README.md

 # Warpzone Infrastruktur Konfiguration
 
 Die Infrastruktur der Warpzone wird nach und nach durch das Konfigurationstool Ansible aufgebaut.
-Diese Konfiguration wird von den verschiedenen Teams gemeinschaftlich genutzt und soll als zentrale Dokumentation dienen.
-
+Diese Konfiguration soll als zentrale Dokumentation dienen.
 
 ## Aktueller Status
 
-Aktuell ist nur der neue Websserver in der Konfiguration erfasst.
-Weitere Dienste (wie z.B. der bestehende Webserver und die interne Infrastruktur) sind noch nicht abgebildet.
+Alle Server sind erfasst
 
 ## Vorraussetzungen
 Installiertes ansible
@@ -22,7 +20,7 @@ ansible-galaxy collection install community.docker
 
 Ausführen von Rollen per
 ```
-ansible-playbook  site.yml -l webserver -t hackmd
+ansible-playbook -i hosts.yml site.yml -l webserver -t hackmd
 ```
 
 mit -l wird der hosts eingeschränkt mit -t der tag bzw die Rolle, alle tags stehen in der site.yml

all/common/tasks/main.yml

@@ -45,7 +45,8 @@
       - wget
       - psmisc
       - tree
-      - tmux 
+      - tmux
+      - mosh
 
 - name: deploy sshd config
   template: src=sshd_config.j2 dest=/etc/ssh/sshd_config

all/common/templates/sshd_config.j2

@@ -33,7 +33,7 @@ LogLevel INFO
 
 # Authentication:
 LoginGraceTime 120
-PermitRootLogin without-password
+PermitRootLogin prohibit-password
 StrictModes yes
 
 RSAAuthentication yes

all/mount/tasks/main.yml

+- name: Ensure mount directories exist for non-root drives
+  ansible.builtin.file:
+    path: "{{ item.value.path }}"
+    state: directory
+    mode: '0755'
+  loop: "{{ lookup('dict', drives) }}"
+  when: drives is defined and item.value.fstype != "swap" and item.value.path != "/"
+
+- name: Mount all drives (excluding swap)
+  ansible.builtin.mount:
+    path: "{{ item.value.path }}"
+    src: "UUID={{ item.value.uuid }}"
+    fstype: "{{ item.value.fstype }}"
+    state: mounted
+  loop: "{{ lookup('dict', drives) }}"
+  when: drives is defined and item.value.fstype != "swap"
+
+- name: Ensure swap entry is present in /etc/fstab
+  ansible.builtin.lineinfile:
+    path: /etc/fstab
+    state: present
+    line: "UUID={{ item.value.uuid }} none swap sw 0 0"
+  loop: "{{ lookup('dict', drives) }}"
+  when: drives is defined and item.value.fstype == "swap"
+
+- name: Enable swap partition
+  ansible.builtin.command:
+    cmd: "swapon UUID={{ item.value.uuid }}"
+  loop: "{{ lookup('dict', drives) }}"
+  when: drives is defined and item.value.fstype == "swap"
\ No newline at end of file

ansible.cfg

 [defaults]
 # some default values for ansible
-inventory = hosts
+inventory = hosts.yml
 interpreter_python = /usr/bin/python3

common/borgbackup/templates/borgbackup-create.sh

@@ -11,7 +11,7 @@ export LAST_BACKUPS_PROM="/var/lib/prometheus/node-exporter/lastbackup.prom"
 
 echo "===[ Create Backup: {{ item.value.repo }} ]===" \
 && \
-borg create $1 $2 $3 --info --show-rc --stats --compression {{ item.value.compression }} {{ item.value.options }} {{ item.value.repo }}::$BACKUP_DATE \
+borg create $1 $2 $3 --info --show-rc --stats --exclude *lost+found --compression {{ item.value.compression }} {{ item.value.options }} {{ item.value.repo }}::$BACKUP_DATE \
 {% for directory in borgbackup_directories %}
 {{ directory }} \
 {% endfor %} \

common/borgbackup/templates/borgbackup-prometheus.sh

@@ -3,6 +3,9 @@
 export BORG_PASSPHRASE="{{repo_passphrase}}"
 export BORG_RSH="ssh -i /srv/borgbackup/repo_sshkey"
 
+# Force locale for correct formatting
+LANG=en_US.UTF-8
+
 # Metrics output file in the prometheus node-exporter directory 
 PROM_FILE="/var/lib/prometheus/node-exporter/borgbackup.prom"
 

common/docker/tasks/main.yml

@@ -7,6 +7,7 @@
     state: present
   vars:
     packages:
+      - apparmor
       - docker-ce
       - docker-compose
       - python3
@@ -19,6 +20,8 @@
     dest: /etc/docker/daemon.json
   notify: restart docker
 
+- name: Cronjob to prune unused images  
+  cron: name="docker-prune" weekday="*" hour="5" minute="5" job="/usr/bin/docker system prune --volumes --all -f"
 
 - name: "Create internal Networks: {{ docker.internal_networks }}"
   docker_network:

common/docker/templates/daemon.json

@@ -6,7 +6,7 @@
       "max-file": "5"
     },
     "metrics-addr": "{{int_ip4}}:9323",
-    "experimental": true
-
+    "experimental": true,
+    "ip6tables": true
 }
 

common/docker_dockerstats/tasks/main.yml

 ---
 
-
-- name: create folder struct for {{ servicename }}
+- name: "create folder struct for {{ servicename }}"
   file: 
     path: "{{ item }}"
     state: "directory"
@@ -14,11 +13,17 @@
     src: "{{ item }}"
     dest: "{{ basedir }}/{{ item }}"
   with_items:
-    - Dockerfile
     - docker-compose.yml
+  register: config_files
+
+- name: "stop {{ servicename }} docker"
+  community.docker.docker_compose_v2:
+    project_src: "{{ basedir }}"
+    state: absent
+  when: config_files.changed 
 
 
-- name: start {{ servicename }} docker
-  docker_compose:
+- name: "start {{ servicename }} docker"
+  community.docker.docker_compose_v2:
     project_src: "{{ basedir }}"
     state: present

common/docker_dockerstats/templates/docker-compose.yml

-version: "3"
-
 services:
 
   app:
 
-    build: .
+    image: wywywywy/docker_stats_exporter
     restart: always
     ports:
-      - "{{ int_ip4 }}:9487:9487" 
+      - "{{ int_ip4 }}:{{ metrics_port }}:{{ metrics_port }}" 
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
       - /usr/bin/docker:/usr/bin/docker
-
+    environment:
+      DOCKERSTATS_PORT: {{ metrics_port }} 
+      DOCKERSTATS_INTERVAL: 15 
+      DEBUG: 0

common/docker_ldap/notes/acl-allow-user-self-read.ldif

-dn: olcDatabase={1}hdb,cn=config
-changetype: modify
-add: olcAccess
-olcAccess: to * by self read by * search

common/docker_ldap/notes/acl-allow-user-self-read.sh

-#!/bin/bash 
-
-ldapmodify -Y EXTERNAL -H ldapi:// -f /opt/helper/acl-allow-user-self-read.ldif 
-ldapsearch -Y EXTERNAL -H ldapi:// -b "cn=config" "olcDatabase={1}hdb" 

common/docker_ldap/notes/search_admin.sh

-#!/bin/bash 
-# Usage: sh search_admin.sh "(objectClass=*)" 
-ldapsearch -h {{ int_ip4 }} -b "{{ ldap_base_dn }}" -D "{{ ldap_admin_bind_dn }}" -w "{{ ldap_admin_pass }}" -s sub "$1"

common/docker_ldap/notes/search_user.sh

-#!/bin/bash 
-# Usage: sh search_user.sh "testuser" "(objectClass=*)" 
-ldapsearch -h {{ int_ip4 }} -b "{{ ldap_base_dn }}" -D "uid=$1,ou=users,{{ ldap_base_dn }}" -W -s sub "$2"

common/docker_ldap/tasks/main.yml

----
-
-- include_tasks: ../functions/get_secret.yml
-  with_items:
-   - { path: /srv/ldap/secret/ldap_admin_pass,  length: 24 }
-   - { path: /srv/ldap/secret/ldap_readonly_pass,  length: 24 }
-
-- name: create folder struct for ldap
-  file:
-    path: "/srv/ldap/{{ item.path }}"
-    state: "directory"
-    recurse: yes
-  with_items:
-    - { path: 'database' }
-    - { path: 'config' }
-
-- name: Docker Compose Konfig-Datei erstellen
-  template:
-    src: "{{ item }}"
-    dest: "/srv/ldap/{{ item }}"
-  with_items:
-    - docker-compose.yml
-    - Dockerfile 
-    - syncrepl_exporter.yml 
-
-- name: start openldap docker
-  docker_compose:
-    project_src: /srv/ldap/
-    state: present

common/docker_ldap/templates/Dockerfile

-FROM golang:1.13.5
-
-RUN go get github.com/ThoreKr/syncrepl_exporter 
-
-EXPOSE 9328
-CMD ["/go/bin/syncrepl_exporter","--path.config=/syncrepl_exporter.yml"]

common/docker_ldap/templates/syncrepl_exporter.yml

----
-
-    ldap:
-      host: 'openldap'
-      port: '636'
-      basedn: '{{ ldap_base_dn }}'
-      starttls: false
-      bind: true
-      bindcn: '{{ ldap_readonly_bind_dn }}'
-      bindpass: '{{ ldap_readonly_pass }}'

