
Squash: conventions, evolinux, etc-git…

munin-openbsd
Jérémy Lecour 6 years ago committed by Jérémy Lecour
parent
commit
c0ab8f99ce
  1. 158
      CONVENTIONS.md
  2. 2
      Vagrantfile
  3. 11
      apache/README.md
  4. 7
      apache/defaults/main.yml
  5. 0
      apache/files/evolinux-defaults.conf
  6. 1
      apache/files/private_htpasswd
  7. 0
      apache/files/private_ipaddr_whitelist.conf
  8. 120
      apache/tasks/main.yml
  9. 0
      apache/templates/evolinux-custom.conf.j2
  10. 23
      apt-backports/tasks/main.yml
  11. 0
      apt-repositories/README.md
  12. 1
      apt-repositories/defaults/main.yml
  13. 3
      apt-repositories/files/jessie_backports_preferences
  14. 17
      apt-repositories/tasks/main.yml
  15. 1
      apt-repositories/templates/backports.list.j2
  16. 13
      apt-upgrade/README.md
  17. 8
      apt-upgrade/tasks/main.yml
  18. 1
      elasticsearch-plugin-head/defaults/main.yml
  19. 3
      elasticsearch-plugin-head/meta/main.yml
  20. 36
      elasticsearch-plugin-head/tasks/main.yml
  21. 1
      elasticsearch/defaults/main.yml
  22. 7
      etc-git/README.md
  23. 1
      etc-git/files/gitignore
  24. 36
      etc-git/tasks/main.yml
  25. 7
      evocheck/README.md
  26. 3
      evocheck/meta/main.yml
  27. 8
      evocheck/tasks/main.yml
  28. 29
      evolinux-admin-users/README.md
  29. 6
      evolinux-admin-users/defaults/main.yml
  30. 95
      evolinux-admin-users/tasks/adduser_debian.yml
  31. 8
      evolinux-admin-users/tasks/main.yml
  32. 10
      evolinux-admin-users/templates/sudoers_debian.j2
  33. 24
      evolinux-base/README.md
  34. 41
      evolinux-base/defaults/main.yml
  35. BIN
      evolinux-base/files/default_www/img/background-top.png
  36. BIN
      evolinux-base/files/default_www/img/favicon.ico
  37. 9
      evolinux-base/files/logs/logrotate.d/apache2-php
  38. 16
      evolinux-base/files/logs/logrotate.d/apt
  39. 14
      evolinux-base/files/logs/logrotate.d/bind.disabled
  40. 9
      evolinux-base/files/logs/logrotate.d/dhcp
  41. 19
      evolinux-base/files/logs/logrotate.d/dpkg
  42. 8
      evolinux-base/files/logs/logrotate.d/freeradius
  43. 31
      evolinux-base/files/logs/logrotate.d/ftp.disabled
  44. 9
      evolinux-base/files/logs/logrotate.d/ldap
  45. 19
      evolinux-base/files/logs/logrotate.d/lighttpd.disabled
  46. 6
      evolinux-base/files/logs/logrotate.d/lvm-common.disabled
  47. 8
      evolinux-base/files/logs/logrotate.d/news.disabled
  48. 18
      evolinux-base/files/logs/logrotate.d/nginx
  49. 14
      evolinux-base/files/logs/logrotate.d/ntp.disabled
  50. 7
      evolinux-base/files/logs/logrotate.d/postgresql
  51. 11
      evolinux-base/files/logs/logrotate.d/procmail
  52. 14
      evolinux-base/files/logs/logrotate.d/samba
  53. 11
      evolinux-base/files/logs/logrotate.d/squid3.disabled
  54. 35
      evolinux-base/files/logs/logrotate.d/zsyslog
  55. 122
      evolinux-base/files/logs/rsyslog.conf
  56. 22
      evolinux-base/files/root/gitconfig
  57. 49
      evolinux-base/handlers/main.yml
  58. 55
      evolinux-base/tasks/apt.yml
  59. 14
      evolinux-base/tasks/default_packages.yml
  60. 108
      evolinux-base/tasks/default_www.yml
  61. 53
      evolinux-base/tasks/fstab.yml
  62. 71
      evolinux-base/tasks/hardware.yml
  63. 37
      evolinux-base/tasks/hostname.yml
  64. 39
      evolinux-base/tasks/kernel.yml
  65. 28
      evolinux-base/tasks/logs.yml
  66. 39
      evolinux-base/tasks/main.yml
  67. 2
      evolinux-base/tasks/provider_online.yml
  68. 14
      evolinux-base/tasks/provider_orange_fce.yml
  69. 78
      evolinux-base/tasks/root.yml
  70. 104
      evolinux-base/tasks/system.yml
  71. 2
      evolinux-base/templates/apt/evolix_public.list.j2
  72. 55
      evolinux-base/templates/default_www/apache_default_site.j2
  73. 78
      evolinux-base/templates/default_www/index.html.j2
  74. 2
      evolinux-base/templates/default_www/nginx_default_site.j2
  75. 191
      evolinux-base/templates/hardware/cciss-vol-statusd.j2
  76. 4
      evolinux-base/templates/hardware/megaclisas-statusd.j2
  77. 16
      evolinux-base/templates/system/init_alert5.j2
  78. 31
      evolinux-base/vars/main.yml
  79. 23
      evomaintenance/defaults/main.yml
  80. 3
      evomaintenance/meta/main.yml
  81. 32
      evomaintenance/tasks/main.yml
  82. 26
      evomaintenance/tasks/trap.yml
  83. 13
      evomaintenance/templates/evomaintenance.j2
  84. 16
      fail2ban/README.md
  85. 3
      fail2ban/defaults/main.yml
  86. 3
      fail2ban/files/dovecot-evolix.conf
  87. 3
      fail2ban/files/sasl-evolix.conf
  88. 5
      fail2ban/handlers/main.yml
  89. 24
      fail2ban/tasks/main.yml
  90. 27
      fail2ban/templates/jail.local.j2
  91. 1
      filebeat/defaults/main.yml
  92. 1
      java8/defaults/main.yml
  93. 1
      kibana-proxy-nginx/defaults/main.yml
  94. 6
      listupgrade/defaults/main.yml
  95. 39
      listupgrade/tasks/main.yml
  96. 4
      listupgrade/templates/listupgrade.cnf.j2
  97. 217
      listupgrade/templates/listupgrade.sh.j2
  98. 1
      listupgrade/templates/listupgrade_cron.j2
  99. 1
      logstash/defaults/main.yml
  100. 19
      minifirewall/README.md

158
CONVENTIONS.md

@ -0,0 +1,158 @@
# Conventions
## Roles
We can use the `ansible-galaxy init` command to bootstrap a new role :
$ ansible-galaxy init foo
- foo was created successfully
$ tree foo
foo
├── defaults
   └── main.yml
├── files
├── handlers
   └── main.yml
├── meta
   └── main.yml
├── README.md
├── tasks
   └── main.yml
├── templates
├── tests
   ├── inventory
   └── test.yml
└── vars
└── main.yml
All `main.yml` file will be picked up by Ansible automatically, with respect to their own responsibility.
The main directory is `tasks`. It will contains tasks, either all in the `main.yml` file, or grouped in files that can be included in the main file.
`defaults/main.yml` is the place to put the list of all variables for the role with a default value.
`vars` will hold files with variables definitions. Those differ from the defaults because of a much higher precedence (see below).
`files` is the directory where we'll put files to copy on hosts. They will be copied "as-is". When a role has multiple logical groups of tasks, it's best to create a sub-directroy for each group that needs files. The name of files in these directories doesn't have to be the same as the destination name. Example :
copy:
src: apt/jessie_backports_preferences
dest: /etc/apt/apt.conf.d/backports
`templates` is the twin brother of `files`, but differs in that it contains files that can be pre-processed by the Jinja2 templating language. It can contain variables that will be extrapolated before copying the file to its destination.
`handlers` is the place to put special tasks that can be triggered by the `notify` argument of modules. For example an `nginx -s reload` command.
`meta/main.yml` contains … well … "meta" information. There we can define role dependencies, but also some "galaxy" information like the desired Ansible version, supported OS and distributions, a destription, author/ownership, license…
`tests` and `.travis.yml` are here to help testing with a test matrix, a test inventory and a test playbook.
We can delete parts we don't need.
### How much goes into a role
We create roles (instead of a plain tasks files) when it makes sense as a whole, and it is more that a series of tasks. It often has variables, files/templates, handlers…
## Syntax
### Pure YAML
It's possible to use a compact (Ansible specific) syntax,
- name: Add evomaintenance trap for '{{ user.name }}'
lineinfile: state=present dest='/home/{{ user.name }}/.profile' insertafter=EOF line='trap "sudo /usr/share/scripts/evomaintenance.sh" 0'
when: evomaintenance_script.stat.exists
but we prefer the pure-YAML syntax
- name: Add evomaintenance trap for '{{ user.name }}'
lineinfile:
state: present
dest: '/home/{{ user.name }}/.profile'
insertafter: EOF
line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0'
when: evomaintenance_script.stat.exists
Here are some reasons :
* when lines get long, it's easier to read ;
* it's a pure YAML syntax, so there is no Ansible-specific preprocessing
* … with means that IDE can show the proper syntax highligthing ;
* each argument stands on its own.
## Variables
### defaults
When a role is using variables, they must be defined (for example in the `defaults/main.yml`) with a default value (possibly Ǹull). That way, there will never be an "foo is undefined" situation.
### progressive specificity
In many roles, we use a *progressive specificity* pattern for some variables.
The most common is for "alert_email" ; we want to have a default email address where all alerts or message will be sent, but it can be customized globally, and also customized per task/role.
For the *evolinux-base* role we have those defaults :
general_alert_email: "root@localhost"
reboot_alert_email: Null
log2mail_alert_email: Null
raid_alert_email: Null
In the *log2mail* template, we set the email address like this :
mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}
if nothing is customize, the mail will be sent to root@localhost, if geeral_alert_email is changed, it will be use, but if log2mail_alert_email is set to a non-null value, it will have precedence.
## precedence
There are multiple places where we can define variables ans there is a specific precedence order for the resolution. Here is [the (ascending) order](http://docs.ansible.com/ansible/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable) :
* role defaults
* inventory vars
* inventory group_vars
* inventory host_vars
* playbook group_vars
* playbook host_vars
* host facts
* play vars
* play vars_prompt
* play vars_files
* registered vars
* set_facts
* role and include vars
* block vars (only for tasks in block)
* task vars (only for the task)
* extra vars (always win precedence)
## Configuration patterns
### lineinfile vs. blockinfile vs. copy/template
When possible, we prefer using the [lineinfile](http://docs.ansible.com/ansible/lineinfile_module.html) module to make very specific changes.
If a `regexp` argument is specified, every line that matches the pattern will be updated. It's a good way to comment/uncomment variable, of add a piece inside a line.
When it's not possible (multi-line changes, for example), we can use the [blockinfile](http://docs.ansible.com/ansible/blockinfile_module.html) module. It managed blocs of text with begin/end markers. The marker can be customized, mostly to use the proper comment syntax, but also to prevent collisions within a file.
If none of the previous ca be used, we can use [copy](http://docs.ansible.com/ansible/copy_module.html) or [template](http://docs.ansible.com/ansible/template_module.html) modules to copy an entire file.
### defaults and custom files
We try not to alter configuration files managed by packages. It makes upgrading easier, so when a piece of software has a "foo.d" configuration directory, we add custom files there.
We usually put a `z-evolinux-defaults` with our core configuration. This file can be changed later via Ansible and must not be edited by hand. Example :
copy:
src: evolinux-defaults.cnf
dest: /etc/mysql/conf.d/z-evolinux-defaults.cnf
force: yes
We also create a blank `zzz-evolinux-custom` file, with commented examples, to allow custom configuration that will never be reverted by Ansible. Example :
copy:
src: evolinux-custom.cnf
dest: /etc/mysql/conf.d/zzz-evolinux-custom.cnf
force: no
The source file or template shouldn't to be prefixed for ordering (eg. `z-` or `zzz-`). It's the task's responsibility to choose how destination files must be ordered.

2
Vagrantfile vendored

@ -9,7 +9,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
config.vm.synced_folder "./vagrant_share/", "/vagrant", disabled: true
config.vm.provider :virtualbox do |v|
v.memory = 1024
v.memory = 2048
v.cpus = 2
v.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]
v.customize ["modifyvm", :id, "--ioapic", "on"]

11
apache/README.md

@ -6,6 +6,13 @@ Install Apache
Everything is in the `tasks/main.yml` file for now.
## Variables
## Available variables
To add IP to apache whitelist, define apache_ipaddr_whitelist variable as list.
Main variables are :
* `apache_private_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ;
* `apache_private_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist;
* `apache_private_htpasswd_present` : list of users to have in the private htpasswd ;
* `apache_private_htpasswd_absent` : list of users to **not** have in the private htpasswd.
The full list of variables (with default values) can be found in `defaults/main.yml`.

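--- a/apache/defaults/main.yml
+++ b/apache/defaults/main.yml
@@ -1 +1,6 @@
-apache_ipaddr_whitelist: []
+---
+apache_private_ipaddr_whitelist_present: []
+apache_private_ipaddr_whitelist_absent: []
+apache_private_htpasswd_present: []
+apache_private_htpasswd_absent: []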

0
apache/files/z_evolinux.conf → apache/files/evolinux-defaults.conf

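--- /dev/null
+++ b/apache/files/private_htpasswd
@@ -0,0 +1 @@
+# user:password for HTTP Basic authentication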

0
apache/files/ipaddr_whitelist.conf → apache/files/private_ipaddr_whitelist.conf

120
apache/tasks/main.yml

@ -1,4 +1,4 @@
- name: Ensure packages are installed
- name: packages are installed
apt:
name: '{{ item }}'
state: present
@ -7,8 +7,10 @@
- apachetop
- libapache2-mod-evasive
- libwww-perl
tags:
- apache
- name: Ensure basic modules are enabled
- name: basic modules are enabled
apache2_module:
name: '{{ item }}'
state: present
@ -18,48 +20,120 @@
- headers
- rewrite
- cgi
tags:
- apache
- name: Copy Apache config files
- name: Copy Apache defaults config file
copy:
src: "{{ item.file }}"
dest: "/etc/apache2/conf-available/{{ item.file }}"
src: evolinux-defaults.conf
dest: "/etc/apache2/conf-available/z-evolinux-defaults.conf
owner: root
group: root
mode: "{{ item.mode }}"
with_items:
- { file: z_evolinux.conf, mode: 0644 }
- { file: zzz_evolinux.conf, mode: 0640 }
mode: 0644
force: yes
tags:
- apache
- name: Copy Apache custom config file
template:
src: evolinux-custom.conf.j2
dest: "/etc/apache2/conf-available/zzz-evolinux-custom.conf
owner: root
group: root
mode: 0644
force: no
tags:
- apache
- name: Ensure Apache default config is enabled
command: a2enconf z_evolinux.conf zzz_evolinux.conf
- name: Ensure Apache config files are enabled
command: "a2enconf {{ item }}"
register: command_result
changed_when: "'Enabling' in command_result.stderr"
with_items:
- z-evolinux-defaults.conf
- zzz-evolinux-custom.conf
tags:
- apache
- name: Init ipaddr_whitelist.conf file
- name: Init private_ipaddr_whitelist.conf file
copy:
src: ipaddr_whitelist.conf
dest: /etc/apache2/ipaddr_whitelist.conf
src: private_ipaddr_whitelist.conf
dest: /etc/apache2/private_ipaddr_whitelist.conf
owner: root
group: root
mode: 0640
force: no
tags:
- apache
- name: Add IP addresses to private IP whitelist if defined
- name: add IP addresses to private IP whitelist
lineinfile:
dest: /etc/apache2/ipaddr_whitelist.conf
dest: /etc/apache2/private_ipaddr_whitelist.conf
line: "Allow from {{ item }}"
state: present
with_items: "{{ apache_ipaddr_whitelist }}"
with_items: "{{ apache_private_ipaddr_whitelist_present }}"
notify: reload apache
tags:
- apache
- name: remove IP addresses from private IP whitelist
lineinfile:
dest: /etc/apache2/private_ipaddr_whitelist.conf
line: "Allow from {{ item }}"
state: absent
with_items: "{{ apache_private_ipaddr_whitelist_absent }}"
notify: reload apache
tags:
- apache
- name: Copy private_htpasswd
copy:
src: private_htpasswd
dest: /etc/apache2/private_htpasswd
owner: root
group: root
mode: 0640
force: no
notify: reload apache
tags:
- apache
- name: add user:pwd to private htpasswd
lineinfile:
dest: /etc/apache2/private_htpasswd
line: "{{ item }}"
state: present
with_items: "{{ apache_private_htpasswd_present }}"
notify: reload apache
tags:
- apache
- name: remove user:pwd from private htpasswd
lineinfile:
dest: /etc/apache2/private_htpasswd
line: "{{ item }}"
state: absent
with_items: "{{ apache_private_htpasswd_absent }}"
notify: reload apache
tags:
- apache
- name: is umask already present?
command: "grep -E '^umask ' /etc/apache2/envvars"
failed_when: False
changed_when: False
register: envvar_grep_umask
tags:
- apache
- name: Add a mark in envvars for umask
blockinfile:
dest: /etc/apache2/envvars
marker: "## {mark} ANSIBLE MANAGED BLOCK"
block: |
## Set umask for writing by Apache user.
## Set rights on files and directories written by Apache
- name : Ensure umask is set in envvars (default is umask 007)
lineinfile:
dest: /etc/apache2/envvars
regexp: "^umask"
line: "umask 007"
umask 007
when: envvar_grep_umask.rc != 0
tags:
- apache
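Review bot: The `dest` values of the two conf-available tasks open a double quote that is never closed — `dest: "/etc/apache2/conf-available/z-evolinux-defaults.conf` and the matching `zzz-evolinux-custom.conf` line — which, as rendered here, is either a YAML parse error or makes the quoted scalar swallow the following lines until the next `"`; either way the role file does not load, and `dest: "/etc/apache2/conf-available/z-evolinux-defaults.conf"` (same for the zzz line) is the fix, assuming the page did not drop the quotes. Revocation through `apache_private_htpasswd_absent` only works if the operator supplies the exact `user:hash` line, because `lineinfile` with `state: absent` matches `line` literally; a bare username, which is what the README calls a "list of users", silently leaves the account active, so the remove task should match on `regexp: "^{{ item.split(':')[0] }}:"` instead. `private_htpasswd` is installed root:root 0640 while Apache workers run as www-data, so if evolinux-defaults.conf (not shown) references it via `AuthUserFile`, request-time lookups will fail to open it — confirm and set `group: www-data` if so.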

0
apache/files/zzz_evolinux.conf → apache/templates/evolinux-custom.conf.j2

23
apt-backports/tasks/main.yml

@ -1,23 +0,0 @@
---
- name: Jessie-backports list is available
apt_repository:
repo: "deb http://mirror.evolix.org/debian jessie-backports main contrib non-free"
update_cache: yes
state: present
tags:
- system
- packages
- name: Backports have a low priority
blockinfile:
dest: /etc/apt/preferences.d/backports
marker: "// {mark} ANSIBLE MANAGED BLOCK"
insertafter: EOF
create: yes
block: |
Package: *
Pin: release a=jessie-backports
Pin-Priority: 50
tags:
- system
- packages

0
apt-backports/README.md → apt-repositories/README.md

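--- /dev/null
+++ b/apt-repositories/defaults/main.yml
@@ -0,0 +1 @@
+apt_repositories_components: "main"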

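--- /dev/null
+++ b/apt-repositories/files/jessie_backports_preferences
@@ -0,0 +1,3 @@
+Package: *
+Pin: release a=jessie-backports
+Pin-Priority: 50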

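--- /dev/null
+++ b/apt-repositories/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+- name: Backports sources list is installed
+template:
+src: backports.list.j2
+dest: /etc/apt/sources.list.d/backports.list
+force: yes
+backup: yes
+mode: 0640
+- name: Backports configuration
+copy:
+src: jessie_backports_preferences
+dest: /etc/apt/preferences.d/backports
+force: yes
+backup: yes
+mode: 0640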
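Review bot: Nothing refreshes the APT cache after the sources list is written, so the task reports a change but `jessie-backports` packages stay unavailable until something else runs `apt-get update`; the `apt_repository` task this commit removes did that with `update_cache: yes`, so add `notify: apt update` (or a follow-up `apt: update_cache: yes` task) here. The template it installs is hard-wired to `jessie-backports` (backports.list.j2 in this same commit), so a guard such as `when: ansible_distribution_release == "jessie"` keeps the role from enabling a wrong suite on a wheezy or stretch host. Neither file sets `owner`/`group`; under `become` they end up root-owned anyway, but stating `owner: root` and `group: root` makes the 0640 mode deliberate rather than incidental.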

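--- /dev/null
+++ b/apt-repositories/templates/backports.list.j2
@@ -0,0 +1 @@
+deb http://mirror.evolix.org/debian jessie-backports {{ apt_repositories_components | mandatory }}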

13
apt-upgrade/README.md

@ -1,13 +0,0 @@
# apt-upgrade
Upgrades Debian packages
## Tasks
Everything is in the `tasks/main.yml` file.
## Available variables
* `apt_upgrade_mode` : kind of upgrade to do (cf. http://docs.ansible.com/ansible/apt_module.html#options)
Choice of upgrade mode can be set in a variables file (ex. `vars/main.yml`) or when invoking the role (`- { role: apt-upgrade, apt_upgrade_mode: safe }`).

8
apt-upgrade/tasks/main.yml

@ -1,8 +0,0 @@
---
- name: Ensure Debian is up-to-date
apt:
update_cache: yes
upgrade: "{{ apt_upgrade_mode | default('safe') }}"
tags:
- system
- packages

1
elasticsearch-plugin-head/defaults/main.yml

@ -1,3 +1,4 @@
---
elasticsearch_plugin_head_home: /home/elasticsearch-head
elasticsearch_plugin_head_clone_dir: "{{ elasticsearch_plugin_head_home }}/www"
elasticsearch_plugin_head_owner: "elasticsearch-head"

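--- /dev/null
+++ b/elasticsearch-plugin-head/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+- nodejs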

36
elasticsearch-plugin-head/tasks/main.yml

@ -1,41 +1,5 @@
---
- name: APT https transport is enabled
apt:
name: apt-transport-https
state: installed
tags:
- system
- packages
- name: Node GPG key is installed
apt_key:
url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key
state: present
tags:
- system
- packages
- npm
- name: Node sources list is available
apt_repository:
repo: "deb https://deb.nodesource.com/node_6.x jessie main"
state: present
tags:
- system
- packages
- npm
- name: Node is installed
apt:
name: nodejs
update_cache: yes
state: installed
tags:
- packages
- npm
- name: "User {{ elasticsearch_plugin_head_owner }} is present"
user:
name: "{{ elasticsearch_plugin_head_owner }}"

1
elasticsearch/defaults/main.yml

@ -1,3 +1,4 @@
---
elasticsearch_cluster_name: Null
elasticsearch_node_name: "${HOSTNAME}"
elasticsearch_network_host: "[_site_, _local_]"
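Review bot: `elasticsearch_network_host: "[_site_, _local_]"` binds the node to every site-local address, which exposes the HTTP (9200) and transport ports to the whole LAN on any host that keeps the default, and Elasticsearch ships with no authentication on those ports; unless a cluster is being set up, `_local_` alone is the safer default, with `_site_` opted into per host together with the minifirewall rules elsewhere in this commit. The template that consumes the value is not in this view, so this is inferred from the default alone.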

7
etc-git/README.md

@ -0,0 +1,7 @@
# etc-git
Put /etc under Git version control.
## Tasks
Everything is in the `tasks/main.yml` file.

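--- /dev/null
+++ b/etc-git/files/gitignore
@@ -0,0 +1 @@
+aliases.db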

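--- /dev/null
+++ b/etc-git/tasks/main.yml
@@ -0,0 +1,36 @@
+---
+- name: Git is installed
+apt:
+name: git
+state: present
+- name: /etc is versioned with git
+command: "git init ."
+args:
+chdir: /etc
+creates: /etc/.git/
+register: git_init
+- name: /etc/.gitignore is present
+copy:
+src: gitignore
+dest: /etc/.gitignore
+owner: root
+group: root
+mode: 0600
+- name: does /etc/ have any commit?
+command: "git log"
+args:
+chdir: /etc
+changed_when: False
+failed_when: False
+register: git_log
+- name: initial commit is present?
+shell: "git add -A . && git commit -m \"Initial commit via Ansible\""
+args:
+chdir: /etc
+register: git_commit
+when: git_init.changed or git_log.rc != 0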
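Review bot: `git init` in /etc followed by `git add -A .` copies every file in /etc — /etc/shadow, /etc/sudoers.d/*, and any private keys under /etc/ssl or /etc/ssh — into /etc/.git/objects, and git creates those object files and directories under the process umask (typically 0444 inside 0755 directories), so root-only files get world-readable copies. Add a task right after the init, before the commit runs, that restricts the repository: `file: path=/etc/.git state=directory mode=0700 owner=root group=root`. The `git commit` also needs `user.name`/`user.email` for root; the diffstat lists `evolinux-base/files/root/gitconfig`, which presumably covers it, but that file is not visible here.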

7
evocheck/README.md

@ -0,0 +1,7 @@
# evocheck
Install a script to verify compliance of a Debian/OpenBSD server
## Tasks
Everything is in the `tasks/main.yml` file.

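--- /dev/null
+++ b/evocheck/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+- { role: evolinux-sources-list }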

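--- /dev/null
+++ b/evocheck/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+- name: evocheck is installed
+command: "apt-get install -yq --allow-unauthenticated evomaintenance"
+register: installed_evomaintenance
+changed_when: not (installed_evomaintenance.stdout | search("0 upgraded") and installed_evomaintenance.stdout | search("0 newly installed"))
+# TODO make sure that the package is in the right version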
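Review bot: The task is named "evocheck is installed" but runs `apt-get install -yq --allow-unauthenticated evomaintenance` and registers `installed_evomaintenance`, so the evocheck package is never installed; the package name and the register variable should both say `evocheck`. `--allow-unauthenticated` also switches off APT's signature verification for this install, so whatever an on-path attacker or a compromised mirror returns gets installed as root; the `evolinux-sources-list` dependency in meta/main.yml should install the repository's signing key (e.g. with `apt_key`) so that a plain `apt: name=evocheck state=present` can verify the package and report `changed` itself, which would also drop the fragile `"0 upgraded"` stdout parsing.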

29
evolinux-admin-users/README.md

@ -0,0 +1,29 @@
# evolinux-admin-users
Creates admin users accounts, based on a configuration data structure.
## Tasks
Everything is in the `tasks/main.yml` file.
## Available variables
The variable `evolinux_admin_users` must be a "hash" of one or more users :
```
evolinux_admin_users:
- name: foo
uid: 1001
fullname: 'Mr Foo'
password_hash: 'sdfgsdfgsdfgsdfg'
ssh_key: 'ssh-rsa AZERTYXYZ'
- name: bar
uid: 1002
fullname: 'Mr Bar'
password_hash: 'gsdfgsdfgsdfgsdf'
ssh_key: 'ssh-rsa QWERTYUIOP'
```
* `general_scripts_dir`: general directory for scripts installation (default: `/usr/local/bin`).
* `listupgrade_scripts_dir`: script directory for listupgrade (default: `general_scripts_dir`).
* `evomaintenance_scripts_dir`: script directory for evomaintenance (default: `general_scripts_dir`).

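--- /dev/null
+++ b/evolinux-admin-users/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+evolinux_admin_users: []
+general_scripts_dir: "/usr/local/bin"
+evomaintenance_scripts_dir: Null
+listupgrade_scripts_dir: Null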

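--- /dev/null
+++ b/evolinux-admin-users/tasks/adduser_debian.yml
@@ -0,0 +1,95 @@
+---
+- name: Test if uid exists for '{{ user.name }}'
+command: 'getent passwd {{ user.uid }}'
+register: uidisbusy
+failed_when: False
+changed_when: False
+- name: Add Unix account with classical uid for '{{ user.name }}'
+user:
+state: present
+uid: '{{ user.uid }}'
+name: '{{ user.name }}'
+comment: '{{ user.fullname }}'
+shell: /bin/bash
+password: '{{ user.password_hash }}'
+update_password: on_create
+when: uidisbusy|failed
+- name: Add Unix account with random uid for '{{ user.name }}'
+user:
+state: present
+name: '{{ user.name }}'
+comment: '{{ user.fullname }}'
+shell: /bin/bash
+password: '{{ user.password_hash }}'
+update_password: on_create
+when: uidisbusy|success
+- name: Fix perms on homedirectory for '{{ user.name }}'
+file:
+name: '/home/{{ user.name }}'
+mode: 0700
+state: directory
+- name: is evomaintenance installed?
+stat:
+path: "{{ evomaintenance_scripts_dir or general_scripts_dir | mandatory }}/evomaintenance.sh"
+register: evomaintenance_script
+- name: Add evomaintenance trap for '{{ user.name }}'
+lineinfile:
+state: present
+dest: '/home/{{ user.name }}/.profile'
+insertafter: EOF
+line: 'trap "sudo {{ evomaintenance_scripts_dir or general_scripts_dir | mandatory }}/evomaintenance.sh" 0'
+when: evomaintenance_script.stat.exists
+- name: Create .ssh directory for '{{ user.name }}'
+file:
+dest: '/home/{{ user.name }}/.ssh/'
+state: directory
+mode: 0700
+owner: '{{ user.name }}'
+group: '{{ user.name }}'
+- name: Add user's SSH public key for '{{ user.name }}'
+lineinfile:
+dest: '/home/{{ user.name }}/.ssh/authorized_keys'
+create: yes
+line: '{{ user.ssh_key }}'
+owner: '{{ user.name }}'
+group: '{{ user.name }}'
+- name: Modify AllowUsers' sshd directive for '{{ user.name }}'
+replace:
+dest: /etc/ssh/sshd_config
+regexp: '^(AllowUsers ((?!{{ user.name }}).)*)$'
+replace: '\1 {{ user.name }}'
+notify:
+- reload sshd
+- name: Modify Match User's sshd directive for '{{ user.name }}'
+replace:
+dest: /etc/ssh/sshd_config
+regexp: '^(Match User ((?!{{ user.name }}).)*)$'
+replace: '\1,{{ user.name }}'
+notify:
+- reload sshd
+- name: Evolinux sudoers file is present
+template:
+src: sudoers_debian.j2
+dest: /etc/sudoers.d/evolinux
+force: false
+validate: '/usr/sbin/visudo -cf %s'
+register: copy_sudoers_evolinux
+- name: Add user in sudoers file for '{{ user.name }}'
+replace:
+dest: /etc/sudoers.d/evolinux
+regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$'
+replace: '\1,{{ user.name }}'
+validate: '/usr/sbin/visudo -cf %s'
+when: not copy_sudoers_evolinux.changed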
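Review bot: The negative lookahead that decides whether a user is already listed — `regexp: '^(AllowUsers ((?!{{ user.name }}).)*)$'`, and the same shape for the `Match User` and sudoers `User_Alias ADMINS` lines — matches the name as a substring, so creating `jo` on a host that already lists `john` never appends `jo`: the account exists but is refused by sshd wherever AllowUsers is in force and has no sudo, and no task fails to show it. Anchoring the name on word boundaries fixes it, e.g. `regexp: '^(AllowUsers(?!.*\b{{ user.name }}\b).*)$'` with `replace: '\1 {{ user.name }}'`, and `^(User_Alias\s+ADMINS\s+=(?!.*\b{{ user.name }}\b).*)$` with the `,{{ user.name }}` replacement for sudoers. Both sshd_config edits go live through `reload sshd` without the `validate` the sudoers edits get; adding `validate: '/usr/sbin/sshd -t -f %s'` to each `replace` catches a bad substitution before the daemon picks it up. `authorized_keys` is created by `lineinfile` without a `mode`, so it takes the umask default; `mode: 0600` keeps the key file private to the user.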

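--- /dev/null
+++ b/evolinux-admin-users/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+- include: adduser_debian.yml user={{ item }}
+with_items: "{{ evolinux_admin_users }}"
+when: ansible_distribution == "Debian"
+# - include: openbsd.yml
+# when: ansible_distribution == "OpenBSD"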

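--- /dev/null
+++ b/evolinux-admin-users/templates/sudoers_debian.j2
@@ -0,0 +1,10 @@
+Defaults umask=0077
+Cmnd_Alias MAINT = {{ evomaintenance_scripts_dir or general_scripts_dir | mandatory }}/evomaintenance.sh, {{ listupgrade_scripts_dir or general_scripts_dir | mandatory }}/listupgrade.sh, /usr/bin/apt, /bin/mount
+User_Alias ADMINS = {{ user.name }}
+nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
+nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
+ADMINS ALL = (ALL:ALL) ALL
+ADMINS ALL = NOPASSWD: MAINT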
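Review bot: `ADMINS ALL = NOPASSWD: MAINT` grants passwordless root through `/usr/bin/apt` and `/bin/mount`, which undoes the password requirement of the `ADMINS ALL = (ALL:ALL) ALL` rule above it: `sudo apt update -o APT::Update::Pre-Invoke::=/bin/sh` opens a root shell with no password, so anyone holding an admin's SSH key or an unattended session has root outright. If the intent is only to let the `.profile` evomaintenance trap and listupgrade run unprompted, MAINT should hold just those two scripts, leaving `apt` and `mount` under the password-protected rule. A NOPASSWD path is only as strong as the file behind it, so the two scripts must not be writable by the admin accounts; their installation is outside this template.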

24
evolinux-base/README.md

@ -0,0 +1,24 @@
# evolinux-base
Various tasks for Evolinux setup.
## Tasks
* `system.yml` :
* `apt.yml` :
* `install_tools.yml` :
* `root.yml` :
* `logs.yml` :
## Available variables
Main variables are :
* `evolinux_delete_nfs`: delete NFS tools (default: `True`)
* `evolinux_ntp_server`: custom NTP server host or IP (default: `Null`)
* `evolinux_additional_packages`: optional additional packages to install (default: `[]`)
* `general_alert_email`: email address to send various alert messages (default: `root@localhost`).
* `apt_alert_email`: email address to send APT messages to (default: `general_alert_email`).
* `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`).
The full list of variables (with default values) can be found in `defaults/main.yml`.

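--- /dev/null
+++ b/evolinux-base/defaults/main.yml
@@ -0,0 +1,41 @@
+---
+general_alert_email: "root@localhost"
+reboot_alert_email: Null
+apt_alert_email: Null
+log2mail_alert_email: Null
+raid_alert_email: Null
+# hostname
+evolinux_hostname: "{{ ansible_hostname }}"
+evolinux_domain: "{{ ansible_domain }}"
+evolinux_fqdn: "{{ ansible_fqdn }}"
+evolinux_internal_hostname: "{{ evolinux_hostname }}"
+# apt
+evolinux_apt_repositories_components: "main"
+evolinux_apt_hooks: False
+# kernel
+evolinux_kernel_reboot_after_panic: True
+evolinux_kernel_disable_tcp_timestamps: True
+evolinux_kernel_reduce_swapiness: True
+evolinux_kernel_cve20165696: True
+# providers
+evolinux_provider_online: False
+evolinux_provider_orange_fce: False
+# default www
+evolinux_default_www_redirect_url: "http://evolix.fr"
+evolinux_default_www_ssl_subject: "/CN={{ ansible_fqdn }}"
+evolinux_default_www_nginx_enabled: False
+evolinux_default_www_apache_enabled: False
+# misc.
+evolinux_ntp_server: Null
+evolinux_delete_nfs: True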
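Review bot: `evolinux_kernel_disable_tcp_timestamps: True` ships a hardening default that also disables PAWS and timestamp-based RTT measurement, since both ride on the TCP timestamp option; the uptime leak it closes is minor next to the sequence-wrap protection it removes on fast links, so the default deserves a comment stating the trade-off, e.g. `# also disables PAWS/RTTM; keep True only where hiding uptime matters more`. `evolinux_kernel_cve20165696: True` names a switch after a CVE rather than after what it sets, so a maintainer has to open the kernel task (not in this view) to learn it is presumably the challenge-ACK rate-limit sysctl; a comment naming the sysctl next to the default would save that lookup.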

BIN
evolinux-base/files/default_www/img/background-top.png


BIN
evolinux-base/files/default_www/img/favicon.ico


9
evolinux-base/files/logs/logrotate.d/apache2-php

@ -0,0 +1,9 @@
/var/log/php.log {
weekly
missingok
rotate 52
compress
delaycompress
notifempty
create 640 www-data adm
}

16
evolinux-base/files/logs/logrotate.d/apt

@ -0,0 +1,16 @@
/var/log/apt/term.log {
rotate 120
monthly
compress
missingok
notifempty
}
/var/log/apt/history.log {
rotate 120
monthly
compress
missingok
notifempty
}

14
evolinux-base/files/logs/logrotate.d/bind.disabled

@ -0,0 +1,14 @@
/var/chroot-bind/var/log/bind.log {
weekly
missingok
notifempty
rotate 4
create 640 bind bind
compress
delaycompress
sharedscripts
postrotate
rndc reload > /dev/null
endscript
}

9
evolinux-base/files/logs/logrotate.d/dhcp

@ -0,0 +1,9 @@
/var/log/dhcp.log {
weekly
missingok
rotate 52
compress
delaycompress
create 640 root adm
notifempty
}

19
evolinux-base/files/logs/logrotate.d/dpkg

@ -0,0 +1,19 @@
/var/log/dpkg.log {
monthly
rotate 120
compress
delaycompress
missingok
notifempty
create 644 root root
}
/var/log/alternatives.log {
monthly
rotate 120
compress
delaycompress
missingok
notifempty
create 644 root root
}

8
evolinux-base/files/logs/logrotate.d/freeradius

@ -0,0 +1,8 @@
/var/log/freeradius/*.log {
weekly
missingok
rotate 52
compress
delaycompress
notifempty
}

31
evolinux-base/files/logs/logrotate.d/ftp.disabled

@ -0,0 +1,31 @@
/var/log/proftpd.log {
weekly
missingok
rotate 13
compress
delaycompress
notifempty
create 640 root adm
sharedscripts
postrotate
/etc/init.d/proftpd restart > /dev/null
endscript
}
/var/log/xferlog.log {
weekly
rotate 1
missingok
create 640 root adm
sharedscripts
postrotate
DATE=$(date +"%d-%m-%Y")
cd /var/log
ftpstats -a -r -l 2 -d i-f xferlog.log.1 2>/dev/null >xferreport.$DATE
mv xferlog.log.1 xferlog.log.$DATE
gzip xferlog.log.$DATE
gzip xferreport.$DATE
endscript
}

9
evolinux-base/files/logs/logrotate.d/ldap

@ -0,0 +1,9 @@
/var/log/openldap.log {
weekly
missingok
rotate 3
compress
notifempty
create 640 root adm
}

19
evolinux-base/files/logs/logrotate.d/lighttpd.disabled

@ -0,0 +1,19 @@
/var/log/lighttpd/*.log {
weekly
missingok
copytruncate
rotate 52
compress
delaycompress
notifempty
sharedscripts
postrotate
if [ -f /var/run/lighttpd.pid ]; then \
if [ -x /usr/sbin/invoke-rc.d ]; then \
invoke-rc.d lighttpd force-reload > /dev/null; \
else \
/etc/init.d/lighttpd force-reload > /dev/null; \
fi; \
fi;
endscript
}

6
evolinux-base/files/logs/logrotate.d/lvm-common.disabled

@ -0,0 +1,6 @@
/var/log/lvm {
daily
rotate 3
missingok
create 0640 root adm
}

8
evolinux-base/files/logs/logrotate.d/news.disabled

@ -0,0 +1,8 @@
/var/log/news.log {
monthly
missingok
notifempty
rotate 1
create 640 root adm
}

18
evolinux-base/files/logs/logrotate.d/nginx

@ -0,0 +1,18 @@
/var/log/nginx/*.log {
weekly
missingok
rotate 52
compress
delaycompress
notifempty
create 640 root adm
sharedscripts
prerotate
if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
run-parts /etc/logrotate.d/httpd-prerotate; \
fi; \
endscript
postrotate
[ ! -f /var/run/nginx.pid ] || kill -USR1 `cat /var/run/nginx.pid`
endscript
}

14
evolinux-base/files/logs/logrotate.d/ntp.disabled

@ -0,0 +1,14 @@
/var/log/ntp.log {
weekly
rotate 1
missingok
create 640 root adm
sharedscripts
postrotate
DATE=$(date +"%d-%m-%Y")
cd /var/log
mv ntp.log.1 ntp.log.$DATE
gzip ntp.log.$DATE
endscript
}

7
evolinux-base/files/logs/logrotate.d/postgresql

@ -0,0 +1,7 @@
/var/log/postgresql.log {
weekly
missingok
rotate 8
create 640 root adm
}

11
evolinux-base/files/logs/logrotate.d/procmail

@ -0,0 +1,11 @@
/var/log/procmail.log {
daily
rotate 365
dateext
dateyesterday
dateformat .%Y%m%d
missingok
rotate 365
create 640 root adm
}

14
evolinux-base/files/logs/logrotate.d/samba

@ -0,0 +1,14 @@
# Attention, bien mettre "log file = /var/log/samba/%m.log" dans la conf Samba
/var/log/samba/*.log {
weekly
missingok
rotate 52
postrotate
invoke-rc.d --quiet samba reload > /dev/null
[ ! -f /var/run/samba/nmbd.pid ] || kill -HUP `cat /var/run/samba/nmbd.pid`
[ -f /var/run/samba/winbindd.pid ] && kill -HUP `cat /var/run/samba/winbindd.pid` || true
endscript
compress
notifempty
}

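--- a/evolinux-base/files/logs/logrotate.d/squid3.disabled
+++ b/evolinux-base/files/logs/logrotate.d/squid3.disabled
@@ -0,0 +1,11 @@
+/var/log/squid3/*.log {
+monthly
+compress
+rotate 12
+missingok
+create 640 proxy adm
+sharedscripts
+postrotate
+test ! -e /var/run/squid3.pid || /usr/sbin/squid3 -k rotate
+endscript
+}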

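--- a/evolinux-base/files/logs/logrotate.d/zsyslog
+++ b/evolinux-base/files/logs/logrotate.d/zsyslog
@@ -0,0 +1,35 @@
+# Custom EvoLinux
+create 640 root adm
+dateext
+dateyesterday
+dateformat .%Y%m%d
+missingok
+notifempty
+delaycompress
+compress
+postrotate
+invoke-rc.d rsyslog rotate > /dev/null
+endscript
+/var/log/daemon.log
+/var/log/kern.log
+/var/log/lpr.log
+{
+weekly
+rotate 5
+}
+/var/log/auth.log
+/var/log/user.log
+/var/log/cron.log
+/var/log/debug
+/var/log/messages
+/var/log/syslog
+/var/log/mail.info
+/var/log/mail.warn
+/var/log/mail.err
+/var/log/mail.log
+{
+daily
+rotate 365
+}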
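Review bot: Everything above the first `{` — `create`, `dateext`, `compress`, the `postrotate` script — sits outside any stanza, so logrotate treats it as a default for every configuration parsed after this file, not only for the two stanzas below; the `z` prefix presumably relies on alphabetical include order to keep that from bleeding into other files, and that assumption deserves a comment in place of `# Custom EvoLinux`, e.g. `# Options before the first stanza are global defaults for everything parsed after this file; the z- prefix keeps it last in /etc/logrotate.d`. Debian's stock `/etc/logrotate.d/rsyslog` also rotates `/var/log/syslog`, `/var/log/auth.log` and the other files listed here, and logrotate skips a log it has already seen with a "duplicate log entry" warning, so whichever task installs this file should remove or rename the stock one — I cannot see that task from here, so this may already be handled.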

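--- a/evolinux-base/files/logs/rsyslog.conf
+++ b/evolinux-base/files/logs/rsyslog.conf
@@ -0,0 +1,122 @@
+# Syslog for Pack Evolix serveur - Debian Squeeze
+#################
+#### MODULES ####
+#################
+$ModLoad imuxsock # provides support for local system logging
+$ModLoad imklog # provides kernel logging support (previously done by rklogd)
+#$ModLoad immark # provides --MARK-- message capability
+# provides UDP syslog reception
+#$ModLoad imudp
+#$UDPServerRun 514
+# provides TCP syslog reception
+#$ModLoad imtcp
+#$InputTCPServerRun 514
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+###############
+#### RULES ####
+###############
+#
+# First some standard log files. Log by facility.
+#
+auth,authpriv.* /var/log/auth.log
+*.*;auth,authpriv.none;cron,mail,local4,local5.none -/var/log/syslog
+cron.* /var/log/cron.log
+daemon.* -/var/log/daemon.log
+kern.* -/var/log/kern.log
+lpr.* -/var/log/lpr.log
+mail.* -/var/log/mail.log
+user.* -/var/log/user.log
+uucp.* /var/log/uucp.log
+news.* /var/log/news.log
+local4.* -/var/log/openldap.log
+local1.* /var/log/sympa.log
+local0.* /var/log/postgresql.log
+local7.* -/var/log/dhcp.log
+local5.* -/var/log/haproxy.log
+#
+# Logging for the mail system. Split it up so that
+# it is easy to write scripts to parse these files.
+#
+#mail.info -/var/log/mail.info
+#mail.warn -/var/log/mail.warn
+#mail.err /var/log/mail.err
+#
+# Logging for INN news system.
+#
+#news.crit /var/log/news/news.crit
+#news.err /var/log/news/news.err
+#news.notice -/var/log/news/news.notice
+#
+# Some "catch-all" log files.
+#
+#*.=debug;\
+# auth,authpriv.none;\
+# news.none;mail.none -/var/log/debug
+#*.=info;*.=notice;*.=warn;\
+# auth,authpriv.none;\
+# cron,daemon.none;\
+# mail,news.none -/var/log/messages
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg *
+#
+# I like to have messages displayed on the console, but only on a virtual
+# console I usually leave idle.
+#
+#daemon,mail.*;\
+# news.=crit;news.=err;news.=notice;\
+# *.=debug;*.=info;\
+# *.=notice;*.=warn /dev/tty8
+# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
+# you must invoke `xconsole' with the `-file' option:
+#
+# $ xconsole -file /dev/xconsole [...]
+#
+# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
+# busy site..
+#
+#daemon.*;mail.*;\
+# news.err;\
+# *.=debug;*.=info;\
+# *.=notice;*.=warn |/dev/xconsole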
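Review bot: The header `# Syslog for Pack Evolix serveur - Debian Squeeze` is stale relative to the rest of this commit, which installs jessie sources in `evolinux-base/tasks/apt.yml`; a release-neutral line such as `# rsyslog configuration for Evolix servers (Evolinux)` avoids tying the file to a release it no longer targets. The `local0`, `local1`, `local4`, `local5` and `local7` rules route to application-named files (postgresql, sympa, openldap, haproxy, dhcp) without saying which service is expected to log on each facility; a short comment above that group naming the mapping would save the next maintainer a search. The catch-all `-/var/log/syslog` line excludes `local4,local5` but not `local0`, `local1` or `local7`, so postgresql, sympa and dhcp messages are written both to their own file and to syslog — if that is deliberate it deserves a comment, otherwise add those facilities to the `.none` list.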

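--- a/evolinux-base/files/root/gitconfig
+++ b/evolinux-base/files/root/gitconfig
@@ -0,0 +1,22 @@
+[core]
+filemode = true
+bare = false
+[color]
+branch = auto
+status = auto
+diff = auto
+interactive = auto
+decorate = auto
+grep = auto
+ui = true
+[apply]
+whitespace = nowarn
+[alias]
+a = add
+aa = add -A .
+c = commit -v
+ca = commit -v -a
+d = diff --ignore-space-change --patience --no-prefix
+dw = diff --word-diff
+lg = log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit --date=relative
+s = status -s -b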

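--- a/evolinux-base/handlers/main.yml
+++ b/evolinux-base/handlers/main.yml
@@ -0,0 +1,49 @@
+---
+- name: dpkg-reconfigure-debconf
+command: dpkg-reconfigure --frontend noninteractive debconf
+- name: dpkg-reconfigure-locales
+command: dpkg-reconfigure --frontend noninteractive locales
+- name: dpkg-reconfigure-apt
+command: dpkg-reconfigure --frontend noninteractive apt-listchanges
+# - name: debconf-set-selections
+# command: debconf-set-selections /root/debconf-preseed
+- name: apt update
+apt:
+update_cache: yes
+- name: restart rsyslog
+service:
+name: rsyslog
+state: restarted
+- name: remount /home
+command: mount -o remount /home
+- name: remount /var
+command: mount -o remount /var
+- name: restart nginx
+service:
+name: nginx
+state: restarted
+- name: reload nginx
+service:
+name: nginx
+state: reloaded
+- name: restart apache
+service:
+name: apache2
+state: restarted
+- name: reload apache
+service:
+name: apache2
+state: reloaded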
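Review bot: `update_cache: yes` in the `apt update` handler is a YAML 1.1 truthy spelling; `update_cache: true` is what yamllint's `truthy` rule expects and reads the same under YAML 1.2 parsers. The three `dpkg-reconfigure` handlers and the two `remount` handlers run `command` with no `changed_when`, so each reports changed every time it is notified; that is acceptable for a handler, but a one-line comment above the first of them, e.g. `# always reports changed: dpkg-reconfigure has no dry-run/idempotent mode`, records that it is intentional. The commented-out `debconf-set-selections` handler should either be removed or carry a comment explaining why it is kept (the rendered page shows no indentation, so I cannot tell whether it was meant to be part of the list).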

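--- a/evolinux-base/tasks/apt.yml
+++ b/evolinux-base/tasks/apt.yml
@@ -0,0 +1,55 @@
+---
+- name: Setting apt config
+lineinfile:
+dest: /etc/apt/apt.conf.d/z-evolinux.conf
+line: "{{ item }}"
+create: yes
+state: present
+mode: 0640
+with_items:
+- "APT::Install-Recommends \"0\";"
+- "APT::Install-Suggests \"0\";"
+- name: DPKg invoke hooks
+lineinfile:
+dest: /etc/apt/apt.conf.d/z-evolinux.conf
+line: "{{ item }}"
+create: yes
+state: present
+mode: 0640
+with_items:
+- "DPkg::Pre-Invoke { \"mount -oremount,exec /tmp && mount -oremount,rw /usr || true\"; };"
+- "DPkg::Post-Invoke { \"mount -oremount /tmp && mount -oremount /usr || exit 0\"; };"
+when: evolinux_apt_hooks
+- name: Original repositories are disabled
+replace:
+dest: /etc/apt/sources.list
+regexp: '^(deb(-src)? {{ item }}.+)'
+replace: '# \1'
+with_items:
+# - '.+\.debian\.org'
+- 'cdrom:'
+- name: Basic sources list is installed
+lineinfile:
+dest: /etc/apt/sources.list
+line: "{{ item }}"
+with_items:
+- "deb http://security.debian.org/ jessie/updates {{ evolinux_apt_components | mandatory }}"
+- "deb http://mirror.evolix.org/debian/ jessie {{ evolinux_apt_components | mandatory }}"
+- "deb http://mirror.evolix.org/debian/ jessie-updates {{ evolinux_apt_components | mandatory }}"
+- name: Evolix public list is installed
+template:
+src: apt/evolix_public.list.j2
+dest: /etc/apt/sources.list.d/evolix_public.list
+force: yes
+backup: yes
+mode: 0640
+- name: Upgrading system
+apt:
+upgrade: dist
+update_cache: yes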
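Review bot: The three `deb` lines in `Basic sources list is installed` hard-code `jessie`, so the role cannot run on a later release without editing this task; `{{ ansible_distribution_release }}` in place of `jessie` gives the same lines on jessie hosts and follows the target elsewhere. The `mode: 0640` values in the `lineinfile` and `template` tasks are unquoted octal literals — PyYAML reads them as octal so they happen to work, but `mode: "0640"` is what the Ansible file-module docs recommend and is unambiguous under YAML 1.2. Both `lineinfile` tasks that write `/etc/apt/apt.conf.d/z-evolinux.conf` match on the full line with no `regexp`, so changing a directive's value later appends a new line beside the old one instead of replacing it; either add `regexp:` keyed on the directive name or note the limitation in a comment above the first task. The `DPkg::Pre-Invoke` hook remounts `/usr` read-write and `/tmp` exec for the duration of every dpkg run, which is fine for a hardened base image but deserves a comment such as `# temporarily relaxes the /usr ro and /tmp noexec mounts so dpkg can run maintainer scripts`.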

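--- a/evolinux-base/tasks/default_packages.yml
+++ b/evolinux-base/tasks/default_packages.yml
@@ -0,0 +1,14 @@
+---
+- name: Install/Update default packages (might take some time)
+command: "apt-get install -yq --allow-unauthenticated {{ evolinux_default_packages | join(' ') }}"
+register: install_default_packages
+changed_when: not (install_default_packages.stdout | search("0 upgraded") and install_default_packages.stdout | search("0 newly installed"))
+- name: Deleting rpcbin and nfs-common
+apt:
+name: "{{ item }}"
+state: absent
+with_items:
+- rpcbind
+- nfs-common
+when: evolinux_delete_nfs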
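Review bot: `apt-get install -yq --allow-unauthenticated` in `Install/Update default packages` disables apt's signature verification for every package in `evolinux_default_packages`, which removes the only integrity guarantee the plain-`http` mirrors configured in `apt.yml` provide; unless an unsigned repository is a known requirement, drop the flag, and if one is, ship its key and keep verification on. Using the `apt` module instead (`name: "{{ item }}"`, `state: present`, `with_items: "{{ evolinux_default_packages }}"`, as the next task already does for removal) installs the same list with signatures checked and makes the fragile `changed_when` string match on `0 upgraded` / `0 newly installed` unnecessary. If the flag has to stay, a comment naming the repository that needs it, `# --allow-unauthenticated: required for <REPO> — TODO confirm`, documents the exception instead of leaving it implicit. The task name `Deleting rpcbin and nfs-common` has a typo: the package is `rpcbind`.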

108
evolinux-base/tasks/default_www.yml

@ -0,0 +1,108 @@
---
- name: /var/www is present
file:
path: /var/www
state: directory
mode: 0755
- name: images are copied
copy:
src: default_www/img
dest: /var/www/
mode: 0755
directory_mode: 0755
follow: yes
- name: index is copied
template:
src: default_www/index.html.j2
dest: /var/www/index.html
mode: 0755
# SSL cert
- name: ssl-cert package is installed
apt:
name: ssl-cert
state: installed
- name: Create private key and csr for default site ({{ ansible_fqdn }})
shell: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "{{ evolinux_default_www_ssl_subject }}"
args:
creates: "/etc/ssl/private/{{ ansible_fqdn }}.key"
- name: Adjust rights on private key
file:
path: /etc/ssl/private/{{ ansible_fqdn }}.key
owner: root
group: ssl-cert
mode: 0640
- name: Create certificate for default site
shell: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt
args:
creates: "/etc/ssl/certs/{{ ansible_fqdn }}.crt"
# Nginx vhost
- name: is Nginx installed?
stat:
path: /etc/nginx/sites-available
register: nginx_sites_available
- block:
- name: nginx vhost is installed
template:
src: default_www/nginx_default_site.j2