Debian / Ubuntu mass dist-upgrade with Ansible (with fallback and logging)

ansible-playbook dist-upgrade.yml -i your_inventory [-l host_name]

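---
# Mass dist-upgrade for Debian / Ubuntu hosts with a bootstrap fallback and
# controller-side logging of what changed.
# Usage: ansible-playbook dist-upgrade.yml -i your_inventory [-l host_name]
- hosts: all
  # Facts are gathered explicitly in pre_tasks so that a host without a
  # python interpreter can be bootstrapped first (rescue branch below).
  gather_facts: false
  vars:
    # Print the apt output even when nothing was upgraded
    # (override with -e verbose=true).
    verbose: false
    # Directory on the controller that receives one logfile per run.
    log_dir: "log/dist-upgrade/{{ inventory_hostname }}"
  pre_tasks:
    - block:
        - setup:
      rescue:
        # setup failed, which on a fresh image usually means there is no
        # python for Ansible to run; install it over the raw connection.
        # --force-yes is gone: it is deprecated in apt and also overrides
        # the refusal to install unauthenticated packages.
        - name: "Install required python-minimal package"
          raw: "apt-get update && apt-get install -y python-apt python-minimal"
        - setup:
  tasks:
    - name: Update packages
      apt:
        update_cache: true
        upgrade: dist
        autoremove: true
      register: output

    # apt-get prints "0 upgraded, 0 newly installed, ..." when there was
    # nothing to do; anything else means packages changed. `is search`
    # replaces the `| search` filter form, which Ansible 2.9 removed.
    - name: Check changes
      set_fact:
        updated: true
      when:
        - output.stdout is defined
        - not (output.stdout is search("0 upgraded, 0 newly installed"))

    # `| bool` so that -e verbose=false (a string on the command line) is
    # not treated as truthy.
    - name: Display changes
      debug:
        msg: "{{ output.stdout_lines }}"
      when: verbose | bool or updated is defined

    # Log the apt output on the controller, one file per host and run.
    # Both tasks are marked unchanged so the log itself never counts as a change.
    - block:
        - name: "Create log directory"
          file:
            path: "{{ log_dir }}"
            state: directory
          changed_when: false

        - name: "Write changes to logfile"
          copy:
            content: "{{ output.stdout }}"
            dest: "{{ log_dir }}/dist-upgrade_{{ ansible_date_time.iso8601 }}.log"
          changed_when: false
      when: updated is defined
      connection: local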

dnsmasq

# cat /etc/dnsmasq.conf
# Act as the only DHCP server on this segment (answers unknown leases
# immediately; only appropriate when no other DHCP server is present).
dhcp-authoritative
# Upstream resolver that non-local queries are forwarded to.
server=192.168.1.6

# Dedicated logfile; log-queries records every DNS lookup (which client
# resolved which name), so the file grows quickly and is itself sensitive.
log-facility=/var/log/dnsmasq.log
log-queries

# Names under example.com are answered from local data only, never forwarded;
# domain= is the domain handed out to DHCP clients.
local=/example.com/
domain=example.com

# Static hosts file generated from the dhcp-host lines of this config:
# field 3 (IP) and field 2 (name) of each entry, tab separated, sorted by name.
# cat /etc/dnsmasq.conf | grep "^dhcp-host" | awk -v OFS="\t" -F "," '{print $3, $2}' | sort -k2 > /etc/hosts.pre
addn-hosts=/etc/hosts.pre

# DHCP
# Dynamic pool, netmask and lease time (1 day).
dhcp-range=192.168.1.150,192.168.1.200,255.255.255.0,1d
dhcp-option=option:router,192.168.1.6
# NTP server pushed to clients; an external address, so clients need
# outbound NTP.
dhcp-option=option:ntp-server,217.7.239.199

# PXE
# Boot file, TFTP server name and address for network boot.
dhcp-boot=pxelinux.0,srv,192.168.1.9
# Clients tagged "sip" (net: is the legacy spelling of tag:) receive a
# provisioning URL instead — presumably for the SIP phones matched elsewhere.
dhcp-boot=net:sip,http://srv/snom3x0/snom3x0.xml,srv,192.168.1.9

Apache authentication

# vi /etc/apache2/sites-enabled/000-default.conf 
<VirtualHost *:80>
    ...
    <Directory "/var/www/html">
      # Lets the .htaccess below supply the Auth* directives. Note this is the
      # plain-HTTP vhost: Basic auth sends credentials in the clear here, so
      # the same block belongs in the :443 vhost (or redirect :80 to HTTPS).
      AllowOverride AuthConfig
      # Indexes enables directory listings where no index file exists; drop it
      # if the tree should not be browsable.
      Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
      # Apache 2.2 access-control syntax; on 2.4 it needs mod_access_compat,
      # the native form being "Require all granted".
      Order allow,deny
      Allow from all
    </Directory>
    ...
</VirtualHost>
 
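# Protect /var/www/html with HTTP Basic auth. The directives take effect only
# because the vhost sets "AllowOverride AuthConfig" for this directory.
# Basic auth transmits the password in the clear, so serve this over HTTPS.
cat <<EOF> /var/www/html/.htaccess
AuthBasicAuthoritative On
AuthName "Authorized Users Only."
AuthType Basic
AuthUserFile /etc/apache2/htpasswd
Require user USER_NAME
EOF

# Create the user. -b takes the password from the command line, where it is
# visible in the process list and shell history; omit -b and 'USER_PASS' to be
# prompted instead. -c is required when the file does not exist yet and must
# not be used on an existing file (it truncates it), hence the branch.
if [ -e /etc/apache2/htpasswd ]; then
  htpasswd -b /etc/apache2/htpasswd USER_NAME 'USER_PASS'
else
  htpasswd -c -b /etc/apache2/htpasswd USER_NAME 'USER_PASS'
fi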

Mate

# install
sudo apt-get install ubuntu-mate-desktop

# reset panel
mate-panel --reset

# configuration
https://github.com/vinadoros/CustomScripts/blob/master/DMATE.sh

gsettings set org.mate.caja.preferences default-folder-viewer 'list-view'

# Caja bookmarks
~/.gtk-bookmarks

Ansible templates

{# One line per inventory host in the db_servers group. #}
{% for host in groups['db_servers'] %}
{{ host }}
{% endfor %}

{# IPv4 address of eth0 for each db_servers host.
   NOTE(review): hostvars[host]['ansible_eth0'] is only present when facts for
   that host were gathered in this run (or are cached); rendering this from a
   play that does not include db_servers fails otherwise — confirm. #}
{% for host in groups['db_servers'] %}
{{ hostvars[host]['ansible_eth0']['ipv4']['address'] }}
{% endfor %}

Create and install StartCom SSL certificate

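# Generate a 2048-bit RSA key and the CSR to submit to the CA. -nodes leaves
# the key unencrypted on disk, so it must stay readable by root only (see the
# install step below). The openssl/apache steps apply to any CA; StartCom
# itself has not been trusted by major browsers for years.
openssl \
req \
-nodes \
-newkey rsa:2048 \
-keyout www.example.com.key \
-out www.example.com.csr \
-subj "/C=DE/ST=NRW/L=Berlin/O=My Inc/OU=DevOps/CN=www.example.com/emailAddress=dev@www.example.com"

# Enable mod_ssl and the default SSL vhost; restart picks up the module.
a2enmod ssl
a2ensite default-ssl
service apache2 restart

# Install the issued certificate and the CA bundle.
cp /tmp/2_*.crt /etc/ssl/certs/
cp /tmp/1_root_bundle.crt /etc/ssl/certs/
# install(1) instead of cp so the private key is created 0600 root:root
# regardless of the mode it had in /tmp.
install -o root -g root -m 600 /tmp/*.key /etc/ssl/private/
# Restart apache again after editing default-ssl.conf (below) so the new
# certificate and key are actually served.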

/etc/apache2/sites-enabled/default-ssl.conf
# Enable TLS for this vhost; the SSLCertificateFile / SSLCertificateKeyFile /
# SSLCertificateChainFile directives pointing at the files copied to /etc/ssl
# are not shown here.
SSLEngine on
# Disables SSLv2/SSLv3 only; TLS 1.0 and 1.1 remain enabled. Add
# "-TLSv1 -TLSv1.1" unless legacy clients still need them.
SSLProtocol all -SSLv2 -SSLv3
# Still admits MEDIUM-strength suites and excludes all DH key exchange;
# verify the resulting configuration with the SSL Labs test linked below.
SSLCipherSuite ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!LOW:!aNULL:!eNULL

SSL

# check certificate
https://www.ssllabs.com/ssltest/analyze.html
http://www.panticz.de/Check-SSL-TLS-server-encryption-support

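# list certificate domains (SAN entries) of a local certificate file
openssl x509 -in cert.pem -noout -text | grep DNS
# ... and of a live server. </dev/null closes s_client's stdin so the pipeline
# does not sit waiting for input; -servername sends SNI so a server hosting
# several names returns the certificate for this one.
openssl s_client -showcerts -servername www.example.com -connect www.example.com:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep DNS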

# letsencrypt
http://www.panticz.de/letsencrypt

# StartCom / startssl.com
http://www.panticz.de/Create-and-install-StartCom-SSL-certificate

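# remove password from private key
# The output file holds the key in the clear; the umask in the subshell makes
# it 0600 from creation instead of the default 0644.
(umask 077; openssl rsa -in www.example.key.pass -out www.example.key)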

# Links
http://panticz.de/apache2_openssl_certificate

Squid: Compile with SSL support under Debian Wheezy / Jessie

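# Fetch the build script, then run it. --no-check-certificate was dropped: it
# disabled TLS verification for a script that runs as root, so anyone on the
# network path could substitute it. Saving to a file also lets you read the
# script before executing it.
wget -q https://raw.githubusercontent.com/panticz/scripts/master/compile.squid.with.ssl.support.sh -O compile.squid.with.ssl.support.sh
bash compile.squid.with.ssl.support.sh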

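#!/bin/bash
# Build Debian's squid3 3.4.8 package with SSL support (Wheezy / Jessie).
# Abort on the first failing command so a failed download or patch step does
# not silently end in building the unpatched sources.
set -euo pipefail

# add Debian Wheezy backports repository
cat <<EOF> /etc/apt/sources.list.d/wheezy-backports.list
deb http://ftp.de.debian.org/debian wheezy-backports main
deb-src http://ftp.de.debian.org/debian wheezy-backports main
EOF

# update repository list
apt-get update

# install required dev packages
apt-get install -y wget openssl devscripts build-essential libssl-dev

# fetch the debian squid3 source package into the current directory
apt-get source -y squid3

# install all required dependency packages
apt-get build-dep -y squid3

# enable SSL support (patches debian/rules, presumably to add --enable-ssl)
# NOTE(review): the diff comes over plain HTTP and is applied unseen; with
# pipefail a failed download now aborts the build, but nothing checks the
# content. Download and inspect the diff first on hosts that matter.
wget -q http://dl.panticz.de/squid/squid3-3.4.8_enable_ssl.diff -O - | patch -p2 squid3-3.4.8/debian/rules

# build unsigned packages (-us -uc); debuild writes the .deb files to the
# parent directory
cd squid3-3.4.8
debuild -us -uc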

Install packages
# installed first, presumably because the squid3 package depends on it
apt-get install logrotate
# install the freshly built packages (debuild put them in the parent of the
# source directory, so run this from there), then let apt resolve anything
# dpkg reported as missing
dpkg -i *.deb
apt-get install -f

Test configuration
# squid3 -v
Squid Cache: Version 3.4.8
configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid3' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-ssl' '--with-open-ssl=/etc/ssl/openssl.cnf' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security'

Links
http://ubuntuforums.org/showthread.php?t=2171061
