diff --git a/ansible.cfg b/ansible.cfg
index 21d28df..87040d1 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -2,8 +2,9 @@
 inventory=inventory
 retry_files_enabled = False
 remote_user = root
+ansible_managed = DO NOT MODIFY: this file is managed by ansible!
 deperaction_warnings = True
 display_skipped_hosts = True
-result_format=yaml
-
+stdout_callback = yaml
+stderr_callback = yaml
diff --git a/group_vars/all/applications.yml b/group_vars/all/applications.yml
index 3df2f28..40a27dd 100644
--- a/group_vars/all/applications.yml
+++ b/group_vars/all/applications.yml
@@ -15,6 +15,11 @@ ppm_apps:
 - on_server: ppm.pfoe.be
 user: nginx
 chicken_egg_appdefinition: ../nginx/
+ firewall_redirect:
+ - from: 8080
+ to: 80
+ - from: 8443
+ to: 443
 appconfig:
 appinfo:
 url: https://ppm.pfoe.be/ppm/nginx.git
diff --git a/group_vars/all/zabbix.yml b/group_vars/all/zabbix.yml
deleted file mode 100644
index b61ffa4..0000000
--- a/group_vars/all/zabbix.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-zabbix_server: "{{ lookup('file', 'passwords/zabbix_server') }}"
-zabbix_psk: "{{ lookup('file', 'passwords/zabbix_psk') }}"
diff --git a/roles/baseline/files/zabbix-sudoers b/roles/baseline/files/zabbix-sudoers
deleted file mode 100644
index 266d2d5..0000000
--- a/roles/baseline/files/zabbix-sudoers
+++ /dev/null
@@ -1 +0,0 @@
-zabbix ALL=(ALL) NOPASSWD: /usr/sbin/smartctl
diff --git a/roles/baseline/handlers/main.yml b/roles/baseline/handlers/main.yml
index 7fb1494..5ceb761 100644
--- a/roles/baseline/handlers/main.yml
+++ b/roles/baseline/handlers/main.yml
@@ -6,8 +6,3 @@
 ansible.builtin.systemd:
 name: ssh
 state: restarted
-
-- name: Restart zabbix-agent2
- ansible.builtin.service:
- name: zabbix-agent2
- state: restarted
diff --git a/roles/baseline/tasks/main.yml b/roles/baseline/tasks/main.yml
index b016df3..3b3a112 100644
--- a/roles/baseline/tasks/main.yml
+++ b/roles/baseline/tasks/main.yml
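Review bot: `stderr_callback = yaml` does not match any `[defaults]` option I can find in ansible's configuration reference — there is `stdout_callback`, but no stderr counterpart — so ansible would silently ignore the line; unless it maps to a plugin setting I am not seeing, drop it rather than leave an inert key. Replacing `result_format=yaml` with `stdout_callback = yaml` also moves from the built-in default callback's result formatting (whose ini key is, if I recall correctly, `callback_result_format`) to the `yaml` stdout callback plugin shipped in the community.general collection, which must be installed on the control node; worth confirming that swap is intended rather than a fix for the old key's spelling. Separately, the surrounding context line `deperaction_warnings = True` is pre-existing but is likewise not a recognised option (`deprecation_warnings`), so it has never had an effect.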
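Review bot: The new `firewall_redirect` entries give no hint which side is the public port: as rendered by the `ppmfirewall.j2` template added in this commit, `from: 8080` is the port the app listens on and `to: 80` is the inbound port that gets redirected onto it, the reverse of what `from`/`to` suggest on first reading. A comment above the key, e.g. `# from: port the app listens on; to: public port redirected onto it`, or renaming the keys to something like `listen`/`public`, would spare the next editor a trip to the template. The enclosing `ppm_apps` list starts above the hunk.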
@@ -7,8 +7,5 @@
 - name: Manage root user
 ansible.builtin.import_tasks: rootuser.yml
-- name: Get zabbix agent installed
- ansible.builtin.import_tasks: zabbix.yml
-
 - name: Ensure handlers have ran
 ansible.builtin.meta: flush_handlers
diff --git a/roles/baseline/tasks/zabbix.yml b/roles/baseline/tasks/zabbix.yml
deleted file mode 100644
index ec2d5e7..0000000
--- a/roles/baseline/tasks/zabbix.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-- name: Install zabbix related packages
- ansible.builtin.apt:
- pkg:
- - zabbix-agent2
- # To monitor our physical disks health, not needed for vm's.
- - smartmontools
-
-- name: Zabbix firewall
- ansible.builtin.template:
- dest: /etc/firewall.d/zabbix
- group: root
- owner: root
- mode: "0755"
- src: zabbix-firewall.j2
- notify: Restart firewall
-
-- name: Write psk file
- ansible.builtin.copy:
- content: "{{ zabbix_psk }}\n"
- dest: /etc/zabbix/zabbix.psk
- group: root
- owner: root
- mode: "0644"
- notify: Restart zabbix-agent2
-
-- name: Zabbix agent config file
- ansible.builtin.template:
- dest: /etc/zabbix/zabbix_agent2.d/ansible.conf
- group: root
- owner: root
- mode: "0644"
- src: zabbix-agent.j2
- notify: Restart zabbix-agent2
-
-- name: Zabbix sudoers file
- ansible.builtin.copy:
- dest: /etc/sudoers.d/zabbix
- group: root
- owner: root
- mode: "0644"
- src: zabbix-sudoers
diff --git a/roles/baseline/templates/firewall.j2 b/roles/baseline/templates/firewall.j2
index 039cc3f..dac129b 100644
--- a/roles/baseline/templates/firewall.j2
+++ b/roles/baseline/templates/firewall.j2
@@ -1,5 +1,5 @@
 #!/bin/bash
-# This file is managed by ansible, do not modify!
+# {{ ansible_managed }}
 # IPv4:
 iptables -F
@@ -75,4 +75,4 @@ ip6tables -A INPUT -j REJECT
 iptables -A FORWARD -j REJECT
 ip6tables -A FORWARD -j REJECT
-# This file is managed by ansible, do not modify!
+# {{ansible_managed}}
diff --git a/roles/baseline/templates/mosh.j2 b/roles/baseline/templates/mosh.j2
index 96d7a61..379a7ba 100644
--- a/roles/baseline/templates/mosh.j2
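Review bot: The trailing marker in the second firewall.j2 hunk is written `{{ansible_managed}}` while the first hunk of the same file writes `{{ ansible_managed }}`; the mosh.j2 hunk that follows also uses the unspaced form. The rendered text is identical either way, but the spaced form is the Jinja convention ansible-lint's spacing rule enforces, so `+# {{ ansible_managed }}` on both remaining lines would keep the three templates uniform. The body of firewall.j2 between the two hunks is outside the diff.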
+++ b/roles/baseline/templates/mosh.j2
@@ -1,5 +1,5 @@
 #!/bin/sh
-# DO NOT MODIFY: this file is written by ansible
+# {{ansible_managed}}
 # Firewall to allow mosh sessions
 ip6tables -A INPUT -p udp --match multiport --dports 60001:60020 -j ACCEPT
diff --git a/roles/baseline/templates/zabbix-agent.j2 b/roles/baseline/templates/zabbix-agent.j2
deleted file mode 100644
index 6bc423b..0000000
--- a/roles/baseline/templates/zabbix-agent.j2
+++ /dev/null
@@ -1,10 +0,0 @@
-Server={{ zabbix_server }}
-ServerActive=
-
-TLSConnect=psk
-TLSAccept=psk
-TLSPSKFile=/etc/zabbix/zabbix.psk
-TLSPSKIdentity={{ inventory_hostname }}
-
-
-UserParameter=smartctl.health[*],sudo /usr/sbin/smartctl -H /dev/$1 | grep 'overall-health' | awk '{print $NF}'
diff --git a/roles/baseline/templates/zabbix-firewall.j2 b/roles/baseline/templates/zabbix-firewall.j2
deleted file mode 100644
index 7681135..0000000
--- a/roles/baseline/templates/zabbix-firewall.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-
-# Zabbix agent firewall
-
-iptables -A INPUT -p tcp -s {{ zabbix_server }} --dport 10050 -j ACCEPT
diff --git a/roles/ppm/files/ppmfirewall b/roles/ppm/files/ppmfirewall
deleted file mode 100644
index 1f63bd8..0000000
--- a/roles/ppm/files/ppmfirewall
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-
-# PPM Firewall
-
-{% for app in otherapps -%}
-{%- if "firewall" in otherapps[app]["imports"] -%}
-{%- set oneapp = otherapps[app]["imports"]["firewall"] %}
-
-{% for redirect in oneapp.redirect %}
-# Redirect {{ redirect.from }} to {{ redirect.to }} ({{ redirect.proto | default('tcp') }}) for {{ app }}
-iptables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT
-ip6tables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT
-iptables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}
-ip6tables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}
-{% endfor %}
-{% for openport in oneapp.open %}
-# Open port {{ openport.port }}/{{ openport.proto | default('tcp') }} for app {{ app }}
-iptables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
-ip6tables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
-{% endfor %}
-{% endif %}
-{% endfor %}
diff --git a/roles/ppm/files/ppmzabbixagent b/roles/ppm/files/ppmzabbixagent
deleted file mode 100644
index 7f23a5d..0000000
--- a/roles/ppm/files/ppmzabbixagent
+++ /dev/null
@@ -1,12 +0,0 @@
-# Zabbix agent config for ppm
-
-{%- set ns = namespace() -%}
-{%- set ns.allchecks = [] -%}
-{%- for app in otherapps -%}
-{%- if "monitoring" in otherapps[app]["imports"] -%}
-{%- for check in otherapps[app]["imports"]["monitoring"]["checks"] %}
-{%- set ns.allchecks = ns.allchecks + [check | combine({'app':app})] -%}
-{% endfor -%}{%- endif -%}{%- endfor %}
-
-UserParameter=ppm.discover,/bin/echo '{{ ns.allchecks | tojson }}'
-UserParameter=ppm.app[*],/bin/bash -c 'echo $2 | nc -U {{ statedir }}/$1.monitoring'
\ No newline at end of file
diff --git a/roles/ppm/handlers/main.yml b/roles/ppm/handlers/main.yml
index 4fe15f5..f64b418 100644
--- a/roles/ppm/handlers/main.yml
+++ b/roles/ppm/handlers/main.yml
@@ -1,8 +1,3 @@
 - name: Restart firewall
 ansible.builtin.command: /etc/network/if-pre-up.d/firewall
 changed_when: true
-
-- name: Restart zabbix-agent2
- ansible.builtin.service:
- name: zabbix-agent2
- state: restarted
diff --git a/roles/ppm/tasks/firewall.yml b/roles/ppm/tasks/firewall.yml
deleted file mode 100644
index 2b58d7b..0000000
--- a/roles/ppm/tasks/firewall.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-- name: Configure firewall options
- ansible.builtin.copy:
- dest: /home/.ppmfirewalltemplate
- group: root
- owner: root
- mode: "0755"
- src: ppmfirewall
-
-- name: Render firewall
- ansible.builtin.shell: ppm template /home/.ppmfirewalltemplate /etc/firewall.d/ppmfirewall ; chmod 755 /etc/firewall.d/ppmfirewall
- register: firewall_render
- changed_when: "'content did not change' not in firewall_render.stdout"
- notify: Restart firewall
diff --git a/roles/ppm/tasks/main.yml b/roles/ppm/tasks/main.yml
index 8a52276..b6acf32 100644
--- a/roles/ppm/tasks/main.yml
+++ b/roles/ppm/tasks/main.yml
@@ -9,8 +9,11 @@
 label: "{{ ppm_app.user }}"
 when: ppm_app.on_server == inventory_hostname
-- name: Arrange firewall
- ansible.builtin.import_tasks: firewall.yml
-
-- name: Arrange zabbix
- ansible.builtin.import_tasks: zabbix.yml
+- name: Configure firewall options
+ ansible.builtin.template:
+ dest: /etc/firewall.d/ppmfirewall
+ group: root
+ owner: root
+ mode: "0755"
+ src: ppmfirewall.j2
+ notify: Restart firewall
diff --git a/roles/ppm/tasks/oneapp.yml b/roles/ppm/tasks/oneapp.yml
index 976e9eb..77e4dc9 100644
--- a/roles/ppm/tasks/oneapp.yml
+++ b/roles/ppm/tasks/oneapp.yml
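Review bot: Dropping the `Arrange zabbix` import here (and the matching `Get zabbix agent installed` import in roles/baseline/tasks/main.yml) stops managing the zabbix pieces but does not remove what earlier runs already deployed: /etc/zabbix/zabbix_agent2.d/ppm.conf from this role, and from the baseline role /etc/sudoers.d/zabbix (passwordless smartctl for the zabbix user), /etc/zabbix/zabbix.psk, /etc/firewall.d/zabbix (which keeps accepting tcp/10050 from the old server address) and the zabbix-agent2 package, all stay in place on every host provisioned before this change. A transitional cleanup task per path, `ansible.builtin.file: { path: <path>, state: absent }`, plus `ansible.builtin.apt: { name: zabbix-agent2, state: absent }`, would retire them and can itself be deleted once every host has run it. The new `Configure firewall options` task also changes where rules come from — previously each app definition's own `firewall` import rendered through `ppm template`, now only `ppm_apps` in group_vars — so any app that declared ports solely in its definition silently loses them; presumably intended, but worth stating in the commit message.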
@@ -34,25 +34,3 @@
 - name: "Bootstrap the app definition ({{ ppm_app.user }})"
 ansible.builtin.include_tasks: copyappdef.yml
 when: ppm_app.chicken_egg_appdefinition is defined and not appdefinition.stat.exists
-
-- name: "Set up extra files for {{ ppm_app.user }}"
- ansible.builtin.copy:
- src: "{{ item.from }}"
- dest: "{{ ppm_app_user.home }}/{{ item.to }}"
- mode: "{{ item.mode | default('0644') }}"
- owner: "{{ ppm_app_user.name }}"
- group: "{{ ppm_app_user.group }}"
- loop: "{{ ppm_app.extra_files | default([]) }}"
-
-- name: "Setup and run app ({{ ppm_app.user }})"
- ansible.builtin.command: ppm setup --start
- register: ppm_setupstart
- changed_when: "'No changes have been made, everything was already ok' not in ppm_setupstart.stdout"
- become: true
- become_user: "{{ ppm_app.user }}"
- environment:
- XDG_RUNTIME_DIR: "/run/user/{{ ppm_app_user.uid }}"
-
-- name: Show ppm output
- ansible.builtin.debug:
- var: ppm_setupstart
diff --git a/roles/ppm/tasks/ppminstall.yml b/roles/ppm/tasks/ppminstall.yml
index 022f3e8..3619992 100644
--- a/roles/ppm/tasks/ppminstall.yml
+++ b/roles/ppm/tasks/ppminstall.yml
@@ -19,8 +19,6 @@
 - python3-jsonschema
 # Git is required for checking out the app definitions
 - git
- # Yeah we should use nftables, patches welcome. For now, we install iptables
- - iptables
 - name: Create state directory
 ansible.builtin.file:
diff --git a/roles/ppm/tasks/zabbix.yml b/roles/ppm/tasks/zabbix.yml
deleted file mode 100644
index ad254bd..0000000
--- a/roles/ppm/tasks/zabbix.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-- name: Configure firewall options
- ansible.builtin.copy:
- dest: /home/.zabbixagenttemplate
- group: root
- owner: root
- mode: "0755"
- src: ppmzabbixagent
-
-- name: Render zabbix template
- ansible.builtin.command: ppm template /home/.zabbixagenttemplate /etc/zabbix/zabbix_agent2.d/ppm.conf
- register: zabbix_render
- changed_when: "'content did not change' not in zabbix_render.stdout"
- notify: Restart zabbix-agent2
diff --git a/roles/ppm/templates/ppmfirewall.j2 b/roles/ppm/templates/ppmfirewall.j2
new file mode 100644
index 0000000..1682c11
--- /dev/null
+++ b/roles/ppm/templates/ppmfirewall.j2
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# PPM Firewal, written by ansible
+
+{% for ppm_app in ppm_apps %}
+# Firewall for {{ ppm_app.user }}
+{% for redirect in ppm_app.firewall_redirect | default([]) %}
+# Redirect {{ redirect.from }} to {{ redirect.to }} ({{ redirect.proto | default('tcp') }})
+iptables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j ACCEPT
+ip6tables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j ACCEPT
+iptables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j REDIRECT --to-ports {{ redirect.from }}
+ip6tables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j REDIRECT --to-ports {{ redirect.from }}
+{% endfor %}
+{% for openport in ppm_app.firewall_openport | default([]) %}
+# Open port {{ openport.port }} ({{ openport.proto | default('tcp') }})
+iptables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
+ip6tables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
+{% endfor %}
+
+{% endfor %}
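Review bot: `{% for ppm_app in ppm_apps %}` emits ACCEPT and REDIRECT rules for every app in the inventory-wide `ppm_apps` list, whereas roles/ppm/tasks/main.yml only provisions the apps whose `on_server` equals `inventory_hostname`, so each server ends up opening ports that belong to apps hosted on other machines; wrapping the loop body in `{% if ppm_app.on_server == inventory_hostname %}` … `{% endif %}` keeps the rendered rules to the local apps. The generated comment `# Redirect {{ redirect.from }} to {{ redirect.to }}` states the opposite of the rules under it, which send traffic arriving on `redirect.to` to `redirect.from` and accept `redirect.from` on INPUT; swap the two in the comment, or rename the keys so the data reads the way the rules work. The INPUT ACCEPT on `redirect.from` also admits direct connections to the app port, not just redirected ones; if only the public port is meant to be reachable, adding `-m conntrack --ctorigdstport {{ redirect.to }}` to that rule narrows it to flows that came in through the redirect. This commit drops `iptables` from the package list in roles/ppm/tasks/ppminstall.yml while the template still shells out to iptables/ip6tables, so the binary presumably now comes from the baseline role — worth confirming. The header `# PPM Firewal, written by ansible` has a typo and could use the `{{ ansible_managed }}` variable this commit introduces for the other templates.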