Added common module(selinux, yum repos and Iptables)

2014-11-13 13:13:09 +01:00 · 2014-11-13 13:13:09 +01:00 · fc2ea52e3a
parent d449afbf7e
commit fc2ea52e3a
14 changed files with 89 additions and 44 deletions
--- a/.gitignore
+++ b/.gitignore
@ -32,3 +32,6 @@ django.pot
 fixtures/

 tmp/
+
+# Vagrant
+.vagrant
--- a/provisioning/group_vars/all
+++ b/provisioning/group_vars/all
@ -1 +0,0 @@
-ntpserver: 192.168.1.1
--- a/provisioning/group_vars/production
+++ b/provisioning/group_vars/production
--- a/provisioning/group_vars/vagrant
+++ b/provisioning/group_vars/vagrant
@ -0,0 +1 @@
+local_environment: True
--- a/provisioning/roles/common/files/id_rsa.pub
+++ b/provisioning/roles/common/files/id_rsa.pub
@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDk7B0r4at0lUVF5D3pXFyGRklExP640xrvKX2bMFmRH1eCbtx1CReVxi41ZtsEWA9vi2ZIWxlTGK0av1eBSZh5HChViKLqcb6OsvFDTq+txb1flEPs+QlHcOVs7urxAkazkwnngRbYUDYjIyK02brOJTV/Tp/83AtrPZt8t5LZJVj2oyOyOp8nUttlRpJDLLk+YLWa3P3CaqEfZs0K5Z0DjrrhMmJbqF/1+1Mg3oOkiaFuJXTbmQErggV0hIiZEX0WHy3yMGTpAyuYx60DRteT0IC1pqP6lE5m8D2gC9oD9NkH8wmMPlU3eP1kI1VHG52mH6rV+0Y7XeDhFH6f7Tad Juanpa@KerberossMBP.local
--- a/provisioning/roles/common/files/iptables
+++ b/provisioning/roles/common/files/iptables
@ -0,0 +1,28 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:RH-Firewall-1-INPUT - [0:0]
+-A INPUT -j RH-Firewall-1-INPUT
+-A FORWARD -j RH-Firewall-1-INPUT
+-A RH-Firewall-1-INPUT -i lo -j ACCEPT
+-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+#-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED -p tcp -d 198.211.124.169 --dport 80 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED -p tcp -d 198.211.124.169 --dport 443 -j ACCEPT
+# JP house
+-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp -s 213.37.133.114 -d 198.211.124.169 --sport 513:65535 --dport 22  -j ACCEPT
+#-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp -s 213.37.133.114 -d 198.211.124.169 --dport 80 -j ACCEPT
+#-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp -s 213.37.133.114 -d 198.211.124.169 --sport 80 -j ACCEPT
+# Felipe´s Office
+-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp -s 2.139.188.200 -d 198.211.124.169 --sport 513:65535 --dport 22  -j ACCEPT
+#-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp -s 2.139.188.200 -d 198.211.124.169 --dport 80 -j ACCEPT
+#-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp -s 2.139.188.200 -d 198.211.124.169 --sport 80 -j ACCEPT
+# Felipe´s house
+-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp -s 88.26.241.211 -d 198.211.124.169 --sport 513:65535 --dport 22  -j ACCEPT
+#-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp -s 88.26.241.211 -d 198.211.124.169 --dport 80 -j ACCEPT
+#-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp -s 88.26.241.211 -d 198.211.124.169 --sport 80 -j ACCEPT
+# Moriarti CI
+-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp -s 37.139.15.172 -d 198.211.124.169 --sport 513:65535 --dport 22  -j ACCEPT
+-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
+COMMIT
--- a/provisioning/roles/common/handlers/main.yml
+++ b/provisioning/roles/common/handlers/main.yml
@ -1,4 +1,8 @@
 ---
- name: restart ntpd
-  service: name=ntpd state=restarted
+-   name: Clean yum packages
+    command: /usr/bin/yum clean all
    sudo: yes
+
+-   service: name=iptables pattern=/sbin/iptables state=restarted
+    sudo: yes
