ansible.cfg

@@ -2,8 +2,9 @@
 inventory=inventory
 retry_files_enabled = False
 remote_user = root
+ansible_managed = DO NOT MODIFY: this file is managed by ansible!
 deperaction_warnings = True
 display_skipped_hosts = True
 
-result_format=yaml
+stdout_callback = yaml
-
+stderr_callback = yaml

group_vars/all/applications.yml

@@ -15,6 +15,11 @@ ppm_apps:
   - on_server: ppm.pfoe.be
     user: nginx
     chicken_egg_appdefinition: ../nginx/
+    firewall_redirect:
+      - from: 8080
+        to: 80
+      - from: 8443
+        to: 443
     appconfig:
       appinfo:
         url: https://ppm.pfoe.be/ppm/nginx.git

group_vars/all/zabbix.yml

@@ -1,2 +0,0 @@
-zabbix_server: "{{ lookup('file', 'passwords/zabbix_server') }}"
-zabbix_psk: "{{ lookup('file', 'passwords/zabbix_psk') }}"

roles/baseline/files/zabbix-sudoers

@@ -1 +0,0 @@
-zabbix ALL=(ALL) NOPASSWD: /usr/sbin/smartctl

roles/baseline/handlers/main.yml

@@ -6,8 +6,3 @@
   ansible.builtin.systemd:
     name: ssh
     state: restarted
-
-- name: Restart zabbix-agent2
-  ansible.builtin.service:
-    name: zabbix-agent2
-    state: restarted

roles/baseline/tasks/main.yml

@@ -7,8 +7,5 @@
 - name: Manage root user
   ansible.builtin.import_tasks: rootuser.yml
 
-- name: Get zabbix agent installed
-  ansible.builtin.import_tasks: zabbix.yml
-
 - name: Ensure handlers have ran
   ansible.builtin.meta: flush_handlers

roles/baseline/tasks/zabbix.yml

@@ -1,41 +0,0 @@
-- name: Install zabbix related packages
-  ansible.builtin.apt:
-    pkg:
-      - zabbix-agent2
-      # To monitor our physical disks health, not needed for vm's.
-      - smartmontools
-
-- name: Zabbix firewall
-  ansible.builtin.template:
-    dest: /etc/firewall.d/zabbix
-    group: root
-    owner: root
-    mode: "0755"
-    src: zabbix-firewall.j2
-  notify: Restart firewall
-
-- name: Write psk file
-  ansible.builtin.copy:
-    content: "{{ zabbix_psk }}\n"
-    dest: /etc/zabbix/zabbix.psk
-    group: root
-    owner: root
-    mode: "0644"
-  notify: Restart zabbix-agent2
-
-- name: Zabbix agent config file
-  ansible.builtin.template:
-    dest: /etc/zabbix/zabbix_agent2.d/ansible.conf
-    group: root
-    owner: root
-    mode: "0644"
-    src: zabbix-agent.j2
-  notify: Restart zabbix-agent2
-
-- name: Zabbix sudoers file
-  ansible.builtin.copy:
-    dest: /etc/sudoers.d/zabbix
-    group: root
-    owner: root
-    mode: "0644"
-    src: zabbix-sudoers

roles/baseline/templates/firewall.j2

@@ -1,5 +1,5 @@
 #!/bin/bash
-# This file is managed by ansible, do not modify!
+# {{ ansible_managed }}
 
 # IPv4:
 iptables -F
@@ -75,4 +75,4 @@ ip6tables -A INPUT -j REJECT
 iptables -A FORWARD -j REJECT
 ip6tables -A FORWARD -j REJECT
 
-# This file is managed by ansible, do not modify!
+# {{ansible_managed}}

roles/baseline/templates/mosh.j2

@@ -1,5 +1,5 @@
 #!/bin/sh
-# DO NOT MODIFY: this file is written by ansible
+# {{ansible_managed}}
 # Firewall to allow mosh sessions
 
 ip6tables -A INPUT -p udp --match multiport --dports 60001:60020 -j ACCEPT

roles/baseline/templates/zabbix-agent.j2

@@ -1,10 +0,0 @@
-Server={{ zabbix_server }}
-ServerActive=
-
-TLSConnect=psk
-TLSAccept=psk
-TLSPSKFile=/etc/zabbix/zabbix.psk
-TLSPSKIdentity={{ inventory_hostname }}
-
-
-UserParameter=smartctl.health[*],sudo /usr/sbin/smartctl -H /dev/$1 | grep 'overall-health' | awk '{print $NF}'

roles/baseline/templates/zabbix-firewall.j2

@@ -1,5 +0,0 @@
-#!/bin/bash
-
-# Zabbix agent firewall
-
-iptables -A INPUT -p tcp -s {{ zabbix_server }} --dport 10050 -j ACCEPT

roles/ppm/files/ppmfirewall

@@ -1,22 +0,0 @@
-#!/bin/bash
-
-# PPM Firewall
-
-{% for app in otherapps -%}
-{%- if "firewall" in otherapps[app]["imports"] -%}
-{%- set oneapp = otherapps[app]["imports"]["firewall"] %}
-
-{% for redirect in oneapp.redirect %}
-# Redirect {{ redirect.from }} to {{ redirect.to }} ({{ redirect.proto | default('tcp') }})  for {{ app }}
-iptables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT
-ip6tables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT
-iptables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}
-ip6tables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}
-{% endfor %}
-{% for openport in oneapp.open %}
-# Open port {{ openport.port }}/{{ openport.proto | default('tcp') }} for app {{ app }}
-iptables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
-ip6tables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
-{% endfor %}
-{% endif %}
-{% endfor %}

roles/ppm/files/ppmzabbixagent

@@ -1,12 +0,0 @@
-# Zabbix agent config for ppm
-
-{%- set ns = namespace() -%}
-{%- set ns.allchecks = [] -%}
-{%- for app in otherapps -%}
-{%- if "monitoring" in otherapps[app]["imports"] -%}
-{%- for check in otherapps[app]["imports"]["monitoring"]["checks"] %}
-{%- set ns.allchecks = ns.allchecks + [check | combine({'app':app})] -%}
-{% endfor -%}{%- endif -%}{%- endfor %}
-
-UserParameter=ppm.discover,/bin/echo '{{ ns.allchecks | tojson }}'
-UserParameter=ppm.app[*],/bin/bash -c 'echo $2 | nc -U {{ statedir }}/$1.monitoring'

roles/ppm/handlers/main.yml

@@ -1,8 +1,3 @@
 - name: Restart firewall
   ansible.builtin.command: /etc/network/if-pre-up.d/firewall
   changed_when: true
-
-- name: Restart zabbix-agent2
-  ansible.builtin.service:
-    name: zabbix-agent2
-    state: restarted

roles/ppm/tasks/firewall.yml

@@ -1,13 +0,0 @@
-- name: Configure firewall options
-  ansible.builtin.copy:
-    dest: /home/.ppmfirewalltemplate
-    group: root
-    owner: root
-    mode: "0755"
-    src: ppmfirewall
-
-- name: Render firewall
-  ansible.builtin.shell: ppm template /home/.ppmfirewalltemplate /etc/firewall.d/ppmfirewall ; chmod 755 /etc/firewall.d/ppmfirewall
-  register: firewall_render
-  changed_when: "'content did not change' not in firewall_render.stdout"
-  notify: Restart firewall

roles/ppm/tasks/main.yml

@@ -9,8 +9,11 @@
     label: "{{ ppm_app.user }}"
   when: ppm_app.on_server == inventory_hostname
 
-- name: Arrange firewall
+- name: Configure firewall options
-  ansible.builtin.import_tasks: firewall.yml
+  ansible.builtin.template:
-
+    dest: /etc/firewall.d/ppmfirewall
-- name: Arrange zabbix
+    group: root
-  ansible.builtin.import_tasks: zabbix.yml
+    owner: root
+    mode: "0755"
+    src: ppmfirewall.j2
+  notify: Restart firewall

roles/ppm/tasks/oneapp.yml

@@ -34,25 +34,3 @@
 - name: "Bootstrap the app definition ({{ ppm_app.user }})"
   ansible.builtin.include_tasks: copyappdef.yml
   when: ppm_app.chicken_egg_appdefinition is defined and not appdefinition.stat.exists
-
-- name: "Set up extra files for {{ ppm_app.user }}"
-  ansible.builtin.copy:
-    src: "{{ item.from }}"
-    dest: "{{ ppm_app_user.home }}/{{ item.to }}"
-    mode: "{{ item.mode | default('0644') }}"
-    owner: "{{ ppm_app_user.name }}"
-    group: "{{ ppm_app_user.group }}"
-  loop: "{{ ppm_app.extra_files | default([]) }}"
-
-- name: "Setup and run app ({{ ppm_app.user }})"
-  ansible.builtin.command: ppm setup --start
-  register: ppm_setupstart
-  changed_when: "'No changes have been made, everything was already ok' not in ppm_setupstart.stdout"
-  become: true
-  become_user: "{{ ppm_app.user }}"
-  environment:
-    XDG_RUNTIME_DIR: "/run/user/{{ ppm_app_user.uid }}"
-
-- name: Show ppm output
-  ansible.builtin.debug:
-    var: ppm_setupstart

roles/ppm/tasks/ppminstall.yml

@@ -19,8 +19,6 @@
       - python3-jsonschema
       # Git is required for checking out the app definitions
       - git
-      # Yeah we should use nftables, patches welcome. For now, we install iptables
-      - iptables
 
 - name: Create state directory
   ansible.builtin.file:

roles/ppm/tasks/zabbix.yml

@@ -1,13 +0,0 @@
-- name: Configure firewall options
-  ansible.builtin.copy:
-    dest: /home/.zabbixagenttemplate
-    group: root
-    owner: root
-    mode: "0755"
-    src: ppmzabbixagent
-
-- name: Render zabbix template
-  ansible.builtin.command: ppm template /home/.zabbixagenttemplate /etc/zabbix/zabbix_agent2.d/ppm.conf
-  register: zabbix_render
-  changed_when: "'content did not change' not in zabbix_render.stdout"
-  notify: Restart zabbix-agent2

roles/ppm/templates/ppmfirewall.j2

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# PPM Firewal, written by ansible
+
+{% for ppm_app in ppm_apps %}
+# Firewall for {{ ppm_app.user }}
+{% for redirect in ppm_app.firewall_redirect | default([]) %}
+# Redirect {{ redirect.from }} to {{ redirect.to }} ({{ redirect.proto | default('tcp') }})
+iptables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j ACCEPT
+ip6tables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j ACCEPT
+iptables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j REDIRECT --to-ports {{ redirect.from }}
+ip6tables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j REDIRECT --to-ports {{ redirect.from }}
+{% endfor %}
+{% for openport in ppm_app.firewall_openport | default([]) %}
+# Open port {{ openport.port }} ({{ openport.proto | default('tcp') }})
+iptables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
+ip6tables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
+{% endfor %}
+
+{% endfor %}