Namespace variables
This commit is contained in:
parent
5982ddfcf9
commit
4285e87477
@ -10,7 +10,7 @@
|
||||
roles:
|
||||
- role: "smart"
|
||||
vars:
|
||||
smartd_conf_file_path: "files/smart/smartd.conf"
|
||||
system_base_smartd_conf_file: "files/smart/smartd.conf"
|
||||
tags: "system:smart"
|
||||
|
||||
- name: "system : group:zfs"
|
||||
@ -28,4 +28,4 @@
|
||||
- role: "base"
|
||||
tags: "system:base"
|
||||
vars:
|
||||
motd_dir_path: "files/base/motd"
|
||||
system_base_motd_dir: "files/base/motd"
|
||||
|
||||
@ -1,6 +1,3 @@
|
||||
# sshd
|
||||
additional_ssh_users: []
|
||||
|
||||
# nftables
|
||||
additional_tcp_ports: []
|
||||
udp_ports: []
|
||||
system_base_additional_ssh_users: []
|
||||
system_base_additional_tcp_ports: []
|
||||
system_base_udp_ports: []
|
||||
|
||||
@ -10,21 +10,21 @@ argument_specs:
|
||||
ssh_user:
|
||||
type: "str"
|
||||
required: true
|
||||
additional_ssh_users:
|
||||
system_base_additional_ssh_users:
|
||||
type: "list"
|
||||
elements: "str"
|
||||
required: true
|
||||
additional_tcp_ports:
|
||||
system_base_additional_tcp_ports:
|
||||
type: "list"
|
||||
elements: "int"
|
||||
required: true
|
||||
udp_ports:
|
||||
system_base_udp_ports:
|
||||
type: "list"
|
||||
elements: "int"
|
||||
required: true
|
||||
fail2ban_ignoreip:
|
||||
system_base_fail2ban_ignoreip:
|
||||
type: "str"
|
||||
required: true
|
||||
motd_dir_path:
|
||||
system_base_motd_dir:
|
||||
type: "str"
|
||||
required: false
|
||||
|
||||
@ -7,14 +7,14 @@
|
||||
src: "./fail2ban/jail.local.j2"
|
||||
dest: "/etc/fail2ban/jail.local"
|
||||
mode: 0644
|
||||
register: fail2ban_conf
|
||||
register: system_base_fail2ban_conf
|
||||
|
||||
- name: "fail2ban : configure fail2ban sshd jail"
|
||||
ansible.builtin.template:
|
||||
src: "./fail2ban/jail.d/sshd.local.j2"
|
||||
dest: "/etc/fail2ban/jail.d/sshd.local"
|
||||
mode: 0644
|
||||
register: fail2ban_sshd_jail
|
||||
register: system_base_fail2ban_sshd_jail
|
||||
|
||||
- name: "fail2ban : enable fail2ban"
|
||||
ansible.builtin.systemd:
|
||||
@ -25,13 +25,13 @@
|
||||
ansible.builtin.systemd:
|
||||
name: "fail2ban"
|
||||
state: "started"
|
||||
register: fail2ban_start
|
||||
register: system_base_fail2ban_start
|
||||
|
||||
- name: "fail2ban : restart fail2ban"
|
||||
ansible.builtin.systemd:
|
||||
name: "fail2ban"
|
||||
state: "restarted"
|
||||
when:
|
||||
(fail2ban_conf.changed or
|
||||
fail2ban_sshd_jail.changed) and
|
||||
not fail2ban_start.changed
|
||||
(system_base_fail2ban_conf.changed or
|
||||
system_base_fail2ban_sshd_jail.changed) and
|
||||
not system_base_fail2ban_start.changed
|
||||
|
||||
@ -4,10 +4,10 @@
|
||||
dest: "/etc/motd"
|
||||
mode: 0644
|
||||
when:
|
||||
motd_dir_path is defined and
|
||||
system_base_motd_dir is defined and
|
||||
_system_base_motd_file != ""
|
||||
vars:
|
||||
_file_path:
|
||||
- "{{ motd_dir_path }}/{{ ansible_hostname }}"
|
||||
- "{{ system_base_motd_dir }}/{{ ansible_hostname }}"
|
||||
_system_base_motd_file: >-
|
||||
