Merge pull request 'update!' (#7) from claudiomaradonna/configurations-ansible:master into master
Reviewed-on: #7
f067b49ef1
41 changed files with 435 additions and 179 deletions
@ -15,9 +15,10 @@ This repository aims to handle most of the Unitoo basic/ standard configuration
The examples for `Dockerfile.example` and `docker-compose.yml.example` are useful if you need a basic container to test your playbook with different systems (like Centos/ Ubuntu). Copy them and modify as needed :)
|
The examples for `Dockerfile.example` and `docker-compose.yml.example` are useful if you need a basic container to test your playbook with different systems (like Centos/ Ubuntu). Copy them and modify as needed :)
|
||||||
|
|
||||||
## Global variables
|
## Global tags
|
||||||
|
|
||||||
- **update_only**: used in combination with some tags to skip installation phase o not needed and trigger the update phase only (for configurations as example)
|
- **global.update_only**: skip installation/ first setup phase and trigger the update phase only (for configurations as example); each role needs to implement this.
|
||||||
|
- **global.uninstall**: activate the uninstall phase for specified tags and targets
|
||||||
|
|
||||||
## Authors & contributors
|
## Authors & contributors
|
||||||
|
|
||||||
@ -1,21 +1,23 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: "Setup a GNU/Linux target with standards or defined tags"
|
- name: "Unitoo Handbook"
|
||||||
hosts: "{{ target if target is defined else 'planets' }}"
|
hosts: "{{ target if target is defined else 'planets' }}"
|
||||||
|
|
||||||
|
tags: always
|
||||||
roles:
|
roles:
|
||||||
# --- Hardening ---
|
# --- Hardening ---
|
||||||
# Basic rules or good practises to apply
|
# Basic rules or good practises to apply
|
||||||
|
|
||||||
- { role: hardening-basic, tags: [hardening, ips, ids] }
|
- { role: hardening-basic, tags: [hardening, ips, ids] }
|
||||||
- { role: iptables-basic, tags: [firewall, ips, ids] }
|
- { role: iptables-basic, tags: [firewall, ips, ids] }
|
||||||
- { role: fail2ban-basic, tags: [fail2ban, ips, ids] }
|
- { role: fail2ban-basic, tags: [hardening, fail2ban, ips, ids] }
|
||||||
- { role: auditd, tags: [auditd] }
|
- { role: auditd, tags: [hardening, auditd] }
|
||||||
- { role: iptables-webserver, tags: [firewall, webserver] }
|
- { role: iptables-webserver, tags: [firewall, webserver] }
|
||||||
- { role: iptables-kdeconnect, tags: [firewall] }
|
- { role: iptables-kdeconnect, tags: [firewall] }
|
||||||
|
|
||||||
# --- Sysadmin ---
|
# --- Sysadmin ---
|
||||||
- { role: sysadmin-tools, tags: [sysadmin] }
|
- { role: sysadmin-tools, tags: [sysadmin] }
|
||||||
|
- { role: wakeonlan, tags: [wol] }
|
||||||
|
|
||||||
# --- Services ---
|
# --- Services ---
|
||||||
# Role relative to services, applications and so on
|
# Role relative to services, applications and so on
|
||||||
@ -39,7 +39,9 @@ galaxy_info:
|
||||||
# - 7
|
# - 7
|
||||||
# - 99.99
|
# - 99.99
|
||||||
|
|
||||||
galaxy_tags: []
|
galaxy_tags:
|
||||||
|
- hardening
|
||||||
|
- auditd
|
||||||
# List tags for your role here, one per line. A tag is a keyword that describes
|
# List tags for your role here, one per line. A tag is a keyword that describes
|
||||||
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
||||||
# remove the '[]' above, if you add tags to this list.
|
# remove the '[]' above, if you add tags to this list.
|
||||||
@ -1,8 +1,12 @@
|
||||||
---
|
---
|
||||||
# tasks file for auditd
|
# tasks file for auditd
|
||||||
|
|
||||||
- name: Install and setup rules Auditd if enabled
|
- ansible.builtin.debug:
|
||||||
when: 'auditd_enabled is true'
|
msg: "ENABLED = {{ auditd_enabled }}; auditd role"
|
||||||
|
|
||||||
|
- when:
|
||||||
|
- 'auditd_enabled is true'
|
||||||
|
- "'global.update_only' not in ansible_run_tags"
|
||||||
block:
|
block:
|
||||||
- name: Install auditd
|
- name: Install auditd
|
||||||
ansible.builtin.package:
|
ansible.builtin.package:
|
||||||
|
|
|
@ -39,7 +39,8 @@ galaxy_info:
|
||||||
# - 7
|
# - 7
|
||||||
# - 99.99
|
# - 99.99
|
||||||
|
|
||||||
galaxy_tags: []
|
galaxy_tags:
|
||||||
|
- dns_filter
|
||||||
# List tags for your role here, one per line. A tag is a keyword that describes
|
# List tags for your role here, one per line. A tag is a keyword that describes
|
||||||
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
||||||
# remove the '[]' above, if you add tags to this list.
|
# remove the '[]' above, if you add tags to this list.
|
||||||
@ -1,11 +1,25 @@
|
||||||
---
|
---
|
||||||
# tasks file for dns-filter
|
# tasks file for dns-filter
|
||||||
|
|
||||||
- name: Install selected DNS filter if enabled
|
- ansible.builtin.debug:
|
||||||
when:
|
msg: "ENABLED = {{ dns_filter_enabled }}; FILTER = {{ dns_filter_selected }}; dns-filter role; setup the target as DNS server"
|
||||||
|
|
||||||
|
- when:
|
||||||
- "dns_filter_enabled is true"
|
- "dns_filter_enabled is true"
|
||||||
- "dns_filter_selected in dns_filter_list"
|
- "dns_filter_selected in dns_filter_list"
|
||||||
block:
|
ansible.builtin.include_role:
|
||||||
- name: Call DNS filter role
|
name: "{{ dns_filter_selected }}"
|
||||||
ansible.builtin.include_role:
|
|
||||||
name: "{{ dns_filter_selected }}"
|
- name: Allow/ disallow port 53 for DNS querying
|
||||||
|
ansible.builtin.iptables:
|
||||||
|
chain: INPUT
|
||||||
|
state: "{{ 'present' if dns_filter_enabled is true else 'absent' }}"
|
||||||
|
protocol: '{{ item }}'
|
||||||
|
destination_port: 53
|
||||||
|
jump: ACCEPT
|
||||||
|
comment: Accept DNS connections
|
||||||
|
loop: [tcp,udp]
|
||||||
|
|
||||||
|
- name: iptables-persistent
|
||||||
|
ansible.builtin.include_role:
|
||||||
|
name: iptables-persistent
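Review bot: The port 53 ACCEPT rule (L370-L402) runs with no `is_docker is not true` guard, unlike the iptables tasks of iptables-basic (L1033) and iptables-ipfs (L1114) in this same commit, so in the Docker test container it will try to program iptables and fail; the rules added to iptables-kdeconnect (L1255-L1320) and iptables-samba (L1513-L1586) have the same gap. The rule also accepts DNS from any source, and since the role turns the target into a resolver, an internet-facing host becomes an open resolver; a `source:` limited to the served network — e.g. a role variable such as `dns_filter_allowed_sources` (proposed name) looped together with the protocol — keeps the filter reachable only from the clients it serves. At minimum `when: is_docker is not true` on the task brings it in line with the other firewall roles.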
|
||||||
@ -39,7 +39,11 @@ galaxy_info:
|
||||||
# - 7
|
# - 7
|
||||||
# - 99.99
|
# - 99.99
|
||||||
|
|
||||||
galaxy_tags: []
|
galaxy_tags:
|
||||||
|
- hardening
|
||||||
|
- fail2ban
|
||||||
|
- ips
|
||||||
|
- ids
|
||||||
# List tags for your role here, one per line. A tag is a keyword that describes
|
# List tags for your role here, one per line. A tag is a keyword that describes
|
||||||
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
||||||
# remove the '[]' above, if you add tags to this list.
|
# remove the '[]' above, if you add tags to this list.
|
||||||
@ -1,8 +1,12 @@
|
||||||
---
|
---
|
||||||
# tasks file for fail2ban-basic
|
# tasks file for fail2ban-basic
|
||||||
#
|
|
||||||
- name: Fail2ban Configuration
|
- ansible.builtin.debug:
|
||||||
when: fail2ban_enabled is true
|
msg: "ENABLED = {{ fail2ban_enabled }}; fail2ban-basic role"
|
||||||
|
|
||||||
|
- when:
|
||||||
|
- 'fail2ban_enabled is true'
|
||||||
|
- "'global.update_only' not in ansible_run_tags"
|
||||||
block:
|
block:
|
||||||
- name: Install Fail2ban
|
- name: Install Fail2ban
|
||||||
ansible.builtin.package:
|
ansible.builtin.package:
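Review bot: `'fail2ban_enabled is true'` (L513) is Jinja's identity test against the boolean `True`: a value given on the command line (`-e fail2ban_enabled=true`) or quoted in an inventory arrives as the string `"true"`, the block is skipped silently, and the debug task above still prints `ENABLED = true`. `- fail2ban_enabled | bool` accepts both spellings. The same test drives every `state: "{{ 'present' if … is true else 'absent' }}"` toggle introduced by this commit (dns-filter L382, iptables-ipfs L1143, iptables-kdeconnect L1273 and L1308, iptables-samba L1531 and L1570, iptables-webserver L1675), where a string-typed flag would resolve to `absent` and remove a rule the operator believes is enabled. The block body continues outside the hunk.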
|
||||||
@ -1,61 +1,61 @@
|
||||||
---
|
---
|
||||||
# tasks file for hardening-basic
|
# tasks file for hardening-basic
|
||||||
|
|
||||||
- name: Basic Hardening
|
- ansible.builtin.debug:
|
||||||
|
msg: "hardening-basic role"
|
||||||
|
|
||||||
|
- name: Create directory structure
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: '/etc/{{ item.path }}'
|
||||||
|
state: directory
|
||||||
|
mode: '{{ item.mode }}'
|
||||||
|
with_community.general.filetree: '../templates/basic/etc/'
|
||||||
|
when: item.state == 'directory'
|
||||||
|
|
||||||
|
- name: Create and copy hardening files
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: '{{ item.src }}'
|
||||||
|
dest: '/etc/{{ item.path }}'
|
||||||
|
with_community.general.filetree: '../templates/basic/etc/'
|
||||||
|
when: item.state == 'file'
|
||||||
|
|
||||||
|
- name: ENABLED = {{ hardening_sshd_enabled }}; Harden SSH Config
|
||||||
|
when: 'hardening_sshd_enabled is true'
|
||||||
block:
|
block:
|
||||||
- name: Create directory structure
|
- name: Create directory structure
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: '/etc/{{ item.path }}'
|
path: '/etc/{{ item.path }}'
|
||||||
state: directory
|
state: directory
|
||||||
mode: '{{ item.mode }}'
|
mode: '{{ item.mode }}'
|
||||||
with_community.general.filetree: '../templates/basic/etc/'
|
with_community.general.filetree: '../templates/ssh/etc/'
|
||||||
when: item.state == 'directory'
|
when: item.state == 'directory'
|
||||||
|
|
||||||
- name: Create and copy hardening files
|
- name: Create and copy hardening files
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: '{{ item.src }}'
|
src: '{{ item.src }}'
|
||||||
dest: '/etc/{{ item.path }}'
|
dest: '/etc/{{ item.path }}'
|
||||||
with_community.general.filetree: '../templates/basic/etc/'
|
with_community.general.filetree: '../templates/ssh/etc/'
|
||||||
when: item.state == 'file'
|
when: item.state == 'file'
|
||||||
|
|
||||||
- name: Harden SSH Config
|
- name: Give 1700 permissions to .ssh folder
|
||||||
when: 'hardening_sshd_enabled is true'
|
ansible.builtin.file:
|
||||||
block:
|
path: /root/.ssh
|
||||||
- name: Create directory structure
|
owner: root
|
||||||
ansible.builtin.file:
|
group: root
|
||||||
path: '/etc/{{ item.path }}'
|
mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}700"
|
||||||
state: directory
|
|
||||||
mode: '{{ item.mode }}'
|
|
||||||
with_community.general.filetree: '../templates/ssh/etc/'
|
|
||||||
when: item.state == 'directory'
|
|
||||||
|
|
||||||
- name: Create and copy hardening files
|
- name: Give 1600 permissions to .ssh/authorized_keys file
|
||||||
ansible.builtin.template:
|
ansible.builtin.file:
|
||||||
src: '{{ item.src }}'
|
path: /root/.ssh/authorized_keys
|
||||||
dest: '/etc/{{ item.path }}'
|
owner: root
|
||||||
with_community.general.filetree: '../templates/ssh/etc/'
|
group: root
|
||||||
when: item.state == 'file'
|
mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}600"
|
||||||
|
|
||||||
- name: Give 1700 permissions to .ssh folder
|
- name: Restart sshd
|
||||||
ansible.builtin.file:
|
when: "is_docker is not true"
|
||||||
path: /root/.ssh
|
ansible.builtin.systemd:
|
||||||
owner: root
|
state: restarted
|
||||||
group: root
|
name: sshd
|
||||||
mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}700"
|
|
||||||
|
|
||||||
- name: Give 1600 permissions to .ssh/authorized_keys file
|
- name: Harden Service Manager (like Systemd)
|
||||||
ansible.builtin.file:
|
include_tasks: "harden_{{ ansible_service_mgr }}.yml"
|
||||||
path: /root/.ssh/authorized_keys
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}600"
|
|
||||||
|
|
||||||
- name: Restart sshd
|
|
||||||
when: "is_docker is not true"
|
|
||||||
ansible.builtin.systemd:
|
|
||||||
state: restarted
|
|
||||||
name: sshd
|
|
||||||
|
|
||||||
- name: Harden Service Manager (like Systemd)
|
|
||||||
block:
|
|
||||||
- include_tasks: "harden_{{ ansible_service_mgr }}.yml"
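Review bot: `Restart sshd` (L792-L812) restarts the daemon unconditionally right after every file under `../templates/ssh/etc/` has been templated into `/etc` (L677-L702), with no syntax check in between, so one bad rendered `sshd_config` takes remote access down at the restart. Inserting `- name: Validate sshd configuration` / `ansible.builtin.command: sshd -t` / `changed_when: false` before it fails the play while the old daemon is still serving, and turning the restart into a handler notified by the template task stops the unconditional restart on every run. The file task also writes the templates without `mode:` while the directory task applies `mode: '{{ item.mode }}'` (L659), so file permissions under `/etc/ssh` come from the umask rather than the template tree — worth applying the same `mode: '{{ item.mode }}'`. Separately, `- name: ENABLED = {{ hardening_sshd_enabled }}; Harden SSH Config` (L625) templates a variable into a task name, which ansible-lint flags as `name[template]`; the state is already reported by the debug task at L556, so `- name: Harden SSH Config` is enough.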
|
|
||||||
@ -1,12 +1,16 @@
|
||||||
---
|
---
|
||||||
# tasks file for ipfs
|
# tasks file for ipfs
|
||||||
|
|
||||||
- name: Install IPFS if enabled
|
- ansible.builtin.debug:
|
||||||
when:
|
msg: "ENABLED = {{ ipfs_enabled }}; ipfs role; setup the target as IPFS node"
|
||||||
|
|
||||||
|
- when:
|
||||||
- 'ipfs_enabled is true'
|
- 'ipfs_enabled is true'
|
||||||
block:
|
block:
|
||||||
- name: Setup ipfs-update
|
- name: Setup ipfs-update
|
||||||
when: 'ipfs_setup is true'
|
when:
|
||||||
|
- 'ipfs_setup is true'
|
||||||
|
- "'global.update_only' not in ansible_run_tags"
|
||||||
block:
|
block:
|
||||||
- name: Create ipfs group
|
- name: Create ipfs group
|
||||||
group:
|
group:
|
||||||
@ -72,6 +76,6 @@
|
||||||
|
|
||||||
- include_tasks: "install_{{ ansible_service_mgr }}_service.yml"
|
- include_tasks: "install_{{ ansible_service_mgr }}_service.yml"
|
||||||
|
|
||||||
- name: Setup firewall
|
- name: Setup IPFS firewall
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: iptables-ipfs
|
name: iptables-ipfs
|
||||||
@ -1,14 +1,16 @@
|
||||||
---
|
---
|
||||||
# tasks file for firewall
|
# tasks file for firewall
|
||||||
|
|
||||||
- name: Setup iptables to standard configuration
|
- ansible.builtin.debug:
|
||||||
when:
|
msg: "ENABLED = {{ iptables_basic_enabled }}; iptables-basic role; setup iptables with standard/ good-default configuration"
|
||||||
|
|
||||||
|
- when:
|
||||||
- "is_docker is not true"
|
- "is_docker is not true"
|
||||||
- "iptables_basic_enabled is true"
|
- "iptables_basic_enabled is true"
|
||||||
block:
|
block:
|
||||||
- name: Reset configuration if requested
|
- name: Reset configuration if requested
|
||||||
when:
|
when:
|
||||||
- "iptables_basic_reset_enabled is true"
|
- "'global.uninstall' in ansible_run_tags"
|
||||||
block:
|
block:
|
||||||
- name: Open Firewall just for a moment to flush iptables rules
|
- name: Open Firewall just for a moment to flush iptables rules
|
||||||
ansible.builtin.iptables:
|
ansible.builtin.iptables:
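Review bot: The reset is now triggered by `'global.uninstall' in ansible_run_tags` (L1058), but that check sits inside the block guarded by `iptables_basic_enabled is true` (L1038), so running the uninstall tag against a host whose inventory has since set the flag to `false` leaves the rules in place; the README in this commit describes `global.uninstall` as the phase that removes what a role set up, which argues for placing the tag check next to `is_docker is not true` (L1033) rather than under the enabled flag. Dropping the former `iptables_basic_reset_enabled` condition also means any inventory still setting that variable is silently ignored; a note in the role README or an `ansible.builtin.assert` that the variable is undefined would surface that. The block body continues outside the hunk.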
|
||||||
@ -1,14 +1,17 @@
|
||||||
---
|
---
|
||||||
# tasks file for iptables-ipfs
|
# tasks file for iptables-ipfs
|
||||||
|
|
||||||
- name: setup iptables for IPFS
|
- ansible.builtin.debug:
|
||||||
when:
|
msg: "ENABLED = {{ ipfs_enabled }}; iptables-ipfs role"
|
||||||
|
|
||||||
|
- when:
|
||||||
- "is_docker is not true"
|
- "is_docker is not true"
|
||||||
block:
|
block:
|
||||||
- name: Allow new, established packets on TCP/UDP port 4001 (IPFS)
|
- name: allow/ disallow established packets on TCP/UDP port 4001 (IPFS)
|
||||||
ansible.builtin.iptables:
|
ansible.builtin.iptables:
|
||||||
chain: INPUT
|
chain: INPUT
|
||||||
protocol: tcp
|
protocol: tcp
|
||||||
|
state: "{{ 'present' if ipfs_enabled is true else 'absent' }}"
|
||||||
destination_port: "{{ ipfs_port }}"
|
destination_port: "{{ ipfs_port }}"
|
||||||
ctstate: NEW,ESTABLISHED
|
ctstate: NEW,ESTABLISHED
|
||||||
jump: ACCEPT
|
jump: ACCEPT
|
||||||
@ -1,24 +1,27 @@
|
||||||
---
|
---
|
||||||
# tasks file for iptables-kdeconnect
|
# tasks file for iptables-kdeconnect
|
||||||
- name: Setup iptables for kdeconnect
|
|
||||||
when: 'kdeconnect_enabled is true'
|
|
||||||
block:
|
|
||||||
- name: Allow new, established packets on TCP Kdeconnect ports
|
|
||||||
ansible.builtin.iptables:
|
|
||||||
chain: INPUT
|
|
||||||
protocol: tcp
|
|
||||||
destination_port: "{{ kdeconnect_ports }}"
|
|
||||||
ctstate: NEW,ESTABLISHED
|
|
||||||
jump: ACCEPT
|
|
||||||
|
|
||||||
- name: Allow new, established packets on UDP Kdeconnect ports
|
- ansible.builtin.debug:
|
||||||
ansible.builtin.iptables:
|
msg: "ENABLED = {{ kdeconnect_enabled }}; iptables-kdeconnect role"
|
||||||
chain: INPUT
|
|
||||||
protocol: udp
|
|
||||||
destination_port: "{{ kdeconnect_ports }}"
|
|
||||||
ctstate: NEW,ESTABLISHED
|
|
||||||
jump: ACCEPT
|
|
||||||
|
|
||||||
- name: iptables-persistent
|
- name: Allow/ disallow new, established packets on TCP Kdeconnect ports
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.iptables:
|
||||||
name: iptables-persistent
|
chain: INPUT
|
||||||
|
protocol: tcp
|
||||||
|
state: "{{ 'present' if kdeconnect_enabled is true else 'absent' }}"
|
||||||
|
destination_port: "{{ kdeconnect_ports }}"
|
||||||
|
ctstate: NEW,ESTABLISHED
|
||||||
|
jump: ACCEPT
|
||||||
|
|
||||||
|
- name: Allow/ disallow new, established packets on UDP Kdeconnect ports
|
||||||
|
ansible.builtin.iptables:
|
||||||
|
chain: INPUT
|
||||||
|
protocol: udp
|
||||||
|
state: "{{ 'present' if kdeconnect_enabled is true else 'absent' }}"
|
||||||
|
destination_port: "{{ kdeconnect_ports }}"
|
||||||
|
ctstate: NEW,ESTABLISHED
|
||||||
|
jump: ACCEPT
|
||||||
|
|
||||||
|
- name: iptables-persistent
|
||||||
|
ansible.builtin.include_role:
|
||||||
|
name: iptables-persistent
|
||||||
@ -1,5 +1,9 @@
|
||||||
- name: Handle iptables-persistent
|
---
|
||||||
when:
|
|
||||||
|
- ansible.builtin.debug:
|
||||||
|
msg: "ENABLED = {{ iptables_persistent_save_to_file }}; iptables-persistent role"
|
||||||
|
|
||||||
|
- when:
|
||||||
- "is_docker is not true"
|
- "is_docker is not true"
|
||||||
- "iptables_persistent_save_to_file is true"
|
- "iptables_persistent_save_to_file is true"
|
||||||
block:
|
block:
|
||||||
@ -1,3 +1,5 @@
|
||||||
|
---
|
||||||
|
|
||||||
- name: Save iptables rules
|
- name: Save iptables rules
|
||||||
block:
|
block:
|
||||||
- name: Save rules with iptables-persistent v4
|
- name: Save rules with iptables-persistent v4
|
||||||
@ -1,26 +1,29 @@
|
||||||
---
|
---
|
||||||
# tasks file for iptables-samba
|
# tasks file for iptables-samba
|
||||||
- name: Setup iptables for Samba
|
|
||||||
when: 'samba_enabled is true'
|
|
||||||
block:
|
|
||||||
- name: Allow new, established packets on TCP Samba ports
|
|
||||||
ansible.builtin.iptables:
|
|
||||||
chain: INPUT
|
|
||||||
protocol: tcp
|
|
||||||
destination_port: "{{ item }}"
|
|
||||||
ctstate: NEW,ESTABLISHED
|
|
||||||
jump: ACCEPT
|
|
||||||
with_items: '{{ samba_ports }}'
|
|
||||||
|
|
||||||
- name: Allow new, established packets on UDP Samba ports
|
- ansible.builtin.debug:
|
||||||
ansible.builtin.iptables:
|
msg: "ENABLED = {{ samba_enabled }}; iptables-samba role"
|
||||||
chain: INPUT
|
|
||||||
protocol: udp
|
|
||||||
destination_port: "{{ item }}"
|
|
||||||
ctstate: NEW,ESTABLISHED
|
|
||||||
jump: ACCEPT
|
|
||||||
with_items: '{{ samba_ports }}'
|
|
||||||
|
|
||||||
- name: iptables-persistent
|
- name: Allow/ disallow new, established packets on TCP Samba ports
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.iptables:
|
||||||
name: iptables-persistent
|
chain: INPUT
|
||||||
|
protocol: tcp
|
||||||
|
state: "{{ 'present' if samba_enabled is true else 'absent' }}"
|
||||||
|
destination_port: "{{ item }}"
|
||||||
|
ctstate: NEW,ESTABLISHED
|
||||||
|
jump: ACCEPT
|
||||||
|
with_items: '{{ samba_ports }}'
|
||||||
|
|
||||||
|
- name: Allow/ disallow new, established packets on UDP Samba ports
|
||||||
|
ansible.builtin.iptables:
|
||||||
|
chain: INPUT
|
||||||
|
protocol: udp
|
||||||
|
state: "{{ 'present' if samba_enabled is true else 'absent' }}"
|
||||||
|
destination_port: "{{ item }}"
|
||||||
|
ctstate: NEW,ESTABLISHED
|
||||||
|
jump: ACCEPT
|
||||||
|
with_items: '{{ samba_ports }}'
|
||||||
|
|
||||||
|
- name: iptables-persistent
|
||||||
|
ansible.builtin.include_role:
|
||||||
|
name: iptables-persistent
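Review bot: `with_items: '{{ samba_ports }}'` (L1547, L1586) is the pre-2.5 loop form; in a file that already uses FQCN modules `loop: "{{ samba_ports }}"` is the idiomatic equivalent, and for a flat port list the one-level flattening that `with_items` performs makes no difference. Both rule tasks differ only in `protocol:` (L1527, L1566), so a single task looping over `samba_ports | product(['tcp', 'udp'])` would halve the duplication if the two-task layout is not wanted for readability.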
|
||||||
@ -1,15 +1,17 @@
|
||||||
---
|
---
|
||||||
# tasks file for iptables-webserver
|
# tasks file for iptables-webserver
|
||||||
|
|
||||||
- name: Setup iptables for webserver 80 and 443
|
- ansible.builtin.debug:
|
||||||
when:
|
msg: "ENABLED = {{ iptables_webserver_enabled }}; PORTS = {{ iptables_webserver_ports }}; iptables-webserver role"
|
||||||
|
|
||||||
|
- when:
|
||||||
- "is_docker is not true"
|
- "is_docker is not true"
|
||||||
- "iptables_webserver_enabled is true"
|
|
||||||
block:
|
block:
|
||||||
- name: Allow new, established packets on TCP ports 80/443 (Webserver)
|
- name: Allow new, established packets on TCP ports 80/443 (Webserver)
|
||||||
ansible.builtin.iptables:
|
ansible.builtin.iptables:
|
||||||
chain: INPUT
|
chain: INPUT
|
||||||
protocol: tcp
|
protocol: tcp
|
||||||
|
state: "{{ 'present' if iptables_webserver_enabled is true else 'absent' }}"
|
||||||
destination_port: "{{ item }}"
|
destination_port: "{{ item }}"
|
||||||
ctstate: NEW,ESTABLISHED
|
ctstate: NEW,ESTABLISHED
|
||||||
jump: ACCEPT
|
jump: ACCEPT
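Review bot: The task at L1656 now toggles its rule through `state: "{{ 'present' if iptables_webserver_enabled is true else 'absent' }}"` (L1675) but keeps the name `Allow new, established packets on TCP ports 80/443 (Webserver)`, whereas the parallel tasks in iptables-kdeconnect (L1255) and iptables-samba (L1513) were renamed to `Allow/ disallow …`; the name also hard-codes 80/443 while the debug message (L1630) reports `iptables_webserver_ports`. `- name: Allow/ disallow new, established packets on TCP webserver ports` keeps the output truthful for both states and any port list. The block continues outside the hunk.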
|
||||||
@ -11,19 +11,25 @@ Requirements
|
||||||
Role Variables
|
Role Variables
|
||||||
--------------
|
--------------
|
||||||
|
|
||||||
- **pihole_install_custom_list** (boolean): If true will install custom list into the pi-hole database
|
|
||||||
- **pihole_update_gravity** (boolean): If true the dns database will be updated
|
|
||||||
- **pihole_custom_list** (array): Array of URLs that can be installed as DNS lists. **Actually doesn't clean old lists before install!**
|
- **pihole_custom_list** (array): Array of URLs that can be installed as DNS lists. **Actually doesn't clean old lists before install!**
|
||||||
|
- **pihole_install_custom_list**: If present will install custom list into the pi-hole database
|
||||||
|
|
||||||
|
Role Tags
|
||||||
|
--------------
|
||||||
|
|
||||||
|
- **global.update_only**: `pihole -up`
|
||||||
|
- **pihole.update_gravity**: If present the dns database will be updated (`pihole updateGravity`)
|
||||||
|
|
||||||
Dependencies
|
Dependencies
|
||||||
------------
|
------------
|
||||||
|
|
||||||
.
|
- curl
|
||||||
|
- sqlite3 required by `pihole.install_custom_list`
|
||||||
|
|
||||||
Example Playbook
|
Example Playbook
|
||||||
----------------
|
----------------
|
||||||
|
|
||||||
`ansible-playbook -i inventory/example.yml pi-hole.yml --extra-vars="target=example_target"`
|
`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=example_target" --tags dns_filter`
|
||||||
|
|
||||||
License
|
License
|
||||||
-------
|
-------
|
||||||
@ -39,7 +39,8 @@ galaxy_info:
|
||||||
# - 7
|
# - 7
|
||||||
# - 99.99
|
# - 99.99
|
||||||
|
|
||||||
galaxy_tags: []
|
galaxy_tags:
|
||||||
|
- dns_filter
|
||||||
# List tags for your role here, one per line. A tag is a keyword that describes
|
# List tags for your role here, one per line. A tag is a keyword that describes
|
||||||
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
||||||
# remove the '[]' above, if you add tags to this list.
|
# remove the '[]' above, if you add tags to this list.
|
||||||
@ -1,7 +1,8 @@
|
||||||
---
|
---
|
||||||
# tasks file for pi-hole
|
# tasks file for pi-hole
|
||||||
|
|
||||||
- name: Pi-Hole setup
|
- name: pi-hole role; setup the target as DNS server with Pi-Hole
|
||||||
|
when: "'global.update_only' not in ansible_run_tags"
|
||||||
block:
|
block:
|
||||||
- name: Populate service facts
|
- name: Populate service facts
|
||||||
ansible.builtin.service_facts:
|
ansible.builtin.service_facts:
|
||||||
@ -17,41 +18,38 @@
|
||||||
ansible.builtin.debug:
|
ansible.builtin.debug:
|
||||||
msg: "curl -sSL https://install.pi-hole.net | bash"
|
msg: "curl -sSL https://install.pi-hole.net | bash"
|
||||||
|
|
||||||
- name: Check if can install custom list
|
|
||||||
when: 'pihole_install_custom_list is true'
|
|
||||||
block:
|
|
||||||
- name: Check if pi-hole db exists
|
|
||||||
stat:
|
|
||||||
path: /etc/pihole/gravity.db
|
|
||||||
register: pihole_db
|
|
||||||
|
|
||||||
- name: Install sqlite3 package
|
|
||||||
ansible.builtin.package:
|
|
||||||
name: sqlite3
|
|
||||||
|
|
||||||
- name: Install more lists than default
|
|
||||||
when: pihole_db.stat.exists
|
|
||||||
ansible.builtin.shell:
|
|
||||||
cmd: sqlite3 /etc/pihole/gravity.db "INSERT INTO adlist (address, enabled, comment) VALUES ('{{ item }}', 1, '');"
|
|
||||||
loop: "{{ pihole_custom_list }}"
|
|
||||||
|
|
||||||
- name: Update Gravity
|
|
||||||
when: 'pihole_update_gravity is true'
|
|
||||||
ansible.builtin.shell: pihole updateGravity
|
|
||||||
|
|
||||||
- name: iptables-webserver
|
- name: iptables-webserver
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: iptables-webserver
|
name: iptables-webserver
|
||||||
|
|
||||||
- name: Setup iptables rules
|
|
||||||
ansible.builtin.iptables:
|
|
||||||
chain: INPUT
|
|
||||||
protocol: '{{ item }}'
|
|
||||||
destination_port: 53
|
|
||||||
jump: ACCEPT
|
|
||||||
comment: Accept DNS connections
|
|
||||||
loop: [tcp,udp]
|
|
||||||
|
|
||||||
- name: iptables-persistent
|
- name: iptables-persistent
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: iptables-persistent
|
name: iptables-persistent
|
||||||
|
|
||||||
|
- name: Update pihole FTL
|
||||||
|
when: "'global.update_only' in ansible_run_tags"
|
||||||
|
ansible.builtin.shell: pihole -up
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Check if pi-hole db exists
|
||||||
|
stat:
|
||||||
|
path: /etc/pihole/gravity.db
|
||||||
|
register: pihole_db
|
||||||
|
|
||||||
|
- name: Install sqlite3 package
|
||||||
|
ansible.builtin.package:
|
||||||
|
name: sqlite3
|
||||||
|
|
||||||
|
- name: Install more lists than default
|
||||||
|
when: pihole_db.stat.exists
|
||||||
|
ansible.builtin.shell:
|
||||||
|
cmd: sqlite3 /etc/pihole/gravity.db "INSERT INTO adlist (address, enabled, comment) VALUES ('{{ item }}', 1, '');"
|
||||||
|
loop: "{{ pihole_custom_list }}"
|
||||||
|
when: "pihole_install_custom_list is true"
|
||||||
|
|
||||||
|
- name: Update Gravity
|
||||||
|
ansible.builtin.shell: pihole updateGravity
|
||||||
|
when: "
|
||||||
|
(pihole_install_custom_list is true) or
|
||||||
|
('pihole.update_gravity' in ansible_run_tags)
|
||||||
|
"
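Review bot: `Install more lists than default` (L2122-L2138) interpolates each `pihole_custom_list` entry straight into a shell command and into an SQL string literal (L2134); an address containing `'` or shell metacharacters breaks or escapes the statement, and every run re-inserts the same rows because a plain `INSERT` is not idempotent (the role README in this commit admits old lists are never cleaned). Running `sqlite3` via `ansible.builtin.command` with `argv` takes the shell out of the path, `replace("'", "''")` handles the SQL quote, and `INSERT OR IGNORE` makes re-runs no-ops provided `adlist.address` carries a UNIQUE constraint in gravity.db — I believe current Pi-hole schemas declare one, but confirm against the installed version. `Update pihole FTL` (L2069-L2077) and `Update Gravity` (L2149-L2153) likewise run fixed commands through `ansible.builtin.shell` with no shell features in use, where `ansible.builtin.command` is the safer default. The enclosing `- block:` (L2084) and its `when:` (L2142) are left as they are.
```yaml
- name: Install more lists than default
  when: pihole_db.stat.exists
  ansible.builtin.command:
    argv:
      - sqlite3
      - /etc/pihole/gravity.db
      - >-
        INSERT OR IGNORE INTO adlist (address, enabled, comment)
        VALUES ('{{ item | replace("'", "''") }}', 1, '');
  loop: "{{ pihole_custom_list }}"
# … unchanged: block-level when and the Update Gravity task …
```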
|
||||||
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Setup target as a Samba server
|
- name: samba role; setup the target as SMB server using an external role
|
||||||
when: 'samba_enabled is true'
|
when: 'samba_enabled is true'
|
||||||
include_role:
|
include_role:
|
||||||
name: vladgh.samba.server
|
name: vladgh.samba.server
|
||||||
@ -1,8 +1,10 @@
|
||||||
---
|
---
|
||||||
# tasks file for snort-community
|
# tasks file for snort-community
|
||||||
|
|
||||||
- name: Snort Community Edition setup
|
- ansible.builtin.debug:
|
||||||
when:
|
msg: "ENABLED = {{ snort_community_enabled }}; Snort Community Edition setup"
|
||||||
|
|
||||||
|
- when:
|
||||||
- "snort_community_enabled is true"
|
- "snort_community_enabled is true"
|
||||||
block:
|
block:
|
||||||
- name: Gather package facts
|
- name: Gather package facts
|
||||||
@ -1,9 +1,7 @@
|
||||||
---
|
---
|
||||||
# tasks file for unattended-upgrades
|
# tasks file for unattended-upgrades
|
||||||
|
|
||||||
- name: Check if host need unattended-upgrades
|
- name: Check if host need unattended-upgrades and install package
|
||||||
when: "unattended_upgrades_enabled is true"
|
when: "unattended_upgrades_enabled is true"
|
||||||
block:
|
ansible.builtin.package:
|
||||||
- name: Install unattended-upgrades
|
name: unattended-upgrades
|
||||||
ansible.builtin.package:
|
|
||||||
name: unattended-upgrades
|
|
||||||
29
roles/wakeonlan/.travis.yml
@ -0,0 +1,29 @@
|
||||||
|
---
|
||||||
|
language: python
|
||||||
|
python: "2.7"
|
||||||
|
|
||||||
|
# Use the new container infrastructure
|
||||||
|
sudo: false
|
||||||
|
|
||||||
|
# Install ansible
|
||||||
|
addons:
|
||||||
|
apt:
|
||||||
|
packages:
|
||||||
|
- python-pip
|
||||||
|
|
||||||
|
install:
|
||||||
|
# Install ansible
|
||||||
|
- pip install ansible
|
||||||
|
|
||||||
|
# Check ansible version
|
||||||
|
- ansible --version
|
||||||
|
|
||||||
|
# Create ansible.cfg with correct roles_path
|
||||||
|
- printf '[defaults]\nroles_path=../' >ansible.cfg
|
||||||
|
|
||||||
|
script:
|
||||||
|
# Basic role syntax check
|
||||||
|
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
|
||||||
|
|
||||||
|
notifications:
|
||||||
|
webhooks: https://galaxy.ansible.com/api/v1/notifications/
37
roles/wakeonlan/README.md
@ -0,0 +1,37 @@
|
||||||
|
wakeonlan
|
||||||
|
=========
|
||||||
|
|
||||||
|
This role install Wake on LAN support for target
|
||||||
|
|
||||||
|
Requirements
|
||||||
|
------------
|
||||||
|
|
||||||
|
.
|
||||||
|
|
||||||
|
Role Variables
|
||||||
|
--------------
|
||||||
|
|
||||||
|
Respond to:
|
||||||
|
- **wakeonlan_enabled** (boolean): If true install and configure WoL
|
||||||
|
- **wakeonlan_interface** (string): the interface to setup for WoL
|
||||||
|
- **wakeonlan_mode** (string): the mode selected for WoL, default to `g`
|
||||||
|
|
||||||
|
Dependencies
|
||||||
|
------------
|
||||||
|
|
||||||
|
- ethtool
|
||||||
|
|
||||||
|
Example Playbook
|
||||||
|
----------------
|
||||||
|
|
||||||
|
`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=example_target" --tags wol`
|
||||||
|
|
||||||
|
License
|
||||||
|
-------
|
||||||
|
|
||||||
|
GPLv3
|
||||||
|
|
||||||
|
Author Information
|
||||||
|
------------------
|
||||||
|
|
||||||
|
- [Claudio Maradonna](https://social.unitoo.it/claudio)
6
roles/wakeonlan/defaults/main.yml
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
# defaults file for wakeonlan
|
||||||
|
|
||||||
|
wakeonlan_enabled: false
|
||||||
|
wakeonlan_interface: enp2s0
|
||||||
|
wakeonlan_mode: g
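Review bot: `wakeonlan_interface: enp2s0` (L2594) bakes one machine's NIC name into the role default; on any other host the unit generated from it runs `ethtool -s enp2s0 …` at boot and fails, so the role ships a broken service without the play noticing. Deriving the default from gathered facts — `wakeonlan_interface: "{{ ansible_default_ipv4.interface }}"` — picks the interface carrying the default route on every host (facts are already relied on, the tasks file uses `ansible_service_mgr`), and an explicit override still wins. `wakeonlan_mode: g` is the ethtool magic-packet mode, but the lone letter reads like a typo; a comment such as `# ethtool wol mode letters, e.g. g = magic packet` would help.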
2
roles/wakeonlan/handlers/main.yml
@ -0,0 +1,2 @@
|
||||||
|
---
|
||||||
|
# handlers file for wakeonlan
52
roles/wakeonlan/meta/main.yml
@ -0,0 +1,52 @@
|
||||||
|
galaxy_info:
|
||||||
|
author: your name
|
||||||
|
description: your role description
|
||||||
|
company: your company (optional)
|
||||||
|
|
||||||
|
# If the issue tracker for your role is not on github, uncomment the
|
||||||
|
# next line and provide a value
|
||||||
|
# issue_tracker_url: http://example.com/issue/tracker
|
||||||
|
|
||||||
|
# Choose a valid license ID from https://spdx.org - some suggested licenses:
|
||||||
|
# - BSD-3-Clause (default)
|
||||||
|
# - MIT
|
||||||
|
# - GPL-2.0-or-later
|
||||||
|
# - GPL-3.0-only
|
||||||
|
# - Apache-2.0
|
||||||
|
# - CC-BY-4.0
|
||||||
|
license: license (GPL-2.0-or-later, MIT, etc)
|
||||||
|
|
||||||
|
min_ansible_version: 2.1
|
||||||
|
|
||||||
|
# If this a Container Enabled role, provide the minimum Ansible Container version.
|
||||||
|
# min_ansible_container_version:
|
||||||
|
|
||||||
|
#
|
||||||
|
# Provide a list of supported platforms, and for each platform a list of versions.
|
||||||
|
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
|
||||||
|
# To view available platforms and versions (or releases), visit:
|
||||||
|
# https://galaxy.ansible.com/api/v1/platforms/
|
||||||
|
#
|
||||||
|
# platforms:
|
||||||
|
# - name: Fedora
|
||||||
|
# versions:
|
||||||
|
# - all
|
||||||
|
# - 25
|
||||||
|
# - name: SomePlatform
|
||||||
|
# versions:
|
||||||
|
# - all
|
||||||
|
# - 1.0
|
||||||
|
# - 7
|
||||||
|
# - 99.99
|
||||||
|
|
||||||
|
galaxy_tags: []
|
||||||
|
# List tags for your role here, one per line. A tag is a keyword that describes
|
||||||
|
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
||||||
|
# remove the '[]' above, if you add tags to this list.
|
||||||
|
#
|
||||||
|
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
|
||||||
|
# Maximum 20 tags per role.
|
||||||
|
|
||||||
|
dependencies: []
|
||||||
|
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
|
||||||
|
# if you add dependencies to this list.
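Review bot: `galaxy_info` still carries the `ansible-galaxy init` placeholders — `author: your name` (L2632), `description: your role description` (L2636), `license: license (GPL-2.0-or-later, MIT, etc)` (L2690) — while the role README added in this commit names the author and GPLv3, and `galaxy_tags: []` (L2786) is empty although the other roles touched here were given tags. `min_ansible_version: 2.1` (L2697) also understates the requirement: the role's tasks use `ansible.builtin.*` names and the `community.general.filetree` lookup, which need ansible-core 2.10 or newer. Filling in `license: GPL-3.0-only`, `min_ansible_version: "2.10"` and a one-line description would bring this file in line with the rest of the repository.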
3
roles/wakeonlan/tasks/install_Debian.yml
@ -0,0 +1,3 @@
|
||||||
|
- name: Install ethtool
|
||||||
|
ansible.builtin.package:
|
||||||
|
name: ethtool
19
roles/wakeonlan/tasks/install_systemd_service.yml
@ -0,0 +1,19 @@
|
||||||
|
- name: Setup systemd
|
||||||
|
when: 'is_docker is not true'
|
||||||
|
block:
|
||||||
|
- name: Install systemd files
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: '{{ item.src }}'
|
||||||
|
dest: '/{{ item.path }}'
|
||||||
|
with_community.general.filetree: '../templates/systemd/'
|
||||||
|
vars:
|
||||||
|
interface: "{{ wakeonlan_interface }}"
|
||||||
|
mode: "{{ wakeonlan_mode }}"
|
||||||
|
when: item.state == 'file'
|
||||||
|
|
||||||
|
- name: Enable service
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
name: wol-enable
|
||||||
|
state: started
|
||||||
|
enabled: true
|
||||||
|
daemon_reload: yes
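Review bot: `wakeonlan_interface` and `wakeonlan_mode` are passed through the `interface`/`mode` template vars of the `Install systemd files` task straight into the unit's `ExecStart` line with no validation, so a value containing whitespace or a stray `;` becomes extra words of the ethtool command line instead of failing the play; add an `ansible.builtin.assert: { that: ["wakeonlan_interface is match('^[A-Za-z0-9_.:-]+$')", "wakeonlan_mode is match('^[pumbagsfd]+$')"] }` before the block (the second pattern is the set of flags `ethtool wol` accepts). `daemon_reload: yes` should be `daemon_reload: true` — Ansible convention and yamllint's truthy rule both want lowercase booleans, and `enabled: true` two lines above already follows it. `when: 'is_docker is not true'` presumably relies on `is_docker` being defined somewhere outside this role; `is_docker | default(false) | bool` would make that explicit and survive hosts that never set it. Indentation is lost in this rendered view, so I could not confirm how the two tasks nest under `block:`.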
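--- /dev/null
+++ b/roles/wakeonlan/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+# tasks file for wakeonlan
+
+- ansible.builtin.debug:
+msg: "ENABLED = {{ wakeonlan_enabled }}; wakeonlan role; install and configure wakeonlan on target; REQUIRES BIOS CONFIGURATION ON TARGET itself"
+
+- when:
+- "wakeonlan_enabled is true"
+block:
+- name: Gather package facts
+package_facts:
+manager: auto
+
+- name: Install yggdrasil if not present
+when: "'ethtool' not in ansible_facts.packages"
+block:
+- include_tasks: "install_{{ ansible_os_family }}.yml"
+
+- include_tasks: "install_{{ ansible_service_mgr }}_service.yml"
+ignore_errors: true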
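Review bot: `ignore_errors: true` on the `install_{{ ansible_service_mgr }}_service.yml` include turns a failure to write or enable the `wol-enable` unit into a green play, so a host can end up without the setting the role reports as applied; drop the flag, or if the intent is only to tolerate non-systemd hosts, replace it with `when: ansible_service_mgr == 'systemd'` since that is the only service file added in this commit. The task name `Install yggdrasil if not present` is a copy-paste from the yggdrasil role and should read `Install ethtool if not present`. Only `install_Debian.yml` is visible among the added files, so `include_tasks: "install_{{ ansible_os_family }}.yml"` will fail on any other family; either add the missing files or guard the include with `when: ansible_os_family == 'Debian'`. Indentation is not preserved in this rendered view, so I cannot tell whether `ignore_errors` applies to the include alone or to the enclosing block.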
@ -0,0 +1,9 @@
|
||||||
|
[Unit]
|
||||||
|
Description=Enable Wake-up on LAN
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
ExecStart=/sbin/ethtool -s {{ interface }} wol {{ mode }}
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=basic.target
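Review bot: The unit declares no ordering or binding to the interface it configures, so at boot `ExecStart=/sbin/ethtool -s {{ interface }} wol {{ mode }}` may run before the driver has created `{{ interface }}` and fail once, leaving WoL unset for that boot; add `BindsTo=sys-subsystem-net-devices-{{ interface }}.device` and `After=sys-subsystem-net-devices-{{ interface }}.device` to `[Unit]` (interface names containing `-` need systemd escaping in the device unit name) and `RemainAfterExit=yes` under `[Service]` so `systemctl is-active wol-enable` reflects the applied state. `{{ interface }}` and `{{ mode }}` are substituted unquoted, and ExecStart is not a shell: whitespace splits the value into further words and a standalone `;` starts a second command for a oneshot unit, so quote them as `"{{ interface }}"` / `"{{ mode }}"` and validate the values in the role before templating. A comment in the template would also help operators: Wake-on-LAN magic packets are unauthenticated, so enabling `g` lets any host on the same L2 segment power the machine on; where the NIC supports it, `wol s` with a `sopass` (SecureOn) password is the tighter setting.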
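--- /dev/null
+++ b/roles/wakeonlan/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+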
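--- /dev/null
+++ b/roles/wakeonlan/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+remote_user: root
+roles:
+- wakeonlan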
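--- /dev/null
+++ b/roles/wakeonlan/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for wakeonlan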
@ -12,13 +12,16 @@ Role Variables
|
||||||
--------------
|
--------------
|
||||||
|
|
||||||
Respond to:
|
Respond to:
|
||||||
- **update_only** (boolean)
|
|
||||||
|
|
||||||
- **yggdrasil_enabled** (boolean): If true install yggdrasil
|
- **yggdrasil_enabled** (boolean): If true install yggdrasil
|
||||||
- **yggdrasil_sshd_enabled** (boolean): If true enable sshd access through Yggdrasil
|
- **yggdrasil_sshd_enabled** (boolean): If true enable sshd access through Yggdrasil
|
||||||
- **yggdrasil_uninstall** (boolean): if true yggdrasil will be removed from the system (requires *yggdrasil_enabled to false*)
|
|
||||||
- **yggdrasil_peers_list_url** (url): a remote file that contains the `Peers` section of yggdrasil configuration
|
- **yggdrasil_peers_list_url** (url): a remote file that contains the `Peers` section of yggdrasil configuration
|
||||||
|
|
||||||
|
Role Tags
|
||||||
|
--------------
|
||||||
|
|
||||||
|
- **global.update_only**: If present will update only the peers
|
||||||
|
- **global.uninstall**: If present yggdrasil will be removed from the system (requires *yggdrasil_enabled to false*)
|
||||||
|
|
||||||
Dependencies
|
Dependencies
|
||||||
------------
|
------------
|
||||||
|
|
||||||
|
|
|
@ -3,5 +3,4 @@
|
||||||
|
|
||||||
yggdrasil_enabled: false
|
yggdrasil_enabled: false
|
||||||
yggdrasil_sshd_enabled: false
|
yggdrasil_sshd_enabled: false
|
||||||
yggdrasil_uninstall: false
|
|
||||||
yggdrasil_peers_list_url: https://git.unitoo.it/unitoo/configurations/raw/branch/master/yggdrasil/peers.conf
|
yggdrasil_peers_list_url: https://git.unitoo.it/unitoo/configurations/raw/branch/master/yggdrasil/peers.conf
|
||||||
|
|
|
@ -39,7 +39,8 @@ galaxy_info:
|
||||||
# - 7
|
# - 7
|
||||||
# - 99.99
|
# - 99.99
|
||||||
|
|
||||||
galaxy_tags: []
|
galaxy_tags:
|
||||||
|
- yggdrasil
|
||||||
# List tags for your role here, one per line. A tag is a keyword that describes
|
# List tags for your role here, one per line. A tag is a keyword that describes
|
||||||
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
||||||
# remove the '[]' above, if you add tags to this list.
|
# remove the '[]' above, if you add tags to this list.
|
||||||
|
|
|
@ -1,7 +1,11 @@
|
||||||
- name: Install and configure yggdrasil
|
---
|
||||||
when:
|
|
||||||
|
- ansible.builtin.debug:
|
||||||
|
msg: "ENABLED = {{ yggdrasil_enabled }}; yggdrasil-role; install and configure yggdrasil overlay network"
|
||||||
|
|
||||||
|
- when:
|
||||||
- "yggdrasil_enabled is true"
|
- "yggdrasil_enabled is true"
|
||||||
- "update_only is false"
|
- "'global.update_only' not in ansible_run_tags"
|
||||||
block:
|
block:
|
||||||
- name: Gather package facts
|
- name: Gather package facts
|
||||||
package_facts:
|
package_facts:
|
||||||
|
@ -64,8 +68,9 @@
|
||||||
- name: Remove yggdrasil if not enabled
|
- name: Remove yggdrasil if not enabled
|
||||||
when:
|
when:
|
||||||
- "yggdrasil_enabled is false"
|
- "yggdrasil_enabled is false"
|
||||||
- "yggdrasil_uninstall is true"
|
- "'yggdrasil' in ansible_run_tags"
|
||||||
- "update_only is false"
|
- "'global.uninstall' in ansible_run_tags"
|
||||||
|
- "'global.update_only' not in ansible_run_tags"
|
||||||
block:
|
block:
|
||||||
- name: Gather package facts
|
- name: Gather package facts
|
||||||
package_facts:
|
package_facts:
|
||||||
|
@ -79,5 +84,4 @@
|
||||||
|
|
||||||
- when:
|
- when:
|
||||||
- "yggdrasil_enabled is true"
|
- "yggdrasil_enabled is true"
|
||||||
block:
|
include_tasks: "update_peers.yml"
|
||||||
- include_tasks: "update_peers.yml"
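Review bot: In the `Remove yggdrasil if not enabled` block the uninstall is now gated only on `'yggdrasil' in ansible_run_tags`, `'global.uninstall' in ansible_run_tags` and `yggdrasil_enabled is false`; because `yggdrasil_enabled` defaults to `false` in the role's `defaults/main.yml` shown earlier on this page, a single `--tags yggdrasil,global.uninstall` run removes the package from every host in the target that has not explicitly opted in, whereas the dropped `yggdrasil_uninstall` variable required a per-host opt-in. Consider keeping a per-host guard such as `- "yggdrasil_uninstall | default(false) | bool"` alongside the tag, or at least asserting that `target` was set explicitly before a tag-driven uninstall runs. Separately, `yggdrasil_enabled is true` / `is false` are strict identity tests, so a value arriving as a string (`-e yggdrasil_enabled=true` on the CLI) satisfies neither and the role silently does nothing for that host; `yggdrasil_enabled | bool` and `not (yggdrasil_enabled | bool)` behave as intended. `ansible_run_tags` is `['all']` when no `--tags` is given, so the new `'global.update_only' not in ansible_run_tags` condition is correct for the default run. The task list continues outside these hunks.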
@ -1,16 +1,19 @@
|
||||||
zabov
|
zabov
|
||||||
=========
|
=========
|
||||||
|
|
||||||
This role setup Zabov DNS filter
|
This role setup Zabov DNS filter. More information here: https://git.keinpfusch.net/loweel/zabov
|
||||||
|
|
||||||
|
|
||||||
Requirements
|
Requirements
|
||||||
------------
|
------------
|
||||||
|
|
||||||
.
|
- golang >= 1.13
|
||||||
|
|
||||||
Role Variables
|
Role Variables
|
||||||
--------------
|
--------------
|
||||||
|
|
||||||
|
- **go_path** (string)
|
||||||
|
|
||||||
- **zabov_git_url** (string): Git valid url of Zabov
|
- **zabov_git_url** (string): Git valid url of Zabov
|
||||||
- **zabov_git_branch** (string): Zabov Git branch
|
- **zabov_git_branch** (string): Zabov Git branch
|
||||||
- **zabov_installation_path** (string): Zabov installation path
|
- **zabov_installation_path** (string): Zabov installation path
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
# tasks file for zabov
|
# tasks file for zabov
|
||||||
|
|
||||||
- name: Install zabov from sources
|
- name: zabov role; install zabov from sources
|
||||||
when: 'go_path is defined'
|
when: 'go_path is defined'
|
||||||
block:
|
block:
|
||||||
- name: Install git if needed
|
- name: Install git if needed
|
||||||