parent
935aca5ba2
commit
54431f3e1e
|
@ -3,10 +3,9 @@
|
||||||
A few simple roles / plays I've put together in learning how to use Ansible can be found under their corresponding directories.
|
A few simple roles / plays I've put together in learning how to use Ansible can be found under their corresponding directories.
|
||||||
|
|
||||||
Examples
|
Examples
|
||||||
- core.yml - Playbook example for using core configuration role
|
- `roles/` - A collection of custom ansible roles for various services
|
||||||
- docker.yml - Playbook example for using docker install role (Debian / Ubuntu)
|
- `plays/` - A collection of custom ansible plays for various uses
|
||||||
- hosts - Sample / partially default ansible hosts file
|
- `core.yml` - Playbook example for using core configuration role
|
||||||
- make-host.yml - Playbook example for using multiple roles together to create a new host
|
- `docker.yml` - Playbook example for using docker install role (Debian / Ubuntu)
|
||||||
- nginx.yml - Playbook example for using nginx role
|
- `make-host.yml` - Playbook example for using multiple roles together to create a new host
|
||||||
- fail2ban.yml - Playbook example for using fail2ban role
|
- `hosts` - Sample / partially default ansible hosts file
|
||||||
- postfix.yml - Playbook example for using postfix role
|
|
||||||
|
|
|
@ -1,6 +0,0 @@
|
||||||
---
|
|
||||||
- hosts: nginx-server
|
|
||||||
become: yes
|
|
||||||
roles:
|
|
||||||
- fail2ban
|
|
||||||
|
|
|
@ -1,13 +0,0 @@
|
||||||
---
|
|
||||||
- hosts: dev
|
|
||||||
become: yes
|
|
||||||
tasks:
|
|
||||||
- name: Backup Hexo files
|
|
||||||
archive:
|
|
||||||
path: /home/hexo/site
|
|
||||||
dest: /home/hexo/site.tgz
|
|
||||||
- name: Fetching backup files
|
|
||||||
fetch:
|
|
||||||
src: /home/hexo/site.tgz
|
|
||||||
dest: /home/someuser/backups/
|
|
||||||
flat: yes
|
|
|
@ -1,34 +0,0 @@
|
||||||
---
|
|
||||||
- name: Install Hexo static site generator
|
|
||||||
hosts: dev
|
|
||||||
become: yes
|
|
||||||
tasks:
|
|
||||||
- name: Update apt sources and install npm
|
|
||||||
apt:
|
|
||||||
name: npm
|
|
||||||
state: present
|
|
||||||
update_cache: yes
|
|
||||||
- name: Install hexo-cli
|
|
||||||
npm:
|
|
||||||
name: hexo-cli
|
|
||||||
global: yes
|
|
||||||
- name: Adding hexo user / administrator
|
|
||||||
user:
|
|
||||||
name: hexo
|
|
||||||
shell: /bin/bash
|
|
||||||
groups: sudo
|
|
||||||
uid: 1001
|
|
||||||
- name: Initialize site files
|
|
||||||
command:
|
|
||||||
chdir: /home/hexo/
|
|
||||||
cmd: hexo init site
|
|
||||||
- name: Install site packages
|
|
||||||
npm:
|
|
||||||
path: /home/hexo/site/
|
|
||||||
- name: Start server
|
|
||||||
command:
|
|
||||||
chdir: /home/hexo/site/
|
|
||||||
cmd: nohup hexo server &
|
|
||||||
async: 45
|
|
||||||
poll: 0
|
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
- hosts: dev
|
- hosts: dev
|
||||||
become: yes
|
become: yes
|
||||||
roles:
|
roles:
|
||||||
- shared
|
- core
|
||||||
- nginx
|
- nginx
|
||||||
- fail2ban
|
- fail2ban
|
||||||
- postfix
|
- postfix
|
||||||
|
|
|
@ -1,6 +0,0 @@
|
||||||
---
|
|
||||||
- hosts: nginx-server
|
|
||||||
become: yes
|
|
||||||
roles:
|
|
||||||
- nginx
|
|
||||||
|
|
|
@ -5,4 +5,3 @@ Playbooks
|
||||||
- bookstack-backup.yml - Playbook for taking a backup of BookStack
|
- bookstack-backup.yml - Playbook for taking a backup of BookStack
|
||||||
- hexo-backup.yml - Playbook for taking a backup of Hexo
|
- hexo-backup.yml - Playbook for taking a backup of Hexo
|
||||||
- hexo-install.yml - Playbook to install and deploy the Hexo site generator
|
- hexo-install.yml - Playbook to install and deploy the Hexo site generator
|
||||||
|
|
||||||
|
|
|
@ -1,6 +0,0 @@
|
||||||
---
|
|
||||||
- hosts: othergroup
|
|
||||||
become: yes
|
|
||||||
roles:
|
|
||||||
- postfix
|
|
||||||
|
|
|
@ -25,12 +25,13 @@ Git
|
||||||
SSH
|
SSH
|
||||||
- MOTD (Template, replacable, displayed on login.)
