chore: Disable bacula

Not used anymore. Moving things to Sanoid instead.

Signed-off-by: Julien Riou <julien@riou.xyz>

.ansible-lint

@@ -0,0 +1,9 @@
+---
+exclude_paths:
+  - .cache/
+  - .github/
+  - .pre-commit-config.yaml
+  - group_vars/pilote.yml
+
+skip_list:
+  - latest

.github/workflows/pre-commit.yml

@@ -0,0 +1,15 @@
+---
+name: pre-commit
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v3
+      - uses: pre-commit/action@v3.0.1

.pre-commit-config.yaml

@@ -0,0 +1,14 @@
+---
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0
+    hooks:
+      - id: check-yaml
+      - id: detect-private-key
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+
+  - repo: https://github.com/ansible/ansible-lint
+    rev: v24.2.3
+    hooks:
+      - id: ansible-lint

TODO.md

@@ -1,7 +1,3 @@
 # TODO
 
-* EasyRSA tasks
+- EasyRSA: Protect CA with a passphrase
-* Variables documentation
-* Github actions
-    * pre-commit
-    * ansible-lint

files/bacula/make_catalog_backup.pl

@@ -44,7 +44,7 @@ sub dump_sqlite3
 sub setup_env_pgsql
 {
     my %args = @_;
-    my $username = getpwuid $ENV{'UID'}; 
+    my $username = getpwuid $ENV{'UID'};
     umask(0077);
 
     if ($args{db_address}) {
@@ -93,7 +93,7 @@ sub setup_env_mysql
     my %args = @_;
     umask(0077);
     unlink("$wd/.my.cnf");
-    open(MY, ">$wd/.my.cnf") 
+    open(MY, ">$wd/.my.cnf")
         or die "Can't open $wd/.my.cnf for writing $@";
 
     $args{db_address} = $args{db_address} || "localhost";

files/nagios/apache2.conf

@@ -20,5 +20,5 @@ Alias /nagios4 /usr/share/nagios4/htdocs
 </DirectoryMatch>
 
 <Directory /usr/share/nagios4/htdocs>
-    Options	+ExecCGI	
+    Options	+ExecCGI
 </Directory>

