initial common setup

2 files changed, 128 insertions, 0 deletions

diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
new file mode 100644
index 0000000..d3bf8b9
--- /dev/null
+++ b/roles/common/tasks/main.yml
@@ -0,0 +1,68 @@
+---
+
+# apt cache
+- name: update apt cache
+  ansible.builtin.apt:
+    update_cache: yes
+    cache_valid_time: 3600
+
+# SSH
+- name: Copy sshd_config
+  copy:
+    src: ../templates/sshd_config
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+
+- name: restart sshd
+  service: name=sshd state=restarted
+
+# FIREWALL
+- name: install UFW
+  apt: name=ufw state=latest
+
+- name: allow ssh from everywhere
+  ufw:
+    rule: allow
+    name: OpenSSH
+
+- name: restart ufw
+  service: name=ufw state=restarted
+
+# FAIL2BAN
+- name: install fail2ban
+  apt: name=fail2ban state=latest
+
+- name: Copy jail.conf
+  copy:
+    src: ../templates/jail.conf
+    dest: /etc/fail2ban/jail.conf
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+
+- name: restart fail2ban
+  service: name=fail2ban state=restarted
+
+# DNS
+- name: install systemd-resolved
+  apt: name=systemd-resolved state=latest
+
+- name: Check if systemd-resolved config exists
+  ansible.builtin.stat:
+    path: /etc/systemd/resolved.conf
+  register: systemd_resolved_config
+  check_mode: false
+
+- name: Update DNS servers for systemd-resolvd
+  ansible.builtin.include_tasks:
+    file: 'systemd-resolved.yml'
+  when: systemd_resolved_config.stat.exists | bool
+
+- name: Check if systemd-resolved runs
+  ansible.builtin.shell: pgrep systemd-resolve
+  failed_when: false
+  changed_when: false
+  register: systemd_resolved_running
+  check_mode: false
diff --git a/roles/common/tasks/systemd-resolved.yml b/roles/common/tasks/systemd-resolved.yml
new file mode 100644
index 0000000..43cb132
--- /dev/null
+++ b/roles/common/tasks/systemd-resolved.yml
@@ -0,0 +1,60 @@
+---
+- name: Add DNS servers
+  community.general.ini_file:
+    path: /etc/systemd/resolved.conf
+    section: Resolve
+    option: DNS
+    value: '{{ dns_servers[0] }}'
+    mode: '0644'
+    no_extra_spaces: true
+  register: conf_dns
+  when: dns_servers | length > 0
+
+- name: Add DNS fallback server
+  community.general.ini_file:
+    path: /etc/systemd/resolved.conf
+    section: Resolve
+    option: FallbackDNS
+    value: '{{ dns_servers[1] }}'
+    mode: '0644'
+    no_extra_spaces: true
+  register: conf_fallbackdns
+  when: dns_servers | length > 1
+
+- name: Enable DNSSEC
+  community.general.ini_file:
+    path: /etc/systemd/resolved.conf
+    section: Resolve
+    option: DNSSEC
+    value: '{{ "yes" if dns_dnssec else "no" }}'
+    mode: '0644'
+    no_extra_spaces: true
+  register: conf_dnssec
+
+- name: Add search domains
+  community.general.ini_file:
+    path: /etc/systemd/resolved.conf
+    section: Resolve
+    option: Domains
+    value: '{{ dns_domains | join(" ") }}'
+    mode: '0644'
+    no_extra_spaces: true
+  register: conf_domains
+
+- name: Check if network manager runs
+  ansible.builtin.shell: pgrep systemd-resolve
+  failed_when: false
+  changed_when: false
+  register: systemd_resolved_running
+  check_mode: false
+
+- name: Reload systemd-resolved
+  ansible.builtin.systemd:
+    name: systemd-resolved
+    state: restarted
+  when:
+    - conf_dns is changed or
+      conf_fallbackdns is changed or
+      conf_dnssec is changed or
+      conf_domains is changed
+    - systemd_resolved_running.rc == 0