Commit 2c52e03b authored by Stéphane Diemer's avatar Stéphane Diemer

Security repository changes | refs #33830

parent 11de0baf
Showing
with 141 additions and 109 deletions
......@@ -9,7 +9,7 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
def test_apt_source_skyreach_file(host):
f = host.file("/etc/apt/sources.list.d/skyreach.list")
f = host.file("/etc/apt/sources.list.d/ubicast.list")
assert f.exists
assert f.is_file
......
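Review bot: The test still only asserts `/etc/apt/sources.list.d/ubicast.list` (L17), but this commit also adds a second sources file in repos.yml via `apt_repository` with `filename: ubicast-secu`, and `ubicast.list` is only written when `repos_skyreach_token` is set, so on a host without a token the test fails while the unconditional security repository stays untested. Add a sibling check for `/etc/apt/sources.list.d/ubicast-secu.list` (`f = host.file("/etc/apt/sources.list.d/ubicast-secu.list")` followed by the same `exists`/`is_file` assertions), and either gate the `ubicast.list` check on the token being configured or assert only the unconditional file. `test_apt_source_skyreach_file` may continue below the hunk.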
......@@ -70,7 +70,7 @@
- name: disable skyreach repository
shell:
cmd: mv -f /etc/apt/sources.list.d/skyreach.list /etc/apt/sources.list.d/skyreach.list.migrate
cmd: mv -f /etc/apt/sources.list.d/ubicast.list /etc/apt/sources.list.d/ubicast.list.migrate
- name: update sources list
copy:
......
......@@ -48,4 +48,7 @@
- import_playbook: munin/all.yml
tags: monitor
- import_playbook: tester.yml
tags: tester
...
#!/usr/bin/env ansible-playbook
---
- name: Install UbiCast tester
hosts: all
tags: all
roles:
- tester
...
---
celerity_signing_key: "{{ envsetup_celerity_signing_key }}"
celerity_server: "{{ envsetup_celerity_server | d(envsetup_ms_server_name, true) }}"
celerity_signing_key: "{{ envsetup_celerity_signing_key | d('change-me', true) }}"
celerity_server: "{{ envsetup_celerity_server | d(envsetup_ms_server_name, true) | d('127.0.0.1', true) }}"
celerity_ms_id: "{{ envsetup_ms_id }}"
celerity_ms_api_key: "{{ envsetup_ms_api_key }}"
celerity_ms_hostname: "{{ envsetup_ms_server_name }}"
celerity_ms_id: "{{ envsetup_ms_id | d() }}"
celerity_ms_api_key: "{{ envsetup_ms_api_key | d() }}"
celerity_ms_hostname: "{{ envsetup_ms_server_name | d() }}"
celerity_ms_instances:
- ms_id: "{{ celerity_ms_id }}"
ms_api_key: "{{ celerity_ms_api_key }}"
......
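Review bot: `celerity_signing_key` now falls back to the literal `'change-me'` (L46) when `envsetup_celerity_signing_key` is unset, so a host deployed without that variable is rendered with a well-known signing secret instead of failing at templating time; the same fallback is introduced for `server_celerity_signing_key` (L237) and `worker_celerity_signing_key` (L246). If the goal is only to make the role renderable without a conf.sh, a fail-closed form is safer: keep `| d()` so the consuming template still has to handle an empty key, or add a pre-task `assert` that the key is defined and is not `'change-me'` before it is written to any configuration file. `celerity_ms_instances` (L54-L56) continues below the hunk.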
......@@ -9,5 +9,7 @@ SERVER_URL = 'https://{{ celerity_server }}:6200'
# MediaServer interactions
MEDIASERVERS = {
{% if celerity_ms_id and celerity_ms_hostname and celerity_ms_api_key %}
'{{ celerity_ms_id }}': {'url': 'https://{{ celerity_ms_hostname }}', 'api_key': '{{ celerity_ms_api_key }}'},
{% endif %}
}
......@@ -7,9 +7,7 @@ conf_req_packages:
conf_req_packages_online:
- git
conf_repo_url: https://mirismanager.ubicast.eu/git/mediaserver/envsetup.git
conf_repo_version: "{{ lookup('env', 'ENVSETUP_BRANCH') | d('stable', true) }}"
conf_repo_dest: /root/envsetup
conf_dir: /root/envsetup
conf_host: "{{ skyreach_host | default('mirismanager.ubicast.eu', true) }}"
conf_valid_cert: "{{ skyreach_valid_cert | default(true, true) }}"
......
......@@ -26,23 +26,6 @@
retries: 60
until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
- name: clone envsetup repository
when: not offline_mode | d(false)
ignore_errors: true
register: conf_clone
git:
repo: "{{ conf_repo_url }}"
version: "{{ conf_repo_version }}"
dest: "{{ conf_repo_dest }}"
- name: ask to continue
when:
- not offline_mode | d(false)
- conf_clone is failed
pause:
prompt: "Previous task failed, it may be normal if you have local changes in the commited files, do you want to continue anyway?"
seconds: 30
- name: generate root ssh key pair
register: conf_root
user:
......@@ -51,17 +34,17 @@
ssh_key_type: ed25519
ssh_key_file: .ssh/id_ed25519
- name: check if auto-generated-conf.sh exists
check_mode: false
register: check_conf
stat:
path: "{{ conf_repo_dest }}/auto-generated-conf.sh"
- name: create conf dir
file:
path: "{{ conf_dir }}"
state: directory
mode: "0700"
- name: check if conf.sh exists
- name: check if auto-generated-conf.sh exists
check_mode: false
register: check_local_conf
register: check_auto_conf
stat:
path: "{{ conf_repo_dest }}/conf.sh"
path: "{{ conf_dir }}/auto-generated-conf.sh"
- name: download conf and update ssh public key with activation key
when: skyreach_activation_key | d(false)
......@@ -69,7 +52,7 @@
changed_when: conf_dl_ak.status == 200
failed_when:
- conf_dl_ak.status != 200
- not check_conf.stat.exists
- not check_auto_conf.stat.exists
- not skyreach_system_key
uri:
url: https://{{ conf_host }}/erp/credentials/envsetup-conf.sh
......@@ -83,13 +66,13 @@
- name: download conf and update ssh public key with system key
when:
- not check_conf.stat.exists or conf_update
- not check_auto_conf.stat.exists or conf_update
- skyreach_system_key | d(false)
register: conf_dl_sk
changed_when: conf_dl_sk.status == 200
failed_when:
- conf_dl_sk.status != 200
- not check_conf.stat.exists
- not check_auto_conf.stat.exists
uri:
url: https://{{ conf_host }}/erp/credentials/envsetup-conf.sh
method: POST
......@@ -107,45 +90,37 @@
when: item is changed
copy:
content: "{{ item.content }}"
dest: "{{ conf_repo_dest }}/auto-generated-conf.sh"
dest: "{{ conf_dir }}/auto-generated-conf.sh"
force: true
backup: true
- name: touch generated conf
file:
path: "{{ conf_repo_dest }}/auto-generated-conf.sh"
access_time: preserve
modification_time: preserve
state: touch
- name: touch local conf
file:
path: "{{ conf_repo_dest }}/conf.sh"
access_time: preserve
modification_time: preserve
state: touch
- name: check if auto-generated-conf.sh exists
check_mode: false
register: check_auto_conf
stat:
path: "{{ conf_dir }}/auto-generated-conf.sh"
- name: load global conf
changed_when: false
- name: check if conf.sh exists
check_mode: false
source_file:
path: "{{ conf_repo_dest }}/global-conf.sh"
prefix: envsetup_
lower: true
register: check_local_conf
stat:
path: "{{ conf_dir }}/conf.sh"
- name: load generated conf
when: check_auto_conf.stat.exists
changed_when: false
check_mode: false
source_file:
path: "{{ conf_repo_dest }}/auto-generated-conf.sh"
path: "{{ conf_dir }}/auto-generated-conf.sh"
prefix: envsetup_
lower: true
- name: load local conf
when: check_local_conf.stat.exists
changed_when: false
check_mode: false
source_file:
path: "{{ conf_repo_dest }}/conf.sh"
path: "{{ conf_dir }}/conf.sh"
prefix: envsetup_
lower: true
......
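Review bot: The `copy` task that writes `{{ conf_dir }}/auto-generated-conf.sh` (L145-L150) sets `force` and `backup` but no `mode`, so the file is created with the umask default even though `conf_dir` itself is created `0700` (L104-L108); the later `source_file` tasks load this file as `envsetup_*` variables, which per the defaults touched in this commit include API keys and passwords, so `mode: "0600"` belongs on the `copy` as well. `backup: true` also leaves timestamped copies of the previous content next to it — worth confirming that is intended for a credentials file, since those copies get no tighter permissions either. The task header (its `name` and loop) is above the hunk.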
......@@ -4,13 +4,13 @@ f2b_packages:
- fail2ban
- rsyslog
f2b_enabled: "{% if envsetup_fail2ban_enabled | bool %}true{% else %}false{% endif %}"
f2b_enabled: "{% if envsetup_fail2ban_enabled | default(false) %}true{% else %}false{% endif %}"
f2b_ignoreip: 127.0.0.1/8 ::1
f2b_maxretry: "{{ envsetup_fail2ban_maxretry | default('5', true) }}"
f2b_bantime: "{{ envsetup_fail2ban_bantime | default('10m', true) }}"
f2b_sender: "{{ envsetup_email_sender | default('root@localhost', true) }}"
f2b_destemail: "{% if envsetup_fail2ban_dest_email is string %}{{ envsetup_fail2ban_dest_email }}{% else %}{{ envsetup_fail2ban_dest_email | join(',') }}{% endif %}"
f2b_destemail_admins: "{% if envsetup_email_admins is string %}{{ envsetup_email_admins }}{% else %}{{ envsetup_email_admins | join(',') }}{% endif %}"
f2b_action: "{% if envsetup_fail2ban_send_email | bool %}action_mwl{% else %}action_{% endif %}"
f2b_destemail: "{% if envsetup_fail2ban_dest_email is defined %}{% if envsetup_fail2ban_dest_email is string %}{{ envsetup_fail2ban_dest_email }}{% else %}{{ envsetup_fail2ban_dest_email | join(',') }}{% endif %}{% endif %}"
f2b_destemail_admins: "{% if envsetup_email_admins is defined %}{% if envsetup_email_admins is string %}{{ envsetup_email_admins }}{% else %}{{ envsetup_email_admins | join(',') }}{% endif %}{% endif %}"
f2b_action: "{% if envsetup_fail2ban_send_email | default(false) %}action_mwl{% else %}action_{% endif %}"
...
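Review bot: Dropping `| bool` from `f2b_enabled` (L202) and `f2b_action` (L212) changes how string values are interpreted: the `envsetup_*` variables appear to be loaded from shell-style conf files by the `source_file` tasks in this commit, so a value such as `"false"` or `"no"` arrives as a non-empty string, which Jinja treats as truthy, and fail2ban or its mail action would be switched on against the operator's setting. Keep the default and the cast together: `f2b_enabled: "{% if envsetup_fail2ban_enabled | default(false) | bool %}true{% else %}false{% endif %}"` and `f2b_action: "{% if envsetup_fail2ban_send_email | default(false) | bool %}action_mwl{% else %}action_{% endif %}"`.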
......@@ -12,13 +12,13 @@ server_packages:
server_default_email_sender: "noreply@{{ server_hostname }}"
server_email_sender: "{{ envsetup_email_sender | default(server_default_email_sender, true) }}"
server_id: "{{ envsetup_ms_id }}"
server_id: "{{ envsetup_ms_id | d() }}"
server_instance_name: "{{ server_id.split('_')[-1] }}"
server_hostname: "{{ envsetup_ms_server_name }}"
server_campusmanager: "{{ envsetup_cm_server_name | d('mirismanager.' + server_hostname) }}"
server_api_key: "{{ envsetup_ms_api_key }}"
server_superuser_passwd: "{{ envsetup_ms_superuser_pwd }}"
server_admin_passwd: "{{ envsetup_ms_admin_pwd }}"
server_hostname: "{{ envsetup_ms_server_name | d('mediaserver', true) }}"
server_campusmanager: "{{ envsetup_cm_server_name | d() }}"
server_api_key: "{{ envsetup_ms_api_key | d() }}"
server_superuser_passwd: "{{ envsetup_ms_superuser_pwd | d() }}"
server_admin_passwd: "{{ envsetup_ms_admin_pwd | d() }}"
server_instances:
- name: "{{ server_instance_name }}"
ms_server_name: "{{ server_hostname }}"
......@@ -28,9 +28,9 @@ server_instances:
ms_superuser_pwd: "{{ server_superuser_passwd }}"
ms_admin_pwd: "{{ server_admin_passwd }}"
server_celerity_signing_key: "{{ envsetup_celerity_signing_key }}"
server_celerity_signing_key: "{{ envsetup_celerity_signing_key | d('change-me', true) }}"
server_live_host: "{{ envsetup_live_host | d('') }}"
server_live_host: "{{ envsetup_live_host | d() }}"
server_firewall_enabled: true
server_ferm_rules_filename: server
......
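Review bot: `server_superuser_passwd` and `server_admin_passwd` (L228-L229) now default to an empty string via `| d()` instead of failing on an undefined variable, and they are passed straight into `server_instances` (L234-L235); unless the consuming role rejects empty values, a host provisioned without a conf.sh could end up with instances carrying empty credentials. The same pattern is introduced for `monitor_shell_pwd` (L273) and `postfix_relay_pass` (L300). A pre-task `assert` that these are non-empty wherever the accounts are actually created, or leaving them undefined so templating fails loudly, would keep the previous fail-closed behaviour. `server_instances` continues between the two hunks.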
---
worker_celerity_signing_key: "{{ envsetup_celerity_signing_key }}"
worker_celerity_server: "{{ envsetup_celerity_server | d(envsetup_ms_server_name, true) }}"
worker_celerity_signing_key: "{{ envsetup_celerity_signing_key | d('change-me', true) }}"
worker_celerity_server: "{{ envsetup_celerity_server | d(envsetup_ms_server_name, true) | d('127.0.0.1', true) }}"
worker_ms_id: "{{ envsetup_ms_id }}"
worker_ms_api_key: "{{ envsetup_ms_api_key }}"
worker_ms_hostname: "{{ envsetup_ms_server_name }}"
worker_ms_id: "{{ envsetup_ms_id | d() }}"
worker_ms_api_key: "{{ envsetup_ms_api_key | d() }}"
worker_ms_hostname: "{{ envsetup_ms_server_name | d() }}"
worker_ms_instances:
- ms_id: "{{ worker_ms_id }}"
ms_api_key: "{{ worker_ms_api_key }}"
......
......@@ -12,10 +12,10 @@ manager_packages:
- ubicast-skyreach
manager_testing: false
manager_hostname: "{{ envsetup_cm_server_name }}"
manager_hostname: "{{ envsetup_cm_server_name | d('mirismanager', true) }}"
manager_default_email_sender: "noreply@{{ manager_hostname }}"
manager_email_sender: "{{ envsetup_email_sender | default(manager_default_email_sender, true) }}"
manager_proxy_http: "{{ envsetup_proxy_http }}"
manager_proxy_http: "{{ envsetup_proxy_http | d() }}"
manager_firewall_enabled: true
manager_ferm_rules_filename: manager
......
---
monitor_shell_pwd: "{{ envsetup_monitor_shell_pwd }}"
monitor_hostname: "{{ envsetup_monitor_server_name }}"
monitor_shell_pwd: "{{ envsetup_monitor_shell_pwd | d() }}"
monitor_hostname: "{{ envsetup_monitor_server_name | d('monitor', true) }}"
monitor_firewall_enabled: true
monitor_ferm_rules_filename: monitor
......
---
netcapture_registry_host: registry.ubicast.eu
netcapture_registry_login: "{{ envsetup_netcapture_docker_login }}"
netcapture_registry_password: "{{ envsetup_netcapture_docker_pwd }}"
netcapture_registry_login: "{{ envsetup_netcapture_docker_login | d() }}"
netcapture_registry_password: "{{ envsetup_netcapture_docker_pwd | d() }}"
netcapture_cm_url: "https://{{ envsetup_cm_server_name | default('https://mirismanager.ubicast.eu', true) }}"
netcapture_check_ssl: true
netcapture_conf_folder: /etc/miris/conf
......
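Review bot: `netcapture_cm_url` (L284, unchanged by this commit) prepends `https://` to a default that already contains the scheme, so an installation without `envsetup_cm_server_name` renders `https://https://mirismanager.ubicast.eu`; the default should be the bare host, `netcapture_cm_url: "https://{{ envsetup_cm_server_name | default('mirismanager.ubicast.eu', true) }}"`, matching `conf_host` and `repos_skyreach_host` elsewhere in this commit. Since `netcapture_registry_login`/`netcapture_registry_password` (L282-L283) now default to empty rather than undefined, the task that logs in to `netcapture_registry_host` presumably needs a guard on empty credentials too; that task is not on this page.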
......@@ -4,12 +4,12 @@ postfix_packages:
- postfix
- bsd-mailx
postfix_mailname: "{{ envsetup_ms_server_name }}"
postfix_mailname: "{{ envsetup_ms_server_name | d() }}"
postfix_default_email_sender: noreply@{{ postfix_mailname }}
postfix_email_sender: "{{ envsetup_email_sender | default(postfix_default_email_sender, true) }}"
postfix_relay_host: "{{ envsetup_email_smtp_server }}"
postfix_relay_user: "{{ envsetup_email_smtp_user }}"
postfix_relay_pass: "{{ envsetup_email_smtp_pwd }}"
postfix_relay_host: "{{ envsetup_email_smtp_server | d() }}"
postfix_relay_user: "{{ envsetup_email_smtp_user | d() }}"
postfix_relay_pass: "{{ envsetup_email_smtp_pwd | d() }}"
postfix_admin: sysadmin@ubicast.eu
...
......@@ -5,41 +5,31 @@ repos_deb: deb.debian.org
repos_deb_sec: security.debian.org
repos_release: "{{ ansible_distribution_release }}"
repos_skyreach_token: "{{ envsetup_skyreach_apt_token }}"
repos_skyreach_host: "{{ envsetup_skyreach_host }}"
repos_skyreach_token: "{{ envsetup_skyreach_apt_token | d('') }}"
repos_skyreach_host: "{{ envsetup_skyreach_host | d('mirismanager.ubicast.eu', true) }}"
sysconfig_packages:
- bash-completion
- curl
- git
- host
- htop
- iftop
- ifupdown
- iotop
- iftop
- ipython3
- lm-sensors
- make
- man
- net-tools
- netcat
- nfs-client
- openssh-server
- pciutils
- python3-psutil
- python3-openssl
- python3-requests
- python3-spf
- python3-packaging
- python3-lxml
- pwgen
- rsync
- smartmontools
- sudo
- unattended-upgrades
- vim
- man
- git-man
sysconfig_firewall_enabled: true
sysconfig_ferm_rules_filename: sysutils
......@@ -68,6 +58,6 @@ init_timezone: "{{ envsetup_timezone | d('Etc/UTC', true) }}"
sysconfig_logs_packages:
- rsyslog
ntp_servers: "{{ envsetup_ntp_server }}"
ntp_servers: "{{ envsetup_ntp_server | d('0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org', true) }}"
...
......@@ -9,6 +9,7 @@
until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
- name: generate locale
when: init_locale != 'C.UTF-8'
locale_gen:
name: "{{ init_locale }}"
......
---
- include: repos.yml
# Upgrade already installed packages to latest version and clean system
- name: apt update
apt:
force_apt_get: true
install_recommends: false
update_cache: true
register: apt_status
retries: 60
until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
- name: apt dist upgrade
apt:
force_apt_get: true
install_recommends: false
upgrade: dist
register: apt_status
retries: 60
until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
- name: apt clean and autoremove
apt:
force_apt_get: true
install_recommends: false
autoclean: true
autoremove: true
register: apt_status
retries: 60
until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
# Install new packages and remove conflicts
- name: install system utilities
apt:
force_apt_get: true
......@@ -26,6 +58,8 @@
retries: 60
until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
# Enable automatic security upgrades
- name: install unattended-upgrades
apt:
force_apt_get: true
......@@ -50,10 +84,17 @@
replace: 'Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";'
notify: restart unattended-upgrades
- name: allow automatic updates for ubicast security
lineinfile:
path: /etc/apt/apt.conf.d/50unattended-upgrades
insertafter: '^Unattended-Upgrade::Origins-Pattern {$'
line: ' "origin=UbiCast,label=UbiCast-Security";'
backup: true
- name: enable root login via ssh with key
replace:
dest: /etc/ssh/sshd_config
regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
regexp: "^#PermitRootLogin (yes|without-password|prohibit-password)"
replace: "PermitRootLogin without-password"
notify: restart sshd
......
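Review bot: The new `lineinfile` task (L400-L405) inserts the UbiCast-Security origin but, unlike the `replace` task directly above it (L398-L399), does not `notify: restart unattended-upgrades`, so the existing handler is not triggered when the origin list changes; adding the same `notify` keeps the two tasks consistent. Without a `regexp`, the module only matches the exact `line`, so a later hand edit of that entry (spacing, trailing comment) produces a duplicate on the next run; `regexp: '^\s*"origin=UbiCast,label=UbiCast-Security";'` alongside `insertafter` keeps it idempotent. Whether the `origin=`/`label=` pair matches the Release file of the `ubicast-security-updates` repository added in repos.yml cannot be checked from this page; a testinfra check on `/etc/apt/apt.conf.d/50unattended-upgrades` would pin it. The `lineinfile` task's enclosing play starts above the hunk.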
......@@ -26,20 +26,25 @@
deb {{ repos_prefix }}{{ repos_deb }}/debian {{ repos_release }}-updates main contrib non-free
deb {{ repos_prefix }}{{ repos_deb_sec }}/debian-security {{ repos_release }}/updates main contrib non-free
- name: add skyreach apt repo key
when:
- not offline_mode | d(false)
- repos_skyreach_token | d(false)
- name: add ubicast apt repo key
when: not offline_mode | d(false)
apt_key:
url: https://{{ repos_skyreach_host }}/media/public.gpg
- name: add skyreach apt repo
- name: add ubicast apt repo
when:
- not offline_mode | d(false)
- repos_skyreach_token | d(false)
apt_repository:
repo: deb https://{{ repos_skyreach_host }} packaging/apt/{{ repos_skyreach_token }}/
filename: skyreach
filename: ubicast
update_cache: true
- name: add ubicast security apt repo
when: not offline_mode | d(false)
apt_repository:
repo: deb https://{{ repos_skyreach_host }} packaging/apt/ubicast-security-updates/
filename: ubicast-secu
update_cache: true
...
---
tester_packages:
- ubicast-env
- ubicast-tester
...