From 36183579aa48bd9207237ac69d666f0f222cfc1d Mon Sep 17 00:00:00 2001 
From: Trygve Laugstøl Date: Fri, 21 Dec 2018 07:36:22 +0100 Subject: elasticsearch --- .gitmodules | 3 + ansible/ansible.cfg | 1 + ansible/elasticsearch.yml | 64 ++++++++++++++++++++ .../elasticsearch-server/tasks/main.yml | 17 ++++++ .../strongswan/files/swanctl/CA/ca-cert.der | Bin 0 -> 834 bytes .../strongswan/files/swanctl/CA/ca-key.der | Bin 0 -> 1191 bytes .../files/swanctl/arius/rsa/arius-key.der | Bin 0 -> 1190 bytes .../files/swanctl/arius/x509/arius-cert.der | Bin 0 -> 806 bytes .../strongswan/roles/strongswan-rw/tasks/main.yml | 21 +++++++ .../roles/strongswan-rw/templates/swanctl.conf | 34 +++++++++++ ansible/experiments/strongswan/strongswan-rw.yml | 9 +++ .../experiments/strongswan/strongswan-server.yml | 67 +++++++++++++++++++++ ansible/experiments/strongswan/strongswan-vars.yml | 7 +++ ansible/experiments/strongswan/strongswan.md | 18 ++++++ ansible/host_vars/fuckaduck/elasticsearch.yml | 4 ++ ansible/inventory | 5 ++ .../files/swanctl/CA/ca-cert.der | Bin 834 -> 0 bytes .../files/swanctl/CA/ca-key.der | Bin 1191 -> 0 bytes .../files/swanctl/arius/rsa/arius-key.der | Bin 1190 -> 0 bytes .../files/swanctl/arius/x509/arius-cert.der | Bin 806 -> 0 bytes .../roles/strongswan-rw/tasks/main.yml | 21 ------- .../roles/strongswan-rw/templates/swanctl.conf | 34 ----------- ansible/strongswan-experiment/strongswan-rw.yml | 9 --- .../strongswan-experiment/strongswan-server.yml | 67 --------------------- ansible/strongswan-experiment/strongswan-vars.yml | 7 --- ansible/strongswan-experiment/strongswan.md | 18 ------ ansible/thirdparty/ansible-elasticsearch | 1 + 27 files changed, 251 insertions(+), 156 deletions(-) create mode 100644 ansible/elasticsearch.yml create mode 100644 ansible/experiments/elasticsearch-server/tasks/main.yml create mode 100644 ansible/experiments/strongswan/files/swanctl/CA/ca-cert.der create mode 100644 ansible/experiments/strongswan/files/swanctl/CA/ca-key.der create mode 100644 
ansible/experiments/strongswan/files/swanctl/arius/rsa/arius-key.der create mode 100644 ansible/experiments/strongswan/files/swanctl/arius/x509/arius-cert.der create mode 100644 ansible/experiments/strongswan/roles/strongswan-rw/tasks/main.yml create mode 100644 ansible/experiments/strongswan/roles/strongswan-rw/templates/swanctl.conf create mode 100644 ansible/experiments/strongswan/strongswan-rw.yml create mode 100644 ansible/experiments/strongswan/strongswan-server.yml create mode 100644 ansible/experiments/strongswan/strongswan-vars.yml create mode 100644 ansible/experiments/strongswan/strongswan.md create mode 100644 ansible/host_vars/fuckaduck/elasticsearch.yml delete mode 100644 ansible/strongswan-experiment/files/swanctl/CA/ca-cert.der delete mode 100644 ansible/strongswan-experiment/files/swanctl/CA/ca-key.der delete mode 100644 ansible/strongswan-experiment/files/swanctl/arius/rsa/arius-key.der delete mode 100644 ansible/strongswan-experiment/files/swanctl/arius/x509/arius-cert.der delete mode 100644 ansible/strongswan-experiment/roles/strongswan-rw/tasks/main.yml delete mode 100644 ansible/strongswan-experiment/roles/strongswan-rw/templates/swanctl.conf delete mode 100644 ansible/strongswan-experiment/strongswan-rw.yml delete mode 100644 ansible/strongswan-experiment/strongswan-server.yml delete mode 100644 ansible/strongswan-experiment/strongswan-vars.yml delete mode 100644 ansible/strongswan-experiment/strongswan.md create mode 160000 ansible/thirdparty/ansible-elasticsearch diff --git a/.gitmodules b/.gitmodules index 4e2cc60..49861e4 100644 --- a/.gitmodules +++ b/.gitmodules @@ -4,3 +4,6 @@ [submodule "ansible/misc/ansible-vault-tools"] path = ansible/misc/ansible-vault-tools url = https://github.com/building5/ansible-vault-tools +[submodule "ansible/thirdparty/ansible-elasticsearch"] + path = ansible/thirdparty/ansible-elasticsearch + url = https://github.com/elastic/ansible-elasticsearch 
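Review bot: The new `ansible/thirdparty/ansible-elasticsearch` submodule is third-party code that the playbook in this same commit then runs with `become: yes` on `elasticsearch-servers`, so whatever commit it resolves to is effectively privileged code pulled from GitHub. Pinning to a specific commit (the `Subproject commit f89f56b…` entry at the end of the patch) is the right shape, but nothing records which upstream release that hash corresponds to, so a later `git submodule update --remote` silently changes what runs as root. I would add a comment next to the entry, e.g. `# pinned to elastic/ansible-elasticsearch <tag>; review upstream diff before bumping`, so bumps stay deliberate and reviewable. The `https://` URL is fine.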
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg index 4c70c17..44749f8 100644 --- a/ansible/ansible.cfg +++ b/ansible/ansible.cfg @@ -5,3 +5,4 @@ inventory = ./inventory nocows = True stdout_callback = debug vault_password_file = vault-password +roles_path = roles:thirdparty diff --git a/ansible/elasticsearch.yml b/ansible/elasticsearch.yml new file mode 100644 index 0000000..670bbe1 --- /dev/null +++ b/ansible/elasticsearch.yml @@ -0,0 +1,64 @@ +- hosts: + - elasticsearch-servers + tasks: + - name: Create elasticsearch user + become: yes + user: + name: elasticsearch + system: yes + state: "{{ elasticsearch__state }}" + shell: /bin/bash + - become: yes + file: + path: "{{ elasticsearch__data_dir }}" + state: directory + owner: elasticsearch + group: elasticsearch + mode: u=rwx,go=rx + +- hosts: + - elasticsearch-servers + roles: + - ansible-elasticsearch + vars: + es_instance_name: "node1" + es_data_dirs: + - "{{ elasticsearch__data_dir }}" + es_config: + http.port: "{{ elasticsearch__http_port }}" + transport.tcp.port: "{{ elasticsearch__tcp_port }}" + discovery.zen.ping.unicast.hosts: "localhost:9301" + es_api_basic_auth_username: admin + es_api_basic_auth_password: admin + tasks: + - name: enable elasticsearch + tags: elasticsearch + systemd: + name: elasticsearch + state: started + enabled: yes + + - tags: kibana + become: yes + block: + - apt: + name: kibana + install_recommends: false + - lineinfile: + path: /etc/kibana/kibana.yml + #elasticsearch.url: "http://localhost:9200" + regexp: "elasticsearch\\.url" + line: 'elasticsearch.url: "http://localhost:{{ elasticsearch__http_port }}"' + notify: restart kibana + - name: enable kibana + systemd: + name: kibana + state: started + enabled: yes + + handlers: + - name: restart kibana + become: yes + systemd: + name: kibana + state: restarted 
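Review bot: `es_api_basic_auth_username: admin` and `es_api_basic_auth_password: admin` put a default administrative credential in clear text in the playbook, while the repo already has `vault_password_file = vault-password` and the ansible-vault-tools submodule; the password should come from a vaulted variable, e.g. `es_api_basic_auth_password: "{{ vault_elasticsearch_admin_password }}"`, and whether the role uses these at all presumably depends on x-pack security being enabled, which this play does not show. The `elasticsearch` service account is created with `shell: /bin/bash`; a system user that only runs a daemon should get `shell: /usr/sbin/nologin`. The `enable elasticsearch` systemd task in the second play carries no `become: yes`, unlike every other privileged task in the file, so it will presumably fail unless the connection user is already root.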
diff --git a/ansible/experiments/elasticsearch-server/tasks/main.yml b/ansible/experiments/elasticsearch-server/tasks/main.yml new file mode 100644 index 0000000..0019cb6 --- /dev/null +++ b/ansible/experiments/elasticsearch-server/tasks/main.yml @@ -0,0 +1,17 @@ +- become: yes + tags: + - elasticsearch-server + block: + - name: Create elasticsearch user + user: + name: elasticsearch + system: yes + state: "{{ elasticsearch_server__state }}" + shell: /bin/bash + - name: Download ES + when: elasticsearch_server__state == 'present' + get_url: + url: "https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-{{ elasticsearch_server__version }}.tar.gz" + checksum: "{{ elasticsearch_server__checksum }}" + dest: /opt/elasticsearch + mode: u=rwx,go=rx diff --git a/ansible/experiments/strongswan/files/swanctl/CA/ca-cert.der b/ansible/experiments/strongswan/files/swanctl/CA/ca-cert.der new file mode 100644 index 0000000..73e9b45 Binary files /dev/null and b/ansible/experiments/strongswan/files/swanctl/CA/ca-cert.der differ diff --git a/ansible/experiments/strongswan/files/swanctl/CA/ca-key.der b/ansible/experiments/strongswan/files/swanctl/CA/ca-key.der new file mode 100644 index 0000000..740545a Binary files /dev/null and b/ansible/experiments/strongswan/files/swanctl/CA/ca-key.der differ diff --git a/ansible/experiments/strongswan/files/swanctl/arius/rsa/arius-key.der b/ansible/experiments/strongswan/files/swanctl/arius/rsa/arius-key.der new file mode 100644 index 0000000..5c988d9 Binary files /dev/null and b/ansible/experiments/strongswan/files/swanctl/arius/rsa/arius-key.der differ diff --git a/ansible/experiments/strongswan/files/swanctl/arius/x509/arius-cert.der b/ansible/experiments/strongswan/files/swanctl/arius/x509/arius-cert.der new file mode 100644 index 0000000..562c76b Binary files /dev/null and b/ansible/experiments/strongswan/files/swanctl/arius/x509/arius-cert.der differ 
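Review bot: `Download ES` saves the tarball to `dest: /opt/elasticsearch` with `mode: u=rwx,go=rx` — an archive made executable, with no `owner` — and to a path without a file name, so whether it lands as the file `/opt/elasticsearch` or as `/opt/elasticsearch/elasticsearch-<version>.tar.gz` depends on whether a directory already exists there; since the main `elasticsearch.yml` in this commit uses `/opt/elasticsearch/data` as the data dir, that collision looks plausible. Use an explicit file path, e.g. `dest: "/opt/elasticsearch-{{ elasticsearch_server__version }}.tar.gz"`, and `mode: '0644'`. Passing `checksum: "{{ elasticsearch_server__checksum }}"` is good; as in the main playbook, the service user should get `shell: /usr/sbin/nologin` rather than `/bin/bash`. This role lives under `experiments/` and is not referenced by any playbook in the patch, so it may be a leftover worth deleting instead.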
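Review bot: `files/swanctl/CA/ca-key.der` is, per strongswan.md in this commit, the private key of the `Trygvis IO CA`, and `arius/rsa/arius-key.der` is a peer's private key; both are committed to the repository unencrypted (this commit only moves them from `ansible/strongswan-experiment/`, so they are already in history). Anyone with read access to the repository can issue certificates this CA trusts or impersonate `arius`, and the only real remedy is to regenerate the CA and peer keys and treat the current ones as compromised. The repo already uses ansible-vault (`vault_password_file`), so peer keys should at least be vault-encrypted, and the CA key should not be in the tree at all — it is never copied to a host by any task here and is only needed offline by the `pki --issue` step in strongswan.md. Whether the repository is shared or public is not visible from the patch, but a `.gitignore` entry for `files/swanctl/**/*-key.der` and `files/swanctl/CA/ca-key.der` would prevent a repeat.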
diff --git a/ansible/experiments/strongswan/roles/strongswan-rw/tasks/main.yml b/ansible/experiments/strongswan/roles/strongswan-rw/tasks/main.yml new file mode 100644 index 0000000..fb09476 --- /dev/null +++ b/ansible/experiments/strongswan/roles/strongswan-rw/tasks/main.yml @@ -0,0 +1,21 @@ +- name: packages + apt: + name: "{{ item }}" + install_recommends: no + with_items: + - strongswan-swanctl +- name: Install CA certificate + copy: + src=swanctl/CA/ca-cert.der + dest=/etc/swanctl/x509ca/ca-cert.der +- name: Install key + copy: + src=swanctl/{{ inventory_hostname }}/rsa/{{ inventory_hostname }}-key.der + dest=/etc/swanctl/rsa/{{ inventory_hostname }}-key.der +- name: Install certificate + copy: + src=swanctl/{{ inventory_hostname }}/x509/{{ inventory_hostname }}-cert.der + dest=/etc/swanctl/x509/{{ inventory_hostname }}-cert.der +- template: + src: swanctl.conf + dest: /etc/swanctl/conf.d/trygvis.io.conf diff --git a/ansible/experiments/strongswan/roles/strongswan-rw/templates/swanctl.conf b/ansible/experiments/strongswan/roles/strongswan-rw/templates/swanctl.conf new file mode 100644 index 0000000..90d212b --- /dev/null +++ b/ansible/experiments/strongswan/roles/strongswan-rw/templates/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = {{ strongswan_rw[inventory_hostname].local_addrs }} + remote_addrs = {{ strongswan_home_addrs }} + + local { + auth = pubkey + certs = {{ inventory_hostname }}-cert.der + id = {{ inventory_hostname }}.trygvis.io + } + remote { + auth = pubkey + id = {{ strongswan_remote_id }} + } + children { + home { + remote_ts = {{ strongswan_ts }} + +# updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = ca-cert.der + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} 
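Review bot: `Install key` copies `{{ inventory_hostname }}-key.der` into `/etc/swanctl/rsa/` with no `owner`, `group` or `mode`, so the private key is created with whatever the remote umask yields (typically world-readable 0644); add `mode: '0600'`, `owner: root` and `group: root` to that task, and an explicit `mode: '0644'` to the two certificate copies so the intent is visible. None of the tasks notifies a reload, so a changed key or `/etc/swanctl/conf.d/trygvis.io.conf` is not picked up until something runs `swanctl --load-all`; the server playbook in this same commit does notify a restart handler, and this role should do the same. Minor style point: the `copy` tasks use the `key=value` string form while the `template` task uses the YAML dict form — pick one.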
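Review bot: `crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl` in the `authorities` section is the URL from the upstream strongSwan example and points at the strongSwan demo CA's CRL, not at a CRL for the `Trygvis IO CA` whose `ca-cert.der` is installed alongside it, so a revocation check against it can never succeed; either publish a CRL for this CA and reference that, or drop `crl_uris` (as the server config in this commit does) and leave a comment such as `# no CRL published for this CA yet; revocation is not checked`. Separately, `id = {{ strongswan_remote_id }}` resolves to `knot.trygvis.io` in strongswan-vars.yml, while the server side in this commit still identifies as `moon.strongswan.org`, so IKE authentication between the two configs cannot succeed as written. The commented-out `updown` line is fine as a placeholder but should say why it is disabled.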
diff --git a/ansible/experiments/strongswan/strongswan-rw.yml b/ansible/experiments/strongswan/strongswan-rw.yml new file mode 100644 index 0000000..136e9ad --- /dev/null +++ b/ansible/experiments/strongswan/strongswan-rw.yml @@ -0,0 +1,9 @@ +- hosts: + - arius + vars_files: + - strongswan-vars.yml + tasks: + - name: strongswan-rw + import_role: name=strongswan-rw + tags: strongswan-rw + become: yes diff --git a/ansible/experiments/strongswan/strongswan-server.yml b/ansible/experiments/strongswan/strongswan-server.yml new file mode 100644 index 0000000..e555b90 --- /dev/null +++ b/ansible/experiments/strongswan/strongswan-server.yml @@ -0,0 +1,67 @@ +- hosts: + - knot + vars_files: + - strongswan-vars.yml + vars: + peers: + - arius + handlers: + - name: systemctl restart strongswan + become: true + systemd: + name: strongswan + state: restarted + tasks: + - become: true + block: + - name: packages + apt: + name: "{{ item }}" + install_recommends: no + with_items: + - strongswan-swanctl + - name: install certs + with_items: "{{ peers }}" + copy: + src=swanctl/{{ item }}/rsa/{{ item }}-key.der + dest=/etc/swanctl/rsa/{{ item }}-key.der + - name: install swanctl.conf + notify: systemctl restart strongswan + copy: + dest: /etc/swanctl/conf.d/trygvis.io.conf + content: | + connections { + + rw { + local_addrs = fec0::1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = {{ strongswan_ts }} + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } + } + + authorities { + strongswan { + #cacert = caCert.pem + #crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + cacert = ca-cert.der + crl_uris = + } + } + diff --git a/ansible/experiments/strongswan/strongswan-vars.yml b/ansible/experiments/strongswan/strongswan-vars.yml new file mode 100644 index 0000000..e72b040 
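Review bot: The `install certs` task on `knot` copies `swanctl/{{ item }}/rsa/{{ item }}-key.der` — each peer's private key — into `/etc/swanctl/rsa/` on the gateway, which is the wrong artefact: a responder doing `auth = pubkey` needs the peers' certificates (or just the CA certificate), and copying the road-warrior's private key to a second host defeats the point of per-peer keys. It should install `x509/{{ item }}-cert.der` into `/etc/swanctl/x509/` and `swanctl/CA/ca-cert.der` into `/etc/swanctl/x509ca/`, which the `authorities` block (`cacert = ca-cert.der`) already expects. The `local` section still carries the upstream example identity (`certs = moonCert.pem`, `id = moon.strongswan.org`, `local_addrs = fec0::1`) while the road-warrior template expects `knot.trygvis.io`, so this config cannot authenticate as written; knot needs its own key and certificate issued per strongswan.md (only `arius` and the CA appear in the diffstat) and `id = knot.trygvis.io`. `remote { auth = pubkey }` with no `id` accepts any certificate the CA issued, which is probably intended for a road-warrior setup but deserves a comment saying so.
```yaml
      - name: install CA certificate
        copy:
          src: swanctl/CA/ca-cert.der
          dest: /etc/swanctl/x509ca/ca-cert.der
          mode: '0644'
      - name: install peer certificates
        with_items: "{{ peers }}"
        copy:
          src: "swanctl/{{ item }}/x509/{{ item }}-cert.der"
          dest: "/etc/swanctl/x509/{{ item }}-cert.der"
          mode: '0644'
      # … unchanged: install swanctl.conf (with certs/id switched to knot's own material) …
```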
--- /dev/null +++ b/ansible/experiments/strongswan/strongswan-vars.yml @@ -0,0 +1,7 @@ +strongswan_rw: + arius: + local_addrs: fc00:0002::2 + +strongswan_home_addrs: fc00:0001::1 +strongswan_ts: fc00:0001::0/32 +strongswan_remote_id: knot.trygvis.io diff --git a/ansible/experiments/strongswan/strongswan.md b/ansible/experiments/strongswan/strongswan.md new file mode 100644 index 0000000..4258037 --- /dev/null +++ b/ansible/experiments/strongswan/strongswan.md @@ -0,0 +1,18 @@ +# CA certificate + + mkdir -p files/swanctl/CA + pki --gen > files/swanctl/CA/ca-key.der + pki --self \ + --in files/swanctl/CA/ca-key.der \ + --dn "C=NO, O=Trygvis IO AS, CN=Trygvis IO CA" \ + --ca > files/swanctl/CA/ca-cert.der + +# Peer certificate + + mkdir -p files/swanctl/$host/{rsa,x509} + pki --gen > files/swanctl/$host/rsa/$host-key.der + pki --pub --in files/swanctl/$host/rsa/$host-key.der | \ + pki --issue \ + --cakey files/swanctl/CA/ca-key.der \ + --cacert files/swanctl/CA/ca-cert.der \ + --dn "C=NO, O=Trygvis IO AS, CN=$host.trygvis.io" > files/swanctl/$host/x509/$host-cert.der diff --git a/ansible/host_vars/fuckaduck/elasticsearch.yml b/ansible/host_vars/fuckaduck/elasticsearch.yml new file mode 100644 index 0000000..1eb42bc --- /dev/null +++ b/ansible/host_vars/fuckaduck/elasticsearch.yml @@ -0,0 +1,4 @@ +elasticsearch__state: present +elasticsearch__data_dir: /opt/elasticsearch/data +elasticsearch__http_port: 9201 +elasticsearch__tcp_port: 9301 diff --git a/ansible/inventory b/ansible/inventory index ebf9485..990b299 100644 --- a/ansible/inventory +++ b/ansible/inventory @@ -18,6 +18,8 @@ all: ansible_host: conflatorio.trygvis.io nextcloud: ansible_host: 192.168.90.101 + fuckaduck: + ansible_host: fuckaduck.local children: desktops: hosts: @@ -25,6 +27,9 @@ all: conflatorio: arius: akysis: + elasticsearch-servers: + hosts: + fuckaduck: sbcs: hosts: homepi: 
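Review bot: `fc00:0001::1`, `fc00:0002::2` and the selector `fc00:0001::0/32` sit in `fc00::/8`, which RFC 4193 reserves for centrally assigned ULAs that were never defined; locally assigned ULAs are `fd00::/8` with a pseudo-random 40-bit global ID, and that also matters for the traffic selector, since a /32 carved out of a guessable prefix is more likely to collide with another site's ranges than a random /48. `strongswan_ts: fc00:0001::0/32` is also far wider than the single `fc00:0001::1` home address it presumably routes to. If these are placeholder values for the experiment, say so, e.g. `# experiment-only addressing; replace with a random fd00::/48 per RFC 4193`.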
diff --git a/ansible/strongswan-experiment/files/swanctl/CA/ca-cert.der b/ansible/strongswan-experiment/files/swanctl/CA/ca-cert.der deleted file mode 100644 index 73e9b45..0000000 Binary files a/ansible/strongswan-experiment/files/swanctl/CA/ca-cert.der and /dev/null differ diff --git a/ansible/strongswan-experiment/files/swanctl/CA/ca-key.der b/ansible/strongswan-experiment/files/swanctl/CA/ca-key.der deleted file mode 100644 index 740545a..0000000 Binary files a/ansible/strongswan-experiment/files/swanctl/CA/ca-key.der and /dev/null differ diff --git a/ansible/strongswan-experiment/files/swanctl/arius/rsa/arius-key.der b/ansible/strongswan-experiment/files/swanctl/arius/rsa/arius-key.der deleted file mode 100644 index 5c988d9..0000000 Binary files a/ansible/strongswan-experiment/files/swanctl/arius/rsa/arius-key.der and /dev/null differ diff --git a/ansible/strongswan-experiment/files/swanctl/arius/x509/arius-cert.der b/ansible/strongswan-experiment/files/swanctl/arius/x509/arius-cert.der deleted file mode 100644 index 562c76b..0000000 Binary files a/ansible/strongswan-experiment/files/swanctl/arius/x509/arius-cert.der and /dev/null differ diff --git a/ansible/strongswan-experiment/roles/strongswan-rw/tasks/main.yml b/ansible/strongswan-experiment/roles/strongswan-rw/tasks/main.yml deleted file mode 100644 index fb09476..0000000 --- a/ansible/strongswan-experiment/roles/strongswan-rw/tasks/main.yml +++ /dev/null 
@@ -1,21 +0,0 @@ -- name: packages - apt: - name: "{{ item }}" - install_recommends: no - with_items: - - strongswan-swanctl -- name: Install CA certificate - copy: - src=swanctl/CA/ca-cert.der - dest=/etc/swanctl/x509ca/ca-cert.der -- name: Install key - copy: - src=swanctl/{{ inventory_hostname }}/rsa/{{ inventory_hostname }}-key.der - dest=/etc/swanctl/rsa/{{ inventory_hostname }}-key.der -- name: Install certificate - copy: - src=swanctl/{{ inventory_hostname }}/x509/{{ inventory_hostname }}-cert.der - dest=/etc/swanctl/x509/{{ inventory_hostname }}-cert.der -- template: - src: swanctl.conf - dest: /etc/swanctl/conf.d/trygvis.io.conf diff --git a/ansible/strongswan-experiment/roles/strongswan-rw/templates/swanctl.conf b/ansible/strongswan-experiment/roles/strongswan-rw/templates/swanctl.conf deleted file mode 100644 index 90d212b..0000000 --- a/ansible/strongswan-experiment/roles/strongswan-rw/templates/swanctl.conf +++ /dev/null @@ -1,34 +0,0 @@ -connections { - - home { - local_addrs = {{ strongswan_rw[inventory_hostname].local_addrs }} - remote_addrs = {{ strongswan_home_addrs }} - - local { - auth = pubkey - certs = {{ inventory_hostname }}-cert.der - id = {{ inventory_hostname }}.trygvis.io - } - remote { - auth = pubkey - id = {{ strongswan_remote_id }} - } - children { - home { - remote_ts = {{ strongswan_ts }} - -# updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128-sha256-x25519 - } - } - version = 2 - proposals = aes128-sha256-x25519 - } -} - -authorities { - strongswan { - cacert = ca-cert.der - crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl - } -} diff --git a/ansible/strongswan-experiment/strongswan-rw.yml b/ansible/strongswan-experiment/strongswan-rw.yml deleted file mode 100644 index 136e9ad..0000000 --- a/ansible/strongswan-experiment/strongswan-rw.yml +++ /dev/null 
@@ -1,9 +0,0 @@ -- hosts: - - arius - vars_files: - - strongswan-vars.yml - tasks: - - name: strongswan-rw - import_role: name=strongswan-rw - tags: strongswan-rw - become: yes diff --git a/ansible/strongswan-experiment/strongswan-server.yml b/ansible/strongswan-experiment/strongswan-server.yml deleted file mode 100644 index e555b90..0000000 --- a/ansible/strongswan-experiment/strongswan-server.yml +++ /dev/null @@ -1,67 +0,0 @@ -- hosts: - - knot - vars_files: - - strongswan-vars.yml - vars: - peers: - - arius - handlers: - - name: systemctl restart strongswan - become: true - systemd: - name: strongswan - state: restarted - tasks: - - become: true - block: - - name: packages - apt: - name: "{{ item }}" - install_recommends: no - with_items: - - strongswan-swanctl - - name: install certs - with_items: "{{ peers }}" - copy: - src=swanctl/{{ item }}/rsa/{{ item }}-key.der - dest=/etc/swanctl/rsa/{{ item }}-key.der - - name: install swanctl.conf - notify: systemctl restart strongswan - copy: - dest: /etc/swanctl/conf.d/trygvis.io.conf - content: | - connections { - - rw { - local_addrs = fec0::1 - - local { - auth = pubkey - certs = moonCert.pem - id = moon.strongswan.org - } - remote { - auth = pubkey - } - children { - net { - local_ts = {{ strongswan_ts }} - - updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128-sha256-x25519 - } - } - version = 2 - proposals = aes128-sha256-x25519 - } - } - - authorities { - strongswan { - #cacert = caCert.pem - #crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl - cacert = ca-cert.der - crl_uris = - } - } - diff --git a/ansible/strongswan-experiment/strongswan-vars.yml b/ansible/strongswan-experiment/strongswan-vars.yml deleted file mode 100644 index e72b040..0000000 --- a/ansible/strongswan-experiment/strongswan-vars.yml +++ /dev/null 
@@ -1,7 +0,0 @@ -strongswan_rw: - arius: - local_addrs: fc00:0002::2 - -strongswan_home_addrs: fc00:0001::1 -strongswan_ts: fc00:0001::0/32 -strongswan_remote_id: knot.trygvis.io diff --git a/ansible/strongswan-experiment/strongswan.md b/ansible/strongswan-experiment/strongswan.md deleted file mode 100644 index 4258037..0000000 --- a/ansible/strongswan-experiment/strongswan.md +++ /dev/null @@ -1,18 +0,0 @@ -# CA certificate - - mkdir -p files/swanctl/CA - pki --gen > files/swanctl/CA/ca-key.der - pki --self \ - --in files/swanctl/CA/ca-key.der \ - --dn "C=NO, O=Trygvis IO AS, CN=Trygvis IO CA" \ - --ca > files/swanctl/CA/ca-cert.der - -# Peer certificate - - mkdir -p files/swanctl/$host/{rsa,x509} - pki --gen > files/swanctl/$host/rsa/$host-key.der - pki --pub --in files/swanctl/$host/rsa/$host-key.der | \ - pki --issue \ - --cakey files/swanctl/CA/ca-key.der \ - --cacert files/swanctl/CA/ca-cert.der \ - --dn "C=NO, O=Trygvis IO AS, CN=$host.trygvis.io" > files/swanctl/$host/x509/$host-cert.der diff --git a/ansible/thirdparty/ansible-elasticsearch b/ansible/thirdparty/ansible-elasticsearch new file mode 160000 index 0000000..f89f56b --- /dev/null +++ b/ansible/thirdparty/ansible-elasticsearch @@ -0,0 +1 @@ +Subproject commit f89f56bc347fc4f8ecbf1155fc35082a3a21579a -- cgit v1.2.3