{{ lookup('ansible.builtin.first_found', _file_path, errors='ignore') }}
|
||||
|
||||
@ -7,7 +7,7 @@
|
||||
src: "./nftables/nftables.conf.j2"
|
||||
dest: "/etc/nftables.conf"
|
||||
mode: 0755
|
||||
register: nftables_conf
|
||||
register: system_base_nftables_conf
|
||||
|
||||
- name: "nftables : enable nftables"
|
||||
ansible.builtin.systemd:
|
||||
@ -18,11 +18,11 @@
|
||||
ansible.builtin.systemd:
|
||||
name: "nftables"
|
||||
state: "started"
|
||||
register: nftables_start
|
||||
register: system_base_nftables_start
|
||||
|
||||
- name: "nftables : reload nftables configuration"
|
||||
ansible.builtin.command:
|
||||
cmd: "nft -f /etc/nftables.conf"
|
||||
when:
|
||||
nftables_conf.changed and
|
||||
not nftables_start.changed
|
||||
system_base_nftables_conf.changed and
|
||||
not system_base_nftables_start.changed
|
||||
|
||||
@ -5,7 +5,7 @@
|
||||
src: "./sshd/99-local.conf.j2"
|
||||
dest: "/etc/ssh/sshd_config.d/99-local.conf"
|
||||
mode: 0600
|
||||
register: sshd_conf
|
||||
register: system_base_sshd_conf
|
||||
|
||||
- name: "sshd : enable sshd"
|
||||
ansible.builtin.systemd:
|
||||
@ -16,12 +16,12 @@
|
||||
ansible.builtin.systemd:
|
||||
name: "sshd"
|
||||
state: "started"
|
||||
register: sshd_start
|
||||
register: system_base_sshd_start
|
||||
|
||||
- name: "sshd : restart sshd"
|
||||
ansible.builtin.systemd:
|
||||
name: "sshd"
|
||||
state: "restarted"
|
||||
when:
|
||||
sshd_conf.changed and
|
||||
not sshd_start.changed
|
||||
system_base_sshd_conf.changed and
|
||||
not system_base_sshd_start.changed
|
||||
|
||||
@ -15,18 +15,18 @@
|
||||
src: "./systemd_mail/system/status-mail@.service"
|
||||
dest: "/etc/systemd/system/status-mail@.service"
|
||||
mode: 0644
|
||||
register: systemd_system_status_mail_service_file
|
||||
register: system_base_system_status_mail_service_file
|
||||
|
||||
- name: "systemd_mail : systemd mail user service"
|
||||
ansible.builtin.copy:
|
||||
src: "./systemd_mail/user/status-mail@.service"
|
||||
dest: "/etc/systemd/user/status-mail@.service"
|
||||
mode: 0644
|
||||
register: systemd_user_status_mail_service_file
|
||||
register: system_base_user_status_mail_service_file
|
||||
|
||||
- name: "systemd_mail : systemd daemon reload"
|
||||
ansible.builtin.systemd:
|
||||
daemon_reload: true
|
||||
when:
|
||||
systemd_system_status_mail_service_file.changed or
|
||||
systemd_user_status_mail_service_file.changed
|
||||
system_base_system_status_mail_service_file.changed or
|
||||
system_base_user_status_mail_service_file.changed
|
||||
|
||||
@ -3,7 +3,7 @@
|
||||
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
|
||||
# will not ban a host which matches an address in this list. Several addresses
|
||||
# can be defined using space (and/or comma) separator.
|
||||
ignoreip = 127.0.0.1/8 ::1 {{ fail2ban_ignoreip }}
|
||||
ignoreip = 127.0.0.1/8 ::1 {{ system_base_fail2ban_ignoreip }}
|
||||
|
||||
# "bantime" is the number of seconds that a host is banned.
|
||||
bantime = 1d
|
||||
|
||||
@ -22,11 +22,11 @@ table inet filter {
|
||||
ct state invalid drop;
