Merge branch 'infra_first_commit'

onalyrg 2025-05-09 23:25:40 +02:00
parent 14c23f3f44
commit 1c55a9baed
No known key found for this signature in database
GPG key ID: C5D2708CDF29B4D1
998 changed files with 54874 additions and 1 deletions

1
.gitignore vendored Normal file

@ -0,0 +1 @@
*.passphrase

162
README.md

@ -1,3 +1,165 @@
# configs
Ansible playbooks and roles used to deploy configurations for the Rhizogenes infrastructure.
# Prerequisites
* ssh client with ssh-agent
* git client -- necessary
* bash -- needed only for shell scripts
* ansible (>= 2.7) -- necessary
* rsync -- needed only for the script `sync-test.sh`
* ansible-lint (>= 2.7) -- non-necessary, recommended
* sshpass -- non-necessary (used to type ssh password only once when using postinstall.sh)
* gnupg + pass + pass-ansible repo -- non-necessary, needed for pass-client.sh, recommended for postinstall.sh
If you decide to clone the repo elsewhere than `~/git/configs` :
```bash
$ echo "CONFIGS_DIR=path_of_your_clone" >> .bashrc
```
# Simple usage
```bash
~/git$ export u=ansible; g=gitolite3
~/git$ git clone --recursive ${g}@ov2.rhizogen.es.eu.org/onalyrg-public/configs.git && cd configs
# make your changes
# **TEST** your changes
~/git/configs$ ansible-playbook -v -D -i inventory/hosts --vault-id other/ansible-vault/default@pass-client.sh g02.rhizogen.es.eu.org.yaml
# push :
~/git/configs$ git add -A
~/git/configs$ git commit -p -m "commit message"
~/git/configs$ git push
~/git/configs$ ssh -A ${u}@ov2.rhizogen.es.eu.org 'cd ~/git/configs/ && git pull'
~/git/configs$ ssh -t -A ${u}@ov2.rhizogen.es.eu.org 'ansible-playbook -D -i ~/git/configs/inventory/hosts --ask-vault-pass ~/git/configs/g02.rhizogen.es.eu.org.yaml'
```
# Recommended usage, automated
```bash
~/git$ export u=ansible; g=gitolite3
~/git$ git clone --recursive ${g}@ov2.rhizogen.es.eu.org/onalyrg-public/configs.git && cd configs
# make your changes, in a branch :
~/git/configs$ ./gitwrap.sh newfeature myproject
~/git/configs$ [...] #changes
# **TEST** your changes :
~/git/configs$ ./gitwrap.sh add -A
~/git/configs$ ./gitwrap.sh commit -m "commit message"
~/git/configs$ ./sync-test.sh g02.rhizogen.es.eu.org
# you can also use these tools :
~/git/configs$ ansible-playbook -i ~/git/configs/inventory/hosts --syntax-check ~/git/configs/g02.rhizogen.es.eu.org.yaml
~/git/configs$ ansible-lint g02.rhizogen.es.eu.org.yaml
# if everything's OK, push to prod :
~/git/configs$ ./gitwrap.sh checkout master
~/git/configs$ ./gitwrap.sh fusion myproject
~/git/configs$ ./push-prod.sh g02.rhizogen.es.eu.org
# if you are sure of yourself, delete your branch and cleanup :
~/git/configs$ ./gitwrap.sh branch -D myproject
~/git/configs$ ssh -A ${u}@ov2.rhizogen.es.eu.org "rm -rf /tmp/git/configs-myproject-g02.rhizogen.es.eu.org"
```
# Recommended usage, by hand
```bash
~/git$ export u=ansible; g=gitolite3
~/git$ git clone --recursive ${g}@ov2.rhizogen.es.eu.org/onalyrg-public/configs.git && cd configs
# make your changes, in a branch :
~/git/configs$ cd inventory && git branch myproject ; cd .. && git branch myproject
~/git/configs$ cd inventory && git checkout myproject ; cd .. && git checkout myproject
~/git/configs$ [...] #changes
# **TEST** your changes :
~/git/configs$ cd inventory && git add [...] && git commit -m "commit message"
~/git/configs/inventory$ cd .. && git add [...] && git add inventory && git commit -m "commit message"
~/git/configs$ ./sync-test.sh g02.rhizogen.es.eu.org
# you can also use these tools :
~/git/configs$ ansible-playbook -i ~/git/configs/inventory/hosts --syntax-check ~/git/configs/g02.rhizogen.es.eu.org.yaml
~/git/configs$ ansible-lint g02.rhizogen.es.eu.org.yaml
# if everything's OK, push to prod :
~/git/configs$ cd inventory && git checkout master ; cd .. && git checkout master
~/git/configs$ cd inventory && git merge --no-commit --squash myproject && git commit -m "merging myproject"
~/git/configs/inventory$ cd .. && git merge --no-commit --squash myproject && git add inventory && git commit -m "merging myproject"
~/git/configs$ ./push-prod.sh g02.rhizogen.es.eu.org
# if you are sure of yourself, delete your branch and cleanup :
~/git/configs$ cd inventory && git branch -D myproject ; cd .. && git branch -D myproject
~/git/configs$ ssh -A ${u}@ov2.rhizogen.es.eu.org "rm -rf /tmp/git/configs-myproject-g02.rhizogen.es.eu.org"
```
# Ansible cheatsheet
Encrypt the value `foo-bar-quux` of variable `var_name` :
```bash
~/git/configs$ ansible-vault encrypt_string 'foo-bar-quux' --name 'var_name' --ask-vault-pass
# OR
~/git/configs$ ansible-vault encrypt_string 'foo-bar-quux' --name 'var_name' --vault-id other/ansible-vault/default@~/git/configs/pass-client.sh
```
Encrypt a file :
```bash
~/git/configs$ ansible-vault encrypt inventory/files/secret_file --ask-vault-pass
# OR
~/git/configs$ ansible-vault encrypt inventory/files/secret_file --vault-id other/ansible-vault/default@~/git/configs/pass-client.sh
```
Print the value of the variable `var_name` located in the file `inventory/group_vars/all.yaml` :
```bash
~/git/configs$ ansible localhost -m debug -a var=var_name -e @inventory/group_vars/all.yaml --vault-id other/ansible-vault/default@~/git/configs/pass-client.sh
```
Or, more simply :
```bash
~/git/configs$ ./ansible_decrypt_string.sh var_name --vault-id other/ansible-vault/default@~/git/configs/pass-client.sh
```
Print the content of an encrypted file :
```bash
~/git/configs$ ansible-vault view inventory/files/secret_file --vault-id other/ansible-vault/default@~/git/configs/pass-client.sh
```
Print the result of a template for a specific machine :
```bash
~/git/configs$ ansible-inventory -i inventory/hosts --vault-id other/ansible-vault/default@~/git/configs/pass-client.sh --host g02 | j2 -f json roles/timezone/templates/timezone.j2
```
# Structure
```
.
├── gitwrap.sh : utility to run some git commands recursively across submodules
├── pass-ansible.sh : utility to get the vault password from a configured pass repo and pass it to ansible
├── postinstall.sh : utility to setup dependencies needed for ansible to be able to run on the host
│   (after a fresh install)
├── push-prod.sh : utility to help pushing changes to prod, via a remote administration machine
├── push-test.sh : utility to help testing changes, via a remote administration machine, using git
├── sync-test.sh : utility to help testing changes, via a remote administration machine, using rsync
├── lib/ : dependencies for repo's utilities
│  
├── *.rhizogen.es.eu.org.yaml : yaml of a playbook (usually a host or a group of hosts)
├── inventory/ : contains the definition of every host, their domain names, roles and specific variables
│   ├── files/ : static files containing infra-specific data, usually generated from other repos
│   ├── group_vars : variables common to each group
│   │   └── all.yaml : variables common to the whole inventory
│   ├── hosts : hierarchy of groups and hosts
│   └── host_vars/ : variables specific to hosts
│   └── *.yaml
└── roles/ : contains the various roles and associated playbooks
├── skel/ : A skeleton role containing example files to make role creation easier
│   Usage: $ cp -r roles/skel roles/mynewrole
└── */
├── files/ : the files to copy, links to inventory/files/(...) are found there
├── handlers/ : the handlers necessary for tasks
│   └── main.yaml
├── meta/ : the dependencies (roles to execute before running this one)
│   └── main.yaml
├── tasks/ : the actual tasks for the playbooks
│   └── main.yaml
└── templates/ : the files whose content depends on vars and facts
└── *.j2
```

9
all.yaml Normal file

@ -0,0 +1,9 @@
---
- import_playbook: g00.rhizogen.es.eu.org.yaml
- import_playbook: g01.rhizogen.es.eu.org.yaml
- import_playbook: g02.rhizogen.es.eu.org.yaml
- import_playbook: g03.rhizogen.es.eu.org.yaml
- import_playbook: ov1.rhizogen.es.eu.org.yaml
- import_playbook: ov2.rhizogen.es.eu.org.yaml
- import_playbook: ks1.rhizogen.es.eu.org.yaml
- import_playbook: ks2.rhizogen.es.eu.org.yaml
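Review bot: g04.rzgn.es.eu.org.yaml, added in this same commit, is not imported here although every other per-host playbook is, so running `ansible-playbook all.yaml` silently leaves g04 unmanaged. If the exclusion is deliberate (different zone, host still being brought up), a comment such as `# g04.rzgn.es.eu.org.yaml intentionally not imported: not in production yet` would stop someone from "fixing" it by accident; otherwise add the missing `- import_playbook: g04.rzgn.es.eu.org.yaml` line. The ov1/ov2 playbooks imported on lines 5–6 are not in the visible part of this commit, so I could not confirm they exist.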

1
ansible-auto.sh Symbolic link

@ -0,0 +1 @@
roles/auto_ansible/files/auto-ansible/ansible-auto.sh

173
ansible-vault_reencrypt.sh Executable file

@ -0,0 +1,173 @@
#!/bin/sh
# Usage: $0 [ -f old_password_file | -i old_vault_id ] [ -F new_password_file | -I new_vault_id ] vars_file.yaml
usage() {
printf '%s\n' "USAGE: $0 [ -f old_password_file | -i old_vault_id ] [ -F new_password_file | -I new_vault_id ] <vars_file.yaml>"
printf '%s\n' "Example: $0 -f old.passphrase -I other/ansible-vault/default@pass-client.sh inventory/group_vars/all.yaml"
}
hasold=0
hasnew=0
if [ $# -ge 1 ]; then
while getopts 'f:i:F:I:h' opt; do
case $opt in
f) OLD_PASSWORD_FILE=$OPTARG
OLD_PASS_OPT="--vault-password-file ${OLD_PASSWORD_FILE}"
hasold=1 ;;
i) OLD_VAULT_ID=$OPTARG
OLD_PASS_OPT="--vault-id ${OLD_VAULT_ID}"
hasold=1 ;;
F) NEW_PASSWORD_FILE=$OPTARG
NEW_PASS_OPT="--vault-password-file ${NEW_PASSWORD_FILE}"
REKEY_NEW_PASS_OPT="--new-vault-password-file ${NEW_PASSWORD_FILE}"
hasnew=1 ;;
I) NEW_VAULT_ID=$OPTARG
NEW_PASS_OPT="--vault-id ${NEW_VAULT_ID}"
REKEY_NEW_PASS_OPT="--new-vault-id ${NEW_VAULT_ID}"
hasnew=1 ;;
h) usage && exit 0;;
esac
done
fi;
shift $(($OPTIND-1))
if [ "x$OLD_PASSWORD_FILE" != "x" ] && [ "x$OLD_VAULT_ID" != "x" ]; then
printf '%s\n' "ERROR: Both old_password_file and old_vault_id provided."
usage && exit 1;
fi
if [ "x$NEW_PASSWORD_FILE" != "x" ] && [ "x$NEW_VAULT_ID" != "x" ]; then
printf '%s\n' "ERROR: Both new_password_file and new_vault_id provided."
usage && exit 1;
fi
if [ $# -eq 1 ] && [ $hasold -eq 1 ] && [ $hasnew -eq 1 ] ; then
VARS_FILE="$1"
else
usage && exit 1;
fi;
FILE=$(cat "$VARS_FILE")
# Read file line by line
# when line is of type ^[^(: )]: !vault |$
# get variable name
# go to vault mode
# if next line begins with a ' ', stay in vault mode and get the number of spaces before '$ANSIBLE_VAULT;(.*)'
# else, exit vault mode
# if next line begins with a ' ' (number of spaces matching indentation), stay in vault mode
# else, exit vault mode
isvault=0
isvault_data=0
n=0
prevline=''
while IFS= read -r line; do
if [ $isvault -eq 0 ]; then
# if the previous line exists and is a "normal" line,
# print it
if [ $n -gt 0 ]; then
# printf '%s\n' "$n $prevline"
printf '%s\n' "$prevline"
fi
# if we are not in a vault yet, check if the current line
# looks like a vaulted var
printf '%s\n' "$line" | grep -q '^[^#:]*: !vault |$'
if [ $? -eq 0 ]; then
# if the line looks like a vaulted var, save its name
var_name=$(printf '%s\n' "$line" | cut -d':' -f1)
isvault=1
else
# if the line doesn't look like a vaulted var, do nothing
isvault=0
fi
else
# the previous line was a vault line
if [ $isvault_data -eq 0 ]; then
# if we are not in vaulted data yet, check if the line
# starts with a space
printf '%s\n' "$line" | grep -q '^ .*'
if [ $? -eq 0 ]; then
# if this is the first line of vaulted data,
# save the line indentation
data_indent=$(printf '%s\n' "$line" | grep -o '^ *')
# and print the var name
# printf '%s\n' "var_name: $var_name"
isvault_data=1
# printf '%s\n' "${data_indent}nothing"
# printf '%s\n' "ANSIBLE_CALLBACK_RESULT_FORMAT=yaml ansible localhost -m debug -a var=${var_name} -e @${VARS_FILE} ${OLD_PASS_OPT} 2>/dev/null | grep -v 'localhost | .* =>' | sed s/'^ *'//g" >&2
var_value_plain=$( ANSIBLE_CALLBACK_RESULT_FORMAT=yaml ansible localhost -m debug -a var=${var_name} -e @${VARS_FILE} ${OLD_PASS_OPT} 2>/dev/null | grep -v 'localhost | .* =>' | sed s/'^[^:]*: '//g )
if [ $? -eq 0 ]; then
# and print the var name and its plain data
# printf '%s\n' "var_name: $var_name" >&2
# printf '%s\n' "$var_value_plain"
# printf '%s\n' "ansible-vault encrypt_string \"${var_value_plain}\" --name ${var_name} ${NEW_PASS_OPT}" >&2
ansible-vault encrypt_string "${var_value_plain}" --name ${var_name} ${NEW_PASS_OPT} 2>/dev/null
printf '\n'
else
printf '%s\n' "Error when decrypting data for variable ${var_name}. Skipping." >&2
fi
else
# if this is not the first line of vaulted data,
# we are not in a vault
isvault=0
isvault_data=0
# reset vault-related variables
var_name=''
data_indent=''
# # exit with an error
# printf '%s\n' "ERROR: No vault data found at line $n, exiting." >&2
# exit 2
# check if the current line
# looks like a vaulted var
printf '%s\n' "$line" | grep -q '^[^#: ]*: !vault |$'
if [ $? -eq 0 ]; then
# if the line looks like a vaulted var, save its name
var_name=$(printf '%s\n' "$line" | cut -d':' -f1)
isvault=1
else
# if the line doesn't look like a vaulted var, do nothing
isvault=0
fi
fi
else
# if we are in the vaulted data section, check if the line
# starts with the same indentation as the first
# echo "${data_indent}plop"
# printf '%s\n' "$line"
printf '%s\n' "$line" | grep -qE "^${data_indent}[^ ]+"
if [ $? -eq 0 ]; then
# if we are still in the vaulted data section, do nothing
# printf '%s\n' "${data_indent}nothing"
:
else
# if we are out of the vaulted data section, register it
isvault_data=0
isvault=0
# reset vault-related variables
var_name=''
data_indent=''
# check if the current line
# looks like a vaulted var
printf '%s\n' "$line" | grep -q '^[^#: ]*: !vault |$'
if [ $? -eq 0 ]; then
# if the line looks like a vaulted var, save its name
var_name=$(printf '%s\n' "$line" | cut -d':' -f1)
isvault=1
else
# if the line doesn't look like a vaulted var, do nothing
isvault=0
fi
fi
fi
fi
prevline="$line"
n=$(( $n + 1 ))
done <<EOF
$FILE
EOF
# print the last line
# printf '%s\n' "$n $prevline"
printf '%s\n' "$prevline"
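Review bot: The `if [ $? -eq 0 ]` right after the `var_value_plain=$( ansible … | grep … | sed … )` assignment tests the exit status of `sed`, not of `ansible`, so a failed decryption (wrong old password, bad vault-id) never reaches the `Skipping` branch; with stderr discarded, `encrypt_string` is instead run on whatever text the pipeline produced — typically an empty string — and the output replaces the secret with ciphertext of that garbage. Capturing ansible's own status (`if raw=$( ansible … ); then`) and post-processing afterwards fixes this, assuming ansible exits non-zero when the vault cannot be opened, which I believe it does but could not verify here. Independently, the decrypted value is handed to `ansible-vault encrypt_string "${var_value_plain}"` as a command-line argument, where it is readable by any local user via `ps`/`/proc/<pid>/cmdline` for the duration of the call; `--stdin-name "${var_name}"` with the value on stdin avoids that. Note also that the existing `Skipping` branch drops the variable from the output entirely rather than re-emitting its original ciphertext, so the result should always be diffed against the input before it replaces it.
```shell
# … unchanged: first-data-line detection and data_indent capture …
# test ansible's own exit status, not sed's (the last command in the pipeline)
if raw=$( ANSIBLE_CALLBACK_RESULT_FORMAT=yaml ansible localhost -m debug -a "var=${var_name}" -e "@${VARS_FILE}" ${OLD_PASS_OPT} 2>/dev/null ); then
    var_value_plain=$( printf '%s\n' "$raw" | grep -v 'localhost | .* =>' | sed 's/^[^:]*: //' )
    # keep the plaintext off argv (visible in ps): feed it on stdin
    printf '%s' "${var_value_plain}" | ansible-vault encrypt_string --stdin-name "${var_name}" ${NEW_PASS_OPT} 2>/dev/null
    printf '\n'
else
    printf '%s\n' "Error when decrypting data for variable ${var_name}. Skipping." >&2
fi
# … unchanged: vault-boundary tracking and final prevline print …
```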

25
ansible_decrypt_string.sh Executable file

@ -0,0 +1,25 @@
#!/bin/sh
if [ $# -ge 1 ]; then
v="$1"
shift 1
else
printf "%s\n" "USAGE: $0 inventory_variable [ansible_options]"
printf "%s\n" "EXAMPLES:"
printf "%s\n" "$0 inventory_variable --ask-vault-pass"
printf "%s\n" "$0 inventory_variable --vault-id other/ansible-vault/default@pass-client.sh"
exit 1;
fi;
filelist=$(grep -r "${v}:" | grep -v "#.*${v}" | cut -d':' -f 1 | tr '\n' ' ')
#printf "%s\n" "filelist: $filelist" 1>&2
if [ "$filelist" = "" ]; then
printf "%s\n" "ERROR: No file found containing variable: ${v}" 1>&2
exit 2;
fi;
for f in $filelist ; do
printf "%s\n" "$f"
ansible localhost -m debug -a var=${v} -e @${f} $@ ;
done;
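Review bot: `$@` on the `ansible localhost -m debug -a var=${v} -e @${f} $@` line is unquoted, so any option value containing whitespace (an `-e 'key=value with spaces'`, a vault-id path containing a space) is re-split into separate arguments before ansible sees it; write `"$@"`. The discovery step `grep -r "${v}:"` also interpolates the variable name into the regex unanchored, so asking for `db_password` will also pick up `old_db_password:`, and with no path argument `-r` walks `.git/` and any submodule checkout too; something like `grep -rE --exclude-dir=.git "^[[:space:]]*${v}:" .` narrows that, though the following `grep -v "#.*${v}"` would still discard a genuine definition whose line carries a trailing comment mentioning the name. I cannot tell from this diff where the script is expected to be run from, so the search root above is a guess.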

1
auto-ansible.sh Symbolic link

@ -0,0 +1 @@
roles/auto_ansible/files/auto-ansible/auto-ansible.sh

1
config Normal file

@ -0,0 +1 @@
AUTOANSIBLEDIR=data/output


@ -0,0 +1,27 @@
---
- name: Playbook g00
hosts: g00
remote_user: "{{ admin_user }}"
become_method: sudo
roles:
- hosting_platform
- network
- base
- adminuser
- default_user
- ssh
- smtp_client
- sendmail_gpg
- rkhunter
- fail2ban
- logwatch
- munin_node
- nrpe
- sshproxy
- openvpn
# # you can do `ansible -i inventory/hosts g00.rhizogen.es.eu.org -m setup -e "ansible_user=admin_user"`
# tasks:
# - debug: var=ansible_facts
# - debug: var=ansible_devices

43
g00_g01.yaml Normal file

@ -0,0 +1,43 @@
---
- name: Common roles for g00 and g01
hosts:
- g00
- g01
remote_user: "{{ admin_user }}"
become_method: sudo
roles:
- hosting_platform
- base
- adminuser
- default_user
- ssh
- smtp_client
- sendmail_gpg
- rkhunter
- fail2ban
- logwatch
- munin_node
- nrpe
- name: Specific roles for g00
hosts: g00
remote_user: "{{ admin_user }}"
become_method: sudo
roles:
- sshproxy
- openvpn
- name: Specific roles for g01
hosts: g01
remote_user: "{{ admin_user }}"
become_method: sudo
roles:
- bind_slave
# # you can do `ansible -i inventory/hosts g01.rhizogen.es.eu.org -m setup -e "ansible_user=admin_user"`
# tasks:
# - debug: var=ansible_facts
# - debug: var=ansible_devices
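Review bot: The common play for `hosts: - g00 - g01` omits the `network` role that both g00.rhizogen.es.eu.org.yaml and g01.rhizogen.es.eu.org.yaml apply immediately after `hosting_platform`, so this combined playbook and the per-host playbooks converge the same two machines to different states. If leaving network configuration out of the combined run is deliberate (for instance to avoid reconfiguring interfaces on two hosts in one pass), record it with a comment such as `# network deliberately not applied here; use the per-host playbook for it`; otherwise add `- network` after `- hosting_platform`. The roles themselves are not in view, so whether anything later in the list depends on network having run first is unverified.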


@ -0,0 +1,26 @@
---
- name: Playbook g01
hosts: g01
remote_user: "{{ admin_user }}"
become_method: sudo
roles:
- hosting_platform
- network
- base
- adminuser
- default_user
- ssh
- smtp_client
- sendmail_gpg
- rkhunter
- fail2ban
- logwatch
- munin_node
- nrpe
- bind_slave
# # you can do `ansible -i inventory/hosts g01.rhizogen.es.eu.org -m setup -e "ansible_user=admin_user"`
# tasks:
# - debug: var=ansible_facts
# - debug: var=ansible_devices


@ -0,0 +1,55 @@
---
- name: Playbook g02
hosts: g02
remote_user: "{{ admin_user }}"
become_method: sudo
roles:
- hosting_platform
- network
# - homedir
# - srvdir
- quota
- base
- cacertificates
- adminuser
- default_user
- adminuser_home
- adminuser_maildir
- adminuser_scripts
- firstuser
- firstuser_home
- firstuser_maildir
- firstuser_gnupg
- firstuser_scripts
- testuser
- testuser_maildir
- sync_user
- ssh
- smtp_primary
- sendmail_gpg
- rkhunter
- fail2ban
- logwatch
- munin_node
- nrpe
- pureftpd
- nginx
- nginx_homedirs
- imap_server
# - munin
- mail_client
- mailman
- radicale
- prosody_primary
- git_base
- git_server
- rsync_server
- infinoted
- ikiwiki_base
- ikiwiki_repos
- ikiwiki_websites
- git_repos_unix
- mumble_server
- sync_node
- deb_client


@ -0,0 +1,26 @@
---
- name: Playbook g03
hosts: g03
remote_user: "{{ admin_user }}"
become_method: sudo
roles:
- hosting_platform
- network
- base
- adminuser
- default_user
- ssh
- smtp_client
- sendmail_gpg
- rkhunter
- fail2ban
- logwatch
- munin_node
- nrpe
- wesnoth
- openarena
- freedoom
- xonotic
- unvanquished
- supertuxkart

53
g04.rzgn.es.eu.org.yaml Normal file

@ -0,0 +1,53 @@
---
- name: Playbook g04
hosts: g04
remote_user: "{{ admin_user }}"
become_method: sudo
roles:
- hosting_platform
# - homedir
# - srvdir
# - quota
- base
- cacertificates
- adminuser
- default_user
# - adminuser_home
- adminuser_maildir
# - adminuser_scripts
# - firstuser
# - firstuser_home
# - firstuser_maildir
# - firstuser_gnupg
# - firstuser_scripts
- testuser
- testuser_maildir
# - sync_user
- ssh
- smtp_primary
# - sendmail_gpg
# - rkhunter
# - fail2ban
# - logwatch
# - munin_node
# - nrpe
# - pureftpd
# - nginx
# - nginx_homedirs
- imap_server
# - munin
- mail_client
# - mailman
# - radicale
# - prosody_primary
# - git_base
# - git_server
# - rsync_server
# - infinoted
# - ikiwiki_base
# - ikiwiki_repos
# - ikiwiki_websites
# - git_repos_unix
# - mumble_server
# - sync_node
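Review bot: On this host `ssh`, `smtp_primary` and `imap_server` are enabled while `fail2ban`, `rkhunter`, `logwatch`, `munin_node` and `nrpe` are all commented out, so — unlike every other host playbook in this commit, which applies all five — the exposed SSH, SMTP and IMAP services get neither brute-force protection nor monitoring. If this is a bring-up state, a comment next to the disabled roles such as `# TODO: re-enable fail2ban/rkhunter/logwatch/munin_node/nrpe before g04 is exposed` would record that intent; if it is meant to stay this way, the reason deserves a line as well. The file is also the only playbook in the `rzgn.es.eu.org` zone and is not imported by all.yaml, which suggests it is provisional, but that is an inference from the diff rather than something it states.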

@ -1 +1 @@
Subproject commit 734c611cf0c3eebe37158f31f5155c11b865200c
Subproject commit dbaf4b899e22126a8df06435cc601588157da5fe

1
json2runtable.sh Symbolic link

@ -0,0 +1 @@
roles/auto_ansible/files/auto-ansible/json2runtable.sh


@ -0,0 +1,43 @@
---
- name: Playbook ks1
hosts: ks1
remote_user: "{{ admin_user }}"
become_method: sudo
roles:
- hosting_platform
- network
- base
- cacertificates
- adminuser
- default_user
- adminuser_home
- firstuser
- firstuser_home
- ssh
- smtp_client
- sendmail_gpg
- rkhunter
- fail2ban
- logwatch
- munin_node
- nrpe
- freeculture
- pureftpd
- nginx
- nginx_homedirs
- git_base
- git_server
- rsync_server
- gitolite
- gitolite_config
- ikiwiki_base
- git_repos_unix
- git_repos_gitolite
- sync_server
- deb
# # you can do `ansible -i inventory/hosts ks2.rhizogen.es.eu.org -m setup -e "ansible_user=admin_user"`
# tasks:
# - debug: var=ansible_facts
# - debug: var=ansible_devices
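Review bot: The usage hint at the bottom of this ks1 playbook names the wrong host: `# # you can do `ansible -i inventory/hosts ks2.rhizogen.es.eu.org -m setup -e "ansible_user=admin_user"`` appears to have been copied from the ks2 playbook and should read `ks1.rhizogen.es.eu.org`. It is only a comment, but someone following it verbatim would gather facts from the other machine.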


@ -0,0 +1,35 @@
---
- name: Playbook ks2
hosts: ks2
remote_user: "{{ admin_user }}"
become_method: sudo
roles:
- hosting_platform
- base
- cacertificates
- adminuser
- default_user
- adminuser_home
- firstuser
- firstuser_home
- ssh
- smtp_client
- sendmail_gpg
- rkhunter
- fail2ban
- logwatch
- munin_node
- nrpe
- pureftpd
- nginx
- nginx_homedirs
- git_base
- git_server
- rsync_server
- ikiwiki_base
# # you can do `ansible -i inventory/hosts ks2.rhizogen.es.eu.org -m setup -e "ansible_user=admin_user"`
# tasks:
# - debug: var=ansible_facts
# - debug: var=ansible_devices

9
lib/autosu.sh Executable file

@ -0,0 +1,9 @@
#!/bin/sh
p="$1"
shift 1
su - root <<EOF
$p
$@
EOF
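Review bot: The root password is taken from `p="$1"`, so for the lifetime of the `su` call it sits in this script's argv and is readable by every local account on the target host through `ps`/`/proc/<pid>/cmdline` (the caller in lib/libpostinstall.sh builds it into the remote ssh command string, so the remote login shell's argv exposes it as well). Reading it from the first line of stdin — `IFS= read -r p` in place of `p="$1"` / `shift 1`, with the caller piping it in — keeps it off the process table, and the remaining arguments can still be joined into the here-document as today. Whether su(1) actually takes the password from that here-document rather than from /dev/tty depends on the su implementation and on whether the ssh session allocated a pty (the caller uses `ssh -t`), so the change should be confirmed on the targets before relying on it. Also, inside a here-document `$@` is expanded like `$*` — the arguments are joined with single spaces rather than kept as separate words — which is fine for the single command string passed today but is worth a comment on the `$@` line.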

442
lib/libpostinstall.sh Executable file

@ -0,0 +1,442 @@
#!/bin/bash
ZONE="rhizogen.es.eu.org"
#ZONE="rzgn.es.eu.org"
SUBZONE="${ZONE}"
ADMINUSER="onalyrg"
REPO_DIR="${CONFIGS_DIR:-/mnt/ac/projects/doc_tutos/vps_gandi/configs}"
PASS_REPO=${HOME}/git/pass-ansible
#DEFAULT_USER="debian"
#DEFAULT_PORT="22"
PORT='57473'
TPORT=''
VM_NAME=''
VM_FQDN=''
VM_IP4=''
VM_IP6=''
nosshpass=1
nopass=1
nopassrepo=1
#nosudo=1
autosu=1
usage() {
printf '%s\n' "USAGE: $0 [ -u <default_user> ] [ -c pw|key ] [ -e su|sudo ] [ -p <default_password> ] [ -P <default_root_password> ] [ -s <target_admin_password> ] [ -S <target_root_password> ] [ -t <ssh_port> ] [ -T <target_ssh_port> ] <vm_name>"
printf '%s\n'
printf '%s\n' "EXAMPLE 1: $0 -u debian -c key -e sudo -t 22 -T 22222 vm_name"
printf '%s\n' "EXAMPLE 2: $0 -u root -c pw -p 'PW_1' -t 22 vm_name"
printf '%s\n' "EXAMPLE 3: $0 -u root -c key -t 22 vm_name"
printf '%s\n' "EXAMPLE 4: $0 -u debian -c pw -e su -p 'PW_1' -P 'PW_2' -t 22 vm_name"
printf '%s\n' "EXAMPLE 5: $0 -u debian -c pw -e sudo -p 'PW_1' -t 22 vm_name"
printf '%s\n' "EXAMPLE 6: $0 -u debian -c key -e su -P 'PW_2' -t 22 vm_name"
printf '%s\n' "EXAMPLE 7: $0 -u debian -c key -e sudo -t 22 vm_name"
printf '%s\n' "EXAMPLE 8: $0 -u sysadmin -c key -e sudo -t 22222 vm_name"
# printf '%s\n' "EXAMPLE 9: $0 -u sysadmin -t 22222 vm_name"
}
if [ $# -ge 1 ]; then
while getopts 'u:c:e:p:P:s:S:t:T:h' opt; do
case $opt in
u) DEFAULT_USER=$OPTARG ;;
c) CX_METHOD=$OPTARG;; # connexion method can be pw or key. If not given the script will try to guess
e) SU_METHOD=$OPTARG ;; # authorization method can be su or sudo. If not given the script will try to guess with additional steps which may require interaction
p) DEFAULT_PW=$OPTARG ;; #for now we'll assume the VM doesn't need a pw by default (key auth)
P) DEFAULT_ROOTPW=$OPTARG ;; #for now we'll assume the VM doesn't need a pw by default (key auth)
s) VM_ADMINPW=$OPTARG ;;
S) VM_ROOTPW=$OPTARG ;;
t) PORT=$OPTARG ;;
T) TPORT=$OPTARG ;;
h) usage && exit 0;;
esac
done
fi;
shift $(($OPTIND-1))
if [ $# -eq 1 ]; then
VM_ARG="$1"
else
usage && exit 1;
fi;
# Here we turn the name given on the command line into a short name
# and a FQDN
printf '%s\n' "$VM_ARG" | grep "$ZONE" >/dev/null
if [ $? -eq 1 ]; then
VM_NAME=${VM_ARG}
VM_FQDN=${VM_ARG}.${SUBZONE}
else
printf '%s\n' "$VM_ARG" | grep "$SUBZONE" >/dev/null
if [ $? -eq 1 ]; then
VM_NAME=''
else
VM_NAME=${VM_ARG%.${SUBZONE}}
fi
VM_FQDN=${VM_ARG}
fi
# Here we refresh the server-side SSH keys
if [ "$TPORT" != "" ]; then
printf '%s\n' "* ${REPO_DIR}/lib/refreshkeys.sh -p $TPORT $VM_FQDN"
${REPO_DIR}/lib/refreshkeys.sh -p $TPORT $VM_FQDN
fi
printf '%s\n' "* ${REPO_DIR}/lib/refreshkeys.sh -p $PORT $VM_FQDN"
${REPO_DIR}/lib/refreshkeys.sh -p $PORT $VM_FQDN
# Here we set some unset variables
if [ "$DEFAULT_USER" = "" ]; then
printf '%s\n' "DEFAULT_USER not set, we'll assume it's $ADMINUSER"
DEFAULT_USER=$ADMINUSER
fi
if [ "$DEFAULT_USER" = "root" ] && [ "$DEFAULT_ROOTPW" != "" ]; then
DEFAULT_PW=$DEFAULT_ROOTPW
fi
SSH_PREFIX=""
SSH_PRINTED_PREFIX=""
SSH_CPATHOPT="-o ControlPath=~/.ssh/master-%h-%p-%r"
# Here we determine if we use sshpass (so we can re-use an SSH
# password instead of prompting for it each time we establish a new
# SSH connexion).
BIN_SSHPASS=$(command -v sshpass)
nosshpass=$?
# Here we determine if we use the pass repository, in which case we
# can fetch the SSH and SU/SUDO passwords from there instead of
# prompting for them
BIN_PASS=$(command -v pass >/dev/null)
nopass=$?
if [ -d $PASS_REPO ]; then
nopassrepo=$?
fi
# Here we determine if the SSH connexion uses a password or a key, if
# not already given on the command line
if [ "$CX_METHOD" != "pw" ] && [ "$CX_METHOD" != "key" ]; then
printf '%s\n' "No connexion method given. Checking if SSH connexion uses a key"
authnokey=0
authnopw=0
authline=$(ssh -v -o BatchMode=yes -p $PORT ${DEFAULT_USER}@${VM_FQDN} 'exit' 2>&1 | grep 'debug1: Authentications that can continue:')
printf '%s\n' "$authline" | grep 'publickey'
authnokey=$?
if [ $authnokey -eq 0 ]; then
printf '%s\n' "SSH connexion uses a key."
CX_METHOD="key"
else
printf '%s\n' "SSH connexion doesn't use a key."
printf '%s\n' "Checking if SSH connexion uses a password."
printf '%s\n' "$authline" | grep 'password'
authnopw=$?
if [ $authnopw -eq 0 ]; then
printf '%s\n' "SSH connexion uses a password."
CX_METHOD="pw"
else
printf '%s\n' "SSH connexion doesn't use a password. Exiting."
exit 2;
fi
fi
fi
# Here we try to get the SSH password, if the SSH connexion uses one
# and if the programm sshpass is available. We fetch it from the pass
# repository, if not found we prompt for it.
if [ "$CX_METHOD" = "pw" ]; then
printf '%s\n' "Using password authentication."
if [ $nosshpass -eq 0 ]; then
printf '%s\n' "Program sshpass found at ${BIN_SSHPASS}."
if [ "$DEFAULT_PW" = "" ]; then
if [ $nopass -ne 0 ]; then
printf '%s\n' "Program pass not found. You'll be prompted for passwords." 1>&2
elif [ $nopassrepo -ne 0 ]; then
printf '%s\n' "Repository $PASS_REPO not found. You'll be prompted for passwords." 1>&2
fi
printf '%s\n' "Enter the ${DEFAULT_USER} password for ${VM_ARG}."
printf '%s' "Password: "
read -s DEFAULT_PW
printf '%s\n' ""
fi
else
printf '%s\n' "Program sshpass not found. Ignoring any password given, using classic password prompting."
fi
fi
SSH_PREFIX_1="${BIN_SSHPASS} -p ${DEFAULT_PW}"
SSH_PRINTED_PREFIX_1="${BIN_SSHPASS} -p \${DEFAULT_PW}"
SSH_PREFIX_2=""
SSH_PRINTED_PREFIX_2=""
if [ $nosshpass -eq 0 ]; then
if [ "$DEFAULT_PW" != "" ]; then
SSH_PREFIX="${SSH_PREFIX_1}"
SSH_PRINTED_PREFIX="${SSH_PRINTED_PREFIX_1}"
fi
fi
# Here we check if we can connect to the machine via SSH. We do this
# only if there is key authentication or if a password has been given
# and sshpass is available. If a password must be entered manually
# then we don't perform this check, so we don't bother the user.
if [ "$CX_METHOD" = "key" ] || ( [ $nosshpass -eq 0 ] && [ "$DEFAULT_PW" != "" ] ); then
printf '%s\n' "Checking if SSH connexion is possible"
printf '%s\n' "${SSH_PRINTED_PREFIX} ssh -o BatchMode=yes -p $PORT ${DEFAULT_USER}@${VM_FQDN} 'exit'"
${SSH_PREFIX} ssh -o BatchMode=yes -p $PORT ${DEFAULT_USER}@${VM_FQDN} 'exit'
retq=$?
if [ $retq -ne 0 ]; then
printf '%s\n' "SSH connexion failed. Exiting." 1>&2
exit 2
else
printf '%s\n' "SSH connexion successful." 1>&2
fi
fi
CMD_PREFIX_1="/usr/bin/sh -c"
CMD_PRINTED_PREFIX_1="$CMD_PREFIX_1"
CMD_PREFIX_2="sudo /usr/bin/sh -c"
CMD_PRINTED_PREFIX_2="$CMD_PREFIX_2"
# Doesn't work if we put it into an intermediary var
# CMD_PREFIX_3="./autosu.sh \"${DEFAULT_ROOTPW}\""
# CMD_PRINTED_PREFIX_3="./autosu.sh ${DEFAULT_ROOTPW}"
# Here we determine if the switch user method is su or passwordless
# sudo, if not already given on the command line
if [ "$SU_METHOD" != "su" ] && [ "$SU_METHOD" != "sudo" ]; then
printf '%s\n' "Checking if user ${DEFAULT_USER} has passwordless sudo."
printf '%s\n' "${SSH_PRINTED_PREFIX} ssh -p $PORT ${DEFAULT_USER}@${VM_FQDN} \"sudo -l | grep 'NOPASSWD'\" | grep 'NOPASSWD: ALL'"
${SSH_PREFIX} ssh -p $PORT ${DEFAULT_USER}@${VM_FQDN} "sudo -l | grep 'NOPASSWD'" | grep 'NOPASSWD: ALL'
nosudo=$?
echo "nosudo: $nosudo"
if [ $nosudo -eq 0 ]; then
printf '%s\n' "User has passwordless sudo. Using sudo method."
SU_METHOD="sudo"
else
printf '%s\n' "User doesn't have passwordless sudo. Using classic su method."
SU_METHOD="su"
fi
fi
# Here we try to set the switch user prefix for root commands. If we
# use su authentication and need a root password, we fetch it from the
# pass repository, if not found we prompt for it.
# if default user is root
if [ "$DEFAULT_USER" = "root" ]; then
CMD_PREFIX="${CMD_PREFIX_1}"
CMD_PRINTED_PREFIX="${CMD_PRINTED_PREFIX_1}"
autosu=0
else
# if default user is non-root
printf '%s\n' "Determining authorization method for ${DEFAULT_USER}"
if [ "$SU_METHOD" = "sudo" ]; then
CMD_PREFIX="${CMD_PREFIX_2}"
CMD_PRINTED_PREFIX="${CMD_PRINTED_PREFIX_2}"
autosu=0
else
printf '%s\n' "Using su authorization method"
if [ "$DEFAULT_ROOTPW" = "" ]; then
if [ $nopass -ne 0 ]; then
printf '%s\n' "Program pass not found. You'll be prompted for passwords." 1>&2
elif [ $nopassrepo -ne 0 ]; then
printf '%s\n' "Repository $PASS_REPO not found. You'll be prompted for passwords." 1>&2
fi
printf '%s\n' "Enter the root password for ${VM_ARG}."
printf '%s' "Password: "
read -s DEFAULT_ROOTPW
printf '%s\n' ""
fi
# Doesn't work if we put it into an intermediary var
# CMD_PREFIX="${CMD_PREFIX_3}"
# CMD_PRINTED_PREFIX="${CMD_PRINTED_PREFIX_3}"
CMD_PREFIX="./autosu.sh \"${DEFAULT_ROOTPW}\""
CMD_PRINTED_PREFIX="./autosu.sh ${DEFAULT_ROOTPW}"
autosu=1
fi
fi
# GOAL: ensure the minimal requirements are present for ansible to be able to run:
# * admin user is present
# * sudo is installed
# * admin user is in sudoers
# * apt and python are installed
# * admin user can connect with SSH keys
# * SSH server is running on the expected port
# Note:
# 1. ideally should only do changes you cannot do easily with ansible (installing ansible deps, changing ssh port/auth...)
# 2. should be idempotent with ansible. If you run it again it should not break ansible changes (should not revert config)
# INPUT:
# * host address
# * ssh port
# * default user
# * connexion method (password or key)
# * default user password
# * switch user method (su or sudo)
# * default root password
# * target ssh port
# STEPS:
# 1. Open an SSH Master connexion using the credentials given (DEFAULT_USER + password or key)
# 2. GET ROOT + create admin user
# 3a. SCP authorized_keys file from configs repo
# 3b. give admin user SSH keys
# 4a. SCP sudoers file
# 4b. GET ROOT + install sudo and give admin user sudo rights
# 5. Close SSH Master connexion
# 6. CONNECT via key + GET ROOT via sudo + change SSH port
# 7. USE NEW PORT + CONNECT via key + GET ROOT via sudo + install apt and python
admin_setup(){
# 1a. Open an SSH Master connexion using the credentials given (DEFAULT_USER + password or key)
printf "%s\n" "==== Opening SSH master connexion ===="
printf '%s\n' "* ${SSH_PRINTED_PREFIX} ssh -f -p $PORT -N -M ${SSH_CPATHOPT} ${DEFAULT_USER}@${VM_FQDN}"
${SSH_PREFIX} ssh -f -p $PORT -N -M ${SSH_CPATHOPT} ${DEFAULT_USER}@${VM_FQDN}
# 1b. If need be, add in custom authorization method
if [ $autosu = 1 ]; then
printf "%s\n" "==== Copying authorization script ===="
printf '%s\n' "* ${SSH_PRINTED_PREFIX} scp -P $PORT ${SSH_CPATHOPT} ${REPO_DIR}/lib/autosu.sh ${DEFAULT_USER}@${VM_FQDN}:~/autosu.sh"
${SSH_PREFIX} scp -P $PORT ${SSH_CPATHOPT} ${REPO_DIR}/lib/autosu.sh ${DEFAULT_USER}@${VM_FQDN}:~/autosu.sh
fi
# 2. GET ROOT + create admin user
printf "%s\n" "==== Creating admin user ===="
printf '%s\n' "* ${SSH_PRINTED_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${DEFAULT_USER}@${VM_FQDN} ${CMD_PRINTED_PREFIX} 'useradd -m -s /usr/bin/bash '${ADMINUSER}''"
${SSH_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${DEFAULT_USER}@${VM_FQDN} "${CMD_PREFIX} 'useradd -m -s /usr/bin/bash '${ADMINUSER}''"
# 3a. SCP authorized_keys file from configs repo
printf "%s\n" "==== Setting up admin user SSH keys ===="
printf '%s\n' "* ${SSH_PRINTED_PREFIX} scp -P $PORT ${SSH_CPATHOPT} ${REPO_DIR}/roles/adminuser/files/authorized_keys ${DEFAULT_USER}@${VM_FQDN}:~/.${ADMINUSER}.authorized_keys"
${SSH_PREFIX} scp -P $PORT ${SSH_CPATHOPT} ${REPO_DIR}/roles/adminuser/files/authorized_keys ${DEFAULT_USER}@${VM_FQDN}:~/.${ADMINUSER}.authorized_keys
# 3b. give admin user SSH keys
printf '%s\n' "* ${SSH_PRINTED_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${DEFAULT_USER}@${VM_FQDN} ${CMD_PRINTED_PREFIX} \"mkdir -m 0700 /home/${ADMINUSER}/.ssh && chown -R onalyrg:onalyrg /home/${ADMINUSER}/.ssh\""
${SSH_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${DEFAULT_USER}@${VM_FQDN} "${CMD_PREFIX} \"mkdir -m 0700 /home/${ADMINUSER}/.ssh && chown -R onalyrg:onalyrg /home/${ADMINUSER}/.ssh\""
printf '%s\n' "* ${SSH_PRINTED_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${DEFAULT_USER}@${VM_FQDN} ${CMD_PRINTED_PREFIX} \"mv /home/${DEFAULT_USER}/.${ADMINUSER}.authorized_keys /home/${ADMINUSER}/.ssh/authorized_keys && chown onalyrg:onalyrg /home/${ADMINUSER}/.ssh/authorized_keys && sudo chmod 0700 /home/${ADMINUSER}/.ssh/authorized_keys\""
${SSH_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${DEFAULT_USER}@${VM_FQDN} "${CMD_PREFIX} \"mv /home/${DEFAULT_USER}/.${ADMINUSER}.authorized_keys /home/${ADMINUSER}/.ssh/authorized_keys && chown onalyrg:onalyrg /home/${ADMINUSER}/.ssh/authorized_keys && chmod 0600 /home/${ADMINUSER}/.ssh/authorized_keys\""
# 4a. SCP sudoers file
printf "%s\n" "==== Setting up admin user sudoers rights ===="
printf '%s\n' "* ${SSH_PRINTED_PREFIX} scp -P $PORT ${SSH_CPATHOPT} ${REPO_DIR}/roles/adminuser/files/sudoers.d/adminuser ${DEFAULT_USER}@${VM_FQDN}:~/.${ADMINUSER}.sudoers"
${SSH_PREFIX} scp -P $PORT ${SSH_CPATHOPT} ${REPO_DIR}/roles/adminuser/files/sudoers.d/adminuser ${DEFAULT_USER}@${VM_FQDN}:~/.${ADMINUSER}.sudoers
# 4b. GET ROOT + install sudo and give admin user sudo rights
printf '%s\n' "* ${SSH_PRINTED_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${DEFAULT_USER}@${VM_FQDN} ${CMD_PRINTED_PREFIX} \"if [ -f /etc/debian_version ]; then apt-get update && apt-get -y install sudo ; fi\""
${SSH_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${DEFAULT_USER}@${VM_FQDN} "${CMD_PREFIX} \"if [ -f /etc/debian_version ]; then apt-get update && apt-get -y install sudo ; fi\""
printf '%s\n' "* ${SSH_PRINTED_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${DEFAULT_USER}@${VM_FQDN} ${CMD_PRINTED_PREFIX} \"mv /home/${DEFAULT_USER}/.${ADMINUSER}.sudoers /etc/sudoers.d/${ADMINUSER} && chown root:root /etc/sudoers.d/${ADMINUSER} && chmod 0440 /etc/sudoers.d/${ADMINUSER}\""
${SSH_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${DEFAULT_USER}@${VM_FQDN} "${CMD_PREFIX} \"mv /home/${DEFAULT_USER}/.${ADMINUSER}.sudoers /etc/sudoers.d/${ADMINUSER} && chown root:root /etc/sudoers.d/${ADMINUSER} && chmod 0440 /etc/sudoers.d/${ADMINUSER}\""
# 5a. If need be, delete custom authorization method
if [ $autosu = 1 ]; then
printf "%s\n" "==== Deleting authorization script ===="
printf '%s\n' "* ${SSH_PRINTED_PREFIX} ssh -p $PORT ${SSH_CPATHOPT} ${DEFAULT_USER}@${VM_FQDN} rm -v ~/autosu.sh"
${SSH_PREFIX} ssh -p $PORT ${SSH_CPATHOPT} ${DEFAULT_USER}@${VM_FQDN} "rm -v ~/autosu.sh"
fi
# 5b. Close SSH Master connexion
printf "%s\n" "==== Closing SSH master connexion ===="
printf '%s\n' "* ssh -p $PORT ${SSH_CPATHOPT} -O stop ${DEFAULT_USER}@${VM_FQDN}"
ssh -p $PORT ${SSH_CPATHOPT} -O stop ${DEFAULT_USER}@${VM_FQDN}
printf "%s\n" "==== Done."
}
ssh_setup(){
# 6. CONNECT via key + GET ROOT via sudo + change SSH port
printf "%s\n" "==== Changing port number in SSH config ===="
# printf '%s\n' "* ${SSH_PRINTED_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${SSH_USER}@${VM_FQDN} sudo /usr/bin/sh -c 'cp /etc/ssh/sshd_config /etc/ssh/sshd_config.postinstall_bkp && sed -i \"1 i\Port 57473\" /etc/ssh/sshd_config'"
# ${SSH_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${SSH_USER}@${VM_FQDN} "sudo /usr/bin/sh -c 'cp /etc/ssh/sshd_config /etc/ssh/sshd_config.postinstall_bkp && sed -i \"1 i\Port 57473\" /etc/ssh/sshd_config && sudo /etc/init.d/ssh restart'"
printf '%s\n' "* ${SSH_PRINTED_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${SSH_USER}@${VM_FQDN} sudo /usr/bin/sh -c 'cp /etc/ssh/sshd_config /etc/ssh/sshd_config.postinstall_bkp && sed -i \"1 i\Port ${TPORT}\" /etc/ssh/sshd_config'"
${SSH_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${SSH_USER}@${VM_FQDN} "sudo /usr/bin/sh -c 'cp /etc/ssh/sshd_config /etc/ssh/sshd_config.postinstall_bkp && sed -i \"1 i\Port ${TPORT}\" /etc/ssh/sshd_config && sudo /etc/init.d/ssh restart'"
printf "%s\n" "==== Done."
}
deps_setup(){
# 7. USE NEW PORT + CONNECT via key + GET ROOT via sudo + install apt and python
printf "%s\n" "==== Installing ansible dependencies ===="
printf '%s\n' "* ${SSH_PRINTED_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${SSH_USER}@${VM_FQDN} ${CMD_PRINTED_PREFIX} \"if [ -f /etc/debian_version ]; then apt-get update && apt-get -y install python3-apt || apt-get -y install python-apt ; fi\""
${SSH_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${SSH_USER}@${VM_FQDN} "${CMD_PREFIX} \"if [ -f /etc/debian_version ]; then apt-get update && apt-get -y install python3-apt || apt-get -y install python-apt ; fi\""
printf "%s\n" "==== Done."
}
hostname_setup(){
# 8. USE NEW PORT + CONNECT via key + GET ROOT via sudo + change hostname and hosts file
printf "%s\n" "==== Changing hostname and FQDN ===="
printf '%s\n' "* ${SSH_PRINTED_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${SSH_USER}@${VM_FQDN} ${CMD_PRINTED_PREFIX} \"cp /etc/hostname /etc/hostname.postinstall_bkp && printf '%s\n' ${VM_NAME} >/etc/hostname\""
${SSH_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${SSH_USER}@${VM_FQDN} "${CMD_PREFIX} \"cp /etc/hostname /etc/hostname.postinstall_bkp && printf '%s\n' ${VM_NAME} >/etc/hostname\""
printf '%s\n' "* ${SSH_PRINTED_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${SSH_USER}@${VM_FQDN} ${CMD_PRINTED_PREFIX} 'cp /etc/hosts /etc/hosts.postinstall_bkp && sed -i \"1 i\127.0.1.1 ${VM_FQDN} ${VM_NAME}\" /etc/hosts'"
${SSH_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${SSH_USER}@${VM_FQDN} "${CMD_PREFIX} 'cp /etc/hosts /etc/hosts.postinstall_bkp && sed -i \"1 i\127.0.1.1 ${VM_FQDN} ${VM_NAME}\" /etc/hosts'"
printf '%s\n' "* ${SSH_PRINTED_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${SSH_USER}@${VM_FQDN} ${CMD_PRINTED_PREFIX} \"if [ -d /etc/cloud/cloud.cfg.d ]; then printf '%s\n' 'preserve_hostname: true' 'manage_etc_hosts: false' >/etc/cloud/cloud.cfg.d/01_debian_cloud.cfg; fi;\""
${SSH_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${SSH_USER}@${VM_FQDN} "${CMD_PREFIX} \"if [ -d /etc/cloud/cloud.cfg.d ]; then printf '%s\n' 'preserve_hostname: true' 'manage_etc_hosts: false' >/etc/cloud/cloud.cfg.d/01_debian_cloud.cfg; fi;\""
printf "%s\n" "==== Done."
}
defaultuser_disable(){
# 9. USE NEW PORT + CONNECT via key + GET ROOT via sudo + disable DEFAULT_USER
printf "%s\n" "==== Disabling DEFAULT USER ===="
printf '%s\n' "* ${SSH_PRINTED_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${SSH_USER}@${VM_FQDN} ${CMD_PRINTED_PREFIX} \"killall -9 -u ${DEFAULT_USER} ; usermod -L -e 1970-01-01 ${DEFAULT_USER}\""
${SSH_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${SSH_USER}@${VM_FQDN} "${CMD_PREFIX} \"killall -9 -u ${DEFAULT_USER} ; usermod -L -e 1970-01-01 ${DEFAULT_USER}\""
printf "%s\n" "==== Done."
}
network_setup(){
# 10. USE NEW PORT + CONNECT via key + GET ROOT via sudo + change network config
printf "%s\n" "==== Changing network config ===="
printf '%s\n' "* ${SSH_PRINTED_PREFIX} scp -P $PORT ${SSH_CPATHOPT} ${REPO_DIR}/roles/network/files/interfaces.d/${VM_NAME} ${SSH_USER}@${VM_FQDN}:~/.${VM_NAME}.interfaces"
${SSH_PREFIX} scp -P $PORT ${SSH_CPATHOPT} ${REPO_DIR}/roles/network/files/interfaces.d/${VM_NAME} ${SSH_USER}@${VM_FQDN}:~/.${VM_NAME}.interfaces
printf '%s\n' "* ${SSH_PRINTED_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${SSH_USER}@${VM_FQDN} ${CMD_PRINTED_PREFIX} \"echo 'network: {config: disabled}' /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg && mv ~/.${VM_NAME}.interfaces /etc/network/interfaces.d/99-main && /etc/init.d/networking restart && rm /etc/network/interfaces.d/50-cloud-init && /etc/init.d/networking restart\""
${SSH_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${SSH_USER}@${VM_FQDN} "${CMD_PREFIX} \"echo 'network: {config: disabled}' /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg && mv ~/.${VM_NAME}.interfaces /etc/network/interfaces.d/99-main && /etc/init.d/networking restart && rm /etc/network/interfaces.d/50-cloud-init && /etc/init.d/networking restart\""
printf "%s\n" "==== Done."
}
system_upgrade(){
# 11. USE NEW PORT + CONNECT via key + GET ROOT via sudo + upgrade
printf "%s\n" "==== Upgrading packages ===="
printf '%s\n' "* ${SSH_PRINTED_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${SSH_USER}@${VM_FQDN} ${CMD_PRINTED_PREFIX} \"if [ -f /etc/debian_version ]; then DEBIAN_FRONTEND=noninteractive && apt-get update && apt-get upgrade -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' && apt-get dist-upgrade -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold'; fi\""
${SSH_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${SSH_USER}@${VM_FQDN} "${CMD_PREFIX} \"if [ -f /etc/debian_version ]; then DEBIAN_FRONTEND=noninteractive && apt-get update && apt-get upgrade -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' && apt-get dist-upgrade -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold'; fi\""
printf "%s\n" "==== Done."
}
init_install(){
# 12. USE NEW PORT + CONNECT via key + GET ROOT via sudo + install sysvinit
printf "%s\n" "==== Installing sysvinit ===="
printf '%s\n' "* ${SSH_PRINTED_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${SSH_USER}@${VM_FQDN} ${CMD_PRINTED_PREFIX} \"if [ -f /etc/debian_version ]; then DEBIAN_FRONTEND=noninteractive && apt-get update && apt-get install -y sysvinit-core; fi\""
${SSH_PREFIX} ssh -t -p $PORT ${SSH_CPATHOPT} ${SSH_USER}@${VM_FQDN} "${CMD_PREFIX} \"if [ -f /etc/debian_version ]; then DEBIAN_FRONTEND=noninteractive && apt-get update && apt-get install -y sysvinit-core; fi\""
printf "%s\n" "==== Done."
}
printf "%s\n" "== Setting up admin user =="
admin_setup
SSH_PRINTED_PREFIX="${SSH_PRINTED_PREFIX_2}"
SSH_PREFIX="${SSH_PREFIX_2}"
printf "%s" "WARNING: SSH_PREFIX changed to "
printf "%s" "'"
printf "%s" "${SSH_PRINTED_PREFIX}"
printf "%s\n" "'"
SSH_USER="${ADMINUSER}"
printf "%s\n" "WARNING: SSH_USER changed to ${SSH_USER}"
CMD_PREFIX="${CMD_PREFIX_2}"
CMD_PRINTED_PREFIX="${CMD_PRINTED_PREFIX_2}"
printf "%s" "WARNING: CMD_PREFIX changed to "
printf "%s" "'"
printf "%s" "${CMD_PRINTED_PREFIX}"
printf "%s\n" "'"
printf "%s\n" "== Admin user set up. =="
printf "%s\n" "== Setting up ssh =="
if [ "$TPORT" != "" ]; then
ssh_setup
PORT="${TPORT}"
printf "%s\n" "WARNING: PORT changed to ${PORT}"
printf "%s\n" "== SSH set up. =="
else
printf "%s\n" "== No new SSH port given. Nothing to do. =="
fi
printf "%s\n" "== Setting up ansible dependencies =="
deps_setup
printf "%s\n" "== Ansible dependencies installed. =="
printf "%s\n" "== Setting system hostname =="
hostname_setup
printf "%s\n" "== System hostname set. =="
printf "%s\n" "== Setting up network configuration =="
network_setup
printf "%s\n" "== New network configuration applied =="
printf "%s\n" "== Upgrading system =="
system_upgrade
printf "%s\n" "== System upgraded =="
printf "%s\n" "== Installing SysVinit =="
init_install
printf "%s\n" "== SysVinit installed =="

1
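--- a/lib/pull-prod.sh
+++ b/lib/pull-prod.sh
@@ -0,0 +1 @@
+pull-test.sh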

209
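--- a/lib/pull-test.sh
+++ b/lib/pull-test.sh
@@ -0,0 +1,209 @@
+#!/bin/sh
+case $0 in
+*pull-prod.sh)
+if [ $# -ge 1 ]; then
+BRANCH='master'
+MACHINE="$1"
+shift 1
+else
+printf "%s\n" "USAGE: $0 machine_fqdn [ansible-playbook_options]"
+exit 1;
+fi
+;;
+*pull-test.sh)
+if [ $# -ge 2 ]; then
+BRANCH="$1"
+MACHINE="$2"
+shift 2
+else
+printf "%s\n" "USAGE: $0 branch machine_fqdn [ansible-playbook_options]"
+exit 1;
+fi
+;;
+*)
+printf "%s\n" "USAGE1: ./pull-prod.sh machine_fqdn [ansible-playbook_options]"
+printf "%s\n" "USAGE2: ./pull-test.sh branch machine_fqdn [ansible-playbook_options]"
+printf "%s\n" " 'pull-prod.sh [...]' is an equivalent for 'pull-test.sh master [...]'"
+exit 1;
+;;
+esac
+BIN_GIT='/usr/bin/git'
+BIN_ANSIBLE='/usr/bin/ansible-playbook'
+BIN_PASS='/usr/bin/pass'
+GIT_SERVER="ov2.rhizogen.es.eu.org"
+CONFIGS_CLONE_URL="ssh://gitolite3@${GIT_SERVER}/onalyrg-public/configs.git"
+PASS_CLONE_URL="ssh://gitolite3@${GIT_SERVER}/onalyrg-private/pass-ansible.git"
+SMACHINE="${MACHINE%.rhizogen.es.eu.org}"
+DIRGIT="git"
+# Use a security period for locks to avoid conflicts.
+SECURITY_PERIOD=60
+if [ "x$BRANCH" = "xmaster" ]; then
+configs_dir="${CONFIGS_DIR:-${HOME}/${DIRGIT}/configs}"
+PASSWORD_STORE_DIR=${HOME}/${DIRGIT}/pass-ansible
+else
+configs_dir="/tmp/${DIRGIT}/configs-${BRANCH}"
+PASSWORD_STORE_DIR="/tmp/${DIRGIT}/pass-ansible-${BRANCH}"
+# check if the branch exists in the pass repo
+$BIN_GIT ls-remote --exit-code --heads "${PASS_CLONE_URL}" refs/heads/${BRANCH}
+if [ $? -eq 0 ]; then
+PASS_BRANCH=$BRANCH
+else
+printf "%s\n" "Branch $branch doesn't seem to exist on the remote. Using master instead." >&2
+PASS_BRANCH=master
+fi
+fi
+# KGRP=5E3624B66B97FF9D41315CE0CDBBA3C17E18E46C
+# PASS_GPG=''
+git_reset_pull () {
+repo_dir="$1"
+printf "%s\n" "* cd ${repo_dir}"
+cd "${repo_dir}"
+# reset in case of local changes
+printf "%s\n" "* $BIN_GIT reset --hard --recurse-submodules"
+$BIN_GIT reset --hard --recurse-submodules
+# fetch branches (in case of deleted branches followed by new branches with the same name)
+printf "%s\n" "* $BIN_GIT fetch --prune --recurse-submodules"
+$BIN_GIT fetch --prune --recurse-submodules
+# reset to match upstream (e.g. in case of diverging histories)
+printf "%s\n" "* $BIN_GIT reset --hard --recurse-submodules @{u}"
+$BIN_GIT reset --hard --recurse-submodules @{u}
+# pull the changes
+printf "%s\n" "* $BIN_GIT pull --recurse-submodules"
+$BIN_GIT pull --recurse-submodules
+ret=$?
+# reset to match upstream (e.g. in case of rewritten history)
+printf "%s\n" "* $BIN_GIT reset --hard --recurse-submodules @{u}"
+$BIN_GIT reset --hard --recurse-submodules @{u}
+# keep branch list up-to-date
+printf "%s\n" "* $BIN_GIT fetch --all --prune --recurse-submodules"
+$BIN_GIT fetch --all --prune --recurse-submodules
+return $ret
+}
+git_clone_pull () {
+repo_url="$1"
+repo_dir="$2"
+branch="$3"
+# operations on the repo
+if [ -d "${repo_dir}" ]; then
+git_reset_pull "${repo_dir}"
+ret=$?
+elif [ -e "${repo_dir}" ]; then
+printf "%s\n" "ERROR: Destination ${repo_dir} already exists and is not a dir. Exiting." 1>&2
+exit 2;
+else
+if [ "x$branch" = "xmaster" ]; then
+git_opts=""
+else
+git_opts="-b ${branch} --single-branch"
+fi
+# clone the branch we want
+printf "%s\n" "* $BIN_GIT clone --recursive ${git_opts} ${repo_url} ${repo_dir}"
+$BIN_GIT clone --recursive ${git_opts} "${repo_url}" "${repo_dir}"
+ret=$?
+fi
+if [ $ret -ne 0 ]; then
+printf '%s\n' "Git clone/pull for ${repo_url} into ${repo_dir} failed. Aborting." 1>&2
+exit $ret;
+fi
+}
+cd /tmp
+if [ -d "$DIRGIT" ]; then
+printf "%s\n" "* cd $DIRGIT"
+cd "$DIRGIT"
+elif [ -e "$DIRGIT" ]; then
+printf "%s\n" "ERROR: Destination $DIRGIT already exists and is not a dir. Exiting." 1>&2
+exit 2;
+else
+printf "%s\n" "* mkdir $DIRGIT ; cd $DIRGIT"
+mkdir "$DIRGIT"
+cd "$DIRGIT"
+fi
+# operations on the pass repo
+git_clone_pull "${PASS_CLONE_URL}" "${PASSWORD_STORE_DIR}" "${PASS_BRANCH}"
+# operations on the configs repo
+git_clone_pull "${CONFIGS_CLONE_URL}" "${configs_dir}" "${BRANCH}"
+# populate the gnupg cache
+# is_cached=$(gpg-connect-agent "keyinfo --list" "/bye" | grep "${KGRP}" | awk '{ print $7 }')
+# if [ $is_cached -eq 1 ]; then
+# if [ -z "${PASS_GPG}" ]; then
+# printf '%s' "Enter passphrase for ansible GPG key: "
+# read -s PASS_GPG
+# fi
+# /usr/lib/gnupg2/gpg-preset-passphrase --preset --passphrase "${PASS_GPG}" "${KGRP}"
+# fi
+if [ "x$BRANCH" = "xmaster" ]; then
+# run the playbook
+curdate=$(date +'%s')
+# Create a per-host lock on the ansible-playbook operation. Wait for a
+# security period before running a new ansible-playbook.
+printf '%s\n' "mkdir -- ${HOME}/.auto-ansible/playbookrun_${curdate}_${MACHINE}.lock"
+n=2
+until mkdir -- "${HOME}/.auto-ansible/playbookrun_${curdate}_${MACHINE}.lock"; do
+if [ $n -gt 0 ]; then
+printf '%s\n' "${HOME}/.auto-ansible/playbookrun_${curdate}_${MACHINE}.lock exists, waiting 1s..." 1>&2
+sleep 1
+printf '%s\n' "Trying mkdir -- ${HOME}/.auto-ansible/playbookrun_${curdate}_${MACHINE}.lock" 1>&2
+n=$(($n-1))
+else
+printf '%s\n' "ERROR: ${HOME}/.auto-ansible/playbookrun_${curdate}_${MACHINE}.lock exists. Aborting." 1>&2
+exit 2
+fi
+done
+trap 'rm -rf -- "${HOME}/.auto-ansible/playbookrun_${curdate}_${MACHINE}.lock"' 0
+last_lockfile=""
+printf '%s\n' "find ${HOME}/.auto-ansible -name playbookrun_*_${MACHINE}.lock -printf '%f\n' 2>/dev/null | sort | grep -B1 playbookrun_${curdate}_${MACHINE}.lock | grep -v playbookrun_${curdate}_${MACHINE}.lock"
+last_lockfile=$(find ${HOME}/.auto-ansible -name playbookrun_*_${MACHINE}.lock -printf '%f\n' 2>/dev/null | sort | grep -B1 playbookrun_${curdate}_${MACHINE}.lock | grep -v playbookrun_${curdate}_${MACHINE}.lock)
+if [ "x$last_lockfile" != "x" ]; then
+last_lockfile_time=$(printf '%s\n' ${last_lockfile} | cut -d'_' -f2)
+# printf '%s\n' "$curdate - $last_lockfile_time"
+delta=$(( $curdate - $last_lockfile_time ))
+if [ $delta -gt 0 ] && [ $delta -lt $SECURITY_PERIOD ]; then
+printf '%s\n' "Recent lockfile found: $last_lockfile" >> ${LOGFILE2}
+time_to_wait=$(( $SECURITY_PERIOD - $delta ))
+printf '%s\n' "sleep $time_to_wait" >> ${LOGFILE2}
+sleep $time_to_wait
+fi
+fi
+# DO *NOT* use ANSIBLE_SSH_CONTROL_PATH on playbooks targeting several hosts
+# curdate=$(date '+%s')
+# cpname=$(printf '%s\n' "${0}-${BRANCH}-${MACHINE}-${curdate}" | shasum | cut -d' ' -f1)
+# controlpath=~/.ansible/cp/"${cpname}"
+# printf "%s\n" "* ANSIBLE_SSH_CONTROL_PATH=${controlpath} $BIN_ANSIBLE --vault-id other/ansible-vault/default@${configs_dir}/pass-client.sh -i ${configs_dir}/inventory/hosts --diff $@ ${configs_dir}/${MACHINE}.yaml"
+# ANSIBLE_SSH_CONTROL_PATH="${controlpath}" $BIN_ANSIBLE --vault-id other/ansible-vault/default@${configs_dir}/pass-client.sh -i "${configs_dir}"/inventory/hosts --diff "$@" "${configs_dir}"/"${MACHINE}".yaml
+printf "%s\n" "* $BIN_ANSIBLE --vault-id other/ansible-vault/default@${configs_dir}/pass-client.sh -i ${configs_dir}/inventory/hosts --diff $@ ${configs_dir}/${MACHINE}.yaml"
+$BIN_ANSIBLE --vault-id other/ansible-vault/default@${configs_dir}/pass-client.sh -i "${configs_dir}"/inventory/hosts --diff "$@" "${configs_dir}"/"${MACHINE}".yaml
+# printf '%s\n' "Killing control connection: ssh ${MACHINE} -o ControlPath=${controlpath} -O stop"
+# ssh ${MACHINE} -o ControlPath=${controlpath} -O stop
+else
+# make sure we're in the proper branch
+printf "%s\n" "* cd ${configs_dir}"
+cd "${configs_dir}"
+# ./gitwrap.sh checkout "${BRANCH}"
+printf "%s\n" "* $BIN_GIT checkout ${BRANCH}"
+$BIN_GIT checkout "${BRANCH}"
+# ./gitwrap.sh branch
+# run the playbook via test.sh
+printf "%s\n" "RUNNING lib/test-git.sh"
+printf "%s\n" "* lib/test-git.sh ${BRANCH} ${MACHINE} $@"
+lib/test-git.sh ${BRANCH} ${MACHINE} $@
+fi
+printf "%s\n" "$0 done."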
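Review bot: `LOGFILE2` is never assigned in this script, so the two `>> ${LOGFILE2}` redirections in the security-period branch (`printf '%s\n' "Recent lockfile found: $last_lockfile" >> ${LOGFILE2}` and the `sleep` message) expand to an empty redirection target and the shell errors out there instead of waiting; lib/test.sh carries the same two lines. Either define LOGFILE2 with the other top-level settings or drop the redirection and send those messages to stderr like the lock messages just above them. Separately, non-master runs place the pass-ansible store and the configs clone under the fixed, predictable `/tmp/git` path that every local account can pre-create or read; a directory from `mktemp -d` or a 0700 directory under `$HOME` would keep the password store out of shared temp space. The fallback message in the branch check also prints `$branch` while the variable is `$BRANCH`, so the branch name comes out empty.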

52
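--- a/lib/refreshkeys.sh
+++ b/lib/refreshkeys.sh
@@ -0,0 +1,52 @@
+#!/bin/sh
+ZONE="rhizogen.es.eu.org"
+SUBZONE="$ZONE"
+VM_NAME=''
+VM_FQDN=''
+VM_IP4=''
+VM_IP6=''
+PORT='22'
+usage () {
+printf '%s\n' "USAGE: $0 [ -p ssh_port ] machine_fqdn"
+}
+if [ $# -ge 1 ]; then
+while getopts 'p:' opt; do
+case $opt in
+p) PORT=$OPTARG ;;
+h) usage && exit 0;;
+esac
+done
+fi;
+shift $(($OPTIND-1))
+if [ $# -eq 1 ]; then
+VM_ARG="$1"
+else
+usage && exit 1;
+fi;
+printf '%s\n' "$VM_ARG" | grep "$SUBZONE"
+if [ $? -eq 1 ]; then
+VM_NAME=''
+else
+VM_NAME=${VM_ARG%.${SUBZONE}}
+fi
+VM_FQDN=${VM_ARG}
+VM_IP4=$(getent ahostsv4 "$VM_ARG" | grep 'STREAM' | cut -d' ' -f1)
+VM_IP6=$(getent ahostsv6 "$VM_ARG" | grep 'STREAM' | cut -d' ' -f1)
+printf "%s\n" "==== Clearing old SSH keys and adding new ones ===="
+for i in $VM_NAME $VM_IP4 $VM_IP6 $VM_FQDN; do
+ssh-keygen -f ~/.ssh/known_hosts -R "${i}"
+ssh-keygen -f ~/.ssh/known_hosts -R "[${i}]:${PORT}"
+done;
+for i in $VM_NAME $VM_IP4 $VM_IP6 $VM_FQDN; do
+ssh-keyscan -p $PORT "$i" 2>/dev/null >> ~/.ssh/known_hosts
+done;
+printf "%s\n" "==== Done."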
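Review bot: The second loop deletes every known_hosts entry for the host and then appends whatever `ssh-keyscan -p $PORT "$i"` returns, so the host key is re-trusted on first use with no opportunity to compare it against a reference value; writing the keyscan output to a temporary file, printing its fingerprints with `ssh-keygen -lf` for the operator to check against the value shown by the hosting platform, and only then appending it would keep the check meaningful. The `getopts 'p:'` option string does not include `h`, so the `h)` case is unreachable and `-h` produces a getopts error instead of the usage text; use `getopts 'p:h'`. The zone test `grep "$SUBZONE"` is an unanchored regex in which the dots match any character; `grep -F -- ".${SUBZONE}"` states the intended literal suffix match.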

1
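--- a/lib/test-git.sh
+++ b/lib/test-git.sh
@@ -0,0 +1 @@
+test.sh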

96
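--- a/lib/test.sh
+++ b/lib/test.sh
@@ -0,0 +1,96 @@
+#!/bin/sh
+if [ $# -ge 2 ]; then
+BRANCH="$1"
+MACHINE="$2"
+shift 2
+else
+printf "%s\n" "USAGE: $0 branch machine_fqdn [ansible-playbook_options]"
+exit 1;
+fi;
+BIN_GIT='/usr/bin/git'
+BIN_ANSIBLE='/usr/bin/ansible-playbook'
+BIN_PASS='/usr/bin/pass'
+SMACHINE="${MACHINE%.rhizogen.es.eu.org}"
+DIRGIT="git"
+# Use a security period for locks to avoid conflicts.
+SECURITY_PERIOD=60
+PASS_CLONE_URL="ssh://gitolite3@${GIT_SERVER}/onalyrg-private/pass-ansible.git"
+case $0 in
+*/test-git.sh)
+configs_dir="/tmp/${DIRGIT}/configs-${BRANCH}"
+;;
+*/test.sh)
+configs_dir="/tmp/${DIRGIT}/configs-${BRANCH}-${SMACHINE}"
+;;
+*)
+printf "%s\n" "Script called using name $0" >&2
+configs_dir="/tmp/${DIRGIT}/configs-${BRANCH}-${SMACHINE}"
+;;
+esac
+PASSWORD_STORE_DIR="/tmp/${DIRGIT}/pass-ansible-${BRANCH}"
+printf '%s\n' "* printf '%s\n\n%s\n' '#!/bin/sh' \"PASSWORD_STORE_DIR=\\\"${PASSWORD_STORE_DIR}\\\" pass \\\"\\\$2\\\" | tr -d '\n'\" > \"${configs_dir}\"/pass-client.sh"
+printf '%s\n\n%s\n' '#!/bin/sh' "PASSWORD_STORE_DIR=\"${PASSWORD_STORE_DIR}\" pass \"\$2\" | tr -d '\n'" > "${configs_dir}"/pass-client.sh
+# KGRP=5E3624B66B97FF9D41315CE0CDBBA3C17E18E46C
+# PASS_GPG=''
+# populate the gnupg cache
+# is_cached=$(gpg-connect-agent "keyinfo --list" "/bye" | grep "${KGRP}" | awk '{ print $7 }')
+# if [ $is_cached -eq 1 ]; then
+# if [ -z "${PASS_GPG}" ]; then
+# printf '%s' "Enter passphrase for ansible GPG key: "
+# read -s PASS_GPG
+# fi
+# /usr/lib/gnupg2/gpg-preset-passphrase --preset --passphrase "${PASS_GPG}" "${KGRP}"
+# fi
+# run the playbook
+curdate=$(date +'%s')
+# Create a per-host lock on the ansible-playbook operation. Wait for a
+# security period before running a new ansible-playbook.
+printf '%s\n' "mkdir -- ${HOME}/.auto-ansible/playbookrun_${curdate}_${MACHINE}.lock"
+n=2
+until mkdir -- "${HOME}/.auto-ansible/playbookrun_${curdate}_${MACHINE}.lock"; do
+if [ $n -gt 0 ]; then
+printf '%s\n' "${HOME}/.auto-ansible/playbookrun_${curdate}_${MACHINE}.lock exists, waiting 1s..." 1>&2
+sleep 1
+printf '%s\n' "Trying mkdir -- ${HOME}/.auto-ansible/playbookrun_${curdate}_${MACHINE}.lock" 1>&2
+n=$(($n-1))
+else
+printf '%s\n' "ERROR: ${HOME}/.auto-ansible/playbookrun_${curdate}_${MACHINE}.lock exists. Aborting." 1>&2
+exit 2
+fi
+done
+trap 'rm -rf -- "${HOME}/.auto-ansible/playbookrun_${curdate}_${MACHINE}.lock"' 0
+last_lockfile=""
+printf '%s\n' "find ${HOME}/.auto-ansible -name playbookrun_*_${MACHINE}.lock -printf '%f\n' 2>/dev/null | sort | grep -B1 playbookrun_${curdate}_${MACHINE}.lock | grep -v playbookrun_${curdate}_${MACHINE}.lock"
+last_lockfile=$(find ${HOME}/.auto-ansible -name playbookrun_*_${MACHINE}.lock -printf '%f\n' 2>/dev/null | sort | grep -B1 playbookrun_${curdate}_${MACHINE}.lock | grep -v playbookrun_${curdate}_${MACHINE}.lock)
+if [ "x$last_lockfile" != "x" ]; then
+last_lockfile_time=$(printf '%s\n' ${last_lockfile} | cut -d'_' -f2)
+# printf '%s\n' "$curdate - $last_lockfile_time"
+delta=$(( $curdate - $last_lockfile_time ))
+if [ $delta -gt 0 ] && [ $delta -lt $SECURITY_PERIOD ]; then
+printf '%s\n' "Recent lockfile found: $last_lockfile" >> ${LOGFILE2}
+time_to_wait=$(( $SECURITY_PERIOD - $delta ))
+printf '%s\n' "sleep $time_to_wait" >> ${LOGFILE2}
+sleep $time_to_wait
+fi
+fi
+# DO *NOT* use ANSIBLE_SSH_CONTROL_PATH on playbooks targeting several hosts
+# curdate=$(date '+%s')
+# cpname=$(printf '%s\n' "${0}-${BRANCH}-${MACHINE}-${curdate}" | shasum | cut -d' ' -f1)
+# controlpath=~/.ansible/cp/"${cpname}"
+# printf "%s\n" "* ANSIBLE_SSH_CONTROL_PATH=${controlpath} $BIN_ANSIBLE --vault-id other/ansible-vault/default@${configs_dir}/pass-client.sh -i ${configs_dir}/inventory/hosts --diff $@ ${configs_dir}/${MACHINE}.yaml"
+# ANSIBLE_SSH_CONTROL_PATH="${controlpath}" $BIN_ANSIBLE --vault-id other/ansible-vault/default@${configs_dir}/pass-client.sh -i "${configs_dir}"/inventory/hosts --diff "$@" "${configs_dir}"/"${MACHINE}".yaml
+printf "%s\n" "* $BIN_ANSIBLE --vault-id other/ansible-vault/default@${configs_dir}/pass-client.sh -i ${configs_dir}/inventory/hosts --diff $@ ${configs_dir}/${MACHINE}.yaml"
+$BIN_ANSIBLE --vault-id other/ansible-vault/default@${configs_dir}/pass-client.sh -i "${configs_dir}"/inventory/hosts --diff "$@" "${configs_dir}"/"${MACHINE}".yaml
+# printf '%s\n' "Killing control connection: ssh ${MACHINE} -o ControlPath=${controlpath} -O stop"
+# ssh ${MACHINE} -o ControlPath=${controlpath} -O stop
+printf "%s\n" "$0 done."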
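Review bot: `GIT_SERVER` is not defined anywhere in this script, so `PASS_CLONE_URL="ssh://gitolite3@${GIT_SERVER}/onalyrg-private/pass-ansible.git"` expands to a URL with an empty host; the variable is not used later in the file, so either delete that line or set GIT_SERVER the way lib/pull-test.sh does. The generated `pass-client.sh` is overwritten with `>` and therefore keeps whatever mode the checked-out file has; as far as I know ansible-vault executes a `--vault-id ...@file` target only when it is executable and otherwise reads its contents as the password, so a `chmod +x "${configs_dir}"/pass-client.sh` after the write would make that dependency explicit. The `>> ${LOGFILE2}` redirections in the security-period branch are the same undefined-variable problem raised on lib/pull-test.sh.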

84
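--- a/oldbin/lib/libpostinstall.sh
+++ b/oldbin/lib/libpostinstall.sh
@@ -0,0 +1,84 @@
+#!/bin/bash
+ZONE="rhizogen.es.eu.org"
+ADMINUSER="onalyrg"
+FRONTEND="localhost"
+REPO_DIR="/mnt/ac/projects/doc_tutos/vps_gandi/configs"
+VM_NAME=''
+VM_FQDN=''
+VM_IP4=''
+VM_IP6=''
+if [ $# -eq 1 ]; then
+VM_NAME="$1"
+else
+printf "%s\n" "USAGE: $0 machine"
+exit 1;
+fi;
+VM_IP4=$(getent ahostsv4 "$VM_NAME" | grep 'STREAM' | cut -d' ' -f1)
+VM_IP6=$(getent ahostsv6 "$VM_NAME" | grep 'STREAM' | cut -d' ' -f1)
+printf '%s\n' "$VM_NAME" | grep "$ZONE"
+if [ $? -eq 1 ]; then
+VM_FQDN=${VM_NAME}.${ZONE}
+else
+VM_FQDN=''
+fi
+printf "%s\n" "==== Clearing old SSH keys and adding new ones ===="
+for i in $VM_NAME $VM_IP $VM_FQDN; do
+ssh-keygen -f ~/.ssh/known_hosts -R "$i"
+done;
+for i in $VM_NAME $VM_IP $VM_FQDN; do
+ssh-keyscan "$i" 2>/dev/null >> ~/.ssh/known_hosts
+done;
+printf "%s\n" "==== Done."
+BIN_SSHPASS=$(command -v sshpass)
+if [ $? -eq 0 ]; then
+printf '%s\n' "Program sshpass found at ${BIN_SSHPASS}. You'll be asked to enter the ${ADMINUSER} password."
+printf '%s' "Password: "
+read -s admin_pw
+printf '%s\n' ""
+SSH_PREFIX="${BIN_SSHPASS} -p ${admin_pw}"
+else
+printf '%s\n' "Program sshpass not found. Using classic password prompting."
+SSH_PREFIX=""
+fi
+printf "%s\n" "==== Copying ssh keys for ${ADMINUSER} ===="
+#CMD_1="ssh ${ADMINUSER}@${VM_NAME} 'mkdir -m 0700 .ssh'"
+${SSH_PREFIX} ssh ${ADMINUSER}@${VM_NAME} 'mkdir -m 0700 .ssh'
+#CMD_2="scp ${REPO_DIR}/roles/${ADMINUSER}/files/authorized_keys ${ADMINUSER}@${VM_NAME}:~/.ssh"
+${SSH_PREFIX} scp ${REPO_DIR}/roles/${ADMINUSER}/files/authorized_keys ${ADMINUSER}@${VM_NAME}:~/.ssh
+#CMD_3="ssh ${ADMINUSER}@${VM_NAME} 'chmod 0600 .ssh/authorized_keys'"
+${SSH_PREFIX} ssh ${ADMINUSER}@${VM_NAME} 'chmod 0600 .ssh/authorized_keys'
+printf "%s\n" "==== Done."
+printf "%s\n" "==== Copying sudoers config for ${ADMINUSER} ===="
+j2 ${REPO_DIR}/roles/${ADMINUSER}/templates/sudoers.d/admin_user.j2 ${REPO_DIR}/inventory/group_vars/all.yaml > ${REPO_DIR}/roles/${ADMINUSER}/files/sudoers.d/${ADMINUSER}
+#CMD_4="scp ${REPO_DIR}/roles/${ADMINUSER}/files/sudoers.d/${ADMINUSER} ${ADMINUSER}@${VM_NAME}:~/.${ADMINUSER}.sudoers"
+${SSH_PREFIX} scp ${REPO_DIR}/roles/${ADMINUSER}/files/sudoers.d/${ADMINUSER} ${ADMINUSER}@${VM_NAME}:~/.${ADMINUSER}.sudoers
+#CMD_5="ssh -t ${ADMINUSER}@${VM_NAME} 'su - -c \"apt install sudo && mv /home/${ADMINUSER}/.${ADMINUSER}.sudoers /etc/sudoers.d/${ADMINUSER} && chown root:root /etc/sudoers.d/${ADMINUSER}\"'"
+printf "%s\n" "You'll be asked to enter the root password."
+${SSH_PREFIX} ssh -t ${ADMINUSER}@${VM_NAME} "su - -c \"if [ -f /etc/debian_version ]; then apt update && apt -y install sudo; fi && mv /home/${ADMINUSER}/.${ADMINUSER}.sudoers /etc/sudoers.d/${ADMINUSER} && chown root:root /etc/sudoers.d/${ADMINUSER}\""
+printf "%s\n" "==== Done."
+printf "%s\n" "==== Installing python-apt and python3-apt ===="
+${SSH_PREFIX} ssh -t ${ADMINUSER}@${VM_NAME} "sudo apt -y install python-apt python3-apt"
+printf "%s\n" "==== Done."
+printf "%s\n" "==== Copying sudoers config for ${ADMINUSER} ===="
+${SSH_PREFIX} scp ${REPO_DIR}/roles/ssh/files/sshd_config_Debian_10 ${ADMINUSER}@${VM_NAME}:~/sshd_config
+${SSH_PREFIX} ssh -t ${ADMINUSER}@${VM_NAME} "sudo mv /home/${ADMINUSER}/sshd_config /etc/ssh/sshd_config && sudo chown root:root /etc/ssh/sshd_config && sudo service ssh restart"
+printf "%s\n" "==== Done."
+printf "%s\n" "==== Installing sysvinit-core ===="
+${SSH_PREFIX} ssh -p 57473 -t ${ADMINUSER}@${VM_NAME} "sudo apt -y install sysvinit-core"
+printf "%s\n" "==== Done."
+printf "%s\n" "==== Rebooting ===="
+${SSH_PREFIX} ssh -p 57473 -t ${ADMINUSER}@${VM_NAME} "sudo reboot"
+printf "%s\n" "==== Done."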
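Review bot: `SSH_PREFIX="${BIN_SSHPASS} -p ${admin_pw}"` puts the admin password on the command line of every ssh and scp call that follows, where any local user can read it from the process list for the duration of the call; sshpass can take it from the environment instead, `export SSHPASS="${admin_pw}"` with `SSH_PREFIX="${BIN_SSHPASS} -e"`, which also removes the word-splitting problem an unquoted `${SSH_PREFIX}` has with a password containing spaces. The two known_hosts loops iterate over `$VM_IP`, which is never set; the values computed above are `VM_IP4` and `VM_IP6`, so the IP-keyed entries are neither removed nor re-added. The sudoers drop-in is `chown root:root` but never `chmod 0440`, unlike the newer postinstall script, so its mode depends on the umask of the scp transfer. The heading before the sshd_config copy still reads "Copying sudoers config", which is misleading in the log output.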

46
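--- a/oldbin/postinstall.sh
+++ b/oldbin/postinstall.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+ZONE="rhizogen.es.eu.org"
+ADMINUSER="onalyrg"
+FRONTEND="localhost"
+REPO_DIR="~/gitlab/configs"
+VM_NAME=''
+VM_FQDN=''
+VM_IP4=''
+VM_IP6=''
+if [ $# -eq 1 ]; then
+VM_NAME="$1"
+else
+printf "%s\n" "USAGE: $0 machine"
+exit 1;
+fi;
+VM_IP4=$(getent ahostsv4 "$VM_NAME" | grep 'STREAM' | cut -d' ' -f1)
+VM_IP6=$(getent ahostsv6 "$VM_NAME" | grep 'STREAM' | cut -d' ' -f1)
+printf '%s\n' "$VM_NAME" | grep "$ZONE"
+if [ $? -eq 1 ]; then
+VM_FQDN=${VM_NAME}.${ZONE}
+else
+VM_FQDN=''
+fi
+printf "%s\n" "==== Clearing old SSH keys and adding new ones ===="
+for i in $VM_NAME $VM_IP4 $VM_IP6 $VM_FQDN; do
+ssh-keygen -f ~/.ssh/known_hosts -R "$i"
+done;
+for i in $VM_NAME $VM_IP4 $VM_IP6 $VM_FQDN; do
+ssh-keyscan "$i" 2>/dev/null >> ~/.ssh/known_hosts
+done;
+printf "%s\n" "==== Done."
+if [ "$FRONTEND" = "localhost" ]; then
+./lib/libpostinstall.sh $VM_NAME
+else
+ssh -t -A ${ADMINUSER}@${FRONTEND} "${REPO_DIR}/lib/libpostinstall.sh $VM_NAME"
+fi
+printf "%s\n" "==== $0 done."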
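Review bot: `ssh -t -A ${ADMINUSER}@${FRONTEND} ...` forwards the local ssh agent to the frontend for the whole libpostinstall run, so anyone with root on that host can use the forwarded keys while the session lasts; a comment stating why the frontend needs the agent, or a dedicated key kept on the frontend for this task, would make the trust being granted explicit. With `FRONTEND="localhost"` hard-coded that branch is currently unreachable, which is worth a one-line comment so the `-A` is not copied into a live path unnoticed. `REPO_DIR="~/gitlab/configs"` keeps the tilde literal because it is inside double quotes; it only works here because the remote shell expands it again, and `"${HOME}/gitlab/configs"` would not depend on that.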


@ -0,0 +1,41 @@
---
- name: Playbook ov1
hosts: ov1
remote_user: "{{ admin_user }}"
become_method: sudo
roles:
- hosting_platform
- network
- base
- cacertificates
- adminuser
- default_user
- adminuser_home
- adminuser_sync
- firstuser
- firstuser_home
- firstuser_sync
- ssh
- smtp_secondary
- sendmail_gpg
- rkhunter
- fail2ban
- logwatch
- munin_node
- nrpe
- bind_slave
- pureftpd
- nginx
- prosody_secondary
- git_base
- git_server
- rsync_server
- ikiwiki_base
- ikiwiki_backups
- ikiwiki_websites
- git_repos_unix
- sync_server
# tasks:
# - debug: var=defaultalias_jabber_prosody_dir


@ -0,0 +1,52 @@
---
- name: Playbook ov2
hosts: ov2
remote_user: "{{ admin_user }}"
become_method: sudo
roles:
- hosting_platform
- network
- base
- adminuser
- default_user
- adminuser_home
- sync_user
- ssh
- smtp_client
- sendmail_gpg
- rkhunter
- fail2ban
- logwatch
# - snmp
- munin_node
- nrpe
- munin
# - nsca_client
# - nsca
- nagios
- pureftpd
- nginx
- nginx_homedirs
- git_base
- git_server
- rsync_server
- gitolite
- gitolite_config
- ikiwiki_base
- ikiwiki_repos
- ikiwiki_websites
- git_repos_unix
- git_repos_gitolite
- adminuser_workenv
- ansible
- auto_ansible
- bind_master
- sync_node
- deb
- deb_client
# # you can do `ansible -i inventory/hosts ov2.rhizogen.es.eu.org -m setup -e "ansible_user=admin_user"`
tasks:
# - debug: var=ansible_facts
# - debug: var=ansible_devices
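Review bot: `tasks:` at the end of the play has no value because both entries under it are commented out, so the key parses as `tasks: null` rather than as an empty list. I believe recent Ansible accepts a null tasks key, but the intent is clearer and safer as `tasks: []`, or by commenting the key out together with its entries as the ov1 playbook does (`# tasks:`).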

13
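--- a/pass-client.sh
+++ b/pass-client.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+if [ $# -ne 2 ]; then
+printf '%s\n' "Usage: $0 --vault-id path/to/password"
+exit 1
+fi
+if [ $1 = '--vault-id' ]; then
+VAULTID=$2;
+fi
+PASSWORD_STORE_DIR=~/git/pass-ansible pass "$VAULTID" | tr -d '\n'
+#pass-ansible "$VAULTID" | tr -d '\n'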
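Review bot: When the first argument is anything other than `--vault-id`, `VAULTID` stays unset and the script still runs `pass ""`, handing whatever pass prints for an empty name (presumably the store listing) to ansible-vault as the password instead of failing; the comparison `[ $1 = '--vault-id' ]` also leaves `$1` unquoted, so an argument containing spaces or glob characters breaks the test. Invert the check so the bad case exits: `if [ "$1" != '--vault-id' ]; then printf '%s\n' "Usage: $0 --vault-id path/to/password" >&2; exit 1; fi` followed by `VAULTID=$2`. Both usage messages belong on stderr, since stdout of this script is consumed as the vault secret.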

1
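--- a/periodtable2infratable.sh
+++ b/periodtable2infratable.sh
@@ -0,0 +1 @@
+roles/auto_ansible/files/auto-ansible/periodtable2infratable.sh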

213
postinstall.sh Executable file

@ -0,0 +1,213 @@
#!/bin/bash
ZONE="rhizogen.es.eu.org"
#ZONE="rzgn.es.eu.org"
SUBZONE=${ZONE}
#ADMINUSER="onalyrg"
ADMINUSER="ansible"
#FRONTEND="auto-ansible.rhizogen.es.eu.org"
FRONTEND="ansible.rhizogen.es.eu.org"
#FRONTEND="localhost"
REPO_DIR=/mnt/ac/projects/doc_tutos/vps_gandi/configs
REMOTE_REPO_DIR=git/configs
#PASS_REPO=${HOME}/git/pass-ansible
VM_NAME=''
VM_FQDN=''
usage() {
printf '%s\n' "USAGE: $0 [ -f frontend ] [ -u <default_user> ] [ -c pw|key ] [ -e su|sudo ] [ -p <default_password> ] [ -P <default_root_password> ] [ -s <target_admin_password> ] [ -S <target_root_password> ] [ -t <ssh_port> ] [ -T <target_ssh_port> ] <vm_name>"
printf "%s\n"
printf '%s\n' "frontend is either localhost or auto-ansible"
printf '%s\n' "If absent, it's assumed to be localhost"
printf '%s\n'
printf '%s\n' "EXAMPLE 1: $0 -f localhost -u debian -c key -e sudo -t 22 -T 22222 vm_name"
printf '%s\n' "EXAMPLE 2: $0 -f auto-ansible -u root -c pw -p 'PW_1' -t 22 vm_name"
printf '%s\n' "EXAMPLE 3: $0 -f auto-ansible -u root -c key -t 22 vm_name"
printf '%s\n' "EXAMPLE 4: $0 -f auto-ansible -u debian -c pw -e su -p 'PW_1' -P 'PW_2' -t 22 vm_name"
printf '%s\n' "EXAMPLE 5: $0 -f auto-ansible -u debian -c pw -e sudo -p 'PW_1' -t 22 vm_name"
printf '%s\n' "EXAMPLE 6: $0 -f auto-ansible -u debian -c key -e su -P 'PW_2' -t 22 vm_name"
printf '%s\n' "EXAMPLE 7: $0 -f auto-ansible -u debian -c key -e sudo -t 22 vm_name"
printf '%s\n' "EXAMPLE 8: $0 -f localhost -u sysadmin -c key -e sudo -t 22222 vm_name"
# printf '%s\n' "EXAMPLE 9: $0 -f localhost -u sysadmin -t 22222 vm_name"
}
DEFAULTPWOPT=""
P_DEFAULTPWOPT=""
DEFAULT_ROOTPWOPT=""
P_DEFAULTROOTPWOPT=""
ARGLIST=""
P_ARGLIST=""
if [ $# -ge 1 ]; then
while getopts 'f:u:c:e:p:P:s:S:t:T:h' opt; do
case $opt in
f) FRONTEND=$OPTARG ;;
u) DEFAULT_USER=$OPTARG
ARGLIST="$ARGLIST -u $DEFAULT_USER"
P_ARGLIST="$P_ARGLIST -u $DEFAULT_USER"
;;
c) CX_METHOD=$OPTARG
ARGLIST="$ARGLIST -c $CX_METHOD"
P_ARGLIST="$P_ARGLIST -c $CX_METHOD"
;; # connexion method can be pw or key. If not given the script will try to guess
e) SU_METHOD=$OPTARG
ARGLIST="$ARGLIST -e $SU_METHOD"
P_ARGLIST="$P_ARGLIST -e $SU_METHOD"
;; # authorization method can be su or sudo. If not given the script will try to guess with additional steps which may require interaction
p) DEFAULT_PW=$OPTARG
DEFAULTPWOPT="-p ${DEFAULT_PW}"
P_DEFAULTPWOPT="-p \${DEFAULT_PW}"
;; #for now we'll assume the VM doesn't need a pw by default (key auth)
P) DEFAULT_ROOTPW=$OPTARG
DEFAULT_ROOTPWOPT="-P ${DEFAULT_ROOTPW}"
P_DEFAULTROOTPWOPT="-P \${DEFAULT_ROOTPW}"
;; #for now we'll assume the VM doesn't need a pw by default (key auth)
s) VM_ADMINPW=$OPTARG
VM_ADMINPWOPT="-s ${VM_ADMINPW}"
P_VMADMINPWOPT="-s \${VM_ADMINPW}"
;;
S) VM_ROOTPW=$OPTARG
VM_ROOTPWOPT="-S ${VM_ROOTPW}"
P_VMROOTPWOPT="-S \${VM_ROOTPW}"
;;
t) PORT=$OPTARG
ARGLIST="$ARGLIST -t $PORT"
P_ARGLIST="$P_ARGLIST -t $PORT"
;;
T) TPORT=$OPTARG
ARGLIST="$ARGLIST -T $TPORT"
P_ARGLIST="$P_ARGLIST -T $TPORT"
;;
h) usage && exit 0;;
esac
done
fi;
shift $(($OPTIND-1))
ARGLIST="$ARGLIST $@"
if [ $# -eq 1 ]; then
VM_ARG="$1"
else
usage && exit 1;
fi;
# Here we turn the name given on the command line into a short name
# and a FQDN
printf '%s\n' "$VM_ARG" | grep "$ZONE" >/dev/null
if [ $? -eq 1 ]; then
VM_NAME=${VM_ARG}
VM_FQDN=${VM_ARG}.${SUBZONE}
else
printf '%s\n' "$VM_ARG" | grep "$SUBZONE" >/dev/null
if [ $? -eq 1 ]; then
VM_NAME=''
else
VM_NAME=${VM_ARG%.${SUBZONE}}
fi
VM_FQDN=${VM_ARG}
fi
# Here we refresh the server-side SSH keys
if [ "$TPORT" != "" ]; then
printf '%s\n' "* ${REPO_DIR}/lib/refreshkeys.sh -p $TPORT $VM_FQDN"
${REPO_DIR}/lib/refreshkeys.sh -p $TPORT $VM_FQDN
fi
printf '%s\n' "* ${REPO_DIR}/lib/refreshkeys.sh -p $PORT $VM_FQDN"
${REPO_DIR}/lib/refreshkeys.sh -p $PORT $VM_FQDN
# Here we set some unset variables
if [ "$DEFAULT_USER" = "" ]; then
printf '%s\n' "DEFAULT_USER not set, we'll assume it's $ADMINUSER"
DEFAULT_USER=$ADMINUSER
fi
if [ "$DEFAULT_USER" = "root" ] && [ "$DEFAULT_ROOTPW" != "" ]; then
DEFAULT_PW=$DEFAULT_ROOTPW
fi
# Here we determine if we use the pass repository, in which case we
# can fetch the SSH and SU/SUDO passwords from there instead of
# prompting for them
nopass=1
nopassrepo=1
BIN_PASS=$(command -v pass >/dev/null)
nopass=$?
if [ "x$PASS_REPO" != "x" ] && [ -d $PASS_REPO ]; then
nopassrepo=$?
fi
# if pass is present and pass repo is present
# if CX_METHOD is pw and DEFAULT_PW not given
# try to get the password from pass
# if SU_METHOD is su and DEFAULT_ROOTPW not given
# try to get the password from pass
if [ "$nopass" -eq 0 ] && [ "$nopassrepo" -eq 0 ]; then
PASSWORD_STORE_DIR=${PASS_REPO} pass git pull
if [ "$CX_METHOD" = "pw" ] && [ "x$DEFAULT_PW" = "x" ]; then
if [ -e ${PASS_REPO}/virtual/linux/${VM_NAME}/${DEFAULT_USER}.gpg ]; then
DEFAULT_PW=$(PASSWORD_STORE_DIR=${PASS_REPO} pass virtual/linux/${VM_NAME}/${DEFAULT_USER})
elif [ -e ${PASS_REPO}/virtual/linux/default/${DEFAULT_USER}.gpg ]; then
printf '%s\n' "${PASS_REPO}/virtual/linux/${VM_NAME}/${DEFAULT_USER}.gpg not found. Using default ${DEFAULT_USER} password." 1>&2
DEFAULT_PW=$(PASSWORD_STORE_DIR=${PASS_REPO} pass virtual/linux/default/${DEFAULT_USER})
else
printf '%s\n' "${PASS_REPO}/virtual/linux/\{${VM_NAME},default\}/${DEFAULT_USER}.gpg not found. You'll be prompted for the ${DEFAULT_USER} password." 1>&2
fi
fi
if [ "$SU_METHOD" = "su" ] && [ "x$DEFAULT_ROOTPW" = "x" ]; then
if [ -e ${PASS_REPO}/virtual/linux/${VM_NAME}/root.gpg ]; then
DEFAULT_ROOTPW=$(PASSWORD_STORE_DIR=${PASS_REPO} pass virtual/linux/${VM_NAME}/root)
elif [ -e ${PASS_REPO}/virtual/linux/default/root.gpg ]; then
printf '%s\n' "${PASS_REPO}/virtual/linux/${VM_NAME}/root.gpg not found. Using default root password." 1>&2
DEFAULT_ROOTPW=$(PASSWORD_STORE_DIR=${PASS_REPO} pass virtual/linux/default/root)
else
printf '%s\n' "${PASS_REPO}/virtual/linux/\{${VM_NAME},default\}/root.gpg not found. You'll be prompted for the root password." 1>&2
fi
fi
fi
if [ "$DEFAULT_PW" != "" ]; then
DEFAULTPWOPT="-p ${DEFAULT_PW}"
P_DEFAULTPWOPT="-p \${DEFAULT_PW}"
fi
if [ "$DEFAULT_ROOTPW" != "" ]; then
DEFAULT_ROOTPWOPT="-P ${DEFAULT_ROOTPW}"
P_DEFAULTROOTPWOPT="-P \${DEFAULT_ROOTPW}"
fi
ARGLIST="$ARGLIST ${DEFAULTPWOPT}"
P_ARGLIST="$P_ARGLIST ${P_DEFAULTPWOPT}"
ARGLIST="$ARGLIST ${DEFAULT_ROOTPWOPT}"
P_ARGLIST="$P_ARGLIST ${P_DEFAULTROOTPWOPT}"
ARGLIST="$ARGLIST ${VM_ADMINPWOPT}"
P_ARGLIST="$P_ARGLIST ${P_VMADMINPWOPT}"
ARGLIST="$ARGLIST ${VM_ROOTPWOPT}"
P_ARGLIST="$P_ARGLIST ${P_VMROOTPWOPT}"
# If the FRONTEND is localhost, we run libpostinstall.sh directly
# if an other FRONTEND is specified, we run libpostinstall.sh from there.
if [ "$FRONTEND" = "localhost" ] || [ "x$FRONTEND" = "x" ]; then
printf '%s\n' "./lib/libpostinstall.sh $ARGLIST"
./lib/libpostinstall.sh $ARGLIST
else
printf '%s\n' "$FRONTEND" | grep "$ZONE" >/dev/null
if [ $? -eq 1 ]; then
FRONT_NAME=${FRONTEND}
FRONT_FQDN=${FRONTEND}.${SUBZONE}
else
printf '%s\n' "$FRONTEND" | grep "$SUBZONE" >/dev/null
if [ $? -eq 1 ]; then
FRONT_NAME=''
else
FRONT_NAME=${FRONTEND%.${SUBZONE}}
fi
FRONT_FQDN=${FRONTEND}
fi
printf '%s %s %s\n' "ssh -t -A ${ADMINUSER}@${FRONT_FQDN}" '. /etc/profile ; ${CONFIGS_DIR}/lib/libpostinstall.sh' "$ARGLIST"
ssh -t -A ${ADMINUSER}@${FRONT_FQDN} '. /etc/profile ; ${CONFIGS_DIR}/lib/libpostinstall.sh' "$ARGLIST"
fi
printf "%s\n" "==== $0 done."
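Review bot: The echo lines `printf '%s\n' "./lib/libpostinstall.sh $ARGLIST"` and the `ssh -t -A` echo print `$ARGLIST`, which carries the plaintext `-p`/`-P`/`-s`/`-S` passwords, so they end up on the terminal and in any scrollback or session log; the sanitized `P_ARGLIST` (built with literal `\${DEFAULT_PW}` placeholders) is assembled for exactly this purpose but never read, so both lines should print `$P_ARGLIST`. The passwords are also argv of the local and remote `libpostinstall.sh` processes and part of the unquoted ssh remote command string, so they are visible to other users through process listings and a password containing `;`, `$` or spaces is re-parsed by the remote shell; passing them via stdin or the environment would be the durable fix, but that is a `libpostinstall.sh` change outside this hunk. Two smaller defects: `BIN_PASS=$(command -v pass >/dev/null)` always assigns an empty string because the output is redirected (only `nopass=$?` is used, so drop the assignment), and when `-t` is omitted `$PORT` is empty, so `refreshkeys.sh -p $PORT $VM_FQDN` is effectively called with the host name as the port argument.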

1
push-prod.sh Symbolic link

@ -0,0 +1 @@
push-test.sh

54
push-test.sh Executable file

@ -0,0 +1,54 @@
#!/bin/sh
if [ $# -ge 1 ]; then
MACHINE="$1"
shift 1
else
printf "%s\n" "USAGE: $0 machine_fqdn [ansible-playbook_options]"
exit 1;
fi;
ADMIN_USER='ansible'
ANSIBLE_SERVER="ov2.rhizogen.es.eu.org"
SSH_PORT="57473"
configs_dir="${CONFIGS_DIR:-${HOME}/git/configs}"
DIRGIT="git"
#BIN_GIT="git"
BIN_GIT="./gitwrap.sh"
remote_configs_dir='~/git/configs'
# Check syntax locally before pushing
printf "%s\n" "[SYNTAX CHECK]"
printf "%s\n" "* ansible-playbook -i ${configs_dir}/inventory/hosts --syntax-check ${configs_dir}/${MACHINE}.yaml"
ansible-playbook -i "${configs_dir}/inventory/hosts" --syntax-check "${configs_dir}/${MACHINE}.yaml"
ret=$?
if [ $ret -ne 0 ]; then
printf "%s\n" "ERROR: Syntax check failed. Changes won't be pushed. Aborting." >&2
exit 2
fi
case $0 in
*/push-prod.sh)
# Push and run remote prod command
printf "%s\n" "[PUSH-PROD]"
printf "%s\n" "* ${BIN_GIT} push && ssh -t -A -p ${SSH_PORT} ${ADMIN_USER}@${ANSIBLE_SERVER} ${remote_configs_dir}/lib/pull-prod.sh $MACHINE $@"
${BIN_GIT} push && \
ssh -t -A -p ${SSH_PORT} "${ADMIN_USER}"@"${ANSIBLE_SERVER}" "${remote_configs_dir}/lib/pull-prod.sh $MACHINE $@"
;;
*/push-test.sh)
# Push and run remote test command
BRANCH="$(git branch --show-current || git rev-parse --abbrev-ref HEAD)"
printf "%s\n" "[PUSH-TEST]"
printf "%s\n" "* ${BIN_GIT} push && ssh -t -A -p ${SSH_PORT} ${ADMIN_USER}@${ANSIBLE_SERVER} ${remote_configs_dir}/lib/pull-test.sh $BRANCH $MACHINE $@"
${BIN_GIT} push && \
ssh -t -A -p ${SSH_PORT} "${ADMIN_USER}"@"${ANSIBLE_SERVER}" "${remote_configs_dir}/lib/pull-test.sh $BRANCH $MACHINE $@"
;;
*)
printf "%s\n" "Script has been called with unknown name $0" >&2
printf "%s\n" "Exiting." >&2
exit 2;
esac
printf "%s\n" "$0 done."
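Review bot: The `case $0 in */push-prod.sh)` patterns only match when the script is invoked with a path component, so running `push-prod.sh` from `$PATH` (or as `sh push-prod.sh`) falls into the unknown-name branch and exits 2; match on the basename instead, `case ${0##*/} in` with `push-prod.sh)` and `push-test.sh)` as the labels. `BIN_GIT="./gitwrap.sh"` is relative to the caller's working directory while every other path is anchored on `${configs_dir}`; `BIN_GIT="${configs_dir}/gitwrap.sh"` keeps them consistent. Also, `$@` inside the double-quoted remote command is flattened into one string for the remote shell, so a playbook option containing spaces or quotes is split differently on the far side; probably fine for plain flags, but worth a comment above the `ssh` lines.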

1
roles/COPYING Normal file

@ -0,0 +1 @@
The content of this repository is under WTFPLv2, see `LICENSE` for a full text of the license.

14
roles/LICENSE Normal file

@ -0,0 +1,14 @@
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
Version 2, December 2004
Copyright (C) 2004 Sam Hocevar <sam@hocevar.net>
Everyone is permitted to copy and distribute verbatim or modified
copies of this license document, and changing it is allowed as long
as the name is changed.
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. You just DO WHAT THE FUCK YOU WANT TO.


@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDUAdxc5IR3zuh5W0pfgp/x0/iLhyNaoP03v2x87ZTVApyCdkNAWFTCvIqJc+ddc3Pn3UkUUFvmgdp4yYKbxXtwxCl9FaiIeRyiJHj4LdP4os5ldZPtU70w+KU75/2hMRWJkCpAAQYraJeyELiNxe+Mh/kCQry3YirlUVvd52/1cdme1rCsQ5oZXoqx4ylpR25Ibc0evb46dE5jfl/S/FubW/aFlzHZ4NeOUz8F62wOaEYqhAXlnDOOyki7KpKImWzqL/cb0vxpdbzH8/hEaMZ/LXX2LmI+R5D2RRe0FZcIs0Ymgw+ydZ9daLOAf/L6yeInM/K6SkaqOzExg1ttHLSj/1u15siX+jucoVV5tBXQQnJRA/kxBNp85G62bYNVzKeYcEeGKi1zFfoG9E0nnPdV7kCxobk030P7HPfEVGWdU0vO2fOzVlvLueqH6LNCTv8q6QCFZ2KA/HjPFlUV5r2p+HllYHfzVq4j6JBNdLgRHleUhQzol6X+PhkFHd25+B9gPIDGTJJCBxrlMUEYezjqUsqYqtuur6yP8WTLIr4KYGcKdaNJEstRA22i+3uxpiXke9VsGTb8Ju00mNWKvgzur6wTubQP/mexKjSJmkSr5sKL9Xybgmp/go2KCW8zR2IozHlKr9U0M+a4fXgVmgD19rzgoWd53FA8GO/4Vd4myw== ac@t530

1
roles/adminuser/files/ssh Symbolic link

@ -0,0 +1 @@
../../../inventory/files/ssh


@ -0,0 +1 @@
onalyrg ALL=(ALL:ALL) NOPASSWD:ALL
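Review bot: This fragment hard-codes `onalyrg` while the adminuser tasks in the same commit install the templated `sudoers.d/adminuser.j2` with `{{ admin_user }}` behind `visudo -csf` validation; if this static copy is a leftover, remove it so there is a single source of truth for the `NOPASSWD:ALL` grant, and if it is still deployed somewhere, route it through the same validated task. The file header for this section is missing from the rendered page, so I cannot tell where it lives or which task consumes it.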


@ -0,0 +1,95 @@
---
- name: Update root password
ansible.builtin.user:
name: root
password: "{{ root_pwhash }}"
state: present
become: yes
- name: Create group for admin user
ansible.builtin.group:
name: "{{ admin_user }}"
state: present
become: yes
- name: Make sure admin user is properly set
ansible.builtin.user:
name: "{{ admin_user }}"
group: "{{ admin_user }}"
password: "{{ admin_user_pwhash }}"
shell: /bin/bash
comment: "{{ admin_user_fullname }}"
state: present
become: yes
- name: Create .ssh/ directory with proper permissions
ansible.builtin.file:
path: /home/{{ admin_user }}/.ssh/
state: directory
mode: '0700'
- name: Copy admin ssh keys
ansible.builtin.template:
src: authorized_keys.j2
dest: /home/{{ admin_user }}/.ssh/authorized_keys
owner: "{{ admin_user }}"
group: "{{ admin_user }}"
mode: '0600'
# - name: Set SSH pubkeys and dotfiles for admin user
# ansible.builtin.copy:
# src: "{{ item.src }}"
# dest: "{{ item.dest }}"
# owner: "{{ admin_user }}"
# group: "{{ admin_user }}"
# mode: "{{ item.mode }}"
# with_items:
# - { src: 'adminuser/id_rsa_adminuser_{{ ansible_hostname }}_gitmirror.pub', dest: '/home/{{ admin_user }}/.ssh/id_rsa_{{ ansible_hostname }}_gitmirror.pub', mode: '0644' }
# - name: Set SSH keys and dotfiles for admin user
# ansible.builtin.copy:
# src: "{{ item.src }}"
# dest: "{{ item.dest }}"
# owner: "{{ admin_user }}"
# group: "{{ admin_user }}"
# mode: "{{ item.mode }}"
# with_items:
# - { src: 'adminuser/id_rsa_adminuser_{{ ansible_hostname }}_gitmirror', dest: '/home/{{ admin_user }}/.ssh/id_rsa_{{ ansible_hostname }}_gitmirror', mode: '0600' }
- name: Install sudo
ansible.builtin.package:
name: sudo
state: present
become: yes
- name: Copy sudo configuration for admin user
ansible.builtin.template:
src: sudoers.d/adminuser.j2
dest: /etc/sudoers.d/{{ admin_user }}
owner: root
group: root
mode: '0440'
validate: /usr/sbin/visudo -csf %s
become: yes
- name: Copy sendmail-gpg config for admin user
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ admin_user }}"
group: "{{ admin_user }}"
mode: '0644'
become: yes
with_items:
- { src: 'sendmail-gpg.conf.j2', dest: '/home/{{ admin_user }}/.sendmail-gpg.conf' }
# contains an e-mail address
no_log: true
- name: Configure cron for admin_user
ansible.builtin.cron:
name: MAILTO
env: yes
user: "{{ admin_user }}"
job: "root+crontab@{{ zone }}"
# contains an e-mail address
no_log: true
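Review bot: `Create .ssh/ directory with proper permissions` sets `mode: '0700'` but no `owner`/`group`, unlike the `authorized_keys` task right after it; if the play is ever run with escalation at play level or connects as a different user, the directory ends up owned by that user and sshd rejects the key file. Add `owner: "{{ admin_user }}"` and `group: "{{ admin_user }}"` to it for consistency. The `become: yes` values parse as booleans but the file otherwise writes `true`; `become: true` keeps yamllint's truthy rule quiet. One caveat for the sudoers task: sudo skips files in `/etc/sudoers.d/` whose name contains a `.` or ends with `~`, so `dest: /etc/sudoers.d/{{ admin_user }}` silently deploys nothing if `admin_user` ever contains a dot, which deserves a comment on that line.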


@ -0,0 +1,6 @@
{% for key in admin_user_authorized_keys %}
{{ key }}
{% endfor %}
{% if admin_user_authorized_keys_gitmirror is defined %}{% for key in admin_user_authorized_keys_gitmirror %}
command="/usr/bin/git-shell -c \"$SSH_ORIGINAL_COMMAND\"",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty {{ key }}
{% endfor %}{% endif %}
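Review bot: The git-mirror keys are pinned to `git-shell` with four explicit `no-*` options; on OpenSSH 7.2 and later the single `restrict` option also disables user-rc and any restriction introduced in later releases, so `restrict,command="/usr/bin/git-shell -c \"$SSH_ORIGINAL_COMMAND\"" {{ key }}` is the more future-proof form, assuming the managed hosts run a recent enough sshd. A short header comment naming the two variables this template expects (`admin_user_authorized_keys`, optional `admin_user_authorized_keys_gitmirror`) and the fact that the second group is command-restricted would help whoever maintains the inventory.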


@ -0,0 +1,3 @@
#GPG_ID='{{ admin_user }}-{{ ansible_hostname }}'
#GPG_ID='{{ admin_user }}@{{ ansible_fqdn }}'
GPG_ID='0x{{ admin_user_key }}'


@ -0,0 +1 @@
{{ admin_user }} ALL=(ALL:ALL) NOPASSWD:ALL


@ -0,0 +1,7 @@
---
dependencies:
# needed:
- role: adminuser
- role: cacertificates
- role: git_client
# bundled:


@ -0,0 +1,20 @@
---
- name: Create www/ directory with proper permissions
ansible.builtin.file:
path: /home/{{ admin_user }}/www/
state: directory
owner: "{{ admin_user }}"
group: "{{ admin_user }}"
mode: '0755'
- name: Copy git config
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ admin_user }}"
group: "{{ admin_user }}"
mode: '0644'
with_items:
- { src: 'git/gitconfig.j2', dest: '/home/{{ admin_user }}/.gitconfig' }
# contains an e-mail address
no_log: true
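Review bot: `Copy git config` wraps a single item in `with_items`, which only adds indirection; `src: git/gitconfig.j2` and `dest: /home/{{ admin_user }}/.gitconfig` can be written directly on the template task. Keep in mind that `no_log: true` also hides template rendering errors and the diff output, so a failed render of `gitconfig.j2` will be harder to debug; a comment stating that trade-off next to the existing `# contains an e-mail address` line would make the choice deliberate.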


@ -0,0 +1,16 @@
[hooks]
allowunannotated = false
allowcommitunsigned = false
allowcommitinvalid = false
allowcommituntrusted = false
allowtagunsigned = false
allowtaguntrusted = false
gpgkeyserver = {{ githook_keyserver }}
publicgitusers = {{ git_user }}
unixgitusers = {{ admin_user }} {{ first_user }}
mailinglist = root+git@{{ zone }}
announcelist = root+git@{{ zone }}
[user]
name = {{ admin_user }}
email = {{ admin_user_mail_local }}
signingkey = {{ admin_user_key_local }}


@ -0,0 +1,7 @@
---
dependencies:
# needed:
- role: adminuser
- role: cacertificates
- role: git_client
# bundled:


@ -0,0 +1,58 @@
---
- name: Create maildir tree
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
owner: "{{ admin_user }}"
group: "{{ admin_user }}"
mode: '0700'
with_items:
- { path: '/home/{{ admin_user }}/Maildir' }
- { path: '/home/{{ admin_user }}/Maildir/cur' }
- { path: '/home/{{ admin_user }}/Maildir/new' }
- { path: '/home/{{ admin_user }}/Maildir/tmp' }
- { path: '/home/{{ admin_user }}/Maildir/.INBOX.system.reports/cur' }
- { path: '/home/{{ admin_user }}/Maildir/.INBOX.system.reports/new' }
- { path: '/home/{{ admin_user }}/Maildir/.INBOX.system.reports/tmp' }
- { path: '/home/{{ admin_user }}/Maildir/.INBOX.system.alerts/cur' }
- { path: '/home/{{ admin_user }}/Maildir/.INBOX.system.alerts/new' }
- { path: '/home/{{ admin_user }}/Maildir/.INBOX.system.alerts/tmp' }
- { path: '/home/{{ admin_user }}/Maildir/.INBOX.system.tests/cur' }
- { path: '/home/{{ admin_user }}/Maildir/.INBOX.system.tests/new' }
- { path: '/home/{{ admin_user }}/Maildir/.INBOX.system.tests/tmp' }
- { path: '/home/{{ admin_user }}/Maildir/.INBOX.meatbags.abuse/cur' }
- { path: '/home/{{ admin_user }}/Maildir/.INBOX.meatbags.abuse/new' }
- { path: '/home/{{ admin_user }}/Maildir/.INBOX.meatbags.abuse/tmp' }
- { path: '/home/{{ admin_user }}/Maildir/.INBOX.meatbags.postmaster/cur' }
- { path: '/home/{{ admin_user }}/Maildir/.INBOX.meatbags.postmaster/new' }
- { path: '/home/{{ admin_user }}/Maildir/.INBOX.meatbags.postmaster/tmp' }
- { path: '/home/{{ admin_user }}/Maildir/.INBOX.meatbags.webmaster/cur' }
- { path: '/home/{{ admin_user }}/Maildir/.INBOX.meatbags.webmaster/new' }
- { path: '/home/{{ admin_user }}/Maildir/.INBOX.meatbags.webmaster/tmp' }
- { path: '/home/{{ admin_user }}/.procmail' }
- name: Copy procmail configuration for admin user
ansible.builtin.template:
src: procmailrc.j2
dest: /home/{{ admin_user }}/.procmailrc
owner: "{{ admin_user }}"
group: "{{ admin_user }}"
mode: '0644'
- name: Create mcabber config dir
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
owner: "{{ admin_user }}"
group: "{{ admin_user }}"
mode: '0700'
with_items:
- { path: '/home/{{ admin_user }}/.mcabber' }
- name: Copy mcabber configuration for admin user
ansible.builtin.template:
src: mcabberrc.j2
dest: /home/{{ admin_user }}/.mcabber/mcabberrc
owner: "{{ admin_user }}"
group: "{{ admin_user }}"
mode: '0600'
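Review bot: `.procmailrc` is deployed with `mode: '0644'` while everything else in this role is `0700`/`0600`, and unlike the gitconfig task elsewhere in this commit it carries no `no_log` even though a procmail rc usually contains addresses and delivery rules; `mode: '0600'` keeps it consistent with the maildir tree and the mcabber config, and it costs nothing since procmail runs as the owner. If the template is known to hold no addresses, a comment saying so on the task would settle the question.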


@ -0,0 +1,602 @@
# Please provide your Jabber (XMPP) identifier:
#set jid = yourusername@domain
set jid = {{ admin_user }}@{{ defaultalias_jabber }}
# If password is not given, it will be interactively asked for.
# Note: if the password contains leading or trailing spaces, you must
# enclose it with quotes: set password = " example password "
#set password = yourpassword
# Read password from output of the given command.
# This is a way to use password managers like 'pass' in order
# to avoid writing plain passwords into config files.
#set password_eval = "your command"
# You can provide a server name if you want mcabber to connect
# to a specific server.
#set server = your.jabber.server
# To automatically append the server to the JID in say_to, use this option:
#set default_server = jabber.org
# If port is not given, mcabber will try to find it out.
#set port = 5222
# If you don't know what a resource is, do not set it.
# Set disable_random_resource to 1 if you don't want mcabber to add a random
# suffix to the resource name.
#set resource = mcabber
#set disable_random_resource = 0
#set priority = 3
#set priority_away = 0
# Set 'ignore_self_presence' to 1 if you do not want to see your own
# presence in your roster (default: 0). Other resources will still be
# displayed.
set ignore_self_presence = 1
# SSL/TLS options:
# TLS is now regarded as the default encryption for connecting to jabber.
# You can require TLS by setting tls to 1. If your jabber server
# still doesn't support TLS, you can use the old-style SSL by setting
# ssl to 1. It's not possible to use old-style SSL and TLS together.
#set ssl = 0
set tls = 1
# It is possible to set the allowed ciphers which openssl/gnutls can use for
# the encrypted connection.
# openssl (get the name of the available ciphers via 'openssl ciphers'):
#set ssl_ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384
# gnutls (check the priorities option of 'man gnutls_priority_init'):
#set ssl_ciphers = PFS
# If you'd like to explicitly specify trusted certificates, set the ssl_ca
# option to a certificate file or path.
#set ssl_ca = ~/.mcabber/trusted_cert.pem
# Moreover, it's possible to check whether the fingerprint of the
# ssl certificate matches ssl_fingerprint.
# You can get the fingerprint of your server either with gnutls or openssl:
# 1. gnutls-cli -p 5223 $your_server
# 2. openssl s_client -starttls xmpp -connect $yourserver:5222 | \
# openssl x509 -fingerprint -sha256 -noout
#set ssl_fingerprint = SHA256:647d2eef7f972001d4fe8b6bedb3007d095dcd982ebb6773c6fb74adb8cc27c0
# Set ssl_ignore_checks to 1 to disable all certificate checks except the
# fingerprint check.
#set ssl_ignore_checks = 0
# PGP support
# Set pgp to 1 to enable OpenPGP.
# To sign outgoing messages, select your private key id with
# the pgp_private_key option. You cannot change these options once
# mcabber is running.
# Note: you can get the Key Id with gpg: "gpg --list-keys --keyid-format long"
#set pgp = 0
#set pgp_private_key = "C9940A9BB0B92210"
#
# You can set your PGP passhrase here, although it's NOT advised.
#set pgp_passphrase = "PGPpassword"
#
# If you don't like the default number of passphrase retries (2), you
# can change it here. If this number is < 0, mcabber will keep asking
# until the passphrase is good.
#set pgp_passphrase_retries = 2
#
# You can specify the path to the gpg binary, e.g. to force the use of
# GnuPG version 1 on systems which have both versions installed.
#set gpg_path = /usr/bin/gpg
#
# If GnuPG should use a custom configuration directory, you can set
# 'gpg_home' to the desired path.
#set gpg_home = ~/.mcabber/gpg
# Conference nickname
# This nickname is used when joining a room, when no nick is explicitly
# specified by the user. Note that when the nickname option is not set,
# the jid variable can be used.
#set nickname = Abitbol
# Proxy
# mcabber can use a proxy if it supports the CONNECT method
# The proxy_user/proxy_pass variables are optional.
#set proxy_host = "proxy-hostname"
#set proxy_port = 3128
#set proxy_user = "username"
#set proxy_pass = "password"
# Keepalive
# If you need a ping/keepalive to leave your connection open, you
# can use the pinginterval. Setting this option to 0 disables the ping.
# Default value is 40 seconds.
#set pinginterval = 40
# Language
# Help files have been translated into a few languages.
# You can set lang to a semicolon separated list of the following
# values: en, cs, de, fr, it, nl, pl, ru, uk. If you omit this,
# mcabber will try to autodetect it from your locale, with fallback
# to en.
# You also can specify a list of directories, where help is located,
# for example, if your mcabber is installed with another prefix than
# your modules.
# This may be convenient to print help not into the status buffer, but into
# currently opened buffer. For that set help_to_current option.
#set lang = en
#set help_dirs = "/usr/share/mcabber/help;~/share/mcabber/help"
#set help_to_current = 0
# Aspell
# If your mcabber has been built with Aspell support, you can enable spell
# checking with the following options (you can't change them once mcabber is
# running).
#set spell_enable = 1
#set spell_lang = en_US ru_RU
#set spell_encoding = iso8859-1
#set spell_encoding = UTF-8
# History
# Number of lines to remember for the command line history
# (default: 0, unlimited).
set cmdhistory_lines = 250
# You can set up a mask to filter buddies and display them according to
# their status. The mask should contain the shortcut letters of the
# status you want to see ([o]nline, [f]ree_for_chat, [d]o_not_disturb,
# [n]ot_available, [a]way, [_]offline).
# For example, to display everybody the filter should be "ofdna_" (default).
# To display only the connected buddies, use "ofdna".
# Please note that this option is only used at startup (once mcabber is
# running you can use "/roster display").
#set roster_display_filter = ofdna_
# By default, mcabber adds a leading space before each buddy in the roster. You
# can remove it to gain a little space.
#set roster_no_leading_space = 0
# By default command line completion is case-sensitive; this can be changed
# by setting the option 'completion_ignore_case' to 1.
#set completion_ignore_case = 0
# Message Carbons (XEP-0280)
# If you want to enable Message Carbons at startup (and if your server
# supports them), set the 'carbons' option to 1. Default is 0.
#set carbons = 1
# Set the 'clear_unread_on_carbon' option to 1 if the unread messages flag
# should be cleared when an outgoing copy of a message sent to that contact
# is received from another client. Default is 0.
#set clear_unread_on_carbon = 1
# Typing notifications, Chat States, Events (XEP-22/85)
# Set disable_chatstates to 1 if you don't want to use typing notifications.
# Note: changing this option once mcabber is running has no effect.
#set disable_chatstates = 0
# History logging
# You can save the messages history: set logging = 1
# Set 'logging_ignore_status' to 1 if you do not want to save status changes
# (and status messages) to the log files (default: 0).
# You can load (read) the messages history: set load_logs = 1
# If you enable load_logs, you can use the 'max_history_age' setting below.
# The default logging directory (logging_dir) is $HOME/.mcabber/histo/
# (or $XDG_CONFIG_HOME/mcabber/histo/).
# Defaults for logging, load_logs are 0 (disabled)
# Note: the logging directory path is created if absent.
# Note: these options, except 'max_history_age' and 'max_history_blocks',
# are used at startup time.
#set logging = 1
#set load_logs = 1
#set logging_dir = ~/.mcabber/histo/
#set logging_ignore_status = 1
# Set log_muc_conf to 1 to enable MUC chatrooms logging (default = 0)
#set log_muc_conf = 1
# Set load_muc_logs to 1 to read MUC chatrooms logs (default = 0). These
# logs will be displayed in the buffer window _before_ any history received
# from the server.
#set load_muc_logs = 0
# When load_logs (or load_muc_logs) is enabled, you can specify a maximum
# number of history days to load into memory with max_history_age.
# Default = 0 (disabled -- everything is loaded)
# Note: this option is only used when reading history files, not later.
#set max_history_age = 0
# mcabber can store the list of unread messages in a state file,
# so that the message flags are set back at next startup.
# Note that 'logging' must be enabled for this feature to work.
#set statefile = ~/.mcabber/mcabber.state
# You can specify a maximum number of data blocks per buffer (1 block contains
# about 8kB). The default is 0 (unlimited). If set, this value must be > 2.
set max_history_blocks = 8
# IQ settings
# Set iq_version_hide_os to 1 if you do not want to allow people to retrieve
# your OS version.
#set iq_version_hide_os = 0
#
# Set iq_version_hide_version to 1 if you do not want to allow people to
# retrieve your mcabber version.
#set iq_version_hide_version = 0
#
# Set iq_time_hide to 1 if you do not want to allow people to retrieve
# your OS time.
#set iq_time_hide = 0
#
# Set iq_last_disable to 1 if you want to disable response to jabber:iq:last
# queries (XEP-0012). Set iq_last_disable_when_notavail to 1 if you want
# to disable Last Activity reports only when the not-available status is set.
# (Default is 0 for both options)
#set iq_last_disable = 0
#set iq_last_disable_when_notavail = 1
#
# Set iq_hide_requests to 1 if you don't want received IQ requests to be
# displayed in the status window (default: 0).
#set iq_hide_requests = 1
# Modules
# If mcabber is built with modules support, you can specify the path
# to the directory where your modules reside. Though, default compiled-in
# value should be appropriate.
#set modules_dir = /usr/lib/mcabber/
# Beep
# Set beep_on_message to 1 if you want mcabber to beep when receiving
# a new message (except in chatrooms). If you want a more sophisticated
# system (e.g. play a sound), have a look at 'events_command' below.
#set beep_on_message = 0
# External command for events
# You can specify a script or process to be launched when an event occurs.
# Set 'events_ignore_active_window' to 1 if you don't want the script to
# be run for a message to the current active window (default: 0).
#
# If 'event_log_files' is set, a file is created and contains the body of
# the message (incoming messages only); the file name is the last parameter.
# If you enable this, you can specify the directory mcabber will use to
# create these messages with the 'event_log_dir' variable (default is the
# system temp dir, or MCABBERTMPDIR environment variable). Please note
# that mcabber won't delete these files, it's your script's job.
#
# The command is called the following way:
# $events_command MSG IN jabber@id [file] (when receiving a message)
# $events_command MSG OUT jabber@id (when sending a message)
# $events_command MSG MUC room_id [file] (when receiving a MUC message)
# $events_command STATUS X jabber@id (new buddy status is X)
# $events_command UNREAD "N x y z" (number of unread buddy buffers)
# (x=attention y=muc unread buffers z=muc unread buffers with attention sign)
# See sample script in contrib/ directory.
#set events_command = ~/.mcabber/eventcmd
#
#set events_ignore_active_window = 0
#
#set event_log_files = 0
#set event_log_dir = ~/.mcabber/event_files
# If you set 'eventcmd_use_nickname' to 1, mcabber will pass the nickname
# (if it is defined) to the event script instead of the JID (default: 0).
#set eventcmd_use_nickname = 0
# External command status check
# You can request mcabber to inspect exit status value after each
# events_command. If this option is set, mcabber will beep if the
# exit value is 2.
#set eventcmd_checkstatus = 0
# Internal hooks
# You can ask mcabber to execute an internal command when a special event
# occurs (for example when it connects to the server).
#
# 'hook-post-connect' is executed when mcabber has connected to the server
# and the roster has been received.
#set hook-post-connect = status dnd
#
# 'hook-pre-disconnect' is executed just before mcabber disconnects from
# the server.
#set hook-pre-disconnect = say_to foo@bar Goodbye!
# FIFO
# mcabber can create a FIFO named pipe and listen to this pipe for commands.
# Don't forget to load the FIFO module if you plan to use this feature!
# Default: disabled.
# Set 'fifo_hide_commands' to 1 if you don't want to see the FIFO commands
# in the log window (they will still be written to the tracelog file).
# When FIFO is configured, you can turn it off and on in real time with
# the 'fifo_ignore' option (default: 0). When set to 1, the FIFO input is
# still read but it is discarded.
#set fifo_name = ~/.mcabber/mcabber.fifo
#set fifo_hide_commands = 0
#set fifo_ignore = 0
#
#module load fifo
# URL extractor
# Set 'url_regex' to a regular expression matching urls. If it matches an
# url in an incoming messages, it'll print it to the log window.
# Don't forget to load the urlregex module if you plan to use this feature!
#set url_regex = "(((https?|ftps?|nntp)://)|www[.][-a-z0-9.]+|(mailto:|news:))(%[0-9A-F]{2}|[-_.!~*';/?:@&=+$,#[:alnum:]])+"
#
#module load urlregex
# Traces logging
# If you want advanced traces, please specify a file and a level here.
# There are currently 4 tracelog levels:
# lvl 1: most events of the log window are written to the file
# lvl 2: Loudmouth verbose logging
# lvl 3: debug logging (XML, etc.)
# lvl 4: noisy debug logging (Loudmouth parser...)
# Default is level 0, no trace logging
#set tracelog_level = 1
#set tracelog_file = ~/.mcabber/mcabber.log
# Set the auto-away timeout, in seconds. If set to a value >0,
# mcabber will change your status to away if no real activity is detected
# (command, message, move in the buddylist...). Note: auto-away only changes
# the status when it is "available" (online) or "free_for_chat".
# See 'message_autoaway' below.
#set autoaway = 0
# Message blocking
# Set 'block_unsubscribed' to 1 if you want to block (drop) incoming
# messages from people you haven't authorized. (default: 0)
#set block_unsubscribed = 0
#
# Set 'delete_on_reject' to 1 if you want to delete buddies from your
# roster when you reject their subscription request. (default: 0)
# (See documentation for /event)
# The buddy is actually deleted only if there is no other subscription,
# so for example if you are subscribed to this buddy's presence updates it
# won't be deleted.
#set delete_on_reject = 0
# MUC
# Set 'muc_flag_joins' to 1 if you want the MUC rooms to be flagged in
# the roster when somebody joins a room. Set it to 2 if you want a flag
# for leaves too.
#set muc_flag_joins = 0
# Set 'muc_print_status' to see status changes in MUC rooms:
# 1: (none) do not display joining/leaving members
# 2: (in_and_out) display joining/leaving members
# 3: (all) display joining/leaving members and member status changes
# (default: in_and_out)
#set muc_print_status = 2
# Set 'muc_auto_whois' to 1 if you want to call /room whois each time
# somebody joins a room. (default: 0)
#set muc_auto_whois = 0
# Set 'muc_print_jid' to see real jid in non-anonynmous room when somebody
# joins. This setting will be ignored when auto_whois is enabled.
# 0: only nick (don't print jid even if available)
# 1: nick and bare jid
# 2: nick and full jid with resource
#set muc_print_jid = 1
#
# Set 'muc_disable_nick_hl' to 1 if you don't want mcabber to color lines
# containing your nickname in a MUC room.
#set muc_disable_nick_hl = 0
#
# Set 'muc_completion_suffix' if you want mcabber to append a string to
# suggested nicknames (only at the beginning of a line), like ":" or ",".
# (Default: none)
#set muc_completion_suffix = ": "
#
# Set 'muc_bookmark_autoupdate' to 1 if you want changes made to room options
# be stored automatically on server. Otherwise you'll have to manually use
# command /room bookmark, or changes will not be permanent (for session only).
# This setting will not add any bookmark, only update already existing ones.
#set muc_bookmark_autoupdate = 0
# Status messages
# The 'message' value will override all others, take care!
#set message = Unique message status
#set message_avail = I'm available
#set message_free = I'm free for chat
#set message_dnd = Please do not disturb
#set message_notavail = I'm not available
#set message_away = I'm away
#
# The auto-away message is only used when 'autoaway' is set. The previous
# message will be restored when leaving auto-away status. If this message
# isn't defined, the status message will stay unchanged.
set message_autoaway = Auto-away (idle)
# Escape timeout delay (ESCDELAY)
# The ESCDELAY variable specifies the time, in milliseconds, for which
# the ncurses interface will await a character sequence.
# The default is 1000 (1 second).
# If you want mcabber to react faster after hitting Escape, you can lower
# this value by setting the ESCDELAY environment variable or setting the
# 'escdelay' option.
set escdelay = 50
# Colors
# Colors are: black, red, green, yellow, blue, magenta, cyan, white
# For text colors (i.e. not background and bg* colors) you can also use
# the "bright" prefix to get a bright/bold color. Example: brightblue
# You can use the "default" color, too (i.e. for transparent background).
# If your terminal supports 256 colors, you can use the color number
# directly (16-255).
#
# Have a look at the contrib/themes/ directory to see some sample
# color settings.
#
# background: background color of the chat window and the log window
# general: text color in the chat window and the log window
# info: text color in the chat window for info messages
# msgin: text color in the chat window for incoming messages
# msgout: text color in the chat window for outgoing messages
# msghl: text color in the chat window for highlighted messages (MUC)
# bgstatus: background color of the status lines
# status: text color of the status lines
# log: text color in the log window
# roster: text color of the roster (buddylist) normal items
# bgrostersel: background color of the selected roster item
# rostersel: text color of the selected roster item
# rosterselmsg:text color of the selected roster item, if there is a new msg
# rosternewmsg: text color of items with unread messages
# readmark: text color of the "read mark" line in buffers
# timestamp: text color in the chat window for delayed timestamps
#
#set color_background = black
#set color_general = white
#set color_info = white
#set color_msgin = white
#set color_msgout = cyan
#set color_msghl = yellow
#set color_bgstatus = blue
#set color_status = white
#set color_log = white
#set color_roster = green
#set color_bgrostersel = cyan
#set color_rostersel = blue
#set color_rosterselmsg = red
#set color_rosternewmsg = red
#set color_readmark = red
#set color_timestamp = brightblue
# You can color roster items by their status and JID. For example, to have
# all roster items white, just all contacts from jabber.org that are away,
# not available or do not disturb yellow, you do this:
#
#color roster * * white
#color roster adn *@jabber.org yellow
# You can let mcabber color nicks in MUC.
# These colors will by used automatically:
#set nick_colors = red green blue
# This turns coloring of all mucs on:
#color muc * on
#
# If you want someone's nick to be the same all the time:
#color mucnick my_friend yellow
# Style
# Note: the 'log_win_height' and 'roster_width' values below can be set
# in real time when mcabber is running. Refresh the screen (Ctrl-l) to
# use the new values.
#
# Log window height (minimum 1, default 5)
#set log_win_height = 5
# Buddylist window width (minimum 2, default 24)
#set roster_width=24
#
# The options 'log_win_on_top' and 'roster_win_on_right' can change the
# position of the log window (top/bottom) and the position of the roster
# (left/right).
#set log_win_on_top = 0
#set roster_win_on_right = 0
#
# The attention sign (default: '!') used when a private message is received
# can be changed with the 'attention_char' option.
#set attention_char = !
#
# By default, the displayed name of a contact in the roster window will
# be the JID if no name has been specified. You can use the following
# option if you only want to see the username part.
#set roster_hide_domain = 0
#
# Buddy name format (in status window):
# - 0: (default) "<jid/resource>"
# - 1: "name <jid/resource>" (name is omitted if same as the JID)
# - 2: "name/resource" (if the name is the same as the JID, use <jid/res>)
# - 3: "name" (if the name is the same as the JID, use <jid/res>)
#set buddy_format = 2
#
# Time format:
# - 0: (default) Date and time
# - 1: Time only
# - 2: None
#set time_prefix = 0
#
# When a contact sends "/me ", mcabber displays "*user ", where user
# is the local part of the contact's JID.
# If you want mcabber to display the complete bare JID (user@server.com),
# set 'buddy_me_fulljid' to 1 (default: 0)
#set buddy_me_fulljid = 1
#
# Display the status changes in the log window (default: 0, never)
# Set 'log_display_presence' to 1 to enable.
#set log_display_presence = 0
#
# Display the status changes in the chat buffers (default: 0, never)
# Values: 0: never 1: only connect/disconnect 2: all
#set show_status_in_buffer = 1
#
# Set 'log_display_sender' to 1 to display the message sender's JID in the
# log window (default: 0, no)
#set log_display_sender = 0
#
# Set 'info' to anything you'd like to see in your lower status line.
#set info = woot
#
# Automatic locking on buddy resource that messages are coming from.
# Useful when your buddies are chatting from their non-highest priority
# resources, forcing you to use /say_to command.
#set roster_autolock_resource = 1
#
# Automatic locking of buffer when scrolled up, and unlocking when scrolled
# to bottom.
# Set 'buffer_smart_scrolling' to 1 to enable.
# Note: manual command "/buffer scroll_lock" will not work when smart scrolling
# is enabled. Command "/buffer scroll_unlock" will only work if there is a new
# message received.
#set buffer_smart_scrolling = 0
# Contacts PGP information
# You can provide a PGP key to be used for a given Jabber user, or
# disable PGP on a per-account basis.
# If you provide a KeyId for a contact, it will be compared to the key the
# contact uses to sign their presence/messages and it will be used for
# all outgoing encrypted messages (that is, the contact signature key will
# be ignored).
# Please note that the key must match exactly the id seen with /info.
#pgp disable foo@bar.org
#pgp setkey bar@foo.net C9940A9BB0B92210
# OTR (Off-The-Record messaging) support
# (Only available if mcabber is built with OTR support)
# Set otr to 1 to enable OTR support.
# You cannot change this option once mcabber is running.
#set otr = 0
#
# OTR directory
# You can specify the OTR directory with the otr_dir option
# (default = ~/.mcabber/otr/).
#set otr_dir = "~/.mcabber/otr/"
#
# You can set OTR policies from the configuration file (use /help otrpolicy
# for the details).
#otrpolicy default manual
# Entity Caps cache
# You can provide a directory where mcabber will store an offline cache
# of other clients' capabilities. This will likely reduce network overhead
# on start of new session.
#set caps_directory = "~/.mcabber/caps"
# Aliases
alias me = say /me
alias online = status online
alias away = status away
alias dnd = status dnd
alias notavail = status notavail
#alias names = room names
#alias topic = room topic
# Set use_mouse to 1 to map mouse buttons like keycodes.
#set use_mouse = 1
# Key bindings
# Ctrl-q (17) bound to /roster unread_next
bind 17 = roster unread_next
# Ctrl-x (24) bound to /roster alternate
bind 24 = roster alternate
# F5 (269) bound to /roster toggle_offline (centericq-like, IIRC)
bind 269 = roster toggle_offline
# F12 (276) bound to /roster toggle
bind 276 = roster toggle
# Ctrl-Up/Ctrl-Down bound to /buffer up/down (like Ctrl-p/Ctrl-n)
bind 521 = buffer up
bind 514 = buffer down
# Sample alias to join mcabber channel with "/jmc"
#alias jmc = room join mcabber@conf.lilotux.net

@ -0,0 +1,38 @@
#VERBOSE=yes
LOGFILE=.procmail/procmail.log
SHELL=/bin/sh
PATH=/bin:/usr/bin:/usr/local/bin
MAILDIR=Maildir/
DEFAULT=./
:0
* ^To: .*root\+(fail2ban|apticron|nagios|aptlistchanges|munin|muninnode|unattended-upgrades|ssl-cert-check|zone-rrsig-check)@
.INBOX.system.alerts/
:0
* ^From: .*(fail2ban|alerts)@.*{{ zone }}$
.INBOX.system.alerts/
:0
* ^To: .*root\+(rkhunter|chkrootkit|.*crontab|logwatch)@
.INBOX.system.reports/
:0
* ^From: .*reports@.*{{ zone }}$
.INBOX.system.reports/
:0
* ^From: .*{{ admin_user }}\+nagiostest@
.INBOX.system.tests/
:0
* ^Delivered-To: .*abuse@
.INBOX.meatbags.abuse/
:0
* ^Delivered-To: .*postmaster@
.INBOX.meatbags.postmaster/
:0
* ^Delivered-To: .*webmaster@
.INBOX.meatbags.webmaster/
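Review bot: The `^From: .*(fail2ban|alerts)@.*{{ zone }}$` and `^From: .*reports@.*{{ zone }}$` recipes interpolate the zone into a regex without escaping, so the dots match any character and the leading `.*` lets a sender such as `alerts@evilexample.org` land in `.INBOX.system.alerts/` alongside genuine fail2ban mail; From: is attacker-chosen, so this folder routing must not be read as a trust signal. Anchoring the domain part would at least stop the subdomain trick: `* ^From: .*(fail2ban|alerts)@([-a-z0-9]+\.)*{{ zone | regex_escape }}(>|$)`. The `(>|$)` alternative is a guess at headers of the form `Name <addr>`, which the current `$` would not match; verify against real alert mail before tightening.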

@ -0,0 +1,7 @@
---
dependencies:
# needed:
- role: adminuser
- role: cacertificates
- role: git_client
# bundled:

View file

@ -0,0 +1,62 @@
---
- name: Clone ssl-cert-check repo
ansible.builtin.git:
repo: "https://github.com/Matty9191/ssl-cert-check.git"
dest: /home/{{ admin_user }}/git/ssl-cert-check
- name: Download the check_zone_rrsig_expiration script
# first source (http): http://dns.measurement-factory.com/tools/nagios-plugins/src/check_zone_rrsig_expiration
ansible.builtin.get_url:
url: http://dns.measurement-factory.com/tools/nagios-plugins/src/check_zone_rrsig_expiration
dest: "/home/{{ admin_user }}/check_zone_rrsig_expiration"
owner: "{{ admin_user }}"
group: "{{ admin_user }}"
mode: '0750'
# # alternative source (git): https://github.com/DNS-OARC/tldmon.git
# ansible.builtin.git:
# repo: "https://github.com/DNS-OARC/tldmon.git"
# dest: /home/{{ admin_user }}/git/tldmon
- name: Copy check scripts
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ admin_user }}"
group: "{{ admin_user }}"
mode: "{{ item.mode }}"
with_items:
- { src: "project-services-check.sh.j2", dest: "/home/{{ admin_user }}/{{ project_lname }}-services-check.sh", mode: '0750' }
- { src: "ssldomains.j2", dest: "/home/{{ admin_user }}/ssldomains", mode: '0644' }
- name: Copy check wrapper script
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ admin_user }}"
group: "{{ admin_user }}"
mode: "{{ item.mode }}"
with_items:
- { src: "zone-project-check.sh.j2", dest: "/home/{{ admin_user }}/zone-{{ project_lname }}-check.sh", mode: '0750' }
# contains an e-mail address
no_log: true
- name: Make cron execute the zone check script every day
ansible.builtin.cron:
name: check DNSSEC signatures expiration
minute: "00"
hour: "01"
day: "*"
user: "{{ admin_user }}"
job: "/home/{{ admin_user }}/zone-{{ project_lname }}-check.sh"
- name: Make cron execute ssl-cert-check every day
ansible.builtin.cron:
name: check tls certificates expiration
minute: "01"
hour: "01"
day: "*"
user: "{{ admin_user }}"
job: "/home/{{ admin_user }}/git/ssl-cert-check/ssl-cert-check -a -e 'root+ssl-cert-check@{{ zone }}' -f ssldomains -q -x 14"
# contains an e-mail address
no_log: true
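Review bot: Both scripts that the cron entries below execute daily are fetched without any integrity check: the ssl-cert-check clone has no `version:` and so follows the remote default branch, and check_zone_rrsig_expiration is downloaded over plain HTTP with no `checksum:`, so a network attacker or a compromised upstream gets code execution as `{{ admin_user }}` on every host this role runs on. Pin the clone to a reviewed commit with `version: "<commit sha>"`, and fetch the plugin with `url: https://dns.measurement-factory.com/tools/nagios-plugins/src/check_zone_rrsig_expiration` plus `checksum: "sha256:<digest of the reviewed copy>"` (I have not verified that the host serves HTTPS; if it does not, vendor the reviewed file into the role instead). The `no_log: true` on the cron task also hides failures of that task; if the goal is only to keep the address out of logs, consider moving the address into the wrapper script as the zone check already does.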

@ -0,0 +1,28 @@
#!/bin/bash
DOMAIN[0]=smtp
PORT[0]=587
DOMAIN[1]=imap
PORT[1]=993
DOMAIN[2]=jabber
PORT[2]=5222
#DOMAIN[3]=conference
#PORT[3]=5222
#DOMAIN[4]=jabber
#PORT[4]=5269
#DOMAIN[5]=conference
#PORT[5]=5269
DOMAIN[6]=ftp1
PORT[6]=21
#DOMAIN[7]=infinote
#PORT[7]=6523
DOMAIN[8]=mumble
PORT[8]=64738
REPORTMAIL='root+ssl-cert-check@{{ zone }}'
SSLCHECK_BIN=/home/{{ admin_user }}/git/ssl-cert-check/ssl-cert-check
ZONE="{{ zone }}"
for service in 0 1 2 6 8; do
$SSLCHECK_BIN -e "${REPORTMAIL}" -s "${DOMAIN[$service]}.${ZONE}" -p "${PORT[$service]}";
done;
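Review bot: The index list `for service in 0 1 2 6 8` must be kept in sync by hand with whichever `DOMAIN[n]`/`PORT[n]` pairs are uncommented above; re-enabling a commented pair without updating the list silently skips the check, and adding an index without a pair runs ssl-cert-check with an empty host. Iterating over the defined keys removes that coupling: `for service in "${!DOMAIN[@]}"; do`. A `set -u` at the top would additionally turn a missing `PORT[$service]` into an error instead of an empty argument.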

@ -0,0 +1,13 @@
ftp.{{ zone }} 21
www.{{ zone }} 443
smtp.{{ zone }} 587
imap.{{ zone }} 993
jabber.{{ zone }} 5222
#conference.{{ zone }} 5222
jabber.{{ zone }} 5269
#conference.{{ zone }} 5269
radicale.{{ zone }} 5232
#infinote.{{ zone }} 6523
mumble.{{ zone }} 64738
ftp3.{{ zone }} 21
www3.{{ zone }} 443

@ -0,0 +1,23 @@
#!/bin/sh
REPORTMAIL='root+zone-rrsig-check@{{ zone }}'
SIGCHECK_BIN=/home/{{ admin_user }}/check_zone_rrsig_expiration
ZONE='{{ zone }}'
WARNDAYS=12
output=$(perl "$SIGCHECK_BIN" -Z "${ZONE}" -W "$WARNDAYS")
nbok=$(printf '%s\n' "${output}" | grep -ic "OK")
nbwarn=$(printf '%s\n' "${output}" | grep -ic "WARNING")
nbcrit=$(printf '%s\n' "${output}" | grep -ic "CRITICAL")
if [ "$nbok" -ge 1 ]; then
printf '%s\n' "${output}";
fi
if [ "$nbwarn" -ge 1 ]; then
printf '%s\n' "${output}" | mail -s "[DNSSEC] WARNING: RRSIG will expire soon" "$REPORTMAIL";
fi
if [ "$nbcrit" -ge 1 ]; then
printf '%s\n' "${output}" | mail -s "[DNSSEC] CRITICAL: RRSIG must be changed" "$REPORTMAIL";
fi
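Review bot: The script classifies the result by grepping the plugin's text and never looks at its exit status, so if the perl script is missing, DNS fails, or the plugin prints something unexpected, `output` is empty, all three counters are zero and nothing is mailed — the one condition where an expiry monitor must shout is the one that stays silent. `grep -ic "OK"` also counts any line containing "ok" case-insensitively. Nagios-style plugins conventionally exit 0/1/2/3 for OK/WARNING/CRITICAL/UNKNOWN; assuming check_zone_rrsig_expiration follows that (please confirm), branching on the return code and mailing on anything unexpected is more robust.
```sh
output=$(perl "$SIGCHECK_BIN" -Z "${ZONE}" -W "$WARNDAYS" 2>&1)
rc=$?
case "$rc" in
  0) printf '%s\n' "${output}" ;;
  1) printf '%s\n' "${output}" | mail -s "[DNSSEC] WARNING: RRSIG will expire soon" "$REPORTMAIL" ;;
  2) printf '%s\n' "${output}" | mail -s "[DNSSEC] CRITICAL: RRSIG must be changed" "$REPORTMAIL" ;;
  *) printf '%s\n' "${output}" | mail -s "[DNSSEC] UNKNOWN: check failed (rc=${rc})" "$REPORTMAIL" ;;
esac
```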

@ -0,0 +1,17 @@
.bash*
.zsh*
.histfile
.profile
.selected_editor
.procmail*
.mcabber
.nano
.ssh
.cache
.local
.w3m
.sendmail-gpg.conf
*.setup
git-repos
gitrepos-public
public
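Review bot: `.ssh` is excluded but `.gnupg` is not, so the daily `rsync -aHAX ... :~/ /home/{{ admin_user }}` pulls the primary's whole GnuPG home — secret keyring, the `passphrase` file and the agent socket files — over the copy that the adminuser role installs locally, and any local key material is replaced by whatever the primary holds. Unless that replication is intentional, add `.gnupg` to this list (and probably `.gnupg/` socket files at minimum). If it is intentional, a comment saying so would stop the next reader from "fixing" it.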

@ -0,0 +1 @@
../../../../inventory/files/ssh/id_rsa_sync_admin_user
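Review bot: This symlink routes the role to `inventory/files/ssh/id_rsa_sync_admin_user`, which by its name is an SSH private key; if that file is tracked in the clear, every reader of the repository holds the credential that the sync cron jobs use to reach the primary server. Keep the key vault-encrypted (`ansible-vault encrypt inventory/files/ssh/id_rsa_sync_admin_user`; `ansible.builtin.copy` decrypts a vaulted `src` transparently) or generate it on the host and only distribute the public half. I cannot see the target file here, so this is a check rather than a confirmed leak.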

@ -0,0 +1 @@
../../../../inventory/files/ssh/id_rsa_sync_admin_user.pub

@ -0,0 +1,5 @@
---
dependencies:
# needed:
- role: adminuser
# bundled:

@ -0,0 +1,20 @@
---
# - name: Search for primary servers SSH host keys
# ansible.builtin.command:
# cmd: "ssh-keygen -f /home/{{ admin_user }}/.ssh/known_hosts -F {{ v[0].name }}"
# become: yes
# register: check_key
# ignore_errors: yes
# changed_when: check_key.rc != 0
- name: Edit ssh known_hosts file
ansible.builtin.lineinfile:
path: /home/{{ admin_user }}/.ssh/known_hosts
regexp: '^{{ v[0].name }} {{ v[1].type }}'
line: '{{ v[0].name }} {{ v[1].type }} {{ v[1].data }}'
owner: "{{ admin_user }}"
group: "{{ admin_user }}"
mode: '0644'
create: yes
become: yes
# when: check_key.rc != 0
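Review bot: The ssh config template for the same servers sets `Port {{ ssh_port }}`, and when that port is not 22 OpenSSH looks the host up in known_hosts as `[name]:port`, so the plain `{{ v[0].name }} {{ v[1].type }} {{ v[1].data }}` line written here will not be found and the unattended rsync will be refused with an unknown-host error. If `ssh_port` is ever non-default, write `line: '[{{ v[0].name }}]:{{ ssh_port }} {{ v[1].type }} {{ v[1].data }}'` (and the matching `regexp`) in that case, or verify with `ssh-keygen -F '[name]:port'` that the entry resolves. The dots in `v[0].name` are also unescaped in `regexp`; `{{ v[0].name | regex_escape }}` keeps one host's line from matching another's.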

@ -0,0 +1,70 @@
---
- name: Copy ssh pubkeys for synchronization
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ item.owner }}"
group: "{{ item.group }}"
mode: "{{ item.mode }}"
with_items:
- { src: 'ssh/id_rsa_sync_admin_user.pub', dest: '/home/{{ admin_user }}/.ssh/id_rsa_sync.pub', owner: "{{ admin_user }}", group: "{{ admin_user }}", mode: '0644' }
- name: Copy ssh keys for synchronization
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ item.owner }}"
group: "{{ item.group }}"
mode: "{{ item.mode }}"
with_items:
- { src: 'ssh/id_rsa_sync_admin_user', dest: '/home/{{ admin_user }}/.ssh/id_rsa_sync', owner: "{{ admin_user }}", group: "{{ admin_user }}", mode: '0600' }
- name: Copy ssh config file
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ item.owner }}"
group: "{{ item.group }}"
mode: "{{ item.mode }}"
with_items:
- { src: 'ssh/config.j2', dest: '/home/{{ admin_user }}/.ssh/config', owner: "{{ admin_user }}", group: "{{ admin_user }}", mode: '0644' }
# - { src: 'ssh/known_hosts.j2', dest: '/home/{{ admin_user }}/.ssh/known_hosts', owner: "{{ admin_user }}", group: "{{ admin_user }}", mode: '0600' }
- name: Add primary servers keys to known_hosts file
ansible.builtin.include_tasks: known_hosts.yaml
vars:
v: "{{ item }}"
loop: "{{ primary_servers | subelements('hostkeys') }}"
no_log: true
- name: Copy rsync config for users
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ item.owner }}"
group: "{{ item.group }}"
mode: "{{ item.mode }}"
with_items:
- { src: 'ExclusionRSync_admin_user', dest: '/home/{{ admin_user }}/ExclusionRSync', owner: "{{ admin_user }}", group: "{{ admin_user }}", mode: '0644' }
- name: Make cron sync admin user home every day
ansible.builtin.cron:
name: sync admin user home every day
minute: "00"
hour: "01"
day: "*"
user: "{{ admin_user }}"
job: "rsync -aHAX --exclude-from=ExclusionRSync {{ admin_user }}@{{ primary_server }}:~/ /home/{{ admin_user }}"
# contains an e-mail address
no_log: true
- name: Make cron sync admin user public dir every day
ansible.builtin.cron:
name: sync admin user public dir every day
minute: "15"
hour: "01"
day: "*"
user: "{{ admin_user }}"
job: "rsync -aHAX --exclude-from=ExclusionRSync {{ admin_user }}@{{ primary_server }}:~/public/ /home/{{ admin_user }}/public"
# contains an e-mail address
no_log: true
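Review bot: The "Copy ssh keys for synchronization" task installs a private key with `ansible.builtin.copy` and no `no_log`/`diff: false`, so a run in `--diff` or verbose mode prints the key material into the console and any log shipping; the two cron tasks, by contrast, carry `no_log: true` with a comment about an e-mail address although the job lines only contain `{{ admin_user }}@{{ primary_server }}`, which is an ssh target, not an address. Move `no_log: true` to the private-key task (and add `diff: false`) and drop it from the cron tasks so their failures stay visible. Consider also `-e 'ssh -o BatchMode=yes -o IdentitiesOnly=yes'` on the rsync lines so a key or host-key problem fails immediately rather than depending on the ssh config being present.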

@ -0,0 +1,17 @@
.bash*
.zsh*
.histfile
.profile
.selected_editor
.procmail*
.mcabber
.nano
.ssh
.cache
.local
.w3m
.sendmail-gpg.conf
*.setup
git-repos
{{ git_subdir_prefix }}-public
public

@ -0,0 +1,9 @@
#VerifyHostKeyDNS yes
#VerifyHostKeyDNS ask
{% for server in primary_servers %}
Host {{ server.name }}
HostName {{ server.name }}
Port {{ ssh_port }}
IdentityFile ~/.ssh/id_rsa_sync
{% endfor %}
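Review bot: The per-server stanza pins only the port and identity; for a key used solely by unattended cron jobs it should also refuse to fall back to other keys or to interactive prompts, so add `IdentitiesOnly yes`, `BatchMode yes` and `StrictHostKeyChecking yes` under each `Host {{ server.name }}` block. Without `IdentitiesOnly`, ssh will also offer every key the agent holds, which leaks key fingerprints to the primary and can trip MaxAuthTries. The two commented `VerifyHostKeyDNS` lines document an alternative that is not in effect; either enable one deliberately or drop them.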

@ -0,0 +1,5 @@
{% for server in primary_servers %}
{% for key in server.hostkeys %}
{{ server.name }} {{ key.type }} {{ key.data }}
{% endfor %}
{% endfor %}

@ -0,0 +1 @@
alias pass-ansible="PASSWORD_STORE_DIR=${HOME}/git/pass-ansible pass"

@ -0,0 +1,6 @@
source /usr/share/bash-completion/completions/pass
_pass-ansible(){
PASSWORD_STORE_DIR=${HOME}/git/pass-ansible _pass
}
complete -o filenames -o nospace -F _pass-ansible pass-ansible
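Review bot: `source /usr/share/bash-completion/completions/pass` runs unconditionally at every interactive shell start, so on a host where `pass` is not installed each login prints an error and the rest of the file is skipped. Guard it: `[ -r /usr/share/bash-completion/completions/pass ] && . /usr/share/bash-completion/completions/pass || return 0`. The same file appears again later in this commit under another role; keeping a single copy would avoid the two drifting apart.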

@ -0,0 +1,116 @@
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples
# If not running interactively, don't do anything
case $- in
*i*) ;;
*) return;;
esac
# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth
# append to the history file, don't overwrite it
shopt -s histappend
# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=1000
HISTFILESIZE=2000
# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize
# If set, the pattern "**" used in a pathname expansion context will
# match all files and zero or more directories and subdirectories.
#shopt -s globstar
# make less more friendly for non-text input files, see lesspipe(1)
#[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
debian_chroot=$(cat /etc/debian_chroot)
fi
# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
xterm-color|*-256color) color_prompt=yes;;
esac
# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes
if [ -n "$force_color_prompt" ]; then
if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
# We have color support; assume it's compliant with Ecma-48
# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
# a case would tend to support setf rather than setaf.)
color_prompt=yes
else
color_prompt=
fi
fi
if [ "$color_prompt" = yes ]; then
PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt
# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
;;
*)
;;
esac
# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
alias ls='ls --color=auto'
#alias dir='dir --color=auto'
#alias vdir='vdir --color=auto'
#alias grep='grep --color=auto'
#alias fgrep='fgrep --color=auto'
#alias egrep='egrep --color=auto'
fi
# colored GCC warnings and errors
#export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'
# some more ls aliases
#alias ll='ls -l'
#alias la='ls -A'
#alias l='ls -CF'
# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.
if [ -f ~/.bash_aliases ]; then
. ~/.bash_aliases
fi
# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
# Infra project stuff
export CONFIGS_DIR=${HOME}/git/configs

@ -0,0 +1 @@
allow-preset-passphrase
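Review bot: `allow-preset-passphrase` on its own only permits the preset; gpg-agent still evicts a preset passphrase when `max-cache-ttl` (default two hours) elapses, so anything unattended that relies on the preset from the helper script will start failing or prompting after that window. If unattended use is the goal, set `max-cache-ttl` (and `default-cache-ttl`) explicitly here and document the trade-off in a comment, since for that period the key is usable by anyone who can talk to the agent socket as this user. If the two-hour limit is intended as the safety net, say so in a comment so the behaviour is not mistaken for a bug.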

@ -0,0 +1 @@
../../../../inventory/files/ssh/id_rsa_adminuser_ov2
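Review bot: The only task that would consume `id_rsa_adminuser_ov2` is commented out in the adminuser task file, so this symlink pulls what is by name an SSH private key into the role's files for nothing. Remove the link (and the commented task) rather than leave a dormant path to a credential, or, if the key is meant to be deployed later, vault-encrypt the target first. I cannot see the target, so whether it is stored in the clear is something to check.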

@ -0,0 +1 @@
../../../../inventory/files/ssh/id_rsa_adminuser_ov2.pub

@ -0,0 +1,4 @@
# global options
set-option -g history-limit 5000
#session
new-session -s configs -c ~/git/configs

@ -0,0 +1 @@
../../../../../inventory/files/gpg/pub/onalyrg@ov2-26E4803AC2FC6F01C94CDD5E2571294CF26A8841.pub.asc

@ -0,0 +1 @@
../../../../../inventory/files/gpg/sec/onalyrg@ov2-26E4803AC2FC6F01C94CDD5E2571294CF26A8841.key.asc
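Review bot: This links the exported secret OpenPGP key into the role, and the sibling `.key.pass` symlink links its passphrase next to it, so whoever can read `inventory/files/gpg/sec/` has both halves and the passphrase gives no protection at rest. If those files are not vault-encrypted, run `ansible-vault encrypt` on them — `ansible.builtin.copy` decrypts vaulted `src` files transparently, so the tasks need no change — and make sure `*.key.asc` / `*.key.pass` are covered by whatever keeps secrets out of the tree. I cannot see the targets from here, so treat this as a check rather than a confirmed finding.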

@ -0,0 +1 @@
../../../../../inventory/files/gpg/sec/onalyrg@ov2-26E4803AC2FC6F01C94CDD5E2571294CF26A8841.key.pass

@ -0,0 +1 @@
../../../../../inventory/files/gpg/sec/onalyrg@ov2-26E4803AC2FC6F01C94CDD5E2571294CF26A8841.otrust

@ -0,0 +1 @@
../../../inventory/files/ssh

@ -0,0 +1,15 @@
---
- name: Restart foo daemon
ansible.builtin.service:
name: foo
state: restarted
become: yes
listen: "restart_foo"
- name: Reload foo
ansible.builtin.service:
name: foo
state: reloaded
become: yes
listen: "reload_foo"
when: ansible_facts['os_family'] == "Debian"
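Review bot: Both handlers act on a service literally named `foo` (`restart_foo`, `reload_foo`), which reads as scaffolding copied into a real role; nothing in this commit notifies either handler, and a stray `notify: reload_foo` later would fail on a missing unit. Replace them with the service this role actually manages, or delete the file if the role has no handlers. If they are intentionally a template for future roles, a one-line comment at the top saying so would avoid the confusion.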

@ -0,0 +1,9 @@
---
dependencies:
# needed:
- role: package_manager
# for the rsync package:
- role: base
- role: git_client
- role: ansible_base
# bundled:

@ -0,0 +1,165 @@
---
- name: Set SSH pubkeys and dotfiles for admin user
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ admin_user }}"
group: "{{ admin_user }}"
mode: "{{ item.mode }}"
with_items:
# - { src: 'adminuser/id_rsa_adminuser_ov2.pub', dest: '/home/{{ admin_user }}/.ssh/id_rsa.pub', mode: '0644' }
- { src: 'adminuser/user_tmux.conf', dest: '/home/{{ admin_user }}/.tmux.conf', mode: '0644' }
- { src: 'adminuser/bashrc', dest: '/home/{{ admin_user }}/.bashrc', mode: '0644' }
- { src: 'adminuser/bash_aliases', dest: '/home/{{ admin_user }}/.bash_aliases', mode: '0644' }
- { src: 'adminuser/bash_completion', dest: '/home/{{ admin_user }}/.bash_completion', mode: '0644' }
# - name: Set SSH keys for admin user
# ansible.builtin.copy:
# src: "{{ item.src }}"
# dest: "{{ item.dest }}"
# owner: "{{ admin_user }}"
# group: "{{ admin_user }}"
# mode: "{{ item.mode }}"
# with_items:
# # - { src: 'adminuser/id_rsa_adminuser_ov2', dest: '/home/{{ admin_user }}/.ssh/id_rsa', mode: '0600' }
- name: Create git directory with proper permissions
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
owner: "{{ item.owner }}"
group: "{{ item.group }}"
mode: '0775'
with_items:
- { path: '/home/{{ admin_user }}/git', owner: "{{ admin_user }}", group: "{{ admin_user }}" }
# - name: Search for git_server SSH host key
# ansible.builtin.command:
# cmd: "ssh-keygen -f /home/{{ admin_user }}/.ssh/known_hosts -F {{ git_server_4.name }}.{{ zone }}"
# register: check_key
# ignore_errors: yes
# changed_when: check_key.rc != 0
- name: Add git_server SSH host key if absent
ansible.builtin.lineinfile:
path: "/home/{{ admin_user }}/.ssh/known_hosts"
owner: "{{ admin_user }}"
group: "{{ admin_user }}"
mode: '0644'
line: "{{ git_servers[0].name }} {{ git_servers[0].hostkeys[0].type }} {{ git_servers[0].hostkeys[0].data }}"
create: yes
# when: check_key.rc != 0
- name: Init gnupg homedir
ansible.builtin.command:
cmd: "gpg --batch --list-keys"
creates: "{{ item.creates }}"
with_items:
- { creates: "/home/{{ admin_user }}/.gnupg/pubring.kbx" }
- { creates: "/home/{{ admin_user }}/.gnupg/trustdb.gpg" }
- name: Set gpg-agent config for admin user
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ admin_user }}"
group: "{{ admin_user }}"
mode: "{{ item.mode }}"
with_items:
- { src: 'adminuser/gpg-agent.conf', dest: '/home/{{ admin_user }}/.gnupg/gpg-agent.conf', mode: '0644' }
- name: Create revocs dir
ansible.builtin.file:
path: "/home/{{ admin_user }}/.gnupg/openpgp-revocs.d"
state: directory
owner: "{{ admin_user }}"
group: "{{ admin_user }}"
mode: '0700'
- name: Copy gpg pubkey
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ admin_user }}"
group: "{{ admin_user }}"
mode: "{{ item.mode }}"
with_items:
- { src: 'gpg/pub/{{ ov2admin_user_keyfile }}.pub.asc', dest: '/home/{{ admin_user }}/.gnupg/{{ ov2admin_user_keyfile }}.pub.asc', mode: '0644' }
- name: Copy gpg key and gpg passphrase
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ admin_user }}"
group: "{{ admin_user }}"
mode: "{{ item.mode }}"
with_items:
- { src: 'gpg/sec/{{ ov2admin_user_keyfile }}.key.asc', dest: '/home/{{ admin_user }}/.gnupg/{{ ov2admin_user_keyfile }}.key.asc', mode: '0400' }
# - { src: 'gpg/sec/{{ ov2admin_user_keyfile }}.rev.asc', dest: '/home/{{ admin_user }}/.gnupg/openpgp-revocs.d/{{ ov2admin_user_keyfile }}.rev.asc', mode: '0400' }
- { src: 'gpg/sec/{{ ov2admin_user_keyfile }}.key.pass', dest: '/home/{{ admin_user }}/.gnupg/passphrase', mode: '0400' }
- { src: 'gpg/sec/{{ ov2admin_user_keyfile }}.otrust', dest: '/home/{{ admin_user }}/.gnupg/otrust.lst', mode: '0400' }
no_log: true
- name: Check admin_user public key presence
ansible.builtin.command:
cmd: "gpg --batch --list-key {{ ov2admin_user_key }}"
register: check_pubkey
# changed_when: "check_pubkey.stderr is search('gpg: error reading key: No public key')"
changed_when: "check_pubkey.stderr.find('gpg: error reading key: No public key') != -1"
# changed_when: "check_pubkey.stderr == 'gpg: error reading key: No public key'"
ignore_errors: yes
- name: Import admin_user public key
ansible.builtin.command:
cmd: "gpg --batch --import /home/{{ admin_user }}/.gnupg/{{ ov2admin_user_keyfile }}.pub.asc"
# when: "check_pubkey.stderr is search('gpg: error reading key: No public key')"
when: "check_pubkey.stderr.find('gpg: error reading key: No public key') != -1"
changed_when: "check_pubkey.stderr.find('gpg: error reading key: No public key') != -1"
# when: "check_pubkey.stderr == 'gpg: error reading key: No public key'"
- name: Check admin_user private key presence
ansible.builtin.command:
cmd: "gpg --batch --list-secret-keys {{ ov2admin_user_key }}"
register: check_privkey
# changed_when: "check_privkey.stderr is search('gpg: error reading key: No secret key')"
changed_when: "check_privkey.stderr.find('gpg: error reading key: No secret key') != -1"
# changed_when: "check_privkey.stderr == 'gpg: error reading key: No secret key'"
ignore_errors: yes
- name: Import admin_user private key
ansible.builtin.command:
cmd: "gpg --batch --passphrase-file /home/{{ admin_user }}/.gnupg/passphrase --pinentry-mode loopback --import /home/{{ admin_user }}/.gnupg/{{ ov2admin_user_keyfile }}.key.asc"
# when: "check_privkey.stderr is search('gpg: error reading key: No secret key')"
when: "check_privkey.stderr.find('gpg: error reading key: No secret key') != -1"
changed_when: "check_privkey.stderr.find('gpg: error reading key: No secret key') != -1"
# when: "check_privkey.stderr == 'gpg: error reading key: No secret key'"
- name: Check admin_user private key trust
ansible.builtin.command:
cmd: "gpg --batch --list-secret-keys --with-colons {{ ov2admin_user_key }}"
register: check_trust
changed_when: check_trust.stdout.find('sec:u:') == -1
ignore_errors: yes
- name: Set admin_user private key trust
ansible.builtin.command:
cmd: "gpg --batch --import-ownertrust /home/{{ admin_user }}/.gnupg/otrust.lst"
changed_when: check_trust.stdout.find('sec:u:') == -1
## Do this by hand only
# - name: Clone git repo configs for admin user
# ansible.builtin.command:
# cmd: "git clone --recursive {{ configs_repo_url }} /home/{{ admin_user }}/git/configs"
# creates: /home/{{ admin_user }}/git/configs
# - name: Clone git repo pass-ansible for admin user
# command:
# cmd: "git clone {{ passansible_repo_url }} /home/{{ admin_user }}/git/pass-ansible"
# creates: /home/{{ admin_user }}/git/pass-ansible
# If you want to use this with pass:
# gpg -k --with-keygrip #(to get the keygrip of the key)
# /usr/lib/gnupg2/gpg-preset-passphrase --preset -v D9B6F182EE25485EB004D95B47A39A77AFAF1159
# (and enter the passphrase on the next line)
# or
# /usr/lib/gnupg2/gpg-preset-passphrase --preset -v --passphrase '******' D9B6F182EE25485EB004D95B47A39A77AFAF1159
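Review bot: The three gpg "Check ..." tasks use `ignore_errors: yes`, so any failure other than the expected "No public key"/"No secret key" (agent not running, unreadable homedir, wrong `GNUPGHOME`) is swallowed, the `when:` on the import tasks evaluates false, and the play reports success with no key installed; replace the blanket ignore with `failed_when: check_pubkey.rc != 0 and 'No public key' not in check_pubkey.stderr` (and the secret-key equivalent). All the `gpg` commands also run as the connection user while `creates:` and the file paths point at `/home/{{ admin_user }}`; unless the play always connects as that user, add `become: yes` and `become_user: "{{ admin_user }}"` so the keyring that is checked is the one that is populated. Finally, the trailing comment advertises `--passphrase '******'` on the command line, which exposes the passphrase through `ps` and shell history; point readers at the stdin form instead.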

@ -0,0 +1,6 @@
---
- name: Regen aliases
ansible.builtin.command:
cmd: newaliases
become: yes
listen: "new_aliases"

@ -0,0 +1,5 @@
---
dependencies:
# needed:
- role: smtp_base
# bundled:

@ -0,0 +1,9 @@
---
- name: Insert root alias
ansible.builtin.lineinfile:
path: /etc/aliases
regexp: '^root:'
line: 'root: {{ admin_mail }}'
backup: yes
become: yes
notify: new_aliases

@ -0,0 +1,16 @@
#!/bin/sh
PASSFILE=~/.gnupg/passphrase
KGRP=5E3624B66B97FF9D41315CE0CDBBA3C17E18E46C;
if [ -r "$PASSFILE" ]; then
P=$(cat ~/.gnupg/passphrase);
else
printf '%s' "Enter passphrase: "
read -s P
fi
printf '%s\n' "* /usr/lib/gnupg2/gpg-preset-passphrase --preset --passphrase ****** ${KGRP}" >&2
/usr/lib/gnupg2/gpg-preset-passphrase --preset --passphrase "${P}" "${KGRP}"
printf '%s\n' "* gpg-connect-agent \"KEYINFO ${KGRP}\" /bye"
gpg-connect-agent "KEYINFO ${KGRP}" /bye
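Review bot: The passphrase is handed to `gpg-preset-passphrase --passphrase "${P}"` as an argument, so for the lifetime of that process it is readable by every local user via `ps`/`/proc`; the man page states the passphrase is read from stdin when `--passphrase` is omitted, so pipe it instead. The interactive branch is also broken under `#!/bin/sh`: `read -s` is a bash extension that dash rejects, so on Debian the prompt path errors out (and would echo the secret if it did not). `$PASSFILE` is defined but the `cat` reads the literal path, `KGRP=...;` carries a stray semicolon, and `P` is never cleared.
```sh
#!/bin/sh
PASSFILE=~/.gnupg/passphrase
KGRP=5E3624B66B97FF9D41315CE0CDBBA3C17E18E46C
if [ -r "$PASSFILE" ]; then
  P=$(cat "$PASSFILE")
else
  printf '%s' "Enter passphrase: " >&2
  stty -echo; read -r P; stty echo; printf '\n' >&2
fi
printf '%s\n' "* gpg-preset-passphrase --preset ${KGRP} (passphrase via stdin)" >&2
printf '%s\n' "$P" | /usr/lib/gnupg2/gpg-preset-passphrase --preset "${KGRP}"
unset P
# … unchanged: KEYINFO query via gpg-connect-agent …
```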

@ -0,0 +1 @@
alias pass-ansible="PASSWORD_STORE_DIR=${HOME}/git/pass-ansible pass"

@ -0,0 +1,6 @@
source /usr/share/bash-completion/completions/pass
_pass-ansible(){
PASSWORD_STORE_DIR=${HOME}/git/pass-ansible _pass
}
complete -o filenames -o nospace -F _pass-ansible pass-ansible

@ -0,0 +1,116 @@
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples
# If not running interactively, don't do anything
case $- in
*i*) ;;
*) return;;
esac
# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth
# append to the history file, don't overwrite it
shopt -s histappend
# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=1000
HISTFILESIZE=2000
# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize
# If set, the pattern "**" used in a pathname expansion context will
# match all files and zero or more directories and subdirectories.
#shopt -s globstar
# make less more friendly for non-text input files, see lesspipe(1)
#[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
debian_chroot=$(cat /etc/debian_chroot)
fi
# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
xterm-color|*-256color) color_prompt=yes;;
esac
# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes
if [ -n "$force_color_prompt" ]; then
if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
# We have color support; assume it's compliant with Ecma-48
# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
# a case would tend to support setf rather than setaf.)
color_prompt=yes
else
color_prompt=
fi
fi
if [ "$color_prompt" = yes ]; then
PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt
# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
;;
*)
;;
esac
# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
alias ls='ls --color=auto'
#alias dir='dir --color=auto'
#alias vdir='vdir --color=auto'
#alias grep='grep --color=auto'
#alias fgrep='fgrep --color=auto'
#alias egrep='egrep --color=auto'
fi
# colored GCC warnings and errors
#export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'
# some more ls aliases
#alias ll='ls -l'
#alias la='ls -A'
#alias l='ls -CF'
# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.
if [ -f ~/.bash_aliases ]; then
. ~/.bash_aliases
fi
# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
# Infra project stuff
export CONFIGS_DIR=${HOME}/git/configs


@ -0,0 +1,23 @@
#!/bin/bash
# Usage: ./gnupg-load-key.sh $GPGID
usage() {
printf '%s\n' "Usage: $0 <GPGID>"
}
if [ $# -lt 1 ]; then
usage && exit 1
fi
KEY_ID="$1"
printf '%s\n' "* gpg -k --with-colons --with-keygrip $KEY_ID | grep -A2 '^sub:.*:.*:.*:.*:.*:.*:.*:.*:.*:.*:e' | grep '^grp:' | cut -d':' -f 10" >&2
KEYGRIP=$(gpg -k --with-colons --with-keygrip $KEY_ID | grep -A2 '^sub:.*:.*:.*:.*:.*:.*:.*:.*:.*:.*:e' | grep '^grp:' | cut -d':' -f 10)
printf '%s\n' "KEYGRIP: $KEYGRIP" >&2
printf '%s' "Enter passphrase: "
read -s P
printf '\n'
printf '%s\n' "* /usr/lib/gnupg2/gpg-preset-passphrase --preset --passphrase ****** ${KEYGRIP}" >&2
/usr/lib/gnupg2/gpg-preset-passphrase --preset --passphrase "${P}" "${KEYGRIP}"
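Review bot: The passphrase read by `read -s P` is passed to gpg-preset-passphrase as a command-line argument, so for the lifetime of that process it is readable by every local user through `ps`/`/proc/<pid>/cmdline`; the tool reads the passphrase from stdin when `--passphrase` is omitted, so the last line should become `printf '%s\n' "$P" | /usr/lib/gnupg2/gpg-preset-passphrase --preset "${KEYGRIP}"`. The keygrip lookup can also yield more than one line when the key has several encryption-capable subkeys (`grep -A2` is applied to every matching `sub:` record), which would hand a multi-line string to the call; a `| head -n1` or an explicit check that `$KEYGRIP` is a single 40-hex-character token would make that case visible. `$KEY_ID` is unquoted in both the echoed and the executed pipeline.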


@ -0,0 +1,8 @@
allow-preset-passphrase
#default-cache-ttl 600
default-cache-ttl 86400
#max-cache-ttl 7200
#max-cache-ttl 86400 # 1day
#max-cache-ttl 2592000 # 1month
max-cache-ttl 5184000 # 2month
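Review bot: `max-cache-ttl 5184000` keeps the decrypted private key resident in gpg-agent for two months, and with `allow-preset-passphrase` plus the passphrase file that this role's tasks drop next to the key in `~/.gnupg/passphrase`, the cache TTL is not a security boundary at all — anyone who can read that home directory can unlock the key regardless of TTL. That trade-off is reasonable for an unattended automation user but should be stated in the file, e.g. `# long TTLs are a convenience for unattended runs; the key is protected by filesystem permissions on ~/.gnupg, not by this cache`. The trailing `# 2month` comments on the option lines are worth moving to their own lines: GnuPG documents `#` comments only at the start of a line, and whether trailing text after a numeric value is ignored or rejected is not a documented guarantee.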
#max-cache-ttl 31536000 # 1year


@ -0,0 +1 @@
../../../../inventory/files/ssh/id_rsa_ansible


@ -0,0 +1 @@
../../../../inventory/files/ssh/id_rsa_ansible.pub


@ -0,0 +1,4 @@
# global options
set-option -g history-limit 4000
#session
new-session -s configs -c ~/git/configs


@ -0,0 +1 @@
../../../../../inventory/files/gpg/pub/ansible@rhizogen.es.eu.org-4D8FE2E32F2D86F3CBB5C702E6F20D2D43E259F6.pub.asc


@ -0,0 +1 @@
../../../../../inventory/files/gpg/sec/ansible@rhizogen.es.eu.org-4D8FE2E32F2D86F3CBB5C702E6F20D2D43E259F6.key.asc


@ -0,0 +1 @@
../../../../../inventory/files/gpg/sec/ansible@rhizogen.es.eu.org-4D8FE2E32F2D86F3CBB5C702E6F20D2D43E259F6.key.pass

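--- a/roles/ansible/files/playbook.sh
+++ b/roles/ansible/files/playbook.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+if [ $# -ge 1 ]; then
+MACHINE="$1"
+shift 1
+else
+printf "%s\n" "USAGE: $0 machine_fqdn [ansible-playbook_options]"
+exit 1;
+fi;
+BIN_GIT='/usr/bin/git'
+BIN_ANSIBLE='/usr/bin/ansible-playbook'
+BRANCH="master"
+configs_dir="${CONFIGS_DIR:-${HOME}/git/configs}"
+if [ -d "${configs_dir}" ]; then
+printf "%s\n" "* cd ${configs_dir}"
+cd "${configs_dir}"
+# reset to match upstream (e.g. in case of local changes and/or diverging histories)
+printf "%s\n" "* $BIN_GIT reset --hard @{u}"
+$BIN_GIT reset --hard @{u}
+# make sure we're in master branch
+printf "%s\n" "* $BIN_GIT checkout master"
+$BIN_GIT checkout master
+# pull the changes
+printf "%s\n" "* $BIN_GIT pull"
+$BIN_GIT pull
+# keep branch list up-to-date
+printf "%s\n" "* $BIN_GIT fetch --all --prune"
+$BIN_GIT fetch --all --prune
+elif [ -e "${configs_dir}" ]; then
+printf "%s\n" "ERROR: Destination ${configs_dir} already exists and is not a dir. Exiting."
+exit 2;
+else
+# clone the branch we want
+printf "%s\n" "* $BIN_GIT clone ${CLONE_URL} ${configs_dir}"
+$BIN_GIT clone "${CLONE_URL}" "${configs_dir}"
+printf "%s\n" "* cd ${configs_dir}"
+cd "${configs_dir}"
+fi
+# run the playbook
+# DO *NOT* use ANSIBLE_SSH_CONTROL_PATH on playbooks targeting several hosts
+# curdate=$(date '+%s')
+# cpname=$(printf '%s\n' "${0}-${BRANCH}-${MACHINE}-${curdate}" | shasum | cut -d' ' -f1)
+# controlpath=~/.ansible/cp/"${cpname}"
+# printf "%s\n" "* ANSIBLE_SSH_CONTROL_PATH=${controlpath} $BIN_ANSIBLE [...] --diff $@ ${configs_dir}/${MACHINE}.yaml"
+# ANSIBLE_SSH_CONTROL_PATH="${controlpath}" $BIN_ANSIBLE --ask-vault-pass -i "${configs_dir}"/inventory/hosts --diff "$@" "${configs_dir}"/"${MACHINE}".yaml
+printf "%s\n" "* $BIN_ANSIBLE [...] --diff $@ ${configs_dir}/${MACHINE}.yaml"
+$BIN_ANSIBLE --ask-vault-pass -i "${configs_dir}"/inventory/hosts --diff "$@" "${configs_dir}"/"${MACHINE}".yaml
+printf '%s\n' "Killing control connection: ssh ${MACHINE} -o ControlPath=${controlpath} -O stop"
+# ssh ${MACHINE} -o ControlPath=${controlpath} -O stop
+printf "%s\n" "$0 done."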
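Review bot: No failure of the git sync is checked before the playbook is executed: if `cd`, `git reset --hard @{u}`, `git checkout master` or `git pull` fails (offline box, detached HEAD, no upstream), the script still runs `ansible-playbook` with become against whatever tree happens to be there, and in the clone branch `CLONE_URL` is never set in the script, so an unset environment leaves `git clone "" …` failing and the `cd` silently failing too. The pulled history is also executed without any check on what was fetched; since this repository's commits are GPG-signed, a `git verify-commit HEAD` gate after the pull would tie execution to signed commits, assuming signing is enforced on the server side (to be confirmed). `BRANCH` is defined but the checkout hard-codes `master`, and the "Killing control connection" message prints an unset `${controlpath}` since the ControlPath block is commented out.
```shell
# … unchanged: usage check, BIN_* and BRANCH definitions …
configs_dir="${CONFIGS_DIR:-${HOME}/git/configs}"
if [ -d "${configs_dir}" ]; then
cd "${configs_dir}" || exit 2
$BIN_GIT reset --hard @{u} && $BIN_GIT checkout "${BRANCH}" && $BIN_GIT pull \
  || { printf '%s\n' "ERROR: git sync failed, not running the playbook." >&2; exit 3; }
$BIN_GIT fetch --all --prune
elif [ -e "${configs_dir}" ]; then
# … unchanged: not-a-directory error …
else
: "${CLONE_URL:?CLONE_URL must be set (e.g. via /etc/profile.d/ansible_configs.sh)}"
$BIN_GIT clone "${CLONE_URL}" "${configs_dir}" && cd "${configs_dir}" || exit 2
fi
# refuse to run history that is not signed by a trusted key (requires enforced commit signing)
$BIN_GIT verify-commit HEAD || { printf '%s\n' "ERROR: HEAD is not signed by a trusted key." >&2; exit 4; }
# … unchanged: ansible-playbook invocation (drop the stale controlpath message) …
```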

roles/ansible/files/ssh Symbolic link

@ -0,0 +1 @@
../../../inventory/files/ssh


@ -0,0 +1,15 @@
---
- name: Restart foo daemon
ansible.builtin.service:
name: foo
state: restarted
become: yes
listen: "restart_foo"
- name: Reload foo
ansible.builtin.service:
name: foo
state: reloaded
become: yes
listen: "reload_foo"
when: ansible_facts['os_family'] == "Debian"
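Review bot: Both handlers act on a service literally named `foo` (`name: foo`), which reads as role-skeleton text that was never filled in: any task notifying `restart_foo` or `reload_foo` will fail on a host without such a unit, and if nothing notifies them the file is dead code. Either set the real service name or drop the file; if it is deliberately kept as a template, say so with `# placeholder handlers — replace "foo" with the service this role manages`. The `when:` on the reload handler also means non-Debian hosts get no reload path at all, which deserves a one-line comment if intentional.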


@ -0,0 +1,9 @@
---
dependencies:
# needed:
- role: package_manager
# for the rsync package:
- role: base
- role: git_client
- role: ansible_base
# bundled:


@ -0,0 +1,245 @@
---
- name: Create group ansible
ansible.builtin.group:
name: "{{ autoansible_user }}"
state: present
become: yes
- name: Create user ansible
ansible.builtin.user:
name: "{{ autoansible_user }}"
group: "{{ autoansible_user }}"
home: "{{ autoansible_user_home }}"
shell: /bin/bash
comment: Ansible
state: present
become: yes
- name: Create .ssh/ directory with proper permissions
ansible.builtin.file:
path: "{{ autoansible_user_home }}/.ssh/"
state: directory
owner: "{{ autoansible_user }}"
group: "{{ autoansible_user }}"
mode: '0700'
become: yes
- name: Insert user ansible alias
ansible.builtin.lineinfile:
path: /etc/aliases
regexp: '^{{ autoansible_user }}:'
line: '{{ autoansible_user }}: root'
backup: yes
become: yes
notify: new_aliases
- name: Configure cron for user ansible
ansible.builtin.cron:
name: MAILTO
env: yes
user: "{{ autoansible_user }}"
# job: "{{ autoansible_user }}+crontab@{{ zone }}"
job: "root+{{ autoansible_user }}-crontab@{{ zone }}"
become: yes
# contains an e-mail address
no_log: true
- name: Copy admin ssh keys for ansible user
ansible.builtin.template:
src: authorized_keys.j2
dest: "{{ autoansible_user_home }}/.ssh/authorized_keys"
owner: "{{ autoansible_user }}"
group: "{{ autoansible_user }}"
mode: '0600'
become: yes
- name: Set env vars for the whole system
ansible.builtin.template:
src: profile.d/ansible_configs.sh.j2
dest: /etc/profile.d/ansible_configs.sh
owner: root
group: root
mode: '0644'
become: yes
- name: Set SSH pubkeys and dotfiles for ansible user
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ autoansible_user }}"
group: "{{ autoansible_user }}"
mode: "{{ item.mode }}"
become: yes
with_items:
- { src: 'ansible/id_rsa_ansible.pub', dest: '{{ autoansible_user_home }}/.ssh/id_rsa.pub', mode: '0644' }
- { src: 'ansible/user_tmux.conf', dest: '{{ autoansible_user_home }}/.tmux.conf', mode: '0644' }
- { src: 'ansible/bashrc', dest: '{{ autoansible_user_home }}/.bashrc', mode: '0644' }
- { src: 'ansible/bash_aliases', dest: '{{ autoansible_user_home }}/.bash_aliases', mode: '0644' }
- { src: 'ansible/bash_completion', dest: '{{ autoansible_user_home }}/.bash_completion', mode: '0644' }
# - { src: 'ansible/gnupg-load-key.sh', dest: '{{ autoansible_user_home }}/gnupg-load-key.sh', mode: '0755' }
- { src: 'ansible/ansible-load-key.sh', dest: '{{ autoansible_user_home }}/ansible-load-key.sh', mode: '0755' }
- name: Set SSH keys for ansible user
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ autoansible_user }}"
group: "{{ autoansible_user }}"
mode: "{{ item.mode }}"
become: yes
with_items:
- { src: 'ansible/id_rsa_ansible', dest: '{{ autoansible_user_home }}/.ssh/id_rsa', mode: '0600' }
no_log: true
- name: Create git directory with proper permissions
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
owner: "{{ item.owner }}"
group: "{{ item.group }}"
mode: '0775'
become: yes
with_items:
- { path: '/var/tmp/ansible/git', owner: 'ansible', group: 'ansible' }
# - { path: '/var/tmp/{{ admin_user }}/git', owner: "{{ admin_user }}", group: "{{ admin_user }}" }
- name: Create link to local repo for ansible
ansible.builtin.file:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
state: "{{ item.state }}"
become: yes
with_items:
- { src: '/var/tmp/ansible/git', dest: '{{ autoansible_user_home }}/git', state: link }
# - { src: '/var/tmp/{{ admin_user }}/git', dest: '/home/{{ admin_user }}/git', state: link }
# - name: Search for git_server SSH host key
# ansible.builtin.command:
# cmd: "ssh-keygen -f {{ autoansible_user_home }}/.ssh/known_hosts -F {{ git_server_4.name }}.{{ zone }}"
# become: yes
# register: check_key
# ignore_errors: yes
# changed_when: check_key.rc != 0
- name: Add git_server SSH host key if absent
ansible.builtin.lineinfile:
path: "{{ autoansible_user_home }}/.ssh/known_hosts"
owner: "{{ autoansible_user }}"
group: "{{ autoansible_user }}"
mode: '0644'
line: "{{ git_servers[0].name }} {{ git_servers[0].hostkeys[0].type }} {{ git_servers[0].hostkeys[0].data }}"
create: yes
become: yes
# when: check_key.rc != 0
- name: Clone git repo configs for ansible user
ansible.builtin.command:
cmd: "su - ansible -c 'git clone --recursive {{ configs_repo_url }} {{ autoansible_user_home }}/git/configs'"
creates: "{{ autoansible_user_home }}/git/configs"
become: yes
- name: Init gnupg homedir
ansible.builtin.command:
cmd: su - "{{ autoansible_user }}" -c "gpg --batch --list-keys"
creates: "{{ item.creates }}"
become: yes
with_items:
- { creates: "{{ autoansible_user_home }}/.gnupg/pubring.kbx" }
- { creates: "{{ autoansible_user_home }}/.gnupg/trustdb.gpg" }
- name: Set gpg-agent config for ansible user
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ autoansible_user }}"
group: "{{ autoansible_user }}"
mode: "{{ item.mode }}"
become: yes
with_items:
- { src: 'ansible/gpg-agent.conf', dest: '{{ autoansible_user_home }}/.gnupg/gpg-agent.conf', mode: '0644' }
- name: Create revocs dir
ansible.builtin.file:
path: "{{ autoansible_user_home }}/.gnupg/openpgp-revocs.d"
state: directory
owner: "{{ autoansible_user }}"
group: "{{ autoansible_user }}"
mode: '0700'
become: yes
- name: Copy gpg pubkey
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ autoansible_user }}"
group: "{{ autoansible_user }}"
mode: "{{ item.mode }}"
become: yes
with_items:
- { src: 'gpg/pub/{{ autoansible_user_keyfile }}.pub.asc', dest: '{{ autoansible_user_home }}/.gnupg/{{ autoansible_user_keyfile }}.pub.asc', mode: '0644' }
- name: Copy gpg key and gpg passphrase
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ autoansible_user }}"
group: "{{ autoansible_user }}"
mode: "{{ item.mode }}"
become: yes
with_items:
- { src: 'gpg/sec/{{ autoansible_user_keyfile }}.key.asc', dest: '{{ autoansible_user_home }}/.gnupg/{{ autoansible_user_keyfile }}.key.asc', mode: '0400' }
# - { src: 'gpg/sec/{{ autoansible_user_keyfile }}.rev.asc', dest: '{{ autoansible_user_home }}/.gnupg/openpgp-revocs.d/{{ autoansible_user_keyfile }}.rev.asc', mode: '0400' }
- { src: 'gpg/sec/{{ autoansible_user_keyfile }}.key.pass', dest: '{{ autoansible_user_home }}/.gnupg/passphrase', mode: '0400' }
# - { src: 'gpg/sec/{{ autoansible_user_keyfile }}.otrust', dest: '{{ autoansible_user_home }}/.gnupg/otrust.lst', mode: '0400' }
no_log: true
- name: Check autoansible_user public key presence
ansible.builtin.command:
cmd: su - "{{ autoansible_user }}" -c "gpg --batch --list-key {{ autoansible_user_key }}"
become: yes
register: check_pubkey
# changed_when: "check_pubkey.stderr is search('gpg: error reading key: No public key')"
changed_when: "check_pubkey.stderr.find('gpg: error reading key: No public key') != -1"
# changed_when: "check_pubkey.stderr == 'gpg: error reading key: No public key'"
ignore_errors: yes
- name: Import autoansible_user public key
ansible.builtin.command:
cmd: su - "{{ autoansible_user }}" -c "gpg --batch --import {{ autoansible_user_home }}/.gnupg/{{ autoansible_user_keyfile }}.pub.asc"
become: yes
# when: "check_pubkey.stderr is search('gpg: error reading key: No public key')"
when: "check_pubkey.stderr.find('gpg: error reading key: No public key') != -1"
changed_when: "check_pubkey.stderr.find('gpg: error reading key: No public key') != -1"
# when: "check_pubkey.stderr == 'gpg: error reading key: No public key'"
- name: Check autoansible_user private key presence
ansible.builtin.command:
cmd: su - "{{ autoansible_user }}" -c "gpg --batch --list-secret-keys {{ autoansible_user_key }}"
become: yes
register: check_privkey
# changed_when: "check_privkey.stderr is search('gpg: error reading key: No secret key')"
changed_when: "check_privkey.stderr.find('gpg: error reading key: No secret key') != -1"
# changed_when: "check_privkey.stderr == 'gpg: error reading key: No secret key'"
ignore_errors: yes
- name: Import autoansible_user private key
ansible.builtin.command:
cmd: su - "{{ autoansible_user }}" -c "gpg --batch --passphrase-file {{ autoansible_user_home }}/.gnupg/passphrase --pinentry-mode loopback --import {{ autoansible_user_home }}/.gnupg/{{ autoansible_user_keyfile }}.key.asc"
become: yes
# when: "check_privkey.stderr is search('gpg: error reading key: No secret key')"
when: "check_privkey.stderr.find('gpg: error reading key: No secret key') != -1"
changed_when: "check_privkey.stderr.find('gpg: error reading key: No secret key') != -1"
# when: "check_privkey.stderr == 'gpg: error reading key: No secret key'"
- name: Clone git repo pass-ansible for ansible user
ansible.builtin.command:
cmd: "su - ansible -c 'git clone {{ passansible_repo_url }} {{ autoansible_user_home }}/git/pass-ansible'"
creates: "{{ autoansible_user_home }}/git/pass-ansible"
become: yes
# If you want to use this with pass:
# gpg -k --with-keygrip #(to get the keygrip of the key)
# /usr/lib/gnupg2/gpg-preset-passphrase --preset -v 5E3624B66B97FF9D41315CE0CDBBA3C17E18E46C
# (and enter the passphrase on the next line)
# or
# /usr/lib/gnupg2/gpg-preset-passphrase --preset -v --passphrase '******' 5E3624B66B97FF9D41315CE0CDBBA3C17E18E46C
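Review bot: The key-presence checks decide `when:` by searching gpg's English stderr text (`'gpg: error reading key: No public key'` / `'No secret key'`), which is locale-dependent: if the ansible user's login shell ends up with a non-English `LANG`, gpg prints a translated message, both import tasks are silently skipped and `ignore_errors: yes` hides that the keys were never imported. Branching on `rc != 0` with `failed_when: false` is locale-proof. The same tasks run `su - ansible -c ...` with a hard-coded user name (as does the `owner: 'ansible'` of `/var/tmp/ansible/git`) while the rest of the role uses `{{ autoansible_user }}`; `become_user` removes both the hard-coding and the interpolation of inventory variables into a shell string. Separately, shipping the same GPG secret key together with its plaintext passphrase (`~/.gnupg/passphrase`) and the same `id_rsa` to every managed host means that the compromise of any one host yields the shared automation identity — acceptable only as an explicit, documented decision, ideally with per-host keys where feasible.
```yaml
# … unchanged: user, ssh, dotfiles, git clone and gpg-agent tasks …
- name: Check autoansible_user public key presence
  ansible.builtin.command:
    cmd: "gpg --batch --list-key {{ autoansible_user_key }}"
  become: true
  become_user: "{{ autoansible_user }}"   # sudo's default -H sets HOME so gpg finds ~/.gnupg
  register: check_pubkey
  changed_when: false
  failed_when: false   # non-zero rc only means "not imported yet"
- name: Import autoansible_user public key
  ansible.builtin.command:
    cmd: "gpg --batch --import {{ autoansible_user_home }}/.gnupg/{{ autoansible_user_keyfile }}.pub.asc"
  become: true
  become_user: "{{ autoansible_user }}"
  when: check_pubkey.rc != 0
# … unchanged: same pattern for the secret key (--list-secret-keys / --import with --passphrase-file) …
```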


@ -0,0 +1,3 @@
{% for key in autoansible_user_authorized_keys %}
{{ key }}
{% endfor %}
