From c50bb4a9c54ab9a66a5f1bebd5409c9adacbc615 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20L=C3=A1szl=C3=B3?= <rlacko99@gmail.com>
Date: Wed, 15 Sep 2021 22:45:51 +0200
Subject: [PATCH] Base config for kubernetes vm

---
 README.md                                     | 41 +++---------
 base-ansible-role                             |  1 +
 defaults/main.yml                             | 25 ++++++-
 meta/main.yml                                 | 65 +++++--------------
 tasks/floppy.yaml                             | 18 +++++
 tasks/main.yml                                | 36 +++++++++-
 tasks/motd.yml                                | 15 +++++
 tasks/multipath.yaml                          | 15 +++++
 tasks/packages.yml                            | 37 +++++++++++
 tasks/setup_user.yml                          | 51 +++++++++++++++
 tasks/ssh.yml                                 | 20 ++++++
 tasks/update.yml                              |  7 ++
 .../etc/modprobe.d/blacklist-floppy.conf.j2   |  6 ++
 templates/etc/multipath.conf.j2               | 15 +++++
 templates/etc/ssh/sshd_config                 | 39 +++++++++++
 templates/etc/update-motd.d/motd.sh           | 20 ++++++
 16 files changed, 327 insertions(+), 84 deletions(-)
 create mode 120000 base-ansible-role
 create mode 100644 tasks/floppy.yaml
 create mode 100644 tasks/motd.yml
 create mode 100644 tasks/multipath.yaml
 create mode 100644 tasks/packages.yml
 create mode 100644 tasks/setup_user.yml
 create mode 100644 tasks/ssh.yml
 create mode 100644 tasks/update.yml
 create mode 100644 templates/etc/modprobe.d/blacklist-floppy.conf.j2
 create mode 100644 templates/etc/multipath.conf.j2
 create mode 100644 templates/etc/ssh/sshd_config
 create mode 100644 templates/etc/update-motd.d/motd.sh

diff --git a/README.md b/README.md
index 225dd44..206ef68 100644
--- a/README.md
+++ b/README.md
@@ -1,38 +1,13 @@
-Role Name
-=========
+# Role Name
 
-A brief description of the role goes here.
+Base role for every Kubernetes VM.
+It will install base packages, configures ssh and
+disables floppy, multipathd for vmware.
 
-Requirements
-------------
+## License
 
-Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+MIT
 
-Role Variables
---------------
+## Author Information
 
-A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
-
-Dependencies
-------------
-
-A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
-
-Example Playbook
-----------------
-
-Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
-
-    - hosts: servers
-      roles:
-         - { role: username.rolename, x: 42 }
-
-License
--------
-
-BSD
-
-Author Information
-------------------
-
-An optional section for the role authors to include contact information, or a website (HTML is not allowed).
+KSZK
diff --git a/base-ansible-role b/base-ansible-role
new file mode 120000
index 0000000..2d628f4
--- /dev/null
+++ b/base-ansible-role
@@ -0,0 +1 @@
+/home/rlacko/codes/kszk/k8s/cluster-setup/roles/base-ansible-role
\ No newline at end of file
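Review bot: `base-ansible-role` is committed as a symlink to an absolute path on the author's workstation (`/home/rlacko/codes/kszk/k8s/cluster-setup/roles/base-ansible-role`), which dangles on every other checkout and looks like an accidental `git add` of a local working-directory link. It should be removed from the commit, and if the link is needed locally its name belongs in `.gitignore`.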
diff --git a/defaults/main.yml b/defaults/main.yml
index 5c2b873..ccbd58d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,2 +1,25 @@
 ---
-# defaults file for myrole
+timezone: Europe/Budapest
+na: "https://git.sch.bme.hu/kszk/sysadmin/kubernetes/base-ansible-role"
+hostname: "{{ inventory_hostname }}"
+
+ssh:
+  port: 10022
+  pubkeyAuthentication: "yes"
+  passwordAuthentication: "no"
+  permitRootLogin: "without-password"
+  allow:
+    #users: root, ubuntu
+    # groups: root
+    # passwordLoginFrom:
+    #   custom:
+    #     enabled: False
+    #     ipList: "192.168.42.0/24"
+
+users:
+#- name: kszk
+#  comment: "kszk@sch.bme.hu" # optional
+#  sudo: yes
+#  passwordless_sudo: yes
+#  # https://docs.ansible.com/ansible/latest/collections/ansible/posix/authorized_key_module.html#examples
+#  keys_url: https://git.sch.bme.hu/xy.keys
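Review bot: `users:` on the last stanza is a bare key, which YAML parses as null, so `loop: "{{ users }}"` in tasks/main.yml fails with "requires a list" on any host that does not override it instead of looping zero times; the default should be `users: []`, and `allow: {}` under `ssh` for the same reason. The `na:` key also looks like a mislabelled `motd_playbook_url`: templates/etc/update-motd.d/motd.sh renders `{{ motd_playbook_url }}`, which nothing in this patch defines, so the MOTD template task fails with an undefined variable unless the inventory supplies it. The commented `sudo: yes` / `passwordless_sudo: yes` in the example are YAML 1.1 truthy forms; `true`/`false` is what tasks/setup_user.yml already uses for `append`.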
diff --git a/meta/main.yml b/meta/main.yml
index c572acc..7d8d83c 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,52 +1,19 @@
 galaxy_info:
-  author: your name
-  description: your role description
-  company: your company (optional)
-
-  # If the issue tracker for your role is not on github, uncomment the
-  # next line and provide a value
-  # issue_tracker_url: http://example.com/issue/tracker
-
-  # Choose a valid license ID from https://spdx.org - some suggested licenses:
-  # - BSD-3-Clause (default)
-  # - MIT
-  # - GPL-2.0-or-later
-  # - GPL-3.0-only
-  # - Apache-2.0
-  # - CC-BY-4.0
-  license: license (GPL-2.0-or-later, MIT, etc)
-
-  min_ansible_version: 2.1
-
-  # If this a Container Enabled role, provide the minimum Ansible Container version.
-  # min_ansible_container_version:
-
-  #
-  # Provide a list of supported platforms, and for each platform a list of versions.
-  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
-  # To view available platforms and versions (or releases), visit:
-  # https://galaxy.ansible.com/api/v1/platforms/
-  #
-  # platforms:
-  # - name: Fedora
-  #   versions:
-  #   - all
-  #   - 25
-  # - name: SomePlatform
-  #   versions:
-  #   - all
-  #   - 1.0
-  #   - 7
-  #   - 99.99
-
+  author: kszk
+  description: Base role for Kubernetes VMs
+  company: KSZK
+  license: MIT
+  platforms:
+    - name: Ubuntu
+      versions:
+        - all
+  min_ansible_version: 2.9
   galaxy_tags: []
-    # List tags for your role here, one per line. A tag is a keyword that describes
-    # and categorizes the role. Users find roles by searching for tags. Be sure to
-    # remove the '[]' above, if you add tags to this list.
-    #
-    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
-    #       Maximum 20 tags per role.
 
-dependencies: []
-  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
-  # if you add dependencies to this list.
+dependencies:
+  - yatesr.timezone
+
+collections:
+  - community.general
+  - community.crypto
+  - ansible.posix
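Review bot: `min_ansible_version: 2.9` is an unquoted float, so a YAML 1.1 loader hands Galaxy `2.9` as a number and a future bump to `2.10` would silently become `2.1`; write it as `min_ansible_version: "2.9"`. The `collections:` key in meta/main.yml is only honoured by Ansible 2.9 and later, which matches the declared minimum, but a one-line comment saying so (`# role-level collections require Ansible >= 2.9`) saves the next reader a lookup.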
diff --git a/tasks/floppy.yaml b/tasks/floppy.yaml
new file mode 100644
index 0000000..aa82013
--- /dev/null
+++ b/tasks/floppy.yaml
@@ -0,0 +1,18 @@
+---
+
+- name: Disable floppy module
+  template:
+    src: etc/modprobe.d/blacklist-floppy.conf.j2
+    dest: /etc/modprobe.d/blacklist-floppy.conf
+    mode: 0644
+  register: blacklist_floppy
+
+- name: Unload floppy kernel module
+  modprobe:
+    name: floppy
+    state: absent
+  when: blacklist_floppy.changed
+
+- name: Update initramfs after floppy is disabled
+  command: update-initramfs -u
+  when: blacklist_floppy.changed
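Review bot: `mode: 0644` on the Disable floppy module task is an unquoted octal literal; PyYAML turns it into the integer 420, which Ansible maps back to 0644, but the same form written without the leading zero silently becomes a wrong mode, and ansible-lint flags the pattern as `risky-octal`. tasks/setup_user.yml already quotes its mode (`mode: "0600"`), so the role should do the same here and in tasks/motd.yml, tasks/multipath.yaml and tasks/ssh.yml: `mode: "0644"`. This file is also named `.yaml` while its siblings are `.yml`; picking one extension keeps `tasks/` consistent.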
diff --git a/tasks/main.yml b/tasks/main.yml
index 221474d..051d931 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,2 +1,36 @@
 ---
-# tasks file for myrole
+# Dependent roles will be installed first
+
+- name: Set hostname
+  when: hostname is defined
+  hostname:
+    name: "{{ hostname }}"
+  tags: [hostname]
+
+- name: Upgrade packages
+  import_tasks: update.yml
+  tags: [update]
+
+- name: Setup admin users
+  include_tasks: setup_user.yml
+  loop: "{{ users }}"
+  loop_control:
+    loop_var: user
+
+- name: Install basic packages
+  import_tasks: packages.yml
+  tags: [packages]
+
+- name: Setup Message of the day (MOTD)
+  import_tasks: "motd.yml"
+  tags: [motd]
+
+- name: Setup SSH
+  import_tasks: "ssh.yml"
+  tags: [ssh]
+
+- name: Disable floppy
+  include_tasks: floppy.yaml
+
+- name: Fix multipath UUID VMWare errors
+  include_tasks: multipath.yaml
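Review bot: `when: hostname is defined` on the Set hostname task is always true because defaults/main.yml sets `hostname: "{{ inventory_hostname }}"`, so the task can never be skipped by leaving the variable unset; either drop the condition or default `hostname` to an empty string and test `when: hostname | length > 0`. The Disable floppy and Fix multipath steps are `include_tasks` without tags while every other step is a tagged `import_tasks`; a tag added to an `include_tasks` later selects only the include statement itself unless `apply: {tags: [...]}` is used, so switching these two to `import_tasks` with their own tags keeps `--tags` behaviour uniform across the role.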
diff --git a/tasks/motd.yml b/tasks/motd.yml
new file mode 100644
index 0000000..4c2f6cd
--- /dev/null
+++ b/tasks/motd.yml
@@ -0,0 +1,15 @@
+---
+
+- name: Remove parts of factory banner
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /etc/update-motd.d/10-help-text
+    - /etc/update-motd.d/50-motd-news
+
+- name: Place motd file.
+  template:
+    src: etc/update-motd.d/motd.sh
+    dest: /etc/update-motd.d/40-kszk-banner
+    mode: 0755
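Review bot: `with_items` on the Remove parts of factory banner task is the legacy loop form; tasks/main.yml already uses `loop`, so for consistency this should read `loop:` with the same two paths. The placed script is executed by pam_motd as root on every login, so the Place motd file task should state `owner: root` and `group: root` explicitly next to the executable mode rather than relying on the connection user happening to be root.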
diff --git a/tasks/multipath.yaml b/tasks/multipath.yaml
new file mode 100644
index 0000000..9e33371
--- /dev/null
+++ b/tasks/multipath.yaml
@@ -0,0 +1,15 @@
+---
+
+- name: Blacklist multipath in VMWare disks
+  template:
+    src: etc/multipath.conf.j2
+    dest: /etc/multipath.conf
+    mode: 0644
+  register: blacklist_vmware_multipath
+
+- name: Ensure multipath is restarted.
+  service:
+    name: multipath-tools
+    state: restarted
+  when: blacklist_vmware_multipath.changed
+
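Review bot: The Blacklist multipath in VMWare disks task writes /etc/multipath.conf and restarts `multipath-tools` on every host, but nothing in the hunk checks that the host is a VMware guest or that multipath-tools is installed; tasks/packages.yml guards open-vm-tools with `when: ansible_virtualization_type == "VMware"`, and on a host without the package the restart fails the play. Add the same condition to the template task, `when: ansible_virtualization_type == "VMware"`, and the restart then follows through `blacklist_vmware_multipath.changed` as it does now. The trailing blank line at the end of the file is also flagged by yamllint.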
diff --git a/tasks/packages.yml b/tasks/packages.yml
new file mode 100644
index 0000000..68ef1f9
--- /dev/null
+++ b/tasks/packages.yml
@@ -0,0 +1,37 @@
+---
+- name: Install open-vm-tools (if VM)
+  package:
+    name: open-vm-tools
+    state: present
+  when: ansible_virtualization_type == "VMware"
+
+- name: Install basic packages
+  package:
+    state: present
+    name:
+      # Debug tools
+      - sudo
+      - tmux
+      - htop
+      - dnsutils
+      - net-tools
+      - psmisc
+      - strace
+      - tcpdump
+      - xxd
+
+      # Editors
+      - nano
+      - neovim
+
+      # Admin helpers
+      - rsync
+      - tree
+      - molly-guard
+
+      # Dependencies for scripting
+      - python3
+      - unzip
+      - curl
+      - wget
+      - jq
diff --git a/tasks/setup_user.yml b/tasks/setup_user.yml
new file mode 100644
index 0000000..a3fa251
--- /dev/null
+++ b/tasks/setup_user.yml
@@ -0,0 +1,51 @@
+---
+- debug:
+    msg: "{{ user }}"
+
+- name: "Create group for user"
+  group:
+    name: "{{ user.name }}"
+
+- name: "Create user"
+  user:
+    name: "{{ user.name }}"
+    comment: "{{ user.comment | default('') }}"
+    group: "{{ user.name }}"
+    shell: "/bin/{{ user.shell | default('bash') }}"
+
+- name: "SUDO"
+  user:
+    name: "{{ user.name }}"
+    append: true
+    groups:
+      - sudo
+  when: user.sudo
+
+- set_fact:
+    sudoer_file: "/etc/sudoers.d/{{ user.name }}"
+
+- name: sudoers file for the user
+  file:
+    path: "{{ sudoer_file }}"
+    state: touch
+    mode: "0600"
+    owner: root
+    group: root
+
+- name: Insert sudoer file content
+  copy:
+    dest: "{{ sudoer_file }}"
+    content: "{{ user.name }} ALL=(ALL) NOPASSWD:ALL"
+  when: user.passwordless_sudo
+
+- name: "Set password to be expired"
+  command: passwd --delete '{{ user.name }}'
+  when: not user.passwordless_sudo
+
+- name: Set authorized keys
+  ansible.posix.authorized_key:
+    user: "{{ user.name }}"
+    state: present
+    key: "{{ user.keys_url }}"
+    manage_dir: yes
+    exclusive: yes
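Review bot: The Set password to be expired task runs `passwd --delete`, which removes the account's password hash rather than expiring it, leaving a local account (often in the `sudo` group) that can be reached with an empty password wherever PAM permits null passwords — the opposite of what the task name promises — and as a bare `command` it re-runs and reports changed on every play. If the intent is key-only accounts, lock the password through the `user` module (`password_lock: true`); if the intent really is a forced change on first login, `passwd --expire` is the matching flag, though a freshly created locked account cannot satisfy that prompt. The sudoers tasks should also pass `validate: /usr/sbin/visudo -cf %s` so a bad line cannot break sudo for every admin, and sudo expects include files at mode 0440 rather than 0600 (it warns about other modes and, depending on the release, ignores the file — confirm on the target Ubuntu version). `when: user.sudo` and `when: user.passwordless_sudo` raise an undefined-variable error when the inventory omits those keys, which the commented example in defaults/main.yml suggests is allowed; `| default(false)` makes them optional. The `debug` task at the top prints every user dict on every run; give it `verbosity: 1` or drop it.
```yaml
- name: sudoers file for the user
  file:
    path: "{{ sudoer_file }}"
    state: touch
    mode: "0440"
    owner: root
    group: root
    modification_time: preserve
    access_time: preserve

- name: Insert sudoer file content
  copy:
    dest: "{{ sudoer_file }}"
    content: "{{ user.name }} ALL=(ALL) NOPASSWD:ALL\n"
    mode: "0440"
    owner: root
    group: root
    validate: /usr/sbin/visudo -cf %s
  when: user.passwordless_sudo | default(false)

# Conservative reading of the original intent: no usable local password at all.
- name: Lock the account password (SSH key login only)
  user:
    name: "{{ user.name }}"
    password_lock: true
  when: not (user.passwordless_sudo | default(false))

# … unchanged: Set authorized keys task …
```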
diff --git a/tasks/ssh.yml b/tasks/ssh.yml
new file mode 100644
index 0000000..84f0a45
--- /dev/null
+++ b/tasks/ssh.yml
@@ -0,0 +1,20 @@
+---
+- name: Place sshd configuration file.
+  template:
+    src: etc/ssh/sshd_config
+    dest: /etc/ssh/sshd_config
+    mode: 0600
+  register: sshd_config
+
+# disable the ssh.socket, otherwise it will collide with ssh.service
+- name: Ensure ssh socket is disabled
+  service:
+    name: ssh.socket
+    enabled: no
+
+- name: Ensure sshd is started and enabled to start at boot.
+  service:
+    name: sshd
+    state: restarted
+    enabled: yes
+  when: sshd_config.changed
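Review bot: The Place sshd configuration file task has no `validate`, so a template that OpenSSH rejects (an algorithm unsupported on an older release, an inventory override that renders `True` instead of `yes`) is written and `state: restarted` then takes sshd down on the new port 10022 with no remaining way in; add `validate: /usr/sbin/sshd -t -f %s` to the template task so the restart is only reached with a config sshd accepts. Because `ssh.port` defaults to 10022, any later play against the same host needs `ansible_port` set accordingly — worth a comment at the top of this file. `enabled: no` / `enabled: yes` are YAML 1.1 truthy forms; `false` / `true` is what yamllint's `truthy` rule and the role's own `append: true` in tasks/setup_user.yml use.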
diff --git a/tasks/update.yml b/tasks/update.yml
new file mode 100644
index 0000000..5180f9a
--- /dev/null
+++ b/tasks/update.yml
@@ -0,0 +1,7 @@
+---
+- name: Update and upgrade apt packages
+  become: yes
+  apt:
+    upgrade: 'yes'
+    update_cache: yes
+    cache_valid_time: 86400 #One day
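Review bot: `upgrade: 'yes'` performs an unconditional `apt upgrade` of every installed package on each run tagged `update`; if these Kubernetes nodes take kubelet or containerd from apt repositories this can move those versions outside a planned upgrade, so the role should either hold them first (`dpkg_selections` with `selection: hold`) or document that the unrestricted upgrade is intentional — I cannot tell from this patch which applies. `become: yes` appears only on this task although every other task in the role also needs root, which suggests `become` belongs at the play or role level rather than here. The inline comment needs a space after the hash (`# One day`) and the booleans should be `true` rather than `yes`.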
diff --git a/templates/etc/modprobe.d/blacklist-floppy.conf.j2 b/templates/etc/modprobe.d/blacklist-floppy.conf.j2
new file mode 100644
index 0000000..77baf15
--- /dev/null
+++ b/templates/etc/modprobe.d/blacklist-floppy.conf.j2
@@ -0,0 +1,6 @@
+#
+# !!!
+# {{ ansible_managed }}
+# !!!
+
+blacklist floppy
diff --git a/templates/etc/multipath.conf.j2 b/templates/etc/multipath.conf.j2
new file mode 100644
index 0000000..3923c6b
--- /dev/null
+++ b/templates/etc/multipath.conf.j2
@@ -0,0 +1,15 @@
+#
+# !!!
+# {{ ansible_managed }}
+# !!!
+
+defaults {
+    user_friendly_names yes
+}
+
+blacklist {
+    device {
+        vendor "VMware"
+        product "Virtual disk"
+    }
+}
diff --git a/templates/etc/ssh/sshd_config b/templates/etc/ssh/sshd_config
new file mode 100644
index 0000000..2799b9a
--- /dev/null
+++ b/templates/etc/ssh/sshd_config
@@ -0,0 +1,39 @@
+#
+# !!!
+# {{ ansible_managed }}
+# !!!
+
+Protocol 2
+Port {{ ssh.port }}
+
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+PermitRootLogin {{ ssh.permitRootLogin }}
+PubkeyAuthentication {{ ssh.pubkeyAuthentication }}
+PasswordAuthentication {{ ssh.passwordAuthentication }}
+
+MaxAuthTries 6
+
+ChallengeResponseAuthentication no
+KerberosAuthentication no
+GSSAPIAuthentication no
+UsePAM yes
+AllowAgentForwarding yes
+X11Forwarding yes
+PrintMotd no
+
+AcceptEnv LANG LC_*
+
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+{% if ssh.allow.users is defined %}
+AllowUsers {{ ssh.allow.users }}
+{% endif %}
+{% if ssh.allow.groups is defined %}
+AllowGroups {{ ssh.allow.groups }}
+{% endif %}
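Review bot: `X11Forwarding yes` and `AllowAgentForwarding yes` are enabled in a base config for headless Kubernetes VMs, where neither is normally needed and both widen what a compromised or careless session can reach (X11 channels back to the client, the client's agent socket to anyone with root on the node); the conservative default for this role is `X11Forwarding no` and `AllowAgentForwarding no`, overridable per host through the `ssh` dict like the other settings. `Protocol 2` has been ignored by every OpenSSH release since 7.4 and can be dropped. The templated `PubkeyAuthentication` / `PasswordAuthentication` lines render whatever type the variable holds, so an inventory override such as unquoted `passwordAuthentication: no` renders `False`, which sshd rejects at parse time; a comment here or in defaults/main.yml stating that these must be the quoted strings `"yes"` / `"no"` prevents that.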
diff --git a/templates/etc/update-motd.d/motd.sh b/templates/etc/update-motd.d/motd.sh
new file mode 100644
index 0000000..2a745b3
--- /dev/null
+++ b/templates/etc/update-motd.d/motd.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# !!!
+# {{ ansible_managed }}
+# !!!
+
+# source: http://patorjk.com/software/taag/#p=display&f=Standard&t=KSZK%20server
+cat <<EOF
+  _  ______ ______  __                               
+ | |/ / ___|__  / |/ /  ___  ___ _ ____   _____ _ __ 
+ | ' /\___ \ / /| ' /  / __|/ _ \ '__\ \ / / _ \ '__|
+ | . \ ___) / /_| . \  \__ \  __/ |   \ V /  __/ |   
+ |_|\_\____/____|_|\_\ |___/\___|_|    \_/ \___|_|   
+
+EOF
+
+echo "! ! !"
+echo "! Deployed with Ansible on {{ template_run_date.strftime('%Y-%m-%d %H:%M') }}."
+echo "! Playbook: {{ motd_playbook_url }}"
+echo "! ! !"
-- 
GitLab