common/docker_traefik/tasks/certificate.yml

+
+# Eigene CA und Server Zertifikat erstellen, falls diese noch nicht existiert   
+
+- name: "Install Packages"
+  apt:
+    name: "{{ packages }}"
+    state: present
+  vars:
+    packages:
+      - python3-cryptography
+
+
+- name: "Check if SelfSigned CA key exists"
+  stat:
+    path: "{{ basedir }}/ca.key"
+  register: ca_key_stat_result
+
+- name: "Create SelfSigned CA key"
+  community.crypto.openssl_privatekey:
+    path: "{{ basedir }}/ca.key"
+  when: not ca_key_stat_result.stat.exists
+
+- name: "Check if SelfSigned CA cert exists"
+  stat:
+    path: "{{ basedir }}/ca.pem"
+  register: ca_cert_stat_result
+
+- name: "Check if SelfSigned CA cert CSR"
+  community.crypto.openssl_csr_pipe:
+    privatekey_path: "{{ basedir }}/ca.key"
+    common_name: "{{ selfSignedCN }} CA"
+    use_common_name_for_san: false  # since we do not specify SANs, don't use CN as a SAN
+    basic_constraints:
+      - 'CA:TRUE'
+    basic_constraints_critical: true
+    key_usage:
+      - keyCertSign
+    key_usage_critical: true
+  register: ca_csr
+  when: not ca_cert_stat_result.stat.exists
+
+- name: "Create SelfSigned CA cert from CSR"
+  community.crypto.x509_certificate:
+    path: "{{ basedir }}/ca.pem"
+    csr_content: "{{ ca_csr.csr }}"
+    privatekey_path: "{{ basedir }}/ca.key"
+    provider: selfsigned
+  when: not ca_cert_stat_result.stat.exists
+
+
+- name: "Check if ServerCert key exists"
+  stat:
+    path: "{{ basedir }}/cert.key"
+  register: cert_key_stat_result
+
+- name: "Create ServerCert key"
+  community.crypto.openssl_privatekey:
+    path: "{{ basedir }}/cert.key"
+  when: not cert_key_stat_result.stat.exists
+
+- name: "Check if ServerCert cert exists"
+  stat:
+    path: "{{ basedir }}/cert.pem"
+  register: cert_cert_stat_result
+
+- name: "Create ServerCert CSR"
+  community.crypto.openssl_csr_pipe:
+    privatekey_path: "{{ basedir }}/cert.key"
+    subject_alt_name:
+      - "DNS:{{ selfSignedDomain }}"
+      - "DNS:{{ domain }}"
+  register: cert_csr
+  when: not cert_cert_stat_result.stat.exists
+
+- name: "Create ServerCert from CSR"
+  community.crypto.x509_certificate_pipe:
+    csr_content: "{{ cert_csr.csr }}"
+    provider: ownca
+    ownca_path: "{{ basedir }}/ca.pem"
+    ownca_privatekey_path: "{{ basedir }}/ca.key"
+    ownca_not_after: +9999d  # long lifetime 
+    ownca_not_before: "-1d"  # valid since yesterday
+  register: cert 
+  when: not cert_cert_stat_result.stat.exists
+
+- name: "Create ServerCert chain"
+  community.crypto.certificate_complete_chain:
+    input_chain: "{{ cert.certificate  }}"
+    root_certificates:
+    - "{{ basedir }}/ca.pem"
+  register: cert_chain
+  when: not cert_cert_stat_result.stat.exists
+
+- name: "Create ServerCert chain"
+  copy:
+    dest: "{{ basedir }}/cert.pem"
+    content: "{{ ''.join(cert_chain.complete_chain) }}"
+  when: not cert_cert_stat_result.stat.exists

common/docker_traefik/tasks/main.yml

-       
-- include: ../functions/get_secret.yml
+
+- include_tasks: ../functions/get_secret.yml
   with_items:
     - { path: "{{ basedir }}/letsencrypt_notification_email",  length: -1 }
+  when: selfSignedCN is not defined 
 
 - name: "create folder struct for {{ servicename }}"
   file:
@@ -11,6 +12,11 @@
     - "{{ basedir }}"
     - "{{ basedir }}/dynamic"
 
+- name: "Check if CertStore exists"
+  stat:
+    path: "{{ basedir }}/acme.json"
+  register: acme_stat_result
+
 - name: "Create CertStore if needed and set permissions"
   file:
     path: "{{ basedir }}/acme.json"
@@ -18,6 +24,12 @@
     group: root
     mode: '600'
     state: touch
+  when: not acme_stat_result.stat.exists
+
+- name: "Create SelfSigned CA and Cert"
+  ansible.builtin.include_tasks: certificate.yml
+  when: selfSignedCN is defined 
+  
 
 - name: Docker Compose Konfig-Datei erstellen
   template:
@@ -25,19 +37,27 @@
     dest: "{{ basedir }}/{{ item }}"
   with_items:
     - docker-compose.yml
-    - traefik.yml 
-    - dynamic/redirect-default.yml
+    - traefik.yml
     - dynamic/tls.yml
   register: config
 
+- name: redirect-default ersstellen, wenn domain_default definiert ist
+  template:
+    src: "{{ item }}"
+    dest: "{{ basedir }}/{{ item }}"
+  with_items:
+    - dynamic/redirect-default.yml
+  when: domain_default is defined
+  register: config
+
 - name: "stop {{ servicename}} docker"
-  docker_compose:
+  community.docker.docker_compose_v2:
     project_src: "{{ basedir }}"
     state: absent
   when: config.changed
 
 - name: "start {{ servicename}} docker"
-  docker_compose:
+  community.docker.docker_compose_v2:
     project_src: "{{ basedir }}"
     state: present
-    
\ No newline at end of file
+