Merge branch 'master' of gitorious.research-infrastructures.eu:infrastructure-management/ansible-playbooks

2019-02-14 16:09:18 +01:00 · 2019-02-14 16:09:18 +01:00 · bccdd87c0a
parent 5500ed9afd febb0e55b8
commit bccdd87c0a
24 changed files with 274 additions and 12 deletions
--- a/gcube/authorization_service/meta/main.yml
+++ b/gcube/authorization_service/meta/main.yml
@ -0,0 +1,4 @@
+---
+dependencies:
+  - ../../library/roles/tomcat-multiple-instances
+  - ../../library/roles/nginx
--- a/ipa-server/defaults/main.yml
+++ b/ipa-server/defaults/main.yml
@ -0,0 +1,17 @@
+---
+ipa_server_install: False
+ipa_server_use_dns: True
+
+ipa_server_domain: example.org
+ipa_server_realm: '{{ ipa_server_domain | upper }}'
+
+ipa_server_packages:
+  - ipa-server
+
+ipa_server_dns_packages:
+  - ipa-server-dns
+
+ipa_installation_options: '--external-cert-file=/etc/pki/ipa/{{ ipa_letsencrypt_ca_filename }} --external-cert-file={{ letsencrypt_acme_certs_dir }}/fullchain --external-cert=file={{ letsencrypt_acme_certs_dir }}/privkey -r {{ ipa_server_realm }} -n {{ ipa_server_domain }} -a {{ ipa_admin_password }} -p {{ ipa_manager_password }} --hostname={{ ansible_fqdn }} -U --setup-dns --no-forwarders --no-reverse --zonemgr=s2i2s-master@isti.cnr.it'
+
+ipa_ssl_letsencrypt_managed: True
+ipa_letsencrypt_ca_filename: lets-encrypt-x3-cross-signed.pem
--- a/ipa-server/files/lets-encrypt-x3-cross-signed.pem
+++ b/ipa-server/files/lets-encrypt-x3-cross-signed.pem
@ -0,0 +1,47 @@
+-----BEGIN CERTIFICATE-----
+MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
+SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
+GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
+q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
+SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
+Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
+a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
+/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
+AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
+CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
+bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
+c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
+VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
+ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
+MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
+Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
+AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
+uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
+wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
+X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
+PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
+KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
+PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
+Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
+rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
+OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
+xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
+7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
+aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
+SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
+ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
+AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
+R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
+JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
+Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
+-----END CERTIFICATE-----
--- a/ipa-server/tasks/main.yml
+++ b/ipa-server/tasks/main.yml
@ -0,0 +1,31 @@
+---
+- block:
+#  - name: Create the acme hooks directory if it does not yet exist
+#    file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
+
+#  - name: Install a script that fix the letsencrypt certificate for ipa and then reload the service
+#    template: src=ipa-letsencrypt-acmetool.sh dest={{ letsencrypt_acme_services_scripts_dir }}/ipa owner=root group=root mode=4555
+
+  - name: Create the ipa certificate directory
+    file: dest=/etc/pki/ipa state=directory owner=root group=root mode=0750
+
+  - name: Install the Letsencrypt CA file with both the root and the trusted CAs
+    copy: src={{ ipa_letsencrypt_ca_filename }} dest=/etc/pki/ipa/{{ ipa_letsencrypt_ca_filename }} mode=0444
+
+  when:
+    - ipa_ssl_letsencrypt_managed
+    - letsencrypt_acme_install
+  tags: [ 'ipa', 'letsencrypt', 'ipa_letsencrypt' ]
+
+- block:
+  - name: Install the FreeIPA server packages
+    yum: pkg={{ ipa_server_packages }} state=present
+
+  - name: Install the FreeIPA DNS server packages
+    yum: pkg={{ ipa_server_dns_packages }} state=present
+
+  when:
+    - ipa_server_install
+    - ansible_distribution_file_variety == "RedHat"
+
+  tags: [ 'ipa' ]
--- a/motd/defaults/main.yml
+++ b/motd/defaults/main.yml
@ -0,0 +1,8 @@
+---
+motd_setup: True
+
+motd_additional_text: "\nThis host runs services\n"
+
+deb_motd_packages:
+  - update-notifier-common
+  - landscape-common
--- a/motd/tasks/deb_motd.yml
+++ b/motd/tasks/deb_motd.yml
@ -0,0 +1,17 @@
+---
+- block:
+  - name: Install the packages that manage the dynamic motd file on debian based distributions
+    apt: pkg={{ deb_motd_packages }} state=present update_cache=yes cache_valid_time=3600
+    register: motd_pkgs
+
+  - name: Install our motd template file on debian based distributions
+    template: src=motd.j2 dest=/etc/static-motd owner=root group=root mode=0644
+
+  - name: Install the dynamic merge script of the motd file on debian based distributions
+    template: src=update_motd.j2 dest=/etc/update-motd.d/05-motd-message owner=root group=root mode=0755
+
+  - name: Initialise the motd prompt on debian based distributions
+    command: run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic
+    when: motd_pkgs is changed
+  
+  tags: motd
--- a/motd/tasks/main.yml
+++ b/motd/tasks/main.yml
@ -0,0 +1,6 @@
+---
+- import_tasks: deb_motd.yml
+  when: ansible_distribution_file_variety == "Debian"
+
+- import_tasks: rh_motd.yml
+  when: ansible_distribution_file_variety == "RedHat"
--- a/motd/tasks/rh_motd.yml
+++ b/motd/tasks/rh_motd.yml
@ -0,0 +1,6 @@
+- block:
+  - name: Install our motd template file on RH/CentOS based distributions
+    template: src=motd.j2 dest=/etc/motd owner=root group=root mode=0644
+
+  tags: motd
+  
--- a/motd/templates/motd.j2
+++ b/motd/templates/motd.j2
@ -0,0 +1,2 @@
+
+{{ motd_additional_text }}
--- a/motd/templates/update_motd.j2
+++ b/motd/templates/update_motd.j2
@ -0,0 +1,5 @@
+#!/bin/sh
+
+cat /etc/static-motd
+
+exit 0
--- a/orientdb/defaults/main.yml
+++ b/orientdb/defaults/main.yml
@ -1,10 +1,10 @@
 ---
 orientdb_install: False
 orientdb_enabled: True
-orientdb_version: 2.2.36
+orientdb_version: 3.0.15
 orientdb_archive_commpression: tar.gz
-orientdb_dir: 'orientdb-community'
-orientdb_tar_filename: '{{ orientdb_dir }}-importers-{{ orientdb_version }}'
+orientdb_dir: 'orientdb'
+orientdb_tar_filename: '{{ orientdb_dir }}-{{ orientdb_version }}'
 orientdb_tar_file: '{{ orientdb_tar_filename }}.{{ orientdb_archive_commpression }}'
 orientdb_binary_distribution_url: 'https://s3.us-east-2.amazonaws.com/orientdb3/releases/{{ orientdb_version }}/{{ orientdb_tar_file }}' 
 orientdb_user: orientdb
@ -63,7 +63,7 @@ orientdb_hazelcast_multicast_group: 235.1.1.1
 orientdb_hazelcast_multicast_port: 2434


