update! #7

Merged
claudiomaradonna merged 3 commits from :master into master 2023-01-13 18:06:04 +01:00
41 changed files with 435 additions and 179 deletions


@ -15,9 +15,10 @@ This repository aims to handle most of the Unitoo basic/ standard configuration
The examples for `Dockerfile.example` and `docker-compose.yml.example` are useful if you need a basic container to test your playbook with different systems (like Centos/ Ubuntu). Copy them and modify as needed :) The examples for `Dockerfile.example` and `docker-compose.yml.example` are useful if you need a basic container to test your playbook with different systems (like Centos/ Ubuntu). Copy them and modify as needed :)
## Global variables ## Global tags
- **update_only**: used in combination with some tags to skip installation phase o not needed and trigger the update phase only (for configurations as example) - **global.update_only**: skip installation/ first setup phase and trigger the update phase only (for configurations as example); each role needs to implement this.
- **global.uninstall**: activate the uninstall phase for specified tags and targets
## Authors & contributors ## Authors & contributors


@ -1,21 +1,23 @@
--- ---
- name: "Setup a GNU/Linux target with standards or defined tags" - name: "Unitoo Handbook"
hosts: "{{ target if target is defined else 'planets' }}" hosts: "{{ target if target is defined else 'planets' }}"
tags: always
roles: roles:
# --- Hardening --- # --- Hardening ---
# Basic rules or good practises to apply # Basic rules or good practises to apply
- { role: hardening-basic, tags: [hardening, ips, ids] } - { role: hardening-basic, tags: [hardening, ips, ids] }
- { role: iptables-basic, tags: [firewall, ips, ids] } - { role: iptables-basic, tags: [firewall, ips, ids] }
- { role: fail2ban-basic, tags: [fail2ban, ips, ids] } - { role: fail2ban-basic, tags: [hardening, fail2ban, ips, ids] }
- { role: auditd, tags: [auditd] } - { role: auditd, tags: [hardening, auditd] }
- { role: iptables-webserver, tags: [firewall, webserver] } - { role: iptables-webserver, tags: [firewall, webserver] }
- { role: iptables-kdeconnect, tags: [firewall] } - { role: iptables-kdeconnect, tags: [firewall] }
# --- Sysadmin --- # --- Sysadmin ---
- { role: sysadmin-tools, tags: [sysadmin] } - { role: sysadmin-tools, tags: [sysadmin] }
- { role: wakeonlan, tags: [wol] }
# --- Services --- # --- Services ---
# Role relative to services, applications and so on # Role relative to services, applications and so on
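Review bot: The play-level `tags: always` added under `hosts:` is, by Ansible's tag-inheritance rules, applied to every task in the play including the role tasks, so if that inheritance holds here `--tags wol` or `--tags dns_filter` (the invocations the READMEs in this PR recommend) would run every role rather than the selected one, and the per-role tag lists would stop restricting what executes. The hardening, firewall-reset and uninstall blocks would then run on hosts the operator only meant to touch for one role. I'd confirm with `ansible-playbook handbook.yml --list-tasks --tags wol` before merging; if the goal was only to let `global.update_only` / `global.uninstall` act as flags read from `ansible_run_tags`, documenting that those flags must be combined with a role tag avoids tagging the whole play `always`.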


@ -39,7 +39,9 @@ galaxy_info:
# - 7 # - 7
# - 99.99 # - 99.99
galaxy_tags: [] galaxy_tags:
- hardening
- auditd
# List tags for your role here, one per line. A tag is a keyword that describes # List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to # and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list. # remove the '[]' above, if you add tags to this list.


@ -1,8 +1,12 @@
--- ---
# tasks file for auditd # tasks file for auditd
- name: Install and setup rules Auditd if enabled - ansible.builtin.debug:
when: 'auditd_enabled is true' msg: "ENABLED = {{ auditd_enabled }}; auditd role"
- when:
- 'auditd_enabled is true'
- "'global.update_only' not in ansible_run_tags"
block: block:
- name: Install auditd - name: Install auditd
ansible.builtin.package: ansible.builtin.package:
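Review bot: The rewritten block starting at `- when:` no longer carries a `name:` (the old `Install and setup rules Auditd if enabled` header was dropped), so it appears unlabeled in play output and `--list-tasks`; I'd keep `- name: Install and configure auditd` above the `when:`. The same unnamed `- when:` block pattern is introduced in this PR in fail2ban-basic, dns-filter, ipfs, iptables-basic, iptables-ipfs, iptables-persistent, snort-community, wakeonlan and yggdrasil tasks. Separately, the new `'global.update_only' not in ansible_run_tags` condition skips the whole block, which per the old task name covers both package installation and rule setup, while the README in this PR says `global.update_only` should still run the update phase for configurations; the audit rules would need to sit outside this guard to be refreshed in that mode. The block continues past the end of the hunk.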


@ -39,7 +39,8 @@ galaxy_info:
# - 7 # - 7
# - 99.99 # - 99.99
galaxy_tags: [] galaxy_tags:
- dns_filter
# List tags for your role here, one per line. A tag is a keyword that describes # List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to # and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list. # remove the '[]' above, if you add tags to this list.


@ -1,11 +1,25 @@
--- ---
# tasks file for dns-filter # tasks file for dns-filter
- name: Install selected DNS filter if enabled - ansible.builtin.debug:
when: msg: "ENABLED = {{ dns_filter_enabled }}; FILTER = {{ dns_filter_selected }}; dns-filter role; setup the target as DNS server"
- when:
- "dns_filter_enabled is true" - "dns_filter_enabled is true"
- "dns_filter_selected in dns_filter_list" - "dns_filter_selected in dns_filter_list"
block: ansible.builtin.include_role:
- name: Call DNS filter role name: "{{ dns_filter_selected }}"
ansible.builtin.include_role:
name: "{{ dns_filter_selected }}" - name: Allow/ disallow port 53 for DNS querying
ansible.builtin.iptables:
chain: INPUT
state: "{{ 'present' if dns_filter_enabled is true else 'absent' }}"
protocol: '{{ item }}'
destination_port: 53
jump: ACCEPT
comment: Accept DNS connections
loop: [tcp,udp]
- name: iptables-persistent
ansible.builtin.include_role:
name: iptables-persistent
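Review bot: The new `Allow/ disallow port 53 for DNS querying` rule accepts TCP and UDP 53 on INPUT from any source, with no `source:` restriction and, unlike the other firewall roles in this PR, no `ctstate:`, so whichever resolver `dns_filter_selected` installs is reachable from every network the host sits on; on an internet-facing target that is an open resolver usable for amplification. I'd restrict the rule with `source:` over a configurable allowed-network list (a new role variable, name to be chosen, e.g. looped together with the protocol via the `product` filter) and add `ctstate: NEW,ESTABLISHED`, or at minimum document that the role expects a perimeter filter in front of it. Note also that the rule and the `iptables-persistent` include now run even when `dns_filter_enabled` is false, which is correct for removal but means every run of the role triggers a rules save.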


@ -39,7 +39,11 @@ galaxy_info:
# - 7 # - 7
# - 99.99 # - 99.99
galaxy_tags: [] galaxy_tags:
- hardening
- fail2ban
- ips
- ids
# List tags for your role here, one per line. A tag is a keyword that describes # List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to # and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list. # remove the '[]' above, if you add tags to this list.


@ -1,8 +1,12 @@
--- ---
# tasks file for fail2ban-basic # tasks file for fail2ban-basic
#
- name: Fail2ban Configuration - ansible.builtin.debug:
when: fail2ban_enabled is true msg: "ENABLED = {{ fail2ban_enabled }}; fail2ban-basic role"
- when:
- 'fail2ban_enabled is true'
- "'global.update_only' not in ansible_run_tags"
block: block:
- name: Install Fail2ban - name: Install Fail2ban
ansible.builtin.package: ansible.builtin.package:


@ -1,61 +1,61 @@
--- ---
# tasks file for hardening-basic # tasks file for hardening-basic
- name: Basic Hardening - ansible.builtin.debug:
msg: "hardening-basic role"
- name: Create directory structure
ansible.builtin.file:
path: '/etc/{{ item.path }}'
state: directory
mode: '{{ item.mode }}'
with_community.general.filetree: '../templates/basic/etc/'
when: item.state == 'directory'
- name: Create and copy hardening files
ansible.builtin.template:
src: '{{ item.src }}'
dest: '/etc/{{ item.path }}'
with_community.general.filetree: '../templates/basic/etc/'
when: item.state == 'file'
- name: ENABLED = {{ hardening_sshd_enabled }}; Harden SSH Config
when: 'hardening_sshd_enabled is true'
block: block:
- name: Create directory structure - name: Create directory structure
ansible.builtin.file: ansible.builtin.file:
path: '/etc/{{ item.path }}' path: '/etc/{{ item.path }}'
state: directory state: directory
mode: '{{ item.mode }}' mode: '{{ item.mode }}'
with_community.general.filetree: '../templates/basic/etc/' with_community.general.filetree: '../templates/ssh/etc/'
when: item.state == 'directory' when: item.state == 'directory'
- name: Create and copy hardening files - name: Create and copy hardening files
ansible.builtin.template: ansible.builtin.template:
src: '{{ item.src }}' src: '{{ item.src }}'
dest: '/etc/{{ item.path }}' dest: '/etc/{{ item.path }}'
with_community.general.filetree: '../templates/basic/etc/' with_community.general.filetree: '../templates/ssh/etc/'
when: item.state == 'file' when: item.state == 'file'
- name: Harden SSH Config - name: Give 1700 permissions to .ssh folder
when: 'hardening_sshd_enabled is true' ansible.builtin.file:
block: path: /root/.ssh
- name: Create directory structure owner: root
ansible.builtin.file: group: root
path: '/etc/{{ item.path }}' mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}700"
state: directory
mode: '{{ item.mode }}'
with_community.general.filetree: '../templates/ssh/etc/'
when: item.state == 'directory'
- name: Create and copy hardening files - name: Give 1600 permissions to .ssh/authorized_keys file
ansible.builtin.template: ansible.builtin.file:
src: '{{ item.src }}' path: /root/.ssh/authorized_keys
dest: '/etc/{{ item.path }}' owner: root
with_community.general.filetree: '../templates/ssh/etc/' group: root
when: item.state == 'file' mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}600"
- name: Give 1700 permissions to .ssh folder - name: Restart sshd
ansible.builtin.file: when: "is_docker is not true"
path: /root/.ssh ansible.builtin.systemd:
owner: root state: restarted
group: root name: sshd
mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}700"
- name: Give 1600 permissions to .ssh/authorized_keys file - name: Harden Service Manager (like Systemd)
ansible.builtin.file: include_tasks: "harden_{{ ansible_service_mgr }}.yml"
path: /root/.ssh/authorized_keys
owner: root
group: root
mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}600"
- name: Restart sshd
when: "is_docker is not true"
ansible.builtin.systemd:
state: restarted
name: sshd
- name: Harden Service Manager (like Systemd)
block:
- include_tasks: "harden_{{ ansible_service_mgr }}.yml"
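Review bot: `Create and copy hardening files` inside the SSH block writes the templates from `../templates/ssh/etc/` into `/etc` without a `validate:` check, and the `Restart sshd` task below it restarts the daemon unconditionally on every run, so a template error on a remote host takes sshd down with no working configuration to fall back to, and even a no-change run restarts sshd. I'd add `validate: '/usr/sbin/sshd -t -f %s'` to the template task if the tree only holds sshd configuration (fragments under `sshd_config.d` may need a different check), and turn `Restart sshd` into a handler triggered via `notify:` from the template task so the restart happens only when a file actually changed. The `when: "is_docker is not true"` guard belongs on that handler as well.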


@ -1,12 +1,16 @@
--- ---
# tasks file for ipfs # tasks file for ipfs
- name: Install IPFS if enabled - ansible.builtin.debug:
when: msg: "ENABLED = {{ ipfs_enabled }}; ipfs role; setup the target as IPFS node"
- when:
- 'ipfs_enabled is true' - 'ipfs_enabled is true'
block: block:
- name: Setup ipfs-update - name: Setup ipfs-update
when: 'ipfs_setup is true' when:
- 'ipfs_setup is true'
- "'global.update_only' not in ansible_run_tags"
block: block:
- name: Create ipfs group - name: Create ipfs group
group: group:
@ -72,6 +76,6 @@
- include_tasks: "install_{{ ansible_service_mgr }}_service.yml" - include_tasks: "install_{{ ansible_service_mgr }}_service.yml"
- name: Setup firewall - name: Setup IPFS firewall
ansible.builtin.include_role: ansible.builtin.include_role:
name: iptables-ipfs name: iptables-ipfs


@ -1,14 +1,16 @@
--- ---
# tasks file for firewall # tasks file for firewall
- name: Setup iptables to standard configuration - ansible.builtin.debug:
when: msg: "ENABLED = {{ iptables_basic_enabled }}; iptables-basic role; setup iptables with standard/ good-default configuration"
- when:
- "is_docker is not true" - "is_docker is not true"
- "iptables_basic_enabled is true" - "iptables_basic_enabled is true"
block: block:
- name: Reset configuration if requested - name: Reset configuration if requested
when: when:
- "iptables_basic_reset_enabled is true" - "'global.uninstall' in ansible_run_tags"
block: block:
- name: Open Firewall just for a moment to flush iptables rules - name: Open Firewall just for a moment to flush iptables rules
ansible.builtin.iptables: ansible.builtin.iptables:
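Review bot: `Reset configuration if requested` is now triggered by `'global.uninstall' in ansible_run_tags` alone, so a run that carries the uninstall flag for an unrelated role (the yggdrasil tasks in this PR expect `--tags yggdrasil,global.uninstall`) also flushes and temporarily opens the firewall on this host, since nothing in the condition ties the reset to the firewall role. The yggdrasil uninstall block guards itself with `'yggdrasil' in ansible_run_tags`; the equivalent here is `- "'firewall' in ansible_run_tags"` added to the `when:` list, matching the `firewall` tag the handbook assigns to this role. The reset block continues past the end of the hunk.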


@ -1,14 +1,17 @@
--- ---
# tasks file for iptables-ipfs # tasks file for iptables-ipfs
- name: setup iptables for IPFS - ansible.builtin.debug:
when: msg: "ENABLED = {{ ipfs_enabled }}; iptables-ipfs role"
- when:
- "is_docker is not true" - "is_docker is not true"
block: block:
- name: Allow new, established packets on TCP/UDP port 4001 (IPFS) - name: allow/ disallow established packets on TCP/UDP port 4001 (IPFS)
ansible.builtin.iptables: ansible.builtin.iptables:
chain: INPUT chain: INPUT
protocol: tcp protocol: tcp
state: "{{ 'present' if ipfs_enabled is true else 'absent' }}"
destination_port: "{{ ipfs_port }}" destination_port: "{{ ipfs_port }}"
ctstate: NEW,ESTABLISHED ctstate: NEW,ESTABLISHED
jump: ACCEPT jump: ACCEPT
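Review bot: `state: "{{ 'present' if ipfs_enabled is true else 'absent' }}"` is added to the TCP rule only; the task name still says TCP/UDP and the rest of the file is outside the hunk, so if the UDP 4001 rule did not receive the same `state:` line, disabling IPFS removes the TCP rule but leaves UDP 4001 accepting new connections. Worth confirming that the UDP rule, and the iptables-persistent save that presumably follows, carry the same toggle. The block starts in the hunk and ends outside it.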


@ -1,24 +1,27 @@
--- ---
# tasks file for iptables-kdeconnect # tasks file for iptables-kdeconnect
- name: Setup iptables for kdeconnect
when: 'kdeconnect_enabled is true'
block:
- name: Allow new, established packets on TCP Kdeconnect ports
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: "{{ kdeconnect_ports }}"
ctstate: NEW,ESTABLISHED
jump: ACCEPT
- name: Allow new, established packets on UDP Kdeconnect ports - ansible.builtin.debug:
ansible.builtin.iptables: msg: "ENABLED = {{ kdeconnect_enabled }}; iptables-kdeconnect role"
chain: INPUT
protocol: udp
destination_port: "{{ kdeconnect_ports }}"
ctstate: NEW,ESTABLISHED
jump: ACCEPT
- name: iptables-persistent - name: Allow/ disallow new, established packets on TCP Kdeconnect ports
ansible.builtin.include_role: ansible.builtin.iptables:
name: iptables-persistent chain: INPUT
protocol: tcp
state: "{{ 'present' if kdeconnect_enabled is true else 'absent' }}"
destination_port: "{{ kdeconnect_ports }}"
ctstate: NEW,ESTABLISHED
jump: ACCEPT
- name: Allow/ disallow new, established packets on UDP Kdeconnect ports
ansible.builtin.iptables:
chain: INPUT
protocol: udp
state: "{{ 'present' if kdeconnect_enabled is true else 'absent' }}"
destination_port: "{{ kdeconnect_ports }}"
ctstate: NEW,ESTABLISHED
jump: ACCEPT
- name: iptables-persistent
ansible.builtin.include_role:
name: iptables-persistent


@ -1,5 +1,9 @@
- name: Handle iptables-persistent ---
when:
- ansible.builtin.debug:
msg: "ENABLED = {{ iptables_persistent_save_to_file }}; iptables-persistent role"
- when:
- "is_docker is not true" - "is_docker is not true"
- "iptables_persistent_save_to_file is true" - "iptables_persistent_save_to_file is true"
block: block:


@ -1,3 +1,5 @@
---
- name: Save iptables rules - name: Save iptables rules
block: block:
- name: Save rules with iptables-persistent v4 - name: Save rules with iptables-persistent v4


@ -1,26 +1,29 @@
--- ---
# tasks file for iptables-samba # tasks file for iptables-samba
- name: Setup iptables for Samba
when: 'samba_enabled is true'
block:
- name: Allow new, established packets on TCP Samba ports
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: "{{ item }}"
ctstate: NEW,ESTABLISHED
jump: ACCEPT
with_items: '{{ samba_ports }}'
- name: Allow new, established packets on UDP Samba ports - ansible.builtin.debug:
ansible.builtin.iptables: msg: "ENABLED = {{ samba_enabled }}; iptables-samba role"
chain: INPUT
protocol: udp
destination_port: "{{ item }}"
ctstate: NEW,ESTABLISHED
jump: ACCEPT
with_items: '{{ samba_ports }}'
- name: iptables-persistent - name: Allow/ disallow new, established packets on TCP Samba ports
ansible.builtin.include_role: ansible.builtin.iptables:
name: iptables-persistent chain: INPUT
protocol: tcp
state: "{{ 'present' if samba_enabled is true else 'absent' }}"
destination_port: "{{ item }}"
ctstate: NEW,ESTABLISHED
jump: ACCEPT
with_items: '{{ samba_ports }}'
- name: Allow/ disallow new, established packets on UDP Samba ports
ansible.builtin.iptables:
chain: INPUT
protocol: udp
state: "{{ 'present' if samba_enabled is true else 'absent' }}"
destination_port: "{{ item }}"
ctstate: NEW,ESTABLISHED
jump: ACCEPT
with_items: '{{ samba_ports }}'
- name: iptables-persistent
ansible.builtin.include_role:
name: iptables-persistent


@ -1,15 +1,17 @@
--- ---
# tasks file for iptables-webserver # tasks file for iptables-webserver
- name: Setup iptables for webserver 80 and 443 - ansible.builtin.debug:
when: msg: "ENABLED = {{ iptables_webserver_enabled }}; PORTS = {{ iptables_webserver_ports }}; iptables-webserver role"
- when:
- "is_docker is not true" - "is_docker is not true"
- "iptables_webserver_enabled is true"
block: block:
- name: Allow new, established packets on TCP ports 80/443 (Webserver) - name: Allow new, established packets on TCP ports 80/443 (Webserver)
ansible.builtin.iptables: ansible.builtin.iptables:
chain: INPUT chain: INPUT
protocol: tcp protocol: tcp
state: "{{ 'present' if iptables_webserver_enabled is true else 'absent' }}"
destination_port: "{{ item }}" destination_port: "{{ item }}"
ctstate: NEW,ESTABLISHED ctstate: NEW,ESTABLISHED
jump: ACCEPT jump: ACCEPT


@ -11,19 +11,25 @@ Requirements
Role Variables Role Variables
-------------- --------------
- **pihole_install_custom_list** (boolean): If true will install custom list into the pi-hole database
- **pihole_update_gravity** (boolean): If true the dns database will be updated
- **pihole_custom_list** (array): Array of URLs that can be installed as DNS lists. **Actually doesn't clean old lists before install!** - **pihole_custom_list** (array): Array of URLs that can be installed as DNS lists. **Actually doesn't clean old lists before install!**
- **pihole_install_custom_list**: If present will install custom list into the pi-hole database
Role Tags
--------------
- **global.update_only**: `pihole -up`
- **pihole.update_gravity**: If present the dns database will be updated (`pihole updateGravity`)
Dependencies Dependencies
------------ ------------
. - curl
- sqlite3 required by `pihole.install_custom_list`
Example Playbook Example Playbook
---------------- ----------------
`ansible-playbook -i inventory/example.yml pi-hole.yml --extra-vars="target=example_target"` `ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=example_target" --tags dns_filter`
License License
------- -------


@ -39,7 +39,8 @@ galaxy_info:
# - 7 # - 7
# - 99.99 # - 99.99
galaxy_tags: [] galaxy_tags:
- dns_filter
# List tags for your role here, one per line. A tag is a keyword that describes # List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to # and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list. # remove the '[]' above, if you add tags to this list.


@ -1,7 +1,8 @@
--- ---
# tasks file for pi-hole # tasks file for pi-hole
- name: Pi-Hole setup - name: pi-hole role; setup the target as DNS server with Pi-Hole
when: "'global.update_only' not in ansible_run_tags"
block: block:
- name: Populate service facts - name: Populate service facts
ansible.builtin.service_facts: ansible.builtin.service_facts:
@ -17,41 +18,38 @@
ansible.builtin.debug: ansible.builtin.debug:
msg: "curl -sSL https://install.pi-hole.net | bash" msg: "curl -sSL https://install.pi-hole.net | bash"
- name: Check if can install custom list
when: 'pihole_install_custom_list is true'
block:
- name: Check if pi-hole db exists
stat:
path: /etc/pihole/gravity.db
register: pihole_db
- name: Install sqlite3 package
ansible.builtin.package:
name: sqlite3
- name: Install more lists than default
when: pihole_db.stat.exists
ansible.builtin.shell:
cmd: sqlite3 /etc/pihole/gravity.db "INSERT INTO adlist (address, enabled, comment) VALUES ('{{ item }}', 1, '');"
loop: "{{ pihole_custom_list }}"
- name: Update Gravity
when: 'pihole_update_gravity is true'
ansible.builtin.shell: pihole updateGravity
- name: iptables-webserver - name: iptables-webserver
ansible.builtin.include_role: ansible.builtin.include_role:
name: iptables-webserver name: iptables-webserver
- name: Setup iptables rules
ansible.builtin.iptables:
chain: INPUT
protocol: '{{ item }}'
destination_port: 53
jump: ACCEPT
comment: Accept DNS connections
loop: [tcp,udp]
- name: iptables-persistent - name: iptables-persistent
ansible.builtin.include_role: ansible.builtin.include_role:
name: iptables-persistent name: iptables-persistent
- name: Update pihole FTL
when: "'global.update_only' in ansible_run_tags"
ansible.builtin.shell: pihole -up
- block:
- name: Check if pi-hole db exists
stat:
path: /etc/pihole/gravity.db
register: pihole_db
- name: Install sqlite3 package
ansible.builtin.package:
name: sqlite3
- name: Install more lists than default
when: pihole_db.stat.exists
ansible.builtin.shell:
cmd: sqlite3 /etc/pihole/gravity.db "INSERT INTO adlist (address, enabled, comment) VALUES ('{{ item }}', 1, '');"
loop: "{{ pihole_custom_list }}"
when: "pihole_install_custom_list is true"
- name: Update Gravity
ansible.builtin.shell: pihole updateGravity
when: "
(pihole_install_custom_list is true) or
('pihole.update_gravity' in ansible_run_tags)
"


@ -1,6 +1,6 @@
--- ---
- name: Setup target as a Samba server - name: samba role; setup the target as SMB server using an external role
when: 'samba_enabled is true' when: 'samba_enabled is true'
include_role: include_role:
name: vladgh.samba.server name: vladgh.samba.server


@ -1,8 +1,10 @@
--- ---
# tasks file for snort-community # tasks file for snort-community
- name: Snort Community Edition setup - ansible.builtin.debug:
when: msg: "ENABLED = {{ snort_community_enabled }}; Snort Community Edition setup"
- when:
- "snort_community_enabled is true" - "snort_community_enabled is true"
block: block:
- name: Gather package facts - name: Gather package facts


@ -1,9 +1,7 @@
--- ---
# tasks file for unattended-upgrades # tasks file for unattended-upgrades
- name: Check if host need unattended-upgrades - name: Check if host need unattended-upgrades and install package
when: "unattended_upgrades_enabled is true" when: "unattended_upgrades_enabled is true"
block: ansible.builtin.package:
- name: Install unattended-upgrades name: unattended-upgrades
ansible.builtin.package:
name: unattended-upgrades


@ -0,0 +1,29 @@
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

37
roles/wakeonlan/README.md Normal file

@ -0,0 +1,37 @@
wakeonlan
=========
This role install Wake on LAN support for target
Requirements
------------
.
Role Variables
--------------
Respond to:
- **wakeonlan_enabled** (boolean): If true install and configure WoL
- **wakeonlan_interface** (string): the interface to setup for WoL
- **wakeonlan_mode** (string): the mode selected for WoL, default to `g`
Dependencies
------------
- ethtool
Example Playbook
----------------
`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=example_target" --tags wol`
License
-------
GPLv3
Author Information
------------------
- [Claudio Maradonna](https://social.unitoo.it/claudio)


@ -0,0 +1,6 @@
---
# defaults file for wakeonlan
wakeonlan_enabled: false
wakeonlan_interface: enp2s0
wakeonlan_mode: g


@ -0,0 +1,2 @@
---
# handlers file for wakeonlan


@ -0,0 +1,52 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
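Review bot: The `ansible-galaxy init` placeholders were left in this meta file — `author: your name`, `description: your role description`, `license: license (GPL-2.0-or-later, MIT, etc)` and `galaxy_tags: []` — while the README added in the same PR states GPLv3 and the handbook selects this role with the `wol` tag; the other roles touched here fill in `galaxy_tags`, so this one should get at least `galaxy_tags: [wol]` plus the real author and license. `min_ansible_version: 2.1` also understates the requirement, since the role's tasks use `ansible.builtin.*` and `community.general` names that presumably need a considerably newer release.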


@ -0,0 +1,3 @@
- name: Install ethtool
ansible.builtin.package:
name: ethtool


@ -0,0 +1,19 @@
- name: Setup systemd
when: 'is_docker is not true'
block:
- name: Install systemd files
ansible.builtin.template:
src: '{{ item.src }}'
dest: '/{{ item.path }}'
with_community.general.filetree: '../templates/systemd/'
vars:
interface: "{{ wakeonlan_interface }}"
mode: "{{ wakeonlan_mode }}"
when: item.state == 'file'
- name: Enable service
ansible.builtin.systemd:
name: wol-enable
state: started
enabled: true
daemon_reload: yes
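Review bot: `daemon_reload: yes` on the `Enable service` task uses a YAML 1.1 truthy word while every other boolean in this PR is written `true`/`false`; write `daemon_reload: true` so yamllint's `truthy` rule and YAML 1.2 parsers agree. Also, `state: started` on the `wol-enable` unit will re-execute it on every play if the unit is `Type=oneshot` without `RemainAfterExit`, because systemd reports such a unit inactive as soon as its command returns; the unit template in this PR is written that way, so the task will likely show `changed` on each run.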


@ -0,0 +1,20 @@
---
# tasks file for wakeonlan
- ansible.builtin.debug:
msg: "ENABLED = {{ wakeonlan_enabled }}; wakeonlan role; install and configure wakeonlan on target; REQUIRES BIOS CONFIGURATION ON TARGET itself"
- when:
- "wakeonlan_enabled is true"
block:
- name: Gather package facts
package_facts:
manager: auto
- name: Install yggdrasil if not present
when: "'ethtool' not in ansible_facts.packages"
block:
- include_tasks: "install_{{ ansible_os_family }}.yml"
- include_tasks: "install_{{ ansible_service_mgr }}_service.yml"
ignore_errors: true
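Review bot: `install_{{ ansible_service_mgr }}_service.yml` is included inside the block guarded by `when: "'ethtool' not in ansible_facts.packages"`, so on a host that already has ethtool the WoL service is never installed, and the block-level `ignore_errors: true` masks failures of both includes, so a host can report ENABLED while nothing was set up. I'd move the service include out of the guarded block, drop `ignore_errors`, and fix the copy-paste name `Install yggdrasil if not present` to refer to ethtool.
```yaml
    # … unchanged: "Gather package facts" task …
    - name: Install ethtool if not present
      when: "'ethtool' not in ansible_facts.packages"
      include_tasks: "install_{{ ansible_os_family }}.yml"
    - name: Install the Wake-on-LAN service unit
      include_tasks: "install_{{ ansible_service_mgr }}_service.yml"
```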


@ -0,0 +1,9 @@
[Unit]
Description=Enable Wake-up on LAN
[Service]
Type=oneshot
ExecStart=/sbin/ethtool -s {{ interface }} wol {{ mode }}
[Install]
WantedBy=basic.target
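Review bot: The unit is `Type=oneshot` without `RemainAfterExit=yes`, so systemd marks it inactive as soon as ethtool returns and an Ansible `state: started` against it re-executes the command on every run; adding `RemainAfterExit=yes` under `[Service]` makes enable/start idempotent. The unit also declares no ordering relative to the network interface, so at boot `ethtool -s {{ interface }}` may run before the interface exists; whether an `After=` dependency is needed depends on the target's network stack and should be checked on a real host. `{{ interface }}` and `{{ mode }}` are substituted into the command line unquoted, which is fine for the shipped defaults but worth remembering if those variables are ever taken from less-trusted inventory.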


@ -0,0 +1,2 @@
localhost


@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- wakeonlan


@ -0,0 +1,2 @@
---
# vars file for wakeonlan


@ -12,13 +12,16 @@ Role Variables
-------------- --------------
Respond to: Respond to:
- **update_only** (boolean)
- **yggdrasil_enabled** (boolean): If true install yggdrasil - **yggdrasil_enabled** (boolean): If true install yggdrasil
- **yggdrasil_sshd_enabled** (boolean): If true enable sshd access through Yggdrasil - **yggdrasil_sshd_enabled** (boolean): If true enable sshd access through Yggdrasil
- **yggdrasil_uninstall** (boolean): if true yggdrasil will be removed from the system (requires *yggdrasil_enabled to false*)
- **yggdrasil_peers_list_url** (url): a remote file that contains the `Peers` section of yggdrasil configuration - **yggdrasil_peers_list_url** (url): a remote file that contains the `Peers` section of yggdrasil configuration
Role Tags
--------------
- **global.update_only**: If present will update only the peers
- **global.uninstall**: If present yggdrasil will be removed from the system (requires *yggdrasil_enabled to false*)
Dependencies Dependencies
------------ ------------


@ -3,5 +3,4 @@
yggdrasil_enabled: false yggdrasil_enabled: false
yggdrasil_sshd_enabled: false yggdrasil_sshd_enabled: false
yggdrasil_uninstall: false
yggdrasil_peers_list_url: https://git.unitoo.it/unitoo/configurations/raw/branch/master/yggdrasil/peers.conf yggdrasil_peers_list_url: https://git.unitoo.it/unitoo/configurations/raw/branch/master/yggdrasil/peers.conf


@ -39,7 +39,8 @@ galaxy_info:
# - 7 # - 7
# - 99.99 # - 99.99
galaxy_tags: [] galaxy_tags:
- yggdrasil
# List tags for your role here, one per line. A tag is a keyword that describes # List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to # and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list. # remove the '[]' above, if you add tags to this list.


@ -1,7 +1,11 @@
- name: Install and configure yggdrasil ---
when:
- ansible.builtin.debug:
msg: "ENABLED = {{ yggdrasil_enabled }}; yggdrasil-role; install and configure yggdrasil overlay network"
- when:
- "yggdrasil_enabled is true" - "yggdrasil_enabled is true"
- "update_only is false" - "'global.update_only' not in ansible_run_tags"
block: block:
- name: Gather package facts - name: Gather package facts
package_facts: package_facts:
@ -64,8 +68,9 @@
- name: Remove yggdrasil if not enabled - name: Remove yggdrasil if not enabled
when: when:
- "yggdrasil_enabled is false" - "yggdrasil_enabled is false"
- "yggdrasil_uninstall is true" - "'yggdrasil' in ansible_run_tags"
- "update_only is false" - "'global.uninstall' in ansible_run_tags"
- "'global.update_only' not in ansible_run_tags"
block: block:
- name: Gather package facts - name: Gather package facts
package_facts: package_facts:
@ -79,5 +84,4 @@
- when: - when:
- "yggdrasil_enabled is true" - "yggdrasil_enabled is true"
block: include_tasks: "update_peers.yml"
- include_tasks: "update_peers.yml"


@ -1,16 +1,19 @@
zabov zabov
========= =========
This role setup Zabov DNS filter This role setup Zabov DNS filter. More information here: https://git.keinpfusch.net/loweel/zabov
Requirements Requirements
------------ ------------
. - golang >= 1.13
Role Variables Role Variables
-------------- --------------
- **go_path** (string)
- **zabov_git_url** (string): Git valid url of Zabov - **zabov_git_url** (string): Git valid url of Zabov
- **zabov_git_branch** (string): Zabov Git branch - **zabov_git_branch** (string): Zabov Git branch
- **zabov_installation_path** (string): Zabov installation path - **zabov_installation_path** (string): Zabov installation path


@ -1,7 +1,7 @@
--- ---
# tasks file for zabov # tasks file for zabov
- name: Install zabov from sources - name: zabov role; install zabov from sources
when: 'go_path is defined' when: 'go_path is defined'
block: block:
- name: Install git if needed - name: Install git if needed