better pihole role; change update_only and uninstall from variable to global tag; update accordingly dependent roles
This commit is contained in:
parent
6aa6e080dd
commit
082d6ed47e
16 changed files with 76 additions and 49 deletions
|
@ -15,9 +15,10 @@ This repository aims to handle most of the Unitoo basic/ standard configuration
|
||||||
|
|
||||||
The examples for `Dockerfile.example` and `docker-compose.yml.example` are useful if you need a basic container to test your playbook with different systems (like Centos/ Ubuntu). Copy them and modify as needed :)
|
The examples for `Dockerfile.example` and `docker-compose.yml.example` are useful if you need a basic container to test your playbook with different systems (like Centos/ Ubuntu). Copy them and modify as needed :)
|
||||||
|
|
||||||
## Global variables
|
## Global tags
|
||||||
|
|
||||||
- **update_only**: used in combination with some tags to skip installation phase o not needed and trigger the update phase only (for configurations as example)
|
- **global.update_only**: skip installation/ first setup phase and trigger the update phase only (for configurations as example); each role needs to implement this.
|
||||||
|
- **global.uninstall**: activate the uninstall phase for specified tags and targets
|
||||||
|
|
||||||
## Authors & contributors
|
## Authors & contributors
|
||||||
|
|
||||||
|
|
|
@ -9,8 +9,8 @@
|
||||||
|
|
||||||
- { role: hardening-basic, tags: [hardening, ips, ids] }
|
- { role: hardening-basic, tags: [hardening, ips, ids] }
|
||||||
- { role: iptables-basic, tags: [firewall, ips, ids] }
|
- { role: iptables-basic, tags: [firewall, ips, ids] }
|
||||||
- { role: fail2ban-basic, tags: [fail2ban, ips, ids] }
|
- { role: fail2ban-basic, tags: [hardening, fail2ban, ips, ids] }
|
||||||
- { role: auditd, tags: [auditd] }
|
- { role: auditd, tags: [hardening, auditd] }
|
||||||
- { role: iptables-webserver, tags: [firewall, webserver] }
|
- { role: iptables-webserver, tags: [firewall, webserver] }
|
||||||
- { role: iptables-kdeconnect, tags: [firewall] }
|
- { role: iptables-kdeconnect, tags: [firewall] }
|
||||||
|
|
||||||
|
|
|
@ -39,7 +39,9 @@ galaxy_info:
|
||||||
# - 7
|
# - 7
|
||||||
# - 99.99
|
# - 99.99
|
||||||
|
|
||||||
galaxy_tags: []
|
galaxy_tags:
|
||||||
|
- hardening
|
||||||
|
- auditd
|
||||||
# List tags for your role here, one per line. A tag is a keyword that describes
|
# List tags for your role here, one per line. A tag is a keyword that describes
|
||||||
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
||||||
# remove the '[]' above, if you add tags to this list.
|
# remove the '[]' above, if you add tags to this list.
|
||||||
|
|
|
@ -2,7 +2,9 @@
|
||||||
# tasks file for auditd
|
# tasks file for auditd
|
||||||
|
|
||||||
- name: Install and setup rules Auditd if enabled
|
- name: Install and setup rules Auditd if enabled
|
||||||
when: 'auditd_enabled is true'
|
when:
|
||||||
|
- 'auditd_enabled is true'
|
||||||
|
- "'global.update_only' not in ansible_run_tags"
|
||||||
block:
|
block:
|
||||||
- name: Install auditd
|
- name: Install auditd
|
||||||
ansible.builtin.package:
|
ansible.builtin.package:
|
||||||
|
|
|
@ -39,7 +39,8 @@ galaxy_info:
|
||||||
# - 7
|
# - 7
|
||||||
# - 99.99
|
# - 99.99
|
||||||
|
|
||||||
galaxy_tags: []
|
galaxy_tags:
|
||||||
|
- dns_filter
|
||||||
# List tags for your role here, one per line. A tag is a keyword that describes
|
# List tags for your role here, one per line. A tag is a keyword that describes
|
||||||
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
||||||
# remove the '[]' above, if you add tags to this list.
|
# remove the '[]' above, if you add tags to this list.
|
||||||
|
|
|
@ -5,7 +5,5 @@
|
||||||
when:
|
when:
|
||||||
- "dns_filter_enabled is true"
|
- "dns_filter_enabled is true"
|
||||||
- "dns_filter_selected in dns_filter_list"
|
- "dns_filter_selected in dns_filter_list"
|
||||||
block:
|
ansible.builtin.include_role:
|
||||||
- name: Call DNS filter role
|
name: "{{ dns_filter_selected }}"
|
||||||
ansible.builtin.include_role:
|
|
||||||
name: "{{ dns_filter_selected }}"
|
|
||||||
|
|
|
@ -39,7 +39,11 @@ galaxy_info:
|
||||||
# - 7
|
# - 7
|
||||||
# - 99.99
|
# - 99.99
|
||||||
|
|
||||||
galaxy_tags: []
|
galaxy_tags:
|
||||||
|
- hardening
|
||||||
|
- fail2ban
|
||||||
|
- ips
|
||||||
|
- ids
|
||||||
# List tags for your role here, one per line. A tag is a keyword that describes
|
# List tags for your role here, one per line. A tag is a keyword that describes
|
||||||
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
||||||
# remove the '[]' above, if you add tags to this list.
|
# remove the '[]' above, if you add tags to this list.
|
||||||
|
|
|
@ -2,7 +2,9 @@
|
||||||
# tasks file for fail2ban-basic
|
# tasks file for fail2ban-basic
|
||||||
#
|
#
|
||||||
- name: Fail2ban Configuration
|
- name: Fail2ban Configuration
|
||||||
when: fail2ban_enabled is true
|
when:
|
||||||
|
- fail2ban_enabled is true
|
||||||
|
- "'global.update_only' not in ansible_run_tags"
|
||||||
block:
|
block:
|
||||||
- name: Install Fail2ban
|
- name: Install Fail2ban
|
||||||
ansible.builtin.package:
|
ansible.builtin.package:
|
||||||
|
|
|
@ -11,19 +11,25 @@ Requirements
|
||||||
Role Variables
|
Role Variables
|
||||||
--------------
|
--------------
|
||||||
|
|
||||||
- **pihole_install_custom_list** (boolean): If true will install custom list into the pi-hole database
|
|
||||||
- **pihole_update_gravity** (boolean): If true the dns database will be updated
|
|
||||||
- **pihole_custom_list** (array): Array of URLs that can be installed as DNS lists. **Actually doesn't clean old lists before install!**
|
- **pihole_custom_list** (array): Array of URLs that can be installed as DNS lists. **Actually doesn't clean old lists before install!**
|
||||||
|
- **pihole_install_custom_list**: If present will install custom list into the pi-hole database
|
||||||
|
|
||||||
|
Role Tags
|
||||||
|
--------------
|
||||||
|
|
||||||
|
- **global.update_only**: `pihole -up`
|
||||||
|
- **pihole.update_gravity**: If present the dns database will be updated (`pihole updateGravity`)
|
||||||
|
|
||||||
Dependencies
|
Dependencies
|
||||||
------------
|
------------
|
||||||
|
|
||||||
.
|
- curl
|
||||||
|
- sqlite3 required by `pihole.install_custom_list`
|
||||||
|
|
||||||
Example Playbook
|
Example Playbook
|
||||||
----------------
|
----------------
|
||||||
|
|
||||||
`ansible-playbook -i inventory/example.yml pi-hole.yml --extra-vars="target=example_target"`
|
`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=example_target" --tags dns_filter`
|
||||||
|
|
||||||
License
|
License
|
||||||
-------
|
-------
|
||||||
|
|
|
@ -39,7 +39,8 @@ galaxy_info:
|
||||||
# - 7
|
# - 7
|
||||||
# - 99.99
|
# - 99.99
|
||||||
|
|
||||||
galaxy_tags: []
|
galaxy_tags:
