Refactor vm-common (old ubuntu_base) role

This commit is contained in:
Sam A. 2024-03-31 19:31:27 +02:00
parent 23735ac517
commit 7476dba0e6
Signed by: samsapti
GPG key ID: CBBBE7371E81C4EA
12 changed files with 102 additions and 69 deletions


@ -2,24 +2,16 @@
# code: language=ansible # code: language=ansible
--- ---
users: users:
- name: graffen - name: ansible
comment: Jesper Hess Nielsen comment: Ansible User
password: '!' password_lock: true
groups: [] groups: []
ssh_keys: [] ssh_keys: []
- name: valberg
comment: Vidir Valberg Gudmundsson
password: $6$qt3G.E.CxhC$OwBDn4rZUbCz06HLEMBHjgvKjxiv/eeerbklTHi.gpHIn1OejzX3k2.0NM0Dforaw6Yn5Y8Cgn8kL2FdbQLZ3/
groups:
- sudo
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUmGeHc6QXDcJHkmVxbTUv04Q3vs20avquoGr6eOkkvYbcgjuFnBOOtvs2Nul1odcvvnHa1nN7DfL8XJamiwsB1B/xe2seaNS1axgwk9XowlVN9pgga8gsC+4gZWBtSObG2GR8n4NtPENzPmW5deNn8dRpTvULPMxZ0VRE9yNQOx8v8w85yYh+vxbbkWGVDYJU23yuJI50U9y6bXxNHinsACDFBeR/giXDlw29TaOaSxz0R6zrRPBoX+V68RyWwBL+KWQKtX2ULtJI40S98Ohd6p41bIxYHCBS/zroqNne8PjYOLcHHsjHUGfTvhcS5a3zdz/iHsvsaOOjFjsydAXH valberg
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4FRrbTpxwGdlF6RVi/thJaMlaEE0Z9YCQA4Y+KnHbBoVWMjzgbIkSWw3MM+E/iiVnix8SFh4tjDSdFjb8lCvHt/PqhMFhZJ02vhVgSwyU+Ji5ur23i202LB9ua54NLN4kNG8K47U0tKi2/EV6LWl2QdRviAcOUctz6u9XDkkMLUgPEYH384XSTRRj4GJ8+0LRzB2rXqetH3gBe9v1vlv0ETYWvzTnpfZUxcrrqEGtXV9Wa0BZoWLos2oKOsYVjNdLZMoFpmyBxPnqzAi1hr7beblFZKqBkvD7XA9RnERbZn1nxkWufVahppPjKQ+se3esWJCp6ri/vNP4WNKY3hiIoekBLbpvGcP1Te7cAIQXiZOilN92NKKYrzN2gAtsxgqGZw7lI1PE71luGdPir2Evl6hPj6/nnNdEHZWgcmBSPy17uCpVvZYBcDDzj8L3hbkLVQ3kcLZTz6I8BXvuGqoeLvRQpBtn5EaLpCCOmXuKqm+dzHzsOIwh+SA5NA8M3P0=
- name: reynir - name: reynir
comment: Reynir Björnsson comment: Reynir Björnsson
password: $6$MiPv.ZFlWnLHGNOb$jdQD9NaPMRUGaP2YHRJNwrMPBGl9qwK0HFhI6x51Xpn7hdzuC4GIwvOw1DJK33sNs/gGP5bWB0izviXkDcq7B0 password: $6$MiPv.ZFlWnLHGNOb$jdQD9NaPMRUGaP2YHRJNwrMPBGl9qwK0HFhI6x51Xpn7hdzuC4GIwvOw1DJK33sNs/gGP5bWB0izviXkDcq7B0
password_lock: false
groups: groups:
- sudo - sudo
ssh_keys: ssh_keys:
@ -29,8 +21,19 @@ users:
- name: samsapti - name: samsapti
comment: Sam Al-Sapti comment: Sam Al-Sapti
password: $6$18dN367fG162hQ9A$Aqkf3O24Ve1btzh1PPOPg3uyydv/AQYUxethcoB4klotebJq3/XsydYT7XBuarxfDccVwyPTMlsP3U8VfQpG60 password: $6$18dN367fG162hQ9A$Aqkf3O24Ve1btzh1PPOPg3uyydv/AQYUxethcoB4klotebJq3/XsydYT7XBuarxfDccVwyPTMlsP3U8VfQpG60
password_lock: false
groups: groups:
- sudo - sudo
ssh_keys: ssh_keys:
- sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFWZGLov8wPBNxuvnaPK+8vv6wK5hHUVEFzXKsN9QeuBAAAADHNzaDpzYW1zYXB0aQ== ssh:samsapti - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFWZGLov8wPBNxuvnaPK+8vv6wK5hHUVEFzXKsN9QeuBAAAADHNzaDpzYW1zYXB0aQ== ssh:samsapti
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf cardno:14 336 332 - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf cardno:14 336 332
- name: valberg
comment: Vidir Valberg Gudmundsson
password: $6$qt3G.E.CxhC$OwBDn4rZUbCz06HLEMBHjgvKjxiv/eeerbklTHi.gpHIn1OejzX3k2.0NM0Dforaw6Yn5Y8Cgn8kL2FdbQLZ3/
password_lock: false
groups:
- sudo
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUmGeHc6QXDcJHkmVxbTUv04Q3vs20avquoGr6eOkkvYbcgjuFnBOOtvs2Nul1odcvvnHa1nN7DfL8XJamiwsB1B/xe2seaNS1axgwk9XowlVN9pgga8gsC+4gZWBtSObG2GR8n4NtPENzPmW5deNn8dRpTvULPMxZ0VRE9yNQOx8v8w85yYh+vxbbkWGVDYJU23yuJI50U9y6bXxNHinsACDFBeR/giXDlw29TaOaSxz0R6zrRPBoX+V68RyWwBL+KWQKtX2ULtJI40S98Ohd6p41bIxYHCBS/zroqNne8PjYOLcHHsjHUGfTvhcS5a3zdz/iHsvsaOOjFjsydAXH valberg
- ssh-rsa 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
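Review bot: The `$6$` SHA-512 crypt hashes for the three sudo-capable accounts (reynir, samsapti, valberg) sit in cleartext in this vars file, so anyone with read access to the repository or its history can brute-force the passwords offline, and these are presumably the passwords that gate `sudo` on every host. Wrap each one as an `!vault` encrypted string (or keep those accounts key-only with `password_lock: true` and handle sudo authentication another way) so the hash never lands in plaintext history. The new `ansible` entry with `password_lock: true` and no `password` key is the right shape for an automation account, and pairs correctly with the `default(omit)` the user task uses.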


@ -1,7 +1,7 @@
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
# code: language=ansible # code: language=ansible
--- ---
ansible_host: 85.209.118.134 ansible_host: 85.209.118.134 # TODO: Change to DNS name
ansible_port: 22 ansible_port: 22
hostname: "{{ inventory_hostname }}" hostname: "{{ inventory_hostname }}"


@ -1,9 +1,10 @@
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
# code: language=ansible # code: language=ansible
--- ---
ansible_host: 85.209.118.134 ansible_host: 85.209.118.134 # TODO: Change to DNS name
ansible_port: 19022 ansible_port: 19022
internal_ipv4: 10.2.1.5
vm_host: cavall vm_host: cavall
vm_type: control vm_type: control


@ -1,11 +1,11 @@
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
# code: language=ansible # code: language=ansible
--- ---
ansible_host: 159.223.17.241 ansible_host: 159.223.17.241 # TODO: Change to DNS name
ansible_port: 22 ansible_port: 22
vm_host: cloud vm_host: cloud
vm_type: app vm_type: uptime
hostname: "{{ inventory_hostname }}" hostname: "{{ inventory_hostname }}"
fqdn: "{{ hostname }}.vm.{{ vm_host }}.servers.data.coop" fqdn: "{{ hostname }}.vm.{{ vm_host }}.servers.data.coop"


@ -1,9 +1,10 @@
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
# code: language=ansible # code: language=ansible
--- ---
ansible_host: 85.209.118.142 ansible_host: 85.209.118.142 # TODO: Change to DNS name
ansible_port: 19022 ansible_port: 19022
internal_ipv4: 10.2.1.2
vm_host: cavall vm_host: cavall
vm_type: app vm_type: app


@ -1,9 +1,10 @@
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
# code: language=ansible # code: language=ansible
--- ---
ansible_host: 85.209.118.143 ansible_host: 85.209.118.143 # TODO: Change to DNS name
ansible_port: 19022 ansible_port: 19022
internal_ipv4: 10.2.1.3
vm_host: cavall vm_host: cavall
vm_type: app vm_type: app


@ -24,14 +24,19 @@
- docker-compose-plugin - docker-compose-plugin
state: present state: present
- name: Create group for Docker socket
ansible.builtin.group:
name: docker
state: present
- name: Configure rootful Docker - name: Configure rootful Docker
when: not docker_rootless when: not docker_rootless
block: block:
- name: Make sure Docker is running - name: Make sure Docker is running
ansible.builtin.service: ansible.builtin.service:
name: docker name: docker
state: started
enabled: true enabled: true
state: started
- name: Configure cron job to prune unused Docker data weekly - name: Configure cron job to prune unused Docker data weekly
ansible.builtin.cron: ansible.builtin.cron:
@ -47,10 +52,10 @@
block: block:
- name: Make sure rootful Docker is stopped and disabled - name: Make sure rootful Docker is stopped and disabled
ansible.builtin.systemd_service: ansible.builtin.systemd_service:
scope: system
name: docker name: docker
state: stopped
enabled: false enabled: false
scope: system
state: stopped
- name: Install packages needed by rootless Docker - name: Install packages needed by rootless Docker
ansible.builtin.apt: ansible.builtin.apt:
@ -62,11 +67,6 @@
- slirp4netns - slirp4netns
state: present state: present
- name: Create group for Docker socket
ansible.builtin.group:
name: docker
state: present
- name: Create user for rootless Docker - name: Create user for rootless Docker
ansible.builtin.user: ansible.builtin.user:
name: "{{ docker_rootless_user }}" name: "{{ docker_rootless_user }}"
@ -97,10 +97,10 @@
- name: Make sure rootless Docker is running - name: Make sure rootless Docker is running
ansible.builtin.systemd_service: ansible.builtin.systemd_service:
scope: user
name: docker.service name: docker.service
state: started
enabled: true enabled: true
scope: user
state: started
become: true become: true
become_user: "{{ docker_rootless_user }}" become_user: "{{ docker_rootless_user }}"
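Review bot: The "Create group for Docker socket" task is now unconditional, and nothing in the hunk records that membership of `docker` is root-equivalent on a rootful host (anyone who can write the daemon socket can start a privileged container); a one-line warning above the task, `# NOTE: members of 'docker' can drive the rootful daemon socket — treat membership like sudo`, would stop someone adding it to a user's `groups` casually, and if the group is only needed for the rootful socket a `when: not docker_rootless` guard would keep it off rootless hosts. Separately, "Make sure Docker is running" still uses `ansible.builtin.service` while its two rootless siblings in this file moved to `ansible.builtin.systemd_service` with an explicit `scope`; aligning it (`ansible.builtin.systemd_service` with `scope: system`) keeps the three service tasks consistent. The rootful block continues past the first hunk boundary, so part of it is outside this view.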


@ -0,0 +1,7 @@
# vim: ft=yaml.ansible
# code: language=ansible
---
- name: Reload firewalld
ansible.builtin.service:
name: firewalld
state: reloaded


@ -1,13 +1,26 @@
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
# code: language=ansible # code: language=ansible
--- ---
- name: Install necessary packages via apt - name: Install system packages
ansible.builtin.apt: ansible.builtin.apt:
name: "{{ packages }}" name:
vars:
packages:
- apparmor - apparmor
- bind-utils
- firewalld
- haveged - haveged
- mosh - htop
- ufw - jq
- lsof
- mtr
- telnet
- vim - vim
state: present
- name: Ensure services are enabled and running
ansible.builtin.service:
name: "{{ item }}"
enabled: true
state: started
loop:
- firewalld
- haveged
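Review bot: `bind-utils` is the Fedora/RHEL package name; on the Debian/Ubuntu hosts this apt task targets (the role is described as the old ubuntu_base) the package is `dnsutils` (newer releases also provide `bind9-dnsutils`), so the whole "Install system packages" task will fail with an unknown-package error before anything else in the role runs. Change the entry to `- dnsutils`. `ufw` was dropped from the list but is not removed; since the previous revision of this role enabled it with a deny policy, an explicit `state: absent` for `ufw` (or a disable task in firewall.yml) is needed so already-provisioned hosts do not keep a second firewall alongside firewalld.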


@ -1,25 +1,23 @@
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
# code: language=ansible # code: language=ansible
--- ---
- name: Setup firewall with UFW - name: Move internal network to zone 'internal'
community.general.ufw: ansible.posix.firewalld:
zone: internal
source: 10.2.1.0/24
permanent: true
state: enabled state: enabled
policy: deny
- name: Allow necessary ports - name: Allow incoming connections to SSH port in zone 'internal'
community.general.ufw: ansible.posix.firewalld:
rule: allow zone: internal
port: "{{ item.port }}" port: "{{ ansible_port }}"
proto: "{{ item.proto | default('tcp') }}" permanent: true
loop: state: enabled
- port: 22 # Gitea SSH
- port: 80 # HTTP # Until control VM is deployed
- port: 443 # HTTPS - name: Allow incoming connections to SSH port in default zone
- port: 389 # OpenLDAP ansible.posix.firewalld:
- port: 636 # OpenLDAP port: "{{ ansible_port }}"
- port: 25 # Email permanent: true
- port: 465 # Email state: enabled
- port: 587 # Email
- port: 993 # Email
- port: 19022 # SSH
when: hostname in groups['virtual']
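Review bot: The old version of this file enabled ufw with a default-deny policy, but the new tasks never disable it, so any host provisioned before this commit will run ufw's rules and firewalld's rules at the same time and the effective policy depends on how the two rule sets happen to be ordered. Firewalld's stock default zone (`public`) also allows the `ssh` service on port 22 and `dhcpv6-client` out of the box, so the "default zone" task adds `ansible_port` while 22 stays reachable; if sshd listens only on 19022 that is defense-in-depth, but it should be explicit either way. Also worth noting that the HTTP/LDAP/mail ports the old task opened are not opened anywhere in this hunk; unless Docker's own firewalld integration handles them, this commit closes them on the app hosts. The two added tasks below, placed before the zone rules, address the first two points.

```yaml
- name: Disable UFW (superseded by firewalld)
  community.general.ufw:
    state: disabled

- name: Remove stock 'ssh' service (port 22) from default zone
  ansible.posix.firewalld:
    service: ssh
    permanent: true
    state: disabled

# … unchanged: zone 'internal' source and SSH port rules …
```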


@ -1,11 +1,18 @@
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
# code: language=ansible # code: language=ansible
--- ---
- ansible.builtin.import_tasks: base.yml - name: Base configuration
tags: [install-base-packages] ansible.builtin.import_tasks: base.yml
tags:
- install-base-packages
- ansible.builtin.import_tasks: users.yml - name: User configuration
tags: [setup-users] ansible.builtin.import_tasks: users.yml
tags:
- setup-users
- ansible.builtin.import_tasks: firewall.yml - name: Firewall configuration
tags: [setup-firewall] ansible.builtin.import_tasks: firewall.yml
notify: Reload firewalld
tags:
- setup-firewall


@ -1,25 +1,27 @@
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
# code: language=ansible # code: language=ansible
--- ---
- name: "Add users" - name: Add users
user: ansible.builtin.user:
name: "{{ item.name }}" name: "{{ item.name }}"
comment: "{{ item.comment }}" comment: "{{ item.comment }}"
password: "{{ item.password }}" password: "{{ item.password | default(omit) }}"
password_lock: "{{ item.password_lock }}"
groups: "{{ item.groups }}" groups: "{{ item.groups }}"
update_password: always update_password: always
shell: /bin/bash shell: /bin/bash
loop: "{{ users | default([]) }}" loop: "{{ users }}"
no_log: true
- name: "Add ssh authorized_keys" - name: Add SSH keys to users
ansible.posix.authorized_key: ansible.posix.authorized_key:
user: "{{ item.name }}" user: "{{ item.name }}"
key: "{{ item.ssh_keys | join('\n') }}" key: "{{ item.ssh_keys | join('\n') }}"
exclusive: true exclusive: true
loop: "{{ users | default([]) }}" loop: "{{ users }}"
- name: "Add ssh authorized_keys to root user" - name: Add SSH keys to Ansible user
ansible.posix.authorized_key: ansible.posix.authorized_key:
user: "root" user: ansible
key: "{{ users | default([]) | map(attribute='ssh_keys') | flatten | join('\n') }}" key: "{{ users | map(attribute='ssh_keys') | flatten | join('\n') }}"
exclusive: true exclusive: true
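Review bot: The `ansible` account is itself an entry in `users` with `ssh_keys: []`, so "Add SSH keys to users" runs for it with an empty `key` and `exclusive: true`, which (if the module accepts an empty key, as its line-splitting suggests) wipes the automation user's authorized_keys before the next task repopulates them; a play that aborts between the two tasks leaves every host unreachable for Ansible. Excluding it from the first loop, `loop: "{{ users | rejectattr('name', 'equalto', 'ansible') }}"`, removes the window. The dropped root task also means root's authorized_keys, which the old role managed exclusively, are no longer touched, so keys already deployed there stay valid on existing hosts; a cleanup task is needed if root logins are meant to go away. The `password_lock: "{{ item.password_lock }}"` line will fail for any per-host `users` override that omits the key, so `default(omit)` would be safer.

```yaml
- name: Remove all SSH keys from root (access now goes through the ansible user)
  ansible.posix.authorized_key:
    user: root
    key: ""
    exclusive: true

# … unchanged: Add users / Add SSH keys to users / Add SSH keys to Ansible user …
```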