update ansible roles

2023-05-23 21:50:25 +01:00 · 2023-05-23 21:50:25 +01:00 · a8c0dc7880
commit a8c0dc7880
parent 4cc6fa82fd
8 changed files with 63 additions and 32 deletions
--- a/ansible/redbrick-ansible.yml
+++ b/ansible/redbrick-ansible.yml
@ -8,16 +8,32 @@
  roles:
      - { role: git-compare-head } # Prevent execution on out-of-date or divergent branches

- name: Redbrick general management
-  hosts: all
-  roles:
-    #- { role: apt } # update all packages, equivalent to `apt update && apt upgrade`
-    #- { role: ssh } # add users defined in roles/defaults/main.yml
-    #- { role: fail2ban } # add and configure fail2ban with jail file located in `templates/fail2ban.jail`
+# - name: Redbrick general management
+#   hosts: all
+#   roles:
+#- { role: apt } # update all packages, equivalent to `apt update && apt upgrade`
+#- { role: ssh } # add users defined in roles/defaults/main.yml
+#- { role: fail2ban } # add and configure fail2ban with jail file located in `templates/fail2ban.jail`

- name: Configure Nomad & Consul
-  hosts: nomad
-  roles:
-    #- { role: hashicorp-apt } # add hashicorp apt repo to apt sources
-    #- { role: configure-nomad } # install nomad, configure and start the client & server based on `templates/` on nomad group
-    #- { role: configure-consul } # install consul, configure and start the client & server based on `templates/` on nomad group
+# - name: Configure Nomad & Consul
+#   hosts: nomad
+#   roles:
+#- { role: hashicorp-apt } # add hashicorp apt repo to apt sources
+#- { role: configure-nomad } # install nomad, configure and start the client & server based on `templates/` on nomad group
+#- { role: configure-consul } # install consul, configure and start the client & server based on `templates/` on nomad group
+
+# - name: Configure NFS server
+#   hosts: nfs_servers
+#   roles:
+#       - { role: configure-nfs-server } # install nfs server and configure based on `templates/` on nfs group
+
+# - name: Configure NFS client
+#   hosts: nfs_clients
+#   roles:
+#       - { role: configure-nfs-client } # install nfs client and configure based on `templates/` on nfs_clients group
+
+# - name: Configure logging stack
+#   hosts: all
+#   roles:
+# - { role: elastic-apt } # add elastic apt repo to apt sources
+# - { role: logging } # install and configure logging stack based on `templates/` on all hosts
--- a/ansible/roles/apt/defaults/main.yml
+++ b/ansible/roles/apt/defaults/main.yml
@ -1,4 +1,3 @@
---
 apt_packages:
  - cron
  - curl
@ -13,6 +12,7 @@ apt_packages:
  - psmisc
  - sudo
  - mosh
+  - logstash

-apt_install_packages: false
+apt_install_packages: true
 apt_update_packages: true
--- a/ansible/roles/apt/tasks/main.yml
+++ b/ansible/roles/apt/tasks/main.yml
@ -22,6 +22,14 @@
 - name: install common tools
  become: true
  ansible.builtin.apt:
-    name: "{{ item }}"
-  with_items: "{{ apt_packages }}"
+    name:
+      - cron
+      - curl
+      - git
+      - htop
+      - net-tools
+      - nmap
+      - sysstat
+      - vim
+      - webhook
  when: ansible_os_family == "Debian" and apt_install_packages
--- a/ansible/roles/configure-consul/tasks/main.yml
+++ b/ansible/roles/configure-consul/tasks/main.yml
@ -45,4 +45,4 @@
  debug:
    msg: "{{ consul_members.stdout_lines }}"
  when: ansible_check_mode == false
-  
+# TODO: CONFIGURE CONSUL DNS
--- a/ansible/roles/hashicorp-apt/tasks/main.yml
+++ b/ansible/roles/hashicorp-apt/tasks/main.yml
@ -1,5 +1,12 @@
 ---

+- name: Ensure required packages are installed
+  become: true
+  apt:
+    name: "{{ item }}"
+  with_items: ["software-properties-common", "gnupg"]
+  when: ansible_os_family == "Debian"
+
 - name: Add Hashicorp apt key
  become: true
  shell:
--- a/ansible/roles/ssh/defaults/main.yml
+++ b/ansible/roles/ssh/defaults/main.yml
@ -1,5 +1,4 @@
 ---
-
 # a current listing of all admins who have ssh access to Redbrick.

 github_users:
@ -7,8 +6,11 @@ github_users:
    # omitting account variable won't add any github keys to the user.
    account: DistroByte
    groups: [sudo]
-  - user: slatt
-    account: cawnj
+  - user: poitin
+    account: leath-dub
+    groups: [sudo]
+  - user: jameson
+    account: wizzdom
    groups: [sudo]

 github_url: https://github.com
--- a/ansible/roles/ssh/tasks/main.yml
+++ b/ansible/roles/ssh/tasks/main.yml
@ -49,7 +49,6 @@
 - name: Inform user to add password for account
  debug:
    msg: "Please add a password for the following accounts: {{ github_users | map(attribute='user') | list | join(', ') }}. See https://docs.redbrick.dcu.ie/aperture/ssh/ for more information."
-
 # - name: Remove user account
 #   debug:
 #     msg: 'ansible -i hosts all -m user -a "name={{ user }} state=absent remove=true" --become"'
--- a/ansible/templates/sshd_config.j2
+++ b/ansible/templates/sshd_config.j2
@ -1,15 +1,13 @@
 Include /etc/ssh/sshd_config.d/*.conf

 ChallengeResponseAuthentication no
-
 UsePAM no
-
 X11Forwarding yes
 PrintMotd no
 AcceptEnv LANG LC_*
 Subsystem sftp /usr/lib/openssh/sftp-server
-Port 22
-
+Port 80
+GatewayPorts yes
 PermitRootLogin no
 PubkeyAuthentication yes
 AuthorizedKeysFile %h/.ssh/authorized_keys
@ -18,5 +16,6 @@ PermitEmptyPasswords no
 GSSAPIAuthentication no
 AuthenticationMethods publickey,password

+# Disable 2fa while on VPN
 Match address 10.10.0.0/24,10.8.0.0/24,10.230.0.0/16,136.206.15.0/24,136.206.16.0/24
  AuthenticationMethods publickey password