## configz ======= Yet another ansible's playbook repository ## playbooks ====== * postint.yml * run common role to install you packages, deploy ssh, keys, ... * posting-full.yml * use roles common, xymon-client and rudder-node to have a fully compliant server ## roles ====== * Common * provides **common** configuration * https://github.com/nojhan/liquidprompt <3 * SSH keys * provides ssh keys deployement and blacklist * possibility to use dictionnaries to list keys * possibility to deploy different pools of keys on different servers with ansible hash_behaviour = merge * Update * allow install all update on hosts (tag normal) * allow update specific packages from list (tags packages) * use host_vars, group_vars or default vars to update packages list * Wallabag * provides **Wallabag** configuration * Imported with <3 from https://github.com/al3x/sovereign/ * **Not yet READY** * Prosody * Provides XMPP (Jabber) server * Imported with <3 from https://github.com/al3x/sovereign/ * **Not yet READY** * IRCBouncer * Provides a ZNC Config * Imported with <3 from https://github.com/al3x/sovereign/ * Mail * provides a complete **mail** server for a given domain name and the vdomain capability for other domains. * **Note** : This role starts in order : common, mariadb, and mail. If you don't want one of them, please comment out. * **Note2** : If you already have a SQL server, **it wont erase the original config**, but it needs a ``~/.my.cnf``. * **TODO** : * Razor/Pyzor * Roundcube * Simplify template copy * Postgrey * MariaDB * provides a lambda **MariaDB** server peered on ``127.0.0.1:3306`` with ``root`` MySQL password on ``~/.my.cnf`` * ownCloud * provides a simple instance of **ownCloud**, with ``NGINX, PHP5-FPM, and MariaDB`` * xymon-client and xymon-server * https://www.xymon.com/ * Provide installation of xymon server and xymon client monitoring system * Available for Debian (6 to 8) and Centos (6 to 7). **WARN** : xymon-server only for Debian (Centos dependencies are really hard to automate) * Configure apache for xymon-server * Configure xymon client and add the client in xymon server configuration to allow fetch data * Allow to disable and drop sonde from client * **Note** : Using xymon-client tag/role needs a working xymon-server (whenever the server was installed with the playbook or not) * Cloud be (theoretically, to be tested) used to update xymon server binaries to last stable release * ovzdb * https://www.openvz-diff-backups.fr/ * Install openvz-diff-backup to an openvz host to backup container * enable update of openvz-diff-backup thanks to 0.9.4 version * enable backup AND upload feature via cron * enable purge feature via cron * enable customization of configuration file * use standard installation method (conf in /etc, link binary to /usr/local/bin) * provide bonus hook to create files when problems occurs (additionnally to send emails), allowing monitoring with standard tool (ie xymon and else) * rudder-node * https://www.rudder-project.org * allow to configure a debian/ubuntu rudder node to report to a rudder server * you need a working rudder-server (https://www.rudder-project.org/doc-4.1/_install_rudder_server.html) * use rudder_server variable to configure your rudderserver IP (rudder advice to use IP addresses instead of DNS) * unbound * Possibility to deploy unbound as a local resolver, with forwading zone to your local DNS server (ie .lan, .home, ...) * You need to add unbound variables (see below) * ssh-curve : based from https://blog.arnaudminable.net/secure-shell-mon-amour-dechu/ * DISCLAIMER : using this role WILL trigger "breaking attempt messages" with SSH as server keys are changed, do not forget to clean your know_hosts file(s) * needs debian jessie or later, centos 7 or later * configure ssh to use exclusively actual most secure cipher and algorithms * allow ssh port, listen address, password authent customization * generate ed25519 keys for server instead of RSA * configure ssh client to use strong algorithms * will create compatibility problem with old ssh versions (openwrt, old putty, debian wheezy) * prometheus_nodexporter : allow configuration for node with prometheus node-exporter * debian 9 and centos 7 compatible * You can configure prometheus_exporter_listen_address (default 0.0.0.0) and prometheus_exporter_listen_port (default 9100) * use file_sd_configs on prometheus server with prometheus_sd_directory (default to /etc/prometheus/nodes/) : ``` - job_name: 'node' file_sd_configs: - files: - '{{ prometheus_sd_directory }}/*.json' - '{{ prometheus_sd_directory }}/*.yml' - '{{ prometheus_sd_directory }}/*.yaml' ``` ## example host file ===== ```yaml --- admin_ssh_keys: 0: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZXK3ufonx+zNQ1x6cSWuUWckB/xf9sKZ+mRgY5SPXzqrxSkqNSmr9JQ6xzvhxKEVcFWsi50op1WWtRo3HG3p3+EHKXeCyzt5QnczDlVOoQbB8kgI0byKcvXux1inL4/Q4DbVLUbDFnynD/C5aAyYMYePahMxR+AQr60DD+7Ty6pcEVih1wwHIlxWziY1EF6sEzQwz/PiTxWIZkKHl/WPGagS9Pp/5nQfdZy0AS/JqbzNyMEg51+XedADuqseV4GXDzrzDYLJXJFv1PFVJxRWLrjChKrUMqyszUySkZMr5YSPXlsV0bi+0xivYEsXvIkLORV96JTZosYbV+0aFKDPv root@debian default_packages_debian: htop description: machine test # NTP ntp_servers: - 0.pool.ntp.org - 1.pool.ntp.org - 2.pool.ntp.org disable_ipv6: true # Update deb_packages_to_update: - apache2 centos_packages_to_update: - httpd # Mail domain: test.net # MariaDB mariadb_version: 10.0 mysql_root_password: changeme mysql_host: localhost # ircbouncer znc_version: 1.4 irc_nick: (required) irc_ident: (required) irc_realname: (required) irc_quitmsg: (required) irc_password_hash: (required) # http://wiki.znc.in/Configuration#Pass irc_password_salt: (required) # http://wiki.znc.in/Configuration#Pass irc_timezone: "Europe/Paris" #Example: "Europe/Paris" network_address: irc.my.network.net network_port: 6697 network_channel: 1337Chan # xmpp prosody_admin: "admin@test.net" prosody_virtual_domain: "test.net" prosody_accounts: admin@test.net #Wallabag wallabag_version: 1.8.1 wallabag_domain: "read.{{ domain }}" wallabag_salt: (required) wallabag_db_username: wallabag wallabag_db_password: (required) wallabag_db_database: wallabag #xymon xymon_server: yyy.yyy.yyy.yyy # server IP address (mandatory) xymon_htname: admin # server user for webinterface use xymon_htpasswd: mysecurepasswd # server password for webinterface use ## xymon per client configuration (ie usually done in host_var)## monitoring_file: dns ## Where to store the host in hosts.d xymon server directory (optionnal) monitoring_section: dns ## Name of the page to use in xymon server webpage tree view (optionnal) monitoring_ip: xxx.xxx.xxx.xxx ## IP address of the client to add in server (mandatory) xymon_checks: "#" ## Checks to use for this client. Default '#' do a simple ping check xymon_disabled_sondes: ## Allow to disable checks on clients (DEBIAN >= 8 only) - ntpq - libs #ovzdb ## You can duplicate backup locally and remotely ## by using openvz host as backup_server and ## remote server as upload_server ## I advice to customize cron hour to have ## backup, then purge, then upload backup_server: xxx.xxx.xxx.xxx backup_dir: "/var/lib/vz/backups/OpenVZ/" backup_minute: 10 backup_hour: 02 purge_minute: 10 purge_hour: 03 upload_server: yyy.yyy.yyy.yyy upload_dir: "/var/lib/vz/backups/OpenVZ/" upload_minute: 10 upload_hour: 05 admin_email: "your_email@example.com" # rudder-node rudder_server: 192.168.0.100 # vim: set textwidth=0 ft=yaml: unbound_local_zone: "lan" unbound_forward_dns: XXX.XXX.XXX.XXX # ssh-curve # ssh_port: (default 22) # ssh_ipv4_listen: (default "0.0.0.0") # ssh_ipv6_listen: (default "::") # ssh_authorizedkeysfile: (default ".ssh/authorized_keys") # ssh_pwd_authent: (default "no") ```