group_vars/README.md

@@ -1,3 +1,815 @@
 # Variables
 
-Soon.
+Senstivie data should be encrypted using
+[ansible-vault](https://docs.ansible.com/ansible/latest/cli/ansible-vault.html).
+
+## bacula_catalog_name
+
+Name of the Bacula catalog.
+
+```yaml
+bacula_catalog_name: HomeCatalog
+```
+
+## bacula_clients
+
+List of Bacula Clients.
+
+```yaml
+bacula_clients:
+  - name: pilote-fd
+    address: localhost
+    catalog: HomeCatalog
+    password: ***
+    file_retention: 60 days
+    job_retention: 6 months
+    autoprune: 'yes'
+  - name: vps-fd
+    address: 192.168.0.1
+    catalog: HomeCatalog
+    password: ***
+    file_retention: 60 days
+    job_retention: 6 months
+    autoprune: 'yes'
+  - name: storage1-fd
+    address: 192.168.0.2
+    catalog: HomeCatalog
+    password: ***
+    file_retention: 60 days
+    job_retention: 6 months
+    autoprune: 'yes'
+```
+
+## bacula_device_archive_device
+
+Directory of the Device where to store Bacula backups.
+
+```yaml
+bacula_device_archive_device: /storage/bacula/backup
+```
+
+## bacula_device_name
+
+Name of the Bacula Device.
+
+```yaml
+bacula_device_name: FileStorage
+```
+
+## bacula_director_address
+
+Address of the Bacula director.
+
+```yaml
+bacula_director_address: 127.0.0.1
+```
+
+## bacula_director_name
+
+Name of the Bacula director.
+
+```yaml
+bacula_director_name: pilote-dir
+```
+
+## bacula_director_password
+
+Password of the Bacula director.
+
+```yaml
+bacula_director_password: ***
+```
+
+## bacula_filedaemon_address
+
+Address of the Bacula Client (File Daemon).
+
+```yaml
+bacula_filedaemon_address: 127.0.0.1
+```
+
+## bacula_filedaemon_name
+
+Name of the Bacula Client (File Daemon).
+
+```yaml
+bacula_filedaemon_name: pilote-fd
+```
+
+## bacula_filedaemon_password
+
+Password of the Bacula Client (File Daemon).
+
+```yaml
+bacula_filedaemon_password: ***
+```
+
+## bacula_filesets
+
+List of Bacula File Sets.
+
+```yaml
+bacula_filesets:
+  - name: DebianFileSet
+    include:
+      options:
+        signature: MD5
+        compression: GZIP
+      files:
+        - /etc
+        - /var/log
+        - /root
+        - /home
+    exclude:
+      files:
+        - '*~'
+  - name: CatalogFileSet
+    include:
+      options:
+        signature: MD5
+        compression: GZIP
+      files:
+        - /var/lib/bacula/bacula.sql
+  - name: InfluxDBFileSet
+    include:
+      options:
+        signature: MD5
+      files:
+        - /var/lib/bacula/influxdb
+  - name: GrafanaFileSet
+    include:
+      options:
+        signature: MD5
+      files:
+        - /var/lib/bacula/grafana
+```
+
+## bacula_jobs
+
+List of Bacula Jobs.
+
+```yaml
+bacula_jobs:
+  - name: BackupPilote
+    client: pilote-fd
+    fileset: DebianFileSet
+  - name: BackupStorage1
+    client: storage1-fd
+    fileset: DebianFileSet
+  - name: BackupStorage2
+    client: storage2-fd
+    fileset: DebianFileSet
+  - name: BackupStorage3
+    client: storage3-fd
+    fileset: DebianFileSet
+  - name: BackupCatalog
+    client: pilote-fd
+    level: Full
+    fileset: CatalogFileSet
+    schedule: DefaultScheduleAfterBackup
+    run_before_job: /etc/bacula/scripts/make_catalog_backup.pl HomeCatalog
+    run_after_job: /etc/bacula/scripts/delete_catalog_backup
+    priority: 11  # run after main backup
+  - name: BackupInfluxDB
+    client: storage1-fd
+    fileset: InfluxDBFileSet
+    schedule: DefaultScheduleAfterBackup
+    client_run_before_job: /etc/bacula/scripts/influxdb-backup %l
+    client_run_after_job: /etc/bacula/scripts/influxdb-cleanup
+    priority: 11  # run after main backup
+  - name: BackupGrafana
+    client: storage1-fd
+    level: Full
+    fileset: GrafanaFileSet
+    schedule: DefaultScheduleAfterBackup
+    client_run_before_job: /etc/bacula/scripts/grafana-backup
+    client_run_after_job: /etc/bacula/scripts/grafana-cleanup
+    priority: 11  # run after main backup
+  - name: RestoreFiles
+    type: Restore
+    client: storage1-fd
+    storage: storage1-sd
+    fileset: DebianFileSet  # required but not used
+    pool: FullFile  # required but not used
+    messages: Standard
+    where: /storage/bacula/restore
+```
+
+## bacula_pools
+
+List of Bacula Pools.
+
+```yaml
+bacula_pools:
+  - name: FullFile
+    pool_type: Backup
+    recycle: 'yes'
+    auto_prune: 'yes'
+    volume_retention: 10 years
+    storage: storage1-sd
+    maximum_volume_bytes: 1G
+    maximum_volumes: 100
+    labelformat: Full-
+  - name: DiffFile
+    pool_type: Backup
+    recycle: 'yes'
+    auto_prune: 'yes'
+    volume_retention: 6 weeks
+    storage: storage1-sd
+    maximum_volume_bytes: 1G
+    maximum_volumes: 100
+    labelformat: Diff-
+  - name: IncrFile
+    pool_type: Backup
+    recycle: 'yes'
+    auto_prune: 'yes'
+    volume_retention: 3 weeks
+    storage: storage1-sd
+    maximum_volume_bytes: 1G
+    maximum_volumes: 100
+    labelformat: Incr-
+```
+
+## bacula_schedules
+
+List of Bacula Schedules.
+
+```yaml
+bacula_schedules:
+  - name: DefaultSchedule
+    runs:
+      - datetime: 1st sun at 0:00
+        job_overrides:
+          level: Full
+      - datetime: 2nd-5th sun at 0:00
+        job_overrides:
+          level: Differential
+      - datetime: mon-sat at 0:00
+        job_overrides:
+          level: Incremental
+  - name: DefaultScheduleAfterBackup
+    runs:
+      - datetime: sun-sat at 0:00
+        job_overrides:
+          level: Full
+```
+
