From 88bee34235a834a8d36566ba76ccc0801251278d Mon Sep 17 00:00:00 2001 
From: Tobias Hachmer Date: Tue, 24 Jul 2018 17:09:02 +0200 Subject: [PATCH] Restructure and update role for firmware build server * rename role ffmwu-build -> firmware-build-server * rename playbook build-server to firmware-build-server --- inventory/host_vars/milchreis.freifunk-mwu.de | 2 + playbooks/build-server.yml | 7 -- playbooks/firmware-build-server.yml | 14 +++ roles/ffmwu-build/meta/main.yml | 3 - roles/ffmwu-build/tasks/main.yml | 17 --- roles/ffmwu-build/tasks/packages.yml | 48 -------- roles/ffmwu-build/tasks/web.yml | 111 ------------------ roles/firmware-build-server/files/maesto.pub | 1 + .../handlers/main.yml | 4 + .../tasks/git-repos.yml | 0 roles/firmware-build-server/tasks/main.yml | 26 ++++ .../firmware-build-server/tasks/packages.yml | 19 +++ .../tasks/rsyncd.yml | 15 ++- .../templates/ffmwu-default-http.conf.j2 | 0 .../templates/ffmwu-default-https.conf.j2 | 0 .../templates/rsync.service.j2} | 0 .../templates/rsyncd.conf.j2} | 0 .../templates/sudoers-maesto.j2 | 2 + roles/service-nginx/templates/index.html.j2 | 3 + 19 files changed, 81 insertions(+), 191 deletions(-) create mode 100644 inventory/host_vars/milchreis.freifunk-mwu.de delete mode 100755 playbooks/build-server.yml create mode 100755 playbooks/firmware-build-server.yml delete mode 100644 roles/ffmwu-build/meta/main.yml delete mode 100644 roles/ffmwu-build/tasks/main.yml delete mode 100644 roles/ffmwu-build/tasks/packages.yml delete mode 100644 roles/ffmwu-build/tasks/web.yml create mode 100644 roles/firmware-build-server/files/maesto.pub rename roles/{ffmwu-build => firmware-build-server}/handlers/main.yml (78%) rename roles/{ffmwu-build => firmware-build-server}/tasks/git-repos.yml (100%) create mode 100644 roles/firmware-build-server/tasks/main.yml create mode 100644 roles/firmware-build-server/tasks/packages.yml rename roles/{ffmwu-build => firmware-build-server}/tasks/rsyncd.yml (52%) rename roles/{ffmwu-build => firmware-build-server}/templates/ffmwu-default-http.conf.j2 (100%) 
rename roles/{ffmwu-build => firmware-build-server}/templates/ffmwu-default-https.conf.j2 (100%)
rename roles/{ffmwu-build/files/rsync.service => firmware-build-server/templates/rsync.service.j2} (100%)
rename roles/{ffmwu-build/files/rsyncd.conf => firmware-build-server/templates/rsyncd.conf.j2} (100%)
create mode 100644 roles/firmware-build-server/templates/sudoers-maesto.j2
diff --git a/inventory/host_vars/milchreis.freifunk-mwu.de b/inventory/host_vars/milchreis.freifunk-mwu.de
new file mode 100644
index 0000000..68174b8
--- /dev/null
+++ b/inventory/host_vars/milchreis.freifunk-mwu.de
@@ -0,0 +1,2 @@
+---
+ffmwu_server_type: "firmware-build"
diff --git a/playbooks/build-server.yml b/playbooks/build-server.yml
deleted file mode 100755
index 0242f2d..0000000
--- a/playbooks/build-server.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/usr/bin/ansible-playbook
-
-- hosts: ffmwu-build-servers
- remote_user: admin
- roles:
- - prerequisites
- - ffmwu-build
diff --git a/playbooks/firmware-build-server.yml b/playbooks/firmware-build-server.yml
new file mode 100755
index 0000000..80db473
--- /dev/null
+++ b/playbooks/firmware-build-server.yml
@@ -0,0 +1,14 @@
+#!/usr/bin/ansible-playbook
+
+- hosts: ffmwu-build-servers
+ remote_user: admin
+ roles:
+ - prerequisites
+ - server-apt-repos
+ - server-basic
+ - users
+ - service-haveged
+ - service-ntpd
+ - service-vnstat
+ - service-nginx
+ - firmware-build-server
diff --git a/roles/ffmwu-build/meta/main.yml b/roles/ffmwu-build/meta/main.yml
deleted file mode 100644
index 6743d80..0000000
--- a/roles/ffmwu-build/meta/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-dependencies:
-- ffmwu-server
diff --git a/roles/ffmwu-build/tasks/main.yml b/roles/ffmwu-build/tasks/main.yml
deleted file mode 100644
index c742cf5..0000000
--- a/roles/ffmwu-build/tasks/main.yml
+++ /dev/null
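Review bot: `ffmwu_server_type` is defined only in this one host_vars file, yet the `index.html.j2` hunk later in this commit compares it unconditionally (`{% if ffmwu_server_type == "firmware-build" %}`); on every other host that runs `service-nginx` that comparison hits an undefined variable, which with Ansible's default undefined-variable handling should make the template task fail rather than just hide the link. Either give the variable a default in the `service-nginx` role or group vars, or guard the comparison with `{% if ffmwu_server_type | default('') == "firmware-build" %}`. The index.html hunk itself runs past the end of this view, so only the host_vars side is visible here.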
@@ -1,17 +0,0 @@
----
-
-# we don't want to disrupt servers where this role is manually maintained!
-# thus: warning and block statement
-
-- name: full-stop if build role is manually maintained on this server
- debug: msg="build role skipped to not disrupt manual maintenance - set ansible_managed_build to True to enable ansible control"
- when: (not ansible_managed_build is defined) or (not ansible_managed_build)
-
-- block:
- - include: packages.yml
- - include: git-repos.yml
- - include: rsyncd.yml
- - include: web.yml
-
- when: (ansible_managed_build is defined) and (ansible_managed_build)
-# end block
diff --git a/roles/ffmwu-build/tasks/packages.yml b/roles/ffmwu-build/tasks/packages.yml
deleted file mode 100644
index 71b26b5..0000000
--- a/roles/ffmwu-build/tasks/packages.yml
+++ /dev/null
@@ -1,48 +0,0 @@
----
-- name: add apt repository of neoraider
- apt_repository:
- repo: 'deb https://repo.universe-factory.net/debian/ sid main'
- state: present
- filename: 'neoraider'
- notify: update apt cache
-
-- name: add apt repository of freifunk-mwu
- apt_repository:
- repo: 'deb http://repo.freifunk-mwu.de/debian/ jessie main'
- state: present
- filename: 'ffmwu'
- notify: update apt cache
-
-- name: add apt-key of neoraider
- apt_key:
- keyserver: keyserver.ubuntu.com
- id: 16EF3F64CB201D9C
- state: present
- notify: update apt cache
-
-- name: add apt-key of freifunk-mwu package sigs
- apt_key:
- url: http://repo.freifunk-mwu.de/83A70084.gpg.key
- state: present
- notify: update apt cache
-
-- name: install needed packages for build-server
- apt:
- state: present
- name: "{{ item }}"
- update_cache: yes
- cache_valid_time: 21600
- with_items:
- - apache2
- - apache2-utils
- - build-essential
- - ecdsautils
- - gawk
- - git
- - haveged
- - libncurses5-dev
- - libssl-dev
- - pkg-config
- - subversion
- - unzip
- - zlib1g-dev
diff --git a/roles/ffmwu-build/tasks/web.yml b/roles/ffmwu-build/tasks/web.yml
deleted file mode 100644
index 710f607..0000000
--- a/roles/ffmwu-build/tasks/web.yml
+++ /dev/null
@@ -1,111 +0,0 @@ ---- -- name: ensure webroot owned by user/group admin - file: - dest: /var/www/html - owner: admin - group: admin - recurse: yes - -- name: enable apache module ssl - apache2_module: - state: present - name: ssl - notify: - - check apache syntax - - restart systemd unit apache2 - -- name: disable default apache http site - command: /usr/sbin/a2dissite 000-default - args: - removes: /etc/apache2/sites-enabled/000-default.conf - notify: - - check apache syntax - - restart systemd unit apache2 - -- name: disable default apache https site - command: /usr/sbin/a2dissite default-ssl - args: - removes: /etc/apache2/sites-enabled/default-ssl.conf - notify: - - check apache syntax - - restart systemd unit apache2 - -- name: disable unwanted default configs - command: /usr/sbin/a2disconf other-vhosts-access-log - args: - removes: /etc/apache2/conf-enabled/other-vhosts-access-log.conf - notify: - - check apache syntax - - restart systemd unit apache2 - -- name: configure apache ssl cipher suites - lineinfile: - dest: /etc/apache2/mods-enabled/ssl.conf - regexp: '^([\s\t]+)?SSLCipherSuite' - line: "SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" - state: present - notify: - - check apache syntax - - restart systemd unit apache2 - -- name: configure apache ssl protocols - lineinfile: - 
dest: /etc/apache2/mods-available/ssl.conf - regexp: '^([\s\t]+)?SSLProtocol' - line: "SSLProtocol all -SSLv2 -SSLv3" - state: present - notify: - - check apache syntax - - restart systemd unit apache2 - -- name: configure apache security settings - lineinfile: - dest: /etc/apache2/conf-available/security.conf - regexp: "^ServerTokens" - line: "ServerTokens Prod" - state: present - notify: - - check apache syntax - - restart systemd unit apache2 - -- name: configure apache server signature - lineinfile: - dest: /etc/apache2/conf-available/security.conf - regexp: "^ServerSignature" - line: "ServerSignature EMail" - state: present - notify: - - check apache syntax - - restart systemd unit apache2 - -- name: write ffmwu http site - template: - src: ffmwu-default-http.conf.j2 - dest: /etc/apache2/sites-available/ffmwu-default-http.conf - notify: - - check apache syntax - - restart systemd unit apache2 - -- name: write ffmwu https site - template: - src: ffmwu-default-https.conf.j2 - dest: /etc/apache2/sites-available/ffmwu-default-https.conf - notify: - - check apache syntax - - restart systemd unit apache2 - -- name: enable ffmwu apache http site - command: /usr/sbin/a2ensite ffmwu-default-http - args: - creates: /etc/apache2/sites-enabled/ffmwu-default-http.conf - notify: - - check apache syntax - - restart systemd unit apache2 - -- name: enable ffmwu apache https site - command: /usr/sbin/a2ensite ffmwu-default-https - args: - creates: /etc/apache2/sites-enabled/ffmwu-default-https.conf - notify: - - check apache syntax - - restart systemd unit apache2 diff --git a/roles/firmware-build-server/files/maesto.pub b/roles/firmware-build-server/files/maesto.pub new file mode 100644 index 0000000..a5e0dfd --- /dev/null +++ b/roles/firmware-build-server/files/maesto.pub @@ -0,0 +1 @@ +ssh-rsa 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 
diff --git a/roles/ffmwu-build/handlers/main.yml b/roles/firmware-build-server/handlers/main.yml
similarity index 78%
rename from roles/ffmwu-build/handlers/main.yml
rename to roles/firmware-build-server/handlers/main.yml
index fc9d637..ff74281 100644
--- a/roles/ffmwu-build/handlers/main.yml
+++ b/roles/firmware-build-server/handlers/main.yml
@@ -10,3 +10,7 @@
 - name: update apt cache
 apt:
 update_cache: yes
+
+- name: reload systemd
+ systemd:
+ daemon_reload: yes
diff --git a/roles/ffmwu-build/tasks/git-repos.yml b/roles/firmware-build-server/tasks/git-repos.yml
similarity index 100%
rename from roles/ffmwu-build/tasks/git-repos.yml
rename to roles/firmware-build-server/tasks/git-repos.yml
diff --git a/roles/firmware-build-server/tasks/main.yml b/roles/firmware-build-server/tasks/main.yml
new file mode 100644
index 0000000..35ce467
--- /dev/null
+++ b/roles/firmware-build-server/tasks/main.yml
@@ -0,0 +1,26 @@
+---
+- include: packages.yml
+- include: git-repos.yml
+- include: rsyncd.yml
+
+- name: create user maesto
+ user:
+ name: maesto
+ shell: /bin/bash
+ state: present
+
+- name: install ssh public key of maesto
+ authorized_key:
+ user: maesto
+ state: present
+ exclusive: yes
+ key: "{{ lookup('file', 'maesto.pub') }}"
+
+- name: configure passwordless sudo access
+ template:
+ src: "sudoers-maesto.j2"
+ dest: "/etc/sudoers.d/maesto"
+ owner: root
+ group: root
+ mode: '0440'
+ validate: "/usr/sbin/visudo -cf %s"
diff --git a/roles/firmware-build-server/tasks/packages.yml b/roles/firmware-build-server/tasks/packages.yml
new file mode 100644
index 0000000..c56e322
--- /dev/null
+++ b/roles/firmware-build-server/tasks/packages.yml
@@ -0,0 +1,19 @@
+---
+- name: install packages
+ apt:
+ state: present
+ name: "{{ item }}"
+ update_cache: yes
+ cache_valid_time: 21600
+ with_items:
+ - build-essential
+ - ecdsautils
+ - gawk
+ - git
+ - haveged
+ - libncurses5-dev
+ - libssl-dev
+ - pkg-config
+ - subversion
+ - unzip
+ - zlib1g-dev
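Review bot: The three `- include:` lines at the top of the new tasks/main.yml use the bare `include` form, which Ansible deprecated in 2.4 in favour of `import_tasks` (static) or `include_tasks` (dynamic); nothing here is conditional, so `- import_tasks: packages.yml` (and the same for git-repos.yml and rsyncd.yml) is the drop-in replacement. The `authorized_key` task with `exclusive: yes` correctly makes `files/maesto.pub` the only key on the account, but together with the sudoers entry installed by the last task it means the holder of that private key has unrestricted root on the build server, which deserves a comment on the task so the coupling is not lost, e.g. `# this key is the only credential for maesto, who has passwordless root via sudoers.d/maesto - rotate both together`.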
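Review bot: The `install packages` task in the new tasks/packages.yml loops `with_items` into `name: "{{ item }}"`, which is one apt transaction per package unless Ansible squashes the loop, and recent versions warn that this squashing is deprecated. The `apt` module accepts a list directly: drop `with_items:` and put the package list under `name:` (`name:` followed by the eleven `- package` entries), which installs them in a single transaction and keeps `update_cache`/`cache_valid_time` evaluated once.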
diff --git a/roles/ffmwu-build/tasks/rsyncd.yml b/roles/firmware-build-server/tasks/rsyncd.yml
similarity index 52%
rename from roles/ffmwu-build/tasks/rsyncd.yml
rename to roles/firmware-build-server/tasks/rsyncd.yml
index bc838e7..36e54fc 100644
--- a/roles/ffmwu-build/tasks/rsyncd.yml
+++ b/roles/firmware-build-server/tasks/rsyncd.yml
@@ -1,17 +1,22 @@
 ---
 - name: install rsnycd configuration file
- copy:
- src: rsyncd.conf
+ template:
+ src: rsyncd.conf.j2
 dest: /etc/rsyncd.conf
 mode: 0640
+ owner: root
+ group: root
 - name: install rsnyc systemd unit
- copy:
- src: rsync.service
+ template:
+ src: rsync.service.j2
 dest: /etc/systemd/system/
 mode: 0644
+ owner: root
+ group: root
+ notify: reload systemd
-- name: ensure rsync is started on boot as a daemon
+- name: ensure rsync is started and activated
 systemd:
 name: rsync
 state: started
diff --git a/roles/ffmwu-build/templates/ffmwu-default-http.conf.j2 b/roles/firmware-build-server/templates/ffmwu-default-http.conf.j2
similarity index 100%
rename from roles/ffmwu-build/templates/ffmwu-default-http.conf.j2
rename to roles/firmware-build-server/templates/ffmwu-default-http.conf.j2
diff --git a/roles/ffmwu-build/templates/ffmwu-default-https.conf.j2 b/roles/firmware-build-server/templates/ffmwu-default-https.conf.j2
similarity index 100%
rename from roles/ffmwu-build/templates/ffmwu-default-https.conf.j2
rename to roles/firmware-build-server/templates/ffmwu-default-https.conf.j2
diff --git a/roles/ffmwu-build/files/rsync.service b/roles/firmware-build-server/templates/rsync.service.j2
similarity index 100%
rename from roles/ffmwu-build/files/rsync.service
rename to roles/firmware-build-server/templates/rsync.service.j2
diff --git a/roles/ffmwu-build/files/rsyncd.conf b/roles/firmware-build-server/templates/rsyncd.conf.j2
similarity index 100%
rename from roles/ffmwu-build/files/rsyncd.conf
rename to roles/firmware-build-server/templates/rsyncd.conf.j2
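Review bot: `notify: reload systemd` on the `install rsnyc systemd unit` task only runs the handler at the end of the play, but the very next task starts the `rsync` unit; if systemd already has an `rsync.service` loaded (Debian's rsync package ships one), the freshly written `/etc/systemd/system/rsync.service` is not in effect at that point and the first run starts the old definition. Add `daemon_reload: yes` to the `systemd:` task that starts rsync, or insert `- meta: flush_handlers` before it. The indentation of the new `notify:` line is not recoverable from this view; it must sit at task level rather than under the `template:` arguments, or the module rejects it as an unknown parameter. `mode: 0640` and `mode: 0644` stay unquoted here while the new tasks/main.yml writes `mode: '0440'`; the quoted form sidesteps the YAML octal ambiguity and should be used in both files. The task names still read `rsnycd` and `rsnyc`.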
diff --git a/roles/firmware-build-server/templates/sudoers-maesto.j2 b/roles/firmware-build-server/templates/sudoers-maesto.j2
new file mode 100644
index 0000000..f81567d
--- /dev/null
+++ b/roles/firmware-build-server/templates/sudoers-maesto.j2
@@ -0,0 +1,2 @@
+# {{ ansible_managed }}
+maesto ALL=NOPASSWD: ALL
diff --git a/roles/service-nginx/templates/index.html.j2 b/roles/service-nginx/templates/index.html.j2
index eb8c0fd..b2f034f 100644
--- a/roles/service-nginx/templates/index.html.j2
+++ b/roles/service-nginx/templates/index.html.j2
@@ -20,6 +20,9 @@
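Review bot: `maesto ALL=NOPASSWD: ALL` grants the key-only `maesto` account unrestricted passwordless root, and nothing in this commit shows which commands the build workflow actually needs to run as root. If it is a fixed set (package installs, restarting the rsync unit), declare them with a `Cmnd_Alias` and grant `NOPASSWD:` only for that alias; if full root is genuinely intended, record the reason in the template comment, e.g. `# maesto drives the firmware build and needs unrestricted root; its only credential is files/maesto.pub`. The `validate: /usr/sbin/visudo -cf %s` on the installing task is the right safeguard and should be kept for any change to this file.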

Freifunk MWU Gateway {{ inventory_hostname_short }}

Firmware
+{% if ffmwu_server_type == "firmware-build" %} +
Firmware Archiv
+{% endif %}
Traffic