diff --git a/README.md b/README.md new file mode 100644 index 0000000..0ee4b61 --- /dev/null +++ b/README.md @@ -0,0 +1,146 @@ +# EvoBSD 1.0 + +EvoBSD is an ansible project used for customising OpenBSD hosts +used by Evolix. + +## How to install an OpenBSD machine + +**Note :** The system must be installed with a root account only. Put your public key in the remote root's autorized_keys (/root/.ssh/authorized_keys) + +1 - Install ansible's prerequisites + +``` +ansible-playbook prerequisite.yml -CDi hosts -l HOSTNAME +``` + +2 - Run it! + +``` +ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts -l HOSTNAME +``` + +### Try it on a disposable system! + +The easiest way to try EvoBSD is by using packer and vmm : + +* First of all let's install go and packer on your host system + +``` +# pkg_add go packer +``` + +* Then we gonna use [packer-builder-vmm](https://github.com/prep/packer-builder-vmm) project availbale on Github + +``` +$ go get -u github.com/prep/packer-builder-vmm/cmd/packer-builder-vmm +``` + +* We have to create a definition file for packer + +``` +$ vim openbsd.json +``` + + { + "description": "OpenBSD installation on VMM", + + "variables": { + "hostname": "evobsd", + "domain": "example.com", + + "password": "evolix" + }, + + "builders": [ + { + "type": "vmm", + "vm_name": "evobsd", + "disk_size": "2G", + "format": "qcow2", + "mem_size": "1024M", + + "iso_urls": ["downloads/install64.fs", "https://ftp.nluug.nl/pub/OpenBSD/6.4/amd64/install64.fs"], + "iso_checksum": "7aa4344cb39efbf67300f97ac7eec005b607e8c19d4e31a0a593a8ee2b7136e4", + "iso_checksum_type": "sha256", + + "boot_wait": "10s", + "boot_command": [ + "S", + + "cat <disklabel.template", + "/ 1G-* 100%", + "EOF", + + "cat <install.conf", + "System hostname = {{user `hostname`}}", + "DNS domain name = {{user `domain`}}", + "Password for root account = {{user `password`}}", + "Do you expect to run the X Window System = no", + "Setup a user = no", + "Which disk is the root disk = sd1", + "Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout = c", + "URL to autopartitioning template for disklabel = file://disklabel.template", + "Location of sets = disk", + "Is the disk partition already mounted = no", + "Set name(s) = -bsd.rd", + "Set name(s) = done", + "Directory does not contain SHA256.sig. Continue without verification = yes", + "What timezone are you in = Europe/Paris", + "EOF", + + "install -af install.conf", + "", + + "/sbin/halt -p" + ] + } + ] + } + + +* You need your unprivileged user to be able to run vmctl through doas + +``` +# echo "permit nopass myunprivilegeduser as root cmd /usr/sbin/vmctl +``` + +* Eventually you can build your virtual machine + +``` +$ packer build openbsd.json +``` + +* Once the building is done, run your VM like this + +``` +doas vmctl start evobsd -cL -d output-vmm/evobsd.qcow2 +``` + +## Contributions + +Contributions to this project are most welcome! The best way is to create a +pull request so that after review it's merged. + +## License + +MIT License + +Copyright (c) 2019 Evolix + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/evolixisation.yml b/evolixisation.yml new file mode 100644 index 0000000..3895536 --- /dev/null +++ b/evolixisation.yml @@ -0,0 +1,33 @@ +# Playbook command +# ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts -l HOSTNAME + +--- +- name: Evolixisation of an OpenBSD system + hosts: openbsd + become: true + become_user: root + become_method: sudo + + + vars_files: + - vars/main.yml +# - vars/secrets.yml + + roles: + - etc-git + - base + - forwarding + - pf + - accounts + - nagios-nrpe + - post-install + + post_tasks: + - include: "tasks/commit_etc_git.yml" + vars: + commit_message: "Ansible - Evolixisation" + + environment: + PKG_PATH: "http://ftp.openbsd.org/pub/OpenBSD/{{ ansible_distribution_version }}/packages/{{ ansible_architecture }}/" + +# vim:ft=ansible diff --git a/hosts b/hosts new file mode 100644 index 0000000..680aa87 --- /dev/null +++ b/hosts @@ -0,0 +1,5 @@ +[openbsd] +foo.example.com + +[openbsd:vars] +ansible_python_interpreter=/usr/local/bin/python2.7 diff --git a/prerequisite.yml b/prerequisite.yml new file mode 100644 index 0000000..4695566 --- /dev/null +++ b/prerequisite.yml @@ -0,0 +1,16 @@ +# Playbook command +# ansible-playbook prerequisite.yml -CDi hosts -l HOSTNAME + +--- + - hosts: all + become: yes + become_method: su + user: root + gather_facts: no + + tasks: + + - name: Install ansible's prerequisite + raw: export PKG_PATH=http://ftp.eu.openbsd.org/pub/OpenBSD/$(uname -r)/packages/$(uname -p)/; pkg_add -z python-2 + +# vim:ft=ansible diff --git a/roles/accounts/tasks/main.yml b/roles/accounts/tasks/main.yml new file mode 100644 index 0000000..27b4b90 --- /dev/null +++ b/roles/accounts/tasks/main.yml @@ -0,0 +1,26 @@ +--- +- name: Create admins accounts + user: + state: present + name: '{{ item.value.name }}' + uid: '{{ item.value.uid }}' + password: '{{ item.value.password_hash_openbsd }}' + groups: wheel + shell: /bin/ksh + append: yes + with_dict: + "{{ evolix_users }}" + tags: + - admin + +- name: Add admins ssh keys + lineinfile: + state: present + dest: '/home/{{ item.value.name }}/.ssh/authorized_keys' + line: '{{ item.value.ssh_keys }}' + create: yes + with_dict: + "{{ evolix_users }}" + tags: + - admin + diff --git a/roles/base/defaults/main.yml b/roles/base/defaults/main.yml new file mode 100644 index 0000000..fe0e8fd --- /dev/null +++ b/roles/base/defaults/main.yml @@ -0,0 +1,19 @@ +--- +ntpd_servers: +- "ntp.evolix.net" + +general_alert_email: "root@localhost" +general_technical_realm: "example.com" + +evomaintenance_realm: "example.com" +evomaintenance_alert_email: "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}" +evomaintenance_hostname: "{{ inventory_hostname }}.{{ general_technical_realm }}" +evomaintenance_pg_host: Null +evomaintenance_pg_passwd: Null +evomaintenance_pg_db: Null +evomaintenance_pg_table: Null +evomaintenance_from_domain: "{{ evomaintenance_realm }}" +evomaintenance_from: "evomaintenance@{{ evomaintenance_from_domain }}" +evomaintenance_full_from: "Evomaintenance <{{ evomaintenance_from }}>" +evomaintenance_urgency_from: mama.doe@example.com +evomaintenance_urgency_tel: "06.00.00.00.00" diff --git a/roles/base/files/evomaintenance.sh b/roles/base/files/evomaintenance.sh new file mode 100644 index 0000000..d2a7f52 --- /dev/null +++ b/roles/base/files/evomaintenance.sh @@ -0,0 +1,198 @@ +#!/bin/sh + +# EvoMaintenance script +# Dependencies (all OS): git postgresql-client +# Dependencies (Debian): sudo + +# version 0.4.1 +# Copyright 2007-2018 Evolix + +get_system() { + uname -s +} + +get_fqdn() { + if [ "$(get_system)" = "Linux" ]; then + hostname --fqdn + elif [ "$(get_system)" = "OpenBSD" ]; then + hostname + else + echo "OS not detected!" + exit 1 + fi +} + +get_tty() { + if [ "$(get_system)" = "Linux" ]; then + ps -o tty= | tail -1 + elif [ "$(get_system)" = "OpenBSD" ]; then + env | grep SSH_TTY | cut -d"/" -f3 + else + echo "OS not detected!" + exit 1 + fi +} + +get_who() { + who=$(LC_ALL=C who -m) + + if [ -n "${who}" ]; then + echo "${who}" + else + LC_ALL=C who | grep $(get_tty) | tr -s ' ' + fi +} + +get_begin_date() { + echo "$(date "+%Y") $(echo $(get_who) | cut -d" " -f3,4,5)" +} + +get_ip() { + ip=$(echo $(get_who) | cut -d" " -f6 | sed -e "s/^(// ; s/)$//") + [ -z "${ip}" ] && ip="unknown (no tty)" + [ "${ip}" = ":0" ] && ip="localhost" + + echo "${ip}" +} + +get_end_date() { + date +"%Y %b %d %H:%M" +} + +get_now() { + date +"%Y-%m-%dT%H:%M:%S%z" +} + +test -f /etc/evomaintenance.cf && . /etc/evomaintenance.cf + +[ -n "${HOSTNAME}" ] || HOSTNAME=$(get_fqdn) +[ -n "${EVOMAINTMAIL}" ] || EVOMAINTMAIL=evomaintenance-$(echo "${HOSTNAME}" | cut -d- -f1)@${REALM} +[ -n "${LOGFILE}" ] || LOGFILE=/var/log/evomaintenance.log + +# Treat unset variables as an error when substituting. +# Only after this line, because some config variables might be missing. +set -u + +REAL_HOSTNAME=$(get_fqdn) +if [ "${HOSTNAME}" = "${REAL_HOSTNAME}" ]; then + HOSTNAME_TEXT="${HOSTNAME}" +else + HOSTNAME_TEXT="${HOSTNAME} (${REAL_HOSTNAME})" +fi + +# TTY=$(get_tty) +# WHO=$(get_who) +IP=$(get_ip) +BEGIN_DATE=$(get_begin_date) +END_DATE=$(get_end_date) +USER=$(logname) + +PATH=${PATH}:/usr/sbin + +SENDMAIL_BIN=$(command -v sendmail) +GIT_BIN=$(command -v git) + +GIT_REPOSITORIES="/etc /etc/bind" + +# git statuses +GIT_STATUSES="" + +if test -x "${GIT_BIN}"; then + # loop on possible directories managed by GIT + for dir in ${GIT_REPOSITORIES}; do + # tell Git where to find the repository and the work tree (no need to `cd …` there) + export GIT_DIR="${dir}/.git" GIT_WORK_TREE="${dir}" + # If the repository and the work tree exist, try to commit changes + if test -d "${GIT_DIR}" && test -d "${GIT_WORK_TREE}"; then + CHANGED_LINES=$(${GIT_BIN} status --porcelain | wc -l | tr -d ' ') + if [ "${CHANGED_LINES}" != "0" ]; then + STATUS=$(${GIT_BIN} status --short | tail -n 10) + # append diff data, without empty lines + GIT_STATUSES=$(printf "%s\n%s\n%s\n" "${GIT_STATUSES}" "${GIT_DIR} (last 10 lines)" "${STATUS}" | sed -e '/^$/d') + fi + fi + # unset environment variables to prevent accidental influence on other git commands + unset GIT_DIR GIT_WORK_TREE + done + if [ -n "${GIT_STATUSES}" ]; then + echo "/!\ There are some uncommited changes. If you proceed, everything will be commited." + echo "${GIT_STATUSES}" + echo "" + fi +fi + +# get input from stdin +echo "> Please, enter details about your maintenance" +read TEXTE + +if [ "${TEXTE}" = "" ]; then + echo "no value..." + exit 1 +fi + +# recapitulatif +BLOB=$(cat < Press to submit, or to cancel." +read enter + +# write log +echo "----------- $(get_now) ---------------" >> "${LOGFILE}" +echo "${BLOB}" >> "${LOGFILE}" + +# git commit +GIT_COMMITS="" + +if test -x "${GIT_BIN}"; then + # loop on possible directories managed by GIT + for dir in ${GIT_REPOSITORIES}; do + # tell Git where to find the repository and the work tree (no need to `cd …` there) + export GIT_DIR="${dir}/.git" GIT_WORK_TREE="${dir}" + # If the repository and the work tree exist, try to commit changes + if test -d "${GIT_DIR}" && test -d "${GIT_WORK_TREE}"; then + CHANGED_LINES=$(${GIT_BIN} status --porcelain | wc -l | tr -d ' ') + if [ "${CHANGED_LINES}" != "0" ]; then + ${GIT_BIN} add --all + ${GIT_BIN} commit --message "${TEXTE}" --author="${USER} <${USER}@evolix.net>" --quiet + # Add the SHA to the log file if something has been committed + SHA=$(${GIT_BIN} rev-parse --short HEAD) + STATS=$(${GIT_BIN} show --stat | tail -1) + # append commit data, without empty lines + GIT_COMMITS=$(printf "%s\n%s : %s –%s" "${GIT_COMMITS}" "${GIT_DIR}" "${SHA}" "${STATS}" | sed -e '/^$/d') + fi + fi + # unset environment variables to prevent accidental influence on other git commands + unset GIT_DIR GIT_WORK_TREE + done + if [ -n "${GIT_COMMITS}" ]; then + echo "${GIT_COMMITS}" >> "${LOGFILE}" + fi +fi + +# insert into PG +# SQL_TEXTE=`echo "${TEXTE}" | sed "s/'/\\\\\\'/g ; s@/@\\\\\/@g ; s@\\&@et@g"` +SQL_TEXTE=`echo "${TEXTE}" | sed "s/'/''/g"` + +PG_QUERY="INSERT INTO evomaint(hostname,userid,ipaddress,begin_date,end_date,details) VALUES ('${HOSTNAME}','${USER}','${IP}','${BEGIN_DATE}',now(),'${SQL_TEXTE}')" +echo "${PG_QUERY}" | psql ${PGDB} ${PGTABLE} -h ${PGHOST} --quiet + +# send mail +MAIL_TEXTE=$(echo "${TEXTE}" | sed -e "s@/@\\\\\/@g ; s@&@\\\\&@") +MAIL_GIT_COMMITS=$(echo "${GIT_COMMITS}" | sed -e "s@/@\\\\\/@g ; s@&@\\\\&@") + +cat /usr/share/scripts/evomaintenance.tpl | \ + sed -e "s/__TO__/${EVOMAINTMAIL}/ ; s/__HOSTNAME__/${HOSTNAME_TEXT}/ ; s/__USER__/${USER}/ ; s/__BEGIN_DATE__/${BEGIN_DATE}/ ; s/__END_DATE__/${END_DATE}/ ; s/__GIT_COMMITS__/${MAIL_GIT_COMMITS}/ ; s/__TEXTE__/${MAIL_TEXTE}/ ; s/__IP__/${IP}/ ; s/__FULLFROM__/${FULLFROM}/ ; s/__FROM__/${FROM}/ ; s/__URGENCYFROM__/${URGENCYFROM}/ ; s/__URGENCYTEL__/${URGENCYTEL}/" | \ + ${SENDMAIL_BIN} -oi -t -f ${FROM} + +exit 0 diff --git a/roles/base/files/evomaintenance.tpl b/roles/base/files/evomaintenance.tpl new file mode 100644 index 0000000..ddddd7b --- /dev/null +++ b/roles/base/files/evomaintenance.tpl @@ -0,0 +1,33 @@ +From: __FULLFROM__ +Content-Type: text/plain; charset=UTF-8 +MIME-Version: 1.0 +Content-Transfer-Encoding: 8bit +To: __TO__ +Subject: [evomaintenance] Intervention sur __HOSTNAME__ (__USER__) + +Bonjour, + +Une intervention vient de se terminer sur votre serveur. +Voici les renseignements sur l'intervention : + +Nom du serveur : __HOSTNAME__ +Personne ayant réalisée l'intervention : __USER__ +Intervention réalisée depuis : __IP__ +Début de l'intervention : __BEGIN_DATE__ +Fin de l'intervention : __END_DATE__ + +### +Renseignements sur l'intervention : +__TEXTE__ +### + +__GIT_COMMITS__ + +Pour réagir à cette intervention, vous pouvez répondre à ce message +(sur l'adresse mail __FROM__). En cas d'urgence, utilisez +l'adresse __URGENCYFROM__ ou notre téléphone portable d'astreinte +(__URGENCYTEL__) + +Cordialement, +-- +__FULLFROM__ diff --git a/roles/base/files/installurl b/roles/base/files/installurl new file mode 100644 index 0000000..93832e8 --- /dev/null +++ b/roles/base/files/installurl @@ -0,0 +1 @@ +https://cdn.openbsd.org/pub/OpenBSD diff --git a/roles/base/files/kshrc b/roles/base/files/kshrc new file mode 100644 index 0000000..dffa3fb --- /dev/null +++ b/roles/base/files/kshrc @@ -0,0 +1,17 @@ +alias vi='vim' +sudo() { if [[ $# == "1" ]] && [[ $1 == "su" ]]; then command sudo -i; else command sudo "$@"; fi } + +## +# Caracterisation du shell +## + +bind -m '^L'='^U 'clear'^M^Y' +bind '^[[4~'=end-of-line +bind '^[[1~'=beginning-of-line +bind '^[[3~'=delete-char-forward +bind '^[[8~'=end-of-line +bind '^[[7~'=beginning-of-line +bind '^[Oc'=forward-word +bind '^[Od'=backward-word +bind '^[^[[C'=forward-word +bind '^[^[[D'=backward-word diff --git a/roles/base/files/profile b/roles/base/files/profile new file mode 100644 index 0000000..b153f2f --- /dev/null +++ b/roles/base/files/profile @@ -0,0 +1,27 @@ +# $OpenBSD: dot.profile,v 1.9 2010/12/13 12:54:31 millert Exp $ +# +# sh/ksh initialization + +PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/local/sbin:/usr/local/bin +export PATH HOME TERM +export PS1="\u@\h:\w\\$ " +HISTFILE=$HOME/.histfile +export HISTSIZE=10000 +export HISTCONTROL='ignoredups:ignorespace' +export TMOUT=36000 +export PAGER=less +umask 022 + +export ENV='~/.kshrc' + +case "$-" in +*i*) # interactive shell + if [ -x /usr/bin/tset ]; then + if [ X"$XTERM_VERSION" = X"" ]; then + eval `/usr/bin/tset -sQ '-munknown:?vt220' $TERM` + else + eval `/usr/bin/tset -IsQ '-munknown:?vt220' $TERM` + fi + fi + ;; +esac diff --git a/roles/base/files/vimrc b/roles/base/files/vimrc new file mode 100644 index 0000000..581459c --- /dev/null +++ b/roles/base/files/vimrc @@ -0,0 +1,11 @@ +syntax on +set hlsearch +set background=dark +set expandtab +set tabstop=4 +set softtabstop=0 +set shiftwidth=4 +set smarttab +set backspace=indent,eol,start +set showcmd +set encoding=utf-8 diff --git a/roles/base/files/zzz_evobackup b/roles/base/files/zzz_evobackup new file mode 100755 index 0000000..5e2a4d9 --- /dev/null +++ b/roles/base/files/zzz_evobackup @@ -0,0 +1,222 @@ +#!