Merge branch 'master' of gitorious.research-infrastructures.eu:infrastructure-management/ansible-playbooks

This commit is contained in:
Luca Frosini 2019-02-14 17:12:32 +01:00
commit 3f0205cf34
24 changed files with 288 additions and 12 deletions

View File

@ -0,0 +1,4 @@
---
dependencies:
- ../../library/roles/tomcat-multiple-instances
- ../../library/roles/nginx

View File

@ -0,0 +1,17 @@
---
ipa_server_install: False
ipa_server_use_dns: True
ipa_server_domain: example.org
ipa_server_realm: '{{ ipa_server_domain | upper }}'
ipa_server_packages:
- ipa-server
ipa_server_dns_packages:
- ipa-server-dns
ipa_installation_options: '--external-cert-file=/etc/pki/ipa/{{ ipa_letsencrypt_ca_filename }} --external-cert-file={{ letsencrypt_acme_certs_dir }}/fullchain --external-cert=file={{ letsencrypt_acme_certs_dir }}/privkey -r {{ ipa_server_realm }} -n {{ ipa_server_domain }} -a {{ ipa_admin_password }} -p {{ ipa_manager_password }} --hostname={{ ansible_fqdn }} -U --setup-dns --no-forwarders --no-reverse --zonemgr=s2i2s-master@isti.cnr.it'
ipa_ssl_letsencrypt_managed: True
ipa_letsencrypt_ca_filename: lets-encrypt-x3-cross-signed.pem

View File

@ -0,0 +1,47 @@
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----

31
ipa-server/tasks/main.yml Normal file
View File

@ -0,0 +1,31 @@
---
- block:
# - name: Create the acme hooks directory if it does not yet exist
# file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
# - name: Install a script that fix the letsencrypt certificate for ipa and then reload the service
# template: src=ipa-letsencrypt-acmetool.sh dest={{ letsencrypt_acme_services_scripts_dir }}/ipa owner=root group=root mode=4555
- name: Create the ipa certificate directory
file: dest=/etc/pki/ipa state=directory owner=root group=root mode=0750
- name: Install the Letsencrypt CA file with both the root and the trusted CAs
copy: src={{ ipa_letsencrypt_ca_filename }} dest=/etc/pki/ipa/{{ ipa_letsencrypt_ca_filename }} mode=0444
when:
- ipa_ssl_letsencrypt_managed
- letsencrypt_acme_install
tags: [ 'ipa', 'letsencrypt', 'ipa_letsencrypt' ]
- block:
- name: Install the FreeIPA server packages
yum: pkg={{ ipa_server_packages }} state=present
- name: Install the FreeIPA DNS server packages
yum: pkg={{ ipa_server_dns_packages }} state=present
when:
- ipa_server_install
- ansible_distribution_file_variety == "RedHat"
tags: [ 'ipa' ]

8
motd/defaults/main.yml Normal file
View File

@ -0,0 +1,8 @@
---
motd_setup: True
motd_additional_text: "\nThis host runs services\n"
deb_motd_packages:
- update-notifier-common
- landscape-common

17
motd/tasks/deb_motd.yml Normal file
View File

@ -0,0 +1,17 @@
---
- block:
- name: Install the packages that manage the dynamic motd file on debian based distributions
apt: pkg={{ deb_motd_packages }} state=present update_cache=yes cache_valid_time=3600
register: motd_pkgs
- name: Install our motd template file on debian based distributions
template: src=motd.j2 dest=/etc/static-motd owner=root group=root mode=0644
- name: Install the dynamic merge script of the motd file on debian based distributions
template: src=update_motd.j2 dest=/etc/update-motd.d/05-motd-message owner=root group=root mode=0755
- name: Initialise the motd prompt on debian based distributions
command: run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic
when: motd_pkgs is changed
tags: motd

