Split machine playbook
This commit is contained in:
parent
e4e7f91612
commit
d65284a6fe
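--- a/machine.yml
+++ b/machine.yml
@@ -5,453 +5,20 @@
 - secrets.yml
 
 tasks:
-
-# ----------------------------------------------------------------------------------------------
-# SSH configuration.
-# ----------------------------------------------------------------------------------------------
-
-# SSH must be installed and enabled for ansible to even connect so we don't bother with
-# installing and starting it.
-
-- name: Configure sshd
-template:
-src: ./root/etc/ssh/sshd_config.d/00-yggdrasil.conf.j2
-dest: /etc/ssh/sshd_config.d/00-yggdrasil.conf
-mode: 0600
-register: sshd_conf
-
-- name: Restart sshd
-systemd:
-name: sshd
-enabled: yes
-state: restarted
-when:
-sshd_conf is changed
-
-# -------------------------------------------------------------------------
-# Firewall configuration.
-# -------------------------------------------------------------------------
-
-- name: Install nftables
-apt:
-name: nftables
-
-- name: Configure nftables
-template:
-src: ./root/etc/nftables.conf.j2
-dest: /etc/nftables.conf
-mode: 0755
-register: nftables_conf
-
-- name: Enable/start nftables
-systemd:
-name: nftables
-state: started
-enabled: yes
-
-- name: Restart nftables
-systemd:
-name: nftables
-state: restarted
-when:
-nftables_conf is changed
-
-# ----------------------------------------------------------------------------------------------
-# NTP configuration.
-# ----------------------------------------------------------------------------------------------
-
-- name: Install systemd-timesyncd
-apt:
-name: systemd-timesyncd
-
-- name: Enable/start NTP
-systemd:
-name: systemd-timesyncd
-enabled: yes
-state: started
-
-# ----------------------------------------------------------------------------------------------
-# E-mail configuration.
-# ----------------------------------------------------------------------------------------------
-
-- name: Configure mailname
-template:
-src: ./root/etc/mailname.j2
-dest: /etc/mailname
-mode: 0644
-register: mail_mailname
-
-- name: Configure aliases
-template:
-src: ./root/etc/aliases.j2
-dest: /etc/aliases
-mode: 0644
-register: mail_aliases
-
-- name: Update aliases
-command: newaliases
-when: mail_aliases is changed
-
-- name: Configure mailutils
-template:
-src: ./root/etc/mailutils.conf.j2
-dest: /etc/mailutils.conf
-mode: 0644
-
-- name: Install postfix
-apt:
-name:
-- postfix
-- ca-certificates
-- libsasl2-modules
-
-- name: Configure postfix
-template:
-src: ./root/etc/postfix/main.cf.j2
-dest: /etc/postfix/main.cf
-mode: 0644
-register: mail_postfix_conf
-
-- name: Configure credentials
-template:
-src: ./root/etc/postfix/sasl_passwd.j2
-dest: /etc/postfix/sasl_passwd
-mode: 0600
-register: mail_postfix_credentials
-
-- name: Create hash database
-command: postmap /etc/postfix/sasl_passwd
-when:
-mail_postfix_credentials is changed
-
-- name: Set hash database permissions
-file:
-path: /etc/postfix/sasl_passwd.db
-mode: 0600
-
-- name: Enable/start postfix
-systemd:
-name: postfix
-enabled: yes
-state: started
-
-- name: Restart postfix
-systemd:
-name: postfix
-state: restarted
-when:
-mail_mailname is changed or
-mail_aliases is changed or
-mail_postfix_conf is changed or
-mail_postfix_credentials is changed
-
-# -------------------------------------------------------------------------
-# Unattended upgrades configuration.
-# -------------------------------------------------------------------------
-
-- name: Install unattended-upgrades
-apt:
-name: unattended-upgrades
-
-- name: Configure unattended-upgrades
-copy:
-src: ./root/etc/apt/apt.conf.d/50unattended-upgrades
-dest: /etc/apt/apt.conf.d/50unattended-upgrades
-mode: 0644
-
-- name: Enable unattended-upgrades
-copy:
-src: ./root/etc/apt/apt.conf.d/20auto-upgrades
-dest: /etc/apt/apt.conf.d/20auto-upgrades
-mode: 0644
-
-# ----------------------------------------------------------------------------------------------
-# Fail2Ban configuration.
-# ----------------------------------------------------------------------------------------------
-
-- name: Install fail2ban
-apt:
-name: fail2ban
-
-- name: Configure fail2ban
-template:
-src: ./root/etc/fail2ban/jail.local.j2
-dest: /etc/fail2ban/jail.local
-mode: 0644
-register: fail2ban_conf
-
-- name: Configure fail2ban sshd jail
-template:
-src: ./root/etc/fail2ban/jail.d/sshd.local.j2
-dest: /etc/fail2ban/jail.d/sshd.local
-mode: 0644
-register: fail2ban_sshd_jail
-
-- name: Enable/start fail2ban
-systemd:
-name: fail2ban
-state: started
-enabled: yes
-
-- name: Restart fail2ban
-systemd:
-name: fail2ban
-state: restarted
-when:
-fail2ban_conf is changed or
-fail2ban_sshd_jail is changed
-
-# ----------------------------------------------------------------------------------------------
-# SystemD mails.
-# ----------------------------------------------------------------------------------------------
-
-- name: SystemD mail script
-template:
-src: ./root/usr/local/sbin/systemd-mail-systemctl-status.j2
-dest: /usr/local/sbin/systemd-mail-systemctl-status
-mode: 0755
-
-- name: SystemD mail service
-copy:
-src: ./root/etc/systemd/system/status-mail@.service
-dest: /etc/systemd/system/status-mail@.service
-mode: 0644
-register: systemd_status_mail_service_file
-
-- name: SystemD daemon reload
-systemd:
-daemon_reload: true
-when:
-systemd_status_mail_service_file is changed
-
-# ----------------------------------------------------------------------------------------------
-# ZFS scrubbing.
-# ----------------------------------------------------------------------------------------------
-
-- name: Zpool status mail script
-template:
-src: ./root/usr/local/sbin/systemd-mail-zpool-status.j2
-dest: /usr/local/sbin/systemd-mail-zpool-status
-mode: 0755
-
-- name: Zfs scrub service file
-copy:
-src: ./root/etc/systemd/system/zfs-scrub@.service
-dest: /etc/systemd/system/zfs-scrub@.service
-mode: 0644
-register: systemd_zfs_scrub_service_file
-
-- name: Zfs scrub timer file
-copy:
-src: ./root/etc/systemd/system/zfs-scrub-monthly@.timer
-dest: /etc/systemd/system/zfs-scrub-monthly@.timer
-mode: 0644
-register: systemd_zfs_scrub_monthly_timer_file
-
-- name: SystemD daemon reload
-systemd:
-daemon_reload: true
-when:
-systemd_zfs_scrub_service_file is changed or
-systemd_zfs_scrub_monthly_timer_file is changed
-
-- name: Enable zfs scrub of bpool
-systemd:
-name: zfs-scrub-monthly@bpool.timer
-enabled: yes
-state: started
-
-- name: Enable zfs scrub of rpool
-systemd:
-name: zfs-scrub-monthly@rpool.timer
-enabled: yes
-state: started
-
-# ----------------------------------------------------------------------------------------------
-# Filesystem TRIM.
-# ----------------------------------------------------------------------------------------------
-
-- name: Enable fstrim
-systemd:
-name: fstrim.timer
-enabled: yes
-state: started
-
-- name: Zfs trim service file
-copy:
-src: ./root/etc/systemd/system/zfs-trim@.service
-dest: /etc/systemd/system/zfs-trim@.service
-mode: 0644
-register: systemd_zfs_trim_service_file
-
-- name: Zfs trim timer file
-copy:
-src: ./root/etc/systemd/system/zfs-trim-monthly@.timer
-dest: /etc/systemd/system/zfs-trim-monthly@.timer
-mode: 0644
-register: systemd_zfs_trim_monthly_timer_file
-
-- name: SystemD daemon reload
-systemd:
-daemon_reload: true
-when:
-systemd_zfs_trim_service_file is changed or
-systemd_zfs_trim_monthly_timer_file is changed
-
-- name: Enable zfs trim of bpool
-systemd:
-name: zfs-trim-monthly@bpool.timer
-enabled: yes
-state: started
-
-- name: Enable zfs trim of rpool
-systemd:
-name: zfs-trim-monthly@rpool.timer
-enabled: yes
-state: started
-
-- name: Remove the zfsutils cron job
-file:
-state: absent
-path: /etc/cron.d/zfsutils-linux
-
-# ----------------------------------------------------------------------------------------------
-# UPS configuration.
-# ----------------------------------------------------------------------------------------------
-
-- name: Install acpupsd
-apt:
-name: apcupsd
-
-- name: Apcupsd configuration
-copy:
-src: ./root/etc/apcupsd/apcupsd.conf
-dest: /etc/apcupsd/apcupsd.conf
-mode: 0644
-register: apcupsd_conf
-
-- name: Enable/start apcupsd
-systemd:
-name: apcupsd
-enabled: yes
-state: started
-
-- name: Restart apcupsd
-systemd:
-name: apcupsd
-state: restarted
-when:
-apcupsd_conf is changed
-
-# ----------------------------------------------------------------------------------------------
-# Disk monitoring.
-# ----------------------------------------------------------------------------------------------
-
-- name: Install smartmontools
-apt:
-name: smartmontools
-
-- name: Smartd configuration
-copy:
-src: ./root/etc/smartd.conf
-dest: /etc/smartd.conf
-mode: 0644
-register: smartd_conf
-
-- name: Enable/start smartmontools
-systemd:
-name: smartmontools
-enabled: yes
-state: started
-
-- name: Restart smartmontools
-systemd:
-name: smartmontools
-state: restarted
-when:
-smartd_conf is changed
-
-# -------------------------------------------------------------------------
-# Log monitoring.
-# -------------------------------------------------------------------------
-
-- name: Install logcheck and logrotate
-apt:
-name:
-- logcheck
-- logrotate
-
-- name: Configure logcheck
-template:
-src: ./root/etc/logcheck/ignore.d.server/yggdrasil.j2
-dest: /etc/logcheck/ignore.d.server/yggdrasil
-group: logcheck
-mode: 0644
-
-# -------------------------------------------------------------------------
-# Set MotD.
-# -------------------------------------------------------------------------
-
-- name: Set MotD
-copy:
-src: ./root/etc/motd
-dest: /etc/motd
-mode: 0644
-
-# ----------------------------------------------------------------------------------------------
-# Utility programs.
-# ----------------------------------------------------------------------------------------------
-
-- name: Install utility programs
-apt:
-name:
-- git
-- htop
-- man
-
-# ----------------------------------------------------------------------------------------------
-# Set up utilities for the user.
-# ----------------------------------------------------------------------------------------------
-
-- name: Install tmux
-apt:
-name:
-- tmux
-
-- name: Clone tmux dotfiles
-become: no
-git:
-repo: https://gitlab.wojciechkozlowski.eu/config/tmux.git
-dest: .tmux
-recursive: yes
-
-- name: Configure tmux
-become: no
-copy:
-src: ./root/home/user/tmux.conf
-dest: .tmux.conf
-mode: 0644
-
-- name: Configure bashrc
-become: no
-copy:
-src: ./root/home/user/bashrc
-dest: .bashrc
-mode: 0644
-
-# On first tmux launch install plugins with <Ctrl + a + I>
-
-# ----------------------------------------------------------------------------------------------
-# Set the root's shell to nologin.
-# ----------------------------------------------------------------------------------------------
-
-- name: Disable root shell
-user:
-name: root
-shell: /usr/sbin/nologin
-
-- name: Disable su for non-wheel users
-copy:
-src: ./root/etc/pam.d/su
-dest: /etc/pam.d/su
-mode: 0644
+- import_tasks: tasks/sshd.yml
+- import_tasks: tasks/firewall.yml
+- import_tasks: tasks/ntp.yml
+- import_tasks: tasks/mail.yml
+- import_tasks: tasks/unattended-upgrades.yml
+- import_tasks: tasks/fail2ban.yml
+- import_tasks: tasks/systemd-mail.yml
+- import_tasks: tasks/zfs-scrub.yml
+- import_tasks: tasks/trim.yml
+- import_tasks: tasks/zfsutils-cron.yml
+- import_tasks: tasks/ups.yml
+- import_tasks: tasks/smart.yml
+- import_tasks: tasks/logs.yml
+- import_tasks: tasks/motd.yml
+- import_tasks: tasks/utils.yml
+- import_tasks: tasks/user.yml
+- import_tasks: tasks/root-shell.yml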
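Review bot: The seventeen `import_tasks` entries carry no `tags`, so after the split there is still no way to run one area (the firewall or sshd tasks, say) on its own short of `--start-at-task`. Tagging each import, e.g. `- import_tasks: tasks/firewall.yml` followed by `tags: firewall`, propagates to every task in the imported file and is the usual companion to this kind of split. The import order presumably still encodes dependencies that the old section headers made visible (the systemd mail script in systemd-mail.yml needs postfix from mail.yml, for instance), so a one-line comment above the list saying the order is deliberate would keep a later reorder from breaking it silently.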
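--- /dev/null
+++ b/tasks/fail2ban.yml
@@ -0,0 +1,31 @@
+- name: Install fail2ban
+apt:
+name: fail2ban
+
+- name: Configure fail2ban
+template:
+src: ./root/etc/fail2ban/jail.local.j2
+dest: /etc/fail2ban/jail.local
+mode: 0644
+register: fail2ban_conf
+
+- name: Configure fail2ban sshd jail
+template:
+src: ./root/etc/fail2ban/jail.d/sshd.local.j2
+dest: /etc/fail2ban/jail.d/sshd.local
+mode: 0644
+register: fail2ban_sshd_jail
+
+- name: Enable/start fail2ban
+systemd:
+name: fail2ban
+state: started
+enabled: yes
+
+- name: Restart fail2ban
+systemd:
+name: fail2ban
+state: restarted
+when:
+fail2ban_conf is changed or
+fail2ban_sshd_jail is changed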
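Review bot: `enabled: yes` on the Enable/start fail2ban task is the YAML 1.1 truthy spelling that yamllint and ansible-lint both flag, and it sits alongside `daemon_reload: true` in tasks/systemd-mail.yml, so the split leaves two boolean styles across the new files. Writing `enabled: true` here, and the same for the `enabled: yes`, `become: no` and `recursive: yes` lines in tasks/firewall.yml, tasks/mail.yml, tasks/ntp.yml, tasks/smart.yml, tasks/sshd.yml, tasks/trim.yml, tasks/ups.yml, tasks/user.yml and tasks/zfs-scrub.yml, keeps the set consistent. The octal `mode:` values are accepted with the leading zero but are less fragile quoted, `mode: "0644"`, since a dropped zero would silently become a decimal mode.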
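--- /dev/null
+++ b/tasks/firewall.yml
@@ -0,0 +1,23 @@
+- name: Install nftables
+apt:
+name: nftables
+
+- name: Configure nftables
+template:
+src: ./root/etc/nftables.conf.j2
+dest: /etc/nftables.conf
+mode: 0755
+register: nftables_conf
+
+- name: Enable/start nftables
+systemd:
+name: nftables
+state: started
+enabled: yes
+
+- name: Restart nftables
+systemd:
+name: nftables
+state: restarted
+when:
+nftables_conf is changed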
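Review bot: Configure nftables installs the rendered ruleset and Restart nftables then loads it with no syntax check in between, so a rendering error reaches `nft -f` on the live host; with Debian's unit a failed restart is likely to leave the ruleset flushed rather than the previous rules in place. The template module can check the file before it is moved into place, `validate: /usr/sbin/nft -c -f %s` on the Configure nftables task, which turns a bad template into a failed task instead of a host without a firewall. `mode: 0755` on /etc/nftables.conf matches the Debian default, which presumably relies on the template keeping the `#!/usr/sbin/nft -f` shebang.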
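--- /dev/null
+++ b/tasks/logs.yml
@@ -0,0 +1,12 @@
+- name: Install logcheck and logrotate
+apt:
+name:
+- logcheck
+- logrotate
+
+- name: Configure logcheck
+template:
+src: ./root/etc/logcheck/ignore.d.server/yggdrasil.j2
+dest: /etc/logcheck/ignore.d.server/yggdrasil
+group: logcheck
+mode: 0644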
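--- /dev/null
+++ b/tasks/mail.yml
@@ -0,0 +1,70 @@
+- name: Configure mailname
+template:
+src: ./root/etc/mailname.j2
+dest: /etc/mailname
+mode: 0644
+register: mail_mailname
+
+- name: Configure aliases
+template:
+src: ./root/etc/aliases.j2
+dest: /etc/aliases
+mode: 0644
+register: mail_aliases
+
+- name: Update aliases
+command: newaliases
+when: mail_aliases is changed
+
+- name: Configure mailutils
+template:
+src: ./root/etc/mailutils.conf.j2
+dest: /etc/mailutils.conf
+mode: 0644
+
+- name: Install postfix
+apt:
+name:
+- postfix
+- ca-certificates
+- libsasl2-modules
+
+- name: Configure postfix
+template:
+src: ./root/etc/postfix/main.cf.j2
+dest: /etc/postfix/main.cf
+mode: 0644
+register: mail_postfix_conf
+
+- name: Configure credentials
+template:
+src: ./root/etc/postfix/sasl_passwd.j2
+dest: /etc/postfix/sasl_passwd
+mode: 0600
+register: mail_postfix_credentials
+
+- name: Create hash database
+command: postmap /etc/postfix/sasl_passwd
+when:
+mail_postfix_credentials is changed
+
+- name: Set hash database permissions
+file:
+path: /etc/postfix/sasl_passwd.db
+mode: 0600
+
+- name: Enable/start postfix
+systemd:
+name: postfix
+enabled: yes
+state: started
+
+- name: Restart postfix
+systemd:
+name: postfix
+state: restarted
+when:
+mail_mailname is changed or
+mail_aliases is changed or
+mail_postfix_conf is changed or
+mail_postfix_credentials is changed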
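Review bot: Configure credentials renders `sasl_passwd`, which by its name holds the relay login, without `no_log: true`, so a run with `-v` or `--diff` prints the rendered secret into the Ansible output and any log that captures it; `no_log: true` on that task (and `diff: false` if the play is run with diff mode) keeps it out. Separately, Set hash database permissions uses `file:` with no `state:`, which defaults to `file` and fails when `/etc/postfix/sasl_passwd.db` is absent, for instance after it was removed by hand on a host where the template is unchanged and so `postmap` is skipped. Gating Create hash database on a `stat` of the `.db` as well as on `mail_postfix_credentials is changed` would make a re-run self-healing rather than a hard failure.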
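--- /dev/null
+++ b/tasks/motd.yml
@@ -0,0 +1,5 @@
+- name: Set MotD
+copy:
+src: ./root/etc/motd
+dest: /etc/motd
+mode: 0644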
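--- /dev/null
+++ b/tasks/ntp.yml
@@ -0,0 +1,9 @@
+- name: Install systemd-timesyncd
+apt:
+name: systemd-timesyncd
+
+- name: Enable/start NTP
+systemd:
+name: systemd-timesyncd
+enabled: yes
+state: started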
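--- /dev/null
+++ b/tasks/root-shell.yml
@@ -0,0 +1,10 @@
+- name: Disable root shell
+user:
+name: root
+shell: /usr/sbin/nologin
+
+- name: Disable su for non-wheel users
+copy:
+src: ./root/etc/pam.d/su
+dest: /etc/pam.d/su
+mode: 0644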
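Review bot: Disable su for non-wheel users replaces the whole of /etc/pam.d/su with a static copy right after Disable root shell sets root's shell to nologin, so a mistake in the copied PAM file leaves sudo as the only remaining path to root on the host. The task name presumably refers to `pam_wheel`, and Debian ships no `wheel` group by default, so the group named in that file needs to exist and contain the admin account before this runs; worth a comment above the task stating which group it relies on. At minimum `backup: true` on the copy task keeps the distribution file recoverable if the new one turns out wrong.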
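--- /dev/null
+++ b/tasks/smart.yml
@@ -0,0 +1,23 @@
+- name: Install smartmontools
+apt:
+name: smartmontools
+
+- name: Smartd configuration
+copy:
+src: ./root/etc/smartd.conf
+dest: /etc/smartd.conf
+mode: 0644
+register: smartd_conf
+
+- name: Enable/start smartmontools
+systemd:
+name: smartmontools
+enabled: yes
+state: started
+
+- name: Restart smartmontools
+systemd:
+name: smartmontools
+state: restarted
+when:
+smartd_conf is changed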
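--- /dev/null
+++ b/tasks/sshd.yml
@@ -0,0 +1,17 @@
+# SSH must be installed and enabled for ansible to even connect so we don't bother with installing
+# and starting it.
+
+- name: Configure sshd
+template:
+src: ./root/etc/ssh/sshd_config.d/00-yggdrasil.conf.j2
+dest: /etc/ssh/sshd_config.d/00-yggdrasil.conf
+mode: 0600
+register: sshd_conf
+
+- name: Restart sshd
+systemd:
+name: sshd
+enabled: yes
+state: restarted
+when:
+sshd_conf is changed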
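Review bot: Configure sshd drops a rendered fragment into `sshd_config.d` and Restart sshd then bounces the daemon whenever it changed, with nothing validating the fragment first; the file's own header comment notes that Ansible depends on sshd being reachable, so a template error here is a remote lockout rather than a failed task. The template module's `validate` parameter runs a check against the temporary file before it is moved into place, `validate: /usr/sbin/sshd -t -f %s`, which parses a fragment on its own as long as it only uses standard keywords. `enabled: yes` together with `state: restarted` on one task also re-asserts the enablement on every change, which is harmless but mixes two intents that the other split files keep in separate Enable/start and Restart tasks.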
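--- /dev/null
+++ b/tasks/systemd-mail.yml
@@ -0,0 +1,18 @@
+- name: SystemD mail script
+template:
+src: ./root/usr/local/sbin/systemd-mail-systemctl-status.j2
+dest: /usr/local/sbin/systemd-mail-systemctl-status
+mode: 0755
+
+- name: SystemD mail service
+copy:
+src: ./root/etc/systemd/system/status-mail@.service
+dest: /etc/systemd/system/status-mail@.service
+mode: 0644
+register: systemd_status_mail_service_file
+
+- name: SystemD daemon reload
+systemd:
+daemon_reload: true
+when:
+systemd_status_mail_service_file is changed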
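Review bot: SystemD daemon reload is an ordinary task gated on `when: systemd_status_mail_service_file is changed`, and the same task is repeated under the same name in tasks/trim.yml and tasks/zfs-scrub.yml with their own registered variables, so a run that touches all three unit files reloads systemd three times and every future unit file needs its own copy of the register/when pair. A handler in machine.yml, `- name: daemon-reload` with `systemd: daemon_reload: true` under `handlers:`, plus `notify: daemon-reload` on each copy task, runs once at the end of the play and drops the bookkeeping; the same applies to the Restart-when-changed tasks in the other split files. Since the split is the moment these files are being created, it is the cheapest point to make that change.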
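--- /dev/null
+++ b/tasks/trim.yml
@@ -0,0 +1,38 @@
+- name: Enable fstrim
+systemd:
+name: fstrim.timer
+enabled: yes
+state: started
+
+- name: Zfs trim service file
+copy:
+src: ./root/etc/systemd/system/zfs-trim@.service
+dest: /etc/systemd/system/zfs-trim@.service
+mode: 0644
+register: systemd_zfs_trim_service_file
+
+- name: Zfs trim timer file
+copy:
+src: ./root/etc/systemd/system/zfs-trim-monthly@.timer
+dest: /etc/systemd/system/zfs-trim-monthly@.timer
+mode: 0644
+register: systemd_zfs_trim_monthly_timer_file
+
+- name: SystemD daemon reload
+systemd:
+daemon_reload: true
+when:
+systemd_zfs_trim_service_file is changed or
+systemd_zfs_trim_monthly_timer_file is changed
+
+- name: Enable zfs trim of bpool
+systemd:
+name: zfs-trim-monthly@bpool.timer
+enabled: yes
+state: started
+
+- name: Enable zfs trim of rpool
+systemd:
+name: zfs-trim-monthly@rpool.timer
+enabled: yes
+state: started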
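--- /dev/null
+++ b/tasks/unattended-upgrades.yml
@@ -0,0 +1,15 @@
+- name: Install unattended-upgrades
+apt:
+name: unattended-upgrades
+
+- name: Configure unattended-upgrades
+copy:
+src: ./root/etc/apt/apt.conf.d/50unattended-upgrades
+dest: /etc/apt/apt.conf.d/50unattended-upgrades
+mode: 0644
+
+- name: Enable unattended-upgrades
+copy:
+src: ./root/etc/apt/apt.conf.d/20auto-upgrades
+dest: /etc/apt/apt.conf.d/20auto-upgrades
+mode: 0644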
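--- /dev/null
+++ b/tasks/ups.yml
@@ -0,0 +1,23 @@
+- name: Install acpupsd
+apt:
+name: apcupsd
+
+- name: Apcupsd configuration
+copy:
+src: ./root/etc/apcupsd/apcupsd.conf
+dest: /etc/apcupsd/apcupsd.conf
+mode: 0644
+register: apcupsd_conf
+
+- name: Enable/start apcupsd
+systemd:
+name: apcupsd
+enabled: yes
+state: started
+
+- name: Restart apcupsd
+systemd:
+name: apcupsd
+state: restarted
+when:
+apcupsd_conf is changed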
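Review bot: The task name `Install acpupsd` misspells the package the task installs (`name: apcupsd`), a typo carried over from the old machine.yml that is easy to drop while the file is being created: `- name: Install apcupsd`. The rest of the install/copy/enable/restart sequence matches the pattern used in the other split files.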
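--- /dev/null
+++ b/tasks/user.yml
@@ -0,0 +1,22 @@
+- name: Clone tmux dotfiles
+become: no
+git:
+repo: https://gitlab.wojciechkozlowski.eu/config/tmux.git
+dest: .tmux
+recursive: yes
+
+- name: Configure tmux
+become: no
+copy:
+src: ./root/home/user/tmux.conf
+dest: .tmux.conf
+mode: 0644
+
+- name: Configure bashrc
+become: no
+copy:
+src: ./root/home/user/bashrc
+dest: .bashrc
+mode: 0644
+
+# On first tmux launch install plugins with <Ctrl + a + I>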
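Review bot: Clone tmux dotfiles checks out whatever HEAD of `https://gitlab.wojciechkozlowski.eu/config/tmux.git` currently is, and `recursive: yes` pulls every submodule the same way, so the shell configuration deployed to the host changes silently whenever that repository or one of its submodules does. Pinning with `version: <tag-or-commit>` under `git:` makes the deployment reproducible and turns an upstream change into an explicit diff in this playbook instead. The trailing comment also means the deployed state is incomplete until a manual step runs; putting that in the task name, or a `debug` message at the end of the file, makes it visible in the play output rather than only to someone reading the source.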
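--- /dev/null
+++ b/tasks/utils.yml
@@ -0,0 +1,7 @@
+- name: Install utility programs
+apt:
+name:
+- git
+- htop
+- man
+- tmux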
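--- /dev/null
+++ b/tasks/zfs-scrub.yml
@@ -0,0 +1,38 @@
+- name: Zpool status mail script
+template:
+src: ./root/usr/local/sbin/systemd-mail-zpool-status.j2
+dest: /usr/local/sbin/systemd-mail-zpool-status
+mode: 0755
+
+- name: Zfs scrub service file
+copy:
+src: ./root/etc/systemd/system/zfs-scrub@.service
+dest: /etc/systemd/system/zfs-scrub@.service
+mode: 0644
+register: systemd_zfs_scrub_service_file
+
+- name: Zfs scrub timer file
+copy:
+src: ./root/etc/systemd/system/zfs-scrub-monthly@.timer
+dest: /etc/systemd/system/zfs-scrub-monthly@.timer
+mode: 0644
+register: systemd_zfs_scrub_monthly_timer_file
+
+- name: SystemD daemon reload
+systemd:
+daemon_reload: true
+when:
+systemd_zfs_scrub_service_file is changed or
+systemd_zfs_scrub_monthly_timer_file is changed
+
+- name: Enable zfs scrub of bpool
+systemd:
+name: zfs-scrub-monthly@bpool.timer
+enabled: yes
+state: started
+
+- name: Enable zfs scrub of rpool
+systemd:
+name: zfs-scrub-monthly@rpool.timer
+enabled: yes
+state: started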
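--- /dev/null
+++ b/tasks/zfsutils-cron.yml
@@ -0,0 +1,4 @@
+- name: Remove the zfsutils cron job
+file:
+state: absent
+path: /etc/cron.d/zfsutils-linux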