Convert common parts of 00-hosts to roles

.gitignore

@@ -1,4 +1,3 @@
-group_vars/asgard
-host_vars/valkyrie
-host_vars/yggdrasil
+group_vars/**
+host_vars/**
 playbooks/filesystem/tmp/valkyrie/etc/resolv.conf

group_vars/asgard.template

@@ -1,33 +0,0 @@
-# Ansible variables
-ansible_port:
-ansible_become_password:
-
-# SSH variables
-ssh_user:
-
-# Machine variables
-domain:
-
-# Postfix variables
-postfix_smtp_server:
-postfix_smtp_port:
-postfix_smtp_user:
-
-# VPN network variables
-vpn_wg0_port:
-vpn_wg0_netmask:
-vpn_wg0_subnet:
-vpn_wg0_preshared_key:
-
-# Service variables
-services: {
-    name: {
-        address: X.X.X.X,
-    },
-}
-
-# Backup parameters
-scw_bucket_endpoint:
-scw_access_key:
-scw_secret_key:
-restic_password:

host_vars/asgard.template

@@ -1,35 +0,0 @@
-# Machine variables
-subnet_address:
-subnet_masklen:
-subnet:
-ethx:
-is_zfs:
-
-# Fail2ban variable:
-fail2ban_ignoreip:
-
-# Postfix variables
-postfix_smtp_pass:
-
-# VPN network variables
-vpn_subnet_id:
-vpn_remote_id:
-
-vpn_br0_address:
-vpn_br0_broadcast:
-vpn_br0_netmask:
-
-vpn_wg0_address:
-vpn_wg0_remote_address:
-vpn_wg0_interface_private_key:
-vpn_wg0_peer_public_key:
-vpn_wg0_endpoint_address:
-
-vpn_remote_br0_subnet:
-
-# Service variables
-host_services: [
-    service_name_1,
-    service_name_2,
-]
-service_bridge_gateway:

hosts

@@ -1,6 +1,33 @@
+# --------------------------------------------------------------------------------------------------
+# Functionality.
+# --------------------------------------------------------------------------------------------------
+
+# VPN entry-points.
 [bifrost]
 heimdall
 
+# Service running hosts.
 [asgard]
 valkyrie
 yggdrasil
+
+# --------------------------------------------------------------------------------------------------
+# Network.
+# --------------------------------------------------------------------------------------------------
+
+# Hosts physically located within the home LAN.
+[home]
+heimdall
+yggdrasil
+
+# Hosts remote to the home LAN.
+[remote]
+valkyrie
+
+# --------------------------------------------------------------------------------------------------
+# Special.
+# --------------------------------------------------------------------------------------------------
+
+# Hosts running with ZFS.
+[zfs]
+yggdrasil

main.yml

@@ -0,0 +1,2 @@
+---
+- ansible.builtin.import_playbook: "plays/group-all.yml"

playbooks/00-hosts.yml

@@ -1,22 +1,4 @@
 ---
-- name: Configure hosts
-  hosts: asgard
-
-  tasks:
-    - import_tasks: tasks/hosts/sshd.yml
-    - import_tasks: tasks/hosts/firewall.yml
-    - import_tasks: tasks/hosts/ntp.yml
-    - import_tasks: tasks/hosts/mail.yml
-    - import_tasks: tasks/hosts/systemd-mail.yml
-    - import_tasks: tasks/hosts/unattended-upgrades.yml
-    - import_tasks: tasks/hosts/fail2ban.yml
-    - import_tasks: tasks/hosts/fstrim.yml
-    - import_tasks: tasks/hosts/logs.yml
-    - import_tasks: tasks/hosts/motd.yml
-    - import_tasks: tasks/hosts/utils.yml
-    - import_tasks: tasks/hosts/user.yml
-    - import_tasks: tasks/hosts/root-shell.yml
-
 - name: Configure yggdrasil extras
   hosts: yggdrasil
 

playbooks/filesystem/common/etc/mailname.j2

@@ -1 +0,0 @@
-{{ ansible_hostname }}.{{ domain }}

playbooks/filesystem/common/etc/mailutils.conf.j2

@@ -1,3 +0,0 @@
-address {
-  email-domain {{ ansible_hostname }}.{{ domain }};
-};

playbooks/filesystem/valkyrie/etc/ssh/sshd_config.d/00-allow-users.conf.j2

@@ -1,2 +0,0 @@
-# Explicitly set the list of allowed ssh users.
-AllowUsers {{ ssh_user }} pod-rproxy