6
motd/tasks/main.yml Normal file
View File

@ -0,0 +1,6 @@
---
- import_tasks: deb_motd.yml
when: ansible_distribution_file_variety == "Debian"
- import_tasks: rh_motd.yml
when: ansible_distribution_file_variety == "RedHat"

6
motd/tasks/rh_motd.yml Normal file
View File

@ -0,0 +1,6 @@
- block:
- name: Install our motd template file on RH/CentOS based distributions
template: src=motd.j2 dest=/etc/motd owner=root group=root mode=0644
tags: motd

2
motd/templates/motd.j2 Normal file
View File

@ -0,0 +1,2 @@
{{ motd_additional_text }}

View File

@ -0,0 +1,5 @@
#!/bin/sh
cat /etc/static-motd
exit 0

View File

@ -0,0 +1,7 @@
---
additional_data_directories:
- { name: '{{ d4science_user_home }}', perms: 0755, create: False, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rX' }
- { name: '{{ d4science_user_home }}/tomcat/lib/logback.xml', perms: 0644, create: False, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
- { name: '/etc/default/tomcat-instance-{{ smartgears_http_port }}', perms: 0644, create: False, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rX' }
- { name: '/etc/default/tomcat-instance-{{ smartgears_http_port }}.local', perms: 0644, create: False, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rX' }
- { name: '/var/log', create: False, perms: 0755, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rX' }

View File

@ -22,10 +22,24 @@
notify: Restart smartgears notify: Restart smartgears
when: uri_resolver_download is changed when: uri_resolver_download is changed
- name: Copy the uri-resolver war file into the webapps directory - name: Create the uri-resolver webapp directory
copy: src={{ smartgears_downloads_dir }}/{{ uri_resolver_file }} dest={{ smartgears_instance_path }}/webapps/{{ uri_resolver_name }}.{{ uri_resolver_extension }} remote_src=yes force=yes file: dest={{ smartgears_instance_path }}/webapps/{{ uri_resolver_name }} state=directory
when: uri_resolver_download
- name: Unarchive the uri_resolver war file
unarchive: copy=no src={{ smartgears_downloads_dir }}/{{ uri_resolver_file }} dest={{ smartgears_instance_path }}/webapps/{{ uri_resolver_name }}
args:
creates: '{{ smartgears_instance_path }}/webapps/{{ uri_resolver_name }}/WEB-INF/web.xml'
notify: Restart smartgears notify: Restart smartgears
- name: Install the uri_resolver web.xml template
template: src=uri-resolver-web.xml.j2 dest={{ smartgears_instance_path }}/webapps/{{ uri_resolver_name }}/WEB-INF/web.xml mode=0440
notify: Restart smartgears
# - name: Copy the uri-resolver war file into the webapps directory
# copy: src={{ smartgears_downloads_dir }}/{{ uri_resolver_file }} dest={{ smartgears_instance_path }}/webapps/{{ uri_resolver_name }}.{{ uri_resolver_extension }} remote_src=yes force=yes
# notify: Restart smartgears
become: True become: True
become_user: '{{ d4science_user }}' become_user: '{{ d4science_user }}'
tags: [ 'smartgears', 'uri_resolver', 'tomcat' ] tags: [ 'smartgears', 'uri_resolver', 'tomcat' ]

View File

@ -132,10 +132,14 @@ additional_ca_dest_dir: /usr/local/share/ca-certificates
# - { file: "local-ca.crt", dest_file: '{{ additional_ca_dest_dir }}/infn-ca.crt' } # - { file: "local-ca.crt", dest_file: '{{ additional_ca_dest_dir }}/infn-ca.crt' }
# #
default_security_limits: root_security_limits:
- { domain: 'root', l_item: 'nofile', type: 'soft', value: '8192' } - { domain: 'root', l_item: 'nofile', type: 'soft', value: '8192' }
- { domain: 'root', l_item: 'nofile', type: 'hard', value: '8192' } - { domain: 'root', l_item: 'nofile', type: 'hard', value: '8192' }
users_security_limits: []
default_security_limits: '{{ root_security_limits }}'
# default_rsyslog_custom_rules: # default_rsyslog_custom_rules:
# - ':msg, contains, "icmp6_send: no reply to icmp error" ~' # - ':msg, contains, "icmp6_send: no reply to icmp error" ~'
# - ':msg, contains, "[PYTHON] Can\'t call the metric handler function for" ~' # - ':msg, contains, "[PYTHON] Can\'t call the metric handler function for" ~'

