A collection of Ansible roles and playbooks I have found useful.
Roles are tested on Debian Jessie.
The python package is required on the remote host.
- Antti Jaakkola (Annttu)
- Joonas Järveläinen (jonttu)
- Veli-Matti Leppänen (velzi)
Combined with the ferm_service module, ferm provides an easy-to-use firewall.
Variables: currently none.
This module opens ports in the ferm firewall. It is useful when a service needs open ports.
Add to the role's meta/main.yml:

```yaml
dependencies:
  - { role: ferm_service, name: someservice, chain: input, saddr: "source-ip-here", dport: someport, proto: tcp }
```
name | description | example |
---|---|---|
name | Name for the service | someservice |
interface | Interface for incoming traffic | eth0 |
daddr | Destination address | 10.0.0.1 |
saddr | Source address | 10.0.0.0/24 |
dport | Destination port | 5555 |
sport | Source port | 5555 |
proto | Protocol: tcp, udp or icmp | tcp |
chain | Firewall chain: input, output, forward, input6, output6 or forward6 | input |
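As an added illustration (not code from this repository), the following Python renders one ferm ACCEPT rule from the parameters in the table above. It rejects chain and protocol values outside the documented set, and a saddr/daddr whose IP version does not match the chain (an IPv4 network in an input6 chain would otherwise silently produce a rule that never matches). The exact ferm syntax the role's template emits is an assumption.

```python
import ipaddress

# Chains from the ferm_service table; the "6" suffix selects ferm's ip6 domain.
# The ferm line format below is an assumption, not the role's own template.
CHAINS = {"input": ("ip", "INPUT"), "output": ("ip", "OUTPUT"),
          "forward": ("ip", "FORWARD"), "input6": ("ip6", "INPUT"),
          "output6": ("ip6", "OUTPUT"), "forward6": ("ip6", "FORWARD")}
PROTOS = {"tcp", "udp", "icmp"}


def ferm_rule(params):
    """Render a single ferm ACCEPT rule from ferm_service dependency parameters."""
    chain = params.get("chain", "input")
    if chain not in CHAINS:
        raise ValueError(f"unknown chain {chain!r}")
    domain, ferm_chain = CHAINS[chain]
    proto = params.get("proto", "tcp")
    if proto not in PROTOS:
        raise ValueError(f"unknown proto {proto!r}")
    parts = [f"domain {domain}", "table filter", f"chain {ferm_chain}",
             f"proto {proto}"]
    if "interface" in params:
        parts.append(f"interface {params['interface']}")
    # Addresses must parse and must belong to the chain's address family.
    want = 4 if domain == "ip" else 6
    for key in ("saddr", "daddr"):
        if key in params:
            net = ipaddress.ip_network(params[key], strict=False)
            if net.version != want:
                raise ValueError(f"{key} {params[key]} is IPv{net.version} "
                                 f"but chain {chain} is IPv{want}")
            parts.append(f"{key} {net}")
    for key in ("sport", "dport"):
        if key in params:
            port = int(params[key])
            if not 1 <= port <= 65535:
                raise ValueError(f"bad {key} {port}")
            parts.append(f"{key} {port}")
    return " ".join(parts) + " ACCEPT;"
```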
Set up a libvirt virtual machine to run getty on the virtual serial console ttyS0.
Set up PAM authentication against LDAP, and configure nscd and nslcd to use LDAP.
name | description | example |
---|---|---|
ca_crt | Local path to the CA file | /etc/ca.crt |
ldap_ca | Remote path to the CA file | /etc/ldap/ca.crt (default) |
ldap_server | LDAP server URI(s) | ldaps://ldap.example.com |
ldap_base | LDAP base DN | dc=example,dc=com |
login_groups | List of groups allowed to log in | sysadmin |
Install and set up fail2ban.
Currently only the ssh service is supported.
Example config:

```yaml
fail2ban:
  ignored_hosts:
    - 127.0.0.0/8
    - x.y.z.i/24
  bantime: 3600
  maxretry: 10
  destemail: root@localhost
  banaction: iptables-multiport
  services:
    - ssh:
        port: ssh
        logpath: /var/log/auth.log
        filter: sshd
```
Install and configure the nagios-nrpe service. Plugin configuration is quite dynamic and is driven by host_vars or group_vars.

name | type | description | example | required |
---|---|---|---|---|
server_port | int | Port the NRPE server listens on | 5666 (default) | no |
user_groups | list | Groups the nagios user should belong to | Debian-exim | no |
plugins | list | List of plugin entries | see below | yes |
sudo_plugins | list | List of plugin entries that require sudo | see below | no |

Plugin entry variables:

name | type | description | default | example | required |
---|---|---|---|---|---|
name | string | Name of the plugin, automatically prefixed with "check_" | | disk | yes |
path | string | Partial or full path to the plugin | /usr/lib/nagios/plugins/check_{{ name }} | /usr/lib/nagios/plugins/check_disk or disk | no |
warning | string | Warning limit | | 10% | no |
critical | string | Critical limit | | 20% | no |
args | string | Plugin arguments | | -p /dev/sda1 | no |
```yaml
nagios_nrpe:
  server_port: 5555
  allowed_hosts:
    - 10.0.0.1
  user_groups:
    - Debian-exim
  plugins:
    - name: users
      critical: 30
      warning: 10
    - name: mailq
      args: -M exim
      critical: 100
      warning: 10
  sudo_plugins:
    - name: apt
      args: -u -t 60
```
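To show what the plugin entries above turn into, here is an added Python example (not the role's own template) that renders nrpe.cfg lines from a nagios_nrpe dict, applying the documented defaults for the check_ prefix and the plugin path. The partial-path rule ("disk" resolves to check_disk in the plugin directory), the -w/-c flags for warning/critical and /usr/bin/sudo for sudo_plugins are assumptions about the role.

```python
PLUGIN_DIR = "/usr/lib/nagios/plugins"  # default path prefix from the table above

# Constructed sample: the nagios_nrpe block from the example above, as a dict.
SAMPLE = {
    "server_port": 5555,
    "allowed_hosts": ["10.0.0.1"],
    "plugins": [{"name": "users", "critical": 30, "warning": 10},
                {"name": "mailq", "args": "-M exim", "critical": 100, "warning": 10}],
    "sudo_plugins": [{"name": "apt", "args": "-u -t 60"}],
}


def plugin_path(entry):
    """Resolve 'path': absent -> PLUGIN_DIR/check_<name>; a partial path with no
    '/' (e.g. 'disk') -> PLUGIN_DIR/check_disk (assumed); a full path is kept."""
    path = entry.get("path")
    if path is None:
        return f"{PLUGIN_DIR}/check_{entry['name']}"
    if "/" not in path:
        return f"{PLUGIN_DIR}/check_{path}"
    return path


def nrpe_command(entry, use_sudo=False):
    """One command[...] definition. -w/-c for warning/critical follows the usual
    nagios-plugins convention and is assumed here, not read from the role."""
    if "name" not in entry:
        raise ValueError("plugin entry needs a 'name'")
    cmd = [plugin_path(entry)]
    if "warning" in entry:
        cmd += ["-w", str(entry["warning"])]
    if "critical" in entry:
        cmd += ["-c", str(entry["critical"])]
    if "args" in entry:
        cmd.append(str(entry["args"]))
    if use_sudo:
        cmd.insert(0, "/usr/bin/sudo")  # assumed sudo path
    return f"command[check_{entry['name']}]={' '.join(cmd)}"


def render_nrpe(cfg):
    """nrpe.cfg lines: listen port, allowed hosts, then the plugin commands.
    All arguments are fixed in the file, so nothing is passed in by the caller."""
    lines = [f"server_port={cfg.get('server_port', 5666)}"]
    if cfg.get("allowed_hosts"):
        lines.append("allowed_hosts=" + ",".join(cfg["allowed_hosts"]))
    lines += [nrpe_command(p) for p in cfg.get("plugins", [])]
    lines += [nrpe_command(p, use_sudo=True) for p in cfg.get("sudo_plugins", [])]
    return lines
```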
Install and configure munin-node.
Variables are set in the munin block.

name | type | description | default | example | required |
---|---|---|---|---|---|
master_address | ip-address | Munin master IP address, without netmask | | 10.0.0.2 | yes |

```yaml
munin:
  master_address: 10.0.0.2
```
Install and configure an NTP server for the host.

name | type | description | default | example | required |
---|---|---|---|---|---|
servers | list of servers | List of servers, see server variables | 4 pool.ntp.org servers | | no |
peers | list of peers | List of peers, see server variables | | | no |
restrict | list of restrictions | List of restrictions, see restrict variables | allow local, deny others | | no |

Server variables:

name | type | description | default | example | required |
---|---|---|---|---|---|
address | ip or hostname | Peer or server address | | 10.0.0.1 | yes |
iburst | boolean | Use iburst | false | false | no |
burst | boolean | Use burst | false | false | no |
true | boolean | Force the association to assume truechimer status | false | false | no |
xleave | boolean | Operate in interleaved mode | false | false | no |
key | string | Key string | | | no |
autokey | boolean | Use the autokey option | false | false | no |
minpoll | int | Minimum polling interval, in seconds as a power of two | | 10 | no |
maxpoll | int | Maximum polling interval, in seconds as a power of two | | 20 | no |
mode | string | Pass an option to a reference clock driver | | | no |
noselect | boolean | Only display the peer/server, don't use it | false | false | no |
preempt | boolean | Preempt the server/peer | false | false | no |
ttl | int | TTL used in broadcast and anycast mode | | | no |
version | string | Specify the allowed version | | | no |

More information: man 5 ntp.conf.
Restrict variables:

name | type | description | default | example | required |
---|---|---|---|---|---|
address | ip or hostname | Client IP or hostname | | 10.0.0.1 | yes |
mask | hostmask | Optional hostmask if the address is a network | | 255.255.255.0 | no |
kod | boolean | Send a kiss-of-death packet to the denied host | false | true | no |
noquery | boolean | Don't allow queries | false | false | no |
nomodify | boolean | Don't allow modifications | false | false | no |
notrap | boolean | Don't allow control message traps | false | false | no |
noserve | boolean | Don't provide time service | false | false | no |
nopeer | boolean | Provide stateless service but don't accept as a peer | false | false | no |
notrust | boolean | Don't allow unauthenticated packets | false | false | no |
limited | boolean | See the documentation | false | false | no |
ntpport | boolean | Accept only queries from the NTP port (123) | false | false | no |
version | boolean | Ignore these hosts if not the current NTP version | false | false | no |
ignore | boolean | Ignore all packets from these hosts | false | false | no |
lowpriotrap | boolean | Declare traps set by matching hosts to be low priority | false | false | no |

More information at doc.ntp.org.
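As an added example that is not part of this repository, the following Python renders server/peer and restrict lines from the dicts described in the two tables above. It rejects restrict flags the table does not list (a misspelled "noquery" would otherwise quietly widen access) and poll exponents outside the 3..17 range ntpd accepts. default_restrict spells out the "allow local, deny others" default the way Debian's stock ntp.conf does; that it matches the role's own default is an assumption.

```python
# Flag order follows the server and restrict tables above.
SERVER_FLAGS = ("iburst", "burst", "true", "xleave", "autokey", "noselect", "preempt")
RESTRICT_FLAGS = ("kod", "noquery", "nomodify", "notrap", "noserve", "nopeer",
                  "notrust", "limited", "ntpport", "version", "ignore", "lowpriotrap")


def association_line(entry, kind="server"):
    """Render one 'server' or 'peer' line from a server-variables dict."""
    if kind not in ("server", "peer"):
        raise ValueError(f"kind must be server or peer, not {kind!r}")
    parts = [kind, entry["address"]]
    parts += [flag for flag in SERVER_FLAGS if entry.get(flag)]
    for opt in ("key", "mode", "ttl", "version"):
        if opt in entry:
            parts += [opt, str(entry[opt])]
    polls = {}
    for opt in ("minpoll", "maxpoll"):
        if opt in entry:
            polls[opt] = int(entry[opt])
            # ntpd only accepts exponents 3..17 (8 s up to about 36 h).
            if not 3 <= polls[opt] <= 17:
                raise ValueError(f"{opt} {polls[opt]} is outside 3..17")
            parts += [opt, str(polls[opt])]
    if polls.get("minpoll", 3) > polls.get("maxpoll", 17):
        raise ValueError("minpoll must not exceed maxpoll")
    return " ".join(parts)


def restrict_line(entry):
    """Render one 'restrict' line; unknown keys are rejected, not silently dropped."""
    unknown = set(entry) - set(RESTRICT_FLAGS) - {"address", "mask"}
    if unknown:
        raise ValueError(f"unknown restrict flags: {sorted(unknown)}")
    parts = ["restrict", entry["address"]]
    if "mask" in entry:
        parts += ["mask", entry["mask"]]
    parts += [flag for flag in RESTRICT_FLAGS if entry.get(flag)]
    return " ".join(parts)


def default_restrict():
    """'Allow local, deny others' as Debian's stock ntp.conf writes it
    (assumed, not taken from the role): remote hosts may only ask for time."""
    return ["restrict -4 default kod notrap nomodify nopeer noquery",
            "restrict -6 default kod notrap nomodify nopeer noquery",
            "restrict 127.0.0.1",
            "restrict ::1"]
```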
Install the sudo package and grant per-user or per-application sudo permissions via role dependencies.
Add to your role's meta/main.yml:

```yaml
dependencies:
  - { role: sudo, name: somename, user: someuser, command: "somecommand", nopasswd: true }
```

name | type | description | default | example | required |
---|---|---|---|---|---|
name | string | Name for the file | | apt-dater-sudo | yes |
user | string | Username granted the sudo permission | | someuser | yes |
command | string | Allow sudo only for this command | | /usr/bin/apt-get | no |
nopasswd | boolean | Enable sudo without a password | false | true | no |
Install and configure the remote side of apt-dater. Uses a separate apt-dater user for SSH.
Variables are prefixed with apt_dater_host.

name | type | description | default | example | required |
---|---|---|---|---|---|
username | string | Name of the user on the remote system | apt-dater | apt-dater | no |
home | string | Home directory of the user | /var/lib/apt-dater | /home/apt-dater | no |
ssh_key | string | Public key for apt-dater | | ssh-rsa AAA... | yes |

In site.yml:

```yaml
- role: apt-dater-host
```

In host_vars or group_vars:

```yaml
apt_dater_host:
  ssh_key: ssh-rsa AAAA...
```
Configure /etc/network/interfaces etc.

name | type | description | default | example | required |
---|---|---|---|---|---|
interfaces | list | List of interfaces, see interface variables | | | yes |
dns_servers | list | List of DNS server addresses | | | no |
domain | string | Domain name | | | no |

Interface variables:

name | type | description | default | example | required |
---|---|---|---|---|---|
interface | string | Interface name | | eth0 | yes |
ip | ipv4 address | Interface IPv4 address | | 10.0.0.2 | yes |
mask | integer or hostmask | IPv4 address mask | | 24 or 255.255.255.0 | yes |
gateway | ipv4 address | Gateway address | | 10.0.0.1 | no |
dhcp | boolean | Use DHCP to acquire the address; if true, ip, netmask and gateway are ignored | false | true | no |
mtu | integer | Interface MTU | | | no |
boardcast | ipv4 address | IPv4 broadcast address | | 10.0.0.255 | no |
boardcast | ipv4 address | IPv4 network address | | 10.0.0.0 | no |
auto6 | | IPv6 autoconf | | | |
ip6 | ipv6 address | Interface IPv6 address | | 2001:DB8::10:2 | no |
mask6 | integer | Interface IPv6 address mask | 64 | 64 | no |
gateway6 | ipv6 address | Gateway IPv6 address | | 2001:DB8::1 | no |
accept_ra | boolean or integer | Accept router advertisements | | true, false, 0, 1, 2 | no |
autoconf | boolean | IPv6 autoconf | | true, false | no |
privext | boolean or integer | Use IPv6 privacy extensions (RFC 3041) | | true, false, 0, 1, 2 | no |
- lldpd
- munin master
- icinga (master)
- icinga2
The MIT License (MIT)
Copyright (c) 2015 Antti Jaakkola
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.