From a4b890e443418dfbb706f228cd01dd986086df83 Mon Sep 17 00:00:00 2001 
From: Christian Elberfeld <christian.elberfeld@adesso.de> Date: Sun, 3 Feb 2019 00:39:33 +0100 Subject: [PATCH] Vorstand in Verwaltung umbenannt, Openvpn Tunnel restrukturiert --- common/openvpn/handlers/main.yml | 12 ++++ common/openvpn/tasks/main.yml | 60 +++++++++++++++++++ common/openvpn/templates/logrotate | 7 +++ common/openvpn/templates/openvpn-common | 12 ++++ .../templates/verwaltung-client-webs.conf | 12 ++++ .../templates/verwaltung-server-zone.conf | 11 ++++ .../webserver-server-verwaltung.conf | 11 ++++ .../templates/webserver-server-zone.conf | 11 ++++ host_vars/{vorstand => verwaltung} | 15 +++++ host_vars/warpsrvint | 6 ++ host_vars/webserver | 15 ++++- hosts | 2 +- site.yml | 2 +- {vorstand => verwaltung}/Documentation.md | 0 .../docker_gitea/tasks/main.yml | 0 .../docker_gitea/templates/docker-compose.yml | 0 .../docker_mysql/tasks/main.yml | 0 .../docker_mysql/templates/docker-compose.yml | 0 .../docker_mysql/templates/tuning.cnf | 0 .../git/handlers/main.yml | 0 {vorstand => verwaltung}/git/tasks/main.yml | 0 .../jameica/tasks/main.yml | 0 ...et.JVerein.rmi.JVereinDBService.properties | 0 ....jameica.hbci.rmi.HBCIDBService.properties | 0 .../jameica/templates/jameica.sh | 0 {vorstand => verwaltung}/main.yml | 3 +- {vorstand => verwaltung}/user/tasks/main.yml | 0 .../x2goserver/tasks/main.yml | 0 webserver/main.yml | 2 +- webserver/openvpn/handlers/main.yml | 3 - webserver/openvpn/tasks/main.yml | 34 ----------- webserver/openvpn/templates/warpzone-up.sh | 6 -- webserver/openvpn/templates/warpzone.conf | 20 ------- 33 files changed, 176 insertions(+), 68 deletions(-) create mode 100644 common/openvpn/handlers/main.yml create mode 100644 common/openvpn/tasks/main.yml create mode 100644 common/openvpn/templates/logrotate create mode 100644 common/openvpn/templates/openvpn-common create mode 100644 common/openvpn/templates/verwaltung-client-webs.conf create mode 100644 common/openvpn/templates/verwaltung-server-zone.conf create mode 100644 
common/openvpn/templates/webserver-server-verwaltung.conf
create mode 100644 common/openvpn/templates/webserver-server-zone.conf
rename host_vars/{vorstand => verwaltung} (80%)
rename {vorstand => verwaltung}/Documentation.md (100%)
rename {vorstand => verwaltung}/docker_gitea/tasks/main.yml (100%)
rename {vorstand => verwaltung}/docker_gitea/templates/docker-compose.yml (100%)
rename {vorstand => verwaltung}/docker_mysql/tasks/main.yml (100%)
rename {vorstand => verwaltung}/docker_mysql/templates/docker-compose.yml (100%)
rename {vorstand => verwaltung}/docker_mysql/templates/tuning.cnf (100%)
rename {vorstand => verwaltung}/git/handlers/main.yml (100%)
rename {vorstand => verwaltung}/git/tasks/main.yml (100%)
rename {vorstand => verwaltung}/jameica/tasks/main.yml (100%)
rename {vorstand => verwaltung}/jameica/templates/de.jost_net.JVerein.rmi.JVereinDBService.properties (100%)
rename {vorstand => verwaltung}/jameica/templates/de.willuhn.jameica.hbci.rmi.HBCIDBService.properties (100%)
rename {vorstand => verwaltung}/jameica/templates/jameica.sh (100%)
rename {vorstand => verwaltung}/main.yml (87%)
rename {vorstand => verwaltung}/user/tasks/main.yml (100%)
rename {vorstand => verwaltung}/x2goserver/tasks/main.yml (100%)
delete mode 100644 webserver/openvpn/handlers/main.yml
delete mode 100644 webserver/openvpn/tasks/main.yml
delete mode 100644 webserver/openvpn/templates/warpzone-up.sh
delete mode 100644 webserver/openvpn/templates/warpzone.conf
diff --git a/common/openvpn/handlers/main.yml b/common/openvpn/handlers/main.yml
new file mode 100644
index 00000000..8153a482
--- /dev/null
+++ b/common/openvpn/handlers/main.yml
@@ -0,0 +1,12 @@
+---
+- name: restart openvpn server
+ service: name=openvpn-server@{{ item }}.service state=restarted
+ with_items:
+ - "{{ openvpn_server }}"
+ when: openvpn_server is defined and openvpn_server > 0
+
+- name: restart openvpn clients
+ service: name=openvpn-client@{{ item }}.service state=restarted
+ with_items:
+ - "{{ openvpn_clients }}"
+ when: openvpn_clients is defined and openvpn_clients > 0
diff --git a/common/openvpn/tasks/main.yml b/common/openvpn/tasks/main.yml
new file mode 100644
index 00000000..3b50290e
--- /dev/null
+++ b/common/openvpn/tasks/main.yml
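Review bot: `when: openvpn_server is defined and openvpn_server > 0` compares the `openvpn_server` list (host_vars define it as a YAML list) with an integer, which is not a length check: under Python 3 Jinja2 raises a TypeError and the handler fails, and under Python 2 the comparison evaluates to true regardless of the list's content, so the guard is a no-op. The client handler uses the same expression. Use the length filter instead, `when: openvpn_server is defined and openvpn_server | length > 0`, and likewise `openvpn_clients | length > 0`. It is also worth a comment that the handler restarts every configured server instance, not only the one whose template changed.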
@@ -0,0 +1,60 @@
+# Pakete installieren
+- name: openvpn installieren
+ apt:
+ pkg: "{{ packages }}"
+ update_cache: yes
+ state: present
+ vars:
+ packages:
+ - logrotate
+ - openvpn
+
+# Log-Verzeichnis erstellen
+
+- name: create folder struct for openvpn
+ file:
+ path: "/var/log/openvpn/"
+ state: "directory"
+
+# Konfigurationsdateien erstellen (ohne Keys)
+
+- name: Konfigurationen (server) erstellen
+ template: src={{ inventory_hostname }}-{{ item }}.conf dest=/etc/openvpn/server/{{ item }}.conf
+ with_items:
+ - "{{ openvpn_server }}"
+ notify: restart openvpn server
+ when: openvpn_server is defined and openvpn_server > 0
+
+- name: Konfigurationen (clients) erstellen
+ template: src={{ inventory_hostname }}-{{ item }}.conf dest=/etc/openvpn/client/{{ item }}.conf
+ with_items:
+ - "{{ openvpn_clients }}"
+ notify: restart openvpn clients
+ when: openvpn_clients is defined and openvpn_clients > 0
+
+- name: OpenVpn LogRotate config erstellen
+ template:
+ src: logrotate
+ dest: /etc/logrotate.d/openvpn
+
+# Enable service
+
+- name: enable openvpn systemd service (server)
+ systemd:
+ name: "openvpn-server@{{ item }}.service"
+ state: started
+ enabled: True
+ daemon_reload: yes
+ with_items:
+ - "{{ openvpn_server }}"
+ when: openvpn_server is defined and openvpn_server > 0
+
+- name: enable openvpn systemd service (client)
+ systemd:
+ name: "openvpn-client@{{ item }}.service"
+ state: started
+ enabled: True
+ daemon_reload: yes
+ with_items:
+ - "{{ openvpn_clients }}"
+ when: openvpn_clients is defined and openvpn_clients > 0
diff --git a/common/openvpn/templates/logrotate b/common/openvpn/templates/logrotate
new file mode 100644
index 00000000..6c724764
--- /dev/null
+++ b/common/openvpn/templates/logrotate
@@ -0,0 +1,7 @@
+/var/log/openvpn/*.log {
+ rotate 12
+ monthly
+ compress
+ missingok
+ notifempty
+}
diff --git a/common/openvpn/templates/openvpn-common b/common/openvpn/templates/openvpn-common
new file mode 100644
index 00000000..2fbc51ef
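Review bot: The templated configs reference `secret /etc/openvpn/server/<name>.key` and `/etc/openvpn/client/<name>.key` files that this role neither deploys nor checks (the comment says keys are deliberately left out), so on a freshly provisioned host the `systemd` tasks at the end start `openvpn-server@…`/`openvpn-client@…` against a missing key and fail, and nothing pins the permissions of a hand-copied key. I would add a `stat` plus `fail` before the template tasks so the play aborts with the missing path named, and a `file` task setting `mode: "0600"`/`owner: root` on the key. The four `when:` guards also repeat the list-versus-integer comparison `openvpn_server > 0` from the handlers and should use `openvpn_server | length > 0`.
```yaml
# … unchanged: package install, log directory …

- name: check that the static server keys are in place
  stat:
    path: "/etc/openvpn/server/{{ item }}.key"
  register: openvpn_server_keys
  with_items:
    - "{{ openvpn_server }}"
  when: openvpn_server is defined and openvpn_server | length > 0

- name: abort when a server key is missing
  fail:
    msg: "missing /etc/openvpn/server/{{ item.item }}.key on {{ inventory_hostname }}"
  with_items: "{{ openvpn_server_keys.results | default([]) }}"
  when: openvpn_server is defined and openvpn_server | length > 0 and not item.stat.exists

# … unchanged: template, logrotate and systemd tasks (same check for openvpn_clients) …
```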
--- /dev/null
+++ b/common/openvpn/templates/openvpn-common
@@ -0,0 +1,12 @@
+
+persist-tun
+persist-key
+
+cipher AES-256-CBC
+auth SHA256
+
+comp-lzo adaptive
+keepalive 10 60
+ping-timer-rem
+
+verb 3
diff --git a/common/openvpn/templates/verwaltung-client-webs.conf b/common/openvpn/templates/verwaltung-client-webs.conf
new file mode 100644
index 00000000..7c73ed3c
--- /dev/null
+++ b/common/openvpn/templates/verwaltung-client-webs.conf
@@ -0,0 +1,12 @@
+
+dev tun1
+remote {{ hostvars['webserver'].ext_ip4 }} 1197 udp
+resolv-retry infinite
+
+ifconfig 10.44.1.2 10.44.1.1
+route 10.42.1.1 255.255.255.255
+
+secret /etc/openvpn/client/client-webs.key
+log /var/log/openvpn/client-webs.log
+
+{% include "openvpn-common" %}
diff --git a/common/openvpn/templates/verwaltung-server-zone.conf b/common/openvpn/templates/verwaltung-server-zone.conf
new file mode 100644
index 00000000..58756971
--- /dev/null
+++ b/common/openvpn/templates/verwaltung-server-zone.conf
@@ -0,0 +1,11 @@
+
+dev tun0
+port 1196
+
+ifconfig 10.43.2.1 10.43.2.2
+route 192.168.0.0 255.255.255.0
+
+secret /etc/openvpn/server/server-zone.key
+log /var/log/openvpn/server-zone.log
+
+{% include "openvpn-common" %}
diff --git a/common/openvpn/templates/webserver-server-verwaltung.conf b/common/openvpn/templates/webserver-server-verwaltung.conf
new file mode 100644
index 00000000..54edd1f2
--- /dev/null
+++ b/common/openvpn/templates/webserver-server-verwaltung.conf
@@ -0,0 +1,11 @@
+
+dev tun1
+port 1197
+
+ifconfig 10.44.1.1 10.44.1.2
+route 10.42.2.1 255.255.255.255
+
+secret /etc/openvpn/server/server-verwaltung.key
+log /var/log/openvpn/server-verwaltung.log
+
+{% include "openvpn-common" %}
diff --git a/common/openvpn/templates/webserver-server-zone.conf b/common/openvpn/templates/webserver-server-zone.conf
new file mode 100644
index 00000000..0056c4c6
--- /dev/null
+++ b/common/openvpn/templates/webserver-server-zone.conf
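Review bot: `comp-lzo adaptive` turns on compression for every tunnel that includes this snippet; compressing plaintext before encryption lets an attacker who can get data into the tunnel recover secrets piecewise (the VORACLE class of attacks against compressed VPN traffic), and `comp-lzo` is deprecated since OpenVPN 2.4. Because both peers include the same snippet, the setting can be dropped from both ends in one change: remove `comp-lzo adaptive` (or use `comp-lzo no` if the peers must keep the compression framing). The remaining choices look right for static-key mode, where as far as I know AEAD ciphers are not available, so `cipher AES-256-CBC` with `auth SHA256` is the appropriate pairing. A leading comment such as `# shared settings, only pulled in via {% include "openvpn-common" %}; not a standalone config` would stop someone from pointing openvpn at this file directly.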
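Review bot: `secret /etc/openvpn/client/client-webs.key` puts this link into OpenVPN's pre-shared static-key mode, while the client config the same patch deletes (`webserver/openvpn/templates/warpzone.conf`, with `pkcs12` and `tls-auth`) used TLS; static-key mode has no forward secrecy, so anyone who later obtains the key file can decrypt recorded traffic, and the identical key has to be hand-copied to both hosts because the role does not deploy it. If the simpler setup is intended, say so in the template, e.g. `# static-key point-to-point link, no PFS - rotate client-webs.key periodically`; otherwise a TLS point-to-point pair (`tls-server`/`tls-client` with `tls-crypt`) keeps the two-host topology. `remote {{ hostvars['webserver'].ext_ip4 }} 1197 udp` also depends on `ext_ip4` being defined for the `webserver` host, which this commit adds to host_vars/webserver, and that dependency deserves a one-line comment.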
@@ -0,0 +1,11 @@
+
+dev tun0
+port 1196
+
+ifconfig 10.43.1.1 10.43.1.2
+route 192.168.0.0 255.255.255.0
+
+secret /etc/openvpn/server/server-zone.key
+log /var/log/openvpn/server-zone.conf
+
+{% include "openvpn-common" %}
diff --git a/host_vars/vorstand b/host_vars/verwaltung
similarity index 80%
rename from host_vars/vorstand
rename to host_vars/verwaltung
index bd03105b..6b6fedb4 100644
--- a/host_vars/vorstand
+++ b/host_vars/verwaltung
@@ -20,6 +20,12 @@ debian_keys_url: - "https://repos.influxdata.com/influxdb.key"
+# Primäre IP Adressen des Hosts
+ext_ip4: 89.163.231.227
+ext_ip6: 2001:4ba0:ffff:007c::227
+int_ip4: 10.42.2.1
+
+
# Art des Hosts: physical, vm, docker host_type: "vm"
@@ -29,6 +35,14 @@ webserver_domains: - "verwaltung-git.warpzone.ms"
+#OpenVPN Konfigurationen
+openvpn_server:
+ - "server-zone"
+
+openvpn_clients:
+ - "client-webs"
+
+
administratorenteam: - "sandhome" - "void"
@@ -39,3 +53,4 @@ vorstandteam: - "ole" - "larsm" - "reverend"
+
diff --git a/host_vars/warpsrvint b/host_vars/warpsrvint
index 6c512169..92756249 100644
--- a/host_vars/warpsrvint
+++ b/host_vars/warpsrvint
@@ -21,6 +21,12 @@ debian_keys_url: - "https://repos.influxdata.com/influxdb.key"
+# Primäre IP Adressen des Hosts
+#ext_ip4: <keine>
+#ext_ip6: <keine>
+int_ip4: 10.42.3.1
+
+
# Art des Hosts: physical, vm, docker host_type: "physical"
diff --git a/host_vars/webserver b/host_vars/webserver
index da8dec92..7f1ec3c5 100644
--- a/host_vars/webserver
+++ b/host_vars/webserver
@@ -20,6 +20,12 @@ debian_keys_url: - "https://repos.influxdata.com/influxdb.key"
+# Primäre IP Adressen des Hosts
+ext_ip4: 89.163.231.226
+ext_ip6: 2001:4ba0:ffff:007c::2
+int_ip4: 10.42.1.1
+
+
# Art des Hosts: physical, vm, docker host_type: "vm"
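Review bot: `log /var/log/openvpn/server-zone.conf` writes the server log to a file with a `.conf` suffix; the three sibling templates use `.log`, and the logrotate rule added in this commit only matches `/var/log/openvpn/*.log`, so this file would never be rotated and grows without bound. Change it to `log /var/log/openvpn/server-zone.log`.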
@@ -42,13 +48,20 @@ webserver_domains: - "wiki.warpzone.ms" - "www.warpzone.ms"
+
+#OpenVPN Konfigurationen
+openvpn_server:
+ - "server-zone"
+ - "server-verwaltung"
+
administratorenteam: - "void" - "dray" - "sandhome" - "commander1024"
- # Definition von Borgbackup Repositories
+
+# Definition von Borgbackup Repositories
borgbackup_repos: warpsrvext:
diff --git a/hosts b/hosts
index 34b8aa57..15134d09 100644
--- a/hosts
+++ b/hosts
@@ -19,7 +19,7 @@ webserver ansible_ssh_host=89.163.231.226 # Vorstands-VM # VM auf dem Webtropia-Server # Auch erreichbar unter werwaltung.warpzone.ms
-vorstand ansible_ssh_host=89.163.231.227
+verwaltung ansible_ssh_host=89.163.231.227
# Raspberry-PI Server
diff --git a/site.yml b/site.yml
index bcd3576c..558c9b27 100644
--- a/site.yml
+++ b/site.yml
@@ -2,7 +2,7 @@ # Hauptdatei, includiert lediglich die einzelnen Playbooks - import_playbook: all/main.yml
-- import_playbook: vorstand/main.yml
+- import_playbook: verwaltung/main.yml
- import_playbook: warphab/main.yml - import_playbook: warpsrvint/main.yml - import_playbook: warpsrvext/main.yml
diff --git a/vorstand/Documentation.md b/verwaltung/Documentation.md
similarity index 100%
rename from vorstand/Documentation.md
rename to verwaltung/Documentation.md
diff --git a/vorstand/docker_gitea/tasks/main.yml b/verwaltung/docker_gitea/tasks/main.yml
similarity index 100%
rename from vorstand/docker_gitea/tasks/main.yml
rename to verwaltung/docker_gitea/tasks/main.yml
diff --git a/vorstand/docker_gitea/templates/docker-compose.yml b/verwaltung/docker_gitea/templates/docker-compose.yml
similarity index 100%
rename from vorstand/docker_gitea/templates/docker-compose.yml
rename to verwaltung/docker_gitea/templates/docker-compose.yml
diff --git a/vorstand/docker_mysql/tasks/main.yml b/verwaltung/docker_mysql/tasks/main.yml
similarity index 100%
rename from vorstand/docker_mysql/tasks/main.yml
rename to verwaltung/docker_mysql/tasks/main.yml
diff --git a/vorstand/docker_mysql/templates/docker-compose.yml b/verwaltung/docker_mysql/templates/docker-compose.yml
similarity index 100%
rename from vorstand/docker_mysql/templates/docker-compose.yml
rename to verwaltung/docker_mysql/templates/docker-compose.yml
diff --git a/vorstand/docker_mysql/templates/tuning.cnf b/verwaltung/docker_mysql/templates/tuning.cnf
similarity index 100%
rename from vorstand/docker_mysql/templates/tuning.cnf
rename to verwaltung/docker_mysql/templates/tuning.cnf
diff --git a/vorstand/git/handlers/main.yml b/verwaltung/git/handlers/main.yml
similarity index 100%
rename from vorstand/git/handlers/main.yml
rename to verwaltung/git/handlers/main.yml
diff --git a/vorstand/git/tasks/main.yml b/verwaltung/git/tasks/main.yml
similarity index 100%
rename from vorstand/git/tasks/main.yml
rename to verwaltung/git/tasks/main.yml
diff --git a/vorstand/jameica/tasks/main.yml b/verwaltung/jameica/tasks/main.yml
similarity index 100%
rename from vorstand/jameica/tasks/main.yml
rename to verwaltung/jameica/tasks/main.yml
diff --git a/vorstand/jameica/templates/de.jost_net.JVerein.rmi.JVereinDBService.properties b/verwaltung/jameica/templates/de.jost_net.JVerein.rmi.JVereinDBService.properties
similarity index 100%
rename from vorstand/jameica/templates/de.jost_net.JVerein.rmi.JVereinDBService.properties
rename to verwaltung/jameica/templates/de.jost_net.JVerein.rmi.JVereinDBService.properties
diff --git a/vorstand/jameica/templates/de.willuhn.jameica.hbci.rmi.HBCIDBService.properties b/verwaltung/jameica/templates/de.willuhn.jameica.hbci.rmi.HBCIDBService.properties
similarity index 100%
rename from vorstand/jameica/templates/de.willuhn.jameica.hbci.rmi.HBCIDBService.properties
rename to verwaltung/jameica/templates/de.willuhn.jameica.hbci.rmi.HBCIDBService.properties
diff --git a/vorstand/jameica/templates/jameica.sh b/verwaltung/jameica/templates/jameica.sh
similarity index 100%
rename from vorstand/jameica/templates/jameica.sh
rename to verwaltung/jameica/templates/jameica.sh
diff --git a/vorstand/main.yml b/verwaltung/main.yml
similarity index 87%
rename from vorstand/main.yml
rename to verwaltung/main.yml
index 3f13121d..717c073c 100644
--- a/vorstand/main.yml
+++ b/verwaltung/main.yml
@@ -1,11 +1,12 @@ ---
-- hosts: vorstand
+- hosts: verwaltung
remote_user: root roles: - { role: ../common/telegraf, tags: telegraf } - { role: ../common/docker, tags: docker } - { role: ../common/nginx, tags: nginx }
+ - { role: ../common/openvpn, tags: openvpn }
- { role: docker_gitea, tags: gitea } - { role: docker_mysql, tags: mysql } - { role: user, tags: user }
diff --git a/vorstand/user/tasks/main.yml b/verwaltung/user/tasks/main.yml
similarity index 100%
rename from vorstand/user/tasks/main.yml
rename to verwaltung/user/tasks/main.yml
diff --git a/vorstand/x2goserver/tasks/main.yml b/verwaltung/x2goserver/tasks/main.yml
similarity index 100%
rename from vorstand/x2goserver/tasks/main.yml
rename to verwaltung/x2goserver/tasks/main.yml
diff --git a/webserver/main.yml b/webserver/main.yml
index e7be0116..e640968d 100644
--- a/webserver/main.yml
+++ b/webserver/main.yml
@@ -7,7 +7,7 @@ - { role: ../common/docker, tags: docker } - { role: ../common/telegraf, tags: telegraf } - { role: ../common/nginx, tags: nginx }
- - { role: openvpn, tags: openvpn }
+ - { role: ../common/openvpn, tags: openvpn }
- { role: docker_alerta, tags: alerta } - { role: docker_dokuwiki, tags: dokuwiki } - { role: docker_etherpad, tags: etherpad }
diff --git a/webserver/openvpn/handlers/main.yml b/webserver/openvpn/handlers/main.yml
deleted file mode 100644
index 99893c1c..00000000
--- a/webserver/openvpn/handlers/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-- name: restart openvpn
- service: name=openvpn-client@warpzone.service state=restarted
diff --git a/webserver/openvpn/tasks/main.yml b/webserver/openvpn/tasks/main.yml
deleted file mode 100644
index 9e78e87c..00000000
--- a/webserver/openvpn/tasks/main.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Pakete installieren
-- name: openvpn installieren
- apt:
- name: "{{ packages }}"
- update_cache: yes
- state: present
- vars:
- packages:
- - openvpn
-
-# Log-Verzeichnis erstellen
-
-- name: create folder struct for openvpn
- file:
- path: "/var/log/openvpn/"
- state: "directory"
-
-# Konfigurationsdateien erstellen (ohne Keys)
-
-- name: Konfiguration erstellen
- template: src=warpzone.conf dest=/etc/openvpn/client/warpzone.conf
- notify: restart openvpn
-
-- name: Konfiguration erstellen
- template: src=warpzone-up.sh dest=/etc/openvpn/client/warpzone-up.sh mode=o+x
- notify: restart openvpn
-
-# Enable service
-
-- name: enable openvpn systemd servise
- systemd:
- name: openvpn-client@warpzone.service
- state: started
- enabled: True
diff --git a/webserver/openvpn/templates/warpzone-up.sh b/webserver/openvpn/templates/warpzone-up.sh
deleted file mode 100644
index 2a0ca208..00000000
--- a/webserver/openvpn/templates/warpzone-up.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-# the interface name is passed as first argument ($1)
-
-#modprobe ip_tables
-#iptables -t nat -I PREROUTING -p tcp -d {{ ldap_ip_ext }}/32 --dport 389 -j DNAT --to-destination 127.0.0.1:389
-#iptables -t nat -I PREROUTING -p tcp -d {{ ldap_ip_ext }}/32 --dport 636 -j DNAT --to-destination 127.0.0.1:636
diff --git a/webserver/openvpn/templates/warpzone.conf b/webserver/openvpn/templates/warpzone.conf
deleted file mode 100644
index 989f7d4d..00000000
--- a/webserver/openvpn/templates/warpzone.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-
-dev tun
-persist-tun
-persist-key
-cipher AES-256-CBC
-auth SHA1
-tls-client
-client
-resolv-retry infinite
-remote 212.124.34.242 1195 udp
-verify-x509-name "OpenVPN Server" name
-pkcs12 /etc/openvpn/client/warpzone.p12
-tls-auth /etc/openvpn/client/warpzone.key 1
-comp-lzo adaptive
-
-script-security 2
-up /etc/openvpn/client/warpzone-up.sh
-
-log /var/log/openvpn/warpzone.log
-verb 3
-- GitLab