parallelvirtualcluster/pvc-ansible
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Initial commit of PVC Ansible role

Browse Source
This commit is contained in:
Joshua Boniface
2023-09-01 15:42:19 -04:00
commit 6dfaf433dc
92 changed files with 4709 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1107
roles/base/files/usr/bin/check_mk_agent Executable file
View File

File diff suppressed because it is too large Load Diff

11
roles/base/files/usr/lib/check_mk_agent/plugins/backup Executable file
View File

@ -0,0 +1,11 @@
#!/bin/bash
# Backup check for Check_MK
# Installed by BLSE 2.0 ansible
SHARELIST=( $( cat /var/backups/shares ) )
echo "<<<backup>>>"
for SHARE in ${SHARELIST[@]}; do
echo "${SHARE} $( cat ${SHARE}/.backup )"
done

15
roles/base/files/usr/lib/check_mk_agent/plugins/cephfsmounts Executable file
View File

@ -0,0 +1,15 @@
echo '<<<cephfsmounts>>>'
sed -n '/ ceph\? /s/[^ ]* \([^ ]*\) .*/\1/p' < /proc/mounts |
sed 's/\\040/ /g' |
while read MP
do
if [ ! -r $MP ]; then
echo "$MP Permission denied"
elif [ $STAT_VERSION != $STAT_BROKE ]; then
waitmax -s 9 2 stat -f -c "$MP ok %b %f %a %s" "$MP" || \
echo "$MP hanging 0 0 0 0"
else
waitmax -s 9 2 stat -f -c "$MP ok %b %f %a %s" "$MP" && \
printf '\n'|| echo "$MP hanging 0 0 0 0"
fi
done

33
roles/base/files/usr/lib/check_mk_agent/plugins/dpkg Executable file
View File

@ -0,0 +1,33 @@
#!/bin/bash
# Apt and dpkg status check for Check_MK
# Installed by BLSE 2.0 ansible
TMP_DPKG="$( COLUMNS=200 dpkg --list )"
TMP_AWK="$( awk '
{ if (NR>5) {
if ($1 != "ii") bad_package[$2]=$1;
}}
END {
print NR-5;
bad_package_count=asort(bad_package,junk)
if (bad_package_count) {
for (package in bad_package)
print package "[" bad_package[package] "]"
exit 1
}
}
' <<<"$TMP_DPKG" )"
DEBIAN_VERSION="$( cat /etc/debian_version )"
TOTAL_PACKAGES=$( head --lines=1 <<<"${TMP_AWK}" )
UPGRADABLE_PACKAGES=( $( apt list --upgradable 2>/dev/null | grep -v '^Listing' | awk '{ gsub(/\]/,"",$NF); print $1 "[" $NF "<>" $2 "]" }' ) )
INCONSISTENT_PACKAGES=( $( tail --lines=+2 <<<"${TMP_AWK}" ) )
OLD_CONFIG_FILES=( $( ionice -c3 find /etc -type f -a \( -name '*.dpkg-*' -o -name '*.ucf-*' \) 2>/dev/null ) )
echo "<<<dpkg>>>"
echo "debian_version ${DEBIAN_VERSION}"
echo "total_packages ${TOTAL_PACKAGES}"
echo "upgradable_packages ${#UPGRADABLE_PACKAGES[*]} ${UPGRADABLE_PACKAGES[*]}"
echo "inconsistent_packages ${#INCONSISTENT_PACKAGES[*]} ${INCONSISTENT_PACKAGES[*]}"
echo "obsolete_configuration_files ${#OLD_CONFIG_FILES[*]} ${OLD_CONFIG_FILES[*]}"

16
roles/base/files/usr/lib/check_mk_agent/plugins/entropy Executable file
View File

@ -0,0 +1,16 @@
#!/bin/bash
# Entropy availability check for Check_MK
# Installed by BLSE 2.0 ansible
if [ -e /proc/sys/kernel/random/entropy_avail ]; then
echo '<<<entropy_avail>>>'
echo -n "entropy_avail "
cat /proc/sys/kernel/random/entropy_avail
echo -n "poolsize "
cat /proc/sys/kernel/random/poolsize
fi

52
roles/base/files/usr/lib/check_mk_agent/plugins/freshness Executable file
View File

@ -0,0 +1,52 @@
#!/bin/bash
# Open file handle freshness check for Check_MK
# Installed by BLSE 2.0 ansible
OK=0
WARNING=1
FRESHNESS="$( lsof -Fcftn / 2>/dev/null | grep -v '/tmp' | \
awk '
{
field=substr($0,1,1);
data=substr($0,2);
if (field=="f") {
file_descriptor=data;
} else if (field=="t") {
file_type=data;
} else if (field=="c") {
command_name=data;
} else if (field=="n" && file_descriptor=="DEL" && file_type=="REG") {
name=data;
file[command_name]++;
}
}
END {
for (name in file) {
error++;
# Skip these problematic programs
if (name=="systemd-udevd") { continue; }
if (name=="pulseaudio") { continue; }
if (name=="light-locker") { continue; }
if (name=="at-spi-bus-laun") { continue; }
if (name=="node") { continue; }
if (error_name) { error_name=error_name " " };
error_name=error_name name;
}
if (error_name) {
print error_name;
exit error;
} else {
exit;
}
}' )";
echo "<<<freshness>>>"
if [ "$FRESHNESS" ]; then
echo "Applications needing restart: $FRESHNESS"
exit $WARNING
else
echo "No applications needing restart"
exit $OK
fi

14
roles/base/files/usr/lib/check_mk_agent/plugins/kernelversion Executable file
View File

@ -0,0 +1,14 @@
#!/bin/bash
OK=0
WARNING=1
echo "<<<kernelversion>>>"
ACTIVE="$( uname -v | awk '{ print $4" "$5 }' )"
ONDISK="$( strings /vmlinuz | grep 'Debian' | head -1 | awk '{ print $6" "$7 }' )"
echo ${ACTIVE}
echo ${ONDISK}
if [[ ${ACTIVE} != ${ONDISK} ]]; then
exit $WARNING
else
exit $OK
fi

68
roles/base/files/usr/lib/check_mk_agent/plugins/ownership Executable file
View File

@ -0,0 +1,68 @@
#!/bin/bash
# File ownership check for Check_MK
# Installed by BLSE 2.0 ansible
UID_MAX=299
# http://www.debian.org/doc/debian-policy/ch-opersys.html
# 0-99: Globally allocated by the Debian project
# 100-199: (BLSE) Dynamically allocated system users and groups
# 200-299: (BLSE) BLSE users and groups
# 300-499: (BLSE) reserved
# 500-599: (BLSE) system administrators
# 600-999: (BLSE) reserved
# 64045: (BLSE) ceph
function is_element_of {
local TO_FIND=$1
shift
for ARRAY_ELEMENT in $*
do
if test $TO_FIND = $ARRAY_ELEMENT
then
return 0
fi
done
return 1
}
OK=0
WARNING=1
FILESYSTEMs=(/ /var/log)
MOUNTs=($(awk '{print $2}' '/proc/mounts'))
FILEs=()
for FILESYSTEM in ${FILESYSTEMs[@]}; do
while IFS= read -r -d $'\0' FILE
do
if ! is_element_of "$FILE" ${FILESYSTEMs[*]}; then
if is_element_of $FILE ${MOUNTs[*]}; then
continue
fi
fi
FILEs+=($FILE)
done < <( find ${FILESYSTEM} -xdev -uid +$UID_MAX -not -uid +64000 -not -uid 2000 \
-not \( -type d -a \( -path /media -o -path /mnt \) \) \
-not \( -name '.*.swp' -a -mtime -3 \) \
-not \( -path '*/.git' -o -path '*/.git/*' \) \
-not \( -path '*.dirtrack.Storable' \) \
-not \( -path '/home/*' \) \
-not \( -path '/tmp/*' \) \
-not \( -path '/var/home/*' \) \
-not \( -path '/var/log/gitlab/*' \) \
-print0 2>/dev/null )
done
echo "<<<file_ownership>>>"
if ! test ${#FILEs[*]} -eq 0; then
echo -n "${#FILEs[*]} file(s) found with invalid ownership (must be UID <299): "
echo "${FILEs[*]}"
exit $WARNING
else
echo "All files have valid ownership"
exit $OK
fi

BIN
roles/base/files/usr/lib/openssh/ssh-keysign Executable file
View File

Binary file not shown.

