Namespace variables

Wojciech Kozlowski 2022-12-08 23:19:54 +01:00
parent 5982ddfcf9
commit 4285e87477
28 changed files with 92 additions and 101 deletions


@ -10,7 +10,7 @@
roles: roles:
- role: "smart" - role: "smart"
vars: vars:
smartd_conf_file_path: "files/smart/smartd.conf" system_base_smartd_conf_file: "files/smart/smartd.conf"
tags: "system:smart" tags: "system:smart"
- name: "system : group:zfs" - name: "system : group:zfs"
@ -28,4 +28,4 @@
- role: "base" - role: "base"
tags: "system:base" tags: "system:base"
vars: vars:
motd_dir_path: "files/base/motd" system_base_motd_dir: "files/base/motd"
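Review bot: The input of the `smart` role is renamed to `system_base_smartd_conf_file` on the `vars:` line of the smart role entry, while the results registered inside that role's tasks take the `system_smart_` prefix (`system_smart_smartd_conf`, `system_smart_smartd_start`), so the role's only variable carries the base role's namespace. If the prefix is meant to identify the owning role, the key in the smart role's argument_specs hunk, the `src: "{{ ... }}"` lookup in its tasks hunk and this playbook line should all read `system_smart_smartd_conf_file`. The same mismatch appears in the smart argument_specs and smart tasks sections further down; this note covers those too.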


@ -1,6 +1,3 @@
# sshd system_base_additional_ssh_users: []
additional_ssh_users: [] system_base_additional_tcp_ports: []
system_base_udp_ports: []
# nftables
additional_tcp_ports: []
udp_ports: []


@ -10,21 +10,21 @@ argument_specs:
ssh_user: ssh_user:
type: "str" type: "str"
required: true required: true
additional_ssh_users: system_base_additional_ssh_users:
type: "list" type: "list"
elements: "str" elements: "str"
required: true required: true
additional_tcp_ports: system_base_additional_tcp_ports:
type: "list" type: "list"
elements: "int" elements: "int"
required: true required: true
udp_ports: system_base_udp_ports:
type: "list" type: "list"
elements: "int" elements: "int"
required: true required: true
fail2ban_ignoreip: system_base_fail2ban_ignoreip:
type: "str" type: "str"
required: true required: true
motd_dir_path: system_base_motd_dir:
type: "str" type: "str"
required: false required: false


@ -7,14 +7,14 @@
src: "./fail2ban/jail.local.j2" src: "./fail2ban/jail.local.j2"
dest: "/etc/fail2ban/jail.local" dest: "/etc/fail2ban/jail.local"
mode: 0644 mode: 0644
register: fail2ban_conf register: system_base_fail2ban_conf
- name: "fail2ban : configure fail2ban sshd jail" - name: "fail2ban : configure fail2ban sshd jail"
ansible.builtin.template: ansible.builtin.template:
src: "./fail2ban/jail.d/sshd.local.j2" src: "./fail2ban/jail.d/sshd.local.j2"
dest: "/etc/fail2ban/jail.d/sshd.local" dest: "/etc/fail2ban/jail.d/sshd.local"
mode: 0644 mode: 0644
register: fail2ban_sshd_jail register: system_base_fail2ban_sshd_jail
- name: "fail2ban : enable fail2ban" - name: "fail2ban : enable fail2ban"
ansible.builtin.systemd: ansible.builtin.systemd:
@ -25,13 +25,13 @@
ansible.builtin.systemd: ansible.builtin.systemd:
name: "fail2ban" name: "fail2ban"
state: "started" state: "started"
register: fail2ban_start register: system_base_fail2ban_start
- name: "fail2ban : restart fail2ban" - name: "fail2ban : restart fail2ban"
ansible.builtin.systemd: ansible.builtin.systemd:
name: "fail2ban" name: "fail2ban"
state: "restarted" state: "restarted"
when: when:
(fail2ban_conf.changed or (system_base_fail2ban_conf.changed or
fail2ban_sshd_jail.changed) and system_base_fail2ban_sshd_jail.changed) and
not fail2ban_start.changed not system_base_fail2ban_start.changed


@ -4,10 +4,10 @@
dest: "/etc/motd" dest: "/etc/motd"
mode: 0644 mode: 0644
when: when:
motd_dir_path is defined and system_base_motd_dir is defined and
_system_base_motd_file != "" _system_base_motd_file != ""
vars: vars:
_file_path: _file_path:
- "{{ motd_dir_path }}/{{ ansible_hostname }}" - "{{ system_base_motd_dir }}/{{ ansible_hostname }}"
_system_base_motd_file: >- _system_base_motd_file: >-
{{ lookup('ansible.builtin.first_found', _file_path, errors='ignore') }} {{ lookup('ansible.builtin.first_found', _file_path, errors='ignore') }}


@ -7,7 +7,7 @@
src: "./nftables/nftables.conf.j2" src: "./nftables/nftables.conf.j2"
dest: "/etc/nftables.conf" dest: "/etc/nftables.conf"
mode: 0755 mode: 0755
register: nftables_conf register: system_base_nftables_conf
- name: "nftables : enable nftables" - name: "nftables : enable nftables"
ansible.builtin.systemd: ansible.builtin.systemd:
@ -18,11 +18,11 @@
ansible.builtin.systemd: ansible.builtin.systemd:
name: "nftables" name: "nftables"
state: "started" state: "started"
register: nftables_start register: system_base_nftables_start
- name: "nftables : reload nftables configuration" - name: "nftables : reload nftables configuration"
ansible.builtin.command: ansible.builtin.command:
cmd: "nft -f /etc/nftables.conf" cmd: "nft -f /etc/nftables.conf"
when: when:
nftables_conf.changed and system_base_nftables_conf.changed and
not nftables_start.changed not system_base_nftables_start.changed


@ -5,7 +5,7 @@
src: "./sshd/99-local.conf.j2" src: "./sshd/99-local.conf.j2"
dest: "/etc/ssh/sshd_config.d/99-local.conf" dest: "/etc/ssh/sshd_config.d/99-local.conf"
mode: 0600 mode: 0600
register: sshd_conf register: system_base_sshd_conf
- name: "sshd : enable sshd" - name: "sshd : enable sshd"
ansible.builtin.systemd: ansible.builtin.systemd:
@ -16,12 +16,12 @@
ansible.builtin.systemd: ansible.builtin.systemd:
name: "sshd" name: "sshd"
state: "started" state: "started"
register: sshd_start register: system_base_sshd_start
- name: "sshd : restart sshd" - name: "sshd : restart sshd"
ansible.builtin.systemd: ansible.builtin.systemd:
name: "sshd" name: "sshd"
state: "restarted" state: "restarted"
when: when:
sshd_conf.changed and system_base_sshd_conf.changed and
not sshd_start.changed not system_base_sshd_start.changed


@ -15,18 +15,18 @@
src: "./systemd_mail/system/status-mail@.service" src: "./systemd_mail/system/status-mail@.service"
dest: "/etc/systemd/system/status-mail@.service" dest: "/etc/systemd/system/status-mail@.service"
mode: 0644 mode: 0644
register: systemd_system_status_mail_service_file register: system_base_system_status_mail_service_file
- name: "systemd_mail : systemd mail user service" - name: "systemd_mail : systemd mail user service"
ansible.builtin.copy: ansible.builtin.copy:
src: "./systemd_mail/user/status-mail@.service" src: "./systemd_mail/user/status-mail@.service"
dest: "/etc/systemd/user/status-mail@.service" dest: "/etc/systemd/user/status-mail@.service"
mode: 0644 mode: 0644
register: systemd_user_status_mail_service_file register: system_base_user_status_mail_service_file
- name: "systemd_mail : systemd daemon reload" - name: "systemd_mail : systemd daemon reload"
ansible.builtin.systemd: ansible.builtin.systemd:
daemon_reload: true daemon_reload: true
when: when:
systemd_system_status_mail_service_file.changed or system_base_system_status_mail_service_file.changed or
systemd_user_status_mail_service_file.changed system_base_user_status_mail_service_file.changed


@ -3,7 +3,7 @@
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses # will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator. # can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 ::1 {{ fail2ban_ignoreip }} ignoreip = 127.0.0.1/8 ::1 {{ system_base_fail2ban_ignoreip }}
# "bantime" is the number of seconds that a host is banned. # "bantime" is the number of seconds that a host is banned.
bantime = 1d bantime = 1d


@ -22,11 +22,11 @@ table inet filter {
ct state invalid drop; ct state invalid drop;
# TCP ports. # TCP ports.
tcp dport { {{ [ansible_port] | union(additional_tcp_ports) | join(", ") }} } ct state new accept; tcp dport { {{ [ansible_port] | union(system_base_additional_tcp_ports) | join(", ") }} } ct state new accept;
{% if udp_ports %} {% if system_base_udp_ports %}
# UDP ports. # UDP ports.
udp dport { {{ udp_ports | join(", ") }} } accept; udp dport { {{ system_base_udp_ports | join(", ") }} } accept;
{% endif %} {% endif %}
# Count and drop any other traffic. # Count and drop any other traffic.


@ -7,7 +7,7 @@ Port {{ ansible_port }}
PermitRootLogin no PermitRootLogin no
# Explicitly set the list of allowed ssh users. # Explicitly set the list of allowed ssh users.
AllowUsers {{ [ssh_user] | union(additional_ssh_users) | join(" ") }} AllowUsers {{ [ssh_user] | union(system_base_additional_ssh_users) | join(" ") }}
# SSH enabled only via ssh-key. # SSH enabled only via ssh-key.
PasswordAuthentication no PasswordAuthentication no


@ -4,18 +4,18 @@ argument_specs:
ansible_hostname: ansible_hostname:
type: "str" type: "str"
required: true required: true
mail_domain: system_mail_domain:
type: "str" type: "str"
required: true required: true
postfix_smtp_server: system_mail_smtp_server:
type: "str" type: "str"
required: true required: true
postfix_smtp_port: system_mail_smtp_port:
type: "int" type: "int"
required: true required: true
postfix_smtp_user: system_mail_smtp_user:
type: "str" type: "str"
required: true required: true
postfix_smtp_pass: system_mail_smtp_pass:
type: "str" type: "str"
required: true required: true


@ -3,7 +3,7 @@
src: "./mailname.j2" src: "./mailname.j2"
dest: "/etc/mailname" dest: "/etc/mailname"
mode: 0644 mode: 0644
register: mail_mailname register: system_mail_mailname
- name: "configure mailutils" - name: "configure mailutils"
ansible.builtin.template: ansible.builtin.template:
@ -23,33 +23,33 @@
src: "./aliases.j2" src: "./aliases.j2"
dest: "/etc/aliases" dest: "/etc/aliases"
mode: 0644 mode: 0644
register: mail_aliases register: system_mail_aliases
- name: "update aliases" - name: "update aliases"
ansible.builtin.command: ansible.builtin.command:
cmd: "newaliases" cmd: "newaliases"
when: when:
mail_aliases.changed system_mail_aliases.changed
- name: "configure postfix" - name: "configure postfix"
ansible.builtin.template: ansible.builtin.template:
src: "./postfix/main.cf.j2" src: "./postfix/main.cf.j2"
dest: "/etc/postfix/main.cf" dest: "/etc/postfix/main.cf"
mode: 0644 mode: 0644
register: mail_postfix_conf register: system_mail_postfix_conf
- name: "configure credentials" - name: "configure credentials"
ansible.builtin.template: ansible.builtin.template:
src: "./postfix/sasl_passwd.j2" src: "./postfix/sasl_passwd.j2"
dest: "/etc/postfix/sasl_passwd" dest: "/etc/postfix/sasl_passwd"
mode: 0600 mode: 0600
register: mail_postfix_credentials register: system_mail_postfix_credentials
- name: "create hash database" - name: "create hash database"
ansible.builtin.command: ansible.builtin.command:
cmd: "postmap /etc/postfix/sasl_passwd" cmd: "postmap /etc/postfix/sasl_passwd"
when: when:
mail_postfix_credentials.changed system_mail_postfix_credentials.changed
- name: "set hash database permissions" - name: "set hash database permissions"
ansible.builtin.file: ansible.builtin.file:
@ -65,16 +65,15 @@
ansible.builtin.systemd: ansible.builtin.systemd:
name: "postfix" name: "postfix"
state: "started" state: "started"
register: register: system_mail_postfix_start
mail_postfix_start
- name: "restart postfix" - name: "restart postfix"
ansible.builtin.systemd: ansible.builtin.systemd:
name: "postfix" name: "postfix"
state: "restarted" state: "restarted"
when: when:
(mail_mailname.changed or (system_mail_mailname.changed or
mail_aliases.changed or system_mail_aliases.changed or
mail_postfix_conf.changed or system_mail_postfix_conf.changed or
mail_postfix_credentials.changed) and system_mail_postfix_credentials.changed) and
not mail_postfix_start.changed not system_mail_postfix_start.changed
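Review bot: The `configure credentials` task renders `./postfix/sasl_passwd.j2`, which the sasl_passwd template section shows to contain `system_mail_smtp_pass`, yet the task carries no `no_log: true`; the registered `system_mail_postfix_credentials` result and any diff output (check/diff mode) can therefore carry the SMTP password into the run log and callback output. Adding `no_log: true` to that task keeps the secret out of the output while the `.changed` flag used by the `create hash database` and `restart postfix` conditions keeps working. The register rename in this hunk does not address this.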


@ -11,4 +11,4 @@ ftp: root
abuse: root abuse: root
noc: root noc: root
security: root security: root
root: root@{{ mail_domain }} root: root@{{ system_mail_domain }}


@ -1 +1 @@
{{ ansible_hostname }}.{{ mail_domain }} {{ ansible_hostname }}.{{ system_mail_domain }}


@ -1,3 +1,3 @@
address { address {
email-domain {{ ansible_hostname }}.{{ mail_domain }}; email-domain {{ ansible_hostname }}.{{ system_mail_domain }};
}; };


@ -35,11 +35,11 @@ smtp_tls_wrappermode = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = {{ ansible_hostname }}.{{ mail_domain }} myhostname = {{ ansible_hostname }}.{{ system_mail_domain }}
alias_maps = hash:/etc/aliases alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases alias_database = hash:/etc/aliases
mydestination = $myhostname, {{ ansible_hostname }}, localhost mydestination = $myhostname, {{ ansible_hostname }}, localhost
relayhost = [{{ postfix_smtp_server }}]:{{ postfix_smtp_port }} relayhost = [{{ system_mail_smtp_server }}]:{{ system_mail_smtp_port }}
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0 mailbox_size_limit = 0
recipient_delimiter = + recipient_delimiter = +


@ -1 +1 @@
[{{ postfix_smtp_server }}]:{{ postfix_smtp_port }} {{ postfix_smtp_user }}:{{ postfix_smtp_pass }} [{{ system_mail_smtp_server }}]:{{ system_mail_smtp_port }} {{ system_mail_smtp_user }}:{{ system_mail_smtp_pass }}


@ -1,6 +1,6 @@
argument_specs: argument_specs:
main: main:
options: options:
smartd_conf_file_path: system_base_smartd_conf_file:
type: "str" type: "str"
required: true required: true


@ -4,10 +4,10 @@
- name: "smartd configuration" - name: "smartd configuration"
ansible.builtin.copy: ansible.builtin.copy:
src: "{{ smartd_conf_file_path }}" src: "{{ system_base_smartd_conf_file }}"
dest: "/etc/smartd.conf" dest: "/etc/smartd.conf"
mode: 0644 mode: 0644
register: smartd_conf register: system_smart_smartd_conf
- name: "enable smartmontools" - name: "enable smartmontools"
ansible.builtin.systemd: ansible.builtin.systemd:
@ -18,12 +18,12 @@
ansible.builtin.systemd: ansible.builtin.systemd:
name: "smartmontools" name: "smartmontools"
state: "started" state: "started"
register: smartd_start register: system_smart_smartd_start
- name: "restart smartmontools" - name: "restart smartmontools"
ansible.builtin.systemd: ansible.builtin.systemd:
name: "smartmontools" name: "smartmontools"
state: "restarted" state: "restarted"
when: when:
smartd_conf.changed and system_smart_smartd_conf.changed and
not smartd_start.changed not system_smart_smartd_start.changed


@ -7,7 +7,7 @@
src: "./apcupsd.conf" src: "./apcupsd.conf"
dest: "/etc/apcupsd/apcupsd.conf" dest: "/etc/apcupsd/apcupsd.conf"
mode: 0644 mode: 0644
register: apcupsd_conf register: system_ups_apcupsd_conf
- name: "enable apcupsd" - name: "enable apcupsd"
ansible.builtin.systemd: ansible.builtin.systemd:
@ -18,12 +18,12 @@
ansible.builtin.systemd: ansible.builtin.systemd:
name: "apcupsd" name: "apcupsd"
state: "started" state: "started"
register: apcupsd_start register: system_ups_apcupsd_start
- name: "restart apcupsd" - name: "restart apcupsd"
ansible.builtin.systemd: ansible.builtin.systemd:
name: "apcupsd" name: "apcupsd"
state: "restarted" state: "restarted"
when: when:
apcupsd_conf.changed and system_ups_apcupsd_conf.changed and
not apcupsd_start.changed not system_ups_apcupsd_start.changed


@ -1,8 +1,3 @@
# scrub system_zfs_zpools: []
zpools: [] system_zfs_zpools_trim: []
system_zfs_zpools_load_key: []
# trim
zpools_trim: []
# load_key
zpools_load_key: []


@ -4,15 +4,15 @@ argument_specs:
ansible_hostname: ansible_hostname:
type: "str" type: "str"
required: true required: true
zpools: system_zfs_zpools:
type: "list" type: "list"
elements: "str" elements: "str"
required: true required: true
zpools_trim: system_zfs_zpools_trim:
type: "list" type: "list"
elements: "str" elements: "str"
required: true required: true
zpools_load_key: system_zfs_zpools_load_key:
type: "list" type: "list"
elements: "str" elements: "str"
required: true required: true


@ -3,7 +3,7 @@
src: "./conf/zfs.conf" src: "./conf/zfs.conf"
dest: "/etc/modprobe.d/zfs.conf" dest: "/etc/modprobe.d/zfs.conf"
mode: 0644 mode: 0644
register: zfs_conf_file register: system_zfs_conf_file
- block: - block:
@ -15,4 +15,4 @@
ansible.builtin.reboot: ansible.builtin.reboot:
when: when:
zfs_conf_file.changed system_zfs_conf_file.changed


@ -6,13 +6,13 @@
src: "./fstrim/fstrim.timer" src: "./fstrim/fstrim.timer"
dest: "/etc/systemd/system/fstrim.timer" dest: "/etc/systemd/system/fstrim.timer"
mode: 0644 mode: 0644
register: systemd_fstrim_timer_file register: system_zfs_fstrim_timer_file
- name: "fstrim : systemd daemon reload" - name: "fstrim : systemd daemon reload"
ansible.builtin.systemd: ansible.builtin.systemd:
daemon_reload: true daemon_reload: true
when: when:
systemd_fstrim_timer_file.changed system_zfs_fstrim_timer_file.changed
# Disabling is necessary to make sure systemd uses the new timer file. # Disabling is necessary to make sure systemd uses the new timer file.
- name: "fstrim : disable fstrim.timer" - name: "fstrim : disable fstrim.timer"
@ -21,7 +21,7 @@
enabled: false enabled: false
state: "stopped" state: "stopped"
when: when:
systemd_fstrim_timer_file.changed system_zfs_fstrim_timer_file.changed
- name: "fstrim : enable fstrim.timer" - name: "fstrim : enable fstrim.timer"
ansible.builtin.systemd: ansible.builtin.systemd:


@ -3,16 +3,16 @@
src: "./load_key/zfs-load-key@.service" src: "./load_key/zfs-load-key@.service"
dest: "/etc/systemd/system/zfs-load-key@.service" dest: "/etc/systemd/system/zfs-load-key@.service"
mode: 0644 mode: 0644
register: systemd_zfs_load_key_service_file register: system_zfs_load_key_service_file
- name: "load_key : systemd daemon reload" - name: "load_key : systemd daemon reload"
ansible.builtin.systemd: ansible.builtin.systemd:
daemon_reload: true daemon_reload: true
when: when:
systemd_zfs_load_key_service_file.changed system_zfs_load_key_service_file.changed
- name: "load_key : enable service to load key for {{ item }}" - name: "load_key : enable service to load key for {{ item }}"
ansible.builtin.systemd: ansible.builtin.systemd:
name: "zfs-load-key@{{ item }}.service" name: "zfs-load-key@{{ item }}.service"
enabled: true enabled: true
loop: "{{ zpools_load_key }}" loop: "{{ system_zfs_zpools_load_key }}"


@ -9,25 +9,25 @@
src: "./scrub/zfs-scrub@.service" src: "./scrub/zfs-scrub@.service"
dest: "/etc/systemd/system/zfs-scrub@.service" dest: "/etc/systemd/system/zfs-scrub@.service"
mode: 0644 mode: 0644
register: systemd_zfs_scrub_service_file register: system_zfs_scrub_service_file
- name: "scrub : zfs scrub systemd timer file" - name: "scrub : zfs scrub systemd timer file"
ansible.builtin.copy: ansible.builtin.copy:
src: "./scrub/zfs-scrub-monthly@.timer" src: "./scrub/zfs-scrub-monthly@.timer"
dest: "/etc/systemd/system/zfs-scrub-monthly@.timer" dest: "/etc/systemd/system/zfs-scrub-monthly@.timer"
mode: 0644 mode: 0644
register: systemd_zfs_scrub_monthly_timer_file register: system_zfs_scrub_monthly_timer_file
- name: "scrub : systemd daemon reload" - name: "scrub : systemd daemon reload"
ansible.builtin.systemd: ansible.builtin.systemd:
daemon_reload: true daemon_reload: true
when: when:
systemd_zfs_scrub_service_file.changed or system_zfs_scrub_service_file.changed or
systemd_zfs_scrub_monthly_timer_file.changed system_zfs_scrub_monthly_timer_file.changed
- name: "scrub : enable and start timer for zfs scrub of {{ item }}" - name: "scrub : enable and start timer for zfs scrub of {{ item }}"
ansible.builtin.systemd: ansible.builtin.systemd:
name: "zfs-scrub-monthly@{{ item }}.timer" name: "zfs-scrub-monthly@{{ item }}.timer"
enabled: true enabled: true
state: "started" state: "started"
loop: "{{ zpools }}" loop: "{{ system_zfs_zpools }}"


@ -3,25 +3,25 @@
src: "./trim/zfs-trim@.service" src: "./trim/zfs-trim@.service"
dest: "/etc/systemd/system/zfs-trim@.service" dest: "/etc/systemd/system/zfs-trim@.service"
mode: 0644 mode: 0644
register: systemd_zfs_trim_service_file register: system_zfs_trim_service_file
- name: "trim : zfs trim timer file" - name: "trim : zfs trim timer file"
ansible.builtin.copy: ansible.builtin.copy:
src: "./trim/zfs-trim-monthly@.timer" src: "./trim/zfs-trim-monthly@.timer"
dest: "/etc/systemd/system/zfs-trim-monthly@.timer" dest: "/etc/systemd/system/zfs-trim-monthly@.timer"
mode: 0644 mode: 0644
register: systemd_zfs_trim_monthly_timer_file register: system_zfs_trim_monthly_timer_file
- name: "trim : systemd daemon reload" - name: "trim : systemd daemon reload"
ansible.builtin.systemd: ansible.builtin.systemd:
daemon_reload: true daemon_reload: true
when: when:
systemd_zfs_trim_service_file.changed or system_zfs_trim_service_file.changed or
systemd_zfs_trim_monthly_timer_file.changed system_zfs_trim_monthly_timer_file.changed
- name: "trim : enable and start timer for zfs trim of {{ item }}" - name: "trim : enable and start timer for zfs trim of {{ item }}"
ansible.builtin.systemd: ansible.builtin.systemd:
name: "zfs-trim-monthly@{{ item }}.timer" name: "zfs-trim-monthly@{{ item }}.timer"
enabled: true enabled: true
state: "started" state: "started"
loop: "{{ zpools_trim }}" loop: "{{ system_zfs_zpools_trim }}"