From a115df39962980c972c4a286c9fdfb336dbd8142 Mon Sep 17 00:00:00 2001 From: Andrew Wang Date: Sun, 3 Oct 2021 21:52:49 -0400 Subject: [PATCH] fixes --- README.md | 30 ++++---- libvirt/README.md | 8 -- mirror/README.md | 6 +- mirror/main.yml | 5 +- roles/mirror/templates/cron/csc-mirror | 6 +- roles/nginx/templates/includes/mirror.conf | 14 ++-- .../templates/sites-available/debian.conf | 36 +++++---- .../templates/sites-available/mirror.conf | 76 ++++++++++--------- roles/rsync/templates/rsyncd.conf | 4 +- roles/ssh/tasks/main.yml | 6 ++ 10 files changed, 97 insertions(+), 94 deletions(-) diff --git a/README.md b/README.md index 505268f..cdcd21d 100644 --- a/README.md +++ b/README.md @@ -43,7 +43,7 @@ Continue with autoinstall (yes|no) Once the installation is complete, you can run the vm using: ``` -$ ansible-playbook qemu/run/yml +$ ansible-playbook qemu/run.yml ``` The default login user has @@ -53,10 +53,17 @@ password: ubuntu ``` ## VM Install Option 2 (libvirt) -Follow instructions in the README.md of the libvirt directory - -## System Details -Further system information for those that are interested. +Follow the instructions in `libvirt/README.md` +## Issues/Remarks +- cron config `/etc/cron.d/csc-mirror` is commented out for now +- merlin.service is NOT started +- outsider/insider + - ssh server for push user is running on port 23 + - `/etc/nginx/includes/mirror.conf` allow + - `/etc/rsyncd.conf` hosts allow +- commented out + - nginx server_name `debian.csclub.uwaterloo.ca`, `ca.ceph.com`, `ca.releases.ubuntu.com` + - nginx port 443 configuration ``` $ lsblk 
@@ -83,15 +90,4 @@ vde 252:64 0 10G 0 disk vdf 252:80 0 10G 0 disk ├─vdf1 252:81 0 10G 0 part └─vdf9 252:89 0 8M 0 part -``` -Drives vda and vdb are for the main filesystem, they use raid1. Drives vdc, vdd, vde and vdf are in a raidz2 zpool. - -## Issues/Remarks -- `/etc/cron.d/csc-mirror` is commented out for now -- need to update `/home/mirror/config/(ADDRESS|ADDRESS_V6)` -- `/mirror/root/include/motd.msg` contains the wrong address -- may want to generate cert for nginx -- will need to modify nginx server_name -- update /etc/rsyncd.conf hosts allow -- create playbook to add a new project? -- ssh server for push user is running on port 23 \ No newline at end of file +``` \ No newline at end of file diff --git a/libvirt/README.md b/libvirt/README.md index 3604c2d..4d3fbd2 100644 --- a/libvirt/README.md +++ b/libvirt/README.md @@ -1,7 +1,4 @@ ## Installation - ---- - ### Prerequisites (debian) Install QEMU and KVM @@ -29,8 +26,6 @@ $ pacman -S qemu libvirt virt-install virt-viewer ansible ``` ## Running the Playbook ---- - Run the playbook from one directory down ``` ansible-playbook libvirt/main.yml @@ -74,8 +69,6 @@ $ git clone https://git.csclub.uwaterloo.ca/public/mirror-env.git then enter `mirror-env/mirror` and use the instructions listed there ## Troubleshooting ---- - ``` net.ipv4.ip_forward = 1 ``` @@ -90,7 +83,6 @@ group = "root" $ service restart libvirtd ``` ## Installing Ubuntu ---- - user: local - password: password diff --git a/mirror/README.md b/mirror/README.md index 25f69bb..81aec45 100644 --- a/mirror/README.md +++ b/mirror/README.md @@ -1,4 +1,2 @@ -# mirror playbook -this playbook will be run inside a already set up vm to set up the services - -TODO: varable for which disks to turn into a zfs pool \ No newline at end of file +# Mirror Playbook +This playbook will be run inside a vm to set up the mirror's services \ No newline at end of file diff --git a/mirror/main.yml b/mirror/main.yml index a3b5c47..e2fd5dc 100644 --- a/mirror/main.yml 
+++ b/mirror/main.yml @@ -1,12 +1,9 @@ - name: setup mirror vm hosts: 127.0.0.1 -# - modify ssh config to allow root login -# - copy over ssh public keys (if provided) roles: - "../roles/system" - "../roles/mirror" - "../roles/ftp" - "../roles/nginx" - "../roles/rsync" - - "../roles/ssh" - # TODO: - "../roles/mirrormanager" \ No newline at end of file + - "../roles/ssh" \ No newline at end of file diff --git a/roles/mirror/templates/cron/csc-mirror b/roles/mirror/templates/cron/csc-mirror index 33c0989..def88d0 100644 --- a/roles/mirror/templates/cron/csc-mirror +++ b/roles/mirror/templates/cron/csc-mirror @@ -22,9 +22,11 @@ # # ztseguin - temporarilly disabled until script can be updated to handle symlink farm # # 40 5 */14 * * mirror cd /home/mirror/mirror-index && /home/mirror/mirror-index/make-index.py # # 30 3 * * 0 mirror cd /home/mirror/mirror-index && /home/mirror/mirror-index/make-index.py -# + +# uncomment +# # # Update index hourly # 0 * * * * mirror cd /home/mirror/mirror-index && /home/mirror/mirror-index/make-index.py -# + # 0 * * * * mirror /home/mirror/bin/zfssync csclub >/home/mirror/merlin/logs/zfssync-csclub 2>/dev/null # 0 * * * * mirror /home/mirror/bin/zfssync wics >/home/mirror/merlin/logs/zfssync-wics 2>/dev/null \ No newline at end of file diff --git a/roles/nginx/templates/includes/mirror.conf b/roles/nginx/templates/includes/mirror.conf index 2830a5e..31054e0 100644 --- a/roles/nginx/templates/includes/mirror.conf +++ b/roles/nginx/templates/includes/mirror.conf @@ -14,13 +14,13 @@ location / { # Server status location /server-status { stub_status on; - allow 127.0.0.1; - allow ::1; - allow 129.97.134.0/24; - allow 129.97.31.128/26; - allow 2620:101:f000:4901::/64; - allow 2620:101:f000:4902::/64; - deny all; +# allow 127.0.0.1; +# allow ::1; +# allow 129.97.134.0/24; +# allow 129.97.31.128/26; +# allow 2620:101:f000:4901::/64; +# allow 2620:101:f000:4902::/64; +# deny all; } # Statistics 
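Review bot: The two removed comments were the only record in this play that roles/ssh is expected to allow root login and copy public keys, and nothing replaces them; if the ssh role does change PermitRootLogin, that intent should be stated on the role itself (and limited to key-based authentication) rather than silently dropped. The net effect of the hunk is otherwise only comment removal, since `- "../roles/ssh"` is deleted and re-added as the last line. The dropped mirrormanager TODO is also no longer visible anywhere; a one-line `# mirrormanager role intentionally not applied yet` in the roles list would keep that omission explicit.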
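Review bot: The added `# uncomment` marker does not say which job it refers to: the hourly make-index line directly below it, or also the two zfssync jobs at the end of the hunk, which stay commented as well. A maintainer enabling this file later will have to guess, so a marker such as `# TODO: uncomment the hourly make-index job below when this cron file is enabled` on the index line, plus a separate note on the zfssync lines saying whether they are meant to stay disabled, makes the intent clear. README.md's new Issues/Remarks entry only records that `/etc/cron.d/csc-mirror` is commented out, so this template is the only place the per-job reason can live.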
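Review bot: Commenting out the whole allow/deny list leaves `stub_status on;` at /server-status reachable from any client, because nginx applies no access restriction to a location that has no allow/deny directives at all. Even while the outsider/insider question noted in README.md is open, the endpoint should keep at least `allow 127.0.0.1;` `allow ::1;` `deny all;` so connection and request counters are not exposed to arbitrary hosts; the campus ranges can be restored once that decision is made. The enclosing server block starts and ends outside the hunk.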
diff --git a/roles/nginx/templates/sites-available/debian.conf b/roles/nginx/templates/sites-available/debian.conf index 09c28c0..61f8bad 100644 --- a/roles/nginx/templates/sites-available/debian.conf +++ b/roles/nginx/templates/sites-available/debian.conf @@ -1,17 +1,21 @@ -server { - listen 80; - listen [::]:80; - - include includes/csc-debian.conf; -} +# don't have this domain +# +# server { +# listen 80; +# listen [::]:80; +# +# include includes/csc-debian.conf; +# } -server { - listen 443 ssl; - listen [::]:443 ssl; - - ssl_certificate /etc/ssl/private/csclub-wildcard-chain.crt; - ssl_certificate_key /etc/ssl/private/csclub-wildcard.key; - include includes/ssl.conf; - - include includes/csc-debian.conf; -} +# disable ssl +# +# server { +# listen 443 ssl; +# listen [::]:443 ssl; +# +# ssl_certificate /etc/ssl/private/csclub-wildcard-chain.crt; +# ssl_certificate_key /etc/ssl/private/csclub-wildcard.key; +# include includes/ssl.conf; +# +# include includes/csc-debian.conf; +# } diff --git a/roles/nginx/templates/sites-available/mirror.conf b/roles/nginx/templates/sites-available/mirror.conf index 4e23a7e..252670b 100644 --- a/roles/nginx/templates/sites-available/mirror.conf +++ b/roles/nginx/templates/sites-available/mirror.conf 
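Review bot: After this change every server block in debian.conf is commented out, so the file does nothing while still referencing `/etc/ssl/private/csclub-wildcard.key` and `includes/csc-debian.conf`; if the nginx role still links it into sites-enabled, an empty site file is harmless but misleading, and it would be cleaner not to enable it until the domain exists. The two header comments give different reasons (`# don't have this domain` and `# disable ssl`) for the HTTP and HTTPS blocks of the same host; a single top-of-file comment such as `# debian.csclub.uwaterloo.ca is not served from this VM yet; both HTTP and HTTPS blocks are disabled` states the actual situation. README.md now lists this server_name under commented-out items, so keep the two in sync when re-enabling.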
@@ -5,40 +5,46 @@ server { include includes/mirror.conf; } -server { - listen 443 ssl default_server reuseport; - listen [::]:443 ssl default_server reuseport; +# disable ssl +# +# server { +# listen 443 ssl default_server reuseport; +# listen [::]:443 ssl default_server reuseport; +# +# ssl_certificate /etc/ssl/private/csclub-wildcard-chain.crt; +# ssl_certificate_key /etc/ssl/private/csclub-wildcard.key; +# include includes/ssl.conf; +# +# include includes/mirror.conf; +# } - ssl_certificate /etc/ssl/private/csclub-wildcard-chain.crt; - ssl_certificate_key /etc/ssl/private/csclub-wildcard.key; - include includes/ssl.conf; +# don't have these domains +# +# # ca.releases.ubuntu.com +# server { +# listen 80; +# listen [::]:80; +# +# include includes/ubuntu.conf; +# } +# +# # ca.ceph.com +# server { +# listen 80; +# listen [::]:80; +# +# include includes/ceph.conf; +# } - include includes/mirror.conf; -} - -# ca.releases.ubuntu.com -server { - listen 80; - listen [::]:80; - - include includes/ubuntu.conf; -} - -# ca.ceph.com -server { - listen 80; - listen [::]:80; - - include includes/ceph.conf; -} - -server { - listen 443 ssl; - listen [::]:443 ssl; - - ssl_certificate /etc/dehydrated/certs/ca.ceph.com/fullchain.pem; - ssl_certificate_key /etc/dehydrated/certs/ca.ceph.com/privkey.pem; - include includes/ssl.conf; - - include includes/ceph.conf; -} +# disable ssl +# +# server { +# listen 443 ssl; +# listen [::]:443 ssl; +# +# ssl_certificate /etc/dehydrated/certs/ca.ceph.com/fullchain.pem; +# ssl_certificate_key /etc/dehydrated/certs/ca.ceph.com/privkey.pem; +# include includes/ssl.conf; +# +# include includes/ceph.conf; +# } \ No newline at end of file diff --git a/roles/rsync/templates/rsyncd.conf b/roles/rsync/templates/rsyncd.conf index 357419b..4ff7585 100644 --- a/roles/rsync/templates/rsyncd.conf +++ b/roles/rsync/templates/rsyncd.conf 
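Review bot: Disabling the 443 default_server block leaves the mirror reachable over cleartext HTTP only, and the same commit deletes the README.md remark `may want to generate cert for nginx`, so the follow-up to obtain a certificate is no longer recorded anywhere. The new README Issues/Remarks entry `nginx port 443 configuration` should say that TLS is off until a certificate for the mirror's hostname is available, and the `# disable ssl` headers here (and the one in debian.conf) could carry the same pointer, e.g. `# disable ssl until a certificate for this host is provisioned; see README Issues/Remarks`. The port-80 server block at the top of the hunk opens outside it, so only its closing lines are visible here.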
@@ -12,7 +12,9 @@ read only = true [mirror] path = /mirror/root comment = Everything - hosts allow = 129.97.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 2620:101:f000::/47, fd74:6b6a:8eca::/47 +# allow any host +# +# hosts allow = 129.97.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 2620:101:f000::/47, fd74:6b6a:8eca::/47 filter = merge /etc/rsyncd-filter.conf [alpine] diff --git a/roles/ssh/tasks/main.yml b/roles/ssh/tasks/main.yml index 35d31f8..fdf62ad 100644 --- a/roles/ssh/tasks/main.yml +++ b/roles/ssh/tasks/main.yml @@ -44,6 +44,9 @@ group: "{{ item }}" mode: "0700" state: directory + loop: + - mirror + - push - name: create authorized_keys files for mirror and push file: @@ -51,6 +54,9 @@ owner: "{{ item }}" group: "{{ item }}" mode: "0644" + loop: + - mirror + - push - name: generate key for mirror user command:
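Review bot: Removing `hosts allow` from the [mirror] module makes rsyncd accept that module from any source address, which the comment `# allow any host` states but does not justify; since `read only = true` appears in the context above, the exposure is read-only, but the decision should be explicit and easy to reverse. Replace the bare comment with `# hosts allow intentionally unset: public read-only mirror module; restore the campus ranges below if this VM must stay internal` so the outsider/insider item in README.md's Issues/Remarks can be resolved against it. Only the [mirror] module is visible; [alpine] and any other modules start outside the hunk.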
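Review bot: The two `loop:` lists added here are copied verbatim (`mirror`, `push`) into the directory task and the authorized_keys task, and the neighbouring tasks for the same users presumably need the same list, so the user set will drift when one is edited. Defining it once in the role's defaults and using `loop: "{{ ssh_push_users }}"` in each task keeps them in step; the task names already say "for mirror and push", so the values are at least self-describing. Both tasks' `file:` sections start above the hunk, so the paths and the `state` of the authorized_keys file cannot be checked here.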