author | Elizabeth Hunt <elizabeth.hunt@simponic.xyz> | 2024-01-01 00:36:31 -0500 |
committer | Elizabeth Hunt <elizabeth.hunt@simponic.xyz> | 2024-01-01 00:36:31 -0500 |
commit | 3b818dc0b9c415124a6c16a85e757e45ebed7249 (patch) | |
tree | c0eb1b58c9fc8362b72136f17861e81c08bbf773 /roles/common/tasks | |
initial common setup
Diffstat (limited to 'roles/common/tasks')
-rw-r--r-- | roles/common/tasks/main.yml | 68 | ||||
-rw-r--r-- | roles/common/tasks/systemd-resolved.yml | 60 |
2 files changed, 128 insertions, 0 deletions
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
new file mode 100644
index 0000000..d3bf8b9
--- /dev/null
+++ b/roles/common/tasks/main.yml
@@ -0,0 +1,68 @@
+---
+
+# apt cache
+- name: update apt cache
+  ansible.builtin.apt:
+    update_cache: yes
+    cache_valid_time: 3600
+
+# SSH
+- name: Copy sshd_config
+  copy:
+    src: ../templates/sshd_config
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+
+- name: restart sshd
+  service: name=sshd state=restarted
+
+# FIREWALL
+- name: install UFW
+  apt: name=ufw state=latest
+
+- name: allow ssh from everywhere
+  ufw:
+    rule: allow
+    name: OpenSSH
+
+- name: restart ufw
+  service: name=ufw state=restarted
+
+# FAIL2BAN
+- name: install fail2ban
+  apt: name=fail2ban state=latest
+
+- name: Copy jail.conf
+  copy:
+    src: ../templates/jail.conf
+    dest: /etc/fail2ban/jail.conf
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+
+- name: restart fail2ban
+  service: name=fail2ban state=restarted
+
+# DNS
+- name: install systemd-resolved
+  apt: name=systemd-resolved state=latest
+
+- name: Check if systemd-resolved config exists
+  ansible.builtin.stat:
+    path: /etc/systemd/resolved.conf
+  register: systemd_resolved_config
+  check_mode: false
+
+- name: Update DNS servers for systemd-resolvd
+  ansible.builtin.include_tasks:
+    file: 'systemd-resolved.yml'
+  when: systemd_resolved_config.stat.exists | bool
+
+- name: Check if systemd-resolved runs
+  ansible.builtin.shell: pgrep systemd-resolve
+  failed_when: false
+  changed_when: false
+  register: systemd_resolved_running
+  check_mode: false
diff --git a/roles/common/tasks/systemd-resolved.yml b/roles/common/tasks/systemd-resolved.yml
new file mode 100644
index 0000000..43cb132
--- /dev/null
+++ b/roles/common/tasks/systemd-resolved.yml
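Review bot: The `Copy sshd_config` task writes the daemon config with no syntax check and the `restart sshd` task then restarts sshd unconditionally, so a bad template leaves the host without SSH after the restart; add `validate: /usr/sbin/sshd -t -f %s` to the copy task and turn the restart into a handler the copy notifies, so sshd is only bounced when the file actually changed. The FIREWALL section adds an OpenSSH allow rule and restarts the ufw service, but nothing in this hunk enables the firewall or sets a default-deny policy (for example a block-form `ufw: state: enabled, policy: deny` task), so unless that is done elsewhere in the role the allow rule has no effect. The `apt: name=... state=latest` and `service: name=... state=restarted` key=value one-liners should be block YAML with `true`/`false` booleans (`update_cache: yes` becomes `update_cache: true`), consistent with the `ansible.builtin.*` tasks at the end of the same file. `pgrep systemd-resolve` uses no shell features, so `ansible.builtin.command` would do instead of `ansible.builtin.shell`.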
@@ -0,0 +1,60 @@
+---
+- name: Add DNS servers
+  community.general.ini_file:
+    path: /etc/systemd/resolved.conf
+    section: Resolve
+    option: DNS
+    value: '{{ dns_servers[0] }}'
+    mode: '0644'
+    no_extra_spaces: true
+  register: conf_dns
+  when: dns_servers | length > 0
+
+- name: Add DNS fallback server
+  community.general.ini_file:
+    path: /etc/systemd/resolved.conf
+    section: Resolve
+    option: FallbackDNS
+    value: '{{ dns_servers[1] }}'
+    mode: '0644'
+    no_extra_spaces: true
+  register: conf_fallbackdns
+  when: dns_servers | length > 1
+
+- name: Enable DNSSEC
+  community.general.ini_file:
+    path: /etc/systemd/resolved.conf
+    section: Resolve
+    option: DNSSEC
+    value: '{{ "yes" if dns_dnssec else "no" }}'
+    mode: '0644'
+    no_extra_spaces: true
+  register: conf_dnssec
+
+- name: Add search domains
+  community.general.ini_file:
+    path: /etc/systemd/resolved.conf
+    section: Resolve
+    option: Domains
+    value: '{{ dns_domains | join(" ") }}'
+    mode: '0644'
+    no_extra_spaces: true
+  register: conf_domains
+
+- name: Check if network manager runs
+  ansible.builtin.shell: pgrep systemd-resolve
+  failed_when: false
+  changed_when: false
+  register: systemd_resolved_running
+  check_mode: false
+
+- name: Reload systemd-resolved
+  ansible.builtin.systemd:
+    name: systemd-resolved
+    state: restarted
+  when:
+    - conf_dns is changed or
+      conf_fallbackdns is changed or
+      conf_dnssec is changed or
+      conf_domains is changed
+    - systemd_resolved_running.rc == 0 |
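Review bot: Only the first two entries of `dns_servers` ever reach resolved.conf — `value: '{{ dns_servers[0] }}'` for `DNS` and `dns_servers[1]` for `FallbackDNS` — so any further configured servers are silently dropped; `DNS=` accepts a space-separated list, so `value: '{{ dns_servers | join(" ") }}'` (the form the `Domains` task already uses) would keep them all, with fallback servers taken from a separate variable unless a strict primary/fallback pair is the intent. The task named `Check if network manager runs` actually runs `pgrep systemd-resolve` and repeats the identical check that main.yml performs under the same `systemd_resolved_running` register; rename it (`Check if systemd-resolved runs`) or drop it and rely on the caller's result. `dns_dnssec` and `dns_domains` have no visible default and are not guarded by a `when`, so the DNSSEC and Domains tasks fail on an undefined variable unless the role's defaults define them; `dns_dnssec | default(false)` and `dns_domains | default([])` would make the file self-contained. As in main.yml, `ansible.builtin.command` suffices for `pgrep`.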