabled_hypervisors: "kvm,lxc"
ganeti_drbd_conf: "minor_count=128 usermode_helper=/bin/true"
# ganeti does not use the libvirtd service
virtualization_enable_libvirtd: False
ganeti_drbd_sysctl_tuning:
- { name: 'net.ipv4.tcp_rmem', value: '131072 131072 10485760', state: 'present' }
- { name: 'net.ipv4.tcp_wmem', value: '131072 131072 10485760', state: 'present' }
- { name: 'vm.dirty_ratio', value: '10', state: 'present' }
- { name: 'vm.dirty_background_ratio', value: '4', state: 'present' }

3
library/centos/roles/ganeti/meta/main.yml Normal file
View File

@ -0,0 +1,3 @@
---
dependencies:
- { role: '../../library/roles/kvm' }

114
library/centos/roles/ganeti/tasks/main.yml Normal file
View File

@ -0,0 +1,114 @@
---
- name: "*** Install the Integ ganeti repo ***"
yum: name={{ integ_ganeti_repo_url }} state=present
when: ganeti_use_drbd
tags:
- ganeti
- kvm
- name: "*** Enable Integ ganeti repo ***"
ini_file: dest={{ integ_ganeti_repo_file }} section={{ item.1.name }} option=enabled value={{ item.1.value }}
with_nested:
- integ_ganeti_centos_version
- integ_ganeti_repo
tags:
- ganeti
- kvm
- name: Install the ganeti packages
yum: name={{ item }} state={{ ganeti_pkg_state }}
with_items: integ_ganeti_packages
tags:
- ganeti
- kvm
- name: Install drbd
yum: name={{ item }} state={{ ganeti_pkg_state }}
with_items: integ_ganeti_drbd_packages
when: ganeti_use_drbd
tags:
- ganeti
- drbd
- name: Tell the system that we want the drbd module loaded
copy: content="drbd\n" dest=/etc/modules-load.d/drbd.conf
when: ganeti_use_drbd
tags:
- ganeti
- drbd
- name: Tell modprobe that the drbd kernel module needs some parameters
copy: content="options drbd {{ ganeti_drbd_conf }}\n" dest=/etc/modprobe.d/drbd.conf
when: ganeti_use_drbd
tags:
- ganeti
- drbd
- name: Tell modprobe that the drbd kernel module needs some parameters on centos < 6
copy: content='ADD_MOD_PARAM="{{ ganeti_drbd_conf }}\n"' dest=/etc/default/drbd
when:
- integ_ganeti_centos_version < '7'
- ganeti_use_drbd
tags:
- ganeti
- drbd
- name: Tell lvm to ignore the drbd devices
lineinfile: name=/etc/lvm/lvm.conf regexp="^\ \ \ \ filter\ =.*$" line=" filter = [ \"r|/dev/cdrom|\", \"r|/dev/drbd[0-9]+|\" ]"
when: ganeti_use_drbd
tags:
- ganeti
- drbd
- name: Ensure that systemd loads the drbd module
service: name=systemd-modules-load state=started
when:
- integ_ganeti_centos_version == '7'
- ganeti_use_drbd
tags:
- ganeti
- drbd
- name: Load the drbd module on CentOS < 7
command: modprobe drbd
when:
- integ_ganeti_centos_version < '7'
- ganeti_use_drbd
tags:
- ganeti
- drbd
- name: Change some kernel parameters to optimize the drbd performances
sysctl: name={{ item.name }} state={{ item.state }} value={{ item.value }} sysctl_file=/etc/sysctl.d/60-drbd-tuning.conf reload=yes sysctl_set=yes
with_items: ganeti_drbd_sysctl_tuning
when: ganeti_use_drbd
tags:
- ganeti
# Important: we need a way to get the ssh keys and store them without a manual intervention.
- name: Create a ssh key for root on the ganeti first node
user: name=root generate_ssh_key=yes ssh_key_bits=2048 ssh_key_comment="ganeti {{ ganeti_cluster_name }}"
when: ganeti_first_node
tags:
- ganeti
- name: Copy the ssh private key on the first node
copy: content="{{ id_rsa }}" dest=/root/.ssh/id_rsa mode=0600
when: ganeti_first_node
tags:
- ganeti
- ssh_priv
- name: Ensure the first node public key is distributed on all the other ganeti nodes
authorized_key: user=root key="{{ ganeti_cluster_key }}" state=present
tags:
- ganeti
- name: Install a script that initializes the ganeti cluster on the first node
template: src={{ item }}.sh.j2 dest=/usr/local/sbin/{{ item }} owner=root mode=0550
with_items:
- ganeti_cluster_init
when: ganeti_first_node
tags:
- ganeti
- gnt_init

84
library/centos/roles/httpd/defaults/main.yml Normal file
View File

@ -0,0 +1,84 @@
---
httpd_service_enabled: True
httpd_pkg_state: latest
httpd_base_conf_dir: /etc/httpd
httpd_base_document_root: /var/www
httpd_document_root: '{{ httpd_base_document_root }}/html'
httpd_main_packages:
- httpd
- httpd-tools
httpd_ssl_enabled: True
httpd_ssl_packages:
- mod_ssl
httpd_listen_ports:
- 80
- 443
httpd_user: apache
httpd_group: apache
httpd_server_admin: root@localhost
httpd_base_document_root_override: None
httpd_base_document_root_access: 'denied'
httpd_document_root_options: 'Indexes FollowSymLinks'
httpd_document_root_override: 'None'
httpd_document_root_access: 'granted'
httpd_cgi_enabled: False
httpd_sendfile_enabled: 'on'
httpd_mmap_enabled: 'on'
httpd_use_canonicalname: 'off'
httpd_servertokens: 'OS'
httpd_hostname_lookups: 'off'
httpd_default_charset: 'UTF-8'
httpd_languages:
- en
- it
httpd_timeout: 60
httpd_keepalive_enabled: True
httpd_keepalive_timeout: 5
httpd_keepalive_requests: 100
# Options: prefork, worker, event
httpd_mpm_mode: "worker"
httpd_startservers: 8
httpd_maxclients: 300
httpd_min_spare: 25
httpd_max_spare: 75
httpd_max_requests_per_child: 0
httpd_threads_per_child: 25
httpd_serverlimit: 256
httpd_modules:
- { name: 'systemd' }
- { name: 'alias' }
- { name: 'allowmethods' }
- { name: 'auth_basic' }
- { name: 'deflate' }
- { name: 'headers' }
- { name: 'include' }
- { name: 'log_config' }
- { name: 'logio' }
- { name: 'mime_magic' }
- { name: 'mime' }
- { name: 'remoteip' }
- { name: 'reqtimeout' }
- { name: 'rewrite' }
- { name: 'setenvif' }
- { name: 'socache_memcache' }
- { name: 'socache_shmcb' }
- { name: 'unixd' }
- { name: 'vhost_alias' }
apache_letsencrypt_managed: True
apache_letsencrypt_proxy_modules:
- proxy
- proxy_http
apache_letsencrypt_proxy_conf:
- letsencrypt-proxy.conf

25
library/centos/roles/httpd/files/apache-letsencrypt-acme.sh Normal file
View File

@ -0,0 +1,25 @@
#!/bin/bash
LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
LE_LOG_DIR=/var/log/letsencrypt
DATE=$( date )
[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
echo "$DATE" >> $LE_LOG_DIR/apache.log
if [ -f /etc/default/letsencrypt ] ; then
. /etc/default/letsencrypt
else
echo "No letsencrypt default file" >> $LE_LOG_DIR/apache.log
fi
echo "Reload the apache service" >> $LE_LOG_DIR/apache.log
if [ -x /bin/systemctl ] ; then
systemctl reload httpd >> $LE_LOG_DIR/apache.log 2>&1
else
service httpd reload >> $LE_LOG_DIR/apache.log 2>&1
fi
echo "Done." >> $LE_LOG_DIR/apache.log
exit 0

7
library/centos/roles/httpd/handlers/main.yml Normal file
View File

@ -0,0 +1,7 @@
---
- name: httpd reload
service: name=httpd state=reloaded
- name: httpd restart
service: name=httpd state=restarted

