Merge branch 'master' of ssh://gitlab.warpzone.ms:444/infrastruktur/ansible-warpzone

# Conflicts:
#	common/borgbackup/tasks/main.yml
#	common/borgbackup/templates/borgbackup-check.sh
#	common/borgbackup/templates/borgbackup-create.sh
#	common/borgbackup/templates/borgbackup-delete.sh
#	common/borgbackup/templates/borgbackup-info.sh
#	common/borgbackup/templates/borgbackup-init.sh
#	common/borgbackup/templates/borgbackup-list.sh
#	common/borgbackup/templates/borgbackup-mount.sh
#	common/borgbackup/templates/borgbackup-prometheus.sh

common/borgbackup/templates/logrotate

-/var/log/borgbackup/borgbackup.log {
+/var/log/borgbackup/*.log {
   rotate 12
   monthly
   compress

common/borgserver/tasks/main.yml

+---
+# Pakete installieren
+- name: pakete installieren
+  apt:
+    pkg: "{{ item }}"
+    update_cache: yes
+    state: installed
+  with_items:
+    - borgbackup
+
+# User for private backups 
+- name: create backup user account
+  user:  
+    name: "{{ item.key }}"
+    group: "users"
+    home: "/data/{{ item.key }}"
+    createhome: yes 
+  with_dict: "{{ borgbackup_user }}"
+
+- name: create authorized_keys for users 1
+  file: 
+    path: "/data/{{ item.key }}/.ssh"
+    state: "directory"
+  with_dict: "{{ borgbackup_user }}"
+
+- name: create authorized_keys for users 2
+  template: 
+    src: authorized_keys 
+    dest: "/data/{{ item.key }}/.ssh/authorized_keys" 
+  with_dict: "{{ borgbackup_user }}"

common/borgserver/templates/authorized_keys

+{% for sshkey in item.value.sshkeys %}
+{{ sshkey }}
+{% endfor %}
\ No newline at end of file

common/docker/tasks/main.yml

+---
+
+- name: install deb packages
+  apt:
+    pkg: "{{ item }}"
+    update_cache: yes
+    state: installed
+  with_items:
+    - docker-ce
+    - python 
+    - python-pip
+    
+- name: uninstall pip packages
+  pip: 
+    name: docker-py
+    state: absent
+
+- name: install pip packages
+  pip: 
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - docker
+    - docker-compose 
+

functions/get_secret.yml

+---
+# Hilfsfunktion zum auslesen lokal gespeicherter Secrets auf dem Server 
+# Die Secrets sind aus dem Server jeweils in einer Datei gespeichert 
+# Zum Auslesen wird die Datei über Slurp geladen und in einer Variable entsprechend dem 
+# Dateinamen registriert.
+# Falls die Datei noch nicht existiert wird das Secret entsprechend der vorgegebenen 
+# Länge initialisiert 
+# 
+# Beispiel: (Auslesen von Passörtern aus /srv/xyz/secret_pw, registrierung als Variable secret_pw, erzeugung mit 24 Zeichen falls nicht vorhanden)
+# 
+# - include: ../functions/get_secret.yml
+#   with_items:
+#     - { path: /srv/xyz/secret_pw,  length: 24 }
+#     - { path: /srv/xyz/secret2_pw, length: 12 }
+
+# Check if file exists  
+- name: "{{ item.path | basename }} (check directory)"
+  file: 
+    path: "{{ item.path | dirname }}"
+    state: "directory"
+
+# Check if file exists  
+- name: "{{ item.path | basename }} (check file)"
+  stat:
+    path: "{{ item.path }}" 
+  register: filestat 
+
+# Generate secret if missing 
+- name: "{{ item.path | basename }} (generate: install openssl)" 
+  apt:
+    pkg: openssl
+    update_cache: no
+    state: installed
+  when: filestat.stat.exists == False 
+
+- name: "{{ item.path | basename }} (generate: length = {{ item.length }})"
+  command: "openssl rand -base64 -out {{ item.path }} {{ item.length }}" 
+  when: filestat.stat.exists == False 
+
+# Get Secret 
+- name: "{{ item.path | basename }} (slurp)"
+  slurp: src={{ item.path }}
+  register: secretfile
+
+# Decode Secret and register fact 
+- name: "{{ item.path | basename }} (decode)"
+  set_fact: 
+    "{{ item.path | basename }}": "{{ secretfile.content | b64decode | regex_replace('\\s', '') }}" 
+

