diff --git a/hosts b/hosts
index 0f033a5..9e44801 100644
--- a/hosts
+++ b/hosts
@@ -26,6 +26,7 @@ coruscant.universe.local
 [mailserver]
 coruscant.universe.local
 mewitoot.de
+mail.mewissen.site
 
 [mobile]
 tuxedo-book-xp1511.universe.local
diff --git a/files/sudoers_ansible b/roles/base/files/ansible_setup/sudoers_ansible
similarity index 100%
rename from files/sudoers_ansible
rename to roles/base/files/ansible_setup/sudoers_ansible
diff --git a/roles/base/files/system_setup/sshd_custom.conf b/roles/base/files/system_setup/sshd_custom.conf
new file mode 100644
index 0000000..3915ee6
--- /dev/null
+++ b/roles/base/files/system_setup/sshd_custom.conf
@@ -0,0 +1,27 @@
+PermitRootLogin prohibit-password
+MaxAuthTries 3
+
+PubkeyAuthentication yes
+
+PasswordAuthentication no
+
+ChallengeResponseAuthentication no
+
+UsePAM yes
+
+X11Forwarding no
+PrintMotd no
+PrintLastLog no
+
+AllowUsers rene
+Match Address 192.168.1.240
+ AllowUsers root,rene
+
+Match User root
+ PasswordAuthentication no
+
+Match User rene
+ PasswordAuthentication no
+
+Match Host *
+ MaxAuthTries 1
\ No newline at end of file
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index f07a509..143d825 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
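Review bot: The trailing `Match Host *` block in sshd_custom.conf matches every connection, so its `MaxAuthTries 1` silently replaces the global `MaxAuthTries 3` for all clients; since each public key a client offers counts as one attempt, an agent holding more than one key will likely be disconnected before the right key is tried, locking out the very key-only users the file is meant to allow. If a tighter limit is only wanted for the LAN exception, move the directive into the `Match Address 192.168.1.240` block; otherwise drop the block and keep a single global value. The two `Match User` blocks repeating `PasswordAuthentication no` add nothing over the global setting and can be removed. The file also lacks a trailing newline, which some config tooling flags.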
@@ -5,6 +5,24 @@ - block: - debug: msg: Debug + # install software + # - import_tasks: software/repositories.yml + - import_tasks: software/packages_zsh.yml + # - import_tasks: software/packages_development.yml + - import_tasks: software/packages_cleanup.yml + # - import_tasks: software/packages_pip.yml + - import_tasks: software/packages_utilities.yml + + # Perform remaining tasks: + - import_tasks: system_setup/clock.yml + # - import_tasks: system_setup/cron.yml + - import_tasks: system_setup/locale.yml + # - import_tasks: system_setup/logging.yml + # - import_tasks: system_setup/memory.yml + # - import_tasks: system_setup/microcode.yml + - import_tasks: system_setup/openssh.yml + # - import_tasks: system_setup/scripts.yml + # Make sure users exist on the system #- import_tasks: users/rene.yml #- import_tasks: users/root.yml @@ -12,22 +30,5 @@ # Set up the ansible environment # - import_tasks: ansible_setup.yml - # install software - # - import_tasks: software/repositories.yml - # - import_tasks: software/packages_development.yml - # - import_tasks: software/packages_cleanup.yml - # - import_tasks: software/packages_pip.yml - # - import_tasks: software/packages_utilities.yml - - # Perform remeining tasks: - # - import_tasks: system_setup/clock.yml - # - import_tasks: system_setup/cron.yml - # - import_tasks: system_setup/locale.yml - # - import_tasks: system_setup/logging.yml - # - import_tasks: system_setup/memory.yml - # - import_tasks: system_setup/microcode.yml - # - import_tasks: system_setup/openssh.yml - # - import_tasks: system_setup/scripts.yml - rescue: - set_fact: task_failed=true diff --git a/roles/base/tasks/software/utils.yml b/roles/base/tasks/software/packages_utilities.yml similarity index 100% rename from roles/base/tasks/software/utils.yml rename to roles/base/tasks/software/packages_utilities.yml 
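Review bot: The first hunk enables `system_setup/openssh.yml` (which this commit changes to install an sshd drop-in) but `users/ansible.yml`, added in this same commit, is imported nowhere in this file, and `# - import_tasks: ansible_setup.yml` in the second hunk stays commented, so the `ansible` user and its sudoers file are presumably never created on a host provisioned from this role. If that is intended, add `- import_tasks: users/ansible.yml` beside the other `users/` imports under `# Make sure users exist on the system`. The enclosing `block:` begins before the first hunk; its `rescue:` is the last line of the second hunk.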
diff --git a/roles/base/tasks/software/zsh.yml b/roles/base/tasks/software/packages_zsh.yml similarity index 100% rename from roles/base/tasks/software/zsh.yml rename to roles/base/tasks/software/packages_zsh.yml diff --git a/roles/base/tasks/system_setup/openssh.yml b/roles/base/tasks/system_setup/openssh.yml index 0f0cc0c..125296c 100644 --- a/roles/base/tasks/system_setup/openssh.yml +++ b/roles/base/tasks/system_setup/openssh.yml @@ -14,10 +14,17 @@ - name: system setup | openssh | generate sshd_config file from template tags: openssh,ssh,system,settings - template: - src: sshd_config.j2 - dest: /etc/ssh/sshd_config + copy: + src: system_setup/sshd_custom.conf + dest: /etc/ssh/sshd_config.d/custom.conf owner: root group: root - mode: 0644 - notify: restart_sshd + mode: '0644' + +# template: +# src: sshd_config.j2 +# dest: /etc/ssh/sshd_config +# owner: root +# group: root +# mode: 0644 +# notify: restart_sshd diff --git a/roles/base/tasks/users/ansible.yml b/roles/base/tasks/users/ansible.yml new file mode 100644 index 0000000..560e10d --- /dev/null +++ b/roles/base/tasks/users/ansible.yml @@ -0,0 +1,14 @@ +- name: users | ansible | add user + user: + name: ansible + comment: Ansible-Pull user + shell: /bin/bash + password_lock: yes + +- name: users | ansible | add sudoers file + copy: + src: users/sudoers_ansible + dst: /etc/sudoers.d/ansible + owner: root + group: root + mode: 0440 \ No newline at end of file diff --git a/roles/base/tasks/users/rene.yml b/roles/base/tasks/users/rene.yml index a857544..c963eaf 100644 --- a/roles/base/tasks/users/rene.yml +++ b/roles/base/tasks/users/rene.yml 
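Review bot: The new `copy` task drops the `notify: restart_sshd` that the replaced `template` task had, so the drop-in is written but the running sshd keeps its previous configuration until something else restarts it; re-add `notify: restart_sshd` (the handler is still named in the commented block below). The drop-in only takes effect if `/etc/ssh/sshd_config` reaches `Include /etc/ssh/sshd_config.d/*.conf` before it sets any keyword the drop-in also sets, because sshd keeps the first value it reads for a keyword — worth ensuring in this file on hosts whose stock config lacks the Include. The task name still says `generate sshd_config file from template`; rename it to match what it now does. Consider `validate: /usr/sbin/sshd -t -f %s` on the copy so a syntax error never lands in the live directory, checking first that a fragment validates on its own.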
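Review bot: `dst:` on the `add sudoers file` task is not a parameter of the `copy` module (it is `dest`), so the task fails at runtime, and `src: users/sudoers_ansible` points at a path this same commit renames to `roles/base/files/ansible_setup/sudoers_ansible`, so the lookup should be `src: ansible_setup/sudoers_ansible`. Because a malformed file in /etc/sudoers.d can break sudo for every user on the host, add `validate: /usr/sbin/visudo -cf %s` to the copy. Quote the mode as `'0440'` to match the openssh task in this commit and write `password_lock: true` instead of `yes`. The file also lacks a trailing newline.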
@@ -3,30 +3,30 @@ name: rene password_lock: yes -- name: users | rene | create config directories - file: - path: /rene/{{ item.dir }} - state: directory - owner: rene - group: rene - mode: 0700 - with_items: - - {dir: '.vim'} - - {dir: '.vim/colors'} - tags: dotfiles +# - name: users | rene | create config directories +# file: +# path: /rene/{{ item.dir }} +# state: directory +# owner: rene +# group: rene +# mode: 0700 +# with_items: +# - {dir: '.vim'} +# - {dir: '.vim/colors'} +# tags: dotfiles -- name: users | rene | copy dotfiles - copy: - src: users/rene/{{ item.src }} - dest: /rene/{{ item.dest }} - owner: rene - group: rene - mode: 0600 - with_items: - - {src: 'bash/bashrc', dest: '.bashrc'} - - {src: 'bash/bash_profile', dest: '.bash_profile'} - - {src: 'bash/profile', dest: '.profile'} - - {src: 'tmux/tmux.conf', dest: '.tmux.conf'} - - {src: 'vim/vimrc', dest: '.vimrc'} - - {src: 'zsh/zshrc', dest: '.zshrc'} - tags: dotfiles +# - name: users | rene | copy dotfiles +# copy: +# src: users/rene/{{ item.src }} +# dest: /rene/{{ item.dest }} +# owner: rene +# group: rene +# mode: 0600 +# with_items: +# - {src: 'bash/bashrc', dest: '.bashrc'} +# - {src: 'bash/bash_profile', dest: '.bash_profile'} +# - {src: 'bash/profile', dest: '.profile'} +# - {src: 'tmux/tmux.conf', dest: '.tmux.conf'} +# - {src: 'vim/vimrc', dest: '.vimrc'} +# - {src: 'zsh/zshrc', dest: '.zshrc'} +# tags: dotfiles diff --git a/roles/base/tasks/users/root.yml b/roles/base/tasks/users/root.yml index 62be074..0278d83 100644 --- a/roles/base/tasks/users/root.yml +++ b/roles/base/tasks/users/root.yml 
@@ -3,30 +3,30 @@ name: root password_lock: yes -- name: users | root | create config directories - file: - path: /root/{{ item.dir }} - state: directory - owner: root - group: root - mode: 0700 - with_items: - - {dir: '.vim'} - - {dir: '.vim/colors'} - tags: dotfiles +# - name: users | root | create config directories +# file: +# path: /root/{{ item.dir }} +# state: directory +# owner: root +# group: root +# mode: 0700 +# with_items: +# - {dir: '.vim'} +# - {dir: '.vim/colors'} +# tags: dotfiles -- name: users | root | copy dotfiles - copy: - src: users/root/{{ item.src }} - dest: /root/{{ item.dest }} - owner: root - group: root - mode: 0600 - with_items: - - {src: 'bash/bashrc', dest: '.bashrc'} - - {src: 'bash/bash_profile', dest: '.bash_profile'} - - {src: 'bash/profile', dest: '.profile'} - - {src: 'tmux/tmux.conf', dest: '.tmux.conf'} - - {src: 'vim/vimrc', dest: '.vimrc'} - - {src: 'zsh/zshrc', dest: '.zshrc'} - tags: dotfiles +# - name: users | root | copy dotfiles +# copy: +# src: users/root/{{ item.src }} +# dest: /root/{{ item.dest }} +# owner: root +# group: root +# mode: 0600 +# with_items: +# - {src: 'bash/bashrc', dest: '.bashrc'} +# - {src: 'bash/bash_profile', dest: '.bash_profile'} +# - {src: 'bash/profile', dest: '.profile'} +# - {src: 'tmux/tmux.conf', dest: '.tmux.conf'} +# - {src: 'vim/vimrc', dest: '.vimrc'} +# - {src: 'zsh/zshrc', dest: '.zshrc'} +# tags: dotfiles diff --git a/roles/base/templates/provision.sh.j2 b/roles/base/templates/provision.sh.j2 new file mode 100644 index 0000000..b804fdc --- /dev/null +++ b/roles/base/templates/provision.sh.j2 
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+
+# Options
+ANSIBLEUSER="ansible"
+BRANCH="{{ branch | default('master') }}"
+LOGFILE="/var/log/ansible.log"
+REPO="https://gitlab.social.my-wan.de/rene/ansible-pull.git"
+VAULT_KEY=""
+PRECMD="sudo systemd-inhibit --who='ansible-pull' --why='provisioning'"
+
+
+# check if ansible-pull is already running, and if not, run it
+if pgrep -f ansible-pull; then
+ printf "\n$(date +"%Y-%m-%d %H:%M:%S") A running ansible-pull process was found.\nExiting.\n"\
+ | tee -a "${LOGFILE}"
+ exit 1
+else
+ if [[ ! $1 == "" ]]; then
+ "${PRECMD}" sudo -iH -u "${ANSIBLEUSER}" ansible-pull --vault-password-file="${VAULT_KEY}" -U "${REPO}" -C "${BRANCH}" --tags $1 2>&1
+ else
+ "${PRECMD}" sudo -iH -u "${ANSIBLEUSER}" ansible-pull --vault-password-file="${VAULT_KEY}" -o -U "${REPO}" -C "${BRANCH}" 2>&1
+ fi
+fi
\ No newline at end of file
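Review bot: `"${PRECMD}"` in both ansible-pull invocations expands the whole string `sudo systemd-inhibit --who=... --why=...` as one word, so bash looks for a command literally named that and fails with "command not found"; the prefix must be a bash array expanded as `"${PRECMD[@]}"`. With `VAULT_KEY=""`, `--vault-password-file=""` is passed as an empty path, which presumably makes ansible-pull error out rather than skip the vault, so the option should only be passed when a key is configured. `pgrep -f ansible-pull` matches any process whose command line contains that string, which includes this script itself when it is run from a path containing `ansible-pull` (the repository is named that), in which case the guard always trips; a `flock`-based lock file is the more robust guard. `--tags $1` and `[[ ! $1 == "" ]]` should be `--tags "$1"` and `[[ -n "${1-}" ]]`, and the script should start with `set -eo pipefail` so a failed sudo or tee is not ignored.
```shell
set -eo pipefail

# … unchanged: ANSIBLEUSER, BRANCH, LOGFILE, REPO, VAULT_KEY …
PRECMD=(sudo systemd-inhibit --who=ansible-pull --why=provisioning)

# Pass the vault option only when a key file is configured.
VAULT_OPTS=()
if [[ -n "${VAULT_KEY}" ]]; then
  VAULT_OPTS=(--vault-password-file="${VAULT_KEY}")
fi

# … unchanged: running-process guard …
if [[ -n "${1-}" ]]; then
  "${PRECMD[@]}" sudo -iH -u "${ANSIBLEUSER}" ansible-pull "${VAULT_OPTS[@]}" -U "${REPO}" -C "${BRANCH}" --tags "$1" 2>&1
else
  "${PRECMD[@]}" sudo -iH -u "${ANSIBLEUSER}" ansible-pull "${VAULT_OPTS[@]}" -o -U "${REPO}" -C "${BRANCH}" 2>&1
fi
```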