|
||||
|
||||
# TCP ports.
|
||||
tcp dport { {{ [ansible_port] | union(additional_tcp_ports) | join(", ") }} } ct state new accept;
|
||||
tcp dport { {{ [ansible_port] | union(system_base_additional_tcp_ports) | join(", ") }} } ct state new accept;
|
||||
|
||||
{% if udp_ports %}
|
||||
{% if system_base_udp_ports %}
|
||||
# UDP ports.
|
||||
udp dport { {{ udp_ports | join(", ") }} } accept;
|
||||
udp dport { {{ system_base_udp_ports | join(", ") }} } accept;
|
||||
|
||||
{% endif %}
|
||||
# Count and drop any other traffic.
|
||||
|
||||
@ -7,7 +7,7 @@ Port {{ ansible_port }}
|
||||
PermitRootLogin no
|
||||
|
||||
# Explicitly set the list of allowed ssh users.
|
||||
AllowUsers {{ [ssh_user] | union(additional_ssh_users) | join(" ") }}
|
||||
AllowUsers {{ [ssh_user] | union(system_base_additional_ssh_users) | join(" ") }}
|
||||
|
||||
# SSH enabled only via ssh-key.
|
||||
PasswordAuthentication no
|
||||
|
||||
@ -4,18 +4,18 @@ argument_specs:
|
||||
ansible_hostname:
|
||||
type: "str"
|
||||
required: true
|
||||
mail_domain:
|
||||
system_mail_domain:
|
||||
type: "str"
|
||||
required: true
|
||||
postfix_smtp_server:
|
||||
system_mail_smtp_server:
|
||||
type: "str"
|
||||
required: true
|
||||
postfix_smtp_port:
|
||||
system_mail_smtp_port:
|
||||
type: "int"
|
||||
required: true
|
||||
postfix_smtp_user:
|
||||
system_mail_smtp_user:
|
||||
type: "str"
|
||||
required: true
|
||||
postfix_smtp_pass:
|
||||
system_mail_smtp_pass:
|
||||
type: "str"
|
||||
required: true
|
||||
|
||||
@ -3,7 +3,7 @@
|
||||
src: "./mailname.j2"
|
||||
dest: "/etc/mailname"
|
||||
mode: 0644
|
||||
register: mail_mailname
|
||||
register: system_mail_mailname
|
||||
|
||||
- name: "configure mailutils"
|
||||
ansible.builtin.template:
|
||||
@ -23,33 +23,33 @@
|
||||
src: "./aliases.j2"
|
||||
dest: "/etc/aliases"
|
||||
mode: 0644
|
||||
register: mail_aliases
|
||||
register: system_mail_aliases
|
||||
|
||||
- name: "update aliases"
|
||||
ansible.builtin.command:
|
||||
cmd: "newaliases"
|
||||
when:
|
||||
mail_aliases.changed
|
||||
system_mail_aliases.changed
|
||||
|
||||
- name: "configure postfix"
|
||||
ansible.builtin.template:
|
||||
src: "./postfix/main.cf.j2"
|
||||
dest: "/etc/postfix/main.cf"
|
||||
mode: 0644
|
||||
register: mail_postfix_conf
|
||||
register: system_mail_postfix_conf
|
||||
|
||||
- name: "configure credentials"
|
||||
ansible.builtin.template:
|
||||
src: "./postfix/sasl_passwd.j2"
|
||||
dest: "/etc/postfix/sasl_passwd"
|
||||
mode: 0600
|
||||
register: mail_postfix_credentials
|
||||
register: system_mail_postfix_credentials
|
||||
|
||||
- name: "create hash database"
|
||||
ansible.builtin.command:
|
||||
cmd: "postmap /etc/postfix/sasl_passwd"
|
||||
when:
|
||||
