initial commit

author: Emil Renner Berthing <esmil@labitat.dk> 2017-11-07 16:27:49 +0100
committer: Emil Renner Berthing <esmil@labitat.dk> 2017-11-12 14:56:32 +0100
commit: e8cdba85c48dcbbd42e6fcb5be3aa2912008cb84 (patch)
tree: 41ba5163cf6f110521f2ebc9035f77d2754796a0 /roles/space_server/tasks
download: labitat-ansible-e8cdba85c48dcbbd42e6fcb5be3aa2912008cb84.tar.gz
labitat-ansible-e8cdba85c48dcbbd42e6fcb5be3aa2912008cb84.tar.xz
labitat-ansible-e8cdba85c48dcbbd42e6fcb5be3aa2912008cb84.zip
16 files changed, 645 insertions, 0 deletions
diff --git a/roles/space_server/tasks/ansible.yml b/roles/space_server/tasks/ansible.yml
new file mode 100644
index 0000000..5dc74e2
--- /dev/null
+++ b/roles/space_server/tasks/ansible.yml
@@ -0,0 +1,30 @@
+---
+- name: Create /etc/ansible/hosts
+  copy:
+    src: ansible/hosts
+    dest: '/etc/ansible/hosts'
+
+- name: Configure ansible
+  ini_file:
+    path: /etc/ansible/ansible.cfg
+    section: '{{ item.section }}'
+    option: '{{ item.option }}'
+    value: '{{ item.value }}'
+  with_items:
+    - section: defaults
+      option: 'gathering'
+      value: 'smart'
+    - section: defaults
+      option: 'fact_caching'
+      value: 'jsonfile'
+    - section: defaults
+      option: 'fact_caching_connection'
+      value: '/tmp/ansible'
+    - section: defaults
+      option: 'fact_caching_timeout'
+      value: '600'
+    - section: defaults
+      option: 'error_on_missing_handler'
+      value: 'True'
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/bird.yml b/roles/space_server/tasks/bird.yml
new file mode 100644
index 0000000..17f0a99
--- /dev/null
+++ b/roles/space_server/tasks/bird.yml
@@ -0,0 +1,68 @@
+---
+- name: Install bird and bird6 packages
+  dnf:
+    name: '{{ item }}'
+    state: latest
+  with_items:
+    - bird
+    - bird6
+  notify:
+    - restart bird
+  tags:
+    - packages
+
+- name: Make sure /etc/bird exists
+  file:
+    dest: '/etc/bird'
+    state: directory
+    mode: 0755
+- name: Create bird configuration
+  copy:
+    src: '{{ item }}'
+    dest: '/etc/bird/'
+  with_fileglob:
+    - 'bird/*'
+  notify:
+    - restart bird
+
+- name: Create bird.conf and bird6.conf symlinks
+  file:
+    path: '/etc/{{ item }}.conf'
+    state: link
+    src: 'bird/{{ item }}.conf'
+    force: yes
+  with_items:
+    - bird
+    - bird6
+
+# bird6 wants the link to have a link-local address
+# when starting, so wait for it
+- name: Create bird6 service drop-in directory
+  file:
+    dest: '/etc/systemd/system/bird6.service.d'
+    state: directory
+- name: Start bird6 after networks are configured
+  copy:
+    src: wait-online.conf
+    dest: '/etc/systemd/system/bird6.service.d/wait-online.conf'
+
+- name: Enable bird and bird6
+  systemd:
+    name: '{{ item }}.service'
+    enabled: yes
+    masked: no
+    state: started
+  with_items:
+    - bird
+    - bird6
+  when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+  command: 'systemctl enable {{ item }}.service'
+  args:
+    creates: '/etc/systemd/system/multi-user.target.wants/{{ item }}.service'
+  with_items:
+    - bird
+    - bird6
+  when: "'container' in ansible_env"
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/blackhole.yml b/roles/space_server/tasks/blackhole.yml
new file mode 100644
index 0000000..b62a7ca
--- /dev/null
+++ b/roles/space_server/tasks/blackhole.yml
@@ -0,0 +1,32 @@
+---
+- name: Create /etc/systemd/scripts
+  file:
+    dest: /etc/systemd/scripts
+    state: directory
+- name: Install blackhole script
+  copy:
+    src: blackhole/blackhole.sh
+    dest: '/etc/systemd/scripts/blackhole.sh'
+    mode: 0755
+  notify:
+    - restart blackhole
+
+- name: Install blackhole service
+  copy:
+    src: blackhole/blackhole.service
+    dest: '/etc/systemd/system/blackhole.service'
+
+- name: Enable blackhole service
+  systemd:
+    name: blackhole.service
