pvc-ansible/roles/base/tasks/main.yml

---
#
# First run check
#
- name: check if this is a new instance
  shell: "echo 'bootstrapped' > /etc/pvc-install.base"
  args:
    creates: /etc/pvc-install.base
  register: newhost_check
  tags: always

- name: set newhost fact
  set_fact:
    newhost: yes
  when: newhost_check.changed
  tags: always

#
# Remove obsolete issue-gen
#
- name: remove obsolete issue-gen script from PVC installer
  file:
    dest: /etc/network/if-up.d/issue-gen
    state: absent
  when: newhost is defined and newhost
  tags: always

#
# Install custom fact scripts
#
- name: create facts directory
  file:
    dest: "/etc/ansible/facts.d"
    state: directory
    recurse: yes
  tags: base-ansible

- name: install custom facts
  template:
    src: "etc/ansible/facts.d/{{ item }}.fact.j2"
    dest: "/etc/ansible/facts.d/{{ item }}.fact"
    mode: 0755
  register: installed_facts
  with_items:
    - host_id
    - host_group
    - dhcp_status
  tags: base-ansible

- name: regather facts
  setup:
  when: installed_facts.changed
  tags: base-ansible

- debug:
    var: ansible_local.host_group
    verbosity: 1
  tags: always
  
- debug:
    var: ansible_local.host_id
    verbosity: 1
  tags: always
  
- debug:
    var: ansible_local.dhcp_status
    verbosity: 1
  tags: always

#
# Configure APT
#

- name: install apt config files
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  with_items:
    - { src: "etc/apt/apt.conf.d/10norecommends.j2", dest: "/etc/apt/apt.conf.d/10norecommends" }
    - { src: "etc/apt/preferences.d/pins.j2", dest: "/etc/apt/preferences.d/pins" }
    - { src: "etc/apt/sources.list.{{ ansible_machine }}.{{ ansible_lsb.codename }}.j2", dest: "/etc/apt/sources.list" }
  tags: base-apt

- name: add key for bonilan repo
  apt_key:
    url: "https://repo.bonifacelabs.net/debian/bonifacelabs_signing_key.pub"
    id: "83D07192314835D4"
    state: present
  tags: base-apt

#
# Safe apt upgrades (on first install only)
#

- name: apt update
  apt:
    update-cache: yes
  when: newhost is defined and newhost
  tags: base-apt

- name: aptitude safe upgrade with autoremove
  apt:
    update_cache: yes
    autoremove: yes
    upgrade: safe
  when: newhost is defined and newhost
  tags: base-apt

- name: install dbus
  apt:
    name:
      - dbus
    state: latest
  when: newhost is defined and newhost
  tags: base-apt

- name: clean out apt cache
  file:
    path: "/var/cache/apt/archives"
    state: absent
  when: newhost is defined and newhost
  tags: base-apt

#
# Purge unneeded packages
#

- name: remove unneeded packages
  apt:
    name:
      - exim4
      - exim4-base
      - exim4-config
      - exim4-daemon-light
      - joe
    state: absent
    purge: yes
    autoremove: yes
  tags: base-packages

- name: set override debconf selections
  shell: 'echo "{{ item }}" | debconf-set-selections'
  with_items:
    - "wireshark-common wireshark-common/install-setuid boolean true"
  tags: base-packages

- name: install common packages (all arch)
  apt:
    name:
      - debconf-utils
      - iptables
      - locales
      - acpid
      - acpi-support-base
      - rsync
      - bash
      - bash-completion
      - net-tools
      - pciutils
      - usbutils
      - check-mk-agent
      - dns-root-data
      - bind9-host
      - dnsutils
      - whois
      - postfix
      - ntp
      - openssh-client
      - openssh-server
      - libpam-systemd
      - fail2ban
      - ca-certificates
      - openssl
      - sudo
      - rsyslog
      - logrotate
      - man
      - less
      - vim
      - nano
      - git
      - vlan
      - bridge-utils
      - ifenslave
      - nmap
      - netcat-openbsd
      - htop
      - psmisc
      - dstat
      - iotop
      - lsof
      - jnettop
      - iperf
      - sysstat
      - binutils
      - deborphan
      - wget
      - curl
      - gawk
      - uuid-runtime
      - mmv
      - pv
      - bc
      - reptyr
      - sharutils
      - tcptraceroute
      - nethogs
      - strace
      - tshark
      - acl
      - bzip2
      - lzop
      - xz-utils
      - haveged
      - linux-image-amd64
      - linux-headers-amd64
  tags: base-packages

- name: install cleanup scripts
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: 0755
  with_items:
    - { src: "usr/local/sbin/kernel-cleanup.sh.j2", dest: "/usr/local/sbin/kernel-cleanup.sh" }
    - { src: "usr/local/sbin/dpkg-cleanup.sh.j2", dest: "/usr/local/sbin/dpkg-cleanup.sh" }
  tags: base-packages

#
# System configuration
#

# networking
- name: install base interfaces file
  template:
    src: etc/network/interfaces.j2
    dest: /etc/network/interfaces
  tags: base-network

- name: install per-interface files
  template:
    src: etc/network/interfaces-perif.j2
    dest: /etc/network/interfaces.d/{{ network.key }}
  with_dict: "{{ networks }}"
  loop_control:
    loop_var: network
  tags: base-network

# locale
- name: install locale config files
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  notify:
    - generate locales
  with_items:
    - { src: "etc/default/locale.j2", dest: "/etc/default/locale" }
    - { src: "etc/locale.gen.j2", dest: "/etc/locale.gen" }
  tags: base-system

- name: set timezone
  file:
    src: /usr/share/zoneinfo/{{ timezone_location }}
    dest: /etc/localtime
    state: link
    force: yes
  tags: base-system

# sysctl
- name: install sysctl tweaks
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  with_items:
    - { src: "etc/sysctl.d/pvc.conf.j2", dest: "/etc/sysctl.d/pvc.conf" }
  tags: base-system

- name: activate sysctl tweaks
  shell: "sysctl -p {{ item }}"
  with_items:
    - /etc/sysctl.d/pvc.conf
  tags: base-system

# sudo
- name: write the sudoers file
  template:
    src: "etc/sudoers.j2"
    dest: "/etc/sudoers"
    mode: 0440
  tags: base-system

# dns
- name: write the hosts config
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  with_items:
    - { src: "etc/hosts.j2", dest: "/etc/hosts" }
  tags: base-dns

- name: write the resolver configs
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  with_items:
    - { src: "etc/resolv.conf.j2", dest: "/etc/resolv.conf" }
    - { src: "etc/dhcp/dhclient-enter-hooks.d/noresolv.j2", dest: "/etc/dhcp/dhclient-enter-hooks.d/noresolv" }
  tags: base-dns

# syslog
- name: install rsyslog and logrotate configs
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  notify:
    - restart rsyslog
  with_items:
    - { src: "etc/rsyslog.conf.j2", dest: "/etc/rsyslog.conf" }
    - { src: "etc/logrotate.d/rsyslog.j2", dest: "/etc/logrotate.d/rsyslog" }
  tags: base-syslog

- name: set journalctl persistence
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: 0644
  with_items:
    - { src: "etc/systemd/journald.conf.j2", dest: "/etc/systemd/journald.conf" }
  tags: base-syslog

# cron
- name: install crontab
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: 0755
  with_items:
    - { src: "etc/crontab.j2", dest: "/etc/crontab" }
  tags: base-cron

# mta
- name: install postfix generic config
  template:
    src: "etc/postfix/main.cf.j2"
    dest: "/etc/postfix/main.cf"
  notify:
    - restart postfix
  tags: base-mta

- name: touch the postfix aliases file
  file:
    dest: /etc/postfix/aliases
    state: touch
  tags: base-mta

- name: install local alias maps for various users
  lineinfile:
    dest: "/etc/aliases"
    regexp: "^{{ item }}:"
    line: "{{ item }}: {{ username_email_root }}"
    state: present
  with_items:
    - root
    - postmaster
    - amavis
    - clamav
  notify:
    - newaliases
  tags: base-mta

# ntp
- name: write the NTP config file
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  notify:
    - restart ntp
  with_items:
    - { src: "etc/ntp.conf.j2", dest: "/etc/ntp.conf" }
  tags: base-time

