diff --git a/ansible-checkmode-command-unhb4.sh b/ansible-checkmode-command-unhb4.sh
new file mode 100755
index 0000000..76eadab
--- /dev/null
+++ b/ansible-checkmode-command-unhb4.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+ansible-playbook site.yml -i inventory.yml --limit unhb4
diff --git a/ansible-deploy-command-unhb4.sh b/ansible-deploy-command-unhb4.sh
new file mode 100755
index 0000000..2f22dd0
--- /dev/null
+++ b/ansible-deploy-command-unhb4.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+ansible-playbook site.yml -i inventory.yml --limit unhb4 --check --diff
diff --git a/inventory.yml b/inventory.yml
new file mode 100644
index 0000000..bce79b8
--- /dev/null
+++ b/inventory.yml
@@ -0,0 +1,7 @@
+---
+
+all:
+ children:
+ debianservers:
+ hosts:
+ unhb4
diff --git a/roles/apt-update-upgrade/tasks/main.yml b/roles/apt-update-upgrade/tasks/main.yml
new file mode 100644
index 0000000..5b069b0
--- /dev/null
+++ b/roles/apt-update-upgrade/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+
+- name: Update and upgrade apt packages
+ become: "true"
+ apt:
+ upgrade: yes
+ update_cache: yes
+ cache_valid_time: 3600 #an hour
diff --git a/roles/apt/handlers/main.yml b/roles/apt/handlers/main.yml
new file mode 100644
index 0000000..114a59b
--- /dev/null
+++ b/roles/apt/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+# handlers file for matrix_synapse
+
+- name: restart-unattendedupgrades
+ ansible.builtin.service:
+ state: restarted
+ daemon_reload: yes
+ name: unattended-upgrades
+ tags: molecule-notest
diff --git a/roles/apt/tasks/apt.yml b/roles/apt/tasks/apt.yml
new file mode 100644
index 0000000..e347896
--- /dev/null
+++ b/roles/apt/tasks/apt.yml
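Review bot: The two helper scripts have their contents crossed: `ansible-checkmode-command-unhb4.sh` runs the playbook for real, while `ansible-deploy-command-unhb4.sh` passes `--check --diff` and only previews. Whoever runs the script named "checkmode" to preview a change will apply it to the host instead. Move the flags so the checkmode script reads `ansible-playbook site.yml -i inventory.yml --limit unhb4 --check --diff` and the deploy script reads `ansible-playbook site.yml -i inventory.yml --limit unhb4`.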
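Review bot: In inventory.yml the host entry under `hosts:` is written as a bare scalar, `unhb4`, which makes `hosts` a string rather than a mapping; Ansible's YAML inventory plugin rejects that with an error saying the `hosts` entry requires a dictionary. The fix is a trailing colon, `unhb4:`, optionally followed by `ansible_host:` on the next level. Indentation was lost in this rendering of the diff, so the nesting of the group itself cannot be checked here.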
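Review bot: `become: "true"` in roles/apt-update-upgrade/tasks/main.yml is a quoted string rather than a boolean, and `upgrade: yes` / `update_cache: yes` use YAML 1.1 truthy spellings where roles/apt/tasks/apt.yml in the same commit writes `true`. Use `become: true`, `update_cache: true` and `upgrade: safe` (the documented equivalent of `yes`) so the task reads consistently, and write the inline comment as `# an hour` with a space after the hash. Unlike the other apt tasks in this commit the task has no `when: ansible_os_family == 'Debian'` guard; it is only safe because the single inventory group is `debianservers`.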
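Review bot: The header comment in roles/apt/handlers/main.yml, `# handlers file for matrix_synapse`, was carried over from another role and names one that does not exist in this repository; replace it with `# handlers file for the apt role`. `daemon_reload: yes` is a YAML 1.1 truthy spelling; the boolean `true` matches the style used elsewhere in the commit.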
@@ -0,0 +1,17 @@
+---
+
+- name: Install packages if Debian based
+ apt:
+ name: unattended-upgrades
+ state: present
+ update_cache: true
+ become: true
+
+- name: Apt Config (/etc/apt.conf.d/10periodic)
+ ansible.builtin.template:
+ src: ../templates/10periodic.j2
+ dest: /etc/apt/apt.conf.d/10periodic
+ owner: root
+ group: root
+ mode: '0644'
+ notify: restart-unattendedupgrades
diff --git a/roles/apt/tasks/main.yml b/roles/apt/tasks/main.yml
new file mode 100644
index 0000000..88727c0
--- /dev/null
+++ b/roles/apt/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Include other yaml files
+ include_tasks: "{{ item }}"
+ with_fileglob:
+ - apt.yml
diff --git a/roles/apt/templates/10periodic.j2 b/roles/apt/templates/10periodic.j2
new file mode 100644
index 0000000..70a2993
--- /dev/null
+++ b/roles/apt/templates/10periodic.j2
@@ -0,0 +1,4 @@
+APT::Periodic::Update-Package-Lists "{{ APT_Periodic_Update_Package_Lists }}";
+APT::Periodic::Download-Upgradeable-Packages "{{ APT_Periodic_Download_Upgradeable_Packages }}";
+APT::Periodic::AutocleanInterval "{{ APT_Periodic_AutocleanInterval }}";
+APT::Periodic::Unattended-Upgrade "{{ APT_Periodic_Unattended_Upgrade }}";
diff --git a/roles/apt_listchanges/files/listchanges.conf b/roles/apt_listchanges/files/listchanges.conf
new file mode 100644
index 0000000..cf889ab
--- /dev/null
+++ b/roles/apt_listchanges/files/listchanges.conf
@@ -0,0 +1,9 @@
+[apt]
+frontend=pager
+which=news
+email_address=none
+email_format=text
+confirm=false
+headers=false
+reverse=true
+save_seen=/var/lib/apt/listchanges.db
diff --git a/roles/apt_listchanges/tasks/apt-listchanges-conf.yml b/roles/apt_listchanges/tasks/apt-listchanges-conf.yml
new file mode 100644
index 0000000..585974b
--- /dev/null
+++ b/roles/apt_listchanges/tasks/apt-listchanges-conf.yml
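Review bot: The `Apt Config` task in roles/apt/tasks/apt.yml writes a root-owned file into /etc/apt/apt.conf.d but, unlike the install task above it, has no `become: true`; it only succeeds because site.yml connects as root. Add `become: true` to the task so it keeps working once the playbook moves to an unprivileged remote user. The task name also says `/etc/apt.conf.d/10periodic` while `dest` is `/etc/apt/apt.conf.d/10periodic`; correct the name to match the destination.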
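Review bot: `with_fileglob` in roles/apt/tasks/main.yml resolves a relative pattern against the role's `files/` directory rather than `tasks/` (as far as I recall the fileglob lookup's role behaviour), so `apt.yml` most likely matches nothing and the include is silently skipped with zero iterations; roles/apt_listchanges/tasks/main.yml uses the same construct. Since the file names are fixed, a plain `include_tasks: apt.yml` (and `include_tasks: apt-listchanges-conf.yml`) removes both the loop and the lookup ambiguity. If a glob is really wanted, give it an explicit path such as `"{{ role_path }}/tasks/*.yml"`, and drop the `# to do list:` placeholder comment in the apt_listchanges file.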
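Review bot: The template references four variables, `APT_Periodic_Update_Package_Lists`, `APT_Periodic_Download_Upgradeable_Packages`, `APT_Periodic_AutocleanInterval` and `APT_Periodic_Unattended_Upgrade`, but nothing in this commit defines them (there is no roles/apt/defaults/main.yml or vars file), so rendering fails with an undefined-variable error unless they are set in inventory outside this change. Add a `defaults/main.yml` with one documented key per setting so the role is usable on its own; the apt.conf values are quoted strings in the template, so quoting them in YAML as well (`"1"`) keeps them from being retyped as integers.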
@@ -0,0 +1,17 @@
+---
+
+- name: apt-listchanges Config (/etc/apt/listchanges.conf)
+ ansible.builtin.template:
+ src: ../files/listchanges.conf
+ dest: /etc/apt/listchanges.conf
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: Install packages if Debian based
+ apt:
+ name: "apt-listchanges"
+ state: present
+ update_cache: true
+ become: true
+ when: ansible_os_family == 'Debian'
diff --git a/roles/apt_listchanges/tasks/main.yml b/roles/apt_listchanges/tasks/main.yml
new file mode 100644
index 0000000..e6ce9d9
--- /dev/null
+++ b/roles/apt_listchanges/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+
+# to do list:
+
+- name: Include other yaml files
+ include_tasks: "{{ item }}"
+ with_fileglob:
+ - apt-listchanges-conf.yml
diff --git a/roles/basic_common_settings/files/97-update.conf b/roles/basic_common_settings/files/97-update.conf
new file mode 100644
index 0000000..fd2c714
--- /dev/null
+++ b/roles/basic_common_settings/files/97-update.conf
@@ -0,0 +1 @@
+%sudo ALL = NOPASSWD: /opt/scripts/update.sh
diff --git a/roles/basic_common_settings/files/debian_earlyoom b/roles/basic_common_settings/files/debian_earlyoom
new file mode 100644
index 0000000..bce2998
--- /dev/null
+++ b/roles/basic_common_settings/files/debian_earlyoom
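Review bot: In roles/apt_listchanges/tasks/apt-listchanges-conf.yml the configuration file is written before the `apt-listchanges` package is installed, and with `ansible.builtin.template` even though `files/listchanges.conf` contains no Jinja. Installing first and placing the config afterwards is the usual order, since the package ships its own /etc/apt/listchanges.conf and dpkg's conffile handling decides what happens when the file already exists; for a static file `ansible.builtin.copy` with `src: listchanges.conf` states the intent and avoids Jinja parsing of the content. The config task also lacks the `become: true` and `when: ansible_os_family == 'Debian'` that the install task carries.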
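Review bot: `%sudo ALL = NOPASSWD: /opt/scripts/update.sh` grants password-less root execution of that script to every member of `sudo`, so the rule is only as safe as the script and /opt/scripts being root-owned and not writable by those users; the deploying task in roles/basic_common_settings/tasks/update_script.yml sets the script's mode with the symbolic `u+rwx`, which does not pin the group/other bits. Keep the directory at the 0755 root-owned it already gets and give the script an explicit octal mode there. A one-line comment in this file, `# Allow members of the sudo group to run the unattended update script without a password`, records the purpose for later audits.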
@@ -0,0 +1,28 @@
+# Default settings for earlyoom. This file is sourced by /bin/sh from
+# /etc/init.d/earlyoom or by systemd from earlyoom.service.
+
+# Options to pass to earlyoom
+#EARLYOOM_ARGS="-r 60"
+
+# Examples:
+
+# Print memory report every second instead of every minute
+# EARLYOOM_ARGS="-r 1"
+
+# Available minimum memory 5%
+#EARLYOOM_ARGS="-m 5"
+
+# Available minimum memory 15% and free minimum swap 5%
+#EARLYOOM_ARGS="-m 15 -s 5"
+
+# Avoid killing processes whose name matches this regexp
+#EARLYOOM_ARGS="--avoid '(^|/)(init|X|sshd|firefox)$'"
+
+#prefer:
+#EARLYOOM_ARGS="--prefer '(^|/)(telegram-desktop|element-desktop)$'"
+
+# See more at `earlyoom -h'
+#
+#
+#
+EARLYOOM_ARGS="-r 60 -m 3 --avoid '(^|/)(init|X|sshd|firefox)$' --prefer '(^|/)(signal-desktop|element-desktop)$'"
diff --git a/roles/basic_common_settings/handlers/main.yml b/roles/basic_common_settings/handlers/main.yml
new file mode 100644
index 0000000..ca7b901
--- /dev/null
+++ b/roles/basic_common_settings/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+
+- name: restart-earlyoom
+ ansible.builtin.service:
+ state: restarted
+ daemon_reload: yes
+ name: earlyoom
+ tags: molecule-notest
diff --git a/roles/basic_common_settings/tasks/earlyoom.yml b/roles/basic_common_settings/tasks/earlyoom.yml
new file mode 100644
index 0000000..deca055
--- /dev/null
+++ b/roles/basic_common_settings/tasks/earlyoom.yml
@@ -0,0 +1,17 @@
+---
+
+- name: Install earlyoom if OS is based on Debian
+ ansible.builtin.package:
+ name: earlyoom
+ when: ansible_os_family == 'Debian'
+
+- name: Create earlyoom config
+ ansible.builtin.template:
+ src: ../files/debian_earlyoom
+ dest: /etc/default/earlyoom
+ owner: root
+ group: root
+ mode: '0644'
+ force: true
+ when: ansible_os_family == 'Debian'
+ notify: restart-earlyoom
diff --git a/roles/basic_common_settings/tasks/main.yml b/roles/basic_common_settings/tasks/main.yml
new file mode 100644
index 0000000..c714739
--- /dev/null
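Review bot: `Create earlyoom config` in roles/basic_common_settings/tasks/earlyoom.yml deploys `files/debian_earlyoom` through `ansible.builtin.template`, so Jinja parses a file that contains no template syntax; `ansible.builtin.copy` with `src: debian_earlyoom` is the module meant for a static file and will not misread a future `{{` or `{%` inside the `EARLYOOM_ARGS` regex. `force: true` is already the default of both modules and can be dropped. The install task has no `state:`, which the package module defaults to present; writing `state: present` makes that explicit and matches sudo.yml in the same role.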
+++ b/roles/basic_common_settings/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+
+- name: Install useful packages
+ include_tasks: "useful_packages.yml"
+
+- name: Set up sudo (FreeBSD/OpenBSD)
+ include_tasks: "sudo.yml"
+
+- name: Set up earlyoom (Debian)
+ include_tasks: "sudo.yml"
+
+- name: Deploy update script
+ include_tasks: "update_script.yml"
+
+- name: Deploy ZSH config to /etc/skel
+ include_tasks: "zsh_skel.yml"
diff --git a/roles/basic_common_settings/tasks/sudo.yml b/roles/basic_common_settings/tasks/sudo.yml
new file mode 100644
index 0000000..75281f9
--- /dev/null
+++ b/roles/basic_common_settings/tasks/sudo.yml
@@ -0,0 +1,17 @@
+---
+
+- name: "Install security/sudo (FreeBSD)"
+ ansible.builtin.package:
+ name: security/sudo
+ state: present
+ when: ansible_os_family == 'FreeBSD'
+
+- name: "Allow group wheel to use sudo (FreeBSD)"
+ ansible.builtin.lineinfile:
+ path: /usr/local/etc/sudoers
+ regexp: '%wheel ALL=\(ALL\) ALL'
+ line: '%wheel ALL=(ALL) ALL'
+ owner: root
+ group: wheel
+ mode: '0440'
+ when: ansible_os_family == 'FreeBSD'
diff --git a/roles/basic_common_settings/tasks/update_script.yml b/roles/basic_common_settings/tasks/update_script.yml
new file mode 100644
index 0000000..cec62a2
--- /dev/null
+++ b/roles/basic_common_settings/tasks/update_script.yml
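Review bot: The `Set up earlyoom (Debian)` task in roles/basic_common_settings/tasks/main.yml includes `sudo.yml` a second time instead of `earlyoom.yml`, so sudo.yml runs twice and the earlyoom install/config tasks added in this commit (roles/basic_common_settings/tasks/earlyoom.yml) never run. Change the line to `include_tasks: "earlyoom.yml"`.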
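Review bot: The `lineinfile` edit of /usr/local/etc/sudoers in roles/basic_common_settings/tasks/sudo.yml has no `validate`, so a typo in `line` leaves the host with a sudoers file sudo refuses to parse, and the only remaining way to escalate is the root SSH login the playbook currently relies on. Add `validate: 'visudo -cf %s'` (spelling out the full path of the visudo the port installs) so the edit is only committed when it parses. The name of the first task says FreeBSD only while main.yml labels the include "FreeBSD/OpenBSD"; the OpenBSD half is not implemented here, which the `when` guards make clear but the include name does not.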
@@ -0,0 +1,42 @@
+---
+
+- name: "Ensure /opt/scripts/ exists"
+ ansible.builtin.file:
+ path: /opt/scripts
+ state: directory
+ mode: '0755'
+
+- name: "Create directory (/etc/sudoers.d)"
+ ansible.builtin.file:
+ path: /etc/sudoers.d
+ state: directory
+ owner: root
+ group: root
+ mode: '0755'
+
+- name: "Sudoers (/etc/sudoers.d/97-update.conf)"
+ ansible.builtin.template:
+ src: ../files/97-update.conf
+ dest: /etc/sudoers.d/97-update-conf
+ owner: root
+ group: root
+ mode: '0440'
+ when: ansible_os_family != 'OpenBSD' # sudo Installation must be fixed first for OpenBSD
+
+- name: "Template Update Script"
+ ansible.builtin.template:
+ src: ../templates/update.sh.j2
+ dest: /opt/scripts/update.sh
+ owner: root
+ group: root
+ mode: u+rwx
+ when: ansible_os_family == 'Debian'
+
+- name: "Template Update Script"
+ ansible.builtin.template:
+ src: ../templates/update.sh.j2
+ dest: /opt/scripts/update.sh
+ owner: root
+ group: wheel
+ mode: u+rwx
+ when: ansible_os_family == 'FreeBSD' or ansible_os_family == 'OpenBSD'
diff --git a/roles/basic_common_settings/tasks/useful_packages.yml b/roles/basic_common_settings/tasks/useful_packages.yml
new file mode 100644
index 0000000..cb46b1a
--- /dev/null
+++ b/roles/basic_common_settings/tasks/useful_packages.yml
@@ -0,0 +1,26 @@
+---
+
+- name: Install useful packages for servers if Debian-based
+ apt:
+ pkg:
+ - whois
+ - curl
+ - nmap
+ - traceroute
+ - zsh
+ - vim
+ - git
+ - net-tools
+ - wget
+ - apt-transport-https
+ - earlyoom
+ - gpg
+ - gpg-agent
+ - htop
+ #- duf #currently not in Debian stable, change when it is
+ - at
+ - pwgen
+ state: present
+ update_cache: true
+ become: true
+ when: ansible_os_family == 'Debian'
diff --git a/roles/basic_common_settings/tasks/zsh_skel.yml b/roles/basic_common_settings/tasks/zsh_skel.yml
new file mode 100644
index 0000000..2fa2653
--- /dev/null
+++ b/roles/basic_common_settings/tasks/zsh_skel.yml
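Review bot: The `Sudoers` task in roles/basic_common_settings/tasks/update_script.yml installs a drop-in under /etc/sudoers.d without `validate: 'visudo -cf %s'`, and sudo treats a parse error in any included file as fatal, so one bad line stops every sudo invocation on the host until it is fixed by hand; add the validate line as the lineinfile task in sudo.yml should also have it. The two `Template Update Script` tasks use `mode: u+rwx`, a symbolic mode that only adds bits, so the group/other permissions of /opt/scripts/update.sh depend on the base mode of the freshly created file rather than on the task; since the script runs as root through the NOPASSWD rule, set an explicit `mode: '0755'` (or `'0750'`). The sudoers task also runs on FreeBSD via `!= 'OpenBSD'`, where sudo from ports reads /usr/local/etc/sudoers.d rather than /etc/sudoers.d and a `sudo` group is not normally present, so the rule lands in a directory sudo never reads; limiting the task to `ansible_os_family == 'Debian'` matches what the file's content supports. The task name mentions `97-update.conf` while `dest` is `97-update-conf`; the dash is the right choice, since sudoers.d skips file names containing a dot, so fix the name rather than the path.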
@@ -0,0 +1,44 @@
+---
+
+- name: Create ZSH config dir (/etc/zsh)
+ file:
+ path: /etc/zsh/
+ owner: root
+ group: root
+ state: directory
+ when: ansible_os_family == 'Debian'
+
+- name: Create ZSH config dir (/etc/zsh)
+ file:
+ path: /etc/zsh/
+ owner: root
+ group: wheel
+ state: directory
+ when: ansible_os_family == 'OpenBSD'
+
+- name: Download GRML ZSH config
+ get_url:
+ url: https://git.grml.org/?p=grml-etc-core.git;a=blob_plain;f=etc/zsh/zshrc;h=22ed16228d1e26b47322bd34b041f544aa5d458d;hb=refs/heads/master
+ dest: /etc/zsh/zshrc
+ mode: '0644'
+ retries: 10
+ delay: 3
+ when: ansible_os_family == 'Debian' or ansible_os_family == 'OpenBSD'
+
+- name: Copy ZSH config to /etc/skel/.zshrc
+ get_url:
+ url: https://git.grml.org/?p=grml-etc-core.git;a=blob_plain;f=etc/zsh/zshrc;h=22ed16228d1e26b47322bd34b041f544aa5d458d;hb=refs/heads/master
+ dest: /etc/skel/.zshrc
+ owner: root
+ group: root
+ mode: '0644'
+ when: ansible_os_family == 'Debian'
+
+- name: Copy ZSH config to /etc/skel/.zshrc
+ get_url:
+ url: https://git.grml.org/?p=grml-etc-core.git;a=blob_plain;f=etc/zsh/zshrc;h=22ed16228d1e26b47322bd34b041f544aa5d458d;hb=refs/heads/master
+ dest: /etc/skel/.zshrc
+ owner: root
+ group: wheel
+ mode: '0644'
+ when: ansible_os_family == 'OpenBSD'
diff --git a/roles/basic_common_settings/templates/update.sh.j2 b/roles/basic_common_settings/templates/update.sh.j2
new file mode 100755
index 0000000..0f65c1f
--- /dev/null
+++ b/roles/basic_common_settings/templates/update.sh.j2
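Review bot: The three `get_url` tasks in roles/basic_common_settings/tasks/zsh_skel.yml fetch a zshrc from git.grml.org at deploy time and install it as /etc/zsh/zshrc and /etc/skel/.zshrc, files every new interactive shell on the host will source, without verifying what was received; the blob hash in the URL selects a revision on the server but proves nothing about the bytes that arrive. `get_url` has `checksum: "sha256:<EXPECTED_SHA256>"` (placeholder, computed once from a known-good copy) for exactly this; add it to each task so a tampered or truncated response fails the task instead of landing in /etc. The same URL is downloaded three times; one download into /etc/zsh/zshrc followed by `ansible.builtin.copy` with `remote_src: true` into /etc/skel/.zshrc keeps a single checksum and a single `retries`/`delay` setting.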
@@ -0,0 +1,23 @@
+#!/bin/sh
+{% if ansible_os_family == "Debian" %}
+export DEBIAN_FRONTEND=noninteractive
+apt update
+apt upgrade -y
+apt autoremove -y
+apt clean
+{% endif %}
+{% if ansible_os_family == "FreeBSD" %}
+freebsd-update fetch
+freebsd-update install
+pkg upgrade
+# Upgrades the Release to the latest updates
+pkg-static install -f pkg
+pkg bootstrap -f
+pkg update
+pkg upgrade
+# Updates all packages
+# Following this How To: https://www.cyberciti.biz/open-source/freebsd-13-released-how-to-update-upgrade-freebsd-12-to-13/
+{% endif %}
+{% if ansible_os_family == "OpenBSD" %}
+pkg_add -u && syspatch
+{% endif %}
diff --git a/roles/firewalld/.yamllint b/roles/firewalld/.yamllint
new file mode 100644
index 0000000..8827676
--- /dev/null
+++ b/roles/firewalld/.yamllint
@@ -0,0 +1,33 @@
+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+ braces:
+ max-spaces-inside: 1
+ level: error
+ brackets:
+ max-spaces-inside: 1
+ level: error
+ colons:
+ max-spaces-after: -1
+ level: error
+ commas:
+ max-spaces-after: -1
+ level: error
+ comments: disable
+ comments-indentation: disable
+ document-start: disable
+ empty-lines:
+ max: 3
+ level: error
+ hyphens:
+ level: error
+ indentation: disable
+ key-duplicates: enable
+ line-length: disable
+ new-line-at-end-of-file: disable
+ new-lines:
+ type: unix
+ trailing-spaces: disable
+ truthy: disable
diff --git a/roles/firewalld/README.md b/roles/firewalld/README.md
new file mode 100644
index 0000000..225dd44
--- /dev/null
+++ b/roles/firewalld/README.md
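Review bot: update.sh.j2 is meant to run unattended through the NOPASSWD sudoers rule, yet the FreeBSD branch calls `pkg upgrade`, `pkg-static install -f pkg` and `pkg bootstrap -f` without `-y`, so each stops at a confirmation prompt, and `freebsd-update` pages its output unless `PAGER` is set to something non-interactive; the Debian branch uses the `apt` front end, which warns that it has no stable CLI interface when used in scripts, where `apt-get` is the scripted form. Nothing guards against unset variables, and the comments `# Upgrades the Release to the latest updates` and `# Updates all packages` sit below the commands they describe. The first `pkg upgrade` before the re-bootstrap is redundant with the one after it. I would not add `set -e` blindly: `freebsd-update install` is reported to exit non-zero when there was nothing to fetch, which would abort the script before the package steps. Rewritten Debian and FreeBSD branches below; the OpenBSD branch is unchanged.
```shell
#!/bin/sh
set -u
{% if ansible_os_family == "Debian" %}
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get -y upgrade
apt-get -y autoremove
apt-get clean
{% endif %}
{% if ansible_os_family == "FreeBSD" %}
# Apply base-system security/errata patches for the running release;
# PAGER=cat keeps freebsd-update from waiting on an interactive pager.
PAGER=cat freebsd-update fetch
PAGER=cat freebsd-update install
# Re-bootstrap pkg, refresh the catalogue, then upgrade all packages.
pkg-static install -f -y pkg
pkg bootstrap -f -y
pkg update
pkg upgrade -y
{% endif %}
# … unchanged: OpenBSD branch …
```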
@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+ - hosts: servers
+ roles:
+ - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).
diff --git a/roles/firewalld/handlers/main.yml b/roles/firewalld/handlers/main.yml
new file mode 100644
index 0000000..9149a44
--- /dev/null
+++ b/roles/firewalld/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for example_role
diff --git a/roles/firewalld/meta/main.yml b/roles/firewalld/meta/main.yml
new file mode 100644
index 0000000..952566f
--- /dev/null
+++ b/roles/firewalld/meta/main.yml
@@ -0,0 +1,53 @@
+galaxy_info:
+ author: your name
+ description: your role description
+ company: your company (optional)
+ namespace: firewalld
+
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+
+ # Choose a valid license ID from https://spdx.org - some suggested licenses:
+ # - BSD-3-Clause (default)
+ # - MIT
+ # - GPL-2.0-or-later
+ # - GPL-3.0-only
+ # - Apache-2.0
+ # - CC-BY-4.0
+ license: license (GPL-2.0-or-later, MIT, etc)
+
+ min_ansible_version: 2.1
+
+ # If this a Container Enabled role, provide the minimum Ansible Container version.
+ # min_ansible_container_version:
+
+ #
+ # Provide a list of supported platforms, and for each platform a list of versions.
+ # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+ # To view available platforms and versions (or releases), visit:
+ # https://galaxy.ansible.com/api/v1/platforms/
+ #
+ # platforms:
+ # - name: Fedora
+ # versions:
+ # - all
+ # - 25
+ # - name: SomePlatform
+ # versions:
+ # - all
+ # - 1.0
+ # - 7
+ # - 99.99
+
+ galaxy_tags: []
+ # List tags for your role here, one per line. A tag is a keyword that describes
+ # and categorizes the role. Users find roles by searching for tags. Be sure to
+ # remove the '[]' above, if you add tags to this list.
+ #
+ # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+ # Maximum 20 tags per role.
+
+dependencies: []
+ # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+ # if you add dependencies to this list.
diff --git a/roles/firewalld/molecule/default/Dockerfile.j2 b/roles/firewalld/molecule/default/Dockerfile.j2
new file mode 100644
index 0000000..19e7f6a
--- /dev/null
+++ b/roles/firewalld/molecule/default/Dockerfile.j2
@@ -0,0 +1,2 @@
+FROM debian:stable
+RUN apt-get update && apt-get install python3-pip python-is-python3 sudo lsb-release -y
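Review bot: roles/firewalld/meta/main.yml still carries the galaxy skeleton placeholders — `author: your name`, `description: your role description`, `company: your company (optional)` and `license: license (GPL-2.0-or-later, MIT, etc)`, which is not a valid SPDX identifier — while `namespace: firewalld` has been filled in; roles/firewalld/README.md and tests/ in the same commit are the unedited skeleton too. Fill in a real author and an SPDX id or remove the placeholder keys, and quote `min_ansible_version: "2.1"` so it is not read as the float 2.1; the value itself predates collections, which the role's `ansible.posix.firewalld` tasks require (2.9 or later).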
diff --git a/roles/firewalld/molecule/default/converge.yml b/roles/firewalld/molecule/default/converge.yml
new file mode 100644
index 0000000..8a63227
--- /dev/null
+++ b/roles/firewalld/molecule/default/converge.yml
@@ -0,0 +1,8 @@
+---
+
+- name: Converge
+ hosts: all
+ tasks:
+ - name: "Include firewalld"
+ include_role:
+ name: "firewalld"
diff --git a/roles/firewalld/molecule/default/molecule.yml b/roles/firewalld/molecule/default/molecule.yml
new file mode 100644
index 0000000..c321303
--- /dev/null
+++ b/roles/firewalld/molecule/default/molecule.yml
@@ -0,0 +1,13 @@
+---
+dependency:
+ name: galaxy
+driver:
+ name: docker
+platforms:
+ - name: molecule
+ image: debian:stable
+ #pre_build_image: true
+provisioner:
+ name: ansible
+verifier:
+ name: ansible
diff --git a/roles/firewalld/molecule/default/verify.yml b/roles/firewalld/molecule/default/verify.yml
new file mode 100644
index 0000000..79044cd
--- /dev/null
+++ b/roles/firewalld/molecule/default/verify.yml
@@ -0,0 +1,10 @@
+---
+# This is an example playbook to execute Ansible tests.
+
+- name: Verify
+ hosts: all
+ gather_facts: false
+ tasks:
+ - name: Example assertion
+ assert:
+ that: true
diff --git a/roles/firewalld/tasks/main.yml b/roles/firewalld/tasks/main.yml
new file mode 100644
index 0000000..714d917
--- /dev/null
+++ b/roles/firewalld/tasks/main.yml
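Review bot: The verifier in roles/firewalld/molecule/default/verify.yml still holds the skeleton `assert: that: true`, so a converge that installed nothing passes the scenario. Replace it with checks of what the role promises, for example `ansible.builtin.service_facts` followed by an assert on `ansible_facts.services['firewalld.service'].state == 'running'`, and an `ansible.builtin.command` running `firewall-cmd --list-services` whose output is asserted to contain `ssh`. The platform in molecule.yml is a plain `debian:stable` container; firewalld needs D-Bus and netfilter access, so the scenario will likely need a systemd-capable image and a privileged driver setting to converge at all — worth confirming before relying on the result.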
@@ -0,0 +1,37 @@
+---
+
+- name: install firewalld
+ package:
+ name: firewalld
+ state: present
+
+- name: "Make sure FirewallD is running"
+ ansible.builtin.service:
+ name: firewalld
+ enabled: yes
+ state: started
+
+- name: Open SSH port in firewall
+ ansible.posix.firewalld:
+ service: ssh
+ permanent: yes
+ state: enabled
+ immediate: yes
+#this is seperate so you don't accidentally remove it
+
+- name: Open services in firewall
+ ansible.posix.firewalld:
+ service: "{{ item }}"
+ permanent: yes
+ state: enabled
+ immediate: yes
+ with_items: "{{ firewall_services }}"
+
+- name: Open ports in firewall
+ ansible.posix.firewalld:
+ port: "{{ item }}"
+ permanent: yes
+ state: enabled
+ immediate: yes
+ with_items: "{{ firewall_ports }}"
+ when: firewall_ports is defined
diff --git a/roles/firewalld/tests/inventory b/roles/firewalld/tests/inventory
new file mode 100644
index 0000000..878877b
--- /dev/null
+++ b/roles/firewalld/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+
diff --git a/roles/firewalld/tests/test.yml b/roles/firewalld/tests/test.yml
new file mode 100644
index 0000000..cc7201e
--- /dev/null
+++ b/roles/firewalld/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - example_role
diff --git a/site.yml b/site.yml
new file mode 100644
index 0000000..fb8a4c0
--- /dev/null
+++ b/site.yml
@@ -0,0 +1,8 @@
+---
+
+- name: Set up user account on all hosts
+ hosts: all
+ remote_user: root
+
+ roles:
+ - basic_common_settings
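Review bot: `Open services in firewall` in roles/firewalld/tasks/main.yml loops over `{{ firewall_services }}` with no `when: firewall_services is defined` guard and no defaults file in this commit, unlike the ports task below it, so applying the role without that variable fails with an undefined-variable error instead of opening only SSH. Either add the same guard or, better, create roles/firewalld/defaults/main.yml with `firewall_services: []` and `firewall_ports: []` (a comment on each describing the expected entries) and drop the `is defined` checks. `ansible.posix.firewalld` comes from a collection that nothing in the commit declares; a requirements.yml listing `ansible.posix` lets the galaxy dependency step in molecule.yml resolve it. The comment `#this is seperate so you don't accidentally remove it` is easier to find above the SSH task it refers to, as `# Kept as its own task so the SSH rule cannot be lost by editing the variable lists`; the `yes` values on `enabled`, `permanent` and `immediate` read more consistently as `true`.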
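Review bot: roles/firewalld/tests/test.yml applies `example_role`, which does not exist in this repository, so the test playbook fails at role resolution; change the entry to `- firewalld`, or drop tests/ since molecule/default already exercises the role.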
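Review bot: site.yml applies only `basic_common_settings`, so the `apt`, `apt-update-upgrade`, `apt_listchanges` and `firewalld` roles added in this commit are never run by the playbook the two helper scripts invoke, unless a playbook outside this change references them. Add them to the `roles` list, or put the Debian-only ones in a second play with `hosts: debianservers`. The play name `Set up user account on all hosts` describes none of the included roles. `remote_user: root` also requires the SSH server to permit root logins; an unprivileged remote user with `become: true` at play level is the usual hardening step, and it would also cover the template tasks in this commit (for example roles/apt/tasks/apt.yml) that currently write to /etc without `become`.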