--- - hosts: yggdrasil vars_files: - secrets.yml tasks: # ---------------------------------------------------------------------------------------------- # SSH configuration. # ---------------------------------------------------------------------------------------------- # SSH must be installed and enabled for ansible to even connect so we don't bother with # installing and starting it. - name: Configure sshd template: src: ./root/etc/ssh/sshd_config.d/00-yggdrasil.conf.j2 dest: /etc/ssh/sshd_config.d/00-yggdrasil.conf mode: 0600 register: sshd_conf - name: Restart sshd service: name: sshd enabled: yes state: restarted when: sshd_conf is changed # ------------------------------------------------------------------------- # Firewall configuration. # ------------------------------------------------------------------------- - name: Install nftables apt: name: nftables - name: Configure nftables template: src: ./root/etc/nftables.conf.j2 dest: /etc/nftables.conf mode: 0755 register: nftables_conf - name: Enable/start nftables service: name: nftables state: started enabled: yes - name: Restart nftables service: name: nftables state: restarted when: nftables_conf is changed # ---------------------------------------------------------------------------------------------- # NTP configuration. # ---------------------------------------------------------------------------------------------- - name: Install systemd-timesyncd apt: name: systemd-timesyncd - name: Enable/start NTP service: name: systemd-timesyncd enabled: yes state: started # ---------------------------------------------------------------------------------------------- # E-mail configuration. # ---------------------------------------------------------------------------------------------- - name: Configure mailname template: src: ./root/etc/mailname.j2 dest: /etc/mailname mode: 0644 register: mail_mailname - name: Configure aliases template: src: ./root/etc/aliases.j2 dest: /etc/aliases mode: 0644 register: mail_aliases - name: Update aliases command: newaliases when: mail_aliases is changed - name: Configure mailutils template: src: ./root/etc/mailutils.conf.j2 dest: /etc/mailutils.conf mode: 0644 - name: Install postfix apt: name: - postfix - ca-certificates - libsasl2-modules - name: Configure postfix template: src: ./root/etc/postfix/main.cf.j2 dest: /etc/postfix/main.cf mode: 0644 register: mail_postfix_conf - name: Configure credentials template: src: ./root/etc/postfix/sasl_passwd.j2 dest: /etc/postfix/sasl_passwd mode: 0600 register: mail_postfix_credentials - name: Create hash database command: postmap /etc/postfix/sasl_passwd when: mail_postfix_credentials is changed - name: Set hash database permissions file: path: /etc/postfix/sasl_passwd.db mode: 0600 - name: Enable/start postfix service: name: postfix enabled: yes state: started - name: Restart postfix service: name: postfix state: restarted when: mail_mailname is changed or mail_aliases is changed or mail_postfix_conf is changed or mail_postfix_credentials is changed # ------------------------------------------------------------------------- # Unattended upgrades configuration. # ------------------------------------------------------------------------- - name: Install unattended-upgrades apt: name: unattended-upgrades - name: Configure unattended-upgrades copy: src: ./root/etc/apt/apt.conf.d/50unattended-upgrades dest: /etc/apt/apt.conf.d/50unattended-upgrades mode: 0644 - name: Enable unattended-upgrades copy: src: ./root/etc/apt/apt.conf.d/20auto-upgrades dest: /etc/apt/apt.conf.d/20auto-upgrades mode: 0644 # ---------------------------------------------------------------------------------------------- # Fail2Ban configuration. # ---------------------------------------------------------------------------------------------- - name: Install fail2ban apt: name: fail2ban - name: Configure fail2ban template: src: ./root/etc/fail2ban/jail.local.j2 dest: /etc/fail2ban/jail.local mode: 0644 register: fail2ban_conf - name: Configure fail2ban sshd jail template: src: ./root/etc/fail2ban/jail.d/sshd.local.j2 dest: /etc/fail2ban/jail.d/sshd.local mode: 0644 register: fail2ban_sshd_jail - name: Enable/start fail2ban service: name: fail2ban state: started enabled: yes - name: Restart fail2ban service: name: fail2ban state: restarted when: fail2ban_conf is changed or fail2ban_sshd_jail is changed # ---------------------------------------------------------------------------------------------- # SystemD mails. # ---------------------------------------------------------------------------------------------- - name: SystemD mail script template: src: ./root/usr/local/sbin/systemd-mail-systemctl-status.j2 dest: /usr/local/sbin/systemd-mail-systemctl-status mode: 0755 - name: SystemD mail service copy: src: ./root/etc/systemd/system/status-mail@.service dest: /etc/systemd/system/status-mail@.service mode: 0644 register: systemd_status_mail_service_file - name: SystemD