Merge branch 'master' of github.com:freifunk-mwu/ansible-ffmwu
concurrent edits
commit
fad4bdb191
16 changed files with 288 additions and 1 deletions
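--- /dev/null
+++ b/ffmwu-build.yml
@@ -0,0 +1,8 @@
+#!/usr/bin/ansible-playbook
+---
+- hosts: build-servers
+  remote_user: admin
+  strategy: linear
+
+  roles:
+    - ffmwu-build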
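--- /dev/null
+++ b/inventory/host_vars/milchreis.freifunk-mwu.de
@@ -0,0 +1,4 @@
+---
+
+h_v_add_auth_keys: |
+  ssh-rsa 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 maesto@GLaDOS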
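Review bot: The block scalar `h_v_add_auth_keys: |` is appended to `mwu_s_admin_keys` by plain string concatenation in the authorized_key task elsewhere in this commit, so the result is only well-formed if `mwu_s_admin_keys` itself ends with a newline; otherwise the last shared key and this `ssh-rsa` line merge into one invalid authorized_keys entry. That value is defined outside this commit, so it is worth confirming once. Because the authorized_key task uses `exclusive=True`, this host_vars file is the single place that grants the extra key access to the build server; a short comment naming owner and purpose, e.g. `# extra key for maesto: build-server access (ffmwu-build role)`, keeps that grant reviewable.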
@ -27,7 +27,9 @@ simple-ff-servers
[simple-ff-servers] # not meshing
[simple-ff-servers] # not meshing
linse.freifunk-mwu.de # ext. DNS-master
linse.freifunk-mwu.de # ext. DNS-master
#pudding.freifunk-mwu.de #
[build-servers]
milchreis.freifunk-mwu.de
[test-vms]
[test-vms]
local-test-vm.ffmwu.local ansible_host=192.168.137.7 require_dns=False
local-test-vm.ffmwu.local ansible_host=192.168.137.7 require_dns=False
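--- /dev/null
+++ b/roles/ffmwu-build/files/rsync.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=fast remote file copy program daemon
+ConditionPathExists=/etc/rsyncd.conf
+
+[Service]
+ExecStart=/usr/bin/rsync --daemon -6 --no-detach
+
+[Install]
+WantedBy=multi-user.target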
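Review bot: The `[Service]` section consists only of `ExecStart=/usr/bin/rsync --daemon -6 --no-detach`, so the daemon runs as root with no sandboxing; root is needed because the rsyncd.conf in this commit sets `use chroot = true`, but the unit can still add `PrivateTmp=yes` and `ProtectHome=yes` since the only served path is /var/www/html/firmware. `-6` makes rsync prefer IPv6 for its listening socket; whether IPv4 clients can still reach the module depends on the kernel's dual-stack behaviour, so the intent deserves a comment, e.g. `# -6: listen via IPv6 socket (build host is reached over v6)`. There is no `Restart=` line, so a crashed daemon stays down until the next playbook run.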
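--- /dev/null
+++ b/roles/ffmwu-build/files/rsyncd.conf
@@ -0,0 +1,17 @@
+use chroot = true
+
+max connections = 10
+timeout = 300
+
+transfer logging = false
+log file = /var/log/rsyncd.log
+
+[firmware]
+comment = gluon firmware builds
+path = /var/www/html/firmware
+read only = yes
+list = yes
+uid = nobody
+gid = nogroup
+strict modes = yes
+ignore nonreadable = yes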
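Review bot: `strict modes = yes` in the `[firmware]` module has no effect in this configuration: that parameter only governs the permission check on a `secrets file`, and no `auth users`/`secrets file` is defined, so the line states an intent it does not enforce and could be dropped or commented. Since there is also no `hosts allow`, the module is listable and readable by any client that reaches the daemon; that is presumably intended for public firmware builds but should be stated, e.g. `# public read-only module; anonymous access by design`. With `transfer logging = false` and only the global `log file`, connection events are recorded but not individual transfers, which limits what can be reconstructed if the host is ever abused as a download mirror.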
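--- /dev/null
+++ b/roles/ffmwu-build/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+- name: check apache syntax
+  shell: apachectl -t
+  become: true
+
+- name: restart systemd unit apache2
+  systemd: name=apache2 state=restarted
+  become: true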
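Review bot: `shell: apachectl -t` in the `check apache syntax` handler uses no shell feature, so `command: apachectl -t` is the safer equivalent (no shell interpretation, and linters flag `shell` used this way). The restart handler mixes key=value shorthand, `systemd: name=apache2 state=restarted`, with the block-style YAML used for `systemd:` in tasks/rsync.yml of the same role; writing it as `systemd:` / `name: apache2` / `state: restarted` keeps one style. Handlers run in the order they are defined here, so a failing syntax check should stop the host before the restart runs; that guard is worth a comment above the first handler, e.g. `# listed first on purpose: a failed check aborts before the restart handler`.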
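--- /dev/null
+++ b/roles/ffmwu-build/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - ffmwu-server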
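--- /dev/null
+++ b/roles/ffmwu-build/tasks/ecdsautils.yml
@@ -0,0 +1,28 @@
+---
+- name: checkout ecdsautils repo
+  git: repo=https://github.com/tcatm/ecdsautils.git
+    dest=/home/admin/clones/ecdsautils
+    version=v0.3.2
+
+- name: create build directory
+  file: path=/home/admin/clones/ecdsautils/build state=directory
+
+- name: build ecdsautils
+  shell: "{{ item }}"
+  args:
+    chdir: /home/admin/clones/ecdsautils/build
+  with_items:
+    - cmake ..
+    - make
+
+- name: install ecdsautils to /usr/local/bin
+  copy:
+    src: "{{ item }}"
+    dest: /usr/local/bin/
+    mode: 0755
+    remote_src: True
+  with_items:
+    - /home/admin/clones/ecdsautils/build/src/ecdsakeygen
+    - /home/admin/clones/ecdsautils/build/src/ecdsaverify
+    - /home/admin/clones/ecdsautils/build/src/ecdsasign
+  become: true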
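Review bot: `version=v0.3.2` in the `checkout ecdsautils repo` task pins to a git tag, and tags can be moved; the binaries built and installed here (`ecdsasign`, `ecdsakeygen`, `ecdsaverify`) are presumably what this build server uses to sign firmware, so pinning to the commit hash behind the tag, `version=<commit-sha-of-v0.3.2>`, gives a stronger supply-chain guarantee for the same effort. The `build ecdsautils` loop runs `cmake ..` and `make` on every play and always reports changed; adding `creates: /home/admin/clones/ecdsautils/build/src/ecdsasign` under `args:` makes it idempotent. In the install task, `mode: 0755` and `remote_src: True` are better written `mode: "0755"` and `remote_src: true`, which avoids octal and truthy parsing differences across YAML loaders.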
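--- /dev/null
+++ b/roles/ffmwu-build/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+- include: tasks/packages.yml
+- include: tasks/ecdsautils.yml
+- include: tasks/repos.yml
+- include: tasks/rsync.yml
+- include: tasks/web.yml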
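--- /dev/null
+++ b/roles/ffmwu-build/tasks/packages.yml
@@ -0,0 +1,31 @@
+---
+- name: add apt repository of neoraider
+  apt_repository: repo='deb https://repo.universe-factory.net/debian/ sid main' state=present filename='neoraider'
+  become: true
+
+- name: add apt-key of neoraider
+  apt_key: keyserver=keyserver.ubuntu.com id=16EF3F64CB201D9C state=present
+  become: true
+
+- name: install needed packages for build-server
+  apt:
+    state: present
+    name: "{{ item }}"
+    update_cache: yes
+    cache_valid_time: 21600
+  with_items:
+    - apache2
+    - apache2-utils
+    - build-essential
+    - cmake
+    - gawk
+    - git
+    - haveged
+    - libncurses5-dev
+    - libssl-dev
+    - libuecc-dev
+    - pkg-config
+    - subversion
+    - unzip
+    - zlib1g-dev
+  become: true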
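Review bot: The `add apt repository of neoraider` task runs before `add apt-key of neoraider`, and `apt_repository` refreshes the package cache by default, so the first run updates against a repository whose signing key is not yet trusted; swapping the two tasks (key first, repository second) removes that window and the NO_PUBKEY warning or failure it can produce depending on the apt version. The key is fetched from `keyserver.ubuntu.com` by a 64-bit id, `id=16EF3F64CB201D9C`; the keyserver channel itself is not authenticated, so `id` should carry the full 40-character fingerprint (the apt_key module documentation recommends this), or the key should be fetched over HTTPS from the repository owner with `url=`. `update_cache: yes` is better written `update_cache: true` to match the `become: true` booleans in the same file.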
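--- /dev/null
+++ b/roles/ffmwu-build/tasks/repos.yml
@@ -0,0 +1,4 @@
+---
+- name: checkout sites-ffmwu repo
+  git: repo=https://github.com/freifunk-mwu/sites-ffmwu.git
+    dest=/home/admin/clones/sites-ffmwu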
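Review bot: The `checkout sites-ffmwu repo` task has no `version=`, unlike the ecdsautils checkout in this commit, so every play follows the default branch head and the site definitions a build consumes can change underneath a run. Either pin it, `version=<branch-or-commit>`, or state that tracking HEAD is deliberate with a comment such as `# intentionally unpinned: builds always use the latest site config`.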
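--- /dev/null
+++ b/roles/ffmwu-build/tasks/rsync.yml
@@ -0,0 +1,15 @@
+---
+- name: install rsnycd configuration file
+  copy: src=rsyncd.conf dest=/etc/rsyncd.conf mode=640
+  become: true
+
+- name: install rsnyc systemd unit
+  copy: src=rsync.service dest=/etc/systemd/system/ mode=644
+  become: true
+
+- name: ensure rsync is started on boot as a daemon
+  systemd:
+    name: rsync
+    state: started
+    enabled: True
+  become: true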
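Review bot: The `install rsnyc systemd unit` task copies a unit into /etc/systemd/system/ but nothing reloads systemd before the `ensure rsync is started on boot as a daemon` task, so on a first run the manager may still use a stale or packaged unit; adding `daemon_reload: true` to that `systemd:` task closes the gap. The first two task names contain transposed letters (`rsnycd`, `rsnyc`). `enabled: True` should be `enabled: true`, and if the copy tasks are ever converted to block YAML the modes need quoting (`mode: "0640"`, `mode: "0644"`) to keep them octal.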
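--- /dev/null
+++ b/roles/ffmwu-build/tasks/web.yml
@@ -0,0 +1,90 @@
+---
+- name: ensure webroot owns by user/group admin
+  file: dest=/var/www/html owner=admin group=admin recurse=yes
+  become: true
+
+- name: enable apache module ssl
+  apache2_module: state=present name=ssl
+  become: true
+  notify:
+    - check apache syntax
+    - restart systemd unit apache2
+
+- name: disable default apache sites and unwanted default configs
+  shell: a2dissite "{{ item }}"
+  with_items:
+    - 000-default
+    - default-ssl
+  become: true
+  notify:
+    - check apache syntax
+    - restart systemd unit apache2
+
+- shell: a2disconf "{{ item }}"
+  with_items:
+    - other-vhosts-access-log.conf
+  become: true
+  notify:
+    - check apache syntax
+    - restart systemd unit apache2
+
+- name: configure apache ssl module settings
+  lineinfile: dest=/etc/apache2/mods-enabled/ssl.conf
+    regexp="^([\s\t]+)?SSLCipherSuite"
+    line="SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
+    state=present
+  become: true
+  notify:
+    - check apache syntax
+    - restart systemd unit apache2
+
+- lineinfile: dest=/etc/apache2/mods-available/ssl.conf
+    regexp="^([\s\t]+)?SSLProtocol"
+    line="SSLProtocol all -SSLv2 -SSLv3"
+    state=present
+  become: true
+  notify:
+    - check apache syntax
+    - restart systemd unit apache2
+
+- name: configure apache security settings
+  lineinfile: dest=/etc/apache2/conf-available/security.conf
+    regexp="^ServerTokens"
+    line="ServerTokens Prod"
+    state=present
+  become: true
+  notify:
+    - check apache syntax
+    - restart systemd unit apache2
+
+- lineinfile: dest=/etc/apache2/conf-available/security.conf
+    regexp="^ServerSignature"
+    line="ServerSignature EMail"
+    state=present
+  become: true
+  notify:
+    - check apache syntax
+    - restart systemd unit apache2
+
+- name: write ffmwu apache sites
+  template: src=ffmwu-default-http.conf.j2 dest=/etc/apache2/sites-available/ffmwu-default-http.conf
+  become: true
+  notify:
+    - check apache syntax
+    - restart systemd unit apache2
+
+- template: src=ffmwu-default-https.conf.j2 dest=/etc/apache2/sites-available/ffmwu-default-https.conf
+  become: true
+  notify:
+    - check apache syntax
+    - restart systemd unit apache2
+
+- name: enable ffmwu apache sites
+  shell: a2ensite "{{ item }}"
+  with_items:
+    - ffmwu-default-http
+    - ffmwu-default-https
+  become: true
+  notify:
+    - check apache syntax
+    - restart systemd unit apache2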
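Review bot: The two SSL `lineinfile` tasks edit the same Apache file through different paths, `dest=/etc/apache2/mods-enabled/ssl.conf` for `SSLCipherSuite` and `dest=/etc/apache2/mods-available/ssl.conf` for `SSLProtocol`; mods-enabled/ssl.conf is normally a symlink to the mods-available file, and whether lineinfile writes through the link or replaces it with a regular file depends on the Ansible version, so both tasks should use the mods-available path. `line="SSLProtocol all -SSLv2 -SSLv3"` still permits TLS 1.0 and 1.1, and the cipher string keeps `AES:CAMELLIA:DES-CBC3-SHA`, i.e. 3DES and non-forward-secret suites; unless legacy clients are known, `line="SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"` and dropping `DES-CBC3-SHA` is the usual hardening step. Four tasks (`- shell: a2disconf`, the `SSLProtocol` lineinfile, the `ServerSignature` lineinfile and the https `- template:`) have no `name:`, which makes play output and handler attribution hard to follow.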
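--- /dev/null
+++ b/roles/ffmwu-build/templates/ffmwu-default-http.conf.j2
@@ -0,0 +1,16 @@
+<VirtualHost *:80>
+    ServerName {{ inventory_hostname }}
+    ServerAdmin webmaster@freifunk-mwu.de
+
+    DocumentRoot /var/www/html/firmware
+
+    <Directory /var/www/html/firmware>
+        Options +Indexes +FollowSymlinks
+        IndexOptions FancyIndexing +FoldersFirst +HTMLTable +NameWidth=*
+        AllowOverride None
+        Order allow,deny
+        allow from all
+    </Directory>
+</VirtualHost>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet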
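Review bot: `Order allow,deny` / `allow from all` inside `<Directory /var/www/html/firmware>` is Apache 2.2 access-control syntax that works on 2.4 only while mod_access_compat is loaded; the 2.4 form is `Require all granted`. The same pair appears in ffmwu-default-https.conf.j2 in this commit. `Options +Indexes +FollowSymlinks` deliberately exposes a listing of the firmware tree, which is reasonable for a public download site but should be stated next to it, e.g. `# directory index is the download UI for firmware builds`.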
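--- /dev/null
+++ b/roles/ffmwu-build/templates/ffmwu-default-https.conf.j2
@@ -0,0 +1,36 @@
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+    ServerAdmin webmaster@freifunk-mwu.de
+    ServerName {{ inventory_hostname }}
+
+    DocumentRoot /var/www/html/firmware
+
+    <Directory /var/www/html/firmware>
+        Options +Indexes +FollowSymlinks
+        IndexOptions FancyIndexing +FoldersFirst +HTMLTable +NameWidth=*
+        AllowOverride None
+        Order allow,deny
+        allow from all
+    </Directory>
+
+    SSLEngine on
+    SSLCertificateFile /etc/webcerts/{{ inventory_hostname }}/cert.pem
+    SSLCertificateKeyFile /etc/webcerts/{{ inventory_hostname }}/privkey.pem
+    SSLCertificateChainFile /etc/webcerts/{{ inventory_hostname }}/fullchain.pem
+
+    <FilesMatch "\.(cgi|shtml|phtml|php)$">
+        SSLOptions +StdEnvVars
+    </FilesMatch>
+    <Directory /usr/lib/cgi-bin>
+        SSLOptions +StdEnvVars
+    </Directory>
+
+    BrowserMatch "MSIE [2-6]" \
+        nokeepalive ssl-unclean-shutdown \
+        downgrade-1.0 force-response-1.0
+    # MSIE 7 and newer should be able to use keepalive
+    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+</VirtualHost>
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet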
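Review bot: `SSLCertificateChainFile /etc/webcerts/{{ inventory_hostname }}/fullchain.pem` points the chain directive at a file that, if these names follow the common certbot layout (`cert.pem`, `privkey.pem`, `fullchain.pem`), already contains the leaf certificate, so the server would send the leaf twice; the intermediate-only file in that layout is `chain.pem`, or on Apache 2.4.8 and newer `SSLCertificateFile` can point at `fullchain.pem` and the chain directive be dropped. Nothing in this commit creates /etc/webcerts, so the vhost presumably relies on the `ffmwu-server` dependency from meta/main.yml or on manual provisioning; a comment such as `# certificates provisioned by <role-or-process>` would record that. The `BrowserMatch "MSIE [2-6]"` block is Debian boilerplate for browsers no longer in use and can be removed to keep the template minimal.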
@ -3,6 +3,9 @@
#- name: test key concatenation
#- name: test key concatenation
# debug: msg=" would/will set keys; {{ mwu_s_admin_keys ~ ( h_v_add_auth_keys | default('') ) }}"
# debug: msg=" would/will set keys; {{ mwu_s_admin_keys ~ ( h_v_add_auth_keys | default('') ) }}"
- name: ensure needed system users are present
user: name=admin comment="Freifunk MWU Admin" shell=/bin/bash state=present
- name: ensure all wanted ssh keys exclusively
- name: ensure all wanted ssh keys exclusively
authorized_key: exclusive=True state=present user=admin
authorized_key: exclusive=True state=present user=admin
key={{ mwu_s_admin_keys ~ ( h_v_add_auth_keys | default('') ) }}
key={{ mwu_s_admin_keys ~ ( h_v_add_auth_keys | default('') ) }}
@ -27,3 +30,10 @@
loop_control:
loop_control:
loop_var: mwu_s_item
loop_var: mwu_s_item
become: True
become: True
- name: ensure vim is default editor
alternatives: name=editor path=/usr/bin/vim.basic
# enable with ansible version 2.2
#- name: set timezone to Europe/Berlin
# timezone: name=Europe/Berlin