Homework from NBaranov

student_files/02/NB_playbook.yml

@@ -0,0 +1,116 @@
+---
+
+- name: lesson 2  - homework 
+  hosts: all
+  become: true
+  become_user: root
+  vars:
+    sshgroup_name: sshusers
+    user:
+      login: deploy
+      password_hash:
+        "$6$NwI7op8FHR1VQta6$zuQXHtNtM/7SRQsf1./18WbBrHMq4mT88nWh67ThmlWcqyVX3F\
+        BTY9uj/07tR9ViDEvjg6/bh0y3mSjeDQYe3."
+      authorized_key:
+        "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr\
+        +kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6I\
+        edplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2\
+        hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZE\
+        nDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHln\
+        VYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key"
+      group: "{{ sshgroup_name }}"
+  tasks:
+    - name: sshusers group is presented
+      group:
+        name: "{{ sshgroup_name }}"
+        state: present
+
+    - name: Admin account {{ user.login }} is presented
+      user:
+        name: "{{ user.login }}"
+        groups: "{{ user.group }}"
+        shell: /bin/bash
+        update_password: always
+        password: "{{ user.password_hash }}"
+
+    - name: Admins {{ user.login }} can sudo without password
+      lineinfile:
+        dest: /etc/sudoers
+        state: present
+        line: "{{ user.login }} ALL=(ALL:ALL) NOPASSWD:ALL"
+
+    - name: Authorized key for {{ user.login }} user is presented
+      authorized_key:
+        user: "{{ user.login }}"
+        state: present
+        key: "{{ user.authorized_key }}"
+
+    - name: Software are installed
+      yum:
+        name:
+          - httpd
+          - git          
+        state: present
+
+    - name: by NBaranov ************* snmp daemon installation 
+      yum:
+        name:
+          - net-snmp
+          - net-snmp-utils
+        state: present
+
+    - name: by NBaranov *************  snmpd daemon configuration 
+      copy:
+        dest: /etc/snmp/snmpd.conf
+        content: |
+          syslocation Server Room
+          syscontact SysAdmin (devops@example.com)
+          rocommunity snmp_secret_rocommunity
+
+    - name: by NBaranov *************  snmp port opening
+      iptables:
+        chain: INPUT
+        protocol: udp
+        destination_port: 161
+        jump: ACCEPT
+
+    - name: by NBaranov *************   snmpd daemon starting
+      systemd:
+        name: snmpd
+        enabled: true
+        state: started
+        daemon_reload: true
+
+    - name: by NBaranov ************* validation sudo file
+      lineinfile:
+        dest: /etc/sudoers
+        state: present
+        line: "snmp ALL=(ALL:ALL) NOPASSWD:ALL"
+
+    - name: by NBaranov ************* certificate creation - not ready yet
+      openssl_certificate:
+        path: /etc/ssl/test-ansible.crt
+        csr_path: /etc/ssl/test-ansible.csr
+        provider: selfsigned
+
+
+    - name: Access via HTTP is allowed
+      iptables:
+        chain: INPUT
+        protocol: tcp
+        destination_port: '80'
+        ctstate: NEW
+        syn: match
+        jump: ACCEPT
+        comment: Accept new http   connections.
+
+    - name: Httpd is restarted
+      systemd:
+        name: httpd
+        enabled: true
+        state: started
+        daemon_reload: true
+
+    - name: Print message
+      debug:
+        msg: "Site locates at http://localhost:8080/"

student_files/02/inventory.ini

@@ -0,0 +1 @@
+asdasd

student_files/02/provision_me.yml

@@ -73,7 +73,7 @@
       systemd:
         name: httpd
         enabled: true
-        state: restarted
+        state: started
         daemon_reload: true
 
     - name: Print message

student_files/03/NB_provision_me.yml

@@ -0,0 +1,45 @@
+---
+
+- name: provision server
+  hosts: all
+  become: true
+  become_user: root
+  vars:
+    # added by NBaranov
+    community_string: my_secret_string
+
+    sshgroup_name: sshusers
+    iptables_allowed_ports:
+      - {protocol: tcp, port: 80}
+    user:
+      login: deploy
+      password_hash:
+        "$6$NwI7op8FHR1VQta6$zuQXHtNtM/7SRQsf1./18WbBrHMq4mT88nWh67ThmlWcqyVX3\
+        FBTY9uj/07tR9ViDEvjg6/bh0y3mSjeDQYe3."
+      authorized_key:
+        "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YV\
+        r+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv\
+        6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn\
+        5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0\
+        jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE9\
+        8OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key"
+  tasks:
+    - import_tasks: provision_1_users.yml
+    - import_tasks: provision_2_software.yml
+    - import_tasks: provision_config_snmp.yml
+#    - include_tasks: provision_config_ports.yml
+    - name: Apply iptables settings and override defult variable value
+      import_tasks: provision_3_iptables.yml
+      vars:
+        iptables_allowed_ports:
+          - {protocol: tcp, port: 180}
+          - {protocol: tcp, port: 1443}
+          - {protocol: udp, port: 1161}
+          # added by NBaranov
+          - {protocol: tcp, port: 443}
+          - {protocol: udp, port: 161}
+
+    - import_tasks: provision_4_site.yml
+    - name: Print message
+      debug:
+        msg: "Site locates at http://localhost:8080/"

