diff --git a/.gitmodules b/.gitmodules
index 89140586..59938208 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -31,3 +31,9 @@
 [submodule "roles/geerlingguy.dotfiles"]
 path = roles/geerlingguy.dotfiles
 url = https://github.com/geerlingguy/ansible-role-dotfiles
+[submodule "roles/geerlingguy.jenkins"]
+ path = roles/geerlingguy.jenkins
+ url = https://github.com/geerlingguy/ansible-role-jenkins
+[submodule "roles/geerlingguy.java"]
+ path = roles/geerlingguy.java
+ url = https://github.com/geerlingguy/ansible-role-java
diff --git a/ansible.cfg b/ansible.cfg
index a53c9f27..5581fb0d 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,9 +1,22 @@
 [defaults]
-inventory = ~/ansible
+inventory = ./inventory
 nocows = 1
 retry_files_enabled = False
-roles_path = ~/ansible/roles
-vault_password_file = ~/ansible/vault-pass.yml
+roles_path = ./roles
+
+#action_plugins = /usr/share/ansible/plugins/action
+#become_plugins = /usr/share/ansible/plugins/become
+#cache_plugins = /usr/share/ansible/plugins/cache
+#callback_plugins = /usr/share/ansible/plugins/callback
+#connection_plugins = /usr/share/ansible/plugins/connection
lookup_plugins = ./plugins/lookup
#inventory_plugins = /usr/share/ansible/plugins/inventory
+#vars_plugins = /usr/share/ansible/plugins/vars
+#filter_plugins = /usr/share/ansible/plugins/filter
+#test_plugins = /usr/share/ansible/plugins/test
+#terminal_plugins = /usr/share/ansible/plugins/terminal
+#strategy_plugins = /usr/share/ansible/plugins/strategy
+
 [inventory]
 [privilege_escalation]
diff --git a/group_vars/acng.yml b/group_vars/acng.yml
index 3836448d..a7a2df93 100644
--- a/group_vars/acng.yml
+++ b/group_vars/acng.yml
@@ -8,3 +8,6 @@
 - rule: allow
 to_port: 9999
 comment: 'acng'
+ ### mgrote.acng
+ acng_server_port: 9999
+ apt_cacher_ng_exthreshold: "60" #hebt Pakete 60 Tage auf
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 9ba317a9..522c8805 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
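Review bot: The `vault_password_file = ~/ansible/vault-pass.yml` line in the ansible.cfg hunk is removed and nothing in the repository replaces it, so the vault-encrypted `keepass_psw` in group_vars can only be decrypted if every operator knows to pass `--ask-vault-pass` or export `ANSIBLE_VAULT_PASSWORD_FILE` from outside the checkout. Keeping the vault password out of the repo is the right call, but the decision should be recorded next to the setting it replaces, e.g. `# vault password is deliberately not configured here: use --ask-vault-pass or ANSIBLE_VAULT_PASSWORD_FILE` under `[defaults]`. In this rendering `lookup_plugins = ./plugins/lookup` and the `#inventory_plugins` line appear without a `+` although the hunk header counts them as added; that looks like an extraction artefact rather than a problem with the commit, but `lookup_plugins` is what makes the `lookup('keepass', …)` calls elsewhere in this change resolve, so it is worth confirming it is in the committed file.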
@@ -66,13 +66,12 @@
 ### python3
 # https://docs.ansible.com/ansible/latest/reference_appendices/python_3_support.html
 ansible_python_interpreter: "/usr/bin/python3"
- ansible_ssh_private_key_file: /home/mg/ansible/id_rsa_ansible_user
 # Ansible Plugin Variablen
 ### Keepass
 # https://github.com/viczem/ansible-keepass
- # liegt unter /home/mg/ansible/.ansible/plugins/keepass.py
- keepass_dbx: "/home/mg/ansible/keepass_db.kdbx"
+ # liegt unter ./plugins/lookup/keepass.py
+ keepass_dbx: "./keepass_db.kdbx"
 keepass_psw: !vault |
 $ANSIBLE_VAULT;1.1;AES256
 62383737623066396239383336646164616537646630653964313532383130343533346561633039
diff --git a/group_vars/ansible.yml b/group_vars/ansible.yml
index f03558bd..0550bfe4 100644
--- a/group_vars/ansible.yml
+++ b/group_vars/ansible.yml
@@ -2,7 +2,6 @@
 ### geerlingguy.pip
 pip_package: python3-pip
 pip_install_packages:
- # Specify names and versions.
 - name: pykeepass
 - name: Jinja2
 - name: markupsafe
diff --git a/group_vars/jenkins.yml b/group_vars/jenkins.yml
new file mode 100644
index 00000000..3c676990
--- /dev/null
+++ b/group_vars/jenkins.yml
@@ -0,0 +1,30 @@
+---
+ ### geerlingguy.jenkins
+ jenkins_package_state: latest
+ jenkins_http_port: 8080
+ jenkins_admin_username: "{{ lookup('keepass', 'jenkins_admin_name', 'password') }}"
+ jenkins_admin_password: "{{ lookup('keepass', 'jenkins_admin_password', 'password') }}"
+# jenkins_plugins:
+# - name: ansible
+# - name: docker
+ jenkins_plugins_install_dependencies: true
+ jenkins_plugins_state: latest
+ jenkins_java_options: "-Djenkins.install.runSetupWizard=true"
+ ### geerlingguy.pip
+ pip_package: python3-pip
+ pip_install_packages:
+ - name: pykeepass
+ - name: Jinja2
+ - name: markupsafe
+ ### geerlingguy.ansible
+ ansible_install_method: pip
+ ansible_install_version_pip: '2.10'
+ ### oefenweb.ufw
+ ufw_rules:
+ - rule: allow
+ to_port: 22
+ protocol: tcp
+ comment: 'ssh'
+ - rule: allow
+ to_port: 8080
+ comment: 'jenkins'
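Review bot: The new `keepass_dbx: "./keepass_db.kdbx"` in group_vars/all.yml is resolved by the vendored lookup plugin with `os.path.realpath(os.path.expanduser(...))`, i.e. relative to the working directory of the `ansible-playbook` process, not to the inventory or playbook; the old value was absolute, so this change makes every lookup fail with a file-not-found error as soon as a playbook is started from another directory (a cron job, CI runner, or `playbooks/service/`). Anchoring it to the repository, `keepass_dbx: "{{ inventory_dir }}/keepass_db.kdbx"`, removes that dependency on the caller's cwd. The comment above it is in German (`# liegt unter ./plugins/lookup/keepass.py`); an English line such as `# lookup plugin lives in ./plugins/lookup/keepass.py; the database master password is keepass_psw below (vault-encrypted)` would also document that the vault password is now the single secret guarding the whole KeePass database, which is the practical consequence of committing the .kdbx next to it.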
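Review bot: In group_vars/jenkins.yml the ufw rule `- rule: allow` / `to_port: 8080` / `comment: 'jenkins'` opens the Jenkins UI to any source address and, unlike the ssh rule just above it, has no `protocol: tcp`, while `jenkins_http_port: 8080` serves plain HTTP, so the admin credentials fetched from KeePass on the `jenkins_admin_*` lines are sent in cleartext to whoever can reach the host. Restrict the rule to the administration network (the role's rule entries accept a source restriction such as `from_ip`) and add `protocol: tcp`, or terminate TLS in a reverse proxy and keep 8080 bound to localhost. `jenkins_package_state: latest` together with `jenkins_plugins_state: latest` means every playbook run may upgrade Jenkins and all plugins unpinned, so the test, staging and production hosts added to the inventory in this same commit will drift apart; pinning a version and promoting it through the environments keeps them reproducible. The username being read from the `'password'` attribute of the `jenkins_admin_name` entry looks intentional but is surprising enough to deserve a one-line comment.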
diff --git a/inventory b/inventory
index 8141c613..22e45b73 100644
--- a/inventory
+++ b/inventory
@@ -15,6 +15,11 @@ all:
 fileserver2.grote.lan:
 fileserver-staging.grote.lan:
 fileserver-test.grote.lan:
+ jenkins:
+ hosts:
+ jenkins.grote.lan:
+ jenkins-staging.grote.lan:
+ jenkins-test.grote.lan:
 dns:
 hosts:
 pi.hole:
@@ -53,20 +58,7 @@ all:
 # qmk:
 # hosts:
 # qmk.grote.lan:
-# ceph:
-# hosts:
-# ceph-1.grote.lan:
-# ceph-2.grote.lan:
-# ceph-3.grote.lan:
-# ceph-4.grote.lan:
-# ceph-5.grote.lan:
-# ceph-6.grote.lan:
-# ceph-7.grote.lan:
-# k8s:
-# hosts:
-# k8s-1.grote.lan:
-# k8s-2.grote.lan:
-# k8s-3.grote.lan:
+
 production:
@@ -79,6 +71,7 @@ all:
 ansible.grote.lan:
 docker.grote.lan:
 pve2.grote.lan:
+ jenkins.grote.lan:
 staging:
 hosts:
 wireguard-staging.grote.lan:
@@ -89,6 +82,7 @@ all:
 ansible-staging.grote.lan:
 docker-staging.grote.lan:
 pve-staging.grote.lan:
+ jenkins-staging.grote.lan:
 test:
 hosts:
 wireguard-test.grote.lan:
@@ -101,3 +95,4 @@ all:
 vm-test.grote.lan:
 lxc-test.grote.lan:
 pve-test.grote.lan:
+ jenkins-test.grote.lan:
diff --git a/keepass_db.kdbx b/keepass_db.kdbx
index a3894a87..639d0549 100644
Binary files a/keepass_db.kdbx and b/keepass_db.kdbx differ
diff --git a/playbooks/service/acng.yml b/playbooks/service/acng.yml
index 2765af03..2dc9134a 100644
--- a/playbooks/service/acng.yml
+++ b/playbooks/service/acng.yml
@@ -2,7 +2,3 @@
 - hosts: acng
 roles:
 - { role: mgrote.acng, tags: "acng" }
- vars:
- ### mgrote.acng
- acng_server_port: 9999
- apt_cacher_ng_exthreshold: "60" #hebt Pakete 60 Tage auf
diff --git a/playbooks/service/ansible.yml b/playbooks/service/ansible.yml
index b97700e9..1edb291a 100644
--- a/playbooks/service/ansible.yml
+++ b/playbooks/service/ansible.yml
@@ -3,4 +3,3 @@
 roles:
 - { role: geerlingguy.pip, tags: "pip", become: true }
 - { role: geerlingguy.ansible, tags: "ansible", become: true }
- - { role: mgrote.ansible, tags: "ansible-mg" }
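Review bot: `keepass_db.kdbx` is a tracked binary that changes in this commit (`Binary files a/keepass_db.kdbx and b/keepass_db.kdbx differ`), so every credential edit lands as a new blob and all earlier versions of the database remain recoverable from git history; rotating a secret inside KeePass therefore never removes the old value from anyone who has cloned or mirrored the repository. The database's only protection is its master password, which lives in the vault-encrypted `keepass_psw`, so read access to the repo plus the vault password is effectively the root secret for every host in the inventory. That trade-off is defensible for a personal homelab repo but should be written down, e.g. a line in the README such as `# keepass_db.kdbx is committed; treat the vault password and repository access as equivalent to the database itself`, and the repo must never become world-readable without first rewriting history.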
diff --git a/playbooks/service/jenkins.yml b/playbooks/service/jenkins.yml
new file mode 100644
index 00000000..c5cdb782
--- /dev/null
+++ b/playbooks/service/jenkins.yml
@@ -0,0 +1,7 @@
+---
+- hosts: jenkins
+ roles:
+ - { role: geerlingguy.pip, tags: "pip", become: true }
+ - { role: geerlingguy.ansible, tags: "ansible", become: true }
+ - { role: geerlingguy.java, tags: "java", become: true }
+ - { role: geerlingguy.jenkins, tags: "jenkins", become: true }
diff --git a/plugins/lookup/keepass.py b/plugins/lookup/keepass.py
new file mode 100644
index 00000000..c30e480b
--- /dev/null
+++ b/plugins/lookup/keepass.py
@@ -0,0 +1,119 @@
+# -*- coding: utf-8 -*-
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+try:
+ from __main__ import display
+except ImportError:
+ from ansible.utils.display import Display
+ display = Display()
+
+import os
+import json
+import socket
+import tempfile
+from pykeepass import PyKeePass
+from construct.core import ChecksumError
+from ansible.errors import AnsibleError
+from ansible.plugins.lookup import LookupBase
+
+
+DOCUMENTATION = """
+ lookup: keepass
+ author: Victor Zemtsov
+ version_added: '0.2'
+ short_description: fetch data from KeePass file
+ description:
+ - This lookup returns a value of a property of a KeePass entry
+ - which fetched by given path
+ options:
+ _terms:
+ description:
+ - first is a path to KeePass entry
+ - second is a property name of the entry, e.g. username or password
+ required: True
+ notes:
+ - https://github.com/viczem/ansible-keepass
+
+ example:
+ - "{{ lookup('keepass', 'path/to/entry', 'password') }}"
+"""
+
+
+class LookupModule(LookupBase):
+ keepass = None
+
+ def run(self, terms, variables=None, **kwargs):
+ if not terms or len(terms) < 2 or len(terms) > 3:
+ raise AnsibleError('Wrong request format')
+ entry_path = terms[0].strip('/')
+ entry_attr = terms[1]
+ enable_custom_attr = False
+
+ if len(terms) == 3:
+ enable_custom_attr = terms[2]
+
+ kp_dbx = variables.get('keepass_dbx', '')
+ kp_dbx = os.path.realpath(os.path.expanduser(kp_dbx))
+ if os.path.isfile(kp_dbx):
+ display.v(u"Keepass: database file %s" % kp_dbx)
+
+ kp_soc = "%s/ansible-keepass.sock" % tempfile.gettempdir()
+ if os.path.exists(kp_soc):
+ display.v(u"Keepass: fetch from socket")
+ return self._fetch_socket(kp_soc, entry_path, entry_attr)
+
+ kp_psw = variables.get('keepass_psw', '')
+ kp_key = variables.get('keepass_key')
+ display.v(u"Keepass: fetch from kdbx file")
+ return self._fetch_file(
+ kp_dbx, str(kp_psw), kp_key, entry_path, entry_attr, enable_custom_attr)
+
+ def _fetch_file(self, kp_dbx, kp_psw, kp_key, entry_path, entry_attr, enable_custom_attr):
+ if kp_key:
+ kp_key = os.path.realpath(os.path.expanduser(kp_key))
+ if os.path.isfile(kp_key):
+ display.vvv(u"Keepass: database keyfile: %s" % kp_key)
+
+ try:
+ if not LookupModule.keepass:
+ LookupModule.keepass = PyKeePass(kp_dbx, kp_psw, kp_key)
+ entry = LookupModule.keepass.\
+ find_entries_by_path(entry_path, first=True)
+ if entry is None:
+ raise AnsibleError(u"Entry '%s' is not found" % entry_path)
+ display.vv(
+ u"KeePass: attr: %s in path: %s" % (entry_attr, entry_path))
+ entry_val = None
+ if enable_custom_attr:
+ entry_val = entry.get_custom_property(entry_attr)
+ if entry_val is not None:
+ return [entry_val]
+ else:
+ raise AnsibleError(AttributeError(u"'No custom field property '%s'" % (entry_attr)))
+ else:
+ return [getattr(entry, entry_attr)]
+ except ChecksumError:
+ raise AnsibleError("Wrong password/keyfile {}".format(kp_dbx))
+ except (AttributeError, FileNotFoundError) as e:
+ raise AnsibleError(e)
+
+ def _fetch_socket(self, kp_soc, entry_path, entry_attr):
+ display.vvvv(u"KeePass: try to socket connect")
+ sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+ sock.connect(kp_soc)
+ display.vvvv(u"KeePass: connected")
+ sock.send(json.dumps({'attr': entry_attr, 'path': entry_path}).encode())
+ display.vv(u"KeePass: attr: %s in path: %s" % (entry_attr, entry_path))
+ try:
+ msg = json.loads(sock.recv(1024).decode())
+ except json.JSONDecodeError as e:
+ raise AnsibleError(str(e))
+ finally:
+ sock.close()
+ display.vvvv(u"KeePass: disconnected")
+
+ if msg['status'] == 'error':
+ raise AnsibleError(msg['text'])
+ return [msg['text']]
diff --git a/roles/geerlingguy.java b/roles/geerlingguy.java
new file mode 160000
index 00000000..2091e47c
--- /dev/null
+++ b/roles/geerlingguy.java
@@ -0,0 +1 @@
+Subproject commit 2091e47c2512415e9ccc84ba269a936e23cc9fc1
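Review bot: `run()` prefers the socket path whenever `"%s/ansible-keepass.sock" % tempfile.gettempdir()` exists, and `_fetch_socket` then trusts whatever listens there; that is a fixed name in a shared temp directory, so on a multi-user control host any local user who creates that socket first can answer every lookup with values of their choosing (and learn which entry paths are requested), silently pre-empting the `.kdbx` path the vault password protects. Before connecting, check that the socket belongs to the invoking user, e.g. `if os.stat(kp_soc).st_uid != os.getuid(): raise AnsibleError(u"KeePass: socket %s is not owned by the current user" % kp_soc)`, or at least document that the agent socket is only safe on a single-user host. The reply handling also relies on a single `sock.recv(1024)`, so an answer longer than that is truncated and reported as a JSON error, and `msg['status']` raises a bare KeyError if the agent replies with a different shape. Since this file is a vendored copy of viczem/ansible-keepass replacing the earlier unpinned download from `master`, a header comment recording the upstream commit it was taken from would make future updates and security fixes auditable.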
diff --git a/roles/geerlingguy.jenkins b/roles/geerlingguy.jenkins
new file mode 160000
index 00000000..43ce4e46
--- /dev/null
+++ b/roles/geerlingguy.jenkins
@@ -0,0 +1 @@
+Subproject commit 43ce4e4608030dd35fbeda0865d779a43e6d9cdb
diff --git a/roles/mgrote.ansible/README.md b/roles/mgrote.ansible/README.md
deleted file mode 100644
index da1f405a..00000000
--- a/roles/mgrote.ansible/README.md
+++ /dev/null
@@ -1,8 +0,0 @@
-## mgrote.ansible
-
-### Beschreibung
-Installiert ansible und konfiguriert es damit "cowsay" nicht benutzt wird.
-
-### Funktioniert auf
-- [x] Ubuntu (>=18.04)
-- [ ] Debian
diff --git a/roles/mgrote.ansible/defaults/main.yml b/roles/mgrote.ansible/defaults/main.yml
deleted file mode 100644
index e69de29b..00000000
diff --git a/roles/mgrote.ansible/handlers/main.yml b/roles/mgrote.ansible/handlers/main.yml
deleted file mode 100644
index e69de29b..00000000
diff --git a/roles/mgrote.ansible/meta/main.yml b/roles/mgrote.ansible/meta/main.yml
deleted file mode 100644
index 97888f33..00000000
--- a/roles/mgrote.ansible/meta/main.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-dependencies:
- - role: geerlingguy.pip
-galaxy_info:
- author: mgrote
- description: configures an ansible-host
- min_ansible_version: 2.0
- license: GPLv3
- platforms:
- - name: Ubuntu
- versions:
- - all
- galaxy_tags:
- - system
diff --git a/roles/mgrote.ansible/tasks/main.yml b/roles/mgrote.ansible/tasks/main.yml
deleted file mode 100644
index b1067204..00000000
--- a/roles/mgrote.ansible/tasks/main.yml
+++ /dev/null
@@ -1,14 +0,0 @@
- # pykeepass wird durch geerlingguy.pip mit installiert
- # https://github.com/viczem/ansible-keepass#readme
- - name: create ~/.ansible/plugins/lookup
- become: yes
- ansible.builtin.file:
- path: /home/mg/.ansible/plugins/lookup
- state: directory
-
- - name: Download keepass.py
- become: yes
- ansible.builtin.get_url:
- url: https://raw.githubusercontent.com/viczem/ansible-keepass/master/keepass.py
- dest: /home/mg/.ansible/plugins/lookup/keepass.py
- backup: yes