Security repository changes | refs #33830

molecule/default/tests/test_init.py

@@ -9,7 +9,7 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 
 
 def test_apt_source_skyreach_file(host):
-    f = host.file("/etc/apt/sources.list.d/skyreach.list")
+    f = host.file("/etc/apt/sources.list.d/ubicast.list")
 
     assert f.exists
     assert f.is_file

playbooks/migrate-debian.yml

@@ -70,7 +70,7 @@
 
     - name: disable skyreach repository
       shell:
-        cmd: mv -f /etc/apt/sources.list.d/skyreach.list /etc/apt/sources.list.d/skyreach.list.migrate
+        cmd: mv -f /etc/apt/sources.list.d/ubicast.list /etc/apt/sources.list.d/ubicast.list.migrate
 
     - name: update sources list
       copy:

playbooks/site.yml

@@ -48,4 +48,7 @@
 - import_playbook: munin/all.yml
   tags: monitor
 
+- import_playbook: tester.yml
+  tags: tester
+
 ...

playbooks/tester.yml

+#!/usr/bin/env ansible-playbook
+---
+
+- name: Install UbiCast tester
+  hosts: all
+  tags: all
+  roles:
+    - tester
+
+...

roles/celerity/defaults/main.yml

 ---
 
-celerity_signing_key: "{{ envsetup_celerity_signing_key }}"
-celerity_server: "{{ envsetup_celerity_server | d(envsetup_ms_server_name, true) }}"
+celerity_signing_key: "{{ envsetup_celerity_signing_key | d('change-me', true) }}"
+celerity_server: "{{ envsetup_celerity_server | d(envsetup_ms_server_name, true) | d('127.0.0.1', true) }}"
 
-celerity_ms_id: "{{ envsetup_ms_id }}"
-celerity_ms_api_key: "{{ envsetup_ms_api_key }}"
-celerity_ms_hostname: "{{ envsetup_ms_server_name }}"
+celerity_ms_id: "{{ envsetup_ms_id | d() }}"
+celerity_ms_api_key: "{{ envsetup_ms_api_key | d() }}"
+celerity_ms_hostname: "{{ envsetup_ms_server_name | d() }}"
 celerity_ms_instances:
   - ms_id: "{{ celerity_ms_id }}"
     ms_api_key: "{{ celerity_ms_api_key }}"

roles/celerity/templates/celerity-config.py.j2

@@ -9,5 +9,7 @@ SERVER_URL = 'https://{{ celerity_server }}:6200'
 
 # MediaServer interactions
 MEDIASERVERS = {
+{% if celerity_ms_id and celerity_ms_hostname and celerity_ms_api_key %}
     '{{ celerity_ms_id }}': {'url': 'https://{{ celerity_ms_hostname }}', 'api_key': '{{ celerity_ms_api_key }}'},
+{% endif %}
 }

roles/conf/defaults/main.yml

@@ -7,9 +7,7 @@ conf_req_packages:
 conf_req_packages_online:
   - git
 
-conf_repo_url: https://mirismanager.ubicast.eu/git/mediaserver/envsetup.git
-conf_repo_version: "{{ lookup('env', 'ENVSETUP_BRANCH') | d('stable', true) }}"
-conf_repo_dest: /root/envsetup
+conf_dir: /root/envsetup
 
 conf_host: "{{ skyreach_host | default('mirismanager.ubicast.eu', true) }}"
 conf_valid_cert: "{{ skyreach_valid_cert | default(true, true) }}"

roles/conf/tasks/main.yml

@@ -26,23 +26,6 @@
   retries: 60
   until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
 
-- name: clone envsetup repository
-  when: not offline_mode | d(false)
-  ignore_errors: true
-  register: conf_clone
-  git:
-    repo: "{{ conf_repo_url }}"
-    version: "{{ conf_repo_version }}"
-    dest: "{{ conf_repo_dest }}"
-
-- name: ask to continue
-  when:
-    - not offline_mode | d(false)
-    - conf_clone is failed
-  pause:
-    prompt: "Previous task failed, it may be normal if you have local changes in the commited files, do you want to continue anyway?"
-    seconds: 30
-
 - name: generate root ssh key pair
   register: conf_root
   user:
@@ -51,17 +34,17 @@
     ssh_key_type: ed25519
     ssh_key_file: .ssh/id_ed25519
 
-- name: check if auto-generated-conf.sh exists
-  check_mode: false
-  register: check_conf
-  stat:
-    path: "{{ conf_repo_dest }}/auto-generated-conf.sh"
+- name: create conf dir
+  file:
+    path: "{{ conf_dir }}"
+    state: directory
+    mode: "0700"
 
-- name: check if conf.sh exists
+- name: check if auto-generated-conf.sh exists
   check_mode: false
-  register: check_local_conf
+  register: check_auto_conf
   stat:
-    path: "{{ conf_repo_dest }}/conf.sh"
+    path: "{{ conf_dir }}/auto-generated-conf.sh"
 
 - name: download conf and update ssh public key with activation key
   when: skyreach_activation_key | d(false)
@@ -69,7 +52,7 @@
   changed_when: conf_dl_ak.status == 200
   failed_when:
     - conf_dl_ak.status != 200
-    - not check_conf.stat.exists
+    - not check_auto_conf.stat.exists
     - not skyreach_system_key
   uri:
     url: https://{{ conf_host }}/erp/credentials/envsetup-conf.sh
@@ -83,13 +66,13 @@
 
 - name: download conf and update ssh public key with system key
   when:
-    - not check_conf.stat.exists or conf_update
+    - not check_auto_conf.stat.exists or conf_update
     - skyreach_system_key | d(false)
   register: conf_dl_sk
   changed_when: conf_dl_sk.status == 200
   failed_when:
     - conf_dl_sk.status != 200
-    - not check_conf.stat.exists
+    - not check_auto_conf.stat.exists
   uri:
     url: https://{{ conf_host }}/erp/credentials/envsetup-conf.sh
     method: POST
@@ -107,45 +90,37 @@
   when: item is changed
   copy:
     content: "{{ item.content }}"
-    dest: "{{ conf_repo_dest }}/auto-generated-conf.sh"
+    dest: "{{ conf_dir }}/auto-generated-conf.sh"
     force: true
     backup: true
 
-- name: touch generated conf
-  file:
-    path: "{{ conf_repo_dest }}/auto-generated-conf.sh"
-    access_time: preserve
-    modification_time: preserve
-    state: touch
-
-- name: touch local conf
-  file:
-    path: "{{ conf_repo_dest }}/conf.sh"
-    access_time: preserve
-    modification_time: preserve
-    state: touch
+- name: check if auto-generated-conf.sh exists
+  check_mode: false
+  register: check_auto_conf
+  stat:
+    path: "{{ conf_dir }}/auto-generated-conf.sh"
 
-- name: load global conf
-  changed_when: false
+- name: check if conf.sh exists
   check_mode: false
-  source_file:
-    path: "{{ conf_repo_dest }}/global-conf.sh"
-    prefix: envsetup_
-    lower: true
+  register: check_local_conf
+  stat:
+    path: "{{ conf_dir }}/conf.sh"
 
 - name: load generated conf
+  when: check_auto_conf.stat.exists
   changed_when: false
   check_mode: false
   source_file:
-    path: "{{ conf_repo_dest }}/auto-generated-conf.sh"
+    path: "{{ conf_dir }}/auto-generated-conf.sh"
     prefix: envsetup_
     lower: true
 
 - name: load local conf
+  when: check_local_conf.stat.exists
   changed_when: false
   check_mode: false
   source_file:
-    path: "{{ conf_repo_dest }}/conf.sh"
+    path: "{{ conf_dir }}/conf.sh"
     prefix: envsetup_
     lower: true
 

roles/fail2ban/defaults/main.yml

@@ -4,13 +4,13 @@ f2b_packages:
   - fail2ban
   - rsyslog
 
-f2b_enabled: "{% if envsetup_fail2ban_enabled | bool %}true{% else %}false{% endif %}"
+f2b_enabled: "{% if envsetup_fail2ban_enabled | default(false) %}true{% else %}false{% endif %}"
 f2b_ignoreip: 127.0.0.1/8 ::1
 f2b_maxretry: "{{ envsetup_fail2ban_maxretry | default('5', true) }}"
 f2b_bantime: "{{ envsetup_fail2ban_bantime | default('10m', true) }}"
 f2b_sender: "{{ envsetup_email_sender | default('root@localhost', true) }}"
-f2b_destemail: "{% if envsetup_fail2ban_dest_email is string %}{{ envsetup_fail2ban_dest_email }}{% else %}{{ envsetup_fail2ban_dest_email | join(',') }}{% endif %}"
-f2b_destemail_admins: "{% if envsetup_email_admins is string %}{{ envsetup_email_admins }}{% else %}{{ envsetup_email_admins | join(',') }}{% endif %}"
-f2b_action: "{% if envsetup_fail2ban_send_email | bool %}action_mwl{% else %}action_{% endif %}"
+f2b_destemail: "{% if envsetup_fail2ban_dest_email is defined %}{% if envsetup_fail2ban_dest_email is string %}{{ envsetup_fail2ban_dest_email }}{% else %}{{ envsetup_fail2ban_dest_email | join(',') }}{% endif %}{% endif %}"
+f2b_destemail_admins: "{% if envsetup_email_admins is defined %}{% if envsetup_email_admins is string %}{{ envsetup_email_admins }}{% else %}{{ envsetup_email_admins | join(',') }}{% endif %}{% endif %}"
+f2b_action: "{% if envsetup_fail2ban_send_email | default(false) %}action_mwl{% else %}action_{% endif %}"
 
 ...

roles/mediaserver/defaults/main.yml

@@ -12,13 +12,13 @@ server_packages:
 server_default_email_sender: "noreply@{{ server_hostname }}"
 server_email_sender: "{{ envsetup_email_sender | default(server_default_email_sender, true) }}"
 
-server_id: "{{ envsetup_ms_id }}"
+server_id: "{{ envsetup_ms_id | d() }}"
 server_instance_name: "{{ server_id.split('_')[-1] }}"
-server_hostname: "{{ envsetup_ms_server_name }}"
-server_campusmanager: "{{ envsetup_cm_server_name | d('mirismanager.' + server_hostname) }}"
-server_api_key: "{{ envsetup_ms_api_key }}"
-server_superuser_passwd: "{{ envsetup_ms_superuser_pwd }}"
-server_admin_passwd: "{{ envsetup_ms_admin_pwd }}"
+server_hostname: "{{ envsetup_ms_server_name | d('mediaserver', true) }}"
+server_campusmanager: "{{ envsetup_cm_server_name | d() }}"
+server_api_key: "{{ envsetup_ms_api_key | d() }}"
+server_superuser_passwd: "{{ envsetup_ms_superuser_pwd | d() }}"
+server_admin_passwd: "{{ envsetup_ms_admin_pwd | d() }}"
 server_instances:
   - name: "{{ server_instance_name }}"
     ms_server_name: "{{ server_hostname }}"
@@ -28,9 +28,9 @@ server_instances:
     ms_superuser_pwd: "{{ server_superuser_passwd }}"
     ms_admin_pwd: "{{ server_admin_passwd }}"
 
-server_celerity_signing_key: "{{ envsetup_celerity_signing_key }}"
+server_celerity_signing_key: "{{ envsetup_celerity_signing_key | d('change-me', true) }}"
 
-server_live_host: "{{ envsetup_live_host | d('') }}"
+server_live_host: "{{ envsetup_live_host | d() }}"
 
 server_firewall_enabled: true
 server_ferm_rules_filename: server

roles/mediaworker/defaults/main.yml

 ---
 
-worker_celerity_signing_key: "{{ envsetup_celerity_signing_key }}"
-worker_celerity_server: "{{ envsetup_celerity_server | d(envsetup_ms_server_name, true) }}"
+worker_celerity_signing_key: "{{ envsetup_celerity_signing_key | d('change-me', true) }}"
+worker_celerity_server: "{{ envsetup_celerity_server | d(envsetup_ms_server_name, true) | d('127.0.0.1', true) }}"
 
-worker_ms_id: "{{ envsetup_ms_id }}"
-worker_ms_api_key: "{{ envsetup_ms_api_key }}"
-worker_ms_hostname: "{{ envsetup_ms_server_name }}"
+worker_ms_id: "{{ envsetup_ms_id | d() }}"
+worker_ms_api_key: "{{ envsetup_ms_api_key | d() }}"
+worker_ms_hostname: "{{ envsetup_ms_server_name | d() }}"
 worker_ms_instances:
   - ms_id: "{{ worker_ms_id }}"
     ms_api_key: "{{ worker_ms_api_key }}"

roles/mirismanager/defaults/main.yml

@@ -12,10 +12,10 @@ manager_packages:
   - ubicast-skyreach
 
 manager_testing: false
-manager_hostname: "{{ envsetup_cm_server_name }}"
+manager_hostname: "{{ envsetup_cm_server_name | d('mirismanager', true) }}"
 manager_default_email_sender: "noreply@{{ manager_hostname }}"
 manager_email_sender: "{{ envsetup_email_sender | default(manager_default_email_sender, true) }}"
-manager_proxy_http: "{{ envsetup_proxy_http }}"
+manager_proxy_http: "{{ envsetup_proxy_http | d() }}"
 
 manager_firewall_enabled: true
 manager_ferm_rules_filename: manager

roles/munin/msmonitor/defaults/main.yml

 ---
 
-monitor_shell_pwd: "{{ envsetup_monitor_shell_pwd }}"
-monitor_hostname: "{{ envsetup_monitor_server_name }}"
+monitor_shell_pwd: "{{ envsetup_monitor_shell_pwd | d() }}"
+monitor_hostname: "{{ envsetup_monitor_server_name | d('monitor', true) }}"
 
 monitor_firewall_enabled: true
 monitor_ferm_rules_filename: monitor

roles/netcapture/defaults/main.yml

 ---
 
 netcapture_registry_host: registry.ubicast.eu
-netcapture_registry_login: "{{ envsetup_netcapture_docker_login }}"
-netcapture_registry_password: "{{ envsetup_netcapture_docker_pwd }}"
+netcapture_registry_login: "{{ envsetup_netcapture_docker_login | d() }}"
+netcapture_registry_password: "{{ envsetup_netcapture_docker_pwd | d() }}"
 netcapture_cm_url: "https://{{ envsetup_cm_server_name | default('https://mirismanager.ubicast.eu', true) }}"
 netcapture_check_ssl: true
 netcapture_conf_folder: /etc/miris/conf

roles/postfix/defaults/main.yml

@@ -4,12 +4,12 @@ postfix_packages:
   - postfix
   - bsd-mailx
 
-postfix_mailname: "{{ envsetup_ms_server_name }}"
+postfix_mailname: "{{ envsetup_ms_server_name | d() }}"
 postfix_default_email_sender: noreply@{{ postfix_mailname }}
 postfix_email_sender: "{{ envsetup_email_sender | default(postfix_default_email_sender, true) }}"
-postfix_relay_host: "{{ envsetup_email_smtp_server }}"
-postfix_relay_user: "{{ envsetup_email_smtp_user }}"
-postfix_relay_pass: "{{ envsetup_email_smtp_pwd }}"
+postfix_relay_host: "{{ envsetup_email_smtp_server | d() }}"
+postfix_relay_user: "{{ envsetup_email_smtp_user | d() }}"
+postfix_relay_pass: "{{ envsetup_email_smtp_pwd | d() }}"
 postfix_admin: sysadmin@ubicast.eu
 
 ...

roles/sysconfig/defaults/main.yml

@@ -5,41 +5,31 @@ repos_deb: deb.debian.org
 repos_deb_sec: security.debian.org
 repos_release: "{{ ansible_distribution_release }}"
 
-repos_skyreach_token: "{{ envsetup_skyreach_apt_token }}"
-repos_skyreach_host: "{{ envsetup_skyreach_host }}"
-
+repos_skyreach_token: "{{ envsetup_skyreach_apt_token | d('') }}"
+repos_skyreach_host: "{{ envsetup_skyreach_host | d('mirismanager.ubicast.eu', true) }}"
 
 sysconfig_packages:
   - bash-completion
   - curl
-  - git
   - host
   - htop
+  - iftop
   - ifupdown
   - iotop
-  - iftop
   - ipython3
   - lm-sensors
   - make
+  - man
   - net-tools
   - netcat
   - nfs-client
   - openssh-server
   - pciutils
-  - python3-psutil
-  - python3-openssl
-  - python3-requests
-  - python3-spf
-  - python3-packaging
-  - python3-lxml
   - pwgen
   - rsync
   - smartmontools
   - sudo
-  - unattended-upgrades
   - vim
-  - man
-  - git-man
 
 sysconfig_firewall_enabled: true
 sysconfig_ferm_rules_filename: sysutils
@@ -68,6 +58,6 @@ init_timezone: "{{ envsetup_timezone | d('Etc/UTC', true) }}"
 sysconfig_logs_packages:
   - rsyslog
 
-ntp_servers: "{{ envsetup_ntp_server }}"
+ntp_servers: "{{ envsetup_ntp_server | d('0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org', true) }}"
 
 ...

roles/sysconfig/tasks/locale.yml

@@ -9,6 +9,7 @@
   until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
 
 - name: generate locale
+  when: init_locale != 'C.UTF-8'
   locale_gen:
     name: "{{ init_locale }}"
 

roles/sysconfig/tasks/main.yml

 ---
 - include: repos.yml
 
+# Upgrade already installed packages to latest version and clean system
+
+- name: apt update
+  apt:
+    force_apt_get: true
+    install_recommends: false
+    update_cache: true
+  register: apt_status
+  retries: 60
+  until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
+
+- name: apt dist upgrade
+  apt:
+    force_apt_get: true
+    install_recommends: false
+    upgrade: dist
+  register: apt_status
+  retries: 60
+  until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
+
+- name: apt clean and autoremove
+  apt:
+    force_apt_get: true
+    install_recommends: false
+    autoclean: true
+    autoremove: true
+  register: apt_status
+  retries: 60
+  until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
+
+# Install new packages and remove conflicts
+
 - name: install system utilities
   apt:
     force_apt_get: true
@@ -26,6 +58,8 @@
   retries: 60
   until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
 
+# Enable automatic security upgrades
+
 - name: install unattended-upgrades
   apt:
     force_apt_get: true
@@ -50,10 +84,17 @@
     replace: 'Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";'
   notify: restart unattended-upgrades
 
+- name: allow automatic updates for ubicast security
+  lineinfile:
+    path: /etc/apt/apt.conf.d/50unattended-upgrades
+    insertafter: '^Unattended-Upgrade::Origins-Pattern {$'
+    line: '        "origin=UbiCast,label=UbiCast-Security";'
+    backup: true
+
 - name: enable root login via ssh with key
   replace:
     dest: /etc/ssh/sshd_config
-    regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
+    regexp: "^#PermitRootLogin (yes|without-password|prohibit-password)"
     replace: "PermitRootLogin without-password"
   notify: restart sshd
 

roles/sysconfig/tasks/repos.yml

@@ -26,20 +26,25 @@
       deb {{ repos_prefix }}{{ repos_deb }}/debian {{ repos_release }}-updates main contrib non-free
       deb {{ repos_prefix }}{{ repos_deb_sec }}/debian-security {{ repos_release }}/updates main contrib non-free
 
-- name: add skyreach apt repo key
-  when:
-    - not offline_mode | d(false)
-    - repos_skyreach_token | d(false)
+- name: add ubicast apt repo key
+  when: not offline_mode | d(false)
   apt_key:
     url: https://{{ repos_skyreach_host }}/media/public.gpg
 
-- name: add skyreach apt repo
+- name: add ubicast apt repo
   when:
     - not offline_mode | d(false)
     - repos_skyreach_token | d(false)
   apt_repository:
     repo: deb https://{{ repos_skyreach_host }} packaging/apt/{{ repos_skyreach_token }}/
-    filename: skyreach
+    filename: ubicast
+    update_cache: true
+
+- name: add ubicast security apt repo
+  when: not offline_mode | d(false)
+  apt_repository:
+    repo: deb https://{{ repos_skyreach_host }} packaging/apt/ubicast-security-updates/
+    filename: ubicast-secu
     update_cache: true
 
 ...

roles/tester/defaults/main.yml

+---
+
+tester_packages:
+  - ubicast-env
+  - ubicast-tester
+
+...