add zram service role

README.md

@@ -15,6 +15,11 @@ This repository aims to handle most of the Unitoo basic/ standard configuration
 
 The examples for `Dockerfile.example` and `docker-compose.yml.example` are useful if you need a basic container to test your playbook with different systems (like Centos/ Ubuntu). Copy them and modify as needed :)
 
+## Global tags
+
+- **global.update_only**: skip installation/ first setup phase and trigger the update phase only (for configurations as example); each role needs to implement this.
+- **global.uninstall**: activate the uninstall phase for specified tags and targets
+
 ## Authors & contributors
 
 - [Claudio Maradonna](https://social.unitoo.it/claudio)

group_vars/all.yml

@@ -2,3 +2,12 @@ architecture_mapping: { "armv6l": "armhf", "armv7l": "armhf", "aarch64": "arm64"
 
 sshd_port: 22
 ipfs_port: 4001
+
+active_services:
+  - wakeonlan
+  - ipfs
+  - yggdrasil
+  - snort-community
+  - dns-filter
+  - samba
+  - zram

handbook.yml

@@ -1,22 +1,20 @@
 ---
 
-- name: "Setup a GNU/Linux target with standards or defined tags"
+- name: "Unitoo Handbook"
   hosts: "{{ target if target is defined else 'planets' }}"
 
+  tags: always
   roles:
     # --- Hardening ---
     # Basic rules or good practises to apply
 
-    - { role: hardening-basic, tags: [hardening, ips, ids] }
-    - { role: iptables-basic, tags: [firewall, ips, ids] }
-    - { role: fail2ban-basic, tags: [fail2ban, ips, ids] }
-    - { role: auditd, tags: [auditd] }
-    - { role: iptables-webserver, tags: [firewall, webserver] }
+    - hardening-basic
+    - iptables-basic
+    - fail2ban-basic
+    - auditd
 
     # --- Services ---
-    # Role relative to services, applications and so on
-    - { role: ipfs, tags: [ipfs] }
-    - { role: yggdrasil, tags: [yggdrasil] }
-    - { role: snort-community, tags: [snort, ips, ids] }
-    - { role: dns-filter, tags: [dns_filter] }
-    - { role: samba, tags: [samba, smb] }
+    - service-role-loader
+
+    # --- Sysadmin ---
+    - sysadmin-tools

roles/auditd/meta/main.yml

@@ -39,7 +39,9 @@ galaxy_info:
   #   - 7
   #   - 99.99
 
-  galaxy_tags: []
+  galaxy_tags:
+    - hardening
+    - auditd
     # List tags for your role here, one per line. A tag is a keyword that describes
     # and categorizes the role. Users find roles by searching for tags. Be sure to
     # remove the '[]' above, if you add tags to this list.

roles/auditd/tasks/main.yml

@@ -1,8 +1,12 @@
 ---
 # tasks file for auditd
 
-- name: Install and setup rules Auditd if enabled
-  when: 'auditd_enabled is true'
+- ansible.builtin.debug:
+    msg: "ENABLED = {{ auditd_enabled }}; auditd role"
+
+- when:
+    - 'auditd_enabled is true'
+    - "'global.update_only' not in ansible_run_tags"
   block:
     - name: Install auditd
       ansible.builtin.package:

roles/dns-filter/README.md

@@ -22,7 +22,7 @@ Dependencies
 Example Playbook
 ----------------
 
-`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=your_target go_path=/opt/go/bin" --tags dns_filter`
+`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=your_target go_path=/opt/go/bin"`
 
 License
 -------

roles/dns-filter/meta/main.yml

@@ -39,7 +39,7 @@ galaxy_info:
   #   - 7
   #   - 99.99
 
-  galaxy_tags: []
+  galaxy_tags:
     # List tags for your role here, one per line. A tag is a keyword that describes
     # and categorizes the role. Users find roles by searching for tags. Be sure to
     # remove the '[]' above, if you add tags to this list.

