9 files changed, 70 insertions, 50 deletions

diff --git a/roles/common/tasks/bacula.yml b/roles/common/tasks/bacula.yml
index fb37b5b..308e358 100644
--- a/roles/common/tasks/bacula.yml
+++ b/roles/common/tasks/bacula.yml
@@ -10,7 +10,7 @@
 - name: Delete /etc/bacula/common_default_passwords
   file: path=/etc/bacula/common_default_passwords state=absent
 
-# Create with:
+# Populate with:
 #   echo $director-dir $(pwgen -sn 64 1) | sudo tee -a /etc/bacula/passwords-fd
 - name: Ensure /etc/bacula/passwords-fd exists
   file: path=/etc/bacula/passwords-fd
@@ -54,23 +54,21 @@
   tags:
     - genkey
 
-- name: Copy bacula-fd.service
-  copy: src=etc/systemd/system/bacula-fd.service
-        dest=/etc/systemd/system/bacula-fd.service
+- name: Create /etc/systemd/system/bacula-fd.service.d
+  file: path=/etc/systemd/system/bacula-fd.service.d
+        state=directory
+        owner=root group=root
+        mode=0755
+
+- name: Copy bacula-fd.service override
+  copy: src=etc/systemd/system/bacula-fd.service.d/override.conf
+        dest=/etc/systemd/system/bacula-fd.service.d/override.conf
         owner=root group=root
         mode=0644
   notify:
     - systemctl daemon-reload
     - Restart bacula-fd
 
-# We use RuntimeDirectory in our service unit to avoid permission issues
-# caused by the restrictive Capability Bounding Set
-- name: Mask /usr/lib/tmpfiles.d/bacula.conf
-  file: src=/dev/null
-        dest=/etc/tmpfiles.d/bacula.conf
-        owner=root group=root
-        state=link
-
 - meta: flush_handlers
 
 - name: Enable bacula-fd
diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml
index e56deaf..563075f 100644
--- a/roles/common/tasks/fail2ban.yml
+++ b/roles/common/tasks/fail2ban.yml
@@ -1,22 +1,6 @@
 - name: Install fail2ban
   apt: pkg=fail2ban
 
-# Log into a dedicate directory so we can use ReadWriteDirectories in
-# the .service file
-- name: Create directory /var/log/fail2ban
-  file: path=/var/log/fail2ban
-        state=directory
-        owner=root group=adm
-        mode=0750
-
-- name: Fix fail2ban logrotate snippet
-  lineinfile: dest=/etc/logrotate.d/fail2ban
-              state=present
-              line="/var/log/fail2ban/*.log"
-              insertbefore="^[^#]*\\s{$"
-  tags:
-    - logrotate
-
 - name: Configure fail2ban (fail2ban.local)
   copy: src=etc/fail2ban/fail2ban.local
         dest=/etc/fail2ban/fail2ban.local
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
index 4fc2ef7..917c687 100644
--- a/roles/common/tasks/ipsec.yml
+++ b/roles/common/tasks/ipsec.yml
@@ -3,6 +3,7 @@
   vars:
     packages:
     - strongswan-charon
+    - strongswan-starter
       # for the GCM and openssl plugins
     - libstrongswan-standard-plugins
   notify:
diff --git a/roles/common/tasks/logging.yml b/roles/common/tasks/logging.yml
index b602a49..2b4a42a 100644
--- a/roles/common/tasks/logging.yml
+++ b/roles/common/tasks/logging.yml
@@ -3,7 +3,6 @@
   vars:
     packages:
     - rsyslog
-    - syslog-summary
     - logcheck
     - logcheck-database
     - logrotate
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index fc692fa..a6795ba 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -82,6 +82,7 @@
     - molly-guard
     - rsync
     - screen
+    - bind9-dnsutils
 
 - name: Disable resume device
   # Cf. initramfs-tools(7) and initramfs.conf(5).
diff --git a/roles/common/tasks/munin-node.yml b/roles/common/tasks/munin-node.yml
index a713f08..2411b59 100644
--- a/roles/common/tasks/munin-node.yml
+++ b/roles/common/tasks/munin-node.yml
@@ -62,10 +62,6 @@
     - load
     - memory
     - netstat
-    - ntp_kernel_err
-    - ntp_kernel_pll_freq
-    - ntp_kernel_pll_off
-    - ntp_offset
     - open_files
     - open_inodes
     - processes
@@ -78,6 +74,20 @@
   notify:
     - Restart munin-node
 
+- name: Install Munin plugins
+  file: src=/usr/share/munin/plugins/{{ item }}
+        dest=/etc/munin/plugins/{{ item }}
+        owner=root group=root
+        state=link force=yes
+  with_items:
+    - ntp_kernel_err
+    - ntp_kernel_pll_freq
+    - ntp_kernel_pll_off
+    - ntp_offset
+  when: "'NTP_master' in group_names"
+  notify:
+    - Restart munin-node
+
 - name: Delete unnecessary Munin plugins
   file: path=/etc/munin/plugins/{{ item }}
         state=absent
@@ -90,6 +100,18 @@
   notify:
     - Restart munin-node
 