|
||||||
|
- dns_filter
|
||||||
# List tags for your role here, one per line. A tag is a keyword that describes
|
# List tags for your role here, one per line. A tag is a keyword that describes
|
||||||
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
||||||
# remove the '[]' above, if you add tags to this list.
|
# remove the '[]' above, if you add tags to this list.
|
||||||
|
|
|
@ -2,6 +2,7 @@
|
||||||
# tasks file for pi-hole
|
# tasks file for pi-hole
|
||||||
|
|
||||||
- name: Pi-Hole setup
|
- name: Pi-Hole setup
|
||||||
|
when: "'global.update_only' not in ansible_run_tags"
|
||||||
block:
|
block:
|
||||||
- name: Populate service facts
|
- name: Populate service facts
|
||||||
ansible.builtin.service_facts:
|
ansible.builtin.service_facts:
|
||||||
|
@ -17,28 +18,6 @@
|
||||||
ansible.builtin.debug:
|
ansible.builtin.debug:
|
||||||
msg: "curl -sSL https://install.pi-hole.net | bash"
|
msg: "curl -sSL https://install.pi-hole.net | bash"
|
||||||
|
|
||||||
- name: Check if can install custom list
|
|
||||||
when: 'pihole_install_custom_list is true'
|
|
||||||
block:
|
|
||||||
- name: Check if pi-hole db exists
|
|
||||||
stat:
|
|
||||||
path: /etc/pihole/gravity.db
|
|
||||||
register: pihole_db
|
|
||||||
|
|
||||||
- name: Install sqlite3 package
|
|
||||||
ansible.builtin.package:
|
|
||||||
name: sqlite3
|
|
||||||
|
|
||||||
- name: Install more lists than default
|
|
||||||
when: pihole_db.stat.exists
|
|
||||||
ansible.builtin.shell:
|
|
||||||
cmd: sqlite3 /etc/pihole/gravity.db "INSERT INTO adlist (address, enabled, comment) VALUES ('{{ item }}', 1, '');"
|
|
||||||
loop: "{{ pihole_custom_list }}"
|
|
||||||
|
|
||||||
- name: Update Gravity
|
|
||||||
when: 'pihole_update_gravity is true'
|
|
||||||
ansible.builtin.shell: pihole updateGravity
|
|
||||||
|
|
||||||
- name: iptables-webserver
|
- name: iptables-webserver
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: iptables-webserver
|
name: iptables-webserver
|
||||||
|
@ -55,3 +34,31 @@
|
||||||
- name: iptables-persistent
|
- name: iptables-persistent
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: iptables-persistent
|
name: iptables-persistent
|
||||||
|
|
||||||
|
- name: Update pihole FTL
|
||||||
|
when: "'global.update_only' in ansible_run_tags"
|
||||||
|
ansible.builtin.shell: pihole -up
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Check if pi-hole db exists
|
||||||
|
stat:
|
||||||
|
path: /etc/pihole/gravity.db
|
||||||
|
register: pihole_db
|
||||||
|
|
||||||
|
- name: Install sqlite3 package
|
||||||
|
ansible.builtin.package:
|
||||||
|
name: sqlite3
|
||||||
|
|
||||||
|
- name: Install more lists than default
|
||||||
|
when: pihole_db.stat.exists
|
||||||
|
ansible.builtin.shell:
|
||||||
|
cmd: sqlite3 /etc/pihole/gravity.db "INSERT INTO adlist (address, enabled, comment) VALUES ('{{ item }}', 1, '');"
|
||||||
|
loop: "{{ pihole_custom_list }}"
|
||||||
|
when: "pihole_install_custom_list is true"
|
||||||
|
|
||||||
|
- name: Update Gravity
|
||||||
|
ansible.builtin.shell: pihole updateGravity
|
||||||
|
when: "
|
||||||
|
(pihole_install_custom_list is true) or
|
||||||
|
('pihole.update_gravity' in ansible_run_tags)
|
||||||
|
"
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
wakeonlan
|
wakeonlan
|
||||||
=========
|
=========
|
||||||
|
|
||||||
This role install/ uninstall Wake on LAN support for target
