init repo with: iptables, pihole, snort, yggdrasil, basic hardening, os-updates

.gitignore

@@ -0,0 +1,4 @@
+inventory/*
+host_vars/*
+Dockerfile
+docker-compose.yml

Dockerfile.example

@@ -0,0 +1,21 @@
+FROM       ubuntu
+
+RUN apt-get update
+
+RUN apt-get install -y openssh-server
+RUN mkdir /var/run/sshd
+
+RUN echo 'root:root' |chpasswd
+
+RUN sed -ri 's/^#?PermitRootLogin\s+.*/PermitRootLogin yes/' /etc/ssh/sshd_config
+RUN sed -ri 's/UsePAM yes/#UsePAM yes/g' /etc/ssh/sshd_config
+
+RUN mkdir /root/.ssh
+RUN echo 'YOUR PUB KEY' > /root/.ssh/authorized_keys
+
+RUN apt-get clean && \
+    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+EXPOSE 22
+
+CMD    ["/usr/sbin/sshd", "-D"]

docker-compose.yml.example

@@ -0,0 +1,10 @@
+version: '3'
+
+services:
+  target:
+    build:
+      context: .
+      dockerfile: Dockerfile
+    image: ansible-test
+    ports:
+      - "2222:22"

handbook.yml

@@ -0,0 +1,23 @@
+---
+
+- name: "Setup a GNU/Linux server"
+  hosts: "{{ target if target is defined else 'planets' }}"
+
+  roles:
+    - role: iptables-persistent
+      tags: [firewall]
+    - role: iptables-basic
+      tags: [firewall]
+    - role: iptables-webserver
+      tags: [firewall, webserver]
+    - role: iptables-ipfs
+      tags: [firewall, ipfs]
+
+    - fail2ban-basic
+    - hardening-basic
+    - yggdrasil
+    - role: snort-community
+      tags: snort
+
+    - role: pi-hole
+      tags: pi-hole

os-update.yml

@@ -0,0 +1,5 @@
+- name: "Update OS of the target"
+  hosts: "{{ target if target is defined else 'planets' }}"
+
+  roles:
+    - role: os-updates

roles/fail2ban-basic/.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

roles/fail2ban-basic/README.md

@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

roles/fail2ban-basic/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+# defaults file for fail2ban-basic
+
+fail2ban_package_name_by_os_family:
+  Debian: fail2ban

roles/fail2ban-basic/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for fail2ban-basic

roles/fail2ban-basic/meta/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

roles/fail2ban-basic/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+# tasks file for fail2ban-basic
+#
+- name: Fail2ban Configuration
+  block:
+    - name: Install Fail2ban
+      ansible.builtin.package:
+        name: "{{ fail2ban_package_name_by_os_family[ansible_os_family] }}"
+
+    - name: Enable Fail2ban service
+      when: "is_docker is not true"
+      ansible.builtin.systemd:
+        name: fail2ban
+        enabled: yes
+        state: started
+        masked: no

roles/fail2ban-basic/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

roles/fail2ban-basic/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - fail2ban-basic

roles/fail2ban-basic/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for fail2ban-basic

roles/hardening-basic/.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

roles/hardening-basic/README.md

@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

roles/hardening-basic/defaults/main.yml

@@ -0,0 +1,12 @@
+---
+# defaults file for hardening-basic
+
+hardening_sshd_enabled: true
+hardening_sshd_tcp_forward: false
+hardening_sshd_permissions_set_sticky_bit: true
+
+hardening_modprobe_files:
+  - /etc/modprobe.d/disable-network-filesystems.conf
+  - /etc/modprobe.d/disable-rare-filesystems.conf
+  - /etc/modprobe.d/disable-rare-protocols.conf
+  - /etc/modprobe.d/disable-vivid.conf

roles/hardening-basic/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for hardening-basic

