Namespace variables

This commit is contained in:
Wojciech Kozlowski 2022-12-08 23:19:54 +01:00
parent 5982ddfcf9
commit 4285e87477
28 changed files with 92 additions and 101 deletions


@ -10,7 +10,7 @@
roles:
- role: "smart"
vars:
smartd_conf_file_path: "files/smart/smartd.conf"
system_base_smartd_conf_file: "files/smart/smartd.conf"
tags: "system:smart"
- name: "system : group:zfs"
@ -28,4 +28,4 @@
- role: "base"
tags: "system:base"
vars:
motd_dir_path: "files/base/motd"
system_base_motd_dir: "files/base/motd"
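Review bot: The variable handed to the `smart` role on the `- role: "smart"` entry is namespaced `system_base_smartd_conf_file`, while the results that role registers in its own tasks file in this same commit use the `system_smart_` prefix (`system_smart_smartd_conf`, `system_smart_smartd_start`), so one role's input now sits under another role's namespace. Since the purpose of the commit is to namespace variables by role, `system_smart_smartd_conf_file` would be the consistent name here, in the smart role's argument spec (`system_base_smartd_conf_file:` option) and in its copy task (`src: "{{ system_base_smartd_conf_file }}"`). The base role's `system_base_motd_dir` in the second hunk follows the role-prefix convention and needs no change.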


@ -1,6 +1,3 @@
# sshd
additional_ssh_users: []
# nftables
additional_tcp_ports: []
udp_ports: []
system_base_additional_ssh_users: []
system_base_additional_tcp_ports: []
system_base_udp_ports: []
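Review bot: The `# sshd` and `# nftables` grouping comments are dropped together with the rename, leaving three bare defaults with nothing saying which feature each one feeds. A one-line comment above each default naming the feature it configures, for example `# sshd: extra accounts added to AllowUsers` above `system_base_additional_ssh_users: []`, keeps the file readable for whoever sets these in inventory. The zfs defaults file in this commit loses its `# scrub`, `# trim` and `# load_key` comments the same way.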


@ -10,21 +10,21 @@ argument_specs:
ssh_user:
type: "str"
required: true
additional_ssh_users:
system_base_additional_ssh_users:
type: "list"
elements: "str"
required: true
additional_tcp_ports:
system_base_additional_tcp_ports:
type: "list"
elements: "int"
required: true
udp_ports:
system_base_udp_ports:
type: "list"
elements: "int"
required: true
fail2ban_ignoreip:
system_base_fail2ban_ignoreip:
type: "str"
required: true
motd_dir_path:
system_base_motd_dir:
type: "str"
required: false


@ -7,14 +7,14 @@
src: "./fail2ban/jail.local.j2"
dest: "/etc/fail2ban/jail.local"
mode: 0644
register: fail2ban_conf
register: system_base_fail2ban_conf
- name: "fail2ban : configure fail2ban sshd jail"
ansible.builtin.template:
src: "./fail2ban/jail.d/sshd.local.j2"
dest: "/etc/fail2ban/jail.d/sshd.local"
mode: 0644
register: fail2ban_sshd_jail
register: system_base_fail2ban_sshd_jail
- name: "fail2ban : enable fail2ban"
ansible.builtin.systemd:
@ -25,13 +25,13 @@
ansible.builtin.systemd:
name: "fail2ban"
state: "started"
register: fail2ban_start
register: system_base_fail2ban_start
- name: "fail2ban : restart fail2ban"
ansible.builtin.systemd:
name: "fail2ban"
state: "restarted"
when:
(fail2ban_conf.changed or
fail2ban_sshd_jail.changed) and
not fail2ban_start.changed
(system_base_fail2ban_conf.changed or
system_base_fail2ban_sshd_jail.changed) and
not system_base_fail2ban_start.changed


@ -4,10 +4,10 @@
dest: "/etc/motd"
mode: 0644
when:
motd_dir_path is defined and
system_base_motd_dir is defined and
_system_base_motd_file != ""
vars:
_file_path:
- "{{ motd_dir_path }}/{{ ansible_hostname }}"
- "{{ system_base_motd_dir }}/{{ ansible_hostname }}"
_system_base_motd_file: >-
{{ lookup('ansible.builtin.first_found', _file_path, errors='ignore') }}


@ -7,7 +7,7 @@
src: "./nftables/nftables.conf.j2"
dest: "/etc/nftables.conf"
mode: 0755
register: nftables_conf
register: system_base_nftables_conf
- name: "nftables : enable nftables"
ansible.builtin.systemd:
@ -18,11 +18,11 @@
ansible.builtin.systemd:
name: "nftables"
state: "started"
register: nftables_start
register: system_base_nftables_start
- name: "nftables : reload nftables configuration"
ansible.builtin.command:
cmd: "nft -f /etc/nftables.conf"
when:
nftables_conf.changed and
not nftables_start.changed
system_base_nftables_conf.changed and
not system_base_nftables_start.changed


@ -5,7 +5,7 @@
src: "./sshd/99-local.conf.j2"
dest: "/etc/ssh/sshd_config.d/99-local.conf"
mode: 0600
register: sshd_conf
register: system_base_sshd_conf
- name: "sshd : enable sshd"
ansible.builtin.systemd:
@ -16,12 +16,12 @@
ansible.builtin.systemd:
name: "sshd"
state: "started"
register: sshd_start
register: system_base_sshd_start
- name: "sshd : restart sshd"
ansible.builtin.systemd:
name: "sshd"
state: "restarted"
when:
sshd_conf.changed and
not sshd_start.changed
system_base_sshd_conf.changed and
not system_base_sshd_start.changed


@ -15,18 +15,18 @@
src: "./systemd_mail/system/status-mail@.service"
dest: "/etc/systemd/system/status-mail@.service"
mode: 0644
register: systemd_system_status_mail_service_file
register: system_base_system_status_mail_service_file
- name: "systemd_mail : systemd mail user service"
ansible.builtin.copy:
src: "./systemd_mail/user/status-mail@.service"
dest: "/etc/systemd/user/status-mail@.service"
mode: 0644
register: systemd_user_status_mail_service_file
register: system_base_user_status_mail_service_file
- name: "systemd_mail : systemd daemon reload"
ansible.builtin.systemd:
daemon_reload: true
when:
systemd_system_status_mail_service_file.changed or
systemd_user_status_mail_service_file.changed
system_base_system_status_mail_service_file.changed or
system_base_user_status_mail_service_file.changed


@ -3,7 +3,7 @@
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 ::1 {{ fail2ban_ignoreip }}
ignoreip = 127.0.0.1/8 ::1 {{ system_base_fail2ban_ignoreip }}
# "bantime" is the number of seconds that a host is banned.
bantime = 1d


@ -22,11 +22,11 @@ table inet filter {
ct state invalid drop;
# TCP ports.
tcp dport { {{ [ansible_port] | union(additional_tcp_ports) | join(", ") }} } ct state new accept;
tcp dport { {{ [ansible_port] | union(system_base_additional_tcp_ports) | join(", ") }} } ct state new accept;
{% if udp_ports %}
{% if system_base_udp_ports %}
# UDP ports.
udp dport { {{ udp_ports | join(", ") }} } accept;
udp dport { {{ system_base_udp_ports | join(", ") }} } accept;
{% endif %}
# Count and drop any other traffic.


@ -7,7 +7,7 @@ Port {{ ansible_port }}
PermitRootLogin no
# Explicitly set the list of allowed ssh users.
AllowUsers {{ [ssh_user] | union(additional_ssh_users) | join(" ") }}
AllowUsers {{ [ssh_user] | union(system_base_additional_ssh_users) | join(" ") }}
# SSH enabled only via ssh-key.
PasswordAuthentication no


@ -4,18 +4,18 @@ argument_specs:
ansible_hostname:
type: "str"
required: true
mail_domain:
system_mail_domain:
type: "str"
required: true
postfix_smtp_server:
system_mail_smtp_server:
type: "str"
required: true
postfix_smtp_port:
system_mail_smtp_port:
type: "int"
required: true
postfix_smtp_user:
system_mail_smtp_user:
type: "str"
required: true
postfix_smtp_pass:
system_mail_smtp_pass:
type: "str"
required: true
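Review bot: `system_mail_smtp_pass` is declared as a plain `str` option with no `no_log`, so its value is eligible to appear in verbose task output and may be echoed back in the argument-validation message when a host supplies a wrong type. Role argument specs accept `no_log` per option; adding `no_log: true` beneath `required: true` for this option keeps the SMTP password out of logs. The other options in this hunk hold no secret and need no change.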


@ -3,7 +3,7 @@
src: "./mailname.j2"
dest: "/etc/mailname"
mode: 0644
register: mail_mailname
register: system_mail_mailname
- name: "configure mailutils"
ansible.builtin.template:
@ -23,33 +23,33 @@
src: "./aliases.j2"
dest: "/etc/aliases"
mode: 0644
register: mail_aliases
register: system_mail_aliases
- name: "update aliases"
ansible.builtin.command:
cmd: "newaliases"
when:
mail_aliases.changed
system_mail_aliases.changed
- name: "configure postfix"
ansible.builtin.template:
src: "./postfix/main.cf.j2"
dest: "/etc/postfix/main.cf"
mode: 0644
register: mail_postfix_conf
register: system_mail_postfix_conf
- name: "configure credentials"
ansible.builtin.template:
src: "./postfix/sasl_passwd.j2"
dest: "/etc/postfix/sasl_passwd"
mode: 0600
register: mail_postfix_credentials
register: system_mail_postfix_credentials
- name: "create hash database"
ansible.builtin.command:
cmd: "postmap /etc/postfix/sasl_passwd"
when:
mail_postfix_credentials.changed
system_mail_postfix_credentials.changed
- name: "set hash database permissions"
ansible.builtin.file:
@ -65,16 +65,15 @@
ansible.builtin.systemd:
name: "postfix"
state: "started"
register:
mail_postfix_start
register: system_mail_postfix_start
- name: "restart postfix"
ansible.builtin.systemd:
name: "postfix"
state: "restarted"
when:
(mail_mailname.changed or
mail_aliases.changed or
mail_postfix_conf.changed or
mail_postfix_credentials.changed) and
not mail_postfix_start.changed
(system_mail_mailname.changed or
system_mail_aliases.changed or
system_mail_postfix_conf.changed or
system_mail_postfix_credentials.changed) and
not system_mail_postfix_start.changed
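Review bot: The `configure credentials` task renders `system_mail_smtp_pass` into `/etc/postfix/sasl_passwd` through `ansible.builtin.template` but carries no `no_log`, so a run with `--diff` or `-v` can print the rendered file, password included, even though the file is written `mode: 0600`. Adding `no_log: true` to that task (next to `register: system_mail_postfix_credentials`) closes that, and the registered `changed` flag remains available for the `postmap` and restart conditions that follow. As a point of style, the file modes in this and the other task files are unquoted octal literals (`mode: 0600`, `mode: 0644`); writing them as `mode: "0600"` avoids the YAML 1.1 integer reading that ansible-lint flags as risky-octal.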


@ -11,4 +11,4 @@ ftp: root
abuse: root
noc: root
security: root
root: root@{{ mail_domain }}
root: root@{{ system_mail_domain }}


@ -1 +1 @@
{{ ansible_hostname }}.{{ mail_domain }}
{{ ansible_hostname }}.{{ system_mail_domain }}


@ -1,3 +1,3 @@
address {
email-domain {{ ansible_hostname }}.{{ mail_domain }};
email-domain {{ ansible_hostname }}.{{ system_mail_domain }};
};


@ -35,11 +35,11 @@ smtp_tls_wrappermode = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = {{ ansible_hostname }}.{{ mail_domain }}
myhostname = {{ ansible_hostname }}.{{ system_mail_domain }}
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $myhostname, {{ ansible_hostname }}, localhost
relayhost = [{{ postfix_smtp_server }}]:{{ postfix_smtp_port }}
relayhost = [{{ system_mail_smtp_server }}]:{{ system_mail_smtp_port }}
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +


@ -1 +1 @@
[{{ postfix_smtp_server }}]:{{ postfix_smtp_port }} {{ postfix_smtp_user }}:{{ postfix_smtp_pass }}
[{{ system_mail_smtp_server }}]:{{ system_mail_smtp_port }} {{ system_mail_smtp_user }}:{{ system_mail_smtp_pass }}


@ -1,6 +1,6 @@
argument_specs:
main:
options:
smartd_conf_file_path:
system_base_smartd_conf_file:
type: "str"
required: true


@ -4,10 +4,10 @@
- name: "smartd configuration"
ansible.builtin.copy:
src: "{{ smartd_conf_file_path }}"
src: "{{ system_base_smartd_conf_file }}"
dest: "/etc/smartd.conf"
mode: 0644
register: smartd_conf
register: system_smart_smartd_conf
- name: "enable smartmontools"
ansible.builtin.systemd:
@ -18,12 +18,12 @@
ansible.builtin.systemd:
name: "smartmontools"
state: "started"
register: smartd_start
register: system_smart_smartd_start
- name: "restart smartmontools"
ansible.builtin.systemd:
name: "smartmontools"
state: "restarted"
when:
smartd_conf.changed and
not smartd_start.changed
system_smart_smartd_conf.changed and
not system_smart_smartd_start.changed


@ -7,7 +7,7 @@
src: "./apcupsd.conf"
dest: "/etc/apcupsd/apcupsd.conf"
mode: 0644
register: apcupsd_conf
register: system_ups_apcupsd_conf
- name: "enable apcupsd"
ansible.builtin.systemd:
@ -18,12 +18,12 @@
ansible.builtin.systemd:
name: "apcupsd"
state: "started"
register: apcupsd_start
register: system_ups_apcupsd_start
- name: "restart apcupsd"
ansible.builtin.systemd:
name: "apcupsd"
state: "restarted"
when:
apcupsd_conf.changed and
not apcupsd_start.changed
system_ups_apcupsd_conf.changed and
not system_ups_apcupsd_start.changed


@ -1,8 +1,3 @@
# scrub
zpools: []
# trim
zpools_trim: []
# load_key
zpools_load_key: []
system_zfs_zpools: []
system_zfs_zpools_trim: []
system_zfs_zpools_load_key: []


@ -4,15 +4,15 @@ argument_specs:
ansible_hostname:
type: "str"
required: true
zpools:
system_zfs_zpools:
type: "list"
elements: "str"
required: true
zpools_trim:
system_zfs_zpools_trim:
type: "list"
elements: "str"
required: true
zpools_load_key:
system_zfs_zpools_load_key:
type: "list"
elements: "str"
required: true


@ -3,7 +3,7 @@
src: "./conf/zfs.conf"
dest: "/etc/modprobe.d/zfs.conf"
mode: 0644
register: zfs_conf_file
register: system_zfs_conf_file
- block:
@ -15,4 +15,4 @@
ansible.builtin.reboot:
when:
zfs_conf_file.changed
system_zfs_conf_file.changed


@ -6,13 +6,13 @@
src: "./fstrim/fstrim.timer"
dest: "/etc/systemd/system/fstrim.timer"
mode: 0644
register: systemd_fstrim_timer_file
register: system_zfs_fstrim_timer_file
- name: "fstrim : systemd daemon reload"
ansible.builtin.systemd:
daemon_reload: true
when:
systemd_fstrim_timer_file.changed
system_zfs_fstrim_timer_file.changed
# Disabling is necessary to make sure systemd uses the new timer file.
- name: "fstrim : disable fstrim.timer"
@ -21,7 +21,7 @@
enabled: false
state: "stopped"
when:
systemd_fstrim_timer_file.changed
system_zfs_fstrim_timer_file.changed
- name: "fstrim : enable fstrim.timer"
ansible.builtin.systemd:


@ -3,16 +3,16 @@
src: "./load_key/zfs-load-key@.service"
dest: "/etc/systemd/system/zfs-load-key@.service"
mode: 0644
register: systemd_zfs_load_key_service_file
register: system_zfs_load_key_service_file
- name: "load_key : systemd daemon reload"
ansible.builtin.systemd:
daemon_reload: true
when:
systemd_zfs_load_key_service_file.changed
system_zfs_load_key_service_file.changed
- name: "load_key : enable service to load key for {{ item }}"
ansible.builtin.systemd:
name: "zfs-load-key@{{ item }}.service"
enabled: true
loop: "{{ zpools_load_key }}"
loop: "{{ system_zfs_zpools_load_key }}"


@ -9,25 +9,25 @@
src: "./scrub/zfs-scrub@.service"
dest: "/etc/systemd/system/zfs-scrub@.service"
mode: 0644
register: systemd_zfs_scrub_service_file
register: system_zfs_scrub_service_file
- name: "scrub : zfs scrub systemd timer file"
ansible.builtin.copy:
src: "./scrub/zfs-scrub-monthly@.timer"
dest: "/etc/systemd/system/zfs-scrub-monthly@.timer"
mode: 0644
register: systemd_zfs_scrub_monthly_timer_file
register: system_zfs_scrub_monthly_timer_file
- name: "scrub : systemd daemon reload"
ansible.builtin.systemd:
daemon_reload: true
when:
systemd_zfs_scrub_service_file.changed or
systemd_zfs_scrub_monthly_timer_file.changed
system_zfs_scrub_service_file.changed or
system_zfs_scrub_monthly_timer_file.changed
- name: "scrub : enable and start timer for zfs scrub of {{ item }}"
ansible.builtin.systemd:
name: "zfs-scrub-monthly@{{ item }}.timer"
enabled: true
state: "started"
loop: "{{ zpools }}"
loop: "{{ system_zfs_zpools }}"


@ -3,25 +3,25 @@
src: "./trim/zfs-trim@.service"
dest: "/etc/systemd/system/zfs-trim@.service"
mode: 0644
register: systemd_zfs_trim_service_file
register: system_zfs_trim_service_file
- name: "trim : zfs trim timer file"
ansible.builtin.copy:
src: "./trim/zfs-trim-monthly@.timer"
dest: "/etc/systemd/system/zfs-trim-monthly@.timer"
mode: 0644
register: systemd_zfs_trim_monthly_timer_file
register: system_zfs_trim_monthly_timer_file
- name: "trim : systemd daemon reload"
ansible.builtin.systemd:
daemon_reload: true
when:
systemd_zfs_trim_service_file.changed or
systemd_zfs_trim_monthly_timer_file.changed
system_zfs_trim_service_file.changed or
system_zfs_trim_monthly_timer_file.changed
- name: "trim : enable and start timer for zfs trim of {{ item }}"
ansible.builtin.systemd:
name: "zfs-trim-monthly@{{ item }}.timer"
enabled: true
state: "started"
loop: "{{ zpools_trim }}"
loop: "{{ system_zfs_zpools_trim }}"