+    when: local_environment is true
--- a/provisioning/roles/common/tasks/main.yml
+++ b/provisioning/roles/common/tasks/main.yml
@ -1,26 +1,4 @@
 ---
- name: be sure ntp is installed
-  yum: pkg=ntp state=installed
-  sudo: yes
-
- name: Install libselinux python
-  yum: pkg=libselinux-python state=installed
-  sudo: yes
-
- name: test to see if selinux is running
-  command: /usr/sbin/getenforce
-  register: sestatus
-
- name: Selinux Down
-  command: setenforce 0
-  when: sestatus == 'Enforcing' 
-
- name: be sure ntp is configured
-  template: src=ntp.conf.j2 dest=/etc/ntp.conf
-  notify:
-    - restart ntpd
-  sudo: yes
-
- name: be sure ntpd is running and enabled
-  service: name=ntpd state=running enabled=yes
-  sudo: yes
+- debug: msg="Starting Common module"
+- include: yum_repositories.yml
+- include: security.yml
--- a/provisioning/roles/common/tasks/security.yml
+++ b/provisioning/roles/common/tasks/security.yml
@ -0,0 +1,24 @@
+---
+-   name: Selinux module Dependecy
+    yum: name=libselinux-python state=latest
+    sudo: yes
+
+-   selinux: policy=targeted state=permissive
+    sudo: yes
+
+-   name: Clean iptables
+    shell: /sbin/iptables -F
+    sudo: yes
+
+-   stat: path=/etc/sysconfig/iptables
+    register: st
+
+-   name: Install Iptables statements
+    file: 
+        src=iptables
+        dest=/etc/sysconfig/iptables
+    sudo: yes
+    when: local_environment and st.stat.exists
+    notify: 
+        - iptables
+
--- a/provisioning/roles/common/tasks/yum_repositories.yml
+++ b/provisioning/roles/common/tasks/yum_repositories.yml
@ -0,0 +1,14 @@
+---
+-   name: Puias Repo RPM Key
+    get_url: 
+        url=http://springdale.math.ias.edu/data/puias/6/x86_64/os/RPM-GPG-KEY-puias 
+        dest=/etc/pki/rpm-gpg/RPM-GPG-KEY-puias 
+        mode=0644
+
+-   name: Install Puias Repo
+    template: 
+        src=Puias_6_compu.repo
+        dest=/etc/yum.repos.d/Puias_6_compu.repo
+    sudo: yes
+    notify:
+        - Clean yum packages
--- a/provisioning/roles/common/templates/Puias_6_compu.repo
+++ b/provisioning/roles/common/templates/Puias_6_compu.repo
@ -0,0 +1,6 @@
+[PUIAS_6_computational]
+name=PUIAS computational Base $releasever - $basearch
+mirrorlist= {{ Puias_url }}
+#baseurl=http://puias.math.ias.edu/data/puias/computational/$releasever/$basearch
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puias
--- a/provisioning/roles/common/templates/ntp.conf.j2
+++ b/provisioning/roles/common/templates/ntp.conf.j2
@ -1,10 +0,0 @@
-driftfile /var/lib/ntp/drift
-
-restrict 127.0.0.1 
-restrict -6 ::1
-
-server {{ ntpserver }}
-
-includefile /etc/ntp/crypto/pw
-
-keys /etc/ntp/keys
--- a/provisioning/roles/common/vars/main.yml
+++ b/provisioning/roles/common/vars/main.yml
@ -1,4 +1,3 @@
 ---
-# Variables here are applicable to all host groups

-ntpserver: 192.168.1.2
+Puias_url: http://puias.math.ias.edu/data/puias/computational/$releasever/$basearch/mirrorlist
				`@ -1 +0,0 @@`
				`ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDk7B0r4at0lUVF5D3pXFyGRklExP640xrvKX2bMFmRH1eCbtx1CReVxi41ZtsEWA9vi2ZIWxlTGK0av1eBSZh5HChViKLqcb6OsvFDTq+txb1flEPs+QlHcOVs7urxAkazkwnngRbYUDYjIyK02brOJTV/Tp/83AtrPZt8t5LZJVj2oyOyOp8nUttlRpJDLLk+YLWa3P3CaqEfZs0K5Z0DjrrhMmJbqF/1+1Mg3oOkiaFuJXTbmQErggV0hIiZEX0WHy3yMGTpAyuYx60DRteT0IC1pqP6lE5m8D2gC9oD9NkH8wmMPlU3eP1kI1VHG52mH6rV+0Y7XeDhFH6f7Tad Juanpa@KerberossMBP.local`