-# For Reference see http://orientdb.com/docs/2.2/Automatic-Backup.html
+# For Reference see http://orientdb.com/docs/3.0.x/plugins/Automatic-Backup.html
 orientdb_automatic_backup: True
 orientdb_automatic_backup_mode: 'EXPORT'
 orientdb_automatic_backup_export_options: ''
--- a/smartgears/smartgears/vars/main.yml
+++ b/smartgears/smartgears/vars/main.yml
@ -0,0 +1,7 @@
+---
+additional_data_directories:
+  - { name: '{{ d4science_user_home }}', perms: 0755, create: False, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rX' }
+  - { name: '{{ d4science_user_home }}/tomcat/lib/logback.xml', perms: 0644, create: False, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
+  - { name: '/etc/default/tomcat-instance-{{ smartgears_http_port }}', perms: 0644, create: False, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rX' }
+  - { name: '/etc/default/tomcat-instance-{{ smartgears_http_port }}.local', perms: 0644, create: False, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rX' }
+  - { name: '/var/log', create: False, perms: 0755, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rX' }
--- a/ubuntu-deb-general/defaults/main.yml
+++ b/ubuntu-deb-general/defaults/main.yml
@ -132,10 +132,14 @@ additional_ca_dest_dir: /usr/local/share/ca-certificates
 #  - { file: "local-ca.crt", dest_file: '{{ additional_ca_dest_dir }}/infn-ca.crt' }