mail_postfix_credentials.changed
|
||||
system_mail_postfix_credentials.changed
|
||||
|
||||
- name: "set hash database permissions"
|
||||
ansible.builtin.file:
|
||||
@ -65,16 +65,15 @@
|
||||
ansible.builtin.systemd:
|
||||
name: "postfix"
|
||||
state: "started"
|
||||
register:
|
||||
mail_postfix_start
|
||||
register: system_mail_postfix_start
|
||||
|
||||
- name: "restart postfix"
|
||||
ansible.builtin.systemd:
|
||||
name: "postfix"
|
||||
state: "restarted"
|
||||
when:
|
||||
(mail_mailname.changed or
|
||||
mail_aliases.changed or
|
||||
mail_postfix_conf.changed or
|
||||
mail_postfix_credentials.changed) and
|
||||
not mail_postfix_start.changed
|
||||
(system_mail_mailname.changed or
|
||||
system_mail_aliases.changed or
|
||||
system_mail_postfix_conf.changed or
|
||||
system_mail_postfix_credentials.changed) and
|
||||
not system_mail_postfix_start.changed
|
||||
|
||||
@ -11,4 +11,4 @@ ftp: root
|
||||
abuse: root
|
||||
noc: root
|
||||
security: root
|
||||
root: root@{{ mail_domain }}
|
||||
root: root@{{ system_mail_domain }}
|
||||
|
||||
@ -1 +1 @@
|
||||
{{ ansible_hostname }}.{{ mail_domain }}
|
||||
{{ ansible_hostname }}.{{ system_mail_domain }}
|
||||
|
||||
@ -1,3 +1,3 @@
|
||||
address {
|
||||
email-domain {{ ansible_hostname }}.{{ mail_domain }};
|
||||
email-domain {{ ansible_hostname }}.{{ system_mail_domain }};
|
||||
};
|
||||
|
||||
@ -35,11 +35,11 @@ smtp_tls_wrappermode = yes
|
||||
|
||||
|
||||
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
|
||||
myhostname = {{ ansible_hostname }}.{{ mail_domain }}
|
||||
myhostname = {{ ansible_hostname }}.{{ system_mail_domain }}
|
||||
alias_maps = hash:/etc/aliases
|
||||
alias_database = hash:/etc/aliases
|
||||
mydestination = $myhostname, {{ ansible_hostname }}, localhost
|
||||
relayhost = [{{ postfix_smtp_server }}]:{{ postfix_smtp_port }}
|
||||
relayhost = [{{ system_mail_smtp_server }}]:{{ system_mail_smtp_port }}
|
||||
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
|
||||
mailbox_size_limit = 0
|
||||
recipient_delimiter = +
|
||||
|
||||
@ -1 +1 @@
|
||||
[{{ postfix_smtp_server }}]:{{ postfix_smtp_port }} {{ postfix_smtp_user }}:{{ postfix_smtp_pass }}
|
||||
[{{ system_mail_smtp_server }}]:{{ system_mail_smtp_port }} {{ system_mail_smtp_user }}:{{ system_mail_smtp_pass }}
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
argument_specs:
|
||||
main:
|
||||
options:
|
||||
smartd_conf_file_path:
|
||||
system_base_smartd_conf_file:
|
||||
type: "str"
|
||||
required: true
|
||||
|
||||
@ -4,10 +4,10 @@
|
||||
|
||||
- name: "smartd configuration"
|
||||
ansible.builtin.copy:
|
||||
src: "{{ smartd_conf_file_path }}"
|
||||
src: "{{ system_base_smartd_conf_file }}"
|
||||
dest: "/etc/smartd.conf"
|
||||
mode: 0644
|
||||
register: smartd_conf
|
||||
register: system_smart_smartd_conf
|
||||
|
||||
- name: "enable smartmontools"
|
||||
ansible.builtin.systemd:
|
||||
@ -18,12 +18,12 @@
|
||||
ansible.builtin.systemd:
|
||||
name: "smartmontools"
|
||||
state: "started"
|
||||
register: smartd_start
|
||||
register: system_smart_smartd_start
|
||||
|
||||
- name: "restart smartmontools"
|
||||
ansible.builtin.systemd:
|
||||
name: "smartmontools"
|
||||
state: "restarted"
|
||||
when:
|
||||
smartd_conf.changed and
|
||||
not smartd_start.changed
|
||||
system_smart_smartd_conf.changed and
|
||||
not system_smart_smartd_start.changed
|
||||
|
||||
@ -7,7 +7,7 @@
|
||||
src: "./apcupsd.conf"
|
||||
dest: "/etc/apcupsd/apcupsd.conf"
|
||||
mode: 0644
|
||||
register: apcupsd_conf
|
||||
register: system_ups_apcupsd_conf
|
||||
|
||||
- name: "enable apcupsd"
|
||||
ansible.builtin.systemd:
|
||||
@ -18,12 +18,12 @@
|
||||
ansible.builtin.systemd:
|
||||
name: "apcupsd"
|
||||
state: "started"
|
||||
register: apcupsd_start
|
||||
register: system_ups_apcupsd_start
|
||||
|
||||
- name: "restart apcupsd"
|
||||
ansible.builtin.systemd:
|
||||
name: "apcupsd"
|
||||
state: "restarted"
|
||||
when:
|
||||
apcupsd_conf.changed and
|
||||
not apcupsd_start.changed
|
||||
system_ups_apcupsd_conf.changed and
|
||||
not system_ups_apcupsd_start.changed
|
||||
|
||||
@ -1,8 +1,3 @@
|
||||
# scrub
|
||||
zpools: []
|
||||
|
||||
# trim
|
||||
zpools_trim: []
|
||||
|
||||
# load_key
|
||||
zpools_load_key: []
|
||||
system_zfs_zpools: []
|
||||
system_zfs_zpools_trim: []
|
||||
system_zfs_zpools_load_key: []
|
||||
|
||||
@ -4,15 +4,15 @@ argument_specs:
|
||||
ansible_hostname:
|
||||
type: "str"
|
||||
required: true
|
||||
zpools:
|
||||
system_zfs_zpools:
|
||||
type: "list"
|
||||
elements: "str"
|
||||
required: true
|
||||
zpools_trim:
|
||||
system_zfs_zpools_trim:
|
||||
type: "list"
|
||||
elements: "str"
|
||||
required: true
|
||||
zpools_load_key:
|
||||
system_zfs_zpools_load_key:
|
||||
type: "list"
|
||||
elements: "str"
|
||||
required: true
|
||||
|
||||
@ -3,7 +3,7 @@
|
||||
src: "./conf/zfs.conf"
|
||||
dest: "/etc/modprobe.d/zfs.conf"
|
||||
mode: 0644
|
||||
register: zfs_conf_file
|
||||
register: system_zfs_conf_file
|
||||
|
||||
- block:
|
||||
|
||||
@ -15,4 +15,4 @@
|
||||
ansible.builtin.reboot:
|
||||
|
||||
when:
|
||||
zfs_conf_file.changed
|
||||
system_zfs_conf_file.changed
|
||||
|
||||
@ -6,13 +6,13 @@
|
||||
src: "./fstrim/fstrim.timer"
|
||||
dest: "/etc/systemd/system/fstrim.timer"
|
||||
mode: 0644
|
||||
register: systemd_fstrim_timer_file
|
||||
register: system_zfs_fstrim_timer_file
|
||||
|
||||
- name: "fstrim : systemd daemon reload"
|
||||
ansible.builtin.systemd:
|
||||
daemon_reload: true
|
||||
when:
|
||||
systemd_fstrim_timer_file.changed
|
||||
system_zfs_fstrim_timer_file.changed
|
||||
|
||||
# Disabling is necessary to make sure systemd uses the new timer file.
|
||||
- name: "fstrim : disable fstrim.timer"
|
||||
@ -21,7 +21,7 @@
|
||||
enabled: false
|
||||
state: "stopped"
|
||||
when:
|
||||
systemd_fstrim_timer_file.changed
|
||||
system_zfs_fstrim_timer_file.changed
|
||||
|
||||
- name: "fstrim : enable fstrim.timer"
|
||||
ansible.builtin.systemd:
|
||||
|
||||
@ -3,16 +3,16 @@
|
||||
src: "./load_key/zfs-load-key@.service"
|
||||
dest: "/etc/systemd/system/zfs-load-key@.service"
|
||||
mode: 0644
|
||||
register: systemd_zfs_load_key_service_file
|
||||
register: system_zfs_load_key_service_file
|
||||
|
||||
- name: "load_key : systemd daemon reload"
|
||||
ansible.builtin.systemd:
|
||||
daemon_reload: true
|
||||
when:
|
||||
systemd_zfs_load_key_service_file.changed
|
||||
system_zfs_load_key_service_file.changed
|
||||
|
||||
- name: "load_key : enable service to load key for {{ item }}"
|
||||
ansible.builtin.systemd:
|
||||
name: "zfs-load-key@{{ item }}.service"
|
||||
enabled: true
|
||||
loop: "{{ zpools_load_key }}"
|
||||
loop: "{{ system_zfs_zpools_load_key }}"
|
||||
|
||||
@ -9,25 +9,25 @@
|
||||
src: "./scrub/zfs-scrub@.service"
|
||||
dest: "/etc/systemd/system/zfs-scrub@.service"
|
||||
mode: 0644
|
||||
register: systemd_zfs_scrub_service_file
|
||||
register: system_zfs_scrub_service_file
|
||||
|
||||
- name: "scrub : zfs scrub systemd timer file"
|
||||
ansible.builtin.copy:
|
||||
src: "./scrub/zfs-scrub-monthly@.timer"
|
||||
dest: "/etc/systemd/system/zfs-scrub-monthly@.timer"
|
||||
mode: 0644
|
||||
register: systemd_zfs_scrub_monthly_timer_file
|
||||
register: system_zfs_scrub_monthly_timer_file
|
||||
|
||||
- name: "scrub : systemd daemon reload"
|
||||
ansible.builtin.systemd:
|
||||
daemon_reload: true
|
||||
when:
|
||||
systemd_zfs_scrub_service_file.changed or
|
||||
systemd_zfs_scrub_monthly_timer_file.changed
|
||||
system_zfs_scrub_service_file.changed or
|
||||
system_zfs_scrub_monthly_timer_file.changed
|
||||
|
||||
- name: "scrub : enable and start timer for zfs scrub of {{ item }}"
|
||||
ansible.builtin.systemd:
|
||||
name: "zfs-scrub-monthly@{{ item }}.timer"
|
||||
enabled: true
|
||||
state: "started"
|
||||
loop: "{{ zpools }}"
|
||||
loop: "{{ system_zfs_zpools }}"
|
||||
|
||||
@ -3,25 +3,25 @@
|
||||
src: "./trim/zfs-trim@.service"
|
||||
dest: "/etc/systemd/system/zfs-trim@.service"
|
||||
mode: 0644
|
||||
register: systemd_zfs_trim_service_file
|
||||
register: system_zfs_trim_service_file
|
||||
|
||||
- name: "trim : zfs trim timer file"
|
||||
ansible.builtin.copy:
|
||||
src: "./trim/zfs-trim-monthly@.timer"
|
||||
dest: "/etc/systemd/system/zfs-trim-monthly@.timer"
|
||||
mode: 0644
|
||||
register: systemd_zfs_trim_monthly_timer_file
|
||||
register: system_zfs_trim_monthly_timer_file
|
||||
|
||||
- name: "trim : systemd daemon reload"
|
||||
ansible.builtin.systemd:
|
||||
daemon_reload: true
|
||||
when:
|
||||
systemd_zfs_trim_service_file.changed or
|
||||
systemd_zfs_trim_monthly_timer_file.changed
|
||||
system_zfs_trim_service_file.changed or
|
||||
system_zfs_trim_monthly_timer_file.changed
|
||||
|
||||
- name: "trim : enable and start timer for zfs trim of {{ item }}"
|
||||
ansible.builtin.systemd:
|
||||
name: "zfs-trim-monthly@{{ item }}.timer"
|
||||
enabled: true
|
||||
state: "started"
|
||||
loop: "{{ zpools_trim }}"
|
||||
loop: "{{ system_zfs_zpools_trim }}"
|
||||
|
||||
Loading…
Reference in New Issue
Block a user