# ssl
- name: ensure haveged is running
  service:
    name: haveged
    state: started
  tags: base-ssl

- name: generate diffie-hellman parameters
  command: openssl dhparam -out /etc/ssl/dhparams.pem 2048
  args:
    creates: /etc/ssl/dhparams.pem
  tags: base-ssl

- name: correct permissions on dhparams
  file:
    dest: /etc/ssl/dhparams.pem
    mode: 0440
  tags: base-ssl

# ssh
- name: write the sshd_config files
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  notify:
    - restart ssh
  with_items:
    - { src: 'etc/ssh/ssh_config.j2', dest: '/etc/ssh/ssh_config' }
    - { src: 'etc/ssh/sshd_config.j2', dest: '/etc/ssh/sshd_config' }
    - { src: 'etc/ssh/shosts.equiv.j2', dest: '/etc/ssh/shosts.equiv' }
    - { src: 'etc/ssh/ssh_known_hosts.j2', dest: '/etc/ssh/ssh_known_hosts' }
  tags: base-ssh

- name: write sshd pam.d config
  template:
    src: "etc/pam.d/sshd.j2"
    dest: "/etc/pam.d/sshd"
  tags: base-ssh

- name: remove unneeded SSH keys (leave only RSA and ED25519)
  file:
    name: "{{ item }}"
    state: "absent"
  with_items:
    - /etc/ssh/ssh_host_dsa_key
    - /etc/ssh/ssh_host_dsa_key.pub
    - /etc/ssh/ssh_host_ecdsa_key
    - /etc/ssh/ssh_host_ecdsa_key.pub
  notify:
    - restart ssh
  tags: base-ssh

- name: set permissions on rsa and ed25519 host keys (just in case they're wrong)
  file:
    name: "/etc/ssh/{{ item.name }}"
    mode: "{{ item.mode }}"
  with_items:
    - { name: 'ssh_host_rsa_key', mode: '600' }
    - { name: 'ssh_host_rsa_key.pub', mode: '644' }
    - { name: 'ssh_host_ed25519_key', mode: '600' }
    - { name: 'ssh_host_ed25519_key.pub', mode: '644' }
  tags: base-ssh

# bash
- name: write the bash.bashrc config file
  template:
    src: "etc/bash.bashrc.j2"
    dest: "/etc/bash.bashrc"
  tags: base-shell

# motd
- name: ensure update-motd and profile.d scripts are present
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: 0755
  with_items:
    - { src: "usr/local/sbin/update-motd.sh.j2", dest: "/usr/local/sbin/update-motd.sh" }
    - { src: "etc/profile.d/w.sh.j2", dest: "/etc/profile.d/w.sh" }
    - { src: "etc/profile.d/pvc.sh.j2", dest: "/etc/profile.d/zzz_pvc.sh" }
  tags: base-shell

- name: install update-motd crontab
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: 0644
  with_items:
    - { src: "etc/cron.d/update-motd.j2", dest: "/etc/cron.d/update-motd" }
  tags: base-shell

- name: ensure /etc/motd is absent
  file:
    dest: "/etc/motd"
    state: absent
  tags: base-shell

# fail2ban
- name: install fail2ban configurations
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: 0644
  notify: restart fail2ban
  with_items:
    - { src: "etc/fail2ban/action.d/route.conf.j2", dest: "/etc/fail2ban/action.d/route.conf" }
    - { src: "etc/fail2ban/filter.d/sshd.conf.j2", dest: "/etc/fail2ban/filter.d/sshd.conf" }
    - { src: "etc/fail2ban/jail.d/sshd.conf.j2", dest: "/etc/fail2ban/jail.d/sshd.conf" }
    - { src: "etc/fail2ban/jail.d/sshd.local.j2", dest: "/etc/fail2ban/jail.d/sshd.local" }
  tags: base-fail2ban

# check-mk-agent
- name: install check_mk agent plugins
  copy:
    src: "usr/lib/check_mk_agent/plugins/{{ item }}"
    dest: "/usr/lib/check_mk_agent/plugins/{{ item }}"
    mode: 0755
  with_items:
    - backup
    - cephfsmounts
    - dpkg
    - entropy
    - freshness
    - kernelversion
    - ownership
  tags: base-cmkagent

# backups
- name: create backup directory
  file:
    dest: /srv/backups
    state: directory
  tags: base-backups

- name: install daily backup script
  template:
    src: etc/cron.daily/pvc-backup.j2
    dest: /etc/cron.daily/pvc-backup
    mode: 0755
  tags: base-backups

- name: install IPMI network interfaces fragment
  template:
    src: etc/network/interfaces.d/ipmi.j2
    dest: /etc/network/interfaces.d/ipmi
  tags: base-ipmi

- name: configure IPMI username
  command: "ipmitool user set name {{ ipmi_user_configuration[cluster_hardware][item]['id'] }} {{ ipmi_user_configuration[cluster_hardware][item]['username'] }}"
  with_items:
    - "admin"
    - "pvc"
  tags: base-ipmi

- name: configure IPMI password
  command: "ipmitool user set password {{ ipmi_user_configuration[cluster_hardware][item]['id'] }} {{ ipmi_user_configuration[cluster_hardware][item]['password'] }}"
  with_items:
    - "admin"
    - "pvc"
  tags: base-ipmi

- name: configure IPMI role
  command: "ipmitool user priv {{ ipmi_user_configuration[cluster_hardware][item]['id'] }} {{ ipmi_user_configuration[cluster_hardware][item]['role'] }} {{ ipmi_user_configuration[cluster_hardware]['channel'] }}"
  with_items:
    - "admin"
    - "pvc"
  tags: base-ipmi

- name: enable IPMI user
  command: "ipmitool user enable {{ ipmi_user_configuration[cluster_hardware][item]['id'] }}"
  with_items:
    - "admin"
    - "pvc"
  tags: base-ipmi

#
# Configure users
#

# common
- name: ensure /var/home exists
  file:
    state: directory
    dest: /var/home
  tags:
    - users

# root
- name: generate Root password hash
  command: "mkpasswd --method=sha512crypt {{ root_password }}"
  no_log: true
  register: mkpasswd
  tags:
    - users
    - user-root

- name: set Root password
  user:
    name: root
    password: "{{ mkpasswd.stdout }}"
  tags:
    - users
    - user-root

- name: remove Root known_hosts
  file:
    state: absent
    dest: /root/.ssh/known_hosts
  tags:
    - users
    - user-root

- name: write vimrc to root homedir
  template:
    src: var/home/user/vimrc.j2
    dest: /root/.vimrc
    mode: 0600
  tags:
    - users
    - user-root

- name: create vimdir
  file:
    state: directory
    dest: /root/.vim
    mode: 0700
  tags:
    - users
    - user-root

- name: write htoprc to homedir
  template:
    src: var/home/user/config/htop/htoprc.j2
    dest: /root/.htoprc
    mode: 0600
  tags:
    - users
    - user-root

# backup
- name: ensure backup user has shell
  user:
    name: backup
    shell: /bin/sh
  tags:
    - users
    - user-backup

- name: create backup .ssh directory
  file:
    path: /var/backups/.ssh
    state: directory
    owner: backup
    group: root
    mode: 0700
  tags:
    - users
    - user-backup

- name: create backup authorized_keys file
  template:
    src: var/backups/ssh/authorized_keys.j2
    dest: /var/backups/.ssh/authorized_keys
    owner: backup
    group: root
    mode: 0640
  tags:
    - users
    - user-backup

- name: write the sudoers file
  template:
    src: etc/sudoers.d/sudoers-backup.j2
    dest: /etc/sudoers.d/backup
  tags:
    - users
    - user-backup

- name: install the post-backup timestamp script
  template:
    src: var/backups/timestamp.sh.j2
    dest: /var/backups/timestamp.sh
    mode: 0755
  tags:
    - users
    - user-backup

- name: touch shares file
  file:
    dest: /var/backups/shares
    state: touch
    owner: backup
  tags:
    - users
    - user-backup

# deploy
- name: ensure user deploy exists
  user:
    name: "{{ deploy_username }}"
    uid: 200
    group: operator
    shell: /bin/bash
    home: "/var/home/{{ deploy_username }}"
    createhome: yes
    move_home: yes
    state: present
    append: yes
  tags:
    - users
    - user-deploy

