Basic deployment on valkyrie
This commit is contained in:
parent
8e690941bf
commit
4c7c0e052b
4
.gitignore
vendored
4
.gitignore
vendored
@ -1 +1,3 @@
|
||||
secrets.yml
|
||||
secrets/common.yml
|
||||
secrets/valkyrie.yml
|
||||
secrets/yggdrasil.yml
|
||||
|
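Review bot: The new ignore list names three specific files under `secrets/`, so a secrets file for any host added later (or an editor backup such as a `~` or `.swp` file beside them) is not ignored and can be committed by accident on the next `git add -A`. A directory-wide `secrets/` entry, or at least `secrets/*.yml`, covers the whole vault area instead of enumerating it. Which of the four lines is the removed one is inferred from the hunk counts (one deletion, three additions) and the commit title; the README hunk that follows still documents `secrets.yml` as the vault file name, so that text is now stale as well.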
@ -5,5 +5,6 @@ Ansible playbooks for provisioning Yggdrasil.
|
||||
## Secrets vault
|
||||
|
||||
- Encrypt with: ```ansible-vault encrypt secrets.yml```
|
||||
- Decrypt with: ```ansible-vault decrypt secrets.yml```
|
||||
- Print secrets to STDOUT: ```ansible-vault decrypt --output - secrets.yml```
|
||||
- Run a playbook with ```ansible-playbook --vault-id @prompt playbook.yml```
|
||||
|
@ -2,4 +2,4 @@
|
||||
inventory = ./hosts
|
||||
|
||||
[privilege_escalation]
|
||||
become=True
|
||||
become = True
|
||||
|
@ -3,7 +3,7 @@
|
||||
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
|
||||
# will not ban a host which matches an address in this list. Several addresses
|
||||
# can be defined using space (and/or comma) separator.
|
||||
ignoreip = 127.0.0.1/8 ::1 {{ subnet_address }}/{{ subnet_masklen }}
|
||||
ignoreip = 127.0.0.1/8 ::1 {{ subnet }}
|
||||
|
||||
# "bantime" is the number of seconds that a host is banned.
|
||||
bantime = 1d
|
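Review bot: `ignoreip` now interpolates `{{ subnet }}` as one opaque string, so the template no longer shows what shape the value must have (a CIDR such as `10.0.0.0/24`, constructed example) nor that every host inside it is exempt from banning; a comment above the line, `# subnet: CIDR of the trusted LAN — hosts inside it are never banned by any jail`, makes that whitelist effect explicit where the value is consumed. The vars hunk further down appears to add `subnet:` while keeping `subnet_address:` and `subnet_masklen:`; if nothing else renders those two, drop them so two descriptions of the same network cannot drift apart. The section header this setting belongs to lies before the hunk.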
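--- /dev/null
+++ b/filesystem/common/etc/mailname.j2
@@ -0,0 +1 @@
+{{ hostname }}.{{ domain }}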
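Review bot: `/etc/mailname` changes from `{{ domain }}` (the template deleted further down) to `{{ hostname }}.{{ domain }}`, a behaviour change the commit title does not mention; if the postfix `main.cf` template derives `myorigin` or `myhostname` from this file, locally generated mail will now carry the host FQDN as its sender domain, which the relay account and any SPF record for the bare domain should be checked against. Postfix reads this file verbatim, so the rationale cannot live here; a comment on the `Configure mailname` task in `tasks/mail.yml` is the place for it.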
@ -15,3 +15,6 @@ PasswordAuthentication no
|
||||
|
||||
# No X window forwarding.
|
||||
X11Forwarding no
|
||||
|
||||
# Check in with the client every now and then.
|
||||
ClientAliveInterval 120
|
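Review bot: The comment above `ClientAliveInterval 120` only says the server checks in; what matters operationally is that, together with sshd's default `ClientAliveCountMax 3`, an unresponsive client is disconnected after about six minutes, and the comment should state that intent: `# Probe the client every 120 s; with the default ClientAliveCountMax (3) a dead session is dropped after ~6 min.` Setting `ClientAliveCountMax` explicitly next to it would pin that behaviour instead of relying on the default. The drop-in's earlier directives (`PasswordAuthentication no` and above) are outside the hunk.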
9
filesystem/valkyrie/etc/motd
Normal file
9
filesystem/valkyrie/etc/motd
Normal file
@ -0,0 +1,9 @@
|
||||
-------------------------------------------------------------------
|
||||
_ _ _
|
||||
__ ____ _| | | ___ _ _ __(_) ___
|
||||
\ \ / / _` | | |/ / | | | '__| |/ _ \
|
||||
\ V / (_| | | <| |_| | | | | __/
|
||||
\_/ \__,_|_|_|\_\\__, |_| |_|\___|
|
||||
|___/
|
||||
|
||||
-------------------------------------------------------------------
|
@ -1 +0,0 @@
|
||||
{{ domain }}
|
@ -10,6 +10,7 @@ hostname:
|
||||
domain:
|
||||
subnet_address:
|
||||
subnet_masklen:
|
||||
subnet:
|
||||
|
||||
# Postfix variables
|
||||
postfix_smtp_server:
|
@ -4,14 +4,14 @@
|
||||
|
||||
- name: Configure fail2ban
|
||||
template:
|
||||
src: ./root/etc/fail2ban/jail.local.j2
|
||||
src: ./filesystem/common/etc/fail2ban/jail.local.j2
|
||||
dest: /etc/fail2ban/jail.local
|
||||
mode: 0644
|
||||
register: fail2ban_conf
|
||||
|
||||
- name: Configure fail2ban sshd jail
|
||||
template:
|
||||
src: ./root/etc/fail2ban/jail.d/sshd.local.j2
|
||||
src: ./filesystem/common/etc/fail2ban/jail.d/sshd.local.j2
|
||||
dest: /etc/fail2ban/jail.d/sshd.local
|
||||
mode: 0644
|
||||
register: fail2ban_sshd_jail
|
||||
|
@ -4,7 +4,7 @@
|
||||
|
||||
- name: Configure nftables
|
||||
template:
|
||||
src: ./root/etc/nftables.conf.j2
|
||||
src: ./filesystem/common/etc/nftables.conf.j2
|
||||
dest: /etc/nftables.conf
|
||||
mode: 0755
|
||||
register: nftables_conf
|
||||
|
5
tasks/fstrim.yml
Normal file
5
tasks/fstrim.yml
Normal file
@ -0,0 +1,5 @@
|
||||
- name: Enable fstrim
|
||||
systemd:
|
||||
name: fstrim.timer
|
||||
enabled: yes
|
||||
state: started
|
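Review bot: `enabled: yes` in the new task file uses a YAML 1.1 truthy literal; ansible-lint's `yaml[truthy]` rule prefers `enabled: true`, and the value is a real boolean here, not a string. The same five lines are removed from the zfs-trim task file further down, so this is a move rather than a behaviour change. A short header comment such as `# Periodic TRIM of mounted filesystems via the distribution's fstrim.timer` would say why a non-ZFS host (valkyrie) imports it.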
@ -6,7 +6,7 @@
|
||||
|
||||
- name: Configure logcheck
|
||||
template:
|
||||
src: ./root/etc/logcheck/ignore.d.server/yggdrasil.j2
|
||||
dest: /etc/logcheck/ignore.d.server/yggdrasil
|
||||
src: ./filesystem/common/etc/logcheck/ignore.d.server/hostname.j2
|
||||
dest: /etc/logcheck/ignore.d.server/{{ hostname }}
|
||||
group: logcheck
|
||||
mode: 0644
|
||||
|
@ -1,24 +1,13 @@
|
||||
- name: Configure mailname
|
||||
template:
|
||||
src: ./root/etc/mailname.j2
|
||||
src: ./filesystem/common/etc/mailname.j2
|
||||
dest: /etc/mailname
|
||||
mode: 0644
|
||||
register: mail_mailname
|
||||
|
||||
- name: Configure aliases
|
||||
template:
|
||||
src: ./root/etc/aliases.j2
|
||||
dest: /etc/aliases
|
||||
mode: 0644
|
||||
register: mail_aliases
|
||||
|
||||
- name: Update aliases
|
||||
command: newaliases
|
||||
when: mail_aliases is changed
|
||||
|
||||
- name: Configure mailutils
|
||||
template:
|
||||
src: ./root/etc/mailutils.conf.j2
|
||||
src: ./filesystem/common/etc/mailutils.conf.j2
|
||||
dest: /etc/mailutils.conf
|
||||
mode: 0644
|
||||
|
||||
@ -29,16 +18,27 @@
|
||||
- ca-certificates
|
||||
- libsasl2-modules
|
||||
|
||||
- name: Configure aliases
|
||||
template:
|
||||
src: ./filesystem/common/etc/aliases.j2
|
||||
dest: /etc/aliases
|
||||
mode: 0644
|
||||
register: mail_aliases
|
||||
|
||||
- name: Update aliases
|
||||
command: newaliases
|
||||
when: mail_aliases is changed
|
||||
|
||||
- name: Configure postfix
|
||||
template:
|
||||
src: ./root/etc/postfix/main.cf.j2
|
||||
src: ./filesystem/common/etc/postfix/main.cf.j2
|
||||
dest: /etc/postfix/main.cf
|
||||
mode: 0644
|
||||
register: mail_postfix_conf
|
||||
|
||||
- name: Configure credentials
|
||||
template:
|
||||
src: ./root/etc/postfix/sasl_passwd.j2
|
||||
src: ./filesystem/common/etc/postfix/sasl_passwd.j2
|
||||
dest: /etc/postfix/sasl_passwd
|
||||
mode: 0600
|
||||
register: mail_postfix_credentials
|
||||
|
@ -1,5 +1,5 @@
|
||||
- name: Set MotD
|
||||
copy:
|
||||
src: ./root/etc/motd
|
||||
src: ./filesystem/{{ hostname }}/etc/motd
|
||||
dest: /etc/motd
|
||||
mode: 0644
|
||||
|
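Review bot: `src: ./filesystem/{{ hostname }}/etc/motd` makes the copy depend on a per-host directory existing in the repository; this commit adds `filesystem/valkyrie/etc/motd`, but the page shows no `filesystem/yggdrasil/etc/motd`, so unless the old `root/etc/motd` was moved there (not visible here) the yggdrasil play fails at this task. Either confirm that file exists or let the task fall back to a shared file, e.g. `src: "{{ lookup('first_found', ['./filesystem/' ~ hostname ~ '/etc/motd', './filesystem/common/etc/motd']) }}"`.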
@ -5,6 +5,6 @@
|
||||
|
||||
- name: Disable su for non-wheel users
|
||||
copy:
|
||||
src: ./root/etc/pam.d/su
|
||||
src: ./filesystem/common/etc/pam.d/su
|
||||
dest: /etc/pam.d/su
|
||||
mode: 0644
|
||||
|
@ -4,7 +4,7 @@
|
||||
|
||||
- name: Smartd configuration
|
||||
copy:
|
||||
src: ./root/etc/smartd.conf
|
||||
src: ./filesystem/yggdrasil/etc/smartd.conf
|
||||
dest: /etc/smartd.conf
|
||||
mode: 0644
|
||||
register: smartd_conf
|
||||
|
@ -3,8 +3,8 @@
|
||||
|
||||
- name: Configure sshd
|
||||
template:
|
||||
src: ./root/etc/ssh/sshd_config.d/00-yggdrasil.conf.j2
|
||||
dest: /etc/ssh/sshd_config.d/00-yggdrasil.conf
|
||||
src: ./filesystem/common/etc/ssh/sshd_config.d/00-local.conf.j2
|
||||
dest: /etc/ssh/sshd_config.d/00-local.conf
|
||||
mode: 0600
|
||||
register: sshd_conf
|
||||
|
||||
|
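Review bot: Renaming the drop-in destination from `00-yggdrasil.conf` to `00-local.conf` leaves the old file in place on a host that was already provisioned, and sshd still loads every `sshd_config.d/*.conf`; since sshd keeps the first value it sees for a keyword and `00-local.conf` sorts first, the new file wins where both set a key, but any directive that only the stale file sets keeps applying and future edits have to reason about two files. Add a task that removes the old path and contributes to the same restart condition that `sshd_conf` feeds (the handler itself is outside the hunk; the register name below is constructed to match). The tasks before line 3 of this file are outside the hunk.
```yaml
- name: Remove stale sshd drop-in
  file:
    path: /etc/ssh/sshd_config.d/00-yggdrasil.conf
    state: absent
  register: sshd_stale_conf
```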
@ -1,12 +1,12 @@
|
||||
- name: SystemD mail script
|
||||
template:
|
||||
src: ./root/usr/local/sbin/systemd-mail-systemctl-status.j2
|
||||
src: ./filesystem/yggdrasil/usr/local/sbin/systemd-mail-systemctl-status.j2
|
||||
dest: /usr/local/sbin/systemd-mail-systemctl-status
|
||||
mode: 0755
|
||||
|
||||
- name: SystemD mail service
|
||||
copy:
|
||||
src: ./root/etc/systemd/system/status-mail@.service
|
||||
src: ./filesystem/yggdrasil/etc/systemd/system/status-mail@.service
|
||||
dest: /etc/systemd/system/status-mail@.service
|
||||
mode: 0644
|
||||
register: systemd_status_mail_service_file
|
||||
|
@ -4,12 +4,12 @@
|
||||
|
||||
- name: Configure unattended-upgrades
|
||||
copy:
|
||||
src: ./root/etc/apt/apt.conf.d/50unattended-upgrades
|
||||
src: ./filesystem/common/etc/apt/apt.conf.d/50unattended-upgrades
|
||||
dest: /etc/apt/apt.conf.d/50unattended-upgrades
|
||||
mode: 0644
|
||||
|
||||
- name: Enable unattended-upgrades
|
||||
copy:
|
||||
src: ./root/etc/apt/apt.conf.d/20auto-upgrades
|
||||
src: ./filesystem/common/etc/apt/apt.conf.d/20auto-upgrades
|
||||
dest: /etc/apt/apt.conf.d/20auto-upgrades
|
||||
mode: 0644
|
||||
|
@ -4,7 +4,7 @@
|
||||
|
||||
- name: Apcupsd configuration
|
||||
copy:
|
||||
src: ./root/etc/apcupsd/apcupsd.conf
|
||||
src: ./filesystem/yggdrasil/etc/apcupsd/apcupsd.conf
|
||||
dest: /etc/apcupsd/apcupsd.conf
|
||||
mode: 0644
|
||||
register: apcupsd_conf
|
||||
|
@ -8,14 +8,14 @@
|
||||
- name: Configure tmux
|
||||
become: no
|
||||
copy:
|
||||
src: ./root/home/user/tmux.conf
|
||||
src: ./filesystem/common/home/user/tmux.conf
|
||||
dest: .tmux.conf
|
||||
mode: 0644
|
||||
|
||||
- name: Configure bashrc
|
||||
become: no
|
||||
copy:
|
||||
src: ./root/home/user/bashrc
|
||||
src: ./filesystem/common/home/user/bashrc
|
||||
dest: .bashrc
|
||||
mode: 0644
|
||||
|
||||
|
@ -4,4 +4,5 @@
|
||||
- git
|
||||
- htop
|
||||
- man
|
||||
- perl
|
||||
- tmux
|
||||
|
@ -1,19 +1,19 @@
|
||||
- name: Zpool status mail script
|
||||
template:
|
||||
src: ./root/usr/local/sbin/systemd-mail-zpool-status.j2
|
||||
src: ./filesystem/yggdrasil/usr/local/sbin/systemd-mail-zpool-status.j2
|
||||
dest: /usr/local/sbin/systemd-mail-zpool-status
|
||||
mode: 0755
|
||||
|
||||
- name: Zfs scrub service file
|
||||
copy:
|
||||
src: ./root/etc/systemd/system/zfs-scrub@.service
|
||||
src: ./filesystem/yggdrasil/etc/systemd/system/zfs-scrub@.service
|
||||
dest: /etc/systemd/system/zfs-scrub@.service
|
||||
mode: 0644
|
||||
register: systemd_zfs_scrub_service_file
|
||||
|
||||
- name: Zfs scrub timer file
|
||||
copy:
|
||||
src: ./root/etc/systemd/system/zfs-scrub-monthly@.timer
|
||||
src: ./filesystem/yggdrasil/etc/systemd/system/zfs-scrub-monthly@.timer
|
||||
dest: /etc/systemd/system/zfs-scrub-monthly@.timer
|
||||
mode: 0644
|
||||
register: systemd_zfs_scrub_monthly_timer_file
|
||||
|
@ -1,19 +1,13 @@
|
||||
- name: Enable fstrim
|
||||
systemd:
|
||||
name: fstrim.timer
|
||||
enabled: yes
|
||||
state: started
|
||||
|
||||
- name: Zfs trim service file
|
||||
copy:
|
||||
src: ./root/etc/systemd/system/zfs-trim@.service
|
||||
src: ./filesystem/yggdrasil/etc/systemd/system/zfs-trim@.service
|
||||
dest: /etc/systemd/system/zfs-trim@.service
|
||||
mode: 0644
|
||||
register: systemd_zfs_trim_service_file
|
||||
|
||||
- name: Zfs trim timer file
|
||||
copy:
|
||||
src: ./root/etc/systemd/system/zfs-trim-monthly@.timer
|
||||
src: ./filesystem/yggdrasil/etc/systemd/system/zfs-trim-monthly@.timer
|
||||
dest: /etc/systemd/system/zfs-trim-monthly@.timer
|
||||
mode: 0644
|
||||
register: systemd_zfs_trim_monthly_timer_file
|
20
valkyrie.yml
Normal file
20
valkyrie.yml
Normal file
@ -0,0 +1,20 @@
|
||||
---
|
||||
- hosts: valkyrie
|
||||
|
||||
vars_files:
|
||||
- secrets/common.yml
|
||||
- secrets/valkyrie.yml
|
||||
|
||||
tasks:
|
||||
- import_tasks: tasks/sshd.yml
|
||||
- import_tasks: tasks/firewall.yml
|
||||
- import_tasks: tasks/ntp.yml
|
||||
- import_tasks: tasks/mail.yml
|
||||
- import_tasks: tasks/unattended-upgrades.yml
|
||||
- import_tasks: tasks/fail2ban.yml
|
||||
- import_tasks: tasks/fstrim.yml
|
||||
- import_tasks: tasks/logs.yml
|
||||
- import_tasks: tasks/motd.yml
|
||||
- import_tasks: tasks/utils.yml
|
||||
- import_tasks: tasks/user.yml
|
||||
- import_tasks: tasks/root-shell.yml
|
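Review bot: The new play declares no `become:`, so every imported task (sshd, firewall, pam, unattended-upgrades, …) runs as the connecting user unless the `[privilege_escalation] become = True` from the `ansible.cfg` hunk in this commit happens to be in effect; a reader of the playbook alone cannot see that, and running it with a different config or from another working directory silently drops root. Adding `become: true` directly under `- hosts: valkyrie` (and likewise in `yggdrasil.yml`, whose hunk is further down) makes the plays self-contained. The `tasks/user.yml` hunk already relies on per-task `become: no` overrides, which only make sense when the play itself escalates, so stating it at play level matches the existing intent.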
@ -2,7 +2,8 @@
|
||||
- hosts: yggdrasil
|
||||
|
||||
vars_files:
|
||||
- secrets.yml
|
||||
- secrets/common.yml
|
||||
- secrets/yggdrasil.yml
|
||||
|
||||
tasks:
|
||||
- import_tasks: tasks/sshd.yml
|
||||
@ -13,7 +14,8 @@
|
||||
- import_tasks: tasks/fail2ban.yml
|
||||
- import_tasks: tasks/systemd-mail.yml
|
||||
- import_tasks: tasks/zfs-scrub.yml
|
||||
- import_tasks: tasks/trim.yml
|
||||
- import_tasks: tasks/zfs-trim.yml
|
||||
- import_tasks: tasks/fstrim.yml
|
||||
- import_tasks: tasks/zfsutils-cron.yml
|
||||
- import_tasks: tasks/ups.yml
|
||||
- import_tasks: tasks/smart.yml
|