mikepell/dsfin-ansible
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Update Readme

Browse Source 
add requirements.yml for additional modules
This commit is contained in:
Michael Pellegrino
2021-08-30 08:39:21 -04:00
parent 21612189e0
commit 7e68ea16b3
19 changed files with 964 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@@ -81,6 +81,7 @@ The Goal is to evenually be able to be a turnkey solution to spin up a "real" ne
* execute _**sudo apt install -y ansible sshpass git**_ * execute _**sudo apt install -y ansible sshpass git**_
* execute _**git clone ssh://ansibledemo@96.82.16.164:/srv/git/ansible.git**_ - pw C*******9 * execute _**git clone ssh://ansibledemo@96.82.16.164:/srv/git/ansible.git**_ - pw C*******9
* execute _**cd ansible**_ * execute _**cd ansible**_
* execute _**ansible-galaxy collection install -r requirements.yml**_
* execute _**nano hosts**_ and follow the instructions in that file to add all of your Pi devices * execute _**nano hosts**_ and follow the instructions in that file to add all of your Pi devices
* execute _**ssh-keygen -t rsa**_ you will need to press enter three times to accept the defaults * execute _**ssh-keygen -t rsa**_ you will need to press enter three times to accept the defaults
* execute _**PUBKEY="'$(<~/.ssh/id_rsa.pub)'" && ansible-playbook -i hosts deploy_authorized_keys.yml --ask-pass --extra-vars="pubkey=$PUBKEY"**_ it will prompt for the password which is still 'raspberry * execute _**PUBKEY="'$(<~/.ssh/id_rsa.pub)'" && ansible-playbook -i hosts deploy_authorized_keys.yml --ask-pass --extra-vars="pubkey=$PUBKEY"**_ it will prompt for the password which is still 'raspberry

4
requirements.yml
View File

@@ -1,2 +1,2 @@
- name: mikolak-net.raspi_config collections:
- ansible.posix

9
roles/common/vars/os_Debian_10.yml Normal file
View File

@@ -0,0 +1,9 @@
---
dependency_packages:
- vim
- mc
- aptitude
- mtr
- screen
- cockpit-storaged
- cockpit

8
roles/role-samba4-ad-member/defaults/main.yml
View File

@@ -53,3 +53,11 @@ smb_multicastdns : 'no'
smb_dnssec : 'no' smb_dnssec : 'no'
smb_cache : 'yes' smb_cache : 'yes'
smb_dnsstublistener : 'yes' smb_dnsstublistener : 'yes'
#share defaults
public_share_name: share
public_share_path: /media/share
private_share_name: private
private_share_path: /media/private
samba_group_name: Domain\ Users

65
roles/role-samba4-ad-member/tasks/main.yml
View File

@@ -8,7 +8,18 @@
# Samba is the standard Windows interoperability # Samba is the standard Windows interoperability
# suite of programs for Linux and Unix. # suite of programs for Linux and Unix.
# #
- name: update hosts file
become: true
blockinfile:
dest: /etc/hosts
content: "{{ lookup('template', '{{ role_path }}/templates/hosts.j2') }}"
state: present
tags: update_hosts
- name: set hostname
become: true
hostname:
name: '{{ inventory_hostname }}'
tags: set_hostname
- name: "IFor OS: Ubuntu 20.04LTS, Arch: amd64" - name: "IFor OS: Ubuntu 20.04LTS, Arch: amd64"
import_tasks: ubt-2004-amd64.yml import_tasks: ubt-2004-amd64.yml
when: when:
@@ -26,3 +37,55 @@
when: when:
- ansible_distribution_version == "18.04" - ansible_distribution_version == "18.04"
- ansible_architecture == "x86_64" - ansible_architecture == "x86_64"
- name: "Check that {{ public_share_path }} exist"
stat:
path: "{{ public_share_path }}"
register: public_dir_exists
- name: "Create {{ public_share_path }} directory"
become: yes
file:
state: directory
path: "{{ public_share_path }}"
owner: nobody
group: nogroup
mode: 0755
recurse: yes
when: public_dir_exists.stat.exists == False
- name: "Check that {{ private_share_path }} exist"
stat:
path: "{{ private_share_path }}"
register: private_dir_exists
- name: "Create {{ private_share_path }} directory"
become: yes
file:
state: directory
path: "{{ private_share_path }}"
owner: root
group: "{{ samba_group_name }}"
mode: 1770
when: private_dir_exists.stat.exists == False
- name: set acl's on public share
ansible.posix.acl:
path: "{{ public_share_path }}"
entry: "{{ item.entry }}"
state: present
with_items:
- { entry: "user::rwx" }
- { entry: "user:nobody:rwx" }
- { entry: "group::r-x" }
- { entry: "group:domain\ users:rwx" }
- { entry: "mask::rwx" }
- { entry: "other::r-x" }
- { entry: "default:user::rwx" }
- { entry: "default:user:administrator:rwx" }
- { entry: "default:group::r-x" }
- { entry: "default:group:domain\ users:rwx" }
- { entry: "default:group:nogroup:r-x" }
- { entry: "default:mask::rwx" }
- { entry: "default:other::r-x" }

