Ansible Rootserver / BBB Projekt Start

Benedikt Wismans 2022-11-17 19:11:54 +01:00
commit fa60c442b0
35 changed files with 540 additions and 0 deletions

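--- a/ansible.cfg
+++ b/ansible.cfg
@@ -0,0 +1,2 @@
+[defaults]
+inventory = hosts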

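--- a/bootstrapCore.yml
+++ b/bootstrapCore.yml
@@ -0,0 +1,16 @@
+---
+- hosts: "{{ target }}"
+remote_user: core
+become: true
+roles:
+- apt_upgrade
+- hostnames
+- ntp
+- users
+- sshd
+- scripte
+- cron
+- ufw
+- snmp
+...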

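--- a/bootstrapRoot.yml
+++ b/bootstrapRoot.yml
@@ -0,0 +1,12 @@
+---
+- hosts: "{{ target }}"
+remote_user: root
+roles:
+- apt_upgrade
+- hostnames
+- users
+- sshd
+# sshd schließt den root user von ssh aus, danach läuft das Playbook nicht mehr als root
+# Weiter geht's mit bootstrapCore
+...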

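--- a/host_vars/bbb.xitq.de
+++ b/host_vars/bbb.xitq.de
@@ -0,0 +1,9 @@
+---
+install_image:
+path: /root/.oldroot/nfs/install/installimage
+raid: yes -l 1
+image: /root/.oldroot/nfs/images/Ubuntu-2004-focal-64-minimal.tar.gz
+drives: sda,sdb
+passwordless_sudo: true
+...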
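Review bot: `raid: yes -l 1` smuggles a second command-line option through a value that the install_image role pastes unquoted into a `shell:` line, so anything typed into these host_vars reaches the shell unescaped and the RAID level only works by accident of that concatenation; model it as `raid: "yes"` plus `raid_level: 1` and let the role emit `-r` and `-l` itself. Keep `yes` quoted once the extra flag is gone, because a bare `yes` is a boolean in YAML 1.1 and would render as `True` on the command line. `passwordless_sudo: true` grants the core account NOPASSWD for every command permanently through setup_sudo.yml, not just for this run; if it only exists so that `become: true` works unattended, `ansible-playbook -K` or a vaulted become password avoids leaving that standing on the host.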

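--- a/hosts
+++ b/hosts
@@ -0,0 +1,2 @@
+bbb.xitq.de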

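--- a/install_image.yml
+++ b/install_image.yml
@@ -0,0 +1,10 @@
+---
+- hosts: "{{ target }}"
+gather_facts: false
+remote_user: root
+roles:
+- install_python
+- install_image
+...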
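Review bot: This play repartitions and reimages every disk in `install_image.drives` on whatever `target` expands to, and nothing in it asks for confirmation or limits the blast radius, so `target=all` or a typo in the inventory is a full wipe. A pre-task such as `- ansible.builtin.assert: { that: confirm_wipe | default(false) | bool, fail_msg: "pass -e confirm_wipe=true to reinstall {{ inventory_hostname }}" }` (or a `vars_prompt`) makes that survivable. `remote_user: root` with `gather_facts: false` is expected for the Hetzner rescue system and is fine here.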

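--- a/install_python.yml
+++ b/install_python.yml
@@ -0,0 +1,9 @@
+---
+- hosts: "{{ target }}"
+gather_facts: false
+remote_user: root
+roles:
+- install_python
+...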

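--- a/installimage
+++ b/installimage
@@ -0,0 +1,10 @@
+/root/.oldroot/nfs/install/installimage
+-a
+-n bbb.xitq.de
+-b grub
+-r yes
+-l 1
+-i /root/.oldroot/nfs/images/Ubuntu-2004-focal-64-minimal.tar.gz
+-p /boot:ext3:512M,/:ext4:all
+-d sda,sdb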


@ -0,0 +1,5 @@
---
- name: Update and upgrade apt packages
apt:
upgrade: "yes"
update_cache: "yes"
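Review bot: `upgrade: "yes"` is the apt module's `safe` mode, which skips any upgrade that needs a new dependency or a removal, so kernel, openssh and similar security updates can be held back silently on every run of this file (presumably roles/apt_upgrade/tasks/main.yml). For a bootstrap that is meant to bring the host fully current, `upgrade: dist` is the intended setting, and a `cache_valid_time: 3600` avoids re-fetching indexes on every run. Nothing here reboots after a kernel update; the nightly reboot in the cron role covers that only once the cron role has run.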

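--- a/roles/cron/tasks/main.yml
+++ b/roles/cron/tasks/main.yml
@@ -0,0 +1,23 @@
+- name: Install core user's crontab logCPUandETH
+ansible.builtin.cron:
+name: logCPUandETH
+user: core
+minute: "*"
+hour: "6-23"
+job: "/home/core/Scripte/logCPUandETH"
+- name: Install core user's crontab Delete /tmp files before rebooting at 4 AM
+ansible.builtin.cron:
+name: delete /tmp/* files before rebooting at 4 AM
+user: core
+minute: "55"
+hour: "3"
+job: "/bin/rm -rf /tmp/*"
+- name: Install core user's crontab logCPUandETH
+ansible.builtin.cron:
+name: reboot each night at 4.00 AM
+user: core
+minute: "0"
+hour: "4"
+job: "sudo /sbin/shutdown -r now"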
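Review bot: The nightly reboot in the last task runs `sudo /sbin/shutdown -r now` from core's crontab, which only works while core is in the sudo-nopasswd group; on a host where `passwordless_sudo` is false the job fails every night and the reboot silently never happens. Put it in root's crontab instead (`user: root`, `job: "/sbin/shutdown -r now"`) or, if it must stay with core, grant exactly that command in sudoers rather than relying on NOPASSWD:ALL. The `/bin/rm -rf /tmp/*` job five minutes earlier runs as core, so the sticky bit limits it to core's own files, but those include the cpulog/ethlog that logCPUandETH appends to, so the collected data never survives a day; if the logs matter, write them outside /tmp. The third task reuses the first task's name (`Install core user's crontab logCPUandETH`) although it installs the reboot entry.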


@ -0,0 +1,10 @@
### Hetzner Online GmbH installimage
127.0.0.1 localhost.localdomain localhost
116.202.217.88 bbb.xitq.de bbb
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
2a01:4f8:241:1e24::2 bbb.xitq.de bbb


@ -0,0 +1,15 @@
---
- name: Set hostname
hostname:
name: "{{ inventory_hostname }}"
- name: Copy hosts file to server
copy:
src: hosts
dest: /etc/hosts
owner: root
group: root
mode: 0644
...
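Review bot: `Copy hosts file to server` ships a static file that hard-codes one host's name and public IPv4/IPv6 addresses, so every other inventory entry this role is ever applied to ends up with bbb.xitq.de's addresses in its /etc/hosts. A `template:` task using `{{ inventory_hostname }}` with `{{ ansible_default_ipv4.address }}` and `{{ ansible_default_ipv6.address | default('') }}` keeps the role reusable, and both bootstrap plays already gather facts. `src: hosts` also shares its name with the inventory file at the repository root; Ansible resolves the role's own `files/hosts` first, but a distinct name such as `etc_hosts.j2` removes the ambiguity.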


@ -0,0 +1,19 @@
---
- name: Check if installimage script exists
stat:
path: /root/.oldroot/nfs/install/installimage
register: stat_result
- block:
- debug:
msg: "installimage script not found"
- meta: end_play
when: stat_result.stat.exists == false
- name: Execute installimage
shell: "{{ install_image.path }} -a -n {{ inventory_hostname }} -b grub -r {{ install_image.raid }} -i {{ install_image.image }} -p /boot:ext3:512M,/:ext4:all -d {{ install_image.drives }}"
- name: Rebooting...
shell: reboot
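Review bot: `Execute installimage` builds a disk-wiping command line by concatenating host_vars into `shell:`, so every value is interpreted by the shell, and `install_image.raid` currently carries a hidden `-l 1` that only works because of that; use `ansible.builtin.command` with `argv:` so each value is exactly one argument, and give the RAID level its own variable. `stat_result.stat.exists == false` reads better as `not stat_result.stat.exists`, and `meta: end_play` turns a missing installer into a silent green run where `ansible.builtin.fail` would tell the operator what happened. `shell: reboot` is acceptable as the final task; `ansible.builtin.command: /sbin/reboot` with `async: 1` and `poll: 0` avoids the dropped connection being reported as a failure. The fence assumes a `raid_level` key is added to host_vars next to `raid`.
```yaml
- name: Abort if installimage script is missing
  ansible.builtin.fail:
    msg: "installimage script not found at {{ install_image.path }}"
  when: not stat_result.stat.exists
- name: Execute installimage
  ansible.builtin.command:
    argv:
      - "{{ install_image.path }}"
      - -a
      - -n
      - "{{ inventory_hostname }}"
      - -b
      - grub
      - -r
      - "{{ install_image.raid }}"
      - -l
      - "{{ install_image.raid_level }}"
      - -i
      - "{{ install_image.image }}"
      - -p
      - /boot:ext3:512M,/:ext4:all
      - -d
      - "{{ install_image.drives }}"
# … unchanged: stat task before, reboot task after …
```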


@ -0,0 +1,5 @@
---
- name: Install Python on system (rescue or final)
raw: test -e /etc/bin/python3 || (apt -y update && apt install -y python3)
...
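Review bot: The `raw` test checks `/etc/bin/python3`, a path that does not exist on Ubuntu, so the condition is always false and `apt update && apt install` runs on every invocation, including on the finished system where the play is only meant to confirm an interpreter is present; the binary lives at `/usr/bin/python3`. Suggested line: `raw: test -e /usr/bin/python3 || (apt-get -y update && apt-get install -y python3)`. `apt-get` rather than `apt` also avoids the "unstable CLI" warning in non-interactive use.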

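--- a/roles/ntp/tasks/main.yml
+++ b/roles/ntp/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Install ntp
+apt:
+name:
+- ntp
+...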
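Review bot: Installing the `ntp` package starts a full ntpd that listens on UDP 123 on all interfaces, and the ufw script in this commit opens 123 inbound from any source, so the host becomes a publicly reachable NTP responder although it only needs a synced clock. If serving time to others is not intended, `chrony` (or the systemd-timesyncd that Ubuntu 20.04 already ships) keeps the clock without an open listener and the `ufw allow 123` line can go. Whether other machines query this host for time cannot be told from here; if they do, keep Ubuntu's `restrict default ... noquery` lines intact and limit the ufw rule to those sources.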


@ -0,0 +1,12 @@
# Fügt einen Zeitstempel an jede Zeile an
adddate() {
while IFS= read -r line; do
printf '%s %s\n' "$(date)" "$line";
done
}
# Gibt den Namen der 1. aktiven NIC zurück die nicht das Loopback Interface ist
# Funktioniert auf Ubuntu 20.04, andere Versionen ungetestet
getnic() {
echo `ip link show | grep "state UP" | grep -v "LOOPBACK" | awk '{print $2}' | sed 's/://g'`
}
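Review bot: `getnic` echoes every interface that `ip link show` reports as UP and not LOOPBACK, so on a host with more than one such interface (a bridge, or the Docker interfaces the ufw script mentions for Greenlight) it returns several names separated by spaces and the `ifstat -i` call in logCPUandETH receives a malformed argument. Taking the interface behind the default route is more robust: `ip -o route show default | awk '{print $5; exit}'`. The `echo` around a backticked pipeline is redundant, since a function's stdout is its result, and the `;` after `printf` in `adddate` is harmless but unusual.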


@ -0,0 +1,11 @@
#!/bin/bash
source /home/core/Scripte/bashlib
/usr/bin/mpstat 1 59 | adddate > /tmp/mlogtmp
/usr/bin/tail -1 /tmp/mlogtmp >> /tmp/cpulog
#
/usr/bin/ifstat -w -n -i `getnic` 1 1 | adddate > /tmp/ilogtmp
/usr/bin/tail -n 1 /tmp/ilogtmp >> /tmp/ethlog
# DONE
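Review bot: The script writes to fixed, predictable names in the shared `/tmp` (`/tmp/mlogtmp`, `/tmp/ilogtmp`, `/tmp/cpulog`, `/tmp/ethlog`) every minute as user core, so any other local account can pre-create those names and either break the writes (with Ubuntu's `fs.protected_regular` the `>` becomes a permission error) or, where that sysctl is off, read and plant data in them. Use `mktemp` for the two scratch files and keep the long-lived logs in a directory core owns, e.g. `/home/core/tmp`, which the users role already creates, or a root-provisioned `/var/log/` location. Note also that the cron role's `rm -rf /tmp/*` at 03:55 deletes cpulog and ethlog nightly, so at most one day of history ever exists.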


@ -0,0 +1 @@
lsb_release -a


@ -0,0 +1,10 @@
#!/bin/bash
echo Working on host `hostname`
sudo apt-get update && yes Y | sudo apt-get upgrade && yes Y | sudo apt-get dist-upgrade && yes Y | sudo apt autoremove
# sudo cp ~/Scripte/turn-stun-servers.xml.konfiguriert /usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml
# sudo bbb-conf --setip `hostname`
exit 0
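Review bot: `yes Y | sudo apt-get upgrade` (and the dist-upgrade and autoremove after it) answers every prompt with `Y`, including dpkg's conffile question, where `Y` means install the package maintainer's version; an openssh-server update would then overwrite `/etc/ssh/sshd_config` and drop the `PermitRootLogin no` / `PasswordAuthentication no` block the sshd role inserted. Use the non-interactive flags instead, `sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::=--force-confold upgrade` and the same for `dist-upgrade` and `autoremove`, which keeps locally modified configuration files. The trailing `exit 0` hides any failure from the operator; `set -e` at the top and no explicit exit is the usual shape.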


@ -0,0 +1,52 @@
---
- name: Craete Scripte directory
file:
path: /home/core/Scripte
state: directory
owner: core
group: users
mode: 0775
- name: Upload ubuntuVersion to core's Scripte directory
copy:
src: ubuntuVersion
dest: /home/core/Scripte/
owner: core
group: users
mode: 0755
- name: Upload bashlib to core's Scripte directory
copy:
src: bashlib
dest: /home/core/Scripte/
owner: core
group: users
mode: 0755
- name: Upload logCPUandETH to core's Scripte directory
copy:
src: logCPUandETH
dest: /home/core/Scripte/
owner: core
group: users
mode: 0755
- name: Install sysstat and ifstat to provide mpstat/ifstat for logCPUandETH script
apt:
name:
- sysstat
- ifstat
- name: Upload update to core's Scripte directory
copy:
src: update
dest: /home/core/Scripte/
owner: core
group: users
mode: 0755
- name: Install vim for script editing
apt:
name:
- vim
...
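Review bot: `Craete Scripte directory` creates `/home/core/Scripte` with `mode: 0775` and `group: users`, so every account in group users can delete and recreate the files inside it regardless of their 0755 mode, and those files are executed by core's cron every minute (`logCPUandETH`), by root through the ufw handler (`startufw`), and with sudo by hand (`update`); that is a local privilege-escalation path from group users to core and on to root via the NOPASSWD sudo granted in the users role. Make it `mode: "0755"`, preferably with `group: core`, and apply the same to `/home/core/tmp` in setup_users.yml. File modes should be quoted strings (`mode: "0755"`) to avoid the octal/decimal ambiguity, and the task name has a typo (`Craete`).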


@ -0,0 +1,90 @@
# Listen for connections on all interfaces (both IPv4 *and* IPv6)
agentAddress udp:161,udp6:[::1]:161
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1
rocommunity PRTG 128.1.10.73
rocommunity PRTG 178.15.152.60
rocommunity SDW 138.201.126.41 #root3.sdw.systems
rocommunity SDW 88.99.138.96 #root4.sdw.systems
rocommunity SDW 94.130.135.216 #root5.sdw.systems
rocommunity SDW 178.15.59.28 #core-open-diakonie.de
# Default access to basic system info
rocommunity public default -V systemonly
# rocommunity6 is for IPv6
rocommunity6 public default -V systemonly
###############################################################################
#
# SYSTEM INFORMATION
#
# Note that setting these values here, results in the corresponding MIB objects being 'read-only'
# See snmpd.conf(5) for more details
sysLocation Sitting on the Dock of the Bay
sysContact Me <me@example.org>
# Application + End-to-End layers
sysServices 72
#
# Process Monitoring
#
# At least one 'mountd' process
proc mountd
# No more than 4 'ntalkd' processes - 0 is OK
proc ntalkd 4
# At least one 'sendmail' process, but no more than 10
proc sendmail 10 1
# Walk the UCD-SNMP-MIB::prTable to see the resulting output
# Note that this table will be empty if there are no "proc" entries in the snmpd.conf file
#
# Disk Monitoring
#
# 10MBs required on root disk, 5% free on /var, 10% free on all other disks
disk / 10000
disk /var 5%
includeAllDisks 10%
# Walk the UCD-SNMP-MIB::dskTable to see the resulting output
# Note that this table will be empty if there are no "disk" entries in the snmpd.conf file
#
# System Load
#
# Unacceptable 1-, 5-, and 15-minute load averages
load 12 10 5
# Walk the UCD-SNMP-MIB::laTable to see the resulting output
# Note that this table *will* be populated, even without a "load" entry in the snmpd.conf file
###############################################################################
#
# ACTIVE MONITORING
#
# send SNMPv1 traps
trapsink localhost public
# send SNMPv2c traps
#
# Event MIB - automatically generate alerts
#
# Remember to activate the 'createUser' lines above
iquerySecName internalUser
rouser internalUser
# generate traps on UCD error conditions
defaultMonitors yes
# generate traps on linkUp/Down
linkUpDownNotifications yes
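Review bot: `agentAddress udp:161,udp6:[::1]:161` binds IPv4 on every interface while `rocommunity public default -V systemonly` (and the `rocommunity6` twin) answers the default community from any source, so system and host-resources data is readable by anyone who reaches UDP 161 and only the ufw rules stand between that and the Internet; drop the `public` lines or bind them to `127.0.0.1`. The monitoring sources also diverge from the firewall: `rocommunity PRTG 128.1.10.73` has no matching ufw allow, and ufw allows `178.15.152.60` under the SNMP comments. The rest is the Debian template left untouched: `sysLocation`/`sysContact` placeholders, `proc mountd`/`ntalkd`/`sendmail` checks that will raise error flags on a BBB host, and `iquerySecName internalUser` with no `createUser internalUser` line, so `defaultMonitors` and `linkUpDownNotifications` cannot query and snmpd will log errors. SNMPv2c communities travel in cleartext and the per-source check is spoofable over UDP; SNMPv3 `rouser` with authPriv is the durable fix for the PRTG/SDW pollers.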


@ -0,0 +1,6 @@
---
- name: Restart SNMPD
service:
name: snmpd
state: restarted
...

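--- a/roles/snmp/tasks/main.yml
+++ b/roles/snmp/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+- name: Install snmpd
+apt:
+name:
+- snmpd
+- name: Upload snnmpd configuration file snmpd.conf to /etc/snmp
+copy:
+src: snmpd.conf
+dest: /etc/snmpd/
+owner: root
+group: root
+mode: 0600
+notify: Restart SNMPD
+...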
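Review bot: `dest: /etc/snmpd/` on the upload task is the wrong directory, so the copy module creates `/etc/snmpd/snmpd.conf` and snmpd keeps reading the package default in `/etc/snmp/snmpd.conf`, which as shipped typically listens on loopback only; the task name already says `/etc/snmp`. The fix is `dest: /etc/snmp/snmpd.conf`, but be aware that the moment it is corrected the uploaded file's `agentAddress udp:161` and `rocommunity public default` become live, so review that file first. `mode: 0600` should be the string `"0600"`; it works now only because the module special-cases leading-zero integers, and the task name has a typo (`snnmpd`).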


@ -0,0 +1,7 @@
---
- name: Restart SSHD
service:
name: sshd
state: restarted
...

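--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+- name: sshd write configuration block to sshd_config
+blockinfile:
+path: /etc/ssh/sshd_config
+insertbefore: BOF # Beginning of the file
+marker: "# {mark} ANSIBLE MANAGED BLOCK"
+block: |
+PermitRootLogin no
+PubkeyAuthentication yes
+AuthorizedKeysFile .ssh/authorized_keys
+PasswordAuthentication no
+backup: yes
+validate: /usr/sbin/sshd -T -f %s
+notify: Restart SSHD
+...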
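Review bot: The block turns off password and root login but leaves `ChallengeResponseAuthentication` (keyboard-interactive through PAM) at whatever the distribution file says, and with Ubuntu's `UsePAM yes` that path can still accept the core password; add `ChallengeResponseAuthentication no` (plus `KbdInteractiveAuthentication no` on newer OpenSSH) to the block. `insertbefore: BOF` is the right choice because sshd keeps the first value it sees for each keyword, so these lines beat any later `Include /etc/ssh/sshd_config.d/*.conf` drop-in such as a cloud-init file re-enabling passwords; a comment saying exactly that would stop someone moving the block to EOF. The lockout risk is handled by role order (users uploads keys before sshd runs), which is worth stating in the task name or a comment, and `backup: yes` should be `true`.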

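--- a/roles/ufw/files/startufw
+++ b/roles/ufw/files/startufw
@@ -0,0 +1,37 @@
+# ssh
+sudo ufw allow 22
+# dns
+sudo ufw allow 53
+# http
+sudo ufw allow http
+# https
+sudo ufw allow https
+# ntp
+sudo ufw allow 123
+# rsync
+sudo ufw allow 873
+# bbb
+sudo ufw allow 16384:32768/udp
+# snmtp root3
+sudo ufw allow from 138.201.126.41 to any port 161 proto udp
+# snmtp root4
+sudo ufw allow from 88.99.138.96 to any port 161 proto udp
+# snmtp root5
+sudo ufw allow from 94.130.135.216 to any port 161 proto udp
+# snmtp core rudi
+sudo ufw allow from 178.15.59.28 to any port 161 proto udp
+sudo ufw allow from 178.15.152.60 to any port 161 proto udp
+# private Netzwerkte gehen nicht - nach der Portscan-Sache auf dem bbb3
+sudo ufw deny out from any to 10.0.0.0/8
+# Achtung: Für greenlight-Installationen 172.x NICHT blocken, das wird vom GL-Dockercontainer verwendet
+sudo ufw deny out from any to 172.16.0.0/12
+sudo ufw deny out from any to 192.168.0.0/16
+sudo ufw deny out from any to 100.64.0.0/10
+sudo ufw deny out from any to 198.18.0.0/15
+sudo ufw deny out from any to 169.254.0.0/16
+echo y | sudo ufw enable
+sudo ufw status >> /home/core/tmp/ufwstatus.log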
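Review bot: The allow list opens more than a BigBlueButton host needs from the whole Internet: `ufw allow 53` (inbound DNS, tcp and udp), `ufw allow 123` (inbound NTP) and `ufw allow 873` (cleartext rsync) accept any source, while the BBB media range, HTTP/S and SSH are the only services the rest of the commit actually sets up. Remove them or pin them to a source (`sudo ufw allow from <backup-host> to any port 873 proto tcp`), and state the baseline explicitly with `sudo ufw default deny incoming` and `sudo ufw default allow outgoing` before the allows. `echo y | sudo ufw enable` can be `sudo ufw --force enable`, the file has no `#!/bin/bash` line although the handler executes it as a program, and the `deny out ... 172.16.0.0/12` rule contradicts the comment right above it that says not to block that range on Greenlight installs; whether this host runs Greenlight cannot be told from here. The `snmtp` comments presumably mean SNMP.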


@ -0,0 +1,6 @@
---
- name: Reconfigure and restart UFW
ansible.builtin.shell:
cmd: "/home/core/Scripte/startufw"
...
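Review bot: The handler runs `/home/core/Scripte/startufw` under the play's `become: true`, so root executes a script that lives in a directory owned by core and writable by group users (scripte role, `mode: 0775`); anyone who can write there gets root on the next playbook run. Have Ansible apply the rules itself with `community.general.ufw` tasks, or copy the script to a root-owned path such as `/usr/local/sbin/startufw` with `owner: root` and `mode: "0755"` and point `cmd:` there. Every `sudo` inside the script is redundant once it runs as root.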

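--- a/roles/ufw/tasks/main.yml
+++ b/roles/ufw/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+- name: Install ufw
+apt:
+name:
+- ufw
+- name: Upload ufw configuration script startufw to core user's Scripte directory
+copy:
+src: startufw
+dest: /home/core/Scripte/
+owner: core
+group: users
+mode: 0755
+notify: Reconfigure and restart UFW
+...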


@ -0,0 +1,4 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLGR3klHdPzj5rOwoce8JdvkMGXoTSXdp66JhYYO4t5hWQRB+DZjvhpSBjvtKZZH07wHS0Ya69baDmwHiOhzhNwcs3hwi/I2k/ABSjmjRNNAMlxauHvaRviFYtx5/h7ZayKW9gpxU4e22/9k0F9XAaWkN8Mc7PgvagUy9POpP19gyBBS35kjFIKjOMrz1nQ+9jwUza7lARryctnDoaiUd7DHsLfvSa8Q1fVNUka+k0H1YtRxfsdU8CdMrQf+bDtUTjJupyT5xFphXEle31E49+WAsYGwXkpmQA4zM6E1gOJ0rgnmm/DFJeJ/DYaYP79XzwjvJxNSVMRAg6t5P5z93x benediktwismans@macmini
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSqGfwbqDQdkjG8s/iCVYlsXcVzScjm/D5xZ11AnWWTZ2rL4BitjYgTNx+3SRoM6K8mUYHFi5tTw3X5ZWcjIj+4UXqONA0pCfkVSo24obIqiCXa7+ZyI7MEW/lGmt4u02fJYCrrzxZCfHd3qR3hFAfv1b188ebEMDYpDORAek0PtMoKHVpNZDK9EBNotT7v92WGFngNSLd4qqnUexEd89zsv9mDlttQe6Z5oIHeFIpu0VsaOQiKXQHcKdwwsXdoTG7q989jJ9kRb3lC/Bs+fpzKd8Q/rPGLSkpJUA4RN6f7ZXJ7fQ86zNGZ7MsskcHJyQCdFPV/ESXNV9rabE6DX73 benediktwismans@acer
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdvEW4c8+OqO3bdc+5JonpEADbR304X5zXI5j9cOROK0XmK0BQVBrmimlcguEcBPinFRC7XaWgxH70bzPBcwTNVCQOzcAAF3zyuDFfLE5Kv5+vxp0g41AERYLC27Smwo8hQ/ckO+RSxFgM5FKTLErSqXdbtGMlFqA0b/auZhXDHXE+7ft8TSVFnTusrlYovNqwK3wuGHB2xs6gEqlVw5DVwhRsO/hq6pdoSx35GygQYWWPwY8vCSXaqrKbakG9GA0u4TqLE8StpnItEPfvQ3Fe/8AptC4u4JgYuucYZjFOQqzJdv0KHqKOriy7RdO01HxS6Ts7VnbvAc5aL8jZF9bl benediktwismans@intel
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSU++o+8yN2V9ojFnnHgkj7QgciurCxcK5b0Yei/I9BmwE8uAWgQR4DJw3iAkV+NSVJ0dsiqGwc6I9f8e9IsTStfcSlwYA8VENuFSelVu0Xph0CY8jPKV8h6gEM8+AQd4iYUgJeROtEkNZhh3D/ZC68ap5VxfF4PrHeDu0jE0C1fG6MGJ5btgI7IWAoaAkSAtoxC9latnFDhFBNmnJmq+d0DNNPBKoB5DG9wQvVxpeuuKzSZyDv87N3/28Uo8JqLm3r4ftBU0sWctymRS0Z5EDqHlLNFQdqQeSzPtQeNh5QOEKH+aa9aAsjINOaEpI2uIe0EYAmBOMjyzvi5BRy6AJ benediktwismans@vhostbbb
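Review bot: The fourth key, `benediktwismans@vhostbbb`, carries a host-like comment, which suggests the private key sits on another server; if so, a compromise of that machine yields the core account here and, through the sudo-nopasswd group, root, which cannot be confirmed from the comment alone but is worth checking. A server-to-server key should at least be restricted with `from="<ip>"` and, if it exists for one task, `command="..."` options in front of the `ssh-rsa` token. All four entries are 2048-bit RSA, judging by the `AAAABAQ` length prefix; new keys should be `ssh-ed25519`.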


@ -0,0 +1,3 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLGR3klHdPzj5rOwoce8JdvkMGXoTSXdp66JhYYO4t5hWQRB+DZjvhpSBjvtKZZH07wHS0Ya69baDmwHiOhzhNwcs3hwi/I2k/ABSjmjRNNAMlxauHvaRviFYtx5/h7ZayKW9gpxU4e22/9k0F9XAaWkN8Mc7PgvagUy9POpP19gyBBS35kjFIKjOMrz1nQ+9jwUza7lARryctnDoaiUd7DHsLfvSa8Q1fVNUka+k0H1YtRxfsdU8CdMrQf+bDtUTjJupyT5xFphXEle31E49+WAsYGwXkpmQA4zM6E1gOJ0rgnmm/DFJeJ/DYaYP79XzwjvJxNSVMRAg6t5P5z93x benediktwismans@macmini
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSqGfwbqDQdkjG8s/iCVYlsXcVzScjm/D5xZ11AnWWTZ2rL4BitjYgTNx+3SRoM6K8mUYHFi5tTw3X5ZWcjIj+4UXqONA0pCfkVSo24obIqiCXa7+ZyI7MEW/lGmt4u02fJYCrrzxZCfHd3qR3hFAfv1b188ebEMDYpDORAek0PtMoKHVpNZDK9EBNotT7v92WGFngNSLd4qqnUexEd89zsv9mDlttQe6Z5oIHeFIpu0VsaOQiKXQHcKdwwsXdoTG7q989jJ9kRb3lC/Bs+fpzKd8Q/rPGLSkpJUA4RN6f7ZXJ7fQ86zNGZ7MsskcHJyQCdFPV/ESXNV9rabE6DX73 benediktwismans@acer
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdvEW4c8+OqO3bdc+5JonpEADbR304X5zXI5j9cOROK0XmK0BQVBrmimlcguEcBPinFRC7XaWgxH70bzPBcwTNVCQOzcAAF3zyuDFfLE5Kv5+vxp0g41AERYLC27Smwo8hQ/ckO+RSxFgM5FKTLErSqXdbtGMlFqA0b/auZhXDHXE+7ft8TSVFnTusrlYovNqwK3wuGHB2xs6gEqlVw5DVwhRsO/hq6pdoSx35GygQYWWPwY8vCSXaqrKbakG9GA0u4TqLE8StpnItEPfvQ3Fe/8AptC4u4JgYuucYZjFOQqzJdv0KHqKOriy7RdO01HxS6Ts7VnbvAc5aL8jZF9bl benediktwismans@intel
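Review bot: These three keys give root a shell until the sshd role sets `PermitRootLogin no`, which is the intended bootstrapRoot window, but they stay on disk afterwards and become live again the moment someone relaxes that setting or a package update replaces sshd_config. If root access is only needed for the rescue/bootstrap phase, have a later task remove `/root/.ssh/authorized_keys` once core is usable; otherwise prefix each entry with a `from="<admin-ip>"` restriction. The file is also a strict subset of the core file, so a single key list fed to `authorized_key` tasks would keep the two from drifting apart.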


@ -0,0 +1,6 @@
---
- import_tasks: setup_sudo.yml
- import_tasks: setup_users.yml
- import_tasks: upload_pubkeys.yml
...


@ -0,0 +1,16 @@
---
- name: Indtall sudo
apt:
name: sudo
- name: Create sudo-nopasswd group
group:
name: sudo-nopasswd
- name: Add sudo-nopasswd group to sudoers
lineinfile:
dest: /etc/sudoers
line: "%sudo-nopasswd ALL=(ALL:ALL) NOPASSWD:ALL"
regexp: "^%sudo-nopasswd"
...
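Review bot: `Add sudo-nopasswd group to sudoers` edits `/etc/sudoers` in place with no `validate:`, so a malformed line locks everyone out of sudo on a host where root SSH is about to be disabled; add `validate: "/usr/sbin/visudo -cf %s"` and prefer a drop-in, `dest: /etc/sudoers.d/sudo-nopasswd` with `create: true` and `mode: "0440"`, which is also easier to remove cleanly. `%sudo-nopasswd ALL=(ALL:ALL) NOPASSWD:ALL` is unrestricted root for the group; if the only consumer is unattended `become`, `ansible-playbook -K` or a vaulted `ansible_become_password` avoids granting it permanently. The task name has a typo (`Indtall`).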


@ -0,0 +1,39 @@
---
- name: Create user core
user:
name: core
shell: /bin/bash
uid: 1000
group: users
groups: sudo
append: "true"
password: $6$A7Sw5gku7$0WqY/Z4Ei0axG.mZwDQlFJfK8Rtx6H0eKuP8CW23V5f/5j9sXendknLtXexQfgDzA4Ri55ZqhJnpf05MJV71J0
- name: Add user core tp sudo-nopasswd group
user:
name: core
groups: sudo-nopasswd
append: "true"
when: passwordless_sudo is defined and passwordless_sudo == true
- name: Remove user core from sudo-nopasswd group
shell: /usr/sbin/delgroup core sudo-nopasswd
when: not (passwordless_sudo is defined and passwordless_sudo == true)
ignore_errors: yes
- name: Set vi as default editor in .bashrc of user code
lineinfile:
dest: /home/core/.bashrc
line: "export EDITOR=vi"
regexp: "^export EDITOR=vi"
- name: Craete local tmp directory for user core
file:
path: /home/core/tmp
state: directory
owner: core
group: users
mode: 0775
...
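Review bot: `Create user core` commits a SHA-512 crypt hash (`password: $6$A7Sw5gku7$...`) to version control, so the same core password lands on every host built from this repository and anyone with read access to the repo can attack it offline; move it to an `ansible-vault` variable (`password: "{{ core_password_hash }}"`) or, since SSH is key-only, set no password and let sudo be the only thing it guards, in which case `passwordless_sudo` should stay false. `update_password: on_create` is worth adding so a later manual `passwd` is not reverted on every run. `Remove user core from sudo-nopasswd group` shells out to `delgroup` with `ignore_errors: yes`, which also hides real failures; `gpasswd -d core sudo-nopasswd` with a `failed_when` that tolerates only "is not a member" is more honest, and both `when:` clauses reduce to `passwordless_sudo | default(false) | bool`. `/home/core/tmp` gets `mode: 0775` with group users, like the Scripte directory, which lets other local users drop files where the ufw handler appends its status log; `"0755"` is enough.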


@ -0,0 +1,35 @@
---
- name: Create root user's .ssh directory
file:
path: /root/.ssh
state: directory
owner: root
group: root
mode: 0700
- name: Upload root user's authorized keys file
copy:
src: authorized_keys_root
dest: /root/.ssh/authorized_keys
owner: root
group: root
mode: 0600
- name: Create core user's .ssh directory
file:
path: /home/core/.ssh
state: directory
owner: core
group: users
mode: 0700
- name: Upload core user's authorized keys file
copy:
src: authorized_keys_core
dest: /home/core/.ssh/authorized_keys
owner: core
group: users
mode: 0600
...
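Review bot: Copying whole `authorized_keys` files enforces an exact key set, but it leaves nowhere to express per-key restrictions; `ansible.builtin.authorized_key` with `exclusive: true` does the same replacement and accepts `key_options`, which is where `from=` / `command=` limits for a server-resident key belong. The root file is installed by the same play that later sets `PermitRootLogin no`, so those keys are usable only during bootstrapRoot; naming the task `Upload root user's authorized keys file (bootstrap phase only)` makes that intent visible to the next reader.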

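--- a/run
+++ b/run
@@ -0,0 +1 @@
+ansible-playbook --extra-vars "target=bbb.xitq.de" install_image.yml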