vlad/ansible_cache
vlad/ansible_cache
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Completed 'services' role + tested on empty node. I also moved task from the main playbook to the 'common' role to better reflect the actions taken by each role

Browse Source
This commit is contained in:
Vlad Raducanu 2022-06-28 22:01:26 +01:00
parent cb9f425c9b
commit b7c93028e3
11 changed files with 276 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
dnaclab_linux/ansible.cfg
View File

@ -1,2 +0,0 @@
[defaults]
private_key_file = /home/vlad/.ssh/id_rsa

0
dnaclab_linux/configuration_files/ntp.conf
View File

1
dnaclab_linux/inventory.yml
View File

@ -22,3 +22,4 @@
telemetry.dnaclab.net: telemetry.dnaclab.net:
developer.dnaclab.net: developer.dnaclab.net:
gitlab.dnaclab.net: gitlab.dnaclab.net:
test.dnaclab.net:

29
dnaclab_linux/prestage.yml
View File

@ -1,6 +1,11 @@
# This playbook is an example of how to manage linux servers with Ansible playbooks. It consists of multiple roles
# which are read in sequence and run through their tasks (defined in the 'roles/xxxx/tasks/main.yml' file - 'xxxx' being the name of the role)
# The playbook requires the target hosts to have a user with sudo privileges configured - add the credentials of this user to the encrypted
# 'roles/common/vars/main.yml' file using the function 'ansible-vault edit'
--- ---
- name: Prestage server and install services [SYSLOG, FTP, TFTP, NTP] - name: Prestage server(s) with the following roles {{ ansible_play_role_names }}
hosts: services hosts: test
roles: roles:
- common - common
- services - services
@ -8,26 +13,6 @@
tasks: tasks:
- name: Update and upgrade current packages
apt:
update_cache: yes
upgrade: yes
- name: Create a new regular user with sudo privileges
user:
name: "{{ create_user }}"
state: present
groups: sudo
append: true
create_home: true
shell: /bin/bash
- name: Set authorized key for remote user
authorized_key:
user: "{{ create_user }}"
state: present
key: "{{ copy_local_key }}"
- name: Send Webex Teams message via BOT to confirm playbook completion - name: Send Webex Teams message via BOT to confirm playbook completion
community.general.cisco_webex: community.general.cisco_webex:
recipient_type: toPersonEmail recipient_type: toPersonEmail

21
dnaclab_linux/roles/common/tasks/main.yml Normal file
View File

@ -0,0 +1,21 @@
---
- name: Update and upgrade current packages
ansible.builtin.apt:
update_cache: yes
upgrade: yes
- name: Create a user with sudo privileges which will be used for managing the host via SSH
ansible.builtin.user:
name: "{{ local_user }}"
state: present
groups: sudo
append: true
create_home: true
shell: /bin/bash
password: "{{ local_password }}"
- name: Set authorized key for remote SSH access (passwordless login)
ansible.posix.authorized_key:
user: "{{ local_user }}"
state: present
key: "{{ local_key }}"

52
dnaclab_linux/roles/common/vars/main.yml
View File

@ -1,25 +1,29 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
37306465323037623364336366393036643966666232653964313436383333633133353232636166 32623135623032666634373536313037663734313837316335613936383235393038373434366236
3232373132386263633466643139313732656537383239310a303935333732353632383736356235 3034643538666133396565626235616133646138613931660a383037323333373161616436613639
61326134633862343632343035646637306135646532353264363533383233663034623162663263 61663131636637376531646438643166316439643339333433343665303438336163633638316364
6235616361396435310a313862636162316238336237383938613139366534616537343638306237 3534353732666636360a323866656461633461386130663263616132646631383736303864393532
63616535313636303666616137336366626561393162336134656166313837633933326631363430 63346661653135313636646233396166323630633535643735653965313637353538393634336161
39656335303261656637626663383065633265306438323839373239663634316439623730303532 39353736353262373139653763646539323030646432633730333334393562306361626637376163
65383231393738633436356139633665316533383734316434313430393163396636613366373435 63343331646236323232393832373037616333333334643630633262333536323563623032373136
30613839633164363032333434643738353335363666326430396461633331623532346465323361 35663333306264616564343263663930393562356465623232386536656434613664316335303933
37356136306466663132383133653435666666383831646262356166633737656266376135653530 64623238323836336538303361663965316136383533666533306235373663646338313164633534
31363531663366623539363963363766633264356363636133343938323738376630333664666535 32346632386164376630646662336436373036653330643137336233613236633335393939333839
32386230633461623164373338373032313635393137366131336633366137396135343665633330 32313066316631366632386234323862386535343964346261633362386331653130396437643930
33633336386633373437393939343430623164626534633264333031323633613666363738653764 61363265356236343639663931643835646261633038356133613964336466396532633436653939
35373565636233336639393463306534326536383438656334343733333036346463613962643066 35363133343634383638363265636261393761653262353035376339333661386262393966343234
36396634336366396533353038356361326437646538313464653438353231653636366334336437 32326136343233356534316562343132303963323862343038613734356436303865356334643031
34313334326539326338343036633732666465653662373961653566663361396231666566343064 32326335633237353563383166666165373232653134643263386536386638633636336662336166
37633133343463633833643735333637333531326161356263643261653462643362386336623961 37313464323961363237306331373132613962636162303561333836656361653732666563363563
35623864346665633130306233356133346633646238353839393136353439383266343732666535 66376231306539613666363534656263366534303066636166336633656136313531333638386437
63613634663962636436653639396266343166363362663161633562623136343363373037633437 33393462663161336630623532313934373535383130373735633632623032336366616164333233
65386432333634343437313139323466666635313330323831313034616230636465353236383635 63366463623838363638613463633134353830353537636630343636333161616333303862623534
35393138363462333839616261306361386466386662323835376436323462326238363161623339 62633134303939366339616530366634366339643935623265636639323533336530663030383031
64636661623431336266356531373736636337316462333266623266643031613533343632643731 39313061626366656431636533643037323439663463653033343735306632333433663231393332
65653337393562636635326262663639353037336231323332313364616438366362623238393262 32346539643064653662323766653765653235633935643530343031666637636563656339313137
39633134313262616639633637386339353761343339646632356436303061613662643738323736 64316164636136666139393762336530373365616563306231396531373031633337383864643361
36656337333134306363 66663539303532656335373139656634363539646533393932326462623163653034383036636333
62343830343136306565303934383464333233633265386635313066646635663664326135663836
32356433353832323736363939343165346130363031373731366532313137653435393534393030
37326635656537366339326538653238353534313934303632343361383164633037353136613562
37383166653735303330

60
dnaclab_linux/roles/services/files/ntp.conf Normal file
View File

@ -0,0 +1,60 @@
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntp/ntp.drift
# Leap seconds definition provided by tzdata
leapfile /usr/share/zoneinfo/leap-seconds.list
# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# Specify one or more NTP servers.
# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
# more information.
pool pool.ntp.org
server 0.uk.pool.ntp.org iburst
server 1.uk.pool.ntp.org
server 127.0.0.1
# Use Ubuntu's ntp server as a fallback.
pool ntp.ubuntu.com
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
# Needed for adding pool entries
restrict source notrap nomodify noquery
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

55
dnaclab_linux/roles/services/files/syslog-ng-network-devices.conf Normal file
View File

@ -0,0 +1,55 @@
#Options
options {
create-dirs(yes);
owner(administrator);
group(administrator);
perm(0640);
dir-owner(administrator);
dir-group(administrator);
dir-perm(0750);
};
#Sources
source s_regular { tcp(port(5140)); };
source s_cisco { tcp(port(5141) flags(no-parse,store-raw-message)); };
source s_servers { tcp(port(5142) flags(no-parse,store-raw-message)); };
#Templates
template t_jsonfile {
template("$(format-json --scope rfc5424 --scope dot-nv-pairs --rekey .* --shift 1 --scope nv-pairs --key ISODATE)\n");
};
#Parsers
parser p_cisco { cisco-parser(); };
#Destinations
destination d_raw {
file("/home/administrator/Desktop/SYSLOG/RAW_LOGS/$HOST-$YEAR-$MONTH-$DAY.log" template("${RAWMSG}\n"));
};
destination d_from_cisco {
file("/home/administrator/Desktop/SYSLOG/CISCO_DEVICES/$HOST-$YEAR-$MONTH-$DAY.log" template(t_jsonfile));
};
destination d_from_servers {
file("/home/administrator/Desktop/SYSLOG/SERVERS/$HOST-$YEAR-$MONTH-$DAY.log" );
};
#Loggers
log {
source(s_regular);
destination(d_raw);
};
log {
source(s_cisco);
parser(p_cisco);
destination(d_from_cisco);
};
log {
source(s_servers);
destination(d_from_servers);
};