3
roles/role-samba4-ad-member/tasks/ubt-2004-amd64.yml
View File

@@ -59,7 +59,8 @@
- name: "Edit Fstab" - name: "Edit Fstab"
replace: replace:
path: /etc/fstab path: /etc/fstab
regexp: 'errors=remount-ro 0' #regexp: 'errors=remount-ro 0'
regexp: 'defaults'
replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0' replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0'
backup: yes backup: yes

8
roles/role-samba4-ad-member/templates/hosts.j2 Normal file
View File

@@ -0,0 +1,8 @@
{% for item in ansible_play_batch %}
{{ hostvars[item].ansible_host }} {{ item }}.demo.dsfinancial.com
{% endfor %}
{% for item in ansible_play_batch %}
{{ hostvars[item].ansible_host }} {{ item }}
{% endfor %}

21
roles/role-samba4-ad-member/templates/smb.conf.j2
View File

@@ -21,3 +21,24 @@ winbind offline logon = yes
vfs objects = acl_xattr vfs objects = acl_xattr
map acl inherit = Yes map acl inherit = Yes
store dos attributes = Yes store dos attributes = Yes
#### Public Share ####
[{{ public_share_name }}]
path = {{ public_share_path }}
browsable =yes
writable = yes
guest ok = yes
read only = no
acl_xattr:ignore system acl = yes
#### Private Share ####
[{{ private_share_name }}]
path = {{ private_share_path }}
valid users = @{{ samba_group_name }}
guest ok = no
writable = yes
browsable = yes
create mask = 0700
directory mask = 0700
acl_xattr:ignore system acl = yes

5
roles/role-samba4-primary-ad-dc/tasks/ubuntu-2004-amd64.yml
View File

@@ -128,7 +128,8 @@
- name: "Edit Fstab" - name: "Edit Fstab"
replace: replace:
path: /etc/fstab path: /etc/fstab
regexp: 'errors=remount-ro 0' #regexp: 'errors=remount-ro 0'
regexp: 'defaults'
replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0' replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0'
backup: yes backup: yes
@@ -147,4 +148,4 @@
- udp - udp
- name: "Ubuntu login" - name: "Ubuntu login"
import_tasks: ubuntu-1804-amd64-login.yml import_tasks: ubuntu-1804-amd64-login.yml

7
roles/role-samba4-primary-ad-dc/templates/hosts.j2 Normal file
View File

@@ -0,0 +1,7 @@
{% for item in ansible_play_batch %}
{{ hostvars[item].ansible_host }} {{ item }}.demo.dsfinancial.com
{% endfor %}
{% for item in ansible_play_batch %}
{{ hostvars[item].ansible_host }} {{ item }}
{% endfor %}

