Commit initial

README.md

@@ -1,2 +1,39 @@
-# common
+Role : common
+=============
+
+
+Services fournis
+----------------
+
+* horodatage de l'history
+* change le mot de passe root
+* configuration sudo
+* configuration sshd et limite l'accès root à distance
+* relai de messagerie, possibilité d'altérer l'émetteur / destinataire suivant l'environnement
+* installation de quelques outils pratiques
+
+
+
+Variables
+-----------
+
+```yaml
+common_searchdomain: home.navas.rocks
+common_user_password_salt: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          [...]
+common_rootpassword: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          [...]
+```
+
+| Option                    | Valeur par défaut              | Description                                                                                                   |
+|---------------------------|--------------------------------|---------------------------------------------------------------------------------------------------------------|
+| common_searchdomain       |                                | Domaine du fqdn et suffixe de recherche dns                                                                   |
+| common_admin_mail         | olivier+admin@navas.rocks      | Adresse mail à laquelle les mails émis par le système à l'attention de comptes locaux sont réellement envoyés |
+| common_X11Forwarding      | false                          | Active la possibilité de redirection X11 et installe les paquets nécessaires pour son fonctionnement          |
+| common_postfix_mail_relay | mail.{{ common_searchdomain }} | Permet d'indiquer le serveur smtp à qui envoyer les mails émis par le relai local                             |
+| common_rootpassword       |                                | Mot de passe à définir pour root                                                                              |
+| common_user_password_salt |                                | Sel utilisé pour définir le mot de passe via le module ansible user                                           |
+|                           |                                |                                                                                                               |
 

defaults/main.yml

@@ -0,0 +1,4 @@
+---
+common_postfix_mail_relay: mail.{{ common_searchdomain }}
+common_admin_mail: olivier+admin@navas.rocks
+common_X11Forwarding: false

handlers/main.yml

@@ -0,0 +1,5 @@
+- name: restart_sshd
+  service: name=sshd state=restarted enabled=yes
+
+- name: restart postfix
+  service: name=postfix state=restarted enabled=yes

meta/main.yml

@@ -0,0 +1,8 @@
+galaxy_info:
+  author: Olivier Navas
+  description: tronc commun des vms
+  license: GPL-3.0-only
+  min_ansible_version: 2.9
+  galaxy_tags: []
+
+dependencies: []

meta/requirements.yml

@@ -0,0 +1,3 @@
+- src: willshersystems.sshd
+  version: v0.14.0
+

tasks/configure_postfix_relay.yml

@@ -0,0 +1,68 @@
+- name: Supprime exim
+  package:
+    name:
+      - exim4-base
+      - exim4-config
+      - exim4-daemon-light
+    state: absent
+
+- name: Installation postfix
+  package:
+    name: postfix
+    state: present
+
+- name: Configuration postfix
+  template:
+    src: postfix-main.cf.j2
+    dest: /etc/postfix/main.cf
+  notify:
+    - restart postfix
+
+- name: Configuration aliases postfix
+  template:
+    src: aliases.j2
+    dest: /etc/aliases
+  register: aliases
+  notify:
+    - restart postfix
+
+- shell: newaliases
+  when: aliases.changed
+
+- name: Configure sender_canonical_maps_regexp
+  blockinfile:
+    dest: /etc/postfix/sender_canonical_maps_regexp
+    marker: "#### {mark} SECTION CONTROLEE PAR ANSIBLE ####"
+    owner: root
+    group: root
+    mode: 0755
+    create: yes
+    block: |
+      # A completer
+  register: sender_canonical_maps_regexp
+
+- name: Configure recipient_canonical_maps_regexp
+  blockinfile:
+    dest: /etc/postfix/recipient_canonical_maps_regexp
+    marker: "#### {mark} SECTION CONTROLEE PAR ANSIBLE ####"
+    owner: root
+    group: root
+    mode: 0755
+    create: yes
+    block: |
+      # A completer
+  register: recipiend_canonical_maps_regexp
+
+- name: postmap
+  command: postmap {{ item }}
+  args:
+    chdir: /etc/postfix/
+  with_items:
+    - sender_canonical_maps_regexp
+    - recipient_canonical_maps_regexp
+  when: sender_canonical_maps_regexp.changed or recipiend_canonical_maps_regexp.changed
+  notify:
+    - restart postfix
+
+
+

