
Added common module(selinux, yum repos and Iptables)

feature/ansible_provision
Juan Manuel Parrilla 7 years ago
parent
commit
fc2ea52e3a
  1. 3
      .gitignore
  2. 1
      provisioning/group_vars/all
  3. 0
      provisioning/group_vars/production
  4. 1
      provisioning/group_vars/vagrant
  5. 4
      provisioning/hosts
  6. 1
      provisioning/roles/common/files/id_rsa.pub
  7. 28
      provisioning/roles/common/files/iptables
  8. 10
      provisioning/roles/common/handlers/main.yml
  9. 28
      provisioning/roles/common/tasks/main.yml
  10. 24
      provisioning/roles/common/tasks/security.yml
  11. 14
      provisioning/roles/common/tasks/yum_repositories.yml
  12. 6
      provisioning/roles/common/templates/Puias_6_compu.repo
  13. 10
      provisioning/roles/common/templates/ntp.conf.j2
  14. 3
      provisioning/roles/common/vars/main.yml

3
.gitignore

@ -32,3 +32,6 @@ django.pot
fixtures/
tmp/
# Vagrant
.vagrant

1
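--- a/provisioning/group_vars/all
+++ b/provisioning/group_vars/all
@@ -1 +0,0 @@
-ntpserver: 192.168.1.1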

0
provisioning/group_vars/production

1
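--- a/provisioning/group_vars/vagrant
+++ b/provisioning/group_vars/vagrant
@@ -0,0 +1 @@
+local_environment: True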
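Review bot: `local_environment` is defined only for the vagrant group; provisioning/group_vars/production is empty in this commit, so the `when:` clauses in security.yml and handlers/main.yml that test this variable evaluate against an undefined name on the production host. Add `local_environment: false` to group_vars/production so both groups evaluate the condition deterministically instead of depending on how the installed Ansible treats undefined names. Lowercase `true` is also preferable to `True` here, matching yamllint's truthy rule and the rest of the role.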

4
provisioning/hosts

@ -1,5 +1,5 @@
shelfzilla ansible_ssh_host=198.211.124.169 ansible_ssh_port=22 ansible_ssh_user=root
vagrantServer ansible_ssh_host=127.0.0.1 ansible_ssh_port=2222 ansible_ssh_user=vagrant
shelfzilla ansible_ssh_host=198.211.124.169 ansible_ssh_port=22 ansible_ssh_user=root
vagrantServer ansible_ssh_host=127.0.0.1 ansible_ssh_port=2222 ansible_ssh_user=vagrant
[production]
shelfzilla
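Review bot: `shelfzilla` is managed as `ansible_ssh_user=root`, while every task in the common role also sets `sudo: yes`, which is a no-op for root; an unprivileged deploy user with sudo, as the vagrant host already uses, would match the role's own sudo convention and allow `PermitRootLogin no` on the server. The host lines are printed twice on this rendered page, so it is unclear which field changed; if only `[production]` was added, note that group_vars/vagrant only applies to hosts in a `[vagrant]` group, and none is declared here, so `local_environment` may never be set for vagrantServer either.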

1
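--- a/provisioning/roles/common/files/id_rsa.pub
+++ b/provisioning/roles/common/files/id_rsa.pub
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDk7B0r4at0lUVF5D3pXFyGRklExP640xrvKX2bMFmRH1eCbtx1CReVxi41ZtsEWA9vi2ZIWxlTGK0av1eBSZh5HChViKLqcb6OsvFDTq+txb1flEPs+QlHcOVs7urxAkazkwnngRbYUDYjIyK02brOJTV/Tp/83AtrPZt8t5LZJVj2oyOyOp8nUttlRpJDLLk+YLWa3P3CaqEfZs0K5Z0DjrrhMmJbqF/1+1Mg3oOkiaFuJXTbmQErggV0hIiZEX0WHy3yMGTpAyuYx60DRteT0IC1pqP6lE5m8D2gC9oD9NkH8wmMPlU3eP1kI1VHG52mH6rV+0Y7XeDhFH6f7Tad Juanpa@KerberossMBP.local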

28
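--- a/provisioning/roles/common/files/iptables
+++ b/provisioning/roles/common/files/iptables
@@ -0,0 +1,28 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:RH-Firewall-1-INPUT - [0:0]
+-A INPUT -j RH-Firewall-1-INPUT
+-A FORWARD -j RH-Firewall-1-INPUT
+-A RH-Firewall-1-INPUT -i lo -j ACCEPT
+-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+#-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED -p tcp -d 198.211.124.169 --dport 80 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED -p tcp -d 198.211.124.169 --dport 443 -j ACCEPT
+# JP house
+-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp -s 213.37.133.114 -d 198.211.124.169 --sport 513:65535 --dport 22 -j ACCEPT
+#-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp -s 213.37.133.114 -d 198.211.124.169 --dport 80 -j ACCEPT
+#-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp -s 213.37.133.114 -d 198.211.124.169 --sport 80 -j ACCEPT
+# Felipe´s Office
+-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp -s 2.139.188.200 -d 198.211.124.169 --sport 513:65535 --dport 22 -j ACCEPT
+#-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp -s 2.139.188.200 -d 198.211.124.169 --dport 80 -j ACCEPT
+#-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp -s 2.139.188.200 -d 198.211.124.169 --sport 80 -j ACCEPT
+# Felipe´s house
+-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp -s 88.26.241.211 -d 198.211.124.169 --sport 513:65535 --dport 22 -j ACCEPT
+#-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp -s 88.26.241.211 -d 198.211.124.169 --dport 80 -j ACCEPT
+#-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp -s 88.26.241.211 -d 198.211.124.169 --sport 80 -j ACCEPT
+# Moriarti CI
+-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp -s 37.139.15.172 -d 198.211.124.169 --sport 513:65535 --dport 22 -j ACCEPT
+-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
+COMMIT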
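Review bot: Every ACCEPT rule hard-codes the host address as `-d 198.211.124.169`, which is duplicated in provisioning/hosts; if the server is ever re-addressed none of the accepts match and the terminal `-j REJECT` locks out SSH, so rendering this as a Jinja2 template that takes the address from inventory (`-d {{ ansible_ssh_host }}`) would keep the two in step. `-A FORWARD -j RH-Firewall-1-INPUT` routes forwarded traffic through the same accept list under a `:FORWARD ACCEPT` policy; on a host that does not forward this is harmless, but a `DROP` policy on FORWARD would state that intent instead of leaving it implicit. Nothing here touches ip6tables, so any IPv6 address configured on the host stays unfiltered; a matching ip6tables file (or an explicit decision to disable IPv6) belongs alongside this one. The file is loaded only by the security.yml task, whose gating is discussed there.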

10
provisioning/roles/common/handlers/main.yml

@ -1,4 +1,8 @@
---
- name: restart ntpd
service: name=ntpd state=restarted
sudo: yes
- name: Clean yum packages
command: /usr/bin/yum clean all
sudo: yes
- service: name=iptables pattern=/sbin/iptables state=restarted
sudo: yes
when: local_environment is true
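Review bot: The new iptables handler has no `name:`, yet security.yml notifies it as `iptables`; Ansible matches a notification against the handler's name, and an unnamed handler is known only by its action string, so the notification very likely never fires and the rules file is never loaded after being installed. Give it `- name: iptables` (or `restart iptables`, with the notify in security.yml changed to match). `when: local_environment is true` relies on a Jinja2 `true` test that older Jinja2 releases do not provide; `when: local_environment` expresses the same condition portably, and note that group_vars/production never defines the variable at all. The `sudo: yes` values are YAML 1.1 truthy spellings; Ansible accepts them, but `true` is the canonical form and reads consistently with `true`/`false` elsewhere.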

28
provisioning/roles/common/tasks/main.yml

@ -1,26 +1,4 @@
---
- name: be sure ntp is installed
yum: pkg=ntp state=installed
sudo: yes
- name: Install libselinux python
yum: pkg=libselinux-python state=installed
sudo: yes
- name: test to see if selinux is running
command: /usr/sbin/getenforce
register: sestatus
- name: Selinux Down
command: setenforce 0
when: sestatus == 'Enforcing'
- name: be sure ntp is configured
template: src=ntp.conf.j2 dest=/etc/ntp.conf
notify:
- restart ntpd
sudo: yes
- name: be sure ntpd is running and enabled
service: name=ntpd state=running enabled=yes
sudo: yes
- debug: msg="Starting Common module"
- include: yum_repositories.yml
- include: security.yml
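Review bot: The new side removes the ntp install/configure/run tasks entirely, but provisioning/roles/common/vars/main.yml still defines `ntpserver` and handlers/main.yml still carries `restart ntpd`, both now dead; either drop them in this commit or keep an ntp task, since TLS certificate validation and log correlation on the production host both depend on synchronized time. `- debug: msg="Starting Common module"` prints a line on every run without conveying any state; giving the two `include:` tasks a `name:` would provide the same orientation in play output without the extra task.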

24
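--- a/provisioning/roles/common/tasks/security.yml
+++ b/provisioning/roles/common/tasks/security.yml
@@ -0,0 +1,24 @@
+---
+- name: Selinux module Dependecy
+yum: name=libselinux-python state=latest
+sudo: yes
+- selinux: policy=targeted state=permissive
+sudo: yes
+- name: Clean iptables
+shell: /sbin/iptables -F
+sudo: yes
+- stat: path=/etc/sysconfig/iptables
+register: st
+- name: Install Iptables statements
+file:
+src=iptables
+dest=/etc/sysconfig/iptables
+sudo: yes
+when: local_environment and st.stat.exists
+notify:
+- iptables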
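Review bot: `shell: /sbin/iptables -F` flushes every rule on every host unconditionally, but the task that restores them is gated on `local_environment and st.stat.exists`, so on the production host (where `local_environment` is undefined and the task either skips or errors) the chains are emptied under an ACCEPT policy and nothing reloads them — the firewall ends up wide open. The restore task uses `file: src=iptables dest=...`, which does not copy content (`src` on the `file` module is for `state=link`); it should be `copy: src=iptables dest=/etc/sysconfig/iptables owner=root group=root mode=0600`. The `st.stat.exists` guard also means a fresh host with no /etc/sysconfig/iptables never receives the rules, and the flush is redundant because restarting the iptables service loads the file in one step, so dropping both the flush task and the stat guard is simpler and safer. `selinux: policy=targeted state=permissive` switches enforcement off on every host, production included, with no comment saying why; if it is only needed for the local VM, gate it on `local_environment`, and at minimum document the reason in a comment above the task. Finally, the `stat:` and `selinux:` tasks lack a `name:`, which makes play output and notify targets harder to follow.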

14
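--- a/provisioning/roles/common/tasks/yum_repositories.yml
+++ b/provisioning/roles/common/tasks/yum_repositories.yml
@@ -0,0 +1,14 @@
+---
+- name: Puias Repo RPM Key
+get_url:
+url=http://springdale.math.ias.edu/data/puias/6/x86_64/os/RPM-GPG-KEY-puias
+dest=/etc/pki/rpm-gpg/RPM-GPG-KEY-puias
+mode=0644
+- name: Install Puias Repo
+template:
+src=Puias_6_compu.repo
+dest=/etc/yum.repos.d/Puias_6_compu.repo
+sudo: yes
+notify:
+- Clean yum packages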
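Review bot: The RPM-GPG-KEY-puias key is fetched over plain `http://` with no integrity check, so the key that `gpgcheck=1` in the repo file later trusts is itself unauthenticated; pin it with get_url's checksum argument (`sha256sum=<expected-digest>` on the Ansible generation this playbook targets) or ship the key from `files/` with `copy:` as the iptables rules already are, and use an https URL if the mirror offers one. The `get_url` task also has no `sudo: yes` while writing into /etc/pki/rpm-gpg, so it will fail with a permission error when run as the `vagrant` user the inventory specifies. Both tasks would read more consistently with the same `sudo: yes` and `name:` discipline as the rest of the role.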

6
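--- a/provisioning/roles/common/templates/Puias_6_compu.repo
+++ b/provisioning/roles/common/templates/Puias_6_compu.repo
@@ -0,0 +1,6 @@
+[PUIAS_6_computational]
+name=PUIAS computational Base $releasever - $basearch
+mirrorlist= {{ Puias_url }}
+#baseurl=http://puias.math.ias.edu/data/puias/computational/$releasever/$basearch
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puias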
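Review bot: `mirrorlist= {{ Puias_url }}` has a stray space after `=`; yum's ini parser should strip leading whitespace from the value, but it reads as a typo, so `mirrorlist={{ Puias_url }}`. The mirrorlist is served over plain http (see `Puias_url` in vars/main.yml), which lets a network attacker steer the client to a mirror of their choosing; `gpgcheck=1` bounds that to whatever the repo key signs, which is why the key's own download integrity in yum_repositories.yml matters. Since this is a Jinja2 template but `$releasever`/`$basearch` are yum variables, a one-line comment noting that the dollar-variables are intentionally left for yum to expand would save a reader a second look.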

10
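--- a/provisioning/roles/common/templates/ntp.conf.j2
+++ b/provisioning/roles/common/templates/ntp.conf.j2
@@ -1,10 +0,0 @@
-driftfile /var/lib/ntp/drift
-restrict 127.0.0.1
-restrict -6 ::1
-server {{ ntpserver }}
-includefile /etc/ntp/crypto/pw
-keys /etc/ntp/keys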

3
provisioning/roles/common/vars/main.yml

@ -1,4 +1,3 @@
---
# Variables here are applicable to all host groups
ntpserver: 192.168.1.2
Puias_url: http://puias.math.ias.edu/data/puias/computational/$releasever/$basearch/mirrorlist