feat: move to dedicated repo

Simon Cornet 2024-11-22 11:13:16 +01:00
commit 4a88a5b28d
54 changed files with 1524 additions and 0 deletions

16
.ansible-lint Normal file

@ -0,0 +1,16 @@
---
kinds:
- playbook: '**/*.{yml,yaml}'
skip_list:
- 'command-shell'
- 'experimental'
- 'git-latest'
- 'no-changed-when'
- 'no-handler'
- 'name[casing]'
- 'name[template]'
- 'risky-file-permissions'
- 'schema[tasks]'
- 'var-naming[no-role-prefix]'
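Review bot: The skip_list at lines 16-26 disables `risky-file-permissions`, `no-changed-when` and `command-shell` repository-wide, which silences exactly the findings this role is prone to: the `command` tasks in tasks/swap.yaml carry no `changed_when`, and `risky-file-permissions` is the rule that catches a file task written without `mode`. Prefer a per-task `# noqa no-changed-when` on the handful of tasks that genuinely need the exception so every new task is still checked. Skipping `name[casing]` and `name[template]` is harmless given the lowercase task-name convention used throughout.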

30
.yamllint Normal file

@ -0,0 +1,30 @@
---
extends: 'default'
rules:
braces:
max-spaces-inside: 1
forbid: true
comments:
min-spaces-from-content: 1
comments-indentation: false
empty-lines:
max: 2
indentation:
spaces: 2
check-multi-line-strings: true
line-length:
max: 130
allow-non-breakable-words: true
allow-non-breakable-inline-mappings: true
new-line-at-end-of-file: 'enable'
octal-values:
forbid-implicit-octal: true
forbid-explicit-octal: true
truthy:
allowed-values:
- 'true'
- 'false'
quoted-strings:
quote-type: 'any'
required: true

56
handlers/main.yaml Normal file

@ -0,0 +1,56 @@
---
# apt
- name: "apt force cache update"
ansible.builtin.apt:
update_cache: true
# chrony
- name: "restart chrony"
ansible.builtin.service:
name: "chrony"
enabled: true
state: "restarted"
# collectd
- name: "restart collectd"
ansible.builtin.service:
name: "collectd"
enabled: true
state: "restarted"
# fstrim.timer
- name: "daemon-reload fstrim.timer"
ansible.builtin.service:
name: "fstrim.timer"
enabled: true
state: "restarted"
daemon_reload: true
# journald
- name: "restart journald"
ansible.builtin.service:
name: "systemd-journald.service"
enabled: true
state: "restarted"
# lldpd
- name: "restart lldpd"
ansible.builtin.service:
name: "lldpd"
enabled: true
state: "restarted"
# rsyslog
- name: "restart rsyslog"
ansible.builtin.service:
name: "rsyslog"
enabled: true
state: "restarted"
# sshd
- name: "restart sshd"
ansible.builtin.systemd:
name: "sshd.service"
state: "restarted"
enabled: true
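Review bot: The `daemon-reload fstrim.timer` handler at lines 86-91 passes `daemon_reload: true` to `ansible.builtin.service`, which does not document that option; it only works because the service action delegates to the systemd module on systemd hosts, and would fail with an unsupported-parameter error under any other service manager. Declare it with `ansible.builtin.systemd:` as the `restart sshd` handler at lines 111-115 already does, so the intent is explicit and the two handlers are consistent. The remaining service handlers could move to `ansible.builtin.systemd` for the same reason, since every supported OS in this role is systemd-based.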

9
readme.md Normal file

@ -0,0 +1,9 @@
# Overview
This role manages the build-in 'core' Operating System components and defaults tailored for Siempie.
# Supported Operating Systems
| Operating System | Version |
| --- | ----- |
| Debian | 12
| Ubuntu | 22 LTS
| Ubuntu | 24 LTS

24
tasks/apt/config.yaml Normal file

@ -0,0 +1,24 @@
---
# configure apt auto update
- name: "apt - config - configure apt periodic"
ansible.builtin.template:
src: "templates/apt/conf.d/10periodic.j2"
dest: "/etc/apt/apt.conf.d/10periodic"
owner: "root"
group: "root"
mode: "0644"
when: 'ansible_os_family == "Debian"'
tags:
- "apt"
- name: "apt - config - configure apt unatteded updates"
ansible.builtin.template:
src: "templates/apt/conf.d/50unattended-upgrades.{{ ansible_distribution }}.j2"
dest: "/etc/apt/apt.conf.d/50unattended-upgrades"
owner: "root"
group: "root"
mode: "0644"
when: 'ansible_os_family == "Debian"'
tags:
- "apt"
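Review bot: The task name at line 148 misspells the feature it configures; task names are what operators grep for in run output, so it should read `name: "apt - config - configure apt unattended updates"`. The template name at line 150 is selected by `ansible_distribution` while the guard at line 155 tests `ansible_os_family`, so any Debian derivative other than Debian/Ubuntu would fail at template lookup rather than be skipped — fine while ossupport.yaml only admits those two, but worth a comment such as `# template exists for Debian and Ubuntu only (see ossupport.yaml)`.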

27
tasks/apt/packages.yaml Normal file

@ -0,0 +1,27 @@
---
# install packages
- name: "apt - install - packages"
ansible.builtin.apt:
name: "{{ apt_default_install }}"
state: "present"
update_cache: true
when: 'ansible_os_family == "Debian"'
loop: "{{ apt_default_packages_install }}"
loop_control:
loop_var: "apt_default_install"
tags:
- "apt"
# purge packages
- name: "apt - delete - packages"
ansible.builtin.apt:
name: "{{ apt_default_delete }}"
state: "absent"
purge: true
when: 'ansible_os_family == "Debian"'
loop: "{{ apt_default_packages_delete }}"
loop_control:
loop_var: "apt_default_delete"
tags:
- "apt"
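Review bot: Both tasks loop over a package list and hand one package per iteration to apt, and the install task additionally sets `update_cache: true`, so the cache is refreshed once per package. `ansible.builtin.apt` accepts a list in `name`, so pass the list directly and drop `loop`/`loop_control`: `name: "{{ apt_default_packages_install }}"` (and `name: "{{ apt_default_packages_delete }}"` for the purge task); that yields one apt transaction, one cache update, and dependency resolution across the whole set. If the loop is kept on purpose, add `cache_valid_time` so each iteration does not go back to the mirrors.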

42
tasks/apt/sources.yaml Normal file

@ -0,0 +1,42 @@
---
# configure apt sources
- name: "apt - config - configure apt sources"
ansible.builtin.template:
src: "templates/apt/sources.d/sources.list.{{ ansible_distribution }}.j2"
dest: "/etc/apt/sources.list"
owner: "root"
group: "root"
mode: "0644"
when:
- 'ansible_os_family == "Debian"'
- 'ansible_distribution_major_version <= "23"'
notify: "apt force cache update"
tags:
- "apt"
# configure apt sources
- name: "apt - config - configure apt sources"
ansible.builtin.template:
src: "templates/apt/sources.d/{{ ansible_distribution }}.sources.j2"
dest: "/etc/apt/sources.list.d/ubuntu.sources"
owner: "root"
group: "root"
mode: "0644"
when:
- 'ansible_distribution == "Ubuntu"'
- 'ansible_distribution_major_version >= "24"'
notify: "apt force cache update"
tags:
- "apt"
# delete unused sources.list
- name: "apt - config - remove old sources.list"
ansible.builtin.file:
path: "/etc/apt/sources.list"
state: "absent"
when:
- 'ansible_distribution == "Ubuntu"'
- 'ansible_distribution_major_version >= "24"'
tags:
- "apt"
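Review bot: The conditions at lines 206, 220 and 231 compare `ansible_distribution_major_version` as strings, so `<= "23"` and `>= "24"` are lexicographic comparisons that happen to hold for 12, 22 and 24 but break for any single-digit or three-digit release. Cast before comparing: `'ansible_distribution_major_version | int <= 23'` and `'ansible_distribution_major_version | int >= 24'`. The first two tasks share the name `apt - config - configure apt sources`, which makes run output and `--start-at-task` ambiguous; suffixing them with the format (`sources.list` / `deb822`) fixes that.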

13
tasks/cron.yaml Normal file

@ -0,0 +1,13 @@
---
# configure cron
- name: "cron - config - zfs kstat"
ansible.builtin.template:
src: "templates/cron/mount_zfs_kstat.j2"
dest: "/etc/cron.d/mount_zfs_kstat"
owner: "root"
group: "root"
mode: "0644"
when: 'type == "lxc"'
tags:
- "cron"

42
tasks/crowdsec.yaml Normal file

@ -0,0 +1,42 @@
---
# install crowdsec signing key
- name: "install signing key"
ansible.builtin.get_url:
url: "https://packagecloud.io/crowdsec/crowdsec/gpgkey"
dest: "/etc/apt/keyrings/crowdsec_crowdsec-archive-keyring.gpg"
mode: "0644"
register: "install_crowdsec_key"
tags:
- "crowdsec"
# update apt cache if required
- name: "update apt cache"
ansible.builtin.apt:
update_cache: true
when:
- 'ansible_os_family == "Debian"'
- "install_crowdsec_key.changed"
tags:
- "crowdsec"
# install crowdsec security engine
- name: "install crowdsec security engine"
ansible.builtin.apt:
name: "crowdsec"
state: "present"
cache_valid_time: "120"
when: 'ansible_os_family == "Debian"'
register: "crowdsec_installed"
tags:
- "crowdsec"
# install crowdsec firewall bouncer
- name: "install crowdsec firewall bouncer"
ansible.builtin.apt:
name: "crowdsec-firewall-bouncer"
state: "present"
cache_valid_time: "120"
when: 'ansible_os_family == "Debian"'
tags:
- "crowdsec"
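Review bot: The signing key fetched at lines 261-264 is downloaded over HTTPS but not pinned, so a changed or substituted key file is installed silently and the task re-downloads on every run; `ansible.builtin.get_url` takes `checksum: "sha256:<EXPECTED_SHA256>"` (placeholder — take the digest from the vendor's published key), which both pins the key and makes the task idempotent. The file is named `.gpg` while the packagecloud endpoint serves an ASCII-armored key; current apt on Debian 12 / Ubuntu 22 accepts armored keys in `Signed-By`, but verify rather than rely on it. No task in this commit adds the packagecloud repository entry that would reference this keyring, so the `apt` install at lines 278-282 presumably depends on a source configured elsewhere — confirm, otherwise the install fails on a fresh host.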

13
tasks/environment.yaml Normal file

@ -0,0 +1,13 @@
---
# set environment file
- name: "set environment file"
ansible.builtin.template:
src: "templates/environment/environment.j2"
dest: "/etc/environment"
owner: "root"
group: "root"
mode: "0644"
when: 'ansible_distribution == "Ubuntu"'
tags:
- "environment-file"


@ -0,0 +1,11 @@
---
# generic settings
- name: "firewall - set default policy and enable logging"
community.general.ufw:
state: "enabled"
direction: "incoming"
policy: "deny"
logging: "on"
tags:
- "firewall"
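Review bot: This task enables ufw with `policy: "deny"` for incoming traffic before any allow rule exists; tasks/main.yaml imports it ahead of the `firewall/firewall-rules.yaml` includes, so a failure between this task and the SSH allow rule leaves the host unreachable for new connections, and a host whose `firewall_rules_common` lacks an SSH rule is locked out on the first run. Apply the rules first and enable the firewall last, or add an explicit allow for the control connection in this file before `state: "enabled"`, e.g. `community.general.ufw:` with `rule: "allow"`, `to_port: "{{ ansible_port | default(22) }}"`, `proto: "tcp"`. `logging: "on"` is accepted by the module, but `logging: "low"` says the same thing without a truthy-looking scalar.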


@ -0,0 +1,26 @@
---
# basic firewall rules
- name: "firewall - allow incoming routed traffic"
community.general.ufw:
rule: "allow"
route: "yes"
src: "{{ item[0] }}"
dest: "{{ item[1] }}"
with_nested:
- "{{ __rule['source_nets'] }}"
- "{{ __rule['destination_nets'] }}"
tags:
- "firewall"
- name: "firewall - allow outgoing routed traffic"
community.general.ufw:
rule: "allow"
route: "yes"
src: "{{ item[1] }}"
dest: "{{ item[0] }}"
with_nested:
- "{{ __rule['source_nets'] }}"
- "{{ __rule['destination_nets'] }}"
tags:
- "firewall"
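Review bot: The second task at lines 345-353 repeats the nested allow with `src`/`dest` swapped, which permits the destination networks to initiate routed connections back into the source networks, not merely to reply. ufw's default before.rules already accept ESTABLISHED/RELATED traffic on the forward chain, so if one-way access is intended the second task should be dropped; if bidirectional access is intended, say so in the comment (`# routed access is deliberately symmetric between source_nets and destination_nets`). `route: "yes"` is a quoted string for a boolean option; write `route: true` (the same applies to `purge: "yes"` in tasks/lxd.yaml and tasks/snap/snap_daemon.yaml and to `sysctl_set: "yes"` in tasks/sysctl.yaml).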


@ -0,0 +1,12 @@
---
# create firewall rule
- name: "firewall - allow {{ __rule['to_port'] }} from {{ __rule['from_ip'] }}"
community.general.ufw:
rule: "allow"
direction: "in"
proto: "{{ __rule['proto'] | default('tcp') }}"
from_ip: "{{ __rule['from_ip'] }}"
to_port: "{{ __rule['to_port'] }}"
tags:
- "firewall"

9
tasks/hostname.yaml Normal file

@ -0,0 +1,9 @@
---
# set hostname
- name: "set hostname"
ansible.builtin.hostname:
name: "{{ set_hostname | default(inventory_hostname) }}"
use: "{{ hostname_use_method }}"
tags:
- "hostname"

14
tasks/journald.yaml Normal file

@ -0,0 +1,14 @@
---
# configure journald
- name: "syslog - config - configure journald"
ansible.builtin.template:
src: "templates/journald/journald.conf.j2"
dest: "/etc/systemd/journald.conf"
owner: "root"
group: "root"
mode: "0644"
when: 'ansible_distribution == "Ubuntu"'
notify: "restart journald"
tags:
- "journald"

12
tasks/lldpd.yaml Normal file

@ -0,0 +1,12 @@
---
# install lldpd
- name: "lldpd - installation package"
ansible.builtin.apt:
name: "lldpd"
state: "present"
cache_valid_time: "3600"
when: 'ansible_os_family == "Debian"'
notify: "restart lldpd"
tags:
- "lldp"

9
tasks/locale.yaml Normal file

@ -0,0 +1,9 @@
---
# set locale
- name: "set locale"
community.general.locale_gen:
name: "en_US.UTF-8"
state: "present"
tags:
- "locale"

11
tasks/lxd.yaml Normal file

@ -0,0 +1,11 @@
---
# remove lxd
- name: "lxd - purge package"
ansible.builtin.apt:
name: "lxd"
state: "absent"
purge: "yes"
when: 'ansible_os_family == "Debian"'
tags:
- "lxd"

321
tasks/main.yaml Normal file

@ -0,0 +1,321 @@
---
# check os support
- name: "check for os support"
ansible.builtin.import_tasks: "ossupport.yaml"
tags:
- "apt"
- "cron"
- "crowdsec"
- "environment-file"
- "hostname"
- "firewall"
- "journald"
- "locale"
- "lldp"
- "lxd"
- "motd"
- "ntp"
- "telemetry"
- "snap"
- "sshd"
- "swap"
- "sysctl"
- "systemctl"
- "syslog"
- "timezone"
- "usermanagement"
# load os variables
- name: "include os specific vars"
ansible.builtin.include_vars: "{{ ansible_os_family }}.yaml"
when: "os_support"
tags:
- "apt"
- "cron"
- "crowdsec"
- "environment-file"
- "hostname"
- "firewall"
- "journald"
- "locale"
- "lldp"
- "lxd"
- "motd"
- "ntp"
- "telemetry"
- "snap"
- "sshd"
- "sysctl"
- "systemctl"
- "syslog"
- "timezone"
- "usermanagement"
# set hostname
- name: "set hostname"
ansible.builtin.import_tasks: "hostname.yaml"
when: "os_support"
tags: "hostname"
# flush handler
- name: "flush handlers"
ansible.builtin.meta: "flush_handlers"
# set locale
- name: "set locale"
ansible.builtin.import_tasks: "locale.yaml"
when: "os_support"
tags: "locale"
# flush handler
- name: "flush handlers"
ansible.builtin.meta: "flush_handlers"
# environment
- name: "environment"
ansible.builtin.import_tasks: "environment.yaml"
when: "os_support"
tags: "environment-file"
# flush handler
- name: "flush handlers"
ansible.builtin.meta: "flush_handlers"
# motd
- name: "motd"
ansible.builtin.import_tasks: "motd.yaml"
when: "os_support"
tags: "motd"
# cron jobs
- name: "cron jobs"
ansible.builtin.import_tasks: "cron.yaml"
when: "os_support"
tags: "cron"
# flush handler
- name: "flush handlers"
ansible.builtin.meta: "flush_handlers"
# swap
- name: "swap"
ansible.builtin.import_tasks: "swap.yaml"
when:
- "os_support"
- 'type == "vm"'
tags: "swap"
# apt
- name: "apt"
ansible.builtin.import_tasks: "apt/sources.yaml"
when: "os_support"
tags: "apt"
# flush handler
- name: "flush handlers"
ansible.builtin.meta: "flush_handlers"
- name: "apt - packages"
ansible.builtin.import_tasks: "apt/packages.yaml"
when: "os_support"
tags: "apt"
- name: "apt - config"
ansible.builtin.import_tasks: "apt/config.yaml"
when: "os_support"
tags: "apt"
# telemetry
- name: "telemetry"
ansible.builtin.import_tasks: "telemetry.yaml"
when: "os_support"
tags: "telemetry"
# service
- name: "service"
ansible.builtin.include_tasks: "service.yaml"
loop: "{{ service }}"
loop_control:
loop_var: "__service"
when:
- "os_support"
- "service is defined"
# flush handler
- name: "flush handlers"
ansible.builtin.meta: "flush_handlers"
# chrony
- name: "ntp"
ansible.builtin.import_tasks: "ntp.yaml"
when:
- "os_support"
- 'type == "vm" or type == "hw"'
tags: "ntp"
# flush handler
- name: "flush handlers"
ansible.builtin.meta: "flush_handlers"
# snap
- name: "snap - daemon"
ansible.builtin.import_tasks: "snap/snap_daemon.yaml"
when: "os_support"
tags: "snap"
- name: "snap - package"
ansible.builtin.import_tasks: "snap/snap_package.yaml"
when:
- "os_support"
- "snap_package is defined"
tags: "snap"
# llpd
- name: "lldpd"
ansible.builtin.import_tasks: "lldpd.yaml"
when:
- "os_support"
- 'type == "vm" or type == "hw"'
tags: "lldp"
# flush handler
- name: "flush handlers"
ansible.builtin.meta: "flush_handlers"
# lxd
- name: "lxd"
ansible.builtin.import_tasks: "lxd.yaml"
when:
- "os_support"
- 'type == "vm"'
tags: "lxd"
# flush handler
- name: "flush handlers"
ansible.builtin.meta: "flush_handlers"
# sysctl
- name: "sysctl - set sysctl"
ansible.builtin.include_tasks: "sysctl.yaml"
loop: "{{ sysctl }}"
loop_control:
loop_var: "__sysctl"
when:
- "os_support"
- 'type == "vm" or type == "hw"'
tags: "sysctl"
# systemctl
- name: "sysctl - set systemctl"
ansible.builtin.include_tasks: "systemctl.yaml"
loop: "{{ systemctl }}"
loop_control:
loop_var: "__systemctl"
when:
- "os_support"
- 'type == "vm"'
tags: "systemctl"
# syslog
- name: "syslog - install"
ansible.builtin.import_tasks: "syslog/install.yaml"
when:
- "os_support"
- "syslog_enable"
tags: "syslog"
- name: "syslog - config"
ansible.builtin.import_tasks: "syslog/config.yaml"
when:
- "os_support"
- "syslog_enable"
tags: "syslog"
# flush handler
- name: "flush handlers"
ansible.builtin.meta: "flush_handlers"
# journald
- name: "journald"
ansible.builtin.import_tasks: "journald.yaml"
when: "os_support"
tags: "journald"
# flush handler
- name: "flush handlers"
ansible.builtin.meta: "flush_handlers"
# timezone
- name: "timezone"
ansible.builtin.import_tasks: "timezone.yaml"
when: "os_support"
tags: "timezone"
# sshd
- name: "sshd"
ansible.builtin.import_tasks: "sshd.yaml"
when: "os_support"
tags: "sshd"
# flush handler
- name: "flush handlers"
ansible.builtin.meta: "flush_handlers"
# user
- name: "user - create users"
ansible.builtin.include_tasks: "user.yaml"
loop: "{{ user }}"
loop_control:
loop_var: "__user"
when: "os_support"
tags: "usermanagement"
# crowdsec
- name: "crowdsec security engine"
ansible.builtin.include_tasks: "crowdsec.yaml"
when:
- "os_support"
- "crowdsec_enable"
tags: "crowdsec"
# firewall
- name: "firewall"
ansible.builtin.import_tasks: "firewall/firewall-general.yaml"
when:
- "os_support"
- "firewall_enabled"
tags: "firewall"
# firewall common rules
- name: "create firewall rules"
ansible.builtin.include_tasks: "firewall/firewall-rules.yaml"
loop: "{{ firewall_rules_common }}"
loop_control:
loop_var: "__rule"
when:
- "os_support"
- "firewall_rules_common is defined and firewall_enabled"
tags: "firewall"
# firewall routed rules
- name: "create routed firewall rules"
ansible.builtin.include_tasks: "firewall/firewall-rules-routed.yaml"
loop: "{{ firewall_rules_routed }}"
loop_control:
loop_var: "__rule"
when:
- "os_support"
- "firewall_rules_routed is defined and firewall_enabled"
tags: "firewall"
# firewall host rules
- name: "create firewall rules"
ansible.builtin.include_tasks: "firewall/firewall-rules.yaml"
loop: "{{ firewall_rules }}"
loop_control:
loop_var: "__rule"
when:
- "os_support"
- "firewall_rules is defined and firewall_enabled"
tags: "firewall"
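Review bot: The include tasks at lines 574-581, 706-713, 716-723 and 726-733 guard an undefined list with `... is defined` in `when`, but Ansible evaluates `loop` before `when`, so an undefined `service`, `firewall_rules_common`, `firewall_rules_routed` or `firewall_rules` aborts the play with an undefined-variable error instead of skipping the task. Use `loop: "{{ firewall_rules_common | default([]) }}"` (and likewise for the other three) and keep the `when` only for `firewall_enabled`; the `sysctl`, `systemctl` and `user` loops at lines 629, 639 and 686 have no guard at all and need the same default. Two tasks at lines 706 and 726 share the name `create firewall rules`, which makes run output and `--start-at-task` ambiguous. The comment at line 606 misspells `lldpd`.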

43
tasks/motd.yaml Normal file

@ -0,0 +1,43 @@
---
# find old motd files
- name: "motd - find old scripts"
ansible.builtin.find:
paths: "/etc/update-motd.d/"
file_type: "file"
excludes:
- "10-custom-motd"
register: "old_motd"
tags:
- "motd"
# remove old custom motd files
- name: "motd - cleanup directory"
ansible.builtin.file:
path: "{{ item.path }}"
state: "absent"
loop: "{{ old_motd.files }}"
when: "old_motd.files|length > 0"
tags:
- "motd"
# remove old motd files
- name: "motd - cleanup main file"
ansible.builtin.file:
path: "/etc/motd"
state: "absent"
when: "inventory_hostname != 'bastion.siempie.internal'"
tags:
- "motd"
# configure motd
- name: "motd - siempie"
ansible.builtin.template:
src: "templates/motd/motd.sh.j2"
dest: "/etc/update-motd.d/10-custom-motd"
owner: "root"
group: "root"
mode: "0755"
when: 'ansible_os_family == "Debian"'
tags:
- "motd"
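Review bot: The condition at line 766 hard-codes `bastion.siempie.internal` into a reusable role, so the exception travels with the role instead of with that host's inventory. Replace it with a variable the host sets in its host_vars: `when: "not (motd_keep_main_file | default(false) | bool)"`. The guard `when: "old_motd.files|length > 0"` at line 758 is redundant, since an empty `loop` list simply runs zero iterations.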

23
tasks/ntp.yaml Normal file

@ -0,0 +1,23 @@
---
# install chrony
- name: "ntp - install - chrony debian"
ansible.builtin.apt:
name: "chrony"
state: "present"
when: 'ansible_os_family == "Debian"'
tags:
- "ntp"
# configure chrony
- name: "ntp - config - configure chrony"
ansible.builtin.template:
src: "templates/chrony/chrony.conf.j2"
dest: "/etc/chrony/chrony.conf"
owner: "root"
group: "root"
mode: "0644"
when: 'ansible_os_family == "Debian"'
notify: "restart chrony"
tags:
- "ntp"

32
tasks/ossupport.yaml Normal file

@ -0,0 +1,32 @@
---
# support debian 12
- name: "check for os support"
ansible.builtin.set_fact:
os_support: true
when:
- 'ansible_distribution == "Debian"'
- 'ansible_distribution_major_version == "12"'
# support ubuntu 22
- name: "check for os support"
ansible.builtin.set_fact:
os_support: true
when:
- 'ansible_distribution == "Ubuntu"'
- 'ansible_distribution_major_version == "22"'
# support ubuntu 24
- name: "check for os support"
ansible.builtin.set_fact:
os_support: true
when:
- 'ansible_distribution == "Ubuntu"'
- 'ansible_distribution_major_version == "24"'
# fail role when not supported
- name: "unsupported role"
ansible.builtin.fail:
msg: "This role not supported on this Operating System."
when:
- "os_support is not defined"
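Review bot: Three `set_fact` tasks with the identical name `check for os support` differ only in the version they test, so the supported matrix is spread over lines 819-834; a single task keeps it in one place: `when: '[ansible_distribution, ansible_distribution_major_version] in [["Debian", "12"], ["Ubuntu", "22"], ["Ubuntu", "24"]]'`. The failure message at line 838 drops a word; `msg: "This role is not supported on this Operating System."` reads as intended.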

8
tasks/service.yaml Normal file

@ -0,0 +1,8 @@
---
# manage service
- name: "service - {{ __service['name'] }}"
ansible.builtin.service:
name: "{{ __service['name'] }}"
enabled: "{{ __service['enabled'] }}"
state: "{{ __service['state'] }}"


@ -0,0 +1,38 @@
---
# set defaults
- name: "set facts"
ansible.builtin.set_fact:
__snapd_service: "{{ snapd_service | default('false') }}"
tags:
- "snap"
# purge snapd
- name: "snapd - purge - package"
ansible.builtin.apt:
name: "snapd"
state: "absent"
purge: "yes"
when: "not __snapd_service"
tags:
- "snap"
# install snapd
- name: "snapd - install - package"
ansible.builtin.apt:
name: "snapd"
state: "present"
cache_valid_time: "120"
when: "__snapd_service"
tags:
- "snap"
# enable snapd
- name: "snapd - enable snapd service"
ansible.builtin.service:
name: "snapd"
state: "started"
enabled: true
when: "__snapd_service"
tags:
- "snap"
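Review bot: `__snapd_service` at line 862 defaults to the string `'false'`, and `when: "not __snapd_service"` / `when: "__snapd_service"` at lines 871, 880 and 889 then depend on Ansible's string-to-boolean coercion of the templated value — a non-empty string is truthy in plain Jinja, which is exactly the ambiguity that leads to snapd being installed on a host that asked for its removal. Set a real boolean and filter explicitly: `__snapd_service: "{{ snapd_service | default(false) | bool }}"`, with `when: "not (__snapd_service | bool)"` and `when: "__snapd_service | bool"`. The same pattern appears with `default('true')` in tasks/swap.yaml and `default('False')` in tasks/user.yaml.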


@ -0,0 +1,13 @@
---
# install snap
- name: "snap - install - packages"
community.general.snap:
name: "{{ __snap_package['name'] }}"
state: "present"
channel: "{{ __snap_package['channel'] | default('stable') }}"
loop: "{{ snap_package }}"
loop_control:
loop_var: "__snap_package"
tags:
- "snap"

13
tasks/sshd.yaml Normal file

@ -0,0 +1,13 @@
---
# configure sshd
- name: "config - sshd"
ansible.builtin.template:
src: "templates/sshd/sshd_config.j2"
dest: "/etc/ssh/sshd_config"
owner: "root"
group: "root"
mode: "0644"
notify: "restart sshd"
tags:
- "sshd"
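Review bot: The sshd_config template is written and the daemon restarted without a syntax check, so a bad render — an undefined variable in the template, or an option the installed OpenSSH does not know — takes SSH down on every targeted host in the same run. Add `validate: "/usr/sbin/sshd -t -f %s"` to the template task; the `restart sshd` handler then only fires on a configuration sshd has accepted.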

94
tasks/swap.yaml Normal file

@ -0,0 +1,94 @@
---
# enable or disable swap
- name: "swap - set variable"
ansible.builtin.set_fact:
__swap: "{{ swap | default('true') }}"
tags:
- "swap"
# verify swapfile
- name: "swap - verify swapfile"
ansible.builtin.stat:
path: "{{ swap_file_location | default('/swapfile') }}"
register: "swap_file_check"
tags:
- "swap"
## create swap
# create swap file
- name: "swap - create swap file"
ansible.builtin.command: "fallocate -l {{ swap_file_size }} {{ swap_file_location }}"
when: "not swap_file_check.stat.exists and __swap"
tags:
- "swap"
# set swap file permissions
- name: "swap - set permissions "
ansible.builtin.file:
path: "{{ swap_file_location }}"
owner: "root"
group: "root"
mode: "0600"
when: "__swap"
tags:
- "swap"
# 'format' swapfile
- name: "swap - format swap file"
ansible.builtin.command: "mkswap {{ swap_file_location }}"
when: "not swap_file_check.stat.exists and __swap"
tags:
- "swap"
# configure fstab
- name: "swap - configure fstab"
ansible.posix.mount:
name: "swapfile"
src: "{{ swap_file_location | default('/swapfile') }}"
fstype: "swap"
opts: "sw"
passno: "0"
dump: "0"
state: "present"
when: "__swap"
tags:
- "swap"
# enable swap
- name: "swap - enable swap"
ansible.builtin.command: "swapon -a"
when: "not swap_file_check.stat.exists and __swap"
tags:
- "swap"
## delete swap
# disable swap
- name: "swap - disable swap"
ansible.builtin.command: "swapoff -a"
when: "swap_file_check.stat.exists and not __swap"
tags:
- "swap"
# delete swap file
- name: "swap - delete swap file"
ansible.builtin.file:
path: "{{ swap_file_location }}"
state: "absent"
when: "swap_file_check.stat.exists and not __swap"
tags:
- "swap"
# configure fstab
- name: "swap - configure fstab"
ansible.posix.mount:
name: "swapfile"
src: "{{ swap_file_location | default('/swapfile') }}"
fstype: "swap"
opts: "sw"
passno: "0"
dump: "0"
state: "absent"
when: "not __swap"
tags:
- "swap"
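Review bot: `swap_file_location` is defaulted to `/swapfile` in the stat and mount tasks (lines 942, 973, 1007) but used bare in the fallocate, permissions, mkswap and delete tasks (lines 949, 956, 965, 998), so a host that does not set the variable passes the existence check and then fails with an undefined variable. Resolve it once next to `__swap` at line 936, `__swap_file: "{{ swap_file_location | default('/swapfile') }}"`, and use `__swap_file` everywhere. The `command` tasks at lines 949, 965, 984 and 991 have no `changed_when`, which is the reason `no-changed-when` sits in the lint skip list; `swapon -a` and `swapoff -a` in particular always report changed. The task name at line 954 has a trailing space.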

10
tasks/sysctl.yaml Normal file

@ -0,0 +1,10 @@
---
# configure sysctl
- name: "sysctl - set {{ __sysctl['name'] }}"
ansible.posix.sysctl:
name: "{{ __sysctl['name'] }}"
value: "{{ __sysctl['value'] }}"
sysctl_set: "yes"
tags:
- "sysctl"

53
tasks/syslog/config.yaml Normal file

@ -0,0 +1,53 @@
---
# configure rsyslogd - debian
- name: "syslog - config - rsyslog - debian"
ansible.builtin.template:
src: "templates/syslog/rsyslog/rsyslog.debian.conf.j2"
dest: "/etc/rsyslog.conf"
owner: "root"
group: "root"
mode: "0644"
when: 'ansible_distribution == "Debian"'
notify: "restart rsyslog"
tags:
- "syslog"
# configure rsyslogd - ubuntu
- name: "syslog - config - rsyslog - ubuntu"
ansible.builtin.template:
src: "templates/syslog/rsyslog/rsyslog.ubuntu.conf.j2"
dest: "/etc/rsyslog.conf"
owner: "root"
group: "root"
mode: "0644"
when: 'ansible_distribution == "Ubuntu"'
notify: "restart rsyslog"
tags:
- "syslog"
# configure rsyslogd - apt
- name: "syslog - config - apt"
ansible.builtin.template:
src: "templates/syslog/rsyslog.d/apt.conf.j2"
dest: "/etc/rsyslog.d/apt.conf"
owner: "root"
group: "root"
mode: "0644"
when: 'ansible_os_family == "Debian"'
notify: "restart rsyslog"
tags:
- "syslog"
# configure rsyslogd - observium
- name: "syslog - config - remote-logging"
ansible.builtin.template:
src: "templates/syslog/rsyslog.d/remote-logging.j2"
dest: "/etc/rsyslog.d/remote-logging.conf"
owner: "root"
group: "root"
mode: "0644"
when: 'ansible_os_family == "Debian"'
notify: "restart rsyslog"
tags:
- "syslog"

11
tasks/syslog/install.yaml Normal file

@ -0,0 +1,11 @@
---
# install rsyslog
- name: "syslog - install - rsyslog"
ansible.builtin.apt:
name: "rsyslog"
state: "present"
cache_valid_time: "3600"
when: 'ansible_os_family == "Debian"'
tags:
- "syslog"

14
tasks/systemctl.yaml Normal file

@ -0,0 +1,14 @@
---
# configure fstrim.timer
- name: "systemctl - config - fstrim.timer"
ansible.builtin.template:
src: "templates/systemctl/fstrim.timer.j2"
dest: "/usr/lib/systemd/system/fstrim.timer"
owner: "root"
group: "root"
mode: "0644"
when: 'ansible_os_family == "Debian"'
notify: "daemon-reload fstrim.timer"
tags:
- "systemctl"
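Review bot: The template at lines 1111-1116 overwrites `/usr/lib/systemd/system/fstrim.timer`, a package-managed unit file, so the next upgrade of the owning package replaces it and the drift only surfaces on the next role run. Ship the customisation as a drop-in that systemd merges and package upgrades leave alone: `dest: "/etc/systemd/system/fstrim.timer.d/override.conf"`, preceded by an `ansible.builtin.file` task with `state: "directory"` for that directory, and keep the `daemon-reload` handler.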

10
tasks/telemetry.yaml Normal file

@ -0,0 +1,10 @@
---
# delete daily popularity contest cronjob
- name: "telemetry - delete popularity-contest cron"
ansible.builtin.file:
path: "/etc/cron.daily/popularity-contest"
state: "absent"
when: 'ansible_distribution == "Ubuntu"'
tags:
- "telemetry"

8
tasks/timezone.yaml Normal file

@ -0,0 +1,8 @@
---
# set timezone
- name: "timezone - set {{ timezone }}"
community.general.timezone:
name: "{{ timezone }}"
tags:
- "timezone"

81
tasks/user.yaml Normal file

@ -0,0 +1,81 @@
---
# manage facts
- name: "user - set default facts for {{ __user['username'] }}"
ansible.builtin.set_fact:
sudo_hosts: "{{ __user['hosts'] | default('all') }}"
sudo_file: "{{ __user['sudo'] | default('False') }}"
sudo_pwless: "{{ __user['sudo_passwordless'] | default('False') }}"
user_state: "{{ __user['state'] | default('present') }}"
tags:
- "usermanagement"
# create users
- name: "user - create users with password - {{ __user['username'] }}"
ansible.builtin.user:
name: "{{ __user['username'] }}"
comment: "{{ __user['name'] }}"
password: "{{ __user['password'] }}"
shell: "{{ __user['shell'] | default('/bin/bash') }}"
state: "present"
when:
- "__user['password'] is defined"
- "user_state == 'present'"
tags:
- "usermanagement"
- name: "user - create users withouth password - {{ __user['username'] }}"
ansible.builtin.user:
name: "{{ __user['username'] }}"
comment: "{{ __user['name'] }}"
shell: "{{ __user['shell'] | default('/bin/bash') }}"
state: "state"
when:
- "__user['password'] is not defined"
- "user_state == 'present'"
tags:
- "usermanagement"
# manage authorized_keys
- name: "user - manage authorized_keys - {{ __user['username'] }}"
ansible.posix.authorized_key:
user: "{{ __user['username'] }}"
key: "{{ __user['publickey'] }}"
state: "present"
manage_dir: "true"
when:
- "__user['publickey'] is defined"
tags:
- "usermanagement"
# delete users
- name: "user - delete users - {{ __user['username'] }}"
ansible.builtin.user:
name: "{{ __user['username'] }}"
state: "absent"
remove: "yes"
when: "user_state == 'absent'"
tags:
- "usermanagement"
# manage sudoers file
- name: "user - create sudoers file - {{ __user['username'] }}"
ansible.builtin.template:
src: "templates/usermanagement/sudoers.d/sudoers.j2"
dest: "/etc/sudoers.d/{{ __user['username'] }}"
owner: "root"
group: "root"
mode: "0644"
when:
- "sudo_file"
tags:
- "usermanagement"
- name: "user - delete sudoers file - {{ __user['username'] }}"
ansible.builtin.file:
state: "absent"
path: "/etc/sudoers.d/{{ __user['username'] }}"
when:
- "not sudo_file"
tags:
- "usermanagement"
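Review bot: The task at lines 1178-1183 sets `state: "state"`, a literal that `ansible.builtin.user` rejects (its choices are `present` and `absent`), so every user defined without a password fails to be created; it should read `state: "present"`. The sudoers file at lines 1210-1216 is written without a syntax check, and a broken `/etc/sudoers.d/<user>` makes sudo refuse every rule on the host, so add `validate: "/usr/sbin/visudo -cf %s"` and use `mode: "0440"`, the mode sudo's own documentation recommends for sudoers.d files. `password` at line 1170 is stored verbatim in /etc/shadow, so a comment on the variable contract (`# password must be a crypt(3) hash, never plaintext`) would stop an operator from committing a plaintext value.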


@ -0,0 +1,3 @@
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "0";
APT::Periodic::AutocleanInterval "1";


@ -0,0 +1,44 @@
Unattended-Upgrade::Origins-Pattern {
# debian
"origin=Debian,codename=${distro_codename}";
"origin=Debian,codename=${distro_codename}-updates";
"origin=Debian,codename=${distro_codename}-security";
# crowdsec
"origin=packagecloud.io/crowdsec/crowdsec,label=crowdsec";
# tailscale updates
"origin=Tailscale,codename=${distro_codename},label=Tailscale";
# zabbix
"origin=Zabbix,codename=${distro_codename},label=zabbix";
"origin=zabbix,codename=${distro_codename},label=zabbix";
};
Unattended-Upgrade::Package-Blacklist {
};
# dpkg | default > old
Dpkg::Options {
"--force-confdef";
"--force-confold";
};
# auto upgrade packages
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::DevRelease "{{ apt_devrelease | default('false') }}";
Unattended-Upgrade::AutoFixInterruptedDpkg "{{ apt_autofix_interrupted_dpkg | default('true') }}";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "{{ apt_remove_unused_kernel_packages | default('true') }}";
Unattended-Upgrade::Remove-New-Unused-Dependencies "{{ apt_remove_new_unused_dependancies | default('true') }}";
Unattended-Upgrade::Remove-Unused-Dependencies "{{ apt_remove_unused_dependancies | default('true') }}";
# auto reboot
Unattended-Upgrade::Automatic-Reboot "{{ apt_automatic_reboot }}";
Unattended-Upgrade::Automatic-Reboot-WithUsers "{{ apt_automatic_reboot_with_users | default('true') }}";
Unattended-Upgrade::Automatic-Reboot-Time "{{ apt_automatic_reboot_time }}";
# syslog
Unattended-Upgrade::SyslogEnable "{{ apt_syslog_enable | default('true') }}";
Unattended-Upgrade::SyslogFacility "{{ apt_syslog_facility | default('daemon') }}";
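Review bot: `apt_automatic_reboot` and `apt_automatic_reboot_time` at lines 1269 and 1271 are the only values rendered without a `default()`, so the template fails on any host that does not set them while every neighbouring option has a fallback. Either give them defaults in line with the rest (`default('false')` for the reboot switch, and a documented placeholder time) or state in a comment that they are required role inputs; the Ubuntu variant of this template repeats the same two lines.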


@ -0,0 +1,44 @@
Unattended-Upgrade::Allowed-Origins {
# ubuntu updates
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
"${distro_id}:${distro_codename}-updates";
"${distro_id}:${distro_codename}-proposed";
"${distro_id}:${distro_codename}-backports";
# crowdsec
"packagecloud.io/crowdsec/crowdsec:${distro_codename}";
# tailscale updates
"Tailscale:${distro_codename}";
# zabbix updates
"Zabbix:${distro_codename}";
"zabbix:${distro_codename}";
};
Unattended-Upgrade::Package-Blacklist {
};
# dpkg | default > old
Dpkg::Options {
"--force-confdef";
"--force-confold";
};
# auto upgrade packages
Unattended-Upgrade::DevRelease "{{ apt_devrelease | default('false') }}";
Unattended-Upgrade::AutoFixInterruptedDpkg "{{ apt_autofix_interrupted_dpkg | default('true') }}";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "{{ apt_remove_unused_kernel_packages | default('true') }}";
Unattended-Upgrade::Remove-New-Unused-Dependencies "{{ apt_remove_new_unused_dependancies | default('true') }}";
Unattended-Upgrade::Remove-Unused-Dependencies "{{ apt_remove_unused_dependancies | default('true') }}";
# auto reboot
Unattended-Upgrade::Automatic-Reboot "{{ apt_automatic_reboot }}";
Unattended-Upgrade::Automatic-Reboot-WithUsers "{{ apt_automatic_reboot_with_users | default('true') }}";
Unattended-Upgrade::Automatic-Reboot-Time "{{ apt_automatic_reboot_time }}";
# syslog
Unattended-Upgrade::SyslogEnable "{{ apt_syslog_enable | default('true') }}";
Unattended-Upgrade::SyslogFacility "{{ apt_syslog_facility | default('daemon') }}";
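Review bot: Allowed-Origins at lines 1284-1285 include the `-proposed` and `-backports` pockets, so whenever either pocket is enabled in sources (the Ubuntu source templates in this commit do enable backports) unattended-upgrades will install pre-release or backported packages without review; Ubuntu's shipped default allows only the release and `-security` pockets, with `-updates` as the usual opt-in. Drop `-proposed` at least, and decide deliberately whether backports should auto-upgrade. Unlike the Debian variant, this file does not set `APT::Periodic::Unattended-Upgrade "1"`, so it presumably relies on Ubuntu's `20auto-upgrades` file to turn the job on — confirm on a fresh host.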


@ -0,0 +1,12 @@
Types: deb
URIs: {{ apt_repository_main }}
Suites: {{ ansible_distribution_release }} {{ ansible_distribution_release }}-updates {{ ansible_distribution_release }}-backports
Components: main restricted {% if apt_enable_universe == True %}universe{% endif %} {% if apt_enable_multiverse == True %}multiverse{% endif %}
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
Types: deb
URIs: {{ apt_repository_security }}
Suites: {{ ansible_distribution_release }}-security
Components: main restricted {% if apt_enable_universe == True %}universe{% endif %} {% if apt_enable_multiverse == True %}multiverse{% endif %}
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg


@ -0,0 +1,3 @@
deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
deb http://security.debian.org bookworm-security main contrib non-free non-free-firmware
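Review bot: The Debian sources are hard-coded to `bookworm` while the Ubuntu counterpart renders `{{ ansible_distribution_release }}`; when a newer Debian is added to ossupport.yaml this file silently keeps the host on bookworm repositories. Use `{{ ansible_distribution_release }}` in all three lines. Both mirrors serve HTTPS, so `https://deb.debian.org/debian` and `https://security.debian.org` keep the package list off the wire in cleartext; signature verification is unaffected either way.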


@ -0,0 +1,21 @@
# main + restricted
deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }} main restricted
deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }}-updates main restricted
deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }}-security main restricted
deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }}-backports main restricted
{% if apt_enable_universe == True %}
# universe
deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }} universe
deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }}-updates universe
deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }}-security universe
deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }}-backports universe
{% endif %}
{% if apt_enable_multiverse == True %}
# multiverse
deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }} multiverse
deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }}-updates multiverse
deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }}-security multiverse
deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }}-backports multiverse
{% endif %}


@ -0,0 +1,8 @@
pool {{ ntp_server }} iburst
keyfile /etc/chrony/chrony.keys
driftfile /var/lib/chrony/chrony.drift
logdir /var/log/chrony
maxupdateskew 100.0
makestep 1 3
rtcsync


@ -0,0 +1,37 @@
hostname "{{ inventory_hostname }}"
BaseDir "/var/lib/collectd"
PIDFile "/var/run/collectd.pid"
PluginDir "/usr/lib/collectd"
TypesDB "/usr/share/collectd/types.db"
LoadPlugin cpu
LoadPlugin df
LoadPlugin disk
LoadPlugin interface
LoadPlugin load
LoadPlugin memory
LoadPlugin network
LoadPlugin uptime
<Plugin cpu>
ReportByCpu false
ReportByState true
ValuesPercentage true
</Plugin>
<Plugin df>
MountPoint "/"
</Plugin>
<Plugin disk>
</Plugin>
<Plugin interface>
Interface "{{ collectd_network_interface }}"
IgnoreSelected false
</Plugin>
<Plugin network>
Server "{{ collectd_network_dest_address }}" "{{ collectd_network_dest_port }}"
</Plugin>
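Review bot: The network plugin at line 1401 ships metrics to `collectd_network_dest_address` with no `SecurityLevel`, so the stream is unauthenticated and in cleartext and a spoofed sample is indistinguishable from a real one. If the collector supports it, use the block form `<Server "{{ collectd_network_dest_address }}" "{{ collectd_network_dest_port }}">` with `SecurityLevel Encrypt`, `Username` and `Password` inside it. The `<Plugin disk>` block at lines 1394-1395 is empty and can be dropped.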


@ -0,0 +1 @@
@reboot root mount -t tmpfs tmpfs /proc/spl/kstat/zfs


@ -0,0 +1,4 @@
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games"
## Locale Fix
LC_ALL="en_US.UTF-8"
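Review bot: `LC_ALL` at line 1414 overrides every `LANG` and `LC_*` setting for every session started through PAM, so neither users nor services can select a different locale or per-category settings. The usual fix for a missing default locale is `LANG="en_US.UTF-8"` here, leaving `LC_ALL` for one-off debugging. The `## Locale Fix` comment would be more useful if it named the symptom it fixes.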


@ -0,0 +1,5 @@
[Journal]
SystemMaxUse=25M
SystemMaxFileSize=1M
MaxRetentionSec=1h
MaxFileSec=1h
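Review bot: `MaxRetentionSec=1h` together with `SystemMaxUse=25M` at lines 1420-1422 discards the local journal after an hour, so if the rsyslog remote-logging path added in this commit is down, misconfigured, or not enabled for a host, there is no local record left to investigate an incident. This is only safe if every journald message is also forwarded and the collector is the system of record; consider retention measured in days, or document that trade-off next to these lines. `MaxFileSec=1h` with `SystemMaxFileSize=1M` also rotates the journal very frequently, which costs more writes than it saves.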

42
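--- /dev/null
+++ b/templates/motd/motd.sh.j2
@@ -0,0 +1,42 @@
+#!/bin/bash
+# distribution information
+if [ -f /etc/os-release ]; then
+. /etc/os-release
+if [ "$ID" = "ubuntu" ]; then
+linux_distribution="\e[33m$PRETTY_NAME\e[0m"
+elif [ "$ID" = "debian" ]; then
+linux_distribution="\e[91m$PRETTY_NAME\e[0m"
+else
+linux_distribution="\e[94m$NAME\e[0m"
+fi
+else
+linux_distribution="\e[94mUnknown Linux Distribution\e[0m"
+fi
+# disk usage
+disk_usage=$(df -h / | awk 'NR==2 {print $3 " / " $2 " (" $5 ")"}')
+# memory usage
+memory_usage=$(free -m | awk 'NR==2 {print $3 " MB / " $2 " MB (" int($3/$2*100) "%)"}')
+# pending updates
+pending_updates=$(apt list --upgradable 2>/dev/null | grep -c 'upgradable')
+# display motd
+echo "Welcome to $(hostname)!"
+echo ""
+echo -e "$linux_distribution"
+echo "Disk Usage: $disk_usage"
+echo "Memory Usage: $memory_usage"
+echo ""
+if [ "$pending_updates" -eq 1 ]; then
+echo "There is $pending_updates pending update."
+elif [ "$pending_updates" -gt 1 ]; then
+echo "There are $pending_updates pendinging updates."
+else
+echo "No pending updates."
+fi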
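Review bot: The plural branch `echo "There are $pending_updates pendinging updates."` has a typo in user-facing text; it should read `pending updates`. Separately, the pending-updates count silently reads as `No pending updates.` whenever `apt list` fails, because `2>/dev/null` hides the error and `grep -c` then returns 0 — either check `${PIPESTATUS[0]}` after the pipeline or add a comment stating that a failed `apt` deliberately degrades to "no updates". The `int($3/$2*100)` memory expression has no guard against a zero total from `free -m`; that cannot happen on a real host, but a short comment saying so saves the next reader a question.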


@ -0,0 +1,40 @@
# networking
Protocol 2
Port 22
AddressFamily inet
ListenAddress 0.0.0.0
# hostkey
HostKey /etc/ssh/ssh_host_ed25519_key
# Authentication
PermitRootLogin no
# Hardening
StrictModes yes
MaxAuthTries 2
MaxStartups 10:50:20
LoginGraceTime 15
MaxSessions 8
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers ansible drone hugo rundeck simon
VersionAddendum ""
IgnoreRhosts yes
UseDNS no
X11Forwarding no
ClientAliveCountMax 8
Compression no
AllowTcpForwarding yes
AllowAgentForwarding yes
UsePAM yes
PrintMotd no
PrintLastLog no
# The cryptos
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
# sFTP
Subsystem sftp /usr/libexec/sftp-server
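Review bot: `PasswordAuthentication no` together with `UsePAM yes` does not close password logins by itself: `KbdInteractiveAuthentication` (formerly `ChallengeResponseAuthentication`) defaults to yes, and with a stock Debian PAM stack a client can still be prompted for a Unix password over keyboard-interactive, so add `KbdInteractiveAuthentication no` (plus `ChallengeResponseAuthentication no` where older OpenSSH is in play) next to it. `AllowTcpForwarding yes` and `AllowAgentForwarding yes` under the "Hardening" header let any of the listed service accounts (`ansible`, `drone`, `rundeck`) pivot through this host and hijack forwarded agents; set both to `no` globally and re-enable per account in a `Match User` block if a workflow needs them. `Subsystem sftp /usr/libexec/sftp-server` does not match where Debian/Ubuntu install the binary as far as I can tell (`/usr/lib/openssh/sftp-server`), which would break SFTP silently; `Subsystem sftp internal-sftp` removes the path dependency entirely. `Protocol 2` is a deprecated keyword that current sshd only warns about and can be dropped, and the hard-coded `AllowUsers` list would be better rendered from the role's user variables.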


@ -0,0 +1,6 @@
$InputFileName /var/log/apt/history.log
$InputFileTag apt
$InputFileStateFile apt-history-log
$InputFileSeverity info
$InputFileFacility local3
$InputRunFileMonitor
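Review bot: This input is written with the legacy `$InputFile*` directive set while the rsyslog.conf templates in the same commit already load `imfile` with the RainerScript `module(load="imfile")` form, so the role mixes two configuration dialects for one module. The legacy form is also limited to the older polling mode and its state-file handling, which is less robust across log rotation than the scripted input. Replace the six lines with a single RainerScript input: `input(type="imfile" File="/var/log/apt/history.log" Tag="apt" Severity="info" Facility="local3")`.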


@ -0,0 +1 @@
*.* @{{ rsyslog_destination }}:{{ rsyslog_port }}
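Review bot: The single `@` in `*.* @{{ rsyslog_destination }}:{{ rsyslog_port }}` selects plain UDP, so every log line including auth events crosses the network unencrypted and unauthenticated, and anything emitted while the collector is unreachable is dropped with no queue or retry. At minimum use TCP (`@@`) with a disk-assisted queue so events survive an outage; if the collector supports it, enable TLS through the `omfwd` `gtls` stream driver (package `rsyslog-gnutls`) with certificate verification, which additionally needs a CA file set globally via `$DefaultNetstreamDriverCAFile` in the main rsyslog.conf. The action form below replaces the one-liner; `StreamDriverPermittedPeers` must match the name in the collector's certificate, and the queue file name only has to be unique per action.
```conf
*.* action(type="omfwd" target="{{ rsyslog_destination }}" port="{{ rsyslog_port }}" protocol="tcp"
           StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name"
           StreamDriverPermittedPeers="{{ rsyslog_destination }}"
           queue.type="LinkedList" queue.filename="fwd_remote" queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
```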


@ -0,0 +1,25 @@
#################
#### MODULES ####
#################
module(load="imfile") # provides support for logfile polling
module(load="imuxsock") # provides support for local system logging
module(load="imklog") # provides kernel logging support
###########################
#### GLOBAL DIRECTIVES ####
###########################
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on
# Set the default permissions for all log files.
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
# Where to place spool and state files
$WorkDirectory /var/spool/rsyslog
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
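Review bot: This template replaces the whole of `/etc/rsyslog.conf` but contains no rule lines, and on Debian (which this root-owned, no-privilege-drop variant appears to target) the stock local rules such as `auth,authpriv.* /var/log/auth.log` live in `rsyslog.conf` itself rather than in `rsyslog.d/`, as far as I recall — so unless another file in `rsyslog.d/` supplies them, the host ends up with no local `auth.log` or `syslog`, which combined with the one-hour journald retention elsewhere in this commit leaves no on-box evidence after an incident. Add the local rules (or a comment stating where they come from) before `$IncludeConfig`. `$RepeatedMsgReduction on` collapses identical consecutive lines into "last message repeated N times", which hides bursts such as repeated failed logins from rate-based detections and breaks per-event parsing on the collector; set it to `off` when logs are forwarded. The file otherwise mixes legacy `$` directives with `module(load=…)` RainerScript; either dialect works, but pick one.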


@ -0,0 +1,27 @@
#################
#### MODULES ####
#################
module(load="imfile") # provides support for logfile polling
module(load="imuxsock") # provides support for local system logging
module(load="imklog") # provides kernel logging support
###########################
#### GLOBAL DIRECTIVES ####
###########################
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on
# Set the default permissions for all log files.
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
# Where to place spool and state files
$WorkDirectory /var/spool/rsyslog
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
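Review bot: `$RepeatedMsgReduction on` collapses identical consecutive messages into a single "last message repeated N times" line, so bursts such as repeated failed logins reach the collector as one event and rate-based detections and per-event parsers miss them; set it to `off` whenever logs are forwarded. The `$PrivDropToUser syslog`/`$PrivDropToGroup syslog` pair marks this as the Ubuntu-style variant (the sibling template keeps rsyslogd as root), but neither file says which distribution it targets — a header comment such as `# Ubuntu: rsyslogd drops to the syslog user after binding` would spare the next reader a diff. A privilege-dropped rsyslogd can only tail files the `syslog` user can read; `/var/log/apt/history.log`, consumed by the imfile input elsewhere in this commit, is normally mode 0644 so that is fine, but any future input must be checked against that.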


@ -0,0 +1,12 @@
[Unit]
Description={{ __systemctl['description'] }}
Documentation=man:fstrim
ConditionVirtualization=!container
[Timer]
OnCalendar={{ __systemctl['oncalendar'] | default('weekly') }}
AccuracySec=1h
Persistent=true
[Install]
WantedBy=timers.target
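Review bot: The timer sets no `RandomizedDelaySec`, so every host rendered with the default `weekly` fires `fstrim` at the same instant (Monday 00:00), which on shared or thin-provisioned storage produces a synchronised discard burst across the fleet; the upstream `fstrim.timer` adds `RandomizedDelaySec=100min` for exactly this reason, as far as I recall. `Description={{ __systemctl['description'] }}` has no `default()` unlike `oncalendar` on the next line, so a missing key aborts the play instead of rendering a sensible fallback such as `Discard unused blocks once a week`.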


@ -0,0 +1,16 @@
{% if __user['username'] == 'drone' %}
# ansible.siempie.internal
drone ansible.siempie.internal=(root) NOPASSWD:/usr/bin/git -C /etc/ansible *
drone ansible.siempie.internal=(root) NOPASSWD:/usr/local/bin/ansible-galaxy install -r /etc/ansible/ansible_requirements.yaml
drone ansible.siempie.internal=(root) NOPASSWD:/usr/local/bin/ansible-playbook *
# mgmt01.siempie.local
drone mgmt01.siempie.internal=(simon) NOPASSWD:/usr/local/bin/kubectl *
{% else %}
{% if sudo_pwless == False %}
{{ __user['username'] }} ALL=(ALL) ALL
{% endif %}
{% if sudo_pwless == True %}
{{ __user['username'] }} ALL=(ALL) NOPASSWD: ALL
{% endif %}
{% endif %}
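Review bot: The three `drone` rules for `ansible.siempie.internal` are NOPASSWD root in all but name: `/usr/local/bin/ansible-playbook *` runs any playbook the `drone` user can write as root, `/usr/bin/git -C /etc/ansible *` lets git's `-c alias.<x>='!<cmd>'`, `core.pager` or `--exec-path` options execute an arbitrary command as root (a sudoers `*` also matches across spaces), and `ansible-galaxy install -r …` pulls code from the network as root — so a compromised CI runner is a compromised control node. Pin each command to the exact invocation the pipeline uses (for example `/usr/bin/git -C /etc/ansible pull` and the specific playbook path instead of `*`), or if that level of trust is deliberate, say so in a comment rather than leaving the reader to infer it from wildcards. `kubectl *` as `simon` on `mgmt01` likewise grants whatever that user's kubeconfig allows, and the comment above it names `mgmt01.siempie.local` while the rule says `mgmt01.siempie.internal`. Make sure the task that writes this template passes `validate: 'visudo -cf %s'`, because a rendering error in a `sudoers.d` file locks every user out of sudo; that task is not visible on this page.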

vars/Debian.yaml Normal file

@ -0,0 +1,25 @@
---
# default packages to install
apt_default_packages_install:
- "aptitude"
- "apt-transport-https"
- "debian-archive-keyring"
- "btop"
- "curl"
- "gnupg"
- "htop"
- "mc"
- "net-tools"
- "nload"
- "python-apt-common"
- "software-properties-common"
- "unattended-upgrades"
- "ufw"
- "unzip"
- "vim"
# default packages to delete
apt_default_packages_delete:
- "popularity-contest"
- "ubuntu-report"