From cbd190bcf8bb64c796f74d2256a7a7ca257640e7 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Thu, 27 Oct 2016 08:18:30 +0200 Subject: [PATCH 1/5] Inventory: add host milchreis --- inventory/hosts | 1 + 1 file changed, 1 insertion(+) diff --git a/inventory/hosts b/inventory/hosts index b91bf82..d936cfe 100644 --- a/inventory/hosts +++ b/inventory/hosts @@ -28,6 +28,7 @@ simple-ff-servers [simple-ff-servers] # not meshing linse.freifunk-mwu.de # ext. DNS-master #pudding.freifunk-mwu.de # +milchreis.freifunk-mwu.de # build server [test-vms] local-test-vm.ffmwu.local ansible_host=192.168.137.7 require_dns=False From 1d9b50dbe68691bd23f9bd8632872da8516516d4 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Thu, 27 Oct 2016 08:19:12 +0200 Subject: [PATCH 2/5] Roles: add tasks to ffmwu-server * ensure system user is present * ensure vim is the default editor * ensure timezone is Europe/Berlin (activate with ansible version 2.2) --- roles/ffmwu-server/tasks/main.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/roles/ffmwu-server/tasks/main.yml b/roles/ffmwu-server/tasks/main.yml index 21bc53a..b94e000 100644 --- a/roles/ffmwu-server/tasks/main.yml +++ b/roles/ffmwu-server/tasks/main.yml @@ -3,6 +3,9 @@ #- name: test key concatenation # debug: msg=" would/will set keys; {{ mwu_s_admin_keys ~ ( h_v_add_auth_keys | default('') ) }}" +- name: ensure needed system users are present + user: name=admin comment="Freifunk MWU Admin" shell=/bin/bash state=present + - name: ensure all wanted ssh keys exclusively authorized_key: exclusive=True state=present user=admin key={{ mwu_s_admin_keys ~ ( h_v_add_auth_keys | default('') ) }} @@ -27,3 +30,10 @@ loop_control: loop_var: mwu_s_item become: True + +- name: ensure vim is default editor + alternatives: name=editor path=/usr/bin/vim.basic + +# enable with ansible version 2.2 +#- name: set timezone to Europe/Berlin +# timezone: name=Europe/Berlin 
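Review bot: The new `user: name=admin comment="Freifunk MWU Admin" shell=/bin/bash state=present` task carries no `become`, while the other tasks visible in this file (the loop at the end of the second hunk) run with `become: True`; creating or altering a system account needs root, so unless the play already connects as root it fails the first time the account is missing or its shell/comment differs. Add `become: true` to the task. Note also that the build playbook later in this series connects as `remote_user: admin`, so whichever play is meant to bootstrap a fresh host must connect as a different privileged user — worth a comment above the task, e.g. `# bootstrap: run the first time with a user that already exists on the host`.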
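Review bot: `alternatives: name=editor path=/usr/bin/vim.basic` writes under /etc/alternatives and so needs root, and nothing in this hunk installs vim, so the task fails both without `become: true` and on a host where `/usr/bin/vim.basic` does not exist yet. Suggest preceding it with `- apt: name=vim state=present` plus `become: true`, and adding `become: true` to the alternatives task itself. The disabled `timezone` task is fine as a placeholder given the stated 2.2 requirement.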
From 54e55358a45e110d3f39df1dfac46009f8136c6a Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Thu, 27 Oct 2016 10:52:47 +0200 Subject: [PATCH 3/5] Inventory: add public key of maesto to host milchreis --- inventory/host_vars/milchreis.freifunk-mwu.de | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 inventory/host_vars/milchreis.freifunk-mwu.de diff --git a/inventory/host_vars/milchreis.freifunk-mwu.de b/inventory/host_vars/milchreis.freifunk-mwu.de new file mode 100644 index 0000000..96d25ca --- /dev/null +++ b/inventory/host_vars/milchreis.freifunk-mwu.de @@ -0,0 +1,4 @@ +--- + +h_v_add_auth_keys: | + ssh-rsa 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 maesto@GLaDOS From 1ddf265f319b66d830e78514bf993e750a694596 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Fri, 28 Oct 2016 16:36:35 +0200 Subject: [PATCH 4/5] Inventory: remove pudding; move milchreis to build-servers --- inventory/hosts | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/inventory/hosts b/inventory/hosts index d936cfe..c45174c 100644 --- a/inventory/hosts +++ b/inventory/hosts @@ -27,8 +27,9 @@ simple-ff-servers [simple-ff-servers] # not meshing linse.freifunk-mwu.de # ext. DNS-master -#pudding.freifunk-mwu.de # -milchreis.freifunk-mwu.de # build server + +[build-servers] +milchreis.freifunk-mwu.de [test-vms] local-test-vm.ffmwu.local ansible_host=192.168.137.7 require_dns=False From 9dd7b203dba438156ebf527ca00be3ef013a7f64 Mon Sep 17 00:00:00 2001 
From: Tobias Hachmer Date: Fri, 28 Oct 2016 16:37:37 +0200 Subject: [PATCH 5/5] Roles: initially add role ffmwu-build and playbook for build-servers --- ffmwu-build.yml | 8 ++ roles/ffmwu-build/files/rsync.service | 9 ++ roles/ffmwu-build/files/rsyncd.conf | 17 ++++ roles/ffmwu-build/handlers/main.yml | 8 ++ roles/ffmwu-build/meta/main.yml | 3 + roles/ffmwu-build/tasks/ecdsautils.yml | 28 ++++++ roles/ffmwu-build/tasks/main.yml | 6 ++ roles/ffmwu-build/tasks/packages.yml | 31 +++++++ roles/ffmwu-build/tasks/repos.yml | 4 + roles/ffmwu-build/tasks/rsync.yml | 15 ++++ roles/ffmwu-build/tasks/web.yml | 90 +++++++++++++++++++ .../templates/ffmwu-default-http.conf.j2 | 16 ++++ .../templates/ffmwu-default-https.conf.j2 | 36 ++++++++ 13 files changed, 271 insertions(+) create mode 100755 ffmwu-build.yml create mode 100644 roles/ffmwu-build/files/rsync.service create mode 100644 roles/ffmwu-build/files/rsyncd.conf create mode 100644 roles/ffmwu-build/handlers/main.yml create mode 100644 roles/ffmwu-build/meta/main.yml create mode 100644 roles/ffmwu-build/tasks/ecdsautils.yml create mode 100644 roles/ffmwu-build/tasks/main.yml create mode 100644 roles/ffmwu-build/tasks/packages.yml create mode 100644 roles/ffmwu-build/tasks/repos.yml create mode 100644 roles/ffmwu-build/tasks/rsync.yml create mode 100644 roles/ffmwu-build/tasks/web.yml create mode 100644 roles/ffmwu-build/templates/ffmwu-default-http.conf.j2 create mode 100644 roles/ffmwu-build/templates/ffmwu-default-https.conf.j2 diff --git a/ffmwu-build.yml b/ffmwu-build.yml new file mode 100755 index 0000000..1651e02 --- /dev/null +++ b/ffmwu-build.yml @@ -0,0 +1,8 @@ +#!/usr/bin/ansible-playbook +--- +- hosts: build-servers + remote_user: admin + strategy: linear + + roles: + - ffmwu-build diff --git a/roles/ffmwu-build/files/rsync.service b/roles/ffmwu-build/files/rsync.service new file mode 100644 index 0000000..1ab82ee --- /dev/null +++ b/roles/ffmwu-build/files/rsync.service 
@@ -0,0 +1,9 @@ +[Unit] +Description=fast remote file copy program daemon +ConditionPathExists=/etc/rsyncd.conf + +[Service] +ExecStart=/usr/bin/rsync --daemon -6 --no-detach + +[Install] +WantedBy=multi-user.target diff --git a/roles/ffmwu-build/files/rsyncd.conf b/roles/ffmwu-build/files/rsyncd.conf new file mode 100644 index 0000000..ec2c0f2 --- /dev/null +++ b/roles/ffmwu-build/files/rsyncd.conf @@ -0,0 +1,17 @@ +use chroot = true + +max connections = 10 +timeout = 300 + +transfer logging = false +log file = /var/log/rsyncd.log + +[firmware] +comment = gluon firmware builds +path = /var/www/html/firmware +read only = yes +list = yes +uid = nobody +gid = nogroup +strict modes = yes +ignore nonreadable = yes diff --git a/roles/ffmwu-build/handlers/main.yml b/roles/ffmwu-build/handlers/main.yml new file mode 100644 index 0000000..6df1caf --- /dev/null +++ b/roles/ffmwu-build/handlers/main.yml @@ -0,0 +1,8 @@ +--- +- name: check apache syntax + shell: apachectl -t + become: true + +- name: restart systemd unit apache2 + systemd: name=apache2 state=restarted + become: true diff --git a/roles/ffmwu-build/meta/main.yml b/roles/ffmwu-build/meta/main.yml new file mode 100644 index 0000000..6743d80 --- /dev/null +++ b/roles/ffmwu-build/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: +- ffmwu-server diff --git a/roles/ffmwu-build/tasks/ecdsautils.yml b/roles/ffmwu-build/tasks/ecdsautils.yml new file mode 100644 index 0000000..59ab9b9 --- /dev/null +++ b/roles/ffmwu-build/tasks/ecdsautils.yml 
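Review bot: `ExecStart=/usr/bin/rsync --daemon -6 --no-detach` binds IPv6 only and the unit has no sandboxing even though the daemon runs as root (required for `use chroot`) and answers anonymous clients. If IPv6-only is intentional, which is plausible for a Freifunk host, say so in a comment above ExecStart; otherwise drop `-6`. Adding `ProtectSystem=full`, `ProtectHome=yes` and `PrivateTmp=yes` to `[Service]` costs nothing here, since the module only reads /var/www/html/firmware and writes /var/log/rsyncd.log and the default lock file, both of which stay writable under `full`.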
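Review bot: rsyncd.conf sets no `address =` and no `hosts allow =`, so the `[firmware]` module is reachable anonymously from any peer; with `read only = yes`, `uid = nobody` and `ignore nonreadable = yes` the exposure is limited to the tree Apache already serves, which looks intended, so record that with `# public anonymous mirror of the tree served by apache from /var/www/html/firmware`. `strict modes = yes` only governs the permission check on a `secrets file`, which this module does not define, so the line is inert and can go. `log file` still receives connection logs despite `transfer logging = false`; if that is the intent, fine, but consider logrotate for it.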
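Review bot: The `check apache syntax` handler runs a fixed command with no shell features, so `command: apachectl -t` is the right module (it also avoids the lint warning for `shell`). The second handler restarts apache on every notify; `state: reloaded` performs a graceful restart that picks up new vhosts and modules without dropping in-flight firmware downloads. Since a non-zero exit from `apachectl -t` fails the host and thereby skips the restart handler, the ordering is what you want, but that dependency is implicit — add `# must stay above the restart handler: a failure here aborts the restart` so nobody reorders them.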
@@ -0,0 +1,28 @@ +--- +- name: checkout ecdsautils repo + git: repo=https://github.com/tcatm/ecdsautils.git + dest=/home/admin/clones/ecdsautils + version=v0.3.2 + +- name: create build directory + file: path=/home/admin/clones/ecdsautils/build state=directory + +- name: build ecdsautils + shell: "{{ item }}" + args: + chdir: /home/admin/clones/ecdsautils/build + with_items: + - cmake .. + - make + +- name: install ecdsautils to /usr/local/bin + copy: + src: "{{ item }}" + dest: /usr/local/bin/ + mode: 0755 + remote_src: True + with_items: + - /home/admin/clones/ecdsautils/build/src/ecdsakeygen + - /home/admin/clones/ecdsautils/build/src/ecdsaverify + - /home/admin/clones/ecdsautils/build/src/ecdsasign + become: true diff --git a/roles/ffmwu-build/tasks/main.yml b/roles/ffmwu-build/tasks/main.yml new file mode 100644 index 0000000..0b92c72 --- /dev/null +++ b/roles/ffmwu-build/tasks/main.yml @@ -0,0 +1,6 @@ +--- +- include: tasks/packages.yml +- include: tasks/ecdsautils.yml +- include: tasks/repos.yml +- include: tasks/rsync.yml +- include: tasks/web.yml diff --git a/roles/ffmwu-build/tasks/packages.yml b/roles/ffmwu-build/tasks/packages.yml new file mode 100644 index 0000000..9609f7c --- /dev/null +++ b/roles/ffmwu-build/tasks/packages.yml @@ -0,0 +1,31 @@ +--- +- name: add apt repository of neoraider + apt_repository: repo='deb https://repo.universe-factory.net/debian/ sid main' state=present filename='neoraider' + become: true + +- name: add apt-key of neoraider + apt_key: keyserver=keyserver.ubuntu.com id=16EF3F64CB201D9C state=present + become: true + +- name: install needed packages for build-server + apt: + state: present + name: "{{ item }}" + update_cache: yes + cache_valid_time: 21600 + with_items: + - apache2 + - apache2-utils + - build-essential + - cmake + - gawk + - git + - haveged + - libncurses5-dev + - libssl-dev + - libuecc-dev + - pkg-config + - subversion + - unzip + - zlib1g-dev + become: true 
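Review bot: `version=v0.3.2` pins a git tag, which the remote can move or re-push; because `ecdsasign`/`ecdsaverify` are the tools that sign and check firmware manifests, pin the commit hash instead (`version=<sha of v0.3.2>` with a trailing `# v0.3.2` comment) so a replaced tag cannot swap the signing binary. The `cmake ..`/`make` loop also runs on every play and always reports changed; give the task `creates: /home/admin/clones/ecdsautils/build/src/ecdsasign`, or register the git task and add `when: ecdsautils_repo.changed`. `command:` suffices for both items, no shell is needed.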
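Review bot: The neoraider repository is added before its key, and `apt_repository` runs `apt-get update` by default, so the first run sees an unsigned repository before the `apt_key` task fixes it — on apt ≥ 1.1 that is a hard error; move the `apt_key` task above the repository or set `update_cache=no` on the repository task. Fetching the key by ID over HKP from `keyserver.ubuntu.com` is unauthenticated and `16EF3F64CB201D9C` is only a long key ID, not a fingerprint; ship the key in the role's `files/` and install it with `apt_key: data="{{ lookup('file', 'neoraider.asc') }}"`. Finally, `deb https://repo.universe-factory.net/debian/ sid main` is an unstable suite on what is presumably a stable host; without an apt preferences pin limited to the packages you actually need from it (here `libuecc*`), anything that repo ships can shadow the distro version.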
diff --git a/roles/ffmwu-build/tasks/repos.yml b/roles/ffmwu-build/tasks/repos.yml new file mode 100644 index 0000000..65e331b --- /dev/null +++ b/roles/ffmwu-build/tasks/repos.yml @@ -0,0 +1,4 @@ +--- +- name: checkout sites-ffmwu repo + git: repo=https://github.com/freifunk-mwu/sites-ffmwu.git + dest=/home/admin/clones/sites-ffmwu diff --git a/roles/ffmwu-build/tasks/rsync.yml b/roles/ffmwu-build/tasks/rsync.yml new file mode 100644 index 0000000..b48cf2a --- /dev/null +++ b/roles/ffmwu-build/tasks/rsync.yml @@ -0,0 +1,15 @@ +--- +- name: install rsnycd configuration file + copy: src=rsyncd.conf dest=/etc/rsyncd.conf mode=640 + become: true + +- name: install rsnyc systemd unit + copy: src=rsync.service dest=/etc/systemd/system/ mode=644 + become: true + +- name: ensure rsync is started on boot as a daemon + systemd: + name: rsync + state: started + enabled: True + become: true diff --git a/roles/ffmwu-build/tasks/web.yml b/roles/ffmwu-build/tasks/web.yml new file mode 100644 index 0000000..4fca1f1 --- /dev/null +++ b/roles/ffmwu-build/tasks/web.yml 
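Review bot: The `sites-ffmwu` checkout has no `version=`, so every play moves `/home/admin/clones/sites-ffmwu` to the remote default branch HEAD, possibly underneath a running build; either pin `version=` to the branch or tag the builds are meant to track, or set `update=no` so Ansible only performs the initial clone and updates stay under human/CI control. Whichever you choose, state it in a comment, e.g. `# clone only; firmware builds check out their own ref`. For reproducible firmware a pinned tag is the safer default.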
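Review bot: The unit file is copied into /etc/systemd/system but the `systemd` task does not pass `daemon_reload: yes`, so on a fresh host systemd has not loaded the new `rsync` unit when `state: started` runs and, where the Debian rsync package is installed, its own `rsync.service` is what gets started; add `daemon_reload: yes` next to `enabled: True`. `rsync` itself is not in the package list in packages.yml, so `/usr/bin/rsync` is only present by luck of the base install — add it there. The task names read `rsnycd`/`rsnyc` (typo), and writing modes as `0640`/`0644` keeps them safe if someone later converts these tasks to YAML dict syntax.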
@@ -0,0 +1,90 @@ +--- +- name: ensure webroot owns by user/group admin + file: dest=/var/www/html owner=admin group=admin recurse=yes + become: true + +- name: enable apache module ssl + apache2_module: state=present name=ssl + become: true + notify: + - check apache syntax + - restart systemd unit apache2 + +- name: disable default apache sites and unwanted default configs + shell: a2dissite "{{ item }}" + with_items: + - 000-default + - default-ssl + become: true + notify: + - check apache syntax + - restart systemd unit apache2 + +- shell: a2disconf "{{ item }}" + with_items: + - other-vhosts-access-log.conf + become: true + notify: + - check apache syntax + - restart systemd unit apache2 + +- name: configure apache ssl module settings + lineinfile: dest=/etc/apache2/mods-enabled/ssl.conf + regexp="^([\s\t]+)?SSLCipherSuite" + line="SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" + state=present + become: true + notify: + - check apache syntax + - restart systemd unit apache2 + +- lineinfile: dest=/etc/apache2/mods-available/ssl.conf + regexp="^([\s\t]+)?SSLProtocol" + line="SSLProtocol all -SSLv2 -SSLv3" + state=present + become: true + notify: + - check apache syntax + - restart systemd unit apache2 + +- name: configure apache security settings + lineinfile: 
dest=/etc/apache2/conf-available/security.conf + regexp="^ServerTokens" + line="ServerTokens Prod" + state=present + become: true + notify: + - check apache syntax + - restart systemd unit apache2 + +- lineinfile: dest=/etc/apache2/conf-available/security.conf + regexp="^ServerSignature" + line="ServerSignature EMail" + state=present + become: true + notify: + - check apache syntax + - restart systemd unit apache2 + +- name: write ffmwu apache sites + template: src=ffmwu-default-http.conf.j2 dest=/etc/apache2/sites-available/ffmwu-default-http.conf + become: true + notify: + - check apache syntax + - restart systemd unit apache2 + +- template: src=ffmwu-default-https.conf.j2 dest=/etc/apache2/sites-available/ffmwu-default-https.conf + become: true + notify: + - check apache syntax + - restart systemd unit apache2 + +- name: enable ffmwu apache sites + shell: a2ensite "{{ item }}" + with_items: + - ffmwu-default-http + - ffmwu-default-https + become: true + notify: + - check apache syntax + - restart systemd unit apache2 diff --git a/roles/ffmwu-build/templates/ffmwu-default-http.conf.j2 b/roles/ffmwu-build/templates/ffmwu-default-http.conf.j2 new file mode 100644 index 0000000..a48beee --- /dev/null +++ b/roles/ffmwu-build/templates/ffmwu-default-http.conf.j2 @@ -0,0 +1,16 @@ + + ServerName {{ inventory_hostname }} + ServerAdmin webmaster@freifunk-mwu.de + + DocumentRoot /var/www/html/firmware + + + Options +Indexes +FollowSymlinks + IndexOptions FancyIndexing +FoldersFirst +HTMLTable +NameWidth=* + AllowOverride None + Order allow,deny + allow from all + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/roles/ffmwu-build/templates/ffmwu-default-https.conf.j2 b/roles/ffmwu-build/templates/ffmwu-default-https.conf.j2 new file mode 100644 index 0000000..0f83aaf --- /dev/null +++ b/roles/ffmwu-build/templates/ffmwu-default-https.conf.j2 
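Review bot: The `SSLCipherSuite` edit targets `/etc/apache2/mods-enabled/ssl.conf`, which on Debian is a symlink into mods-available, while the `SSLProtocol` edit targets `mods-available/ssl.conf`; as far as I can tell `lineinfile` without `follow=yes` replaces the symlink with a regular file, after which the two edits land in different files and the one apache loads never gets the `SSLProtocol` line. Point both tasks at `mods-available/ssl.conf` (or add `follow=yes`). The `a2dissite`/`a2disconf`/`a2ensite` shell loops are not idempotent, so every run reports changed and restarts apache; use `command:` with `removes=/etc/apache2/sites-enabled/{{ item }}.conf` resp. `creates=…`, or manage the symlinks with `file:`. The suite still admits 3DES (`DES-CBC3-SHA`) and nothing sets `SSLHonorCipherOrder on`, so the careful ordering is not enforced server-side.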
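Review bot: `Order allow,deny` / `allow from all` is Apache 2.2 syntax that on the 2.4 shipped with current Debian only works through mod_access_compat; use `Require all granted` instead. The plain-HTTP vhost serves the full indexed tree with no redirect to HTTPS; if that is deliberate because updater clients fetch over HTTP and rely on the signed manifest, say so in the template (`# plain HTTP kept on purpose: autoupdater clients verify manifest signatures`), otherwise add `Redirect permanent / https://{{ inventory_hostname }}/`. The `<VirtualHost>`/`<Directory>` wrapper lines are not visible in this rendering, so their scope could not be checked.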
@@ -0,0 +1,36 @@ + + + ServerAdmin webmaster@freifunk-mwu.de + ServerName {{ inventory_hostname }} + + DocumentRoot /var/www/html/firmware + + + Options +Indexes +FollowSymlinks + IndexOptions FancyIndexing +FoldersFirst +HTMLTable +NameWidth=* + AllowOverride None + Order allow,deny + allow from all + + + SSLEngine on + SSLCertificateFile /etc/webcerts/{{ inventory_hostname }}/cert.pem + SSLCertificateKeyFile /etc/webcerts/{{ inventory_hostname }}/privkey.pem + SSLCertificateChainFile /etc/webcerts/{{ inventory_hostname }}/fullchain.pem + + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + + BrowserMatch "MSIE [2-6]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + # MSIE 7 and newer should be able to use keepalive + BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
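Review bot: `SSLCertificateChainFile /etc/webcerts/{{ inventory_hostname }}/fullchain.pem` — if these are Let's Encrypt-style files, as the names suggest, fullchain.pem already contains the leaf certificate and the server will send it twice; use `chain.pem` there, or on apache ≥ 2.4.8 drop `SSLCertificateChainFile` and point `SSLCertificateFile` at fullchain.pem. Nothing here sets `SSLHonorCipherOrder on`, so the ordered suite configured in web.yml is advisory only; add it next to `SSLEngine on`. The `BrowserMatch "MSIE [2-6]"`/`"MSIE [17-9]"` block is the Debian default-ssl boilerplate and can be removed, and `Order allow,deny` / `allow from all` should become `Require all granted` as in the http template. The `<VirtualHost>`/`<Directory>`/`<FilesMatch>` wrapper lines are not visible in this rendering.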