roles/dns-filter/tasks/main.yml

@@ -1,11 +1,25 @@
 ---
 # tasks file for dns-filter
 
-- name: Install selected DNS filter if enabled
-  when:
+- ansible.builtin.debug:
+    msg: "ENABLED = {{ dns_filter_enabled }}; FILTER = {{ dns_filter_selected }}; dns-filter role; setup the target as DNS server"
+
+- when:
     - "dns_filter_enabled is true"
     - "dns_filter_selected in dns_filter_list"
-  block:
-    - name: Call DNS filter role
-      ansible.builtin.include_role:
-        name: "{{ dns_filter_selected }}"
+  ansible.builtin.include_role:
+    name: "{{ dns_filter_selected }}"
+
+- name: Allow/ disallow port 53 for DNS querying
+  ansible.builtin.iptables:
+    chain: INPUT
+    state: "{{ 'present' if dns_filter_enabled is true else 'absent' }}"
+    protocol: '{{ item }}'
+    destination_port: 53
+    jump: ACCEPT
+    comment: Accept DNS connections
+  loop: [tcp,udp]
+
+- name: iptables-persistent
+  ansible.builtin.include_role:
+    name: iptables-persistent

roles/fail2ban-basic/meta/main.yml

@@ -39,7 +39,11 @@ galaxy_info:
   #   - 7
   #   - 99.99
 
-  galaxy_tags: []
+  galaxy_tags:
+    - hardening
+    - fail2ban
+    - ips
+    - ids
     # List tags for your role here, one per line. A tag is a keyword that describes
     # and categorizes the role. Users find roles by searching for tags. Be sure to
     # remove the '[]' above, if you add tags to this list.

roles/fail2ban-basic/tasks/main.yml

@@ -1,8 +1,12 @@
 ---
 # tasks file for fail2ban-basic
-#
-- name: Fail2ban Configuration
-  when: fail2ban_enabled is true
+
+- ansible.builtin.debug:
+    msg: "ENABLED = {{ fail2ban_enabled }}; fail2ban-basic role"
+
+- when:
+    - 'fail2ban_enabled is true'
+    - "'global.update_only' not in ansible_run_tags"
   block:
     - name: Install Fail2ban
       ansible.builtin.package:

roles/hardening-basic/tasks/main.yml

@@ -1,61 +1,61 @@
 ---
 # tasks file for hardening-basic
 
-- name: Basic Hardening
+- ansible.builtin.debug:
+    msg: "hardening-basic role"
+
+- name: Create directory structure
+  ansible.builtin.file:
+    path: '/etc/{{ item.path }}'
+    state: directory
+    mode: '{{ item.mode }}'
+  with_community.general.filetree: '../templates/basic/etc/'
+  when: item.state == 'directory'
+
+- name: Create and copy hardening files
+  ansible.builtin.template:
+    src: '{{ item.src }}'
+    dest: '/etc/{{ item.path }}'
+  with_community.general.filetree: '../templates/basic/etc/'
+  when: item.state == 'file'
+
+- name: ENABLED = {{ hardening_sshd_enabled }}; Harden SSH Config
+  when: 'hardening_sshd_enabled is true'
   block:
     - name: Create directory structure
       ansible.builtin.file:
         path: '/etc/{{ item.path }}'
         state: directory
         mode: '{{ item.mode }}'
-      with_community.general.filetree: '../templates/basic/etc/'
+      with_community.general.filetree: '../templates/ssh/etc/'
       when: item.state == 'directory'
 
     - name: Create and copy hardening files
       ansible.builtin.template:
         src: '{{ item.src }}'
         dest: '/etc/{{ item.path }}'
-      with_community.general.filetree: '../templates/basic/etc/'
+      with_community.general.filetree: '../templates/ssh/etc/'
       when: item.state == 'file'
 
-    - name: Harden SSH Config
-      when: 'hardening_sshd_enabled is true'
-      block:
-        - name: Create directory structure
-          ansible.builtin.file:
-            path: '/etc/{{ item.path }}'
-            state: directory
-            mode: '{{ item.mode }}'
-          with_community.general.filetree: '../templates/ssh/etc/'
-          when: item.state == 'directory'
+    - name: Give 1700 permissions to .ssh folder
+      ansible.builtin.file:
+        path: /root/.ssh
+        owner: root
+        group: root
+        mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}700"
 
-        - name: Create and copy hardening files
-          ansible.builtin.template:
-            src: '{{ item.src }}'
-            dest: '/etc/{{ item.path }}'
-          with_community.general.filetree: '../templates/ssh/etc/'
-          when: item.state == 'file'
+    - name: Give 1600 permissions to .ssh/authorized_keys file
+      ansible.builtin.file:
+        path: /root/.ssh/authorized_keys
+        owner: root
+        group: root
+        mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}600"
 
-        - name: Give 1700 permissions to .ssh folder
-          ansible.builtin.file:
-            path: /root/.ssh
-            owner: root
-            group: root
-            mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}700"
+    - name: Restart sshd
+      when: "is_docker is not true"
+      ansible.builtin.systemd:
+        state: restarted
+        name: sshd
 
-        - name: Give 1600 permissions to .ssh/authorized_keys file
-          ansible.builtin.file:
-            path: /root/.ssh/authorized_keys
-            owner: root
-            group: root
-            mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}600"
-
-        - name: Restart sshd
-          when: "is_docker is not true"
-          ansible.builtin.systemd:
-            state: restarted
-            name: sshd
-
-    - name: Harden Service Manager (like Systemd)
-      block:
-        - include_tasks: "harden_{{ ansible_service_mgr }}.yml"
+- name: Harden Service Manager (like Systemd)
+  include_tasks: "harden_{{ ansible_service_mgr }}.yml"

roles/ipfs/tasks/main.yml

@@ -1,12 +1,16 @@
 ---
 # tasks file for ipfs
 
-- name: Install IPFS if enabled
-  when:
+- ansible.builtin.debug:
+    msg: "ENABLED = {{ ipfs_enabled }}; ipfs role; setup the target as IPFS node"
+
+- when:
     - 'ipfs_enabled is true'
   block:
     - name: Setup ipfs-update
-      when: 'ipfs_setup is true'
+      when:
+        - 'ipfs_setup is true'
+        - "'global.update_only' not in ansible_run_tags"
       block:
         - name: Create ipfs group
           group:
@@ -72,6 +76,6 @@
 
         - include_tasks: "install_{{ ansible_service_mgr }}_service.yml"
 
-    - name: Setup firewall
-      ansible.builtin.include_role:
-        name: iptables-ipfs
+- name: Setup IPFS firewall
+  ansible.builtin.include_role:
+    name: iptables-ipfs

roles/iptables-basic/tasks/main.yml

@@ -1,14 +1,16 @@
 ---
 # tasks file for firewall
 
-- name: Setup iptables to standard configuration
-  when:
+- ansible.builtin.debug:
+    msg: "ENABLED = {{ iptables_basic_enabled }}; iptables-basic role; setup iptables with standard/ good-default configuration"
+
+- when:
     - "is_docker is not true"
     - "iptables_basic_enabled is true"
   block:
     - name: Reset configuration if requested
       when:
-        - "iptables_basic_reset_enabled is true"
+        - "'global.uninstall' in ansible_run_tags"
       block:
         - name: Open Firewall just for a moment to flush iptables rules
           ansible.builtin.iptables:

roles/iptables-ipfs/tasks/main.yml

@@ -1,14 +1,17 @@
 ---
 # tasks file for iptables-ipfs
 
-- name: setup iptables for IPFS
-  when:
+- ansible.builtin.debug:
+    msg: "ENABLED = {{ ipfs_enabled }}; iptables-ipfs role"
+
+- when:
     - "is_docker is not true"
   block:
-    - name: Allow new, established packets on TCP/UDP port 4001 (IPFS)
+    - name: allow/ disallow established packets on TCP/UDP port 4001 (IPFS)
       ansible.builtin.iptables:
         chain: INPUT
         protocol: tcp
+        state: "{{ 'present' if ipfs_enabled is true else 'absent' }}"
         destination_port: "{{ ipfs_port }}"
         ctstate: NEW,ESTABLISHED
         jump: ACCEPT

roles/iptables-kdeconnect/.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

roles/iptables-kdeconnect/README.md

@@ -0,0 +1,34 @@
+iptables-kdeconnect
+=========
+
+This role setup iptables for kdeconnect
+
+Requirements
+------------
+
+.
+
+Role Variables
+--------------
+
+- **kdeconnect_ports** (array): List of ports to enable for TCP/UDP
+
+Dependencies
+------------
+
+.
+
+Example Playbook
+----------------
+
+
+
+License
+-------
+
+GPLv3
+
+Author Information
+------------------
+
+- [Claudio Maradonna](https://social.unitoo.it/claudio)

roles/iptables-kdeconnect/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+# defaults file for iptables-kdeconnect
+
+kdeconnect_enabled: false
+kdeconnect_ports: "1714:1764"

roles/iptables-kdeconnect/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for iptables-kdeconnect

