diff --git a/README.md b/README.md index 2729393..b2761d7 100644 --- a/README.md +++ b/README.md @@ -81,6 +81,7 @@ The Goal is to evenually be able to be a turnkey solution to spin up a "real" ne * execute _**sudo apt install -y ansible sshpass git**_ * execute _**git clone ssh://ansibledemo@96.82.16.164:/srv/git/ansible.git**_ - pw C*******9 * execute _**cd ansible**_ + * execute _**ansible-galaxy collection install -r requirements.yml**_ * execute _**nano hosts**_ and follow the instructions in that file to add all of your Pi devices * execute _**ssh-keygen -t rsa**_ you will need to press enter three times to accept the defaults * execute _**PUBKEY="'$(<~/.ssh/id_rsa.pub)'" && ansible-playbook -i hosts deploy_authorized_keys.yml --ask-pass --extra-vars="pubkey=$PUBKEY"**_ it will prompt for the password which is still 'raspberry diff --git a/requirements.yml b/requirements.yml index 8eddb1e..adb72c1 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,2 +1,2 @@ -- name: mikolak-net.raspi_config - +collections: +- ansible.posix diff --git a/roles/common/vars/os_Debian_10.yml b/roles/common/vars/os_Debian_10.yml new file mode 100644 index 0000000..e13cfb9 --- /dev/null +++ b/roles/common/vars/os_Debian_10.yml @@ -0,0 +1,9 @@ +--- +dependency_packages: + - vim + - mc + - aptitude + - mtr + - screen + - cockpit-storaged + - cockpit diff --git a/roles/role-samba4-ad-member/defaults/main.yml b/roles/role-samba4-ad-member/defaults/main.yml index bdfc667..6296819 100755 --- a/roles/role-samba4-ad-member/defaults/main.yml +++ b/roles/role-samba4-ad-member/defaults/main.yml @@ -53,3 +53,11 @@ smb_multicastdns : 'no' smb_dnssec : 'no' smb_cache : 'yes' smb_dnsstublistener : 'yes' + +#share defaults +public_share_name: share +public_share_path: /media/share +private_share_name: private +private_share_path: /media/private +samba_group_name: Domain\ Users + 
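Review bot: The new `ansible.posix` entry in requirements.yml carries no version constraint, so `ansible-galaxy collection install -r requirements.yml` resolves to whatever is current on Galaxy at install time and two operators can end up with different module behaviour. Pin it with the mapping form, `- name: ansible.posix` / `version: "<tested version>"`. test.yml in the same commit also calls `community.windows.win_dns_record`, which is not declared here, so that playbook fails with an unresolved module on a fresh clone.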
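Review bot: `cockpit` and `cockpit-storaged` in the Debian 10 `dependency_packages` list pull a network-facing web console onto every host the common role touches, which is a wider exposure than the editors and diagnostics listed alongside them. If the console is only wanted on some hosts, gate it behind a variable (for example `when: install_cockpit | default(false)` on the install task) or move it to its own role, and add a comment above the list saying which hosts are meant to expose it.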
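Review bot: `samba_group_name: Domain\ Users` uses a shell-style escape that YAML does not process; the plain scalar keeps the backslash, so `group: "{{ samba_group_name }}"` in roles/role-samba4-ad-member/tasks/main.yml asks chown for a group literally named `Domain\ Users`, and `valid users = @{{ samba_group_name }}` in smb.conf.j2 renders the same string. The ACL task in that tasks file spells the group `domain\ users` inside double quotes (where `\ ` is a space), so the two paths disagree. Write `samba_group_name: 'Domain Users'` and confirm the exact name winbind exposes on the member (it depends on the winbind separator and default-domain settings) before using it as a POSIX group; a comment above the `#share defaults` block noting that these values are only meaningful after the host has joined the domain would also help.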
diff --git a/roles/role-samba4-ad-member/tasks/main.yml b/roles/role-samba4-ad-member/tasks/main.yml index 2b74bba..3e3dc9b 100644 --- a/roles/role-samba4-ad-member/tasks/main.yml +++ b/roles/role-samba4-ad-member/tasks/main.yml @@ -8,7 +8,18 @@ # Samba is the standard Windows interoperability # suite of programs for Linux and Unix. # - +- name: update hosts file + become: true + blockinfile: + dest: /etc/hosts + content: "{{ lookup('template', '{{ role_path }}/templates/hosts.j2') }}" + state: present + tags: update_hosts +- name: set hostname + become: true + hostname: + name: '{{ inventory_hostname }}' + tags: set_hostname - name: "IFor OS: Ubuntu 20.04LTS, Arch: amd64" import_tasks: ubt-2004-amd64.yml when: 
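Review bot: The `update hosts file` task builds the template path with a moustache nested inside the lookup string, `lookup('template', '{{ role_path }}/templates/hosts.j2')`; that appears to work only because Ansible re-templates lookup terms, and the idiomatic form is `lookup('template', 'hosts.j2')`, since the template lookup already searches the role's templates directory. The block has no `marker`, so the default `ANSIBLE MANAGED BLOCK` markers are used and any other role that writes a block into /etc/hosts collides with it; a role-specific `marker: "# {mark} ANSIBLE MANAGED BLOCK samba"` is safer. The `import_tasks` task that follows continues outside the hunk.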
@@ -26,3 +37,55 @@ when: - ansible_distribution_version == "18.04" - ansible_architecture == "x86_64" + +- name: "Check that {{ public_share_path }} exist" + stat: + path: "{{ public_share_path }}" + register: public_dir_exists + +- name: "Create {{ public_share_path }} directory" + become: yes + file: + state: directory + path: "{{ public_share_path }}" + owner: nobody + group: nogroup + mode: 0755 + recurse: yes + when: public_dir_exists.stat.exists == False + +- name: "Check that {{ private_share_path }} exist" + stat: + path: "{{ private_share_path }}" + register: private_dir_exists + +- name: "Create {{ private_share_path }} directory" + become: yes + file: + state: directory + path: "{{ private_share_path }}" + owner: root + group: "{{ samba_group_name }}" + mode: 1770 + when: private_dir_exists.stat.exists == False +- name: set acl's on public share + ansible.posix.acl: + path: "{{ public_share_path }}" + entry: "{{ item.entry }}" + state: present + with_items: + - { entry: "user::rwx" } + - { entry: "user:nobody:rwx" } + - { entry: "group::r-x" } + - { entry: "group:domain\ users:rwx" } + - { entry: "mask::rwx" } + - { entry: "other::r-x" } + - { entry: "default:user::rwx" } + - { entry: "default:user:administrator:rwx" } + - { entry: "default:group::r-x" } + - { entry: "default:group:domain\ users:rwx" } + - { entry: "default:group:nogroup:r-x" } + - { entry: "default:mask::rwx" } + - { entry: "default:other::r-x" } + + diff --git a/roles/role-samba4-ad-member/tasks/ubt-2004-amd64.yml b/roles/role-samba4-ad-member/tasks/ubt-2004-amd64.yml index 99f718d..c65f34d 100644 --- a/roles/role-samba4-ad-member/tasks/ubt-2004-amd64.yml +++ b/roles/role-samba4-ad-member/tasks/ubt-2004-amd64.yml @@ -59,7 +59,8 @@ - name: "Edit Fstab" replace: path: /etc/fstab - regexp: 'errors=remount-ro 0' + #regexp: 'errors=remount-ro 0' + regexp: 'defaults' replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0' backup: yes 
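Review bot: `mode: 1770` on the `Create {{ private_share_path }} directory` task is an unquoted YAML integer with no leading zero, so Ansible receives decimal 1770 rather than octal 1770 and the directory does not get the sticky, group-writable permissions intended; write `mode: "1770"` (and for consistency `mode: "0755"` on the public directory). roles/zabbix/tasks/main.yaml has the same form in `mode: 6755`. The `set acl's on public share` task lacks the `become: yes` its sibling `file` tasks carry, and setfacl on a root-owned `/media/share` needs it; it also hard-codes `domain\ users` and `administrator` where the other tasks use `samba_group_name`, so the two drift independently. The stat / `when: ... == False` pairs are redundant because `file: state: directory` is idempotent, and `when: not public_dir_exists.stat.exists` is the idiomatic spelling if the check stays.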
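Review bot: The fstab edit now matches the bare word `defaults` but keeps the replacement's trailing ` 0`, which the old `errors=remount-ro 0` pattern consumed; the root line therefore gains an extra field (`... relatime 0 0 1`), and any other fstab entry that uses `defaults` (swap, /boot, tmpfs) receives ext4-specific mount options as well. Anchor the pattern to the root filesystem and drop the ` 0`: `regexp: '^(\S+\s+/\s+\S+\s+)defaults\b'` and `replace: '\1user_xattr,acl,barrier=1,errors=remount-ro,relatime'`. roles/role-samba4-primary-ad-dc/tasks/ubuntu-2004-amd64.yml carries the identical hunk. The commented-out `#regexp:` line should be deleted rather than kept as dead text.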
diff --git a/roles/role-samba4-ad-member/templates/hosts.j2 b/roles/role-samba4-ad-member/templates/hosts.j2 new file mode 100644 index 0000000..05d3eca --- /dev/null +++ b/roles/role-samba4-ad-member/templates/hosts.j2 @@ -0,0 +1,8 @@ +{% for item in ansible_play_batch %} +{{ hostvars[item].ansible_host }} {{ item }}.demo.dsfinancial.com +{% endfor %} + +{% for item in ansible_play_batch %} +{{ hostvars[item].ansible_host }} {{ item }} +{% endfor %} + diff --git a/roles/role-samba4-ad-member/templates/smb.conf.j2 b/roles/role-samba4-ad-member/templates/smb.conf.j2 index c679df6..d438106 100755 --- a/roles/role-samba4-ad-member/templates/smb.conf.j2 +++ b/roles/role-samba4-ad-member/templates/smb.conf.j2 @@ -21,3 +21,24 @@ winbind offline logon = yes vfs objects = acl_xattr map acl inherit = Yes store dos attributes = Yes + +#### Public Share #### +[{{ public_share_name }}] + path = {{ public_share_path }} + browsable =yes + writable = yes + guest ok = yes + read only = no + acl_xattr:ignore system acl = yes + +#### Private Share #### +[{{ private_share_name }}] + path = {{ private_share_path }} + valid users = @{{ samba_group_name }} + guest ok = no + writable = yes + browsable = yes + create mask = 0700 + directory mask = 0700 + acl_xattr:ignore system acl = yes + diff --git a/roles/role-samba4-primary-ad-dc/tasks/ubuntu-2004-amd64.yml b/roles/role-samba4-primary-ad-dc/tasks/ubuntu-2004-amd64.yml index c872746..cbf88ab 100644 --- a/roles/role-samba4-primary-ad-dc/tasks/ubuntu-2004-amd64.yml +++ b/roles/role-samba4-primary-ad-dc/tasks/ubuntu-2004-amd64.yml @@ -128,7 +128,8 @@ - name: "Edit Fstab" replace: path: /etc/fstab - regexp: 'errors=remount-ro 0' + #regexp: 'errors=remount-ro 0' + regexp: 'defaults' replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0' backup: yes @@ -147,4 +148,4 @@ - udp - name: "Ubuntu login" - import_tasks: ubuntu-1804-amd64-login.yml \ No newline at end of file + import_tasks: ubuntu-1804-amd64-login.yml 
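Review bot: hosts.j2 hard-codes the `demo.dsfinancial.com` suffix while the playbooks in this commit set `smb_realm` to `VSRAPOC.DSFINANCIAL.COMCAST.NET`, so the FQDN written to /etc/hosts on every member will not match the realm the join and Kerberos lookups use; derive it from the variable, `{{ hostvars[item].ansible_host }} {{ item }}.{{ smb_realm | lower }}`. The block is rendered from `ansible_play_batch`, so a run with `--limit` rewrites the block with only the limited hosts and silently drops the others. `hostvars[item].ansible_host` is undefined for inventory entries without an explicit `ansible_host`, which fails the template. roles/role-samba4-primary-ad-dc/templates/hosts.j2 is a byte-identical copy; one shared template iterating a fixed inventory group would avoid both the duplication and the batch dependence.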
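Review bot: The new `[{{ private_share_name }}]` stanza combines group-based `valid users = @{{ samba_group_name }}` with `create mask = 0700` and `directory mask = 0700`, so a file one member writes is unreadable by the other members of the same group, which contradicts the group-writable `1770` directory the tasks create; `0660`/`0770` matches the intent. With `samba_group_name` defaulting to `Domain\ Users` the line renders as `valid users = @Domain\ Users`, which is a shell escape rather than smb.conf syntax; check the rendered value with `testparm`. As I read `acl_xattr:ignore system acl = yes`, Samba's own NT-ACL handling rather than the POSIX ACLs the tasks set governs what the guest-writable public share (`guest ok = yes`, `writable = yes`) presents, so a one-line comment stating that the public share is intentionally anonymous and writable would stop the next reader from treating it as an oversight. Minor: `browsable =yes` is missing the space before `yes`.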
diff --git a/roles/role-samba4-primary-ad-dc/templates/hosts.j2 b/roles/role-samba4-primary-ad-dc/templates/hosts.j2 new file mode 100644 index 0000000..95d082f --- /dev/null +++ b/roles/role-samba4-primary-ad-dc/templates/hosts.j2 @@ -0,0 +1,7 @@ +{% for item in ansible_play_batch %} +{{ hostvars[item].ansible_host }} {{ item }}.demo.dsfinancial.com +{% endfor %} + +{% for item in ansible_play_batch %} +{{ hostvars[item].ansible_host }} {{ item }} +{% endfor %} diff --git a/roles/zabbix/files/check_updates.sh b/roles/zabbix/files/check_updates.sh new file mode 100644 index 0000000..4812b60 --- /dev/null +++ b/roles/zabbix/files/check_updates.sh 
@@ -0,0 +1,96 @@ +#!/usr/bin/env bash +# From https://github.com/kvz/bash3boilerplate +# Require at least bash 3.x +if [[ "${BASH_VERSINFO[0]}" -lt "3" ]]; then echo "bash version < 3"; exit 1; fi + +# Exit on error. Append || true if you expect an error. +set -o errexit +set -o nounset + +# Bash will remember and return the highest exit code in a chain of pipes. +set -o pipefail + +PATH=/bin:/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin + +timestamp_file="/run/zabbix/caendra_check_update" +update_interval="86400" # 1 day +timestamp_file_mtime="0" +os="" +epoch=$(date "+%s") +tmpfile=$( mktemp --tmpdir=/run/zabbix ) +outfile="/run/zabbix/zabbix.count.updates" + +function _detectOS { + if [[ -e /etc/centos-release ]]; then + export os="centos" + fi + if [[ -e /etc/debian_version ]]; then + export os="debian" + fi +} + +function _check_last_update { + if [[ ! -e $timestamp_file ]]; then + export update_needed=y + touch $timestamp_file + else + timestamp_file_mtime=$(stat -c %Y $timestamp_file ) + fi + + if [[ "$((epoch-timestamp_file_mtime))" -gt "$update_interval" ]]; then + export update_needed=y + else + export update_needed=n + fi +} + + +function _check_OS_upgrades { + if [[ "$os" == "debian" ]]; then + if [[ "$update_needed" == "y" ]]; then + apt update &>/dev/null + touch $timestamp_file + fi + + pkg_to_update=$((apt-get upgrade --simulate 2>&1 | wc -l) || true) + pkg_to_update=$((pkg_to_update-5)) + fi + +if [[ "$os" == "centos" ]]; then + if [[ ! -e /var/cache/yum/x86_64/7/base/repomd.xml ]]; then + # if the repomd.xml file does not exists, + # we assume that this is a new machine + # or "yum clean all" was run + export update_needed="y" + fi + + if [[ "$update_needed" == "y" ]]; then + # forced true as the --assumeno option + # always returns exit code 1 + yum upgrade --assumeno &> /dev/null || true + touch $timestamp_file + fi + + yum_output=$(yum check-update --cacheonly && rc=$? 
|| rc=$?; echo "rc=$rc" > $tmpfile) + source $tmpfile + rm $tmpfile + + if [[ "$rc" == "0" ]]; then + pkg_to_update="0" + fi + + if [[ "$rc" == "100" ]]; then + pkg_to_update=$(echo "$yum_output" | egrep -v '^(Load| \*|$)' | wc -l) + fi + fi +} + + +_detectOS +_check_last_update + +pkg_to_update="" + +_check_OS_upgrades + +echo "$pkg_to_update" > $outfile diff --git a/roles/zabbix/files/zabbix-release_4.0-3+focal_all.deb b/roles/zabbix/files/zabbix-release_4.0-3+focal_all.deb new file mode 100644 index 0000000..c7029c2 Binary files /dev/null and b/roles/zabbix/files/zabbix-release_4.0-3+focal_all.deb differ diff --git a/roles/zabbix/files/zbx-reboot-required.sh b/roles/zabbix/files/zbx-reboot-required.sh new file mode 100644 index 0000000..b7b3c75 --- /dev/null +++ b/roles/zabbix/files/zbx-reboot-required.sh 
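Review bot: In `_check_OS_upgrades` the yum branch captures `rc` by writing `rc=...` into a mktemp file under /run/zabbix and then `source`-ing it as root (the cron entry in roles/zabbix/tasks/main.yaml runs this script as root); /run/zabbix is presumably the agent's runtime directory owned by the zabbix account, so a privileged shell is evaluating a file that lives in a directory an unprivileged service user controls. Capture the status directly instead, `yum_output=$(yum check-update --cacheonly) && rc=0 || rc=$?`, and the `tmpfile`, `source` and `rm` lines go away. The `mktemp` at the top also runs on every invocation while `rm $tmpfile` happens only in the yum branch, so on Debian each 30-minute run leaves a new file behind in /run/zabbix. `pkg_to_update=$((apt-get upgrade --simulate 2>&1 | wc -l) || true)` relies on bash falling back from arithmetic expansion to a command substitution; write it as `$( (apt-get upgrade --simulate 2>&1 | wc -l) || true )`, and the `-5` header subtraction is fragile since `apt-get --simulate` prints one `Inst` line per package that can be counted with `grep -c '^Inst'` instead.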
@@ -0,0 +1,334 @@ +#!/usr/bin/env sh + +usage() { + echo "Usage: $(basename "$0") [-K|-s|-k]" + echo + echo "-K: Output the current kernel flavor" + echo "-k: Only check for updated kernel version (default: enabled)" + echo "-s: Check whether services need to be restarted (default: enabled)" +} + +_chroot() { + if test -e /.dockerenv + then + sudo -E chroot /rootfs bash -c "$*" + else + eval "$@" + fi +} + +arch_current_version() { + # Remove the kernel flavor at the end + # 5.4.22-1-lts -> 5.4.22-1 + _chroot uname -r | sed 's/-[^0-9]*$//' +} + +archarm_current_version() { + arch_current_version +} + +openwrt_current_version() { + uname -r +} + +fedora_current_version() { + # Remove the Fedora version and arch at the end + # 5.5.5-200.fc31.x86_64 -> 5.5.5-200 + uname -r | sed -r 's/.fc[0-9]+.*//' +} + +ubuntu_current_version() { + arch_current_version +} + +raspbian_current_version() { + # Remove the architecture at the end + # 4.19.97-v7+ -> 4.19.97 + uname -r | sed -r 's/-v.+$//' +} + +arch_latest_installed() { + local package + + case "$1" in + LTS) + package=linux-lts + ;; + VFIO) + package=linux-vfio + ;; + *) + package=linux + ;; + esac + _chroot pacman -Qi "$package" | awk '/Version/ {print $3}' +} + +archarm_latest_installed() { + local package + + case "$1" in + *) + package=linux-raspberrypi + ;; + esac + _chroot pacman -Qi "$package" | awk '/Version/ {print $3}' +} + +openwrt_latest_installed() { + _chroot sudo opkg list-installed | awk '/kernel - / {print $NF}' | cut -d - -f 1 +} + +fedora_latest_installed() { + _chroot dnf list installed kernel | \ + awk '{ print $2 }' | sort -rn | head -1 | sed -r 's/.fc[0-9]+$//g' +} + +raspbian_latest_installed() { + local val + local kernel_file + + case "$(uname -a)" in + armv7l) + kernel_file="/boot/kernel7.img" + ;; + aarch64) + kernel_file="/boot/kernel8.img" + ;; + *) + kernel_file="/boot/kernel7l.img" + ;; + esac + + if _chroot test -e /usr/lib/needrestart/vmlinuz-get-version + then + val="$(_chroot 
/usr/lib/needrestart/vmlinuz-get-version "$kernel_file")" + # echo "Unable to determine current kernel version. Please install needrestart." >&2 + else + # Download latest vmlinuz-get-version + _chroot curl -qqsL -o /tmp/vmlinuz-get-version \ + https://github.com/liske/needrestart/raw/master/lib/vmlinuz-get-version + val="$(_chroot bash /tmp/vmlinuz-get-version "$kernel_file")" + _chroot rm /tmp/vmlinuz-get-version + fi + # Extract version + # Linux version 4.19.97-v7+ (dom@buildbot) (gcc version[...] -> 4.19.97 + # Linux version 4.19.97+ (dom@buildbot) (gcc version[...] -> 4.19.97 + echo "$val" | sed -n -r 's/Linux version ([0-9.]+)[-+]v?.*/\1/p' +} + +ubuntu_latest_installed() { + _chroot dpkg --list | grep linux-image | \ + grep -v 'linux-image-generic' | \ + awk '{ print $2 }' | \ + sort -nr -k 4 -t '-' | head -1 | \ + sed -r 's/linux-image-(.+)-generic/\1/' +} + +arch_kernel_flavour() { + case "$(_chroot uname -a)" in + *vfio*) echo VFIO ;; + *lts*) echo LTS ;; + *) echo latest ;; + esac +} + +kernel_flavour() { + case "$ID" in + arch|antergos) + arch_kernel_flavour + ;; + archarm|turrisos|openwrt|lede|fedora|ubuntu|neon|raspbian|debian) + echo latest + ;; + *) + echo "Unsupported distribution" >&2 + exit 3 + ;; + esac +} + +check_kernel_update() { + local current_version + local flavor + local latest_installed_version + + flavor="$(kernel_flavour)" + + case "$ID" in + arch|antergos) + current_version=$(arch_current_version) + latest_installed_version=$(arch_latest_installed "$flavor") + ;; + archarm) + current_version=$(archarm_current_version) + latest_installed_version=$(archarm_latest_installed "$flavor") + ;; + openwrt|lede|turrisos) + current_version=$(openwrt_current_version "$flavor") + latest_installed_version=$(openwrt_latest_installed "$flavor") + ;; + fedora) + current_version=$(fedora_current_version "$flavor") + latest_installed_version=$(fedora_latest_installed "$flavor") + ;; + ubuntu|neon|debian) + current_version=$(ubuntu_current_version 
"$flavor") + latest_installed_version=$(ubuntu_latest_installed "$flavor") + ;; + raspbian) + current_version=$(raspbian_current_version "$flavor") + latest_installed_version=$(raspbian_latest_installed "$flavor") + ;; + *) + echo "Unsupported distribution" >&2 + exit 3 + ;; + esac + + if test "$current_version" != "$latest_installed_version" + then + echo "Kernel update: $current_version -> $latest_installed_version" + return 1 + fi + return 0 +} + +check_services() { + local failed=0 + local need_r + + if _chroot sudo needrestart --help >/dev/null 2>&1 + then + # shellcheck disable=2024 + need_r="$(_chroot sudo needrestart -m a -b -n -r l -l -p 2>/dev/null)" + else + echo "ERROR: Please install needrestart" >&2 + fi + if echo "$need_r" | grep -q CRIT + then + echo "$need_r" + failed=1 + fi + + case "$ID" in + ubuntu|neon|raspbian) + if _chroot test -e /var/run/reboot-required + then + echo "/var/run/reboot-required is present on the system" + failed=1 + fi + ;; + fedora) + needs_r=$(_chroot sudo needs-restarting -r) + if test $? -eq 1 + then + echo "$needs_r" + fi + ;; + esac + return $failed +} + +reboot_check() { + local reboot_required=0 + local message + local KERNEL MISC + local tmp + + if test "$#" -eq 0 + then + KERNEL=1 + SERVICES=1 + else + case "$1" in + -k|--kernel|kernel|k) + KERNEL=1 + ;; + -s|--services|--svc|services|svc|s) + SERVICES=1 + ;; + esac + fi + + if test -n "$KERNEL" + then + tmp=$(check_kernel_update) + + if test $? -ne 0 + then + reboot_required=1 + message="$tmp" + fi + fi + + if test -n "$SERVICES" + then + tmp=$(check_services) + + if test $? 
-ne 0 + then + reboot_required=1 + if test -z "$message" + then + message="$tmp" + else + message="$message\n\n$tmp" + fi + fi + fi + + if test "$reboot_required" = "0" + then + message="No reboot required ✔" + fi + + # shellcheck disable=2039 + if test "$(echo -e)" != "-e" + then + echo -e "$message" + else + # printf "%s\n" "$message" + echo "$message" + fi +} + +determine_os() { + local os_id + + os_id="$(_chroot cat /etc/os-release | sed -nr 's/^ID="?([^"]+)"?/\1/p')" + + if test -z "$os_id" + then + # Old (pre 19.07.1) OpenWRT version don't carry an /etc/os-release + if _chroot test -r /etc/openwrt_version + then + os_id=openwrt + fi + echo "$os_id" + fi + echo "$os_id" +} + +ID="$(determine_os)" + +case "$1" in + help|h|--help|-h) + usage + ;; + -K) + kernel_flavour + ;; + *) + # -k: kernel only + # -m: Misc. services only + # NONE: both + if test "$#" -gt 1 + then + shift + fi + reboot_check "$@" + ;; +esac + +# vim set ft=sh et ts=2 sw=2 : diff --git a/roles/zabbix/tasks/main.yaml b/roles/zabbix/tasks/main.yaml new file mode 100644 index 0000000..ecb3e8c --- /dev/null +++ b/roles/zabbix/tasks/main.yaml 
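Review bot: `raspbian_latest_installed` fetches `vmlinuz-get-version` from a raw GitHub URL at run time and executes it through `_chroot bash` with no checksum or signature check, so the kernel-version probe depends on network reachability and on the integrity of whatever that URL serves when the agent polls; the zabbix role already installs `needrestart` on Debian-family hosts, so drop the download branch and keep only the `/usr/lib/needrestart/vmlinuz-get-version` path (or ship the helper in the role's files/). In the same function `case "$(uname -a)" in armv7l) ... aarch64)` can never match because `uname -a` prints the whole banner; `uname -m` is the intended call. `determine_os` echoes `$os_id` both inside the `test -z` branch and after it, so a host whose os-release lacks `ID=` yields two lines and `ID` never matches a `case` arm; delete the inner `echo "$os_id"`. `reboot_check` declares `local KERNEL MISC` but assigns `SERVICES`, leaving a global and an unused local; `local KERNEL SERVICES` is what the body uses. The file is `#!/usr/bin/env sh` yet uses `local` and `echo -e`, neither of which is POSIX, so a `bash` shebang is the safer choice for the UserParameter invocations.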
@@ -0,0 +1,321 @@ +--- +##### Install zabbix-agent +- name: ping hosts + ping: + +- name: check OS + debug: msg={{ansible_distribution}}-{{ansible_distribution_version}} + tags: configure_zabbix + +### centOS 7 +- name: disable SELinux + selinux: + state: disabled + when: ansible_os_family == "RedHat" + tags: configure_zabbix + +- name: install zabbix centOS 7 rpm file + yum: + name: "{{ centos7_link }}" + when: ansible_os_family == "RedHat" + tags: configure_zabbix + +- name: install zabbix-agent 4.4 for centOS 7 + yum: + name: zabbix-agent + enablerepo: zabbix + update_cache: true + state: latest + when: ansible_os_family == "RedHat" + tags: configure_zabbix + +### Debian 8 +- name: download zabbix deb file for Debian 8 + get_url: + url: "{{ debian8_link }}" + dest: "/tmp/{{ debian8_file }}" + when: ansible_distribution_release == 'jessie' + tags: configure_zabbix + +- name: install zabbix deb in Debian 8 + apt: deb "/tmp/{{ debian8_file }}" + when: ansible_distribution_release == 'jessie' + tags: configure_zabbix + +- name: install zabbix-agent 4.4 Debian 8 + apt: + name: zabbix-agent + state: latest + update_cache: yes + when: ansible_distribution_release == 'jessie' + tags: configure_zabbix + +### Debian 9 +- name: download zabbix deb file for Debian 9 + get_url: + url: "{{ debian9_link }}" + dest: "/tmp/{{ debian9_file }}" + when: ansible_distribution_release == 'stretch' + tags: configure_zabbix + +- name: install zabbix deb in Debian 9 + apt: deb "/tmp/{{ debian9_file }}" + when: ansible_distribution_release == 'stretch' + tags: configure_zabbix + +- name: install zabbix-agent 4.4 Debian 9 + apt: + name: zabbix-agent + state: latest + update_cache: yes + when: ansible_distribution_release == 'stretch' + tags: configure_zabbix + +### Debian 10 +- name: download zabbix deb file for Debian 10 + get_url: + url: "{{ debian10_link }}" + dest: "/tmp/{{ debian10_file }}" + when: ansible_distribution_release == 'buster' + tags: configure_zabbix + +- name: install 
zabbix deb in Debian 10 + apt: deb "/tmp/{{ debian10_file }}" + when: ansible_distribution_release == 'buster' + tags: configure_zabbix + +- name: install zabbix-agent 4.4 Debian 10 + apt: + name: zabbix-agent + state: latest + update_cache: yes + when: ansible_distribution_release == 'buster' + tags: configure_zabbix + +### Ubuntu 16.04 Xenial +- name: download zabbix deb file fot Ubuntu 16.04 + get_url: + url: "{{ ubuntu16_link }}" + dest: "/tmp/{{ ubuntu16_file }}" + when: ansible_distribution_release == 'xenial' + tags: configure_zabbix + +- name: install zabbix deb for Ubuntu 16.04 Xenial + apt: deb "/tmp/{{ ubuntu16_file }}" + when: ansible_distribution_release == 'xenial' + tags: configure_zabbix + +- name: install zabbix-agent 4.4 Ubuntu 16.04 + apt: + name: zabbix-agent + state: latest + update_cache: yes + when: ansible_distribution_release == 'xenial' + tags: configure_zabbix + + +### Ubuntu 18.04 Bionic Beaver +- name: download zabbix deb file fot Ubuntu 18.04 + get_url: + url: "{{ ubuntu18_link }}" + dest: "/tmp/{{ ubuntu18_file }}" + when: ansible_distribution_release == 'bionic' + tags: configure_zabbix + +- name: install zabbix deb for Ubuntu 18.04 Xenial + apt: deb "/tmp/{{ ubuntu18_file }}" + when: ansible_distribution_release == 'bionic' + tags: configure_zabbix + +- name: install zabbix-agent 4.4 Ubuntu 18.04 + apt: + name: zabbix-agent + state: latest + update_cache: yes + when: ansible_distribution_release == 'bionic' + tags: configure_zabbix +### Ubunto 20.04 Focal +- name: download zabbix deb file fot Ubuntu 20.04 + get_url: + url: "{{ ubuntu20_link }}" + dest: "/tmp/{{ ubuntu20_file }}" + when: ansible_distribution_release == 'focal' + tags: configure_zabbix + +- name: install zabbix deb for Ubuntu 20.04 Xenial + apt: deb "/tmp/{{ ubuntu20_file }}" + when: ansible_distribution_release == 'focal' + tags: configure_zabbix + +- name: install zabbix-agent 4.4 Ubuntu 20.04 + apt: + name: zabbix-agent + state: latest + update_cache: yes + when: 
ansible_distribution_release == 'focal' + tags: configure_zabbix + +##### enabled zabbix-agent +- name: enable service zabbix-agent and ensure it is not masked + systemd: + name: zabbix-agent + enabled: yes + masked: no + become: yes + tags: configure_zabbix + +##### check zabbix home dir and shell +- name: Make sure a service is stopped + systemd: state=stopped name=zabbix-agent + become: yes + tags: configure_zabbix + +- name: check zabbix home dir and shell + user: + name: zabbix + shell: /bin/bash + home: /etc/zabbix + append: yes + groups: sudo + become: yes + tags: configure_zabbix + +##### mkdir /etc/zabbix/scripts and rights +- name: mkdir /etc/zabbix/scripts and rights + file: + path: /etc/zabbix/scripts + state: directory + owner: zabbix + group: zabbix + mode: 0700 + become: yes + tags: configure_zabbix + +##### change zabbix_agentd.conf +- name: change zabbix_agentd.conf Hostname + lineinfile: + path: /etc/zabbix/zabbix_agentd.conf + state: present + regexp: 'Hostname=Zabbix server' + line: "Hostname={{ ansible_hostname }}" + become: yes + tags: configure_zabbix + +- name: change zabbix_agentd.conf ServerActive + lineinfile: + path: /etc/zabbix/zabbix_agentd.conf + state: present + regexp: 'ServerActive=127.0.0.1' + line: "ServerActive={{ zbx_srv }}" + become: yes + tags: configure_zabbix + +- name: change zabbix_agentd.conf Server + lineinfile: + path: /etc/zabbix/zabbix_agentd.conf + state: present + regexp: 'Server=127.0.0.1' + line: "Server={{ zbx_srv }}" + become: yes + tags: configure_zabbix + +- name: change zabbix_agentd.conf EnableRemoteCommands + lineinfile: + path: /etc/zabbix/zabbix_agentd.conf + state: present + regexp: '# EnableRemoteCommands=0' + line: 'EnableRemoteCommands=1' + become: yes + tags: configure_zabbix + +- name: change zabbix_agentd.conf LogRemoteCommands + lineinfile: + path: /etc/zabbix/zabbix_agentd.conf + state: present + regexp: '# LogRemoteCommands=0' + line: 'LogRemoteCommands=1' + tags: configure_zabbix + +##### 
Install Vulners plugin +### CentOS7 +- name: install plugin repo centOS 7 rpm file + yum: name=https://repo.vulners.com/redhat/vulners-repo.rpm + when: ansible_os_family == "RedHat" + tags: configure_zabbix + +- name: install plugin for centOS 7 + yum: name=zabbix-threat-control-host + when: ansible_os_family == "RedHat" + tags: configure_zabbix + +### Debian +#- name: download plugin deb file for Debian +# get_url: +# url: https://repo.vulners.com/debian/vulners-repo.deb +# dest: /tmp/vulners-repo.deb +# when: ansible_os_family == "Debian" +# tags: configure_zabbix + +#- name: install plugin deb in Debian +# apt: deb="/tmp/vulners-repo.deb" +# when: ansible_os_family == "Debian" +# tags: configure_zabbix + +#- name: install plugin Debian +# apt: +# name: zabbix-threat-control-host +# update_cache: yes +# when: ansible_os_family == "Debian" +# tags: configure_zabbix + +### Starting zabbix-agent +- name: install needrestart + apt: + name: needrestart + update_cache: yes + when: ansible_os_family == "Debian" + tags: configure_zabbix + +- name: Make sure a service is started + systemd: state=started name=zabbix-agent + become: yes + tags: configure_zabbix +- name: Copy configuration files + become: true + copy: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: root + group: root + mode: 6755 + with_items: + - { src: "{{ role_path }}/files/check_updates.sh", dest: "/opt/zabbix_scripts/" } + - { src: "{{ role_path }}/files/zbx-reboot-required.sh", dest: "/opt/zabbix_scripts/" } + tags: configure_zabbix +- name: enable cron job for update check + become: true + cron: + name: "update_checker" + minute: "*/30" + user: root + job: "/opt/zabbix_scripts/check_updates.sh" + tags: configure_zabbix + +- name: zabbix-agent-config + lineinfile: + path: "/etc/zabbix/zabbix_agentd.conf" + state: present + line: "{{ item.line }}" + with_items: + - { line: "UserParameter=os.updates.pending,cat \"/run/zabbix/zabbix.count.updates\"" } + - { line: 
"UserParameter=reboot-required.kernel,/opt/zabbix_scripts/zbx-reboot-required.sh -k" } + - { line: "UserParameter=reboot-required.services,/opt/zabbix_scripts/zbx-reboot-required.sh -s" } + become: true + tags: configure_zabbix +- name: Restart service zabbix-agent + service: + name: zabbix-agent + state: restarted + tags: configure_zabbix + become: true + diff --git a/roles/zabbix/vars/main.yml b/roles/zabbix/vars/main.yml new file mode 100644 index 0000000..9b6db7e --- /dev/null +++ b/roles/zabbix/vars/main.yml @@ -0,0 +1,14 @@ +zbx_srv: 192.168.88.16 +centos7_link: https://repo.zabbix.com/zabbix/4.4/rhel/7/x86_64/zabbix-release-4.4-1.el7.noarch.rpm +debian8_link: https://repo.zabbix.com/zabbix/4.4/debian/pool/main/z/zabbix-release/zabbix-release_4.4-1+jessie_all.deb +debian8_file: zabbix-release_4.4-1+jessie_all.deb +debian9_link: https://repo.zabbix.com/zabbix/4.4/debian/pool/main/z/zabbix-release/zabbix-release_4.4-1+stretch_all.deb +debian9_file: zabbix-release_4.4-1+stretch_all.deb +debian10_link: https://repo.zabbix.com/zabbix/5.3/debian/pool/main/z/zabbix-release/zabbix-release_5.3-1+debian10_all.deb +debian10_file: zabbix-release_5.3-1+debian10_all.deb +ubuntu16_link: https://repo.zabbix.com/zabbix/4.4/ubuntu/pool/main/z/zabbix-release/zabbix-release_4.4-1+xenial_all.deb +ubuntu16_file: zabbix-release_4.4-1+xenial_all.deb +ubuntu18_link: https://repo.zabbix.com/zabbix/4.4/ubuntu/pool/main/z/zabbix-release/zabbix-release_4.4-1+bionic_all.deb +ubuntu18_file: zabbix-release_4.4-1+bionic_all.deb +ubuntu20_link: https://repo.zabbix.com/zabbix/5.3/ubuntu/pool/main/z/zabbix-release/zabbix-release_5.3-1+ubuntu20.04_all.deb +ubuntu20_file: zabbix-release_5.3-1+ubuntu20.04_all.deb diff --git a/samba-dc.yml b/samba-dc.yml index 4a13c1d..d900a31 100644 --- a/samba-dc.yml +++ b/samba-dc.yml 
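Review bot: The six `apt: deb "/tmp/{{ ... }}"` tasks (Debian 8/9/10, Ubuntu 16.04/18.04/20.04) pass a free-form string without `deb=`, which the apt module receives as raw params and rejects, so the release package is never installed on Debian-family hosts; use the block form, `apt:` / `deb: "/tmp/{{ debian8_file }}"`, and pair each `get_url` with `checksum: "sha256:<value>"` so the downloaded installer is verified. `Copy configuration files` writes to `/opt/zabbix_scripts/` but nothing creates that directory, and `mode: 6755` sets setuid/setgid root on shell scripts that cron already runs as root — add a `file: path: /opt/zabbix_scripts, state: directory, mode: "0755"` task before it and use `mode: "0755"` on the copy. `check zabbix home dir and shell` adds the zabbix service account to `sudo`, and `EnableRemoteCommands=1` lets the Zabbix server execute commands on every agent as that account, so a compromised server or agent channel becomes root on the whole fleet; neither is needed for the UserParameter checks this role adds, so drop `groups: sudo` and leave remote commands disabled unless a documented requirement exists. `disable SELinux` turns off mandatory access control host-wide for an agent install; if a specific denial motivates it, scope a policy module instead and record the reason in the task name or a comment. The task names still say `zabbix-agent 4.4` while the Debian 10 and Ubuntu 20.04 links in vars point at 5.3 packages.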
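Review bot: roles/zabbix/vars/main.yml duplicates the entire `vars:` block of zabbix_agent.yml, and role `vars/` files take precedence over play vars, so the copy in the playbook is dead and any edit there has no effect; keep one source — `defaults/main.yml` if these are meant to be overridable per inventory, `vars/main.yml` only if they are fixed. `debian10_link` and `ubuntu20_link` point at 5.3 release packages while the others are 4.4, so the fleet ends up on two agent major versions that the task names (`zabbix-agent 4.4`) do not reflect. A header comment such as `# Zabbix release packages per distro; keep in step with the task names in tasks/main.yaml` and a `<distro>_sha256` value next to each link (to feed `get_url: checksum:`) would make the intent and the integrity check explicit.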
@@ -1,14 +1,14 @@ -- hosts: adc01 +- hosts: dc01 become: true vars: # -- Custom settings: role-samba4-primary-ad-dc -- - smb_workgroup : 'LAB' - smb_realm : 'LAB.LOCAL' + smb_workgroup : 'VSRAPOC' + smb_realm : 'VSRAPOC.DSFINANCIAL.COMCAST.NET' smb_username : 'administrator' smb_password : 'Password123' smb_role : 'primary' - smb_dns_servers: '10.100.100.12' + smb_dns_servers: '10.1.10.10' smb_dns_forwarder: '8.8.8.8' roles: diff --git a/samba.yml b/samba.yml index 15d8224..93a560c 100644 --- a/samba.yml +++ b/samba.yml 
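Review bot: The AD administrator credential `smb_password : 'Password123'` sits unencrypted beside the new realm values in a playbook committed to git, and samba.yml in this commit repeats the same block twice; keep the credential in an ansible-vault file or a `vars_prompt` and reference it, so the realm/workgroup change can be reviewed without the secret travelling with it. samba-dc.yml and the first play of samba.yml are now the same `dc01` play with identical vars, so one should `import_playbook` the other rather than duplicate it. The `roles:` list at the end of the hunk continues outside it.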
@@ -1,49 +1,30 @@ ---- -- hosts: samba - tasks: - - name: Install Samba Packages - become: yes - apt: - name: ['samba', 'smbclient','winbind','krb5-user','krb5-config','krb5-locales','winbind','libpam-winbind','libnss-winbind','dnsutils'] - state: present - update_cache: true - - name: stop samba services - become: yes - command: systemctl stop "{{ item }}" - ignore_errors: true - with_items: - - samba-ad-dc.service - - smbd.service - - nmbd.service - - winbind.service - - name: disable samba services - become: yes - command: systemctl disable "{{ item }}" - ignore_errors: true - with_items: - - samba-ad-dc.service - - smbd.service - - nmbd.service - - winbind.service - - name: set nsswitch service to use DNS resolution - become: yes - lineinfile: - path: /etc/nsswitch.conf - state: present - regexp: '^hosts:' - line: 'hosts: files dns mdns4_minimal [NOTFOUND=return]' - - name: check if smb.conf exists - stat: - path: /etc/samba/smb.conf - register: stat_result - - name: rename default smb.conf - become: yes - shell: mv /etc/samba/smb.conf /etc/samba/smb.conf.backup - ignore_errors: true - tags: remove_default_samba_config - - name: delete default kerberos configuration if it exists - become: yes - file: - state: absent - path: "/etc/krb5.conf" - tags: remove_default_samba_config +- hosts: dc01 + become: true + + vars: + # -- Custom settings: role-samba4-primary-ad-dc -- + smb_workgroup : 'VSRAPOC' + smb_realm : 'VSRAPOC.DSFINANCIAL.COMCAST.NET' + smb_username : 'administrator' + smb_password : 'Password123' + smb_role : 'primary' + smb_dns_servers: '10.1.10.10' + smb_dns_forwarder: '8.8.8.8' + + roles: + - role-samba4-primary-ad-dc + +- hosts: server01 server02 server03 + become: true + + vars: + # -- Custom settings: role-samba4-primary-ad-dc -- + smb_workgroup : 'VSRAPOC' + smb_realm : 'VSRAPOC.DSFINANCIAL.COMCAST.NET' + smb_username : 'administrator' + smb_password : 'Password123' + smb_dns_servers: '10.1.10.10' + + roles: + - role-samba4-ad-member + 
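Review bot: `hosts: server01 server02 server03` in the member play relies on Ansible's legacy whitespace-splitting fallback for host patterns; the documented separators are commas or colons, so `hosts: server01,server02,server03` or an inventory group such as `hosts: samba_members` is the robust form. The member play also passes `smb_username`/`smb_password` for the domain join in clear text, duplicated from the `dc01` play above it; a shared `vars_files` entry (vault-encrypted for the password) would keep the two plays in step. The comment `# -- Custom settings: role-samba4-primary-ad-dc --` is copied verbatim into the member play, where the role is `role-samba4-ad-member`, so it should name the role it actually configures.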
diff --git a/test.yml b/test.yml new file mode 100644 index 0000000..ce0dc10 --- /dev/null +++ b/test.yml @@ -0,0 +1,13 @@ +--- + - hosts: server02 + tasks: + - name: test acl + ansible.posix.acl: + path: /media/share + + - name: test dns + community.windows.win_dns_record: + name: "server02.vsrapoc.dsfinancial.comcast.net" + type: "A" + value: "10.1.10.14" + zone: "vsrapoc.dsfinancial.comcast.net" diff --git a/zabbix_agent.yml b/zabbix_agent.yml new file mode 100644 index 0000000..45bb784 --- /dev/null +++ b/zabbix_agent.yml 
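Review bot: `community.windows.win_dns_record` in `test dns` targets `server02`, which the rest of the commit treats as a Linux Samba member; `win_*` modules need a Windows host reached over WinRM, so this task cannot succeed as written, and the collection is not declared in requirements.yml either. If the intent is to register the member's A record on the Samba DC, a task delegated to `dc01` that uses the Samba DNS tooling is the workable route, and a comment saying so would help. `test acl` calls `ansible.posix.acl` with only `path`, which queries rather than checks, so a one-line comment (`# query only; prints the current ACL of the public share`) should say so; the hard-coded `10.1.10.14` belongs in inventory rather than a test playbook.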
@@ -0,0 +1,27 @@ +##################################################### +# https://github.com/vargaloid # +# Install zabbix-agent-4.0 # +# For CentOS7; Debian 8, 9, 10; Ubuntu 16.04, 18.04 # +# Version 0.07 # +##################################################### +--- +- hosts: all + become: yes +# remote_user: USERNAME + vars: + zbx_srv: 192.168.88.16 + centos7_link: https://repo.zabbix.com/zabbix/4.4/rhel/7/x86_64/zabbix-release-4.4-1.el7.noarch.rpm + debian8_link: https://repo.zabbix.com/zabbix/4.4/debian/pool/main/z/zabbix-release/zabbix-release_4.4-1+jessie_all.deb + debian8_file: zabbix-release_4.4-1+jessie_all.deb + debian9_link: https://repo.zabbix.com/zabbix/4.4/debian/pool/main/z/zabbix-release/zabbix-release_4.4-1+stretch_all.deb + debian9_file: zabbix-release_4.4-1+stretch_all.deb + debian10_link: https://repo.zabbix.com/zabbix/5.3/debian/pool/main/z/zabbix-release/zabbix-release_5.3-1+debian10_all.deb + debian10_file: zabbix-release_5.3-1+debian10_all.deb + ubuntu16_link: https://repo.zabbix.com/zabbix/4.4/ubuntu/pool/main/z/zabbix-release/zabbix-release_4.4-1+xenial_all.deb + ubuntu16_file: zabbix-release_4.4-1+xenial_all.deb + ubuntu18_link: https://repo.zabbix.com/zabbix/4.4/ubuntu/pool/main/z/zabbix-release/zabbix-release_4.4-1+bionic_all.deb + ubuntu18_file: zabbix-release_4.4-1+bionic_all.deb + ubuntu20_link: https://repo.zabbix.com/zabbix/5.3/ubuntu/pool/main/z/zabbix-release/zabbix-release_5.3-1+ubuntu20.04_all.deb + ubuntu20_file: zabbix-release_5.3-1+ubuntu20.04_all.deb + roles: + - zabbix
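Review bot: The header comment says `Install zabbix-agent-4.0` for `CentOS7; Debian 8, 9, 10; Ubuntu 16.04, 18.04`, but the vars below pull 4.4 packages for most distros and 5.3 for Debian 10 and Ubuntu 20.04, and Ubuntu 20.04 is missing from the list; update it to `# Install zabbix-agent (4.4; 5.3 on Debian 10 / Ubuntu 20.04)` with the full distro list, or drop the version from the banner. The `vars:` block is shadowed by roles/zabbix/vars/main.yml (role vars outrank play vars), so it has no effect as long as that file exists; remove one copy. `become: yes` should be `become: true` (yamllint `truthy`).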