commit fa60c442b0afe99e50a5e1bc09b386f4efd697bd
Author: benedikt.wismans@sdw.systems
Date: Thu Nov 17 19:11:54 2022 +0100

Ansible Rootserver / BBB Projekt Start

diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..ed865bf
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,2 @@
+[defaults]
+inventory = hosts
diff --git a/bootstrapCore.yml b/bootstrapCore.yml
new file mode 100644
index 0000000..599cf3e
--- /dev/null
+++ b/bootstrapCore.yml
@@ -0,0 +1,16 @@
+---
+- hosts: "{{ target }}"
+ remote_user: core
+ become: true
+ roles:
+ - apt_upgrade
+ - hostnames
+ - ntp
+ - users
+ - sshd
+ - scripte
+ - cron
+ - ufw
+ - snmp
+
+...
\ No newline at end of file
diff --git a/bootstrapRoot.yml b/bootstrapRoot.yml
new file mode 100644
index 0000000..050916c
--- /dev/null
+++ b/bootstrapRoot.yml
@@ -0,0 +1,12 @@
+---
+- hosts: "{{ target }}"
+ remote_user: root
+ roles:
+ - apt_upgrade
+ - hostnames
+ - users
+ - sshd
+
+# sshd schließt den root user von ssh aus, danach läuft das Playbook nicht mehr als root
+# Weiter geht's mit bootstrapCore
+...
\ No newline at end of file
diff --git a/host_vars/bbb.xitq.de b/host_vars/bbb.xitq.de
new file mode 100644
index 0000000..5f84710
--- /dev/null
+++ b/host_vars/bbb.xitq.de
@@ -0,0 +1,9 @@
+---
+install_image:
+ path: /root/.oldroot/nfs/install/installimage
+ raid: yes -l 1
+ image: /root/.oldroot/nfs/images/Ubuntu-2004-focal-64-minimal.tar.gz
+ drives: sda,sdb
+
+passwordless_sudo: true
+...
\ No newline at end of file
diff --git a/hosts b/hosts
new file mode 100644
index 0000000..f3de1f4
--- /dev/null
+++ b/hosts
@@ -0,0 +1,2 @@
+bbb.xitq.de
+
diff --git a/install_image.yml b/install_image.yml
new file mode 100644
index 0000000..5add01b
--- /dev/null
+++ b/install_image.yml
@@ -0,0 +1,10 @@
+---
+- hosts: "{{ target }}"
+ gather_facts: false
+ remote_user: root
+ roles:
+ - install_python
+ - install_image
+
+
+...
\ No newline at end of file
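Review bot: `raid: yes -l 1` in host_vars/bbb.xitq.de packs two installimage options (`-r yes` and `-l 1`) into one scalar that the install_image role splices in as `-r {{ install_image.raid }}`, so the key name no longer describes its value and the RAID level is invisible to a reader of the role. Split it into `raid: "yes"` and a separate key for the level (e.g. `raid_level: 1`, a constructed name) and have the role emit both flags explicitly. The top-level `installimage` file already lists `-r yes` and `-l 1` as separate arguments, which is the clearer form to mirror.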
diff --git a/install_python.yml b/install_python.yml
new file mode 100644
index 0000000..4106699
--- /dev/null
+++ b/install_python.yml
@@ -0,0 +1,9 @@
+---
+- hosts: "{{ target }}"
+ gather_facts: false
+ remote_user: root
+ roles:
+ - install_python
+
+
+...
\ No newline at end of file
diff --git a/installimage b/installimage
new file mode 100644
index 0000000..013c54a
--- /dev/null
+++ b/installimage
@@ -0,0 +1,10 @@
+/root/.oldroot/nfs/install/installimage
+-a
+-n bbb.xitq.de
+-b grub
+-r yes
+-l 1
+-i /root/.oldroot/nfs/images/Ubuntu-2004-focal-64-minimal.tar.gz
+-p /boot:ext3:512M,/:ext4:all
+-d sda,sdb
+
diff --git a/roles/apt_upgrade/tasks/main.yml b/roles/apt_upgrade/tasks/main.yml
new file mode 100644
index 0000000..4671152
--- /dev/null
+++ b/roles/apt_upgrade/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Update and upgrade apt packages
+ apt:
+ upgrade: "yes"
+ update_cache: "yes"
\ No newline at end of file
diff --git a/roles/cron/tasks/main.yml b/roles/cron/tasks/main.yml
new file mode 100644
index 0000000..cc2ccec
--- /dev/null
+++ b/roles/cron/tasks/main.yml
@@ -0,0 +1,23 @@
+- name: Install core user's crontab logCPUandETH
+ ansible.builtin.cron:
+ name: logCPUandETH
+ user: core
+ minute: "*"
+ hour: "6-23"
+ job: "/home/core/Scripte/logCPUandETH"
+
+- name: Install core user's crontab Delete /tmp files before rebooting at 4 AM
+ ansible.builtin.cron:
+ name: delete /tmp/* files before rebooting at 4 AM
+ user: core
+ minute: "55"
+ hour: "3"
+ job: "/bin/rm -rf /tmp/*"
+
+- name: Install core user's crontab logCPUandETH
+ ansible.builtin.cron:
+ name: reboot each night at 4.00 AM
+ user: core
+ minute: "0"
+ hour: "4"
+ job: "sudo /sbin/shutdown -r now"
\ No newline at end of file
diff --git a/roles/hostnames/files/hosts b/roles/hostnames/files/hosts
new file mode 100644
index 0000000..0ebd6b9
--- /dev/null
+++ b/roles/hostnames/files/hosts
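Review bot: `upgrade: "yes"` and `update_cache: "yes"` in roles/apt_upgrade/tasks/main.yml are quoted strings that only work because the apt module coerces them; `yes` is the legacy spelling of `upgrade: safe`, so `upgrade: safe` with `update_cache: true` states the intent directly. Adding `cache_valid_time: 3600` spares a full index refresh on every run, which matters because both bootstrapRoot and bootstrapCore include this role.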
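Review bot: The third task in roles/cron/tasks/main.yml reuses the name `Install core user's crontab logCPUandETH` although it installs the 4 AM reboot job, which makes play output ambiguous; rename it, e.g. `- name: Install core user's crontab reboot each night at 4 AM`. That job also depends on `sudo` working non-interactively from core's crontab, i.e. on `passwordless_sudo` being true for the host, and does nothing useful otherwise; installing it in root's crontab with `user: root` and `job: "/sbin/shutdown -r now"` removes that dependency. Note as well that the 03:55 `rm -rf /tmp/*` job deletes `/tmp/cpulog` and `/tmp/ethlog`, the files logCPUandETH appends to, so those logs never hold more than one day of data.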
@@ -0,0 +1,10 @@
+### Hetzner Online GmbH installimage
+127.0.0.1 localhost.localdomain localhost
+116.202.217.88 bbb.xitq.de bbb
+::1 ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts
+2a01:4f8:241:1e24::2 bbb.xitq.de bbb
diff --git a/roles/hostnames/tasks/main.yml b/roles/hostnames/tasks/main.yml
new file mode 100644
index 0000000..15749dc
--- /dev/null
+++ b/roles/hostnames/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+- name: Set hostname
+ hostname:
+ name: "{{ inventory_hostname }}"
+
+- name: Copy hosts file to server
+ copy:
+ src: hosts
+ dest: /etc/hosts
+ owner: root
+ group: root
+ mode: 0644
+
+
+...
\ No newline at end of file
diff --git a/roles/install_image/tasks/main.yml b/roles/install_image/tasks/main.yml
new file mode 100644
index 0000000..7351c67
--- /dev/null
+++ b/roles/install_image/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+- name: Check if installimage script exists
+ stat:
+ path: /root/.oldroot/nfs/install/installimage
+ register: stat_result
+
+- block:
+ - debug:
+ msg: "installimage script not found"
+ - meta: end_play
+ when: stat_result.stat.exists == false
+
+- name: Execute installimage
+ shell: "{{ install_image.path }} -a -n {{ inventory_hostname }} -b grub -r {{ install_image.raid }} -i {{ install_image.image }} -p /boot:ext3:512M,/:ext4:all -d {{ install_image.drives }}"
+
+- name: Rebooting...
+ shell: reboot
+
+
\ No newline at end of file
diff --git a/roles/install_python/tasks/main.yml b/roles/install_python/tasks/main.yml
new file mode 100644
index 0000000..6eda5af
--- /dev/null
+++ b/roles/install_python/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Install Python on system (rescue or final)
+ raw: test -e /etc/bin/python3 || (apt -y update && apt install -y python3)
+
+...
\ No newline at end of file
diff --git a/roles/ntp/tasks/main.yml b/roles/ntp/tasks/main.yml
new file mode 100644
index 0000000..c3ad50e
--- /dev/null
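Review bot: The `Copy hosts file to server` task in roles/hostnames/tasks/main.yml ships a static `files/hosts` that hard-codes the IPv4 and IPv6 addresses of bbb.xitq.de, while `Set hostname` uses `{{ inventory_hostname }}`, so applying the role to any other entry in `hosts` would write the wrong addresses into that machine's /etc/hosts. A `template:` rendering `{{ inventory_hostname }}` with the host's addresses (from host_vars or `ansible_default_ipv4.address`, facts are gathered in bootstrapRoot/bootstrapCore) keeps the role as generic as the `target` variable suggests. Quote the mode as `mode: "0644"` so the YAML parser does not turn it into an integer first.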
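Review bot: `shell: reboot` at the end of roles/install_image/tasks/main.yml will normally finish with a dropped SSH connection and a failed task, because the rescue system goes down while Ansible is still waiting for the command to return. Detach it with `async: 1` and `poll: 0` on that task, or use `ansible.builtin.reboot` if the freshly installed system accepts the same key (whether installimage carries the rescue system's authorized keys over should be verified). The guard `when: stat_result.stat.exists == false` reads better as `when: not stat_result.stat.exists`, and the `Execute installimage` command line is assembled by splicing host_vars into `shell:`, which is acceptable only because host_vars are repository-controlled input.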
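Review bot: The `raw:` test in roles/install_python/tasks/main.yml checks `/etc/bin/python3`, a path that does not exist on Ubuntu, so the `||` branch runs `apt -y update && apt install -y python3` on every invocation and the task always reports changed. The interpreter is `/usr/bin/python3`; change the line to `raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3)`. With the corrected path the task becomes a real no-op on a host that already has Python, which is what the name "rescue or final" implies.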
+++ b/roles/ntp/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+
+- name: Install ntp
+ apt:
+ name:
+ - ntp
+...
diff --git a/roles/scripte/files/bashlib b/roles/scripte/files/bashlib
new file mode 100644
index 0000000..372447b
--- /dev/null
+++ b/roles/scripte/files/bashlib
@@ -0,0 +1,12 @@
+# Fügt einen Zeitstempel an jede Zeile an
+adddate() {
+ while IFS= read -r line; do
+ printf '%s %s\n' "$(date)" "$line";
+ done
+}
+
+# Gibt den Namen der 1. aktiven NIC zurück die nicht das Loopback Interface ist
+# Funktioniert auf Ubuntu 20.04, andere Versionen ungetestet
+getnic() {
+ echo `ip link show | grep "state UP" | grep -v "LOOPBACK" | awk '{print $2}' | sed 's/://g'`
+}
diff --git a/roles/scripte/files/logCPUandETH b/roles/scripte/files/logCPUandETH
new file mode 100644
index 0000000..49928ca
--- /dev/null
+++ b/roles/scripte/files/logCPUandETH
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+source /home/core/Scripte/bashlib
+
+/usr/bin/mpstat 1 59 | adddate > /tmp/mlogtmp
+/usr/bin/tail -1 /tmp/mlogtmp >> /tmp/cpulog
+#
+/usr/bin/ifstat -w -n -i `getnic` 1 1 | adddate > /tmp/ilogtmp
+/usr/bin/tail -n 1 /tmp/ilogtmp >> /tmp/ethlog
+
+# DONE
diff --git a/roles/scripte/files/ubuntuVersion b/roles/scripte/files/ubuntuVersion
new file mode 100644
index 0000000..1cd8d47
--- /dev/null
+++ b/roles/scripte/files/ubuntuVersion
@@ -0,0 +1 @@
+lsb_release -a
diff --git a/roles/scripte/files/update b/roles/scripte/files/update
new file mode 100644
index 0000000..105cf40
--- /dev/null
+++ b/roles/scripte/files/update
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+echo Working on host `hostname`
+sudo apt-get update && yes Y | sudo apt-get upgrade && yes Y | sudo apt-get dist-upgrade && yes Y | sudo apt autoremove
+
+# sudo cp ~/Scripte/turn-stun-servers.xml.konfiguriert /usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml
+# sudo bbb-conf --setip `hostname`
+
+exit 0
+
diff --git a/roles/scripte/tasks/main.yml b/roles/scripte/tasks/main.yml
new file mode 100644
index 0000000..5174eb7
--- /dev/null
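Review bot: `getnic` in roles/scripte/files/bashlib is documented as returning the first active non-loopback NIC, but the pipeline prints every interface in state UP, so on a host with more than one the result is a space-separated list; logCPUandETH expands it unquoted after `-i`, and the extra names then land as positional arguments to ifstat. Append `| head -n 1` to the pipeline, and drop the redundant `echo` with backticks in favour of letting the pipeline write to stdout directly, `ip link show | grep "state UP" | grep -v "LOOPBACK" | awk '{print $2}' | sed 's/://g' | head -n 1`. The comments are in German; an English one-liner per function would help the next maintainer.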
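Review bot: logCPUandETH writes both its scratch files and its long-lived logs to fixed names under /tmp (`/tmp/mlogtmp`, `/tmp/cpulog`, `/tmp/ilogtmp`, `/tmp/ethlog`), a world-writable directory that the cron role additionally clears with `rm -rf /tmp/*` at 03:55, so the accumulated cpulog/ethlog lines are discarded daily and the predictable names can be pre-created by any other local account. The users role already creates `/home/core/tmp` and startufw logs there; pointing the two `>>` targets at that directory keeps the data, and `mktemp` is the right tool for the two scratch files. Quoting the substitution, `"$(getnic)"`, and adding `set -eu` after the shebang would make failures of mpstat/ifstat visible instead of producing empty log lines.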
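Review bot: In roles/scripte/files/update, `yes Y | sudo apt-get upgrade` (and the dist-upgrade/autoremove pipes) answer every prompt with `Y`, including debconf questions apt would otherwise stop on; apt's own non-interactive flag is the supported way, `sudo apt-get -y upgrade && sudo apt-get -y dist-upgrade && sudo apt -y autoremove`. The unconditional `exit 0` hides a failed `&&` chain from any caller, so either remove it or propagate the chain's status. The hostname substitution should be quoted, `echo "Working on host $(hostname)"`.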
+++ b/roles/scripte/tasks/main.yml
@@ -0,0 +1,52 @@
+---
+- name: Craete Scripte directory
+ file:
+ path: /home/core/Scripte
+ state: directory
+ owner: core
+ group: users
+ mode: 0775
+
+- name: Upload ubuntuVersion to core's Scripte directory
+ copy:
+ src: ubuntuVersion
+ dest: /home/core/Scripte/
+ owner: core
+ group: users
+ mode: 0755
+
+- name: Upload bashlib to core's Scripte directory
+ copy:
+ src: bashlib
+ dest: /home/core/Scripte/
+ owner: core
+ group: users
+ mode: 0755
+
+- name: Upload logCPUandETH to core's Scripte directory
+ copy:
+ src: logCPUandETH
+ dest: /home/core/Scripte/
+ owner: core
+ group: users
+ mode: 0755
+
+- name: Install sysstat and ifstat to provide mpstat/ifstat for logCPUandETH script
+ apt:
+ name:
+ - sysstat
+ - ifstat
+
+- name: Upload update to core's Scripte directory
+ copy:
+ src: update
+ dest: /home/core/Scripte/
+ owner: core
+ group: users
+ mode: 0755
+
+- name: Install vim for script editing
+ apt:
+ name:
+ - vim
+...
\ No newline at end of file
diff --git a/roles/snmp/files/snmpd.conf b/roles/snmp/files/snmpd.conf
new file mode 100644
index 0000000..6ffa2ae
--- /dev/null
+++ b/roles/snmp/files/snmpd.conf
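Review bot: `Craete Scripte directory` makes /home/core/Scripte group-writable (`mode: 0775`, `group: users`) while scripts placed there are later run with elevated rights — `startufw` by the ufw handler under the play's `become: true`, `logCPUandETH` from core's crontab on a host where core may have passwordless sudo — so any account in group `users` can replace a file that root executes; the 0755 file modes do not prevent that, because replacing a file only needs write access to the directory. Use `mode: "0755"` on the directory, and consider installing scripts that root runs under root ownership outside the user's home. The four near-identical `copy` tasks collapse into one with `loop: [ubuntuVersion, bashlib, logCPUandETH, update]` and `src: "{{ item }}"`; the task-name typo `Craete` should read `Create`.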
@@ -0,0 +1,90 @@
+# Listen for connections on all interfaces (both IPv4 *and* IPv6)
+agentAddress udp:161,udp6:[::1]:161
+
+view systemonly included .1.3.6.1.2.1.1
+view systemonly included .1.3.6.1.2.1.25.1
+
+
+rocommunity PRTG 128.1.10.73
+rocommunity PRTG 178.15.152.60
+
+rocommunity SDW 138.201.126.41 #root3.sdw.systems
+rocommunity SDW 88.99.138.96 #root4.sdw.systems
+rocommunity SDW 94.130.135.216 #root5.sdw.systems
+
+rocommunity SDW 178.15.59.28 #core-open-diakonie.de
+
+ # Default access to basic system info
+rocommunity public default -V systemonly
+ # rocommunity6 is for IPv6
+rocommunity6 public default -V systemonly
+
+
+###############################################################################
+#
+# SYSTEM INFORMATION
+#
+
+# Note that setting these values here, results in the corresponding MIB objects being 'read-only'
+# See snmpd.conf(5) for more details
+sysLocation Sitting on the Dock of the Bay
+sysContact Me
+ # Application + End-to-End layers
+sysServices 72
+
+
+#
+# Process Monitoring
+#
+ # At least one 'mountd' process
+proc mountd
+ # No more than 4 'ntalkd' processes - 0 is OK
+proc ntalkd 4
+ # At least one 'sendmail' process, but no more than 10
+proc sendmail 10 1
+
+# Walk the UCD-SNMP-MIB::prTable to see the resulting output
+# Note that this table will be empty if there are no "proc" entries in the snmpd.conf file
+
+
+#
+# Disk Monitoring
+#
+ # 10MBs required on root disk, 5% free on /var, 10% free on all other disks
+disk / 10000
+disk /var 5%
+includeAllDisks 10%
+
+# Walk the UCD-SNMP-MIB::dskTable to see the resulting output
+# Note that this table will be empty if there are no "disk" entries in the snmpd.conf file
+
+
+#
+# System Load
+#
+ # Unacceptable 1-, 5-, and 15-minute load averages
+load 12 10 5
+
+# Walk the UCD-SNMP-MIB::laTable to see the resulting output
+# Note that this table *will* be populated, even without a "load" entry in the snmpd.conf file
+
+
+
+###############################################################################
+#
+# ACTIVE MONITORING
+#
+
+ # send SNMPv1 traps
+ trapsink localhost public
+ # send SNMPv2c traps
+#
+# Event MIB - automatically generate alerts
+#
+ # Remember to activate the 'createUser' lines above
+iquerySecName internalUser
+rouser internalUser
+ # generate traps on UCD error conditions
+defaultMonitors yes
+ # generate traps on linkUp/Down
+linkUpDownNotifications yes
diff --git a/roles/snmp/handlers/main.yml b/roles/snmp/handlers/main.yml
new file mode 100644
index 0000000..09f338f
--- /dev/null
+++ b/roles/snmp/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart SNMPD
+ service:
+ name: snmpd
+ state: restarted
+...
\ No newline at end of file
diff --git a/roles/snmp/tasks/main.yml b/roles/snmp/tasks/main.yml
new file mode 100644
index 0000000..dab3c0e
--- /dev/null
+++ b/roles/snmp/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+
+- name: Install snmpd
+ apt:
+ name:
+ - snmpd
+
+- name: Upload snnmpd configuration file snmpd.conf to /etc/snmp
+ copy:
+ src: snmpd.conf
+ dest: /etc/snmpd/
+ owner: root
+ group: root
+ mode: 0600
+ notify: Restart SNMPD
+
+...
diff --git a/roles/sshd/handlers/main.yml b/roles/sshd/handlers/main.yml
new file mode 100644
index 0000000..7d8e4f7
--- /dev/null
+++ b/roles/sshd/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Restart SSHD
+ service:
+ name: sshd
+ state: restarted
+
+...
\ No newline at end of file
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
new file mode 100644
index 0000000..da5685d
--- /dev/null
+++ b/roles/sshd/tasks/main.yml
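Review bot: `iquerySecName internalUser` and `rouser internalUser` at the end of roles/snmp/files/snmpd.conf depend on a `createUser internalUser ...` line that the comment says to "activate above" but which is not in the file, so `defaultMonitors yes` and `linkUpDownNotifications yes` have no usable security name and snmpd will log errors for the internal queries rather than raise the traps. Either add the createUser line outside version control (net-snmp keeps it in /var/lib/snmp/snmpd.conf because it carries the passphrase) or drop those four directives together with `trapsink localhost public`, which sends v1 traps to a local receiver nothing here installs. `rocommunity public default -V systemonly` and its v6 twin accept the well-known community from any source; the view limits what is readable, but if only the PRTG/SDW pollers are meant to query, remove the two `default` lines and rely on the explicit source entries. Note that `128.1.10.73` is granted `rocommunity PRTG` here yet has no `ufw allow from` line in startufw, so one of the two files is stale.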
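Review bot: `dest: /etc/snmpd/` in the `Upload snnmpd configuration file` task points at a directory snmpd never reads; the daemon's configuration file is `/etc/snmp/snmpd.conf`, so the uploaded file ends up as /etc/snmpd/snmpd.conf, is ignored, and the `Restart SNMPD` handler restarts the stock configuration — including its default communities. Change it to `dest: /etc/snmp/snmpd.conf`, quote the mode as `mode: "0600"`, and fix the typo `snnmpd` in the task name so it matches the task's own `/etc/snmp` wording.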
@@ -0,0 +1,16 @@
+---
+- name: sshd write configuration block to sshd_config
+ blockinfile:
+ path: /etc/ssh/sshd_config
+ insertbefore: BOF # Beginning of the file
+ marker: "# {mark} ANSIBLE MANAGED BLOCK"
+ block: |
+ PermitRootLogin no
+ PubkeyAuthentication yes
+ AuthorizedKeysFile .ssh/authorized_keys
+ PasswordAuthentication no
+ backup: yes
+ validate: /usr/sbin/sshd -T -f %s
+ notify: Restart SSHD
+...
+
diff --git a/roles/ufw/files/startufw b/roles/ufw/files/startufw
new file mode 100644
index 0000000..758c8d4
--- /dev/null
+++ b/roles/ufw/files/startufw
@@ -0,0 +1,37 @@
+# ssh
+sudo ufw allow 22
+# dns
+sudo ufw allow 53
+# http
+sudo ufw allow http
+# https
+sudo ufw allow https
+# ntp
+sudo ufw allow 123
+# rsync
+sudo ufw allow 873
+# bbb
+sudo ufw allow 16384:32768/udp
+# snmtp root3
+sudo ufw allow from 138.201.126.41 to any port 161 proto udp
+# snmtp root4
+sudo ufw allow from 88.99.138.96 to any port 161 proto udp
+# snmtp root5
+sudo ufw allow from 94.130.135.216 to any port 161 proto udp
+# snmtp core rudi
+sudo ufw allow from 178.15.59.28 to any port 161 proto udp
+sudo ufw allow from 178.15.152.60 to any port 161 proto udp
+
+# private Netzwerkte gehen nicht - nach der Portscan-Sache auf dem bbb3
+sudo ufw deny out from any to 10.0.0.0/8
+
+# Achtung: Für greenlight-Installationen 172.x NICHT blocken, das wird vom GL-Dockercontainer verwendet
+sudo ufw deny out from any to 172.16.0.0/12
+
+sudo ufw deny out from any to 192.168.0.0/16
+sudo ufw deny out from any to 100.64.0.0/10
+sudo ufw deny out from any to 198.18.0.0/15
+sudo ufw deny out from any to 169.254.0.0/16
+
+echo y | sudo ufw enable
+sudo ufw status >> /home/core/tmp/ufwstatus.log
diff --git a/roles/ufw/handlers/main.yml b/roles/ufw/handlers/main.yml
new file mode 100644
index 0000000..a0b02db
--- /dev/null
+++ b/roles/ufw/handlers/main.yml
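Review bot: The managed block in roles/sshd/tasks/main.yml pins `PasswordAuthentication no` but not `ChallengeResponseAuthentication no`; on the OpenSSH 8.2 shipped with 20.04 keyboard-interactive password prompts are governed by the latter, and a drop-in under `/etc/ssh/sshd_config.d/` (cloud-init writes one on some images) could re-enable them. Adding `ChallengeResponseAuthentication no` to the block closes that gap, and `insertbefore: BOF` is the right anchor because sshd keeps the first value it reads — ahead of the `Include /etc/ssh/sshd_config.d/*.conf` line the stock focal file starts with, if that is the file on this host. `backup: yes` should be `backup: true` to match the booleans elsewhere in the repository (`become: true`, `passwordless_sudo: true`).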
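Review bot: startufw opens inbound `53`, `123` and `873` to the world, but nothing in this commit installs a resolver, an NTP server for clients, or an rsync daemon — the ntp role only installs the package for local time sync, and replies to outbound DNS/NTP queries pass through ufw's stateful tracking without inbound rules — so these three allows expose ports without a stated need; remove them or restrict them with `from <peer>` the way the 161/udp rules already do. The SNMP allow list also disagrees with snmpd.conf: `128.1.10.73` has a `rocommunity PRTG` entry there but no `sudo ufw allow from 128.1.10.73 to any port 161 proto udp` here, so either that poller is blocked or the community entry is stale. The file has no shebang and no `set -e`, so a rejected rule is silently skipped before `ufw enable`; since the ufw handler runs the script as root, the `sudo` prefixes are redundant there too. The comment spelling `snmtp` should be `snmp`.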
@@ -0,0 +1,6 @@
+---
+
+- name: Reconfigure and restart UFW
+ ansible.builtin.shell:
+ cmd: "/home/core/Scripte/startufw"
+...
\ No newline at end of file
diff --git a/roles/ufw/tasks/main.yml b/roles/ufw/tasks/main.yml
new file mode 100644
index 0000000..b7a7fad
--- /dev/null
+++ b/roles/ufw/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+
+- name: Install ufw
+ apt:
+ name:
+ - ufw
+
+- name: Upload ufw configuration script startufw to core user's Scripte directory
+ copy:
+ src: startufw
+ dest: /home/core/Scripte/
+ owner: core
+ group: users
+ mode: 0755
+ notify: Reconfigure and restart UFW
+
+...
diff --git a/roles/users/files/authorized_keys_core b/roles/users/files/authorized_keys_core
new file mode 100644
index 0000000..cb534f2
--- /dev/null
+++ b/roles/users/files/authorized_keys_core
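Review bot: The `Reconfigure and restart UFW` handler executes `/home/core/Scripte/startufw`, a script owned by `core` inside a directory the scripte role creates group-writable, with the play's `become: true` privileges, so root runs code that a non-root account on the box can replace; the ufw tasks hunk below has the same shape, since it only copies that script and notifies this handler. Declaring the rules with the `community.general.ufw` module (`rule: allow`, `port: "22"`, `proto: tcp`, then `state: enabled`) removes the shell script entirely, makes the role idempotent and lets `--check` show what would change. If the script must stay, install it root-owned outside the user's home, e.g. `dest: /usr/local/sbin/startufw` with `owner: root` and `mode: "0755"` (constructed path), and call it from there.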
@@ -0,0 +1,4 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLGR3klHdPzj5rOwoce8JdvkMGXoTSXdp66JhYYO4t5hWQRB+DZjvhpSBjvtKZZH07wHS0Ya69baDmwHiOhzhNwcs3hwi/I2k/ABSjmjRNNAMlxauHvaRviFYtx5/h7ZayKW9gpxU4e22/9k0F9XAaWkN8Mc7PgvagUy9POpP19gyBBS35kjFIKjOMrz1nQ+9jwUza7lARryctnDoaiUd7DHsLfvSa8Q1fVNUka+k0H1YtRxfsdU8CdMrQf+bDtUTjJupyT5xFphXEle31E49+WAsYGwXkpmQA4zM6E1gOJ0rgnmm/DFJeJ/DYaYP79XzwjvJxNSVMRAg6t5P5z93x benediktwismans@macmini
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSqGfwbqDQdkjG8s/iCVYlsXcVzScjm/D5xZ11AnWWTZ2rL4BitjYgTNx+3SRoM6K8mUYHFi5tTw3X5ZWcjIj+4UXqONA0pCfkVSo24obIqiCXa7+ZyI7MEW/lGmt4u02fJYCrrzxZCfHd3qR3hFAfv1b188ebEMDYpDORAek0PtMoKHVpNZDK9EBNotT7v92WGFngNSLd4qqnUexEd89zsv9mDlttQe6Z5oIHeFIpu0VsaOQiKXQHcKdwwsXdoTG7q989jJ9kRb3lC/Bs+fpzKd8Q/rPGLSkpJUA4RN6f7ZXJ7fQ86zNGZ7MsskcHJyQCdFPV/ESXNV9rabE6DX73 benediktwismans@acer
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdvEW4c8+OqO3bdc+5JonpEADbR304X5zXI5j9cOROK0XmK0BQVBrmimlcguEcBPinFRC7XaWgxH70bzPBcwTNVCQOzcAAF3zyuDFfLE5Kv5+vxp0g41AERYLC27Smwo8hQ/ckO+RSxFgM5FKTLErSqXdbtGMlFqA0b/auZhXDHXE+7ft8TSVFnTusrlYovNqwK3wuGHB2xs6gEqlVw5DVwhRsO/hq6pdoSx35GygQYWWPwY8vCSXaqrKbakG9GA0u4TqLE8StpnItEPfvQ3Fe/8AptC4u4JgYuucYZjFOQqzJdv0KHqKOriy7RdO01HxS6Ts7VnbvAc5aL8jZF9bl benediktwismans@intel
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSU++o+8yN2V9ojFnnHgkj7QgciurCxcK5b0Yei/I9BmwE8uAWgQR4DJw3iAkV+NSVJ0dsiqGwc6I9f8e9IsTStfcSlwYA8VENuFSelVu0Xph0CY8jPKV8h6gEM8+AQd4iYUgJeROtEkNZhh3D/ZC68ap5VxfF4PrHeDu0jE0C1fG6MGJ5btgI7IWAoaAkSAtoxC9latnFDhFBNmnJmq+d0DNNPBKoB5DG9wQvVxpeuuKzSZyDv87N3/28Uo8JqLm3r4ftBU0sWctymRS0Z5EDqHlLNFQdqQeSzPtQeNh5QOEKH+aa9aAsjINOaEpI2uIe0EYAmBOMjyzvi5BRy6AJ benediktwismans@vhostbbb
\ No newline at end of file
diff --git a/roles/users/files/authorized_keys_root b/roles/users/files/authorized_keys_root
new file mode 100644
index 0000000..dbb4273
--- /dev/null
+++ b/roles/users/files/authorized_keys_root
@@ -0,0 +1,3 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLGR3klHdPzj5rOwoce8JdvkMGXoTSXdp66JhYYO4t5hWQRB+DZjvhpSBjvtKZZH07wHS0Ya69baDmwHiOhzhNwcs3hwi/I2k/ABSjmjRNNAMlxauHvaRviFYtx5/h7ZayKW9gpxU4e22/9k0F9XAaWkN8Mc7PgvagUy9POpP19gyBBS35kjFIKjOMrz1nQ+9jwUza7lARryctnDoaiUd7DHsLfvSa8Q1fVNUka+k0H1YtRxfsdU8CdMrQf+bDtUTjJupyT5xFphXEle31E49+WAsYGwXkpmQA4zM6E1gOJ0rgnmm/DFJeJ/DYaYP79XzwjvJxNSVMRAg6t5P5z93x benediktwismans@macmini
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSqGfwbqDQdkjG8s/iCVYlsXcVzScjm/D5xZ11AnWWTZ2rL4BitjYgTNx+3SRoM6K8mUYHFi5tTw3X5ZWcjIj+4UXqONA0pCfkVSo24obIqiCXa7+ZyI7MEW/lGmt4u02fJYCrrzxZCfHd3qR3hFAfv1b188ebEMDYpDORAek0PtMoKHVpNZDK9EBNotT7v92WGFngNSLd4qqnUexEd89zsv9mDlttQe6Z5oIHeFIpu0VsaOQiKXQHcKdwwsXdoTG7q989jJ9kRb3lC/Bs+fpzKd8Q/rPGLSkpJUA4RN6f7ZXJ7fQ86zNGZ7MsskcHJyQCdFPV/ESXNV9rabE6DX73 benediktwismans@acer
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdvEW4c8+OqO3bdc+5JonpEADbR304X5zXI5j9cOROK0XmK0BQVBrmimlcguEcBPinFRC7XaWgxH70bzPBcwTNVCQOzcAAF3zyuDFfLE5Kv5+vxp0g41AERYLC27Smwo8hQ/ckO+RSxFgM5FKTLErSqXdbtGMlFqA0b/auZhXDHXE+7ft8TSVFnTusrlYovNqwK3wuGHB2xs6gEqlVw5DVwhRsO/hq6pdoSx35GygQYWWPwY8vCSXaqrKbakG9GA0u4TqLE8StpnItEPfvQ3Fe/8AptC4u4JgYuucYZjFOQqzJdv0KHqKOriy7RdO01HxS6Ts7VnbvAc5aL8jZF9bl benediktwismans@intel
diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml
new file mode 100644
index 0000000..8cc5ee2
--- /dev/null
+++ b/roles/users/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+- import_tasks: setup_sudo.yml
+- import_tasks: setup_users.yml
+- import_tasks: upload_pubkeys.yml
+
+...
\ No newline at end of file
diff --git a/roles/users/tasks/setup_sudo.yml b/roles/users/tasks/setup_sudo.yml
new file mode 100644
index 0000000..db01c79
--- /dev/null
+++ b/roles/users/tasks/setup_sudo.yml
@@ -0,0 +1,16 @@
+---
+
+- name: Indtall sudo
+ apt:
+ name: sudo
+
+- name: Create sudo-nopasswd group
+ group:
+ name: sudo-nopasswd
+
+- name: Add sudo-nopasswd group to sudoers
+ lineinfile:
+ dest: /etc/sudoers
+ line: "%sudo-nopasswd ALL=(ALL:ALL) NOPASSWD:ALL"
+ regexp: "^%sudo-nopasswd"
+...
diff --git a/roles/users/tasks/setup_users.yml b/roles/users/tasks/setup_users.yml
new file mode 100644
index 0000000..121fc87
--- /dev/null
+++ b/roles/users/tasks/setup_users.yml
@@ -0,0 +1,39 @@
+---
+
+- name: Create user core
+ user:
+ name: core
+ shell: /bin/bash
+ uid: 1000
+ group: users
+ groups: sudo
+ append: "true"
+ password: $6$A7Sw5gku7$0WqY/Z4Ei0axG.mZwDQlFJfK8Rtx6H0eKuP8CW23V5f/5j9sXendknLtXexQfgDzA4Ri55ZqhJnpf05MJV71J0
+
+- name: Add user core tp sudo-nopasswd group
+ user:
+ name: core
+ groups: sudo-nopasswd
+ append: "true"
+ when: passwordless_sudo is defined and passwordless_sudo == true
+
+- name: Remove user core from sudo-nopasswd group
+ shell: /usr/sbin/delgroup core sudo-nopasswd
+ when: not (passwordless_sudo is defined and passwordless_sudo == true)
+ ignore_errors: yes
+
+- name: Set vi as default editor in .bashrc of user code
+ lineinfile:
+ dest: /home/core/.bashrc
+ line: "export EDITOR=vi"
+ regexp: "^export EDITOR=vi"
+
+- name: Craete local tmp directory for user core
+ file:
+ path: /home/core/tmp
+ state: directory
+ owner: core
+ group: users
+ mode: 0775
+
+...
\ No newline at end of file
diff --git a/roles/users/tasks/upload_pubkeys.yml b/roles/users/tasks/upload_pubkeys.yml
new file mode 100644
index 0000000..bdb6b3d
--- /dev/null
+++ b/roles/users/tasks/upload_pubkeys.yml
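Review bot: The `Add sudo-nopasswd group to sudoers` task edits `/etc/sudoers` with `lineinfile` and no `validate:`, so a malformed `line:` on any future edit leaves sudo refusing every invocation on the host — and root SSH is already disabled by the sshd role, which leaves no recovery path short of the rescue console. Add `validate: /usr/sbin/visudo -cf %s` to the task, or better, write the rule as a drop-in `/etc/sudoers.d/sudo-nopasswd` with `mode: "0440"` and the same validate, since Ubuntu's sudoers already includes that directory. The task name typo `Indtall` should read `Install`.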
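Review bot: The `Create user core` task commits the account's password hash (`password: $6$...`) to the repository; a SHA-512 crypt hash is offline-crackable material and belongs in an Ansible Vault variable, e.g. `password: "{{ core_password_hash }}"` (constructed name), not in plain text under roles/. `append: "true"` is a string where the module expects a boolean (`append: true`), and both `when:` clauses reduce to `when: passwordless_sudo | default(false) | bool` and its negation. The `Remove user core from sudo-nopasswd group` task shells out to `delgroup` and masks the outcome with `ignore_errors: yes`, so it neither reports failure nor is idempotent; `user:` with the full `groups:` list and `append: false`, or `gpasswd -d core sudo-nopasswd` with a `changed_when`, is cleaner. The task names also carry the typos `tp`, `code` and `Craete`.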
@@ -0,0 +1,35 @@
+---
+
+- name: Create root user's .ssh directory
+ file:
+ path: /root/.ssh
+ state: directory
+ owner: root
+ group: root
+ mode: 0700
+
+- name: Upload root user's authorized keys file
+ copy:
+ src: authorized_keys_root
+ dest: /root/.ssh/authorized_keys
+ owner: root
+ group: root
+ mode: 0600
+
+- name: Create core user's .ssh directory
+ file:
+ path: /home/core/.ssh
+ state: directory
+ owner: core
+ group: users
+ mode: 0700
+
+- name: Upload core user's authorized keys file
+ copy:
+ src: authorized_keys_core
+ dest: /home/core/.ssh/authorized_keys
+ owner: core
+ group: users
+ mode: 0600
+
+...
\ No newline at end of file
diff --git a/run b/run
new file mode 100644
index 0000000..0abb0a7
--- /dev/null
+++ b/run
@@ -0,0 +1 @@
+ansible-playbook --extra-vars "target=bbb.xitq.de" install_image.yml