34
library/centos/roles/httpd/tasks/httpd-letsencrypt.yml Normal file
View File

@ -0,0 +1,34 @@
---
- block:
- name: Enable the proxy modules needed by letsencrypt
apache2_module: name={{ item }} state=present
with_items: '{{ apache_letsencrypt_proxy_modules }}'
notify: httpd reload
- name: Install the apache letsencrypt directives
template: src={{ item }}.j2 dest=/etc/httpd/conf.d/00-{{ item }} owner=root group=root mode=0644
with_items: '{{ apache_letsencrypt_proxy_conf }}'
notify: httpd reload
- name: Create the acme hooks directory if it does not yet exist
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
- name: Install a letsencrypt hook for apache
copy: src=apache-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/httpd owner=root group=root mode=4555
when:
- letsencrypt_acme_install is defined and letsencrypt_acme_install
- apache_letsencrypt_managed
tags: [ 'apache', 'letsencrypt' ]
- block:
- name: Disable the letsencrypt conf
file: dest=/etc/apache2/conf.d/letsencrypt-proxy.conf state=absent
notify: apache2 reload
- name: Remove the letsencrypt hook for apache
file: path={{ letsencrypt_acme_services_scripts_dir }}/httpd state=absent
when: not apache_letsencrypt_managed
tags: [ 'apache', 'letsencrypt' ]

36
library/centos/roles/httpd/tasks/httpd.yml Normal file
View File

@ -0,0 +1,36 @@
---
- block:
- name: install the apache httpd packages
yum: name={{ item }} state={{ httpd_pkg_state }}
with_items: '{{ httpd_main_packages }}'
- name: install the apache httpd mod_ssl packages
yum: name={{ item }} state={{ httpd_pkg_state }}
when: httpd_ssl_enabled
with_items: '{{ httpd_ssl_packages }}'
- name: Install the main httpd configuration file
template: src=httpd.conf.j2 dest={{ httpd_base_conf_dir }}/conf/httpd.conf
notify: httpd reload
- name: Enable the modules we want active
apache2_module: name={{ item.name }} state={{ item.state | default('present') }}
with_items: '{{ httpd_modules }}'
- name: Manage additional modules, if any
apache2_module: name={{ item.name }} state={{ item.state | default('present') }}
with_items: '{{ httpd_additional_modules | default([])}}'
- name: Set the MPM mode
template: src=00-mpm.conf.j2 dest={{ httpd_base_conf_dir }}/conf.modules.d/00-mpm.conf mode=0444 owner=root group=root
notify: httpd reload
- name: Ensure that httpd is stopped if it is not meant to be running
service: name=httpd state=stopped enabled=no
when: not httpd_service_enabled
- name: Ensure that httpd is running and enabled
service: name=httpd state=started enabled=yes
when: httpd_service_enabled
tags: [ 'httpd', 'apache' ]

5
library/centos/roles/httpd/tasks/main.yml Normal file
View File

@ -0,0 +1,5 @@
---
- import_tasks: httpd.yml
- import_tasks: httpd-letsencrypt.yml
when: apache_letsencrypt_managed

1
library/centos/roles/httpd/templates/00-mpm.conf.j2 Normal file
View File

@ -0,0 +1 @@
LoadModule mpm_{{ httpd_mpm_mode }}_module modules/mod_mpm_{{ http_mpm_mode }}.so

395
library/centos/roles/httpd/templates/httpd.conf.j2 Normal file
View File

@ -0,0 +1,395 @@
#
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so 'log/access_log'
# with ServerRoot set to '/www' will be interpreted by the
# server as '/www/log/access_log', where as '/log/access_log' will be
# interpreted as '/log/access_log'.
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path. If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used. If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
ServerRoot "{{ httpd_base_conf_dir }}"
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
{% for port in httpd_listen_ports %}
Listen {{ port }}
{% endfor %}
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
Include conf.modules.d/*.conf
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User {{ httpd_user }}
Group {{ httpd_group }}
# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
ServerAdmin {{ httpd_server_admin }}
#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80
#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
AllowOverride none
Require all denied
</Directory>
#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#
#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "{{ httpd_document_root }}"
#
# Regulate access to the main root directories
#
<Directory "{{ httpd_base_document_root }}">
AllowOverride {{ httpd_base_document_root_override }}
# Allow open access:
Require all granted
</Directory>
# Further relax access to the default document root:
<Directory "/var/www/html">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options {{ httpd_document_root_options }}
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride {{ httpd_document_root_override }}
#
# Controls who can get stuff from this server.
#
Require all {{ httpd_document_root_access }}
</Directory>
#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
Require all denied
</Files>
#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "logs/error_log"
#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn
<IfModule log_config_module>
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
#CustomLog "logs/access_log" common
#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
CustomLog "logs/access_log" combined
</IfModule>
{% if httpd_cgi_enabled %}
<IfModule alias_module>
#
# Redirect: Allows you to tell clients about documents that used to
# exist in your server's namespace, but do not anymore. The client
# will make a new request for the document at its new location.
# Example:
# Redirect permanent /foo http://www.example.com/bar
#
# Alias: Maps web paths into filesystem paths and is used to
# access content that does not live under the DocumentRoot.
# Example:
# Alias /webpath /full/filesystem/path
#
# If you include a trailing / on /webpath then the server will
# require it to be present in the URL. You will also likely
# need to provide a <Directory> section to allow access to
# the filesystem path.
#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the target directory are treated as applications and
# run by the server when requested rather than as documents sent to the
# client. The same rules about trailing "/" apply to ScriptAlias
# directives as to Alias.
#
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
{% endif %}
<IfModule mime_module>
#
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
#
TypesConfig /etc/mime.types
#
# AddType allows you to add to or override the MIME configuration
# file specified in TypesConfig for specific file types.
#
#AddType application/x-gzip .tgz
#
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
#
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz
#
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
#
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#
#AddHandler cgi-script .cgi
# For type maps (negotiated resources):
#AddHandler type-map var
#
# Filters allow you to process content before it is sent to the client.
#
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
</IfModule>
#
# Specify a default charset for all content served; this enables
# interpretation of all content as UTF-8 by default. To use the
# default browser choice (ISO-8859-1), or to allow the META tags
# in HTML content to override this choice, comment out this
# directive:
#
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
MIMEMagicFile conf/magic
</IfModule>
#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#
#
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall may be used to deliver
# files. This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults if commented: EnableMMAP On, EnableSendfile Off
#
EnableMMAP {{ httpd_mmap_enabled }}
EnableSendfile {{ httpd_mmap_enabled }}
ServerTokens {{ httpd_servertokens }}
UseCanonicalName {{ httpd_use_canonicalname }}
HostnameLookups {{ httpd_hostname_lookups }}
AddDefaultCharset {{ httpd_default_charset}}
{% for lang in httpd_languages %}
AddLanguage {{ lang }} .{{ lang }}
{% endfor %}
Timeout {{ httpd_timeout }}
{% if httpd_keepalive_enabled %}
KeepAlive On
MaxKeepAliveRequests {{ httpd_keepalive_requests }}
KeepAliveTimeout {{ httpd_keepalive_timeout }}
{% else %}
KeepAlive Off
{% endif %}
{% if httpd_mpm_mode == 'prefork' %}
<IfModule prefork.c>
StartServers {{ httpd_startservers }}
MinSpareServers {{ httpd_min_spare }}
MaxSpareServers {{ httpd_max_spare }}
ServerLimit {{ httpd_serverlimit }}
MaxClients {{ httpd_maxclients }}
MaxRequestsPerChild {{ httpd_max_requests_per_child }}
</IfModule>
{% endif %}
{% if httpd_mpm_mode == 'worker' %}
<IfModule worker.c>
StartServers {{ httpd_startservers }}
MaxClients {{ httpd_maxclients }}
MinSpareThreads {{ httpd_min_spare }}
MaxSpareThreads {{ httpd_max_spare }}
ThreadsPerChild {{ httpd_threads_per_child }}
MaxRequestsPerChild {{ httpd_max_requests_per_child }}
</IfModule>
{% endif %}
# Supplemental configuration
#
# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/*.conf

1
library/centos/roles/httpd/templates/letsencrypt-proxy.conf.j2 Normal file
View File

@ -0,0 +1 @@
ProxyPass "/.well-known/acme-challenge" "http://127.0.0.1:{{ letsencrypt_acme_standalone_port}}/.well-known/acme-challenge"

