better pihole role; change update_only and uninstall from variable to global tag; update accordingly dependent roles

Claudio Maradonna 2023-01-11 17:44:16 +01:00
parent 6aa6e080dd
commit 082d6ed47e
Signed by untrusted user who does not match committer: claudiomaradonna
GPG key ID: 0CBA58694C5680D9
16 changed files with 76 additions and 49 deletions


@ -15,9 +15,10 @@ This repository aims to handle most of the Unitoo basic/ standard configuration
The examples for `Dockerfile.example` and `docker-compose.yml.example` are useful if you need a basic container to test your playbook with different systems (like Centos/ Ubuntu). Copy them and modify as needed :) The examples for `Dockerfile.example` and `docker-compose.yml.example` are useful if you need a basic container to test your playbook with different systems (like Centos/ Ubuntu). Copy them and modify as needed :)
## Global variables ## Global tags
- **update_only**: used in combination with some tags to skip installation phase o not needed and trigger the update phase only (for configurations as example) - **global.update_only**: skip installation/ first setup phase and trigger the update phase only (for configurations as example); each role needs to implement this.
- **global.uninstall**: activate the uninstall phase for specified tags and targets
## Authors & contributors ## Authors & contributors


@ -9,8 +9,8 @@
- { role: hardening-basic, tags: [hardening, ips, ids] } - { role: hardening-basic, tags: [hardening, ips, ids] }
- { role: iptables-basic, tags: [firewall, ips, ids] } - { role: iptables-basic, tags: [firewall, ips, ids] }
- { role: fail2ban-basic, tags: [fail2ban, ips, ids] } - { role: fail2ban-basic, tags: [hardening, fail2ban, ips, ids] }
- { role: auditd, tags: [auditd] } - { role: auditd, tags: [hardening, auditd] }
- { role: iptables-webserver, tags: [firewall, webserver] } - { role: iptables-webserver, tags: [firewall, webserver] }
- { role: iptables-kdeconnect, tags: [firewall] } - { role: iptables-kdeconnect, tags: [firewall] }


@ -39,7 +39,9 @@ galaxy_info:
# - 7 # - 7
# - 99.99 # - 99.99
galaxy_tags: [] galaxy_tags:
- hardening
- auditd
# List tags for your role here, one per line. A tag is a keyword that describes # List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to # and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list. # remove the '[]' above, if you add tags to this list.


@ -2,7 +2,9 @@
# tasks file for auditd # tasks file for auditd
- name: Install and setup rules Auditd if enabled - name: Install and setup rules Auditd if enabled
when: 'auditd_enabled is true' when:
- 'auditd_enabled is true'
- "'global.update_only' not in ansible_run_tags"
block: block:
- name: Install auditd - name: Install auditd
ansible.builtin.package: ansible.builtin.package:
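Review bot: The new `'global.update_only' not in ansible_run_tags` guard turns the auditd role into a complete no-op under that tag, because no update-phase task is added alongside it, while the README changed in this commit says every role must implement the update phase. If auditd genuinely has nothing to update, say so where the guard is, e.g. `# global.update_only: auditd has no update phase, so the whole role is skipped under that tag`. Note also that `ansible_run_tags` only reflects what was passed with `--tags` and does not select tasks by itself — normal tag filtering still applies, so the block only runs at all when the role is selected by its own tag (or no `--tags` is given). The block's body continues past the end of the hunk.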


@ -39,7 +39,8 @@ galaxy_info:
# - 7 # - 7
# - 99.99 # - 99.99
galaxy_tags: [] galaxy_tags:
- dns_filter
# List tags for your role here, one per line. A tag is a keyword that describes # List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to # and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list. # remove the '[]' above, if you add tags to this list.


@ -5,7 +5,5 @@
when: when:
- "dns_filter_enabled is true" - "dns_filter_enabled is true"
- "dns_filter_selected in dns_filter_list" - "dns_filter_selected in dns_filter_list"
block: ansible.builtin.include_role:
- name: Call DNS filter role name: "{{ dns_filter_selected }}"
ansible.builtin.include_role:
name: "{{ dns_filter_selected }}"
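Review bot: With the wrapping block gone, the `dns_filter_selected in dns_filter_list` condition is the only thing standing between an inventory variable and `include_role`, and nothing in the file says so; a later maintainer could drop it as a redundant check and let any role name in the variable be loaded. Add a comment above the `when:` list: `# dns_filter_list is the allowlist of role names this variable may resolve to; include_role takes the name straight from the variable, so keep this check`. The task's `- name:` line lies above the hunk.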


@ -39,7 +39,11 @@ galaxy_info:
# - 7 # - 7
# - 99.99 # - 99.99
galaxy_tags: [] galaxy_tags:
- hardening
- fail2ban
- ips
- ids
# List tags for your role here, one per line. A tag is a keyword that describes # List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to # and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list. # remove the '[]' above, if you add tags to this list.


@ -2,7 +2,9 @@
# tasks file for fail2ban-basic # tasks file for fail2ban-basic
# #
- name: Fail2ban Configuration - name: Fail2ban Configuration
when: fail2ban_enabled is true when:
- fail2ban_enabled is true
- "'global.update_only' not in ansible_run_tags"
block: block:
- name: Install Fail2ban - name: Install Fail2ban
ansible.builtin.package: ansible.builtin.package:
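Review bot: The two `when` entries at the top of the block are written in different quoting styles — `- fail2ban_enabled is true` is a bare scalar while the next entry is a quoted string; write both the same way, `- "fail2ban_enabled is true"`, as the auditd role in this commit does, so a later edit does not trip over YAML specials in a bare condition. As with the other roles here, nothing in this hunk adds an update-phase task, so under `global.update_only` the whole fail2ban role is skipped; a one-line comment above the guard stating that (`# no update phase: the role is a no-op under global.update_only`) would stop readers looking for one. The block's body continues beyond the hunk.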


@ -11,19 +11,25 @@ Requirements
Role Variables Role Variables
-------------- --------------
- **pihole_install_custom_list** (boolean): If true will install custom list into the pi-hole database
- **pihole_update_gravity** (boolean): If true the dns database will be updated
- **pihole_custom_list** (array): Array of URLs that can be installed as DNS lists. **Actually doesn't clean old lists before install!** - **pihole_custom_list** (array): Array of URLs that can be installed as DNS lists. **Actually doesn't clean old lists before install!**
- **pihole_install_custom_list**: If present will install custom list into the pi-hole database
Role Tags
--------------
- **global.update_only**: `pihole -up`
- **pihole.update_gravity**: If present the dns database will be updated (`pihole updateGravity`)
Dependencies Dependencies
------------ ------------
. - curl
- sqlite3 required by `pihole.install_custom_list`
Example Playbook Example Playbook
---------------- ----------------
`ansible-playbook -i inventory/example.yml pi-hole.yml --extra-vars="target=example_target"` `ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=example_target" --tags dns_filter`
License License
------- -------


@ -39,7 +39,8 @@ galaxy_info:
# - 7 # - 7
# - 99.99 # - 99.99
galaxy_tags: [] galaxy_tags:
- dns_filter
# List tags for your role here, one per line. A tag is a keyword that describes # List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to # and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list. # remove the '[]' above, if you add tags to this list.


@ -2,6 +2,7 @@
# tasks file for pi-hole # tasks file for pi-hole
- name: Pi-Hole setup - name: Pi-Hole setup
when: "'global.update_only' not in ansible_run_tags"
block: block:
- name: Populate service facts - name: Populate service facts
ansible.builtin.service_facts: ansible.builtin.service_facts:
@ -17,28 +18,6 @@
ansible.builtin.debug: ansible.builtin.debug:
msg: "curl -sSL https://install.pi-hole.net | bash" msg: "curl -sSL https://install.pi-hole.net | bash"
- name: Check if can install custom list
when: 'pihole_install_custom_list is true'
block:
- name: Check if pi-hole db exists
stat:
path: /etc/pihole/gravity.db
register: pihole_db
- name: Install sqlite3 package
ansible.builtin.package:
name: sqlite3
- name: Install more lists than default
when: pihole_db.stat.exists
ansible.builtin.shell:
cmd: sqlite3 /etc/pihole/gravity.db "INSERT INTO adlist (address, enabled, comment) VALUES ('{{ item }}', 1, '');"
loop: "{{ pihole_custom_list }}"
- name: Update Gravity
when: 'pihole_update_gravity is true'
ansible.builtin.shell: pihole updateGravity
- name: iptables-webserver - name: iptables-webserver
ansible.builtin.include_role: ansible.builtin.include_role:
name: iptables-webserver name: iptables-webserver
@ -55,3 +34,31 @@
- name: iptables-persistent - name: iptables-persistent
ansible.builtin.include_role: ansible.builtin.include_role:
name: iptables-persistent name: iptables-persistent
- name: Update pihole FTL
when: "'global.update_only' in ansible_run_tags"
ansible.builtin.shell: pihole -up
- block:
- name: Check if pi-hole db exists
stat:
path: /etc/pihole/gravity.db
register: pihole_db
- name: Install sqlite3 package
ansible.builtin.package:
name: sqlite3
- name: Install more lists than default
when: pihole_db.stat.exists
ansible.builtin.shell:
cmd: sqlite3 /etc/pihole/gravity.db "INSERT INTO adlist (address, enabled, comment) VALUES ('{{ item }}', 1, '');"
loop: "{{ pihole_custom_list }}"
when: "pihole_install_custom_list is true"
- name: Update Gravity
ansible.builtin.shell: pihole updateGravity
when: "
(pihole_install_custom_list is true) or
('pihole.update_gravity' in ansible_run_tags)
"


@ -1,7 +1,7 @@
wakeonlan wakeonlan
========= =========
This role install/ uninstall Wake on LAN support for target This role install Wake on LAN support for target
Requirements Requirements
------------ ------------


@ -12,13 +12,16 @@ Role Variables
-------------- --------------
Respond to: Respond to:
- **update_only** (boolean)
- **yggdrasil_enabled** (boolean): If true install yggdrasil - **yggdrasil_enabled** (boolean): If true install yggdrasil
- **yggdrasil_sshd_enabled** (boolean): If true enable sshd access through Yggdrasil - **yggdrasil_sshd_enabled** (boolean): If true enable sshd access through Yggdrasil
- **yggdrasil_uninstall** (boolean): if true yggdrasil will be removed from the system (requires *yggdrasil_enabled to false*)
- **yggdrasil_peers_list_url** (url): a remote file that contains the `Peers` section of yggdrasil configuration - **yggdrasil_peers_list_url** (url): a remote file that contains the `Peers` section of yggdrasil configuration
Role Tags
--------------
- **global.update_only**: If present will update only the peers
- **global.uninstall**: If present yggdrasil will be removed from the system (requires *yggdrasil_enabled to false*)
Dependencies Dependencies
------------ ------------


@ -3,5 +3,4 @@
yggdrasil_enabled: false yggdrasil_enabled: false
yggdrasil_sshd_enabled: false yggdrasil_sshd_enabled: false
yggdrasil_uninstall: false
yggdrasil_peers_list_url: https://git.unitoo.it/unitoo/configurations/raw/branch/master/yggdrasil/peers.conf yggdrasil_peers_list_url: https://git.unitoo.it/unitoo/configurations/raw/branch/master/yggdrasil/peers.conf


@ -39,7 +39,8 @@ galaxy_info:
# - 7 # - 7
# - 99.99 # - 99.99
galaxy_tags: [] galaxy_tags:
- yggdrasil
# List tags for your role here, one per line. A tag is a keyword that describes # List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to # and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list. # remove the '[]' above, if you add tags to this list.


@ -1,7 +1,7 @@
- name: Install and configure yggdrasil - name: Install and configure yggdrasil
when: when:
- "yggdrasil_enabled is true" - "yggdrasil_enabled is true"
- "update_only is false" - "'global.update_only' not in ansible_run_tags"
block: block:
- name: Gather package facts - name: Gather package facts
package_facts: package_facts:
@ -64,8 +64,8 @@
- name: Remove yggdrasil if not enabled - name: Remove yggdrasil if not enabled
when: when:
- "yggdrasil_enabled is false" - "yggdrasil_enabled is false"
- "yggdrasil_uninstall is true" - "'global.uninstall' in ansible_run_tags"
- "update_only is false" - "'global.update_only' not in ansible_run_tags"
block: block:
- name: Gather package facts - name: Gather package facts
package_facts: package_facts:
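Review bot: The removal gate now keys on `'global.uninstall' in ansible_run_tags`, but `ansible_run_tags` only reports what was passed with `--tags`, and `--tags global.uninstall` on its own also filters out every task not carrying that tag; since these tasks appear to carry only the role's own tags (the role tagging lives in the playbook, outside this hunk), the removal block runs only when the invocation also selects the role, e.g. `--tags yggdrasil,global.uninstall`, and silently does nothing otherwise. That pairing is a sensible interlock for a destructive path, but it should be stated rather than discovered, e.g. above the block: `# Runs only with --tags <role tag>,global.uninstall AND yggdrasil_enabled false; --tags global.uninstall alone is filtered out before this when is evaluated`. The README change in this commit mentions only the `yggdrasil_enabled` requirement, not the tag pairing. Both the install block in the first hunk and this removal block continue past their hunks.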