From c27460c47ed8b6af695c6588d9422cacda77c748 Mon Sep 17 00:00:00 2001 From: Ethan Paul Date: Sun, 30 Dec 2018 22:54:33 -0500 Subject: [PATCH] Updates to segregate configs by device class Split cloud VMs out from local VMs in 'cloud' group Generalize networkd install/config Generalize sshd config Create general update playbook Add host vm-host-nextcloud --- groups/cloud.yml | 12 ++++++ hosts/vm-host-nextcloud.yml | 9 +++++ omni.ini | 6 +-- playbooks/dependencies.yml | 1 + playbooks/provision-virtual-machine.yml | 26 +++++++++++++ playbooks/provision.yml | 51 +++++-------------------- playbooks/update-users-local.yml | 6 +++ playbooks/update.yml | 5 +++ tasks/networkd/config.yml | 22 +++++++++++ tasks/networkd/services.yml | 38 ++++++++++++++++++ tasks/sshd/banner.yml | 13 +++++++ tasks/sshd/disable-password-auth.yml | 25 ++++++++++++ vars/users.yml | 6 +++ 13 files changed, 175 insertions(+), 45 deletions(-) create mode 100644 groups/cloud.yml create mode 100644 hosts/vm-host-nextcloud.yml create mode 100644 playbooks/update.yml create mode 100644 tasks/networkd/config.yml create mode 100644 tasks/networkd/services.yml create mode 100644 tasks/sshd/banner.yml create mode 100644 tasks/sshd/disable-password-auth.yml diff --git a/groups/cloud.yml b/groups/cloud.yml new file mode 100644 index 0000000..9d06122 --- /dev/null +++ b/groups/cloud.yml @@ -0,0 +1,12 @@ +--- +enable_gui: False + +enable_ssh: True + +enable_ssh_password_auth: False + +disable_sudo_password: True + +enable_networkd: True + +generate_keys: False diff --git a/hosts/vm-host-nextcloud.yml b/hosts/vm-host-nextcloud.yml new file mode 100644 index 0000000..0f59d7f --- /dev/null +++ b/hosts/vm-host-nextcloud.yml @@ -0,0 +1,9 @@ +--- +description: "Application Host: Nextcloud" + +targets: + - admin + - nextcloud + +networking: + eth0: diff --git a/omni.ini b/omni.ini index 394a9ab..edac538 100644 --- a/omni.ini +++ b/omni.ini 
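Review bot: The booleans in groups/cloud.yml are spelled `True`/`False`, which Ansible's loader accepts under YAML 1.1 but yamllint's truthy rule rejects, and which differs from the lowercase `true`/`false` used in the new task files; write them as `enable_ssh_password_auth: false` and so on. `disable_sudo_password: True` together with key-only SSH means a compromised user key on a cloud host is root with no second credential; if that is the intended trade-off for unattended automation, a one-line comment above it saying so would help the next reader.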
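Review bot: `eth0:` at the end of hosts/vm-host-nextcloud.yml has no value and therefore parses as null, yet tasks/networkd/config.yml iterates `networking` with `with_dict` and renders network.j2 with `item.value` set to None, which will either fail the template or write an eth0.network file with no address settings. Fill in the interface settings, or write `eth0: {}` explicitly if an empty mapping is the convention for "use template defaults" (I cannot see network.j2, so confirm which it expects).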
@@ -4,15 +4,15 @@ router romulus remus novis -apex [vms] vm-dev-nginx vm-host-gitea vm-host-plex vm-host-bitwarden -vm-db-maria -vm-db-prometheus +vm-host-nextcloud + +[cloud] nimbus-1 [workstations] diff --git a/playbooks/dependencies.yml b/playbooks/dependencies.yml index cf944ad..31b5941 100644 --- a/playbooks/dependencies.yml +++ b/playbooks/dependencies.yml @@ -1,6 +1,7 @@ --- - hosts: all name: Ansible python bindings + tags: always tasks: - import_tasks: tasks/centos/bindings.yml when: ansible_distribution == "CentOS" diff --git a/playbooks/provision-virtual-machine.yml b/playbooks/provision-virtual-machine.yml index e69de29..fe0949f 100644 --- a/playbooks/provision-virtual-machine.yml +++ b/playbooks/provision-virtual-machine.yml @@ -0,0 +1,26 @@ +--- +- hosts: vms + name: Replace NetworkManager with systemd-networkd + tasks: + - name: Install systemd-networkd + when: enable_networkd == true + block: + - import_tasks: tasks/centos/networkd.yml + when: ansible_distribution == "CentOS" + - import_tasks: tasks/fedora/networkd.yml + when: ansible_distribution == "Fedora" + # - import_tasks: common/debian/networkd.yml + # when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu" + + - import_tasks: tasks/networkd/config.yml + - import_tasks: tasks/networkd/services.yml + + +- hosts: vms + name: Install ovirt agent + tasks: + - name: Install ovirt-agent + become: true + yum: + name: ovirt-guest-agent + state: latest diff --git a/playbooks/provision.yml b/playbooks/provision.yml index 96238aa..ceca4d9 100644 --- a/playbooks/provision.yml +++ b/playbooks/provision.yml @@ -4,6 +4,7 @@ - hosts: all name: Init + tags: initialize tasks: - name: Set hostname become: true 
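Review bot: The removal of `apex` from the section above `[vms]` and of `vm-db-maria` and `vm-db-prometheus` from `[vms]` is not mentioned in the commit message, which only describes the cloud split and the nextcloud host. If those hosts are retired, say so in the message; if they were meant to move to the new `[cloud]` group next to `nimbus-1`, they are now in no group and no play will reach them. Their host files are not deleted in the diffstat either, so the inventory and the host definitions may now disagree.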
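Review bot: `when: enable_networkd == true` on the Install systemd-networkd block in playbooks/provision-virtual-machine.yml only behaves as intended when the variable is a real boolean; a value supplied as a string (`-e enable_networkd=true` or a quoted group var) compares unequal and silently skips the install. Use the filter form the commit itself uses in update-users-local.yml: `when: enable_networkd | bool`. Both plays also target `hosts: vms` only, while groups/cloud.yml sets `enable_networkd: True` for the new `[cloud]` group, which nothing in the patch applies; either target `hosts: vms:cloud` or drop the unused variable from cloud.yml. The ovirt-guest-agent task uses `state: latest`, which upgrades the package on every run; `state: present` is the usual choice in a provision playbook.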
@@ -14,26 +15,15 @@ become: true copy: src: bashrc.sh - dest: /etc/profile.d/30-omni-bashrc.sh + dest: /etc/profile.d/global-bashrc.sh mode: 0644 - - name: Install SSH Banner - become: true - template: - src: motd.j2 - dest: /etc/issue.net - mode: 0644 - - - name: Configure SSH banner - become: true - lineinfile: - path: /etc/ssh/sshd_config - regexp: '#Banner none' - line: 'Banner /etc/issue.net' + - import_tasks: tasks/sshd/banner.yml - hosts: all name: System packages + tags: initialize tasks: - name: Load package variables include_vars: @@ -48,33 +38,10 @@ # when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu" -- import_playbook: update-system.yml +#- import_playbook: provision-workstation.yml +#- import_playbook: provision-server.yml +#- import_playbook: provision-hypervisor.yml +- import_playbook: provision-virtual-machine.yml -- hosts: all - name: Replace NetworkManager with systemd-networkd - tasks: - - name: Install systemd-networkd - when: enable_networkd == true - block: - - import_tasks: tasks/centos/networkd.yml - when: ansible_distribution == "CentOS" - - import_tasks: tasks/fedora/networkd.yml - when: ansible_distribution == "Fedora" - # - import_tasks: common/debian/networkd.yml - # when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu" - - - import_tasks: tasks/networkd.yml - - -- import_playbook: update-users-local.yml - - -- hosts: vms - name: Install ovirt agent - tasks: - - name: Install ovirt-agent - become: true - yum: - name: ovirt-guest-agent - state: latest +- import_playbook: update.yml diff --git a/playbooks/update-users-local.yml b/playbooks/update-users-local.yml index 017bfea..4281fb4 100644 --- a/playbooks/update-users-local.yml +++ b/playbooks/update-users-local.yml 
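Review bot: Renaming the profile script's `dest` from `/etc/profile.d/30-omni-bashrc.sh` to `/etc/profile.d/global-bashrc.sh` leaves the old file in place on hosts provisioned before this change, so both scripts are sourced at every login; add a cleanup task before the copy, `- name: Remove old bashrc profile script`, `become: true`, `file: {path: /etc/profile.d/30-omni-bashrc.sh, state: absent}`. `mode: 0644` relies on YAML 1.1 octal parsing; Ansible's docs recommend quoting it as `mode: "0644"`. The enclosing Init play starts outside this hunk.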
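Review bot: dependencies.yml, which installs the Ansible python bindings, is now reached only through the final `- import_playbook: update.yml`, after the Init and System packages plays have already run copy/template/yum on every host; if a fresh host needs those bindings first, as the `tags: always` on that play suggests, move `- import_playbook: update.yml` (or an import of dependencies.yml alone) ahead of the Init play. The three commented-out `import_playbook` lines point at files the patch does not create; a short `# TODO: provision-workstation/server/hypervisor playbooks not yet written` would make the intent clear. The old `tasks/networkd.yml` that the removed play imported is not deleted in the diffstat, so it is probably dead now (I cannot see the tree, so verify).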
@@ -159,3 +159,9 @@ state: directory with_items: - "{{ local_users | difference([None]) }}" + +- hosts: all + name: Disable SSH password authentication + tasks: + - import_tasks: tasks/sshd/disable-password-auth.yml + when: enable_ssh_password_auth|bool == false diff --git a/playbooks/update.yml b/playbooks/update.yml new file mode 100644 index 0000000..08f7b67 --- /dev/null +++ b/playbooks/update.yml @@ -0,0 +1,5 @@ +--- +- import_playbook: dependencies.yml + +- import_playbook: update-system.yml +- import_playbook: update-users-local.yml diff --git a/tasks/networkd/config.yml b/tasks/networkd/config.yml new file mode 100644 index 0000000..92577bb --- /dev/null +++ b/tasks/networkd/config.yml @@ -0,0 +1,22 @@ +--- +# The directory is deleted ahead of creation to ensure that no old configs +# remain after runnign ansible +- name: Delete networkd config directory + become: true + file: + path: /etc/systemd/network + state: absent + +- name: Create the networkd config directory + become: true + file: + path: /etc/systemd/network + state: directory + +- name: Make .network files + when: networking is defined + become: true + template: + src: network.j2 + dest: "/etc/systemd/network/{{ item.key }}.network" + with_dict: "{{ networking }}" diff --git a/tasks/networkd/services.yml b/tasks/networkd/services.yml new file mode 100644 index 0000000..497ad01 --- /dev/null +++ b/tasks/networkd/services.yml 
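Review bot: `when: enable_ssh_password_auth|bool == false` raises an undefined-variable error on any host that does not set the variable, and in this patch only groups/cloud.yml defines it, so the new play breaks update.yml for every other group. Give it an explicit default so hosts without a setting keep their current behaviour, `when: not (enable_ssh_password_auth | default(true) | bool)`, or define the variable once for all hosts. Because this play runs for `hosts: all`, the default chosen here decides whether password logins stay open on every host outside `[cloud]`; a default of `false` would be the hardened choice but only after keys are deployed everywhere.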
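Review bot: The delete/recreate of /etc/systemd/network in tasks/networkd/config.yml runs unconditionally while only the template task carries `when: networking is defined`, so a host without a `networking` mapping is left with an empty networkd directory and no interface configuration once networkd is enabled by services.yml, which on a VM means losing its address at the next reboot. Put the guard on all three tasks, or on the import in provision-virtual-machine.yml: `- import_tasks: tasks/networkd/config.yml` followed by `  when: networking is defined`. The comment also has a typo: `runnign` should be `running`.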
@@ -0,0 +1,38 @@
+---
+- name: Disable network scripts and NetworkManager
+ become: true
+ service:
+ name: "{{ item }}"
+ enabled: false
+ with_items:
+ - network
+ - NetworkManager
+ - NetworkManager-wait-online
+
+- name: Enable systemd-networkd and systemd-resolved
+ become: true
+ service:
+ name: "{{ item }}"
+ enabled: true
+ state: started
+ with_items:
+ - systemd-networkd
+ - systemd-resolved
+ - systemd-networkd-wait-online
+
+- name: Symlink so systemd-resolved uses /etc/resolv.conf
+ become: true
+ file:
+ dest: /etc/resolv.conf
+ src: /run/systemd/resolve/resolv.conf
+ state: link
+ force: true
+ setype: net_conf_t
+
+- name: Symlink so /etc/resolv.conf uses systemd
+ become: true
+ file:
+ dest: /etc/systemd/system/multi-user.target.wants/systemd-resolved.service
+ src: /usr/lib/systemd/system/systemd-resolved.service
+ state: link
+ force: true
diff --git a/tasks/sshd/banner.yml b/tasks/sshd/banner.yml
new file mode 100644
index 0000000..907337c
--- /dev/null
+++ b/tasks/sshd/banner.yml
@@ -0,0 +1,13 @@
+- name: Install SSH Banner
+ become: true
+ template:
+ src: motd.j2
+ dest: /etc/issue.net
+ mode: 0644
+
+- name: Configure SSH banner
+ become: true
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '#Banner none'
+ line: 'Banner /etc/issue.net'
diff --git a/tasks/sshd/disable-password-auth.yml b/tasks/sshd/disable-password-auth.yml
new file mode 100644
index 0000000..d15e0b5
--- /dev/null
+++ b/tasks/sshd/disable-password-auth.yml
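Review bot: The two symlink task names in tasks/networkd/services.yml are swapped relative to what they do: the first (`dest: /etc/resolv.conf`) is the one that makes the system resolve through systemd-resolved, and the second creates the multi-user.target wants link that `enabled: true` on systemd-resolved in the previous task should already have made, so it is redundant unless that unit lacks an [Install] section on the target release (worth checking on CentOS 7). Rename them, e.g. `Point /etc/resolv.conf at systemd-resolved` and `Enable systemd-resolved in multi-user.target`, and drop the second if the enable suffices. Disabling `network` and `NetworkManager` with `enabled: false` but no `state: stopped` leaves both network managers running until the next reboot; if that is deliberate to avoid dropping the SSH session mid-play, a comment saying so would help. systemctl also fails rather than skips when a listed unit does not exist on a host, so a distro without the legacy `network` script fails this task unless it is guarded.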
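Review bot: Setting `Banner` in sshd_config via lineinfile in tasks/sshd/banner.yml does not take effect until sshd re-reads its configuration, and neither this file nor the Init play that imports it reloads sshd, so the banner stays invisible until a reboot or until the unrelated restart in disable-password-auth.yml happens to run; add `notify: restart sshd` with a matching handler in the importing play, or a `service: {name: sshd, state: reloaded}` task. `regexp: '#Banner none'` only matches the stock commented line, so a host that already has a different `Banner` directive gets a second one appended at the end of the file and sshd keeps using the first; `regexp: '^#?Banner\s'` covers both cases. The file also lacks the `---` document start used by the other new task files.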
@@ -0,0 +1,25 @@ +- name: Turn off password authentication + become: true + replace: + path: /etc/ssh/sshd_config + regexp: "PasswordAuthentication yes" + replace: "PasswordAuthentication no" + +- name: Turn off challenge response authentication + become: true + replace: + path: /etc/ssh/sshd_config + regexp: "ChallengeResponseAuthentication yes" + replace: "ChallengeResponseAuthentication no" + +- name: Turn off GSSAPI authentication + become: true + replace: + path: /etc/ssh/sshd_config + regexp: "GSSAPIAuthentication yes" + replace: "GSSAPIAuthentication no" + +- name: Restart sshd + service: + name: sshd + state: restarted diff --git a/vars/users.yml b/vars/users.yml index b72f02d..3045cc3 100644 --- a/vars/users.yml +++ b/vars/users.yml @@ -29,6 +29,7 @@ users: - plex - admin - vpn + - nextcloud admin: True svc: True @@ -73,6 +74,7 @@ users: - plex - admin - vpn + - nextcloud admin: True - name: kaisersjr @@ -84,6 +86,7 @@ users: - bitwarden - vpn - workstations + - nextcloud admin: False - name: notsoninja @@ -94,6 +97,7 @@ users: - gitea - vpn - workstations + - nextcloud admin: False - name: avalonburned @@ -104,6 +108,7 @@ users: - gitea - vpn - workstations + - nextcloud admin: False - name: sglagovitch @@ -114,4 +119,5 @@ users: - gitea - vpn - workstations + - nextcloud admin: False
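Review bot: The `Restart sshd` task at the end of tasks/sshd/disable-password-auth.yml lacks the `become: true` every other task in the file has, so it fails with a permission error when the playbook runs as an unprivileged SSH user. The three `replace` tasks also use unanchored patterns, so a stock sshd_config whose directive is only present as the commented default `#PasswordAuthentication yes` is rewritten to `#PasswordAuthentication no` and password logins stay enabled, and a config that omits the directive is left untouched while the play reports success. Use lineinfile with an anchored, comment-tolerant regexp and `validate`, so a bad edit cannot leave sshd unable to restart, as below, and prefer a handler over an unconditional restart. The file also lacks the `---` document start used by the other new files.
```yaml
- name: Turn off password, challenge-response and GSSAPI authentication
  become: true
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?\s*{{ item }}\s'
    line: '{{ item }} no'
    insertbefore: BOF
    validate: '/usr/sbin/sshd -t -f %s'
  with_items:
    - PasswordAuthentication
    - ChallengeResponseAuthentication
    - GSSAPIAuthentication

- name: Restart sshd
  become: true
  service:
    name: sshd
    state: restarted
```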