From 6aa6e080ddb97d59b415c86b35f35e0621c9458a Mon Sep 17 00:00:00 2001 From: Claudio Maradonna Date: Thu, 5 Jan 2023 16:01:31 +0100 Subject: [PATCH 1/3] add Wake on LAN dedicated role --- handbook.yml | 1 + roles/wakeonlan/.travis.yml | 29 +++++++++++ roles/wakeonlan/README.md | 37 +++++++++++++ roles/wakeonlan/defaults/main.yml | 6 +++ roles/wakeonlan/handlers/main.yml | 2 + roles/wakeonlan/meta/main.yml | 52 +++++++++++++++++++ roles/wakeonlan/tasks/install_Debian.yml | 3 ++ .../tasks/install_systemd_service.yml | 19 +++++++ roles/wakeonlan/tasks/main.yml | 18 +++++++ .../etc/systemd/system/wol-enable.service | 9 ++++ roles/wakeonlan/tests/inventory | 2 + roles/wakeonlan/tests/test.yml | 5 ++ roles/wakeonlan/vars/main.yml | 2 + 13 files changed, 185 insertions(+) create mode 100644 roles/wakeonlan/.travis.yml create mode 100644 roles/wakeonlan/README.md create mode 100644 roles/wakeonlan/defaults/main.yml create mode 100644 roles/wakeonlan/handlers/main.yml create mode 100644 roles/wakeonlan/meta/main.yml create mode 100644 roles/wakeonlan/tasks/install_Debian.yml create mode 100644 roles/wakeonlan/tasks/install_systemd_service.yml create mode 100644 roles/wakeonlan/tasks/main.yml create mode 100644 roles/wakeonlan/templates/systemd/etc/systemd/system/wol-enable.service create mode 100644 roles/wakeonlan/tests/inventory create mode 100644 roles/wakeonlan/tests/test.yml create mode 100644 roles/wakeonlan/vars/main.yml diff --git a/handbook.yml b/handbook.yml index 53cb9f7..c245d0d 100644 --- a/handbook.yml +++ b/handbook.yml @@ -16,6 +16,7 @@ # --- Sysadmin --- - { role: sysadmin-tools, tags: [sysadmin] } + - { role: wakeonlan, tags: [wol] } # --- Services --- # Role relative to services, applications and so on diff --git a/roles/wakeonlan/.travis.yml b/roles/wakeonlan/.travis.yml new file mode 100644 index 0000000..36bbf62 --- /dev/null +++ b/roles/wakeonlan/.travis.yml 
@@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/roles/wakeonlan/README.md b/roles/wakeonlan/README.md new file mode 100644 index 0000000..8505d1e --- /dev/null +++ b/roles/wakeonlan/README.md @@ -0,0 +1,37 @@ +wakeonlan +========= + +This role install/ uninstall Wake on LAN support for target + +Requirements +------------ + +. + +Role Variables +-------------- + +Respond to: +- **wakeonlan_enabled** (boolean): If true install and configure WoL +- **wakeonlan_interface** (string): the interface to setup for WoL +- **wakeonlan_mode** (string): the mode selected for WoL, default to `g` + +Dependencies +------------ + +- ethtool + +Example Playbook +---------------- + +`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=example_target" --tags wol` + +License +------- + +GPLv3 + +Author Information +------------------ + +- [Claudio Maradonna](https://social.unitoo.it/claudio) diff --git a/roles/wakeonlan/defaults/main.yml b/roles/wakeonlan/defaults/main.yml new file mode 100644 index 0000000..0eb554b --- /dev/null +++ b/roles/wakeonlan/defaults/main.yml @@ -0,0 +1,6 @@ +--- +# defaults file for wakeonlan + +wakeonlan_enabled: false +wakeonlan_interface: enp2s0 +wakeonlan_mode: g diff --git a/roles/wakeonlan/handlers/main.yml b/roles/wakeonlan/handlers/main.yml new file mode 100644 index 0000000..fc4012b --- /dev/null +++ b/roles/wakeonlan/handlers/main.yml 
@@ -0,0 +1,2 @@ +--- +# handlers file for wakeonlan diff --git a/roles/wakeonlan/meta/main.yml b/roles/wakeonlan/meta/main.yml new file mode 100644 index 0000000..c572acc --- /dev/null +++ b/roles/wakeonlan/meta/main.yml @@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/wakeonlan/tasks/install_Debian.yml b/roles/wakeonlan/tasks/install_Debian.yml new file mode 100644 index 0000000..edbb0f0 
--- /dev/null
+++ b/roles/wakeonlan/tasks/install_Debian.yml
@@ -0,0 +1,3 @@
+- name: Install ethtool
+ ansible.builtin.package:
+ name: ethtool
diff --git a/roles/wakeonlan/tasks/install_systemd_service.yml b/roles/wakeonlan/tasks/install_systemd_service.yml
new file mode 100644
index 0000000..953c9fc
--- /dev/null
+++ b/roles/wakeonlan/tasks/install_systemd_service.yml
@@ -0,0 +1,19 @@
+- name: Setup systemd
+ when: 'is_docker is not true'
+ block:
+ - name: Install systemd files
+ ansible.builtin.template:
+ src: '{{ item.src }}'
+ dest: '/{{ item.path }}'
+ with_community.general.filetree: '../templates/systemd/'
+ vars:
+ interface: "{{ wakeonlan_interface }}"
+ mode: "{{ wakeonlan_mode }}"
+ when: item.state == 'file'
+
+ - name: Enable service
+ ansible.builtin.systemd:
+ name: wol-enable
+ state: started
+ enabled: true
+ daemon_reload: yes
diff --git a/roles/wakeonlan/tasks/main.yml b/roles/wakeonlan/tasks/main.yml
new file mode 100644
index 0000000..205b3a6
--- /dev/null
+++ b/roles/wakeonlan/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+# tasks file for wakeonlan
+
+- name: Install and configure wakeonlan
+ when:
+ - "wakeonlan_enabled is true"
+ block:
+ - name: Gather package facts
+ package_facts:
+ manager: auto
+
+ - name: Install yggdrasil if not present
+ when: "'ethtool' not in ansible_facts.packages"
+ block:
+ - include_tasks: "install_{{ ansible_os_family }}.yml"
+
+ - include_tasks: "install_{{ ansible_service_mgr }}_service.yml"
+ ignore_errors: true
diff --git a/roles/wakeonlan/templates/systemd/etc/systemd/system/wol-enable.service b/roles/wakeonlan/templates/systemd/etc/systemd/system/wol-enable.service
new file mode 100644
index 0000000..00a5ce8
--- /dev/null
+++ b/roles/wakeonlan/templates/systemd/etc/systemd/system/wol-enable.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Enable Wake-up on LAN
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/ethtool -s {{ interface }} wol {{ mode }}
+
+[Install]
+WantedBy=basic.target
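Review bot: `wakeonlan_interface` and `wakeonlan_mode` are handed to the unit template as `interface`/`mode` with no validation, and systemd splits `ExecStart` on whitespace, so a value such as `eth0 wol d` silently becomes extra ethtool arguments. Before the `Install systemd files` task, pin both values — assuming facts are gathered, which the role already relies on for `ansible_os_family`: `- ansible.builtin.assert: { that: ["wakeonlan_interface in ansible_facts.interfaces", "wakeonlan_mode is match('^[pumbagsd]+$')"] }`. Minor: `daemon_reload: yes` should be `daemon_reload: true` to match the `enabled: true` two lines above.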
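Review bot: `ignore_errors: true` on the `install_{{ ansible_service_mgr }}_service.yml` include masks every failure in the service setup — a missing per-manager task file, a failed template, a failed `systemctl enable` — so a host can finish the play green with WoL never enabled. Replace it with an explicit guard for the only service manager this patch ships a file for, `when: ansible_service_mgr == 'systemd'`, and let genuine failures surface. The inner block name `Install yggdrasil if not present` looks copy-pasted from the yggdrasil role; it should read `Install ethtool if not present`.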
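Review bot: The unit has no ordering or device dependency, so `ethtool -s {{ interface }}` may run at `basic.target` before the NIC is enumerated and fail, and a plain `Type=oneshot` with no `Restart=` does not retry. A common way to tie the unit to the interface is `BindsTo=sys-subsystem-net-devices-{{ interface }}.device` and `After=sys-subsystem-net-devices-{{ interface }}.device` under `[Unit]`, with `WantedBy=multi-user.target`. Separately, mode `g` wakes the host on any MagicPacket from the L2 segment with no authentication; if the NIC supports SecureOn, ethtool's `sopass` is the knob, and the README should at least state the exposure.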
diff --git a/roles/wakeonlan/tests/inventory b/roles/wakeonlan/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/roles/wakeonlan/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/roles/wakeonlan/tests/test.yml b/roles/wakeonlan/tests/test.yml new file mode 100644 index 0000000..2ea1839 --- /dev/null +++ b/roles/wakeonlan/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - wakeonlan diff --git a/roles/wakeonlan/vars/main.yml b/roles/wakeonlan/vars/main.yml new file mode 100644 index 0000000..b4879b8 --- /dev/null +++ b/roles/wakeonlan/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for wakeonlan -- 2.45.2 From 082d6ed47e4c291c3c317fee8d883269a36e43ae Mon Sep 17 00:00:00 2001 From: Claudio Maradonna Date: Wed, 11 Jan 2023 17:44:16 +0100 Subject: [PATCH 2/3] better pihole role; change update_only and uninstall from variable to global tag; update accordingly dependent roles --- README.md | 5 +-- handbook.yml | 4 +-- roles/auditd/meta/main.yml | 4 ++- roles/auditd/tasks/main.yml | 4 ++- roles/dns-filter/meta/main.yml | 3 +- roles/dns-filter/tasks/main.yml | 6 ++-- roles/fail2ban-basic/meta/main.yml | 6 +++- roles/fail2ban-basic/tasks/main.yml | 4 ++- roles/pi-hole/README.md | 14 +++++--- roles/pi-hole/meta/main.yml | 3 +- roles/pi-hole/tasks/main.yml | 51 ++++++++++++++++------------- roles/wakeonlan/README.md | 2 +- roles/yggdrasil/README.md | 9 +++-- roles/yggdrasil/defaults/main.yml | 1 - roles/yggdrasil/meta/main.yml | 3 +- roles/yggdrasil/tasks/main.yml | 6 ++-- 16 files changed, 76 insertions(+), 49 deletions(-) diff --git a/README.md b/README.md index 6e85d17..009a16a 100644 --- a/README.md +++ b/README.md 
@@ -15,9 +15,10 @@ This repository aims to handle most of the Unitoo basic/ standard configuration The examples for `Dockerfile.example` and `docker-compose.yml.example` are useful if you need a basic container to test your playbook with different systems (like Centos/ Ubuntu). Copy them and modify as needed :) -## Global variables +## Global tags -- **update_only**: used in combination with some tags to skip installation phase o not needed and trigger the update phase only (for configurations as example) +- **global.update_only**: skip installation/ first setup phase and trigger the update phase only (for configurations as example); each role needs to implement this. +- **global.uninstall**: activate the uninstall phase for specified tags and targets ## Authors & contributors diff --git a/handbook.yml b/handbook.yml index c245d0d..5e2468f 100644 --- a/handbook.yml +++ b/handbook.yml @@ -9,8 +9,8 @@ - { role: hardening-basic, tags: [hardening, ips, ids] } - { role: iptables-basic, tags: [firewall, ips, ids] } - - { role: fail2ban-basic, tags: [fail2ban, ips, ids] } - - { role: auditd, tags: [auditd] } + - { role: fail2ban-basic, tags: [hardening, fail2ban, ips, ids] } + - { role: auditd, tags: [hardening, auditd] } - { role: iptables-webserver, tags: [firewall, webserver] } - { role: iptables-kdeconnect, tags: [firewall] } diff --git a/roles/auditd/meta/main.yml b/roles/auditd/meta/main.yml index c572acc..f4841c8 100644 --- a/roles/auditd/meta/main.yml +++ b/roles/auditd/meta/main.yml @@ -39,7 +39,9 @@ galaxy_info: # - 7 # - 99.99 - galaxy_tags: [] + galaxy_tags: + - hardening + - auditd # List tags for your role here, one per line. A tag is a keyword that describes # and categorizes the role. Users find roles by searching for tags. Be sure to # remove the '[]' above, if you add tags to this list. diff --git a/roles/auditd/tasks/main.yml b/roles/auditd/tasks/main.yml index 7dbe918..f018420 100644 --- a/roles/auditd/tasks/main.yml +++ b/roles/auditd/tasks/main.yml 
@@ -2,7 +2,9 @@ # tasks file for auditd - name: Install and setup rules Auditd if enabled - when: 'auditd_enabled is true' + when: + - 'auditd_enabled is true' + - "'global.update_only' not in ansible_run_tags" block: - name: Install auditd ansible.builtin.package: diff --git a/roles/dns-filter/meta/main.yml b/roles/dns-filter/meta/main.yml index c572acc..67f6665 100644 --- a/roles/dns-filter/meta/main.yml +++ b/roles/dns-filter/meta/main.yml @@ -39,7 +39,8 @@ galaxy_info: # - 7 # - 99.99 - galaxy_tags: [] + galaxy_tags: + - dns_filter # List tags for your role here, one per line. A tag is a keyword that describes # and categorizes the role. Users find roles by searching for tags. Be sure to # remove the '[]' above, if you add tags to this list. diff --git a/roles/dns-filter/tasks/main.yml b/roles/dns-filter/tasks/main.yml index 64a0146..e719188 100644 --- a/roles/dns-filter/tasks/main.yml +++ b/roles/dns-filter/tasks/main.yml @@ -5,7 +5,5 @@ when: - "dns_filter_enabled is true" - "dns_filter_selected in dns_filter_list" - block: - - name: Call DNS filter role - ansible.builtin.include_role: - name: "{{ dns_filter_selected }}" + ansible.builtin.include_role: + name: "{{ dns_filter_selected }}" diff --git a/roles/fail2ban-basic/meta/main.yml b/roles/fail2ban-basic/meta/main.yml index c572acc..21baad9 100644 --- a/roles/fail2ban-basic/meta/main.yml +++ b/roles/fail2ban-basic/meta/main.yml @@ -39,7 +39,11 @@ galaxy_info: # - 7 # - 99.99 - galaxy_tags: [] + galaxy_tags: + - hardening + - fail2ban + - ips + - ids # List tags for your role here, one per line. A tag is a keyword that describes # and categorizes the role. Users find roles by searching for tags. Be sure to # remove the '[]' above, if you add tags to this list. diff --git a/roles/fail2ban-basic/tasks/main.yml b/roles/fail2ban-basic/tasks/main.yml index 9211aee..8a0961a 100644 --- a/roles/fail2ban-basic/tasks/main.yml +++ b/roles/fail2ban-basic/tasks/main.yml 
@@ -2,7 +2,9 @@ # tasks file for fail2ban-basic # - name: Fail2ban Configuration - when: fail2ban_enabled is true + when: + - fail2ban_enabled is true + - "'global.update_only' not in ansible_run_tags" block: - name: Install Fail2ban ansible.builtin.package: diff --git a/roles/pi-hole/README.md b/roles/pi-hole/README.md index 882e47a..3aaef0a 100644 --- a/roles/pi-hole/README.md +++ b/roles/pi-hole/README.md @@ -11,19 +11,25 @@ Requirements Role Variables -------------- -- **pihole_install_custom_list** (boolean): If true will install custom list into the pi-hole database -- **pihole_update_gravity** (boolean): If true the dns database will be updated - **pihole_custom_list** (array): Array of URLs that can be installed as DNS lists. **Actually doesn't clean old lists before install!** +- **pihole_install_custom_list**: If present will install custom list into the pi-hole database + +Role Tags +-------------- + +- **global.update_only**: `pihole -up` +- **pihole.update_gravity**: If present the dns database will be updated (`pihole updateGravity`) Dependencies ------------ -. +- curl +- sqlite3 required by `pihole.install_custom_list` Example Playbook ---------------- -`ansible-playbook -i inventory/example.yml pi-hole.yml --extra-vars="target=example_target"` +`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=example_target" --tags dns_filter` License ------- diff --git a/roles/pi-hole/meta/main.yml b/roles/pi-hole/meta/main.yml index c572acc..67f6665 100644 --- a/roles/pi-hole/meta/main.yml +++ b/roles/pi-hole/meta/main.yml @@ -39,7 +39,8 @@ galaxy_info: # - 7 # - 99.99 - galaxy_tags: [] + galaxy_tags: + - dns_filter # List tags for your role here, one per line. A tag is a keyword that describes # and categorizes the role. Users find roles by searching for tags. Be sure to # remove the '[]' above, if you add tags to this list. diff --git a/roles/pi-hole/tasks/main.yml b/roles/pi-hole/tasks/main.yml index 749b527..58e2a59 100644 
--- a/roles/pi-hole/tasks/main.yml
+++ b/roles/pi-hole/tasks/main.yml
@@ -2,6 +2,7 @@
 # tasks file for pi-hole
 - name: Pi-Hole setup
+ when: "'global.update_only' not in ansible_run_tags"
 block:
 - name: Populate service facts
 ansible.builtin.service_facts:
@@ -17,28 +18,6 @@
 ansible.builtin.debug:
 msg: "curl -sSL https://install.pi-hole.net | bash"
- - name: Check if can install custom list
- when: 'pihole_install_custom_list is true'
- block:
- - name: Check if pi-hole db exists
- stat:
- path: /etc/pihole/gravity.db
- register: pihole_db
-
- - name: Install sqlite3 package
- ansible.builtin.package:
- name: sqlite3
-
- - name: Install more lists than default
- when: pihole_db.stat.exists
- ansible.builtin.shell:
- cmd: sqlite3 /etc/pihole/gravity.db "INSERT INTO adlist (address, enabled, comment) VALUES ('{{ item }}', 1, '');"
- loop: "{{ pihole_custom_list }}"
-
- - name: Update Gravity
- when: 'pihole_update_gravity is true'
- ansible.builtin.shell: pihole updateGravity
-
 - name: iptables-webserver
 ansible.builtin.include_role:
 name: iptables-webserver
@@ -55,3 +34,31 @@
 - name: iptables-persistent
 ansible.builtin.include_role:
 name: iptables-persistent
+
+- name: Update pihole FTL
+ when: "'global.update_only' in ansible_run_tags"
+ ansible.builtin.shell: pihole -up
+
+- block:
+ - name: Check if pi-hole db exists
+ stat:
+ path: /etc/pihole/gravity.db
+ register: pihole_db
+
+ - name: Install sqlite3 package
+ ansible.builtin.package:
+ name: sqlite3
+
+ - name: Install more lists than default
+ when: pihole_db.stat.exists
+ ansible.builtin.shell:
+ cmd: sqlite3 /etc/pihole/gravity.db "INSERT INTO adlist (address, enabled, comment) VALUES ('{{ item }}', 1, '');"
+ loop: "{{ pihole_custom_list }}"
+ when: "pihole_install_custom_list is true"
+
+- name: Update Gravity
+ ansible.builtin.shell: pihole updateGravity
+ when: "
+ (pihole_install_custom_list is true) or
+ ('pihole.update_gravity' in ansible_run_tags)
+ "
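Review bot: `Install more lists than default` interpolates each `pihole_custom_list` entry straight into the SQL string, so an entry containing `'` breaks out of the literal and whatever follows runs against gravity.db as root; `shell:` is also used for a command with no shell features. The insert is not idempotent either — the README already admits it does not clean old lists, and if `adlist.address` carries a UNIQUE constraint (I believe recent gravity.db schemas do) a second run fails the play. Validate entries as URLs, escape the quote for SQLite, use `INSERT OR IGNORE` through `command:` with `argv`, and key `changed_when` on the row count, roughly as below. The `Update pihole FTL` task runs `pihole -up`, which self-updates from the network, on a bare tag; worth stating in the README.
```yaml
    - name: Refuse list entries that are not plain http(s) URLs
      ansible.builtin.assert:
        that: item is match('^https?://\S+$')
        fail_msg: "pihole_custom_list entry is not a usable URL: {{ item }}"
      loop: "{{ pihole_custom_list }}"

    # … unchanged: Check if pi-hole db exists, Install sqlite3 package …

    - name: Install more lists than default
      when: pihole_db.stat.exists
      ansible.builtin.command:
        argv:
          - sqlite3
          - /etc/pihole/gravity.db
          - "INSERT OR IGNORE INTO adlist (address, enabled, comment) VALUES ('{{ item | replace(\"'\", \"''\") }}', 1, ''); SELECT changes();"
      register: pihole_adlist_insert
      changed_when: pihole_adlist_insert.stdout | trim != '0'
      loop: "{{ pihole_custom_list }}"
```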
diff --git a/roles/wakeonlan/README.md b/roles/wakeonlan/README.md index 8505d1e..cf167db 100644 --- a/roles/wakeonlan/README.md +++ b/roles/wakeonlan/README.md @@ -1,7 +1,7 @@ wakeonlan ========= -This role install/ uninstall Wake on LAN support for target +This role install Wake on LAN support for target Requirements ------------ diff --git a/roles/yggdrasil/README.md b/roles/yggdrasil/README.md index 49d5b0e..b79dc26 100644 --- a/roles/yggdrasil/README.md +++ b/roles/yggdrasil/README.md @@ -12,13 +12,16 @@ Role Variables -------------- Respond to: -- **update_only** (boolean) - - **yggdrasil_enabled** (boolean): If true install yggdrasil - **yggdrasil_sshd_enabled** (boolean): If true enable sshd access through Yggdrasil -- **yggdrasil_uninstall** (boolean): if true yggdrasil will be removed from the system (requires *yggdrasil_enabled to false*) - **yggdrasil_peers_list_url** (url): a remote file that contains the `Peers` section of yggdrasil configuration +Role Tags +-------------- + +- **global.update_only**: If present will update only the peers +- **global.uninstall**: If present yggdrasil will be removed from the system (requires *yggdrasil_enabled to false*) + Dependencies ------------ diff --git a/roles/yggdrasil/defaults/main.yml b/roles/yggdrasil/defaults/main.yml index 433c8a8..bdacbcb 100644 --- a/roles/yggdrasil/defaults/main.yml +++ b/roles/yggdrasil/defaults/main.yml @@ -3,5 +3,4 @@ yggdrasil_enabled: false yggdrasil_sshd_enabled: false -yggdrasil_uninstall: false yggdrasil_peers_list_url: https://git.unitoo.it/unitoo/configurations/raw/branch/master/yggdrasil/peers.conf diff --git a/roles/yggdrasil/meta/main.yml b/roles/yggdrasil/meta/main.yml index c572acc..b5bcf01 100644 --- a/roles/yggdrasil/meta/main.yml +++ b/roles/yggdrasil/meta/main.yml 
@@ -39,7 +39,8 @@ galaxy_info: # - 7 # - 99.99 - galaxy_tags: [] + galaxy_tags: + - yggdrasil # List tags for your role here, one per line. A tag is a keyword that describes # and categorizes the role. Users find roles by searching for tags. Be sure to # remove the '[]' above, if you add tags to this list. diff --git a/roles/yggdrasil/tasks/main.yml b/roles/yggdrasil/tasks/main.yml index e7dea70..81e46d7 100644 --- a/roles/yggdrasil/tasks/main.yml +++ b/roles/yggdrasil/tasks/main.yml @@ -1,7 +1,7 @@ - name: Install and configure yggdrasil when: - "yggdrasil_enabled is true" - - "update_only is false" + - "'global.update_only' not in ansible_run_tags" block: - name: Gather package facts package_facts: @@ -64,8 +64,8 @@ - name: Remove yggdrasil if not enabled when: - "yggdrasil_enabled is false" - - "yggdrasil_uninstall is true" - - "update_only is false" + - "'global.uninstall' in ansible_run_tags" + - "'global.update_only' not in ansible_run_tags" block: - name: Gather package facts package_facts: -- 2.45.2 From 4ddb7d334ad9d41007ae75c8b90f00dd36c48504 Mon Sep 17 00:00:00 2001 
From: Claudio Maradonna
Date: Fri, 13 Jan 2023 18:01:41 +0100
Subject: [PATCH 3/3] add some debug messages; cleanup of some blocks; update some README with missing useful informations
---
handbook.yml | 3 +-
roles/auditd/tasks/main.yml | 6 +-
roles/dns-filter/tasks/main.yml | 20 ++++-
roles/fail2ban-basic/tasks/main.yml | 10 ++-
roles/hardening-basic/tasks/main.yml | 82 +++++++++----------
roles/ipfs/tasks/main.yml | 16 ++--
roles/iptables-basic/tasks/main.yml | 8 +-
roles/iptables-ipfs/tasks/main.yml | 9 +-
roles/iptables-kdeconnect/tasks/main.yml | 43 +++++-----
roles/iptables-persistent/tasks/main.yml | 8 +-
.../tasks/save_rules_for_Debian.yml | 2 +
roles/iptables-samba/tasks/main.yml | 47 ++++++-----
roles/iptables-webserver/tasks/main.yml | 8 +-
roles/pi-hole/tasks/main.yml | 11 +--
roles/samba/tasks/main.yml | 2 +-
roles/snort-community/tasks/main.yml | 6 +-
roles/unattended-upgrades/tasks/main.yml | 8 +-
roles/wakeonlan/tasks/main.yml | 6 +-
roles/yggdrasil/tasks/main.yml | 12 ++-
roles/zabov/README.md | 7 +-
roles/zabov/tasks/main.yml | 2 +-
21 files changed, 180 insertions(+), 136 deletions(-)
diff --git a/handbook.yml b/handbook.yml
index 5e2468f..9594505 100644
--- a/handbook.yml
+++ b/handbook.yml
@@ -1,8 +1,9 @@
 ---
-- name: "Setup a GNU/Linux target with standards or defined tags"
+- name: "Unitoo Handbook"
 hosts: "{{ target if target is defined else 'planets' }}"
+ tags: always
 roles:
 # --- Hardening ---
 # Basic rules or good practises to apply
diff --git a/roles/auditd/tasks/main.yml b/roles/auditd/tasks/main.yml
index f018420..1cd2a8a 100644
--- a/roles/auditd/tasks/main.yml
+++ b/roles/auditd/tasks/main.yml
@@ -1,8 +1,10 @@
 ---
 # tasks file for auditd
-- name: Install and setup rules Auditd if enabled
- when:
+- ansible.builtin.debug:
+ msg: "ENABLED = {{ auditd_enabled }}; auditd role"
+
+- when:
+ - 'auditd_enabled is true'
+ - "'global.update_only' not in ansible_run_tags"
 block:
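Review bot: `tags: always` at play level is inherited by every role and task in the play, so — if I read Ansible tag inheritance correctly — `--tags wol` or `--tags dns_filter` as the READMEs instruct will now run every role, and the per-role `tags: [...]` entries in the `roles:` list lose their effect (only `--skip-tags always` can suppress them). If the goal is to let `global.update_only` / `global.uninstall` run on their own, tag the individual roles with those names instead, e.g. `- { role: yggdrasil, tags: [yggdrasil, global.update_only, global.uninstall] }`, and drop the play-level `tags: always`. The play's `roles:` list continues past this hunk.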
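Review bot: The rewritten block drops its `name:`, so `- when:` runs as an anonymous block and the log line that told an operator what was skipped and why is gone; keep `- name: Install and setup rules Auditd if enabled` above `when:`. If the debug task stays, give it a `name:` too so it does not appear as a bare `debug` in play output. The block body continues outside the hunk.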
diff --git a/roles/dns-filter/tasks/main.yml b/roles/dns-filter/tasks/main.yml
index e719188..add6d70 100644
--- a/roles/dns-filter/tasks/main.yml
+++ b/roles/dns-filter/tasks/main.yml
@@ -1,9 +1,25 @@
 ---
 # tasks file for dns-filter
-- name: Install selected DNS filter if enabled
- when:
+- ansible.builtin.debug:
+ msg: "ENABLED = {{ dns_filter_enabled }}; FILTER = {{ dns_filter_selected }}; dns-filter role; setup the target as DNS server"
+
+- when:
 - "dns_filter_enabled is true"
 - "dns_filter_selected in dns_filter_list"
 ansible.builtin.include_role:
 name: "{{ dns_filter_selected }}"
+
+- name: Allow/ disallow port 53 for DNS querying
+ ansible.builtin.iptables:
+ chain: INPUT
+ state: "{{ 'present' if dns_filter_enabled is true else 'absent' }}"
+ protocol: '{{ item }}'
+ destination_port: 53
+ jump: ACCEPT
+ comment: Accept DNS connections
+ loop: [tcp,udp]
+
+- name: iptables-persistent
+ ansible.builtin.include_role:
+ name: iptables-persistent
diff --git a/roles/fail2ban-basic/tasks/main.yml b/roles/fail2ban-basic/tasks/main.yml
index 8a0961a..16c47d9 100644
--- a/roles/fail2ban-basic/tasks/main.yml
+++ b/roles/fail2ban-basic/tasks/main.yml
@@ -1,9 +1,11 @@
 ---
 # tasks file for fail2ban-basic
-#
-- name: Fail2ban Configuration
- when:
- - fail2ban_enabled is true
+
+- ansible.builtin.debug:
+ msg: "ENABLED = {{ fail2ban_enabled }}; fail2ban-basic role"
+
+- when:
+ - 'fail2ban_enabled is true'
 - "'global.update_only' not in ansible_run_tags"
 block:
 - name: Install Fail2ban
diff --git a/roles/hardening-basic/tasks/main.yml b/roles/hardening-basic/tasks/main.yml
index f69a529..f64f958 100644
--- a/roles/hardening-basic/tasks/main.yml
+++ b/roles/hardening-basic/tasks/main.yml
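Review bot: The new `Allow/ disallow port 53` rule accepts TCP and UDP 53 on INPUT from any source — there is no `source:` — so a filter host with a routable address becomes an open resolver and a DNS amplification reflector the moment `dns_filter_enabled` is set. Restrict it to the networks the filter is meant to serve, e.g. `source: "{{ dns_filter_allowed_sources }}"` backed by a documented default (iptables `-s` accepts a comma-separated list). Because `ansible.builtin.iptables` identifies a rule by its full specification, adding `source:` will not remove the broader rule on hosts already configured by this version; a one-off `state: absent` for the old form is needed there.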
@@ -1,61 +1,61 @@ --- # tasks file for hardening-basic -- name: Basic Hardening +- ansible.builtin.debug: + msg: "hardening-basic role" + +- name: Create directory structure + ansible.builtin.file: + path: '/etc/{{ item.path }}' + state: directory + mode: '{{ item.mode }}' + with_community.general.filetree: '../templates/basic/etc/' + when: item.state == 'directory' + +- name: Create and copy hardening files + ansible.builtin.template: + src: '{{ item.src }}' + dest: '/etc/{{ item.path }}' + with_community.general.filetree: '../templates/basic/etc/' + when: item.state == 'file' + +- name: ENABLED = {{ hardening_sshd_enabled }}; Harden SSH Config + when: 'hardening_sshd_enabled is true' block: - name: Create directory structure ansible.builtin.file: path: '/etc/{{ item.path }}' state: directory mode: '{{ item.mode }}' - with_community.general.filetree: '../templates/basic/etc/' + with_community.general.filetree: '../templates/ssh/etc/' when: item.state == 'directory' - name: Create and copy hardening files ansible.builtin.template: src: '{{ item.src }}' dest: '/etc/{{ item.path }}' - with_community.general.filetree: '../templates/basic/etc/' + with_community.general.filetree: '../templates/ssh/etc/' when: item.state == 'file' - - name: Harden SSH Config - when: 'hardening_sshd_enabled is true' - block: - - name: Create directory structure - ansible.builtin.file: - path: '/etc/{{ item.path }}' - state: directory - mode: '{{ item.mode }}' - with_community.general.filetree: '../templates/ssh/etc/' - when: item.state == 'directory' + - name: Give 1700 permissions to .ssh folder + ansible.builtin.file: + path: /root/.ssh + owner: root + group: root + mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}700" - - name: Create and copy hardening files - ansible.builtin.template: - src: '{{ item.src }}' - dest: '/etc/{{ item.path }}' - with_community.general.filetree: '../templates/ssh/etc/' - when: item.state == 'file' + - name: Give 1600 permissions to 
.ssh/authorized_keys file + ansible.builtin.file: + path: /root/.ssh/authorized_keys + owner: root + group: root + mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}600" - - name: Give 1700 permissions to .ssh folder - ansible.builtin.file: - path: /root/.ssh - owner: root - group: root - mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}700" + - name: Restart sshd + when: "is_docker is not true" + ansible.builtin.systemd: + state: restarted + name: sshd - - name: Give 1600 permissions to .ssh/authorized_keys file - ansible.builtin.file: - path: /root/.ssh/authorized_keys - owner: root - group: root - mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}600" - - - name: Restart sshd - when: "is_docker is not true" - ansible.builtin.systemd: - state: restarted - name: sshd - - - name: Harden Service Manager (like Systemd) - block: - - include_tasks: "harden_{{ ansible_service_mgr }}.yml" +- name: Harden Service Manager (like Systemd) + include_tasks: "harden_{{ ansible_service_mgr }}.yml" diff --git a/roles/ipfs/tasks/main.yml b/roles/ipfs/tasks/main.yml index 0ba7ce1..b7de0af 100644 --- a/roles/ipfs/tasks/main.yml +++ b/roles/ipfs/tasks/main.yml @@ -1,12 +1,16 @@ --- # tasks file for ipfs -- name: Install IPFS if enabled - when: +- ansible.builtin.debug: + msg: "ENABLED = {{ ipfs_enabled }}; ipfs role; setup the target as IPFS node" + +- when: - 'ipfs_enabled is true' block: - name: Setup ipfs-update - when: 'ipfs_setup is true' + when: + - 'ipfs_setup is true' + - "'global.update_only' not in ansible_run_tags" block: - name: Create ipfs group group: @@ -72,6 +76,6 @@ - include_tasks: "install_{{ ansible_service_mgr }}_service.yml" - - name: Setup firewall - ansible.builtin.include_role: - name: iptables-ipfs +- name: Setup IPFS firewall + ansible.builtin.include_role: + name: iptables-ipfs diff --git a/roles/iptables-basic/tasks/main.yml b/roles/iptables-basic/tasks/main.yml index e3bf23d..c416bf6 100644 
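Review bot: `Restart sshd` now sits inside the SSH block with `state: restarted`, so it bounces the daemon on every run, and nothing validates the templated config first — a bad file under `../templates/ssh/etc/` makes the restart fail and locks out new logins while existing sessions linger. Add `validate: /usr/sbin/sshd -t -f %s` to the SSH `Create and copy hardening files` task (assuming that tree only holds sshd config files; otherwise a `command: sshd -t` task with `changed_when: false` just before the restart), and turn the restart into a handler notified by the template task so it only runs on change. The `'1' if hardening_sshd_permissions_set_sticky_bit` expressions do produce `700`/`600` when the variable is false, but an explicit `else ''` would make that intent visible.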
--- a/roles/iptables-basic/tasks/main.yml
+++ b/roles/iptables-basic/tasks/main.yml
@@ -1,14 +1,16 @@
 ---
 # tasks file for firewall
-- name: Setup iptables to standard configuration
- when:
+- ansible.builtin.debug:
+ msg: "ENABLED = {{ iptables_basic_enabled }}; iptables-basic role; setup iptables with standard/ good-default configuration"
+
+- when:
 - "is_docker is not true"
 - "iptables_basic_enabled is true"
 block:
 - name: Reset configuration if requested
 when:
- - "iptables_basic_reset_enabled is true"
+ - "'global.uninstall' in ansible_run_tags"
 block:
 - name: Open Firewall just for a moment to flush iptables rules
 ansible.builtin.iptables:
diff --git a/roles/iptables-ipfs/tasks/main.yml b/roles/iptables-ipfs/tasks/main.yml
index ead1d32..1666991 100644
--- a/roles/iptables-ipfs/tasks/main.yml
+++ b/roles/iptables-ipfs/tasks/main.yml
@@ -1,14 +1,17 @@
 ---
 # tasks file for iptables-ipfs
-- name: setup iptables for IPFS
- when:
+- ansible.builtin.debug:
+ msg: "ENABLED = {{ ipfs_enabled }}; iptables-ipfs role"
+
+- when:
 - "is_docker is not true"
 block:
- - name: Allow new, established packets on TCP/UDP port 4001 (IPFS)
+ - name: allow/ disallow established packets on TCP/UDP port 4001 (IPFS)
 ansible.builtin.iptables:
 chain: INPUT
 protocol: tcp
+ state: "{{ 'present' if ipfs_enabled is true else 'absent' }}"
 destination_port: "{{ ipfs_port }}"
 ctstate: NEW,ESTABLISHED
 jump: ACCEPT
diff --git a/roles/iptables-kdeconnect/tasks/main.yml b/roles/iptables-kdeconnect/tasks/main.yml
index cb14eb1..d5b7429 100644
--- a/roles/iptables-kdeconnect/tasks/main.yml
+++ b/roles/iptables-kdeconnect/tasks/main.yml
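Review bot: The firewall reset (`Open Firewall just for a moment to flush iptables rules`) is now triggered by the global `global.uninstall` tag instead of the per-role `iptables_basic_reset_enabled`, and the same tag drives yggdrasil removal elsewhere in this series, so an operator running `--tags global.uninstall` to remove yggdrasil will also flush the ruleset on every targeted host where `iptables_basic_enabled` is true. Keep a role-specific opt-in alongside the tag — `- "'global.uninstall' in ansible_run_tags"` plus `- "iptables_basic_reset_enabled is true"` — or introduce a scoped `iptables.reset` tag in the style of `pihole.update_gravity`. The reset block continues outside the hunk.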
@@ -1,24 +1,27 @@ --- # tasks file for iptables-kdeconnect -- name: Setup iptables for kdeconnect - when: 'kdeconnect_enabled is true' - block: - - name: Allow new, established packets on TCP Kdeconnect ports - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - destination_port: "{{ kdeconnect_ports }}" - ctstate: NEW,ESTABLISHED - jump: ACCEPT - - name: Allow new, established packets on UDP Kdeconnect ports - ansible.builtin.iptables: - chain: INPUT - protocol: udp - destination_port: "{{ kdeconnect_ports }}" - ctstate: NEW,ESTABLISHED - jump: ACCEPT +- ansible.builtin.debug: + msg: "ENABLED = {{ kdeconnect_enabled }}; iptables-kdeconnect role" - - name: iptables-persistent - ansible.builtin.include_role: - name: iptables-persistent +- name: Allow/ disallow new, established packets on TCP Kdeconnect ports + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + state: "{{ 'present' if kdeconnect_enabled is true else 'absent' }}" + destination_port: "{{ kdeconnect_ports }}" + ctstate: NEW,ESTABLISHED + jump: ACCEPT + +- name: Allow/ disallow new, established packets on UDP Kdeconnect ports + ansible.builtin.iptables: + chain: INPUT + protocol: udp + state: "{{ 'present' if kdeconnect_enabled is true else 'absent' }}" + destination_port: "{{ kdeconnect_ports }}" + ctstate: NEW,ESTABLISHED + jump: ACCEPT + +- name: iptables-persistent + ansible.builtin.include_role: + name: iptables-persistent diff --git a/roles/iptables-persistent/tasks/main.yml b/roles/iptables-persistent/tasks/main.yml index 486db9c..be52ecf 100644 --- a/roles/iptables-persistent/tasks/main.yml +++ b/roles/iptables-persistent/tasks/main.yml @@ -1,5 +1,9 @@ -- name: Handle iptables-persistent - when: +--- + +- ansible.builtin.debug: + msg: "ENABLED = {{ iptables_persistent_save_to_file }}; iptables-persistent role" + +- when: - "is_docker is not true" - "iptables_persistent_save_to_file is true" block: 
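Review bot: Both KDE Connect ACCEPT rules open `kdeconnect_ports` on INPUT to any source, and with this hunk they are evaluated on every run (toggled through `state:` rather than skipped). KDE Connect is a LAN pairing protocol; add `source: "{{ kdeconnect_allowed_sources }}"` with a LAN CIDR documented in the role README so the discovery and transfer ports are not reachable from a routable interface. Since `ansible.builtin.iptables` matches a rule by its full specification, adding `source:` leaves the old source-less rule in place on already-configured hosts, so it needs an explicit `state: absent` once.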
diff --git a/roles/iptables-persistent/tasks/save_rules_for_Debian.yml b/roles/iptables-persistent/tasks/save_rules_for_Debian.yml index cc24cc7..e830847 100644 --- a/roles/iptables-persistent/tasks/save_rules_for_Debian.yml +++ b/roles/iptables-persistent/tasks/save_rules_for_Debian.yml @@ -1,3 +1,5 @@ +--- + - name: Save iptables rules block: - name: Save rules with iptables-persistent v4 diff --git a/roles/iptables-samba/tasks/main.yml b/roles/iptables-samba/tasks/main.yml index a7274cc..2de5c1f 100644 --- a/roles/iptables-samba/tasks/main.yml +++ b/roles/iptables-samba/tasks/main.yml 
@@ -1,26 +1,29 @@ --- # tasks file for iptables-samba -- name: Setup iptables for Samba - when: 'samba_enabled is true' - block: - - name: Allow new, established packets on TCP Samba ports - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - destination_port: "{{ item }}" - ctstate: NEW,ESTABLISHED - jump: ACCEPT - with_items: '{{ samba_ports }}' - - name: Allow new, established packets on UDP Samba ports - ansible.builtin.iptables: - chain: INPUT - protocol: udp - destination_port: "{{ item }}" - ctstate: NEW,ESTABLISHED - jump: ACCEPT - with_items: '{{ samba_ports }}' +- ansible.builtin.debug: + msg: "ENABLED = {{ samba_enabled }}; iptables-samba role" - - name: iptables-persistent - ansible.builtin.include_role: - name: iptables-persistent +- name: Allow/ disallow new, established packets on TCP Samba ports + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + state: "{{ 'present' if samba_enabled is true else 'absent' }}" + destination_port: "{{ item }}" + ctstate: NEW,ESTABLISHED + jump: ACCEPT + with_items: '{{ samba_ports }}' + +- name: Allow/ disallow new, established packets on UDP Samba ports + ansible.builtin.iptables: + chain: INPUT + protocol: udp + state: "{{ 'present' if samba_enabled is true else 'absent' }}" + destination_port: "{{ item }}" + ctstate: NEW,ESTABLISHED + jump: ACCEPT + with_items: '{{ samba_ports }}' + +- name: iptables-persistent + ansible.builtin.include_role: + name: iptables-persistent diff --git a/roles/iptables-webserver/tasks/main.yml b/roles/iptables-webserver/tasks/main.yml index 58e18ab..fb8d1ac 100644 --- a/roles/iptables-webserver/tasks/main.yml +++ b/roles/iptables-webserver/tasks/main.yml 
@@ -1,15 +1,17 @@ --- # tasks file for iptables-webserver -- name: Setup iptables for webserver 80 and 443 - when: +- ansible.builtin.debug: + msg: "ENABLED = {{ iptables_webserver_enabled }}; PORTS = {{ iptables_webserver_ports }}; iptables-webserver role" + +- when: - "is_docker is not true" - - "iptables_webserver_enabled is true" block: - name: Allow new, established packets on TCP ports 80/443 (Webserver) ansible.builtin.iptables: chain: INPUT protocol: tcp + state: "{{ 'present' if iptables_webserver_enabled is true else 'absent' }}" destination_port: "{{ item }}" ctstate: NEW,ESTABLISHED jump: ACCEPT diff --git a/roles/pi-hole/tasks/main.yml b/roles/pi-hole/tasks/main.yml index 58e2a59..19612ce 100644 --- a/roles/pi-hole/tasks/main.yml +++ b/roles/pi-hole/tasks/main.yml @@ -1,7 +1,7 @@ --- # tasks file for pi-hole -- name: Pi-Hole setup +- name: pi-hole role; setup the target as DNS server with Pi-Hole when: "'global.update_only' not in ansible_run_tags" block: - name: Populate service facts @@ -22,15 +22,6 @@ ansible.builtin.include_role: name: iptables-webserver - - name: Setup iptables rules - ansible.builtin.iptables: - chain: INPUT - protocol: '{{ item }}' - destination_port: 53 - jump: ACCEPT - comment: Accept DNS connections - loop: [tcp,udp] - - name: iptables-persistent ansible.builtin.include_role: name: iptables-persistent diff --git a/roles/samba/tasks/main.yml b/roles/samba/tasks/main.yml index 05419ac..039afa3 100644 --- a/roles/samba/tasks/main.yml +++ b/roles/samba/tasks/main.yml @@ -1,6 +1,6 @@ --- -- name: Setup target as a Samba server +- name: samba role; setup the target as SMB server using an external role when: 'samba_enabled is true' include_role: name: vladgh.samba.server diff --git a/roles/snort-community/tasks/main.yml b/roles/snort-community/tasks/main.yml index 824b04b..28cf950 100644 --- a/roles/snort-community/tasks/main.yml +++ b/roles/snort-community/tasks/main.yml 
@@ -1,8 +1,10 @@ --- # tasks file for snort-community -- name: Snort Community Edition setup - when: +- ansible.builtin.debug: + msg: "ENABLED = {{ snort_community_enabled }}; Snort Community Edition setup" + +- when: - "snort_community_enabled is true" block: - name: Gather package facts diff --git a/roles/unattended-upgrades/tasks/main.yml b/roles/unattended-upgrades/tasks/main.yml index d888c46..b1141d8 100644 --- a/roles/unattended-upgrades/tasks/main.yml +++ b/roles/unattended-upgrades/tasks/main.yml @@ -1,9 +1,7 @@ --- # tasks file for unattended-upgrades -- name: Check if host need unattended-upgrades +- name: Check if host need unattended-upgrades and install package when: "unattended_upgrades_enabled is true" - block: - - name: Install unattended-upgrades - ansible.builtin.package: - name: unattended-upgrades + ansible.builtin.package: + name: unattended-upgrades diff --git a/roles/wakeonlan/tasks/main.yml b/roles/wakeonlan/tasks/main.yml index 205b3a6..67c9413 100644 --- a/roles/wakeonlan/tasks/main.yml +++ b/roles/wakeonlan/tasks/main.yml @@ -1,8 +1,10 @@ --- # tasks file for wakeonlan -- name: Install and configure wakeonlan - when: +- ansible.builtin.debug: + msg: "ENABLED = {{ wakeonlan_enabled }}; wakeonlan role; install and configure wakeonlan on target; REQUIRES BIOS CONFIGURATION ON TARGET itself" + +- when: - "wakeonlan_enabled is true" block: - name: Gather package facts diff --git a/roles/yggdrasil/tasks/main.yml b/roles/yggdrasil/tasks/main.yml index 81e46d7..de5fee4 100644 --- a/roles/yggdrasil/tasks/main.yml +++ b/roles/yggdrasil/tasks/main.yml @@ -1,5 +1,9 @@ -- name: Install and configure yggdrasil - when: +--- + +- ansible.builtin.debug: + msg: "ENABLED = {{ yggdrasil_enabled }}; yggdrasil-role; install and configure yggdrasil overlay network" + +- when: - "yggdrasil_enabled is true" - "'global.update_only' not in ansible_run_tags" block: 
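Review bot: When `unattended_upgrades_enabled` is false the collapsed package task is simply skipped, so a host that already has unattended-upgrades installed keeps it, whereas the iptables roles in this commit were changed to converge to `absent` when disabled. Leaving the automatic security-update agent in place is likely the safer behaviour, but the hunk does not say that it is deliberate; a comment above the task such as `# Disabling only stops managing the package; it is never removed on purpose` would settle it. Two smaller points: the task name reads better as `Check if host needs unattended-upgrades and install package`, and `state: present` could be written out on the package task since the rest of the commit spells the state out explicitly.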
@@ -64,6 +68,7 @@ - name: Remove yggdrasil if not enabled when: - "yggdrasil_enabled is false" + - "'yggdrasil' in ansible_run_tags" - "'global.uninstall' in ansible_run_tags" - "'global.update_only' not in ansible_run_tags" block: @@ -79,5 +84,4 @@ - when: - "yggdrasil_enabled is true" - block: - - include_tasks: "update_peers.yml" + include_tasks: "update_peers.yml" diff --git a/roles/zabov/README.md b/roles/zabov/README.md index 7724743..06f699e 100644 --- a/roles/zabov/README.md +++ b/roles/zabov/README.md @@ -1,16 +1,19 @@ zabov ========= -This role setup Zabov DNS filter +This role setup Zabov DNS filter. More information here: https://git.keinpfusch.net/loweel/zabov + Requirements ------------ -. +- golang >= 1.13 Role Variables -------------- +- **go_path** (string) + - **zabov_git_url** (string): Git valid url of Zabov - **zabov_git_branch** (string): Zabov Git branch - **zabov_installation_path** (string): Zabov installation path diff --git a/roles/zabov/tasks/main.yml b/roles/zabov/tasks/main.yml index 0ec0024..e0c4605 100644 --- a/roles/zabov/tasks/main.yml +++ b/roles/zabov/tasks/main.yml @@ -1,7 +1,7 @@ --- # tasks file for zabov -- name: Install zabov from sources +- name: zabov role; install zabov from sources when: 'go_path is defined' block: - name: Install git if needed -- 2.45.2
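Review bot: The added `'yggdrasil' in ansible_run_tags` condition means `--tags global.uninstall` alone no longer removes yggdrasil; the removal now needs both tags on the command line (with no `--tags` at all `ansible_run_tags` is `['all']`, so it is not satisfied either). That is a reasonable opt-in for a destructive step, but nothing in the hunk records it; a comment above the `when:` such as `# Opt-in removal: run with --tags yggdrasil,global.uninstall and yggdrasil_enabled=false` plus a line in the role README would keep callers from assuming the global uninstall tag is enough. The guarded block starts at `Remove yggdrasil if not enabled` and its body continues outside the hunk.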