migrate to git.charlotte.sh

This commit is contained in:
Charlotte Croce 2025-04-19 23:42:08 -04:00
commit fbd588721e
412 changed files with 13750 additions and 0 deletions


@ -0,0 +1,2 @@
[defaults]
host_key_checking = false
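Review bot: `host_key_checking = false` turns off SSH host-key verification for every host this configuration manages, so a redirected or impersonated managed node would be accepted without any warning and the credentials or become password sent to it. Keep the default (`host_key_checking = true`) and pre-seed the controller's `known_hosts` for the inventory hosts instead; if the setting has to stay off for a throwaway lab, say so in a comment on the line (`# lab only: disables SSH host-key verification`) so it is not copied into a production config. The Windows hosts in the inventory are unaffected by this key either way, so the setting only lowers protection for the Linux targets.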


@ -0,0 +1,9 @@
[apache]
ansible1-charlotte
[webmin]
ansible2-charlotte
[windows]
mgmt01-charlotte
wks01-charlotte
[windows:vars]
ansible_shell_type=powershell


@ -0,0 +1,85 @@
- name: Rocky Linux Security Configuration
hosts: ansible1-charlotte
become: yes
gather_facts: yes
tasks:
# Create security admin group first
- name: Create security admin group
group:
name: secadmin
state: present
tags: fs_perms
# ============================================================
# SYSTEM ADMINISTRATION ELEMENT: File System Permissions
# ============================================================
# Create parent directory first
- name: Create data directory
file:
path: /data
state: directory
mode: '0755'
owner: root
group: root
tags: fs_perms
- name: Create secure data directory
file:
path: /data/secure
state: directory
mode: '0750'
owner: root
group: secadmin
tags: fs_perms
- name: Set secure permissions on sensitive files
file:
path: "{{ item.path }}"
mode: "{{ item.mode }}"
owner: "{{ item.owner }}"
group: "{{ item.group }}"
with_items:
- { path: '/etc/passwd', mode: '0644', owner: 'root', group: 'root' }
- { path: '/etc/shadow', mode: '0400', owner: 'root', group: 'root' }
- { path: '/etc/ssh/sshd_config', mode: '0600', owner: 'root', group: 'root' }
tags: fs_perms
# ============================================================
# SYSTEM HARDENING ELEMENT: Firewall Configuration
# ============================================================
- name: Ensure firewalld is installed
dnf:
name: firewalld
state: present
tags: firewall
- name: Enable and start firewalld
service:
name: firewalld
state: started
enabled: yes
tags: firewall
- name: Allow necessary services
firewalld:
service: "{{ item }}"
permanent: yes
state: enabled
immediate: yes
with_items:
- ssh
- http
- https
tags: firewall
- name: Block all other ports
firewalld:
port: "{{ item }}"
permanent: yes
state: disabled
immediate: yes
with_items:
- 21/tcp
- 23/tcp
- 25/tcp
tags: firewall
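Review bot: The task named `Block all other ports` only removes 21/tcp, 23/tcp and 25/tcp from the zone; on firewalld's default `public` zone unlisted ports are already rejected, so the task is very likely a no-op and its name overstates what is enforced. Rename it to something like `- name: Ensure legacy cleartext ports (ftp/telnet/smtp) are not opened`, or replace it with a check of the zone's default target if the intent is to assert the deny-by-default posture. The play also mixes `yes` (become, gather_facts, enabled, permanent, immediate) with quoted mode strings; use `true`/`false` throughout so yamllint's truthy rule and ansible-lint stay quiet. The rendered page has dropped indentation, so the task structure is inferred from ordering rather than confirmed.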


@ -0,0 +1,105 @@
- name: Windows Security Configuration
hosts: windows
gather_facts: yes
tasks:
# ============================================================
# SYSTEM ADMINISTRATION ELEMENT: Shared Folder Management
# ============================================================
- name: Create secure shared folder
win_file:
path: C:\SecureShare
state: directory
tags: file_mgmt
- name: Share the secure folder
win_share:
name: SecureData
path: C:\SecureShare
description: "Secure data repository"
list: yes
full: Administrators
read: "Domain Users"
deny: "Everyone"
tags: file_mgmt
- name: Set NTFS permissions on secure folder
win_acl:
path: C:\SecureShare
user: Administrators
rights: FullControl
type: allow
state: present
inheritance_flags: "ContainerInherit,ObjectInherit"
tags: ntfs_perms
- name: Add read permissions for authenticated users
win_acl:
path: C:\SecureShare
user: "Authenticated Users"
rights: ReadAndExecute
type: allow
state: present
inheritance_flags: "ContainerInherit,ObjectInherit"
tags: ntfs_perms
# ============================================================
# SYSTEM HARDENING ELEMENT: Disable Unnecessary Services
# ============================================================
- name: Check for service existence
win_shell: Get-Service -Name "{{ item }}" -ErrorAction SilentlyContinue
register: service_check
with_items:
- XblGameSave # Xbox Game Saving Service
- XboxNetApiSvc # Xbox Live Networking Service
- DiagTrack # Connected User Experiences and Telemetry
- dmwappushservice # WAP Push Message Routing Service
failed_when: false
changed_when: false
tags: hardening
- name: Disable unnecessary services if they exist
win_service:
name: "{{ item.item }}"
state: stopped
start_mode: disabled
with_items: "{{ service_check.results }}"
when: item.rc == 0
tags: hardening
- name: Report on services not found
debug:
msg: "Service {{ item.item }} not found on {{ inventory_hostname }}"
with_items: "{{ service_check.results }}"
when: item.rc != 0
tags: hardening
# ============================================================
# AD DS GPO ELEMENT 1: Password Policy
# ============================================================
- name: Configure password policy
win_security_policy:
section: System Access
key: "{{ item.key }}"
value: "{{ item.value }}"
with_items:
- { key: PasswordComplexity, value: 1 } # Enable password complexity
- { key: MinimumPasswordLength, value: 12 } # 12 character minimum
- { key: PasswordHistorySize, value: 24 } # Remember 24 passwords
when: inventory_hostname in ['wks01-charlotte', 'mgmt01-charlotte']
tags: gpo_password
# ============================================================
# AD DS GPO ELEMENT 2: Account Lockout Policy
# ============================================================
- name: Configure account lockout policy
win_security_policy:
section: System Access
key: "{{ item.key }}"
value: "{{ item.value }}"
with_items:
- { key: LockoutBadCount, value: 5 } # 5 failed attempts
- { key: ResetLockoutCount, value: 30 } # Reset counter after 30 minutes
- { key: LockoutDuration, value: 30 } # Lock for 30 minutes
when: inventory_hostname in ['wks01-charlotte', 'mgmt01-charlotte']
tags: gpo_lockout
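Review bot: In `Share the secure folder`, `deny: "Everyone"` most likely locks out the very principals granted just above it — on Windows share ACLs a Deny ACE is evaluated before any Allow, and Administrators and Domain Users are both members of Everyone, so the `full` and `read` grants would be overridden. Drop the `deny` line and rely on the explicit allow grants plus the NTFS ACLs set by the two `win_acl` tasks that follow (which carry no deny entry). The `AD DS GPO ELEMENT` comments also misdescribe what `win_security_policy` does: it edits the host's local security policy, which a domain GPO overrides on domain-joined machines, so reword them to `# Local security policy (superseded by domain GPO when joined)`. The `when: inventory_hostname in [...]` guards on the last two tasks restate the `windows` group's membership from the inventory and can be removed.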


@ -0,0 +1,39 @@
- name: apache sys265
hosts: apache
become: true # Run all tasks with sudo/root privileges
vars:
install_utilities: false
firewalld_enable: true
ansible_os_family: RedHat
ansible_distribution: CentOS # required because role searches for Rocky config files
roles:
- geerlingguy.apache # apply the apache installation role
handlers: # will run when a task has notify:name parameter
- name: reload firewall # runs after adding firewall rule
command: firewall-cmd --reload
tasks:
# open port 443 in firewall for apache web interface
- name: add firewall rule
firewalld:
port: "{{ item }}"
permanent: true
immediate: true
state: enabled
loop:
- 80/tcp
- 443/tcp
notify: reload firewall
- name: install apache
yum:
name: httpd
state: present # will only install if not already
- name: enable and start apache service
systemd:
name: httpd
enabled: true
state: started
daemon_reload: yes # reload systemd to recognize new service
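Review bot: The `reload firewall` handler duplicates what `add firewall rule` already does — `immediate: true` together with `permanent: true` applies the rule to both the running and the saved configuration, so the `notify` and the `command: firewall-cmd --reload` handler can be removed. The play vars `install_utilities` and `firewalld_enable` do not appear in the role's `defaults/main.yml` included in this commit, so as far as the vendored files show they are never read; likewise `ansible_distribution` is only compared against `"Amazon"` in the role's `tasks/main.yml`, so the `ansible_distribution: CentOS` override and its comment look unnecessary and also feed a wrong fact value to every other task in the play. Roles run before `tasks:`, so `install apache` and `enable and start apache service` repeat work the role performs through `apache_packages_state`, `apache_state` and `apache_enabled`; if they stay, change `daemon_reload: yes` to `daemon_reload: true` for consistency with the rest of the play.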


@ -0,0 +1,3 @@
skip_list:
- 'yaml'
- 'role-name'


@ -0,0 +1,4 @@
# These are supported funding model platforms
---
github: geerlingguy
patreon: geerlingguy


@ -0,0 +1,67 @@
---
name: CI
'on':
pull_request:
push:
branches:
- master
schedule:
- cron: "0 5 * * 0"
defaults:
run:
working-directory: 'geerlingguy.apache'
jobs:
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- name: Check out the codebase.
uses: actions/checkout@v4
with:
path: 'geerlingguy.apache'
- name: Set up Python 3.
uses: actions/setup-python@v5
with:
python-version: '3.x'
- name: Install test dependencies.
run: pip3 install yamllint
- name: Lint code.
run: |
yamllint .
molecule:
name: Molecule
runs-on: ubuntu-latest
strategy:
matrix:
distro:
- rockylinux8
- ubuntu2004
- debian10
steps:
- name: Check out the codebase.
uses: actions/checkout@v4
with:
path: 'geerlingguy.apache'
- name: Set up Python 3.
uses: actions/setup-python@v5
with:
python-version: '3.x'
- name: Install test dependencies.
run: pip3 install ansible molecule molecule-plugins[docker] docker
- name: Run Molecule tests.
run: molecule test
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
MOLECULE_DISTRO: ${{ matrix.distro }}


@ -0,0 +1,40 @@
---
# This workflow requires a GALAXY_API_KEY secret present in the GitHub
# repository or organization.
#
# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy
# See: https://github.com/ansible/galaxy/issues/46
name: Release
'on':
push:
tags:
- '*'
defaults:
run:
working-directory: 'geerlingguy.apache'
jobs:
release:
name: Release
runs-on: ubuntu-latest
steps:
- name: Check out the codebase.
uses: actions/checkout@v4
with:
path: 'geerlingguy.apache'
- name: Set up Python 3.
uses: actions/setup-python@v5
with:
python-version: '3.x'
- name: Install Ansible.
run: pip3 install ansible-core
- name: Trigger a new import on Galaxy.
run: >-
ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }}
$(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)


@ -0,0 +1,34 @@
---
name: Close inactive issues
'on':
schedule:
- cron: "55 18 * * 1" # semi-random time
jobs:
close-issues:
runs-on: ubuntu-latest
permissions:
issues: write
pull-requests: write
steps:
- uses: actions/stale@v8
with:
days-before-stale: 120
days-before-close: 60
exempt-issue-labels: bug,pinned,security,planned
exempt-pr-labels: bug,pinned,security,planned
stale-issue-label: "stale"
stale-pr-label: "stale"
stale-issue-message: |
This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
close-issue-message: |
This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.
stale-pr-message: |
This pr has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
close-pr-message: |
This pr has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.
repo-token: ${{ secrets.GITHUB_TOKEN }}


@ -0,0 +1,5 @@
*.retry
*/__pycache__
*.pyc
.cache


@ -0,0 +1,10 @@
---
extends: default
rules:
line-length:
max: 120
level: warning
ignore: |
.github/workflows/stale.yml


@ -0,0 +1,20 @@
The MIT License (MIT)
Copyright (c) 2017 Jeff Geerling
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


@ -0,0 +1,208 @@
# Ansible Role: Apache 2.x
[![CI](https://github.com/geerlingguy/ansible-role-apache/workflows/CI/badge.svg?event=push)](https://github.com/geerlingguy/ansible-role-apache/actions?query=workflow%3ACI)
An Ansible Role that installs Apache 2.x on RHEL/CentOS, Debian/Ubuntu, SLES and Solaris.
## Requirements
If you are using SSL/TLS, you will need to provide your own certificate and key files. You can generate a self-signed certificate with a command like `openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout example.key -out example.crt`.
If you are using Apache with PHP, I recommend using the `geerlingguy.php` role to install PHP, and you can either use mod_php (by adding the proper package, e.g. `libapache2-mod-php5` for Ubuntu, to `php_packages`), or by also using `geerlingguy.apache-php-fpm` to connect Apache to PHP via FPM. See that role's README for more info.
## Role Variables
Available variables are listed below, along with default values (see `defaults/main.yml`):
```yaml
apache_enablerepo: ""
```
The repository to use when installing Apache (only used on RHEL/CentOS systems). If you'd like later versions of Apache than are available in the OS's core repositories, use a repository like EPEL (which can be installed with the `geerlingguy.repo-epel` role).
```yaml
apache_listen_ip: "*"
apache_listen_port: 80
apache_listen_port_ssl: 443
```
The IP address and ports on which apache should be listening. Useful if you have another service (like a reverse proxy) listening on port 80 or 443 and need to change the defaults.
```yaml
apache_create_vhosts: true
apache_vhosts_filename: "vhosts.conf"
apache_vhosts_template: "vhosts.conf.j2"
```
If set to true, a vhosts file, managed by this role's variables (see below), will be created and placed in the Apache configuration folder. If set to false, you can place your own vhosts file into Apache's configuration folder and skip the convenient (but more basic) one added by this role. You can also override the template used and set a path to your own template, if you need to further customize the layout of your VirtualHosts.
```yaml
apache_remove_default_vhost: false
```
On Debian/Ubuntu, a default virtualhost is included in Apache's configuration. Set this to `true` to remove that default virtualhost configuration file.
```yaml
apache_global_vhost_settings: |
DirectoryIndex index.php index.html
# Add other global settings on subsequent lines.
```
You can add or override global Apache configuration settings in the role-provided vhosts file (assuming `apache_create_vhosts` is true) using this variable. By default it only sets the DirectoryIndex configuration.
```yaml
apache_vhosts:
# Additional optional properties: 'serveradmin, serveralias, extra_parameters'.
- servername: "local.dev"
documentroot: "/var/www/html"
```
Add a set of properties per virtualhost, including `servername` (required), `documentroot` (required), `allow_override` (optional: defaults to the value of `apache_allow_override`), `options` (optional: defaults to the value of `apache_options`), `serveradmin` (optional), `serveralias` (optional) and `extra_parameters` (optional: you can add whatever additional configuration lines you'd like in here).
Here's an example using `extra_parameters` to add a RewriteRule to redirect all requests to the `www.` site:
```yaml
- servername: "www.local.dev"
serveralias: "local.dev"
documentroot: "/var/www/html"
extra_parameters: |
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```
The `|` denotes a multiline scalar block in YAML, so newlines are preserved in the resulting configuration file output.
```yaml
apache_vhosts_ssl: []
```
No SSL vhosts are configured by default, but you can add them using the same pattern as `apache_vhosts`, with a few additional directives, like the following example:
```yaml
apache_vhosts_ssl:
- servername: "local.dev"
documentroot: "/var/www/html"
certificate_file: "/home/vagrant/example.crt"
certificate_key_file: "/home/vagrant/example.key"
certificate_chain_file: "/path/to/certificate_chain.crt"
extra_parameters: |
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```
Other SSL directives can be managed with other SSL-related role variables.
```yaml
apache_ssl_no_log: true
```
Whether to print SSL-related task output to the console when running the playbook.
```yaml
apache_ssl_protocol: "All -SSLv2 -SSLv3"
apache_ssl_cipher_suite: "AES256+EECDH:AES256+EDH"
```
The SSL protocols and cipher suites that are used/allowed when clients make secure connections to your server. These are secure/sane defaults, but for maximum security, performand, and/or compatibility, you may need to adjust these settings.
```yaml
apache_allow_override: "All"
apache_options: "-Indexes +FollowSymLinks"
```
The default values for the `AllowOverride` and `Options` directives for the `documentroot` directory of each vhost. A vhost can overwrite these values by specifying `allow_override` or `options`.
```yaml
apache_mods_enabled:
- rewrite
- ssl
apache_mods_disabled: []
```
Which Apache mods to enable or disable (these will be symlinked into the appropriate location). See the `mods-available` directory inside the apache configuration directory (`/etc/apache2/mods-available` on Debian/Ubuntu) for all the available mods.
```yaml
apache_packages:
- [platform-specific]
```
The list of packages to be installed. This defaults to a set of platform-specific packages for RedHat or Debian-based systems (see `vars/RedHat.yml` and `vars/Debian.yml` for the default values).
```yaml
apache_state: started
```
Set initial Apache daemon state to be enforced when this role is run. This should generally remain `started`, but you can set it to `stopped` if you need to fix the Apache config during a playbook run or otherwise would not like Apache started at the time this role is run.
```yaml
apache_enabled: yes
```
Set the Apache service boot time status. This should generally remain `yes`, but you can set it to `no` if you need to run Ansible while leaving the service disabled.
```yaml
apache_packages_state: present
```
If you have enabled any additional repositories such as _ondrej/apache2_, [geerlingguy.repo-epel](https://github.com/geerlingguy/ansible-role-repo-epel), or [geerlingguy.repo-remi](https://github.com/geerlingguy/ansible-role-repo-remi), you may want an easy way to upgrade versions. You can set this to `latest` (combined with `apache_enablerepo` on RHEL) and can directly upgrade to a different Apache version from a different repo (instead of uninstalling and reinstalling Apache).
```yaml
apache_ignore_missing_ssl_certificate: true
```
If you would like to only create SSL vhosts when the vhost certificate is present (e.g. when using Lets Encrypt), set `apache_ignore_missing_ssl_certificate` to `false`. When doing this, you might need to run your playbook more than once so all the vhosts are configured (if another part of the playbook generates the SSL certificates).
## .htaccess-based Basic Authorization
If you require Basic Auth support, you can add it either through a custom template, or by adding `extra_parameters` to a VirtualHost configuration, like so:
```yaml
extra_parameters: |
<Directory "/var/www/password-protected-directory">
Require valid-user
AuthType Basic
AuthName "Please authenticate"
AuthUserFile /var/www/password-protected-directory/.htpasswd
</Directory>
```
To password protect everything within a VirtualHost directive, use the `Location` block instead of `Directory`:
```
<Location "/">
Require valid-user
....
</Location>
```
You would need to generate/upload your own `.htpasswd` file in your own playbook. There may be other roles that support this functionality in a more integrated way.
## Dependencies
None.
## Example Playbook
```yaml
- hosts: webservers
vars_files:
- vars/main.yml
roles:
- { role: geerlingguy.apache }
```
*Inside `vars/main.yml`*:
```yaml
apache_listen_port: 8080
apache_vhosts:
- {servername: "example.com", documentroot: "/var/www/vhosts/example_com"}
```
## License
MIT / BSD
## Author Information
This role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).


@ -0,0 +1,62 @@
---
apache_enablerepo: ""
apache_listen_ip: "*"
apache_listen_port: 80
apache_listen_port_ssl: 443
apache_create_vhosts: true
apache_vhosts_filename: "vhosts.conf"
apache_vhosts_template: "vhosts.conf.j2"
# On Debian/Ubuntu, a default virtualhost is included in Apache's configuration.
# Set this to `true` to remove that default.
apache_remove_default_vhost: false
apache_global_vhost_settings: |
DirectoryIndex index.php index.html
apache_vhosts:
# Additional properties:
# 'serveradmin, serveralias, allow_override, options, extra_parameters'.
- servername: "local.dev"
documentroot: "/var/www/html"
apache_allow_override: "All"
apache_options: "-Indexes +FollowSymLinks"
apache_vhosts_ssl: []
# Additional properties:
# 'serveradmin, serveralias, allow_override, options, extra_parameters'.
# - servername: "local.dev",
# documentroot: "/var/www/html",
# certificate_file: "/path/to/certificate.crt",
# certificate_key_file: "/path/to/certificate.key",
# # Optional.
# certificate_chain_file: "/path/to/certificate_chain.crt"
apache_ignore_missing_ssl_certificate: true
apache_ssl_no_log: true
apache_ssl_protocol: "All -SSLv2 -SSLv3"
apache_ssl_cipher_suite: "AES256+EECDH:AES256+EDH"
# Only used on Debian/Ubuntu/Redhat.
apache_mods_enabled:
- rewrite
- ssl
apache_mods_disabled: []
# Set initial apache state. Recommended values: `started` or `stopped`
apache_state: started
# Set initial apache service status. Recommended values: `true` or `false`
apache_enabled: true
# Set apache state when configuration changes are made. Recommended values:
# `restarted` or `reloaded`
apache_restart_state: restarted
# Apache package state; use `present` to make sure it's installed, or `latest`
# if you want to upgrade or switch versions using a new repo.
apache_packages_state: present


@ -0,0 +1,5 @@
---
- name: restart apache
service:
name: "{{ apache_service }}"
state: "{{ apache_restart_state }}"


@ -0,0 +1,2 @@
install_date: Sun Feb 23 19:19:22 2025
version: 4.0.0


@ -0,0 +1,36 @@
---
dependencies: []
galaxy_info:
role_name: apache
author: geerlingguy
description: Apache 2.x for Linux.
company: "Midwestern Mac, LLC"
license: "license (BSD, MIT)"
min_ansible_version: 2.10
platforms:
- name: Fedora
versions:
- all
- name: Amazon
versions:
- all
- name: Debian
versions:
- all
- name: Ubuntu
versions:
- trusty
- xenial
- bionic
- name: Solaris
versions:
- 11.3
galaxy_tags:
- web
- apache
- webserver
- html
- httpd
allow_duplicates: true


@ -0,0 +1,21 @@
---
- name: Converge
hosts: all
become: true
vars:
apache_listen_port_ssl: 443
apache_create_vhosts: true
apache_vhosts_filename: "vhosts.conf"
apache_vhosts:
- servername: "example.com"
documentroot: "/var/www/vhosts/example_com"
pre_tasks:
- name: Update apt cache.
apt: update_cache=yes cache_valid_time=600
when: ansible_os_family == 'Debian'
changed_when: false
roles:
- role: geerlingguy.apache


@ -0,0 +1,21 @@
---
role_name_check: 1
dependency:
name: galaxy
options:
ignore-errors: true
driver:
name: docker
platforms:
- name: instance
image: "geerlingguy/docker-${MOLECULE_DISTRO:-rockylinux8}-ansible:latest"
command: ${MOLECULE_DOCKER_COMMAND:-""}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
cgroupns_mode: host
privileged: true
pre_build_image: true
provisioner:
name: ansible
playbooks:
converge: ${MOLECULE_PLAYBOOK:-converge.yml}


@ -0,0 +1,59 @@
---
- name: Configure Apache.
lineinfile:
dest: "{{ apache_server_root }}/ports.conf"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
mode: 0644
with_items: "{{ apache_ports_configuration_items }}"
notify: restart apache
- name: Enable Apache mods.
file:
src: "{{ apache_server_root }}/mods-available/{{ item }}.load"
dest: "{{ apache_server_root }}/mods-enabled/{{ item }}.load"
state: link
mode: 0644
with_items: "{{ apache_mods_enabled }}"
notify: restart apache
- name: Disable Apache mods.
file:
path: "{{ apache_server_root }}/mods-enabled/{{ item }}.load"
state: absent
with_items: "{{ apache_mods_disabled }}"
notify: restart apache
- name: Check whether certificates defined in vhosts exist.
stat: "path={{ item.certificate_file }}"
register: apache_ssl_certificates
with_items: "{{ apache_vhosts_ssl }}"
no_log: "{{ apache_ssl_no_log }}"
- name: Add apache vhosts configuration.
template:
src: "{{ apache_vhosts_template }}"
dest: "{{ apache_conf_path }}/sites-available/{{ apache_vhosts_filename }}"
owner: root
group: root
mode: 0644
notify: restart apache
when: apache_create_vhosts | bool
- name: Add vhost symlink in sites-enabled.
file:
src: "{{ apache_conf_path }}/sites-available/{{ apache_vhosts_filename }}"
dest: "{{ apache_conf_path }}/sites-enabled/{{ apache_vhosts_filename }}"
state: link
mode: 0644
force: "{{ ansible_check_mode }}"
notify: restart apache
when: apache_create_vhosts | bool
- name: Remove default vhost in sites-enabled.
file:
path: "{{ apache_conf_path }}/sites-enabled/{{ apache_default_vhost_filename }}"
state: absent
notify: restart apache
when: apache_remove_default_vhost


@ -0,0 +1,54 @@
---
- name: Configure Apache.
lineinfile:
dest: "{{ apache_server_root }}/conf/{{ apache_daemon }}.conf"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
mode: 0644
with_items: "{{ apache_ports_configuration_items }}"
notify: restart apache
- name: Check whether certificates defined in vhosts exist.
stat: path={{ item.certificate_file }}
register: apache_ssl_certificates
with_items: "{{ apache_vhosts_ssl }}"
no_log: "{{ apache_ssl_no_log }}"
- name: Enable Apache mods.
copy:
dest: "{{ apache_server_root }}/conf.modules.d/99-ansible-{{ item }}.conf"
content: |
LoadModule {{ item }}_module modules/mod_{{ item }}.so
mode: 0644
with_items: "{{ apache_mods_enabled }}"
notify: restart apache
- name: Disable Apache mods
file:
path: "{{ apache_server_root }}/conf.modules.d/99-ansible-{{ item }}.conf"
state: absent
with_items: "{{ apache_mods_disabled }}"
notify: restart apache
- name: Add apache vhosts configuration.
template:
src: "{{ apache_vhosts_template }}"
dest: "{{ apache_conf_path }}/{{ apache_vhosts_filename }}"
owner: root
group: root
mode: 0644
notify: restart apache
when: apache_create_vhosts | bool
- name: Check if localhost cert exists (RHEL 8 and later).
stat:
path: /etc/pki/tls/certs/localhost.crt
register: localhost_cert
when: ansible_distribution_major_version | int >= 8
- name: Ensure httpd certs are installed (RHEL 8 and later).
command: /usr/libexec/httpd-ssl-gencerts
when:
- ansible_distribution_major_version | int >= 8
- not localhost_cert.stat.exists


@ -0,0 +1,20 @@
---
- name: Configure Apache.
lineinfile:
dest: "{{ apache_server_root }}/{{ apache_daemon }}.conf"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
mode: 0644
with_items: "{{ apache_ports_configuration_items }}"
notify: restart apache
- name: Add apache vhosts configuration.
template:
src: "{{ apache_vhosts_template }}"
dest: "{{ apache_conf_path }}/{{ apache_vhosts_filename }}"
owner: root
group: root
mode: 0644
notify: restart apache
when: apache_create_vhosts | bool


@ -0,0 +1,26 @@
---
- name: Configure Apache.
lineinfile:
dest: "{{ apache_server_root }}/listen.conf"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
mode: 0644
with_items: "{{ apache_ports_configuration_items }}"
notify: restart apache
- name: Check whether certificates defined in vhosts exist.
stat: path={{ item.certificate_file }}
register: apache_ssl_certificates
with_items: "{{ apache_vhosts_ssl }}"
no_log: "{{ apache_ssl_no_log }}"
- name: Add apache vhosts configuration.
template:
src: "{{ apache_vhosts_template }}"
dest: "{{ apache_conf_path }}/{{ apache_vhosts_filename }}"
owner: root
group: root
mode: 0644
notify: restart apache
when: apache_create_vhosts | bool


@ -0,0 +1,47 @@
---
# Include variables and define needed variables.
- name: Include OS-specific variables.
include_vars: "{{ ansible_os_family }}.yml"
- name: Include variables for Amazon Linux.
include_vars: "AmazonLinux.yml"
when:
- ansible_distribution == "Amazon"
- ansible_distribution_major_version == "NA"
- name: Define apache_packages.
set_fact:
apache_packages: "{{ __apache_packages | list }}"
when: apache_packages is not defined
# Setup/install tasks.
- include_tasks: "setup-{{ ansible_os_family }}.yml"
# Figure out what version of Apache is installed.
- name: Get installed version of Apache.
command: "{{ apache_daemon_path }}{{ apache_daemon }} -v"
changed_when: false
check_mode: false
register: _apache_version
- name: Create apache_version variable.
set_fact:
apache_version: "{{ _apache_version.stdout.split()[2].split('/')[1] }}"
- name: Include Apache 2.2 variables.
include_vars: apache-22.yml
when: "apache_version.split('.')[1] == '2'"
- name: Include Apache 2.4 variables.
include_vars: apache-24.yml
when: "apache_version.split('.')[1] == '4'"
# Configure Apache.
- name: Configure Apache.
include_tasks: "configure-{{ ansible_os_family }}.yml"
- name: Ensure Apache has selected state and enabled on boot.
service:
name: "{{ apache_service }}"
state: "{{ apache_state }}"
enabled: "{{ apache_enabled }}"


@ -0,0 +1,6 @@
---
- name: Update apt cache.
apt: update_cache=yes cache_valid_time=3600
- name: Ensure Apache is installed on Debian.
apt: "name={{ apache_packages }} state={{ apache_packages_state }}"


@ -0,0 +1,6 @@
---
- name: Ensure Apache is installed on RHEL.
package:
name: "{{ apache_packages }}"
state: "{{ apache_packages_state }}"
enablerepo: "{{ apache_enablerepo | default(omit, true) }}"


@ -0,0 +1,5 @@
---
- name: Ensure Apache is installed on Solaris.
pkg5:
name: "{{ apache_packages }}"
state: "{{ apache_packages_state }}"


@ -0,0 +1,5 @@
---
- name: Ensure Apache is installed on Suse.
zypper:
name: "{{ apache_packages }}"
state: "{{ apache_packages_state }}"


@ -0,0 +1,82 @@
{{ apache_global_vhost_settings }}
{# Set up VirtualHosts #}
{% for vhost in apache_vhosts %}
<VirtualHost {{ apache_listen_ip }}:{{ apache_listen_port }}>
ServerName {{ vhost.servername }}
{% if vhost.serveralias is defined %}
ServerAlias {{ vhost.serveralias }}
{% endif %}
{% if vhost.documentroot is defined %}
DocumentRoot "{{ vhost.documentroot }}"
{% endif %}
{% if vhost.serveradmin is defined %}
ServerAdmin {{ vhost.serveradmin }}
{% endif %}
{% if vhost.documentroot is defined %}
<Directory "{{ vhost.documentroot }}">
AllowOverride {{ vhost.allow_override | default(apache_allow_override) }}
Options {{ vhost.options | default(apache_options) }}
{% if apache_vhosts_version == "2.2" %}
Order allow,deny
Allow from all
{% else %}
Require all granted
{% endif %}
</Directory>
{% endif %}
{% if vhost.extra_parameters is defined %}
{{ vhost.extra_parameters | indent(width=2, first=True) }}
{% endif %}
</VirtualHost>
{% endfor %}
{# Set up SSL VirtualHosts #}
{% for vhost in apache_vhosts_ssl %}
{% if apache_ignore_missing_ssl_certificate or apache_ssl_certificates.results[loop.index0].stat.exists %}
<VirtualHost {{ apache_listen_ip }}:{{ apache_listen_port_ssl }}>
ServerName {{ vhost.servername }}
{% if vhost.serveralias is defined %}
ServerAlias {{ vhost.serveralias }}
{% endif %}
{% if vhost.documentroot is defined %}
DocumentRoot "{{ vhost.documentroot }}"
{% endif %}
SSLEngine on
SSLCipherSuite {{ apache_ssl_cipher_suite }}
SSLProtocol {{ apache_ssl_protocol }}
SSLHonorCipherOrder On
{% if apache_vhosts_version == "2.4" %}
SSLCompression off
{% endif %}
SSLCertificateFile {{ vhost.certificate_file }}
SSLCertificateKeyFile {{ vhost.certificate_key_file }}
{% if vhost.certificate_chain_file is defined %}
SSLCertificateChainFile {{ vhost.certificate_chain_file }}
{% endif %}
{% if vhost.serveradmin is defined %}
ServerAdmin {{ vhost.serveradmin }}
{% endif %}
{% if vhost.documentroot is defined %}
<Directory "{{ vhost.documentroot }}">
AllowOverride {{ vhost.allow_override | default(apache_allow_override) }}
Options {{ vhost.options | default(apache_options) }}
{% if apache_vhosts_version == "2.2" %}
Order allow,deny
Allow from all
{% else %}
Require all granted
{% endif %}
</Directory>
{% endif %}
{% if vhost.extra_parameters is defined %}
{{ vhost.extra_parameters | indent(width=2, first=True) }}
{% endif %}
</VirtualHost>
{% endif %}
{% endfor %}


@ -0,0 +1,18 @@
---
apache_service: httpd
apache_daemon: httpd
apache_daemon_path: /usr/sbin/
apache_server_root: /etc/httpd
apache_conf_path: /etc/httpd/conf.d
apache_vhosts_version: "2.4"
__apache_packages:
- httpd24
- httpd24-devel
- mod24_ssl
- openssh
apache_ports_configuration_items:
- regexp: "^Listen "
line: "Listen {{ apache_listen_port }}"


@ -0,0 +1,14 @@
---
apache_service: apache2
apache_daemon: apache2
apache_daemon_path: /usr/sbin/
apache_server_root: /etc/apache2
apache_conf_path: /etc/apache2
__apache_packages:
- apache2
- apache2-utils
apache_ports_configuration_items:
- regexp: "^Listen "
line: "Listen {{ apache_listen_port }}"


@ -0,0 +1,20 @@
---
apache_service: httpd
apache_daemon: httpd
apache_daemon_path: /usr/sbin/
apache_server_root: /etc/httpd
apache_conf_path: /etc/httpd/conf.d
apache_vhosts_version: "2.2"
__apache_packages:
- httpd
- httpd-devel
- mod_ssl
- openssh
apache_ports_configuration_items:
- regexp: "^Listen "
line: "Listen {{ apache_listen_port }}"
- regexp: "^#?NameVirtualHost "
line: "NameVirtualHost {{ apache_listen_ip }}:{{ apache_listen_port }}"


@ -0,0 +1,19 @@
---
apache_service: apache24
apache_daemon: httpd
apache_daemon_path: /usr/apache2/2.4/bin/
apache_server_root: /etc/apache2/2.4/
apache_conf_path: /etc/apache2/2.4/conf.d
apache_vhosts_version: "2.2"
__apache_packages:
- web/server/apache-24
- web/server/apache-24/module/apache-ssl
- web/server/apache-24/module/apache-security
apache_ports_configuration_items:
- regexp: "^Listen "
line: "Listen {{ apache_listen_port }}"
- regexp: "^#?NameVirtualHost "
line: "NameVirtualHost {{ apache_listen_ip }}:{{ apache_listen_port }}"


@ -0,0 +1,18 @@
---
apache_service: apache2
apache_daemon: httpd2
apache_daemon_path: /usr/sbin/
apache_server_root: /etc/apache2
apache_conf_path: /etc/apache2/conf.d
apache_vhosts_version: "2.2"
__apache_packages:
- apache2
- openssh
apache_ports_configuration_items:
- regexp: "^Listen "
line: "Listen {{ apache_listen_port }}"
- regexp: "^#?NameVirtualHost "
line: "NameVirtualHost {{ apache_listen_ip }}:{{ apache_listen_port }}"


@ -0,0 +1,12 @@
---
apache_vhosts_version: "2.2"
apache_default_vhost_filename: 000-default
apache_ports_configuration_items:
- {
regexp: "^Listen ",
line: "Listen {{ apache_listen_port }}"
}
- {
regexp: "^#?NameVirtualHost ",
line: "NameVirtualHost {{ apache_listen_ip }}:{{ apache_listen_port }}"
}


@ -0,0 +1,8 @@
---
apache_vhosts_version: "2.4"
apache_default_vhost_filename: 000-default.conf
apache_ports_configuration_items:
- {
regexp: "^Listen ",
line: "Listen {{ (apache_listen_ip == '*') | ternary('', apache_listen_ip + ':') }}{{ apache_listen_port }}"
}


@ -0,0 +1,2 @@
.DS_Store
.dropbox


@ -0,0 +1,26 @@
BSD 3-Clause License ("BSD License 2.0", "Revised BSD License", "New BSD License", or "Modified BSD License")
Copyright (c) 2019, SEMU Consulting
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* Neither the name of the <organization> nor the
names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


@ -0,0 +1,66 @@
Role Name
=========
## THIS REPO IS NO LONGER BEING ACTIVELY MAINTAINED OR SUPPORTED.
### IF ANYONE ELSE WANTS TO TAKE ON THE MAINTENANCE AND SUPPORT, FEEL FREE TO FORK IT.
[Ansible role](https://galaxy.ansible.com/semuadmin/webmin) to deploy Webmin web-based linux administration utility, running as a
systemd service.
Webmin service will be available on https://hostip:10000.
Default login will be the userid and password of the installer user.
You may get a browser warning about Webmin's default self-sign SSL certificate.
System will reboot after installation.
Requirements
------------
- Installation requires sudo privileges.
- Systemd for services control.
- Firewalld for firewall control (if required).
- Python for Ansible provisioning (note that some minimal distributions do not include python out of the box).
Role Variables
--------------
- `install_utilities`: false. Set to True to install various utility packages used by Webmin management functions (wget, git, ntpdate, sntp, smartmontools).
Note that some minimal distributions do not support all these tools out of the box and may require interactive installation.
- `enable_firewalld`: false. Set to True to open port 10000 via firewalld (assumes firewalld is installed and running).
- `uninstall_webmin` : false. Set to true to uninstall Webmin.
Dependencies
------------
None.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
```yaml
- name: Provision webmin role
hosts: all
become: true
become_user: root
vars:
enable_firewalld: true
install_utilities: true
roles:
- semuadmin.webmin
```
License
-------
BSD 3-Clause


@ -0,0 +1,15 @@
---
# defaults file for webmin
webmin_dir: /etc/webmin
webmin_yum_repo: "http://download.webmin.com/download/yum"
webmin_mirrorlist: "http://download.webmin.com/download/yum/mirrorlist"
webmin_gpgkey: "http://www.webmin.com/jcameron-key.asc"
webmin_apt_repo: "deb [signed-by=/etc/apt/trusted.gpg.d/jcameron-key.asc] https://download.webmin.com/download/repository sarge contrib"
enable_firewalld: false
install_utilities: false
uninstall_webmin: false
webmin_disable_reboot: false


@ -0,0 +1,7 @@
---
# handlers file for webmin
- name: Restart webmin
ansible.builtin.systemd:
name: webmin
state: restarted


@ -0,0 +1,2 @@
install_date: Sat Feb 22 17:36:07 2025
version: v1.0.9


@ -0,0 +1,29 @@
galaxy_info:
role_name: webmin
author: semu
description: webmin role
company: SEMU Consulting
license: BSD 3-Clause
min_ansible_version: "7"
platforms:
- name: EL
versions:
- "9"
- "8"
- "7"
- name: Fedora
versions:
- "36"
- name: Debian
versions:
- bullseye
- name: Ubuntu
versions:
- focal
- bionic
- jammy
galaxy_tags:
- webmin


@ -0,0 +1,10 @@
---
# tasks file for webmin #
- name: Install webmin
ansible.builtin.include_tasks: webmin.yml
when: not uninstall_webmin
- name: Uninstall webmin
ansible.builtin.include_tasks: uninstall.yml
when: uninstall_webmin


@ -0,0 +1,42 @@
---
# tasks file for uninstall webmin #
- name: Remove Webmin files and directories
ansible.builtin.file:
path: "/etc/webmin"
state: absent
- name: Disable firewalld service.
ansible.posix.firewalld:
zone: public
service: webmin
permanent: true
state: disabled
immediate: true
when: enable_firewalld
- name: Remove yum repository for Redhat platforms
ansible.builtin.yum_repository:
name: webmin
description: Webmin yum repo
baseurl: "{{ webmin_yum_repo }}"
mirrorlist: "{{ webmin_mirrorlist }}"
state: absent
when: ansible_os_family == "RedHat"
- name: Remove apt repository for Debian platforms
ansible.builtin.apt_repository:
repo: "{{ webmin_apt_repo }}"
state: absent
when: ansible_os_family == "Debian"
- name: Unnstall supporting packages if added
ansible.builtin.package:
name:
- wget
- git
- ntpdate
- sntp
- smartmontools
state: absent
when: install_utilities


@ -0,0 +1,94 @@
---
# tasks file for webmin#
- name: Install firewalld service template.
ansible.builtin.template:
src: webmin.xml.j2
dest: "/etc/firewalld/services/webmin.xml"
owner: root
group: root
mode: "0644"
when: enable_firewalld
- name: Reload firewalld to register new service.
ansible.builtin.command: firewall-cmd --reload
register: firewall
changed_when: "'success' in firewall.stdout"
when: enable_firewalld
- name: Enable firewalld service.
ansible.posix.firewalld:
zone: public
service: webmin
permanent: true
state: enabled
immediate: true
when: enable_firewalld
- name: Add yum repository and gpg key for Redhat platforms.
ansible.builtin.yum_repository:
name: webmin
description: Webmin yum repo
baseurl: "{{ webmin_yum_repo }}"
mirrorlist: "{{ webmin_mirrorlist }}"
gpgkey: "{{ webmin_gpgkey }}"
gpgcheck: true
state: present
when: ansible_os_family == "RedHat"
- name: Add a gpg key for Debian platforms.
ansible.builtin.get_url:
url: "{{ webmin_gpgkey }}"
dest: /etc/apt/trusted.gpg.d/jcameron-key.asc
owner: root
group: root
mode: "0644"
when: ansible_os_family == "Debian"
- name: Add apt repository for Debian platforms.
ansible.builtin.apt_repository:
repo: "{{ webmin_apt_repo }}"
state: present
update_cache: true
when: ansible_os_family == "Debian"
- name: Install https transport for Debian platforms.
ansible.builtin.package:
name:
- apt-transport-https
state: present
when: ansible_os_family == "Debian"
- name: Install Webmin.
ansible.builtin.package:
name:
- webmin
state: present
- name: Install supporting packages if required.
ansible.builtin.package:
name:
- wget
- git
- ntpdate
- sntp
- smartmontools
state: present
when: install_utilities
- name: Remove old systemd service.
ansible.builtin.file:
path: /etc/systemd/system/webmin.service
state: absent
- name: Enable webmin as systemd service.
ansible.builtin.systemd:
state: started
enabled: true
daemon_reload: true
name: webmin
- name: Reboot machine.
ansible.builtin.reboot:
reboot_timeout: 3600
when: not webmin_disable_reboot


@ -0,0 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>webmin</short>
<description>Webmin Web Based Administration</description>
<port port="10000" protocol="tcp"/>
</service>


@ -0,0 +1,6 @@
---
- name: Test webmin role
hosts: localhost
remote_user: root
roles:
- webmin


@ -0,0 +1,2 @@
---
# vars file for webmin


@ -0,0 +1,49 @@
- name: webmin sys265
hosts: webmin
become: true
vars:
install_utilities: false
firewalld_enable: true
pre_tasks:
- name: add webmin repo and GPG key
yum_repository:
name: webmin
description: Webmin Distribution Neutral
baseurl: http://download.webmin.com/download/yum
enabled: true
gpgcheck: true
gpgkey: http://www.webmin.com/jcameron-key.asc
- name: clean and update YUM cache
yum:
update_cache: yes
roles:
- semuadmin.webmin
handlers:
- name: reload firewall
command: firewall-cmd --reload
tasks:
- name: add firewall rule
firewalld:
port: 10000/tcp
permanent: true
state: enabled
notify: reload firewall
- name: install webmin
yum:
name: webmin
state: present
- name: enable and start webmin service
systemd:
name: webmin
enabled: true
state: started
daemon_reload: yes
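Review bot: `firewalld_enable: true` under `vars:` does not match the variable the vendored role actually reads, `enable_firewalld` (that is the name in the role README and its defaults file in this same commit), so the role's firewalld tasks never run and the key is dead configuration; either rename it to `enable_firewalld: true` or drop it, since the `add firewall rule` task below opens 10000/tcp itself. The pre_task fetches the repository signing key with `gpgkey: http://www.webmin.com/jcameron-key.asc` and the packages from `baseurl: http://download.webmin.com/download/yum`; because the key that `gpgcheck: true` trusts arrives over plain HTTP, an on-path party could substitute it, so both URLs should be `https://` if the hosts serve it (the role's apt repo line already uses https for download.webmin.com). This pre_task also creates a yum repository named `webmin` that the role's own `yum_repository` task redefines under the same name, so the two definitions presumably rewrite the same repo file on every run; keep one of them. Finally, `update_cache: yes` and `daemon_reload: yes` should be `true` to match the other booleans in the file.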


@ -0,0 +1,10 @@
- name: install windows applications
hosts: windows
tasks:
- name: install firefox and 7zip
win_chocolatey:
name:
- firefox
- 7zip
- notepadplusplus
state: present
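Review bot: The task name `install firefox and 7zip` no longer describes what the task does, since the list also installs `notepadplusplus`; rename it, e.g. `- name: install desktop applications`. The `win_chocolatey` call gives neither `source:` nor `version:`, so every run installs whatever the default community feed currently publishes for these three packages; for managed hosts, pinning a `version:` per package or pointing `source:` at an internally reviewed feed makes the installed software reproducible and reviewable.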