+    enabled: yes
+    masked: no
+    state: started
+  when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+  command: systemctl enable blackhole.service
+  args:
+    creates: '/etc/systemd/system/multi-user.target.wants/blackhole.service'
+  when: "'container' in ansible_env"
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/dhcpd.yml b/roles/space_server/tasks/dhcpd.yml
new file mode 100644
index 0000000..c72fa75
--- /dev/null
+++ b/roles/space_server/tasks/dhcpd.yml
@@ -0,0 +1,31 @@
+---
+- name: Install dhcpd package
+  dnf:
+    name: dhcp-server
+    state: latest
+  notify:
+    - restart dhcpd
+  tags:
+    - packages
+
+- name: Configure dhcpd
+  copy:
+    src: dhcpd/dhcpd.conf
+    dest: '/etc/dhcp/dhcpd.conf'
+  notify:
+    - restart dhcpd
+
+- name: Enable dhcpd service
+  systemd:
+    name: dhcpd.service
+    enabled: yes
+    masked: no
+    state: started
+  when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+  command: systemctl enable dhcpd.service
+  args:
+    creates: '/etc/systemd/system/multi-user.target.wants/dhcpd.service'
+  when: "'container' in ansible_env"
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/gettys.yml b/roles/space_server/tasks/gettys.yml
new file mode 100644
index 0000000..bdf293a
--- /dev/null
+++ b/roles/space_server/tasks/gettys.yml
@@ -0,0 +1,25 @@
+---
+- name: Disable getty@tty1
+  systemd:
+    name: getty@tty1.service
+    enabled: no
+    state: stopped
+  when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+  command: systemctl disable getty@tty1.service
+  args:
+    removes: '/etc/systemd/system/getty.target.wants/getty@tty1.service'
+  when: "'container' in ansible_env"
+
+- name: Enable serial-getty@ttyS0
+  systemd:
+    name: serial-getty@ttyS0.service
+    enabled: yes
+  when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+  command: systemctl enable serial-getty@ttyS0.service
+  args:
+    creates: '/etc/systemd/system/getty.target.wants/serial-getty@ttyS0.service'
+  when: "'container' in ansible_env"
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/kernel.yml b/roles/space_server/tasks/kernel.yml
new file mode 100644
index 0000000..02e115c
--- /dev/null
+++ b/roles/space_server/tasks/kernel.yml
@@ -0,0 +1,42 @@
+---
+- name: Make sure /etc/kernel exists
+  file:
+    path: '/etc/kernel'
+    state: directory
+    mode: 0755
+- name: Make sure /etc/kernel/install.d exists
+  file:
+    path: '/etc/kernel/install.d'
+    state: directory
+    mode: 0755
+
+- name: Mask grubby
+  file:
+    path: '/etc/kernel/install.d/20-grubby.install'
+    state: link
+    src: '/dev/null'
+
+- name: Create syslinux loader entry
+  copy:
+    src: kernel/90-loaderentry.install
+    dest: '/etc/kernel/install.d/90-loaderentry.install'
+    mode: 0755
+- name: Create syslinux menu
+  copy:
+    src: kernel/95-syslinux-menu.install
+    dest: '/etc/kernel/install.d/95-syslinux-menu.install'
+    mode: 0755
+
+- name: Set kernel command line
+  template:
+    src: cmdline.j2
+    dest: '/etc/kernel/cmdline'
+
+- name: Install kernel
+  dnf:
+    name: kernel
+    state: latest
+  tags:
+    - packages
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/main.yml b/roles/space_server/tasks/main.yml
new file mode 100644
index 0000000..98a0764
--- /dev/null
+++ b/roles/space_server/tasks/main.yml
@@ -0,0 +1,41 @@
+---
+- name: fstab
+  template:
+    src: fstab.j2
+    dest: /etc/fstab
+  tags:
+    - fstab
+
+- import_tasks: ansible.yml
+  tags: ansible
+- import_tasks: sudo.yml
+  tags: sudo
+- import_tasks: kernel.yml
+  tags: kernel
+- import_tasks: gettys.yml
+  tags: gettys
+- import_tasks: timesyncd.yml
+  tags: timesyncd
+- import_tasks: resolved.yml
+  tags: resolved
+- import_tasks: networkd.yml
+  tags: networkd
+- import_tasks: nftables.yml
+  tags: nftables
+- import_tasks: blackhole.yml
+  tags: blackhole
