authorElizabeth Hunt <elizabeth.hunt@simponic.xyz>2024-01-01 00:36:31 -0500
committerElizabeth Hunt <elizabeth.hunt@simponic.xyz>2024-01-01 00:36:31 -0500
commit3b818dc0b9c415124a6c16a85e757e45ebed7249 (patch)
treec0eb1b58c9fc8362b72136f17861e81c08bbf773 /roles/common/tasks
initial common setup
Diffstat (limited to 'roles/common/tasks')
-rw-r--r--roles/common/tasks/main.yml68
-rw-r--r--roles/common/tasks/systemd-resolved.yml60
2 files changed, 128 insertions, 0 deletions
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
new file mode 100644
index 0000000..d3bf8b9
--- /dev/null
+++ b/roles/common/tasks/main.yml
@@ -0,0 +1,68 @@
+---
+
+# apt cache
+- name: update apt cache
+ ansible.builtin.apt:
+ update_cache: yes
+ cache_valid_time: 3600
+
+# SSH
+- name: Copy sshd_config
+ copy:
+ src: ../templates/sshd_config
+ dest: /etc/ssh/sshd_config
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+
+- name: restart sshd
+ service: name=sshd state=restarted
+
+# FIREWALL
+- name: install UFW
+ apt: name=ufw state=latest
+
+- name: allow ssh from everywhere
+ ufw:
+ rule: allow
+ name: OpenSSH
+
+- name: restart ufw
+ service: name=ufw state=restarted
+
+# FAIL2BAN
+- name: install fail2ban
+ apt: name=fail2ban state=latest
+
+- name: Copy jail.conf
+ copy:
+ src: ../templates/jail.conf
+ dest: /etc/fail2ban/jail.conf
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+
+- name: restart fail2ban
+ service: name=fail2ban state=restarted
+
+# DNS
+- name: install systemd-resolved
+ apt: name=systemd-resolved state=latest
+
+- name: Check if systemd-resolved config exists
+ ansible.builtin.stat:
+ path: /etc/systemd/resolved.conf
+ register: systemd_resolved_config
+ check_mode: false
+
+- name: Update DNS servers for systemd-resolvd
+ ansible.builtin.include_tasks:
+ file: 'systemd-resolved.yml'
+ when: systemd_resolved_config.stat.exists | bool
+
+- name: Check if systemd-resolved runs
+ ansible.builtin.shell: pgrep systemd-resolve
+ failed_when: false
+ changed_when: false
+ register: systemd_resolved_running
+ check_mode: false
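Review bot: The "Copy sshd_config" task writes /etc/ssh/sshd_config without validating it, and the following task restarts sshd unconditionally, so a malformed template takes the SSH daemon down on every host in the play before anything else runs; add `validate: '/usr/sbin/sshd -t -f %s'` to the copy task and move the restart into a handler notified only when the file changed. The firewall stanza installs UFW and allows OpenSSH but never enables the firewall or sets a default policy, so nothing is actually filtered; a task such as `community.general.ufw: {state: enabled, policy: deny, direction: incoming}` after the allow rule would make the allow rule meaningful, and the unconditional `service: name=ufw state=restarted` could then be dropped. The `key=value` short forms (`apt: name=ufw state=latest`, `service: name=sshd state=restarted`) and the `update_cache: yes` truthy value should be written as native YAML with `true`, and `state: latest` upgrades packages on every run rather than pinning what was installed, which is worth a comment if intended. The `pgrep` check registered at the end of this file is not read anywhere in main.yml and is repeated inside systemd-resolved.yml.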
diff --git a/roles/common/tasks/systemd-resolved.yml b/roles/common/tasks/systemd-resolved.yml
new file mode 100644
index 0000000..43cb132
--- /dev/null
+++ b/roles/common/tasks/systemd-resolved.yml
@@ -0,0 +1,60 @@
+---
+- name: Add DNS servers
+ community.general.ini_file:
+ path: /etc/systemd/resolved.conf
+ section: Resolve
+ option: DNS
+ value: '{{ dns_servers[0] }}'
+ mode: '0644'
+ no_extra_spaces: true
+ register: conf_dns
+ when: dns_servers | length > 0
+
+- name: Add DNS fallback server
+ community.general.ini_file:
+ path: /etc/systemd/resolved.conf
+ section: Resolve
+ option: FallbackDNS
+ value: '{{ dns_servers[1] }}'
+ mode: '0644'
+ no_extra_spaces: true
+ register: conf_fallbackdns
+ when: dns_servers | length > 1
+
+- name: Enable DNSSEC
+ community.general.ini_file:
+ path: /etc/systemd/resolved.conf
+ section: Resolve
+ option: DNSSEC
+ value: '{{ "yes" if dns_dnssec else "no" }}'
+ mode: '0644'
+ no_extra_spaces: true
+ register: conf_dnssec
+
+- name: Add search domains
+ community.general.ini_file:
+ path: /etc/systemd/resolved.conf
+ section: Resolve
+ option: Domains
+ value: '{{ dns_domains | join(" ") }}'
+ mode: '0644'
+ no_extra_spaces: true
+ register: conf_domains
+
+- name: Check if network manager runs
+ ansible.builtin.shell: pgrep systemd-resolve
+ failed_when: false
+ changed_when: false
+ register: systemd_resolved_running
+ check_mode: false
+
+- name: Reload systemd-resolved
+ ansible.builtin.systemd:
+ name: systemd-resolved
+ state: restarted
+ when:
+ - conf_dns is changed or
+ conf_fallbackdns is changed or
+ conf_dnssec is changed or
+ conf_domains is changed
+ - systemd_resolved_running.rc == 0
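Review bot: The task "Check if network manager runs" actually probes systemd-resolved with `pgrep systemd-resolve`, so its name misleads the next reader; rename it to `Check if systemd-resolved runs` and, since no shell features are used, switch to `ansible.builtin.command: pgrep systemd-resolve` so the command is not passed through a shell. The restart at the end is a plain task rather than a handler, which is acceptable here because it is gated on the registered `changed` results, but a comment stating that only the ini_file edits above should trigger it would make the multi-line `when` list easier to maintain. The `when` entry spanning several lines relies on being a single folded plain scalar; the rendered diff has lost the indentation, so confirm in the file that the continuation lines are indented deeper than the `-` item, otherwise the condition silently breaks.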