feat: move to dedicated repo

2024-11-22 11:13:16 +01:00 · 2024-11-22 11:13:16 +01:00 · 4a88a5b28d
commit 4a88a5b28d
54 changed files with 1524 additions and 0 deletions
--- a/tasks/apt/config.yaml
+++ b/tasks/apt/config.yaml
@ -0,0 +1,24 @@
+---
+
+# configure apt auto update
+- name: "apt - config - configure apt periodic"
+  ansible.builtin.template:
+    src: "templates/apt/conf.d/10periodic.j2"
+    dest: "/etc/apt/apt.conf.d/10periodic"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  when: 'ansible_os_family == "Debian"'
+  tags:
+    - "apt"
+
+- name: "apt - config - configure apt unatteded updates"
+  ansible.builtin.template:
+    src: "templates/apt/conf.d/50unattended-upgrades.{{ ansible_distribution }}.j2"
+    dest: "/etc/apt/apt.conf.d/50unattended-upgrades"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  when: 'ansible_os_family == "Debian"'
+  tags:
+    - "apt"
--- a/tasks/apt/packages.yaml
+++ b/tasks/apt/packages.yaml
@ -0,0 +1,27 @@
+---
+
+# install packages
+- name: "apt - install - packages"
+  ansible.builtin.apt:
+    name: "{{ apt_default_install }}"
+    state: "present"
+    update_cache: true
+  when: 'ansible_os_family == "Debian"'
+  loop: "{{ apt_default_packages_install }}"
+  loop_control:
+    loop_var: "apt_default_install"
+  tags:
+    - "apt"
+
+# purge packages
+- name: "apt - delete - packages"
+  ansible.builtin.apt:
+    name: "{{ apt_default_delete }}"
+    state: "absent"
+    purge: true
+  when: 'ansible_os_family == "Debian"'
+  loop: "{{ apt_default_packages_delete }}"
+  loop_control:
+    loop_var: "apt_default_delete"
+  tags:
+    - "apt"
--- a/tasks/apt/sources.yaml
+++ b/tasks/apt/sources.yaml
@ -0,0 +1,42 @@
+---
+
+# configure apt sources
+- name: "apt - config - configure apt sources"
+  ansible.builtin.template:
+    src: "templates/apt/sources.d/sources.list.{{ ansible_distribution }}.j2"
+    dest: "/etc/apt/sources.list"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  when:
+    - 'ansible_os_family == "Debian"'
+    - 'ansible_distribution_major_version <= "23"'
+  notify: "apt force cache update"
+  tags:
+    - "apt"
+
+# configure apt sources
+- name: "apt - config - configure apt sources"
+  ansible.builtin.template:
+    src: "templates/apt/sources.d/{{ ansible_distribution }}.sources.j2"
+    dest: "/etc/apt/sources.list.d/ubuntu.sources"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  when:
+    - 'ansible_distribution == "Ubuntu"'
+    - 'ansible_distribution_major_version >= "24"'
+  notify: "apt force cache update"
+  tags:
+    - "apt"
+
+# delete unused sources.list
+- name: "apt - config - remove old sources.list"
+  ansible.builtin.file:
+    path: "/etc/apt/sources.list"
+    state: "absent"
+  when:
+    - 'ansible_distribution == "Ubuntu"'
+    - 'ansible_distribution_major_version >= "24"'
+  tags:
+    - "apt"
--- a/tasks/cron.yaml
+++ b/tasks/cron.yaml
@ -0,0 +1,13 @@
+---
+
+# configure cron
+- name: "cron - config - zfs kstat"
+  ansible.builtin.template:
+    src: "templates/cron/mount_zfs_kstat.j2"
+    dest: "/etc/cron.d/mount_zfs_kstat"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  when: 'type == "lxc"'
+  tags:
+    - "cron"
--- a/tasks/crowdsec.yaml
+++ b/tasks/crowdsec.yaml
@ -0,0 +1,42 @@
+---
+
+# install crowdsec signing key
+- name: "install signing key"
+  ansible.builtin.get_url:
+    url: "https://packagecloud.io/crowdsec/crowdsec/gpgkey"
