From f3f57b85a0360a6a4cd60af2f17b11f72d7ce076 Mon Sep 17 00:00:00 2001 From: jaydee Date: Wed, 11 Dec 2024 10:07:16 +0100 Subject: [PATCH] bitwarden --- playbooks/00_clone_git_repo.yml | 4 + roles/autofs-client/tasks/main.yml | 42 +++++++ roles/docker/handlers/main.yml | 4 + roles/docker/tasks/main.yml | 57 ++++++++++ roles/ldap-client/tasks/main.yml | 149 +++++++++++++++++++++++++ roles/matter-server/handlers/main.yml | 4 + roles/matter-server/tasks/main.yml | 10 ++ roles/mqtt-srv/tasks/main.yml | 116 +++++++++++++++++++ roles/mqtt-srv/vars/main.yml | 1 + roles/timeshift/tasks/main.yml | 9 ++ roles/zabbix-agent/tasks/main.yml | 154 ++++++++++++++++++++++++++ roles/zabbix-agent/vars/main.yml | 1 + 12 files changed, 551 insertions(+) create mode 100644 playbooks/00_clone_git_repo.yml create mode 100644 roles/autofs-client/tasks/main.yml create mode 100644 roles/docker/handlers/main.yml create mode 100644 roles/docker/tasks/main.yml create mode 100644 roles/ldap-client/tasks/main.yml create mode 100644 roles/matter-server/handlers/main.yml create mode 100644 roles/matter-server/tasks/main.yml create mode 100644 roles/mqtt-srv/tasks/main.yml create mode 100644 roles/mqtt-srv/vars/main.yml create mode 100644 roles/timeshift/tasks/main.yml create mode 100644 roles/zabbix-agent/tasks/main.yml create mode 100644 roles/zabbix-agent/vars/main.yml diff --git a/playbooks/00_clone_git_repo.yml b/playbooks/00_clone_git_repo.yml new file mode 100644 index 0000000..3ea4815 --- /dev/null +++ b/playbooks/00_clone_git_repo.yml @@ -0,0 +1,4 @@ +- hosts: datacenter + name: Clone git + become: true + tasks: diff --git a/roles/autofs-client/tasks/main.yml b/roles/autofs-client/tasks/main.yml new file mode 100644 index 0000000..5591a85 --- /dev/null +++ b/roles/autofs-client/tasks/main.yml 
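Review bot: The play in playbooks/00_clone_git_repo.yml declares `hosts: datacenter` and `become: true` but its `tasks:` key has no entries, so it parses as null and the play does nothing (if Ansible accepts the null value at all). Either add the clone task the file name promises or drop the file until it is ready; an empty privileged play only adds a confusing "ok" to every run.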
@@ -0,0 +1,42 @@ +- block: + - name: include vault + ansible.builtin.include_vars: + file: jaydee.yml + - name: Install autofs + ansible.builtin.apt: + name: + - autofs + - cifs-utils + state: present + + - name: Creating a file with content + copy: + dest: "/etc/auto.auth" + content: | + username={{ samba_user }} + password={{ samba_password }} + + - name: Creating a file with content + copy: + dest: "/etc/auto.nas" + content: | + nas-data -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/Data + nas-docker-data -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/docker_data + nas-photo -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/Photo + nas-public -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/Public + nas-install -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/install + nas-media -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/Media + nas-downloads -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/downloads + + - name: Reconfigure zabbix agent Server + ansible.builtin.lineinfile: + path: /etc/auto.master + regexp: "^/media/nas.*" + insertafter: '^/media/nas' + line: "/media/nas /etc/auto.nas --timeout 360 --ghost" + + - name: Restart docker service + ansible.builtin.service: + name: autofs + state: restarted + become: true \ No newline at end of file diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml new file mode 100644 index 0000000..8fd7f72 --- /dev/null +++ b/roles/docker/handlers/main.yml @@ -0,0 +1,4 @@ +- name: restart_docker + ansible.builtin.service: + name: docker.service + state: restarted \ No newline at end of file 
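Review bot: `/etc/auto.auth` receives `password={{ samba_password }}` in clear text, but the `copy` task that writes it sets no `mode:` or `owner:`, so the file gets the default umask-derived permissions and is very likely world-readable. Add `mode: '0600'` and `owner: root` to that task, plus `no_log: true` so the rendered credential does not show up in play or diff output. The task names are also copy-pasted: 'Reconfigure zabbix agent Server' edits /etc/auto.master and 'Restart docker service' restarts autofs.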
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml new file mode 100644 index 0000000..9f80008 --- /dev/null +++ b/roles/docker/tasks/main.yml @@ -0,0 +1,57 @@ +- block: + - name: Install docker + ansible.builtin.apt: + name: + - ca-certificates + - curl + - telnet + - net-tools + - python3-pip + - python3-dev + state: present + update_cache: true + - name: Get keys for raspotify + ansible.builtin.shell: + install -m 0755 -d /etc/apt/keyrings + + - name: Get keys for raspotify + ansible.builtin.shell: + curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc + + - name: Get keys for raspotify + ansible.builtin.shell: + chmod a+r /etc/apt/keyrings/docker.asc + + - name: Get keys for raspotify + ansible.builtin.shell: echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null + + - name: Install docker + ansible.builtin.apt: + name: + - docker-ce + - docker-ce-cli + - containerd.io + - docker-buildx-plugin + - docker-compose-plugin + update_cache: true + + - name: Create a directory docker.service.d + ansible.builtin.file: + path: /etc/systemd/system/docker.service.d/ + state: directory + mode: '0755' + + - name: Creating a file with content + copy: + dest: "/etc/systemd/system/docker.service.d/override.conf" + content: | + [Service] + ExecStart= + ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp://0.0.0.0:2375 + notify: restart_docker + + - name: Just force systemd to reread configs + ansible.builtin.systemd: + daemon_reload: true + + become: true \ No newline at end of file diff --git a/roles/ldap-client/tasks/main.yml b/roles/ldap-client/tasks/main.yml new file mode 100644 index 0000000..a1451b5 --- /dev/null +++ b/roles/ldap-client/tasks/main.yml 
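Review bot: The override.conf written by 'Creating a file with content' starts dockerd with `-H tcp://0.0.0.0:2375`, which exposes the unauthenticated Docker API on every interface; anything that can reach that port is effectively root on the host. Keep only `-H fd://` unless remote access is genuinely required, and in that case bind to a specific address and require client certificates (`--tlsverify` with `--tlscacert`/`--tlscert`/`--tlskey`). Separately, the four `ansible.builtin.shell` tasks are all named 'Get keys for raspotify', one uses `sudo tee` inside a block that already has `become: true`, and none is idempotent, so they report changed on every run; `ansible.builtin.get_url` for the key and `ansible.builtin.apt_repository` for the source entry would replace them.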
@@ -0,0 +1,149 @@ +- block: + - name: Install ldap packages + ansible.builtin.apt: + name: + - libpam-ldapd + - ldap-utils + - libnss-ldapd + # - name: Reconfigure ldap base + # ansible.builtin.lineinfile: + # path: /etc/ldap.conf + # regexp: "^base " + # line: "base dc=sectorq,dc=eu" + + # - name: Reconfigure ldap uri + # ansible.builtin.lineinfile: + # path: /etc/ldap.conf + # regexp: "^uri ldap.*" + # line: "uri ldaps://ldap-server.loc/" + # - name: Reconfigure ldap version + # ansible.builtin.lineinfile: + # path: /etc/ldap.conf + # regexp: "^ldap_version.*" + # line: "ldap_version 3" + + # - name: Reconfigure ldap rootbinddn + # ansible.builtin.lineinfile: + # path: /etc/ldap.conf + # regexp: "^rootbinddn.*" + # line: "rootbinddn cn=admin,dc=sectorq,dc=eu" + - name: Reconfigure common-session + ansible.builtin.lineinfile: + path: /etc/pam.d/common-session + regexp: "^session optional pam_mkhomedir.so.*" + line: "session optional pam_mkhomedir.so skel=/etc/skel umask=077" + - name: Reconfigure common-session + ansible.builtin.lineinfile: + path: /etc/pam.d/common-session + regexp: "^session.*pam_ldap.so.*" + line: "session [success=ok default=ignore] pam_ldap.so minimum_uid=1000" + - name: Reconfigure common-password + ansible.builtin.lineinfile: + path: /etc/pam.d/common-password + regexp: "^password.*success=1 user_unknown=ignore default=die.*" + line: "password [success=1 default=ignore] pam_ldap.so minimum_uid=1000 try_first_pass" + - name: Reconfigure nsswitch passwd + ansible.builtin.lineinfile: + path: /etc/nsswitch.conf + regexp: "^passwd:.*" + line: "passwd: compat systemd ldap" + - name: Reconfigure nsswitch group + ansible.builtin.lineinfile: + path: /etc/nsswitch.conf + regexp: "^group:.*" + line: "group: compat systemd ldap" + - name: Reconfigure nsswitch shadow + ansible.builtin.lineinfile: + path: /etc/nsswitch.conf + regexp: "^shadow:.*" + line: "shadow: compat ldap" + + - name: Reconfigure nslcd uri + ansible.builtin.lineinfile: + path: 
/etc/nslcd.conf + regexp: "^uri ldap.*" + line: "uri ldap://192.168.77.101:2389/" + + + - name: Reconfigure ldap base + ansible.builtin.lineinfile: + path: /etc/nslcd.conf + regexp: "^base " + line: "base dc=sectorq,dc=eu" + + + - name: Reconfigure nslcd binddn + ansible.builtin.lineinfile: + path: /etc/nslcd.conf + regexp: "^binddn" + line: "binddn cn=jaydee,dc=users,dc=sectorq,dc=eu" + + - name: Reconfigure nslcd bindpw + ansible.builtin.lineinfile: + path: /etc/nslcd.conf + regexp: "^bindpw" + line: "bindpw {{ ldap_admin_password }}" + # - name: Reconfigure ldap base + # ansible.builtin.lineinfile: + # path: /etc/nslcd.conf + # regexp: "^#ssl" + # line: "ssl start_tls" + - name: Reconfigure nslcd tls_reqcert + ansible.builtin.lineinfile: + path: /etc/nslcd.conf + regexp: "^tls_reqcert" + line: "tls_reqcert allow" + - name: Restart nslcd service + ansible.builtin.service: + name: nslcd.service + state: restarted + + - name: Creating a file with content + copy: + dest: "/usr/local/bin/fetchSSHKeysFromLDAP" + content: | + #!/usr/bin/bash + ldapsearch -x '(&(objectClass=ldapPublicKey)(cn='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp' + mode: '0755' + - name: Reconfigure sshd + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: "^#AuthorizedKeysCommand *" + line: "AuthorizedKeysCommand /usr/local/bin/fetchSSHKeysFromLDAP" + + - name: Reconfigure sshd + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: "^#AuthorizedKeysCommandUser *" + line: "AuthorizedKeysCommandUser root" + - name: Create a directory LDAP if it does not exist + ansible.builtin.file: + path: /etc/ldap/ + state: directory + mode: '0755' + - name: Creating a file with content + copy: + dest: "/etc/ldap/ldap.conf" + content: | + # + # LDAP Defaults + # + + # See ldap.conf(5) for details + # This file should be world readable but not world writable. 
+ + BASE dc=sectorq,dc=eu + URI ldap://192.168.77.101:2389 + + #SIZELIMIT 12 + #TIMELIMIT 15 + #DEREF never + + # TLS certificates (needed for GnuTLS) + TLS_CACERT /etc/ssl/certs/ca-certificates.crt + + - name: Restart sshd service + ansible.builtin.service: + name: sshd.service + state: restarted + become: true \ No newline at end of file diff --git a/roles/matter-server/handlers/main.yml b/roles/matter-server/handlers/main.yml new file mode 100644 index 0000000..bf3c0f0 --- /dev/null +++ b/roles/matter-server/handlers/main.yml @@ -0,0 +1,4 @@ +- name: restart_matter_server + ansible.builtin.shell: docker restart matter-server + + become: true \ No newline at end of file diff --git a/roles/matter-server/tasks/main.yml b/roles/matter-server/tasks/main.yml new file mode 100644 index 0000000..fe5fbc7 --- /dev/null +++ b/roles/matter-server/tasks/main.yml @@ -0,0 +1,10 @@ +- block: + - name: Reconfigure config + ansible.builtin.lineinfile: + path: /etc/sysctl.conf + regexp: "^Unet.ipv4.igmp_max_memberships.*" + line: "net.ipv4.igmp_max_memberships = 75" + - name: Restart agent + ansible.builtin.shell: echo 76 > /proc/sys/net/ipv4/igmp_max_memberships + notify: restart_matter_server + become: true diff --git a/roles/mqtt-srv/tasks/main.yml b/roles/mqtt-srv/tasks/main.yml new file mode 100644 index 0000000..0b0b66c --- /dev/null +++ b/roles/mqtt-srv/tasks/main.yml 
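Review bot: The nslcd tasks bind with `bindpw {{ ldap_admin_password }}` over a plain `ldap://192.168.77.101:2389/` URI (the `ssl start_tls` task is commented out), so the bind password crosses the network in clear text on every lookup, and because the lineinfile task has no `no_log: true` the rendered line can surface in verbose or diff output; `tls_reqcert allow` would also disable certificate checking once TLS is turned on, so `tls_reqcert demand` with a CA is the safer default. The fetchSSHKeysFromLDAP script interpolates sshd's `$1` (the requested login name) directly into the search filter; escape it per RFC 4515 (or reject values containing `( ) * \`) before it reaches ldapsearch. `AuthorizedKeysCommandUser root` is more privilege than an anonymous `-x` lookup needs; a dedicated unprivileged account is the usual choice.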
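Review bot: The regexp `"^Unet.ipv4.igmp_max_memberships.*"` in 'Reconfigure config' has a stray `U`, so it never matches an existing `net.ipv4.igmp_max_memberships` entry in /etc/sysctl.conf and lineinfile appends the line again on every run instead of replacing it; `regexp: "^net.ipv4.igmp_max_memberships.*"` is what is meant. The follow-up shell task writes 76 to /proc while the persisted line says 75, so the running and configured values disagree until the next reboot. A single `ansible.posix.sysctl` task with `name`, `value`, `sysctl_set: true` and `state: present` covers both and is idempotent.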
@@ -0,0 +1,116 @@ +- block: + - name: include vault + ansible.builtin.include_vars: + file: ../jaydee.yml + - name: Delete content & directory + ansible.builtin.file: + state: absent + path: "{{ dest_folder }}" + - name: GIT pull + tags: + - git_pull + git: + repo: "https://{{ git_user | urlencode }}:{{ git_password_mqtt | urlencode }}@gitlab.sectorq.eu/jaydee/mqtt_srv.git" + dest: "{{ dest_folder }}" + update: yes + clone: yes + version: main + - debug: + msg: "{{ inventory_hostname }}" + + - name: Upload service config + ansible.builtin.copy: + src: "{{ dest_folder }}/mqtt_srv.service" + dest: /etc/systemd/system/mqtt_srv.service + remote_src: true + when: inventory_hostname != 'nas.home.lan' + + - name: Upload service script + ansible.builtin.copy: + src: "{{ dest_folder }}/mqtt_srv.py" + dest: /usr/bin/mqtt_srv.py + mode: '755' + owner: root + remote_src: true + when: inventory_hostname != 'nas.home.lan' + + - name: Upload service script config + ansible.builtin.copy: + src: "{{ dest_folder }}/mqtt_srv.cfg" + dest: /etc/mqtt_srv/mqtt_srv.cfg + mode: '755' + owner: root + remote_src: true + when: inventory_hostname != 'nas.home.lan' + + + # - name: Upload service script1 + # ansible.builtin.copy: + # src: scripts/mqtt_srv.sh + # dest: /jffs/scripts/mqtt_srv/ + # mode: '755' + # owner: admin + # when: inventory_hostname in groups['router'] + # become: false + + + # - name: Upload service script + # ansible.builtin.copy: + # src: scripts/mqtt_srv.py + # dest: /jffs/scripts/mqtt_srv/ + # mode: '755' + # owner: admin + # when: inventory_hostname in groups['router'] + # become: false + + - name: Upload service script1 + ansible.builtin.copy: + src: "{{ dest_folder }}/mqtt_srv.sh" + dest: /etc/init.d/ + mode: '755' + owner: admin + remote_src: true + when: inventory_hostname == 'nas.home.lan' + + - debug: + msg: "{{ dest_folder }}" + - name: Upload service script2 + ansible.builtin.copy: + src: "{{ dest_folder }}/mqtt_srv.py" + dest: /usr/bin/mqtt_srv.py + mode: '755' 
+ owner: admin + remote_src: true + when: inventory_hostname == 'nas.home.lan' + + - name: Install bottle python package + ansible.builtin.shell: pip install {{ item }} --break-system-packages + loop: + - paho-mqtt + - getmac + - ping3 + - psutil + - autorandr + when: inventory_hostname != 'nas.home.lan' + + - name: Just force systemd to reread configs (2.4 and above) + ansible.builtin.systemd: + daemon_reload: true + when: inventory_hostname != 'nas.home.lan' + + + + - name: Restart mqtt_srv service + ansible.builtin.service: + name: mqtt_srv.service + state: restarted + enabled: true + when: inventory_hostname != 'nas.home.lan' + + - name: Restart mqtt service + ansible.builtin.shell: "(/etc/init.d/mqtt_srv.sh restart >/dev/null 2>&1 &)" + async: 10 + poll: 0 + when: inventory_hostname == 'nas.home.lan' + + become: "{{ 'no' if inventory_hostname == 'nas.home.lan' else 'yes' }}" \ No newline at end of file diff --git a/roles/mqtt-srv/vars/main.yml b/roles/mqtt-srv/vars/main.yml new file mode 100644 index 0000000..1de1a77 --- /dev/null +++ b/roles/mqtt-srv/vars/main.yml @@ -0,0 +1 @@ +dest_folder: "/tmp/ans_repo" \ No newline at end of file diff --git a/roles/timeshift/tasks/main.yml b/roles/timeshift/tasks/main.yml new file mode 100644 index 0000000..fc1f513 --- /dev/null +++ b/roles/timeshift/tasks/main.yml @@ -0,0 +1,9 @@ +- name: Install timeshift packages + ansible.builtin.apt: + name: + - timeshift + update_cache: yes + become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" + ignore_errors: true + when: inventory_hostname != 'nas.home.lan' + diff --git a/roles/zabbix-agent/tasks/main.yml b/roles/zabbix-agent/tasks/main.yml new file mode 100644 index 0000000..4f5f161 --- /dev/null +++ b/roles/zabbix-agent/tasks/main.yml 
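Review bot: The `git` task embeds `{{ git_user }}:{{ git_password_mqtt }}` in the clone URL, so the credential is persisted in `{{ dest_folder }}/.git/config` under /tmp (the directory is deleted at the start of the block but never after the copies) and the URL can surface in task output on failure since there is no `no_log: true`. Prefer a read-only deploy key or a credential helper; at minimum add `no_log: true` to the git task and an `ansible.builtin.file` `state: absent` cleanup of `{{ dest_folder }}` at the end of the block. The copy to `/etc/mqtt_srv/mqtt_srv.cfg` uses `mode: '755'`, which makes a configuration file executable and world-readable; `mode: '0644'` (tighter if it holds secrets) is what a config needs. The `pip install ... --break-system-packages` loop is unpinned, so each run may pull different versions.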
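Review bot: The `become:` expression and the `when:` condition on 'Install timeshift packages' both key off nas.home.lan; because `when` already skips the task there, the conditional become can never evaluate to false and plain `become: true` reads more clearly. `update_cache: yes` should be `update_cache: true` to match the other roles and avoid the YAML 1.1 truthy form, and `ignore_errors: true` silently hides a failed install.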
@@ -0,0 +1,154 @@ +- block: + - name: Get config for not nas + ansible.builtin.set_fact: + zabbix_agent_cfg: "/etc/zabbix/zabbix_agent2.conf" + when: inventory_hostname != 'nas.home.lan' + + - name: Get config for nas + ansible.builtin.set_fact: + zabbix_agent_cfg: "/opt/ZabbixAgent/etc/zabbix_agentd.conf" + when: inventory_hostname == 'nas.home.lan' + + - name: Print all available facts + ansible.builtin.debug: + msg: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" + + - name: Print all available facts + ansible.builtin.debug: + var: ansible_facts.architecture + - name: Print all available facts + ansible.builtin.debug: + var: ansible_distribution + - name: Print all available facts + ansible.builtin.debug: + var: ansible_distribution_major_version + # - name: Upload zabbix package + # ansible.builtin.copy: + # src: packages/zabbix-release_6.4-1+ubuntu22.04_all.deb + # dest: /tmp/ + - name: Install a .deb package from the internet11 + ansible.builtin.apt: + deb: https://repo.zabbix.com/zabbix/6.4/ubuntu-arm64/pool/main/z/zabbix-release/zabbix-release_6.4-1+ubuntu22.04_all.deb + when: + - ansible_facts.architecture != "armv7l" and ( ansible_distribution == "Ubuntu" or ansible_distribution == "Linux Mint" ) + + - name: Install a .deb package from the internet2 + ansible.builtin.apt: + #deb: https://repo.zabbix.com/zabbix/6.4/raspbian/pool/main/z/zabbix-release/zabbix-release_6.4-1+debian11_all.deb + deb: https://repo.zabbix.com/zabbix/7.0/raspbian/pool/main/z/zabbix-release/zabbix-release_7.0-1+debian11_all.deb + retries: 5 + delay: 5 + when: + - ansible_facts.architecture == "armv7l" or ansible_facts.architecture == "aarch64" + + ignore_errors: true + + - name: Install a .deb package from the internet3 + ansible.builtin.apt: + deb: https://repo.zabbix.com/zabbix/6.4/debian/pool/main/z/zabbix-release/zabbix-release_6.4-1+debian11_all.deb + + when: + - ansible_facts.architecture != "armv7l" and ansible_distribution == "Debian" and 
ansible_distribution_major_version == "11" + + - name: Install a .deb package from the internet4 + ansible.builtin.apt: + #deb: https://repo.zabbix.com/zabbix/6.4/debian/pool/main/z/zabbix-release/zabbix-release_6.4-1+debian12_all.deb + deb: https://repo.zabbix.com/zabbix/7.0/debian/pool/main/z/zabbix-release/zabbix-release_7.0-1+debian12_all.deb + when: + - ansible_facts.architecture != "armv7l" and ansible_facts.architecture != "aarch64" and ansible_distribution == "Debian" and ansible_distribution_major_version == "12" + ignore_errors: true + + # - name: Install a .deb package localy + # ansible.builtin.apt: + # deb: /tmp/zabbix-release_6.4-1+ubuntu22.04_all.deb + - name: Install zabbix packages + ansible.builtin.apt: + name: + - zabbix-agent2 + - zabbix-agent2-plugin-mongodb + - zabbix-agent2-plugin-postgresql + # - zabbix-agent2-plugin-mysql + update_cache: yes + ignore_errors: true + when: inventory_hostname != 'nas.home.lan' + + - name: Reconfigure zabbix agent Server + ansible.builtin.lineinfile: + path: "{{ zabbix_agent_cfg }}" + regexp: "^Server=.*" + insertafter: '^# Server=' + line: "Server=192.168.77.0/24,192.168.80.0/28" + become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" + + - name: Reconfigure zabbix agent ServerActive + ansible.builtin.lineinfile: + path: "{{ zabbix_agent_cfg }}" + regexp: "^ServerActive=.*" + line: "ServerActive={{ ZABBIX_SERVER }}" + + - name: Reconfigure zabbix agent ListenPort + ansible.builtin.lineinfile: + path: "{{ zabbix_agent_cfg }}" + regexp: "^ListenPort=.*" + line: "ListenPort=10050" + # - name: Reconfigure zabbix agent ListenIP + # ansible.builtin.lineinfile: + # path: /"{{ zabbix_agent_cfg }}" + # regexp: "^ListenIP=.*" + # line: "ListenIP=0.0.0.0" + + - name: Reconfigure zabbix-agent2 hostname + ansible.builtin.lineinfile: + path: "{{ zabbix_agent_cfg }}" + regexp: "^Hostname=.*" + line: "Hostname={{ inventory_hostname }}" + + - name: Reconfigure zabbix-agent2 config + 
ansible.builtin.lineinfile: + path: "{{ zabbix_agent_cfg }}" + insertafter: '^# UserParameter=' + regexp: "^UserParameter=system.certs.*" + line: "UserParameter=system.certs,python3 /share/ZFS530_DATA/.qpkg/ZabbixAgent/cert_check2.py" + when: inventory_hostname == 'nas.home.lan' or inventory_hostname == 'm-server.home.lan' + + - name: Reconfigure zabbix-agent2 config + ansible.builtin.lineinfile: + path: "{{ zabbix_agent_cfg }}" + insertafter: '^# UserParameter=' + line: "UserParameter=rpi.hw.temp,/usr/bin/vcgencmd measure_temp" + when: inventory_hostname == 'rpi5.home.lan' + + - name: Reconfigure zabbix-agent2 hostname + ansible.builtin.lineinfile: + path: "{{ zabbix_agent_cfg }}" + regexp: "^HostMetadata=.*" + insertafter: '^# HostMetadata=' + line: "HostMetadata=linux;jaydee" + - name: Reconfigure zabbix-agent2 hostname + ansible.builtin.lineinfile: + path: "{{ zabbix_agent_cfg }}" + regexp: "^HostMetadata=.*" + insertafter: '^# HostMetadata=' + line: "HostMetadata=server;jaydee" + when: inventory_hostname == 'nas.home.lan' or inventory_hostname == 'm-server.home.lan' + + - name: Add the user 'to group video + ansible.builtin.user: + name: zabbix + groups: video + append: yes + when: inventory_hostname != 'nas.home.lan' + + - name: Restart zabbix-agent2 service + ansible.builtin.service: + name: zabbix-agent2.service + state: restarted + enabled: true + when: inventory_hostname != 'nas.home.lan' + + - name: Restart agent + ansible.builtin.shell: /etc/init.d/ZabbixAgent.sh restart + when: inventory_hostname == 'nas.home.lan' + + + become: true \ No newline at end of file diff --git a/roles/zabbix-agent/vars/main.yml b/roles/zabbix-agent/vars/main.yml new file mode 100644 index 0000000..e95fa5e --- /dev/null +++ b/roles/zabbix-agent/vars/main.yml @@ -0,0 +1 @@ +ZABBIX_SERVER: "zabbix.home.lan" \ No newline at end of file
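Review bot: The `when` conditions on the zabbix-release installs overlap: an aarch64 Ubuntu host satisfies both 'internet11' (`architecture != "armv7l"` and Ubuntu/Mint) and 'internet2' (`armv7l or aarch64`), so it installs the 6.4 ubuntu-arm64 release package and then the 7.0 raspbian one, and `ignore_errors: true` hides whichever conflict results; adding `and ansible_facts.architecture != "aarch64"` to the first condition, as the Debian 12 task already does, makes them disjoint. The two HostMetadata tasks share `regexp: "^HostMetadata=.*"` but set different values, so on nas.home.lan and m-server.home.lan the line flips from `linux;jaydee` to `server;jaydee` on every run and both tasks report changed; give the first task a `when` that excludes those hosts. Several task names are copy-pasted ('Print all available facts' four times, 'Reconfigure zabbix-agent2 hostname' for HostMetadata), and `ZABBIX_SERVER` is the only upper-case variable name in the roles.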