 #
-default_security_limits:
+root_security_limits:
  - { domain: 'root', l_item: 'nofile', type: 'soft', value: '8192' }
  - { domain: 'root', l_item: 'nofile', type: 'hard', value: '8192' }

+users_security_limits: []
+
+default_security_limits: '{{ root_security_limits }}'
+
 # default_rsyslog_custom_rules:
 #   - ':msg, contains, "icmp6_send: no reply to icmp error" ~'
 #   - ':msg, contains, "[PYTHON] Can\'t call the metric handler function for" ~'
--- a/ubuntu-deb-general/meta/main.yml
+++ b/ubuntu-deb-general/meta/main.yml
@ -5,6 +5,7 @@ dependencies:
  - role: '../../library/roles/deb-set-hostname'
  - role: '../../library/roles/deb-set-locale'
  - role: '../../library/roles/timezone'
+  - role: '../../library/roles/motd'
  - role: '../../library/roles/linux-kernel-sysctl'
  - role: '../../library/roles/sshd_config'
  - role: '../../library/roles/fail2ban'
--- a/ubuntu-deb-general/tasks/manage_su_limits.yml
+++ b/ubuntu-deb-general/tasks/manage_su_limits.yml
@ -3,8 +3,13 @@
  lineinfile: dest=/etc/pam.d/su line="session required pam_limits.so" insertafter="^#\ \(Replaces\ the\ use\ of\ /etc/limits.*$"
  tags: [ 'su', 'pam_limits']

- name: Change the default security limits
-  pam_limits: domain={{ item.domain }} limit_type={{ item.type }} limit_item={{ item.l_item }} value={{ item.value }}
-  with_items: '{{ default_security_limits }}'
+- name: Change the root user security limits
+  pam_limits: domain=root limit_type={{ item.type }} limit_item={{ item.l_item }} value={{ item.value }}
+  with_items: '{{ root_security_limits }}'
+  tags: [ 'su', 'pam_limits']
+
+- name: Change other users security limits
+  pam_limits: domain={{ item.domain }} limit_type={{ item.type }} limit_item={{ item.l_item }} value={{ item.value }}
+  with_items: '{{ users_security_limits }}'
  tags: [ 'su', 'pam_limits']

--- a/user_services_perms/defaults/main.yml
+++ b/user_services_perms/defaults/main.yml
@ -0,0 +1,14 @@
+---
+service_sudoers_group: adminsu
+
+common_users_group: service_g
+# Define the following if you want some directories readable and writable by the common group but outside the default app data dirs
+#additional_data_directories:
+#  - { name: '/data/1', perms: 0755, create: True, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
+#  - { name: '/data/2', create: False, perms: 0755, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
+#  - { name: '/data/bah', create: False, perms: 0644, aclperms: 'rw' }
+
+# Define the following array when you want to add commands to the sudoers file
+#service_sudo_commands:
+#  - /etc/init.d/virtuoso-opensource-7
+#  - /sbin/reboot
--- a/user_services_perms/meta/main.yml
+++ b/user_services_perms/meta/main.yml
@ -0,0 +1,3 @@
+---
+dependencies:
+  - '../../library/roles/users' 
--- a/user_services_perms/tasks/common-users-data-dirs.yml
+++ b/user_services_perms/tasks/common-users-data-dirs.yml
@ -0,0 +1,25 @@
+---
+- block:
+  - name: Create the common group used to setup acls
+    group: name={{ common_users_group }} state=present system=yes
+    when: additional_data_directories is defined
+
+  - name: Add selected users to the commong group
+    user: name={{ item.login }} groups={{ common_users_group }} append=yes
+    with_items: '{{ users_system_users | default([]) }}'
+    when: additional_data_directories is defined
+
+  - name: Create the users additional data dirs
+    file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }}
+    with_items: '{{ additional_data_directories | default([]) }}'
+    when: item.create and not item.file
+
+  - name: Set the read/write/access permissions on the users additional data dirs
+    acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present recursive=yes
+    with_items: '{{ additional_data_directories | default([])  }}'
+
+  - name: Set the default read/write/access permissions on the users additional data dirs
+    acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present default=yes recursive=yes
+    with_items: '{{ additional_data_directories | default([])  }}'
+
+  tags: [ 'users', 'users_acl' ]
--- a/user_services_perms/tasks/main.yml
+++ b/user_services_perms/tasks/main.yml
@ -0,0 +1,5 @@
+---
+- import_tasks: sudoers-groups.yml
+- import_tasks: sudo-config.yml
+- import_tasks: common-users-data-dirs.yml
+  when: additional_data_directories is defined
--- a/user_services_perms/tasks/sudo-config.yml
+++ b/user_services_perms/tasks/sudo-config.yml
@ -0,0 +1,6 @@
+---
+- name: Install the sudoers config that allows users to execute some privileged commands
+  template: src=service-sudoers.j2 dest=/etc/sudoers.d/service-group owner=root group=root mode=0440
+  when: service_sudo_commands is defined
+  tags: [ 'service', 'sudo', 'users' ]
+
--- a/user_services_perms/tasks/sudoers-groups.yml
+++ b/user_services_perms/tasks/sudoers-groups.yml
@ -0,0 +1,18 @@
+---
+- block:
+  - name: Add the additional service groups
+    group: name={{ item }} state=present
+    with_items:
+      - '{{ service_sudoers_group }}'
+    
+  - name: Add selected users to the limited sudoers group
+    user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes
+    with_items: '{{ users_system_users | default([]) }}'
+    when: item.limited_sudoers_user
+
+  - name: Remove selected users to the limited sudoers group
+    user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes
+    with_items: '{{ users_system_users | default([]) }}'
+    when: not item.limited_sudoers_user
+
+  tags: [ 'services', 'users' ]
--- a/user_services_perms/templates/service-sudoers.j2
+++ b/user_services_perms/templates/service-sudoers.j2
@ -0,0 +1,2 @@
+%{{ service_sudoers_group }}  ALL=(ALL) NOPASSWD:   {% for cmd in service_sudo_commands %}{{ cmd }}{% if not loop.last %}, {% endif %}{% endfor %}
+
--- a/users/defaults/main.yml
+++ b/users/defaults/main.yml
@ -5,7 +5,9 @@
 # Users can have sudo privileges if the 'admin' property is 'true'
 # admin users can also directly log as root when 'user_admin_can_log_as_root' is set to 'true'

