From acf40fd21762d348b7b6de5c6975777321aa7be8 Mon Sep 17 00:00:00 2001 From: cinnaboot Date: Thu, 8 Apr 2021 20:33:13 -0400 Subject: [PATCH] Initial commit new file: .gitignore new file: ansible.cfg new file: lxd_host_playbook.yml new file: site_vars.yml new file: tasks/container_common.yml new file: tasks/dokuwiki.yml new file: templates/sshd_config.j2 --- .gitignore | 3 + ansible.cfg | 4 ++ lxd_host_playbook.yml | 47 +++++++++++++++ site_vars.yml | 22 +++++++ tasks/container_common.yml | 67 +++++++++++++++++++++ tasks/dokuwiki.yml | 36 ++++++++++++ templates/sshd_config.j2 | 117 +++++++++++++++++++++++++++++++++++++ 7 files changed, 296 insertions(+) create mode 100644 .gitignore create mode 100644 ansible.cfg create mode 100644 lxd_host_playbook.yml create mode 100644 site_vars.yml create mode 100644 tasks/container_common.yml create mode 100644 tasks/dokuwiki.yml create mode 100644 templates/sshd_config.j2 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..bd8a149 --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +inventory/ +data/ + diff --git a/ansible.cfg b/ansible.cfg new file mode 100644 index 0000000..8d4a8ed --- /dev/null +++ b/ansible.cfg @@ -0,0 +1,4 @@ + +[defaults] +inventory = inventory/hosts.yml + diff --git a/lxd_host_playbook.yml b/lxd_host_playbook.yml new file mode 100644 index 0000000..91dd760 --- /dev/null +++ b/lxd_host_playbook.yml @@ -0,0 +1,47 @@ +--- +- name: top level playbook for lxd server provisioning + hosts: lxd_host + tasks: + - name: include variables + include_vars: + file: site_vars.yml + + # TODO: use template for lxd-init --preseed + - name: copy ssh pubkey from controller to lxd host + copy: + src: "{{ lookup('env', 'HOME') + '/.ssh/id_rsa.pub' }}" + dest: "{{ tmp_pubkey }}" + when: not debug_skip + + - include_tasks: tasks/container_common.yml + vars: + container_name: "{{ item.key }}" + container_sshd_port: "{{ item.value.sshd_port }}" + container_ip: "{{ item.value.ip }}" + tmp_sshd_config: "/tmp/sshd_config_{{ item.key }}" + with_items: "{{ containers | dict2items }}" + + # NOTE: do container specific provisioning + - import_tasks: tasks/dokuwiki.yml + vars: + doku_lxc_cmd: "{{ lxc_cmd }}" + when: not debug_skip + + # NOTE: do host routing last so we can can on no sudo pass + # TODO: add task for installing iptables & iptables-persistent on debian + # TODO: save rules after updating + - name: add DNAT rules for ssh to containers + iptables: + table: nat + chain: PREROUTING + in_interface: "{{ host_iface }}" + protocol: tcp + match: tcp + source: "{{ host_cidr }}" + jump: DNAT + destination_port: "{{ item.value.sshd_port }}" + to_destination: "{{ item.value.ip }}" + become: yes + when: not debug_skip + with_items: "{{ containers | dict2items }}" + diff --git a/site_vars.yml b/site_vars.yml new file mode 100644 index 0000000..fd90407 --- /dev/null +++ b/site_vars.yml @@ -0,0 +1,22 @@ +--- +debug_skip: False # NOTE: skip tasks when debugging + +img_server: https://images.linuxcontainers.org +alp_img_alias: alpine/edge/amd64 +lxc_cmd: /snap/bin/lxc +lxd_subnet_pfx: 10.98.46 +lxd_bridge: lxdbr0 +tmp_pubkey: /tmp/controller_key_rsa.pub +host_iface: enp2s0 +host_cidr: '192.168.11.0/24' +containers: + #- transmission + dokuwiki: + ip: "{{ lxd_subnet_pfx }}.100" + sshd_port: 2225 + freshrss: + ip: "{{ lxd_subnet_pfx }}.101" + sshd_port: 2226 + gitweb: + ip: "{{ lxd_subnet_pfx }}.102" + sshd_port: 2227 diff --git a/tasks/container_common.yml b/tasks/container_common.yml new file mode 100644 index 0000000..837ddc4 --- /dev/null +++ b/tasks/container_common.yml @@ -0,0 +1,67 @@ +--- +- name: "install container {{ container_name }}" + community.general.lxd_container: + name: "{{ container_name }}" + state: started + profiles: default + wait_for_ipv4_addresses: true + source: + type: image + mode: pull + server: "{{ img_server }}" + protocol: simplestreams + alias: "{{ alp_img_alias }}" + devices: + eth0: + type: nic + nictype: bridged + parent: "{{ lxd_bridge }}" + ipv4.address: "{{ container_ip }}" + when: not debug_skip + +- name: update container packages + command: "{{ lxc_cmd }} exec {{ container_name }} -- apk upgrade -U" + when: not debug_skip + +- name: install openssh, rsync, and shadow packages in containers + command: "{{ lxc_cmd }} exec {{ container_name }} -- apk add openssh rsync shadow" + when: not debug_skip + +- name: "copy container sshd_config for {{ container_name }} to lxd host" + template: + src: templates/sshd_config.j2 + dest: "{{ tmp_sshd_config }}" + when: not debug_skip + +- name: use lxc file push to get sshd_config into container + command: "{{ lxc_cmd }} file push {{ tmp_sshd_config}} \ + {{ container_name }}/etc/ssh/sshd_config" + when: not debug_skip + +- name: mkdir /root/.ssh in {{ container_name }} + command: "{{ lxc_cmd }} exec {{ container_name }} -- mkdir -p /root/.ssh" + when: not debug_skip + +- name: add controller public key to {{ container_name }} authorized keys + command: "{{ lxc_cmd }} file push {{ tmp_pubkey }} \ + {{ container_name }}/root/.ssh/authorized_keys \ + --gid 0 --uid 0 --mode 600" + when: not debug_skip + +- name: make hash of a random password + set_fact: + root_pass: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters') | password_hash('sha512') }}" + when: not debug_skip + +- name: "set password to unlock root account (NOTE: still using pubkey only)" + shell: '{{ lxc_cmd }} exec {{ container_name }} -- usermod -p {{ root_pass }} root' + when: not debug_skip + +- name: ensure sshd service is enabled + command: "{{ lxc_cmd }} exec {{ container_name }} -- rc-update add sshd" + when: not debug_skip + +- name: ensure sshd service is enabled + command: "{{ lxc_cmd }} exec {{ container_name }} -- rc-service sshd start" + when: not debug_skip + diff --git a/tasks/dokuwiki.yml b/tasks/dokuwiki.yml new file mode 100644 index 0000000..93fb943 --- /dev/null +++ b/tasks/dokuwiki.yml @@ -0,0 +1,36 @@ +--- +# NOTE: https://wiki.alpinelinux.org/wiki/DokuWiki + +- name: test task variables + debug: + var: doku_lxc_cmd + +- name: install packages + vars: + packages: + - lighttpd + - php7-common + - php7-session + - php7-iconv + - php7-json + - php7-gd + - php7-curl + - php7-xml + - php7-mysqli + - php7-imap + - php7-cgi + - php7-pdo + - php7-pdo_mysql + - php7-soap + - php7-xmlrpc + - php7-posix + - php7-mcrypt + - php7-gettext + - php7-ldap + - php7-ctype + - php7-dom + - fcgi + command: + "{{ lxc_cmd }} exec dokuwiki -- apk add {{ packages | join(' ') }}" + when: True + diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2 new file mode 100644 index 0000000..fd03a18 --- /dev/null +++ b/templates/sshd_config.j2 @@ -0,0 +1,117 @@ +# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/bin:/usr/bin:/sbin:/usr/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +Port {{ container_sshd_port }} +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Ciphers and keying +#RekeyLimit default none + +# Logging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +PermitRootLogin yes +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +PasswordAuthentication no +#PermitEmptyPasswords no + +# Change to no to disable s/key passwords +#ChallengeResponseAuthentication yes + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +#UsePAM no + +#AllowAgentForwarding yes +# Feel free to re-enable these if your use case requires them. +AllowTcpForwarding no +GatewayPorts no +X11Forwarding no +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +#PrintMotd yes +#PrintLastLog yes +#TCPKeepAlive yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS no +#PidFile /run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# override default of no subsystems +Subsystem sftp /usr/lib/ssh/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server