Split system:base tasks into roles

group_vars/all/vars.yml

@@ -9,6 +9,7 @@ ansible_become_password: "{{ vault_ansible_become_password }}"
 # system:base
 # --------------------------------------------------------------------------------------------------
 system_base_ssh_user: "{{ vault_system_base_ssh_user }}"
+system_base_ntp_timezone: "{{ vault_system_base_ntp_timezone }}"
 
 # --------------------------------------------------------------------------------------------------
 # system:mail

playbooks/roles/services/setup/system/meta/main.yml

@@ -1,4 +1,4 @@
 ---
 dependencies:
-  - role: "system/nftables"
+  - role: "system/base/nftables"
   - role: "vpn/bridge"

playbooks/roles/system/base/fail2ban/meta/argument_specs.yml

@@ -0,0 +1,10 @@
+---
+argument_specs:
+  main:
+    options:
+      ansible_port:
+        type: "int"
+        required: true
+      system_base_fail2ban_ignoreip:
+        type: "str"
+        required: true

playbooks/roles/system/base/fail2ban/tasks/main.yml

@@ -1,34 +1,34 @@
 ---
-- name: "fail2ban : install fail2ban"
+- name: "install fail2ban"
   ansible.builtin.apt:
     name: "fail2ban"
 
-- name: "fail2ban : configure fail2ban"
+- name: "configure fail2ban"
   ansible.builtin.template:
-    src: "./fail2ban/jail.local.j2"
+    src: "./jail.local.j2"
     dest: "/etc/fail2ban/jail.local"
     mode: 0644
   register: system_base_fail2ban_conf
 
-- name: "fail2ban : configure fail2ban sshd jail"
+- name: "configure fail2ban sshd jail"
   ansible.builtin.template:
-    src: "./fail2ban/jail.d/sshd.local.j2"
+    src: "./jail.d/sshd.local.j2"
     dest: "/etc/fail2ban/jail.d/sshd.local"
     mode: 0644
   register: system_base_fail2ban_sshd_jail
 
-- name: "fail2ban : enable fail2ban"
+- name: "enable fail2ban"
   ansible.builtin.systemd:
     name: "fail2ban"
     enabled: true
 
-- name: "fail2ban : start fail2ban"
+- name: "start fail2ban"
   ansible.builtin.systemd:
     name: "fail2ban"
     state: "started"
   register: system_base_fail2ban_start
 
-- name: "fail2ban : restart fail2ban"
+- name: "restart fail2ban"
   ansible.builtin.systemd:
     name: "fail2ban"
     state: "restarted"

playbooks/roles/system/base/fstrim/tasks/main.yml

@@ -1,5 +1,5 @@
 ---
-- name: "fstrim : enable fstrim.timer"
+- name: "enable fstrim.timer"
   ansible.builtin.systemd:
     name: "fstrim.timer"
     enabled: true

playbooks/roles/system/base/logs/tasks/main.yml

@@ -1,19 +1,19 @@
 ---
-- name: "logs : install logcheck and logrotate"
+- name: "install logcheck and logrotate"
   ansible.builtin.apt:
     name:
       - "logcheck"
       - "logrotate"
 
-- name: "logs : configure logcheck"
+- name: "configure logcheck"
   ansible.builtin.copy:
-    src: "./logcheck/logcheck.conf"
+    src: "./logcheck.conf"
     dest: "/etc/logcheck/logcheck.conf"
     mode: 0640
 
 - name: "logs : configure logcheck ignores"
   ansible.builtin.copy:
-    src: "./logcheck/ignore"
+    src: "./ignore"
     dest: "/etc/logcheck/ignore.d.server/{{ ansible_hostname }}"
     group: "logcheck"
     mode: 0644

playbooks/roles/system/base/motd/meta/argument_specs.yml

@@ -0,0 +1,10 @@
+---
+argument_specs:
+  main:
+    options:
+      ansible_hostname:
+        type: "str"
+        required: true
+      system_base_motd_dir:
+        type: "str"
+        required: false

playbooks/roles/system/base/motd/tasks/main.yml

@@ -1,5 +1,5 @@
 ---
-- name: "motd : set motd"
+- name: "set motd"
   ansible.builtin.copy:
     src: "{{ item }}"
     dest: "/etc/motd"

playbooks/roles/system/base/ntp/meta/argument_specs.yml

@@ -0,0 +1,7 @@
+---
+argument_specs:
+  main:
+    options:
+      system_base_ntp_timezone:
+        type: "str"
+        required: true

playbooks/roles/system/base/ntp/tasks/main.yml

@@ -1,14 +1,14 @@
 ---
-- name: "ntp : install systemd-timesyncd"
+- name: "install systemd-timesyncd"
   ansible.builtin.apt:
     name: "systemd-timesyncd"
 
-- name: "ntp : enable systemd-timesyncd"
+- name: "enable systemd-timesyncd"
   ansible.builtin.systemd:
     name: "systemd-timesyncd"
     enabled: true
     state: started
 
-- name: "ntp : set timezone"
+- name: "set timezone"
   community.general.timezone:
-    name: "Europe/Amsterdam"
+    name: "{{ system_base_ntp_timezone }}"

playbooks/roles/system/base/root/tasks/main.yml

@@ -1,11 +1,11 @@
 ---
-- name: "root : disable root shell"
+- name: "disable root shell"
   ansible.builtin.user:
     name: "root"
     shell: "/usr/sbin/nologin"
 
-- name: "root : disable su for non-wheel users"
+- name: "disable su for non-wheel users"
   ansible.builtin.copy:
-    src: "./root/su"
+    src: "./su"
     dest: "/etc/pam.d/su"
     mode: 0644

playbooks/roles/system/base/sshd/meta/argument_specs.yml

@@ -2,9 +2,6 @@
 argument_specs:
   main:
     options:
-      ansible_hostname:
-        type: "str"
-        required: true
       ansible_port:
         type: "int"
         required: true
@@ -15,9 +12,3 @@ argument_specs:
         type: "list"
         elements: "str"
         required: true
-      system_base_fail2ban_ignoreip:
-        type: "str"
-        required: true
-      system_base_motd_dir:
-        type: "str"
-        required: false

playbooks/roles/system/base/sshd/tasks/main.yml

@@ -1,25 +1,25 @@
 ---
 # SSH must be installed so we don't bother with installing it.
 
-- name: "sshd : configure sshd"
+- name: "configure sshd"
   ansible.builtin.template:
-    src: "./sshd/99-local.conf.j2"
+    src: "./99-local.conf.j2"
     dest: "/etc/ssh/sshd_config.d/99-local.conf"
     mode: 0600
   register: system_base_sshd_conf
 
-- name: "sshd : enable sshd"
+- name: "enable sshd"
   ansible.builtin.systemd:
     name: "sshd"
     enabled: true
 
-- name: "sshd : start sshd"
+- name: "start sshd"
   ansible.builtin.systemd:
     name: "sshd"
     state: "started"
   register: system_base_sshd_start
 
-- name: "sshd : restart sshd"
+- name: "restart sshd"
   ansible.builtin.systemd:
     name: "sshd"
     state: "restarted"

playbooks/roles/system/base/systemd_mail/meta/argument_specs.yml

@@ -0,0 +1,7 @@
+---
+argument_specs:
+  main:
+    options:
+      ansible_hostname:
+        type: "str"
+        required: true

playbooks/roles/system/base/systemd_mail/tasks/main.yml

@@ -1,31 +1,31 @@
 ---
-- name: "systemd_mail : systemd mail root script"
+- name: "systemd mail root script"
   ansible.builtin.template:
-    src: "./systemd_mail/system/systemd-mail-systemctl-status.j2"
+    src: "./system/systemd-mail-systemctl-status.j2"
     dest: "/usr/local/sbin/systemd-mail-systemctl-status"
     mode: 0755
 
