From 7ea7290b4f3a743be0ac37902249250132933e91 Mon Sep 17 00:00:00 2001
From: kaba
Date: Mon, 28 Nov 2016 17:00:44 +0100
Subject: [PATCH] safeguard not to disrupt manually managed systems

---
 inventory/host_vars/aubergine.freifunk-mwu.de | 4 +
 inventory/host_vars/churro.freifunk-mwu.de | 4 +
 .../host_vars/glueckskeks.freifunk-mwu.de | 4 +
 inventory/host_vars/ingwer.freifunk-mwu.de | 4 +
 inventory/host_vars/linse.freifunk-mwu.de | 3 +
 inventory/host_vars/local-test-vm.ffmwu.local | 3 +
 .../host_vars/lotuswurzel.freifunk-mwu.de | 4 +
 inventory/host_vars/milchreis.freifunk-mwu.de | 3 +
 .../host_vars/suesskartoffel.freifunk-mwu.de | 3 +
 .../host_vars/wasserfloh.freifunk-mwu.de | 4 +
 .../host_vars/zuckerwatte.freifunk-mwu.de | 3 +
 inventory/host_vars/zwiebel.freifunk-mwu.de | 4 +
 roles/ffmwu-build/tasks/main.yml | 20 ++++-
 roles/ffmwu-meshing/tasks/main.yml | 23 ++++--
 roles/ffmwu-server/tasks/main.yml | 76 ++++++++++---------
 15 files changed, 118 insertions(+), 44 deletions(-)
 create mode 100644 inventory/host_vars/aubergine.freifunk-mwu.de
 create mode 100644 inventory/host_vars/churro.freifunk-mwu.de
 create mode 100644 inventory/host_vars/glueckskeks.freifunk-mwu.de
 create mode 100644 inventory/host_vars/ingwer.freifunk-mwu.de
 create mode 100644 inventory/host_vars/linse.freifunk-mwu.de
 create mode 100644 inventory/host_vars/lotuswurzel.freifunk-mwu.de
 create mode 100644 inventory/host_vars/wasserfloh.freifunk-mwu.de
 create mode 100644 inventory/host_vars/zwiebel.freifunk-mwu.de
diff --git a/inventory/host_vars/aubergine.freifunk-mwu.de b/inventory/host_vars/aubergine.freifunk-mwu.de
new file mode 100644
index 0000000..bc82ec6
--- /dev/null
+++ b/inventory/host_vars/aubergine.freifunk-mwu.de
@@ -0,0 +1,4 @@
+---
+
+ansible_managed_server: True
+# not yet: ansible_managed_meshing
diff --git a/inventory/host_vars/churro.freifunk-mwu.de b/inventory/host_vars/churro.freifunk-mwu.de
new file mode 100644
index 0000000..bc82ec6
--- /dev/null
+++ b/inventory/host_vars/churro.freifunk-mwu.de
@@ -0,0 +1,4 @@
+---
+
+ansible_managed_server: True
+# not yet: ansible_managed_meshing
diff --git a/inventory/host_vars/glueckskeks.freifunk-mwu.de b/inventory/host_vars/glueckskeks.freifunk-mwu.de
new file mode 100644
index 0000000..bc82ec6
--- /dev/null
+++ b/inventory/host_vars/glueckskeks.freifunk-mwu.de
@@ -0,0 +1,4 @@
+---
+
+ansible_managed_server: True
+# not yet: ansible_managed_meshing
diff --git a/inventory/host_vars/ingwer.freifunk-mwu.de b/inventory/host_vars/ingwer.freifunk-mwu.de
new file mode 100644
index 0000000..bc82ec6
--- /dev/null
+++ b/inventory/host_vars/ingwer.freifunk-mwu.de
@@ -0,0 +1,4 @@
+---
+
+ansible_managed_server: True
+# not yet: ansible_managed_meshing
diff --git a/inventory/host_vars/linse.freifunk-mwu.de b/inventory/host_vars/linse.freifunk-mwu.de
new file mode 100644
index 0000000..5b67d99
--- /dev/null
+++ b/inventory/host_vars/linse.freifunk-mwu.de
@@ -0,0 +1,3 @@
+---
+
+ansible_managed_server: True
diff --git a/inventory/host_vars/local-test-vm.ffmwu.local b/inventory/host_vars/local-test-vm.ffmwu.local
index 29639a4..5eb1bca 100644
--- a/inventory/host_vars/local-test-vm.ffmwu.local
+++ b/inventory/host_vars/local-test-vm.ffmwu.local
@@ -1,5 +1,8 @@
 ---
 
+ansible_managed_server: True
+ansible_managed_meshing: True
+
 # communities inherited as mz, wi
 fastd_config: 'meshing-only'
 
diff --git a/inventory/host_vars/lotuswurzel.freifunk-mwu.de b/inventory/host_vars/lotuswurzel.freifunk-mwu.de
new file mode 100644
index 0000000..bc82ec6
--- /dev/null
+++ b/inventory/host_vars/lotuswurzel.freifunk-mwu.de
@@ -0,0 +1,4 @@
+---
+
+ansible_managed_server: True
+# not yet: ansible_managed_meshing
diff --git a/inventory/host_vars/milchreis.freifunk-mwu.de b/inventory/host_vars/milchreis.freifunk-mwu.de
index 96d25ca..a6193da 100644
--- a/inventory/host_vars/milchreis.freifunk-mwu.de
+++ b/inventory/host_vars/milchreis.freifunk-mwu.de
@@ -1,4 +1,7 @@
 ---
 
+ansible_managed_server: True
+ansible_managed_build: True
+
 h_v_add_auth_keys: |
 ssh-rsa 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 maesto@GLaDOS
diff --git a/inventory/host_vars/suesskartoffel.freifunk-mwu.de b/inventory/host_vars/suesskartoffel.freifunk-mwu.de
index 6a9c249..9e44bdf 100644
--- a/inventory/host_vars/suesskartoffel.freifunk-mwu.de
+++ b/inventory/host_vars/suesskartoffel.freifunk-mwu.de
@@ -1,4 +1,7 @@
 ---
 
+ansible_managed_server: True
+# not yet: ansible_managed_meshing
+
 h_v_add_auth_keys: |
 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAt00Ozv50kIis7YKBaey5alVps98ZzW4CVO9tA8AHvsGXn8cleROjcGdbz/YwPm2RH+A+GQrRqCuEf3SPVxvthlVUuHQPKzDdX3PpcakN05CoEwR3zVwjwdzXaO3fKbN5ZCEUKTpaJU6Lngi6vO6HLzsuYloSJs3t7PGpV1xp3YESyXX7D78w9YRJSe2n3WMrA40lQ91u79V0efoX1mKQYzPH86uwhWsOqi08DvE6gxsqKMY6P06nljmsQOFsdX8S/HVrWtIcnne50b63vPMMLRkOLa5FP6qMIjU3LiirrpL80r1gmVZGVRHO6uJr+mrOb6A76cZ7LT8jaKFgnVhOyw== msslovi0@wyoming.local
diff --git a/inventory/host_vars/wasserfloh.freifunk-mwu.de b/inventory/host_vars/wasserfloh.freifunk-mwu.de
new file mode 100644
index 0000000..bc82ec6
--- /dev/null
+++ b/inventory/host_vars/wasserfloh.freifunk-mwu.de
@@ -0,0 +1,4 @@
+---
+
+ansible_managed_server: True
+# not yet: ansible_managed_meshing
diff --git a/inventory/host_vars/zuckerwatte.freifunk-mwu.de b/inventory/host_vars/zuckerwatte.freifunk-mwu.de
index 646e7a6..9fa8544 100644
--- a/inventory/host_vars/zuckerwatte.freifunk-mwu.de
+++ b/inventory/host_vars/zuckerwatte.freifunk-mwu.de
@@ -1,5 +1,8 @@
 ---
 
+ansible_managed_server: True
+# not yet: ansible_managed_meshing
+
 h_v_add_auth_keys: |
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHs63QNerevCI6wt2Gpq/IpHTPVeHIP8aKIOrRCUlKWR ccgx@small-x
 ssh-rsa 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 magic
diff --git a/inventory/host_vars/zwiebel.freifunk-mwu.de b/inventory/host_vars/zwiebel.freifunk-mwu.de
new file mode 100644
index 0000000..bc82ec6
--- /dev/null
+++ b/inventory/host_vars/zwiebel.freifunk-mwu.de
@@ -0,0 +1,4 @@
+---
+
+ansible_managed_server: True
+# not yet: ansible_managed_meshing
diff --git a/roles/ffmwu-build/tasks/main.yml b/roles/ffmwu-build/tasks/main.yml
index 8200c71..c742cf5 100644
--- a/roles/ffmwu-build/tasks/main.yml
+++ b/roles/ffmwu-build/tasks/main.yml
@@ -1,5 +1,17 @@
 ---
-- include: packages.yml
-- include: git-repos.yml
-- include: rsyncd.yml
-- include: web.yml
+
+# we don't want to disrupt servers where this role is manually maintained!
+# thus: warning and block statement
+
+- name: full-stop if build role is manually maintained on this server
+ debug: msg="build role skipped to not disrupt manual maintenance - set ansible_managed_build to True to enable ansible control"
+ when: (not ansible_managed_build is defined) or (not ansible_managed_build)
+
+- block:
+ - include: packages.yml
+ - include: git-repos.yml
+ - include: rsyncd.yml
+ - include: web.yml
+
+ when: (ansible_managed_build is defined) and (ansible_managed_build)
+# end block
diff --git a/roles/ffmwu-meshing/tasks/main.yml b/roles/ffmwu-meshing/tasks/main.yml
index ff92209..569a9a5 100644
--- a/roles/ffmwu-meshing/tasks/main.yml
+++ b/roles/ffmwu-meshing/tasks/main.yml
@@ -1,10 +1,21 @@
 ---
- # arp and python packages
-- include: mwu-m-pkgs.yml
+# we don't want to disrupt servers where this role is manually maintained!
+# thus: warning and block statement
 
- # backend scripts
-- include: mwu-m-bes.yml
+- name: full-stop if meshing role is manually maintained on this server
+ debug: msg="meshing role skipped to not disrupt manual maintenance - set ansible_managed_meshing to True to enable ansible control"
+ when: (not ansible_managed_meshing is defined) or (not ansible_managed_meshing)
 
- # fastd
-- include: mwu-m-fastd.yml
+- block:
+ # arp and python packages
+ - include: mwu-m-pkgs.yml
+
+ # backend scripts
+ - include: mwu-m-bes.yml
+
+ # fastd
+ - include: mwu-m-fastd.yml
+
+ when: (ansible_managed_meshing is defined) and (ansible_managed_meshing)
+# end block
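Review bot: Both `when:` tests in the build role use `ansible_managed_build` as a bare truthy value, so a string value such as `"False"` supplied through `-e ansible_managed_build=False` is truthy and the block would run on a host meant to stay under manual maintenance; only a YAML boolean like the `True` in the new host_vars files behaves as intended. Casting through the `bool` filter with a default makes the guard robust and folds the duplicated `is defined` test into one expression: `when: not (ansible_managed_build | default(false) | bool)` on the debug task and `when: ansible_managed_build | default(false) | bool` on the block. The meshing hunk below and the server hunk carry the same pair of conditions for `ansible_managed_meshing` and `ansible_managed_server`. Declaring `ansible_managed_build: false` in the role's defaults would be an alternative to the `default()` filter.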
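Review bot: The task named `full-stop if meshing role is manually maintained on this server` is a `debug` task, so it prints the message but neither stops the play nor marks the host, and a skipped host is easy to overlook in the output of a larger inventory. If a notice is all that is intended, a name such as `warn that meshing role is skipped on this server` describes the behaviour; if a visible stop is intended, a `fail:` task under the same `when:` would make the host show up as failed in the recap. The build and server hunks use the same `full-stop` wording for their `debug` tasks.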
diff --git a/roles/ffmwu-server/tasks/main.yml b/roles/ffmwu-server/tasks/main.yml
index fa1750e..1819c86 100644
--- a/roles/ffmwu-server/tasks/main.yml
+++ b/roles/ffmwu-server/tasks/main.yml
@@ -1,41 +1,49 @@
 ---
-#- name: test key concatenation
-# debug: msg=" would/will set keys; {{ mwu_s_admin_keys ~ ( h_v_add_auth_keys | default('') ) }}"
+# we don't want to disrupt servers where this role is manually maintained!
+# thus: warning and block statement
 
-- name: ensure needed system users are present
- user: name=admin comment="Freifunk MWU Admin" shell=/bin/bash state=present
- become: True
+- name: full-stop if server role is manually maintained on this server
+ debug: msg="server role skipped to not disrupt manual maintenance - set ansible_managed_server to True to enable ansible control"
+ when: (not ansible_managed_server is defined) or (not ansible_managed_server)
 
-- name: ensure all wanted ssh keys exclusively
- authorized_key: exclusive=True state=present user=admin
- key={{ mwu_s_admin_keys ~ ( h_v_add_auth_keys | default('') ) }}
+- block:
+ - name: ensure needed system users are present
+ user: name=admin comment="Freifunk MWU Admin" shell=/bin/bash state=present
+ become: True
 
-- name: ensure some basic packages
- apt:
- state: present
- name: "{{mwu_s_item}}"
- update_cache: yes
- cache_valid_time: 21600
- with_items:
- - software-properties-common
- - apt-transport-https
- - man-db
- - mosh
- - ntp
- - sudo
- - sysfsutils
- - vim
- - vnstat
- - vnstati
- loop_control:
- loop_var: mwu_s_item
- become: True
+ - name: ensure all wanted ssh keys exclusively
+ authorized_key: exclusive=True state=present user=admin
+ key={{ mwu_s_admin_keys ~ ( h_v_add_auth_keys | default('') ) }}
 
-- name: ensure vim is default editor
- alternatives: name=editor path=/usr/bin/vim.basic
- become: True
+ - name: ensure some basic packages
+ apt:
+ state: present
+ name: "{{mwu_s_item}}"
+ update_cache: yes
+ cache_valid_time: 21600
+ with_items:
+ - software-properties-common
+ - apt-transport-https
+ - man-db
+ - mosh
+ - ntp
+ - sudo
+ - sysfsutils
+ - vim
+ - vnstat
+ - vnstati
+ loop_control:
+ loop_var: mwu_s_item
+ become: True
 
-- name: set timezone to Europe/Berlin
- timezone: name=Europe/Berlin
- become: True
+ - name: ensure vim is default editor
+ alternatives: name=editor path=/usr/bin/vim.basic
+ become: True
+
+ - name: set timezone to Europe/Berlin
+ timezone: name=Europe/Berlin
+ become: True
+
+ when: (ansible_managed_server is defined) and (ansible_managed_server)
+# end block
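Review bot: `become: True` is now repeated on four of the five tasks inside the new block; since the block exists anyway, the flag can be set once at block level, next to its `when:`, and dropped from the individual tasks. The one task without it, `ensure all wanted ssh keys exclusively`, would then also run with privilege escalation — today it rewrites the admin user's authorized_keys as the connecting user, which only works when that user is admin or root, so please confirm whether the omission is deliberate before hoisting. That `exclusive=True` replacement of the whole key set is exactly the action the new `ansible_managed_server` guard is meant to keep away from manually maintained hosts, so the guard's `when:` condition deserves the same `default(false) | bool` treatment noted on the build hunk.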