roles/hardening-basic/meta/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

roles/hardening-basic/tasks/main.yml

@@ -0,0 +1,73 @@
+---
+# tasks file for hardening-basic
+
+- name: Basic Hardening
+  block:
+    - name: Harden SSH Config
+      when: 'hardening_sshd_enabled is true'
+      block:
+      - name: Check if sshd_config/99-hardening exists
+        stat:
+          path: /etc/ssh/sshd_config.d/99-hardening.conf
+        register: file_name
+
+      - name: Download sshd_config
+        when: not file_name.stat.exists
+        ansible.builtin.get_url:
+          url: https://git.unitoo.it/unitoo/configurations/raw/branch/master/ssh/etc/ssh/sshd_config
+          dest: /etc/ssh/sshd_config.d/99-hardening.conf
+
+      - name: Enable TCP SSH Forwarding
+        when: 'hardening_sshd_tcp_forward is true'
+        replace:
+          path: /etc/ssh/sshd_config.d/99-hardening.conf
+          regexp: 'AllowTcpForwarding no'
+          replace: 'AllowTcpForwarding yes'
+          backup: yes
+
+      - name: Give 1700 permissions to .ssh folder
+        ansible.builtin.file:
+          path: /root/.ssh
+          owner: root
+          group: root
+          mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}700"
+
+      - name: Give 1600 permissions to .ssh/authorized_keys file
+        ansible.builtin.file:
+          path: /root/.ssh/authorized_keys
+          owner: root
+          group: root
+          mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}600"
+
+      - name: Restart sshd
+        when: "is_docker is not true"
+        ansible.builtin.systemd:
+          state: restarted
+          name: sshd
+
+    - name: Create if not exists /etc/modprobe.d
+      file:
+        path: /etc/modprobe.d
+        state: directory
+
+    - name: modprobe.d setup
+      include_tasks: modprobe.yml
+      loop: "{{ hardening_modprobe_files }}"
+      loop_control:
+        loop_var: file
+
+    - name: Create if not exists /etc/sysctl.d
+      file:
+        path: /etc/sysctl.d
+        state: directory
+
+    - name: Check if sysctl/99-hardening exists
+      stat:
+        path: /etc/sysctl.d/99-hardening.conf
+      register: file_name
+
+    - name: Download sysctl.conf
+      when: not file_name.stat.exists
+      ansible.builtin.get_url:
+        url: https://git.unitoo.it/unitoo/configurations/raw/branch/master/sysctl/etc/sysctl.conf
+        dest: /etc/sysctl.d/99-hardening.conf

roles/hardening-basic/tasks/modprobe.yml

@@ -0,0 +1,10 @@
+- name: Check if {{ file }} exists
+  stat:
+    path: "{{ file }}"
+  register: file_name
+
+- name: Download {{ file }}
+  when: not file_name.stat.exists
+  ansible.builtin.get_url:
+    url: "https://git.unitoo.it/unitoo/configurations/raw/branch/master/modprobe/{{file}}"
+    dest: "{{ file }}"

roles/hardening-basic/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

roles/hardening-basic/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - hardening-basic

roles/hardening-basic/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for hardening-basic

roles/iptables-basic/.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

roles/iptables-basic/README.md

@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

roles/iptables-basic/defaults/main.yml

@@ -0,0 +1,7 @@
+---
+# defaults file for firewall
+
+iptables_basic_enabled: true
+iptables_basic_reset_enabled: false
+iptables_basic_ssh_port: 22
+iptables_basic_drop_unencrypted_smtp_port: true

roles/iptables-basic/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for firewall