+    dest: "/etc/apt/keyrings/crowdsec_crowdsec-archive-keyring.gpg"
+    mode: "0644"
+  register: "install_crowdsec_key"
+  tags:
+    - "crowdsec"
+
+# update apt cache if required
+- name: "update apt cache"
+  ansible.builtin.apt:
+    update_cache: true
+  when:
+    - 'ansible_os_family == "Debian"'
+    - "install_crowdsec_key.changed"
+  tags:
+    - "crowdsec"
+
+# install crowdsec security engine
+- name: "install crowdsec security engine"
+  ansible.builtin.apt:
+    name: "crowdsec"
+    state: "present"
+    cache_valid_time: "120"
+  when: 'ansible_os_family == "Debian"'
+  register: "crowdsec_installed"
+  tags:
+    - "crowdsec"
+
+# install crowdsec firewall bouncer
+- name: "install crowdsec firewall bouncer"
+  ansible.builtin.apt:
+    name: "crowdsec-firewall-bouncer"
+    state: "present"
+    cache_valid_time: "120"
+  when: 'ansible_os_family == "Debian"'
+  tags:
+    - "crowdsec"
--- a/tasks/environment.yaml
+++ b/tasks/environment.yaml
@ -0,0 +1,13 @@
+---
+
+# set environment file
+- name: "set environment file"
+  ansible.builtin.template:
+    src: "templates/environment/environment.j2"
+    dest: "/etc/environment"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  when: 'ansible_distribution == "Ubuntu"'
+  tags:
+    - "environment-file"
--- a/tasks/firewall/firewall-general.yaml
+++ b/tasks/firewall/firewall-general.yaml
@ -0,0 +1,11 @@
+---
+
+# generic settings
+- name: "firewall - set default policy and enable logging"
+  community.general.ufw:
+    state: "enabled"
+    direction: "incoming"
+    policy: "deny"
+    logging: "on"
+  tags:
+    - "firewall"
--- a/tasks/firewall/firewall-rules-routed.yaml
+++ b/tasks/firewall/firewall-rules-routed.yaml
@ -0,0 +1,26 @@
+---
+
+# basic firewall rules
+- name: "firewall - allow incoming routed traffic"
+  community.general.ufw:
+    rule: "allow"
+    route: "yes"
+    src: "{{ item[0] }}"
+    dest: "{{ item[1] }}"
+  with_nested:
+    - "{{ __rule['source_nets'] }}"
+    - "{{ __rule['destination_nets'] }}"
+  tags:
+    - "firewall"
+
+- name: "firewall - allow outgoing routed traffic"
+  community.general.ufw:
+    rule: "allow"
+    route: "yes"
+    src: "{{ item[1] }}"
+    dest: "{{ item[0] }}"
+  with_nested:
+    - "{{ __rule['source_nets'] }}"
+    - "{{ __rule['destination_nets'] }}"
+  tags:
+    - "firewall"
--- a/tasks/firewall/firewall-rules.yaml
+++ b/tasks/firewall/firewall-rules.yaml
@ -0,0 +1,12 @@
+---
+
+# create firewall rule
+- name: "firewall - allow {{ __rule['to_port'] }} from {{ __rule['from_ip'] }}"
+  community.general.ufw:
+    rule: "allow"
+    direction: "in"
+    proto: "{{ __rule['proto'] | default('tcp') }}"
+    from_ip: "{{ __rule['from_ip'] }}"
+    to_port: "{{ __rule['to_port'] }}"
+  tags:
+    - "firewall"
--- a/tasks/hostname.yaml
+++ b/tasks/hostname.yaml
@ -0,0 +1,9 @@
+---
+
+# set hostname
+- name: "set hostname"
+  ansible.builtin.hostname:
+    name: "{{ set_hostname | default(inventory_hostname) }}"
+    use: "{{ hostname_use_method }}"
+  tags:
+    - "hostname"
--- a/tasks/journald.yaml
+++ b/tasks/journald.yaml
@ -0,0 +1,14 @@
+---
+
+# configure journald
+- name: "syslog - config - configure journald"
+  ansible.builtin.template:
+    src: "templates/journald/journald.conf.j2"
+    dest: "/etc/systemd/journald.conf"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  when: 'ansible_distribution == "Ubuntu"'
