diff --git a/README.md b/README.md
index 5b26276..3436c70 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,39 @@
-# common
+Role : common
+=============
+
+
+Services fournis
+----------------
+
+* horodatage de l'history
+* change le mot de passe root
+* configuration sudo
+* configuration sshd et limite l'accès root à distance
+* relai de messagerie, possibilité d'altérer l'émetteur / destinataire suivant l'environnement
+* installation de quelques outils pratiques
+
+
+
+Variables
+-----------
+
+```yaml
+common_searchdomain: home.navas.rocks
+common_user_password_salt: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ [...]
+common_rootpassword: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ [...]
+```
+
+| Option | Valeur par défaut | Description |
+|---------------------------|--------------------------------|---------------------------------------------------------------------------------------------------------------|
+| common_searchdomain | | Domaine du fqdn et suffixe de recherche dns |
+| common_admin_mail | olivier+admin@navas.rocks | Adresse mail à laquelle les mails émis par le système à l'attention de comptes locaux sont réellement envoyés |
+| common_X11Forwarding | false | Active la possibilité de redirection X11 et installe les paquets nécessaires pour son fonctionnement |
+| common_postfix_mail_relay | mail.{{ common_searchdomain }} | Permet d'indiquer le serveur smtp à qui envoyer les mails émis par le relai local |
+| common_rootpassword | | Mot de passe à définir pour root |
+| common_user_password_salt | | Sel utilisé pour définir le mot de passe via le module ansible user |
+| | | |
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..99b1b00
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+common_postfix_mail_relay: mail.{{ common_searchdomain }}
+common_admin_mail: olivier+admin@navas.rocks
+common_X11Forwarding: false
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..d62e1e1
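Review bot: `common_postfix_mail_relay` is built from `common_searchdomain`, which defaults/main.yml does not define and nothing in the role asserts, so a missing value only surfaces when templates/postfix-main.cf.j2 is rendered, well after the root password and sshd tasks have already run. A comment above it such as `# common_searchdomain has no default: the caller must set it (used here and as the DNS search suffix)` makes the contract visible; an `assert` on the required variables at the top of tasks/main.yml would fail early instead. `common_admin_mail` defaults to a personal address, so any deployment that forgets to override it silently forwards its root mail there; a neutral default that forces the caller to choose would be safer.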
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: restart_sshd
+ service: name=sshd state=restarted enabled=yes
+
+- name: restart postfix
+ service: name=postfix state=restarted enabled=yes
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..1032879
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,8 @@
+galaxy_info:
+ author: Olivier Navas
+ description: tronc commun des vms
+ license: GPL-3.0-only
+ min_ansible_version: 2.9
+ galaxy_tags: []
+
+dependencies: []
diff --git a/meta/requirements.yml b/meta/requirements.yml
new file mode 100644
index 0000000..a240680
--- /dev/null
+++ b/meta/requirements.yml
@@ -0,0 +1,3 @@
+- src: willshersystems.sshd
+ version: v0.14.0
+
diff --git a/tasks/configure_postfix_relay.yml b/tasks/configure_postfix_relay.yml
new file mode 100644
index 0000000..230c685
--- /dev/null
+++ b/tasks/configure_postfix_relay.yml
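Review bot: The `restart_sshd` handler is not notified by anything in this diff — sshd is configured through the imported `willshersystems.sshd` role, which ships its own restart handler — so it is dead code here, and its name style (`restart_sshd`) differs from `restart postfix` two lines below. Either drop it or rename it `restart sshd` so both handlers follow the same convention. The `restart postfix` handler is notified from tasks/configure_postfix_relay.yml and is fine as written.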
@@ -0,0 +1,68 @@
+- name: Supprime exim
+ package:
+ name:
+ - exim4-base
+ - exim4-config
+ - exim4-daemon-light
+ state: absent
+
+- name: Installation postfix
+ package:
+ name: postfix
+ state: present
+
+- name: Configuration postfix
+ template:
+ src: postfix-main.cf.j2
+ dest: /etc/postfix/main.cf
+ notify:
+ - restart postfix
+
+- name: Configuration aliases postfix
+ template:
+ src: aliases.j2
+ dest: /etc/aliases
+ register: aliases
+ notify:
+ - restart postfix
+
+- shell: newaliases
+ when: aliases.changed
+
+- name: Configure sender_canonical_maps_regexp
+ blockinfile:
+ dest: /etc/postfix/sender_canonical_maps_regexp
+ marker: "#### {mark} SECTION CONTROLEE PAR ANSIBLE ####"
+ owner: root
+ group: root
+ mode: 0755
+ create: yes
+ block: |
+ # A completer
+ register: sender_canonical_maps_regexp
+
+- name: Configure recipient_canonical_maps_regexp
+ blockinfile:
+ dest: /etc/postfix/recipient_canonical_maps_regexp
+ marker: "#### {mark} SECTION CONTROLEE PAR ANSIBLE ####"
+ owner: root
+ group: root
+ mode: 0755
+ create: yes
+ block: |
+ # A completer
+ register: recipiend_canonical_maps_regexp
+
+- name: postmap
+ command: postmap {{ item }}
+ args:
+ chdir: /etc/postfix/
+ with_items:
+ - sender_canonical_maps_regexp
+ - recipient_canonical_maps_regexp
+ when: sender_canonical_maps_regexp.changed or recipiend_canonical_maps_regexp.changed
+ notify:
+ - restart postfix
+
+
+
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..2eae4d0
--- /dev/null
+++ b/tasks/main.yml
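Review bot: Both `blockinfile` tasks create the canonical-maps files with `mode: 0755`; they are plain Postfix lookup tables, not executables, so `mode: 0644` is the right permission. Those files are declared as `regexp:` tables in postfix-main.cf.j2, and as far as I recall Postfix reads regexp tables directly without an indexed copy, so the `postmap` task is not needed for them (run with no type prefix it builds a `.db` file nobody reads); adding `notify: - restart postfix` to the two blockinfile tasks is what actually makes Postfix pick up the edits. `register: recipiend_canonical_maps_regexp` is misspelled — it is consistent with the `when:` below so it works, but `recipient_…` is less surprising to the next reader. The `newaliases` task has no `name`, and `command: newaliases` suffices since nothing in it needs a shell.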
@@ -0,0 +1,75 @@
+- name: definit le mdp de root
+ user:
+ name: root
+ state: present
+ password: "{{ _pwd | password_hash('sha512', common_user_password_salt) }}"
+ vars:
+ _pwd: "{{ common_rootpassword }}"
+
+- name: Installation nftables
+ package: name=nftables state=present
+
+- name: Activation nftables
+ service:
+ name: nftables
+ state: started
+ enabled: yes
+
+- name: installe paquets pratiques
+ package:
+ state: present
+ name:
+ - rsyslog
+ - vim
+ - net-tools
+ - sysstat
+ - nano
+ - iotop
+ - htop
+ - tcpdump
+ - traceroute
+ - mlocate
+ - telnet
+ - wget
+ - python3
+ - figlet
+
+- name: Configuration ssh
+ import_role:
+ name: willshersystems.sshd
+ vars:
+ sshd_skip_defaults: false
+ sshd:
+ ListenAddress:
+ - "0.0.0.0"
+ - "::"
+ PermitRootLogin: without-password
+ X11Forwarding: "{{ common_X11Forwarding }}"
+
+- name: horodatage history
+ template: src=historytime.sh dest=/etc/profile.d/historytime.sh
+
+- import_tasks: configure_postfix_relay.yml
+ tags: configure_postfix_relay
+
+
+- name: motd colors
+ template:
+ src: update-motd.d/colors
+ dest: /etc/update-motd.d/
+
+- name: configure motd
+ template:
+ src: update-motd.d/{{ item }}
+ dest: /etc/update-motd.d/
+ mode: 0755
+ with_items:
+ - 01-linebreak
+ - 05-header
+ - 10-uname
+ - 15-linebreak
+ - 20-sysinfo
+ - 30-upgrades
+ - 50-linebreak
+
+
diff --git a/templates/aliases.j2 b/templates/aliases.j2
new file mode 100644
index 0000000..e87e517
--- /dev/null
+++ b/templates/aliases.j2
@@ -0,0 +1,17 @@
+#
+# {{ ansible_managed }}
+#
+mailer-daemon: postmaster
+postmaster: root
+nobody: root
+hostmaster: root
+usenet: root
+news: root
+webmaster: root
+www: root
+ftp: root
+abuse: root
+noc: root
+security: root
+
+root: {{ common_admin_mail }}
diff --git a/templates/historytime.sh b/templates/historytime.sh
new file mode 100644
index 0000000..5f660a4
--- /dev/null
+++ b/templates/historytime.sh
@@ -0,0 +1,2 @@
+# {{ ansible_managed }}
+export HISTTIMEFORMAT="%F %T: "
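Review bot: `PermitRootLogin: without-password` is the pre-OpenSSH-7.0 spelling that current releases keep only as an alias; `PermitRootLogin: prohibit-password` states the intent (key-only root login) explicitly and matches what the README promises. `nftables` is installed and enabled, but no ruleset is deployed in this diff, so the service starts with the distribution's stock `/etc/nftables.conf` — on Debian that is, if I remember the package correctly, an empty accept-all skeleton — and enabling it gives no filtering until rules are shipped; a comment like `# TODO: deploy a ruleset, the default nftables.conf filters nothing` would keep this task from being read as hardening. The README lists sudo configuration among the services, but no task in this file configures sudo. `templates/hosts` is added by this commit yet no task references it.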
diff --git a/templates/hosts b/templates/hosts
new file mode 100644
index 0000000..0501069
--- /dev/null
+++ b/templates/hosts
@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+127.0.0.1 localhost
+
+# The following lines are desirable for IPv6 capable hosts
+::1 ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts
+
diff --git a/templates/postfix-main.cf.j2 b/templates/postfix-main.cf.j2
new file mode 100644
index 0000000..ec3ca64
--- /dev/null
+++ b/templates/postfix-main.cf.j2
@@ -0,0 +1,22 @@
+# {{ ansible_managed }}
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+append_dot_mydomain = no
+
+readme_directory = no
+
+compatibility_level = 2
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+relayhost = {{ common_postfix_mail_relay }}
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+inet_interfaces = all
+inet_protocols = all
+
+# reecritures d'adresses si besoin
+sender_canonical_maps = regexp:/etc/postfix/sender_canonical_maps_regexp
+recipient_canonical_maps = regexp:/etc/postfix/recipient_canonical_maps_regexp
diff --git a/templates/update-motd.d/01-linebreak b/templates/update-motd.d/01-linebreak
new file mode 100755
index 0000000..ff22b1d
--- /dev/null
+++ b/templates/update-motd.d/01-linebreak
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+echo "-----------------------------------------------------------------"
diff --git a/templates/update-motd.d/05-header b/templates/update-motd.d/05-header
new file mode 100755
index 0000000..89bb933
--- /dev/null
+++ b/templates/update-motd.d/05-header
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+. /etc/update-motd.d/colors
+
+printf $LIGHT_RED
+figlet " "$(hostname -s)
+printf $NONE
diff --git a/templates/update-motd.d/10-uname b/templates/update-motd.d/10-uname
new file mode 100755
index 0000000..a475a5f
--- /dev/null
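Review bot: `templates/hosts` is never referenced by tasks/main.yml or tasks/configure_postfix_relay.yml, so the file is shipped with the role but never deployed; either add the `template` task that installs it or drop it. If it is meant to replace `/etc/hosts`, note it carries no entry for the host's own FQDN, which `hostname -f` (used by 20-sysinfo) presumably falls back on when DNS is unavailable — worth confirming before wiring it up.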
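Review bot: `inet_interfaces = all` makes smtpd listen on every interface, while `mynetworks` trusts only loopback and the README describes a relay for locally generated mail; `inet_interfaces = loopback-only` matches that intent and removes the listening socket from the network entirely. Nothing sets `smtp_tls_security_level`, and Postfix's built-in default is no TLS, so mail handed to `relayhost` leaves in clear text; `smtp_tls_security_level = may` (or `encrypt`, since the relay is a known host) is worth adding next to `relayhost`. `smtpd_banner` also advertises `$mail_name (Debian/GNU)`, which is harmless but not needed on a relay-only host.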
+++ b/templates/update-motd.d/10-uname
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+. /etc/update-motd.d/colors
+
+echo $DISTRIB_DESCRIPTION $YELLOW "$(lsb_release -ds)" $NONE "($(uname -o)" "$(uname -r)" "$(uname -m))"
diff --git a/templates/update-motd.d/15-linebreak b/templates/update-motd.d/15-linebreak
new file mode 100755
index 0000000..ff22b1d
--- /dev/null
+++ b/templates/update-motd.d/15-linebreak
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+echo "-----------------------------------------------------------------"
diff --git a/templates/update-motd.d/20-sysinfo b/templates/update-motd.d/20-sysinfo
new file mode 100755
index 0000000..b891d38
--- /dev/null
+++ b/templates/update-motd.d/20-sysinfo
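Review bot: `$DISTRIB_DESCRIPTION` is never defined — `colors` is the only file sourced and it sets no such variable — so the `echo` starts with an empty field; it looks like a leftover from sourcing `/etc/lsb-release`, and either sourcing that file or dropping the variable removes the dead reference. `lsb_release` is provided by the `lsb-release` package, which the package list in tasks/main.yml does not install, so on a minimal image this line may print an error instead of the distribution name; adding the package or reading `PRETTY_NAME` from `/etc/os-release` avoids the dependency.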
@@ -0,0 +1,93 @@
+#!/bin/bash
+
+. /etc/update-motd.d/colors
+
+warnvalue(){
+value=$1
+limit=$2
+if [ $value -gt $limit ]
+then
+ echo -n "$RED_BACK$value"
+else
+ echo -n "$NONE$value"
+fi
+}
+
+printloadavg() {
+read one five fifteen rest < /proc/loadavg
+echo -e "$LIGHT_GREEN Charge CPU :$NONE $one (1min) / $five (5min) / $fifteen (15min)"
+}
+
+
+printcpu() {
+proc=$(cat /proc/cpuinfo | grep model | cut -c14- | sed -n "2 p")
+proc=$(echo "${proc}" | sed 's/^ *//g')
+cores=$(cat /proc/cpuinfo | grep -i "^processor" | wc -l)
+echo -e "$LIGHT_GREEN Processeur :$NONE $proc ($cores cores)"
+}
+
+printram(){
+memfree=$(cat /proc/meminfo | grep MemAvailable | awk {'print $2'})
+memtotal=$(cat /proc/meminfo | grep MemTotal | awk {'print $2'})
+mempctused=$((($memtotal - $memfree) * 100 / $memtotal))
+swaptotal=$(cat /proc/meminfo | grep SwapTotal | awk {'print $2'})
+swapfree=$(cat /proc/meminfo | grep SwapFree | awk {'print $2'})
+swappctused=$((($swaptotal - $swapfree) * 100 / $swaptotal))
+
+echo -n -e "$LIGHT_GREEN RAM usage : $(warnvalue $mempctused 80)%$NONE / $(($memtotal/1024)) MB Total"
+echo -e "$LIGHT_GREEN Swap usage : $(warnvalue $swappctused 50)%$NONE / $(($swaptotal/1024)) MB Total"
+}
+
+printprocesses(){
+process=$(ps ax | wc -l | tr -d " ")
+echo -e "$LIGHT_GREEN Processus :$NONE $process"
+}
+
+printloggedin(){
+connecteduser=$(who | wc -l)
+echo -e "$LIGHT_GREEN Utilisateurs connectes :$NONE $connecteduser"
+}
+
+printserverid(){
+fqdn=$(hostname -f)
+addrip=$(hostname -I)
+echo -e "$LIGHT_GREEN FQDN :$NONE $fqdn$LIGHT_GREEN Adresse IP :$NONE $addrip"
+}
+
+printuptime(){
+uptime=$(uptime -p)
+echo -e "$LIGHT_GREEN Uptime :$NONE $uptime"
+last -x 2> /dev/null | grep reboot 1> /dev/null && /usr/bin/last -x 2> /dev/null | grep reboot | head -2 | sed 's/^/ /g' || echo " Pas de shutdown enregistré"
+last -x 2> /dev/null|grep shutdown 1> /dev/null && /usr/bin/last -x 2> /dev/null|grep shutdown|head -2 | sed 's/^/ /g' || echo " Pas de shutdown 
enregistré"
+}
+
+
+printdiskline() {
+pattern=$1
+diskused=$(df -h | grep $pattern | awk {'print $5'} | tr -d "%")
+disktotal=$(df -h | grep $pattern | awk {'print $2'})
+inodesused=$(df -i | grep $pattern | awk {'print $5'} | tr -d "%")
+echo -n -e "$LIGHT_GREEN Disque$YELLOW $pattern$LIGHT_GREEN\t: $(warnvalue $diskused 90)% / $disktotal$NONE"
+echo -e "\t$LIGHT_GREEN Inodes$LIGHT_GREEN\t: $(warnvalue $inodesused 90)%$NONE"
+}
+
+printdisklines() {
+for disk in $(mount |grep /dev/mapper/system | cut -d ' ' -f 1)
+do
+ printdiskline $disk
+done
+for disk in $(mount |grep /dev/mapper/data | cut -d ' ' -f 1)
+do
+ printdiskline $disk
+done
+}
+
+
+printserverid
+printcpu
+printloadavg
+printram
+printprocesses
+printloggedin
+printuptime
+printdisklines
diff --git a/templates/update-motd.d/30-upgrades b/templates/update-motd.d/30-upgrades
new file mode 100755
index 0000000..a55f873
--- /dev/null
+++ b/templates/update-motd.d/30-upgrades
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+. /etc/update-motd.d/colors
+
+n=$(apt-get -qq --just-print dist-upgrade | cut -f 2 -d " " | sort -u | wc -l)
+if [[ $n -gt 0 ]]
+then
+ printf " $CYAN%s packages attendent d'être mis à jour.$NONE\n" "$n"
+fi
+
+n=$(apt-get -qq --just-print autoremove | cut -f 2 -d " " | sort -u | wc -l)
+if [[ $n -gt 0 ]]
+then
+ printf " $CYAN%s packages installés comme dépendances pourraient être supprimés.$NONE\n" "$n"
+fi
+
diff --git a/templates/update-motd.d/50-linebreak b/templates/update-motd.d/50-linebreak
new file mode 100755
index 0000000..ff22b1d
--- /dev/null
+++ b/templates/update-motd.d/50-linebreak
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+echo "-----------------------------------------------------------------"
diff --git a/templates/update-motd.d/colors b/templates/update-motd.d/colors
new file mode 100644
index 0000000..6d7dd67
--- /dev/null
+++ b/templates/update-motd.d/colors
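Review bot: `printram` divides by `$swaptotal`, which is 0 on a host without swap, so the arithmetic fails with a division-by-zero error at every login; `swappctused=$(( swaptotal > 0 ? (swaptotal - swapfree) * 100 / swaptotal : 0 ))` keeps it safe. `warnvalue` tests `[ $value -gt $limit ]` unquoted, so an empty value — for example when the `df` pattern in `printdiskline` matches nothing — becomes a test syntax error rather than a blank field; quoting as `[ "${value:-0}" -gt "$limit" ]` handles it. In `printuptime` the reboot line falls back to "Pas de shutdown enregistré", which reads like a copy of the shutdown line below it. `grep $pattern` in `printdiskline` is an unanchored substring match on `df` output, so a volume named like `/dev/mapper/system` would also match any longer name sharing that prefix; `awk -v p="$pattern" '$1 == p'` matches the device column exactly.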
@@ -0,0 +1,19 @@
+# Reset Colors
+NONE="\033[m"
+
+# Colors
+WHITE="\033[1;37m"
+GREEN="\033[1;32m"
+RED="\033[0;32;31m"
+RED_BACK="\033[37;41m"
+YELLOW="\033[1;33m"
+BLUE="\033[34m"
+CYAN="\033[36m"
+LIGHT_GREEN="\033[1;32m"
+LIGHT_RED="\033[1;31m"
+
+# Bold
+BOLD="\033[1m"
+
+# Underline
+UNDERLINE="\033[4m"
diff --git a/tests/inventory b/tests/inventory
new file mode 100644
index 0000000..878877b
--- /dev/null
+++ b/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+
diff --git a/tests/test.yml b/tests/test.yml
new file mode 100644
index 0000000..31cf1ac
--- /dev/null
+++ b/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - common
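Review bot: `RED="\033[0;32;31m"` sets green (`32`) and then red (`31`) in the same sequence; the last attribute wins so it renders red, but `RED="\033[0;31m"` says what is meant and matches the other definitions. Every motd script runs this file with `.` as root at login, so it should stay root-owned and not group/world-writable; the `motd colors` task in tasks/main.yml sets no `owner`/`group`/`mode`, so that currently depends on the module's defaults rather than being stated.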
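Review bot: The test play applies the role without providing `common_rootpassword`, `common_user_password_salt` or `common_searchdomain`, none of which have defaults, so the first task (`definit le mdp de root`) fails on an undefined variable before anything else is exercised. Supplying throwaway values under `vars:` in this play (or a `tests/vars.yml`) is needed for it to work as a smoke test. Because it targets `localhost` as `remote_user: root`, a successful run would also rewrite the root password and sshd configuration of the machine running the test, so a disposable VM or container inventory is the safer target.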