From 0063f2157c72841da73ddff9c389bc0c314c0973 Mon Sep 17 00:00:00 2001 From: Julien Riou Date: Sat, 27 Apr 2024 17:31:37 +0200 Subject: [PATCH 01/10] feat: Add pre-commit Signed-off-by: Julien Riou --- .github/workflows/pre-commit.yml | 15 +++++++++++++++ .pre-commit-config.yaml | 9 +++++++++ files/bacula/make_catalog_backup.pl | 4 ++-- files/nagios/apache2.conf | 2 +- tasks/iptables.yml | 4 ++-- tasks/nagios.yml | 2 +- templates/nrpe/nrpe_local.cfg.j2 | 1 - 7 files changed, 30 insertions(+), 7 deletions(-) create mode 100644 .github/workflows/pre-commit.yml create mode 100644 .pre-commit-config.yaml diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml new file mode 100644 index 0000000..59c632c --- /dev/null +++ b/.github/workflows/pre-commit.yml @@ -0,0 +1,15 @@ +--- +name: pre-commit + +on: + pull_request: + push: + branches: [main] + +jobs: + pre-commit: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-python@v3 + - uses: pre-commit/action@v3.0.1 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..b71a1c8 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,9 @@ +--- +repos: +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.6.0 + hooks: + - id: check-yaml + - id: detect-private-key + - id: end-of-file-fixer + - id: trailing-whitespace diff --git a/files/bacula/make_catalog_backup.pl b/files/bacula/make_catalog_backup.pl index 90e1045..c683493 100755 --- a/files/bacula/make_catalog_backup.pl +++ b/files/bacula/make_catalog_backup.pl @@ -44,7 +44,7 @@ sub dump_sqlite3 sub setup_env_pgsql { my %args = @_; - my $username = getpwuid $ENV{'UID'}; + my $username = getpwuid $ENV{'UID'}; umask(0077); if ($args{db_address}) { 
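Review bot: The three `uses:` lines in the new `.github/workflows/pre-commit.yml` reference mutable tags (`actions/checkout@v3`, `actions/setup-python@v3`, `pre-commit/action@v3.0.1`), so whatever those tags resolve to at run time executes with the job's token. Pinning each to a full commit SHA with the version kept in a trailing comment, e.g. `- uses: actions/checkout@<commit-sha>  # v3`, makes the build reproducible and still lets dependency bots propose updates. The job also inherits the repository's default `GITHUB_TOKEN` permissions; pre-commit only needs to read the checkout, so a top-level `permissions:` / `  contents: read` block bounds what a misbehaving hook could do.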
@@ -93,7 +93,7 @@ sub setup_env_mysql my %args = @_; umask(0077); unlink("$wd/.my.cnf"); - open(MY, ">$wd/.my.cnf") + open(MY, ">$wd/.my.cnf") or die "Can't open $wd/.my.cnf for writing $@"; $args{db_address} = $args{db_address} || "localhost"; diff --git a/files/nagios/apache2.conf b/files/nagios/apache2.conf index e87d3e5..5dc43e2 100644 --- a/files/nagios/apache2.conf +++ b/files/nagios/apache2.conf @@ -20,5 +20,5 @@ Alias /nagios4 /usr/share/nagios4/htdocs - Options +ExecCGI + Options +ExecCGI diff --git a/tasks/iptables.yml b/tasks/iptables.yml index f127180..dc42fcb 100644 --- a/tasks/iptables.yml +++ b/tasks/iptables.yml @@ -21,7 +21,7 @@ comment: allow ping from the world - name: Deny input connections by default - ansible.builtin.iptables: + ansible.builtin.iptables: chain: INPUT policy: DROP @@ -60,4 +60,4 @@ state: latest - name: Save iptables - ansible.builtin.command: netfilter-persistent save + ansible.builtin.command: netfilter-persistent save diff --git a/tasks/nagios.yml b/tasks/nagios.yml index 298bb55..0375a95 100644 --- a/tasks/nagios.yml +++ b/tasks/nagios.yml @@ -59,7 +59,7 @@ dest: /opt/nagios-plugin-bacula - name: Copy global configuration - ansible.builtin.copy: + ansible.builtin.copy: src: files/nagios/nagios.cfg dest: /etc/nagios4/nagios.cfg diff --git a/templates/nrpe/nrpe_local.cfg.j2 b/templates/nrpe/nrpe_local.cfg.j2 index 5d027b5..73c64e8 100644 --- a/templates/nrpe/nrpe_local.cfg.j2 +++ b/templates/nrpe/nrpe_local.cfg.j2 @@ -3,4 +3,3 @@ {% for command in nrpe_commands | default([]) %} command[{{ command['name'] }}]={{ command['line'] }} {% endfor %} - From 38fef42aa61b566de77ddf188277872672dd0549 Mon Sep 17 00:00:00 2001 From: Julien Riou Date: Fri, 10 May 2024 13:32:56 +0200 Subject: [PATCH 02/10] style: Add ansible-lint 
Signed-off-by: Julien Riou --- .ansible-lint | 9 ++++ .github/workflows/pre-commit.yml | 6 +-- .pre-commit-config.yaml | 19 +++++---- TODO.md | 3 -- main.yml | 72 +++++++++++++++++++++++--------- tasks/apt.yml | 1 + tasks/bacula.yml | 2 +- tasks/easyrsa.yml | 8 ++-- tasks/hostname.yml | 3 +- tasks/iptables.yml | 2 +- tasks/mosquitto.yml | 2 +- tasks/motd.yml | 8 +++- tasks/nagios.yml | 15 +++++-- tasks/nrpe.yml | 3 ++ tasks/openvpn.yml | 4 +- tasks/serial2mqtt.yml | 13 +++--- tasks/ssh.yml | 3 +- tasks/sysctl.yml | 2 +- tasks/telegraf.yml | 5 ++- tasks/time.yml | 1 + tasks/users.yml | 1 + tasks/vim.yml | 1 + upgrade.yml | 3 +- 23 files changed, 128 insertions(+), 58 deletions(-) create mode 100644 .ansible-lint diff --git a/.ansible-lint b/.ansible-lint new file mode 100644 index 0000000..57fe7e6 --- /dev/null +++ b/.ansible-lint @@ -0,0 +1,9 @@ +--- +exclude_paths: + - .cache/ + - .github/ + - .pre-commit-config.yaml + - group_vars/pilote.yml + +skip_list: + - latest diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 59c632c..6a474d2 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -10,6 +10,6 @@ jobs: pre-commit: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: actions/setup-python@v3 - - uses: pre-commit/action@v3.0.1 + - uses: actions/checkout@v3 + - uses: actions/setup-python@v3 + - uses: pre-commit/action@v3.0.1 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index b71a1c8..34d5ba1 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -1,9 +1,14 @@ --- repos: -- repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.6.0 - hooks: - - id: check-yaml - - id: detect-private-key - - id: end-of-file-fixer - - id: trailing-whitespace + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.6.0 + hooks: + - id: check-yaml + - id: detect-private-key + - id: end-of-file-fixer + - id: trailing-whitespace + + - repo: https://github.com/ansible/ansible-lint + rev: v24.2.3 + hooks: + - id: ansible-lint diff --git a/TODO.md b/TODO.md index 9bdf499..b1a75ed 100644 --- a/TODO.md +++ b/TODO.md @@ -2,6 +2,3 @@ * EasyRSA tasks * Variables documentation -* Github actions - * pre-commit - * ansible-lint diff --git a/main.yml b/main.yml index 0b65dbb..992ddd7 100644 --- a/main.yml +++ b/main.yml 
@@ -1,23 +1,55 @@ --- -- hosts: pilote +- name: Configure pilote + hosts: pilote gather_facts: true tasks: - - ansible.builtin.include_tasks: tasks/sysctl.yml - - ansible.builtin.include_tasks: tasks/apt.yml - - ansible.builtin.include_tasks: tasks/users.yml - - ansible.builtin.include_tasks: tasks/profile.yml - - ansible.builtin.include_tasks: tasks/hostname.yml - - ansible.builtin.include_tasks: tasks/motd.yml - - ansible.builtin.include_tasks: tasks/time.yml - - ansible.builtin.include_tasks: tasks/ssh.yml - - ansible.builtin.include_tasks: tasks/openvpn.yml - - ansible.builtin.include_tasks: tasks/nagios.yml - - ansible.builtin.include_tasks: tasks/nrpe.yml - - ansible.builtin.include_tasks: tasks/mosquitto.yml - - ansible.builtin.include_tasks: tasks/serial2mqtt.yml - - ansible.builtin.include_tasks: tasks/telegraf.yml - - ansible.builtin.include_tasks: tasks/bacula.yml - - ansible.builtin.include_tasks: tasks/iptables.yml - # TODO - #- ansible.builtin.include_tasks: tasks/easyrsa.yml - - ansible.builtin.include_tasks: tasks/vim.yml + - name: Configure sysctl + ansible.builtin.include_tasks: tasks/sysctl.yml + + - name: Configure apt + ansible.builtin.include_tasks: tasks/apt.yml + + - name: Configure users + ansible.builtin.include_tasks: tasks/users.yml + + - name: Configure profile + ansible.builtin.include_tasks: tasks/profile.yml + + - name: Configure hostname + ansible.builtin.include_tasks: tasks/hostname.yml + + - name: Configure motd + ansible.builtin.include_tasks: tasks/motd.yml + + - name: Configure time + ansible.builtin.include_tasks: tasks/time.yml + + - name: Configure SSH + ansible.builtin.include_tasks: tasks/ssh.yml + + - name: Configure OpenVPN + ansible.builtin.include_tasks: tasks/openvpn.yml + + - name: Configure Nagios + ansible.builtin.include_tasks: tasks/nagios.yml + + - name: Configure NRPE + ansible.builtin.include_tasks: tasks/nrpe.yml + + - name: Configure Mosquitto + ansible.builtin.include_tasks: tasks/mosquitto.yml + + - name: 
Configure serial2mqtt + ansible.builtin.include_tasks: tasks/serial2mqtt.yml + + - name: Configure telegraf + ansible.builtin.include_tasks: tasks/telegraf.yml + + - name: Configure bacula + ansible.builtin.include_tasks: tasks/bacula.yml + + - name: Configure iptables + ansible.builtin.include_tasks: tasks/iptables.yml + + - name: Configure vim + ansible.builtin.include_tasks: tasks/vim.yml diff --git a/tasks/apt.yml b/tasks/apt.yml index 0ca4e58..5974737 100644 --- a/tasks/apt.yml +++ b/tasks/apt.yml @@ -10,6 +10,7 @@ ansible.builtin.template: src: apt/raspi.list.j2 dest: /etc/apt/sources.list.d/raspi.list + mode: "0644" - name: Update system ansible.builtin.apt: diff --git a/tasks/bacula.yml b/tasks/bacula.yml index f015f12..c8f2660 100644 --- a/tasks/bacula.yml +++ b/tasks/bacula.yml @@ -7,7 +7,6 @@ - bacula-fd - bacula-sd - bacula-console - state: latest - name: Configure database ansible.builtin.copy: @@ -61,6 +60,7 @@ ansible.builtin.template: src: "bacula/conf.d/{{ item }}.conf.j2" dest: "/etc/bacula/conf.d/{{ item }}.conf" + mode: "0644" loop: - clients - filesets diff --git a/tasks/easyrsa.yml b/tasks/easyrsa.yml index 16c897c..9e53fd2 100644 --- a/tasks/easyrsa.yml +++ b/tasks/easyrsa.yml @@ -1,13 +1,13 @@ --- # TODO -- name: copy easyrsa sources to /root - copy: +- name: Copy easyrsa sources to /root + ansible.builtin.copy: src: files/easyrsa/EasyRSA-v3.0.6 dest: /root/ mode: preserve -- name: add easyrsa binary to path - file: +- name: Add easyrsa binary to path + ansible.builtin.file: src: /root/EasyRSA-v3.0.6/easyrsa dest: /usr/local/sbin/easyrsa state: link diff --git a/tasks/hostname.yml b/tasks/hostname.yml index 66a03f4..dd31bc9 100644 --- a/tasks/hostname.yml +++ b/tasks/hostname.yml @@ -1,9 +1,10 @@ --- - name: Setup hostname - hostname: + ansible.builtin.hostname: name: "{{ hostname }}" - name: Manage /etc/hosts ansible.builtin.template: src: hostname/hosts.j2 dest: /etc/hosts + mode: "0644" 
diff --git a/tasks/iptables.yml b/tasks/iptables.yml index dc42fcb..3737468 100644 --- a/tasks/iptables.yml +++ b/tasks/iptables.yml @@ -57,7 +57,7 @@ name: - netfilter-persistent - iptables-persistent - state: latest - name: Save iptables ansible.builtin.command: netfilter-persistent save + changed_when: true diff --git a/tasks/mosquitto.yml b/tasks/mosquitto.yml index 4ee6111..d90ea6e 100644 --- a/tasks/mosquitto.yml +++ b/tasks/mosquitto.yml @@ -3,12 +3,12 @@ ansible.builtin.apt: name: - mosquitto - state: latest - name: Configure mosquitto ansible.builtin.copy: src: files/mosquitto/conf.d dest: /etc/mosquitto + mode: "0644" - name: Copy mosquitto password ansible.builtin.template: diff --git a/tasks/motd.yml b/tasks/motd.yml index 3830398..2ad6df3 100644 --- a/tasks/motd.yml +++ b/tasks/motd.yml @@ -6,10 +6,16 @@ - name: Run figlet ansible.builtin.shell: - cmd: "hostname | figlet -f /usr/share/figlet/smslant.flf" + cmd: >- + set -o pipefail + hostname | figlet -f /usr/share/figlet/smslant.flf" + args: + executable: /bin/bash register: _motd + changed_when: true - name: Create motd ansible.builtin.copy: dest: /etc/motd content: "{{ _motd.stdout }}\n" + mode: "0644" diff --git a/tasks/nagios.yml b/tasks/nagios.yml index 0375a95..8a0d08a 100644 --- a/tasks/nagios.yml +++ b/tasks/nagios.yml @@ -9,12 +9,12 @@ - python3-requests - python3-jsonschema - python-pexpect - state: latest - name: Generate nagios configurations ansible.builtin.template: src: "nagios/conf.d/{{ item }}.cfg.j2" dest: "/etc/nagios4/conf.d/{{ item }}.cfg" + mode: "0644" loop: - commands - hosts @@ -26,6 +26,7 @@ ansible.builtin.template: src: nagios/contacts.cfg.j2 dest: /etc/nagios4/objects/contacts.cfg + mode: "0644" - name: Copy check_timesyncd ansible.builtin.copy: 
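Review bot: The folded scalar (`>-`) in the new `cmd:` of `tasks/motd.yml` joins its two lines with a space, so bash receives `set -o pipefail hostname | figlet -f /usr/share/figlet/smslant.flf"` — `hostname` becomes a positional argument of `set` instead of a command, and the trailing `"` (the closing quote of the original string form, left behind) is an unterminated quote the shell rejects. A single line `cmd: set -o pipefail && hostname | figlet -f /usr/share/figlet/smslant.flf`, or a literal block (`|-`) with `set -o pipefail` on its own line and no quote, keeps the pipefail intent that `risky-shell-pipe` asks for. With `changed_when: true` now set, the task will also report changed on every run even when `/etc/motd` is unchanged; that is acceptable for a registered shell result but worth a one-line comment.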
@@ -47,7 +48,7 @@ - name: Configure notify-by-telegram ansible.builtin.copy: - content: "{{ {'auth_key': nagios_telegram_auth_key, 'chat_id': nagios_telegram_chat_id } | to_json }}" + content: "{{ {'auth_key': nagios_telegram_auth_key, 'chat_id': nagios_telegram_chat_id} | to_json }}" dest: /etc/nagios4/telegram.json owner: root group: nagios @@ -62,11 +63,13 @@ ansible.builtin.copy: src: files/nagios/nagios.cfg dest: /etc/nagios4/nagios.cfg + mode: "0644" - name: Copy CGI configuration ansible.builtin.copy: src: files/nagios/cgi.cfg dest: /etc/nagios4/cgi.cfg + mode: "0644" - name: Reload nagios ansible.builtin.service: @@ -77,16 +80,19 @@ ansible.builtin.template: src: nagios/htdigest.users.j2 dest: /etc/nagios4/htdigest.users + mode: "0644" - name: Secure Apache - copy: + ansible.builtin.copy: src: files/nagios/security.conf dest: /etc/apache2/conf-available/security.conf + mode: "0644" - name: Configure vhost for the web interface ansible.builtin.copy: src: files/nagios/apache2.conf dest: /etc/nagios4/apache2.conf + mode: "0644" - name: Enable Apache modules ansible.builtin.command: @@ -94,6 +100,7 @@ loop: - auth_digest - headers + changed_when: true - name: Restart apache ansible.builtin.service: @@ -101,7 +108,7 @@ state: restarted - name: Allow HTTP from vpn - iptables: + ansible.builtin.iptables: chain: INPUT protocol: tcp source: "{{ openvpn_subnet }}" diff --git a/tasks/nrpe.yml b/tasks/nrpe.yml index fdf1f72..42e6e7f 100644 --- a/tasks/nrpe.yml +++ b/tasks/nrpe.yml @@ -10,16 +10,19 @@ ansible.builtin.template: src: nrpe/nrpe.cfg.j2 dest: /etc/nagios/nrpe.cfg + mode: "0644" - name: Generate NRPE local configuration ansible.builtin.template: src: nrpe/nrpe_local.cfg.j2 dest: /etc/nagios/nrpe_local.cfg + mode: "0644" - name: Manage daemon settings ansible.builtin.template: src: nrpe/nagios-nrpe-server.j2 dest: /etc/default/nagios-nrpe-server + mode: "0644" - name: Clone check-mqtt source code ansible.builtin.git: 
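Review bot: In the `@@ -77,16 +80,19 @@` hunk of `tasks/nagios.yml`, `mode: "0644"` on `/etc/nagios4/htdigest.users` makes the digest-auth credential file world-readable; the HA1 hashes it holds are sufficient to authenticate to the web interface, so it deserves the treatment the earlier hunk already gives `telegram.json` (root-owned, group-readable only). The `owner`/`group` for this task are outside the hunk, so I cannot see which group Apache runs as here, but `mode: "0640"` together with `group: www-data` (or whatever group the Apache workers use on this host) is the usual setting. `security.conf` and `apache2.conf` in the same hunk carry no secrets, so `0644` is fine for them.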
diff --git a/tasks/openvpn.yml b/tasks/openvpn.yml index f7089c8..1254c9e 100644 --- a/tasks/openvpn.yml +++ b/tasks/openvpn.yml @@ -2,22 +2,24 @@ - name: Install OpenVPN ansible.builtin.apt: name: openvpn - state: latest - name: Deploy OpenVPN configuration ansible.builtin.template: src: openvpn/client.conf.j2 dest: /etc/openvpn/client.conf + mode: '0644' - name: Deploy OpenVPN CA cert ansible.builtin.copy: content: "{{ openvpn_ca }}" dest: /etc/openvpn/ca.crt + mode: '0644' - name: Deploy OpenVPN TLS auth ansible.builtin.copy: content: "{{ openvpn_ta }}" dest: /etc/openvpn/ta.key + mode: '0600' - name: Deploy OpenVPN client cert ansible.builtin.copy: diff --git a/tasks/serial2mqtt.yml b/tasks/serial2mqtt.yml index 33e1901..74f122f 100644 --- a/tasks/serial2mqtt.yml +++ b/tasks/serial2mqtt.yml @@ -4,7 +4,6 @@ name: - python3-serial - python3-paho-mqtt - state: latest - name: Clone arduino-sensors-toolkit sources ansible.builtin.git: @@ -14,11 +13,11 @@ - name: Add serial2mqtt user ansible.builtin.user: name: serial2mqtt - system: yes + system: true password: '!' home: /var/lib/serial2mqtt - create_home: no - append: yes + create_home: false + append: true groups: - dialout @@ -34,15 +33,17 @@ ansible.builtin.copy: src: files/serial2mqtt/serial2mqtt.default dest: /etc/default/serial2mqtt + mode: '0644' - name: Copy serial2mqtt service unit ansible.builtin.copy: src: files/serial2mqtt/serial2mqtt.service dest: /etc/systemd/system/serial2mqtt.service + mode: '0644' - name: Start serial2mqtt service ansible.builtin.systemd: name: serial2mqtt.service - daemon_reload: yes + daemon_reload: true state: restarted - enabled: yes + enabled: true diff --git a/tasks/ssh.yml b/tasks/ssh.yml index 45c74be..e2a10dc 100644 --- a/tasks/ssh.yml +++ b/tasks/ssh.yml @@ -2,7 +2,6 @@ - name: Install OpenSSH ansible.builtin.apt: name: openssh-server - state: latest - name: Allow authorized keys ansible.posix.authorized_key: 
@@ -20,7 +19,7 @@ mode: '0644' - name: Reload and enable SSH service - service: + ansible.builtin.service: name: ssh state: reloaded enabled: true diff --git a/tasks/sysctl.yml b/tasks/sysctl.yml index fc3e9a9..279f3d4 100644 --- a/tasks/sysctl.yml +++ b/tasks/sysctl.yml @@ -5,4 +5,4 @@ value: '1' state: present sysctl_file: /etc/sysctl.d/70-disable-ipv6.conf - reload: yes + reload: true diff --git a/tasks/telegraf.yml b/tasks/telegraf.yml index a5c5051..681c121 100644 --- a/tasks/telegraf.yml +++ b/tasks/telegraf.yml @@ -3,6 +3,7 @@ ansible.builtin.template: src: telegraf/influxdata.list.j2 dest: /etc/apt/sources.list.d/influxdata.list + mode: '0644' - name: Download influxdata APT key ansible.builtin.apt_key: @@ -15,12 +16,14 @@ - telegraf - lm-sensors update_cache: true - state: latest - name: Generate telegraf configurations ansible.builtin.template: src: "telegraf/{{ item }}.conf.j2" dest: "/etc/telegraf/telegraf.d/{{ item }}.conf" + mode: '0640' + owner: root + group: telegraf loop: - inputs - output diff --git a/tasks/time.yml b/tasks/time.yml index d4410b2..c3ca16f 100644 --- a/tasks/time.yml +++ b/tasks/time.yml @@ -2,3 +2,4 @@ - name: Manage time zone ansible.builtin.command: cmd: "timedatectl set-timezone {{ timezone }}" + changed_when: true diff --git a/tasks/users.yml b/tasks/users.yml index 2355d60..037a880 100644 --- a/tasks/users.yml +++ b/tasks/users.yml @@ -11,4 +11,5 @@ src: files/users/bashrc owner: "{{ item['name'] }}" group: "{{ item['name'] }}" + mode: '0644' loop: "{{ users }}" diff --git a/tasks/vim.yml b/tasks/vim.yml index ea21d14..cdeaeef 100644 --- a/tasks/vim.yml +++ b/tasks/vim.yml @@ -8,6 +8,7 @@ ansible.builtin.copy: src: files/vim/vimrc dest: "{{ '/root/.vimrc' if item['name'] == 'root' else '/home/' + item['name'] + '/.vimrc' }}" + mode: '0644' loop: "{{ users }}" loop_control: label: "{{ item['name'] }}" diff --git a/upgrade.yml b/upgrade.yml index 2654360..659254b 100644 --- a/upgrade.yml +++ b/upgrade.yml 
@@ -2,4 +2,5 @@ - name: Upgrade systems hosts: all tasks: - - include_tasks: tasks/apt-upgrade.yml + - name: Run apt upgrade + ansible.builtin.include_tasks: tasks/apt-upgrade.yml From 436c80ed331192022132b89ca2d9a58cafca6abc Mon Sep 17 00:00:00 2001 From: Julien Riou Date: Sun, 12 May 2024 08:53:44 +0200 Subject: [PATCH 03/10] fix(openvpn): Align cipher and data ciphers Signed-off-by: Julien Riou --- templates/openvpn/client.conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/openvpn/client.conf.j2 b/templates/openvpn/client.conf.j2 index c1a291b..9e773d8 100644 --- a/templates/openvpn/client.conf.j2 +++ b/templates/openvpn/client.conf.j2 @@ -16,6 +16,7 @@ key client.key remote-cert-tls server tls-auth ta.key 1 cipher AES-256-CBC +data-ciphers AES-256-CBC auth SHA256 verb 3 key-direction 1 From f3930ea7d450dfc2d24e412dafde90c73abbdd48 Mon Sep 17 00:00:00 2001 From: Julien Riou Date: Mon, 13 May 2024 14:52:27 +0200 Subject: [PATCH 04/10] doc: Add variables Signed-off-by: Julien Riou --- TODO.md | 1 - group_vars/README.md | 795 ++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 794 insertions(+), 2 deletions(-) diff --git a/TODO.md b/TODO.md index b1a75ed..298ed07 100644 --- a/TODO.md +++ b/TODO.md @@ -1,4 +1,3 @@ # TODO * EasyRSA tasks -* Variables documentation diff --git a/group_vars/README.md b/group_vars/README.md index 18d23c0..36904c3 100644 --- a/group_vars/README.md +++ b/group_vars/README.md 
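Review bot: `data-ciphers AES-256-CBC` in `templates/openvpn/client.conf.j2` restricts negotiation to a single non-AEAD cipher, so an OpenVPN 2.5+ server that offers AES-256-GCM can no longer select it and the data channel stays on CBC with the separate `auth SHA256` HMAC. If the server only supports AES-256-CBC this is the correct alignment, which is what the commit title suggests; otherwise listing the AEAD cipher first, `data-ciphers AES-256-GCM:AES-256-CBC`, keeps compatibility while preferring the stronger mode, with `cipher AES-256-CBC` remaining the fallback for peers that do not negotiate. Either way a short comment in the template naming the server version this matches would spare the next reader from guessing.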
@@ -1,3 +1,796 @@ # Variables -Soon. +Senstivie data should be encrypted using +[ansible-vault](https://docs.ansible.com/ansible/latest/cli/ansible-vault.html). + +## bacula_catalog_name + +Name of the Bacula catalog. + +```yaml +bacula_catalog_name: HomeCatalog +``` + +## bacula_clients + +List of Bacula Clients. + +```yaml +bacula_clients: + - name: pilote-fd + address: localhost + catalog: HomeCatalog + password: *** + file_retention: 60 days + job_retention: 6 months + autoprune: 'yes' + - name: vps-fd + address: 192.168.0.1 + catalog: HomeCatalog + password: *** + file_retention: 60 days + job_retention: 6 months + autoprune: 'yes' + - name: storage1-fd + address: 192.168.0.2 + catalog: HomeCatalog + password: *** + file_retention: 60 days + job_retention: 6 months + autoprune: 'yes' +``` + +## bacula_device_archive_device + +Directory of the Device where to store Bacula backups. + +```yaml +bacula_device_archive_device: /storage/bacula/backup +``` + +## bacula_device_name + +Name of the Bacula Device. + +```yaml +bacula_device_name: FileStorage +``` + +## bacula_director_address + +Address of the Bacula director. + +```yaml +bacula_director_address: 127.0.0.1 +``` + +## bacula_director_name + +Name of the Bacula director. + +```yaml +bacula_director_name: pilote-dir +``` + +## bacula_director_password + +Password of the Bacula director. + +```yaml +bacula_director_password: *** +``` + +## bacula_filedaemon_address + +Address of the Bacula Client (File Daemon). + +```yaml +bacula_filedaemon_address: 127.0.0.1 +``` + +## bacula_filedaemon_name + +Name of the Bacula Client (File Daemon). + +```yaml +bacula_filedaemon_name: pilote-fd +``` + +## bacula_filedaemon_password + +Password of the Bacula Client (File Daemon). + +```yaml +bacula_filedaemon_password: *** +``` + +## bacula_filesets + +List of Bacula File Sets. 
+ +```yaml +bacula_filesets: + - name: DebianFileSet + include: + options: + signature: MD5 + compression: GZIP + files: + - /etc + - /var/log + - /root + - /home + exclude: + files: + - '*~' + - name: CatalogFileSet + include: + options: + signature: MD5 + compression: GZIP + files: + - /var/lib/bacula/bacula.sql + - name: InfluxDBFileSet + include: + options: + signature: MD5 + files: + - /var/lib/bacula/influxdb + - name: GrafanaFileSet + include: + options: + signature: MD5 + files: + - /var/lib/bacula/grafana +``` + +## bacula_jobs + +List of Bacula Jobs. + +```yaml +bacula_jobs: + - name: BackupPilote + client: pilote-fd + fileset: DebianFileSet + - name: BackupStorage1 + client: storage1-fd + fileset: DebianFileSet + - name: BackupStorage2 + client: storage2-fd + fileset: DebianFileSet + - name: BackupStorage3 + client: storage3-fd + fileset: DebianFileSet + - name: BackupCatalog + client: pilote-fd + level: Full + fileset: CatalogFileSet + schedule: DefaultScheduleAfterBackup + run_before_job: /etc/bacula/scripts/make_catalog_backup.pl HomeCatalog + run_after_job: /etc/bacula/scripts/delete_catalog_backup + priority: 11 # run after main backup + - name: BackupInfluxDB + client: storage1-fd + fileset: InfluxDBFileSet + schedule: DefaultScheduleAfterBackup + client_run_before_job: /etc/bacula/scripts/influxdb-backup %l + client_run_after_job: /etc/bacula/scripts/influxdb-cleanup + priority: 11 # run after main backup + - name: BackupGrafana + client: storage1-fd + level: Full + fileset: GrafanaFileSet + schedule: DefaultScheduleAfterBackup + client_run_before_job: /etc/bacula/scripts/grafana-backup + client_run_after_job: /etc/bacula/scripts/grafana-cleanup + priority: 11 # run after main backup + - name: RestoreFiles + type: Restore + client: storage1-fd + storage: storage1-sd + fileset: DebianFileSet # required but not used + pool: FullFile # required but not used + messages: Standard + where: /storage/bacula/restore +``` + +## bacula_pools + +List of 
Bacula Pools. + +```yaml +bacula_pools: + - name: FullFile + pool_type: Backup + recycle: 'yes' + auto_prune: 'yes' + volume_retention: 10 years + storage: storage1-sd + maximum_volume_bytes: 1G + maximum_volumes: 100 + labelformat: Full- + - name: DiffFile + pool_type: Backup + recycle: 'yes' + auto_prune: 'yes' + volume_retention: 6 weeks + storage: storage1-sd + maximum_volume_bytes: 1G + maximum_volumes: 100 + labelformat: Diff- + - name: IncrFile + pool_type: Backup + recycle: 'yes' + auto_prune: 'yes' + volume_retention: 3 weeks + storage: storage1-sd + maximum_volume_bytes: 1G + maximum_volumes: 100 + labelformat: Incr- +``` + +## bacula_schedules + +List of Bacula Schedules. + +```yaml +bacula_schedules: + - name: DefaultSchedule + runs: + - datetime: 1st sun at 0:00 + job_overrides: + level: Full + - datetime: 2nd-5th sun at 0:00 + job_overrides: + level: Differential + - datetime: mon-sat at 0:00 + job_overrides: + level: Incremental + - name: DefaultScheduleAfterBackup + runs: + - datetime: sun-sat at 0:00 + job_overrides: + level: Full +``` + +## bacula_storage_address + +Address of the Bacula Storage. + +```yaml +bacula_storage_address: 127.0.0.1 +``` + +## bacula_storage_name + +Name of the Bacula Storage. + +```yaml +bacula_storage_name: storage1-sd +``` + +## bacula_storage_password + +Password of the Bacula Storage. + +```yaml +bacula_storage_password: *** +``` + +## bacula_storages + +List of Bacula Storages. + +```yaml +bacula_storages: + - name: storage1-sd + address: 192.168.0.2 + password: *** + device: FileStorage + media_type: File +``` + +## hostname + +Name of the remote host. + +```yaml +hostname: pilote +``` + +## local_subnet + +Local subnet where the remote host lives. + +```yaml +local_subnet: 192.168.0.0/24 +``` + +## mosquitto_passwords + +List of usernames and passwords to defined mosquitto users. 
+ +```yaml +mosquitto_passwords: + - user: telegraf + hash: '$***' + - user: nagios + hash: '$***' +``` + +See [mosquitto_passwd](https://mosquitto.org/man/mosquitto_passwd-1.html) +command to generate the hash file. + +## nagios_commands + +List of Nagios commands. + +```yaml +nagios_commands: + - command_name: check_nrpe_nossl + command_line: /usr/lib/nagios/plugins/check_nrpe -2 -H '$HOSTADDRESS$' -c '$ARG1$' -n + - command_name: check_https_vhost_certificate + command_line: /usr/lib/nagios/plugins/check_http --ssl --sni -I '$HOSTADDRESS$' -H '$ARG1$' -C '$ARG2$' +``` + +## nagios_contact_groups + +List of Nagios contact groups. + +```yaml +nagios_contact_groups: + - contactgroup_name: admins + alias: Nagios Administrators + members: + - admin + - telegram +``` + +## nagios_contacts + +List of Nagios contacts. + +```yaml +nagios_contacts: + - contact_name: admin + use: generic-contact + alias: Nagios Admin + email: noreply@nonexistant.com + host_notifications_enabled: 0 + service_notifications_enabled: 0 + - contact_name: telegram + use: generic-contact + alias: Telegram notifications + pager: 000000000 + email: noreply@nonexistant.com + service_notification_commands: notify-service-by-telegram + host_notification_commands: notify-host-by-telegram +``` + +## nagios_hostgroups + +List of Nagios host groups. + +```yaml +nagios_hostgroups: + - hostgroup_name: linux-servers + alias: Linux servers + members: + - pilote + - vps + - storage1 + - storage2 + - storage3 + - hostgroup_name: web-servers + alias: Web servers + members: + - vps +``` + +## nagios_hosts + +List of Nagios hosts. + +```yaml +nagios_hosts: + - use: home-host + host_name: pilote + alias: pilote + address: 127.0.0.1 + - use: home-host + host_name: vps + alias: vps + address: 10.8.0.1 +``` + +## nagios_host_templates + +List of Nagios host templates. 
+ +```yaml +nagios_host_templates: + - name: home-host + use: generic-host + check_command: check-host-alive + contact_groups: admins + notification_options: + - d + - u + - r + check_interval: 5 + retry_interval: 5 # retry every 5 minutes + max_check_attempts: 12 # alert at 1 hour (12x5 minutes) + notification_interval: 720 # resend notifications every 12 hours +``` + +## nagios_htdigest_users + +List of users for basic authentication. + +```yaml +nagios_htdigest_users: + - name: admin + hash: '...' +``` + +## nagios_service_dependencies + +List of Nagios service dependencies. + +```yaml +nagios_service_dependencies: + - host_name: pilote + service_description: ovhcloud_voip + dependent_host_name: pilote + dependent_service_description: ovhcloud_ping + execution_failure_criteria: u + notification_failure_criteria: u +``` + +## nagios_services + +List of Nagios services. + +```yaml +nagios_services: + - use: home-service + hostgroup_name: linux-servers + service_description: load + check_command: check_nrpe_nossl!check_load + - use: home-service + hostgroup_name: web-servers + service_description: https_monitoring_tld_certificate + check_command: check_https_vhost_certificate!monitoring.tld!1 +``` + +## nagios_service_templates + +List of Nagios service templates. + +```yaml +nagios_service_templates: + - name: home-service + use: generic-service + contact_groups: admins + check_interval: 5 + retry_interval: 5 # retry every 5 minutes + max_check_attempts: 12 # alert at 1 hour (12x5 minutes) + notification_interval: 720 # 12 hours + - name: public-service + use: generic-service + contact_groups: admins + check_interval: 1 + retry_interval: 1 # retry every minute + max_check_attempts: 3 # alert after 3 minutes + notification_interval: 60 # 1 hour +``` + +## nagios_telegram_auth_key + +Key used to authenticate to the Telegram API. See [how to create a +bot](https://core.telegram.org/bots#3-how-do-i-create-a-bot). 
+ +```yaml +nagios_telegram_auth_key: '***' +``` + +## nagios_telegram_chat_id + +Unique identifier for the target chat or username of the target channel (in the +format `@channelusername`). See [API +specifications](https://core.telegram.org/bots/api#sendmessage). + +```yaml +nagios_telegram_chat_id: 000000000 +``` + +## nrpe_allowed_hosts + +List of IP addresses or ranges allowed to talk to the NRPE daemon. + +```yaml +nrpe_allowed_hosts: + - 10.8.0.0/24 + - 127.0.0.1 +``` + +## nrpe_commands + +List of NRPE commands. + +```yaml +nrpe_commands: + - name: check_load + line: /usr/lib/nagios/plugins/check_load -r -w 1,1,1 -c 4,4,4 + - name: check_openvpn + line: '/usr/lib/nagios/plugins/check_procs -c 1: -C openvpn' + - name: check_openvpn_cert + line: >- + /opt/check_ssl_cert/check_ssl_cert -f /etc/openvpn/client.crt --ignore-maximum-validity + --ignore-incomplete-chain --allow-empty-san --ignore-sct --warning 15 --critical 1 +``` + +## nrpe_opts + +Options for the NRPE daemon. + +```yaml +nrpe_opts: '-n' # Disable TLS +``` + +## openvpn_ca + +Content of the certificate of the Certificate Authority (CA) used to certify +VPN connections. + +```yaml +openvpn_ca: | + -----BEGIN CERTIFICATE----- +``` + +## openvpn_cert + +Content of the certificate used to authenticate to the VPN server. + +```yaml +openvpn_cert: | + -----BEGIN CERTIFICATE----- +``` + +## openvpn_key + +Content of the private key used to authenticate to the VPN server. + +```yaml +openvpn_key: +``` + +## openvpn_remote_host + +Hostname or IP address of the remote VPN server. + +```yaml +openvpn_remote_host: vpn.fqdn +``` + +## openvpn_subnet + +Subnet used by OpenVPN to group clients. + +```yaml +openvpn_subnet: 10.8.0.0/24 +``` + +## openvpn_ta + +Content of the OpenVPN static key used for TLS authentication. + +```yaml +openvpn_ta: +``` + +## ovh_application_key + +Application key used to authenticate to the OVH API. 
+ +```yaml +ovh_application_key: deadbeef +``` + +See [first steps with the OVHcloud +APIs](https://help.ovhcloud.com/csm/en-gb-api-getting-started-ovhcloud-api?id=kb_article_view&sysparm_article=KB0042784). + +## ovh_application_secret + +Application secret used to authenticate to the OVH API. + +```yaml +ovh_application_secret: deadbeef +``` + +See [first steps with the OVHcloud +APIs](https://help.ovhcloud.com/csm/en-gb-api-getting-started-ovhcloud-api?id=kb_article_view&sysparm_article=KB0042784). + +## ovh_consumer_key + +Consumer key used to authenticate to the OVH API. + +```yaml +ovh_consumer_key: deadbeef +``` + +See [first steps with the OVHcloud +APIs](https://help.ovhcloud.com/csm/en-gb-api-getting-started-ovhcloud-api?id=kb_article_view&sysparm_article=KB0042784). + +## ovh_endpoint + +Endpoint of the OVH API. + +```yaml +ovh_endpoint: ovh-eu +``` + +See [first steps with the OVHcloud +APIs](https://help.ovhcloud.com/csm/en-gb-api-getting-started-ovhcloud-api?id=kb_article_view&sysparm_article=KB0042784). + +## serial2mqtt_host + +Hostname or IP address used by serial2mqtt to send messages to the MQTT broker. + +```yaml +serial2mqtt_host: localhost +``` + +## serial2mqtt_interface + +Name of the serial interface name used by serial2mqtt to gather metrics +produced by the Arduino board. + +```yaml +serial2mqtt_interface: /dev/ttyACM0 +``` + +## serial2mqtt_password + +Password used by serial2mqtt to send messages to the MQTT broker. + +```yaml +serial2mqtt_password: *** +``` +## serial2mqtt_port + +Port used by serial2mqtt to send messages to the MQTT broker. + +```yaml +serial2mqtt_port: 1883 +``` + +## serial2mqtt_topic_prefix + +Add this prefix to topic names on the MQTT broker for serial2mqtt messages. + +```yaml +serial2mqtt_topic_prefix: sensors +``` + +## serial2mqtt_username + +Username used by serial2mqtt to send messages to the MQTT broker. 
+ +```yaml +serial2mqtt_username: telegraf +``` + +## ssh_authorized_keys + +List of SSH authorized keys. + +```yaml +ssh_authorized_keys: + - user: root + key: ssh-ed25519 hash + comment: desktop +``` + +Used by +[ansible.posix.authorized_keys](https://docs.ansible.com/ansible/latest/collections/ansible/posix/authorized_key_module.html) +module. + +## telegraf_influxdb_database + +Name of the InfluxDB database used by telegraf to send metrics. + +```yaml +telegraf_influxdb_database: metrics +``` + +## telegraf_influxdb_password + +Password of the InfluxDB user used by telegraf to send metrics. + +```yaml +telegraf_influxdb_password: *** +``` + +## telegraf_influxdb_urls + +List of InfluxDB endpoints used by telegraf to send metrics. + +```yaml +telegraf_influxdb_urls: + - https://192.168.0.1:8088 +``` + +## telegraf_influxdb_username + +Name of the InfluxDB user used by telegraf to send metrics. + +```yaml +telegraf_influxdb_username: telegraf +``` + +## telegraf_mqtt_consumer_password + +Password used to authenticate to the MQTT broker for telegraf. + +```yaml +telegraf_mqtt_consumer_password: *** +``` + +## telegraf_mqtt_consumer_servers + +List of MQTT brokers for telegraf. + +```yaml +telegraf_mqtt_consumer_servers: + - tcp://localhost:1883 +``` + +## telegraf_mqtt_consumer_topics + +List of MQTT topics to consume for telegraf. + +```yaml +telegraf_mqtt_consumer_topics: + - sensors/humidity + - sensors/temperature +``` + +## telegraf_mqtt_consumer_username + +Name used to authenticate to the MQTT broker for telegraf. + +```yaml +telegraf_mqtt_consumer_username: telegraf +``` + +## telegraf_ping_ip + +IP address of the host to ping for latency metrics. + +```yaml +telegraf_ping_ip: 192.168.0.1 +``` + +## timezone + +Alias of the time zone. + +```yaml +timezone: Europe/Brussels +``` + +## users + +List of users to configure on the remote host. 
+ +```yaml +users: + - name: root + password: hash +``` + +Used by +[ansible.builtin.user](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/user_module.html) +module. From 19a7af377eaddfeae275bc2e7a5116986945835b Mon Sep 17 00:00:00 2001 From: Julien Riou Date: Mon, 13 May 2024 18:14:16 +0200 Subject: [PATCH 05/10] feat: Manage EasyRSA CA and certificates Signed-off-by: Julien Riou --- TODO.md | 2 +- group_vars/README.md | 21 ++++++++++++ main.yml | 3 ++ renew.yml | 10 ++++++ tasks/easyrsa-certs-delete.yml | 9 +++++ tasks/easyrsa.yml | 63 ++++++++++++++++++++++++++++++---- 6 files changed, 100 insertions(+), 8 deletions(-) create mode 100644 renew.yml create mode 100644 tasks/easyrsa-certs-delete.yml diff --git a/TODO.md b/TODO.md index 298ed07..11bcaae 100644 --- a/TODO.md +++ b/TODO.md @@ -1,3 +1,3 @@ # TODO -* EasyRSA tasks +- EasyRSA: Protect CA with a passphrase diff --git a/group_vars/README.md b/group_vars/README.md index 36904c3..eea9993 100644 --- a/group_vars/README.md +++ b/group_vars/README.md @@ -291,6 +291,27 @@ bacula_storages: media_type: File ``` +## easyrsa_ca_dir + +Path to the CA directory to create. + +```yaml +easyrsa_ca_dir: /var/lib/easyrsa +``` + +## easyrsa_clients + +List of client hostnames that will have RSA certificates. + +```yaml +easyrsa_clients: + - pilote + - storage1 + - storage2 + - storage3 + - vps +``` + ## hostname Name of the remote host. diff --git a/main.yml b/main.yml index 992ddd7..a413b86 100644 --- a/main.yml +++ b/main.yml @@ -53,3 +53,6 @@ - name: Configure vim ansible.builtin.include_tasks: tasks/vim.yml + + - name: Configure EasyRSA + ansible.builtin.include_tasks: tasks/easyrsa.yml diff --git a/renew.yml b/renew.yml new file mode 100644 index 0000000..2686afe --- /dev/null +++ b/renew.yml 
@@ -0,0 +1,10 @@ +--- +- name: Renew client RSA certificates + hosts: pilote + gather_facts: false + tasks: + - name: Delete client certificates + ansible.builtin.include_tasks: tasks/easyrsa-certs-delete.yml + + - name: Configure EasyRSA + ansible.builtin.include_tasks: tasks/easyrsa.yml diff --git a/tasks/easyrsa-certs-delete.yml b/tasks/easyrsa-certs-delete.yml new file mode 100644 index 0000000..33421f6 --- /dev/null +++ b/tasks/easyrsa-certs-delete.yml @@ -0,0 +1,9 @@ +--- +- name: Delete EasyRSA certificates + ansible.builtin.file: + name: "{{ item }}" + state: absent + loop: + - "{{ easyrsa_ca_dir }}/pki/reqs/{{ client_name }}.req" + - "{{ easyrsa_ca_dir }}/pki/private/{{ client_name }}.key" + - "{{ easyrsa_ca_dir }}/pki/issued/{{ client_name }}.crt" diff --git a/tasks/easyrsa.yml b/tasks/easyrsa.yml index 9e53fd2..d1ebda7 100644 --- a/tasks/easyrsa.yml +++ b/tasks/easyrsa.yml 
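Review bot: renew.yml deletes the client's req, key and crt in tasks/easyrsa-certs-delete.yml and then re-runs tasks/easyrsa.yml, but nothing revokes the old certificate, so a previously issued certificate (and any copy of its key already distributed) stays valid until its expiry date. Run `easyrsa revoke {{ client_name }}` followed by `easyrsa gen-crl` before the delete task and distribute the resulting `pki/crl.pem`, otherwise "renewal" does not invalidate the old credential. Also, `client_name` is not set by renew.yml and is not looped over `easyrsa_clients`; presumably it is meant to come from `-e client_name=...`, which is worth documenting in group_vars/README.md or guarding with an `ansible.builtin.assert` on `client_name is defined` at the top of the play.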
@@ -1,13 +1,62 @@ --- -# TODO -- name: Copy easyrsa sources to /root - ansible.builtin.copy: - src: files/easyrsa/EasyRSA-v3.0.6 - dest: /root/ - mode: preserve +- name: Install EasyRSA + ansible.builtin.package: + name: easy-rsa - name: Add easyrsa binary to path ansible.builtin.file: - src: /root/EasyRSA-v3.0.6/easyrsa + src: /usr/share/easy-rsa/easyrsa dest: /usr/local/sbin/easyrsa state: link + +- name: Create CA directory + ansible.builtin.command: + cmd: "make-cadir {{ easyrsa_ca_dir }}" + creates: "{{ easyrsa_ca_dir }}" + +- name: Init PKI + ansible.builtin.command: + cmd: easyrsa init-pki + chdir: "{{ easyrsa_ca_dir }}" + creates: "{{ easyrsa_ca_dir }}/pki" + environment: + EASYRSA_BATCH: "1" + +- name: Create symlinks + ansible.builtin.file: + src: "{{ easyrsa_ca_dir }}/{{ item }}" + dest: "{{ easyrsa_ca_dir }}/pki/{{ item }}" + state: link + loop: + - x509-types + - openssl-easyrsa.cnf + +- name: Create random file + ansible.builtin.command: + cmd: "openssl rand -writerand {{ easyrsa_ca_dir }}/pki/.rnd" + creates: "{{ easyrsa_ca_dir }}/pki/.rnd" + +- name: Build CA + ansible.builtin.command: + cmd: easyrsa build-ca nopass + chdir: "{{ easyrsa_ca_dir }}" + creates: "{{ easyrsa_ca_dir }}/pki/ca.crt" + environment: + EASYRSA_BATCH: "1" + +- name: Generate DH parameters + ansible.builtin.command: + cmd: easyrsa gen-dh + chdir: "{{ easyrsa_ca_dir }}" + creates: "{{ easyrsa_ca_dir }}/pki/dh.pem" + environment: + EASYRSA_BATCH: "1" + +- name: Generate client certificates + ansible.builtin.command: + cmd: "easyrsa build-client-full {{ item }} nopass" + chdir: "{{ easyrsa_ca_dir }}" + creates: "{{ easyrsa_ca_dir }}/pki/private/{{ item }}.key" + environment: + EASYRSA_BATCH: "1" + loop: "{{ easyrsa_clients | default([]) }}" From d8c17dad4b40f3d1ec1440e2b30076859c962af3 Mon Sep 17 00:00:00 2001 From: Julien Riou Date: Sat, 27 Jul 2024 09:51:20 +0200 Subject: [PATCH 06/10] fix: Invalid arguments in MOTD and Nagios 
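Review bot: Both `easyrsa build-ca nopass` and `easyrsa build-client-full {{ item }} nopass` leave unencrypted private keys under `{{ easyrsa_ca_dir }}/pki/private`, and the playbook never sets owner or mode on `easyrsa_ca_dir` itself, relying on whatever `make-cadir` and `init-pki` happen to produce under the current umask. Add an explicit `ansible.builtin.file` task right after `Create CA directory` that pins the directory to root-only access, so a permissive umask or a change in the tools cannot expose the keys. The missing CA passphrase is already tracked in TODO.md; the client `nopass` keys deserve at least a sentence under `easyrsa_clients` in group_vars/README.md saying they are generated unencrypted on the CA host.
```yaml
    creates: "{{ easyrsa_ca_dir }}"

- name: Restrict access to the CA directory
  ansible.builtin.file:
    path: "{{ easyrsa_ca_dir }}"
    state: directory
    owner: root
    group: root
    mode: "0700"

# … unchanged: Init PKI, Create symlinks, Create random file, Build CA, Generate DH parameters, Generate client certificates …
```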
Signed-off-by: Julien Riou --- tasks/motd.yml | 5 ++--- tasks/nagios.yml | 2 +- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/tasks/motd.yml b/tasks/motd.yml index 2ad6df3..26dd543 100644 --- a/tasks/motd.yml +++ b/tasks/motd.yml @@ -8,9 +8,8 @@ ansible.builtin.shell: cmd: >- set -o pipefail - hostname | figlet -f /usr/share/figlet/smslant.flf" - args: - executable: /bin/bash + hostname | figlet -f /usr/share/figlet/smslant.flf + executable: /bin/bash register: _motd changed_when: true diff --git a/tasks/nagios.yml b/tasks/nagios.yml index 8a0d08a..8075580 100644 --- a/tasks/nagios.yml +++ b/tasks/nagios.yml @@ -69,7 +69,7 @@ ansible.builtin.copy: src: files/nagios/cgi.cfg dest: /etc/nagios4/cgi.cfg - mode: "0644" + mode: "0644" - name: Reload nagios ansible.builtin.service: From 36c0ce1de655ea606641918193ad9bed43d9faed Mon Sep 17 00:00:00 2001 From: Julien Riou Date: Sat, 27 Jul 2024 19:20:30 +0200 Subject: [PATCH 07/10] feat: Debian 12 compatibility Signed-off-by: Julien Riou --- group_vars/README.md | 2 -- main.yml | 6 +++--- tasks/bacula.yml | 10 +++++++++- tasks/iptables.yml | 5 +++++ tasks/mosquitto.yml | 19 ++++++++++--------- tasks/nagios.yml | 3 ++- tasks/nrpe.yml | 2 +- tasks/telegraf.yml | 2 +- templates/mosquitto/default.conf.j2 | 3 +++ 9 files changed, 34 insertions(+), 18 deletions(-) create mode 100644 templates/mosquitto/default.conf.j2 diff --git a/group_vars/README.md b/group_vars/README.md index eea9993..9a9e653 100644 --- a/group_vars/README.md +++ b/group_vars/README.md @@ -349,8 +349,6 @@ List of Nagios commands. ```yaml nagios_commands: - - command_name: check_nrpe_nossl - command_line: /usr/lib/nagios/plugins/check_nrpe -2 -H '$HOSTADDRESS$' -c '$ARG1$' -n - command_name: check_https_vhost_certificate command_line: /usr/lib/nagios/plugins/check_http --ssl --sni -I '$HOSTADDRESS$' -H '$ARG1$' -C '$ARG2$' ``` diff --git a/main.yml b/main.yml index a413b86..893d476 100644 --- a/main.yml +++ b/main.yml 
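Review bot: The folded scalar `cmd: >-` joins `set -o pipefail` and `hostname | figlet -f /usr/share/figlet/smslant.flf` with a single space, so the shell receives the one-liner `set -o pipefail hostname | figlet ...`, where `hostname` becomes a positional argument of `set` instead of a command and figlet presumably reads nothing from the pipe. Switch to a literal block, `cmd: |`, so the two lines stay two commands; the removal of the stray `"` and of the `args:` nesting is otherwise correct. The `ansible.builtin.shell` task's `- name:` line sits before the hunk.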
@@ -24,6 +24,9 @@ - name: Configure time ansible.builtin.include_tasks: tasks/time.yml + - name: Configure iptables + ansible.builtin.include_tasks: tasks/iptables.yml + - name: Configure SSH ansible.builtin.include_tasks: tasks/ssh.yml @@ -48,9 +51,6 @@ - name: Configure bacula ansible.builtin.include_tasks: tasks/bacula.yml - - name: Configure iptables - ansible.builtin.include_tasks: tasks/iptables.yml - - name: Configure vim ansible.builtin.include_tasks: tasks/vim.yml diff --git a/tasks/bacula.yml b/tasks/bacula.yml index c8f2660..f3e5fd6 100644 --- a/tasks/bacula.yml +++ b/tasks/bacula.yml @@ -1,6 +1,6 @@ --- - name: Install bacula - ansible.builtin.apt: + ansible.builtin.package: name: - bacula-director - bacula-director-sqlite3 @@ -56,6 +56,14 @@ owner: root group: bacula +- name: Create configuration directory + ansible.builtin.file: + path: /etc/bacula/conf.d + state: directory + owner: root + group: root + mode: '0755' + - name: Copy configuration files ansible.builtin.template: src: "bacula/conf.d/{{ item }}.conf.j2" diff --git a/tasks/iptables.yml b/tasks/iptables.yml index 3737468..9cdb9b4 100644 --- a/tasks/iptables.yml +++ b/tasks/iptables.yml @@ -1,4 +1,9 @@ --- +- name: Install iptables + ansible.builtin.package: + name: iptables + state: present + - name: Allow related and established connections ansible.builtin.iptables: chain: INPUT diff --git a/tasks/mosquitto.yml b/tasks/mosquitto.yml index d90ea6e..1921cee 100644 --- a/tasks/mosquitto.yml +++ b/tasks/mosquitto.yml 
@@ -1,22 +1,23 @@ --- - name: Install packages - ansible.builtin.apt: - name: - - mosquitto + ansible.builtin.package: + name: mosquitto -- name: Configure mosquitto - ansible.builtin.copy: - src: files/mosquitto/conf.d - dest: /etc/mosquitto +- name: Deploy general configuration + ansible.builtin.template: + src: mosquitto/default.conf.j2 + dest: /etc/mosquitto/conf.d/default.conf mode: "0644" + owner: root + group: root - name: Copy mosquitto password ansible.builtin.template: src: mosquitto/passwd.j2 dest: /etc/mosquitto/passwd - mode: '0600' + mode: '0640' owner: root - group: root + group: mosquitto - name: Restart mosquitto ansible.builtin.service: diff --git a/tasks/nagios.yml b/tasks/nagios.yml index 8075580..e04f70e 100644 --- a/tasks/nagios.yml +++ b/tasks/nagios.yml @@ -8,7 +8,7 @@ - python3-jinja2 - python3-requests - python3-jsonschema - - python-pexpect + - python3-pexpect - name: Generate nagios configurations ansible.builtin.template: @@ -100,6 +100,7 @@ loop: - auth_digest - headers + - cgi changed_when: true - name: Restart apache diff --git a/tasks/nrpe.yml b/tasks/nrpe.yml index 42e6e7f..05c2623 100644 --- a/tasks/nrpe.yml +++ b/tasks/nrpe.yml @@ -50,7 +50,7 @@ - name: Install check_ovhcloud dependencies ansible.builtin.pip: requirements: /opt/check_ovhcloud/requirements.txt - extra_args: "--user" + extra_args: "--user --break-system-packages" become: true become_user: nagios diff --git a/tasks/telegraf.yml b/tasks/telegraf.yml index 681c121..842258c 100644 --- a/tasks/telegraf.yml +++ b/tasks/telegraf.yml @@ -7,7 +7,7 @@ - name: Download influxdata APT key ansible.builtin.apt_key: - url: https://repos.influxdata.com/influxdb.key + url: https://repos.influxdata.com/influxdata-archive_compat.key state: present - name: Install telegraf and dependencies diff --git a/templates/mosquitto/default.conf.j2 b/templates/mosquitto/default.conf.j2 new file mode 100644 index 0000000..f1d2456 --- /dev/null +++ b/templates/mosquitto/default.conf.j2 
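Review bot: `--break-system-packages` in the `ansible.builtin.pip` task disables the PEP 668 guard; with `--user` it still lands in the nagios user's home rather than the system site-packages, which limits the impact, but the packages come from an unpinned requirements file of a cloned repository and now bypass the distribution's protection by design. A per-plugin virtualenv (`virtualenv: /opt/check_ovhcloud/venv` on the same task, dropping the `extra_args`) avoids the flag entirely and keeps the plugin's dependencies isolated from everything else nagios runs. The task's `- name:` line appears only in the hunk header context.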
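Review bot: `ansible.builtin.apt_key` still places the InfluxData key in the global apt trusted keyring, where it is accepted for every configured repository, and `apt-key` is deprecated on Debian 12, which is the target of this commit. Fetch the key with `ansible.builtin.get_url` into `/etc/apt/keyrings/` (with a `checksum:` so a swapped key is detected) and reference it from the repository entry via `signed-by=`, so only the InfluxData repository trusts it. The `apt_repository` task that would need the matching `signed-by` change is presumably elsewhere in tasks/telegraf.yml and is not in the hunk.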
@@ -0,0 +1,3 @@ +{{ ansible_managed | comment }} +allow_anonymous false +password_file /etc/mosquitto/passwd From a8389a7c0ae1fad45e82bef7de5b02f1a6523613 Mon Sep 17 00:00:00 2001 From: Julien Riou Date: Sat, 27 Jul 2024 19:29:14 +0200 Subject: [PATCH 08/10] feat: Enable Nagios and Apache Signed-off-by: Julien Riou --- tasks/nagios.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tasks/nagios.yml b/tasks/nagios.yml index e04f70e..6a7d1ad 100644 --- a/tasks/nagios.yml +++ b/tasks/nagios.yml @@ -1,6 +1,6 @@ --- - name: Install nagios - ansible.builtin.apt: + ansible.builtin.package: name: - nagios4 - git @@ -75,6 +75,7 @@ ansible.builtin.service: name: nagios4 state: reloaded + enabled: true - name: Configure htaccess for the web interface ansible.builtin.template: @@ -107,6 +108,7 @@ ansible.builtin.service: name: apache2 state: restarted + enabled: true - name: Allow HTTP from vpn ansible.builtin.iptables: From cf262bbf9e709b2336bc0e40086b525b2ed89f99 Mon Sep 17 00:00:00 2001 From: Julien Riou Date: Sat, 27 Jul 2024 21:24:31 +0200 Subject: [PATCH 09/10] feat: Use Python3 compatible fork of bacula plugin for Nagios Signed-off-by: Julien Riou --- tasks/nagios.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/nagios.yml b/tasks/nagios.yml index 6a7d1ad..5dc9c31 100644 --- a/tasks/nagios.yml +++ b/tasks/nagios.yml @@ -56,7 +56,7 @@ - name: Clone nagios-plugin-bacula source code ansible.builtin.git: - repo: https://github.com/twpayne/nagios-plugin-bacula.git + repo: https://github.com/jouir/nagios-plugin-bacula.git dest: /opt/nagios-plugin-bacula - name: Copy global configuration From 97ab3931bb4bc20df2261e351deb414fbb1be426 Mon Sep 17 00:00:00 2001 From: Julien Riou Date: Tue, 17 Dec 2024 10:44:57 +0100 Subject: [PATCH 10/10] chore: Disable bacula Not used anymore. Moving things to Sanoid instead. Signed-off-by: Julien Riou --- main.yml | 3 --- 1 file changed, 3 deletions(-) 
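Review bot: The `ansible.builtin.git` task clones the new fork without a `version:`, so every run tracks the default branch's HEAD and whatever is pushed there is deployed to /opt/nagios-plugin-bacula as a Nagios plugin. Pin the checkout with `version: <pinned-commit-sha>` (placeholder: the SHA of the revision actually tested) and bump it deliberately, which also makes the playbook reproducible. The `dest:` line is the last line of the task inside the hunk.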
diff --git a/main.yml b/main.yml index 893d476..e202e8d 100644 --- a/main.yml +++ b/main.yml @@ -48,9 +48,6 @@ - name: Configure telegraf ansible.builtin.include_tasks: tasks/telegraf.yml - - name: Configure bacula - ansible.builtin.include_tasks: tasks/bacula.yml - - name: Configure vim ansible.builtin.include_tasks: tasks/vim.yml