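---
# Play 1: unlock LUKS-encrypted root filesystems that are still waiting at the
# initramfs (dropbear) prompt. Facts are not gathered because a locked host
# cannot answer a normal SSH session yet.
- hosts: encrypted_machines
  gather_facts: false
  vars:
    # Per-host passphrase read on the controller from
    # secrets/luks_keys/<inventory_hostname>_luks.key. Every task that
    # handles this value must set no_log so it never reaches the log.
    luks_password: "{{ lookup('file', 'secrets/luks_keys/' + inventory_hostname + '_luks.key') }}"
  tasks:
    - name: Unlock encrypted root drive
      block:
        # A host that has already booted answers quickly; the short timeout
        # keeps a locked host from stalling the play before the rescue runs.
        - name: check if the server is already unlocked
          wait_for_connection:
            connect_timeout: 5
            timeout: 5
      rescue:
        - name: Unlock the root filesystem with the assigned passphrase
          block:
            # The passphrase is written to the SSH session's stdin instead of
            # being spliced into a bash/printf command line: it no longer
            # shows up in the controller's process list, and characters such
            # as '%', '\' and '"' are sent verbatim rather than being
            # reinterpreted by printf and the shell. stdin_add_newline is
            # disabled so exactly the file contents are sent, as the earlier
            # printf form did.
            - name: send the unlock string
              command:
                cmd: "ssh -p 23 root@{{ inventory_hostname }}"
                stdin: "{{ luks_password }}"
                stdin_add_newline: false
              delegate_to: localhost
              no_log: true
            - name: wait for the server to come up to confirm that it successfully unlocked
              wait_for_connection:
                connect_timeout: 1
                timeout: 60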
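# Play 2: baseline applied to every host — key-only admin accounts, unattended
# upgrades on Debian-family hosts, the dropbear-initramfs remote-unlock key and
# static networking for enp0s25.
- hosts: all
  become: true
  vars:
    # One '<user>admin' account is created per entry; its public keys are read
    # from keys/<user>.keys on the controller. The same list also decides whose
    # keys may reach the initramfs dropbear.
    admin_users:
      - kms15
      - eric
      - ace
  tasks:
    - name: Create an admin group
      group:
        name: admin
        state: present
    # password '*' locks the password field, so these accounts can only be
    # entered with the SSH keys installed below.
    # NOTE(review): 'groups' without 'append: true' also drops the account from
    # any other supplementary group; fine as long as these accounts are fully
    # managed here — confirm.
    - name: Add admin accounts as a member of the 'admin' group
      user:
        name: "{{ item }}admin"
        comment: "{{ item }} admin account"
        groups: admin
        shell: /bin/bash
        password: "*"
      loop: "{{ admin_users }}"
    # exclusive: true makes keys/<user>.keys the complete authorized key set for
    # the account, so removed keys are revoked on the next run. Each iteration
    # targets a different user, which is why exclusive is safe inside a loop.
    # The file name is built with string concatenation rather than a nested
    # '{{ }}', matching the servers play below.
    - name: set up authorized admin keys
      authorized_key:
        user: "{{ item }}admin"
        state: present
        exclusive: true
        key: "{{ lookup('file', 'keys/' + item + '.keys') }}"
      loop: "{{ admin_users }}"
    # Both packages go into a single apt transaction.
    - name: Enable unattended upgrades
      apt:
        name:
          - unattended-upgrades
          - apt-listchanges
        state: present
      when: ansible_facts['os_family'] == 'Debian'
    # Explicit mode: apt configuration must be world-readable but only
    # root-writable; without it an existing file keeps whatever mode it has.
    - name: Apply settings for unattended upgrades
      copy:
        src: files/etc_apt_apt.conf.d_02periodic
        dest: /etc/apt/apt.conf.d/02periodic
        owner: root
        group: root
        mode: "0644"
      when: ansible_facts['os_family'] == 'Debian'
    # Keys accepted by the initramfs dropbear are pinned to the
    # cryptroot-unlock command and cannot forward ports, agents or X11, so a
    # leaked admin key can at most type a passphrase at the unlock prompt.
    - name: Set the dropbear authorized keys
      authorized_key:
        user: root
        state: present
        path: /etc/dropbear-initramfs/authorized_keys
        key_options: 'no-port-forwarding,no-agent-forwarding,no-x11-forwarding,command="/bin/cryptroot-unlock"'
        key: "{{ lookup('file', 'keys/' + item + '.keys') }}"
      loop: "{{ admin_users }}"
      notify:
        - update initramfs
    # ip, gateway and netmask are not defined in this playbook; presumably they
    # come from inventory host vars — verify before running against a new host.
    - name: Set up a static IP for the dropbear client
      lineinfile:
        path: /etc/dropbear-initramfs/config
        regexp: "^IP="
        line: "IP={{ ip }}::{{ gateway }}:{{ netmask }}:{{ inventory_hostname }}"
      notify:
        - update initramfs
    # lineinfile appends the line when the regexp does not match, so a fresh
    # /etc/network/interfaces still ends up with an enp0s25 stanza.
    - name: Set enp0s25 to use a static ip
      lineinfile:
        path: /etc/network/interfaces
        regexp: "^iface enp0s25"
        line: "iface enp0s25 inet static"
    - name: Set the static ip address for enp0s25
      interfaces_file:
        iface: enp0s25
        option: address
        value: "{{ ip }}"
    - name: Set the netmask for enp0s25
      interfaces_file:
        iface: enp0s25
        option: netmask
        value: "{{ netmask }}"
    - name: Set the gateway for enp0s25
      interfaces_file:
        iface: enp0s25
        option: gateway
        value: "{{ gateway }}"
    - name: Activate enp0s25 on startup
      lineinfile:
        path: /etc/network/interfaces
        regexp: "^(auto|allow-hotplug) enp0s25"
        line: "auto enp0s25"
    # The resolver can be overridden per host or group with dns_server; the
    # previous hard-coded 8.8.8.8 remains the default.
    - name: Set DNS server
      lineinfile:
        path: /etc/resolv.conf
        regexp: "^nameserver "
        line: "nameserver {{ dns_server | default('8.8.8.8') }}"
  handlers:
    # Rebuilds the initramfs so dropbear picks up the new authorized_keys and
    # IP= configuration.
    - name: update initramfs
      command: update-initramfs -u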
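# openelectronicslab.org specific details
# Play 3: backup and VM-host setup for the 'servers' group.
- hosts: servers
  become: true
  vars:
    # Accounts that may push backups; each gets the keys in keys/<user>.keys.
    # Kept in one place so the user and authorized_key tasks cannot drift.
    openelectronicslab_users:
      - openelectronicslab_backup
      - ace
      - eric
      - kms15
  tasks:
    - name: Create an openelectronicslab_admin group
      group:
        name: openelectronicslab_admin
        state: present
    # password '*' locks the password field: SSH-key login only.
    # NOTE(review): 'groups' without 'append: true' also removes these users
    # from any other supplementary group — confirm that is intended.
    - name: Add backup machine users
      user:
        name: "{{ item }}"
        shell: /bin/bash
        groups: openelectronicslab_admin
        password: "*"
      loop: "{{ openelectronicslab_users }}"
    # Not exclusive: keys already present on the account are left in place.
    - name: set up authorized admin keys
      authorized_key:
        user: "{{ item }}"
        state: present
        key: "{{ lookup('file', 'keys/' + item + '.keys') }}"
      loop: "{{ openelectronicslab_users }}"
    # Group-writable for the admin group, traversal only for others, so backup
    # contents are not world-listable.
    - name: Create the openelectronicslab_backups directory
      file:
        path: /mnt/storage/openelectronicslab_backups
        state: directory
        mode: "u=rwx,g=rwx,o=x"
        owner: root
        group: openelectronicslab_admin
    - name: Add rsync for the openelectronicslab backup
      apt:
        name: rsync
        state: present
    - name: Add qemu for running gitlab.openelectronicslab.org
      apt:
        name: qemu-system-x86
        state: present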
# kendrickshaw.org specific things
# Play 4: backup landing directory and borg on the single host magellan.
- hosts: magellan.kendrickshaw.org
  become: true
  tasks:
    # Owned by root, group-writable for 'admin', traversal-only for others;
    # 'admin' is the group created by the all-hosts play.
    - name: Create the backups directory
      file:
        state: directory
        path: /mnt/storage/backups
        owner: root
        group: admin
        mode: 'u=rwx,g=rwx,o=x'
    - name: Add borgbackup
      apt:
        state: present
        name: borgbackup