daemon reload systemd: daemon_reload: true when: systemd_status_mail_service_file is changed # ---------------------------------------------------------------------------------------------- # ZFS scrubbing. # ---------------------------------------------------------------------------------------------- - name: Zpool status mail script template: src: ./root/usr/local/sbin/systemd-mail-zpool-status.j2 dest: /usr/local/sbin/systemd-mail-zpool-status mode: 0755 - name: Zfs scrub service file copy: src: ./root/etc/systemd/system/zfs-scrub@.service dest: /etc/systemd/system/zfs-scrub@.service mode: 0644 register: systemd_zfs_scrub_service_file - name: Zfs scrub timer file copy: src: ./root/etc/systemd/system/zfs-scrub-monthly@.timer dest: /etc/systemd/system/zfs-scrub-monthly@.timer mode: 0644 register: systemd_zfs_scrub_monthly_timer_file - name: SystemD daemon reload systemd: daemon_reload: true when: systemd_zfs_scrub_service_file is changed or systemd_zfs_scrub_monthly_timer_file is changed - name: Enable zfs scrub of bpool service: name: zfs-scrub-monthly@bpool.timer enabled: yes state: started - name: Enable zfs scrub of rpool service: name: zfs-scrub-monthly@rpool.timer enabled: yes state: started # ---------------------------------------------------------------------------------------------- # Filesystem TRIM. # ---------------------------------------------------------------------------------------------- - name: Enable fstrim service: name: fstrim.timer enabled: yes state: started - name: Zfs trim service file copy: src: ./root/etc/systemd/system/zfs-trim@.service dest: /etc/systemd/system/zfs-trim@.service mode: 0644 register: systemd_zfs_trim_service_file - name: Zfs trim timer file copy: src: ./root/etc/systemd/system/zfs-trim-monthly@.timer dest: /etc/systemd/system/zfs-trim-monthly@.timer mode: 0644 register: systemd_zfs_trim_monthly_timer_file - name: SystemD daemon reload systemd: daemon_reload: true when: systemd_zfs_trim_service_file is changed or systemd_zfs_trim_monthly_timer_file is changed - name: Enable zfs trim of bpool service: name: zfs-trim-monthly@bpool.timer enabled: yes state: started - name: Enable zfs trim of rpool service: name: zfs-trim-monthly@rpool.timer enabled: yes state: started # ---------------------------------------------------------------------------------------------- # UPS configuration. # ---------------------------------------------------------------------------------------------- - name: Install acpupsd apt: name: apcupsd - name: Apcupsd configuration copy: src: ./root/etc/apcupsd/apcupsd.conf dest: /etc/apcupsd/apcupsd.conf mode: 0644 register: apcupsd_conf - name: Enable/start apcupsd service: name: apcupsd enabled: yes state: started - name: Restart apcupsd service: name: apcupsd state: restarted when: apcupsd_conf is changed # ---------------------------------------------------------------------------------------------- # Disk monitoring. # ---------------------------------------------------------------------------------------------- - name: Install smartmontools apt: name: smartmontools - name: Smartd configuration copy: src: ./root/etc/smartd.conf dest: /etc/smartd.conf mode: 0644 register: smartd_conf - name: Enable/start smartmontools service: name: smartmontools enabled: yes state: started - name: Restart smartmontools service: name: smartmontools state: restarted when: smartd_conf is changed # ------------------------------------------------------------------------- # Log monitoring. # ------------------------------------------------------------------------- - name: Install logcheck and logrotate apt: name: - logcheck - logrotate - name: Configure logcheck template: src: ./root/etc/logcheck/ignore.d.server/yggdrasil.j2 dest: /etc/logcheck/ignore.d.server/yggdrasil group: logcheck mode: 0644 # ------------------------------------------------------------------------- # Set MotD. # ------------------------------------------------------------------------- - name: Set MotD copy: src: ./root/etc/motd dest: /etc/motd mode: 0644 # ---------------------------------------------------------------------------------------------- # Utility programs. # ---------------------------------------------------------------------------------------------- - name: Install utility programs apt: name: - git - htop - man # ---------------------------------------------------------------------------------------------- # Set up utilities for the user. # ---------------------------------------------------------------------------------------------- - name: Install tmux apt: name: - tmux - name: Clone tmux dotfiles become: no git: repo: https://gitlab.wojciechkozlowski.eu/config/tmux.git dest: .tmux recursive: yes - name: Configure tmux become: no copy: src: ./root/home/user/tmux.conf dest: .tmux.conf mode: 0644 - name: Configure bashrc become: no copy: src: ./root/home/user/bashrc dest: .bashrc mode: 0644 # On first tmux launch install plugins with