r/serterm: Deploy serial terminal multiplexer

Using `tmux`, we can spawn a bunch of `picocom` processes for the serial ports connected to other server's console ports. The _serial-terminal-server_ service manages the `tmux` server process, while the individual _serial-terminal-server-window@.service_ units create a window in the `tmux` session. The serial terminal server runs as a dedicated user. The SSH server is configured to force this user to connect to the `tmux` session. This should help ensure the serial consoles are accessible, even if the Active Directory server is unavailable.
2024-11-07 21:36:07 -06:00
parent 8b9cf1985a
commit 6115762847
16 changed files with 280 additions and 0 deletions
--- a/roles/serterm/tasks/main.yml
+++ b/roles/serterm/tasks/main.yml
@@ -0,0 +1,153 @@
+- name: ensure serial terminal packages are instaled
+  package:
+    name:
+    - picocom
+    - tmux
+    state: present
+  tags:
+  - install
+
+- name: ensure serterm group exists
+  group:
+    name: serterm
+    state: present
+  tags:
+  - group
+  - user
+- name: ensure serterm user exists
+  user:
+    name: serterm
+    create_home: false
+    home: /
+    group: serterm
+    groups:
+    - dialout
+    state: present
+  tags:
+  - user
+
+- name: ensure serial log directory exists
+  file:
+    path: /var/log/serial
+    owner: root
+    group: serterm
+    mode: ug=rwx,o=
+    state: directory
+  tags:
+  - logs
+
+- name: ensure serterm configuration directory exists
+  file:
+    path: /etc/serterm
+    owner: root
+    group: root
+    mode: u=rwx,go=rx
+    state: directory
+  tags:
+  - config
+- name: ensure serterm is configured
+  template:
+    src: tmux.conf.j2
+    dest: /etc/serterm/tmux.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  tags:
+  - config
+
+- name: ensure serterm script directory exists
+  file:
+    path: /usr/local/libexec/serterm
+    owner: root
+    group: root
+    mode: u=rwx,go=rx
+    state: directory
+  tags:
+  - script
+- name: ensure serterm scripts are installed
+  copy:
+    src: '{{ item }}.sh'
+    dest: /usr/local/libexec/serterm/{{ item }}
+    mode: u=rwx,go=rx
+    owner: root
+    group: root
+  loop:
+  - add-window
+  - connect-serial
+  - remove-window
+  - start-server
+  notify:
+  - restart serial-terminal-server
+
+- name: ensure serterm systemd units are installed
+  copy:
+    src: '{{ item }}'
+    dest: /etc/systemd/system/
+    mode: u=rw,go=r
+    owner: root
+    group: root
+  notify:
+  - reload systemd
+  - restart serial-terminal-server
+  loop:
+  - serial-terminal-server.service
+  - serial-terminal-server-window@.service
+  tags:
+  - systemd
+
+- name: ensure serial-terminal-server is enabled
+  service:
+    name: serial-terminal-server
+    enabled: true
+  tags:
+  - service
+- name: ensure static serial-terminal-server-window units are enabled
+  service:
+    name: serial-terminal-server-window@{{ item }}
+    enabled: true
+  loop: '{{ serterm_static_windows }}'
+  tags:
+  - service
+
+- name: flush handlers
+  meta: flush_handlers
+  tags:
+  - always
+
+- name: ensure serial-terminal-server is running
+  service:
+    name: serial-terminal-server
+    state: started
+  tags:
+  - service
+- name: ensure static serial-terminal-server-window units are started
+  service:
+    name: serial-terminal-server-window@{{ item }}
+    state: started
+  loop: '{{ serterm_static_windows }}'
+  tags:
+  - service
+
+- name: ensure serterm user ssh keys are authorized
+  template:
+    src: authorized_keys.j2
+    dest: /etc/serterm/authorized_keys
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  tags:
+  - ssh
+  - authorized_keys
+
+- name: ensure sshd is configured for serterm
+  template:
+    src: sshd_config.j2
+    dest: /etc/ssh/sshd_config.d/80-serterm.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload sshd
+  tags:
+  - ssh
+  - sshd_config