+## bacula_storage_address
+
+Address of the Bacula Storage.
+
+```yaml
+bacula_storage_address: 127.0.0.1
+```
+
+## bacula_storage_name
+
+Name of the Bacula Storage.
+
+```yaml
+bacula_storage_name: storage1-sd
+```
+
+## bacula_storage_password
+
+Password of the Bacula Storage.
+
+```yaml
+bacula_storage_password: ***
+```
+
+## bacula_storages
+
+List of Bacula Storages.
+
+```yaml
+bacula_storages:
+  - name: storage1-sd
+    address: 192.168.0.2
+    password: ***
+    device: FileStorage
+    media_type: File
+```
+
+## easyrsa_ca_dir
+
+Path to the CA directory to create.
+
+```yaml
+easyrsa_ca_dir: /var/lib/easyrsa
+```
+
+## easyrsa_clients
+
+List of client hostnames that will have RSA certificates.
+
+```yaml
+easyrsa_clients:
+  - pilote
+  - storage1
+  - storage2
+  - storage3
+  - vps
+```
+
+## hostname
+
+Name of the remote host.
+
+```yaml
+hostname: pilote
+```
+
+## local_subnet
+
+Local subnet where the remote host lives.
+
+```yaml
+local_subnet: 192.168.0.0/24
+```
+
+## mosquitto_passwords
+
+List of usernames and passwords to defined mosquitto users.
+
+```yaml
+mosquitto_passwords:
+  - user: telegraf
+    hash: '$***'
+  - user: nagios
+    hash: '$***'
+```
+
+See [mosquitto_passwd](https://mosquitto.org/man/mosquitto_passwd-1.html)
+command to generate the hash file.
+
+## nagios_commands
+
+List of Nagios commands.
+
+```yaml
+nagios_commands:
+  - command_name: check_https_vhost_certificate
+    command_line: /usr/lib/nagios/plugins/check_http --ssl --sni -I '$HOSTADDRESS$' -H '$ARG1$' -C '$ARG2$'
+```
+
+## nagios_contact_groups
+
+List of Nagios contact groups.
+
+```yaml
+nagios_contact_groups:
+  - contactgroup_name: admins
+    alias: Nagios Administrators
+    members:
+      - admin
+      - telegram
+```
+
+## nagios_contacts
+
+List of Nagios contacts.
+
+```yaml
+nagios_contacts:
+  - contact_name: admin
+    use: generic-contact
+    alias: Nagios Admin
+    email: noreply@nonexistant.com
+    host_notifications_enabled: 0
+    service_notifications_enabled: 0
+  - contact_name: telegram
+    use: generic-contact
+    alias: Telegram notifications
+    pager: 000000000
+    email: noreply@nonexistant.com
+    service_notification_commands: notify-service-by-telegram
+    host_notification_commands: notify-host-by-telegram
+```
+
+## nagios_hostgroups
+
+List of Nagios host groups.
+
+```yaml
+nagios_hostgroups:
+  - hostgroup_name: linux-servers
+    alias: Linux servers
+    members:
+      - pilote
+      - vps
+      - storage1
+      - storage2
+      - storage3
+  - hostgroup_name: web-servers
+    alias: Web servers
+    members:
+      - vps
+```
+
+## nagios_hosts
+
+List of Nagios hosts.
+
+```yaml
+nagios_hosts:
+  - use: home-host
+    host_name: pilote
+    alias: pilote
+    address: 127.0.0.1
+  - use: home-host
+    host_name: vps
+    alias: vps
+    address: 10.8.0.1
+```
+
+## nagios_host_templates
+
+List of Nagios host templates.
+
+```yaml
+nagios_host_templates:
+  - name: home-host
+    use: generic-host
+    check_command: check-host-alive
+    contact_groups: admins
+    notification_options:
+      - d
+      - u
+      - r
+    check_interval: 5
+    retry_interval: 5  # retry every 5 minutes
+    max_check_attempts: 12  # alert at 1 hour (12x5 minutes)
+    notification_interval: 720  # resend notifications every 12 hours
+```
+
+## nagios_htdigest_users
+
+List of users for basic authentication.
+
+```yaml
+nagios_htdigest_users:
+  - name: admin
+    hash: '...'
+```
+
+## nagios_service_dependencies
+
+List of Nagios service dependencies.
+
+```yaml
+nagios_service_dependencies:
+  - host_name: pilote
+    service_description: ovhcloud_voip
+    dependent_host_name: pilote
+    dependent_service_description: ovhcloud_ping
+    execution_failure_criteria: u
+    notification_failure_criteria: u
+```
+
+## nagios_services
+
+List of Nagios services.
+
+```yaml
+nagios_services:
+  - use: home-service
+    hostgroup_name: linux-servers
+    service_description: load
+    check_command: check_nrpe_nossl!check_load
+  - use: home-service
+    hostgroup_name: web-servers
+    service_description: https_monitoring_tld_certificate
+    check_command: check_https_vhost_certificate!monitoring.tld!1
+```
+
+## nagios_service_templates
+
+List of Nagios service templates.
+
+```yaml
+nagios_service_templates:
+  - name: home-service
+    use: generic-service
+    contact_groups: admins
+    check_interval: 5
+    retry_interval: 5  # retry every 5 minutes
+    max_check_attempts: 12  # alert at 1 hour (12x5 minutes)
+    notification_interval: 720  # 12 hours
+  - name: public-service
+    use: generic-service
+    contact_groups: admins
+    check_interval: 1
+    retry_interval: 1  # retry every minute
+    max_check_attempts: 3  # alert after 3 minutes
+    notification_interval: 60  # 1 hour
+```
+
+## nagios_telegram_auth_key
+
+Key used to authenticate to the Telegram API. See [how to create a
+bot](https://core.telegram.org/bots#3-how-do-i-create-a-bot).
+
+```yaml
+nagios_telegram_auth_key: '***'
+```
+
+## nagios_telegram_chat_id
+
+Unique identifier for the target chat or username of the target channel (in the
+format `@channelusername`). See [API
+specifications](https://core.telegram.org/bots/api#sendmessage).
+
+```yaml
+nagios_telegram_chat_id: 000000000
+```
+
+## nrpe_allowed_hosts
+
+List of IP addresses or ranges allowed to talk to the NRPE daemon.
+
+```yaml
+nrpe_allowed_hosts:
+  - 10.8.0.0/24
+  - 127.0.0.1
+```
+
+## nrpe_commands
+
+List of NRPE commands.
+
+```yaml
+nrpe_commands:
+  - name: check_load
+    line: /usr/lib/nagios/plugins/check_load -r -w 1,1,1 -c 4,4,4
+  - name: check_openvpn
+    line: '/usr/lib/nagios/plugins/check_procs -c 1: -C openvpn'
+  - name: check_openvpn_cert
+    line: >-
+      /opt/check_ssl_cert/check_ssl_cert -f /etc/openvpn/client.crt --ignore-maximum-validity
+      --ignore-incomplete-chain  --allow-empty-san --ignore-sct --warning 15 --critical 1
+```
+
+## nrpe_opts
+
+Options for the NRPE daemon.
+
+```yaml
+nrpe_opts: '-n'  # Disable TLS
+```
+
+## openvpn_ca
+
+Content of the certificate of the Certificate Authority (CA) used to certify
+VPN connections.
+
+```yaml
+openvpn_ca: |
+  -----BEGIN CERTIFICATE-----
+```
+
+## openvpn_cert
+
+Content of the certificate used to authenticate to the VPN server.
+
+```yaml
+openvpn_cert: |
+  -----BEGIN CERTIFICATE-----
+```
+
+## openvpn_key
+
+Content of the private key used to authenticate to the VPN server.
+
+```yaml
+openvpn_key:
+```
+
+## openvpn_remote_host
+
+Hostname or IP address of the remote VPN server.
+
+```yaml
+openvpn_remote_host: vpn.fqdn
+```
+
+## openvpn_subnet
+
+Subnet used by OpenVPN to group clients.
+
+```yaml
+openvpn_subnet: 10.8.0.0/24
+```
+
+## openvpn_ta
+
+Content of the OpenVPN static key used for TLS authentication.
+
+```yaml
+openvpn_ta:
+```
+
+## ovh_application_key
+
+Application key used to authenticate to the OVH API.
+
+```yaml
+ovh_application_key: deadbeef
+```
+
+See [first steps with the OVHcloud
+APIs](https://help.ovhcloud.com/csm/en-gb-api-getting-started-ovhcloud-api?id=kb_article_view&sysparm_article=KB0042784).
+
+## ovh_application_secret
+
+Application secret used to authenticate to the OVH API.
+
+```yaml
+ovh_application_secret: deadbeef
+```
+
+See [first steps with the OVHcloud
+APIs](https://help.ovhcloud.com/csm/en-gb-api-getting-started-ovhcloud-api?id=kb_article_view&sysparm_article=KB0042784).
+
+## ovh_consumer_key
+
+Consumer key used to authenticate to the OVH API.
+
+```yaml
+ovh_consumer_key: deadbeef
+```
+
+See [first steps with the OVHcloud
+APIs](https://help.ovhcloud.com/csm/en-gb-api-getting-started-ovhcloud-api?id=kb_article_view&sysparm_article=KB0042784).
+
+## ovh_endpoint
+
+Endpoint of the OVH API.
+
+```yaml
+ovh_endpoint: ovh-eu
+```
+
+See [first steps with the OVHcloud
+APIs](https://help.ovhcloud.com/csm/en-gb-api-getting-started-ovhcloud-api?id=kb_article_view&sysparm_article=KB0042784).
+
+## serial2mqtt_host
+
+Hostname or IP address used by serial2mqtt to send messages to the MQTT broker.
+
+```yaml
+serial2mqtt_host: localhost
+```
+
+## serial2mqtt_interface
+
+Name of the serial interface name used by serial2mqtt to gather metrics
+produced by the Arduino board.
+
+```yaml
+serial2mqtt_interface: /dev/ttyACM0
+```
+
+## serial2mqtt_password
+
+Password used by serial2mqtt to send messages to the MQTT broker.
+
+```yaml
+serial2mqtt_password: ***
+```
+## serial2mqtt_port
+
+Port used by serial2mqtt to send messages to the MQTT broker.
+
+```yaml
+serial2mqtt_port: 1883
+```
+
+## serial2mqtt_topic_prefix
+
+Add this prefix to topic names on the MQTT broker for serial2mqtt messages.
+
+```yaml
+serial2mqtt_topic_prefix: sensors
+```
+
+## serial2mqtt_username
+
+Username used by serial2mqtt to send messages to the MQTT broker.
+
+```yaml
+serial2mqtt_username: telegraf
+```
+
+## ssh_authorized_keys
+
+List of SSH authorized keys.
+
+```yaml
+ssh_authorized_keys:
+  - user: root
+    key: ssh-ed25519 hash
+    comment: desktop
+```
+
+Used by
+[ansible.posix.authorized_keys](https://docs.ansible.com/ansible/latest/collections/ansible/posix/authorized_key_module.html)
+module.
+
+## telegraf_influxdb_database
+
+Name of the InfluxDB database used by telegraf to send metrics.
+
+```yaml
+telegraf_influxdb_database: metrics
+```
+
+## telegraf_influxdb_password
+
+Password of the InfluxDB user used by telegraf to send metrics.
+
+```yaml
+telegraf_influxdb_password: ***
+```
+
+## telegraf_influxdb_urls
+
+List of InfluxDB endpoints used by telegraf to send metrics.
+
+```yaml
+telegraf_influxdb_urls:
+  - https://192.168.0.1:8088
+```
+
+## telegraf_influxdb_username
+
+Name of the InfluxDB user used by telegraf to send metrics.
+
+```yaml
+telegraf_influxdb_username: telegraf
+```
+
+## telegraf_mqtt_consumer_password
+
+Password used to authenticate to the MQTT broker for telegraf.
+
+```yaml
+telegraf_mqtt_consumer_password: ***
+```
+
+## telegraf_mqtt_consumer_servers
+
+List of MQTT brokers for telegraf.
+
+```yaml
+telegraf_mqtt_consumer_servers:
+  - tcp://localhost:1883
+```
+
+## telegraf_mqtt_consumer_topics
+
+List of MQTT topics to consume for telegraf.
+
+```yaml
+telegraf_mqtt_consumer_topics:
+  - sensors/humidity
+  - sensors/temperature
+```
+
+## telegraf_mqtt_consumer_username
+
+Name used to authenticate to the MQTT broker for telegraf.
+
+```yaml
+telegraf_mqtt_consumer_username: telegraf
+```
+
+## telegraf_ping_ip
+
+IP address of the host to ping for latency metrics.
+
+```yaml
+telegraf_ping_ip: 192.168.0.1
+```
+
+## timezone
+
+Alias of the time zone.
+
+```yaml
+timezone: Europe/Brussels
+```
+
+## users
+
+List of users to configure on the remote host.
+
+```yaml
+users:
+  - name: root
+    password: hash
+```
+
+Used by
+[ansible.builtin.user](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/user_module.html)
+module.

