configz

=======

Yet another ansible's playbook repository

playbooks

======

• postint.yml
• run common role to install you packages, deploy ssh, keys, ...
• posting-full.yml
• use roles common, xymon-client and rudder-node to have a fully compliant server

roles

======

• Common
• provides common configuration
• https://github.com/nojhan/liquidprompt <3
• SSH keys
• provides ssh keys deployement and blacklist
• possibility to use dictionnaries to list keys
• possibility to deploy different pools of keys on different servers with ansible hash_behaviour = merge
• Update
• allow install all update on hosts (tag normal)
• allow update specific packages from list (tags packages)
  • use host_vars, group_vars or default vars to update packages list
• Wallabag
• provides Wallabag configuration
• Imported with <3 from https://github.com/al3x/sovereign/
• Not yet READY
• Prosody
• Provides XMPP (Jabber) server
• Imported with <3 from https://github.com/al3x/sovereign/
• Not yet READY
• IRCBouncer
• Provides a ZNC Config
• Imported with <3 from https://github.com/al3x/sovereign/
• Mail
• provides a complete mail server for a given domain name and the vdomain capability for other domains.
• Note : This role starts in order : common, mariadb, and mail. If you don't want one of them, please comment out.
• Note2 : If you already have a SQL server, it wont erase the original config, but it needs a ~/.my.cnf.
• TODO :
  • Razor/Pyzor
  • Roundcube
  • Simplify template copy
  • Postgrey
• MariaDB
• provides a lambda MariaDB server peered on 127.0.0.1:3306 with root MySQL password on ~/.my.cnf
• ownCloud
• provides a simple instance of ownCloud, with NGINX, PHP5-FPM, and MariaDB
• xymon-client and xymon-server
• https://www.xymon.com/
• Provide installation of xymon server and xymon client monitoring system
• Available for Debian (6 to 8) and Centos (6 to 7). WARN : xymon-server only for Debian (Centos dependencies are really hard to automate)
• Configure apache for xymon-server
• Configure xymon client and add the client in xymon server configuration to allow fetch data
• Allow to disable and drop sonde from client
• Note : Using xymon-client tag/role needs a working xymon-server (whenever the server was installed with the playbook or not)
• Cloud be (theoretically, to be tested) used to update xymon server binaries to last stable release
• ovzdb
• https://www.openvz-diff-backups.fr/
• Install openvz-diff-backup to an openvz host to backup container
• enable update of openvz-diff-backup thanks to 0.9.4 version
• enable backup AND upload feature via cron
• enable purge feature via cron
• enable customization of configuration file
• use standard installation method (conf in /etc, link binary to /usr/local/bin)
• provide bonus hook to create files when problems occurs (additionnally to send emails), allowing monitoring with standard tool (ie xymon and else)
• rudder-node
• https://www.rudder-project.org
• allow to configure a debian/ubuntu rudder node to report to a rudder server
• you need a working rudder-server (https://www.rudder-project.org/doc-4.1/_install_rudder_server.html)
• use rudder_server variable to configure your rudderserver IP (rudder advice to use IP addresses instead of DNS)
• unbound
• Possibility to deploy unbound as a local resolver, with forwading zone to your local DNS server (ie .lan, .home, ...)
• You need to add unbound variables (see below)
• ssh-curve : based from https://blog.arnaudminable.net/secure-shell-mon-amour-dechu/
• DISCLAIMER : using this role WILL trigger "breaking attempt messages" with SSH as server keys are changed, do not forget to clean your know_hosts file(s)
• needs debian jessie or later, centos 7 or later
• configure ssh to use exclusively actual most secure cipher and algorithms
• allow ssh port, listen address, password authent customization
• generate ed25519 keys for server instead of RSA
• configure ssh client to use strong algorithms
• will create compatibility problem with old ssh versions (openwrt, old putty, debian wheezy)
• prometheus_nodexporter : allow configuration for node with prometheus node-exporter
• debian 9 and centos 7 compatible
• You can configure prometheus_exporter_listen_address (default 0.0.0.0) and prometheus_exporter_listen_port (default 9100)
• use file_sd_configs on prometheus server with prometheus_sd_directory (default to /etc/prometheus/nodes/) :

