Diffstat (limited to 'roles/common/tasks')
-rw-r--r-- | roles/common/tasks/bacula.yml | 8 | ||||
-rw-r--r-- | roles/common/tasks/fail2ban.yml | 4 | ||||
-rw-r--r-- | roles/common/tasks/ipsec.yml | 2 | ||||
-rw-r--r-- | roles/common/tasks/main.yml | 1 | ||||
-rw-r--r-- | roles/common/tasks/munin-node.yml | 26 |
5 files changed, 35 insertions, 6 deletions
diff --git a/roles/common/tasks/bacula.yml b/roles/common/tasks/bacula.yml index 73a2fa1..fb37b5b 100644 --- a/roles/common/tasks/bacula.yml +++ b/roles/common/tasks/bacula.yml @@ -46,27 +46,35 @@ tags: - genkey - name: Copy the master public key for data encryption copy: src=certs/bacula/data-master.pem dest=/etc/bacula/ssl/master.pem owner=root group=root mode=0644 tags: - genkey - name: Copy bacula-fd.service copy: src=etc/systemd/system/bacula-fd.service dest=/etc/systemd/system/bacula-fd.service owner=root group=root mode=0644 notify: - systemctl daemon-reload - Restart bacula-fd +# We use RuntimeDirectory in our service unit to avoid permission issues +# caused by the restrictive Capability Bounding Set +- name: Mask /usr/lib/tmpfiles.d/bacula.conf + file: src=/dev/null + dest=/etc/tmpfiles.d/bacula.conf + owner=root group=root + state=link + - meta: flush_handlers - name: Enable bacula-fd service: name=bacula-fd enabled=yes - name: Start bacula-fd service: name=bacula-fd state=started diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml index 89427ea..e56deaf 100644 --- a/roles/common/tasks/fail2ban.yml +++ b/roles/common/tasks/fail2ban.yml 
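Review bot: The new `Mask /usr/lib/tmpfiles.d/bacula.conf` task creates the `/etc/tmpfiles.d/bacula.conf` symlink without `force=yes`, so the file module errors out instead of replacing a pre-existing regular file at that path, whereas the other `state=link` tasks in this role (the if-down.d link in ipsec.yml, the plugin links in munin-node.yml) do pass it; the `munin-common.conf` mask added in munin-node.yml has the same gap. Suggested: `file: src=/dev/null dest=/etc/tmpfiles.d/bacula.conf owner=root group=root state=link force=yes`. The comment above the task would also help a later reader if it named the effect of the mask rather than only the motivation, e.g. `# ... the packaged tmpfiles.d snippet is masked so that only RuntimeDirectory creates the runtime directory` — phrased as an assumption, since the snippet's contents are not in this diff. Masking a tmpfiles.d snippet only changes the next systemd-tmpfiles run; that is presumably fine here because the unit's RuntimeDirectory covers the directory at service start, but it is worth confirming on a host where the snippet was already applied.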
@@ -36,44 +36,44 @@ - Restart fail2ban - name: Configure fail2ban (action.d/nftables-allports.local) copy: src=etc/fail2ban/action.d/nftables-allports.local dest=/etc/fail2ban/action.d/nftables-allports.local owner=root group=root mode=0644 register: r3 notify: - Restart fail2ban - name: Copy filters copy: src=etc/fail2ban/filter.d/ dest=/etc/fail2ban/filter.d/ owner=root group=root mode=0644 register: r4 notify: - Restart fail2ban -- name: Create directory /etc/systemd/system/fail2ban.service.d/override.conf +- name: Create directory /etc/systemd/system/fail2ban.service.d file: path=/etc/systemd/system/fail2ban.service.d state=directory owner=root group=root - mode=0750 + mode=0755 - name: Harden fail2ban.service copy: src=etc/systemd/system/fail2ban.service.d/override.conf dest=/etc/systemd/system/fail2ban.service.d/override.conf owner=root group=root mode=0644 register: r5 notify: - systemctl daemon-reload - Restart fail2ban - name: Start fail2ban service: name=fail2ban state=started when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed) - meta: flush_handlers - name: Delete /var/lib/fail2ban/fail2ban.sqlite3 file: path=/var/lib/fail2ban/fail2ban.sqlite3 state=absent diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml index 989541b..30bb481 100644 --- a/roles/common/tasks/ipsec.yml +++ b/roles/common/tasks/ipsec.yml 
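Review bot: The drop-in directory mode is relaxed from `0750` to `0755` in `Create directory /etc/systemd/system/fail2ban.service.d` with no in-file rationale, and the new munin-node.service.d directory in munin-node.yml uses `0755` as well, so someone hardening the role later may tighten it straight back. A one-line comment above the task would pin the intent, e.g. `# 0755 like the rest of /etc/systemd/system; override.conf below is 0644 and holds no secrets` — the second half is an assumption about override.conf's contents, which this diff does not show, so confirm it before adopting the wording. The task rename in the same hunk is fine as is.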
@@ -1,38 +1,36 @@ - name: Install strongSwan apt: pkg={{ packages }} vars: packages: - strongswan-charon # for the GCM and openssl plugins - libstrongswan-standard-plugins notify: - Update firewall - Restart IPsec - name: Auto-create a dedicated virtual subnet for IPsec template: src=etc/network/if-up.d/ipsec.j2 dest=/etc/network/if-up.d/ipsec owner=root group=root mode=0755 - notify: - - Reload networking - name: Auto-deactivate the dedicated virtual subnet for IPsec file: src=../if-up.d/ipsec dest=/etc/network/if-down.d/ipsec owner=root group=root state=link force=yes - meta: flush_handlers - name: Configure IPsec template: src=etc/ipsec.conf.j2 dest=/etc/ipsec.conf owner=root group=root mode=0644 register: r1 notify: - Restart IPsec - name: Configure IPsec's secrets template: src=etc/ipsec.secrets.j2 diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 02a745c..55c1489 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -65,33 +65,32 @@ tags: - bacula-fd - bacula - import_tasks: munin-node.yml tags: - munin-node - munin - name: Install common packages apt: pkg={{ packages }} vars: packages: - ca-certificates - etckeeper - ethtool - git - htop - molly-guard - rsync - screen - - telnet-ssl - name: Disable resume device # Cf. initramfs-tools(7) and initramfs.conf(5). copy: src=etc/initramfs-tools/conf.d/resume dest=/etc/initramfs-tools/conf.d/resume owner=root group=root mode=0644 tags: - initramfs - resume notify: - Update initramfs diff --git a/roles/common/tasks/munin-node.yml b/roles/common/tasks/munin-node.yml index f43094a..a713f08 100644 --- a/roles/common/tasks/munin-node.yml +++ b/roles/common/tasks/munin-node.yml 
@@ -116,25 +116,49 @@ dest=/etc/munin/plugins/postfix_mailqueue_postfix owner=root group=root state=link force=yes register: r6 notify: - Restart munin-node - name: Install 'postfix_stats_' Munin wildcard plugin file: src=/usr/local/share/munin/plugins/postfix_stats_ dest=/etc/munin/plugins/postfix_stats_{{ item }}_postfix owner=root group=root state=link force=yes register: r7 with_items: - smtpd - qmgr - smtp notify: - Restart munin-node +- name: Create directory /etc/systemd/system/munin-node.service.d + file: path=/etc/systemd/system/munin-node.service.d + state=directory + owner=root group=root + mode=0755 + +- name: Copy munin-node.service override + copy: src=etc/systemd/system/munin-node.service.d/override.conf + dest=/etc/systemd/system/munin-node.service.d/override.conf + owner=root group=root + mode=0644 + register: r8 + notify: + - systemctl daemon-reload + - Restart munin-node + +# We use RuntimeDirectory in our overrride unit to avoid permission +# issues caused by the restrictive Capability Bounding Set +- name: Mask /usr/lib/tmpfiles.d/munin-common.conf + file: src=/dev/null + dest=/etc/tmpfiles.d/munin-common.conf + owner=root group=root + state=link + - name: Start munin-node service: name=munin-node state=started - when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed or r6.changed or r7.changed) + when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed or r6.changed or r7.changed or r8.changed) - meta: flush_handlers |
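Review bot: The comment above `Mask /usr/lib/tmpfiles.d/munin-common.conf` misspells `overrride`, and it presents the mask as a per-unit workaround although a symlink in `/etc/tmpfiles.d/` disables the packaged snippet for the whole host — any other munin component on the same machine that relied on it (a co-located munin master, if there ever is one) would lose that directory too; this is inferred, since the snippet's contents are not in the diff. Suggested: `# We use RuntimeDirectory in our override unit to avoid permission` / `# issues caused by the restrictive Capability Bounding Set; note that` / `# the mask disables the packaged tmpfiles snippet host-wide.` The `when:` on `Start munin-node` now chains eight registered results by hand; it works, but a list test such as `when: not ([r1, r2, r3, r4, r5, r6, r7, r8] | map(attribute='changed') | select | list)` would keep the next addition from having to edit that line — a style point only.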