student_files/03/inventory.ini

@@ -0,0 +1 @@
+asdasd

student_files/03/provision_config_snmp.yml

@@ -0,0 +1,15 @@
+---
+- name: install snmpd
+  yum:
+    name:
+      - net-snmp
+      - net-snmp-utils
+    state: present
+  when: ansible_distribution == 'CentOS'
+
+- name: configure snmpd
+  template:
+    src: snmpd.conf.j2
+    dest: "/etc/snmp/snmpd.conf"
+  become: yes    
+  when: ansible_distribution == 'CentOS'

student_files/03/templates/snmpd.conf.j2

@@ -0,0 +1,16 @@
+###############################################################################
+# System contact information
+#
+
+# It is also possible to set the sysContact and sysLocation system
+# variables through the snmpd.conf file:
+
+syslocation Unknown (edit /etc/snmp/snmpd.conf)
+syscontact Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
+
+####
+# First, map the community name "public" into a "security name"
+
+#       sec.name  source          community
+com2sec notConfigUser  default       {{ community_string }}
+

student_files/04/NB_provision_me.yml

@@ -0,0 +1,29 @@
+---
+
+- name: provision server
+  hosts: all
+  become: true
+  become_user: root
+  vars:
+    - snmpd_packages:
+      - net-snmp
+      - net-snmp-utils
+  roles:
+    - role: game2048
+      vars:
+        iptables_allowed_ports:
+          - {protocol: tcp, port: 80}
+          - {protocol: tcp, port: 443}
+          - {protocol: udp, port: 161}
+    - role: users
+
+    # added by NBaranov
+    - role: snmpd_role
+    - role: iptables_role
+
+        # use filter
+- debug:
+    msg: "{{ admins | users_without_hash }}"
+
+
+

student_files/04/example_plugins.yml

@@ -45,3 +45,7 @@
     - debug:
         msg: "{{ admins | users_without_email }}"
 
+    # use filter from NBaranov
+    - debug:
+        msg: "{{ admins | users_without_hash }}"
+

student_files/04/inventory.ini

@@ -0,0 +1 @@
+asdasd

student_files/04/roles/example_plugins/filter_plugins/users_without_hash.py

@@ -0,0 +1,13 @@
+#!/usr/bin/python
+class FilterModule(object):
+  def filters(self):
+    return {
+      'users_without_hash': self.a_users_without_hash
+    }
+
+  def a_users_without_hash(self, users_input):
+    users_output = []
+    for user in users_input:
+      if 'password_hash' not in user:
+        users_output.append(user['login'])
+    return users_output

student_files/04/roles/iptables_role/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+iptables_port_list:
+  - {protocol: tcp, port: 80}
+  - {protocol: udp, port: 161}

student_files/04/roles/iptables_role/library/iptables_reload_module.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+if iptables-restore /etc/sysconfig/iptables; then
+    JSON='{ "changed": true, "msg": "iptables is reloaded", "date": "%s" }'
+else
+    JSON='{ "changed": false, "msg": "iptables is not reloaded", "date": "%s" }'
+fi
+
+printf "$JSON" "$(date)"

student_files/04/roles/iptables_role/tasks/main.yml

@@ -0,0 +1,19 @@
+---
+- name: ports configure
+  iptables:
+    chain: INPUT
+    protocol: "{{ snmp_port.protocol }}"
+    destination_port: "{{ snmp_port.port }}"
+    jump: ACCEPT
+  register: port_change_result  
+  loop: "{{ iptables_port_list }}"
+  loop_control:
+    loop_var: snmp_port
+
+- name: Execute iptables test bash module
+  iptables_reload_module:
+  register: result_of_reload
+  when: port_change_result.changed
+
+- debug:
+    var: result_of_reload

student_files/04/roles/snmpd_role/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+snmpd_packages:
+  - net-snmp
+  - net-snmp-utils

student_files/04/roles/snmpd_role/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Installation snmpd
+  yum:
+    name: "{{ snmpd_packages }}"
+    state: present