Diffstat (limited to 'roles/common/tasks/main.yml')
-rw-r--r-- | roles/common/tasks/main.yml | 114 |
1 files changed, 73 insertions, 41 deletions
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 470a6b2..1dc286e 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -1,70 +1,102 @@ --- -- include: sysctl.yml tags=sysctl -- include: hosts.yml -- include: apt.yml tags=apt +- import_tasks: sysctl.yml + tags: sysctl +- import_tasks: hosts.yml +- import_tasks: apt.yml + tags: apt - name: Install intel-microcode apt: pkg=intel-microcode - when: "ansible_processor[0] | search('^(Genuine)?Intel.*') and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')" + when: "ansible_processor[1] is search('^(Genuine)?Intel.*') and not ansible_virtualization_role == 'guest'" tags: intel -- include: firewall.yml tags=firewall,iptables -- include: samhain.yml tags=samhain -- include: auditd.yml tags=auditd -- include: rkhunter.yml tags=rkhunter -- include: clamav.yml tags=clamav -- include: fail2ban.yml tags=fail2ban -- include: smart.yml tags=smartmontools,smart - when: "not ((ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen') or ansible_system_vendor == 'QEMU')" -- include: haveged.yml tags=haveged,entropy +- import_tasks: firewall.yml + tags: + - firewall + - iptables + - nftables + +- import_tasks: stunnel.yml + tags: stunnel + when: "'webmail' in group_names and 'LDAP_provider' not in group_names" +- import_tasks: auditd.yml + tags: auditd +- import_tasks: resolved.yml + tags: + - resolv + - resolved + - dns +- import_tasks: unbound.yml + tags: + - unbound + - dns + when: "ansible_processor[1] is search('^(Genuine)?Intel.*') and not ansible_virtualization_role == 'guest'" +- import_tasks: rkhunter.yml + tags: rkhunter +- import_tasks: clamav.yml + tags: clamav +- import_tasks: fail2ban.yml + tags: fail2ban +- import_tasks: smart.yml + tags: + - smartmontools + - smart + when: "not ansible_virtualization_role == 'guest'" - name: Copy genkeypair.sh and gendhparam.sh copy: src=usr/local/bin/{{ item }} dest=/usr/local/bin/{{ item }} - owner=root group=root + owner=root group=staff mode=0755 tags: genkey with_items: - genkeypair.sh - gendhparam.sh - name: Generate DH parameters - 
command: gendhparam.sh /etc/ssl/private/dhparams.pem creates=/etc/ssl/private/dhparams.pem + command: gendhparam.sh /etc/ssl/dhparams.pem 2048 + creates=/etc/ssl/dhparams.pem tags: genkey -- include: logging.yml tags=logging -- include: ntp.yml tags=ntp -- include: mail.yml tags=mail,postfix -- include: bacula.yml tags=bacula-fd,bacula -- include: munin-node.yml tags=munin-node,munin +- import_tasks: ipsec.yml + tags: + - strongswan + - ipsec + when: "groups.all | length > 1" +- import_tasks: logging.yml + tags: logging +- import_tasks: ntp.yml + tags: ntp +- import_tasks: mail.yml + tags: + - mail + - postfix +- import_tasks: bacula.yml + tags: + - bacula-fd + - bacula +- import_tasks: munin-node.yml + tags: + - munin-node + - munin - name: Install common packages - apt: pkg={{ item }} - with_items: + apt: pkg={{ packages }} + vars: + packages: - ca-certificates - etckeeper - ethtool - git - htop - molly-guard - rsync - screen - - telnet-ssl - -# XXX: this is a workaround the CAcert root CAs not being present in -# Jessie. In stretch, we would merely install the 'ca-cacert' package. -- name: Create directory /usr/local/share/ca-certificates/CAcert - file: path=/usr/local/share/ca-certificates/CAcert - state=directory - owner=root group=root - mode=0755 - tags: - - certs + - bind9-dnsutils -- name: Copy CAcert root CAs - copy: src=certs/CAcert/{{ item }} - dest=/usr/local/share/ca-certificates/CAcert/{{ item }} +- name: Disable resume device + # Cf. initramfs-tools(7) and initramfs.conf(5). + copy: src=etc/initramfs-tools/conf.d/resume + dest=/etc/initramfs-tools/conf.d/resume owner=root group=root mode=0644 - with_items: - - root.crt - - class3.crt tags: - - certs + - initramfs + - resume notify: - - Update certificate + - Update initramfs |
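Review bot: The `when:` added to the `import_tasks: unbound.yml` entry is byte-identical to the intel-microcode condition (`ansible_processor[1] is search('^(Genuine)?Intel.*') and not ansible_virtualization_role == 'guest'`), so the DNS resolver tasks are gated on CPU vendor and on not being a VM guest; this looks like a copy-paste from the microcode task above and would silently skip unbound on AMD hosts and on every guest, leaving `resolved.yml` configured against a resolver that was never installed. Unless that gating is intended, drop the `when:` line on the unbound import or replace it with the condition actually meant for the resolver. A smaller point of style in the same hunk: the `creates=` option folded into the free-form `command: gendhparam.sh /etc/ssl/dhparams.pem 2048` string would be clearer as native YAML, `args:` followed by `creates: /etc/ssl/dhparams.pem`, consistent with the rest of the file's move away from `key=value` arguments. The DH parameter file also moves from /etc/ssl/private to /etc/ssl in this hunk; that is only safe if every consumer of the old path elsewhere in the repository was updated in the same commit, which cannot be confirmed from this file.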