Convert common parts of 00-hosts to roles
parent
1366827abb
commit
c2d98fe242
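--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,3 @@
-group_vars/asgard
-host_vars/valkyrie
-host_vars/yggdrasil
+group_vars/**
+host_vars/**
 playbooks/filesystem/tmp/valkyrie/etc/resolv.conf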
@ -1,33 +0,0 @@
|
|||||||
# Ansible variables
|
|
||||||
ansible_port:
|
|
||||||
ansible_become_password:
|
|
||||||
|
|
||||||
# SSH variables
|
|
||||||
ssh_user:
|
|
||||||
|
|
||||||
# Machine variables
|
|
||||||
domain:
|
|
||||||
|
|
||||||
# Postfix variables
|
|
||||||
postfix_smtp_server:
|
|
||||||
postfix_smtp_port:
|
|
||||||
postfix_smtp_user:
|
|
||||||
|
|
||||||
# VPN network variables
|
|
||||||
vpn_wg0_port:
|
|
||||||
vpn_wg0_netmask:
|
|
||||||
vpn_wg0_subnet:
|
|
||||||
vpn_wg0_preshared_key:
|
|
||||||
|
|
||||||
# Service variables
|
|
||||||
services: {
|
|
||||||
name: {
|
|
||||||
address: X.X.X.X,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
# Backup parameters
|
|
||||||
scw_bucket_endpoint:
|
|
||||||
scw_access_key:
|
|
||||||
scw_secret_key:
|
|
||||||
restic_password:
|
|
@ -1,35 +0,0 @@
|
|||||||
# Machine variables
|
|
||||||
subnet_address:
|
|
||||||
subnet_masklen:
|
|
||||||
subnet:
|
|
||||||
ethx:
|
|
||||||
is_zfs:
|
|
||||||
|
|
||||||
# Fail2ban variable:
|
|
||||||
fail2ban_ignoreip:
|
|
||||||
|
|
||||||
# Postfix variables
|
|
||||||
postfix_smtp_pass:
|
|
||||||
|
|
||||||
# VPN network variables
|
|
||||||
vpn_subnet_id:
|
|
||||||
vpn_remote_id:
|
|
||||||
|
|
||||||
vpn_br0_address:
|
|
||||||
vpn_br0_broadcast:
|
|
||||||
vpn_br0_netmask:
|
|
||||||
|
|
||||||
vpn_wg0_address:
|
|
||||||
vpn_wg0_remote_address:
|
|
||||||
vpn_wg0_interface_private_key:
|
|
||||||
vpn_wg0_peer_public_key:
|
|
||||||
vpn_wg0_endpoint_address:
|
|
||||||
|
|
||||||
vpn_remote_br0_subnet:
|
|
||||||
|
|
||||||
# Service variables
|
|
||||||
host_services: [
|
|
||||||
service_name_1,
|
|
||||||
service_name_2,
|
|
||||||
]
|
|
||||||
service_bridge_gateway:
|
|
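--- a/hosts
+++ b/hosts
@@ -1,6 +1,33 @@
+# --------------------------------------------------------------------------------------------------
+# Functionality.
+# --------------------------------------------------------------------------------------------------
+
+# VPN entry-points.
 [bifrost]
 heimdall
 
+# Service running hosts.
 [asgard]
 valkyrie
 yggdrasil
+
+# --------------------------------------------------------------------------------------------------
+# Network.
+# --------------------------------------------------------------------------------------------------
+
+# Hosts physically located within the home LAN.
+[home]
+heimdall
+yggdrasil
+
+# Hosts remote to the home LAN.
+[remote]
+valkyrie
+
+# --------------------------------------------------------------------------------------------------
+# Special.
+# --------------------------------------------------------------------------------------------------
+
+# Hosts running with ZFS.
+[zfs]
+yggdrasil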
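--- /dev/null
+++ b/main.yml
@@ -0,0 +1,2 @@
+---
+- ansible.builtin.import_playbook: "plays/group-all.yml"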
@ -1,22 +1,4 @@
|
|||||||
---
|
---
|
||||||
- name: Configure hosts
|
|
||||||
hosts: asgard
|
|
||||||
|
|
||||||
tasks:
|
|
||||||
- import_tasks: tasks/hosts/sshd.yml
|
|
||||||
- import_tasks: tasks/hosts/firewall.yml
|
|
||||||
- import_tasks: tasks/hosts/ntp.yml
|
|
||||||
- import_tasks: tasks/hosts/mail.yml
|
|
||||||
- import_tasks: tasks/hosts/systemd-mail.yml
|
|
||||||
- import_tasks: tasks/hosts/unattended-upgrades.yml
|
|
||||||
- import_tasks: tasks/hosts/fail2ban.yml
|
|
||||||
- import_tasks: tasks/hosts/fstrim.yml
|
|
||||||
- import_tasks: tasks/hosts/logs.yml
|
|
||||||
- import_tasks: tasks/hosts/motd.yml
|
|
||||||
- import_tasks: tasks/hosts/utils.yml
|
|
||||||
- import_tasks: tasks/hosts/user.yml
|
|
||||||
- import_tasks: tasks/hosts/root-shell.yml
|
|
||||||
|
|
||||||
- name: Configure yggdrasil extras
|
- name: Configure yggdrasil extras
|
||||||
hosts: yggdrasil
|
hosts: yggdrasil
|
||||||
|
|
||||||
|
@ -1 +0,0 @@
|
|||||||
{{ ansible_hostname }}.{{ domain }}
|
|
@ -1,3 +0,0 @@
|
|||||||
address {
|
|
||||||
email-domain {{ ansible_hostname }}.{{ domain }};
|
|
||||||
};
|
|
@ -1,2 +0,0 @@
|
|||||||
# Explicitly set the list of allowed ssh users.
|
|
||||||
AllowUsers {{ ssh_user }} pod-rproxy
|
|
@ -1,35 +0,0 @@
|
|||||||
#!/usr/sbin/nft -f
|
|
||||||
|
|
||||||
flush ruleset
|
|
||||||
|
|
||||||
table inet filter {
|
|
||||||
chain input {
|
|
||||||
type filter hook input priority 0;
|
|
||||||
|
|
||||||
# Accept any localhost traffic.
|
|
||||||
iif lo accept;
|
|
||||||
|
|
||||||
# Accept traffic originated from us.
|
|
||||||
ct state established,related accept;
|
|
||||||
|
|
||||||
# Allow ICMP packets.
|
|
||||||
# Note that for IPv6 nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert are needed to not break connectivity.
|
|
||||||
ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept;
|
|
||||||
ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept;
|
|
||||||
|
|
||||||
# Drop invalid connections.
|
|
||||||
ct state invalid drop;
|
|
||||||
|
|
||||||
# Accept HTTP, HTTPS, SSH.
|
|
||||||
tcp dport { 80, 443, {{ ansible_port }}, {{ services['git'].ssh_port }} } ct state new accept;
|
|
||||||
|
|
||||||
# Count and drop any other traffic.
|
|
||||||
counter drop;
|
|
||||||
}
|
|
||||||
chain forward {
|
|
||||||
type filter hook forward priority 0;
|
|
||||||
}
|
|
||||||
chain output {
|
|
||||||
type filter hook output priority 0;
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,37 +0,0 @@
|
|||||||
- name: Install fail2ban
|
|
||||||
apt:
|
|
||||||
name: fail2ban
|
|
||||||
|
|
||||||
- name: Configure fail2ban
|
|
||||||
template:
|
|
||||||
src: ./filesystem/common/etc/fail2ban/jail.local.j2
|
|
||||||
dest: /etc/fail2ban/jail.local
|
|
||||||
mode: 0644
|
|
||||||
register: fail2ban_conf
|
|
||||||
|
|
||||||
- name: Configure fail2ban sshd jail
|
|
||||||
template:
|
|
||||||
src: ./filesystem/common/etc/fail2ban/jail.d/sshd.local.j2
|
|
||||||
dest: /etc/fail2ban/jail.d/sshd.local
|
|
||||||
mode: 0644
|
|
||||||
register: fail2ban_sshd_jail
|
|
||||||
|
|
||||||
- name: Enable fail2ban
|
|
||||||
systemd:
|
|
||||||
name: fail2ban
|
|
||||||
enabled: yes
|
|
||||||
|
|
||||||
- name: Start fail2ban
|
|
||||||
systemd:
|
|
||||||
name: fail2ban
|
|
||||||
state: started
|
|
||||||
register: fail2ban_start
|
|
||||||
|
|
||||||
- name: Restart fail2ban
|
|
||||||
systemd:
|
|
||||||
name: fail2ban
|
|
||||||
state: restarted
|
|
||||||
when:
|
|
||||||
(fail2ban_conf is changed or
|
|
||||||
fail2ban_sshd_jail is changed) and
|
|
||||||
fail2ban_start is not changed
|
|
@ -1,45 +0,0 @@
|
|||||||
- name: Install nftables
|
|
||||||
apt:
|
|
||||||
name: nftables
|
|
||||||
|
|
||||||
- name: Configure nftables
|
|
||||||
template:
|
|
||||||
src: ./filesystem/{{ ansible_host }}/etc/nftables.conf.j2
|
|
||||||
dest: /etc/nftables.conf
|
|
||||||
mode: 0755
|
|
||||||
register: nftables_conf
|
|
||||||
|
|
||||||
- name: Enable nftables
|
|
||||||
systemd:
|
|
||||||
name: nftables
|
|
||||||
enabled: yes
|
|
||||||
|
|
||||||
- name: Start nftables
|
|
||||||
systemd:
|
|
||||||
name: nftables
|
|
||||||
state: started
|
|
||||||
register: nftables_start
|
|
||||||
|
|
||||||
- name: Restart nftables
|
|
||||||
systemd:
|
|
||||||
name: nftables
|
|
||||||
state: restarted
|
|
||||||
register: nftables_restart
|
|
||||||
when:
|
|
||||||
nftables_conf is changed and
|
|
||||||
nftables_start is not changed
|
|
||||||
|
|
||||||
- block:
|
|
||||||
- name: List all post-up nft scripts for interfaces
|
|
||||||
find:
|
|
||||||
paths: /usr/local/sbin
|
|
||||||
patterns: "post-up-*.nft"
|
|
||||||
register: nft_post_up_scripts
|
|
||||||
|
|
||||||
- name: Reload nft scripts for interfaces
|
|
||||||
command: "{{ item.path }}"
|
|
||||||
with_items:
|
|
||||||
- "{{ nft_post_up_scripts.files }}"
|
|
||||||
|
|
||||||
when:
|
|
||||||
nftables_restart is changed
|
|
@ -1,22 +0,0 @@
|
|||||||
# Run fstrim daily on ZFS. It's a no-op on ZFS filesystems, but it will run on zvols mounted via
|
|
||||||
# fstab. This helps keep zvol space requirements down.
|
|
||||||
- name: Configure daily fstrim timer
|
|
||||||
copy:
|
|
||||||
src: ./filesystem/common/etc/systemd/system/fstrim-daily.timer
|
|
||||||
dest: /etc/systemd/system/fstrim.timer
|
|
||||||
mode: 0644
|
|
||||||
register: systemd_fstrim_daily_timer_file
|
|
||||||
when:
|
|
||||||
is_zfs
|
|
||||||
|
|
||||||
- name: SystemD daemon reload
|
|
||||||
systemd:
|
|
||||||
daemon_reload: true
|
|
||||||
when:
|
|
||||||
systemd_fstrim_daily_timer_file is changed
|
|
||||||
|
|
||||||
- name: Enable fstrim
|
|
||||||
systemd:
|
|
||||||
name: fstrim.timer
|
|
||||||
enabled: yes
|
|
||||||
state: started
|
|
@ -1,18 +0,0 @@
|
|||||||
- name: Install logcheck and logrotate
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- logcheck
|
|
||||||
- logrotate
|
|
||||||
|
|
||||||
- name: Configure logcheck
|
|
||||||
copy:
|
|
||||||
src: ./filesystem/common/etc/logcheck/logcheck.conf
|
|
||||||
dest: /etc/logcheck/logcheck.conf
|
|
||||||
mode: 0640
|
|
||||||
|
|
||||||
- name: Configure logcheck ignores
|
|
||||||
template:
|
|
||||||
src: ./filesystem/common/etc/logcheck/ignore.d.server/_hostname.j2
|
|
||||||
dest: /etc/logcheck/ignore.d.server/{{ ansible_hostname }}
|
|
||||||
group: logcheck
|
|
||||||
mode: 0644
|
|
@ -1,77 +0,0 @@
|
|||||||
- name: Configure mailname
|
|
||||||
template:
|
|
||||||
src: ./filesystem/common/etc/mailname.j2
|
|
||||||
dest: /etc/mailname
|
|
||||||
mode: 0644
|
|
||||||
register: mail_mailname
|
|
||||||
|
|
||||||
- name: Configure mailutils
|
|
||||||
template:
|
|
||||||
src: ./filesystem/common/etc/mailutils.conf.j2
|
|
||||||
dest: /etc/mailutils.conf
|
|
||||||
mode: 0644
|
|
||||||
|
|
||||||
- name: Install postfix
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- postfix
|
|
||||||
- ca-certificates
|
|
||||||
- libsasl2-modules
|
|
||||||
|
|
||||||
- name: Configure aliases
|
|
||||||
template:
|
|
||||||
src: ./filesystem/common/etc/aliases.j2
|
|
||||||
dest: /etc/aliases
|
|
||||||
mode: 0644
|
|
||||||
register: mail_aliases
|
|
||||||
|
|
||||||
- name: Update aliases
|
|
||||||
command: newaliases
|
|
||||||
when: mail_aliases is changed
|
|
||||||
|
|
||||||
- name: Configure postfix
|
|
||||||
template:
|
|
||||||
src: ./filesystem/common/etc/postfix/main.cf.j2
|
|
||||||
dest: /etc/postfix/main.cf
|
|
||||||
mode: 0644
|
|
||||||
register: mail_postfix_conf
|
|
||||||
|
|
||||||
- name: Configure credentials
|
|
||||||
template:
|
|
||||||
src: ./filesystem/common/etc/postfix/sasl_passwd.j2
|
|
||||||
dest: /etc/postfix/sasl_passwd
|
|
||||||
mode: 0600
|
|
||||||
register: mail_postfix_credentials
|
|
||||||
|
|
||||||
- name: Create hash database
|
|
||||||
command: postmap /etc/postfix/sasl_passwd
|
|
||||||
when:
|
|
||||||
mail_postfix_credentials is changed
|
|
||||||
|
|
||||||
- name: Set hash database permissions
|
|
||||||
file:
|
|
||||||
path: /etc/postfix/sasl_passwd.db
|
|
||||||
mode: 0600
|
|
||||||
|
|
||||||
- name: Enable postfix
|
|
||||||
systemd:
|
|
||||||
name: postfix
|
|
||||||
enabled: yes
|
|
||||||
|
|
||||||
- name: Start postfix
|
|
||||||
systemd:
|
|
||||||
name: postfix
|
|
||||||
state: started
|
|
||||||
register:
|
|
||||||
mail_postfix_start
|
|
||||||
|
|
||||||
- name: Restart postfix
|
|
||||||
systemd:
|
|
||||||
name: postfix
|
|
||||||
state: restarted
|
|
||||||
when:
|
|
||||||
(mail_mailname is changed or
|
|
||||||
mail_aliases is changed or
|
|
||||||
mail_postfix_conf is changed or
|
|
||||||
mail_postfix_credentials is changed) and
|
|
||||||
mail_postfix_start is not changed
|
|
@ -1,5 +0,0 @@
|
|||||||
- name: Set MotD
|
|
||||||
copy:
|
|
||||||
src: ./filesystem/{{ ansible_hostname }}/etc/motd
|
|
||||||
dest: /etc/motd
|
|
||||||
mode: 0644
|
|
@ -1,9 +0,0 @@
|
|||||||
- name: Install systemd-timesyncd
|
|
||||||
apt:
|
|
||||||
name: systemd-timesyncd
|
|
||||||
|
|
||||||
- name: Enable NTP
|
|
||||||
systemd:
|
|
||||||
name: systemd-timesyncd
|
|
||||||
enabled: yes
|
|
||||||
state: started
|
|
@ -1,10 +0,0 @@
|
|||||||
- name: Disable root shell
|
|
||||||
user:
|
|
||||||
name: root
|
|
||||||
shell: /usr/sbin/nologin
|
|
||||||
|
|
||||||
- name: Disable su for non-wheel users
|
|
||||||
copy:
|
|
||||||
src: ./filesystem/common/etc/pam.d/su
|
|
||||||
dest: /etc/pam.d/su
|
|
||||||
mode: 0644
|
|
@ -1,27 +0,0 @@
|
|||||||
# SSH must be installed and enabled for ansible to even connect so we don't bother with installing
|
|
||||||
# and starting it.
|
|
||||||
|
|
||||||
- name: Configure sshd
|
|
||||||
template:
|
|
||||||
src: ./filesystem/common/etc/ssh/sshd_config.d/99-local.conf.j2
|
|
||||||
dest: /etc/ssh/sshd_config.d/99-local.conf
|
|
||||||
mode: 0600
|
|
||||||
register: sshd_conf
|
|
||||||
|
|
||||||
- name: Configure host-specific sshd
|
|
||||||
template:
|
|
||||||
src: "{{ item }}"
|
|
||||||
dest: /etc/ssh/sshd_config.d/{{ item | basename | regex_replace('\.j2','') }}
|
|
||||||
mode: 0600
|
|
||||||
with_fileglob:
|
|
||||||
- "./filesystem/{{ ansible_hostname }}/etc/ssh/sshd_config.d/*.j2"
|
|
||||||
register: sshd_special_conf
|
|
||||||
|
|
||||||
- name: Restart sshd
|
|
||||||
systemd:
|
|
||||||
name: sshd
|
|
||||||
enabled: yes
|
|
||||||
state: restarted
|
|
||||||
when:
|
|
||||||
sshd_conf is changed or
|
|
||||||
sshd_special_conf is changed
|
|
@ -1,32 +0,0 @@
|
|||||||
- name: SystemD mail root script
|
|
||||||
template:
|
|
||||||
src: ./filesystem/common/usr/local/sbin/systemd-mail-systemctl-status.j2
|
|
||||||
dest: /usr/local/sbin/systemd-mail-systemctl-status
|
|
||||||
mode: 0755
|
|
||||||
|
|
||||||
- name: SystemD mail user script
|
|
||||||
template:
|
|
||||||
src: ./filesystem/common/usr/local/bin/systemd-mail-systemctl-status.j2
|
|
||||||
dest: /usr/local/bin/systemd-mail-systemctl-status
|
|
||||||
mode: 0755
|
|
||||||
|
|
||||||
- name: SystemD mail root service
|
|
||||||
copy:
|
|
||||||
src: ./filesystem/common/etc/systemd/system/status-mail@.service
|
|
||||||
dest: /etc/systemd/system/status-mail@.service
|
|
||||||
mode: 0644
|
|
||||||
register: systemd_system_status_mail_service_file
|
|
||||||
|
|
||||||
- name: SystemD mail user service
|
|
||||||
copy:
|
|
||||||
src: ./filesystem/common/etc/systemd/user/status-mail@.service
|
|
||||||
dest: /etc/systemd/user/status-mail@.service
|
|
||||||
mode: 0644
|
|
||||||
register: systemd_user_status_mail_service_file
|
|
||||||
|
|
||||||
- name: SystemD daemon reload
|
|
||||||
systemd:
|
|
||||||
daemon_reload: true
|
|
||||||
when:
|
|
||||||
systemd_system_status_mail_service_file is changed or
|
|
||||||
systemd_user_status_mail_service_file is changed
|
|
@ -1,15 +0,0 @@
|
|||||||
- name: Install unattended-upgrades
|
|
||||||
apt:
|
|
||||||
name: unattended-upgrades
|
|
||||||
|
|
||||||
- name: Configure unattended-upgrades
|
|
||||||
copy:
|
|
||||||
src: ./filesystem/common/etc/apt/apt.conf.d/50unattended-upgrades
|
|
||||||
dest: /etc/apt/apt.conf.d/50unattended-upgrades
|
|
||||||
mode: 0644
|
|
||||||
|
|
||||||
- name: Enable unattended-upgrades
|
|
||||||
copy:
|
|
||||||
src: ./filesystem/common/etc/apt/apt.conf.d/20auto-upgrades
|
|
||||||
dest: /etc/apt/apt.conf.d/20auto-upgrades
|
|
||||||
mode: 0644
|
|
@ -1,22 +0,0 @@
|
|||||||
- name: Clone tmux dotfiles
|
|
||||||
become: no
|
|
||||||
git:
|
|
||||||
repo: https://git.wojciechkozlowski.eu/config/tmux.git
|
|
||||||
dest: .tmux
|
|
||||||
recursive: yes
|
|
||||||
|
|
||||||
- name: Configure tmux
|
|
||||||
become: no
|
|
||||||
copy:
|
|
||||||
src: ./filesystem/common/home/user/tmux.conf
|
|
||||||
dest: .tmux.conf
|
|
||||||
mode: 0644
|
|
||||||
|
|
||||||
- name: Configure bashrc
|
|
||||||
become: no
|
|
||||||
copy:
|
|
||||||
src: ./filesystem/common/home/user/bashrc
|
|
||||||
dest: .bashrc
|
|
||||||
mode: 0644
|
|
||||||
|
|
||||||
# On first tmux launch install plugins with <Ctrl + a + I>
|
|
@ -1,12 +0,0 @@
|
|||||||
- name: Install utility programs
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- acl
|
|
||||||
- git
|
|
||||||
- htop
|
|
||||||
- man
|
|
||||||
- perl
|
|
||||||
- rsync
|
|
||||||
- tmux
|
|
||||||
- tcpdump
|
|
||||||
- traceroute
|
|
10
plays/group-all.yml
Normal file
10
plays/group-all.yml
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
---
|
||||||
|
- name: "play : all"
|
||||||
|
hosts: "all"
|
||||||
|
roles:
|
||||||
|
- role: "system_mail"
|
||||||
|
tags: "role:system_mail"
|
||||||
|
- role: "system_base"
|
||||||
|
tags: "role:system_base"
|
||||||
|
vars:
|
||||||
|
motd_dir_path: "files/motd"
|
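--- /dev/null
+++ b/plays/group-asgard.yml
@@ -0,0 +1,3 @@
+---
+- name: "play-group-asgard"
+  hosts: "asgard"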
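--- /dev/null
+++ b/plays/group-bifrost.yml
@@ -0,0 +1,3 @@
+---
+- name: "play-group-bifrost"
+  hosts: "bifrost"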
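--- /dev/null
+++ b/plays/roles/system_base/defaults/main.yml
@@ -0,0 +1,6 @@
+# sshd
+additional_ssh_users: []
+
+# nftables
+additional_tcp_ports: []
+udp_ports: []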
30
plays/roles/system_base/meta/argument_specs.yml
Normal file
30
plays/roles/system_base/meta/argument_specs.yml
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
argument_specs:
|
||||||
|
main:
|
||||||
|
options:
|
||||||
|
ansible_hostname:
|
||||||
|
type: "str"
|
||||||
|
required: true
|
||||||
|
ansible_port:
|
||||||
|
type: "int"
|
||||||
|
required: true
|
||||||
|
ssh_user:
|
||||||
|
type: "str"
|
||||||
|
required: true
|
||||||
|
additional_ssh_users:
|
||||||
|
type: "list"
|
||||||
|
elements: "str"
|
||||||
|
required: true
|
||||||
|
additional_tcp_ports:
|
||||||
|
type: "list"
|
||||||
|
elements: "int"
|
||||||
|
required: true
|
||||||
|
udp_ports:
|
||||||
|
type: "list"
|
||||||
|
elements: "int"
|
||||||
|
required: true
|
||||||
|
fail2ban_ignoreip:
|
||||||
|
type: "str"
|
||||||
|
required: true
|
||||||
|
motd_dir_path:
|
||||||
|
type: "str"
|
||||||
|
required: false
|
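Review bot: `additional_ssh_users`, `additional_tcp_ports` and `udp_ports` are declared `required: true` here while `defaults/main.yml` in the same commit gives each of them a `[]` default, so the requirement can never fail and the spec misdescribes the role's contract. Either drop the defaults so a caller has to state the lists explicitly, or mark them `required: false` and add `default: []` to each option so validation and `ansible-doc` agree with what the role actually does. `ansible_hostname` is a gathered fact rather than something a play passes in; a one-line `description:` on that option saying it is satisfied by fact gathering would spare the next reader a search.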
37
plays/roles/system_base/tasks/include/fail2ban.yml
Normal file
37
plays/roles/system_base/tasks/include/fail2ban.yml
Normal file
@ -0,0 +1,37 @@
|
|||||||
|
- name: "fail2ban : install fail2ban"
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name: "fail2ban"
|
||||||
|
|
||||||
|
- name: "fail2ban : configure fail2ban"
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "./fail2ban/jail.local.j2"
|
||||||
|
dest: "/etc/fail2ban/jail.local"
|
||||||
|
mode: 0644
|
||||||
|
register: fail2ban_conf
|
||||||
|
|
||||||
|
- name: "fail2ban : configure fail2ban sshd jail"
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "./fail2ban/jail.d/sshd.local.j2"
|
||||||
|
dest: "/etc/fail2ban/jail.d/sshd.local"
|
||||||
|
mode: 0644
|
||||||
|
register: fail2ban_sshd_jail
|
||||||
|
|
||||||
|
- name: "fail2ban : enable fail2ban"
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
name: "fail2ban"
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
- name: "fail2ban : start fail2ban"
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
name: "fail2ban"
|
||||||
|
state: "started"
|
||||||
|
register: fail2ban_start
|
||||||
|
|
||||||
|
- name: "fail2ban : restart fail2ban"
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
name: "fail2ban"
|
||||||
|
state: "restarted"
|
||||||
|
when:
|
||||||
|
(fail2ban_conf.changed or
|
||||||
|
fail2ban_sshd_jail.changed) and
|
||||||
|
not fail2ban_start.changed
|
5
plays/roles/system_base/tasks/include/fstrim.yml
Normal file
5
plays/roles/system_base/tasks/include/fstrim.yml
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
- name: "fstrim : enable fstrim.timer"
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
name: "fstrim.timer"
|
||||||
|
enabled: true
|
||||||
|
state: "started"
|
18
plays/roles/system_base/tasks/include/logs.yml
Normal file
18
plays/roles/system_base/tasks/include/logs.yml
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
- name: "logs : install logcheck and logrotate"
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name:
|
||||||
|
- "logcheck"
|
||||||
|
- "logrotate"
|
||||||
|
|
||||||
|
- name: "logs : configure logcheck"
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: "./logcheck/logcheck.conf"
|
||||||
|
dest: "/etc/logcheck/logcheck.conf"
|
||||||
|
mode: 0640
|
||||||
|
|
||||||
|
- name: "logs : configure logcheck ignores"
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: "./logcheck/ignore"
|
||||||
|
dest: "/etc/logcheck/ignore.d.server/{{ ansible_hostname }}"
|
||||||
|
group: "logcheck"
|
||||||
|
mode: 0644
|
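Review bot: The `logs : configure logcheck` copy sets `mode: 0640` on `/etc/logcheck/logcheck.conf` without naming an owner or group, while the next task explicitly sets `group: "logcheck"` on the ignore file. With a 0640 mode the group decides who besides root can read the file, so if this configuration is meant to be readable by the logcheck service account the first task should carry the same `group: "logcheck"`; if root-only access is intended, a short comment saying so would stop the two tasks looking inconsistent. I cannot tell from the hunk which of the two the author relies on.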
13
plays/roles/system_base/tasks/include/motd.yml
Normal file
13
plays/roles/system_base/tasks/include/motd.yml
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
- name: "motd : set motd"
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: "{{ _system_base_motd_file }}"
|
||||||
|
dest: "/etc/motd"
|
||||||
|
mode: 0644
|
||||||
|
when:
|
||||||
|
motd_dir_path is defined and
|
||||||
|
_system_base_motd_file != ""
|
||||||
|
vars:
|
||||||
|
_file_path:
|
||||||
|
- ../../../{{ motd_dir_path }}/{{ ansible_hostname }}
|
||||||
|
_system_base_motd_file: >-
|
||||||
|
{{ lookup('ansible.builtin.first_found', _file_path, errors='ignore') }}
|
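Review bot: The `first_found` path in `_file_path` is built from `ansible_hostname`, a fact reported by the managed host, so the host decides which file under `{{ motd_dir_path }}` on the controller is read; with `../../../` already part of the path, a misconfigured or untrustworthy host reporting an unexpected hostname could steer the lookup somewhere else. `inventory_hostname` is assigned by the controller and is the safer key for controller-side file selection: `- ../../../{{ motd_dir_path }}/{{ inventory_hostname }}`. That assumes the files under `files/motd` are named after inventory names, which the hunk does not show; the remote-side `dest` is unaffected either way.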
28
plays/roles/system_base/tasks/include/nftables.yml
Normal file
28
plays/roles/system_base/tasks/include/nftables.yml
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
- name: "nftables : install nftables"
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name: "nftables"
|
||||||
|
|
||||||
|
- name: "nftables : configure nftables"
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "./nftables/nftables.conf.j2"
|
||||||
|
dest: "/etc/nftables.conf"
|
||||||
|
mode: 0755
|
||||||
|
register: nftables_conf
|
||||||
|
|
||||||
|
- name: "nfntables : enable nftables"
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
name: "nftables"
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
- name: "nftables : start nftables"
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
name: "nftables"
|
||||||
|
state: "started"
|
||||||
|
register: nftables_start
|
||||||
|
|
||||||
|
- name: "nftables : reload nftables configuration"
|
||||||
|
ansible.builtin.command:
|
||||||
|
cmd: "nft -f /etc/nftables.conf"
|
||||||
|
when:
|
||||||
|
nftables_conf.changed and
|
||||||
|
not nftables_start.changed
|
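Review bot: The templated `/etc/nftables.conf` is installed and then loaded with `nft -f` without any syntax check, so a rendering mistake (for instance a bad entry in `additional_tcp_ports`) is only discovered when the live ruleset fails to load, leaving the host on the previous ruleset now and, after a reboot, with no filter at all. `ansible.builtin.template` can check the rendered file before it is put in place: add `validate: "nft -c -f %s"` to the `nftables : configure nftables` task; the `table inet filter` / `delete table inet filter` prologue in the template should parse in check mode, but confirm on one host first. The enable step is named `"nfntables : enable nftables"`, a typo for `nftables`.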
13
plays/roles/system_base/tasks/include/ntp.yml
Normal file
13
plays/roles/system_base/tasks/include/ntp.yml
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
- name: "ntp : install systemd-timesyncd"
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name: "systemd-timesyncd"
|
||||||
|
|
||||||
|
- name: "ntp : enable systemd-timesyncd"
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
name: "systemd-timesyncd"
|
||||||
|
enabled: true
|
||||||
|
state: started
|
||||||
|
|
||||||
|
- name: "ntp : set timezone"
|
||||||
|
community.general.timezone:
|
||||||
|
name: "Europe/Amsterdam"
|
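Review bot: `community.general.timezone` hardcodes `Europe/Amsterdam` inside a role that is otherwise parameterised per host; a role variable with this value as its default (declared in `defaults/main.yml` and `argument_specs.yml`) keeps the behaviour while letting a host override it. Also `state: started` on the systemd task is unquoted while every other scalar in these task files, including `state: "started"` elsewhere in this commit, is quoted; quote it for consistency.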
10
plays/roles/system_base/tasks/include/root.yml
Normal file
10
plays/roles/system_base/tasks/include/root.yml
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
- name: "root : disable root shell"
|
||||||
|
ansible.builtin.user:
|
||||||
|
name: "root"
|
||||||
|
shell: "/usr/sbin/nologin"
|
||||||
|
|
||||||
|
- name: "root : disable su for non-wheel users"
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: "./root/su"
|
||||||
|
dest: "/etc/pam.d/su"
|
||||||
|
mode: 0644
|
27
plays/roles/system_base/tasks/include/sshd.yml
Normal file
27
plays/roles/system_base/tasks/include/sshd.yml
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
# SSH must be installed so we don't bother with installing it.
|
||||||
|
|
||||||
|
- name: "sshd : configure sshd"
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "./sshd/99-local.conf.j2"
|
||||||
|
dest: "/etc/ssh/sshd_config.d/99-local.conf"
|
||||||
|
mode: 0600
|
||||||
|
register: sshd_conf
|
||||||
|
|
||||||
|
- name: "sshd : enable sshd"
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
name: "sshd"
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
- name: "sshd : start sshd"
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
name: "sshd"
|
||||||
|
state: "started"
|
||||||
|
register: sshd_start
|
||||||
|
|
||||||
|
- name: "sshd : restart sshd"
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
name: "sshd"
|
||||||
|
state: "restarted"
|
||||||
|
when:
|
||||||
|
sshd_conf.changed and
|
||||||
|
not sshd_start.changed
|
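Review bot: `sshd : restart sshd` restarts the daemon whenever the templated `99-local.conf` changes, but nothing checks the rendered fragment first; with `AllowUsers` now assembled from `additional_ssh_users`, a malformed entry would make sshd refuse to start and cut off the very connection Ansible uses. Add a validation step on the template task, `validate: "/usr/sbin/sshd -t -f %s"`, so a fragment that sshd rejects is never installed; confirm the binary path and that a drop-in fragment validates standalone on one target before relying on it. `state: "reloaded"` instead of `"restarted"` would also keep existing sessions alive while the new config is picked up.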
32
plays/roles/system_base/tasks/include/systemd-mail.yml
Normal file
32
plays/roles/system_base/tasks/include/systemd-mail.yml
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
- name: "systemd-mail : systemd mail root script"
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "./systemd-mail/system/systemd-mail-systemctl-status.j2"
|
||||||
|
dest: "/usr/local/sbin/systemd-mail-systemctl-status"
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- name: "systemd-mail : systemd mail user script"
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "./systemd-mail/user/systemd-mail-systemctl-status.j2"
|
||||||
|
dest: "/usr/local/bin/systemd-mail-systemctl-status"
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- name: "systemd-mail : systemd mail root service"
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: "./systemd-mail/system/status-mail@.service"
|
||||||
|
dest: "/etc/systemd/system/status-mail@.service"
|
||||||
|
mode: 0644
|
||||||
|
register: systemd_system_status_mail_service_file
|
||||||
|
|
||||||
|
- name: "systemd-mail : systemd mail user service"
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: "./systemd-mail/user/status-mail@.service"
|
||||||
|
dest: "/etc/systemd/user/status-mail@.service"
|
||||||
|
mode: 0644
|
||||||
|
register: systemd_user_status_mail_service_file
|
||||||
|
|
||||||
|
- name: "systemd-mail : systemd daemon reload"
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
daemon_reload: true
|
||||||
|
when:
|
||||||
|
systemd_system_status_mail_service_file.changed or
|
||||||
|
systemd_user_status_mail_service_file.changed
|
@ -0,0 +1,15 @@
|
|||||||
|
- name: "unattended-upgrades : install unattended-upgrades"
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name: "unattended-upgrades"
|
||||||
|
|
||||||
|
- name: "unattended-upgrades : configure unattended-upgrades"
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: "./unattended-upgrades/50unattended-upgrades"
|
||||||
|
dest: "/etc/apt/apt.conf.d/50unattended-upgrades"
|
||||||
|
mode: 0644
|
||||||
|
|
||||||
|
- name: "unattended-upgrades : enable unattended-upgrades"
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: "./unattended-upgrades/20auto-upgrades"
|
||||||
|
dest: "/etc/apt/apt.conf.d/20auto-upgrades"
|
||||||
|
mode: 0644
|
22
plays/roles/system_base/tasks/include/user.yml
Normal file
22
plays/roles/system_base/tasks/include/user.yml
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
- block:
|
||||||
|
|
||||||
|
- name: "user : clone tmux dotfiles"
|
||||||
|
ansible.builtin.git:
|
||||||
|
repo: "https://git.wojciechkozlowski.eu/config/tmux.git"
|
||||||
|
dest: ".tmux"
|
||||||
|
recursive: true
|
||||||
|
|
||||||
|
# On first tmux launch install plugins with <Ctrl + a + I>
|
||||||
|
- name: "user : configure tmux"
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: "./user/tmux.conf"
|
||||||
|
dest: ".tmux.conf"
|
||||||
|
mode: 0644
|
||||||
|
|
||||||
|
- name: "user : configure bashrc"
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: "./user/bashrc"
|
||||||
|
dest: ".bashrc"
|
||||||
|
mode: 0644
|
||||||
|
|
||||||
|
become: false
|
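Review bot: `user : clone tmux dotfiles` clones `https://git.wojciechkozlowski.eu/config/tmux.git` with `recursive: true` and no `version:`, so every run checks out whatever the remote default branch and its submodules currently point at into the user's home, and whatever that content is gets executed on the next tmux launch. Pinning `version: "<tag-or-commit placeholder>"` on the git task makes the checkout reproducible and keeps an unexpected upstream change from landing silently. `dest: ".tmux"` and `dest: ".tmux.conf"` are relative and rely on the remote working directory being the login user's home; a one-line comment on the block would make that dependency explicit.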
12
plays/roles/system_base/tasks/include/utils.yml
Normal file
12
plays/roles/system_base/tasks/include/utils.yml
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
- name: "utils : install utility programs"
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name:
|
||||||
|
- "acl"
|
||||||
|
- "git"
|
||||||
|
- "htop"
|
||||||
|
- "man"
|
||||||
|
- "perl"
|
||||||
|
- "rsync"
|
||||||
|
- "tmux"
|
||||||
|
- "tcpdump"
|
||||||
|
- "traceroute"
|
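--- /dev/null
+++ b/plays/roles/system_base/tasks/main.yml
@@ -0,0 +1,47 @@
+- name: "role:system_base:sshd"
+  import_tasks: "include/sshd.yml"
+  tags: "role:system_base:sshd"
+
+- name: "role:system_base:nftables"
+  import_tasks: "include/nftables.yml"
+  tags: "role:system_base:nftables"
+
+- name: "role:system_base:ntp"
+  import_tasks: "include/ntp.yml"
+  tags: "role:system_base:ntp"
+
+- name: "role:system_base:fail2ban"
+  import_tasks: "include/fail2ban.yml"
+  tags: "role:system_base:fail2ban"
+
+- name: "role:system_base:fstrim"
+  import_tasks: "include/fstrim.yml"
+  tags: "role:system_base:fstrim"
+
+- name: "role:system_base:unattended-upgrades"
+  import_tasks: "include/unattended-upgrades.yml"
+  tags: "role:system_base:unattended-upgrades"
+
+- name: "role:system_base:logs"
+  import_tasks: "include/logs.yml"
+  tags: "role:system_base:logs"
+
+- name: "role:system_base:systemd-mail"
+  import_tasks: "include/systemd-mail.yml"
+  tags: "role:system_base:systemd-mail"
+
+- name: "role:system_base:utils"
+  import_tasks: "include/utils.yml"
+  tags: "role:system_base:utils"
+
+- name: "role:system_base:motd"
+  import_tasks: "include/motd.yml"
+  tags: "role:system_base:motd"
+
+- name: "role:system_base:root"
+  import_tasks: "include/root.yml"
+  tags: "role:system_base:root"
+
+- name: "role:system_base:user"
+  import_tasks: "include/user.yml"
+  tags: "role:system_base:user"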
@ -1,6 +1,7 @@
|
|||||||
#!/usr/sbin/nft -f
|
#!/usr/sbin/nft -f
|
||||||
|
|
||||||
flush ruleset
|
table inet filter
|
||||||
|
delete table inet filter
|
||||||
|
|
||||||
table inet filter {
|
table inet filter {
|
||||||
chain input {
|
chain input {
|
||||||
@ -20,12 +21,14 @@ table inet filter {
|
|||||||
# Drop invalid connections.
|
# Drop invalid connections.
|
||||||
ct state invalid drop;
|
ct state invalid drop;
|
||||||
|
|
||||||
# Accept HTTP, HTTPS, SSH.
|
# TCP ports.
|
||||||
tcp dport { 80, 443, {{ ansible_port }} } ct state new accept;
|
tcp dport { {{ [ansible_port] | union(additional_tcp_ports) | join(", ") }} } ct state new accept;
|
||||||
|
|
||||||
# Accept WireGuard.
|
{% if udp_ports %}
|
||||||
iif {{ ethx }} udp dport {{ vpn_wg0_port }} accept;
|
# UDP ports.
|
||||||
|
udp dport { {{ udp_ports | join(", ") }} } accept;
|
||||||
|
|
||||||
|
{% endif %}
|
||||||
# Count and drop any other traffic.
|
# Count and drop any other traffic.
|
||||||
counter drop;
|
counter drop;
|
||||||
}
|
}
|
@ -7,7 +7,7 @@ Port {{ ansible_port }}
|
|||||||
PermitRootLogin no
|
PermitRootLogin no
|
||||||
|
|
||||||
# Explicitly set the list of allowed ssh users.
|
# Explicitly set the list of allowed ssh users.
|
||||||
AllowUsers {{ ssh_user }}
|
AllowUsers {{ [ssh_user] | union(additional_ssh_users) | join(" ") }}
|
||||||
|
|
||||||
# SSH enabled only via ssh-key.
|
# SSH enabled only via ssh-key.
|
||||||
PasswordAuthentication no
|
PasswordAuthentication no
|
21
plays/roles/system_mail/meta/argument_specs.yml
Normal file
21
plays/roles/system_mail/meta/argument_specs.yml
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
argument_specs:
|
||||||
|
main:
|
||||||
|
options:
|
||||||
|
ansible_hostname:
|
||||||
|
type: "str"
|
||||||
|
required: true
|
||||||
|
mail_domain:
|
||||||
|
type: "str"
|
||||||
|
required: true
|
||||||
|
postfix_smtp_server:
|
||||||
|
type: "str"
|
||||||
|
required: true
|
||||||
|
postfix_smtp_port:
|
||||||
|
type: "int"
|
||||||
|
required: true
|
||||||
|
postfix_smtp_user:
|
||||||
|
type: "str"
|
||||||
|
required: true
|
||||||
|
postfix_smtp_pass:
|
||||||
|
type: "str"
|
||||||
|
required: true
|
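Review bot: `postfix_smtp_pass` is declared as a plain `str` without `no_log: true`, so a failed argument validation or a verbose run can echo the SMTP password into the play output next to the other options; adding `no_log: true` to that entry keeps it masked (Ansible's argument-spec validator understands `no_log` for module specs — confirm the role validator honours it on the ansible-core in use). Short `description:` lines per option would also make the spec self-documenting, e.g. `description: "SMTP relay password for postfix_smtp_user; supply from a vault, never plain group_vars."`. `ansible_hostname` being `required: true` effectively makes fact gathering a hard prerequisite of the role, which is worth stating in the role README if there is one.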
80
plays/roles/system_mail/tasks/main.yml
Normal file
80
plays/roles/system_mail/tasks/main.yml
Normal file
@ -0,0 +1,80 @@
|
|||||||
|
- name: "configure mailname"
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "./mailname.j2"
|
||||||
|
dest: "/etc/mailname"
|
||||||
|
mode: 0644
|
||||||
|
register: mail_mailname
|
||||||
|
|
||||||
|
- name: "configure mailutils"
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "./mailutils.conf.j2"
|
||||||
|
dest: "/etc/mailutils.conf"
|
||||||
|
mode: 0644
|
||||||
|
|
||||||
|
- name: "install postfix"
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name:
|
||||||
|
- "postfix"
|
||||||
|
- "ca-certificates"
|
||||||
|
- "libsasl2-modules"
|
||||||
|
|
||||||
|
- name: "configure aliases"
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "./aliases.j2"
|
||||||
|
dest: "/etc/aliases"
|
||||||
|
mode: 0644
|
||||||
|
register: mail_aliases
|
||||||
|
|
||||||
|
- name: "update aliases"
|
||||||
|
ansible.builtin.command:
|
||||||
|
cmd: "newaliases"
|
||||||
|
when:
|
||||||
|
mail_aliases.changed
|
||||||
|
|
||||||
|
- name: "configure postfix"
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "./postfix/main.cf.j2"
|
||||||
|
dest: "/etc/postfix/main.cf"
|
||||||
|
mode: 0644
|
||||||
|
register: mail_postfix_conf
|
||||||
|
|
||||||
|
- name: "configure credentials"
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "./postfix/sasl_passwd.j2"
|
||||||
|
dest: "/etc/postfix/sasl_passwd"
|
||||||
|
mode: 0600
|
||||||
|
register: mail_postfix_credentials
|
||||||
|
|
||||||
|
- name: "create hash database"
|
||||||
|
ansible.builtin.command:
|
||||||
|
cmd: "postmap /etc/postfix/sasl_passwd"
|
||||||
|
when:
|
||||||
|
mail_postfix_credentials.changed
|
||||||
|
|
||||||
|
- name: "set hash database permissions"
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "/etc/postfix/sasl_passwd.db"
|
||||||
|
mode: 0600
|
||||||
|
|
||||||
|
- name: "enable postfix"
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
name: "postfix"
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
- name: "start postfix"
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
name: "postfix"
|
||||||
|
state: "started"
|
||||||
|
register:
|
||||||
|
mail_postfix_start
|
||||||
|
|
||||||
|
- name: "restart postfix"
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
name: "postfix"
|
||||||
|
state: "restarted"
|
||||||
|
when:
|
||||||
|
(mail_mailname.changed or
|
||||||
|
mail_aliases.changed or
|
||||||
|
mail_postfix_conf.changed or
|
||||||
|
mail_postfix_credentials.changed) and
|
||||||
|
not mail_postfix_start.changed
|
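Review bot: In `create hash database`, `postmap /etc/postfix/sasl_passwd` writes `sasl_passwd.db` before the separate `set hash database permissions` task tightens it to 0600, so if postmap on the target creates the file under the process umask rather than copying the source file's mode, the relay password is world-readable between those two tasks; running it as `ansible.builtin.shell: cmd: "umask 077 && postmap /etc/postfix/sasl_passwd"` closes that window and the follow-up `file` task can stay as a safety net. The `file` task also assumes a `hash:` map, so on a Postfix with `default_database_type = lmdb` the output is `sasl_passwd.lmdb` and the task fails on a missing `.db` — only a concern if the role ever leaves Debian-family hosts, where `hash:` is the default. The `configure credentials` and `configure postfix` templates set a mode but no `owner`/`group`; adding `owner: root` and `group: root` makes the intent explicit if the play is ever run with a different become user.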
@ -11,4 +11,4 @@ ftp: root
|
|||||||
abuse: root
|
abuse: root
|
||||||
noc: root
|
noc: root
|
||||||
security: root
|
security: root
|
||||||
root: root@{{ domain }}
|
root: root@{{ mail_domain }}
|
1
plays/roles/system_mail/templates/mailname.j2
Normal file
1
plays/roles/system_mail/templates/mailname.j2
Normal file
@ -0,0 +1 @@
|
|||||||
|
{{ ansible_hostname }}.{{ mail_domain }}
|
3
plays/roles/system_mail/templates/mailutils.conf.j2
Normal file
3
plays/roles/system_mail/templates/mailutils.conf.j2
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
address {
|
||||||
|
email-domain {{ ansible_hostname }}.{{ mail_domain }};
|
||||||
|
};
|
@ -35,7 +35,7 @@ smtp_tls_wrappermode = yes
|
|||||||
|
|
||||||
|
|
||||||
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
|
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
|
||||||
myhostname = {{ ansible_hostname }}.{{ domain }}
|
myhostname = {{ ansible_hostname }}.{{ mail_domain }}
|
||||||
alias_maps = hash:/etc/aliases
|
alias_maps = hash:/etc/aliases
|
||||||
alias_database = hash:/etc/aliases
|
alias_database = hash:/etc/aliases
|
||||||
mydestination = $myhostname, {{ ansible_hostname }}, localhost
|
mydestination = $myhostname, {{ ansible_hostname }}, localhost
|
30
plays/roles/system_zfs/tasks/include/fstrim.yml
Normal file
30
plays/roles/system_zfs/tasks/include/fstrim.yml
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
# Run fstrim daily on ZFS. It's a no-op on ZFS filesystems, but it will run on zvols mounted via
|
||||||
|
# fstab. Untrimmed zvol blocks occupy space in th ZFS pool. Therefore, this helps keep zvol space
|
||||||
|
# requirements down if they are busy.
|
||||||
|
- name: "fstrim : configure a daily fstrim timer"
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: "./fstrim/fstrim.timer"
|
||||||
|
dest: "/etc/systemd/system/fstrim.timer"
|
||||||
|
mode: 0644
|
||||||
|
register: systemd_fstrim_timer_file
|
||||||
|
|
||||||
|
- name: "fstrim : systemd daemon reload"
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
daemon_reload: true
|
||||||
|
when:
|
||||||
|
systemd_fstrim_timer_file.changed
|
||||||
|
|
||||||
|
# Disabling is necessary to make sure systemd uses the new timer file.
|
||||||
|
- name: "fstrim : disable fstrim.timer"
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
name: "fstrim.timer"
|
||||||
|
enabled: false
|
||||||
|
state: "stopped"
|
||||||
|
when:
|
||||||
|
systemd_fstrim_timer_file.changed
|
||||||
|
|
||||||
|
- name: "fstrim : enable fstrim.timer"
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
name: "fstrim.timer"
|
||||||
|
enabled: true
|
||||||
|
state: "started"
|
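Review bot: The disable/enable pair at the end reads as doing a restart rather than a re-link: after `daemon_reload: true` systemd already resolves `fstrim.timer` to the copy in `/etc/systemd/system`, but a timer that is already active keeps its previous schedule until it is restarted. If that is the actual need, a task with `name: "fstrim.timer"`, `enabled: true`, `state: "restarted"` conditioned on `systemd_fstrim_timer_file.changed` says so directly and avoids a moment where the timer is disabled; if a stale `timers.target.wants` symlink to the vendor unit was observed instead, the comment should say that rather than "Disabling is necessary to make sure systemd uses the new timer file". Minor: the header comment has a typo, `th ZFS pool` → `the ZFS pool`.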
3
plays/roles/system_zfs/tasks/main.yml
Normal file
3
plays/roles/system_zfs/tasks/main.yml
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
- name: "role:system_zfs:fstrim"
|
||||||
|
import_tasks: "include/fstrim.yml"
|
||||||
|
tags: "role:system_zfs:fstrim"
|