36
roles/base/handlers/main.yml Normal file
View File

@ -0,0 +1,36 @@
---
- name: restart rsyslog
service:
name: rsyslog
state: restarted
- name: restart xinetd
service:
name: xinetd
state: restarted
- name: restart postfix
service:
name: postfix
state: restarted
- name: restart ntp
service:
name: ntp
state: restarted
- name: restart ssh
service:
name: ssh
state: restarted
- name: restart fail2ban
service:
name: fail2ban
state: restarted
- name: generate locales
command: locale-gen
- name: newaliases
command: newaliases

719
roles/base/tasks/main.yml Normal file
View File

@ -0,0 +1,719 @@
---
#
# First run check
#
- name: first run check
shell: "echo 'bootstrapped' > /etc/pvc-install"
register: newhost
args:
creates: "/etc/pvc-install"
#
# Install custom fact scripts
#
- name: create facts directory
file:
dest: "/etc/ansible/facts.d"
state: directory
recurse: yes
- name: install custom facts
template:
src: "etc/ansible/facts.d/{{ item }}.fact.j2"
dest: "/etc/ansible/facts.d/{{ item }}.fact"
mode: 0755
register: installed_facts
with_items:
- host_id
- host_group
- dhcp_status
- name: regather local facts
setup:
gather_subset: "!all,!any,local"
when: installed_facts.changed
- debug:
var: ansible_local.host_group
verbosity: 1
- debug:
var: ansible_local.host_id
verbosity: 1
- debug:
var: ansible_local.dhcp_status
verbosity: 1
#
# Debian Buster pre-release tweaks
#
- name: add proper VERSION line in os-release (Debian 10.X testing only)
lineinfile:
dest: "/etc/os-release"
line: 'VERSION="10 (buster)"'
state: present
register: installed_facts
when:
- ansible_distribution_major_version == "buster/sid"
- name: regather distribution facts
setup:
when:
- installed_facts.changed
- ansible_distribution_major_version == "buster/sid"
- debug:
var: ansible_distribution_release
verbosity: 1
when:
- ansible_distribution_major_version == "buster/sid"
#
# Configure APT
#
- name: install apt config files
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
with_items:
- { src: "etc/apt/apt.conf.d/10norecommends.j2", dest: "/etc/apt/apt.conf.d/10norecommends" }
- { src: "etc/apt/apt.conf.d/50unattended-upgrades.j2", dest: "/etc/apt/apt.conf.d/50unattended-upgrades" }
- { src: "etc/apt/preferences.d/pins.j2", dest: "/etc/apt/preferences.d/pins" }
- { src: "etc/apt/sources.list.{{ ansible_machine }}.j2", dest: "/etc/apt/sources.list" }
tags: apt
#
# Safe apt upgrades (on first install only)
#
- name: apt update
apt:
update-cache: yes
when: newhost.changed
- name: aptitude safe upgrade with autoremove
apt:
update_cache: yes
autoremove: yes
upgrade: safe
when: newhost.changed
- name: install dbus
apt:
name:
- dbus
state: latest
when: newhost.changed
- name: clean out apt cache
file:
path: "/var/cache/apt/archives"
state: absent
when: newhost.changed
#
# Purge unneeded packages
#
- name: remove unneeded packages
apt:
name:
- exim4
- exim4-base
- exim4-config
- exim4-daemon-light
- nano
- joe
state: absent
purge: yes
autoremove: yes
#
# Install common packages
#
- name: set override debconf selections
shell: 'echo "{{ item }}" | debconf-set-selections'
with_items:
- "wireshark-common wireshark-common/install-setuid boolean true"
- name: install common packages (all arch)
apt:
name:
- debconf-utils
- iptables
- locales
- acpid
- acpi-support-base
- rsync
- bash
- bash-completion
- net-tools
- check-mk-agent
- dns-root-data
- bind9-host
- dnsutils
- postfix
- ntp
- openssh-client
- openssh-server
- libpam-systemd
- fail2ban
- ca-certificates
- openssl
- sudo
- rsyslog
- logrotate
- man
- less
- vim
- git
- nmap
- netcat-openbsd
- htop
- psmisc
- dstat
- iotop
- lsof
- jnettop
- iperf
- sysstat
- binutils
- deborphan
- wget
- curl
- gawk
- mmv
- pv
- bc
- reptyr
- sharutils
- tcptraceroute
- nethogs
- strace
- tshark
- acl
- bzip2
- haveged
- unattended-upgrades
- linux-image-amd64
- linux-headers-amd64
#
# System configuration
#
# capabilities
- name: set ping capabilities
capabilities:
path: /bin/ping
capability: cap_net_raw=ep
# locale
- name: install locale config files
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
notify:
- generate locales
with_items:
- { src: "etc/default/locale.j2", dest: "/etc/default/locale" }
- { src: "etc/locale.gen.j2", dest: "/etc/locale.gen" }
- name: set timezone
file:
src: /usr/share/zoneinfo/Canada/Eastern
dest: /etc/localtime
state: link
force: yes
# dns
- name: write the hosts config
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
with_items:
- { src: "etc/hosts.j2", dest: "/etc/hosts" }
tags: dns
- name: write the resolver configs
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
with_items:
- { src: "etc/dhcp/dhclient-enter-hooks.d/noresolv.j2", dest: "/etc/dhcp/dhclient-enter-hooks.d/noresolv" }
- { src: "etc/resolv.conf.j2", dest: "/etc/resolv.conf" }
tags: dns
# acpi
- name: install sysctl tweaks
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
with_items:
- { src: "etc/sysctl.d/pvc.conf.j2", dest: "/etc/sysctl.d/pvc.conf" }
- name: activate sysctl tweaks
shell: "sysctl -p {{ item }}"
with_items:
- /etc/sysctl.d/pvc.conf
# syslog
- name: install rsyslog and logrotate configs
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
notify:
- restart rsyslog
with_items:
- { src: "etc/rsyslog.conf.j2", dest: "/etc/rsyslog.conf" }
- { src: "etc/logrotate.d/rsyslog.j2", dest: "/etc/logrotate.d/rsyslog" }
tags: rsyslog
- name: set journalctl persistence
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0644
with_items:
- { src: "etc/systemd/journald.conf.j2", dest: "/etc/systemd/journald.conf" }
tags: rsyslog
# cron
- name: install crontab
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0755
with_items:
- { src: "etc/crontab.j2", dest: "/etc/crontab" }
# mta
- name: install postfix generic config
template:
src: "etc/postfix/main.cf.j2"
dest: "/etc/postfix/main.cf"
notify:
- restart postfix
- name: touch the postfix aliases file
file:
dest: /etc/postfix/aliases
state: touch
#
# Local alias maps
#
- name: install local alias maps for various users
lineinfile:
dest: "/etc/aliases"
regexp: "^{{ item }}:"
line: "{{ item }}: {{ username_email_root }}"
state: present
with_items:
- root
- postmaster
- amavis
- clamav
notify:
- newaliases
# ntp
- name: write the NTP config file
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
notify:
- restart ntp
with_items:
- { src: "etc/ntp.conf.j2", dest: "/etc/ntp.conf" }
tags: ntp
# ssl
- name: ensure haveged is running
service:
name: haveged
state: started
- name: generate diffie-hellman parameters
command: openssl dhparam -out /etc/ssl/dhparams.pem 2048
args:
creates: /etc/ssl/dhparams.pem
- name: correct permissions on dhparams
file:
dest: /etc/ssl/dhparams.pem
mode: 0440
# ssh
- name: write the sshd_config files
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
notify:
- restart ssh
with_items:
- { src: 'etc/ssh/ssh_config.j2', dest: '/etc/ssh/ssh_config' }
- { src: 'etc/ssh/sshd_config.j2', dest: '/etc/ssh/sshd_config' }
