commit b47f39094f05a2c9dc2d6298bb46698bb661d3f3 Author: Iain R. Learmonth <irl@fsfe.org> Date: Thu Mar 26 15:48:18 2020 +0000 Initial metrics-common role --- ansible/files/ssh_user_keys/acute | 1 + ansible/files/ssh_user_keys/irl | 1 + ansible/files/ssh_user_keys/karsten | 1 + ansible/group_vars/all.yml | 2 + ansible/group_vars/exit_scanners.yml | 15 ++++++ ansible/roles/metrics-common/files/vimrc.local | 2 + ansible/roles/metrics-common/handlers/main.yml | 5 ++ ansible/roles/metrics-common/tasks/main.yml | 68 ++++++++++++++++++++++++++ 8 files changed, 95 insertions(+) diff --git a/ansible/files/ssh_user_keys/acute b/ansible/files/ssh_user_keys/acute new file mode 100644 index 0000000..67462bd --- /dev/null +++ b/ansible/files/ssh_user_keys/acute @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQChdcj+GLhTme17lt8hKRSx5T5jrJlPlWsNSSK+Dnh594jLea0i/soYT+GimvGqrlZOOknSLDWHlnePa8K9nYm5hElDodmXbTCq2X4YyZ7OgMBKORSmuu5PD9d7MECDPhprPi1p6v6vk2BCjjL2QjOsxYeu5Dj89qcX009oIx+6lVlBD4SRfMyDYPOLf8UYx1ALLYdZ8Ruzl63ERJEG4mZrleZT8ZnrsN706xKVth01oacXTpvGxEtlakDAAoZoeWtucJj3vgVY+Edga54pRUb+0HGzTSPi6qJ/pgn2H1hZCklJLOP1saJemsOHi26IDyB3JNr2JbDGNOMhCNWcK3Kw3DOL9VkHJSbK+70SU7s/vFntL62D2blX/mzUFa1vf/4kh6390WKW535RmPs//bcKmWPQ4zCgpqMi3qn9Bm3ZJfgLYE2aMfMW5rjgGYRhft3tLuHRnGSUHVJwtBEMzD1PLIrIAFU32VRBqTX+v+xwVTKHujtdXP5gCSJwY6WKyTeFOfvz/HfS8DD8pZwciGfObI3hlprVbGQv6gUokaYH9/X9wj98hwfDWctJbMTmG6B/X7xiukzxnzUhA7Ijo7jpQKS3zfps0TD2GpyGnBnFZ5PzYqh1/vYtR/4+zS+56GNCgR3yAKMwwm3wixeF7ATmEG40eVdf6BtlxFCoZVFKvQ== cardno:00060490456 diff --git a/ansible/files/ssh_user_keys/irl b/ansible/files/ssh_user_keys/irl new file mode 100644 index 0000000..8aebcf5 --- /dev/null +++ b/ansible/files/ssh_user_keys/irl @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDAnbNRJMRawMMgT8GJ9qOl5aIFGEwsdVeMTQxlpkYFsRMWERDxQLsU4X1pF9MP3U70qeeHTu1E+hVHFUWxFsMOm/f/1BaWzh9ODHx8DkLnP1OUdC8veQqVpPVUOmw4v68z0dotxiNE4g1h4+HBHJNt+hTcns6AdjuVKSV614EQPvmKn0DJJQc5CZY5r4fy8fz2W+7cmI5F3U6kF4snLSO0IwOb26PQCa6+Cw20aBihcsGks8mT6tMX70vr/XEtDSTOSKftTS6jjZ1ifnimR5sQ5JZpFnRL8HhxuhrnwgwLT+chkc7C/luv9H4+FXhRi/B6Me0XODXVtyhyWMhaUwN2AUv7Hr319kyKtwALvU/zTJXoqtFpYN7k3OHjYA15ZKwxGf+Pukl+10zZtT0V372UjVOxT5fuYPt6FykkKtIxbyiRHP0yXIMuIsfHtTqLiwKgDChiNb2oPI3NwxTFuuj0eO5eXYDDeuXXEDLIPg/2YCvpxaXf/PC+K3A4GgTb1l39KTMJxmh8/4HgVWZmi+gDJvVU3/SfujhSzRhlWBMeK2nACRwdCI7OFsCsh9GYEkCz/5w53M5/pBZnJeub1GnmnRso6cD+oP2v15yVWSMQVWj9YwifmQbSj8SyyL29wCgSyC28MfKvKWOfyulw3JjZicDTvaVAh1i6HteUB62E5Q== cardno:000606634751 diff --git a/ansible/files/ssh_user_keys/karsten b/ansible/files/ssh_user_keys/karsten new file mode 100644 index 0000000..8aebcf5 --- /dev/null +++ b/ansible/files/ssh_user_keys/karsten @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDAnbNRJMRawMMgT8GJ9qOl5aIFGEwsdVeMTQxlpkYFsRMWERDxQLsU4X1pF9MP3U70qeeHTu1E+hVHFUWxFsMOm/f/1BaWzh9ODHx8DkLnP1OUdC8veQqVpPVUOmw4v68z0dotxiNE4g1h4+HBHJNt+hTcns6AdjuVKSV614EQPvmKn0DJJQc5CZY5r4fy8fz2W+7cmI5F3U6kF4snLSO0IwOb26PQCa6+Cw20aBihcsGks8mT6tMX70vr/XEtDSTOSKftTS6jjZ1ifnimR5sQ5JZpFnRL8HhxuhrnwgwLT+chkc7C/luv9H4+FXhRi/B6Me0XODXVtyhyWMhaUwN2AUv7Hr319kyKtwALvU/zTJXoqtFpYN7k3OHjYA15ZKwxGf+Pukl+10zZtT0V372UjVOxT5fuYPt6FykkKtIxbyiRHP0yXIMuIsfHtTqLiwKgDChiNb2oPI3NwxTFuuj0eO5eXYDDeuXXEDLIPg/2YCvpxaXf/PC+K3A4GgTb1l39KTMJxmh8/4HgVWZmi+gDJvVU3/SfujhSzRhlWBMeK2nACRwdCI7OFsCsh9GYEkCz/5w53M5/pBZnJeub1GnmnRso6cD+oP2v15yVWSMQVWj9YwifmQbSj8SyyL29wCgSyC28MfKvKWOfyulw3JjZicDTvaVAh1i6HteUB62E5Q== cardno:000606634751 diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml new file mode 100644 index 0000000..bbdb0bf --- /dev/null +++ b/ansible/group_vars/all.yml @@ -0,0 +1,2 @@ +--- +metrics_users: ['irl', 'karsten', 'acute'] diff --git a/ansible/group_vars/exit_scanners.yml b/ansible/group_vars/exit_scanners.yml new file mode 100644 index 0000000..e2e69b5 --- /dev/null +++ b/ansible/group_vars/exit_scanners.yml @@ -0,0 +1,15 @@ +--- +metrics_dependency_pkgs: + - git + - python-dnspython + - curl + - gettext + - golang-go + - build-essential + - python-dateutil +metrics_backport_pkgs: + - python-stem + - python3-stem +metrics_service_users: + - {name: tordnsel, uid: 1532, home: "/home/tordnsel", linger: yes} + - {name: check, uid: 1507, home: "/home/check", linger: yes} diff --git a/ansible/roles/metrics-common/files/vimrc.local b/ansible/roles/metrics-common/files/vimrc.local new file mode 100644 index 0000000..afd5ae0 --- /dev/null +++ b/ansible/roles/metrics-common/files/vimrc.local @@ -0,0 +1,2 @@ +let g:skip_defaults_vim = 1 +set mouse= diff --git a/ansible/roles/metrics-common/handlers/main.yml b/ansible/roles/metrics-common/handlers/main.yml new file mode 100644 index 0000000..5e8c155 --- /dev/null +++ b/ansible/roles/metrics-common/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: "reload sshd" + service: + name: sshd + state: reloaded diff --git a/ansible/roles/metrics-common/tasks/main.yml b/ansible/roles/metrics-common/tasks/main.yml new file mode 100644 index 0000000..aa1d962 --- /dev/null +++ b/ansible/roles/metrics-common/tasks/main.yml @@ -0,0 +1,68 @@ +--- +- name: set timezone to UTC + timezone: + name: UTC +- name: enable password-less sudo for sudo group + lineinfile: + path: /etc/sudoers + regexp: '^%sudo' + line: '%sudo ALL=(ALL) NOPASSWD: ALL' + validate: 'visudo -cf %s' +- name: create metrics users + user: + name: "{{ item }}" + password: "*" + with_items: "{{ metrics_users }}" +- name: ensure users are in correct primary group and sudo group + user: + name: "{{ item }}" + group: "{{ item }}" + append: yes + groups: "sudo" + with_items: "{{ metrics_users }}" +- name: disable root password + user: + name: root + password: '*' +- name: set up authorized keys + authorized_key: + user: "{{ item }}" + state: present + exclusive: yes + key: "{{ lookup('file', 'ssh_user_keys/' + item) }}" + with_items: "{{ metrics_users }}" +- name: sshd PermitRootLogin=no + lineinfile: + dest: "/etc/ssh/sshd_config" + regexp: "^#?PermitRootLogin" + line: "PermitRootLogin prohibit-password" + state: present + notify: "reload sshd" +- name: sshd PasswordAuthentication=no + lineinfile: + dest: "/etc/ssh/sshd_config" + regexp: "^#?PasswordAuthentication" + line: "PasswordAuthentication no" + state: present + notify: "reload sshd" +- name: install vim defaults + become: true + when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' + copy: + src: vimrc.local + dest: /etc/vim/vimrc.local +- name: add backports repository + apt_repository: + repo: 'deb http://http.debian.net/debian {{ ansible_distribution_release }}-backports main contrib non-free' + state: present +- name: install dependency packages + apt: + pkg: "{{ metrics_dependency_pkgs }}" + state: latest + update_cache: yes +- name: install dependency (backport) packages + apt: + pkg: "{{ metrics_backport_pkgs }}" + state: latest + update_cache: yes + default_release: "{{ ansible_distribution_release }}-backports"