|
- MOTD (Template, replacable, displayed on login.)
|
||||||
- PAM (Template, replacable, authusers file to bypass)
|
- PAM (Template, replacable, authusers file to bypass)
|
||||||
|
- Yubikey authentication PAM module
|
||||||
- authusers (Add users to file to bypass PAM settings)
|
- authusers (Add users to file to bypass PAM settings)
|
||||||
|
|
||||||
Vim
|
Vim
|
||||||
- Install Vim
|
- Install Vim and customizable list of plugins
|
||||||
- Run https://github.com/shaunrd0/klips/blob/master/scripts/setup-vim.sh
|
|
||||||
|
|
||||||
|
Ranger
|
||||||
|
|
||||||
docker
|
docker
|
||||||
------------
|
------------
|
||||||
|
|
|
@ -1,31 +1,73 @@
|
||||||
Role Name
|
Fail2ban
|
||||||
=========
|
=========
|
||||||
|
|
||||||
A brief description of the role goes here.
|
An ansible role for installing fail2ban with basic configuration options
|
||||||
|
|
||||||
Requirements
|
|
||||||
------------
|
|
||||||
|
|
||||||
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
|
|
||||||
|
|
||||||
Role Variables
|
Role Variables
|
||||||
--------------
|
--------------
|
||||||
|
|
||||||
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
|
`packages: [fail2ban]`
|
||||||
|
* A list of packages to install on the server
|
||||||
|
|
||||||
|
`ssh_port: 22`
|
||||||
|
* The port SSH where is running on the remote server
|
||||||
|
|
||||||
|
`relay_host: "[sub.domain.com]:777"`
|
||||||
|
`sender_email: "senderemail@domain.com"`
|
||||||
|
* The relay to route mail through, and a corresponding email to send as
|
||||||
|
|
||||||
|
`email: "email@domain.com"`
|
||||||
|
* The email address to send alerts to when an IP is banned or jailed
|
||||||
|
|
||||||
|
`nginx_botsearch: "true"`
|
||||||
|
`nginx_http_auth: "true"`
|
||||||
|
`nginx_nobinary: "true"`
|
||||||
|
`nginx_nohome: "true"`
|
||||||
|
`nginx_noproxy: "true"`
|
||||||
|
`nginx_wplogin: "true"`
|
||||||
|
`nginx_noscan: "true"`
|
||||||
|
`nginx_noenv: "true"`
|
||||||
|
`nginx_noscript: "true"`
|
||||||
|
`sshd: "true"`
|
||||||
|
`sshd_badproto: "true"`
|
||||||
|
* Each of these variables are an existing fail2ban filter with a corresponding
|
||||||
|
bool to enable or disable them.
|
||||||
|
|
||||||
|
|
||||||
Dependencies
|
Dependencies
|
||||||
------------
|
------------
|
||||||
|
|
||||||
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
|
Requires that postfix is configured to send email alerts
|
||||||
|
on behalf of the `sender_email` address.
|
||||||
|
|
||||||
Example Playbook
|
Example Playbook
|
||||||
----------------
|
----------------
|
||||||
|
|
||||||
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
|
First, make sure all settings within `defaults/main.yml` are correct for your
|
||||||
|
server. All settings and their purposes are outline in the section above.
|
||||||
|
|
||||||
- hosts: servers
|
Create a new ansible play. You can name it whatever you want, but this
|
||||||
roles:
|
example play will simply be named `fail2ban.yml`.
|
||||||
- { role: username.rolename, x: 42 }
|
|
||||||
|
```yml
|
||||||
|
---
|
||||||
|
- hosts: testserver
|
||||||
|
become: yes
|
||||||
|
roles:
|
||||||
|
- fail2ban
|
||||||
|
```
|
||||||
|
|
||||||
|
Make sure the IP for `testserver` is correct in the `/etc/ansible/hosts` file -
|
||||||
|
```
|
||||||
|
[testserver]
|
||||||
|
123.123.123.123:22
|
||||||
|
```
|
||||||
|
|
||||||
|
Run the play!