+  notify: "restart journald"
+  tags:
+    - "journald"
--- a/tasks/lldpd.yaml
+++ b/tasks/lldpd.yaml
@ -0,0 +1,12 @@
+---
+
+# install lldpd
+- name: "lldpd - installation package"
+  ansible.builtin.apt:
+    name: "lldpd"
+    state: "present"
+    cache_valid_time: "3600"
+  when: 'ansible_os_family == "Debian"'
+  notify: "restart lldpd"
+  tags:
+    - "lldp"
--- a/tasks/locale.yaml
+++ b/tasks/locale.yaml
@ -0,0 +1,9 @@
+---
+
+# set locale
+- name: "set locale"
+  community.general.locale_gen:
+    name: "en_US.UTF-8"
+    state: "present"
+  tags:
+    - "locale"
--- a/tasks/lxd.yaml
+++ b/tasks/lxd.yaml
@ -0,0 +1,11 @@
+---
+
+# remove lxd
+- name: "lxd - purge package"
+  ansible.builtin.apt:
+    name: "lxd"
+    state: "absent"
+    purge: "yes"
+  when: 'ansible_os_family == "Debian"'
+  tags:
+    - "lxd"
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@ -0,0 +1,321 @@
+---
+
+# check os support
+- name: "check for os support"
+  ansible.builtin.import_tasks: "ossupport.yaml"
+  tags:
+    - "apt"
+    - "cron"
+    - "crowdsec"
+    - "environment-file"
+    - "hostname"
+    - "firewall"
+    - "journald"
+    - "locale"
+    - "lldp"
+    - "lxd"
+    - "motd"
+    - "ntp"
+    - "telemetry"
+    - "snap"
+    - "sshd"
+    - "swap"
+    - "sysctl"
+    - "systemctl"
+    - "syslog"
+    - "timezone"
+    - "usermanagement"
+
+# load os variables
+- name: "include os specific vars"
+  ansible.builtin.include_vars: "{{ ansible_os_family }}.yaml"
+  when: "os_support"
+  tags:
+    - "apt"
+    - "cron"
+    - "crowdsec"
+    - "environment-file"
+    - "hostname"
+    - "firewall"
+    - "journald"
+    - "locale"
+    - "lldp"
+    - "lxd"
+    - "motd"
+    - "ntp"
+    - "telemetry"
+    - "snap"
+    - "sshd"
+    - "sysctl"
+    - "systemctl"
+    - "syslog"
+    - "timezone"
+    - "usermanagement"
+
+# set hostname
+- name: "set hostname"
+  ansible.builtin.import_tasks: "hostname.yaml"
+  when: "os_support"
+  tags: "hostname"
+
+# flush handler
+- name: "flush handlers"
+  ansible.builtin.meta: "flush_handlers"
+
+# set locale
+- name: "set locale"
+  ansible.builtin.import_tasks: "locale.yaml"
+  when: "os_support"
+  tags: "locale"
+
+# flush handler
+- name: "flush handlers"
+  ansible.builtin.meta: "flush_handlers"
+
+# environment
+- name: "environment"
+  ansible.builtin.import_tasks: "environment.yaml"
+  when: "os_support"
+  tags: "environment-file"
+
+# flush handler
+- name: "flush handlers"
+  ansible.builtin.meta: "flush_handlers"
+
+# motd
+- name: "motd"
+  ansible.builtin.import_tasks: "motd.yaml"
+  when: "os_support"
+  tags: "motd"
+
+# cron jobs
+- name: "cron jobs"
+  ansible.builtin.import_tasks: "cron.yaml"
+  when: "os_support"
+  tags: "cron"
+
+# flush handler
+- name: "flush handlers"
+  ansible.builtin.meta: "flush_handlers"
+
+# swap
+- name: "swap"
+  ansible.builtin.import_tasks: "swap.yaml"
+  when:
+    - "os_support"
+    - 'type == "vm"'
+  tags: "swap"
+
+# apt
+- name: "apt"
+  ansible.builtin.import_tasks: "apt/sources.yaml"
+  when: "os_support"
+  tags: "apt"
+
+# flush handler
+- name: "flush handlers"
+  ansible.builtin.meta: "flush_handlers"
+
+- name: "apt - packages"
+  ansible.builtin.import_tasks: "apt/packages.yaml"
+  when: "os_support"
+  tags: "apt"
+
+- name: "apt - config"
+  ansible.builtin.import_tasks: "apt/config.yaml"