main.yml

@@ -1,23 +1,55 @@
 ---
-- hosts: pilote
+- name: Configure pilote
+  hosts: pilote
   gather_facts: true
   tasks:
-    - ansible.builtin.include_tasks: tasks/sysctl.yml
+    - name: Configure sysctl
-    - ansible.builtin.include_tasks: tasks/apt.yml
+      ansible.builtin.include_tasks: tasks/sysctl.yml
-    - ansible.builtin.include_tasks: tasks/users.yml
+
-    - ansible.builtin.include_tasks: tasks/profile.yml
+    - name: Configure apt
-    - ansible.builtin.include_tasks: tasks/hostname.yml
+      ansible.builtin.include_tasks: tasks/apt.yml
-    - ansible.builtin.include_tasks: tasks/motd.yml
+
-    - ansible.builtin.include_tasks: tasks/time.yml
+    - name: Configure users
-    - ansible.builtin.include_tasks: tasks/ssh.yml
+      ansible.builtin.include_tasks: tasks/users.yml
-    - ansible.builtin.include_tasks: tasks/openvpn.yml
+
-    - ansible.builtin.include_tasks: tasks/nagios.yml
+    - name: Configure profile
-    - ansible.builtin.include_tasks: tasks/nrpe.yml
+      ansible.builtin.include_tasks: tasks/profile.yml
-    - ansible.builtin.include_tasks: tasks/mosquitto.yml
+
-    - ansible.builtin.include_tasks: tasks/serial2mqtt.yml
+    - name: Configure hostname
-    - ansible.builtin.include_tasks: tasks/telegraf.yml
+      ansible.builtin.include_tasks: tasks/hostname.yml
-    - ansible.builtin.include_tasks: tasks/bacula.yml
+
-    - ansible.builtin.include_tasks: tasks/iptables.yml
+    - name: Configure motd
-    # TODO
+      ansible.builtin.include_tasks: tasks/motd.yml
-    #- ansible.builtin.include_tasks: tasks/easyrsa.yml
+
-    - ansible.builtin.include_tasks: tasks/vim.yml
+    - name: Configure time
+      ansible.builtin.include_tasks: tasks/time.yml
+
+    - name: Configure iptables
+      ansible.builtin.include_tasks: tasks/iptables.yml
+
+    - name: Configure SSH
+      ansible.builtin.include_tasks: tasks/ssh.yml
+
+    - name: Configure OpenVPN
+      ansible.builtin.include_tasks: tasks/openvpn.yml
+
+    - name: Configure Nagios
+      ansible.builtin.include_tasks: tasks/nagios.yml
+
+    - name: Configure NRPE
+      ansible.builtin.include_tasks: tasks/nrpe.yml
+
+    - name: Configure Mosquitto
+      ansible.builtin.include_tasks: tasks/mosquitto.yml
+
+    - name: Configure serial2mqtt
+      ansible.builtin.include_tasks: tasks/serial2mqtt.yml
+
+    - name: Configure telegraf
+      ansible.builtin.include_tasks: tasks/telegraf.yml
+
+    - name: Configure vim
+      ansible.builtin.include_tasks: tasks/vim.yml
+
+    - name: Configure EasyRSA
+      ansible.builtin.include_tasks: tasks/easyrsa.yml

renew.yml

@@ -0,0 +1,10 @@
+---
+- name: Renew client RSA certificates
+  hosts: pilote
+  gather_facts: false
+  tasks:
+    - name: Delete client certificates
+      ansible.builtin.include_tasks: tasks/easyrsa-certs-delete.yml
+
+    - name: Configure EasyRSA
+      ansible.builtin.include_tasks: tasks/easyrsa.yml

tasks/apt.yml

@@ -10,6 +10,7 @@
   ansible.builtin.template:
     src: apt/raspi.list.j2
     dest: /etc/apt/sources.list.d/raspi.list
+    mode: "0644"
 
 - name: Update system
   ansible.builtin.apt:

tasks/bacula.yml

@@ -1,13 +1,12 @@
 ---
 - name: Install bacula
-  ansible.builtin.apt:
+  ansible.builtin.package:
     name:
       - bacula-director
       - bacula-director-sqlite3
       - bacula-fd
       - bacula-sd
       - bacula-console
-    state: latest
 
 - name: Configure database
   ansible.builtin.copy:
@@ -57,10 +56,19 @@
     owner: root
     group: bacula
 