|
This role install Wake on LAN support for target
|
||||||
|
|
||||||
Requirements
|
Requirements
|
||||||
------------
|
------------
|
||||||
|
|
|
@ -12,13 +12,16 @@ Role Variables
|
||||||
--------------
|
--------------
|
||||||
|
|
||||||
Respond to:
|
Respond to:
|
||||||
- **update_only** (boolean)
|
|
||||||
|
|
||||||
- **yggdrasil_enabled** (boolean): If true install yggdrasil
|
- **yggdrasil_enabled** (boolean): If true install yggdrasil
|
||||||
- **yggdrasil_sshd_enabled** (boolean): If true enable sshd access through Yggdrasil
|
- **yggdrasil_sshd_enabled** (boolean): If true enable sshd access through Yggdrasil
|
||||||
- **yggdrasil_uninstall** (boolean): if true yggdrasil will be removed from the system (requires *yggdrasil_enabled to false*)
|
|
||||||
- **yggdrasil_peers_list_url** (url): a remote file that contains the `Peers` section of yggdrasil configuration
|
- **yggdrasil_peers_list_url** (url): a remote file that contains the `Peers` section of yggdrasil configuration
|
||||||
|
|
||||||
|
Role Tags
|
||||||
|
--------------
|
||||||
|
|
||||||
|
- **global.update_only**: If present will update only the peers
|
||||||
|
- **global.uninstall**: If present yggdrasil will be removed from the system (requires *yggdrasil_enabled to false*)
|
||||||
|
|
||||||
Dependencies
|
Dependencies
|
||||||
------------
|
------------
|
||||||
|
|
||||||
|
|
|
@ -3,5 +3,4 @@
|
||||||
|
|
||||||
yggdrasil_enabled: false
|
yggdrasil_enabled: false
|
||||||
yggdrasil_sshd_enabled: false
|
yggdrasil_sshd_enabled: false
|
||||||
yggdrasil_uninstall: false
|
|
||||||
yggdrasil_peers_list_url: https://git.unitoo.it/unitoo/configurations/raw/branch/master/yggdrasil/peers.conf
|
yggdrasil_peers_list_url: https://git.unitoo.it/unitoo/configurations/raw/branch/master/yggdrasil/peers.conf
|
||||||
|
|
|
@ -39,7 +39,8 @@ galaxy_info:
|
||||||
# - 7
|
# - 7
|
||||||
# - 99.99
|
# - 99.99
|
||||||
|
|
||||||
galaxy_tags: []
|
galaxy_tags:
|
||||||
|
- yggdrasil
|
||||||
# List tags for your role here, one per line. A tag is a keyword that describes
|
# List tags for your role here, one per line. A tag is a keyword that describes
|
||||||
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
||||||
# remove the '[]' above, if you add tags to this list.
|
# remove the '[]' above, if you add tags to this list.
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
- name: Install and configure yggdrasil
|
- name: Install and configure yggdrasil
|
||||||
when:
|
when:
|
||||||
- "yggdrasil_enabled is true"
|
- "yggdrasil_enabled is true"
|
||||||
- "update_only is false"
|
- "'global.update_only' not in ansible_run_tags"
|
||||||
block:
|
block:
|
||||||
- name: Gather package facts
|
- name: Gather package facts
|
||||||
package_facts:
|
package_facts:
|
||||||
|
@ -64,8 +64,8 @@
|
||||||
- name: Remove yggdrasil if not enabled
|
- name: Remove yggdrasil if not enabled
|
||||||
when:
|
when:
|
||||||
- "yggdrasil_enabled is false"
|
- "yggdrasil_enabled is false"
|
||||||
- "yggdrasil_uninstall is true"
|
- "'global.uninstall' in ansible_run_tags"
|
||||||
- "update_only is false"
|
- "'global.update_only' not in ansible_run_tags"
|
||||||
block:
|
block:
|
||||||
- name: Gather package facts
|
- name: Gather package facts
|
||||||
package_facts:
|
package_facts:
|
||||||
|
|
Loading…
Reference in a new issue