+- name: Delete unnecessary Munin plugins
+  file: path=/etc/munin/plugins/{{ item }}
+        state=absent
+  with_items:
+    - ntp_kernel_err
+    - ntp_kernel_pll_freq
+    - ntp_kernel_pll_off
+    - ntp_offset
+  when: "'NTP_master' not in group_names"
+  notify:
+    - Restart munin-node
+
 - name: Install 'if_' Munin wildcard plugin
   file: src=/usr/share/munin/plugins/{{ item.0 }}_
         dest=/etc/munin/plugins/{{ item.0 }}_{{ item.1 }}
diff --git a/roles/common/tasks/ntp.yml b/roles/common/tasks/ntp.yml
index f9a01c8..2ff9e49 100644
--- a/roles/common/tasks/ntp.yml
+++ b/roles/common/tasks/ntp.yml
@@ -1,15 +1,33 @@
-- name: Install ntp
-  apt: pkg=ntp
+- name: Remove ntp package
+  apt: pkg=ntp state={{ state }} purge=yes
+  vars:
+    state: "{{ ('NTP_master' in group_names) | ternary('present', 'absent') }}"
+
+- name: Install systemd-timesyncd package
+  apt: pkg=systemd-timesyncd state=present purge=yes
+  when: "'NTP_master' not in group_names"
+
+- name: Create /etc/systemd/timesyncd.conf.d
+  file: path=/etc/systemd/timesyncd.conf.d
+        state=directory
+        owner=root group=root
+        mode=0755
+  when: "'NTP_master' not in group_names"
 
 - name: Configure ntp
-  template: src=etc/ntp.conf.j2
-            dest=/etc/ntp.conf
+  template: src=etc/{{ conf }}.j2
+            dest=/etc/{{ conf }}
             owner=root group=root
             mode=0644
+  vars:
+    conf: "{{ ('NTP_master' in group_names) | ternary('ntp.conf', 'systemd/timesyncd.conf.d/fripost.conf') }}"
+    service: "{{ ('NTP_master' in group_names) | ternary('ntp', 'systemd-timesyncd') }}"
   notify:
-    - Restart ntp
+    - Restart {{ service }}
 
 - meta: flush_handlers
 
-- name: Start ntp
-  service: name=ntp state=started
+- name: Start and enable ntp
+  service: name={{ service }}.service state=started enabled=true
+  vars:
+    service: "{{ ('NTP_master' in group_names) | ternary('ntp', 'systemd-timesyncd') }}"
diff --git a/roles/common/tasks/smart.yml b/roles/common/tasks/smart.yml
index 8d35d9f..68e507f 100644
--- a/roles/common/tasks/smart.yml
+++ b/roles/common/tasks/smart.yml
@@ -1,12 +1,5 @@
 - name: Install smartmontools
   apt: pkg=smartmontools
 
-- name: Auto-enable smartmontools
-  lineinfile: dest=/etc/default/smartmontools
-              regexp='^(\s*#)?\s*start_smartd='
-              line='start_smartd=yes'
-              owner=root group=root
-              mode=0644
-
 - name: Start smartd
   service: name=smartmontools state=started
diff --git a/roles/common/tasks/sysctl.yml b/roles/common/tasks/sysctl.yml
index 3bf3b4f..08a1b13 100644
--- a/roles/common/tasks/sysctl.yml
+++ b/roles/common/tasks/sysctl.yml
@@ -11,10 +11,14 @@
     - { name: 'net.ipv4.conf.default.rp_filter', value: 1 }
     - { name: 'net.ipv4.conf.all.rp_filter',     value: 1 }
 
-      # Enable TCP/IP SYN cookies to avoid TCP SYN flood attacks. We
-      # rate-limit not only the default ICMP types 3, 4, 11 and 12
+      # Disable SYN cookies and improve SYN backlog handling, see tcp(7) and
+      # https://levelup.gitconnected.com/linux-kernel-tuning-for-high-performance-networking-high-volume-incoming-connections-196e863d458a
+    - { name: 'net.ipv4.tcp_syncookies',      value: 0     }
+    - { name: 'net.ipv4.tcp_synack_retries',  value: 1     }
+    - { name: 'net.ipv4.tcp_max_syn_backlog', value: 32768 }
+
+      # We rate-limit not only the default ICMP types 3, 4, 11 and 12
       # (0x1818), but also types 0 and 8. See icmp(7).
-    - { name: 'net.ipv4.tcp_syncookies',  value: 1 }
     - { name: 'net.ipv4.icmp_ratemask',   value: 6425 }
     - { name: 'net.ipv4.icmp_ratelimit',  value: 1000 }