- { src: 'etc/ssh/shosts.equiv.j2', dest: '/etc/ssh/shosts.equiv' }
- { src: 'etc/ssh/ssh_known_hosts.j2', dest: '/etc/ssh/ssh_known_hosts' }
tags: ssh
- name: write sshd pam.d config
template:
src: "etc/pam.d/sshd.j2"
dest: "/etc/pam.d/sshd"
tags: ssh
- name: remove unneeded SSH keys (leave only RSA and ED25519)
file:
name: "{{ item }}"
state: "absent"
with_items:
- /etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_dsa_key.pub
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ecdsa_key.pub
notify:
- restart ssh
tags: ssh
- name: set permissions on rsa and ed25519 host keys (just in case they're wrong)
file:
name: "/etc/ssh/{{ item.name }}"
mode: "{{ item.mode }}"
with_items:
- { name: 'ssh_host_rsa_key', mode: '600' }
- { name: 'ssh_host_rsa_key.pub', mode: '644' }
- { name: 'ssh_host_ed25519_key', mode: '600' }
- { name: 'ssh_host_ed25519_key.pub', mode: '644' }
tags: ssh
# sudo
- name: write the sudoers file
template:
src: "etc/sudoers.j2"
dest: "/etc/sudoers"
mode: 0440
# bash
- name: write the bash.bashrc config file
template:
src: "etc/bash.bashrc.j2"
dest: "/etc/bash.bashrc"
# motd
- name: ensure update-motd and w scripts are present
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0755
with_items:
- { src: "usr/local/sbin/update-motd.sh.j2", dest: "/usr/local/sbin/update-motd.sh" }
- { src: "etc/profile.d/w.sh.j2", dest: "/etc/profile.d/w.sh" }
tags: motd
- name: install update-motd crontab
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0644
with_items:
- { src: "etc/cron.d/update-motd.j2", dest: "/etc/cron.d/update-motd" }
tags: motd
- name: ensure /etc/motd is absent
file:
dest: "/etc/motd"
state: absent
tags: motd
# dpkg
- name: install dpkg-cleanup script
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0755
with_items:
- { src: "usr/local/sbin/dpkg-cleanup.sh.j2", dest: "/usr/local/sbin/dpkg-cleanup.sh" }
tags: dpkg
# fail2ban
- name: install fail2ban configurations
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0644
notify: restart fail2ban
with_items:
- { src: "etc/fail2ban/action.d/route.conf.j2", dest: "/etc/fail2ban/action.d/route.conf" }
- { src: "etc/fail2ban/filter.d/sshd.conf.j2", dest: "/etc/fail2ban/filter.d/sshd.conf" }
- { src: "etc/fail2ban/jail.d/sshd.conf.j2", dest: "/etc/fail2ban/jail.d/sshd.conf" }
- { src: "etc/fail2ban/jail.d/sshd.local.j2", dest: "/etc/fail2ban/jail.d/sshd.local" }
tags: fail2ban
#
# Configure users
#
# common
- name: ensure /var/home exists
file:
state: directory
dest: /var/home
tags: users
- name: ensure group media exists
group:
name: media
gid: 9000
state: present
tags: users
# root
- name: set Root password
user:
name: root
password: "{{ passwdhash_root }}"
tags: users
- name: remove Root known_hosts
file:
state: absent
dest: /root/.ssh/known_hosts
tags: users
- name: write vimrc to root homedir
template:
src: var/home/user/vimrc.j2
dest: /root/.vimrc
mode: 0600
tags: users
- name: create vimdir
file:
state: directory
dest: /root/.vim
mode: 0700
tags: users
- name: write htoprc to homedir
template:
src: var/home/user/config/htop/htoprc.j2
dest: /root/.htoprc
mode: 0600
tags: users
# backup
- name: ensure backup user has shell
user:
name: backup
shell: /bin/sh
tags: users
- name: create backup .ssh directory
file:
path: /var/backups/.ssh
state: directory
owner: backup
group: root
mode: 0700
tags: users
- name: create backup authorized_keys file
template:
src: var/backups/ssh/authorized_keys.j2
dest: /var/backups/.ssh/authorized_keys
owner: backup
group: root
mode: 0640
tags: users
- name: write the sudoers file
template:
src: etc/sudoers.d/sudoers-backup.j2
dest: /etc/sudoers.d/backup
tags: users
- name: install the post-backup timestamp script
template:
src: var/backups/timestamp.sh.j2
dest: /var/backups/timestamp.sh
mode: 0755
tags: users
- name: touch shares file
file:
dest: /var/backups/shares
state: touch
owner: backup
tags: users
# deploy
- name: ensure user deploy exists
user:
name: deploy
uid: 200
group: operator
shell: /bin/bash
home: /var/home/deploy
createhome: yes
move_home: yes
state: present
append: yes
tags: users
- name: ensure homedir has right permissions
file:
dest: /var/home/deploy
state: directory
owner: deploy
group: operator
mode: 0700
tags: users
- name: ensure .ssh directory exists
file:
dest: /var/home/deploy/.ssh
state: directory
owner: deploy
group: operator
mode: 0700
tags: users
- name: add authorized keys
authorized_key:
user: "deploy"
key: "{{ item.key }}"
with_items: "{{ admin_users }}"
tags: users
# admin_users
- name: ensure user exists
user:
name: "{{ item.name }}"
uid: "{{ item.uid }}"
group: operator
groups: sudo,adm,media,wireshark
shell: /bin/bash
home: "/var/home/{{ item.name }}"
createhome: yes
state: present
append: yes
with_items: "{{ admin_users }}"
tags: users
- name: ensure homedir has right permissions
file:
dest: "/var/home/{{ item.name }}"
state: directory
owner: "{{ item.name }}"
group: operator
mode: 0700
with_items: "{{ admin_users }}"
tags: users
- name: ensure .ssh directory exists
file:
dest: "/var/home/{{ item.name }}/.ssh"
state: directory
owner: "{{ item.name }}"
group: operator
mode: 0700
with_items: "{{ admin_users }}"
tags: users
- name: add authorized keys
authorized_key:
user: "{{ item.name }}"
key: "{{ item.key }}"
with_items: "{{ admin_users }}"
tags: users
- name: write bashrc to homedir
template:
src: var/home/user/bashrc.j2
dest: "/var/home/{{ item.name }}/.bashrc"
owner: "{{ item.name }}"
group: operator
mode: 0700
with_items: "{{ admin_users }}"
tags: users
- name: write bash_logout to homedir
template:
src: var/home/user/bash_logout.j2
dest: "/var/home/{{ item.name }}/.bash_logout"
owner: "{{ item.name }}"
group: operator
mode: 0700
with_items: "{{ admin_users }}"
tags: users
- name: ensure htop config directory exists
file:
dest: "/var/home/{{ item.name }}/.config/htop"
state: directory
owner: "{{ item.name }}"
group: operator
mode: 0755
with_items: "{{ admin_users }}"
tags: users
- name: write htoprc to homedir
template:
src: var/home/user/config/htop/htoprc.j2
dest: "/var/home/{{ item.name }}/.config/htop/htoprc"
owner: "{{ item.name }}"
group: operator
mode: 0644
with_items: "{{ admin_users }}"
tags: users
- name: write profile to homedir
template:
src: var/home/user/profile.j2
dest: "/var/home/{{ item.name }}/.profile"
owner: "{{ item.name }}"
group: operator
mode: 0700
with_items: "{{ admin_users }}"
tags: users
- name: write vimrc to homedir
template:
src: var/home/user/vimrc.j2
dest: "/var/home/{{ item.name }}/.vimrc"
owner: "{{ item.name }}"
group: operator
mode: 0600
with_items: "{{ admin_users }}"
tags: users
- name: create vimdir
file:
state: directory
dest: /var/home/{{ item.name }}/.vim
owner: "{{ item.name }}"
group: operator
mode: 0700
with_items: "{{ admin_users }}"
tags: users
#
# Verify and enable services
#
- name: verify and enable services
service:
name: "{{ item }}"
state: started
enabled: yes
with_items:
- acpid
- rsyslog
- postfix
- ntp
- ssh

