@ü.li:Listing 1: Vagrantfile
@li:
Vagrant.configure("2") do |config|
  # Box to use (name and download URL); the URL is https, so the box
  # download is at least transport-protected
  config.vm.box = "chef/debian-7.8"
  config.vm.box_url = "https://vagrantcloud.com/chef/debian-7.8"

  # Hostname of the VM
  config.vm.hostname = "test.example.com"

  # Forwarded ports: guest 80 -> host 8080, guest 22 -> host 2200
  # NOTE(review): no host_ip is given; depending on the Vagrant/provider
  # version the forward may listen on all host interfaces instead of
  # 127.0.0.1 only -- confirm, and add host_ip: "127.0.0.1" if that matters
  config.vm.network "forwarded_port", guest: 80, host: 8080
  config.vm.network "forwarded_port", guest: 22, host: 2200

  # Shared directory: src/ next to the Vagrantfile is mounted at /var/www/demo
  config.vm.synced_folder "src/", "/var/www/demo"

  # The given script is run by the shell provisioner
  config.vm.provision "shell", path: "src/script.sh"
end

@ü.li:Listing 2: Ansible Inventory File
@li:
# ungrouped host
demo.example.com

[mail-servers]
mail.example.com

[web-servers]
# host:port selects a non-default SSH port; the host variable on the
# second entry sets the login user
web1.example.com:2222
web2.example.com ansible_ssh_user=rob

[db-servers]
db.example.com

@ü.li:Listing 3: VM-Netzkonfiguration in Vagrant
@li:
# host-only network: the VM is reachable from the host machine only
- config.vm.network "private_network", ip: "192.168.56.110"
# bridged network: the VM gets an address on the physical network and is
# reachable from it, so the guest needs the same hardening as any other host
- config.vm.network "public_network", ip: "42.43.45.46"

@ü.li:Listing 4: playbook.yml
@li:
---
# NOTE(review): the inventory in Listing 2 defines the group "web-servers"
# (with a hyphen); confirm which group name is intended here
- hosts: webservers
  sudo: yes
  vars:
    vhosts:
      - name: demo
        doc_root: /var/www/demo
        # space-separated list; vhost.conf.j2 splits it into ServerName and
        # ServerAlias entries
        servername: localhost demo.web.dev
  handlers:
    - name: restart apache2
      service: name=apache2 state=restarted
  tasks:
    - name: ensure that the apache web server is installed
      apt: pkg=apache2 state=installed update_cache=yes
    # item.name ends up in a file path here and in a command below; the
    # values come from the play's own vars, not from external input
    - name: ensure that the virtual hosts are configured
      template: src=vhost.conf.j2 dest=/etc/apache2/sites-available/{{ item.name }}
      with_items: vhosts
      notify: restart apache2
    - name: ensure that the virtual hosts are enabled
      command: "a2ensite {{ item.name }}"
      with_items: vhosts
      when: vhosts
      notify: restart apache2

@ü.li:Listing 5: vhost.conf.j2
@li:
# NOTE(review): the enclosing <VirtualHost ...> block appears to be missing
# from the listing (possibly lost in extraction) -- confirm against the source
DocumentRoot {{ item.doc_root }}
{# first name becomes ServerName, every further name a ServerAlias #}
{% set servernames = item.servername.split() %}
{% for servername in servernames %}
{% if loop.first %}
ServerName {{ servername }}
{% else %}
ServerAlias {{ servername }}
{% endif %}
{% endfor %}
CustomLog /var/log/apache2/{{ item.name }}-access.log common
ErrorLog /var/log/apache2/{{ item.name }}-error.log
# ...
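@ü.li:Listing 6: Standard-Konfiguration der Apache-2-Rolle
@li:
---
# File: roles/apache2/defaults/main.yml
# Packages to install
apache2_packages:
  - apache2
  - apache2-mpm-worker
  - libapache2-mod-fastcgi
# Default modules ("headers" is what the Header directives in Listing 9 rely on)
apache2_modules:
  - rewrite
  - vhost_alias
  - headers
  - expires
  - filter
  - actions
  - suexec
  - fastcgi
# Default vhosts
apache2_sites:
  - name: default
    owner: www-data
    servername: "localhost"
    doc_root: /var/www/default
    php: true
    php_socket: /var/run/php5-fpm.sock
# Disabled sites:
apache2_sites_disabled: []

@ü.li:Listing 7: Tasks für Apache-2-Rolle
@li:
---
# File: roles/apache2/tasks/main.yml
# Description: Apache2 installation and configuration

# Apache2 installation
# Appends "non-free" to every "... main" line of sources.list; anchoring on
# "main$" keeps this idempotent, since a line already ending in "non-free"
# no longer matches
- name: install | ensure that non-free packages are used
  replace:
    dest: /etc/apt/sources.list
    regexp: '(^deb(-src)? http(s?):\/\/.*\/.* main$)'
    replace: '\1 non-free'
- name: install | enforce update of apt cache
  apt: update_cache=yes
# state=latest upgrades the packages on every run, not only on first install
- name: install | ensure that apache2 packages are installed
  apt: name={{ item }} state=latest update_cache=yes cache_valid_time=3600
  with_items: apache2_packages
  when: apache2_packages
- name: install | ensure that apache2 service is enabled
  service: name=apache2 enabled=yes
- name: install | ensure that desired apache2 modules are installed
  apache2_module: state=present name={{ item }}
  with_items: apache2_modules
  when: apache2_modules
  notify: apache2 restart

# Manage VirtualHosts
# DocumentRoots are owned by the per-site owner and created with mode 0755
- name: sites | ensure that DocumentRoots exist
  file: path={{ item.doc_root }} owner={{ item.owner }} group={{ item.owner }} mode=0755 state=directory
  with_items: apache2_sites
  when: apache2_sites
- name: sites | ensure that VirtualHosts are configured
  template: src=vhost.conf.j2 dest=/etc/apache2/sites-available/{{ item.name }}
  with_items: apache2_sites
  notify: apache2 restart
  when: apache2_sites
# item.name is interpolated into a command; the values come from role
# variables, not from external input
- name: sites | ensure that VirtualHosts are enabled
  command: "a2ensite {{ item.name }}"
  with_items: apache2_sites
  notify: apache2 restart
  when: apache2_sites
- name: sites | ensure that non-desired VirtualHosts are disabled
  command: "a2dissite {{ item.name }}"
  with_items: apache2_sites_disabled
  notify: apache2 restart
  when: apache2_sites_disabled

@ü.li:Listing 8: Handler für Apache-2-Rolle
@li:
---
# File: roles/apache2/handlers/main.yml
- name: apache2 start
  service: name=apache2 state=started
# Fixed: this handler previously used state=reloaded, which only reloads
# the configuration instead of stopping the service
- name: apache2 stop
  service: name=apache2 state=stopped
- name: apache2 restart
  service: name=apache2 state=restarted

@ü.li:Listing 9: Sicherheitskonfiguration Apache~~2
@li:
# {{ ansible_managed }}
# Security - disable signature + tokens
ServerSignature Off
ServerTokens Prod
# If mod_headers module is available, we will disable
# the Server and X-Powered-By response header
# NOTE(review): the <IfModule mod_headers.c> wrapper this comment refers to
# is not present in the listing (possibly lost in extraction); without
# mod_headers loaded the Header directives are a configuration error
# NOTE(review): "Header unset Server" is commonly reported not to take
# effect on Apache 2.x; ServerTokens Prod still trims the value -- verify
# against a live response header
Header unset Server
Header unset X-Powered-By

@ü.li:Listing 10: Rolle für MySQL
@li:
---
# File: roles/mysql/defaults/main.yml
# Packages to install
mysql_packages:
  - mysql-server
  - mysql-client
  - python-mysqldb
# List of databases and users to be created
mysql_databases: []
mysql_users: []
# Security
mysql_security_storedprocedures_check: true
# Basic configuration settings
mysql_daemon_user: mysql
mysql_datadir: /var/lib/mysql
mysql_port: 3306
# bound to loopback only: no remote connections by default
mysql_bind_address: 127.0.0.1
# FIXME: placeholder credential committed in role defaults -- override it
# per host/group (e.g. from an Ansible Vault file) and never deploy this value
mysql_root_password: mysqlpassword
mysql_collation_server: utf8_general_ci
mysql_character_set_server: utf8
# Security
mysql_max_connections: 100
# NOTE: unlike the other variables this one has no mysql_ prefix; renaming it
# would break templates that reference it
max_connect_errors: 10

@ü.li:Listing 11: PHP5-Rolle
@li:
---
# File: roles/php5-fpm/defaults/main.yml
# Packages to install
php5_packages:
  - imagemagick
  - php5
  - php5-fpm
  - php5-cli
  - php5-common
  - php5-curl
  - php5-gd
  - php5-imagick
  - php5-mysql
# Configuration
php5_timezone: Europe/Berlin
# the pool socket matches php_socket in the apache2 defaults (Listing 6)
php5_fpm_pools:
  - name: www
    user: www-data
    group: www-data
    socket: /var/run/php5-fpm.sock
# ...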
@ü.li:Listing 12: Tasks für Icinga
@li:
---
# File: roles/icinga2/tasks/install.yml
# Install required packages
# NOTE(review): the repository signing key is fetched over plain http and no
# fingerprint is pinned, so an on-path attacker could substitute the key.
# Prefer an https URL if the host offers one and pin the fingerprint with
# apt_key's id parameter (id: <KEY_FINGERPRINT_PLACEHOLDER>)
- name: install | ensure that the debmon apt-repository key is present
  apt_key: url=http://debmon.org/debmon/repo.key state=present
- name: install | ensure that the debmon apt-repository is present
  apt_repository: repo="deb http://debmon.org/debmon debmon-wheezy main" state=present
- name: install | ensure that the icinga 2 packages are installed
  apt: name={{ item }} state=latest update_cache=yes cache_valid_time=3600
  with_items: icinga2_packages
  when: icinga2_packages
# The plugin is fetched from a moving "master" branch; the sha256sum pin
# should make the task fail instead of installing changed content
- name: install | ensure that the check_linux_memory plugin is installed
  get_url:
    url: https://raw.githubusercontent.com/hugme/Nag_checks/master/check_linux_memory
    dest: /usr/lib/nagios/plugins/check_linux_memory
    sha256sum: db99638c5fcdf93eb2b9d1612c84aab25242c3ebe358f5643a1e5d4728c7ac9a
    owner: root
    group: root
    mode: 0755
- name: install | ensure that icinga 2 is registered as a service
  service: name=icinga2 enabled=yes

@ü.li:Listing 13: Konfiguration für den Icinga-Server
@li:
---
# File: roles/icinga2/defaults/main.yml
# ...
icinga2_hosts:
  - name: test
    fqdn: test.example.com
    address: 80.80.80.80
    os: linux
    # presumably the port, user and key used by the ssh_* checks below --
    # confirm against the check definitions
    ssh_port: 4022
    ssh_user: "icinga"
    ssh_id: /home/nagios/.ssh/id_rsa
    notification_groups: [ "example" ]
    checks:
      - name: ssh_swap
      - name: ssh_mem
      - name: ssh_load
      - name: ssh_apt
      - name: ssh_ntptime
      - name: ssh_disk
      - name: ssh_procs
      - name: http
        value: '{ http_uri = "/" }'

@ü.li:Listing 14: Einstellungen für Icinga-Clients
@li:
---
# File: roles/icinga2-client/defaults/main.yml
icinga2_remotemonitoring_user_name: icinga
icinga2_remotemonitoring_user_uid: 1234

@ü.li:Listing 15: dirvish-Konfiguration (master.conf)
@li:
# Banks
bank:
    /backup/server
    /backup/notebook
# Backup schedule (vaults)
Runall:
    demo.example.com    22:00
    mail.example.com    02:00
# Expiry rules
expire-default: +1 week
expire-rule:
#   MIN HR DOM MON DOW  STRFTIME_FMT
    *   *  *   *   *    +2 weeks
    *   *  *   *   1    +4 weeks
# Defaults
image-default: %Y-%m-%d
log: gzip
index: gzip

@ü.li:Listing 16: Tresor-Einstellungen für dirvish
@li:
### Example configuration for the '/backup/server/demo.example.com-home/dirvish/default.conf' file:
# NOTE(review): the backup host logs in as root on the client; the key it
# uses should be dedicated to this purpose -- confirm the SSH setup
client: root@demo.example.com  # the machine to back up, including the user
tree: /home                    # the directory tree to back up
xdev: 1                        # stay within the same filesystem
log: gzip                      # the log file is compressed afterwards
exclude: *.bak                 # .bak files are not backed up

@ü.li:Listing 17: Rolle für Fail2Ban
@li:
---
# File: roles/fail2ban/defaults/main.yml
# Fail2Ban
fail2ban_ignoreip: "127.0.0.1/8"
fail2ban_findtime: 600
fail2ban_maxretry: 6
fail2ban_bantime: 1200
fail2ban_banaction: "iptables-multiport"
fail2ban_destemail: "root@localhost"
fail2ban_mta: "mail"
fail2ban_action: "action_mw"
# Jails
# NOTE(review): the flags are quoted strings, not booleans; "false" is truthy
# in a Jinja "if" test, so the template must emit the value literally rather
# than branch on it -- confirm in the jail template
#
fail2ban_jails_ssh_enabled: "true"               # SSH
fail2ban_jails_sshddos_enabled: "true"           # SSH DDoS
fail2ban_jails_postfix_enabled: "true"           # Postfix
fail2ban_jails_apacheauth_enabled: "false"       # Apache auth
fail2ban_jails_apachebadbots_enabled: "false"    # Apache bad bots
fail2ban_jails_apachenoscript_enabled: "false"   # Apache noscript
fail2ban_jails_apacheoverflows_enabled: "false"  # Apache overflows
fail2ban_jails_nginxauth_enabled: "false"        # Nginx auth
# ...

@ü.li:Listing 18: Playbook Web-Server
@li:
---
# File: web-servers.yml
# Web Servers
- hosts: web-servers
  sudo: yes
  roles:
    - ...
    - apache2
    - php5-fpm
    - mysql
    - ...
# Enable Monitoring
# NOTE(review): the groups monitoring-servers and backup-servers do not
# appear in the inventory of Listing 2 -- they must be defined elsewhere
- hosts: monitoring-servers
  sudo: yes
  roles: [ icinga2 ]
# Enable Backup
- hosts: backup-servers
  sudo: yes
  roles: [ dirvish ]

@ü.li:Listing 19: Playbook im Vagrantfile aufrufen
@li:
config.vm.provision :ansible do |ansible|
  # playbook and inventory are taken from the project directory
  ansible.playbook = "playbook.yml"
  ansible.inventory_path = "./inventardatei"
  # restrict the run to the local VM entry of that inventory
  ansible.limit = "127.0.0.1"
end