Víðir Valberg Guðmundsson 253a21432e Add ssl_certs_enabled variable and use it to avoid ssl certs when running on vagrant 2022-11-15 22:06:53 +00:00
Sam A. a6cb0a8e65 Remove state: latest 2022-11-15 22:06:53 +00:00
Sam A. c676d69fc0 Naming changes 2022-11-15 22:06:53 +00:00
Sam A. c74cc4413a Simplify config and rename some files 2022-11-15 22:06:53 +00:00
Sam A. 50fa65d55e Don't use local config for Docker registry login
It doesn't work when deploying in Vagrant :(
2022-11-15 22:06:53 +00:00
Sam A. eeecfca7ef Vagrant: Use same Ubuntu version as in production 2022-11-15 22:06:53 +00:00
Sam A. 1744cf7585 Fix SSH port logic again 2022-11-15 22:06:53 +00:00
Sam A. b310e191f8 Some Vagrant fixes
Only install Dell OpenManage if not running in a VM, and fix SSH port
logic.
2022-11-15 22:06:53 +00:00
Sam A. b56690a33e Make Ansible setup testable in Vagrant
Added logic to change the sshd port if not already configured,
configured Vagrantfile to work properly and fixed a couple of deploy
errors.
2022-11-15 22:06:53 +00:00
Sam A. 52ead4fee5
Remove volume_root_folder from vars.yml
It is defined later in the docker role already.
2022-11-15 20:52:38 +01:00
Sam A. ba44677cf3
Avoid conflicts with built-in function name keys 2022-11-15 20:28:34 +01:00
Sam A. fc0c0c5036
Always update password and overwrite keys 2022-11-15 19:57:17 +01:00
12 changed files with 88 additions and 50 deletions

Vagrantfile vendored

@ -1,25 +1,18 @@
Vagrant.require_version ">= 1.7.0" Vagrant.require_version ">= 1.7.0"
Vagrant.configure(2) do |config| Vagrant.configure(2) do |config|
config.vm.network "forwarded_port", guest: 19022, host: 19022, id: "new_ssh"
config.vm.define "datacoop" do |datacoop| config.vm.define "datacoop" do |datacoop|
datacoop.vm.box = "ubuntu/bionic64" datacoop.vm.box = "ubuntu/focal64"
datacoop.vm.hostname = "datacoop" datacoop.vm.hostname = "datacoop"
datacoop.vm.provider "virtualbox" do |v| datacoop.vm.provider "virtualbox" do |v|
v.memory = 4096 v.memory = 4096
end end
datacoop.vm.network "private_network", ip: "192.168.0.42"
datacoop.vm.provision "ansible" do |ansible| datacoop.vm.provision "ansible" do |ansible|
ansible.verbose = "v"
ansible.compatibility_mode = "2.0" ansible.compatibility_mode = "2.0"
ansible.playbook = "playbook.yml" ansible.playbook = "playbook.yml"
ansible.ask_vault_pass = true ansible.ask_vault_pass = true
ansible.host_vars = { ansible.verbose = "v"
"datacoop" => {"ansible_python_interpreter" => "/usr/bin/python3.6"}
}
ansible.groups = {
"all" => ["datacoop"]
}
end end
end end
end end
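Review bot: The new `forwarded_port` entry has no `host_ip`, and Vagrant binds a forwarded port to every host interface when `host_ip` is omitted, so the guest's sshd on 19022 (with the real user hashes and keys from vars.yml) becomes reachable from the host's network rather than only locally. Pin it to loopback: `config.vm.network "forwarded_port", guest: 19022, host: 19022, host_ip: "127.0.0.1", id: "new_ssh"`. Vagrant's own SSH forward (2222 to guest port 22) is untouched, so once the playbook moves sshd to 19022 a later `vagrant provision` presumably cannot reach the guest unless `config.ssh.guest_port` is adjusted; a comment next to the port line stating which port is used at which stage would help whoever hits that.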


@ -4,14 +4,14 @@ users:
comment: Jesper Hess Nielsen comment: Jesper Hess Nielsen
password: '!' password: '!'
groups: [] groups: []
keys: [] ssh_keys: []
- name: valberg - name: valberg
comment: Vidir Valberg Gudmundsson comment: Vidir Valberg Gudmundsson
password: $6$qt3G.E.CxhC$OwBDn4rZUbCz06HLEMBHjgvKjxiv/eeerbklTHi.gpHIn1OejzX3k2.0NM0Dforaw6Yn5Y8Cgn8kL2FdbQLZ3/ password: $6$qt3G.E.CxhC$OwBDn4rZUbCz06HLEMBHjgvKjxiv/eeerbklTHi.gpHIn1OejzX3k2.0NM0Dforaw6Yn5Y8Cgn8kL2FdbQLZ3/
groups: groups:
- sudo - sudo
keys: ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUmGeHc6QXDcJHkmVxbTUv04Q3vs20avquoGr6eOkkvYbcgjuFnBOOtvs2Nul1odcvvnHa1nN7DfL8XJamiwsB1B/xe2seaNS1axgwk9XowlVN9pgga8gsC+4gZWBtSObG2GR8n4NtPENzPmW5deNn8dRpTvULPMxZ0VRE9yNQOx8v8w85yYh+vxbbkWGVDYJU23yuJI50U9y6bXxNHinsACDFBeR/giXDlw29TaOaSxz0R6zrRPBoX+V68RyWwBL+KWQKtX2ULtJI40S98Ohd6p41bIxYHCBS/zroqNne8PjYOLcHHsjHUGfTvhcS5a3zdz/iHsvsaOOjFjsydAXH valberg - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUmGeHc6QXDcJHkmVxbTUv04Q3vs20avquoGr6eOkkvYbcgjuFnBOOtvs2Nul1odcvvnHa1nN7DfL8XJamiwsB1B/xe2seaNS1axgwk9XowlVN9pgga8gsC+4gZWBtSObG2GR8n4NtPENzPmW5deNn8dRpTvULPMxZ0VRE9yNQOx8v8w85yYh+vxbbkWGVDYJU23yuJI50U9y6bXxNHinsACDFBeR/giXDlw29TaOaSxz0R6zrRPBoX+V68RyWwBL+KWQKtX2ULtJI40S98Ohd6p41bIxYHCBS/zroqNne8PjYOLcHHsjHUGfTvhcS5a3zdz/iHsvsaOOjFjsydAXH valberg
- name: reynir - name: reynir
@ -19,7 +19,7 @@ users:
password: $6$MiPv.ZFlWnLHGNOb$jdQD9NaPMRUGaP2YHRJNwrMPBGl9qwK0HFhI6x51Xpn7hdzuC4GIwvOw1DJK33sNs/gGP5bWB0izviXkDcq7B0 password: $6$MiPv.ZFlWnLHGNOb$jdQD9NaPMRUGaP2YHRJNwrMPBGl9qwK0HFhI6x51Xpn7hdzuC4GIwvOw1DJK33sNs/gGP5bWB0izviXkDcq7B0
groups: groups:
- sudo - sudo
keys: ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDJl8/rikIUnqr9fPF3rE0rjWHCNzte10LvkjGmpdO9ka/NubQ7O25fp08rC+n0d1pUooYwHBAgiv9Hsql6HF9QfNKNUp7IKp7CXWcjb4ga02kuzWGSXjm40Vf0jSadIrJ33M4SeJHTByDGoeYPQBQ7n+qHdwcqJADBQygBuc5sRzxm8i0sbmzF3DJDDVeTJjEY5pfR4vnJlpmU8SC2d1ZkhCjmKCsL0PShntTIt1ztCt0yO71KoHKaNPu1jutGxcU9u7J1pEqcPT6EzU/cQJ4DMVzrGp26nIV0msRl3NeGNjukwXOzAh6KmsmXG7yWFyQmLRqgc/bjUeyhuWJ10vwUbaYVeIef7YrgEOgnkYLIFeWRMhdnwtL/W8g1D66SFx7+iYJj180eTi8Lc8rZm2NaiGynvWlFcJ4PGdTYZsWcFzQ+SaDziNMw1H3IixxdlD8Shw9mxpijJ+A4dH2kkUXyGVsc13zRIU7hq9ax8nrw6HVLGFLn09rEPig+SkyWrqRpRGMBWyqTRJywIV6jk0ll+i8rJZA2McY0rABbACrzXT5VBj5dLKnnRITLDicAYgt7YuEiQ0ffErQrPXXHUVeI0QKnJgplSHxH5QsX9a1Y+NoaoditdMT2bjvEqROi+/JYRycLR/BQV/d2nFPhqwq1x1AFvL4f8UvVH/hxp3PXWw== reynir yubikey - ssh-rsa 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 reynir yubikey
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR8t/wNRp7Dt3wr9uZKVTofTDVYrcoQNru5ETxL+37t reynir@spurv - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR8t/wNRp7Dt3wr9uZKVTofTDVYrcoQNru5ETxL+37t reynir@spurv
@ -28,7 +28,5 @@ users:
password: $6$18dN367fG162hQ9A$Aqkf3O24Ve1btzh1PPOPg3uyydv/AQYUxethcoB4klotebJq3/XsydYT7XBuarxfDccVwyPTMlsP3U8VfQpG60 password: $6$18dN367fG162hQ9A$Aqkf3O24Ve1btzh1PPOPg3uyydv/AQYUxethcoB4klotebJq3/XsydYT7XBuarxfDccVwyPTMlsP3U8VfQpG60
groups: groups:
- sudo - sudo
keys: ssh_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf samsapti - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf samsapti
volume_root_folder: "/docker-volumes"


@ -1,19 +1,22 @@
--- ---
- hosts: all - hosts: all
gather_facts: False gather_facts: true
become: true become: true
vars: vars:
base_domain: data.coop base_domain: data.coop
letsencrypt_email: admin@data.coop letsencrypt_email: admin@data.coop
ldap_dn: "dc=data,dc=coop" ldap_dn: "dc=data,dc=coop"
vagrant: "{{ ansible_virtualization_role == 'guest' }}"
ssl_certs_enabled: "{{ vagrant == false }}"
services: services:
- nginx-proxy - nginx-proxy
- postfix
- openldap - openldap
- nextcloud - nextcloud
- passit - passit
- gitea - gitea
- postfix
- matrix_riot - matrix_riot
- privatebin - privatebin
- codimd - codimd
@ -36,6 +39,6 @@
- import_role: - import_role:
name: ubuntu_base name: ubuntu_base
tags: tags:
- base_only - base_only
- import_role: - import_role:
name: docker name: docker
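Review bot: `vagrant: "{{ ansible_virtualization_role == 'guest' }}"` treats any virtualised host as the Vagrant test box, and `ssl_certs_enabled` is derived from it, so running this playbook against a production host that happens to be a VM would silently skip the Let's Encrypt hard links and the companion container. Make the flag explicit instead of inferred: `vagrant: false` here, `ansible.extra_vars = { "vagrant" => true }` in the Vagrantfile, and `ssl_certs_enabled: "{{ not vagrant }}"` rather than comparing against the literal `false`. The same fact-based test is repeated in base.yml (`ansible_virtualization_role != "guest"`), so one explicit variable also removes that duplication.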


@ -28,9 +28,8 @@
args: args:
creates: "{{ docker_registry.volume_folder }}/auth/htpasswd" creates: "{{ docker_registry.volume_folder }}/auth/htpasswd"
- name: log in to local registry - name: log in to registry
docker_login: docker_login:
registry: "{{ docker_registry.domain }}" registry: "{{ docker_registry.domain }}"
username: "docker" username: "docker"
password: "{{ docker_password }}" password: "{{ docker_password }}"
config_path: "{{ docker_registry.volume_folder }}/auth/config.json"
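Review bot: Dropping `config_path` means `docker_login` now writes the registry credential to the default `~/.docker/config.json` of the account the task runs as — root, given `become: true` in the playbook — and Docker keeps it there base64-encoded rather than encrypted unless a credential helper is configured; nothing in the task records that this is intended. Add a comment above the task, e.g. `# No config_path: credential lands in root's ~/.docker/config.json (the volume path broke under Vagrant); it is only base64-encoded there.` If the previous location was chosen to keep the secret out of root's home, a `config_path` that also works in Vagrant would be the safer fix. The task list continues on both sides of this hunk.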


@ -28,7 +28,7 @@
dest: "{{ mailu.volume_folder }}/certs/cert.pem" dest: "{{ mailu.volume_folder }}/certs/cert.pem"
state: hard state: hard
force: yes force: yes
when: ssl_certs_enabled
- name: hard link to Let's Encrypt TLS key - name: hard link to Let's Encrypt TLS key
file: file:
@ -36,6 +36,7 @@
dest: "{{ mailu.volume_folder }}/certs/key.pem" dest: "{{ mailu.volume_folder }}/certs/key.pem"
state: hard state: hard
force: yes force: yes
when: ssl_certs_enabled
- name: run mail server containers - name: run mail server containers
docker_compose: docker_compose:


@ -44,4 +44,5 @@
- /var/run/docker.sock:/var/run/docker.sock:ro - /var/run/docker.sock:/var/run/docker.sock:ro
env: env:
NGINX_PROXY_CONTAINER: nginx-proxy NGINX_PROXY_CONTAINER: nginx-proxy
when: ssl_certs_enabled


@ -0,0 +1,5 @@
---
- name: Restart sshd
service:
name: sshd
state: restarted


@ -4,12 +4,16 @@
name: "{{ packages }}" name: "{{ packages }}"
vars: vars:
packages: packages:
- aptitude - aptitude
- python3-pip - python3-pip
- apparmor - apparmor
- haveged - haveged
- mosh - mosh
- srvadmin-all # Dell OpenManage
- name: Install Dell OpenManage
apt:
name: srvadmin-all
when: ansible_virtualization_role != "guest"
- name: Install necessary packages via pip - name: Install necessary packages via pip
pip: pip:
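Review bot: The new `Install Dell OpenManage` task gates on `ansible_virtualization_role != "guest"` while the matching repo import in main.yml gates on `vagrant == false`; the two derive from the same fact today, but if one is changed (e.g. `vagrant` set explicitly from the Vagrantfile) the package install can run without the repo being configured and `apt` will fail on an unknown package. Use the one variable in both places: `when: not vagrant`. The `Install necessary packages via pip` task continues past the end of this hunk.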


@ -1,15 +1,15 @@
--- ---
- name: import dell apt signing key - name: Import dell apt signing key
apt_key: apt_key:
id: "1285491434D8786F" id: "1285491434D8786F"
keyserver: "keyserver.ubuntu.com" keyserver: "keyserver.ubuntu.com"
- name: "configure dell apt repo" - name: Configure dell apt repo
apt_repository: apt_repository:
repo: "deb https://linux.dell.com/repo/community/openmanage/10101/focal focal main" repo: "deb https://linux.dell.com/repo/community/openmanage/10101/focal focal main"
state: "present" state: present
- name: "restrict dell apt repo" - name: Restrict dell apt repo"
copy: copy:
dest: "/etc/apt/preferences.d/dell" dest: "/etc/apt/preferences.d/dell"
content: | content: |
@ -17,7 +17,3 @@
Package: * Package: *
Pin: origin "linux.dell.com" Pin: origin "linux.dell.com"
Pin-Priority: 400 Pin-Priority: 400
- name: update apt cache
apt:
update_cache: yes
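Review bot: `- name: Restrict dell apt repo"` picks up a stray trailing `"` in this commit — harmless to the YAML but it appears in every play output; drop it. Separately, the repo key is still imported from `keyserver.ubuntu.com` by a 16-hex-digit key id, and as far as the module checks, only that id is verified; pin the full 40-hex-digit fingerprint in `id:` (or fetch the key over HTTPS from Dell with `url:`) so a substituted key on the keyserver is rejected. Removing the explicit `update apt cache` task is fine, since `apt_repository` updates the cache by default.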


@ -1,10 +1,12 @@
--- ---
- import_tasks: custom-apt-repos.yml - import_tasks: ssh-port.yml
tags: [setup-custom-apt] tags: [change-ssh-port]
- import_tasks: dell-apt-repo.yml
tags: [setup-dell-apt-repo]
when: vagrant == false
- import_tasks: upgrade.yml - import_tasks: upgrade.yml
tags: [do-full-system-upgrade] tags: [do-full-system-upgrade]
- import_tasks: base.yml - import_tasks: base.yml
tags: [install-base-packages] tags: [install-base-packages]
- import_tasks: users.yml - import_tasks: users.yml
tags: [setup-users] tags: [setup-users]
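Review bot: `when: vagrant == false` on the Dell repo import compares against a literal; the Ansible-idiomatic form is `when: not vagrant`, which also behaves correctly if `vagrant` is ever templated to a string. The `ssh-port.yml` import carries no `when`, so the port move applies to every host including the Vagrant box — consistent with the forwarded port added to the Vagrantfile, but a one-line comment above the import (`# Moves sshd to 19022 on all hosts; the Vagrantfile forwards 19022 for this`) would save the next reader from checking.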


@ -0,0 +1,38 @@
---
- name: Check if SSH port is already configured
wait_for:
port: 19022
host: "{{ ansible_host }}"
search_regex: "OpenSSH"
connect_timeout: 5
timeout: 10
become: false
delegate_to: localhost
ignore_errors: true
register: ssh_configured
# If we're running in Vagrant, ansible_port is 2222
- name: Change Ansible port to 22 if needed
set_fact:
ansible_port: 22
when: ssh_configured is defined and
ssh_configured.state is undefined and
ansible_port != 2222
- name: Change SSH port on host
lineinfile:
dest: "/etc/ssh/sshd_config"
regexp: "^#?Port"
line: "Port 19022"
register: ssh_changed
notify: "Restart sshd"
when: ssh_configured is defined and
ssh_configured.state is undefined
- name: Ensure sshd is reloaded if needed
meta: flush_handlers
- name: Change Ansible port to 19022
set_fact:
ansible_port: 19022
when: ssh_changed is defined
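Review bot: The `lineinfile` edit of `/etc/ssh/sshd_config` has no `validate`, and the notified handler restarts sshd, so a bad edit would restart sshd into a failed state and lock the host out of what is presumably its only access path; add `validate: "/usr/sbin/sshd -t -f %s"` to that task. The final `when: ssh_changed is defined` is always true because `register` stores a result even when the task is skipped; it happens to do the right thing when the port was already 19022, but a comment saying why the fact is set unconditionally (or `when: ssh_changed is changed`) would state the intent. Focal's sshd_config also starts with `Include /etc/ssh/sshd_config.d/*.conf`, and a `Port` in a drop-in takes precedence over the edited line, so the `^#?Port` regexp is enough only while no drop-in sets it.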


@ -4,22 +4,20 @@
name: "{{ item.name }}" name: "{{ item.name }}"
comment: "{{ item.comment }}" comment: "{{ item.comment }}"
password: "{{ item.password }}" password: "{{ item.password }}"
update_password: "on_create" groups: "{{ item.groups }}"
groups: "{{ item.groups }}" update_password: "always"
loop: "{{ users | default([]) }}" loop: "{{ users | default([]) }}"
- name: "Add ssh authorized_keys" - name: "Add ssh authorized_keys"
authorized_key: authorized_key:
user: "{{ item.0.name }}" user: "{{ item.name }}"
key: "{{ item.1 }}" key: "{{ item.ssh_keys | join('\n') }}"
with_subelements: exclusive: true
- "{{ users | default([]) }}" loop: "{{ users | default([]) }}"
- keys
- name: "Add ssh authorized_keys to root user" - name: "Add ssh authorized_keys to root user"
authorized_key: authorized_key:
user: "root" user: "root"
key: "{{ item.1 }}" key: "{{ item.ssh_keys | join('\n') }}"
with_subelements: exclusive: true
- "{{ users | default([]) }}" loop: "{{ users | default([]) }}"
- keys
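Review bot: `exclusive: true` is not loop-aware — the `authorized_key` docs state it applies per iteration — so the root task now rewrites root's `authorized_keys` once per user and only the last user's keys (samsapti, going by vars.yml) survive; every other sudo user loses root key access on each run. Build one key string and drop the loop on that task: `key: "{{ users | default([]) | map(attribute='ssh_keys') | flatten | join('\n') }}"` with no `loop:` (the per-user task is fine as written). A user with `ssh_keys: []` (hess) now produces an empty `key:` with `exclusive: true`; if that is meant to strip that account's keys, say so in a comment, otherwise guard with `when: item.ssh_keys`. The `user` task that sets `update_password: "always"` starts before this hunk.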