Initial commit

2021-04-09 19:57:32 +02:00 · 2021-04-09 19:57:32 +02:00 · fecc1d77d4
commit fecc1d77d4
25 changed files with 637 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+hcloud/
--- a/README.md
+++ b/README.md
@ -0,0 +1,101 @@
+# mini-beieli-server - Bienenstock Ueberwachung
+
+Code zum Erstellen des Servers
+
+Spezifikaktion:
+- CentOS 8
+- Hetzner Cloud Server
+- nginx Webserver/Proxy
+- mini-beieli-web (Webapplikation/Golang)
+- lorahandler (Webapplikation/Golang)
+- Redis
+- InfluxDB
+
+## Erstellen des Servers
+
+Mit dem Binary hcloud von:
+https://github.com/hetznercloud/cli
+
+Temporaer einen API Key erstellen (nachher wieder loeschen)
+
+$ hcloud context create mini-beieli-server
+$ hcloud image list                          # zeigt moegliche Images
+$ hcloud server-type list                    # zeigt moegliche Typen
+
+$ hcloud server create --name mb1 --image centos-8 --type cx11 --ssh-key joerg@cinnamon.nbit.ch
+$ hcloud server set-rdns mb1 --hostname mb1.nbit.ch
+$ IPV6="$(hcloud server ip mb1 -6)"
+$ hcloud server set-rdns mb1 --ip $IPV6 --hostname mb1.nbit.ch
+
+DNS Eintraege erstellen:
+$ hcloud server ip mb1 
+$ hcloud server ip mb1 -6                     
+
+Root-Passwort setzen (das machen wir von Hand)
+
+## Ansible Playbook laufen lassen
+
+$ cd ansible
+$ ansible-playbook -i production mini-beieli-server.yml --limit mb1.mini-beieli.ch  # or mb2.mini-beieli.ch
+
+Mailzugang muss auf mail.nbit.ch noch gegeben werden (main.cf)!
+
+
+
+Root-Passwort setzen (das machen wir von Hand)
+
+`
+# yum update
+`
+
+### Let's Encrypt Zertifikat einrichten
+
+`
+# curl https://get.acme.sh | sh -s email=info@nbit.ch
+# systemctl stop nginx
+# acme.sh --issue -d mini-beieli.ch -d www.mini-beieli.ch -w /home/appuser/wo-bisch-web --standalone
+# restorecon -irv /etc/letsencrypt
+
+
+[Sa Feb 27 17:27:34 CET 2021] Your cert is in  /root/.acme.sh/mini-beieli.ch/mini-beieli.ch.cer 
+[Sa Feb 27 17:27:34 CET 2021] Your cert key is in  /root/.acme.sh/mini-beieli.ch/mini-beieli.ch.key 
+[Sa Feb 27 17:27:34 CET 2021] The intermediate CA cert is in  /root/.acme.sh/mini-beieli.ch/ca.cer 
+[Sa Feb 27 17:27:34 CET 2021] And the full chain certs is there:  /root/.acme.sh/mini-beieli.ch/fullchain.cer 
+
+Install Certificate:
+# acme.sh --install-cert -d mini-beieli.ch --key-file /etc/letsencrypt/mini-beieli.ch/mini-beieli.ch.key --fullchain-file /etc/letsencrypt/mini-beieli.ch/fullchain.cer --reloadcmd  "service nginx force-reload"
+`
+
+### Influxdb Users
+
+mb1:
+
+admin: admin7355
+Org: minibeieliorg
+Bucket: minibeielibucket
+RW-Token: 
+RO-Token:
+
+mb2:
+
+admin: admin7355
+Org: minibeieliorg
+Bucket: minibeielibucket
+RW-Token: 
+RO-Token: 
+
+## Redis Dump
+
+Backup/Restore Tool fuer Redis von https://github.com/yannh/redis-dump-go
+
+`
+# cd /var/tmp && wget https://github.com/yannh/redis-dump-go/releases/download/v0.4.1/redis-dump-go-linux-amd64.tar.gz
+# tar xzvf redis-dump-go-linux-amd64.tar.gz
+# cp redis-dump-go /usr/local/bin
+
+Zum Backup:
+$ redis-dump-go -output commands >redis-backup-$(date +%Y%m%W).out
+
+Zum Restore:
+$ redis-cli --pipe < redis-backup.out
+`
--- a/ansible/mini-beieli-server.yml
+++ b/ansible/mini-beieli-server.yml
@ -0,0 +1,13 @@
+---
+# file: mini-beieli-server.yml
+- hosts: mini_beieli_servers
+  vars:
+    ansible_ssh_pipelining: yes
+  roles:
+    - common
+    - aide
+    - nginx
+    - redis
+    - influxsw
+    - lorahandler
+    - mini-beieli-web
--- a/ansible/production
+++ b/ansible/production
@ -0,0 +1,12 @@
+[all:vars]
+ansible_user=root
+my_domain=mini-beieli.ch
+zabbix_server_ip=195.201.222.24
+mailserver=mail.nbit.ch
+mail_forward_address=joerg.lehmann@nbit.ch
+document_root=/home/beieli/mini-beieli-web
+
+[mini_beieli_servers]
+mb1.mini-beieli.ch letsEncryptDomain=dev.mini-beieli.ch influx_token=XXX
+mb2.mini-beieli.ch letsEncryptDomain=mini-beieli.ch influx_token=YYY
+
--- a/ansible/roles/aide/files/aide-update
+++ b/ansible/roles/aide/files/aide-update
@ -0,0 +1,4 @@
+#!/bin/bash
+/usr/sbin/aide -c /etc/aide.conf --init
+/bin/cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
+
--- a/ansible/roles/aide/files/aide.conf.local
+++ b/ansible/roles/aide/files/aide.conf.local
@ -0,0 +1 @@
+!/root/.ansible/tmp
--- a/ansible/roles/aide/handlers/main.yml
+++ b/ansible/roles/aide/handlers/main.yml
@ -0,0 +1,3 @@
+---
+- name: update aide database
+  action: command /usr/local/bin/aide-update
--- a/ansible/roles/aide/tasks/main.yml
+++ b/ansible/roles/aide/tasks/main.yml
@ -0,0 +1,42 @@
+---  
+- name: Install aide
+  yum: 
+    name: aide
+
+- name: Remove all the current ignore list in aide.conf
+  lineinfile:
+    dest: /etc/aide.conf
+    backup: yes
+    regexp: "^#!|!/"
+    state: absent 
+
+- name: change up aide.conf to standards set in aide_ignore_list var
+  lineinfile:
+    dest: /etc/aide.conf
+    line: "@@include /etc/aide.conf.local"
+    insertafter: EOF
+    state: present
+
+- name: copy aide.conf.local
+  copy:
+    src: aide.conf.local
+    dest: /etc/aide.conf.local
+    mode: '0600'
+
+- name: copy aide-update script
+  copy:
+    src: aide-update
+    dest: /usr/local/bin/aide-update
+    mode: '0755'
+
+- name:  Add crontab to check aide nightly
+  cron:
+    cron_file: aide_check
+    user: root
+    name: "Check Aide DB nightly"
+    hour: "23"
+    minute: "45"
+    job: "/usr/sbin/aide --check" 
+
+  notify: 
+    - update aide database
--- a/ansible/roles/common/files/jail.local
+++ b/ansible/roles/common/files/jail.local
@ -0,0 +1,2 @@
+[sshd]
+enabled = true
--- a/ansible/roles/common/handlers/main.yml
+++ b/ansible/roles/common/handlers/main.yml
@ -0,0 +1,30 @@
+---
+- name: Restart ssh
+  service: 
+    name=sshd
+    state=restarted
+
+- name: Restart zabbix-agent
+  service: 
+    name=zabbix-agent
+    state=restarted
+
+- name: Restart postfix
+  service: 
+    name=postfix
+    state=restarted
+
+- name: Restart fail2ban
+  service: 
+    name=fail2ban
+    state=restarted
+
+- name: reload firewalld
+  systemd: 
+    name=firewalld
+    state=reloaded
+
+- name: Restore selinux context
+  command: restorecon -irv /home/beieli/mini-beieli-web
+
+
--- a/ansible/roles/common/tasks/main.yml
+++ b/ansible/roles/common/tasks/main.yml
@ -0,0 +1,172 @@
+---
+- name: install basic packages
+  yum:
+    name: "{{ packages }}"
+  vars:
+    packages:
+    - langpacks-en 
+    - langpacks-de 
+    - glibc-all-langpacks
+    - podman
+    - sysstat
+    - mailx
+    - bind-utils
+    - epel-release
+    - setroubleshoot-server
+    - socat
+    - unzip
+    - wget
+    - git
+    - bzip2
+
+- name: Enable SELinux
+  selinux:
+    policy: targeted
+    state: enforcing
+
+- name: disable kdump
+  systemd:
+    name: kdump
+    enabled: no
+
+- name: Add Group beieli
+  group:
+    name: beieli
+    gid: 1000
+    state: present
+
+- name: Add User beieli
+  user:
+    name: beieli
+    shell: /bin/bash
+    uid: 1000
+    group: beieli
+    
+- name: Change permission of /home/beieli
+  file:
+    path: /home/beieli
+    state: directory
+    owner: beieli
+    group: beieli
+    mode: '0755'
+
+- name: Create /home/beieli/mini-beieli-web
+  file:
+    path: /home/beieli/mini-beieli-web
+    state: directory
+    owner: beieli
+    group: beieli
+    mode: '0755'
+
+- name: Allow apache to read files in /home/beieli/mini-beieli-web
+  sefcontext:
+    target: '/home/beieli/mini-beieli-web(/.*)?'
+    setype: httpd_sys_content_t
+    state: present
+  notify:
+    - Restore selinux context
+
+- name: allow root SSH with key only
+  lineinfile: dest=/etc/ssh/sshd_config
+              regexp="^PermitRootLogin"
+              line="PermitRootLogin without-password"
+              state=present
+  notify: Restart ssh
+
+- name: create /etc/hosts from template
+  template:
+    src: hosts.j2
+    dest: /etc/hosts
+    owner: root
+    group: root
+    backup: yes
+    mode: '0644'
+
+- name: install zabbix agent
+  yum:
+    name: zabbix40-agent
+
+- name: enable zabbix agent
+  systemd:
+    name: zabbix-agent
+    enabled: yes
+
+- name: zabbix config
+  lineinfile: dest=/etc/zabbix/zabbix_agentd.conf
+              regexp="^Server="
+              line="Server={{ zabbix_server_ip }}"
+              state=present
+  notify: Restart zabbix-agent
+
+- name: install postfix
+  yum:
+    name: postfix
+
+- name: enable postfix
+  systemd:
+    name: postfix
+    enabled: yes
+
+- name: postfix config
+  lineinfile: dest=/etc/postfix/main.cf
+              regexp="^relayhost"
+              line="relayhost = [{{ mailserver }}]:25"
+              state=present
+  notify: Restart postfix
+
+- name: postfix config
+  lineinfile: dest=/etc/postfix/main.cf
+              regexp="^myhostname"
+              line="myhostname = {{ ansible_hostname }}.{{ my_domain }}"
+              state=present
+  notify: Restart postfix
+
+- name: create .forward file
+  copy:
+    dest: "/root/.forward"
+    content: "{{ mail_forward_address }}\n"
+
+- name: install fail2ban
+  yum:
+    name: fail2ban
+
+- name: enable fail2ban
+  systemd:
+    name: fail2ban
+    enabled: yes
+
+- name: copy fail2ban config
+  copy:
+    src: jail.local
+    dest: /etc/fail2ban/jail.local
+    mode: '0644'
+  notify: Restart fail2ban
+
+- name: setup firewalld rules - services
+  firewalld:
+    service: "{{ item }}"
+    permanent: yes
+    state: enabled
+  loop:
+    - ssh
+    - http
+    - https
+  notify: reload firewalld
+
+- name: setup firewalld rules - remove services
+  firewalld:
+    service: "{{ item }}"
+    permanent: yes
+    state: disabled
+  loop:
+    - cockpit
+  notify: reload firewalld
+
+- name: setup firewalld rules - ports
+  firewalld:
+    port: "{{ item }}"
+    permanent: yes
+    state: enabled
+  loop:
+    - 10050/tcp
+  notify: reload firewalld
--- a/ansible/roles/common/templates/hosts.j2
+++ b/ansible/roles/common/templates/hosts.j2
@ -0,0 +1,16 @@
+# Your system has configured 'manage_etc_hosts' as True.
