Doku aktualisiert (#27)
Bessere Erklärung der Passwort-Doku; Doku zusammengefasst; Housekeeping. Co-authored-by: Michael Grote <38253905+quotengrote@users.noreply.github.com> Reviewed-on: mg/ansible#27 Co-Authored-By: mg <michael.grote@posteo.de> Co-Committed-By: mg <michael.grote@posteo.de>
This commit is contained in:
parent
640bc6d71c
commit
06a76ef006
6 changed files with 49 additions and 237 deletions
49
README.md
49
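--- a/README.md
+++ b/README.md
@@ -1 +1,50 @@
 # ansible_heimserver
+
+## example-cli
+ansible-playbook playbooks/base/0_master.yml -i inventory --limit jenkins-test.grote.lan --key-file id_rsa_ansible_user --vault-pass-file vault-pass.yml
+
+
+## install necessary collections
+`ansible-galaxy collection install -r requirements.yml`
+
+## list installed collections
+`ansible-galaxy collection list -vvv`
+
+## fix ansible vault-permissions
+```
+sudo chmod 400 id_rsa_ansible_user
+sudo chmod 400 vault-pass.yml
+```
+
+## vault + KeePass LookUp-Plugin
+
+### Einrichtung
+Das Plugin wird bei einer Installation mit dem Playbook "ansible" mit eingerichtet.
+
+Die "Secrets" liegen in der KeepassDB die mit dem Kennwort aus "vault-pass.yml" verschlüsselt ist.
+"vault-pass.yml" steht mit in der .gitignore
+Die Variable "vault_password_file" ist mit " ~/ansible/vault-pass.yml" in der ansible.cfg gesetzt.
+Diese Datei enthält das Passwort mit dem die KeePassDb verschlüsselt ist.
+Das vault-secret für die GroupVars wird mit `ansible-vault encrypt_string <password>` erstellt.
+
+### Erklärung
+keepass_dbx: "./keepass_db.kdbx"
+keepass_psw: !vault |
+$ANSIBLE_VAULT;1.1;AES256
+62383737XXXXXX531
+1. mit vault-pass.yml wird das Kennwort an ansible-vault übergeben
+2. ansible-vault entschlüsselt hiermit die variable "keepass_psw"
+3. der Inhalt der Variable wird dann an das KeePass-Lookup-Plugin übergeben was damit die KeePass-Datei öffnet
+
+
+
+### Abfrage der Secrets in tasks/playbooks
+`restic_repository_password: "{{ lookup('keepass', 'restic_repository_password', 'password') }}"`
+
+#### Erklärung
+```
+restic_repository_password: <-- Ansible Variablen Name
+lookup('keepass' <-- Aufruf Keepass-Lookup-Plugin
+restic_repository_password <-- Titel Eintrag mit Secret
+password <-- Feldbzeichner in KeepassDB
+```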
@ -1 +0,0 @@
|
||||||
ansible-playbook playbooks/base/0_master.yml -i inventory --limit jenkins-test.grote.lan --key-file id_rsa_ansible_user --vault-pass-file vault-pass.yml
|
|
|
@ -1,4 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
sudo chmod 400 /home/mg/ansible/id_rsa_ansible_user
|
|
||||||
sudo chmod 400 /home/mg/ansible/vault-pass.yml
|
|
||||||
# Datei muss Zeilenende LF haben
|
|
|
@ -1,3 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
ansible-galaxy collection list -vvv
|
|
||||||
# Datei muss Zeilenende LF haben
|
|
|
@ -1,207 +0,0 @@
|
||||||
path = /media/share
|
|
||||||
writeable = yes
|
|
||||||
browseable = yes
|
|
||||||
public = yes
|
|
||||||
create mask = 0644
|
|
||||||
directory mask = 0755
|
|
||||||
force user = shareuser
|
|
||||||
fuer alle
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
- name: Erstelle SAMBA-Shares
|
|
||||||
template:
|
|
||||||
src: smb.conf
|
|
||||||
dest: /etc/samba/smb.conf
|
|
||||||
validate: 'testparm -s %s'
|
|
||||||
notify: smbd neustarten
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
- name: Testing Iteration
|
|
||||||
copy:
|
|
||||||
dest: /etc/samba/smb.conf
|
|
||||||
content: |
|
|
||||||
{% for freigaben in [freigaben] %}
|
|
||||||
[{{ item.freigabename }}]
|
|
||||||
read only = no
|
|
||||||
browseable = yes
|
|
||||||
public = yes
|
|
||||||
writable = yes
|
|
||||||
available = yes
|
|
||||||
valid users {{ item.erlaubte_user }}
|
|
||||||
path = /shares/{{ item.ordnername }}
|
|
||||||
|
|
||||||
{% endfor %}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
(% for freigaben in {{ freigaben }} %)
|
|
||||||
|
|
||||||
{{ item.freigabename }}
|
|
||||||
read only = no
|
|
||||||
|
|
||||||
(% endfor %)
|
|
||||||
|
|
||||||
|
|
||||||
valid users {{ item.erlaubte_user }}
|
|
||||||
|
|
||||||
|
|
||||||
[mg]
|
|
||||||
path = /srv/7050c4a3-98ad-41bd-804d-a85c94b16468/mg
|
|
||||||
hide special files = Yes
|
|
||||||
create mask = 0664
|
|
||||||
directory mask = 0775
|
|
||||||
force create mode = 0664
|
|
||||||
force directory mode = 0775
|
|
||||||
inherit acls = Yes
|
|
||||||
read only = No
|
|
||||||
valid users = michaelgrote win10
|
|
||||||
write list = michaelgrote win10
|
|
||||||
vfs objects = recycle
|
|
||||||
recycle:maxsize = 0
|
|
||||||
recycle:exclude_dir =
|
|
||||||
recycle:exclude =
|
|
||||||
recycle:subdir_mode = 0700
|
|
||||||
recycle:directory_mode = 0777
|
|
||||||
recycle:touch = yes
|
|
||||||
recycle:versions = yes
|
|
||||||
recycle:keeptree = yes
|
|
||||||
recycle:repository = .recycle/%U
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
[aptcacherng]
|
|
||||||
path = /srv/7050c4a3-98ad-41bd-804d-a85c94b16468/aptcacherng
|
|
||||||
hide special files = Yes
|
|
||||||
create mask = 0664
|
|
||||||
directory mask = 0775
|
|
||||||
force create mode = 0664
|
|
||||||
force directory mode = 0775
|
|
||||||
inherit permissions = Yes
|
|
||||||
read only = No
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
[Backup]
|
|
||||||
path = /srv/7050c4a3-98ad-41bd-804d-a85c94b16468/Backup
|
|
||||||
hide special files = Yes
|
|
||||||
create mask = 0664
|
|
||||||
directory mask = 0775
|
|
||||||
force create mode = 0664
|
|
||||||
force directory mode = 0775
|
|
||||||
inherit acls = Yes
|
|
||||||
read only = No
|
|
||||||
valid users = annemariedroessler michaelgrote restic toolserver win10
|
|
||||||
write list = annemariedroessler michaelgrote restic toolserver win10
|
|
||||||
vfs objects = recycle
|
|
||||||
recycle:maxsize = 0
|
|
||||||
recycle:exclude_dir =
|
|
||||||
recycle:exclude =
|
|
||||||
recycle:subdir_mode = 0700
|
|
||||||
recycle:directory_mode = 0777
|
|
||||||
recycle:touch = yes
|
|
||||||
recycle:versions = yes
|
|
||||||
recycle:keeptree = yes
|
|
||||||
recycle:repository = .recycle/%U
|
|
||||||
|
|
||||||
|
|
||||||
[amd]
|
|
||||||
path = /srv/7050c4a3-98ad-41bd-804d-a85c94b16468/amd
|
|
||||||
hide special files = Yes
|
|
||||||
create mask = 0664
|
|
||||||
directory mask = 0775
|
|
||||||
force create mode = 0664
|
|
||||||
force directory mode = 0775
|
|
||||||
inherit acls = Yes
|
|
||||||
read list = michaelgrote win10
|
|
||||||
read only = No
|
|
||||||
valid users = michaelgrote annemariedroessler win10
|
|
||||||
write list = annemariedroessler
|
|
||||||
vfs objects = recycle
|
|
||||||
recycle:maxsize = 0
|
|
||||||
recycle:exclude_dir =
|
|
||||||
recycle:exclude =
|
|
||||||
recycle:subdir_mode = 0700
|
|
||||||
recycle:directory_mode = 0777
|
|
||||||
recycle:touch = yes
|
|
||||||
recycle:versions = yes
|
|
||||||
recycle:keeptree = yes
|
|
||||||
recycle:repository = .recycle/%U
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
server string = %h server
|
|
||||||
log file = /var/log/samba/log.%m
|
|
||||||
logging = syslog
|
|
||||||
max log size = 1000
|
|
||||||
panic action = /usr/share/samba/panic-action %d
|
|
||||||
disable spoolss = Yes
|
|
||||||
load printers = No
|
|
||||||
printcap name = /dev/null
|
|
||||||
map to guest = Bad User
|
|
||||||
pam password change = Yes
|
|
||||||
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
|
|
||||||
passwd program = /usr/bin/passwd %u
|
|
||||||
socket options = TCP_NODELAY IPTOS_LOWDELAY
|
|
||||||
dns proxy = No
|
|
||||||
idmap config * : backend = tdb
|
|
||||||
printing = bsd
|
|
||||||
acl allow execute always = Yes
|
|
||||||
create mask = 0777
|
|
||||||
directory mask = 0777
|
|
||||||
aio read size = 16384
|
|
||||||
aio write size = 16384
|
|
||||||
allocation roundup size = 4096
|
|
||||||
use sendfile = Yes
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Variable precedence
|
|
||||||
docs
|
|
||||||
|
|
||||||
From 2.0 on, from lowest priority to highest - in other words, if a variable is defined in two places, the place that’s farther down in this list takes precedence.
|
|
||||||
|
|
||||||
role defaults [1]
|
|
||||||
inventory file or script group vars [2]
|
|
||||||
inventory group_vars/all [3]
|
|
||||||
playbook group_vars/all [3]
|
|
||||||
inventory group_vars/* [3]
|
|
||||||
playbook group_vars/* [3]
|
|
||||||
inventory file or script host vars [2]
|
|
||||||
inventory host_vars/*
|
|
||||||
playbook host_vars/*
|
|
||||||
host facts / cached set_facts [4]
|
|
||||||
inventory host_vars/* [3]
|
|
||||||
playbook host_vars/* [3]
|
|
||||||
host facts
|
|
||||||
play vars
|
|
||||||
play vars_prompt
|
|
||||||
play vars_files
|
|
||||||
role vars (defined in role/vars/main.yml)
|
|
||||||
block vars (only for tasks in block)
|
|
||||||
task vars (only for the task)
|
|
||||||
include_vars
|
|
||||||
set_facts / registered vars
|
|
||||||
role (and include_role) params
|
|
||||||
include params
|
|
||||||
extra vars (defined on command line with -e, always win precedence)
|
|
|
@ -1,22 +0,0 @@
|
||||||
# Ansible Vault + KeePass LookUp-Plugin
|
|
||||||
|
|
||||||
# Einrichtung
|
|
||||||
Das Plugin wird bei einer Installation mit dem Playbook "ansible" mit eingerichtet.
|
|
||||||
|
|
||||||
Die "Secrets" liegen in der KeepassDB die mit dem Kennwort aus "vault-pass.yml" verschlüsselt ist.
|
|
||||||
"vault-pass.yml" steht mit in der .gitignore
|
|
||||||
Die Variable "vault_password_file" ist mit " ~/ansible/vault-pass.yml" in der ansible.cfg gesetzt.
|
|
||||||
Diese Datei enthält das Passwort mit dem die KeePassDb verschlüsselt ist.
|
|
||||||
Das vault-secret für die GroupVars wird mit `ansible-vault encrypt_string <password>` erstellt.
|
|
||||||
|
|
||||||
|
|
||||||
# Abfrage der Secrets in tasks/playbooks
|
|
||||||
`restic_repository_password: "{{ lookup('keepass', 'restic_repository_password', 'password') }}"`
|
|
||||||
|
|
||||||
## Erklärung
|
|
||||||
```
|
|
||||||
restic_repository_password: <-- Ansible Variablen Name
|
|
||||||
lookup('keepass' <-- Aufruf Keepass-Lookup-Plugin
|
|
||||||
restic_repository_password <-- Titel Eintrag mit Secret
|
|
||||||
password <-- Feldbzeichner in KeepassDB
|
|
||||||
```
|
|