5
roles/base/templates/etc/ansible/facts.d/dhcp_status.fact.j2 Normal file
View File

@ -0,0 +1,5 @@
#!/bin/bash
# Ansible fact - dhcp_status
# {{ ansible_managed }}
DHCP_STATUS="$( grep -o 'dhcp' /etc/network/interfaces | uniq )"
echo "\"${DHCP_STATUS}\""

5
roles/base/templates/etc/ansible/facts.d/host_group.fact.j2 Normal file
View File

@ -0,0 +1,5 @@
#!/bin/bash
# Ansible fact - host_group
# {{ ansible_managed }}
HOST_GROUP="$( hostname -s | sed 's/[0-9]*//g' )"
echo "\"${HOST_GROUP}\""

8
roles/base/templates/etc/ansible/facts.d/host_id.fact.j2 Normal file
View File

@ -0,0 +1,8 @@
#!/bin/bash
# Ansible fact - host_id
# {{ ansible_managed }}
HOST_ID="$( hostname -s | grep -o '[0-9]\+' )"
if [[ -z ${HOST_ID} ]]; then
HOST_ID="0"
fi
echo "\"${HOST_ID}\""

5
roles/base/templates/etc/apt/apt.conf.d/10norecommends.j2 Normal file
View File

@ -0,0 +1,5 @@
# apt configuration: disable recommends
# {{ ansible_managed }}
APT::Install-Recommends "0";
APT::Install-Suggests "0";

37
roles/base/templates/etc/apt/apt.conf.d/50unattended-upgrades.j2 Normal file
View File

@ -0,0 +1,37 @@
# Unattended upgrades configuration
# {{ ansible_managed }}
Unattended-Upgrade::Origins-Pattern {
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};
Unattended-Upgrade::Package-Blacklist {
# "libc6$";
# "libc6-dev$";
# "libc6-i686$";
};
# General configurations
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::InstallOnShutdown "false";
Unattended-Upgrade::Mail "root@bonilan.net";
Unattended-Upgrade::MailOnlyOnError "true";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::SyslogEnable "true";
Unattended-Upgrade::SyslogFacility "daemon";
Unattended-Upgrade::Verbose "false";
Unattended-Upgrade::Debug "false";
# Reboot configurations - skip cephX and hvX
{% if 'hv' in group_names or 'ceph' in group_names %}
Unattended-Upgrade::Automatic-Reboot "false";
{% else %}
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
{% set reboot_time_minute = 2 * ansible_local.host_id|int %}
Unattended-Upgrade::Automatic-Reboot-Time "04:{{ '%02d' % reboot_time_minute }}";
{% endif %}

12
roles/base/templates/etc/apt/preferences.d/pins.j2 Normal file
View File

@ -0,0 +1,12 @@
# apt configuration: pinning preferences
# {{ ansible_managed }}
Package: *
Pin: release a={{ ansible_distribution_release }}
Pin-Priority: 999
{% if 'base' in group_names %}
Package: *
Pin: release a={{ ansible_distribution_release }}-backports
Pin-Priority: -1
{% endif %}

14
roles/base/templates/etc/apt/sources.list.x86_64.j2 Normal file
View File

@ -0,0 +1,14 @@
# apt configuration: main sources list
# {{ ansible_managed }}
deb http://debian.mirror.rafal.ca/debian {{ ansible_distribution_release }} main contrib non-free
deb-src http://debian.mirror.rafal.ca/debian {{ ansible_distribution_release }} main contrib
deb http://security.debian.org/ {{ ansible_distribution_release }}/updates main contrib
deb-src http://security.debian.org/ {{ ansible_distribution_release }}/updates main contrib
deb http://debian.mirror.rafal.ca/debian/ {{ ansible_distribution_release }}-updates main contrib
deb-src http://debian.mirror.rafal.ca/debian/ {{ ansible_distribution_release }}-updates main contrib
deb https://repo.bonifacelabs.net/debian/ {{ ansible_distribution_release }}-updates main
deb-src https://repo.bonifacelabs.net/debian/ {{ ansible_distribution_release }}-updates main

