Split system:base tasks into roles
parent
bec1c8b658
commit
4d797ed4c4
@ -9,6 +9,7 @@ ansible_become_password: "{{ vault_ansible_become_password }}"
|
||||
# system:base
|
||||
# --------------------------------------------------------------------------------------------------
|
||||
system_base_ssh_user: "{{ vault_system_base_ssh_user }}"
|
||||
system_base_ntp_timezone: "{{ vault_system_base_ntp_timezone }}"
|
||||
|
||||
# --------------------------------------------------------------------------------------------------
|
||||
# system:mail
|
||||
|
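Review bot: The new `system_base_ntp_timezone` is read from `vault_system_base_ntp_timezone` even though a timezone is not a secret; routing it through the vault hides the actual value from code review and from `git diff`, so a wrong or changed timezone can land unnoticed. Prefer a plain value here, e.g. `system_base_ntp_timezone: "Europe/Amsterdam"` (the value the old ntp task hard-coded), and keep the vault for credentials only. The existing `system_base_ssh_user` line has the same shape, though it is not part of this change.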
@ -1,4 +1,4 @@
|
||||
---
|
||||
dependencies:
|
||||
- role: "system/nftables"
|
||||
- role: "system/base/nftables"
|
||||
- role: "vpn/bridge"
|
||||
|
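--- /dev/null
+++ b/playbooks/roles/system/base/fail2ban/meta/argument_specs.yml
@@ -0,0 +1,10 @@
+---
+argument_specs:
+  main:
+    options:
+      ansible_port:
+        type: "int"
+        required: true
+      system_base_fail2ban_ignoreip:
+        type: "str"
+        required: true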
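Review bot: `ansible_port` is declared `required: true`, but it is a connection variable that only exists when the inventory sets it; a host reached on the default port that does not define `ansible_port` will fail role argument validation before any fail2ban task runs. Consider `required: false` together with `default: 22` so the sshd jail template still has a port to reference, or document in the role that `ansible_port` must be set explicitly in inventory. Which of the two is intended cannot be told from this spec alone.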
@ -1,34 +1,34 @@
|
||||
---
|
||||
- name: "fail2ban : install fail2ban"
|
||||
- name: "install fail2ban"
|
||||
ansible.builtin.apt:
|
||||
name: "fail2ban"
|
||||
|
||||
- name: "fail2ban : configure fail2ban"
|
||||
- name: "configure fail2ban"
|
||||
ansible.builtin.template:
|
||||
src: "./fail2ban/jail.local.j2"
|
||||
src: "./jail.local.j2"
|
||||
dest: "/etc/fail2ban/jail.local"
|
||||
mode: 0644
|
||||
register: system_base_fail2ban_conf
|
||||
|
||||
- name: "fail2ban : configure fail2ban sshd jail"
|
||||
- name: "configure fail2ban sshd jail"
|
||||
ansible.builtin.template:
|
||||
src: "./fail2ban/jail.d/sshd.local.j2"
|
||||
src: "./jail.d/sshd.local.j2"
|
||||
dest: "/etc/fail2ban/jail.d/sshd.local"
|
||||
mode: 0644
|
||||
register: system_base_fail2ban_sshd_jail
|
||||
|
||||
- name: "fail2ban : enable fail2ban"
|
||||
- name: "enable fail2ban"
|
||||
ansible.builtin.systemd:
|
||||
name: "fail2ban"
|
||||
enabled: true
|
||||
|
||||
- name: "fail2ban : start fail2ban"
|
||||
- name: "start fail2ban"
|
||||
ansible.builtin.systemd:
|
||||
name: "fail2ban"
|
||||
state: "started"
|
||||
register: system_base_fail2ban_start
|
||||
|
||||
- name: "fail2ban : restart fail2ban"
|
||||
- name: "restart fail2ban"
|
||||
ansible.builtin.systemd:
|
||||
name: "fail2ban"
|
||||
state: "restarted"
|
@ -1,5 +1,5 @@
|
||||
---
|
||||
- name: "fstrim : enable fstrim.timer"
|
||||
- name: "enable fstrim.timer"
|
||||
ansible.builtin.systemd:
|
||||
name: "fstrim.timer"
|
||||
enabled: true
|
@ -1,19 +1,19 @@
|
||||
---
|
||||
- name: "logs : install logcheck and logrotate"
|
||||
- name: "install logcheck and logrotate"
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- "logcheck"
|
||||
- "logrotate"
|
||||
|
||||
- name: "logs : configure logcheck"
|
||||
- name: "configure logcheck"
|
||||
ansible.builtin.copy:
|
||||
src: "./logcheck/logcheck.conf"
|
||||
src: "./logcheck.conf"
|
||||
dest: "/etc/logcheck/logcheck.conf"
|
||||
mode: 0640
|
||||
|
||||
- name: "logs : configure logcheck ignores"
|
||||
ansible.builtin.copy:
|
||||
src: "./logcheck/ignore"
|
||||
src: "./ignore"
|
||||
dest: "/etc/logcheck/ignore.d.server/{{ ansible_hostname }}"
|
||||
group: "logcheck"
|
||||
mode: 0644
|
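Review bot: The `configure logcheck ignores` task keeps its old `logs : ` prefix while the two tasks above it were renamed in this hunk; rename it to `- name: "configure logcheck ignores"` for consistency. Separately, that task sets `group: "logcheck"` but the `configure logcheck` task above does not, so `/etc/logcheck/logcheck.conf` at mode 0640 being readable by the unprivileged logcheck user relies on the packaged file's existing group surviving the copy; adding `group: "logcheck"` there makes the intent explicit and robust on a host where the file did not already exist.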
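--- /dev/null
+++ b/playbooks/roles/system/base/motd/meta/argument_specs.yml
@@ -0,0 +1,10 @@
+---
+argument_specs:
+  main:
+    options:
+      ansible_hostname:
+        type: "str"
+        required: true
+      system_base_motd_dir:
+        type: "str"
+        required: false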
@ -1,5 +1,5 @@
|
||||
---
|
||||
- name: "motd : set motd"
|
||||
- name: "set motd"
|
||||
ansible.builtin.copy:
|
||||
src: "{{ item }}"
|
||||
dest: "/etc/motd"
|
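--- /dev/null
+++ b/playbooks/roles/system/base/ntp/meta/argument_specs.yml
@@ -0,0 +1,7 @@
+---
+argument_specs:
+  main:
+    options:
+      system_base_ntp_timezone:
+        type: "str"
+        required: true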
@ -1,14 +1,14 @@
|
||||
---
|
||||
- name: "ntp : install systemd-timesyncd"
|
||||
- name: "install systemd-timesyncd"
|
||||
ansible.builtin.apt:
|
||||
name: "systemd-timesyncd"
|
||||
|
||||
- name: "ntp : enable systemd-timesyncd"
|
||||
- name: "enable systemd-timesyncd"
|
||||
ansible.builtin.systemd:
|
||||
name: "systemd-timesyncd"
|
||||
enabled: true
|
||||
state: started
|
||||
|
||||
- name: "ntp : set timezone"
|
||||
- name: "set timezone"
|
||||
community.general.timezone:
|
||||
name: "Europe/Amsterdam"
|
||||
name: "{{ system_base_ntp_timezone }}"
|
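Review bot: `state: started` in the `enable systemd-timesyncd` task is the only unquoted scalar of its kind in this change; the sshd and fail2ban roles write `state: "started"`, so quote it here for consistency. The same task also combines `enabled: true` and `state: started` in one module call, whereas the sshd and fail2ban roles split enable and start into separate tasks; either shape works, but picking one across the `system/base/*` roles would make the split easier to read.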
@ -1,11 +1,11 @@
|
||||
---
|
||||
- name: "root : disable root shell"
|
||||
- name: "disable root shell"
|
||||
ansible.builtin.user:
|
||||
name: "root"
|
||||
shell: "/usr/sbin/nologin"
|
||||
|
||||
- name: "root : disable su for non-wheel users"
|
||||
- name: "disable su for non-wheel users"
|
||||
ansible.builtin.copy:
|
||||
src: "./root/su"
|
||||
src: "./su"
|
||||
dest: "/etc/pam.d/su"
|
||||
mode: 0644
|
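Review bot: Setting root's shell to `/usr/sbin/nologin` in the first task already makes `su` to root fail for every caller, because su runs the target user's login shell, so the wheel restriction copied into `/etc/pam.d/su` by the second task (its contents are not visible here) no longer decides who can become root via su. Worth a comment above the tasks stating which of the two is the intended primary control, and noting that the shell change does not affect sudo or Ansible `become`, which run an explicit command, while `sudo -i` will fail for the same reason su does. If the pam.d/su rule is the intended control, reconsider whether the shell change is still wanted.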
@ -2,9 +2,6 @@
|
||||
argument_specs:
|
||||
main:
|
||||
options:
|
||||
ansible_hostname:
|
||||
type: "str"
|
||||
required: true
|
||||
ansible_port:
|
||||
type: "int"
|
||||
required: true
|
||||
@ -15,9 +12,3 @@ argument_specs:
|
||||
type: "list"
|
||||
elements: "str"
|
||||
required: true
|
||||
system_base_fail2ban_ignoreip:
|
||||
type: "str"
|
||||
required: true
|
||||
system_base_motd_dir:
|
||||
type: "str"
|
||||
required: false
|
@ -1,25 +1,25 @@
|
||||
---
|
||||
# SSH must be installed so we don't bother with installing it.
|
||||
|
||||
- name: "sshd : configure sshd"
|
||||
- name: "configure sshd"
|
||||
ansible.builtin.template:
|
||||
src: "./sshd/99-local.conf.j2"
|
||||
src: "./99-local.conf.j2"
|
||||
dest: "/etc/ssh/sshd_config.d/99-local.conf"
|
||||
mode: 0600
|
||||
register: system_base_sshd_conf
|
||||
|
||||
- name: "sshd : enable sshd"
|
||||
- name: "enable sshd"
|
||||
ansible.builtin.systemd:
|
||||
name: "sshd"
|
||||
enabled: true
|
||||
|
||||
- name: "sshd : start sshd"
|
||||
- name: "start sshd"
|
||||
ansible.builtin.systemd:
|
||||
name: "sshd"
|
||||
state: "started"
|
||||
register: system_base_sshd_start
|
||||
|
||||
- name: "sshd : restart sshd"
|
||||
- name: "restart sshd"
|
||||
ansible.builtin.systemd:
|
||||
name: "sshd"
|
||||
state: "restarted"
|
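Review bot: The `configure sshd` task writes `/etc/ssh/sshd_config.d/99-local.conf` and `restart sshd` later restarts the daemon, but nothing checks the rendered file first, so a typo in the template can leave sshd unable to start and lock the operator out. Add `validate: "/usr/sbin/sshd -t -f %s"` to the template task; note that `-t -f` on the drop-in alone tests it as a standalone configuration, which catches syntax errors but not conflicts with directives in the main `sshd_config`. Any condition gating `restart sshd` is outside this hunk.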
@ -0,0 +1,7 @@
|
||||
---
|
||||
argument_specs:
|
||||
main:
|
||||
options:
|
||||
ansible_hostname:
|
||||
type: "str"
|
||||
required: true
|
@ -1,31 +1,31 @@
|
||||
---
|
||||
- name: "systemd_mail : systemd mail root script"
|
||||
- name: "systemd mail root script"
|
||||
ansible.builtin.template:
|
||||
src: "./systemd_mail/system/systemd-mail-systemctl-status.j2"
|
||||
src: "./system/systemd-mail-systemctl-status.j2"
|
||||
dest: "/usr/local/sbin/systemd-mail-systemctl-status"
|
||||
mode: 0755
|
||||
|
||||
- name: "systemd_mail : systemd mail user script"
|
||||
- name: "systemd mail user script"
|
||||
ansible.builtin.template:
|
||||
src: "./systemd_mail/user/systemd-mail-systemctl-status.j2"
|
||||
src: "./user/systemd-mail-systemctl-status.j2"
|
||||
dest: "/usr/local/bin/systemd-mail-systemctl-status"
|
||||
mode: 0755
|
||||
|
||||
- name: "systemd_mail : systemd mail root service"
|
||||
- name: "systemd mail root service"
|
||||
ansible.builtin.copy:
|
||||
src: "./systemd_mail/system/status-mail@.service"
|
||||
src: "./system/status-mail@.service"
|
||||
dest: "/etc/systemd/system/status-mail@.service"
|
||||
mode: 0644
|
||||
register: system_base_system_status_mail_service_file
|
||||
|
||||
- name: "systemd_mail : systemd mail user service"
|
||||
- name: "systemd mail user service"
|
||||
ansible.builtin.copy:
|
||||
src: "./systemd_mail/user/status-mail@.service"
|
||||
src: "./user/status-mail@.service"
|
||||
dest: "/etc/systemd/user/status-mail@.service"
|
||||
mode: 0644
|
||||
register: system_base_user_status_mail_service_file
|
||||
|
||||
- name: "systemd_mail : systemd daemon reload"
|
||||
- name: "systemd daemon reload"
|
||||
ansible.builtin.systemd:
|
||||
daemon_reload: true
|
||||
when:
|
@ -1,16 +0,0 @@
|
||||
---
|
||||
- name: "unattended_upgrades : install unattended-upgrades"
|
||||
ansible.builtin.apt:
|
||||
name: "unattended-upgrades"
|
||||
|
||||
- name: "unattended_upgrades : configure unattended-upgrades"
|
||||
ansible.builtin.copy:
|
||||
src: "./unattended_upgrades/50unattended-upgrades"
|
||||
dest: "/etc/apt/apt.conf.d/50unattended-upgrades"
|
||||
mode: 0644
|
||||
|
||||
- name: "unattended_upgrades : enable unattended-upgrades"
|
||||
ansible.builtin.copy:
|
||||
src: "./unattended_upgrades/20auto-upgrades"
|
||||
dest: "/etc/apt/apt.conf.d/20auto-upgrades"
|
||||
mode: 0644
|
@ -1,44 +0,0 @@
|
||||
---
|
||||
- name: "play:system : role:base : tasks:sshd"
|
||||
ansible.builtin.import_tasks: "include/sshd.yml"
|
||||
tags: "system:base:sshd"
|
||||
|
||||
- name: "play:system : role:base : tasks:ntp"
|
||||
ansible.builtin.import_tasks: "include/ntp.yml"
|
||||
tags: "system:base:ntp"
|
||||
|
||||
- name: "play:system : role:base : tasks:fail2ban"
|
||||
ansible.builtin.import_tasks: "include/fail2ban.yml"
|
||||
tags: "system:base:fail2ban"
|
||||
|
||||
- name: "play:system : role:base : tasks:fstrim"
|
||||
ansible.builtin.import_tasks: "include/fstrim.yml"
|
||||
tags: "system:base:fstrim"
|
||||
|
||||
- name: "play:system : role:base : tasks:unattended_upgrades"
|
||||
ansible.builtin.import_tasks: "include/unattended_upgrades.yml"
|
||||
tags: "system:base:unattended_upgrades"
|
||||
|
||||
- name: "play:system : role:base : tasks:logs"
|
||||
ansible.builtin.import_tasks: "include/logs.yml"
|
||||
tags: "system:base:logs"
|
||||
|
||||
- name: "play:system : role:base : tasks:systemd_mail"
|
||||
ansible.builtin.import_tasks: "include/systemd_mail.yml"
|
||||
tags: "system:base:systemd_mail"
|
||||
|
||||
- name: "play:system : role:base : tasks:utils"
|
||||
ansible.builtin.import_tasks: "include/utils.yml"
|
||||
tags: "system:base:utils"
|
||||
|
||||
- name: "play:system : role:base : tasks:motd"
|
||||
ansible.builtin.import_tasks: "include/motd.yml"
|
||||
tags: "system:base:motd"
|
||||
|
||||
- name: "play:system : role:base : tasks:root"
|
||||
ansible.builtin.import_tasks: "include/root.yml"
|
||||
tags: "system:base:root"
|
||||
|
||||
- name: "play:system : role:base : tasks:user"
|
||||
ansible.builtin.import_tasks: "include/user.yml"
|
||||
tags: "system:base:user"
|
@ -0,0 +1,16 @@
|
||||
---
|
||||
- name: "install unattended-upgrades"
|
||||
ansible.builtin.apt:
|
||||
name: "unattended-upgrades"
|
||||
|
||||
- name: "configure unattended-upgrades"
|
||||
ansible.builtin.copy:
|
||||
src: "./50unattended-upgrades"
|
||||
dest: "/etc/apt/apt.conf.d/50unattended-upgrades"
|
||||
mode: 0644
|
||||
|
||||
- name: "enable unattended-upgrades"
|
||||
ansible.builtin.copy:
|
||||
src: "./20auto-upgrades"
|
||||
dest: "/etc/apt/apt.conf.d/20auto-upgrades"
|
||||
mode: 0644
|
@ -1,22 +1,22 @@
|
||||
---
|
||||
- block:
|
||||
|
||||
- name: "user : clone tmux dotfiles"
|
||||
- name: "clone tmux dotfiles"
|
||||
ansible.builtin.git:
|
||||
repo: "https://git.wojciechkozlowski.eu/config/tmux.git"
|
||||
dest: ".tmux"
|
||||
recursive: true
|
||||
|
||||
# On first tmux launch install plugins with <Ctrl + a + I>
|
||||
- name: "user : configure tmux"
|
||||
- name: "configure tmux"
|
||||
ansible.builtin.copy:
|
||||
src: "./user/tmux.conf"
|
||||
src: "./tmux.conf"
|
||||
dest: ".tmux.conf"
|
||||
mode: 0644
|
||||
|
||||
- name: "user : configure bashrc"
|
||||
- name: "configure bashrc"
|
||||
ansible.builtin.copy:
|
||||
src: "./user/bashrc"
|
||||
src: "./bashrc"
|
||||
dest: ".bashrc"
|
||||
mode: 0644
|
||||
|
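Review bot: The `clone tmux dotfiles` task clones `https://git.wojciechkozlowski.eu/config/tmux.git` with `recursive: true` but no `version:`, so every run fetches whatever the default branch and its submodules currently point to, and the plugins installed afterwards via `<Ctrl + a + I>` are pulled at runtime the same way; that is an unpinned supply chain into the login shell of the user being configured. Pin the clone with `version: "<tag-or-commit>"` and consider `update: false` so an already-provisioned host is not silently moved to a new revision on the next run. The block that sets the user context for these tasks starts outside this hunk.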
@ -1,5 +1,5 @@
|
||||
---
|
||||
- name: "utils : install utility programs"
|
||||
- name: "install utility programs"
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- "acl"
|
@ -37,11 +37,57 @@
|
||||
- name: "system : all"
|
||||
hosts: "all"
|
||||
roles:
|
||||
- role: "system/mail"
|
||||
tags: "system:mail"
|
||||
- role: "system/nftables"
|
||||
tags: "system:nftables"
|
||||
- role: "system/base"
|
||||
- role: "system/base/nftables"
|
||||
tags:
|
||||
- "system:base"
|
||||
- "system:base:nftables"
|
||||
- role: "system/base/mail"
|
||||
tags:
|
||||
- "system:base"
|
||||
- "system:base:mail"
|
||||
- role: "system/base/sshd"
|
||||
tags:
|
||||
- "system:base"
|
||||
- "system:base:sshd"
|
||||
- role: "system/base/ntp"
|
||||
tags:
|
||||
- "system:base"
|
||||
- "system:base:ntp"
|
||||
- role: "system/base/fail2ban"
|
||||
tags:
|
||||
- "system:base"
|
||||
- "system:base:fail2ban"
|
||||
- role: "system/base/fstrim"
|
||||
tags:
|
||||
- "system:base"
|
||||
- "system:base:fstrim"
|
||||
- role: "system/base/unattended_upgrades"
|
||||
tags:
|
||||
- "system:base"
|
||||
- "system:base:unattended_upgrades"
|
||||
- role: "system/base/logs"
|
||||
tags:
|
||||
- "system:base"
|
||||
- "system:base:logs"
|
||||
- role: "system/base/systemd_mail"
|
||||
tags:
|
||||
- "system:base"
|
||||
- "system:base:systemd_mail"
|
||||
- role: "system/base/utils"
|
||||
tags:
|
||||
- "system:base"
|
||||
- "system:base:utils"
|
||||
- role: "system/base/motd"
|
||||
vars:
|
||||
system_base_motd_dir: "files/system/base/motd"
|
||||
tags: "system:base"
|
||||
tags:
|
||||
- "system:base"
|
||||
- "system:base:motd"
|
||||
- role: "system/base/root"
|
||||
tags:
|
||||
- "system:base"
|
||||
- "system:base:root"
|
||||
- role: "system/base/user"
|
||||
tags:
|
||||
- "system:base"
|
||||
- "system:base:user"
|
||||
|