From 99d88677f9b5d7eaba39af28067c47bb84587615 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Mon, 24 Apr 2023 19:28:53 +0200
Subject: [PATCH] change directory structure
---
 README.md | 2 +-
 {configure => ansible}/ansible.cfg | 4 +-
 ansible/atlas.yml | 39 ++++++
 {configure => ansible}/backup_control.sh | 0
 {configure => ansible}/dmz.conf | 0
 ansible/inventory/host_vars/atlas.yml | 90 ++++++++++++
 {configure => ansible}/inventory/hosts.yml | 0
 ansible/requirements.yml | 6 +
 ansible/roles/backup/handlers/main.yml | 4 +
 ansible/roles/backup/tasks/main.yml | 34 +++++
 ansible/roles/postgresql/handlers/main.yml | 4 +
 ansible/roles/postgresql/tasks/main.yml | 44 ++++++
 {configure => ansible}/sshd.conf.j2 | 0
 .../util/secret-service-client.sh | 2 +-
 configure/atlas.yml | 130 ------------------
 configure/inventory/host_vars/atlas.yml | 22 ---
 {bootstrap => terraform}/main.tf | 0
 .../set_volume_pool_mode_open.xsl | 0
 18 files changed, 226 insertions(+), 155 deletions(-)
 rename {configure => ansible}/ansible.cfg (57%)
 create mode 100644 ansible/atlas.yml
 rename {configure => ansible}/backup_control.sh (100%)
 rename {configure => ansible}/dmz.conf (100%)
 create mode 100644 ansible/inventory/host_vars/atlas.yml
 rename {configure => ansible}/inventory/hosts.yml (100%)
 create mode 100644 ansible/requirements.yml
 create mode 100644 ansible/roles/backup/handlers/main.yml
 create mode 100644 ansible/roles/backup/tasks/main.yml
 create mode 100644 ansible/roles/postgresql/handlers/main.yml
 create mode 100644 ansible/roles/postgresql/tasks/main.yml
 rename {configure => ansible}/sshd.conf.j2 (100%)
 rename {configure => ansible}/util/secret-service-client.sh (62%)
 delete mode 100644 configure/atlas.yml
 delete mode 100644 configure/inventory/host_vars/atlas.yml
 rename {bootstrap => terraform}/main.tf (100%)
 rename {bootstrap => terraform}/set_volume_pool_mode_open.xsl (100%)
diff --git a/README.md b/README.md
index 257103c..a4cbe7d 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,3 @@
 # Atlas
-Atlas is our first server running a hypervisor.
\ No newline at end of file
+Atlas is our first server running a hypervisor.
diff --git a/configure/ansible.cfg b/ansible/ansible.cfg
similarity index 57%
rename from configure/ansible.cfg
rename to ansible/ansible.cfg
index 0f3551c..4351528 100644
--- a/configure/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -1,7 +1,9 @@
 [defaults]
+roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles
 inventory=inventory
-interpreter_python=/usr/bin/python3
 vault_password_file=util/secret-service-client.sh
+interpreter_python=/usr/bin/python3
+host_key_checking = False
 [diff]
 always = True
diff --git a/ansible/atlas.yml b/ansible/atlas.yml
new file mode 100644
index 0000000..94f8e14
--- /dev/null
+++ b/ansible/atlas.yml
@@ -0,0 +1,39 @@
+---
+- name: Setup Atlas
+ hosts: atlas
+
+ handlers:
+ - name: enable interfaces
+ command:
+ cmd: ifup -a
+
+ pre_tasks:
+ - name: Start libvirtd
+ systemd:
+ name: libvirtd
+ enabled: true
+ state: started
+
+ - name: Add root to libvirt group
+ user:
+ name: root
+ groups: libvirt
+ append: yes
+
+ - name: Disable apparmor
+ systemd:
+ name: apparmor
+ enabled: false
+ state: stopped
+
+ - name: Copy interfaces configuration
+ copy:
+ src: dmz.conf
+ dest: /etc/network/interfaces.d/dmz.conf
+ notify: enable interfaces
+
+ roles:
+ - {role: setup-apt, tags: setup-apt}
+ - {role: postgresql, tags: postgresql}
+ - {role: githubixx.ansible_role_wireguard, tags: wireguard}
+ - {role: ssh-ca, tags: ssh-ca}
diff --git a/configure/backup_control.sh b/ansible/backup_control.sh
similarity index 100%
rename from configure/backup_control.sh
rename to ansible/backup_control.sh
diff --git a/configure/dmz.conf b/ansible/dmz.conf
similarity index 100%
rename from configure/dmz.conf
rename to ansible/dmz.conf
diff --git a/ansible/inventory/host_vars/atlas.yml b/ansible/inventory/host_vars/atlas.yml
new file mode 100644
index 0000000..583e6e1
--- /dev/null
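Review bot: `host_key_checking = False`, added at the end of `[defaults]`, disables SSH host key verification for every connection Ansible makes, so a machine answering for atlas on the network would receive whatever this playbook pushes (the vault-decrypted WireGuard and CA private keys from host_vars) without any warning. Drop the line and seed the controller's known_hosts with atlas' host key once; if the first-contact prompt is the real problem, trusting the host CA whose public key this commit already adds to host_vars solves it without turning checking off. If the line stays, `host_key_checking=False` matches the `key=value` spacing of the rest of the file.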
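Review bot: The `roles:` list at the bottom of the play does not include the new `backup` role, so the tasks this commit moves out of the old `configure/atlas.yml` into `ansible/roles/backup/tasks/main.yml` (backup users, user CA install, sshd drop-in) are no longer run by any play; add `- {role: backup, tags: backup}` alongside the others. `append: yes` in the libvirt group task should be `append: true` to match the `true`/`false` spelling used everywhere else in the file.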
+++ b/ansible/inventory/host_vars/atlas.yml 
@@ -0,0 +1,90 @@
+backup_share_user: "backup-share"
+backup_control_user: "backup-control"
+user_ca: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKOClnK6/Hj8INjEgULY/lD2FM/nbiJHqaSXtEw4+Fj User Certificate Authority for DMZ"
+storage_pools: [iso, disk, init]
+wireguard_addresses:
+ - "10.42.0.1/32"
+wireguard_endpoint: "atlas.lan"
+wireguard_private_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 65666463346536363662353234666662376330396365656361636530663032366436653336383134
+ 6463636362636530316434626561623866306165313638330a633761626361393963303933313738
+ 30336535333761393663396534373363333465306232343238666538383039636138393661373839
+ 3935626664326237310a386337306364663463663764376631336431363062656137376635366361
+ 35393135626261626565333261316363633838353833666163666132363462636431626234383864
+ 3039633631356339663234656233343635653236356235623532
+wireguard_unmanaged_peers:
+ pim:
+ public_key: "xQ1hkwpIf5x7Wkx1leQHXx3RK8fjGWt2ZmG9XUN3V08="
+ allowed_ips: "10.42.0.2/32"
+ niels:
+ public_key: "WJO/DQUJyDp4rFW291F2Ai51lotU2IC+OATu+5P3Jio="
+ allowed_ips: "10.42.0.3/32"
+
+apt_install_packages:
+ - qemu-kvm
+ - libvirt-daemon-system
+ - postgresql
+ - python3-psycopg2
+ - sudo
+ - bridge-utils
+
+ssh_ca_dir: /root/ssh_ca
+ssh_ca_user_ca_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKOClnK6/Hj8INjEgULY/lD2FM/nbiJHqaSXtEw4+Fj User Certificate Authority for DMZ"
+ssh_ca_host_ca_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x Host Certficate Authority for DMZ"
+ssh_ca_user_ca_private_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 64343164666336316635323733353839373835316465653038333062386438363131353566626130
+ 6531653835313838396638366330386331383533303435300a306333363238633864623864393665
+ 31393036346532353134646466666465386633303061346662393430666532366137323866646561
+ 3131653064323565370a656361326462336238333464353635303066323565633865663032313661
+ 38366238613361626161633862353938326365306634303166346461366531663063343264353533
+ 61656630633734643639333738616566326531653264306134363837616365643039626262613433
+ 61656361326234313130386533363761366665383064643735316133313133643865616536306466
+ 33303733663834646435303935633436383632306330616264343263303861313635383866636163
+ 39653064373966643437636530326235653131616366396563386139333837616535616135323337
+ 66626161336539356637373138613464376133373234353863383330313362623236633462386234
+ 31386635613936306262346264343732623761303331623831353061343035626361623639326530
+ 62643139663733666662623039396461623334666565663439613430353364626162653731303535
+ 32396638393534363533303039343938346339656266303766613931316337333635373664643461
+ 37303332386233663937636631373935613231356262346530323337393733373764613864616563
+ 66383137393738316638393530616234653264613363383663366261303433636236326632323734
+ 35616133386438613636663631653139386466303534636263393633633663303664326137373139
+ 35626336653966396335623330663161333432306538316664376231616161353235353032633438
+ 62363663613135616462323363333863376532623764663066616431636632653938666263383731
+ 65666564656130383262373964386631643332323066386635643032663833306565643164376239
+ 32383732393236336235363936303063663963343061306161643331623330326139663836323561
+ 31353532313639613563393938643333326462653833623531613935363265333534663762333831
+ 36376264636432656537313834373036623339306430333837323836303134323062306265356430
+ 39663238363338666362663364643063613337646237356431383237616465643634313166643435
+ 32623864313537336634373631396465643362333237646462336362656430653036656263613162
+ 64306662313934643661333462306336333561626335303866306131326538653264343465633139
+ 3466663135663239616135353764373532323935613233316132
+ssh_ca_host_ca_private_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 34613835376232653534353636303364613437666563653530363564346164656136643732626234
+ 6430316165623933666461646639303435386433333335660a393538303835616366333066353665
+ 64663236353233383236656365356264653963366464303433313133386430646230363634353465
+ 6365313836666534330a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
diff --git a/configure/inventory/hosts.yml b/ansible/inventory/hosts.yml
similarity index 100%
rename from configure/inventory/hosts.yml
rename to ansible/inventory/hosts.yml
diff --git a/ansible/requirements.yml b/ansible/requirements.yml
new file mode 100644
index 0000000..3801664
--- /dev/null
+++ b/ansible/requirements.yml
@@ -0,0 +1,6 @@
+- name: setup-apt
+ src: https://github.com/sunscrapers/ansible-role-apt.git
+ scm: git
+- name: ssh-ca
+ src: https://git.pim.kunis.nl/pim/ansible-role-ssh-ca
+ scm: git
diff --git a/ansible/roles/backup/handlers/main.yml b/ansible/roles/backup/handlers/main.yml
new file mode 100644
index 0000000..18c505e
--- /dev/null
+++ b/ansible/roles/backup/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart sshd
+ systemd:
+ name: sshd
+ state: restarted
diff --git a/ansible/roles/backup/tasks/main.yml b/ansible/roles/backup/tasks/main.yml
new file mode 100644
index 0000000..84bf409
--- /dev/null
+++ b/ansible/roles/backup/tasks/main.yml
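Review bot: `user_ca` and `ssh_ca_user_ca_public_key` hold byte-identical copies of the user CA public key; the backup role reads the first and the `ssh-ca` role presumably the second, so the two trust anchors can drift apart when the CA is rotated — define it once, `user_ca: "{{ ssh_ca_user_ca_public_key }}"`. The comment field of `ssh_ca_host_ca_public_key` reads `Certficate`; the comment is not part of the key material, so correcting the spelling is safe. The vault-encrypted tail of this hunk is not fully visible in this view.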
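Review bot: Both entries are fetched with `scm: git` and no `version:`, so `ansible-galaxy install -r requirements.yml` takes whatever the default branch points at on the day it runs, and the apt role from a third-party GitHub account then executes as root on the hypervisor. Pin each entry to a tag or commit, `version: "<tag-or-commit>"` (placeholder), and review the upstream diff when bumping. `githubixx.ansible_role_wireguard`, which `ansible/atlas.yml` lists under `roles:`, has no entry here at all, so a clean checkout cannot resolve that play.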
@@ -0,0 +1,34 @@
+- name: Add backup share user
+ user:
+ name: "{{ backup_share_user }}"
+ create_home: false
+ password: '!'
+ shell: /sbin/nologin
+ system: true
+- name: Add backup control user
+ user:
+ name: "{{ backup_control_user }}"
+ password: '!'
+ shell: /usr/bin/sh
+ system: true
+ groups: "libvirt"
+- name: Copy control script
+ copy:
+ src: "backup_control.sh"
+ dest: "/home/{{ backup_control_user }}/control.sh"
+ owner: "{{ backup_control_user }}"
+ group: "{{ backup_control_user }}"
+ mode: u=rx,g=rx,o=rx
+- name: Add backup user principals file
+ copy:
+ dest: "/etc/ssh/backup_principals"
+ content: "backup"
+- name: Install user CA
+ copy:
+ dest: "/etc/ssh/user_ca_key.pub"
+ content: "{{ user_ca }}"
+- name: Copy ssh config for backup user
+ template:
+ src: "sshd.conf.j2"
+ dest: "/etc/ssh/sshd_config.d/custom.conf"
+ notify: restart sshd
diff --git a/ansible/roles/postgresql/handlers/main.yml b/ansible/roles/postgresql/handlers/main.yml
new file mode 100644
index 0000000..a09812e
--- /dev/null
+++ b/ansible/roles/postgresql/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart postgres
+ systemd:
+ name: postgresql
+ state: restarted
diff --git a/ansible/roles/postgresql/tasks/main.yml b/ansible/roles/postgresql/tasks/main.yml
new file mode 100644
index 0000000..ac436c5
--- /dev/null
+++ b/ansible/roles/postgresql/tasks/main.yml
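Review bot: `Copy control script` installs `control.sh` with `owner: "{{ backup_control_user }}"`, so the account the script is meant to constrain can chmod and rewrite it regardless of the `u=rx` mode; if the script acts as that account's forced command (the `sshd.conf.j2` template that would show this is outside the diff), it should be `owner: root` with the user receiving only `g=rx`/`o=rx`, particularly since the same account is placed in `libvirt`. The `template` task for `/etc/ssh/sshd_config.d/custom.conf` notifies `restart sshd` but has no `validate:`, so a typo in the drop-in takes the daemon down on restart; `validate: /usr/sbin/sshd -t -f %s` catches that before the file is moved into place (it tests the fragment on its own, which is normally sufficient for a snippet). The two `copy` tasks writing under `/etc/ssh/` set no `owner`/`mode` and fall back to umask-derived permissions; `owner: root` and `mode: "0644"` make the intent explicit. Unlike the postgresql role's tasks file, the tasks here are not separated by blank lines.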
@@ -0,0 +1,44 @@
+- name: Create terraform database
+ postgresql_db:
+ name: terraform_state
+ owner: terraform
+ become: true
+ become_user: postgres
+
+- name: Create database user
+ postgresql_user:
+ name: terraform
+ become: true
+ become_user: postgres
+
+- name: Grant database user access to database
+ postgresql_privs:
+ type: database
+ database: terraform_state
+ roles: terraform
+ grant_option: no
+ privs: all
+ become: true
+ become_user: postgres
+ notify: restart postgres
+
+- name: Allow remote access to database for user
+ postgresql_pg_hba:
+ dest: /etc/postgresql/15/main/pg_hba.conf
+ contype: host
+ databases: all
+ method: trust
+ users: terraform
+ address: "10.42.0.0/24"
+ create: true
+ become: true
+ become_user: postgres
+ notify: restart postgres
+
+- name: Open postgres port
+ ini_file:
+ path: /etc/postgresql/15/main/postgresql.conf
+ section: null
+ option: listen_addresses
+ value: "'*'"
+ notify: restart postgres
diff --git a/configure/sshd.conf.j2 b/ansible/sshd.conf.j2
similarity index 100%
rename from configure/sshd.conf.j2
rename to ansible/sshd.conf.j2
diff --git a/configure/util/secret-service-client.sh b/ansible/util/secret-service-client.sh
similarity index 62%
rename from configure/util/secret-service-client.sh
rename to ansible/util/secret-service-client.sh
index 32d82a6..5743a9d 100755
--- a/configure/util/secret-service-client.sh
+++ b/ansible/util/secret-service-client.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-pass=`secret-tool lookup ansible_vault atlas`
+pass=`secret-tool lookup ansible_vault hermes`
 retval=$?
 if [ $retval -ne 0 ]; then
diff --git a/configure/atlas.yml b/configure/atlas.yml
deleted file mode 100644
index 1c4a349..0000000
--- a/configure/atlas.yml
+++ /dev/null
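Review bot: `Allow remote access to database for user` adds a `pg_hba` rule with `method: trust` and `databases: all` for `10.42.0.0/24`, so any peer on the WireGuard subnet (host_vars define at least two besides atlas) can log in as `terraform` with no credential, and the trust extends to every database rather than just `terraform_state`. Give the role a credential in `Create database user` and tighten the rule to `method: scram-sha-256` and `databases: terraform_state`. `Open postgres port` sets `listen_addresses` to `'*'`, which exposes the listener on every interface including the DMZ bridge this playbook configures, when the pg_hba rule suggests only the WireGuard address is intended — bind to that address instead (the exact value depends on the interface layout). `grant_option: no` should be `grant_option: false` to match the `true`/`false` used elsewhere in the file.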
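Review bot: The only change in this hunk swaps the secret-tool lookup key from `atlas` to `hermes`, in a commit titled "change directory structure"; if that is accidental, the vault password file for this repo now reads a different host's secret and decryption of the `!vault` values in host_vars fails. If it is intentional, the commit message should say so. While touching the line, `pass=$(secret-tool lookup ansible_vault hermes)` is the modern form of the backtick substitution.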
@@ -1,130 +0,0 @@ ---- -- name: Setup Atlas - hosts: atlas - - handlers: - - name: restart postgres - systemd: - name: postgresql - state: restarted - - name: enable interfaces - command: - cmd: ifup -a - - name: restart sshd - systemd: - name: sshd - state: restarted - - tasks: - - name: Update - apt: - autoremove: true - upgrade: yes - state: latest - update_cache: yes - cache_valid_time: 86400 - - name: Install packages - apt: - pkg: - - qemu-kvm - - libvirt-daemon-system - - postgresql - - python3-psycopg2 - - sudo - - bridge-utils - - name: Start libvirtd - systemd: - name: libvirtd - enabled: true - state: started - - name: Add root to libvirt group - user: - name: root - groups: libvirt - append: yes - - name: Disable apparmor - systemd: - name: apparmor - enabled: false - state: stopped - - name: Create terraform database - postgresql_db: - name: terraform_state - owner: terraform - become: true - become_user: postgres - - name: Create database user - postgresql_user: - name: terraform - become: true - become_user: postgres - - name: Grant database user access to database - postgresql_privs: - type: database - database: terraform_state - roles: terraform - grant_option: no - privs: all - become: true - become_user: postgres - notify: restart postgres - - name: Allow remote access to database for user - postgresql_pg_hba: - dest: /etc/postgresql/15/main/pg_hba.conf - contype: host - databases: all - method: trust - users: terraform - address: "10.42.0.0/24" - create: true - become: true - become_user: postgres - notify: restart postgres - - name: Open postgres port - ini_file: - path: /etc/postgresql/15/main/postgresql.conf - section: null - option: listen_addresses - value: "'*'" - notify: restart postgres - - name: Copy interfaces configuration - copy: - src: dmz.conf - dest: /etc/network/interfaces.d/dmz.conf - notify: enable interfaces - - name: Add backup share user - user: - name: "{{ backup_share_user }}" - create_home: false - password: '!' 
- shell: /sbin/nologin - system: true - - name: Add backup control user - user: - name: "{{ backup_control_user }}" - password: '!' - shell: /usr/bin/sh - system: true - groups: "libvirt" - - name: Copy control script - copy: - src: "backup_control.sh" - dest: "/home/{{ backup_control_user }}/control.sh" - owner: "{{ backup_control_user }}" - group: "{{ backup_control_user }}" - mode: u=rx,g=rx,o=rx - - name: Add backup user principals file - copy: - dest: "/etc/ssh/backup_principals" - content: "backup" - - name: Install user CA - copy: - dest: "/etc/ssh/user_ca_key.pub" - content: "{{ user_ca }}" - - name: Copy ssh config for backup user - template: - src: "sshd.conf.j2" - dest: "/etc/ssh/sshd_config.d/custom.conf" - notify: restart sshd - roles: - - githubixx.ansible_role_wireguard diff --git a/configure/inventory/host_vars/atlas.yml b/configure/inventory/host_vars/atlas.yml deleted file mode 100644 index d7fd4c5..0000000 --- a/configure/inventory/host_vars/atlas.yml +++ /dev/null 
@@ -1,22 +0,0 @@ -backup_share_user: "backup-share" -backup_control_user: "backup-control" -user_ca: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKOClnK6/Hj8INjEgULY/lD2FM/nbiJHqaSXtEw4+Fj User Certificate Authority for DMZ" -storage_pools: [iso, disk, init] -wireguard_addresses: - - "10.42.0.1/32" -wireguard_endpoint: "atlas.lan" -wireguard_private_key: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 65666463346536363662353234666662376330396365656361636530663032366436653336383134 - 6463636362636530316434626561623866306165313638330a633761626361393963303933313738 - 30336535333761393663396534373363333465306232343238666538383039636138393661373839 - 3935626664326237310a386337306364663463663764376631336431363062656137376635366361 - 35393135626261626565333261316363633838353833666163666132363462636431626234383864 - 3039633631356339663234656233343635653236356235623532 -wireguard_unmanaged_peers: - pim: - public_key: "xQ1hkwpIf5x7Wkx1leQHXx3RK8fjGWt2ZmG9XUN3V08=" - allowed_ips: "10.42.0.2/32" - niels: - public_key: "WJO/DQUJyDp4rFW291F2Ai51lotU2IC+OATu+5P3Jio=" - allowed_ips: "10.42.0.3/32" diff --git a/bootstrap/main.tf b/terraform/main.tf similarity index 100% rename from bootstrap/main.tf rename to terraform/main.tf diff --git a/bootstrap/set_volume_pool_mode_open.xsl b/terraform/set_volume_pool_mode_open.xsl similarity index 100% rename from bootstrap/set_volume_pool_mode_open.xsl rename to terraform/set_volume_pool_mode_open.xsl