roles/iptables-basic/meta/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

roles/iptables-basic/tasks/main.yml

@@ -0,0 +1,73 @@
+---
+# tasks file for firewall
+
+- name: Setup iptables to standard configuration
+  when:
+    - "is_docker is not true"
+    - "iptables_basic_enabled is true"
+  block:
+    - name: Reset configuration if requested
+      when:
+        - "iptables_basic_reset_enabled is true"
+      block:
+        - name: Open Firewall just for a moment to flush iptables rules
+          ansible.builtin.iptables:
+            chain: INPUT
+            policy: ACCEPT
+
+        - name: Iptables flush filter
+          ansible.builtin.iptables:
+            chain: "{{ item }}"
+            flush: yes
+          with_items:  [ 'INPUT', 'FORWARD', 'OUTPUT' ]
+
+    - name: Allow related and established connections
+      ansible.builtin.iptables:
+        chain: INPUT
+        ctstate: ESTABLISHED,RELATED
+        jump: ACCEPT
+
+    - name: Drop invalid connections
+      ansible.builtin.iptables:
+        chain: INPUT
+        ctstate: INVALID
+        jump: DROP
+
+    - name: Allow lo incoming connections
+      ansible.builtin.iptables:
+        chain: INPUT
+        in_interface: lo
+        jump: ACCEPT
+
+    - name: Allow new incoming SYN packets on TCP port 22 (SSH)
+      ansible.builtin.iptables:
+        chain: INPUT
+        protocol: tcp
+        destination_port: "{{ iptables_basic_ssh_port }}"
+        ctstate: NEW
+        syn: match
+        jump: ACCEPT
+        comment: Accept new SSH connections.
+
+    - name: Set the policy for the INPUT chain to DROP
+      ansible.builtin.iptables:
+        chain: INPUT
+        policy: DROP
+
+    - name: Set the policy for the FORWARD chain to DROP
+      ansible.builtin.iptables:
+        chain: FORWARD
+        policy: DROP
+
+    - name: Drop unencrypted port 25 in output
+      when: "iptables_basic_drop_unencrypted_smtp_port is true"
+      ansible.builtin.iptables:
+        chain: OUTPUT
+        protocol: tcp
+        destination_port: 25
+        jump: REJECT
+        reject_with: icmp-port-unreachable
+
+    - name: iptables-persistent
+      ansible.builtin.include_role:
+        name: iptables-persistent

roles/iptables-basic/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

roles/iptables-basic/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - firewall

roles/iptables-basic/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for firewall

roles/iptables-ipfs/.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

roles/iptables-ipfs/README.md

@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

roles/iptables-ipfs/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+# defaults file for iptables-ipfs
+
+iptables_ipfs_enabled: false
+iptables_ipfs_port: 4001

roles/iptables-ipfs/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for iptables-ipfs

roles/iptables-ipfs/meta/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

roles/iptables-ipfs/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+# tasks file for iptables-ipfs
+
+- name: setup iptables for IPFS
+  when:
+    - "is_docker is not true"
+    - "iptables_ipfs_enabled is true"
+  block:
+    - name: Allow new, established packets on TCP/UDP port 4001 (IPFS)
+      ansible.builtin.iptables:
+        chain: INPUT
+        protocol: tcp
+        destination_port: "{{ iptables_ipfs_port }}"
+        ctstate: NEW,ESTABLISHED
+        jump: ACCEPT
+        comment: IPFS dedicated port
+
+    - name: iptables-persistent
+      ansible.builtin.include_role:
+        name: iptables-persistent

roles/iptables-ipfs/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

roles/iptables-ipfs/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - iptables-ipfs

roles/iptables-ipfs/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for iptables-ipfs

roles/iptables-persistent/.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

roles/iptables-persistent/README.md

@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

roles/iptables-persistent/defaults/main.yml

@@ -0,0 +1,7 @@
+---
+# defaults file for iptables-persistent
+
+iptables_persistent_package_name_by_os_family:
+  Debian: iptables-persistent
+
+iptables_persistent_save_to_file: true

roles/iptables-persistent/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for iptables-persistent

roles/iptables-persistent/meta/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

roles/iptables-persistent/tasks/main.yml

@@ -0,0 +1,17 @@
+- name: Handle iptables-persistent
+  when:
+    - "is_docker is not true"
+  block:
+    - name: Install iptables-persistent package
+      ansible.builtin.package:
+        name: "{{ iptables_persistent_package_name_by_os_family[ansible_os_family] }}"
+
+    - name: Gather package facts
+      package_facts:
+        manager: auto
+
+    - name: Save iptables rules into /etc/iptables folder
+      when:
+        - "'iptables-persistent' in ansible_facts.packages"
+      block:
+        - include_tasks: "save_rules_for_{{ ansible_os_family }}.yml"

roles/iptables-persistent/tasks/save_rules_for_Debian.yml

@@ -0,0 +1,8 @@
+- name: Save iptables rules
+  when: "iptables_persistent_save_to_file is true"
+  block:
+    - name: Save rules with iptables-persistent v4
+      ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4
+
+    - name: Save rules with iptables-persistent v6
+      ansible.builtin.shell: ip6tables-save > /etc/iptables/rules.v6

roles/iptables-persistent/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

roles/iptables-persistent/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - iptables-persistent

roles/iptables-persistent/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for iptables-persistent

roles/iptables-webserver/.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

roles/iptables-webserver/README.md

@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

roles/iptables-webserver/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+# defaults file for iptables-webserver
+
+iptables_webserver_enabled: false
+iptables_webserver_ports: [80,443]

roles/iptables-webserver/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for iptables-webserver

roles/iptables-webserver/meta/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

roles/iptables-webserver/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+# tasks file for iptables-webserver
+
+- name: Setup iptables for webserver 80 and 443
+  when:
+    - "is_docker is not true"
+    - "iptables_webserver_enabled is true"
+  block:
+    - name: Allow new, established packets on TCP ports 80/443 (Webserver)
+      ansible.builtin.iptables:
+        chain: INPUT
+        protocol: tcp
+        destination_port: "{{ port }}"
+        ctstate: NEW,ESTABLISHED
+        jump: ACCEPT
+        comment: Webserver dedicated port
+      loop: "{{ iptables_webserver_ports }}"
+
+    - name: iptables-persistent
+      ansible.builtin.include_role:
+        name: iptables-persistent

roles/iptables-webserver/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

roles/iptables-webserver/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - iptables-webserver

roles/iptables-webserver/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for iptables-webserver

roles/os-updates/.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

roles/os-updates/README.md

@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

roles/os-updates/defaults/main.yml

@@ -0,0 +1,8 @@
+---
+# defaults file for os-updates
+
+os_update_auto_reboot: false
+os_update_reboot_delay: 60
+
+os_update_auto_shutdown: false
+os_update_shutdown_delay: 60

roles/os-updates/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for os-updates

roles/os-updates/meta/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

roles/os-updates/tasks/main.yml

@@ -0,0 +1,6 @@
+---
+# tasks file for os-updates
+
+- name: Update all installed packages
+  block:
+    - include_tasks: "update_{{ ansible_os_family }}.yml"

roles/os-updates/tasks/update_Debian.yml

@@ -0,0 +1,25 @@
+- name: Update all installed packages
+  apt:
+    name: '*'
+    state: latest
+    update_cache: yes
+    only_upgrade: yes
+  register: apt_update_status
+
+- name: Remove packages not needed anymore
+  apt:
+    autoremove: yes
+
+- name: Reboot when packages were updated
+  reboot:
+    post_reboot_delay: "{{ os_update_reboot_delay }}"
+  when:
+    - apt_update_status.changed
+    - "os_update_auto_reboot is true"
+
+- name: Shutdown when packages were updated
+  community.general.shutdown:
+    delay: "{{ os_update_shutdown_delay }}"
+  when:
+    - apt_update_status.changed
+    - "os_update_auto_shutdown is true"

roles/os-updates/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

roles/os-updates/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - os-updates

roles/os-updates/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for os-updates

roles/pi-hole/.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

roles/pi-hole/README.md

@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

roles/pi-hole/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+# defaults file for pi-hole
+
+pihole_enabled: false

roles/pi-hole/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for pi-hole

roles/pi-hole/meta/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

roles/pi-hole/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+# tasks file for pi-hole
+
+- name: Pi-Hole setup
+  when:
+    - 'pihole_enabled is true'
+  block:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Start install process for pihole if service not found
+      when: "ansible_facts.services['pihole-FTL.service'] is not defined"
+      block:
+        - name: Install cURL if not present
+          ansible.builtin.package:
+            name: curl
+
+        - name: Execute manually the automated install and follow instructions
+          ansible.builtin.debug:
+            msg: "curl -sSL https://install.pi-hole.net | bash"

roles/pi-hole/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

roles/pi-hole/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - pi-hole

roles/pi-hole/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for pi-hole

roles/snort-community/.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

roles/snort-community/README.md

@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

roles/snort-community/defaults/main.yml

@@ -0,0 +1,13 @@
+---
+# defaults file for snort-community
+
+snort_community_enabled: false
+
+snort_package_name_by_os_family:
+  Debian: snort
+
+snort_community_group: snort
+snort_community_user: snort
+
+snort_symlink_dest: /usr/sbin/snort
+snort_home_net_address: 192.168.1.0/24

roles/snort-community/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for snort-community

roles/snort-community/meta/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

roles/snort-community/tasks/main.yml

@@ -0,0 +1,75 @@
+---
+# tasks file for snort-community
+
+- name: Snort Community Edition setup
+  when:
+    - "snort_community_enabled is true"
+  block:
+    - name: Gather package facts
+      package_facts:
+        manager: auto
+
+    - name: First time snort setup
+      when: "'snort_package_name_by_os_family[ansible_os_family]' not in ansible_facts.packages"
+      block:
+        - name: Install snort package
+          ansible.builtin.package:
+            name: "{{ snort_package_name_by_os_family[ansible_os_family] }}"
+
+        - name: Check if snort symlink exists
+          stat:
+            path: "{{ snort_symlink_dest }}"
+          register: symlink_name
+
+        - name: Symlink snort to /usr/sbin
+          when: not symlink_name.stat.exists
+          ansible.builtin.file:
+            src: /usr/local/bin/snort
+            dest: "{{ snort_symlink_dest }}"
+            state: link
+
+        - name: Create snort group
+          group:
+            name: "{{ snort_community_group }}"
+            state: present
+
+        - name: Create snort user
+          user:
+            name: "{{ snort_community_user }}"
+            state: present
+            shell: /sbin/nologin
+            group: "{{ snort_community_group }}"
+
+        - name: Create config directory
+          ansible.builtin.file:
+            path: "{{ item }}"
+            state: directory
+            owner: "{{ snort_community_user }}"
+            group: "{{ snort_community_group }}"
+            mode: '5775'
+          loop:
+            - /etc/snort/rules
+            - /var/log/snort
+            - /usr/local/lib/snort_dynamicrules
+
+        - name: Create file for local.rules
+          ansible.builtin.file:
+            path: /etc/snort/rules/local.rules
+
+        - name: Configure snort with defaults
+          # when: "'snort_package_name_by_os_family[ansible_os_family]' not in ansible_facts.packages"
+          block:
+            - name: Set HOME_NET
+              ansible.builtin.replace:
+                path: /etc/snort/snort.conf
+                regexp: 'ipvar HOME_NET any'
+                replace: 'ipvar HOME_NET {{ snort_home_net_address }}'
+
+        - name: Validate snort configuration
+          ansible.builtin.shell: snort -T -c /etc/snort/snort.conf
+          register: snort_output
+
+        - name: Check successful state validation
+          failed_when: "snort_output is not search('Snort successfully validated')"
+          ansible.builtin.debug:
+            msg: "Snort configuration end"

roles/snort-community/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

roles/snort-community/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - snort-community

roles/snort-community/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for snort-community

roles/yggdrasil/.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

roles/yggdrasil/README.md

@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

roles/yggdrasil/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+# defaults file for yggdrasil
+
+yggdrasil_enabled: false
+yggdrasil_sshd_enabled: false

roles/yggdrasil/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for yggdrasil

roles/yggdrasil/meta/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

roles/yggdrasil/tasks/install_Debian.yml

@@ -0,0 +1,35 @@
+- name: Create /usr/local/apt-keys directory
+  ansible.builtin.file:
+    path: /usr/local/apt-keys
+    state: directory
+    mode: '0755'
+
+- name: Download GPG key
+  ansible.builtin.shell: gpg --fetch-keys https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt
+
+- name: Install GPG key
+  ansible.builtin.shell: gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | sudo tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null
+
+- name: Add specified repository into sources list using specified filename
+  ansible.builtin.apt_repository:
+    repo: deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil
+    state: present
+    filename: yggdrasil
+
+- name: Update repositories cache and install "yggdrasil" package
+  ansible.builtin.apt:
+    name: yggdrasil
+    update_cache: yes
+
+- name: Update yggdrasil.conf with peers
+  replace:
+    path: /etc/yggdrasil.conf
+    regexp: 'Peers:\s\[\]'
+    replace: 'Peers: [\n\ttls://[2001:470:1f13:e56::64]:39575\n\ttls://s2.i2pd.xyz:39575\n\ttls://51.255.223.60:54232\n\ttls://45.147.198.155:6010\n\ttls://ygg1.ezdomain.ru:11130\n\ttls://ygg.mkg20001.io:443\n  ]'
+
+- name: Enable Yggdrasil service
+  ansible.builtin.systemd:
+    name: yggdrasil
+    enabled: yes
+    state: started
+    masked: no

roles/yggdrasil/tasks/main.yml

@@ -0,0 +1,73 @@
+- name: Install and configure yggdrasil
+  when: "yggdrasil_enabled is true"
+  block:
+    - name: Gather package facts
+      package_facts:
+        manager: auto
+
+    - name: Install yggdrasil if not present
+      when: "'yggdrasil' not in ansible_facts.packages"
+      block:
+        - include_tasks: "install_{{ ansible_os_family }}.yml"
+
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Configure iptables
+      when: "ansible_facts.services['iptables.service'] is defined"
+      block:
+        - name: Allow related and established connections
+          ansible.builtin.iptables:
+            chain: INPUT
+            ctstate: ESTABLISHED,RELATED
+            jump: ACCEPT
+            in_interface: tun0
+            ip_version: ipv6
+
+        - name: Drop invalid connections
+          ansible.builtin.iptables:
+            chain: INPUT
+            ctstate: INVALID
+            jump: DROP
+            in_interface: tun0
+            ip_version: ipv6
+
+        - name: Allow new incoming SYN packets on TCP port 22 (SSH)
+          when: 'yggdrasil_sshd_enabled is true'
+          ansible.builtin.iptables:
+            chain: INPUT
+            protocol: tcp
+            destination_port: 22
+            ctstate: NEW
+            syn: match
+            jump: ACCEPT
+            ip_version: ipv6
+            comment: Accept new SSH connections.
+
+        - name: Set the policy for the INPUT chain to DROP
+          ansible.builtin.iptables:
+            chain: INPUT
+            policy: DROP
+            ip_version: ipv6
+
+        - name: Set the policy for the FORWARD chain to DROP
+          ansible.builtin.iptables:
+            chain: FORWARD
+            policy: DROP
+            ip_version: ipv6
+
+        - name: Save rules with iptables-persistent v6
+          ansible.builtin.shell: ip6tables-save > /etc/iptables/rules.v6
+
+- name: Remove yggdrasil if not enabled
+  when: "yggdrasil_enabled is false"
+  block:
+    - name: Gather package facts
+      package_facts:
+        manager: auto
+
+    - name: Remove yggdrasil if present
+      when: "'yggdrasil' in ansible_facts.packages"
+      ansible.builtin.apt:
+        name: yggdrasil
+        state: absent

roles/yggdrasil/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

roles/yggdrasil/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - yggdrasil

roles/yggdrasil/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for yggdrasil