From e8cdba85c48dcbbd42e6fcb5be3aa2912008cb84 Mon Sep 17 00:00:00 2001 From: Emil Renner Berthing Date: Tue, 7 Nov 2017 16:27:49 +0100 Subject: initial commit --- roles/space_server/tasks/ansible.yml | 30 ++++++++++ roles/space_server/tasks/bird.yml | 68 +++++++++++++++++++++ roles/space_server/tasks/blackhole.yml | 32 ++++++++++ roles/space_server/tasks/dhcpd.yml | 31 ++++++++++ roles/space_server/tasks/gettys.yml | 25 ++++++++ roles/space_server/tasks/kernel.yml | 42 +++++++++++++ roles/space_server/tasks/main.yml | 41 +++++++++++++ roles/space_server/tasks/named.yml | 52 ++++++++++++++++ roles/space_server/tasks/networkd.yml | 48 +++++++++++++++ roles/space_server/tasks/nftables.yml | 34 +++++++++++ roles/space_server/tasks/radius.yml | 105 +++++++++++++++++++++++++++++++++ roles/space_server/tasks/radvd.yml | 40 +++++++++++++ roles/space_server/tasks/resolved.yml | 34 +++++++++++ roles/space_server/tasks/sshd.yml | 32 ++++++++++ roles/space_server/tasks/sudo.yml | 16 +++++ roles/space_server/tasks/timesyncd.yml | 15 +++++ 16 files changed, 645 insertions(+) create mode 100644 roles/space_server/tasks/ansible.yml create mode 100644 roles/space_server/tasks/bird.yml create mode 100644 roles/space_server/tasks/blackhole.yml create mode 100644 roles/space_server/tasks/dhcpd.yml create mode 100644 roles/space_server/tasks/gettys.yml create mode 100644 roles/space_server/tasks/kernel.yml create mode 100644 roles/space_server/tasks/main.yml create mode 100644 roles/space_server/tasks/named.yml create mode 100644 roles/space_server/tasks/networkd.yml create mode 100644 roles/space_server/tasks/nftables.yml create mode 100644 roles/space_server/tasks/radius.yml create mode 100644 roles/space_server/tasks/radvd.yml create mode 100644 roles/space_server/tasks/resolved.yml create mode 100644 roles/space_server/tasks/sshd.yml create mode 100644 roles/space_server/tasks/sudo.yml create mode 100644 roles/space_server/tasks/timesyncd.yml (limited to 'roles/space_server/tasks') 
diff --git a/roles/space_server/tasks/ansible.yml b/roles/space_server/tasks/ansible.yml new file mode 100644 index 0000000..5dc74e2 --- /dev/null +++ b/roles/space_server/tasks/ansible.yml @@ -0,0 +1,30 @@ +--- +- name: Create /etc/ansible/hosts + copy: + src: ansible/hosts + dest: '/etc/ansible/hosts' + +- name: Configure ansible + ini_file: + path: /etc/ansible/ansible.cfg + section: '{{ item.section }}' + option: '{{ item.option }}' + value: '{{ item.value }}' + with_items: + - section: defaults + option: 'gathering' + value: 'smart' + - section: defaults + option: 'fact_caching' + value: 'jsonfile' + - section: defaults + option: 'fact_caching_connection' + value: '/tmp/ansible' + - section: defaults + option: 'fact_caching_timeout' + value: '600' + - section: defaults + option: 'error_on_missing_handler' + value: 'True' + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/bird.yml b/roles/space_server/tasks/bird.yml new file mode 100644 index 0000000..17f0a99 --- /dev/null +++ b/roles/space_server/tasks/bird.yml 
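Review bot: The jsonfile fact cache is pointed at `/tmp/ansible` (the `fact_caching_connection` item), a world-writable directory that nothing in this hunk creates with a restricted mode. Cached facts include `ansible_env` and other host details, and a pre-existing `/tmp/ansible` owned by another local user would let that user read or replace them before the controller does. Move the cache under a root-owned path, e.g. `value: '/var/cache/ansible'`, and add a `file` task ahead of this one that creates it with `state: directory` and `mode: '0700'`.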
@@ -0,0 +1,68 @@ +--- +- name: Install bird and bird6 packages + dnf: + name: '{{ item }}' + state: latest + with_items: + - bird + - bird6 + notify: + - restart bird + tags: + - packages + +- name: Make sure /etc/bird exists + file: + dest: '/etc/bird' + state: directory + mode: 0755 +- name: Create bird configuration + copy: + src: '{{ item }}' + dest: '/etc/bird/' + with_fileglob: + - 'bird/*' + notify: + - restart bird + +- name: Create bird.conf and bird6.conf symlinks + file: + path: '/etc/{{ item }}.conf' + state: link + src: 'bird/{{ item }}.conf' + force: yes + with_items: + - bird + - bird6 + +# bird6 wants the link to have a link-local address +# when starting, so wait for it +- name: Create bird6 service drop-in directory + file: + dest: '/etc/systemd/system/bird6.service.d' + state: directory +- name: Start bird6 after networks are configured + copy: + src: wait-online.conf + dest: '/etc/systemd/system/bird6.service.d/wait-online.conf' + +- name: Enable bird and bird6 + systemd: + name: '{{ item }}.service' + enabled: yes + masked: no + state: started + with_items: + - bird + - bird6 + when: "'container' not in ansible_env" +- name: '- when in nspawn' + command: 'systemctl enable {{ item }}.service' + args: + creates: '/etc/systemd/system/multi-user.target.wants/{{ item }}.service' + with_items: + - bird + - bird6 + when: "'container' in ansible_env" + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/blackhole.yml b/roles/space_server/tasks/blackhole.yml new file mode 100644 index 0000000..b62a7ca --- /dev/null +++ b/roles/space_server/tasks/blackhole.yml 
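Review bot: `Start bird6 after networks are configured` copies a unit drop-in with no `notify`, and `Enable bird and bird6` does not pass `daemon_reload: yes`, so a changed drop-in is not seen by systemd until something else reloads it; the same gap is in blackhole.yml (`blackhole.service`), named.yml and radvd.yml (`wait-online.conf`) and nftables.yml (`nftables.service`). Add `daemon_reload: yes` to the `systemd` task, or a `notify` on the drop-in task naming a handler that reloads units and restarts bird6 (the handlers are outside this hunk, and whether `restart bird` also covers bird6 cannot be seen here). Separately, `state: latest` on the `dnf` task (also in dhcpd, kernel, named, nftables, radius, radvd, sshd and sudo) turns every run into an unattended upgrade that fires the restart handlers; `state: present` keeps upgrades an explicit step.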
@@ -0,0 +1,32 @@ +--- +- name: Create /etc/systemd/scripts + file: + dest: /etc/systemd/scripts + state: directory +- name: Install blackhole script + copy: + src: blackhole/blackhole.sh + dest: '/etc/systemd/scripts/blackhole.sh' + mode: 0755 + notify: + - restart blackhole + +- name: Install blackhole service + copy: + src: blackhole/blackhole.service + dest: '/etc/systemd/system/blackhole.service' + +- name: Enable blackhole service + systemd: + name: blackhole.service + enabled: yes + masked: no + state: started + when: "'container' not in ansible_env" +- name: '- when in nspawn' + command: systemctl enable blackhole.service + args: + creates: '/etc/systemd/system/multi-user.target.wants/blackhole.service' + when: "'container' in ansible_env" + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/dhcpd.yml b/roles/space_server/tasks/dhcpd.yml new file mode 100644 index 0000000..c72fa75 --- /dev/null +++ b/roles/space_server/tasks/dhcpd.yml @@ -0,0 +1,31 @@ +--- +- name: Install dhcpd package + dnf: + name: dhcp-server + state: latest + notify: + - restart dhcpd + tags: + - packages + +- name: Configure dhcpd + copy: + src: dhcpd/dhcpd.conf + dest: '/etc/dhcp/dhcpd.conf' + notify: + - restart dhcpd + +- name: Enable dhcpd service + systemd: + name: dhcpd.service + enabled: yes + masked: no + state: started + when: "'container' not in ansible_env" +- name: '- when in nspawn' + command: systemctl enable dhcpd.service + args: + creates: '/etc/systemd/system/multi-user.target.wants/dhcpd.service' + when: "'container' in ansible_env" + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/gettys.yml b/roles/space_server/tasks/gettys.yml new file mode 100644 index 0000000..bdf293a --- /dev/null +++ b/roles/space_server/tasks/gettys.yml 
@@ -0,0 +1,25 @@ +--- +- name: Disable getty@tty1 + systemd: + name: getty@tty1.service + enabled: no + state: stopped + when: "'container' not in ansible_env" +- name: '- when in nspawn' + command: systemctl disable getty@tty1.service + args: + removes: '/etc/systemd/system/getty.target.wants/getty@tty1.service' + when: "'container' in ansible_env" + +- name: Enable serial-getty@ttyS0 + systemd: + name: serial-getty@ttyS0.service + enabled: yes + when: "'container' not in ansible_env" +- name: '- when in nspawn' + command: systemctl enable serial-getty@ttyS0.service + args: + creates: '/etc/systemd/system/getty.target.wants/serial-getty@ttyS0.service' + when: "'container' in ansible_env" + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/kernel.yml b/roles/space_server/tasks/kernel.yml new file mode 100644 index 0000000..02e115c --- /dev/null +++ b/roles/space_server/tasks/kernel.yml @@ -0,0 +1,42 @@ +--- +- name: Make sure /etc/kernel exists + file: + path: '/etc/kernel' + state: directory + mode: 0755 +- name: Make sure /etc/kernel/install.d exists + file: + path: '/etc/kernel/install.d' + state: directory + mode: 0755 + +- name: Mask grubby + file: + path: '/etc/kernel/install.d/20-grubby.install' + state: link + src: '/dev/null' + +- name: Create syslinux loader entry + copy: + src: kernel/90-loaderentry.install + dest: '/etc/kernel/install.d/90-loaderentry.install' + mode: 0755 +- name: Create syslinux menu + copy: + src: kernel/95-syslinux-menu.install + dest: '/etc/kernel/install.d/95-syslinux-menu.install' + mode: 0755 + +- name: Set kernel command line + template: + src: cmdline.j2 + dest: '/etc/kernel/cmdline' + +- name: Install kernel + dnf: + name: kernel + state: latest + tags: + - packages + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/main.yml b/roles/space_server/tasks/main.yml new file mode 100644 index 0000000..98a0764 --- /dev/null +++ b/roles/space_server/tasks/main.yml 
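Review bot: `Set kernel command line` renders `/etc/kernel/cmdline` with no `notify`, and the loader entry is only regenerated by the install.d scripts when `kernel-install` runs, so a later change to `cmdline.j2` (a security-relevant input, since it carries whatever boot parameters the template defines) is not applied until the next kernel package install; on the first run it happens to work only because `Install kernel` runs afterwards. Assuming `90-loaderentry.install` reads `/etc/kernel/cmdline` (the script is not in this hunk), add a handler that re-runs `kernel-install` for the installed kernel and `notify` it from the template task, and put a comment above the task such as `# read by install.d/90-loaderentry.install; changes apply on the next kernel-install run`. The unquoted `mode: 0755` values in this file rely on YAML 1.1 octal parsing; `mode: '0755'` is the portable spelling.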
@@ -0,0 +1,41 @@ +--- +- name: fstab + template: + src: fstab.j2 + dest: /etc/fstab + tags: + - fstab + +- import_tasks: ansible.yml + tags: ansible +- import_tasks: sudo.yml + tags: sudo +- import_tasks: kernel.yml + tags: kernel +- import_tasks: gettys.yml + tags: gettys +- import_tasks: timesyncd.yml + tags: timesyncd +- import_tasks: resolved.yml + tags: resolved +- import_tasks: networkd.yml + tags: networkd +- import_tasks: nftables.yml + tags: nftables +- import_tasks: blackhole.yml + tags: blackhole +- import_tasks: sshd.yml + tags: sshd +- import_tasks: bird.yml + tags: bird +- import_tasks: dhcpd.yml + tags: dhcpd +- import_tasks: radvd.yml + tags: radvd +- import_tasks: radius.yml + tags: radius + when: radius_passwords is defined +- import_tasks: named.yml + tags: named + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/named.yml b/roles/space_server/tasks/named.yml new file mode 100644 index 0000000..d295058 --- /dev/null +++ b/roles/space_server/tasks/named.yml 
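Review bot: The `fstab` task templates `/etc/fstab` without `validate`, so a bad render reaches the file the next boot depends on; `validate: 'findmnt --verify --tab-file %s'` (util-linux 2.29 or later) rejects it before it is written. The radius import is gated on `when: radius_passwords is defined`, which silently skips the whole RADIUS setup when the variable is absent; if that is meant as a guard for a required secret rather than an optional feature, an `assert` with a message makes the omission visible in the play output.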
@@ -0,0 +1,52 @@ +--- +- name: Install bind package + dnf: + name: bind + state: latest + notify: + - restart named + tags: + - packages + +- name: Configure named + copy: + src: named/named.conf + dest: '/etc/named.conf' + mode: 0640 + notify: + - restart named +- name: Create s zone + copy: + src: named/s.zone + dest: '/etc/named/s.zone' + notify: + - restart named + +- name: Create service drop-in directory + file: + dest: '/etc/systemd/system/named.service.d' + state: directory +- name: Start named after networks are configured + copy: + src: wait-online.conf + dest: '/etc/systemd/system/named.service.d/wait-online.conf' + +- name: Enable named service + systemd: + name: named.service + enabled: yes + masked: no + state: started + when: "'container' not in ansible_env" +- name: '- when in nspawn' + command: systemctl enable named.service + args: + creates: '/etc/systemd/system/multi-user.target.wants/named.service' + when: "'container' in ansible_env" + +- name: Use our own resolver + copy: + dest: /etc/resolv.conf + content: "nameserver 127.0.0.1\nnameserver ::1\n" + +# vim: set ts=2 sw=2 et ft=yaml: diff --git a/roles/space_server/tasks/networkd.yml b/roles/space_server/tasks/networkd.yml new file mode 100644 index 0000000..ef97844 --- /dev/null +++ b/roles/space_server/tasks/networkd.yml 
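Review bot: `Configure named` copies `/etc/named.conf` with `mode: 0640` but sets no `owner`/`group`, so when the play runs as root the file ends up root:root and unreadable by the unprivileged `named` user; whether the service still loads it at startup depends on when named drops privileges, but a later `rndc reload` runs as `named` and will fail. Set `owner: root` and `group: named` on the task, as radius.yml already does with `group: radiusd`, and quote the mode as `mode: '0640'`. The `Use our own resolver` task overwrites `/etc/resolv.conf` unconditionally; a comment noting that resolved.yml stops systemd-resolved for this reason would explain why that is safe here.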
@@ -0,0 +1,48 @@ +--- +- name: Make sure directory exists + file: + dest: '/etc/systemd/network' + state: directory +- name: Get current network config + shell: 'ls -1 /etc/systemd/network/' + check_mode: no + register: network_files_all +- name: Configure network + copy: + src: '{{ item }}' + dest: '/etc/systemd/network/' + with_fileglob: + - 'networkd/network/*' + register: network_files + notify: + - restart networkd +- name: Clean up old files + file: + path: '/etc/systemd/network/{{ item }}' + state: absent + with_items: '{{ network_files_all.stdout_lines }}' + when: "item not in network_files.results|map(attribute='path')|map('basename')" + notify: + - restart networkd + +# Unfortunately a drop-in file doesn't seem to work, +# so overwrite the whole service file :/ +- name: Don't wait for lan and mgt interfaces to come online + copy: + src: networkd/systemd-networkd-wait-online.service + dest: '/etc/systemd/system/systemd-networkd-wait-online.service' + +- name: Enable systemd-networkd + systemd: + name: systemd-networkd.service + enabled: yes + masked: no + state: started + when: "'container' not in ansible_env" +- name: '- when in nspawn' + command: systemctl enable systemd-networkd.service + args: + creates: '/etc/systemd/system/multi-user.target.wants/systemd-networkd.service' + when: "'container' in ansible_env" + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/nftables.yml b/roles/space_server/tasks/nftables.yml new file mode 100644 index 0000000..a7fb588 --- /dev/null +++ b/roles/space_server/tasks/nftables.yml 
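Review bot: `Get current network config` parses `ls -1` output and `Clean up old files` then deletes every entry of `/etc/systemd/network/` that is not in `network_files.results|map(attribute='path')`; if the glob matches nothing the `copy` loop is skipped and `results` is absent, and what `copy` returns in check mode is not guaranteed to carry `path`, so the cleanup either errors out or, if the filter evaluates against an empty list, removes every file. Using the `find` module gives a structured listing with full paths, the documented `dest` return of `copy` is a safer key than `path`, and guarding on `network_files.results is defined` avoids the empty-list case.

```yaml
- name: Get current network config
  find:
    paths: /etc/systemd/network
    file_type: any
  check_mode: no
  register: network_files_all
# … unchanged: Configure network …
- name: Clean up old files
  file:
    path: '{{ item.path }}'
    state: absent
  with_items: '{{ network_files_all.files }}'
  when: "network_files.results is defined and item.path|basename not in network_files.results|map(attribute='dest')|map('basename')"
  notify:
    - restart networkd
```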
@@ -0,0 +1,34 @@ +--- +- name: Install our nftables service + copy: + src: nftables/nftables.service + dest: '/etc/systemd/system/nftables.service' + +- name: Install nftables package + dnf: + name: nftables + state: latest + tags: + - packages + +- name: Configure nftables + copy: + src: nftables/nftables.conf + dest: '/etc/sysconfig/nftables.conf' + notify: + - reload nftables + +- name: Enable nftables service + systemd: + name: nftables.service + enabled: yes + masked: no + state: started + when: "'container' not in ansible_env" +- name: '- when in nspawn' + command: systemctl enable nftables.service + args: + creates: '/etc/systemd/system/multi-user.target.wants/nftables.service' + when: "'container' in ansible_env" + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/radius.yml b/roles/space_server/tasks/radius.yml new file mode 100644 index 0000000..3226d2e --- /dev/null +++ b/roles/space_server/tasks/radius.yml 
@@ -0,0 +1,105 @@ +--- +- name: Install our freeradius-assha package + dnf: + name: '{{ item }}' + state: latest + with_fileglob: + - 'radius/freeradius-assha-*.fc{{ ansible_distribution_major_version }}.*.rpm' + notify: + - restart radiusd + tags: + - packages + +- name: Make sure curl and diffutils are installed + dnf: + name: '{{ item }}' + state: latest + with_items: + - curl + - diffutils + tags: + - packages + +- name: Disable default site + file: + path: '/etc/raddb/sites-enabled/default' + state: absent + notify: + - restart radiusd +- name: Configure radiusd + copy: + src: 'radius/{{ item }}' + dest: '/etc/raddb/{{ item }}' + owner: root + group: radiusd + mode: 0640 + with_items: + - radiusd.conf + - mods-available/eap + - sites-available/labitat + notify: + - restart radiusd +- name: Configure radius clients + template: + src: 'radius/clients.conf.j2' + dest: '/etc/raddb/clients.conf' + owner: root + group: radiusd + mode: 0640 + notify: + - restart radiusd +- name: Enable labitat site + file: + path: '/etc/raddb/sites-enabled/labitat' + state: link + src: '../sites-available/labitat' + owner: root + group: radiusd + force: yes + notify: + - restart radiusd + +- name: Create getusers script + template: + src: 'radius/getusers.sh.j2' + dest: '/etc/raddb/getusers.sh' + owner: root + group: radiusd + mode: 0750 +- name: Create getusers service and timer + copy: + src: 'radius/{{ item }}' + dest: '/etc/systemd/system/{{ item }}' + with_items: + - getusers.service + - getusers.timer + notify: + - restart getusers + +- name: Enable getusers timer + systemd: + name: getusers.timer + enabled: yes + masked: no + state: started + when: "'container' not in ansible_env" +- name: '- when in nspawn' + command: systemctl enable getusers.timer + args: + creates: '/etc/systemd/system/timers.target.wants/getusers.timer' + when: "'container' in ansible_env" + +- name: Enable radiusd service + systemd: + name: radiusd.service + enabled: yes + masked: no + state: started + 
when: "'container' not in ansible_env" +- name: '- when in nspawn' + command: systemctl enable radiusd.service + args: + creates: '/etc/systemd/system/multi-user.target.wants/radiusd.service' + when: "'container' in ansible_env" + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/radvd.yml b/roles/space_server/tasks/radvd.yml new file mode 100644 index 0000000..3c25c5c --- /dev/null +++ b/roles/space_server/tasks/radvd.yml @@ -0,0 +1,40 @@ +--- +- name: Install radvd package + dnf: + name: radvd + state: latest + notify: + - restart radvd + tags: + - packages + +- name: Configure radvd + copy: + src: radvd/radvd.conf + dest: '/etc/radvd.conf' + notify: + - restart radvd + +- name: Create service drop-in directory + file: + dest: '/etc/systemd/system/radvd.service.d' + state: directory +- name: Start radvd after networks are configured + copy: + src: wait-online.conf + dest: '/etc/systemd/system/radvd.service.d/wait-online.conf' + +- name: Enable radvd service + systemd: + name: radvd.service + enabled: yes + masked: no + state: started + when: "'container' not in ansible_env" +- name: '- when in nspawn' + command: systemctl enable radvd.service + args: + creates: '/etc/systemd/system/multi-user.target.wants/radvd.service' + when: "'container' in ansible_env" + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/resolved.yml b/roles/space_server/tasks/resolved.yml new file mode 100644 index 0000000..d95d1d1 --- /dev/null +++ b/roles/space_server/tasks/resolved.yml 
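Review bot: `Install our freeradius-assha package` installs whichever `.rpm` files in `radius/` match the glob straight from the role tree, and dnf does not GPG-verify local packages unless `localpkg_gpgcheck` is enabled, so the integrity of that package rests entirely on the repository contents; record its expected checksum next to the file (or sign it and enable the check) and add a comment saying how the package is built. With `state: latest` and `with_fileglob`, several matching versions would each be installed in turn, so pin the glob to one version or assert a single match. The `getusers.sh.j2` template is installed `0750` root:radiusd, which suggests it embeds credentials; a comment stating that, and that the rendered file must not be world-readable, keeps a future edit from loosening the mode.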
@@ -0,0 +1,34 @@ +--- +#- name: Enable systemd-resolved +# systemd: +# name: systemd-resolved.service +# enabled: yes +# masked: no +# state: started +# when: "'container' not in ansible_env" +#- name: '- when in nspawn' +# command: systemctl enable systemd-resolved.service +# args: +# creates: '/etc/systemd/system/multi-user.target.wants/systemd-resolved.service' +# when: "'container' in ansible_env" +# +#- name: Use systemd-resolved +# lineinfile: +# path: /etc/nsswitch.conf +# regexp: '^hosts:' +# line: 'hosts: files resolve [!UNAVAIL=return] dns myhostname' + +- name: Disable systemd-resolved + systemd: + name: systemd-resolved.service + enabled: no + masked: no + state: stopped + when: "'container' not in ansible_env" +- name: '- when in nspawn' + command: systemctl disable systemd-resolved.service + args: + removes: '/etc/systemd/system/multi-user.target.wants/systemd-resolved.service' + when: "'container' in ansible_env" + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/sshd.yml b/roles/space_server/tasks/sshd.yml new file mode 100644 index 0000000..8eaa8fc --- /dev/null +++ b/roles/space_server/tasks/sshd.yml @@ -0,0 +1,32 @@ +--- +- name: Install sshd package + dnf: + name: openssh-server + state: latest + notify: + - restart sshd + tags: + - packages + +- name: Configure sshd + lineinfile: + path: '/etc/ssh/sshd_config' + regexp: '^PasswordAuthentication' + line: 'PasswordAuthentication no' + notify: + - restart sshd + +- name: Enable sshd service + systemd: + name: sshd.service + enabled: yes + masked: no + state: started + when: "'container' not in ansible_env" +- name: '- when in nspawn' + command: systemctl enable sshd.service + args: + creates: '/etc/systemd/system/multi-user.target.wants/sshd.service' + when: "'container' in ansible_env" + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/sudo.yml b/roles/space_server/tasks/sudo.yml new file mode 100644 index 0000000..b8497c3 --- /dev/null 
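Review bot: `Configure sshd` edits `sshd_config` with `lineinfile` and no `validate`, so a malformed line is written and the `restart sshd` handler then takes the daemon down with no way back in; add `validate: '/usr/sbin/sshd -t -f %s'`. When the regexp does not match, `lineinfile` appends at end of file, which lands inside any trailing `Match` block and scopes the directive to that block only; `insertbefore: BOF` keeps it global. Disabling `PasswordAuthentication` alone still leaves keyboard-interactive password logins open wherever `ChallengeResponseAuthentication` is enabled, so a second `lineinfile` for `ChallengeResponseAuthentication no` is needed to close that path.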
+++ b/roles/space_server/tasks/sudo.yml @@ -0,0 +1,16 @@ +--- +- name: Install sudo package + dnf: + name: sudo + state: latest + tags: + - packages + +- name: Install sudoers file + copy: + src: sudo/sudoers + dest: '/etc/sudoers' + mode: 0440 + validate: visudo -cf %s + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/timesyncd.yml b/roles/space_server/tasks/timesyncd.yml new file mode 100644 index 0000000..cf964e3 --- /dev/null +++ b/roles/space_server/tasks/timesyncd.yml @@ -0,0 +1,15 @@ +--- +- name: Enable systemd-timesyncd + systemd: + name: systemd-timesyncd.service + enabled: yes + masked: no + state: started + when: "'container' not in ansible_env" +- name: '- when in nspawn' + command: systemctl enable systemd-timesyncd.service + args: + creates: '/etc/systemd/system/sysinit.target.wants/systemd-timesyncd.service' + when: "'container' in ansible_env" + +# vim: set ts=2 sw=2 et: -- cgit v1.2.1