
commit e816f5e9a909bc81f9c515e8c18d89cc30fe7e82
Author: Dionysis Grigoropoulos <dgrig@erethon.com>
Date:   Wed, 31 May 2017 00:49:20 +0300

Initial commit

Diffstat:
.debops.cfg | 15+++++++++++++++
.gitignore | 33+++++++++++++++++++++++++++++++++
ansible/inventory/group_vars/all/apt_install.yml | 7+++++++
ansible/inventory/group_vars/all/auth.yml | 4++++
ansible/inventory/group_vars/all/bootstrap.yml | 5+++++
ansible/inventory/group_vars/all/console.yml | 10++++++++++
ansible/inventory/group_vars/all/docker.yml | 5+++++
ansible/inventory/group_vars/all/fail2ban.yml | 10++++++++++
ansible/inventory/group_vars/all/ferm.yml | 5+++++
ansible/inventory/group_vars/all/monit.yml | 7+++++++
ansible/inventory/group_vars/all/ntp.yml | 5+++++
ansible/inventory/group_vars/all/pki.yml | 3+++
ansible/inventory/group_vars/all/postfix.yml | 4++++
ansible/inventory/group_vars/all/sshd.yml | 4++++
ansible/inventory/group_vars/all/unattended_upgrades.yml | 3+++
ansible/inventory/group_vars/all/users.yml | 16++++++++++++++++
ansible/inventory/group_vars/xmpp/ferm.yml | 11+++++++++++
ansible/inventory/group_vars/xvm/sysctl.yml | 4++++
ansible/inventory/host_vars/spinny/ferm.yml | 67+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ansible/inventory/hosts | 1+
ansible/playbooks/docker.yml | 22++++++++++++++++++++++
ansible/playbooks/monit.yml | 11+++++++++++
ansible/playbooks/prosody.yml | 10++++++++++
ansible/playbooks/webd.yml | 7+++++++
ansible/roles/blog.erethon.com/tasks/main.yml | 14++++++++++++++
ansible/roles/chat.erethon.com/tasks/main.yml | 15+++++++++++++++
ansible/roles/erethon.com/tasks/main.yml | 14++++++++++++++
ansible/roles/f.erethon.com/tasks/main.yml | 14++++++++++++++
ansible/roles/monit/handlers/main.yml | 6++++++
ansible/roles/monit/tasks/main.yml | 10++++++++++
ansible/roles/monit/templates/cpu_ram.monit.j2 | 4++++
ansible/roles/monit/templates/fs.monit.j2 | 2++
ansible/roles/monit/templates/ssh.monit.j2 | 4++++
ansible/roles/static.erethon.com/files/httpd.conf | 10++++++++++
ansible/roles/static.erethon.com/files/httpd/capitalism.conf | 4++++
ansible/roles/static.erethon.com/files/httpd/hacked.conf | 4++++
ansible/roles/static.erethon.com/handlers/main.yml | 6++++++
ansible/roles/static.erethon.com/tasks/main.yml | 26++++++++++++++++++++++++++
38 files changed, 402 insertions(+), 0 deletions(-)

diff --git a/.debops.cfg b/.debops.cfg
@@ -0,0 +1,15 @@
+
+# -*- conf -*-
+
+[paths]
+;data-home: /opt/debops
+
+[ansible defaults]
+;callback_plugins = /my/plugins/callback
+;roles_path = /my/roles
+
+[ansible paramiko]
+;record_host_keys=True
+
+[ansible ssh_connection]
+ssh_args = -o ControlMaster=auto -o ControlPersist=60s
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,33 @@
+*.local
+ansible/secret
+secret
+.encfs.secret
+ansible.cfg
+*.retry
+
+#-- python
+*.py[co]
+
+#-- vim
+[._]*.s[a-w][a-z]
+[._]s[a-w][a-z]
+*.un~
+Session.vim
+.netrwhist
+*~
+
+#-- Emacs
+\#*\#
+/.emacs.desktop
+/.emacs.desktop.lock
+*.elc
+auto-save-list
+tramp
+.\#*
+
+#-- SublimeText
+*.sublime-workspace
+#*.sublime-project
+
+#-- sftp configuration file
+sftp-config.json
diff --git a/ansible/inventory/group_vars/all/apt_install.yml b/ansible/inventory/group_vars/all/apt_install.yml
@@ -0,0 +1,7 @@
+---
+
+apt_install__packages: [git, vim, rxvt-unicode-256color, screen, tmux,
+ fail2ban, mlocate, htop, sudo, ferm, strace, ltrace, file, monit, less,
+ nmon, colordiff, bash-completion, telnet, dstat, ca-certificates, curl,
+ sysstat, tcpdump, zsh, mosh, lsof, iotop, netcat, mtr-tiny, bwm-ng,
+ etckeeper]
diff --git a/ansible/inventory/group_vars/all/auth.yml b/ansible/inventory/group_vars/all/auth.yml
@@ -0,0 +1,4 @@
+---
+
+auth_ldap_conf: False
+auth_nslcd_conf: False
diff --git a/ansible/inventory/group_vars/all/bootstrap.yml b/ansible/inventory/group_vars/all/bootstrap.yml
@@ -0,0 +1,5 @@
+---
+
+bootstrap__domain: 'erethon.com'
+bootstrap__admin_default_users: []
+bootstrap__admin_sshkeys: []
diff --git a/ansible/inventory/group_vars/all/console.yml b/ansible/inventory/group_vars/all/console.yml
@@ -0,0 +1,10 @@
+---
+
+console_motd: |
+
+ ██╗ ██╗ █████╗ ██████╗██╗ ██╗ ████████╗██╗ ██╗███████╗ ██████╗ ██╗ █████╗ ███╗ ██╗███████╗████████╗
+ ██║ ██║██╔══██╗██╔════╝██║ ██╔╝ ╚══██╔══╝██║ ██║██╔════╝ ██╔══██╗██║ ██╔══██╗████╗ ██║██╔════╝╚══██╔══╝
+ ███████║███████║██║ █████╔╝ ██║ ███████║█████╗ ██████╔╝██║ ███████║██╔██╗ ██║█████╗ ██║
+ ██╔══██║██╔══██║██║ ██╔═██╗ ██║ ██╔══██║██╔══╝ ██╔═══╝ ██║ ██╔══██║██║╚██╗██║██╔══╝ ██║
+ ██║ ██║██║ ██║╚██████╗██║ ██╗ ██║ ██║ ██║███████╗ ██║ ███████╗██║ ██║██║ ╚████║███████╗ ██║
+ ╚═╝ ╚═╝╚═╝ ╚═╝ ╚═════╝╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝╚══════╝ ╚═╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═══╝╚══════╝ ╚═╝
diff --git a/ansible/inventory/group_vars/all/docker.yml b/ansible/inventory/group_vars/all/docker.yml
@@ -0,0 +1,5 @@
+---
+
+docker__upstream: True
+docker__tcp: False
+docker__ferment: True
diff --git a/ansible/inventory/group_vars/all/fail2ban.yml b/ansible/inventory/group_vars/all/fail2ban.yml
@@ -0,0 +1,10 @@
+---
+
+fail2ban_jails:
+ - name: 'ssh'
+ enabled: 'true'
+ port: 222
+ filter: 'sshd'
+ logpath: '/var/log/auth.log'
+ maxretry: 6
+
diff --git a/ansible/inventory/group_vars/all/ferm.yml b/ansible/inventory/group_vars/all/ferm.yml
@@ -0,0 +1,5 @@
+---
+
+ferm__enabled: True
+ferm__filter_icmp: False
+ferm__filter_syn: False
diff --git a/ansible/inventory/group_vars/all/monit.yml b/ansible/inventory/group_vars/all/monit.yml
@@ -0,0 +1,7 @@
+---
+
+monit_mail_servers:
+ - host: 'mail.erethon.com'
+ port: 587
+
+monit_fs_percentage: 75
diff --git a/ansible/inventory/group_vars/all/ntp.yml b/ansible/inventory/group_vars/all/ntp.yml
@@ -0,0 +1,5 @@
+---
+
+ntp__daemon_enabled: True
+ntp__daeon: 'openntpd'
+ntp__firewall_access: False
diff --git a/ansible/inventory/group_vars/all/pki.yml b/ansible/inventory/group_vars/all/pki.yml
@@ -0,0 +1,3 @@
+---
+
+pki_enabled: False
diff --git a/ansible/inventory/group_vars/all/postfix.yml b/ansible/inventory/group_vars/all/postfix.yml
@@ -0,0 +1,4 @@
+---
+
+postfix_local_maincf: |
+ inet_protocols = ipv4
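Review bot: `ntp__daeon: 'openntpd'` in group_vars/all/ntp.yml is misspelled, so the debops.ntp role never reads it and the daemon selection silently falls back to the role default; the key should be `ntp__daemon: 'openntpd'`. An unknown inventory variable is not an error at runtime, which is why this kind of typo survives until someone notices the wrong daemon installed on a host.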
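Review bot: `ferm__filter_icmp: False` and `ferm__filter_syn: False` in group_vars/all/ferm.yml appear to switch off the role's ICMP and SYN filtering on every host in the inventory, and nothing says why. If a specific host or service needs it, scope the override to that host_vars/group_vars file; otherwise a comment such as `# ICMP/SYN filtering disabled because <reason>` keeps the hardening decision auditable.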
diff --git a/ansible/inventory/group_vars/all/sshd.yml b/ansible/inventory/group_vars/all/sshd.yml
@@ -0,0 +1,4 @@
+---
+
+sshd__ferm_ports: [ '222' ]
+sshd__ports: [ '222' ]
diff --git a/ansible/inventory/group_vars/all/unattended_upgrades.yml b/ansible/inventory/group_vars/all/unattended_upgrades.yml
@@ -0,0 +1,3 @@
+---
+
+unattended_upgrades__enabled: False
diff --git a/ansible/inventory/group_vars/all/users.yml b/ansible/inventory/group_vars/all/users.yml
@@ -0,0 +1,15 @@
+---
+
+users__enabled: True
+
+users__accounts:
+ - name: 'dgrig'
+ state: present
+ group: 'dgrig'
+ groups: ['docker', 'admins']
+ append: True
+ gid: 1005
+ uid: 1005
+ shell: '/usr/bin/zsh'
+ sshkeys: [ 'ssh-rsa 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' ]
+ forward: [ 'abuse@erethon.com' ]+ \ No newline at end of file
diff --git a/ansible/inventory/group_vars/xmpp/ferm.yml b/ansible/inventory/group_vars/xmpp/ferm.yml
@@ -0,0 +1,11 @@
+---
+
+ferm__group_rules:
+ - type: 'accept'
+ filename: 'prosody'
+ name: 'prosody'
+ table: 'filter'
+ chain: 'INPUT'
+ dport: [ 5222, 5269 ]
+ protocol: 'tcp'
+ domain: 'ip'
diff --git a/ansible/inventory/group_vars/xvm/sysctl.yml b/ansible/inventory/group_vars/xvm/sysctl.yml
@@ -0,0 +1,4 @@
+---
+
+sysctl__shared_memory_configure: False
+sysctl__paging_configure: False
diff --git a/ansible/inventory/host_vars/spinny/ferm.yml b/ansible/inventory/host_vars/spinny/ferm.yml
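Review bot: `unattended_upgrades__enabled: False` in group_vars/all turns off automatic security updates for every host, including the ones exposing SSH on port 222 and the XMPP and web containers, and no comment records the reason or the manual patch cadence that replaces it. If the concern is unexpected restarts or breakage, a line such as `# disabled because <reason>; hosts are patched manually on <cadence>` above the setting makes the decision auditable, and scoping the override to the affected group instead of `all` limits how many hosts go unpatched.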
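Review bot: the `dgrig` account in users.yml is added to `docker` as well as `admins`; membership in the docker group gives control of the Docker daemon socket, which is root-equivalent on the host, so it duplicates what sudo already grants while bypassing sudo's logging. Consider dropping `docker` from `groups:` and running container tasks through `become`, or leave a comment stating that the root-equivalence is understood and accepted.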
@@ -0,0 +1,67 @@
+---
+
+ferm__host_rules:
+ - type: 'accept'
+ filename: 'tinc'
+ name: 'tinc'
+ table: 'filter'
+ chain: 'INPUT'
+ dport: [ 655 ]
+ protocol: ['tcp', 'udp']
+ domain: 'ip'
+
+ - type: 'accept'
+ filename: 'haproxy'
+ name: 'haproxy'
+ table: 'filter'
+ chain: 'INPUT'
+ dport: [ 80, 443 ]
+ protocol: 'tcp'
+ domain: 'ip'
+
+ - type: 'accept'
+ filename: 'haproxy_internal'
+ name: 'haproxy_internal'
+ table: 'filter'
+ chain: 'INPUT'
+ dport: [ 1936 ]
+ protocol: 'tcp'
+ domain: 'ip'
+ saddr: '192.168.166.0/24'
+
+ - type: 'accept'
+ filename: 'openvpn'
+ name: 'openvpn'
+ table: 'filter'
+ chain: 'INPUT'
+ dport: [ 1194 ]
+ protocol: 'udp'
+ domain: 'ip'
+
+ - type: 'accept'
+ filename: 'vmnet'
+ name: 'vmnet'
+ table: 'filter'
+ chain: 'FORWARD'
+ domain: 'ip'
+ interface_present: 'tun0'
+ outerface_present: 'virbr0'
+ comment: 'Forward traffic from OpenVPN to VMs'
+
+ - type: 'accept'
+ filename: 'vmnet_public'
+ name: 'vmnet_public'
+ table: 'filter'
+ chain: 'FORWARD'
+ domain: 'ip'
+ interface_present: 'virbr0'
+ saddr: '192.168.122.0/24'
+ comment: 'Forward traffic from VMs to the internet'
+
+ - type: 'custom'
+ filename: 'vmnet_nat'
+ rules: "domain ip table nat chain POSTROUTING {
+ outerface br0 {
+ MASQUERADE;
+ }
+ }"
diff --git a/ansible/inventory/hosts b/ansible/inventory/hosts
@@ -0,0 +1 @@
+[debops_all_hosts]
diff --git a/ansible/playbooks/docker.yml b/ansible/playbooks/docker.yml
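Review bot: the `vmnet_public` FORWARD rule accepts everything arriving on `virbr0` from 192.168.122.0/24 with no `outerface_present`, so it also forwards VM traffic into `tun0` (the OpenVPN side) and toward 192.168.166.0/24, not only to the internet as the comment says, while the NAT rule below masquerades only on `br0`. If VMs are meant to reach the internet only, add `outerface_present: 'br0'` to that rule so the filter and NAT rules agree; if VM-to-VPN reachability is intended, the comment should say so. Whether return traffic on FORWARD is covered by a role-level ESTABLISHED/RELATED rule is not visible in this commit and is worth confirming.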
@@ -0,0 +1,22 @@
+---
+- hosts: ['debops_service_docker', '!debops_no_service_docker']
+ become: True
+
+ environment: '{{ inventory__environment | d({})
+ | combine(inventory__group_environment | d({}))
+ | combine(inventory__host_environment | d({})) }}'
+
+ roles:
+
+ - role: debops.etc_services
+ tags: [ 'role::etc_services' ]
+ etc_services__dependent_list:
+ - '{{ docker__etc_services__dependent_list }}'
+
+ - role: debops.ferm
+ tags: [ 'role::ferm' ]
+ ferm__dependent_rules:
+ - '{{ docker__ferm__dependent_rules }}'
+
+ - role: debops.docker
+ tags: [ 'role::docker' ]
diff --git a/ansible/playbooks/monit.yml b/ansible/playbooks/monit.yml
@@ -0,0 +1,11 @@
+---
+
+- name: Monit configuration for all nodes
+ hosts: [ 'debops_all_hosts', '!debops_no_monit' ]
+ gather_facts: True
+ become: True
+
+ roles:
+
+ # - role: debops.monit
+ - role: monit
diff --git a/ansible/playbooks/prosody.yml b/ansible/playbooks/prosody.yml
@@ -0,0 +1,10 @@
+---
+
+- hosts: xmpp
+ become: True
+
+ roles:
+
+ - role: debops.ferm
+ tags: [ 'role::ferm' ]
+ - role: chat.erethon.com
diff --git a/ansible/playbooks/webd.yml b/ansible/playbooks/webd.yml
@@ -0,0 +1,7 @@
+---
+- hosts: webd
+ become: True
+
+ roles:
+
+ - role: static.erethon.com
diff --git a/ansible/roles/blog.erethon.com/tasks/main.yml b/ansible/roles/blog.erethon.com/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+
+- name: blog.erethon.com nginx docker
+ docker:
+ name: blog.erethon.com
+ image: nginx
+ state: restarted
+ restart_policy: always
+ pull: always
+ ports:
+ - 127.0.0.1:18082:80
+ volumes:
+ - /data/volumes/blog:/usr/share/nginx/html:ro
+ - /data/volumes/blog/nginx.conf:/etc/nginx/nginx.conf:ro
diff --git a/ansible/roles/chat.erethon.com/tasks/main.yml b/ansible/roles/chat.erethon.com/tasks/main.yml
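Review bot: the blog.erethon.com task combines an unpinned `image: nginx` with `pull: always` and `state: restarted`, so every playbook run deploys whatever the `latest` tag currently resolves to and restarts the container even when nothing changed; the running image is not reproducible, and a broken or tampered upstream tag is rolled out automatically. Pin the tag (`image: nginx:<version>`) or a digest (`image: nginx@sha256:<digest>`), and use `state: reloaded` so the container is restarted only when its image or configuration actually differs. The chat.erethon.com, erethon.com and f.erethon.com tasks in the following hunks use the same pattern.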
@@ -0,0 +1,15 @@
+---
+
+- name: chat.erethon.com xmpp docker
+ docker:
+ name: chat.erethon.com
+ image: prosody/prosody
+ state: restarted
+ restart_policy: always
+ pull: always
+ ports:
+ - 5222:5222
+ - 5269:5269
+ volumes:
+ - /data/volumes/prosody/etc:/etc/prosody:ro
+ - /data/volumes/prosody/data:/var/lib/prosody
diff --git a/ansible/roles/erethon.com/tasks/main.yml b/ansible/roles/erethon.com/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+
+- name: erethon.com nginx docker
+ docker:
+ name: erethon.com
+ image: nginx
+ state: restarted
+ restart_policy: always
+ pull: always
+ ports:
+ - 127.0.0.1:18083:80
+ volumes:
+ - /data/volumes/erethon.com:/usr/share/nginx/html:ro
+ - /data/volumes/erethon.com/nginx.conf:/etc/nginx/nginx.conf:ro
diff --git a/ansible/roles/f.erethon.com/tasks/main.yml b/ansible/roles/f.erethon.com/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+
+- name: f.erethon.com nginx docker
+ docker:
+ name: f.erethon.com
+ image: nginx
+ state: restarted
+ restart_policy: always
+ pull: always
+ ports:
+ - 127.0.0.1:18081:80
+ volumes:
+ - /data/volumes/files:/usr/share/nginx/html:ro
+ - /data/volumes/files/nginx.conf:/etc/nginx/nginx.conf:ro
diff --git a/ansible/roles/monit/handlers/main.yml b/ansible/roles/monit/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Restart Monit
+ service:
+ name: monit
+ state: restarted
diff --git a/ansible/roles/monit/tasks/main.yml b/ansible/roles/monit/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+
+- template:
+ src: "{{ item.src }}"
+ dest: "/etc/monit/conf.d/{{ item.dest }}"
+ with_items:
+ - {src: "fs.monit.j2", dest: "fs"}
+ - {src: "ssh.monit.j2", dest: "ssh"}
+ - {src: "cpu_ram.monit.j2", dest: "cpu_ram"}
+ notify: Restart Monit
diff --git a/ansible/roles/monit/templates/cpu_ram.monit.j2 b/ansible/roles/monit/templates/cpu_ram.monit.j2
@@ -0,0 +1,4 @@
+check system localhost
+ if memory usage > 85% then alert
+ if cpu usage (user) > 80% for 3 cycles then alert
+ if cpu usage (system) > 80% for 3 cycles then alert
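Review bot: the monit `template:` task has no `name:`, so play output and `--list-tasks` identify it only by module, which makes it harder to audit from a run log what changed on a host; `- name: Install monit check files` above `template:` fixes that. The task also sets no `owner`/`mode` on the files it writes under /etc/monit/conf.d, so their permissions depend on the remote umask; making them explicit removes a host-to-host variation. The `file:`, `copy:` and `lineinfile:` tasks in static.erethon.com/tasks/main.yml later in this commit have the same missing `name:`.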
diff --git a/ansible/roles/monit/templates/fs.monit.j2 b/ansible/roles/monit/templates/fs.monit.j2
@@ -0,0 +1,2 @@
+check device rootfs with path /
+ if SPACE usage > {{ monit_fs_percentage }}% then alert
diff --git a/ansible/roles/monit/templates/ssh.monit.j2 b/ansible/roles/monit/templates/ssh.monit.j2
@@ -0,0 +1,4 @@
+check process sshd with pidfile /var/run/sshd.pid
+ start program "/etc/init.d/ssh start"
+ stop program "/etc/init.d/ssh stop"
+ if failed port {{ sshd__ports[0] }} protocol ssh then restart
diff --git a/ansible/roles/static.erethon.com/files/httpd.conf b/ansible/roles/static.erethon.com/files/httpd.conf
@@ -0,0 +1,10 @@
+types {
+ text/css css
+ text/html html htm
+ text/plain txt
+ image/gif gif
+ image/jpeg jpeg jpg
+ image/png png
+ application/javascript js
+ application/xml xml
+}
diff --git a/ansible/roles/static.erethon.com/files/httpd/capitalism.conf b/ansible/roles/static.erethon.com/files/httpd/capitalism.conf
@@ -0,0 +1,4 @@
+server "capitalism.erethon.com" {
+ listen on * port 80
+ root "/htdocs/capitalism.erethon.com"
+}
diff --git a/ansible/roles/static.erethon.com/files/httpd/hacked.conf b/ansible/roles/static.erethon.com/files/httpd/hacked.conf
@@ -0,0 +1,4 @@
+server "hacked.erethon.com" {
+ listen on * port 80
+ root "/htdocs/hacked.erethon.com"
+}
diff --git a/ansible/roles/static.erethon.com/handlers/main.yml b/ansible/roles/static.erethon.com/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Restart httpd
+ service:
+ name: httpd
+ state: restarted
diff --git a/ansible/roles/static.erethon.com/tasks/main.yml b/ansible/roles/static.erethon.com/tasks/main.yml
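Review bot: both OpenBSD httpd server blocks (capitalism.conf and hacked.conf) listen only on plain `port 80` with no TLS listener, so the two static sites are served unencrypted unless TLS is terminated in front of them; the haproxy rules in host_vars/spinny open 443, but nothing in this commit ties the `webd` host to that proxy. If httpd faces the internet directly, add a `listen on * tls port 443` listener with a `tls` certificate/key block and keep port 80 only to redirect; otherwise a one-line comment in each file noting that TLS is handled upstream stops the next reader from re-raising this.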
@@ -0,0 +1,26 @@
+---
+
+- file:
+ path: /etc/httpd/
+ state: directory
+ mode: 0755
+ owner: root
+ group: wheel
+
+- copy:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ owner: root
+ group: wheel
+ with_items:
+ - { src: "httpd.conf", dest: "/etc/httpd.conf" }
+ - { src: "httpd/", dest: "/etc/httpd" }
+ notify: Restart httpd
+
+- lineinfile:
+ path: /etc/httpd.conf
+ line: 'include "/etc/httpd/{{ item }}.conf"'
+ with_items:
+ - capitalism
+ - hacked
+ notify: Restart httpd
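Review bot: the `copy:` and `lineinfile:` tasks undo each other on every run: `copy` installs the ten-line files/httpd.conf, `lineinfile` appends the two `include` lines, and on the next run `copy` sees the checksum differ, overwrites the file, and `lineinfile` appends the lines again, so the play always reports changes and restarts httpd without any real change. Put `include "/etc/httpd/capitalism.conf"` and `include "/etc/httpd/hacked.conf"` into files/httpd.conf itself (or render it with `template`) and drop the `lineinfile` task. The `copy` task also sets no `mode`, so the installed config files get whatever the remote umask yields; `mode: 0644` makes that explicit.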