Add initial project
This commit is contained in:
parent
cbeba95528
commit
b555fb1222
50 changed files with 1993 additions and 0 deletions
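--- a/README.md
+++ b/README.md
@@ -0,0 +1,146 @@
+# EvoBSD 1.0
+
+EvoBSD is an ansible project used for customising OpenBSD hosts
+used by Evolix.
+
+## How to install an OpenBSD machine
+
+**Note :** The system must be installed with a root account only. Put your public key in the remote root's autorized_keys (/root/.ssh/authorized_keys)
+
+1 - Install ansible's prerequisites
+
+```
+ansible-playbook prerequisite.yml -CDi hosts -l HOSTNAME
+```
+
+2 - Run it!
+
+```
+ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts -l HOSTNAME
+```
+
+### Try it on a disposable system!
+
+The easiest way to try EvoBSD is by using packer and vmm :
+
+* First of all let's install go and packer on your host system
+
+```
+# pkg_add go packer
+```
+
+* Then we gonna use [packer-builder-vmm](https://github.com/prep/packer-builder-vmm) project availbale on Github
+
+```
+$ go get -u github.com/prep/packer-builder-vmm/cmd/packer-builder-vmm
+```
+
+* We have to create a definition file for packer
+
+```
+$ vim openbsd.json
+```
+
+{
+"description": "OpenBSD installation on VMM",
+
+"variables": {
+"hostname": "evobsd",
+"domain": "example.com",
+
+"password": "evolix"
+},
+
+"builders": [
+{
+"type": "vmm",
+"vm_name": "evobsd",
+"disk_size": "2G",
+"format": "qcow2",
+"mem_size": "1024M",
+
+"iso_urls": ["downloads/install64.fs", "https://ftp.nluug.nl/pub/OpenBSD/6.4/amd64/install64.fs"],
+"iso_checksum": "7aa4344cb39efbf67300f97ac7eec005b607e8c19d4e31a0a593a8ee2b7136e4",
+"iso_checksum_type": "sha256",
+
+"boot_wait": "10s",
+"boot_command": [
+"S<enter>",
+
+"cat <<EOF >disklabel.template<enter>",
+"/ 1G-* 100%<enter>",
+"EOF<enter>",
+
+"cat <<EOF >install.conf<enter>",
+"System hostname = {{user `hostname`}}<enter>",
+"DNS domain name = {{user `domain`}}<enter>",
+"Password for root account = {{user `password`}}<enter>",
+"Do you expect to run the X Window System = no<enter>",
+"Setup a user = no<enter>",
+"Which disk is the root disk = sd1<enter>",
+"Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout = c<enter>",
+"URL to autopartitioning template for disklabel = file://disklabel.template<enter>",
+"Location of sets = disk<enter>",
+"Is the disk partition already mounted = no<enter>",
+"Set name(s) = -bsd.rd<enter>",
+"Set name(s) = done<enter>",
+"Directory does not contain SHA256.sig. Continue without verification = yes<enter>",
+"What timezone are you in = Europe/Paris<enter>",
+"EOF<enter>",
+
+"install -af install.conf<enter>",
+"<wait2m>",
+
+"/sbin/halt -p<enter><wait15>"
+]
+}
+]
+}
+
+
+* You need your unprivileged user to be able to run vmctl through doas
+
+```
+# echo "permit nopass myunprivilegeduser as root cmd /usr/sbin/vmctl
+```
+
+* Eventually you can build your virtual machine
+
+```
+$ packer build openbsd.json
+```
+
+* Once the building is done, run your VM like this
+
+```
+doas vmctl start evobsd -cL -d output-vmm/evobsd.qcow2
+```
+
+## Contributions
+
+Contributions to this project are most welcome! The best way is to create a
+pull request so that after review it's merged.
+
+## License
+
+MIT License
+
+Copyright (c) 2019 Evolix
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.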
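--- a/evolixisation.yml
+++ b/evolixisation.yml
@@ -0,0 +1,33 @@
+# Playbook command
+# ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts -l HOSTNAME
+
+---
+- name: Evolixisation of an OpenBSD system
+  hosts: openbsd
+  become: true
+  become_user: root
+  become_method: sudo
+
+
+  vars_files:
+    - vars/main.yml
+    # - vars/secrets.yml
+
+  roles:
+    - etc-git
+    - base
+    - forwarding
+    - pf
+    - accounts
+    - nagios-nrpe
+    - post-install
+
+  post_tasks:
+    - include: "tasks/commit_etc_git.yml"
+      vars:
+        commit_message: "Ansible - Evolixisation"
+
+  environment:
+    PKG_PATH: "http://ftp.openbsd.org/pub/OpenBSD/{{ ansible_distribution_version }}/packages/{{ ansible_architecture }}/"
+
+# vim:ft=ansible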
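Review bot: The `environment:` block at the end of the play points `PKG_PATH` at `http://ftp.openbsd.org/...`, while `roles/base/files/installurl` in the same commit configures `https://cdn.openbsd.org/pub/OpenBSD`; since `PKG_PATH` takes precedence over `/etc/installurl` for `pkg_add`, every package install in this play goes over plaintext HTTP to a different mirror than the one the base role sets up. `pkg_add` verifies package signatures, so this is a consistency and metadata-exposure point rather than an integrity one, but a single HTTPS mirror is easier to reason about: `PKG_PATH: "https://cdn.openbsd.org/pub/OpenBSD/{{ ansible_distribution_version }}/packages/{{ ansible_architecture }}/"`. `vars/secrets.yml` is commented out although the documented command passes `--ask-vault-pass`; either drop the flag from the comment or include the file. The `- include:` form used here in `post_tasks` and in `roles/base/tasks/main.yml` is deprecated in favour of `import_tasks`/`include_tasks`.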
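--- a/hosts
+++ b/hosts
@@ -0,0 +1,5 @@
+[openbsd]
+foo.example.com
+
+[openbsd:vars]
+ansible_python_interpreter=/usr/local/bin/python2.7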
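--- a/prerequisite.yml
+++ b/prerequisite.yml
@@ -0,0 +1,16 @@
+# Playbook command
+# ansible-playbook prerequisite.yml -CDi hosts -l HOSTNAME
+
+---
+- hosts: all
+  become: yes
+  become_method: su
+  user: root
+  gather_facts: no
+
+  tasks:
+
+    - name: Install ansible's prerequisite
+      raw: export PKG_PATH=http://ftp.eu.openbsd.org/pub/OpenBSD/$(uname -r)/packages/$(uname -p)/; pkg_add -z python-2
+
+# vim:ft=ansible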
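Review bot: The `raw:` task uses a third mirror, `http://ftp.eu.openbsd.org`, while `evolixisation.yml` uses ftp.openbsd.org and the base role writes cdn.openbsd.org into `/etc/installurl`; pick one (the HTTPS cdn) so the bootstrap and later runs fetch from the same place. With `gather_facts: no` the `$(uname -r)`/`$(uname -p)` expansion is the right approach, but `-z` is fuzzy matching and `-I` would keep the bootstrap non-interactive: `raw: export PKG_PATH=https://cdn.openbsd.org/pub/OpenBSD/$(uname -r)/packages/$(uname -p)/; pkg_add -zI python-2`. `become: yes` and `gather_facts: no` should be spelled `true`/`false` (yamllint truthy), as `evolixisation.yml` already does for `become`.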
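--- a/roles/accounts/tasks/main.yml
+++ b/roles/accounts/tasks/main.yml
@@ -0,0 +1,26 @@
+---
+- name: Create admins accounts
+  user:
+    state: present
+    name: '{{ item.value.name }}'
+    uid: '{{ item.value.uid }}'
+    password: '{{ item.value.password_hash_openbsd }}'
+    groups: wheel
+    shell: /bin/ksh
+    append: yes
+  with_dict:
+    "{{ evolix_users }}"
+  tags:
+    - admin
+
+- name: Add admins ssh keys
+  lineinfile:
+    state: present
+    dest: '/home/{{ item.value.name }}/.ssh/authorized_keys'
+    line: '{{ item.value.ssh_keys }}'
+    create: yes
+  with_dict:
+    "{{ evolix_users }}"
+  tags:
+    - admin
+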
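Review bot: `lineinfile` with `create: yes` on `/home/{{ item.value.name }}/.ssh/authorized_keys` creates the file but not the `.ssh` directory, so the second task fails on an account the first task has just created, and when it does succeed the file gets the default umask rather than the 0700/0600 that sshd's StrictModes expects. It also writes `item.value.ssh_keys` as a single `line`, so if that value is a list the user gets a list rendering instead of one key per line. The `authorized_key` module handles all of this (creates `.ssh` 0700, the file 0600, one key per entry, idempotent); if `ssh_keys` is a list, join it with newlines before passing it as `key`. `append: yes` / `create: yes` should be `true`.

```yaml
- name: Add admins ssh keys
  authorized_key:
    user: '{{ item.value.name }}'
    key: '{{ item.value.ssh_keys }}'
    state: present
  with_dict:
    "{{ evolix_users }}"
  tags:
    - admin
```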
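--- a/roles/base/defaults/main.yml
+++ b/roles/base/defaults/main.yml
@@ -0,0 +1,19 @@
+---
+ntpd_servers:
+  - "ntp.evolix.net"
+
+general_alert_email: "root@localhost"
+general_technical_realm: "example.com"
+
+evomaintenance_realm: "example.com"
+evomaintenance_alert_email: "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}"
+evomaintenance_hostname: "{{ inventory_hostname }}.{{ general_technical_realm }}"
+evomaintenance_pg_host: Null
+evomaintenance_pg_passwd: Null
+evomaintenance_pg_db: Null
+evomaintenance_pg_table: Null
+evomaintenance_from_domain: "{{ evomaintenance_realm }}"
+evomaintenance_from: "evomaintenance@{{ evomaintenance_from_domain }}"
+evomaintenance_full_from: "Evomaintenance <{{ evomaintenance_from }}>"
+evomaintenance_urgency_from: mama.doe@example.com
+evomaintenance_urgency_tel: "06.00.00.00.00"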
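Review bot: The four `evomaintenance_pg_*` keys use `Null` where the rest of the file and yamllint expect lowercase `null`; both parse to None, but the capitalised spelling is the YAML 1.1 form tooling tends to flag, so `evomaintenance_pg_passwd: null` is the cleaner default. Leaving the password default at null is the right call; the real value belongs in the vaulted `vars/secrets.yml` that `evolixisation.yml` currently has commented out, and a comment here would make that explicit: `# set in the vaulted secrets file, never in defaults`. `evomaintenance_urgency_from: mama.doe@example.com` is the one string in the file left unquoted; quote it like its neighbours.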
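--- a/roles/base/files/evomaintenance.sh
+++ b/roles/base/files/evomaintenance.sh
@@ -0,0 +1,198 @@
+#!/bin/sh
+
+# EvoMaintenance script
+# Dependencies (all OS): git postgresql-client
+# Dependencies (Debian): sudo
+
+# version 0.4.1
+# Copyright 2007-2018 Evolix <info@evolix.fr>
+
+get_system() {
+uname -s
+}
+
+get_fqdn() {
+if [ "$(get_system)" = "Linux" ]; then
+hostname --fqdn
+elif [ "$(get_system)" = "OpenBSD" ]; then
+hostname
+else
+echo "OS not detected!"
+exit 1
+fi
+}
+
+get_tty() {
+if [ "$(get_system)" = "Linux" ]; then
+ps -o tty= | tail -1
+elif [ "$(get_system)" = "OpenBSD" ]; then
+env | grep SSH_TTY | cut -d"/" -f3
+else
+echo "OS not detected!"
+exit 1
+fi
+}
+
+get_who() {
+who=$(LC_ALL=C who -m)
+
+if [ -n "${who}" ]; then
+echo "${who}"
+else
+LC_ALL=C who | grep $(get_tty) | tr -s ' '
+fi
+}
+
+get_begin_date() {
+echo "$(date "+%Y") $(echo $(get_who) | cut -d" " -f3,4,5)"
+}
+
+get_ip() {
+ip=$(echo $(get_who) | cut -d" " -f6 | sed -e "s/^(// ; s/)$//")
+[ -z "${ip}" ] && ip="unknown (no tty)"
+[ "${ip}" = ":0" ] && ip="localhost"
+
+echo "${ip}"
+}
+
+get_end_date() {
+date +"%Y %b %d %H:%M"
+}
+
+get_now() {
+date +"%Y-%m-%dT%H:%M:%S%z"
+}
+
+test -f /etc/evomaintenance.cf && . /etc/evomaintenance.cf
+
+[ -n "${HOSTNAME}" ] || HOSTNAME=$(get_fqdn)
+[ -n "${EVOMAINTMAIL}" ] || EVOMAINTMAIL=evomaintenance-$(echo "${HOSTNAME}" | cut -d- -f1)@${REALM}
+[ -n "${LOGFILE}" ] || LOGFILE=/var/log/evomaintenance.log
+
+# Treat unset variables as an error when substituting.
+# Only after this line, because some config variables might be missing.
+set -u
+
+REAL_HOSTNAME=$(get_fqdn)
+if [ "${HOSTNAME}" = "${REAL_HOSTNAME}" ]; then
+HOSTNAME_TEXT="${HOSTNAME}"
+else
+HOSTNAME_TEXT="${HOSTNAME} (${REAL_HOSTNAME})"
+fi
+
+# TTY=$(get_tty)
+# WHO=$(get_who)
+IP=$(get_ip)
+BEGIN_DATE=$(get_begin_date)
+END_DATE=$(get_end_date)
+USER=$(logname)
+
+PATH=${PATH}:/usr/sbin
+
+SENDMAIL_BIN=$(command -v sendmail)
+GIT_BIN=$(command -v git)
+
+GIT_REPOSITORIES="/etc /etc/bind"
+
+# git statuses
+GIT_STATUSES=""
+
+if test -x "${GIT_BIN}"; then
+# loop on possible directories managed by GIT
+for dir in ${GIT_REPOSITORIES}; do
+# tell Git where to find the repository and the work tree (no need to `cd …` there)
+export GIT_DIR="${dir}/.git" GIT_WORK_TREE="${dir}"
+# If the repository and the work tree exist, try to commit changes
+if test -d "${GIT_DIR}" && test -d "${GIT_WORK_TREE}"; then
+CHANGED_LINES=$(${GIT_BIN} status --porcelain | wc -l | tr -d ' ')
+if [ "${CHANGED_LINES}" != "0" ]; then
+STATUS=$(${GIT_BIN} status --short | tail -n 10)
+# append diff data, without empty lines
+GIT_STATUSES=$(printf "%s\n%s\n%s\n" "${GIT_STATUSES}" "${GIT_DIR} (last 10 lines)" "${STATUS}" | sed -e '/^$/d')
+fi
+fi
+# unset environment variables to prevent accidental influence on other git commands
+unset GIT_DIR GIT_WORK_TREE
+done
+if [ -n "${GIT_STATUSES}" ]; then
+echo "/!\ There are some uncommited changes. If you proceed, everything will be commited."
+echo "${GIT_STATUSES}"
+echo ""
+fi
+fi
+
+# get input from stdin
+echo "> Please, enter details about your maintenance"
+read TEXTE
+
+if [ "${TEXTE}" = "" ]; then
+echo "no value..."
+exit 1
+fi
+
+# recapitulatif
+BLOB=$(cat <<END
+Host : $HOSTNAME_TEXT
+User : $USER
+IP : $IP
+Begin : $BEGIN_DATE
+End : $END_DATE
+Message : $TEXTE
+END
+)
+
+echo ""
+echo "${BLOB}"
+echo ""
+echo "> Press <Enter> to submit, or <Ctrl+c> to cancel."
+read enter
+
+# write log
+echo "----------- $(get_now) ---------------" >> "${LOGFILE}"
+echo "${BLOB}" >> "${LOGFILE}"
+
+# git commit
+GIT_COMMITS=""
+
+if test -x "${GIT_BIN}"; then
+# loop on possible directories managed by GIT
+for dir in ${GIT_REPOSITORIES}; do
+# tell Git where to find the repository and the work tree (no need to `cd …` there)
+export GIT_DIR="${dir}/.git" GIT_WORK_TREE="${dir}"
+# If the repository and the work tree exist, try to commit changes
+if test -d "${GIT_DIR}" && test -d "${GIT_WORK_TREE}"; then
+CHANGED_LINES=$(${GIT_BIN} status --porcelain | wc -l | tr -d ' ')
+if [ "${CHANGED_LINES}" != "0" ]; then
+${GIT_BIN} add --all
+${GIT_BIN} commit --message "${TEXTE}" --author="${USER} <${USER}@evolix.net>" --quiet
+# Add the SHA to the log file if something has been committed
+SHA=$(${GIT_BIN} rev-parse --short HEAD)
+STATS=$(${GIT_BIN} show --stat | tail -1)
+# append commit data, without empty lines
+GIT_COMMITS=$(printf "%s\n%s : %s –%s" "${GIT_COMMITS}" "${GIT_DIR}" "${SHA}" "${STATS}" | sed -e '/^$/d')
+fi
+fi
+# unset environment variables to prevent accidental influence on other git commands
+unset GIT_DIR GIT_WORK_TREE
+done
+if [ -n "${GIT_COMMITS}" ]; then
+echo "${GIT_COMMITS}" >> "${LOGFILE}"
+fi
+fi
+
+# insert into PG
+# SQL_TEXTE=`echo "${TEXTE}" | sed "s/'/\\\\\\'/g ; s@/@\\\\\/@g ; s@\\&@et@g"`
+SQL_TEXTE=`echo "${TEXTE}" | sed "s/'/''/g"`
+
+PG_QUERY="INSERT INTO evomaint(hostname,userid,ipaddress,begin_date,end_date,details) VALUES ('${HOSTNAME}','${USER}','${IP}','${BEGIN_DATE}',now(),'${SQL_TEXTE}')"
+echo "${PG_QUERY}" | psql ${PGDB} ${PGTABLE} -h ${PGHOST} --quiet
+
+# send mail
+MAIL_TEXTE=$(echo "${TEXTE}" | sed -e "s@/@\\\\\/@g ; s@&@\\\\&@")
+MAIL_GIT_COMMITS=$(echo "${GIT_COMMITS}" | sed -e "s@/@\\\\\/@g ; s@&@\\\\&@")
+
+cat /usr/share/scripts/evomaintenance.tpl | \
+sed -e "s/__TO__/${EVOMAINTMAIL}/ ; s/__HOSTNAME__/${HOSTNAME_TEXT}/ ; s/__USER__/${USER}/ ; s/__BEGIN_DATE__/${BEGIN_DATE}/ ; s/__END_DATE__/${END_DATE}/ ; s/__GIT_COMMITS__/${MAIL_GIT_COMMITS}/ ; s/__TEXTE__/${MAIL_TEXTE}/ ; s/__IP__/${IP}/ ; s/__FULLFROM__/${FULLFROM}/ ; s/__FROM__/${FROM}/ ; s/__URGENCYFROM__/${URGENCYFROM}/ ; s/__URGENCYTEL__/${URGENCYTEL}/" | \
+${SENDMAIL_BIN} -oi -t -f ${FROM}
+
+exit 0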
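Review bot: `PG_QUERY` near the end of the script splices `${HOSTNAME}`, `${USER}`, `${IP}` and `${BEGIN_DATE}` into SQL string literals, but only `${TEXTE}` receives the `s/'/''/g` quote doubling; `IP` is parsed out of `who` (the utmp host field) and `HOSTNAME` out of the sourced config file, so neither is guaranteed quote-free, and the script runs as root through the `MAINT` sudo alias and the doas trap added elsewhere in this commit. Apply the same escaping to every interpolated field (a small helper keeps it in one place), or pass the values as psql `-v` variables instead of building the statement as text. `read TEXTE` should be `read -r TEXTE` so backslashes typed in the maintenance message are kept literally rather than interpreted. The mail `sed` below the query only escapes `/` and `&` in `TEXTE` and `GIT_COMMITS`; the config-sourced fields (`FULLFROM`, `FROM`, …) are passed through unescaped, which is acceptable only as long as `/etc/evomaintenance.cf` stays root-owned 0600 as `roles/base/tasks/evomaintenance.yml` sets it.

```sh
# Double single quotes in every value that is spliced into an SQL literal
sql_escape() {
    printf '%s' "$1" | sed "s/'/''/g"
}
SQL_TEXTE=$(sql_escape "${TEXTE}")
SQL_HOSTNAME=$(sql_escape "${HOSTNAME}")
SQL_USER=$(sql_escape "${USER}")
SQL_IP=$(sql_escape "${IP}")
SQL_BEGIN_DATE=$(sql_escape "${BEGIN_DATE}")

PG_QUERY="INSERT INTO evomaint(hostname,userid,ipaddress,begin_date,end_date,details) VALUES ('${SQL_HOSTNAME}','${SQL_USER}','${SQL_IP}','${SQL_BEGIN_DATE}',now(),'${SQL_TEXTE}')"
# … unchanged: psql call, mail sending …
```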
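--- a/roles/base/files/evomaintenance.tpl
+++ b/roles/base/files/evomaintenance.tpl
@@ -0,0 +1,33 @@
+From: __FULLFROM__
+Content-Type: text/plain; charset=UTF-8
+MIME-Version: 1.0
+Content-Transfer-Encoding: 8bit
+To: __TO__
+Subject: [evomaintenance] Intervention sur __HOSTNAME__ (__USER__)
+
+Bonjour,
+
+Une intervention vient de se terminer sur votre serveur.
+Voici les renseignements sur l'intervention :
+
+Nom du serveur : __HOSTNAME__
+Personne ayant réalisée l'intervention : __USER__
+Intervention réalisée depuis : __IP__
+Début de l'intervention : __BEGIN_DATE__
+Fin de l'intervention : __END_DATE__
+
+###
+Renseignements sur l'intervention :
+__TEXTE__
+###
+
+__GIT_COMMITS__
+
+Pour réagir à cette intervention, vous pouvez répondre à ce message
+(sur l'adresse mail __FROM__). En cas d'urgence, utilisez
+l'adresse __URGENCYFROM__ ou notre téléphone portable d'astreinte
+(__URGENCYTEL__)
+
+Cordialement,
+--
+__FULLFROM__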
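--- a/roles/base/files/installurl
+++ b/roles/base/files/installurl
@@ -0,0 +1 @@
+https://cdn.openbsd.org/pub/OpenBSD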
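--- a/roles/base/files/kshrc
+++ b/roles/base/files/kshrc
@@ -0,0 +1,17 @@
+alias vi='vim'
+sudo() { if [[ $# == "1" ]] && [[ $1 == "su" ]]; then command sudo -i; else command sudo "$@"; fi }
+
+##
+# Caracterisation du shell
+##
+
+bind -m '^L'='^U 'clear'^M^Y'
+bind '^[[4~'=end-of-line
+bind '^[[1~'=beginning-of-line
+bind '^[[3~'=delete-char-forward
+bind '^[[8~'=end-of-line
+bind '^[[7~'=beginning-of-line
+bind '^[Oc'=forward-word
+bind '^[Od'=backward-word
+bind '^[^[[C'=forward-word
+bind '^[^[[D'=backward-word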
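--- a/roles/base/files/profile
+++ b/roles/base/files/profile
@@ -0,0 +1,27 @@
+# $OpenBSD: dot.profile,v 1.9 2010/12/13 12:54:31 millert Exp $
+#
+# sh/ksh initialization
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/local/sbin:/usr/local/bin
+export PATH HOME TERM
+export PS1="\u@\h:\w\\$ "
+HISTFILE=$HOME/.histfile
+export HISTSIZE=10000
+export HISTCONTROL='ignoredups:ignorespace'
+export TMOUT=36000
+export PAGER=less
+umask 022
+
+export ENV='~/.kshrc'
+
+case "$-" in
+*i*) # interactive shell
+if [ -x /usr/bin/tset ]; then
+if [ X"$XTERM_VERSION" = X"" ]; then
+eval `/usr/bin/tset -sQ '-munknown:?vt220' $TERM`
+else
+eval `/usr/bin/tset -IsQ '-munknown:?vt220' $TERM`
+fi
+fi
+;;
+esac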
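--- a/roles/base/files/vimrc
+++ b/roles/base/files/vimrc
@@ -0,0 +1,11 @@
+syntax on
+set hlsearch
+set background=dark
+set expandtab
+set tabstop=4
+set softtabstop=0
+set shiftwidth=4
+set smarttab
+set backspace=indent,eol,start
+set showcmd
+set encoding=utf-8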
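--- a/roles/base/files/zzz_evobackup
+++ b/roles/base/files/zzz_evobackup
@@ -0,0 +1,222 @@
+#!/bin/sh
+
+#
+# Script Evobackup plus ou moins forké
+# See https://forge.evolix.org/projects/evobackup
+#
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin
+
+## lang = C for english outputs
+LANGUAGE=C
+LANG=C
+
+## Force umask
+umask 077
+
+## Verify other evobackup process and kill if needed
+PIDFILE=/var/run/evobackup.pid
+if [ -e $PIDFILE ]; then
+# Killing the childs of evobackup.
+for pid in $(ps h --ppid $(cat $PIDFILE) -o pid | tr -s '\n' ' '); do
+kill -9 $pid;
+done
+# Then kill the main PID.
+kill -9 $(cat $PIDFILE)
+echo "$0 tourne encore (PID `cat $PIDFILE`). Processus killé" >&2
+fi
+echo "$$" > $PIDFILE
+trap "rm -f $PIDFILE" EXIT
+
+# Variable to choose different backup server with date
+NODE=$(expr `date +%d` % 2 + 2)
+
+# port SSH
+SSH_PORT=2XXX
+
+# email adress for notifications
+MAIL={{ general_alert_email }}
+
+# backup server used
+SRV=node$NODE.backup2.evolix.net
+
+# choose "linux" or "bsd"
+SYSTEME=$(uname | tr '[:upper:]' '[:lower:]')
+
+## We use /home/backup : feel free to use your own dir
+mkdir -p -m 700 /home/backup
+
+## OpenLDAP : example with slapcat
+# slapcat -l /home/backup/ldap.bak
+
+### MySQL
+
+## example with global and compressed mysqldump
+# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 \
+# --opt --all-databases --force --events --hex-blob | gzip --best > /home/backup/mysql.bak.gz
+
+## example with two dumps for each table (.sql/.txt) for all databases
+# for i in $(echo SHOW DATABASES | mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 \
+# | egrep -v "^(Database|information_schema|performance_schema)" ); \
+# do mkdir -p /home/mysqldump/$i ; chown -RL mysql /home/mysqldump ; \
+# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 -Q --opt --events --hex-blob --skip-comments -T \
+# /home/mysqldump/$i $i; done
+
+## example with compressed SQL dump for each databases
+# mkdir -p /home/mysqldump/
+# for i in $(mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 -e 'show databases' -s --skip-column-names \
+# | egrep -v "^(Database|information_schema|performance_schema)"); do
+# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --events --hex-blob $i | gzip --best > /home/mysqldump/${i}.sql.gz
+# done
+
+## example with *one* uncompressed SQL dump for *one* database (MYBASE)
+# mkdir -p -m 700 /home/mysqldump/MYBASE
+# chown -RL mysql /home/mysqldump/
+# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -Q \
+# --opt --events --hex-blob --skip-comments -T /home/mysqldump/MYBASE MYBASE
+
+## example with mysqlhotcopy
+# mkdir -p /home/mysqlhotcopy/
+# mysqlhotcopy BASE /home/mysqlhotcopy/
+
+## example for multiples MySQL instances
+# mysqladminpasswd=`cat /root/.my.cnf |grep -m1 'password = .*' |cut -d" " -f3`
+# grep -E "^port\s*=\s*\d*" /etc/mysql/my.cnf |while read instance; do
+# instance=$(echo $instance |tr -d '\t')
+# instance=${instance// /}
+# instance=${instance//port=/}
+# if [ "$instance" != "3306" ]
+# then
+# mysqldump -P $instance --opt --all-databases --hex-blob -u mysqladmin -p$mysqladminpasswd > /home/backup/mysql.$instance.bak
+# fi
+# done
+
+### PostgreSQL
+
+## example with pg_dumpall (warning: you need space in ~postgres)
+# su - postgres -c "pg_dumpall > ~/pg.dump.bak"
+# mv ~postgres/pg.dump.bak /home/backup/
+
+## example with all tables from MYBASE excepts TABLE1 and TABLE2
+# pg_dump -p 5432 -h 127.0.0.1 -U USER --clean -F t --inserts -f /home/backup/pg-backup.tar -t 'TABLE1' -t 'TABLE2' MYBASE
+
+## example with only TABLE1 and TABLE2 from MYBASE
+# pg_dump -p 5432 -h 127.0.0.1 -U USER --clean -F t --inserts -f /home/backup/pg-backup.tar -T 'TABLE1' -T 'TABLE2' MYBASE
+
+## MongoDB : example with mongodump
+## don't forget to create use with read-only access
+## > use admin
+## > db.addUser("mongobackup", "PASS", true);
+# mongodump -u mongobackup -pPASS -o /home/backup/mongodump/ >/dev/null 2>&1 |grep -v "^connected to:"
+
+## Redis : example with copy .rdb file
+# cp /var/lib/redis/dump.rdb /home/backup/
+
+## ElasticSearch : example with rsync (warning: don't forget to use NFS if you have a cluster)
+## Disable ES translog flush
+# curl -s -XPUT 'localhost:9200/_settings' -d '{"index.translog.disable_flush": true}' >/dev/null
+## Flushes translog
+# curl -s 'localhost:9200/_flush' | grep -qe '"ok":true'
+## If it succeed, do an rsync of the datadir
+# if [ $? -eq 0 ]; then
+# rsync -a /var/lib/elasticsearch /home/backup/
+# else
+# echo "Error when flushing ES translog indexes."
+# fi
+## In any case re-enable translog flush
+# curl -s -XPUT 'localhost:9200/_settings' -d '{"index.translog.disable_flush": false}' > /dev/null
+
+## Dump MBR / table partitions with dd and sfdisk
+## Linux
+# dd if=/dev/sda of=/home/backup/MBR bs=512 count=1 2>&1 | egrep -v "(records in|records out|512 bytes)"
+# sfdisk -d /dev/sda > /home/backup/partitions 2>&1 | egrep -v "(Warning: extended partition does not start at a cylinder boundary|DOS and Linux will interpret the contents differently)"
+## OpenBSD
+# disklabel sd0 > /home/backup/partitions
+
+# backup MegaCli config
+#megacli -CfgSave -f /home/backup/megacli_conf.dump -a0 >/dev/null
+
+## Dump network routes with mtr and traceroute (warning: could be long with aggressive firewalls)
+for addr in 8.8.8.8 backup.evolix.net www.evolix.fr www.evolix.net; do
+mtr -r $addr > /home/backup/mtr-${addr} 2>/dev/null
+traceroute -n $addr > /home/backup/traceroute-${addr} 2>/dev/null
+done
+
+## Dump process with ps
+ps aux >/home/backup/ps.out
+
+if [ $SYSTEME = "linux" ]; then
+## Dump network connections with netstat
+netstat -taupen >/home/backup/netstat.out
+
+## List Debian packages
+dpkg -l >/home/backup/packages
+else
+## Dump network connections with netstat
+netstat -finet -atn >/home/backup/netstat.out
+
+## List OpenBSD packages
+pkg_info -m >/home/backup/packages
+fi
+
+HOSTNAME=$(hostname)
+
+DATE=$(/bin/date +"%d-%m-%Y")
+
+DEBUT=$(/bin/date +"%d-%m-%Y ; %H:%M")
+
+if [ $SYSTEME = "linux" ]; then
+rep="/bin /boot /lib /opt /sbin /usr"
+else
+rep="/bsd /bin /sbin /usr"
+fi
+
+/usr/local/bin/rsync -avzh --stats --delete --delete-excluded --force --ignore-errors --partial \
+--exclude "lost+found" \
+--exclude ".nfs.*" \
+--exclude "/var/log" \
+--exclude "/var/log/evobackup*" \
+--exclude "/var/lib/mysql" \
+--exclude "/var/lib/postgres" \
+--exclude "/var/lib/postgresql" \
+--exclude "/var/lib/sympa" \
+--exclude "/var/lib/metche" \
+--exclude "/var/run" \
+--exclude "/var/lock" \
+--exclude "/var/state" \
+--exclude "/var/apt" \
+--exclude "/var/cache" \
+--exclude "/usr/src" \
+--exclude "/usr/doc" \
+--exclude "/usr/share/doc" \
+--exclude "/usr/obj" \
+--exclude "dev" \
+--exclude "/var/spool/postfix" \
+--exclude "/var/lib/amavis/amavisd.sock" \
+--exclude "/var/lib/munin/*tmp*" \
+--exclude "/var/lib/php5" \
+--exclude "/var/spool/squid" \
+--exclude "/var/lib/elasticsearch" \
+--exclude "/var/lib/amavis/tmp" \
+--exclude "/var/lib/clamav/*.tmp" \
+--exclude "/home/mysqltmp" \
+$rep \
+/etc \
+/root \
+/var \
+/home \
+-e "ssh -p $SSH_PORT" \
+root@${SRV}:/var/backup/ \
+| tail -30 >> /var/log/evobackup.log
+
+FIN=$(/bin/date +"%d-%m-%Y ; %H:%M")
+
+echo "EvoBackup - $HOSTNAME - START $DEBUT" \
+>> /var/log/evobackup.log
+
+echo "EvoBackup - $HOSTNAME - STOP $FIN" \
+>> /var/log/evobackup.log
+
+tail -10 /var/log/evobackup.log | \
+mail -s "[info] EvoBackup - Client $HOSTNAME" \
+$MAIL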
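Review bot: The pidfile block at the top uses `ps h --ppid ...`, a procps (Linux) form; OpenBSD's `ps`, on the system this project targets, has no `--ppid` option, so the child-killing loop most likely does nothing there and only the parent PID is signalled. The block also `kill -9`s whatever PID is in a possibly stale pidfile without checking that the process still exists, which on PID reuse hits an unrelated process; the rest of the script is already OS-aware through `$SYSTEME`, so the pidfile handling should be too. `pgrep -P` exists on both systems and a `kill -0` probe avoids acting on a stale file. `SSH_PORT=2XXX` is a placeholder that makes the `ssh -p $SSH_PORT` call fail until edited on the host; a comment saying so, `# to be set per host before enabling the cron line`, would save a debugging round.

```sh
if [ -e $PIDFILE ]; then
    OLDPID=$(cat $PIDFILE)
    # only act if the recorded PID is still alive (stale pidfile otherwise)
    if kill -0 "$OLDPID" 2>/dev/null; then
        # Killing the childs of evobackup.
        for pid in $(pgrep -P "$OLDPID"); do
            kill -9 $pid;
        done
        # Then kill the main PID.
        kill -9 "$OLDPID"
        echo "$0 tourne encore (PID $OLDPID). Processus killé" >&2
    fi
fi
# … unchanged: pidfile creation, trap, backup steps …
```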
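--- a/roles/base/handlers/main.yml
+++ b/roles/base/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: newaliases
+  shell: smtpctl update table aliases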
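--- a/roles/base/tasks/doas.yml
+++ b/roles/base/tasks/doas.yml
@@ -0,0 +1,13 @@
+---
+- name: Configure doas
+  template:
+    src: doas.conf.j2
+    dest: /etc/doas.conf
+    owner: root
+    group: wheel
+    mode: "0640"
+    backup: no
+  tags:
+    - doas
+
+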
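--- a/roles/base/tasks/dotfiles.yml
+++ b/roles/base/tasks/dotfiles.yml
@@ -0,0 +1,63 @@
+---
+- name: Customize root's .profile
+  copy:
+    src: profile
+    dest: /root/.profile
+  tags:
+    - admin
+    - dotfiles
+
+- name: Copy vim default configuration
+  copy:
+    src: vimrc
+    dest: /root/.vimrc
+    mode: "0644"
+  tags:
+    - admin
+    - dotfiles
+    - vim
+
+- name: Customize .kshrc environment file
+  copy:
+    src: kshrc
+    dest: /root/.kshrc
+  tags:
+    - admin
+    - dotfiles
+
+- name: Change default .profile skeleton
+  copy:
+    src: profile
+    dest: /etc/skel/.profile
+  tags:
+    - admin
+    - dotfiles
+
+- name: Add evomaintenance trap .profile skeleton with doas
+  lineinfile:
+    state: present
+    dest: /etc/skel/.profile
+    insertafter: EOF
+    line: 'trap "doas /usr/share/scripts/evomaintenance.sh" 0'
+    create: yes
+  tags:
+    - admin
+    - dotfiles
+
+- name: Add vim configuration to dotfiles for new users
+  copy:
+    src: vimrc
+    dest: /etc/skel/.vimrc
+    mode: "0644"
+  tags:
+    - admin
+    - dotfiles
+    - vim
+
+- name: Customize .kshrc environment file for new users
+  copy:
+    src: kshrc
+    dest: /etc/skel/.kshrc
+  tags:
+    - admin
+    - dotfiles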
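Review bot: The `trap "doas /usr/share/scripts/evomaintenance.sh" 0` line appended to `/etc/skel/.profile` makes every new user run a root-only script through doas on logout, but the doas rule that would permit it lives in `doas.conf.j2`, which is not in the part of this diff shown here, while `roles/base/tasks/sudo.yml` grants the same script to `%wheel` via sudo; the two mechanisms should agree on who may run it, and the task deserves a comment naming the authoritative one, e.g. `# relies on a doas.conf rule allowing wheel to run evomaintenance.sh without password`. The `profile` and `kshrc` copies set no `mode` while the `vimrc` copies use `"0644"`; add the same for consistency. `create: yes` should be `true`.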
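--- a/roles/base/tasks/evobackup.yml
+++ b/roles/base/tasks/evobackup.yml
@@ -0,0 +1,20 @@
+---
+- name: Copy zzz_evobackup script
+  copy:
+    src: zzz_evobackup
+    dest: /usr/share/scripts/zzz_evobackup
+    owner: root
+    group: wheel
+    mode: "0755"
+    force: no
+  tags:
+    - evobackup
+
+- name: Add evobackup cron (disabled)
+  lineinfile:
+    path: /etc/daily.local
+    line: '#sh /usr/share/scripts/zzz_evobackup'
+    owner: root
+    mode: "0700"
+  tags:
+    - evobackup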
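Review bot: `roles/base/files/zzz_evobackup` contains `MAIL={{ general_alert_email }}`, but this task deploys it with `copy:`, which does no Jinja rendering, so the installed script will try to mail its report to the literal string `{{ general_alert_email }}` once the cron line is enabled. Move the file to `templates/` and use `template:` (it supports `force: no` too, if local edits such as `SSH_PORT` must survive re-runs), or drop the placeholder from the script. `force: no` also means later fixes to the script in this repo never reach hosts that already have a copy, which is worth stating on the task: `# installed once only: the host's local edits (SSH_PORT, excludes) win over the repo copy`. `force: no` should be spelled `false`.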
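--- a/roles/base/tasks/evomaintenance.yml
+++ b/roles/base/tasks/evomaintenance.yml
@@ -0,0 +1,51 @@
+---
+- name: Create scripts directory
+  file:
+    path: /usr/share/scripts/
+    state: directory
+    owner: root
+    group: wheel
+    mode: "0700"
+  tags:
+    - evomaintenance
+
+- name: Copy evomaintenance script and template
+  copy: src={{ item.src }} dest={{ item.dest }} owner=root group=wheel mode="0755"
+  with_items:
+    - { src: 'evomaintenance.sh', dest: '/usr/share/scripts/' }
+    - { src: 'evomaintenance.tpl', dest: '/usr/share/scripts/' }
+  tags:
+    - evomaintenance
+    - script-evomaintenance
+
+- name: Configure evomaintenance
+  template:
+    src: evomaintenance.j2
+    dest: /etc/evomaintenance.cf
+    owner: root
+    group: wheel
+    mode: "0600"
+    backup: no
+  tags:
+    - evomaintenance
+
+- name: Copy mailevomaintenance
+  template:
+    src: mailevomaintenance.sh.j2
+    dest: /usr/share/scripts/mailevomaintenance.sh
+    owner: root
+    group: wheel
+    mode: "0700"
+  tags:
+    - evomaintenance
+    - mailevomaintenance
+
+- name: Add mailevomaintenance cron
+  cron:
+    name: "mailevomaintenance"
+    job: "/usr/share/scripts/mailevomaintenance.sh"
+    minute: "50"
+    hour: "22"
+    disabled: yes
+  tags:
+    - mailevomaintenance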
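Review bot: The "Copy evomaintenance script and template" task uses the `key=value` argument string and applies `mode="0755"` to both items, so the mail template `evomaintenance.tpl` ends up executable; the surrounding tasks use block YAML with an explicit mode per file, so this one should too, carrying the mode in each item (`0755` for the script, `0644` for the template) and rendering it as `mode: "{{ item.mode }}"`. Since the directory is created `0700` root-only just above, nobody but root can reach either file, so this is a consistency point rather than an exposure. `backup: no` and `disabled: yes` are truthy spellings yamllint flags; use `false`/`true`.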
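--- a/roles/base/tasks/mail.yml
+++ b/roles/base/tasks/mail.yml
@@ -0,0 +1,19 @@
+---
+- name: Configure rc.local
+  lineinfile:
+    path: /etc/rc.local
+    line: 'date | mail -s "boot/reboot of $(hostname -s)" {{ general_alert_email }}'
+    create: yes
+  tags:
+    - misc
+
+- name: Set root mail alias
+  replace:
+    dest: /etc/mail/aliases
+    regexp: "# root:"
+    replace: "root: {{ general_alert_email }}"
+    backup: no
+  notify:
+    - newaliases
+  tags:
+    - mail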
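Review bot: `regexp: "# root:"` in the "Set root mail alias" task is unanchored, so it also matches a `# root:` fragment inside any other comment line and turns it into an active alias, and because `replace` only rewrites the matched portion, whatever followed the colon on the original line is kept as an extra recipient. Anchor it and consume the rest of the line: `regexp: '^# root:.*$'`. The `rc.local` line in the first task is fine, but `create: yes` and `backup: no` should be `true`/`false`.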
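--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+# tasks file for evobsd-base
+- include: packages.yml
+- include: doas.yml
+- include: dotfiles.yml
+- include: evomaintenance.yml
+- include: mail.yml
+- include: sudo.yml
+- include: evobackup.yml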
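Review bot: Bare `include:` is deprecated since Ansible 2.4 and slated for removal, so these seven entries will eventually break the role. The static form `- import_tasks: packages.yml` (and likewise for the others) is the drop-in replacement and keeps the `tags:` declared inside the included files usable with `--tags`.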
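--- a/roles/base/tasks/packages.yml
+++ b/roles/base/tasks/packages.yml
@@ -0,0 +1,31 @@
+---
+
+- name: Configure installurl
+  copy:
+    dest: /etc/installurl
+    src: installurl
+  tags:
+    - pkg
+
+- name: Install packages (vim rsync mtr etc)
+  openbsd_pkg:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - wget
+    - vim--no_x11
+    - rsync--
+    - mtr--
+    - iftop
+    - postgresql-client
+  tags:
+    - pkg
+
+- name: Install sudo
+  openbsd_pkg:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - sudo--
+  tags:
+    - pkg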
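Review bot: Both `openbsd_pkg` tasks loop with `with_items` and `name: "{{ item }}"`, which runs one pkg_add per package and makes the single-item `Install sudo` loop needlessly verbose. The module documents `name` as a list, so passing the list directly (`name: [wget, vim--no_x11, rsync--, mtr--, iftop, postgresql-client]`) does one run and gives one clear changed/ok result; `sudo--` can be written as `name: sudo--` or added to the same list.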
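--- a/roles/base/tasks/sudo.yml
+++ b/roles/base/tasks/sudo.yml
@@ -0,0 +1,29 @@
+---
+# dont't break the tab!
+- name: Allow wheel group to run command as root in sudo
+  lineinfile:
+    dest: /etc/sudoers
+    insertafter: '# and set environment variables.'
+    line: '%wheel ALL=(ALL) SETENV: ALL'
+    validate: 'visudo -cf %s'
+    backup: no
+  tags:
+    - sudo
+
+- name: Configure sudoers for evomaintenance and monitoring
+  blockinfile:
+    state: present
+    dest: /etc/sudoers
+    insertafter: EOF
+    block: |
+      Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh
+      %wheel ALL=NOPASSWD: MAINT
+      _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/plugins/check_ipsecctl.sh
+      _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_mailq
+      _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/plugins/check_ospfd_simple
+    validate: 'visudo -cf %s'
+    backup: no
+  tags:
+    - sudo
+
+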
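Review bot: The three `_nrpe` NOPASSWD entries in the blockinfile grant the commands with any arguments, and check_ipsecctl.sh in particular takes three positional parameters that it interpolates into a grep pattern while running as root. sudoers can pin the accepted arguments per tunnel (`_nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/plugins/check_ipsecctl.sh <src> <dst> <name>`), or at minimum the plugin should validate its inputs. The comment `# dont't break the tab!` has a typo and the line it guards shows only spaces here, so if a literal tab is required it may already have been lost. `backup: no` should be `false`.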
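--- a/roles/base/templates/doas.conf.j2
+++ b/roles/base/templates/doas.conf.j2
@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} :wheel
+permit nopass root
+permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :wheel as root cmd /usr/share/scripts/evomaintenance.sh
+permit nopass _nrpe cmd /usr/local/libexec/nagios/check_ipsecctl.sh
+permit nopass _nrpe as root cmd /sbin/bioctl args sd2
+permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_openbgpd
+permit nopass _collectd as root cmd /usr/sbin/bgpctl
+permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd
+permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospf6d
+permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_pf_states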
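Review bot: The rule `permit nopass _nrpe cmd /usr/local/libexec/nagios/check_ipsecctl.sh` points at a path this commit never installs: the plugins are copied to `/usr/local/libexec/nagios/plugins/` (roles/nagios-nrpe/tasks/main.yml) and the sudoers block uses that `plugins/` path, so the doas rule will not match and the check fails as _nrpe. Likewise `plugins/check_ospfd` does not correspond to any file added here, the ospfd plugin shipped is `check_ospfd_simple`, which sudoers references. Only the bioctl rule restricts arguments with `args sd2`; the other plugin rules accept arbitrary arguments and could use `args` the same way where the plugin takes none.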
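--- a/roles/base/templates/evomaintenance.j2
+++ b/roles/base/templates/evomaintenance.j2
@@ -0,0 +1,13 @@
+HOSTNAME={{ evomaintenance_hostname }}
+EVOMAINTMAIL={{ evomaintenance_alert_email or general_alert_email | mandatory }}
+
+export PGPASSWORD={{ evomaintenance_pg_passwd | mandatory }}
+
+PGDB={{ evomaintenance_pg_db | mandatory }}
+PGTABLE={{ evomaintenance_pg_table | mandatory }}
+PGHOST={{ evomaintenance_pg_host | mandatory }}
+FROM={{ evomaintenance_from }}
+FULLFROM="{{ evomaintenance_full_from }}"
+URGENCYFROM={{ evomaintenance_urgency_from }}
+URGENCYTEL="{{ evomaintenance_urgency_tel }}"
+REALM="{{ evomaintenance_realm }}"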
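Review bot: `export PGPASSWORD={{ evomaintenance_pg_passwd | mandatory }}` writes the database password unquoted into a file of shell assignments, so a password containing a space, `;`, `&` or `$` either truncates the value or is interpreted when the file is sourced (this file is presumably sourced by evomaintenance.sh, which is not in view). Quote it as `export PGPASSWORD="{{ evomaintenance_pg_passwd | mandatory }}"`, and do the same for HOSTNAME, EVOMAINTMAIL, PGDB, PGTABLE, PGHOST, FROM and URGENCYFROM, as FULLFROM, URGENCYTEL and REALM already are. Note that `|` binds tighter than `or`, so `mandatory` only guards `general_alert_email` on the second line, which may be the intent.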
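--- a/roles/base/templates/mailevomaintenance.sh.j2
+++ b/roles/base/templates/mailevomaintenance.sh.j2
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+set -eu
+
+cd /etc && _STATUS=$(/usr/local/bin/git status --porcelain)
+[ -n "${_STATUS}" ] || exit 0
+
+if [ -e /etc/realname ]; then
+  _HOSTNAME=$(/bin/cat /etc/realname)
+else
+  _HOSTNAME=$(/bin/hostname)
+fi
+
+
+TMPFILE=$(/usr/bin/mktemp) || exit 1
+echo "Dear NOC,\n\nSome changes in /etc/ were not committed." >> $TMPFILE
+
+echo "" >> $TMPFILE
+echo "${_STATUS}" >> $TMPFILE
+
+echo "" >> $TMPFILE
+/usr/bin/last | head -n 10 >> $TMPFILE
+echo "" >> $TMPFILE
+echo "Please answer this mail to notify people when you've corrected the problem." >> $TMPFILE
+
+/bin/cat $TMPFILE | mail -s "Verif etc-git ${_HOSTNAME}" noc@{{ evomaintenance_realm }}
+
+/bin/rm $TMPFILE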
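Review bot: With `set -eu`, any failing command between `mktemp` and the final `/bin/rm` (the `last | head` pipeline, or `mail` itself) aborts the script and leaves the temp file behind; add `trap 'rm -f "$TMPFILE"' EXIT` right after the `TMPFILE=$(/usr/bin/mktemp) || exit 1` line and drop the trailing rm. The `echo "Dear NOC,\n\n..."` line relies on echo interpreting backslash escapes, which is not portable across sh implementations; `printf 'Dear NOC,\n\nSome changes in /etc/ were not committed.\n' >> "$TMPFILE"` is deterministic. `/bin/cat $TMPFILE | mail ...` can be `mail -s "Verif etc-git ${_HOSTNAME}" noc@{{ evomaintenance_realm }} < "$TMPFILE"`.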
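--- a/roles/etc-git/README.md
+++ b/roles/etc-git/README.md
@@ -0,0 +1,31 @@
+# etc-git
+
+Put /etc under Git version control.
+
+## Tasks
+
+The main part (installation and configuration) is in the `tasks/main.yml` file.
+
+There is also an independant task that can be executed to commit changes made in `/etc/.git`, for example when a playbook is run :
+
+```
+- name: My Splendid Playbook
+  […]
+
+  pre_tasks:
+    - include_role:
+        name: etc-git
+        tasks_from: commit.yml
+      vars:
+        commit_message: "Ansible pre-run my splendid playbook"
+
+  roles :
+    […]
+
+  post_tasks:
+    - include_role:
+        name: etc-git
+        tasks_from: commit.yml
+      vars:
+        commit_message: "Ansible pre-run my splendid playbook"
+```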
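--- a/roles/etc-git/defaults/main.yml
+++ b/roles/etc-git/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+commit_message: Ansible run
+
+etc_git_monitor_status: True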
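Review bot: `etc_git_monitor_status: True` uses the YAML 1.1 capitalised boolean, which yamllint's `truthy` rule rejects and which differs across parsers; write `etc_git_monitor_status: true`. The variable is only ever used in `when:` clauses in tasks/main.yml, so a real boolean is what is wanted here.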
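--- a/roles/etc-git/files/gitignore
+++ b/roles/etc-git/files/gitignore
@@ -0,0 +1,3 @@
+aliases.db
+*.swp
+random.seed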
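--- a/roles/etc-git/tasks/commit.yml
+++ b/roles/etc-git/tasks/commit.yml
@@ -0,0 +1,56 @@
+---
+- name: is /etc clean?
+  command: git status --porcelain
+  args:
+    chdir: /etc
+  changed_when: False
+  register: git_status
+  when: not ansible_check_mode
+  ignore_errors: yes
+  tags:
+    - etc-git
+    - commit-etc
+
+- debug:
+    var: git_status
+    verbosity: 3
+  tags:
+    - etc-git
+    - commit-etc
+
+- name: fetch current Git user.email
+  git_config:
+    name: user.email
+    repo: /etc
+    scope: local
+  register: git_config_user_email
+  ignore_errors: yes
+  tags:
+    - etc-git
+    - commit-etc
+
+- name: set commit author
+  set_fact:
+    commit_author: '{% if ansible_env.SUDO_USER is not defined %}root{% else %}{{ ansible_env.SUDO_USER }}{% endif %}'
+    commit_email: '{% if git_config_user_email.config_value is not defined or git_config_user_email.config_value == "" %}root@localhost{% else %}{{ git_config_user_email.config_value }}{% endif %}'
+  tags:
+    - etc-git
+    - commit-etc
+
+- name: /etc modifications are committed
+  shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\" --author \"{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>\""
+  args:
+    chdir: /etc
+  register: etc_commit_end_run
+  when: not ansible_check_mode and git_status.stdout != ""
+  ignore_errors: yes
+  tags:
+    - etc-git
+    - commit-etc
+
+- debug:
+    var: etc_commit_end_run
+    verbosity: 4
+  tags:
+    - etc-git
+    - commit-etc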
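Review bot: In the `/etc modifications are committed` task the commit message and author are expanded inside a double-quoted shell string, so a `commit_message` (a plain playbook variable) containing `"`, backticks or `$(...)` is interpreted by the shell rather than committed verbatim; pass each value through `| quote` (`-m {{ commit_message | mandatory | quote }}`) or switch to `command:` with `argv`. `ansible_env.SUDO_USER` is only set by sudo, while this project also deploys doas (roles/base/templates/doas.conf.j2), which sets `DOAS_USER` instead, so under doas the author silently falls back to `root`; consider checking both variables. The truthy scalars `ignore_errors: yes` and `changed_when: False` should be `true`/`false`.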
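--- a/roles/etc-git/tasks/main.yml
+++ b/roles/etc-git/tasks/main.yml
@@ -0,0 +1,118 @@
+---
+
+- name: Git is installed
+  openbsd_pkg:
+    name: git
+    state: present
+  tags:
+    - etc-git
+
+- name: /etc is versioned with git
+  command: "git init ."
+  args:
+    chdir: /etc
+    creates: /etc/.git/
+    warn: no
+  register: git_init
+  tags:
+    - etc-git
+
+- name: Git user.email is configured
+  git_config:
+    name: user.email
+    repo: /etc
+    scope: local
+    value: "root@{{ ansible_fqdn | default('localhost') }}"
+  tags:
+    - etc-git
+
+- name: /etc/.git is secure
+  file:
+    path: /etc/.git
+    owner: root
+    mode: "0700"
+    state: directory
+  tags:
+    - etc-git
+
+- name: /etc/.gitignore is present
+  copy:
+    src: gitignore
+    dest: /etc/.gitignore
+    owner: root
+    mode: "0600"
+  tags:
+    - etc-git
+
+- name: does /etc/ have any commit?
+  command: "git log"
+  args:
+    chdir: /etc
+    warn: no
+  changed_when: False
+  failed_when: False
+  register: git_log
+  check_mode: no
+  tags:
+    - etc-git
+
+- name: initial commit is present?
+  shell: "git add -A . && git commit -m \"Initial commit via Ansible\""
+  args:
+    chdir: /etc
+    warn: no
+  register: git_commit
+  when: git_log.rc != 0 or (git_init is defined and git_init.changed)
+  tags:
+    - etc-git
+
+- name: Optimize script is installed in monthly crontab
+  lineinfile:
+    path: /etc/monthly.local
+    line: '/usr/local/bin/git --git-dir /etc/.git gc --quiet'
+    owner: root
+    mode: "0700"
+    create: yes
+  tags:
+    - etc-git
+
+- name: cron job for /etc/.git status is installed
+  lineinfile:
+    path: /etc/daily.local
+    line: '/usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short'
+    owner: root
+    mode: "0700"
+    create: yes
+  when: etc_git_monitor_status
+  tags:
+    - etc-git
+
+- name: cron job for /etc/.git status is removed
+  lineinfile:
+    path: /etc/daily.local
+    line: '/usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short'
+    owner: root
+    mode: "0700"
+    state: absent
+  when: not etc_git_monitor_status
+  tags:
+    - etc-git
+
+- name: hourly cron job for /etc/.git status is installed
+  cron:
+    name: git status
+    minute: 42
+    job: "who > /dev/null || /usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short"
+  when: etc_git_monitor_status
+  tags:
+    - etc-git
+
+- name: hourly cron job for /etc/.git status is removed
+  cron:
+    name: git status
+    minute: 42
+    job: "who > /dev/null || /usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short"
+    state: absent
+  when: not etc_git_monitor_status
+  tags:
+    - etc-git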
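Review bot: The hourly cron job `who > /dev/null || git ... status --short` looks intended to report uncommitted changes only when nobody is logged in, but who(1) exits 0 whether or not it prints any sessions, so unless the OpenBSD implementation differs the git status branch never runs and the hourly check is a no-op; `[ -n "$(who)" ] || /usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short` expresses the intent. The same job string appears in the matching `removed` task and must be changed there too, or the old entry will not be removed. `minute: 42` should be quoted (`"42"`) as the cron module takes a string, and `warn: no`, `create: yes`, `check_mode: no` should be `true`/`false`.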
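--- a/roles/forwarding/tasks/main.yml
+++ b/roles/forwarding/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+- name: Enable IPv4 forwarding
+  sysctl:
+    name: net.inet.ip.forwarding
+    value: 1
+    state: present
+    reload: yes
+  tags:
+    - net
+
+- name: Enable IPv6 forwarding
+  sysctl:
+    name: net.inet6.ip6.forwarding
+    value: 1
+    state: present
+    reload: yes
+  tags:
+    - net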
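Review bot: `value: 1` is a YAML integer passed to a module parameter documented as a string; it works through implicit conversion but `value: "1"` is the canonical form and avoids a spurious change report on some Ansible versions when the current value compares as a string. `reload: yes` should be `reload: true`. Both tasks are identical except for the key name, so a single task looping over the two sysctl names would keep them in step.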
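--- a/roles/nagios-nrpe/README.md
+++ b/roles/nagios-nrpe/README.md
@@ -0,0 +1,13 @@
+# nagios-nrpe
+
+Installation and custom configuration of Nagios NRPE server.
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file.
+
+## Available variables
+
+* `nagios_nrpe_allowed_hosts` : list of IP/hosts authorized (default: none).
+
+The full list of variables (with default values) can be found in `defaults/main.yml`.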
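--- a/roles/nagios-nrpe/defaults/main.yml
+++ b/roles/nagios-nrpe/defaults/main.yml
@@ -0,0 +1,13 @@
+---
+evolix_trusted_ips: []
+additional_trusted_ips: []
+# Let's merge evolix_trusted_ips with additional_trusted_ips
+nagios_nrpe_allowed_hosts: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}"
+nagios_nrpe_ldap_dc: "dc=DOMAIN,dc=EXT"
+nagios_nrpe_ldap_passwd: LDAP_PASSWD
+nagios_nrpe_pgsql_passwd: PGSQL_PASSWD
+nagios_nrpe_amavis_from: "foobar@{{ ansible_domain }}"
+
+nagios_nrpe_check_proxy_host: "www.example.com"
+
+nagios_plugins_directory: "/usr/local/lib/nagios/plugins"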
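Review bot: `nagios_plugins_directory: "/usr/local/lib/nagios/plugins"` disagrees with where this commit actually installs the plugins, `/usr/local/libexec/nagios/plugins/` in roles/nagios-nrpe/tasks/main.yml and in the sudoers and doas rules, so any template that uses the variable will point at a directory that does not exist; one of the two paths needs to change. The placeholder credentials `nagios_nrpe_ldap_passwd: LDAP_PASSWD` and `nagios_nrpe_pgsql_passwd: PGSQL_PASSWD` mean a missing vault override is not an error but a silently deployed bogus password; dropping the defaults and applying `| mandatory` where they are consumed fails the run instead. `union` already returns unique elements, so the trailing `| unique` is redundant.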
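--- a/roles/nagios-nrpe/files/plugins_bsd/check_carp_if
+++ b/roles/nagios-nrpe/files/plugins_bsd/check_carp_if
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+# Copyright (c) 2012, Claudiu Vasadi
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation
+# and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# The views and conclusions contained in the software and documentation are those
+# of the authors and should not be interpreted as representing official policies,
+# either expressed or implied, of the FreeBSD Project.
+
+
+#
+# Script to check the state (master/backup) of a carp internface
+# $1 - carp if
+# $2 - state
+#
+
+. /usr/local/libexec/nagios/utils.sh
+
+# check if $1 and $2 is set
+if [ -z "$1" ];then
+  echo "carp interface not set. Exiting ..."
+  exit "$STATE_CRITICAL"
+fi
+
+if [ -z "$2" ];then
+  echo "Interface status not set. Exiting ..."
+  exit "$STATE_CRITICAL"
+fi
+
+# check if the carp interface exists or not
+ifconfig $1 > /dev/null
+if [ $? != "0" ];then
+  echo "carp interface $1 does not exist. Exiting ...."
+  exit "$STATE_CRITICAL"
+fi
+
+# check state
+ifconfig $1 | grep -i $2 > /dev/null
+if [ $? != "0" ];then
+  echo "NOT_OK - $1 should be $2"
+  exit "$STATE_CRITICAL"
+else
+  echo "OK - $1 is $2"
+  exit "$STATE_OK"
+fi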
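Review bot: `$1` and `$2` are quoted in the emptiness tests but unquoted where they are actually used, `ifconfig $1 > /dev/null` and `ifconfig $1 | grep -i $2`, so an argument containing whitespace or a glob is split or expanded before reaching the command; write `ifconfig "$1" > /dev/null 2>&1` and `grep -qi "$2"`. The `$? != "0"` string comparisons can be folded into the test itself, `if ! ifconfig "$1" > /dev/null 2>&1; then`, which also stops ifconfig's own error text from polluting the plugin output. `grep -i "$2"` matches the state anywhere in the ifconfig output, not only in the `carp:` line, so `"BACKUP"` or `"MASTER"` could be matched by an unrelated field; anchoring on `carp: $2` would be tighter.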
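--- a/roles/nagios-nrpe/files/plugins_bsd/check_ipsecctl.sh
+++ b/roles/nagios-nrpe/files/plugins_bsd/check_ipsecctl.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+IPSECCTL="/sbin/ipsecctl -s sa"
+STATUS=0
+
+LINE1=`$IPSECCTL | grep "from $1 to $2" `
+if [ $? -eq 1 ]; then
+  STATUS=2;
+  OUTPUT1="No VPN from $1 to $2 "
+fi
+
+LINE2=`$IPSECCTL | grep "from $2 to $1" `
+if [ $? -eq 1 ]; then
+  STATUS=2;
+  OUTPUT2="No VPN from $2 to $1"
+fi
+
+if [ $STATUS -eq 0 ]; then
+  echo "VPN OK - $3 is up"
+  exit $STATUS
+else
+  echo "VPN DOWN - $3 is down ($OUTPUT1 $OUTPUT2)"
+  exit $STATUS
+fi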
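Review bot: `[ $? -eq 1 ]` only recognises grep's "no match" status, so a grep error (exit 2) leaves STATUS at 0 and the plugin reports "VPN OK" for a tunnel it never verified; test for any non-zero status instead, `if ! $IPSECCTL | grep -q "from $1 to $2"; then`, which also removes the unused LINE1/LINE2 captures. Unlike check_carp_if, the script never checks that `$1`, `$2` and `$3` are set, and with an empty `$1`/`$2` the pattern `from  to ` matches nothing, so a misconfigured NRPE command reports a VPN outage rather than a usage error; add the same `[ -z "$1" ]` guards. Since the sudoers entry lets _nrpe run this as root with arbitrary arguments, a quick sanity check that `$1` and `$2` look like addresses would also be reasonable.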
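--- a/roles/nagios-nrpe/files/plugins_bsd/check_openvpn
+++ b/roles/nagios-nrpe/files/plugins_bsd/check_openvpn
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+if netstat -an|grep '.1194' >/dev/null; then
+  echo "VPN OK"
+  return 0
+else
+  echo "PROCESS NOT LISTENING"
+  return 2
+fi
</font_update>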
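Review bot: `return 0` / `return 2` are used at script top level, outside any function; OpenBSD's ksh treats that as exit, but POSIX leaves it unspecified and other shells either error or ignore it, so the plugin should use `exit 0` and `exit 2` to return the Nagios status reliably. In `grep '.1194'` the dot is an unescaped regex metacharacter, so the pattern also matches any address or port containing "1194" (for example port 11940); `grep -q '\.1194 '` matches a listening socket on port 1194 only, assuming the usual `*.1194` netstat column format on OpenBSD.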
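--- a/roles/nagios-nrpe/files/plugins_bsd/check_ospfd_simple
+++ b/roles/nagios-nrpe/files/plugins_bsd/check_ospfd_simple
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+. /usr/local/libexec/nagios/utils.sh
+
+# check if ospfd is running
+if [[ "$(ospfctl show 2>&1)" = *"/var/run/ospfd.sock:"* ]]; then
+  echo "CRITICAL - OSPFD not running"
+  exit "$STATE_CRITICAL"
+else
+  echo "OK - OSPFD is running"
+  exit "$STATE_OK"
+fi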
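Review bot: `[[ ... = *"..."* ]]` is a ksh/bash extension under a `#!/bin/sh` shebang, so the plugin only works because OpenBSD's sh happens to be ksh; the portable form is `case "$(ospfctl show 2>&1)" in *"/var/run/ospfd.sock:"*) echo "CRITICAL - OSPFD not running"; exit "$STATE_CRITICAL";; esac` followed by the OK branch. The check also keys on the socket path appearing in ospfctl's error text, which is an implementation detail; testing ospfctl's exit status (`ospfctl show > /dev/null 2>&1`) would survive a wording change.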
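--- a/roles/nagios-nrpe/handlers/main.yml
+++ b/roles/nagios-nrpe/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart nrpe
+  service:
+    name: nrpe
+    state: restarted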
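--- a/roles/nagios-nrpe/tasks/main.yml
+++ b/roles/nagios-nrpe/tasks/main.yml
@@ -0,0 +1,60 @@
+---
+- name: Install nrpe
+  openbsd_pkg:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - nrpe--
+
+- name: Install monitoring-plugins
+  openbsd_pkg:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - monitoring-plugins
+
+- name: Create nrpe.d dir
+  file:
+    path: /etc/nrpe.d
+    state: directory
+    owner: root
+    group: wheel
+    mode: "0755"
+
+- name: Include nrpe.d dir in nrpe.cfg
+  lineinfile:
+    dest: /etc/nrpe.cfg
+    line: 'include_dir=/etc/nrpe.d'
+
+- name: custom configuration is present
+  template:
+    src: evolix_bsd.cfg.j2
+    dest: /etc/nrpe.d/evolix.cfg
+  notify: restart nrpe
+
+- name: Nagios plugins are installed
+  copy:
+    src: plugins_bsd/
+    dest: /usr/local/libexec/nagios/plugins/
+    owner: root
+    group: wheel
+    mode: "0755"
+  notify: restart nrpe
+
+- name: Nagios plugins are installed - template
+  template:
+    src: plugins_bsd/{{ item }}.j2
+    dest: /usr/local/libexec/nagios/plugins/{{ item }}
+    owner: root
+    group: wheel
+    mode: "0755"
+  with_items:
+    - 'check_pf_states'
+    - 'check_free_mem.sh'
+  notify: restart nrpe
+
+- name: Starting and enabling nrpe
+  service:
+    name: nrpe
+    enabled: yes
+    state: started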
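Review bot: The `custom configuration is present` task writes /etc/nrpe.d/evolix.cfg with no `owner`, `group` or `mode`, so the file gets whatever the umask gives, and the role's defaults define LDAP and PostgreSQL passwords that are presumably interpolated into that template as check arguments; set `owner: root`, `group: _nrpe` and `mode: "0640"` (the `_nrpe` account is the one granted in sudoers) so only the daemon can read it. The `Include nrpe.d dir in nrpe.cfg` lineinfile has no `notify: restart nrpe`, so on a host where nrpe.cfg changes but the template does not, the daemon keeps running without the include. `enabled: yes` should be `enabled: true`, and the two single-item `with_items` loops can pass the package name directly.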
38
roles/nagios-nrpe/templates/evolix_bsd.cfg.j2