playbooks/filesystem/yggdrasil/etc/nftables.conf.j2

@@ -1,35 +0,0 @@
-#!/usr/sbin/nft -f
-
-flush ruleset
-
-table inet filter {
-        chain input {
-                type filter hook input priority 0;
-
-                # Accept any localhost traffic.
-                iif lo accept;
-
-                # Accept traffic originated from us.
-                ct state established,related accept;
-
-                # Allow ICMP packets.
-                # Note that for IPv6 nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert are needed to not break connectivity.
-                ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept;
-                ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept;
-
-                # Drop invalid connections.
-                ct state invalid drop;
-
-                # Accept HTTP, HTTPS, SSH.
-                tcp dport { 80, 443, {{ ansible_port }}, {{ services['git'].ssh_port }} } ct state new accept;
-
-                # Count and drop any other traffic.
-                counter drop;
-        }
-        chain forward {
-                type filter hook forward priority 0;
-        }
-        chain output {
-                type filter hook output priority 0;
-        }
-}

playbooks/tasks/hosts/fail2ban.yml

@@ -1,37 +0,0 @@
-- name: Install fail2ban
-  apt:
-    name: fail2ban
-
-- name: Configure fail2ban
-  template:
-    src: ./filesystem/common/etc/fail2ban/jail.local.j2
-    dest: /etc/fail2ban/jail.local
-    mode: 0644
-  register: fail2ban_conf
-
-- name: Configure fail2ban sshd jail
-  template:
-    src: ./filesystem/common/etc/fail2ban/jail.d/sshd.local.j2
-    dest: /etc/fail2ban/jail.d/sshd.local
-    mode: 0644
-  register: fail2ban_sshd_jail
-
-- name: Enable fail2ban
-  systemd:
-    name: fail2ban
-    enabled: yes
-
-- name: Start fail2ban
-  systemd:
-    name: fail2ban
-    state: started
-  register: fail2ban_start
-
-- name: Restart fail2ban
-  systemd:
-    name: fail2ban
-    state: restarted
-  when:
-    (fail2ban_conf is changed or
-    fail2ban_sshd_jail is changed) and
-    fail2ban_start is not changed

playbooks/tasks/hosts/firewall.yml

@@ -1,45 +0,0 @@
-- name: Install nftables
-  apt:
-    name: nftables
-
-- name: Configure nftables
-  template:
-    src: ./filesystem/{{ ansible_host }}/etc/nftables.conf.j2
-    dest: /etc/nftables.conf
-    mode: 0755
-  register: nftables_conf
-
-- name: Enable nftables
-  systemd:
-    name: nftables
-    enabled: yes
-
-- name: Start nftables
-  systemd:
-    name: nftables
-    state: started
-  register: nftables_start
-
-- name: Restart nftables
-  systemd:
-    name: nftables
-    state: restarted
-  register: nftables_restart
-  when:
-    nftables_conf is changed and
-    nftables_start is not changed
-
-- block:
-    - name: List all post-up nft scripts for interfaces
-      find:
-        paths: /usr/local/sbin
-        patterns: "post-up-*.nft"
-      register: nft_post_up_scripts
-
-    - name: Reload nft scripts for interfaces
-      command: "{{ item.path }}"
-      with_items:
-        - "{{ nft_post_up_scripts.files }}"
-
-  when:
-    nftables_restart is changed

playbooks/tasks/hosts/fstrim.yml

@@ -1,22 +0,0 @@
-# Run fstrim daily on ZFS. It's a no-op on ZFS filesystems, but it will run on zvols mounted via
-# fstab. This helps keep zvol space requirements down.
-- name: Configure daily fstrim timer
-  copy:
-    src: ./filesystem/common/etc/systemd/system/fstrim-daily.timer
-    dest: /etc/systemd/system/fstrim.timer
-    mode: 0644
-  register: systemd_fstrim_daily_timer_file
-  when:
-    is_zfs
-
-- name: SystemD daemon reload
-  systemd:
-    daemon_reload: true
-  when:
-    systemd_fstrim_daily_timer_file is changed
-
-- name: Enable fstrim
-  systemd:
-    name: fstrim.timer
-    enabled: yes
-    state: started

playbooks/tasks/hosts/logs.yml

@@ -1,18 +0,0 @@
-- name: Install logcheck and logrotate
-  apt:
-    name:
-      - logcheck
-      - logrotate
-
-- name: Configure logcheck
-  copy:
-    src: ./filesystem/common/etc/logcheck/logcheck.conf
-    dest: /etc/logcheck/logcheck.conf
-    mode: 0640
-
-- name: Configure logcheck ignores
-  template:
-    src: ./filesystem/common/etc/logcheck/ignore.d.server/_hostname.j2
-    dest: /etc/logcheck/ignore.d.server/{{ ansible_hostname }}
-    group: logcheck
-    mode: 0644

playbooks/tasks/hosts/mail.yml

@@ -1,77 +0,0 @@
-- name: Configure mailname
-  template:
-    src: ./filesystem/common/etc/mailname.j2
-    dest: /etc/mailname
-    mode: 0644
-  register: mail_mailname
-
-- name: Configure mailutils
-  template:
-    src: ./filesystem/common/etc/mailutils.conf.j2
-    dest: /etc/mailutils.conf
-    mode: 0644
-
-- name: Install postfix
-  apt:
-    name:
-      - postfix
-      - ca-certificates
-      - libsasl2-modules
-
-- name: Configure aliases
-  template:
-    src: ./filesystem/common/etc/aliases.j2
-    dest: /etc/aliases
-    mode: 0644
-  register: mail_aliases
-
-- name: Update aliases
-  command: newaliases
-  when: mail_aliases is changed
-
-- name: Configure postfix
-  template:
-    src: ./filesystem/common/etc/postfix/main.cf.j2
-    dest: /etc/postfix/main.cf
-    mode: 0644
-  register: mail_postfix_conf
-
-- name: Configure credentials
-  template:
-    src: ./filesystem/common/etc/postfix/sasl_passwd.j2
-    dest: /etc/postfix/sasl_passwd
-    mode: 0600
-  register: mail_postfix_credentials
-
-- name: Create hash database
-  command: postmap /etc/postfix/sasl_passwd
-  when:
-    mail_postfix_credentials is changed
-
-- name: Set hash database permissions
-  file:
-    path: /etc/postfix/sasl_passwd.db
-    mode: 0600
-
-- name: Enable postfix
-  systemd:
-    name: postfix
-    enabled: yes
-
-- name: Start postfix
-  systemd:
-    name: postfix
-    state: started
-  register:
-    mail_postfix_start
-
-- name: Restart postfix
-  systemd:
-    name: postfix
-    state: restarted
-  when:
-    (mail_mailname is changed or
-    mail_aliases is changed or
-    mail_postfix_conf is changed or
-    mail_postfix_credentials is changed) and
-    mail_postfix_start is not changed

playbooks/tasks/hosts/motd.yml

@@ -1,5 +0,0 @@
-- name: Set MotD
-  copy:
-    src: ./filesystem/{{ ansible_hostname }}/etc/motd
-    dest: /etc/motd
-    mode: 0644

playbooks/tasks/hosts/ntp.yml

@@ -1,9 +0,0 @@
-- name: Install systemd-timesyncd
-  apt:
-    name: systemd-timesyncd
-
-- name: Enable NTP
-  systemd:
-    name: systemd-timesyncd
-    enabled: yes
-    state: started

playbooks/tasks/hosts/root-shell.yml

@@ -1,10 +0,0 @@
-- name: Disable root shell
-  user:
-    name: root
-    shell: /usr/sbin/nologin
-
-- name: Disable su for non-wheel users
-  copy:
-    src: ./filesystem/common/etc/pam.d/su
-    dest: /etc/pam.d/su
-    mode: 0644

playbooks/tasks/hosts/sshd.yml

@@ -1,27 +0,0 @@
-# SSH must be installed and enabled for ansible to even connect so we don't bother with installing
-# and starting it.
-
-- name: Configure sshd
-  template:
-    src: ./filesystem/common/etc/ssh/sshd_config.d/99-local.conf.j2
-    dest: /etc/ssh/sshd_config.d/99-local.conf
-    mode: 0600
-  register: sshd_conf
-
-- name: Configure host-specific sshd
-  template:
-    src:  "{{ item }}"
-    dest: /etc/ssh/sshd_config.d/{{ item | basename | regex_replace('\.j2','') }}
-    mode: 0600
-  with_fileglob:
-    - "./filesystem/{{ ansible_hostname }}/etc/ssh/sshd_config.d/*.j2"
-  register: sshd_special_conf
-
-- name: Restart sshd
-  systemd:
-    name: sshd
-    enabled: yes
-    state: restarted
-  when:
-    sshd_conf is changed or
-    sshd_special_conf is changed

playbooks/tasks/hosts/systemd-mail.yml

@@ -1,32 +0,0 @@
-- name: SystemD mail root script
-  template:
-    src: ./filesystem/common/usr/local/sbin/systemd-mail-systemctl-status.j2
-    dest: /usr/local/sbin/systemd-mail-systemctl-status
-    mode: 0755
-
-- name: SystemD mail user script
-  template:
-    src: ./filesystem/common/usr/local/bin/systemd-mail-systemctl-status.j2
-    dest: /usr/local/bin/systemd-mail-systemctl-status
-    mode: 0755
-
-- name: SystemD mail root service
-  copy:
-    src: ./filesystem/common/etc/systemd/system/status-mail@.service
-    dest: /etc/systemd/system/status-mail@.service
-    mode: 0644
-  register: systemd_system_status_mail_service_file
-
-- name: SystemD mail user service
-  copy:
-    src: ./filesystem/common/etc/systemd/user/status-mail@.service
-    dest: /etc/systemd/user/status-mail@.service
-    mode: 0644
-  register: systemd_user_status_mail_service_file
-
-- name: SystemD daemon reload
-  systemd:
-    daemon_reload: true
-  when:
-    systemd_system_status_mail_service_file is changed or
-    systemd_user_status_mail_service_file is changed

playbooks/tasks/hosts/unattended-upgrades.yml

@@ -1,15 +0,0 @@
-- name: Install unattended-upgrades
-  apt:
-    name: unattended-upgrades
-
-- name: Configure unattended-upgrades
-  copy:
-    src: ./filesystem/common/etc/apt/apt.conf.d/50unattended-upgrades
-    dest: /etc/apt/apt.conf.d/50unattended-upgrades
-    mode: 0644
-
-- name: Enable unattended-upgrades
-  copy:
-    src: ./filesystem/common/etc/apt/apt.conf.d/20auto-upgrades
-    dest: /etc/apt/apt.conf.d/20auto-upgrades
-    mode: 0644

playbooks/tasks/hosts/user.yml

@@ -1,22 +0,0 @@
-- name: Clone tmux dotfiles
-  become: no
-  git:
-    repo: https://git.wojciechkozlowski.eu/config/tmux.git
-    dest: .tmux
-    recursive: yes
-
-- name: Configure tmux
-  become: no
-  copy:
-    src: ./filesystem/common/home/user/tmux.conf
-    dest: .tmux.conf
-    mode: 0644
-
-- name: Configure bashrc
-  become: no
-  copy:
-    src: ./filesystem/common/home/user/bashrc
-    dest: .bashrc
-    mode: 0644
-
-# On first tmux launch install plugins with <Ctrl + a + I>

playbooks/tasks/hosts/utils.yml

@@ -1,12 +0,0 @@
-- name: Install utility programs
-  apt:
-    name:
-      - acl
-      - git
-      - htop
-      - man
-      - perl
-      - rsync
-      - tmux
-      - tcpdump
-      - traceroute

plays/group-all.yml

@@ -0,0 +1,10 @@
+---
+- name: "play : all"
+  hosts: "all"
+  roles:
+    - role: "system_mail"
+      tags: "role:system_mail"
+    - role: "system_base"
+      tags: "role:system_base"
+      vars:
+        motd_dir_path: "files/motd"

plays/group-asgard.yml

@@ -0,0 +1,3 @@
+---
+- name: "play-group-asgard"
+  hosts: "asgard"

plays/group-bifrost.yml

@@ -0,0 +1,3 @@
+---
+- name: "play-group-bifrost"
+  hosts: "bifrost"

plays/roles/system_base/defaults/main.yml

@@ -0,0 +1,6 @@
+# sshd
+additional_ssh_users: []
+
+# nftables
+additional_tcp_ports: []
+udp_ports: []

plays/roles/system_base/meta/argument_specs.yml

@@ -0,0 +1,30 @@
+argument_specs:
+  main:
+    options:
+      ansible_hostname:
+        type: "str"
+        required: true
+      ansible_port:
+        type: "int"
+        required: true
+      ssh_user:
+        type: "str"
+        required: true
+      additional_ssh_users:
+        type: "list"
+        elements: "str"
+        required: true
+      additional_tcp_ports:
+        type: "list"
+        elements: "int"
+        required: true
+      udp_ports:
+        type: "list"
+        elements: "int"
+        required: true
+      fail2ban_ignoreip:
+        type: "str"
+        required: true
+      motd_dir_path:
+        type: "str"
+        required: false

