Linter + Dashboard fixes
parent
e1bf3e1765
commit
abc64144a8
44 changed files with 265 additions and 379 deletions
|
@ -1,30 +1,27 @@
|
|||
---
|
||||
- name: update grub
|
||||
- name: Update grub
|
||||
ansible.builtin.command:
|
||||
cmd: update-grub
|
||||
|
||||
- name: reboot
|
||||
ansible.builtin.reboot:
|
||||
|
||||
- name: apt update
|
||||
- name: Apt update
|
||||
ansible.builtin.apt:
|
||||
update_cache: true
|
||||
|
||||
- name: daemon reload
|
||||
- name: Daemon reload
|
||||
ansible.builtin.systemd:
|
||||
daemon_reload: true
|
||||
|
||||
- name: reload sshd
|
||||
- name: Reload sshd
|
||||
ansible.builtin.systemd:
|
||||
name: ssh
|
||||
state: reloaded
|
||||
|
||||
- name: reload nginx
|
||||
- name: Reload nginx
|
||||
ansible.builtin.systemd:
|
||||
name: nginx
|
||||
state: reloaded
|
||||
|
||||
- name: persist iptables
|
||||
- name: Persist iptables
|
||||
ansible.builtin.shell: "{{ item.c }}-save > /etc/iptables/rules.{{ item.ip }}"
|
||||
with_items:
|
||||
- { c: iptables, ip: v4 }
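Review bot: No reboot path seems to be left after this change: the `reboot` handler in this hunk has no capitalised replacement (the hunk goes from 30 to 27 lines), and further down the page the `Reboot` task after `upgrade: full` and the `notify: reboot` / `- reboot` entries on the forwarding sysctls, both GRUB command-line edits and the interfaces file appear to be dropped as well. The +/- markers are lost in this rendering, so this reading is inferred from the hunk headers. If it is right, upgraded kernels and libraries, `net.ifnames=0 biosdevname=0` and the serial-console settings only take effect at some later unplanned boot, and the host keeps running unpatched code until then. If reboots are being made manual on purpose, say so in the commit description; otherwise keep the handler under the new naming, `- name: Reboot` with `ansible.builtin.reboot:`, and notify `Reboot` from those tasks.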
|
||||
|
|
|
@ -21,9 +21,6 @@
|
|||
ansible.builtin.apt:
|
||||
upgrade: full
|
||||
|
||||
- name: Reboot
|
||||
ansible.builtin.reboot:
|
||||
|
||||
- name: autoremove
|
||||
ansible.builtin.apt:
|
||||
autoremove: yes
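Review bot: The `autoremove` task at the end of this hunk still carries the two findings this commit fixes elsewhere: a lowercase task name and the YAML 1.1 truthy value `yes`. For consistency with the renamed handlers and with `update_cache: true` / `daemon_reload: true`, use `- name: Autoremove` and `autoremove: true`. The apt task at the top of the hunk starts outside it, so its name could not be checked here.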
|
||||
|
|
|
@ -96,7 +96,7 @@
|
|||
path: /etc/default/grub
|
||||
regexp: '^GRUB_TIMEOUT='
|
||||
line: "GRUB_TIMEOUT=1 # Managed by Ansible"
|
||||
notify: update grub
|
||||
notify: Update grub
|
||||
|
||||
- name: Configure cron email
|
||||
ansible.builtin.lineinfile:
|
||||
|
@ -118,63 +118,5 @@
|
|||
- regexp: '^#?DebianBanner'
|
||||
line: 'DebianBanner no'
|
||||
when: manage_sshd_config | default(true)
|
||||
notify: reload sshd
|
||||
notify: Reload sshd
|
||||
|
||||
- name: Allow SSH
|
||||
ansible.builtin.iptables:
|
||||
chain: INPUT
|
||||
protocol: tcp
|
||||
destination_port: "{{ ssh_port }}"
|
||||
ctstate: NEW
|
||||
jump: ACCEPT
|
||||
ip_version: "{{ item }}"
|
||||
with_items:
|
||||
- ipv4
|
||||
- ipv6
|
||||
notify: persist iptables
|
||||
when: not nft | bool
|
||||
|
||||
- name: Allow ICMP
|
||||
ansible.builtin.iptables:
|
||||
chain: INPUT
|
||||
protocol: "{{ item.proto }}"
|
||||
jump: ACCEPT
|
||||
ip_version: "{{ item.ip }}"
|
||||
with_items:
|
||||
- { ip: ipv4, proto: icmp }
|
||||
- { ip: ipv6, proto: ipv6-icmp }
|
||||
notify: persist iptables
|
||||
when: not nft | bool
|
||||
|
||||
- name: Allow related and established connections
|
||||
ansible.builtin.iptables:
|
||||
chain: INPUT
|
||||
ctstate: ESTABLISHED,RELATED
|
||||
jump: ACCEPT
|
||||
ip_version: "{{ item }}"
|
||||
with_items:
|
||||
- ipv4
|
||||
- ipv6
|
||||
notify: persist iptables
|
||||
when: not nft | bool
|
||||
|
||||
- name: Allow local connections
|
||||
ansible.builtin.iptables:
|
||||
chain: INPUT
|
||||
source: "{{ item.cidr }}"
|
||||
jump: ACCEPT
|
||||
ip_version: "{{ item.v }}"
|
||||
with_items: "{{ trusted_ranges }}"
|
||||
notify: persist iptables
|
||||
when: not nft | bool
|
||||
|
||||
- name: Deny inbound connections
|
||||
ansible.builtin.iptables:
|
||||
chain: INPUT
|
||||
policy: DROP
|
||||
ip_version: "{{ item }}"
|
||||
with_items:
|
||||
- ipv4
|
||||
- ipv6
|
||||
notify: persist iptables
|
||||
when: not nft | bool
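Review bot: The INPUT firewall baseline appears to leave this tasks file without a visible replacement: the second hunk shrinks from 63 lines to 5, so everything after `notify: Reload sshd` (Allow SSH, ICMP, established/related, `trusted_ranges` and the INPUT `policy: DROP`) is presumably on the removed side. Nothing on this page shows where those tasks now live, and the commit is titled as linter fixes, so please confirm they were moved rather than dropped for hosts where `nft` is false, and mention the move in the commit description. If they were moved, each `notify:` has to read `Persist iptables` to match the renamed handler. A quick check after the play is that the INPUT policy on a non-nft host is still DROP and `/etc/iptables/rules.v4` is still written.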
|
||||
|
|
|
@ -13,7 +13,6 @@
|
|||
with_items:
|
||||
- { k: net.ipv4.ip_forward, v: "1" }
|
||||
- { k: net.ipv6.conf.all.forwarding, v: "1" }
|
||||
notify: reboot
|
||||
when: network_br
|
||||
|
||||
- name: Make network interfaces really predictable
|
||||
|
@ -22,8 +21,7 @@
|
|||
regexp: ^GRUB_CMDLINE_LINUX
|
||||
line: 'GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0" # Managed by Ansible'
|
||||
notify:
|
||||
- update grub
|
||||
- reboot
|
||||
- Update grub
|
||||
when: network_br or network_dhcp or network_static
|
||||
|
||||
- name: Configure network interfaces
|
||||
|
@ -33,7 +31,6 @@
|
|||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify: reboot
|
||||
when: network_br or network_dhcp or network_static
|
||||
|
||||
- ansible.builtin.meta: flush_handlers
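Review bot: Two lint-level items remain in the third hunk. `mode: 0644` is a bare scalar that a YAML 1.1 loader turns into an integer; quoting it as `mode: "0644"` keeps the file mode an explicit string. The `- ansible.builtin.meta: flush_handlers` entry has no name, unlike every other task the commit touches; `- name: Flush handlers` above it would match. The task that owns `mode:` starts outside the hunk, so its module and path were not visible for review.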
|
||||
|
|
|
@ -12,7 +12,6 @@
|
|||
regexp: ^GRUB_CMDLINE_LINUX_DEFAULT
|
||||
line: 'GRUB_CMDLINE_LINUX_DEFAULT="quiet console=ttyS0,115200n1 console=tty0"'
|
||||
notify:
|
||||
- update grub
|
||||
- reboot
|
||||
- Update grub
|
||||
tags:
|
||||
- questagent
|
||||
|
|
|
@ -2,5 +2,5 @@
|
|||
|
||||
{% for name in root_access %}
|
||||
# {{ name }}
|
||||
{{ lookup('file', 'authorized_keys/'+name+'.keys') }}
|
||||
{{ lookup('file', 'authorized_keys/' + name + '.keys') }}
|
||||
{% endfor %}
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
{% if debian_source_repos|default(false) %}
|
||||
{% set SRC = "" %}
|
||||
{% if debian_source_repos | default(false) %}
|
||||
{% set SRC = "" %}
|
||||
{% else %}
|
||||
{% set SRC = "# " %}
|
||||
{% set SRC = "# " %}
|
||||
{% endif %}
|
||||
{% set components = "main contrib non-free-firmware" %}
|
||||
|
||||
|
|