/bin/sh + +# +# Script Evobackup plus ou moins forké +# See https://forge.evolix.org/projects/evobackup +# + +PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin + +## lang = C for english outputs +LANGUAGE=C +LANG=C + +## Force umask +umask 077 + +## Verify other evobackup process and kill if needed +PIDFILE=/var/run/evobackup.pid +if [ -e $PIDFILE ]; then + # Killing the childs of evobackup. + for pid in $(ps h --ppid $(cat $PIDFILE) -o pid | tr -s '\n' ' '); do + kill -9 $pid; + done + # Then kill the main PID. + kill -9 $(cat $PIDFILE) + echo "$0 tourne encore (PID `cat $PIDFILE`). Processus killé" >&2 +fi +echo "$$" > $PIDFILE +trap "rm -f $PIDFILE" EXIT + +# Variable to choose different backup server with date +NODE=$(expr `date +%d` % 2 + 2) + +# port SSH +SSH_PORT=2XXX + +# email adress for notifications +MAIL={{ general_alert_email }} + +# backup server used +SRV=node$NODE.backup2.evolix.net + +# choose "linux" or "bsd" +SYSTEME=$(uname | tr '[:upper:]' '[:lower:]') + +## We use /home/backup : feel free to use your own dir +mkdir -p -m 700 /home/backup + +## OpenLDAP : example with slapcat +# slapcat -l /home/backup/ldap.bak + +### MySQL + +## example with global and compressed mysqldump +# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 \ +# --opt --all-databases --force --events --hex-blob | gzip --best > /home/backup/mysql.bak.gz + +## example with two dumps for each table (.sql/.txt) for all databases +# for i in $(echo SHOW DATABASES | mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 \ +# | egrep -v "^(Database|information_schema|performance_schema)" ); \ +# do mkdir -p /home/mysqldump/$i ; chown -RL mysql /home/mysqldump ; \ +# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 -Q --opt --events --hex-blob --skip-comments -T \ +# /home/mysqldump/$i $i; done + +## example with compressed SQL dump for each databases +# mkdir -p /home/mysqldump/ +# for i in $(mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 -e 'show databases' -s --skip-column-names \ +# | egrep -v "^(Database|information_schema|performance_schema)"); do +# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --events --hex-blob $i | gzip --best > /home/mysqldump/${i}.sql.gz +# done + +## example with *one* uncompressed SQL dump for *one* database (MYBASE) +# mkdir -p -m 700 /home/mysqldump/MYBASE +# chown -RL mysql /home/mysqldump/ +# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -Q \ +# --opt --events --hex-blob --skip-comments -T /home/mysqldump/MYBASE MYBASE + +## example with mysqlhotcopy +# mkdir -p /home/mysqlhotcopy/ +# mysqlhotcopy BASE /home/mysqlhotcopy/ + +## example for multiples MySQL instances +# mysqladminpasswd=`cat /root/.my.cnf |grep -m1 'password = .*' |cut -d" " -f3` +# grep -E "^port\s*=\s*\d*" /etc/mysql/my.cnf |while read instance; do +# instance=$(echo $instance |tr -d '\t') +# instance=${instance// /} +# instance=${instance//port=/} +# if [ "$instance" != "3306" ] +# then +# mysqldump -P $instance --opt --all-databases --hex-blob -u mysqladmin -p$mysqladminpasswd > /home/backup/mysql.$instance.bak +# fi +# done + +### PostgreSQL + +## example with pg_dumpall (warning: you need space in ~postgres) +# su - postgres -c "pg_dumpall > ~/pg.dump.bak" +# mv ~postgres/pg.dump.bak /home/backup/ + +## example with all tables from MYBASE excepts TABLE1 and TABLE2 +# pg_dump -p 5432 -h 127.0.0.1 -U USER --clean -F t --inserts -f /home/backup/pg-backup.tar -t 'TABLE1' -t 'TABLE2' MYBASE + +## example with only TABLE1 and TABLE2 from MYBASE +# pg_dump -p 5432 -h 127.0.0.1 -U USER --clean -F t --inserts -f /home/backup/pg-backup.tar -T 'TABLE1' -T 'TABLE2' MYBASE + +## MongoDB : example with mongodump +## don't forget to create use with read-only access +## > use admin +## > db.addUser("mongobackup", "PASS", true); +# mongodump -u mongobackup -pPASS -o /home/backup/mongodump/ >/dev/null 2>&1 |grep -v "^connected to:" + +## Redis : example with copy .rdb file +# cp /var/lib/redis/dump.rdb /home/backup/ + +## ElasticSearch : example with rsync (warning: don't forget to use NFS if you have a cluster) +## Disable ES translog flush +# curl -s -XPUT 'localhost:9200/_settings' -d '{"index.translog.disable_flush": true}' >/dev/null +## Flushes translog +# curl -s 'localhost:9200/_flush' | grep -qe '"ok":true' +## If it succeed, do an rsync of the datadir +# if [ $? -eq 0 ]; then +# rsync -a /var/lib/elasticsearch /home/backup/ +# else +# echo "Error when flushing ES translog indexes." +# fi +## In any case re-enable translog flush +# curl -s -XPUT 'localhost:9200/_settings' -d '{"index.translog.disable_flush": false}' > /dev/null + +## Dump MBR / table partitions with dd and sfdisk +## Linux +# dd if=/dev/sda of=/home/backup/MBR bs=512 count=1 2>&1 | egrep -v "(records in|records out|512 bytes)" +# sfdisk -d /dev/sda > /home/backup/partitions 2>&1 | egrep -v "(Warning: extended partition does not start at a cylinder boundary|DOS and Linux will interpret the contents differently)" +## OpenBSD +# disklabel sd0 > /home/backup/partitions + +# backup MegaCli config +#megacli -CfgSave -f /home/backup/megacli_conf.dump -a0 >/dev/null + +## Dump network routes with mtr and traceroute (warning: could be long with aggressive firewalls) +for addr in 8.8.8.8 backup.evolix.net www.evolix.fr www.evolix.net; do + mtr -r $addr > /home/backup/mtr-${addr} 2>/dev/null + traceroute -n $addr > /home/backup/traceroute-${addr} 2>/dev/null +done + +## Dump process with ps +ps aux >/home/backup/ps.out + +if [ $SYSTEME = "linux" ]; then + ## Dump network connections with netstat + netstat -taupen >/home/backup/netstat.out + + ## List Debian packages + dpkg -l >/home/backup/packages +else + ## Dump network connections with netstat + netstat -finet -atn >/home/backup/netstat.out + + ## List OpenBSD packages + pkg_info -m >/home/backup/packages +fi + +HOSTNAME=$(hostname) + +DATE=$(/bin/date +"%d-%m-%Y") + +DEBUT=$(/bin/date +"%d-%m-%Y ; %H:%M") + +if [ $SYSTEME = "linux" ]; then + rep="/bin /boot /lib /opt /sbin /usr" +else + rep="/bsd /bin /sbin /usr" +fi + +/usr/local/bin/rsync -avzh --stats --delete --delete-excluded --force --ignore-errors --partial \ + --exclude "lost+found" \ + --exclude ".nfs.*" \ + --exclude "/var/log" \ + --exclude "/var/log/evobackup*" \ + --exclude "/var/lib/mysql" \ + --exclude "/var/lib/postgres" \ + --exclude "/var/lib/postgresql" \ + --exclude "/var/lib/sympa" \ + --exclude "/var/lib/metche" \ + --exclude "/var/run" \ + --exclude "/var/lock" \ + --exclude "/var/state" \ + --exclude "/var/apt" \ + --exclude "/var/cache" \ + --exclude "/usr/src" \ + --exclude "/usr/doc" \ + --exclude "/usr/share/doc" \ + --exclude "/usr/obj" \ + --exclude "dev" \ + --exclude "/var/spool/postfix" \ + --exclude "/var/lib/amavis/amavisd.sock" \ + --exclude "/var/lib/munin/*tmp*" \ + --exclude "/var/lib/php5" \ + --exclude "/var/spool/squid" \ + --exclude "/var/lib/elasticsearch" \ + --exclude "/var/lib/amavis/tmp" \ + --exclude "/var/lib/clamav/*.tmp" \ + --exclude "/home/mysqltmp" \ + $rep \ + /etc \ + /root \ + /var \ + /home \ + -e "ssh -p $SSH_PORT" \ + root@${SRV}:/var/backup/ \ + | tail -30 >> /var/log/evobackup.log + +FIN=$(/bin/date +"%d-%m-%Y ; %H:%M") + +echo "EvoBackup - $HOSTNAME - START $DEBUT" \ + >> /var/log/evobackup.log + +echo "EvoBackup - $HOSTNAME - STOP $FIN" \ + >> /var/log/evobackup.log + +tail -10 /var/log/evobackup.log | \ + mail -s "[info] EvoBackup - Client $HOSTNAME" \ + $MAIL diff --git a/roles/base/handlers/main.yml b/roles/base/handlers/main.yml new file mode 100644 index 0000000..ba888e0 --- /dev/null +++ b/roles/base/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: newaliases + shell: smtpctl update table aliases diff --git a/roles/base/tasks/doas.yml b/roles/base/tasks/doas.yml new file mode 100644 index 0000000..9c866a5 --- /dev/null +++ b/roles/base/tasks/doas.yml @@ -0,0 +1,13 @@ +--- +- name: Configure doas + template: + src: doas.conf.j2 + dest: /etc/doas.conf + owner: root + group: wheel + mode: "0640" + backup: no + tags: + - doas + + diff --git a/roles/base/tasks/dotfiles.yml b/roles/base/tasks/dotfiles.yml new file mode 100644 index 0000000..a132e03 --- /dev/null +++ b/roles/base/tasks/dotfiles.yml @@ -0,0 +1,63 @@ +--- +- name: Customize root's .profile + copy: + src: profile + dest: /root/.profile + tags: + - admin + - dotfiles + +- name: Copy vim default configuration + copy: + src: vimrc + dest: /root/.vimrc + mode: "0644" + tags: + - admin + - dotfiles + - vim + +- name: Customize .kshrc environment file + copy: + src: kshrc + dest: /root/.kshrc + tags: + - admin + - dotfiles + +- name: Change default .profile skeleton + copy: + src: profile + dest: /etc/skel/.profile + tags: + - admin + - dotfiles + +- name: Add evomaintenance trap .profile skeleton with doas + lineinfile: + state: present + dest: /etc/skel/.profile + insertafter: EOF + line: 'trap "doas /usr/share/scripts/evomaintenance.sh" 0' + create: yes + tags: + - admin + - dotfiles + +- name: Add vim configuration to dotfiles for new users + copy: + src: vimrc + dest: /etc/skel/.vimrc + mode: "0644" + tags: + - admin + - dotfiles + - vim + +- name: Customize .kshrc environment file for new users + copy: + src: kshrc + dest: /etc/skel/.kshrc + tags: + - admin + - dotfiles diff --git a/roles/base/tasks/evobackup.yml b/roles/base/tasks/evobackup.yml new file mode 100644 index 0000000..3ac7b05 --- /dev/null +++ b/roles/base/tasks/evobackup.yml @@ -0,0 +1,20 @@ +--- +- name: Copy zzz_evobackup script + copy: + src: zzz_evobackup + dest: /usr/share/scripts/zzz_evobackup + owner: root + group: wheel + mode: "0755" + force: no + tags: + - evobackup + +- name: Add evobackup cron (disabled) + lineinfile: + path: /etc/daily.local + line: '#sh /usr/share/scripts/zzz_evobackup' + owner: root + mode: "0700" + tags: + - evobackup diff --git a/roles/base/tasks/evomaintenance.yml b/roles/base/tasks/evomaintenance.yml new file mode 100644 index 0000000..6471d28 --- /dev/null +++ b/roles/base/tasks/evomaintenance.yml @@ -0,0 +1,51 @@ +--- +- name: Create scripts directory + file: + path: /usr/share/scripts/ + state: directory + owner: root + group: wheel + mode: "0700" + tags: + - evomaintenance + +- name: Copy evomaintenance script and template + copy: src={{ item.src }} dest={{ item.dest }} owner=root group=wheel mode="0755" + with_items: + - { src: 'evomaintenance.sh', dest: '/usr/share/scripts/' } + - { src: 'evomaintenance.tpl', dest: '/usr/share/scripts/' } + tags: + - evomaintenance + - script-evomaintenance + +- name: Configure evomaintenance + template: + src: evomaintenance.j2 + dest: /etc/evomaintenance.cf + owner: root + group: wheel + mode: "0600" + backup: no + tags: + - evomaintenance + +- name: Copy mailevomaintenance + template: + src: mailevomaintenance.sh.j2 + dest: /usr/share/scripts/mailevomaintenance.sh + owner: root + group: wheel + mode: "0700" + tags: + - evomaintenance + - mailevomaintenance + +- name: Add mailevomaintenance cron + cron: + name: "mailevomaintenance" + job: "/usr/share/scripts/mailevomaintenance.sh" + minute: "50" + hour: "22" + disabled: yes + tags: + - mailevomaintenance diff --git a/roles/base/tasks/mail.yml b/roles/base/tasks/mail.yml new file mode 100644 index 0000000..321d837 --- /dev/null +++ b/roles/base/tasks/mail.yml @@ -0,0 +1,19 @@ +--- +- name: Configure rc.local + lineinfile: + path: /etc/rc.local + line: 'date | mail -s "boot/reboot of $(hostname -s)" {{ general_alert_email }}' + create: yes + tags: + - misc + +- name: Set root mail alias + replace: + dest: /etc/mail/aliases + regexp: "# root:" + replace: "root: {{ general_alert_email }}" + backup: no + notify: + - newaliases + tags: + - mail diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml new file mode 100644 index 0000000..7df8981 --- /dev/null +++ b/roles/base/tasks/main.yml @@ -0,0 +1,9 @@ +--- +# tasks file for evobsd-base +- include: packages.yml +- include: doas.yml +- include: dotfiles.yml +- include: evomaintenance.yml +- include: mail.yml +- include: sudo.yml +- include: evobackup.yml diff --git a/roles/base/tasks/packages.yml b/roles/base/tasks/packages.yml new file mode 100644 index 0000000..6c78d9c --- /dev/null +++ b/roles/base/tasks/packages.yml @@ -0,0 +1,31 @@ +--- + +- name: Configure installurl + copy: + dest: /etc/installurl + src: installurl + tags: + - pkg + +- name: Install packages (vim rsync mtr etc) + openbsd_pkg: + name: "{{ item }}" + state: present + with_items: + - wget + - vim--no_x11 + - rsync-- + - mtr-- + - iftop + - postgresql-client + tags: + - pkg + +- name: Install sudo + openbsd_pkg: + name: "{{ item }}" + state: present + with_items: + - sudo-- + tags: + - pkg diff --git a/roles/base/tasks/sudo.yml b/roles/base/tasks/sudo.yml new file mode 100644 index 0000000..d00e460 --- /dev/null +++ b/roles/base/tasks/sudo.yml @@ -0,0 +1,29 @@ +--- +# dont't break the tab! +- name: Allow wheel group to run command as root in sudo + lineinfile: + dest: /etc/sudoers + insertafter: '# and set environment variables.' + line: '%wheel ALL=(ALL) SETENV: ALL' + validate: 'visudo -cf %s' + backup: no + tags: + - sudo + +- name: Configure sudoers for evomaintenance and monitoring + blockinfile: + state: present + dest: /etc/sudoers + insertafter: EOF + block: | + Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh + %wheel ALL=NOPASSWD: MAINT + _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/plugins/check_ipsecctl.sh + _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_mailq + _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/plugins/check_ospfd_simple + validate: 'visudo -cf %s' + backup: no + tags: + - sudo + + diff --git a/roles/base/templates/doas.conf.j2 b/roles/base/templates/doas.conf.j2 new file mode 100644 index 0000000..0d313a5 --- /dev/null +++ b/roles/base/templates/doas.conf.j2 @@ -0,0 +1,11 @@ +# {{ ansible_managed }} +permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} :wheel +permit nopass root +permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :wheel as root cmd /usr/share/scripts/evomaintenance.sh +permit nopass _nrpe cmd /usr/local/libexec/nagios/check_ipsecctl.sh +permit nopass _nrpe as root cmd /sbin/bioctl args sd2 +permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_openbgpd +permit nopass _collectd as root cmd /usr/sbin/bgpctl +permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd +permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospf6d +permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_pf_states diff --git a/roles/base/templates/evomaintenance.j2 b/roles/base/templates/evomaintenance.j2 new file mode 100644 index 0000000..79bc0cb --- /dev/null +++ b/roles/base/templates/evomaintenance.j2 @@ -0,0 +1,13 @@ +HOSTNAME={{ evomaintenance_hostname }} +EVOMAINTMAIL={{ evomaintenance_alert_email or general_alert_email | mandatory }} + +export PGPASSWORD={{ evomaintenance_pg_passwd | mandatory }} + +PGDB={{ evomaintenance_pg_db | mandatory }} +PGTABLE={{ evomaintenance_pg_table | mandatory }} +PGHOST={{ evomaintenance_pg_host | mandatory }} +FROM={{ evomaintenance_from }} +FULLFROM="{{ evomaintenance_full_from }}" +URGENCYFROM={{ evomaintenance_urgency_from }} +URGENCYTEL="{{ evomaintenance_urgency_tel }}" +REALM="{{ evomaintenance_realm }}" diff --git a/roles/base/templates/mailevomaintenance.sh.j2 b/roles/base/templates/mailevomaintenance.sh.j2 new file mode 100644 index 0000000..d679ea5 --- /dev/null +++ b/roles/base/templates/mailevomaintenance.sh.j2 @@ -0,0 +1,28 @@ +#!