

10 commits

97ab3931bb
chore: Disable bacula
Not used anymore. Moving things to Sanoid instead.

Signed-off-by: Julien Riou <julien@riou.xyz>
2024-12-17 10:44:57 +01:00
cf262bbf9e
feat: Use Python3 compatible fork of bacula plugin for Nagios
Signed-off-by: Julien Riou <julien@riou.xyz>
2024-07-27 21:24:31 +02:00
a8389a7c0a
feat: Enable Nagios and Apache
Signed-off-by: Julien Riou <julien@riou.xyz>
2024-07-27 19:29:14 +02:00
36c0ce1de6
feat: Debian 12 compatibility
Signed-off-by: Julien Riou <julien@riou.xyz>
2024-07-27 19:20:30 +02:00
d8c17dad4b
fix: Invalid arguments in MOTD and Nagios
Signed-off-by: Julien Riou <julien@riou.xyz>
2024-07-27 09:51:20 +02:00
19a7af377e
feat: Manage EasyRSA CA and certificates
Signed-off-by: Julien Riou <julien@riou.xyz>
2024-05-13 18:15:02 +02:00
f3930ea7d4
doc: Add variables
Signed-off-by: Julien Riou <julien@riou.xyz>
2024-05-13 14:55:58 +02:00
436c80ed33
fix(openvpn): Align cipher and data ciphers
Signed-off-by: Julien Riou <julien@riou.xyz>
2024-05-12 08:53:44 +02:00
38fef42aa6
style: Add ansible-lint
Signed-off-by: Julien Riou <julien@riou.xyz>
2024-05-10 13:32:56 +02:00
0063f2157c
feat: Add pre-commit
Signed-off-by: Julien Riou <julien@riou.xyz>
2024-04-27 17:36:49 +02:00
31 changed files with 1070 additions and 78 deletions

9
.ansible-lint Normal file

@ -0,0 +1,9 @@
---
exclude_paths:
- .cache/
- .github/
- .pre-commit-config.yaml
- group_vars/pilote.yml
skip_list:
- latest
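Review bot: `exclude_paths` drops `group_vars/pilote.yml` from linting without saying why; VARIABLES.md in this range says sensitive data is to be vault-encrypted, so the exclusion is presumably because that file is vaulted or otherwise not parseable, and a comment above the entry, `# vault-encrypted host variables; ansible-lint cannot parse them`, would stop the next maintainer from removing it and then re-adding it after the first failure. `skip_list: latest` silences the rule against `state: latest`, while the task files in this range remove most `state: latest` lines; if none remain after the Debian 12 commit, dropping the skip lets the rule enforce the new convention instead of hiding regressions.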

15
.github/workflows/pre-commit.yml vendored Normal file

@ -0,0 +1,15 @@
---
name: pre-commit
on:
pull_request:
push:
branches: [main]
jobs:
pre-commit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-python@v3
- uses: pre-commit/action@v3.0.1
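Review bot: The workflow declares no `permissions:` block and references all three actions by mutable tags (`actions/checkout@v3`, `actions/setup-python@v3`, `pre-commit/action@v3.0.1`), so the job token receives the repository's default permissions and the action code can change underneath the tag without any change to this file. Add `permissions:` / `contents: read` at the workflow level, which is all a lint job needs, and pin each `uses:` to a full commit SHA with the tag kept in a trailing comment so update tooling can still track it. The rendered view has lost the indentation of the `on:` and `jobs:` mappings, so the nesting cannot be checked from these lines.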

14
.pre-commit-config.yaml Normal file

@ -0,0 +1,14 @@
---
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.6.0
hooks:
- id: check-yaml
- id: detect-private-key
- id: end-of-file-fixer
- id: trailing-whitespace
- repo: https://github.com/ansible/ansible-lint
rev: v24.2.3
hooks:
- id: ansible-lint
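Review bot: Both `rev:` values (`v4.6.0`, `v24.2.3`) are tags, which pre-commit treats as mutable refs; `pre-commit autoupdate --freeze` rewrites them to commit SHAs with the tag preserved in a comment, giving the hooks the same supply-chain pinning the GitHub Actions workflow in this range should also get. `detect-private-key` is worth keeping in place because VARIABLES.md documents `openvpn_key` and `openvpn_ta` as raw key material, so the hook catches a value that was pasted in clear instead of being vault-encrypted. The `ansible-lint` hook and the new `.ansible-lint` file agree with each other, since the latter already excludes this config from linting.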


@ -1,7 +1,3 @@
# TODO
* EasyRSA tasks
* Variables documentation
* Github actions
* pre-commit
* ansible-lint
- EasyRSA: Protect CA with a passphrase


@ -1,3 +1,815 @@
# Variables
Soon.
Senstivie data should be encrypted using
[ansible-vault](https://docs.ansible.com/ansible/latest/cli/ansible-vault.html).
## bacula_catalog_name
Name of the Bacula catalog.
```yaml
bacula_catalog_name: HomeCatalog
```
## bacula_clients
List of Bacula Clients.
```yaml
bacula_clients:
- name: pilote-fd
address: localhost
catalog: HomeCatalog
password: ***
file_retention: 60 days
job_retention: 6 months
autoprune: 'yes'
- name: vps-fd
address: 192.168.0.1
catalog: HomeCatalog
password: ***
file_retention: 60 days
job_retention: 6 months
autoprune: 'yes'
- name: storage1-fd
address: 192.168.0.2
catalog: HomeCatalog
password: ***
file_retention: 60 days
job_retention: 6 months
autoprune: 'yes'
```
## bacula_device_archive_device
Directory of the Device where to store Bacula backups.
```yaml
bacula_device_archive_device: /storage/bacula/backup
```
## bacula_device_name
Name of the Bacula Device.
```yaml
bacula_device_name: FileStorage
```
## bacula_director_address
Address of the Bacula director.
```yaml
bacula_director_address: 127.0.0.1
```
## bacula_director_name
Name of the Bacula director.
```yaml
bacula_director_name: pilote-dir
```
## bacula_director_password
Password of the Bacula director.
```yaml
bacula_director_password: ***
```
## bacula_filedaemon_address
Address of the Bacula Client (File Daemon).
```yaml
bacula_filedaemon_address: 127.0.0.1
```
## bacula_filedaemon_name
Name of the Bacula Client (File Daemon).
```yaml
bacula_filedaemon_name: pilote-fd
```
## bacula_filedaemon_password
Password of the Bacula Client (File Daemon).
```yaml
bacula_filedaemon_password: ***
```
## bacula_filesets
List of Bacula File Sets.
```yaml
bacula_filesets:
- name: DebianFileSet
include:
options:
signature: MD5
compression: GZIP
files:
- /etc
- /var/log
- /root
- /home
exclude:
files:
- '*~'
- name: CatalogFileSet
include:
options:
signature: MD5
compression: GZIP
files:
- /var/lib/bacula/bacula.sql
- name: InfluxDBFileSet
include:
options:
signature: MD5
files:
- /var/lib/bacula/influxdb
- name: GrafanaFileSet
include:
options:
signature: MD5
files:
- /var/lib/bacula/grafana
```
## bacula_jobs
List of Bacula Jobs.
```yaml
bacula_jobs:
- name: BackupPilote
client: pilote-fd
fileset: DebianFileSet
- name: BackupStorage1
client: storage1-fd
fileset: DebianFileSet
- name: BackupStorage2
client: storage2-fd
fileset: DebianFileSet
- name: BackupStorage3
client: storage3-fd
fileset: DebianFileSet
- name: BackupCatalog
client: pilote-fd
level: Full
fileset: CatalogFileSet
schedule: DefaultScheduleAfterBackup
run_before_job: /etc/bacula/scripts/make_catalog_backup.pl HomeCatalog
run_after_job: /etc/bacula/scripts/delete_catalog_backup
priority: 11 # run after main backup
- name: BackupInfluxDB
client: storage1-fd
fileset: InfluxDBFileSet
schedule: DefaultScheduleAfterBackup
client_run_before_job: /etc/bacula/scripts/influxdb-backup %l
client_run_after_job: /etc/bacula/scripts/influxdb-cleanup
priority: 11 # run after main backup
- name: BackupGrafana
client: storage1-fd
level: Full
fileset: GrafanaFileSet
schedule: DefaultScheduleAfterBackup
client_run_before_job: /etc/bacula/scripts/grafana-backup
client_run_after_job: /etc/bacula/scripts/grafana-cleanup
priority: 11 # run after main backup
- name: RestoreFiles
type: Restore
client: storage1-fd
storage: storage1-sd
fileset: DebianFileSet # required but not used
pool: FullFile # required but not used
messages: Standard
where: /storage/bacula/restore
```
## bacula_pools
List of Bacula Pools.
```yaml
bacula_pools:
- name: FullFile
pool_type: Backup
recycle: 'yes'
auto_prune: 'yes'
volume_retention: 10 years
storage: storage1-sd
maximum_volume_bytes: 1G
maximum_volumes: 100
labelformat: Full-
- name: DiffFile
pool_type: Backup
recycle: 'yes'
auto_prune: 'yes'
volume_retention: 6 weeks
storage: storage1-sd
maximum_volume_bytes: 1G
maximum_volumes: 100
labelformat: Diff-
- name: IncrFile
pool_type: Backup
recycle: 'yes'
auto_prune: 'yes'
volume_retention: 3 weeks
storage: storage1-sd
maximum_volume_bytes: 1G
maximum_volumes: 100
labelformat: Incr-
```
## bacula_schedules
List of Bacula Schedules.
```yaml
bacula_schedules:
- name: DefaultSchedule
runs:
- datetime: 1st sun at 0:00
job_overrides:
level: Full
- datetime: 2nd-5th sun at 0:00
job_overrides:
level: Differential
- datetime: mon-sat at 0:00
job_overrides:
level: Incremental
- name: DefaultScheduleAfterBackup
runs:
- datetime: sun-sat at 0:00
job_overrides:
level: Full
```
## bacula_storage_address
Address of the Bacula Storage.
```yaml
bacula_storage_address: 127.0.0.1
```
## bacula_storage_name
Name of the Bacula Storage.
```yaml
bacula_storage_name: storage1-sd
```
## bacula_storage_password
Password of the Bacula Storage.
```yaml
bacula_storage_password: ***
```
## bacula_storages
List of Bacula Storages.
```yaml
bacula_storages:
- name: storage1-sd
address: 192.168.0.2
password: ***
device: FileStorage
media_type: File
```
## easyrsa_ca_dir
Path to the CA directory to create.
```yaml
easyrsa_ca_dir: /var/lib/easyrsa
```
## easyrsa_clients
List of client hostnames that will have RSA certificates.
```yaml
easyrsa_clients:
- pilote
- storage1
- storage2
- storage3
- vps
```
## hostname
Name of the remote host.
```yaml
hostname: pilote
```
## local_subnet
Local subnet where the remote host lives.
```yaml
local_subnet: 192.168.0.0/24
```
## mosquitto_passwords
List of usernames and passwords to defined mosquitto users.
```yaml
mosquitto_passwords:
- user: telegraf
hash: '$***'
- user: nagios
hash: '$***'
```
See [mosquitto_passwd](https://mosquitto.org/man/mosquitto_passwd-1.html)
command to generate the hash file.
## nagios_commands
List of Nagios commands.
```yaml
nagios_commands:
- command_name: check_https_vhost_certificate
command_line: /usr/lib/nagios/plugins/check_http --ssl --sni -I '$HOSTADDRESS$' -H '$ARG1$' -C '$ARG2$'
```
## nagios_contact_groups
List of Nagios contact groups.
```yaml
nagios_contact_groups:
- contactgroup_name: admins
alias: Nagios Administrators
members:
- admin
- telegram
```
## nagios_contacts
List of Nagios contacts.
```yaml
nagios_contacts:
- contact_name: admin
use: generic-contact
alias: Nagios Admin
email: noreply@nonexistant.com
host_notifications_enabled: 0
service_notifications_enabled: 0
- contact_name: telegram
use: generic-contact
alias: Telegram notifications
pager: 000000000
email: noreply@nonexistant.com
service_notification_commands: notify-service-by-telegram
host_notification_commands: notify-host-by-telegram
```
## nagios_hostgroups
List of Nagios host groups.
```yaml
nagios_hostgroups:
- hostgroup_name: linux-servers
alias: Linux servers
members:
- pilote
- vps
- storage1
- storage2
- storage3
- hostgroup_name: web-servers
alias: Web servers
members:
- vps
```
## nagios_hosts
List of Nagios hosts.
```yaml
nagios_hosts:
- use: home-host
host_name: pilote
alias: pilote
address: 127.0.0.1
- use: home-host
host_name: vps
alias: vps
address: 10.8.0.1
```
## nagios_host_templates
List of Nagios host templates.
```yaml
nagios_host_templates:
- name: home-host
use: generic-host
check_command: check-host-alive
contact_groups: admins
notification_options:
- d
- u
- r
check_interval: 5
retry_interval: 5 # retry every 5 minutes
max_check_attempts: 12 # alert at 1 hour (12x5 minutes)
notification_interval: 720 # resend notifications every 12 hours
```
## nagios_htdigest_users
List of users for basic authentication.
```yaml
nagios_htdigest_users:
- name: admin
hash: '...'
```
## nagios_service_dependencies
List of Nagios service dependencies.
```yaml
nagios_service_dependencies:
- host_name: pilote
service_description: ovhcloud_voip
dependent_host_name: pilote
dependent_service_description: ovhcloud_ping
execution_failure_criteria: u
notification_failure_criteria: u
```
## nagios_services
List of Nagios services.
```yaml
nagios_services:
- use: home-service
hostgroup_name: linux-servers
service_description: load
check_command: check_nrpe_nossl!check_load
- use: home-service
hostgroup_name: web-servers
service_description: https_monitoring_tld_certificate
check_command: check_https_vhost_certificate!monitoring.tld!1
```
## nagios_service_templates
List of Nagios service templates.
```yaml
nagios_service_templates:
- name: home-service
use: generic-service
contact_groups: admins
check_interval: 5
retry_interval: 5 # retry every 5 minutes
max_check_attempts: 12 # alert at 1 hour (12x5 minutes)
notification_interval: 720 # 12 hours
- name: public-service
use: generic-service
contact_groups: admins
check_interval: 1
retry_interval: 1 # retry every minute
max_check_attempts: 3 # alert after 3 minutes
notification_interval: 60 # 1 hour
```
## nagios_telegram_auth_key
Key used to authenticate to the Telegram API. See [how to create a
bot](https://core.telegram.org/bots#3-how-do-i-create-a-bot).
```yaml
nagios_telegram_auth_key: '***'
```
## nagios_telegram_chat_id
Unique identifier for the target chat or username of the target channel (in the
format `@channelusername`). See [API
specifications](https://core.telegram.org/bots/api#sendmessage).
```yaml
nagios_telegram_chat_id: 000000000
```
## nrpe_allowed_hosts
List of IP addresses or ranges allowed to talk to the NRPE daemon.
```yaml
nrpe_allowed_hosts:
- 10.8.0.0/24
- 127.0.0.1
```
## nrpe_commands
List of NRPE commands.
```yaml
nrpe_commands:
- name: check_load
line: /usr/lib/nagios/plugins/check_load -r -w 1,1,1 -c 4,4,4
- name: check_openvpn
line: '/usr/lib/nagios/plugins/check_procs -c 1: -C openvpn'
- name: check_openvpn_cert
line: >-
/opt/check_ssl_cert/check_ssl_cert -f /etc/openvpn/client.crt --ignore-maximum-validity
--ignore-incomplete-chain --allow-empty-san --ignore-sct --warning 15 --critical 1
```
## nrpe_opts
Options for the NRPE daemon.
```yaml
nrpe_opts: '-n' # Disable TLS
```
## openvpn_ca
Content of the certificate of the Certificate Authority (CA) used to certify
VPN connections.
```yaml
openvpn_ca: |
-----BEGIN CERTIFICATE-----
```
## openvpn_cert
Content of the certificate used to authenticate to the VPN server.
```yaml
openvpn_cert: |
-----BEGIN CERTIFICATE-----
```
## openvpn_key
Content of the private key used to authenticate to the VPN server.
```yaml
openvpn_key:
```
## openvpn_remote_host
Hostname or IP address of the remote VPN server.
```yaml
openvpn_remote_host: vpn.fqdn
```
## openvpn_subnet
Subnet used by OpenVPN to group clients.
```yaml
openvpn_subnet: 10.8.0.0/24
```
## openvpn_ta
Content of the OpenVPN static key used for TLS authentication.
```yaml
openvpn_ta:
```
## ovh_application_key
Application key used to authenticate to the OVH API.
```yaml
ovh_application_key: deadbeef
```
See [first steps with the OVHcloud
APIs](https://help.ovhcloud.com/csm/en-gb-api-getting-started-ovhcloud-api?id=kb_article_view&sysparm_article=KB0042784).
## ovh_application_secret
Application secret used to authenticate to the OVH API.
```yaml
ovh_application_secret: deadbeef
```
See [first steps with the OVHcloud
APIs](https://help.ovhcloud.com/csm/en-gb-api-getting-started-ovhcloud-api?id=kb_article_view&sysparm_article=KB0042784).
## ovh_consumer_key
Consumer key used to authenticate to the OVH API.
```yaml
ovh_consumer_key: deadbeef
```
See [first steps with the OVHcloud
APIs](https://help.ovhcloud.com/csm/en-gb-api-getting-started-ovhcloud-api?id=kb_article_view&sysparm_article=KB0042784).
## ovh_endpoint
Endpoint of the OVH API.
```yaml
ovh_endpoint: ovh-eu
```
See [first steps with the OVHcloud
APIs](https://help.ovhcloud.com/csm/en-gb-api-getting-started-ovhcloud-api?id=kb_article_view&sysparm_article=KB0042784).
## serial2mqtt_host
Hostname or IP address used by serial2mqtt to send messages to the MQTT broker.
```yaml
serial2mqtt_host: localhost
```
## serial2mqtt_interface
Name of the serial interface name used by serial2mqtt to gather metrics
produced by the Arduino board.
```yaml
serial2mqtt_interface: /dev/ttyACM0
```
## serial2mqtt_password
Password used by serial2mqtt to send messages to the MQTT broker.
```yaml
serial2mqtt_password: ***
```
## serial2mqtt_port
Port used by serial2mqtt to send messages to the MQTT broker.
```yaml
serial2mqtt_port: 1883
```
## serial2mqtt_topic_prefix
Add this prefix to topic names on the MQTT broker for serial2mqtt messages.
```yaml
serial2mqtt_topic_prefix: sensors
```
## serial2mqtt_username
Username used by serial2mqtt to send messages to the MQTT broker.
```yaml
serial2mqtt_username: telegraf
```
## ssh_authorized_keys
List of SSH authorized keys.
```yaml
ssh_authorized_keys:
- user: root
key: ssh-ed25519 hash
comment: desktop
```
Used by
[ansible.posix.authorized_keys](https://docs.ansible.com/ansible/latest/collections/ansible/posix/authorized_key_module.html)
module.
## telegraf_influxdb_database
Name of the InfluxDB database used by telegraf to send metrics.
```yaml
telegraf_influxdb_database: metrics
```
## telegraf_influxdb_password
Password of the InfluxDB user used by telegraf to send metrics.
```yaml
telegraf_influxdb_password: ***
```
## telegraf_influxdb_urls
List of InfluxDB endpoints used by telegraf to send metrics.
```yaml
telegraf_influxdb_urls:
- https://192.168.0.1:8088
```
## telegraf_influxdb_username
Name of the InfluxDB user used by telegraf to send metrics.
```yaml
telegraf_influxdb_username: telegraf
```
## telegraf_mqtt_consumer_password
Password used to authenticate to the MQTT broker for telegraf.
```yaml
telegraf_mqtt_consumer_password: ***
```
## telegraf_mqtt_consumer_servers
List of MQTT brokers for telegraf.
```yaml
telegraf_mqtt_consumer_servers:
- tcp://localhost:1883
```
## telegraf_mqtt_consumer_topics
List of MQTT topics to consume for telegraf.
```yaml
telegraf_mqtt_consumer_topics:
- sensors/humidity
- sensors/temperature
```
## telegraf_mqtt_consumer_username
Name used to authenticate to the MQTT broker for telegraf.
```yaml
telegraf_mqtt_consumer_username: telegraf
```
## telegraf_ping_ip
IP address of the host to ping for latency metrics.
```yaml
telegraf_ping_ip: 192.168.0.1
```
## timezone
Alias of the time zone.
```yaml
timezone: Europe/Brussels
```
## users
List of users to configure on the remote host.
```yaml
users:
- name: root
password: hash
```
Used by
[ansible.builtin.user](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/user_module.html)
module.


@ -1,23 +1,55 @@
---
- hosts: pilote
- name: Configure pilote
hosts: pilote
gather_facts: true
tasks:
- ansible.builtin.include_tasks: tasks/sysctl.yml
- ansible.builtin.include_tasks: tasks/apt.yml
- ansible.builtin.include_tasks: tasks/users.yml
- ansible.builtin.include_tasks: tasks/profile.yml
- ansible.builtin.include_tasks: tasks/hostname.yml
- ansible.builtin.include_tasks: tasks/motd.yml
- ansible.builtin.include_tasks: tasks/time.yml
- ansible.builtin.include_tasks: tasks/ssh.yml
- ansible.builtin.include_tasks: tasks/openvpn.yml
- ansible.builtin.include_tasks: tasks/nagios.yml
- ansible.builtin.include_tasks: tasks/nrpe.yml
- ansible.builtin.include_tasks: tasks/mosquitto.yml
- ansible.builtin.include_tasks: tasks/serial2mqtt.yml
- ansible.builtin.include_tasks: tasks/telegraf.yml
- ansible.builtin.include_tasks: tasks/bacula.yml
- ansible.builtin.include_tasks: tasks/iptables.yml
# TODO
#- ansible.builtin.include_tasks: tasks/easyrsa.yml
- ansible.builtin.include_tasks: tasks/vim.yml
- name: Configure sysctl
ansible.builtin.include_tasks: tasks/sysctl.yml
- name: Configure apt
ansible.builtin.include_tasks: tasks/apt.yml
- name: Configure users
ansible.builtin.include_tasks: tasks/users.yml
- name: Configure profile
ansible.builtin.include_tasks: tasks/profile.yml
- name: Configure hostname
ansible.builtin.include_tasks: tasks/hostname.yml
- name: Configure motd
ansible.builtin.include_tasks: tasks/motd.yml
- name: Configure time
ansible.builtin.include_tasks: tasks/time.yml
- name: Configure iptables
ansible.builtin.include_tasks: tasks/iptables.yml
- name: Configure SSH
ansible.builtin.include_tasks: tasks/ssh.yml
- name: Configure OpenVPN
ansible.builtin.include_tasks: tasks/openvpn.yml
- name: Configure Nagios
ansible.builtin.include_tasks: tasks/nagios.yml
- name: Configure NRPE
ansible.builtin.include_tasks: tasks/nrpe.yml
- name: Configure Mosquitto
ansible.builtin.include_tasks: tasks/mosquitto.yml
- name: Configure serial2mqtt
ansible.builtin.include_tasks: tasks/serial2mqtt.yml
- name: Configure telegraf
ansible.builtin.include_tasks: tasks/telegraf.yml
- name: Configure vim
ansible.builtin.include_tasks: tasks/vim.yml
- name: Configure EasyRSA
ansible.builtin.include_tasks: tasks/easyrsa.yml

10
renew.yml Normal file

@ -0,0 +1,10 @@
---
- name: Renew client RSA certificates
hosts: pilote
gather_facts: false
tasks:
- name: Delete client certificates
ansible.builtin.include_tasks: tasks/easyrsa-certs-delete.yml
- name: Configure EasyRSA
ansible.builtin.include_tasks: tasks/easyrsa.yml
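Review bot: The play carries no comment on how it is meant to be invoked, yet the delete tasks it includes first (`tasks/easyrsa-certs-delete.yml`, shown later in this range) expand `{{ client_name }}`, which nothing in this play defines, so the play only works with an extra var and otherwise stops with an undefined-variable error at the first loop item. Add a header comment above the play, `# Usage: ansible-playbook renew.yml -e client_name=<client>`, and consider an `ansible.builtin.assert` with `that: client_name is defined` as the first task so the requirement fails early and explicitly. `gather_facts: false` is fine as far as the included tasks visible in this range go, since they use only `easyrsa_ca_dir`, `easyrsa_clients` and `client_name`.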


@ -10,6 +10,7 @@
ansible.builtin.template:
src: apt/raspi.list.j2
dest: /etc/apt/sources.list.d/raspi.list
mode: "0644"
- name: Update system
ansible.builtin.apt:


@ -1,13 +1,12 @@
---
- name: Install bacula
ansible.builtin.apt:
ansible.builtin.package:
name:
- bacula-director
- bacula-director-sqlite3
- bacula-fd
- bacula-sd
- bacula-console
state: latest
- name: Configure database
ansible.builtin.copy:
@ -57,10 +56,19 @@
owner: root
group: bacula
- name: Create configuration directory
ansible.builtin.file:
path: /etc/bacula/conf.d
state: directory
owner: root
group: root
mode: '0755'
- name: Copy configuration files
ansible.builtin.template:
src: "bacula/conf.d/{{ item }}.conf.j2"
dest: "/etc/bacula/conf.d/{{ item }}.conf"
mode: "0644"
loop:
- clients
- filesets
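Review bot: `Copy configuration files` writes `/etc/bacula/conf.d/{{ item }}.conf` with `mode: "0644"`, and the `clients` item in its loop is rendered from `bacula_clients`, whose entries carry a `password` per VARIABLES.md in this range, so the File Daemon passwords become readable by every local account; the task cut off at the top of this hunk ends with `owner: root` / `group: bacula`, which is the ownership these files should share. Change the template task to `mode: "0640"`, `owner: root`, `group: bacula`, and consider `mode: '0750'` on the `Create configuration directory` task above it. The loop continues past the end of this hunk, and the `chore: Disable bacula` commit removes the include from pilote.yml, so this only matters while the task file is still run somewhere.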


@ -0,0 +1,9 @@
---
- name: Delete EasyRSA certificates
ansible.builtin.file:
name: "{{ item }}"
state: absent
loop:
- "{{ easyrsa_ca_dir }}/pki/reqs/{{ client_name }}.req"
- "{{ easyrsa_ca_dir }}/pki/private/{{ client_name }}.key"
- "{{ easyrsa_ca_dir }}/pki/issued/{{ client_name }}.crt"


@ -1,13 +1,62 @@
---
# TODO
- name: copy easyrsa sources to /root
copy:
src: files/easyrsa/EasyRSA-v3.0.6
dest: /root/
mode: preserve
- name: Install EasyRSA
ansible.builtin.package:
name: easy-rsa
- name: add easyrsa binary to path
file:
src: /root/EasyRSA-v3.0.6/easyrsa
- name: Add easyrsa binary to path
ansible.builtin.file:
src: /usr/share/easy-rsa/easyrsa
dest: /usr/local/sbin/easyrsa
state: link
- name: Create CA directory
ansible.builtin.command:
cmd: "make-cadir {{ easyrsa_ca_dir }}"
creates: "{{ easyrsa_ca_dir }}"
- name: Init PKI
ansible.builtin.command:
cmd: easyrsa init-pki
chdir: "{{ easyrsa_ca_dir }}"
creates: "{{ easyrsa_ca_dir }}/pki"
environment:
EASYRSA_BATCH: "1"
- name: Create symlinks
ansible.builtin.file:
src: "{{ easyrsa_ca_dir }}/{{ item }}"
dest: "{{ easyrsa_ca_dir }}/pki/{{ item }}"
state: link
loop:
- x509-types
- openssl-easyrsa.cnf
- name: Create random file
ansible.builtin.command:
cmd: "openssl rand -writerand {{ easyrsa_ca_dir }}/pki/.rnd"
creates: "{{ easyrsa_ca_dir }}/pki/.rnd"
- name: Build CA
ansible.builtin.command:
cmd: easyrsa build-ca nopass
chdir: "{{ easyrsa_ca_dir }}"
creates: "{{ easyrsa_ca_dir }}/pki/ca.crt"
environment:
EASYRSA_BATCH: "1"
- name: Generate DH parameters
ansible.builtin.command:
cmd: easyrsa gen-dh
chdir: "{{ easyrsa_ca_dir }}"
creates: "{{ easyrsa_ca_dir }}/pki/dh.pem"
environment:
EASYRSA_BATCH: "1"
- name: Generate client certificates
ansible.builtin.command:
cmd: "easyrsa build-client-full {{ item }} nopass"
chdir: "{{ easyrsa_ca_dir }}"
creates: "{{ easyrsa_ca_dir }}/pki/private/{{ item }}.key"
environment:
EASYRSA_BATCH: "1"
loop: "{{ easyrsa_clients | default([]) }}"


@ -1,9 +1,10 @@
---
- name: Setup hostname
hostname:
ansible.builtin.hostname:
name: "{{ hostname }}"
- name: Manage /etc/hosts
ansible.builtin.template:
src: hostname/hosts.j2
dest: /etc/hosts
mode: "0644"


@ -1,4 +1,9 @@
---
- name: Install iptables
ansible.builtin.package:
name: iptables
state: present
- name: Allow related and established connections
ansible.builtin.iptables:
chain: INPUT
@ -57,7 +62,7 @@
name:
- netfilter-persistent
- iptables-persistent
state: latest
- name: Save iptables
ansible.builtin.command: netfilter-persistent save
changed_when: true


@ -1,22 +1,23 @@
---
- name: Install packages
ansible.builtin.apt:
name:
- mosquitto
state: latest
ansible.builtin.package:
name: mosquitto
- name: Configure mosquitto
ansible.builtin.copy:
src: files/mosquitto/conf.d
dest: /etc/mosquitto
- name: Deploy general configuration
ansible.builtin.template:
src: mosquitto/default.conf.j2
dest: /etc/mosquitto/conf.d/default.conf
mode: "0644"
owner: root
group: root
- name: Copy mosquitto password
ansible.builtin.template:
src: mosquitto/passwd.j2
dest: /etc/mosquitto/passwd
mode: '0600'
mode: '0640'
owner: root
group: root
group: mosquitto
- name: Restart mosquitto
ansible.builtin.service:
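Review bot: `Restart mosquitto`, whose body continues past the end of this hunk, runs unconditionally, so every play restarts the broker and drops the serial2mqtt and telegraf sessions even when neither `default.conf` nor `passwd` changed. Add `notify: Restart mosquitto` to the two template tasks and turn the restart into a handler; the play in pilote.yml in this range has no `handlers:` section yet, so one would need to be added there. The change of the password file to `mode: '0640'` with `group: mosquitto` is the right direction, since the broker must read it and no other account needs to.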


@ -6,10 +6,15 @@
- name: Run figlet
ansible.builtin.shell:
cmd: "hostname | figlet -f /usr/share/figlet/smslant.flf"
cmd: >-
set -o pipefail
hostname | figlet -f /usr/share/figlet/smslant.flf
executable: /bin/bash
register: _motd
changed_when: true
- name: Create motd
ansible.builtin.copy:
dest: /etc/motd
content: "{{ _motd.stdout }}\n"
mode: "0644"


@ -1,6 +1,6 @@
---
- name: Install nagios
ansible.builtin.apt:
ansible.builtin.package:
name:
- nagios4
- git
@ -8,13 +8,13 @@
- python3-jinja2
- python3-requests
- python3-jsonschema
- python-pexpect
state: latest
- python3-pexpect
- name: Generate nagios configurations
ansible.builtin.template:
src: "nagios/conf.d/{{ item }}.cfg.j2"
dest: "/etc/nagios4/conf.d/{{ item }}.cfg"
mode: "0644"
loop:
- commands
- hosts
@ -26,6 +26,7 @@
ansible.builtin.template:
src: nagios/contacts.cfg.j2
dest: /etc/nagios4/objects/contacts.cfg
mode: "0644"
- name: Copy check_timesyncd
ansible.builtin.copy:
@ -47,7 +48,7 @@
- name: Configure notify-by-telegram
ansible.builtin.copy:
content: "{{ {'auth_key': nagios_telegram_auth_key, 'chat_id': nagios_telegram_chat_id } | to_json }}"
content: "{{ {'auth_key': nagios_telegram_auth_key, 'chat_id': nagios_telegram_chat_id} | to_json }}"
dest: /etc/nagios4/telegram.json
owner: root
group: nagios
@ -55,38 +56,44 @@
- name: Clone nagios-plugin-bacula source code
ansible.builtin.git:
repo: https://github.com/twpayne/nagios-plugin-bacula.git
repo: https://github.com/jouir/nagios-plugin-bacula.git
dest: /opt/nagios-plugin-bacula
- name: Copy global configuration
ansible.builtin.copy:
src: files/nagios/nagios.cfg
dest: /etc/nagios4/nagios.cfg
mode: "0644"
- name: Copy CGI configuration
ansible.builtin.copy:
src: files/nagios/cgi.cfg
dest: /etc/nagios4/cgi.cfg
mode: "0644"
- name: Reload nagios
ansible.builtin.service:
name: nagios4
state: reloaded
enabled: true
- name: Configure htaccess for the web interface
ansible.builtin.template:
src: nagios/htdigest.users.j2
dest: /etc/nagios4/htdigest.users
mode: "0644"
- name: Secure Apache
copy:
ansible.builtin.copy:
src: files/nagios/security.conf
dest: /etc/apache2/conf-available/security.conf
mode: "0644"
- name: Configure vhost for the web interface
ansible.builtin.copy:
src: files/nagios/apache2.conf
dest: /etc/nagios4/apache2.conf
mode: "0644"
- name: Enable Apache modules
ansible.builtin.command:
@ -94,14 +101,17 @@
loop:
- auth_digest
- headers
- cgi
changed_when: true
- name: Restart apache
ansible.builtin.service:
name: apache2
state: restarted
enabled: true
- name: Allow HTTP from vpn
iptables:
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
source: "{{ openvpn_subnet }}"


@ -10,16 +10,19 @@
ansible.builtin.template:
src: nrpe/nrpe.cfg.j2
dest: /etc/nagios/nrpe.cfg
mode: "0644"
- name: Generate NRPE local configuration
ansible.builtin.template:
src: nrpe/nrpe_local.cfg.j2
dest: /etc/nagios/nrpe_local.cfg
mode: "0644"
- name: Manage daemon settings
ansible.builtin.template:
src: nrpe/nagios-nrpe-server.j2
dest: /etc/default/nagios-nrpe-server
mode: "0644"
- name: Clone check-mqtt source code
ansible.builtin.git:
@ -47,7 +50,7 @@
- name: Install check_ovhcloud dependencies
ansible.builtin.pip:
requirements: /opt/check_ovhcloud/requirements.txt
extra_args: "--user"
extra_args: "--user --break-system-packages"
become: true
become_user: nagios
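Review bot: `extra_args: "--user --break-system-packages"` switches off the PEP 668 guard that Debian 12's pip enforces and installs the `check_ovhcloud` requirements into the nagios user's `~/.local`, where they shadow distribution packages for that account. `ansible.builtin.pip` can keep them isolated instead with `virtualenv: /opt/check_ovhcloud/venv` and `virtualenv_command: python3 -m venv` and no `extra_args`, which needs the `python3-venv` package and the check's entry in `nrpe_commands` (not shown here) to invoke the venv interpreter. If `--user` is kept on purpose, a comment above the task saying why would save the next reader from reverting it.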


@ -2,22 +2,24 @@
- name: Install OpenVPN
ansible.builtin.apt:
name: openvpn
state: latest
- name: Deploy OpenVPN configuration
ansible.builtin.template:
src: openvpn/client.conf.j2
dest: /etc/openvpn/client.conf
mode: '0644'
- name: Deploy OpenVPN CA cert
ansible.builtin.copy:
content: "{{ openvpn_ca }}"
dest: /etc/openvpn/ca.crt
mode: '0644'
- name: Deploy OpenVPN TLS auth
ansible.builtin.copy:
content: "{{ openvpn_ta }}"
dest: /etc/openvpn/ta.key
mode: '0600'
- name: Deploy OpenVPN client cert
ansible.builtin.copy:
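Review bot: `Deploy OpenVPN TLS auth` copies `openvpn_ta` through `content:` with `mode: '0600'`, which is right for the file on disk, but without `no_log: true` a run with `--diff` or higher verbosity prints the static key into the console and any log collector; the same applies to the client-key copy whose task starts at the end of this hunk. Add `no_log: true` to those two copy tasks; the CA certificate and `client.conf` deployments can stay as they are, since they carry no secret.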


@ -4,7 +4,6 @@
name:
- python3-serial
- python3-paho-mqtt
state: latest
- name: Clone arduino-sensors-toolkit sources
ansible.builtin.git:
@ -14,11 +13,11 @@
- name: Add serial2mqtt user
ansible.builtin.user:
name: serial2mqtt
system: yes
system: true
password: '!'
home: /var/lib/serial2mqtt
create_home: no
append: yes
create_home: false
append: true
groups:
- dialout
@ -34,15 +33,17 @@
ansible.builtin.copy:
src: files/serial2mqtt/serial2mqtt.default
dest: /etc/default/serial2mqtt
mode: '0644'
- name: Copy serial2mqtt service unit
ansible.builtin.copy:
src: files/serial2mqtt/serial2mqtt.service
dest: /etc/systemd/system/serial2mqtt.service
mode: '0644'
- name: Start serial2mqtt service
ansible.builtin.systemd:
name: serial2mqtt.service
daemon_reload: yes
daemon_reload: true
state: restarted
enabled: yes
enabled: true


@ -2,7 +2,6 @@
- name: Install OpenSSH
ansible.builtin.apt:
name: openssh-server
state: latest
- name: Allow authorized keys
ansible.posix.authorized_key:
@ -20,7 +19,7 @@
mode: '0644'
- name: Reload and enable SSH service
service:
ansible.builtin.service:
name: ssh
state: reloaded
enabled: true


@ -5,4 +5,4 @@
value: '1'
state: present
sysctl_file: /etc/sysctl.d/70-disable-ipv6.conf
reload: yes
reload: true


@ -3,10 +3,11 @@
ansible.builtin.template:
src: telegraf/influxdata.list.j2
dest: /etc/apt/sources.list.d/influxdata.list
mode: '0644'
- name: Download influxdata APT key
ansible.builtin.apt_key:
url: https://repos.influxdata.com/influxdb.key
url: https://repos.influxdata.com/influxdata-archive_compat.key
state: present
- name: Install telegraf and dependencies
@ -15,12 +16,14 @@
- telegraf
- lm-sensors
update_cache: true
state: latest
- name: Generate telegraf configurations
ansible.builtin.template:
src: "telegraf/{{ item }}.conf.j2"
dest: "/etc/telegraf/telegraf.d/{{ item }}.conf"
mode: '0640'
owner: root
group: telegraf
loop:
- inputs
- output
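Review bot: `Download influxdata APT key` still uses `ansible.builtin.apt_key`, which places the key in the legacy trusted keyring where it signs for every APT source on the host, not only `influxdata.list`; Debian 12 marks `apt-key` as deprecated. Fetch the key with `ansible.builtin.get_url` into a dedicated keyring under `/etc/apt/keyrings/` (dearmored if the download is ASCII-armored) and reference it from `telegraf/influxdata.list.j2` with `[signed-by=<keyring path>]`, so that key can only vouch for that repository. The `mode: '0640'` / `group: telegraf` on the generated `telegraf.d` files is the right choice, since the output config carries the InfluxDB and MQTT credentials documented in VARIABLES.md.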


@ -2,3 +2,4 @@
- name: Manage time zone
ansible.builtin.command:
cmd: "timedatectl set-timezone {{ timezone }}"
changed_when: true
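Review bot: `changed_when: true` makes `Manage time zone` report a change on every run even though `timedatectl set-timezone` is idempotent, which hides real changes in the play recap. Register the current zone first with a `changed_when: false` command such as `timedatectl show -p Timezone --value`, and run the set command only `when:` the registered value differs from `{{ timezone }}`.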


@ -11,4 +11,5 @@
src: files/users/bashrc
owner: "{{ item['name'] }}"
group: "{{ item['name'] }}"
mode: '0644'
loop: "{{ users }}"


@ -8,6 +8,7 @@
ansible.builtin.copy:
src: files/vim/vimrc
dest: "{{ '/root/.vimrc' if item['name'] == 'root' else '/home/' + item['name'] + '/.vimrc' }}"
mode: '0644'
loop: "{{ users }}"
loop_control:
label: "{{ item['name'] }}"


@ -0,0 +1,3 @@
{{ ansible_managed | comment }}
allow_anonymous false
password_file /etc/mosquitto/passwd


@ -3,4 +3,3 @@
{% for command in nrpe_commands | default([]) %}
command[{{ command['name'] }}]={{ command['line'] }}
{% endfor %}


@ -16,6 +16,7 @@ key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
data-ciphers AES-256-CBC
auth SHA256
verb 3
key-direction 1
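Review bot: `data-ciphers AES-256-CBC` pins the data channel to a non-AEAD cipher, so the client never offers the AES-GCM or CHACHA20-POLY1305 suites that OpenVPN 2.5+ negotiates by default. If the server (outside this repository) accepts them, list them first and keep CBC only as the fallback, `data-ciphers AES-256-GCM:AES-256-CBC` plus `data-ciphers-fallback AES-256-CBC` for pre-2.5 peers, so the pair negotiates the stronger mode wherever both sides support it. `tls-auth ta.key 1` authenticates the control channel only; moving to `tls-crypt` would also encrypt it, but that is a coordinated server-side change rather than something this template can do alone.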


@ -2,4 +2,5 @@
- name: Upgrade systems
hosts: all
tasks:
- include_tasks: tasks/apt-upgrade.yml
- name: Run apt upgrade
ansible.builtin.include_tasks: tasks/apt-upgrade.yml