-- name: "systemd_mail : systemd mail user script"
+- name: "systemd mail user script"
   ansible.builtin.template:
-    src: "./systemd_mail/user/systemd-mail-systemctl-status.j2"
+    src: "./user/systemd-mail-systemctl-status.j2"
     dest: "/usr/local/bin/systemd-mail-systemctl-status"
     mode: 0755
 
-- name: "systemd_mail : systemd mail root service"
+- name: "systemd mail root service"
   ansible.builtin.copy:
-    src: "./systemd_mail/system/status-mail@.service"
+    src: "./system/status-mail@.service"
     dest: "/etc/systemd/system/status-mail@.service"
     mode: 0644
   register: system_base_system_status_mail_service_file
 
-- name: "systemd_mail : systemd mail user service"
+- name: "systemd mail user service"
   ansible.builtin.copy:
-    src: "./systemd_mail/user/status-mail@.service"
+    src: "./user/status-mail@.service"
     dest: "/etc/systemd/user/status-mail@.service"
     mode: 0644
   register: system_base_user_status_mail_service_file
 
-- name: "systemd_mail : systemd daemon reload"
+- name: "systemd daemon reload"
   ansible.builtin.systemd:
     daemon_reload: true
   when:

playbooks/roles/system/base/tasks/include/unattended_upgrades.yml

@@ -1,16 +0,0 @@
----
-- name: "unattended_upgrades : install unattended-upgrades"
-  ansible.builtin.apt:
-    name: "unattended-upgrades"
-
-- name: "unattended_upgrades : configure unattended-upgrades"
-  ansible.builtin.copy:
-    src: "./unattended_upgrades/50unattended-upgrades"
-    dest: "/etc/apt/apt.conf.d/50unattended-upgrades"
-    mode: 0644
-
-- name: "unattended_upgrades : enable unattended-upgrades"
-  ansible.builtin.copy:
-    src: "./unattended_upgrades/20auto-upgrades"
-    dest: "/etc/apt/apt.conf.d/20auto-upgrades"
-    mode: 0644

playbooks/roles/system/base/tasks/main.yml

@@ -1,44 +0,0 @@
----
-- name: "play:system : role:base : tasks:sshd"
-  ansible.builtin.import_tasks: "include/sshd.yml"
-  tags: "system:base:sshd"
-
-- name: "play:system : role:base : tasks:ntp"
-  ansible.builtin.import_tasks: "include/ntp.yml"
-  tags: "system:base:ntp"
-
-- name: "play:system : role:base : tasks:fail2ban"
-  ansible.builtin.import_tasks: "include/fail2ban.yml"
-  tags: "system:base:fail2ban"
-
-- name: "play:system : role:base : tasks:fstrim"
-  ansible.builtin.import_tasks: "include/fstrim.yml"
-  tags: "system:base:fstrim"
-
-- name: "play:system : role:base : tasks:unattended_upgrades"
-  ansible.builtin.import_tasks: "include/unattended_upgrades.yml"
-  tags: "system:base:unattended_upgrades"
-
-- name: "play:system : role:base : tasks:logs"
-  ansible.builtin.import_tasks: "include/logs.yml"
-  tags: "system:base:logs"
-
-- name: "play:system : role:base : tasks:systemd_mail"
-  ansible.builtin.import_tasks: "include/systemd_mail.yml"
-  tags: "system:base:systemd_mail"
-
-- name: "play:system : role:base : tasks:utils"
-  ansible.builtin.import_tasks: "include/utils.yml"
-  tags: "system:base:utils"
-
-- name: "play:system : role:base : tasks:motd"
-  ansible.builtin.import_tasks: "include/motd.yml"
-  tags: "system:base:motd"
-
-- name: "play:system : role:base : tasks:root"
-  ansible.builtin.import_tasks: "include/root.yml"
-  tags: "system:base:root"
-
-- name: "play:system : role:base : tasks:user"
-  ansible.builtin.import_tasks: "include/user.yml"
-  tags: "system:base:user"

