From e3f3ea66611d7b209f3115941916fb13c115f062 Mon Sep 17 00:00:00 2001 From: Hugo LEVY-FALK Date: Thu, 13 Dec 2018 14:31:55 +0100 Subject: [PATCH] apticron, apt-dater, sendmail and deploy_key --- README.md | 33 ++++++++++++++++++++++------ hosts | 3 ++- post_install.yaml | 11 ++++++++++ rezo_basic.yaml | 13 ++++++----- roles/apt-dater/tasks/main.yml | 12 ++++------ roles/apticron/tasks/main.yml | 21 ++++++++++++++++++ roles/deploy_key/files/ansible.pub | 1 + roles/deploy_key/files/apt-dater.pub | 1 + roles/deploy_key/files/root_rezo.pub | 1 + roles/deploy_key/tasks/main.yml | 14 ++++++++++++ roles/sendmail/tasks/main.yml | 28 +++++++++++++++++++++++ 11 files changed, 117 insertions(+), 21 deletions(-) create mode 100644 post_install.yaml create mode 100644 roles/apticron/tasks/main.yml create mode 100644 roles/deploy_key/files/ansible.pub create mode 100644 roles/deploy_key/files/apt-dater.pub create mode 100644 roles/deploy_key/files/root_rezo.pub create mode 100644 roles/deploy_key/tasks/main.yml create mode 100644 roles/sendmail/tasks/main.yml diff --git a/README.md b/README.md index e283e8b..23dbef2 100644 --- a/README.md +++ b/README.md 
@@ -51,17 +51,36 @@ Pour utiliser l'un des playbooks, on n'oubliera pas de spécifier que l'on souha ansible-playbook -i hosts rezo_basic.yaml ``` +### post_install.yaml +Ce playbook permet de déployer la clé root ansible et rézo après l'installation, ceci afin d'utiliser les autres playbooks. + +* Déploiement des clés ssh root prez et apt-dater. + +Puisqu'on a pas encore les clés ssh à ce moment, on utilise une commande un peu différente. + +``` +ansible-playbook -i hosts rezo_basic.yaml --ask-pass --ask-become-pass +``` + +De cette manière, ansible demandera le mot de passe pour se connecter en ssh puis pour passer superutilisateur. + +Pour que le rôle fonctionne, on installe normalement la machine via l'installateur dédié, puis on place le nom de domaine ou son adresse IP dans le fichier hosts. Si la machine ne correspond à aucun groupe, il suffit de la mettre en tête de fichier. + +Notes sur l'installation: + +* Pensez à installer un serveur ssh; +* Pensez à mettre un mot de passe bidon à root, par exemple plopiplop. Le rôle va ensuite canarder le mot de passe pour ne garder que l'authentification avec la clé ssh; +* Pensez à créer un utilisateur ansible pour se connecter en ssh. + + ### rezo_basic.yaml Ce playbook réalise les opérations usuelles après une installation de machine au Rézo. Il réalise entre autre : -* Mise à jour de la machine -* Déploiement des clés ssh root prez et apt-dater; +* Mise à jour de la machine [v] * Activation de l'accès par le LDAP; -* Installation de ZSH; -* Installation de Vim +* Installation de ZSH; [v] +* Installation de Vim [v] * Installation de fail2ban; -* Installation d'apticron; +* Installation d'apticron; [v] * Déploiement du motd Rézo. -Pour que le rôle fonctionne, on installe normalement la machine via l'installateur dédié, puis on place le nom de domaine ou son adresse IP dans le fichier hosts. Si la machine ne correspond à aucun groupe, il suffit de la mettre en tête de fichier. - 
diff --git a/hosts b/hosts index 81e0908..b3405cd 100644 --- a/hosts +++ b/hosts @@ -1,5 +1,6 @@ [gateways] -10.7.6.66 +10.7.57.54 +10.7.54.57 [reverse_dns] diff --git a/post_install.yaml b/post_install.yaml new file mode 100644 index 0000000..51c2727 --- /dev/null +++ b/post_install.yaml @@ -0,0 +1,11 @@ +# post_install.yaml +# Ce rôle est chargé de dépoloyer les clés root rézo et ansible + +--- +- hosts: all + remote_user: ansible + become: true + become_method: sudo + tasks: + - include_role: + name: deploy_key diff --git a/rezo_basic.yaml b/rezo_basic.yaml index 2fe2a40..92e0f75 100644 --- a/rezo_basic.yaml +++ b/rezo_basic.yaml @@ -11,11 +11,9 @@ apt: update_cache: yes upgrade: yes - - name: Deploy root_rezo ssh key - authorized_key: - user: root - state: present - key: "{{ lookup('file', './ssh/root_rezo.pub') }}" + - name: Install sudo + apt: + name: sudo - include_role: name: apt-dater - name: Install ZSH @@ -24,3 +22,8 @@ - name: Install vim apt: name: vim + - include_role: + name: sendmail + - include_role: + name: apticron + diff --git a/roles/apt-dater/tasks/main.yml b/roles/apt-dater/tasks/main.yml index 759b0d9..203ae90 100644 --- a/roles/apt-dater/tasks/main.yml +++ b/roles/apt-dater/tasks/main.yml @@ -17,16 +17,12 @@ mode: '700' owner: apt-dater group: apt-dater -- name: Backup sudoers file - copy: - remote_src: yes - src: /etc/sudoers - dest: /etc/sudoers.tmp - name: Allow apt-dater to perform aptitude actions lineinfile: - path: /etc/sudoers.tmp + path: /etc/sudoers + backup: yes line: "apt-dater ALL=NOPASSWD: /usr/bin/apt-get, /usr/bin/aptitude" + regexp: "apt-dater ALL=NOPASSWD: /usr/bin/apt-get, /usr/bin/aptitude" state: present insertafter: "# User privilege specification" -- name: sudoers file check - shell: visudo -q -c -f /etc/sudoers.tmp && mv -f /etc/sudoers.tmp /etc/sudoers + validate: visudo -q -c -f %s diff --git a/roles/apticron/tasks/main.yml b/roles/apticron/tasks/main.yml new file mode 100644 index 0000000..695a014 --- /dev/null 
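Review bot: The README section that documents this playbook (in the README.md hunk of this commit) tells the operator to run `ansible-playbook -i hosts rezo_basic.yaml --ask-pass --ask-become-pass`, so the documented bootstrap never executes post_install.yaml; the command there should name `post_install.yaml`. The header comment calls the file a role (`Ce rôle est chargé de dépoloyer …`) while it is a playbook that includes the deploy_key role, and has a typo — `# Ce playbook déploie les clés root rézo et ansible via le rôle deploy_key` would do. `become_method: sudo` is Ansible's default and can be dropped.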
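Review bot: The new `Install sudo` task runs through the play's privilege escalation like every other task, so on a host where sudo is genuinely absent it can only succeed if the play connects as root or uses a non-sudo become method; the play header is outside this hunk, so I cannot tell which. If plays connect as `ansible` with sudo (as post_install.yaml in this commit does), sudo is already a prerequisite and this task is only a safeguard, which the task name should say, e.g. `- name: Ensure sudo is present (required by become)`. The hunk also leaves a trailing empty line at the end of the file.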
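Review bot: The `regexp` added to the sudoers `lineinfile` is the literal rule text, so it only matches a line identical to the one being written; a previously deployed apt-dater rule with a different command list is left in place and a second NOPASSWD entry accumulates next to it. An anchored pattern such as `regexp: '^apt-dater\s+ALL='` lets the task replace any existing apt-dater rule instead. Moving from the tmp-copy/visudo/mv dance to `validate: visudo -q -c -f %s` with `backup: yes` is the right call; `backup: true` is the canonical spelling. Note that NOPASSWD `apt-get`/`aptitude` is effectively root-equivalent (package maintainer scripts run as root), so the apt-dater key deserves the same custody as the root keys deployed elsewhere in this commit.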
+++ b/roles/apticron/tasks/main.yml
@@ -0,0 +1,21 @@
+- name: Install apticron
+ apt:
+ name: apticron
+- name: Add apticron mail target
+ lineinfile:
+ path: /etc/apticron/apticron.conf
+ line: "EMAIL=\"apticron@rezometz.org\""
+ state: present
+ insertafter: EOF
+ regexp: "EMAIL=\".*\""
+- name: Register hostname
+ shell: uname -n
+ register: hostname
+ changed_when: False
+- name: Add apticron custom from
+ lineinfile:
+ path: /etc/apticron/apticron.conf
+ line: "CUSTOM_FROM=\"{{ hostname.stdout }}\""
+ insertafter: EOF
+ regexp: "(# )?CUSTOM_FROM=\".*\""
+
diff --git a/roles/deploy_key/files/ansible.pub b/roles/deploy_key/files/ansible.pub
new file mode 100644
index 0000000..6f86e14
--- /dev/null
+++ b/roles/deploy_key/files/ansible.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVaXJdS4w5miBT/TYj0kMu85vF+d5i85TbJ9Y1KwJpegku0JBxF8q5qfPcmNT8Xd+Qdg6kT4H/ox0+0yaLmTmSBjNxjmGz1QachUHshlZ9rKklEIGnjutsnl5N3jZqzHTz29fShutd/eFi2hBNIOe1/B0BsPezYNiWliX34PWo8fUpLkBXPS3lYqWGkyoUkWrkDh0Rmlv3BUVzYP3ARUjAgb8nRzfpgom8Y3l31RDImgkfi9My6tE/qQtpfmsmohWAfDOkOmIYOLDS7WnpTJKKRHugEKV1tE0aP2oP1FdE2Zg9exYp0mYFqOizS98BiqARIOQY6cNPiGUH9fj3XwmF klafyvel@batman
diff --git a/roles/deploy_key/files/apt-dater.pub b/roles/deploy_key/files/apt-dater.pub
new file mode 100644
index 0000000..b0c9af7
--- /dev/null
+++ b/roles/deploy_key/files/apt-dater.pub
@@ -0,0 +1 @@
+ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAHxw/CCIAmyFO1eMIimpdzMhacQWIh9fUSgRlVB60cMmfvCA0yLPas1oWW+jA3XNSuXsW65TzI589zGQ08HD72dNQG+777sa1fpF0KG8JSnA5BNS6ihWgeE+l1p2EiW4DBFbnN/N3gP7FoEHjpw+SGZVQVKc0cijwkkJflFvoX4xOic4A== apt-dater@era
diff --git a/roles/deploy_key/files/root_rezo.pub b/roles/deploy_key/files/root_rezo.pub
new file mode 100644
index 0000000..7d72c99
--- /dev/null
+++ b/roles/deploy_key/files/root_rezo.pub
@@ -0,0 +1 @@
+ssh-rsa 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 root@president
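Review bot: The hostname is collected with `shell: uname -n` plus a register, although Ansible already exposes the same value as the `ansible_nodename` fact (and `ansible_fqdn` for the FQDN), so the `Register hostname` task can be dropped and the last task becomes `line: 'CUSTOM_FROM="{{ ansible_nodename }}"'` — provided the play does not disable fact gathering, which only the play header (outside these hunks) would show. Both `regexp` values are unanchored, so `EMAIL=\".*\"` would also match a commented-out example line in apticron.conf if one exists, and `lineinfile` then rewrites the last match rather than the live setting; anchoring them (`^EMAIL=`, `^(# )?CUSTOM_FROM=`) avoids that. The second `lineinfile` omits `state: present` while the first sets it; the default is the same, but keep the two consistent, and `changed_when: false` is the canonical spelling.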
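Review bot: The key comment `klafyvel@batman` indicates that a personal workstation key is being committed as the automation key that this commit's deploy_key role installs into root's authorized_keys on every host, so loss or rotation of that workstation key forces a root-key rotation fleet-wide. A dedicated key generated for this purpose, kept with the team and named for its role (a comment like `ansible@<deploy-host>`, placeholder to be filled in), is easier to rotate and to audit. The blob prefix also appears to be a 2048-bit RSA key; acceptable, but an ed25519 key is the better default for a newly created one.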
diff --git a/roles/deploy_key/tasks/main.yml b/roles/deploy_key/tasks/main.yml
new file mode 100644
index 0000000..ad6800d
--- /dev/null
+++ b/roles/deploy_key/tasks/main.yml
@@ -0,0 +1,14 @@
+- name: Deploy root_rezo ssh key
+ authorized_key:
+ user: root
+ state: present
+ key: "{{ lookup('file', 'root_rezo.pub') }}"
+- name: Deploy ansible ssh key
+ authorized_key:
+ user: root
+ state: present
+ key: "{{ lookup('file', 'ansible.pub') }}"
+- name: Lock ansible password to force ssh key usage
+ user:
+ name: ansible
+ password_lock: yes
diff --git a/roles/sendmail/tasks/main.yml b/roles/sendmail/tasks/main.yml
new file mode 100644
index 0000000..96c2c15
--- /dev/null
+++ b/roles/sendmail/tasks/main.yml
@@ -0,0 +1,28 @@
+- name: Install sendmail
+ apt:
+ name: sendmail
+- name: Configure sendmail
+ blockinfile:
+ path: /etc/mail/sendmail.mc
+ block: |
+ MASQUERADE_AS(`rezometz.org')dnl
+ FEATURE(`mailertable')dnl
+ state: present
+ insertafter: EOF
+ register: sendmail
+- name: Add smtp.rez to the mailertable
+ lineinfile:
+ path: /etc/mail/mailertable
+ line: ". smtp:smtp.rez"
+ insertafter: EOF
+ create: yes
+ register: mailertable
+- name: Compile sendmail configuration
+ shell: cd /etc/mail && sudo make
+ when: mailertable.changed or sendmail.changed
+ register: compile
+- name: Restart sendmail
+ service:
+ name: sendmail
+ state: restarted
+ when: compile.changed
-- 2.24.1
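Review bot: The password lock in the last task targets the `ansible` user while both keys above are added to root's authorized_keys and nothing is added for `ansible`, yet the README in this commit says a dummy root password should be set and the role will then lock it. After this runs, `ansible` has neither a usable password nor a key, so post_install.yaml (`remote_user: ansible`, `--ask-pass`) cannot be re-run and any play connecting as `ansible` fails unless it actually connects as root — either change it to `name: root` to match the README, or also deploy the ansible key to the `ansible` user and document which user later plays connect as. `password_lock: true` is the canonical spelling. Separately, `apt-dater.pub` is added under roles/deploy_key/files in this commit but no task here references it; if the apt-dater role still reads its key from another path (its earlier lines are outside the hunks), this copy is dead and should be removed or wired in.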
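Review bot: `shell: cd /etc/mail && sudo make` hard-codes a second `sudo` inside a task that already runs under the play's privilege escalation, which fails under a non-interactive become if sudo prompts and needlessly pins the escalation method; `command: make` with `args:` / `chdir: /etc/mail` does the same job without a shell. Since a `command` task reports changed whenever it runs, `register: compile` / `when: compile.changed` is equivalent to "the compile ran"; the idiomatic form is `notify: Restart sendmail` on the compile task with the restart moved to a handler, and `when: mailertable is changed or sendmail is changed` reads better than attribute access. `create: yes` is better written `create: true`. The mailertable entry `. smtp:smtp.rez` relays all outbound mail to smtp.rez, which the blockinfile also depends on through `FEATURE(mailertable)`; a comment on the task naming that dependency would help the next reader.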