Add common roles from polyfloyd's playbookds

2022-10-05 21:17:25 +02:00 · 2022-10-05 21:17:25 +02:00 · e43ec3229f
commit e43ec3229f
parent 1332f49101
23 changed files with 694 additions and 0 deletions
--- a/roles/common/tasks/debian-backports.yaml
+++ b/roles/common/tasks/debian-backports.yaml
@ -0,0 +1,18 @@
+---
+- name: Install backports source list
+  template:
+    src: backports-source.list
+    dest: /etc/apt/sources.list.d/backports.list
+    owner: root
+    group: root
+    mode: 0644
+  notify: apt update
+
+- meta: flush_handlers
+
+- name: Install backports kernel
+  apt:
+    name: linux-image-amd64
+    state: latest
+    default_release: "{{ ansible_facts['distribution_release'] }}-backports"
+  when: ansible_facts['architecture'] == "x86_64"
--- a/roles/common/tasks/main.yaml
+++ b/roles/common/tasks/main.yaml
@ -0,0 +1,116 @@
+---
+- tags: debian_backports
+  import_tasks: debian-backports.yaml
+
+- tags: unattended_updates
+  import_tasks: unattended-updates.yaml
+
+- tags: network
+  import_tasks: network.yaml
+
+- tags: node-exporter
+  import_tasks: node-exporter.yaml
+
+- name: Install utilities
+  apt:
+    name:
+      - curl
+      - fzf
+      - git
+      - htop
+      - iptables
+      - iptables-persistent
+      - jq
+      - net-tools
+      - ripgrep
+      - rsync
+      - tree
+      - vim
+
+- name: Configure FZF for Bash
+  lineinfile:
+    path: /etc/bash.bashrc
+    insertafter: EOF
+    regexp: "^source /usr/share/doc/fzf/{{ item }}"
+    line: "source /usr/share/doc/fzf/examples/{{ item }} # Managed by Ansible"
+  with_items:
+    - key-bindings.bash
+    - completion.bash
+
+- name: Shorten Grub timeout
+  lineinfile:
+    path: /etc/default/grub
+    regexp: '^GRUB_TIMEOUT='
+    line: "GRUB_TIMEOUT=1 # Managed by Ansible"
+  notify: update grub
+
+- name: Configure cron email
+  lineinfile:
+    path: /etc/crontab
+    insertafter: '^PATH'
+    line: 'MAILTO={{ notify_email }}'
+
+- name: Turn off SSH password auth
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?PasswordAuthentication'
+    line: 'PasswordAuthentication no'
+  notify: reload sshd
+
+- name: Configure SSH port
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?Port'
+    line: 'Port {{ ssh_port }}'
+  notify: reload sshd
+
+- name: Allow SSH
+  iptables:
+    chain: INPUT
+    protocol: tcp
+    destination_port: "{{ ssh_port }}"
+    ctstate: NEW
+    jump: ACCEPT
+    ip_version: "{{ item }}"
+  with_items:
+    - ipv4
+    - ipv6
+  notify: persist iptables
+
+- name: Allow IPv6 ICMP
+  iptables:
+    chain: INPUT
+    protocol: ipv6-icmp
+    jump: ACCEPT
+    ip_version: ipv6
+  notify: persist iptables
+
+- name: Allow related and established connections
+  iptables:
+    chain: INPUT
+    ctstate: ESTABLISHED,RELATED
+    jump: ACCEPT
+    ip_version: "{{ item }}"
+  with_items:
+    - ipv4
+    - ipv6
+  notify: persist iptables
+
+- name: Allow local connections
+  iptables:
+    chain: INPUT
+    source: "{{ item.cidr }}"
+    jump: ACCEPT
+    ip_version: "{{ item.v }}"
+  with_items: "{{ trusted_ranges }}"
+  notify: persist iptables
+
+- name: Deny inbound connections
+  iptables:
+    chain: INPUT
+    policy: DROP
+    ip_version: "{{ item }}"
+  with_items:
+    - ipv4
+    - ipv6
+  notify: persist iptables
--- a/roles/common/tasks/network.yaml
+++ b/roles/common/tasks/network.yaml
@ -0,0 +1,42 @@
+---
+- name: Install bridge-utils
+  apt:
+    name: bridge-utils
+    state: present
+  when: network_br
+
+- lineinfile:
+    path: /etc/sysctl.conf
+    regexp: ^#?net.ipv4.ip_forward
+    line: "net.ipv4.ip_forward=1 # Managed by Ansible"
+  notify: reboot
+  when: network_br
+
+- lineinfile:
+    path: /etc/sysctl.conf
+    regexp: ^#?net.ipv6.conf.all.forwarding
+    line: "net.ipv6.conf.all.forwarding=1 # Managed by Ansible"
+  notify: reboot
+  when: network_br
+
+- name: Make network interfaces really predictable
+  lineinfile:
+    path: /etc/default/grub
+    regexp: ^GRUB_CMDLINE_LINUX
+    line: 'GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0" # Managed by Ansible'
+  notify:
+    - update grub
+    - reboot
+  when: network_br or network_dhcp or network_static
+
+- name: Configure network interfaces
+  template:
+    src: network-interfaces
+    dest: /etc/network/interfaces
+    owner: root
+    group: root
+    mode: 0644
+  notify: reboot
+  when: network_br or network_dhcp or network_static
+
+- meta: flush_handlers
--- a/roles/common/tasks/node-exporter.yaml
+++ b/roles/common/tasks/node-exporter.yaml
@ -0,0 +1,5 @@
+---
+- name: Install node-exporter
+  apt:
+    name: prometheus-node-exporter
+    state: present
--- a/roles/common/tasks/unattended-updates.yaml
+++ b/roles/common/tasks/unattended-updates.yaml
@ -0,0 +1,23 @@
+---
+- name: Install unattended-upgrades
+  apt:
+    name:
+      - unattended-upgrades
+      - apt-listchanges
+    state: present
+
+- name: Configure auto-upgrades
+  template:
+    src: auto-upgrades
+    dest: /etc/apt/apt.conf.d/20auto-upgrades
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Configure unattended-upgrades
+  template:
+    src: unattended-upgrades
+    dest: /etc/apt/apt.conf.d/50unattended-upgrades
+    owner: root
+    group: root
+    mode: 0644