intsrv
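apt install -y ansible
# Controller key pair; ssh-copy-id pushes the public half to the managed host.
ssh-keygen -t ecdsa
# NOTE(review): the login target is garbled in this copy ("[email protected]");
# it should be root@<managed host>, i.e. the host listed in /etc/ansible/hosts.
ssh-copy-id [email protected]
# -p: creates the whole tree in one call and is safe to re-run (plain mkdir
# fails on an existing directory). Brace expansion needs bash.
mkdir -p /etc/ansible/roles/ssl/{files,tasks} \
         /etc/ansible/roles/web/{files,handlers,tasks} \
         /etc/ansible/roles/ftp/{files,handlers,tasks}
vi /etc/ansible/hosts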
#####
# Inventory group "server". The playbook runs with `hosts: all`, so every
# host listed here is configured.
[server]
site2.skill39.local
#####
# Playbook entry point; its content follows between the ##### markers.
vi /etc/ansible/playbook.yml
#####
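---
# Entry point: roles ssl -> web -> ftp run in that order on every inventory
# host; the trailing task then notifies both restart handlers so the services
# pick up the freshly deployed certificate and configuration.
- hosts: all
  gather_facts: false
  vars_prompt:
    - name: sitename
      prompt: "Please enter the sitename"
      private: false

  # sitename is interpolated unquoted into LDAP DNs and filters and into the
  # Apache and ProFTPD configs; restrict it to a DNS label so a stray
  # character cannot break or change the meaning of those files.
  pre_tasks:
    - name: Validate sitename
      assert:
        that:
          - sitename is match('^[A-Za-z0-9-]+$')
        msg: "sitename must be a single DNS label (letters, digits, hyphen)"

  roles:
    - ssl
    - web
    - ftp

  tasks:
    # `command` reports changed on every run, so both handlers always fire;
    # changed_when makes that unconditional restart explicit.
    - name: Restart all service
      command: echo "Restart systemd daemon"
      changed_when: true
      notify:
        - Restart proftpd
        - Restart apache2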
#####
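# Stage the CA chain, wildcard certificate and private key under the ssl role.
# install(1) instead of cp: cp creates the copy with the current umask
# (typically 0644), which would leave the private key readable by every local
# user on the controller.
install -m 0644 /etc/ssl/chain.crt /etc/ansible/roles/ssl/files/ca.crt
install -m 0644 /ca/certs/wild.crt /etc/ansible/roles/ssl/files/wild.crt
install -m 0600 /ca/certs/wild.key /etc/ansible/roles/ssl/files/wild.key
vi /etc/ansible/roles/ssl/tasks/main.yml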
#####
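---
# ssl role: distribute the CA chain, wildcard certificate and private key
# staged under roles/ssl/files/ to /etc/ssl/ on the managed host.
- name: Copy chain file
  copy:
    src: files/ca.crt
    dest: /etc/ssl/ca.crt
    owner: root
    group: root
    mode: '0644'

- name: Copy certificate file
  copy:
    src: files/wild.crt
    dest: /etc/ssl/wild.crt
    owner: root
    group: root
    mode: '0644'

# Without an explicit mode, `copy` derives the mode of a new file from the
# remote umask, which normally leaves the private key world-readable.
- name: Copy certificate key file
  copy:
    src: files/wild.key
    dest: /etc/ssl/wild.key
    owner: root
    group: root
    mode: '0600'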
#####
# Apache vhost template for the LDAP-protected site (web role).
vi /etc/ansible/roles/web/files/ldap.conf.j2
#####
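# Rendered by the web role to /etc/apache2/sites-available/ldap.conf.
# HTTP Basic auth sends the username and password base64-encoded, so serving
# the protected directory on port 80 would expose directory credentials to
# anyone on the path. Port 80 only redirects; the site itself is TLS-only and
# reuses the certificate material the ssl role places under /etc/ssl/.
<VirtualHost *:80>
    ServerName {{ sitename }}.skill39.local
    Redirect permanent / https://{{ sitename }}.skill39.local/
</VirtualHost>

<VirtualHost *:443>
    # NOTE(review): ssl.conf.j2 names its host {{ sitename }}.skill39.com;
    # confirm the intended domain — two :443 vhosts with the same ServerName
    # would leave only the first loaded one answering.
    ServerName {{ sitename }}.skill39.local
    DocumentRoot /var/www/ldap
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLCertificateFile /etc/ssl/wild.crt
    SSLCertificateKeyFile /etc/ssl/wild.key
    SSLCertificateChainFile /etc/ssl/ca.crt

    <Directory /var/www/ldap>
        AuthType Basic
        AuthName "LDAP Authentication"
        AuthBasicProvider ldap
        # One directive per line: the URL must not wrap. ldaps:// keeps the
        # bind and search traffic to the directory encrypted as well.
        # NOTE(review): mod_ldap validates the directory's server certificate
        # against its own trust store; confirm the issuing CA is trusted
        # (LDAPTrustedGlobalCert) or the binds will fail.
        AuthLDAPURL "ldaps://ldap.skill39.local:636/ou={{ sitename }},dc=skill39,dc=local?sAMAccountName?sub?(objectClass=*)"
        Require valid-user
    </Directory>
</VirtualHost>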
#####
# Apache vhost template for the public TLS site (web role).
vi /etc/ansible/roles/web/files/ssl.conf.j2
#####
# Rendered by the web role to /etc/apache2/sites-available/ssl.conf.
# The stapling cache is server-scoped, so it stays outside the vhost.
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

<VirtualHost *:443>
    # NOTE(review): the LDAP vhost uses {{ sitename }}.skill39.local while
    # this one uses .skill39.com — confirm the intended domain.
    ServerName {{ sitename }}.skill39.com
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Certificate material deployed by the ssl role to /etc/ssl/.
    SSLEngine on
    SSLCertificateFile /etc/ssl/wild.crt
    SSLCertificateKeyFile /etc/ssl/wild.key
    SSLCertificateChainFile /etc/ssl/ca.crt
    SSLUseStapling on

    # Expose the standard SSL_* variables to script handlers.
    # NOTE(review): Debian's default-ssl.conf writes this pattern with a
    # single backslash ("\.(...)$"); confirm the double backslash is intended.
    <FilesMatch "\\.(?:cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
</VirtualHost>
#####
# Index page template for the LDAP-protected document root (/var/www/ldap).
vi /etc/ansible/roles/web/files/private.html.j2
#####
{{ sitename }} auth web service
#####
# Index page template for the public document root (/var/www/html).
vi /etc/ansible/roles/web/files/public.html.j2
#####
{{ sitename }} web service
#####
# Handlers for the web role (notified by name from the playbook).
vi /etc/ansible/roles/web/handlers/main.yml
#####
---
# web role handlers; "Restart apache2" is notified by name from the play.
- name: Restart apache2
  systemd:
    state: restarted
    name: apache2
#####
# Task list for the web role (apache2, modules, templates, sites).
vi /etc/ansible/roles/web/tasks/main.yml
#####
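---
# web role: apache2 with an LDAP-protected vhost and a TLS vhost.
- name: Install apache2
  apt:
    name: apache2
    state: present

# `creates` makes the enable steps idempotent: a2enmod/a2ensite drop a
# symlink into mods-enabled/sites-enabled, so once it exists the task is
# skipped instead of reporting "changed" on every run. Enabling a module
# needs a restart, hence the notify.
- name: Enable authentication module
  command: /usr/sbin/a2enmod ssl ldap authnz_ldap
  args:
    creates: /etc/apache2/mods-enabled/authnz_ldap.load
  notify: Restart apache2

- name: Create document root
  file:
    path: /var/www/ldap
    state: directory
    mode: '0755'

- name: Copy public html file
  template:
    src: files/public.html.j2
    dest: /var/www/html/index.html

- name: Copy private html file
  template:
    src: files/private.html.j2
    dest: /var/www/ldap/index.html

# Config changes notify the handler so apache2 restarts only when a rendered
# file actually changed (the playbook's unconditional restart task remains
# a safety net).
- name: Set up LDAP authentication
  template:
    src: files/ldap.conf.j2
    dest: /etc/apache2/sites-available/ldap.conf
  notify: Restart apache2

- name: Set up SSL
  template:
    src: files/ssl.conf.j2
    dest: /etc/apache2/sites-available/ssl.conf
  notify: Restart apache2

- name: Enable new site
  command: /usr/sbin/a2ensite ldap ssl
  args:
    creates: /etc/apache2/sites-enabled/ssl.conf
  notify: Restart apache2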
#####
# ProFTPD mod_ldap configuration template (ftp role).
vi /etc/ansible/roles/ftp/files/ldap.conf.j2
#####
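# Rendered by the ftp role to /etc/proftpd/ldap.conf.
<IfModule mod_ldap.c>
  # ldaps:// on 636: the directory connection is encrypted from the start.
  LDAPServer ldaps://ldap.skill39.local:636/??sub
  LDAPAttr uid sAMAccountName
  LDAPAttr homeDirectory unixhomedirectory
  LDAPProtocolVersion 3
  # Base DN and filter belong on one line; the original wrapped the filter
  # onto a second line, which would most likely be parsed as a separate
  # (invalid) directive.
  # NOTE(review): no LDAPBindDN is set, so lookups run as an anonymous bind;
  # confirm the directory permits anonymous search under this OU.
  LDAPUsers "ou={{ sitename }},dc=skill39,dc=local" "(&(objectClass=user)(sAMAccountName=%u))"
  LDAPLog /var/log/proftpd/ldap.log
  # 770 makes home directories group-writable; check that group write is required.
  CreateHome on 770
  LDAPGenerateHomedir on 770
  # Verbose logging — useful while bringing the service up, lower it afterwards.
  DebugLevel 3
  # NOTE(review): LDAPUseTLS requests STARTTLS on the connection, but the
  # LDAPServer URL is already ldaps://; confirm this mod_ldap version accepts
  # both together rather than failing the connection.
  LDAPUseTLS on
</IfModule>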
#####
# Pull the three existing ProFTPD config files from 192.168.0.1 into the ftp
# role's files dir. Brace expansion happens locally, so scp receives three
# remote sources in a single invocation.
scp 192.168.0.1:/etc/proftpd/{modules.conf,proftpd.conf,tls.conf} /etc/ansible/roles/ftp/files
vi /etc/ansible/roles/ftp/handlers/main.yml
#####
---
# ftp role handlers; "Restart proftpd" is notified by name from the play.
- name: Restart proftpd
  systemd:
    state: restarted
    name: proftpd
#####
# Task list for the ftp role (proftpd packages and configuration).
vi /etc/ansible/roles/ftp/tasks/main.yml
#####
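---
# ftp role: ProFTPD with LDAP-backed users. proftpd.conf, modules.conf and
# tls.conf are copied verbatim from the existing server; ldap.conf is
# rendered per site.
- name: Install proftpd
  apt:
    name:
      - proftpd
      - proftpd-mod-crypto
      - proftpd-mod-ldap
    state: present

# Each config change notifies the proftpd handler so the daemon restarts
# when a file actually changed (the playbook's unconditional restart task
# remains a safety net).
- name: Copy proftpd.conf file
  copy:
    src: files/proftpd.conf
    dest: /etc/proftpd/proftpd.conf
  notify: Restart proftpd

- name: Copy modules.conf file
  copy:
    src: files/modules.conf
    dest: /etc/proftpd/modules.conf
  notify: Restart proftpd

- name: Copy tls.conf file
  copy:
    src: files/tls.conf
    dest: /etc/proftpd/tls.conf
  notify: Restart proftpd

- name: Copy ldap.conf file
  template:
    src: files/ldap.conf.j2
    dest: /etc/proftpd/ldap.conf
  notify: Restart proftpd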
#####
# Run from /etc/ansible so the relative playbook path (and the roles/ tree
# next to it) resolve; the sitename prompt appears at start.
cd /etc/ansible
ansible-playbook playbook.yml