Add 'installbox' configuration.

Andreas B. Mundt 2018-05-31 18:20:51 +03:00
commit 546dabd7aa
16 changed files with 323 additions and 0 deletions

installbox.yml Normal file

@ -0,0 +1,24 @@
---
# This playbook deploys the installbox on a minimal installation.
- name: apply configuration to the installbox
hosts: installboxes
remote_user: ansible
become: yes
vars:
hostname: installbox
di_dist: "stretch"
if_lan: "ens8"
if_wan: "{{ ansible_default_ipv4.interface }}"
ipaddr_lan: 192.168.0.10
dhcp_range: 192.168.0.50,192.168.0.150,2h
tftp_root: "/var/lib/tftpboot"
deb_mirror: "ftp-stud.hs-esslingen.de"
roles:
- up2date-debian
- two-interface-shorewall
- dhcp-dns-dnsmasq
- transparent-squid
- tftp-netboot-installer
- preseed-installer
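Review bot: `hostname: installbox` is declared but nothing visible consumes it; the /etc/hosts fixup (`regexp: '(127.0.1.1\s+)installbox'`) and the boot entry (`url=tftp://installbox`) both hardcode the literal, so changing the variable silently breaks name resolution for the preseed fetch. Either drop the variable or use `{{ hostname }}` in those two places. The role order also matters more than the list suggests: the squid role appends to `/etc/shorewall/rules`, which only exists after `two-interface-shorewall` has copied the example files, so keep that role ahead of `transparent-squid` and say so in the comment. Minor: `become: yes` should be `become: true`.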


@ -0,0 +1,3 @@
- name: restart dnsmasq
service: name=dnsmasq state=restarted enabled=yes
listen: "restart dnsmasq"
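Review bot: The handler uses the `key=value` argument-string form (`service: name=dnsmasq state=restarted enabled=yes`) while the tasks in this commit use block YAML for module arguments; for consistency and to avoid truthy-string surprises write `service:` / `name: dnsmasq` / `state: restarted` / `enabled: true`. Listen names are quoted here and in the squid handler but bare in the shorewall and netboot handlers; pick one form.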


@ -0,0 +1,10 @@
- name: install dns-firewall packages
apt:
name: dnsmasq
state: latest
- name: configure dnsmasq
template:
src: dnsmasq-transparent-proxy.j2
dest: /etc/dnsmasq.d/transparent-proxy
notify: "restart dnsmasq"
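Review bot: The template name and destination (`dnsmasq-transparent-proxy.j2` → `/etc/dnsmasq.d/transparent-proxy`) do not describe the content: the rendered file is the LAN DHCP scope (`interface=`, `dhcp-range=`) and has nothing to do with proxying, and the task name `install dns-firewall packages` is equally off. Rename to something like `dnsmasq-dhcp-lan.j2` / `/etc/dnsmasq.d/dhcp-lan` so an operator reading `/etc/dnsmasq.d` finds the DHCP configuration where they expect it. Separately, `state: latest` turns every play run into an unattended package upgrade; `state: present` is the usual choice when upgrades are already handled by the `up2date-debian` role.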


@ -0,0 +1,2 @@
interface={{ if_lan }}
dhcp-range={{ dhcp_range }}
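Review bot: As I read the dnsmasq defaults, `interface={{ if_lan }}` alone still binds the wildcard address and relies on dnsmasq discarding requests from other interfaces, so DHCP/DNS is reachable on the WAN address until the shorewall policy drops it. Adding `bind-dynamic` restricts the sockets to the LAN interface addresses themselves (and, unlike `bind-interfaces`, copes with the interface coming up after dnsmasq), which is a cheap second layer. Consider `domain-needed` and `bogus-priv` too so the installer clients' unqualified names and private-range reverse lookups are not forwarded upstream.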


@ -0,0 +1,27 @@
- name: make preseed directory available
file:
path: "{{ tftp_root }}/d-i/{{ di_dist }}"
state: directory
- name: provide preseed file
template:
src: preseed.cfg
dest: "{{ tftp_root }}/d-i/{{ di_dist }}"
- name: make installbox resolvable in /etc/hosts from LAN
replace:
dest: /etc/hosts
regexp: '(127.0.1.1\s+)installbox'
replace: '\1localhost\n{{ ipaddr_lan }} installbox'
- name: add auto boot entry to di-netboot-assistant
blockinfile:
dest: /etc/di-netboot-assistant/pxelinux.HEAD
insertbefore: EOF
block: |
LABEL quick
MENU LABEL Debian Installer ({{ di_dist }} ; amd64 + Preseed)
kernel ::/di-netboot-pkg/images/9/amd64/text/debian-installer/amd64/linux
append initrd=::/di-netboot-pkg/images/9/amd64/text/debian-installer/amd64/initrd.gz auto=true priority=critical url=tftp://installbox
TIMEOUT 100
notify: "rebuild di-netboot-assistant menu"
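Review bot: The boot entry hardcodes the Debian 9 image path (`::/di-netboot-pkg/images/9/amd64/...`) while the label and the preseed directory are driven by `di_dist: "stretch"`; the two must agree, because with `url=tftp://installbox` and no path d-i looks for `d-i/<codename>/preseed.cfg` for the codename of the installer it is running, so bumping `di_dist` alone leaves the menu booting the old kernel with an unreachable preseed. Derive the number from a variable next to `di_dist` (e.g. `di_release: "9"`) and use it in both the `kernel` and `append` lines. Kernel, initrd and preseed are all fetched unauthenticated over TFTP; anyone able to answer DHCP/TFTP on the LAN can substitute them, which is inherent to PXE but deserves a comment above the block. Minor: `dest` on the template task is a directory; spelling out `{{ tftp_root }}/d-i/{{ di_dist }}/preseed.cfg` avoids depending on the module appending the basename.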


@ -0,0 +1,37 @@
#### Preconfiguration file
## For more examples and comments:
## https://www.debian.org/releases/stable/example-preseed.txt
## To change default values:
#d-i foo/bar string value
#d-i foo/bar seen false
## Use this as boot parameter:
## DEBCONF_DEBUG=5
## Boot parameter locale?=de_DE
# Preseeding only locale sets language, country and locale:
d-i debian-installer/locale string de_DE
d-i keyboard-configuration/xkb-keymap select de
## Skip root account:
d-i passwd/root-login boolean false
### Apt setup
d-i apt-setup/non-free boolean true
d-i apt-setup/contrib boolean true
d-i mirror/http/mirror string {{ deb_mirror }}
### Ansible User
d-i passwd/user-fullname string Ansible User
d-i passwd/username string ansible
d-i passwd/user-password password insecure
d-i passwd/user-password-again password insecure
#d-i passwd/user-password-crypted password [crypt(3) hash]
### Package selection
tasksel tasksel/desktop multiselect standard openssh-server
tasksel tasksel/desktop seen false
# Individual additional packages to install
d-i pkgsel/include string firmware-linux
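Review bot: `d-i passwd/user-password password insecure` gives every installed host an `ansible` account with a well-known cleartext password, and this file lives under the TFTP root, so anyone on the LAN can read it; with `openssh-server` installed and root login disabled this is also the sudo-capable login the playbook itself uses (`remote_user: ansible`, `become: yes`). Replace it with `d-i passwd/user-password-crypted password {{ ansible_user_hash }}` (a SHA-512 crypt hash kept in an Ansible vault), or keep a throwaway password but add a `preseed/late_command` that installs an authorized key and locks the password, and have the first playbook task rotate or lock it regardless. `mirror/http/mirror` over plain HTTP is acceptable since apt verifies package signatures, but the documented key for a manual mirror is `mirror/http/hostname` (with `mirror/country string manual`), so verify this setting actually takes effect.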


@ -0,0 +1,3 @@
- name: rebuild di-netboot-assistant menu
command: di-netboot-assistant rebuild-menu
listen: rebuild di-netboot-assistant menu


@ -0,0 +1,28 @@
- name: install tftp-netboot-installer packages
apt:
name:
- di-netboot-assistant
- debian-installer-9-netboot-amd64
- name: bind mount images
mount:
name: "{{ tftp_root }}/di-netboot-pkg/"
src: /usr/lib/debian-installer/
fstype: none
opts: bind
# state: mounted BEGINN WORKAROUND
state: present
register: fstab
- name: Reload fstab
command: mount -a
when: fstab.changed
# https://github.com/ansible/ansible/issues/23487 END WORKAROUND
- name: configure dnsmasq
template:
src: dnsmasq-tftp-netboot-installer.j2
dest: /etc/dnsmasq.d/tftp-netboot-installer
notify:
- restart dnsmasq
- rebuild di-netboot-assistant menu
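Review bot: `debian-installer-9-netboot-amd64` hardcodes the release while the play's `di_dist` says `stretch` and the boot menu hardcodes `images/9/` separately; pull the number from one variable so the package, the bind-mounted image tree and the preseed directory move together. The bind mount exposes `/usr/lib/debian-installer/` under the TFTP root without `ro`; dnsmasq's TFTP is read-only, but `opts: bind,ro` costs nothing and documents the intent (recent util-linux applies the `ro` via an automatic remount — verify on stretch). The `mount -a` workaround is fine, but `command` is only idempotent here because of `when: fstab.changed`; a comment on that line saying so would stop someone "simplifying" it away.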


@ -0,0 +1,5 @@
enable-tftp
tftp-root={{ tftp_root }}
dhcp-boot=debian-installer/pxelinux.0
dhcp-match=set:efi-x86_64,option:client-arch,7
dhcp-boot=tag:efi-x86_64,debian-installer/bootnetx64.efi
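Review bot: `dhcp-match=set:efi-x86_64,option:client-arch,7` only tags clients announcing architecture type 7; RFC 4578 also defines type 9 for EFI x86-64 and some firmware sends it, so those machines fall through to `pxelinux.0`, which an EFI system cannot execute. Add `dhcp-match=set:efi-x86_64,option:client-arch,9` so both tags select `bootnetx64.efi`. Once `enable-tftp` is set everything under `{{ tftp_root }}` is readable by any LAN host, which is why the preseed dropped there must not carry real credentials.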


@ -0,0 +1,2 @@
^http:\/\/.+\/(.+\.deb) http://debian.mirrors.squid.internal/Archive-http/$1
^http:\/\/.+\/(.+\.udeb) http://debian.mirrors.squid.internal/Archive-http/$1
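Review bot: Both store-ID rewrites key the cache object on the file basename alone (`.+\/(.+\.deb)`), discarding host and path, so any HTTP fetch of a same-named `.deb` from any origin maps to the same cache entry. A LAN client can therefore pre-seed the cache for a given package filename from a server it controls; apt's Packages-file hash check should reject the poisoned object on other clients, so the effect is a denial of service rather than code execution, but the pattern is cheap to narrow. Anchor it on the archive layout, e.g. `^http:\/\/.+\/(pool\/.+\.deb) http://debian.mirrors.squid.internal/Archive-http/$1` and the same for `.udeb`, so only pool paths are merged.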


@ -0,0 +1,3 @@
- name: restart squid
service: name=squid state=restarted enabled=yes
listen: "restart squid"


@ -0,0 +1,62 @@
- name: install squid package
apt:
name: squid
state: latest
- name: configure squid extra lines
lineinfile:
dest: /etc/squid/squid.conf
line: "{{ item.line }}"
insertafter: "{{ item.insertafter }}"
with_items:
- { line: "acl localnet src 192.168.0.0/16", insertafter: "#acl localnet src 192.168.0.0/16" }
- { line: "http_access allow localnet", insertafter: "#http_access allow localnet" }
- { line: "http_port 3129 intercept", insertafter: "http_port 3128" }
- { line: "maximum_object_size_in_memory 10240 KB", insertafter: "# maximum_object_size_in_memory" }
- { line: "maximum_object_size 512 MB", insertafter: "# maximum_object_size" }
- { line: "cache_dir aufs /var/spool/squid 20000 16 256", insertafter: "#cache_dir ufs /var/spool/squid" }
notify: "restart squid"
- name: configure squid store IDs
blockinfile:
dest: /etc/squid/squid.conf
insertbefore: "TAG: store_miss"
block: |
store_id_program /usr/lib/squid/storeid_file_rewrite /etc/squid/store_id_regex.conf
store_id_bypass off
acl Ordinary http_status 200-299
send_hit deny !Ordinary
store_miss deny !Ordinary
marker: "# {mark} ANSIBLE MANAGED BLOCK store_id"
notify: "restart squid"
- name: provide store_id_regex.conf
copy:
src: store_id_regex.conf
dest: /etc/squid/store_id_regex.conf
notify: "restart squid"
- name: configure squid as package cache
blockinfile:
dest: /etc/squid/squid.conf
insertbefore: "# Add any of your own refresh_pattern entries above these."
block: |
# refresh pattern for debs and udebs
refresh_pattern deb$ 129600 100% 129600
refresh_pattern udeb$ 129600 100% 129600
refresh_pattern tar.gz$ 129600 100% 129600
refresh_pattern tar.xz$ 129600 100% 129600
refresh_pattern tar.bz2$ 129600 100% 129600
# always refresh Packages and Release files
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0
marker: "# {mark} ANSIBLE MANAGED BLOCK refresh_pattern"
notify: "restart squid"
- name: redirect www traffic in shorewall
lineinfile:
dest: /etc/shorewall/rules
line: "REDIRECT loc 3129 tcp www"
notify: "restart shorewall"
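Review bot: `acl localnet src 192.168.0.0/16` is far wider than the LAN this box serves (`ipaddr_lan: 192.168.0.10` with a 255.255.255.0 netmask in the interfaces template) and it also grants forward-proxy use on port 3128 to anything in that /16 that can reach the host; tighten it to the real prefix, `acl localnet src 192.168.0.0/24`, ideally from a shared `lan_net` variable that the dnsmasq range and interfaces template use too. `state: latest` on the squid install turns every play run into an unattended upgrade; `present` is safer. The last task appends `REDIRECT loc 3129 tcp www` to `/etc/shorewall/rules`, a file created by the `two-interface-shorewall` role, so this role silently depends on running after it — a comment on the task, or a `stat` pre-check that fails with a clear message, would make the ordering explicit.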


@ -0,0 +1,7 @@
- name: restart networking
service: name=networking state=restarted enabled=yes
listen: restart networking
- name: restart shorewall
service: name=shorewall state=restarted enabled=yes
listen: restart shorewall
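Review bot: `service: name=networking state=restarted` restarts the ifupdown `networking` unit on the remote host, which takes every configured interface down — including `if_wan`, the one the Ansible SSH session arrives on — and in my experience the restart is unreliable on stretch's systemd unit. Bringing up only the new interface (`command: ifup {{ if_lan }}`) is less disruptive, and either way the handler should carry a comment warning that it can drop the controlling connection. Style: the handlers use `key=value` strings while the tasks use block YAML; `state: restarted` / `enabled: true` keeps the file consistent.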


@ -0,0 +1,86 @@
- name: add if_lan with static address
template:
src: interfaces-static.j2
dest: /etc/network/interfaces.d/static
- name: make if_wan auto start
lineinfile:
dest: /etc/network/interfaces
line: "auto {{ if_wan }}"
insertbefore: "iface\\s+{{ if_wan }}\\s+inet\\s+dhcp"
notify: restart networking
- name: install shorewall packages
apt: name=shorewall state=latest
- name: copy shorewall configuration
command: cp {{ item }} /etc/shorewall/
args:
chdir: /usr/share/doc/shorewall/examples/two-interfaces/
creates: "/etc/shorewall/{{ item }}"
with_items:
- interfaces
- snat
- policy
- rules
- stoppedrules
- zones
notify: restart shorewall
- name: find files in /etc/shorewall/
find:
paths: /etc/shorewall/
use_regex: yes
pattern: '.+[^~]$'
contains: '.*(eth0|eth1).*'
register: find_result
notify: restart shorewall
- name: fix WAN interface name in shorewall configuration
replace:
dest: "{{ item.path }}"
regexp: 'eth0'
replace: "{{ if_wan }}"
backup: yes
with_items: "{{ find_result.files }}"
notify: restart shorewall
- name: fix LAN interface name in shorewall configuration
replace:
dest: "{{ item.path }}"
regexp: 'eth1'
replace: "{{ if_lan }}"
backup: yes
with_items: "{{ find_result.files }}"
notify: restart shorewall
- name: configure forwarding in shorewall.conf
replace:
dest: /etc/shorewall/shorewall.conf
regexp: 'IP_FORWARDING=Keep'
replace: 'IP_FORWARDING=Yes'
backup: yes
notify: restart shorewall
- name: configure shorewall policy
replace:
dest: /etc/shorewall/policy
regexp: 'loc(\s+)net(\s+)ACCEPT'
replace: 'loc\1all\2ACCEPT\n$FW\1all\2ACCEPT'
backup: yes
notify: restart shorewall
- name: configure shorewall rules
replace:
dest: /etc/shorewall/rules
regexp: '(SSH\(ACCEPT\)\s+)loc(\s+\$FW)'
replace: '\1all\2'
backup: yes
notify: restart shorewall
- name: enable shorewall in /etc/defaults/shorewall
replace:
dest: /etc/default/shorewall
regexp: 'startup=0'
replace: 'startup=1'
notify: restart shorewall
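Review bot: The rules rewrite (`regexp: '(SSH\(ACCEPT\)\s+)loc(\s+\$FW)'` → `\1all\2`) opens SSH to the firewall from every zone including `net` on `if_wan`, and the policy rewrite adds `$FW all ACCEPT` alongside `loc all ACCEPT`; combined with the preseed's well-known `ansible` password this exposes a password-authenticated sudo account to the WAN. Keep the example's `loc`-only SSH rule, or limit the net side to a management address (`SSH(ACCEPT) net:<management-address> $FW`), and only widen it once key-only authentication is in place. Two smaller points: `notify: restart shorewall` on the `find` task does nothing, since `find` never reports changed, and `command: cp` with `creates:` is better expressed as `copy` with `remote_src: true`, which is idempotent by content rather than by existence.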


@ -0,0 +1,5 @@
auto {{ if_lan }}
allow-hotplug {{ if_lan }}
iface {{ if_lan }} inet static
address {{ ipaddr_lan }}
netmask 255.255.255.0
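Review bot: `netmask 255.255.255.0` is hardcoded while the squid ACL installed by the same play uses `192.168.0.0/16`, so the proxy and the interface disagree about what "the LAN" is; put the prefix in one variable (e.g. `lan_net`) and render both from it. `auto` and `allow-hotplug` on the same stanza is harmless but unusual — `auto` alone is enough for a static interface that should come up at boot.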


@ -0,0 +1,19 @@
# Update lists and upgrade packages.
- name: update apt package lists
apt:
update_cache: yes
cache_valid_time: 86400
- name: upgrade packages
apt:
upgrade: dist
autoremove: yes
- name: install some packages
apt: name={{ item }} state=latest
with_items:
- etckeeper
#- name: clean apt package cache
# command: apt clean
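Review bot: `upgrade: dist` with `autoremove: yes` runs an unattended dist-upgrade on every play against a box that is the LAN's DHCP server, firewall and TFTP server, with no reboot handling and no hold list, so a dnsmasq or kernel update can land while a client install is in progress. Gate it behind a variable (`when: do_upgrade | default(false)`) or at least state the expectation in the comment above. Style: the `with_items` loop over a single package (`apt: name={{ item }} state=latest`) is the deprecated form — pass the list to `name:` in block YAML, and `autoremove: yes` should be `autoremove: true`.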