Codechange: Reorganise playbook into an actually defined role that we…

… call before certbot/nginx
OpenTTD · Feb 27, 2021 · 4be0c5b · 4be0c5b
1 parent 6188c8d
commit 4be0c5b
Show file tree

Hide file tree

Showing 6 changed files with 171 additions and 161 deletions.
diff --git a/ansible/content-servers.yml b/ansible/content-servers.yml
@@ -2,152 +2,16 @@
   gather_facts: true
   become: true
 
-  pre_tasks:
-    # Unlikely to be necessary after upgrading to bullseye (needed to pull in python3-firewall)
-    - name: Add backports repo
-      apt_repository:
-        repo: deb http://deb.debian.org/debian {{ ansible_distribution_release }}-backports main
-        state: present
-        filename: backports
-
-    - name: Update apt
-      apt:
-        update_cache: true
-        cache_valid_time: 86400  # a day is plenty
-      changed_when: false
-
-    - name: Upgrade & cleanup apt
-      apt:
-        upgrade: safe
-        autoremove: true
-        autoclean: true
-
-    - name: Install apt https support & cron
-      apt:
-        name:
-          - apt-transport-https
-          - cron  # required for certbot
-        state: present
-
-    - name: Install firewalld & python bindings
-      apt:
-        name:  # required for ansible.posix.firewalld
-          - firewalld
-          - python3-firewall
-          - iptables  # Newer version fixes a bug in buster iptables
-        default_release: "{{ ansible_distribution_release }}-backports"
-        state: present
-
   roles:
+    - ovh  # Do this as early as possible to ensure ipv6 is configured and working
+    - standard-setup
     - geerlingguy.certbot
     - geerlingguy.nginx
 
   tasks:
-    - name: Flush handlers in case any configs have changed
+    - name: Force nginx handlers to run before testing nginx
       meta: flush_handlers
 
-    - name: Add users' ssh keys to the current account
-      authorized_key:
-        user: "{{ ansible_user }}"
-        key: "{{ item }}"
-      with_items: "{{ keys }}"
-
-    - name: Install some helpful utilities
-      apt:
-        name:
-          - bash-completion
-          - logrotate
-          - molly-guard
-          - rsync
-          - sshguard
-          - unattended-upgrades
-          - vim
-        state: present
-
-    - name: Disable cloud-init networking
-      copy:
-        dest: /etc/cloud/cloud.cfg.d/98-disable-network-config.cfg
-        content: "network: {config: disabled}\n"
-      notify:
-        restart networking
-
-    - name: Configure IPv6
-      template:
-        src: templates/60-ipv6.j2
-        dest: /etc/network/interfaces.d/60-ipv6
-      notify:
-        restart networking
-      when: ipv6_addr is defined
-
-    - name: Enable persistent systemd journal
-      lineinfile:
-        path: /etc/systemd/journald.conf
-        regexp: "^Storage="
-        line: "Storage=persistent"
-      notify:
-        restart journal
-
-    - name: Copy sshd config
-      copy:
-        src: files/sshd_config
-        dest: /etc/ssh/sshd_config
-      notify:
-        restart ssh
-
-    ######
-    # Firewall stuff
-    ######
-
-    - name: Configure firewalld.
-      lineinfile:
-        path: /etc/firewalld/firewalld.conf
-        regexp: "^FirewallBackend="
-        line: "FirewallBackend=nftables"
-      notify:
-        - restart firewalld
-
-    - name: Configure firewall rules
-      ansible.posix.firewalld:
-        permanent: true
-        state: enabled
-        port: "{{ item }}"
-      with_items:
-        - "22/tcp"
-        - "80/tcp"
-        - "443/tcp"
-        - "67/udp"   # dhcp
-        - "68/udp"   # dhcp
-        - "123/udp"  # ntp
-      notify:
-        - restart firewalld
-
-    - name: Create sshguard blacklist db directory
-      file:
-        path: /var/db/sshguard
-        state: directory
-
-    # Use firewalld backend
-    # Workaround https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928525
-    # Set persistent blacklist
-    - name: Configure sshguard
-      lineinfile:
-        path: /etc/sshguard/sshguard.conf
-        regexp: "{{ item.regexp }}"
-        line: "{{ item.line }}"
-      with_items:
-        - regexp: "^BACKEND="
-          line: 'BACKEND="/usr/lib/x86_64-linux-gnu/sshg-fw-firewalld"'
-        - regexp: "^LOGREADER="
-          line: 'LOGREADER="LANG=C /bin/journalctl -afb -p info -t sshd -n1 -o cat"'
-        - regexp: "^BLACKLIST_FILE="
-          line: 'BLACKLIST_FILE=100:/var/db/sshguard/blacklist.db'
-      notify:
-        - restart sshguard
-
-    - name: Flush handlers in case any configs have changed
-      meta: flush_handlers
-
-    # Put these last (and after a flush_handlers) so that pending firewall changes have been applied
     - name: Test HTTPS to health check endpoint
       uri:
         url: https://{{ inventory_hostname }}/healthz
@@ -165,25 +29,3 @@
         - http
         - https
       become: false
-
-  handlers:
-    - name: restart ssh
-      service:
-        name: ssh
-        state: restarted
-    - name: restart sshguard
-      service:
-        name: sshguard
-        state: restarted
-    - name: restart journal
-      service:
-        name: systemd-journald
-        state: restarted
-    - name: restart firewalld
-      service:
-        name: firewalld
-        state: restarted
-    - name: restart networking
-      service:
-        name: networking
-        state: restarted
diff --git a/ansible/group_vars/bananas_fileservers b/ansible/group_vars/bananas_fileservers
@@ -3,6 +3,7 @@ cache_timeout: "1y"  # Basically just as long as nginx runs for
 bananas_production_cdn: bananas.cdn.openttd.org
 bananas_staging_cdn: bananas.cdn.staging.openttd.org
 staging_hostname: "{{ inventory_hostname_short }}.cdn.staging.openttd.org"
+# End of our vars
 
 certbot_admin_email: info@openttd.org
 certbot_create_if_missing: true

diff --git a/ansible/roles/ovh/tasks/main.yml b/ansible/roles/ovh/tasks/main.yml
@@ -0,0 +1,17 @@
+- name: Disable cloud-init networking
+  copy:
+    dest: /etc/cloud/cloud.cfg.d/98-disable-network-config.cfg
+    content: "network: {config: disabled}\n"
+  notify:
+    restart networking
+
+- name: Configure IPv6
+  template:
+    src: templates/60-ipv6.j2
+    dest: /etc/network/interfaces.d/60-ipv6
+  notify:
+    restart networking
+  when: ipv6_addr is defined
+
+- name: Flush handlers to restart networking
+  meta: flush_handlers
diff --git a/ansible/roles/standard-setup/handlers/main.yml b/ansible/roles/standard-setup/handlers/main.yml
@@ -0,0 +1,24 @@
+- name: restart ssh
+  service:
+    name: ssh
+    state: restarted
+
+- name: restart sshguard
+  service:
+    name: sshguard
+    state: restarted
+
+- name: restart journal
+  service:
+    name: systemd-journald
+    state: restarted
+
+- name: restart firewalld
+  service:
+    name: firewalld
+    state: restarted
+
+- name: restart networking
+  service:
+    name: networking
+    state: restarted
diff --git a/ansible/roles/standard-setup/tasks/firewall.yml b/ansible/roles/standard-setup/tasks/firewall.yml
@@ -0,0 +1,66 @@
+- name: Install firewalld & python bindings
+  apt:
+    name:
+      - firewalld  # Required for ansible.posix.firewalld
+      - python3-firewall
+      - iptables   # Newer version fixes a bug in buster iptables
+      - sshguard   # Helpful at blocking ssh attacks
+    default_release: "{{ ansible_distribution_release }}-backports"
+    state: present
+
+- name: Configure firewalld
+  lineinfile:
+    path: /etc/firewalld/firewalld.conf
+    regexp: "^FirewallBackend="
+    line: "FirewallBackend=nftables"
+  notify:
+    - restart firewalld
+  register: firewalld_backend
+
+- name: Reboot to get new firewall configuration (notably iptables)
+  reboot:
+    search_paths:
+      - "/lib/molly-guard"
+      - "/usr/sbin"  # molly-guard might not have been installed yet
+  when: firewalld_backend.changed
+
+- name: Configure firewall rules
+  ansible.posix.firewalld:
+    permanent: true
+    state: enabled
+    port: "{{ item }}"
+  with_items:
+    - "22/tcp"
+    - "80/tcp"
+    - "443/tcp"
+    - "67/udp"   # dhcp
+    - "68/udp"   # dhcp
+    - "123/udp"  # ntp
+  notify:
+    - restart firewalld
+
+- name: Create sshguard blacklist db directory
+  file:
+    path: /var/db/sshguard
+    state: directory
+
+- name: Configure sshguard
+  lineinfile:
+    path: /etc/sshguard/sshguard.conf
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+  with_items:
+    # Use firewalld backend
+    - regexp: "^BACKEND="
+      line: 'BACKEND="/usr/lib/x86_64-linux-gnu/sshg-fw-firewalld"'
+    # Workaround https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928525
+    - regexp: "^LOGREADER="
+      line: 'LOGREADER="LANG=C /bin/journalctl -afb -p info -t sshd -n1 -o cat"'
+    # Set persistent blacklist
+    - regexp: "^BLACKLIST_FILE="
+      line: 'BLACKLIST_FILE=100:/var/db/sshguard/blacklist.db'
+  notify:
+    - restart sshguard
+
+- name: Flush handlers to reload firewall with new config
+  meta: flush_handlers
diff --git a/ansible/roles/standard-setup/tasks/main.yml b/ansible/roles/standard-setup/tasks/main.yml
@@ -0,0 +1,60 @@
+# Needed to pull in python3-firewall (buster only)
+- name: Add backports repo
+  apt_repository:
+    repo: deb http://deb.debian.org/debian {{ ansible_distribution_release }}-backports main
+    state: present
+    filename: backports
+
+- name: Update apt
+  apt:
+    update_cache: true
+    cache_valid_time: 86400  # a day is plenty
+  changed_when: false
+
+- name: Upgrade & cleanup apt
+  apt:
+    upgrade: safe
+    autoremove: true
+    autoclean: true
+
+- name: Install apt https support & cron
+  apt:
+    name:
+      - apt-transport-https
+      - cron  # required for certbot
+    state: present
+
+- name: Firewall setup
+  include: firewall.yml
+
+- name: Enable persistent systemd journal
+  lineinfile:
+    path: /etc/systemd/journald.conf
+    regexp: "^Storage="
+    line: "Storage=persistent"
+  notify:
+    restart journal
+
+- name: Add users' ssh keys to the current account
+  authorized_key:
+    user: "{{ ansible_user }}"
+    key: "{{ item }}"
+  with_items: "{{ keys }}"
+
+- name: Copy sshd config
+  copy:
+    src: files/sshd_config
+    dest: /etc/ssh/sshd_config
+  notify:
+    restart ssh
+
+- name: Install some helpful utilities
+  apt:
+    name:
+      - bash-completion
+      - logrotate
+      - molly-guard
+      - rsync
+      - unattended-upgrades
+      - vim
+    state: present