change directory structure
This commit is contained in:
parent
a172a02fe1
commit
99d88677f9
18 changed files with 226 additions and 155 deletions
|
@ -1,7 +1,9 @@
|
||||||
[defaults]
|
[defaults]
|
||||||
|
roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles
|
||||||
inventory=inventory
|
inventory=inventory
|
||||||
interpreter_python=/usr/bin/python3
|
|
||||||
vault_password_file=util/secret-service-client.sh
|
vault_password_file=util/secret-service-client.sh
|
||||||
|
interpreter_python=/usr/bin/python3
|
||||||
|
host_key_checking = False
|
||||||
|
|
||||||
[diff]
|
[diff]
|
||||||
always = True
|
always = True
|
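--- a/ansible/atlas.yml
+++ b/ansible/atlas.yml
@@ -0,0 +1,39 @@
+---
+- name: Setup Atlas
+  hosts: atlas
+
+  handlers:
+    - name: enable interfaces
+      command:
+        cmd: ifup -a
+
+  pre_tasks:
+    - name: Start libvirtd
+      systemd:
+        name: libvirtd
+        enabled: true
+        state: started
+
+    - name: Add root to libvirt group
+      user:
+        name: root
+        groups: libvirt
+        append: yes
+
+    - name: Disable apparmor
+      systemd:
+        name: apparmor
+        enabled: false
+        state: stopped
+
+    - name: Copy interfaces configuration
+      copy:
+        src: dmz.conf
+        dest: /etc/network/interfaces.d/dmz.conf
+      notify: enable interfaces
+
+  roles:
+    - {role: setup-apt, tags: setup-apt}
+    - {role: postgresql, tags: postgresql}
+    - {role: githubixx.ansible_role_wireguard, tags: wireguard}
+    - {role: ssh-ca, tags: ssh-ca}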
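--- a/ansible/inventory/host_vars/atlas.yml
+++ b/ansible/inventory/host_vars/atlas.yml
@@ -0,0 +1,90 @@
+backup_share_user: "backup-share"
+backup_control_user: "backup-control"
+user_ca: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKOClnK6/Hj8INjEgULY/lD2FM/nbiJHqaSXtEw4+Fj User Certificate Authority for DMZ"
+storage_pools: [iso, disk, init]
+wireguard_addresses:
+  - "10.42.0.1/32"
+wireguard_endpoint: "atlas.lan"
+wireguard_private_key: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  65666463346536363662353234666662376330396365656361636530663032366436653336383134
+  6463636362636530316434626561623866306165313638330a633761626361393963303933313738
+  30336535333761393663396534373363333465306232343238666538383039636138393661373839
+  3935626664326237310a386337306364663463663764376631336431363062656137376635366361
+  35393135626261626565333261316363633838353833666163666132363462636431626234383864
+  3039633631356339663234656233343635653236356235623532
+wireguard_unmanaged_peers:
+  pim:
+    public_key: "xQ1hkwpIf5x7Wkx1leQHXx3RK8fjGWt2ZmG9XUN3V08="
+    allowed_ips: "10.42.0.2/32"
+  niels:
+    public_key: "WJO/DQUJyDp4rFW291F2Ai51lotU2IC+OATu+5P3Jio="
+    allowed_ips: "10.42.0.3/32"
+
+apt_install_packages:
+  - qemu-kvm
+  - libvirt-daemon-system
+  - postgresql
+  - python3-psycopg2
+  - sudo
+  - bridge-utils
+
+ssh_ca_dir: /root/ssh_ca
+ssh_ca_user_ca_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKOClnK6/Hj8INjEgULY/lD2FM/nbiJHqaSXtEw4+Fj User Certificate Authority for DMZ"
+ssh_ca_host_ca_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x Host Certficate Authority for DMZ"
+ssh_ca_user_ca_private_key: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  64343164666336316635323733353839373835316465653038333062386438363131353566626130
+  6531653835313838396638366330386331383533303435300a306333363238633864623864393665
+  31393036346532353134646466666465386633303061346662393430666532366137323866646561
+  3131653064323565370a656361326462336238333464353635303066323565633865663032313661
+  38366238613361626161633862353938326365306634303166346461366531663063343264353533
+  61656630633734643639333738616566326531653264306134363837616365643039626262613433
+  61656361326234313130386533363761366665383064643735316133313133643865616536306466
+  33303733663834646435303935633436383632306330616264343263303861313635383866636163
+  39653064373966643437636530326235653131616366396563386139333837616535616135323337
+  66626161336539356637373138613464376133373234353863383330313362623236633462386234
+  31386635613936306262346264343732623761303331623831353061343035626361623639326530
+  62643139663733666662623039396461623334666565663439613430353364626162653731303535
+  32396638393534363533303039343938346339656266303766613931316337333635373664643461
+  37303332386233663937636631373935613231356262346530323337393733373764613864616563
+  66383137393738316638393530616234653264613363383663366261303433636236326632323734
+  35616133386438613636663631653139386466303534636263393633633663303664326137373139
+  35626336653966396335623330663161333432306538316664376231616161353235353032633438
+  62363663613135616462323363333863376532623764663066616431636632653938666263383731
+  65666564656130383262373964386631643332323066386635643032663833306565643164376239
+  32383732393236336235363936303063663963343061306161643331623330326139663836323561
+  31353532313639613563393938643333326462653833623531613935363265333534663762333831
+  36376264636432656537313834373036623339306430333837323836303134323062306265356430
+  39663238363338666362663364643063613337646237356431383237616465643634313166643435
+  32623864313537336634373631396465643362333237646462336362656430653036656263613162
+  64306662313934643661333462306336333561626335303866306131326538653264343465633139
+  3466663135663239616135353764373532323935613233316132
+ssh_ca_host_ca_private_key: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  34613835376232653534353636303364613437666563653530363564346164656136643732626234
+  6430316165623933666461646639303435386433333335660a393538303835616366333066353665
+  64663236353233383236656365356264653963366464303433313133386430646230363634353465
+  6365313836666534330a633832303963616162623631663732623236383665383333323032383364
+  36313663366461643733373836326335386562663362326438353033376431356537326133646338
+  31623064303662616464343639346663323437333038346664393166333930336539373031313161
+  39343365373238383661343234666430336131323666313032333666306333366566336361383536
+  64626261363138323766306239303133376632386235666633363461303135613865343161356266
+  33333634613761616336653162396662633131333336613264663764333761633032313436376534
+  65376631383239666235313939363265643364376638623630373839303236633635356431356263
+  66366535656335326335616666316534366232353262336164663562613439623135303262356130
+  36316134366366623331393230396132366535356435613563663937376639653339343761306431
+  33353331306334336133316234326133663939636430376139376231383966346363303362386265
+  32356166363231613962383434333536356138623039663561313137653037663231666666646230
+  66323932333031626637616434383737623634353933613861326666313737636133333438656634
+  31363461373639366464343836333031313632346465346535303139623038633330356334633866
+  61303765353439303966623030303966656465353538323932343536393764616566386261306466
+  36343237393333376366303933373139353161376262333739353138666162663339393136303634
+  39383433323563666661313631613761343532373736386537626433323631323465623736653165
+  35356163356361346438366430636563656531363164306534353865393039643136366634323638
+  62656261396635353332376661353661353931663932386465643238343031376235363239303832
+  63393437613362623963306364356363396134623739656265326433356134303835356266326465
+  64623631353163653438376534316162666330663963363064326161656335383639356164393237
+  39346231666362313632363737623139373632376461373362656563616566633265653438393361
+  39393734393061653639313365633931373963666635316138663538356265386562373837393530
+  6537646639613534666533626339356335396634613765616664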
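Review bot: The user CA public key appears twice, as `user_ca` (the value the backup role writes to `/etc/ssh/user_ca_key.pub`) and again as `ssh_ca_user_ca_public_key`, so the two copies will silently diverge on the next rotation; define it once, e.g. `user_ca: "{{ ssh_ca_user_ca_public_key }}"`. Both the user and host SSH CA private keys are vaulted here as host vars for atlas, and `ssh_ca_dir: /root/ssh_ca` suggests the ssh-ca role places them on that host — presumably the same machine the `user_ca` trust anchor is meant for — so a compromise of atlas yields the ability to mint certificates for any principal. Keeping the CA private keys on the control node and signing from there, or a comment above these vars explaining why on-host signing is required, would make that trade-off explicit. Minor: the host CA key comment reads `Host Certficate Authority`; harmless to sshd, but worth fixing before the string is copied elsewhere.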
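--- a/ansible/requirements.yml
+++ b/ansible/requirements.yml
@@ -0,0 +1,6 @@
+- name: setup-apt
+  src: https://github.com/sunscrapers/ansible-role-apt.git
+  scm: git
+- name: ssh-ca
+  src: https://git.pim.kunis.nl/pim/ansible-role-ssh-ca
+  scm: git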
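Review bot: Both roles are fetched from git with no `version:`, so `ansible-galaxy install` tracks each repository's default branch and a push to either upstream — the third-party `sunscrapers/ansible-role-apt` in particular, which ends up running apt as root on the hypervisor — changes what this playbook executes; pin each entry to a tag or commit with a `version:` line under each `src:`. The playbook also uses `githubixx.ansible_role_wireguard`, which is not listed here, so a fresh checkout cannot install its dependencies from this file alone unless that role is obtained out of band.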
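--- a/ansible/roles/backup/handlers/main.yml
+++ b/ansible/roles/backup/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart sshd
+  systemd:
+    name: sshd
+    state: restarted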
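--- a/ansible/roles/backup/tasks/main.yml
+++ b/ansible/roles/backup/tasks/main.yml
@@ -0,0 +1,34 @@
+- name: Add backup share user
+  user:
+    name: "{{ backup_share_user }}"
+    create_home: false
+    password: '!'
+    shell: /sbin/nologin
+    system: true
+- name: Add backup control user
+  user:
+    name: "{{ backup_control_user }}"
+    password: '!'
+    shell: /usr/bin/sh
+    system: true
+    groups: "libvirt"
+- name: Copy control script
+  copy:
+    src: "backup_control.sh"
+    dest: "/home/{{ backup_control_user }}/control.sh"
+    owner: "{{ backup_control_user }}"
+    group: "{{ backup_control_user }}"
+    mode: u=rx,g=rx,o=rx
+- name: Add backup user principals file
+  copy:
+    dest: "/etc/ssh/backup_principals"
+    content: "backup"
+- name: Install user CA
+  copy:
+    dest: "/etc/ssh/user_ca_key.pub"
+    content: "{{ user_ca }}"
+- name: Copy ssh config for backup user
+  template:
+    src: "sshd.conf.j2"
+    dest: "/etc/ssh/sshd_config.d/custom.conf"
+  notify: restart sshd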
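Review bot: `Copy ssh config for backup user` writes `/etc/ssh/sshd_config.d/custom.conf` and the handler then restarts sshd with no validation, so a template error locks root out of the host; add `validate: "/usr/sbin/sshd -t -f %s"` to that task. `Copy control script` installs `control.sh` owned by `{{ backup_control_user }}` inside that account's own home, so the account (which has a real shell, `/usr/bin/sh`) can chmod, edit or replace the file despite the read-only mode; if the script is meant to be the only thing this account may run — presumably a ForceCommand in `sshd.conf.j2` — it should be root-owned (`owner: root`, `group: root`, `mode: "0755"`) and live outside the home directory, e.g. under `/usr/local/bin`. The trust-critical `/etc/ssh/user_ca_key.pub` and `/etc/ssh/backup_principals` are copied without explicit `owner`/`group`/`mode`; set them to root-owned `0644` so the permissions are stated rather than inherited from the umask.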
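--- a/ansible/roles/postgresql/handlers/main.yml
+++ b/ansible/roles/postgresql/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart postgres
+  systemd:
+    name: postgresql
+    state: restarted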
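--- a/ansible/roles/postgresql/tasks/main.yml
+++ b/ansible/roles/postgresql/tasks/main.yml
@@ -0,0 +1,44 @@
+- name: Create terraform database
+  postgresql_db:
+    name: terraform_state
+    owner: terraform
+  become: true
+  become_user: postgres
+
+- name: Create database user
+  postgresql_user:
+    name: terraform
+  become: true
+  become_user: postgres
+
+- name: Grant database user access to database
+  postgresql_privs:
+    type: database
+    database: terraform_state
+    roles: terraform
+    grant_option: no
+    privs: all
+  become: true
+  become_user: postgres
+  notify: restart postgres
+
+- name: Allow remote access to database for user
+  postgresql_pg_hba:
+    dest: /etc/postgresql/15/main/pg_hba.conf
+    contype: host
+    databases: all
+    method: trust
+    users: terraform
+    address: "10.42.0.0/24"
+    create: true
+  become: true
+  become_user: postgres
+  notify: restart postgres
+
+- name: Open postgres port
+  ini_file:
+    path: /etc/postgresql/15/main/postgresql.conf
+    section: null
+    option: listen_addresses
+    value: "'*'"
+  notify: restart postgres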
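Review bot: The pg_hba rule grants `method: trust` to `terraform` from the whole `10.42.0.0/24` on `databases: all`, so any peer on the WireGuard network can connect as that role with no credential at all, and that role owns `terraform_state`, which typically holds provider credentials and other secrets; the role should get a vaulted password and the rule should require it, narrowed to `databases: terraform_state`. `listen_addresses = '*'` additionally binds on every interface including the LAN side, where the host's WireGuard address from host_vars (`10.42.0.1`) would suffice. Task order is also a first-run problem: `Create terraform database` sets `owner: terraform` before `Create database user` has created that role, so on a fresh host the first task fails. The `notify: restart postgres` on the privilege grant is unnecessary, since grants take effect immediately.
```yaml
- name: Create database user
  postgresql_user:
    name: terraform
    password: "{{ terraform_db_password }}"
  become: true
  become_user: postgres

- name: Create terraform database
  postgresql_db:
    name: terraform_state
    owner: terraform
  become: true
  become_user: postgres

# … unchanged: Grant database user access to database …

- name: Allow remote access to database for user
  postgresql_pg_hba:
    dest: /etc/postgresql/15/main/pg_hba.conf
    contype: host
    databases: terraform_state
    method: scram-sha-256
    users: terraform
    address: "10.42.0.0/24"
    create: true
  become: true
  become_user: postgres
  notify: restart postgres

- name: Open postgres port
  ini_file:
    path: /etc/postgresql/15/main/postgresql.conf
    section: null
    option: listen_addresses
    value: "'10.42.0.1'"
  notify: restart postgres
```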
@ -1,6 +1,6 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
pass=`secret-tool lookup ansible_vault atlas`
|
pass=`secret-tool lookup ansible_vault hermes`
|
||||||
retval=$?
|
retval=$?
|
||||||
|
|
||||||
if [ $retval -ne 0 ]; then
|
if [ $retval -ne 0 ]; then
|
|
@ -1,130 +0,0 @@
|
||||||
---
|
|
||||||
- name: Setup Atlas
|
|
||||||
hosts: atlas
|
|
||||||
|
|
||||||
handlers:
|
|
||||||
- name: restart postgres
|
|
||||||
systemd:
|
|
||||||
name: postgresql
|
|
||||||
state: restarted
|
|
||||||
- name: enable interfaces
|
|
||||||
command:
|
|
||||||
cmd: ifup -a
|
|
||||||
- name: restart sshd
|
|
||||||
systemd:
|
|
||||||
name: sshd
|
|
||||||
state: restarted
|
|
||||||
|
|
||||||
tasks:
|
|
||||||
- name: Update
|
|
||||||
apt:
|
|
||||||
autoremove: true
|
|
||||||
upgrade: yes
|
|
||||||
state: latest
|
|
||||||
update_cache: yes
|
|
||||||
cache_valid_time: 86400
|
|
||||||
- name: Install packages
|
|
||||||
apt:
|
|
||||||
pkg:
|
|
||||||
- qemu-kvm
|
|
||||||
- libvirt-daemon-system
|
|
||||||
- postgresql
|
|
||||||
- python3-psycopg2
|
|
||||||
- sudo
|
|
||||||
- bridge-utils
|
|
||||||
- name: Start libvirtd
|
|
||||||
systemd:
|
|
||||||
name: libvirtd
|
|
||||||
enabled: true
|
|
||||||
state: started
|
|
||||||
- name: Add root to libvirt group
|
|
||||||
user:
|
|
||||||
name: root
|
|
||||||
groups: libvirt
|
|
||||||
append: yes
|
|
||||||
- name: Disable apparmor
|
|
||||||
systemd:
|
|
||||||
name: apparmor
|
|
||||||
enabled: false
|
|
||||||
state: stopped
|
|
||||||
- name: Create terraform database
|
|
||||||
postgresql_db:
|
|
||||||
name: terraform_state
|
|
||||||
owner: terraform
|
|
||||||
become: true
|
|
||||||
become_user: postgres
|
|
||||||
- name: Create database user
|
|
||||||
postgresql_user:
|
|
||||||
name: terraform
|
|
||||||
become: true
|
|
||||||
become_user: postgres
|
|
||||||
- name: Grant database user access to database
|
|
||||||
postgresql_privs:
|
|
||||||
type: database
|
|
||||||
database: terraform_state
|
|
||||||
roles: terraform
|
|
||||||
grant_option: no
|
|
||||||
privs: all
|
|
||||||
become: true
|
|
||||||
become_user: postgres
|
|
||||||
notify: restart postgres
|
|
||||||
- name: Allow remote access to database for user
|
|
||||||
postgresql_pg_hba:
|
|
||||||
dest: /etc/postgresql/15/main/pg_hba.conf
|
|
||||||
contype: host
|
|
||||||
databases: all
|
|
||||||
method: trust
|
|
||||||
users: terraform
|
|
||||||
address: "10.42.0.0/24"
|
|
||||||
create: true
|
|
||||||
become: true
|
|
||||||
become_user: postgres
|
|
||||||
notify: restart postgres
|
|
||||||
- name: Open postgres port
|
|
||||||
ini_file:
|
|
||||||
path: /etc/postgresql/15/main/postgresql.conf
|
|
||||||
section: null
|
|
||||||
option: listen_addresses
|
|
||||||
value: "'*'"
|
|
||||||
notify: restart postgres
|
|
||||||
- name: Copy interfaces configuration
|
|
||||||
copy:
|
|
||||||
src: dmz.conf
|
|
||||||
dest: /etc/network/interfaces.d/dmz.conf
|
|
||||||
notify: enable interfaces
|
|
||||||
- name: Add backup share user
|
|
||||||
user:
|
|
||||||
name: "{{ backup_share_user }}"
|
|
||||||
create_home: false
|
|
||||||
password: '!'
|
|
||||||
shell: /sbin/nologin
|
|
||||||
system: true
|
|
||||||
- name: Add backup control user
|
|
||||||
user:
|
|
||||||
name: "{{ backup_control_user }}"
|
|
||||||
password: '!'
|
|
||||||
shell: /usr/bin/sh
|
|
||||||
system: true
|
|
||||||
groups: "libvirt"
|
|
||||||
- name: Copy control script
|
|
||||||
copy:
|
|
||||||
src: "backup_control.sh"
|
|
||||||
dest: "/home/{{ backup_control_user }}/control.sh"
|
|
||||||
owner: "{{ backup_control_user }}"
|
|
||||||
group: "{{ backup_control_user }}"
|
|
||||||
mode: u=rx,g=rx,o=rx
|
|
||||||
- name: Add backup user principals file
|
|
||||||
copy:
|
|
||||||
dest: "/etc/ssh/backup_principals"
|
|
||||||
content: "backup"
|
|
||||||
- name: Install user CA
|
|
||||||
copy:
|
|
||||||
dest: "/etc/ssh/user_ca_key.pub"
|
|
||||||
content: "{{ user_ca }}"
|
|
||||||
- name: Copy ssh config for backup user
|
|
||||||
template:
|
|
||||||
src: "sshd.conf.j2"
|
|
||||||
dest: "/etc/ssh/sshd_config.d/custom.conf"
|
|
||||||
notify: restart sshd
|
|
||||||
roles:
|
|
||||||
- githubixx.ansible_role_wireguard
|
|
|
@ -1,22 +0,0 @@
|
||||||
backup_share_user: "backup-share"
|
|
||||||
backup_control_user: "backup-control"
|
|
||||||
user_ca: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKOClnK6/Hj8INjEgULY/lD2FM/nbiJHqaSXtEw4+Fj User Certificate Authority for DMZ"
|
|
||||||
storage_pools: [iso, disk, init]
|
|
||||||
wireguard_addresses:
|
|
||||||
- "10.42.0.1/32"
|
|
||||||
wireguard_endpoint: "atlas.lan"
|
|
||||||
wireguard_private_key: !vault |
|
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
65666463346536363662353234666662376330396365656361636530663032366436653336383134
|
|
||||||
6463636362636530316434626561623866306165313638330a633761626361393963303933313738
|
|
||||||
30336535333761393663396534373363333465306232343238666538383039636138393661373839
|
|
||||||
3935626664326237310a386337306364663463663764376631336431363062656137376635366361
|
|
||||||
35393135626261626565333261316363633838353833666163666132363462636431626234383864
|
|
||||||
3039633631356339663234656233343635653236356235623532
|
|
||||||
wireguard_unmanaged_peers:
|
|
||||||
pim:
|
|
||||||
public_key: "xQ1hkwpIf5x7Wkx1leQHXx3RK8fjGWt2ZmG9XUN3V08="
|
|
||||||
allowed_ips: "10.42.0.2/32"
|
|
||||||
niels:
|
|
||||||
public_key: "WJO/DQUJyDp4rFW291F2Ai51lotU2IC+OATu+5P3Jio="
|
|
||||||
allowed_ips: "10.42.0.3/32"
|
|