+# As a result, if you wish for changes to this file to persist
+# then you will need to either
+# a.) make changes to the master file in /etc/cloud/templates/hosts.redhat.tmpl
+# b.) change or remove the value of 'manage_etc_hosts' in
+#     /etc/cloud/cloud.cfg or cloud-config from user-data
+# 
+# The following lines are desirable for IPv4 capable hosts
+{{ ansible_default_ipv4.address }} {{ ansible_hostname }}.{{ my_domain }} {{ ansible_hostname }}
+127.0.0.1 localhost.localdomain localhost
+127.0.0.1 localhost4.localdomain4 localhost4
+
+# The following lines are desirable for IPv6 capable hosts
+{{ ansible_default_ipv6.address }} {{ ansible_hostname }}.{{ my_domain }} {{ ansible_hostname }}
+::1 localhost.localdomain localhost
+::1 localhost6.localdomain6 localhost6
--- a/ansible/roles/influxsw/handlers/main.yml
+++ b/ansible/roles/influxsw/handlers/main.yml
@ -0,0 +1,5 @@
+---
+- name: Restart telegraf
+  service: 
+    name=telegraf
+    state=restarted
--- a/ansible/roles/influxsw/tasks/main.yml
+++ b/ansible/roles/influxsw/tasks/main.yml
@ -0,0 +1,33 @@
+---  
+- name: Add repository
+  yum_repository:
+    name: influxrepo
+    description: InfluxDB Repository - RHEL
+    baseurl: https://repos.influxdata.com/rhel/8/x86_64/stable/
+    gpgkey: https://repos.influxdata.com/influxdb.key
+    gpgcheck: yes
+
+- name: Install influx packages
+  yum: 
+    name: "{{ item }}"
+  loop:
+    - telegraf
+    - influxdb2
+
+- name: enable telegraf
+  systemd:
+    name: telegraf
+    enabled: yes
+
+- name: enable influxdb
+  systemd:
+    name: influxdb
+    enabled: yes
+    state: started
+
+- name: create telegraf config from template
+  template:
+    src: telegraf.conf.j2
+    dest: /etc/telegraf/telegraf.conf
+    mode: '0644'
+  notify: Restart telegraf
--- a/ansible/roles/influxsw/templates/telegraf.conf.j2
+++ b/ansible/roles/influxsw/templates/telegraf.conf.j2
@ -0,0 +1,31 @@
+[global_tags]
+
+# Configuration for telegraf agent
+[agent]
+  interval = "10s"
+  round_interval = true
+  metric_batch_size = 1000
+  metric_buffer_limit = 100000
+  collection_jitter = "0s"
+  flush_interval = "10s"
+  flush_jitter = "0s"
+  precision = ""
+  debug = false
+  quiet = false
+  logfile = ""
+  hostname = ""
+  omit_hostname = false
+
+[[inputs.tail]]
+  files = ["/home/beieli/mini-beieli-lorahandler/mini-beieli-lorahandler.log"]
+  from_beginning = false
+  pipe = false
+  tagexclude = ["path","host"]
+  data_format = "influx"
+
+# Configuration for sending metrics to InfluxDB 2.0
+[[outputs.influxdb_v2]]
+  urls = ["http://127.0.0.1:8086"]
+  token = "{{ influx_token }}"
+  organization = "minibeieliorg"
+  bucket = "minibeielibucket"
--- a/ansible/roles/mini-beieli-lorahandler/handlers/main.yml
+++ b/ansible/roles/mini-beieli-lorahandler/handlers/main.yml
@ -0,0 +1,3 @@
+---
+- name: Restore selinux context
+  command: restorecon -irv /home/beieli
--- a/ansible/roles/mini-beieli-lorahandler/tasks/main.yml
+++ b/ansible/roles/mini-beieli-lorahandler/tasks/main.yml
@ -0,0 +1,15 @@
+---
+- name: Allow apache to read files in /home/beieli/mini-beieli-web
+  sefcontext:
+    target: '/home/beieli/mini-beieli-web(/.*)?'
+    setype: httpd_sys_content_t
+    state: present
+  notify:
+    - Restore selinux context
+
+- name: set SELinux permissions on binary
+  sefcontext:
+    target: "/home/beieli/mini-beieli-lorahandler/mini-beieli-lorahandler"
+    setype: bin_t
+  notify:
+    - Restore selinux context
--- a/ansible/roles/mini-beieli-web/handlers/main.yml
+++ b/ansible/roles/mini-beieli-web/handlers/main.yml
@ -0,0 +1,3 @@
+---
+- name: Restore selinux context
+  command: restorecon -irv /home/beieli
--- a/ansible/roles/mini-beieli-web/tasks/main.yml
+++ b/ansible/roles/mini-beieli-web/tasks/main.yml
@ -0,0 +1,7 @@
+---  
+- name: set SELinux permissions on binary
+  sefcontext:
+    target: "/home/beieli/mini-beieli-web/mini-beieli-web"
+    setype: bin_t
+  notify:
+    - Restore selinux context
--- a/ansible/roles/nginx/handlers/main.yml
+++ b/ansible/roles/nginx/handlers/main.yml
@ -0,0 +1,5 @@
+---
+- name: Restart nginx
+  service: 
+    name=nginx
+    state=restarted
--- a/ansible/roles/nginx/tasks/main.yml
+++ b/ansible/roles/nginx/tasks/main.yml
@ -0,0 +1,27 @@
+---  
+- name: Install nginx
+  yum: 
+    name: nginx
+
+- name: enable nginx
+  systemd:
+    name: nginx
+    enabled: yes
+    state: started
+
+- name: create /etc/nginx/nginx.conf from template
+  template:
+    src: nginx.conf.j2
+    dest: /etc/nginx/nginx.conf
+    owner: root
+    group: root
+    mode: '0644'
+  notify: Restart nginx
+
+- name: Allow apache to read files in /etc/letsencrypt/{{ letsEncryptDomain }}
+  sefcontext:
+    target: '/etc/letsencrypt/{{ letsEncryptDomain }}(/.*)?'
+    setype: httpd_sys_content_t
+    state: present
+  notify:
+    - Restore selinux context
--- a/ansible/roles/nginx/templates/nginx.conf.j2
+++ b/ansible/roles/nginx/templates/nginx.conf.j2
@ -0,0 +1,74 @@
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 2048;
+
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    # GZip Settings
+    gzip on;
+    gzip_vary on;
+    gzip_min_length 10240;
+    gzip_proxied expired no-cache no-store private auth;
+    gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml application/javascript;
+    gzip_disable "MSIE [1-6]\.";
+
+    server {
+        listen       80 default_server;
+        listen       [::]:80 default_server;
+        server_name  _;
+
+        return 301   https://{{ letsEncryptDomain }}$request_uri;
+
+    }
+
+
+    server {
+        server_name  mini-beieli.ch;
+        root         {{ document_root }}/static;
+
+        error_page 502 /502.html;
+
+        location /lorahandler {
+            proxy_pass http://127.0.0.1:8080;
+        }
+
+        location /static {
+            autoindex off;
+            root {{ document_root }}/;
+            expires 30d;
+        }
+
+        location / { try_files $uri @mini-beieli; }
+        location @mini-beieli {
+            proxy_pass http://127.0.0.1:4000;
+        }
+
+        listen [::]:443 ssl ipv6only=on; 
+        listen 443 ssl; 
+        ssl_certificate /etc/letsencrypt/{{ letsEncryptDomain }}/fullchain.cer;
+        ssl_certificate_key /etc/letsencrypt/{{ letsEncryptDomain }}/{{ letsEncryptDomain }}.key;
+    }
+
+}
--- a/ansible/roles/nginx/templates/vhost.j2
+++ b/ansible/roles/nginx/templates/vhost.j2
@ -0,0 +1,18 @@
+server {
+   server_name www.{{ my_domain }};
+   root /opt/nginx/www.linuxtechwhiz.info;
+
+   location / {
+       index index.html index.htm index.php;
+   }
+
+   access_log /var/log/nginx/www.linuxtechwhiz.info.access.log;
+   error_log /var/log/nginx/www.linuxtechwhiz.info.error.log;
+
+   location ~ \.php$ {
+      include /etc/nginx/fastcgi_params;
+      fastcgi_pass 127.0.0.1:9000;
+      fastcgi_index index.php;
+      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+   }
+}
--- a/ansible/roles/nginx/templates/vserver.conf.j2
+++ b/ansible/roles/nginx/templates/vserver.conf.j2
@ -0,0 +1,9 @@
+server {
+        listen 80;
+        listen [::]:80;
+        root {{ document_root }};
+        server_name {{ ansible_hostname }}.{{ my_domain }};
+        location / {
+                try_files $uri $uri/ =404;
+        }
+}
--- a/ansible/roles/redis/tasks/main.yml
+++ b/ansible/roles/redis/tasks/main.yml
@ -0,0 +1,10 @@
+---  
+- name: Install redis
+  yum: 
+    name: redis
+
+- name: enable redis
+  systemd:
+    name: redis
+    enabled: yes
+    state: started