Refactor server roles into one that handles all OS physical or virtual

README.md

@@ -9,3 +9,62 @@ For example:
 Main ansible is ~/Code/ansible
 Clone this repo into ~/Code/ansible-shared
 ln -s ~/Code/ansible-shared ~/Code/ansible/playbooks/roles/shared
+
+
+# Requirements
+
+These shared roles are geared toward Debian 9 and 10 with a few compatible with Ubuntu.
+
+These shared roles assume a fresh stock Debian base with the main user being `toor`.
+
+
+# Snippets
+
+Quick helpers to remember common tasks
+
+
+```yaml
+# Copy profiles to /etc/profile.d/
+- include_tasks: ../../../functions/copy_etc-profile.d.yml
+
+# Copy scripts to /usr/local/bin
+- include_tasks: ../../../functions/copy_usr-local-bin.yml
+
+# Copy nginx.conf
+- name: Copying /etc/nginx/nginx.conf
+  copy:
+    src: nginx/nginx.conf
+    dest: /etc/nginx/nginx.conf
+    owner: root
+    group: root
+    mode: '0644'
+  notify: restart nginx
+
+# Install common apps for all debian machines
+- name: Installing Debian common applications
+  apt:
+    update_cache: yes
+    state: present
+    name:
+      - apt-transport-https
+      - openssh-server
+
+# Creat directory /etc/nginx
+- name: Create a directory if it does not exist
+  file:
+    path: /etc/nginx
+    state: directory
+    owner: toor
+    group: toor
+    mode: '0755'
+
+# Set chown toor:toor -R /etc/nginx
+- name: Applying ownership of /etc/nginx
+  file:
+    path: /etc/nginx
+    state: directory
+    recurse: yes
+    owner: toor
+    group: toor
+
+```

functions/user.yml

@@ -0,0 +1,96 @@
+---
+# HELP
+# If you want NO password, set password: '*'
+# If you just want a group with the same users name, and no others, use group: []
+# If you don't want a home directory use create_home: no
+
+# Optional
+# ssh_authorized: true|false (default true) - Adds users public key to authorized_keys on server
+# ssh_keys: true|false (default false) - Adds users public AND private key to server
+# create_home: yes|no (default yes) - Creates /home/user directory
+
+
+
+- name: Registering {{ user }} home directory variable
+  shell: >
+    getent passwd {{ user }} | cut -d: -f6
+  changed_when: false
+  register: user_home
+
+# Notice both group and user is {{id}}, so they are the same!
+- name: Creating group {{ user  }}
+  group:
+    name: '{{ user }}'
+    gid: '{{ id }}'
+
+- name: Creating user {{ user }}
+  user:
+    name: '{{ user }}'
+    uid: '{{ id }}'
+    comment: '{{ user }}'
+    group: '{{ user }}'
+    groups: '{{ group }}'
+    password: '{{ password }}'
+    update_password: always
+    create_home: '{{ create_home | default("yes")  }}'
+    shell: /bin/bash
+
+#- name: Setting user {{ user }} password
+  #user:
+    #password: '{{ password }}'
+  #when: password is defined
+
+- name: Adding users sudoers.d file
+  file:
+    path: '/etc/sudoers.d/{{ user }}'
+    state: touch
+    mode: "0640" #-rw-r-----
+  when: '"sudo" in group'
+
+- name: Setting user to nopasswd sudo access
+  lineinfile:
+    path: '/etc/sudoers.d/{{ user }}'
+    line: '{{ user }}  ALL=(ALL)  NOPASSWD:ALL'
+  when: '"sudo" in group'
+
+# Authorize users SSH keys
+# NOTE, when: ssh_authorize|bool == true
+# IS working, BUT even if ssh_authorize = false the
+# with_file: still errors if 'keys/{{ user }}.key.pub' does NOT exists
+# So you have to create at least a blank users/keys/user.key.pub file
+- name: Authorizing SSH keys for {{ user }}
+  authorized_key:
+    user: '{{ user }}'
+    key: '{{ item }}'
+  with_file:
+    - 'keys/{{ user }}.key.pub'
+  when: ssh_authorize|default(true)|bool
+
+# Create users ~/.ssh directory
+- name: Creating {{ user }} ~/.ssh directory
+  file:
+    path: '{{ "~" + user | expanduser }}/.ssh'
+    state: directory
+  when: ssh_keys|default(false)|bool
+
+# Create users public key
+- name: Copying {{ user }} SSH public key
+  copy:
+    src: 'keys/{{ user }}.key.pub'
+    #dest: '{{ user_home }}/.ssh/id_rsa.pub'
+    dest: '{{ "~" + user | expanduser }}/.ssh/id_rsa.pub'
+    owner: '{{ user }}'
+    group: '{{ user }}'
+    mode: 0644
+  when: ssh_keys|default(false)|bool
+
+# Create users private key
+- name: Copying {{ user }} SSH private key
+  copy:
+    src: '../../../vault/{{ user }}.key'
+    #dest: '{{ user_home }}/.ssh/id_rsa'
+    dest: '{{ "~" + user | expanduser }}/.ssh/id_rsa'
+    owner: '{{ user }}'
+    group: '{{ user }}'
+    mode: 0600
+  when: ssh_keys|default(false)|bool

