Initial commit

Signed-off-by: Julien Riou <julien@riou.xyz>
This commit is contained in:
Julien Riou 2024-04-27 15:18:41 +02:00
parent d547c7f607
commit 096a3e0540
No known key found for this signature in database
GPG key ID: A2EB1F2CA8E3F677
69 changed files with 1650 additions and 0 deletions

5
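--- a/tasks/apt-upgrade.yml
+++ b/tasks/apt-upgrade.yml
@@ -0,0 +1,5 @@
+---
+- name: Run apt upgrade
+ansible.builtin.apt:
+update_cache: true
+upgrade: dist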

17
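--- a/tasks/apt.yml
+++ b/tasks/apt.yml
+---
+- name: Remove useless packages
+ansible.builtin.apt:
+name:
+- wpasupplicant
+- pi-bluetooth
+state: absent
+- name: Define repositories
+ansible.builtin.copy:
+src: files/apt/raspi.list
+dest: /etc/apt/sources.list.d/raspi.list
+- name: Update system
+ansible.builtin.apt:
+update_cache: 'yes'
+upgrade: 'yes'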
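Review bot: `update_cache: 'yes'` and `upgrade: 'yes'` on the `Update system` task pass quoted strings where the sibling apt-upgrade.yml uses a real boolean and a named mode; write `update_cache: true` and `upgrade: safe` (the documented equivalent of `yes`) so the intent survives yamllint's truthy check and a YAML 1.2 loader. The `Define repositories` copy of raspi.list sets no `mode`, `owner` or `group`, so the result depends on the remote umask; `mode: '0644'`, `owner: root`, `group: root` would match the explicit permissions used in bacula.yml.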

89
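--- a/tasks/bacula.yml
+++ b/tasks/bacula.yml
+---
+- name: Install bacula
+ansible.builtin.apt:
+name:
+- bacula-director
+- bacula-director-sqlite3
+- bacula-fd
+- bacula-sd
+- bacula-console
+state: latest
+- name: Configure database
+ansible.builtin.copy:
+src: files/bacula/bacula-director-sqlite3.conf
+dest: /etc/dbconfig-common/bacula-director-sqlite3.conf
+mode: '0600'
+owner: root
+group: root
+- name: Configure catalog backup script
+ansible.builtin.copy:
+src: files/bacula/make_catalog_backup.pl
+dest: /etc/bacula/scripts/make_catalog_backup.pl
+mode: '0755'
+owner: root
+group: bacula
+- name: Configure director
+ansible.builtin.template:
+src: bacula/bacula-dir.conf.j2
+dest: /etc/bacula/bacula-dir.conf
+mode: '0640'
+owner: root
+group: bacula
+- name: Configure bconsole
+ansible.builtin.template:
+src: bacula/bconsole.conf.j2
+dest: /etc/bacula/bconsole.conf
+mode: '0640'
+owner: root
+group: nagios
+- name: Configure bacula fd
+ansible.builtin.template:
+src: bacula/bacula-fd.conf.j2
+dest: /etc/bacula/bacula-fd.conf
+mode: '0640'
+owner: root
+group: bacula
+- name: Configure bacula sd
+ansible.builtin.template:
+src: bacula/bacula-sd.conf.j2
+dest: /etc/bacula/bacula-sd.conf
+mode: '0640'
+owner: root
+group: bacula
+- name: Copy configuration files
+ansible.builtin.template:
+src: "bacula/conf.d/{{ item }}.conf.j2"
+dest: "/etc/bacula/conf.d/{{ item }}.conf"
+loop:
+- clients
+- filesets
+- jobs
+- messages
+- pools
+- schedules
+- storages
+- name: Allow bacula from vpn
+ansible.builtin.iptables:
+chain: INPUT
+protocol: tcp
+source: "{{ openvpn_subnet }}"
+destination_port: "9102"
+jump: ACCEPT
+comment: allow bacula from vpn
+- name: Restart bacula services
+ansible.builtin.service:
+name: "{{ item }}"
+state: restarted
+loop:
+- bacula-director
+- bacula-sd
+- bacula-fd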
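Review bot: The `Copy configuration files` loop writes the conf.d templates without `mode`, `owner` or `group`, unlike every other bacula configuration task in this file, which sets `0640` root:bacula; Bacula client and storage resources normally carry passwords, so these files presumably hold secrets too and should get the same `mode: '0640'`, `owner: root`, `group: bacula`. `Restart bacula services` restarts all three daemons on every run whether or not a template changed; making the configuration tasks `notify: Restart bacula services` and moving the restart to a handler would limit restarts to actual changes. Packages are installed with `state: latest`, so a plain re-run can upgrade the director unattended — fine if intended, but worth a comment on the task.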

13
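--- a/tasks/easyrsa.yml
+++ b/tasks/easyrsa.yml
+---
+# TODO
+- name: copy easyrsa sources to /root
+copy:
+src: files/easyrsa/EasyRSA-v3.0.6
+dest: /root/
+mode: preserve
+- name: add easyrsa binary to path
+file:
+src: /root/EasyRSA-v3.0.6/easyrsa
+dest: /usr/local/sbin/easyrsa
+state: link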
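Review bot: Both tasks use the short module names `copy` and `file` while the rest of the commit uses fully qualified `ansible.builtin.*` names; the same applies to `hostname` in hostname.yml, `copy` and `iptables` in nagios.yml and `service` in ssh.yml. Fully qualifying them (`ansible.builtin.copy`, `ansible.builtin.file`) keeps module resolution independent of collection search order and matches the sibling files, and the task names would then also follow the capitalised style used everywhere else. The bare `# TODO` says nothing about what is pending; either state it (e.g. `# TODO: move the vendored EasyRSA release to a variable`) or drop it, and the `EasyRSA-v3.0.6` path appearing in both tasks would be easier to bump from a single variable.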

9
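--- a/tasks/hostname.yml
+++ b/tasks/hostname.yml
+---
+- name: Setup hostname
+hostname:
+name: "{{ hostname }}"
+- name: Manage /etc/hosts
+ansible.builtin.template:
+src: hostname/hosts.j2
+dest: /etc/hosts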

63
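--- a/tasks/iptables.yml
+++ b/tasks/iptables.yml
+---
+- name: Allow related and established connections
+ansible.builtin.iptables:
+chain: INPUT
+ctstate: ESTABLISHED,RELATED
+jump: ACCEPT
+comment: allow related and established connections
+- name: Allow local connections
+ansible.builtin.iptables:
+chain: INPUT
+in_interface: lo
+jump: ACCEPT
+comment: allow local connections
+- name: Allow ping
+ansible.builtin.iptables:
+chain: INPUT
+protocol: icmp
+jump: ACCEPT
+comment: allow ping from the world
+- name: Deny input connections by default
+ansible.builtin.iptables:
+chain: INPUT
+policy: DROP
+- name: Allow SSH to VPN
+ansible.builtin.iptables:
+chain: OUTPUT
+protocol: tcp
+destination: "{{ openvpn_subnet }}"
+destination_port: "22"
+jump: ACCEPT
+comment: allow ssh to vpn
+- name: Deny SSH to the world
+ansible.builtin.iptables:
+chain: OUTPUT
+protocol: tcp
+destination_port: "22"
+jump: DROP
+comment: deny ssh to the world
+- name: Deny IPv6 connections
+ansible.builtin.iptables:
+ip_version: ipv6
+chain: "{{ item }}"
+policy: DROP
+loop:
+- INPUT
+- FORWARD
+- OUTPUT
+- name: Install netfilter-persistent
+ansible.builtin.apt:
+name:
+- netfilter-persistent
+- iptables-persistent
+state: latest
+- name: Save iptables
+ansible.builtin.command: netfilter-persistent save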
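Review bot: The IPv4 `FORWARD` chain keeps its default policy: only `INPUT` is switched to DROP by `Deny input connections by default`, while the IPv6 loop covers INPUT, FORWARD and OUTPUT. A task with `chain: FORWARD` and `policy: DROP`, mirroring the IPv6 one, closes that gap on a host that is not meant to route. The final `netfilter-persistent save` is a bare command, so it reports `changed` on every run; `changed_when: false`, or running it from a handler notified by the rule tasks, keeps the play idempotent.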

24
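--- a/tasks/mosquitto.yml
+++ b/tasks/mosquitto.yml
+---
+- name: Install packages
+ansible.builtin.apt:
+name:
+- mosquitto
+state: latest
+- name: Configure mosquitto
+ansible.builtin.copy:
+src: files/mosquitto/conf.d
+dest: /etc/mosquitto
+- name: Copy mosquitto password
+ansible.builtin.template:
+src: mosquitto/passwd.j2
+dest: /etc/mosquitto/passwd
+mode: '0600'
+owner: root
+group: root
+- name: Restart mosquitto
+ansible.builtin.service:
+name: mosquitto
+state: restarted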
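Review bot: `Copy mosquitto password` deploys /etc/mosquitto/passwd as `0600` root:root, but the packaged broker typically runs as the `mosquitto` user; depending on whether the password file is read before or after the privilege drop, that can leave it unreadable, so confirm authentication still works after the restart and prefer `owner: root`, `group: mosquitto`, `mode: '0640'` if it does not. The preceding `Configure mosquitto` copy of the conf.d directory sets no `mode`, so file permissions follow the remote umask. `Restart mosquitto` runs unconditionally; a handler notified by the two configuration tasks would restart only on change.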

15
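--- a/tasks/motd.yml
+++ b/tasks/motd.yml
+---
+- name: Install figlet
+ansible.builtin.package:
+name: figlet
+state: present
+- name: Run figlet
+ansible.builtin.shell:
+cmd: "hostname | figlet -f /usr/share/figlet/smslant.flf"
+register: _motd
+- name: Create motd
+ansible.builtin.copy:
+dest: /etc/motd
+content: "{{ _motd.stdout }}\n"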
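Review bot: `Run figlet` is a shell task with no `changed_when`, so it reports a change on every run even though it only produces input for the following copy; add `changed_when: false` to it. A one-line comment noting that the pipe is the reason `shell` is used instead of `command` would make the choice explicit for the next reader.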

110
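--- a/tasks/nagios.yml
+++ b/tasks/nagios.yml
+---
+- name: Install nagios
+ansible.builtin.apt:
+name:
+- nagios4
+- git
+- nagios-nrpe-plugin
+- python3-jinja2
+- python3-requests
+- python3-jsonschema
+- python-pexpect
+state: latest
+- name: Generate nagios configurations
+ansible.builtin.template:
+src: "nagios/conf.d/{{ item }}.cfg.j2"
+dest: "/etc/nagios4/conf.d/{{ item }}.cfg"
+loop:
+- commands
+- hosts
+- hostgroups
+- services
+- templates
+- name: Copy nagios contacts configuration
+ansible.builtin.template:
+src: nagios/contacts.cfg.j2
+dest: /etc/nagios4/objects/contacts.cfg
+- name: Copy check_timesyncd
+ansible.builtin.copy:
+src: files/nagios/check_timesyncd
+dest: /usr/lib/nagios/plugins/check_timesyncd
+mode: '0755'
+- name: Deploy sudoers rule for nagios
+community.general.sudoers:
+name: nagios
+user: nagios
+commands:
+- /usr/lib/nagios/plugins/
+- name: Clone notify-by-telegram source code
+ansible.builtin.git:
+repo: https://github.com/jouir/notify-by-telegram.git
+dest: /opt/notify-by-telegram
+- name: Configure notify-by-telegram
+ansible.builtin.copy:
+content: "{{ {'auth_key': nagios_telegram_auth_key, 'chat_id': nagios_telegram_chat_id } | to_json }}"
+dest: /etc/nagios4/telegram.json
+owner: root
+group: nagios
+mode: '0640'
+- name: Clone nagios-plugin-bacula source code
+ansible.builtin.git:
+repo: https://github.com/twpayne/nagios-plugin-bacula.git
+dest: /opt/nagios-plugin-bacula
+- name: Copy global configuration
+ansible.builtin.copy:
+src: files/nagios/nagios.cfg
+dest: /etc/nagios4/nagios.cfg
+- name: Copy CGI configuration
+ansible.builtin.copy:
+src: files/nagios/cgi.cfg
+dest: /etc/nagios4/cgi.cfg
+- name: Reload nagios
+ansible.builtin.service:
+name: nagios4
+state: reloaded
+- name: Configure htaccess for the web interface
+ansible.builtin.template:
+src: nagios/htdigest.users.j2
+dest: /etc/nagios4/htdigest.users
+- name: Secure Apache
+copy:
+src: files/nagios/security.conf
+dest: /etc/apache2/conf-available/security.conf
+- name: Configure vhost for the web interface
+ansible.builtin.copy:
+src: files/nagios/apache2.conf
+dest: /etc/nagios4/apache2.conf
+- name: Enable Apache modules
+ansible.builtin.command:
+cmd: "a2enmod {{ item }}"
+loop:
+- auth_digest
+- headers
+- name: Restart apache
+ansible.builtin.service:
+name: apache2
+state: restarted
+- name: Allow HTTP from vpn
+iptables:
+chain: INPUT
+protocol: tcp
+source: "{{ openvpn_subnet }}"
+destination_port: "80"
+jump: ACCEPT
+comment: allow http from vpn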
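Review bot: `Configure htaccess for the web interface` renders /etc/nagios4/htdigest.users without `mode`, `owner` or `group`, so the web-UI digest credentials land with umask-derived permissions; give it the same treatment as telegram.json (`owner: root`, `mode: '0640'`, with `group` set to the account Apache runs as — presumably `www-data`, verify on the target). `Deploy sudoers rule for nagios` grants the nagios user passwordless sudo for the whole `/usr/lib/nagios/plugins/` directory, so any file dropped there runs as root; listing only the plugins that actually need root narrows that. The `ansible.builtin.git` clones here, and those in nrpe.yml and serial2mqtt.yml, carry no `version`, so each run checks out whatever the upstream default branch currently is and the deployed plugin code is not fixed by this commit; pin `version:` to a tag or commit for each. `python-pexpect` in `Install nagios` is the Python 2 package name and is unlikely to be installable on a current Debian-based image — presumably `python3-pexpect` is intended. `Enable Apache modules` is a bare `a2enmod` command with no `changed_when`, so it reports a change on every run.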

66
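--- a/tasks/nrpe.yml
+++ b/tasks/nrpe.yml
+---
+- name: Install NRPE
+ansible.builtin.apt:
+name:
+- nagios-nrpe-server
+- bc
+- python3-pip
+- name: Copy NRPE global configuration
+ansible.builtin.template:
+src: nrpe/nrpe.cfg.j2
+dest: /etc/nagios/nrpe.cfg
+- name: Generate NRPE local configuration
+ansible.builtin.template:
+src: nrpe/nrpe_local.cfg.j2
+dest: /etc/nagios/nrpe_local.cfg
+- name: Manage daemon settings
+ansible.builtin.template:
+src: nrpe/nagios-nrpe-server.j2
+dest: /etc/default/nagios-nrpe-server
+- name: Clone check-mqtt source code
+ansible.builtin.git:
+repo: https://github.com/jpmens/check-mqtt.git
+dest: /opt/check-mqtt
+- name: Clone check_ssl_cert source code
+ansible.builtin.git:
+repo: https://github.com/matteocorti/check_ssl_cert.git
+dest: /opt/check_ssl_cert
+- name: Clone check_ovhcloud source code
+ansible.builtin.git:
+repo: https://github.com/jouir/check_ovhcloud.git
+dest: /opt/check_ovhcloud
+- name: Configure check_ovhcloud
+ansible.builtin.template:
+src: nrpe/ovh.conf.j2
+dest: /etc/ovh.conf
+owner: root
+group: nagios
+mode: "0640"
+- name: Install check_ovhcloud dependencies
+ansible.builtin.pip:
+requirements: /opt/check_ovhcloud/requirements.txt
+extra_args: "--user"
+become: true
+become_user: nagios
+- name: Restart NRPE service
+ansible.builtin.service:
+name: nagios-nrpe-server
+state: restarted
+- name: Allow NRPE from vpn
+ansible.builtin.iptables:
+chain: INPUT
+protocol: tcp
+source: "{{ openvpn_subnet }}"
+destination_port: "5666"
+jump: ACCEPT
+comment: allow nrpe from vpn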
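Review bot: `Install NRPE` is the only apt task in the commit without a `state`, so it defaults to `present` while its siblings use `latest`; state which is intended explicitly. `Install check_ovhcloud dependencies` runs pip with `--user` as nagios, which installs under that account's home directory — confirm the nagios system user has a writable home on the target, otherwise the task fails or installs somewhere the plugin cannot import from. `Restart NRPE service` bounces the daemon on every run regardless of whether the templates above changed; a handler fits better.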

38
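--- a/tasks/openvpn.yml
+++ b/tasks/openvpn.yml
+---
+- name: Install OpenVPN
+ansible.builtin.apt:
+name: openvpn
+state: latest
+- name: Deploy OpenVPN configuration
+ansible.builtin.template:
+src: openvpn/client.conf.j2
+dest: /etc/openvpn/client.conf
+- name: Deploy OpenVPN CA cert
+ansible.builtin.copy:
+content: "{{ openvpn_ca }}"
+dest: /etc/openvpn/ca.crt
+- name: Deploy OpenVPN TLS auth
+ansible.builtin.copy:
+content: "{{ openvpn_ta }}"
+dest: /etc/openvpn/ta.key
+- name: Deploy OpenVPN client cert
+ansible.builtin.copy:
+content: "{{ openvpn_cert }}"
+dest: /etc/openvpn/client.crt
+mode: '0644'
+- name: Deploy OpenVPN client key
+ansible.builtin.copy:
+content: "{{ openvpn_key }}"
+dest: /etc/openvpn/client.key
+mode: '0600'
+- name: Start OpenVPN
+ansible.builtin.systemd:
+name: "openvpn@client.service"
+state: started
+enabled: true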
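Review bot: `Deploy OpenVPN TLS auth` writes ta.key without a `mode`, so the shared tls-auth secret gets umask-derived permissions (commonly world-readable), while client.key two tasks later is correctly `0600`; add `mode: '0600'` to the ta.key task (and `mode: '0644'` to ca.crt for explicitness). The copy tasks that take `content:` from `openvpn_ta` and `openvpn_key` also echo that content in verbose and diff output; `no_log: true` on them keeps the private material out of logs, and the same applies to the secret-bearing tasks in mosquitto.yml (passwd), nagios.yml (telegram.json, htdigest.users) and users.yml (password). `Start OpenVPN` uses `state: started`, so a changed client.conf or key is not picked up until something else restarts the service; a handler with `state: restarted` notified by the deploy tasks would cover that.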

8
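--- a/tasks/profile.yml
+++ b/tasks/profile.yml
@@ -0,0 +1,8 @@
+---
+- name: Remove raspberry pi profiles
+ansible.builtin.file:
+path: "{{ item }}"
+state: absent
+loop:
+- /etc/profile.d/sshpwd.sh
+- /etc/profile.d/wifi-check.sh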

48
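--- a/tasks/serial2mqtt.yml
+++ b/tasks/serial2mqtt.yml
+---
+- name: Install packages
+ansible.builtin.apt:
+name:
+- python3-serial
+- python3-paho-mqtt
+state: latest
+- name: Clone arduino-sensors-toolkit sources
+ansible.builtin.git:
+repo: https://github.com/jouir/arduino-sensors-toolkit.git
+dest: /opt/arduino-sensors-toolkit
+- name: Add serial2mqtt user
+ansible.builtin.user:
+name: serial2mqtt
+system: yes
+password: '!'
+home: /var/lib/serial2mqtt
+create_home: no
+append: yes
+groups:
+- dialout
+- name: Copy serial2mqtt configuration
+ansible.builtin.template:
+src: serial2mqtt/serial2mqtt.ini.j2
+dest: /etc/serial2mqtt.ini
+mode: '0640'
+owner: root
+group: serial2mqtt
+- name: Copy serial2mqtt default file
+ansible.builtin.copy:
+src: files/serial2mqtt/serial2mqtt.default
+dest: /etc/default/serial2mqtt
+- name: Copy serial2mqtt service unit
+ansible.builtin.copy:
+src: files/serial2mqtt/serial2mqtt.service
+dest: /etc/systemd/system/serial2mqtt.service
+- name: Start serial2mqtt service
+ansible.builtin.systemd:
+name: serial2mqtt.service
+daemon_reload: yes
+state: restarted
+enabled: yes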
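Review bot: `Add serial2mqtt user` and `Start serial2mqtt service` use `yes`/`no` for booleans (`system`, `create_home`, `append`, `daemon_reload`, `enabled`), as does `reload: yes` in sysctl.yml, while the rest of the commit uses `true`/`false`; a YAML 1.2 loader reads `yes` as a string, so write `system: true`, `create_home: false`, `append: true`, `daemon_reload: true`, `enabled: true`. `Start serial2mqtt service` uses `state: restarted`, so the service bounces on every run even when nothing changed; a handler notified by the configuration, default-file and unit tasks fits better. `Copy serial2mqtt service unit` installs a unit that runs at boot with no explicit `mode` or `owner`; stating `owner: root`, `group: root`, `mode: '0644'` removes the dependency on the remote umask.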

38
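--- a/tasks/ssh.yml
+++ b/tasks/ssh.yml
+---
+- name: Install OpenSSH
+ansible.builtin.apt:
+name: openssh-server
+state: latest
+- name: Allow authorized keys
+ansible.posix.authorized_key:
+user: "{{ item['user'] }}"
+key: "{{ item['key'] }}"
+comment: "{{ item['comment'] | default(omit) }}"
+loop: "{{ ssh_authorized_keys }}"
+- name: Copy configuration file
+ansible.builtin.copy:
+src: files/ssh/sshd_config
+dest: /etc/ssh/sshd_config
+owner: root
+group: root
+mode: '0644'
+- name: Reload and enable SSH service
+service:
+name: ssh
+state: reloaded
+enabled: true
+- name: Allow SSH network flows
+ansible.builtin.iptables:
+chain: INPUT
+protocol: tcp
+source: "{{ item }}"
+destination_port: "22"
+jump: ACCEPT
+comment: allow ssh
+loop:
+- "{{ openvpn_subnet }}"
+- "{{ local_subnet }}"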
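Review bot: `Copy configuration file` replaces /etc/ssh/sshd_config with no `validate`, and the next task reloads sshd, so a syntax error in files/ssh/sshd_config is applied before anyone notices, on a host managed over SSH. Add `validate: '/usr/sbin/sshd -t -f %s'` to the copy task so the reload only happens with a configuration sshd accepts. `Reload and enable SSH service` uses the short name `service` and runs unconditionally; `ansible.builtin.service` behind a handler would match the other files. `Allow authorized keys` manages keys additively (no `exclusive`), so removing an entry from `ssh_authorized_keys` does not revoke it on the host — fine if intended, but worth a comment on the task.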

8
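--- a/tasks/sysctl.yml
+++ b/tasks/sysctl.yml
@@ -0,0 +1,8 @@
+---
+- name: Disable ipv6
+ansible.posix.sysctl:
+name: net.ipv6.conf.all.disable_ipv6
+value: '1'
+state: present
+sysctl_file: /etc/sysctl.d/70-disable-ipv6.conf
+reload: yes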
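Review bot: Only `net.ipv6.conf.all.disable_ipv6` is set; interfaces created after the sysctl is applied take their initial value from `net.ipv6.conf.default.disable_ipv6`, so a second task setting that key in the same file is usually needed for the tunnel interface brought up by openvpn.yml to come up without IPv6 — verify against the target kernel. `reload: yes` should be `reload: true` to match the booleans used elsewhere in the commit.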

31
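--- a/tasks/telegraf.yml
+++ b/tasks/telegraf.yml
+---
+- name: Configure telegraf repository
+ansible.builtin.template:
+src: telegraf/influxdata.list.j2
+dest: /etc/apt/sources.list.d/influxdata.list
+- name: Download influxdata APT key
+ansible.builtin.apt_key:
+url: https://repos.influxdata.com/influxdb.key
+state: present
+- name: Install telegraf and dependencies
+ansible.builtin.apt:
+name:
+- telegraf
+- lm-sensors
+update_cache: true
+state: latest
+- name: Generate telegraf configurations
+ansible.builtin.template:
+src: "telegraf/{{ item }}.conf.j2"
+dest: "/etc/telegraf/telegraf.d/{{ item }}.conf"
+loop:
+- inputs
+- output
+- name: Restart telegraf service
+ansible.builtin.service:
+name: telegraf
+state: restarted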
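Review bot: `Download influxdata APT key` uses `ansible.builtin.apt_key`, which imports the key into apt's global trusted keyring; a key added that way can sign any configured repository, not only influxdata's, and the underlying `apt-key` tool is deprecated on current Debian releases. Fetching the key into a dedicated keyring (e.g. `ansible.builtin.get_url` to `/etc/apt/keyrings/<name>.gpg`, dearmored if the target apt needs a binary keyring) and referencing it with `signed-by=` in the influxdata.list template scopes the trust to that one repository. The key is fetched over HTTPS but not checked against a known fingerprint; `apt_key` accepts an `id:` and `get_url` a `checksum:` for that. The `output` template config may hold InfluxDB credentials — if so, give that task `mode: '0640'` and `no_log: true` like the other secret-bearing tasks.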

4
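--- a/tasks/time.yml
+++ b/tasks/time.yml
@@ -0,0 +1,4 @@
+---
+- name: Manage time zone
+ansible.builtin.command:
+cmd: "timedatectl set-timezone {{ timezone }}"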
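Review bot: `Manage time zone` shells out to `timedatectl set-timezone` on every run, so it always reports `changed`, and `{{ timezone }}` is split into command arguments unquoted. The `community.general.timezone` module (the collection is already used via `community.general.sudoers` in nagios.yml) does this idempotently: `community.general.timezone:` with `name: "{{ timezone }}"`. If the command form is kept, add `changed_when: false` or compare against the current setting first.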

14
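--- a/tasks/users.yml
+++ b/tasks/users.yml
+---
+- name: Create users
+ansible.builtin.user:
+name: "{{ item['name'] }}"
+password: "{{ item['password'] }}"
+loop: "{{ users }}"
+- name: Define bashrc
+ansible.builtin.copy:
+dest: "{% if item['name'] == 'root' %}/root{% else %}/home/{{ item['name'] }}{% endif %}/.bashrc"
+src: files/users/bashrc
+owner: "{{ item['name'] }}"
+group: "{{ item['name'] }}"
+loop: "{{ users }}"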
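Review bot: `Create users` passes `item['password']` straight to `ansible.builtin.user`, which expects an already-hashed value (a crypt(3) string), not plaintext; if the inventory holds plaintext, the account ends up with an unusable password and Ansible only warns. Either store hashes in `users` or apply `| password_hash('sha512')` here, and add `no_log: true` since the loop otherwise prints each item, password included, in the task output. `Define bashrc` sets `owner` and `group` but no `mode`, and both loops would read better with a `loop_control: label: "{{ item['name'] }}"` as vim.yml already does.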

13
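--- a/tasks/vim.yml
+++ b/tasks/vim.yml
+---
+- name: Install vim packages
+ansible.builtin.apt:
+name: vim
+state: present
+- name: Copy configurations
+ansible.builtin.copy:
+src: files/vim/vimrc
+dest: "{{ '/root/.vimrc' if item['name'] == 'root' else '/home/' + item['name'] + '/.vimrc' }}"
+loop: "{{ users }}"
+loop_control:
+label: "{{ item['name'] }}"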
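Review bot: `Copy configurations` places a .vimrc in each user's home without `owner` or `group`, so it is created owned by the account running the play (root) and the user cannot edit it; `Define bashrc` in users.yml sets `owner: "{{ item['name'] }}"` and `group: "{{ item['name'] }}"` for the same situation, and this task should do likewise. The inline conditional in `dest` duplicates the one in users.yml with different syntax (a Jinja `{% if %}` block there, an expression here); picking one form for both files would make them easier to keep in sync.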