group_vars/all

@@ -5,3 +5,6 @@
 ldap_ip_ext: 10.0.20.2
 # int ist noch ungenutzt / später replikation in der Zone
 ldap_ip_int: 10.0.20.2
+
+ldap_base_dn: DC=warpzone,DC=ms
+ldap_readonly_bind_dn: CN=readonly,DC=warpzone,DC=ms
\ No newline at end of file

host_vars/warpsrvext

@@ -8,6 +8,7 @@ motd_lines:
 debian_sources: 
   - "deb http://repo.myloc.de/debian jessie main non-free contrib"
   - "deb http://security.debian.org/ jessie/updates main contrib non-free"
+  - "deb http://ftp.debian.org/debian jessie-backports main"
 
 debian_keys:
 
@@ -18,3 +19,11 @@ administratorenteam:
   - "commander1024"
 
 
+borgbackup_user:
+
+  warpzone: 
+
+     sshkeys:
+       - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID2EdE/pfN3L91XytQ3+KXLTxAvAGSUE6TKpHTcOcJWw root@warpsrvint"
+       - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENYus4S4XOaGHVL4B6vbnIrovtqaCT1lbEF73StiTt+ root@webserver"
+

host_vars/warpsrvint

@@ -9,10 +9,12 @@ debian_sources:
   - "deb http://debian.uni-duisburg-essen.de/debian/ jessie main non-free contrib"
   - "deb http://security.debian.org/ jessie/updates main contrib non-free"
   - "deb http://debian.uni-duisburg-essen.de/debian/ jessie-updates main contrib non-free"
+  - "deb http://ftp.debian.org/debian jessie-backports main"
   - "deb https://apt.dockerproject.org/repo debian-jessie main"
-  - "deb http://http.debian.net/debian jessie-backports main"
+  - "deb [arch=amd64] https://download.docker.com/linux/debian jessie stable"
 
 debian_keys:
+  - "https://download.docker.com/linux/debian/gpg"
 
 webserver_domains: 
   - "infra"
@@ -24,3 +26,67 @@ administratorenteam:
   - "sandhome"
   - "sandmobil"
 #  - "ennox" (ssh key fehlt noch)
+
+
+# Definition von Borgbackup Repositories 
+borgbackup_repos:
+  
+  warpsrvext: 
+
+    # URL des Repos   
+    repo: "ssh://warpzone@217.79.181.126:/data/warpzone/warpsrvint"
+    
+    # Repo-spezifische Optionen zum Aufruf von Borgbackup
+    # z.B. bei Sicherungen zu rsync.net ist --remote-path=borg1 erforderlich
+    options: ""
+
+    # Compression Options, z,b. "zlib,5, "zstd,5"
+    compression: "zlib,5"
+
+    # Prune Optionen 
+    prune: "--keep-within=2d --keep-daily=7 --keep-weekly=4 --keep-monthly=6"
+    
+    # Backup Schedule 
+    weekday: "*"
+    hour: "6"
+    minute: "0"
+
+    #  Zusätzliche Verzeichnisse, die nur in diesem Backup gesichtert werden sollen 
+    # directories:
+
+  voidhome: 
+
+    # URL des Repos   
+    repo: "ssh://warpzone@130.180.13.106:5201/data/warpzone/warpsrvint"
+    
+    # Repo-spezifische Optionen zum Aufruf von Borgbackup
+    # z.B. bei Sicherungen zu rsync.net ist --remote-path=borg1 erforderlich
+    options: ""
+
+    # Compression Options, z,b. "zlib,5, "zstd,5"
+    compression: "zlib,5"
+
+    # Prune Optionen 
+    prune: "--keep-within=2d --keep-daily=7 --keep-weekly=4 --keep-monthly=6"
+    
+    # Backup Schedule 
+    weekday: "*"
+    hour: "*/5"
+    minute: "0"
+
+    #  Zusätzliche Verzeichnisse, die nur in diesem Backup gesichtert werden sollen 
+    # directories:
+
+
+# Definition der Verzeichnisse, die in allen Borgbackup Repos gesichert werden sollen 
+borgbackup_directories:
+  - "/etc/"
+  - "/srv/"
+
+
+borgbackup_user:
+
+  warpzone: 
+
+     sshkeys:
+       - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENYus4S4XOaGHVL4B6vbnIrovtqaCT1lbEF73StiTt+ root@webserver"

host_vars/webserver

@@ -15,19 +15,6 @@ debian_sources:
 debian_keys:
   - "https://download.docker.com/linux/debian/gpg"
 
-borgbackup_weekday: "*"
-borgbackup_hour: "4"
-borgbackup_minute: "0"
-
-borgbackup_directories:
-  - "/etc/"
-  - "/srv/"
-
-borgbackup_prune:
-  - "--keep-within=2d"
-  - "--keep-daily=7"
-  - "--keep-weekly=4"
-  - "--keep-monthly=6"
 
 letsencrypt_tos_sha256: 6373439b9f29d67a5cd4d18cbc7f264809342dbf21cb2ba2fc7588df987a6221
 
@@ -37,6 +24,12 @@ webserver_domains:
   - "gitlab"
   - "infra"
   - "infra-test"
+  - "jabber"
+  - "muc.jabber"
+  - "proxy.jabber"
+  - "jabber-test"
+  - "muc.jabber-test"
+  - "proxy.jabber-test"
   - "ldap"
   - "mattermost"
   - "pad"
@@ -50,4 +43,82 @@ administratorenteam:
   - "sandhome"
   - "sandmobil"
   - "commander1024"
-  
+  
\ No newline at end of file
+  # Definition von Borgbackup Repositories 
+borgbackup_repos:
+  
+  warpsrvext: 
+
+    # URL des Repos   
+    repo: "ssh://warpzone@217.79.181.126:/data/warpzone/webserver"
+    
+    # Repo-spezifische Optionen zum Aufruf von Borgbackup
+    # z.B. bei Sicherungen zu rsync.net ist --remote-path=borg1 erforderlich
+    options: ""
+
+    # Compression Options, z,b. "zlib,5, "zstd,5"
+    compression: "zlib,5"
+
+    # Prune Optionen 
+    prune: "--keep-within=2d --keep-daily=7 --keep-weekly=4 --keep-monthly=6"
+    
+    # Backup Schedule 
+    weekday: "*"
+    hour: "*/4"
+    minute: "0"
+
+    #  Zusätzliche Verzeichnisse, die nur in diesem Backup gesichtert werden sollen 
+    # directories:
+
+  warpsrvint: 
+
+    # URL des Repos   
+    repo: "ssh://warpzone@192.168.0.201:22/data/warpzone/webserver"
+    
+    # Repo-spezifische Optionen zum Aufruf von Borgbackup
+    # z.B. bei Sicherungen zu rsync.net ist --remote-path=borg1 erforderlich
+    options: ""
+
+    # Compression Options, z,b. "zlib,5, "zstd,5"
+    compression: "zlib,5"
+
+    # Prune Optionen 
+    prune: "--keep-within=2d --keep-daily=7 --keep-weekly=4 --keep-monthly=6"
+    
+    # Backup Schedule 
+    weekday: "*"
+    hour: "*/5"
+    minute: "0"
+
+    #  Zusätzliche Verzeichnisse, die nur in diesem Backup gesichtert werden sollen 
+    # directories:
+
+  voidhome: 
+
+    # URL des Repos   
+    repo: "ssh://warpzone@130.180.13.106:5201/data/warpzone/webserver"
+    
+    # Repo-spezifische Optionen zum Aufruf von Borgbackup
+    # z.B. bei Sicherungen zu rsync.net ist --remote-path=borg1 erforderlich
+    options: ""
+
+    # Compression Options, z,b. "zlib,5, "zstd,5"
+    compression: "zlib,5"
+
+    # Prune Optionen 
+    prune: "--keep-within=2d --keep-daily=7 --keep-weekly=4 --keep-monthly=6"
+    
+    # Backup Schedule 
+    weekday: "*"
+    hour: "*/4"
+    minute: "0"
+
+    #  Zusätzliche Verzeichnisse, die nur in diesem Backup gesichtert werden sollen 
+    # directories:
+
+
+# Definition der Verzeichnisse, die in allen Borgbackup Repos gesichert werden sollen 
+borgbackup_directories:
+  - "/etc/"
+  - "/srv/"
+

site.yml

@@ -5,6 +5,7 @@
 - include: vorstandspi/main.yml 
 - include: warphab/main.yml 
 - include: warpsrvint/main.yml 
+- include: warpsrvext/main.yml 
 - include: webserver/main.yml 
 
     

warpsrvext/main.yml

+---
+
+- hosts: warpsrvext
+  remote_user: root
+  roles:
+    - { role: ../common/borgserver, tags: borgserver }
+    

warpsrvint/docker_grafana/tasks/main.yml

 ---
-# Einige Secrets sind auf dem Server lokal gespeichert und werden von dort gelesen 
-# Auslesen der Dateien vom Server, zwischengespeicert wird in der Variable gitlab_secrets 
-# Anschließend müssen die entsprechenden Einträge aus gitlab_secrets extrahiert werden  
-# Die Daten, die von Slurp gelesen werden sind Base64 codiert 
-# Zur Sicherheit werden Whitespace-Zeichen entfert, damit z.B. Zeilenumbrüche nicht übernommen werden 
-
-- name: get secrets from server 1
-  slurp: src={{ item }}
-  with_items:
-    - /srv/ldap/secret/ldap_readonly_pass
-  register: warpinfra_secrets
-
-- name: get secrets from server 2
-  set_fact: 
-    ldap_readonly_pass: "{{ warpinfra_secrets.results | selectattr('item', 'equalto', '/srv/ldap/secret/ldap_readonly_pass') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}" 
-
-- name: get secrets from server 1
-  slurp: src={{ item }}
+# Get secrets 
+- include: ../functions/get_secret.yml
   with_items:
-    - /srv/grafana/grafana_admin_pass
-  register: grafana_secrets
-
-- name: get secrets from server 2
-  set_fact: 
-    grafana_admin_pass: "{{ grafana_secrets.results | selectattr('item', 'equalto', '/srv/grafana/grafana_admin_pass') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}" 
+    - { path: /srv/ldap/secret/ldap_readonly_pass, length: 24 }
+    - { path: /srv/grafana/grafana_admin_pass, length: 12 }
 
 - name: create folder struct for grafana
   file: 
@@ -41,25 +21,19 @@
     - ldap.toml
   register: config
 
-- name: stop grafana-app docker
-  docker_container: 
-    name: grafana-app
+- name: Docker Compose Konfig-Datei erstellen
+  template:
+    src: "docker-compose.yml"
+    dest: "/srv/grafana/docker-compose.yml"
+
+- name: start grafana docker
+  docker_service:
+    project_src: /srv/grafana/
     state: absent
   when: config.changed
 
-- name: start grafana-app docker
-  docker_container: 
-    name: grafana-app
-    image: grafana/grafana:4.4.1
-    state: started
-    restart_policy: always
-    volumes:
-      - /srv/grafana/config/grafana.ini:/etc/grafana/grafana.ini
-      - /srv/grafana/config/ldap.toml:/etc/grafana/ldap.toml
-      - /srv/grafana/data/:/var/lib/grafana
-    ports:
-      - 3000:3000
-    env:
-      GF_SERVER_ROOT_URL: "http://10.5.0.111:3000"
-      GF_SECURITY_ADMIN_PASSWORD: "{{ grafana_admin_pass }}"
-      
+- name: start grafana docker
+  docker_service:
+    project_src: /srv/grafana/
+    state: present
+

warpsrvint/docker_grafana/templates/docker-compose.yml

+version: "3"
+
+services:
+
+  db:
+
+    image: grafana/grafana:5.0.4
+    restart: always
+    ports:
+      - 3000:3000
+    volumes:
+      - /srv/grafana/config/grafana.ini:/etc/grafana/grafana.ini
+      - /srv/grafana/config/ldap.toml:/etc/grafana/ldap.toml
+      - /srv/grafana/data/:/var/lib/grafana
+    environment:
+      GF_SERVER_ROOT_URL: "http://warpsrvint:3000"
+      GF_SECURITY_ADMIN_PASSWORD: "{{ grafana_admin_pass }}"
+

warpsrvint/docker_influxdb/tasks/main.yml

+---
+- name: create folder struct for influxdb
+  file: 
+    path: "{{ item }}"
+    state: "directory"
+  with_items:
+    - "/srv/influxdb/"
+    - "/srv/influxdb/data/"   
+
+- name: Docker Compose Konfig-Datei erstellen
+  template:
+    src: "docker-compose.yml"
+    dest: "/srv/influxdb/docker-compose.yml"
+
+- name: start influxdb docker
+  docker_service:
+    project_src: /srv/influxdb/
+    state: present

warpsrvint/docker_influxdb/templates/docker-compose.yml

+version: "3"
+
+services:
+
+  db:
+
+    image: influxdb:1.5.1
+    restart: always
+    ports:
+      - 8086:8086
+      - 2003:2003
+    volumes:
+      - /srv/influxdb/data/:/var/lib/influxdb
+    environment:
+      INFLUXDB_GRAPHITE_ENABLED: "true"
+

warpsrvint/docker_iobroker/tasks/main.yml

+---
+
+# Create folders 
+- name: create folder struct for iobroker 
+  file: 
+    path: "{{ item }}" 
+    state: "directory"
+  with_items:
+    - "/srv/iobroker"
+    - "/srv/iobroker/data"
+
+# Create docker-compose.yml 
+- name: Konfig-Datei erstellen
+  template: 
+    src: "{{item}}" 
+    dest: "/srv/iobroker/{{item}}"
+  with_items:
+    - docker-compose.yml
+
+# Create run.sh 
+- name: Konfig-Datei erstellen
+  template: 
+    src: "{{item}}" 
+    dest: "/srv/iobroker/data/{{item}}"
+    mode: "u=rwx"
+  with_items:
+    - run.sh
+
+# Start containers        
+- name: start iobroker docker
+  docker_service:
+    project_src: /srv/iobroker/
+    state: present
+

warpsrvint/docker_iobroker/templates/docker-compose.yml

+
+version: "3"
+
+services:
+
+  app:
+
+    image: iobroker/iobroker:latest
+    restart: always
+    ports:
+      - 0.0.0.0:8081:8081
+      - 0.0.0.0:8082:8082
+    volumes:
+      - /srv/iobroker/data/:/opt/iobroker
+

warpsrvint/docker_iobroker/templates/run.sh

+
+#!/bin/sh
+
+cd /opt/iobroker/
+npm install iobroker --unsafe-perm
+node node_modules/iobroker.js-controller/controller.js

warpsrvint/docker_l4z0r/tasks/main.yml

+---
+
+# Create folders 
+- name: create folder struct for l4z0r 
+  file: 
+    path: "{{ item }}" 
+    state: "directory"
+  with_items:
+    - "/srv/l4z0r"
+    - "/srv/l4z0r/db"
+
+# Get secrets 
+- include: ../functions/get_secret.yml
+  with_items:
+    - { path: /srv/l4z0r/mysql_root_pw, length: 24 }
+    - { path: /srv/l4z0r/mysql_user_pw, length: 12 }
+
+# Create docker-compose.yml 
+- name: Konfig-Datei erstellen
+  template: 
+    src: "docker-compose.yml" 
+    dest: "/srv/l4z0r/docker-compose.yml"
+
+# Start containers        
+- name: start l4z0r docker
+  docker_service:
+    project_src: /srv/l4z0r/
+    state: present
+

warpsrvint/docker_l4z0r/templates/docker-compose.yml

+
+version: "3"
+
+services:
+
+  db:
+
+    image: mariadb:10.1
+    restart: always
+    ports:
+      - 0.0.0.0:33306:3306
+    volumes:
+      - /srv/l4z0r/db/:/var/lib/mysql
+    environment:
+      MYSQL_DATABASE: l4z0r
+      MYSQL_USER: l4z0r
+      MYSQL_PASSWORD: {{ mysql_user_pw }}
+      MYSQL_ROOT_PASSWORD: {{ mysql_root_pw }}
+