mg/homeserver
1
0
Fork 0
Code Issues 1 Pull requests 3 Activity Actions

Doku aktualisiert (#27)

Browse source 
Bessere erklärung passwörter

doku

Doku zusammengefasst

Housekeeping

Co-authored-by: Michael Grote <38253905+quotengrote@users.noreply.github.com>
Reviewed-on: mg/ansible#27
Co-Authored-By: mg <michael.grote@posteo.de>
Co-Committed-By: mg <michael.grote@posteo.de>
This commit is contained in:
Michael Grote 2021-01-06 18:09:09 +01:00
parent 640bc6d71c
commit 06a76ef006
6 changed files with 49 additions and 237 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

49
README.md
View file

@ -1 +1,50 @@
# ansible_heimserver
## example-cli
ansible-playbook playbooks/base/0_master.yml -i inventory --limit jenkins-test.grote.lan --key-file id_rsa_ansible_user --vault-pass-file vault-pass.yml
## install necessary collections
`ansible-galaxy collection install -r requirements.yml`
## list installed collections
`ansible-galaxy collection list -vvv`
## fix ansible vault-permissions
```
sudo chmod 400 id_rsa_ansible_user
sudo chmod 400 vault-pass.yml
```
## vault + KeePass LookUp-Plugin
### Einrichtung
Das Plugin wird bei einer Installation mit dem Playbook "ansible" mit eingerichtet.
Die "Secrets" liegen in der KeepassDB die mit dem Kennwort aus "vault-pass.yml" verschlüsselt ist.
"vault-pass.yml" steht mit in der .gitignore
Die Variable "vault_password_file" ist mit " ~/ansible/vault-pass.yml" in der ansible.cfg gesetzt.
Diese Datei enthält das Passwort mit dem die KeePassDb verschlüsselt ist.
Das vault-secret für die GroupVars wird mit `ansible-vault encrypt_string <password>` erstellt.
### Erklärung
keepass_dbx: "./keepass_db.kdbx"
keepass_psw: !vault |
$ANSIBLE_VAULT;1.1;AES256
62383737XXXXXX531
1. mit vault-pass.yml wird das Kennwort an ansible-vault übergeben
2. ansible-vault entschlüsselt hiermit die variable "keepass_psw"
3. der Inhalt der Variable wird dann an das KeePass-Lookup-Plugin übergeben was damit die KeePass-Datei öffnet
### Abfrage der Secrets in tasks/playbooks
`restic_repository_password: "{{ lookup('keepass', 'restic_repository_password', 'password') }}"`
#### Erklärung
```
restic_repository_password: <-- Ansible Variablen Name
lookup('keepass' <-- Aufruf Keepass-Lookup-Plugin
restic_repository_password <-- Titel Eintrag mit Secret
password <-- Feldbzeichner in KeepassDB
```

1
example_cli.txt
View file

@ -1 +0,0 @@
ansible-playbook playbooks/base/0_master.yml -i inventory --limit jenkins-test.grote.lan --key-file id_rsa_ansible_user --vault-pass-file vault-pass.yml

4
fix_permissions.sh
View file

@ -1,4 +0,0 @@
#!/bin/bash
sudo chmod 400 /home/mg/ansible/id_rsa_ansible_user
sudo chmod 400 /home/mg/ansible/vault-pass.yml
# Datei muss Zeilenende LF haben

3
list_collections.sh
View file

@ -1,3 +0,0 @@
#!/bin/bash
ansible-galaxy collection list -vvv
# Datei muss Zeilenende LF haben

