Compare revisions

92852e55 · 0d4b22a0 · 1ffa84e3 · dfce64d5 · bf03e41e · 63872447
--- a/.gitmodules
+++ b/.gitmodules
+[submodule "functions"]
+	path = functions
+	url = ssh://git@gitlab.warpzone.ms:444/infrastruktur/ansible-functions.git
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+-   repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.1.0
+    hooks:
+    -   id: trailing-whitespace
+    -   id: end-of-file-fixer
+    -   id: check-yaml
+    -   id: check-added-large-files
+    -   id: detect-private-key
+    -   id: fix-encoding-pragma
+    -   id: mixed-line-ending
+
+- repo: https://github.com/ansible/ansible-lint.git
+  rev: v5.4.0
+  hooks:
+    - id: ansible-lint
+      files: \.(yaml|yml)$
+- repo: https://github.com/markdownlint/markdownlint
+  rev: v0.11.0
+  hooks:
+    - id: markdownlint
--- a/README.md
+++ b/README.md
-# Warpzone Infrastruktur Konfiguration 
+# Warpzone Infrastruktur Konfiguration

-Die Infrastruktur der Warpzone wird nach und nach durch das Konfigurationstool Ansible aufgebaut. 
-Diese Konfiguration wird von den verschiedenen Teams gemeinschaftlich genutzt und soll als zentrale Dokumentation dienen. 
+Die Infrastruktur der Warpzone wird nach und nach durch das Konfigurationstool Ansible aufgebaut.
+Diese Konfiguration soll als zentrale Dokumentation dienen.

+## Aktueller Status

-# Aktueller Status 
+Alle Server sind erfasst
+
+## Vorraussetzungen
+Installiertes ansible
+
+Ausführen von
+
+```
+ansible-galaxy collection install community.docker
+```
+
+## Benutzung
+
+Ausführen von Rollen per
+```
+ansible-playbook -i hosts.yml site.yml -l webserver -t hackmd
+```
+
+mit -l wird der hosts eingeschränkt mit -t der tag bzw die Rolle, alle tags stehen in der site.yml

-Aktuell ist nur der neue Websserver in der Konfiguration erfasst.
-Weitere Dienste (wie z.B. der bestehende Webserver und die interne Infrastruktur) sind noch nicht abgebildet.
--- a/VagrantPutty.bat
+++ b/VagrantPutty.bat
-
-rem Vagrant VM für Ansible Arbeitsumgebung 
-rem Unter Windows müssen die folgenden Git-Einstellungen 
-rem gesetzt werden damit die Dateien lokal mit LF als Dateiendungen 
-rem vorliegen:
-rem $ git config core.eol lf
-rem $ git config core.autocrlf input
-
-rem Vagrant VM Starten 
-vagrant up 
-
-rem SSH Verbindung über PuTTY mit https://github.com/nickryand/vagrant-multi-putty
-vagrant putty -- -l vagrant -pw vagrant
-
-pause
-
-rem Vagrant VM Stoppen 
-vagrant halt
--- a/Vagrantfile
+++ b/Vagrantfile
-
-Vagrant.configure(2) do |config|
-
-  # Debian Jessie + VirtualBox Addons 
-  config.vm.box = "debian/contrib-jessie64"
-
-  # Hostname
-  config.vm.hostname = "box"
-  
-  # Customize 
-  config.vm.provider "virtualbox" do |vb|
-	vb.memory = "512"
-	vb.cpus = 2
-	vb.linked_clone = true
-  end
-
-  # Enable Agent forwarding   
-  config.ssh.forward_agent = true 
-  
-  config.vm.provision "shell", inline: <<-SHELL
-
-	echo "######################################################"
-	echo "Setup Debian Testing ..."
-	echo "######################################################"
-
-	echo "deb http://httpredir.debian.org/debian testing main contrib non-free" > /etc/apt/sources.list
-	echo "deb http://security.debian.org/ testing/updates main contrib non-free" >> /etc/apt/sources.list
-	
-	sudo apt-get update
-
-	# Avoid service sestart question if libc is upgraded
-	echo 'libc6 libraries/restart-without-asking boolean true' | sudo debconf-set-selections
-
-	echo "######################################################"
-	echo "Installing Vim ..."
-	echo "######################################################"
-
-	sudo apt-get install -y vim
-	
-	echo "######################################################"
-	echo "Installing Git ..."
-	echo "######################################################"
-
-	sudo apt-get install -y git
-	
- 	echo "######################################################"
-    echo "Installing Fish Shell ..."
-    echo "######################################################"
-
-    sudo apt-get install -y fish
-	
-	# Set FiSH Shell as default Login Shell
-	sudo chsh -s /usr/bin/fish vagrant
-	
-	# Create a FiSH base config 
-	mkdir -p -v /home/vagrant/.config/fish/
-	curl https://raw.githubusercontent.com/elberfeld/fish/master/config.fish > /home/vagrant/.config/fish/config.fish
-	chown vagrant:vagrant -v -R /home/vagrant/.config 
-	
-	# Change to /vagrant/ directory on Login 
-    echo "cd /vagrant/" >> /home/vagrant/.config/fish/config.fish 
-
-	echo "######################################################"
-	echo "Installing Ansible ..."
-	echo "######################################################"
-		
-	sudo apt-get install -y python python-pip python-dev libffi6 libffi-dev libssl-dev sshpass
-	sudo pip install ansible markupsafe netaddr
-
-    echo "    StrictHostKeyChecking no" >> /etc/ssh/ssh_config  
-    
-    echo "[defaults]" > /home/vagrant/.ansible.cfg
-    echo "inventory = /vagrant/hosts" >> /home/vagrant/.ansible.cfg
-
-	echo "######################################################"
-	echo "DONE"
-	echo "######################################################"
-	
-  SHELL
-     
-end
--- a/all/common/tasks/main.yml
+++ b/all/common/tasks/main.yml
@@ -4,44 +4,58 @@
 - name: create motd file
  template: src=motd.j2 dest=/etc/motd

- name: install apt-transport-https packages before adding sources 
+- name: install apt-transport-https packages before adding sources
  apt:
-    pkg: "{{ item }}"
-    update_cache: yes
-    state: installed
-  with_items:
-    - apt-transport-https
+    name: "{{ packages }}"
+    update_cache: no
+    state: present
+  vars:
+    packages:
+      - apt-transport-https
+      - ca-certificates
+      - curl
+      - gnupg2
+      - software-properties-common
+
+- name: add debian repo keys (id)
+  apt_key:
+    id: "{{ item }}"
+    state: present
+  with_items: "{{ debian_keys_id }}"
+  when: debian_keys_id

- name: add debian repo keys 
+- name: add debian repo keys (url)
  apt_key:
    url: "{{ item }}"
    state: present
-  with_items: "{{ debian_keys }}"
-  when: debian_keys
+  with_items: "{{ debian_keys_url }}"
+  when: debian_keys_url

- name: set debian repos 
-  template: src=sources.list.j2 dest=/etc/apt/sources.list   
+- name: set debian repos
+  template: src=sources.list.j2 dest=/etc/apt/sources.list

 - name: install common packages
  apt:
-    pkg: "{{ item }}"
+    name: "{{ packages }}"
    update_cache: yes
-    state: installed
-  with_items:
-    - vim
-    - wget
-    - psmisc
-    - tree
-
- name: deploy sshd config  
-  template: src=sshd_config.j2 dest=/etc/ssh/sshd_config 
-  notify: restart sshd 
-  
+    state: present
+  vars:
+    packages:
+      - vim
+      - wget
+      - psmisc
+      - tree
+      - tmux
+      - mosh
+
+- name: deploy sshd config
+  template: src=sshd_config.j2 dest=/etc/ssh/sshd_config
+  notify: restart sshd
+
 - name: add sshkeys for server
-  authorized_key: 
-    user: root 
-    key: "{{ lookup('file', '../keyfiles/' + item + '.pub') }}"
+  authorized_key:
+    user: root
+    key: "{{ lookup('file', 'keyfiles/' + item + '.pub') }}"
  with_items: "{{ administratorenteam }}"
  when: administratorenteam
-  notify: restart sshd 
-
+  notify: restart sshd
--- a/all/common/templates/sshd_config.j2
+++ b/all/common/templates/sshd_config.j2
@@ -16,7 +16,6 @@ Port {{ port }}
 Protocol 2
 # HostKeys for protocol version 2
 HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 #Privilege Separation is turned on for security
@@ -34,7 +33,7 @@ LogLevel INFO