126
roles/base/templates/etc/bash.bashrc.j2 Executable file
View File

@ -0,0 +1,126 @@
# System-wide .bashrc file for interactive bash(1) shells.
# {{ ansible_managed }}
# To enable the settings / commands in this file for login shells as well,
# this file has to be sourced in /etc/profile.
# Fix the preceeding space stupidity
export HISTCONTROL=ignorespace
# If not running interactively, don't do anything
[ -z "$PS1" ] && return
# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize
# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
debian_chroot=$(cat /etc/debian_chroot)
fi
#------------------------------------------------------------------------------
# Returncode.
#------------------------------------------------------------------------------
function returncode
{
returncode=$?
if [ $returncode != 0 ]; then
echo "[$returncode]"
else
echo ""
fi
}
alias ll='ls -al'
use_color=false
# Set colorful PS1 only on colorful terminals.
# dircolors --print-database uses its own built-in database
# instead of using /etc/DIR_COLORS. Try to use the external file
# first to take advantage of user additions. Use internal bash
# globbing instead of external grep binary.
safe_term=${TERM//[^[:alnum:]]/?} # sanitize TERM
match_lhs=""
[[ -f ~/.dir_colors ]] && match_lhs="${match_lhs}$(<~/.dir_colors)"
[[ -f /etc/DIR_COLORS ]] && match_lhs="${match_lhs}$(</etc/DIR_COLORS)"
[[ -z ${match_lhs} ]] \
&& type -P dircolors >/dev/null \
&& match_lhs=$(dircolors --print-database)
[[ $'\n'${match_lhs} == *$'\n'"TERM "${safe_term}* ]] && use_color=true
if ${use_color} ; then
# Enable colors for ls, etc. Prefer ~/.dir_colors #64489
if type -P dircolors >/dev/null ; then
if [[ -f ~/.dir_colors ]] ; then
eval $(dircolors -b ~/.dir_colors)
elif [[ -f /etc/DIR_COLORS ]] ; then
eval $(dircolors -b /etc/DIR_COLORS)
else
eval $(dircolors)
fi
fi
if [[ ${EUID} == 0 ]] ; then
PS1='\[\033[0;31m\]$(returncode)\[\033[0;37m\]\[\033[0;35m\]${debian_chroot:+($debian_chroot)}\[\033[01;31m\]\H\[\033[01;34m\] \w \$\[\033[00m\] '
elif [[ ${UID} == 200 ]] ; then
PS1='\[\033[0;31m\]$(returncode)\[\033[0;37m\]\[\033[0;35m\]${debian_chroot:+($debian_chroot)}\[\033[01;31m\]\u@\H\[\033[01;34m\] \w \$\[\033[00m\] '
else
PS1='\[\033[0;31m\]$(returncode)\[\033[0;37m\]\[\033[0;35m\]${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\H\[\033[01;34m\] \w \$\[\033[00m\] '
fi
alias ls='ls --color=auto'
alias grep='grep --colour=auto'
alias fgrep='fgrep --colour=auto'
alias egrep='egrep --colour=auto'
alias ll='ls -lF'
alias la='ls -A'
alias l='ls -CF'
else
if [[ ${EUID} == 0 ]] ; then
# show root@ when we don't have colors
PS1='\[$(returncode)\]\u@\H \w \$ '
else
PS1='\[$(returncode)\]\u@\H \w \$ '
fi
fi
# Try to keep environment pollution down, EPA loves us.
unset use_color safe_term match_lhs
# Commented out, don't overwrite xterm -T "title" -n "icontitle" by default.
# If this is an xterm set the title to user@host:dir
#case "$TERM" in
#xterm*|rxvt*)
# PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD}\007"'
# ;;
#*)
# ;;
#esac
# enable bash completion in interactive shells
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
# if the command-not-found package is installed, use it
if [ -x /usr/lib/command-not-found -o -x /usr/share/command-not-found/command-not-found ]; then
function command_not_found_handle {
# check because c-n-f could've been removed in the meantime
if [ -x /usr/lib/command-not-found ]; then
/usr/bin/python /usr/lib/command-not-found -- "$1"
return $?
elif [ -x /usr/share/command-not-found/command-not-found ]; then
/usr/bin/python /usr/share/command-not-found/command-not-found -- "$1"
return $?
else
printf "%s: command not found\n" "$1" >&2
return 127
fi
}
fi

58
roles/base/templates/etc/check_mk/logwatch.cfg.j2 Normal file
View File

@ -0,0 +1,58 @@
# +------------------------------------------------------------------+
# | ____ _ _ __ __ _ __ |
# | / ___| |__ ___ ___| | __ | \/ | |/ / |
# | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / |
# | | |___| | | | __/ (__| < | | | | . \ |
# | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ |
# | |
# | Copyright Mathias Kettner 2013 mk@mathias-kettner.de |
# +------------------------------------------------------------------+
#
# This file is part of Check_MK.
# The official homepage is at http://mathias-kettner.de/check_mk.
#
# {{ ansible_managed }}
#
# check_mk is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation in version 2. check_mk is distributed
# in the hope that it will be useful, but WITHOUT ANY WARRANTY; with-
# out even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE. See the GNU General Public License for more de-
# ails. You should have received a copy of the GNU General Public
# License along with GNU Make; see the file COPYING. If not, write
# to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
# Boston, MA 02110-1301 USA.
# logwatch.cfg
# This file configures mk_logwatch. Define your logfiles
# and patterns to be looked for here.
# Name one or more logfiles
/var/log/system.log /var/log/daemon.log
# Patterns are indented with one space are prefixed with:
# C: Critical messages
# W: Warning messages
# I: ignore these lines (OK)
# The first match decided. Lines that do not match any pattern
# are ignored
C Fail event detected on md device
I mdadm.*: Rebuild.*event detected
W mdadm\[
W ata.*hard resetting link
W ata.*soft reset failed (.*FIS failed)
W device-mapper: thin:.*reached low water mark
C device-mapper: thin:.*no free space
/var/log/auth.log
W sshd.*Corrupted MAC on input
/var/log/kern.log
C panic
C Oops
W generic protection rip
W .*Unrecovered read error - auto reallocate failed
# Globbing patterns are allowed:
# /sapdata/*/saptrans.log
# C ORA-

4
roles/base/templates/etc/cron.d/update-motd.j2 Normal file
View File

@ -0,0 +1,4 @@
# cron file for motd
# {{ ansible_managed }}
* * * * * root /bin/sh /usr/local/sbin/update-motd.sh &>/dev/null

12
roles/base/templates/etc/crontab.j2 Normal file
View File

@ -0,0 +1,12 @@
# /etc/crontab: system-wide crontab
# {{ ansible_managed }}
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
00 * * * * root cd / && run-parts --report /etc/cron.hourly
05 0 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
15 0 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
30 0 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

4
roles/base/templates/etc/default/locale.j2 Normal file
View File

@ -0,0 +1,4 @@
LANGUAGE=en_CA.UTF-8
LC_ALL=en_CA.UTF-8
LANG=en_CA.UTF-8
LC_TYPE=en_CA.UTF-8

6
roles/base/templates/etc/dhcp/dhclient-enter-hooks.d/noresolv.j2 Normal file
View File

@ -0,0 +1,6 @@
#!/bin/sh
# Disasble resolv.conf generation from DHCP
# {{ ansible_managed }}
make_resolv_conf() {
:
}

15
roles/base/templates/etc/fail2ban/action.d/route.conf.j2 Normal file
View File

@ -0,0 +1,15 @@
# fail2ban action - route
[Definition]
actionban = ip route add <blocktype> <ip>
actionunban = ip route del <blocktype> <ip>
actioncheck =
actionstart =
actionstop =
[Init]
# Option: blocktype
# Note: Type can be blackhole, unreachable and prohibit. Unreachable and prohibit correspond to the ICMP reject messages.
# Values: STRING
blocktype = blackhole