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ansible-playbook fail2ban.yml
|
||||||
|
```
|
||||||
|
|
||||||
License
|
License
|
||||||
-------
|
-------
|
||||||
|
@ -35,4 +77,4 @@ BSD
|
||||||
Author Information
|
Author Information
|
||||||
------------------
|
------------------
|
||||||
|
|
||||||
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
|
Contact: shaunrd0@gmail.com | URL: www.shaunreed.com | GitHub: shaunrd0
|
||||||
|
|
|
@ -4,7 +4,8 @@
|
||||||
packages: [fail2ban]
|
packages: [fail2ban]
|
||||||
ssh_port: 22
|
ssh_port: 22
|
||||||
relay_host: "[sub.domain.com]:777"
|
relay_host: "[sub.domain.com]:777"
|
||||||
email: "email@domain.com"
|
sender_email: "senderemail@domain.com"
|
||||||
|
dest_email: "email@domain.com"
|
||||||
nginx_botsearch: "true"
|
nginx_botsearch: "true"
|
||||||
nginx_http_auth: "true"
|
nginx_http_auth: "true"
|
||||||
nginx_nobinary: "true"
|
nginx_nobinary: "true"
|
||||||
|
|
|
@ -54,7 +54,7 @@ __date_ambit = (?:\[\])
|
||||||
#
|
#
|
||||||
# [bsdverbose]? [hostname] [vserver tag] daemon_id spaces
|
# [bsdverbose]? [hostname] [vserver tag] daemon_id spaces
|
||||||
#
|
#
|
||||||
# This can be optional (for instance if we match named native log files)
|
# This can be optional (for getInstance if we match named native log files)
|
||||||
__prefix_line = %(__date_ambit)s?\s*(?:%(__bsd_syslog_verbose)s\s+)?(?:%(__hostname)s\s+)?(?:%(__kernel_prefix)s\s+)?(?:%(__vserver)s\s+)?(?:%(__daemon_combs_re)s\s+)?(?:%(__daemon_extra_re)s\s+)?
|
__prefix_line = %(__date_ambit)s?\s*(?:%(__bsd_syslog_verbose)s\s+)?(?:%(__hostname)s\s+)?(?:%(__kernel_prefix)s\s+)?(?:%(__vserver)s\s+)?(?:%(__daemon_combs_re)s\s+)?(?:%(__daemon_extra_re)s\s+)?
|
||||||
|
|
||||||
# PAM authentication mechanism check for failures, e.g.: pam_unix, pam_sss,
|
# PAM authentication mechanism check for failures, e.g.: pam_unix, pam_sss,
|
||||||
|
|
|
@ -31,7 +31,7 @@ __daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
|
||||||
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
|
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
|
||||||
|
|
||||||
# hostname daemon_id spaces
|
# hostname daemon_id spaces
|
||||||
# this can be optional (for instance if we match named native log files)
|
# this can be optional (for getInstance if we match named native log files)
|
||||||
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
|
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
|
||||||
|
|
||||||
prefregex = ^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>$
|
prefregex = ^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>$
|
||||||
|
|
|
@ -134,10 +134,10 @@ filter = %(__name__)s[mode=%(mode)s]
|
||||||
|
|
||||||
# Destination email address used solely for the interpolations in
|
# Destination email address used solely for the interpolations in
|
||||||
# jail.{conf,local,d/*} configuration files.
|
# jail.{conf,local,d/*} configuration files.
|
||||||
destemail = {{ email }}
|
destemail = {{ dest_email }}
|
||||||
|
|
||||||
# Sender email address used solely for some actions
|
# Sender email address used solely for some actions
|
||||||
sender = admin@bookstack
|
sender = {{ sender_email }}
|
||||||
|
|
||||||
# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
|
# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
|
||||||
# mailing. Change mta configuration parameter to mail if you want to
|
# mailing. Change mta configuration parameter to mail if you want to
|
||||||
|
|
Loading…
Reference in New Issue