51
library/centos/roles/kvm/defaults/main.yml Normal file
View File

@ -0,0 +1,51 @@
---
virtualization_pkg_state: latest
virtualization_packages:
- qemu-kvm
- libvirt
- bridge-utils
- virt-install
virtualization_centos6_packages:
- python-virtinst
virtualization_centos_netinst_url: "http://mi.mirror.garr.it/mirrors/CentOS/7/os/x86_64/"
virtualization_os_boot_dir: /var/lib/libvirt/boot
virtualization_os_boot_images:
- "http://mi.mirror.garr.it/mirrors/CentOS/7.0.1406/isos/x86_64/CentOS-7.0-1406-x86_64-Minimal.iso"
- "http://mi.mirror.garr.it/mirrors/CentOS/5.11/isos/x86_64/CentOS-5.11-x86_64-netinstall.iso"
- "http://cdimage.debian.org/debian-cd/7.7.0/amd64/iso-cd/debian-7.7.0-amd64-netinst.iso"
- "http://releases.ubuntu.com/14.04.1/ubuntu-14.04.1-server-amd64.iso"
virtualization_activate_forwarding: True
virtualization_disable_nfs: True
virtualization_nfs_services_to_be_disabled:
- nfslock
- rpcbind
- gssproxy
virtualization_disable_iscsi: True
virtualization_iscsi_services_to_be_disabled:
- iprupdate
- iprinit
- iprdump
- iscsid
# Set this to false if ganeti is used for VM management
virtualization_enable_libvirtd: True
virtualization_services_to_be_enabled:
- libvirtd
virtualization_sysctl_tuning:
- { name: 'net.ipv4.ip_forward', value: '1', state: 'present' }
virtualization_kvm_create_lvm_pv: False
virtualization_kvm_create_lvm_vg: False
virtualization_kvm_lvm_pv:
- /dev/fake_disk_1
virtualization_kvm_lvm_vg: vgxen
# Disable tuned on the host
centos_tuned_enabled: False

49
library/centos/roles/kvm/tasks/main.yml Normal file
View File

@ -0,0 +1,49 @@
---
- name: Install the virtualization packages
yum: name={{ item }} state={{ virtualization_pkg_state }}
with_items: virtualization_packages
tags: kvm
- name: Enable libvirtd when needed
service: name={{ item }} state=started enabled=yes
with_items: virtualization_services_to_be_enabled
when: virtualization_enable_libvirtd
tags: [ 'kvm', 'libvirt' ]
- name: Disable nfs
service: name={{ item }} state=stopped enabled=no
with_items: virtualization_nfs_services_to_be_disabled
when: virtualization_disable_nfs
tags: [ 'kvm', 'nfs' ]
- name: Disable iscsi
service: name={{ item }} state=stopped enabled=no
with_items: virtualization_iscsi_services_to_be_disabled
when: virtualization_disable_iscsi
tags: [ 'kvm' , 'iscsi' ]
- name: Set some kernel parameters needed by virtualization. IP forwarding for example, if we need NAT
sysctl: name={{ item.name }} state={{ item.state }} value={{ item.value }} sysctl_file=/etc/sysctl.d/90-virtualization.conf reload=yes sysctl_set=yes
with_items: virtualization_sysctl_tuning
tags: kvm
- name: Collect the ISO boot images
get_url: url="{{ item }}" dest={{ virtualization_os_boot_dir }}/
with_items: virtualization_os_boot_images
tags: [ 'kvm', 'iso_images' ]
- name: Create the LVM PV
command: pvcreate {{ item }}
with_items: virtualization_kvm_lvm_pv
when: virtualization_kvm_create_lvm_pv
tags: [ 'kvm', 'lvm_pv' ]
- name: Create the LVM VG to be used by the virtual guests
lvg: vg={{ virtualization_kvm_lvm_vg }} pvs={{ item }}
with_items: virtualization_kvm_lvm_pv
when: virtualization_kvm_create_lvm_vg
tags: [ 'kvm', 'lvm_vg' ]
- name: Fix the /dev/kvm permissions
file: dest=/dev/kvm owner=root group=kvm mode=0660
tags: kvm

38
library/centos/roles/letsencrypt-acmetool-client/defaults/main.yml Normal file
View File

@ -0,0 +1,38 @@
---
# https://copr.fedorainfracloud.org/coprs/hlandau/acmetool/
letsencrypt_acme_install: True
letsencrypt_acme_pkgs:
- acmetool
- libcap
letsencrypt_acme_repo_ver: 7
letsencrypt_acme_repo_name: 'hlandau-acmetool-epel-{{ letsencrypt_acme_repo_ver }}.repo'
letsencrypt_acme_repo_url: 'https://copr.fedorainfracloud.org/coprs/hlandau/acmetool/repo/epel-{{ letsencrypt_acme_repo_ver }}/{{ letsencrypt_acme_repo_name }}'
letsencrypt_acme_user: acme
letsencrypt_acme_user_home: /var/lib/acme
letsencrypt_acme_log_dir: /var/log/acme
letsencrypt_acme_command: acmetool
letsencrypt_acme_command_opts: '--batch --xlog.syslog --xlog.severity=info'
letsencrypt_acme_config_dir: '{{ letsencrypt_acme_user_home }}/conf'
letsencrypt_acme_certsconf_dir: '{{ letsencrypt_acme_user_home }}/desired'
letsencrypt_acme_certs_dir: '{{ letsencrypt_acme_user_home }}/live/{{ ansible_fqdn }}'
# The various services maintainers need to put the reconfigure/restart scripts there
letsencrypt_acme_services_scripts_dir: /usr/lib/acme/hooks
# responses parameters
letsencrypt_tos_url: 'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
letsencrypt_acme_agree_tos: true
letsencrypt_acme_rsa_key_size: 4096
# rsa|ecdsa
letsencrypt_acme_key_type: ecdsa
letsencrypt_acme_ecdsa_curve: nistp256
letsencrypt_acme_email: sysadmin@example.com
# We 'listener' or 'proxy'. Use 'listener' if we need a certificate for a non web service or before the web service has been configured.
# Need to set cap_net_bind_service=+ep for the acmetool binary so that it is able to bind port 80 in that case.
letsencrypt_acme_authenticator: listener
# desired parameters
letsencrypt_acme_domains:
- '{{ ansible_fqdn }}'
letsencrypt_acme_standalone_port: 4402

8
library/centos/roles/letsencrypt-acmetool-client/handlers/main.yml Normal file
View File

@ -0,0 +1,8 @@
---
- name: Initialize letsencrypt acmetool
become: True
become_user: '{{ letsencrypt_acme_user }}'
command: '/usr/local/bin/acme-cert-request > {{ letsencrypt_acme_log_dir }}/acme-cron.log 2>&1'
when: letsencrypt_acme_install
ignore_errors: True

3
library/centos/roles/letsencrypt-acmetool-client/meta/main.yml Normal file
View File

@ -0,0 +1,3 @@
---
dependencies:
- role: '../../library/centos/roles/self-signed-cert'

76
library/centos/roles/letsencrypt-acmetool-client/tasks/main.yml Normal file
View File

@ -0,0 +1,76 @@
---
- block:
- name: Install the letsencrypt acmetool repo on CentOS
get_url: url={{ letsencrypt_acme_repo_url }} dest=/etc/yum.repos.d/{{ letsencrypt_acme_repo_name }}
notify: Initialize letsencrypt acmetool
- name: Create the letsencrypt acme user
user: name={{ letsencrypt_acme_user }} home={{ letsencrypt_acme_user_home }} createhome=no shell=/bin/nologin system=yes
- name: Create the letsencrypt acme home, if it does not exist already. In a separate step because it could be already there.
file: dest={{ letsencrypt_acme_user_home }} owner={{ letsencrypt_acme_user }} group={{ letsencrypt_acme_user }} state=directory recurse=yes
- name: Install the letsencrypt acmetool package and some deps
yum: pkg={{ letsencrypt_acme_pkgs }} state=present
- name: Create the letsencrypt acme config directory
become: True
become_user: '{{ letsencrypt_acme_user }}'
file: dest={{ letsencrypt_acme_config_dir }} state=directory mode=0755
- name: Create the letsencrypt acme desired domains directory
become: True
become_user: '{{ letsencrypt_acme_user }}'
file: dest={{ letsencrypt_acme_certsconf_dir }} state=directory mode=0755
- name: Create the letsencrypt acme hooks directory
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root mode=0755
- name: Install a default file that shell scripts can include
template: src=letsencrypt-default.j2 dest=/etc/default/letsencrypt owner=root group=root mode=0644
- name: Install the letsencrypt acme responses file
become: True
become_user: '{{ letsencrypt_acme_user }}'
template: src=responses.j2 dest={{ letsencrypt_acme_config_dir }}/responses mode=0644
tags: [ 'letsencrypt', 'letsencrypt_responses' ]
- name: Install the letsencrypt acme certs config file
become: True
become_user: '{{ letsencrypt_acme_user }}'
template: src=cert-requirements.j2 dest={{ letsencrypt_acme_certsconf_dir }}/{{ ansible_fqdn }} mode=0644
- name: Set the cap_net_bind_service capability to the acmetool binary when we use it in listener mode
capabilities: path=/usr/bin/acmetool capability=cap_net_bind_service+ep state=present
when:
- letsencrypt_acme_install
- letsencrypt_acme_authenticator == 'listener'
- name: Remove the cap_net_bind_service capability to the acmetool binary if not needed
capabilities: path=/usr/bin/acmetool capability=cap_net_bind_service+ep state=absent
when:
- letsencrypt_acme_install
- letsencrypt_acme_authenticator != 'listener'
ignore_errors: True
- name: Install the sudoers config needed to run the acmetool hooks
template: src=acme-sudoers.j2 dest=/etc/sudoers.d/letsencrypt-acme owner=root group=root mode=0440
- name: Create a directory where to put the cron job and hooks logs
file: dest={{ letsencrypt_acme_log_dir }} state=directory owner={{ letsencrypt_acme_user }} group={{ letsencrypt_acme_user }} mode=0750
- name: Install a script that requests the certificates and manage the self signed certificate
template: src=acme-cert-request.sh.j2 dest=/usr/local/bin/acme-cert-request owner=root group=root mode=0755
- name: Install a daily cron job to renew the certificates when needed
cron: name="Letsencrypt certificate renewal" special_time=daily job="/usr/local/bin/acme-cert-request > {{ letsencrypt_acme_log_dir }}/acme-cron.log 2>&1" user={{ letsencrypt_acme_user }}
- name: letsencrypt acmetool request the first certificate
become: True
become_user: '{{ letsencrypt_acme_user }}'
shell: '/usr/local/bin/acme-cert-request > {{ letsencrypt_acme_log_dir }}/acme-init.log 2>&1'
ignore_errors: True
when: letsencrypt_acme_install
tags: letsencrypt

28
library/centos/roles/letsencrypt-acmetool-client/templates/acme-cert-request.sh.j2 Normal file
View File

@ -0,0 +1,28 @@
#!/bin/bash
TMP_DIR=/var/tmp/acmetool
BASE_DIR=/var/lib/acme
RETVAL=
if [ -d $BASE_DIR/keys/fakeselfsignedcert -a -d $BASE_DIR/certs/fakeselfsignedcert ] ; then
mkdir -p $TMP_DIR/{keys,certs}
mv $BASE_DIR/keys/fakeselfsignedcert $TMP_DIR/keys
mv $BASE_DIR/certs/fakeselfsignedcert $TMP_DIR/certs
/bin/rm live/{{ ansible_fqdn }}
{{ letsencrypt_acme_command }} {{ letsencrypt_acme_command_opts }} quickstart
fi
{{ letsencrypt_acme_command }} {{ letsencrypt_acme_command_opts }} reconcile
RETVAL=$?
if [ -d $TMP_DIR ] ; then
if [ $RETVAL -ne 0 ] ; then
mv $TMP_DIR/keys/fakeselfsignedcert $BASE_DIR/keys
mv $TMP_DIR/certs/fakeselfsignedcert $BASE_DIR/certs
cd $BASE_DIR/live
ln -s ../certs/fakeselfsignedcert {{ ansible_fqdn }}
fi
rm -fr $TMP_DIR
fi
exit $RETVAL

2
library/centos/roles/letsencrypt-acmetool-client/templates/acme-sudoers.j2 Normal file
View File

@ -0,0 +1,2 @@
{{ letsencrypt_acme_user }} ALL=(root) NOPASSWD: {{ letsencrypt_acme_services_scripts_dir }}/

20
library/centos/roles/letsencrypt-acmetool-client/templates/cert-requirements.j2 Normal file
View File

@ -0,0 +1,20 @@
satisfy:
names:
{% for d in letsencrypt_acme_domains %}
- {{ d }}
{% endfor %}
request:
challenge:
http-ports:
- {{ letsencrypt_acme_standalone_port }}
key:
type: {{ letsencrypt_acme_key_type }}
{% if letsencrypt_acme_key_type == 'rsa' %}
rsa-size: {{ letsencrypt_acme_rsa_key_size }}
{% else %}
ecdsa-curve: {{ letsencrypt_acme_ecdsa_curve }}
{% endif %}

4
library/centos/roles/letsencrypt-acmetool-client/templates/letsencrypt-default.j2 Normal file
View File

@ -0,0 +1,4 @@
LE_EMAIL={{ letsencrypt_acme_email }}
LE_SERVICES_SCRIPT_DIR={{ letsencrypt_acme_services_scripts_dir }}
LE_CERTS_DIR={{ letsencrypt_acme_certs_dir }}
LE_LOG_DIR={{ letsencrypt_acme_log_dir }}

13
library/centos/roles/letsencrypt-acmetool-client/templates/responses.j2 Normal file
View File

@ -0,0 +1,13 @@
"acme-enter-email": "{{ letsencrypt_acme_email }}"
"acme-agreement:{{ letsencrypt_tos_url }}": {{ letsencrypt_acme_agree_tos }}
# https://acme-staging.api.letsencrypt.org/directory is the staging site.
# This is the production site
"acmetool-quickstart-choose-server": https://acme-v01.api.letsencrypt.org/directory
"acmetool-quickstart-choose-method": {{ letsencrypt_acme_authenticator }}
"acmetool-quickstart-complete": true
"acmetool-quickstart-install-cronjob": false
"acmetool-quickstart-install-haproxy-script": false
"acmetool-quickstart-install-redirector-systemd": false
"acmetool-quickstart-key-type": {{ letsencrypt_acme_key_type }}
"acmetool-quickstart-rsa-key-size": {{ letsencrypt_acme_rsa_key_size }}
"acmetool-quickstart-ecdsa-curve": {{ letsencrypt_acme_ecdsa_curve }}

49
library/centos/roles/mariadb/defaults/main.yml Normal file
View File

@ -0,0 +1,49 @@
---
mysql_server_install: False
mysql_enabled: True
mysql_pkg_state: present
mysql_conf_dir: /etc/mysql/conf.d
mysql_socket: /var/run/mysqld/mysqld.sock
mysql_data_dir: /var/lib/mysql
mysql_log_dir: /var/log/mysql
# MySQL-python is needed by ansible to manage users and databases
mysql_packages_list:
- mariadb
- mariadb-server
- innotop
- mytop
- MySQL-python
mysql_db_name: db_name
mysql_db_user: db_user
mysql_db_pwd: "We cannot save the password into the repository. Use another variable and change pgpass.j2 accordingly. Encrypt the file that contains the variable with ansible-vault"
# Alternatives: utf8
mysql_default_encoding: utf8mb4
# Alternatives: utf8_unicode_ci utf8_bin
mysql_default_collation: utf8mb4_unicode_ci
mysql_db_host: localhost
mysql_db_port: 3306
mysql_db_max_connections: 100
mysqld_db_read_buffer_size: 128K
mysql_db_read_rnd_buffer_size: 256K
mysql_db_innodb_data_file_path: 'ibdata1:10M:autoextend'
mysql_db_innodb_buffer_pool_size: 256M
mysql_db_innodb_additional_mem_pool_size: 5M
# Set .._log_file_size to 25 % of buffer pool size
mysql_db_innodb_log_file_size: 64M
mysql_db_innodb_log_buffer_size: 9M
mysql_safe_open_files_limit: 1024
mysql_listen_on_ext_int: False
#mysql_db_data:
# - { name: '{{ mysql_db_name }}', collation: '{{ mysql_default_collation }}', encoding: '{{ mysql_default_encoding }}', user: '{{ mysql_db_user }}', pwd: '{{ mysql_db_pwd }}', user_grant: 'ALL', allowed_hosts: [ 'localhost', 'yyy.yyy.yyy.yyy/32' ] }
mysql_backup_use_nagios: True
mysql_backup_logdir: '{{ mysql_log_dir }}'
mysql_backup_logfile: '{{ mysql_backup_logdir }}/my_backup.log'
mysql_backup_retain_copies: 2
mysql_backup_destdir: /var/lib/mysql-backup
mysql_backup_exclude_list: "performance_schema"

11
library/centos/roles/mariadb/files/mysql-backup.cron Executable file
View File

@ -0,0 +1,11 @@
#!/bin/bash
LOG_FILE=/var/log/mysql-backup.log
if [ -x /etc/cron.daily/duplicity_backup ] ; then
echo "duplicity backups active. Exiting" > $LOG_FILE
exit 0
fi
/usr/local/sbin/mysql-backup > $LOG_FILE 2>&1
exit 0

77
library/centos/roles/mariadb/files/mysql-backup.sh Executable file
View File

@ -0,0 +1,77 @@
#!/bin/bash
RETVAL=0
MY_BACKUP_USE_NAGIOS="False"
MY_BACKUP_DIR=/var/lib/mysql-backup
MY_DATA_DIR=/var/lib/mysql
N_DAYS_TO_SPARE=7
# Exclude list
EXCLUDE_LIST='performance_schema'
if [ -f /etc/sysconfig/mysql_backup ] ; then
. /etc/sysconfig/mysql_backup
fi
if [ ! -f /root/.my.cnf ] ; then
exit 1
fi
umask 0077
# Year month day - hour minute second
SAVE_TIME=$( date +%Y%m%d-%H%M%S )
TIMESTAMP=
TIMESTAMP_LOG=$MY_BACKUP_DIR/.timestamp
if [ ! -d $MY_BACKUP_DIR ] ; then
mkdir -p $MY_BACKUP_DIR
fi
if [ ! -d $MY_BACKUP_LOG_DIR ] ; then
mkdir -p $MY_BACKUP_LOG_DIR
fi
if [ ! -d $MY_BACKUP_DIR/history ] ; then
mkdir -p $MY_BACKUP_DIR/history
fi
chmod 700 $MY_BACKUP_DIR
LOCKFILE=$MY_DATA_DIR/.mysqldump.lock
NAGIOS_LOG=$MY_BACKUP_DIR/.nagios-status
if [ ! -f $LOCKFILE ] ; then
touch $LOCKFILE
if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then
> $NAGIOS_LOG
fi
for db in $( mysql -Bse "show databases;" | grep -v $EXCLUDE_LIST ) ; do
mysqldump -f --flush-privileges --opt $db > $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} 2> $MY_BACKUP_LOG_DIR/$db.log
DUMP_RESULT=$?
chmod 600 $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME}
if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then
if [ $DUMP_RESULT -ne 0 ] ; then
echo "$db:FAILED" >> $NAGIOS_LOG
RETVAL=$DUMP_RESULT
else
echo "$db:OK" >> $NAGIOS_LOG
fi
fi
pushd ${MY_BACKUP_DIR}/ >/dev/null 2>&1
rm -f $db.sql
ln -s $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} ./$db.sql
popd >/dev/null 2>&1
done
# Do a "flush-hosts" after the backup
mysqladmin flush-hosts 2> $MY_BACKUP_LOG_DIR/flush-hosts.log
TIMESTAMP=$( date +%s )
echo "$TIMESTAMP" > $TIMESTAMP_LOG
rm -f $LOCKFILE
else
echo "Old backup still running" > /var/log/mysql-backup.log
RETVAL=2
if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then
echo "old backup still running:WARNING" >> $NAGIOS_LOG
fi
fi
# Remove the old backups
find ${MY_BACKUP_DIR}/history -ctime +$N_DAYS_TO_SPARE -exec rm -f {} \;
exit $RETVAL

6
library/centos/roles/mariadb/handlers/main.yml Normal file
View File

@ -0,0 +1,6 @@
---
- name: Restart mariadb
service: name=mariadb state=restarted
- name: Reload mariadb
service: name=mariadb state=reloaded

46
library/centos/roles/mariadb/tasks/configure_root_access.yml Normal file
View File

@ -0,0 +1,46 @@
---
# 'localhost' needs to be the last item for idempotency, the mysql_user docs
- name: Secure the mysql root user
mysql_user: name=root host={{ item }} password={{ mysql_root_password }}
when: mysql_root_password is defined
with_items:
- '{{ ansible_hostname }}'
- 127.0.0.1
- ::1
- localhost
ignore_errors: True
tags:
- mysql
- name: Secure the mysql root user
mysql_user: name=root host={{ item }} password=""
when: mysql_root_password is not defined
with_items:
- '{{ ansible_hostname }}'
- 127.0.0.1
- ::1
- localhost
ignore_errors: True
tags:
- mysql
- name: Install the .my.cnf file with root password credentials
template: src=dot_my.cnf.j2 dest=/root/.my.cnf owner=root group=root mode=0400
when: mysql_root_password is defined
tags:
- mysql
- name: delete anonymous MySQL server user for {{ server_hostname }}
mysql_user: user="" host="{{ ansible_hostname }}" state="absent"
tags:
- mysql
- name: delete anonymous MySQL server user for localhost
mysql_user: user="" state="absent"
tags:
- mysql
- name: remove the MySQL test database
mysql_db: db=test state=absent
tags:
- mysql

8
library/centos/roles/mariadb/tasks/disable-mariadb-service.yml Normal file
View File

@ -0,0 +1,8 @@
---
- name: Stop and disable the mariadb server if we do not want it running
service: name=mariadb state=stopped enabled=no
when: not mysql_enabled
tags:
- mysql
- mariadb

13
library/centos/roles/mariadb/tasks/main.yml Normal file
View File

@ -0,0 +1,13 @@
---
- import_tasks: packages.yml
- import_tasks: mysql-conf.yml
when: mysql_enabled
- import_tasks: disable-mariadb-service.yml
when: not mysql_enabled
- import_tasks: configure_root_access.yml
when: mysql_enabled
- import_tasks: manage_my_db.yml
when: mysql_enabled
- import_tasks: mysql-backup.yml
when: mysql_enabled

21
library/centos/roles/mariadb/tasks/manage_my_db.yml Normal file
View File

@ -0,0 +1,21 @@
---
- name: Add databases to mysql, if any
mysql_db: name={{ item.name }} collation={{ item.collation }} encoding={{ item.encoding }} state=present
with_items: '{{ mysql_db_data }}'
when:
- mysql_db_data is defined
- item.name is defined
tags:
- mysql
- mysql_db
- name: Add a user for the databases
mysql_user: name={{ item.user }} password={{ item.pwd }} host={{ item.allowed_hosts }} priv={{ item.name }}.*:{{ item.user_grant }} state=present
with_items: '{{ mysql_db_data }}'
when:
- mysql_db_data is defined
- item.name is defined
tags:
- mysql
- mysql_db

12
library/centos/roles/mariadb/tasks/mysql-backup.yml Normal file
View File

@ -0,0 +1,12 @@
---
- name: Install a script that performs mysql dumps
copy: src=mysql-backup.sh dest=/usr/local/sbin/mysql-backup owner=root group=root mode=0750
tags: [ 'mysql', 'mysql_backup' ]
- name: Install the mysql backup defaults
template: src=mysql_backup-default.j2 dest=/etc/sysconfig/mysql_backup owner=root group=root mode=0440
tags: [ 'mysql', 'mysql_backup' ]
- name: Cron job that executes mysql nightly backups
copy: src=mysql-backup.cron dest=/etc/cron.daily/mysql-backup owner=root group=root mode=0755
tags: [ 'mysql', 'mysql_backup' ]

13
library/centos/roles/mariadb/tasks/mysql-conf.yml Normal file
View File

@ -0,0 +1,13 @@
---
- name: Install the main configuration files.
template: src={{ item }}.cnf.j2 dest=/etc/my.cnf.d/{{ item }}.cnf owner=root group=root mode=0644
with_items:
- client
- server
- mysql-clients
when: mysql_enabled
notify: Restart mariadb
tags:
- mysql
- mariadb
- mysql-conf

15
library/centos/roles/mariadb/tasks/packages.yml Normal file
View File

@ -0,0 +1,15 @@
---
- name: install the mariadb packages
yum: pkg={{ item }} state={{ mysql_pkg_state }}
with_items: mysql_packages_list
tags:
- mysql
- mariadb
- name: Ensure that the mariadb server is enabled and running
service: name=mariadb state=started enabled=yes
when: mysql_enabled
tags:
- mysql
- mariadb

6
library/centos/roles/mariadb/templates/client.cnf.j2 Normal file
View File

@ -0,0 +1,6 @@
# The following options will be passed to all MariaDB clients
[client]
#password = your_password
port = 3306
socket = /var/lib/mysql/mysql.sock

4
library/centos/roles/mariadb/templates/dot_my.cnf.j2 Normal file
View File

@ -0,0 +1,4 @@
[client]
user=root
password={{ mysql_root_password }}

20
library/centos/roles/mariadb/templates/mysql-clients.cnf.j2 Normal file
View File

@ -0,0 +1,20 @@
[mysql]
[mysql_upgrade]
[mysqladmin]
[mysqlbinlog]
[mysqlcheck]
[mysqldump]
quick
max_allowed_packet = 16M
[mysqlimport]
[mysqlshow]
[mysqlslap]

8
library/centos/roles/mariadb/templates/mysql_backup-default.j2 Normal file
View File

@ -0,0 +1,8 @@
MY_BACKUP_USE_NAGIOS='{{ mysql_backup_use_nagios }}'
MY_BACKUP_LOG_DIR='{{ mysql_backup_logdir }}'
MY_BACKUP_LOG_FILE='{{ mysql_backup_logfile}}'
N_DAYS_TO_SPARE='{{ mysql_backup_retain_copies }}'
MY_BACKUP_DIR='{{ mysql_backup_destdir }}'
MY_DATA_DIR='{{ mysql_data_dir }}'
# Exclude list
EXCLUDE_LIST='{{ mysql_backup_exclude_list }}'

