Markus Lindenberg пре 9 година
родитељ
комит
c1a766d23f
32 измењених фајлова са 407 додато и 65 уклоњено
  1. 0 15
      databags/users/markus.json
  2. 0 16
      databags/users/till.json
  3. 113 0
      roles/common-auth/files/skel/.bashrc
  4. 22 0
      roles/common-auth/files/skel/.profile
  5. 0 1
      roles/common-auth/handlers/main.yml
  6. 21 0
      roles/common-auth/tasks/environment.yml
  7. 4 28
      roles/common-auth/tasks/main.yml
  8. 19 0
      roles/common-auth/tasks/ssh.yml
  9. 14 0
      roles/common-auth/tasks/sudo.yml
  10. 20 0
      roles/common-auth/tasks/users.yml
  11. 0 1
      roles/common-net/tasks/hostname.yml
  12. 4 0
      roles/common-net/tasks/interfaces.yml
  13. 5 0
      roles/common-net/tasks/main.yml
  14. 4 4
      roles/common-net/tasks/resolvconf.yml
  15. 31 0
      roles/common-net/templates/interfaces.j2
  16. 21 0
      roles/common-repos/tasks/main.yml
  17. 13 0
      roles/common-system/files/dhparam.pem
  18. 7 0
      roles/common-system/files/sysctl.conf
  19. 13 0
      roles/common-system/files/vimrc
  20. 24 0
      roles/common-system/handlers/journald.yml
  21. 4 0
      roles/common-system/handlers/main.yml
  22. 4 0
      roles/common-system/handlers/sysctl.yml
  23. 10 0
      roles/common-system/tasks/crypto.yml
  24. 8 0
      roles/common-system/tasks/journald.yml
  25. 7 0
      roles/common-system/tasks/main.yml
  26. 5 0
      roles/common-system/tasks/sysctl.yml
  27. 14 0
      roles/common-system/tasks/time.yml
  28. 19 0
      roles/common-system/tasks/tools.yml
  29. 0 0
      roles/mesh-routing/tasks/sysctl.yml
  30. 0 0
      roles/service-ra/tasks/radvd.yml
  31. 0 0
      roles/service-ra/templates/radvd.conf.j2
  32. 1 0
      site.yml

+ 0 - 15
databags/users/markus.json

@@ -1,15 +0,0 @@
-{
-  "id": "markus",
-  "action": "create",
-  "shell": "/bin/bash",
-  "comment": "Markus Lindenberg (markus@lindenberg.io)",
-  "system": false,
-  "groups": [
-    "sudo",
-    "adm",
-    "systemd-journal"
-  ],
-  "ssh_keys": [
-    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsMMgbJhBuuDtFf0PZeBu9EomVEv3d3StdALncEn4Ld5ydvBLJgABmZerg+Icnlfrv0vT00ydPDVUzCYZqEyrOZscWKeSht0Ov8m0YZ/i4goqITPRrCJz238nFKQcFQG7MoKXO1ffMel0U/bsxqzVJHJN0jkELWblgJrhfe48W/icL5+ksMYn3KqPaPIwDa0ZEN2B3ceDRVOVb7gktSlGxPyUdjyCtObBtWNIuSQlwyoh6gVoKaxGntQlJtf2vcQmnfkFFqU3io8tZrbA05bNeoyD+Q0haUGFFqzFKhT4HTPvhVBSoB8x1GB7+VRSqSZqeBnCQrNVL48hG1S4GaVD/ markus@lindenberg.io"
-  ]
-}

+ 0 - 16
databags/users/till.json


+ 113 - 0
roles/common-auth/files/skel/.bashrc

@@ -0,0 +1,113 @@
+# ~/.bashrc: executed by bash(1) for non-login shells.
+# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
+# for examples
+
+# If not running interactively, don't do anything
+case $- in
+    *i*) ;;
+      *) return;;
+esac
+
+# don't put duplicate lines or lines starting with space in the history.
+# See bash(1) for more options
+HISTCONTROL=ignoreboth
+
+# append to the history file, don't overwrite it
+shopt -s histappend
+
+# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
+HISTSIZE=1000
+HISTFILESIZE=2000
+
+# check the window size after each command and, if necessary,
+# update the values of LINES and COLUMNS.
+shopt -s checkwinsize
+
+# If set, the pattern "**" used in a pathname expansion context will
+# match all files and zero or more directories and subdirectories.
+#shopt -s globstar
+
+# make less more friendly for non-text input files, see lesspipe(1)
+[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
+
+# set variable identifying the chroot you work in (used in the prompt below)
+if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
+    debian_chroot=$(cat /etc/debian_chroot)
+fi
+
+# set a fancy prompt (non-color, unless we know we "want" color)
+case "$TERM" in
+    xterm-color) color_prompt=yes;;
+esac
+
+# uncomment for a colored prompt, if the terminal has the capability; turned
+# off by default to not distract the user: the focus in a terminal window
+# should be on the output of commands, not on the prompt
+force_color_prompt=yes
+
+if [ -n "$force_color_prompt" ]; then
+    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
+	# We have color support; assume it's compliant with Ecma-48
+	# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
+	# a case would tend to support setf rather than setaf.)
+	color_prompt=yes
+    else
+	color_prompt=
+    fi
+fi
+
+if [ "$color_prompt" = yes ]; then
+    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
+else
+    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
+fi
+unset color_prompt force_color_prompt
+
+# If this is an xterm set the title to user@host:dir
+case "$TERM" in
+xterm*|rxvt*)
+    PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
+    ;;
+*)
+    ;;
+esac
+
+# enable color support of ls and also add handy aliases
+if [ -x /usr/bin/dircolors ]; then
+    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
+    alias ls='ls --color=auto'
+    alias dir='dir --color=auto'
+    alias vdir='vdir --color=auto'
+
+    alias grep='grep --color=auto'
+    alias fgrep='fgrep --color=auto'
+    alias egrep='egrep --color=auto'
+fi
+
+# colored GCC warnings and errors
+export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'
+
+# some more ls aliases
+alias ll='ls -l'
+alias la='ls -A'
+alias l='ls -CF'
+
+# Alias definitions.
+# You may want to put all your additions into a separate file like
+# ~/.bash_aliases, instead of adding them here directly.
+# See /usr/share/doc/bash-doc/examples in the bash-doc package.
+
+if [ -f ~/.bash_aliases ]; then
+    . ~/.bash_aliases
+fi
+
+# enable programmable completion features (you don't need to enable
+# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
+# sources /etc/bash.bashrc).
+if ! shopt -oq posix; then
+  if [ -f /usr/share/bash-completion/bash_completion ]; then
+    . /usr/share/bash-completion/bash_completion
+  elif [ -f /etc/bash_completion ]; then
+    . /etc/bash_completion
+  fi
+fi

+ 22 - 0
roles/common-auth/files/skel/.profile

@@ -0,0 +1,22 @@
+# ~/.profile: executed by the command interpreter for login shells.
+# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
+# exists.
+# see /usr/share/doc/bash/examples/startup-files for examples.
+# the files are located in the bash-doc package.
+
+# the default umask is set in /etc/profile; for setting the umask
+# for ssh logins, install and configure the libpam-umask package.
+#umask 022
+
+# if running bash
+if [ -n "$BASH_VERSION" ]; then
+    # include .bashrc if it exists
+    if [ -f "$HOME/.bashrc" ]; then
+	. "$HOME/.bashrc"
+    fi
+fi
+
+# set PATH so it includes user's private bin if it exists
+if [ -d "$HOME/bin" ] ; then
+    PATH="$HOME/bin:$PATH"
+fi

+ 0 - 1
roles/common-auth/handlers/main.yml

@@ -1,5 +1,4 @@
 ---
-# handlers file for ffdo.authentication
 
 - name: reload ssh
   service: name=ssh state=reloaded

+ 21 - 0
roles/common-auth/tasks/environment.yml

@@ -0,0 +1,21 @@
+---
+- name: Ensure locales are generated
+  locale_gen: name={{ item }}
+  with_items:
+    - en_US.UTF-8
+    - de_DE.UTF-8
+    - en_US
+- name: Ensure default locale is set to en_US.UTF-8
+  copy: content='LANG="en_US.UTF-8"\n' dest=/etc/default/locale
+
+- name: Install custom bash skeleleton
+  copy: src=skel dest=/etc/
+
+- name: Ensure root bash config is unchanged
+  shell: "diff -q /etc/skel/{{ item }} /root/{{ item }} || cp /etc/skel/{{ item }} /root/{{ item }}"
+  register: shell_result
+  changed_when: "shell_result.stdout != '' and shell_result.rc == 0"
+  failed_when: "shell_result.rc != 0"
+  with_items:
+    - .bashrc
+    - .profile
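Review bot: The `changed_when` on the "Ensure root bash config is unchanged" task misreports the case where `/root/{{ item }}` does not exist yet: `diff -q` then writes only to stderr and exits 2, `cp` runs and exits 0, so stdout is empty and the task reports ok although it just wrote the file. The shell pipeline is the `copy` module's job; `copy: src=skel/{{ item }} dest=/root/{{ item }}` with the same `with_items` is idempotent, reports changes correctly and needs no `register`/`changed_when`/`failed_when`. The task name also describes the opposite of what the task does (it overwrites root's dotfiles with the skeleton), and `skeleleton` in the install task's name is a typo.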

+ 4 - 28
roles/common-auth/tasks/main.yml

@@ -1,30 +1,6 @@
 ---
-# tasks file for ffdo.authentication
 
-- name: Ensure sudo is installed
-  apt: name=sudo state=present update_cache=yes cache_valid_time=3600
-
-- name: Disable password based sudo for users in group sudo and enable password less sudo
-  lineinfile:
-    dest: "/etc/sudoers"
-    regexp: '^%sudo'
-    line: "%sudo ALL=(ALL) NOPASSWD: ALL"
-    validate: 'visudo -cf %s'
-
-- name: Update SSH configuration
-  replace: >
-    dest=/etc/ssh/sshd_config
-    regexp="^([\#\s]*)?{{item.key}}\s+([\w_-]+)"
-    replace="{{item.key}} {{item.value}}"
-    backup=yes
-  with_items:
-  - key: PermitRootLogin
-    value: without-password
-  - key: PasswordAuthentication
-    value: 'no'
-  - key: ChallengeResponseAuthentication
-    value: 'no'
-  - key: PrintLastLog
-    value: 'no'
-  notify:
-  - reload ssh
+- include: environment.yml
+- include: sudo.yml
+- include: users.yml
+- include: ssh.yml
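Review bot: The order of the new includes carries a dependency that nothing states: `users.yml` must run before `ssh.yml`, because `ssh.yml` turns `PasswordAuthentication` off and a host whose admin keys were never deployed would otherwise be left with no login path once sshd is reloaded. A one-line comment above the includes, `# order matters: keys from users.yml must exist before ssh.yml disables password login`, keeps a future reorder from locking operators out.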

+ 19 - 0
roles/common-auth/tasks/ssh.yml

@@ -0,0 +1,19 @@
+---
+
+- name: Update SSH configuration
+  replace: >
+    dest=/etc/ssh/sshd_config
+    regexp="^([\#\s]*)?{{item.key}}\s+([\w_-]+)"
+    replace="{{item.key}} {{item.value}}"
+    backup=yes
+  with_items:
+  - key: PermitRootLogin
+    value: 'without-password'
+  - key: PasswordAuthentication
+    value: 'no'
+  - key: ChallengeResponseAuthentication
+    value: 'no'
+  - key: PrintLastLog
+    value: 'no'
+  notify:
+  - reload ssh
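Review bot: The `replace` task only edits directive lines that already exist, so on an image whose `sshd_config` lacks one of the four directives (commented or not) nothing is written and the task still reports ok — the host keeps, for example, password login enabled while the play claims it is hardened. `lineinfile` with a `regexp` and `line` adds the directive when it is missing, and `validate: 'sshd -t -f %s'` rejects a broken file before it replaces the live one; `insertbefore: '^Match '` keeps an appended directive out of a trailing `Match` block, where it would only apply conditionally. The regexp on the old task, `^([\#\s]*)?...`, is also more permissive than needed — `^[#\s]*{{ item.key }}\s` matches the same commented and active lines.
```yaml
- name: Update SSH configuration
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^[#\s]*{{ item.key }}\s'
    line: '{{ item.key }} {{ item.value }}'
    insertbefore: '^Match '
    backup: yes
    validate: 'sshd -t -f %s'
  # … unchanged: with_items list of key/value pairs and notify …
```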

+ 14 - 0
roles/common-auth/tasks/sudo.yml

@@ -0,0 +1,14 @@
+---
+
+- name: Ensure sudo is installed
+  apt: name={{ item }} install_recommends=no
+  with_items:
+    - sudo
+    - libnss-myhostname
+
+- name: Disable password based sudo for users in group sudo and enable password less sudo
+  lineinfile:
+    dest: "/etc/sudoers"
+    regexp: '^%sudo'
+    line: "%sudo ALL=(ALL:ALL) NOPASSWD: ALL"
+    validate: 'visudo -cf %s'
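Review bot: The task named `Ensure sudo is installed` also installs `libnss-myhostname`, which is unrelated to sudo and whose purpose is not recorded (presumably resolving the host's own name without an `/etc/hosts` entry, so sudo does not warn — confirm); rename or split the task, and add a comment such as `# libnss-myhostname: resolve own hostname without /etc/hosts` stating the reason. The `NOPASSWD` rule is carried over from the old `main.yml`; since `ssh.yml` makes the SSH key the only factor for login, a short comment recording that this trade-off is deliberate would spare the next reviewer the same question.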

+ 20 - 0
roles/common-auth/tasks/users.yml

@@ -0,0 +1,20 @@
+---
+
+- name: Ensure admin users exist
+  user:
+    name: "{{ item.name }}"
+    uid: "{{ item.uid }}"
+    groups: adm,sudo,systemd-journal
+    shell: /bin/bash
+  with_items: users
+- name: Ensure users ssh keys exist
+  authorized_key:
+    user: "{{ item.name }}"
+    key: "{{ item.authorized | default([]) | join('\n') }}"
+  with_items: users
+- name: Ensure deprecated ssh keys are removed
+  authorized_key:
+    state: absent
+    user: "{{ item.name }}"
+    key: "{{ item.invalid | default([]) | join('\n') }}"
+  with_items: users
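Review bot: `groups: adm,sudo,systemd-journal` on the `user` task has no `append: yes`, so any supplementary group a listed admin was added to by hand or by another role is silently removed on every run; add `append: yes` if that is not intended, or a comment stating that membership is deliberately exclusive. Nothing in this file removes an account that is dropped from `users` (the markus and till data bags are deleted in this commit, presumably in favour of that variable, which is not visible here), so offboarding a user leaves the account and its keys active — a `state: absent` pass over a removed-users list, or `exclusive: yes` on the `authorized_key` task where the Ansible version supports it, would close that gap. `with_items: users` as a bare variable name is deprecated in later Ansible releases; `with_items: "{{ users }}"` is the portable form.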

+ 0 - 1
roles/common-net/tasks/hostname.yml

@@ -1,5 +1,4 @@
 ---
-# tasks file for ffdo.hostname
 
 - name: Ensure hostname is set
   hostname: name={{ inventory_hostname_short }}

+ 4 - 0
roles/common-net/tasks/interfaces.yml

@@ -0,0 +1,4 @@
+---
+
+- name: Ensure public interface is configured
+  template: src=interfaces.j2 dest=/etc/network/interfaces backup=yes
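Review bot: The template task notifies no handler, so a changed `/etc/network/interfaces` is only applied at the next reboot or a manual `ifdown`/`ifup`; not restarting networking from an SSH-driven play is a sensible choice, but it should be stated, e.g. `# no handler on purpose: re-applying the interfaces file would drop the SSH session; takes effect on reboot`. Without that comment a later maintainer is likely to add a "restart networking" handler and lock themselves out.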

+ 5 - 0
roles/common-net/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+
+- include: hostname.yml
+- include: resolvconf.yml
+- include: interfaces.yml

+ 4 - 4
roles/common-net/tasks/resolvconf.yml

@@ -1,9 +1,9 @@
 ---
-# tasks file for ffdo.resolvconf
 
 - name: Ensure package resolvconf is absent
   apt: name=resolvconf state=absent purge=yes 
 
-- name: Install custom resolv.conf
-  template: src=resolv.conf.j2 dest=/etc/resolv.conf
-
+- name: Ensure nameservers are set in resolv.conf
+  copy:
+    dest: /etc/resolv.conf
+    content: "{% for ip in network.nameservers %}nameserver {{ ip }}\n{% endfor %}"
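Review bot: The `content` expression writes an empty `/etc/resolv.conf` when `network.nameservers` is an empty list, leaving the host without name resolution, and the play only fails loudly when the key is entirely undefined; guard the task with an explicit check such as `- assert: { that: "network.nameservers | length > 0" }` placed before it, so a bad host_vars entry fails in the play rather than on the host. `backup: yes` is used on the interfaces template but not here; adding it keeps the previous resolver list recoverable.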

+ 31 - 0
roles/common-net/templates/interfaces.j2

@@ -0,0 +1,31 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The primary network interface
+allow-hotplug eth0
+iface eth0 inet static
+	address {{ primary_v4_address }}
+	netmask {{ primary_v4_netmask }}
+{% if primary_v4_network is defined %}
+	network {{ primary_v4_network }}
+{% endif %}
+{% if primary_v4_broadcast is defined %}
+	broadcast {{ primary_v4_broadcast }}
+{% endif %}
+	gateway {{ primary_v4_gateway }}
+{% if pointopoint is defined and pointopoint %}
+	pointopoint {{ primary_v4_gateway }}
+{% endif %}
+
+iface eth0 inet6 static
+	address {{ primary_v6_address }}
+	gateway {{ primary_v6_gateway }}
+{% if pointopoint is defined and pointopoint %}
+    pre-up ip -6 route add {{ primary_v6_gateway }} dev eth0
+{% endif %}
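Review bot: `pre-up ip -6 route add {{ primary_v6_gateway }} dev eth0` in the point-to-point branch is not idempotent: if the route already exists (a second `ifup`, or a route learned another way) `ip route add` fails with "File exists" and ifup refuses to bring the interface up, so `ip -6 route replace {{ primary_v6_gateway }} dev eth0` is the safer form. That line is also indented with four spaces while every other stanza line uses a tab; `interfaces(5)` does not care, but the mismatch suggests it was pasted separately. The IPv4 stanza emits `network`/`broadcast` only when defined whereas `primary_v4_gateway` and the `primary_v6_*` variables are unconditional; a header comment listing which variables are required and which are optional would help whoever writes host_vars.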

+ 21 - 0
roles/common-repos/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+
+- name: Ensure deb-src ist disabled in sources.list
+  replace: dest=/etc/apt/sources.list regexp='^(deb-src .*)$' replace='#\1' backup=yes
+
+- name: Ensure Debian backports repository is installed
+  apt_repository: repo='deb http://ftp.de.debian.org/debian {{ ansible_lsb.codename|lower }}-backports main'
+
+# - name: Ensure FFDO repository key is installed
+#   apt_key:
+#     id: B257AE19
+#     data: "{{ lookup('file', 'markus.gpg') }}"
+
+# - name: ensure FFDO APT repository is installed
+#   apt_repository: repo='deb {{ ffdo_repo }} {{ ansible_lsb.codename|lower }} main'
+
+- name: Update APT cache
+  apt: update_cache=yes cache_valid_time=3600
+
+# - name: ensure all packages are up to date
+#   apt: upgrade=dist install_recommends=no dpkg_options='force-confold,force-confdef'
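Review bot: The commented-out `apt_key` task keeps `id: B257AE19`, a 32-bit short key ID; short IDs are cheap to collide, so when this block is re-enabled it should carry the key's full 40-character fingerprint (check that the installed Ansible version matches on the full fingerprint) so the imported key is actually pinned. `apt-transport-https` is installed by `common-system/tasks/crypto.yml`, yet the backports source on the `apt_repository` line is plain `http://`; apt's signature check protects integrity, but if the mirror offers HTTPS it is worth using. `ist` in the first task name is a German leftover for `is`.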

+ 13 - 0
roles/common-system/files/dhparam.pem

@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----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=
+-----END DH PARAMETERS-----

+ 7 - 0
roles/common-system/files/sysctl.conf

@@ -0,0 +1,7 @@
+# Reboot 1 second after kernel panic, oops or BUG (usually in batman-adv.ko)
+kernel.panic = 1
+kernel.panic_on_oops = 1
+
+# throw kernel panic on softlockup
+kernel.softlockup_panic=1
+

+ 13 - 0
roles/common-system/files/vimrc

@@ -0,0 +1,13 @@
+syntax on
+set background=dark
+if has("autocmd")
+  filetype plugin indent on
+endif
+
+set showcmd		" Show (partial) command in status line.
+set showmatch		" Show matching brackets.
+set ignorecase		" Do case insensitive matching
+set incsearch		" Incremental search
+set autowrite		" Automatically save before commands like :next and :make
+set hidden		" Hide buffers when they are abandoned
+

+ 24 - 0
roles/common-system/handlers/journald.yml

@@ -0,0 +1,24 @@
+---
+
+- name: restart journald
+  service: name=systemd-journald state=restarted
+
+- name: remove syslog files
+  file: path=/var/log/{{ item }} state=absent
+  with_items:
+    - auth.log
+    - syslog
+    - cron.log
+    - daemon.log
+    - kern.log
+    - lpr.log
+    - mail.log
+    - user.log
+    - mail.info
+    - mail.warn
+    - mail.err
+    - news.crit
+    - news.err
+    - news.notice
+    - debug
+    - messages
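Review bot: The `remove syslog files` handler deletes the live `auth.log`, `syslog`, `kern.log` and the rest the moment rsyslog is purged, discarding whatever audit history the host had before this role ran; on a machine that has been in service, that history is exactly what an incident review needs. Compress or move those files aside (or simply leave them for logrotate to age out) instead of `state=absent`, and record the decision in a comment above the handler. The list is also incomplete as a cleanup: rotated files such as `auth.log.1` and `*.gz` are untouched, so the handler neither preserves history nor fully removes it.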

+ 4 - 0
roles/common-system/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+
+- include: sysctl.yml
+- include: journald.yml

+ 4 - 0
roles/common-system/handlers/sysctl.yml

@@ -0,0 +1,4 @@
+---
+
+- name: Load sysctl variables
+  shell: sysctl -p /etc/sysctl.d/system.conf || true
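Review bot: `sysctl -p /etc/sysctl.d/system.conf || true` hides every failure of the reload, so a typo in the sysctl file or a key the running kernel lacks goes unnoticed while Ansible reports the handler as successful; drop `|| true` so the play fails visibly, or keep the handler non-fatal with `ignore_errors: yes`, which at least prints the error. A short comment naming the task in `common-system/tasks/sysctl.yml` that triggers this handler would also help, since the handler file stands on its own.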

+ 10 - 0
roles/common-system/tasks/crypto.yml

@@ -0,0 +1,10 @@
+---
+- name: ensure ca-certificates and ssl-cert is installed
+  apt: name={{ item }} install_recommends=no
+  with_items:
+    - ca-certificates
+    - ssl-cert
+    - apt-transport-https
+
+- name: ensure custom dhparam is installed
+  copy: src=dhparam.pem dest=/etc/ssl/private/dhparam.pem
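Review bot: The dhparam copy on the last line records neither the size of the group in `dhparam.pem` nor how it was generated, and since the file is committed as an opaque blob a reviewer cannot tell whether it is still adequate; add a comment above the task such as `# dhparam.pem: <N>-bit group generated once with openssl dhparam; DH params are public, so sharing them across hosts is fine`, with the real size filled in. On Debian the `ssl-cert` package keeps `/etc/ssl/private` as root:ssl-cert 0710, so a service that drops privileges before reading the file and is not in `ssl-cert` cannot open it; `/etc/ssl/certs/` or an explicit `mode=` would avoid depending on that. The first task's name mentions two packages but the list installs three, including `apt-transport-https`.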

+ 8 - 0
roles/common-system/tasks/journald.yml

@@ -0,0 +1,8 @@
+---
+- name: ensure journal directory exists
+  file: path=/var/log/journal state=directory group=systemd-journal mode=2755
+  notify: restart journald
+
+- name: ensure rsyslog is not installed
+  apt: name=rsyslog state=absent purge=yes
+  notify: remove syslog files
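Review bot: Creating `/var/log/journal` switches journald to persistent storage, but the hunk sets no retention limit, so on hosts with small root filesystems the journal grows until journald's built-in percentage cap is reached; a drop-in under `/etc/systemd/journald.conf.d/` (or an edit to `journald.conf` where drop-ins are not supported) with `SystemMaxUse=` would make that bound explicit. Purging `rsyslog` also ends any syslog forwarding the host did; if logs are meant to be shipped off-host, journald needs its own forwarding configured, and that is not part of this commit.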

+ 7 - 0
roles/common-system/tasks/main.yml

@@ -0,0 +1,7 @@
+---
+
+- include: sysctl.yml
+- include: crypto.yml
+- include: time.yml
+- include: journald.yml
+- include: tools.yml

+ 5 - 0
roles/common-system/tasks/sysctl.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Install router specific sysctl config
+  template: src=sysctl.conf.j2 dest=/etc/sysctl.d/system.conf
+  notify: Load sysctl variables
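Review bot: `template: src=sysctl.conf.j2` will fail with a missing-source error unless `roles/common-system/templates/sysctl.conf.j2` already exists outside this commit: what the commit adds is `roles/common-system/files/sysctl.conf`, a static file under `files/`, which nothing references. Either switch this task to `copy: src=sysctl.conf dest=/etc/sysctl.d/system.conf` or add the template. The task name `Install router specific sysctl config` no longer fits a role called `common-system`, and `files/sysctl.conf` mixes `kernel.panic = 1` with `kernel.softlockup_panic=1` spacing.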

+ 14 - 0
roles/common-system/tasks/time.yml

@@ -0,0 +1,14 @@
+---
+# libpam-systemd and dbus (dependency) are needed for timedatectl to work
+- name: ensure libpam-systemd is installed
+  apt: name=libpam-systemd install_recommends=no
+
+- name: ensure timezone is set to CET
+  command: timedatectl set-timezone CET
+  when: ansible_date_time.tz != "CET"
+
+- name: ensure NTP is enabled
+  shell: "timedatectl | grep 'NTP enabled: yes' || timedatectl set-ntp 1"
+  register: ntp_shell_result
+  changed_when: "ntp_shell_result.stdout == '' and ntp_shell_result.rc == 0"
+  failed_when: "ntp_shell_result.rc != 0"
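Review bot: `when: ansible_date_time.tz != "CET"` on the timezone task compares against the abbreviation of the current offset, which is `CEST` during daylight-saving time, so for half the year the task runs `timedatectl set-timezone CET` on every play and reports changed. Compare `when: ansible_date_time.tz not in ["CET", "CEST"]`, or register the output of `cat /etc/timezone` on the host and test that instead. The NTP task greps for the literal `NTP enabled: yes`; that label has changed across systemd releases, so on a host with a different wording the grep never matches and `set-ntp 1` runs on every play — checking the state of the `systemd-timesyncd` service, or `timedatectl show -p NTP` where available, is a more stable test.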

+ 19 - 0
roles/common-system/tasks/tools.yml

@@ -0,0 +1,19 @@
+---
+- name: Ensure some useful packages are installed
+  apt: name={{ item }} install_recommends=no
+  with_items:
+    - bash-completion
+    - vim
+    - htop
+    - mtr-tiny
+    - bind9-host
+    - curl
+    - tmux
+    - psmisc
+    - ngrep
+    - aptitude
+
+- name: Ensure vim is default editor
+  alternatives: name=editor path=/usr/bin/vim.basic
+- name: Set defaults for vim
+  copy: src=vimrc dest=/etc/vim/vimrc.local

roles/common-net/tasks/sysctl.yml → roles/mesh-routing/tasks/sysctl.yml


roles/mesh-routing/tasks/radvd.yml → roles/service-ra/tasks/radvd.yml


roles/mesh-routing/templates/radvd.conf.j2 → roles/service-ra/templates/radvd.conf.j2


+ 1 - 0
site.yml

@@ -19,6 +19,7 @@
 
 - hosts: mapservers
   roles:
+    - service-nginx
     - service-map
     - service-wiki
     - service-gitolite