From a0f85aadf518eb4d77c59c9ec3a08bab868f8470 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Sachse?= <Joerg.Sachse@slub-dresden.de> Date: Mon, 20 Dec 2021 14:09:39 +0100 Subject: [PATCH] =?UTF-8?q?feat:=20ND-2111=20'deep=5Ffixity=20auf=20Sanity?= =?UTF-8?q?-Server=20vom=20ZIH=20aus=20ausf=C3=BChren'?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- tasks/configure_iptables_external.yml | 11 ++++ tasks/configure_nfs_mounts.yml | 93 ++++++++++++++------------- tasks/configure_ssh_keys.yml | 7 +- tasks/create_users_groups.yml | 15 +++-- tasks/install_test_scripts.yml | 4 +- tasks/main.yml | 4 ++ 6 files changed, 77 insertions(+), 57 deletions(-) create mode 100644 tasks/configure_iptables_external.yml diff --git a/tasks/configure_iptables_external.yml b/tasks/configure_iptables_external.yml new file mode 100644 index 0000000..e18f847 --- /dev/null +++ b/tasks/configure_iptables_external.yml @@ -0,0 +1,11 @@ +--- +- name: configure iptables filter rules for external access + ansible.builtin.iptables: + action: "insert" + chain: "{{ item.chain | default('INPUT') }}" + comment: "{{ item.comment | default(omit) }}" + destination_port: "{{ item.destination_port }}" + jump: "{{ item.jump | default('DROP') }}" + protocol: "{{ item.protocol | default('tcp') }}" + source: "{{ item.source }}" + loop: "{{ vault_iptables_external }}" diff --git a/tasks/configure_nfs_mounts.yml b/tasks/configure_nfs_mounts.yml index e186ab6..25be700 100644 --- a/tasks/configure_nfs_mounts.yml +++ b/tasks/configure_nfs_mounts.yml 
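Review bot: The rules from `vault_iptables_external` only reach the running kernel tables — `ansible.builtin.iptables` does not persist them, so the external-access filter disappears on the next reboot unless a follow-up task or handler saves the ruleset (`iptables-save` into the distribution's persistent-rules file, or the `iptables_state` module from community.general). With `action: "insert"` inside a `loop`, every item lands at position 1, so the chain ends up holding the list in reverse order; should the vault list ever mix ACCEPT and DROP entries, first-match evaluation will not follow the written order, which deserves a comment above the task or an explicit `rule_num`. The module also touches IPv4 only by default (`ip_version: ipv4`), so hosts reachable over IPv6 stay unfiltered unless the same rules are applied again with `ip_version: ipv6`. Hosts whose vault has no `vault_iptables_external` will fail this task; `loop: "{{ vault_iptables_external | default([]) }}"` keeps the role usable there.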
@@ -1,13 +1,13 @@ --- - name: Mountpoint für Logging anlegen file: - path: "{{ vault_nfs_mounts.log.mountpoint }}{{ ansible_hostname }}" + path: "{{ vault_log_nfs_mounts.log.mountpoint }}{{ ansible_hostname }}" state: directory - name: NFS-Shares für Logging mounten (/var/log/rossanity/) mount: - name: "{{ vault_nfs_mounts.log.mountpoint }}{{ ansible_hostname }}/" - src: "{{ vault_nfs_mounts.log.share }}{{ ansible_hostname }}/" + name: "{{ vault_log_nfs_mounts.log.mountpoint }}{{ ansible_hostname }}/" + src: "{{ vault_log_nfs_mounts.log.share }}{{ ansible_hostname }}/" state: mounted fstype: "nfs" opts: "defaults,nodev,nosuid,rsize=8192,wsize=8192,vers=3" 
@@ -16,55 +16,56 @@ ### MOUNTPOINTS PERMANENT ERSTELLEN ### - name: Mountpoints für Permanent Storage anlegen file: - path: "{{ item }}" + path: "{{ item.mountpoint }}" state: directory - loop: - - "{{ vault_nfs_mounts.permanent_dev.mountpoint }}" - - "{{ vault_nfs_mounts.permanent_test.mountpoint }}" - - "{{ vault_nfs_mounts.permanent_prod_slub_2015.mountpoint }}" - - "{{ vault_nfs_mounts.permanent_prod_slub_2016.mountpoint }}" - - "{{ vault_nfs_mounts.permanent_prod_slub_2017.mountpoint }}" - - "{{ vault_nfs_mounts.permanent_prod_slub_2018.mountpoint }}" - - "{{ vault_nfs_mounts.permanent_prod_slub_2019.mountpoint }}" - - "{{ vault_nfs_mounts.permanent_prod_slub_2020.mountpoint }}" - - "{{ vault_nfs_mounts.permanent_prod_slub_2021.mountpoint }}" - - "{{ vault_nfs_mounts.permanent_prod_lfulg.mountpoint }}" + loop: "{{ vault_permanent_nfs_mounts }}" +# - "{{ vault_nfs_mounts.permanent_dev.mountpoint }}" +# - "{{ vault_nfs_mounts.permanent_test.mountpoint }}" +# - "{{ vault_nfs_mounts.permanent_prod_slub_2015.mountpoint }}" +# - "{{ vault_nfs_mounts.permanent_prod_slub_2016.mountpoint }}" +# - "{{ vault_nfs_mounts.permanent_prod_slub_2017.mountpoint }}" +# - "{{ vault_nfs_mounts.permanent_prod_slub_2018.mountpoint }}" +# - "{{ vault_nfs_mounts.permanent_prod_slub_2019.mountpoint }}" +# - "{{ vault_nfs_mounts.permanent_prod_slub_2020.mountpoint }}" +# - "{{ vault_nfs_mounts.permanent_prod_slub_2021.mountpoint }}" +# - "{{ vault_nfs_mounts.permanent_prod_lfulg.mountpoint }}" ### PERMANENT STORAGE MOUNTEN ### - name: NFS-Shares für Permanent Storage mounten mount: - name: "{{ item.name }}" - src: "{{ item.src }}" + name: "{{ item.mountpoint }}" + src: "{{ item.share }}" state: mounted fstype: "nfs" opts: "ro,{{ item.opts | default('ro,defaults,nodev,nosuid,rsize=8192,wsize=8192,vers=3') }}" - with_items: - - name: "{{ vault_nfs_mounts.permanent_dev.mountpoint }}" - src: "{{ vault_nfs_mounts.permanent_dev.share }}" - - name: "{{ 
vault_nfs_mounts.permanent_test.mountpoint }}" - src: "{{ vault_nfs_mounts.permanent_test.share }}" - - name: "{{ vault_nfs_mounts.permanent_prod_slub_2015.mountpoint }}" - src: "{{ vault_nfs_mounts.permanent_prod_slub_2015.share }}" - opts: "auto,nfsvers=4" - - name: "{{ vault_nfs_mounts.permanent_prod_slub_2016.mountpoint }}" - src: "{{ vault_nfs_mounts.permanent_prod_slub_2016.share }}" - opts: "auto,nfsvers=4" - - name: "{{ vault_nfs_mounts.permanent_prod_slub_2017.mountpoint }}" - src: "{{ vault_nfs_mounts.permanent_prod_slub_2017.share }}" - opts: "auto,nfsvers=4" - - name: "{{ vault_nfs_mounts.permanent_prod_slub_2018.mountpoint }}" - src: "{{ vault_nfs_mounts.permanent_prod_slub_2018.share }}" - opts: "auto,nfsvers=4" - - name: "{{ vault_nfs_mounts.permanent_prod_slub_2019.mountpoint }}" - src: "{{ vault_nfs_mounts.permanent_prod_slub_2019.share }}" - opts: "auto,nfsvers=4" - - name: "{{ vault_nfs_mounts.permanent_prod_slub_2020.mountpoint }}" - src: "{{ vault_nfs_mounts.permanent_prod_slub_2020.share }}" - opts: "auto,nfsvers=4" - - name: "{{ vault_nfs_mounts.permanent_prod_slub_2021.mountpoint }}" - src: "{{ vault_nfs_mounts.permanent_prod_slub_2021.share }}" - opts: "auto,nfsvers=4" - - name: "{{ vault_nfs_mounts.permanent_prod_lfulg.mountpoint }}" - src: "{{ vault_nfs_mounts.permanent_prod_lfulg.share }}" - opts: "auto,nfsvers=4" + loop: "{{ vault_permanent_nfs_mounts }}" +# with_items: +# - name: "{{ vault_nfs_mounts.permanent_dev.mountpoint }}" +# src: "{{ vault_nfs_mounts.permanent_dev.share }}" +# - name: "{{ vault_nfs_mounts.permanent_test.mountpoint }}" +# src: "{{ vault_nfs_mounts.permanent_test.share }}" +# - name: "{{ vault_nfs_mounts.permanent_prod_slub_2015.mountpoint }}" +# src: "{{ vault_nfs_mounts.permanent_prod_slub_2015.share }}" +# opts: "auto,nfsvers=4" +# - name: "{{ vault_nfs_mounts.permanent_prod_slub_2016.mountpoint }}" +# src: "{{ vault_nfs_mounts.permanent_prod_slub_2016.share }}" +# opts: "auto,nfsvers=4" +# - name: "{{ 
vault_nfs_mounts.permanent_prod_slub_2017.mountpoint }}" +# src: "{{ vault_nfs_mounts.permanent_prod_slub_2017.share }}" +# opts: "auto,nfsvers=4" +# - name: "{{ vault_nfs_mounts.permanent_prod_slub_2018.mountpoint }}" +# src: "{{ vault_nfs_mounts.permanent_prod_slub_2018.share }}" +# opts: "auto,nfsvers=4" +# - name: "{{ vault_nfs_mounts.permanent_prod_slub_2019.mountpoint }}" +# src: "{{ vault_nfs_mounts.permanent_prod_slub_2019.share }}" +# opts: "auto,nfsvers=4" +# - name: "{{ vault_nfs_mounts.permanent_prod_slub_2020.mountpoint }}" +# src: "{{ vault_nfs_mounts.permanent_prod_slub_2020.share }}" +# opts: "auto,nfsvers=4" +# - name: "{{ vault_nfs_mounts.permanent_prod_slub_2021.mountpoint }}" +# src: "{{ vault_nfs_mounts.permanent_prod_slub_2021.share }}" +# opts: "auto,nfsvers=4" +# - name: "{{ vault_nfs_mounts.permanent_prod_lfulg.mountpoint }}" +# src: "{{ vault_nfs_mounts.permanent_prod_lfulg.share }}" +# opts: "auto,nfsvers=4" tags: [notest] diff --git a/tasks/configure_ssh_keys.yml b/tasks/configure_ssh_keys.yml index 1effacb..30f0337 100644 --- a/tasks/configure_ssh_keys.yml +++ b/tasks/configure_ssh_keys.yml @@ -1,10 +1,11 @@ --- - name: deploy SSH key for management user authorized_key: - user: "{{ vault_ssh_access.user }}" + user: "{{ item.user }}" state: present - key: "{{ vault_ssh_access.ssh_key }}" - comment: "{{ vault_ssh_access.ssh_comment }}" + key: "{{ item.ssh_key }}" + comment: "{{ item.ssh_comment }}" + loop: "{{ vault_ssh_access }}" - name: copy SSH key files to managed servers copy: diff --git a/tasks/create_users_groups.yml b/tasks/create_users_groups.yml index 1807633..fa36346 100644 --- a/tasks/create_users_groups.yml +++ b/tasks/create_users_groups.yml 
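Review bot: The `nodev,nosuid` hardening on the permanent-storage mounts is applied only when a vault entry supplies no `opts`; the old inline list shows the production shares set `opts: "auto,nfsvers=4"`, so once those move into `vault_permanent_nfs_mounts` they are mounted read-only but without `nodev,nosuid`. Putting the security-relevant options into the fixed prefix instead of the default keeps them regardless of what the vault supplies: `opts: "ro,nodev,nosuid,{{ item.opts | default('defaults,rsize=8192,wsize=8192,vers=3') }}"` — this also removes the duplicated `ro` currently produced by the default value. The commented-out `vault_nfs_mounts.*` lists left in both tasks reference a variable name this commit retires; delete them rather than keep dead configuration, git history preserves the old values.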
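Review bot: Turning `vault_ssh_access` into a list makes it a small authorized-keys inventory, but `state: present` stays hard-coded, so a key dropped from the vault is never removed from `authorized_keys` and revoking access becomes a manual step on every host. Exposing the state per entry, `state: "{{ item.state | default('present') }}"`, lets a retired or compromised key be removed through the same playbook; `exclusive: true` would be stronger but breaks as soon as two entries target the same user, so the per-item state is the safer option here. The following task (`copy SSH key files to managed servers`) continues outside this hunk.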
@@ -1,15 +1,16 @@ --- - name: Gruppen anlegen - group: + ansible.builtin.group: name: "{{ item.name }}" state: "{{ item.state | default('present') }}" gid: "{{ item.gid | default(omit) }}" loop: "{{ vault_groups }}" - name: User in Gruppen einfügen & SSH-Key erzeugen - user: - name: "{{ vault_user.name }}" - groups: "{{ vault_user.groups }}" - generate_ssh_key: "yes" - ssh_key_bits: 4096 - ssh_key_comment: "lza-user" + ansible.builtin.user: + name: "{{ item.name }}" + groups: "{{ item.groups | default('') }}" + generate_ssh_key: "{{ item.generate_ssh_key | default(false) }}" + ssh_key_bits: "{{ item.ssh_key_bits | default(omit) }}" + ssh_key_comment: "{{ item.ssh_key_comment | default(omit) }}" + loop: "{{ vault_users }}" diff --git a/tasks/install_test_scripts.yml b/tasks/install_test_scripts.yml index 86a41ab..1126d2b 100644 --- a/tasks/install_test_scripts.yml +++ b/tasks/install_test_scripts.yml @@ -21,7 +21,7 @@ - "test_exit_strategy.sh" - name: deploy test scripts from Git - git: + ansible.builtin.git: dest: "/usr/local/bin/{{ item.dest }}" repo: "{{ item.repo }}" version: "{{ item.version | default(omit) }}" @@ -38,6 +38,8 @@ # runs the Exit Strategy script to build an emergency database - dest: "rosettaExitStrategy/" repo: "git@{{ vault_slub_git_repo_fqdn }}:slub-digitalpreservation/rosettaExitStrategy.git" + - dest: "rosettaDeepFixity/" + repo: "git@{{ vault_slub_git_repo_fqdn }}:digital-preservation/rosettadeepfixity.git" - name: test if prerequisites for exit strategy script are installed command: "perl -c /usr/local/bin/rosettaExitStrategy/perl/exit_strategy.pl" diff --git a/tasks/main.yml b/tasks/main.yml index 6c9feff..d7b1f76 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -24,3 +24,7 @@ - name: install test scripts import_tasks: "install_test_scripts.yml" tags: [testscripts] + +- name: configure iptables + import_tasks: "configure_iptables_external.yml" + tags: [firewall, iptables] -- GitLab
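Review bot: `groups: "{{ item.groups | default('') }}"` is a behaviour change with a security side effect: `ansible.builtin.user` treats an empty `groups` string as "remove the user from every supplementary group", and `append` is not set, so any vault entry without a `groups` key strips that account of all secondary memberships (admin/sudo groups included) on every run. Use `default(omit)` so an entry that says nothing about groups leaves them untouched, and consider exposing `append: "{{ item.append | default(false) }}"` so entries can add to existing memberships rather than replace them. The old task always generated a 4096-bit key for the single user; with `generate_ssh_key` now defaulting to `false`, key generation depends on each vault entry asking for it, which is reasonable but worth a comment above the task. As with the group task there is still no `state`, so accounts cannot be removed via the same list.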
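Review bot: The new `rosettaDeepFixity/` entry clones without a `version`, so `version: "{{ item.version | default(omit) }}"` lets the checkout float at the default branch HEAD — a tool that, going by its name, verifies fixity of the permanent archive should not run whatever the repository happens to hold; pin it to a tag or commit, `version: "<release tag>"`, and bump deliberately. The repository path uses the `digital-preservation/` namespace while the neighbouring entries use `slub-digitalpreservation/`; if that is intentional a short comment would stop someone "correcting" it, and if not the clone will fail. The existing entries each carry a one-line purpose comment (`# runs the Exit Strategy script …`); add the same here, e.g. `# runs the deep fixity check (ND-2111)`. The enclosing `deploy test scripts from Git` task starts outside this hunk.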