/bin/sh + +set -eu + +cd /etc && _STATUS=$(/usr/local/bin/git status --porcelain) +[ -n "${_STATUS}" ] || exit 0 + +if [ -e /etc/realname ]; then + _HOSTNAME=$(/bin/cat /etc/realname) +else + _HOSTNAME=$(/bin/hostname) +fi + + +TMPFILE=$(/usr/bin/mktemp) || exit 1 +echo "Dear NOC,\n\nSome changes in /etc/ were not committed." >> $TMPFILE + +echo "" >> $TMPFILE +echo "${_STATUS}" >> $TMPFILE + +echo "" >> $TMPFILE +/usr/bin/last | head -n 10 >> $TMPFILE +echo "" >> $TMPFILE +echo "Please answer this mail to notify people when you've corrected the problem." >> $TMPFILE + +/bin/cat $TMPFILE | mail -s "Verif etc-git ${_HOSTNAME}" noc@{{ evomaintenance_realm }} + +/bin/rm $TMPFILE diff --git a/roles/etc-git/README.md b/roles/etc-git/README.md new file mode 100644 index 0000000..5c03384 --- /dev/null +++ b/roles/etc-git/README.md @@ -0,0 +1,31 @@ +# etc-git + +Put /etc under Git version control. + +## Tasks + +The main part (installation and configuration) is in the `tasks/main.yml` file. + +There is also an independant task that can be executed to commit changes made in `/etc/.git`, for example when a playbook is run : + +``` +- name: My Splendid Playbook + […] + + pre_tasks: + - include_role: + name: etc-git + tasks_from: commit.yml + vars: + commit_message: "Ansible pre-run my splendid playbook" + + roles : + […] + + post_tasks: + - include_role: + name: etc-git + tasks_from: commit.yml + vars: + commit_message: "Ansible pre-run my splendid playbook" +``` diff --git a/roles/etc-git/defaults/main.yml b/roles/etc-git/defaults/main.yml new file mode 100644 index 0000000..8a822ab --- /dev/null +++ b/roles/etc-git/defaults/main.yml @@ -0,0 +1,4 @@ +--- +commit_message: Ansible run + +etc_git_monitor_status: True diff --git a/roles/etc-git/files/gitignore b/roles/etc-git/files/gitignore new file mode 100644 index 0000000..2a64198 --- /dev/null +++ b/roles/etc-git/files/gitignore @@ -0,0 +1,3 @@ +aliases.db +*.swp +random.seed diff --git a/roles/etc-git/tasks/commit.yml b/roles/etc-git/tasks/commit.yml new file mode 100644 index 0000000..e4166e7 --- /dev/null +++ b/roles/etc-git/tasks/commit.yml @@ -0,0 +1,56 @@ +--- +- name: is /etc clean? + command: git status --porcelain + args: + chdir: /etc + changed_when: False + register: git_status + when: not ansible_check_mode + ignore_errors: yes + tags: + - etc-git + - commit-etc + +- debug: + var: git_status + verbosity: 3 + tags: + - etc-git + - commit-etc + +- name: fetch current Git user.email + git_config: + name: user.email + repo: /etc + scope: local + register: git_config_user_email + ignore_errors: yes + tags: + - etc-git + - commit-etc + +- name: set commit author + set_fact: + commit_author: '{% if ansible_env.SUDO_USER is not defined %}root{% else %}{{ ansible_env.SUDO_USER }}{% endif %}' + commit_email: '{% if git_config_user_email.config_value is not defined or git_config_user_email.config_value == "" %}root@localhost{% else %}{{ git_config_user_email.config_value }}{% endif %}' + tags: + - etc-git + - commit-etc + +- name: /etc modifications are committed + shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\" --author \"{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>\"" + args: + chdir: /etc + register: etc_commit_end_run + when: not ansible_check_mode and git_status.stdout != "" + ignore_errors: yes + tags: + - etc-git + - commit-etc + +- debug: + var: etc_commit_end_run + verbosity: 4 + tags: + - etc-git + - commit-etc diff --git a/roles/etc-git/tasks/main.yml b/roles/etc-git/tasks/main.yml new file mode 100644 index 0000000..078c0f0 --- /dev/null +++ b/roles/etc-git/tasks/main.yml @@ -0,0 +1,118 @@ +--- + +- name: Git is installed + openbsd_pkg: + name: git + state: present + tags: + - etc-git + +- name: /etc is versioned with git + command: "git init ." + args: + chdir: /etc + creates: /etc/.git/ + warn: no + register: git_init + tags: + - etc-git + +- name: Git user.email is configured + git_config: + name: user.email + repo: /etc + scope: local + value: "root@{{ ansible_fqdn | default('localhost') }}" + tags: + - etc-git + +- name: /etc/.git is secure + file: + path: /etc/.git + owner: root + mode: "0700" + state: directory + tags: + - etc-git + +- name: /etc/.gitignore is present + copy: + src: gitignore + dest: /etc/.gitignore + owner: root + mode: "0600" + tags: + - etc-git + +- name: does /etc/ have any commit? + command: "git log" + args: + chdir: /etc + warn: no + changed_when: False + failed_when: False + register: git_log + check_mode: no + tags: + - etc-git + +- name: initial commit is present? + shell: "git add -A . && git commit -m \"Initial commit via Ansible\"" + args: + chdir: /etc + warn: no + register: git_commit + when: git_log.rc != 0 or (git_init is defined and git_init.changed) + tags: + - etc-git + +- name: Optimize script is installed in monthly crontab + lineinfile: + path: /etc/monthly.local + line: '/usr/local/bin/git --git-dir /etc/.git gc --quiet' + owner: root + mode: "0700" + create: yes + tags: + - etc-git + +- name: cron job for /etc/.git status is installed + lineinfile: + path: /etc/daily.local + line: '/usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short' + owner: root + mode: "0700" + create: yes + when: etc_git_monitor_status + tags: + - etc-git + +- name: cron job for /etc/.git status is removed + lineinfile: + path: /etc/daily.local + line: '/usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short' + owner: root + mode: "0700" + state: absent + when: not etc_git_monitor_status + tags: + - etc-git + +- name: hourly cron job for /etc/.git status is installed + cron: + name: git status + minute: 42 + job: "who > /dev/null || /usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short" + when: etc_git_monitor_status + tags: + - etc-git + +- name: hourly cron job for /etc/.git status is removed + cron: + name: git status + minute: 42 + job: "who > /dev/null || /usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short" + state: absent + when: not etc_git_monitor_status + tags: + - etc-git diff --git a/roles/forwarding/tasks/main.yml b/roles/forwarding/tasks/main.yml new file mode 100644 index 0000000..d424c35 --- /dev/null +++ b/roles/forwarding/tasks/main.yml @@ -0,0 +1,18 @@ +--- +- name: Enable IPv4 forwarding + sysctl: + name: net.inet.ip.forwarding + value: 1 + state: present + reload: yes + tags: + - net + +- name: Enable IPv6 forwarding + sysctl: + name: net.inet6.ip6.forwarding + value: 1 + state: present + reload: yes + tags: + - net diff --git a/roles/nagios-nrpe/README.md b/roles/nagios-nrpe/README.md new file mode 100644 index 0000000..3f3f9a9 --- /dev/null +++ b/roles/nagios-nrpe/README.md @@ -0,0 +1,13 @@ +# nagios-nrpe + +Installation and custom configuration of Nagios NRPE server. + +## Tasks + +Everything is in the `tasks/main.yml` file. + +## Available variables + +* `nagios_nrpe_allowed_hosts` : list of IP/hosts authorized (default: none). + +The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/roles/nagios-nrpe/defaults/main.yml b/roles/nagios-nrpe/defaults/main.yml new file mode 100644 index 0000000..96c3ddd --- /dev/null +++ b/roles/nagios-nrpe/defaults/main.yml @@ -0,0 +1,13 @@ +--- +evolix_trusted_ips: [] +additional_trusted_ips: [] +# Let's merge evolix_trusted_ips with additional_trusted_ips +nagios_nrpe_allowed_hosts: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}" +nagios_nrpe_ldap_dc: "dc=DOMAIN,dc=EXT" +nagios_nrpe_ldap_passwd: LDAP_PASSWD +nagios_nrpe_pgsql_passwd: PGSQL_PASSWD +nagios_nrpe_amavis_from: "foobar@{{ ansible_domain }}" + +nagios_nrpe_check_proxy_host: "www.example.com" + +nagios_plugins_directory: "/usr/local/lib/nagios/plugins" diff --git a/roles/nagios-nrpe/files/plugins_bsd/check_carp_if b/roles/nagios-nrpe/files/plugins_bsd/check_carp_if new file mode 100755 index 0000000..3fe1dc5 --- /dev/null +++ b/roles/nagios-nrpe/files/plugins_bsd/check_carp_if @@ -0,0 +1,65 @@ +#!/bin/sh + +# Copyright (c) 2012, Claudiu Vasadi +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# 1. Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR +# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# +# The views and conclusions contained in the software and documentation are those +# of the authors and should not be interpreted as representing official policies, +# either expressed or implied, of the FreeBSD Project. + + +# +# Script to check the state (master/backup) of a carp internface +# $1 - carp if +# $2 - state +# + +. /usr/local/libexec/nagios/utils.sh + +# check if $1 and $2 is set +if [ -z "$1" ];then + echo "carp interface not set. Exiting ..." + exit "$STATE_CRITICAL" +fi + +if [ -z "$2" ];then + echo "Interface status not set. Exiting ..." + exit "$STATE_CRITICAL" +fi + +# check if the carp interface exists or not +ifconfig $1 > /dev/null +if [ $? != "0" ];then + echo "carp interface $1 does not exist. Exiting ...." + exit "$STATE_CRITICAL" +fi + +# check state +ifconfig $1 | grep -i $2 > /dev/null +if [ $? != "0" ];then + echo "NOT_OK - $1 should be $2" + exit "$STATE_CRITICAL" +else + echo "OK - $1 is $2" + exit "$STATE_OK" +fi diff --git a/roles/nagios-nrpe/files/plugins_bsd/check_ipsecctl.sh b/roles/nagios-nrpe/files/plugins_bsd/check_ipsecctl.sh new file mode 100755 index 0000000..4cdeaa9 --- /dev/null +++ b/roles/nagios-nrpe/files/plugins_bsd/check_ipsecctl.sh @@ -0,0 +1,23 @@ +#!/bin/sh +IPSECCTL="/sbin/ipsecctl -s sa" +STATUS=0 + +LINE1=`$IPSECCTL | grep "from $1 to $2" ` +if [ $? -eq 1 ]; then + STATUS=2; + OUTPUT1="No VPN from $1 to $2 " +fi + +LINE2=`$IPSECCTL | grep "from $2 to $1" ` +if [ $? -eq 1 ]; then + STATUS=2; + OUTPUT2="No VPN from $2 to $1" +fi + +if [ $STATUS -eq 0 ]; then + echo "VPN OK - $3 is up" + exit $STATUS +else + echo "VPN DOWN - $3 is down ($OUTPUT1 $OUTPUT2)" + exit $STATUS +fi diff --git a/roles/nagios-nrpe/files/plugins_bsd/check_openvpn b/roles/nagios-nrpe/files/plugins_bsd/check_openvpn new file mode 100755 index 0000000..4ae14ac --- /dev/null +++ b/roles/nagios-nrpe/files/plugins_bsd/check_openvpn @@ -0,0 +1,9 @@ +#!/bin/sh + +if netstat -an|grep '.1194' >/dev/null; then + echo "VPN OK" + return 0 +else + echo "PROCESS NOT LISTENING" + return 2 +fi diff --git a/roles/nagios-nrpe/files/plugins_bsd/check_ospfd_simple b/roles/nagios-nrpe/files/plugins_bsd/check_ospfd_simple new file mode 100755 index 0000000..932e69e --- /dev/null +++ b/roles/nagios-nrpe/files/plugins_bsd/check_ospfd_simple @@ -0,0 +1,12 @@ +#!/bin/sh + +. /usr/local/libexec/nagios/utils.sh + +# check if ospfd is running +if [[ "$(ospfctl show 2>&1)" = *"/var/run/ospfd.sock:"* ]]; then + echo "CRITICAL - OSPFD not running" + exit "$STATE_CRITICAL" +else + echo "OK - OSPFD is running" + exit "$STATE_OK" +fi diff --git a/roles/nagios-nrpe/handlers/main.yml b/roles/nagios-nrpe/handlers/main.yml new file mode 100644 index 0000000..2762b9c --- /dev/null +++ b/roles/nagios-nrpe/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart nrpe + service: + name: nrpe + state: restarted diff --git a/roles/nagios-nrpe/tasks/main.yml b/roles/nagios-nrpe/tasks/main.yml new file mode 100644 index 0000000..ec97d0a --- /dev/null +++ b/roles/nagios-nrpe/tasks/main.yml @@ -0,0 +1,60 @@ +--- +- name: Install nrpe + openbsd_pkg: + name: "{{ item }}" + state: present + with_items: + - nrpe-- + +- name: Install monitoring-plugins + openbsd_pkg: + name: "{{ item }}" + state: present + with_items: + - monitoring-plugins + +- name: Create nrpe.d dir + file: + path: /etc/nrpe.d + state: directory + owner: root + group: wheel + mode: "0755" + +- name: Include nrpe.d dir in nrpe.cfg + lineinfile: + dest: /etc/nrpe.cfg + line: 'include_dir=/etc/nrpe.d' + +- name: custom configuration is present + template: + src: evolix_bsd.cfg.j2 + dest: /etc/nrpe.d/evolix.cfg + notify: restart nrpe + +- name: Nagios plugins are installed + copy: + src: plugins_bsd/ + dest: /usr/local/libexec/nagios/plugins/ + owner: root + group: wheel + mode: "0755" + notify: restart nrpe + +- name: Nagios plugins are installed - template + template: + src: plugins_bsd/{{ item }}.j2 + dest: /usr/local/libexec/nagios/plugins/{{ item }} + owner: root + group: wheel + mode: "0755" + with_items: + - 'check_pf_states' + - 'check_free_mem.sh' + notify: restart nrpe + +- name: Starting and enabling nrpe + service: + name: nrpe + enabled: yes + state: started diff --git a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 new file mode 100644 index 0000000..0420fcb --- /dev/null +++ b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 @@ -0,0 +1,38 @@ +# +# Custom NRPE configuration file. +# Part of the EvoBSD distribution. +# + +# Allowed IPs +allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }} + +command[check_users]=/usr/local/libexec/nagios/check_users -w 5 -c 10 +command[check_load]=/usr/local/libexec/nagios/check_load -w 15,10,5 -c 30,25,20 +command[check_disk1]=/usr/local/libexec/nagios/check_disk -x /lib/init/rw -x /dev -x /dev/shm -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home +command[check_zombie_procs]=/usr/local/libexec/nagios/check_procs -w 5 -c 10 -s Z +command[check_total_procs]=/usr/local/libexec/nagios/check_procs -w 150 -c 200 +command[check_imap]=/usr/local/libexec/nagios/check_imap -H localhost +command[check_smtp]=/usr/local/libexec/nagios/check_smtp -H localhost -f {{ general_alert_email }} +command[check_dns]=/usr/local/libexec/nagios/check_dns -H evolix.net +command[check_swap]=/usr/local/libexec/nagios/check_swap --no-swap=ok -a -w 30% -c 20% +command[check_ntp]=/usr/local/libexec/nagios/check_ntp -H ntp.evolix.net +command[check_http]=/usr/local/libexec/nagios/check_http -H localhost -p 80 +command[check_onduleur]=/usr/local/libexec/nagios/check_ups -H localhost -u onduleur +# Pour check_mailq, ajouter dans sudo : +# _nrpe ALL=NOPASSWD: /usr/local/libexec/nagios/check_mailq +command[check_mailq]=sudo /usr/local/libexec/nagios/check_mailq -w 10 -c 20 +command[check_bind]=/usr/local/libexec/nagios/check_dig -l evolix.net -H localhost +command[check_ssh]=/usr/local/libexec/nagios/check_ssh -p 22 localhost +command[check_proxy]=/usr/local/libexec/nagios/check_tcp -p PORT +#command[check_vpn]=/usr/local/libexec/nagios/check_ping -H IPDISTANTE -p 1 -w 5000,100% -c 5000,100% +command[check_vpn]=sudo /usr/local/libexec/nagios/plugins/check_ipsecctl.sh IPDISTANTE IPLOCALE "VPN MARSEILLE-ROME" +command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn +command[check_pf_states]=doas /usr/local/libexec/nagios/plugins/check_pf_states +command[check_carp1]=/usr/local/libexec/nagios/plugins/check_carp_if carp0 master +command[check_mem]=/usr/local/libexec/nagios/plugins/check_free_mem.sh -w 20 -c 10 +command[check_dhcpclient]=/usr/local/libexec/nagios/check_dhcp -i INTERFACE +command[check_smb]=/usr/local/libexec/nagios/check_tcp -H IPLOCALE -p 445 +#command[check_ospfd]=doas /usr/local/libexec/nagios/plugins/check_ospfd +#command[check_ospf6d]=doas /usr/local/libexec/nagios/plugins/check_ospf6d +command[check_ospfd_simple]=sudo /usr/local/libexec/nagios/plugins/check_ospfd_simple +command[check_mysql]=/usr/local/libexec/nagios/check_mysql -H 127.0.0.1 -f /etc/nrpe.d/.my.cnf diff --git a/roles/nagios-nrpe/templates/plugins_bsd/check_free_mem.sh.j2 b/roles/nagios-nrpe/templates/plugins_bsd/check_free_mem.sh.j2 new file mode 100755 index 0000000..ab5f7e2 --- /dev/null +++ b/roles/nagios-nrpe/templates/plugins_bsd/check_free_mem.sh.j2 @@ -0,0 +1,166 @@ +#!