functions/user_authorize.yml

@@ -0,0 +1,8 @@
+---
+# Authorize this key to this users ~/.ssh/authorized_keys file
+- name: Adding {{ authorize }} to {{ user }} user ~/.ssh/authorized_keys file
+  authorized_key:
+    user: '{{ user }}'
+    key: '{{ item }}'
+  with_file:
+    - 'keys/{{ authorize }}.key.pub'

server/bash-profile/tasks/main.yml

@@ -1,31 +0,0 @@
----
-# Copy profiles to /etc/profile.d/
-- include_tasks: ../../../functions/copy_etc-profile.d.yml
-
-# Copy scripts to /usr/local/bin
-- include_tasks: ../../../functions/copy_usr-local-bin.yml
-
-# Rsync /etc/vim
-- name: Synchronizing /etc/vim
-  synchronize:
-    src: files/vim/vim
-    dest: /etc/
-    delete: yes
-    group: no
-    owner: no
-    rsync_opts:
-      - "--exclude=.git"
-
-- name: Sed /etc/vim/vimrc
-  replace:
-    path: /etc/vim/vimrc
-    regexp: '~/.vim/plugged'
-    replace: '/etc/vim/plugged'
-
-- name: Symlink /usr/share/vim/vimfiles
-  file:
-    src: /etc/vim
-    dest: /usr/share/vim/vimfiles
-    owner: root
-    group: root
-    state: link

server/debian/tasks/main.yml

@@ -1,4 +0,0 @@
----
-# Install and Configure Debian
-- include_tasks: install.yml
-- include_tasks: configure.yml

server/files/bin/purgefiles.py

@@ -0,0 +1,31 @@
+"""Clean old files"""
+
+__author__ = "Matthew Reschke <mail@mreschke.com>"
+__license__ = "MIT"
+
+import os
+import sys
+import subprocess
+
+
+# Usage
+# Create another file, example /usr/local/bin/clean-system.py
+# from purgefiles import purge
+# purge('/store/logs', 540)
+
+
+def purge(path, older_than_days, file_filter='*', max_depth=999, include_folders=False):
+    del_cmd = 'rm -rfv'
+    typestr = '-type f'
+    if include_folders: typestr = ''
+    #_cmd('find ' + path + ' -maxdepth ' + str(max_depth) + ' -iname "' + file_filter + '" ' + typestr + ' -mtime +' + str(older_than_days) + ' -exec ' + del_cmd + ' {} \; | tee -a ' + log)
+    _cmd('find ' + path + ' -maxdepth ' + str(max_depth) + ' -iname "' + file_filter + '" ' + typestr + ' -mtime +' + str(older_than_days) + ' -exec ' + del_cmd + ' {} \;')
+
+def _cmd(run, capture_output=False):
+    # Run the cmd
+    if capture_output:
+        proc = subprocess.Popen(run, universal_newlines=True, executable='bash', shell=True, stdout=subprocess.PIPE).stdout
+        return proc.read().strip()
+    else:
+        run = "bash -c '" + run + "'"
+        os.system(run)

server/files/profile.d/bash_prompt.sh

@@ -0,0 +1,97 @@
+#!/usr/bin/env bash
+
+# Custom prompt
+# mReschke 2019-04-10
+
+# At first these colors did not contain the \[ and \] which caused bash prompt mess up on long lines as it was miscounting the length of the line. See https://unix.stackexchange.com/questions/389008/bash-messed-up-display-for-long-lines
+DEFAULT="\[\033[0;0m\]"
+BLUE="\[\033[0;34m\]"
+GREEN="\[\033[0;32m\]"
+CYAN="\[\033[0;36m\]"
+RED="\[\033[0;31m\]"
+PURPLE="\[\033[0;35m\]"
+BROWN="\[\033[0;33m\]"
+GRAY="\[\033[0;37m\]"
+
+DARKGRAY="\[\033[1;30m\]"
+LIGHTBLUE="\[\033[1;34m\]"
+LIGHTGREEN="\[\033[1;32m\]"
+LIGHTCYAN="\[\033[1;36m\]"
+LIGHTRED="\[\033[1;31m\]"
+LIGHTPURPLE="\[\033[1;35m\]"
+YELLOW="\[\033[1;33m\]"
+WHITE="\[\033[1;37m\]"
+
+GIT_PS1_SHOWDIRTYSTATE=1
+GIT_PS1_SHOWSTASHSTATE=1
+GIT_PS1_SHOWUNTRACKEDFILES=1
+GIT_PS1_SHOWCOLORHINTS=
+GIT_PS1_DESCRIBE_STYLE="branch"
+GIT_PS1_SHOWUPSTREAM="auto git"
+
+date="${CYAN}\D{%Y-%m-%d} ${LIGHTCYAN}\t"
+user="${LIGHTPURPLE}\u${DARKGRAY}@${PURPLE}\h"
+path="${DARKGRAY}in ${GREEN}\w"
+#prompt1="${DARKGRAY}o"
+#prompt1="${DARKGRAY}ooo"
+#prompt1="${RED}o${GREEN}o${BLUE}o"
+#prompt1="${DARKGRAY}o${GREEN}O${DARKGRAY}o"
+#prompt1="${DARKGRAY}o${GREEN}O${DARKGRAY}o"
+prompt1="${GREEN}o${DARKGRAY}o${GREEN}o"
+#prompt1="${RED}o${DARKGRAY}-${GREEN}o${DARKGRAY}-${BLUE}o"
+#prompt2="${BROWN} \\$ ${GREEN}→ ${DEFAULT}" # Not all terms understand this arrow
+prompt2="${BROWN} \\$ ${DEFAULT}"
+git="${LIGHTGREEN}"
+
+# PS1 vs PROMPT_COMMAND?
+# PS1 is a string like MyPrompt> While PROMPT_COMMAND is evaulated using bash
+# In this case __git_ps1 is a bash function and all the stuff inside the "" are its parameters
+# It places the actual (master) prompt AFTER the "".  This is why you see "stuff" "more stuff", the space
+# in between the quoted strings is where the (master) git prompt goes
+
+# No, hostname -f requires DNS connection, breaks bash if no internet, slow
+#PROMPT_COMMAND='__git_ps1 "\n'${TITLEBAR}$DARK_BLUE'\u'$DEFAULT'@'$CYAN'$(hostname -f) '$BROWN'\w\n'$RED'CAUTION: mReschke Production!'$GREEN'" " '$CYAN'"\\\$"'$GREEN' → '$DEFAULT'"'
+#PROMPT_COMMAND='__git_ps1 "\n'${TITLEBAR}$DARK_BLUE'\u'$DEFAULT'@'$CYAN'$(hostname) '$BROWN'\w\n'$RED'mreschke.net production!'$GREEN'" " '$CYAN'"\\\$"'$GREEN' → '$DEFAULT'"'
+#PROMPT_COMMAND='__git_ps1 "\n'$date' '$user' in '$path'\n'$prompt'" "'$DEFAULT'"'
+PROMPT_COMMAND="__git_ps1 '\n$date $user $path\n$prompt1$git' '$prompt2'"
+
+
+# If you do just PS1 and no prompt_command, toor does not get a prompt
+# maybe because PS1 is overwritten elsewhere down the chain?  Prompt_comman is not, so it works for all
+#export PS1=$date' '$user' in '$path'\n'$prompt' $(__git_ps1 " (%s)") '
+#export PS1=$date' '$user' in '$path'\n'$git' '$prompt
+
+PS1=""
+PS2='continue-> '
+PS4='$0.$LINENO+ '
+
+
+#  The full list comes from reading man bash, at the section PROMPTING:
+# ---------------------------------------------------------------------
+#   \a     an ASCII bell character (07)
+#   \d     the date in "Weekday Month Date" format (e.g., "Tue May 26")
+#   \D{format} the format is passed to strftime(3) and the result is inserted into the prompt string; an empty format results in a locale-specific time representation.  The braces are required
+#   \e     an ASCII escape character (033)
+#   \h     the hostname up to the first `.'
+#   \H     the hostname
+#   \j     the number of jobs currently managed by the shell
+#   \l     the basename of the shell's terminal device name
+#   \n     newline
+#   \r     carriage return
+#   \s     the name of the shell, the basename of $0 (the portion following the final slash)
+#   \t     the current time in 24-hour HH:MM:SS format
+#   \T     the current time in 12-hour HH:MM:SS format
+#   \@     the current time in 12-hour am/pm format
+#   \A     the current time in 24-hour HH:MM format
+#   \u     the username of the current user
+#   \v     the version of bash (e.g., 2.00)
+#   \V     the release of bash, version + patch level (e.g., 2.00.0)
+#   \w     the current working directory, with $HOME abbreviated with a tilde (uses the value of the PROMPT_DIRTRIM variable)
+#   \W     the basename of the current working directory, with $HOME abbreviated with a tilde
+#   \!     the history number of this command
+#   \#     the command number of this command
+#   \$     if the effective UID is 0, a #, otherwise a $
+#   \nnn   the character corresponding to the octal number nnn
+#   \\     a backslash
+#   \[     begin a sequence of non-printing characters, which could be used to embed a terminal control sequence into the prompt
+#   \]     end a sequence of non-printing characters

server/tasks/agnostic/main.yml

@@ -1,4 +1,39 @@
 ---
+# ------------------------------------------------------------------------------
+# These tasks run for ALL servers be it Debian, CentOS, Virtual or Physical
+# ------------------------------------------------------------------------------
+
+# Copy profiles to /etc/profile.d/
+- include_tasks: ../../../../functions/copy_etc-profile.d.yml
+
+# Copy scripts to /usr/local/bin
+- include_tasks: ../../../../functions/copy_usr-local-bin.yml
+
+# Rsync /etc/vim
+- name: Synchronizing /etc/vim
+  synchronize:
+    src: vim/vim
+    dest: /etc/
+    delete: yes
+    group: no
+    owner: no
+    rsync_opts:
+      - "--exclude=.git"
+
+- name: Sed /etc/vim/vimrc
+  replace:
+    path: /etc/vim/vimrc
+    regexp: '~/.vim/plugged'
+    replace: '/etc/vim/plugged'
+
+- name: Symlink /usr/share/vim/vimfiles
+  file:
+    src: /etc/vim
+    dest: /usr/share/vim/vimfiles
+    owner: root
+    group: root
+    state: link
+
 # Increase number of TCP connections per port (debian default 128)
 - name: Increasing number of TCP connections per port /etc/sysctl.conf net.core.somaxconn = 4096
   sysctl:

server/tasks/debian/all.yml

@@ -1,36 +1,29 @@
 ---
+# ------------------------------------------------------------------------------
+# These tasks run for any Debian/Ubuntu server (physical or virtual)
+# ------------------------------------------------------------------------------
+
 # Copy Debian 9 sources.list
 - name: Copying Debian 9 apt/sources.list
-  copy: src=debian9/sources.list dest=/etc/apt/sources.list
+  copy: src=debian/9/sources.list dest=/etc/apt/sources.list
   when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9"
 
 # Copy Debian 10 sources.list
 - name: Copying Debian 10 apt/sources.list
-  copy: src=debian10/sources.list dest=/etc/apt/sources.list
+  copy: src=debian/10/sources.list dest=/etc/apt/sources.list
   when: ansible_os_family == "Debian" and ansible_distribution_major_version == "10"
 
   # Copy Ubuntu 16.04 sources.list
 - name: Copying Ubuntu 16.04 apt/sources.list
-  copy: src=ubuntu1604/sources.list dest=/etc/apt/sources.list
+  copy: src=ubuntu/16.04/sources.list dest=/etc/apt/sources.list
   when: ansible_distribution == "Ubuntu" and ansible_distribution_version == "16.04"
 
 # Ignore apt translations
 - name: Ignoring apt tranlations
-  copy: src=99translations dest=/etc/apt/apt.conf.d/99translations
-
-# ??? hum, I don't want dotdeb on my debian 8 controller
-# may have ZERO debian 8 except for physical, so maybe don't do this generically
-# Many packages we install for Debian8 require dotdeb, so just install it generically
-#- name: Adding Debian8 dotdeb sources
-#  apt_repository: repo='deb http://packages.dotdeb.org jessie all' state=present
-#  when: ansible_os_family == "Debian" and ansible_distribution_major_version == "8"
-
-#- name: Addding Debian8 dotdeb GPG key
-#  apt_key: url='https://www.dotdeb.org/dotdeb.gpg' state=present
-#  when: ansible_os_family == "Debian" and ansible_distribution_major_version == "8"
+  copy: src=debian/99translations dest=/etc/apt/apt.conf.d/99translations
 
 # Install common apps for all debian machines
-- name: Installing Debian common applications
+- name: Installing common Debian/Ubuntu applications
   apt:
     update_cache: yes
     state: present
@@ -62,46 +55,3 @@
       - dos2unix            # Convert dos line endings to unix and visa versa
       - acl                 # I customize directories often with ACL
       - dnsutils            # Dig command and other dns commands
-
-# Install PHP by default, unless explicitly ignored with - { role: server/debian, include_php: false }
-- name: Installing PHP 7 cli
-  apt:
-    update_cache: yes
-    state: present
-    name: php-cli
-  when: include_php|default(true)|bool
-
-
-
-      #    - nfs-kernel-server
-      #    - samba
-      #    - cifs-utils
-      #    - libnet-ssleay-perl
-      #    - libio-socket-ssl-perl
-      #    - libxrender1
-      #    - supervisor
-
-      # Were generic here, then commented out, careful
-      # - dos2unix
-      # - nfs-common
-      # - entr
-
-# libnet and libio are for sendEmail
-# libxrender1 is for wkhtmltopdf
-# python git dos2unix
-
-
-# other:
-# unattended-upgrades https://wiki.debian.org/UnattendedUpgrades
-# -- sending emails about updates...
-# log monitoring, security etc... maybe a new role
-
-
-#- name: Installing Debian8 applications
-#  apt: name={{ item }} update_cache=yes state=present
-#  with_items:
-
-#- name: Installing Debian 9 applications
-#  apt: name={{ item }} update_cache=yes state=present
-#  with_items:
-#  when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9"

server/tasks/debian/main.yml

@@ -0,0 +1,20 @@
+---
+# Debian Server
+# ------------------------------------------------------------------------------
+- name: Configuring debian/ubuntu server
+  include_tasks: all.yml
+
+# Physical Debian Server
+# ------------------------------------------------------------------------------
+- name: Configuring physical debian/ubuntu server
+  include_tasks: physical.yml
+  when: type == 'physical'
+
+
+# Virtual Debian Server
+# ------------------------------------------------------------------------------
+# Currently NO virtual specific debian customizations
+#- name: Configuring virtual debian/ubuntu server
+#  include_tasks: virtual.yml
+#  when: type == 'virtual'
+

server/tasks/debian/physical.yml

@@ -1,6 +1,10 @@
 ---
-# Assuming physical servers are Debian
-- name: Installing physical server applications
+# ------------------------------------------------------------------------------
+# These tasks run for physical Debian/Ubuntu servers
+# ------------------------------------------------------------------------------
+
+# Physical Debian/Ubuntu Server
+- name: Installing physical Debian/Ubuntu server applications
   apt:
     update_cache: yes
     state: present

server/tasks/main.yml

@@ -0,0 +1,12 @@
+---
+# Any server (OS agnostic)
+# ------------------------------------------------------------------------------
+- name: Configure any server (OS agnostic)
+  include_tasks: agnostic/main.yml
+
+
+# Debian server
+# ------------------------------------------------------------------------------
+- name: Configure debian/ubuntu server
+  include_tasks: debian/main.yml
+  when: ansible_os_family == "Debian"

server/virtual/tasks/main.yml

@@ -1 +0,0 @@
----