initial commit

ansible-checkmode-command-unhb4.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+ansible-playbook site.yml -i inventory.yml --limit unhb4

ansible-deploy-command-unhb4.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+ansible-playbook site.yml -i inventory.yml --limit unhb4 --check --diff

inventory.yml

@@ -0,0 +1,7 @@
+---
+
+all:
+  children:
+    debianservers:
+      hosts:
+        unhb4

roles/apt-update-upgrade/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Update and upgrade apt packages
+  become: "true"
+  apt:
+    upgrade: yes
+    update_cache: yes
+    cache_valid_time: 3600 #an hour

roles/apt/handlers/main.yml

@@ -0,0 +1,9 @@
+---
+# handlers file for matrix_synapse
+
+- name: restart-unattendedupgrades
+  ansible.builtin.service:
+    state: restarted
+    daemon_reload: yes
+    name: unattended-upgrades
+  tags: molecule-notest

roles/apt/tasks/apt.yml

@@ -0,0 +1,17 @@
+---
+
+- name: Install packages if Debian based
+  apt:
+    name: unattended-upgrades
+    state: present
+    update_cache: true
+  become: true
+
+- name: Apt Config (/etc/apt.conf.d/10periodic)
+  ansible.builtin.template:
+    src: ../templates/10periodic.j2
+    dest: /etc/apt/apt.conf.d/10periodic
+    owner: root
+    group: root
+    mode: '0644'
+  notify: restart-unattendedupgrades

roles/apt/tasks/main.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Include other yaml files
+  include_tasks: "{{ item }}"
+  with_fileglob:
+    - apt.yml

roles/apt/templates/10periodic.j2

@@ -0,0 +1,4 @@
+APT::Periodic::Update-Package-Lists "{{ APT_Periodic_Update_Package_Lists }}";
+APT::Periodic::Download-Upgradeable-Packages "{{ APT_Periodic_Download_Upgradeable_Packages }}";
+APT::Periodic::AutocleanInterval "{{ APT_Periodic_AutocleanInterval }}";
+APT::Periodic::Unattended-Upgrade "{{ APT_Periodic_Unattended_Upgrade }}";

roles/apt_listchanges/files/listchanges.conf

@@ -0,0 +1,9 @@
+[apt]
+frontend=pager
+which=news
+email_address=none
+email_format=text
+confirm=false
+headers=false
+reverse=true
+save_seen=/var/lib/apt/listchanges.db

roles/apt_listchanges/tasks/apt-listchanges-conf.yml

@@ -0,0 +1,17 @@
+---
+
+- name: apt-listchanges Config (/etc/apt/listchanges.conf)
+  ansible.builtin.template:
+    src: ../files/listchanges.conf
+    dest: /etc/apt/listchanges.conf
+    owner: root
+    group: root
+    mode: '0644'
+    
+- name: Install packages if Debian based
+  apt:
+    name: "apt-listchanges"
+    state: present
+    update_cache: true
+  become: true
+  when: ansible_os_family == 'Debian'

roles/apt_listchanges/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+
+# to do list:
+
+- name: Include other yaml files
+  include_tasks: "{{ item }}"
+  with_fileglob:
+    - apt-listchanges-conf.yml

roles/basic_common_settings/files/97-update.conf

@@ -0,0 +1 @@
+%sudo   ALL = NOPASSWD: /opt/scripts/update.sh

roles/basic_common_settings/files/debian_earlyoom

@@ -0,0 +1,28 @@
+# Default settings for earlyoom. This file is sourced by /bin/sh from
+# /etc/init.d/earlyoom or by systemd from earlyoom.service.
+
+# Options to pass to earlyoom
+#EARLYOOM_ARGS="-r 60"
+
+# Examples:
+
+# Print memory report every second instead of every minute
+# EARLYOOM_ARGS="-r 1"
+
+# Available minimum memory 5%
+#EARLYOOM_ARGS="-m 5"
+
+# Available minimum memory 15% and free minimum swap 5%
+#EARLYOOM_ARGS="-m 15 -s 5"
+
+# Avoid killing processes whose name matches this regexp
+#EARLYOOM_ARGS="--avoid '(^|/)(init|X|sshd|firefox)$'"
+
+#prefer:
+#EARLYOOM_ARGS="--prefer '(^|/)(telegram-desktop|element-desktop)$'"
+
+# See more at `earlyoom -h'
+#
+#
+#
+EARLYOOM_ARGS="-r 60 -m 3 --avoid '(^|/)(init|X|sshd|firefox)$' --prefer '(^|/)(signal-desktop|element-desktop)$'"

roles/basic_common_settings/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+
+- name: restart-earlyoom
+  ansible.builtin.service:
+    state: restarted
+    daemon_reload: yes
+    name: earlyoom
+  tags: molecule-notest

