Browse Source
new file: .gitignore new file: ansible.cfg new file: lxd_host_playbook.yml new file: site_vars.yml new file: tasks/container_common.yml new file: tasks/dokuwiki.yml new file: templates/sshd_config.j2master
commit
acf40fd217
7 changed files with 296 additions and 0 deletions
@ -0,0 +1,47 @@
|
||||
--- |
||||
- name: top level playbook for lxd server provisioning |
||||
hosts: lxd_host |
||||
tasks: |
||||
- name: include variables |
||||
include_vars: |
||||
file: site_vars.yml |
||||
|
||||
# TODO: use template for lxd-init --preseed |
||||
- name: copy ssh pubkey from controller to lxd host |
||||
copy: |
||||
src: "{{ lookup('env', 'HOME') + '/.ssh/id_rsa.pub' }}" |
||||
dest: "{{ tmp_pubkey }}" |
||||
when: not debug_skip |
||||
|
||||
- include_tasks: tasks/container_common.yml |
||||
vars: |
||||
container_name: "{{ item.key }}" |
||||
container_sshd_port: "{{ item.value.sshd_port }}" |
||||
container_ip: "{{ item.value.ip }}" |
||||
tmp_sshd_config: "/tmp/sshd_config_{{ item.key }}" |
||||
with_items: "{{ containers | dict2items }}" |
||||
|
||||
# NOTE: do container specific provisioning |
||||
- import_tasks: tasks/dokuwiki.yml |
||||
vars: |
||||
doku_lxc_cmd: "{{ lxc_cmd }}" |
||||
when: not debug_skip |
||||
|
||||
# NOTE: do host routing last so we can can on no sudo pass |
||||
# TODO: add task for installing iptables & iptables-persistent on debian |
||||
# TODO: save rules after updating |
||||
- name: add DNAT rules for ssh to containers |
||||
iptables: |
||||
table: nat |
||||
chain: PREROUTING |
||||
in_interface: "{{ host_iface }}" |
||||
protocol: tcp |
||||
match: tcp |
||||
source: "{{ host_cidr }}" |
||||
jump: DNAT |
||||
destination_port: "{{ item.value.sshd_port }}" |
||||
to_destination: "{{ item.value.ip }}" |
||||
become: yes |
||||
when: not debug_skip |
||||
with_items: "{{ containers | dict2items }}" |
||||
|
||||
@ -0,0 +1,22 @@
|
||||
--- |
||||
debug_skip: False # NOTE: skip tasks when debugging |
||||
|
||||
img_server: https://images.linuxcontainers.org |
||||
alp_img_alias: alpine/edge/amd64 |
||||
lxc_cmd: /snap/bin/lxc |
||||
lxd_subnet_pfx: 10.98.46 |
||||
lxd_bridge: lxdbr0 |
||||
tmp_pubkey: /tmp/controller_key_rsa.pub |
||||
host_iface: enp2s0 |
||||
host_cidr: '192.168.11.0/24' |
||||
containers: |
||||
#- transmission |
||||
dokuwiki: |
||||
ip: "{{ lxd_subnet_pfx }}.100" |
||||
sshd_port: 2225 |
||||
freshrss: |
||||
ip: "{{ lxd_subnet_pfx }}.101" |
||||
sshd_port: 2226 |
||||
gitweb: |
||||
ip: "{{ lxd_subnet_pfx }}.102" |
||||
sshd_port: 2227 |
||||
@ -0,0 +1,67 @@
|
||||
--- |
||||
- name: "install container {{ container_name }}" |
||||
community.general.lxd_container: |
||||
name: "{{ container_name }}" |
||||
state: started |
||||
profiles: default |
||||
wait_for_ipv4_addresses: true |
||||
source: |
||||
type: image |
||||
mode: pull |
||||
server: "{{ img_server }}" |
||||
protocol: simplestreams |
||||
alias: "{{ alp_img_alias }}" |
||||
devices: |
||||
eth0: |
||||
type: nic |
||||
nictype: bridged |
||||
parent: "{{ lxd_bridge }}" |
||||
ipv4.address: "{{ container_ip }}" |
||||
when: not debug_skip |
||||
|
||||
- name: update container packages |
||||
command: "{{ lxc_cmd }} exec {{ container_name }} -- apk upgrade -U" |
||||
when: not debug_skip |
