[ansible] Use ansible notation
by Nicolas Chauvet
commit 1a64aa314cdf332af5da7ee8ef29a29af6486822
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jul 31 12:17:20 2019 +0200
Use ansible notation
roles/basessh/tasks/main.yml | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
---
diff --git a/roles/basessh/tasks/main.yml b/roles/basessh/tasks/main.yml
index 49a5aff..d50017f 100644
--- a/roles/basessh/tasks/main.yml
+++ b/roles/basessh/tasks/main.yml
@@ -72,7 +72,10 @@
- base
- name: sshd_config
- template: src=sshd_config dest=/etc/ssh/sshd_config mode=0600
+ template:
+ src: sshd_config
+ dest: /etc/ssh/sshd_config
+ mode: 0600
notify:
- restart sshd
tags:
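Review bot: `mode: 0600` on the new line is read by Ansible's YAML 1.1 loader as the octal integer 384 rather than the string "0600"; the file/template modules convert a leading-zero integer back into the intended permission, so it behaves, but the unambiguous spelling is `mode: "0600"`, which is also what ansible-lint's risky-octal check expects. The task this belongs to starts at `- name: sshd_config` inside the hunk and its remaining tags continue past the hunk's end.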
[ansible] Add chrony role
by Nicolas Chauvet
commit 97b1f47c774de284961c94563ab179ea3b0f7300
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jul 31 12:00:32 2019 +0200
Add chrony role
roles/chrony/tasks/main.yml | 28 ++++++++++++++++++++++++
roles/chrony/templates/chrony.conf.j2 | 38 +++++++++++++++++++++++++++++++++
2 files changed, 66 insertions(+), 0 deletions(-)
---
diff --git a/roles/chrony/tasks/main.yml b/roles/chrony/tasks/main.yml
new file mode 100644
index 0000000..2e5609f
--- /dev/null
+++ b/roles/chrony/tasks/main.yml
@@ -0,0 +1,28 @@
+- name: install chrony
+ package: name=chrony state=present
+ tags:
+ - chrony
+ - package
+ - base
+
+- name: install chrony.conf
+ template: src=chrony.conf.j2 dest=/etc/chrony.conf
+ tags:
+ - chrony
+ - config
+ - base
+
+- name: disable and stop ntp
+ service: name=ntpd state=stopped enabled=no
+ tags:
+ - chrony
+ - service
+ - base
+ when: ansible_distribution_major_version|int != 8
+
+- name: Start and enable chrony
+ service: name=chronyd state=started enabled=yes
+ tags:
+ - chrony
+ - service
+ - base
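Review bot: The `disable and stop ntp` task (`service: name=ntpd state=stopped enabled=no`) is only gated by the `!= 8` version check, not by whether ntpd is installed; the service module fails when it cannot find the requested unit, so hosts that never had ntpd will error here as far as I can tell. Either add `failed_when: false` with a comment, or remove the package instead (`package: name=ntp state=absent`, confirming the package name for the distributions in this inventory), which is idempotent whether or not it was ever present. The file also lacks the `---` document start that the other task files in this repo (e.g. the rkhunter tasks) carry, so yamllint's document-start check would flag it.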
diff --git a/roles/chrony/templates/chrony.conf.j2 b/roles/chrony/templates/chrony.conf.j2
new file mode 100644
index 0000000..af6ebed
--- /dev/null
+++ b/roles/chrony/templates/chrony.conf.j2
@@ -0,0 +1,38 @@
+# setup our servers
+pool 2.fedora.pool.ntp.org iburst
+
+# Record the rate at which the system clock gains/losses time.
+driftfile /var/lib/chrony/drift
+
+# Allow the system clock to be stepped in the first three updates
+# if its offset is larger than 1 second.
+makestep 1.0 3
+
+# Enable kernel synchronization of the real-time clock (RTC).
+rtcsync
+
+# Enable hardware timestamping on all interfaces that support it.
+#hwtimestamp *
+
+# Increase the minimum number of selectable sources required to adjust
+# the system clock.
+minsources 1
+
+# Allow NTP client access from local network.
+allow 10.0.0.0/8
+allow 192.168.0.0/16
+
+# Serve time even if not synchronized to a time source.
+local stratum 10
+
+# Specify file containing keys for NTP authentication.
+keyfile /etc/chrony.keys
+
+# Get TAI-UTC offset and leap seconds from the system tz database.
+leapsectz right/UTC
+
+# Specify directory for log files.
+logdir /var/log/chrony
+
+# Select which information is logged.
+#log measurements statistics tracking
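Review bot: `allow 10.0.0.0/8` and `allow 192.168.0.0/16` together with `local stratum 10` turn every host that applies this role into an NTP server for those two networks, one that keeps answering with unsynchronised time once it loses its upstream pool; for ordinary clients the defaults (no `allow`, no `local`) are the safer setting and only designated time servers need these lines. Consider wrapping them, e.g. `{% if chrony_serve_lan|default(false) %}` … `{% endif %}` with a role variable of your choosing (the name here is constructed), so the exposure is opt-in per host. `keyfile /etc/chrony.keys` references a file this role does not manage; chrony only warns if it is missing as far as I know, but a comment saying that it is optional would save the next reader a search.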
[ansible] Add basessh role
by Nicolas Chauvet
commit 584f250bff1cb4caea05e5b737b403a8a368f30a
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jul 31 11:41:31 2019 +0200
Add basessh role
roles/basessh/README | 4 +
roles/basessh/handlers/main.yml | 3 +
roles/basessh/tasks/main.yml | 253 +++++++++++++++++++++++++++++++++++
roles/basessh/templates/sshd_config | 55 ++++++++
4 files changed, 315 insertions(+), 0 deletions(-)
---
diff --git a/roles/basessh/README b/roles/basessh/README
new file mode 100644
index 0000000..317ef04
--- /dev/null
+++ b/roles/basessh/README
@@ -0,0 +1,4 @@
+This role is the base setup for all our machines.
+
+If there's something that shouldn't be run on every single
+machine, it should be in another role.
diff --git a/roles/basessh/handlers/main.yml b/roles/basessh/handlers/main.yml
new file mode 100644
index 0000000..0c4def4
--- /dev/null
+++ b/roles/basessh/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart sshd
+ service: name=sshd state=restarted
diff --git a/roles/basessh/tasks/main.yml b/roles/basessh/tasks/main.yml
new file mode 100644
index 0000000..49a5aff
--- /dev/null
+++ b/roles/basessh/tasks/main.yml
@@ -0,0 +1,253 @@
+---
+#
+# We have some tasks here in case this is a bare metal machine
+# and we are provisioning it for the first time.
+# virtual machines are handled in tasks/virt-instance-create
+#
+
+- name: make sure there is no old ssh host key for the host still around
+ local_action: known_hosts path={{item}} host={{ inventory_hostname }} state=absent
+ ignore_errors: True
+ with_items:
+ - /root/.ssh/known_hosts
+ when: birthday is defined
+
+- name: gather ssh host key from new instance
+ local_action: command ssh-keyscan -t rsa {{ inventory_hostname }}
+ ignore_errors: True
+ register: hostkey
+ when: birthday is defined
+
+- name: add new ssh host key (until we can sign it)
+ local_action: known_hosts path={{item}} key="{{ hostkey.stdout }}" host={{ inventory_hostname }} state=present
+ ignore_errors: True
+ with_items:
+ - /root/.ssh/known_hosts
+ when: birthday is defined
+
+- name: make sure libselinux-python is installed
+ package: name=libselinux-python state=present
+ tags:
+ - basessh
+ - sshd_config
+ - config
+ - sshd
+ - selinux
+ when: ansible_distribution_major_version|int < 30 and ansible_distribution_major_version|int != 8
+
+- name: make sure python3-libselinux is installed
+ package: name=python3-libselinux state=present
+ tags:
+ - basessh
+ - sshd_config
+ - config
+ - sshd
+ - selinux
+ when: ansible_distribution_major_version|int >= 30 or ansible_distribution_major_version|int == 8
+
+- name: check if sshd port is already known by selinux
+ shell: semanage port -l | grep ssh
+ register: sshd_selinux_port
+ check_mode: no
+ changed_when: false
+ failed_when: false
+ tags:
+ - basessh
+ - sshd_config
+ - config
+ - sshd
+ - selinux
+ - base
+
+- name: allow alternate sshd port
+ command: semanage port -a -t ssh_port_t -p tcp {{ sshd_port }}
+ when: sshd_port in sshd_selinux_port
+ failed_when: false
+ tags:
+ - basessh
+ - sshd_config
+ - config
+ - sshd
+ - selinux
+ - base
+
+- name: sshd_config
+ template: src=sshd_config dest=/etc/ssh/sshd_config mode=0600
+ notify:
+ - restart sshd
+ tags:
+ - basessh
+ - sshd_config
+ - config
+ - sshd
+ - base
+
+- name: Determine SSH keys generated by this machine
+ find: paths=/etc/ssh
+ file_type=file
+ patterns="ssh_host_*_key"
+ register: ssh_key_files
+ tags:
+ - basessh
+ - sshd_cert
+ - sshd_config
+ - config
+ - sshd
+ - base
+
+- name: Determine SSH keys never signed
+ stat: path="{{item.path}}-cert.pub"
+ with_items: "{{ssh_key_files.files}}"
+ register: ssh_cert_files
+ tags:
+ - basessh
+ - sshd_cert
+ - sshd_config
+ - config
+ - sshd
+ - base
+
+- name: Set lists of certs to sign to empty
+ set_fact:
+ certs_to_sign: "[]"
+ tags:
+ - basessh
+ - sshd_cert
+ - sshd_config
+ - config
+ - sshd
+ - base
+
+- name: Set list of certs to sign
+ set_fact:
+ certs_to_sign: "{{certs_to_sign}} + [ '{{item.item.path}}' ]"
+ with_items: "{{ssh_cert_files.results}}"
+ when: not item.stat.exists
+ tags:
+ - basessh
+ - sshd_cert
+ - sshd_config
+ - config
+ - sshd
+ - base
+
+# Renew if last mod was more than 10 months ago
+- name: Get soon-to-expire certificates to sign
+ set_fact:
+ certs_to_sign: "{{certs_to_sign}} + [ '{{item.item.path}}' ]"
+ with_items: "{{ssh_cert_files.results}}"
+ when: "item.stat.exists and item.stat.mtime|int < (lookup('pipe', 'date +%s')|int - 25920000)"
+ tags:
+ - basessh
+ - sshd_cert
+ - sshd_config
+ - config
+ - sshd
+ - base
+
+- set_fact:
+ pubkeydir: "/tmp/sshkeysign/{{inventory_hostname}}"
+ tags:
+ - basessh
+ - sshd_cert
+ - sshd_config
+ - config
+ - sshd
+ - base
+
+- name: Create directory for storing pubkeys
+ file: path="{{pubkeydir}}"
+ owner=root
+ group=root
+ mode=0600
+ state=directory
+ delegate_to: localhost
+ run_once: true
+ changed_when: False
+ tags:
+ - basessh
+ - sshd_cert
+ - sshd_config
+ - config
+ - sshd
+ - base
+
+- name: Get public keys for certs to sign
+ fetch: src="{{item}}.pub"
+ dest="{{pubkeydir}}"
+ fail_on_missing=true
+ with_items: "{{certs_to_sign}}"
+ tags:
+ - basessh
+ - sshd_cert
+ - sshd_config
+ - config
+ - sshd
+ - base
+
+- name: Set some extra signing facts
+ set_fact:
+ sign_hostnames: "{{ssh_hostnames}} + ['{{inventory_hostname}}']"
+ sign_validity: "-1h:+52w"
+ tags:
+ - basessh
+ - sshd_cert
+ - sshd_config
+ - config
+ - sshd
+ - base
+
+# Currently, we use the epoch as serial. That's unique enough for now
+- name: Sign the certificates
+ shell: "ssh-keygen -s {{private}}/files/ssh/{{env}}_ca_host_key -I {{inventory_hostname}} -h -n {{ sign_hostnames|join(',') }} -V {{sign_validity}} -z `date +%s` {{pubkeydir}}/{{inventory_hostname}}{{item}}.pub"
+ delegate_to: localhost
+ with_items: "{{certs_to_sign}}"
+ tags:
+ - basessh
+ - sshd_cert
+ - sshd_config
+ - config
+ - sshd
+ - base
+
+- name: Copy the certificates
+ copy: src="{{pubkeydir}}/{{inventory_hostname}}{{item}}-cert.pub"
+ dest="{{item}}-cert.pub"
+ with_items: "{{certs_to_sign}}"
+ register: certcopy
+ notify:
+ - restart sshd
+ tags:
+ - basessh
+ - sshd_cert
+ - sshd_config
+ - config
+ - sshd
+ - base
+
+- name: Remove the generated certificates
+ local_action: file path="{{pubkeydir}}/{{inventory_hostname}}" state=absent
+ tags:
+ - basessh
+ - sshd_cert
+ - sshd_config
+ - config
+ - sshd
+ - base
+
+- name: Restart sshd in case we just signed a new certificate so it gets applied
+ service: name=sshd state=restarted
+ when: certcopy.changed
+ tags:
+ - basessh
+ - sshd_cert
+ - sshd_config
+ - config
+ - sshd
+ - base
+
+- name: make sure there is no old ssh host key for the host still around
+ local_action: known_hosts path={{item}} host={{ inventory_hostname }} state=absent
+ ignore_errors: True
+ with_items:
+ - /root/.ssh/known_hosts
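Review bot: `when: sshd_port in sshd_selinux_port` on the `allow alternate sshd port` task tests whether `sshd_port` is a key of the registered result dict (`stdout`, `rc`, …), not whether the port appears in the `semanage port -l | grep ssh` output, so the condition is never true and the port is never added; the intent reads as the negation, `when: (sshd_port|string) not in sshd_selinux_port.stdout`. Because the task also sets `failed_when: false`, a failing `semanage` call would be hidden, so that line is worth dropping once the condition is right, and `sshd_port` has no default in this role, so the task errors on an undefined variable on hosts that do not set it unless guarded with `sshd_port is defined`. Separately, the last task of the file (`make sure there is no old ssh host key for the host still around`, near the end of the hunk) repeats the first one without its `birthday is defined` guard, so every run deletes the controller's known_hosts pin for the host and the next connection silently re-trusts whatever key it is offered; if that is not intended, add the same `when`.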
diff --git a/roles/basessh/templates/sshd_config b/roles/basessh/templates/sshd_config
new file mode 100644
index 0000000..3138bfd
--- /dev/null
+++ b/roles/basessh/templates/sshd_config
@@ -0,0 +1,55 @@
+Protocol 2
+
+Port {{ sshd_port|22 }}
+
+{% if ansible_distribution_major_version == "6" %}
+KexAlgorithms diffie-hellman-group-exchange-sha256
+MACs hmac-sha2-512,hmac-sha2-256
+Ciphers aes256-ctr,aes192-ctr,aes128-ctr
+{% else %}
+KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm(a)openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128(a)openssh.com
+{% endif %}
+
+HostKey /etc/ssh/ssh_host_rsa_key
+{% if sshd_host_certificate %}
+HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
+{% endif %}
+
+SyslogFacility AUTHPRIV
+LogLevel VERBOSE
+
+PermitRootLogin without-password
+StrictModes yes
+AuthorizedKeysFile .ssh/authorized_keys
+
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+GSSAPIAuthentication no
+UsePAM yes
+
+AllowAgentForwarding no
+X11Forwarding no
+PermitTunnel no
+
+{% if ansible_distribution_major_version == "6" %}
+UsePrivilegeSeparation yes
+{% elif ansible_distribution_major_version == "7" %}
+UsePrivilegeSeparation sandbox
+{% endif %}
+
+# Accept locale-related environment
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
+{% if sshd_keyhelper %}
+# For repospanner/git
+AuthorizedKeysCommandUser git
+AuthorizedKeysCommand /usr/libexec/pagure/keyhelper.py "%u" "%h" "%t" "%f"
+{% endif %}
+{% if sshd_sftp %}
+Subsystem sftp internal-sftp
+{% endif %}
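Review bot: `Port {{ sshd_port|22 }}` is not valid Jinja — a filter must be a name — so the template raises a syntax error at render time instead of defaulting the port; the intended form is `Port {{ sshd_port|default(22) }}`. The `{% if sshd_host_certificate %}`, `{% if sshd_keyhelper %}` and `{% if sshd_sftp %}` conditionals will likewise fail with an undefined variable on hosts that do not set them unless they are defined in group vars; `{% if sshd_host_certificate|default(false) %}` (and the same for the other two) makes each feature opt-in safely. Note also that only the RSA key is served via `HostKey`/`HostCertificate`, while the tasks in this commit find and sign every `ssh_host_*_key`; the other certificates are fetched and installed but never used by sshd.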
[ansible] Remove base ssh config
by Nicolas Chauvet
commit d4c39192fc2f102deba4c8a772829fe775822bb1
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jul 31 11:35:21 2019 +0200
Remove base ssh config
roles/base/files/ssh/sshd_config.7 | 161 --------------------------
roles/base/files/ssh/sshd_config.buildhw | 138 ----------------------
roles/base/files/ssh/sshd_config.default | 121 -------------------
roles/base/files/ssh/sshd_config.el6 | 121 -------------------
roles/base/files/ssh/sshd_config.kojibuilder | 138 ----------------------
roles/base/files/ssh/sshd_config.pkgs | 121 -------------------
roles/base/files/ssh/sshd_config.qa-stg | 151 ------------------------
roles/base/files/ssh/sshd_config.qadevel | 151 ------------------------
roles/base/files/ssh/sshd_config.releng | 121 -------------------
9 files changed, 0 insertions(+), 1223 deletions(-)
[ansible] Add Frozen variable
by Nicolas Chauvet
commit f2c6edaa2e550ae2acacbf48d9e51d71e2eae88b
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jul 31 11:25:58 2019 +0200
Add Frozen variable
vars/all/Frozen.yaml | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
---
diff --git a/vars/all/Frozen.yaml b/vars/all/Frozen.yaml
new file mode 100644
index 0000000..dcbccd6
--- /dev/null
+++ b/vars/all/Frozen.yaml
@@ -0,0 +1 @@
+Frozen: False
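Review bot: `Frozen: False` spells the boolean in title case; PyYAML reads it as a boolean, but yamllint's truthy rule and YAML 1.2 expect `Frozen: false`. The file is also named `.yaml` whereas the sibling vars files in this tree (`vars/Fedora.yml`, `vars/RedHat.yml`, `vars/global.yml`) use `.yml`; if `vars/all` is loaded with a glob, check that the pattern matches both spellings.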
[ansible] Update rkhunter default config
by Nicolas Chauvet
commit 6e709bbd759ceb38c478b9fe5d21110afd1efae4
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jul 31 11:25:40 2019 +0200
Update rkhunter default config
roles/rkhunter/tasks/main.yml | 4 ++--
roles/rkhunter/templates/rkhunter.conf.j2 | 27 +++++++++++++++++++++++++--
2 files changed, 27 insertions(+), 4 deletions(-)
---
diff --git a/roles/rkhunter/tasks/main.yml b/roles/rkhunter/tasks/main.yml
index e696ba2..83788c3 100644
--- a/roles/rkhunter/tasks/main.yml
+++ b/roles/rkhunter/tasks/main.yml
@@ -1,6 +1,6 @@
---
- name: install rkhunter (yum)
- yum: name=rkhunter state=present
+ package: name=rkhunter state=present
notify:
- run rkhunter
tags:
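Review bot: After this change both tasks call `package: name=rkhunter state=present` and differ only in their version guards (`< 22` here; the dnf task's `when` line is outside the second hunk), so the second task is now a duplicate; `package` already picks yum or dnf, and a single unguarded task would do. The same yum/dnf pairs remain in the base role hunks of the `Add base package erase` and `Use yaml notation…` commits further down this page, where a `package:` task still carries a `< 22` guard alongside a `dnf:` twin and could collapse the same way.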
@@ -9,7 +9,7 @@
when: ansible_distribution_major_version|int < 22
- name: install rkhunter (dnf)
- dnf: name=rkhunter state=present
+ package: name=rkhunter state=present
notify:
- run rkhunter
tags:
diff --git a/roles/rkhunter/templates/rkhunter.conf.j2 b/roles/rkhunter/templates/rkhunter.conf.j2
index 663a4b8..9e30994 100644
--- a/roles/rkhunter/templates/rkhunter.conf.j2
+++ b/roles/rkhunter/templates/rkhunter.conf.j2
@@ -200,8 +200,12 @@ ALLOW_SSH_PROT_V1=0
# tests, the test names, and how rkhunter behaves when these options are used.
#
ENABLE_TESTS="all"
+{% if ansible_hostname.startswith(('cloud', 'buildvmhost-s390x')) %}
# Disable the promisc test here as openstack has it set on interfaces
DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps promisc"
+{% else %}
+DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps"
+{% endif %}
#
# The HASH_FUNC option can be used to specify the command to use
@@ -304,7 +308,9 @@ ALLOWHIDDENDIR=/dev/.udevdb
ALLOWHIDDENDIR=/dev/.udev.tdb
ALLOWHIDDENDIR=/dev/.udev/db
ALLOWHIDDENDIR=/dev/.udev/rules.d
+{% if ansible_hostname.startswith('cloud') %}
ALLOWHIDDENDIR=/etc/.git
+{% endif %}
ALLOWHIDDENDIR=/etc/.java
#
@@ -318,6 +324,14 @@ ALLOWHIDDENFILE=/usr/bin/.ssh-keyscan.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh-keygen.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
+{% if ansible_distribution_version|int > 27 %}
+# In Fedora 28+ there's a new package for dracut that does the FIPs stuff
+ALLOWHIDDENFILE=/usr/bin/.sha1hmac.hmac
+ALLOWHIDDENFILE=/usr/bin/.sha224hmac.hmac
+ALLOWHIDDENFILE=/usr/bin/.sha256hmac.hmac
+ALLOWHIDDENFILE=/usr/bin/.sha384hmac.hmac
+ALLOWHIDDENFILE=/usr/bin/.sha512hmac.hmac
+{% endif %}
ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
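Review bot: `{% if ansible_distribution_version|int > 27 %}` uses the full version string, whereas every other guard on this page uses `ansible_distribution_major_version`; a value such as `7.6` only becomes 7 because Jinja's `int` filter falls back to `int(float(...))`, so the comparison works by that fallback rather than by design. `{% if ansible_distribution_major_version|int > 27 %}` states the intent and matches the rest of the tree, and reads consistently with the `# In Fedora 28+` comment on the next line.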
@@ -326,8 +340,10 @@ ALLOWHIDDENFILE=/dev/.udev/queue.bin
ALLOWHIDDENFILE=/dev/.udev/uevent_seqnum
# Fedora 21+ and RHEL 7.2+ have a /etc/.updated file
ALLOWHIDDENFILE=/etc/.updated
+{% if ansible_hostname.startswith('cloud') %}
ALLOWHIDDENFILE=/etc/.etckeeper
ALLOWHIDDENFILE=/etc/.gitignore
+{% endif %}
#
# Allow the specified processes to use deleted files.
@@ -372,7 +388,9 @@ ALLOWDEVFILE=/dev/.udev/db/*
ALLOWDEVFILE=/dev/.udev/rules.d/99-root.rules
ALLOWDEVFILE=/dev/.udev/uevent_seqnum
ALLOWDEVFILE=/dev/md/autorebuild.pid
+{% if ansible_hostname == 'notifs-backend01' %}
ALLOWDEVFILE=/dev/shm/fmn-cache.dbm
+{% endif %}
ALLOWDEVFILE=/dev/shm/squid-squid-page-pool.shm
ALLOWDEVFILE=/dev/shm/squid-cache_mem.shm
ALLOWDEVFILE=/dev/shm/squid-ssl_session_cache.shm
@@ -383,14 +401,19 @@ ALLOWDEVFILE=/dev/shm/squid-cache_mem_space.shm
ALLOWDEVFILE=/dev/shm/squid-cf__readers.shm
ALLOWDEVFILE=/dev/shm/squid-cf__queues.shm
ALLOWDEVFILE=/dev/shm/squid-cf__metadata.shm
-{% if inventory_hostname in groups['virtservers'] %}
+{% if inventory_hostname in groups['virtservers'] or inventory_hostname in groups['openqa_workers'] or inventory_hostname in groups['openqa_stg_workers'] or inventory_hostname in groups['taskotron_stg_client_hosts'] or inventory_hostname in groups['taskotron_dev_client_hosts'] %}
# libvirt spice device makes a /dev/shm/spice file
ALLOWDEVFILE=/dev/shm/spice.*
{% endif %}
-{% if inventory_hostname in groups['ipa'] %}
+{% if inventory_hostname in groups['ipa'] or inventory_hostname in groups['ipa_stg'] %}
ALLOWDEVFILE=/dev/shm/sem.slapd*.stats
{% endif %}
+{% if inventory_hostname in groups['proxies'] or inventory_hostname in groups['proxies_stg'] %}
+ALLOWDEVFILE=/dev/shm/libpod_lock
+{% endif %}
+{% if inventory_hostname in groups['pgbdr'] or inventory_hostname in groups['pgbdr_stg'] or inventory_hostname == 'ci-cc-rdu01.fedoraproject.org' or inventory_hostname == 'hubs01.stg.phx2.fedoraproject.org' or inventory_hostname == 'db-koji01.stg.phx2.fedoraproject.org' or inventory_hostname == 'db-qa03.qa.fedoraproject.org' %}
ALLOWDEVFILE=/dev/shm/PostgreSQL*
+{% endif %}
#
# This setting tells rkhunter where the inetd configuration
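Review bot: The new conditions index `groups['openqa_workers']`, `groups['openqa_stg_workers']`, `groups['taskotron_stg_client_hosts']`, `groups['taskotron_dev_client_hosts']`, `groups['ipa_stg']`, `groups['proxies']`, `groups['proxies_stg']`, `groups['pgbdr']` and `groups['pgbdr_stg']` directly; if any of those groups is absent from this inventory the render fails with an undefined error instead of falling through. `inventory_hostname in groups.get('openqa_workers', [])` (and likewise for the others) makes each allowance conditional on the group existing. The literal `*.fedoraproject.org` hostnames in the `pgbdr` condition look copied from the upstream Fedora playbooks rather than from this inventory; if those hosts do not exist here, that branch is dead and the names can go.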
[ansible] Update varsz
by Nicolas Chauvet
commit 2d9b80e1cb24d97bd519653db7c9eb47e2c362b9
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jul 31 11:20:42 2019 +0200
Update varsz
vars/Fedora.yml | 2 +-
vars/RedHat.yml | 4 ++--
vars/global.yml | 21 ++++++++++++++++++---
3 files changed, 21 insertions(+), 6 deletions(-)
---
diff --git a/vars/Fedora.yml b/vars/Fedora.yml
index 9372c10..affe407 100644
--- a/vars/Fedora.yml
+++ b/vars/Fedora.yml
@@ -1,7 +1,7 @@
---
dist_tag: f{{ ansible_distribution_version }}
base_pkgs_inst: ['iptables-services' ]
-base_pkgs_erase: ['firewalld', 'PackageKit*', 'sendmail', 'at']
+base_pkgs_erase: ['firewalld', 'sendmail', 'at']
service_disabled: [ ]
service_enabled: ['auditd']
is_fedora: True
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
index d2c0b2b..d5e7621 100644
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@@ -2,7 +2,7 @@
dist_tag: el{{ ansible_distribution_version[0] }}
base_pkgs_inst: ['iptables-services']
base_pkgs_erase: ['firstboot-tui','bluez-utils', 'sendmail', 'firewalld']
-service_disabled: [ ]
-service_enabled: [ ]
+service_disabled: []
+service_enabled: []
is_rhel: True
pythonsitelib: /usr/lib/python2.7/site-packages
diff --git a/vars/global.yml b/vars/global.yml
index d30f65f..4f16050 100644
--- a/vars/global.yml
+++ b/vars/global.yml
@@ -39,13 +39,25 @@ fedora_atomic_22_alpha: Fedora-Cloud-Atomic-22_Alpha-20150305.x86_64
fedora_atomic_22_beta: Fedora-Cloud-Atomic-22_Beta-20150415.x86_64
fedora_atomic_22: Fedora-Cloud-Atomic-22-20150521.x86_64
fedora23_x86_64: Fedora-Cloud-Base-23-20151030.x86_64
+fedora24_alpha_x86_64: Fedora-Cloud-Base-24_Alpha-7.x86_64.qcow2
+fedora24_x86_64: Fedora-Cloud-Base-24-1.2.x86_64.qcow2
+fedora25_x86_64: Fedora-Cloud-Base-25-1.3.x86_64
+fedora26_x86_64: Fedora-Cloud-Base-26-1.4.x86_64
+fedora27_x86_64: Fedora-Cloud-Base-27-1.2.x86_64
+fedora28_x86_64: Fedora-Cloud-Base-28-1.1.x86_64
+fedora29_x86_64: Fedora-Cloud-Base-29-1.2.x86_64
+fedora30_beta_x86_64: Fedora-Cloud-Base-30-20190329.n.0.x86_64
+fedora30_x86_64: Fedora-Cloud-Base-30-1.2.x86_64
centos70_x86_64: CentOS-7-x86_64-GenericCloud-1503
centos66_x86_64: CentOS-6-x86_64-GenericCloud-20141129_01
rhel70_x86_64: rhel-guest-image-7.0-20140930.0.x86_64
rhel66_x86_64: rhel-guest-image-6.6-20141222.0.x86_64
-ssl_protocols: "-All +TLSv1 +TLSv1.1 +TLSv1.2"
-ssl_ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
+# Note: we do "all and blacklist" rather than whitelist to make sure we can use this
+# same list on both EL7 and Fedora and get new ciphers: on Fedora, at time of writing,
+# this includes TLSv1.3, which EL7 does not have.
+ssl_protocols: "+all -SSLv3 -TLSv1 -TLSv1.1"
+ssl_ciphers: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
sslonly_hsts: true
# Set a default hostname base to transient. Override in host vars or command line.
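Review bot: The TLS 1.3 suite names at the head of `ssl_ciphers` (`TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256`) are, as far as I know, not accepted by the OpenSSL 1.1.1 cipher-list API behind httpd's `SSLCipherSuite` for TLS 1.2 and below; they are ignored there, and TLS 1.3 suites are configured separately (`SSLCipherSuite TLSv1.3 ...` in httpd 2.4.36+), so the list is harmless but the comment's implication that it selects TLS 1.3 ciphers should be verified against the consumer. Dropping TLSv1 and TLSv1.1 in `ssl_protocols` is the right move; the remaining string still allows CBC/SHA1 suites such as `ECDHE-RSA-AES128-SHA` and `DHE-DSS-AES128-SHA256`, which is a compatibility trade-off worth a comment if it is deliberate. `+all -SSLv3 -TLSv1 -TLSv1.1` is httpd `SSLProtocol` syntax; if another consumer (nginx, haproxy) reads this variable it needs its own spelling.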
@@ -54,4 +66,7 @@ global_pkgs_inst: ['bind-utils', 'mailx', 'nc', 'openssh-clients',
'patch', 'postfix', 'rsync', 'strace',
'tmpwatch', 'traceroute', 'vim-enhanced', 'xz', 'zsh',
'libselinux-python', 'ntpdate', 'bash-completion', 'telnet',
- 'htop', 'rsyslog' ]
+ 'atop', 'htop', 'rsyslog' ]
+# Set up variables for various files to make sure we don't forget to use.
+repoSpanner_rpms_http: 8445
+repoSpanner_ansible_http: 8443
[ansible] Add base package erase
by Nicolas Chauvet
commit 7e4458e16802d50d2b165461bfc64c5fa9ac45a5
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jul 31 11:14:14 2019 +0200
Add base package erase
roles/base/tasks/main.yml | 20 ++++++++++++--------
1 files changed, 12 insertions(+), 8 deletions(-)
---
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index cb4e0a8..05531b6 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -134,32 +134,36 @@
- base
- name: dist pkgs to remove (yum)
- package: state=absent name={{ item }}
- with_items:
- - "{{ base_pkgs_erase }}"
+ package:
+ state: absent
+ name: "{{ base_pkgs_erase }}"
tags:
- packages
- base
when: ansible_distribution_major_version|int < 22
- name: dist pkgs to install (yum)
- package: state=present name={{ item }}
- with_items:
- - "{{ base_pkgs_inst }}"
+ package:
+ state: present
+ name: "{{ base_pkgs_inst }}"
tags:
- packages
- base
when: ansible_distribution_major_version|int < 22
- name: dist pkgs to remove (dnf)
- dnf: state=absent name="{{ base_pkgs_erase }}"
+ dnf:
+ state: absent
+ name: "{{ base_pkgs_erase }}"
tags:
- packages
- base
when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
- name: dist pkgs to install (dnf)
- dnf: state=present name="{{ base_pkgs_inst }}"
+ dnf:
+ state: present
+ name: "{{ base_pkgs_inst }}"
tags:
- packages
- base
[ansible] Use yaml notation instead of the ansible notation
by Nicolas Chauvet
commit 05c4bb21d6e45ea4b1144ff175fe44534ab29347
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jul 31 11:06:12 2019 +0200
Use yaml notation instead of the ansible notation
roles/base/tasks/main.yml | 10 ++++++----
1 files changed, 6 insertions(+), 4 deletions(-)
---
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index c6d39d2..cb4e0a8 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -86,16 +86,18 @@
- base
- name: global default packages to install (yum)
- package: state=present name={{ item }}
- with_items:
- - "{{ global_pkgs_inst }}"
+ package:
+ state: present
+ name: "{{ global_pkgs_inst }}"
tags:
- packages
- base
when: ansible_distribution_major_version|int < 22 and ansible_distribution_major_version|int != 8
- name: global default packages to install (dnf)
- dnf: state=present name="{{ global_pkgs_inst }}"
+ dnf:
+ state: present
+ name: "{{ global_pkgs_inst }}"
tags:
- packages
- base
[ansible] Add empty tls_policy file
by Nicolas Chauvet
commit 3c7015f6b8d6a49a02701dfebb0ab58cacb50920
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jul 31 10:58:04 2019 +0200
Add empty tls_policy file
0 files changed, 0 insertions(+), 0 deletions(-)
---
diff --git a/roles/base/files/postfix/tls_policy b/roles/base/files/postfix/tls_policy
new file mode 100644
index 0000000..e69de29