Restructure and update role for firmware build server
* rename role ffmwu-build -> firmware-build-server * rename playbook build-server to firmware-build-server
This commit is contained in:
parent
f0d8d2f170
commit
88bee34235
19 changed files with 81 additions and 191 deletions
2
inventory/host_vars/milchreis.freifunk-mwu.de
Normal file
2
inventory/host_vars/milchreis.freifunk-mwu.de
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
---
|
||||||
|
ffmwu_server_type: "firmware-build"
|
|
@ -1,7 +0,0 @@
|
||||||
#!/usr/bin/ansible-playbook
|
|
||||||
|
|
||||||
- hosts: ffmwu-build-servers
|
|
||||||
remote_user: admin
|
|
||||||
roles:
|
|
||||||
- prerequisites
|
|
||||||
- ffmwu-build
|
|
14
playbooks/firmware-build-server.yml
Executable file
14
playbooks/firmware-build-server.yml
Executable file
|
@ -0,0 +1,14 @@
|
||||||
|
#!/usr/bin/ansible-playbook
|
||||||
|
|
||||||
|
- hosts: ffmwu-build-servers
|
||||||
|
remote_user: admin
|
||||||
|
roles:
|
||||||
|
- prerequisites
|
||||||
|
- server-apt-repos
|
||||||
|
- server-basic
|
||||||
|
- users
|
||||||
|
- service-haveged
|
||||||
|
- service-ntpd
|
||||||
|
- service-vnstat
|
||||||
|
- service-nginx
|
||||||
|
- firmware-build-server
|
|
@ -1,3 +0,0 @@
|
||||||
---
|
|
||||||
dependencies:
|
|
||||||
- ffmwu-server
|
|
|
@ -1,17 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
# we don't want to disrupt servers where this role is manually maintained!
|
|
||||||
# thus: warning and block statement
|
|
||||||
|
|
||||||
- name: full-stop if build role is manually maintained on this server
|
|
||||||
debug: msg="build role skipped to not disrupt manual maintenance - set ansible_managed_build to True to enable ansible control"
|
|
||||||
when: (not ansible_managed_build is defined) or (not ansible_managed_build)
|
|
||||||
|
|
||||||
- block:
|
|
||||||
- include: packages.yml
|
|
||||||
- include: git-repos.yml
|
|
||||||
- include: rsyncd.yml
|
|
||||||
- include: web.yml
|
|
||||||
|
|
||||||
when: (ansible_managed_build is defined) and (ansible_managed_build)
|
|
||||||
# end block
|
|
|
@ -1,48 +0,0 @@
|
||||||
---
|
|
||||||
- name: add apt repository of neoraider
|
|
||||||
apt_repository:
|
|
||||||
repo: 'deb https://repo.universe-factory.net/debian/ sid main'
|
|
||||||
state: present
|
|
||||||
filename: 'neoraider'
|
|
||||||
notify: update apt cache
|
|
||||||
|
|
||||||
- name: add apt repository of freifunk-mwu
|
|
||||||
apt_repository:
|
|
||||||
repo: 'deb http://repo.freifunk-mwu.de/debian/ jessie main'
|
|
||||||
state: present
|
|
||||||
filename: 'ffmwu'
|
|
||||||
notify: update apt cache
|
|
||||||
|
|
||||||
- name: add apt-key of neoraider
|
|
||||||
apt_key:
|
|
||||||
keyserver: keyserver.ubuntu.com
|
|
||||||
id: 16EF3F64CB201D9C
|
|
||||||
state: present
|
|
||||||
notify: update apt cache
|
|
||||||
|
|
||||||
- name: add apt-key of freifunk-mwu package sigs
|
|
||||||
apt_key:
|
|
||||||
url: http://repo.freifunk-mwu.de/83A70084.gpg.key
|
|
||||||
state: present
|
|
||||||
notify: update apt cache
|
|
||||||
|
|
||||||
- name: install needed packages for build-server
|
|
||||||
apt:
|
|
||||||
state: present
|
|
||||||
name: "{{ item }}"
|
|
||||||
update_cache: yes
|
|
||||||
cache_valid_time: 21600
|
|
||||||
with_items:
|
|
||||||
- apache2
|
|
||||||
- apache2-utils
|
|
||||||
- build-essential
|
|
||||||
- ecdsautils
|
|
||||||
- gawk
|
|
||||||
- git
|
|
||||||
- haveged
|
|
||||||
- libncurses5-dev
|
|
||||||
- libssl-dev
|
|
||||||
- pkg-config
|
|
||||||
- subversion
|
|
||||||
- unzip
|
|
||||||
- zlib1g-dev
|
|
|
@ -1,111 +0,0 @@
|
||||||
---
|
|
||||||
- name: ensure webroot owned by user/group admin
|
|
||||||
file:
|
|
||||||
dest: /var/www/html
|
|
||||||
owner: admin
|
|
||||||
group: admin
|
|
||||||
recurse: yes
|
|
||||||
|
|
||||||
- name: enable apache module ssl
|
|
||||||
apache2_module:
|
|
||||||
state: present
|
|
||||||
name: ssl
|
|
||||||
notify:
|
|
||||||
- check apache syntax
|
|
||||||
- restart systemd unit apache2
|
|
||||||
|
|
||||||
- name: disable default apache http site
|
|
||||||
command: /usr/sbin/a2dissite 000-default
|
|
||||||
args:
|
|
||||||
removes: /etc/apache2/sites-enabled/000-default.conf
|
|
||||||
notify:
|
|
||||||
- check apache syntax
|
|
||||||
- restart systemd unit apache2
|
|
||||||
|
|
||||||
- name: disable default apache https site
|
|
||||||
command: /usr/sbin/a2dissite default-ssl
|
|
||||||
args:
|
|
||||||
removes: /etc/apache2/sites-enabled/default-ssl.conf
|
|
||||||
notify:
|
|
||||||
- check apache syntax
|
|
||||||
- restart systemd unit apache2
|
|
||||||
|
|
||||||
- name: disable unwanted default configs
|
|
||||||
command: /usr/sbin/a2disconf other-vhosts-access-log
|
|
||||||
args:
|
|
||||||
removes: /etc/apache2/conf-enabled/other-vhosts-access-log.conf
|
|
||||||
notify:
|
|
||||||
- check apache syntax
|
|
||||||
- restart systemd unit apache2
|
|
||||||
|
|
||||||
- name: configure apache ssl cipher suites
|
|
||||||
lineinfile:
|
|
||||||
dest: /etc/apache2/mods-enabled/ssl.conf
|
|
||||||
regexp: '^([\s\t]+)?SSLCipherSuite'
|
|
||||||
line: "SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
|
|
||||||
state: present
|
|
||||||
notify:
|
|
||||||
- check apache syntax
|
|
||||||
- restart systemd unit apache2
|
|
||||||
|
|
||||||
- name: configure apache ssl protocols
|
|
||||||
lineinfile:
|
|
||||||
dest: /etc/apache2/mods-available/ssl.conf
|
|
||||||
regexp: '^([\s\t]+)?SSLProtocol'
|
|
||||||
line: "SSLProtocol all -SSLv2 -SSLv3"
|
|
||||||
state: present
|
|
||||||
notify:
|
|
||||||
- check apache syntax
|
|
||||||
- restart systemd unit apache2
|
|
||||||
|
|
||||||
- name: configure apache security settings
|
|
||||||
lineinfile:
|
|
||||||
dest: /etc/apache2/conf-available/security.conf
|
|
||||||
regexp: "^ServerTokens"
|
|
||||||
line: "ServerTokens Prod"
|
|
||||||
state: present
|
|
||||||
notify:
|
|
||||||
- check apache syntax
|
|
||||||
- restart systemd unit apache2
|
|
||||||
|
|
||||||
- name: configure apache server signature
|
|
||||||
lineinfile:
|
|
||||||
dest: /etc/apache2/conf-available/security.conf
|
|
||||||
regexp: "^ServerSignature"
|
|
||||||
line: "ServerSignature EMail"
|
|
||||||
state: present
|
|
||||||
notify:
|
|
||||||
- check apache syntax
|
|
||||||
- restart systemd unit apache2
|
|
||||||
|
|
||||||
- name: write ffmwu http site
|
|
||||||
template:
|
|
||||||
src: ffmwu-default-http.conf.j2
|
|
||||||
dest: /etc/apache2/sites-available/ffmwu-default-http.conf
|
|
||||||
notify:
|
|
||||||
- check apache syntax
|
|
||||||
- restart systemd unit apache2
|
|
||||||
|
|
||||||
- name: write ffmwu https site
|
|
||||||
template:
|
|
||||||
src: ffmwu-default-https.conf.j2
|
|
||||||
dest: /etc/apache2/sites-available/ffmwu-default-https.conf
|
|
||||||
notify:
|
|
||||||
- check apache syntax
|
|
||||||
- restart systemd unit apache2
|
|
||||||
|
|
||||||
- name: enable ffmwu apache http site
|
|
||||||
command: /usr/sbin/a2ensite ffmwu-default-http
|
|
||||||
args:
|
|
||||||
creates: /etc/apache2/sites-enabled/ffmwu-default-http.conf
|
|
||||||
notify:
|
|
||||||
- check apache syntax
|
|
||||||
- restart systemd unit apache2
|
|
||||||
|
|
||||||
- name: enable ffmwu apache https site
|
|
||||||
command: /usr/sbin/a2ensite ffmwu-default-https
|
|
||||||
args:
|
|
||||||
creates: /etc/apache2/sites-enabled/ffmwu-default-https.conf
|
|
||||||
notify:
|
|
||||||
- check apache syntax
|
|
||||||
- restart systemd unit apache2
|
|
1
roles/firmware-build-server/files/maesto.pub
Normal file
1
roles/firmware-build-server/files/maesto.pub
Normal file
|
@ -0,0 +1 @@
|
||||||
|
ssh-rsa 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
|
|
@ -10,3 +10,7 @@
|
||||||
- name: update apt cache
|
- name: update apt cache
|
||||||
apt:
|
apt:
|
||||||
update_cache: yes
|
update_cache: yes
|
||||||
|
|
||||||
|
- name: reload systemd
|
||||||
|
systemd:
|
||||||
|
daemon_reload: yes
|
26
roles/firmware-build-server/tasks/main.yml
Normal file
26
roles/firmware-build-server/tasks/main.yml
Normal file
|
@ -0,0 +1,26 @@
|
||||||
|
---
|
||||||
|
- include: packages.yml
|
||||||
|
- include: git-repos.yml
|
||||||
|
- include: rsyncd.yml
|
||||||
|
|
||||||
|
- name: create user maesto
|
||||||
|
user:
|
||||||
|
name: maesto
|
||||||
|
shell: /bin/bash
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: install ssh public key of maesto
|
||||||
|
authorized_key:
|
||||||
|
user: maesto
|
||||||
|
state: present
|
||||||
|
exclusive: yes
|
||||||
|
key: "{{ lookup('file', 'maesto.pub') }}"
|
||||||
|
|
||||||
|
- name: configure passwordless sudo access
|
||||||
|
template:
|
||||||
|
src: "sudoers-maesto.j2"
|
||||||
|
dest: "/etc/sudoers.d/maesto"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '0440'
|
||||||
|
validate: "/usr/sbin/visudo -cf %s"
|
19
roles/firmware-build-server/tasks/packages.yml
Normal file
19
roles/firmware-build-server/tasks/packages.yml
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
---
|
||||||
|
- name: install packages
|
||||||
|
apt:
|
||||||
|
state: present
|
||||||
|
name: "{{ item }}"
|
||||||
|
update_cache: yes
|
||||||
|
cache_valid_time: 21600
|
||||||
|
with_items:
|
||||||
|
- build-essential
|
||||||
|
- ecdsautils
|
||||||
|
- gawk
|
||||||
|
- git
|
||||||
|
- haveged
|
||||||
|
- libncurses5-dev
|
||||||
|
- libssl-dev
|
||||||
|
- pkg-config
|
||||||
|
- subversion
|
||||||
|
- unzip
|
||||||
|
- zlib1g-dev
|
|
@ -1,17 +1,22 @@
|
||||||
---
|
---
|
||||||
- name: install rsnycd configuration file
|
- name: install rsnycd configuration file
|
||||||
copy:
|
template:
|
||||||
src: rsyncd.conf
|
src: rsyncd.conf.j2
|
||||||
dest: /etc/rsyncd.conf
|
dest: /etc/rsyncd.conf
|
||||||
mode: 0640
|
mode: 0640
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
|
||||||
- name: install rsnyc systemd unit
|
- name: install rsnyc systemd unit
|
||||||
copy:
|
template:
|
||||||
src: rsync.service
|
src: rsync.service.j2
|
||||||
dest: /etc/systemd/system/
|
dest: /etc/systemd/system/
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
notify: reload systemd
|
||||||
|
|
||||||
- name: ensure rsync is started on boot as a daemon
|
- name: ensure rsync is started and activated
|
||||||
systemd:
|
systemd:
|
||||||
name: rsync
|
name: rsync
|
||||||
state: started
|
state: started
|
2
roles/firmware-build-server/templates/sudoers-maesto.j2
Normal file
2
roles/firmware-build-server/templates/sudoers-maesto.j2
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
maesto ALL=NOPASSWD: ALL
|
|
@ -20,6 +20,9 @@
|
||||||
<h1>Freifunk MWU Gateway <a href="./index.html">{{ inventory_hostname_short }}</a></h1>
|
<h1>Freifunk MWU Gateway <a href="./index.html">{{ inventory_hostname_short }}</a></h1>
|
||||||
</header>
|
</header>
|
||||||
<div class="block"><a href="firmware">Firmware</a></div>
|
<div class="block"><a href="firmware">Firmware</a></div>
|
||||||
|
{% if ffmwu_server_type == "firmware-build" %}
|
||||||
|
<div class="block"><a href="_archive">Firmware Archiv</a></div>
|
||||||
|
{% endif %}
|
||||||
<div class="block"><a href="traffic">Traffic</a></div>
|
<div class="block"><a href="traffic">Traffic</a></div>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
|
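Review bot: `{% if ffmwu_server_type == "firmware-build" %}` evaluates the variable on every host that renders this template, and as far as this diff shows `ffmwu_server_type` is defined only in host_vars for milchreis.freifunk-mwu.de; under Ansible's strict undefined handling the comparison fails the template task on a host without the variable rather than silently skipping the block, unless a group or default var outside this diff supplies it. `{% if ffmwu_server_type | default('') == "firmware-build" %}` makes the block safe either way. The surrounding template starts and ends outside the hunk.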