Automated changes from linter ;P

Mark Janssen 2024-07-11 20:47:52 +02:00
parent 44b73a216f
commit f7f04e7a41
Signed by: foobar
GPG key ID: D8674D8FC4F69BD2
65 changed files with 392 additions and 324 deletions


@ -1,30 +1,31 @@
---
- name: update grub
command: update-grub
ansible.builtin.command:
cmd: update-grub
- name: reboot
reboot:
ansible.builtin.reboot:
- name: apt update
apt:
ansible.builtin.apt:
update_cache: true
- name: daemon reload
systemd:
ansible.builtin.systemd:
daemon_reload: true
- name: reload sshd
systemd:
ansible.builtin.systemd:
name: ssh
state: reloaded
- name: reload nginx
systemd:
ansible.builtin.systemd:
name: nginx
state: reloaded
- name: persist iptables
shell: "{{ item.c }}-save > /etc/iptables/rules.{{ item.ip }}"
ansible.builtin.shell: "{{ item.c }}-save > /etc/iptables/rules.{{ item.ip }}"
with_items:
- { c: iptables, ip: v4 }
- { c: ip6tables, ip: v6 }
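Review bot: The `persist iptables` handler redirects straight into `/etc/iptables/rules.{{ item.ip }}`, so the shell truncates the saved ruleset before `{{ item.c }}-save` has produced any output; if the save command fails, an empty or partial file is what remains on disk for the next restore. Writing to a temporary name and renaming only on success avoids that, e.g. `ansible.builtin.shell: "{{ item.c }}-save > /etc/iptables/rules.{{ item.ip }}.tmp && mv /etc/iptables/rules.{{ item.ip }}.tmp /etc/iptables/rules.{{ item.ip }}"`. How the file is loaded at boot is not shown on this page, so the effect of an empty file should be confirmed. A one-line comment above the task, `# shell (not command) is required for the output redirection`, would also explain why this handler is the only one using the shell module.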


@ -1,6 +1,6 @@
---
- name: Configure auto-upgrades
template:
ansible.builtin.template:
src: apt-minimal
dest: /etc/apt/apt.conf.d/20minimal
owner: root


@ -1,6 +1,6 @@
---
- name: Install backports source list
template:
ansible.builtin.template:
src: backports-source.list
dest: /etc/apt/sources.list.d/backports.list
owner: root
@ -8,4 +8,4 @@
mode: 0644
notify: apt update
- meta: flush_handlers
- ansible.builtin.meta: flush_handlers
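Review bot: `mode: 0644` in the second hunk is still an unquoted octal literal, so the resulting permissions depend on the YAML loader reading a leading-zero integer as octal rather than on the value being passed through as written. Quoting makes the permission bits explicit and survives re-formatting: `mode: "0644"`. The same unquoted `mode: 0644` appears in the source-list section and in the unattended-upgrades section of this commit. The template task this line belongs to starts outside the hunk.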


@ -1,6 +1,6 @@
---
- name: Install source list
template:
ansible.builtin.template:
src: stable-sources.list
dest: /etc/apt/sources.list
owner: root
@ -8,21 +8,21 @@
mode: 0644
- name: Remove backports
file:
ansible.builtin.file:
path: /etc/apt/sources.list.d/backports.list
state: absent
- name: update
apt:
ansible.builtin.apt:
update_cache: yes
- name: full-upgrade
apt:
ansible.builtin.apt:
upgrade: full
- name: Reboot
reboot:
ansible.builtin.reboot:
- name: autoremove
apt:
ansible.builtin.apt:
autoremove: yes
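Review bot: `update_cache: yes` and `autoremove: yes` keep the YAML 1.1 truthy spelling on the new side, while the handlers touched by the same commit already use `update_cache: true` and `daemon_reload: true`. For a linter-driven cleanup it would be consistent to write `update_cache: true` and `autoremove: true` here. The `Remove node-exporter` task in a later section has the same `autoremove: yes`.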


@ -1,35 +1,42 @@
---
- tags: [ debian-upgrade, never ]
import_tasks: debian-upgrade.yaml
ansible.builtin.import_tasks:
file: debian-upgrade.yaml
when: ansible_facts['distribution_release'] != "bookworm"
- tags: debian_backports
import_tasks: debian-backports.yaml
ansible.builtin.import_tasks:
file: debian-backports.yaml
- tags: unattended_updates
import_tasks: unattended-updates.yaml
ansible.builtin.import_tasks:
file: unattended-updates.yaml
- tags: apt-minimal
import_tasks: apt-minimal.yaml
ansible.builtin.import_tasks:
file: apt-minimal.yaml
- tags: network
import_tasks: network.yaml
ansible.builtin.import_tasks:
file: network.yaml
- tags: node-exporter
import_tasks: node-exporter.yaml
ansible.builtin.import_tasks:
file: node-exporter.yaml
- tags: vm
import_tasks: node-exporter.yaml
ansible.builtin.import_tasks:
file: node-exporter.yaml
when: is_vm
- name: Remove Vim
apt:
ansible.builtin.apt:
name: vim
state: absent
autoremove: true
- name: Install utilities
apt:
ansible.builtin.apt:
name:
- curl
- fzf
@ -46,38 +53,38 @@
- neovim
- name: Remove netcat-traditional
apt:
ansible.builtin.apt:
name: netcat-traditional
- name: Configure FZF for Bash
lineinfile:
ansible.builtin.lineinfile:
path: /etc/bash.bashrc
insertafter: EOF
regexp: "^source /usr/share/doc/fzf/examples/key-bindings.bash"
line: "source /usr/share/doc/fzf/examples/key-bindings.bash # Managed by Ansible"
- name: Configure FZF for Bash (Bookworm)
lineinfile:
ansible.builtin.lineinfile:
path: /etc/bash.bashrc
insertafter: EOF
regexp: "^source /usr/share/doc/fzf/examples/completion.bash"
state: absent
- name: Shorten Grub timeout
lineinfile:
ansible.builtin.lineinfile:
path: /etc/default/grub
regexp: '^GRUB_TIMEOUT='
line: "GRUB_TIMEOUT=1 # Managed by Ansible"
notify: update grub
- name: Configure cron email
lineinfile:
ansible.builtin.lineinfile:
path: /etc/crontab
insertafter: '^PATH'
line: 'MAILTO={{ notify_email }}'
- name: Configure SSH
lineinfile:
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
@ -91,7 +98,7 @@
notify: reload sshd
- name: Allow SSH
iptables:
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: "{{ ssh_port }}"
@ -104,7 +111,7 @@
notify: persist iptables
- name: Allow ICMP
iptables:
ansible.builtin.iptables:
chain: INPUT
protocol: "{{ item.proto }}"
jump: ACCEPT
@ -115,7 +122,7 @@
notify: persist iptables
- name: Allow related and established connections
iptables:
ansible.builtin.iptables:
chain: INPUT
ctstate: ESTABLISHED,RELATED
jump: ACCEPT
@ -126,7 +133,7 @@
notify: persist iptables
- name: Allow local connections
iptables:
ansible.builtin.iptables:
chain: INPUT
source: "{{ item.cidr }}"
jump: ACCEPT
@ -135,7 +142,7 @@
notify: persist iptables
- name: Deny inbound connections
iptables:
ansible.builtin.iptables:
chain: INPUT
policy: DROP
ip_version: "{{ item }}"
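Review bot: The `Remove netcat-traditional` task passes only `name: netcat-traditional` to `ansible.builtin.apt`, and that module's `state` defaults to `present`, so as written the task installs the package its name says it removes; add `state: absent`, as the `Remove Vim` task in the first hunk does. In the first hunk the `vm` entry imports `file: node-exporter.yaml`, the same file as the `node-exporter` entry just before it, so the VM-specific tasks are presumably never imported under `when: is_vm`; the intended file name is not visible on this page and should be confirmed. Blank lines appear to have been dropped from this rendering, but the hunk line counts are consistent with the netcat task being shown in full.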


@ -1,12 +1,12 @@
---
- name: Install bridge-utils
apt:
ansible.builtin.apt:
name: bridge-utils
state: present
when: network_br
- name: Configure sysctl.conf
lineinfile:
ansible.builtin.lineinfile:
path: /etc/sysctl.conf
regexp: "^#?{{ item.k }}"
line: "{{ item.k }}={{ item.v }} # Managed by Ansible"
@ -17,7 +17,7 @@
when: network_br
- name: Make network interfaces really predictable
lineinfile:
ansible.builtin.lineinfile:
path: /etc/default/grub
regexp: ^GRUB_CMDLINE_LINUX
line: 'GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0" # Managed by Ansible'
@ -27,7 +27,7 @@
when: network_br or network_dhcp or network_static
- name: Configure network interfaces
template:
ansible.builtin.template:
src: network-interfaces
dest: /etc/network/interfaces
owner: root
@ -36,4 +36,4 @@
notify: reboot
when: network_br or network_dhcp or network_static
- meta: flush_handlers
- ansible.builtin.meta: flush_handlers
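Review bot: `regexp: ^GRUB_CMDLINE_LINUX` in the `Make network interfaces really predictable` task is a prefix match, so it also matches a `GRUB_CMDLINE_LINUX_DEFAULT=` line in `/etc/default/grub`, which the `Serial Console` task in another section of this commit manages. Because `lineinfile` rewrites the last matching line, which setting gets replaced depends on line order in the file; anchoring on the equals sign removes the ambiguity: `regexp: '^GRUB_CMDLINE_LINUX='`. The `Configure sysctl.conf` task has the same shape, since `"^#?{{ item.k }}"` treats the dots in a key as wildcards and also matches longer keys sharing the prefix; `regexp: '^#?{{ item.k | regex_escape }}\s*='` would be tighter, though the item list is outside the hunk and should be checked. Both tasks continue past the end of their hunks.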


@ -1,12 +1,12 @@
---
- name: Install node-exporter
apt:
ansible.builtin.apt:
name: prometheus-node-exporter
state: present
when: node_exporter
- name: Remove node-exporter
apt:
ansible.builtin.apt:
name: prometheus-node-exporter
state: absent
autoremove: yes


@ -1,13 +1,13 @@
---
- name: Install unattended-upgrades
apt:
ansible.builtin.apt:
name:
- unattended-upgrades
- apt-listchanges
state: present
- name: Configure auto-upgrades
template:
ansible.builtin.template:
src: auto-upgrades
dest: /etc/apt/apt.conf.d/20auto-upgrades
owner: root
@ -15,7 +15,7 @@
mode: 0644
- name: Configure unattended-upgrades
template:
ansible.builtin.template:
src: unattended-upgrades
dest: /etc/apt/apt.conf.d/50unattended-upgrades
owner: root


@ -1,10 +1,10 @@
---
- name: Install guest agent
apt:
ansible.builtin.apt:
name: qemu-guest-agent
- name: Serial Console
lineinfile:
ansible.builtin.lineinfile:
path: /etc/default/grub
regexp: ^GRUB_CMDLINE_LINUX_DEFAULT
line: 'GRUB_CMDLINE_LINUX_DEFAULT="quiet console=ttyS0,115200n1 console=tty0"'
@ -12,4 +12,4 @@
- update grub
- reboot
- meta: flush_handlers
- ansible.builtin.meta: flush_handlers