From ccb15983b1db8c0baacde0024831b966f94b777d Mon Sep 17 00:00:00 2001 From: VC Date: Fri, 5 Jul 2024 11:53:04 +0200 Subject: [PATCH] =?UTF-8?q?Plein=20de=20modif=20de=20partout=20pour=20?= =?UTF-8?q?=C3=AAtre=20certain=20que=20=C3=A7a=20va=20bien=20se=20passer?= =?UTF-8?q?=20lors=20des=20diff=C3=A9rentes=20m=C3=A0j=20des=20playbooks?= =?UTF-8?q?=20qui=20vont=20bien?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- bittorrent.yml | 1 + borgbackup.yml | 3 + docker.yml | 1 + firewall.yml | 1 + icecast2.yml | 1 + loadbalancinghttp.yml | 1 + mail.yml | 1 + mariadb.yml | 1 + mumble.yml | 1 + munin.yml | 2 + nut.yml | 2 + pgsql.yml | 1 + php.yml | 1 + roles/firewall/templates/firewall.j2 | 117 ++++++++++++------ roles/mariadb/files/50-server.cnf | 137 --------------------- roles/mariadb/files/override.conf | 2 + roles/mariadb/handlers/main.yml | 3 + roles/mariadb/tasks/main.yml | 14 +++ roles/spamassassin/files/local.cf | 1 + roles/system/files/ssh/work.id_rsa.pub | 2 +- roles/system/files/ssh/work_old.id_rsa.pub | 1 + roles/system/tasks/sshd.yml | 6 + smtprelay.yml | 1 + syslog.yml | 1 + system.yml | 1 + unifi.yml | 1 + webservers.yml | 1 + xmpp.yml | 1 + 28 files changed, 130 insertions(+), 176 deletions(-) delete mode 100644 roles/mariadb/files/50-server.cnf create mode 100644 roles/mariadb/files/override.conf create mode 100644 roles/system/files/ssh/work_old.id_rsa.pub diff --git a/bittorrent.yml b/bittorrent.yml index cafd17a..9d90de4 100644 --- a/bittorrent.yml +++ b/bittorrent.yml @@ -1,3 +1,4 @@ - hosts: transmission + diff: yes roles: - bittorrent diff --git a/borgbackup.yml b/borgbackup.yml index 4ae3c4c..8288244 100644 --- a/borgbackup.yml +++ b/borgbackup.yml @@ -1,9 +1,12 @@ - hosts: borgbackup + diff: yes roles: - borgbackup - hosts: borg_client + diff: yes roles: - borg-client - hosts: borg_server + diff: yes roles: - borg-server diff --git a/docker.yml b/docker.yml index f320eb2..e25c572 100644 
--- a/docker.yml +++ b/docker.yml @@ -1,3 +1,4 @@ - hosts: dockerservers + diff: yes roles: - docker diff --git a/firewall.yml b/firewall.yml index 9c8098d..c52aa4a 100644 --- a/firewall.yml +++ b/firewall.yml @@ -1,5 +1,6 @@ - hosts: all:!baybay-ponay.mateu.be:!machinbox.mateu.be:!muse-macbookair.lan tasks: [] - hosts: router + diff: yes roles: - firewall diff --git a/icecast2.yml b/icecast2.yml index 04663ac..fade732 100644 --- a/icecast2.yml +++ b/icecast2.yml @@ -1,3 +1,4 @@ - hosts: icecastservers + diff: yes roles: - icecast2 diff --git a/loadbalancinghttp.yml b/loadbalancinghttp.yml index 6c95cde..05c5404 100644 --- a/loadbalancinghttp.yml +++ b/loadbalancinghttp.yml @@ -1,3 +1,4 @@ - hosts: loadbalancers + diff: yes roles: - haproxy diff --git a/mail.yml b/mail.yml index 2bdcb56..8baa00d 100644 --- a/mail.yml +++ b/mail.yml @@ -1,4 +1,5 @@ - hosts: mailservers + diff: yes roles: - postfix - dovecot diff --git a/mariadb.yml b/mariadb.yml index 797f82c..17cc333 100644 --- a/mariadb.yml +++ b/mariadb.yml @@ -1,3 +1,4 @@ - hosts: mariadbservers + diff: yes roles: - mariadb diff --git a/mumble.yml b/mumble.yml index 337f92f..e432b3a 100644 --- a/mumble.yml +++ b/mumble.yml @@ -1,3 +1,4 @@ - hosts: mumbleservers + diff: yes roles: - mumble diff --git a/munin.yml b/munin.yml index 215cfc5..e8eeb3d 100644 --- a/munin.yml +++ b/munin.yml @@ -1,7 +1,9 @@ - hosts: all:!baybay-ponay.mateu.be:!muse-macbookair.lan + diff: yes roles: - munin-client - hosts: muninservers + diff: yes roles: - munin-server diff --git a/nut.yml b/nut.yml index 36d9e3d..1db6253 100644 --- a/nut.yml +++ b/nut.yml @@ -1,6 +1,8 @@ - hosts: nut_client + diff: yes roles: - nut-client - hosts: nut_server + diff: yes roles: - nut-server diff --git a/pgsql.yml b/pgsql.yml index 6b8e843..ec61459 100644 --- a/pgsql.yml +++ b/pgsql.yml @@ -1,3 +1,4 @@ - hosts: pgsqlservers + diff: yes roles: - postgres diff --git a/php.yml b/php.yml index c176bef..c4388a0 100644 --- a/php.yml +++ b/php.yml 
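Review bot: Turning on `diff: yes` at play level in mail.yml (and the sibling plays on this line) prints the full before/after content of every templated or copied file, so if the postfix or dovecot roles render credentials (SASL or database passwords, TLS private keys) into their config, those values will appear on the console and in any CI or automation log that captures the run; mark such tasks `no_log: true` (which also suppresses their diff) before relying on this. The same caveat likely applies to the mariadb.yml and pgsql.yml plays here, whose role templates commonly carry database passwords — I can't see the templates from this hunk, so please confirm. Stylistically, write the YAML boolean as `diff: true` rather than the YAML 1.1 truthy `yes`, which yamllint's `truthy` rule flags and some parsers read differently.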
@@ -1,3 +1,4 @@ - hosts: phpservers + diff: yes roles: - php diff --git a/roles/firewall/templates/firewall.j2 b/roles/firewall/templates/firewall.j2 index fe389d5..7d516c3 100644 --- a/roles/firewall/templates/firewall.j2 +++ b/roles/firewall/templates/firewall.j2 @@ -2,7 +2,7 @@ config rule option name 'Allow-DHCP-Renew' option src 'wan' - option proto 'udp' + list proto 'udp' option dest_port '68' option target 'ACCEPT' option family 'ipv4' @@ -10,7 +10,7 @@ config rule config rule option name 'Allow-Ping' option src 'wan' - option proto 'icmp' + list proto 'icmp' option icmp_type 'echo-request' option target 'ACCEPT' option family 'ipv4' @@ -20,7 +20,7 @@ config rule option src 'wan' option src_ip 'fe80::/10' option src_port '547' - option proto 'udp' + list proto 'udp' option dest_ip 'fe80::/10' option dest_port '546' option target 'ACCEPT' @@ -29,7 +29,7 @@ config rule config rule option name 'Allow-ICMPv6-Input' option src 'wan' - option proto 'icmp' + list proto 'icmp' list icmp_type 'echo-request' list icmp_type 'echo-reply' list icmp_type 'destination-unreachable' @@ -49,7 +49,7 @@ config rule option name 'Allow-ICMPv6-Forward' option src 'wan' option dest '*' - option proto 'icmp' + list proto 'icmp' list icmp_type 'echo-request' list icmp_type 'echo-reply' list icmp_type 'destination-unreachable' @@ -61,25 +61,32 @@ config rule option family 'ipv6' option limit '1000/sec' +config rule + option name 'Allow-INPUT-SSH' + option src 'wan' + list proto 'tcp' + option dest_port '22' + option target 'ACCEPT' + ### DMZ Rules ## General Rules # ICMP config rule option name 'Allow-ICMP' option dest 'dmz' - option proto 'icmp' + list proto 'icmp' option target 'ACCEPT' config rule option name 'Allow-ICMP' option src 'dmz' - option proto 'icmp' + list proto 'icmp' option target 'ACCEPT' config rule option name 'Allow-ICMP' option src 'dmz' - option proto 'icmp' + list proto 'icmp' option dest '*' option target 'ACCEPT' 
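Review bot: The new `Allow-INPUT-SSH` rule accepts TCP/22 from `wan` with no `dest`, which in OpenWrt rule semantics makes it an INPUT rule — it opens the router's own SSH daemon to the whole internet, with no source restriction and no `family`. If WAN-side administration is genuinely required, pin it with `option src_ip '<admin prefix>'` (or one `list src_ip` per address) and make sure dropbear/sshd is key-only; otherwise reach the router from the DMZ or LAN zone and drop this rule. The name `Allow-INPUT-SSH` is also already used by the forwarded WAN→DMZ rule later in this template, so the two are indistinguishable in `uci show firewall` and in log output — rename this one, e.g. `option name 'Allow-INPUT-Router-SSH'`.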
@@ -88,23 +95,42 @@ config rule option name 'Allow-DMZ-DHCP' option dest 'dmz' option dest_port '67-68' - option proto 'tcpudp' + list proto 'tcp' + list proto 'udp' option target 'ACCEPT' option family 'ipv4' config rule option name 'Allow-DMZ-DHCP' option src 'dmz' - option proto 'tcpudp' + list proto 'tcp' + list proto 'udp' option dest_port '67-68' option target 'ACCEPT' option family 'ipv4' +# SSH rules +config rule + option name 'Allow-DMZ-SSH' + option dest 'dmz' + list proto 'tcp' + option dest_port '22' + option target 'ACCEPT' + +config rule + option name 'Allow-DMZ-Syslog' + option dest 'dmz' + option dest_ip '{{ hostvars['syslog.dmz.mateu.be']['ansible_default_ipv4']['address'] }}' + option dest_port '514' + list proto 'udp' + option target 'ACCEPT' + # DNS Resolution config rule option name 'Allow-INPUT-DNS' option src 'dmz' - option proto 'tcpudp' + list proto 'tcp' + list proto 'udp' option dest_port '53' option target 'ACCEPT' option family 'ipv4' @@ -113,7 +139,7 @@ config rule config rule option name 'Allow-OUTPUT-NTP' option src 'dmz' - option proto 'udp' + list proto 'udp' option dest 'wan' option dest_port '123' option target 'ACCEPT' @@ -122,7 +148,8 @@ config rule config rule option name 'Allow-OUTPUT-Web' option src 'dmz' - option proto 'tcpudp' + list proto 'tcp' + list proto 'udp' option dest 'wan' option dest_port '80 443' option target 'ACCEPT' @@ -131,7 +158,7 @@ config rule config rule option name 'Allow-INPUT-SSH' option src 'wan' - option proto 'tcp' + list proto 'tcp' option dest 'dmz' option dest_port '22' option target 'ACCEPT' @@ -143,7 +170,8 @@ config redirect option name 'Allow-INPUT-v4-HTTP' option src 'wan' option src_dport '80' - option proto 'tcpudp' + list proto 'tcp' + list proto 'udp' option dest 'dmz' option dest_ip '{{ hostvars['haproxy.dmz.mateu.be']['ansible_default_ipv4']['address'] }}' option dest_port '80' 
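Review bot: `Allow-DMZ-SSH` and `Allow-DMZ-Syslog` set `dest 'dmz'` but no `src`, which in fw3/fw4 means they match traffic the router itself originates into the DMZ (the OUTPUT chain), not forwarded traffic; that intent is easy to misread next to the `src 'wan'` rules and deserves a comment such as `# no 'src': these match traffic the router itself sends into the DMZ (OUTPUT chain)`. The syslog rule is pinned to one host via `dest_ip`, but the SSH rule lets the router reach port 22 on every DMZ host; if only a few management hosts are needed, add `option dest_ip` (or a `list dest_ip` per host) so a compromised router has less reach. Syslog over UDP/514 is unauthenticated and in the clear — acceptable inside a trusted DMZ, but worth noting in a comment, and rsyslog over TLS is an option if that segment isn't fully trusted.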
@@ -153,7 +181,8 @@ config redirect option name 'Allow-INPUT-v4-HTTPS' option src 'wan' option src_dport '443' - option proto 'tcpudp' + list proto 'tcp' + list proto 'udp' option dest 'dmz' option dest_ip '{{ hostvars['haproxy.dmz.mateu.be']['ansible_default_ipv4']['address'] }}' option dest_port '443' @@ -164,7 +193,8 @@ config redirect config rule option name 'Allow-INPUT-{{ host }}-Web' option src 'wan' - option proto 'tcpudp' + list proto 'tcp' + list proto 'udp' option dest 'dmz' option dest_ip '{{ hostvars[host]['ansible_default_ipv6']['address'] }}' option dest_port '80 443' @@ -177,7 +207,8 @@ config rule option name 'Allow-OUTPUT-BT' option src 'dmz' option src_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv4']['address'] }}' - option proto 'tcpudp' + list proto 'tcp' + list proto 'udp' option dest 'wan' option target 'ACCEPT' option family 'ipv4' @@ -186,7 +217,8 @@ config rule option name 'Allow-OUTPUT-BT' option src 'dmz' option src_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv6']['address'] }}' - option proto 'tcpudp' + list proto 'tcp' + list proto 'udp' option dest 'wan' option target 'ACCEPT' option family 'ipv6' @@ -194,7 +226,8 @@ config rule config rule option name 'Allow-INPUT-BT' option src 'wan' - option proto 'tcpudp' + list proto 'tcp' + list proto 'udp' option dest 'dmz' option dest_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv6']['address'] }}' option dest_port '10010' @@ -205,7 +238,8 @@ config redirect option name 'Allow-INPUT-BT' option src 'wan' option src_dport '10010' - option proto 'tcpudp' + list proto 'tcp' + list proto 'udp' option dest 'dmz' option dest_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv4']['address'] }}' option dest_port '10010' 
@@ -216,7 +250,7 @@ config redirect config rule option name 'Allow-INPUT-ProxmoxVE-{{ hostvars[host]['ansible_hostname'] }}' option src 'wan' - option proto 'tcp' + list proto 'tcp' option dest 'dmz' option dest_ip '{{ hostvars[host]['ansible_default_ipv6']['address'] }}' option dest_port '8006' @@ -229,7 +263,8 @@ config rule option name 'Allow-OUTPUT-XMPP-s2s' option src 'dmz' option src_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv4']['address']}}' - option proto 'tcpudp' + list proto 'tcp' + list proto 'udp' option dest 'wan' option dest_port '5269' option target 'ACCEPT' @@ -239,7 +274,8 @@ config rule option name 'Allow-OUTPUT-XMPP-s2s' option src 'dmz' option src_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv6']['address'] }}' - option proto 'tcpudp' + list proto 'tcp' + list proto 'udp' option dest 'wan' option dest_port '5269' option target 'ACCEPT' @@ -249,7 +285,8 @@ config redirect option name 'Allow-INPUT-XMPP-c2s' option src 'wan' option src_dport '5222' - option proto 'tcpudp' + list proto 'tcp' + list proto 'udp' option dest 'dmz' option dest_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv4']['address'] }}' option dest_port '5222' @@ -259,7 +296,8 @@ config redirect option name 'Allow-INPUT-XMPP-s2s' option src 'wan' option src_dport '5269' - option proto 'tcpudp' + list proto 'tcp' + list proto 'udp' option dest 'dmz' option dest_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv4']['address'] }}' option dest_port '5269' @@ -268,7 +306,8 @@ config redirect config rule option name 'Allow-INPUT-XMPP-c2s+s2s' option src 'wan' - option proto 'tcpudp' + list proto 'tcp' + list proto 'udp' option dest 'dmz' option dest_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv6']['address'] }}' option dest_port '5222 5269' 
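Review bot: The `Allow-INPUT-ProxmoxVE-…` rule in this hunk accepts TCP/8006 from `wan` to each Proxmox host's global IPv6 address with no source restriction, so the hypervisor web UI and API are reachable from the entire internet; only the `proto` syntax changed here, but the exposure is the point worth raising while the rule is being rewritten. Unless this is deliberate, restrict it with `list src_ip` for the administrator's prefixes or put access behind the existing SSH/VPN path and drop the rule. The rest of this rule's options continue outside the hunk.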
@@ -279,7 +318,8 @@ config rule config rule option name 'Allow-INPUT-mumble' option src 'wan' - option proto 'tcpudp' + list proto 'tcp' + list proto 'udp' option dest 'dmz' option dest_ip '{{ hostvars['voice1.dmz.mateu.be']['ansible_default_ipv6']['address'] }}' option dest_port '64738' @@ -290,7 +330,8 @@ config redirect option name 'Allow-INPUT-mumble' option src 'wan' option src_dport '64738' - option proto 'tcpudp' + list proto 'tcp' + list proto 'udp' option dest 'dmz' option dest_ip '{{ hostvars['voice1.dmz.mateu.be']['ansible_default_ipv4']['address'] }}' option dest_port '64738' @@ -301,7 +342,7 @@ config rule option name 'Allow-OUTPUT-SMTP' option src 'dmz' option src_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}' - option proto 'tcp' + list proto 'tcp' option dest 'wan' option dst_port '25' option target 'ACCEPT' @@ -310,7 +351,7 @@ config rule config rule option name 'Allow-INPUT-SMTP+SMTPS+SUBMISSION' option src 'wan' - option proto 'tcp' + list proto 'tcp' option dest 'dmz' option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv6']['address'] }}' option dest_port '25 465 587' @@ -320,7 +361,7 @@ config rule config rule option name 'Allow-INPUT-IMAP+IMAPS' option src 'wan' - option proto 'tcp' + list proto 'tcp' option dest 'dmz' option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv6']['address'] }}' option dest_port '143 993' @@ -331,7 +372,7 @@ config redirect option name 'Allow-INPUT-SMTP' option src 'wan' option src_dport '25' - option proto 'tcp' + list proto 'tcp' option dest 'dmz' option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}' option dest_port '25' @@ -341,7 +382,7 @@ config redirect option name 'Allow-INPUT-SMTPS' option src 'wan' option src_dport '465' - option proto 'tcp' + list proto 'tcp' option dest 'dmz' option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}' option dest_port '465' 
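Review bot: `Allow-OUTPUT-SMTP` uses `option dst_port '25'`, which is not a firewall rule option (`dest_port` is); as far as I know fw3/fw4 silently ignore options they don't recognise, so this rule currently allows the mail host to open TCP to any port on `wan`, not just 25. Change it to `option dest_port '25'`, matching every other rule in the template. It's a context line the commit didn't touch, but the typo is worth fixing while the rule is being converted.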
@@ -351,7 +392,7 @@ config redirect option name 'Allow-INPUT-SUBMISSION' option src 'wan' option src_dport '587' - option proto 'tcp' + list proto 'tcp' option dest 'dmz' option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}' option dest_port '587' @@ -361,7 +402,7 @@ config redirect option name 'Allow-INPUT-IMAP' option src 'wan' option src_dport '143' - option proto 'tcp' + list proto 'tcp' option dest 'dmz' option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}' option dest_port '143' @@ -371,7 +412,7 @@ config redirect option name 'Allow-INPUT-IMAPS' option src 'wan' option src_dport '993' - option proto 'tcp' + list proto 'tcp' option dest 'lan' option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}' option dest_port '993' @@ -382,7 +423,7 @@ config rule option name 'Allow-INPUT-Munin' option src 'dmz' option src_ip '{{ hostvars['munin.dmz.mateu.be']['ansible_default_ipv4']['address'] }}' - option proto 'tcp' + list proto 'tcp' option dest_port '4949' option target 'ACCEPT' option family 'ipv4' diff --git a/roles/mariadb/files/50-server.cnf b/roles/mariadb/files/50-server.cnf deleted file mode 100644 index 3b50076..0000000 --- a/roles/mariadb/files/50-server.cnf +++ /dev/null 
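Review bot: The `Allow-INPUT-IMAPS` redirect has `option dest 'lan'` while its `dest_ip` is the mail host in the DMZ and every sibling redirect uses `dest 'dmz'`; with the wrong destination zone the DNAT is installed against the LAN zone's forward chain (or not at all), so IMAPS over IPv4 may not actually reach the mail server. Change it to `option dest 'dmz'` to match the other mail redirects. This is a context line unchanged by the commit, but the inconsistency is easy to miss once the `proto` rewrite lands.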
@@ -1,137 +0,0 @@ -# -# These groups are read by MariaDB server. -# Use it for options that only the server (but not clients) should see -# -# See the examples of server my.cnf files in /usr/share/mysql - -# this is read by the standalone daemon and embedded servers -[server] - -# this is only for the mysqld standalone daemon -[mysqld] - -# -# * Basic Settings -# -user = mysql -pid-file = /run/mysqld/mysqld.pid -socket = /run/mysqld/mysqld.sock -#port = 3306 -basedir = /usr -datadir = /srv/mysql -tmpdir = /tmp -lc-messages-dir = /usr/share/mysql -default-storage-engine = InnoDB -#skip-external-locking - -# Instead of skip-networking the default is now to listen only on -# localhost which is more compatible and is not less secure. -bind-address = 127.0.0.1 - -# -# * Fine Tuning -# -key_buffer_size = 32M -max_allowed_packet = 64M -thread_stack = 256K -thread_cache_size = 8 -# This replaces the startup script and checks MyISAM tables if needed -# the first time they are touched -myisam_recover_options = BACKUP -#max_connections = 100 -#table_cache = 64 -#thread_concurrency = 10 - -# -# * Query Cache Configuration -# -query_cache_limit = 16M -query_cache_size = 64M - -# -# * Logging and Replication -# -# Both location gets rotated by the cronjob. -# Be aware that this log type is a performance killer. -# As of 5.1 you can enable the log at runtime! -#general_log_file = /var/log/mysql/mysql.log -#general_log = 1 -# -# Error log - should be very few entries. -# -log_error = /var/log/mysql/error.log -# -# Enable the slow query log to see queries with especially long duration -#slow_query_log_file = /var/log/mysql/mariadb-slow.log -#long_query_time = 10 -#log_slow_rate_limit = 1000 -#log_slow_verbosity = query_plan -#log-queries-not-using-indexes -# -# The following can be used as easy to replay backup logs or for replication. -# note: if you are setting up a replication slave, see README.Debian about -# other settings you may need to change. 
-#server-id = 1 -#log_bin = /var/log/mysql/mysql-bin.log -expire_logs_days = 10 -max_binlog_size = 100M -#binlog_do_db = include_database_name -#binlog_ignore_db = exclude_database_name - -# -# * Security Features -# -# Read the manual, too, if you want chroot! -#chroot = /srv/mysql/ -# -# For generating SSL certificates you can use for example the GUI tool "tinyca". -# -#ssl-ca = /etc/mysql/cacert.pem -#ssl-cert = /etc/mysql/server-cert.pem -#ssl-key = /etc/mysql/server-key.pem -# -# Accept only connections using the latest and most secure TLS protocol version. -# ..when MariaDB is compiled with OpenSSL: -#ssl-cipher = TLSv1.2 -# ..when MariaDB is compiled with YaSSL (default in Debian): -#ssl = on - -# -# * Character sets -# -# MySQL/MariaDB default is Latin1, but in Debian we rather default to the full -# utf8 4-byte character set. See also client.cnf -# -character-set-server = utf8mb4 -collation-server = utf8mb4_general_ci - -# -# * InnoDB -# -# InnoDB is enabled by default with a 10MB datafile in /srv/mysql/. -# Read the manual for more InnoDB related options. There are many! - -innodb_file_per_table -innodb_data_file_path=ibdata1:10M:autoextend - -# -# * Unix socket authentication plugin is built-in since 10.0.22-6 -# -# Needed so the root database user can authenticate without a password but -# only when running as the unix root user. -# -# Also available for other users if required. -# See https://mariadb.com/kb/en/unix_socket-authentication-plugin/ - -# this is only for embedded server -[embedded] - -# This group is only read by MariaDB servers, not by MySQL. -# If you use the same .cnf file for MySQL and MariaDB, -# you can put MariaDB-only options here -[mariadb] - -# This group is only read by MariaDB-10.3 servers. -# If you use the same .cnf file for MariaDB of different versions, -# use this group for options that older servers don't understand -[mariadb-10.3] 
diff --git a/roles/mariadb/files/override.conf b/roles/mariadb/files/override.conf new file mode 100644 index 0000000..4493665 --- /dev/null +++ b/roles/mariadb/files/override.conf @@ -0,0 +1,2 @@ +[Service] +LimitNOFILE=infinity diff --git a/roles/mariadb/handlers/main.yml b/roles/mariadb/handlers/main.yml index 97d8b02..a200c48 100644 --- a/roles/mariadb/handlers/main.yml +++ b/roles/mariadb/handlers/main.yml @@ -2,3 +2,6 @@ service: name: mariadb state: restarted + +- name: daemon-reload + command: systemctl daemon-reload diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index db98035..2f106bd 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -72,6 +72,20 @@ - "mysql -e \"FLUSH PRIVILEGES;\"" - touch ~/mysql_secure_installation +- name: Create MariaDB service dir + file: + path: /etc/systemd/system/mariadb.service.d/ + state: directory + mode: 0755 + +- name: Create MariaDB service override + copy: + src: files/override.conf + dest: /etc/systemd/system/mariadb.service.d/override.conf + notify: + - restart mariadb + - daemon-reload + - name: install backup script copy: src: files/backup_mysql.sh diff --git a/roles/spamassassin/files/local.cf b/roles/spamassassin/files/local.cf index 692c75d..3db2d64 100644 --- a/roles/spamassassin/files/local.cf +++ b/roles/spamassassin/files/local.cf @@ -97,6 +97,7 @@ score LOCAL_BITCOIN 10.0 whitelist_from *@chichiclothing.com # Blacklist manuel +blacklist_from *@sintoskym.es blacklist_from *@comention.ch blacklist_from *@tipontale.it blacklist_from *@totalshape.com diff --git a/roles/system/files/ssh/work.id_rsa.pub b/roles/system/files/ssh/work.id_rsa.pub index 9e4687b..b84c3b0 100644 --- a/roles/system/files/ssh/work.id_rsa.pub +++ b/roles/system/files/ssh/work.id_rsa.pub 
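Review bot: The override task notifies `restart mariadb` and `daemon-reload`, but Ansible runs handlers in the order they are defined in handlers/main.yml, not in notify order, so the restart fires before the daemon-reload and the new `LimitNOFILE` won't take effect until some later restart. Fold the reload into the restart handler with the `systemd` module — `systemd: { name: mariadb, state: restarted, daemon_reload: true }` — and drop the separate `command: systemctl daemon-reload` handler, which also reports changed on every run. Give the copied override explicit `owner: root`, `group: root` and `mode: '0644'` so its permissions don't depend on the controller's umask. Finally, `LimitNOFILE=infinity` leaves only the kernel's `fs.nr_open` ceiling; an explicit value such as `65536` documents the intended bound and still fixes the usual "too many open files" errors.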
@@ -1 +1 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzxdkNy1r7j79Lv9OdKHvpNr1LmHOz6np0w8JGH63kH/1y330aRu4p90mf4QZrnPsUx1nYUKWgaR5XNka3OOgh9/r8bskymteIPnx88oSG+c8bEowwNbevA8JURRh7FG/jWuclyngQW0nuplZgaCB6GuA68nYQSnFTw1xHg7Qbx7wukrsZz0dIDOTFUIcNRBabzjchP8vyDDB1jPw5ghK7VxTDSx8I6H+BhJydsCz1TJqvWvc8Z3X9yH5/OXp26rpSFkhCyDxV//9XXZvCsqjmz3KRvN0IwLMgQZZkDyDORunEg+OpSES++n0FN85tyf1BT6y8P5CcrJWMnS3fMJib +ssh-rsa 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 cveret@scaleway.com diff --git a/roles/system/files/ssh/work_old.id_rsa.pub b/roles/system/files/ssh/work_old.id_rsa.pub new file mode 100644 index 0000000..9e4687b --- /dev/null +++ b/roles/system/files/ssh/work_old.id_rsa.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzxdkNy1r7j79Lv9OdKHvpNr1LmHOz6np0w8JGH63kH/1y330aRu4p90mf4QZrnPsUx1nYUKWgaR5XNka3OOgh9/r8bskymteIPnx88oSG+c8bEowwNbevA8JURRh7FG/jWuclyngQW0nuplZgaCB6GuA68nYQSnFTw1xHg7Qbx7wukrsZz0dIDOTFUIcNRBabzjchP8vyDDB1jPw5ghK7VxTDSx8I6H+BhJydsCz1TJqvWvc8Z3X9yH5/OXp26rpSFkhCyDxV//9XXZvCsqjmz3KRvN0IwLMgQZZkDyDORunEg+OpSES++n0FN85tyf1BT6y8P5CcrJWMnS3fMJib diff --git a/roles/system/tasks/sshd.yml b/roles/system/tasks/sshd.yml index 10e3aae..42650e3 100644 --- a/roles/system/tasks/sshd.yml +++ b/roles/system/tasks/sshd.yml @@ -16,3 +16,9 @@ user: root state: present key: "{{ lookup('file', 'ssh/work.id_rsa.pub') }}" + +- name: remove old work key + authorized_key: + user: root + state: absent + key: "{{ lookup('file', 'ssh/work_old.id_rsa.pub')}}" diff --git a/smtprelay.yml b/smtprelay.yml index fb22e7b..3b1fec9 100644 --- a/smtprelay.yml +++ b/smtprelay.yml @@ -1,3 +1,4 @@ - hosts: all:!baybay-ponay.mateu.be:!machinbox.mateu.be:!mail.dmz.mateu.be:!muse-macbookair.lan + diff: yes roles: - smtprelay diff --git a/syslog.yml b/syslog.yml index ca9e0b8..7fad0b7 100644 --- a/syslog.yml +++ b/syslog.yml @@ -1,3 +1,4 @@ - hosts: all:!baybay-ponay.mateu.be:!machinbox.mateu.be:!muse-macbookair.lan + diff: yes roles: - rsyslog 
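Review bot: The rotation adds the new key before removing the old one, which is the right order, but `work_old.id_rsa.pub` is now a permanent fixture: the `state: absent` task runs on every play forever and the retired key stays in the repository where a copy-paste into another `authorized_key` task would silently re-authorize it. Mark the task `# TODO: remove this task and ssh/work_old.id_rsa.pub once every host has run it`, and delete both in a follow-up once all inventories have converged. The retired key is a 2048-bit RSA key (`AAAAB3NzaC1yc2EAAAADAQABAAABAQ` prefix); the replacement's type can't be judged from the redacted hunk, but prefer ed25519 if it isn't already. Both keys grant `root` logins, so confirm the sshd template (outside this hunk) enforces `PermitRootLogin prohibit-password`.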
diff --git a/system.yml b/system.yml index cab6bd4..cb861c1 100644 --- a/system.yml +++ b/system.yml @@ -1,4 +1,5 @@ - hosts: all:!baybay-ponay.mateu.be:!machinbox.mateu.be:!muse-macbookair.lan + diff: yes roles: - system - x509 diff --git a/unifi.yml b/unifi.yml index 61ff001..3856095 100644 --- a/unifi.yml +++ b/unifi.yml @@ -1,3 +1,4 @@ - hosts: unifiservers + diff: yes roles: - unifi diff --git a/webservers.yml b/webservers.yml index 2399ee0..65faf48 100644 --- a/webservers.yml +++ b/webservers.yml @@ -1,4 +1,5 @@ - hosts: webservers + diff: yes roles: - nginx - webapps diff --git a/xmpp.yml b/xmpp.yml index fe42f23..b82d800 100644 --- a/xmpp.yml +++ b/xmpp.yml @@ -1,3 +1,4 @@ - hosts: xmppservers + diff: yes roles: - xmpp