/bin/ksh + +################################################################################ +# Sample Nagios plugin to monitor free memory on the local machine # +# Author: Daniele Mazzocchio (http://www.kernel-panic.it/) # +################################################################################ + +VERSION="Version 1.0" +AUTHOR="(c) 2007-2009 Daniele Mazzocchio (danix@kernel-panic.it)" + +PROGNAME=`/usr/bin/basename $0` + +# Constants +BYTES_IN_MB=$(( 1024 * 1024 )) +KB_IN_MB=1024 + +# Exit codes +STATE_OK=0 +STATE_WARNING=1 +STATE_CRITICAL=2 +STATE_UNKNOWN=3 + +# Helper functions ############################################################# + +function print_revision { + # Print the revision number + echo "$PROGNAME - $VERSION" +} + +function print_usage { + # Print a short usage statement + echo "Usage: $PROGNAME [-v] -w -c " +} + +function print_help { + # Print detailed help information + print_revision + echo "$AUTHOR\n\nCheck free memory on local machine\n" + print_usage + + /bin/cat <<__EOT + +Options: +-h + Print detailed help screen +-V + Print version information + +-w INTEGER + Exit with WARNING status if less than INTEGER MB of memory are free +-w PERCENT% + Exit with WARNING status if less than PERCENT of memory is free +-c INTEGER + Exit with CRITICAL status if less than INTEGER MB of memory are free +-c PERCENT% + Exit with CRITICAL status if less than PERCENT of memory is free +-v + Verbose output +__EOT +} + +# Main ######################################################################### + +# Total memory size (in MB) +tot_mem=$(( `/sbin/sysctl -n hw.physmem` / BYTES_IN_MB)) +# Free memory size (in MB) +{% if ansible_distribution_version | version_compare("6.2",'<') %} +free_mem=$(( `/usr/bin/vmstat | /usr/bin/tail -1 | /usr/bin/awk '{ print $5 }'` / KB_IN_MB )) +{% else %} +free_mem=$(/usr/bin/vmstat | /usr/bin/tail -1 | /usr/bin/awk '{ print $4 }' | tr -d 'M') +{% endif %} +# Free memory size (in percentage) +free_mem_perc=$(( free_mem * 100 / tot_mem )) + +# Verbosity level +verbosity=0 +# Warning threshold +thresh_warn= +# Critical threshold +thresh_crit= + +# Parse command line options +while [ "$1" ]; do + case "$1" in + -h | --help) + print_help + exit $STATE_OK + ;; + -V | --version) + print_revision + exit $STATE_OK + ;; + -v | --verbose) + : $(( verbosity++ )) + shift + ;; + -w | --warning | -c | --critical) + if [[ -z "$2" || "$2" = -* ]]; then + # Threshold not provided + echo "$PROGNAME: Option '$1' requires an argument" + print_usage + exit $STATE_UNKNOWN + elif [[ "$2" = +([0-9]) ]]; then + # Threshold is a number (MB) + thresh=$2 + elif [[ "$2" = +([0-9])% ]]; then + # Threshold is a percentage + thresh=$(( tot_mem * ${2%\%} / 100 )) + else + # Threshold is neither a number nor a percentage + echo "$PROGNAME: Threshold must be integer or percentage" + print_usage + exit $STATE_UNKNOWN + fi + [[ "$1" = *-w* ]] && thresh_warn=$thresh || thresh_crit=$thresh + shift 2 + ;; + -?) + print_usage + exit $STATE_OK + ;; + *) + echo "$PROGNAME: Invalid option '$1'" + print_usage + exit $STATE_UNKNOWN + ;; + esac +done + +if [[ -z "$thresh_warn" || -z "$thresh_crit" ]]; then + # One or both thresholds were not specified + echo "$PROGNAME: Threshold not set" + print_usage + exit $STATE_UNKNOWN +elif [[ "$thresh_crit" -gt "$thresh_warn" ]]; then + # The warning threshold must be greater than the critical threshold + echo "$PROGNAME: Warning free space should be more than critical free space" + print_usage + exit $STATE_UNKNOWN +fi + +if [[ "$verbosity" -ge 2 ]]; then + # Print debugging information + /bin/cat <<__EOT +Debugging information: + Warning threshold: $thresh_warn MB + Critical threshold: $thresh_crit MB + Verbosity level: $verbosity + Total memory: $tot_mem MB + Free memory: $free_mem MB ($free_mem_perc%) +__EOT +fi + +if [[ "$free_mem" -lt "$thresh_crit" ]]; then + # Free memory is less than the critical threshold + echo "MEMORY CRITICAL - $free_mem_perc% free ($free_mem MB out of $tot_mem MB)" + exit $STATE_CRITICAL +elif [[ "$free_mem" -lt "$thresh_warn" ]]; then + # Free memory is less than the warning threshold + echo "MEMORY WARNING - $free_mem_perc% free ($free_mem MB out of $tot_mem MB)" + exit $STATE_WARNING +else + # There's enough free memory! + echo "MEMORY OK - $free_mem_perc% free ($free_mem MB out of $tot_mem MB)" + exit $STATE_OK +fi diff --git a/roles/nagios-nrpe/templates/plugins_bsd/check_pf_states.j2 b/roles/nagios-nrpe/templates/plugins_bsd/check_pf_states.j2 new file mode 100755 index 0000000..c32e305 --- /dev/null +++ b/roles/nagios-nrpe/templates/plugins_bsd/check_pf_states.j2 @@ -0,0 +1,22 @@ +#!/bin/sh + +# Script writen by Evolix + +_MAX_STATES_LIMIT=$(/sbin/pfctl -sm | /usr/bin/grep states | awk '{print $4}') +_WARNING_STATES_LIMIT=$((_MAX_STATES_LIMIT*10/100)) +_CRTICAL_STATES_LIMIT=$((_MAX_STATES_LIMIT*15/100)) + +. /usr/local/libexec/nagios/utils.sh + +_CHECK_STATES=$(/sbin/pfctl -si | /usr/bin/grep current | awk '{print $3}') + +if [ $_CHECK_STATES -lt $_WARNING_STATES_LIMIT ];then + echo "OK: States number ($_CHECK_STATES) is below threshold (warn : $_WARNING_STATES_LIMIT / crit : $_CRTICAL_STATES_LIMIT / max : $_MAX_STATES_LIMIT)" + exit "$STATE_OK" +elif [ $_CHECK_STATES -ge $_WARNING_STATES_LIMIT ] && [ $_CHECK_STATES -lt $_CRTICAL_STATES_LIMIT ];then + echo "WARNING: States number is $_CHECK_STATES (threshold WARNING = $_WARNING_STATES_LIMIT, max = $_MAX_STATES_LIMIT)" + exit "$STATE_WARNING" +else + echo "CRITICAL: States number is $_CHECK_STATES (threshold CRITICAL = $_CRTICAL_STATES_LIMIT, max = $_MAX_STATES_LIMIT)" + exit "$STATE_CRITICAL" +fi diff --git a/roles/pf/tasks/main.yml b/roles/pf/tasks/main.yml new file mode 100644 index 0000000..30aef63 --- /dev/null +++ b/roles/pf/tasks/main.yml @@ -0,0 +1,7 @@ +--- +- name: Setup pf.conf + template: + src: pf.conf.j2 + dest: /etc/pf.conf + mode: "0600" + backup: yes diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2 new file mode 100644 index 0000000..1952e18 --- /dev/null +++ b/roles/pf/templates/pf.conf.j2 @@ -0,0 +1,74 @@ +# MANAGED BY ANSIBLE, MODIFICATIONS WILL BE LOST + +###################### +##### INTERFACES ##### +###################### + +ext_if="{{ ansible_default_ipv4.device }}" +#lan_if="em1" + +########################### +##### TABLES & LISTES ##### +########################### + +# Evolix +table { 88.179.18.233, 31.170.9.129, 31.170.8.4 } + +# Port en entrée +# 2222 = ssh secondaire +# 5666 = nrpe +#tcp_in = "{ domain, ldap, ldaps, imap, imaps, pop3, pop3s, ssh, smtp, http, https, ftp, ftp-data, smtps, submission, 2222 }" +tcp_in = "{ http, https }" + +# 33433><33626 = traceroute +#udp_in = "{ domain, ntp, 33433><33626 }" +udp_in = "{ 33433><33626 }" + + +################### +##### OPTIONS ##### +################### + +set block-policy return +set optimization normal +#set optimization aggressive +#set limit states 150000 +#set limit src-nodes 25000 +#set limit tables 10000 +#set limit table-entries 3000 +set skip on lo +match in all scrub (no-df) + +#################### +##### FILTRAGE ##### +#################### + +# politiques par defaut +block log all + +# filter rules and anchor for ftp-proxy(8) +#anchor "ftp-proxy/*" +#pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021 + +#pass quick proto carp +#pass quick on $pfsync_if proto pfsync + +pass out +# 9999 = pfstat, 5666 = nrpe +pass in on $ext_if proto tcp from to (self) port { 9999, ssh, 5666 } + +# Block Attack +# China 144.0.0.0/16 --> SSH +block in on $ext_if proto tcp from 144.0.0.0/16 to any port ssh + +# Autorisation des protocoles +pass in on $ext_if proto tcp to !(self) port $tcp_in +pass in on $ext_if proto udp to !(self) port $udp_in + +# FTP actif +# pass in on $ext_if proto tcp from any port 20 to any port 1024:65535 + + +# Acces public +pass in proto { icmp, icmp6 } + diff --git a/roles/post-install/files/ldap.sh b/roles/post-install/files/ldap.sh new file mode 100755 index 0000000..8933e90 --- /dev/null +++ b/roles/post-install/files/ldap.sh @@ -0,0 +1,140 @@ +#!