Fixed ret-val

README.md

@@ -0,0 +1,5 @@
+
+ansible-galaxy install  -f -r roles/requirements.yml
+
+cd install-rapsberry
+cd ;rm -rf install-rapsberry/;git clone https://gitweb.dyndns.org/raspberry/install-rapsberry.git;cd install-rapsberry;git checkout dev;./inst-rasp.sh

ansible.cfg

@@ -0,0 +1,4 @@
+[defaults]
+system_warnings = False
+deprecation_warnings = False
+command_warnings = False

assert-vars.yml

@@ -0,0 +1,4 @@
+- name: verify if vars are defined and not empty
+  assert:
+    that:
+    - mail_domain

create-gilles-user.yml

@@ -0,0 +1,21 @@
+- name: install mandatory python for encrypt password
+  dnf:
+    name: [python3, python3-bcrypt]
+    state: present
+
+- name: create password for user kadmin
+  shell: python -c 'import crypt;hashed = crypt.crypt("{{ gilles_passwd }}"); print(hashed);'
+  register: passwd
+
+- name: create user kadmin
+  user: 
+    name: gilles
+    comment: Gilles Mouchet
+    password: "{{ passwd.stdout }}"
+
+- name: copy sudo file
+  lineinfile:
+    path: /etc/sudoers.d/gilles
+    create: true
+    insertbefore: EOF
+    line: 'gilles    ALL=(ALL)   NOPASSWD: ALL'    

disable-ipv6.yml

@@ -0,0 +1,31 @@
+---
+- name: disable IPv6 with sysctl
+  sysctl: name={{ item }} value=1 state=present reload=yes
+  with_items:
+    - net.ipv6.conf.all.disable_ipv6
+    - net.ipv6.conf.default.disable_ipv6
+    - net.ipv6.conf.lo.disable_ipv6
+
+#- name: placeholder true for ipv6 in modprobe
+#  lineinfile:
+#    dest: /etc/modprobe.conf
+#    line: 'install ipv6 /bin/true'
+#    mode: '0644'
+
+- name: disable ipv6 in sysconfig/network
+  lineinfile:
+    dest: /etc/sysconfig/network
+    regexp: "^{{ item.regexp }}"
+    line: "{{ item.line }}"
+    mode: '0644'
+    backup: yes
+    create: yes
+  with_items:
+    - { regexp: 'NETWORKING_IPV6=.*', line: 'NETWORKING_IPV6=NO' }
+    - { regexp: 'IPV6INIT=.*', line: 'IPV6INIT=no' }
+
+- name: unactive ipv6 sshd
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    insertafter: '^#ListenAddress 0.0.0.0'
+    line: 'ListenAddress 0.0.0.0'

files/chrony/chrony.conf

@@ -0,0 +1,42 @@
+# Use public servers from the pool.ntp.org project.
+# Please consider joining the pool (http://www.pool.ntp.org/join.html).
+#pool 2.pool.ntp.org iburst
+# https://www.metas.ch/metas/fr/home/fabe/zeit-und-frequenz/time-dissemination.html
+server ntp11.metas.ch iburst
+server ntp12.metas.ch iburst
+server ntp13.metas.ch iburst
+
+# Record the rate at which the system clock gains/losses time.
+driftfile /var/lib/chrony/drift
+
+# Allow the system clock to be stepped in the first three updates
+# if its offset is larger than 1 second.
+#makestep 1.0 3
+
+# Enable kernel synchronization of the real-time clock (RTC).
+rtcsync
+
+# Enable hardware timestamping on all interfaces that support it.
+#hwtimestamp *
+
+# Increase the minimum number of selectable sources required to adjust
+# the system clock.
+#minsources 2
+
+# Allow NTP client access from local network.
+#allow 192.168.0.0/16
+
+# Serve time even if not synchronized to a time source.
+#local stratum 10
+
+# Specify file containing keys for NTP authentication.
+keyfile /etc/chrony.keys
+
+# Get TAI-UTC offset and leap seconds from the system tz database.
+leapsectz right/UTC
+
+# Specify directory for log files.
+logdir /var/log/chrony
+
+# Select which information is logged.
+log measurements statistics tracking rtc

files/chrony/chronyd

@@ -0,0 +1,2 @@
+# Command-line options for chronyd
+OPTIONS="-4 -F 2"

files/os/gmo-cfg.sh

@@ -0,0 +1,61 @@
+# source IA
+# check if is a scp connexion
+is_scp() {
+    # If SSH_ORIGINAL_COMMAND is defined and contains "scp"
+    if [[ -n "$SSH_ORIGINAL_COMMAND" && "$SSH_ORIGINAL_COMMAND" == scp* ]]; then
+        return 0
+    fi
+    # if script name ($0) contains "scp"
+    if [[ "$0" == *scp* ]]; then
+        return 0
+    fi
+    return 1
+}
+
+# source prompt color: https://robotmoon.com/bash-prompt-generator/^
+if [ $(whoami) == "gilles" ]; then
+    #export PS1="\[\033[0;32m\][\[\033[1;94m\]\u\[\033[0;33m\]@\h \[\033[0;32m\]\W]# \[\033[0;37m\]"
+    export PS1="\[\e[38;5;216m\]\u\[\e[38;5;160m\]@\[\e[38;5;202m\]\h \[\e[38;5;131m\]\w \[\033[0m\]$ "
+elif [ $(whoami) == "blutch" ]; then
+    export PS1="\[\033[0;32m\][\[\033[1;94m\]\u\[\033[0;33m\]@\h \[\033[0;32m\]\W]# \[\033[0;37m\]"
+elif [ $(whoami) == "root" ]; then
+    export PS1="\[\033[0;32m\][\[\033[0;31m\]\u\[\033[0;31m\]@\h \[\033[0;32m\]\W]# \[\033[0;37m\]"
+else
+    export PS1="[\u@\h \W]\$ "
+fi	
+
+# Aliases
+alias rm='rm -i'
+alias cp='cp -i'
+alias mv='mv -i'
+alias ls='ls --color=auto'
+alias sudo='sudo --preserve-env=PATH env' # https://www.petefreitag.com/blog/environment-variables-sudo/
+
+if ! is_scp; then
+    if [[ "$USER" == "gilles" || "$USER" == "root" ]]; then
+        host_domain=$(cat /etc/hostname| rev | cut -d. -f1-2 | rev)
+        host_fqdn=$(hostname)
+        host_short=$(hostname -s)
+        ip=$(hostname -I)
+        dist=$(cat /etc/redhat-release)
+        kern=$(uname -r)
+        cat << EOF
+---------------------------------------------------------
+      Date - Hour: $(date +"%d.%m.%Y - %H:%M:%S")
+---------------------------------------------------------      
+      Host domain: $host_domain
+ Host name (fqdn): $host_fqdn
+Host name (short): $host_short 
+     Distribution: $dist
+           Kernel: $kern
+---------------------------------------------------------      
+EOF
+    fi
+fi
+# execute only if user is gilles or root
+#if [[ "$USER" == "gilles" || "$USER" == "root" ]]; then
+#    # display proxy status
+#    if [ -f "/usr/local/bin/proxyOnOff.sh" ]; then
+#        sudo  /usr/local/bin/proxyOnOff.sh status
+#    fi
+#fi

files/os/vimrc

@@ -0,0 +1,4 @@
+syntax on
+set tabstop=4
+set bg=dark
+set paste

files/updhosts/update-hosts.cron

@@ -0,0 +1 @@
+*/5 * * * * root /usr/local/bin/gmotools/update-hosts.sh > /dev/null 2>&1

group_vars/all.yml

@@ -0,0 +1,14 @@
+---
+#postfix
+mail_domain: gmotech.dyndns.org
+#mail_relay_host: smtpauths.bluewin.ch
+#mail_relay_host: smtp.gmail.com
+# DNS
+#dns_domain_search: gmotech.net
+gilles_passwd: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          30333961653331613064333063326538393232633833663932386632653765613933396239316230
+          3061626535666636333866633538623365333139666163340a336531643364626630653331306264
+          35326238636466643938366535666462666534613137633631316638363763313164343563353734
+          6366393333326564340a623738653735363932313635616530613863313639306130363562656332
+          3738

hosts.yml

@@ -0,0 +1,9 @@
+---
+- name: build hosts file
+  lineinfile:
+    dest: /etc/hosts
+    insertafter: EOF
+    line: '{{ item }}'
+    state: present
+  with_items:
+      - '{{ ansible_default_ipv4.address }} {{ ansible_hostname }} {{ ansible_hostname }}.gmotech.net'

inst-apache.yml

@@ -0,0 +1,47 @@
+---
+- name: install apache
+  yum:
+    state: installed
+    name:
+      - httpd
+      - mod_ssl
+
+- name: start and enable the httpd service
+  service:
+    state: started
+    name: httpd
+    enabled: true
+
+- name: open http port
+  firewalld:
+    service: http
+    permanent: true
+    immediate: true
+    state: enabled
+
+- name: open https port
+  firewalld:
+    service: https
+    permanent: true
+    immediate: true
+    state: enabled
+
+- name: create cert path
+  file:
+    path: /etc/httpd/certs
+    state: directory
+
+- name: delete welcome.conf
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /etc/httpd/conf.d/welcome.conf
+    - /etc/httpd/conf.d/userdir.conf
+
+- name: modify config to not navigate on os from browser (You don't have permission to access / on this server.)
+  lineinfile:
+    path: /etc/httpd/conf/httpd.conf
+    regexp: 'Options Indexes FollowSymLinks'
+    line: '#Options Indexes FollowSymLinks'
+  notify: restart httpd

inst-packages.yml

@@ -0,0 +1,35 @@
+- name: install epel-release
+  yum:
+    state: installed
+    name:
+      - epel-release
+
+#- name: active repo PowerTools
+#  replace:
+#    path: /etc/yum.repos.d/CentOS-Stream-PowerTools.repo
+#    regexp: 'enabled=0'
+#    replace: 'enabled=1'
+
+- name: install package
+  yum:
+    state: installed
+    name:
+#     - epel-release
+      - vim
+      - rsync
+      - lsof
+      - man
+      - mlocate
+      - mutt
+      - s-nail
+      - wget
+      - bind-utils
+      - yum-utils
+      - dnf-utils
+      - bash-completion
+#      - postfix-perl-scripts
+      - cifs-utils
+      - htop
+      - git
+      - tar
+      - unzip