View File

@ -5,6 +5,7 @@ dependencies:
- role: '../../library/roles/deb-set-hostname' - role: '../../library/roles/deb-set-hostname'
- role: '../../library/roles/deb-set-locale' - role: '../../library/roles/deb-set-locale'
- role: '../../library/roles/timezone' - role: '../../library/roles/timezone'
- role: '../../library/roles/motd'
- role: '../../library/roles/linux-kernel-sysctl' - role: '../../library/roles/linux-kernel-sysctl'
- role: '../../library/roles/sshd_config' - role: '../../library/roles/sshd_config'
- role: '../../library/roles/fail2ban' - role: '../../library/roles/fail2ban'

View File

@ -3,8 +3,13 @@
lineinfile: dest=/etc/pam.d/su line="session required pam_limits.so" insertafter="^#\ \(Replaces\ the\ use\ of\ /etc/limits.*$" lineinfile: dest=/etc/pam.d/su line="session required pam_limits.so" insertafter="^#\ \(Replaces\ the\ use\ of\ /etc/limits.*$"
tags: [ 'su', 'pam_limits'] tags: [ 'su', 'pam_limits']
- name: Change the default security limits - name: Change the root user security limits
pam_limits: domain={{ item.domain }} limit_type={{ item.type }} limit_item={{ item.l_item }} value={{ item.value }} pam_limits: domain=root limit_type={{ item.type }} limit_item={{ item.l_item }} value={{ item.value }}
with_items: '{{ default_security_limits }}' with_items: '{{ root_security_limits }}'
tags: [ 'su', 'pam_limits']
- name: Change other users security limits
pam_limits: domain={{ item.domain }} limit_type={{ item.type }} limit_item={{ item.l_item }} value={{ item.value }}
with_items: '{{ users_security_limits }}'
tags: [ 'su', 'pam_limits'] tags: [ 'su', 'pam_limits']

View File

@ -0,0 +1,14 @@
---
service_sudoers_group: adminsu
common_users_group: service_g
# Define the following if you want some directories readable and writable by the common group but outside the default app data dirs
#additional_data_directories:
# - { name: '/data/1', perms: 0755, create: True, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
# - { name: '/data/2', create: False, perms: 0755, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
# - { name: '/data/bah', create: False, perms: 0644, aclperms: 'rw' }
# Define the following array when you want to add commands to the sudoers file
#service_sudo_commands:
# - /etc/init.d/virtuoso-opensource-7
# - /sbin/reboot

View File

@ -0,0 +1,3 @@
---
dependencies:
- '../../library/roles/users'

View File

@ -0,0 +1,25 @@
---
- block:
- name: Create the common group used to setup acls
group: name={{ common_users_group }} state=present system=yes
when: additional_data_directories is defined
- name: Add selected users to the commong group
user: name={{ item.login }} groups={{ common_users_group }} append=yes
with_items: '{{ users_system_users | default([]) }}'
when: additional_data_directories is defined
- name: Create the users additional data dirs
file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }}
with_items: '{{ additional_data_directories | default([]) }}'
when: item.create and not item.file
- name: Set the read/write/access permissions on the users additional data dirs
acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present recursive=yes
with_items: '{{ additional_data_directories | default([]) }}'
- name: Set the default read/write/access permissions on the users additional data dirs
acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present default=yes recursive=yes
with_items: '{{ additional_data_directories | default([]) }}'
tags: [ 'users', 'users_acl' ]

View File

@ -0,0 +1,5 @@
---
- import_tasks: sudoers-groups.yml
- import_tasks: sudo-config.yml
- import_tasks: common-users-data-dirs.yml
when: additional_data_directories is defined

View File

@ -0,0 +1,6 @@
---
- name: Install the sudoers config that allows users to execute some privileged commands
template: src=service-sudoers.j2 dest=/etc/sudoers.d/service-group owner=root group=root mode=0440
when: service_sudo_commands is defined
tags: [ 'service', 'sudo', 'users' ]

View File

@ -0,0 +1,18 @@
---
- block:
- name: Add the additional service groups
group: name={{ item }} state=present
with_items:
- '{{ service_sudoers_group }}'
- name: Add selected users to the limited sudoers group
user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes
with_items: '{{ users_system_users | default([]) }}'
when: item.limited_sudoers_user
- name: Remove selected users to the limited sudoers group
user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes
with_items: '{{ users_system_users | default([]) }}'
when: not item.limited_sudoers_user
tags: [ 'services', 'users' ]

View File

@ -0,0 +1,2 @@
%{{ service_sudoers_group }} ALL=(ALL) NOPASSWD: {% for cmd in service_sudo_commands %}{{ cmd }}{% if not loop.last %}, {% endif %}{% endfor %}

View File

@ -5,7 +5,9 @@
# Users can have sudo privileges if the 'admin' property is 'true' # Users can have sudo privileges if the 'admin' property is 'true'
# admin users can also directly log as root when 'user_admin_can_log_as_root' is set to 'true' # admin users can also directly log as root when 'user_admin_can_log_as_root' is set to 'true'
users_sudoers_group: sudo deb_users_sudoers_group: sudo
rh_users_sudoers_group: wheel
users_sudoers_group: '{{ deb_users_sudoers_group }}'
users_sudoers_create_group: False users_sudoers_create_group: False
users_sudoers_create_sudo_conf: False users_sudoers_create_sudo_conf: False
users_home_dir: /home users_home_dir: /home

View File

@ -22,10 +22,37 @@
with_items: '{{ users_system_users | default([]) }}' with_items: '{{ users_system_users | default([]) }}'
when: item.ssh_key is defined when: item.ssh_key is defined
- name: Add the admin users to the sudoers group - name: Add the admin users to the sudoers group on debian based systems
user: name={{ item.login }} groups={{ users_sudoers_group }} append=yes user: name={{ item.login }} groups={{ deb_users_sudoers_group }} append=yes
with_items: '{{ users_system_users | default([]) }}' with_items: '{{ users_system_users | default([]) }}'
when: item.admin when:
- item.admin
- ansible_distribution_file_variety == "Debian"
- name: Permit sudo without password
lineinfile:
path: /etc/sudoers
state: present
regexp: '^%{{ deb_users_sudoers_group }}\s'
line: '%{{ deb_users_sudoers_group }} ALL=(ALL) NOPASSWD: ALL'
when: ansible_distribution_file_variety == "Debian"
tags: [ 'users', 'sudo_wheel' ]
- name: Add the admin users to the sudoers group on rh/centos systems
user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes
with_items: '{{ users_system_users | default([]) }}'
when:
- item.admin
- ansible_distribution_file_variety == "RedHat"
- name: Permit sudo without password
lineinfile:
path: /etc/sudoers
state: present
regexp: '^%{{ rh_users_sudoers_group }}\s'
line: '%{{ rh_users_sudoers_group }} ALL=(ALL) NOPASSWD: ALL'
when: ansible_distribution_file_variety == "RedHat"
tags: [ 'users', 'sudo_wheel' ]
- name: ensure that the users can login with their ssh keys as root if we want ensure direct access - name: ensure that the users can login with their ssh keys as root if we want ensure direct access
authorized_key: user=root key="{{ item.ssh_key }}" state=present authorized_key: user=root key="{{ item.ssh_key }}" state=present