roles/basic_common_settings/tasks/earlyoom.yml

@@ -0,0 +1,17 @@
+---
+
+- name: Install earlyoom if OS is based on Debian
+  ansible.builtin.package:
+    name: earlyoom
+  when: ansible_os_family == 'Debian'
+      
+- name: Create earlyoom config
+  ansible.builtin.template:
+   src: ../files/debian_earlyoom
+   dest: /etc/default/earlyoom
+   owner: root
+   group: root
+   mode: '0644'
+   force: true
+  when: ansible_os_family == 'Debian'
+  notify: restart-earlyoom

roles/basic_common_settings/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+
+- name: Install useful packages
+  include_tasks: "useful_packages.yml"
+  
+- name: Set up sudo (FreeBSD/OpenBSD)
+  include_tasks: "sudo.yml"
+  
+- name: Set up earlyoom (Debian)
+  include_tasks: "sudo.yml"
+
+- name: Deploy update script
+  include_tasks: "update_script.yml"
+
+- name: Deploy ZSH config to /etc/skel
+  include_tasks: "zsh_skel.yml"

roles/basic_common_settings/tasks/sudo.yml

@@ -0,0 +1,17 @@
+---
+
+- name: "Install security/sudo (FreeBSD)"
+  ansible.builtin.package:
+    name: security/sudo
+    state: present
+  when: ansible_os_family == 'FreeBSD'
+    
+- name: "Allow group wheel to use sudo (FreeBSD)"
+  ansible.builtin.lineinfile:
+    path: /usr/local/etc/sudoers
+    regexp: '%wheel ALL=\(ALL\) ALL'
+    line: '%wheel ALL=(ALL) ALL'
+    owner: root
+    group: wheel
+    mode: '0440'
+  when: ansible_os_family == 'FreeBSD'

roles/basic_common_settings/tasks/update_script.yml

@@ -0,0 +1,42 @@
+---
+
+- name: "Ensure /opt/scripts/ exists"
+  ansible.builtin.file:
+    path: /opt/scripts
+    state: directory
+    mode: '0755'
+
+- name: "Create directory (/etc/sudoers.d)"
+  ansible.builtin.file:
+    path: /etc/sudoers.d
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: "Sudoers (/etc/sudoers.d/97-update.conf)"
+  ansible.builtin.template:
+   src: ../files/97-update.conf
+   dest: /etc/sudoers.d/97-update-conf
+   owner: root
+   group: root
+   mode: '0440'
+  when: ansible_os_family != 'OpenBSD' # sudo Installation must be fixed first for OpenBSD
+   
+- name: "Template Update Script"
+  ansible.builtin.template:
+   src: ../templates/update.sh.j2
+   dest: /opt/scripts/update.sh
+   owner: root
+   group: root
+   mode:  u+rwx
+  when: ansible_os_family == 'Debian'
+
+- name: "Template Update Script"
+  ansible.builtin.template:
+   src: ../templates/update.sh.j2
+   dest: /opt/scripts/update.sh
+   owner: root
+   group: wheel
+   mode:  u+rwx
+  when: ansible_os_family == 'FreeBSD' or ansible_os_family == 'OpenBSD'

roles/basic_common_settings/tasks/useful_packages.yml

@@ -0,0 +1,26 @@
+---
+   
+- name: Install useful packages for servers if Debian-based
+  apt:
+    pkg:
+      - whois
+      - curl
+      - nmap
+      - traceroute
+      - zsh
+      - vim
+      - git
+      - net-tools
+      - wget
+      - apt-transport-https
+      - earlyoom
+      - gpg
+      - gpg-agent
+      - htop
+      #- duf #currently not in Debian stable, change when it is
+      - at
+      - pwgen
+    state: present
+    update_cache: true
+  become: true
+  when: ansible_os_family == 'Debian'