 # Authentication:
 LoginGraceTime 120
-PermitRootLogin without-password
+PermitRootLogin prohibit-password
 StrictModes yes

 RSAAuthentication yes

--- a/all/main.yml
+++ b/all/main.yml
---
-# Globale Konfiguration für alle Server
-
- hosts: all 
-  remote_user: root
-  roles:
-    - { role: hostname, tags: common }
-    - { role: common, tags: common }
--- a/all/mount/tasks/main.yml
+++ b/all/mount/tasks/main.yml
+- name: Ensure mount directories exist for non-root drives
+  ansible.builtin.file:
+    path: "{{ item.value.path }}"
+    state: directory
+    mode: '0755'
+  loop: "{{ lookup('dict', drives) }}"
+  when: drives is defined and item.value.fstype != "swap" and item.value.path != "/"
+
+- name: Mount all drives (excluding swap)
+  ansible.builtin.mount:
+    path: "{{ item.value.path }}"
+    src: "UUID={{ item.value.uuid }}"
+    fstype: "{{ item.value.fstype }}"
+    state: mounted
+  loop: "{{ lookup('dict', drives) }}"
+  when: drives is defined and item.value.fstype != "swap"
+
+- name: Ensure swap entry is present in /etc/fstab
+  ansible.builtin.lineinfile:
+    path: /etc/fstab
+    state: present
+    line: "UUID={{ item.value.uuid }} none swap sw 0 0"
+  loop: "{{ lookup('dict', drives) }}"
+  when: drives is defined and item.value.fstype == "swap"
+
+- name: Enable swap partition
+  ansible.builtin.command:
+    cmd: "swapon UUID={{ item.value.uuid }}"
+  loop: "{{ lookup('dict', drives) }}"
+  when: drives is defined and item.value.fstype == "swap"
\ No newline at end of file
--- a/all/sysctl/tasks/main.yml
+++ b/all/sysctl/tasks/main.yml
+---
+
+# set general sysctl.conf settings
+# the module will reload the setting so they are applied without reboot
+
+# minimize usage of swap 
+- sysctl:
+    name: vm.swappiness
+    value: '1'
+    state: present
+  when: (host_type == "physical") or (host_type == "vm")
--- a/ansible.cfg
+++ b/ansible.cfg
+[defaults]
+# some default values for ansible
+inventory = hosts.yml
+interpreter_python = /usr/bin/python3
--- a/common/borgbackup/tasks/main.yml
+++ b/common/borgbackup/tasks/main.yml
@@ -2,10 +2,11 @@
 # Pakete installieren
 - name: pakete installieren
  apt:
-    pkg: "{{ item }}"
+    name: "{{ packages }}"
    update_cache: yes
-    state: installed
-  with_items:
+    state: present
+  vars:
+    packages:
    - borgbackup
    - logrotate
    - moreutils
@@ -60,56 +61,56 @@
  template: 
    src: borgbackup-check.sh 
    dest: /srv/borgbackup/{{ item.key }}/borgbackup-check.sh 
-    mode: o+x
+    mode: u+x
  with_dict: "{{ borgbackup_repos }}"

 - name: BorgBackup Scripte erstellen (create)
  template: 
    src: borgbackup-create.sh 
    dest: /srv/borgbackup/{{ item.key }}/borgbackup-create.sh 
-    mode: o+x
+    mode: u+x
  with_dict: "{{ borgbackup_repos }}"

 - name: BorgBackup Scripte erstellen (delete)
  template: 
    src: borgbackup-delete.sh 
    dest: /srv/borgbackup/{{ item.key }}/borgbackup-delete.sh 
-    mode: o+x
+    mode: u+x
  with_dict: "{{ borgbackup_repos }}"
  
 - name: BorgBackup Scripte erstellen (init)
  template: 
    src: borgbackup-init.sh 
    dest: /srv/borgbackup/{{ item.key }}/borgbackup-init.sh 
-    mode: o+x
+    mode: u+x
  with_dict: "{{ borgbackup_repos }}"