52
library/centos/roles/mariadb/templates/server.cnf.j2 Normal file
View File

@ -0,0 +1,52 @@
# Here follows entries for some specific programs
# The MariaDB server
[mysqld]
port = {{ mysql_db_port }}
socket = /var/lib/mysql/mysql.sock
max_connections = {{ mysql_db_max_connections }}
skip-external-locking
key_buffer_size = 16M
max_allowed_packet = 1M
table_open_cache = 512
sort_buffer_size = 8M
net_buffer_length = 8K
read_buffer_size = {{ mysqld_db_read_buffer_size }}
read_rnd_buffer_size = {{ mysql_db_read_rnd_buffer_size }}
myisam_sort_buffer_size = 16M
# Point the following paths to different dedicated disks
#tmpdir = /tmp/
# Don't listen on a TCP/IP port at all. This can be a security enhancement,
# if all processes that need to connect to mysqld run on the same host.
# All interaction with mysqld must be made via Unix sockets or named pipes.
# Note that using this option without enabling named pipes on Windows
# (via the "enable-named-pipe" option) will render mysqld useless!
#
#skip-networking
# Enable binary logging. This is required for acting as a MASTER in a
# replication configuration. You also need the binary log if you need
# the ability to do point in time recovery from your latest backup.
log-bin=mysql-bin
# binary logging format - mixed recommended
binlog_format=mixed
# Uncomment the following if you are using InnoDB tables
innodb_data_home_dir = /var/lib/mysql
innodb_data_file_path = {{ mysql_db_innodb_data_file_path }}
innodb_log_group_home_dir = /var/lib/mysql
# You can set .._buffer_pool_size up to 50 - 80 %
# of RAM but beware of setting memory usage too high
innodb_buffer_pool_size = {{ mysql_db_innodb_buffer_pool_size }}
innodb_additional_mem_pool_size = {{ mysql_db_innodb_additional_mem_pool_size }}
# Set .._log_file_size to 25 % of buffer pool size
innodb_log_file_size = {{ mysql_db_innodb_log_file_size }}
innodb_log_buffer_size = {{ mysql_db_innodb_log_buffer_size }}
innodb_flush_log_at_trx_commit = 1
innodb_lock_wait_timeout = 50
[mysqld_safe]
open-files-limit = {{ mysql_safe_open_files_limit }}

9
library/centos/roles/memcached/defaults/main.yml Normal file
View File

@ -0,0 +1,9 @@
---
mc_pkg_state: present
mc_enabled: True
mc_port: 11211
mc_user: memcached
mc_maxconn: 1024
mc_cachesize: 256
mc_options: ""

4
library/centos/roles/memcached/handlers/main.yml Normal file
View File

@ -0,0 +1,4 @@
---
- name: Restart memcached
service: name=memcached state=restarted

31
library/centos/roles/memcached/tasks/main.yml Normal file
View File

@ -0,0 +1,31 @@
---
- name: Install the memcached package
yum: pkg={{ item }} state={{ mc_pkg_state }}
with_items:
- memcached
tags:
- memcache
- memcached
- name: Install the memcached sysconfig file
template: src={{ item }}.sysconfig.j2 dest=/etc/sysconfig/{{ item }} owner=root group=root mode=0444
with_items:
- memcached
notify: Restart memcached
tags:
- memcache
- memcached
- name: Ensure that the memcached service is started and enabled
service: name=memcached state=started enabled=yes
when: mc_enabled
tags:
- memcache
- memcached
- name: Ensure that the memcached service is stopped and disabled
service: name=memcached state=stopped enabled=no
when: not mc_enabled
tags:
- memcache
- memcached

5
library/centos/roles/memcached/templates/memcached.sysconfig.j2 Normal file
View File

@ -0,0 +1,5 @@
PORT="{{ mc_port }}"
USER="{{ mc_user }}"
MAXCONN="{{ mc_maxconn }}"
CACHESIZE="{{ mc_cachesize }}"
OPTIONS="{{ mc_options }}"

113
library/centos/roles/nginx/defaults/main.yml Normal file
View File

@ -0,0 +1,113 @@
---
nginx_enabled: True
nginx_package_state: installed
# See https://mozilla.github.io/server-side-tls/ssl-config-generator/
nginx_ssl_level: intermediate
nginx_snippets_dir: /etc/nginx/snippets
nginx_default_conf_dir: /etc/nginx/default.d
nginx_conf_snippets:
- nginx-compression.conf
- nginx-websockets.conf
- nginx-browser-cache.conf
- letsencrypt-proxy.conf
- nginx-proxy-params.conf
- nginx-server-ssl.conf
- nginx-cors.conf
nginx_old_snippets:
- compression.conf
nginx_workers: 4
nginx_worker_connections: 1024
nginx_multi_accept: 'off'
nginx_worker_rlimit_nofile: 2048
nginx_server_tokens: 'off'
nginx_large_client_header_buffers: 4 8k
nginx_enable_compression: True
nginx_gzip_vary: "on"
nginx_gzip_proxied: any
nginx_gzip_comp_level: 6
nginx_gzip_buffers: 16 8k
nginx_gzip_http_version: 1.1
nginx_gzip_types: "text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript"
nginx_enable_browser_cache: True
nginx_cache_control: public
nginx_html_cache_expire: -1
nginx_feed_cache_expire_enabled: False
nginx_feed_cache_expire: 1h
nginx_media_cache_expire: 1M
nginx_css_js_cache_expire: -1
nginx_reverse_proxy: False
nginx_define_x_real_ip: False
nginx_proxy_buffering: "on"
nginx_proxy_redirect: "off"
nginx_proxy_buffer_size: 128k
nginx_proxy_buffers: '4 {{ nginx_proxy_buffer_size }}'
nginx_proxy_busy_buffers_size: 256k
nginx_proxy_connect_timeout: 30s
nginx_proxy_read_timeout: 480s
nginx_proxy_send_timeout: 120s
nginx_proxy_temp_file_write_size: '{{ nginx_proxy_buffer_size }}'
nginx_client_max_body_size: 100M
nginx_client_body_timeout: 240s
nginx_cors_limit_origin: True
nginx_cors_extended_rules: False
nginx_cors_acl_origin: 'http?://(localhost)'
# Find a set of acceptable defaults for the cache setup
nginx_cache_enabled: False
nginx_use_ldap_pam_auth: False
nginx_pam_svc_name: nginx
nginx_ldap_uri: "ldap://ldap.example.org"
nginx_ldap_base_dn: "dc=example,dc=org"
nginx_basic_auth: False
nginx_basic_auth_users:
- { name: 'test', pwd: 'hide inside a vault file', file: '/etc/nginx/htpasswd' }
# nginx_ldap_login_attribute: uid
# nginx_ldap_pam_groupdn:
nginx_letsencrypt_managed: True
nginx_websockets_support: False
nginx_use_common_virthost: False
# Use 'ssl http2' if the nginx version supports it
nginx_ssl_type: ssl http2
# When we do not use letsencrypt:
# nginx_ssl_cert_file: '{{ pki_dir }}/certs/nginx.crt'
# nginx_ssl_cert_key: '{{ pki_dir }}/keys/nginx.key'
# Virtualhost example
# nginx_virthosts:
# - virthost_name: '{{ ansible_fqdn }}'
# listen: '{{ http_port }}'
# server_name: '{{ ansible_fqdn }}'
# server_aliases: ''
# index: index.html
# error_page: /path_to_error_page.html
# ssl_enabled: False
# ssl_only: False
# ssl_letsencrypt_certs: '{{ nginx_letsencrypt_managed }}'
# root: /usr/share/nginx/html/
# server_tokens: 'off'
# proxy_standard_setup: True
# proxy_additional_options:
# - 'proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m;'
# proxies:
# - location: /
# target: http://localhost:{{ local_http_port }};
#
# extra_parameters: |
# location ~ \.php$ {
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
# fastcgi_pass unix:/var/run/php5-fpm.sock;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# include fastcgi_params;
# }

25
library/centos/roles/nginx/files/nginx-letsencrypt-acme.sh Normal file
View File

@ -0,0 +1,25 @@
#!/bin/bash
LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
LE_LOG_DIR=/var/log/letsencrypt
DATE=$( date )
[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
echo "$DATE" >> $LE_LOG_DIR/nginx.log
if [ -f /etc/default/letsencrypt ] ; then
. /etc/default/letsencrypt
else
echo "No letsencrypt default file" >> $LE_LOG_DIR/nginx.log
fi
echo "Reload the nginx service" >> $LE_LOG_DIR/nginx.log
if [ -x /bin/systemctl ] ; then
systemctl reload nginx >> $LE_LOG_DIR/nginx.log 2>&1
else
service nginx reload >> $LE_LOG_DIR/nginx.log 2>&1
fi
echo "Done." >> $LE_LOG_DIR/nginx.log
exit 0

26
library/centos/roles/nginx/files/nginx.pam Normal file
View File

@ -0,0 +1,26 @@
#
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so
auth requisite pam_deny.so
auth required pam_permit.so
#
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
#
password [success=1 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
#
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_ldap.so