/bin/sh + +EvoComputerName=$(hostname -s) +dnsPTRrecord=$(hostname) +HardwareMark=$(sysctl hw.vendor| sed 's#hw.vendor=##') +HardwareModel=$(sysctl hw.product| sed 's#hw.product=##') +computerIP=$(ifconfig egress | grep inet | awk -v OFS="\n" '{ print $2, $NF }'| head -1) +computerOS=OpenBSD +computerKernel=$(sysctl kern.osrelease | sed 's#kern.osrelease=##') +HardwareSerial=$(sysctl hw.serialno| sed 's#hw.serialno=##') +clientNumber="XXX" +cpuMark=$(sysctl hw.model| sed 's#hw.model=##') +cpuModel=$(sysctl hw.model| sed 's#hw.model=##') +cpuFreq=$(sysctl hw.cpuspeed| sed 's#hw.cpuspeed=##') +mem=$(expr $(sysctl hw.physmem| sed 's#hw.physmem=##') / 1000000)Mo +eth0Mark=unknown +eth0Model=unknown +eth0MAC=$(ifconfig egress | awk -v OFS="\n" '{ print $2, $NF }' | head -3 | tail -1) +eth0IP=$(ifconfig egress | grep inet | awk -v OFS="\n" '{ print $2, $NF }'| head -1) +screen0Mark=none +screen0Model=none +sdaSize=100G +sdaModel=unknown +swap=unknown +nrpeVersion=$(pkg_info nrpe | head -1 | sed 's/Information for inst://') +openvpnVersion=$(pkg_info openvpn | head -1 | sed 's/Information for inst://') +opensshFingerprintRSA=$(ssh-keyscan -t rsa localhost 2>/dev/null\ + | sed -e 's/localhost //' -e 's/ssh-rsa /ssh-rsa,/') +opensshFingerprintED25519=$(ssh-keyscan -t ed25519 localhost 2>/dev/null\ + | sed -e 's/localhost //' -e 's/ssh-ed25519 /ssh-ed25519,/') +opensshFingerprintECDSA=$(ssh-keyscan -t ecdsa-sha2-nistp256 localhost 2>/dev/null\ + | sed -e 's/localhost //' -e 's/ecdsa-sha2-nistp256 /ecdsa-sha2-nistp256,/') +Fingerprint="${opensshFingerprintRSA}${opensshFingerprintRSA:+;}"\ +"${opensshFingerprintED25519}${opensshFingerprintED25519:+;}${opensshFingerprintECDSA}" + +cat</root/${EvoComputerName}.ldif +# ldapvi --profile evolix --add --in ${EvoComputerName}.ldif + +dn: EvoComputerName=${EvoComputerName},ou=computer,dc=evolix,dc=net +dnsArecord: $EvoComputerName +EvoComputerName: $EvoComputerName +HardwareMark: $HardwareMark +HardwareModel: $HardwareModel +dnsZone: evolix.net +objectClass: EvoComputer +objectClass: top +computerIP: $computerIP +dnsPTRrecord: $dnsPTRrecord +computerOS: $computerOS +computerKernel: $computerKernel +isActive: TRUE +NagiosEnabled: TRUE +NagiosComments: icmp,everytime,10 +HardwareSerial: $HardwareSerial +clientNumber: $clientNumber + +dn: HardwareName=cpu0,EvoComputerName=${EvoComputerName},ou=computer,dc=evolix,dc=net +HardwareMark: $cpuMark +objectClass: EvoHardware +HardwareName: cpu0 +HardwareSize: $cpuFreq +HardwareType: CPU +HardwareModel: $cpuModel + +dn: HardwareName=ram0,EvoComputerName=${EvoComputerName},ou=computer,dc=evolix,dc=net +HardwareName: ram0 +objectClass: EvoHardware +HardwareSize: $mem +HardwareType: mem +NagiosEnabled: TRUE + +dn: HardwareName=eth0,EvoComputerName=${EvoComputerName},ou=computer,dc=evolix,dc=net +HardwareMark: $eth0Mark +objectClass: EvoHardware +HardwareName: eth0 +HardwareSize: 1Gigabit +HardwareType: netcard +HardwareAddress: $eth0MAC +HardwareModel: $eth0Model +HardwareIP: $eth0IP + +dn: HardwareName=screen0,EvoComputerName=${EvoComputerName},ou=computer,dc=evolix,dc=net +HardwareMark: $screen0Mark +HardwareName: screen0 +objectClass: EvoHardware +HardwareModel: $screen0Model +HardwareType: video + +dn: HardwareName=sda,EvoComputerName=${EvoComputerName},ou=computer,dc=evolix,dc=net +objectClass: EvoHardware +HardwareName: sda +HardwareSize: $sdaSize +HardwareType: disk +HardwareModel:${sdaModel} +HardwarePartitioncount: 1 +NagiosEnabled: TRUE + +dn: HardwareName=swap,EvoComputerName=${EvoComputerName},ou=computer,dc=evolix,dc=net +objectClass: EvoHardware +HardwareName: swap +HardwareSize: $swap +HardwareType: mem +NagiosEnabled: TRUE + +dn: ServiceName=nrpe,EvoComputerName=${EvoComputerName},ou=computer,dc=evolix,dc=net +NagiosEnabled: TRUE +ipServiceProtocol: TCP +ServiceVersion: $nrpeVersion +objectClass: EvoService +ServiceName: nrpe +ipServicePort: 5666 +ServiceType: monitoring + +dn: ServiceName=openssh,EvoComputerName=${EvoComputerName},ou=computer,dc=evolix,dc=net +ipServiceProtocol: tcp +NagiosEnabled: TRUE +ServiceFingerprint: $Fingerprint +objectClass: EvoService +ipServicePort: 22 +ServiceName: openssh +ServiceType: ssh +ServiceVersion: OpenSSH 6.7 + +dn: ServiceName=opensmtpd,EvoComputerName=${EvoComputerName},ou=computer,dc=evolix,dc=net +ipServiceProtocol: tcp +NagiosEnabled: TRUE +objectClass: EvoService +ServiceName: opensmtpd +ipServicePort: 25 +ServiceType: smtp +ServiceVersion: OpenSMTPD 5.4.3 + +dn: ServiceName=ntp,EvoComputerName=${EvoComputerName},ou=computer,dc=evolix,dc=net +NagiosEnabled: TRUE +objectClass: EvoService +ServiceName: ntp +ServiceType: ntp +ServiceVersion: OpenNTPd 4.6 + +EOT diff --git a/roles/post-install/tasks/ldif.yml b/roles/post-install/tasks/ldif.yml new file mode 100644 index 0000000..4247fc4 --- /dev/null +++ b/roles/post-install/tasks/ldif.yml @@ -0,0 +1,5 @@ +--- +- name: Generate ldif for LDAP + script: ldap.sh + args: + creates: "/root/*.ldif" diff --git a/roles/post-install/tasks/main.yml b/roles/post-install/tasks/main.yml new file mode 100644 index 0000000..1876037 --- /dev/null +++ b/roles/post-install/tasks/main.yml @@ -0,0 +1,4 @@ +--- +# tasks files +- include: ldif.yml +- include: update.yml diff --git a/roles/post-install/tasks/update.yml b/roles/post-install/tasks/update.yml new file mode 100644 index 0000000..1a6de6a --- /dev/null +++ b/roles/post-install/tasks/update.yml @@ -0,0 +1,9 @@ +--- +- name: Fetch and install openup + get_url: + url: https://stable.mtier.org/openup + dest: /usr/local/bin/openup + mode: "0750" + +- name: Install updates (erratas) with openup + shell: /usr/local/bin/openup diff --git a/tasks/commit_etc_git.yml b/tasks/commit_etc_git.yml new file mode 100644 index 0000000..032e898 --- /dev/null +++ b/tasks/commit_etc_git.yml @@ -0,0 +1,21 @@ +--- +- name: is /etc clean? + command: git status --porcelain + args: + chdir: /etc + changed_when: False + register: git_status + when: not ansible_check_mode + ignore_errors: yes + tags: + - commit-etc + +- name: /etc modifications are committed + shell: "git add -A . && git commit -m \"{{ commit_message | default('Ansible run') }}\" --author=\"{{ ansible_env.SUDO_USER | default('Root') }} <{{ ansible_env.SUDO_USER | default('Root') }}@{{ general_technical_realm }}>\"" + args: + chdir: /etc + register: etc_commit_end_evolinux + when: not ansible_check_mode and git_status.stdout != "" + ignore_errors: yes + tags: + - commit-etc diff --git a/vars/main.yml b/vars/main.yml new file mode 100644 index 0000000..ed3fb9f --- /dev/null +++ b/vars/main.yml @@ -0,0 +1,33 @@ +--- +######################################################## +## Edit and uncomment to overwrite the default values ## +######################################################## + +#ntpd_servers: +#- "ntp.evolix.net" +# +#general_alert_email: "root@localhost" +#general_technical_realm: "example.com" +# +#evomaintenance_realm: "example.com" +#evomaintenance_alert_email: "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}" +#evomaintenance_hostname: "{{ inventory_hostname }}.{{ general_technical_realm }}" +#evomaintenance_pg_host: Null +#evomaintenance_pg_passwd: Null +#evomaintenance_pg_db: Null +#evomaintenance_pg_table: Null +#evomaintenance_from_domain: "{{ evomaintenance_realm }}" +#evomaintenance_from: "evomaintenance@{{ evomaintenance_from_domain }}" +#evomaintenance_full_from: "Evomaintenance <{{ evomaintenance_from }}>" +#evomaintenance_urgency_from: mama.doe@example.com +#evomaintenance_urgency_tel: "06.00.00.00.00" +# +#evolix_users: +# foo: +# name: foo +# uid: 1042 +# fullname: 'Foo Bar (Evolix)' +# groups: [] +# password_hash_openbsd: '' +# ssh_keys: +# - 'ssh-rsa XXXXXXX'