better pihole role; change update_only and uninstall from variable to global tag; update accordingly dependent roles

2023-01-11 17:44:16 +01:00 · 2023-01-11 17:44:16 +01:00 · 082d6ed47e
commit 082d6ed47e
parent 6aa6e080dd
16 changed files with 76 additions and 49 deletions
--- a/README.md
+++ b/README.md
@ -15,9 +15,10 @@ This repository aims to handle most of the Unitoo basic/ standard configuration
 The examples for `Dockerfile.example` and `docker-compose.yml.example` are useful if you need a basic container to test your playbook with different systems (like Centos/ Ubuntu). Copy them and modify as needed :)
-## Global variables
+## Global tags
- **update_only**: used in combination with some tags to skip installation phase o not needed and trigger the update phase only (for configurations as example)
+- **global.update_only**: skip installation/ first setup phase and trigger the update phase only (for configurations as example); each role needs to implement this.
 - **global.uninstall**: activate the uninstall phase for specified tags and targets
 ## Authors & contributors
--- a/handbook.yml
+++ b/handbook.yml
@ -9,8 +9,8 @@
    - { role: hardening-basic, tags: [hardening, ips, ids] }
    - { role: iptables-basic, tags: [firewall, ips, ids] }
-    - { role: fail2ban-basic, tags: [fail2ban, ips, ids] }
+    - { role: fail2ban-basic, tags: [hardening, fail2ban, ips, ids] }
-    - { role: auditd, tags: [auditd] }
+    - { role: auditd, tags: [hardening, auditd] }
    - { role: iptables-webserver, tags: [firewall, webserver] }
    - { role: iptables-kdeconnect, tags: [firewall] }
--- a/roles/auditd/meta/main.yml
+++ b/roles/auditd/meta/main.yml
@ -39,7 +39,9 @@ galaxy_info:
  #   - 7
  #   - 99.99
-  galaxy_tags: []
+  galaxy_tags:
    - hardening
    - auditd
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
--- a/roles/auditd/tasks/main.yml
+++ b/roles/auditd/tasks/main.yml
@ -2,7 +2,9 @@
 # tasks file for auditd
 - name: Install and setup rules Auditd if enabled
-  when: 'auditd_enabled is true'
+  when:
    - 'auditd_enabled is true'
    - "'global.update_only' not in ansible_run_tags"
  block:
    - name: Install auditd
      ansible.builtin.package:
--- a/roles/dns-filter/meta/main.yml
+++ b/roles/dns-filter/meta/main.yml
@ -39,7 +39,8 @@ galaxy_info:
  #   - 7
  #   - 99.99
-  galaxy_tags: []
+  galaxy_tags:
    - dns_filter
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
--- a/roles/dns-filter/tasks/main.yml
+++ b/roles/dns-filter/tasks/main.yml
@ -5,7 +5,5 @@
  when:
    - "dns_filter_enabled is true"
    - "dns_filter_selected in dns_filter_list"
  block:
    - name: Call DNS filter role
  ansible.builtin.include_role:
    name: "{{ dns_filter_selected }}"
--- a/roles/fail2ban-basic/meta/main.yml
+++ b/roles/fail2ban-basic/meta/main.yml
@ -39,7 +39,11 @@ galaxy_info:
  #   - 7
  #   - 99.99
-  galaxy_tags: []
+  galaxy_tags:
    - hardening
    - fail2ban
    - ips
    - ids
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
--- a/roles/fail2ban-basic/tasks/main.yml
+++ b/roles/fail2ban-basic/tasks/main.yml
@ -2,7 +2,9 @@
 # tasks file for fail2ban-basic
 #
 - name: Fail2ban Configuration
-  when: fail2ban_enabled is true
+  when:
    - fail2ban_enabled is true
    - "'global.update_only' not in ansible_run_tags"
  block:
    - name: Install Fail2ban
      ansible.builtin.package:
--- a/roles/pi-hole/README.md
+++ b/roles/pi-hole/README.md
@ -11,19 +11,25 @@ Requirements
 Role Variables
 --------------
 - **pihole_install_custom_list** (boolean): If true will install custom list into the pi-hole database
 - **pihole_update_gravity** (boolean): If true the dns database will be updated
 - **pihole_custom_list** (array): Array of URLs that can be installed as DNS lists. **Actually doesn't clean old lists before install!**
 - **pihole_install_custom_list**: If present will install custom list into the pi-hole database
 Role Tags
 --------------
 - **global.update_only**: `pihole -up`
 - **pihole.update_gravity**: If present the dns database will be updated (`pihole updateGravity`)
 Dependencies
 ------------
-.