roles/basic_common_settings/tasks/zsh_skel.yml

@@ -0,0 +1,44 @@
+---
+
+- name: Create ZSH config dir (/etc/zsh)
+  file:
+    path: /etc/zsh/
+    owner: root
+    group: root
+    state: directory
+  when: ansible_os_family == 'Debian'
+  
+- name: Create ZSH config dir (/etc/zsh)
+  file:
+    path: /etc/zsh/
+    owner: root
+    group: wheel
+    state: directory
+  when: ansible_os_family == 'OpenBSD'
+    
+- name: Download GRML ZSH config
+  get_url:
+    url: https://git.grml.org/?p=grml-etc-core.git;a=blob_plain;f=etc/zsh/zshrc;h=22ed16228d1e26b47322bd34b041f544aa5d458d;hb=refs/heads/master
+    dest: /etc/zsh/zshrc
+    mode: '0644'
+  retries: 10
+  delay: 3
+  when: ansible_os_family == 'Debian' or ansible_os_family == 'OpenBSD'
+
+- name: Copy ZSH config to /etc/skel/.zshrc
+  get_url:
+    url: https://git.grml.org/?p=grml-etc-core.git;a=blob_plain;f=etc/zsh/zshrc;h=22ed16228d1e26b47322bd34b041f544aa5d458d;hb=refs/heads/master
+    dest: /etc/skel/.zshrc
+    owner: root
+    group: root
+    mode: '0644'
+  when: ansible_os_family == 'Debian'
+  
+- name: Copy ZSH config to /etc/skel/.zshrc
+  get_url:
+    url: https://git.grml.org/?p=grml-etc-core.git;a=blob_plain;f=etc/zsh/zshrc;h=22ed16228d1e26b47322bd34b041f544aa5d458d;hb=refs/heads/master
+    dest: /etc/skel/.zshrc
+    owner: root
+    group: wheel
+    mode: '0644'
+  when: ansible_os_family == 'OpenBSD'

roles/basic_common_settings/templates/update.sh.j2

@@ -0,0 +1,23 @@
+#!/bin/sh
+{% if ansible_os_family == "Debian" %}
+export DEBIAN_FRONTEND=noninteractive
+apt update
+apt upgrade -y
+apt autoremove -y
+apt clean
+{% endif %}
+{% if ansible_os_family == "FreeBSD" %}
+freebsd-update fetch
+freebsd-update install
+pkg upgrade
+# Upgrades the Release to the latest updates
+pkg-static install -f pkg
+pkg bootstrap -f
+pkg update
+pkg upgrade
+# Updates all packages
+# Following this How To: https://www.cyberciti.biz/open-source/freebsd-13-released-how-to-update-upgrade-freebsd-12-to-13/
+{% endif %}
+{% if ansible_os_family == "OpenBSD" %}
+pkg_add -u && syspatch
+{% endif %}

roles/firewalld/.yamllint

@@ -0,0 +1,33 @@
+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  colons:
+    max-spaces-after: -1
+    level: error
+  commas:
+    max-spaces-after: -1
+    level: error
+  comments: disable
+  comments-indentation: disable
+  document-start: disable
+  empty-lines:
+    max: 3
+    level: error
+  hyphens:
+    level: error
+  indentation: disable
+  key-duplicates: enable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  new-lines:
+    type: unix
+  trailing-spaces: disable
+  truthy: disable

roles/firewalld/README.md

@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

roles/firewalld/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for example_role

roles/firewalld/meta/main.yml

@@ -0,0 +1,53 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+  namespace: firewalld
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

roles/firewalld/molecule/default/Dockerfile.j2

@@ -0,0 +1,2 @@
+FROM debian:stable
+RUN apt-get update && apt-get install python3-pip python-is-python3 sudo lsb-release -y

roles/firewalld/molecule/default/converge.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Converge
+  hosts: all
+  tasks:
+    - name: "Include firewalld"
+      include_role:
+        name: "firewalld"

roles/firewalld/molecule/default/molecule.yml

@@ -0,0 +1,13 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+platforms:
+  - name: molecule
+    image: debian:stable
+    #pre_build_image: true
+provisioner:
+  name: ansible
+verifier:
+  name: ansible

roles/firewalld/molecule/default/verify.yml

@@ -0,0 +1,10 @@
+---
+# This is an example playbook to execute Ansible tests.
+
+- name: Verify
+  hosts: all
+  gather_facts: false
+  tasks:
+  - name: Example assertion
+    assert:
+      that: true

roles/firewalld/tasks/main.yml

@@ -0,0 +1,37 @@
+---
+
+- name: install firewalld
+  package:
+    name: firewalld
+    state: present
+
+- name: "Make sure FirewallD is running"
+  ansible.builtin.service:
+    name: firewalld
+    enabled: yes
+    state: started
+    
+- name: Open SSH port in firewall
+  ansible.posix.firewalld:
+    service: ssh
+    permanent: yes
+    state: enabled
+    immediate: yes
+#this is seperate so you don't accidentally remove it
+
+- name: Open services in firewall
+  ansible.posix.firewalld:
+    service: "{{ item }}"
+    permanent: yes
+    state: enabled
+    immediate: yes
+  with_items: "{{ firewall_services }}"
+
+- name: Open ports in firewall
+  ansible.posix.firewalld:
+    port: "{{ item }}"
+    permanent: yes
+    state: enabled
+    immediate: yes
+  with_items: "{{ firewall_ports }}"
+  when: firewall_ports is defined

roles/firewalld/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

roles/firewalld/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - example_role

site.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Set up user account on all hosts
+  hosts: all
+  remote_user: root
+  
+  roles:
+    - basic_common_settings