authorChristian Pointner <equinox@spreadspace.org>2019-01-12 03:30:30 +0100
committerChristian Pointner <equinox@spreadspace.org>2019-01-12 03:30:30 +0100
commit83e27ac758c38ffd9931ef8830e0256e772e5881 (patch)
tree69c9637f488f5db46bacd6b0c47705e4c0309a9e
parentelevate/media: minor cleanup and fixes (diff)
added dyndns client role
-rw-r--r--inventory/host_vars/ele-media.yml4
-rw-r--r--inventory/host_vars/pan.yml5
-rw-r--r--inventory/hosts.ini1
-rw-r--r--roles/dyndns/client/tasks/main.yml60
-rw-r--r--roles/dyndns/client/templates/dyndns.service.j219
-rw-r--r--roles/dyndns/client/templates/dyndns.timer.j28
-rw-r--r--roles/dyndns/client/templates/ssh_config.j26
7 files changed, 103 insertions, 0 deletions
diff --git a/inventory/host_vars/ele-media.yml b/inventory/host_vars/ele-media.yml
index 0adac6a7..95e5d472 100644
--- a/inventory/host_vars/ele-media.yml
+++ b/inventory/host_vars/ele-media.yml
@@ -13,6 +13,10 @@ install:
primary: /dev/disk/by-id/ata-Samsung_SSD_840_Series_S14GNEACC92243K
+dyndns_server: pan
+dyndns_client_name: "{{ hostvars[dyndns_server].dyndns.clients[inventory_hostname] }}"
+
+
admin_user_host:
- "{{ equinox_user }}"
diff --git a/inventory/host_vars/pan.yml b/inventory/host_vars/pan.yml
new file mode 100644
index 00000000..6cb1bddc
--- /dev/null
+++ b/inventory/host_vars/pan.yml
@@ -0,0 +1,5 @@
+---
+dyndns:
+ domain: schaaas.at
+ clients:
+ ele-media: elemedia
diff --git a/inventory/hosts.ini b/inventory/hosts.ini
index a3a27c7f..9d225a3b 100644
--- a/inventory/hosts.ini
+++ b/inventory/hosts.ini
@@ -17,6 +17,7 @@ ansible_host={{ host_name }}.{{ host_domain }}
#prometheus
atlas
keyserver
+pan ansible_host=ch-pan ansible_port=222
[k8s-test:vars]
diff --git a/roles/dyndns/client/tasks/main.yml b/roles/dyndns/client/tasks/main.yml
new file mode 100644
index 00000000..81f74936
--- /dev/null
+++ b/roles/dyndns/client/tasks/main.yml
@@ -0,0 +1,60 @@
+---
+- name: create user for dyndns
+ user:
+ name: dyndns
+ home: /var/lib/dyndns
+ system: yes
+ shell: /bin/false
+ generate_ssh_key: yes
+ ssh_key_type: ed25519
+ ssh_key_comment: "dyndns@{{ host_name }}.{{ host_domain }}"
+ register: dyndns_user
+
+- name: install ssh key on server
+ delegate_to: "{{ dyndns_server }}"
+ lineinfile:
+ path: /var/lib/dyndns/.ssh/authorized_keys
+ mode: 0600
+ regexp: 'command="/usr/local/bin/dyndns.py {{ dyndns_client_name }}"'
+ line: 'no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding,no-user-rc,command="/usr/local/bin/dyndns.py {{ dyndns_client_name }}" {{ dyndns_user.ssh_public_key }}'
+
+- name: install ssh config
+ template:
+ src: ssh_config.j2
+ dest: /var/lib/dyndns/.ssh/config
+ owner: dyndns
+ group: dyndns
+
+
+ ## TODO: fix me!!!
+- name: hack to make known_hosts work (1/2)
+ command: "ssh-keyscan -p {{ hostvars[dyndns_server].ansible_port }} {{ hostvars[dyndns_server].host_name }}.{{ hostvars[dyndns_server].host_domain }}"
+ args:
+ creates: /var/lib/dyndns/.ssh/known_hosts
+ changed_when: False
+ check_mode: False
+ register: dyndns_ssh_keyscan
+
+- name: hack to make known_hosts work (1/2)
+ copy:
+ content: "{{ dyndns_ssh_keyscan.stdout }}"
+ dest: /var/lib/dyndns/.ssh/known_hosts
+ owner: dyndns
+ group: dyndns
+ # fix me
+
+
+- name: install systemd uints
+ template:
+ src: "dyndns.{{ item }}.j2"
+ dest: "/etc/systemd/system/dyndns.{{ item }}"
+ with_items:
+ - service
+ - timer
+
+- name: make sure the systemd timer is enabled and running
+ systemd:
+ daemon_reload: yes
+ name: dyndns.timer
+ enabled: yes
+ state: started
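Review bot: The known_hosts population in the two `hack to make known_hosts work` tasks trusts whatever key `ssh-keyscan` receives over the network on the first run, so a substituted host key at provisioning time would be accepted silently, and because `creates:` short-circuits the command on later runs, `dyndns_ssh_keyscan.stdout` no longer carries a key then — on Ansible versions where the command module returns a placeholder stdout in the `creates` case, the following `copy` overwrites known_hosts with that text. Since `pan` is an inventory host, its key can instead be taken from gathered facts (`ansible_ssh_host_key_ed25519_public`, present once facts have been gathered for that host) and written with the `known_hosts` module, which is idempotent; the file then needs an ownership fix-up because the module creates it as root. Two smaller points in the same hunk: the second hack task repeats the name `(1/2)` where `(2/2)` is meant, and `mode: 0600` in `install ssh key on server` would better be the string `mode: "0600"` so YAML does not hand Ansible an integer; `uints` in `install systemd uints` is a typo.
```yaml
- name: install known_hosts entry for the dyndns server
  known_hosts:
    path: /var/lib/dyndns/.ssh/known_hosts
    name: "[{{ hostvars[dyndns_server].host_name }}.{{ hostvars[dyndns_server].host_domain }}]:{{ hostvars[dyndns_server].ansible_port }}"
    key: "[{{ hostvars[dyndns_server].host_name }}.{{ hostvars[dyndns_server].host_domain }}]:{{ hostvars[dyndns_server].ansible_port }} ssh-ed25519 {{ hostvars[dyndns_server].ansible_ssh_host_key_ed25519_public }}"

- name: fix ownership of known_hosts
  file:
    path: /var/lib/dyndns/.ssh/known_hosts
    owner: dyndns
    group: dyndns
    mode: "0644"

# … unchanged: install systemd units, enable timer …
```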
diff --git a/roles/dyndns/client/templates/dyndns.service.j2 b/roles/dyndns/client/templates/dyndns.service.j2
new file mode 100644
index 00000000..31a430ee
--- /dev/null
+++ b/roles/dyndns/client/templates/dyndns.service.j2
@@ -0,0 +1,19 @@
+[Unit]
+Description=Update dyndns using {{ hostvars[dyndns_server].host_name }}.{{ hostvars[dyndns_server].host_domain }}
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/ssh {{ hostvars[dyndns_server].host_name }}.{{ hostvars[dyndns_server].host_domain }} {{ dyndns_client_name }}
+User=dyndns
+Group=dyndns
+Nice=19
+CapabilityBoundingSet=CAP_CHOWN CAP_NET_BIND_SERVICE
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=strict
+ProtectHome=yes
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
+RestrictRealtime=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
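Review bot: `CapabilityBoundingSet=CAP_CHOWN CAP_NET_BIND_SERVICE` keeps two capabilities that an outbound ssh client running as the unprivileged `dyndns` user has no use for; unless something outside this unit relies on them, the tighter form is the empty `CapabilityBoundingSet=`, which drops all of them. In the same spirit as the existing Protect* lines, `LockPersonality=yes` and `SystemCallArchitectures=native` are cheap additions. `ProtectSystem=strict` also makes /var/lib/dyndns read-only for this unit, which only works because the role populates known_hosts beforehand; a comment above that line such as `# known_hosts is written by the role, ssh never needs to update it` would save the next reader from checking.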
diff --git a/roles/dyndns/client/templates/dyndns.timer.j2 b/roles/dyndns/client/templates/dyndns.timer.j2
new file mode 100644
index 00000000..c5a08c8d
--- /dev/null
+++ b/roles/dyndns/client/templates/dyndns.timer.j2
@@ -0,0 +1,8 @@
+[Unit]
+Description=Trigger dyndns updates
+
+[Timer]
+OnCalendar=*:1/3
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/dyndns/client/templates/ssh_config.j2 b/roles/dyndns/client/templates/ssh_config.j2
new file mode 100644
index 00000000..fd15bc49
--- /dev/null
+++ b/roles/dyndns/client/templates/ssh_config.j2
@@ -0,0 +1,6 @@
+Host {{ hostvars[dyndns_server].host_name }}.{{ hostvars[dyndns_server].host_domain }}
+ Port {{ hostvars[dyndns_server].ansible_port }}
+ User {{ hostvars[dyndns_server].user | default('dyndns') }}
+ IdentityFile {{ dyndns_user.ssh_key_file }}
+ IdentitiesOnly yes
+ PasswordAuthentication no
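Review bot: The client config leaves host-key checking at the ssh default and sets no `BatchMode`, so when the timer runs ssh without a tty an unknown or changed server key ends in whatever fallback ssh chooses rather than a deliberate hard failure; making it explicit with `StrictHostKeyChecking yes`, `UserKnownHostsFile /var/lib/dyndns/.ssh/known_hosts` and `BatchMode yes` pins the file the role populates and rules out any prompt. The `User` line reads `hostvars[dyndns_server].user`, which nothing in this commit defines; if it is expected from the server role a comment naming its source would help, otherwise the `default('dyndns')` is always what applies.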