ansible-collection-base's People

Contributors

cherrykitten avatar evlli avatar jadyndev avatar jcgruenhage avatar jdreichmann avatar johannescpk avatar lrsksr avatar lukaslihotzki-f avatar nikzen avatar ratzupaltuff avatar transcaffeine avatar


Forkers

jadyndev

ansible-collection-base's Issues

Lego: Dependency missing on Debian 11

In GitLab by @jadyn.dev on Jun 15, 2023, 19:35

The dependency cryptography>=1.6 is not installed.

fatal: [******]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "content": null,
            "name_encoding": "ignore",
            "path": "/opt/lego/certificates/******.crt",
            "select_crypto_backend": "auto",
            "valid_at": null
        }
    },
    "msg": "Cannot detect any of the required Python libraries cryptography (>= 1.6)"
}

Fix:
Install python3-cryptography via apt

Changing IP address in inventory only adds new records instead of updating

In GitLab by @lrsksr on Apr 22, 2021, 20:00

When you change the famedly_host_ipv* variable in inventory and play the dns role, only additional A and AAAA records will be created. The old ones still persist, which makes moving hosts or correcting errors more difficult as you have to manually delete the old records.

You could add solo: true to the corresponding tasks, but we probably still want the possibility to define several A and AAAA records with the same record name.
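The behaviour asked for above, reconciling the inventory's addresses against what the DNS zone currently holds instead of only adding records, as an added Python example (not the dns role's own code; the Record type, the sample zone contents and the host name are constructed for the illustration). Several A or AAAA records per name stay possible because the desired state is a set of records, not a single value; only A/AAAA records for names the inventory manages are candidates for deletion, so records of other names or types are left alone:

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Record:
    """One resource record as a DNS API would return it (constructed type)."""
    name: str
    rtype: str   # "A" or "AAAA"
    value: str


MANAGED_TYPES = {"A", "AAAA"}


def host_records(name, addresses):
    """Desired A/AAAA set for one host; the record type follows the address
    family, and an address that does not parse raises ValueError instead of
    ending up as a bogus record in the zone."""
    records = set()
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        rtype = "A" if ip.version == 4 else "AAAA"
        records.add(Record(name, rtype, ip.compressed))
    return records


def reconcile(current, desired):
    """Return (to_create, to_delete).

    A record is deleted only if it is an A/AAAA record for a name that the
    desired set manages and it is not itself desired, so an old IP is removed
    while extra records for other names survive untouched."""
    current, desired = set(current), set(desired)
    managed_names = {r.name for r in desired}
    to_create = sorted(desired - current)
    to_delete = sorted(
        r for r in current - desired
        if r.name in managed_names and r.rtype in MANAGED_TYPES
    )
    return to_create, to_delete


# Constructed zone state: the host moved from 192.0.2.10 to 192.0.2.20 and
# gained a second address; the AAAA record and another host's A record stay.
CURRENT_ZONE = {
    Record("mail.example.org", "A", "192.0.2.10"),
    Record("mail.example.org", "AAAA", "2001:db8::20"),
    Record("other.example.org", "A", "192.0.2.99"),
}
DESIRED = host_records("mail.example.org", ["192.0.2.20", "2001:db8::20", "192.0.2.21"])

if __name__ == "__main__":
    create, delete = reconcile(CURRENT_ZONE, DESIRED)
    print("create:", create)
    print("delete:", delete)
```

The same reconcile step can run in check mode by reporting the two lists without applying them, which is what a `changed_when` in the role would be based on.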

shell customisation

In GitLab by @jcgruenhage on Sep 2, 2021, 11:11

Split out of #1.

We want to have a slightly modified shell for our hosts, so that we can work on them more easily if we need to ssh into them for debugging. This does not need to be super massive, and it shouldn't import too much external stuff for security reasons, but properly working shell completions is a must.

add terminfo for more terminals

In GitLab by @jcgruenhage on May 4, 2021, 12:47

I use foot or kitty, depending on which device I'm on, and running export TERM=xterm each time I connect is annoying. Just putting that line into ~/.profile feels wrong too. The proper fix here would be to add the terminfo files using ansible.

ref #10

Dropbear-initramfs config paths changed in Deb 12

In GitLab by @jadyn.dev on Jul 1, 2023, 16:09

The dropbear_path changed from /etc/dropbear-initramfs to /etc/dropbear/initramfs
please update the paths inside the roles accordingly

On a sidenote: The task "Configure /etc/crypttab" tries to write to a file /etc/dropbear-initramfs/config which doesn't exist (anymore?) and the path should be changed to the actual location of crypttab.

Thankies :3

feat: SSH hardening - [merged]

In GitLab by @jdreichmann on Nov 12, 2020, 13:36

Merges transcaffeine/ssh-hardening -> main

  • Disallows AuthMethods other than pubkey, enforces SSHv2 and turns off rarely used features like x11- and tcp-forwarding, which have an attack surface
  • Enforces key algorithms and ciphers according to BSI specifications and from those, only use trusted ones
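An added Python check for the hardening this MR describes (not the collection's own code or its sshd_config template): it parses an sshd_config the way sshd reads it (first occurrence of a keyword wins, settings inside a Match block are conditional and skipped) and reports deviations. The required-value table, the weak-algorithm substrings and both sample configs are assumptions made for the example; the table also includes the LogLevel VERBOSE setting that another issue on this page asks for:

```python
import re

# Global-section settings the hardening MR describes, plus LogLevel VERBOSE
# (lowercase keyword -> required value). Assumed for this example.
REQUIRED = {
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "authenticationmethods": "publickey",
    "x11forwarding": "no",
    "allowtcpforwarding": "no",
    "loglevel": "verbose",
}

# Substrings that identify algorithms a hardened config should not offer.
WEAK = {
    "ciphers": ("cbc", "arcfour", "3des"),
    "macs": ("md5", "sha1", "-96"),
    "kexalgorithms": ("sha1",),
    "hostkeyalgorithms": ("ssh-dss", "ssh-rsa"),
}

KEYWORD_RE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return {keyword: value} for the global section. sshd uses the first
    occurrence of a keyword, so later duplicates are ignored; parsing stops
    at the first Match block because its settings only apply conditionally."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    # Older sshd spells KbdInteractiveAuthentication as ChallengeResponseAuthentication.
    if "kbdinteractiveauthentication" not in settings and "challengeresponseauthentication" in settings:
        settings["kbdinteractiveauthentication"] = settings["challengeresponseauthentication"]
    return settings


def audit(text):
    """Return a list of findings; an empty list means the config complies."""
    settings = parse_sshd_config(text)
    findings = []
    for key, want in REQUIRED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: not set, sshd default applies")
        elif got.lower() != want:
            findings.append(f"{key}: {got} (want {want})")
    for key, patterns in WEAK.items():
        value = settings.get(key, "")
        if value.startswith("-"):
            continue  # a '-' list removes algorithms from the default set
        for alg in value.lstrip("+^").split(","):
            if alg and any(p in alg.lower() for p in patterns):
                findings.append(f"{key}: weak algorithm {alg}")
    return findings


# Constructed samples: a stock-looking config and a hardened one.
STOCK_CONFIG = """\
Port 22
PasswordAuthentication yes
X11Forwarding yes
Ciphers aes256-ctr,aes128-cbc
"""

HARDENED_CONFIG = """\
PasswordAuthentication no
ChallengeResponseAuthentication no
AuthenticationMethods publickey
X11Forwarding no
AllowTcpForwarding no
LogLevel VERBOSE
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512
KexAlgorithms curve25519-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com
Match User backup
    AllowTcpForwarding yes
"""

if __name__ == "__main__":
    for name, cfg in (("stock", STOCK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "ok")
```

Run it against `/etc/ssh/sshd_config` after the role has been applied; `sshd -T` output is also parseable with the same function and additionally resolves the defaults that the file leaves unset.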

Run SSH daemon on LogLevel=VERBOSE

In GitLab by @jdreichmann on Apr 28, 2021, 10:01

On LogLevel=VERBOSE, SSHD also logs information about pubkey-authentication (failures) in /var/log/auth.log.

For auditing reasons, we should run all instances on that log level, as it allows alerting on unknown fingerprints, weak keys (DSA) and (possibly) unauthorized users successfully authenticating (a successful attack, but still logged, for example)

See https://unix.stackexchange.com/questions/15575/can-i-find-out-which-ssh-key-was-used-to-access-an-account/15586#15586
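The alerting the issue has in mind, as an added Python example that is not part of the collection: it reads the "Accepted publickey" / "Failed publickey" lines sshd writes (the failed ones only appear at LogLevel VERBOSE for the first attempts), compares the fingerprints against the keys the inventory deploys per user, and flags unknown keys, DSA keys and successful logins by users the inventory does not know. The log lines, the allow-list and the fingerprints are constructed for the example:

```python
import re
from collections import Counter

# Matches sshd's pubkey result lines regardless of the syslog prefix and
# extracts result, user, source address, key type and SHA256 fingerprint.
PUBKEY_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) publickey for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2: (?P<ktype>\S+) (?P<fp>SHA256:\S+)"
)
WEAK_KEY_TYPES = {"DSA"}


def parse_pubkey_events(lines):
    for line in lines:
        m = PUBKEY_RE.search(line)
        if m:
            yield m.groupdict()


def detect(lines, allowed):
    """allowed maps user -> set of SHA256 fingerprints the inventory deploys
    for that user. Returns (alerts, failed_attempts_by_source)."""
    alerts, failed = [], Counter()
    for ev in parse_pubkey_events(lines):
        if ev["ktype"] in WEAK_KEY_TYPES:
            alerts.append(("weak-key", ev["user"], ev["fp"], ev["src"]))
        if ev["result"] == "Failed":
            failed[ev["src"]] += 1  # an unknown key was offered; count it
            continue
        if ev["user"] not in allowed:
            alerts.append(("unexpected-user", ev["user"], ev["fp"], ev["src"]))
        elif ev["fp"] not in allowed[ev["user"]]:
            alerts.append(("unknown-key", ev["user"], ev["fp"], ev["src"]))
    return alerts, failed


# Constructed allow-list (what the inventory deploys) and constructed log
# lines in the format sshd produces at LogLevel VERBOSE.
ALLOWED = {"alice": {"SHA256:k1alice"}, "deploy": {"SHA256:k1deploy"}}
SAMPLE_LOG = [
    "Jun 15 19:35:01 host1 sshd[4242]: Accepted publickey for alice from 192.0.2.5 port 51234 ssh2: ED25519 SHA256:k1alice",
    "Jun 15 19:36:10 host1 sshd[4250]: Accepted publickey for alice from 203.0.113.9 port 40001 ssh2: ED25519 SHA256:notdeployed",
    "Jun 15 19:37:00 host1 sshd[4261]: Failed publickey for deploy from 198.51.100.7 port 40002 ssh2: RSA SHA256:randomkey",
    "Jun 15 19:37:01 host1 sshd[4261]: Failed publickey for deploy from 198.51.100.7 port 40002 ssh2: RSA SHA256:otherkey",
    "Jun 15 19:38:00 host1 sshd[4270]: Accepted publickey for root from 198.51.100.7 port 40003 ssh2: DSA SHA256:olddsakey",
]

if __name__ == "__main__":
    alerts, failed = detect(SAMPLE_LOG, ALLOWED)
    for alert in alerts:
        print("ALERT", *alert)
    for src, n in failed.items():
        print(f"{n} failed publickey attempts from {src}")
```

Without VERBOSE only the Accepted lines are available, so the failed-attempt counter and the "which key was tried" information would be missing.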

fix(lego): issue new certs only when necessary - [merged]

In GitLab by @lrsksr on Nov 25, 2021, 20:00

Merges emperor/fix-lego-cert-creation -> main

Make issuance more robust against failed ansible runs.
A new certificate will now be issued if there are no changes to configuration, but the cert is missing.

The added tasks do not adhere to some ansible principles (changed_when although the tasks don't change anything), but the entire role is not very pretty as lego does not provide a way to be configured by a file.

Lego: New certificate is only obtained if ACME account or systemd unit have changes in template task

In GitLab by @lrsksr on Nov 17, 2021, 04:55

The first lego run is done in a handler that is executed after the tasks mentioned in the title.
If the handler fails or the playbook is canceled, in subsequent runs the handler is not even notified, leading to a missing certificate and failed renewals.

Instead, there should be a task that checks if there is a certificate in the certificates folder and triggers lego run if not.

Also, if there are changes in the systemd unit that are unrelated to certificate (eg. ExecStartPre) a new certificate is issued unnecessarily.

Add redis role

In GitLab by @jdreichmann on Sep 29, 2020, 11:26

Add a role to deploy a redis instance.

This is a prerequisite to synapse worker support, as they need a redis pub/sub channel to communicate.

Auth via pass: https://redis.io/topics/security#protected-mode

Related MRs:

feat(redis): create role to deploy redis in a container - [merged]

In GitLab by @jdreichmann on Oct 1, 2020, 11:53

Merges transcaffeine/redis -> main

Adds an ansible role which deploys the redis image from the docker default library in a container, maps the data directory to the host and uses a config which instructs redis to use a global password for AUTH.

With redis_prefix, a prefix can be specified to isolate multiple instances on the same host. With a prefix like "matrix_", the user, container-name and host data-directories get prefixed.

Lego: "Compare pubkey type, notify handler if it differs" fails with default configuration

In GitLab by @jadyn.dev on Jun 15, 2023, 20:09

The task "Compare pubkey type, notify handler if it differs" fails with the minimal configuration.

Configuration:

---
lego_certificate:
  domains:
    - "{{ inventory_hostname }}"
  email: "[email protected]"

lego_letsencrypt_environment: prod

Error:

TASK [famedly.base.lego : Compare pubkey type, notify handler if it differs] ***
task path: /home/******/ansible/environment/ansible_collections/famedly/base/roles/lego/tasks/main.yml:160
fatal: [******]: FAILED! => {
    "msg": "The task includes an option with an undefined variable. The error was: {{\n  \"ECC\" if \"ec\" in lego_configuration.command_parameters.global[\"key-type\"]\n  else \"RSA\" if \"rsa\" in lego_configuration.command_parameters.global[\"key-type\"]\n}}: 'lego_configuration' is undefined. 'lego_configuration' is undefined. {{\n  \"ECC\" if \"ec\" in lego_configuration.command_parameters.global[\"key-type\"]\n  else \"RSA\" if \"rsa\" in lego_configuration.command_parameters.global[\"key-type\"]\n}}: 'lego_configuration' is undefined. 'lego_configuration' is undefined\n\nThe error appears to be in '/home/******/ansible/environment/ansible_collections/famedly/base/roles/lego/tasks/main.yml': line 160, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n    - name: \"Compare pubkey type, notify handler if it differs\"\n      ^ here\n"

Fix ideas:

  1. Please change lego_configuration to lego_configuration_merged in the task
  2. The key-type is not set in lego_configuration_defaults which should be set to a reasonable default.
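An added Python sketch of the issuance decision that this issue and the two lego issues above it call for (not the lego role's own code): the key-type expression gets a default so an unset `key-type` no longer fails, a missing certificate always triggers a run, a key family that differs from the configured one triggers a run, and a change to the systemd unit alone does not. The `ec384` default and the CertState fields are assumptions made for the example; the `key-type` values are the ones lego accepts (`ec256`, `ec384`, `rsa2048`, `rsa4096`, `rsa8192`):

```python
from dataclasses import dataclass
from typing import Optional

# Assumed default for an unset key-type (fix idea 2 above); the role would
# carry this in lego_configuration_defaults.
DEFAULT_KEY_TYPE = "ec384"


def key_family(key_type=None):
    """Map a lego --key-type value to the family the issued key must have.
    None falls back to the default instead of failing on an undefined
    variable; anything else unknown is an error rather than a silent RSA."""
    kt = (key_type or DEFAULT_KEY_TYPE).lower()
    if kt.startswith("ec"):
        return "ECC"
    if kt.startswith("rsa"):
        return "RSA"
    raise ValueError(f"unsupported lego key type: {key_type!r}")


@dataclass
class CertState:
    cert_present: bool                 # certificate file exists in the certificates folder
    cert_key_family: Optional[str]     # "ECC"/"RSA" read from the existing certificate, None if absent
    configured_key_type: Optional[str] # value of key-type in the merged configuration
    account_changed: bool              # ACME account template changed
    unit_changed: bool                 # systemd unit template changed (e.g. ExecStartPre)


def issuance_decision(state):
    """Return (should_run, reason). Only certificate-relevant conditions
    trigger a lego run, so a failed earlier run (missing cert) is repaired
    and an unrelated unit change does not burn a new certificate."""
    if not state.cert_present:
        return True, "certificate missing"
    wanted = key_family(state.configured_key_type)
    if state.cert_key_family != wanted:
        return True, f"certificate key is {state.cert_key_family}, configuration wants {wanted}"
    if state.account_changed:
        return True, "ACME account changed"
    return False, "certificate present and matches configuration"


if __name__ == "__main__":
    # Constructed states: after an aborted first run, and after a unit-only change.
    print(issuance_decision(CertState(False, None, None, False, False)))
    print(issuance_decision(CertState(True, "ECC", None, False, True)))
```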

Configure Traefik to output TLS cert for Postfix

In GitLab by @ratzupaltuff on Aug 8, 2021, 16:43

Traefik may support forced/strict TLS for smtp but no opportunistic TLS. We want to support both so we need to hand out the TLS handling to postfix. We don't want to hand out full permission to write any subdomain. The cert should only allow mail.customer.famedly.tld to be modified.

Install common debugging tools

In GitLab by @jcgruenhage on Sep 2, 2021, 11:16

Split out of #1.

This needs discussion, because not everyone has the same picture of what we need on a machine for debugging.

List of tools

  • neovim
  • dnsutils
  • curl
  • ldap-client
  • ??????

Callback plugin inception

In GitLab by @jcgruenhage on Feb 1, 2023, 09:40

Ansible callback plugins are not all that powerful. Stuff that can't be done right now:

  • chaining together pre-processors before handing it over to the callback plugin that's doing the actual logging
  • having multiple output streams, where some could be logging to files, some to stdout, etc pp

We'd like to evaluate whether writing a call-back plugin that implements these and then hands off the logging to another call-back plugin would help us for stuff like https://gitlab.com/famedly/infra/meta/-/issues/666

Role for `rclone serve restic`

We want multi-tenancy and append-only storage in the backend for restic. rclone serve restic supports these features (multi-tenancy via --private-repos and append-only storage via --append-only) and was therefore chosen as the solution for this.

The scope of this is implementing a role for rclone serve in the famedly.base collection, and exposing the ability to run subcommands with arbitrary command line flags.
