Split system:base tasks into roles

This commit is contained in:
Wojciech Kozlowski 2022-12-20 17:31:37 +01:00
parent bec1c8b658
commit 4d797ed4c4
47 changed files with 145 additions and 117 deletions


@ -9,6 +9,7 @@ ansible_become_password: "{{ vault_ansible_become_password }}"
# system:base
# --------------------------------------------------------------------------------------------------
system_base_ssh_user: "{{ vault_system_base_ssh_user }}"
system_base_ntp_timezone: "{{ vault_system_base_ntp_timezone }}"
# --------------------------------------------------------------------------------------------------
# system:mail
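Review bot: `system_base_ntp_timezone` is plain configuration, not a secret, so wrapping it in `vault_system_base_ntp_timezone` hides the effective timezone from this diff and from anyone reading the vars file without vault access. The neighbouring `system_base_ssh_user` uses the same wrapper, so this may be a deliberate "everything host-specific lives in the vault" convention; if it is not, set the value in the clear, e.g. `system_base_ntp_timezone: "Europe/Amsterdam"` (the literal the ntp task used before this commit), and reserve the vault for credentials.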


@ -1,4 +1,4 @@
---
dependencies:
- role: "system/nftables"
- role: "system/base/nftables"
- role: "vpn/bridge"


@ -0,0 +1,10 @@
---
argument_specs:
main:
options:
ansible_port:
type: "int"
required: true
system_base_fail2ban_ignoreip:
type: "str"
required: true
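Review bot: Neither option in this new spec carries a `description`, so a failed argument validation or `ansible-doc` run gives no hint of the expected format; `system_base_fail2ban_ignoreip` is a free-form `str` that fail2ban itself interprets as a space-separated list of addresses/CIDRs, which is worth stating. Add e.g. `description: "Space-separated IPs/CIDRs that fail2ban must never ban (presumably rendered into the jail templates)"` under it, and a note on `ansible_port` that it is the connection port rather than a role-specific input. The other specs introduced by this commit (motd, ntp, systemd_mail) have the same gap.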


@ -1,34 +1,34 @@
---
- name: "fail2ban : install fail2ban"
- name: "install fail2ban"
ansible.builtin.apt:
name: "fail2ban"
- name: "fail2ban : configure fail2ban"
- name: "configure fail2ban"
ansible.builtin.template:
src: "./fail2ban/jail.local.j2"
src: "./jail.local.j2"
dest: "/etc/fail2ban/jail.local"
mode: 0644
register: system_base_fail2ban_conf
- name: "fail2ban : configure fail2ban sshd jail"
- name: "configure fail2ban sshd jail"
ansible.builtin.template:
src: "./fail2ban/jail.d/sshd.local.j2"
src: "./jail.d/sshd.local.j2"
dest: "/etc/fail2ban/jail.d/sshd.local"
mode: 0644
register: system_base_fail2ban_sshd_jail
- name: "fail2ban : enable fail2ban"
- name: "enable fail2ban"
ansible.builtin.systemd:
name: "fail2ban"
enabled: true
- name: "fail2ban : start fail2ban"
- name: "start fail2ban"
ansible.builtin.systemd:
name: "fail2ban"
state: "started"
register: system_base_fail2ban_start
- name: "fail2ban : restart fail2ban"
- name: "restart fail2ban"
ansible.builtin.systemd:
name: "fail2ban"
state: "restarted"
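Review bot: The `start fail2ban` / `restart fail2ban` pair re-implements handler semantics with three `register:` flags (`system_base_fail2ban_conf`, `system_base_fail2ban_sshd_jail`, `system_base_fail2ban_start`), and the `when:` that ties them together lies past the end of this hunk, so the restart condition cannot be reviewed here. Now that fail2ban is its own role, a `handlers/main.yml` holding the restart task plus `notify: "restart fail2ban"` on the two template tasks would drop the registers and guarantee at most one restart per play. The same register-then-restart pattern is repeated in the sshd and systemd_mail task files of this commit. Separately, `mode: 0644` depends on YAML 1.1 octal parsing; the lint-clean form is `mode: "0644"`.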


@ -1,5 +1,5 @@
---
- name: "fstrim : enable fstrim.timer"
- name: "enable fstrim.timer"
ansible.builtin.systemd:
name: "fstrim.timer"
enabled: true


@ -1,19 +1,19 @@
---
- name: "logs : install logcheck and logrotate"
- name: "install logcheck and logrotate"
ansible.builtin.apt:
name:
- "logcheck"
- "logrotate"
- name: "logs : configure logcheck"
- name: "configure logcheck"
ansible.builtin.copy:
src: "./logcheck/logcheck.conf"
src: "./logcheck.conf"
dest: "/etc/logcheck/logcheck.conf"
mode: 0640
- name: "logs : configure logcheck ignores"
ansible.builtin.copy:
src: "./logcheck/ignore"
src: "./ignore"
dest: "/etc/logcheck/ignore.d.server/{{ ansible_hostname }}"
group: "logcheck"
mode: 0644
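Review bot: `configure logcheck` writes `/etc/logcheck/logcheck.conf` with `mode: 0640` but, unlike the ignore-file task below it, sets no `group:`; if the destination does not already exist (fresh host, or the package default removed) the file lands as root:root 0640 and the logcheck user cannot read its own configuration. Adding `group: "logcheck"` to that task makes the two copies consistent and removes the dependency on the pre-existing file's ownership. Also, the task name `logs : configure logcheck ignores` appears here only in its old form; if it was not renamed along with the others, it should be, for consistency with the new role layout.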


@ -0,0 +1,10 @@
---
argument_specs:
main:
options:
ansible_hostname:
type: "str"
required: true
system_base_motd_dir:
type: "str"
required: false


@ -1,5 +1,5 @@
---
- name: "motd : set motd"
- name: "set motd"
ansible.builtin.copy:
src: "{{ item }}"
dest: "/etc/motd"


@ -0,0 +1,7 @@
---
argument_specs:
main:
options:
system_base_ntp_timezone:
type: "str"
required: true


@ -1,14 +1,14 @@
---
- name: "ntp : install systemd-timesyncd"
- name: "install systemd-timesyncd"
ansible.builtin.apt:
name: "systemd-timesyncd"
- name: "ntp : enable systemd-timesyncd"
- name: "enable systemd-timesyncd"
ansible.builtin.systemd:
name: "systemd-timesyncd"
enabled: true
state: started
- name: "ntp : set timezone"
- name: "set timezone"
community.general.timezone:
name: "Europe/Amsterdam"
name: "{{ system_base_ntp_timezone }}"
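Review bot: `state: started` in the `enable systemd-timesyncd` task is the only unquoted string scalar in this file while every other value, including the new `"{{ system_base_ntp_timezone }}"`, is quoted; write it as `state: "started"` for consistency. This task also folds enable and start into one step, whereas the fail2ban and sshd roles of the same commit split them into separate tasks; either shape works, but the split roles should agree.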


@ -1,11 +1,11 @@
---
- name: "root : disable root shell"
- name: "disable root shell"
ansible.builtin.user:
name: "root"
shell: "/usr/sbin/nologin"
- name: "root : disable su for non-wheel users"
- name: "disable su for non-wheel users"
ansible.builtin.copy:
src: "./root/su"
src: "./su"
dest: "/etc/pam.d/su"
mode: 0644


@ -2,9 +2,6 @@
argument_specs:
main:
options:
ansible_hostname:
type: "str"
required: true
ansible_port:
type: "int"
required: true
@ -15,9 +12,3 @@ argument_specs:
type: "list"
elements: "str"
required: true
system_base_fail2ban_ignoreip:
type: "str"
required: true
system_base_motd_dir:
type: "str"
required: false


@ -1,25 +1,25 @@
---
# SSH must be installed so we don't bother with installing it.
- name: "sshd : configure sshd"
- name: "configure sshd"
ansible.builtin.template:
src: "./sshd/99-local.conf.j2"
src: "./99-local.conf.j2"
dest: "/etc/ssh/sshd_config.d/99-local.conf"
mode: 0600
register: system_base_sshd_conf
- name: "sshd : enable sshd"
- name: "enable sshd"
ansible.builtin.systemd:
name: "sshd"
enabled: true
- name: "sshd : start sshd"
- name: "start sshd"
ansible.builtin.systemd:
name: "sshd"
state: "started"
register: system_base_sshd_start
- name: "sshd : restart sshd"
- name: "restart sshd"
ansible.builtin.systemd:
name: "sshd"
state: "restarted"
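Review bot: `configure sshd` templates a drop-in into `/etc/ssh/sshd_config.d/` and the role later restarts sshd, yet nothing checks the rendered file first, so a typo in `99-local.conf.j2` locks every host out on the restart. `ansible.builtin.template` supports a `validate` step; adding `validate: "/usr/sbin/sshd -t -f %s"` to that task rejects a malformed drop-in before it replaces the live file (this checks the fragment on its own, so it catches syntax and unknown options but not conflicts with the main config). The `when:` that guards `restart sshd` is past the end of this hunk and cannot be reviewed here.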


@ -0,0 +1,7 @@
---
argument_specs:
main:
options:
ansible_hostname:
type: "str"
required: true


@ -1,31 +1,31 @@
---
- name: "systemd_mail : systemd mail root script"
- name: "systemd mail root script"
ansible.builtin.template:
src: "./systemd_mail/system/systemd-mail-systemctl-status.j2"
src: "./system/systemd-mail-systemctl-status.j2"
dest: "/usr/local/sbin/systemd-mail-systemctl-status"
mode: 0755
- name: "systemd_mail : systemd mail user script"
- name: "systemd mail user script"
ansible.builtin.template:
src: "./systemd_mail/user/systemd-mail-systemctl-status.j2"
src: "./user/systemd-mail-systemctl-status.j2"
dest: "/usr/local/bin/systemd-mail-systemctl-status"
mode: 0755
- name: "systemd_mail : systemd mail root service"
- name: "systemd mail root service"
ansible.builtin.copy:
src: "./systemd_mail/system/status-mail@.service"
src: "./system/status-mail@.service"
dest: "/etc/systemd/system/status-mail@.service"
mode: 0644
register: system_base_system_status_mail_service_file
- name: "systemd_mail : systemd mail user service"
- name: "systemd mail user service"
ansible.builtin.copy:
src: "./systemd_mail/user/status-mail@.service"
src: "./user/status-mail@.service"
dest: "/etc/systemd/user/status-mail@.service"
mode: 0644
register: system_base_user_status_mail_service_file
- name: "systemd_mail : systemd daemon reload"
- name: "systemd daemon reload"
ansible.builtin.systemd:
daemon_reload: true
when:


@ -1,16 +0,0 @@
---
- name: "unattended_upgrades : install unattended-upgrades"
ansible.builtin.apt:
name: "unattended-upgrades"
- name: "unattended_upgrades : configure unattended-upgrades"
ansible.builtin.copy:
src: "./unattended_upgrades/50unattended-upgrades"
dest: "/etc/apt/apt.conf.d/50unattended-upgrades"
mode: 0644
- name: "unattended_upgrades : enable unattended-upgrades"
ansible.builtin.copy:
src: "./unattended_upgrades/20auto-upgrades"
dest: "/etc/apt/apt.conf.d/20auto-upgrades"
mode: 0644


@ -1,44 +0,0 @@
---
- name: "play:system : role:base : tasks:sshd"
ansible.builtin.import_tasks: "include/sshd.yml"
tags: "system:base:sshd"
- name: "play:system : role:base : tasks:ntp"
ansible.builtin.import_tasks: "include/ntp.yml"
tags: "system:base:ntp"
- name: "play:system : role:base : tasks:fail2ban"
ansible.builtin.import_tasks: "include/fail2ban.yml"
tags: "system:base:fail2ban"
- name: "play:system : role:base : tasks:fstrim"
ansible.builtin.import_tasks: "include/fstrim.yml"
tags: "system:base:fstrim"
- name: "play:system : role:base : tasks:unattended_upgrades"
ansible.builtin.import_tasks: "include/unattended_upgrades.yml"
tags: "system:base:unattended_upgrades"
- name: "play:system : role:base : tasks:logs"
ansible.builtin.import_tasks: "include/logs.yml"
tags: "system:base:logs"
- name: "play:system : role:base : tasks:systemd_mail"
ansible.builtin.import_tasks: "include/systemd_mail.yml"
tags: "system:base:systemd_mail"
- name: "play:system : role:base : tasks:utils"
ansible.builtin.import_tasks: "include/utils.yml"
tags: "system:base:utils"
- name: "play:system : role:base : tasks:motd"
ansible.builtin.import_tasks: "include/motd.yml"
tags: "system:base:motd"
- name: "play:system : role:base : tasks:root"
ansible.builtin.import_tasks: "include/root.yml"
tags: "system:base:root"
- name: "play:system : role:base : tasks:user"
ansible.builtin.import_tasks: "include/user.yml"
tags: "system:base:user"


@ -0,0 +1,16 @@
---
- name: "install unattended-upgrades"
ansible.builtin.apt:
name: "unattended-upgrades"
- name: "configure unattended-upgrades"
ansible.builtin.copy:
src: "./50unattended-upgrades"
dest: "/etc/apt/apt.conf.d/50unattended-upgrades"
mode: 0644
- name: "enable unattended-upgrades"
ansible.builtin.copy:
src: "./20auto-upgrades"
dest: "/etc/apt/apt.conf.d/20auto-upgrades"
mode: 0644


@ -1,22 +1,22 @@
---
- block:
- name: "user : clone tmux dotfiles"
- name: "clone tmux dotfiles"
ansible.builtin.git:
repo: "https://git.wojciechkozlowski.eu/config/tmux.git"
dest: ".tmux"
recursive: true
# On first tmux launch install plugins with <Ctrl + a + I>
- name: "user : configure tmux"
- name: "configure tmux"
ansible.builtin.copy:
src: "./user/tmux.conf"
src: "./tmux.conf"
dest: ".tmux.conf"
mode: 0644
- name: "user : configure bashrc"
- name: "configure bashrc"
ansible.builtin.copy:
src: "./user/bashrc"
src: "./bashrc"
dest: ".bashrc"
mode: 0644
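Review bot: `clone tmux dotfiles` runs `ansible.builtin.git` without a `version:`, so every run follows the remote default branch HEAD, and `recursive: true` pulls whatever the submodule pointers currently reference; the shell environment deployed to a host is therefore not reproducible and silently changes whenever the upstream repository does. Pin it, e.g. `version: "<tag-or-commit placeholder>"`, and bump the pin deliberately. The enclosing `block:` opens at the top of this hunk but its remaining keys (become/user settings, if any) follow the task list past the end of the hunk.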


@ -1,5 +1,5 @@
---
- name: "utils : install utility programs"
- name: "install utility programs"
ansible.builtin.apt:
name:
- "acl"


@ -37,11 +37,57 @@
- name: "system : all"
hosts: "all"
roles:
- role: "system/mail"
tags: "system:mail"
- role: "system/nftables"
tags: "system:nftables"
- role: "system/base"
- role: "system/base/nftables"
tags:
- "system:base"
- "system:base:nftables"
- role: "system/base/mail"
tags:
- "system:base"
- "system:base:mail"
- role: "system/base/sshd"
tags:
- "system:base"
- "system:base:sshd"
- role: "system/base/ntp"
tags:
- "system:base"
- "system:base:ntp"
- role: "system/base/fail2ban"
tags:
- "system:base"
- "system:base:fail2ban"
- role: "system/base/fstrim"
tags:
- "system:base"
- "system:base:fstrim"
- role: "system/base/unattended_upgrades"
tags:
- "system:base"
- "system:base:unattended_upgrades"
- role: "system/base/logs"
tags:
- "system:base"
- "system:base:logs"
- role: "system/base/systemd_mail"
tags:
- "system:base"
- "system:base:systemd_mail"
- role: "system/base/utils"
tags:
- "system:base"
- "system:base:utils"
- role: "system/base/motd"
vars:
system_base_motd_dir: "files/system/base/motd"
tags: "system:base"
tags:
- "system:base"
- "system:base:motd"
- role: "system/base/root"
tags:
- "system:base"
- "system:base:root"
- role: "system/base/user"
tags:
- "system:base"
- "system:base:user"