Commit a7da5085 authored by nimrod's avatar nimrod

- Removed stunnel, sudo, mail aliases, lock root and ldap login from role....

- Removed stunnel, sudo, mail aliases, lock root and ldap login from role. They're provided by dedicated roles.
parent a6792aa5
......@@ -28,9 +28,6 @@ Role Variables
collectd_riemann_server:
collectd_collectd_server:
collectd_statsd_server:
mail_root_alias:
ldap_login_server:
sudo:
ntp:
unattended_upgrades:
tls_cert: # Filename of the TLS cert for that host.
......
......@@ -14,11 +14,6 @@
name: syslogd
state: restarted
- name: Restart ssh
service:
name: '{{ ssh_daemon[ansible_os_family] }}'
state: restarted
- name: Restart Collectd
service:
name: collectd
......@@ -33,8 +28,3 @@
service:
name: systemd-timesyncd
state: restarted
- name: Restart stunnel
service:
name: '{{ stunnel_service[ansible_os_family] }}'
state: restarted
---
- name: Assert
assert:
that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
- name: apt install
when: ansible_pkg_mgr == 'apt'
apt:
name: bash
state: present
update_cache: yes
cache_valid_time: 3600
- name: pkg install
when: ansible_pkg_mgr == 'openbsd_pkg'
openbsd_pkg:
name: bash
state: present
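Review bot: `update_cache: yes` on L51 is a YAML 1.1 truthy; generic parsers and yamllint's `truthy` rule treat `yes`/`no` differently from the canonical booleans, so write `update_cache: true`. The same applies to `create: yes` in openbsd_bootstrap.yml in this commit. This file is not among the removals the description names, so it appears to be added or reworked here; its leading `Assert` task repeats the one in tasks/main.yml, which presumably runs before any include, so the duplicate could be dropped or a comment could say why it is kept.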
---
- name: Disable root account
user:
name: root
password: '*************'
register: lock_root
changed_when: not (lock_root.stderr is defined and 'no changes' in lock_root.stderr)
- name: Disable root SSH login
lineinfile:
dest: /etc/ssh/sshd_config
line: 'PermitRootLogin no'
regexp: '^PermitRootLogin '
notify:
- Restart ssh
---
- name: Assert
assert:
that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
- name: apt install exim
when: ansible_pkg_mgr == 'apt'
apt:
name: exim4
state: present
update_cache: yes
cache_valid_time: 3600
- name: Set root mail alias
lineinfile:
dest: '{{ aliases_file[ansible_os_family] }}'
line: 'root: {{ mail_root_alias }}'
regexp: '^root:'
register: root_alias
- name: Update SMTPd database
when: ansible_os_family == 'OpenBSD' and root_alias.changed
command: /usr/sbin/makemap /etc/mail/aliases
---
# tasks file for ansible_common
- include: openbsd_bootstrap.yml
when: openbsd_bootstrap is defined
- setup:
when: openbsd_bootstrap is undefined
- name: Assert
assert:
that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
......@@ -35,26 +29,11 @@
- include: collectd_agent.yml
when: (collectd_graphite_server is defined or collectd_riemann_server is defined or collectd_collectd_server is defined or collectd_statsd_server is defined) and not common_role_finished is defined
- include: mail_forward.yml
when: mail_root_alias is defined and not common_role_finished is defined
- include: ldap_login.yml
when: ldap_login_server is defined and not common_role_finished is defined
- include: sudo.yml
when: sudo|default(True) and not common_role_finished is defined
- include: ntp.yml
when: ntp|default(True) and not common_role_finished is defined
- include: unattended_upgrades.yml
when: unattended_upgrades|default(True) and ansible_os_family == 'Debian' and not common_role_finished is defined
- include: lock_root.yml
when: lock_root|default(True) and not common_role_finished is defined
- include: stunnel.yml
when: stunnel|default(True) and not common_role_finished is defined
- set_fact:
common_role_finished: True
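Review bot: The `setup:` task guarded by `openbsd_bootstrap is undefined` and the raw-based bootstrap include above it only make sense if the play runs with fact gathering disabled, but nothing in the file says so; a comment under `# tasks file for ansible_common` such as `# Expects the play to use gather_facts: false; facts are gathered below, or by openbsd_bootstrap.yml once Python is installed.` would save the next reader a trip to the README. The remaining include guards, e.g. `ntp|default(True) and not common_role_finished is defined`, rely on Jinja binding `is defined` tighter than `not`; that is correct but reads as ambiguous, and `common_role_finished is not defined` is the clearer form. The first hunk of this section has no visible header on the page, so where it starts is assumed.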
---
# Bootstrap an OpenBSD machine to be able to run Ansible on it.
- name: Install Python
raw: "PKG_PATH={{ openbsd_pkg_mirror }}/OpenBSD/$(uname -r)/packages/$(arch -s)/ /usr/sbin/pkg_add -I py-pip"
register: openbsd_pkg_add_python
changed_when: "'python' in openbsd_pkg_add_python.stdout"
- name: Symlink python
raw: ln -s /usr/local/bin/python2.7 /usr/bin/python
register: symlink_python
changed_when: not 'File exists' in symlink_python.stdout_lines[0]
failed_when: symlink_python|failed and not 'File exists' in symlink_python.stdout_lines[0]
- name: Gather facts
setup:
- name: Configure pkg
lineinfile:
dest: /etc/pkg.conf
line: 'installpath = {{ openbsd_pkg_mirror }}/OpenBSD/{{ ansible_distribution_release }}/packages/{{ ansible_architecture }}/'
regexp: '^installpath ='
state: present
create: yes
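Review bot: The `changed_when`/`failed_when` on the symlink task (L129-L130) index `symlink_python.stdout_lines[0]`, but a successful `ln -s` prints nothing, so the list is empty and the expression errors on the success path; ln's `File exists` diagnostic also goes to stderr, which `raw` returns separately. Test the stderr stream instead: `changed_when: "'File exists' not in symlink_python.stderr"` and `failed_when: symlink_python.rc != 0 and 'File exists' not in symlink_python.stderr`. Separately, `openbsd_pkg_mirror` is a plain-http URL in vars/main.yml (L210), so the `pkg_add` fetch on L123 presumably rests on pkg_add's own package signature verification; a one-line comment saying so, or an https default for the mirror, would make that explicit.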
---
- assert:
that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
- name: apt install stunnel
when: ansible_pkg_mgr == 'apt'
apt:
name: stunnel4
state: present
update_cache: yes
cache_valid_time: 3600
- name: pkg install stunnel
when: ansible_pkg_mgr == 'openbsd_pkg'
openbsd_pkg:
name: '{{ openbsd_stunnel_version[ansible_distribution_release] }}'
state: present
- name: Configure stunnel
with_dict:
syslog: yes
key: '{{ tls_key_path }}'
cert: '{{ tls_cert_path }}'
CAfile: '{{ ca_store[ansible_os_family] }}'
ciphers: '!kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:AES256+ECDH:AES128:+SHA1'
options: NO_SSLv2
options: NO_SSLv3
lineinfile:
dest: /etc/stunnel/stunnel.conf
line: '{{ item.key }} = {{ item.value }}'
regexp: '^{{ item.key }} ='
state: present
notify:
- Restart stunnel
- name: Allow stunnel to access the TLS key
user:
name: '{{ stunnel_user[ansible_os_family] }}'
groups: ssl-cert
append: yes
state: present
notify:
- Restart stunnel
---
- name: Assert
assert:
that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
- name: Add sudo group
group:
name: sudo
state: present
system: yes
- name: Give sudo group sudo permissions
lineinfile:
dest: '{{ sudoers_location[ansible_os_family] }}'
line: '%sudo ALL=(ALL) NOPASSWD: ALL'
regexp: '^%sudo'
......@@ -15,51 +15,32 @@ backports_repo:
precise: http://archive.ubuntu.com/ubuntu precise-backports main universe multiverse
trusty: http://archive.ubuntu.com/ubuntu trusty-backports main universe multiverse
sudoers_location:
FreeBSD: '/usr/local/etc/sudoers'
Debian: '/etc/sudoers'
OpenBSD: '/etc/sudoers'
openbsd_collectd_version:
'5.5': 'collectd-4.10.2p4'
'5.6': 'collectd-4.10.2p4'
'5.7': 'collectd-5.4.1p1'
'5.8': 'collectd-5.5.0p1'
openbsd_stunnel_version:
'5.5': 'stunnel-4.56'
'5.6': 'stunnel-5.00p0'
'5.7': 'stunnel-5.06'
'5.8': 'stunnel-5.19'
openbsd_pkg_mirror: http://www.mirrorservice.org/pub
ca_store:
OpenBSD: /etc/ssl/cert.pem
Debian: /etc/ssl/certs/ca-certificates.crt
update_ca_certificates:
OpenBSD: /usr/local/sbin/update-ca-certificates
Debian: /usr/sbin/update-ca-certificates
ssh_daemon:
OpenBSD: sshd
Debian: ssh
cert_dir:
OpenBSD: /etc/ssl/certs
Debian: /usr/local/share/ca-certificates
ntpd_conf:
OpenBSD: /etc/ntpd.conf
Debian: /etc/ntp.conf
ntp_pool:
OpenBSD: pool.ntp.org
Debian: debian.pool.ntp.org
ntpd_service:
OpenBSD: ntpd
Debian: ntp
aliases_file:
OpenBSD: /etc/mail/aliases
Debian: /etc/aliases
stunnel_service:
OpenBSD: stunnel
Debian: stunnel4
stunnel_user:
OpenBSD: _stunnel
Debian: stunnel4