From: Oleg Broytman Date: Sat, 31 Aug 2019 19:52:40 +0000 (+0300) Subject: Feat(RedHat): Add RedHat and redhatoids playbooks and roles X-Git-Url: https://git.phdru.name/?p=ansible.git;a=commitdiff_plain;h=76942f35b0b978244f917e28694b78f43e8f8860 Feat(RedHat): Add RedHat and redhatoids playbooks and roles Tested with Fedora 30. --- diff --git a/playbooks/redhat/README.txt b/playbooks/redhat/README.txt new file mode 100644 index 0000000..6dc5901 --- /dev/null +++ b/playbooks/redhat/README.txt @@ -0,0 +1,3 @@ +RedHat and redhatoids playbooks. + +Tested with Fedora 30. diff --git a/playbooks/redhat/init-local-phd.yml b/playbooks/redhat/init-local-phd.yml new file mode 100644 index 0000000..0fb6baf --- /dev/null +++ b/playbooks/redhat/init-local-phd.yml @@ -0,0 +1,27 @@ +- name: Update local user phd + hosts: localhost + gather_facts: false + vars: + system_groups: root,wheel,adm,disk,cdrom,floppy,audio,video,users,mail,input + tasks: + - name: Create system groups + become: true + group: + name: "{{ item }}" + system: true + loop: "{{ system_groups.split(',') }}" + - name: Create group phd + become: true + group: + name: phd + - name: user phd + become: true + user: + name: phd + groups: "{{ system_groups }}" + - name: Install X11 + become: true + dnf: + name: ['fvwm', 'rxvt-unicode', 'xorg'] + state: latest + update_cache: yes diff --git a/playbooks/redhat/init-system.sh b/playbooks/redhat/init-system.sh new file mode 100755 index 0000000..085eb3a --- /dev/null +++ b/playbooks/redhat/init-system.sh 
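Review bot: In the init-local-phd.yml hunk the `user phd` task sets `groups: "{{ system_groups }}"` without `append: true`, so every run resets phd's supplementary groups to exactly this list and silently drops any group that was added outside the playbook; if that reset is intended, a comment should say so, otherwise add `append: true`. The list also contains `root` and `disk` (the `disk` group has read/write access to raw block devices, which is root-equivalent), so membership there should be a deliberate, documented choice. As a style point, `update_cache: yes` is a YAML 1.1 truthy value that yamllint flags; `update_cache: true` is the canonical form, and the same applies to the `yes`/`no` values in the dev-packages, firewall, init-system, init-system2, logcheck, packages, update-all-dnf and update-root hunks below.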
@@ -0,0 +1,18 @@ +#! /bin/sh + +if [ -z "$1" ]; then + echo "Usage: $0 host [...params...]" >&2 + exit 1 +fi + +host="$1" +shift + +cd "`dirname \"$0\"`" && +ANSIBLE_ROLES_PATH=roles:../roles && +export ANSIBLE_ROLES_PATH && + +# Passwordless access isn't configured yet; use `ssh` connection sharing. +# `sudo` isn't configured yet too; ask for phd password. +ansible-playbook init-system.yml "$@" -e hosts="$host" -K && +exec ansible-playbook init-system2.yml "$@" -e hosts="$host" diff --git a/playbooks/redhat/init-system.yml b/playbooks/redhat/init-system.yml new file mode 100644 index 0000000..b1dbd68 --- /dev/null +++ b/playbooks/redhat/init-system.yml @@ -0,0 +1,6 @@ +- name: Setup Debain system + hosts: "{{ hosts | default('all') }}" + gather_facts: false + roles: + - sudo + - phd diff --git a/playbooks/redhat/init-system2.yml b/playbooks/redhat/init-system2.yml new file mode 100644 index 0000000..75dd28a --- /dev/null +++ b/playbooks/redhat/init-system2.yml @@ -0,0 +1,9 @@ +- name: Setup Debain system - part 2 + hosts: "{{ hosts | default('all') }}" + gather_facts: true + roles: + - init-system2 + - root + - firewall + - logcheck + - sshd diff --git a/playbooks/redhat/roles/dev-packages/README.txt b/playbooks/redhat/roles/dev-packages/README.txt new file mode 100644 index 0000000..13d6c5f --- /dev/null +++ b/playbooks/redhat/roles/dev-packages/README.txt @@ -0,0 +1 @@ +Install development packages. diff --git a/playbooks/redhat/roles/dev-packages/tasks/main.yml b/playbooks/redhat/roles/dev-packages/tasks/main.yml new file mode 100644 index 0000000..ed57bf4 --- /dev/null +++ b/playbooks/redhat/roles/dev-packages/tasks/main.yml @@ -0,0 +1,7 @@ +- name: Install development packages + become: true + dnf: + name: ['gcc', 'gcc-c++', 'git', 'make', + ] + state: latest + update_cache: yes diff --git a/playbooks/redhat/roles/firewall/README.txt b/playbooks/redhat/roles/firewall/README.txt new file mode 100644 index 0000000..c90cb67 --- /dev/null 
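Review bot: `cd "`dirname \"$0\"`"` in init-system.sh relies on backslash-escaped quotes inside a double-quoted backtick substitution, which is hard to read and easy to break when edited; `cd "$(dirname "$0")" &&` is the POSIX form with no nesting. The second `ansible-playbook` invocation deliberately runs without `-K`, which only works because the first play's sudo role has just installed the NOPASSWD fragment; the existing comments hint at this, but stating that dependency explicitly (`# second run relies on the sudoers fragment installed by the sudo role`) would stop someone reordering the two calls.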
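Review bot: The play name `Setup Debain system` in init-system.yml is both misspelled and wrong for this directory — these are the RedHat playbooks — so `- name: Setup RedHat system` here and `- name: Setup RedHat system - part 2` in the init-system2.yml hunk below. Separately, `hosts: "{{ hosts | default('all') }}"` defaults to every inventory host for a play that creates a user and rewrites sudoers; the wrapper script always passes `-e hosts=`, but when the playbook is run directly the default applies, so consider a non-matching default or a comment documenting that `hosts` is expected on the command line.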
+++ b/playbooks/redhat/roles/firewall/README.txt @@ -0,0 +1,3 @@ +Configure iptables firewall. + +Allow everything out, limit in, disable forward. diff --git a/playbooks/redhat/roles/firewall/files/etc/network/functions.phd b/playbooks/redhat/roles/firewall/files/etc/network/functions.phd new file mode 100644 index 0000000..08f3718 --- /dev/null +++ b/playbooks/redhat/roles/firewall/files/etc/network/functions.phd 
@@ -0,0 +1,61 @@ +IPTABLES=/sbin/iptables +PATH=/sbin:/bin:/usr/sbin:/usr/bin + +my_ip() { + MYIP=$1 + + # Allow everything from this host + $IPTABLES -A INPUT -s $MYIP -j ACCEPT + + # Allow ICMP + $IPTABLES -A INPUT -d $MYIP -p icmp -j ACCEPT + + # Allow ports >1024 + $IPTABLES -A INPUT -d $MYIP -p tcp --dport 1024: ! --syn -j ACCEPT + $IPTABLES -A INPUT -d $MYIP -p udp --dport 1024: -j ACCEPT +} + +start_firewall() { + # Allow everything from localhost + $IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT + + # Specifically block access to NFS and XWindows. Neccessary because these are ports >1024 + $IPTABLES -A INPUT -p tcp --dport 2049 -j DROP + $IPTABLES -A INPUT -p udp --dport 2049 -j DROP + $IPTABLES -A INPUT -p tcp --dport 6000:6063 -j DROP + $IPTABLES -A INPUT -p udp --dport 6000:6063 -j DROP + + # Allow incoming ssh, smtp, dns, dhcp, www, ident, ntp, smb, OpenVPN, git-daemon + $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT + $IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT + $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT + $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT + $IPTABLES -A INPUT -p udp --sport 53 --dport 1024: -j ACCEPT + $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT + $IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT + $IPTABLES -A INPUT -p tcp --dport 123 -j ACCEPT + $IPTABLES -A INPUT -p udp --dport 123 -j ACCEPT + $IPTABLES -A INPUT -p tcp --dport 137:139 -j ACCEPT + $IPTABLES -A INPUT -p udp --dport 137:139 -j ACCEPT + $IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT + $IPTABLES -A INPUT -p tcp --dport 445 -j ACCEPT + $IPTABLES -A INPUT -p udp --dport 1194 -j ACCEPT + $IPTABLES -A INPUT -p tcp --dport 9418 -j ACCEPT + + # FTP + $IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT + $IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT + # Allow ftp-data for active connections + #$IPTABLES -A INPUT -p tcp --sport 20 --dport 1024: -j ACCEPT + + # Track FTP connections to allow active and passive mode FTP + $IPTABLES -A INPUT -p tcp --sport 20 -m state --state 
ESTABLISHED,RELATED -j ACCEPT + $IPTABLES -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT + $IPTABLES -A INPUT -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPTABLES -A INPUT -p tcp --dport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT + $IPTABLES -A INPUT -p tcp --sport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT + $IPTABLES -A INPUT -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT + + MY_IP=$(ip -o -4 addr show up | awk '{split($4,a,/\//); if (a[1] != "127.0.0.1") print a[1]}') + for ip in $MY_IP; do my_ip "$ip"; done +} diff --git a/playbooks/redhat/roles/firewall/files/etc/network/if-down.d/eth b/playbooks/redhat/roles/firewall/files/etc/network/if-down.d/eth new file mode 100755 index 0000000..b75a12b --- /dev/null +++ b/playbooks/redhat/roles/firewall/files/etc/network/if-down.d/eth @@ -0,0 +1,2 @@ +#!/bin/sh +exec /etc/rc.d/init.d/iptables.sh start diff --git a/playbooks/redhat/roles/firewall/files/etc/network/if-up.d/eth b/playbooks/redhat/roles/firewall/files/etc/network/if-up.d/eth new file mode 100755 index 0000000..b75a12b --- /dev/null +++ b/playbooks/redhat/roles/firewall/files/etc/network/if-up.d/eth @@ -0,0 +1,2 @@ +#!/bin/sh +exec /etc/rc.d/init.d/iptables.sh start diff --git a/playbooks/redhat/roles/firewall/files/etc/rc.d/init.d/iptables.sh b/playbooks/redhat/roles/firewall/files/etc/rc.d/init.d/iptables.sh new file mode 100755 index 0000000..72e43e6 --- /dev/null +++ b/playbooks/redhat/roles/firewall/files/etc/rc.d/init.d/iptables.sh 
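Review bot: Every rule in functions.phd is written for `/sbin/iptables` only, so the `INPUT DROP` policy that iptables.sh applies covers IPv4 alone; with firewalld disabled by this role and nothing in it touching ip6tables, inbound IPv6 on a Fedora 30 host (IPv6 is enabled by default) keeps the kernel's ACCEPT policy, which is presumably not what "limit in" in the README means. Either mirror the policy with `/sbin/ip6tables -P INPUT DROP` plus the equivalent allow rules, or state in a comment that IPv6 is expected to be disabled on these hosts. The `my_ip` rules `--dport 1024: ! --syn -j ACCEPT` and the UDP line below it admit any non-SYN TCP segment and all UDP to ports above 1024 on each address, which is why NFS and X11 have to be blocked by hand in `start_firewall`; conntrack is already used further down, so `-m state --state ESTABLISHED,RELATED` would express "return traffic" without leaving the high port range open. `$MYIP` is unquoted in the rule arguments; it comes from `ip -o -4 addr` so it cannot contain spaces today, but `"$MYIP"` costs nothing.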
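Review bot: `/etc/network/if-down.d` and `/etc/network/if-up.d` are hook directories of Debian's ifupdown; Fedora 30 brings interfaces up through NetworkManager, whose hooks live under `/etc/NetworkManager/dispatcher.d`, so as far as I can tell nothing on the target will ever execute these two scripts and the firewall is not re-applied when an address changes (which matters because `MY_IP` is computed at start time). Either port them to a dispatcher script or drop them from this role. The if-down hook runs `iptables.sh start` rather than `stop`; if that is intentional (re-applying with the remaining addresses), a one-line comment saying so would stop it being read as a copy-paste error.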
@@ -0,0 +1,62 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: iptables.sh
+# Required-Start: $remote_fs $network
+# Required-Stop: $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: iptables firewall
+### END INIT INFO
+
+# Setup ip firewall
+
+. /etc/network/functions.phd
+
+case "$1" in
+ start)
+ systemctl stop fail2ban.service
+
+ # Start afresh
+ $IPTABLES -F
+ $IPTABLES -F -t nat
+ $IPTABLES -F -t mangle
+
+ # Default policies
+ $IPTABLES -P INPUT DROP
+ $IPTABLES -P OUTPUT ACCEPT
+ $IPTABLES -P FORWARD DROP
+
+ start_firewall
+ /etc/rc.d/init.d/rc.masq
+ systemctl start fail2ban.service
+ ;;
+
+ stop)
+ systemctl stop fail2ban.service
+
+ $IPTABLES -F
+ $IPTABLES -F -t nat
+ $IPTABLES -F -t mangle
+ $IPTABLES -P INPUT DROP
+ $IPTABLES -P OUTPUT DROP
+ $IPTABLES -P FORWARD DROP
+ ;;
+
+ clear)
+ systemctl stop fail2ban.service
+
+ # Flush (delete) all rules
+ $IPTABLES -F
+ $IPTABLES -F -t nat
+ $IPTABLES -F -t mangle
+ $IPTABLES -P INPUT ACCEPT
+ $IPTABLES -P OUTPUT ACCEPT
+ $IPTABLES -P FORWARD ACCEPT
+ ;;
+
+ *)
+ echo "Usage: firewall {start|stop|clear}"
+ exit 1
+esac
+
+exit 0
diff --git a/playbooks/redhat/roles/firewall/files/etc/rc.d/init.d/rc.masq b/playbooks/redhat/roles/firewall/files/etc/rc.d/init.d/rc.masq
new file mode 100755
index 0000000..69be427
--- /dev/null
+++ b/playbooks/redhat/roles/firewall/files/etc/rc.d/init.d/rc.masq
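Review bot: The `start` branch of iptables.sh builds the rule set live but never saves it, while the firewall role (tasks hunk below) enables the `iptables` service from iptables-services, which at boot restores `/etc/sysconfig/iptables` rather than running this script; unless something else persists the rules, a reboot leaves the host with whatever that file contains, not the policy built here. Adding `iptables-save > /etc/sysconfig/iptables` at the end of `start` (after `rc.masq`) ties the two together. Separately, `stop` and `clear` stop fail2ban and never start it again, and `clear` sets all three policies to ACCEPT; since `clear` is offered in the usage line, a comment stating that it intentionally leaves the host unfiltered and fail2ban stopped would make that reviewable.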
@@ -0,0 +1,92 @@ +#!/bin/sh +# +# rc.masq - IP Masquerade +# +# Load all required IP MASQ modules +# +# NOTE: Only load the IP MASQ modules you need. All current IP MASQ modules +# are shown below but are commented out from loading. + +# Needed to initially load modules +# +#/sbin/depmod -a + +# Supports the proper masquerading of FTP file transfers using the PORT method +# +#/sbin/modprobe ip_masq_ftp + +# Supports the masquerading of RealAudio over UDP. Without this module, +# RealAudio WILL function but in TCP mode. This can cause a reduction +# in sound quality +# +#/sbin/modprobe ip_masq_raudio + +# Supports the masquerading of IRC DCC file transfers +# +#/sbin/modprobe ip_masq_irc + + +# Supports the masquerading of Quake and QuakeWorld by default. This modules is +# for for multiple users behind the Linux MASQ server. If you are going to play +# Quake I, II, and III, use the second example. +# +# NOTE: If you get ERRORs loading the QUAKE module, you are running an old +# ----- kernel that has bugs in it. Please upgrade to the newest kernel. +# +#Quake I / QuakeWorld (ports 26000 and 27000) +#/sbin/modprobe ip_masq_quake +# +#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960) +#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960 + + +# Supports the masquerading of the CuSeeme video conferencing software +# +#/sbin/modprobe ip_masq_cuseeme + +#Supports the masquerading of the VDO-live video conferencing software +# +#/sbin/modprobe ip_masq_vdolive + + +#CRITICAL: Enable IP forwarding since it is disabled by default since +# +# Redhat Users: you may try changing the options in /etc/sysconfig/network from: +# +# FORWARD_IPV4=false +# to +# FORWARD_IPV4=true +# +echo 1 > /proc/sys/net/ipv4/ip_forward + + +# Dynamic IP users: +# +# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this following +# option. This enables dynamic-ip address hacking in IP MASQ, making the life +# with Diald and similar programs much easier. 
+# +#echo "1" > /proc/sys/net/ipv4/ip_dynaddr + + +IPTABLES=/sbin/iptables + + +# DHCP: For people who receive their external IP address from either DHCP or BOOTP +# such as ADSL or Cablemodem users, it is necessary to use the following +# before the deny command. The "bootp_client_net_if_name" should be replaced +# the name of the link that the DHCP/BOOTP server will put an address on to? +# This will be something like "eth0", "eth1", etc. +# +# This example is currently commented out. +# +# +#$IPCHAINS -A input -j ACCEPT -i bootp_clients_net_if_name -s 0/0 67 -d 0/0 68 -p udp + +# Enable simple IP forwarding and Masquerading +# +# NOTE: The following is an example for an internal LAN address in the 192.168.0.x +# network with a 255.255.255.0 or a "24" bit subnet mask. +# +# Please change this network number and subnet mask to match your internal LAN setup +# diff --git a/playbooks/redhat/roles/firewall/tasks/main.yml b/playbooks/redhat/roles/firewall/tasks/main.yml new file mode 100644 index 0000000..c1624fd --- /dev/null +++ b/playbooks/redhat/roles/firewall/tasks/main.yml 
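Review bot: The only effective statement in rc.masq is `echo 1 > /proc/sys/net/ipv4/ip_forward`, which turns on IPv4 forwarding on every firewall start, while the role README says forwarding is disabled and iptables.sh sets `-P FORWARD DROP`; the masquerade rule that the closing comment announces ("Enable simple IP forwarding and Masquerading") is never written, so the file ends having enabled forwarding for nothing. If these hosts are not meant to route, drop the echo (or write `echo 0`) and the script reduces to nothing; if they are, the missing `-t nat -A POSTROUTING ... -j MASQUERADE` rule and the internal network it applies to should be spelled out. The ip_masq_*/ipchains commentary describes 2.2-era kernels and is dead weight in a Fedora 30 role.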
@@ -0,0 +1,52 @@
+- name: Install fail2ban and iptables-services
+ become: true
+ dnf:
+ name: ['fail2ban', 'iptables-services']
+ state: latest
+ update_cache: yes
+ register: services
+
+- name: Disable firewalld
+ become: true
+ service:
+ name: firewalld.service
+ state: stopped
+ enabled: no
+
+- name: Enable fail2ban
+ become: true
+ service:
+ name: fail2ban
+ state: started
+ enabled: yes
+
+- name: Enable iptables-service
+ become: true
+ service:
+ name: iptables
+ state: started
+ enabled: yes
+
+- name: Configure firewall
+ become: true
+ copy:
+ src: etc
+ dest: /
+ owner: root
+ group: root
+ directory_mode: '0750'
+ mode: '0750'
+ force: no
+ register: etc
+
+- name: Fix permissions for /etc/network/functions
+ become: true
+ file:
+ path: /etc/network/functions.phd
+ mode: '0640'
+ register: functions
+
+- name: Start iptables
+ become: true
+ command: /etc/rc.d/init.d/iptables.sh start
+ when: services.changed or etc.changed or functions.changed
diff --git a/playbooks/redhat/roles/init-system/README.txt b/playbooks/redhat/roles/init-system/README.txt
new file mode 100644
index 0000000..60e0fd1
--- /dev/null
+++ b/playbooks/redhat/roles/init-system/README.txt
@@ -0,0 +1 @@
+Init new RPM system: configure yum/dnf, install minimal list of packages.
diff --git a/playbooks/redhat/roles/init-system/tasks/dnf.yml b/playbooks/redhat/roles/init-system/tasks/dnf.yml
new file mode 100644
index 0000000..df265fc
--- /dev/null
+++ b/playbooks/redhat/roles/init-system/tasks/dnf.yml
@@ -0,0 +1,10 @@
+- name: Install minimal software packages
+ become: true
+ dnf:
+ name: ['bash', 'bash-completion', 'bzip2',
+ 'curl', 'dnsutils', 'dselect',
+ 'gnupg', 'gnupg2', 'logcheck', 'mc', 'mutt',
+ 'procmail', 'rsync', 'unzip', 'vim', 'wget', 'zip',
+ ]
+ state: latest
+ update_cache: yes
diff --git a/playbooks/redhat/roles/init-system/tasks/main.yml b/playbooks/redhat/roles/init-system/tasks/main.yml
new file mode 100644
index 0000000..fbef08b
--- /dev/null
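Review bot: `Configure firewall` copies the `etc` tree with `force: no`, so once `functions.phd`, `iptables.sh` or the hooks exist on a host, later edits to them in this role are never deployed, `etc.changed` stays false, and the `Start iptables` task is skipped as well — a changed rule set silently never reaches hosts that were provisioned once. If keeping local edits is the intent, say so in a comment above `force: no`; otherwise remove it so rule changes propagate (the `Fix permissions` task keeps the file mode in line afterwards). The `Start iptables` guard also re-applies the firewall whenever `services` changes, and since that task is `state: latest` a routine fail2ban or iptables-services upgrade triggers it; that is probably desirable but deserves a comment so it is not "fixed" into `state: present` later.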
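Review bot: The list in `Install minimal software packages` carries Debian package names: `dselect` is the dpkg front-end and has no Fedora counterpart, and `dnsutils` is Debian's name for what Fedora ships as `bind-utils`; the dnf module fails the whole task when a name cannot be resolved, so on stock Fedora 30 I would expect this task to error before installing anything (hedged, since the commit message says it was tested). Replace `'dnsutils'` with `'bind-utils'` and drop `'dselect'`, and check that `'gnupg'` resolves alongside `'gnupg2'` on the target, since Fedora packages GnuPG under the latter name.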
+++ b/playbooks/redhat/roles/init-system/tasks/main.yml @@ -0,0 +1,5 @@ +- name: packages + import_tasks: dnf.yml + +- name: Python + import_tasks: python.yml diff --git a/playbooks/redhat/roles/init-system/tasks/python.yml b/playbooks/redhat/roles/init-system/tasks/python.yml new file mode 100644 index 0000000..15dc994 --- /dev/null +++ b/playbooks/redhat/roles/init-system/tasks/python.yml @@ -0,0 +1,17 @@ +- name: Install Python and packages + become: true + dnf: + name: ['python2', 'python3', 'python2-pip', 'python3-pip', + 'python2-setuptools', 'python3-setuptools', + ] + state: latest + update_cache: yes + register: python + +- name: Upgrade Python packages + become: true + shell: 'umask 022; {{ item }} -m pip install --upgrade + "pip < 19.1" setuptools tox virtualenv virtualenvwrapper "wheel < 0.31.1" + flake8 sphinx twine' + when: python.changed + loop: ['python3', 'python2'] diff --git a/playbooks/redhat/roles/init-system2/README.txt b/playbooks/redhat/roles/init-system2/README.txt new file mode 100644 index 0000000..2b60b3c --- /dev/null +++ b/playbooks/redhat/roles/init-system2/README.txt @@ -0,0 +1 @@ +Init RPM system: phase2 - setup /usr/local. diff --git a/playbooks/redhat/roles/init-system2/tasks/main.yml b/playbooks/redhat/roles/init-system2/tasks/main.yml new file mode 100644 index 0000000..991cf55 --- /dev/null +++ b/playbooks/redhat/roles/init-system2/tasks/main.yml @@ -0,0 +1,25 @@ +- name: Setup /usr/local + become: true + file: + path: /usr/local + state: directory + owner: root + group: wheel + recurse: yes + +- name: Setup directories under /usr/local + become: true + command: find /usr/local -type d -exec chown root.wheel {} + -exec chmod ug+rwx,o+rx,g+s {} + + +- name: Setup files under /usr/local + become: true + command: find /usr/local -type f -exec chmod ug+rwX,o+rX {} + + +- name: Setup /usr/local/src + become: true + file: + path: /usr/local/src + state: directory + owner: phd + group: wheel + recurse: yes 
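Review bot: `Upgrade Python packages` in python.yml runs `pip install --upgrade` as root into the system site-packages of both interpreters, which typically replaces the rpm-owned pip/setuptools files the previous task just installed and pulls tox, virtualenv, virtualenvwrapper, flake8, sphinx and twine from PyPI at whatever version is current; the only pins are the `pip < 19.1` and `wheel < 0.31.1` ceilings. From a supply-chain standpoint that is unpinned third-party code installed with root privileges on every Python package upgrade (`when: python.changed`). Installing with `--user` for phd or into a virtualenv, and pinning versions (ideally with `--require-hashes`), keeps dnf's files intact and makes the installed set reproducible; if the system-wide install is deliberate, a comment stating that and why should accompany the task.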
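Review bot: `Setup directories under /usr/local` and the task after it make the whole of `/usr/local` group-writable for `wheel` (`chmod ug+rwx,o+rx,g+s` on directories, `ug+rwX` on files), and `/usr/local/bin` and `/usr/local/sbin` are normally on root's PATH on Fedora, so any wheel member can place a binary that root will execute without passing through sudo's logging. Given that the sudo role grants phd `NOPASSWD: ALL` anyway this may be an acceptable trust decision, but it should be stated in the init-system2 README rather than left implicit. Minor: `chown root.wheel` uses the deprecated dot separator; `chown root:wheel` is the documented form.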
diff --git a/playbooks/redhat/roles/logcheck/README.txt b/playbooks/redhat/roles/logcheck/README.txt new file mode 100644 index 0000000..670499d --- /dev/null +++ b/playbooks/redhat/roles/logcheck/README.txt @@ -0,0 +1 @@ +Update logcheck ignore patterns. diff --git a/playbooks/redhat/roles/logcheck/files/.gitignore b/playbooks/redhat/roles/logcheck/files/.gitignore new file mode 100644 index 0000000..f8a9fd0 --- /dev/null +++ b/playbooks/redhat/roles/logcheck/files/.gitignore @@ -0,0 +1 @@ +ignore.d/local-dhcpd diff --git a/playbooks/redhat/roles/logcheck/files/ignore.d/local-bluetooth b/playbooks/redhat/roles/logcheck/files/ignore.d/local-bluetooth new file mode 100644 index 0000000..119a65e --- /dev/null +++ b/playbooks/redhat/roles/logcheck/files/ignore.d/local-bluetooth @@ -0,0 +1 @@ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ bluetoothd\[[0-9]+\]: Endpoint (un)?registered: sender=:[0-9.]+ path=/MediaEndpoint/ diff --git a/playbooks/redhat/roles/logcheck/files/ignore.d/local-console-kit-daemon b/playbooks/redhat/roles/logcheck/files/ignore.d/local-console-kit-daemon new file mode 100644 index 0000000..1169ef9 --- /dev/null +++ b/playbooks/redhat/roles/logcheck/files/ignore.d/local-console-kit-daemon @@ -0,0 +1,2 @@ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ console-kit-daemon\[[0-9]+\]: GLib-CRITICAL: Source ID [0-9]+ was not found when attempting to remove it$ + diff --git a/playbooks/redhat/roles/logcheck/files/ignore.d/local-dbus b/playbooks/redhat/roles/logcheck/files/ignore.d/local-dbus new file mode 100644 index 0000000..7661db8 --- /dev/null +++ b/playbooks/redhat/roles/logcheck/files/ignore.d/local-dbus @@ -0,0 +1,3 @@ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dbus\[[0-9]+\]: \[system\] Activating service name='org\.freedesktop\.UDisks' \(using servicehelper\)$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dbus\[[0-9]+\]: \[system\] Successfully activated service 'org\.freedesktop\.UDisks'$ + 
diff --git a/playbooks/redhat/roles/logcheck/files/ignore.d/local-firefox b/playbooks/redhat/roles/logcheck/files/ignore.d/local-firefox new file mode 100644 index 0000000..620f89a --- /dev/null +++ b/playbooks/redhat/roles/logcheck/files/ignore.d/local-firefox @@ -0,0 +1 @@ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ firefox: getaddrinfo\*\.gaih_getanswer: got type "DNAME"$ diff --git a/playbooks/redhat/roles/logcheck/files/ignore.d/local-kernel b/playbooks/redhat/roles/logcheck/files/ignore.d/local-kernel new file mode 100644 index 0000000..d200924 --- /dev/null +++ b/playbooks/redhat/roles/logcheck/files/ignore.d/local-kernel @@ -0,0 +1,6 @@ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: \[[ 0-9.]+\] CIFS VFS: Server [0-9.]+ has not responded in 120 seconds\. Reconnecting\.\.\. +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: \[[ 0-9.]+\] Peer [0-9.:/]+ unexpectedly shrunk window [0-9]+:[0-9]+ \(repaired\)$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: \[[ 0-9.]+\] TCP: request_sock_TCP: Possible SYN flooding on port [0-9]+\. Sending cookies\. Check SNMP counters\. +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: \[[ 0-9.]+\] ncpfs: ncp_evict_inode: could not close +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: \[[ 0-9.]+\] net_ratelimit: [0-9]+ callbacks suppressed$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: \[[ 0-9.]+\] perf: interrupt took too long diff --git a/playbooks/redhat/roles/logcheck/files/ignore.d/local-minidsspd b/playbooks/redhat/roles/logcheck/files/ignore.d/local-minidsspd new file mode 100644 index 0000000..7d22d5d --- /dev/null +++ b/playbooks/redhat/roles/logcheck/files/ignore.d/local-minidsspd @@ -0,0 +1 @@ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ minissdpd\[[0-9]+\]: method , don't know what to do diff --git a/playbooks/redhat/roles/logcheck/files/ignore.d/local-named b/playbooks/redhat/roles/logcheck/files/ignore.d/local-named new file mode 100644 index 0000000..634a8cb --- /dev/null +++ b/playbooks/redhat/roles/logcheck/files/ignore.d/local-named 
@@ -0,0 +1,6 @@ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: DNS format error from ([0-9]{1,3}\.){3}[0-9]{1,3}#[0-9]{1,5} resolving +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client ([0-9]{1,3}\.){3}[0-9]{1,3}#[0-9]{1,5}: message parsing failed +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client ([0-9]{1,3}\.){3}[0-9]{1,3}#[0-9]{1,5} \([._[:alnum:]-]+\): query (\(cache\) )?'.+' denied +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client 192\.168\.3\.20#[0-9]+ \([._[:alnum:]-]+\): error sending response: host unreachable$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: clients-per-query (de|in)creased to +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: skipping nameserver '[A-Za-z0-9._-]+' because it is a CNAME, while resolving diff --git a/playbooks/redhat/roles/logcheck/files/ignore.d/local-pa b/playbooks/redhat/roles/logcheck/files/ignore.d/local-pa new file mode 100644 index 0000000..679db46 --- /dev/null +++ b/playbooks/redhat/roles/logcheck/files/ignore.d/local-pa @@ -0,0 +1,3 @@ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pulseaudio\[[[:digit:]]+\]: \[alsa-(sink|source)-ALC269VC Analog\] alsa-(sink|source)\.c: ALSA woke us up to (read|write) new data (from|to) the device, but there was actually nothing to (read|write)!$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pulseaudio\[[[:digit:]]+\]: \[alsa-(sink|source)-ALC269VC Analog\] alsa-(sink|source)\.c: Most likely this is a bug in the ALSA driver 'snd_hda_intel'\. Please report this issue to the ALSA developers\.$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pulseaudio\[[[:digit:]]+\]: \[alsa-(sink|source)-ALC269VC Analog\] alsa-(sink|source)\.c: We were woken up with POLL(IN|OUT) set -- however a subsequent snd_pcm_avail\(\) returned 0 or another value < min_avail.$ diff --git a/playbooks/redhat/roles/logcheck/files/ignore.d/local-postgres b/playbooks/redhat/roles/logcheck/files/ignore.d/local-postgres new file mode 100644 index 0000000..2fbc57d --- /dev/null 
+++ b/playbooks/redhat/roles/logcheck/files/ignore.d/local-postgres @@ -0,0 +1 @@ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: \[[ .0-9]{11,13}\] postgres \([0-9]+\): /proc/[0-9]+/oom_adj is deprecated, please use /proc/[0-9]+/oom_score_adj instead\. diff --git a/playbooks/redhat/roles/logcheck/files/ignore.d/local-rsyslog b/playbooks/redhat/roles/logcheck/files/ignore.d/local-rsyslog new file mode 100644 index 0000000..f7be8aa --- /dev/null +++ b/playbooks/redhat/roles/logcheck/files/ignore.d/local-rsyslog @@ -0,0 +1,2 @@ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (liblogging-stdlog|rsyslogd): {1,2}\[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] rsyslogd was HUPed$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd[0-9-]+: action 'action 17' (suspended|resumed) diff --git a/playbooks/redhat/roles/logcheck/files/ignore.d/local-runuser b/playbooks/redhat/roles/logcheck/files/ignore.d/local-runuser new file mode 100644 index 0000000..b0bb7ad --- /dev/null +++ b/playbooks/redhat/roles/logcheck/files/ignore.d/local-runuser @@ -0,0 +1 @@ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ runuser: pam_unix\(runuser:session\): session (opened|closed) for user nobody diff --git a/playbooks/redhat/roles/logcheck/files/ignore.d/local-samba b/playbooks/redhat/roles/logcheck/files/ignore.d/local-samba new file mode 100644 index 0000000..8c6c053 --- /dev/null +++ b/playbooks/redhat/roles/logcheck/files/ignore.d/local-samba @@ -0,0 +1,2 @@ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd: pam_unix\(samba:session\): session opened for user +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd: pam_unix\(samba:session\): session closed for user diff --git a/playbooks/redhat/roles/logcheck/files/ignore.d/local-spamassassin b/playbooks/redhat/roles/logcheck/files/ignore.d/local-spamassassin new file mode 100644 index 0000000..7101aa0 --- /dev/null +++ b/playbooks/redhat/roles/logcheck/files/ignore.d/local-spamassassin 
@@ -0,0 +1,4 @@ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: dns: new_dns_packet: domain is utf8 flagged: +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: prefork: adjust: +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: handled cleanup of child +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: result: diff --git a/playbooks/redhat/roles/logcheck/files/ignore.d/local-ssh b/playbooks/redhat/roles/logcheck/files/ignore.d/local-ssh new file mode 100644 index 0000000..ae96ad6 --- /dev/null +++ b/playbooks/redhat/roles/logcheck/files/ignore.d/local-ssh 
@@ -0,0 +1,18 @@ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: (error: )?Received disconnect from +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: (packet_write_wait|ssh_dispatch_run_fatal): Connection from ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+: Broken pipe \[preauth\] +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Bad protocol version identification +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Connection (closed|reset) by ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+ \[preauth\] +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Did not receive identification string from ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Disconnected from ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+ \[preauth\] +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Disconnecting: Change of username or service not allowed: +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Disconnecting: Too many authentication failures +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for invalid user.+from ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Invalid user.+from ([0-9]{1,3}\.){3}[0-9]{1,3} +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: PAM service\(sshd\) ignoring max retries +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Unable to negotiate with ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+: no matching (host key type|key exchange method) found\. +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: fatal: (Read from socket|Write) failed: Connection reset by peer +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: fatal: Unable to negotiate a key exchange method \[preauth\]$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: fatal: no hostkey alg \[preauth\] +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: input_userauth_request: invalid user.+\[preauth\]$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: pam_unix(sshd:auth): bad username + 
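Review bot: The last pattern in local-ssh, `pam_unix(sshd:auth): bad username`, leaves the parentheses unescaped, so in the extended regex logcheck uses they form a group and the rule matches `pam_unixsshd:auth`, never the literal log text; the sibling files escape them (`pam_unix\(samba:session\)` in local-samba, `pam_unix\(runuser:session\)` in local-runuser), so this line should read `pam_unix\(sshd:auth\): bad username`. More broadly, the `Failed password for invalid user`, `Invalid user` and `Too many authentication failures` rules suppress exactly the lines that reveal a brute-force attempt in logcheck's reports; with fail2ban doing the banning that may be the intended trade-off, but it should be recorded (in the logcheck role README, or as a comment line if this logcheck version skips `#` lines) so the suppression is a reviewable decision rather than an accident.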
diff --git a/playbooks/redhat/roles/logcheck/files/ignore.d/local-transmission b/playbooks/redhat/roles/logcheck/files/ignore.d/local-transmission new file mode 100644 index 0000000..c75af02 --- /dev/null +++ b/playbooks/redhat/roles/logcheck/files/ignore.d/local-transmission @@ -0,0 +1 @@ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ transmission-daemon\[[0-9]+\]: UDP Failed to set (send|receive) buffer: diff --git a/playbooks/redhat/roles/logcheck/tasks/main.yml b/playbooks/redhat/roles/logcheck/tasks/main.yml new file mode 100644 index 0000000..727d4ff --- /dev/null +++ b/playbooks/redhat/roles/logcheck/tasks/main.yml @@ -0,0 +1,25 @@ +- name: Install logcheck + become: true + dnf: + name: logcheck + state: latest + update_cache: yes + +- name: Configure logcheck + become: true + lineinfile: + path: /etc/logcheck/logcheck.conf + regexp: "^INTRO=0$" + line: "INTRO=0" + insertafter: "^#INTRO=1$" + +- name: Update logcheck ignore patterns + become: true + copy: + src: ignore.d/ + dest: "/etc/logcheck/ignore.d.{{ item }}" + owner: root + group: logcheck + directory_mode: '0750' + mode: 0640 + loop: ['server', 'workstation'] diff --git a/playbooks/redhat/roles/packages/README.txt b/playbooks/redhat/roles/packages/README.txt new file mode 100644 index 0000000..f68b96d --- /dev/null +++ b/playbooks/redhat/roles/packages/README.txt @@ -0,0 +1 @@ +Install RPM packages. diff --git a/playbooks/redhat/roles/packages/tasks/main.yml b/playbooks/redhat/roles/packages/tasks/main.yml new file mode 100644 index 0000000..af8cc80 --- /dev/null +++ b/playbooks/redhat/roles/packages/tasks/main.yml @@ -0,0 +1,8 @@ +- name: Install software packages + become: true + dnf: + name: ['adjtimex', 'arj', 'mailx', 'elinks', 'fetchmail', 'links', + 'lzip', 'lzma', 'lzop', 'p7zip', 'xz', + ] + state: latest + update_cache: yes diff --git a/playbooks/redhat/roles/phd/README.txt b/playbooks/redhat/roles/phd/README.txt new file mode 100644 index 0000000..84c7fa3 --- /dev/null 
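Review bot: `Configure logcheck` uses `regexp: "^INTRO=0$"`, which only matches the line it is about to write; if `logcheck.conf` already has an active `INTRO=1`, lineinfile leaves it in place and adds a second `INTRO=` line after the commented `#INTRO=1`, and which value applies then depends on their order in the file. `regexp: "^#?INTRO="` replaces any existing setting, commented or not. Also `mode: 0640` is an unquoted octal while `directory_mode: '0750'` two lines above is quoted; Ansible accepts both, but the file should pick one, and the quoted form is the one that survives a YAML 1.2 parser that no longer treats a leading zero as octal.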
+++ b/playbooks/redhat/roles/phd/README.txt @@ -0,0 +1,2 @@ +Init remote user phd: create system and user groups, create the user, +upload SSH public key. diff --git a/playbooks/redhat/roles/phd/defaults/main.yml b/playbooks/redhat/roles/phd/defaults/main.yml new file mode 100644 index 0000000..1e4d321 --- /dev/null +++ b/playbooks/redhat/roles/phd/defaults/main.yml @@ -0,0 +1 @@ +system_groups: root,wheel,adm,disk,cdrom,floppy,audio,video,users,mail,input diff --git a/playbooks/redhat/roles/phd/meta/main.yml b/playbooks/redhat/roles/phd/meta/main.yml new file mode 100644 index 0000000..8f82bb2 --- /dev/null +++ b/playbooks/redhat/roles/phd/meta/main.yml @@ -0,0 +1 @@ +dependencies: ['init-system'] diff --git a/playbooks/redhat/roles/phd/tasks/main.yml b/playbooks/redhat/roles/phd/tasks/main.yml new file mode 100644 index 0000000..8ed988b --- /dev/null +++ b/playbooks/redhat/roles/phd/tasks/main.yml 
@@ -0,0 +1,50 @@
+- name: Test if user phd already exists
+ stat:
+ path: "{{ item }}"
+ register: phd_exists
+ changed_when: not phd_exists.stat.exists
+ loop: ['~/.profile', '~/.shellrc']
+
+- debug:
+ msg: "User phd has already been created"
+ when: phd_exists.results|selectattr('stat.exists')|list|length == 2
+
+- name: Create and setup user phd
+ block:
+ - name: Create system groups
+ become: true
+ group:
+ name: "{{ item }}"
+ system: true
+ loop: "{{ system_groups.split(',') }}"
+
+ - name: Create group phd
+ become: true
+ group:
+ name: phd
+
+ - name: Add user phd
+ become: true
+ user:
+ name: phd
+ group: phd
+ groups: "{{ system_groups }}"
+
+ - name: Remove mc directories
+ file:
+ path: "{{ item }}"
+ state: absent
+ loop: ['~/.cache/mc', '~/.config/mc', '~/.local/share/mc']
+
+ - name: Upload and extract home archive
+ unarchive:
+ src: ~/archive/STORE/phd/Home/phd.tar.bz2
+ dest: /home
+ when: phd_exists.results|selectattr('stat.exists')|list|length != 2
+
+- name: Add alias
+ become: true
+ lineinfile:
+ path: /etc/aliases
+ regexp: "^root: phd$"
+ line: "root: phd"
diff --git a/playbooks/redhat/roles/sudo/README.txt b/playbooks/redhat/roles/sudo/README.txt
new file mode 100644
index 0000000..9d2929b
--- /dev/null
+++ b/playbooks/redhat/roles/sudo/README.txt
@@ -0,0 +1 @@
+Init sudo: install sudo, add user phd, allow passwordless operations.
diff --git a/playbooks/redhat/roles/sudo/meta/main.yml b/playbooks/redhat/roles/sudo/meta/main.yml
new file mode 100644
index 0000000..8f82bb2
--- /dev/null
+++ b/playbooks/redhat/roles/sudo/meta/main.yml
@@ -0,0 +1 @@
+dependencies: ['init-system']
diff --git a/playbooks/redhat/roles/sudo/tasks/main.yml b/playbooks/redhat/roles/sudo/tasks/main.yml
new file mode 100644
index 0000000..469b9ae
--- /dev/null
+++ b/playbooks/redhat/roles/sudo/tasks/main.yml
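Review bot: `Add alias` edits `/etc/aliases` but nothing rebuilds the aliases database, so with sendmail or postfix the `root: phd` redirect does not take effect until `newaliases` runs; add `notify: newaliases` to the task with a handler that runs `command: newaliases`. Two smaller points: `Test if user phd already exists` stats `~/.profile` and `~/.shellrc` in the connecting user's home, which only stands in for the phd account when the connection user is phd (the wrapper script does not pin `ansible_user`), so a short comment on that assumption would help the next reader; and `Add user phd` places the account in `root` and `disk` via `system_groups`, which is root-equivalent even before the sudo role grants NOPASSWD — fine if deliberate, but the phd README should say so.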
@@ -0,0 +1,8 @@
+- name: Allow passwordless operations for phd
+ become: true
+ copy:
+ content: 'phd ALL=(ALL:ALL) NOPASSWD: ALL'
+ dest: /etc/sudoers.d/phd
+ owner: root
+ group: root
+ mode: 0640
diff --git a/playbooks/redhat/update-all-dnf.yml b/playbooks/redhat/update-all-dnf.yml
new file mode 100644
index 0000000..fee790a
--- /dev/null
+++ b/playbooks/redhat/update-all-dnf.yml
@@ -0,0 +1,10 @@
+- name: Update RPM systems with dnf
+ hosts: "{{ hosts | default('all') }}"
+ become: yes
+ gather_facts: false
+ tasks:
+ - name: Update system using dnf
+ dnf:
+ name: "*"
+ state: latest
+ update_cache: yes
diff --git a/playbooks/redhat/update-root.yml b/playbooks/redhat/update-root.yml
new file mode 100644
index 0000000..1deda04
--- /dev/null
+++ b/playbooks/redhat/update-root.yml
@@ -0,0 +1,42 @@
+- name: "Update ~root from ~phd"
+ hosts: "{{ hosts | default('all') }}"
+ become: yes
+ gather_facts: false
+ tasks:
+ - name: "Update ~root - sync directories from ~phd"
+ synchronize:
+ src: "~phd/{{ item }}"
+ dest: ~root
+ archive: no # avoid setting owner/group
+ recursive: yes
+ links: yes
+ times: yes
+ delegate_to: "{{ inventory_hostname }}"
+ loop: ['.vim', 'bin', 'lib']
+
+ - name: "Update ~root - sync files from ~phd"
+ copy:
+ src: "~phd/{{ item }}"
+ remote_src: yes
+ dest: ~root
+ owner: root
+ group: root
+ mode: "0600"
+ force: no
+ loop: ['.bashrc', 'admin/home/root/.profile',
+ '.bash_logout', '.inputrc', '.less', '.lesskey',
+ '.screenrc', '.shellrc', '.tmux.conf', '.vimrc',
+ ]
+
+ - name: "Update root mc - overwrite files from ~phd/admin"
+ become: true
+ copy:
+ src: "~phd/admin/home/root/.mc/{{ item }}"
+ remote_src: yes
+ dest: ~root/.mc
+ owner: root
+ group: root
+ mode: "0600"
+ force: no
+ loop: ['hotlist', 'ini', 'panels.ini']
+
diff --git a/vbox-inventory b/vbox-inventory
index 1383329..6d49280 100644
--- a/vbox-inventory
+++ b/vbox-inventory
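Review bot: `Allow passwordless operations for phd` writes a sudoers fragment with `copy` and no `validate`, so a typo in `content` can leave an unparsable file in `/etc/sudoers.d` and sudo then refuses to run at all until it is fixed by hand; add `validate: /usr/sbin/visudo -cf %s` so a broken fragment is rejected before it lands. The fragment also lacks a trailing newline and is written with `mode: 0640`, whereas sudo's convention for sudoers files is 0440; `content: "phd ALL=(ALL:ALL) NOPASSWD: ALL\n"` and `mode: '0440'` match what visudo itself would produce. The grant is `NOPASSWD: ALL`, which the README states as the intent; it does mean the phd SSH credential is the only control on root on these hosts, so the sshd role's settings are what actually bound it.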
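Review bot: `Update root mc - overwrite files from ~phd/admin` copies three files to `dest: ~root/.mc` with `force: no`; if `~root/.mc` does not exist yet, copy treats that path as the target filename, `hotlist` becomes a regular file called `.mc`, and the remaining loop items are skipped because the destination "exists". Creating the directory first (a `file: path: ~root/.mc state: directory mode: '0700'` task) or writing `dest: ~root/.mc/` makes the target unambiguous. The `force: no` on both copy tasks also means a play called "Update" only ever seeds files that are missing; if that is the intent the task names and a comment should say "seed", otherwise drop `force: no`. `become: true` on that task is redundant under the play-level `become: yes`.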
@@ -1,2 +1,3 @@ -vbox9 ansible_host=localhost ansible_port=2022 debian_distr=stretch debian_mirror=http://mirror.yandex.ru/debian -vbox10 ansible_host=localhost ansible_port=2022 debian_distr=buster debian_mirror=https://mirror.yandex.ru/debian +vbox-d9 ansible_host=localhost ansible_port=2022 debian_distr=stretch debian_mirror=http://mirror.yandex.ru/debian +vbox-d10 ansible_host=localhost ansible_port=2022 debian_distr=buster debian_mirror=https://mirror.yandex.ru/debian +vbox-f30-64 ansible_host=localhost ansible_port=2022