diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 2910a66..a75f9f2 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -864,6 +864,38 @@ microcode_package: - amd64-microcode +# --- +# vars used by cron.yml +# --- + +cron_env_entries: [] +#cron_env_entries: +# - name: PATH +# job: /root/bin/admin-stuff:/root/bin:usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +# +# - name: SHELLforwarding +# job: /bin/bash + +cron_user_entries: [] +#cron_user_entries: +# +# - name: "Check if Postfix Mailservice is up and running?" +# minute: "*/15" +# job: /root/bin/monitoring/check_postfix.sh +# +# - name: "Check if SSH service is up and running?" +# minute: "*/15" +# job: /root/bin/monitoring/check_ssh.sh + + +cron_user_special_time_entries: [] +#cron_user_special_time_entries: +# +# - name: "Check if Postfix Service is running at boot time" +# special_time: reboot +# job: "sleep 7 ; /root/bin/monitoring/check_postfix.sh" +# insertafter: PATH + # --- # vars used by roles/common/tasks/users.yml # --- diff --git a/group_vars/all/vars.yml.sample b/group_vars/all/vars.yml.sample index 273c4bd..0b7a514 100644 --- a/group_vars/all/vars.yml.sample +++ b/group_vars/all/vars.yml.sample @@ -20,6 +20,11 @@ # --- +# --- +# vars used by cron.yml +# --- + + # --- # vars used by roles/common/tasks/users.yml # --- diff --git a/host_vars/ga-nh-gw.oopen.de.yml b/host_vars/ga-nh-gw.oopen.de.yml index 7e872f7..4257f2f 100644 --- a/host_vars/ga-nh-gw.oopen.de.yml +++ b/host_vars/ga-nh-gw.oopen.de.yml 
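Review bot: The commented cron_env_entries example in this hunk carries two slips that will be copied straight into live crontabs: the PATH value lists `usr/local/sbin` without a leading slash, which makes cron search a directory relative to the job's working directory, and the second entry is named `SHELLforwarding` where `SHELL` is plainly meant. Since these examples are the templates operators copy into host_vars, correct them in place: `# job: /root/bin/admin-stuff:/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin` and `# - name: SHELL`. The live copy added to host_vars/test.mx.oopen.de.yml in this same commit already spells both correctly, so the sample should match it.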
@@ -22,36 +22,27 @@ network_interface_required_packages: network_interfaces: - device: eno1 - headline: eno1 - holds uplink WiDSL Antenna (ppp line widsl) + headline: eno1 - Uplink WiDSL via (static) line to Fritz!Box 7490 auto: true family: inet method: static - address: 10.12.136.254 + address: 172.16.80.1 netmask: 24 - - - - device: dsl-widsl - headline: dsl-widsl - ppp line widsl - auto: true - family: inet - method: ppp - provider: dsl-widsl - pre-up: - - /sbin/ifconfig eno1 up + gateway: 172.16.80.254 + nameservers: + - 192.168.81.1 + - 172.16.81.254 + search: ga.netz ga.intra - device: eno2 - headline: eno2 - uplink Telekom (static line via digitbox) + headline: eno2 - Uplink Telekom (static line via digitbox) auto: true family: inet method: static address: 172.16.81.1 netmask: 24 gateway: 172.16.81.254 - nameservers: - - 192.168.81.1 - - 192.168.11.1 - search: ga.netz - device: eno5 
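Review bot: After this hunk both eno1 and eno2 carry a `gateway:` key (172.16.80.254 and 172.16.80.1's peer on eno1, 172.16.81.254 on eno2) with no metric on either stanza, so if the role renders these as plain ifupdown stanzas the second `gateway` becomes a second default route and ifup fails on that interface with a route-already-exists error. Either drop `gateway:` from whichever interface is not the primary uplink or give each stanza a distinct metric — ifmetric is already in network_interface_required_packages per the .BAK copy below — but which uplink is meant to win, and whether the template handles a metric key, is not visible in this hunk. The network_interfaces list continues past the hunk with eno5 and the eno5:ns alias.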
@@ -86,6 +77,43 @@ network_interfaces: # vars used by roles/common/tasks/basic.yml # --- +cron_user_entries: + + - name: "Check if Postfix Mailservice is up and running?" + minute: "*/15" + job: /root/bin/monitoring/check_postfix.sh + + - name: "Check if SSH service is up and running?" + minute: "*/15" + job: /root/bin/monitoring/check_ssh.sh + + - name: "Check if OpenVPN service is up and running?" + minute: "*/30" + job: /root/bin/monitoring/check_vpn.sh + + - name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )" + minute: "0-59/2" + job: /root/bin/monitoring/check_forwarding.sh + + - name: "Copy gateway configuration" + minute: "09" + hour: "3" + job: /root/bin/manage-gw-config/copy_gateway-config.sh GA-NH + + +#cron_user_special_time_entries: [] +cron_user_special_time_entries: + + - name: "Check if Postfix Service is running at boot time" + special_time: reboot + job: "sleep 7 ; /root/bin/monitoring/check_postfix.sh" + insertafter: PATH + + - name: "Restart Systemd's resolved at boottime." + special_time: reboot + job: "sleep 10 ; /bin/systemctl restart systemd-resolved" + insertafter: PATH + # --- # vars used by roles/common/tasks/sshd.yml diff --git a/host_vars/ga-nh-gw.oopen.de.yml.BAK b/host_vars/ga-nh-gw.oopen.de.yml.BAK new file mode 100644 index 0000000..7e872f7 --- /dev/null +++ b/host_vars/ga-nh-gw.oopen.de.yml.BAK 
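Review bot: The new cron_user_entries and cron_user_special_time_entries blocks are filed under the `# vars used by roles/common/tasks/basic.yml` heading, but basic.yml does not read them; group_vars/all/main.yml in this same commit files the identical keys under a dedicated `# vars used by cron.yml` heading. Add that header above `cron_user_entries:` so the section name points at the task file that consumes the variables. The leftover `#cron_user_special_time_entries: []` line directly contradicts the populated list beneath it and should go.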
@@ -0,0 +1,210 @@ +--- +# --- +# vars used by roles/network_interfaces +# --- + + +# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted +network_manage_devices: True + +# Should the interfaces be reloaded after config change? +network_interface_reload: False + +network_interface_path: /etc/network/interfaces.d +network_interface_required_packages: + - vlan + - bridge-utils + - ifmetric + - ifupdown + - ifenslave + - resolvconf + +network_interfaces: + + - device: eno1 + headline: eno1 - holds uplink WiDSL Antenna (ppp line widsl) + auto: true + family: inet + method: static + address: 10.12.136.254 + netmask: 24 + + + - device: dsl-widsl + headline: dsl-widsl - ppp line widsl + auto: true + family: inet + method: ppp + provider: dsl-widsl + pre-up: + - /sbin/ifconfig eno1 up + + + - device: eno2 + headline: eno2 - uplink Telekom (static line via digitbox) + auto: true + family: inet + method: static + address: 172.16.81.1 + netmask: 24 + gateway: 172.16.81.254 + nameservers: + - 192.168.81.1 + - 192.168.11.1 + search: ga.netz + + + - device: eno5 + headline: eno5 - LAN + auto: true + family: inet + method: static + address: 192.168.81.254 + netmask: 24 + + + - device: eno5:ns + headline: eno5:ns - Alias on eno5 (Nameserver) + auto: true + family: inet + method: static + address: 192.168.81.1 + netmask: 32 + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +insert_ssh_keypair_backup_server: false +ssh_keypair_backup_server: + - name: backup + backup_user: back + priv_key_src: root/.ssh/id_rsa.backup.oopen.de + priv_key_dest: /root/.ssh/id_rsa + pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub + pub_key_dest: 
/root/.ssh/id_rsa.pub + +insert_keypair_backup_client: true +ssh_keypair_backup_client: + - name: backup + priv_key_src: root/.ssh/id_ed25519.oopen-server + priv_key_dest: /root/.ssh/id_ed25519 + pub_key_src: root/.ssh/id_ed25519.oopen-server.pub + pub_key_dest: /root/.ssh/id_ed25519.pub + target: backup.oopen.de + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: wadmin + password: $6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1' + + - name: sysadm + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest' + - 
'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + +sudo_users: + - chris + - sysadm + - wadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-gateway + repo: https://git.oopen.de/firewall/ipt-gateway + dest: /usr/local/src/ipt-gateway + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/host_vars/ga-st-gw-ersatz.ga.netz.yml b/host_vars/ga-st-gw-ersatz.ga.netz.yml index e74af02..d6c5108 100644 --- a/host_vars/ga-st-gw-ersatz.ga.netz.yml +++ b/host_vars/ga-st-gw-ersatz.ga.netz.yml @@ -29,7 +29,7 @@ network_interfaces: address: 192.168.11.19 netmask: 24 gateway: 192.168.11.254 - nameserver: + nameservers: - 192.168.11.1 - 192.168.10.3 search: ga.netz ga.intra diff --git a/host_vars/ga-st-kvm5.ga.netz.yml b/host_vars/ga-st-kvm5.ga.netz.yml index 0a37acc..8935fba 100644 --- a/host_vars/ga-st-kvm5.ga.netz.yml +++ b/host_vars/ga-st-kvm5.ga.netz.yml @@ -30,7 +30,7 @@ network_interfaces: method: manual pre-up: - ifconfig $IFACE up - - vconfig add eno2 11 + post-up: - /sbin/ip link add link eno2 name eno2.11 type vlan id 11 post-down: - ifconfig $IFACE down 
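Review bot: host_vars/ga-nh-gw.oopen.de.yml.BAK is a committed copy of the pre-change host file (its blob id 7e872f7 is the old side of the ga-nh-gw.oopen.de.yml diff above), so the `$6$` password hashes for chris, wadmin, sysadm, back and root plus every authorized ssh key now live in the repository twice. The old revision is already recoverable from git history; the .BAK adds only a second copy that will not be updated when those hashes are rotated, and Ansible's host_vars loader should ignore the `.BAK` extension, so nothing consumes it. Remove the file from the commit and, if scratch copies are a habit, add `*.BAK` to .gitignore so they cannot be staged by accident.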
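Review bot: The replacement `post-up: - /sbin/ip link add link eno2 name eno2.11 type vlan id 11` is not repeatable: once eno2.11 exists, a second ifup of eno2 makes the command fail with a file-exists error and ifupdown reports the interface as failed; the removed `vconfig add` had the same weakness, so this is a carry-over rather than a regression. Guarding it as `- /sbin/ip link show eno2.11 >/dev/null 2>&1 || /sbin/ip link add link eno2 name eno2.11 type vlan id 11` keeps the stanza idempotent, and the `post-down` list should get the matching `- /sbin/ip link del eno2.11` so the VLAN device does not outlive its parent's configuration. Whether eno2.11 has its own stanza that already takes care of this is outside the hunk.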
diff --git a/host_vars/test.mx.oopen.de.yml b/host_vars/test.mx.oopen.de.yml index eb9e48f..13f17a9 100644 --- a/host_vars/test.mx.oopen.de.yml +++ b/host_vars/test.mx.oopen.de.yml @@ -26,6 +26,19 @@ dovecot_auth_allowed_network_ipv6: # --- +# --- +# vars used by cron.yml +# --- + +#cron_env_entries: [] +cron_env_entries: + - name: PATH + job: /root/bin/admin-stuff:/root/bin:/usr/local/php/bin:/usr/local/apache2/bin:/sbin:/bin:/usr/local/dovecot/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + + - name: SHELL + job: /bin/bash + + # --- # vars used by apt.yml # --- diff --git a/roles/common/tasks/basic.yml b/roles/common/tasks/basic.yml index bd528a1..18a1787 100644 --- a/roles/common/tasks/basic.yml +++ b/roles/common/tasks/basic.yml @@ -24,6 +24,11 @@ tags: - symlink-sh + +# ---------- +# systemd stuff +# ---------- + - name: (basic.yml) Ensure directory '/etc/systemd/system.conf.d' exists file: path: /etc/systemd/system.conf.d @@ -55,6 +60,11 @@ tags: - systemd-config + +# ---------- +# kernel parameter +# ---------- + - name: (basic.yml) Ensure directory '/etc/sysctl.d' exists file: path: etc/sysctl.d 
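Review bot: The sysctl directory task in this hunk's trailing context uses `path: etc/sysctl.d`, a relative path, so the `file` module creates `etc/sysctl.d` under the remote process's working directory (typically the connecting user's home) rather than `/etc/sysctl.d`, and any later task that writes into `/etc/sysctl.d` then depends on the directory already existing on the host. The slip predates this commit, but it sits directly under the `# kernel parameter` header the commit adds and should read `path: /etc/sysctl.d`, matching the task's own name. The tasks that follow this one are outside the hunk.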
@@ -86,3 +96,55 @@ tags: - systctl-config + +# ---------- +# unattended upgrades +# ---------- + +- name: (basic.yml) install unattended-upgrades + apt: pkg=unattended-upgrades state=present + tags: + - unattended-upgrades + +- name: (basic.yml) install apt-listchanges + apt: pkg=apt-listchanges state=present + tags: + - unattended-upgrades + +- name: (basic.yml) remove apticron + apt: pkg=apticron state=absent + tags: + - unattended-upgrades + +- name: (basic.yml) check if /etc/apt/apt.conf.d/20auto-upgrades exists + stat: path=/etc/apt/apt.conf.d/20auto-upgrades + register: ua_enabled + tags: + - unattended-upgrades + +- name: (basic.yml) activate unattended upgrades + shell: dpkg-reconfigure -plow unattended-upgrades + when: ua_enabled.stat.exists == False + tags: + - unattended-upgrades + +- name: (basic.yml) copy apt-listchanges.conf + template: + src: etc/apt/listchanges.conf.j2 + dest: /etc/apt/listchanges.conf + owner: root + group: root + mode: 0644 + tags: + - unattended-upgrades + +- name: (basic.yml) copy unattended-upgrades conf + template: + src: etc/apt/apt.conf.d/50unattended-upgrades.j2 + dest: /etc/apt/apt.conf.d/50unattended-upgrades + backup: yes + owner: root + group: root + mode: 0644 + tags: + - unattended-upgrades diff --git a/roles/common/tasks/cron.yml b/roles/common/tasks/cron.yml new file mode 100644 index 0000000..35a46f2 --- /dev/null +++ b/roles/common/tasks/cron.yml 
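Review bot: The two template tasks at the end of this hunk set `mode: 0644` unquoted, which relies on the YAML 1.1 leading-zero octal rule that Ansible's parser honours today; `mode: "0644"` removes that dependence and is the form yamllint and ansible-lint favour, and `backup: yes` should likewise be `backup: true`. Style-wise the three `apt:` tasks use the `pkg=unattended-upgrades state=present` key=value string form while the rest of the hunk is block YAML; `apt:` followed by `name: unattended-upgrades` and `state: present` reads consistently and lints cleanly. Two smaller points: `when: ua_enabled.stat.exists == False` is the Python spelling of `when: not ua_enabled.stat.exists`, and the dpkg-reconfigure line uses no shell features, so `command:` is the tighter module than `shell:`.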
@@ -0,0 +1,47 @@ +--- + +- name: (cron.yml) Set env entries in user crontabs + cron: + name: '{{ item.name }}' + env: 'yes' + user: '{{ item.user | default(omit) }}' + job: '{{ item.job }}' + insertafter: '{{ item.insertafter | default(omit) }}' + loop: "{{ cron_env_entries }}" + loop_control: + label: '{{ item.name }}' + when: item.job is defined + tags: + - user_crontab + + +- name: (cron.yml) Set special time entries in user crontabs + cron: + name: '{{ item.name }}' + special_time: '{{ item.special_time }}' + user: '{{ item.user | default(omit) }}' + job: '{{ item.job }}' + state: present + loop: "{{ cron_user_special_time_entries }}" + loop_control: + label: '{{ item.name }}' + when: item.job is defined + tags: + - user_crontab + + +- name: (cron.yml) Set normal entries in user crontabs + cron: + name: '{{ item.name }}' + minute: '{{ item.minute | default(omit) }}' + hour: '{{ item.hour | default(omit) }}' + day: '{{ day | default(omit) }}' + weekday: '{{ item.weekday | default(omit) }}' + month: '{{ item.month | default(omit) }}' + job: '{{ item.job }}' + loop: "{{ cron_user_entries }}" + loop_control: + label: '{{ item.name }}' + when: item.job is defined + tags: + - user_crontab diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index ba9157b..623e0d6 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -28,6 +28,9 @@ - import_tasks: apt.yml tags: apt +- import_tasks: cron.yml + tags: + - cron # tags supported inside shell.yml # diff --git a/roles/common/templates/etc/apt/apt.conf.d/50unattended-upgrades.j2 b/roles/common/templates/etc/apt/apt.conf.d/50unattended-upgrades.j2 new file mode 100644 index 0000000..5197090 --- /dev/null +++ b/roles/common/templates/etc/apt/apt.conf.d/50unattended-upgrades.j2 
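Review bot: In the third task the day field is wired to the wrong variable: `day: '{{ day | default(omit) }}'` looks up a top-level `day` rather than the loop item, so any cron_user_entries item that sets `day` is silently dropped and the job runs every day of the month; it should be `day: '{{ item.day | default(omit) }}'` like the neighbouring minute/hour/weekday/month lines. The same task is also the only one without `user: '{{ item.user | default(omit) }}'`, so normal entries cannot name a target crontab while env and special-time entries can; adding that line keeps the item schema uniform across the three tasks. Minor: `env: 'yes'` in the first task passes a string to a boolean option and is cleaner as `env: true`.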
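Review bot: The new import uses the list form `tags:` / `- cron` while the adjacent `- import_tasks: apt.yml` in the same hunk uses the scalar `tags: apt`; `tags: cron` keeps the file uniform. Since the tasks inside cron.yml tag themselves `user_crontab` rather than `cron`, a reader has to open that file to learn which selector reaches them; a one-line comment next to the import, such as `# tasks inside carry the tag user_crontab`, would mirror what the following `# tags supported inside shell.yml` block does for shell.yml.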
@@ -0,0 +1,17 @@ +# {{ ansible_managed }} + +Unattended-Upgrade::Origins-Pattern { + "origin=Debian,codename=${distro_codename},label=Debian"; + "origin=Debian,codename=${distro_codename},label=Debian-Security"; + "origin=Debian,codename=${distro_codename}-security,label=Debian-Security"; + "origin=Debian,codename=${distro_codename}-updates"; + "origin=Debian,codename=${distro_codename}-backports"; +}; + +Unattended-Upgrade::Mail "root"; + +Unattended-Upgrade::MinimalSteps "true"; + +Unattended-Upgrade::Remove-Unused-Kernel-Packages "true"; +Unattended-Upgrade::Remove-Unused-Dependencies "true"; +Unattended-Upgrade::Remove-New-Unused-Dependencies "true"; diff --git a/roles/common/templates/etc/apt/listchanges.conf.j2 b/roles/common/templates/etc/apt/listchanges.conf.j2 new file mode 100644 index 0000000..1102a06 --- /dev/null +++ b/roles/common/templates/etc/apt/listchanges.conf.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +[apt] +frontend=mail +email_address=root +confirm=0 +save_seen=/var/lib/apt/listchanges.db +which=both
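Review bot: The Origins-Pattern admits `"origin=Debian,codename=${distro_codename}-backports";`, which lets unattended-upgrades follow new upstream versions for any package that was installed from backports rather than only security fixes; that may be deliberate on these hosts, but it widens what changes without review and deserves a comment in the template, e.g. `// backports on purpose: packages installed from backports keep tracking backports`. Nothing here sets `Unattended-Upgrade::Automatic-Reboot`, so kernel updates (which this file explicitly allows to remove old kernels) leave the host on the running kernel until someone reboots; a line stating that reboots are intentionally manual would make the policy explicit. The periodic run itself is enabled by the dpkg-reconfigure task in basic.yml, not by this file.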