+  when: "os_support"
+  tags: "apt"
+
+# telemetry
+- name: "telemetry"
+  ansible.builtin.import_tasks: "telemetry.yaml"
+  when: "os_support"
+  tags: "telemetry"
+
+# service
+- name: "service"
+  ansible.builtin.include_tasks: "service.yaml"
+  loop: "{{ service }}"
+  loop_control:
+    loop_var: "__service"
+  when:
+    - "os_support"
+    - "service is defined"
+
+# flush handler
+- name: "flush handlers"
+  ansible.builtin.meta: "flush_handlers"
+
+# chrony
+- name: "ntp"
+  ansible.builtin.import_tasks: "ntp.yaml"
+  when:
+    - "os_support"
+    - 'type == "vm" or type == "hw"'
+  tags: "ntp"
+
+# flush handler
+- name: "flush handlers"
+  ansible.builtin.meta: "flush_handlers"
+
+# snap
+- name: "snap - daemon"
+  ansible.builtin.import_tasks: "snap/snap_daemon.yaml"
+  when: "os_support"
+  tags: "snap"
+
+- name: "snap - package"
+  ansible.builtin.import_tasks: "snap/snap_package.yaml"
+  when:
+    - "os_support"
+    - "snap_package is defined"
+  tags: "snap"
+
+# llpd
+- name: "lldpd"
+  ansible.builtin.import_tasks: "lldpd.yaml"
+  when:
+    - "os_support"
+    - 'type == "vm" or type == "hw"'
+  tags: "lldp"
+
+# flush handler
+- name: "flush handlers"
+  ansible.builtin.meta: "flush_handlers"
+
+# lxd
+- name: "lxd"
+  ansible.builtin.import_tasks: "lxd.yaml"
+  when:
+    - "os_support"
+    - 'type == "vm"'
+  tags: "lxd"
+
+# flush handler
+- name: "flush handlers"
+  ansible.builtin.meta: "flush_handlers"
+
+# sysctl
+- name: "sysctl - set sysctl"
+  ansible.builtin.include_tasks: "sysctl.yaml"
+  loop: "{{ sysctl }}"
+  loop_control:
+    loop_var: "__sysctl"
+  when:
+    - "os_support"
+    - 'type == "vm" or type == "hw"'
+  tags: "sysctl"
+
+# systemctl
+- name: "sysctl - set systemctl"
+  ansible.builtin.include_tasks: "systemctl.yaml"
+  loop: "{{ systemctl }}"
+  loop_control:
+    loop_var: "__systemctl"
+  when:
+    - "os_support"
+    - 'type == "vm"'
+  tags: "systemctl"
+
+# syslog
+- name: "syslog - install"
+  ansible.builtin.import_tasks: "syslog/install.yaml"
+  when:
+    - "os_support"
+    - "syslog_enable"
+  tags: "syslog"
+
+- name: "syslog - config"
+  ansible.builtin.import_tasks: "syslog/config.yaml"
+  when:
+    - "os_support"
+    - "syslog_enable"
+  tags: "syslog"
+
+# flush handler
+- name: "flush handlers"
+  ansible.builtin.meta: "flush_handlers"
+
+# journald
+- name: "journald"
+  ansible.builtin.import_tasks: "journald.yaml"
+  when: "os_support"
+  tags: "journald"
+
+# flush handler
+- name: "flush handlers"
+  ansible.builtin.meta: "flush_handlers"
+
+# timezone
+- name: "timezone"
+  ansible.builtin.import_tasks: "timezone.yaml"
+  when: "os_support"
+  tags: "timezone"
+
+# sshd
+- name: "sshd"
+  ansible.builtin.import_tasks: "sshd.yaml"
+  when: "os_support"
+  tags: "sshd"
+
+# flush handler
+- name: "flush handlers"
+  ansible.builtin.meta: "flush_handlers"
+
+# user
+- name: "user - create users"
+  ansible.builtin.include_tasks: "user.yaml"
+  loop: "{{ user }}"
+  loop_control:
+    loop_var: "__user"
+  when: "os_support"
+  tags: "usermanagement"
+
+# crowdsec
+- name: "crowdsec security engine"
+  ansible.builtin.include_tasks: "crowdsec.yaml"
+  when:
+    - "os_support"
+    - "crowdsec_enable"
+  tags: "crowdsec"
+
+# firewall
+- name: "firewall"
+  ansible.builtin.import_tasks: "firewall/firewall-general.yaml"
+  when:
+    - "os_support"
+    - "firewall_enabled"
+  tags: "firewall"
+
+# firewall common rules
+- name: "create firewall rules"
+  ansible.builtin.include_tasks: "firewall/firewall-rules.yaml"
+  loop: "{{ firewall_rules_common }}"
+  loop_control:
+    loop_var: "__rule"
+  when:
+    - "os_support"
+    - "firewall_rules_common is defined and firewall_enabled"
+  tags: "firewall"
+
+# firewall routed rules
+- name: "create routed firewall rules"
+  ansible.builtin.include_tasks: "firewall/firewall-rules-routed.yaml"
+  loop: "{{ firewall_rules_routed }}"
+  loop_control:
+    loop_var: "__rule"
+  when:
+    - "os_support"
+    - "firewall_rules_routed is defined and firewall_enabled"
+  tags: "firewall"
+
+# firewall host rules
+- name: "create firewall rules"
+  ansible.builtin.include_tasks: "firewall/firewall-rules.yaml"
+  loop: "{{ firewall_rules }}"
+  loop_control:
+    loop_var: "__rule"
+  when:
+    - "os_support"
+    - "firewall_rules is defined and firewall_enabled"
+  tags: "firewall"
--- a/tasks/motd.yaml
+++ b/tasks/motd.yaml
@ -0,0 +1,43 @@
+---
+
+# find old motd files
+- name: "motd - find old scripts"
+  ansible.builtin.find:
+    paths: "/etc/update-motd.d/"
+    file_type: "file"
+    excludes:
+      - "10-custom-motd"
+  register: "old_motd"
+  tags:
+    - "motd"
+
+# remove old custom motd files
+- name: "motd - cleanup directory"
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: "absent"
+  loop: "{{ old_motd.files }}"
+  when: "old_motd.files|length > 0"
+  tags:
+    - "motd"
+
+# remove old motd files
+- name: "motd - cleanup main file"
+  ansible.builtin.file:
+    path: "/etc/motd"
+    state: "absent"
+  when: "inventory_hostname != 'bastion.siempie.internal'"
+  tags:
+    - "motd"
+
+# configure motd
+- name: "motd - siempie"
+  ansible.builtin.template:
+    src: "templates/motd/motd.sh.j2"
+    dest: "/etc/update-motd.d/10-custom-motd"
+    owner: "root"
+    group: "root"
+    mode: "0755"
+  when: 'ansible_os_family == "Debian"'
+  tags:
+    - "motd"
--- a/tasks/ntp.yaml
+++ b/tasks/ntp.yaml
@ -0,0 +1,23 @@
+---
+
+# install chrony
+- name: "ntp - install - chrony debian"
+  ansible.builtin.apt:
+    name: "chrony"
+    state: "present"
+  when: 'ansible_os_family == "Debian"'
+  tags:
+    - "ntp"
+
+# configure chrony
+- name: "ntp - config - configure chrony"
+  ansible.builtin.template:
+    src: "templates/chrony/chrony.conf.j2"
+    dest: "/etc/chrony/chrony.conf"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  when: 'ansible_os_family == "Debian"'
+  notify: "restart chrony"
+  tags:
+    - "ntp"
--- a/tasks/ossupport.yaml
+++ b/tasks/ossupport.yaml
@ -0,0 +1,32 @@
+---
+
+# support debian 12
+- name: "check for os support"
+  ansible.builtin.set_fact:
+    os_support: true
+  when:
+    - 'ansible_distribution == "Debian"'
+    - 'ansible_distribution_major_version == "12"'
+
+# support ubuntu 22
+- name: "check for os support"
+  ansible.builtin.set_fact:
+    os_support: true
+  when:
+    - 'ansible_distribution == "Ubuntu"'
+    - 'ansible_distribution_major_version == "22"'
+
+# support ubuntu 24
+- name: "check for os support"
+  ansible.builtin.set_fact:
+    os_support: true
+  when:
+    - 'ansible_distribution == "Ubuntu"'
+    - 'ansible_distribution_major_version == "24"'
+
+# fail role when not supported
+- name: "unsupported role"
+  ansible.builtin.fail:
+    msg: "This role not supported on this Operating System."