roles/iptables-kdeconnect/meta/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

roles/iptables-kdeconnect/tasks/main.yml

@@ -0,0 +1,27 @@
+---
+# tasks file for iptables-kdeconnect
+
+- ansible.builtin.debug:
+    msg: "ENABLED = {{ kdeconnect_enabled }}; iptables-kdeconnect role"
+
+- name: Allow/ disallow new, established packets on TCP Kdeconnect ports
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: tcp
+    state: "{{ 'present' if kdeconnect_enabled is true else 'absent' }}"
+    destination_port: "{{ kdeconnect_ports }}"
+    ctstate: NEW,ESTABLISHED
+    jump: ACCEPT
+
+- name: Allow/ disallow new, established packets on UDP Kdeconnect ports
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: udp
+    state: "{{ 'present' if kdeconnect_enabled is true else 'absent' }}"
+    destination_port: "{{ kdeconnect_ports }}"
+    ctstate: NEW,ESTABLISHED
+    jump: ACCEPT
+
+- name: iptables-persistent
+  ansible.builtin.include_role:
+    name: iptables-persistent

roles/iptables-kdeconnect/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

roles/iptables-kdeconnect/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - iptables-kdeconnect

roles/iptables-kdeconnect/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for iptables-kdeconnect

roles/iptables-persistent/tasks/main.yml

@@ -1,5 +1,9 @@
-- name: Handle iptables-persistent
-  when:
+---
+
+- ansible.builtin.debug:
+    msg: "ENABLED = {{ iptables_persistent_save_to_file }}; iptables-persistent role"
+
+- when:
     - "is_docker is not true"
     - "iptables_persistent_save_to_file is true"
   block:

roles/iptables-persistent/tasks/save_rules_for_Debian.yml

@@ -1,3 +1,5 @@
+---
+
 - name: Save iptables rules
   block:
     - name: Save rules with iptables-persistent v4

roles/iptables-samba/tasks/main.yml

@@ -1,26 +1,29 @@
 ---
 # tasks file for iptables-samba
-- name: Setup iptables for Samba
-  when: 'samba_enabled is true'
-  block:
-    - name: Allow new, established packets on TCP Samba ports
-      ansible.builtin.iptables:
-        chain: INPUT
-        protocol: tcp
-        destination_port: "{{ item }}"
-        ctstate: NEW,ESTABLISHED
-        jump: ACCEPT
-      with_items: '{{ samba_ports }}'
 
-    - name: Allow new, established packets on UDP Samba ports
-      ansible.builtin.iptables:
-        chain: INPUT
-        protocol: udp
-        destination_port: "{{ item }}"
-        ctstate: NEW,ESTABLISHED
-        jump: ACCEPT
-      with_items: '{{ samba_ports }}'
+- ansible.builtin.debug:
+    msg: "ENABLED = {{ samba_enabled }}; iptables-samba role"
 
-    - name: iptables-persistent
-      ansible.builtin.include_role:
-        name: iptables-persistent
+- name: Allow/ disallow new, established packets on TCP Samba ports
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: tcp
+    state: "{{ 'present' if samba_enabled is true else 'absent' }}"
+    destination_port: "{{ item }}"
+    ctstate: NEW,ESTABLISHED
+    jump: ACCEPT
+  with_items: '{{ samba_ports }}'
+
+- name: Allow/ disallow new, established packets on UDP Samba ports
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: udp
+    state: "{{ 'present' if samba_enabled is true else 'absent' }}"
+    destination_port: "{{ item }}"
+    ctstate: NEW,ESTABLISHED
+    jump: ACCEPT
+  with_items: '{{ samba_ports }}'
+
+- name: iptables-persistent
+  ansible.builtin.include_role:
+    name: iptables-persistent

roles/iptables-webserver/tasks/main.yml

@@ -1,15 +1,17 @@
 ---
 # tasks file for iptables-webserver
 
-- name: Setup iptables for webserver 80 and 443
-  when:
+- ansible.builtin.debug:
+    msg: "ENABLED = {{ iptables_webserver_enabled }}; PORTS = {{ iptables_webserver_ports }}; iptables-webserver role"
+
+- when:
     - "is_docker is not true"
-    - "iptables_webserver_enabled is true"
   block:
     - name: Allow new, established packets on TCP ports 80/443 (Webserver)
       ansible.builtin.iptables:
         chain: INPUT
         protocol: tcp
+        state: "{{ 'present' if iptables_webserver_enabled is true else 'absent' }}"
         destination_port: "{{ item }}"
         ctstate: NEW,ESTABLISHED
         jump: ACCEPT

