From a8c0dc7880b4746c715752da39c5d14cd238a110 Mon Sep 17 00:00:00 2001 From: DistroByte Date: Tue, 23 May 2023 21:50:25 +0100 Subject: [PATCH] update ansible roles --- ansible/redbrick-ansible.yml | 44 +++++++++++++------ ansible/roles/apt/defaults/main.yml | 4 +- ansible/roles/apt/tasks/main.yml | 16 +++++-- ansible/roles/configure-consul/tasks/main.yml | 2 +- ansible/roles/hashicorp-apt/tasks/main.yml | 7 +++ ansible/roles/ssh/defaults/main.yml | 10 +++-- ansible/roles/ssh/tasks/main.yml | 3 +- ansible/templates/sshd_config.j2 | 9 ++-- 8 files changed, 63 insertions(+), 32 deletions(-) diff --git a/ansible/redbrick-ansible.yml b/ansible/redbrick-ansible.yml index 4bd63d3..78cebfa 100644 --- a/ansible/redbrick-ansible.yml +++ b/ansible/redbrick-ansible.yml 
@@ -5,19 +5,35 @@ # before running the playbook, ignores uncommitted changes - name: Check local repository is up to date hosts: localhost - roles: - - { role: git-compare-head } # Prevent execution on out-of-date or divergent branches - -- name: Redbrick general management - hosts: all roles: - #- { role: apt } # update all packages, equivalent to `apt update && apt upgrade` - #- { role: ssh } # add users defined in roles/defaults/main.yml - #- { role: fail2ban } # add and configure fail2ban with jail file located in `templates/fail2ban.jail` + - { role: git-compare-head } # Prevent execution on out-of-date or divergent branches -- name: Configure Nomad & Consul - hosts: nomad - roles: - #- { role: hashicorp-apt } # add hashicorp apt repo to apt sources - #- { role: configure-nomad } # install nomad, configure and start the client & server based on `templates/` on nomad group - #- { role: configure-consul } # install consul, configure and start the client & server based on `templates/` on nomad group +# - name: Redbrick general management +# hosts: all +# roles: +#- { role: apt } # update all packages, equivalent to `apt update && apt upgrade` +#- { role: ssh } # add users defined in roles/defaults/main.yml +#- { role: fail2ban } # add and configure fail2ban with jail file located in `templates/fail2ban.jail` + +# - name: Configure Nomad & Consul +# hosts: nomad +# roles: +#- { role: hashicorp-apt } # add hashicorp apt repo to apt sources +#- { role: configure-nomad } # install nomad, configure and start the client & server based on `templates/` on nomad group +#- { role: configure-consul } # install consul, configure and start the client & server based on `templates/` on nomad group + +# - name: Configure NFS server +# hosts: nfs_servers +# roles: +# - { role: configure-nfs-server } # install nfs server and configure based on `templates/` on nfs group + +# - name: Configure NFS client +# hosts: nfs_clients +# roles: +# - { role: configure-nfs-client } # install 
nfs client and configure based on `templates/` on nfs_clients group + +# - name: Configure logging stack +# hosts: all +# roles: +# - { role: elastic-apt } # add elastic apt repo to apt sources +# - { role: logging } # install and configure logging stack based on `templates/` on all hosts diff --git a/ansible/roles/apt/defaults/main.yml b/ansible/roles/apt/defaults/main.yml index 738a1d7..8be0410 100644 --- a/ansible/roles/apt/defaults/main.yml +++ b/ansible/roles/apt/defaults/main.yml @@ -1,4 +1,3 @@ ---- apt_packages: - cron - curl @@ -13,6 +12,7 @@ apt_packages: - psmisc - sudo - mosh + - logstash -apt_install_packages: false +apt_install_packages: true apt_update_packages: true diff --git a/ansible/roles/apt/tasks/main.yml b/ansible/roles/apt/tasks/main.yml index 98a6c6b..39caace 100644 --- a/ansible/roles/apt/tasks/main.yml +++ b/ansible/roles/apt/tasks/main.yml @@ -5,13 +5,13 @@ upgrade: yes autoclean: yes autoremove: yes - update_cache: yes + update_cache: yes when: ansible_os_family == "Debian" and apt_update_packages register: result - name: List installed and updated packages become: true - shell: + shell: cmd: 'grep -E "^$(date +%Y-%m-%d).+ (install|upgrade) " /var/log/dpkg.log | cut -d " " -f 3-5' register: result @@ -22,6 +22,14 @@ - name: install common tools become: true ansible.builtin.apt: - name: "{{ item }}" - with_items: "{{ apt_packages }}" + name: + - cron + - curl + - git + - htop + - net-tools + - nmap + - sysstat + - vim + - webhook when: ansible_os_family == "Debian" and apt_install_packages diff --git a/ansible/roles/configure-consul/tasks/main.yml b/ansible/roles/configure-consul/tasks/main.yml index 616c7ad..0b1d5fb 100644 --- a/ansible/roles/configure-consul/tasks/main.yml +++ b/ansible/roles/configure-consul/tasks/main.yml @@ -45,4 +45,4 @@ debug: msg: "{{ consul_members.stdout_lines }}" when: ansible_check_mode == false - +# TODO: CONFIGURE CONSUL DNS 
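Review bot: The disabled role entries in the rewritten playbook lost their indentation — `#- { role: apt }`, `#- { role: ssh }` and friends now sit at column 0 under `# roles:`, so whoever uncomments them later gets a sequence item at the wrong level and an invalid play. Keep commented-out lines indented exactly as they would be live, e.g. `#   - { role: apt }`, the way the NFS and logging entries further down in the same hunk already are. With every play except `Check local repository is up to date` commented out, the playbook currently enforces nothing on the managed hosts (no apt, ssh or fail2ban management); if that is intentional, a one-line comment at the top saying so would save the next operator a surprise.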
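Review bot: `logstash` is appended to `apt_packages` while `apt_install_packages` is switched to `true` in the same hunk, but logstash is not shipped in the Debian/Ubuntu archives, so an install task that honours this list will fail on any host without the Elastic apt source. The `elastic-apt` role that would add that source is left commented out in the playbook hunk of this commit, so as far as this patch shows nothing provides it. Either move logstash into the logging role so it is installed after `elastic-apt` runs, or at least flag the dependency above the entry: `# requires the Elastic apt repo (roles/elastic-apt) before this role runs`. Dropping the leading `---` also goes against the rest of the roles in this commit, which keep the document-start marker.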
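Review bot: The `install common tools` task now carries a hard-coded package list instead of reading `apt_packages`, so the variable in `defaults/main.yml` is dead: entries such as `sudo`, `mosh`, `psmisc` and the `logstash` added in this same commit are silently never installed, and anyone overriding `apt_packages` in inventory gets no effect. Passing the list to the module in one call keeps the single source of truth and still avoids the per-item loop the old `with_items` had: `name: "{{ apt_packages }}"` plus `state: present`. If the intent really was to install only a subset here, say so in a comment next to the list rather than leaving two divergent package lists in the same role.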
diff --git a/ansible/roles/hashicorp-apt/tasks/main.yml b/ansible/roles/hashicorp-apt/tasks/main.yml index ea6a548..62da5bf 100644 --- a/ansible/roles/hashicorp-apt/tasks/main.yml +++ b/ansible/roles/hashicorp-apt/tasks/main.yml @@ -1,5 +1,12 @@ --- +- name: Ensure required packages are installed + become: true + apt: + name: "{{ item }}" + with_items: ["software-properties-common", "gnupg"] + when: ansible_os_family == "Debian" + - name: Add Hashicorp apt key become: true shell: diff --git a/ansible/roles/ssh/defaults/main.yml b/ansible/roles/ssh/defaults/main.yml index 74bb32f..3e84c38 100644 --- a/ansible/roles/ssh/defaults/main.yml +++ b/ansible/roles/ssh/defaults/main.yml @@ -1,14 +1,16 @@ --- - # a current listing of all admins who have ssh access to Redbrick. github_users: - user: mojito # omitting account variable won't add any github keys to the user. - account: DistroByte + account: DistroByte groups: [sudo] - - user: slatt - account: cawnj + - user: poitin + account: leath-dub + groups: [sudo] + - user: jameson + account: wizzdom groups: [sudo] github_url: https://github.com diff --git a/ansible/roles/ssh/tasks/main.yml b/ansible/roles/ssh/tasks/main.yml index ac0fc61..ac1cb29 100644 --- a/ansible/roles/ssh/tasks/main.yml +++ b/ansible/roles/ssh/tasks/main.yml @@ -49,7 +49,6 @@ - name: Inform user to add password for account debug: msg: "Please add a password for the following accounts: {{ github_users | map(attribute='user') | list | join(', ') }}. See https://docs.redbrick.dcu.ie/aperture/ssh/ for more information." - # - name: Remove user account # debug: -# msg: 'ansible -i hosts all -m user -a "name={{ user }} state=absent remove=true" --become"' \ No newline at end of file +# msg: 'ansible -i hosts all -m user -a "name={{ user }} state=absent remove=true" --become"' diff --git a/ansible/templates/sshd_config.j2 b/ansible/templates/sshd_config.j2 index e11275f..6355d90 100644 --- a/ansible/templates/sshd_config.j2 
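Review bot: The new `Ensure required packages are installed` task uses `with_items` with `name: "{{ item }}"`, which runs one apt transaction per package and is the loop pattern ansible-lint flags; pass the list in a single call instead: `name: [software-properties-common, gnupg]` with `state: present`. The apt role touched in this commit already uses the `ansible.builtin.apt` FQCN, so the bare `apt:` here should match for consistency. The `Add Hashicorp apt key` task that follows is cut off by the hunk; since it is implemented with `shell:`, confirm it fetches the key over HTTPS into a dedicated keyring file rather than via `apt-key add`, which is deprecated and trusts the key for every repository.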
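Review bot: Removing `slatt`/`cawnj` from `github_users` revokes nothing on the hosts — the only account-removal step in the role is the commented-out `Remove user account` debug task visible in the `roles/ssh/tasks` hunk of this same commit, so the departed account, its `sudo` membership and any authorized_keys remain until someone runs the ad-hoc command by hand. For a list that grants `groups: [sudo]`, offboarding should be as declarative as onboarding: keep removed admins in the list with `state: absent` and have the role pass that through to `ansible.builtin.user`, so a rerun of the playbook actually closes the access. At minimum add `# NOTE: deleting an entry here does NOT remove the account or its keys; run the removal command in roles/ssh/tasks/main.yml` above the list so the gap is visible to whoever edits it next.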
+++ b/ansible/templates/sshd_config.j2 @@ -1,15 +1,13 @@ Include /etc/ssh/sshd_config.d/*.conf ChallengeResponseAuthentication no - UsePAM no - X11Forwarding yes PrintMotd no AcceptEnv LANG LC_* -Subsystem sftp /usr/lib/openssh/sftp-server -Port 22 - +Subsystem sftp /usr/lib/openssh/sftp-server +Port 80 +GatewayPorts yes PermitRootLogin no PubkeyAuthentication yes AuthorizedKeysFile %h/.ssh/authorized_keys @@ -18,5 +16,6 @@ PermitEmptyPasswords no GSSAPIAuthentication no AuthenticationMethods publickey,password +# Disable 2fa while on VPN Match address 10.10.0.0/24,10.8.0.0/24,10.230.0.0/16,136.206.15.0/24,136.206.16.0/24 AuthenticationMethods publickey password \ No newline at end of file
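Review bot: `GatewayPorts yes` lets any authenticated user bind remote port-forwards (`ssh -R`) on every interface of the host, so each account in `github_users` can expose arbitrary internal services — including the `10.x` ranges the `Match address` block later treats as trusted — on the host's public address. Use `GatewayPorts clientspecified` (or leave the default `no`) and, where a published forward is genuinely needed, scope it to a `Match User`/`Match Group` block with `PermitListen`. Switching to `Port 80` also collides with anything serving HTTP on these hosts (the apt role in this commit installs `webhook`, and a Nomad group presumably runs web workloads); if the goal is firewall traversal, listing both `Port 22` and `Port 80` keeps existing clients working while the change is rolled out.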
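Review bot: The new comment `# Disable 2fa while on VPN` understates what the `Match address` block does: `AuthenticationMethods publickey password` makes key OR password sufficient, so from those ranges a password alone logs in, and two of the listed prefixes (`136.206.15.0/24`, `136.206.16.0/24`) appear to be public campus space rather than VPN. With the fail2ban role commented out in this commit's playbook, that password-only path has no brute-force throttling as far as this patch shows. Reword the comment to `# Single-factor (key OR password) from VPN/campus ranges — password guessing is possible here` and consider dropping `password` from the Match list or restricting the override to the VPN prefixes only.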