+- import_tasks: sshd.yml
+  tags: sshd
+- import_tasks: bird.yml
+  tags: bird
+- import_tasks: dhcpd.yml
+  tags: dhcpd
+- import_tasks: radvd.yml
+  tags: radvd
+- import_tasks: radius.yml
+  tags: radius
+  when: radius_passwords is defined
+- import_tasks: named.yml
+  tags: named
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/named.yml b/roles/space_server/tasks/named.yml
new file mode 100644
index 0000000..d295058
--- /dev/null
+++ b/roles/space_server/tasks/named.yml
@@ -0,0 +1,52 @@
+---
+- name: Install bind package
+  dnf:
+    name: bind
+    state: latest
+  notify:
+    - restart named
+  tags:
+    - packages
+
+- name: Configure named
+  copy:
+    src: named/named.conf
+    dest: '/etc/named.conf'
+    mode: 0640
+  notify:
+    - restart named
+- name: Create s zone
+  copy:
+    src: named/s.zone
+    dest: '/etc/named/s.zone'
+  notify:
+    - restart named
+
+- name: Create service drop-in directory
+  file:
+    dest: '/etc/systemd/system/named.service.d'
+    state: directory
+- name: Start named after networks are configured
+  copy:
+    src: wait-online.conf
+    dest: '/etc/systemd/system/named.service.d/wait-online.conf'
+
+- name: Enable named service
+  systemd:
+    name: named.service
+    enabled: yes
+    masked: no
+    state: started
+  when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+  command: systemctl enable named.service
+  args:
+    creates: '/etc/systemd/system/multi-user.target.wants/named.service'
+  when: "'container' in ansible_env"
+
+- name: Use our own resolver
+  copy:
+    dest: /etc/resolv.conf
+    content: "nameserver 127.0.0.1\nnameserver ::1\n"
+
+# vim: set ts=2 sw=2 et ft=yaml:
diff --git a/roles/space_server/tasks/networkd.yml b/roles/space_server/tasks/networkd.yml
new file mode 100644
index 0000000..ef97844
--- /dev/null
+++ b/roles/space_server/tasks/networkd.yml
@@ -0,0 +1,48 @@
+---
+- name: Make sure directory exists
+  file:
+    dest: '/etc/systemd/network'
+    state: directory
+- name: Get current network config
+  shell: 'ls -1 /etc/systemd/network/'
+  check_mode: no
+  register: network_files_all
+- name: Configure network
+  copy:
+    src: '{{ item }}'
+    dest: '/etc/systemd/network/'
+  with_fileglob:
+    - 'networkd/network/*'
+  register: network_files
+  notify:
+    - restart networkd
+- name: Clean up old files
+  file:
+    path: '/etc/systemd/network/{{ item }}'
+    state: absent
+  with_items: '{{ network_files_all.stdout_lines }}'
+  when: "item not in network_files.results|map(attribute='path')|map('basename')"
+  notify:
+    - restart networkd
+
+# Unfortunately a drop-in file doesn't seem to work,
+# so overwrite the whole service file :/
+- name: Don't wait for lan and mgt interfaces to come online
+  copy:
+    src: networkd/systemd-networkd-wait-online.service
+    dest: '/etc/systemd/system/systemd-networkd-wait-online.service'
+
+- name: Enable systemd-networkd
+  systemd:
+    name: systemd-networkd.service
+    enabled: yes
+    masked: no
+    state: started
+  when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+  command: systemctl enable systemd-networkd.service
+  args:
+    creates: '/etc/systemd/system/multi-user.target.wants/systemd-networkd.service'
+  when: "'container' in ansible_env"
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/nftables.yml b/roles/space_server/tasks/nftables.yml
new file mode 100644
index 0000000..a7fb588
--- /dev/null
+++ b/roles/space_server/tasks/nftables.yml
@@ -0,0 +1,34 @@
+---
+- name: Install our nftables service
+  copy:
+    src: nftables/nftables.service
+    dest: '/etc/systemd/system/nftables.service'
+
+- name: Install nftables package
+  dnf:
+    name: nftables
+    state: latest
+  tags:
+    - packages
+
+- name: Configure nftables
+  copy:
+    src: nftables/nftables.conf
+    dest: '/etc/sysconfig/nftables.conf'
