From 96ea66b77a5ada8deee62a9bb237ea55a736fe0c Mon Sep 17 00:00:00 2001
From: Ethan Paul
Date: Fri, 5 Nov 2021 21:53:47 -0400
Subject: [PATCH] Reorganize provision playbook

Split server-specific configs out into server role
Add symlink to roles for playbook directory
---
 playbooks/provision.yaml | 134 +++--------------
 playbooks/roles | 1 +
 playbooks/update.yaml | 9 ++
 .../files}/wheel-group-no-sudo-password | 0
 roles/server/handlers/main.yaml | 6 +
 roles/server/tasks/main.yaml | 6 +
 roles/server/tasks/sshd.yaml | 44 ++++++
 roles/server/tasks/sudoers.yaml | 30 ++++
 {resources => roles/server/templates}/motd.j2 | 0
 9 files changed, 112 insertions(+), 118 deletions(-)
 create mode 120000 playbooks/roles
 rename {resources => roles/server/files}/wheel-group-no-sudo-password (100%)
 create mode 100644 roles/server/handlers/main.yaml
 create mode 100644 roles/server/tasks/main.yaml
 create mode 100644 roles/server/tasks/sshd.yaml
 create mode 100644 roles/server/tasks/sudoers.yaml
 rename {resources => roles/server/templates}/motd.j2 (100%)
diff --git a/playbooks/provision.yaml b/playbooks/provision.yaml
index 923617b..4da5208 100644
--- a/playbooks/provision.yaml
+++ b/playbooks/provision.yaml
@@ -9,57 +9,16 @@
 - name: Bootstrap remote ansible environment
 hosts: linux
+ gather_facts: false
 tags:
 - always
 tasks:
- - name: Install CentOS 8 python bindings
- when: ansible_distribution == "Rocky"
- become: true
- ansible.builtin.dnf:
- state: present
- name:
- - python3-libselinux
- - python3-policycoreutils
- - python3-firewall
-
- - name: Create state directory
- become: true
- ansible.builtin.file:
- path: "{{ skylab_state_dir }}"
- state: directory
- owner: "{{ ansible_user }}"
- group: "{{ ansible_user }}"
- mode: 0755
-
- - name: Create bootstrap virtualenv
- ansible.builtin.command:
- cmd: "{{ ansible_python_interpeter | default(discovered_interpreter_python) }} -m venv {{ skylab_ansible_venv }} --system-site-packages"
- creates: "{{ skylab_ansible_venv }}/bin/python"
-
- - name: Pin bootstrap virtualenv pip
- ansible.builtin.pip:
- executable: "{{ skylab_ansible_venv }}/bin/pip"
- name: pip
- state: present
- version: "{{ skylab_pip_version }}"
-
- - name: Copy requirements file to remote
- ansible.builtin.copy:
- src: remote-requirements.txt
- dest: "{{ skylab_ansible_venv }}/requirements.txt"
- owner: "{{ ansible_user }}"
- group: "{{ ansible_user }}"
- mode: 0644
-
- - name: Install remote requirements
- ansible.builtin.pip:
- executable: "{{ skylab_ansible_venv }}/bin/pip"
- requirements: "{{ skylab_ansible_venv }}/requirements.txt"
- state: present
+ - include_tasks: tasks/meta/bootstrap-remote-env.yaml
-- name: Configure common server settings
+- name: Configure common settings
 hosts: linux
+ gather_facts: false
 vars_files:
 - vars/packages.yaml
 tasks:
@@ -69,6 +28,15 @@
 name: "{{ inventory_hostname }}"
 use: systemd
+ - name: Install global bash config
+ become: true
+ ansible.builtin.copy:
+ src: global.sh
+ dest: /etc/profile.d/ZZ-skylab-global.sh
+ owner: root
+ group: "{{ ansible_user }}"
+ mode: 0644
+
 - name: Install EPEL repository config
 when: ansible_distribution == "Rocky"
 become: true
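Review bot: `gather_facts: false` is added to both plays in the first hunk, yet the second hunk's context still gates tasks on `ansible_distribution == "Rocky"`, a variable that only exists once facts have been gathered somewhere earlier in the run. Whether that still happens now depends on `tasks/meta/bootstrap-remote-env.yaml`, which this diff does not show; if that file does not run `ansible.builtin.setup` (and fact caching is not enabled), every such conditional fails with an undefined-variable error. The bootstrap play it replaces gathered facts by default and itself used `ansible_distribution`, so this is a new assumption introduced here. Either leave fact gathering enabled on the "Configure common settings" play or add an explicit `- ansible.builtin.setup:` task at the top of the included bootstrap file, with a comment stating that later plays depend on it.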
@@ -84,25 +52,6 @@
 state: present
 key: https://archive.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}
- - name: Disable sudo password for WHEEL group
- when: ansible_distribution == "Rocky" or ansible_distribution == "CentOS"
- become: true
- ansible.builtin.copy:
- src: wheel-group-no-sudo-password
- dest: /etc/sudoers.d/30-wheel
- owner: root
- group: "{{ ansible_user }}"
- mode: 0644
-
- - name: Install global bash config
- become: true
- ansible.builtin.copy:
- src: global.sh
- dest: /etc/profile.d/ZZ-skylab-global.sh
- owner: root
- group: "{{ ansible_user }}"
- mode: 0644
-
 - name: Install universal packages
 when: ansible_distribution == "Rocky"
 become: true
@@ -111,58 +60,7 @@
 state: present
-- name: Configure SSH
- hosts: linux
- handlers:
- - name: restart-sshd
- become: true
- ansible.builtin.systemd:
- name: sshd
- state: restarted
- tasks:
- - name: Configure SSH authentication settings
- become: true
- ansible.builtin.replace:
- path: /etc/ssh/sshd_config
- regexp: "{{ item.regex }}"
- replace: "{{ item.value }}"
- notify: [restart-sshd]
- loop:
- - name: disable root login
- regex: "^.*PermitRootLogin (yes|no).*$"
- value: PermitRootLogin no
- - name: disable password auth
- regex: "^.*PasswordAuthentication (yes|no).*$"
- value: PasswordAuthentication no
- - name: disable challenge response auth
- regex: "^.*ChallengeResponseAuthentication (yes|no).*$"
- value: ChallengeResponseAuthentication no
- - name: disable GSSAPI auth
- regex: "^.*GSSAPIAuthentication (yes|no).*$"
- value: GSSAPIAuthentication no
- loop_control:
- label: "{{ item.name }}"
-
- - name: Disable dynamic MOTD on debian systems
- when: ansible_os_family == "Debian"
- ansible.builtin.replace:
- path: /etc/pam.d/sshd
- regexp: "^session optional pam_motd.so motd=/run/motd.dynamic"
- replace: "#session optional pam_motd.so motd=/run/motd.dynamic"
-
- - name: Disable Cockpit activation message on Rocky
- when: ansible_distribution == "Rocky"
- become: true
- ansible.builtin.file:
- path: /etc/motd.d/cockpit
- state: absent
-
- - name: Copy MOTD to remote
- become: true
- ansible.builtin.template:
- src: motd.j2
- dest: /etc/motd
- mode: 0644
-
-
 - import_playbook: update.yaml
+
+
+- import_playbook: configure.yaml
diff --git a/playbooks/roles b/playbooks/roles
new file mode 120000
index 0000000..d8c4472
--- /dev/null
+++ b/playbooks/roles
@@ -0,0 +1 @@
+../roles
\ No newline at end of file
diff --git a/playbooks/update.yaml b/playbooks/update.yaml
index d3ae92e..d1e918a 100644
--- a/playbooks/update.yaml
+++ b/playbooks/update.yaml
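Review bot: The new `- import_playbook: configure.yaml` at the end of the hunk is now the only route by which the SSH hardening and sudoers tasks moved into `roles/server` can run during provisioning, but `playbooks/configure.yaml` is not part of this diff, so I cannot verify that it applies the `server` role. If it does not, a provision run leaves `PermitRootLogin`/`PasswordAuthentication` at distribution defaults, a regression from the play deleted above. Once confirmed, a one-line comment at the import would make the dependency explicit, e.g. `# configure.yaml applies roles/server (sshd + sudoers hardening)`. The `playbooks/roles -> ../roles` symlink works, but `roles_path = ../roles` in `ansible.cfg` is the conventional way to make the role resolvable and does not depend on the checkout preserving symlinks.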
@@ -7,6 +7,15 @@
 - include_tasks: tasks/meta/runtime-group-determination.yaml
+- name: Bootstrap remote ansible environment
+ hosts: linux
+ gather_facts: false
+ tags:
+ - always
+ tasks:
+ - include_tasks: tasks/meta/bootstrap-remote-env.yaml
+
+
 - name: Update system
 hosts: linux
 tags:
diff --git a/resources/wheel-group-no-sudo-password b/roles/server/files/wheel-group-no-sudo-password
similarity index 100%
rename from resources/wheel-group-no-sudo-password
rename to roles/server/files/wheel-group-no-sudo-password
diff --git a/roles/server/handlers/main.yaml b/roles/server/handlers/main.yaml
new file mode 100644
index 0000000..ba12abf
--- /dev/null
+++ b/roles/server/handlers/main.yaml
@@ -0,0 +1,6 @@
+---
+- name: restart-sshd
+ become: true
+ ansible.builtin.systemd:
+ name: sshd
+ state: restarted
diff --git a/roles/server/tasks/main.yaml b/roles/server/tasks/main.yaml
new file mode 100644
index 0000000..e2fe4c1
--- /dev/null
+++ b/roles/server/tasks/main.yaml
@@ -0,0 +1,6 @@
+---
+- name: Configure sudoers file
+ ansible.builtin.import_tasks: sudoers.yaml
+
+- name: Configure SSH server
+ ansible.builtin.import_tasks: sshd.yaml
diff --git a/roles/server/tasks/sshd.yaml b/roles/server/tasks/sshd.yaml
new file mode 100644
index 0000000..244182c
--- /dev/null
+++ b/roles/server/tasks/sshd.yaml
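Review bot: The bootstrap play added to update.yaml is the same play that provision.yaml's first hunk now contains, and provision.yaml still imports update.yaml (its last hunk keeps `- import_playbook: update.yaml`), so a provision run executes `tasks/meta/bootstrap-remote-env.yaml` twice, with `tags: [always]` making the second pass impossible to skip. That is harmless only if the included file is fully idempotent, which I cannot check from here. Consider moving the play into a single `playbooks/bootstrap.yaml` that both playbooks pull in with `- import_playbook: bootstrap.yaml`, so the bootstrap logic and its `gather_facts`/`tags` settings live in one place.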
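Review bot: The `restart-sshd` handler restarts unit `sshd`, but the role is also applied to Debian hosts (sshd.yaml gates a task on `ansible_os_family == "Debian"`), where openssh-server's unit is `ssh`; `sshd` resolves there only through a unit alias that I cannot confirm exists on every release. A failed handler means the hardened `sshd_config` has been written but never activated, so the unit name should follow the facts, e.g. `name: "{{ 'ssh' if ansible_os_family == 'Debian' else 'sshd' }}"`. `state: reloaded` is typically sufficient for sshd to re-read its configuration and avoids closing the listener during a run.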
@@ -0,0 +1,44 @@
+---
+- name: Configure SSH authentication settings
+ become: true
+ ansible.builtin.replace:
+ path: /etc/ssh/sshd_config
+ regexp: "{{ item.regex }}"
+ replace: "{{ item.value }}"
+ notify: [restart-sshd]
+ loop:
+ - name: disable root login
+ regex: "^.*PermitRootLogin (yes|no).*$"
+ value: PermitRootLogin no
+ - name: disable password auth
+ regex: "^.*PasswordAuthentication (yes|no).*$"
+ value: PasswordAuthentication no
+ - name: disable challenge response auth
+ regex: "^.*ChallengeResponseAuthentication (yes|no).*$"
+ value: ChallengeResponseAuthentication no
+ - name: disable GSSAPI auth
+ regex: "^.*GSSAPIAuthentication (yes|no).*$"
+ value: GSSAPIAuthentication no
+ loop_control:
+ label: "{{ item.name }}"
+
+- name: Disable dynamic MOTD on debian systems
+ when: ansible_os_family == "Debian"
+ ansible.builtin.replace:
+ path: /etc/pam.d/sshd
+ regexp: "^session optional pam_motd.so motd=/run/motd.dynamic"
+ replace: "#session optional pam_motd.so motd=/run/motd.dynamic"
+
+- name: Disable Cockpit activation message on Rocky
+ when: ansible_distribution == "Rocky"
+ become: true
+ ansible.builtin.file:
+ path: /etc/motd.d/cockpit
+ state: absent
+
+- name: Copy MOTD to remote
+ become: true
+ ansible.builtin.template:
+ src: motd.j2
+ dest: /etc/motd
+ mode: 0644
diff --git a/roles/server/tasks/sudoers.yaml b/roles/server/tasks/sudoers.yaml
new file mode 100644
index 0000000..c5767f1
--- /dev/null
+++ b/roles/server/tasks/sudoers.yaml
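Review bot: The regexes in the first task only match `PermitRootLogin (yes|no)` and the like, so Debian's default `#PermitRootLogin prohibit-password`, or any host where a directive is simply absent, is left untouched and `replace` never adds a line — the hardening silently does not apply there. The `^.*` / `.*$` wrapping also rewrites occurrences inside `Match` blocks, and with no `validate:` a bad edit is only noticed when the `restart-sshd` handler fails to bring sshd back. Keying a `lineinfile` on the directive name with `validate: /usr/sbin/sshd -t -f %s` fixes all three, and adding `KbdInteractiveAuthentication no` matters because `ChallengeResponseAuthentication` is only a deprecated alias on OpenSSH 8.7+ (Rocky 9). Separately, `Disable dynamic MOTD on debian systems` edits `/etc/pam.d/sshd` without `become: true` and will fail with permission denied for a non-root `ansible_user`.
```yaml
- name: Configure SSH authentication settings
  become: true
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^#?\\s*{{ item.key }}\\s"
    line: "{{ item.key }} {{ item.value }}"
    # keep the directive global: if a Match block exists, insert before the first one
    insertbefore: "^Match\\s"
    firstmatch: true
    validate: /usr/sbin/sshd -t -f %s
  notify: [restart-sshd]
  loop:
    - { key: PermitRootLogin, value: "no" }
    - { key: PasswordAuthentication, value: "no" }
    - { key: ChallengeResponseAuthentication, value: "no" }
    - { key: KbdInteractiveAuthentication, value: "no" }
    - { key: GSSAPIAuthentication, value: "no" }
  loop_control:
    label: "{{ item.key }}"

# … unchanged: MOTD tasks (add `become: true` to the /etc/pam.d/sshd edit) …
```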
@@ -0,0 +1,30 @@
+---
+- name: Disable sudo password for WHEEL group
+ when: ansible_distribution == "Rocky" or ansible_distribution == "CentOS"
+ become: true
+ ansible.builtin.copy:
+ src: wheel-group-no-sudo-password
+ dest: /etc/sudoers.d/30-wheel
+ owner: root
+ group: "{{ ansible_user }}"
+ mode: 0644
+
+# Note that the cleanup tasks need to be after the new installation tasks
+# since one or more files being cleaned up might be being relied on to
+# allow ansible access
+- name: Fetch content of sudoers config directory
+ become: true
+ changed_when: false
+ ansible.builtin.command:
+ cmd: /usr/bin/ls /etc/sudoers.d/
+ register: _sudoers_files_raw
+
+- name: Remove legacy sudoers config files
+ when: item.strip() not in ["30-wheel"]
+ become: true
+ ansible.builtin.file:
+ path: /etc/sudoers.d/{{ item.strip() }}
+ state: absent
+ loop: "{{ _sudoers_files_raw.stdout.split(' ') }}"
+ loop_control:
+ label: "/etc/sudoers.d/{{ item.strip() }}"
diff --git a/resources/motd.j2 b/roles/server/templates/motd.j2
similarity index 100%
rename from resources/motd.j2
rename to roles/server/templates/motd.j2
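Review bot: `_sudoers_files_raw.stdout.split(' ')` in the last task assumes `ls` separates names with spaces, but when writing to a pipe `ls` prints one name per line, so with two or more drop-ins the loop sees a single newline-joined item that never equals `30-wheel` and nothing is removed, while an empty directory yields `''` and `file: state: absent` runs on `/etc/sudoers.d/` itself, deleting the directory. The removal is also not gated on distribution although the install above it is, so on a Debian host `30-wheel` is never written and every existing drop-in is deleted — including whatever may grant `ansible_user` its sudo access, exactly the lockout the in-hunk comment warns about. Replace the `ls` parsing with `ansible.builtin.find`, give the removal the same `when:` as the install, and add `validate: /usr/sbin/visudo -cf %s` to the copy so a malformed drop-in cannot break sudo before it lands. A sudoers drop-in is conventionally `root:root` with mode `0440`; sudo tolerates the current `0644` with `ansible_user` group ownership, but there is no reason for that group to read it.
```yaml
- name: Disable sudo password for WHEEL group
  when: ansible_distribution == "Rocky" or ansible_distribution == "CentOS"
  become: true
  ansible.builtin.copy:
    src: wheel-group-no-sudo-password
    dest: /etc/sudoers.d/30-wheel
    owner: root
    group: root
    mode: "0440"
    validate: /usr/sbin/visudo -cf %s

# … unchanged: ordering comment …
- name: Find existing sudoers drop-ins
  become: true
  ansible.builtin.find:
    paths: /etc/sudoers.d
    file_type: file
  register: _sudoers_files

- name: Remove legacy sudoers config files
  when:
    - ansible_distribution == "Rocky" or ansible_distribution == "CentOS"
    - item.path | basename not in ["30-wheel"]
  become: true
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: absent
  loop: "{{ _sudoers_files.files }}"
  loop_control:
    label: "{{ item.path }}"
```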