+- curl
 - sqlite3 required by `pihole.install_custom_list`
 Example Playbook
 ----------------
-`ansible-playbook -i inventory/example.yml pi-hole.yml --extra-vars="target=example_target"`
+`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=example_target" --tags dns_filter`
 License
 -------
--- a/roles/pi-hole/meta/main.yml
+++ b/roles/pi-hole/meta/main.yml
@ -39,7 +39,8 @@ galaxy_info:
  #   - 7
  #   - 99.99
-  galaxy_tags: []
+  galaxy_tags:
    - dns_filter
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
--- a/roles/pi-hole/tasks/main.yml
+++ b/roles/pi-hole/tasks/main.yml
@ -2,6 +2,7 @@
 # tasks file for pi-hole
 - name: Pi-Hole setup
  when: "'global.update_only' not in ansible_run_tags"
  block:
    - name: Populate service facts
      ansible.builtin.service_facts:
@ -17,28 +18,6 @@
          ansible.builtin.debug:
            msg: "curl -sSL https://install.pi-hole.net | bash"
    - name: Check if can install custom list
      when: 'pihole_install_custom_list is true'
      block:
        - name: Check if pi-hole db exists
          stat:
            path: /etc/pihole/gravity.db
          register: pihole_db
        - name: Install sqlite3 package
          ansible.builtin.package:
            name: sqlite3
        - name: Install more lists than default
          when: pihole_db.stat.exists
          ansible.builtin.shell:
            cmd: sqlite3 /etc/pihole/gravity.db "INSERT INTO adlist (address, enabled, comment) VALUES ('{{ item }}', 1, '');"
          loop: "{{ pihole_custom_list }}"
    - name: Update Gravity
      when: 'pihole_update_gravity is true'
      ansible.builtin.shell: pihole updateGravity
    - name: iptables-webserver
      ansible.builtin.include_role:
        name: iptables-webserver
@ -55,3 +34,31 @@
    - name: iptables-persistent
      ansible.builtin.include_role:
        name: iptables-persistent
 - name: Update pihole FTL
  when: "'global.update_only' in ansible_run_tags"
  ansible.builtin.shell: pihole -up
 - block:
  - name: Check if pi-hole db exists
    stat:
      path: /etc/pihole/gravity.db
    register: pihole_db
  - name: Install sqlite3 package
    ansible.builtin.package:
      name: sqlite3
  - name: Install more lists than default
    when: pihole_db.stat.exists
    ansible.builtin.shell:
      cmd: sqlite3 /etc/pihole/gravity.db "INSERT INTO adlist (address, enabled, comment) VALUES ('{{ item }}', 1, '');"
    loop: "{{ pihole_custom_list }}"
  when: "pihole_install_custom_list is true"
 - name: Update Gravity
  ansible.builtin.shell: pihole updateGravity
  when: "
    (pihole_install_custom_list is true) or
    ('pihole.update_gravity' in ansible_run_tags)
    "
--- a/roles/wakeonlan/README.md
+++ b/roles/wakeonlan/README.md
@ -1,7 +1,7 @@
 wakeonlan
 =========
-This role install/ uninstall Wake on LAN support for target
+This role install Wake on LAN support for target
 Requirements
 ------------
--- a/roles/yggdrasil/README.md
+++ b/roles/yggdrasil/README.md
@ -12,13 +12,16 @@ Role Variables
 --------------
 Respond to:
 - **update_only** (boolean)
 - **yggdrasil_enabled** (boolean): If true install yggdrasil
 - **yggdrasil_sshd_enabled** (boolean): If true enable sshd access through Yggdrasil
 - **yggdrasil_uninstall** (boolean): if true yggdrasil will be removed from the system (requires *yggdrasil_enabled to false*)
 - **yggdrasil_peers_list_url** (url): a remote file that contains the `Peers` section of yggdrasil configuration
 Role Tags
 --------------
 - **global.update_only**: If present will update only the peers
 - **global.uninstall**: If present yggdrasil will be removed from the system (requires *yggdrasil_enabled to false*)
 Dependencies
 ------------
--- a/roles/yggdrasil/defaults/main.yml
+++ b/roles/yggdrasil/defaults/main.yml
@ -3,5 +3,4 @@
 yggdrasil_enabled: false
 yggdrasil_sshd_enabled: false
 yggdrasil_uninstall: false
 yggdrasil_peers_list_url: https://git.unitoo.it/unitoo/configurations/raw/branch/master/yggdrasil/peers.conf
--- a/roles/yggdrasil/meta/main.yml
+++ b/roles/yggdrasil/meta/main.yml
@ -39,7 +39,8 @@ galaxy_info:
  #   - 7
  #   - 99.99
-  galaxy_tags: []
+  galaxy_tags:
    - yggdrasil
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
--- a/roles/yggdrasil/tasks/main.yml
+++ b/roles/yggdrasil/tasks/main.yml
@ -1,7 +1,7 @@
 - name: Install and configure yggdrasil
  when:
    - "yggdrasil_enabled is true"
-    - "update_only is false"
+    - "'global.update_only' not in ansible_run_tags"
  block:
    - name: Gather package facts
      package_facts:
@ -64,8 +64,8 @@
 - name: Remove yggdrasil if not enabled
  when:
    - "yggdrasil_enabled is false"
-    - "yggdrasil_uninstall is true"
+    - "'global.uninstall' in ansible_run_tags"
-    - "update_only is false"
+    - "'global.update_only' not in ansible_run_tags"
  block:
    - name: Gather package facts
      package_facts: