Cleanup

99685bee · Tom Teichler · ae4b7813 · ae4b7813 · ae4b7813 · ae4b7813
Commit 99685bee authored 3 years ago by Tom Teichler
--- a/play.sh
+++ b/play.sh
-#!/bin/sh
-echo "Bitte nur noch foreman nutzen! https://foreman.teckids.org"
--- a/roles/common/meta/packages/blocked
+++ b/roles/common/meta/packages/blocked
-exim4
-exim4-config
-network-manager
-os-prober
-sl
--- a/roles/common/meta/packages/essential
+++ b/roles/common/meta/packages/essential
-acl
-audispd-plugins
-auditd
-bc
-bind9-host
-bsd-mailx
-bsdmainutils
-byobu
-ca-certificates
-console-data
-curl
-devscripts
-dnsutils
-eatmydata
-emacs-nox
-haveged
-htop
-iotop
-iputils-ping
-joe
-jupp
-less
-locales-all
-lsof
-ltrace
-lynx
-mc
-mksh
-mosh
-mtr-tiny
-nano
-ncdu
-netcat-openbsd
-ntp
-popularity-contest
-postfix
-pv
-pwgen
-reportbug
-rsync
-rsyslog
-rsyslog-relp
-screen
-sharutils
-ssh
-strace
-sudo
-tig
-vim-nox
-vrms
-wget
-zsh
-zsh-autosuggestions
-zsh-syntax-highlighting
--- a/roles/common/meta/packages/monitoring
+++ b/roles/common/meta/packages/monitoring
--- a/roles/common/meta/packages/servers
+++ b/roles/common/meta/packages/servers
-apt-listchanges
-atop
-debsums
-dehydrated
-dnsutils
-etckeeper
-git-email
-mlocate
-molly-guard
-needrestart
-unattended-upgrades
--- a/roles/common/tasks/base.yaml
+++ b/roles/common/tasks/base.yaml
- name: Add backports
-  ansible.builtin.apt_repository:
-    repo: deb http:/httpredir.debian.org/debian/ bullseye-backports main
-    state: present
-    filename: 'backports'
- name: Install essential packages
-  ansible.builtin.package: name={{ item }} state=present
-  with_lines: cat "../meta/packages/essential"
- name: Install server packages
-  ansible.builtin.package: name={{ item }} state=present
-  with_lines: cat "../meta/packages/servers"
- name: Uninstall blocked packages
-  ansible.builtin.package: name={{ item }} state=absent
-  with_lines: cat "../meta/packages/blocked"
- name: Install etckeeper mail hook
-  ansible.builtin.copy:
-    src: ../files/etckeeper-post-commit
-    dest: /etc/.git/hooks/post-commit
-    mode: 0755
- name: Ignore keytab in etckeeper
-  ansible.builtin.lineinfile:
-    path: /etc/.gitignore
-    insertafter: 'managed by'
-    line: 'krb5.keytab'
- name: Set root alias
-  ansible.builtin.lineinfile:
-    path: /etc/aliases
-    regexp: '^root'
-    line: 'root: root@teckids.org'
- name: Enable unattended security updates
-  ansible.builtin.debconf:
-    name: unattended-upgrades
-    question: "unattended-upgrades/enable_auto_updates"
-    value: true
-    vtype: boolean
-  notify: reconfigure unattended-upgrades
- name: Enable popularity contest
-  ansible.builtin.debconf:
-    name: popularity-contest
-    question: "popularity-contest/participate"
-    value: true
-    vtype: boolean
-  notify: reconfigure popularity-contest
- name: Install DNS key for dehydrated
-  ansible.builtin.copy:
-    src: ../files/tmp/acme.key
-    dest: /etc/dehydrated/acme.key
-    mode: 0640
- name: Install dehydrated config
-  ansible.builtin.copy:
-    src: ../files/dehydrated.conf
-    dest: /etc/dehydrated/conf.d/zzz-local.sh
-    mode: 0644
- name: Install dehydrated DNS update hook
-  ansible.builtin.copy:
-    src: ../files/dehydrated-dns.sh
-    dest: /etc/dehydrated/dns-hook.sh
-    mode: 0755
- name: Install dehydrated cron job
-  ansible.builtin.copy:
-    src: ../files/dehydrated-cron.sh
-    dest: /etc/cron.daily/dehydrated
-    mode: 0755
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -3,6 +3,7 @@
    repo: deb http://deb.debian.org/debian/ bullseye-backports main
    state: present
    filename: 'backports'
+  when: ansible_facts['distribution'] == 'Debian'
 - name: Install essential packages
  ansible.builtin.package:
    name:

--- a/roles/common/tasks/monitoring.yaml
+++ b/roles/common/tasks/monitoring.yaml
- hosts: all
-  become: yes
-  tasks:
-  - name: Install monitoring packages
-    ansible.builtin.../package: name={{ item }} state=present
-    with_lines: cat "../meta/packages/monitoring"
-  - name: Configure prometheus-node-exporter
-    ansible.builtin.systemd:
-      name: prometheus-node-exporter
-      enabled: yes
-    notify: restart prometheus-node-exporter
-  - name: Copy agent configuration script
-    ansible.builtin.copy:
-      src: ../files/monitoring/icinga-agent.sh
-      dest: /tmp/icinga-agent.sh
-      mode: a+x
-  - name: Run icinga2 agent configuration script
-    ansible.builtin.command: export INV_HOSTNAME={{ inventory_hostname }}; bash /tmp/icinga-agent.sh
-    notify: restart icinga2
-  - name: Deploy custom check commands
-    ansible.builtin.copy:
-      src: ../files/monitoring/plugins/
-      dest: /usr/local/lib/nagios/plugins
-      mode: a+x
--- a/roles/common/tasks/prepare.yaml
+++ b/roles/common/tasks/prepare.yaml
- hosts: db.teckids.org
-  become: yes
-  tasks:
-  - name: Get DNS key for dehydrated
-    ansible.builtin.fetch: src=/etc/dehydrated/acme.key dest=../files/tmp/ flat=yes
--- a/roles/firewall/handlers/main.yaml
+++ b/roles/firewall/handlers/main.yaml
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
 - name: Install firewall packages
-  ansible.builtin.package: name={{ item }} state=present
+  ansible.builtin.package:
-  with_lines: cat "roles/firewall/meta/packages"
+    name:
+      - keepalived
+      - haproxy
+      - shorewall
+      - shorewall6
+    state: present
 - name: Copy static config files
  ansible.builtin.copy:
-    src: "roles/firewall/files/{{ item.src }}"
+    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  with_items:
-    - { src: "../files/shorewall/", dest: "/tmp/shorewall/" }
+    - { src: "/etc/ansible/roles/firewall/files/shorewall/", dest: "/tmp/shorewall/" }
-    - { src: "../files/haproxy.cfg", dest: "/tmp/haproxy.cfg" }
+    - { src: "/etc/ansible/roles/firewall/files/haproxy.cfg", dest: "/tmp/haproxy.cfg" }
- name: Copy template configs
+#- name: Copy template configs
-  ansible.builtin.template:
+#  ansible.builtin.template:
-    src: "../templates/{{ item.src }}.j2"
+#    src: "/etc/ansible/roles/firewall/templates/{{ item.src }}.j2"
-    dest: "{{ item.dest }}"
+#    dest: "{{ item.dest }}"
-  with_items:
+#  with_items:
-    - { src: "keepalived.conf", dest: "/etc/keepalived/keepalived.conf" }
+#    - { src: "keepalived.conf", dest: "/etc/keepalived/keepalived.conf" }
 - name: Check shorewall config
  ansible.builtin.command: "shorewall check /tmp/shorewall"
  register: shorewall_config_check
@@ -26,9 +31,11 @@
    src: "/tmp/shorewall/"
    dest: "/etc/shorewall/"
  when: shorewall_config_check.rc == 0
+  notify: restart shorewall
 - name: Copy checked HAProxy config
  ansible.builtin.copy:
    remote_src: True
    src: "/tmp/haproxy.cfg"
    dest: "/etc/haproxy/haproxy.cfg"
  when: haproxy_config_check.rc == 0
+  notify: reload haproxy
--- a/run.sh
+++ b/run.sh
-#!/bin/sh
-echo "Bitte nur noch foreman nutzen! https://foreman.teckids.org"
--- a/teckids.yaml
+++ b/teckids.yaml
-all:
-  hosts:
-    cloud.teckids.org:
-    commu-intern.teckids.org:
-    commu.teckids.org:
-    db.teckids.org:
-    discourse01.teckids.org:
-    gitlab01.teckids.org:
-    jabber01.teckids.org:
-    k8s-master-1.kube.teckids.org:
-    k8s-master-2.kube.teckids.org:
-    k8s-master-3.kube.teckids.org:
-    k8s-worker-1.kube.teckids.org:
-    k8s-worker-2.kube.teckids.org:
-    k8s-worker-3.kube.teckids.org:
-    k8s-worker-4.kube.teckids.org:
-    k8s-worker-5.kube.teckids.org:
-    k8s-worker-6.kube.teckids.org:
-    lms.teckids.org:
-    matrix01.teckids.org:
-    media.teckids.org:
-    monitoring.teckids.org:
-    rz-sp-backup-01.teckids.org:
-    rz-sp-fw-01.teckids.org:
-    rz-sp-fw-02.teckids.org:
-      ansible_host: 91.184.32.118
-    rz-sp-virt-01.teckids.org:
-    rz-sp-virt-02.teckids.org:
-    rz-sp-virt-03.teckids.org:
-    rz-sp-virt-04.teckids.org:
-    rz-sp-virt-fallback.teckids.org:
-    ticdesk-dev.teckids.org:
-    ticdesk.teckids.org:
-  children:
-    teckids_hosts: # Hosts running on Teckids infrastructure
-      hosts:
-        db.teckids.org:
-        master-1.kube.teckids.org:
-        master-2.kube.teckids.org:
-        master-3.kube.teckids.org:
-        worker-1.kube.teckids.org:
-        worker-2.kube.teckids.org:
-        worker-3.kube.teckids.org:
-        worker-4.kube.teckids.org:
-        worker-5.kube.teckids.org:
-        worker-6.kube.teckids.org:
-        rz-sp-fw-01.teckids.org:
-        rz-sp-fw-02.teckids.org:
-    firewalls:
-      hosts:
-        rz-sp-fw-01.teckids.org:
-          keepalived_priority: 150
-        rz-sp-fw-02.teckids.org:
-          keepalived_priority: 100
-          ansible_host: 91.184.32.118
-    k8s_masters:
-      hosts:
-        master-1.kube.teckids.org:
-          primary_control_plane: true
-          cluster_version: v1.23.5
-          package_version: 1.23.5-00
-        master-2.kube.teckids.org:
-        master-3.kube.teckids.org:
-    k8s_workers:
-      hosts:
-        worker-1.kube.teckids.org:
-        worker-2.kube.teckids.org:
-        worker-3.kube.teckids.org:
-        worker-4.kube.teckids.org:
-        worker-5.kube.teckids.org:
-        worker-6.kube.teckids.org: