Vladimir Smagin 1 year ago
parent
commit
b3351be12c
21 changed files with 0 additions and 218 deletions
  1. +0
    -2
      .gitignore
  2. +0
    -4
      ansible.cfg
  3. +0
    -17
      group_vars/hetzner-nodes.yml
  4. +0
    -6
      group_vars/hetzner.yml
  5. +0
    -3
      host_vars/monitor.yml
  6. +0
    -15
      inventory.ini
  7. +0
    -1
      roles/master_key/meta/main.yml
  8. +0
    -7
      roles/master_key/tasks/main.yml
  9. +0
    -1
      roles/preinstall/meta/main.yml
  10. +0
    -18
      roles/preinstall/tasks/main.yml
  11. +0
    -7
      roles/python2/tasks/main.yml
  12. +0
    -1
      roles/ssh_access/defaults/main.yml
  13. +0
    -1
      roles/ssh_access/meta/main.yml
  14. +0
    -17
      roles/ssh_access/tasks/main.yml
  15. +0
    -11
      roles/ssh_config/defaults/main.yml
  16. +0
    -36
      roles/ssh_config/tasks/main.yml
  17. +0
    -6
      roles/upgrade_pip/tasks/main.yml
  18. +0
    -27
      secrets/superkey.key
  19. +0
    -1
      secrets/superkey.pub
  20. +0
    -3
      ssh-keys.sh
  21. +0
    -34
      ssh-keys.yml

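--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +0,0 @@
-*.log
-*.retry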
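--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,4 +0,0 @@
-[defaults]
-log_path=ansible.log
-nocows = 1
-hash_behaviour = merge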
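--- a/group_vars/hetzner-nodes.yml
+++ b/group_vars/hetzner-nodes.yml
@@ -1,17 +0,0 @@
-# If you want to disable key just add key_state: "absent"
-# Example: stupid_manager: { keypath: "../keys/stupid_manager.pub", username: "ubuntu", key_state: "absent" }
-
-access_list:
-git: { keypath: "../keys/project-git.pub", username: "root" }
-dev1: { keypath: "../keys/developer1.pub", username: "root" }
-dev2: { keypath: "../keys/developer2.pub", username: "root" }
-
-
-# use non-standart sshd config
-sshd_config_path: "/var/local/etc/ssh/sshd_config"
-
-
-# allow password auth instead of defaults
-# change defaults here roles/ssh_config/defaults/main.yml
-sshd_options:
-PasswordAuthentication: "yes"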
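--- a/group_vars/hetzner.yml
+++ b/group_vars/hetzner.yml
@@ -1,6 +0,0 @@
-access_list:
-admin: { keypath: "../keys/admin.pub", username: "root" }
-techguy: { keypath: "../keys/techguy.pub", username: "root" }
-interserver: { keypath: "../keys/interserver.pub", username: "root" }
-secret_list:
-interserver: { keypath: "../keys/interserver.pem", username: "root" }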
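--- a/host_vars/monitor.yml
+++ b/host_vars/monitor.yml
@@ -1,3 +0,0 @@
-access_list:
-admin: { keypath: "../keys/admin.pub", username: "root" }
-techguy: { keypath: "../keys/techguy.pub", username: "root" }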
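--- a/inventory.ini
+++ b/inventory.ini
@@ -1,15 +0,0 @@
-[monitoring]
-monitor ansible_host=44.165.225.144 ansible_user=root ansible_ssh_private_key_file="secrets/superkey.pem"
-
-[hetzner:children]
-hetzner-balancers
-hetzner-nodes
-
-[hetzner-nodes]
-hetzner-node0 ansible_host=145.251.216.112 ansible_user=root ansible_ssh_private_key_file="secrets/superkey.pem"
-hetzner-node1 ansible_host=154.64.4.185 ansible_user=root ansible_ssh_private_key_file="secrets/superkey.pem"
-hetzner-node2 ansible_host=168.251.172.244 ansible_user=root ansible_ssh_private_key_file="secrets/superkey.pem"
-
-[hetzner-balancers]
-hetzner-balancer0 ansible_host=145.251.216.154 ansible_user=root ansible_ssh_private_key_file="secrets/superkey.pem"
-hetzner-balancer1 ansible_host=78.46.246.78 ansible_user=root ansible_ssh_private_key_file="secrets/superkey.pem"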
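--- a/roles/master_key/meta/main.yml
+++ b/roles/master_key/meta/main.yml
@@ -1 +0,0 @@
-allow_duplicates: true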
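--- a/roles/master_key/tasks/main.yml
+++ b/roles/master_key/tasks/main.yml
@@ -1,7 +0,0 @@
----
-- name: Set administrative keys and delete others
-authorized_key:
-user: root
-state: present
-exclusive: True
-key: "{{ lookup('file', 'secrets/superkey.pub') }}"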
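--- a/roles/preinstall/meta/main.yml
+++ b/roles/preinstall/meta/main.yml
@@ -1 +0,0 @@
-allow_duplicates: true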
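--- a/roles/preinstall/tasks/main.yml
+++ b/roles/preinstall/tasks/main.yml
@@ -1,18 +0,0 @@
----
-- name: Minimum packages for Debian-like
-apt: name="{{ item }}" state=present update_cache=yes
-become: yes
-with_items:
-- mc
-- htop
-when: (ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian') and preinstall is defined
-
-- name: Minimum packages for RedHat-like
-become: yes
-yum: name="{{ item }}" state=present update_cache=yes
-with_items:
-- mc
-- htop
-when: (ansible_distribution == 'Red Hat' or ansible_distribution == 'Centos') and preinstall is defined
-
-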
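--- a/roles/python2/tasks/main.yml
+++ b/roles/python2/tasks/main.yml
@@ -1,7 +0,0 @@
----
-- name: Install python2
-apt: name=python state=present
-
-- name: Install python pip
-apt: name=python-pip state=present
-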
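--- a/roles/ssh_access/defaults/main.yml
+++ b/roles/ssh_access/defaults/main.yml
@@ -1 +0,0 @@
-default_key_state: "present"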
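--- a/roles/ssh_access/meta/main.yml
+++ b/roles/ssh_access/meta/main.yml
@@ -1 +0,0 @@
-allow_duplicates: true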
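--- a/roles/ssh_access/tasks/main.yml
+++ b/roles/ssh_access/tasks/main.yml
@@ -1,17 +0,0 @@
----
-- name: Set authorized keys
-become: true
-become_user: "{{ item.value.username }}"
-authorized_key:
-user: "{{ item.value.username }}"
-key: "{{ lookup('file', item.value.keypath) }}"
-state: "{{ item.value.key_state | default(default_key_state) }}"
-with_dict: "{{ access_list }}"
-when: access_list != None and access_list is defined
-
-- name: Upload secret keys
-become: true
-become_user: "{{ item.value.username }}"
-copy: src="{{ item.value.keypath }}" dest="~/.ssh/{{ item.value.keypath | basename }}" mode=0600
-with_dict: "{{ secret_list }}"
-when: secret_list != None and secret_list is defined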
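--- a/roles/ssh_config/defaults/main.yml
+++ b/roles/ssh_config/defaults/main.yml
@@ -1,11 +0,0 @@
----
-
-# Set here defaults for ALL servers
-# In other cases use group_vars or host_vars
-
-sshd_config_path: "/etc/ssh/sshd_config"
-
-sshd_options:
-PubkeyAuthentication: "yes"
-PasswordAuthentication: "no"
-# PermitRootLogin: "prohibit-password"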
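--- a/roles/ssh_config/tasks/main.yml
+++ b/roles/ssh_config/tasks/main.yml
@@ -1,36 +0,0 @@
----
-
-# Clean up config file
-
-- name: SSHd config file
-debug: msg="{{ sshd_config_path }}"
-
-- name: SSHd config file
-debug: msg="{{ sshd_options }}"
-
-- name: Remove all marked options from config
-become: yes
-lineinfile:
-path: "{{ sshd_config_path }}"
-state: absent
-regexp: '{{ item.key }}'
-with_dict: "{{ sshd_options }}"
-when: sshd_options != None and sshd_options is defined
-
-# Nice, now add options from ansible configs
-
-- name: Add marked options to config
-become: yes
-lineinfile:
-path: "{{ sshd_config_path }}"
-state: present
-line: '{{ item.key }} {{ item.value }}'
-with_dict: "{{ sshd_options }}"
-when: sshd_options != None and sshd_options is defined
-
-# Ok, applying new options
-
-- name: Restart ssh
-become: yes
-service: name=ssh state=restarted
-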
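--- a/roles/upgrade_pip/tasks/main.yml
+++ b/roles/upgrade_pip/tasks/main.yml
@@ -1,6 +0,0 @@
----
-- name: Upgrade pip
-become: yes
-pip:
-name: pip
-extra_args: --upgrade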
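--- a/secrets/superkey.key
+++ b/secrets/superkey.key
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAwNv29GRDfroj6Ue5iPsj/E5nX7QWRPzfHIj8pMms3+YY/rt6
-em077AXFGQITr874Y5tnjS7joO1LnOU71D/Yy80ty4kqL56U20OBGLrFxv/swJgf
-QweSv9nFkj+sEONqu/kM7Ailu4sOkcAzH/aA8tLVpAyC5xf+wYhtX3twUkbSPgpG
-N6hV/TaNMt27moWwOMui0Hm6EYriPYBD7c7wHwgLwkksq+SLLHDqJqiWrBSRnwCv
-KBAIpMyqwhjLICk7LyuAZdXF+LdJXssXLnnpwl1HspkRt/QhbznRqyLqdD6pfVRv
-yRalZxK7xv8akYlCzzWgCHGbw98KexUBLcw8oQIDAQABAoIBAFcjS7pyjth0bANc
-B+Vva3v1RNnF+YXkJz6yWkxuXvCu+z4lIRqtvjRPCxXYjWKTBkGjFq+ArxKoBND3
-9gdZba/vnbBn4iqv4RwMrQiqYvAd9C+0y/MyOcj7MTx6Dll3F2OlDISdB5zsIIIU
-MEVR0ENmpWbAzGhzvARfiuNoV4CkfCMk8+1l5m0eLuFih74IW3Ka62tUx6DUIl9/
-KTsgFqsGY7if6RomEWJssoDWYhfVpy2PyIR9Rvs3sTSKXKlHAZIewTbiwsjsknjw
-8x6eJpi6KogZ2jsgmjOzAUkyAjFm5+Su7l0H58nJk6V0b4eskXGZD4nzzmUSmjEw
-L1MmW90CgYEA59RpCp3t0MGX5IPkKezaCXC6uvP1cUPKIcz9MrYDDzX4mWUIiKza
-hyPPllmV75sUk11/bMcwOlYiRlpwCRq6Wh5BV3D34/YSNF7gOyUkNrEWt04UAlSD
-pwEP8RMv+GXhPGfWJrhuF3zTYoWy8347LKuKgkLxDgWYwvYaJTXMVDsCgYEA1Pds
-Poup+X8eOOtF80w8T7joTEI4TM0h7LdJnK8Don99jG4dQdgXB/r8qsCSkjHG6nkn
-6qsJXEULybxuc4qD444LwNWAVVxHE6e69plW5jtzO5ZXEEMFOpBawAZDIOtiePUr
-ZrXp4X48o429XWBenZPJZmtCFCnd8943AEkLcNMCgYEAocEMNZMx3qllMNVxumr/
-Svzz3QPhKlFRVLoxpFNo2REgTu82wB5TL12mNtJ1EkSTW6suAJkOpnV43ru1VjTm
-94AKuVciL1V/KDlWnQ3yMZLoNaftwB516W2NUPjBTMDRIhOVUVj3v72hxCljTg+y
-fB2IvBC3HsB68PVEEthxpAcCgYA+3N39xFojBGvWX1RhkcJHwgwH3pAh03dNGXlI
-H70R7VIQ7rwCIJgDygllGbzqHHlb4vFuapgzvUnSfaWYw21U8Sv0+tCL4dY1LhCZ
-FAA7q5bDIwiGC1JyzAONpQuRnwmNLMln4xCreAjMOl2IP5cOKn6LleOGcilK/+/6
-TJVs8wKBgQDSOzTch2lQViWQhSFO2nnQ5Os7nLhQGhWLQP+L6JJiTIeAv0oITyQC
-IVOzsysepQYnm/bSHDXRHpzYR/Cq2FJIIPKvBIHuh60zqhpfpG97+fCibRFfWcoe
-DFR+2w5mcReEHjwAT5dVBfYVlLb75Zmu7P0/C4KG6DGtRNxEGSjUSw==
------END RSA PRIVATE KEY-----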
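--- a/secrets/superkey.pub
+++ b/secrets/superkey.pub
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDA2/b0ZEN+uiPpR7mI+yP8TmdftBZE/N8ciPykyazf5hj+u3p6bTvsBcUZAhOvzvhjm2eNLuOg7Uuc5TvUP9jLzS3LiSovnpTbQ4EYusXG/+zAmB9DB5K/2cWSP6wQ42q7+QzsCKW7iw6RwDMf9oDy0tWkDILnF/7BiG1fe3BSRtI+CkY3qFX9No0y3buahbA4y6LQeboRiuI9gEPtzvAfCAvCSSyr5IsscOomqJasFJGfAK8oEAikzKrCGMsgKTsvK4Bl1cX4t0leyxcueenCXUeymRG39CFvOdGrIup0Pql9VG/JFqVnErvG/xqRiULPNaAIcZvD3wp7FQEtzDyh demo key. do not use it!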
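--- a/ssh-keys.sh
+++ b/ssh-keys.sh
@@ -1,3 +0,0 @@
-#!/bin/bash
-
-ansible-playbook ssh-keys.yml -i inventory.ini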
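--- a/ssh-keys.yml
+++ b/ssh-keys.yml
@@ -1,34 +0,0 @@
----
-
-# Check if python2 installed to server
-
-- name: Checkout python2
-hosts: all
-ignore_errors: yes
-vars:
-ansible_python_interpreter: /usr/bin/python3
-roles:
-# install python 2 and pip, use only for python3-only hosts
-#- python2
-
-# Ok, now magic begins
-
-- hosts: all
-gather_facts: True
-roles:
-# use master key only if you realy want it
-# playbook install it only for root and delete others! allow root auth with key
-#- master_key
-
-# upgrade pip before python libs installation in preinstall role
-#- upgrade_pip
-
-# preinstall required libs and apps before first server use
-#- preinstall
-
-# this role reconfigures sshd server
-- ssh_config
-
-# add/remove public keys from servers
-- ssh_access
-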