6
dnaclab_linux/roles/services/files/tftpd-hpa Normal file
View File

@ -0,0 +1,6 @@
# /etc/default/tftpd-hpa
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/home/administrator/Desktop/TFTP"
TFTP_ADDRESS=":69"
TFTP_OPTIONS="--secure --create"

46
dnaclab_linux/roles/services/files/vsftpd.conf Normal file
View File

@ -0,0 +1,46 @@
listen=YES
listen_ipv6=NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/sftp.ubuntu.dnaclab.net.pem
rsa_private_key_file=/etc/ssl/private/sftp.ubuntu.dnaclab.net.key
ssl_enable=NO
pasv_enable=YES
pasv_min_port=10000
pasv_max_port=10100
allow_writeable_chroot=YES
# Below verbose log is for transfer/upload, formatted for common tools stats.
# Use command: tail -f /var/log/xferlog
xferlog_enable=YES
xferlog_file=/var/log/xferlog
xferlog_std_format=YES
# Below verbose log is for FTP commands and responses.
# By default, logs were written to syslog instead of file.
# Use command: tail -f /var/log/vsftpd.log
# Use command: logread -f
log_ftp_protocol=YES
vsftpd_log_file=/var/log/vsftpd.log
syslog_enable=YES
# Allow log 1 and 2 to be written simultaneously.
dual_log_enable=YES
#Directory configuration and user access
local_root=/home/administrator/Desktop/SFTP
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO

59
dnaclab_linux/roles/services/tasks/main.yml
View File

@ -1,17 +1,17 @@
--- ---
- name: Install required packages - name: Install required packages
apt: ansible.builtin.apt:
name: "{{ item }}" name: "{{ item }}"
loop: loop:
- curl - curl
- tree - tree
- ufw
- ntp
- tftpd-hpa
- syslog-ng - syslog-ng
- vsftpd - vsftpd
- tftpd-hpa
- ntp
- ufw
- name: Configure UFW to allow inbound NTP, SSH, SYSLOG, FTP connections - name: Configure UFW to allow inbound NTP, SSH, SYSLOG, FTP and TFTP connections
community.general.ufw: community.general.ufw:
rule: allow rule: allow
direction: in direction: in
@ -37,7 +37,7 @@
- port: '5142' - port: '5142'
proto: tcp proto: tcp
- name: UFW - Deny all other incoming traffic by default - name: Deny all other incoming IPv4 traffic
community.general.ufw: community.general.ufw:
state: enabled state: enabled
policy: deny policy: deny
@ -51,9 +51,54 @@
- name: Apply NTP configuration file - name: Apply NTP configuration file
ansible.builtin.copy: ansible.builtin.copy:
src: ./configuration_files/ntp.conf src: ntp.conf
dest: /etc/ntp.conf dest: /etc/ntp.conf
owner: root owner: root
group: root group: root
mode: '0644' mode: '0644'
backup: yes backup: yes
- name: Apply TFTP configuration file
ansible.builtin.copy:
src: tftpd-hpa
dest: /etc/default/tftpd-hpa
owner: root
group: root
mode: '0644'
backup: yes
- name: Create TFTP directory
ansible.builtin.file:
path: "/home/{{ ansible_user }}/Desktop/TFTP"
state: directory
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: '0777'
- name: Apply SYSLOG configuration file
ansible.builtin.copy:
src: syslog-ng-network-devices.conf
dest: /etc/syslog-ng/conf.d/syslog-ng-network-devices.conf
owner: root
group: root
mode: '0644'
backup: yes
- name: Apply FTP configuration file
ansible.builtin.copy:
src: vsftpd.conf
dest: /etc/vsftpd.conf
owner: root
group: root
mode: '0644'
backup: yes
- name: Enable installed services
ansible.builtin.service:
name: "{{ item }}"
enabled: yes
loop:
- ntp
- tftpd-hpa
- syslog-ng
- vsftpd