Initial commit

2019-06-04 03:20:59 +02:00 · 2019-06-04 03:20:59 +02:00 · 06523efab1
commit 06523efab1
8 changed files with 172 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,2 @@
+*.swp
+*.retry
--- a/ansible.cfg
+++ b/ansible.cfg
@ -0,0 +1,35 @@
+# config file for ansible -- http://ansible.com/
+# ==============================================
+# exmaple:https://raw.github.com/ansible/ansible/devel/examples/ansible.cfg
+#
+# nearly all parameters can be overridden in ansible-playbook
+# or with command line flags. ansible will read ANSIBLE_CONFIG,
+# ansible.cfg in the current working directory, .ansible.cfg in
+# the home directory or /etc/ansible/ansible.cfg, whichever it
+# finds first
+
+[defaults]
+ansible_managed = Ansible managed file, do not edit directly
+#gathering = smart
+#fact_caching = jsonfile
+#fact_caching_connection = ~/.cache/
+#fact_caching_timeout = 86400
+#forks = 20
+inventory = ./hosts
+#remote_user = ansible
+#roles_path = ./roles
+#vault_password_file = open_the_vault.sh
+#retry_files_enabled = False
+#allow_world_readable_tmpfiles = True
+
+[privilege_escalation]
+become=True
+become_method=sudo
+become_ask_pass=True
+
+[ssh_connection]
+
+# By default, this option is disabled to preserve compatibility with
+# sudoers configurations that have requiretty (the default on many distros).
+#
+#pipelining = True
--- a/apt-upgrade.yml
+++ b/apt-upgrade.yml
@ -0,0 +1,17 @@
+---
+
+- hosts: all
+  tasks:
+   - name: updates a server
+     apt: update_cache=yes
+   - name: upgrade a server
+     apt: upgrade=dist
+
+# Reboot if required
+# 
+#   - name: Check if a reboot is required
+#     register: file
+#     stat: path=/var/run/reboot-required get_md5=no
+#   - name: Reboot the server
+#     command: /sbin/reboot
+#     when: file.stat.exists == true
--- a/first_run.yml
+++ b/first_run.yml
@ -0,0 +1,22 @@
+---
+
+# Intended to be run once for every new server to secure the ssh connection allowing the team access
+# with their public keys. This script will lock itself out from every server it is run on.
+# Further playbooks are intended to be run by logging in as one of the created users.
+# It also ensures python2 is installed as it's necessary for the modules used in this playbook at
+# the time of this writing.
+
+# The used login data depends on the used server provider. In most cases the ansible_user will be
+# root, but we can't safely assume anything.
+# The following line is an example for securing a new vagrant maching, after running `vagrant up`:
+# ansible-playbook first_run.yml -i hosts -u vagrant --private-key='~/.vagrant.d/insecure_private_key'
+# For real providers it could look like:
+# ansible-playbook first_run.yml -i hosts -u root --private-key='~/.ssh/id_rsa'
+# If you don't have a ssh-key on the server and the server expects password authentication use:
+# ansible-playbook first_run.yml -i hosts -u root --ask-pass
+
+- hosts: first_run
+  roles:
+    - { role: ansible_dependencies }
+#    - { role: sudo_users }
+#    - { role: sshd_config }
--- a/git.yml
+++ b/git.yml
@ -0,0 +1,65 @@
+---
+
+- hosts: ubuntu-pcs
+
+  tasks:
+  - name: Install/Update repository admin-stuff
+    git:
+      repo: https://git.oopen.de/script/admin-stuff
+      dest: /root/bin/admin-stuff
+    with_items:
+      - admin-stuff
+      - monitoring
+      - postfix
+
+
+- hosts: fileserver
+
+  tasks:
+  - name: Install/Update script repositories
+    git:
+      repo: https://git.oopen.de/script/{{ item }}
+      dest: /root/bin/{{ item }}
+    with_items:
+      - admin-stuff
+      - monitoring
+      - postfix
+      - samba
+
+  - name: Install/Update repository mailsystem
+    git:
+      repo: https://git.oopen.de/install/mailsystem
+      dest: /usr/local/src/mailsystem
+
+
+- hosts: gateway
+
+  tasks:
+  - name: Install/Update script repositories
+    git:
+      repo: https://git.oopen.de/script/{{ item }}
+      dest: /root/bin/{{ item }}
+    with_items:
+      - admin-stuff
+      - manage-gw-config
+      - monitoring
+      - postfix
+
+  - name: Install/Update install repositories
+    git:
+      repo: https://git.oopen.de/install/{{ item }}
+      dest: /usr/local/src/{{ item }}
+    with_items:
+      - mailsystem
+      - openvpn
+
+  - name: Install/Update repository ipt-gateway
+    git:
+      repo: https://git.oopen.de/firewall/ipt-gateway
+      dest: /usr/local/src/ipt-gateway
+
+  - name: Install/Update repository check_net
+    git:
+      repo: https://git.oopen.de/routing/check_net
+      dest: /usr/local/src/check_net
+
--- a/18
+++ b/18
@ -0,0 +1,18 @@
+
+[fileserver]
+file-ro.ro.netz
+
+[gateway]
+gw-ro.ro.netz
+
+[ubuntu-pcs]
+pc101.ro.netz
+pc102.ro.netz
+pc103.ro.netz
+pc104.ro.netz
+pc105.ro.netz
+pc106.ro.netz
+pc108.ro.netz
+pc109.ro.netz
+
+[first_run]
--- a/poweroff-clients.yml
+++ b/poweroff-clients.yml
@ -0,0 +1,8 @@
+---
+  
+- hosts: ubuntu-pcs
+
+  tasks:
+  - name: Power off client pcs
+    shell: /sbin/poweroff
+
--- a/roles/ansible_dependencies/tasks/main.yml
+++ b/roles/ansible_dependencies/tasks/main.yml
@ -0,0 +1,5 @@
+- name: Ensure aptitude is present
+  raw: test -e /usr/bin/aptitude || apt-get install aptitude -y
+
+- name: Ensure python2 is present (This is necessary for ansible to work properly)
+  raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal)