---
# Variable files for the "front" host: shared defaults, then the private
# overrides, then the membership roll (whichever candidate path is found first).
- name: Include public variables.
  include_vars:
    file: ../public/vars.yml
  tags:
    - accounts

- name: Include private variables.
  include_vars:
    file: ../private/vars.yml
  tags:
    - accounts

- name: Include members.
  include_vars:
    file: "{{ lookup('first_found', membership_rolls) }}"
  tags:
    - accounts
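# Host identity: the same domain name is written to both files so the
# hostname and the mail name agree; the handler applies the new hostname.
- name: Configure hostname.
  become: true
  copy:
    content: "{{ domain_name }}\n"
    dest: "{{ item }}"
  loop:
    - /etc/hostname
    - /etc/mailname
  notify: Update hostname.

# NOTE(review): "root" here is the root *group*, so the Ansible user gains
# read access to anything that is group-readable by root on this host.
# Kept as in the original; confirm this is intended rather than just "adm".
- name: Add {{ ansible_user }} to system groups.
  become: true
  user:
    name: "{{ ansible_user }}"
    # Add to the listed groups without dropping current memberships.
    append: true
    groups: root,adm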
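# SSH host keys are pre-generated under ../Secret so the host keeps a stable
# identity across rebuilds. Private keys are installed owner-only; the
# matching .pub files are world-readable.
- name: Install SSH host keys.
  become: true
  copy:
    src: ../Secret/ssh_front/etc/ssh/{{ item.name }}
    dest: /etc/ssh/{{ item.name }}
    mode: "{{ item.mode }}"
  loop:
    - name: ssh_host_ecdsa_key
      mode: "u=rw,g=,o="
    - name: ssh_host_ecdsa_key.pub
      mode: "u=rw,g=r,o=r"
    - name: ssh_host_ed25519_key
      mode: "u=rw,g=,o="
    - name: ssh_host_ed25519_key.pub
      mode: "u=rw,g=r,o=r"
    - name: ssh_host_rsa_key
      mode: "u=rw,g=,o="
    - name: ssh_host_rsa_key.pub
      mode: "u=rw,g=r,o=r"
  notify: Reload SSH server.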
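# "monkey" is a system account that the Core host reaches over SSH with the
# public key kept under ../Secret/ssh_monkey.
- name: Create monkey.
  become: true
  user:
    name: monkey
    system: true

- name: Authorize monkey@core.
  become: true
  vars:
    pubkeyfile: ../Secret/ssh_monkey/id_rsa.pub
  authorized_key:
    user: monkey
    key: "{{ lookup('file', pubkeyfile) }}"
    # Create ~monkey/.ssh with appropriate permissions if it is missing.
    manage_dir: true

- name: Add {{ ansible_user }} to monkey group.
  become: true
  user:
    name: "{{ ansible_user }}"
    # Add the group without dropping current memberships.
    append: true
    groups: monkey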
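# Module arguments in block form rather than "pkg=..." strings, per Ansible
# style; behaviour is unchanged.
- name: Install rsync.
  become: true
  apt:
    pkg: rsync

- name: Install basic software.
  become: true
  apt:
    pkg: unattended-upgrades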
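# Member accounts are driven by the "members" dictionary loaded above:
# current members get an account, everyone else is locked out.
- name: Create user accounts.
  become: true
  user:
    name: "{{ item }}"
    password: "{{ members[item].password_front }}"
    update_password: always
    home: /home/{{ item }}
  loop: "{{ usernames }}"
  when: members[item].status == 'current'
  # Keep the password value out of playbook output and logs
  # (this also hides the loop item names in the task output).
  no_log: true
  tags: accounts

# "!" is an invalid hash, which locks password authentication for the
# account; the user's SSH keys are removed by the next task.
- name: Disable former users.
  become: true
  user:
    name: "{{ item }}"
    password: "!"
  loop: "{{ usernames }}"
  when: members[item].status != 'current'
  tags: accounts

# Removes only the authorized_keys file; nothing else in the home directory
# is touched.
- name: Revoke former user authorized_keys.
  become: true
  file:
    path: /home/{{ item }}/.ssh/authorized_keys
    state: absent
  loop: "{{ usernames }}"
  when: members[item].status != 'current'
  tags: accounts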
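# The host's TLS certificate and private key, issued by the institute CA
# under ../Secret/CA. The key is installed owner-read-only.
- name: Install server certificate/key.
  become: true
  copy:
    src: ../Secret/CA/pki/{{ item.path }}.{{ item.typ }}
    dest: /etc/server.{{ item.typ }}
    mode: "{{ item.mode }}"
    # force: false means an existing /etc/server.* is never overwritten, so
    # a renewed certificate in ../Secret/CA is NOT deployed by this task.
    # NOTE(review): the OpenVPN copy of the same files later in this file
    # does not set force; confirm which behaviour is intended.
    force: false
  loop:
    - path: "issued/{{ domain_name }}"
      typ: crt
      mode: "u=r,g=r,o=r"
    - path: "private/{{ domain_name }}"
      typ: key
      mode: "u=r,g=,o="
  notify:
    - Restart Postfix.
    - Restart Dovecot.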
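- name: Install Postfix.
  become: true
  apt:
    pkg: postfix

# Each entry sets one main.cf parameter; the regexp matches an existing
# setting (optional leading spaces) so it is replaced rather than duplicated.
- name: Configure Postfix.
  become: true
  lineinfile:
    path: /etc/postfix/main.cf
    regexp: "^ *{{ item.p }} *="
    line: "{{ item.p }} = {{ item.v }}"
  loop:
    - p: smtpd_tls_cert_file
      v: /etc/server.crt
    - p: smtpd_tls_key_file
      v: /etc/server.key
    # Trusted clients: the public VPN plus IPv4/IPv6 loopback. Because of
    # permit_mynetworks below, these are the only clients allowed to relay.
    - p: mynetworks
      v: >-
        {{ public_vpn_net_cidr }}
        127.0.0.0/8
        [::ffff:127.0.0.0]/104
        [::1]/128
    - p: smtpd_recipient_restrictions
      v: >-
        permit_mynetworks
        reject_unauth_pipelining
        reject_unauth_destination
        reject_unknown_sender_domain
    - p: smtpd_relay_restrictions
      v: permit_mynetworks reject_unauth_destination
    # 100 MiB; quoted so it is templated as the literal digits.
    - p: message_size_limit
      v: "104857600"
    - p: delay_warning_time
      v: 1h
    - p: maximal_queue_lifetime
      v: 4h
    - p: bounce_queue_lifetime
      v: 4h
    - p: home_mailbox
      v: Maildir/
    # Applied to outgoing (SMTP client) mail; the table is installed below.
    - p: smtp_header_checks
      v: "regexp:/etc/postfix/header_checks.cf"
  notify: Restart Postfix.

# Strips Received and User-Agent headers from outgoing mail (see
# smtp_header_checks above), so internal hostnames and client software
# are not disclosed to recipients.
- name: Install Postfix header_checks.
  become: true
  copy:
    content: |
      /^Received:/ IGNORE
      /^User-Agent:/ IGNORE
    dest: /etc/postfix/header_checks.cf
  notify: Postmap header checks.

- name: Enable/Start Postfix.
  become: true
  systemd:
    service: postfix
    enabled: true
    state: started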
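# Role mailboxes are routed to root, root is forwarded to the Ansible user,
# and monkey's mail is relayed to the Core host over the private address.
# The block is kept between markers so the rest of /etc/aliases is untouched.
- name: Install institute email aliases.
  become: true
  blockinfile:
    block: |
      abuse: root
      webmaster: root
      admin: root
      monkey: monkey@{{ front_private_addr }}
      root: {{ ansible_user }}
    path: /etc/aliases
    marker: "# {mark} INSTITUTE MANAGED BLOCK"
  notify: New aliases.

- name: Install Dovecot IMAPd.
  become: true
  apt:
    pkg: dovecot-imapd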
# NOTE(review): the span below is garbled in this copy of the file and has
# been left as-is. The Dovecot "content" runs straight into what looks like
# an Apache vhost configuration ("Require all granted", "SSLEngine on", ...),
# and the Dovecot task's dest/notify, the Apache install task and every line
# containing "<...>" (e.g. "ssl_cert = <...", the VirtualHost/Directory tags)
# appear to have been dropped, presumably by tag-stripping during extraction.
# Restore this section from the original source before relying on it.
- name: Configure Dovecot IMAPd.
become: yes
copy:
content: |
protocols = imap
ssl = required
ssl_cert =
Require all granted
AllowOverride None
UserDir /home/www-users
Require all granted
AllowOverride None
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Redirect permanent / https://{{ domain_name }}/
SSLEngine on
SSLCertificateFile /etc/server.crt
SSLCertificateKeyFile /etc/server.key
IncludeOptional \
/etc/apache2/sites-available/{{ domain_name }}-vhost.conf
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite {{ [ 'ECDHE-ECDSA-AES128-GCM-SHA256',
'ECDHE-ECDSA-AES256-GCM-SHA384',
'ECDHE-ECDSA-AES128-SHA',
'ECDHE-ECDSA-AES256-SHA',
'ECDHE-ECDSA-AES128-SHA256',
'ECDHE-ECDSA-AES256-SHA384',
'ECDHE-RSA-AES128-GCM-SHA256',
'ECDHE-RSA-AES256-GCM-SHA384',
'ECDHE-RSA-AES128-SHA',
'ECDHE-RSA-AES256-SHA',
'ECDHE-RSA-AES128-SHA256',
'ECDHE-RSA-AES256-SHA384',
'DHE-RSA-AES128-GCM-SHA256',
'DHE-RSA-AES256-GCM-SHA384',
'DHE-RSA-AES128-SHA',
'DHE-RSA-AES256-SHA',
'DHE-RSA-AES128-SHA256',
'DHE-RSA-AES256-SHA256',
'!aNULL',
'!eNULL',
'!LOW',
'!3DES',
'!MD5',
'!EXP',
'!PSK',
'!SRP',
'!DSS',
'!RC4' ] |join(":") }}
dest: /etc/apache2/sites-available/{{ domain_name }}.conf
notify: Restart Apache2.
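# "creates" makes the command idempotent: it is skipped once the
# sites-enabled link exists.
- name: Enable web site.
  become: true
  command:
    cmd: a2ensite -q {{ domain_name }}
    creates: /etc/apache2/sites-enabled/{{ domain_name }}.conf
  notify: Restart Apache2.

- name: Enable/Start Apache2.
  become: true
  systemd:
    service: apache2
    enabled: true
    state: started

# Only the institute vhost should answer; remove the Debian defaults.
- name: Disable default vhosts.
  become: true
  file:
    path: /etc/apache2/sites-enabled/{{ item }}
    state: absent
  loop:
    - 000-default.conf
    - default-ssl.conf
  notify: Restart Apache2.

- name: Disable other-vhosts-access-log option.
  become: true
  file:
    path: /etc/apache2/conf-enabled/other-vhosts-access-log.conf
    state: absent
  notify: Restart Apache2.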
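# Per-member web space: /home/www-users/<user> is a symlink into the
# member's own Public/HTML directory, created for current members and
# removed for former ones.
- name: Create UserDir.
  become: true
  file:
    path: /home/www-users/
    state: directory

- name: Create UserDir links.
  become: true
  file:
    path: /home/www-users/{{ item }}
    src: /home/{{ item }}/Public/HTML
    state: link
    # Create the link even if Public/HTML does not exist yet, and replace
    # a plain file found at the link path.
    force: true
  loop: "{{ usernames }}"
  when: members[item].status == 'current'
  tags: accounts

- name: Disable former UserDir links.
  become: true
  file:
    path: /home/www-users/{{ item }}
    state: absent
  loop: "{{ usernames }}"
  when: members[item].status != 'current'
  tags: accounts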
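- name: Install OpenVPN.
  become: true
  apt:
    pkg: openvpn

# Required so the host can route between the VPN and the networks pushed
# to clients below.
- name: Enable IP forwarding.
  become: true
  sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    state: present

# Per-client configuration directory (client-config-dir in server.conf).
- name: Create OpenVPN client configuration directory.
  become: true
  file:
    path: /etc/openvpn/ccd
    state: directory
  notify: Restart OpenVPN.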
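# Tells the server that the private and campus networks are reachable via
# the "core" client.
- name: Install OpenVPN client configuration for Core.
  become: true
  copy:
    content: |
      iroute {{ private_net_and_mask }}
      iroute {{ campus_vpn_net_and_mask }}
    dest: /etc/openvpn/ccd/core
  notify: Restart OpenVPN.

# A per-client file containing "disable" stops that client from connecting
# even though its certificate may still validate.
- name: Disable former VPN clients.
  become: true
  copy:
    content: "disable\n"
    dest: /etc/openvpn/ccd/{{ item }}
  loop: "{{ revoked }}"
  tags: accounts

# Same CA-issued certificate/key as /etc/server.*, but a separate copy for
# OpenVPN. NOTE(review): unlike the /etc/server.* task this one has no
# "force: false", so it overwrites on every change; confirm intended.
- name: Install OpenVPN server certificate/key.
  become: true
  copy:
    src: ../Secret/CA/pki/{{ item.path }}.{{ item.typ }}
    dest: /etc/openvpn/server.{{ item.typ }}
    mode: "{{ item.mode }}"
  loop:
    - path: "issued/{{ domain_name }}"
      typ: crt
      mode: "u=r,g=r,o=r"
    - path: "private/{{ domain_name }}"
      typ: key
      mode: "u=r,g=,o="
  notify: Restart OpenVPN.

# DH parameters and the tls-auth key; both owner-read-only.
- name: Install OpenVPN secrets.
  become: true
  copy:
    src: ../Secret/{{ item.src }}
    dest: /etc/openvpn/{{ item.dest }}
    mode: "u=r,g=,o="
  loop:
    - src: front-dh2048.pem
      dest: dh2048.pem
    - src: front-ta.key
      dest: ta.key
  notify: Restart OpenVPN.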
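# Server configuration. Security-relevant settings as written: the daemon
# drops to nobody/nogroup after start (persist-key/persist-tun keep it
# working across restarts without privileges), AES-256-GCM with SHA256
# auth, and tls-auth with ta.key so the control channel is HMAC-protected.
# client-to-client allows VPN peers to reach each other directly.
- name: Configure OpenVPN.
  become: true
  copy:
    content: |
      server {{ public_vpn_net_and_mask }}
      client-config-dir /etc/openvpn/ccd
      route {{ private_net_and_mask }}
      route {{ campus_vpn_net_and_mask }}
      push "route {{ private_net_and_mask }}"
      push "route {{ campus_vpn_net_and_mask }}"
      dev-type tun
      dev ovpn
      topology subnet
      client-to-client
      keepalive 10 120
      push "dhcp-option DOMAIN {{ domain_priv }}"
      push "dhcp-option DNS {{ core_addr }}"
      user nobody
      group nogroup
      persist-key
      persist-tun
      cipher AES-256-GCM
      auth SHA256
      max-clients 20
      ifconfig-pool-persist ipp.txt
      status openvpn-status.log
      verb 3
      ca /usr/local/share/ca-certificates/{{ domain_name }}.crt
      cert server.crt
      key server.key
      dh dh2048.pem
      tls-auth ta.key 0
    dest: /etc/openvpn/server.conf
    mode: "u=r,g=r,o="
  notify: Restart OpenVPN.

- name: Enable/Start OpenVPN.
  become: true
  systemd:
    service: openvpn@server
    enabled: true
    state: started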
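- name: Install Kamailio.
  become: true
  apt:
    pkg: kamailio

- name: Create Kamailio/Systemd configuration drop.
  become: true
  file:
    path: /etc/systemd/system/kamailio.service.d
    state: directory

# Kamailio listens on the VPN address, so it must not start before the
# "ovpn" interface exists.
- name: Create Kamailio dependence on OpenVPN server.
  become: true
  copy:
    content: |
      [Unit]
      Requires=sys-devices-virtual-net-ovpn.device
      After=sys-devices-virtual-net-ovpn.device
    dest: /etc/systemd/system/kamailio.service.d/depend.conf
  notify: Reload Systemd.

# SIP is bound only to the front's private (VPN) address, not to any
# public interface.
- name: Configure Kamailio.
  become: true
  copy:
    content: |
      listen=udp:{{ front_private_addr }}:5060
    dest: /etc/kamailio/kamailio-local.cfg
  notify: Restart Kamailio.

- name: Enable/Start Kamailio.
  become: true
  systemd:
    service: kamailio
    enabled: true
    state: started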