roles/pi-hole/README.md

@@ -11,19 +11,25 @@ Requirements
 Role Variables
 --------------
 
-- **pihole_install_custom_list** (boolean): If true will install custom list into the pi-hole database
-- **pihole_update_gravity** (boolean): If true the dns database will be updated
 - **pihole_custom_list** (array): Array of URLs that can be installed as DNS lists. **Actually doesn't clean old lists before install!**
+- **pihole_install_custom_list**: If present will install custom list into the pi-hole database
+
+Role Tags
+--------------
+
+- **global.update_only**: `pihole -up`
+- **pihole.update_gravity**: If present the dns database will be updated (`pihole updateGravity`)
 
 Dependencies
 ------------
 
-.
+- curl
+- sqlite3 required by `pihole.install_custom_list`
 
 Example Playbook
 ----------------
 
-`ansible-playbook -i inventory/example.yml pi-hole.yml --extra-vars="target=example_target"`
+`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=example_target" --tags dns_filter`
 
 License
 -------

roles/pi-hole/meta/main.yml

@@ -39,7 +39,8 @@ galaxy_info:
   #   - 7
   #   - 99.99
 
-  galaxy_tags: []
+  galaxy_tags:
+    - dns_filter
     # List tags for your role here, one per line. A tag is a keyword that describes
     # and categorizes the role. Users find roles by searching for tags. Be sure to
     # remove the '[]' above, if you add tags to this list.

roles/pi-hole/tasks/main.yml

@@ -1,7 +1,8 @@
 ---
 # tasks file for pi-hole
 
-- name: Pi-Hole setup
+- name: pi-hole role; setup the target as DNS server with Pi-Hole
+  when: "'global.update_only' not in ansible_run_tags"
   block:
     - name: Populate service facts
       ansible.builtin.service_facts:
@@ -17,41 +18,38 @@
           ansible.builtin.debug:
             msg: "curl -sSL https://install.pi-hole.net | bash"
 
-    - name: Check if can install custom list
-      when: 'pihole_install_custom_list is true'
-      block:
-        - name: Check if pi-hole db exists
-          stat:
-            path: /etc/pihole/gravity.db
-          register: pihole_db
-
-        - name: Install sqlite3 package
-          ansible.builtin.package:
-            name: sqlite3
-
-        - name: Install more lists than default
-          when: pihole_db.stat.exists
-          ansible.builtin.shell:
-            cmd: sqlite3 /etc/pihole/gravity.db "INSERT INTO adlist (address, enabled, comment) VALUES ('{{ item }}', 1, '');"
-          loop: "{{ pihole_custom_list }}"
-
-    - name: Update Gravity
-      when: 'pihole_update_gravity is true'
-      ansible.builtin.shell: pihole updateGravity
-
     - name: iptables-webserver
       ansible.builtin.include_role:
         name: iptables-webserver
 
-    - name: Setup iptables rules
-      ansible.builtin.iptables:
-        chain: INPUT
-        protocol: '{{ item }}'
-        destination_port: 53
-        jump: ACCEPT
-        comment: Accept DNS connections
-      loop: [tcp,udp]
-
     - name: iptables-persistent
       ansible.builtin.include_role:
         name: iptables-persistent
+
+- name: Update pihole FTL
+  when: "'global.update_only' in ansible_run_tags"
+  ansible.builtin.shell: pihole -up
+
+- block:
+  - name: Check if pi-hole db exists
+    stat:
+      path: /etc/pihole/gravity.db
+    register: pihole_db
+
+  - name: Install sqlite3 package
+    ansible.builtin.package:
+      name: sqlite3
+
+  - name: Install more lists than default
+    when: pihole_db.stat.exists
+    ansible.builtin.shell:
+      cmd: sqlite3 /etc/pihole/gravity.db "INSERT INTO adlist (address, enabled, comment) VALUES ('{{ item }}', 1, '');"
+    loop: "{{ pihole_custom_list }}"
+  when: "pihole_install_custom_list is true"
+
+- name: Update Gravity
+  ansible.builtin.shell: pihole updateGravity
+  when: "
+    (pihole_install_custom_list is true) or
+    ('pihole.update_gravity' in ansible_run_tags)
+    "