+  when:
+    - "os_support is not defined"
--- a/tasks/service.yaml
+++ b/tasks/service.yaml
@ -0,0 +1,8 @@
+---
+
+# manage service
+- name: "service - {{ __service['name'] }}"
+  ansible.builtin.service:
+    name: "{{ __service['name'] }}"
+    enabled: "{{ __service['enabled'] }}"
+    state: "{{ __service['state'] }}"
--- a/tasks/snap/snap_daemon.yaml
+++ b/tasks/snap/snap_daemon.yaml
@ -0,0 +1,38 @@
+---
+
+# set defaults
+- name: "set facts"
+  ansible.builtin.set_fact:
+    __snapd_service: "{{ snapd_service | default('false') }}"
+  tags:
+    - "snap"
+
+# purge snapd
+- name: "snapd - purge - package"
+  ansible.builtin.apt:
+    name: "snapd"
+    state: "absent"
+    purge: "yes"
+  when: "not __snapd_service"
+  tags:
+    - "snap"
+
+# install snapd
+- name: "snapd - install - package"
+  ansible.builtin.apt:
+    name: "snapd"
+    state: "present"
+    cache_valid_time: "120"
+  when: "__snapd_service"
+  tags:
+    - "snap"
+
+# enable snapd
+- name: "snapd - enable snapd service"
+  ansible.builtin.service:
+    name: "snapd"
+    state: "started"
+    enabled: true
+  when: "__snapd_service"
+  tags:
+    - "snap"
--- a/tasks/snap/snap_package.yaml
+++ b/tasks/snap/snap_package.yaml
@ -0,0 +1,13 @@
+---
+
+# install snap
+- name: "snap - install - packages"
+  community.general.snap:
+    name: "{{ __snap_package['name'] }}"
+    state: "present"
+    channel: "{{ __snap_package['channel'] | default('stable') }}"
+  loop: "{{ snap_package }}"
+  loop_control:
+    loop_var: "__snap_package"
+  tags:
+    - "snap"
--- a/tasks/sshd.yaml
+++ b/tasks/sshd.yaml
@ -0,0 +1,13 @@
+---
+
+# configure sshd
+- name: "config - sshd"
+  ansible.builtin.template:
+    src: "templates/sshd/sshd_config.j2"
+    dest: "/etc/ssh/sshd_config"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  notify: "restart sshd"
+  tags:
+    - "sshd"
--- a/tasks/swap.yaml
+++ b/tasks/swap.yaml
@ -0,0 +1,94 @@
+---
+
+# enable or disable swap
+- name: "swap - set variable"
+  ansible.builtin.set_fact:
+    __swap: "{{ swap | default('true') }}"
+  tags:
+    - "swap"
+
+# verify swapfile
+- name: "swap - verify swapfile"
+  ansible.builtin.stat:
+    path: "{{ swap_file_location | default('/swapfile') }}"
+  register: "swap_file_check"
+  tags:
+    - "swap"
+
+## create swap
+# create swap file
+- name: "swap - create swap file"
+  ansible.builtin.command: "fallocate -l {{ swap_file_size }} {{ swap_file_location }}"
+  when: "not swap_file_check.stat.exists and __swap"
+  tags:
+    - "swap"
+
+# set swap file permissions
+- name: "swap - set permissions "
+  ansible.builtin.file:
+    path: "{{ swap_file_location }}"
+    owner: "root"
+    group: "root"
+    mode: "0600"
+  when: "__swap"
+  tags:
+    - "swap"
+
+# 'format' swapfile
+- name: "swap - format swap file"
+  ansible.builtin.command: "mkswap {{ swap_file_location }}"
+  when: "not swap_file_check.stat.exists and __swap"
+  tags:
+    - "swap"
+
+# configure fstab
+- name: "swap - configure fstab"
+  ansible.posix.mount:
+    name: "swapfile"
+    src: "{{ swap_file_location | default('/swapfile') }}"
+    fstype: "swap"
+    opts: "sw"
+    passno: "0"
+    dump: "0"
+    state: "present"
+  when: "__swap"
+  tags:
+    - "swap"
+
+# enable swap
+- name: "swap - enable swap"
+  ansible.builtin.command: "swapon -a"
+  when: "not swap_file_check.stat.exists and __swap"
+  tags:
+    - "swap"
+
+## delete swap
+# disable swap
+- name: "swap - disable swap"
+  ansible.builtin.command: "swapoff -a"
+  when: "swap_file_check.stat.exists and not __swap"
+  tags:
+    - "swap"
+
+# delete swap file
+- name: "swap - delete swap file"
+  ansible.builtin.file:
+    path: "{{ swap_file_location }}"
+    state: "absent"
+  when: "swap_file_check.stat.exists and not __swap"
+  tags:
+    - "swap"
+
+# configure fstab
+- name: "swap - configure fstab"
+  ansible.posix.mount:
+    name: "swapfile"
+    src: "{{ swap_file_location | default('/swapfile') }}"
+    fstype: "swap"
+    opts: "sw"
+    passno: "0"
+    dump: "0"
+    state: "absent"
+  when: "not __swap"
+  tags:
+    - "swap"
--- a/tasks/sysctl.yaml
+++ b/tasks/sysctl.yaml
@ -0,0 +1,10 @@
+---
+
+# configure sysctl
+- name: "sysctl - set {{ __sysctl['name'] }}"
+  ansible.posix.sysctl:
+    name: "{{ __sysctl['name'] }}"
+    value: "{{ __sysctl['value'] }}"
+    sysctl_set: "yes"
+  tags:
+    - "sysctl"
--- a/tasks/syslog/config.yaml
+++ b/tasks/syslog/config.yaml
@ -0,0 +1,53 @@
+---
+
+# configure rsyslogd - debian
+- name: "syslog - config - rsyslog - debian"
+  ansible.builtin.template:
+    src: "templates/syslog/rsyslog/rsyslog.debian.conf.j2"
+    dest: "/etc/rsyslog.conf"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  when: 'ansible_distribution == "Debian"'
+  notify: "restart rsyslog"
+  tags:
+    - "syslog"
+
+# configure rsyslogd - ubuntu
+- name: "syslog - config - rsyslog - ubuntu"
+  ansible.builtin.template:
+    src: "templates/syslog/rsyslog/rsyslog.ubuntu.conf.j2"
+    dest: "/etc/rsyslog.conf"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  when: 'ansible_distribution == "Ubuntu"'
+  notify: "restart rsyslog"
+  tags:
+    - "syslog"
+
+# configure rsyslogd - apt
+- name: "syslog - config - apt"
+  ansible.builtin.template:
+    src: "templates/syslog/rsyslog.d/apt.conf.j2"
+    dest: "/etc/rsyslog.d/apt.conf"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  when: 'ansible_os_family == "Debian"'
+  notify: "restart rsyslog"
+  tags:
+    - "syslog"
+
+# configure rsyslogd - observium
+- name: "syslog - config - remote-logging"
+  ansible.builtin.template:
+    src: "templates/syslog/rsyslog.d/remote-logging.j2"
+    dest: "/etc/rsyslog.d/remote-logging.conf"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  when: 'ansible_os_family == "Debian"'
+  notify: "restart rsyslog"
+  tags:
+    - "syslog"
--- a/tasks/syslog/install.yaml
+++ b/tasks/syslog/install.yaml
@ -0,0 +1,11 @@
+---
+
+# install rsyslog
+- name: "syslog - install - rsyslog"
+  ansible.builtin.apt:
+    name: "rsyslog"
+    state: "present"
+    cache_valid_time: "3600"
+  when: 'ansible_os_family == "Debian"'
+  tags:
+    - "syslog"
--- a/tasks/systemctl.yaml
+++ b/tasks/systemctl.yaml
@ -0,0 +1,14 @@
+---
+
+# configure fstrim.timer
+- name: "systemctl - config - fstrim.timer"
+  ansible.builtin.template:
+    src: "templates/systemctl/fstrim.timer.j2"
