
commit bd2aca0200cac847009e7f7850c364db22cf3576
parent 47a0e7763bdbd3274e3676974478fd627eb2f430
Author: Leah Thein <leah@toaster.home.ctu.cx>
Date: Tue, 8 Dec 2020 00:28:05 +0100

arch/common: add role
9 files changed, 198 insertions(+), 0 deletions(-)
A
arch/roles/common/tasks/firewall.yml
|
20
++++++++++++++++++++
A
arch/roles/common/tasks/ip-forwarding.yml
|
38
++++++++++++++++++++++++++++++++++++++
A
arch/roles/common/tasks/main.yml
|
19
+++++++++++++++++++
A
arch/roles/common/tasks/network.yml
|
19
+++++++++++++++++++
A
arch/roles/common/tasks/node-exporter.yml
|
13
+++++++++++++
A
arch/roles/common/tasks/packages.yml
|
34
++++++++++++++++++++++++++++++++++
A
arch/roles/common/tasks/sshd.yml
|
13
+++++++++++++
A
arch/roles/common/tasks/sudo.yml
|
8
++++++++
A
arch/roles/common/tasks/users.yml
|
34
++++++++++++++++++++++++++++++++++
diff --git a/arch/roles/common/tasks/firewall.yml b/arch/roles/common/tasks/firewall.yml
@@ -0,0 +1,19 @@
+---
+
+- name: "Install package: ferm"
+  pacman:
+    name: ferm
+    state: present
+    update_cache: yes
+
+- name: copy ferm config to destination
+  copy:
+    src: "config-files/ferm/ferm-{{ network.hostname }}.conf"
+    dest: /etc/ferm.conf
+    mode: 0644
+
+- name: "Start and enable service: ferm"
+  systemd:
+   name: ferm
+   enabled: yes
+   state: started+
\ No newline at end of file
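Review bot: The ferm ruleset copied to `dest: /etc/ferm.conf` has no `notify`, so on a host where ferm is already running a changed ruleset is written to disk but never loaded; the service task that follows only ensures `state: started`. Add `notify: reload ferm` to the copy task and a handler (in the role's handlers, outside this file) that runs `systemd` with `name: ferm` and `state: reloaded`, so a firewall change takes effect in the same run instead of at the next reboot. Quote the mode as `mode: "0644"` — unquoted `0644` is read as the octal integer 420 by YAML 1.1 loaders and the leading zero is lost on a 1.2 loader, so the string form is the only loader-independent one — and write `enabled: true` rather than `yes`. The three keys under `systemd:` are indented three spaces while every other mapping in the role uses two.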
diff --git a/arch/roles/common/tasks/ip-forwarding.yml b/arch/roles/common/tasks/ip-forwarding.yml
@@ -0,0 +1,37 @@
+---
+
+- name: Enable IPv4 forwarding
+  ansible.posix.sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    sysctl_set: yes
+    state: present
+    reload: yes
+  when: network.ip_forwarding is true
+
+- name: Disable IPv6 forwarding
+  ansible.posix.sysctl:
+    name: net.ipv6.conf.all.forwarding
+    value: '1'
+    sysctl_set: yes
+    state: present
+    reload: yes
+  when: network.ip_forwarding is true
+
+- name: Disable IPv4 forwarding
+  ansible.posix.sysctl:
+    name: net.ipv4.ip_forward
+    value: '0'
+    sysctl_set: yes
+    state: present
+    reload: yes
+  when: network.ip_forwarding is false
+
+- name: Disable IPv6 forwarding
+  ansible.posix.sysctl:
+    name: net.ipv6.conf.all.forwarding
+    value: '0'
+    sysctl_set: yes
+    state: present
+    reload: yes
+  when: network.ip_forwarding is false+
\ No newline at end of file
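Review bot: The second task, named `Disable IPv6 forwarding` but writing `value: '1'` under `when: network.ip_forwarding is true`, is mislabelled — it enables forwarding — and its name duplicates the real disable task further down, so play output and `--start-at-task` can no longer tell them apart. Rather than renaming it, the four tasks collapse into two with the value derived from the flag; the `when` guards are then redundant because main.yml in this same commit only includes this file when `network.ip_forwarding is defined`. A `| bool` in the expression keeps a string value such as `"false"` from being treated as truthy, which the original `is true` test also guarded against. `sysctl_set: yes` and `reload: yes` should be `true`.
```yaml
- name: Set IPv4 forwarding according to network.ip_forwarding
  ansible.posix.sysctl:
    name: net.ipv4.ip_forward
    value: "{{ '1' if network.ip_forwarding | bool else '0' }}"
    sysctl_set: true
    state: present
    reload: true

- name: Set IPv6 forwarding according to network.ip_forwarding
  ansible.posix.sysctl:
    name: net.ipv6.conf.all.forwarding
    value: "{{ '1' if network.ip_forwarding | bool else '0' }}"
    sysctl_set: true
    state: present
    reload: true
```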
diff --git a/arch/roles/common/tasks/main.yml b/arch/roles/common/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+
+- include: packages.yml
+
+- include: sudo.yml
+
+- include: sshd.yml
+
+- include: users.yml
+
+- include: network.yml
+
+- include: ip-forwarding.yml
+  when: network.ip_forwarding is defined 
+
+- include: firewall.yml
+  when: network.useFerm is defined
+
+- include: node-exporter.yml
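Review bot: `when: network.useFerm is defined` gates the firewall on whether the variable exists rather than on its value, so a host that sets `useFerm: false` to opt out still gets ferm installed and started, while a host that simply omits the key gets no firewall at all even though sshd and node-exporter are brought up unconditionally above it. A value test is what the name implies: `when: network.useFerm | default(false) | bool`. The bare `include` has been deprecated since Ansible 2.4 in favour of `import_tasks` (static) or `include_tasks` (dynamic); with `import_tasks` the `when` is attached to every task of the included file, which appears to be what this file relies on. The `ip-forwarding.yml` line carries trailing whitespace, and `ip_forwarding` next to `useFerm` mixes snake and camel case in the same variable namespace.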
diff --git a/arch/roles/common/tasks/network.yml b/arch/roles/common/tasks/network.yml
@@ -0,0 +1,19 @@
+---
+
+- name: "create file: /etc/hostname"
+  copy:
+    content: "{{network.hostname}}"
+    dest: /etc/hostname
+  register: hostname
+
+- name: Change hostname of running system
+  hostname:
+    name: "{{network.hostname}}"
+    use: systemd
+  when: hostname.changed
+
+- name: "Start and enable service: systemd-networkd"
+  systemd:
+    name: systemd-networkd
+    state: started
+    enabled: yes
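Review bot: `register: hostname` stores the copy result under the same name as the `hostname` module invoked in the next task; it works because module names and variables are separate namespaces, but a distinct name such as `register: hostname_file` avoids the confusion when reading or grepping. The value written to `/etc/hostname` has no trailing newline (`content: "{{network.hostname}}"`); line-oriented readers cope, but `content: "{{ network.hostname }}\n"` is the conventional form and also adds the spaces inside the braces that the rest of the role (`loop: "{{ users }}"`) uses. `enabled: yes` should be `enabled: true`.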
diff --git a/arch/roles/common/tasks/node-exporter.yml b/arch/roles/common/tasks/node-exporter.yml
@@ -0,0 +1,13 @@
+---
+
+- name: "Install package: prometheus-node-exporter"
+  pacman:
+    name: prometheus-node-exporter
+    state: present
+    update_cache: yes
+
+- name: "Start and enable service: prometheus-node-exporter"
+  systemd:
+    name: prometheus-node-exporter
+    state: started
+    enabled: yes
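Review bot: The exporter is started and enabled with the package's default arguments, so its metrics endpoint listens on all interfaces, and nothing in this role restricts who can reach it; the firewall is only included when `network.useFerm` is set, so a host without it exposes node-level details (kernel version, mounts, process and socket counts) to anyone who can reach the port. Either make the ferm rule for the exporter part of this role or bind it to the monitoring network with `--web.listen-address` (the Arch package reads extra flags from a file under `/etc/conf.d/`, if I recall correctly — confirm against the installed unit). `enabled: yes` should be `enabled: true`.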
diff --git a/arch/roles/common/tasks/packages.yml b/arch/roles/common/tasks/packages.yml
@@ -0,0 +1,33 @@
+---
+
+- name: "Install package: patch"
+  pacman:
+    name: patch
+    update_cache: yes
+
+- name: "Patch file: /etc/pacman.conf (add isas aur-repo)"
+  ansible.posix.patch:
+    src: config-files/common/pacman.conf.patch
+    dest: /etc/pacman.conf
+
+- name: Upgrade system
+  pacman:
+    update_cache: yes
+    upgrade: yes
+
+- name: Install common packages
+  pacman:
+    name:
+      - nano
+      - micro
+      - sudo
+      - htop
+      - tar
+      - unzip
+      - curl 
+      - wget
+      - tmux
+      - git
+      - jq
+      - restic
+    update_cache: yes+
\ No newline at end of file
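Review bot: The patch applied to `/etc/pacman.conf` adds a third-party repository according to the task name, but the patch content is outside this commit, so whether the new stanza carries a `SigLevel` that requires signatures cannot be checked here, and no task imports or locally signs that repository's key; if the stanza relies on `SigLevel = Optional` or `Never`, packages from it are installed without verification. The key import (`pacman-key --recv-keys` / `--lsign-key`, or a `copy` of the key file followed by `pacman-key --add`) belongs in a task ahead of the patch. `upgrade: yes` runs a full system upgrade on every play, so the role's outcome depends on mirror state at run time; a separate, explicitly invoked upgrade play keeps the common role reproducible. `- curl ` carries trailing whitespace, and the `patch` install lacks the `state: present` the other install tasks give.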
diff --git a/arch/roles/common/tasks/sshd.yml b/arch/roles/common/tasks/sshd.yml
@@ -0,0 +1,13 @@
+---
+
+- name: "Install package: openssh"
+  pacman:
+    name: openssh
+    state: present
+    update_cache: yes
+
+- name: "Start and enable service: sshd"
+  systemd:
+    name: sshd
+    state: started
+    enabled: yes
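Review bot: sshd is started with the distribution's stock `sshd_config`, under which password authentication stays enabled, and users.yml in this same commit assigns every user a password, so the accounts it creates become reachable by password over SSH as soon as this task runs. Since an `authorized_keys` file is deployed for every user anyway, set `PasswordAuthentication no` and `PermitRootLogin no` between the install and the service task and restart on change; the `notify` needs a matching `restart sshd` handler outside this file. `enabled: yes` should be `enabled: true`.
```yaml
- name: "Harden sshd: keys only"
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?{{ item.key }}\s'
    line: "{{ item.key }} {{ item.value }}"
  loop:
    - { key: PasswordAuthentication, value: "no" }
    - { key: PermitRootLogin, value: "no" }
  notify: restart sshd
```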
diff --git a/arch/roles/common/tasks/sudo.yml b/arch/roles/common/tasks/sudo.yml
@@ -0,0 +1,7 @@
+---
+
+- name: "Install/Upgrade package: sudo "
+  pacman:
+    name: sudo
+    state: present
+    update_cache: yes+
\ No newline at end of file
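Review bot: `sudo` is already in the common package list in packages.yml (`- sudo`), which main.yml runs before this file, so this task is redundant and one of the two should go. If this file stays, the task name `"Install/Upgrade package: sudo "` has a trailing space inside the quotes, and the file installs sudo without managing `/etc/sudoers` or a `sudoers.d` drop-in, so which of the groups assigned in users.yml actually get sudo is left to the distribution default. `update_cache: yes` should be `update_cache: true`.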
diff --git a/arch/roles/common/tasks/users.yml b/arch/roles/common/tasks/users.yml
@@ -0,0 +1,34 @@
+---
+
+- name: "Add groups" 
+  group:
+    name: "{{item.name}}"
+    state: present
+  loop: "{{ users }}"
+
+- name: "Add users" 
+  user:
+    append: yes
+    name: "{{item.name}}"
+    group: "{{item.name}}"
+    groups: "{{item.groups}}"
+    password: "{{item.password}}"
+  loop: "{{ users }}"
+
+- name: "Create ~/.ssh directory for users"
+  file:
+    state: directory
+    dest: "/home/{{item.name}}/.ssh/"
+    mode: 0755
+    owner: "{{item.name}}"
+    group: "{{item.name}}"
+  loop: "{{ users }}"
+
+- name: "Place ssh-key for users"
+  copy:
+    content: "{{item.sshKey}}"
+    dest: "/home/{{item.name}}/.ssh/authorized_keys"
+    mode: 0644    
+    owner: "{{item.name}}"
+    group: "{{item.name}}"
+  loop: "{{ users }}"
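Review bot: `password: "{{item.password}}"` is handed straight to the `user` module, which expects an already-hashed crypt value; a plaintext value is written literally into the shadow entry and does not work as a login password, so either the inventory holds hashes (then confirm they are Vault-encrypted, since they are secrets) or the task should hash at run time with `password: "{{ item.password | password_hash('sha512') }}"`. The `~/.ssh` directory and `authorized_keys` are created with `mode: 0755` and `mode: 0644`; sshd's StrictModes accepts that, but `"0700"` and `"0600"` are the least-privilege values, and both should be quoted so the leading zero does not depend on the YAML loader's octal handling. Every `loop: "{{ users }}"` fails with an undefined-variable error on a host that defines no users — main.yml includes this file unconditionally — so `loop: "{{ users | default([]) }}"` keeps the role usable there. `append: yes` should be `append: true`, and the assumed home path `/home/{{item.name}}` could come from the `user` task's registered result instead.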