||||
|
||||
- name: install openssh, rsync, and shadow packages in containers |
||||
command: "{{ lxc_cmd }} exec {{ container_name }} -- apk add openssh rsync shadow" |
||||
when: not debug_skip |
||||
|
||||
- name: "copy container sshd_config for {{ container_name }} to lxd host" |
||||
template: |
||||
src: templates/sshd_config.j2 |
||||
dest: "{{ tmp_sshd_config }}" |
||||
when: not debug_skip |
||||
|
||||
- name: use lxc file push to get sshd_config into container |
||||
command: "{{ lxc_cmd }} file push {{ tmp_sshd_config}} \ |
||||
{{ container_name }}/etc/ssh/sshd_config" |
||||
when: not debug_skip |
||||
|
||||
- name: mkdir /root/.ssh in {{ container_name }} |
||||
command: "{{ lxc_cmd }} exec {{ container_name }} -- mkdir -p /root/.ssh" |
||||
when: not debug_skip |
||||
|
||||
- name: add controller public key to {{ container_name }} authorized keys |
||||
command: "{{ lxc_cmd }} file push {{ tmp_pubkey }} \ |
||||
{{ container_name }}/root/.ssh/authorized_keys \ |
||||
--gid 0 --uid 0 --mode 600" |
||||
when: not debug_skip |
||||
|
||||
- name: make hash of a random password |
||||
set_fact: |
||||
root_pass: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters') | password_hash('sha512') }}" |
||||
when: not debug_skip |
||||
|
||||
- name: "set password to unlock root account (NOTE: still using pubkey only)" |
||||
shell: '{{ lxc_cmd }} exec {{ container_name }} -- usermod -p {{ root_pass }} root' |
||||
when: not debug_skip |
||||
|
||||
- name: ensure sshd service is enabled |
||||
command: "{{ lxc_cmd }} exec {{ container_name }} -- rc-update add sshd" |
||||
when: not debug_skip |
||||
|
||||
- name: ensure sshd service is enabled |
||||
command: "{{ lxc_cmd }} exec {{ container_name }} -- rc-service sshd start" |
||||
when: not debug_skip |
||||
|
||||
@ -0,0 +1,36 @@
|
||||
--- |
||||
# NOTE: https://wiki.alpinelinux.org/wiki/DokuWiki |
||||
|
||||
- name: test task variables |
||||
debug: |
||||
var: doku_lxc_cmd |
||||
|
||||
- name: install packages |
||||
vars: |
||||
packages: |
||||
- lighttpd |
||||
- php7-common |
||||
- php7-session |
||||
- php7-iconv |
||||
- php7-json |
||||
- php7-gd |
||||
- php7-curl |
||||
- php7-xml |
||||
- php7-mysqli |
||||
- php7-imap |
||||
- php7-cgi |
||||
- php7-pdo |
||||
- php7-pdo_mysql |
||||
- php7-soap |
||||
- php7-xmlrpc |
||||
- php7-posix |
||||
- php7-mcrypt |
||||
- php7-gettext |
||||
- php7-ldap |
||||
- php7-ctype |
||||
- php7-dom |
||||
- fcgi |
||||
command: |
||||
"{{ lxc_cmd }} exec dokuwiki -- apk add {{ packages | join(' ') }}" |
||||
when: True |
||||
|
||||
@ -0,0 +1,117 @@
|
||||
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ |
||||
|
||||
# This is the sshd server system-wide configuration file. See |
||||
# sshd_config(5) for more information. |
||||
|
||||
# This sshd was compiled with PATH=/bin:/usr/bin:/sbin:/usr/sbin |
||||
|
||||
# The strategy used for options in the default sshd_config shipped with |
||||
# OpenSSH is to specify options with their default value where |
||||
# possible, but leave them commented. Uncommented options override the |
||||
# default value. |
||||
|
||||
Port {{ container_sshd_port }} |
||||
#AddressFamily any |
||||
#ListenAddress 0.0.0.0 |
||||
#ListenAddress :: |
||||
|
||||
#HostKey /etc/ssh/ssh_host_rsa_key |
||||
#HostKey /etc/ssh/ssh_host_ecdsa_key |
||||
#HostKey /etc/ssh/ssh_host_ed25519_key |
||||
|
||||
# Ciphers and keying |
||||
#RekeyLimit default none |
||||
|
||||
# Logging |
||||
#SyslogFacility AUTH |
||||
#LogLevel INFO |
||||
|
||||
# Authentication: |
||||
|
||||
#LoginGraceTime 2m |
||||
PermitRootLogin yes |
||||
#StrictModes yes |
||||
#MaxAuthTries 6 |
||||
#MaxSessions 10 |
||||
|
||||
#PubkeyAuthentication yes |
||||
|
||||
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 |
||||
# but this is overridden so installations will only check .ssh/authorized_keys |
||||
AuthorizedKeysFile .ssh/authorized_keys |
||||
|
||||
#AuthorizedPrincipalsFile none |
||||
|
||||
#AuthorizedKeysCommand none |
||||
#AuthorizedKeysCommandUser nobody |
||||
|
||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts |
||||
#HostbasedAuthentication no |
||||
# Change to yes if you don't trust ~/.ssh/known_hosts for |
||||
# HostbasedAuthentication |
||||
#IgnoreUserKnownHosts no |
||||
# Don't read the user's ~/.rhosts and ~/.shosts files |
||||
#IgnoreRhosts yes |
||||
|
||||
# To disable tunneled clear text passwords, change to no here! |
||||
PasswordAuthentication no |
||||
#PermitEmptyPasswords no |
||||
|
||||
# Change to no to disable s/key passwords |
||||
#ChallengeResponseAuthentication yes |
||||
|
||||
# Kerberos options |
||||
#KerberosAuthentication no |
||||
#KerberosOrLocalPasswd yes |
||||
#KerberosTicketCleanup yes |
||||
#KerberosGetAFSToken no |
||||
|
||||
# GSSAPI options |
||||
#GSSAPIAuthentication no |
||||
#GSSAPICleanupCredentials yes |
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing, |
||||
# and session processing. If this is enabled, PAM authentication will |
||||
# be allowed through the ChallengeResponseAuthentication and |
||||
# PasswordAuthentication. Depending on your PAM configuration, |
||||
# PAM authentication via ChallengeResponseAuthentication may bypass |
||||
# the setting of "PermitRootLogin without-password". |
||||
# If you just want the PAM account and session checks to run without |
||||
# PAM authentication, then enable this but set PasswordAuthentication |
||||
# and ChallengeResponseAuthentication to 'no'. |
||||
#UsePAM no |
||||
|
||||
#AllowAgentForwarding yes |
||||
# Feel free to re-enable these if your use case requires them. |
||||
AllowTcpForwarding no |
||||
GatewayPorts no |
||||
X11Forwarding no |
||||
#X11DisplayOffset 10 |
||||
#X11UseLocalhost yes |
||||
#PermitTTY yes |
||||
#PrintMotd yes |
||||
#PrintLastLog yes |
||||
#TCPKeepAlive yes |
||||
#PermitUserEnvironment no |
||||
#Compression delayed |
||||
#ClientAliveInterval 0 |
||||
#ClientAliveCountMax 3 |
||||
#UseDNS no |
||||
#PidFile /run/sshd.pid |
||||
#MaxStartups 10:30:100 |
||||
#PermitTunnel no |
||||
#ChrootDirectory none |
||||
#VersionAddendum none |
||||
|
||||
# no default banner path |
||||
#Banner none |
||||
|
||||
# override default of no subsystems |
||||
Subsystem sftp /usr/lib/ssh/sftp-server |
||||
|
||||
# Example of overriding settings on a per-user basis |
||||
#Match User anoncvs |
||||
# X11Forwarding no |
||||
# AllowTcpForwarding no |
||||
# PermitTTY no |
||||
# ForceCommand cvs server |
||||
Loading…
Reference in new issue