Commit 022ebd67 authored by Jörg Sachse's avatar Jörg Sachse

initial commit

Showing with 471 additions and 0 deletions
# CRLF vs. LF:
* text=auto
# make 'git diff' use ansible-vault for vault files, so you can see decrypted
# content if you have the password
*.vault diff=ansible-vault merge=binary
# Compiled source #
###################
*.bin
*.com
*.class
*.dll
*.exe
*.o
*.so
*.pyc
__pycache__
# Packages #
############
# it's better to unpack these files and commit the raw source
# git has its own built in compression methods
*.7z
*.dmg
*.gz
*.iso
*.jar
*.rar
*.tar
*.zip
*.tar.gz
*.tgz
# Logs and databases #
######################
*.log
*.sql
*.sqlite
# OS generated files #
######################
.DS_Store
.DS_Store?
._*
.Spotlight-V100
.Trashes
ehthumbs.db
Thumbs.db
# Linux packages #
##################
*.deb
*.rpm
# Ansible specific files #
##########################
*.retry
*.vault
# Vim #
#######
# swap
[._]*.s[a-v][a-z]
[._]*.sw[a-p]
[._]s[a-v][a-z]
[._]sw[a-p]
# session
Session.vim
# temporary
.netrwhist
# auto-generated tag files
tags
# Vagrant #
###########
.vagrant/
*.box
---
extends: default
rules:
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
line-length: disable
truthy: disable
# Ansible-Role "ansible_lza_bootstrap_rhel_server"
## Description
This role provides all necessary tasks to initialise RHEL 7 servers for SLUBArchiv before a non-root user takes over for further managemant.
## Prerequisites
To use this role, the following software must be installed on your workstation:
* ansible
To deploy this role to a managed host, the following software must be installed on the target:
* Python3
* SSHd
## General usage
Most options already have sensible defaults in `ansible.cfg`. However, you can override these defaults using CLI options/flags if you want to.
To simply run the playbook, just call the `site.yml` playbook like this:
```
ansible-playbook site.yml -u <username>
```
If you want to limit the execution to a subset of all hosts that are listed in the inventory, use the `-l` or `--limit` option like this:
```
ansible-playbook site.yml -l <hostna*>
ansible-playbook site.yml -l <hostname>
ansible-playbook site.yml -l <hostname1>:<hostname2>:...
ansible-playbook site.yml -l <inventory_group>
ansible-playbook site.yml --limit=<hostna*>
```
If you do not have Vault password files in the directory above the role direcory, you have to give the Vault password before execution:
```
ansible-playbook site.yml --ask-vault-pass
```
You can use your own inventory file by adding the `-i` or `--inventory=INVENTORY` option:
```
ansible-playbook site.yml -i inventory.yml
ansible-playbook site.yml --inventory=inventory.yml
```
Tasks in this role have been tagged to enable users to only run subsets of tasks. This can be leveraged to decrease run times or run only certain tasks after small changes.
To list all available tags, use:
```
ansible-playbook site.yml --list-tags
```
You can then run only certain tagged tasks by using the `--tags` option:
```
ansible-playbook site.yml -t tag1,tag2,...,tagN
ansible-playbook site.yml --tags=tag1,tag2,...,tagN
```
For more help with ansible-playbook, use the `--help` flag.
## Testing the role
Tests have been implemented using the Molecule framework. The details on using the test suite are described below `molecule/`.
## Variables
Many variables have been "hidden" in encrypted Ansible Vaults. However, in order to better understand the data within the vaults, you can find `\*.vault.example` files below the `vars/` directory.
## git configuration
Just run the `setup_gitconfig.sh` script that comes with the repo to correctly setup all necessary local Git configurations.
## Author Information
If you have any comments or find bugs, please contact langzeitarchiv@slub-dresden.de or issue a pull request.
[defaults]
# If set, configures the path to the Vault password file as an alternative to
# specifying --vault-password-file on the command line.
vault_identity_list = ../lza_install_common.pass, ../lza_server_hardening.pass, ../slub_osquery.pass, ../lza_bootstrap_rhel_server.pass
# Path to default inventory file
# Administrators can override this by using the "-i <inventoryfile>" CLI
# argument.
inventory = ../ansible_vaults/inventory.yml
# Remote user name
# As this role is supposed to run very basic tasks necessary before handing
# over to a non-root-user, we use root as the remote_user.
remote_user = root
# By default, ansible will use the 'linear' strategy but you may want to try
# another one
strategy = free
# Don't like cows? that's unfortunate.
# Set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1
nocows = 1
[inventory]
# Ignore these extensions when parsing a directory as inventory source.
ignore_extensions = .pyc, .pyo, .swp, .bak, ~, .rpm, .md, .txt, ~, .orig, .ini, .cfg, .retry
[ssh_connection]
# Enabling pipelining reduces the number of SSH operations required to
# execute a module on the remote server. This can result in a significant
# performance improvement when enabled, however when using "sudo:" you must
# first disable 'requiretty' in /etc/sudoers
# By default, this option is disabled to preserve compatibility with
# sudoers configurations that have requiretty (the default on many distros).
#pipelining = True
pipelining = False
---
# defaults file for ansible_lza_bootstrap_rhel_server
---
# handlers file for ansible_lza_bootstrap_rhel_server
---
galaxy_info:
author: Jörg Sachse
description: role to initialise empty VMs that should become RHEL servers before switching to a non-root user for further management.
company: SLUB Dresden
# If the issue tracker for your role is not on github, uncomment the next line and provide a value issue_tracker_url: http://example.com/issue/tracker Some suggested licenses: - BSD
# (default) - MIT - GPLv2 - GPLv3 - Apache - CC-BY
license: GPLv3
min_ansible_version: 2.5
# If this a Container Enabled role, provide the minimum Ansible Container version. min_ansible_container_version: Optionally specify the branch Galaxy will use when accessing the GitHub repo
#for this role. During role install, if no tags are available, Galaxy will use this branch. During import Galaxy will access files on this branch. If Travis integration is configured, only
#notifications for this branch will be accepted. Otherwise, in all cases, the repo's default branch (usually master) will be used. github_branch:
#
# Provide a list of supported platforms, and for each platform a list of versions. If you don't wish to enumerate all versions for a particular platform, use 'all'. To view available
# platforms and versions (or releases), visit: https://galaxy.ansible.com/api/v1/platforms/
#
# platforms: - name: Fedora
# versions: - all - 25 - name: SomePlatform versions: - all - 1.0 - 7 - 99.99
platforms:
- name: RedHat
versions:
- 7
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes and categorizes the role. Users find roles by searching for tags. Be sure to remove the '[]' above, if you
# add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
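Review bot: `min_ansible_version: 2.5` is an unquoted scalar that YAML parses as a float; it happens to round-trip for 2.5, but the same pattern turns a future 2.10 into 2.1, so write `min_ansible_version: "2.5"`. The collapsed Galaxy skeleton commentary after `company:` and after `galaxy_tags:` no longer lines up with the keys it documents; trimming it to the one `issue_tracker_url` hint would leave the file readable.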
*******
Vagrant driver installation guide
*******
Requirements
============
* Vagrant
* Virtualbox, Parallels, VMware Fusion, VMware Workstation or VMware Desktop
Install
=======
Please refer to the `Virtual environment`_ documentation for installation best
practices. If not using a virtual environment, please consider passing the
widely recommended `'--user' flag`_ when invoking ``pip``.
.. _Virtual environment: https://virtualenv.pypa.io/en/latest/
.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
.. code-block:: bash
$ pip install 'molecule[vagrant]'
---
dependency:
name: galaxy
driver:
name: vagrant
provider:
name: virtualbox
lint: |
set -e
yamllint .
ansible-lint -x formatting
flake8 --ignore=E501
platforms:
- name: molecule-bootstrap-redhat
box: centos/7
memory: 512
cpus: 1
provisioner:
name: ansible
log: true
config_options:
defaults:
# https://stackoverflow.com/questions/57435811/ansible-molecule-pass-multiple-vault-ids
vault_identity_list: "@$HOME/.ansible/roles/molecule_prepare.pass, @$HOME/.ansible/roles/lza_install_common.pass, @$HOME/.ansible/roles/lza_server_hardening.pass, @$HOME/.ansible/roles/lza_bootstrap_rhel_server.pass, @$HOME/.ansible/roles/slub_osquery.pass"
vvv: false
verifier:
name: testinfra
env:
PYTHONWARNINGS: "ignore:.*U.*mode is deprecated:DeprecationWarning"
options:
v: 1
---
- name: Converge
hosts: all
roles:
- role: ansible_lza_bootstrap_rhel_server
---
- name: Prepare
hosts: all
gather_facts: false
tasks:
- name: Install python for Ansible
raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal)
become: true
changed_when: false
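Review bot: The bootstrap fallback in `raw:` calls apt, but the only platform declared in molecule.yml is the `centos/7` box and the role targets RHEL, where apt does not exist; the task presumably passes only because that box already ships `/usr/bin/python`, so the fallback is dead code that would fail on a minimal image. For the platform actually tested the line should read `raw: test -e /usr/bin/python || yum install -y python`. `changed_when: false` is fine for the probe but hides a real install; `changed_when` on the exit of the `test` would be more honest.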
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
def test_hosts_file(host):
f = host.file('/etc/hosts')
assert f.exists
assert f.user == 'root'
assert f.group == 'root'
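Review bot: test_hosts_file checks only /etc/hosts, a file this role never touches, so the Molecule verify stage currently proves nothing about the role's own changes. Two assertions on artifacts the task files create would give real coverage, e.g. `assert host.file('/etc/skel/.ssh').mode == 0o700` and `assert host.group('sudo').exists`, and a check that `/etc/sudoers.d/group_sudo` is owned by root. Keeping the template test is harmless but a one-line comment saying it is boilerplate would stop readers from assuming it was deliberate.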
#!/usr/bin/env bash
set -ex
# Change the path that Git expects the hooks to be in, so we can track the hooks
# within the repository (as the default `.git/` directory is not tracked).
git config --local core.hooksPath .githooks/
# To be able to run `git diff` on Ansible Vault files, please set you local
# `git/config` files as described in (https://stackoverflow.com/a/52863794) for
# the `~/.gitconfig` file or just blindly follow the instructions there to set
# it for you Git installation as a whole.
git config --local core.attributesfile "../.gitattributes"
git config --local diff.ansible-vault.textconv "ansible-vault view"
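Review bot: `core.attributesfile "../.gitattributes"` points one directory above the repository, yet the `*.vault diff=ansible-vault merge=binary` attribute appears to be committed at the top of this commit (first file section, header not visible), where Git reads it with no configuration at all; if the in-repo file is the intended one this line can be dropped, otherwise a comment describing the expected parent-directory layout is needed. `core.hooksPath .githooks/` likewise names a directory I cannot see in this commit, and Git silently runs no hooks when the path is missing, so confirm it is added. `set -ex` also echoes each `git config` call, which is fine here since no secret is involved, but worth a comment so nobody adds a credential-bearing line later.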
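--- a/site.yml
+++ b/site.yml
@@ -0,0 +1,29 @@
+---
+- hosts: "*"
+pre_tasks:
+- name: Verify that the installed version of Ansible meets this playbook's version requirements.
+assert:
+that: "ansible_version.full is version_compare('2.5', '>=')"
+msg: >
+"You must update Ansible to at least 2.5 to use this playbook."
+# Collect facts from remote system? Possible values: true, false
+gather_facts: true
+# Gather only certain subsects of facts. Ansible supports network, hardware, virtual, facter, ohai as subset.
+gather_subset:
+- network
+- virtual
+- hardware
+# any_error_fatal will mark all the hosts as failed if fails and immediately abort the playbook execution. Possible values: true, false
+any_errors_fatal: false
+# max_fail_percentage allows you to abort the play if certain threshold of failures have been reached.
+max_fail_percentage: 30
+serial: 30
+# hide sensitive information in verbose/debugging output from others. Possible values: true, false
+no_log: false
+# execution strategy, possible values: debug, linear, serial, free (https://docs.ansible.com/ansible/latest/user_guide/playbooks_strategies.html)
+strategy: linear
+roles:
+- { role: ansible_lza_bootstrap_rhel_server }
+# - { role: ansible_lza_install_common, become: true }
+# - { role: ansible_lza_server_hardening, become: true }
+# - { role: ansible_lza_rosetta_app, become: true }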
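Review bot: The folded `msg: >` scalar keeps the double quotes on the following line as literal characters, so the assertion message is printed wrapped in quotes; write it as `msg: "You must update Ansible to at least 2.5 to use this playbook."`. The play also pins `strategy: linear`, which overrides the `strategy = free` default set in ansible.cfg, so that cfg entry is inert for this playbook and one of the two should be removed or commented. `version_compare` was superseded by the `version` test in 2.5, the very minimum this assertion enforces, so `is version('2.5', '>=')` avoids a deprecated alias.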
---
- name: subscribe system with RedHat
redhat_subscription:
state: present
username: "{{ vault_rhel_username }}"
password: "{{ vault_rhel_password }}"
auto_attach: true
- name: activate RHEL repos
rhsm_repository:
name: "{{ item }}"
state: enabled
loop:
- "rhel-7-server-optional-rpms"
- "rhel-7-server-rh-common-rpms"
- "rhel-7-server-extras-rpms"
- name: activate EPEL repos
yum:
name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm"
state: installed
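Review bot: The EPEL release package is installed straight from a URL in the last task, and as far as I know yum's `localpkg_gpgcheck` defaults to 0, so the signature of that RPM is never checked: TLS to dl.fedoraproject.org is the only integrity guarantee, and the repo definitions and GPG key it drops are then trusted for everything EPEL serves later. Import the EPEL signing key first with an `rpm_key` task (`key: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7`) and either enable `localpkg_gpgcheck` or fetch the RPM with `get_url` plus a `checksum:` so the release package itself is verified, not only the packages the new repository later provides. `state: installed` is an alias; `state: present` is the canonical form used elsewhere in this role.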
---
- name: configure .bashrc
blockinfile:
path: "/etc/skel/.bashrc"
owner: "root"
group: "root"
mode: 0644
marker: "# {mark} ANSIBLE MANAGED BLOCK ansible_lza_bootstrap_rhel_server"
block: |
cd ~
- name: configure .bash_aliases
blockinfile:
path: "/etc/skel/.bash_aliases"
owner: "root"
group: "root"
mode: 0644
marker: "# {mark} ANSIBLE MANAGED BLOCK ansible_lza_bootstrap_rhel_server"
create: true
block: |
alias ip='ip --color'
alias ll='ls -l'
alias la='ls -lah'
alias grep='grep --color'
- name: create user .ssh directory skel
file:
path: "/etc/skel/.ssh"
state: directory
owner: "root"
group: "root"
mode: 0700
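Review bot: The `cd ~` written into /etc/skel/.bashrc by the first task runs for every interactive bash a new user starts, so a nested `bash` or `sudo -s` silently moves them out of the directory they were working in; login shells already start in the home directory, so the line adds nothing there. The `.bash_aliases` file the second task creates is only useful if something sources it, and to my knowledge the RHEL 7 skel .bashrc does not (that convention is Debian's), so the .bashrc block should instead contain `[ -f ~/.bash_aliases ] && . ~/.bash_aliases`. The three `mode:` values rely on YAML 1.1 octal parsing; `mode: "0644"` / `mode: "0700"` states the intent without depending on the parser.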
---
- name: add SSH key
authorized_key:
comment: "{{ item.ssh_comment | default(omit) }}"
key: "{{ item.ssh_key }}"
user: "{{ item.name }}"
state: "{{ item.ssh_state | default('present') }}"
loop: "{{ vault_users }}"
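Review bot: Each `vault_users` item is echoed in the task result by the loop, and since the same list carries `password` entries (configure_users.yml reads `item.password`), the password hashes end up in the play output and in any CI log that captures it. Add `loop_control:` with `label: "{{ item.name }}"` so only the user name is printed, or `no_log: true` on the task. An item without `ssh_key` also fails the whole task with an undefined variable; if the field is mandatory that deserves a comment, otherwise a `when: item.ssh_key is defined` guard.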
---
- name: create groups
group:
name: sudo
system: true
- name: create users
user:
name: "{{ item.name }}"
uid: "{{ item.uid | default(omit) }}"
comment: "{{ item.comment | default(omit) }}"
password: "{{ item.password | default('!') }}"
append: true
groups: "sudo"
shell: "{{ item.shell | default('/bin/bash') }}"
loop: "{{ vault_users }}"
- name: grant sudo
blockinfile:
path: "/etc/sudoers.d/group_sudo"
create: true
owner: "root"
group: "root"
mode: 0644
block: |
# Allow members of group 'sudo' to execute any command
%sudo ALL=(ALL:sudo) NOPASSWD:ALL
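Review bot: The sudoers drop-in written by 'grant sudo' has no `validate:`, so a typo in the block disables sudo for every member, and since the group gets NOPASSWD for everything, that file is the host's privilege boundary; add `validate: "/usr/sbin/visudo -cf %s"` and use `mode: "0440"`, the mode sudo documents for sudoers files (it may reject a 0644 file). The 'create users' loop prints every item including `item.password`, so `no_log: true` belongs on that task. `user.password` expects an already-hashed value, so the vault must hold crypt hashes (e.g. produced with `password_hash('sha512')`) rather than clear text — worth a comment above the task, since a plain-text value would be stored verbatim as an unusable hash.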
---
# tasks file for ansible_lza_bootstrap_rhel_server
- name: include Ansible Vaults
include_vars: "{{ role_path }}/../ansible_vaults/{{ role_name }}/{{ item }}"
loop:
- "redhat.vault"
- "users.vault"
tags: [always]
- name: prepare skel
import_tasks: configure_skel.yml
tags: [skel]
- name: create users
import_tasks: configure_users.yml
tags: [users]
- name: prepare SSH access
import_tasks: configure_ssh_client.yml
tags: [ssh]
- name: activate repos
import_tasks: configure_repos.yml
tags: [repos]
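Review bot: 'include Ansible Vaults' returns every loaded variable in its result under `ansible_facts`, so a run with `-v` prints the decrypted contents of `redhat.vault` and `users.vault` — RHSM credentials and password hashes — to the console and to CI logs; add `no_log: true` to that task. `tags: [always]` is correct there, since every tagged task file below depends on those variables, and a one-line comment saying so would keep someone from "tidying" it away.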