+- name: Create configuration directory
+  ansible.builtin.file:
+    path: /etc/bacula/conf.d
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+
 - name: Copy configuration files
   ansible.builtin.template:
     src: "bacula/conf.d/{{ item }}.conf.j2"
     dest: "/etc/bacula/conf.d/{{ item }}.conf"
+    mode: "0644"
   loop:
     - clients
     - filesets

tasks/easyrsa-certs-delete.yml

@@ -0,0 +1,9 @@
+---
+- name: Delete EasyRSA certificates
+  ansible.builtin.file:
+    name: "{{ item }}"
+    state: absent
+  loop:
+    - "{{ easyrsa_ca_dir }}/pki/reqs/{{ client_name }}.req"
+    - "{{ easyrsa_ca_dir }}/pki/private/{{ client_name }}.key"
+    - "{{ easyrsa_ca_dir }}/pki/issued/{{ client_name }}.crt"

tasks/easyrsa.yml

@@ -1,13 +1,62 @@
 ---
-# TODO
+- name: Install EasyRSA
-- name: copy easyrsa sources to /root
+  ansible.builtin.package:
-  copy:
+    name: easy-rsa
-    src: files/easyrsa/EasyRSA-v3.0.6
-    dest: /root/
-    mode: preserve
 
-- name: add easyrsa binary to path
+- name: Add easyrsa binary to path
-  file:
+  ansible.builtin.file:
-    src: /root/EasyRSA-v3.0.6/easyrsa
+    src: /usr/share/easy-rsa/easyrsa
     dest: /usr/local/sbin/easyrsa
     state: link
+
+- name: Create CA directory
+  ansible.builtin.command:
+    cmd: "make-cadir {{ easyrsa_ca_dir }}"
+    creates: "{{ easyrsa_ca_dir }}"
+
+- name: Init PKI
+  ansible.builtin.command:
+    cmd: easyrsa init-pki
+    chdir: "{{ easyrsa_ca_dir }}"
+    creates: "{{ easyrsa_ca_dir }}/pki"
+  environment:
+    EASYRSA_BATCH: "1"
+
+- name: Create symlinks
+  ansible.builtin.file:
+    src: "{{ easyrsa_ca_dir }}/{{ item }}"
+    dest: "{{ easyrsa_ca_dir }}/pki/{{ item }}"
+    state: link
+  loop:
+    - x509-types
+    - openssl-easyrsa.cnf
+
+- name: Create random file
+  ansible.builtin.command:
+    cmd: "openssl rand -writerand {{ easyrsa_ca_dir }}/pki/.rnd"
+    creates: "{{ easyrsa_ca_dir }}/pki/.rnd"
+
+- name: Build CA
+  ansible.builtin.command:
+    cmd: easyrsa build-ca nopass
+    chdir: "{{ easyrsa_ca_dir }}"
+    creates: "{{ easyrsa_ca_dir }}/pki/ca.crt"
+  environment:
+    EASYRSA_BATCH: "1"
+
+- name: Generate DH parameters
+  ansible.builtin.command:
+    cmd: easyrsa gen-dh
+    chdir: "{{ easyrsa_ca_dir }}"
+    creates: "{{ easyrsa_ca_dir }}/pki/dh.pem"
+  environment:
+    EASYRSA_BATCH: "1"
+
+- name: Generate client certificates
+  ansible.builtin.command:
+    cmd: "easyrsa build-client-full {{ item }} nopass"
+    chdir: "{{ easyrsa_ca_dir }}"
+    creates: "{{ easyrsa_ca_dir }}/pki/private/{{ item }}.key"
+  environment:
+    EASYRSA_BATCH: "1"
+  loop: "{{ easyrsa_clients | default([]) }}"

tasks/hostname.yml

@@ -1,9 +1,10 @@
 ---
 - name: Setup hostname
-  hostname:
+  ansible.builtin.hostname:
     name: "{{ hostname }}"
 
 - name: Manage /etc/hosts
   ansible.builtin.template:
     src: hostname/hosts.j2
     dest: /etc/hosts
+    mode: "0644"

tasks/iptables.yml

@@ -1,4 +1,9 @@
 ---
+- name: Install iptables
+  ansible.builtin.package:
+    name: iptables
+    state: present
+
 - name: Allow related and established connections
   ansible.builtin.iptables:
     chain: INPUT
@@ -21,7 +26,7 @@
     comment: allow ping from the world
 
 - name: Deny input connections by default
-  ansible.builtin.iptables: 
+  ansible.builtin.iptables:
     chain: INPUT
     policy: DROP
 
@@ -57,7 +62,7 @@
     name:
       - netfilter-persistent
       - iptables-persistent
-    state: latest
 
 - name: Save iptables
-  ansible.builtin.command: netfilter-persistent save  
+  ansible.builtin.command: netfilter-persistent save
+  changed_when: true

tasks/mosquitto.yml

@@ -1,22 +1,23 @@
 ---
 - name: Install packages
-  ansible.builtin.apt:
+  ansible.builtin.package:
-    name:
+    name: mosquitto
-      - mosquitto
-    state: latest
 
-- name: Configure mosquitto
+- name: Deploy general configuration
-  ansible.builtin.copy:
+  ansible.builtin.template:
-    src: files/mosquitto/conf.d
+    src: mosquitto/default.conf.j2
-    dest: /etc/mosquitto
+    dest: /etc/mosquitto/conf.d/default.conf
+    mode: "0644"
+    owner: root
+    group: root
 
 - name: Copy mosquitto password
   ansible.builtin.template:
     src: mosquitto/passwd.j2
     dest: /etc/mosquitto/passwd
-    mode: '0600'
+    mode: '0640'
     owner: root
-    group: root
+    group: mosquitto
 