plays/roles/system_base/tasks/include/fail2ban.yml

@@ -0,0 +1,37 @@
+- name: "fail2ban : install fail2ban"
+  ansible.builtin.apt:
+    name: "fail2ban"
+
+- name: "fail2ban : configure fail2ban"
+  ansible.builtin.template:
+    src: "./fail2ban/jail.local.j2"
+    dest: "/etc/fail2ban/jail.local"
+    mode: 0644
+  register: fail2ban_conf
+
+- name: "fail2ban : configure fail2ban sshd jail"
+  ansible.builtin.template:
+    src: "./fail2ban/jail.d/sshd.local.j2"
+    dest: "/etc/fail2ban/jail.d/sshd.local"
+    mode: 0644
+  register: fail2ban_sshd_jail
+
+- name: "fail2ban : enable fail2ban"
+  ansible.builtin.systemd:
+    name: "fail2ban"
+    enabled: true
+
+- name: "fail2ban : start fail2ban"
+  ansible.builtin.systemd:
+    name: "fail2ban"
+    state: "started"
+  register: fail2ban_start
+
+- name: "fail2ban : restart fail2ban"
+  ansible.builtin.systemd:
+    name: "fail2ban"
+    state: "restarted"
+  when:
+    (fail2ban_conf.changed or
+    fail2ban_sshd_jail.changed) and
+    not fail2ban_start.changed

plays/roles/system_base/tasks/include/fstrim.yml

@@ -0,0 +1,5 @@
+- name: "fstrim : enable fstrim.timer"
+  ansible.builtin.systemd:
+    name: "fstrim.timer"
+    enabled: true
+    state: "started"

plays/roles/system_base/tasks/include/logs.yml

@@ -0,0 +1,18 @@
+- name: "logs : install logcheck and logrotate"
+  ansible.builtin.apt:
+    name:
+      - "logcheck"
+      - "logrotate"
+
+- name: "logs : configure logcheck"
+  ansible.builtin.copy:
+    src: "./logcheck/logcheck.conf"
+    dest: "/etc/logcheck/logcheck.conf"
+    mode: 0640
+
+- name: "logs : configure logcheck ignores"
+  ansible.builtin.copy:
+    src: "./logcheck/ignore"
+    dest: "/etc/logcheck/ignore.d.server/{{ ansible_hostname }}"
+    group: "logcheck"
+    mode: 0644

plays/roles/system_base/tasks/include/motd.yml

@@ -0,0 +1,13 @@
+- name: "motd : set motd"
+  ansible.builtin.copy:
+    src: "{{ _system_base_motd_file }}"
+    dest: "/etc/motd"
+    mode: 0644
+  when:
+    motd_dir_path is defined and
+    _system_base_motd_file != ""
+  vars:
+    _file_path:
+      - ../../../{{ motd_dir_path  }}/{{ ansible_hostname }}
+    _system_base_motd_file: >-
+      {{ lookup('ansible.builtin.first_found', _file_path, errors='ignore') }}

plays/roles/system_base/tasks/include/nftables.yml

@@ -0,0 +1,28 @@
+- name: "nftables : install nftables"
+  ansible.builtin.apt:
+    name: "nftables"
+
+- name: "nftables : configure nftables"
+  ansible.builtin.template:
+    src: "./nftables/nftables.conf.j2"
+    dest: "/etc/nftables.conf"
+    mode: 0755
+  register: nftables_conf
+
+- name: "nfntables : enable nftables"
+  ansible.builtin.systemd:
+    name: "nftables"
+    enabled: true
+
+- name: "nftables : start nftables"
+  ansible.builtin.systemd:
+    name: "nftables"
+    state: "started"
+  register: nftables_start
+
+- name: "nftables : reload nftables configuration"
+  ansible.builtin.command:
+    cmd: "nft -f /etc/nftables.conf"
+  when:
+    nftables_conf.changed and
+    not nftables_start.changed

plays/roles/system_base/tasks/include/ntp.yml

@@ -0,0 +1,13 @@
+- name: "ntp : install systemd-timesyncd"
+  ansible.builtin.apt:
+    name: "systemd-timesyncd"
+
+- name: "ntp : enable systemd-timesyncd"
+  ansible.builtin.systemd:
+    name: "systemd-timesyncd"
+    enabled: true
+    state: started
+
+- name: "ntp : set timezone"
+  community.general.timezone:
+    name: "Europe/Amsterdam"