7
library/centos/roles/nginx/handlers/main.yml Normal file
View File

@ -0,0 +1,7 @@
---
- name: Reload nginx
service: name=nginx state=reloaded
- name: Restart nginx
service: name=nginx state=restarted

12
library/centos/roles/nginx/tasks/basic-auth.yml Normal file
View File

@ -0,0 +1,12 @@
---
- block:
- name: Install the python passlib library
apt: pkg=python-passlib state=present update_cache=yes cache_valid_time=3600
- name: Create the htpasswd file needed by the basic auth
htpasswd: path={{ item.file | default ('/etc/nginx/htpasswd') }} name={{ item.name }} password={{ item.pwd }} state={{ item.state | default('present') }} crypt_scheme={{ item.crypt | default('sha256_crypt') }}
with_items: '{{ nginx_basic_auth_users }}'
when: nginx_basic_auth
tags: nginx

21
library/centos/roles/nginx/tasks/main.yml Normal file
View File

@ -0,0 +1,21 @@
---
- import_tasks: nginx.yml
- import_tasks: nginx-config.yml
- import_tasks: nginx-virtualhosts.yml
when: nginx_use_common_virthost
- import_tasks: nginx-letsencrypt.yml
when: letsencrypt_acme_install is defined and letsencrypt_acme_install
- import_tasks: basic-auth.yml
- import_tasks: pam-ldap.yml
- name: Ensure that the webserver is running and enabled at boot time
service: name=nginx state=started enabled=yes
when: nginx_enabled
ignore_errors: True
tags: nginx
- name: Ensure that the webserver is stopped and disabled
service: name=nginx state=stopped enabled=no
when: not nginx_enabled
ignore_errors: True
tags: nginx

29
library/centos/roles/nginx/tasks/nginx-config.yml Normal file
View File

@ -0,0 +1,29 @@
---
- block:
- name: Create the snippets directory
file: dest={{ nginx_snippets_dir }} state=directory
- name: Create the pki directory
file: dest={{ {{ pki_dir }}/nginx }} state=directory
- name: Create a dhparams file 2048 bits long
shell: openssl dhparam -out {{ pki_dir }}/nginx/dhparams.pem 2048
args:
creates: '{{ pki_dir }}/nginx/dhparams.pem'
when: nginx_ssl_level == 'intermediate'
notify: Reload nginx
- name: Install the supported configuration snippets
template: src={{ item }}.j2 dest=/etc/nginx/snippets/{{ item }} owner=root group=root mode=0444
with_items: '{{ nginx_conf_snippets }}'
- name: Install the main nginx.conf
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=444
notify: Reload nginx
- name: Remove the old configuration snippets
file: dest=/etc/nginx/conf.d/{{ item }} state=absent
with_items: '{{ nginx_old_snippets }}'
when: nginx_enabled
tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ]

20
library/centos/roles/nginx/tasks/nginx-letsencrypt.yml Normal file
View File

@ -0,0 +1,20 @@
---
- block:
- name: Create the acme hooks directory if it does not yet exist
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
- name: Install a letsencrypt hook for nginx
copy: src=nginx-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/nginx owner=root group=root mode=4555
when:
- letsencrypt_acme_install is defined and letsencrypt_acme_install
- nginx_letsencrypt_managed
tags: [ 'nginx', 'letsencrypt' ]
- block:
- name: Remove the letsencrypt hook for nginx
file: path={{ letsencrypt_acme_services_scripts_dir }}/nginx state=absent
when: not nginx_letsencrypt_managed
tags: [ 'nginx', 'letsencrypt' ]

7
library/centos/roles/nginx/tasks/nginx-virtualhosts.yml Normal file
View File

@ -0,0 +1,7 @@
---
- name: Install the nginx virtualhost files
template: src=nginx-virthost.j2 dest=/etc/nginx/conf.d/{{ item.virthost_name }}.conf owner=root group=root mode=0444
with_items: '{{ nginx_virthosts | default(omit) }}'
notify: Reload nginx
tags: [ 'nginx', 'virtualhost' ]

7
library/centos/roles/nginx/tasks/nginx.yml Normal file
View File

@ -0,0 +1,7 @@
---
- name: Install the nginx web server
yum: pkg={{ item }} state={{ nginx_package_state }}
with_items:
- nginx
tags: nginx

8
library/centos/roles/nginx/tasks/pam-ldap.yml Normal file
View File

@ -0,0 +1,8 @@
---
- name: Install pam service for nginx
copy: src=nginx.pam dest=/etc/pam.d/{{ nginx_pam_svc_name }}
notify: Reload nginx
when: nginx_use_ldap_pam_auth
tags:
- nginx

16
library/centos/roles/nginx/templates/ldap.conf.j2 Normal file
View File

@ -0,0 +1,16 @@
# The distinguished name of the search base.
base {{ nginx_ldap_base_dn }}
# Another way to specify your LDAP server is to provide an
uri {{ nginx_ldap_uri }}
if {% nginx_ldap_login_attribute is defined %}
pam_login_attribute {{ nginx_ldap_login_attribute }}
{% endif %}
if {% nginx_ldap_pam_groupdn is defined %}
pam_groupdn
{% endif %}
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data

9
library/centos/roles/nginx/templates/letsencrypt-proxy.conf.j2 Normal file
View File

@ -0,0 +1,9 @@
# Include this one inside a "server" directive listening on port 80, this way:
# include /etc/nginx/snippets/letsencrypt-proxy.conf;
location ^~ /.well-known/acme-challenge {
proxy_pass http://127.0.0.1:{{ letsencrypt_acme_standalone_port | default('4402') }}/.well-known/acme-challenge;
access_log /var/log/nginx/letsencrypt_acmetool_access.log;
error_log /var/log/nginx/letsencrypt_acmetool_error.log;
}

27
library/centos/roles/nginx/templates/nginx-browser-cache.conf.j2 Normal file
View File

@ -0,0 +1,27 @@
# include inside a 'server' directive
#
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
expires {{ nginx_html_cache_expire }};
}
{% if nginx_feed_cache_expire_enabled %}
#
location ~* \.(?:rss|atom)$ {
expires {{ nginx_feed_cache_expire }};
add_header Cache-Control "{{ nginx_cache_control }}";
}
{% endif %}
#
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
expires {{ nginx_media_cache_expire }};
access_log off;
add_header Cache-Control "{{ nginx_cache_control }}";
}
#
location ~* \.(?:css|js)$ {
expires {{ nginx_css_js_cache_expire }};
access_log off;
add_header Cache-Control "{{ nginx_cache_control }}";
}

6
library/centos/roles/nginx/templates/nginx-compression.conf.j2 Normal file
View File

@ -0,0 +1,6 @@
gzip_vary {{ nginx_gzip_vary }};
gzip_proxied {{ nginx_gzip_proxied }};
gzip_comp_level {{ nginx_gzip_comp_level }};
gzip_buffers {{ nginx_gzip_buffers }};
gzip_http_version {{ nginx_gzip_http_version }};
gzip_types {{ nginx_gzip_types }};

60
library/centos/roles/nginx/templates/nginx-cors.conf.j2 Normal file
View File

@ -0,0 +1,60 @@
{% if nginx_cors_extended_rules %}
if ($request_method = 'OPTIONS') {
{% if nginx_cors_limit_origin %}
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
add_header 'Access-Control-Allow-Credentials' 'true';
{% else %}
add_header 'Access-Control-Allow-Origin' '*';
{% endif %}
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
#
# Custom headers and headers various browsers *should* be OK with but aren't
#
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
#
# Tell client that this pre-flight info is valid for 20 days
#
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
if ($request_method = 'POST') {
{% if nginx_cors_limit_origin %}
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
add_header 'Access-Control-Allow-Credentials' 'true';
{% else %}
add_header 'Access-Control-Allow-Origin' '*';
{% endif %}
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
}
if ($request_method = 'GET') {
{% if nginx_cors_limit_origin %}
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
add_header 'Access-Control-Allow-Credentials' 'true';
{% else %}
add_header 'Access-Control-Allow-Origin' '*';
{% endif %}
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
}
{% else %}
{% if nginx_cors_limit_origin %}
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
add_header 'Access-Control-Allow-Credentials' 'true';
{% else %}
add_header 'Access-Control-Allow-Origin' '*';
{% endif %}
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With';
{% if nginx_cors_limit_origin %}
}
if ($request_method = 'OPTIONS') {
return 204;
}
{% endif %}
{% endif %}

25
library/centos/roles/nginx/templates/nginx-proxy-params.conf.j2 Normal file
View File