 - name: Restart mosquitto
   ansible.builtin.service:

tasks/motd.yml

@@ -6,10 +6,15 @@
 
 - name: Run figlet
   ansible.builtin.shell:
-    cmd: "hostname | figlet -f /usr/share/figlet/smslant.flf"
+    cmd: >-
+      set -o pipefail
+      hostname | figlet -f /usr/share/figlet/smslant.flf
+    executable: /bin/bash
   register: _motd
+  changed_when: true
 
 - name: Create motd
   ansible.builtin.copy:
     dest: /etc/motd
     content: "{{ _motd.stdout }}\n"
+    mode: "0644"

tasks/nagios.yml

@@ -1,6 +1,6 @@
 ---
 - name: Install nagios
-  ansible.builtin.apt:
+  ansible.builtin.package:
     name:
       - nagios4
       - git
@@ -8,13 +8,13 @@
       - python3-jinja2
       - python3-requests
       - python3-jsonschema
-      - python-pexpect
+      - python3-pexpect
-    state: latest
 
 - name: Generate nagios configurations
   ansible.builtin.template:
     src: "nagios/conf.d/{{ item }}.cfg.j2"
     dest: "/etc/nagios4/conf.d/{{ item }}.cfg"
+    mode: "0644"
   loop:
     - commands
     - hosts
@@ -26,6 +26,7 @@
   ansible.builtin.template:
     src: nagios/contacts.cfg.j2
     dest: /etc/nagios4/objects/contacts.cfg
+    mode: "0644"
 
 - name: Copy check_timesyncd
   ansible.builtin.copy:
@@ -47,7 +48,7 @@
 
 - name: Configure notify-by-telegram
   ansible.builtin.copy:
-    content: "{{ {'auth_key': nagios_telegram_auth_key, 'chat_id': nagios_telegram_chat_id } | to_json }}"
+    content: "{{ {'auth_key': nagios_telegram_auth_key, 'chat_id': nagios_telegram_chat_id} | to_json }}"
     dest: /etc/nagios4/telegram.json
     owner: root
     group: nagios
@@ -55,38 +56,44 @@
 
 - name: Clone nagios-plugin-bacula source code
   ansible.builtin.git:
-    repo: https://github.com/twpayne/nagios-plugin-bacula.git
+    repo: https://github.com/jouir/nagios-plugin-bacula.git
     dest: /opt/nagios-plugin-bacula
 
 - name: Copy global configuration
-  ansible.builtin.copy: 
+  ansible.builtin.copy:
     src: files/nagios/nagios.cfg
     dest: /etc/nagios4/nagios.cfg
+    mode: "0644"
 
 - name: Copy CGI configuration
   ansible.builtin.copy:
     src: files/nagios/cgi.cfg
     dest: /etc/nagios4/cgi.cfg
+    mode: "0644"
 
 - name: Reload nagios
   ansible.builtin.service:
     name: nagios4
     state: reloaded
+    enabled: true
 
 - name: Configure htaccess for the web interface
   ansible.builtin.template:
     src: nagios/htdigest.users.j2
     dest: /etc/nagios4/htdigest.users
+    mode: "0644"
 
 - name: Secure Apache
-  copy:
+  ansible.builtin.copy:
     src: files/nagios/security.conf
     dest: /etc/apache2/conf-available/security.conf
+    mode: "0644"
 
 - name: Configure vhost for the web interface
   ansible.builtin.copy:
     src: files/nagios/apache2.conf
     dest: /etc/nagios4/apache2.conf
+    mode: "0644"
 
 - name: Enable Apache modules
   ansible.builtin.command:
@@ -94,14 +101,17 @@
   loop:
     - auth_digest
     - headers
+    - cgi
+  changed_when: true
 
 - name: Restart apache
   ansible.builtin.service:
     name: apache2
     state: restarted
+    enabled: true
 
 - name: Allow HTTP from vpn
-  iptables:
+  ansible.builtin.iptables:
     chain: INPUT
     protocol: tcp
     source: "{{ openvpn_subnet }}"

tasks/nrpe.yml

@@ -10,16 +10,19 @@
   ansible.builtin.template:
     src: nrpe/nrpe.cfg.j2
     dest: /etc/nagios/nrpe.cfg
+    mode: "0644"
 
 - name: Generate NRPE local configuration
   ansible.builtin.template:
     src: nrpe/nrpe_local.cfg.j2
     dest: /etc/nagios/nrpe_local.cfg
+    mode: "0644"
 
 - name: Manage daemon settings
   ansible.builtin.template:
     src: nrpe/nagios-nrpe-server.j2
     dest: /etc/default/nagios-nrpe-server
+    mode: "0644"
 
 - name: Clone check-mqtt source code
   ansible.builtin.git:
@@ -47,7 +50,7 @@
 - name: Install check_ovhcloud dependencies
   ansible.builtin.pip:
     requirements: /opt/check_ovhcloud/requirements.txt
-    extra_args: "--user"
+    extra_args: "--user --break-system-packages"
   become: true
   become_user: nagios
 

tasks/openvpn.yml

@@ -2,22 +2,24 @@
 - name: Install OpenVPN
   ansible.builtin.apt:
     name: openvpn
-    state: latest
 