plays/roles/system_base/tasks/include/root.yml

@@ -0,0 +1,10 @@
+- name: "root : disable root shell"
+  ansible.builtin.user:
+    name: "root"
+    shell: "/usr/sbin/nologin"
+
+- name: "root : disable su for non-wheel users"
+  ansible.builtin.copy:
+    src: "./root/su"
+    dest: "/etc/pam.d/su"
+    mode: 0644

plays/roles/system_base/tasks/include/sshd.yml

@@ -0,0 +1,27 @@
+# SSH must be installed so we don't bother with installing it.
+
+- name: "sshd : configure sshd"
+  ansible.builtin.template:
+    src: "./sshd/99-local.conf.j2"
+    dest: "/etc/ssh/sshd_config.d/99-local.conf"
+    mode: 0600
+  register: sshd_conf
+
+- name: "sshd : enable sshd"
+  ansible.builtin.systemd:
+    name: "sshd"
+    enabled: true
+
+- name: "sshd : start sshd"
+  ansible.builtin.systemd:
+    name: "sshd"
+    state: "started"
+  register: sshd_start
+
+- name: "sshd : restart sshd"
+  ansible.builtin.systemd:
+    name: "sshd"
+    state: "restarted"
+  when:
+    sshd_conf.changed and
+    not sshd_start.changed

plays/roles/system_base/tasks/include/systemd-mail.yml

@@ -0,0 +1,32 @@
+- name: "systemd-mail : systemd mail root script"
+  ansible.builtin.template:
+    src: "./systemd-mail/system/systemd-mail-systemctl-status.j2"
+    dest: "/usr/local/sbin/systemd-mail-systemctl-status"
+    mode: 0755
+
+- name: "systemd-mail : systemd mail user script"
+  ansible.builtin.template:
+    src: "./systemd-mail/user/systemd-mail-systemctl-status.j2"
+    dest: "/usr/local/bin/systemd-mail-systemctl-status"
+    mode: 0755
+
+- name: "systemd-mail : systemd mail root service"
+  ansible.builtin.copy:
+    src: "./systemd-mail/system/status-mail@.service"
+    dest: "/etc/systemd/system/status-mail@.service"
+    mode: 0644
+  register: systemd_system_status_mail_service_file
+
+- name: "systemd-mail : systemd mail user service"
+  ansible.builtin.copy:
+    src: "./systemd-mail/user/status-mail@.service"
+    dest: "/etc/systemd/user/status-mail@.service"
+    mode: 0644
+  register: systemd_user_status_mail_service_file
+
+- name: "systemd-mail : systemd daemon reload"
+  ansible.builtin.systemd:
+    daemon_reload: true
+  when:
+    systemd_system_status_mail_service_file.changed or
+    systemd_user_status_mail_service_file.changed

plays/roles/system_base/tasks/include/unattended-upgrades.yml

@@ -0,0 +1,15 @@
+- name: "unattended-upgrades : install unattended-upgrades"
+  ansible.builtin.apt:
+    name: "unattended-upgrades"
+
+- name: "unattended-upgrades : configure unattended-upgrades"
+  ansible.builtin.copy:
+    src: "./unattended-upgrades/50unattended-upgrades"
+    dest: "/etc/apt/apt.conf.d/50unattended-upgrades"
+    mode: 0644
+
+- name: "unattended-upgrades : enable unattended-upgrades"
+  ansible.builtin.copy:
+    src: "./unattended-upgrades/20auto-upgrades"
+    dest: "/etc/apt/apt.conf.d/20auto-upgrades"
+    mode: 0644

plays/roles/system_base/tasks/include/user.yml

@@ -0,0 +1,22 @@
+- block:
+
+    - name: "user : clone tmux dotfiles"
+      ansible.builtin.git:
+        repo: "https://git.wojciechkozlowski.eu/config/tmux.git"
+        dest: ".tmux"
+        recursive: true
+
+    # On first tmux launch install plugins with <Ctrl + a + I>
+    - name: "user : configure tmux"
+      ansible.builtin.copy:
+        src: "./user/tmux.conf"
+        dest: ".tmux.conf"
+        mode: 0644
+
+    - name: "user : configure bashrc"
+      ansible.builtin.copy:
+        src: "./user/bashrc"
+        dest: ".bashrc"
+        mode: 0644
+
+  become: false