roles/samba/tasks/main.yml

@@ -1,6 +1,6 @@
 ---
 
-- name: Setup target as a Samba server
+- name: samba role; setup the target as SMB server using an external role
   when: 'samba_enabled is true'
   include_role:
     name: vladgh.samba.server

roles/service-role-loader/README.md

@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

roles/service-role-loader/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+# defaults file for service-role-loader
+
+active_services: []

roles/service-role-loader/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for service-role-loader

roles/service-role-loader/meta/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

roles/service-role-loader/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+# tasks file for service-role-loader
+
+- name: Load each service role
+  when:
+    - active_services is defined
+  ansible.builtin.include_role:
+    name: '{{ item }}'
+  loop: "{{ active_services }}"

roles/service-role-loader/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

roles/service-role-loader/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - service-role-loader

roles/service-role-loader/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for service-role-loader

roles/snort-community/tasks/main.yml

@@ -1,8 +1,10 @@
 ---
 # tasks file for snort-community
 
-- name: Snort Community Edition setup
-  when:
+- ansible.builtin.debug:
+    msg: "ENABLED = {{ snort_community_enabled }}; Snort Community Edition setup"
+
+- when:
     - "snort_community_enabled is true"
   block:
     - name: Gather package facts

roles/sysadmin-tools/.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

roles/sysadmin-tools/README.md

@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

roles/sysadmin-tools/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+# defaults file for sysadmin-tools

roles/sysadmin-tools/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for sysadmin-tools

roles/sysadmin-tools/meta/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

roles/sysadmin-tools/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+
+- name: "Setup the hostname of the target"
+  when: "new_hostname is defined"
+  block:
+    - ansible.builtin.hostname:
+        name: "{{ new_hostname }}"
+
+    - name: "Replace /etc/hosts old entries"
+      ansible.builtin.replace:
+        path: /etc/hosts
+        regexp: '^.*127\.0\.1\.1.*$'
+        replace: "127.0.1.1 {{ new_hostname }}"

roles/sysadmin-tools/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

roles/sysadmin-tools/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - sysadmin-tools

roles/sysadmin-tools/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for sysadmin-tools

roles/unattended-upgrades/tasks/main.yml

@@ -1,9 +1,7 @@
 ---
 # tasks file for unattended-upgrades
 
-- name: Check if host need unattended-upgrades
+- name: Check if host need unattended-upgrades and install package
   when: "unattended_upgrades_enabled is true"
-  block:
-    - name: Install unattended-upgrades
-      ansible.builtin.package:
-        name: unattended-upgrades
+  ansible.builtin.package:
+    name: unattended-upgrades

roles/wakeonlan/.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

roles/wakeonlan/README.md

@@ -0,0 +1,37 @@
+wakeonlan
+=========
+
+This role install Wake on LAN support for target
+
+Requirements
+------------
+
+.
+
+Role Variables
+--------------
+
+Respond to:
+- **wakeonlan_enabled** (boolean): If true install and configure WoL
+- **wakeonlan_interface** (string): the interface to setup for WoL
+- **wakeonlan_mode** (string): the mode selected for WoL, default to `g`
+
+Dependencies
+------------
+
+- ethtool
+
+Example Playbook
+----------------
+
+`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=example_target" --tags wol`
+
+License
+-------
+
+GPLv3
+
+Author Information
+------------------
+
+- [Claudio Maradonna](https://social.unitoo.it/claudio)

roles/wakeonlan/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+# defaults file for wakeonlan
+
+wakeonlan_enabled: false
+wakeonlan_interface: enp2s0
+wakeonlan_mode: g

roles/wakeonlan/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for wakeonlan

roles/wakeonlan/meta/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

roles/wakeonlan/tasks/install_Debian.yml

@@ -0,0 +1,3 @@
+- name: Install ethtool
+  ansible.builtin.package:
+    name: ethtool

roles/wakeonlan/tasks/install_systemd_service.yml

@@ -0,0 +1,19 @@
+- name: Setup systemd
+  when: 'is_docker is not true'
+  block:
+    - name: Install systemd files
+      ansible.builtin.template:
+        src: '{{ item.src }}'
+        dest: '/{{ item.path }}'
+      with_community.general.filetree: '../templates/systemd/'
+      vars:
+        interface: "{{ wakeonlan_interface }}"
+        mode: "{{ wakeonlan_mode }}"
+      when: item.state == 'file'
+
+    - name: Enable service
+      ansible.builtin.systemd:
+        name: wol-enable
+        state: started
+        enabled: true
+        daemon_reload: yes