50
roles/base/templates/etc/fail2ban/filter.d/sshd.conf.j2 Normal file
View File

@ -0,0 +1,50 @@
# Fail2Ban filter for openssh
# {{ ansible_managed }}
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = sshd
failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error|failed) for .* from <HOST>( via \S+)?\s*$
^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
^%(__prefix_line)sFailed \S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from <HOST>(?: port \d+)?(?: ssh\d*)?(?(cond_user):|(?:(?:(?! from ).)*)$)
^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
^%(__prefix_line)s[iI](?:llegal|nvalid) user .*? from <HOST>(?: port \d+)?\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
^%(__prefix_line)s(?:error: )?Received disconnect from <HOST>: 3: .*: Auth fail(?: \[preauth\])?$
^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$
^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
^%(__prefix_line)s(error: )?maximum authentication attempts exceeded for .* from <HOST>(?: port \d*)?(?: ssh\d*)? \[preauth\]$
^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*$
^%(__prefix_line)sUnable to negotiate with <HOST> .*$
ignoreregex =
[Init]
# "maxlines" is number of log lines to buffer for multi-line regex searches
maxlines = 10
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
# DEV Notes:
#
# "Failed \S+ for .*? from <HOST>..." failregex uses non-greedy catch-all because
# it is coming before use of <HOST> which is not hard-anchored at the end as well,
# and later catch-all's could contain user-provided input, which need to be greedily
# matched away first.
#
# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black

30
roles/base/templates/etc/fail2ban/jail.d/sshd.conf.j2 Normal file
View File

@ -0,0 +1,30 @@
# Fail2Ban configuration file
#
# Author: Wolfgang Karall (based on sshd.conf from Cyril Jaquier)
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = sshd
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(__prefix_line)sUnable to negotiate with <HOST> .*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex = ^%(__prefix_line)sDid not receive identification string from .*$

11
roles/base/templates/etc/fail2ban/jail.d/sshd.local.j2 Normal file
View File

@ -0,0 +1,11 @@
[DEFAULT]
maxretry = 3
bantime = 14400
ignoreip = 127.0.0.0/8 10.0.0.0/8 198.55.48.48/28
[ssh]
enabled = true
filter = sshd
action = route
logpath = /var/log/auth.log

6
roles/base/templates/etc/hosts.j2 Normal file
View File

@ -0,0 +1,6 @@
# Local system hosts file
# {{ ansible_managed }}
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allmodes
ff02::2 ip6-allrouters

4
roles/base/templates/etc/locale.gen.j2 Normal file
View File

@ -0,0 +1,4 @@
# Locales configuration file
# {{ ansible_managed }}
en_CA.UTF-8 UTF-8

23
roles/base/templates/etc/logrotate.d/rsyslog-loghost.j2 Normal file
View File

@ -0,0 +1,23 @@
# Logrotate configuration for loghost archives
# {{ ansible_managed }}
/srv/log/kern.log
/srv/log/daemon.log
/srv/log/haproxy.log
/srv/log/auth.log
/srv/log/cron.log
/srv/log/mail.log
/srv/log/boot.log
/srv/log/system.log
{
weekly
missingok
copytruncate
dateext
notifempty
sharedscripts
postrotate
/usr/lib/rsyslog/rsyslog-rotate &>/dev/null
/usr/local/sbin/loghost-archive.sh &>/dev/null
endscript
}

23
roles/base/templates/etc/logrotate.d/rsyslog.j2 Normal file
View File

@ -0,0 +1,23 @@
# Logrotate configuration for standard log files
# {{ ansible_managed }}
/var/log/kern.log
/var/log/daemon.log
/var/log/haproxy.log
/var/log/auth.log
/var/log/cron.log
/var/log/mail.log
/var/log/boot.log
/var/log/system.log
{
rotate {{ logrotate_keepcount }}
{{ logrotate_interval }}
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
/usr/lib/rsyslog/rsyslog-rotate &>/dev/null
endscript
}

27
roles/base/templates/etc/ntp.conf.j2 Normal file
View File

@ -0,0 +1,27 @@
# Main NTP configuration
# {{ ansible_managed }}
driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
{% if 'remote' in group_names or 'remote-jellyfin' in group_names %}
server time.nrc.ca
server time.chu.nrc.ca
restrict -4 default kod notrap nomodify nopeer
restrict -6 default kod notrap nomodify nopeer
{% else %}
disable auth
multicastclient 224.0.0.1
multicastclient ff05::101
restrict -4 default notrap nomodify
restrict -6 default notrap nomodify
{% endif %}
restrict 127.0.0.1
restrict ::1

54
roles/base/templates/etc/pam.d/sshd.j2 Normal file
View File

@ -0,0 +1,54 @@
# PAM configuration for the Secure Shell service
# {{ ansible_managed }}
# Standard Un*x authentication.
@include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
# Standard Un*x authorization.
@include common-account
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Set the loginuid process attribute.
session required pam_loginuid.so
# Create a new session keyring.
session optional pam_keyinit.so force revoke
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
session optional pam_motd.so motd=/run/pvc-motd.dynamic
session optional pam_motd.so noupdate
# Print the status of the user's mailbox upon successful login.
#session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# Standard Un*x password updating.
@include common-password

17
roles/base/templates/etc/postfix/main.cf.j2 Normal file
View File

@ -0,0 +1,17 @@
# Postfix main configuration for non-MTA hosts
# {{ ansible_managed }}
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_use_tls=no
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
mydestination =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = 127.0.0.1
inet_protocols = ipv4

7
roles/base/templates/etc/profile.d/w.sh.j2 Normal file
View File

@ -0,0 +1,7 @@
#!/bin/sh
# Message of the day script to print active users
# {{ ansible_managed }}
export PROCPS_FROMLEN=36 PROCPS_USERLEN=12
w

5
roles/base/templates/etc/resolv.conf.j2 Normal file
View File

@ -0,0 +1,5 @@
# DNS resolver configuration
# {{ ansible_managed }}
options timeout:1 attempts:3 rotate
nameserver 1.1.1.1

37
roles/base/templates/etc/rsyslog.conf.j2 Normal file
View File

@ -0,0 +1,37 @@
# Main rsyslog configuration
# {{ ansible_managed }}
#### ####
#### MODULES ####
#### ####
module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog") # provides kernel logging support (previously done by rklogd)
$ModLoad imudp
$UDPServerAddress ::1
$UDPServerRun 514
#### ####
#### GLOBAL DIRECTIVES ####
#### ####
$PreserveFQDN on
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#### ####
#### RULES ####
#### ####
ruleset(name="local") {
kern.* /var/log/kern.log
auth,authpriv.* /var/log/auth.log
cron.* /var/log/cron.log
daemon,user.* /var/log/daemon.log
mail.* /var/log/mail.log
local5.* /var/log/nginx.log
local6.* /var/log/haproxy.log
local7.* /var/log/boot.log
*.info;kern,daemon,user,auth,authpriv,cron,mail,local6.none,local7.none /var/log/system.log
}
$DefaultRuleset local

3
roles/base/templates/etc/ssh/shosts.equiv.j2 Normal file
View File

@ -0,0 +1,3 @@
# SSH remote allowed hosts
# {{ ansible_managed }}

43
roles/base/templates/etc/ssh/ssh_config.j2 Normal file
View File

@ -0,0 +1,43 @@
# Default SSH client configuration
# {{ ansible_managed }}
Host *
# ForwardAgent no
# ForwardX11 no
# ForwardX11Trusted yes
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# EnableSSHKeysign yes
# HostbasedAuthentication yes
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# PreferredAuthentications hostbased,pubkey
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no
PubkeyAuthentication yes
HostbasedAuthentication yes
EnableSSHKeysign yes

