famedly / ansible-collection-base
`famedly.base` ansible collection for common basic services/tools like dns, ldap, ssh, ...
License: GNU Affero General Public License v3.0
In GitLab by @jadyn.dev on Sep 1, 2021, 13:42
Merges jadyn/add-gecos -> main
ref: https://gitlab.com/famedly/company/devops/meta/-/issues/126
In GitLab by @jadyn.dev on Jun 15, 2023, 19:35
The dependency cryptography>=1.6 is not installed.
fatal: [******]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "content": null,
            "name_encoding": "ignore",
            "path": "/opt/lego/certificates/******.crt",
            "select_crypto_backend": "auto",
            "valid_at": null
        }
    },
    "msg": "Cannot detect any of the required Python libraries cryptography (>= 1.6)"
}
Fix: Install python3-cryptography via apt
In GitLab by @lrsksr on Apr 22, 2021, 20:00
When you change the famedly_host_ipv* variable in inventory and play the dns role, only additional A and AAAA records will be created. The old ones still persist, which makes moving hosts or correcting errors more difficult, as you have to manually delete the old records.
You could add solo: true to the corresponding tasks, but we probably still want the possibility to define several A and AAAA records with the same record name.
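One way to get the behaviour asked for above, as an added example that is not part of famedly.base or its dns role: compute the minimal add/delete set between what the inventory wants and what the zone holds, so that a changed address is removed but a name may still carry several A or AAAA values. `Record` is a constructed in-memory model rather than any DNS module's API, and the variable names `famedly_host_ipv4` / `famedly_host_ipv6` are assumed from the `famedly_host_ipv*` pattern in the issue.

```python
"""Added example (not part of famedly.base): reconcile A/AAAA records between
inventory and zone instead of only appending or using solo: true."""
from dataclasses import dataclass
from typing import Iterable, List, Mapping, Tuple, Union


@dataclass(frozen=True, order=True)
class Record:
    name: str   # fully qualified record name, e.g. "host1.example.org"
    rtype: str  # "A" or "AAAA"
    value: str  # the address


def _as_list(value: Union[None, str, List[str]]) -> List[str]:
    if not value:
        return []
    return [value] if isinstance(value, str) else list(value)


def records_from_inventory(hostvars: Mapping[str, Mapping[str, object]]) -> List[Record]:
    """Build the desired address records from per-host inventory variables.

    hostvars maps a record name to its variables. famedly_host_ipv4 and
    famedly_host_ipv6 (assumed names) may each be a single address or a list,
    which is how one name gets several A or AAAA records.
    """
    wanted: List[Record] = []
    for name, vars_ in hostvars.items():
        for addr in _as_list(vars_.get("famedly_host_ipv4")):  # type: ignore[arg-type]
            wanted.append(Record(name, "A", addr))
        for addr in _as_list(vars_.get("famedly_host_ipv6")):  # type: ignore[arg-type]
            wanted.append(Record(name, "AAAA", addr))
    return wanted


def reconcile(desired: Iterable[Record], existing: Iterable[Record],
              managed_types: Tuple[str, ...] = ("A", "AAAA")) -> Tuple[List[Record], List[Record]]:
    """Return (to_add, to_delete) so that the zone matches the inventory.

    The inventory is authoritative for every (name, type) pair it declares:
    stale values of a managed name are deleted, but all desired values of a
    name are kept, and names or types the inventory does not mention (TXT
    records, hosts managed elsewhere) are never touched. solo: true would
    instead drop every other value of the name, including a second legitimate
    address.
    """
    want = {r for r in desired if r.rtype in managed_types}
    have = {r for r in existing if r.rtype in managed_types}
    managed = {(r.name, r.rtype) for r in want}
    to_add = sorted(want - have)
    to_delete = sorted(r for r in have - want if (r.name, r.rtype) in managed)
    return to_add, to_delete
```

In an Ansible role this would run once per zone: fetch the current records, call `reconcile`, then loop `to_delete` with `state: absent` before looping `to_add`. Because deletion is limited to (name, type) pairs the inventory declares, removing a host from the inventory entirely still leaves its records in place, which is the conservative default for a role that shares a zone with other tooling.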
In GitLab by @jdreichmann on Apr 28, 2021, 14:05
Merges transcaffeine/ssh-loglevel -> main
Closes #6
In GitLab by @lrsksr on Nov 17, 2021, 04:43
The shell task at https://gitlab.com/famedly/company/devops/collections/base/-/blob/main/roles/lego/tasks/main.yml#L26 produces a fatal error if the binary does not exist that is ignored, but is irritating.
This should be avoidable by splitting it in two tasks, the first testing if the binary exists and the second (version check) only executed if the first succeeded.
In GitLab by @jdreichmann on Oct 11, 2021, 13:47
Merges transcaffeine/redis-networks-support -> main
In GitLab by @jdreichmann on May 30, 2021, 22:22
Merges transcaffeine/deprecated-ansible-modules -> main
In GitLab by @jcgruenhage on Sep 2, 2021, 11:11
Split out of #1.
We want to have a slightly modified shell for our hosts, so that we can work on them more easily if we need to ssh into them for debugging. This does not need to be super massive, and it shouldn't import too much external stuff for security reasons, but properly working shell completions is a must.
In GitLab by @ratzupaltuff on Aug 28, 2020, 17:50
In GitLab by @jdreichmann on Feb 26, 2021, 09:25
Merges transcaffeine/idempotency -> main
In GitLab by @jcgruenhage on Nov 30, 2020, 18:32
I'd suggest a weekly run of the following:
docker images -q | xargs docker rmi
docker system prune
docker volume prune
systemd unit+timer
In GitLab by @jcgruenhage on May 4, 2021, 12:47
I use foot or kitty, depending on which device I'm on, and running export TERM=xterm each time I connect is annoying. Just putting that line into ~/.profile feels wrong too. The proper fix here would be to add the terminfo files using ansible.
ref #10
In GitLab by @jdreichmann on Feb 8, 2021, 07:35
Merges transcaffeine/support-dns-txt-records -> main
In GitLab by @jadyn.dev on Jul 1, 2023, 16:09
The dropbear_path changed from /etc/dropbear-initramfs to /etc/dropbear/initramfs; please update the paths inside the roles accordingly.
On a sidenote: The task "Configure /etc/crypttab" tries to write to a file /etc/dropbear-initramfs/config which doesn't exist (anymore?) and the path should be changed to the actual location of crypttab.
Thankies :3
In GitLab by @jdreichmann on Nov 12, 2020, 13:36
Merges transcaffeine/ssh-hardening -> main
In GitLab by @jdreichmann on Apr 28, 2021, 10:01
On LogLevel=VERBOSE, SSHD also logs information about pubkey-authentication (failures) in /var/log/auth.log.
For auditing reasons, we should run all instances on that log level, as it allows alerting on unknown fingerprints, weak keys (DSA) and (possibly) unauthorized users successfully authenticating (successful attack but still logged, for example).
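What the alerting described above could look like, as an added example that is neither part of famedly.base nor of the ssh role: a parser for the publickey lines sshd writes to auth.log at LogLevel VERBOSE, checked against a per-user fingerprint allowlist. The log lines and the `KNOWN_KEYS` allowlist are constructed for this example and modelled on OpenSSH's `Accepted publickey for USER from IP port N ssh2: TYPE SHA256:...` format; the fingerprints are made up.

```python
"""Added example (not part of famedly.base): audit sshd publickey events."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Matches both "Accepted publickey for ..." (INFO) and "Failed publickey for ..."
# (VERBOSE) lines; sshd prefixes unknown accounts with "invalid user".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) publickey for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2: "
    r"(?P<keytype>[A-Z0-9-]+) (?P<fp>SHA256:[A-Za-z0-9+/=]+)"
)
WEAK_KEY_TYPES = {"DSA"}


@dataclass
class Event:
    result: str        # "Accepted" or "Failed"
    user: str
    invalid_user: bool
    src: str
    keytype: str       # e.g. "ED25519", "RSA", "DSA"
    fingerprint: str   # "SHA256:..." as printed by sshd


@dataclass
class Finding:
    severity: str
    user: str
    src: str
    fingerprint: str
    reason: str


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.search(line)
    if not m:
        return None  # connection-close, session-open etc. are not auth decisions
    return Event(m["result"], m["user"], m["invalid"] is not None,
                 m["src"], m["keytype"], m["fp"])


def audit(lines: Iterable[str], known_keys: Dict[str, Set[str]]) -> List[Finding]:
    """Flag weak key types, accepted keys outside the allowlist and failed attempts."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.keytype in WEAK_KEY_TYPES:
            findings.append(Finding("medium", ev.user, ev.src, ev.fingerprint,
                                    f"weak key type {ev.keytype} offered"))
        if ev.result == "Accepted":
            # A successful login with a key we do not know about is the case the
            # issue calls a "successful attack but still logged".
            if ev.fingerprint not in known_keys.get(ev.user, set()):
                findings.append(Finding("high", ev.user, ev.src, ev.fingerprint,
                                        "accepted key not in allowlist"))
        else:
            reason = "failed publickey attempt" + (" for invalid user" if ev.invalid_user else "")
            findings.append(Finding("low", ev.user, ev.src, ev.fingerprint, reason))
    return findings


# Constructed sample log; fingerprints are placeholders, not real keys.
SAMPLE_LOG = """\
Apr 28 09:58:01 web1 sshd[1234]: Accepted publickey for deploy from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:dEpLoYkEy00000000000000000000000000000000000
Apr 28 09:58:05 web1 sshd[1240]: Accepted publickey for root from 198.51.100.7 port 40022 ssh2: RSA SHA256:uNkNoWnKeY0000000000000000000000000000000000
Apr 28 09:58:09 web1 sshd[1250]: Failed publickey for deploy from 203.0.113.5 port 33000 ssh2: DSA SHA256:oLdDsAkEy00000000000000000000000000000000000
Apr 28 09:58:12 web1 sshd[1260]: Failed publickey for invalid user admin from 203.0.113.5 port 33001 ssh2: RSA SHA256:gUeSsEdKeY0000000000000000000000000000000000
Apr 28 09:58:15 web1 sshd[1270]: Connection closed by 203.0.113.5 port 33001 [preauth]
"""

# Constructed allowlist: the fingerprints of keys that are supposed to exist.
KNOWN_KEYS: Dict[str, Set[str]] = {
    "deploy": {"SHA256:dEpLoYkEy00000000000000000000000000000000000"},
}

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines(), KNOWN_KEYS):
        print(f"{f.severity:6} {f.user}@{f.src} {f.fingerprint}: {f.reason}")
```

The allowlist can be generated from the same inventory data that deploys `authorized_keys` (`ssh-keygen -lf` prints the matching SHA256 fingerprint for a public key file), so an accepted fingerprint that is not in it means a key reached the host outside the role. Note that the `Accepted` line is logged at the default INFO level already; VERBOSE is what adds the `Failed publickey` lines that make the brute-force and weak-key findings possible.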
In GitLab by @jdreichmann on Mar 11, 2021, 10:55
Merges transcaffeine/update-redis -> main
In GitLab by @jcgruenhage on Apr 11, 2023, 13:01
We'd want a role that deploys and configures an instance of https://github.com/breard-r/acmed in a slightly opinionated, but still somewhat flexible way. This means:
In GitLab by @jbecker on Dec 28, 2020, 11:28
Merges refactor/submodules-switch-ssh-to-https -> main
Switch submodules URL from SSH to HTTPS for public GitHub Repo so cloning without SSH Key recognized by GitHub works
In GitLab by @jdreichmann on May 10, 2021, 06:19
Merges transcaffeine/fix-ldap-initialization -> main
In GitLab by @jadyn.dev on Oct 7, 2021, 11:08
Merges jadyn/lego -> main
ref https://gitlab.com/famedly/company/devops/meta/-/issues/182
In GitLab by @lrsksr on Nov 25, 2021, 20:00
Merges emperor/fix-lego-cert-creation -> main
Make issuance more robust against failed ansible runs.
A new certificate will now be issued if there are no changes to configuration, but the cert is missing.
The added tasks do not adhere to some ansible principles (changed_when although the tasks don't change anything), but the entire role is not very pretty as lego does not provide a way to be configured by a file.
In GitLab by @lrsksr on Nov 17, 2021, 04:55
The first lego run is done in a handler that is executed after the tasks mentioned in the title.
If the handler fails or the playbook is canceled, in subsequent runs the handler is not even notified, leading to a missing certificate and failed renewals.
Instead, there should be a task that checks if there is a certificate in the certificates folder and triggers lego run if not.
Also, if there are changes in the systemd unit that are unrelated to the certificate (eg. ExecStartPre) a new certificate is issued unnecessarily.
In GitLab by @jdreichmann on Nov 18, 2020, 09:08
Merges transcaffeine/ssh-presets -> main
secure |
bsi_recommended |
---|---|
In GitLab by @jdreichmann on Dec 24, 2020, 11:03
Merges transcaffeine/hostname-role -> main
In GitLab by @jdreichmann on Sep 29, 2020, 11:26
Add a role to deploy a redis instance.
This is a prerequisite to synapse worker support, as they need a redis pub/sub channel to communicate.
Auth via pass: https://redis.io/topics/security#protected-mode
Related MRs:
In GitLab by @jdreichmann on Mar 31, 2021, 10:05
Merges transcaffeine/update-docs -> main
In GitLab by @jdreichmann on May 3, 2021, 11:55
The following discussion from !15 should be addressed:
@jcgruenhage started a discussion:
Not the current version anymore.
^ Updates should be handled in a separate MR
In GitLab by @jdreichmann on Oct 1, 2020, 11:53
Merges transcaffeine/redis -> main
Adds an ansible role which deploys the redis image from the docker default library in a container, maps the data directory to the host and uses a config which instructs redis to use a global password for AUTH.
With redis_prefix, a prefix can be specified to isolate multiple instances on the same host. With a prefix like "matrix_", the user, container-name and host data-directories get prefixed.
In GitLab by @jdreichmann on Mar 5, 2021, 14:30
Merges transcaffeine/healthchecks -> main
In GitLab by @lrsksr on Jun 20, 2022, 15:52
Merges emperor/fix/traefik-cert-reload -> main
In GitLab by @jadyn.dev on Jun 15, 2023, 20:09
The task "Compare pubkey type, notify handler if it differs" fails with the minimal configuration.
Configuration:
  ---
  lego_certificate:
    domains:
      - "{{ inventory_hostname }}"
    email: "[email protected]"
  lego_letsencrypt_environment: prod
Error:
TASK [famedly.base.lego : Compare pubkey type, notify handler if it differs] ***************************************************************************************************************************************************************
task path: /home/******/ansible/environment/ansible_collections/famedly/base/roles/lego/tasks/main.yml:160
fatal: [******]: FAILED! => {
"msg": "The task includes an option with an undefined variable. The error was: {{\n \"ECC\" if \"ec\" in lego_configuration.command_parameters.global[\"key-type\"]\n else \"RSA\" if \"rsa\" in lego_configuration.command_parameters.global[\"key-type\"]\n}}: 'lego_configuration' is undefined. 'lego_configuration' is undefined. {{\n \"ECC\" if \"ec\" in lego_configuration.command_parameters.global[\"key-type\"]\n else \"RSA\" if \"rsa\" in lego_configuration.command_parameters.global[\"key-type\"]\n}}: 'lego_configuration' is undefined. 'lego_configuration' is undefined\n\nThe error appears to be in '/home/******/ansible/environment/ansible_collections/famedly/base/roles/lego/tasks/main.yml': line 160, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n - name: \"Compare pubkey type, notify handler if it differs\"\n ^ here\n"
Fix ideas:
lego_configuration to lego_configuration_merged in the task
key-type is not set in lego_configuration_defaults, which should be set to a reasonable default.
In GitLab by @jdreichmann on Mar 23, 2021, 07:04
Merges transcaffeine/redis-idempotency -> main
See https://gitlab.com/famedly/ansible/meta/-/issues/60 for context
In GitLab by @jadyn.dev on Jul 1, 2023, 16:19
I've written a small tool to automatically copy the initramfs to other disks. This is useful for setups with (software) RAID to ensure booting is possible from both/multiple disks in case of one disk failing.
See https://gitlab.jadyn.dev/-/snippets/8
In GitLab by @jdreichmann on Nov 10, 2021, 17:02
Merges transcaffeine/dropbear-luks-unlock -> main
feat(dropbear-luks-unlock): add ansible role for unlocking luks volumes via dropbear ssh initramfs module
In GitLab by @jcgruenhage on Jun 16, 2022, 09:20
Merges jcgruenhage/fix/lego-san -> main
In GitLab by @jdreichmann on Nov 19, 2020, 09:16
minimal integration: https://gitlab.com/famedly/ansible/collections/local/-/merge_requests/24
In GitLab by @jdreichmann on May 10, 2021, 10:03
Merges transcaffeine/task-tagging -> main
In GitLab by @ratzupaltuff on Aug 8, 2021, 16:43
Traefik may support forced/strict TLS for smtp but no opportunistic TLS. We want to support both so we need to hand out the TLS handling to postfix. We don't want to hand out full permission to write any subdomain. The cert should only allow mail.customer.famedly.tld to be modified.
In GitLab by @jcgruenhage on Sep 2, 2021, 11:16
Split out of #1.
This needs discussion, because not everyone has the same picture of what we need on a machine for debugging.
In GitLab by @jadyn.dev on Jan 5, 2022, 07:07
Merges jadyn/pip-role -> main
ref https://gitlab.com/famedly/company/devops/meta/-/issues/180
In GitLab by @jdreichmann on Sep 6, 2021, 08:46
Merges transcaffeine/prepare-publishing -> main
In GitLab by @jcgruenhage on Feb 1, 2023, 09:40
Ansible callback plugins are not all that powerful. Stuff that can't be done right now:
We'd like to evaluate whether writing a call-back plugin that implements these and then hands off the logging to another call-back plugin would help us for stuff like https://gitlab.com/famedly/infra/meta/-/issues/666
In GitLab by @jdreichmann on Nov 9, 2021, 09:36
Merges transcaffeine/lego-permissions -> main
In GitLab by @jdreichmann on Sep 6, 2021, 06:51
Merges transcaffeine/deprecated-options -> main
In GitLab by @jcgruenhage on Mar 29, 2023, 13:26
Role should be able to backup command output (for example from pg_dump) and a list of directories.
We want multi-tenancy and append-only storage in the backend for restic. rclone serve restic supports these features (multi-tenancy via --private-repos and append-only storage via --append-only) and was therefore chosen as the solution for this.
The scope of this is implementing a role for rclone serve in the famedly.base collection, and exposing the ability to run subcommands with arbitrary command line flags.
In GitLab by @jadyn.dev on Jun 14, 2022, 12:14
Merges jadyn/sshd-config -> main
In GitLab by @lukaslihotzki on Apr 1, 2022, 15:54
Merges ll/ssh-family -> main
ssh_address_family: inet6 can be the first step to IPv6-only servers.
In GitLab by @jdreichmann on Dec 24, 2020, 12:11
Merges transcaffeine/dns-role -> main