Split system:base tasks into roles

Wojciech Kozlowski 2022-12-20 17:31:37 +01:00
parent bec1c8b658
commit 4d797ed4c4
47 changed files with 145 additions and 117 deletions


@ -9,6 +9,7 @@ ansible_become_password: "{{ vault_ansible_become_password }}"
# system:base # system:base
# -------------------------------------------------------------------------------------------------- # --------------------------------------------------------------------------------------------------
system_base_ssh_user: "{{ vault_system_base_ssh_user }}" system_base_ssh_user: "{{ vault_system_base_ssh_user }}"
system_base_ntp_timezone: "{{ vault_system_base_ntp_timezone }}"
# -------------------------------------------------------------------------------------------------- # --------------------------------------------------------------------------------------------------
# system:mail # system:mail
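Review bot: The new `system_base_ntp_timezone` entry is routed through `vault_system_base_ntp_timezone` even though a timezone name is not a secret, so the actual value is hidden from anyone reviewing host configuration in plain text while adding nothing to confidentiality. Since the ntp role's argument spec marks it `required: true`, a host whose vault lacks the new key will fail argument validation rather than fall back to a default. Consider setting the value directly, e.g. `system_base_ntp_timezone: "Europe/Amsterdam"`, and reserving vault indirection for credentials such as the become password above it.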


@ -1,4 +1,4 @@
--- ---
dependencies: dependencies:
- role: "system/nftables" - role: "system/base/nftables"
- role: "vpn/bridge" - role: "vpn/bridge"


@ -0,0 +1,10 @@
---
argument_specs:
main:
options:
ansible_port:
type: "int"
required: true
system_base_fail2ban_ignoreip:
type: "str"
required: true


@ -1,34 +1,34 @@
--- ---
- name: "fail2ban : install fail2ban" - name: "install fail2ban"
ansible.builtin.apt: ansible.builtin.apt:
name: "fail2ban" name: "fail2ban"
- name: "fail2ban : configure fail2ban" - name: "configure fail2ban"
ansible.builtin.template: ansible.builtin.template:
src: "./fail2ban/jail.local.j2" src: "./jail.local.j2"
dest: "/etc/fail2ban/jail.local" dest: "/etc/fail2ban/jail.local"
mode: 0644 mode: 0644
register: system_base_fail2ban_conf register: system_base_fail2ban_conf
- name: "fail2ban : configure fail2ban sshd jail" - name: "configure fail2ban sshd jail"
ansible.builtin.template: ansible.builtin.template:
src: "./fail2ban/jail.d/sshd.local.j2" src: "./jail.d/sshd.local.j2"
dest: "/etc/fail2ban/jail.d/sshd.local" dest: "/etc/fail2ban/jail.d/sshd.local"
mode: 0644 mode: 0644
register: system_base_fail2ban_sshd_jail register: system_base_fail2ban_sshd_jail
- name: "fail2ban : enable fail2ban" - name: "enable fail2ban"
ansible.builtin.systemd: ansible.builtin.systemd:
name: "fail2ban" name: "fail2ban"
enabled: true enabled: true
- name: "fail2ban : start fail2ban" - name: "start fail2ban"
ansible.builtin.systemd: ansible.builtin.systemd:
name: "fail2ban" name: "fail2ban"
state: "started" state: "started"
register: system_base_fail2ban_start register: system_base_fail2ban_start
- name: "fail2ban : restart fail2ban" - name: "restart fail2ban"
ansible.builtin.systemd: ansible.builtin.systemd:
name: "fail2ban" name: "fail2ban"
state: "restarted" state: "restarted"
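Review bot: The enable/start/restart chain at the bottom of the hunk reimplements what an Ansible handler does: the two template tasks each `register` a result solely so a later `restart fail2ban` task can be gated on them, and the `when:` that does the gating is outside the visible hunk, so a reader cannot see the restart condition next to the restart. The idiomatic form is `notify: "restart fail2ban"` on both template tasks plus a `handlers/main.yml` entry with `state: "restarted"`, which drops both `register` variables and guarantees a single restart at the end of the role even when both files change. While touching these tasks, quote the file modes (`mode: "0644"`) as the ansible-lint octal-values rule recommends, so the value cannot be misread as a decimal integer by a YAML 1.1 parser.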


@ -1,5 +1,5 @@
--- ---
- name: "fstrim : enable fstrim.timer" - name: "enable fstrim.timer"
ansible.builtin.systemd: ansible.builtin.systemd:
name: "fstrim.timer" name: "fstrim.timer"
enabled: true enabled: true


@ -1,19 +1,19 @@
--- ---
- name: "logs : install logcheck and logrotate" - name: "install logcheck and logrotate"
ansible.builtin.apt: ansible.builtin.apt:
name: name:
- "logcheck" - "logcheck"
- "logrotate" - "logrotate"
- name: "logs : configure logcheck" - name: "configure logcheck"
ansible.builtin.copy: ansible.builtin.copy:
src: "./logcheck/logcheck.conf" src: "./logcheck.conf"
dest: "/etc/logcheck/logcheck.conf" dest: "/etc/logcheck/logcheck.conf"
mode: 0640 mode: 0640
- name: "logs : configure logcheck ignores" - name: "logs : configure logcheck ignores"
ansible.builtin.copy: ansible.builtin.copy:
src: "./logcheck/ignore" src: "./ignore"
dest: "/etc/logcheck/ignore.d.server/{{ ansible_hostname }}" dest: "/etc/logcheck/ignore.d.server/{{ ansible_hostname }}"
group: "logcheck" group: "logcheck"
mode: 0644 mode: 0644
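Review bot: The `configure logcheck` task installs logcheck.conf with `mode: 0640` but no `group:`, while the sibling `configure logcheck ignores` task explicitly sets `group: "logcheck"`; if the destination ever ends up owned root:root (a fresh file, or an ownership reset), a 0640 config is unreadable by the unprivileged logcheck user and the checks silently stop. Add `group: "logcheck"` to the conf task so both files are managed consistently rather than relying on the package-created ownership surviving the copy. The third task name also kept the old `logs : ` prefix that every other task in this commit drops; rename it to `"configure logcheck ignores"` for consistency.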


@ -0,0 +1,10 @@
---
argument_specs:
main:
options:
ansible_hostname:
type: "str"
required: true
system_base_motd_dir:
type: "str"
required: false


@ -1,5 +1,5 @@
--- ---
- name: "motd : set motd" - name: "set motd"
ansible.builtin.copy: ansible.builtin.copy:
src: "{{ item }}" src: "{{ item }}"
dest: "/etc/motd" dest: "/etc/motd"


@ -0,0 +1,7 @@
---
argument_specs:
main:
options:
system_base_ntp_timezone:
type: "str"
required: true


@ -1,14 +1,14 @@
--- ---
- name: "ntp : install systemd-timesyncd" - name: "install systemd-timesyncd"
ansible.builtin.apt: ansible.builtin.apt:
name: "systemd-timesyncd" name: "systemd-timesyncd"
- name: "ntp : enable systemd-timesyncd" - name: "enable systemd-timesyncd"
ansible.builtin.systemd: ansible.builtin.systemd:
name: "systemd-timesyncd" name: "systemd-timesyncd"
enabled: true enabled: true
state: started state: started
- name: "ntp : set timezone" - name: "set timezone"
community.general.timezone: community.general.timezone:
name: "Europe/Amsterdam" name: "{{ system_base_ntp_timezone }}"
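Review bot: Replacing the hard-coded `Europe/Amsterdam` with `{{ system_base_ntp_timezone }}` is the right direction, but the `enable systemd-timesyncd` task above it writes `state: started` unquoted while every other systemd task in this commit writes `state: "started"`; pick one form per the file's convention. Nothing in the role validates the timezone name before `community.general.timezone` consumes it, so a typo in the vault surfaces only as a module failure at run time; a one-line comment above the task, e.g. `# Must be a valid tzdata name (see timedatectl list-timezones); validated by the module at run time.`, would make that explicit to whoever sets the vault value.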


@ -1,11 +1,11 @@
--- ---
- name: "root : disable root shell" - name: "disable root shell"
ansible.builtin.user: ansible.builtin.user:
name: "root" name: "root"
shell: "/usr/sbin/nologin" shell: "/usr/sbin/nologin"
- name: "root : disable su for non-wheel users" - name: "disable su for non-wheel users"
ansible.builtin.copy: ansible.builtin.copy:
src: "./root/su" src: "./su"
dest: "/etc/pam.d/su" dest: "/etc/pam.d/su"
mode: 0644 mode: 0644
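Review bot: The `disable root shell` task sets root's shell to `/usr/sbin/nologin` without documenting the operational consequences: `sudo -i`, `su -` and, presumably, systemd's rescue/emergency targets (sulogin appears to spawn root's passwd shell) all depend on that shell, so recovery access should be confirmed on a test host before this lands fleet-wide. Record the intent and trade-off above the task, e.g. `# Root has no interactive shell; admin access is sudo-only. Verify rescue.target/sulogin still works after changing this.`. The `disable su for non-wheel users` task copies a PAM file whose contents are not in this hunk, so the `wheel` restriction itself cannot be reviewed here.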


@ -2,9 +2,6 @@
argument_specs: argument_specs:
main: main:
options: options:
ansible_hostname:
type: "str"
required: true
ansible_port: ansible_port:
type: "int" type: "int"
required: true required: true
@ -15,9 +12,3 @@ argument_specs:
type: "list" type: "list"
elements: "str" elements: "str"
required: true required: true
system_base_fail2ban_ignoreip:
type: "str"
required: true
system_base_motd_dir:
type: "str"
required: false


@ -1,25 +1,25 @@
--- ---
# SSH must be installed so we don't bother with installing it. # SSH must be installed so we don't bother with installing it.
- name: "sshd : configure sshd" - name: "configure sshd"
ansible.builtin.template: ansible.builtin.template:
src: "./sshd/99-local.conf.j2" src: "./99-local.conf.j2"
dest: "/etc/ssh/sshd_config.d/99-local.conf" dest: "/etc/ssh/sshd_config.d/99-local.conf"
mode: 0600 mode: 0600
register: system_base_sshd_conf register: system_base_sshd_conf
- name: "sshd : enable sshd" - name: "enable sshd"
ansible.builtin.systemd: ansible.builtin.systemd:
name: "sshd" name: "sshd"
enabled: true enabled: true
- name: "sshd : start sshd" - name: "start sshd"
ansible.builtin.systemd: ansible.builtin.systemd:
name: "sshd" name: "sshd"
state: "started" state: "started"
register: system_base_sshd_start register: system_base_sshd_start
- name: "sshd : restart sshd" - name: "restart sshd"
ansible.builtin.systemd: ansible.builtin.systemd:
name: "sshd" name: "sshd"
state: "restarted" state: "restarted"
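Review bot: The `configure sshd` template task installs the drop-in and the `restart sshd` task at the bottom of the hunk restarts the daemon on change, but nothing checks that the rendered 99-local.conf parses first, so a template error leaves sshd down and the operator locked out of a remote host. Add `validate: "/usr/sbin/sshd -t -f %s"` to the template task so Ansible refuses to install a fragment sshd cannot parse; this validates the fragment in isolation, which catches syntax errors but not conflicts with directives in the main sshd_config. The `when:` guarding the restart continues outside the visible hunk.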


@ -0,0 +1,7 @@
---
argument_specs:
main:
options:
ansible_hostname:
type: "str"
required: true


@ -1,31 +1,31 @@
--- ---
- name: "systemd_mail : systemd mail root script" - name: "systemd mail root script"
ansible.builtin.template: ansible.builtin.template:
src: "./systemd_mail/system/systemd-mail-systemctl-status.j2" src: "./system/systemd-mail-systemctl-status.j2"
dest: "/usr/local/sbin/systemd-mail-systemctl-status" dest: "/usr/local/sbin/systemd-mail-systemctl-status"
mode: 0755 mode: 0755
- name: "systemd_mail : systemd mail user script" - name: "systemd mail user script"
ansible.builtin.template: ansible.builtin.template:
src: "./systemd_mail/user/systemd-mail-systemctl-status.j2" src: "./user/systemd-mail-systemctl-status.j2"
dest: "/usr/local/bin/systemd-mail-systemctl-status" dest: "/usr/local/bin/systemd-mail-systemctl-status"
mode: 0755 mode: 0755
- name: "systemd_mail : systemd mail root service" - name: "systemd mail root service"
ansible.builtin.copy: ansible.builtin.copy:
src: "./systemd_mail/system/status-mail@.service" src: "./system/status-mail@.service"
dest: "/etc/systemd/system/status-mail@.service" dest: "/etc/systemd/system/status-mail@.service"
mode: 0644 mode: 0644
register: system_base_system_status_mail_service_file register: system_base_system_status_mail_service_file
- name: "systemd_mail : systemd mail user service" - name: "systemd mail user service"
ansible.builtin.copy: ansible.builtin.copy:
src: "./systemd_mail/user/status-mail@.service" src: "./user/status-mail@.service"
dest: "/etc/systemd/user/status-mail@.service" dest: "/etc/systemd/user/status-mail@.service"
mode: 0644 mode: 0644
register: system_base_user_status_mail_service_file register: system_base_user_status_mail_service_file
- name: "systemd_mail : systemd daemon reload" - name: "systemd daemon reload"
ansible.builtin.systemd: ansible.builtin.systemd:
daemon_reload: true daemon_reload: true
when: when:
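Review bot: The `systemd daemon reload` task at the end of the hunk reloads only the system manager, yet the hunk also installs a per-user unit into `/etc/systemd/user/status-mail@.service`; user managers already running will not see a new or changed user unit until each one runs `systemctl --user daemon-reload`. If the role is expected to make the user unit available immediately, that needs a separate task run as the relevant user with `scope: "user"`, or the limitation should be documented above the user-service task, e.g. `# Picked up by user managers only after their next login or a manual --user daemon-reload.`. The `when:` condition on the reload task is cut off at the end of the hunk, so whether it keys on both registered results cannot be confirmed here.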


@ -1,16 +0,0 @@
---
- name: "unattended_upgrades : install unattended-upgrades"
ansible.builtin.apt:
name: "unattended-upgrades"
- name: "unattended_upgrades : configure unattended-upgrades"
ansible.builtin.copy:
src: "./unattended_upgrades/50unattended-upgrades"
dest: "/etc/apt/apt.conf.d/50unattended-upgrades"
mode: 0644
- name: "unattended_upgrades : enable unattended-upgrades"
ansible.builtin.copy:
src: "./unattended_upgrades/20auto-upgrades"
dest: "/etc/apt/apt.conf.d/20auto-upgrades"
mode: 0644


@ -1,44 +0,0 @@
---
- name: "play:system : role:base : tasks:sshd"
ansible.builtin.import_tasks: "include/sshd.yml"
tags: "system:base:sshd"
- name: "play:system : role:base : tasks:ntp"
ansible.builtin.import_tasks: "include/ntp.yml"
tags: "system:base:ntp"
- name: "play:system : role:base : tasks:fail2ban"
ansible.builtin.import_tasks: "include/fail2ban.yml"
tags: "system:base:fail2ban"
- name: "play:system : role:base : tasks:fstrim"
ansible.builtin.import_tasks: "include/fstrim.yml"
tags: "system:base:fstrim"
- name: "play:system : role:base : tasks:unattended_upgrades"
ansible.builtin.import_tasks: "include/unattended_upgrades.yml"
tags: "system:base:unattended_upgrades"
- name: "play:system : role:base : tasks:logs"
ansible.builtin.import_tasks: "include/logs.yml"
tags: "system:base:logs"
- name: "play:system : role:base : tasks:systemd_mail"
ansible.builtin.import_tasks: "include/systemd_mail.yml"
tags: "system:base:systemd_mail"
- name: "play:system : role:base : tasks:utils"
ansible.builtin.import_tasks: "include/utils.yml"
tags: "system:base:utils"
- name: "play:system : role:base : tasks:motd"
ansible.builtin.import_tasks: "include/motd.yml"
tags: "system:base:motd"
- name: "play:system : role:base : tasks:root"
ansible.builtin.import_tasks: "include/root.yml"
tags: "system:base:root"
- name: "play:system : role:base : tasks:user"
ansible.builtin.import_tasks: "include/user.yml"
tags: "system:base:user"


@ -0,0 +1,16 @@
---
- name: "install unattended-upgrades"
ansible.builtin.apt:
name: "unattended-upgrades"
- name: "configure unattended-upgrades"
ansible.builtin.copy:
src: "./50unattended-upgrades"
dest: "/etc/apt/apt.conf.d/50unattended-upgrades"
mode: 0644
- name: "enable unattended-upgrades"
ansible.builtin.copy:
src: "./20auto-upgrades"
dest: "/etc/apt/apt.conf.d/20auto-upgrades"
mode: 0644
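Review bot: The role writes `50unattended-upgrades` and `20auto-upgrades` but never asserts that the timers that act on them (`apt-daily.timer` and `apt-daily-upgrade.timer` on Debian-family hosts) are enabled and running, so a host where those were masked or disabled would look configured while receiving no security updates. Since the task is literally named `enable unattended-upgrades`, add an `ansible.builtin.systemd` task with `enabled: true` and `state: "started"` for `apt-daily-upgrade.timer` (mirroring the `enable fstrim.timer` pattern elsewhere in this commit), or document that the package defaults are relied upon. Quoting the modes (`mode: "0644"`) would also match the ansible-lint octal-values recommendation.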


@ -1,22 +1,22 @@
--- ---
- block: - block:
- name: "user : clone tmux dotfiles" - name: "clone tmux dotfiles"
ansible.builtin.git: ansible.builtin.git:
repo: "https://git.wojciechkozlowski.eu/config/tmux.git" repo: "https://git.wojciechkozlowski.eu/config/tmux.git"
dest: ".tmux" dest: ".tmux"
recursive: true recursive: true
# On first tmux launch install plugins with <Ctrl + a + I> # On first tmux launch install plugins with <Ctrl + a + I>
- name: "user : configure tmux" - name: "configure tmux"
ansible.builtin.copy: ansible.builtin.copy:
src: "./user/tmux.conf" src: "./tmux.conf"
dest: ".tmux.conf" dest: ".tmux.conf"
mode: 0644 mode: 0644
- name: "user : configure bashrc" - name: "configure bashrc"
ansible.builtin.copy: ansible.builtin.copy:
src: "./user/bashrc" src: "./bashrc"
dest: ".bashrc" dest: ".bashrc"
mode: 0644 mode: 0644
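Review bot: The `clone tmux dotfiles` task fetches `https://git.wojciechkozlowski.eu/config/tmux.git` with `recursive: true` but no `version:`, so every run checks out whatever the remote's default branch currently points to, and that content lands in the interactive shell environment of the managed user; a compromised or mistakenly pushed remote would be deployed fleet-wide on the next play. Pin the checkout with `version:` set to a tag or full commit hash so the deployed configuration is reproducible and a change to it shows up as a diff in this repository. The enclosing `block:` starts inside the hunk but its trailing keys continue outside it.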


@ -1,5 +1,5 @@
--- ---
- name: "utils : install utility programs" - name: "install utility programs"
ansible.builtin.apt: ansible.builtin.apt:
name: name:
- "acl" - "acl"


@ -37,11 +37,57 @@
- name: "system : all" - name: "system : all"
hosts: "all" hosts: "all"
roles: roles:
- role: "system/mail" - role: "system/base/nftables"
tags: "system:mail" tags:
- role: "system/nftables" - "system:base"
tags: "system:nftables" - "system:base:nftables"
- role: "system/base" - role: "system/base/mail"
tags:
- "system:base"
- "system:base:mail"
- role: "system/base/sshd"
tags:
- "system:base"
- "system:base:sshd"
- role: "system/base/ntp"
tags:
- "system:base"
- "system:base:ntp"
- role: "system/base/fail2ban"
tags:
- "system:base"
- "system:base:fail2ban"
- role: "system/base/fstrim"
tags:
- "system:base"
- "system:base:fstrim"
- role: "system/base/unattended_upgrades"
tags:
- "system:base"
- "system:base:unattended_upgrades"
- role: "system/base/logs"
tags:
- "system:base"
- "system:base:logs"
- role: "system/base/systemd_mail"
tags:
- "system:base"
- "system:base:systemd_mail"
- role: "system/base/utils"
tags:
- "system:base"
- "system:base:utils"
- role: "system/base/motd"
vars: vars:
system_base_motd_dir: "files/system/base/motd" system_base_motd_dir: "files/system/base/motd"
tags: "system:base" tags:
- "system:base"
- "system:base:motd"
- role: "system/base/root"
tags:
- "system:base"
- "system:base:root"
- role: "system/base/user"
tags:
- "system:base"
- "system:base:user"