inst-rasp.sh

@@ -0,0 +1,232 @@
+#!/bin/bash
+############################################################
+# Description: install an config raspberry
+# Usage: ./inst_raspberry.sh
+# Author: Gilles Mouchet (gilles.mouchet@gmail.com)
+# Creation Date: 26-Mar-2021
+# Version: 1.0
+#
+# History:
+#    1.0 - 26-Mar-2021: Creation of script from scratch
+#
+############################################################
+
+# server vars
+#hostName=actarus01p
+#hostIp=192.168.1.12
+# check if is not on mac
+os=$(uname)
+os_mac="Darwin"
+t=1
+#if [ "$t" -eq "1" ]; then
+if [ "$(uname)" = "Darwin" ]; then
+    echo "do not execute on mac"
+    exit 1
+fi
+# scripts vars (do not edit)
+scriptName=`echo $0 | sed -e 's|.*/||g' | cut -f1 -d.`
+dayOfWeek=`/bin/date +%a`
+daySuffix="_$dayOfWeek"
+logPath=`pwd`                        # log path is from execute script path
+logFile=$logPath/$scriptName$daySuffix.log
+tempOutputFile=$logPath/$progName.$$ # temp output console file
+backupFolder=/root/backup            # destination folder backup
+hostName=actarus01p
+
+# constants
+RED="\e[31m"
+GREEN="\e[32m"
+YELLOW="\e[33m"
+BLUE="\e[36m"
+ENDCOLOR="\e[0m"
+
+#-----------------------------------------------------------------------------
+# Function
+#-----------------------------------------------------------------------------
+function saveFile(){
+    if [ -f $1 ]; then
+        cp $1 $backupFolder >/dev/null 2>&1
+        if [ $? -ne 0 ]; then printError "Problem to save $1 to $backupFolder";exit; fi
+    fi
+}
+function printSuccess() {
+    echo -e "[${GREEN}SUCCESS${ENDCOLOR}] - $1"
+}
+function printWarning() {
+    echo -e "[${YELLOW}WARNING${ENDCOLOR}] - $1"
+}
+function printError() {
+    echo -e "[${RED}ERROR${ENDCOLOR}] - $1"
+}
+function printInfo() {
+    echo -e "\n[${BLUE}INFO${ENDCOLOR}] - $1"
+}
+function printSubInfo() {
+    echo -e "       - $1"
+}
+
+function delete_folder() {
+    local folder_path=$1
+    if [ -z "$folder_path" ]; then
+        printError "Error: Folder path not provided."
+        exit 1
+    fi
+
+    if [ -d "$folder_path" ]; then
+        rm -rf "$folder_path"
+        if [ $? -eq 0 ]; then
+            printSuccess "Folder '$folder_path' deleted successfully."
+        else
+            printError "Error: Failed to delete folder '$folder_path'."
+            exit 1
+        fi
+    fi
+}
+
+#-----------------------------------------------------------------------------
+# cleanup /tmp folder (if during the last execution the script ended with
+# an error)
+#-----------------------------------------------------------------------------
+printInfo "Cleanup"
+delete_folder "/tmp/yumupd"
+delete_folder "/tmp/hostsupd"
+printSuccess "Cleanup completed"
+
+#-----------------------------------------------------------------------------
+# install rootfs-expand
+#-----------------------------------------------------------------------------
+printInfo "Install rootfs-expand package"
+dnf -q install rocky-release-rpi-9.0-5.el9.noarch -y > /dev/null
+if [ "$?" -ne "0" ]; then printError "Problem to install rootfs-extand package";exit; fi
+printSuccess "rootfs-expand package installed successfully"
+
+#-----------------------------------------------------------------------------
+# extend root part
+#-----------------------------------------------------------------------------
+printInfo "Extend root partition"
+#rootfs-expand
+partSize=`df  --output=size -B 1 "$PWD" |tail -n 1`
+# For prod
+if [ $partSize -gt 61780000000 ]; then
+# For dev
+#if [ $partSize -gt 21407727600 ]; then
+    printSuccess "Root partion already extended"
+else
+     rootfs-expand
+     retVal=$?
+     if [ $retVal -ne 0 ]; then printError "Problem to extend root partition";exit; fi
+     printSuccess "Root partition extended"
+#    parted /dev/mmcblk0 resizepart 3 100% >/dev/null 2>&1
+#    rror=$?
+#    resize2fs /dev/mmcblk0p3 >/dev/null 2>&1
+#    let retVal=retVal+$error
+#    if [ $retVal -ne 0 ]; then printError "Problem to extend root partition";exit; fi
+#    printSuccess "Root partition extended"
+fi
+
+#-----------------------------------------------------------------------------
+# install package python
+#-----------------------------------------------------------------------------
+printInfo "Install package"
+printSubInfo "install python"
+yum install -y python3 python3-pip >/dev/null 2>&1
+if [ $? -ne 0 ]; then printError "Problem to install packages";exit; fi
+printSuccess "Packages installed successfully"
+
+#-----------------------------------------------------------------------------
+# update pip
+#-----------------------------------------------------------------------------
+printInfo "Upgrade pip3"
+pip3 install --upgrade pip >/dev/null 2>&1
+if [ $? -ne 0 ]; then printError "Problem to upgrade pip3";exit; fi
+printSuccess "Pip3 upgraded successfully"
+
+#-----------------------------------------------------------------------------
+# install ansible
+#-----------------------------------------------------------------------------
+printInfo "Install ansible. Please wait ..."
+pip3 install --user ansible >/dev/null 2>&1
+if [ $? -ne 0 ]; then printError "Problem to install ansible";exit; fi
+printSuccess "Ansible installed successfully"
+
+#-----------------------------------------------------------------------------
+# add path .local/bin
+#-----------------------------------------------------------------------------
+printInfo "Add ./.local/bin in path"
+echo "export PATH=~/.local/bin:\$PATH" >> ~/.bashrc
+if [ $? -ne 0 ]; then printError "Problem to install ansible";exit; fi
+printSuccess "./.local/bin added in path successfully "
+
+#-----------------------------------------------------------------------------
+# check /root/ansible/.vault_pass.txt exits
+#-----------------------------------------------------------------------------
+printInfo "Check /root/ansible/.vault_pass.txt"
+if [ ! -f "/root/ansible/.vault_pass.txt" ]; then
+   printError "You must create /root/ansible/.vault_pass.txt"
+   exit
+fi
+printSuccess "/root/ansible/.vault_pass.txt exist"
+
+#-----------------------------------------------------------------------------
+# update date and time
+#-----------------------------------------------------------------------------
+printInfo "Update date and time"
+~/.local/bin/ansible-playbook playbook-chrony.yml
+if [ $? -ne 0 ]; then printError "Problem to update date and time";exit; fi
+printSuccess "Date and Time updated successfully"
+
+#-----------------------------------------------------------------------------
+# get yum-check-update script
+#-----------------------------------------------------------------------------
+printInfo "Get yum-check-update script"
+git clone https://gitweb.dyndns.org/scripts/yum-check.git /tmp/yumupd
+if [ $? -ne 0 ]; then printError "Problem to clone yum-check-update script";exit; fi
+printSuccess "yum-check-update script cloned successfully"
+
+#-----------------------------------------------------------------------------
+# get update-hosts script
+#-----------------------------------------------------------------------------
+printInfo "Get update-hosts script"
+git clone https://gitweb.dyndns.org/scripts/gest-hosts-file.git /tmp/hostsupd
+if [ $? -ne 0 ]; then printError "Problem to clone update-hosts script";exit; fi
+printSuccess "update-hosts script cloned successfully"
+
+#-----------------------------------------------------------------------------
+# update role
+#-----------------------------------------------------------------------------
+printInfo "Update roles"
+~/.local/bin/ansible-galaxy install  -f -r roles/requirements.yml
+if [ $? -ne 0 ]; then printError "Problem to update roles";exit; fi
+printSuccess "Role updated successfully"
+
+#-----------------------------------------------------------------------------
+# execute playbook
+#-----------------------------------------------------------------------------
+printInfo "Execute playbook"
+~/.local/bin/ansible-playbook main.yml --vault-password-file ~/ansible/.vault_pass.txt
+if [ $? -ne 0 ]; then printError "Problem to execute playbook"; fi
+printSuccess "Ansible playbook finished"
+
+#-----------------------------------------------------------------------------
+# Cleanup /tmp folder 
+#-----------------------------------------------------------------------------
+printInfo "Cleanup"
+delete_folder "/tmp/yumupd"
+delete_folder "/tmp/hostsupd"
+printSuccess "Cleanup completed"
+
+#-----------------------------------------------------------------------------
+# set timezone
+#-----------------------------------------------------------------------------
+#printInfo "Set timzone"
+#timedatectl set-timezone Europe/Zurich
+#if [ $? -ne 0 ]; then printError "Problem to set timezone";exit; fi
+#printSuccess "Timezone setted successfully"
+
+#-----------------------------------------------------------------------------
+# set locale
+#-----------------------------------------------------------------------------
+#printInfo "Set timzone"
+#timedatectl set-timezone Europe/Zurich
+#if [ $? -ne 0 ]; then printError "Problem to set timezone";exit; fi
+#printSuccess "Timezone setted successfully"

