Initial Push of scraped playbooks

This commit is contained in:
janic 2021-12-06 09:45:41 +01:00
parent 8ea7a36196
commit 7aa8e04057
14 changed files with 353 additions and 2 deletions


@ -58,7 +58,7 @@ APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Copyright 2021 Janic Voser
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.


@ -1,3 +1,6 @@
# Ansible
Ansible Playbooks & Jinja2 Templates
Ansible Playbooks & Jinja2 Templates
# Structure


@ -0,0 +1,35 @@
---
- name: "Mount NAS (NetAdmin)"
hosts: home
tasks:
- name: "Create Mountpoint (/mnt/NetAdmin)"
file:
path: /mnt/NetAdmin
state: directory
become: True
- name: "Install & Upgrade NFS (Debian)"
package:
name: "nfs-common"
state: "present"
when: ansible_os_family == "Debian"
become: True
- name: "Install & Upgrade NFS (Arch)"
package:
name: "nfs-utils"
state: "present"
when: ansible_os_family == "Arch"
become: True
- name: "Edit Mountfile (/etc/fstab)"
shell: grep -c "^192.168.1.3:/NetAdmin" /etc/fstab || true
register: LineInFile
- name: "Mount All mount"
lineinfile:
dest: /etc/fstab
line: "192.168.1.3:/NetAdmin /mnt/NetAdmin nfs rw,hard,intr,timeo=14 0 0"
when: LineInFile.stdout == "0"
become: True
- name: "Mount All if needed"
shell: mount -a
become: True
...
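Review bot: The grep/register/lineinfile/`mount -a` chain in the `Edit Mountfile`, `Mount All mount` and `Mount All if needed` tasks re-implements what `ansible.posix.mount` with `state: mounted` does idempotently, and `shell: mount -a` reports changed on every run. `lineinfile` with `line:` is already idempotent on its own, so the grep pre-check adds nothing, and because no `regexp:` is given a later change to the mount options would append a second fstab entry for the same mount point. The `intr` option in the fstab line has been ignored by the kernel since 2.6.25, so it can be dropped without changing behaviour. The same file content appears again in the next section (the identical `@ -0,0 +1,35 @@` hunk below), so whichever copy is kept should get the same change; the rewritten tasks follow.
```yaml
# … unchanged: play header, mountpoint and NFS package tasks …
    - name: "Mount NFS share and persist it in /etc/fstab"
      ansible.posix.mount:
        path: /mnt/NetAdmin
        src: "192.168.1.3:/NetAdmin"
        fstype: nfs
        opts: "rw,hard,timeo=14"
        state: mounted
      become: true
```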


@ -0,0 +1,35 @@
---
- name: "Mount NAS (NetAdmin)"
hosts: home
tasks:
- name: "Create Mountpoint (/mnt/NetAdmin)"
file:
path: /mnt/NetAdmin
state: directory
become: True
- name: "Install & Upgrade NFS (Debian)"
package:
name: "nfs-common"
state: "present"
when: ansible_os_family == "Debian"
become: True
- name: "Install & Upgrade NFS (Arch)"
package:
name: "nfs-utils"
state: "present"
when: ansible_os_family == "Arch"
become: True
- name: "Edit Mountfile (/etc/fstab)"
shell: grep -c "^192.168.1.3:/NetAdmin" /etc/fstab || true
register: LineInFile
- name: "Mount All mount"
lineinfile:
dest: /etc/fstab
line: "192.168.1.3:/NetAdmin /mnt/NetAdmin nfs rw,hard,intr,timeo=14 0 0"
when: LineInFile.stdout == "0"
become: True
- name: "Mount All if needed"
shell: mount -a
become: True
...


@ -0,0 +1,14 @@
---
- name: "Fix DNS"
hosts: rpis
tasks:
- name: "Copy working resolv.conf"
ansible.builtin.copy:
src: /srv/ansible/files/rpis/resolve.conf
dest: /etc/resolv.conf
owner: root
group: root
mode: '0644'
become: True
...
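Review bot: `ansible.builtin.copy` onto `/etc/resolv.conf` replaces the file (and, since `follow` defaults to false, any symlink sitting there) but does nothing about the component that presumably rewrote it in the first place — on Raspberry Pi OS that is usually dhcpcd/resolvconf, which will overwrite the copied file on the next lease renewal, so the fix is likely not durable; confirm which component owns the file on the `rpis` hosts. Adding `backup: true` to the copy task keeps the previous file for rollback. The source is called `resolve.conf` while the destination is `resolv.conf`; if that is not deliberate, renaming the source avoids a confusing mismatch.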


@ -0,0 +1,31 @@
---
- name: "Install Fail2Ban"
hosts: all
tasks:
- name: "Install Fail2Ban"
package:
name: "fail2ban"
state: "present"
become: True
- name: "Start Fail2ban service"
service:
name: "fail2ban.service"
state: "started"
enabled: "yes"
become: True
- name: "Copy Custom Fail2ban Config "
ansible.builtin.copy:
src: /srv/ansible/files/fail2ban/jail.local
dest: /etc/fail2ban/jail.local
owner: root
group: root
mode: '0644'
become: True
- name: "Restart Fail2ban"
ansible.builtin.service:
name: fail2ban
state: reloaded
become: True
...
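Review bot: The `Restart Fail2ban` task reloads fail2ban on every run regardless of whether `jail.local` changed, so the play is never idempotent; register the copy result with `register: jail_local` and guard the reload with `when: jail_local.changed` (or move the reload to a handler and `notify` it from the copy task). `enabled: "yes"` on the start task is a quoted string that Ansible coerces to a boolean — write `enabled: true` to match the unquoted `state` handling elsewhere. The two service tasks also name the unit differently (`fail2ban.service` vs `fail2ban`); both work, but one spelling is easier to grep for.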


@ -0,0 +1,14 @@
---
- name: "Apply Custom Firewall Rules to every Ansible-Managed Machine"
hosts: all
tasks:
# Create Firewall Rules
# SSH - ALL
- name: "Create Firewall Rule - SSH"
ansible.posix.firewalld:
zone: public
service: ssh
permanent: yes
state: enabled
...
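Review bot: `ansible.posix.firewalld` is called with `permanent: yes` but no `immediate: yes`, so this rule only lands in the saved configuration and does not affect the running firewall until something reloads it; run on its own this playbook changes nothing live. The task also carries no `become`, so unless privilege escalation is configured globally in ansible.cfg or the inventory it will fail when talking to firewalld. Adding `immediate: yes` and `become: true` to the task fixes both. The same two omissions apply to the rpis and servers rule files and to every task in the srvdoc01 rule file further down this page.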


@ -0,0 +1,46 @@
---
- name: "Install & Configure Firewalld"
hosts: all
tasks:
# Setup correct Firewall
- name: "Stop and disable ufw"
ansible.builtin.service:
name: "ufw"
state: stopped
enabled: no
become: True
- name: "Remove ufw"
ansible.builtin.package:
name: "ufw"
state: "absent"
become: True
- name: "Install & Update firewalld"
ansible.builtin.package:
name: "firewalld"
state: "latest"
become: True
- name: "Start and enable firewalld"
ansible.builtin.service:
name: "firewalld"
state: "started"
enabled: yes
# Create Firewall Rules loaded from external Playbooks
- name: "Create Firewall Rules for any Node"
import_playbook: all.rules.firewalld.yaml
# Create Firewall Rules for Groups loaded from external Playbooks
- name: "Create Firewall Rules for Servers"
import_playbook: servers.rules.firewalld.yaml
- name: "Create Firewall Rules for RPIS"
import_playbook: rpis.rules.firewalld.yaml
# Create Firewall Rules for specific Hosts loaded from external Playbooks
- name: "Create Firewall Rules for srvdoc01"
import_playbook: srvdoc01.rul0es.firewalld.yaml
# Reload Firewall to activate new Rules
- name: "Reload Firewall Rules"
ansible.builtin.command:
cmd: "firewall-cmd --reload"
# Due to security Conditions Fail2ban gets installed too
- name: "Install Fail2ban with custom Ansible-Playbook"
import_playbook: ../prod/fail2ban.yaml
...
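Review bot: `import_playbook` is a play-level keyword and is not valid inside `tasks:`, so Ansible rejects this playbook at parse time (it reports that `import_playbook` is not a valid attribute for a Task) and none of the rule files are ever applied; the imports and the final reload have to sit beside the play as top-level entries. The path on the srvdoc01 import reads `srvdoc01.rul0es.firewalld.yaml`, which does not match the `*.rules.firewalld.yaml` naming of the other files. The `Start and enable firewalld` task and the `firewall-cmd --reload` command run without `become`, unlike the package tasks above them, and the reload command reports changed on every run, which `changed_when: false` fixes. Stopping a `ufw` unit that is not installed also fails the play on hosts that never had ufw; a `when` guard based on `package_facts` would make that step portable, though the intended host set is not visible here. The restructured tail of the file follows.
```yaml
# … unchanged: play "Install & Configure Firewalld" with the ufw removal and firewalld install/start tasks …
# import_playbook is a play-level keyword, so the imports sit beside the play, not under tasks:
- name: "Create Firewall Rules for any Node"
  import_playbook: all.rules.firewalld.yaml
- name: "Create Firewall Rules for Servers"
  import_playbook: servers.rules.firewalld.yaml
- name: "Create Firewall Rules for RPIS"
  import_playbook: rpis.rules.firewalld.yaml
- name: "Create Firewall Rules for srvdoc01"
  import_playbook: srvdoc01.rules.firewalld.yaml
- name: "Reload Firewall Rules"
  hosts: all
  become: true
  tasks:
    - name: "Reload firewalld so the permanent rules become active"
      ansible.builtin.command:
        cmd: "firewall-cmd --reload"
      changed_when: false
- name: "Install Fail2ban with custom Ansible-Playbook"
  import_playbook: ../prod/fail2ban.yaml
```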


@ -0,0 +1,14 @@
---
- name: "Apply Custom Firewall Rules to every Ansible-Managed Raspberry"
hosts: rpis
tasks:
# Create Firewall Rules
# SSH - ALL
- name: "Create Firewall Rule - SSH"
ansible.posix.firewalld:
zone: public
service: ssh
permanent: yes
state: enabled
...


@ -0,0 +1,14 @@
---
- name: "Apply Custom Firewall Rules to every Ansible-Managed Server"
hosts: servers
tasks:
# Create Firewall Rules
# Cockpit - ALL Servers
- name: "Create Firewall Rule - SSH"
ansible.posix.firewalld:
zone: public
service: cockpit
permanent: yes
state: enabled
...
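Review bot: The task is named `Create Firewall Rule - SSH` but opens the `cockpit` service, so play output and `--list-tasks` misdescribe what is being exposed; rename it `Create Firewall Rule - Cockpit` to match the comment above it. Cockpit is a management interface, and enabling it in the `public` zone on every host in `servers` makes it reachable from any source; if it is only needed from an admin network, a `source:` restriction or a dedicated zone is worth considering.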


@ -0,0 +1,84 @@
---
- name: "IApply Custom Firewall Rules to SRVDOC01 "
hosts: srvdoc01
tasks:
- name: "Create Firewall Rule [SRVDOC01]- HTTP"
ansible.posix.firewalld:
zone: public
service: http
permanent: yes
state: enabled
- name: "Create Firewall Rule [SRVDOC01]- HTTPS"
ansible.posix.firewalld:
zone: public
service: https
permanent: yes
state: enabled
- name: "Create Firewall Rule [SRVDOC01]- SMTP"
ansible.posix.firewalld:
zone: public
port: 25/tcp
permanent: yes
state: enabled
- name: "Create Firewall Rule [SRVDOC01]- POP3"
ansible.posix.firewalld:
zone: public
port: 110/tcp
permanent: yes
state: enabled
- name: "Create Firewall Rule [SRVDOC01]- IMAP"
ansible.posix.firewalld:
zone: public
port: 143/tcp
permanent: yes
state: enabled
- name: "Create Firewall Rule [SRVDOC01]- SMTPs"
ansible.posix.firewalld:
zone: public
port: 465/tcp
permanent: yes
state: enabled
- name: "Create Firewall Rule [SRVDOC01]- SMTP"
ansible.posix.firewalld:
zone: public
port: 587/tcp
permanent: yes
state: enabled
- name: "Create Firewall Rule [SRVDOC01]- IMAPs"
ansible.posix.firewalld:
zone: public
port: 993/tcp
permanent: yes
state: enabled
- name: "Create Firewall Rule [SRVDOC01]- POP3s"
ansible.posix.firewalld:
zone: public
port: 995/tcp
permanent: yes
state: enabled
- name: "Create Firewall Rule [SRVDOC01]- DNS"
ansible.posix.firewalld:
zone: public
port: 53/tcp
permanent: yes
state: enabled
- name: "Create Firewall Rule [SRVDOC01]- DNS"
ansible.posix.firewalld:
zone: public
port: 53/udp
permanent: yes
state: enabled
- name: "Create Firewall Rule [SRVDOC01]- DNSs"
ansible.posix.firewalld:
zone: public
port: 853/tcp
permanent: yes
state: enabled
- name: "Create Firewall Rule [SRVDOC01]- DNSs"
ansible.posix.firewalld:
zone: public
port: 853/udp
permanent: yes
state: enabled
...
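Review bot: Two tasks are named `Create Firewall Rule [SRVDOC01]- SMTP`; the second one opens `587/tcp`, which is the submission port, so rename it `Create Firewall Rule [SRVDOC01]- Submission` (the DNS and DNSs tcp/udp pairs also share names — append the protocol). 53/tcp and 53/udp are opened in the `public` zone; if the resolver on srvdoc01 answers recursive queries that is an open-resolver exposure, which the playbook cannot show, so confirm it is authoritative-only or limit the rule with `source:`. The play name `IApply Custom Firewall Rules to SRVDOC01 ` has a stray leading `I` and a trailing space.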


@ -0,0 +1,12 @@
---
- hosts: all
gather_facts: yes
become: false
tasks:
- name: Distribution
debug: msg="{{ ansible_distribution }}"
- name: Distribution version
debug: msg="{{ ansible_distribution_version}}"
- name: Distribution major version
debug: msg="{{ ansible_distribution_major_version }}"
...
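Review bot: The three `debug` tasks use `key=value` shorthand (`debug: msg="{{ ansible_distribution }}"`); ansible-lint and the Ansible style guide prefer block YAML, `debug:` followed by `msg: "{{ ansible_distribution }}"`, which also makes the missing space in `{{ ansible_distribution_version}}` easier to spot. The play has no `name:`, so it is reported only as `hosts: all`; a one-line name helps when it runs alongside the other playbooks.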


@ -0,0 +1,30 @@
---
- name: Install & Configure Keepalived VIP
hosts: rpis
remote_user: root
become: True
tasks:
- name: Update APT-cache if Debianbased
apt: update_cache=yes cache_valid_time=3600
when: ansible_os_family == 'Debian'
- name: Install keepalived
package:
name: keepalived
state: latest
- name: Configure keepalived
template:
src: /srv/ansible/files/templates/keepalived/keepalived.conf.j2
dest: /etc/keepalived/keepalived.conf
register: template
- name: Restart keepalive Server
service:
name: keepalived
state: restarted
when: template.changed
- name: Running keepalive Server
service:
name: keepalived
state: started
enabled: yes
...
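Review bot: The play sets both `remote_user: root` and `become: True`, so it logs in directly as root over SSH while every other playbook on this page relies on an unprivileged login plus become; unless the rpis hosts genuinely require root login, dropping `remote_user: root` makes the play consistent and lets root SSH stay disabled. `register: template` stores the task result under the same name as the module, which reads confusingly in `when: template.changed`; `register: keepalived_conf` is clearer. The `apt:` task uses `key=value` shorthand; `update_cache: true` and `cache_valid_time: 3600` in block form match the other tasks.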


@ -0,0 +1,19 @@
---
- name: "Update Linux Servers"
hosts: servers
tasks:
- name: "Update && Upgrade Servers (Debianbased)"
apt:
name: '*'
state: latest
when: ansible_facts['os_family'] == "Debian"
become: True
- name: "Update && Upgrade Servers (Redhatbased)"
dnf:
name: '*'
state: latest
when: ansible_facts['os_family'] == "RedHat"
become: True
...
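Review bot: The `apt` task asks for `state: latest` on `'*'` without `update_cache`, so it upgrades only against whatever package index is already cached on the host — on a server that has not refreshed recently it reports nothing to do; add `update_cache: true` and `cache_valid_time: 3600` under `apt:`. The `dnf` task normally does not need the equivalent because dnf refreshes expired metadata on its own.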