3
roles/base/templates/etc/ssh/ssh_known_hosts.j2 Normal file
View File

@ -0,0 +1,3 @@
# SSH remote allowed hosts
# {{ ansible_managed }}

43
roles/base/templates/etc/ssh/sshd_config.j2 Normal file
View File

@ -0,0 +1,43 @@
# Main SSH daemon configuraton
# {{ ansible_managed }}
Port 22
ListenAddress ::
ListenAddress 0.0.0.0
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
UsePAM yes
StrictModes yes
X11Forwarding no
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
MACs hmac-sha2-512,hmac-sha2-256
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
{% if 'hv' in group_names %}
HostbasedAuthentication yes
HostbasedUsesNameFromPacketOnly yes
IgnoreRhosts no
PermitRootLogin yes
{% else %}
HostbasedAuthentication no
IgnoreRhosts yes
PermitRootLogin no
{% endif %}
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTH -l INFO

5
roles/base/templates/etc/sudoers.d/sudoers-backup.j2 Normal file
View File

@ -0,0 +1,5 @@
# sudoers configuraton for BackupPC
# {{ ansible_managed }}
Cmnd_Alias BACKUPS = /usr/bin/rsync, /var/backups/timestamp.sh
backup ALL=(root) NOPASSWD: BACKUPS

12
roles/base/templates/etc/sudoers.j2 Normal file
View File

@ -0,0 +1,12 @@
# sudoers configuraton; per-host declarations go in /etc/sudoers.d
# {{ ansible_managed }}
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root ALL=(ALL:ALL) NOPASSWD: ALL
deploy ALL=(ALL:ALL) NOPASSWD: /bin/sh
%sudo ALL=(ALL:ALL) NOPASSWD: ALL
#includedir /etc/sudoers.d

47
roles/base/templates/etc/sysctl.d/pvc.conf.j2 Normal file
View File

@ -0,0 +1,47 @@
# General sysctl parameters for BLSE2
# {{ ansible_managed }}
# Reduce swappiness
vm.swappiness = 1
# enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
# Ignore ICMP broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore bogus ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
{% if not 'rpi' in group_names %}
net.ipv6.conf.all.accept_redirects = 0
{% endif %}
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
# Do not accept IP source route packets (we are not a router)
net.ipv4.conf.all.accept_source_route = 0
{% if not 'rpi' in group_names %}
net.ipv6.conf.all.accept_source_route = 0
{% endif %}
# Don't log Martian Packets
net.ipv4.conf.all.log_martians = 0
# Explicit Congestion Notification (ECN)
net.ipv4.tcp_ecn = 1
# number of seconds the kernel waits before rebooting on a panic
kernel.panic = 60
# Panic on an OOPS
kernel.panic_on_oops = 1
# Restrict dmesg
kernel.dmesg_restrict = 1

4
roles/base/templates/etc/systemd/journald.conf.j2 Normal file
View File

@ -0,0 +1,4 @@
# Journald configuration
# {{ ansible_managed }}
[Journal]
Storage=persistent

10
roles/base/templates/etc/systemd/system/check_mk.socket Normal file
View File

@ -0,0 +1,10 @@
# systemd socket definition file
[Unit]
Description=Check_MK Agent Socket
[Socket]
ListenStream=6556
Accept=true
[Install]
WantedBy=sockets.target

12
roles/base/templates/etc/systemd/system/check_mk@.service Normal file
View File

@ -0,0 +1,12 @@
# systemd service definition file
[Unit]
Description=Check_MK
[Service]
ExecStart=/usr/bin/check_mk_agent
KillMode=process
User=root
Group=root
StandardInput=socket

5
roles/base/templates/root/vimrc.j2 Normal file
View File

@ -0,0 +1,5 @@
set showcmd
set number
set cursorline
syntax on
set mouse=

18
roles/base/templates/usr/local/sbin/dpkg-cleanup.sh.j2 Executable file
View File

@ -0,0 +1,18 @@
#!/bin/bash
# dpkg-cleanup.sh - Remove obsolete packages and config files
# {{ ansible_managed }}
# Phase 1 - purge `rc` packages
PACKAGE_LIST=( $( dpkg --list | awk '/^rc/{ print $2 } /^ri/{ print $2 }' ) )
apt purge -y ${PACKAGE_LIST[@]}
# Phase 2 - autoremove packages
apt autoremove --purge -y
# Phase 3 - clean archives
apt clean
# Phase 4 - find and remove obsolete config files
OLD_FILES_LIST=( $( find /etc -type f -a \( -name '*.dpkg-*' -o -name '*.ucf-*' \) 2>/dev/null ) )
rm -f ${OLD_FILES_LIST[@]}

23
roles/base/templates/usr/local/sbin/loghost-archive.sh.j2 Executable file
View File

@ -0,0 +1,23 @@
#!/bin/bash
# Archive old logs on loghost
# {{ ansible_managed }}
LOGPATH=/srv/log
ARCHIVEPATH=${LOGPATH}/archive/
test -d $ARCHIVEPATH || mkdir -p $ARCHIVEPATH
for LOGFILE in \
kern.log \
daemon.log \
haproxy.log \
auth.log \
cron.log \
mail.log \
boot.log \
system.log
do
test -d ${ARCHIVEPATH}/${LOGFILE} || mkdir -p ${ARCHIVEPATH}/${LOGFILE}
mv ${LOGPATH}/${LOGFILE}-* ${ARCHIVEPATH}/${LOGFILE}
gzip ${ARCHIVEPATH}/${LOGFILE}/*
find ${ARCHIVEPATH}/${LOGFILE} -type f -ctime +90 -exec rm {} \;
done

26
roles/base/templates/usr/local/sbin/update-motd.sh.j2 Executable file
View File

@ -0,0 +1,26 @@
#!/bin/sh
# Update dynamic MOTD file
# {{ ansible_managed }}
set -o errexit
TMPFILE=$(mktemp)
TGTFILE=/run/pvc-motd.dynamic
DEBVER="({{ ansible_lsb.description }})"
echo >> $TMPFILE
echo "\033[01;34mParallel Virtual Cluster \033[01;36m${DEBVER}\033[0m" >> $TMPFILE
echo -n "> \033[01;32m$(hostname)\033[0m" >> $TMPFILE
if test -f /etc/hostdesc; then
echo " - $( cat /etc/hostdesc )" >> $TMPFILE
else
echo >> $TMPFILE
fi
# Get machine information
echo "> \033[1;37mPVC node\033[0m on \033[1;31m$(
/usr/sbin/dmidecode | grep -A1 'Chassis Information' | tail -1 | awk -F':' '{print $2}' | tr -s ' '
)\033[0m hardware" >> $TMPFILE
echo "> $(/bin/uname -srvmo)" >> $TMPFILE
mv $TMPFILE $TGTFILE || rm $TMPFILE

4
roles/base/templates/var/backups/ssh/authorized_keys.j2 Normal file
View File

@ -0,0 +1,4 @@
# backup user authorized_keys
# {{ ansible_managed }}
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnndMxkLF+Trm7Zpo59daJbH6C6SbInl8f1PAizxtUkWg8skP5EXkUc0eguos+5o6BG1VL0c8SWBnl4smvZL075l2wC3+cJeDUIyxC6aue6vualFMPj5p0h4gJWrX+L5r1b1hxnR3r5Mqx7/2W9K35/u3M6TPnRXn0XjGN93j8dsywfDOuU4xH+w0INM4iNeEne4l2SEAVA0Sm7nGNss4X18iwjnxyKgqUB+HtG2WHyEPr/Uv5OiEC+4n4LvkMRMpupx33U5ZH7pgyfFKJJsIObBf4nC4xUUZyCG2FlHiWzX0Ua9xxwz9OJIeqlwfYsLFrHEbPS5KpAXukEjshKGY1 backuppc@base.bonilan.net