- name: ensure homedir has right permissions
  file:
    dest: "/var/home/{{ deploy_username }}"
    state: directory
    owner: "{{ deploy_username }}"
    group: operator
    mode: 0700
  tags:
    - users
    - user-deploy

- name: ensure .ssh directory exists
  file:
    dest: "/var/home/{{ deploy_username }}/.ssh"
    state: directory
    owner: "{{ deploy_username }}"
    group: operator
    mode: 0700
  tags:
    - users
    - user-deploy

- name: add authorized keys
  authorized_key:
    user: "{{ deploy_username }}"
    key: "{{ item.1 }}"
  with_subelements:
    - "{{ admin_users }}"
    - keys
  tags:
    - users
    - user-deploy

# admin_users
- name: ensure user exists
  user:
    name: "{{ item.name }}"
    uid: "{{ item.uid }}"
    group: operator
    groups: sudo,adm,wireshark
    shell: /bin/bash
    home: "/var/home/{{ item.name }}"
    createhome: yes
    state: present
    append: yes
  with_items: "{{ admin_users }}"
  tags:
    - users
    - user-admin

- name: ensure homedir has right permissions
  file:
    dest: "/var/home/{{ item.name }}"
    state: directory
    owner: "{{ item.name }}"
    group: operator
    mode: 0700
  with_items: "{{ admin_users }}"
  tags:
    - users
    - user-admin

- name: ensure .ssh directory exists
  file:
    dest: "/var/home/{{ item.name }}/.ssh"
    state: directory
    owner: "{{ item.name }}"
    group: operator
    mode: 0700
  with_items: "{{ admin_users }}"
  tags:
    - users
    - user-admin

- name: add authorized keys
  authorized_key:
    user: "{{ item.0.name }}"
    key: "{{ item.1 }}"
  with_subelements:
    - "{{ admin_users }}"
    - keys
  tags:
    - users
    - user-admin

- name: write bashrc to homedir
  template:
    src: var/home/user/bashrc.j2
    dest: "/var/home/{{ item.name }}/.bashrc"
    owner: "{{ item.name }}"
    group: operator
    mode: 0700
  with_items: "{{ admin_users }}"
  tags:
    - users
    - user-admin

- name: write bash_logout to homedir
  template:
    src: var/home/user/bash_logout.j2
    dest: "/var/home/{{ item.name }}/.bash_logout"
    owner: "{{ item.name }}"
    group: operator
    mode: 0700
  with_items: "{{ admin_users }}"
  tags:
    - users
    - user-admin

- name: ensure htop config directory exists
  file:
    dest: "/var/home/{{ item.name }}/.config/htop"
    state: directory
    owner: "{{ item.name }}"
    group: operator
    mode: 0755
  with_items: "{{ admin_users }}"
  tags:
    - users
    - user-admin

- name: write htoprc to homedir
  template:
    src: var/home/user/config/htop/htoprc.j2
    dest: "/var/home/{{ item.name }}/.config/htop/htoprc"
    owner: "{{ item.name }}"
    group: operator
    mode: 0644
  with_items: "{{ admin_users }}"
  tags:
    - users
    - user-admin

- name: write profile to homedir
  template:
    src: var/home/user/profile.j2
    dest: "/var/home/{{ item.name }}/.profile"
    owner: "{{ item.name }}"
    group: operator
    mode: 0700
  with_items: "{{ admin_users }}"
  tags:
    - users
    - user-admin

- name: write vimrc to homedir
  template:
    src: var/home/user/vimrc.j2
    dest: "/var/home/{{ item.name }}/.vimrc"
    owner: "{{ item.name }}"
    group: operator
    mode: 0600
  with_items: "{{ admin_users }}"
  tags:
    - users
    - user-admin

- name: create vimdir
  file:
    state: directory
    dest: /var/home/{{ item.name }}/.vim
    owner: "{{ item.name }}"
    group: operator
    mode: 0700
  with_items: "{{ admin_users }}"
  tags:
    - users
    - user-admin

#
# Verify and enable services
#

- name: verify and enable services
  service:
    name: "{{ item }}"
    state: started
    enabled: yes
  with_items:
    - acpid
    - rsyslog
    - postfix
    - ntp
    - ssh
  tags: base-services

- meta: flush_handlers