feat: ND-2111 'deep_fixity auf Sanity-Server vom ZIH aus ausführen'

a0f85aad · Jörg Sachse · 41f7444d · a0f85aad · a0f85aad · a0f85aad
Commit a0f85aad authored 3 years ago by Jörg Sachse
--- a/tasks/configure_iptables_external.yml
+++ b/tasks/configure_iptables_external.yml
+---
+- name: configure iptables filter rules for external access
+  ansible.builtin.iptables:
+    action: "insert"
+    chain: "{{ item.chain | default('INPUT') }}"
+    comment: "{{ item.comment | default(omit) }}"
+    destination_port: "{{ item.destination_port }}"
+    jump: "{{ item.jump | default('DROP') }}"
+    protocol: "{{ item.protocol | default('tcp') }}"
+    source: "{{ item.source }}"
+  loop: "{{ vault_iptables_external }}"
--- a/tasks/configure_nfs_mounts.yml
+++ b/tasks/configure_nfs_mounts.yml
 ---
 - name: Mountpoint für Logging anlegen
  file:
-    path: "{{ vault_nfs_mounts.log.mountpoint }}{{ ansible_hostname }}"
+    path: "{{ vault_log_nfs_mounts.log.mountpoint }}{{ ansible_hostname }}"
    state: directory

 - name: NFS-Shares für Logging mounten (/var/log/rossanity/)
  mount:
-    name: "{{ vault_nfs_mounts.log.mountpoint }}{{ ansible_hostname }}/"
-    src: "{{ vault_nfs_mounts.log.share }}{{ ansible_hostname }}/"
+    name: "{{ vault_log_nfs_mounts.log.mountpoint }}{{ ansible_hostname }}/"
+    src: "{{ vault_log_nfs_mounts.log.share }}{{ ansible_hostname }}/"
    state: mounted
    fstype: "nfs"
    opts: "defaults,nodev,nosuid,rsize=8192,wsize=8192,vers=3"
@@ -16,55 +16,56 @@
 ### MOUNTPOINTS PERMANENT ERSTELLEN ###
 - name: Mountpoints für Permanent Storage anlegen
  file:
-    path: "{{ item }}"
+    path: "{{ item.mountpoint }}"
    state: directory
-  loop:
-    - "{{ vault_nfs_mounts.permanent_dev.mountpoint }}"
-    - "{{ vault_nfs_mounts.permanent_test.mountpoint }}"
-    - "{{ vault_nfs_mounts.permanent_prod_slub_2015.mountpoint }}"
-    - "{{ vault_nfs_mounts.permanent_prod_slub_2016.mountpoint }}"
-    - "{{ vault_nfs_mounts.permanent_prod_slub_2017.mountpoint }}"
-    - "{{ vault_nfs_mounts.permanent_prod_slub_2018.mountpoint }}"
-    - "{{ vault_nfs_mounts.permanent_prod_slub_2019.mountpoint }}"
-    - "{{ vault_nfs_mounts.permanent_prod_slub_2020.mountpoint }}"
-    - "{{ vault_nfs_mounts.permanent_prod_slub_2021.mountpoint }}"
-    - "{{ vault_nfs_mounts.permanent_prod_lfulg.mountpoint }}"
+  loop: "{{ vault_permanent_nfs_mounts }}"
+#    - "{{ vault_nfs_mounts.permanent_dev.mountpoint }}"
+#    - "{{ vault_nfs_mounts.permanent_test.mountpoint }}"
+#    - "{{ vault_nfs_mounts.permanent_prod_slub_2015.mountpoint }}"
+#    - "{{ vault_nfs_mounts.permanent_prod_slub_2016.mountpoint }}"
+#    - "{{ vault_nfs_mounts.permanent_prod_slub_2017.mountpoint }}"
+#    - "{{ vault_nfs_mounts.permanent_prod_slub_2018.mountpoint }}"
+#    - "{{ vault_nfs_mounts.permanent_prod_slub_2019.mountpoint }}"
+#    - "{{ vault_nfs_mounts.permanent_prod_slub_2020.mountpoint }}"
+#    - "{{ vault_nfs_mounts.permanent_prod_slub_2021.mountpoint }}"
+#    - "{{ vault_nfs_mounts.permanent_prod_lfulg.mountpoint }}"

 ### PERMANENT STORAGE MOUNTEN ###
 - name: NFS-Shares für Permanent Storage mounten
  mount:
-    name: "{{ item.name }}"
-    src: "{{ item.src }}"
+    name: "{{ item.mountpoint }}"
+    src: "{{ item.share }}"
    state: mounted
    fstype: "nfs"
    opts: "ro,{{ item.opts | default('ro,defaults,nodev,nosuid,rsize=8192,wsize=8192,vers=3') }}"
-  with_items:
-    - name: "{{ vault_nfs_mounts.permanent_dev.mountpoint }}"
-      src: "{{ vault_nfs_mounts.permanent_dev.share }}"
-    - name: "{{ vault_nfs_mounts.permanent_test.mountpoint }}"
-      src: "{{ vault_nfs_mounts.permanent_test.share }}"
-    - name: "{{ vault_nfs_mounts.permanent_prod_slub_2015.mountpoint }}"
-      src: "{{ vault_nfs_mounts.permanent_prod_slub_2015.share }}"
-      opts: "auto,nfsvers=4"
-    - name: "{{ vault_nfs_mounts.permanent_prod_slub_2016.mountpoint }}"
-      src: "{{ vault_nfs_mounts.permanent_prod_slub_2016.share }}"
-      opts: "auto,nfsvers=4"
-    - name: "{{ vault_nfs_mounts.permanent_prod_slub_2017.mountpoint }}"
-      src: "{{ vault_nfs_mounts.permanent_prod_slub_2017.share }}"
-      opts: "auto,nfsvers=4"
-    - name: "{{ vault_nfs_mounts.permanent_prod_slub_2018.mountpoint }}"
-      src: "{{ vault_nfs_mounts.permanent_prod_slub_2018.share }}"
-      opts: "auto,nfsvers=4"
-    - name: "{{ vault_nfs_mounts.permanent_prod_slub_2019.mountpoint }}"
-      src: "{{ vault_nfs_mounts.permanent_prod_slub_2019.share }}"
-      opts: "auto,nfsvers=4"
-    - name: "{{ vault_nfs_mounts.permanent_prod_slub_2020.mountpoint }}"
-      src: "{{ vault_nfs_mounts.permanent_prod_slub_2020.share }}"
-      opts: "auto,nfsvers=4"
-    - name: "{{ vault_nfs_mounts.permanent_prod_slub_2021.mountpoint }}"
-      src: "{{ vault_nfs_mounts.permanent_prod_slub_2021.share }}"
-      opts: "auto,nfsvers=4"
-    - name: "{{ vault_nfs_mounts.permanent_prod_lfulg.mountpoint }}"
-      src: "{{ vault_nfs_mounts.permanent_prod_lfulg.share }}"
-      opts: "auto,nfsvers=4"
+  loop: "{{ vault_permanent_nfs_mounts }}"
+#  with_items:
+#    - name: "{{ vault_nfs_mounts.permanent_dev.mountpoint }}"
+#      src: "{{ vault_nfs_mounts.permanent_dev.share }}"
+#    - name: "{{ vault_nfs_mounts.permanent_test.mountpoint }}"
+#      src: "{{ vault_nfs_mounts.permanent_test.share }}"
+#    - name: "{{ vault_nfs_mounts.permanent_prod_slub_2015.mountpoint }}"
+#      src: "{{ vault_nfs_mounts.permanent_prod_slub_2015.share }}"
+#      opts: "auto,nfsvers=4"
+#    - name: "{{ vault_nfs_mounts.permanent_prod_slub_2016.mountpoint }}"
+#      src: "{{ vault_nfs_mounts.permanent_prod_slub_2016.share }}"
+#      opts: "auto,nfsvers=4"
+#    - name: "{{ vault_nfs_mounts.permanent_prod_slub_2017.mountpoint }}"
+#      src: "{{ vault_nfs_mounts.permanent_prod_slub_2017.share }}"
+#      opts: "auto,nfsvers=4"
+#    - name: "{{ vault_nfs_mounts.permanent_prod_slub_2018.mountpoint }}"
+#      src: "{{ vault_nfs_mounts.permanent_prod_slub_2018.share }}"
+#      opts: "auto,nfsvers=4"
+#    - name: "{{ vault_nfs_mounts.permanent_prod_slub_2019.mountpoint }}"
+#      src: "{{ vault_nfs_mounts.permanent_prod_slub_2019.share }}"
+#      opts: "auto,nfsvers=4"
+#    - name: "{{ vault_nfs_mounts.permanent_prod_slub_2020.mountpoint }}"
+#      src: "{{ vault_nfs_mounts.permanent_prod_slub_2020.share }}"
+#      opts: "auto,nfsvers=4"
+#    - name: "{{ vault_nfs_mounts.permanent_prod_slub_2021.mountpoint }}"
+#      src: "{{ vault_nfs_mounts.permanent_prod_slub_2021.share }}"
+#      opts: "auto,nfsvers=4"
+#    - name: "{{ vault_nfs_mounts.permanent_prod_lfulg.mountpoint }}"
+#      src: "{{ vault_nfs_mounts.permanent_prod_lfulg.share }}"
+#      opts: "auto,nfsvers=4"
  tags: [notest]
--- a/tasks/configure_ssh_keys.yml
+++ b/tasks/configure_ssh_keys.yml
 ---
 - name: deploy SSH key for management user
  authorized_key:
-    user: "{{ vault_ssh_access.user }}"
+    user: "{{ item.user }}"
    state: present
-    key: "{{ vault_ssh_access.ssh_key }}"
-    comment: "{{ vault_ssh_access.ssh_comment }}"
+    key: "{{ item.ssh_key }}"
+    comment: "{{ item.ssh_comment }}"
+  loop: "{{ vault_ssh_access }}"

 - name: copy SSH key files to managed servers
  copy:

--- a/tasks/create_users_groups.yml
+++ b/tasks/create_users_groups.yml
 ---
 - name: Gruppen anlegen
-  group:
+  ansible.builtin.group:
    name: "{{ item.name }}"
    state: "{{ item.state | default('present') }}"
    gid: "{{ item.gid | default(omit) }}"
  loop: "{{ vault_groups }}"

 - name: User in Gruppen einfügen & SSH-Key erzeugen
-  user:
-    name: "{{ vault_user.name }}"
-    groups: "{{ vault_user.groups }}"
-    generate_ssh_key: "yes"
-    ssh_key_bits: 4096
-    ssh_key_comment: "lza-user"
+  ansible.builtin.user:
+    name: "{{ item.name }}"
+    groups: "{{ item.groups | default('') }}"
+    generate_ssh_key: "{{ item.generate_ssh_key | default(false) }}"
+    ssh_key_bits: "{{ item.ssh_key_bits | default(omit) }}"
+    ssh_key_comment: "{{ item.ssh_key_comment | default(omit) }}"
+  loop: "{{ vault_users }}"
--- a/tasks/install_test_scripts.yml
+++ b/tasks/install_test_scripts.yml
@@ -21,7 +21,7 @@
    - "test_exit_strategy.sh"

 - name: deploy test scripts from Git
-  git:
+  ansible.builtin.git:
    dest: "/usr/local/bin/{{ item.dest }}"
    repo: "{{ item.repo }}"
    version: "{{ item.version | default(omit) }}"
@@ -38,6 +38,8 @@
    # runs the Exit Strategy script to build an emergency database
    - dest: "rosettaExitStrategy/"
      repo: "git@{{ vault_slub_git_repo_fqdn }}:slub-digitalpreservation/rosettaExitStrategy.git"
+    - dest: "rosettaDeepFixity/"
+      repo: "git@{{ vault_slub_git_repo_fqdn }}:digital-preservation/rosettadeepfixity.git"

 - name: test if prerequisites for exit strategy script are installed
  command: "perl -c /usr/local/bin/rosettaExitStrategy/perl/exit_strategy.pl"

--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -24,3 +24,7 @@
 - name: install test scripts
  import_tasks: "install_test_scripts.yml"
  tags: [testscripts]
+
+- name: configure iptables
+  import_tasks: "configure_iptables_external.yml"
+  tags: [firewall, iptables]