tasks/main.yml

@@ -0,0 +1,75 @@
+- name: definit le mdp de root
+  user:
+    name: root
+    state: present
+    password: "{{ _pwd | password_hash('sha512', common_user_password_salt) }}"
+  vars:
+    _pwd: "{{ common_rootpassword }}"
+    
+- name: Installation nftables
+  package: name=nftables state=present
+
+- name: Activation nftables
+  service:
+    name: nftables
+    state: started
+    enabled: yes
+
+- name: installe paquets pratiques
+  package:
+    state: present
+    name:
+      - rsyslog
+      - vim
+      - net-tools
+      - sysstat
+      - nano
+      - iotop
+      - htop
+      - tcpdump
+      - traceroute
+      - mlocate
+      - telnet
+      - wget
+      - python3
+      - figlet
+
+- name: Configuration ssh
+  import_role:
+     name: willshersystems.sshd
+  vars:
+    sshd_skip_defaults: false
+    sshd:
+      ListenAddress:
+        - "0.0.0.0"
+        - "::"
+      PermitRootLogin: without-password
+      X11Forwarding: "{{ common_X11Forwarding }}"
+
+- name: horodatage history 
+  template: src=historytime.sh dest=/etc/profile.d/historytime.sh
+
+- import_tasks: configure_postfix_relay.yml
+  tags: configure_postfix_relay
+
+
+- name: motd colors
+  template:
+    src: update-motd.d/colors
+    dest: /etc/update-motd.d/
+    
+- name: configure motd
+  template:
+    src: update-motd.d/{{ item }}
+    dest: /etc/update-motd.d/
+    mode: 0755
+  with_items:
+    - 01-linebreak
+    - 05-header
+    - 10-uname
+    - 15-linebreak
+    - 20-sysinfo
+    - 30-upgrades
+    - 50-linebreak
+
+

templates/aliases.j2

@@ -0,0 +1,17 @@
+#
+# {{ ansible_managed }}
+#
+mailer-daemon: postmaster
+postmaster: root
+nobody: root
+hostmaster: root
+usenet: root
+news: root
+webmaster: root
+www: root
+ftp: root
+abuse: root
+noc: root
+security: root
+
+root:  {{ common_admin_mail }}

templates/historytime.sh

@@ -0,0 +1,2 @@
+# {{ ansible_managed }}
+export HISTTIMEFORMAT="%F %T: "

templates/hosts

@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+127.0.0.1 localhost
+
+# The following lines are desirable for IPv6 capable hosts
+::1 ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts
+

templates/postfix-main.cf.j2

@@ -0,0 +1,22 @@
+# {{ ansible_managed }}
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+append_dot_mydomain = no
+
+readme_directory = no
+
+compatibility_level = 2
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+relayhost = {{ common_postfix_mail_relay }}
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+inet_interfaces = all
+inet_protocols = all
+
+# reecritures d'adresses si besoin
+sender_canonical_maps = regexp:/etc/postfix/sender_canonical_maps_regexp
+recipient_canonical_maps = regexp:/etc/postfix/recipient_canonical_maps_regexp

templates/update-motd.d/01-linebreak

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+echo "-----------------------------------------------------------------"

templates/update-motd.d/05-header

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+. /etc/update-motd.d/colors
+
+printf $LIGHT_RED
+figlet " "$(hostname -s)
+printf $NONE

templates/update-motd.d/10-uname

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+. /etc/update-motd.d/colors
+
+echo $DISTRIB_DESCRIPTION $YELLOW "$(lsb_release -ds)" $NONE "($(uname -o)" "$(uname -r)" "$(uname -m))"

templates/update-motd.d/15-linebreak

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+echo "-----------------------------------------------------------------"