+  notify:
+    - reload nftables
+
+- name: Enable nftables service
+  systemd:
+    name: nftables.service
+    enabled: yes
+    masked: no
+    state: started
+  when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+  command: systemctl enable nftables.service
+  args:
+    creates: '/etc/systemd/system/multi-user.target.wants/nftables.service'
+  when: "'container' in ansible_env"
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/radius.yml b/roles/space_server/tasks/radius.yml
new file mode 100644
index 0000000..3226d2e
--- /dev/null
+++ b/roles/space_server/tasks/radius.yml
@@ -0,0 +1,105 @@
+---
+- name: Install our freeradius-assha package
+  dnf:
+    name: '{{ item }}'
+    state: latest
+  with_fileglob:
+    - 'radius/freeradius-assha-*.fc{{ ansible_distribution_major_version }}.*.rpm'
+  notify:
+    - restart radiusd
+  tags:
+    - packages
+
+- name: Make sure curl and diffutils are installed
+  dnf:
+    name: '{{ item }}'
+    state: latest
+  with_items:
+    - curl
+    - diffutils
+  tags:
+    - packages
+
+- name: Disable default site
+  file:
+    path: '/etc/raddb/sites-enabled/default'
+    state: absent
+  notify:
+    - restart radiusd
+- name: Configure radiusd
+  copy:
+    src: 'radius/{{ item }}'
+    dest: '/etc/raddb/{{ item }}'
+    owner: root
+    group: radiusd
+    mode: 0640
+  with_items:
+    - radiusd.conf
+    - mods-available/eap
+    - sites-available/labitat
+  notify:
+    - restart radiusd
+- name: Configure radius clients
+  template:
+    src: 'radius/clients.conf.j2'
+    dest: '/etc/raddb/clients.conf'
+    owner: root
+    group: radiusd
+    mode: 0640
+  notify:
+    - restart radiusd
+- name: Enable labitat site
+  file:
+    path: '/etc/raddb/sites-enabled/labitat'
+    state: link
+    src: '../sites-available/labitat'
+    owner: root
+    group: radiusd
+    force: yes
+  notify:
+    - restart radiusd
+
+- name: Create getusers script
+  template:
+    src: 'radius/getusers.sh.j2'
+    dest: '/etc/raddb/getusers.sh'
+    owner: root
+    group: radiusd
+    mode: 0750
+- name: Create getusers service and timer
+  copy:
+    src: 'radius/{{ item }}'
+    dest: '/etc/systemd/system/{{ item }}'
+  with_items:
+    - getusers.service
+    - getusers.timer
+  notify:
+    - restart getusers
+
+- name: Enable getusers timer
+  systemd:
+    name: getusers.timer
+    enabled: yes
+    masked: no
+    state: started
+  when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+  command: systemctl enable getusers.timer
+  args:
+    creates: '/etc/systemd/system/timers.target.wants/getusers.timer'
+  when: "'container' in ansible_env"
+
+- name: Enable radiusd service
+  systemd:
+    name: radiusd.service
+    enabled: yes
+    masked: no
+    state: started
+  when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+  command: systemctl enable radiusd.service
+  args:
+    creates: '/etc/systemd/system/multi-user.target.wants/radiusd.service'
+  when: "'container' in ansible_env"
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/radvd.yml b/roles/space_server/tasks/radvd.yml
new file mode 100644
index 0000000..3c25c5c
--- /dev/null
+++ b/roles/space_server/tasks/radvd.yml
@@ -0,0 +1,40 @@
+---
+- name: Install radvd package
+  dnf:
+    name: radvd
+    state: latest
+  notify:
+    - restart radvd
+  tags:
+    - packages
+
+- name: Configure radvd
+  copy:
+    src: radvd/radvd.conf
+    dest: '/etc/radvd.conf'
+  notify:
+    - restart radvd
+
+- name: Create service drop-in directory
+  file:
+    dest: '/etc/systemd/system/radvd.service.d'
+    state: directory
+- name: Start radvd after networks are configured
+  copy:
+    src: wait-online.conf
+    dest: '/etc/systemd/system/radvd.service.d/wait-online.conf'
+
+- name: Enable radvd service
+  systemd:
+    name: radvd.service
+    enabled: yes
+    masked: no
+    state: started
+  when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+  command: systemctl enable radvd.service
+  args:
+    creates: '/etc/systemd/system/multi-user.target.wants/radvd.service'
+  when: "'container' in ansible_env"
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/resolved.yml b/roles/space_server/tasks/resolved.yml
new file mode 100644
index 0000000..d95d1d1
--- /dev/null
+++ b/roles/space_server/tasks/resolved.yml
@@ -0,0 +1,34 @@
+---
+#- name: Enable systemd-resolved
+#  systemd:
+#    name: systemd-resolved.service
+#    enabled: yes
+#    masked: no
+#    state: started
+#  when: "'container' not in ansible_env"
+#- name: '- when in nspawn'
+#  command: systemctl enable systemd-resolved.service
+#  args:
+#    creates: '/etc/systemd/system/multi-user.target.wants/systemd-resolved.service'
+#  when: "'container' in ansible_env"
+#
+#- name: Use systemd-resolved
+#  lineinfile:
+#    path: /etc/nsswitch.conf
+#    regexp: '^hosts:'
+#    line: 'hosts: files resolve [!UNAVAIL=return] dns myhostname'
+
+- name: Disable systemd-resolved
+  systemd:
+    name: systemd-resolved.service
+    enabled: no
+    masked: no
+    state: stopped
+  when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+  command: systemctl disable systemd-resolved.service
+  args:
+    removes: '/etc/systemd/system/multi-user.target.wants/systemd-resolved.service'
+  when: "'container' in ansible_env"
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/sshd.yml b/roles/space_server/tasks/sshd.yml
new file mode 100644
index 0000000..8eaa8fc
--- /dev/null
+++ b/roles/space_server/tasks/sshd.yml
@@ -0,0 +1,32 @@
+---
+- name: Install sshd package
+  dnf:
+    name: openssh-server
+    state: latest
+  notify:
+    - restart sshd
+  tags:
+    - packages
+
+- name: Configure sshd
+  lineinfile:
+    path: '/etc/ssh/sshd_config'
+    regexp: '^PasswordAuthentication'
+    line: 'PasswordAuthentication no'
+  notify:
+    - restart sshd
+
+- name: Enable sshd service
+  systemd:
+    name: sshd.service
+    enabled: yes
+    masked: no
+    state: started
+  when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+  command: systemctl enable sshd.service
+  args:
+    creates: '/etc/systemd/system/multi-user.target.wants/sshd.service'
+  when: "'container' in ansible_env"
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/sudo.yml b/roles/space_server/tasks/sudo.yml
new file mode 100644
index 0000000..b8497c3
--- /dev/null
+++ b/roles/space_server/tasks/sudo.yml
@@ -0,0 +1,16 @@
+---
+- name: Install sudo package
+  dnf:
+    name: sudo
+    state: latest
+  tags:
+    - packages
+
+- name: Install sudoers file
+  copy:
+    src: sudo/sudoers
+    dest: '/etc/sudoers'
+    mode: 0440
+    validate: visudo -cf %s
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/timesyncd.yml b/roles/space_server/tasks/timesyncd.yml
new file mode 100644
index 0000000..cf964e3
--- /dev/null
+++ b/roles/space_server/tasks/timesyncd.yml
@@ -0,0 +1,15 @@
+---
+- name: Enable systemd-timesyncd
+  systemd:
+    name: systemd-timesyncd.service
+    enabled: yes
+    masked: no
+    state: started
+  when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+  command: systemctl enable systemd-timesyncd.service
+  args:
+    creates: '/etc/systemd/system/sysinit.target.wants/systemd-timesyncd.service'
+  when: "'container' in ansible_env"
+
+# vim: set ts=2 sw=2 et:
author	Emil Renner Berthing <esmil@labitat.dk>	2017-11-07 16:27:49 +0100
committer	Emil Renner Berthing <esmil@labitat.dk>	2017-11-12 14:56:32 +0100
commit	e8cdba85c48dcbbd42e6fcb5be3aa2912008cb84 (patch)
tree	41ba5163cf6f110521f2ebc9035f77d2754796a0 /roles/space_server/tasks
download	labitat-ansible-e8cdba85c48dcbbd42e6fcb5be3aa2912008cb84.tar.gz labitat-ansible-e8cdba85c48dcbbd42e6fcb5be3aa2912008cb84.tar.xz labitat-ansible-e8cdba85c48dcbbd42e6fcb5be3aa2912008cb84.zip