   - job_name: 'node'
    file_sd_configs:
      - files:
        - '{{ prometheus_sd_directory }}/*.json'
        - '{{ prometheus_sd_directory }}/*.yml'
        - '{{ prometheus_sd_directory }}/*.yaml'

example host file

=====

---
admin_ssh_keys: 
 0: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZXK3ufonx+zNQ1x6cSWuUWckB/xf9sKZ+mRgY5SPXzqrxSkqNSmr9JQ6xzvhxKEVcFWsi50op1WWtRo3HG3p3+EHKXeCyzt5QnczDlVOoQbB8kgI0byKcvXux1inL4/Q4DbVLUbDFnynD/C5aAyYMYePahMxR+AQr60DD+7Ty6pcEVih1wwHIlxWziY1EF6sEzQwz/PiTxWIZkKHl/WPGagS9Pp/5nQfdZy0AS/JqbzNyMEg51+XedADuqseV4GXDzrzDYLJXJFv1PFVJxRWLrjChKrUMqyszUySkZMr5YSPXlsV0bi+0xivYEsXvIkLORV96JTZosYbV+0aFKDPv root@debian

default_packages_debian: htop

description: machine test

# NTP
ntp_servers:
  - 0.pool.ntp.org
  - 1.pool.ntp.org
  - 2.pool.ntp.org
disable_ipv6: true

# Update
deb_packages_to_update:
  - apache2

centos_packages_to_update:
  - httpd

# Mail
domain: test.net

# MariaDB
mariadb_version: 10.0
mysql_root_password: changeme
mysql_host: localhost

# ircbouncer
znc_version: 1.4
irc_nick: (required)
irc_ident: (required)
irc_realname: (required)
irc_quitmsg: (required)
irc_password_hash: (required) # http://wiki.znc.in/Configuration#Pass
irc_password_salt: (required) # http://wiki.znc.in/Configuration#Pass
irc_timezone: "Europe/Paris" #Example: "Europe/Paris"
network_address: irc.my.network.net
network_port: 6697
network_channel: 1337Chan

# xmpp
prosody_admin: "admin@test.net"
prosody_virtual_domain: "test.net"
prosody_accounts: admin@test.net

#Wallabag
wallabag_version: 1.8.1
wallabag_domain: "read.{{ domain }}"
wallabag_salt: (required)
wallabag_db_username: wallabag
wallabag_db_password: (required)
wallabag_db_database: wallabag


#xymon
xymon_server: yyy.yyy.yyy.yyy # server IP address (mandatory)
xymon_htname: admin # server user for webinterface use
xymon_htpasswd: mysecurepasswd # server password for webinterface use
## xymon per client configuration (ie usually done in host_var)##
monitoring_file: dns ## Where to store the host in hosts.d xymon server directory (optionnal)
monitoring_section: dns ## Name of the page to use in xymon server webpage tree view (optionnal)
monitoring_ip: xxx.xxx.xxx.xxx ## IP address of the client to add in server (mandatory)
xymon_checks: "#" ## Checks to use for this client. Default '#' do a simple ping check
xymon_disabled_sondes: ## Allow to disable checks on clients (DEBIAN >= 8 only)
  - ntpq
  - libs

#ovzdb
## You can duplicate backup locally and remotely
## by using openvz host as backup_server and
## remote server as upload_server
## I advice to customize cron hour to have
## backup, then purge, then upload
backup_server: xxx.xxx.xxx.xxx
backup_dir: "/var/lib/vz/backups/OpenVZ/"
backup_minute: 10
backup_hour: 02
purge_minute: 10
purge_hour: 03
upload_server: yyy.yyy.yyy.yyy
upload_dir: "/var/lib/vz/backups/OpenVZ/"
upload_minute: 10
upload_hour: 05
admin_email: "your_email@example.com"

# rudder-node
rudder_server: 192.168.0.100
# vim: set textwidth=0 ft=yaml:

unbound_local_zone: "lan"
unbound_forward_dns: XXX.XXX.XXX.XXX

# ssh-curve
# ssh_port: (default 22)
# ssh_ipv4_listen: (default "0.0.0.0")
# ssh_ipv6_listen: (default "::")
# ssh_authorizedkeysfile: (default ".ssh/authorized_keys")
# ssh_pwd_authent: (default "no")