11
roles/base/templates/var/backups/timestamp.sh.j2 Executable file
View File

@ -0,0 +1,11 @@
#!/bin/bash
# Writes timestamps on successful BackupPC completion and updates dynamic share inventory for this host
# {{ ansible_managed }}
OK="$1"
SHARE="$2"
grep -F "${SHARE}" /var/backups/shares || echo "${SHARE}" >> /var/backups/shares
if [[ ${OK} -eq 1 ]]; then
/bin/date +%s > ${SHARE}/.backup
fi

7
roles/base/templates/var/home/user/bash_logout.j2 Executable file
View File

@ -0,0 +1,7 @@
# BLSE 2.0 bash_logout file
# {{ ansible_managed }}
# when leaving the console clear the screen to increase privacy
if [ "$SHLVL" = 1 ]; then
[ -x /usr/bin/clear_console ] && /usr/bin/clear_console -q
fi

144
roles/base/templates/var/home/user/bashrc.j2 Executable file
View File

@ -0,0 +1,144 @@
#!/bin/bash
# BLSE 2.0 bashrc file
# {{ ansible_managed }}
#
# GENERAL SETTINGS
#
# Before anything, see if we're running interactively. If not, skip everything here.
[[ $- == *i* ]] || return
# Ensure bash completion is enabled if installed
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
# Some other tweaks
[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
debian_chroot=$(cat /etc/debian_chroot)
fi
# Set history limits and values
shopt -s cdspell
shopt -s dirspell
shopt -s dotglob
shopt -s histreedit
shopt -s histverify
shopt -s histappend
PROMPT_COMMAND="history -a;$PROMPT_COMMAND"
HISTCONTROL=ignoreboth
HISTSIZE=25000
HISTFILESIZE=25000
#
# BASH SETTINGS
#
# Set a shiny Linux Mint-style PS1 with spaces for easy double-click-select
git_branch() {
git branch 2> /dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/git:\1 /'
}
export PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\[\033[01;32m\]\H\[\033[01;34m\] \[\e[35m\]$(git_branch)\[\033[01;34m\]\w \$\[\033[00m\] '
# Sensible PATH (find things in *sbin* as non-root user)
export PATH="/usr/lib/check_mk_agent/plugins:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games"
# Set PATH to include ~/Scripts if it exists
if [ -d ~/Scripts ]; then
export PATH=~/Scripts:$PATH
fi
# Set editor to vim
export EDITOR=/usr/bin/vim
# Force SCREEN to xterm due to Debian weirdness
export SCREEN="xterm"
#
# ALIASES
#
# Coloured command aliases
alias ls='ls --color=always'
alias dir='dir --color=always'
alias vdir='vdir --color=always'
alias grep='grep --color=always'
alias fgrep='fgrep --color=always'
alias egrep='egrep --color=always'
alias xzgrep='xzgrep --color=always'
alias less='less -r'
# Convenient ls aliases
alias ll='ls -alh'
alias la='ls -A'
alias l='ls -lh'
# Always-sudo commands, because fuck typing sudo all the time
alias service='sudo service'
alias systemctl='sudo systemctl'
alias journalctl='sudo journalctl'
alias dmesg='sudo dmesg'
alias apt='sudo apt'
alias dpkg='sudo dpkg'
alias find='sudo find'
alias htop='sudo htop'
alias powertop='sudo powertop'
alias jnettop='sudo jnettop'
alias wavemon='sudo wavemon'
alias parted='sudo parted'
alias fdisk='sudo fdisk'
alias gdisk='sudo gdisk'
alias chroot='sudo chroot'
alias mount='sudo mount'
alias umount='sudo umount'
alias virsh='sudo virsh -c qemu:///system'
alias ceph='sudo ceph'
alias rbd='sudo rbd'
alias mysql='sudo mysql'
alias zpool='sudo zpool'
alias zfs='sudo zfs'
alias crm='sudo crm'
# Cool aliases
alias cccp='sudo rsync -auv --progress'
alias untmp='sudo umount /tmp/tmp.*{/*/*,/*,} 2>/dev/null'
alias txz='tar -p --same-owner -I pxz'
alias stxz='sudo tar -p --same-owner -I pxz'
alias zkcli='sudo /usr/share/zookeeper/bin/zkCli.sh'
alias hatop='sudo hatop -s /var/lib/haproxy/admin.sock'
alias patronictl='sudo patronictl -c /etc/patroni/config.yml -d zookeeper://localhost:2181'
alias repo='sudo reprepro -b /srv/debrepo'
alias beet='sudo -u debian-deluged beet --config=/srv/deluged/config.beets/config.yaml'
{% if 'mon' in group_names %}
alias icli='sudo -u monitor icli --status-file /omd/sites/monitor/tmp/nagios/status.dat --config /omd/sites/monitor/var/nagios/objects.cache -z \!o'
#
# Show monitoring stats
#
icli
{% endif %}
#
# SOURCE OTHER SCRIPTS
#
test -f ~/.bashrc.d/* && . ~/.bashrc.d/*
#
# NICE AND CLEAN
#
echo
#
# END OF FILE
#

25
roles/base/templates/var/home/user/config/htop/htoprc.j2 Normal file
View File

@ -0,0 +1,25 @@
# htop config file
# {{ ansible_managed }}
fields=0 48 17 18 38 39 40 2 46 47 49 1
sort_key=46
sort_direction=1
hide_threads=0
hide_kernel_threads=0
hide_userland_threads=0
shadow_other_users=0
show_thread_names=1
highlight_base_name=1
highlight_megabytes=1
highlight_threads=1
tree_view=0
header_margin=1
detailed_cpu_time=1
cpu_count_from_zero=0
update_process_names=1
account_guest_in_cpu_meter=1
color_scheme=0
delay=15
left_meters=LeftCPUs2 Blank CPU Blank Blank Memory Swap
left_meter_modes=1 2 1 2 2 1 1
right_meters=RightCPUs2 Blank LoadAverage Tasks Blank Hostname Clock Uptime Blank
right_meter_modes=1 2 2 2 2 2 2 2 2

16
roles/base/templates/var/home/user/profile.j2 Normal file
View File

@ -0,0 +1,16 @@
# {{ ansible_managed }}
EDITOR=/usr/bin/vim
# if running bash
if [ -n "$BASH_VERSION" ]; then
# include .bashrc if it exists
if [ -f "$HOME/.bashrc" ]; then
. "$HOME/.bashrc"
fi
fi
# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
PATH="$HOME/bin:$PATH"
fi

13
roles/base/templates/var/home/user/vimrc.j2 Normal file
View File

@ -0,0 +1,13 @@
set showcmd
set number
set cursorline
set autoindent
set expandtab
set tabstop=4
set viminfo='100,<1000,s1000,h
hi CursorLine term=bold cterm=bold guibg=Grey40
syntax on
set ruler
set directory=~/.vim
set mouse=
autocmd Filetype gitcommit setlocal spell textwidth=72