plays/roles/system_base/tasks/include/utils.yml

@@ -0,0 +1,12 @@
+- name: "utils : install utility programs"
+  ansible.builtin.apt:
+    name:
+      - "acl"
+      - "git"
+      - "htop"
+      - "man"
+      - "perl"
+      - "rsync"
+      - "tmux"
+      - "tcpdump"
+      - "traceroute"

plays/roles/system_base/tasks/main.yml

@@ -0,0 +1,47 @@
+- name: "role:system_base:sshd"
+  import_tasks: "include/sshd.yml"
+  tags: "role:system_base:sshd"
+
+- name: "role:system_base:nftables"
+  import_tasks: "include/nftables.yml"
+  tags: "role:system_base:nftables"
+
+- name: "role:system_base:ntp"
+  import_tasks: "include/ntp.yml"
+  tags: "role:system_base:ntp"
+
+- name: "role:system_base:fail2ban"
+  import_tasks: "include/fail2ban.yml"
+  tags: "role:system_base:fail2ban"
+
+- name: "role:system_base:fstrim"
+  import_tasks: "include/fstrim.yml"
+  tags: "role:system_base:fstrim"
+
+- name: "role:system_base:unattended-upgrades"
+  import_tasks: "include/unattended-upgrades.yml"
+  tags: "role:system_base:unattended-upgrades"
+
+- name: "role:system_base:logs"
+  import_tasks: "include/logs.yml"
+  tags: "role:system_base:logs"
+
+- name: "role:system_base:systemd-mail"
+  import_tasks: "include/systemd-mail.yml"
+  tags: "role:system_base:systemd-mail"
+
+- name: "role:system_base:utils"
+  import_tasks: "include/utils.yml"
+  tags: "role:system_base:utils"
+
+- name: "role:system_base:motd"
+  import_tasks: "include/motd.yml"
+  tags: "role:system_base:motd"
+
+- name: "role:system_base:root"
+  import_tasks: "include/root.yml"
+  tags: "role:system_base:root"
+
+- name: "role:system_base:user"
+  import_tasks: "include/user.yml"
+  tags: "role:system_base:user"

plays/roles/system_base/templates/nftables/nftables.conf.j2

@@ -1,6 +1,7 @@
 #!/usr/sbin/nft -f
 
-flush ruleset
+table inet filter
+delete table inet filter
 
 table inet filter {
         chain input {
@@ -20,12 +21,14 @@ table inet filter {
                 # Drop invalid connections.
                 ct state invalid drop;
 
-                # Accept HTTP, HTTPS, SSH.
-                tcp dport { 80, 443, {{ ansible_port }} } ct state new accept;
+                # TCP ports.
+                tcp dport { {{ [ansible_port] | union(additional_tcp_ports) | join(", ") }} } ct state new accept;
 
-                # Accept WireGuard.
-                iif {{ ethx }} udp dport {{ vpn_wg0_port }} accept;
+{% if udp_ports %}
+                # UDP ports.
+                udp dport { {{ udp_ports | join(", ") }} } accept;
 
+{% endif %}
                 # Count and drop any other traffic.
                 counter drop;
         }

plays/roles/system_base/templates/sshd/99-local.conf.j2

@@ -7,7 +7,7 @@ Port {{ ansible_port }}
 PermitRootLogin no
 
 # Explicitly set the list of allowed ssh users.
-AllowUsers {{ ssh_user }}
+AllowUsers {{ [ssh_user] | union(additional_ssh_users) | join(" ") }}
 
 # SSH enabled only via ssh-key.
 PasswordAuthentication no

plays/roles/system_mail/meta/argument_specs.yml

@@ -0,0 +1,21 @@
+argument_specs:
+  main:
+    options:
+      ansible_hostname:
+        type: "str"
+        required: true
+      mail_domain:
+        type: "str"
+        required: true
+      postfix_smtp_server:
+        type: "str"
+        required: true
+      postfix_smtp_port:
+        type: "int"
+        required: true
+      postfix_smtp_user:
+        type: "str"
+        required: true
+      postfix_smtp_pass:
+        type: "str"
+        required: true