-users_sudoers_group: sudo
+deb_users_sudoers_group: sudo
+rh_users_sudoers_group: wheel
+users_sudoers_group: '{{ deb_users_sudoers_group }}'
 users_sudoers_create_group: False
 users_sudoers_create_sudo_conf: False
 users_home_dir: /home
--- a/users/tasks/main.yml
+++ b/users/tasks/main.yml
@ -22,10 +22,37 @@
      with_items: '{{ users_system_users | default([]) }}'
      when: item.ssh_key is defined

-    - name: Add the admin users to the sudoers group
-      user: name={{ item.login }} groups={{ users_sudoers_group }} append=yes
+    - name: Add the admin users to the sudoers group on debian based systems
+      user: name={{ item.login }} groups={{ deb_users_sudoers_group }} append=yes
      with_items: '{{ users_system_users | default([]) }}'
-      when: item.admin
+      when:
+        - item.admin
+        - ansible_distribution_file_variety == "Debian" 
+
+    - name: Permit sudo without password
+      lineinfile:
+        path: /etc/sudoers
+        state: present
+        regexp: '^%{{ deb_users_sudoers_group }}\s'
+        line: '%{{ deb_users_sudoers_group }} ALL=(ALL) NOPASSWD: ALL'
+      when: ansible_distribution_file_variety == "Debian"
+      tags: [ 'users', 'sudo_wheel' ]
+
+    - name: Add the admin users to the sudoers group on rh/centos systems
+      user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes
+      with_items: '{{ users_system_users | default([]) }}'
+      when:
+        - item.admin
+        - ansible_distribution_file_variety == "RedHat" 
+
+    - name: Permit sudo without password
+      lineinfile:
+        path: /etc/sudoers
+        state: present
+        regexp: '^%{{ rh_users_sudoers_group }}\s'
+        line: '%{{ rh_users_sudoers_group }} ALL=(ALL) NOPASSWD: ALL'
+      when: ansible_distribution_file_variety == "RedHat" 
+      tags: [ 'users', 'sudo_wheel' ]

    - name: ensure that the users can login with their ssh keys as root if we want ensure direct access
      authorized_key: user=root key="{{ item.ssh_key }}" state=present
				`@ -0,0 +1,2 @@`
				`%{{ service_sudoers_group }} ALL=(ALL) NOPASSWD: {% for cmd in service_sudo_commands %}{{ cmd }}{% if not loop.last %}, {% endif %}{% endfor %}`