Merge branch 'master' of github.com:freifunk-mwu/ansible-ffmwu

concurrent edits
This commit is contained in:
kaba 2016-11-22 16:24:08 +01:00
commit fad4bdb191
16 changed files with 288 additions and 1 deletions

ffmwu-build.yml Executable file

@ -0,0 +1,8 @@
#!/usr/bin/ansible-playbook
---
- hosts: build-servers
remote_user: admin
strategy: linear
roles:
- ffmwu-build
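Review bot: `strategy: linear` is Ansible's default strategy, so the line adds nothing unless it is meant to pin behaviour against a future change of the default; either drop it or comment the intent, e.g. `# pinned on purpose: keep tasks in lockstep across build hosts`. `remote_user: admin` with no play-level `become` means every privileged step must carry its own `become`, which the ffmwu-build role tasks in this commit do, so that is consistent. The `#!/usr/bin/ansible-playbook` shebang matches the executable bit shown for the file.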


@ -0,0 +1,4 @@
---
h_v_add_auth_keys: |
ssh-rsa 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 maesto@GLaDOS
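Review bot: The public key added as `h_v_add_auth_keys` carries no comment saying whose access it grants or why this host needs a key beyond `mwu_s_admin_keys`; since the value is concatenated into the exclusive `authorized_key` list of the admin user (ffmwu-server tasks in this commit), a line such as `# extra admin login key for <owner>; review when rotating keys` above the variable keeps later access audits simple. The `|` block scalar keeps its trailing newline, which the concatenation `mwu_s_admin_keys ~ h_v_add_auth_keys` relies on only if `mwu_s_admin_keys` itself ends with a newline — worth confirming, because a missing separator would glue two keys onto one line and silently drop both.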


@ -27,7 +27,9 @@ simple-ff-servers
[simple-ff-servers] # not meshing [simple-ff-servers] # not meshing
linse.freifunk-mwu.de # ext. DNS-master linse.freifunk-mwu.de # ext. DNS-master
#pudding.freifunk-mwu.de #
[build-servers]
milchreis.freifunk-mwu.de
[test-vms] [test-vms]
local-test-vm.ffmwu.local ansible_host=192.168.137.7 require_dns=False local-test-vm.ffmwu.local ansible_host=192.168.137.7 require_dns=False


@ -0,0 +1,9 @@
[Unit]
Description=fast remote file copy program daemon
ConditionPathExists=/etc/rsyncd.conf
[Service]
ExecStart=/usr/bin/rsync --daemon -6 --no-detach
[Install]
WantedBy=multi-user.target
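Review bot: The `[Unit]` section has no ordering against the network, so `rsync --daemon -6` can be started before an IPv6 address is configured; add `After=network.target` under `[Unit]`. `ConditionPathExists=/etc/rsyncd.conf` makes the unit skip quietly rather than fail when the config is absent, which is fine as long as the playbook installs the config before enabling the unit — the rsync task file in this commit does. A `Restart=on-failure` in `[Service]` would bring the daemon back after a crash instead of leaving the mirror down until the next play.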


@ -0,0 +1,17 @@
use chroot = true
max connections = 10
timeout = 300
transfer logging = false
log file = /var/log/rsyncd.log
[firmware]
comment = gluon firmware builds
path = /var/www/html/firmware
read only = yes
list = yes
uid = nobody
gid = nogroup
strict modes = yes
ignore nonreadable = yes
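Review bot: The `[firmware]` module has no `hosts allow` or `address` restriction, so the daemon serves any IPv6 client that reaches it; that is consistent with a public firmware mirror, but a comment stating the intent, `# public read-only mirror; deliberately no hosts allow`, prevents a later hardening pass from breaking downloads. `use chroot = true`, `read only = yes` and `uid = nobody` / `gid = nogroup` are the right shape for an anonymous module. With `transfer logging = false` only daemon-level messages reach `/var/log/rsyncd.log`; if per-download statistics are wanted for the mirror, `transfer logging` has to be enabled.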


@ -0,0 +1,8 @@
---
- name: check apache syntax
shell: apachectl -t
become: true
- name: restart systemd unit apache2
systemd: name=apache2 state=restarted
become: true
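Review bot: `shell: apachectl -t` in the first handler uses no shell features, so `command: apachectl -t` is the more precise module and avoids spawning a shell for a fixed command. The handler order is load-bearing: a failing syntax check fails the host, which is what keeps the `restart systemd unit apache2` handler from restarting apache with a broken config; a comment above the first handler, `# keep before the restart handler: a failing check aborts the host before apache is restarted`, would protect that ordering from a future reshuffle.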


@ -0,0 +1,3 @@
---
dependencies:
- ffmwu-server


@ -0,0 +1,28 @@
---
- name: checkout ecdsautils repo
git: repo=https://github.com/tcatm/ecdsautils.git
dest=/home/admin/clones/ecdsautils
version=v0.3.2
- name: create build directory
file: path=/home/admin/clones/ecdsautils/build state=directory
- name: build ecdsautils
shell: "{{ item }}"
args:
chdir: /home/admin/clones/ecdsautils/build
with_items:
- cmake ..
- make
- name: install ecdsautils to /usr/local/bin
copy:
src: "{{ item }}"
dest: /usr/local/bin/
mode: 0755
remote_src: True
with_items:
- /home/admin/clones/ecdsautils/build/src/ecdsakeygen
- /home/admin/clones/ecdsautils/build/src/ecdsaverify
- /home/admin/clones/ecdsautils/build/src/ecdsasign
become: true
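Review bot: The `build ecdsautils` task runs `cmake ..` and `make` through `shell: "{{ item }}"` on every play, so it is never idempotent and reports changed each run; add `creates: /home/admin/clones/ecdsautils/build/src/ecdsasign` next to `chdir` under `args` and use `command`, since no shell features are involved. `mode: 0755` in the copy task is an unquoted octal literal that PyYAML reads as an integer — write `mode: "0755"` so the intent survives YAML parsing and lint, and `remote_src: True` should be lowercase `true` like the rest of the file. Pinning the checkout to the tag `v0.3.2` is good, but tags can be moved; pinning `version` to the commit hash behind that tag makes the build of a signing tool reproducible.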


@ -0,0 +1,6 @@
---
- include: tasks/packages.yml
- include: tasks/ecdsautils.yml
- include: tasks/repos.yml
- include: tasks/rsync.yml
- include: tasks/web.yml


@ -0,0 +1,31 @@
---
- name: add apt repository of neoraider
apt_repository: repo='deb https://repo.universe-factory.net/debian/ sid main' state=present filename='neoraider'
become: true
- name: add apt-key of neoraider
apt_key: keyserver=keyserver.ubuntu.com id=16EF3F64CB201D9C state=present
become: true
- name: install needed packages for build-server
apt:
state: present
name: "{{ item }}"
update_cache: yes
cache_valid_time: 21600
with_items:
- apache2
- apache2-utils
- build-essential
- cmake
- gawk
- git
- haveged
- libncurses5-dev
- libssl-dev
- libuecc-dev
- pkg-config
- subversion
- unzip
- zlib1g-dev
become: true
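Review bot: The `apt_repository` task runs before the `apt_key` task that imports the repository's signing key, and `apt_repository` refreshes the apt cache by default, so the first run contacts `repo.universe-factory.net` as an unsigned source and fails or warns; swap the two tasks so the key is present first. `id=16EF3F64CB201D9C` is a 64-bit key id fetched from a keyserver; prefer the full 40-hex fingerprint in `id` (or `url=` over https if the project publishes the key) so a colliding key cannot be imported. `update_cache: yes` should be `true`, and `name: "{{ item }}"` with `with_items` can be replaced by passing the list directly to `name`, which lets apt install everything in one transaction.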


@ -0,0 +1,4 @@
---
- name: checkout sites-ffmwu repo
git: repo=https://github.com/freifunk-mwu/sites-ffmwu.git
dest=/home/admin/clones/sites-ffmwu
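Review bot: The `sites-ffmwu` checkout has no `version`, so every run follows the remote default branch and the build host picks up whatever is pushed there without review; either pin `version` to a branch or tag deliberately, or comment that tracking the default branch is intended, e.g. `# intentionally tracks the default branch: site config is expected to be current`. The `ecdsautils` task file in this commit does pin its checkout, so the two task files should at least agree on the policy.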


@ -0,0 +1,15 @@
---
- name: install rsnycd configuration file
copy: src=rsyncd.conf dest=/etc/rsyncd.conf mode=640
become: true
- name: install rsnyc systemd unit
copy: src=rsync.service dest=/etc/systemd/system/ mode=644
become: true
- name: ensure rsync is started on boot as a daemon
systemd:
name: rsync
state: started
enabled: True
become: true
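Review bot: The `systemd` task (`name: rsync`) starts a unit that the previous task just copied into `/etc/systemd/system/`, but without `daemon_reload: true` systemd may not know the unit yet on the first run and `state: started` fails; add `daemon_reload: true` to that task. The first two task names read `rsnycd` and `rsnyc` — `rsyncd` and `rsync`. `enabled: True` should be `true` to match the rest of the role.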


@ -0,0 +1,90 @@
---
- name: ensure webroot owns by user/group admin
file: dest=/var/www/html owner=admin group=admin recurse=yes
become: true
- name: enable apache module ssl
apache2_module: state=present name=ssl
become: true
notify:
- check apache syntax
- restart systemd unit apache2
- name: disable default apache sites and unwanted default configs
shell: a2dissite "{{ item }}"
with_items:
- 000-default
- default-ssl
become: true
notify:
- check apache syntax
- restart systemd unit apache2
- shell: a2disconf "{{ item }}"
with_items:
- other-vhosts-access-log.conf
become: true
notify:
- check apache syntax
- restart systemd unit apache2
- name: configure apache ssl module settings
lineinfile: dest=/etc/apache2/mods-enabled/ssl.conf
regexp="^([\s\t]+)?SSLCipherSuite"
line="SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
state=present
become: true
notify:
- check apache syntax
- restart systemd unit apache2
- lineinfile: dest=/etc/apache2/mods-available/ssl.conf
regexp="^([\s\t]+)?SSLProtocol"
line="SSLProtocol all -SSLv2 -SSLv3"
state=present
become: true
notify:
- check apache syntax
- restart systemd unit apache2
- name: configure apache security settings
lineinfile: dest=/etc/apache2/conf-available/security.conf
regexp="^ServerTokens"
line="ServerTokens Prod"
state=present
become: true
notify:
- check apache syntax
- restart systemd unit apache2
- lineinfile: dest=/etc/apache2/conf-available/security.conf
regexp="^ServerSignature"
line="ServerSignature EMail"
state=present
become: true
notify:
- check apache syntax
- restart systemd unit apache2
- name: write ffmwu apache sites
template: src=ffmwu-default-http.conf.j2 dest=/etc/apache2/sites-available/ffmwu-default-http.conf
become: true
notify:
- check apache syntax
- restart systemd unit apache2
- template: src=ffmwu-default-https.conf.j2 dest=/etc/apache2/sites-available/ffmwu-default-https.conf
become: true
notify:
- check apache syntax
- restart systemd unit apache2
- name: enable ffmwu apache sites
shell: a2ensite "{{ item }}"
with_items:
- ffmwu-default-http
- ffmwu-default-https
become: true
notify:
- check apache syntax
- restart systemd unit apache2
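Review bot: The first `lineinfile` under `configure apache ssl module settings` targets `/etc/apache2/mods-enabled/ssl.conf`, which on Debian is a symlink into `mods-available/`; `lineinfile` does not follow symlinks unless `follow=yes`, so the edit replaces the symlink with a regular file and detaches it from `mods-available/ssl.conf`, which the very next task then edits separately. Point both tasks at `/etc/apache2/mods-available/ssl.conf`. The `a2dissite`, `a2disconf` and `a2ensite` shell tasks report changed on every run and therefore restart apache on every run through their notify lists; add `args:` with `creates: /etc/apache2/sites-enabled/{{ item }}.conf` to the `a2ensite` task and the matching `removes:` on the `sites-enabled` / `conf-enabled` symlink to the two disable tasks. The cipher list still permits `DES-CBC3-SHA` (3DES) and `SSLProtocol all -SSLv2 -SSLv3` leaves TLS 1.0/1.1 enabled; defensible as a compatibility choice at the time, but a comment naming the policy source makes it easy to refresh later.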


@ -0,0 +1,16 @@
<VirtualHost *:80>
ServerName {{ inventory_hostname }}
ServerAdmin webmaster@freifunk-mwu.de
DocumentRoot /var/www/html/firmware
<Directory /var/www/html/firmware>
Options +Indexes +FollowSymlinks
IndexOptions FancyIndexing +FoldersFirst +HTMLTable +NameWidth=*
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
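Review bot: `Order allow,deny` / `allow from all` in the `<Directory>` block is Apache 2.2 access-control syntax; on Apache 2.4 it only works while `mod_access_compat` is loaded, so the 2.4 form `Require all granted` should replace both lines (the https template in this commit has the same block). `Options +Indexes +FollowSymlinks` publishes a directory listing of the firmware tree, which looks deliberate for a download mirror; a one-line comment above the block saying so would stop a later hardening pass from removing it.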


@ -0,0 +1,36 @@
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@freifunk-mwu.de
ServerName {{ inventory_hostname }}
DocumentRoot /var/www/html/firmware
<Directory /var/www/html/firmware>
Options +Indexes +FollowSymlinks
IndexOptions FancyIndexing +FoldersFirst +HTMLTable +NameWidth=*
AllowOverride None
Order allow,deny
allow from all
</Directory>
SSLEngine on
SSLCertificateFile /etc/webcerts/{{ inventory_hostname }}/cert.pem
SSLCertificateKeyFile /etc/webcerts/{{ inventory_hostname }}/privkey.pem
SSLCertificateChainFile /etc/webcerts/{{ inventory_hostname }}/fullchain.pem
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
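Review bot: `SSLCertificateChainFile` points at `fullchain.pem` while `SSLCertificateFile` points at `cert.pem`; if these follow the certbot layout the names suggest, `fullchain.pem` already contains the leaf certificate and the leaf is sent twice in the handshake — either use `chain.pem` as the chain file, or set `SSLCertificateFile` to `fullchain.pem` and drop the chain directive (Apache 2.4.8+). The `/etc/webcerts/{{ inventory_hostname }}/` files are not created by this role, so `apachectl -t` in the handler will fail on a host without certificates; a comment naming which role or process provisions them would help the next reader. The `BrowserMatch "MSIE [2-6]"` / `ssl-unclean-shutdown` stanzas are the Debian `default-ssl` boilerplate and can be dropped from a firmware mirror's vhost.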


@ -3,6 +3,9 @@
#- name: test key concatenation #- name: test key concatenation
# debug: msg=" would/will set keys; {{ mwu_s_admin_keys ~ ( h_v_add_auth_keys | default('') ) }}" # debug: msg=" would/will set keys; {{ mwu_s_admin_keys ~ ( h_v_add_auth_keys | default('') ) }}"
- name: ensure needed system users are present
user: name=admin comment="Freifunk MWU Admin" shell=/bin/bash state=present
- name: ensure all wanted ssh keys exclusively - name: ensure all wanted ssh keys exclusively
authorized_key: exclusive=True state=present user=admin authorized_key: exclusive=True state=present user=admin
key={{ mwu_s_admin_keys ~ ( h_v_add_auth_keys | default('') ) }} key={{ mwu_s_admin_keys ~ ( h_v_add_auth_keys | default('') ) }}
@ -27,3 +30,10 @@
loop_control: loop_control:
loop_var: mwu_s_item loop_var: mwu_s_item
become: True become: True
- name: ensure vim is default editor
alternatives: name=editor path=/usr/bin/vim.basic
# enable with ansible version 2.2
#- name: set timezone to Europe/Berlin
# timezone: name=Europe/Berlin
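Review bot: The new `user: name=admin ...` task and the `alternatives: name=editor ...` task both change system state that needs root, yet neither carries `become: True` while the neighbouring `authorized_key` task does; unless the ffmwu-server play enables become globally (not visible here), add `become: True` to both. Creating the admin user before the exclusive `authorized_key` task is the right order, since `authorized_key` requires the user to exist. The commented-out `timezone` task notes it needs Ansible 2.2; a `# TODO(ansible>=2.2): enable timezone task` marker would make it easy to find once the controller is upgraded.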