 - name: Deploy OpenVPN configuration
   ansible.builtin.template:
     src: openvpn/client.conf.j2
     dest: /etc/openvpn/client.conf
+    mode: '0644'
 
 - name: Deploy OpenVPN CA cert
   ansible.builtin.copy:
     content: "{{ openvpn_ca }}"
     dest: /etc/openvpn/ca.crt
+    mode: '0644'
 
 - name: Deploy OpenVPN TLS auth
   ansible.builtin.copy:
     content: "{{ openvpn_ta }}"
     dest: /etc/openvpn/ta.key
+    mode: '0600'
 
 - name: Deploy OpenVPN client cert
   ansible.builtin.copy:

tasks/serial2mqtt.yml

@@ -4,7 +4,6 @@
     name:
       - python3-serial
       - python3-paho-mqtt
-    state: latest
 
 - name: Clone arduino-sensors-toolkit sources
   ansible.builtin.git:
@@ -14,11 +13,11 @@
 - name: Add serial2mqtt user
   ansible.builtin.user:
     name: serial2mqtt
-    system: yes
+    system: true
     password: '!'
     home: /var/lib/serial2mqtt
-    create_home: no
+    create_home: false
-    append: yes
+    append: true
     groups:
       - dialout
 
@@ -34,15 +33,17 @@
   ansible.builtin.copy:
     src: files/serial2mqtt/serial2mqtt.default
     dest: /etc/default/serial2mqtt
+    mode: '0644'
 
 - name: Copy serial2mqtt service unit
   ansible.builtin.copy:
     src: files/serial2mqtt/serial2mqtt.service
     dest: /etc/systemd/system/serial2mqtt.service
+    mode: '0644'
 
 - name: Start serial2mqtt service
   ansible.builtin.systemd:
     name: serial2mqtt.service
-    daemon_reload: yes
+    daemon_reload: true
     state: restarted
-    enabled: yes
+    enabled: true

tasks/ssh.yml

@@ -2,7 +2,6 @@
 - name: Install OpenSSH
   ansible.builtin.apt:
     name: openssh-server
-    state: latest
 
 - name: Allow authorized keys
   ansible.posix.authorized_key:
@@ -20,7 +19,7 @@
     mode: '0644'
 
 - name: Reload and enable SSH service
-  service:
+  ansible.builtin.service:
     name: ssh
     state: reloaded
     enabled: true

tasks/sysctl.yml

@@ -5,4 +5,4 @@
     value: '1'
     state: present
     sysctl_file: /etc/sysctl.d/70-disable-ipv6.conf
-    reload: yes
+    reload: true

tasks/telegraf.yml

@@ -3,10 +3,11 @@
   ansible.builtin.template:
     src: telegraf/influxdata.list.j2
     dest: /etc/apt/sources.list.d/influxdata.list
+    mode: '0644'
 
 - name: Download influxdata APT key
   ansible.builtin.apt_key:
-    url: https://repos.influxdata.com/influxdb.key
+    url: https://repos.influxdata.com/influxdata-archive_compat.key
     state: present
 
 - name: Install telegraf and dependencies
@@ -15,12 +16,14 @@
       - telegraf
       - lm-sensors
     update_cache: true
-    state: latest
 
 - name: Generate telegraf configurations
   ansible.builtin.template:
     src: "telegraf/{{ item }}.conf.j2"
     dest: "/etc/telegraf/telegraf.d/{{ item }}.conf"
+    mode: '0640'
+    owner: root
+    group: telegraf
   loop:
     - inputs
     - output

tasks/time.yml

@@ -2,3 +2,4 @@
 - name: Manage time zone
   ansible.builtin.command:
     cmd: "timedatectl set-timezone {{ timezone }}"
+  changed_when: true

tasks/users.yml

@@ -11,4 +11,5 @@
     src: files/users/bashrc
     owner: "{{ item['name'] }}"
     group: "{{ item['name'] }}"
+    mode: '0644'
   loop: "{{ users }}"

tasks/vim.yml

@@ -8,6 +8,7 @@
   ansible.builtin.copy:
     src: files/vim/vimrc
     dest: "{{ '/root/.vimrc' if item['name'] == 'root' else '/home/' + item['name'] + '/.vimrc' }}"
+    mode: '0644'
   loop: "{{ users }}"
   loop_control:
     label: "{{ item['name'] }}"

templates/mosquitto/default.conf.j2

@@ -0,0 +1,3 @@
+{{ ansible_managed | comment }}
+allow_anonymous false
+password_file /etc/mosquitto/passwd

templates/nrpe/nrpe_local.cfg.j2

@@ -3,4 +3,3 @@
 {% for command in nrpe_commands | default([]) %}
 command[{{ command['name'] }}]={{ command['line'] }}
 {% endfor %}
-

templates/openvpn/client.conf.j2

@@ -16,6 +16,7 @@ key client.key
 remote-cert-tls server
 tls-auth ta.key 1
 cipher AES-256-CBC
+data-ciphers AES-256-CBC
 auth SHA256
 verb 3
 key-direction 1

upgrade.yml

@@ -2,4 +2,5 @@
 - name: Upgrade systems
   hosts: all
   tasks:
-    - include_tasks: tasks/apt-upgrade.yml
+    - name: Run apt upgrade
+      ansible.builtin.include_tasks: tasks/apt-upgrade.yml