Diffstat (limited to 'playbooks/roles/common/tasks')
-rw-r--r-- | playbooks/roles/common/tasks/main.yml | 76 | ||||
-rw-r--r-- | playbooks/roles/common/tasks/systemd-resolved.yml | 64 |
2 files changed, 140 insertions, 0 deletions
diff --git a/playbooks/roles/common/tasks/main.yml b/playbooks/roles/common/tasks/main.yml
new file mode 100644
index 0000000..f32893a
--- /dev/null
+++ b/playbooks/roles/common/tasks/main.yml
@@ -0,0 +1,76 @@
+---
+
+- name: Apt upgrade, update
+ ansible.builtin.apt:
+ update_cache: true
+ upgrade: "dist"
+
+- name: Set a hostname specifying strategy
+ ansible.builtin.hostname:
+ name: "{{ inventory_hostname }}"
+ use: systemd
+
+- name: Install dependencies
+ ansible.builtin.apt:
+ name:
+ - apt-transport-https
+ - ca-certificates
+ - curl
+ - gnupg-agent
+ - software-properties-common
+ - systemd-timesyncd
+ - systemd-resolved
+ - vim
+ - git
+ - rsync
+ state: latest
+ update_cache: true
+ notify:
+ - Enable systemd-timesyncd
+
+## DNS
+- name: Configure systemd-resolved
+ ansible.builtin.include_tasks:
+ file: "systemd-resolved.yml"
+
+## SSH
+- name: Copy sshd_config
+ ansible.builtin.copy:
+ src: files/sshd_config
+ dest: /etc/ssh/sshd_config
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+ notify:
+ - Restart sshd
+
+- name: Copy authorized keys
+ ansible.builtin.copy:
+ src: files/authorized_keys
+ dest: /root/.ssh/authorized_keys
+ owner: root
+ group: root
+
+## FAIL2BAN
+- name: Install Fail2Ban
+ ansible.builtin.apt:
+ name: fail2ban
+ state: present
+ notify:
+ - Enable fail2ban
+
+## FIREWALL
+- name: Install ufw
+ ansible.builtin.apt:
+ name: ufw
+ state: present
+
+- name: Allow ssh from rfc1918 networks
+ loop: "{{ rfc1918_networks }}"
+ community.general.ufw:
+ rule: allow
+ name: "OpenSSH"
+ from: "{{ item }}"
+ state: "enabled"
+ notify:
+ - Reload ufw
diff --git a/playbooks/roles/common/tasks/systemd-resolved.yml b/playbooks/roles/common/tasks/systemd-resolved.yml
new file mode 100644
index 0000000..f0f7163
--- /dev/null
+++ b/playbooks/roles/common/tasks/systemd-resolved.yml
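Review bot: The "Copy sshd_config" task notifies "Restart sshd" without validating the new file, so a typo in files/sshd_config restarts sshd into a failed state and cuts off remote access; add `validate: "/usr/sbin/sshd -t -f %s"` to that copy task so the handler is only reached with a config sshd accepts. The "Copy authorized keys" task below it sets owner and group but no `mode`, leaving the file's permissions to the copy module's defaults; set `mode: "0600"` explicitly, and `directory_mode: "0700"` in case /root/.ssh has to be created by the copy. In "Install dependencies", `state: latest` turns every run into a package upgrade rather than an idempotent install, duplicating what the "Apt upgrade, update" task above already does; `state: present` is the usual choice for a dependency list. The handlers referenced by the notify lines (Enable systemd-timesyncd, Restart sshd, Enable fail2ban, Reload ufw) are defined outside this diff.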
@@ -0,0 +1,64 @@
+---
+
+- name: Add dns servers
+ community.general.ini_file:
+ path: /etc/systemd/resolved.conf
+ section: Resolve
+ option: DNS
+ value: '{{ dns_servers[0] }}'
+ mode: '0644'
+ no_extra_spaces: true
+ register: conf_dns
+ when: dns_servers | length > 0
+
+- name: Add dns fallback server
+ community.general.ini_file:
+ path: /etc/systemd/resolved.conf
+ section: Resolve
+ option: FallbackDNS
+ value: '{{ dns_servers[1] }}'
+ mode: '0644'
+ no_extra_spaces: true
+ register: conf_fallbackdns
+ when: dns_servers | length > 1
+
+- name: Enable dnssec
+ community.general.ini_file:
+ path: /etc/systemd/resolved.conf
+ section: Resolve
+ option: DNSSEC
+ value: '{{ "yes" if dns_dnssec else "no" }}'
+ mode: '0644'
+ no_extra_spaces: true
+ register: conf_dnssec
+
+- name: Add search domains
+ community.general.ini_file:
+ path: /etc/systemd/resolved.conf
+ section: Resolve
+ option: Domains
+ value: '{{ dns_domains | join(" ") }}'
+ mode: '0644'
+ no_extra_spaces: true
+ register: conf_domains
+
+- name: Stub listener
+ community.general.ini_file:
+ path: /etc/systemd/resolved.conf
+ section: Resolve
+ option: DNSStubListener
+ value: '{{ "yes" if dns_stub_listener else "no" }}'
+ mode: '0644'
+ no_extra_spaces: true
+ register: conf_domains
+
+- name: Reload systemd-resolved
+ ansible.builtin.service:
+ name: systemd-resolved
+ state: restarted
+ enabled: true
+ when:
+ - conf_dns is changed or
+ conf_fallbackdns is changed or
+ conf_dnssec is changed or
+ conf_domains is changed |
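Review bot: The "Stub listener" task registers its result as `conf_domains`, the same name the "Add search domains" task registered just above it, so the Domains result is overwritten and a change to the search domains alone never satisfies the restart condition in "Reload systemd-resolved". Give the task its own name, `register: conf_stublistener`, and extend the condition with `conf_stublistener is changed`. Separately, the DNS option only writes `dns_servers[0]` and FallbackDNS only `dns_servers[1]`; if the list is meant to carry more than two upstreams the remaining entries are silently dropped, and `value: '{{ dns_servers | join(" ") }}'` would keep them, since resolved.conf accepts a space-separated list for DNS. Using `state: restarted` directly rather than a handler also means the service bounces mid-play on every config change rather than once at the end; a `notify` to a restart handler would match how main.yml treats sshd and ufw.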