From a0f85aadf518eb4d77c59c9ec3a08bab868f8470 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Sachse?= <Joerg.Sachse@slub-dresden.de>
Date: Mon, 20 Dec 2021 14:09:39 +0100
Subject: [PATCH] =?UTF-8?q?feat:=20ND-2111=20'deep=5Ffixity=20auf=20Sanity?=
 =?UTF-8?q?-Server=20vom=20ZIH=20aus=20ausf=C3=BChren'?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 tasks/configure_iptables_external.yml | 11 ++++
 tasks/configure_nfs_mounts.yml        | 93 ++++++++++++++-------------
 tasks/configure_ssh_keys.yml          |  7 +-
 tasks/create_users_groups.yml         | 15 +++--
 tasks/install_test_scripts.yml        |  4 +-
 tasks/main.yml                        |  4 ++
 6 files changed, 77 insertions(+), 57 deletions(-)
 create mode 100644 tasks/configure_iptables_external.yml

diff --git a/tasks/configure_iptables_external.yml b/tasks/configure_iptables_external.yml
new file mode 100644
index 0000000..e18f847
--- /dev/null
+++ b/tasks/configure_iptables_external.yml
@@ -0,0 +1,11 @@
+---
+- name: configure iptables filter rules for external access
+  ansible.builtin.iptables:
+    action: "insert"
+    chain: "{{ item.chain | default('INPUT') }}"
+    comment: "{{ item.comment | default(omit) }}"
+    destination_port: "{{ item.destination_port }}"
+    jump: "{{ item.jump | default('DROP') }}"
+    protocol: "{{ item.protocol | default('tcp') }}"
+    source: "{{ item.source }}"
+  loop: "{{ vault_iptables_external }}"
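Review bot: The rules this task inserts live only in the running kernel table; nothing here saves them, so they are lost on reboot unless something outside this role persists them (not visible in the patch). Consider notifying a handler that saves the ruleset, for example `community.general.iptables_state` with `state: saved`, or the distribution's netfilter-persistent service, so the DROP rules survive a restart. Also, `action: "insert"` with the module's default `rule_num` places every rule at position 1, so the chain ends up holding `vault_iptables_external` in reverse order; if that list ever mixes ACCEPT and DROP entries for overlapping sources, the last list entry is evaluated first. A comment such as `# inserted at position 1 on every iteration: the chain ends up in reverse list order` makes this explicit, or `action: "append"` if chain order should follow the list.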
diff --git a/tasks/configure_nfs_mounts.yml b/tasks/configure_nfs_mounts.yml
index e186ab6..25be700 100644
--- a/tasks/configure_nfs_mounts.yml
+++ b/tasks/configure_nfs_mounts.yml
@@ -1,13 +1,13 @@
 ---
 - name: Mountpoint für Logging anlegen
   file:
-    path: "{{ vault_nfs_mounts.log.mountpoint }}{{ ansible_hostname }}"
+    path: "{{ vault_log_nfs_mounts.log.mountpoint }}{{ ansible_hostname }}"
     state: directory
 
 - name: NFS-Shares für Logging mounten (/var/log/rossanity/)
   mount:
-    name: "{{ vault_nfs_mounts.log.mountpoint }}{{ ansible_hostname }}/"
-    src: "{{ vault_nfs_mounts.log.share }}{{ ansible_hostname }}/"
+    name: "{{ vault_log_nfs_mounts.log.mountpoint }}{{ ansible_hostname }}/"
+    src: "{{ vault_log_nfs_mounts.log.share }}{{ ansible_hostname }}/"
     state: mounted
     fstype: "nfs"
     opts: "defaults,nodev,nosuid,rsize=8192,wsize=8192,vers=3"
@@ -16,55 +16,56 @@
 ### MOUNTPOINTS PERMANENT ERSTELLEN ###
 - name: Mountpoints für Permanent Storage anlegen
   file:
-    path: "{{ item }}"
+    path: "{{ item.mountpoint }}"
     state: directory
-  loop:
-    - "{{ vault_nfs_mounts.permanent_dev.mountpoint }}"
-    - "{{ vault_nfs_mounts.permanent_test.mountpoint }}"
-    - "{{ vault_nfs_mounts.permanent_prod_slub_2015.mountpoint }}"
-    - "{{ vault_nfs_mounts.permanent_prod_slub_2016.mountpoint }}"
-    - "{{ vault_nfs_mounts.permanent_prod_slub_2017.mountpoint }}"
-    - "{{ vault_nfs_mounts.permanent_prod_slub_2018.mountpoint }}"
-    - "{{ vault_nfs_mounts.permanent_prod_slub_2019.mountpoint }}"
-    - "{{ vault_nfs_mounts.permanent_prod_slub_2020.mountpoint }}"
-    - "{{ vault_nfs_mounts.permanent_prod_slub_2021.mountpoint }}"
-    - "{{ vault_nfs_mounts.permanent_prod_lfulg.mountpoint }}"
+  loop: "{{ vault_permanent_nfs_mounts }}"
+#    - "{{ vault_nfs_mounts.permanent_dev.mountpoint }}"
+#    - "{{ vault_nfs_mounts.permanent_test.mountpoint }}"
+#    - "{{ vault_nfs_mounts.permanent_prod_slub_2015.mountpoint }}"
+#    - "{{ vault_nfs_mounts.permanent_prod_slub_2016.mountpoint }}"
+#    - "{{ vault_nfs_mounts.permanent_prod_slub_2017.mountpoint }}"
+#    - "{{ vault_nfs_mounts.permanent_prod_slub_2018.mountpoint }}"
+#    - "{{ vault_nfs_mounts.permanent_prod_slub_2019.mountpoint }}"
+#    - "{{ vault_nfs_mounts.permanent_prod_slub_2020.mountpoint }}"
+#    - "{{ vault_nfs_mounts.permanent_prod_slub_2021.mountpoint }}"
+#    - "{{ vault_nfs_mounts.permanent_prod_lfulg.mountpoint }}"
 
 ### PERMANENT STORAGE MOUNTEN ###
 - name: NFS-Shares für Permanent Storage mounten
   mount:
-    name: "{{ item.name }}"
-    src: "{{ item.src }}"
+    name: "{{ item.mountpoint }}"
+    src: "{{ item.share }}"
     state: mounted
     fstype: "nfs"
     opts: "ro,{{ item.opts | default('ro,defaults,nodev,nosuid,rsize=8192,wsize=8192,vers=3') }}"
-  with_items:
-    - name: "{{ vault_nfs_mounts.permanent_dev.mountpoint }}"
-      src: "{{ vault_nfs_mounts.permanent_dev.share }}"
-    - name: "{{ vault_nfs_mounts.permanent_test.mountpoint }}"
-      src: "{{ vault_nfs_mounts.permanent_test.share }}"
-    - name: "{{ vault_nfs_mounts.permanent_prod_slub_2015.mountpoint }}"
-      src: "{{ vault_nfs_mounts.permanent_prod_slub_2015.share }}"
-      opts: "auto,nfsvers=4"
-    - name: "{{ vault_nfs_mounts.permanent_prod_slub_2016.mountpoint }}"
-      src: "{{ vault_nfs_mounts.permanent_prod_slub_2016.share }}"
-      opts: "auto,nfsvers=4"
-    - name: "{{ vault_nfs_mounts.permanent_prod_slub_2017.mountpoint }}"
-      src: "{{ vault_nfs_mounts.permanent_prod_slub_2017.share }}"
-      opts: "auto,nfsvers=4"
-    - name: "{{ vault_nfs_mounts.permanent_prod_slub_2018.mountpoint }}"
-      src: "{{ vault_nfs_mounts.permanent_prod_slub_2018.share }}"
-      opts: "auto,nfsvers=4"
-    - name: "{{ vault_nfs_mounts.permanent_prod_slub_2019.mountpoint }}"
-      src: "{{ vault_nfs_mounts.permanent_prod_slub_2019.share }}"
-      opts: "auto,nfsvers=4"
-    - name: "{{ vault_nfs_mounts.permanent_prod_slub_2020.mountpoint }}"
-      src: "{{ vault_nfs_mounts.permanent_prod_slub_2020.share }}"
-      opts: "auto,nfsvers=4"
-    - name: "{{ vault_nfs_mounts.permanent_prod_slub_2021.mountpoint }}"
-      src: "{{ vault_nfs_mounts.permanent_prod_slub_2021.share }}"
-      opts: "auto,nfsvers=4"
-    - name: "{{ vault_nfs_mounts.permanent_prod_lfulg.mountpoint }}"
-      src: "{{ vault_nfs_mounts.permanent_prod_lfulg.share }}"
-      opts: "auto,nfsvers=4"
+  loop: "{{ vault_permanent_nfs_mounts }}"
+#  with_items:
+#    - name: "{{ vault_nfs_mounts.permanent_dev.mountpoint }}"
+#      src: "{{ vault_nfs_mounts.permanent_dev.share }}"
+#    - name: "{{ vault_nfs_mounts.permanent_test.mountpoint }}"
+#      src: "{{ vault_nfs_mounts.permanent_test.share }}"
+#    - name: "{{ vault_nfs_mounts.permanent_prod_slub_2015.mountpoint }}"
+#      src: "{{ vault_nfs_mounts.permanent_prod_slub_2015.share }}"
+#      opts: "auto,nfsvers=4"
+#    - name: "{{ vault_nfs_mounts.permanent_prod_slub_2016.mountpoint }}"
+#      src: "{{ vault_nfs_mounts.permanent_prod_slub_2016.share }}"
+#      opts: "auto,nfsvers=4"
+#    - name: "{{ vault_nfs_mounts.permanent_prod_slub_2017.mountpoint }}"
+#      src: "{{ vault_nfs_mounts.permanent_prod_slub_2017.share }}"
+#      opts: "auto,nfsvers=4"
+#    - name: "{{ vault_nfs_mounts.permanent_prod_slub_2018.mountpoint }}"
+#      src: "{{ vault_nfs_mounts.permanent_prod_slub_2018.share }}"
+#      opts: "auto,nfsvers=4"
+#    - name: "{{ vault_nfs_mounts.permanent_prod_slub_2019.mountpoint }}"
+#      src: "{{ vault_nfs_mounts.permanent_prod_slub_2019.share }}"
+#      opts: "auto,nfsvers=4"
+#    - name: "{{ vault_nfs_mounts.permanent_prod_slub_2020.mountpoint }}"
+#      src: "{{ vault_nfs_mounts.permanent_prod_slub_2020.share }}"
+#      opts: "auto,nfsvers=4"
+#    - name: "{{ vault_nfs_mounts.permanent_prod_slub_2021.mountpoint }}"
+#      src: "{{ vault_nfs_mounts.permanent_prod_slub_2021.share }}"
+#      opts: "auto,nfsvers=4"
+#    - name: "{{ vault_nfs_mounts.permanent_prod_lfulg.mountpoint }}"
+#      src: "{{ vault_nfs_mounts.permanent_prod_lfulg.share }}"
+#      opts: "auto,nfsvers=4"
   tags: [notest]
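Review bot: With the per-share `opts` now supplied by the vault, any entry of `vault_permanent_nfs_mounts` that sets `opts` loses `nodev,nosuid`, because those flags exist only inside the `default(...)` fallback on the `opts:` line; the entries previously listed inline (`auto,nfsvers=4` for every prod share) show this is the common case, not the exception. Keeping the hardening flags in the fixed prefix makes them independent of the vault contents, e.g. `opts: "ro,nodev,nosuid,{{ item.opts | default('defaults,rsize=8192,wsize=8192,vers=3') }}"`, which also removes the `ro,ro,` duplication the current default produces. The old loop bodies kept as `#` comments in both tasks reference `vault_nfs_mounts`, a variable this same commit renames away, so they are dead text that will mislead the next reader; delete them rather than keep them (git history has them). `tags: [notest]` on the mount task is unchanged context and presumably still intended.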
diff --git a/tasks/configure_ssh_keys.yml b/tasks/configure_ssh_keys.yml
index 1effacb..30f0337 100644
--- a/tasks/configure_ssh_keys.yml
+++ b/tasks/configure_ssh_keys.yml
@@ -1,10 +1,11 @@
 ---
 - name: deploy SSH key for management user
   authorized_key:
-    user: "{{ vault_ssh_access.user }}"
+    user: "{{ item.user }}"
     state: present
-    key: "{{ vault_ssh_access.ssh_key }}"
-    comment: "{{ vault_ssh_access.ssh_comment }}"
+    key: "{{ item.ssh_key }}"
+    comment: "{{ item.ssh_comment }}"
+  loop: "{{ vault_ssh_access }}"
 
 - name: copy SSH key files to managed servers
   copy:
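Review bot: With `state: present` hard-coded, a key removed from `vault_ssh_access` stays authorized on every host it was ever deployed to; the loop can add keys but never revoke them. Taking the state from the item, `state: "{{ item.state | default('present') }}"`, mirrors the pattern already used for groups in create_users_groups.yml and lets a revoked key be marked `absent` in the vault instead of silently lingering. Note that `loop` requires `vault_ssh_access` to be a list now, so the vault variable must change shape in step with this task or it fails at run time; presumably that is done in the vault file, which is not part of this patch. The task name still reads "management user" (singular) although several users may now be served. The `copy SSH key files to managed servers` task that begins at the end of this hunk continues outside it.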
diff --git a/tasks/create_users_groups.yml b/tasks/create_users_groups.yml
index 1807633..fa36346 100644
--- a/tasks/create_users_groups.yml
+++ b/tasks/create_users_groups.yml
@@ -1,15 +1,16 @@
 ---
 - name: Gruppen anlegen
-  group:
+  ansible.builtin.group:
     name: "{{ item.name }}"
     state: "{{ item.state | default('present') }}"
     gid: "{{ item.gid | default(omit) }}"
   loop: "{{ vault_groups }}"
 
 - name: User in Gruppen einfügen & SSH-Key erzeugen
-  user:
-    name: "{{ vault_user.name }}"
-    groups: "{{ vault_user.groups }}"
-    generate_ssh_key: "yes"
-    ssh_key_bits: 4096
-    ssh_key_comment: "lza-user"
+  ansible.builtin.user:
+    name: "{{ item.name }}"
+    groups: "{{ item.groups | default('') }}"
+    generate_ssh_key: "{{ item.generate_ssh_key | default(false) }}"
+    ssh_key_bits: "{{ item.ssh_key_bits | default(omit) }}"
+    ssh_key_comment: "{{ item.ssh_key_comment | default(omit) }}"
+  loop: "{{ vault_users }}"
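Review bot: `ssh_key_bits` now defaults to `omit`, so a vault entry that enables `generate_ssh_key` without setting `ssh_key_bits` gets whatever size the user module and ssh-keygen choose, whereas the task previously always generated 4096-bit keys; `ssh_key_bits: "{{ item.ssh_key_bits | default(4096) }}"` keeps the former strength as the floor while still allowing an override. `groups: "{{ item.groups | default('') }}"` deserves a comment: with `append` unset the user module removes the user from every supplementary group not listed, and an empty string strips all supplementary groups — a sound least-privilege default, but easy to misread as "leave groups alone", e.g. `# '' removes the user from all supplementary groups (append is not set)`. For symmetry with the group task two lines above, `state: "{{ item.state | default('present') }}"` would let a user be retired from the vault list rather than left behind on the hosts.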
diff --git a/tasks/install_test_scripts.yml b/tasks/install_test_scripts.yml
index 86a41ab..1126d2b 100644
--- a/tasks/install_test_scripts.yml
+++ b/tasks/install_test_scripts.yml
@@ -21,7 +21,7 @@
     - "test_exit_strategy.sh"
 
 - name: deploy test scripts from Git
-  git:
+  ansible.builtin.git:
     dest: "/usr/local/bin/{{ item.dest }}"
     repo: "{{ item.repo }}"
     version: "{{ item.version | default(omit) }}"
@@ -38,6 +38,8 @@
     # runs the Exit Strategy script to build an emergency database
     - dest: "rosettaExitStrategy/"
       repo: "git@{{ vault_slub_git_repo_fqdn }}:slub-digitalpreservation/rosettaExitStrategy.git"
+    - dest: "rosettaDeepFixity/"
+      repo: "git@{{ vault_slub_git_repo_fqdn }}:digital-preservation/rosettadeepfixity.git"
 
 - name: test if prerequisites for exit strategy script are installed
   command: "perl -c /usr/local/bin/rosettaExitStrategy/perl/exit_strategy.pl"
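Review bot: The new `rosettaDeepFixity/` entry carries no `version`, and since the task uses `version: "{{ item.version | default(omit) }}"` the git module then follows the remote's default branch, so each run can put different code under /usr/local/bin with no review step in between; pinning it, `version: "<release tag or commit id from the upstream repo>"`, makes the deployment reproducible (the existing rosettaExitStrategy entry has the same gap). The repository path uses the `digital-preservation/` group while the exit-strategy entry uses `slub-digitalpreservation/` — presumably intentional, but worth confirming, since a wrong path only surfaces at run time. The exit strategy script gets a `perl -c` prerequisite check right below this hunk; the deep fixity script has no equivalent check, so missing dependencies on the host would only show up when it first runs.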
diff --git a/tasks/main.yml b/tasks/main.yml
index 6c9feff..d7b1f76 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -24,3 +24,7 @@
 - name: install test scripts
   import_tasks: "install_test_scripts.yml"
   tags: [testscripts]
+
+- name: configure iptables
+  import_tasks: "configure_iptables_external.yml"
+  tags: [firewall, iptables]
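Review bot: The imported task loops over `vault_iptables_external` unconditionally, so any host that applies this role without that vault variable fails at this step; either guarantee an entry for every host (an explicit `[]` in the vault where no rules apply) or guard the import with `when: vault_iptables_external is defined`, which `import_tasks` propagates to each imported task. Ordering is also worth a look: the filter rules are the last thing the role applies, after users, SSH keys and NFS mounts are already in place, so on a first run the host is reachable unfiltered until the end of the play; if the DROP rules are meant to limit who can reach what the role sets up, importing this file earlier in main.yml narrows that window. The remainder of main.yml is outside the hunk, so the intended position cannot be judged from here.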
-- 
GitLab