Last active
March 21, 2020 15:17
-
-
Save fishi0x01/4d613f4fb0034b7197a92cd36bd34801 to your computer and use it in GitHub Desktop.
Snippets for ansible, ansible-vault and travis. Code for blog post https://fishi.devtail.io/weblog/2016/04/02/testing-ansible-ansible-vault-travis-ci/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| SENSITIVE_FILES="roles/ssh/templates/sshd_config.j2.enc" | |
| if [ "$1" != "clean" ] && [ "$1" != "decrypt" ] | |
| then | |
| echo "only 'clean' or 'decrypt' are allowed" | |
| exit 1 | |
| fi | |
| if [ "$1" = "decrypt" ] | |
| then | |
| for SECRET in $SENSITIVE_FILES | |
| do | |
| ANSIBLE_VAULT_PASSWORD_FILE=vault_pass_file ansible-vault view $SECRET > ${SECRET::-4} | |
| done | |
| elif [ "$1" = "clean" ] | |
| then | |
| for SECRET in $SENSITIVE_FILES | |
| do | |
| rm ${SECRET::-4} | |
| done | |
| fi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| - hosts: app | |
| become: yes | |
| no_log: "{{ disable_log | default('no') }}" | |
| roles: | |
| - roles/ssh |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| sudo: required | |
| dist: trusty | |
| language: python | |
| python: '2.7' | |
| addons: | |
| hosts: | |
| - app | |
| before_install: | |
| - sudo apt-get update -qq | |
| - sudo apt-get install -qq python-apt | |
| install: | |
| - pip install ansible==${ANSIBLE_VERSION} | |
| script: | |
| - "ansible-playbook -i inventories/dev ${PLAYBOOK} --syntax-check" | |
| - "ansible-playbook -i inventories/dev ${PLAYBOOK} --connection=local --become" | |
| - "ansible-playbook -i inventories/dev ${PLAYBOOK} --connection=local --become | tee /tmp/output.txt; grep -q 'changed=0.*failed=0' /tmp/output.txt && (echo 'Idempotence test: pass' && exit 0) || (echo 'Idempotence test: fail' && exit 1)" | |
| env: | |
| global: | |
| - ANSIBLE_VERSION=2.0.1.0 | |
| matrix: | |
| - PLAYBOOK=app.yml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [app] | |
| app |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| sshd_port: 5133 | |
| sshd_service: "ssh" | |
| sshd_handler_id: "restart sshd" | |
| sshd_pkg: "openssh-server" | |
| sshd_groups: | |
| - name: devops | |
| ssh: | |
| allow_tcp_fwd: True | |
| allow_agent_fwd: True | |
| x11_fwd: True | |
| - name: developers | |
| ssh: | |
| allow_tcp_fwd: True | |
| allow_agent_fwd: True | |
| x11_fwd: True | |
| - name: qa | |
| ssh: | |
| allow_tcp_fwd: True | |
| allow_agent_fwd: False | |
| x11_fwd: False |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| - name: "{{ sshd_handler_id }}" | |
| service: | |
| name={{ sshd_service }} | |
| state=restarted | |
| enabled=yes |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| - name: Install sshd | |
| apt: | |
| name={{ sshd_pkg }} | |
| update_cache=yes | |
| - name: Decrypt sshd_config template | |
| local_action: "shell ansible-vault --vault-password-file {{ lookup('env', 'ANSIBLE_VAULT_PASSWORD_FILE') }} view {{ role_path }}/templates/sshd_config.j2.enc > {{ role_path }}/templates/sshd_config.j2" | |
| changed_when: False | |
| when: "{{ not_travis }}" | |
| - name: Add sshd_config | |
| template: | |
| src=templates/sshd_config.j2 | |
| dest=/etc/ssh/sshd_config | |
| owner=root | |
| group=root | |
| mode=644 | |
| notify: "{{ sshd_handler_id }}" | |
| vars: | |
| all_groups: "{{ sshd_groups }}" | |
| - name: Remove decrypted sshd_config template | |
| local_action: "file path={{ role_path }}/templates/{{ sshd_config_template }} state=absent" | |
| changed_when: False | |
| when: "{{ not_travis }}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| - name: Install sshd | |
| apt: | |
| name={{ sshd_pkg }} | |
| update_cache=yes | |
| - name: Add sshd_config | |
| template: | |
| src=templates/sshd_config.j2 | |
| dest=/etc/ssh/sshd_config | |
| owner=root | |
| group=root | |
| mode=644 | |
| notify: "{{ sshd_handler_id }}" | |
| vars: | |
