commit b47f39094f05a2c9dc2d6298bb46698bb661d3f3 Author: Iain R. Learmonth irl@fsfe.org Date: Thu Mar 26 15:48:18 2020 +0000
Initial metrics-common role --- ansible/files/ssh_user_keys/acute | 1 + ansible/files/ssh_user_keys/irl | 1 + ansible/files/ssh_user_keys/karsten | 1 + ansible/group_vars/all.yml | 2 + ansible/group_vars/exit_scanners.yml | 15 ++++++ ansible/roles/metrics-common/files/vimrc.local | 2 + ansible/roles/metrics-common/handlers/main.yml | 5 ++ ansible/roles/metrics-common/tasks/main.yml | 68 ++++++++++++++++++++++++++ 8 files changed, 95 insertions(+)
diff --git a/ansible/files/ssh_user_keys/acute b/ansible/files/ssh_user_keys/acute
new file mode 100644
index 0000000..67462bd
--- /dev/null
+++ b/ansible/files/ssh_user_keys/acute
@@ -0,0 +1 @@
+ssh-rsa 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 cardno:00060490456
diff --git a/ansible/files/ssh_user_keys/irl b/ansible/files/ssh_user_keys/irl
new file mode 100644
index 0000000..8aebcf5
--- /dev/null
+++ b/ansible/files/ssh_user_keys/irl
@@ -0,0 +1 @@
+ssh-rsa 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 cardno:000606634751
diff --git a/ansible/files/ssh_user_keys/karsten b/ansible/files/ssh_user_keys/karsten
new file mode 100644
index 0000000..8aebcf5
--- /dev/null
+++ b/ansible/files/ssh_user_keys/karsten
@@ -0,0 +1 @@
+ssh-rsa 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 cardno:000606634751
diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
new file mode 100644
index 0000000..bbdb0bf
--- /dev/null
+++ b/ansible/group_vars/all.yml
@@ -0,0 +1,2 @@
+---
+metrics_users: ['irl', 'karsten', 'acute']
diff --git a/ansible/group_vars/exit_scanners.yml b/ansible/group_vars/exit_scanners.yml
new file mode 100644
index 0000000..e2e69b5
--- /dev/null
+++ b/ansible/group_vars/exit_scanners.yml
@@ -0,0 +1,15 @@
+---
+metrics_dependency_pkgs:
+ - git
+ - python-dnspython
+ - curl
+ - gettext
+ - golang-go
+ - build-essential
+ - python-dateutil
+metrics_backport_pkgs:
+ - python-stem
+ - python3-stem
+metrics_service_users:
+ - {name: tordnsel, uid: 1532, home: "/home/tordnsel", linger: yes}
+ - {name: check, uid: 1507, home: "/home/check", linger: yes}
diff --git a/ansible/roles/metrics-common/files/vimrc.local b/ansible/roles/metrics-common/files/vimrc.local
new file mode 100644
index 0000000..afd5ae0
--- /dev/null
+++ b/ansible/roles/metrics-common/files/vimrc.local
@@ -0,0 +1,2 @@
+let g:skip_defaults_vim = 1
+set mouse=
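Review bot: The karsten key file is byte-identical to irl's — both hunks carry the same blob id `8aebcf5` and the same `cardno:000606634751` comment — so once the role installs it with `exclusive: yes`, the `karsten` account is reachable with irl's key and karsten has no key of his own. This looks like a copy-paste of the wrong public key; replace the file contents with karsten's key, which should carry a different `cardno:` serial if it lives on a separate smartcard. Because these files are consumed via `lookup('file', 'ssh_user_keys/' + item)` in the tasks, a wrong entry silently becomes the only authorized key for that user rather than failing loudly.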
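Review bot: `linger: yes` in both `metrics_service_users` entries is a YAML 1.1 truthy literal that some parsers read as a string; write `linger: true` so it is unambiguous and passes yamllint's truthy rule. Nothing in this commit's tasks/main.yml references `metrics_service_users`, so as of this commit the variable is unused — presumably a later task creates these fixed-uid accounts and enables lingering, and a one-line comment naming that consumer (e.g. `# consumed by the service-user tasks: fixed uids, loginctl enable-linger`) would make the intent clear. The inline flow mappings would also diff more cleanly in block style, one key per line.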
diff --git a/ansible/roles/metrics-common/handlers/main.yml b/ansible/roles/metrics-common/handlers/main.yml
new file mode 100644
index 0000000..5e8c155
--- /dev/null
+++ b/ansible/roles/metrics-common/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: "reload sshd"
+ service:
+ name: sshd
+ state: reloaded
diff --git a/ansible/roles/metrics-common/tasks/main.yml b/ansible/roles/metrics-common/tasks/main.yml
new file mode 100644
index 0000000..aa1d962
--- /dev/null
+++ b/ansible/roles/metrics-common/tasks/main.yml
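Review bot: The handler reloads a unit named `sshd`, but on Debian and Ubuntu — the only platforms the role's tasks condition on — the OpenSSH server unit is `ssh`; `sshd` resolves only through the `Alias=sshd.service` the package installs once the unit is enabled, and not at all under sysvinit. Using the canonical name, `name: ssh`, avoids a handler failure on a host where that alias is absent. This is hedged: if the inventory is systemd-only with the unit enabled, the current name works.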
@@ -0,0 +1,68 @@
+---
+- name: set timezone to UTC
+ timezone:
+ name: UTC
+- name: enable password-less sudo for sudo group
+ lineinfile:
+ path: /etc/sudoers
+ regexp: '^%sudo'
+ line: '%sudo ALL=(ALL) NOPASSWD: ALL'
+ validate: 'visudo -cf %s'
+- name: create metrics users
+ user:
+ name: "{{ item }}"
+ password: "*"
+ with_items: "{{ metrics_users }}"
+- name: ensure users are in correct primary group and sudo group
+ user:
+ name: "{{ item }}"
+ group: "{{ item }}"
+ append: yes
+ groups: "sudo"
+ with_items: "{{ metrics_users }}"
+- name: disable root password
+ user:
+ name: root
+ password: '*'
+- name: set up authorized keys
+ authorized_key:
+ user: "{{ item }}"
+ state: present
+ exclusive: yes
+ key: "{{ lookup('file', 'ssh_user_keys/' + item) }}"
+ with_items: "{{ metrics_users }}"
+- name: sshd PermitRootLogin=no
+ lineinfile:
+ dest: "/etc/ssh/sshd_config"
+ regexp: "^#?PermitRootLogin"
+ line: "PermitRootLogin prohibit-password"
+ state: present
+ notify: "reload sshd"
+- name: sshd PasswordAuthentication=no
+ lineinfile:
+ dest: "/etc/ssh/sshd_config"
+ regexp: "^#?PasswordAuthentication"
+ line: "PasswordAuthentication no"
+ state: present
+ notify: "reload sshd"
+- name: install vim defaults
+ become: true
+ when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+ copy:
+ src: vimrc.local
+ dest: /etc/vim/vimrc.local
+- name: add backports repository
+ apt_repository:
+ repo: 'deb http://http.debian.net/debian {{ ansible_distribution_release }}-backports main contrib non-free'
+ state: present
+- name: install dependency packages
+ apt:
+ pkg: "{{ metrics_dependency_pkgs }}"
+ state: latest
+ update_cache: yes
+- name: install dependency (backport) packages
+ apt:
+ pkg: "{{ metrics_backport_pkgs }}"
+ state: latest
+ update_cache: yes
+ default_release: "{{ ansible_distribution_release }}-backports"
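Review bot: The two sshd_config edits are handed to the `reload sshd` handler without being validated first, unlike the sudoers edit a few lines above which uses `validate: 'visudo -cf %s'`; a mistyped directive is written and only fails at reload, and because this same role disables password login, the only recovery path is console access. Add `validate: '/usr/sbin/sshd -t -f %s'` to both `lineinfile` tasks. The task named `sshd PermitRootLogin=no` actually writes `PermitRootLogin prohibit-password`, which still allows key-based root login even though the role never manages root's authorized_keys; since every admin already gets passwordless sudo through the `%sudo` line, `line: "PermitRootLogin no"` matches both the task name and the intent. Note also that `lineinfile` acts on the last line matching `regexp: "^#?PermitRootLogin"`, so on a host whose sshd_config carries a `Match` block setting that option the directive can be rewritten inside the block rather than globally — hedged, as the target config is not visible here. The truthy literals `append: yes`, `exclusive: yes` and `update_cache: yes` should be `true` for the same parser-portability reason as elsewhere in the repo.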