roles/wakeonlan/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+# tasks file for wakeonlan
+
+- ansible.builtin.debug:
+    msg: "ENABLED = {{ wakeonlan_enabled }}; wakeonlan role; install and configure wakeonlan on target; REQUIRES BIOS CONFIGURATION ON TARGET itself"
+
+- when:
+    - "wakeonlan_enabled is true"
+  block:
+    - name: Gather package facts
+      package_facts:
+        manager: auto
+
+    - name: Install yggdrasil if not present
+      when: "'ethtool' not in ansible_facts.packages"
+      block:
+        - include_tasks: "install_{{ ansible_os_family }}.yml"
+
+    - include_tasks: "install_{{ ansible_service_mgr }}_service.yml"
+      ignore_errors: true

roles/wakeonlan/templates/systemd/etc/systemd/system/wol-enable.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=Enable Wake-up on LAN
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/ethtool -s {{ interface }} wol {{ mode }}
+
+[Install]
+WantedBy=basic.target

roles/wakeonlan/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

roles/wakeonlan/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - wakeonlan

roles/wakeonlan/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for wakeonlan

roles/yggdrasil/README.md

@@ -11,9 +11,16 @@ Requirements
 Role Variables
 --------------
 
+Respond to:
 - **yggdrasil_enabled** (boolean): If true install yggdrasil
 - **yggdrasil_sshd_enabled** (boolean): If true enable sshd access through Yggdrasil
-- **yggdrasil_uninstall** (boolean): if true yggdrasil will be removed from the system (requires *yggdrasil_enabled to false*)
+- **yggdrasil_peers_list_url** (url): a remote file that contains the `Peers` section of yggdrasil configuration
+
+Role Tags
+--------------
+
+- **global.update_only**: If present will update only the peers
+- **global.uninstall**: If present yggdrasil will be removed from the system (requires *yggdrasil_enabled to false*)
 
 Dependencies
 ------------

roles/yggdrasil/defaults/main.yml

@@ -3,4 +3,4 @@
 
 yggdrasil_enabled: false
 yggdrasil_sshd_enabled: false
-yggdrasil_uninstall: false
+yggdrasil_peers_list_url: https://git.unitoo.it/unitoo/configurations/raw/branch/master/yggdrasil/peers.conf

roles/yggdrasil/meta/main.yml

@@ -39,7 +39,8 @@ galaxy_info:
   #   - 7
   #   - 99.99
 
-  galaxy_tags: []
+  galaxy_tags:
+    - yggdrasil
     # List tags for your role here, one per line. A tag is a keyword that describes
     # and categorizes the role. Users find roles by searching for tags. Be sure to
     # remove the '[]' above, if you add tags to this list.

roles/yggdrasil/tasks/install_Debian.yml

@@ -1,3 +1,7 @@
+- name: Install cURL if not present
+  ansible.builtin.package:
+    name: curl
+
 - name: Create /usr/local/apt-keys directory
   ansible.builtin.file:
     path: /usr/local/apt-keys
@@ -21,11 +25,8 @@
     name: yggdrasil
     update_cache: yes
 
-- name: Update yggdrasil.conf with peers
-  replace:
-    path: /etc/yggdrasil.conf
-    regexp: 'Peers:\s\[\]'
-    replace: 'Peers: [\n\ttls://[2001:470:1f13:e56::64]:39575\n\ttls://s2.i2pd.xyz:39575\n\ttls://51.255.223.60:54232\n\ttls://45.147.198.155:6010\n\ttls://ygg1.ezdomain.ru:11130\n\ttls://ygg.mkg20001.io:443\n  ]'
+- block:
+    - include_tasks: "update_peers.yml"
 
