Split machine playbook

This commit is contained in:
Wojciech Kozlowski 2022-09-11 20:55:30 +02:00
parent e4e7f91612
commit d65284a6fe
18 changed files with 382 additions and 450 deletions


@ -5,453 +5,20 @@
- secrets.yml - secrets.yml
tasks: tasks:
- import_tasks: tasks/sshd.yml
# ---------------------------------------------------------------------------------------------- - import_tasks: tasks/firewall.yml
# SSH configuration. - import_tasks: tasks/ntp.yml
# ---------------------------------------------------------------------------------------------- - import_tasks: tasks/mail.yml
- import_tasks: tasks/unattended-upgrades.yml
# SSH must be installed and enabled for ansible to even connect so we don't bother with - import_tasks: tasks/fail2ban.yml
# installing and starting it. - import_tasks: tasks/systemd-mail.yml
- import_tasks: tasks/zfs-scrub.yml
- name: Configure sshd - import_tasks: tasks/trim.yml
template: - import_tasks: tasks/zfsutils-cron.yml
src: ./root/etc/ssh/sshd_config.d/00-yggdrasil.conf.j2 - import_tasks: tasks/ups.yml
dest: /etc/ssh/sshd_config.d/00-yggdrasil.conf - import_tasks: tasks/smart.yml
mode: 0600 - import_tasks: tasks/logs.yml
register: sshd_conf - import_tasks: tasks/motd.yml
- import_tasks: tasks/utils.yml
- name: Restart sshd - import_tasks: tasks/user.yml
systemd: - import_tasks: tasks/root-shell.yml
name: sshd
enabled: yes
state: restarted
when:
sshd_conf is changed
# -------------------------------------------------------------------------
# Firewall configuration.
# -------------------------------------------------------------------------
- name: Install nftables
apt:
name: nftables
- name: Configure nftables
template:
src: ./root/etc/nftables.conf.j2
dest: /etc/nftables.conf
mode: 0755
register: nftables_conf
- name: Enable/start nftables
systemd:
name: nftables
state: started
enabled: yes
- name: Restart nftables
systemd:
name: nftables
state: restarted
when:
nftables_conf is changed
# ----------------------------------------------------------------------------------------------
# NTP configuration.
# ----------------------------------------------------------------------------------------------
- name: Install systemd-timesyncd
apt:
name: systemd-timesyncd
- name: Enable/start NTP
systemd:
name: systemd-timesyncd
enabled: yes
state: started
# ----------------------------------------------------------------------------------------------
# E-mail configuration.
# ----------------------------------------------------------------------------------------------
- name: Configure mailname
template:
src: ./root/etc/mailname.j2
dest: /etc/mailname
mode: 0644
register: mail_mailname
- name: Configure aliases
template:
src: ./root/etc/aliases.j2
dest: /etc/aliases
mode: 0644
register: mail_aliases
- name: Update aliases
command: newaliases
when: mail_aliases is changed
- name: Configure mailutils
template:
src: ./root/etc/mailutils.conf.j2
dest: /etc/mailutils.conf
mode: 0644
- name: Install postfix
apt:
name:
- postfix
- ca-certificates
- libsasl2-modules
- name: Configure postfix
template:
src: ./root/etc/postfix/main.cf.j2
dest: /etc/postfix/main.cf
mode: 0644
register: mail_postfix_conf
- name: Configure credentials
template:
src: ./root/etc/postfix/sasl_passwd.j2
dest: /etc/postfix/sasl_passwd
mode: 0600
register: mail_postfix_credentials
- name: Create hash database
command: postmap /etc/postfix/sasl_passwd
when:
mail_postfix_credentials is changed
- name: Set hash database permissions
file:
path: /etc/postfix/sasl_passwd.db
mode: 0600
- name: Enable/start postfix
systemd:
name: postfix
enabled: yes
state: started
- name: Restart postfix
systemd:
name: postfix
state: restarted
when:
mail_mailname is changed or
mail_aliases is changed or
mail_postfix_conf is changed or
mail_postfix_credentials is changed
# -------------------------------------------------------------------------
# Unattended upgrades configuration.
# -------------------------------------------------------------------------
- name: Install unattended-upgrades
apt:
name: unattended-upgrades
- name: Configure unattended-upgrades
copy:
src: ./root/etc/apt/apt.conf.d/50unattended-upgrades
dest: /etc/apt/apt.conf.d/50unattended-upgrades
mode: 0644
- name: Enable unattended-upgrades
copy:
src: ./root/etc/apt/apt.conf.d/20auto-upgrades
dest: /etc/apt/apt.conf.d/20auto-upgrades
mode: 0644
# ----------------------------------------------------------------------------------------------
# Fail2Ban configuration.
# ----------------------------------------------------------------------------------------------
- name: Install fail2ban
apt:
name: fail2ban
- name: Configure fail2ban
template:
src: ./root/etc/fail2ban/jail.local.j2
dest: /etc/fail2ban/jail.local
mode: 0644
register: fail2ban_conf
- name: Configure fail2ban sshd jail
template:
src: ./root/etc/fail2ban/jail.d/sshd.local.j2
dest: /etc/fail2ban/jail.d/sshd.local
mode: 0644
register: fail2ban_sshd_jail
- name: Enable/start fail2ban
systemd:
name: fail2ban
state: started
enabled: yes
- name: Restart fail2ban
systemd:
name: fail2ban
state: restarted
when:
fail2ban_conf is changed or
fail2ban_sshd_jail is changed
# ----------------------------------------------------------------------------------------------
# SystemD mails.
# ----------------------------------------------------------------------------------------------
- name: SystemD mail script
template:
src: ./root/usr/local/sbin/systemd-mail-systemctl-status.j2
dest: /usr/local/sbin/systemd-mail-systemctl-status
mode: 0755
- name: SystemD mail service
copy:
src: ./root/etc/systemd/system/status-mail@.service
dest: /etc/systemd/system/status-mail@.service
mode: 0644
register: systemd_status_mail_service_file
- name: SystemD daemon reload
systemd:
daemon_reload: true
when:
systemd_status_mail_service_file is changed
# ----------------------------------------------------------------------------------------------
# ZFS scrubbing.
# ----------------------------------------------------------------------------------------------
- name: Zpool status mail script
template:
src: ./root/usr/local/sbin/systemd-mail-zpool-status.j2
dest: /usr/local/sbin/systemd-mail-zpool-status
mode: 0755
- name: Zfs scrub service file
copy:
src: ./root/etc/systemd/system/zfs-scrub@.service
dest: /etc/systemd/system/zfs-scrub@.service
mode: 0644
register: systemd_zfs_scrub_service_file
- name: Zfs scrub timer file
copy:
src: ./root/etc/systemd/system/zfs-scrub-monthly@.timer
dest: /etc/systemd/system/zfs-scrub-monthly@.timer
mode: 0644
register: systemd_zfs_scrub_monthly_timer_file
- name: SystemD daemon reload
systemd:
daemon_reload: true
when:
systemd_zfs_scrub_service_file is changed or
systemd_zfs_scrub_monthly_timer_file is changed
- name: Enable zfs scrub of bpool
systemd:
name: zfs-scrub-monthly@bpool.timer
enabled: yes
state: started
- name: Enable zfs scrub of rpool
systemd:
name: zfs-scrub-monthly@rpool.timer
enabled: yes
state: started
# ----------------------------------------------------------------------------------------------
# Filesystem TRIM.
# ----------------------------------------------------------------------------------------------
- name: Enable fstrim
systemd:
name: fstrim.timer
enabled: yes
state: started
- name: Zfs trim service file
copy:
src: ./root/etc/systemd/system/zfs-trim@.service
dest: /etc/systemd/system/zfs-trim@.service
mode: 0644
register: systemd_zfs_trim_service_file
- name: Zfs trim timer file
copy:
src: ./root/etc/systemd/system/zfs-trim-monthly@.timer
dest: /etc/systemd/system/zfs-trim-monthly@.timer
mode: 0644
register: systemd_zfs_trim_monthly_timer_file
- name: SystemD daemon reload
systemd:
daemon_reload: true
when:
systemd_zfs_trim_service_file is changed or
systemd_zfs_trim_monthly_timer_file is changed
- name: Enable zfs trim of bpool
systemd:
name: zfs-trim-monthly@bpool.timer
enabled: yes
state: started
- name: Enable zfs trim of rpool
systemd:
name: zfs-trim-monthly@rpool.timer
enabled: yes
state: started
- name: Remove the zfsutils cron job
file:
state: absent
path: /etc/cron.d/zfsutils-linux
# ----------------------------------------------------------------------------------------------
# UPS configuration.
# ----------------------------------------------------------------------------------------------
- name: Install acpupsd
apt:
name: apcupsd
- name: Apcupsd configuration
copy:
src: ./root/etc/apcupsd/apcupsd.conf
dest: /etc/apcupsd/apcupsd.conf
mode: 0644
register: apcupsd_conf
- name: Enable/start apcupsd
systemd:
name: apcupsd
enabled: yes
state: started
- name: Restart apcupsd
systemd:
name: apcupsd
state: restarted
when:
apcupsd_conf is changed
# ----------------------------------------------------------------------------------------------
# Disk monitoring.
# ----------------------------------------------------------------------------------------------
- name: Install smartmontools
apt:
name: smartmontools
- name: Smartd configuration
copy:
src: ./root/etc/smartd.conf
dest: /etc/smartd.conf
mode: 0644
register: smartd_conf
- name: Enable/start smartmontools
systemd:
name: smartmontools
enabled: yes
state: started
- name: Restart smartmontools
systemd:
name: smartmontools
state: restarted
when:
smartd_conf is changed
# -------------------------------------------------------------------------
# Log monitoring.
# -------------------------------------------------------------------------
- name: Install logcheck and logrotate
apt:
name:
- logcheck
- logrotate
- name: Configure logcheck
template:
src: ./root/etc/logcheck/ignore.d.server/yggdrasil.j2
dest: /etc/logcheck/ignore.d.server/yggdrasil
group: logcheck
mode: 0644
# -------------------------------------------------------------------------
# Set MotD.
# -------------------------------------------------------------------------
- name: Set MotD
copy:
src: ./root/etc/motd
dest: /etc/motd
mode: 0644
# ----------------------------------------------------------------------------------------------
# Utility programs.
# ----------------------------------------------------------------------------------------------
- name: Install utility programs
apt:
name:
- git
- htop
- man
# ----------------------------------------------------------------------------------------------
# Set up utilities for the user.
# ----------------------------------------------------------------------------------------------
- name: Install tmux
apt:
name:
- tmux
- name: Clone tmux dotfiles
become: no
git:
repo: https://gitlab.wojciechkozlowski.eu/config/tmux.git
dest: .tmux
recursive: yes
- name: Configure tmux
become: no
copy:
src: ./root/home/user/tmux.conf
dest: .tmux.conf
mode: 0644
- name: Configure bashrc
become: no
copy:
src: ./root/home/user/bashrc
dest: .bashrc
mode: 0644
# On first tmux launch install plugins with <Ctrl + a + I>
# ----------------------------------------------------------------------------------------------
# Set the root's shell to nologin.
# ----------------------------------------------------------------------------------------------
- name: Disable root shell
user:
name: root
shell: /usr/sbin/nologin
- name: Disable su for non-wheel users
copy:
src: ./root/etc/pam.d/su
dest: /etc/pam.d/su
mode: 0644
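Review bot: The section header comments the old playbook carried (`# Firewall configuration.`, `# Set the root's shell to nologin.`, `# ZFS scrubbing.` and so on) were not carried into the new task files, so a reader opening tasks/root-shell.yml or tasks/trim.yml on its own no longer sees why those tasks exist; only tasks/sshd.yml kept its explanatory comment. Suggest a one-line header at the top of each new file, e.g. `# Set the root's shell to nologin and restrict su.` for tasks/root-shell.yml and `# Monthly TRIM of the ZFS pools and the fstrim timer.` for tasks/trim.yml. The import list itself reads fine; the play header (`hosts`, `become`) lies outside the hunk, so whether the `become: no` tasks in tasks/user.yml still rely on a play-level become cannot be checked here.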

31
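--- /dev/null
+++ b/tasks/fail2ban.yml
@@ -0,0 +1,31 @@
+- name: Install fail2ban
+apt:
+name: fail2ban
+- name: Configure fail2ban
+template:
+src: ./root/etc/fail2ban/jail.local.j2
+dest: /etc/fail2ban/jail.local
+mode: 0644
+register: fail2ban_conf
+- name: Configure fail2ban sshd jail
+template:
+src: ./root/etc/fail2ban/jail.d/sshd.local.j2
+dest: /etc/fail2ban/jail.d/sshd.local
+mode: 0644
+register: fail2ban_sshd_jail
+- name: Enable/start fail2ban
+systemd:
+name: fail2ban
+state: started
+enabled: yes
+- name: Restart fail2ban
+systemd:
+name: fail2ban
+state: restarted
+when:
+fail2ban_conf is changed or
+fail2ban_sshd_jail is changed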

23
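--- /dev/null
+++ b/tasks/firewall.yml
@@ -0,0 +1,23 @@
+- name: Install nftables
+apt:
+name: nftables
+- name: Configure nftables
+template:
+src: ./root/etc/nftables.conf.j2
+dest: /etc/nftables.conf
+mode: 0755
+register: nftables_conf
+- name: Enable/start nftables
+systemd:
+name: nftables
+state: started
+enabled: yes
+- name: Restart nftables
+systemd:
+name: nftables
+state: restarted
+when:
+nftables_conf is changed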
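Review bot: `Configure nftables` installs the rendered file and `Restart nftables` fires on any change without checking that `nft` accepts it, so a template that renders into something unparsable likely leaves the service failed after the stop/flush and the host without a firewall until the next successful run. The template module can check the candidate before it replaces the live file: add `validate: nft -c -f %s` under `template:`, which fails the task and leaves /etc/nftables.conf untouched on a syntax error. Separately, the unquoted `mode: 0755` (and every other `mode:` in the new task files) is parsed by YAML as an integer; ansible-lint's `risky-octal` rule recommends quoting it as `mode: "0755"`.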

12
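--- /dev/null
+++ b/tasks/logs.yml
@@ -0,0 +1,12 @@
+- name: Install logcheck and logrotate
+apt:
+name:
+- logcheck
+- logrotate
+- name: Configure logcheck
+template:
+src: ./root/etc/logcheck/ignore.d.server/yggdrasil.j2
+dest: /etc/logcheck/ignore.d.server/yggdrasil
+group: logcheck
+mode: 0644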

70
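--- /dev/null
+++ b/tasks/mail.yml
@@ -0,0 +1,70 @@
+- name: Configure mailname
+template:
+src: ./root/etc/mailname.j2
+dest: /etc/mailname
+mode: 0644
+register: mail_mailname
+- name: Configure aliases
+template:
+src: ./root/etc/aliases.j2
+dest: /etc/aliases
+mode: 0644
+register: mail_aliases
+- name: Update aliases
+command: newaliases
+when: mail_aliases is changed
+- name: Configure mailutils
+template:
+src: ./root/etc/mailutils.conf.j2
+dest: /etc/mailutils.conf
+mode: 0644
+- name: Install postfix
+apt:
+name:
+- postfix
+- ca-certificates
+- libsasl2-modules
+- name: Configure postfix
+template:
+src: ./root/etc/postfix/main.cf.j2
+dest: /etc/postfix/main.cf
+mode: 0644
+register: mail_postfix_conf
+- name: Configure credentials
+template:
+src: ./root/etc/postfix/sasl_passwd.j2
+dest: /etc/postfix/sasl_passwd
+mode: 0600
+register: mail_postfix_credentials
+- name: Create hash database
+command: postmap /etc/postfix/sasl_passwd
+when:
+mail_postfix_credentials is changed
+- name: Set hash database permissions
+file:
+path: /etc/postfix/sasl_passwd.db
+mode: 0600
+- name: Enable/start postfix
+systemd:
+name: postfix
+enabled: yes
+state: started
+- name: Restart postfix
+systemd:
+name: postfix
+state: restarted
+when:
+mail_mailname is changed or
+mail_aliases is changed or
+mail_postfix_conf is changed or
+mail_postfix_credentials is changed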
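Review bot: `Create hash database` runs `postmap` only when the `Configure credentials` template reported a change, so a run interrupted between writing sasl_passwd and the postmap step finds the file unchanged next time and never rebuilds sasl_passwd.db, leaving postfix authenticating with stale credentials. Either rebuild the map whenever the `.db` is missing or older than its source (a `stat` on both and a comparison of `stat.mtime`), or run postmap unconditionally with `changed_when: false`. The credentials task should also carry `no_log: true` so that a `--diff` or verbose run does not print the rendered sasl_passwd contents into the controller's output.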

5
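--- /dev/null
+++ b/tasks/motd.yml
@@ -0,0 +1,5 @@
+- name: Set MotD
+copy:
+src: ./root/etc/motd
+dest: /etc/motd
+mode: 0644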

9
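--- /dev/null
+++ b/tasks/ntp.yml
@@ -0,0 +1,9 @@
+- name: Install systemd-timesyncd
+apt:
+name: systemd-timesyncd
+- name: Enable/start NTP
+systemd:
+name: systemd-timesyncd
+enabled: yes
+state: started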

10
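--- /dev/null
+++ b/tasks/root-shell.yml
@@ -0,0 +1,10 @@
+- name: Disable root shell
+user:
+name: root
+shell: /usr/sbin/nologin
+- name: Disable su for non-wheel users
+copy:
+src: ./root/etc/pam.d/su
+dest: /etc/pam.d/su
+mode: 0644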

23
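--- /dev/null
+++ b/tasks/smart.yml
@@ -0,0 +1,23 @@
+- name: Install smartmontools
+apt:
+name: smartmontools
+- name: Smartd configuration
+copy:
+src: ./root/etc/smartd.conf
+dest: /etc/smartd.conf
+mode: 0644
+register: smartd_conf
+- name: Enable/start smartmontools
+systemd:
+name: smartmontools
+enabled: yes
+state: started
+- name: Restart smartmontools
+systemd:
+name: smartmontools
+state: restarted
+when:
+smartd_conf is changed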

17
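--- /dev/null
+++ b/tasks/sshd.yml
@@ -0,0 +1,17 @@
+# SSH must be installed and enabled for ansible to even connect so we don't bother with installing
+# and starting it.
+- name: Configure sshd
+template:
+src: ./root/etc/ssh/sshd_config.d/00-yggdrasil.conf.j2
+dest: /etc/ssh/sshd_config.d/00-yggdrasil.conf
+mode: 0600
+register: sshd_conf
+- name: Restart sshd
+systemd:
+name: sshd
+enabled: yes
+state: restarted
+when:
+sshd_conf is changed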
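Review bot: `Restart sshd` fires on any change to the rendered drop-in without first checking that sshd still accepts its configuration, so a bad template locks the Ansible controller, and everyone else, out of the host as soon as the restart completes. The template module can run the daemon's own check on the candidate file before installing it: add `validate: /usr/sbin/sshd -t -f %s` under `template:`. Note that this tests the drop-in on its own rather than merged with /etc/ssh/sshd_config, so it catches syntax errors but not directives that conflict with the main file; a `reloaded` state instead of `restarted` would additionally keep existing sessions open. `enabled: yes` should be written `enabled: true` (yamllint `truthy`).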

18
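--- /dev/null
+++ b/tasks/systemd-mail.yml
@@ -0,0 +1,18 @@
+- name: SystemD mail script
+template:
+src: ./root/usr/local/sbin/systemd-mail-systemctl-status.j2
+dest: /usr/local/sbin/systemd-mail-systemctl-status
+mode: 0755
+- name: SystemD mail service
+copy:
+src: ./root/etc/systemd/system/status-mail@.service
+dest: /etc/systemd/system/status-mail@.service
+mode: 0644
+register: systemd_status_mail_service_file
+- name: SystemD daemon reload
+systemd:
+daemon_reload: true
+when:
+systemd_status_mail_service_file is changed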
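Review bot: `SystemD daemon reload` here is the same task, with the same name and the same register-plus-`when` gate, as the copies in tasks/zfs-scrub.yml and tasks/trim.yml; now that the tasks live in separate files the three copies are a natural candidate for a single `daemon-reload` handler that each unit-file `copy` task notifies via `notify: daemon-reload`, which also removes the `systemd_*_file` registers. Identical task names across imported files additionally make `--start-at-task "SystemD daemon reload"` ambiguous, since it stops at the first match. If the handler route is not taken, at least give the three tasks distinct names, e.g. `SystemD daemon reload (status-mail)`.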

38
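--- /dev/null
+++ b/tasks/trim.yml
@@ -0,0 +1,38 @@
+- name: Enable fstrim
+systemd:
+name: fstrim.timer
+enabled: yes
+state: started
+- name: Zfs trim service file
+copy:
+src: ./root/etc/systemd/system/zfs-trim@.service
+dest: /etc/systemd/system/zfs-trim@.service
+mode: 0644
+register: systemd_zfs_trim_service_file
+- name: Zfs trim timer file
+copy:
+src: ./root/etc/systemd/system/zfs-trim-monthly@.timer
+dest: /etc/systemd/system/zfs-trim-monthly@.timer
+mode: 0644
+register: systemd_zfs_trim_monthly_timer_file
+- name: SystemD daemon reload
+systemd:
+daemon_reload: true
+when:
+systemd_zfs_trim_service_file is changed or
+systemd_zfs_trim_monthly_timer_file is changed
+- name: Enable zfs trim of bpool
+systemd:
+name: zfs-trim-monthly@bpool.timer
+enabled: yes
+state: started
+- name: Enable zfs trim of rpool
+systemd:
+name: zfs-trim-monthly@rpool.timer
+enabled: yes
+state: started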


@ -0,0 +1,15 @@
- name: Install unattended-upgrades
apt:
name: unattended-upgrades
- name: Configure unattended-upgrades
copy:
src: ./root/etc/apt/apt.conf.d/50unattended-upgrades
dest: /etc/apt/apt.conf.d/50unattended-upgrades
mode: 0644
- name: Enable unattended-upgrades
copy:
src: ./root/etc/apt/apt.conf.d/20auto-upgrades
dest: /etc/apt/apt.conf.d/20auto-upgrades
mode: 0644

23
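--- /dev/null
+++ b/tasks/ups.yml
@@ -0,0 +1,23 @@
+- name: Install acpupsd
+apt:
+name: apcupsd
+- name: Apcupsd configuration
+copy:
+src: ./root/etc/apcupsd/apcupsd.conf
+dest: /etc/apcupsd/apcupsd.conf
+mode: 0644
+register: apcupsd_conf
+- name: Enable/start apcupsd
+systemd:
+name: apcupsd
+enabled: yes
+state: started
+- name: Restart apcupsd
+systemd:
+name: apcupsd
+state: restarted
+when:
+apcupsd_conf is changed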

22
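--- /dev/null
+++ b/tasks/user.yml
@@ -0,0 +1,22 @@
+- name: Clone tmux dotfiles
+become: no
+git:
+repo: https://gitlab.wojciechkozlowski.eu/config/tmux.git
+dest: .tmux
+recursive: yes
+- name: Configure tmux
+become: no
+copy:
+src: ./root/home/user/tmux.conf
+dest: .tmux.conf
+mode: 0644
+- name: Configure bashrc
+become: no
+copy:
+src: ./root/home/user/bashrc
+dest: .bashrc
+mode: 0644
+# On first tmux launch install plugins with <Ctrl + a + I>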
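Review bot: `Clone tmux dotfiles` checks out whatever the remote repository's default branch points at on the day the play runs, and `recursive: yes` brings in each submodule at its recorded commit, so the shell configuration installed on the host can change without any change to this repository and two runs are not reproducible. Pin the checkout with the git module's `version:` parameter, `version: "<pinned-tag-or-commit>"`, and consider `update: no` if a one-time clone is the intent. `dest: .tmux` and the two `dest:` values below are relative to the connection's working directory, presumably the login user's home; `dest: "{{ ansible_env.HOME }}/.tmux"` makes that explicit. `recursive: yes` and `become: no` should be written `true`/`false` (yamllint `truthy`).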

7
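--- /dev/null
+++ b/tasks/utils.yml
@@ -0,0 +1,7 @@
+- name: Install utility programs
+apt:
+name:
+- git
+- htop
+- man
+- tmux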

38
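--- /dev/null
+++ b/tasks/zfs-scrub.yml
@@ -0,0 +1,38 @@
+- name: Zpool status mail script
+template:
+src: ./root/usr/local/sbin/systemd-mail-zpool-status.j2
+dest: /usr/local/sbin/systemd-mail-zpool-status
+mode: 0755
+- name: Zfs scrub service file
+copy:
+src: ./root/etc/systemd/system/zfs-scrub@.service
+dest: /etc/systemd/system/zfs-scrub@.service
+mode: 0644
+register: systemd_zfs_scrub_service_file
+- name: Zfs scrub timer file
+copy:
+src: ./root/etc/systemd/system/zfs-scrub-monthly@.timer
+dest: /etc/systemd/system/zfs-scrub-monthly@.timer
+mode: 0644
+register: systemd_zfs_scrub_monthly_timer_file
+- name: SystemD daemon reload
+systemd:
+daemon_reload: true
+when:
+systemd_zfs_scrub_service_file is changed or
+systemd_zfs_scrub_monthly_timer_file is changed
+- name: Enable zfs scrub of bpool
+systemd:
+name: zfs-scrub-monthly@bpool.timer
+enabled: yes
+state: started
+- name: Enable zfs scrub of rpool
+systemd:
+name: zfs-scrub-monthly@rpool.timer
+enabled: yes
+state: started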

4
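--- /dev/null
+++ b/tasks/zfsutils-cron.yml
@@ -0,0 +1,4 @@
+- name: Remove the zfsutils cron job
+file:
+state: absent
+path: /etc/cron.d/zfsutils-linux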