templates/update-motd.d/20-sysinfo

@@ -0,0 +1,93 @@
+#!/bin/bash
+
+. /etc/update-motd.d/colors
+
+warnvalue(){
+value=$1
+limit=$2
+if [ $value -gt $limit ]
+then
+  echo -n "$RED_BACK$value"
+else
+  echo -n "$NONE$value"
+fi
+}
+
+printloadavg() {
+read one five fifteen rest < /proc/loadavg
+echo -e "$LIGHT_GREEN Charge CPU :$NONE $one (1min) / $five (5min) / $fifteen (15min)"
+}
+
+
+printcpu() {
+proc=$(cat /proc/cpuinfo | grep model | cut -c14- | sed -n "2 p")
+proc=$(echo "${proc}" | sed 's/^ *//g')
+cores=$(cat /proc/cpuinfo | grep -i "^processor" | wc -l)
+echo -e "$LIGHT_GREEN Processeur :$NONE $proc ($cores cores)"
+}
+
+printram(){
+memfree=$(cat /proc/meminfo | grep MemAvailable | awk {'print $2'})
+memtotal=$(cat /proc/meminfo | grep MemTotal | awk {'print $2'})
+mempctused=$((($memtotal - $memfree) * 100 / $memtotal))
+swaptotal=$(cat /proc/meminfo | grep SwapTotal | awk {'print $2'})
+swapfree=$(cat /proc/meminfo | grep SwapFree | awk {'print $2'})
+swappctused=$((($swaptotal - $swapfree) * 100 / $swaptotal))
+
+echo -n -e "$LIGHT_GREEN RAM usage : $(warnvalue $mempctused 80)%$NONE / $(($memtotal/1024)) MB Total"
+echo    -e "$LIGHT_GREEN Swap usage : $(warnvalue $swappctused 50)%$NONE / $(($swaptotal/1024)) MB Total"
+}
+
+printprocesses(){
+process=$(ps ax | wc -l | tr -d " ")
+echo -e "$LIGHT_GREEN Processus :$NONE $process"
+}
+
+printloggedin(){
+connecteduser=$(who | wc -l)
+echo -e "$LIGHT_GREEN Utilisateurs connectes :$NONE $connecteduser"
+}
+
+printserverid(){
+fqdn=$(hostname -f)
+addrip=$(hostname -I)
+echo -e "$LIGHT_GREEN FQDN :$NONE $fqdn$LIGHT_GREEN Adresse IP :$NONE $addrip"
+}
+
+printuptime(){
+uptime=$(uptime -p)
+echo -e "$LIGHT_GREEN Uptime :$NONE $uptime"
+last -x 2> /dev/null | grep reboot 1> /dev/null && /usr/bin/last -x 2> /dev/null | grep reboot | head -2 | sed 's/^/  /g' || echo "  Pas de shutdown enregistré"
+last -x 2> /dev/null|grep shutdown 1> /dev/null && /usr/bin/last -x 2> /dev/null|grep shutdown|head -2 | sed 's/^/  /g' || echo "  Pas de shutdown enregistré"
+}
+
+
+printdiskline() {
+pattern=$1
+diskused=$(df -h | grep $pattern | awk {'print $5'} | tr -d "%")
+disktotal=$(df -h | grep $pattern | awk {'print $2'})
+inodesused=$(df -i | grep $pattern | awk {'print $5'} | tr -d "%")
+echo -n -e "$LIGHT_GREEN Disque$YELLOW $pattern$LIGHT_GREEN\t: $(warnvalue $diskused 90)% / $disktotal$NONE"
+echo -e  "\t$LIGHT_GREEN Inodes$LIGHT_GREEN\t: $(warnvalue $inodesused 90)%$NONE"
+}
+
+printdisklines() {
+for disk in $(mount |grep /dev/mapper/system | cut -d ' ' -f 1)
+do
+  printdiskline $disk
+done
+for disk in $(mount |grep /dev/mapper/data | cut -d ' ' -f 1)
+do
+  printdiskline $disk
+done
+}
+
+
+printserverid
+printcpu
+printloadavg
+printram
+printprocesses
+printloggedin
+printuptime
+printdisklines

templates/update-motd.d/30-upgrades

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+. /etc/update-motd.d/colors
+
+n=$(apt-get -qq --just-print dist-upgrade | cut -f 2 -d " " | sort -u | wc -l)
+if [[ $n -gt 0 ]]
+then
+    printf " $CYAN%s packages attendent d'être mis à jour.$NONE\n" "$n"
+fi
+
+n=$(apt-get -qq --just-print autoremove | cut -f 2 -d " " | sort -u | wc -l)
+if [[ $n -gt 0 ]]
+then
+    printf " $CYAN%s packages installés comme dépendances pourraient être supprimés.$NONE\n" "$n"
+fi
+

templates/update-motd.d/50-linebreak

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+echo "-----------------------------------------------------------------"

templates/update-motd.d/colors

@@ -0,0 +1,19 @@
+# Reset Colors
+NONE="\033[m"
+
+# Colors
+WHITE="\033[1;37m"
+GREEN="\033[1;32m"
+RED="\033[0;32;31m"
+RED_BACK="\033[37;41m"
+YELLOW="\033[1;33m"
+BLUE="\033[34m"
+CYAN="\033[36m"
+LIGHT_GREEN="\033[1;32m"
+LIGHT_RED="\033[1;31m"
+
+# Bold
+BOLD="\033[1m"
+
+# Underline
+UNDERLINE="\033[4m"

tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - common