Updates 'n' stuff (#108)

* add iptables rules to limit access to node_exporter

* limit time we store logs

* encrypt only secret vars

* update requirements

* reduce clutter

* smaller fixes

* allow setting individual logretention & also limiting journald

* fix linting

* fix linting

inventory/host_vars/buildbot-worker-01/main.yml

@@ -1,14 +1,13 @@
-$ANSIBLE_VAULT;1.1;AES256
-32353938343661303364353839376239366266353566343639356435346431646266386461366138
-3135323063346165636463636137643766326462313365340a646565643834653032373732616133
-39393236396166343064613030633539613233663866383737386238626335666230653035656634
-6532386534613463350a373238643265636538383836386238323837346564353434656561653332
-62353933323030396264616237613132313830646466386238386336623637666630383062613261
-37663239366561663266626532383638393033643639363036366338333437616262353437393732
-62656262646333366134626531303532343963386134363131663765623631616633663438303432
-32393938363661316662373335363036636537363333613463383530646165343336326362363163
-31303563323639343162373162333531326235396539386530653438333266306464666265656461
-32623462366433373063396265643538363764316131653731613930633137373937663464343036
-66653238613534623131663530663839376665306630626265376463336465346333383431663062
-61656430666632633164616535363461306530326464303065633164646261643433353831376262
-3961
+---
+bbworker_name: ionos-worker01
+bbworker_pwd: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          31346537316530326135363566653164343165326531336537356239323238393835623064356437
+          3639346231663735383066653335383361363836666132370a636531636236663335396136643832
+          39393865363666613432616636353136613233613631386634366236663735356461306562383939
+          6363336164646263360a636666303531386136303539656539623932626436643336653136373935
+          63333832623765373739366439633065366439326562363130306561383639633633
+
+bbworker_contact: Martin <martin.hubner uff web ponkt de>
+bbworker_info: VM with 6 Cores, 24GB RAM
+...

inventory/host_vars/buildbot-worker-02/main.yml

@@ -1,14 +1,13 @@
-$ANSIBLE_VAULT;1.1;AES256
-34616635316533303531376636353861626332353737366130653166626637343039663639323465
-3432626564633935333337393862336364323362656333630a656663383536393861303436353964
-30316633353033363639373863373532363164303266633864653034613436643637666165363163
-6137633663613965630a313139623135613862323130323161326366653938386638346639613433
-37626534396137396566633130343133396532356462646639333535346464346232643961333034
-66643138313539396663393538373265343536346462346566393336303263613339373462306564
-63373034353636643465666636396636393962393163343733306438616535366363353031313561
-66623730626630333632396262656561396239393937353830396262353537623931613236323932
-33303634623930386634656165363535626264383463313834353133613637373661336262663330
-61656232636439383938303831383430396439313861633336363365623632626566386538656637
-39636666333662663164633935613066646332626562653737396230326536636130316239663737
-37316130396534326364363838383934663366306262336363653932393730663061633562356333
-3962
+---
+bbworker_name: ionos-worker02
+bbworker_pwd: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          31346337613865323530323561326234306231653632616632363539353236386165613933333738
+          6134383964353931313131393833653335316330613861620a366361633961333361353835373436
+          64393538383361613163383237666332366436636464613166633264343661353662316134376430
+          3061353037323162650a363461336137663066633730303761626134623563336165323634323035
+          3464
+
+bbworker_contact: Martin <martin.hubner uff web ponkt de>
+bbworker_info: VM with 3 Cores, 12GB RAM
+...

inventory/host_vars/buildbot-worker-03/main.yml

@@ -1,15 +1,14 @@
-$ANSIBLE_VAULT;1.1;AES256
-31383135316665326565333562373566646436633030363764616663613565333665303565366564
-6233663762356166333261373138663962323036393361640a643466333631653164306366616630
-63636337626631363339306133323264353965346633363263333161643562663261376264376630
-3333313837303563350a343237343662396134376161343864393237396335326232656335323031
-33353335363138323262303431333065313066363765373666363262383232373364663930623932
-37396437666264386636343438616661373661346562363062623639303931633266616266396330
-66323235626661666462353631653534373265376463623139646637353234376637366261646138
-66383631306337663336613735356135353930323339663432306630663832613837396535373866
-36333034313934623164653061663430616338313766336330653135346164323262383833373862
-66396166386330643464376238636466653334373535306339323033643936303937666236626264
-37366163336266343131633331303163386138353865646335386330336533393864663761333334
-33646234616163643133383232613366666630313264353365373637646536383236313463326339
-30353630613464323938633738303763666438666363373162333863356237633633623361623636
-6231306339373639613636353338396462376639306634393261
+---
+bbworker_name: ionos-worker03
+bbworker_pwd: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          62366332653164316130393534653231323463363430323430616566646636363839656362633836
+          3431663162633830303563333263626531343062356662320a343162383237613163376165363063
+          30623862613935306666383463383464323065616537386161626561336263313364313866363831
+          6331363462656363370a663966333032336338653035316537323438363561656664633736363837
+          63646437653665366135613036383732646233613062393665646138316138356631613561336630
+          6166356431653536653931656536343836643763663632386236
+
+bbworker_contact: Martin <martin.hubner uff web ponkt de>
+bbworker_info: VM with 3 Cores, 12GB RAM
+...

inventory/host_vars/buildbot-worker-04/main.yml

@@ -1,15 +1,15 @@
-$ANSIBLE_VAULT;1.1;AES256
-30313035326638393066313364623836303361376165363539636364333036616363316163313332
-3762363264303435633162373435383862393635633738650a636339646330376661656634383033
-63363637343837653535623964623862383535623637653530323538373539636532646339303035
-6338353262306665640a356234623237383836303563636334336461616665383263353464313661
-33356666376465353633663135626166353663316662376366656636626637333365383039303337
-31663163353935366432356436386465316330333262623133626166643565323230303761313065
-39623661626634356631376638343232323438303037643033366535323465353463343237623338
-33396234373638396666343066373439666265663135396130383166653332666663366533336530
-63363635646163633838356433643338383466356665326332356134336330666337363434303865
-36303737373336346236616132663263303139623839633937336139666465353632323236653533
-65393537343438383333613435393238336636343666623538663334366132653539396365666432
-30373233333561646432656631343232313162323638316438393533396433303037313830386639
-33363436643237346534383062383435656434623061323737646430313331636639343365346534
-3538396534613433336633343037613034636531633638643733
+---
+bbworker_name: ionos-worker04
+bbworker_pwd: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          37633536613934613263316238646162313261373233333238626665356662336464396466383338
+          3337643434306530363666633330313934626664323864350a653565626238633831363735366161
+          36333533653332333763326665393033666235316538636365303562653836323530373564633065
+          3636323236656161320a353034653665626431313337646261336131353066666162383862306564
+          31396430383462666262336364393564303934336635373439666138353765353032303238333262
+          32303464393464326363616536613964376538656634636162623763326662383036316133313163
+          383763386662393238303833393533626432
+
+bbworker_contact: Martin <martin.hubner uff web ponkt de>
+bbworker_info: VM with 3 Cores, 12GB RAM
+...

inventory/host_vars/buildbot-worker-akira/main.yml

@@ -1,15 +1,15 @@
-$ANSIBLE_VAULT;1.1;AES256
-30306439353363636363643861303165363830316632316264333032366563363061653333366336
-6632623230316334323637616437653539646263363231620a376562616131666332646433643765
-31363832636461623437663166306434343234343236323961373061326236623231663938666130
-3738613639663833640a363863363938393835613734316535326634653666363638636537373761
-31663837333665613761636133306431613438626635623630623231336562363464663566373661
-62653566653333333637663562353239363836316662373430353835663966346235666465323532
-30343565393230353733386565616333633963373738336436323861323162303937643338366261
-31333332663033383364366363313938333865663234353238333964613138613338643264393061
-63386561633433336233356364326164653334383831363638393964333663356639373666313736
-36313735353835333334346432633833363034346239393436636565633866376235633734626134
-62663264373638343237303063653732363137313030386364343032393838393465626337303536
-36383531326362616430393630336465633230323734613234346630346163653137643532353038
-66613666336632366564393466396638336463393461316633313038653633376133346463613731
-3738636637643732623030383435653862366262643238623561
+---
+bbworker_name: akira-home
+bbworker_pwd: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          30393433623335303735613338373662303938653663646538386561363964646633346464323630
+          3063306265346139363963396162643966383832353864660a356631333664363232633962356635
+          33396532633538326538333461636537393332666464663639633064636639653730333138636430
+          3130323561663931650a343730396665343336663336306662346137643432373165303739383035
+          32343737636135386530333462653631333266326238343964383439343938323233633165316136
+          36643036626466633666373863346364666466313534353632646633336635333735646262306666
+          396463343061613935336238346462373761
+
+bbworker_contact: Martin <martin.hubner uff web ponkt de>
+bbworker_info: VM with 4 Cores, 4GB RAM
+...

