Diffstat (limited to 'roles/common/tasks')
| -rw-r--r-- | roles/common/tasks/firewall.yml | 2 | ||||
| -rw-r--r-- | roles/common/tasks/logging.yml | 2 | ||||
| -rw-r--r-- | roles/common/tasks/main.yml | 4 |
3 files changed, 4 insertions, 4 deletions
diff --git a/roles/common/tasks/firewall.yml b/roles/common/tasks/firewall.yml
index fd1ad92..30f4fa9 100644
--- a/roles/common/tasks/firewall.yml
+++ b/roles/common/tasks/firewall.yml
@@ -1,27 +1,27 @@ - name: Install nftables apt: pkg=nftables - name: Copy /usr/local/sbin/update-firewall copy: src=usr/local/sbin/update-firewall dest=/usr/local/sbin/update-firewall owner=root group=staff mode=0755 - name: Copy /etc/nftables.conf template: src=etc/nftables.conf.j2 dest=/etc/nftables.conf owner=root group=root mode=0644 - name: Ensure the firewall is up to date command: /usr/local/sbin/update-firewall -c register: rv # A non-zero return value will make ansible stop and show stderr. This # is what we want. - changed_when: rv.rc + changed_when: rv.rc != 0 - name: Enable nftables.service service: name=nftables enabled=yes - name: Start nftables.service service: name=nftables state=started
diff --git a/roles/common/tasks/logging.yml b/roles/common/tasks/logging.yml
index aaea63f..699c6e3 100644
--- a/roles/common/tasks/logging.yml
+++ b/roles/common/tasks/logging.yml
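Review bot: `changed_when: rv.rc != 0` can only be true for a task that has already failed, because the `command` module treats any non-zero exit as a failure before the result is reported (the comment above it says that is intended), so on every successful run "Ensure the firewall is up to date" is reported unchanged even if update-firewall -c applied changes. If the script signals "rules changed" through a distinct exit status, that status needs to be excluded from failure with a matching `failed_when: rv.rc not in [0, <CHANGED_RC>]` so it is not treated as an error; otherwise the honest form is `changed_when: false` with a comment that the script does not report whether it changed anything. A one-line comment stating which exit codes the script returns would make the intent checkable by the next reader.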
@@ -43,41 +43,41 @@ owner=root group=root mode=0644 with_items: - logcheck.conf - ignore.d.server/common-local - ignore.d.server/dovecot-local - ignore.d.server/postfix-local - ignore.d.server/strongswan-local # logcheck-sudo already exists, but changing the filename for our # local modifications would defeat the ruleset - violations.ignore.d/logcheck-sudo tags: - logcheck - name: Configure logcheck (2) lineinfile: dest=/etc/logcheck/logcheck.logfiles line={{ item }} state=present create=yes owner=root group=root - mode=0640 + mode=0644 with_items: - /var/log/syslog - /var/log/auth.log - /var/log/mail.log tags: - logcheck - name: Minimal logging policy (1) lineinfile: dest=/etc/logrotate.d/rsyslog regexp="^/var/log/mail\\.(log|info|sasl)$" state=absent owner=root group=root mode=0644 - name: Minimal logging policy (2) copy: src=etc/logrotate.d/fripost-mail dest=/etc/logrotate.d/fripost-mail owner=root group=root mode=0644 tags:
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 1dc286e..293d22b 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
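Review bot: Loosening `mode=0640` to `mode=0644` on /etc/logcheck/logcheck.logfiles makes the list world-readable and the hunk gives no reason; if the motivation is that the file was unreadable by the logcheck user (it is created `owner=root group=root`, so 0640 locks that user out), the least-privilege fix is `group=logcheck mode=0640`, assuming the logcheck package's group exists on the host. If 0644 is deliberate, for example to match the package's own default, record it with a comment such as `# 0644: match the logcheck package default, file holds only log paths` so the widening is not reverted later. The exposure is low either way since the file contains only log-file paths. The task preceding "Configure logcheck (2)" starts outside this hunk.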
@@ -1,41 +1,41 @@ --- - import_tasks: sysctl.yml tags: sysctl - import_tasks: hosts.yml - import_tasks: apt.yml tags: apt - name: Install intel-microcode apt: pkg=intel-microcode when: "ansible_processor[1] is search('^(Genuine)?Intel.*') and not ansible_virtualization_role == 'guest'" tags: intel - import_tasks: firewall.yml tags: - firewall - iptables - nftables - import_tasks: stunnel.yml tags: stunnel when: "'webmail' in group_names and 'LDAP_provider' not in group_names" -- import_tasks: auditd.yml - tags: auditd +#- import_tasks: auditd.yml +# tags: auditd - import_tasks: resolved.yml tags: - resolv - resolved - dns - import_tasks: unbound.yml tags: - unbound - dns when: "ansible_processor[1] is search('^(Genuine)?Intel.*') and not ansible_virtualization_role == 'guest'" - import_tasks: rkhunter.yml tags: rkhunter - import_tasks: clamav.yml tags: clamav - import_tasks: fail2ban.yml tags: fail2ban - import_tasks: smart.yml tags: - smartmontools - smart |
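Review bot: Commenting out `- import_tasks: auditd.yml` and its `tags: auditd` leaves dead configuration with no record of why auditd is disabled, and it silently turns `--tags auditd` into a no-op; either delete the two lines (history keeps them) or keep them with a comment such as `# auditd disabled <DATE>: <REASON>; re-enable once <CONDITION>` so the missing kernel audit trail is visible to the next reader of the play, not only in the commit message. Unrelated to this change but visible in the hunk, the `when:` on `import_tasks: unbound.yml` is identical to the intel-microcode condition (`ansible_processor[1] is search('^(Genuine)?Intel.*') and not ansible_virtualization_role == 'guest'`), which looks like a copy-paste; it is worth confirming unbound is really meant to be skipped on non-Intel and virtualized hosts.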