207
roles/mgrote.fileserver_smb/Notizen.md
View file

@ -1,207 +0,0 @@
path = /media/share
writeable = yes
browseable = yes
public = yes
create mask = 0644
directory mask = 0755
force user = shareuser
fuer alle
- name: Erstelle SAMBA-Shares
template:
src: smb.conf
dest: /etc/samba/smb.conf
validate: 'testparm -s %s'
notify: smbd neustarten
- name: Testing Iteration
copy:
dest: /etc/samba/smb.conf
content: |
{% for freigaben in [freigaben] %}
[{{ item.freigabename }}]
read only = no
browseable = yes
public = yes
writable = yes
available = yes
valid users {{ item.erlaubte_user }}
path = /shares/{{ item.ordnername }}
{% endfor %}
(% for freigaben in {{ freigaben }} %)
{{ item.freigabename }}
read only = no
(% endfor %)
valid users {{ item.erlaubte_user }}
[mg]
path = /srv/7050c4a3-98ad-41bd-804d-a85c94b16468/mg
hide special files = Yes
create mask = 0664
directory mask = 0775
force create mode = 0664
force directory mode = 0775
inherit acls = Yes
read only = No
valid users = michaelgrote win10
write list = michaelgrote win10
vfs objects = recycle
recycle:maxsize = 0
recycle:exclude_dir =
recycle:exclude =
recycle:subdir_mode = 0700
recycle:directory_mode = 0777
recycle:touch = yes
recycle:versions = yes
recycle:keeptree = yes
recycle:repository = .recycle/%U
[aptcacherng]
path = /srv/7050c4a3-98ad-41bd-804d-a85c94b16468/aptcacherng
hide special files = Yes
create mask = 0664
directory mask = 0775
force create mode = 0664
force directory mode = 0775
inherit permissions = Yes
read only = No
[Backup]
path = /srv/7050c4a3-98ad-41bd-804d-a85c94b16468/Backup
hide special files = Yes
create mask = 0664
directory mask = 0775
force create mode = 0664
force directory mode = 0775
inherit acls = Yes
read only = No
valid users = annemariedroessler michaelgrote restic toolserver win10
write list = annemariedroessler michaelgrote restic toolserver win10
vfs objects = recycle
recycle:maxsize = 0
recycle:exclude_dir =
recycle:exclude =
recycle:subdir_mode = 0700
recycle:directory_mode = 0777
recycle:touch = yes
recycle:versions = yes
recycle:keeptree = yes
recycle:repository = .recycle/%U
[amd]
path = /srv/7050c4a3-98ad-41bd-804d-a85c94b16468/amd
hide special files = Yes
create mask = 0664
directory mask = 0775
force create mode = 0664
force directory mode = 0775
inherit acls = Yes
read list = michaelgrote win10
read only = No
valid users = michaelgrote annemariedroessler win10
write list = annemariedroessler
vfs objects = recycle
recycle:maxsize = 0
recycle:exclude_dir =
recycle:exclude =
recycle:subdir_mode = 0700
recycle:directory_mode = 0777
recycle:touch = yes
recycle:versions = yes
recycle:keeptree = yes
recycle:repository = .recycle/%U
server string = %h server
log file = /var/log/samba/log.%m
logging = syslog
max log size = 1000
panic action = /usr/share/samba/panic-action %d
disable spoolss = Yes
load printers = No
printcap name = /dev/null
map to guest = Bad User
pam password change = Yes
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
passwd program = /usr/bin/passwd %u
socket options = TCP_NODELAY IPTOS_LOWDELAY
dns proxy = No
idmap config * : backend = tdb
printing = bsd
acl allow execute always = Yes
create mask = 0777
directory mask = 0777
aio read size = 16384
aio write size = 16384
allocation roundup size = 4096
use sendfile = Yes
Variable precedence
docs
From 2.0 on, from lowest priority to highest - in other words, if a variable is defined in two places, the place thats farther down in this list takes precedence.
role defaults [1]
inventory file or script group vars [2]
inventory group_vars/all [3]
playbook group_vars/all [3]
inventory group_vars/* [3]
playbook group_vars/* [3]
inventory file or script host vars [2]
inventory host_vars/*
playbook host_vars/*
host facts / cached set_facts [4]
inventory host_vars/* [3]
playbook host_vars/* [3]
host facts
play vars
play vars_prompt
play vars_files
role vars (defined in role/vars/main.yml)
block vars (only for tasks in block)
task vars (only for the task)
include_vars
set_facts / registered vars
role (and include_role) params
include params
extra vars (defined on command line with -e, always win precedence)

22
vault_infos.md
View file

@ -1,22 +0,0 @@
# Ansible Vault + KeePass LookUp-Plugin
# Einrichtung
Das Plugin wird bei einer Installation mit dem Playbook "ansible" mit eingerichtet.
Die "Secrets" liegen in der KeepassDB die mit dem Kennwort aus "vault-pass.yml" verschlüsselt ist.
"vault-pass.yml" steht mit in der .gitignore
Die Variable "vault_password_file" ist mit " ~/ansible/vault-pass.yml" in der ansible.cfg gesetzt.
Diese Datei enthält das Passwort mit dem die KeePassDb verschlüsselt ist.
Das vault-secret für die GroupVars wird mit `ansible-vault encrypt_string <password>` erstellt.
# Abfrage der Secrets in tasks/playbooks
`restic_repository_password: "{{ lookup('keepass', 'restic_repository_password', 'password') }}"`
## Erklärung
```
restic_repository_password: <-- Ansible Variablen Name
lookup('keepass' <-- Aufruf Keepass-Lookup-Plugin
restic_repository_password <-- Titel Eintrag mit Secret
password <-- Feldbzeichner in KeepassDB
```