inventory/host_vars/buildbot-worker-scherer8/main.yml

@@ -1,16 +1,14 @@
-$ANSIBLE_VAULT;1.1;AES256
-32326436303736366262343839626133336466366164393962643139363266306536646463306135
-3731306133663461636264633761343466363034306165330a376362316339396132353032666164
-37663637353833356630636661323963623831653330396235343839323464363063323533393839
-3737623165643938650a316566643763666363363434333361656265376330626662633034396633
-65333838333031633264613763616433323039316530643761373737333631393262616266386265
-33386532393262396234346437336637306236346562663436386136396435353332663736373339
-30373233373930323734316463653863633734626633623364373035313565363365663966313335
-30653033343865316564356334386361393564623434316565643235623737373936383830633933
-39366635643063306333333665643939636664653865363537386237363834663230356165313739
-61353438313536316436303062313562646662393038656265316633643136313537396631303831
-64623562313763633439336135623161663362346239303962663831326536643765623831636162
-36626534373239363065353662376630653438643530393266343131343537653231343130613364
-62633263616139353532653832323564633335363135623530306637643338646636373365343965
-36346364333531386338656232663563303861663434663962376532613738656430643433613638
-323439303230636566623833656437303938
+---
+bbworker_name: scherer8-buildbot
+bbworker_pwd: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          36613534396238373130313633326162643830316566656231616562623464653265316633376438
+          3466353430663635383263336133316261633339356337370a376330353437363061353064653238
+          62623431643533356337316632653032656234396637303430623231663433333064666639373630
+          3839313730393261380a356263666164356137353230396535386432366462643133333337613837
+          38363432653565353637623762346335643638643662303063303461356536623938
+
+bbworker_contact: Perry <isprotejesvalkata AT gmail.com>
+bbworker_info: Xeon 3.6GHz, 16 Cores, 60GB Ramdisk
+
+bbworker_path: /ramdisk/bb_worker/

inventory/hosts

@@ -26,11 +26,11 @@ f.tunnel.berlin.freifunk.net # vpn03h.berlin.freifunk.net
 utils
 
 [utils]
-util.berlin.freifunk.net
+util.berlin.freifunk.net # hopglass
 
 [download]
 download-master.berlin.freifunk.net
 
 [uisp]
-uisp ansible_host=10.31.130.158 # New uisp VM
+uisp.berlin.freifunk.net ansible_host=10.31.130.158 # New uisp VM
 

requirements.yml

@@ -14,4 +14,4 @@ collections:
   - name: community.mysql
     version: 3.8.0
   - name: community.general
-    version: 7.5.1
+    version: 8.2.0

roles/common/defaults/main.yml

@@ -0,0 +1,22 @@
+---
+common_packages_base:
+  - atop
+  - curl
+  - fail2ban
+  - git
+  - gpg
+  - gpg-agent
+  - htop
+  - iptables-persistent
+  - mc
+  - mosh
+  - nano
+  - prometheus-node-exporter
+  - tcpdump
+  - tmux
+  - vnstat
+  - zsh
+
+common_packages_extra: []
+
+common_log_retention: 30

roles/common/tasks/logrotate.yml

@@ -0,0 +1,30 @@
+---
+- name: Configure logrotate
+  ansible.builtin.template:
+    src: "{{ item.template }}"
+    dest: "{{ item.dest }}"
+    mode: "0640"
+    owner: root
+    group: root
+  loop:
+    - {template: "logrotate_conf.j2", dest: "/etc/logrotate.conf"}
+    - {template: "logrotate_d_alternatives.j2", dest: "/etc/logrotate.d/alternatives"}
+    - {template: "logrotate_d_dpkg.j2", dest: "/etc/logrotate.d/dpkg"}
+    - {template: "logrotate_d_rsyslog.j2", dest: "/etc/logrotate.d/rsyslog"}
+    - {template: "logrotate_d_fail2ban.j2", dest: "/etc/logrotate.d/fail2ban"}
+
+- name: Set Journald Max Size to 1G
+  ansible.builtin.lineinfile:
+    path: /etc/systemd/journald.conf
+    insertafter: ^#SystemMaxUse
+    regexp: ^SystemMaxUse
+    line: SystemMaxUse=1G
+  notify: Restart journald
+
+- name: Set Journald Max retention time
+  ansible.builtin.lineinfile:
+    path: /etc/systemd/journald.conf
+    insertafter: ^#SystemMaxUse
+    regexp: ^MaxRetentionSec
+    line: MaxRetentionSec={{ common_log_retention }}day
+  notify: Restart journald

roles/common/tasks/main.yml

@@ -2,22 +2,7 @@
 # tasks to be run on all machines
 - name: Install basic tools
   ansible.builtin.apt:
-    name:
-      - atop
-      - curl
-      - fail2ban
-      - git
-      - gpg
-      - gpg-agent
-      - htop
-      - mc
-      - mosh
-      - nano
-      - prometheus-node-exporter
-      - tcpdump
-      - tmux
-      - vnstat
-      - zsh
+    name: "{{ common_packages_base + common_packages_extra }}"
     state: present
     update_cache: true
 
@@ -38,15 +23,6 @@
     owner: root
     group: root
 
-- name: Configure prometheus-node-exporter
-  ansible.builtin.template:
-    src: prometheus-node-exporter.j2
-    dest: /etc/default/prometheus-node-exporter
-    mode: "0640"
-    owner: root
-    group: root
-  notify: Restart prometheus-node-exporter
-
 - name: Disallow password-based login for all users
   ansible.builtin.lineinfile:
     path: /etc/ssh/sshd_config
@@ -61,10 +37,9 @@
     insertafter: EOF
   notify: Restart sshd
 
-- name: Set Journald Max Size to 1G
-  ansible.builtin.lineinfile:
-    path: /etc/systemd/journald.conf
-    insertafter: ^#SystemMaxUse
-    regexp: ^SystemMaxUse
-    line: SystemMaxUse=1G
-  notify: Restart journald
+- name: Include monitoring tasks
+  ansible.builtin.include_tasks: monitoring.yml
+
+
+- name: Include logrotate tasks
+  ansible.builtin.include_tasks: logrotate.yml

roles/common/tasks/monitoring.yml

@@ -0,0 +1,26 @@
+---
+- name: Configure prometheus-node-exporter
+  ansible.builtin.template:
+    src: prometheus-node-exporter.j2
+    dest: /etc/default/prometheus-node-exporter
+    mode: "0640"
+    owner: root
+    group: root
+  notify: Restart prometheus-node-exporter
+
+- name: Allow access to node-exporter
+  ansible.builtin.iptables:
+    chain: INPUT
+    source: 77.87.50.8,10.0.0.0/8,127.0.0.1
+    protocol: tcp
+    destination_port: 9100
+    jump: ACCEPT
+    comment: Allow prometheus exporter access
+
+- name: Limit access to node-exporter for the rest
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: tcp
+    destination_port: 9100
+    jump: REJECT
+    comment: Reject prometheus exporter access for everyone else

roles/common/templates/logrotate_conf.j2

@@ -0,0 +1,23 @@
+# see "man logrotate" for details
+
+# global options do not affect preceding include directives
+
+# rotate log files weekly
+daily
+
+# keep 4 weeks worth of backlogs
+rotate {{ common_log_retention }}
+
+# create new (empty) log files after rotating old ones
+create
+
+# use date as a suffix of the rotated file
+dateext
+
+# uncomment this if you want your log files compressed
+#compress
+
+# packages drop log rotation information into this directory
+include /etc/logrotate.d
+
+# system-specific logs may also be configured here.

roles/common/templates/logrotate_d_alternatives.j2

@@ -0,0 +1,10 @@
+/var/log/alternatives.log {
+        daily
+        rotate {{ common_log_retention }}
+        compress
+        dateext
+        delaycompress
+        missingok
+        notifempty
+        create 644 root root
+}

roles/common/templates/logrotate_d_dpkg.j2

@@ -0,0 +1,10 @@
+/var/log/dpkg.log {
+       daily
+       rotate {{ common_log_retention }}
+       dateext
+       compress
+       delaycompress
+       missingok
+       notifempty
+       create 644 root root
+}