Merge pull request #41 from caktus/metal-roles

Add `email_forwarding`, `rsyslog_forwarding`, `smartd`, and `users` roles

.github/workflows/pre-commit.yml

@@ -9,8 +9,8 @@ jobs:
   pre-commit:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v1
-    - uses: actions/setup-python@v2
-      with:
-        python-version: '3.9'
-    - uses: pre-commit/[email protected]
+      - uses: actions/checkout@v1
+      - uses: actions/setup-python@v2
+        with:
+          python-version: "3.9"
+      - uses: pre-commit/[email protected]

.github/workflows/test.yml

@@ -12,8 +12,8 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v3
         with:
-          python-version: '3.9'
-          cache: 'pip'
+          python-version: "3.9"
+          cache: "pip"
       - name: Install dependencies
         run: pip install -r requirements.txt
       - name: Run tests

.pre-commit-config.yaml

@@ -1,19 +1,24 @@
 repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.1.0
+    hooks:
+      - id: check-yaml
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+      - id: check-added-large-files
+
   - repo: https://github.com/psf/black
     rev: 22.3.0
     hooks:
       - id: black
 
+  - repo: https://github.com/pre-commit/mirrors-prettier
+    rev: "v2.6.0"
+    hooks:
+      - id: prettier
+
   - repo: https://github.com/PyCQA/flake8
     rev: 4.0.1
     hooks:
       - id: flake8
         exclude: settings|migrations|tests
-
-  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.1.0
-    hooks:
-      - id: check-yaml
-      - id: end-of-file-fixer
-      - id: trailing-whitespace
-      - id: check-added-large-files

README.md

@@ -1,3 +1,136 @@
 # Ansible Collection - caktus.hosting_services
 
-Documentation for the collection.
+A collection of useful Ansible roles for managing virtual and physical servers
+
+We aim to support the following operating systems:
+
+- Ubuntu 20.04
+- Ubuntu 22.04
+
+## `hosting_services.email_forwarding`
+
+Forwards some or all mail via an external SMTP service such as SES, via the `Oefenweb.ansible-postfix` role.
+
+```yaml
+# playbook.yaml
+- hosts: all
+  become: yes
+  tags: email
+  roles:
+    - caktus.hosting_services.email_forwarding
+```
+
+```yaml
+# vars file
+email_forwarding_smtp_host: ...
+email_forwarding_smtp_user: AKI...
+email_forwarding_smtp_password: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  ...
+
+# Optionally send all mail for root to the configured address
+email_forwarding_root_destination: "[email protected]"
+
+# Optionally override the sender for all outgoing mail (not suitable if your
+# app already sets an acceptable and more desirable From address):
+email_forwarding_rewrite_sender: "yoursite+{{ inventory_hostname | replace('_', '-') }}@example.com"
+```
+
+Include required role in `requirements.yaml`:
+
+```yaml
+# requirements.yaml
+roles:
+  - name: oefenweb.postfix
+    src: https://github.com/Oefenweb/ansible-postfix
+```
+
+## `hosting_services.rsyslog_forwarding`
+
+Forwards logs to an external syslog server via rsyslog.
+
+```yaml
+# playbook.yaml
+- hosts: all
+  become: yes
+  tags: rsyslog
+  roles:
+    - caktus.hosting_services.rsyslog_forwarding
+```
+
+```yaml
+# vars file
+rsyslog_forwarding_endpoint: logsN.papertrailapp.com:NNNNN
+```
+
+## `hosting_services.smartd`
+
+Installs and runs smartd tests periodically on all attached devices that support it.
+
+```yaml
+# playbook.yaml
+- hosts: bare_metal
+  become: yes
+  tags: smartd
+  roles:
+    - caktus.hosting_services.smartd
+```
+
+```yaml
+# vars file
+
+# Define an admin email to receive notices from smartd:
+smartd_admin_email: [email protected]
+
+# Optionally override the smartd scan schedule. The default is to start a short self-test
+# every day between 3-4am, and a long self test Saturdays between 4-5am.
+smartd_scan_schedule: "(S/../.././03|L/../../6/04)"
+```
+
+## `hosting_services.statuscake_monitoring`
+
+Add docs here.
+
+## `hosting_services.users`
+
+Enables passwordless sudo for all managed users and includes the `weareinteractive.users` role to do the heavy lifting.
+
+```yaml
+# playbook.yaml
+- hosts: all
+  become: yes
+  tags: users
+  roles:
+    - caktus.hosting_services.users
+```
+
+```yaml
+# vars file
+# Remove default user. You might need to run your playbook initially with
+# "-u ubuntu -e users_remove=[]" until the final users are provisioned.
+users_remove:
+  - ubuntu
+
+# Users to provision on servers.
+# Find your ssh key with: `cat ~/.ssh/id_*.pub` (should be one line)
+# Optionally generate password via `mkpasswd -m sha-512 -R 2000000`
+users:
+  # in alphabetical order
+  - username: ...
+    password: $6$rounds=2000000$....
+    authorized_keys:
+      - ssh-ed25519 ...
+# You can optionally override the default groups and shell or disable
+# passwordless sudo, if needed:
+# users_groups: [adm, dialout, docker, sudo]
+# users_shell: /bin/bash
+# users_enable_passwordless_sudo: no
+```
+
+Include required role in `requirements.yaml`:
+
+```yaml
+# requirements.yaml
+roles:
+  - src: weareinteractive.users
+```

galaxy.yml

@@ -16,8 +16,7 @@ readme: README.md
 # A list of the collection's content authors. Can be just the name or in the format 'Full Name <email> (url)
 # @nicks:irc/im.site#channel'
 authors:
-- your name <[email protected]>
-
+  - your name <[email protected]>
 
 ### OPTIONAL but strongly recommended
 # A short summary description of the collection
@@ -26,11 +25,11 @@ description: your collection description
 # Either a single license or a list of licenses for content inside of a collection. Ansible Galaxy currently only
 # accepts L(SPDX,https://spdx.org/licenses/) licenses. This key is mutually exclusive with 'license_file'
 license:
-- MIT
+  - MIT
 
 # The path to the license file for the collection. This path is relative to the root of the collection. This key is
 # mutually exclusive with 'license'
-license_file: 'LICENSE'
+license_file: "LICENSE"
 
 # A list of tags you want to associate with the collection for indexing/searching. A tag name has the same character
 # requirements as 'namespace' and 'name'

roles/email_forwarding/defaults/main.yml

@@ -0,0 +1,14 @@
+# At minimum, you must provided credentials for SES (or another email provider):
+# email_forwarding_smtp_host: ""
+# email_forwarding_smtp_user: ""
+# email_forwarding_smtp_password: ""
+
+# Optionally set a destation for all root mail:
+# email_forwarding_root_destination: [email protected]
+
+# Optionally override the sender for all outgoing mail (not suitable if your
+# app already sets an acceptable and more desirable From address):
+# email_forwarding_rewrite_sender: "{{ inventory_hostname | replace('_', '-') }}@example.com"
+
+# Default sender to match against for sender rewrites (defaults to all mail):
+email_forwarding_rewrite_sender_regexp: "/.+/"

roles/email_forwarding/tasks/main.yml

@@ -0,0 +1,37 @@
+# Defaults from this role aren't passed to include_role, so use set_fact instead.
+# https://stackoverflow.com/a/65323791/166053
+
+- set_fact:
+    postfix_sasl_user: "{{ email_forwarding_smtp_user }}"
+  when: postfix_sasl_user is not defined
+
+- set_fact:
+    postfix_sasl_password: "{{ email_forwarding_smtp_password }}"
+  when: postfix_sasl_password is not defined
+
+- set_fact:
+    postfix_aliases:
+      - user: "root"
+        alias: "{{ email_forwarding_root_destination }}"
+  when: postfix_aliases is not defined and email_forwarding_root_destination is defined
+
+- set_fact:
+    postfix_relayhost: "{{ email_forwarding_smtp_host | default('email-smtp.us-east-1.amazonaws.com') }}"
+  when: postfix_relayhost is not defined
+
+- set_fact:
+    postfix_relaytls: true
+  when: postfix_relaytls is not defined
+
+- set_fact:
+    # Override the sender for all mail (not suitable if your
+    # app already sets an acceptable From address):
+    postfix_sender_canonical_maps_database_type: regexp
+    postfix_sender_canonical_maps:
+      - sender: "{{ email_forwarding_rewrite_sender_regexp }}"
+        rewrite: "{{ email_forwarding_rewrite_sender }}"
+  when: email_forwarding_rewrite_sender is defined
+
+- name: Include oefenweb.postfix role
+  include_role:
+    name: oefenweb.postfix

roles/rsyslog_forwarding/defaults/main.yml

@@ -0,0 +1,6 @@
+# This regular expression must match against the defined endpoint;
+# it is used by lineinfile for updating rsyslog.conf.
+# Override if needed.
+rsyslog_forwarding_regexp: papertrailapp
+# Define a papertrail_endpoint in your variables as follows:
+# rsyslog_forwarding_endpoint: "logsN.papertrailapp.com:NNNNN"

roles/rsyslog_forwarding/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: Restart rsyslog
+  ansible.builtin.service:
+    name: rsyslog
+    state: restarted

roles/rsyslog_forwarding/tasks/main.yml

@@ -0,0 +1,7 @@
+- name: Forward logs to remote syslog endpoint
+  ansible.builtin.lineinfile:
+    path: /etc/rsyslog.conf
+    regexp: "{{ rsyslog_forwarding_regexp }}"
+    line: "*.* @{{ rsyslog_forwarding_endpoint }}"
+  notify:
+    - Restart rsyslog

roles/smartd/defaults/main.yml

@@ -0,0 +1,5 @@
+# Smartd scan schedule. The default is to start a short self-test
+# every day between 3-4am, and a long self test Saturdays between 4-5am.
+smartd_scan_schedule: "(S/../.././03|L/../../6/04)"
+# Define an admin email in your local variables to receive notices from smartd:
+# smartd_admin_email: [email protected]

roles/smartd/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: Restart smartd
+  ansible.builtin.service:
+    name: smartd
+    state: restarted

roles/smartd/tasks/main.yml

@@ -0,0 +1,19 @@
+- name: Install packages
+  ansible.builtin.apt:
+    pkg:
+      - smartmontools
+
+- name: Configure smartmontools
+  lineinfile:
+    path: /etc/smartd.conf
+    state: present
+    regexp: "^DEVICESCAN"
+    line: >-
+      DEVICESCAN
+      -d removable
+      -n standby
+      {{ '-m ' + smartd_admin_email if smartd_admin_email is defined else '' }}
+      -M exec /usr/share/smartmontools/smartd-runner
+      -s {{ smartd_scan_schedule }}
+  notify:
+    - Restart smartd

roles/statuscake_monitoring/defaults/main.yml

@@ -23,7 +23,47 @@ statuscake_post_body: ""
 statuscake_post_raw: ""
 statuscake_regions: null
 statuscake_state: present
-statuscake_status_codes: ['204', '205', '206', '303', '400', '401', '403', '404', '405', '406', '408', '410', '413', '444', '429', '494', '495', '496', '499', '500', '501', '502', '503', '504', '505', '506', '507', '508', '509', '510', '511', '521', '522', '523', '524', '520', '598', '599']
+statuscake_status_codes:
+  [
+    "204",
+    "205",
+    "206",
+    "303",
+    "400",
+    "401",
+    "403",
+    "404",
+    "405",
+    "406",
+    "408",
+    "410",
+    "413",
+    "444",
+    "429",
+    "494",
+    "495",
+    "496",
+    "499",
+    "500",
+    "501",
+    "502",
+    "503",
+    "504",
+    "505",
+    "506",
+    "507",
+    "508",
+    "509",
+    "510",
+    "511",
+    "521",
+    "522",
+    "523",
+    "524",
+    "520",
+    "598",
+    "599",
+  ]
 statuscake_tags: null
 statuscake_test_type: HTTP
 statuscake_timeout: ""

roles/users/defaults/main.yml

@@ -0,0 +1,25 @@
+# Enable passwordless sudo by default
+users_enable_passwordless_sudo: yes
+# In your local variables file, you will need to define the users
+# to add and/or remove, and you may need to tweak other configuration
+# as well. Refer to the main role for further detail:
+# https://github.com/weareinteractive/ansible-users
+
+# Remove default user. You might need to run your playbook initially with
+# "-u ubuntu -e users_remove=[]" until the final users are provisioned.
+# users_remove:
+#   - ubuntu
+
+# Users to provision on servers.
+# Find your ssh key with: `cat ~/.ssh/id_*.pub` (should be one line)
+# Optionally generate password via `mkpasswd -m sha-512 -R 2000000`
+# users:
+#   # in alphabetical order
+#   - username: ...
+#     password: $6$rounds=2000000$....
+#     authorized_keys:
+#       - ssh-ed25519 ...
+
+# You can optionally override the default groups and shell, if needed:
+# users_groups: [adm, dialout, docker, sudo]
+# users_shell: /bin/bash