| all_groups: "{{ sshd_groups }}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # `man sshd_config` to check options | |
| Port {{ sshd_port }} | |
| AddressFamily inet | |
| ListenAddress 0.0.0.0 | |
| Protocol 2 | |
| HostKey /etc/ssh/ssh_host_rsa_key | |
| HostKey /etc/ssh/ssh_host_ecdsa_key | |
| HostKey /etc/ssh/ssh_host_ed25519_key | |
| UsePrivilegeSeparation sandbox | |
| KeyRegenerationInterval 1h | |
| ServerKeyBits 1024 | |
| SyslogFacility AUTHPRIV | |
| LogLevel VERBOSE | |
| PermitRootLogin no | |
| PermitEmptyPasswords no | |
| PasswordAuthentication no | |
| StrictModes yes | |
| LoginGraceTime 30 | |
| MaxAuthTries 5 | |
| MaxSessions 10 | |
| ClientAliveInterval 5 | |
| ClientAliveCountMax 6 | |
| RSAAuthentication yes | |
| PubkeyAuthentication yes | |
| IgnoreRhosts yes | |
| RhostsRSAAuthentication no | |
| HostbasedAuthentication no | |
| ChallengeResponseAuthentication no | |
| UsePAM yes | |
| AllowAgentForwarding no | |
| AllowTcpForwarding no | |
| X11Forwarding no | |
| X11DisplayOffset 10 | |
| Banner none | |
| PrintMotd yes | |
| PrintLastLog yes | |
| TCPKeepAlive no | |
| Subsystem sftp /usr/lib/openssh/sftp-server | |
| AllowGroups {% for group in all_groups %}{% if 'ssh' in group %}{{ group.name }}{% endif %} {% endfor %} | |
| {% for group in all_groups %} | |
| {% if 'ssh' in group %} | |
| Match Group {{ group.name }} | |
| {% if 'allow_tcp_fwd' in group.ssh %}AllowTcpForwarding {{ 'yes' if group.ssh.allow_tcp_fwd else 'no' }}{% endif %} | |
| {% if 'x11_fwd' in group.ssh %}X11Forwarding {{ 'yes' if group.ssh.x11_fwd else 'no' }}{% endif %} | |
| {% if 'allow_agent_fwd' in group.ssh %}AllowAgentForwarding {{ 'yes' if group.ssh.allow_agent_fwd else 'no' }}{% endif %} | |
| {% endif %} | |
| {% endfor %} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sudo: required | |
| dist: trusty | |
| language: python | |
| python: '2.7' | |
| addons: | |
| hosts: | |
| - app | |
| before_install: | |
| - sudo apt-get update -qq | |
| - sudo apt-get install -qq python-apt | |
| - openssl aes-256-cbc -k "$vault_file_pass" -in vault_pass_file.enc -out vault_pass_file -d | |
| - ${TRAVIS_BUILD_DIR}/.travis/sensitive_data.sh decrypt | |
| install: | |
| - pip install ansible==${ANSIBLE_VERSION} | |
| script: | |
| - "ANSIBLE_VAULT_PASSWORD_FILE=vault_pass_file ansible-playbook -i inventories/dev ${PLAYBOOK} --syntax-check --extra-vars='{\"disable_log\": \"yes\"}'" | |
| - "ANSIBLE_VAULT_PASSWORD_FILE=vault_pass_file ansible-playbook -i inventories/dev ${PLAYBOOK} --connection=local --become --extra-vars='{\"disable_log\": \"yes\"}'" | |
| - "ANSIBLE_VAULT_PASSWORD_FILE=vault_pass_file ansible-playbook -i inventories/dev ${PLAYBOOK} --connection=local --become --extra-vars='{\"disable_log\": \"yes\"}' | tee /tmp/output.txt; grep -q 'changed=0.*failed=0' /tmp/output.txt && (echo 'Idempotence test: pass' && exit 0) || (echo 'Idempotence test: fail' && exit 1)" | |
| after_script: | |
| ${TRAVIS_BUILD_DIR}/.travis/sensitive_data.sh clean | |
| - shred vault_pass_file | |
| env: | |
| global: | |
| - secure: DtNbh7+iKwx0HFc+RZoxhmIspTpkcKTJnH7gS1fiXut+UQ0fTeR2JfRvNMxUMrCy9o0R07VyEo3hwjmtClZrUsLnicbJKRcesNTC1KKrZWsHJWxX/XODrjIMd2ag7jlhLrvKfhDT4OIP20Q6gjFk8vM7CVGGzEmYdth+MrgwiFfKN+YcWqDPv4wYTEDf3S53FYC7uVMfE1tpq4mHUNfv+B4cYmuzP9LOF5lJ7DwLUf129oQOdJJXMBBubPwuWK0oaB3e6fqhbxuIq1tuJBxX8SppiFx8Gd//wZStl1D5M+0MHnxwCb4DOSDtOCPxeV/Hk5xbNTPCYOLll978egDUBnUQykjwvQb3gvOJrjdTzAfQ5XT5TKT7KW/gg6dYIhtOiLdwAuuxbsWATJJ808UgZGZ/u4OxqdZ/E5EJdquLDw99pb5SYM/eAv2R4/Kms/rEPxTXyZLfr0Y5jjjZa8tpj6Kf/L7zk++GJ9BHn5qfsQDfKCMsPWe0UFT27j7JRMQKFv03GA529FhTyX6lNlKhC/KgfxPYlZZRjjjtbgsadEHsajw3bej6tFAPHHDCtMS9SYSoOcdpAc7vSNmNKkotAbALMW5fusJKiVmOwIBD6p42NAaFbpbS0Bslf+BCstRMmjHZBCQXvyiZtXD0vgdY9uRR2ZNQJSLiAW5hbnmjpfw= | |
| - ANSIBLE_VERSION=2.0.1.0 | |
| matrix: | |
| - PLAYBOOK=app.yml |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment