Diffstat (limited to 'roles/common/tasks')
-rw-r--r--roles/common/tasks/bacula.yml14
-rw-r--r--roles/common/tasks/fail2ban.yml20
-rw-r--r--roles/common/tasks/ipsec.yml5
-rw-r--r--roles/common/tasks/logging.yml1
-rw-r--r--roles/common/tasks/main.yml4
-rw-r--r--roles/common/tasks/munin-node.yml56
-rw-r--r--roles/common/tasks/ntp.yml32
-rw-r--r--roles/common/tasks/smart.yml7
-rw-r--r--roles/common/tasks/stunnel.yml12
-rw-r--r--roles/common/tasks/sysctl.yml10
10 files changed, 102 insertions, 59 deletions
diff --git a/roles/common/tasks/bacula.yml b/roles/common/tasks/bacula.yml
index 73a2fa1..308e358 100644
--- a/roles/common/tasks/bacula.yml
+++ b/roles/common/tasks/bacula.yml
@@ -10,7 +10,7 @@
- name: Delete /etc/bacula/common_default_passwords
file: path=/etc/bacula/common_default_passwords state=absent
-# Create with:
+# Populate with:
# echo $director-dir $(pwgen -sn 64 1) | sudo tee -a /etc/bacula/passwords-fd
- name: Ensure /etc/bacula/passwords-fd exists
file: path=/etc/bacula/passwords-fd
@@ -54,9 +54,15 @@
tags:
- genkey
-- name: Copy bacula-fd.service
- copy: src=etc/systemd/system/bacula-fd.service
- dest=/etc/systemd/system/bacula-fd.service
+- name: Create /etc/systemd/system/bacula-fd.service.d
+ file: path=/etc/systemd/system/bacula-fd.service.d
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Copy bacula-fd.service override
+ copy: src=etc/systemd/system/bacula-fd.service.d/override.conf
+ dest=/etc/systemd/system/bacula-fd.service.d/override.conf
owner=root group=root
mode=0644
notify:
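Review bot: The full unit file the old task copied to /etc/systemd/system/bacula-fd.service is not removed anywhere in this hunk, so on hosts provisioned before this change it keeps shadowing the packaged unit and the new drop-in at /etc/systemd/system/bacula-fd.service.d/override.conf is layered on the stale copy rather than on the distribution unit. A cleanup task before the directory creation would make the migration deterministic, e.g. `- name: Delete obsolete /etc/systemd/system/bacula-fd.service` / `file: path=/etc/systemd/system/bacula-fd.service state=absent` / `notify: systemctl daemon-reload`. The notify list of the copy task continues outside the hunk, so whether it already includes the daemon-reload handler (which this commit uses in munin-node.yml) cannot be confirmed from here.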
diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml
index 89427ea..563075f 100644
--- a/roles/common/tasks/fail2ban.yml
+++ b/roles/common/tasks/fail2ban.yml
@@ -1,22 +1,6 @@
- name: Install fail2ban
apt: pkg=fail2ban
-# Log into a dedicate directory so we can use ReadWriteDirectories in
-# the .service file
-- name: Create directory /var/log/fail2ban
- file: path=/var/log/fail2ban
- state=directory
- owner=root group=adm
- mode=0750
-
-- name: Fix fail2ban logrotate snippet
- lineinfile: dest=/etc/logrotate.d/fail2ban
- state=present
- line="/var/log/fail2ban/*.log"
- insertbefore="^[^#]*\\s{$"
- tags:
- - logrotate
-
- name: Configure fail2ban (fail2ban.local)
copy: src=etc/fail2ban/fail2ban.local
dest=/etc/fail2ban/fail2ban.local
@@ -53,11 +37,11 @@
notify:
- Restart fail2ban
-- name: Create directory /etc/systemd/system/fail2ban.service.d/override.conf
+- name: Create directory /etc/systemd/system/fail2ban.service.d
file: path=/etc/systemd/system/fail2ban.service.d
state=directory
owner=root group=root
- mode=0750
+ mode=0755
- name: Harden fail2ban.service
copy: src=etc/systemd/system/fail2ban.service.d/override.conf
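Review bot: Relaxing the drop-in directory to mode=0755 is harmless for a systemd override that holds no secrets and matches the bacula-fd and munin-node drop-in directories created elsewhere in this commit, but the first hunk of this file removes /var/log/fail2ban, which the deleted comment says existed only so that ReadWriteDirectories could be used in the override copied by the following task. Unless override.conf and fail2ban.local (outside roles/common/tasks, so not visible in this diff) were updated in the same commit to stop referencing that directory, fail2ban will be unable to open its log after the sandboxing is applied; confirm the rendered unit with `systemctl cat fail2ban`. Already-provisioned hosts also keep the orphaned directory and the `/var/log/fail2ban/*.log` logrotate line, which a `state=absent` task would tidy.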
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
index 989541b..917c687 100644
--- a/roles/common/tasks/ipsec.yml
+++ b/roles/common/tasks/ipsec.yml
@@ -3,6 +3,7 @@
vars:
packages:
- strongswan-charon
+ - strongswan-starter
# for the GCM and openssl plugins
- libstrongswan-standard-plugins
notify:
@@ -14,16 +15,12 @@
dest=/etc/network/if-up.d/ipsec
owner=root group=root
mode=0755
- notify:
- - Reload networking
- name: Auto-deactivate the dedicated virtual subnet for IPsec
file: src=../if-up.d/ipsec
dest=/etc/network/if-down.d/ipsec
owner=root group=root state=link force=yes
-- meta: flush_handlers
-
- name: Configure IPsec
template: src=etc/ipsec.conf.j2
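Review bot: Dropping the `Reload networking` notify on the if-up.d/ipsec copy task together with the `meta: flush_handlers` means a newly installed or modified hook script is no longer executed during the play; the dedicated IPsec subnet will only come up on the next interface up or reboot. If that is intentional (for example because the handler was removed or the script is now idempotent on the next ifup), a one-line comment above the copy task stating that the hook is applied lazily, e.g. `# The hook is only run on the next ifup; no handler is notified on purpose.`, would save the next reader from re-adding the handler. The copy task's header lies above the hunk, so its remaining parameters are not visible here.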
diff --git a/roles/common/tasks/logging.yml b/roles/common/tasks/logging.yml
index b602a49..2b4a42a 100644
--- a/roles/common/tasks/logging.yml
+++ b/roles/common/tasks/logging.yml
@@ -3,7 +3,6 @@
vars:
packages:
- rsyslog
- - syslog-summary
- logcheck
- logcheck-database
- logrotate
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 02a745c..a6795ba 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -16,7 +16,7 @@
- import_tasks: stunnel.yml
tags: stunnel
- when: "'webmail' in group_names and 'LDAP-provider' not in group_names"
+ when: "'webmail' in group_names and 'LDAP_provider' not in group_names"
- import_tasks: auditd.yml
tags: auditd
- import_tasks: unbound.yml
@@ -82,7 +82,7 @@
- molly-guard
- rsync
- screen
- - telnet-ssl
+ - bind9-dnsutils
- name: Disable resume device
# Cf. initramfs-tools(7) and initramfs.conf(5).
diff --git a/roles/common/tasks/munin-node.yml b/roles/common/tasks/munin-node.yml
index f43094a..2411b59 100644
--- a/roles/common/tasks/munin-node.yml
+++ b/roles/common/tasks/munin-node.yml
@@ -62,10 +62,6 @@
- load
- memory
- netstat
- - ntp_kernel_err
- - ntp_kernel_pll_freq
- - ntp_kernel_pll_off
- - ntp_offset
- open_files
- open_inodes
- processes
@@ -78,6 +74,20 @@
notify:
- Restart munin-node
+- name: Install Munin plugins
+ file: src=/usr/share/munin/plugins/{{ item }}
+ dest=/etc/munin/plugins/{{ item }}
+ owner=root group=root
+ state=link force=yes
+ with_items:
+ - ntp_kernel_err
+ - ntp_kernel_pll_freq
+ - ntp_kernel_pll_off
+ - ntp_offset
+ when: "'NTP_master' in group_names"
+ notify:
+ - Restart munin-node
+
- name: Delete unnecessary Munin plugins
file: path=/etc/munin/plugins/{{ item }}
state=absent
@@ -90,6 +100,18 @@
notify:
- Restart munin-node
+- name: Delete unnecessary Munin plugins
+ file: path=/etc/munin/plugins/{{ item }}
+ state=absent
+ with_items:
+ - ntp_kernel_err
+ - ntp_kernel_pll_freq
+ - ntp_kernel_pll_off
+ - ntp_offset
+ when: "'NTP_master' not in group_names"
+ notify:
+ - Restart munin-node
+
- name: Install 'if_' Munin wildcard plugin
file: src=/usr/share/munin/plugins/{{ item.0 }}_
dest=/etc/munin/plugins/{{ item.0 }}_{{ item.1 }}
@@ -133,8 +155,32 @@
notify:
- Restart munin-node
+- name: Create directory /etc/systemd/system/munin-node.service.d
+ file: path=/etc/systemd/system/munin-node.service.d
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Copy munin-node.service override
+ copy: src=etc/systemd/system/munin-node.service.d/override.conf
+ dest=/etc/systemd/system/munin-node.service.d/override.conf
+ owner=root group=root
+ mode=0644
+ register: r8
+ notify:
+ - systemctl daemon-reload
+ - Restart munin-node
+
+# We use RuntimeDirectory in our overrride unit to avoid permission
+# issues caused by the restrictive Capability Bounding Set
+- name: Mask /usr/lib/tmpfiles.d/munin-common.conf
+ file: src=/dev/null
+ dest=/etc/tmpfiles.d/munin-common.conf
+ owner=root group=root
+ state=link
+
- name: Start munin-node
service: name=munin-node state=started
- when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed or r6.changed or r7.changed)
+ when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed or r6.changed or r7.changed or r8.changed)
- meta: flush_handlers
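Review bot: The tmpfiles mask task (`file: src=/dev/null dest=/etc/tmpfiles.d/munin-common.conf state=link`) omits `force=yes`, unlike the other symlink tasks in this file (the `ntp_*` plugin links and the if_ wildcard plugin), so it will fail on any host where /etc/tmpfiles.d/munin-common.conf already exists as a regular file; `state=link force=yes` keeps it consistent and idempotent. The preceding comment also misspells `overrride`, and the new task at the third hunk reuses the name `Delete unnecessary Munin plugins` already used by the task just below the second hunk, which makes play output ambiguous; something like `Delete NTP Munin plugins on non-NTP-master hosts` distinguishes them. The `r1`..`r7` registrations the `Start munin-node` condition depends on are outside this hunk.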
diff --git a/roles/common/tasks/ntp.yml b/roles/common/tasks/ntp.yml
index f9a01c8..2ff9e49 100644
--- a/roles/common/tasks/ntp.yml
+++ b/roles/common/tasks/ntp.yml
@@ -1,15 +1,33 @@
-- name: Install ntp
- apt: pkg=ntp
+- name: Remove ntp package
+ apt: pkg=ntp state={{ state }} purge=yes
+ vars:
+ state: "{{ ('NTP_master' in group_names) | ternary('present', 'absent') }}"
+
+- name: Install systemd-timesyncd package
+ apt: pkg=systemd-timesyncd state=present purge=yes
+ when: "'NTP_master' not in group_names"
+
+- name: Create /etc/systemd/timesyncd.conf.d
+ file: path=/etc/systemd/timesyncd.conf.d
+ state=directory
+ owner=root group=root
+ mode=0755
+ when: "'NTP_master' not in group_names"
- name: Configure ntp
- template: src=etc/ntp.conf.j2
- dest=/etc/ntp.conf
+ template: src=etc/{{ conf }}.j2
+ dest=/etc/{{ conf }}
owner=root group=root
mode=0644
+ vars:
+ conf: "{{ ('NTP_master' in group_names) | ternary('ntp.conf', 'systemd/timesyncd.conf.d/fripost.conf') }}"
+ service: "{{ ('NTP_master' in group_names) | ternary('ntp', 'systemd-timesyncd') }}"
notify:
- - Restart ntp
+ - Restart {{ service }}
- meta: flush_handlers
-- name: Start ntp
- service: name=ntp state=started
+- name: Start and enable ntp
+ service: name={{ service }}.service state=started enabled=true
+ vars:
+ service: "{{ ('NTP_master' in group_names) | ternary('ntp', 'systemd-timesyncd') }}"
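Review bot: The task named `Remove ntp package` actually installs ntp on NTP_master hosts and removes it elsewhere (state is the ternary on the next line), so the name misleads anyone reading play output; `- name: Install or remove ntp package` describes it. In `Install systemd-timesyncd package`, `purge=yes` together with `state=present` has no effect since purge only applies on removal, and dropping it avoids suggesting otherwise. The `service` expression is now duplicated verbatim in `Configure ntp` and `Start and enable ntp`; hoisting it (and `conf`) to a single `vars` at the include or role level, or one `set_fact` at the top of this file, keeps the two from drifting apart. Whether templated handler names in `notify` resolve task-scoped `vars` on the Ansible version in use should be confirmed on a non-master host, since a silent mismatch would leave systemd-timesyncd unrestarted after a config change.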
diff --git a/roles/common/tasks/smart.yml b/roles/common/tasks/smart.yml
index 8d35d9f..68e507f 100644
--- a/roles/common/tasks/smart.yml
+++ b/roles/common/tasks/smart.yml
@@ -1,12 +1,5 @@
- name: Install smartmontools
apt: pkg=smartmontools
-- name: Auto-enable smartmontools
- lineinfile: dest=/etc/default/smartmontools
- regexp='^(\s*#)?\s*start_smartd='
- line='start_smartd=yes'
- owner=root group=root
- mode=0644
-
- name: Start smartd
service: name=smartmontools state=started
diff --git a/roles/common/tasks/stunnel.yml b/roles/common/tasks/stunnel.yml
index 7cb8823..1522f1f 100644
--- a/roles/common/tasks/stunnel.yml
+++ b/roles/common/tasks/stunnel.yml
@@ -1,14 +1,7 @@
- name: Install stunnel4
apt: pkg=stunnel4
-- name: Set 'ENABLED=0' in /etc/default/stunnel4
- lineinfile: dest=/etc/default/stunnel4
- regexp='^(\s*#)?\s*ENABLED='
- line='ENABLED=0'
- owner=root group=root
- mode=0644
-
-- name: Copy stunnel4 service file
+- name: Copy stunnel4 service files
copy: src=etc/systemd/system/{{ item }}
dest=/etc/systemd/system/{{ item }}
owner=root group=root
@@ -18,3 +11,6 @@
with_items:
- stunnel4.service
- stunnel4@.service
+
+- name: Disable stunnel4 service
+ service: name=stunnel4.service enabled=false
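Review bot: `Disable stunnel4 service` only clears the enable symlink; a stunnel4.service that is already running on an upgraded host keeps running until reboot, which seems at odds with replacing the old `ENABLED=0` default (removed in the first hunk). If the intent is that only the stunnel4@.service instances run, `service: name=stunnel4.service state=stopped enabled=false` expresses it. Since the same play copies fresh unit files for both units, the copy task should notify `systemctl daemon-reload` before this task runs (its `notify` list lies between the two hunks and is not visible here), otherwise systemd may still evaluate the old unit definition.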
diff --git a/roles/common/tasks/sysctl.yml b/roles/common/tasks/sysctl.yml
index 3bf3b4f..08a1b13 100644
--- a/roles/common/tasks/sysctl.yml
+++ b/roles/common/tasks/sysctl.yml
@@ -11,10 +11,14 @@
- { name: 'net.ipv4.conf.default.rp_filter', value: 1 }
- { name: 'net.ipv4.conf.all.rp_filter', value: 1 }
- # Enable TCP/IP SYN cookies to avoid TCP SYN flood attacks. We
- # rate-limit not only the default ICMP types 3, 4, 11 and 12
+ # Disable SYN cookies and improve SYN backlog handling, see tcp(7) and
+ # https://levelup.gitconnected.com/linux-kernel-tuning-for-high-performance-networking-high-volume-incoming-connections-196e863d458a
+ - { name: 'net.ipv4.tcp_syncookies', value: 0 }
+ - { name: 'net.ipv4.tcp_synack_retries', value: 1 }
+ - { name: 'net.ipv4.tcp_max_syn_backlog', value: 32768 }
+
+ # We rate-limit not only the default ICMP types 3, 4, 11 and 12
# (0x1818), but also types 0 and 8. See icmp(7).
- - { name: 'net.ipv4.tcp_syncookies', value: 1 }
- { name: 'net.ipv4.icmp_ratemask', value: 6425 }
- { name: 'net.ipv4.icmp_ratelimit', value: 1000 }
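Review bot: Setting `net.ipv4.tcp_syncookies` to 0 removes the kernel's fallback for a full SYN backlog: with the default value 1, cookies are only issued once the backlog overflows, so raising `tcp_max_syn_backlog` to 32768 already delivers the throughput benefit while keeping flood resilience, whereas with 0 every connection attempt beyond the backlog is simply dropped during a SYN flood. Keeping `- { name: 'net.ipv4.tcp_syncookies', value: 1 }` and reworded comment text (`# Keep SYN cookies as an overflow fallback; enlarge the SYN backlog, see tcp(7)`) retains the hardening the old comment described. `tcp_synack_retries: 1` also means clients whose first SYN-ACK is lost get a single retransmission before the half-open connection is abandoned, which can hurt users on lossy links; tcp(7) documents the default of 5, so a value of 2 or 3 is a less aggressive compromise if the goal is faster backlog turnover.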