Added playbooks for provisioning a backup server with SFTP, TFTP, SCP, OMG, WTF

2023-11-13 15:18:28 +00:00 · 2023-11-13 15:18:28 +00:00 · 2f092d625c
commit 2f092d625c
parent 5d8d76fa5c
10 changed files with 215 additions and 28 deletions
--- a/dnaclab_linux/inventory.yml
+++ b/dnaclab_linux/inventory.yml
@ -1,29 +1,25 @@
 ---
 all:
  children:
-    services:
+    services_hosts:
      hosts:
        ubuntu.dnaclab.net:
-    developer:
+        staging.dnaclab.net:
+    developer_hosts:
      hosts:
        developer.dnaclab.net:
+        developer2.dnaclab.net:
    gitlab:
      hosts:
        gitlab.dnaclab.net:
-    ansibletower:
+    backup_hosts:
      hosts:
-        ansibletower.dnaclab.net:
+        backups.dnaclab.net:
    kubernetes:
      hosts:
        10.221.0.130:
        10.221.0.131:
        10.221.0.132:
-    staging:
-      hosts:
-        10.221.0.105:
-    developer2:
-      hosts:
-        developer2.dnaclab.net:
    kubernetes_dev:
      hosts:
        172.16.1.130:
--- a/dnaclab_linux/prestage_backup.yml
+++ b/dnaclab_linux/prestage_backup.yml
@ -0,0 +1,8 @@
+---
+- name: Prestage server(s) with the NCA Automation team users
+  hosts: backup_hosts
+  roles: 
+    - ncafsa-backup
+  become: yes
+  vars_files:
+    - global_vars/main.yml
--- a/dnaclab_linux/prestage_users.yaml
+++ b/dnaclab_linux/prestage_users.yaml
@ -1,6 +1,6 @@
 ---
 - name: Prestage server(s) with the NCA Automation team users
-  hosts: ansibletower
+  hosts: backup_hosts
  roles: 
    - ncafsa-users
  become: yes
--- a/dnaclab_linux/roles/ncafsa-backup/tasks/main.yaml
+++ b/dnaclab_linux/roles/ncafsa-backup/tasks/main.yaml
@ -0,0 +1,45 @@
+---
+- name: Create account for backup services
+  ansible.builtin.user:
+    name: "{{ item }}"
+    password: "{{ password }}"
+    shell: /bin/bash
+  loop: "{{ services }}"
+
+- name: Create backup directory tree 
+  ansible.builtin.file:
+    path: "/backups/{{ item }}"
+    state: directory
+    owner: "{{ item }}"
+    group: "{{ item }}"
+  loop: "{{ services }}"
+
+- name: Install NFS, SFTP and TFTP services
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    state: present
+  loop:
+    - nfs-kernel-server
+    - openssh-server 
+    - tftpd-hpa
+
+- name: Configure SFTP for ISE backups
+  ansible.builtin.template:
+    src: sftp.conf.j2
+    dest: /etc/ssh/sshd_config
+  vars:
+    user: "ise"
+
+- name: Fix permissions for SFTP folder
+  ansible.builtin.file:
+    path: "/backups/{{ user }}"
+    state: directory
+    owner: root
+    group: root
+  vars:
+    user: "ise"
+
+- name: Restart SSH service (allows SFTP changes to work)
+  ansible.builtin.service:
+    name: ssh
+    state: restarted
--- a/dnaclab_linux/roles/ncafsa-backup/templates/sftp.conf.j2
+++ b/dnaclab_linux/roles/ncafsa-backup/templates/sftp.conf.j2
@ -0,0 +1,131 @@
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem       sftp    /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#       X11Forwarding no
+#       AllowTcpForwarding no
+#       PermitTTY no
+#       ForceCommand cvs server
+
+Match User {{ user }}
+    ForceCommand internal-sftp
+    PasswordAuthentication yes
+    ChrootDirectory /backups/{{ user }}
+    PermitTunnel no
+    AllowAgentForwarding no
+    AllowTcpForwarding no
+    X11Forwarding no
--- a/dnaclab_linux/roles/ncafsa-backup/vars/main.yaml
+++ b/dnaclab_linux/roles/ncafsa-backup/vars/main.yaml
@ -0,0 +1,6 @@
+services:
+  - dnac
+  - ise
+  - tftp
+  - other
+password: $6$rounds=656000$mysecretsalt$VvhQ/hNVWpgVuv9MXN0zFAGMLloWYezEPvgG/oyFsaTJxmiZWintigtbssQ8zRdH4CjkB6obYcAOASlw2yutl/
--- a/dnaclab_linux/update.yml
+++ b/dnaclab_linux/update.yml
@ -1,6 +1,6 @@
 ---
 - name: Update and upgrade packages on Ubuntu VMs
-  hosts: kubernetes-dev
+  hosts: backup_hosts
  become: yes
  vars_files:
    - global_vars/main.yml
--- a/ios_devices/device_audit.yml
+++ b/ios_devices/device_audit.yml
@ -3,7 +3,7 @@
 ## for devices which feature VRFs or multi-instance capabilities.

 - name: Audit devices and print key information
-  hosts: baguleykit
+  hosts: evengkit
  gather_facts: false
  connection: network_cli
  roles:
@ -47,4 +47,4 @@

    - name: Print device information
      debug:
-        var: runtime_information.stdout_lines[4]
+        var: runtime_information.stdout_lines[4]
--- a/ios_devices/inventory.yml
+++ b/ios_devices/inventory.yml
@ -7,4 +7,5 @@ homekit:
    192.168.1.60:
 evengkit:
  hosts:
-    172.16.1.239:
+    10.3.0.101:
+    10.3.0.102:
--- a/ios_devices/roles/common/vars/main.yml
+++ b/ios_devices/roles/common/vars/main.yml
@ -1,14 +1,14 @@
 $ANSIBLE_VAULT;1.1;AES256
-36666363353431303563373132653732303830323865333734636561616465306661346338393766
-3462656233353031396533363133386439363133363563310a336263303535363666653838393835
-39303964323662653463633933336434396234653738343636373566636365363265333062656532
-3030383335306537320a616262613366303235643331616166643932306164636235393530636163
-33666163663931636363353831316564333931663763613130363766666363313534623166313631
-32636162646334343439623566353063373633306537313864613637373730393561626635323536
-64393730386432356337373637343834313634386430643137343463306135653939303931333666
-61653266663230323437343433626330303433656335363963356339356134653933646264383439
-61613730353761316332633961343939653863326639343164623261303939396561333262326337
-35333437653136653434393265333165666365353765666662396434303933623564346232653331
-32386339646266343764646462653336356261376235626263653430636436306235623035396366
-32363130613536353835613430643865346630366434353032366565353535313536653463313134
-3532
+35393738393862623261626334653837633235366266636332383535623733343636613830303634
+3464643164383564393538643832656133373637306563660a323862313736353430623532306336
+36363165646565643038663938633131343637613238646562323865633065653438656630626339
+3332633937373237380a623238623137396637623137373765333936376535313731326139633266
+61303937626264383735383361653532396338626332383362306634616136303030353963653232
+39313837346634663431323139666632393733643663313131306535656161383334383233373031
+39386533636163666531633733303564393937323664633232626565623931326332386436366239
+63353164363864613366663161326434366638633535643565346462346136343039633531363766
+61323131626361386363613338656362353436313530383562373439663034333933323330386638
+36303434366238373335633165343737373632643838663264376536653837633331643738323039
+66376636666462616137633762376230333639346631336231313336373330393439356539373762
+38613038636366613634396263303238666535386138626363373065353136323163393534663830
+3063