merge

deploy-cert/defaults/main.yml

@@ -1,6 +1,7 @@
-ca_dir: "{{ root_dir }}/storage/ansible-simple-pki/{{ default_ca_host }}"
+ca_dir: "{{ root_dir }}/storage/simple-pki/{{ default_ca_host }}"
+type: "servers"
+dest_name: "server"
 ca_name: "ca.crt"
-crt_name: "server.crt"
-key_name: "server.key"
+crt_name: "{{dest_name}}.crt"
+key_name: "{{dest_name}}.key"
 hostname: "{{ inventory_hostname }}" 
-cert_type: "sha256.4096"

deploy-cert/tasks/main.yml

@@ -5,25 +5,25 @@
 
  - name: deploy ca chain
    copy:
-     src: "{{ ca_dir }}/ca/certs/chained-ca.{{ cert_type }}.crt"
+     src: "{{ ca_dir }}/ca/certs/chained-ca.{{simplepki_message_digest}}.{{ simplepki_key_size }}.crt"
      dest: "{{ dest_dir }}/{{ ca_name }}"
    when: ca_name is defined and ca_name != ""
 
- - name: deploy server cert
+ - name: deploy cert
    copy:
-     src: "{{ ca_dir }}/servers/certs/{{ hostname }}.{{ cert_type }}.crt"
+     src: "{{ ca_dir }}/{{ type }}/certs/{{ hostname }}.{{simplepki_message_digest}}.{{ simplepki_key_size }}.crt"
      dest: "{{ dest_dir }}/{{ crt_name }}"
    when: crt_name is defined and crt_name != ""
 
- - name: deploy server key
+ - name: deploy key
    copy:
-     src: "{{ ca_dir }}/servers/keys/{{ hostname }}.{{ cert_type }}.key"
+     src: "{{ ca_dir }}/{{ type }}/keys/{{ hostname }}.{{simplepki_message_digest}}.{{ simplepki_key_size }}.key"
      dest: "{{ dest_dir }}/{{ key_name }}"
    when: key_name is defined and key_name != ""
 
- - name: deploy server pem
+ - name: deploy pem
    copy:
-     src: "{{ ca_dir }}/servers/pem/{{ hostname }}.pem"
+     src: "{{ ca_dir }}/{{ type }}/pem/{{ hostname }}.pem"
      dest: "{{ dest_dir }}/{{ pem_name }}"
    when: pem_name is defined and pem_name != ""
 

monitor/client/defaults/main.yml

@@ -24,6 +24,7 @@ monitor_user_parameters:
  - sockstat.conf
  - varnish.conf
  - ntp.conf
+ - apt.conf
 
 monitor_scripts:
  - zabbix_mdraid.sh

monitor/client/tasks/main.yml

@@ -107,6 +107,12 @@
     owner: "root"
     mode: 0640
 
+- name: enable periodic apt-get update
+  template:
+    src: "10periodic"
+    dest: "/etc/apt/apt.conf.d/10periodic"
+    owner: "root"
+
 - name: install logging dependencies
   package:
     name: logrotate

monitor/client/templates/10periodic

@@ -0,0 +1,4 @@
+APT::Periodic::Enable "1";
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "0";
+APT::Periodic::AutocleanInterval "0";

monitor/client/templates/apt.conf

@@ -0,0 +1,6 @@
+# Treat security and regular updates differently
+# This is just a simulation, that can be run under zabbix user
+# Since updating packages lists (apt-get update) requires root user,
+# use APT::Periodic or some other functionality for that
+UserParameter=apt.security,apt-get -s upgrade | grep -ci ^inst.*security | tr -d '\n'
+UserParameter=apt.updates,apt-get -s upgrade | grep -iPc '^Inst((?!security).)*$' | tr -d '\n'

openvpn-node/defaults/main.yml

@@ -6,7 +6,7 @@ vpn_server_port: 1194         # default is 1194
 use_tls_key: false            # defines whether tls PSK is used to harden initial communication (openvpn --tls-auth)
 # TODO: Implement creation of tls_key file from variable value
 # tls_key_path:               # needs to be filled on per-group basis if use_tls_key is enabled. Expects path to TLS PSK
-enable_compresion: yes
+enable_compresion: no
 vpn_cipher: AES-256-CBC
 script_security: 2
 

openvpn-node/tasks/main.yml

@@ -41,4 +41,4 @@
     enabled: true
     state: started
 
-
+# todo autorestart a override na network-online.target

syslog-remote/defaults/main.yml

@@ -0,0 +1 @@
+syslog_remote_port: 514

syslog-remote/templates/remote.conf

@@ -4,7 +4,7 @@
 destination d_remote {
 	network(
 		"{{ syslog_remote }}"
-		port(514)
+		port({{ syslog_remote_port }})
 		transport(tcp)
 	);
 };