From 7aa8e04057ed902c459c68a1bb33e76f5bb625ee Mon Sep 17 00:00:00 2001
From: janic
Date: Mon, 6 Dec 2021 09:45:41 +0100
Subject: [PATCH] Initial Push of scraped playbooks
---
LICENSE | 2 +-
README.md | 5 +-
playbooks/Netadmin/NetAdmin.yaml | 35 ++++++++
playbooks/dnsfix/NetAdmin.yaml | 35 ++++++++
playbooks/dnsfix/dnsfix.yaml | 14 ++++
playbooks/fail2ban/fail2ban.yaml | 31 +++++++
playbooks/firewalld/all.rules.firewalld.yaml | 14 ++++
playbooks/firewalld/firewalld.yaml | 46 ++++++++++
playbooks/firewalld/rpis.rules.firewalld.yaml | 14 ++++
.../firewalld/servers.rules.firewalld.yaml | 14 ++++
.../firewalld/srvdoc01.rules.firewalld.yaml | 84 +++++++++++++++++++
playbooks/gatherfacts/gather_facts.yaml | 12 +++
playbooks/keepalived/keepalived.yaml | 30 +++++++
playbooks/update/update.yaml | 19 +++++
14 files changed, 353 insertions(+), 2 deletions(-)
create mode 100644 playbooks/Netadmin/NetAdmin.yaml
create mode 100644 playbooks/dnsfix/NetAdmin.yaml
create mode 100644 playbooks/dnsfix/dnsfix.yaml
create mode 100644 playbooks/fail2ban/fail2ban.yaml
create mode 100644 playbooks/firewalld/all.rules.firewalld.yaml
create mode 100644 playbooks/firewalld/firewalld.yaml
create mode 100644 playbooks/firewalld/rpis.rules.firewalld.yaml
create mode 100644 playbooks/firewalld/servers.rules.firewalld.yaml
create mode 100644 playbooks/firewalld/srvdoc01.rules.firewalld.yaml
create mode 100644 playbooks/gatherfacts/gather_facts.yaml
create mode 100644 playbooks/keepalived/keepalived.yaml
create mode 100644 playbooks/update/update.yaml
diff --git a/LICENSE b/LICENSE
index 137069b..ac2238b 100644
--- a/LICENSE
+++ b/LICENSE
@@ -58,7 +58,7 @@ APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives.
-Copyright [yyyy] [name of copyright owner]
+Copyright 2021 Janic Voser
 Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
diff --git a/README.md b/README.md
index fcb5ada..760332a 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,6 @@
 # Ansible
-Ansible Playbooks & Jinja2 Templates
\ No newline at end of file
+Ansible Playbooks & Jinja2 Templates
+
+# Structure
+
diff --git a/playbooks/Netadmin/NetAdmin.yaml b/playbooks/Netadmin/NetAdmin.yaml
new file mode 100644
index 0000000..a3002e6
--- /dev/null
+++ b/playbooks/Netadmin/NetAdmin.yaml
@@ -0,0 +1,35 @@
+---
+- name: "Mount NAS (NetAdmin)"
+ hosts: home
+
+ tasks:
+ - name: "Create Mountpoint (/mnt/NetAdmin)"
+ file:
+ path: /mnt/NetAdmin
+ state: directory
+ become: True
+ - name: "Install & Upgrade NFS (Debian)"
+ package:
+ name: "nfs-common"
+ state: "present"
+ when: ansible_os_family == "Debian"
+ become: True
+ - name: "Install & Upgrade NFS (Arch)"
+ package:
+ name: "nfs-utils"
+ state: "present"
+ when: ansible_os_family == "Arch"
+ become: True
+ - name: "Edit Mountfile (/etc/fstab)"
+ shell: grep -c "^192.168.1.3:/NetAdmin" /etc/fstab || true
+ register: LineInFile
+ - name: "Mount All mount"
+ lineinfile:
+ dest: /etc/fstab
+ line: "192.168.1.3:/NetAdmin /mnt/NetAdmin nfs rw,hard,intr,timeo=14 0 0"
+ when: LineInFile.stdout == "0"
+ become: True
+ - name: "Mount All if needed"
+ shell: mount -a
+ become: True
+...
diff --git a/playbooks/dnsfix/NetAdmin.yaml b/playbooks/dnsfix/NetAdmin.yaml
new file mode 100644
index 0000000..a3002e6
--- /dev/null
+++ b/playbooks/dnsfix/NetAdmin.yaml
@@ -0,0 +1,35 @@
+---
+- name: "Mount NAS (NetAdmin)"
+ hosts: home
+
+ tasks:
+ - name: "Create Mountpoint (/mnt/NetAdmin)"
+ file:
+ path: /mnt/NetAdmin
+ state: directory
+ become: True
+ - name: "Install & Upgrade NFS (Debian)"
+ package:
+ name: "nfs-common"
+ state: "present"
+ when: ansible_os_family == "Debian"
+ become: True
+ - name: "Install & Upgrade NFS (Arch)"
+ package:
+ name: "nfs-utils"
+ state: "present"
+ when: ansible_os_family == "Arch"
+ become: True
+ - name: "Edit Mountfile (/etc/fstab)"
+ shell: grep -c "^192.168.1.3:/NetAdmin" /etc/fstab || true
+ register: LineInFile
+ - name: "Mount All mount"
+ lineinfile:
+ dest: /etc/fstab
+ line: "192.168.1.3:/NetAdmin /mnt/NetAdmin nfs rw,hard,intr,timeo=14 0 0"
+ when: LineInFile.stdout == "0"
+ become: True
+ - name: "Mount All if needed"
+ shell: mount -a
+ become: True
+...
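Review bot: The fstab line hard-codes `rw,hard,intr,timeo=14`, so the NAS export is mounted without `nosuid,nodev` and any setuid binary or device node placed on the share is honoured on every `home` host; `intr` has also been a no-op on Linux for years. The grep/`lineinfile`/`mount -a` sequence is not idempotent either (`mount -a` runs and reports changed on every play) and re-implements what `ansible.posix.mount` with `state: mounted` does in one task, where the options would be `opts: "rw,hard,nosuid,nodev,_netdev,timeo=14"`. Whether the export uses NFSv3 with AUTH_SYS is not visible here; if it does, the NAS trusts client UIDs, so `sec=krb5` or export-side client restrictions would be the stronger control. `become: True` should be `become: true` throughout.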
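Review bot: This file is a byte-for-byte copy of playbooks/Netadmin/NetAdmin.yaml (both new files carry blob `a3002e6`) placed under `dnsfix/`, where it has nothing to do with DNS. Keeping two copies means any later hardening of the NFS mount options has to be repeated, and the stale copy silently re-introduces the old fstab line; drop this one and reference the `Netadmin/` playbook instead. The directory casing `Netadmin` versus the task name `NetAdmin` is also worth unifying, since the paths are case-sensitive.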
diff --git a/playbooks/dnsfix/dnsfix.yaml b/playbooks/dnsfix/dnsfix.yaml
new file mode 100644
index 0000000..ba5a022
--- /dev/null
+++ b/playbooks/dnsfix/dnsfix.yaml
@@ -0,0 +1,14 @@
+---
+- name: "Fix DNS"
+ hosts: rpis
+
+ tasks:
+ - name: "Copy working resolv.conf"
+ ansible.builtin.copy:
+ src: /srv/ansible/files/rpis/resolve.conf
+ dest: /etc/resolv.conf
+ owner: root
+ group: root
+ mode: '0644'
+ become: True
+...
diff --git a/playbooks/fail2ban/fail2ban.yaml b/playbooks/fail2ban/fail2ban.yaml
new file mode 100644
index 0000000..0afe718
--- /dev/null
+++ b/playbooks/fail2ban/fail2ban.yaml
@@ -0,0 +1,31 @@
+---
+- name: "Install Fail2Ban"
+ hosts: all
+
+ tasks:
+ - name: "Install Fail2Ban"
+ package:
+ name: "fail2ban"
+ state: "present"
+ become: True
+
+ - name: "Start Fail2ban service"
+ service:
+ name: "fail2ban.service"
+ state: "started"
+ enabled: "yes"
+ become: True
+ - name: "Copy Custom Fail2ban Config "
+ ansible.builtin.copy:
+ src: /srv/ansible/files/fail2ban/jail.local
+ dest: /etc/fail2ban/jail.local
+ owner: root
+ group: root
+ mode: '0644'
+ become: True
+ - name: "Restart Fail2ban"
+ ansible.builtin.service:
+ name: fail2ban
+ state: reloaded
+ become: True
+...
diff --git a/playbooks/firewalld/all.rules.firewalld.yaml b/playbooks/firewalld/all.rules.firewalld.yaml
new file mode 100644
index 0000000..b3c9383
--- /dev/null
+++ b/playbooks/firewalld/all.rules.firewalld.yaml
@@ -0,0 +1,14 @@
+---
+- name: "Apply Custom Firewall Rules to every Ansible-Managed Machine"
+ hosts: all
+
+ tasks:
+# Create Firewall Rules
+ # SSH - ALL
+ - name: "Create Firewall Rule - SSH"
+ ansible.posix.firewalld:
+ zone: public
+ service: ssh
+ permanent: yes
+ state: enabled
+...
\ No newline at end of file
diff --git a/playbooks/firewalld/firewalld.yaml b/playbooks/firewalld/firewalld.yaml
new file mode 100644
index 0000000..29dc18c
--- /dev/null
+++ b/playbooks/firewalld/firewalld.yaml
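Review bot: Copying a static file over `/etc/resolv.conf` is not durable where a DHCP client or systemd-resolved owns that file, which the hunk does not show either way; on Raspberry Pi OS `dhcpcd` typically rewrites it on the next lease, so the "fix" silently reverts. If that is the case here, set the resolvers where the manager reads them (e.g. `static domain_name_servers=...` in dhcpcd.conf) rather than overwriting its output. Minor: the source is named `resolve.conf` while the destination is `resolv.conf`, which makes the file hard to find, and `become: True` should be `become: true`.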
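Review bot: fail2ban is started and enabled before `jail.local` is in place and then unconditionally reloaded, so every play briefly runs the distribution defaults and always reports a change on the reload task. Copy the config first, add `register: jail_cfg` to the copy task and guard the reload with `when: jail_cfg.changed` (or move it to a handler with `notify`). `enabled: "yes"` is a quoted string where the module expects a boolean; write `enabled: true`.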
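Review bot: `permanent: yes` without `immediate: yes` writes the ssh rule only to the permanent configuration, so it does not apply to the running firewall until `firewall-cmd --reload`, which this play never runs when executed on its own. Add `immediate: true` alongside `permanent: true` (both as real booleans). The task also has no `become`, unlike the install and service tasks elsewhere in the commit, so it fails unless the connection user is already root.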
@@ -0,0 +1,46 @@
+---
+- name: "Install & Configure Firewalld"
+ hosts: all
+
+ tasks:
+# Setup correct Firewall
+ - name: "Stop and disable ufw"
+ ansible.builtin.service:
+ name: "ufw"
+ state: stopped
+ enabled: no
+ become: True
+ - name: "Remove ufw"
+ ansible.builtin.package:
+ name: "ufw"
+ state: "absent"
+ become: True
+ - name: "Install & Update firewalld"
+ ansible.builtin.package:
+ name: "firewalld"
+ state: "latest"
+ become: True
+ - name: "Start and enable firewalld"
+ ansible.builtin.service:
+ name: "firewalld"
+ state: "started"
+ enabled: yes
+# Create Firewall Rules loaded from external Playbooks
+ - name: "Create Firewall Rules for any Node"
+ import_playbook: all.rules.firewalld.yaml
+# Create Firewall Rules for Groups loaded from external Playbooks
+ - name: "Create Firewall Rules for Servers"
+ import_playbook: servers.rules.firewalld.yaml
+ - name: "Create Firewall Rules for RPIS"
+ import_playbook: rpis.rules.firewalld.yaml
+# Create Firewall Rules for specific Hosts loaded from external Playbooks
+ - name: "Create Firewall Rules for srvdoc01"
+ import_playbook: srvdoc01.rul0es.firewalld.yaml
+# Reload Firewall to activate new Rules
+ - name: "Reload Firewall Rules"
+ ansible.builtin.command:
+ cmd: "firewall-cmd --reload"
+# Due to security Conditions Fail2ban gets installed too
+ - name: "Install Fail2ban with custom Ansible-Playbook"
+ import_playbook: ../prod/fail2ban.yaml
+...
\ No newline at end of file
diff --git a/playbooks/firewalld/rpis.rules.firewalld.yaml b/playbooks/firewalld/rpis.rules.firewalld.yaml
new file mode 100644
index 0000000..bf3aad1
--- /dev/null
+++ b/playbooks/firewalld/rpis.rules.firewalld.yaml
@@ -0,0 +1,14 @@
+---
+- name: "Apply Custom Firewall Rules to every Ansible-Managed Raspberry"
+ hosts: rpis
+
+ tasks:
+# Create Firewall Rules
+ # SSH - ALL
+ - name: "Create Firewall Rule - SSH"
+ ansible.posix.firewalld:
+ zone: public
+ service: ssh
+ permanent: yes
+ state: enabled
+...
\ No newline at end of file
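Review bot: `import_playbook` is only valid as a top-level play entry, not inside `tasks:`, so this playbook fails to parse before any task runs; on top of that `srvdoc01.rul0es.firewalld.yaml` is misspelled and `../prod/fail2ban.yaml` does not exist in this commit (the file list shows `playbooks/fail2ban/fail2ban.yaml`). The ordering is also backwards for a host firewall: ufw is stopped and purged before firewalld is installed, leaving a window — or, if the install fails, a lasting state — with no packet filter, and `Stop and disable ufw` errors on hosts that have no ufw unit at all. Install and enable firewalld first, tolerate a missing ufw unit, hoist the imports to play level as sketched below, and add `become` to the `Start and enable firewalld` and reload tasks. Since the imported rule plays then run after this play, the `firewall-cmd --reload` task no longer activates them; have the rule playbooks set `immediate: true` instead.
```yaml
- name: "Install & Configure Firewalld"
  hosts: all
  become: true
  tasks:
    - name: "Install & Update firewalld"
      ansible.builtin.package:
        name: firewalld
        state: latest
    - name: "Stop and disable ufw (if present)"
      ansible.builtin.service:
        name: ufw
        state: stopped
        enabled: false
      failed_when: false
    # ... unchanged: Remove ufw, Start and enable firewalld ...

# import_playbook is a play-level keyword, not a task
- import_playbook: all.rules.firewalld.yaml
- import_playbook: servers.rules.firewalld.yaml
- import_playbook: rpis.rules.firewalld.yaml
- import_playbook: srvdoc01.rules.firewalld.yaml
- import_playbook: ../fail2ban/fail2ban.yaml
```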
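Review bot: This play opens the same ssh service that all.rules.firewalld.yaml already opens for `hosts: all`, and `rpis` is necessarily a subset of `all`, so the file is dead weight that has to be kept in sync rather than a Pi-specific rule set. Either drop it or give it the rules that only the Pis need. As written it has the same gaps as the sibling file: no `become`, and `permanent: yes` without `immediate: true`, so the rule never reaches the running firewall on its own.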
diff --git a/playbooks/firewalld/servers.rules.firewalld.yaml b/playbooks/firewalld/servers.rules.firewalld.yaml
new file mode 100644
index 0000000..4ec33b3
--- /dev/null
+++ b/playbooks/firewalld/servers.rules.firewalld.yaml
@@ -0,0 +1,14 @@
+---
+- name: "Apply Custom Firewall Rules to every Ansible-Managed Server"
+ hosts: servers
+
+ tasks:
+# Create Firewall Rules
+ # Cockpit - ALL Servers
+ - name: "Create Firewall Rule - SSH"
+ ansible.posix.firewalld:
+ zone: public
+ service: cockpit
+ permanent: yes
+ state: enabled
+...
\ No newline at end of file
diff --git a/playbooks/firewalld/srvdoc01.rules.firewalld.yaml b/playbooks/firewalld/srvdoc01.rules.firewalld.yaml
new file mode 100644
index 0000000..df8c68b
--- /dev/null
+++ b/playbooks/firewalld/srvdoc01.rules.firewalld.yaml
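Review bot: This task opens `cockpit` (TCP 9090, a password-authenticated web admin console) in the `public` zone on every host in `servers`, while its name still says "SSH". Exposing the management console on the public-facing zone is a real attack-surface increase; if it is only used from the LAN, bind it to that network with a rich rule such as `rich_rule: 'rule family=ipv4 source address=192.168.1.0/24 service name=cockpit accept'` (the 192.168.1.x range is only inferred from the NFS playbook — confirm), or move the management interface into an `internal` zone. Rename the task, add `become: true`, and pair `permanent: true` with `immediate: true`.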
@@ -0,0 +1,84 @@
+---
+- name: "IApply Custom Firewall Rules to SRVDOC01 "
+ hosts: srvdoc01
+
+ tasks:
+ - name: "Create Firewall Rule [SRVDOC01]- HTTP"
+ ansible.posix.firewalld:
+ zone: public
+ service: http
+ permanent: yes
+ state: enabled
+ - name: "Create Firewall Rule [SRVDOC01]- HTTPS"
+ ansible.posix.firewalld:
+ zone: public
+ service: https
+ permanent: yes
+ state: enabled
+ - name: "Create Firewall Rule [SRVDOC01]- SMTP"
+ ansible.posix.firewalld:
+ zone: public
+ port: 25/tcp
+ permanent: yes
+ state: enabled
+ - name: "Create Firewall Rule [SRVDOC01]- POP3"
+ ansible.posix.firewalld:
+ zone: public
+ port: 110/tcp
+ permanent: yes
+ state: enabled
+ - name: "Create Firewall Rule [SRVDOC01]- IMAP"
+ ansible.posix.firewalld:
+ zone: public
+ port: 143/tcp
+ permanent: yes
+ state: enabled
+ - name: "Create Firewall Rule [SRVDOC01]- SMTPs"
+ ansible.posix.firewalld:
+ zone: public
+ port: 465/tcp
+ permanent: yes
+ state: enabled
+ - name: "Create Firewall Rule [SRVDOC01]- SMTP"
+ ansible.posix.firewalld:
+ zone: public
+ port: 587/tcp
+ permanent: yes
+ state: enabled
+ - name: "Create Firewall Rule [SRVDOC01]- IMAPs"
+ ansible.posix.firewalld:
+ zone: public
+ port: 993/tcp
+ permanent: yes
+ state: enabled
+ - name: "Create Firewall Rule [SRVDOC01]- POP3s"
+ ansible.posix.firewalld:
+ zone: public
+ port: 995/tcp
+ permanent: yes
+ state: enabled
+ - name: "Create Firewall Rule [SRVDOC01]- DNS"
+ ansible.posix.firewalld:
+ zone: public
+ port: 53/tcp
+ permanent: yes
+ state: enabled
+ - name: "Create Firewall Rule [SRVDOC01]- DNS"
+ ansible.posix.firewalld:
+ zone: public
+ port: 53/udp
+ permanent: yes
+ state: enabled
+ - name: "Create Firewall Rule [SRVDOC01]- DNSs"
+ ansible.posix.firewalld:
+ zone: public
+ port: 853/tcp
+ permanent: yes
+ state: enabled
+ - name: "Create Firewall Rule [SRVDOC01]- DNSs"
+ ansible.posix.firewalld:
+ zone: public
+ port: 853/udp
+ permanent: yes
+ state: enabled
+...
\ No newline at end of file
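Review bot: Plaintext POP3 (110/tcp) and IMAP (143/tcp) are opened in the `public` zone next to their TLS ports, and 53/tcp+udp is opened to the same zone; if the resolver on srvdoc01 is recursive — the hunk does not say — that makes it an open resolver usable for amplification. Unless STARTTLS is enforced server-side, drop 110 and 143, and restrict 53 with a `source:` or rich rule (or a non-public zone) if only LAN clients use it. Stylistically, several tasks share a name (`SMTP` for both 25 and 587, `DNS` and `DNSs` twice each) and the file uses bare port numbers where the sibling files use firewalld service names; `service: smtp`, `smtp-submission`, `smtps`, `pop3s`, `imaps` and `dns` would make the intent greppable. As in the other rule files, `become` is missing and `permanent: yes` has no `immediate: true`.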
diff --git a/playbooks/gatherfacts/gather_facts.yaml b/playbooks/gatherfacts/gather_facts.yaml
new file mode 100644
index 0000000..48efc36
--- /dev/null
+++ b/playbooks/gatherfacts/gather_facts.yaml
@@ -0,0 +1,12 @@
+---
+- hosts: all
+ gather_facts: yes
+ become: false
+ tasks:
+ - name: Distribution
+ debug: msg="{{ ansible_distribution }}"
+ - name: Distribution version
+ debug: msg="{{ ansible_distribution_version}}"
+ - name: Distribution major version
+ debug: msg="{{ ansible_distribution_major_version }}"
+...
diff --git a/playbooks/keepalived/keepalived.yaml b/playbooks/keepalived/keepalived.yaml
new file mode 100644
index 0000000..a4256c3
--- /dev/null
+++ b/playbooks/keepalived/keepalived.yaml
@@ -0,0 +1,30 @@
+---
+- name: Install & Configure Keepalived VIP
+ hosts: rpis
+ remote_user: root
+ become: True
+
+ tasks:
+ - name: Update APT-cache if Debianbased
+ apt: update_cache=yes cache_valid_time=3600
+ when: ansible_os_family == 'Debian'
+ - name: Install keepalived
+ package:
+ name: keepalived
+ state: latest
+ - name: Configure keepalived
+ template:
+ src: /srv/ansible/files/templates/keepalived/keepalived.conf.j2
+ dest: /etc/keepalived/keepalived.conf
+ register: template
+ - name: Restart keepalive Server
+ service:
+ name: keepalived
+ state: restarted
+ when: template.changed
+ - name: Running keepalive Server
+ service:
+ name: keepalived
+ state: started
+ enabled: yes
+...
\ No newline at end of file
diff --git a/playbooks/update/update.yaml b/playbooks/update/update.yaml
new file mode 100644
index 0000000..9fb4e16
--- /dev/null
+++ b/playbooks/update/update.yaml
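Review bot: The three `debug` tasks use the legacy `key=value` argument string (`debug: msg="{{ ansible_distribution }}"`) while every other playbook in the commit uses block-style module arguments; write `debug:` with a nested `msg: "{{ ansible_distribution }}"` so ansible-lint and the rest of the tree agree. `gather_facts: yes` should be `gather_facts: true`, and the missing space in `{{ ansible_distribution_version}}` is harmless but worth fixing while here.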
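Review bot: `remote_user: root` together with `become: True` makes this play log in as root over SSH, which only works if every Pi permits root login in sshd; the other plays in this commit connect as the default user and escalate, so this one silently depends on a weaker sshd policy. Drop `remote_user: root` and let `become: true` handle escalation. The rendered `keepalived.conf` is written with default permissions; if the template carries a VRRP `auth_pass` (not visible here), set `mode: "0600"` on the template task, and where the installed keepalived supports `--config-test`, `validate: 'keepalived -t -f %s'` keeps a bad render from taking the VIP down on restart.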
@@ -0,0 +1,19 @@
+---
+- name: "Update Linux Servers"
+ hosts: servers
+
+ tasks:
+ - name: "Update && Upgrade Servers (Debianbased)"
+ apt:
+ name: '*'
+ state: latest
+ when: ansible_facts['os_family'] == "Debian"
+ become: True
+
+ - name: "Update && Upgrade Servers (Redhatbased)"
+ dnf:
+ name: '*'
+ state: latest
+ when: ansible_facts['os_family'] == "RedHat"
+ become: True
+...
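Review bot: The apt task upgrades `'*'` to `latest` without `update_cache: true`, so it works against whatever package lists the host last fetched; on a server with no periodic `apt update` this is a no-op for weeks while the play still reports success. Add `update_cache: true` and `cache_valid_time: 3600` to the apt task (the keepalived playbook in this commit already does this) and consider `autoremove: true` to drop superseded kernels. Neither branch handles a required reboot after kernel or libc upgrades; registering the result and checking `/var/run/reboot-required` on Debian or `needs-restarting -r` on RHEL would close that gap.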