diff --git a/machine.yml b/machine.yml
index e605f09..4529a66 100644
--- a/machine.yml
+++ b/machine.yml
@@ -5,453 +5,20 @@ - secrets.yml tasks: - - # ---------------------------------------------------------------------------------------------- - # SSH configuration. - # ---------------------------------------------------------------------------------------------- - - # SSH must be installed and enabled for ansible to even connect so we don't bother with - # installing and starting it. - - - name: Configure sshd - template: - src: ./root/etc/ssh/sshd_config.d/00-yggdrasil.conf.j2 - dest: /etc/ssh/sshd_config.d/00-yggdrasil.conf - mode: 0600 - register: sshd_conf - - - name: Restart sshd - systemd: - name: sshd - enabled: yes - state: restarted - when: - sshd_conf is changed - - # ------------------------------------------------------------------------- - # Firewall configuration. - # ------------------------------------------------------------------------- - - - name: Install nftables - apt: - name: nftables - - - name: Configure nftables - template: - src: ./root/etc/nftables.conf.j2 - dest: /etc/nftables.conf - mode: 0755 - register: nftables_conf - - - name: Enable/start nftables - systemd: - name: nftables - state: started - enabled: yes - - - name: Restart nftables - systemd: - name: nftables - state: restarted - when: - nftables_conf is changed - - # ---------------------------------------------------------------------------------------------- - # NTP configuration. - # ---------------------------------------------------------------------------------------------- - - - name: Install systemd-timesyncd - apt: - name: systemd-timesyncd - - - name: Enable/start NTP - systemd: - name: systemd-timesyncd - enabled: yes - state: started - - # ---------------------------------------------------------------------------------------------- - # E-mail configuration. 
- # ---------------------------------------------------------------------------------------------- - - - name: Configure mailname - template: - src: ./root/etc/mailname.j2 - dest: /etc/mailname - mode: 0644 - register: mail_mailname - - - name: Configure aliases - template: - src: ./root/etc/aliases.j2 - dest: /etc/aliases - mode: 0644 - register: mail_aliases - - - name: Update aliases - command: newaliases - when: mail_aliases is changed - - - name: Configure mailutils - template: - src: ./root/etc/mailutils.conf.j2 - dest: /etc/mailutils.conf - mode: 0644 - - - name: Install postfix - apt: - name: - - postfix - - ca-certificates - - libsasl2-modules - - - name: Configure postfix - template: - src: ./root/etc/postfix/main.cf.j2 - dest: /etc/postfix/main.cf - mode: 0644 - register: mail_postfix_conf - - - name: Configure credentials - template: - src: ./root/etc/postfix/sasl_passwd.j2 - dest: /etc/postfix/sasl_passwd - mode: 0600 - register: mail_postfix_credentials - - - name: Create hash database - command: postmap /etc/postfix/sasl_passwd - when: - mail_postfix_credentials is changed - - - name: Set hash database permissions - file: - path: /etc/postfix/sasl_passwd.db - mode: 0600 - - - name: Enable/start postfix - systemd: - name: postfix - enabled: yes - state: started - - - name: Restart postfix - systemd: - name: postfix - state: restarted - when: - mail_mailname is changed or - mail_aliases is changed or - mail_postfix_conf is changed or - mail_postfix_credentials is changed - - # ------------------------------------------------------------------------- - # Unattended upgrades configuration. 
- # ------------------------------------------------------------------------- - - - name: Install unattended-upgrades - apt: - name: unattended-upgrades - - - name: Configure unattended-upgrades - copy: - src: ./root/etc/apt/apt.conf.d/50unattended-upgrades - dest: /etc/apt/apt.conf.d/50unattended-upgrades - mode: 0644 - - - name: Enable unattended-upgrades - copy: - src: ./root/etc/apt/apt.conf.d/20auto-upgrades - dest: /etc/apt/apt.conf.d/20auto-upgrades - mode: 0644 - - # ---------------------------------------------------------------------------------------------- - # Fail2Ban configuration. - # ---------------------------------------------------------------------------------------------- - - - name: Install fail2ban - apt: - name: fail2ban - - - name: Configure fail2ban - template: - src: ./root/etc/fail2ban/jail.local.j2 - dest: /etc/fail2ban/jail.local - mode: 0644 - register: fail2ban_conf - - - name: Configure fail2ban sshd jail - template: - src: ./root/etc/fail2ban/jail.d/sshd.local.j2 - dest: /etc/fail2ban/jail.d/sshd.local - mode: 0644 - register: fail2ban_sshd_jail - - - name: Enable/start fail2ban - systemd: - name: fail2ban - state: started - enabled: yes - - - name: Restart fail2ban - systemd: - name: fail2ban - state: restarted - when: - fail2ban_conf is changed or - fail2ban_sshd_jail is changed - - # ---------------------------------------------------------------------------------------------- - # SystemD mails. 
- # ---------------------------------------------------------------------------------------------- - - - name: SystemD mail script - template: - src: ./root/usr/local/sbin/systemd-mail-systemctl-status.j2 - dest: /usr/local/sbin/systemd-mail-systemctl-status - mode: 0755 - - - name: SystemD mail service - copy: - src: ./root/etc/systemd/system/status-mail@.service - dest: /etc/systemd/system/status-mail@.service - mode: 0644 - register: systemd_status_mail_service_file - - - name: SystemD daemon reload - systemd: - daemon_reload: true - when: - systemd_status_mail_service_file is changed - - # ---------------------------------------------------------------------------------------------- - # ZFS scrubbing. - # ---------------------------------------------------------------------------------------------- - - - name: Zpool status mail script - template: - src: ./root/usr/local/sbin/systemd-mail-zpool-status.j2 - dest: /usr/local/sbin/systemd-mail-zpool-status - mode: 0755 - - - name: Zfs scrub service file - copy: - src: ./root/etc/systemd/system/zfs-scrub@.service - dest: /etc/systemd/system/zfs-scrub@.service - mode: 0644 - register: systemd_zfs_scrub_service_file - - - name: Zfs scrub timer file - copy: - src: ./root/etc/systemd/system/zfs-scrub-monthly@.timer - dest: /etc/systemd/system/zfs-scrub-monthly@.timer - mode: 0644 - register: systemd_zfs_scrub_monthly_timer_file - - - name: SystemD daemon reload - systemd: - daemon_reload: true - when: - systemd_zfs_scrub_service_file is changed or - systemd_zfs_scrub_monthly_timer_file is changed - - - name: Enable zfs scrub of bpool - systemd: - name: zfs-scrub-monthly@bpool.timer - enabled: yes - state: started - - - name: Enable zfs scrub of rpool - systemd: - name: zfs-scrub-monthly@rpool.timer - enabled: yes - state: started - - # ---------------------------------------------------------------------------------------------- - # Filesystem TRIM. 
- # ---------------------------------------------------------------------------------------------- - - - name: Enable fstrim - systemd: - name: fstrim.timer - enabled: yes - state: started - - - name: Zfs trim service file - copy: - src: ./root/etc/systemd/system/zfs-trim@.service - dest: /etc/systemd/system/zfs-trim@.service - mode: 0644 - register: systemd_zfs_trim_service_file - - - name: Zfs trim timer file - copy: - src: ./root/etc/systemd/system/zfs-trim-monthly@.timer - dest: /etc/systemd/system/zfs-trim-monthly@.timer - mode: 0644 - register: systemd_zfs_trim_monthly_timer_file - - - name: SystemD daemon reload - systemd: - daemon_reload: true - when: - systemd_zfs_trim_service_file is changed or - systemd_zfs_trim_monthly_timer_file is changed - - - name: Enable zfs trim of bpool - systemd: - name: zfs-trim-monthly@bpool.timer - enabled: yes - state: started - - - name: Enable zfs trim of rpool - systemd: - name: zfs-trim-monthly@rpool.timer - enabled: yes - state: started - - - name: Remove the zfsutils cron job - file: - state: absent - path: /etc/cron.d/zfsutils-linux - - # ---------------------------------------------------------------------------------------------- - # UPS configuration. - # ---------------------------------------------------------------------------------------------- - - - name: Install acpupsd - apt: - name: apcupsd - - - name: Apcupsd configuration - copy: - src: ./root/etc/apcupsd/apcupsd.conf - dest: /etc/apcupsd/apcupsd.conf - mode: 0644 - register: apcupsd_conf - - - name: Enable/start apcupsd - systemd: - name: apcupsd - enabled: yes - state: started - - - name: Restart apcupsd - systemd: - name: apcupsd - state: restarted - when: - apcupsd_conf is changed - - # ---------------------------------------------------------------------------------------------- - # Disk monitoring. 
- # ---------------------------------------------------------------------------------------------- - - - name: Install smartmontools - apt: - name: smartmontools - - - name: Smartd configuration - copy: - src: ./root/etc/smartd.conf - dest: /etc/smartd.conf - mode: 0644 - register: smartd_conf - - - name: Enable/start smartmontools - systemd: - name: smartmontools - enabled: yes - state: started - - - name: Restart smartmontools - systemd: - name: smartmontools - state: restarted - when: - smartd_conf is changed - - # ------------------------------------------------------------------------- - # Log monitoring. - # ------------------------------------------------------------------------- - - - name: Install logcheck and logrotate - apt: - name: - - logcheck - - logrotate - - - name: Configure logcheck - template: - src: ./root/etc/logcheck/ignore.d.server/yggdrasil.j2 - dest: /etc/logcheck/ignore.d.server/yggdrasil - group: logcheck - mode: 0644 - - # ------------------------------------------------------------------------- - # Set MotD. - # ------------------------------------------------------------------------- - - - name: Set MotD - copy: - src: ./root/etc/motd - dest: /etc/motd - mode: 0644 - - # ---------------------------------------------------------------------------------------------- - # Utility programs. - # ---------------------------------------------------------------------------------------------- - - - name: Install utility programs - apt: - name: - - git - - htop - - man - - # ---------------------------------------------------------------------------------------------- - # Set up utilities for the user. 
- # ---------------------------------------------------------------------------------------------- - - - name: Install tmux - apt: - name: - - tmux - - - name: Clone tmux dotfiles - become: no - git: - repo: https://gitlab.wojciechkozlowski.eu/config/tmux.git - dest: .tmux - recursive: yes - - - name: Configure tmux - become: no - copy: - src: ./root/home/user/tmux.conf - dest: .tmux.conf - mode: 0644 - - - name: Configure bashrc - become: no - copy: - src: ./root/home/user/bashrc - dest: .bashrc - mode: 0644 - - # On first tmux launch install plugins with - - # ---------------------------------------------------------------------------------------------- - # Set the root's shell to nologin. - # ---------------------------------------------------------------------------------------------- - - - name: Disable root shell - user: - name: root - shell: /usr/sbin/nologin - - - name: Disable su for non-wheel users - copy: - src: ./root/etc/pam.d/su - dest: /etc/pam.d/su - mode: 0644 + - import_tasks: tasks/sshd.yml + - import_tasks: tasks/firewall.yml + - import_tasks: tasks/ntp.yml + - import_tasks: tasks/mail.yml + - import_tasks: tasks/unattended-upgrades.yml + - import_tasks: tasks/fail2ban.yml + - import_tasks: tasks/systemd-mail.yml + - import_tasks: tasks/zfs-scrub.yml + - import_tasks: tasks/trim.yml + - import_tasks: tasks/zfsutils-cron.yml + - import_tasks: tasks/ups.yml + - import_tasks: tasks/smart.yml + - import_tasks: tasks/logs.yml + - import_tasks: tasks/motd.yml + - import_tasks: tasks/utils.yml + - import_tasks: tasks/user.yml + - import_tasks: tasks/root-shell.yml diff --git a/tasks/fail2ban.yml b/tasks/fail2ban.yml new file mode 100644 index 0000000..bf4d5f2 --- /dev/null +++ b/tasks/fail2ban.yml 
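Review bot: The section header comments machine.yml carried ("Firewall configuration.", "SystemD mails.", "Set the root's shell to nologin.", and so on) are dropped by the split rather than moved into the new task files; of the seventeen imported files only tasks/sshd.yml keeps its explanatory comment. Each new file would be easier to review on its own with a one-line header stating what it configures and what it depends on, e.g. for tasks/user.yml `# Per-user shell/tmux setup; runs as the connecting user (become: no) and expects tasks/utils.yml to have installed tmux.` The import order itself looks deliberate (utils before user, root-shell last), and a short comment above the `import_tasks` list saying that ordering matters would stop a future reorder from breaking it.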
@@ -0,0 +1,31 @@
+- name: Install fail2ban
+ apt:
+ name: fail2ban
+
+- name: Configure fail2ban
+ template:
+ src: ./root/etc/fail2ban/jail.local.j2
+ dest: /etc/fail2ban/jail.local
+ mode: 0644
+ register: fail2ban_conf
+
+- name: Configure fail2ban sshd jail
+ template:
+ src: ./root/etc/fail2ban/jail.d/sshd.local.j2
+ dest: /etc/fail2ban/jail.d/sshd.local
+ mode: 0644
+ register: fail2ban_sshd_jail
+
+- name: Enable/start fail2ban
+ systemd:
+ name: fail2ban
+ state: started
+ enabled: yes
+
+- name: Restart fail2ban
+ systemd:
+ name: fail2ban
+ state: restarted
+ when:
+ fail2ban_conf is changed or
+ fail2ban_sshd_jail is changed
diff --git a/tasks/firewall.yml b/tasks/firewall.yml
new file mode 100644
index 0000000..1a7e2de
--- /dev/null
+++ b/tasks/firewall.yml
@@ -0,0 +1,23 @@
+- name: Install nftables
+ apt:
+ name: nftables
+
+- name: Configure nftables
+ template:
+ src: ./root/etc/nftables.conf.j2
+ dest: /etc/nftables.conf
+ mode: 0755
+ register: nftables_conf
+
+- name: Enable/start nftables
+ systemd:
+ name: nftables
+ state: started
+ enabled: yes
+
+- name: Restart nftables
+ systemd:
+ name: nftables
+ state: restarted
+ when:
+ nftables_conf is changed
diff --git a/tasks/logs.yml b/tasks/logs.yml
new file mode 100644
index 0000000..66bc4ac
--- /dev/null
+++ b/tasks/logs.yml
@@ -0,0 +1,12 @@
+- name: Install logcheck and logrotate
+ apt:
+ name:
+ - logcheck
+ - logrotate
+
+- name: Configure logcheck
+ template:
+ src: ./root/etc/logcheck/ignore.d.server/yggdrasil.j2
+ dest: /etc/logcheck/ignore.d.server/yggdrasil
+ group: logcheck
+ mode: 0644
diff --git a/tasks/mail.yml b/tasks/mail.yml
new file mode 100644
index 0000000..88ee82d
--- /dev/null
+++ b/tasks/mail.yml
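Review bot: In tasks/firewall.yml the "Configure nftables" template task installs /etc/nftables.conf and "Restart nftables" then restarts the unit without checking the rendered ruleset first; if the template renders something nft rejects, the restart's stop step flushes the live rules and the start step fails, leaving the host with no firewall until someone notices. Add `validate: nft -c -f %s` to the template task so a bad render fails the play before the file is written and the restart is never reached. The unit's exact stop/start behaviour is not visible in this diff, so confirm it on the target, but validating before install is cheap either way. Separately, `mode: 0755` leaves the ruleset world-readable; if it embeds allow-listed addresses or management ports, `0700` is the safer choice since only root runs nft, and quoting the mode (`mode: "0755"`) avoids the YAML-loader octal ambiguity Ansible warns about.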
@@ -0,0 +1,70 @@
+- name: Configure mailname
+ template:
+ src: ./root/etc/mailname.j2
+ dest: /etc/mailname
+ mode: 0644
+ register: mail_mailname
+
+- name: Configure aliases
+ template:
+ src: ./root/etc/aliases.j2
+ dest: /etc/aliases
+ mode: 0644
+ register: mail_aliases
+
+- name: Update aliases
+ command: newaliases
+ when: mail_aliases is changed
+
+- name: Configure mailutils
+ template:
+ src: ./root/etc/mailutils.conf.j2
+ dest: /etc/mailutils.conf
+ mode: 0644
+
+- name: Install postfix
+ apt:
+ name:
+ - postfix
+ - ca-certificates
+ - libsasl2-modules
+
+- name: Configure postfix
+ template:
+ src: ./root/etc/postfix/main.cf.j2
+ dest: /etc/postfix/main.cf
+ mode: 0644
+ register: mail_postfix_conf
+
+- name: Configure credentials
+ template:
+ src: ./root/etc/postfix/sasl_passwd.j2
+ dest: /etc/postfix/sasl_passwd
+ mode: 0600
+ register: mail_postfix_credentials
+
+- name: Create hash database
+ command: postmap /etc/postfix/sasl_passwd
+ when:
+ mail_postfix_credentials is changed
+
+- name: Set hash database permissions
+ file:
+ path: /etc/postfix/sasl_passwd.db
+ mode: 0600
+
+- name: Enable/start postfix
+ systemd:
+ name: postfix
+ enabled: yes
+ state: started
+
+- name: Restart postfix
+ systemd:
+ name: postfix
+ state: restarted
+ when:
+ mail_mailname is changed or
+ mail_aliases is changed or
+ mail_postfix_conf is changed or
+ mail_postfix_credentials is changed
diff --git a/tasks/motd.yml b/tasks/motd.yml
new file mode 100644
index 0000000..4985225
--- /dev/null
+++ b/tasks/motd.yml
@@ -0,0 +1,5 @@
+- name: Set MotD
+ copy:
+ src: ./root/etc/motd
+ dest: /etc/motd
+ mode: 0644
diff --git a/tasks/ntp.yml b/tasks/ntp.yml
new file mode 100644
index 0000000..3ebba86
--- /dev/null
+++ b/tasks/ntp.yml
@@ -0,0 +1,9 @@
+- name: Install systemd-timesyncd
+ apt:
+ name: systemd-timesyncd
+
+- name: Enable/start NTP
+ systemd:
+ name: systemd-timesyncd
+ enabled: yes
+ state: started
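Review bot: The "Configure credentials" task in tasks/mail.yml renders the SASL password file from secrets.yml and registers the result without `no_log: true`, so a run with `--diff` or `-v` prints the relay password into the Ansible output and any CI log that captures it; add `no_log: true` to that task. "Update aliases" runs `newaliases` before "Install postfix", which fails on a fresh host where no MTA yet provides that command, so the apt task belongs at the top of the file. Finally, `postmap` creates sasl_passwd.db under the default umask and the follow-up `file` task only tightens it afterwards, leaving a short window where the hashed credentials are world-readable; `shell: umask 077 && postmap /etc/postfix/sasl_passwd` closes it and makes the separate chmod task a no-op safety net.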
diff --git a/tasks/root-shell.yml b/tasks/root-shell.yml
new file mode 100644
index 0000000..8dd4206
--- /dev/null
+++ b/tasks/root-shell.yml
@@ -0,0 +1,10 @@
+- name: Disable root shell
+ user:
+ name: root
+ shell: /usr/sbin/nologin
+
+- name: Disable su for non-wheel users
+ copy:
+ src: ./root/etc/pam.d/su
+ dest: /etc/pam.d/su
+ mode: 0644
diff --git a/tasks/smart.yml b/tasks/smart.yml
new file mode 100644
index 0000000..f88dec7
--- /dev/null
+++ b/tasks/smart.yml
@@ -0,0 +1,23 @@
+- name: Install smartmontools
+ apt:
+ name: smartmontools
+
+- name: Smartd configuration
+ copy:
+ src: ./root/etc/smartd.conf
+ dest: /etc/smartd.conf
+ mode: 0644
+ register: smartd_conf
+
+- name: Enable/start smartmontools
+ systemd:
+ name: smartmontools
+ enabled: yes
+ state: started
+
+- name: Restart smartmontools
+ systemd:
+ name: smartmontools
+ state: restarted
+ when:
+ smartd_conf is changed
diff --git a/tasks/sshd.yml b/tasks/sshd.yml
new file mode 100644
index 0000000..054eef2
--- /dev/null
+++ b/tasks/sshd.yml
@@ -0,0 +1,17 @@
+# SSH must be installed and enabled for ansible to even connect so we don't bother with installing
+# and starting it.
+
+- name: Configure sshd
+ template:
+ src: ./root/etc/ssh/sshd_config.d/00-yggdrasil.conf.j2
+ dest: /etc/ssh/sshd_config.d/00-yggdrasil.conf
+ mode: 0600
+ register: sshd_conf
+
+- name: Restart sshd
+ systemd:
+ name: sshd
+ enabled: yes
+ state: restarted
+ when:
+ sshd_conf is changed
diff --git a/tasks/systemd-mail.yml b/tasks/systemd-mail.yml
new file mode 100644
index 0000000..8e407a9
--- /dev/null
+++ b/tasks/systemd-mail.yml
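Review bot: tasks/root-shell.yml sets root's login shell to /usr/sbin/nologin, which as far as I recall also affects rescue.target and emergency.target, because sulogin executes root's configured shell, so a broken boot may offer no console at all rather than a root prompt; confirm on the target and, if that is not wanted, the common alternative is to keep the shell and lock the password instead. Either way the task deserves a comment stating the intent, e.g. `# Intentional: root is only reachable via sudo from the admin user; note this also removes the sulogin rescue shell.` The second task's name says "non-wheel users", but Debian has no wheel group by default and uses `sudo`; the copied /etc/pam.d/su is not visible here, so check that the group it names actually exists on the host, or `su` may not behave as the task name implies.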
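Review bot: tasks/sshd.yml restarts sshd immediately after writing the drop-in with no syntax check, so a typo in 00-yggdrasil.conf.j2 leaves the daemon down and the host unreachable until someone has console access. Insert a task between the two, `- name: Check sshd config` / `command: sshd -t` / `when: sshd_conf is changed`, which fails the play before the restart is reached; a `validate:` on the template itself does not fit because `sshd -t -f` would test the drop-in in isolation instead of the merged configuration. Using `state: reloaded` rather than `restarted` would additionally keep existing sessions, including Ansible's own, alive if something still goes wrong, though whether the unit's reload path re-validates first is distribution-specific and not visible in this diff. The header comment is worth extending with the reason for the `00-` prefix if it is what I suspect, i.e. that first-match-wins in sshd_config.d makes it override the distribution defaults.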
@@ -0,0 +1,18 @@
+- name: SystemD mail script
+ template:
+ src: ./root/usr/local/sbin/systemd-mail-systemctl-status.j2
+ dest: /usr/local/sbin/systemd-mail-systemctl-status
+ mode: 0755
+
+- name: SystemD mail service
+ copy:
+ src: ./root/etc/systemd/system/status-mail@.service
+ dest: /etc/systemd/system/status-mail@.service
+ mode: 0644
+ register: systemd_status_mail_service_file
+
+- name: SystemD daemon reload
+ systemd:
+ daemon_reload: true
+ when:
+ systemd_status_mail_service_file is changed
diff --git a/tasks/trim.yml b/tasks/trim.yml
new file mode 100644
index 0000000..b90fd35
--- /dev/null
+++ b/tasks/trim.yml
@@ -0,0 +1,38 @@
+- name: Enable fstrim
+ systemd:
+ name: fstrim.timer
+ enabled: yes
+ state: started
+
+- name: Zfs trim service file
+ copy:
+ src: ./root/etc/systemd/system/zfs-trim@.service
+ dest: /etc/systemd/system/zfs-trim@.service
+ mode: 0644
+ register: systemd_zfs_trim_service_file
+
+- name: Zfs trim timer file
+ copy:
+ src: ./root/etc/systemd/system/zfs-trim-monthly@.timer
+ dest: /etc/systemd/system/zfs-trim-monthly@.timer
+ mode: 0644
+ register: systemd_zfs_trim_monthly_timer_file
+
+- name: SystemD daemon reload
+ systemd:
+ daemon_reload: true
+ when:
+ systemd_zfs_trim_service_file is changed or
+ systemd_zfs_trim_monthly_timer_file is changed
+
+- name: Enable zfs trim of bpool
+ systemd:
+ name: zfs-trim-monthly@bpool.timer
+ enabled: yes
+ state: started
+
+- name: Enable zfs trim of rpool
+ systemd:
+ name: zfs-trim-monthly@rpool.timer
+ enabled: yes
+ state: started
diff --git a/tasks/unattended-upgrades.yml b/tasks/unattended-upgrades.yml
new file mode 100644
index 0000000..579c274
--- /dev/null
+++ b/tasks/unattended-upgrades.yml
@@ -0,0 +1,15 @@
+- name: Install unattended-upgrades
+ apt:
+ name: unattended-upgrades
+
+- name: Configure unattended-upgrades
+ copy:
+ src: ./root/etc/apt/apt.conf.d/50unattended-upgrades
+ dest: /etc/apt/apt.conf.d/50unattended-upgrades
+ mode: 0644
+
+- name: Enable unattended-upgrades
+ copy:
+ src: ./root/etc/apt/apt.conf.d/20auto-upgrades
+ dest: /etc/apt/apt.conf.d/20auto-upgrades
+ mode: 0644
diff --git a/tasks/ups.yml b/tasks/ups.yml
new file mode 100644
index 0000000..6b257e1
--- /dev/null
+++ b/tasks/ups.yml
@@ -0,0 +1,23 @@
+- name: Install acpupsd
+ apt:
+ name: apcupsd
+
+- name: Apcupsd configuration
+ copy:
+ src: ./root/etc/apcupsd/apcupsd.conf
+ dest: /etc/apcupsd/apcupsd.conf
+ mode: 0644
+ register: apcupsd_conf
+
+- name: Enable/start apcupsd
+ systemd:
+ name: apcupsd
+ enabled: yes
+ state: started
+
+- name: Restart apcupsd
+ systemd:
+ name: apcupsd
+ state: restarted
+ when:
+ apcupsd_conf is changed
diff --git a/tasks/user.yml b/tasks/user.yml
new file mode 100644
index 0000000..0418081
--- /dev/null
+++ b/tasks/user.yml
@@ -0,0 +1,22 @@
+- name: Clone tmux dotfiles
+ become: no
+ git:
+ repo: https://gitlab.wojciechkozlowski.eu/config/tmux.git
+ dest: .tmux
+ recursive: yes
+
+- name: Configure tmux
+ become: no
+ copy:
+ src: ./root/home/user/tmux.conf
+ dest: .tmux.conf
+ mode: 0644
+
+- name: Configure bashrc
+ become: no
+ copy:
+ src: ./root/home/user/bashrc
+ dest: .bashrc
+ mode: 0644
+
+# On first tmux launch install plugins with
diff --git a/tasks/utils.yml b/tasks/utils.yml
new file mode 100644
index 0000000..8a3410a
--- /dev/null
+++ b/tasks/utils.yml
@@ -0,0 +1,7 @@
+- name: Install utility programs
+ apt:
+ name:
+ - git
+ - htop
+ - man
+ - tmux
diff --git a/tasks/zfs-scrub.yml b/tasks/zfs-scrub.yml
new file mode 100644
index 0000000..240f543
--- /dev/null
+++ b/tasks/zfs-scrub.yml
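Review bot: "Clone tmux dotfiles" in tasks/user.yml checks out the default branch of an external repository with `recursive: yes` and no `version:`, so every run pulls whatever that remote and its submodules currently point at and drops it into configuration that the user's tmux will execute on next launch; pin it with `version:` set to a specific commit (a tag also works but can be moved) so a compromised or merely changed upstream cannot alter the host silently. The trailing comment `# On first tmux launch install plugins with` is cut off mid-sentence and should either name the keybinding or command it meant, or be removed. The relative `dest: .tmux` / `.tmux.conf` / `.bashrc` with `become: no` rely on the remote user's home being the working directory, which is Ansible's default but is worth stating in a comment, e.g. `# Paths are relative to the connecting user's home; these tasks deliberately run unprivileged.`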
@@ -0,0 +1,38 @@
+- name: Zpool status mail script
+ template:
+ src: ./root/usr/local/sbin/systemd-mail-zpool-status.j2
+ dest: /usr/local/sbin/systemd-mail-zpool-status
+ mode: 0755
+
+- name: Zfs scrub service file
+ copy:
+ src: ./root/etc/systemd/system/zfs-scrub@.service
+ dest: /etc/systemd/system/zfs-scrub@.service
+ mode: 0644
+ register: systemd_zfs_scrub_service_file
+
+- name: Zfs scrub timer file
+ copy:
+ src: ./root/etc/systemd/system/zfs-scrub-monthly@.timer
+ dest: /etc/systemd/system/zfs-scrub-monthly@.timer
+ mode: 0644
+ register: systemd_zfs_scrub_monthly_timer_file
+
+- name: SystemD daemon reload
+ systemd:
+ daemon_reload: true
+ when:
+ systemd_zfs_scrub_service_file is changed or
+ systemd_zfs_scrub_monthly_timer_file is changed
+
+- name: Enable zfs scrub of bpool
+ systemd:
+ name: zfs-scrub-monthly@bpool.timer
+ enabled: yes
+ state: started
+
+- name: Enable zfs scrub of rpool
+ systemd:
+ name: zfs-scrub-monthly@rpool.timer
+ enabled: yes
+ state: started
diff --git a/tasks/zfsutils-cron.yml b/tasks/zfsutils-cron.yml
new file mode 100644
index 0000000..ba5eb39
--- /dev/null
+++ b/tasks/zfsutils-cron.yml
@@ -0,0 +1,4 @@
+- name: Remove the zfsutils cron job
+ file:
+ state: absent
+ path: /etc/cron.d/zfsutils-linux