Commit 77747ccb authored by Jörg Sachse's avatar Jörg Sachse

initial commit (confidential information removed)

Showing
with 665 additions and 0 deletions
# CRLF vs. LF:
* text=auto
# make 'git diff' use ansible-vault for vault files, so you can see decrypted
# content if you have the password
*.vault diff=ansible-vault merge=binary
#!/usr/bin/env bash
#
# An example hook script to verify what is about to be committed.
# Called by "git commit" with no arguments. The hook should
# exit with non-zero status after issuing an appropriate message if
# it wants to stop the commit.
#
# To enable this hook, rename this file to "pre-commit".
if git rev-parse --verify HEAD >/dev/null 2>&1
then
against=HEAD
else
# Initial commit: diff against an empty tree object
against=$(git hash-object -t tree /dev/null)
fi
# If you want to allow non-ASCII filenames set this variable to true.
allownonascii=$(git config --bool hooks.allownonascii)
# Redirect output to stderr.
exec 1>&2
# Cross platform projects tend to avoid non-ASCII filenames; prevent
# them from being added to the repository. We exploit the fact that the
# printable range starts at the space character and ends with tilde.
if [ "$allownonascii" != "true" ] &&
# Note that the use of brackets around a tr range is ok here, (it's
# even required, for portability to Solaris 10's /usr/bin/tr), since
# the square bracket bytes happen to fall in the designated range.
test $(git diff --cached --name-only --diff-filter=A -z $against |
LC_ALL=C tr -d '[ -~]\0' | wc -c) != 0
then
cat <<\EOF
Error: Attempt to add a non-ASCII file name.
This can cause problems if you want to work with people on other platforms.
To be portable it is advisable to rename the file.
If you know what you are doing you can disable this check using:
git config hooks.allownonascii true
EOF
exit 1
fi
# If there are whitespace errors, print the offending file names and fail.
# exec git diff-index --check --cached $against --
################################################################################
## Everything below this is customized, everything above is from the example. ##
################################################################################
### PREPARE
# Expand aliases and make alias command work in the bash script.
shopt -s expand_aliases
REPOPATH="$(git rev-parse --show-toplevel)"
GREP_CMD='grep -Rn --color'
GREP_EXCLUDES="--exclude-dir=\.git --exclude-dir=\.githooks --exclude=*\.example"
### YAMLLINT stage
STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
YAML_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep ".yml$")
if [[ ${YAML_FILES} != "" ]]; then
for file in ${YAML_FILES}; do
yamllint "${file}"
if [[ ${?} -ne 0 ]]; then
exit 1
fi
done
fi && echo "SUCCESS: Yamllint stage."
### VAULT detection stage
VAULT_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep ".vault$")
if [[ ${VAULT_FILES} != "" ]]; then
echo "ERROR: Vaultfiles found:"
for file in ${VAULT_FILES}; do
echo "- ${file}"
done
exit 1
fi
# https://docs.ansible.com/ansible/latest/user_guide/vault.html#vault-format
if [[ ${STAGED_FILES} != "" ]]; then
for file in ${STAGED_FILES}; do
grep -e "\$ANSIBLE_VAULT;[[:digit:]]\.[[:digit:]];AES256" "${file}"
[[ ${?} -eq 0 ]] && echo "ERROR: Ansible-Vault in String found in file '${file}'." && exit 1
done
fi
echo "SUCCESS: Vault detection stage."
### URL detection stage
${GREP_CMD} ${GREP_EXCLUDES} -e "http[s]*.*git.*SLUB" -e "http[s]*.*git.*slub" -e "git@" "${REPOPATH}"
if [[ ${?} -eq 0 ]]; then
echo "ERROR: found internal URLs."
exit 1;
fi
echo "SUCCESS: URL detection stage."
### IP address detection stage
# This is pretty basic regex matching, but it's a start.
IP_REGEX='[^a-zA-ZäöÜÄÖÜß/\\\-][0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'
${GREP_CMD} ${GREP_EXCLUDES} -e "${IP_REGEX}" "${REPOPATH}" | grep -v "127.0.0"
if [[ ${?} -eq 0 ]]; then
echo "ERROR: found IP address."
exit 1;
fi
echo "SUCCESS: IP address detection stage."
### SSH-Key detection stage
${GREP_CMD} ${GREP_EXCLUDES} -e "ssh-[dr]sa " "${REPOPATH}"
if [[ ${?} -eq 0 ]]; then
echo "ERROR: found SSH key."
exit 1;
fi
echo "SUCCESS: SSH Key detection stage."
### DONE
# Return explicit 0.
exit 0;
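Review bot: The SSH-key stage at L113 only matches `ssh-[dr]sa `, so ed25519 and ECDSA public keys and, more importantly, private-key blocks pass the hook unnoticed; extend the pattern list, e.g. `${GREP_CMD} ${GREP_EXCLUDES} -e "ssh-[dr]sa " -e "ssh-ed25519 " -e "ecdsa-sha2-" -e "PRIVATE KEY-----" "${REPOPATH}"`. The URL, IP and SSH-key stages (L97, L106, L113) grep the whole working tree under `REPOPATH` rather than the staged content, so an untracked scratch file can block a commit while content that is staged but already reverted in the working tree is not inspected; `git grep --cached` scans what will actually be committed. The `for file in ${YAML_FILES}` and `for file in ${STAGED_FILES}` loops (L72, L90) word-split the path list, so a file name containing whitespace is skipped or mis-read; `git diff --cached --name-only -z …` read with `while IFS= read -r -d '' file` avoids that. The `grep -v "127.0.0"` filter at L106 drops a whole line, so any other address on the same line as a loopback address is not reported either.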
# Compiled source #
###################
*.bin
*.com
*.class
*.dll
*.exe
*.o
*.so
*.pyc
__pycache__
# Packages #
############
# it's better to unpack these files and commit the raw source
# git has its own built in compression methods
*.7z
*.dmg
*.gz
*.iso
*.jar
*.rar
*.tar
*.zip
*.tar.gz
*.tgz
# Logs and databases #
######################
*.log
*.sql
*.sqlite
# OS generated files #
######################
.DS_Store
.DS_Store?
._*
.Spotlight-V100
.Trashes
ehthumbs.db
Thumbs.db
# Linux packages #
##################
*.deb
*.rpm
# Ansible specific files #
##########################
*.retry
*.vault
# Vim #
#######
# swap
[._]*.s[a-v][a-z]
[._]*.sw[a-p]
[._]s[a-v][a-z]
[._]sw[a-p]
# session
Session.vim
# temporary
.netrwhist
# auto-generated tag files
tags
# Vagrant #
###########
.vagrant/
*.box
# Temporary/Build/Backup #
##########################
backups/
build/
# CONFIDENTIAL #
################
ssh_host_*
---
# Based on ansible-lint config
extends: default
rules:
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
colons:
max-spaces-after: -1
level: error
commas:
max-spaces-after: -1
level: error
comments: disable
comments-indentation: disable
document-start: disable
empty-lines:
max: 3
level: error
hyphens:
level: error
indentation: disable
key-duplicates: enable
line-length: disable
new-line-at-end-of-file: disable
new-lines:
type: unix
trailing-spaces: disable
truthy: disable
# Ansible-Role "ansible_lza_install_common"
## Description
This role provides all necessary post-install tasks to setup a basic multi-purpose Debian VM.
## Prerequisites
To use this role, the following software must be installed on your workstation:
* ansible
To deploy this role to a managed host, the following software must be installed on the target:
* Python3
* SSHd
It is recommended to use Debian VMs as deployed by SLUB's UDA tool with this role. Otherwise you will not have access to the software packages that are located in SLUB's private Debian package repository.
## Quick Start
```
ansible-playbook site.yml [-i <INVENTORY_FILE>] [--limit <HOSTNAME>] [-u <USERNAME>] [-b]
```
## General Ansible usage
Most options already have sensible defaults in `ansible.cfg`. However, you can override these defaults using CLI options/flags if you want to.
To simply run the playbook, just call the `site.yml` playbook like this:
```
ansible-playbook site.yml -u <username>
```
If you want to limit the execution to a subset of all hosts that are listed in the inventory, use the `-l` or `--limit` option like this:
```
ansible-playbook site.yml -l <hostna*>
ansible-playbook site.yml -l <hostname>
ansible-playbook site.yml -l <hostname1>:<hostname2>:...
ansible-playbook site.yml -l <inventory_group>
ansible-playbook site.yml --limit=<hostna*>
```
If you do not have Vault password files in the directory above the role direcory, you have to give the Vault password before execution:
```
ansible-playbook site.yml --ask-vault-pass
```
You can use your own inventory file by adding the `-i` or `--inventory=INVENTORY` option:
```
ansible-playbook site.yml -i inventory.yml
ansible-playbook site.yml --inventory=inventory.yml
```
Tasks in this role have been tagged to enable users to only run subsets of tasks. This can be leveraged to decrease run times or run only certain tasks after small changes.
To list all available tags, use:
```
ansible-playbook site.yml --list-tags
```
You can then run only certain tagged tasks by using the `--tags` option:
```
ansible-playbook site.yml -t tag1,tag2,...,tagN
ansible-playbook site.yml --tags=tag1,tag2,...,tagN
```
For more help with ansible-playbook, use the `--help` flag.
## Testing the role
Tests have been implemented using the Molecule framework. The details on using the test suite are described below `molecule/`.
## Variables
Many variables have been "hidden" in encrypted Ansible Vaults. For security reasons, these Vaults are maintained in a separate private internal repository of SLUB's Git. However, in order to better understand the data within the vaults, you can find `\*.vault.example` files below the `vars/` directory.
If you work outside of SLUBArchive and have no access to the vault repository, make sure to put the necessary vaults in the expected paths at `../ansible_vaults/<ROLENAME>/`.
## git configuration
Just run the `setup_gitconfig.sh` script that comes with the repo to correctly setup all necessary local Git configurations.
## Author Information
If you have any comments or find bugs, please contact langzeitarchiv@slub-dresden.de or issue a pull request.
[defaults]
# If set, configures the path to the Vault password file as an alternative to
# specifying --vault-password-file on the command line.
vault_identity_list = ../lza_install_common.pass, ../slub_osquery.pass
# Path to default inventory file
# Administrators can override this by using the "-i <inventoryfile>" CLI
# argument.
inventory = ../ansible_vaults/inventory.yml
# Remote user name
# We DELIBERATELY set this to an non-existent non-root username to make sure
# the role can only be run if an Administrator knows the correct remote_user
# name and passes it as a CLI argument.
remote_user = non-root-user
# By default, ansible will use the 'linear' strategy but you may want to try
# another one
strategy = free
# Don't like cows? that's unfortunate.
# Set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1
nocows = 1
# Custom role path that guarantees roles are always found, no matter where a
# user checks them out.
roles_path = ../:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles
[inventory]
# Ignore these extensions when parsing a directory as inventory source.
ignore_extensions = .pyc, .pyo, .swp, .bak, ~, .rpm, .md, .txt, ~, .orig, .ini, .cfg, .retry
[ssh_connection]
# Enabling pipelining reduces the number of SSH operations required to
# execute a module on the remote server. This can result in a significant
# performance improvement when enabled, however when using "sudo:" you must
# first disable 'requiretty' in /etc/sudoers
# By default, this option is disabled to preserve compatibility with
# sudoers configurations that have requiretty (the default on many distros).
pipelining = True
---
exim4_sendonly_fqdn: '{{ ansible_fqdn }}'
exim4_sendonly_enable_tls: true
exim4_sendonly_smarthost: ''
exim4_sendonly_username: ''
exim4_sendonly_password: ''
exim_name: "{{ 'exim4' if ansible_distribution == 'Debian' else 'exim' }}"
This directory contains files, script files and directories for use with the copy/script resource.
\ No newline at end of file
Is%20a%20system/service%20restart%20needed? (interval=3600) /usr/lib/check_mk_agent/nrpe/check_needrestart.sh
autoclean -y
dist-upgrade -y -o APT::Get::Show-Upgraded=true
autoremove -y
# Beware! This file is rewritten by htop when settings are changed in the interface.
# The parser is also very primitive, and not human-friendly.
fields=0 3 2 48 17 18 38 39 40 2 46 47 111 49 1
sort_key=46
sort_direction=-1
hide_threads=0
hide_kernel_threads=1
hide_userland_threads=0
shadow_other_users=0
show_thread_names=0
show_program_path=1
highlight_base_name=1
highlight_megabytes=1
highlight_threads=1
tree_view=0
header_margin=1
detailed_cpu_time=1
cpu_count_from_zero=0
update_process_names=0
account_guest_in_cpu_meter=0
color_scheme=6
delay=15
left_meters=AllCPUs Memory Swap
left_meter_modes=1 2 1
right_meters=Tasks LoadAverage Uptime
right_meter_modes=2 2 2
# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 13 weeks (so 1/4 of a year) worth of backlogs
rotate 13
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
compress
# packages drop log rotation information into this directory
include /etc/logrotate.d
# system-specific logs may be configured here
# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
minsize 1M
rotate 1
}
/var/log/btmp {
missingok
monthly
create 0600 root utmp
rotate 1
}
============================================ WARNING! =============================================
Login to this system is only allowed by authorized personnel. Any unauthorized access and use of
this system is unlawful and will be subject to civil and criminal penalties. The use of this system
can be logged or monitored without further notice. Resulting logs can be used as evidence in court.
============================================ WARNING! =============================================
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
#restrict default nomodify notrap nopeer noquery
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# You do need to talk to an NTP server or two (or three).
# Eigene NTP Server verwenden
# Standard: #server ntp.your-provider.example
#server ptbtime1.ptb.de
server time1.slub-dresden.de
server time2.slub-dresden.de
server time3.slub-dresden.de
server time4.slub-dresden.de
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.rhel.pool.ntp.org iburst
#server 1.rhel.pool.ntp.org iburst
#server 2.rhel.pool.ntp.org iburst
#server 3.rhel.pool.ntp.org iburst
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict ::1
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
#broadcast 192.168.1.255 autokey # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 autokey # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 autokey # manycast client
# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor
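Review bot: `includefile /etc/ntp/crypto/pw` at L426 and `keys /etc/ntp/keys` at L429 stay active although the `crypto` directive they support is commented out at L425, and this page shows no such files being added by the commit; if they are absent ntpd reports the missing files at every start, so either comment them out alongside `#crypto` or have the role deploy them. The four `server time*.slub-dresden.de` lines at L401–L404 carry no `iburst`, unlike the commented pool examples below them; adding it shortens the initial synchronisation after boot. The German comment at L398 would read better in the language of the rest of the file: `# Use our own NTP servers`.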
#!/usr/bin/env bash
COWSAY="$(command -v cowsay)"
PATH="${PATH}:/usr/sbin/"; export PATH
figlet SLUBarchiv
# figlet SLUBarchiv | lolcat
# colored/formatted strings are not properly supported by cowsay, which in turn is not maintained any longer (as of 2019-05-31)
#HOST="\e[1m$( cat /etc/hostname )\e[0m.slub-dresden.de"
HOST="${HOSTNAME}.$( dnsdomainname )"
IP="$(
ip -4 -brief addr show | \
grep -v 'UNKNOWN' | \
while read -r line; do
# printf " %.0s" {1..21};
echo "$( printf " %.0s" {1..21} )${line}";
done
)"
#RELEASE="$( uname -o ) $( cat /etc/debian_version )"
RELEASE="$( lsb_release -s -d )"
VERSION="$( uname -rvm )"
UPTIME="$( uptime )"
PROCESSES="$( ps ax | wc -l | tr -d ' ' )"
SSH_FINGERPRINT="$( ssh-keyscan "${HOSTNAME}" 2> /dev/null | ssh-keygen -E sha256 -lf - | grep '(RSA)' )"
WEATHER="$( curl -s --max-time 2 "http://rss.accuweather.com/rss/liveweather_rss.asp?metric=1&locCode=EUR|DE|DE01069|DRESDEN|" | sed -n '/Currently:/ s/.*: \(.*\): \([0-9]*\)\([CF]\).*/\2°\3, \1/p' )"
SUBAPP_VERSION="(not installed)"
if [[ $( command -v dpkg ) ]]; then
if dpkg -l | grep -q 'submissionapplication4rosetta'; then
SUBAPP_VERSION="$( dpkg --status submissionapplication4rosetta | grep '^Version:' | cut -d ' ' -f 2 )"
fi
fi
# alternative weather service that provides much nicer icons. However, these icons are not shown nicely in PuTTY
# WEATHER="$( curl -s --max-time 2 "http://de.wttr.in/Dresden?format=4 )"
(echo -e "\
Hostname: ${HOST}
Netzwerk: Interface Status Adresse\n${IP}
OS-Name/-Release: ${RELEASE}
OS-Version: ${VERSION}
Uptime / CPU-Load: ${UPTIME}
Running Processes: ${PROCESSES}
SSH-Fingerprint: ${SSH_FINGERPRINT}
Wetter: ${WEATHER}
SubApp-Version: ${SUBAPP_VERSION}
- Use 'tmux a' to attach to last tmux session.
- Press 'Strg+B' and 'd' to leave (detatch from) any tmux session. The session will continue to run in the background.
- Consult http://tmuxcheatsheet.com for a quick start with tmux.\
") | ${COWSAY} -T U -W100 -f www -n
echo ""
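Review bot: `WEATHER` at L465 is fetched over plain, unauthenticated HTTP and then rendered through `echo -e` at L474, so whatever survives the `sed` substitution — including backslash escape sequences — is interpreted by the terminal on every interactive login; strip control characters and backslashes before interpolating, e.g. append `| tr -d '[:cntrl:]\\'` to that pipeline, and prefer `printf '%s\n'` over `echo -e` for the banner so that `RELEASE`, `UPTIME` and the `ssh-keyscan` output are not escape-processed either. `${COWSAY}` at L487 is empty when cowsay is not installed (L448 itself notes the tool is unmaintained), which turns the final pipeline into `| -T U -W100 -f www -n` and fails; guard it with `[[ -x "${COWSAY}" ]] || COWSAY=cat` before the pipe. `grep '(RSA)'` at L464 shows only the RSA host key, so hosts that advertise only ed25519/ECDSA keys print an empty fingerprint line.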
alias grep='grep --color=auto' # coloured grep
alias fgrep='fgrep --color=auto' # coloured fgrep
alias egrep='egrep --color=auto' # coloured egrep
alias diff='diff --color=auto' # coloured diff
alias ipb='ip --color --brief' # coloured ip command (brief)
alias ip='ip --color' # coloured ip command
alias ..='cd ..'
alias ...='cd ../../'
alias c='clear'
alias la='ls --color -ahl' # long-list all files
alias ll='ls --color -A' # short list all files (except . & ..)
alias l='ls --color -CF' # short list files in columns, classify
alias mc='mc -x' # Midnight Commander with tmux mouse support
alias mload='nload -u M' # nload with default units in MByte
# alias please='sudo' # by special request by Andreas :-)
alias please='sudo $(fc -ln -1)' # https://twitter.com/zzaaho/status/1160825118597292032
alias nfsmounts='mount | sort | column -t -s" " | grep nfs' # pretty print all nfs mounts
#!/usr/bin/env bash
# Checks the status of all running processes to find outdated
# binaries/libraries that need to be restarted in order to run the latest
# version.
# copy plugin to the "/usr/lib/check_mk_agent/plugin" directory
# test it via: check_mk_agent | grep -v grep | grep -A 3 "<<<local>>>"
# REQUIREMENTS:
# - Debian-System
# - needrestart
scriptname=$( basename "${0}" ".sh" )
LOCKFILE="/var/lock/${scriptname}.lock"
STATUS="3"
ITEMNAME="needrestart"
PERF_VALUES="-"
# IMPORTANT: Set lock using "flock", NOT "touch"!!! It's atomic and doesn't have to be cleared after the script ran.
if [[ -e "/usr/sbin/needrestart" ]]; then
# based on https://itrig.de/index.php?/archives/2356-checkrestart-vs.-needrestart-alte-Prozesse-nach-Paketupdates-erkennen.html
flock "${LOCKFILE}" /usr/sbin/needrestart -k -l -p -q
else
echo "${STATUS} ${ITEMNAME} ${PERF_VALUES} Could not get status, maybe needrestart isn't installed."
fi
# Code checked by shellcheck (https://github.com/koalaman/shellcheck) on 2020-12-02
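Review bot: The fallback at L525 prints a local-check style line with status 3 but lets the script exit 0, so when it runs as an MRPE plugin (the `nrpe/check_needrestart.sh` entry elsewhere in this commit suggests that) a missing needrestart is reported as OK; add `exit 3` after the echo and, to match the plugin-format output that `needrestart -p` produces on the other branch, print `UNKNOWN - needrestart not installed` instead. The header comments at L510–L511 describe copying the script into the `<<<local>>>` plugin directory, which contradicts that MRPE entry — one of the two should be corrected. `[[ -e … ]]` at L521 only checks existence; `-x` is the better precondition for a binary that is executed on the next line.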
#!/bin/bash
set -e
# https://askubuntu.com/questions/764620/how-do-you-hotplug-enable-new-cpu-and-ram-in-a-virtual-machine
# Bring hot-added CPUs online
for CPU_DIR in /sys/devices/system/cpu/cpu[0-9]*; do
CPU=${CPU_DIR##*/}
echo "Found cpu: '${CPU_DIR}' ..."
CPU_STATE_FILE="${CPU_DIR}/online"
if [ -f "${CPU_STATE_FILE}" ]; then
if grep -qx 1 "${CPU_STATE_FILE}"; then
echo -e "\t${CPU} already online"
else
echo -e "\t${CPU} is new cpu, onlining cpu ..."
# This is where the magic happens:
echo 1 > "${CPU_STATE_FILE}"
fi
else
echo -e "\t${CPU} already configured prior to hot-add"
fi
done
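Review bot: Style: the three `echo -e "\t…"` lines in the loop (L538, L540, L545) rely on echo's non-portable escape handling; `printf '\t%s already online\n' "${CPU}"` is the conventional form. Under `set -e`, a rejected write at L542 aborts the whole loop and leaves any later CPUs untouched; `echo 1 > "${CPU_STATE_FILE}" || printf '\t%s: failed to online\n' "${CPU}" >&2` keeps going and reports the failure.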
#!/bin/bash
set -e
# https://askubuntu.com/questions/764620/how-do-you-hotplug-enable-new-cpu-and-ram-in-a-virtual-machine
# https://kb.vmware.com/s/article/1012764
# Bring all new Memory online
for RAM_FILE in $( find /sys/devices/system/memory/ -type f -name "state" | sort -d ); do
RAM="$( echo "${RAM_FILE}" | cut -d '/' -f6 )"
echo -n "Found RAM module '${RAM}', "
if grep --quiet "offline" "${RAM_FILE}"; then
echo "bringing it online."
echo "online" > "${RAM_FILE}"
else
echo "and it's already online."
fi
done
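Review bot: `for RAM_FILE in $( find … )` at L553 word-splits and glob-expands the find output (ShellCheck SC2044); sysfs paths contain no whitespace today, but the idiomatic form is `while IFS= read -r RAM_FILE; do … done < <(find /sys/devices/system/memory/ -type f -name state | sort -d)`. The `echo | cut -d '/' -f6` at L554 can be replaced by parameter expansion, `RAM=${RAM_FILE%/state}; RAM=${RAM##*/}`, which also stops depending on the exact directory depth. `sort -d` orders `memory10` before `memory2`; `sort -V` gives natural order if the log output matters.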