@ -0,0 +1,25 @@
# Proxy stuff
# include /etc/nginx/snippets/nginx-proxy-params.conf;
proxy_http_version 1.1;
{% if haproxy_ips is defined %}
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $remote_addr;
proxy_set_header X-Forwarded-Server $host;
{% else %}
proxy_set_header Host $host;
{% if nginx_define_x_real_ip %}
proxy_set_header X-Real-IP $remote_addr;
{% endif %}
{% endif %}
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering {{ nginx_proxy_buffering }};
proxy_buffer_size {{ nginx_proxy_buffer_size }};
proxy_buffers {{ nginx_proxy_buffers }};
proxy_busy_buffers_size {{ nginx_proxy_busy_buffers_size }};
proxy_temp_file_write_size {{ nginx_proxy_temp_file_write_size }};
proxy_redirect {{ nginx_proxy_redirect }};
proxy_connect_timeout {{ nginx_proxy_connect_timeout }};
proxy_read_timeout {{ nginx_proxy_read_timeout }};
proxy_send_timeout {{ nginx_proxy_send_timeout }};

24
library/centos/roles/nginx/templates/nginx-server-ssl.conf.j2 Normal file
View File

@ -0,0 +1,24 @@
{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}
ssl_certificate {{ letsencrypt_acme_certs_dir }}/fullchain;
ssl_certificate_key {{ letsencrypt_acme_certs_dir }}/privkey;
{% else %}
ssl_certificate {{ nginx_ssl_cert_file | default('/etc/nginx/ssl/server.crt') }};
ssl_certificate_key {{ nginx_ssl_cert_key | default ('/etc/nginx/ssl/server.key') }};
{% endif %}
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
{% if nginx_ssl_level == 'intermediate' %}
ssl_dhparam {{ pki_dir }}/nginx/dhparams.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
{% endif %}
{% if nginx_ssl_level == 'modern' %}
ssl_session_tickets off;
# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
{% endif %}
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;

184
library/centos/roles/nginx/templates/nginx-virthost.j2 Normal file
View File

@ -0,0 +1,184 @@
server {
listen {{ item.http_port | default (80) }};
server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
{% if letsencrypt_acme_install %}
include /etc/nginx/snippets/letsencrypt-proxy.conf;
{% endif %}
{% if item.access_log is defined %}
access_log {{ item.access_log }};
{% else %}
access_log /var/log/nginx/{{ item.server_name }}_access.log;
{% endif %}
{% if item.error_log is defined %}
error_log {{ item.error_log }};
{% else %}
error_log /var/log/nginx/{{ item.server_name }}_error.log;
{% endif %}
server_tokens {{ item.server_tokens | default('off') }};
{% if item.ssl_enabled and item.ssl_only %}
location / {
return 301 https://{{ item.server_name }}$request_uri;
}
{% else %}
# This is the default for nginx on Ubuntu 14.04
root {{ item.root | default('/usr/share/nginx/html/') }};
index {{ item.index | default('index.html index.htm') }};
error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }};
location = /50x.html {
root /usr/share/nginx/html;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
{% if haproxy_ips is defined %}
# We are behind haproxy
{% for ip in haproxy_ips %}
set_real_ip_from {{ ip }};
{% endfor %}
real_ip_header X-Forwarded-For;
{% endif %}
{% if item.max_body is defined %}
client_max_body_size {{ item.max_body }};
{% else %}
client_max_body_size {{ nginx_client_max_body_size }};
{% endif %}
{% if item.body_timeout is defined %}
client_body_timeout {{ item.body_timeout }};
{% else %}
client_body_timeout {{ nginx_client_body_timeout }};
{% endif %}
{% if item.additional_options is defined %}
{% for add_opt in item.additional_options %}
{{ add_opt }};
{% endfor %}
{% endif %}
{% if item.websockets is defined and item.websockets %}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
{% endif %}
{% if item.proxy_standard_setup is defined and item.proxy_standard_setup %}
# Proxy stuff
include /etc/nginx/snippets/nginx-proxy-params.conf;
{% if item.proxy_additional_options is defined %}
{% for popt in item.proxy_additional_options %}
{{ popt }};
{% endfor %}
{% endif %}
{% if item.locations is defined %}
{% for location in item.locations %}
location {{ location.location }} {
{% if location.target is defined %}
proxy_pass {{ location.target }};
{% endif %}
{% if location.extra_conf is defined %}
{{ location.extra_conf }}
{% endif %}
{% if location.other_opts is defined %}
{% for opt in location.other_opts %}
{{ opt }};
{% endfor %}
{% endif %}
}
{% endfor %}
{% endif %}
{% endif %}
{% if item.extra_parameters is defined %}
{{ item.extra_parameters }}
{% endif %}
{% endif %}
}
{% if item.ssl_enabled %}
server {
listen {{ https_port | default(443) }} {{ nginx_ssl_type }};
server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
{% if item.access_log is defined %}
access_log {{ item.access_log }};
{% else %}
access_log /var/log/nginx/{{ item.server_name }}_ssl_access.log;
{% endif %}
{% if item.error_log is defined %}
error_log {{ item.error_log }};
{% else %}
error_log /var/log/nginx/{{ item.server_name }}_ssl_error.log;
{% endif %}
root {{ item.root | default('/usr/share/nginx/html/') }};
index {{ item.index | default('index.html index.htm') }};
error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }};
location = /50x.html {
root /usr/share/nginx/html;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
{% if haproxy_ips is defined %}
# We are behind haproxy
{% for ip in haproxy_ips %}
set_real_ip_from {{ ip }};
{% endfor %}
real_ip_header X-Forwarded-For;
{% endif %}
{% if item.max_body is defined %}
client_max_body_size {{ item.max_body }};
{% else %}
client_max_body_size {{ nginx_client_max_body_size }};
{% endif %}
{% if item.body_timeout is defined %}
client_body_timeout {{ item.body_timeout }};
{% else %}
client_body_timeout {{ nginx_client_body_timeout }};
{% endif %}
server_tokens {{ item.server_tokens | default('off') }};
include /etc/nginx/snippets/nginx-server-ssl.conf;
{% if item.websockets is defined and item.websockets %}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
{% endif %}
{% if item.proxy_standard_setup is defined and item.proxy_standard_setup %}
# Proxy stuff
include /etc/nginx/snippets/nginx-proxy-params.conf;
{% if item.proxy_additional_options is defined %}
{% for popt in item.proxy_additional_options %}
{{ popt }}
{% endfor %}
{% endif %}
{% if item.locations is defined %}
{% for location in item.locations %}
location {{ location.location }} {
{% if location.target is defined %}
proxy_pass {{ location.target }};
{% endif %}
{% if location.other_opts is defined %}
{% for opt in location.other_opts %}
{{ opt }};
{% endfor %}
{% endif %}
}
{% endfor %}
{% endif %}
{% endif %}
{% if item.extra_parameters is defined %}
{{ item.extra_parameters }}
{% endif %}
}
{% endif %}

4
library/centos/roles/nginx/templates/nginx-websockets.conf.j2 Normal file
View File

@ -0,0 +1,4 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}

102
library/centos/roles/nginx/templates/nginx.conf.j2 Normal file
View File

@ -0,0 +1,102 @@
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections {{ nginx_worker_connections }};
multi_accept {{ nginx_multi_accept }};
}
worker_rlimit_nofile {{ nginx_worker_rlimit_nofile }};
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens {{ nginx_server_tokens }};
include /etc/nginx/mime.types;
default_type application/octet-stream;
large_client_header_buffers {{ nginx_large_client_header_buffers }};
{% if nginx_enable_compression %}
include /etc/nginx/snippets/nginx-compression.conf;
{% endif %}
{% if nginx_websockets_support %}
include /etc/nginx/snippets/nginx-websockets.conf;
{% endif %}
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
# server {
# listen 80 default_server;
# listen [::]:80 default_server;
# server_name _;
# root /usr/share/nginx/html;
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
# location / {
# }
# error_page 404 /404.html;
# location = /40x.html {
# }
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
# Settings for a TLS enabled server.
#
# server {
# listen 443 ssl http2 default_server;
# listen [::]:443 ssl http2 default_server;
# server_name _;
# root /usr/share/nginx/html;
#
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# location / {
# }
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
}

18
library/centos/roles/openjdk/defaults/main.yml Normal file
View File

@ -0,0 +1,18 @@
---
openjdk_install: False
openjdk_default: 7
openjdk_default_version: '1.{{ openjdk_default }}.0'
openjdk_pkg_state: latest
openjdk_version:
- '{{ openjdk_default_version }}'
jdk_java_home: '/usr/lib/jvm/java-{{ openjdk_default_version }}-openjdk'
# -devel is needed if we want javac.
openjdk_pkgs:
- openjdk-headless
- openjdk-devel
openjdk_commands:
- java
- javac

Some files were not shown because too many files have changed in this diff Show More