 - name: Enable Yggdrasil service
   ansible.builtin.systemd:

roles/yggdrasil/tasks/main.yml

@@ -1,5 +1,11 @@
-- name: Install and configure yggdrasil
-  when: "yggdrasil_enabled is true"
+---
+
+- ansible.builtin.debug:
+    msg: "ENABLED = {{ yggdrasil_enabled }}; yggdrasil-role; install and configure yggdrasil overlay network"
+
+- when:
+    - "yggdrasil_enabled is true"
+    - "'global.update_only' not in ansible_run_tags"
   block:
     - name: Gather package facts
       package_facts:
@@ -62,7 +68,9 @@
 - name: Remove yggdrasil if not enabled
   when:
     - "yggdrasil_enabled is false"
-    - "yggdrasil_uninstall is true"
+    - "'yggdrasil' in ansible_run_tags"
+    - "'global.uninstall' in ansible_run_tags"
+    - "'global.update_only' not in ansible_run_tags"
   block:
     - name: Gather package facts
       package_facts:
@@ -73,3 +81,7 @@
       ansible.builtin.apt:
         name: yggdrasil
         state: absent
+
+- when:
+    - "yggdrasil_enabled is true"
+  include_tasks: "update_peers.yml"

roles/yggdrasil/tasks/update_peers.yml

@@ -0,0 +1,21 @@
+- name: Download new peers file from remote url
+  ansible.builtin.get_url:
+    url: "{{yggdrasil_peers_list_url}}"
+    dest: /tmp/yggdrasil_peers.conf
+    mode: '0500'
+    force: true
+
+- name: Get peers from remote file list
+  ansible.builtin.slurp:
+    src: "/tmp/yggdrasil_peers.conf"
+  register: yggdrasil_peers_encoded
+
+- name: Decode remote peers content
+  set_fact:
+    yggdrasil_peers: "{{yggdrasil_peers_encoded.content | b64decode}}"
+
+- name: Update yggdrasil.conf with peers
+  replace:
+    path: /etc/yggdrasil.conf
+    regexp: '\bPeers:\s*((?:(?!\bPeers\b).|\n)+?)\](?!:)'
+    replace: "{{yggdrasil_peers}}"

roles/zabov/README.md

@@ -1,16 +1,19 @@
 zabov
 =========
 
-This role setup Zabov DNS filter
+This role setup Zabov DNS filter. More information here: https://git.keinpfusch.net/loweel/zabov
+
 
 Requirements
 ------------
 
-.
+- golang >= 1.13
 
 Role Variables
 --------------
 
+- **go_path** (string)
+
 - **zabov_git_url** (string): Git valid url of Zabov
 - **zabov_git_branch** (string): Zabov Git branch
 - **zabov_installation_path** (string): Zabov installation path

roles/zabov/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 # tasks file for zabov
 
-- name: Install zabov from sources
+- name: zabov role; install zabov from sources
   when: 'go_path is defined'
   block:
     - name: Install git if needed

roles/zram/README.md

@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

roles/zram/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+# defaults file for zram
+
+zram_enabled: true
+zram_algo: zstd
+zram_percent: 60

roles/zram/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for zram

roles/zram/meta/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

roles/zram/tasks/install_Debian.yml

@@ -0,0 +1,11 @@
+
+- name: Install zram-tools if needed
+  ansible.builtin.package:
+    name: zram-tools
+
+- name: Enable zramswap service
+  ansible.builtin.systemd:
+    name: zramswap
+    enabled: yes
+    state: started
+    masked: no

roles/zram/tasks/main.yml

@@ -0,0 +1,37 @@
+---
+# tasks file for zram
+
+- ansible.builtin.debug:
+    msg: "ENABLED = {{ zram_enabled }}; zram-role; install and configure zram"
+
+- when:
+    - "zram_enabled is true"
+    - "'global.update_only' not in ansible_run_tags"
+
+  block:
+    - name: Gather package facts
+      package_facts:
+        manager: auto
+
+    - name: Install zram-tools if not present
+      when: "'zram-tools' not in ansible_facts.packages"
+      block:
+        - include_tasks: "install_{{ ansible_os_family }}.yml"
+
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Configure zram-tools
+      when: "ansible_facts.services['zramswap.service'] is defined"
+      block:
+        - name: Update /etc/default/zramswap ALGO
+          replace:
+            path: /etc/default/zramswap
+            regexp: '^[#]?\s*ALGO=[A-Za-z0-9]+$'
+            replace: "ALGO={{zram_algo}}"
+
+        - name: Update /etc/default/zramswap PERCENT
+          replace:
+            path: /etc/default/zramswap
+            regexp: '^[#]?\s*PERCENT=[A-Za-z0-9]+$'
+            replace: "PERCENT={{zram_percent}}"

roles/zram/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

roles/zram/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - zram

roles/zram/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for zram