+    dest: "/usr/lib/systemd/system/fstrim.timer"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  when: 'ansible_os_family == "Debian"'
+  notify: "daemon-reload fstrim.timer"
+  tags:
+    - "systemctl"
--- a/tasks/telemetry.yaml
+++ b/tasks/telemetry.yaml
@ -0,0 +1,10 @@
+---
+
+# delete daily popularity contest cronjob
+- name: "telemetry - delete popularity-contest cron"
+  ansible.builtin.file:
+    path: "/etc/cron.daily/popularity-contest"
+    state: "absent"
+  when: 'ansible_distribution == "Ubuntu"'
+  tags:
+    - "telemetry"
--- a/tasks/timezone.yaml
+++ b/tasks/timezone.yaml
@ -0,0 +1,8 @@
+---
+
+# set timezone
+- name: "timezone - set {{ timezone }}"
+  community.general.timezone:
+    name: "{{ timezone }}"
+  tags:
+    - "timezone"
--- a/tasks/user.yaml
+++ b/tasks/user.yaml
@ -0,0 +1,81 @@
+---
+
+# manage facts
+- name: "user - set default facts for {{ __user['username'] }}"
+  ansible.builtin.set_fact:
+    sudo_hosts: "{{ __user['hosts'] | default('all') }}"
+    sudo_file: "{{ __user['sudo'] | default('False') }}"
+    sudo_pwless: "{{ __user['sudo_passwordless'] | default('False') }}"
+    user_state: "{{ __user['state'] | default('present') }}"
+  tags:
+    - "usermanagement"
+
+# create users
+- name: "user - create users with password - {{ __user['username'] }}"
+  ansible.builtin.user:
+    name: "{{ __user['username'] }}"
+    comment: "{{ __user['name'] }}"
+    password: "{{ __user['password'] }}"
+    shell: "{{ __user['shell'] | default('/bin/bash') }}"
+    state: "present"
+  when:
+    - "__user['password'] is defined"
+    - "user_state == 'present'"
+  tags:
+    - "usermanagement"
+
+- name: "user - create users withouth password - {{ __user['username'] }}"
+  ansible.builtin.user:
+    name: "{{ __user['username'] }}"
+    comment: "{{ __user['name'] }}"
+    shell: "{{ __user['shell'] | default('/bin/bash') }}"
+    state: "state"
+  when:
+    - "__user['password'] is not defined"
+    - "user_state == 'present'"
+  tags:
+    - "usermanagement"
+
+# manage authorized_keys
+- name: "user - manage authorized_keys - {{ __user['username'] }}"
+  ansible.posix.authorized_key:
+    user: "{{ __user['username'] }}"
+    key: "{{ __user['publickey'] }}"
+    state: "present"
+    manage_dir: "true"
+  when:
+    - "__user['publickey'] is defined"
+  tags:
+    - "usermanagement"
+
+# delete users
+- name: "user - delete users - {{ __user['username'] }}"
+  ansible.builtin.user:
+    name: "{{ __user['username'] }}"
+    state: "absent"
+    remove: "yes"
+  when: "user_state == 'absent'"
+  tags:
+    - "usermanagement"
+
+# manage sudoers file
+- name: "user - create sudoers file - {{ __user['username'] }}"
+  ansible.builtin.template:
+    src: "templates/usermanagement/sudoers.d/sudoers.j2"
+    dest: "/etc/sudoers.d/{{ __user['username'] }}"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  when:
+    - "sudo_file"
+  tags:
+    - "usermanagement"
+
+- name: "user - delete sudoers file - {{ __user['username'] }}"
+  ansible.builtin.file:
+    state: "absent"
+    path: "/etc/sudoers.d/{{ __user['username'] }}"
+  when:
+    - "not sudo_file"
+  tags:
+    - "usermanagement"