96
roles/zabbix/files/check_updates.sh Normal file
View File

@@ -0,0 +1,96 @@
#!/usr/bin/env bash
# From https://github.com/kvz/bash3boilerplate
# Require at least bash 3.x
if [[ "${BASH_VERSINFO[0]}" -lt "3" ]]; then echo "bash version < 3"; exit 1; fi
# Exit on error. Append || true if you expect an error.
set -o errexit
set -o nounset
# Bash will remember and return the highest exit code in a chain of pipes.
set -o pipefail
PATH=/bin:/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
timestamp_file="/run/zabbix/caendra_check_update"
update_interval="86400" # 1 day
timestamp_file_mtime="0"
os=""
epoch=$(date "+%s")
tmpfile=$( mktemp --tmpdir=/run/zabbix )
outfile="/run/zabbix/zabbix.count.updates"
function _detectOS {
if [[ -e /etc/centos-release ]]; then
export os="centos"
fi
if [[ -e /etc/debian_version ]]; then
export os="debian"
fi
}
function _check_last_update {
if [[ ! -e $timestamp_file ]]; then
export update_needed=y
touch $timestamp_file
else
timestamp_file_mtime=$(stat -c %Y $timestamp_file )
fi
if [[ "$((epoch-timestamp_file_mtime))" -gt "$update_interval" ]]; then
export update_needed=y
else
export update_needed=n
fi
}
function _check_OS_upgrades {
if [[ "$os" == "debian" ]]; then
if [[ "$update_needed" == "y" ]]; then
apt update &>/dev/null
touch $timestamp_file
fi
pkg_to_update=$((apt-get upgrade --simulate 2>&1 | wc -l) || true)
pkg_to_update=$((pkg_to_update-5))
fi
if [[ "$os" == "centos" ]]; then
if [[ ! -e /var/cache/yum/x86_64/7/base/repomd.xml ]]; then
# if the repomd.xml file does not exists,
# we assume that this is a new machine
# or "yum clean all" was run
export update_needed="y"
fi
if [[ "$update_needed" == "y" ]]; then
# forced true as the --assumeno option
# always returns exit code 1
yum upgrade --assumeno &> /dev/null || true
touch $timestamp_file
fi
yum_output=$(yum check-update --cacheonly && rc=$? || rc=$?; echo "rc=$rc" > $tmpfile)
source $tmpfile
rm $tmpfile
if [[ "$rc" == "0" ]]; then
pkg_to_update="0"
fi
if [[ "$rc" == "100" ]]; then
pkg_to_update=$(echo "$yum_output" | egrep -v '^(Load| \*|$)' | wc -l)
fi
fi
}
_detectOS
_check_last_update
pkg_to_update=""
_check_OS_upgrades
echo "$pkg_to_update" > $outfile

BIN
roles/zabbix/files/zabbix-release_4.0-3+focal_all.deb Normal file
View File

Binary file not shown.

334
roles/zabbix/files/zbx-reboot-required.sh Normal file
View File

@@ -0,0 +1,334 @@
#!/usr/bin/env sh
usage() {
echo "Usage: $(basename "$0") [-K|-s|-k]"
echo
echo "-K: Output the current kernel flavor"
echo "-k: Only check for updated kernel version (default: enabled)"
echo "-s: Check whether services need to be restarted (default: enabled)"
}
_chroot() {
if test -e /.dockerenv
then
sudo -E chroot /rootfs bash -c "$*"
else
eval "$@"
fi
}
arch_current_version() {
# Remove the kernel flavor at the end
# 5.4.22-1-lts -> 5.4.22-1
_chroot uname -r | sed 's/-[^0-9]*$//'
}
archarm_current_version() {
arch_current_version
}
openwrt_current_version() {
uname -r
}
fedora_current_version() {
# Remove the Fedora version and arch at the end
# 5.5.5-200.fc31.x86_64 -> 5.5.5-200
uname -r | sed -r 's/.fc[0-9]+.*//'
}
ubuntu_current_version() {
arch_current_version
}
raspbian_current_version() {
# Remove the architecture at the end
# 4.19.97-v7+ -> 4.19.97
uname -r | sed -r 's/-v.+$//'
}
arch_latest_installed() {
local package
case "$1" in
LTS)
package=linux-lts
;;
VFIO)
package=linux-vfio
;;
*)
package=linux
;;
esac
_chroot pacman -Qi "$package" | awk '/Version/ {print $3}'
}
archarm_latest_installed() {
local package
case "$1" in
*)
package=linux-raspberrypi
;;
esac
_chroot pacman -Qi "$package" | awk '/Version/ {print $3}'
}
openwrt_latest_installed() {
_chroot sudo opkg list-installed | awk '/kernel - / {print $NF}' | cut -d - -f 1
}
fedora_latest_installed() {
_chroot dnf list installed kernel | \
awk '{ print $2 }' | sort -rn | head -1 | sed -r 's/.fc[0-9]+$//g'
}
raspbian_latest_installed() {
local val
local kernel_file
case "$(uname -a)" in
armv7l)
kernel_file="/boot/kernel7.img"
;;
aarch64)
kernel_file="/boot/kernel8.img"
;;
*)
kernel_file="/boot/kernel7l.img"
;;
esac
if _chroot test -e /usr/lib/needrestart/vmlinuz-get-version
then
val="$(_chroot /usr/lib/needrestart/vmlinuz-get-version "$kernel_file")"
# echo "Unable to determine current kernel version. Please install needrestart." >&2
else
# Download latest vmlinuz-get-version
_chroot curl -qqsL -o /tmp/vmlinuz-get-version \
https://github.com/liske/needrestart/raw/master/lib/vmlinuz-get-version
val="$(_chroot bash /tmp/vmlinuz-get-version "$kernel_file")"
_chroot rm /tmp/vmlinuz-get-version
fi
# Extract version
# Linux version 4.19.97-v7+ (dom@buildbot) (gcc version[...] -> 4.19.97
# Linux version 4.19.97+ (dom@buildbot) (gcc version[...] -> 4.19.97
echo "$val" | sed -n -r 's/Linux version ([0-9.]+)[-+]v?.*/\1/p'
}
ubuntu_latest_installed() {
_chroot dpkg --list | grep linux-image | \
grep -v 'linux-image-generic' | \
awk '{ print $2 }' | \
sort -nr -k 4 -t '-' | head -1 | \
sed -r 's/linux-image-(.+)-generic/\1/'
}
arch_kernel_flavour() {
case "$(_chroot uname -a)" in
*vfio*) echo VFIO ;;
*lts*) echo LTS ;;
*) echo latest ;;
esac
}
kernel_flavour() {
case "$ID" in
arch|antergos)
arch_kernel_flavour
;;
archarm|turrisos|openwrt|lede|fedora|ubuntu|neon|raspbian|debian)
echo latest
;;
*)
echo "Unsupported distribution" >&2
exit 3
;;
esac
}
check_kernel_update() {
local current_version
local flavor
local latest_installed_version
flavor="$(kernel_flavour)"
case "$ID" in
arch|antergos)
current_version=$(arch_current_version)
latest_installed_version=$(arch_latest_installed "$flavor")
;;
archarm)
current_version=$(archarm_current_version)
latest_installed_version=$(archarm_latest_installed "$flavor")
;;
openwrt|lede|turrisos)
current_version=$(openwrt_current_version "$flavor")
latest_installed_version=$(openwrt_latest_installed "$flavor")
;;
fedora)
current_version=$(fedora_current_version "$flavor")
latest_installed_version=$(fedora_latest_installed "$flavor")
;;
ubuntu|neon|debian)
current_version=$(ubuntu_current_version "$flavor")
latest_installed_version=$(ubuntu_latest_installed "$flavor")
;;
raspbian)
current_version=$(raspbian_current_version "$flavor")
latest_installed_version=$(raspbian_latest_installed "$flavor")
;;
*)
echo "Unsupported distribution" >&2
exit 3
;;
esac
if test "$current_version" != "$latest_installed_version"
then
echo "Kernel update: $current_version -> $latest_installed_version"
return 1
fi
return 0
}
check_services() {
local failed=0
local need_r
if _chroot sudo needrestart --help >/dev/null 2>&1
then
# shellcheck disable=2024
need_r="$(_chroot sudo needrestart -m a -b -n -r l -l -p 2>/dev/null)"
else
echo "ERROR: Please install needrestart" >&2
fi
if echo "$need_r" | grep -q CRIT
then
echo "$need_r"
failed=1
fi
case "$ID" in
ubuntu|neon|raspbian)
if _chroot test -e /var/run/reboot-required
then
echo "/var/run/reboot-required is present on the system"
failed=1
fi
;;
fedora)
needs_r=$(_chroot sudo needs-restarting -r)
if test $? -eq 1
then
echo "$needs_r"
fi
;;
esac
return $failed
}
reboot_check() {
local reboot_required=0
local message
local KERNEL MISC
local tmp
if test "$#" -eq 0
then
KERNEL=1
SERVICES=1
else
case "$1" in
-k|--kernel|kernel|k)
KERNEL=1
;;
-s|--services|--svc|services|svc|s)
SERVICES=1
;;
esac
fi
if test -n "$KERNEL"
then
tmp=$(check_kernel_update)
if test $? -ne 0
then
reboot_required=1
message="$tmp"
fi
fi
if test -n "$SERVICES"
then
tmp=$(check_services)
if test $? -ne 0
then
reboot_required=1
if test -z "$message"
then
message="$tmp"
else
message="$message\n\n$tmp"
fi
fi
fi
if test "$reboot_required" = "0"
then
message="No reboot required ✔"
fi
# shellcheck disable=2039
if test "$(echo -e)" != "-e"
then
echo -e "$message"
else
# printf "%s\n" "$message"
echo "$message"
fi
}
determine_os() {
local os_id
os_id="$(_chroot cat /etc/os-release | sed -nr 's/^ID="?([^"]+)"?/\1/p')"
if test -z "$os_id"
then
# Old (pre 19.07.1) OpenWRT version don't carry an /etc/os-release
if _chroot test -r /etc/openwrt_version
then
os_id=openwrt
fi
echo "$os_id"
fi
echo "$os_id"
}
ID="$(determine_os)"
case "$1" in
help|h|--help|-h)
usage
;;
-K)
kernel_flavour
;;
*)
# -k: kernel only
# -m: Misc. services only
# NONE: both
if test "$#" -gt 1
then
shift
fi
reboot_check "$@"
;;
esac
# vim set ft=sh et ts=2 sw=2 :

321
roles/zabbix/tasks/main.yaml Normal file
View File

@@ -0,0 +1,321 @@
---
##### Install zabbix-agent
- name: ping hosts
ping:
- name: check OS
debug: msg={{ansible_distribution}}-{{ansible_distribution_version}}
tags: configure_zabbix
### centOS 7
- name: disable SELinux
selinux:
state: disabled
when: ansible_os_family == "RedHat"
tags: configure_zabbix
- name: install zabbix centOS 7 rpm file
yum:
name: "{{ centos7_link }}"
when: ansible_os_family == "RedHat"
tags: configure_zabbix
- name: install zabbix-agent 4.4 for centOS 7
yum:
name: zabbix-agent
enablerepo: zabbix
update_cache: true
state: latest
when: ansible_os_family == "RedHat"
tags: configure_zabbix
### Debian 8
- name: download zabbix deb file for Debian 8
get_url:
url: "{{ debian8_link }}"
dest: "/tmp/{{ debian8_file }}"
when: ansible_distribution_release == 'jessie'
tags: configure_zabbix
- name: install zabbix deb in Debian 8
apt: deb "/tmp/{{ debian8_file }}"
when: ansible_distribution_release == 'jessie'
tags: configure_zabbix
- name: install zabbix-agent 4.4 Debian 8
apt:
name: zabbix-agent
state: latest
update_cache: yes
when: ansible_distribution_release == 'jessie'
tags: configure_zabbix
### Debian 9
- name: download zabbix deb file for Debian 9
get_url:
url: "{{ debian9_link }}"
dest: "/tmp/{{ debian9_file }}"
when: ansible_distribution_release == 'stretch'
tags: configure_zabbix
- name: install zabbix deb in Debian 9
apt: deb "/tmp/{{ debian9_file }}"
when: ansible_distribution_release == 'stretch'
tags: configure_zabbix
- name: install zabbix-agent 4.4 Debian 9
apt:
name: zabbix-agent
state: latest
update_cache: yes
when: ansible_distribution_release == 'stretch'
tags: configure_zabbix
### Debian 10
- name: download zabbix deb file for Debian 10
get_url:
url: "{{ debian10_link }}"
dest: "/tmp/{{ debian10_file }}"
when: ansible_distribution_release == 'buster'
tags: configure_zabbix
- name: install zabbix deb in Debian 10
apt: deb "/tmp/{{ debian10_file }}"
when: ansible_distribution_release == 'buster'
tags: configure_zabbix
- name: install zabbix-agent 4.4 Debian 10
apt:
name: zabbix-agent
state: latest
update_cache: yes
when: ansible_distribution_release == 'buster'
tags: configure_zabbix
### Ubuntu 16.04 Xenial
- name: download zabbix deb file fot Ubuntu 16.04
get_url:
url: "{{ ubuntu16_link }}"
dest: "/tmp/{{ ubuntu16_file }}"
when: ansible_distribution_release == 'xenial'
tags: configure_zabbix
- name: install zabbix deb for Ubuntu 16.04 Xenial
apt: deb "/tmp/{{ ubuntu16_file }}"
when: ansible_distribution_release == 'xenial'
tags: configure_zabbix
- name: install zabbix-agent 4.4 Ubuntu 16.04
apt:
name: zabbix-agent
state: latest
update_cache: yes
when: ansible_distribution_release == 'xenial'
tags: configure_zabbix
### Ubuntu 18.04 Bionic Beaver
- name: download zabbix deb file fot Ubuntu 18.04
get_url:
url: "{{ ubuntu18_link }}"
dest: "/tmp/{{ ubuntu18_file }}"
when: ansible_distribution_release == 'bionic'
tags: configure_zabbix
- name: install zabbix deb for Ubuntu 18.04 Xenial
apt: deb "/tmp/{{ ubuntu18_file }}"
when: ansible_distribution_release == 'bionic'
tags: configure_zabbix
- name: install zabbix-agent 4.4 Ubuntu 18.04
apt:
name: zabbix-agent
state: latest
update_cache: yes
when: ansible_distribution_release == 'bionic'
tags: configure_zabbix
### Ubunto 20.04 Focal
- name: download zabbix deb file fot Ubuntu 20.04
get_url:
url: "{{ ubuntu20_link }}"
dest: "/tmp/{{ ubuntu20_file }}"
when: ansible_distribution_release == 'focal'
tags: configure_zabbix
- name: install zabbix deb for Ubuntu 20.04 Xenial
apt: deb "/tmp/{{ ubuntu20_file }}"
when: ansible_distribution_release == 'focal'
tags: configure_zabbix
- name: install zabbix-agent 4.4 Ubuntu 20.04
apt:
name: zabbix-agent
state: latest
update_cache: yes
when: ansible_distribution_release == 'focal'
tags: configure_zabbix
##### enabled zabbix-agent
- name: enable service zabbix-agent and ensure it is not masked
systemd:
name: zabbix-agent
enabled: yes
masked: no
become: yes
tags: configure_zabbix
##### check zabbix home dir and shell
- name: Make sure a service is stopped
systemd: state=stopped name=zabbix-agent
become: yes
tags: configure_zabbix
- name: check zabbix home dir and shell
user:
name: zabbix
shell: /bin/bash
home: /etc/zabbix
append: yes
groups: sudo
become: yes
tags: configure_zabbix
##### mkdir /etc/zabbix/scripts and rights
- name: mkdir /etc/zabbix/scripts and rights
file:
path: /etc/zabbix/scripts
state: directory
owner: zabbix
group: zabbix
mode: 0700
become: yes
tags: configure_zabbix
##### change zabbix_agentd.conf
- name: change zabbix_agentd.conf Hostname
lineinfile:
path: /etc/zabbix/zabbix_agentd.conf
state: present
regexp: 'Hostname=Zabbix server'
line: "Hostname={{ ansible_hostname }}"
become: yes
tags: configure_zabbix
- name: change zabbix_agentd.conf ServerActive
lineinfile:
path: /etc/zabbix/zabbix_agentd.conf
state: present
regexp: 'ServerActive=127.0.0.1'
line: "ServerActive={{ zbx_srv }}"
become: yes
tags: configure_zabbix
- name: change zabbix_agentd.conf Server
lineinfile:
path: /etc/zabbix/zabbix_agentd.conf
state: present
regexp: 'Server=127.0.0.1'
line: "Server={{ zbx_srv }}"
become: yes
tags: configure_zabbix
- name: change zabbix_agentd.conf EnableRemoteCommands
lineinfile:
path: /etc/zabbix/zabbix_agentd.conf
state: present
regexp: '# EnableRemoteCommands=0'
line: 'EnableRemoteCommands=1'
become: yes
tags: configure_zabbix
- name: change zabbix_agentd.conf LogRemoteCommands
lineinfile:
path: /etc/zabbix/zabbix_agentd.conf
state: present
regexp: '# LogRemoteCommands=0'
line: 'LogRemoteCommands=1'
tags: configure_zabbix
##### Install Vulners plugin
### CentOS7
- name: install plugin repo centOS 7 rpm file
yum: name=https://repo.vulners.com/redhat/vulners-repo.rpm
when: ansible_os_family == "RedHat"
tags: configure_zabbix
- name: install plugin for centOS 7
yum: name=zabbix-threat-control-host
when: ansible_os_family == "RedHat"
tags: configure_zabbix
### Debian
#- name: download plugin deb file for Debian
# get_url:
# url: https://repo.vulners.com/debian/vulners-repo.deb
# dest: /tmp/vulners-repo.deb
# when: ansible_os_family == "Debian"
# tags: configure_zabbix
#- name: install plugin deb in Debian
# apt: deb="/tmp/vulners-repo.deb"
# when: ansible_os_family == "Debian"
# tags: configure_zabbix
#- name: install plugin Debian
# apt:
# name: zabbix-threat-control-host
# update_cache: yes
# when: ansible_os_family == "Debian"
# tags: configure_zabbix
### Starting zabbix-agent
- name: install needrestart
apt:
name: needrestart
update_cache: yes
when: ansible_os_family == "Debian"
tags: configure_zabbix
- name: Make sure a service is started
systemd: state=started name=zabbix-agent
become: yes
tags: configure_zabbix
- name: Copy configuration files
become: true
copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: root
group: root
mode: 6755
with_items:
- { src: "{{ role_path }}/files/check_updates.sh", dest: "/opt/zabbix_scripts/" }
- { src: "{{ role_path }}/files/zbx-reboot-required.sh", dest: "/opt/zabbix_scripts/" }
tags: configure_zabbix
- name: enable cron job for update check
become: true
cron:
name: "update_checker"
minute: "*/30"
user: root
job: "/opt/zabbix_scripts/check_updates.sh"
tags: configure_zabbix
- name: zabbix-agent-config
lineinfile:
path: "/etc/zabbix/zabbix_agentd.conf"
state: present
line: "{{ item.line }}"
with_items:
- { line: "UserParameter=os.updates.pending,cat \"/run/zabbix/zabbix.count.updates\"" }
- { line: "UserParameter=reboot-required.kernel,/opt/zabbix_scripts/zbx-reboot-required.sh -k" }
- { line: "UserParameter=reboot-required.services,/opt/zabbix_scripts/zbx-reboot-required.sh -s" }
become: true
tags: configure_zabbix
- name: Restart service zabbix-agent
service:
name: zabbix-agent
state: restarted
tags: configure_zabbix
become: true

14
roles/zabbix/vars/main.yml Normal file
View File

@@ -0,0 +1,14 @@
zbx_srv: 192.168.88.16
centos7_link: https://repo.zabbix.com/zabbix/4.4/rhel/7/x86_64/zabbix-release-4.4-1.el7.noarch.rpm
debian8_link: https://repo.zabbix.com/zabbix/4.4/debian/pool/main/z/zabbix-release/zabbix-release_4.4-1+jessie_all.deb
debian8_file: zabbix-release_4.4-1+jessie_all.deb
debian9_link: https://repo.zabbix.com/zabbix/4.4/debian/pool/main/z/zabbix-release/zabbix-release_4.4-1+stretch_all.deb
debian9_file: zabbix-release_4.4-1+stretch_all.deb
debian10_link: https://repo.zabbix.com/zabbix/5.3/debian/pool/main/z/zabbix-release/zabbix-release_5.3-1+debian10_all.deb
debian10_file: zabbix-release_5.3-1+debian10_all.deb
ubuntu16_link: https://repo.zabbix.com/zabbix/4.4/ubuntu/pool/main/z/zabbix-release/zabbix-release_4.4-1+xenial_all.deb
ubuntu16_file: zabbix-release_4.4-1+xenial_all.deb
ubuntu18_link: https://repo.zabbix.com/zabbix/4.4/ubuntu/pool/main/z/zabbix-release/zabbix-release_4.4-1+bionic_all.deb
ubuntu18_file: zabbix-release_4.4-1+bionic_all.deb
ubuntu20_link: https://repo.zabbix.com/zabbix/5.3/ubuntu/pool/main/z/zabbix-release/zabbix-release_5.3-1+ubuntu20.04_all.deb
ubuntu20_file: zabbix-release_5.3-1+ubuntu20.04_all.deb

8
samba-dc.yml
View File

@@ -1,14 +1,14 @@
- hosts: adc01 - hosts: dc01
become: true become: true
vars: vars:
# -- Custom settings: role-samba4-primary-ad-dc -- # -- Custom settings: role-samba4-primary-ad-dc --
smb_workgroup : 'LAB' smb_workgroup : 'VSRAPOC'
smb_realm : 'LAB.LOCAL' smb_realm : 'VSRAPOC.DSFINANCIAL.COMCAST.NET'
smb_username : 'administrator' smb_username : 'administrator'
smb_password : 'Password123' smb_password : 'Password123'
smb_role : 'primary' smb_role : 'primary'
smb_dns_servers: '10.100.100.12' smb_dns_servers: '10.1.10.10'
smb_dns_forwarder: '8.8.8.8' smb_dns_forwarder: '8.8.8.8'
roles: roles:

79
samba.yml
View File

@@ -1,49 +1,30 @@
--- - hosts: dc01
- hosts: samba become: true
tasks:
- name: Install Samba Packages vars:
become: yes # -- Custom settings: role-samba4-primary-ad-dc --
apt: smb_workgroup : 'VSRAPOC'
name: ['samba', 'smbclient','winbind','krb5-user','krb5-config','krb5-locales','winbind','libpam-winbind','libnss-winbind','dnsutils'] smb_realm : 'VSRAPOC.DSFINANCIAL.COMCAST.NET'
state: present smb_username : 'administrator'
update_cache: true smb_password : 'Password123'
- name: stop samba services smb_role : 'primary'
become: yes smb_dns_servers: '10.1.10.10'
command: systemctl stop "{{ item }}" smb_dns_forwarder: '8.8.8.8'
ignore_errors: true
with_items: roles:
- samba-ad-dc.service - role-samba4-primary-ad-dc
- smbd.service
- nmbd.service - hosts: server01 server02 server03
- winbind.service become: true
- name: disable samba services
become: yes vars:
command: systemctl disable "{{ item }}" # -- Custom settings: role-samba4-primary-ad-dc --
ignore_errors: true smb_workgroup : 'VSRAPOC'
with_items: smb_realm : 'VSRAPOC.DSFINANCIAL.COMCAST.NET'
- samba-ad-dc.service smb_username : 'administrator'
- smbd.service smb_password : 'Password123'
- nmbd.service smb_dns_servers: '10.1.10.10'
- winbind.service
- name: set nsswitch service to use DNS resolution roles:
become: yes - role-samba4-ad-member
lineinfile:
path: /etc/nsswitch.conf
state: present
regexp: '^hosts:'
line: 'hosts: files dns mdns4_minimal [NOTFOUND=return]'
- name: check if smb.conf exists
stat:
path: /etc/samba/smb.conf
register: stat_result
- name: rename default smb.conf
become: yes
shell: mv /etc/samba/smb.conf /etc/samba/smb.conf.backup
ignore_errors: true
tags: remove_default_samba_config
- name: delete default kerberos configuration if it exists
become: yes
file:
state: absent
path: "/etc/krb5.conf"
tags: remove_default_samba_config

13
test.yml Normal file
View File

@@ -0,0 +1,13 @@
---
- hosts: server02
tasks:
- name: test acl
ansible.posix.acl:
path: /media/share
- name: test dns
community.windows.win_dns_record:
name: "server02.vsrapoc.dsfinancial.comcast.net"
type: "A"
value: "10.1.10.14"
zone: "vsrapoc.dsfinancial.comcast.net"

27
zabbix_agent.yml Normal file
View File

@@ -0,0 +1,27 @@
#####################################################
# https://github.com/vargaloid #
# Install zabbix-agent-4.0 #
# For CentOS7; Debian 8, 9, 10; Ubuntu 16.04, 18.04 #
# Version 0.07 #
#####################################################
---
- hosts: all
become: yes
# remote_user: USERNAME
vars:
zbx_srv: 192.168.88.16
centos7_link: https://repo.zabbix.com/zabbix/4.4/rhel/7/x86_64/zabbix-release-4.4-1.el7.noarch.rpm
debian8_link: https://repo.zabbix.com/zabbix/4.4/debian/pool/main/z/zabbix-release/zabbix-release_4.4-1+jessie_all.deb
debian8_file: zabbix-release_4.4-1+jessie_all.deb
debian9_link: https://repo.zabbix.com/zabbix/4.4/debian/pool/main/z/zabbix-release/zabbix-release_4.4-1+stretch_all.deb
debian9_file: zabbix-release_4.4-1+stretch_all.deb
debian10_link: https://repo.zabbix.com/zabbix/5.3/debian/pool/main/z/zabbix-release/zabbix-release_5.3-1+debian10_all.deb
debian10_file: zabbix-release_5.3-1+debian10_all.deb
ubuntu16_link: https://repo.zabbix.com/zabbix/4.4/ubuntu/pool/main/z/zabbix-release/zabbix-release_4.4-1+xenial_all.deb
ubuntu16_file: zabbix-release_4.4-1+xenial_all.deb
ubuntu18_link: https://repo.zabbix.com/zabbix/4.4/ubuntu/pool/main/z/zabbix-release/zabbix-release_4.4-1+bionic_all.deb
ubuntu18_file: zabbix-release_4.4-1+bionic_all.deb
ubuntu20_link: https://repo.zabbix.com/zabbix/5.3/ubuntu/pool/main/z/zabbix-release/zabbix-release_5.3-1+ubuntu20.04_all.deb
ubuntu20_file: zabbix-release_5.3-1+ubuntu20.04_all.deb
roles:
- zabbix