 - name: BorgBackup Scripte erstellen (info)
  template: 
    src: borgbackup-info.sh 
    dest: /srv/borgbackup/{{ item.key }}/borgbackup-info.sh 
-    mode: o+x
+    mode: u+x
  with_dict: "{{ borgbackup_repos }}"

 - name: BorgBackup Scripte erstellen (list)
  template: 
    src: borgbackup-list.sh 
    dest: /srv/borgbackup/{{ item.key }}/borgbackup-list.sh 
-    mode: o+x
+    mode: u+x
  with_dict: "{{ borgbackup_repos }}"

 - name: BorgBackup Scripte erstellen (mount)
  template: 
    src: borgbackup-mount.sh 
    dest: /srv/borgbackup/{{ item.key }}/borgbackup-mount.sh 
-    mode: o+x
+    mode: u+x
  with_dict: "{{ borgbackup_repos }}"

 - name: BorgBackup Scripte erstellen (prometheus)
  template: 
    src: borgbackup-prometheus.sh 
    dest: /srv/borgbackup/borgbackup-prometheus.sh 
-    mode: o+x
+    mode: u+x
  
 - name: BorgBackup LogRotate config erstellen 
  template: 
@@ -126,5 +127,5 @@
  with_dict: "{{ borgbackup_repos }}"

 - name: Cronjob für BorgBackup Prometheus export  
-  cron: name="borgbackup-prom" weekday="*" hour="*" minute="40" job="/srv/borgbackup/borgbackup-prometheus.sh 2>&1 | ts '[\\%Y-\\%m-\\%d \\%H:\%M:\\%S]' >> /var/log/borgbackup/borgbackup-prometheus.log"
+  cron: name="borgbackup-prom" weekday="*" hour="*" minute="0" job="/srv/borgbackup/borgbackup-prometheus.sh 2>&1 | ts '[\\%Y-\\%m-\\%d \\%H:\%M:\\%S]' >> /var/log/borgbackup/borgbackup-prometheus.log"
  
--- a/common/borgbackup/templates/borgbackup-create.sh
+++ b/common/borgbackup/templates/borgbackup-create.sh
@@ -3,6 +3,7 @@
 export BORG_PASSPHRASE="{{repo_passphrase}}"
 export BORG_RSH="ssh -i /srv/borgbackup/repo_sshkey"
 export BACKUP_DATE=`date +%Y-%m-%d_%H_%M`
+export LAST_BACKUPS_PROM="/var/lib/prometheus/node-exporter/lastbackup.prom"

 # Ausführung der Backups
 # anschließend Bereinigung 
@@ -10,7 +11,7 @@ export BACKUP_DATE=`date +%Y-%m-%d_%H_%M`

 echo "===[ Create Backup: {{ item.value.repo }} ]===" \
 && \
-borg create $1 $2 $3 --info --show-rc --stats --compression {{ item.value.compression }} {{ item.value.options }} {{ item.value.repo }}::$BACKUP_DATE \
+borg create $1 $2 $3 --info --show-rc --stats --exclude *lost+found --compression {{ item.value.compression }} {{ item.value.options }} {{ item.value.repo }}::$BACKUP_DATE \
 {% for directory in borgbackup_directories %}
 {{ directory }} \
 {% endfor %} \
@@ -28,4 +29,16 @@ echo "===[ Check Repo: {{ item.value.repo }} ]===" \
 && \
 borg check $1 $2 $3 --info --show-rc {{ item.value.options }} {{ item.value.repo }} \
 && \
-date > "/srv/borgbackup/{{ item.key }}/lastbackup"
+echo "===[ write: /srv/rsyncbackup/{{ item.key }}/lastbackup ]===" \
+&& \
+date > "/srv/borgbackup/{{ item.key }}/lastbackup" \
+&& \
+echo "===[ add value to: $LAST_BACKUPS_PROM ]===" \
+&& \
+touch $LAST_BACKUPS_PROM \
+&& \
+sed -i '/borgbackup_lastbackup{repo="{{ item.key }}"}/d' $LAST_BACKUPS_PROM \
+&& \
+echo "borgbackup_lastbackup{repo=\"{{ item.key }}\"} $(date +%s)" >> $LAST_BACKUPS_PROM \
+&& \
+echo "===[ DONE ]===" 
--- a/common/borgbackup/templates/borgbackup-prometheus.sh
+++ b/common/borgbackup/templates/borgbackup-prometheus.sh
@@ -3,6 +3,9 @@
 export BORG_PASSPHRASE="{{repo_passphrase}}"
 export BORG_RSH="ssh -i /srv/borgbackup/repo_sshkey"