playbooks/roles/system/base/unattended_upgrades/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+- name: "install unattended-upgrades"
+  ansible.builtin.apt:
+    name: "unattended-upgrades"
+
+- name: "configure unattended-upgrades"
+  ansible.builtin.copy:
+    src: "./50unattended-upgrades"
+    dest: "/etc/apt/apt.conf.d/50unattended-upgrades"
+    mode: 0644
+
+- name: "enable unattended-upgrades"
+  ansible.builtin.copy:
+    src: "./20auto-upgrades"
+    dest: "/etc/apt/apt.conf.d/20auto-upgrades"
+    mode: 0644

playbooks/roles/system/base/user/tasks/main.yml

@@ -1,22 +1,22 @@
 ---
 - block:
 
-    - name: "user : clone tmux dotfiles"
+    - name: "clone tmux dotfiles"
       ansible.builtin.git:
         repo: "https://git.wojciechkozlowski.eu/config/tmux.git"
         dest: ".tmux"
         recursive: true
 
     # On first tmux launch install plugins with <Ctrl + a + I>
-    - name: "user : configure tmux"
+    - name: "configure tmux"
       ansible.builtin.copy:
-        src: "./user/tmux.conf"
+        src: "./tmux.conf"
         dest: ".tmux.conf"
         mode: 0644
 
-    - name: "user : configure bashrc"
+    - name: "configure bashrc"
       ansible.builtin.copy:
-        src: "./user/bashrc"
+        src: "./bashrc"
         dest: ".bashrc"
         mode: 0644
 

playbooks/roles/system/base/utils/tasks/main.yml

@@ -1,5 +1,5 @@
 ---
-- name: "utils : install utility programs"
+- name: "install utility programs"
   ansible.builtin.apt:
     name:
       - "acl"

playbooks/system.yml

@@ -37,11 +37,57 @@
 - name: "system : all"
   hosts: "all"
   roles:
-    - role: "system/mail"
-      tags: "system:mail"
-    - role: "system/nftables"
-      tags: "system:nftables"
-    - role: "system/base"
+    - role: "system/base/nftables"
+      tags:
+        - "system:base"
+        - "system:base:nftables"
+    - role: "system/base/mail"
+      tags:
+        - "system:base"
+        - "system:base:mail"
+    - role: "system/base/sshd"
+      tags:
+        - "system:base"
+        - "system:base:sshd"
+    - role: "system/base/ntp"
+      tags:
+        - "system:base"
+        - "system:base:ntp"
+    - role: "system/base/fail2ban"
+      tags:
+        - "system:base"
+        - "system:base:fail2ban"
+    - role: "system/base/fstrim"
+      tags:
+        - "system:base"
+        - "system:base:fstrim"
+    - role: "system/base/unattended_upgrades"
+      tags:
+        - "system:base"
+        - "system:base:unattended_upgrades"
+    - role: "system/base/logs"
+      tags:
+        - "system:base"
+        - "system:base:logs"
+    - role: "system/base/systemd_mail"
+      tags:
+        - "system:base"
+        - "system:base:systemd_mail"
+    - role: "system/base/utils"
+      tags:
+        - "system:base"
+        - "system:base:utils"
+    - role: "system/base/motd"
       vars:
         system_base_motd_dir: "files/system/base/motd"
-      tags: "system:base"
+      tags:
+        - "system:base"
+        - "system:base:motd"
+    - role: "system/base/root"
+      tags:
+        - "system:base"
+        - "system:base:root"
+    - role: "system/base/user"
+      tags:
+        - "system:base"
+        - "system:base:user"