diff --git a/.ansible-lint b/.ansible-lint
deleted file mode 100644
index 57fe7e6..0000000
--- a/.ansible-lint
+++ /dev/null
@@ -1,9 +0,0 @@
----
-exclude_paths:
- - .cache/
- - .github/
- - .pre-commit-config.yaml
- - group_vars/pilote.yml
-
-skip_list:
- - latest
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
deleted file mode 100644
index 6a474d2..0000000
--- a/.github/workflows/pre-commit.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-name: pre-commit
-
-on:
- pull_request:
- push:
- branches: [main]
-
-jobs:
- pre-commit:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-python@v3
- - uses: pre-commit/action@v3.0.1
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
deleted file mode 100644
index 34d5ba1..0000000
--- a/.pre-commit-config.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-repos:
- - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v4.6.0
- hooks:
- - id: check-yaml
- - id: detect-private-key
- - id: end-of-file-fixer
- - id: trailing-whitespace
-
- - repo: https://github.com/ansible/ansible-lint
- rev: v24.2.3
- hooks:
- - id: ansible-lint
diff --git a/TODO.md b/TODO.md
index 11bcaae..9bdf499 100644
--- a/TODO.md
+++ b/TODO.md
@@ -1,3 +1,7 @@
 # TODO
-- EasyRSA: Protect CA with a passphrase
+* EasyRSA tasks
+* Variables documentation
+* Github actions
+ * pre-commit
+ * ansible-lint
diff --git a/files/bacula/make_catalog_backup.pl b/files/bacula/make_catalog_backup.pl
index c683493..90e1045 100755
--- a/files/bacula/make_catalog_backup.pl
+++ b/files/bacula/make_catalog_backup.pl
@@ -44,7 +44,7 @@ sub dump_sqlite3
 sub setup_env_pgsql { my %args = @_;
- my $username = getpwuid $ENV{'UID'};
+ my $username = getpwuid $ENV{'UID'};
 umask(0077); if ($args{db_address}) {
@@ -93,7 +93,7 @@ sub setup_env_mysql my %args = @_; umask(0077); unlink("$wd/.my.cnf"); - open(MY, ">$wd/.my.cnf") + open(MY, ">$wd/.my.cnf") or die "Can't open $wd/.my.cnf for writing $@"; $args{db_address} = $args{db_address} || "localhost"; diff --git a/files/nagios/apache2.conf b/files/nagios/apache2.conf index 5dc43e2..e87d3e5 100644 --- a/files/nagios/apache2.conf +++ b/files/nagios/apache2.conf @@ -20,5 +20,5 @@ Alias /nagios4 /usr/share/nagios4/htdocs - Options +ExecCGI + Options +ExecCGI diff --git a/group_vars/README.md b/group_vars/README.md index 9a9e653..18d23c0 100644 --- a/group_vars/README.md +++ b/group_vars/README.md 
@@ -1,815 +1,3 @@ # Variables -Senstivie data should be encrypted using -[ansible-vault](https://docs.ansible.com/ansible/latest/cli/ansible-vault.html). - -## bacula_catalog_name - -Name of the Bacula catalog. - -```yaml -bacula_catalog_name: HomeCatalog -``` - -## bacula_clients - -List of Bacula Clients. - -```yaml -bacula_clients: - - name: pilote-fd - address: localhost - catalog: HomeCatalog - password: *** - file_retention: 60 days - job_retention: 6 months - autoprune: 'yes' - - name: vps-fd - address: 192.168.0.1 - catalog: HomeCatalog - password: *** - file_retention: 60 days - job_retention: 6 months - autoprune: 'yes' - - name: storage1-fd - address: 192.168.0.2 - catalog: HomeCatalog - password: *** - file_retention: 60 days - job_retention: 6 months - autoprune: 'yes' -``` - -## bacula_device_archive_device - -Directory of the Device where to store Bacula backups. - -```yaml -bacula_device_archive_device: /storage/bacula/backup -``` - -## bacula_device_name - -Name of the Bacula Device. - -```yaml -bacula_device_name: FileStorage -``` - -## bacula_director_address - -Address of the Bacula director. - -```yaml -bacula_director_address: 127.0.0.1 -``` - -## bacula_director_name - -Name of the Bacula director. - -```yaml -bacula_director_name: pilote-dir -``` - -## bacula_director_password - -Password of the Bacula director. - -```yaml -bacula_director_password: *** -``` - -## bacula_filedaemon_address - -Address of the Bacula Client (File Daemon). - -```yaml -bacula_filedaemon_address: 127.0.0.1 -``` - -## bacula_filedaemon_name - -Name of the Bacula Client (File Daemon). - -```yaml -bacula_filedaemon_name: pilote-fd -``` - -## bacula_filedaemon_password - -Password of the Bacula Client (File Daemon). - -```yaml -bacula_filedaemon_password: *** -``` - -## bacula_filesets - -List of Bacula File Sets. 
- -```yaml -bacula_filesets: - - name: DebianFileSet - include: - options: - signature: MD5 - compression: GZIP - files: - - /etc - - /var/log - - /root - - /home - exclude: - files: - - '*~' - - name: CatalogFileSet - include: - options: - signature: MD5 - compression: GZIP - files: - - /var/lib/bacula/bacula.sql - - name: InfluxDBFileSet - include: - options: - signature: MD5 - files: - - /var/lib/bacula/influxdb - - name: GrafanaFileSet - include: - options: - signature: MD5 - files: - - /var/lib/bacula/grafana -``` - -## bacula_jobs - -List of Bacula Jobs. - -```yaml -bacula_jobs: - - name: BackupPilote - client: pilote-fd - fileset: DebianFileSet - - name: BackupStorage1 - client: storage1-fd - fileset: DebianFileSet - - name: BackupStorage2 - client: storage2-fd - fileset: DebianFileSet - - name: BackupStorage3 - client: storage3-fd - fileset: DebianFileSet - - name: BackupCatalog - client: pilote-fd - level: Full - fileset: CatalogFileSet - schedule: DefaultScheduleAfterBackup - run_before_job: /etc/bacula/scripts/make_catalog_backup.pl HomeCatalog - run_after_job: /etc/bacula/scripts/delete_catalog_backup - priority: 11 # run after main backup - - name: BackupInfluxDB - client: storage1-fd - fileset: InfluxDBFileSet - schedule: DefaultScheduleAfterBackup - client_run_before_job: /etc/bacula/scripts/influxdb-backup %l - client_run_after_job: /etc/bacula/scripts/influxdb-cleanup - priority: 11 # run after main backup - - name: BackupGrafana - client: storage1-fd - level: Full - fileset: GrafanaFileSet - schedule: DefaultScheduleAfterBackup - client_run_before_job: /etc/bacula/scripts/grafana-backup - client_run_after_job: /etc/bacula/scripts/grafana-cleanup - priority: 11 # run after main backup - - name: RestoreFiles - type: Restore - client: storage1-fd - storage: storage1-sd - fileset: DebianFileSet # required but not used - pool: FullFile # required but not used - messages: Standard - where: /storage/bacula/restore -``` - -## bacula_pools - -List of 
Bacula Pools. - -```yaml -bacula_pools: - - name: FullFile - pool_type: Backup - recycle: 'yes' - auto_prune: 'yes' - volume_retention: 10 years - storage: storage1-sd - maximum_volume_bytes: 1G - maximum_volumes: 100 - labelformat: Full- - - name: DiffFile - pool_type: Backup - recycle: 'yes' - auto_prune: 'yes' - volume_retention: 6 weeks - storage: storage1-sd - maximum_volume_bytes: 1G - maximum_volumes: 100 - labelformat: Diff- - - name: IncrFile - pool_type: Backup - recycle: 'yes' - auto_prune: 'yes' - volume_retention: 3 weeks - storage: storage1-sd - maximum_volume_bytes: 1G - maximum_volumes: 100 - labelformat: Incr- -``` - -## bacula_schedules - -List of Bacula Schedules. - -```yaml -bacula_schedules: - - name: DefaultSchedule - runs: - - datetime: 1st sun at 0:00 - job_overrides: - level: Full - - datetime: 2nd-5th sun at 0:00 - job_overrides: - level: Differential - - datetime: mon-sat at 0:00 - job_overrides: - level: Incremental - - name: DefaultScheduleAfterBackup - runs: - - datetime: sun-sat at 0:00 - job_overrides: - level: Full -``` - -## bacula_storage_address - -Address of the Bacula Storage. - -```yaml -bacula_storage_address: 127.0.0.1 -``` - -## bacula_storage_name - -Name of the Bacula Storage. - -```yaml -bacula_storage_name: storage1-sd -``` - -## bacula_storage_password - -Password of the Bacula Storage. - -```yaml -bacula_storage_password: *** -``` - -## bacula_storages - -List of Bacula Storages. - -```yaml -bacula_storages: - - name: storage1-sd - address: 192.168.0.2 - password: *** - device: FileStorage - media_type: File -``` - -## easyrsa_ca_dir - -Path to the CA directory to create. - -```yaml -easyrsa_ca_dir: /var/lib/easyrsa -``` - -## easyrsa_clients - -List of client hostnames that will have RSA certificates. - -```yaml -easyrsa_clients: - - pilote - - storage1 - - storage2 - - storage3 - - vps -``` - -## hostname - -Name of the remote host. 
- -```yaml -hostname: pilote -``` - -## local_subnet - -Local subnet where the remote host lives. - -```yaml -local_subnet: 192.168.0.0/24 -``` - -## mosquitto_passwords - -List of usernames and passwords to defined mosquitto users. - -```yaml -mosquitto_passwords: - - user: telegraf - hash: '$***' - - user: nagios - hash: '$***' -``` - -See [mosquitto_passwd](https://mosquitto.org/man/mosquitto_passwd-1.html) -command to generate the hash file. - -## nagios_commands - -List of Nagios commands. - -```yaml -nagios_commands: - - command_name: check_https_vhost_certificate - command_line: /usr/lib/nagios/plugins/check_http --ssl --sni -I '$HOSTADDRESS$' -H '$ARG1$' -C '$ARG2$' -``` - -## nagios_contact_groups - -List of Nagios contact groups. - -```yaml -nagios_contact_groups: - - contactgroup_name: admins - alias: Nagios Administrators - members: - - admin - - telegram -``` - -## nagios_contacts - -List of Nagios contacts. - -```yaml -nagios_contacts: - - contact_name: admin - use: generic-contact - alias: Nagios Admin - email: noreply@nonexistant.com - host_notifications_enabled: 0 - service_notifications_enabled: 0 - - contact_name: telegram - use: generic-contact - alias: Telegram notifications - pager: 000000000 - email: noreply@nonexistant.com - service_notification_commands: notify-service-by-telegram - host_notification_commands: notify-host-by-telegram -``` - -## nagios_hostgroups - -List of Nagios host groups. - -```yaml -nagios_hostgroups: - - hostgroup_name: linux-servers - alias: Linux servers - members: - - pilote - - vps - - storage1 - - storage2 - - storage3 - - hostgroup_name: web-servers - alias: Web servers - members: - - vps -``` - -## nagios_hosts - -List of Nagios hosts. - -```yaml -nagios_hosts: - - use: home-host - host_name: pilote - alias: pilote - address: 127.0.0.1 - - use: home-host - host_name: vps - alias: vps - address: 10.8.0.1 -``` - -## nagios_host_templates - -List of Nagios host templates. 
- -```yaml -nagios_host_templates: - - name: home-host - use: generic-host - check_command: check-host-alive - contact_groups: admins - notification_options: - - d - - u - - r - check_interval: 5 - retry_interval: 5 # retry every 5 minutes - max_check_attempts: 12 # alert at 1 hour (12x5 minutes) - notification_interval: 720 # resend notifications every 12 hours -``` - -## nagios_htdigest_users - -List of users for basic authentication. - -```yaml -nagios_htdigest_users: - - name: admin - hash: '...' -``` - -## nagios_service_dependencies - -List of Nagios service dependencies. - -```yaml -nagios_service_dependencies: - - host_name: pilote - service_description: ovhcloud_voip - dependent_host_name: pilote - dependent_service_description: ovhcloud_ping - execution_failure_criteria: u - notification_failure_criteria: u -``` - -## nagios_services - -List of Nagios services. - -```yaml -nagios_services: - - use: home-service - hostgroup_name: linux-servers - service_description: load - check_command: check_nrpe_nossl!check_load - - use: home-service - hostgroup_name: web-servers - service_description: https_monitoring_tld_certificate - check_command: check_https_vhost_certificate!monitoring.tld!1 -``` - -## nagios_service_templates - -List of Nagios service templates. - -```yaml -nagios_service_templates: - - name: home-service - use: generic-service - contact_groups: admins - check_interval: 5 - retry_interval: 5 # retry every 5 minutes - max_check_attempts: 12 # alert at 1 hour (12x5 minutes) - notification_interval: 720 # 12 hours - - name: public-service - use: generic-service - contact_groups: admins - check_interval: 1 - retry_interval: 1 # retry every minute - max_check_attempts: 3 # alert after 3 minutes - notification_interval: 60 # 1 hour -``` - -## nagios_telegram_auth_key - -Key used to authenticate to the Telegram API. See [how to create a -bot](https://core.telegram.org/bots#3-how-do-i-create-a-bot). 
- -```yaml -nagios_telegram_auth_key: '***' -``` - -## nagios_telegram_chat_id - -Unique identifier for the target chat or username of the target channel (in the -format `@channelusername`). See [API -specifications](https://core.telegram.org/bots/api#sendmessage). - -```yaml -nagios_telegram_chat_id: 000000000 -``` - -## nrpe_allowed_hosts - -List of IP addresses or ranges allowed to talk to the NRPE daemon. - -```yaml -nrpe_allowed_hosts: - - 10.8.0.0/24 - - 127.0.0.1 -``` - -## nrpe_commands - -List of NRPE commands. - -```yaml -nrpe_commands: - - name: check_load - line: /usr/lib/nagios/plugins/check_load -r -w 1,1,1 -c 4,4,4 - - name: check_openvpn - line: '/usr/lib/nagios/plugins/check_procs -c 1: -C openvpn' - - name: check_openvpn_cert - line: >- - /opt/check_ssl_cert/check_ssl_cert -f /etc/openvpn/client.crt --ignore-maximum-validity - --ignore-incomplete-chain --allow-empty-san --ignore-sct --warning 15 --critical 1 -``` - -## nrpe_opts - -Options for the NRPE daemon. - -```yaml -nrpe_opts: '-n' # Disable TLS -``` - -## openvpn_ca - -Content of the certificate of the Certificate Authority (CA) used to certify -VPN connections. - -```yaml -openvpn_ca: | - -----BEGIN CERTIFICATE----- -``` - -## openvpn_cert - -Content of the certificate used to authenticate to the VPN server. - -```yaml -openvpn_cert: | - -----BEGIN CERTIFICATE----- -``` - -## openvpn_key - -Content of the private key used to authenticate to the VPN server. - -```yaml -openvpn_key: -``` - -## openvpn_remote_host - -Hostname or IP address of the remote VPN server. - -```yaml -openvpn_remote_host: vpn.fqdn -``` - -## openvpn_subnet - -Subnet used by OpenVPN to group clients. - -```yaml -openvpn_subnet: 10.8.0.0/24 -``` - -## openvpn_ta - -Content of the OpenVPN static key used for TLS authentication. - -```yaml -openvpn_ta: -``` - -## ovh_application_key - -Application key used to authenticate to the OVH API. 
- -```yaml -ovh_application_key: deadbeef -``` - -See [first steps with the OVHcloud -APIs](https://help.ovhcloud.com/csm/en-gb-api-getting-started-ovhcloud-api?id=kb_article_view&sysparm_article=KB0042784). - -## ovh_application_secret - -Application secret used to authenticate to the OVH API. - -```yaml -ovh_application_secret: deadbeef -``` - -See [first steps with the OVHcloud -APIs](https://help.ovhcloud.com/csm/en-gb-api-getting-started-ovhcloud-api?id=kb_article_view&sysparm_article=KB0042784). - -## ovh_consumer_key - -Consumer key used to authenticate to the OVH API. - -```yaml -ovh_consumer_key: deadbeef -``` - -See [first steps with the OVHcloud -APIs](https://help.ovhcloud.com/csm/en-gb-api-getting-started-ovhcloud-api?id=kb_article_view&sysparm_article=KB0042784). - -## ovh_endpoint - -Endpoint of the OVH API. - -```yaml -ovh_endpoint: ovh-eu -``` - -See [first steps with the OVHcloud -APIs](https://help.ovhcloud.com/csm/en-gb-api-getting-started-ovhcloud-api?id=kb_article_view&sysparm_article=KB0042784). - -## serial2mqtt_host - -Hostname or IP address used by serial2mqtt to send messages to the MQTT broker. - -```yaml -serial2mqtt_host: localhost -``` - -## serial2mqtt_interface - -Name of the serial interface name used by serial2mqtt to gather metrics -produced by the Arduino board. - -```yaml -serial2mqtt_interface: /dev/ttyACM0 -``` - -## serial2mqtt_password - -Password used by serial2mqtt to send messages to the MQTT broker. - -```yaml -serial2mqtt_password: *** -``` -## serial2mqtt_port - -Port used by serial2mqtt to send messages to the MQTT broker. - -```yaml -serial2mqtt_port: 1883 -``` - -## serial2mqtt_topic_prefix - -Add this prefix to topic names on the MQTT broker for serial2mqtt messages. - -```yaml -serial2mqtt_topic_prefix: sensors -``` - -## serial2mqtt_username - -Username used by serial2mqtt to send messages to the MQTT broker. 
- -```yaml -serial2mqtt_username: telegraf -``` - -## ssh_authorized_keys - -List of SSH authorized keys. - -```yaml -ssh_authorized_keys: - - user: root - key: ssh-ed25519 hash - comment: desktop -``` - -Used by -[ansible.posix.authorized_keys](https://docs.ansible.com/ansible/latest/collections/ansible/posix/authorized_key_module.html) -module. - -## telegraf_influxdb_database - -Name of the InfluxDB database used by telegraf to send metrics. - -```yaml -telegraf_influxdb_database: metrics -``` - -## telegraf_influxdb_password - -Password of the InfluxDB user used by telegraf to send metrics. - -```yaml -telegraf_influxdb_password: *** -``` - -## telegraf_influxdb_urls - -List of InfluxDB endpoints used by telegraf to send metrics. - -```yaml -telegraf_influxdb_urls: - - https://192.168.0.1:8088 -``` - -## telegraf_influxdb_username - -Name of the InfluxDB user used by telegraf to send metrics. - -```yaml -telegraf_influxdb_username: telegraf -``` - -## telegraf_mqtt_consumer_password - -Password used to authenticate to the MQTT broker for telegraf. - -```yaml -telegraf_mqtt_consumer_password: *** -``` - -## telegraf_mqtt_consumer_servers - -List of MQTT brokers for telegraf. - -```yaml -telegraf_mqtt_consumer_servers: - - tcp://localhost:1883 -``` - -## telegraf_mqtt_consumer_topics - -List of MQTT topics to consume for telegraf. - -```yaml -telegraf_mqtt_consumer_topics: - - sensors/humidity - - sensors/temperature -``` - -## telegraf_mqtt_consumer_username - -Name used to authenticate to the MQTT broker for telegraf. - -```yaml -telegraf_mqtt_consumer_username: telegraf -``` - -## telegraf_ping_ip - -IP address of the host to ping for latency metrics. - -```yaml -telegraf_ping_ip: 192.168.0.1 -``` - -## timezone - -Alias of the time zone. - -```yaml -timezone: Europe/Brussels -``` - -## users - -List of users to configure on the remote host. 
- -```yaml -users: - - name: root - password: hash -``` - -Used by -[ansible.builtin.user](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/user_module.html) -module. +Soon. diff --git a/main.yml b/main.yml index e202e8d..0b65dbb 100644 --- a/main.yml +++ b/main.yml 
@@ -1,55 +1,23 @@ --- -- name: Configure pilote - hosts: pilote +- hosts: pilote gather_facts: true tasks: - - name: Configure sysctl - ansible.builtin.include_tasks: tasks/sysctl.yml - - - name: Configure apt - ansible.builtin.include_tasks: tasks/apt.yml - - - name: Configure users - ansible.builtin.include_tasks: tasks/users.yml - - - name: Configure profile - ansible.builtin.include_tasks: tasks/profile.yml - - - name: Configure hostname - ansible.builtin.include_tasks: tasks/hostname.yml - - - name: Configure motd - ansible.builtin.include_tasks: tasks/motd.yml - - - name: Configure time - ansible.builtin.include_tasks: tasks/time.yml - - - name: Configure iptables - ansible.builtin.include_tasks: tasks/iptables.yml - - - name: Configure SSH - ansible.builtin.include_tasks: tasks/ssh.yml - - - name: Configure OpenVPN - ansible.builtin.include_tasks: tasks/openvpn.yml - - - name: Configure Nagios - ansible.builtin.include_tasks: tasks/nagios.yml - - - name: Configure NRPE - ansible.builtin.include_tasks: tasks/nrpe.yml - - - name: Configure Mosquitto - ansible.builtin.include_tasks: tasks/mosquitto.yml - - - name: Configure serial2mqtt - ansible.builtin.include_tasks: tasks/serial2mqtt.yml - - - name: Configure telegraf - ansible.builtin.include_tasks: tasks/telegraf.yml - - - name: Configure vim - ansible.builtin.include_tasks: tasks/vim.yml - - - name: Configure EasyRSA - ansible.builtin.include_tasks: tasks/easyrsa.yml + - ansible.builtin.include_tasks: tasks/sysctl.yml + - ansible.builtin.include_tasks: tasks/apt.yml + - ansible.builtin.include_tasks: tasks/users.yml + - ansible.builtin.include_tasks: tasks/profile.yml + - ansible.builtin.include_tasks: tasks/hostname.yml + - ansible.builtin.include_tasks: tasks/motd.yml + - ansible.builtin.include_tasks: tasks/time.yml + - ansible.builtin.include_tasks: tasks/ssh.yml + - ansible.builtin.include_tasks: tasks/openvpn.yml + - ansible.builtin.include_tasks: tasks/nagios.yml + - ansible.builtin.include_tasks: 
tasks/nrpe.yml + - ansible.builtin.include_tasks: tasks/mosquitto.yml + - ansible.builtin.include_tasks: tasks/serial2mqtt.yml + - ansible.builtin.include_tasks: tasks/telegraf.yml + - ansible.builtin.include_tasks: tasks/bacula.yml + - ansible.builtin.include_tasks: tasks/iptables.yml + # TODO + #- ansible.builtin.include_tasks: tasks/easyrsa.yml + - ansible.builtin.include_tasks: tasks/vim.yml diff --git a/renew.yml b/renew.yml deleted file mode 100644 index 2686afe..0000000 --- a/renew.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -- name: Renew client RSA certificates - hosts: pilote - gather_facts: false - tasks: - - name: Delete client certificates - ansible.builtin.include_tasks: tasks/easyrsa-certs-delete.yml - - - name: Configure EasyRSA - ansible.builtin.include_tasks: tasks/easyrsa.yml diff --git a/tasks/apt.yml b/tasks/apt.yml index 5974737..0ca4e58 100644 --- a/tasks/apt.yml +++ b/tasks/apt.yml @@ -10,7 +10,6 @@ ansible.builtin.template: src: apt/raspi.list.j2 dest: /etc/apt/sources.list.d/raspi.list - mode: "0644" - name: Update system ansible.builtin.apt: diff --git a/tasks/bacula.yml b/tasks/bacula.yml index f3e5fd6..f015f12 100644 --- a/tasks/bacula.yml +++ b/tasks/bacula.yml @@ -1,12 +1,13 @@ --- - name: Install bacula - ansible.builtin.package: + ansible.builtin.apt: name: - bacula-director - bacula-director-sqlite3 - bacula-fd - bacula-sd - bacula-console + state: latest - name: Configure database ansible.builtin.copy: @@ -56,19 +57,10 @@ owner: root group: bacula -- name: Create configuration directory - ansible.builtin.file: - path: /etc/bacula/conf.d - state: directory - owner: root - group: root - mode: '0755' - - name: Copy configuration files ansible.builtin.template: src: "bacula/conf.d/{{ item }}.conf.j2" dest: "/etc/bacula/conf.d/{{ item }}.conf" - mode: "0644" loop: - clients - filesets diff --git a/tasks/easyrsa-certs-delete.yml b/tasks/easyrsa-certs-delete.yml deleted file mode 100644 index 33421f6..0000000 
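Review bot: `tasks/iptables.yml` is now included after SSH, OpenVPN, Nagios/Apache, NRPE, Mosquitto, telegraf and Bacula have all been installed and (re)started, so on a fresh host those daemons listen with the default ACCEPT policy until the last tasks set `policy: DROP`; the previous order applied the firewall right after `tasks/time.yml`, before any service. Move the iptables include back above `tasks/ssh.yml` so the DROP policy and allow rules exist before anything starts listening. The play and every task also lost their `name:`, which removes the only human-readable marker from `--list-tasks`, `--start-at-task` and run logs; keeping `- name: Configure iptables` above each `ansible.builtin.include_tasks:` costs nothing.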
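Review bot: `state: latest` on the Bacula package task turns every configuration run into an unattended upgrade of the director, storage daemon and file daemon, so a routine playbook run can change backup software versions (and potentially the catalog schema) without a deliberate decision; the previous `ansible.builtin.package` with the default `present` state was reproducible. Use `state: present` here and leave upgrades to `upgrade.yml`, which already exists for that purpose. The same `state: latest` is added to the apt, mosquitto, nagios, openvpn, serial2mqtt, ssh and telegraf installs in this commit and the same remark applies to each.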
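Review bot: The `Copy configuration files` task drops `mode: "0644"` and the task that created `/etc/bacula/conf.d` with explicit ownership is removed, so both the directory (now implicitly created by whatever runs first, or missing) and the rendered `clients`/`storages` files get the remote umask default; the removed README shows those objects carry `password:` fields for every file daemon and storage daemon, so they should not be world-readable. Keep the directory task and give the templates `mode: '0640'`, `owner: root`, `group: bacula`, matching the `group: bacula` already used by the task just above this hunk.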
--- a/tasks/easyrsa-certs-delete.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: Delete EasyRSA certificates - ansible.builtin.file: - name: "{{ item }}" - state: absent - loop: - - "{{ easyrsa_ca_dir }}/pki/reqs/{{ client_name }}.req" - - "{{ easyrsa_ca_dir }}/pki/private/{{ client_name }}.key" - - "{{ easyrsa_ca_dir }}/pki/issued/{{ client_name }}.crt" diff --git a/tasks/easyrsa.yml b/tasks/easyrsa.yml index d1ebda7..16c897c 100644 --- a/tasks/easyrsa.yml +++ b/tasks/easyrsa.yml 
@@ -1,62 +1,13 @@ --- -- name: Install EasyRSA - ansible.builtin.package: - name: easy-rsa +# TODO +- name: copy easyrsa sources to /root + copy: + src: files/easyrsa/EasyRSA-v3.0.6 + dest: /root/ + mode: preserve -- name: Add easyrsa binary to path - ansible.builtin.file: - src: /usr/share/easy-rsa/easyrsa +- name: add easyrsa binary to path + file: + src: /root/EasyRSA-v3.0.6/easyrsa dest: /usr/local/sbin/easyrsa state: link - -- name: Create CA directory - ansible.builtin.command: - cmd: "make-cadir {{ easyrsa_ca_dir }}" - creates: "{{ easyrsa_ca_dir }}" - -- name: Init PKI - ansible.builtin.command: - cmd: easyrsa init-pki - chdir: "{{ easyrsa_ca_dir }}" - creates: "{{ easyrsa_ca_dir }}/pki" - environment: - EASYRSA_BATCH: "1" - -- name: Create symlinks - ansible.builtin.file: - src: "{{ easyrsa_ca_dir }}/{{ item }}" - dest: "{{ easyrsa_ca_dir }}/pki/{{ item }}" - state: link - loop: - - x509-types - - openssl-easyrsa.cnf - -- name: Create random file - ansible.builtin.command: - cmd: "openssl rand -writerand {{ easyrsa_ca_dir }}/pki/.rnd" - creates: "{{ easyrsa_ca_dir }}/pki/.rnd" - -- name: Build CA - ansible.builtin.command: - cmd: easyrsa build-ca nopass - chdir: "{{ easyrsa_ca_dir }}" - creates: "{{ easyrsa_ca_dir }}/pki/ca.crt" - environment: - EASYRSA_BATCH: "1" - -- name: Generate DH parameters - ansible.builtin.command: - cmd: easyrsa gen-dh - chdir: "{{ easyrsa_ca_dir }}" - creates: "{{ easyrsa_ca_dir }}/pki/dh.pem" - environment: - EASYRSA_BATCH: "1" - -- name: Generate client certificates - ansible.builtin.command: - cmd: "easyrsa build-client-full {{ item }} nopass" - chdir: "{{ easyrsa_ca_dir }}" - creates: "{{ easyrsa_ca_dir }}/pki/private/{{ item }}.key" - environment: - EASYRSA_BATCH: "1" - loop: "{{ easyrsa_clients | default([]) }}" diff --git a/tasks/hostname.yml b/tasks/hostname.yml index dd31bc9..66a03f4 100644 --- a/tasks/hostname.yml +++ b/tasks/hostname.yml 
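Review bot: The new tasks copy a vendored `files/easyrsa/EasyRSA-v3.0.6` tree to `/root` with `mode: preserve` and symlink it as `/usr/local/sbin/easyrsa`, replacing the distro `easy-rsa` package; nothing in the hunk verifies what is being deployed (no checksum or signature), the tree is pinned to an old 3.0.x release that will not receive distro security updates, and the CA build, DH generation and client-certificate tasks are deleted outright (the `# TODO` confirms this is unfinished). If the package route really is not viable, say why in a comment and fetch the upstream release with `ansible.builtin.get_url` plus a `checksum:` rather than committing the sources. Note also that the link target lives under `/root`, which is typically `0700`, so the system-wide symlink only works for root, and the tasks use the short `copy`/`file` names while the rest of the repository uses `ansible.builtin.*`.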
@@ -1,10 +1,9 @@ --- - name: Setup hostname - ansible.builtin.hostname: + hostname: name: "{{ hostname }}" - name: Manage /etc/hosts ansible.builtin.template: src: hostname/hosts.j2 dest: /etc/hosts - mode: "0644" diff --git a/tasks/iptables.yml b/tasks/iptables.yml index 9cdb9b4..f127180 100644 --- a/tasks/iptables.yml +++ b/tasks/iptables.yml @@ -1,9 +1,4 @@ --- -- name: Install iptables - ansible.builtin.package: - name: iptables - state: present - - name: Allow related and established connections ansible.builtin.iptables: chain: INPUT @@ -26,7 +21,7 @@ comment: allow ping from the world - name: Deny input connections by default - ansible.builtin.iptables: + ansible.builtin.iptables: chain: INPUT policy: DROP @@ -62,7 +57,7 @@ name: - netfilter-persistent - iptables-persistent + state: latest - name: Save iptables - ansible.builtin.command: netfilter-persistent save - changed_when: true + ansible.builtin.command: netfilter-persistent save diff --git a/tasks/mosquitto.yml b/tasks/mosquitto.yml index 1921cee..4ee6111 100644 --- a/tasks/mosquitto.yml +++ b/tasks/mosquitto.yml @@ -1,23 +1,22 @@ --- - name: Install packages - ansible.builtin.package: - name: mosquitto + ansible.builtin.apt: + name: + - mosquitto + state: latest -- name: Deploy general configuration - ansible.builtin.template: - src: mosquitto/default.conf.j2 - dest: /etc/mosquitto/conf.d/default.conf - mode: "0644" - owner: root - group: root +- name: Configure mosquitto + ansible.builtin.copy: + src: files/mosquitto/conf.d + dest: /etc/mosquitto - name: Copy mosquitto password ansible.builtin.template: src: mosquitto/passwd.j2 dest: /etc/mosquitto/passwd - mode: '0640' + mode: '0600' owner: root - group: mosquitto + group: root - name: Restart mosquitto ansible.builtin.service: diff --git a/tasks/motd.yml b/tasks/motd.yml index 26dd543..3830398 100644 --- a/tasks/motd.yml +++ b/tasks/motd.yml 
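Review bot: Removing the `Install iptables` task leaves nothing in this file guaranteeing the `iptables` binary before the `ansible.builtin.iptables` rule tasks run; on a minimal image the first rule task would presumably fail, and the only remaining install (`netfilter-persistent`/`iptables-persistent`, with `state: latest`) happens at the end of the file after all the rules. Keep the original `ansible.builtin.package: name: iptables, state: present` task, or move the persistence package install to the top of the file. Dropping `changed_when: true` from `netfilter-persistent save` also makes that task report `changed` on every run with no way to tell real changes apart; restore it.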
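Review bot: `/etc/mosquitto/passwd` is now written `0600` `root:root`, but on Debian the broker runs as the `mosquitto` user, so after a config reload it would presumably no longer be able to re-read its password file; the previous `0640` `root:mosquitto` was the least-privilege setting that still works, so restore `mode: '0640'`, `owner: root`, `group: mosquitto`. Separately, the templated `default.conf` that carried `allow_anonymous false` and `password_file /etc/mosquitto/passwd` is replaced by a static `files/mosquitto/conf.d` directory not shown in this diff; confirm that directory still sets both, otherwise the broker accepts unauthenticated MQTT on 1883.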
@@ -6,15 +6,10 @@ - name: Run figlet ansible.builtin.shell: - cmd: >- - set -o pipefail - hostname | figlet -f /usr/share/figlet/smslant.flf - executable: /bin/bash + cmd: "hostname | figlet -f /usr/share/figlet/smslant.flf" register: _motd - changed_when: true - name: Create motd ansible.builtin.copy: dest: /etc/motd content: "{{ _motd.stdout }}\n" - mode: "0644" diff --git a/tasks/nagios.yml b/tasks/nagios.yml index 5dc9c31..298bb55 100644 --- a/tasks/nagios.yml +++ b/tasks/nagios.yml @@ -1,6 +1,6 @@ --- - name: Install nagios - ansible.builtin.package: + ansible.builtin.apt: name: - nagios4 - git @@ -8,13 +8,13 @@ - python3-jinja2 - python3-requests - python3-jsonschema - - python3-pexpect + - python-pexpect + state: latest - name: Generate nagios configurations ansible.builtin.template: src: "nagios/conf.d/{{ item }}.cfg.j2" dest: "/etc/nagios4/conf.d/{{ item }}.cfg" - mode: "0644" loop: - commands - hosts @@ -26,7 +26,6 @@ ansible.builtin.template: src: nagios/contacts.cfg.j2 dest: /etc/nagios4/objects/contacts.cfg - mode: "0644" - name: Copy check_timesyncd ansible.builtin.copy: @@ -48,7 +47,7 @@ - name: Configure notify-by-telegram ansible.builtin.copy: - content: "{{ {'auth_key': nagios_telegram_auth_key, 'chat_id': nagios_telegram_chat_id} | to_json }}" + content: "{{ {'auth_key': nagios_telegram_auth_key, 'chat_id': nagios_telegram_chat_id } | to_json }}" dest: /etc/nagios4/telegram.json owner: root group: nagios 
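Review bot: Dropping `set -o pipefail` and `executable: /bin/bash` from `Run figlet` means a failure of `hostname` is masked by figlet's exit status, so the following `Create motd` task would silently write an empty `/etc/motd`; the `changed_when: true` removal also makes a task that always rewrites its output report `ok`. Since `hostname` is already an inventory variable in this repository, the pipeline is unnecessary: use `ansible.builtin.command` with `cmd: 'figlet -f /usr/share/figlet/smslant.flf "{{ hostname }}"'` and `changed_when: false`, which needs no shell at all.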
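Review bot: `python-pexpect` is the Python 2 package name; on current Debian and Raspberry Pi OS releases only `python3-pexpect` is presumably available, so the whole `Install nagios` apt task fails and none of the remaining tasks in `nagios.yml` run. Keep `python3-pexpect`, and use `state: present` rather than `state: latest` so a configuration run does not upgrade nagios4 and its plugins as a side effect.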
@@ -56,44 +55,38 @@ - name: Clone nagios-plugin-bacula source code ansible.builtin.git: - repo: https://github.com/jouir/nagios-plugin-bacula.git + repo: https://github.com/twpayne/nagios-plugin-bacula.git dest: /opt/nagios-plugin-bacula - name: Copy global configuration - ansible.builtin.copy: + ansible.builtin.copy: src: files/nagios/nagios.cfg dest: /etc/nagios4/nagios.cfg - mode: "0644" - name: Copy CGI configuration ansible.builtin.copy: src: files/nagios/cgi.cfg dest: /etc/nagios4/cgi.cfg - mode: "0644" - name: Reload nagios ansible.builtin.service: name: nagios4 state: reloaded - enabled: true - name: Configure htaccess for the web interface ansible.builtin.template: src: nagios/htdigest.users.j2 dest: /etc/nagios4/htdigest.users - mode: "0644" - name: Secure Apache - ansible.builtin.copy: + copy: src: files/nagios/security.conf dest: /etc/apache2/conf-available/security.conf - mode: "0644" - name: Configure vhost for the web interface ansible.builtin.copy: src: files/nagios/apache2.conf dest: /etc/nagios4/apache2.conf - mode: "0644" - name: Enable Apache modules ansible.builtin.command: @@ -101,17 +94,14 @@ loop: - auth_digest - headers - - cgi - changed_when: true - name: Restart apache ansible.builtin.service: name: apache2 state: restarted - enabled: true - name: Allow HTTP from vpn - ansible.builtin.iptables: + iptables: chain: INPUT protocol: tcp source: "{{ openvpn_subnet }}" diff --git a/tasks/nrpe.yml b/tasks/nrpe.yml index 05c2623..fdf1f72 100644 --- a/tasks/nrpe.yml +++ b/tasks/nrpe.yml @@ -10,19 +10,16 @@ ansible.builtin.template: src: nrpe/nrpe.cfg.j2 dest: /etc/nagios/nrpe.cfg - mode: "0644" - name: Generate NRPE local configuration ansible.builtin.template: src: nrpe/nrpe_local.cfg.j2 dest: /etc/nagios/nrpe_local.cfg - mode: "0644" - name: Manage daemon settings ansible.builtin.template: src: nrpe/nagios-nrpe-server.j2 dest: /etc/default/nagios-nrpe-server - mode: "0644" - name: Clone check-mqtt source code ansible.builtin.git: 
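Review bot: `Clone nagios-plugin-bacula source code` switches to a different GitHub account with no `version:`, so every run checks out and later executes whatever HEAD of `twpayne/nagios-plugin-bacula` is at that moment as a Nagios check; pin it, e.g. `version: <commit sha>`, and note in a comment why the upstream changed. `/etc/nagios4/htdigest.users` also loses its explicit mode and is written with the umask default even though it holds the web-interface password digests; give it `mode: '0640'`, `owner: root`, `group: www-data`. Finally `enabled: true` is dropped from the nagios4 and apache2 service tasks and `cgi` from the module loop, while `files/nagios/apache2.conf` still sets `Options +ExecCGI`; confirm the CGI module is enabled elsewhere, otherwise the status CGIs stop working after this change.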
@@ -50,7 +47,7 @@ - name: Install check_ovhcloud dependencies ansible.builtin.pip: requirements: /opt/check_ovhcloud/requirements.txt - extra_args: "--user --break-system-packages" + extra_args: "--user" become: true become_user: nagios diff --git a/tasks/openvpn.yml b/tasks/openvpn.yml index 1254c9e..f7089c8 100644 --- a/tasks/openvpn.yml +++ b/tasks/openvpn.yml @@ -2,24 +2,22 @@ - name: Install OpenVPN ansible.builtin.apt: name: openvpn + state: latest - name: Deploy OpenVPN configuration ansible.builtin.template: src: openvpn/client.conf.j2 dest: /etc/openvpn/client.conf - mode: '0644' - name: Deploy OpenVPN CA cert ansible.builtin.copy: content: "{{ openvpn_ca }}" dest: /etc/openvpn/ca.crt - mode: '0644' - name: Deploy OpenVPN TLS auth ansible.builtin.copy: content: "{{ openvpn_ta }}" dest: /etc/openvpn/ta.key - mode: '0600' - name: Deploy OpenVPN client cert ansible.builtin.copy: diff --git a/tasks/serial2mqtt.yml b/tasks/serial2mqtt.yml index 74f122f..33e1901 100644 --- a/tasks/serial2mqtt.yml +++ b/tasks/serial2mqtt.yml @@ -4,6 +4,7 @@ name: - python3-serial - python3-paho-mqtt + state: latest - name: Clone arduino-sensors-toolkit sources ansible.builtin.git: @@ -13,11 +14,11 @@ - name: Add serial2mqtt user ansible.builtin.user: name: serial2mqtt - system: true + system: yes password: '!' home: /var/lib/serial2mqtt - create_home: false - append: true + create_home: no + append: yes groups: - dialout @@ -33,17 +34,15 @@ ansible.builtin.copy: src: files/serial2mqtt/serial2mqtt.default dest: /etc/default/serial2mqtt - mode: '0644' - name: Copy serial2mqtt service unit ansible.builtin.copy: src: files/serial2mqtt/serial2mqtt.service dest: /etc/systemd/system/serial2mqtt.service - mode: '0644' - name: Start serial2mqtt service ansible.builtin.systemd: name: serial2mqtt.service - daemon_reload: true + daemon_reload: yes state: restarted - enabled: true + enabled: yes diff --git a/tasks/ssh.yml b/tasks/ssh.yml index e2a10dc..45c74be 100644 --- a/tasks/ssh.yml 
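Review bot: `Deploy OpenVPN TLS auth` no longer sets `mode: '0600'`, so `/etc/openvpn/ta.key`, the shared HMAC key that gates the TLS handshake, is written with the remote umask default (typically `0644`) and becomes readable by every local user. Restore `mode: '0600'` on that task; the client cert and key tasks continue below the hunk, so check that `client.key` kept its restrictive mode as well. Keeping explicit `mode: '0644'` on `client.conf` and `ca.crt` is also worthwhile so file permissions do not depend on the umask of whichever account runs the play.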
+++ b/tasks/ssh.yml @@ -2,6 +2,7 @@ - name: Install OpenSSH ansible.builtin.apt: name: openssh-server + state: latest - name: Allow authorized keys ansible.posix.authorized_key: @@ -19,7 +20,7 @@ mode: '0644' - name: Reload and enable SSH service - ansible.builtin.service: + service: name: ssh state: reloaded enabled: true diff --git a/tasks/sysctl.yml b/tasks/sysctl.yml index 279f3d4..fc3e9a9 100644 --- a/tasks/sysctl.yml +++ b/tasks/sysctl.yml @@ -5,4 +5,4 @@ value: '1' state: present sysctl_file: /etc/sysctl.d/70-disable-ipv6.conf - reload: true + reload: yes diff --git a/tasks/telegraf.yml b/tasks/telegraf.yml index 842258c..a5c5051 100644 --- a/tasks/telegraf.yml +++ b/tasks/telegraf.yml @@ -3,11 +3,10 @@ ansible.builtin.template: src: telegraf/influxdata.list.j2 dest: /etc/apt/sources.list.d/influxdata.list - mode: '0644' - name: Download influxdata APT key ansible.builtin.apt_key: - url: https://repos.influxdata.com/influxdata-archive_compat.key + url: https://repos.influxdata.com/influxdb.key state: present - name: Install telegraf and dependencies @@ -16,14 +15,12 @@ - telegraf - lm-sensors update_cache: true + state: latest - name: Generate telegraf configurations ansible.builtin.template: src: "telegraf/{{ item }}.conf.j2" dest: "/etc/telegraf/telegraf.d/{{ item }}.conf" - mode: '0640' - owner: root - group: telegraf loop: - inputs - output diff --git a/tasks/time.yml b/tasks/time.yml index c3ca16f..d4410b2 100644 --- a/tasks/time.yml +++ b/tasks/time.yml @@ -2,4 +2,3 @@ - name: Manage time zone ansible.builtin.command: cmd: "timedatectl set-timezone {{ timezone }}" - changed_when: true diff --git a/tasks/users.yml b/tasks/users.yml index 037a880..2355d60 100644 --- a/tasks/users.yml +++ b/tasks/users.yml @@ -11,5 +11,4 @@ src: files/users/bashrc owner: "{{ item['name'] }}" group: "{{ item['name'] }}" - mode: '0644' loop: "{{ users }}" diff --git a/tasks/vim.yml b/tasks/vim.yml index cdeaeef..ea21d14 100644 --- a/tasks/vim.yml +++ b/tasks/vim.yml 
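Review bot: `Generate telegraf configurations` loses `mode: '0640'`, `owner: root`, `group: telegraf`, so `output.conf` and `inputs.conf`, which the removed variable documentation shows are rendered with `telegraf_influxdb_password` and `telegraf_mqtt_consumer_password`, end up world-readable under the umask default; telegraf runs as its own user, which is exactly why `root:telegraf 0640` was chosen. Restore those three lines. In the same file, `ansible.builtin.apt_key` is deprecated in favour of a keyring file referenced via `signed-by=` in the sources list, and the key URL is changed to `influxdb.key` with no `id:`/fingerprint check, so a swapped key would be accepted silently; at minimum pin `id:` for the expected key.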
@@ -8,7 +8,6 @@ ansible.builtin.copy: src: files/vim/vimrc dest: "{{ '/root/.vimrc' if item['name'] == 'root' else '/home/' + item['name'] + '/.vimrc' }}" - mode: '0644' loop: "{{ users }}" loop_control: label: "{{ item['name'] }}" diff --git a/templates/mosquitto/default.conf.j2 b/templates/mosquitto/default.conf.j2 deleted file mode 100644 index f1d2456..0000000 --- a/templates/mosquitto/default.conf.j2 +++ /dev/null @@ -1,3 +0,0 @@ -{{ ansible_managed | comment }} -allow_anonymous false -password_file /etc/mosquitto/passwd diff --git a/templates/nrpe/nrpe_local.cfg.j2 b/templates/nrpe/nrpe_local.cfg.j2 index 73c64e8..5d027b5 100644 --- a/templates/nrpe/nrpe_local.cfg.j2 +++ b/templates/nrpe/nrpe_local.cfg.j2 @@ -3,3 +3,4 @@ {% for command in nrpe_commands | default([]) %} command[{{ command['name'] }}]={{ command['line'] }} {% endfor %} + diff --git a/templates/openvpn/client.conf.j2 b/templates/openvpn/client.conf.j2 index 9e773d8..c1a291b 100644 --- a/templates/openvpn/client.conf.j2 +++ b/templates/openvpn/client.conf.j2 @@ -16,7 +16,6 @@ key client.key remote-cert-tls server tls-auth ta.key 1 cipher AES-256-CBC -data-ciphers AES-256-CBC auth SHA256 verb 3 key-direction 1 diff --git a/upgrade.yml b/upgrade.yml index 659254b..2654360 100644 --- a/upgrade.yml +++ b/upgrade.yml @@ -2,5 +2,4 @@ - name: Upgrade systems hosts: all tasks: - - name: Run apt upgrade - ansible.builtin.include_tasks: tasks/apt-upgrade.yml + - include_tasks: tasks/apt-upgrade.yml
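Review bot: Removing `data-ciphers AES-256-CBC` while keeping the bare `cipher AES-256-CBC` leaves the negotiated cipher set to OpenVPN's version default; on 2.5 and later `cipher` alone is deprecated and, depending on the exact release, the CBC cipher may not be offered at all, so the client could fail to connect to a server that only accepts AES-256-CBC or negotiate something different from what the config appears to say. Be explicit and prefer an AEAD set: `data-ciphers AES-256-GCM:AES-128-GCM` plus `data-ciphers-fallback AES-256-CBC` if the server still requires CBC, and drop the bare `cipher` line. The OpenVPN server version this talks to is not visible here, so confirm against it.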