plays/roles/system_mail/tasks/main.yml

@@ -0,0 +1,80 @@
+- name: "configure mailname"
+  ansible.builtin.template:
+    src: "./mailname.j2"
+    dest: "/etc/mailname"
+    mode: 0644
+  register: mail_mailname
+
+- name: "configure mailutils"
+  ansible.builtin.template:
+    src: "./mailutils.conf.j2"
+    dest: "/etc/mailutils.conf"
+    mode: 0644
+
+- name: "install postfix"
+  ansible.builtin.apt:
+    name:
+      - "postfix"
+      - "ca-certificates"
+      - "libsasl2-modules"
+
+- name: "configure aliases"
+  ansible.builtin.template:
+    src: "./aliases.j2"
+    dest: "/etc/aliases"
+    mode: 0644
+  register: mail_aliases
+
+- name: "update aliases"
+  ansible.builtin.command:
+    cmd: "newaliases"
+  when:
+    mail_aliases.changed
+
+- name: "configure postfix"
+  ansible.builtin.template:
+    src: "./postfix/main.cf.j2"
+    dest: "/etc/postfix/main.cf"
+    mode: 0644
+  register: mail_postfix_conf
+
+- name: "configure credentials"
+  ansible.builtin.template:
+    src: "./postfix/sasl_passwd.j2"
+    dest: "/etc/postfix/sasl_passwd"
+    mode: 0600
+  register: mail_postfix_credentials
+
+- name: "create hash database"
+  ansible.builtin.command:
+    cmd: "postmap /etc/postfix/sasl_passwd"
+  when:
+    mail_postfix_credentials.changed
+
+- name: "set hash database permissions"
+  ansible.builtin.file:
+    path: "/etc/postfix/sasl_passwd.db"
+    mode: 0600
+
+- name: "enable postfix"
+  ansible.builtin.systemd:
+    name: "postfix"
+    enabled: true
+
+- name: "start postfix"
+  ansible.builtin.systemd:
+    name: "postfix"
+    state: "started"
+  register:
+    mail_postfix_start
+
+- name: "restart postfix"
+  ansible.builtin.systemd:
+    name: "postfix"
+    state: "restarted"
+  when:
+    (mail_mailname.changed or
+    mail_aliases.changed or
+    mail_postfix_conf.changed or
+    mail_postfix_credentials.changed) and
+    not mail_postfix_start.changed

plays/roles/system_mail/templates/aliases.j2

@@ -11,4 +11,4 @@ ftp: root
 abuse: root
 noc: root
 security: root
-root: root@{{ domain }}
+root: root@{{ mail_domain }}

plays/roles/system_mail/templates/mailname.j2

@@ -0,0 +1 @@
+{{ ansible_hostname }}.{{ mail_domain }}

plays/roles/system_mail/templates/mailutils.conf.j2

@@ -0,0 +1,3 @@
+address {
+  email-domain {{ ansible_hostname }}.{{ mail_domain }};
+};

plays/roles/system_mail/templates/postfix/main.cf.j2

@@ -35,7 +35,7 @@ smtp_tls_wrappermode = yes
 
 
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
-myhostname = {{ ansible_hostname }}.{{ domain }}
+myhostname = {{ ansible_hostname }}.{{ mail_domain }}
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 mydestination = $myhostname, {{ ansible_hostname }}, localhost

plays/roles/system_zfs/tasks/include/fstrim.yml

@@ -0,0 +1,30 @@
+# Run fstrim daily on ZFS. It's a no-op on ZFS filesystems, but it will run on zvols mounted via
+# fstab. Untrimmed zvol blocks occupy space in th ZFS pool. Therefore, this helps keep zvol space
+# requirements down if they are busy.
+- name: "fstrim : configure a daily fstrim timer"
+  ansible.builtin.copy:
+    src: "./fstrim/fstrim.timer"
+    dest: "/etc/systemd/system/fstrim.timer"
+    mode: 0644
+  register: systemd_fstrim_timer_file
+
+- name: "fstrim : systemd daemon reload"
+  ansible.builtin.systemd:
+    daemon_reload: true
+  when:
+    systemd_fstrim_timer_file.changed
+
+# Disabling is necessary to make sure systemd uses the new timer file.
+- name: "fstrim : disable fstrim.timer"
+  ansible.builtin.systemd:
+    name: "fstrim.timer"
+    enabled: false
+    state: "stopped"
+  when:
+    systemd_fstrim_timer_file.changed
+
+- name: "fstrim : enable fstrim.timer"
+  ansible.builtin.systemd:
+    name: "fstrim.timer"
+    enabled: true
+    state: "started"

plays/roles/system_zfs/tasks/main.yml

@@ -0,0 +1,3 @@
+- name: "role:system_zfs:fstrim"
+  import_tasks: "include/fstrim.yml"
+  tags: "role:system_zfs:fstrim"