+# Force locale for correct formatting
+LANG=en_US.UTF-8
+
 # Metrics output file in the prometheus node-exporter directory 
 PROM_FILE="/var/lib/prometheus/node-exporter/borgbackup.prom"

@@ -47,10 +50,10 @@ done

 BORG_INFO=$(borg info {{ borgbackup_repos[repo].options }} {{ borgbackup_repos[repo].repo }}::$BACKUP)

-echo "borgbackup_count{repo="{{ repo }}"} $COUNTER" >> $TMP_FILE
-echo "borgbackup_files{repo="{{ repo }}"} $(echo "$BORG_INFO" | grep "Number of files" | awk '{print $4}')" >> $TMP_FILE
-echo "borgbackup_chunks_unique{repo="{{ repo }}"} $(echo "$BORG_INFO" | grep "Chunk index" | awk '{print $3}')" >> $TMP_FILE
-echo "borgbackup_chunks_total{repo="{{ repo }}"} $(echo "$BORG_INFO" | grep "Chunk index" | awk '{print $4}')" >> $TMP_FILE
+echo "borgbackup_count{repo=\"{{ repo }}\"} $COUNTER" >> $TMP_FILE
+echo "borgbackup_files{repo=\"{{ repo }}\"} $(echo "$BORG_INFO" | grep "Number of files" | awk '{print $4}')" >> $TMP_FILE
+echo "borgbackup_chunks_unique{repo=\"{{ repo }}\"} $(echo "$BORG_INFO" | grep "Chunk index" | awk '{print $3}')" >> $TMP_FILE
+echo "borgbackup_chunks_total{repo=\"{{ repo }}\"} $(echo "$BORG_INFO" | grep "Chunk index" | awk '{print $4}')" >> $TMP_FILE

 # byte size calculation 
 LAST_SIZE=$(calc_bytes $(echo "$BORG_INFO" |grep "This archive" |awk '{print $3}') $(echo "$BORG_INFO" |grep "This archive" |awk '{print $4}'))
@@ -60,12 +63,12 @@ TOTAL_SIZE=$(calc_bytes $(echo "$BORG_INFO" |grep "All archives" |awk '{print $3
 TOTAL_SIZE_COMPRESSED=$(calc_bytes $(echo "$BORG_INFO" |grep "All archives" |awk '{print $5}') $(echo "$BORG_INFO" |grep "All archives" |awk '{print $6}'))
 TOTAL_SIZE_DEDUP=$(calc_bytes $(echo "$BORG_INFO" |grep "All archives" |awk '{print $7}') $(echo "$BORG_INFO" |grep "All archives" |awk '{print $8}'))

-echo "borgbackup_last_size{repo="{{ repo }}"} $LAST_SIZE" >> $TMP_FILE
-echo "borgbackup_last_size_compressed{repo="{{ repo }}"} $LAST_SIZE_COMPRESSED" >> $TMP_FILE
-echo "borgbackup_last_size_dedup{repo="{{ repo }}"} $LAST_SIZE_DEDUP" >> $TMP_FILE
-echo "borgbackup_total_size{repo="{{ repo }}"} $TOTAL_SIZE" >> $TMP_FILE
-echo "borgbackup_total_size_compressed{repo="{{ repo }}"} $TOTAL_SIZE_COMPRESSED" >> $TMP_FILE
-echo "borgbackup_total_size_dedup{repo="{{ repo }}"} $TOTAL_SIZE_DEDUP" >> $TMP_FILE
+echo "borgbackup_last_size{repo=\"{{ repo }}\"} $LAST_SIZE" >> $TMP_FILE
+echo "borgbackup_last_size_compressed{repo=\"{{ repo }}\"} $LAST_SIZE_COMPRESSED" >> $TMP_FILE
+echo "borgbackup_last_size_dedup{repo=\"{{ repo }}\"} $LAST_SIZE_DEDUP" >> $TMP_FILE
+echo "borgbackup_total_size{repo=\"{{ repo }}\"} $TOTAL_SIZE" >> $TMP_FILE
+echo "borgbackup_total_size_compressed{repo=\"{{ repo }}\"} $TOTAL_SIZE_COMPRESSED" >> $TMP_FILE
+echo "borgbackup_total_size_dedup{repo=\"{{ repo }}\"} $TOTAL_SIZE_DEDUP" >> $TMP_FILE

 {% endfor %}

@@ -73,5 +76,5 @@ echo "borgbackup_total_size_dedup{repo="{{ repo }}"} $TOTAL_SIZE_DEDUP" >> $TMP_
 mv $TMP_FILE $PROM_FILE
 chown prometheus:prometheus $PROM_FILE
 
-echo "created BorgBackup statistic for $COUNTER backups in {{ borgbackup_repos|length }} repos: $PROM_FILE"
+echo "created BorgBackup statistic for {{ borgbackup_repos|length }} repos: $PROM_FILE"

--- a/common/borgserver/tasks/main.yml
+++ b/common/borgserver/tasks/main.yml
@@ -2,11 +2,12 @@
 # Pakete installieren
 - name: pakete installieren
  apt:
-    pkg: "{{ item }}"
+    name: "{{ packages }}"
    update_cache: yes
-    state: installed
-  with_items:
-    - borgbackup
+    state: present
+  vars:
+    packages:
+      - borgbackup

 # User for private backups 
 - name: create backup user account

--- a/common/cronapt/tasks/main.yml
+++ b/common/cronapt/tasks/main.yml
+---
+# Pakete installieren
+- name: pakete installieren
+  apt:
+    update_cache: yes
+    state: present
+    name:
+      - cron-apt
+      - needrestart
+
+# Cron-Apt runs with default configuration 
+# Daily update at 4am 
+
+- name: add upgrade step 
+  template: 
+    src: 5-upgrade
+    dest: /etc/cron-apt/action.d/5-upgrade
+   
--- a/common/cronapt/templates/5-upgrade
+++ b/common/cronapt/templates/5-upgrade
+dist-upgrade -y -o APT::Get::Show-Upgraded=true
+
--- a/common/docker/handlers/main.yml
+++ b/common/docker/handlers/main.yml
+---
+- name: restart docker
+  service: name=docker state=restarted
+
--- a/common/docker/tasks/main.yml
+++ b/common/docker/tasks/main.yml
@@ -2,24 +2,31 @@

 - name: install deb packages
  apt:
-    pkg: "{{ item }}"
+    name: "{{ packages }}"
    update_cache: yes
-    state: installed
-  with_items:
-    - docker-ce
-    - python 
-    - python-pip
-    
- name: uninstall pip packages
-  pip: 
-    name: docker-py
-    state: absent
+    state: present
+  vars:
+    packages:
+      - apparmor
+      - docker-ce
+      - docker-compose
+      - python3
+      - python3-pip
+
+
+- name: daemon config für docker erstellen 
+  template: 
+    src: daemon.json 
+    dest: /etc/docker/daemon.json
+  notify: restart docker

- name: install pip packages
-  pip: 
+- name: Cronjob to prune unused images  
+  cron: name="docker-prune" weekday="*" hour="5" minute="5" job="/usr/bin/docker system prune --volumes --all -f"
+
+- name: "Create internal Networks: {{ docker.internal_networks }}"
+  docker_network:
    name: "{{ item }}"
-    state: present
-  with_items:
-    - docker
-    - docker-compose 
+    internal: yes
+  with_items: "{{ docker.internal_networks }}"
+  when: docker.internal_networks is defined and docker.internal_networks|length > 0

--- a/common/docker/templates/daemon.json
+++ b/common/docker/templates/daemon.json
+{
+    "storage-driver": "overlay2",
+    "log-driver": "json-file",
+    "log-opts": {
+      "max-size": "128m",
+      "max-file": "5"
+    },
+    "metrics-addr": "{{int_ip4}}:9323",
+    "experimental": true,
+    "ip6tables": true
+}
+
No results found