Convert common parts of 00-hosts to roles
This commit is contained in:
parent
1366827abb
commit
c2d98fe242
5
.gitignore
vendored
5
.gitignore
vendored
@ -1,4 +1,3 @@
|
||||
group_vars/asgard
|
||||
host_vars/valkyrie
|
||||
host_vars/yggdrasil
|
||||
group_vars/**
|
||||
host_vars/**
|
||||
playbooks/filesystem/tmp/valkyrie/etc/resolv.conf
|
||||
|
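Review bot: The new `group_vars/**` and `host_vars/**` patterns make the ignore file the only control keeping secrets out of the repository, and the deleted variable templates below show what lives there (`ansible_become_password`, `postfix_smtp_pass`, `scw_secret_key`, `restic_password`, the WireGuard private and preshared keys). A `.gitignore` entry is a backstop, not a control: `git add -f`, a later `!` negation, or a copy of a vars file outside those directories puts the plaintext into history. I would rather keep the sensitive values in `ansible-vault`-encrypted files that are committed (so the inventory is reviewable and reproducible) and add a secret scanner such as `gitleaks` as a pre-commit hook, keeping the ignore patterns only for local scratch files. The `**` globs also drop the previously committed variable templates, so the argument_specs added elsewhere in this commit are now the only documentation of which variables a host must define — worth mentioning in the README if there is one.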
@ -1,33 +0,0 @@
|
||||
# Ansible variables
|
||||
ansible_port:
|
||||
ansible_become_password:
|
||||
|
||||
# SSH variables
|
||||
ssh_user:
|
||||
|
||||
# Machine variables
|
||||
domain:
|
||||
|
||||
# Postfix variables
|
||||
postfix_smtp_server:
|
||||
postfix_smtp_port:
|
||||
postfix_smtp_user:
|
||||
|
||||
# VPN network variables
|
||||
vpn_wg0_port:
|
||||
vpn_wg0_netmask:
|
||||
vpn_wg0_subnet:
|
||||
vpn_wg0_preshared_key:
|
||||
|
||||
# Service variables
|
||||
services: {
|
||||
name: {
|
||||
address: X.X.X.X,
|
||||
},
|
||||
}
|
||||
|
||||
# Backup parameters
|
||||
scw_bucket_endpoint:
|
||||
scw_access_key:
|
||||
scw_secret_key:
|
||||
restic_password:
|
@ -1,35 +0,0 @@
|
||||
# Machine variables
|
||||
subnet_address:
|
||||
subnet_masklen:
|
||||
subnet:
|
||||
ethx:
|
||||
is_zfs:
|
||||
|
||||
# Fail2ban variable:
|
||||
fail2ban_ignoreip:
|
||||
|
||||
# Postfix variables
|
||||
postfix_smtp_pass:
|
||||
|
||||
# VPN network variables
|
||||
vpn_subnet_id:
|
||||
vpn_remote_id:
|
||||
|
||||
vpn_br0_address:
|
||||
vpn_br0_broadcast:
|
||||
vpn_br0_netmask:
|
||||
|
||||
vpn_wg0_address:
|
||||
vpn_wg0_remote_address:
|
||||
vpn_wg0_interface_private_key:
|
||||
vpn_wg0_peer_public_key:
|
||||
vpn_wg0_endpoint_address:
|
||||
|
||||
vpn_remote_br0_subnet:
|
||||
|
||||
# Service variables
|
||||
host_services: [
|
||||
service_name_1,
|
||||
service_name_2,
|
||||
]
|
||||
service_bridge_gateway:
|
27
hosts
27
hosts
@ -1,6 +1,33 @@
|
||||
# --------------------------------------------------------------------------------------------------
|
||||
# Functionality.
|
||||
# --------------------------------------------------------------------------------------------------
|
||||
|
||||
# VPN entry-points.
|
||||
[bifrost]
|
||||
heimdall
|
||||
|
||||
# Service running hosts.
|
||||
[asgard]
|
||||
valkyrie
|
||||
yggdrasil
|
||||
|
||||
# --------------------------------------------------------------------------------------------------
|
||||
# Network.
|
||||
# --------------------------------------------------------------------------------------------------
|
||||
|
||||
# Hosts physically located within the home LAN.
|
||||
[home]
|
||||
heimdall
|
||||
yggdrasil
|
||||
|
||||
# Hosts remote to the home LAN.
|
||||
[remote]
|
||||
valkyrie
|
||||
|
||||
# --------------------------------------------------------------------------------------------------
|
||||
# Special.
|
||||
# --------------------------------------------------------------------------------------------------
|
||||
|
||||
# Hosts running with ZFS.
|
||||
[zfs]
|
||||
yggdrasil
|
||||
|
2
main.yml
Normal file
2
main.yml
Normal file
@ -0,0 +1,2 @@
|
||||
---
|
||||
- ansible.builtin.import_playbook: "plays/group-all.yml"
|
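Review bot: Only `plays/group-all.yml` is imported here, while `plays/group-asgard.yml`, `plays/group-bifrost.yml` and the new `system_zfs` role added by this commit are not reachable from any play; the two group plays also declare `hosts:` but no roles or tasks. As a result the `system_zfs` fstrim timer override never lands on `yggdrasil` (inventory group `[zfs]`), while `system_base` unconditionally enables the stock `fstrim.timer` on every host, which is a behaviour change from the old `is_zfs`-gated task. If this is intentional work in progress, a one-line comment saying so would help; otherwise add `- ansible.builtin.import_playbook: "plays/group-asgard.yml"` and `- ansible.builtin.import_playbook: "plays/group-bifrost.yml"` and a `hosts: "zfs"` play that applies `system_zfs`.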
@ -1,22 +1,4 @@
|
||||
---
|
||||
- name: Configure hosts
|
||||
hosts: asgard
|
||||
|
||||
tasks:
|
||||
- import_tasks: tasks/hosts/sshd.yml
|
||||
- import_tasks: tasks/hosts/firewall.yml
|
||||
- import_tasks: tasks/hosts/ntp.yml
|
||||
- import_tasks: tasks/hosts/mail.yml
|
||||
- import_tasks: tasks/hosts/systemd-mail.yml
|
||||
- import_tasks: tasks/hosts/unattended-upgrades.yml
|
||||
- import_tasks: tasks/hosts/fail2ban.yml
|
||||
- import_tasks: tasks/hosts/fstrim.yml
|
||||
- import_tasks: tasks/hosts/logs.yml
|
||||
- import_tasks: tasks/hosts/motd.yml
|
||||
- import_tasks: tasks/hosts/utils.yml
|
||||
- import_tasks: tasks/hosts/user.yml
|
||||
- import_tasks: tasks/hosts/root-shell.yml
|
||||
|
||||
- name: Configure yggdrasil extras
|
||||
hosts: yggdrasil
|
||||
|
||||
|
@ -1 +0,0 @@
|
||||
{{ ansible_hostname }}.{{ domain }}
|
@ -1,3 +0,0 @@
|
||||
address {
|
||||
email-domain {{ ansible_hostname }}.{{ domain }};
|
||||
};
|
@ -1,2 +0,0 @@
|
||||
# Explicitly set the list of allowed ssh users.
|
||||
AllowUsers {{ ssh_user }} pod-rproxy
|
@ -1,35 +0,0 @@
|
||||
#!/usr/sbin/nft -f
|
||||
|
||||
flush ruleset
|
||||
|
||||
table inet filter {
|
||||
chain input {
|
||||
type filter hook input priority 0;
|
||||
|
||||
# Accept any localhost traffic.
|
||||
iif lo accept;
|
||||
|
||||
# Accept traffic originated from us.
|
||||
ct state established,related accept;
|
||||
|
||||
# Allow ICMP packets.
|
||||
# Note that for IPv6 nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert are needed to not break connectivity.
|
||||
ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept;
|
||||
ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept;
|
||||
|
||||
# Drop invalid connections.
|
||||
ct state invalid drop;
|
||||
|
||||
# Accept HTTP, HTTPS, SSH.
|
||||
tcp dport { 80, 443, {{ ansible_port }}, {{ services['git'].ssh_port }} } ct state new accept;
|
||||
|
||||
# Count and drop any other traffic.
|
||||
counter drop;
|
||||
}
|
||||
chain forward {
|
||||
type filter hook forward priority 0;
|
||||
}
|
||||
chain output {
|
||||
type filter hook output priority 0;
|
||||
}
|
||||
}
|
@ -1,37 +0,0 @@
|
||||
- name: Install fail2ban
|
||||
apt:
|
||||
name: fail2ban
|
||||
|
||||
- name: Configure fail2ban
|
||||
template:
|
||||
src: ./filesystem/common/etc/fail2ban/jail.local.j2
|
||||
dest: /etc/fail2ban/jail.local
|
||||
mode: 0644
|
||||
register: fail2ban_conf
|
||||
|
||||
- name: Configure fail2ban sshd jail
|
||||
template:
|
||||
src: ./filesystem/common/etc/fail2ban/jail.d/sshd.local.j2
|
||||
dest: /etc/fail2ban/jail.d/sshd.local
|
||||
mode: 0644
|
||||
register: fail2ban_sshd_jail
|
||||
|
||||
- name: Enable fail2ban
|
||||
systemd:
|
||||
name: fail2ban
|
||||
enabled: yes
|
||||
|
||||
- name: Start fail2ban
|
||||
systemd:
|
||||
name: fail2ban
|
||||
state: started
|
||||
register: fail2ban_start
|
||||
|
||||
- name: Restart fail2ban
|
||||
systemd:
|
||||
name: fail2ban
|
||||
state: restarted
|
||||
when:
|
||||
(fail2ban_conf is changed or
|
||||
fail2ban_sshd_jail is changed) and
|
||||
fail2ban_start is not changed
|
@ -1,45 +0,0 @@
|
||||
- name: Install nftables
|
||||
apt:
|
||||
name: nftables
|
||||
|
||||
- name: Configure nftables
|
||||
template:
|
||||
src: ./filesystem/{{ ansible_host }}/etc/nftables.conf.j2
|
||||
dest: /etc/nftables.conf
|
||||
mode: 0755
|
||||
register: nftables_conf
|
||||
|
||||
- name: Enable nftables
|
||||
systemd:
|
||||
name: nftables
|
||||
enabled: yes
|
||||
|
||||
- name: Start nftables
|
||||
systemd:
|
||||
name: nftables
|
||||
state: started
|
||||
register: nftables_start
|
||||
|
||||
- name: Restart nftables
|
||||
systemd:
|
||||
name: nftables
|
||||
state: restarted
|
||||
register: nftables_restart
|
||||
when:
|
||||
nftables_conf is changed and
|
||||
nftables_start is not changed
|
||||
|
||||
- block:
|
||||
- name: List all post-up nft scripts for interfaces
|
||||
find:
|
||||
paths: /usr/local/sbin
|
||||
patterns: "post-up-*.nft"
|
||||
register: nft_post_up_scripts
|
||||
|
||||
- name: Reload nft scripts for interfaces
|
||||
command: "{{ item.path }}"
|
||||
with_items:
|
||||
- "{{ nft_post_up_scripts.files }}"
|
||||
|
||||
when:
|
||||
nftables_restart is changed
|
@ -1,22 +0,0 @@
|
||||
# Run fstrim daily on ZFS. It's a no-op on ZFS filesystems, but it will run on zvols mounted via
|
||||
# fstab. This helps keep zvol space requirements down.
|
||||
- name: Configure daily fstrim timer
|
||||
copy:
|
||||
src: ./filesystem/common/etc/systemd/system/fstrim-daily.timer
|
||||
dest: /etc/systemd/system/fstrim.timer
|
||||
mode: 0644
|
||||
register: systemd_fstrim_daily_timer_file
|
||||
when:
|
||||
is_zfs
|
||||
|
||||
- name: SystemD daemon reload
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
when:
|
||||
systemd_fstrim_daily_timer_file is changed
|
||||
|
||||
- name: Enable fstrim
|
||||
systemd:
|
||||
name: fstrim.timer
|
||||
enabled: yes
|
||||
state: started
|
@ -1,18 +0,0 @@
|
||||
- name: Install logcheck and logrotate
|
||||
apt:
|
||||
name:
|
||||
- logcheck
|
||||
- logrotate
|
||||
|
||||
- name: Configure logcheck
|
||||
copy:
|
||||
src: ./filesystem/common/etc/logcheck/logcheck.conf
|
||||
dest: /etc/logcheck/logcheck.conf
|
||||
mode: 0640
|
||||
|
||||
- name: Configure logcheck ignores
|
||||
template:
|
||||
src: ./filesystem/common/etc/logcheck/ignore.d.server/_hostname.j2
|
||||
dest: /etc/logcheck/ignore.d.server/{{ ansible_hostname }}
|
||||
group: logcheck
|
||||
mode: 0644
|
@ -1,77 +0,0 @@
|
||||
- name: Configure mailname
|
||||
template:
|
||||
src: ./filesystem/common/etc/mailname.j2
|
||||
dest: /etc/mailname
|
||||
mode: 0644
|
||||
register: mail_mailname
|
||||
|
||||
- name: Configure mailutils
|
||||
template:
|
||||
src: ./filesystem/common/etc/mailutils.conf.j2
|
||||
dest: /etc/mailutils.conf
|
||||
mode: 0644
|
||||
|
||||
- name: Install postfix
|
||||
apt:
|
||||
name:
|
||||
- postfix
|
||||
- ca-certificates
|
||||
- libsasl2-modules
|
||||
|
||||
- name: Configure aliases
|
||||
template:
|
||||
src: ./filesystem/common/etc/aliases.j2
|
||||
dest: /etc/aliases
|
||||
mode: 0644
|
||||
register: mail_aliases
|
||||
|
||||
- name: Update aliases
|
||||
command: newaliases
|
||||
when: mail_aliases is changed
|
||||
|
||||
- name: Configure postfix
|
||||
template:
|
||||
src: ./filesystem/common/etc/postfix/main.cf.j2
|
||||
dest: /etc/postfix/main.cf
|
||||
mode: 0644
|
||||
register: mail_postfix_conf
|
||||
|
||||
- name: Configure credentials
|
||||
template:
|
||||
src: ./filesystem/common/etc/postfix/sasl_passwd.j2
|
||||
dest: /etc/postfix/sasl_passwd
|
||||
mode: 0600
|
||||
register: mail_postfix_credentials
|
||||
|
||||
- name: Create hash database
|
||||
command: postmap /etc/postfix/sasl_passwd
|
||||
when:
|
||||
mail_postfix_credentials is changed
|
||||
|
||||
- name: Set hash database permissions
|
||||
file:
|
||||
path: /etc/postfix/sasl_passwd.db
|
||||
mode: 0600
|
||||
|
||||
- name: Enable postfix
|
||||
systemd:
|
||||
name: postfix
|
||||
enabled: yes
|
||||
|
||||
- name: Start postfix
|
||||
systemd:
|
||||
name: postfix
|
||||
state: started
|
||||
register:
|
||||
mail_postfix_start
|
||||
|
||||
- name: Restart postfix
|
||||
systemd:
|
||||
name: postfix
|
||||
state: restarted
|
||||
when:
|
||||
(mail_mailname is changed or
|
||||
mail_aliases is changed or
|
||||
mail_postfix_conf is changed or
|
||||
mail_postfix_credentials is changed) and
|
||||
mail_postfix_start is not changed
|
@ -1,5 +0,0 @@
|
||||
- name: Set MotD
|
||||
copy:
|
||||
src: ./filesystem/{{ ansible_hostname }}/etc/motd
|
||||
dest: /etc/motd
|
||||
mode: 0644
|
@ -1,9 +0,0 @@
|
||||
- name: Install systemd-timesyncd
|
||||
apt:
|
||||
name: systemd-timesyncd
|
||||
|
||||
- name: Enable NTP
|
||||
systemd:
|
||||
name: systemd-timesyncd
|
||||
enabled: yes
|
||||
state: started
|
@ -1,10 +0,0 @@
|
||||
- name: Disable root shell
|
||||
user:
|
||||
name: root
|
||||
shell: /usr/sbin/nologin
|
||||
|
||||
- name: Disable su for non-wheel users
|
||||
copy:
|
||||
src: ./filesystem/common/etc/pam.d/su
|
||||
dest: /etc/pam.d/su
|
||||
mode: 0644
|
@ -1,27 +0,0 @@
|
||||
# SSH must be installed and enabled for ansible to even connect so we don't bother with installing
|
||||
# and starting it.
|
||||
|
||||
- name: Configure sshd
|
||||
template:
|
||||
src: ./filesystem/common/etc/ssh/sshd_config.d/99-local.conf.j2
|
||||
dest: /etc/ssh/sshd_config.d/99-local.conf
|
||||
mode: 0600
|
||||
register: sshd_conf
|
||||
|
||||
- name: Configure host-specific sshd
|
||||
template:
|
||||
src: "{{ item }}"
|
||||
dest: /etc/ssh/sshd_config.d/{{ item | basename | regex_replace('\.j2','') }}
|
||||
mode: 0600
|
||||
with_fileglob:
|
||||
- "./filesystem/{{ ansible_hostname }}/etc/ssh/sshd_config.d/*.j2"
|
||||
register: sshd_special_conf
|
||||
|
||||
- name: Restart sshd
|
||||
systemd:
|
||||
name: sshd
|
||||
enabled: yes
|
||||
state: restarted
|
||||
when:
|
||||
sshd_conf is changed or
|
||||
sshd_special_conf is changed
|
@ -1,32 +0,0 @@
|
||||
- name: SystemD mail root script
|
||||
template:
|
||||
src: ./filesystem/common/usr/local/sbin/systemd-mail-systemctl-status.j2
|
||||
dest: /usr/local/sbin/systemd-mail-systemctl-status
|
||||
mode: 0755
|
||||
|
||||
- name: SystemD mail user script
|
||||
template:
|
||||
src: ./filesystem/common/usr/local/bin/systemd-mail-systemctl-status.j2
|
||||
dest: /usr/local/bin/systemd-mail-systemctl-status
|
||||
mode: 0755
|
||||
|
||||
- name: SystemD mail root service
|
||||
copy:
|
||||
src: ./filesystem/common/etc/systemd/system/status-mail@.service
|
||||
dest: /etc/systemd/system/status-mail@.service
|
||||
mode: 0644
|
||||
register: systemd_system_status_mail_service_file
|
||||
|
||||
- name: SystemD mail user service
|
||||
copy:
|
||||
src: ./filesystem/common/etc/systemd/user/status-mail@.service
|
||||
dest: /etc/systemd/user/status-mail@.service
|
||||
mode: 0644
|
||||
register: systemd_user_status_mail_service_file
|
||||
|
||||
- name: SystemD daemon reload
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
when:
|
||||
systemd_system_status_mail_service_file is changed or
|
||||
systemd_user_status_mail_service_file is changed
|
@ -1,15 +0,0 @@
|
||||
- name: Install unattended-upgrades
|
||||
apt:
|
||||
name: unattended-upgrades
|
||||
|
||||
- name: Configure unattended-upgrades
|
||||
copy:
|
||||
src: ./filesystem/common/etc/apt/apt.conf.d/50unattended-upgrades
|
||||
dest: /etc/apt/apt.conf.d/50unattended-upgrades
|
||||
mode: 0644
|
||||
|
||||
- name: Enable unattended-upgrades
|
||||
copy:
|
||||
src: ./filesystem/common/etc/apt/apt.conf.d/20auto-upgrades
|
||||
dest: /etc/apt/apt.conf.d/20auto-upgrades
|
||||
mode: 0644
|
@ -1,22 +0,0 @@
|
||||
- name: Clone tmux dotfiles
|
||||
become: no
|
||||
git:
|
||||
repo: https://git.wojciechkozlowski.eu/config/tmux.git
|
||||
dest: .tmux
|
||||
recursive: yes
|
||||
|
||||
- name: Configure tmux
|
||||
become: no
|
||||
copy:
|
||||
src: ./filesystem/common/home/user/tmux.conf
|
||||
dest: .tmux.conf
|
||||
mode: 0644
|
||||
|
||||
- name: Configure bashrc
|
||||
become: no
|
||||
copy:
|
||||
src: ./filesystem/common/home/user/bashrc
|
||||
dest: .bashrc
|
||||
mode: 0644
|
||||
|
||||
# On first tmux launch install plugins with <Ctrl + a + I>
|
@ -1,12 +0,0 @@
|
||||
- name: Install utility programs
|
||||
apt:
|
||||
name:
|
||||
- acl
|
||||
- git
|
||||
- htop
|
||||
- man
|
||||
- perl
|
||||
- rsync
|
||||
- tmux
|
||||
- tcpdump
|
||||
- traceroute
|
10
plays/group-all.yml
Normal file
10
plays/group-all.yml
Normal file
@ -0,0 +1,10 @@
|
||||
---
|
||||
- name: "play : all"
|
||||
hosts: "all"
|
||||
roles:
|
||||
- role: "system_mail"
|
||||
tags: "role:system_mail"
|
||||
- role: "system_base"
|
||||
tags: "role:system_base"
|
||||
vars:
|
||||
motd_dir_path: "files/motd"
|
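Review bot: `hosts: "all"` widens the scope of the base hardening from the `asgard` group (the replaced play targeted `hosts: asgard`) to every inventory host, including `heimdall` in the `[bifrost]` VPN entry-point group, and `system_base` rewrites sshd `AllowUsers` and installs a default-drop nftables ruleset. With the role defaults `additional_ssh_users: []`, `additional_tcp_ports: []` and `udp_ports: []`, a host whose host_vars do not yet define these is left with only `ssh_user` on `ansible_port` reachable after the first run. I would either keep a group-scoped play until every host's vars are in place, or at minimum document in this file that the first run against new hosts should be done with `--check --diff` and `--limit`. Consider also whether `system_mail` really belongs on all hosts, or whether it should be a group play like the others.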
3
plays/group-asgard.yml
Normal file
3
plays/group-asgard.yml
Normal file
@ -0,0 +1,3 @@
|
||||
---
|
||||
- name: "play-group-asgard"
|
||||
hosts: "asgard"
|
3
plays/group-bifrost.yml
Normal file
3
plays/group-bifrost.yml
Normal file
@ -0,0 +1,3 @@
|
||||
---
|
||||
- name: "play-group-bifrost"
|
||||
hosts: "bifrost"
|
6
plays/roles/system_base/defaults/main.yml
Normal file
6
plays/roles/system_base/defaults/main.yml
Normal file
@ -0,0 +1,6 @@
|
||||
# sshd
|
||||
additional_ssh_users: []
|
||||
|
||||
# nftables
|
||||
additional_tcp_ports: []
|
||||
udp_ports: []
|
30
plays/roles/system_base/meta/argument_specs.yml
Normal file
30
plays/roles/system_base/meta/argument_specs.yml
Normal file
@ -0,0 +1,30 @@
|
||||
argument_specs:
|
||||
main:
|
||||
options:
|
||||
ansible_hostname:
|
||||
type: "str"
|
||||
required: true
|
||||
ansible_port:
|
||||
type: "int"
|
||||
required: true
|
||||
ssh_user:
|
||||
type: "str"
|
||||
required: true
|
||||
additional_ssh_users:
|
||||
type: "list"
|
||||
elements: "str"
|
||||
required: true
|
||||
additional_tcp_ports:
|
||||
type: "list"
|
||||
elements: "int"
|
||||
required: true
|
||||
udp_ports:
|
||||
type: "list"
|
||||
elements: "int"
|
||||
required: true
|
||||
fail2ban_ignoreip:
|
||||
type: "str"
|
||||
required: true
|
||||
motd_dir_path:
|
||||
type: "str"
|
||||
required: false
|
37
plays/roles/system_base/tasks/include/fail2ban.yml
Normal file
37
plays/roles/system_base/tasks/include/fail2ban.yml
Normal file
@ -0,0 +1,37 @@
|
||||
- name: "fail2ban : install fail2ban"
|
||||
ansible.builtin.apt:
|
||||
name: "fail2ban"
|
||||
|
||||
- name: "fail2ban : configure fail2ban"
|
||||
ansible.builtin.template:
|
||||
src: "./fail2ban/jail.local.j2"
|
||||
dest: "/etc/fail2ban/jail.local"
|
||||
mode: 0644
|
||||
register: fail2ban_conf
|
||||
|
||||
- name: "fail2ban : configure fail2ban sshd jail"
|
||||
ansible.builtin.template:
|
||||
src: "./fail2ban/jail.d/sshd.local.j2"
|
||||
dest: "/etc/fail2ban/jail.d/sshd.local"
|
||||
mode: 0644
|
||||
register: fail2ban_sshd_jail
|
||||
|
||||
- name: "fail2ban : enable fail2ban"
|
||||
ansible.builtin.systemd:
|
||||
name: "fail2ban"
|
||||
enabled: true
|
||||
|
||||
- name: "fail2ban : start fail2ban"
|
||||
ansible.builtin.systemd:
|
||||
name: "fail2ban"
|
||||
state: "started"
|
||||
register: fail2ban_start
|
||||
|
||||
- name: "fail2ban : restart fail2ban"
|
||||
ansible.builtin.systemd:
|
||||
name: "fail2ban"
|
||||
state: "restarted"
|
||||
when:
|
||||
(fail2ban_conf.changed or
|
||||
fail2ban_sshd_jail.changed) and
|
||||
not fail2ban_start.changed
|
5
plays/roles/system_base/tasks/include/fstrim.yml
Normal file
5
plays/roles/system_base/tasks/include/fstrim.yml
Normal file
@ -0,0 +1,5 @@
|
||||
- name: "fstrim : enable fstrim.timer"
|
||||
ansible.builtin.systemd:
|
||||
name: "fstrim.timer"
|
||||
enabled: true
|
||||
state: "started"
|
18
plays/roles/system_base/tasks/include/logs.yml
Normal file
18
plays/roles/system_base/tasks/include/logs.yml
Normal file
@ -0,0 +1,18 @@
|
||||
- name: "logs : install logcheck and logrotate"
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- "logcheck"
|
||||
- "logrotate"
|
||||
|
||||
- name: "logs : configure logcheck"
|
||||
ansible.builtin.copy:
|
||||
src: "./logcheck/logcheck.conf"
|
||||
dest: "/etc/logcheck/logcheck.conf"
|
||||
mode: 0640
|
||||
|
||||
- name: "logs : configure logcheck ignores"
|
||||
ansible.builtin.copy:
|
||||
src: "./logcheck/ignore"
|
||||
dest: "/etc/logcheck/ignore.d.server/{{ ansible_hostname }}"
|
||||
group: "logcheck"
|
||||
mode: 0644
|
13
plays/roles/system_base/tasks/include/motd.yml
Normal file
13
plays/roles/system_base/tasks/include/motd.yml
Normal file
@ -0,0 +1,13 @@
|
||||
- name: "motd : set motd"
|
||||
ansible.builtin.copy:
|
||||
src: "{{ _system_base_motd_file }}"
|
||||
dest: "/etc/motd"
|
||||
mode: 0644
|
||||
when:
|
||||
motd_dir_path is defined and
|
||||
_system_base_motd_file != ""
|
||||
vars:
|
||||
_file_path:
|
||||
- ../../../{{ motd_dir_path }}/{{ ansible_hostname }}
|
||||
_system_base_motd_file: >-
|
||||
{{ lookup('ansible.builtin.first_found', _file_path, errors='ignore') }}
|
28
plays/roles/system_base/tasks/include/nftables.yml
Normal file
28
plays/roles/system_base/tasks/include/nftables.yml
Normal file
@ -0,0 +1,28 @@
|
||||
- name: "nftables : install nftables"
|
||||
ansible.builtin.apt:
|
||||
name: "nftables"
|
||||
|
||||
- name: "nftables : configure nftables"
|
||||
ansible.builtin.template:
|
||||
src: "./nftables/nftables.conf.j2"
|
||||
dest: "/etc/nftables.conf"
|
||||
mode: 0755
|
||||
register: nftables_conf
|
||||
|
||||
- name: "nfntables : enable nftables"
|
||||
ansible.builtin.systemd:
|
||||
name: "nftables"
|
||||
enabled: true
|
||||
|
||||
- name: "nftables : start nftables"
|
||||
ansible.builtin.systemd:
|
||||
name: "nftables"
|
||||
state: "started"
|
||||
register: nftables_start
|
||||
|
||||
- name: "nftables : reload nftables configuration"
|
||||
ansible.builtin.command:
|
||||
cmd: "nft -f /etc/nftables.conf"
|
||||
when:
|
||||
nftables_conf.changed and
|
||||
not nftables_start.changed
|
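Review bot: The `configure nftables` template task has no `validate:`, so a rendering error in `nftables.conf.j2` (for example a non-integer in `additional_tcp_ports`) is written to `/etc/nftables.conf` before the reload runs; the live `nft -f` transaction is atomic and will fail closed, but `nftables.service` will then fail at next boot and the host comes up without a firewall. Add `validate: "/usr/sbin/nft -c -f %s"` to the template task so a bad ruleset is rejected before it is installed. The reload task is an `ansible.builtin.command` with no `changed_when:`, so it reports changed on every run it executes; `changed_when: true` states the intent explicitly. The removed post-up script re-run from the old firewall task appears to be covered by the template no longer doing `flush ruleset`, which is worth a one-line comment above the reload task so the next maintainer does not reintroduce the flush.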
13
plays/roles/system_base/tasks/include/ntp.yml
Normal file
13
plays/roles/system_base/tasks/include/ntp.yml
Normal file
@ -0,0 +1,13 @@
|
||||
- name: "ntp : install systemd-timesyncd"
|
||||
ansible.builtin.apt:
|
||||
name: "systemd-timesyncd"
|
||||
|
||||
- name: "ntp : enable systemd-timesyncd"
|
||||
ansible.builtin.systemd:
|
||||
name: "systemd-timesyncd"
|
||||
enabled: true
|
||||
state: started
|
||||
|
||||
- name: "ntp : set timezone"
|
||||
community.general.timezone:
|
||||
name: "Europe/Amsterdam"
|
10
plays/roles/system_base/tasks/include/root.yml
Normal file
10
plays/roles/system_base/tasks/include/root.yml
Normal file
@ -0,0 +1,10 @@
|
||||
- name: "root : disable root shell"
|
||||
ansible.builtin.user:
|
||||
name: "root"
|
||||
shell: "/usr/sbin/nologin"
|
||||
|
||||
- name: "root : disable su for non-wheel users"
|
||||
ansible.builtin.copy:
|
||||
src: "./root/su"
|
||||
dest: "/etc/pam.d/su"
|
||||
mode: 0644
|
27
plays/roles/system_base/tasks/include/sshd.yml
Normal file
27
plays/roles/system_base/tasks/include/sshd.yml
Normal file
@ -0,0 +1,27 @@
|
||||
# SSH must be installed so we don't bother with installing it.
|
||||
|
||||
- name: "sshd : configure sshd"
|
||||
ansible.builtin.template:
|
||||
src: "./sshd/99-local.conf.j2"
|
||||
dest: "/etc/ssh/sshd_config.d/99-local.conf"
|
||||
mode: 0600
|
||||
register: sshd_conf
|
||||
|
||||
- name: "sshd : enable sshd"
|
||||
ansible.builtin.systemd:
|
||||
name: "sshd"
|
||||
enabled: true
|
||||
|
||||
- name: "sshd : start sshd"
|
||||
ansible.builtin.systemd:
|
||||
name: "sshd"
|
||||
state: "started"
|
||||
register: sshd_start
|
||||
|
||||
- name: "sshd : restart sshd"
|
||||
ansible.builtin.systemd:
|
||||
name: "sshd"
|
||||
state: "restarted"
|
||||
when:
|
||||
sshd_conf.changed and
|
||||
not sshd_start.changed
|
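Review bot: The role only manages `99-local.conf`, whereas the replaced task file also deployed per-host `sshd_config.d/*.j2` drop-ins, one of which (deleted in this commit) contained `AllowUsers {{ ssh_user }} pod-rproxy`. Ansible does not remove files it no longer manages, and OpenSSH accumulates multiple `AllowUsers` keywords, so that drop-in stays on disk and keeps allowing `pod-rproxy` regardless of what `additional_ssh_users` now says. Add an `ansible.builtin.file` task with `state: absent` for the old drop-in path (or a `find` over `/etc/ssh/sshd_config.d/` that removes anything other than the managed file), register it, and include it in the restart condition. The template task would also benefit from `validate: "/usr/sbin/sshd -t -f %s"` so a bad render cannot be installed and restart sshd into a locked-out state.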
32
plays/roles/system_base/tasks/include/systemd-mail.yml
Normal file
32
plays/roles/system_base/tasks/include/systemd-mail.yml
Normal file
@ -0,0 +1,32 @@
|
||||
- name: "systemd-mail : systemd mail root script"
|
||||
ansible.builtin.template:
|
||||
src: "./systemd-mail/system/systemd-mail-systemctl-status.j2"
|
||||
dest: "/usr/local/sbin/systemd-mail-systemctl-status"
|
||||
mode: 0755
|
||||
|
||||
- name: "systemd-mail : systemd mail user script"
|
||||
ansible.builtin.template:
|
||||
src: "./systemd-mail/user/systemd-mail-systemctl-status.j2"
|
||||
dest: "/usr/local/bin/systemd-mail-systemctl-status"
|
||||
mode: 0755
|
||||
|
||||
- name: "systemd-mail : systemd mail root service"
|
||||
ansible.builtin.copy:
|
||||
src: "./systemd-mail/system/status-mail@.service"
|
||||
dest: "/etc/systemd/system/status-mail@.service"
|
||||
mode: 0644
|
||||
register: systemd_system_status_mail_service_file
|
||||
|
||||
- name: "systemd-mail : systemd mail user service"
|
||||
ansible.builtin.copy:
|
||||
src: "./systemd-mail/user/status-mail@.service"
|
||||
dest: "/etc/systemd/user/status-mail@.service"
|
||||
mode: 0644
|
||||
register: systemd_user_status_mail_service_file
|
||||
|
||||
- name: "systemd-mail : systemd daemon reload"
|
||||
ansible.builtin.systemd:
|
||||
daemon_reload: true
|
||||
when:
|
||||
systemd_system_status_mail_service_file.changed or
|
||||
systemd_user_status_mail_service_file.changed
|
@ -0,0 +1,15 @@
|
||||
- name: "unattended-upgrades : install unattended-upgrades"
|
||||
ansible.builtin.apt:
|
||||
name: "unattended-upgrades"
|
||||
|
||||
- name: "unattended-upgrades : configure unattended-upgrades"
|
||||
ansible.builtin.copy:
|
||||
src: "./unattended-upgrades/50unattended-upgrades"
|
||||
dest: "/etc/apt/apt.conf.d/50unattended-upgrades"
|
||||
mode: 0644
|
||||
|
||||
- name: "unattended-upgrades : enable unattended-upgrades"
|
||||
ansible.builtin.copy:
|
||||
src: "./unattended-upgrades/20auto-upgrades"
|
||||
dest: "/etc/apt/apt.conf.d/20auto-upgrades"
|
||||
mode: 0644
|
22
plays/roles/system_base/tasks/include/user.yml
Normal file
22
plays/roles/system_base/tasks/include/user.yml
Normal file
@ -0,0 +1,22 @@
|
||||
- block:
|
||||
|
||||
- name: "user : clone tmux dotfiles"
|
||||
ansible.builtin.git:
|
||||
repo: "https://git.wojciechkozlowski.eu/config/tmux.git"
|
||||
dest: ".tmux"
|
||||
recursive: true
|
||||
|
||||
# On first tmux launch install plugins with <Ctrl + a + I>
|
||||
- name: "user : configure tmux"
|
||||
ansible.builtin.copy:
|
||||
src: "./user/tmux.conf"
|
||||
dest: ".tmux.conf"
|
||||
mode: 0644
|
||||
|
||||
- name: "user : configure bashrc"
|
||||
ansible.builtin.copy:
|
||||
src: "./user/bashrc"
|
||||
dest: ".bashrc"
|
||||
mode: 0644
|
||||
|
||||
become: false
|
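Review bot: The `clone tmux dotfiles` task pulls `https://git.wojciechkozlowski.eu/config/tmux.git` with `recursive: true` and no `version:`, so every run fetches the branch tip and all submodules into the login user's home on every host, and a compromise of that git host or of any submodule upstream becomes code execution as the admin user the next time tmux starts. Pin the checkout with `version: "<tag-or-commit>"` and either drop `recursive: true` or pin the submodules in the upstream repository. The `.bashrc` copied in the same block is shell executed on every login, so the same reasoning applies to what lands in that file.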
12
plays/roles/system_base/tasks/include/utils.yml
Normal file
12
plays/roles/system_base/tasks/include/utils.yml
Normal file
@ -0,0 +1,12 @@
|
||||
- name: "utils : install utility programs"
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- "acl"
|
||||
- "git"
|
||||
- "htop"
|
||||
- "man"
|
||||
- "perl"
|
||||
- "rsync"
|
||||
- "tmux"
|
||||
- "tcpdump"
|
||||
- "traceroute"
|
47
plays/roles/system_base/tasks/main.yml
Normal file
47
plays/roles/system_base/tasks/main.yml
Normal file
@ -0,0 +1,47 @@
|
||||
- name: "role:system_base:sshd"
|
||||
import_tasks: "include/sshd.yml"
|
||||
tags: "role:system_base:sshd"
|
||||
|
||||
- name: "role:system_base:nftables"
|
||||
import_tasks: "include/nftables.yml"
|
||||
tags: "role:system_base:nftables"
|
||||
|
||||
- name: "role:system_base:ntp"
|
||||
import_tasks: "include/ntp.yml"
|
||||
tags: "role:system_base:ntp"
|
||||
|
||||
- name: "role:system_base:fail2ban"
|
||||
import_tasks: "include/fail2ban.yml"
|
||||
tags: "role:system_base:fail2ban"
|
||||
|
||||
- name: "role:system_base:fstrim"
|
||||
import_tasks: "include/fstrim.yml"
|
||||
tags: "role:system_base:fstrim"
|
||||
|
||||
- name: "role:system_base:unattended-upgrades"
|
||||
import_tasks: "include/unattended-upgrades.yml"
|
||||
tags: "role:system_base:unattended-upgrades"
|
||||
|
||||
- name: "role:system_base:logs"
|
||||
import_tasks: "include/logs.yml"
|
||||
tags: "role:system_base:logs"
|
||||
|
||||
- name: "role:system_base:systemd-mail"
|
||||
import_tasks: "include/systemd-mail.yml"
|
||||
tags: "role:system_base:systemd-mail"
|
||||
|
||||
- name: "role:system_base:utils"
|
||||
import_tasks: "include/utils.yml"
|
||||
tags: "role:system_base:utils"
|
||||
|
||||
- name: "role:system_base:motd"
|
||||
import_tasks: "include/motd.yml"
|
||||
tags: "role:system_base:motd"
|
||||
|
||||
- name: "role:system_base:root"
|
||||
import_tasks: "include/root.yml"
|
||||
tags: "role:system_base:root"
|
||||
|
||||
- name: "role:system_base:user"
|
||||
import_tasks: "include/user.yml"
|
||||
tags: "role:system_base:user"
|
@ -1,6 +1,7 @@
|
||||
#!/usr/sbin/nft -f
|
||||
|
||||
flush ruleset
|
||||
table inet filter
|
||||
delete table inet filter
|
||||
|
||||
table inet filter {
|
||||
chain input {
|
||||
@ -20,12 +21,14 @@ table inet filter {
|
||||
# Drop invalid connections.
|
||||
ct state invalid drop;
|
||||
|
||||
# Accept HTTP, HTTPS, SSH.
|
||||
tcp dport { 80, 443, {{ ansible_port }} } ct state new accept;
|
||||
# TCP ports.
|
||||
tcp dport { {{ [ansible_port] | union(additional_tcp_ports) | join(", ") }} } ct state new accept;
|
||||
|
||||
# Accept WireGuard.
|
||||
iif {{ ethx }} udp dport {{ vpn_wg0_port }} accept;
|
||||
{% if udp_ports %}
|
||||
# UDP ports.
|
||||
udp dport { {{ udp_ports | join(", ") }} } accept;
|
||||
|
||||
{% endif %}
|
||||
# Count and drop any other traffic.
|
||||
counter drop;
|
||||
}
|
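Review bot: The generic UDP rule drops the `iif {{ ethx }}` qualifier that the WireGuard rule it replaces had, so any port in `udp_ports` is now accepted on every interface, including the bridge and tunnel side, and `udp_ports` defaults to `[]`, so a host that relied on the old `vpn_wg0_port` rule loses its WireGuard listener on the first run unless its host_vars now list that port. I would keep the interface restriction, e.g. `iif {{ ethx }} udp dport { {{ udp_ports | join(", ") }} } accept;`, but `ethx` is not in the `system_base` argument spec, so it would need to become a role argument (say `udp_ports_iif`) with a documented default. The TCP rule is an improvement since 80/443 are now opt-in via `additional_tcp_ports`. The enclosing `table inet filter` block closes outside this hunk.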
@ -7,7 +7,7 @@ Port {{ ansible_port }}
|
||||
PermitRootLogin no
|
||||
|
||||
# Explicitly set the list of allowed ssh users.
|
||||
AllowUsers {{ ssh_user }}
|
||||
AllowUsers {{ [ssh_user] | union(additional_ssh_users) | join(" ") }}
|
||||
|
||||
# SSH enabled only via ssh-key.
|
||||
PasswordAuthentication no
|
21
plays/roles/system_mail/meta/argument_specs.yml
Normal file
21
plays/roles/system_mail/meta/argument_specs.yml
Normal file
@ -0,0 +1,21 @@
|
||||
argument_specs:
|
||||
main:
|
||||
options:
|
||||
ansible_hostname:
|
||||
type: "str"
|
||||
required: true
|
||||
mail_domain:
|
||||
type: "str"
|
||||
required: true
|
||||
postfix_smtp_server:
|
||||
type: "str"
|
||||
required: true
|
||||
postfix_smtp_port:
|
||||
type: "int"
|
||||
required: true
|
||||
postfix_smtp_user:
|
||||
type: "str"
|
||||
required: true
|
||||
postfix_smtp_pass:
|
||||
type: "str"
|
||||
required: true
|
80
plays/roles/system_mail/tasks/main.yml
Normal file
80
plays/roles/system_mail/tasks/main.yml
Normal file
@ -0,0 +1,80 @@
|
||||
- name: "configure mailname"
|
||||
ansible.builtin.template:
|
||||
src: "./mailname.j2"
|
||||
dest: "/etc/mailname"
|
||||
mode: 0644
|
||||
register: mail_mailname
|
||||
|
||||
- name: "configure mailutils"
|
||||
ansible.builtin.template:
|
||||
src: "./mailutils.conf.j2"
|
||||
dest: "/etc/mailutils.conf"
|
||||
mode: 0644
|
||||
|
||||
- name: "install postfix"
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- "postfix"
|
||||
- "ca-certificates"
|
||||
- "libsasl2-modules"
|
||||
|
||||
- name: "configure aliases"
|
||||
ansible.builtin.template:
|
||||
src: "./aliases.j2"
|
||||
dest: "/etc/aliases"
|
||||
mode: 0644
|
||||
register: mail_aliases
|
||||
|
||||
- name: "update aliases"
|
||||
ansible.builtin.command:
|
||||
cmd: "newaliases"
|
||||
when:
|
||||
mail_aliases.changed
|
||||
|
||||
- name: "configure postfix"
|
||||
ansible.builtin.template:
|
||||
src: "./postfix/main.cf.j2"
|
||||
dest: "/etc/postfix/main.cf"
|
||||
mode: 0644
|
||||
register: mail_postfix_conf
|
||||
|
||||
- name: "configure credentials"
|
||||
ansible.builtin.template:
|
||||
src: "./postfix/sasl_passwd.j2"
|
||||
dest: "/etc/postfix/sasl_passwd"
|
||||
mode: 0600
|
||||
register: mail_postfix_credentials
|
||||
|
||||
- name: "create hash database"
|
||||
ansible.builtin.command:
|
||||
cmd: "postmap /etc/postfix/sasl_passwd"
|
||||
when:
|
||||
mail_postfix_credentials.changed
|
||||
|
||||
- name: "set hash database permissions"
|
||||
ansible.builtin.file:
|
||||
path: "/etc/postfix/sasl_passwd.db"
|
||||
mode: 0600
|
||||
|
||||
- name: "enable postfix"
|
||||
ansible.builtin.systemd:
|
||||
name: "postfix"
|
||||
enabled: true
|
||||
|
||||
- name: "start postfix"
|
||||
ansible.builtin.systemd:
|
||||
name: "postfix"
|
||||
state: "started"
|
||||
register:
|
||||
mail_postfix_start
|
||||
|
||||
- name: "restart postfix"
|
||||
ansible.builtin.systemd:
|
||||
name: "postfix"
|
||||
state: "restarted"
|
||||
when:
|
||||
(mail_mailname.changed or
|
||||
mail_aliases.changed or
|
||||
mail_postfix_conf.changed or
|
||||
mail_postfix_credentials.changed) and
|
||||
not mail_postfix_start.changed
|
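Review bot: The `configure credentials` task renders `sasl_passwd.j2`, which carries `postfix_smtp_pass`, without `no_log: true`, so a run with `--diff` (or a failure in that task) prints the plaintext SMTP password into the controller output and any CI log; add `no_log: true` to that task. Secondarily, `postmap` creates `sasl_passwd.db` in one task and the `0600` mode is applied in a separate later task, so if postmap does not propagate the source file's mode on this Postfix version (verify) the database is briefly umask-default and stays that way if the play aborts in between; running it as `ansible.builtin.shell: "umask 077 && postmap /etc/postfix/sasl_passwd"` closes that window. Both `newaliases` and `postmap` are plain commands with no `changed_when:`, so they always report changed when they run.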
@ -11,4 +11,4 @@ ftp: root
|
||||
abuse: root
|
||||
noc: root
|
||||
security: root
|
||||
root: root@{{ domain }}
|
||||
root: root@{{ mail_domain }}
|
1
plays/roles/system_mail/templates/mailname.j2
Normal file
1
plays/roles/system_mail/templates/mailname.j2
Normal file
@ -0,0 +1 @@
|
||||
{{ ansible_hostname }}.{{ mail_domain }}
|
3
plays/roles/system_mail/templates/mailutils.conf.j2
Normal file
3
plays/roles/system_mail/templates/mailutils.conf.j2
Normal file
@ -0,0 +1,3 @@
|
||||
address {
|
||||
email-domain {{ ansible_hostname }}.{{ mail_domain }};
|
||||
};
|
@ -35,7 +35,7 @@ smtp_tls_wrappermode = yes
|
||||
|
||||
|
||||
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
|
||||
myhostname = {{ ansible_hostname }}.{{ domain }}
|
||||
myhostname = {{ ansible_hostname }}.{{ mail_domain }}
|
||||
alias_maps = hash:/etc/aliases
|
||||
alias_database = hash:/etc/aliases
|
||||
mydestination = $myhostname, {{ ansible_hostname }}, localhost
|
30
plays/roles/system_zfs/tasks/include/fstrim.yml
Normal file
30
plays/roles/system_zfs/tasks/include/fstrim.yml
Normal file
@ -0,0 +1,30 @@
|
||||
# Run fstrim daily on ZFS. It's a no-op on ZFS filesystems, but it will run on zvols mounted via
|
||||
# fstab. Untrimmed zvol blocks occupy space in th ZFS pool. Therefore, this helps keep zvol space
|
||||
# requirements down if they are busy.
|
||||
- name: "fstrim : configure a daily fstrim timer"
|
||||
ansible.builtin.copy:
|
||||
src: "./fstrim/fstrim.timer"
|
||||
dest: "/etc/systemd/system/fstrim.timer"
|
||||
mode: 0644
|
||||
register: systemd_fstrim_timer_file
|
||||
|
||||
- name: "fstrim : systemd daemon reload"
|
||||
ansible.builtin.systemd:
|
||||
daemon_reload: true
|
||||
when:
|
||||
systemd_fstrim_timer_file.changed
|
||||
|
||||
# Disabling is necessary to make sure systemd uses the new timer file.
|
||||
- name: "fstrim : disable fstrim.timer"
|
||||
ansible.builtin.systemd:
|
||||
name: "fstrim.timer"
|
||||
enabled: false
|
||||
state: "stopped"
|
||||
when:
|
||||
systemd_fstrim_timer_file.changed
|
||||
|
||||
- name: "fstrim : enable fstrim.timer"
|
||||
ansible.builtin.systemd:
|
||||
name: "fstrim.timer"
|
||||
enabled: true
|
||||
state: "started"
|
3
plays/roles/system_zfs/tasks/main.yml
Normal file
3
plays/roles/system_zfs/tasks/main.yml
Normal file
@ -0,0 +1,3 @@
|
||||
- name: "role:system_zfs:fstrim"
|
||||
import_tasks: "include/fstrim.yml"
|
||||
tags: "role:system_zfs:fstrim"
|