main.yml

@@ -0,0 +1,43 @@
+---
+- hosts: localhost
+  
+  handlers:
+  - name: restart httpd
+    service:
+      name: httpd
+      state: restarted
+
+  - name: restart php-fpm
+    service:
+      name: php-fpm
+      state: restarted
+
+  vars:
+    mail_relay_host: smtp.gmail.com
+    mail_domain: gmotech.dyndns.org
+
+  tasks:
+  - include_tasks: assert-vars.yml
+  - include_tasks: disable-ipv6.yml
+  - include_tasks: hosts.yml
+  - include_tasks: inst-packages.yml
+  - include_tasks: misc.yml  
+  - include_tasks: create-gilles-user.yml
+  
+  - name: import postfix role
+    import_role:
+      name: role-postfix
+
+  - include_tasks: yum-check-update.yml
+  - include_tasks: update-hosts-file.yml
+  - name: import netdata role
+    import_role:
+      name: role-netdata
+
+  - include_tasks: inst-apache.yml
+  
+  - name: import php83 role
+    import_role:
+      name: role-php83
+  
+    

misc.yml

@@ -0,0 +1,63 @@
+---
+- name: set correct time zone
+  timezone:
+    name: Europe/Zurich
+
+- name: correct AM/PM rocky 9 bug
+  lineinfile:
+    path: /etc/locale.conf
+    insertafter: EOF
+    line: LC_TIME=C
+    
+- name: secure stack ip part 1
+  sysctl:
+    name: net.ipv4.tcp_timestamps
+    value: "0"
+    sysctl_set: yes
+    state: present
+    reload: yes
+
+- name: secure stack ip part 2
+  firewalld:
+    service: dhcpv6-client
+    permanent: true
+    state: disabled
+
+- name: forward X11
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    insertafter: '^#X11UseLocalhost yes'
+    line: 'X11UseLocalhost no'
+
+- name: unactivate CRTL-DEL
+  file:
+    src: /dev/null
+    dest: /usr/lib/systemd/system/ctrl-alt-del.target
+  changed_when: false
+
+- name: bash gmo-cfg.sh
+  copy:
+    src: os/gmo-cfg.sh
+    dest: /etc/profile.d/gmo-cfg.sh
+
+- name: add ~/.local/bin in path
+  lineinfile:
+    path: /root/.bashrc
+    line: export PATH=~/.local/bin:$PATH
+
+- name: vimrc
+  copy:
+    src: os/vimrc
+    dest: /root/.vimrc
+
+- name: put SELinux in permissive mode
+  selinux:
+    policy: targeted
+    state: permissive
+
+#- name: create message in motd
+#  copy:
+#   content: "\n**************************************************\n*    !! This
+#server is managed by ANSIBLE !!     *\n* The config files must be changed in repos
+#itory *\n**************************************************\n\n"
+#   dest: /etc/motd

playbook-chrony.yml

@@ -0,0 +1,24 @@
+---
+- hosts: localhost
+  tasks:
+
+  - name: install chrony
+    yum:
+      name: chrony
+      state: present
+
+  - name: config time server
+    copy:
+       src: chrony/chrony.conf
+       dest: /etc/chrony.conf
+
+  - name: disable chrony ipv6
+    copy:
+      src: chrony/chronyd
+      dest: /etc/sysconfig/chronyd
+   
+  - name: start and active service chronyd
+    systemd:
+      name: chronyd
+      enabled: true
+      state: started

roles/requirements.yml

@@ -0,0 +1,12 @@
+---
+- name: role-postfix
+  src: git+https://gitweb.dyndns.org/awx/role-postfix.git
+  
+- name: role-yum-check
+  src: git+https://gitweb.dyndns.org/scripts/yum-check.git
+
+- name: role-netdata
+  src: git+https://gitweb.dyndns.org/awx/role_netdata.git
+
+- name: role-php83
+  src: git+https://gitweb.dyndns.org/awx/role-php83.git

update-hosts-file.yml

@@ -0,0 +1,17 @@
+---
+- name: create destination folder
+  file:
+    path: /usr/local/bin/gmotools
+    state: directory
+
+- name: copy script to folder
+  copy:
+    src: /tmp/hostsupd/update-hosts.sh
+    dest: /usr/local/bin/gmotools/update-hosts.sh
+    mode: 0750
+    remote_src: yes  
+
+- name: copy cron file  
+  copy:
+    src: updhosts/update-hosts.cron
+    dest: /etc/cron.d/update-hosts.cron

yum-check-update.yml

@@ -0,0 +1,17 @@
+---
+- name: create destination folder
+  file:
+    path: /usr/local/bin/gmotools
+    state: directory
+
+- name: get check-yum-update
+  copy:
+    src: /tmp/yumupd/check-yum-updates.sh
+    dest: /usr/local/bin/gmotools/check-yum-updates.sh
+    mode: 0755
+
+- name: create link crontab daily
+  file:
+    src: /usr/local/bin/gmotools/check-yum-updates.sh
+    dest: /etc/cron.daily/check-yum-updates
+    state: link