From d3e7a0830565895a3ff7f3d13c08a88ace94a250 Mon Sep 17 00:00:00 2001 From: Caleb Fultz Date: Sun, 14 Jul 2024 00:45:38 -0400 Subject: [PATCH] working with jinga on sshd_config --- 11-jinga-templates/ansible.cfg | 5 + 11-jinga-templates/host_vars/10.0.0.11.yml | 7 ++ 11-jinga-templates/host_vars/10.0.0.5.yml | 7 ++ 11-jinga-templates/host_vars/10.0.0.7.yml | 7 ++ 11-jinga-templates/host_vars/10.0.0.8.yml | 7 ++ 11-jinga-templates/inventory | 8 ++ .../roles/base/handlers/main.yml | 4 + 11-jinga-templates/roles/base/tasks/main.yml | 42 +++++++ .../base/templates/sshd_config_debian.j2 | 117 ++++++++++++++++++ .../roles/base/templates/sshd_config_el.j2 | 117 ++++++++++++++++++ .../roles/db_servers/tasks/main.yml | 5 + .../roles/web_servers/files/default_site.html | 11 ++ .../roles/web_servers/handlers/main.yml | 4 + .../roles/web_servers/tasks/main.yml | 17 +++ 11-jinga-templates/site.yml | 35 ++++++ 15 files changed, 393 insertions(+) create mode 100644 11-jinga-templates/ansible.cfg create mode 100644 11-jinga-templates/host_vars/10.0.0.11.yml create mode 100644 11-jinga-templates/host_vars/10.0.0.5.yml create mode 100644 11-jinga-templates/host_vars/10.0.0.7.yml create mode 100644 11-jinga-templates/host_vars/10.0.0.8.yml create mode 100644 11-jinga-templates/inventory create mode 100644 11-jinga-templates/roles/base/handlers/main.yml create mode 100644 11-jinga-templates/roles/base/tasks/main.yml create mode 100644 11-jinga-templates/roles/base/templates/sshd_config_debian.j2 create mode 100644 11-jinga-templates/roles/base/templates/sshd_config_el.j2 create mode 100644 11-jinga-templates/roles/db_servers/tasks/main.yml create mode 100644 11-jinga-templates/roles/web_servers/files/default_site.html create mode 100644 11-jinga-templates/roles/web_servers/handlers/main.yml create mode 100644 11-jinga-templates/roles/web_servers/tasks/main.yml create mode 100644 11-jinga-templates/site.yml 
diff --git a/11-jinga-templates/ansible.cfg b/11-jinga-templates/ansible.cfg
new file mode 100644
index 0000000..0056832
--- /dev/null
+++ b/11-jinga-templates/ansible.cfg
@@ -0,0 +1,5 @@
+[defaults]
+inventory = inventory
+private_key_file = ~/.ssh/hetzner
+
+
diff --git a/11-jinga-templates/host_vars/10.0.0.11.yml b/11-jinga-templates/host_vars/10.0.0.11.yml
new file mode 100644
index 0000000..485e9c9
--- /dev/null
+++ b/11-jinga-templates/host_vars/10.0.0.11.yml
@@ -0,0 +1,7 @@
+webserver_package: httpd
+webserver_service: httpd
+php_package: php
+database_package: mariadb
+database_service: mariadb
+passwd_auth: "no"
+ssh_template_file: sshd_config_el.j2
diff --git a/11-jinga-templates/host_vars/10.0.0.5.yml b/11-jinga-templates/host_vars/10.0.0.5.yml
new file mode 100644
index 0000000..2b539ee
--- /dev/null
+++ b/11-jinga-templates/host_vars/10.0.0.5.yml
@@ -0,0 +1,7 @@
+webserver_package: httpd
+webserver_service: httpd
+php_package: php
+database_package: mariadb
+database_service: mariadb
+passwd_auth: "no"
+ssh_template_file: sshd_config_el.j2
\ No newline at end of file
diff --git a/11-jinga-templates/host_vars/10.0.0.7.yml b/11-jinga-templates/host_vars/10.0.0.7.yml
new file mode 100644
index 0000000..203473c
--- /dev/null
+++ b/11-jinga-templates/host_vars/10.0.0.7.yml
@@ -0,0 +1,7 @@
+webserver_package: apache2
+webserver_service: apache2
+php_package: libapache2-mod-php
+database_package: mariadb-server
+database_service: mariadb-server
+passwd_auth: "no"
+ssh_template_file: sshd_config_debian.j2
\ No newline at end of file
diff --git a/11-jinga-templates/host_vars/10.0.0.8.yml b/11-jinga-templates/host_vars/10.0.0.8.yml
new file mode 100644
index 0000000..203473c
--- /dev/null
+++ b/11-jinga-templates/host_vars/10.0.0.8.yml
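Review bot: `database_service: mariadb-server` in the 10.0.0.7 host_vars reuses the package name as the service name, but on Debian/Ubuntu the systemd unit installed by `mariadb-server` is `mariadb`, so any future `service` task that consumes this variable will fail on that host; set `database_service: mariadb`. Nothing in this commit reads `database_service` yet, so the defect is latent rather than live. The four host_vars files are otherwise identical per OS family (10.0.0.7 and 10.0.0.8 even share blob `203473c`); `group_vars` keyed on a Debian/EL group or on `ansible_os_family` would remove the copy-paste and make drift like this harder to introduce.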
@@ -0,0 +1,7 @@
+webserver_package: apache2
+webserver_service: apache2
+php_package: libapache2-mod-php
+database_package: mariadb-server
+database_service: mariadb-server
+passwd_auth: "no"
+ssh_template_file: sshd_config_debian.j2
\ No newline at end of file
diff --git a/11-jinga-templates/inventory b/11-jinga-templates/inventory
new file mode 100644
index 0000000..7b19a43
--- /dev/null
+++ b/11-jinga-templates/inventory
@@ -0,0 +1,8 @@
+[web_servers]
+10.0.0.7
+10.0.0.8
+
+
+[db_servers]
+10.0.0.5
+10.0.0.11
diff --git a/11-jinga-templates/roles/base/handlers/main.yml b/11-jinga-templates/roles/base/handlers/main.yml
new file mode 100644
index 0000000..650dd9e
--- /dev/null
+++ b/11-jinga-templates/roles/base/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart_sshd
+ service:
+ name: sshd
+ state: restarted
\ No newline at end of file
diff --git a/11-jinga-templates/roles/base/tasks/main.yml b/11-jinga-templates/roles/base/tasks/main.yml
new file mode 100644
index 0000000..fc4516c
--- /dev/null
+++ b/11-jinga-templates/roles/base/tasks/main.yml
@@ -0,0 +1,42 @@
+- name: Install common packages
+ package:
+ name:
+ - htop
+ - neofetch
+
+- name: Add lfultz account
+ tags: lfultz
+ user:
+ name: lfultz
+ comment: Logan Fultz
+ uid: 1040
+ groups: root
+ append: yes
+ shell: /bin/bash
+ generate_ssh_key: yes
+ ssh_key_bits: 2048
+ ssh_key_file: .ssh/id_rsa
+
+- name: Add lfultz group
+ tags: group
+ group:
+ name: lfultz
+ state: present
+ gid: 1040
+
+- name: Add cfultz ssh key
+ tags: ssh_keys
+ authorized_key:
+ user: cfultz
+ state: present
+ key: "{{ lookup('url', 'https://git.cfultz.wtf/cfultz.keys', split_lines=False) }}"
+
+- name: Update sshd_config for key auth only
+ tags: key_auth
+ template:
+ src: "{{ ssh_template_file }}"
+ dest: /etc/ssh/sshd_config
+ owner: root
+ group: root
+ mode: 0644
+ notify: restart_sshd
\ No newline at end of file
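Review bot: `groups: root` in the "Add lfultz account" task makes the new user a member of the root group, which grants read access to every root-group-readable file on the host (on Debian-based systems `/etc/sudoers` is typically root:root 0440, for example) and is not something a key-only hardening role should hand out; drop the line, or use the dedicated `lfultz` group created two tasks later and order that `group` task before the `user` task so `user` does not create its own group first. The "Update sshd_config for key auth only" task overwrites `/etc/ssh/sshd_config` and notifies `restart_sshd` without checking the rendered file, so a template mistake locks every host out of SSH at the restart; add `validate: /usr/sbin/sshd -t -f %s` to the `template` task. The `authorized_key` task installs whatever `https://git.cfultz.wtf/cfultz.keys` returns at run time, so control of that endpoint (or of its DNS or TLS path) yields SSH access to every managed host; vendoring the public keys into the role's `files/` directory removes that dependency. `generate_ssh_key` with `ssh_key_bits: 2048` also creates an RSA private key on every host for a user that has no authorized key yet; if a key is needed at all, `ssh_key_type: ed25519` is the better default.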
diff --git a/11-jinga-templates/roles/base/templates/sshd_config_debian.j2 b/11-jinga-templates/roles/base/templates/sshd_config_debian.j2
new file mode 100644
index 0000000..e5fabc5
--- /dev/null
+++ b/11-jinga-templates/roles/base/templates/sshd_config_debian.j2
@@ -0,0 +1,117 @@
+# Include drop-in configurations
+Include /etc/ssh/sshd_config.d/*.conf
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication {{ passwd_auth }}
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#KbdInteractiveAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+#UsePAM no
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/ssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
diff --git a/11-jinga-templates/roles/base/templates/sshd_config_el.j2 b/11-jinga-templates/roles/base/templates/sshd_config_el.j2
new file mode 100644
index 0000000..e5fabc5
--- /dev/null
+++ b/11-jinga-templates/roles/base/templates/sshd_config_el.j2
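Review bot: `Include /etc/ssh/sshd_config.d/*.conf` is the first directive in the file, and sshd keeps the first value it sees for each keyword, so any drop-in that sets `PasswordAuthentication yes` (Ubuntu cloud images typically ship `50-cloud-init.conf` doing exactly that) silently overrides the `PasswordAuthentication {{ passwd_auth }}` line this template exists to enforce. Move the authentication settings above the `Include`, or have the role remove or manage the drop-in directory too, and add `KbdInteractiveAuthentication no` next to the password line so PAM keyboard-interactive cannot stand in for password auth when a drop-in turns on `UsePAM yes`. `Subsystem sftp /usr/lib/ssh/sftp-server` is not the Debian path (Debian installs `/usr/lib/openssh/sftp-server`), so sftp will fail on 10.0.0.7 and 10.0.0.8 once this config lands; the `PATH=/usr/local/sbin:...` comment suggests the file was copied from another distribution's default rather than from a Debian host.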
@@ -0,0 +1,117 @@
+# Include drop-in configurations
+Include /etc/ssh/sshd_config.d/*.conf
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication {{ passwd_auth }}
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#KbdInteractiveAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+#UsePAM no
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/ssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
diff --git a/11-jinga-templates/roles/db_servers/tasks/main.yml b/11-jinga-templates/roles/db_servers/tasks/main.yml
new file mode 100644
index 0000000..384d2d5
--- /dev/null
+++ b/11-jinga-templates/roles/db_servers/tasks/main.yml
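Review bot: This file is byte-identical to `sshd_config_debian.j2` (both hunks carry blob `e5fabc5`), so the "el" template contains nothing EL-specific and the per-host `ssh_template_file` switch buys nothing yet. Concretely, `Subsystem sftp /usr/lib/ssh/sftp-server` is wrong for Enterprise Linux, where the binary lives at `/usr/libexec/openssh/sftp-server`, so sftp will break on 10.0.0.5 and 10.0.0.11. EL 9 also typically ships `/etc/ssh/sshd_config.d/50-redhat.conf`, which the leading `Include` pulls in and which wins for every keyword it sets because sshd keeps the first value it sees, so add `KbdInteractiveAuthentication no` next to `PasswordAuthentication {{ passwd_auth }}` and place both above the `Include` if they are meant to be authoritative. If the two templates are intended to stay this close, one template with `{% if ansible_os_family == 'RedHat' %}` around the sftp path is less to keep in sync.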
@@ -0,0 +1,5 @@
+---
+- name: install mariadb package on db servers
+ package:
+ name: "{{ database_package }}"
+ state: latest
\ No newline at end of file
diff --git a/11-jinga-templates/roles/web_servers/files/default_site.html b/11-jinga-templates/roles/web_servers/files/default_site.html
new file mode 100644
index 0000000..7f9c1a7
--- /dev/null
+++ b/11-jinga-templates/roles/web_servers/files/default_site.html
@@ -0,0 +1,11 @@ + + + + Ansible Course + + + +
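Review bot: `state: latest` in "install mariadb package on db servers" upgrades MariaDB on every run, so a routine playbook run can pull a new major version onto a database host with no change review; `state: present` (or a version pinned in `database_package`) keeps the task idempotent and leaves upgrades to a deliberate step. `database_service` is defined in every host_vars file but nothing here starts or enables it, so as far as this role goes the package is installed without any guarantee the service is running (EL does not auto-start services on install); a `service: name: "{{ database_service }}" state: started enabled: true` task would close that gap.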

Good evening, Caleb!

+
+
+
diff --git a/11-jinga-templates/roles/web_servers/handlers/main.yml b/11-jinga-templates/roles/web_servers/handlers/main.yml
new file mode 100644
index 0000000..de64c4a
--- /dev/null
+++ b/11-jinga-templates/roles/web_servers/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart_apache
+ service:
+ name: "{{ webserver_package}}"
+ state: restarted
\ No newline at end of file
diff --git a/11-jinga-templates/roles/web_servers/tasks/main.yml b/11-jinga-templates/roles/web_servers/tasks/main.yml
new file mode 100644
index 0000000..4c98027
--- /dev/null
+++ b/11-jinga-templates/roles/web_servers/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+- name: Install apache on web servers
+ tags: apache
+ package:
+ name:
+ - "{{ webserver_package }}"
+ - "{{ php_package }}"
+
+- name: Copy html file
+ tags: website
+ copy:
+ src: default_site.html
+ dest: /var/www/html/index.html
+ owner: root
+ group: root
+ mode: 0644
+ notify: restart_apache
diff --git a/11-jinga-templates/site.yml b/11-jinga-templates/site.yml
new file mode 100644
index 0000000..2e05265
--- /dev/null
+++ b/11-jinga-templates/site.yml
@@ -0,0 +1,35 @@
+---
+- hosts: all
+ become: true
+ pre_tasks:
+
+ - name: install updates for RHEL distros
+ tags: always
+ package:
+ update_only: yes
+ update_cache: yes
+ when: ansible_os_family == "RedHat"
+
+ - name: install updates for Debian distros
+ tags: always
+ package:
+ upgrade: dist
+ update_cache: yes
+ when: ansible_os_family == "Debian"
+
+- hosts: all
+ become: true
+ roles:
+ - base
+
+- hosts: web_servers
+ become: true
+ tags: web
+ roles:
+ - web_servers
+
+- hosts: db_servers
+ tags: db,
+ become: true
+ roles:
+ - db_servers
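Review bot: `restart_apache` restarts `{{ webserver_package}}` instead of `{{ webserver_service }}`; the two hold the same value in every host_vars file in this commit, so it works by coincidence, but the handler is keyed on the wrong variable and breaks as soon as package and unit names diverge (note also the missing space before `}}`). Change it to `name: "{{ webserver_service }}"`.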
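Review bot: "Copy html file" notifies `restart_apache` for a static file change that Apache does not need to be restarted for, while nothing in the role ensures the web server is started and enabled; the Debian hosts currently in `web_servers` get apache2 started on package install, but if the EL host_vars (`httpd`) are ever applied to a web host, the package would be installed with no listener until the html changes and the handler happens to restart it. Add a `service: name: "{{ webserver_service }}" state: started enabled: true` task after the install and drop the `notify` on the copy. `mode: 0644` is an unquoted octal; Ansible's own guidance is `mode: "0644"` so YAML cannot reinterpret it.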
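Review bot: `tags: db,` on the db_servers play has a trailing comma, so the tag set is not just `db` (Ansible splits tag strings on commas, which leaves an empty tag behind); it should read `tags: db`. The two `pre_tasks` run a full package upgrade (`upgrade: dist` / `update_only`) on every host on every run under `tags: always`, so even `--tags web` performs an unreviewed OS upgrade, and an openssh or kernel update landing mid-play may restart sshd or leave hosts needing a reboot; gate them behind an opt-in tag (e.g. `tags: updates`, without `always`) or a variable. Using the generic `package` module with backend-specific arguments (`update_only`, `upgrade`, `update_cache`) also relies on pass-through behaviour that is not checked here; `ansible.builtin.dnf` and `ansible.builtin.apt` make the intent explicit and validate the arguments.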