Diffstat (limited to 'roles/common')
-rw-r--r--roles/common/tasks/bacula.yml2
-rw-r--r--roles/common/tasks/mail.yml6
-rw-r--r--roles/common/tasks/main.yml57
-rw-r--r--roles/common/tasks/munin-node.yml2
-rw-r--r--roles/common/tasks/sysctl.yml2
5 files changed, 48 insertions, 21 deletions
diff --git a/roles/common/tasks/bacula.yml b/roles/common/tasks/bacula.yml
index 248d47d..91b37c8 100644
--- a/roles/common/tasks/bacula.yml
+++ b/roles/common/tasks/bacula.yml
@@ -13,41 +13,41 @@
state=directory
owner=root group=root
mode=0755
- name: Generate a private key and a X.509 certificate for Bacula FD
command: genkeypair.sh x509
--pubkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-fd.pem
--privkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-fd.key
--ou=BaculaFD --cn={{ inventory_hostname }} --dns={{ inventory_hostname }}
-t rsa -b 4096 -h sha512
register: r1
changed_when: r1.rc == 0
failed_when: r1.rc > 1
notify:
- Restart stunnel
tags:
- genkey
- name: Fetch Bacula FD X.509 certificate
# Ensure we don't fetch private data
- sudo: False
+ become: False
fetch: src=/etc/stunnel/certs/{{ inventory_hostname_short }}-fd.pem
dest=certs/bacula/
fail_on_missing=yes
flat=yes
tags:
- genkey
- name: Copy Bacula Dir X.509 certificates
assemble: src=certs/bacula regexp="-dir\.pem$" remote_src=no
dest=/etc/stunnel/certs/bacula-dirs.pem
owner=root group=root
mode=0644
register: r2
when: "'bacula-dir' not in group_names"
notify:
- Restart stunnel
- name: Copy Bacula SD X.509 certificates
copy: src=certs/bacula/{{ hostvars[item].inventory_hostname_short }}-sd.pem
dest=/etc/stunnel/certs/
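Review bot: The added `become: False` spells the boolean in Python style; the canonical YAML form is `become: false`, which Ansible reads identically and which yamllint's truthy rule accepts, so the replacement line should read `become: false`. The same `sudo:` → `become:` replacement in mail.yml and munin-node.yml carries the same spelling. The existing comment "Ensure we don't fetch private data" is the only explanation of why this fetch drops privileges; since the task's `src` is the public `.pem`, the privilege drop appears to be a safeguard against ever reading a root-only file through this task, and the comment would be clearer as `# Run unprivileged so this task can never read root-only key material`.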
diff --git a/roles/common/tasks/mail.yml b/roles/common/tasks/mail.yml
index c8e2495..273dc5c 100644
--- a/roles/common/tasks/mail.yml
+++ b/roles/common/tasks/mail.yml
@@ -51,52 +51,52 @@
mode=0755
tags:
- genkey
- name: Generate a private key and a X.509 certificate for Postfix
command: genkeypair.sh x509
--pubkey=/etc/postfix/ssl/{{ ansible_fqdn }}.pem
--privkey=/etc/postfix/ssl/{{ ansible_fqdn }}.key
--ou=Postfix --cn={{ ansible_fqdn }}
-t rsa -b 4096 -h sha512
register: r4
changed_when: r4.rc == 0
failed_when: r4.rc > 1
notify:
- Restart Postfix
tags:
- genkey
- name: Fetch Postfix's X.509 certificate
# Ensure we don't fetch private data
- sudo: False
+ become: False
fetch: src=/etc/postfix/ssl/{{ ansible_fqdn }}.pem
dest=certs/postfix/
fail_on_missing=yes
flat=yes
tags:
- genkey
- name: Add a 'root' alias
lineinfile: dest=/etc/aliases create=yes
- regexp="^root:"" "
- line="root:"" root@fripost.org"
+ regexp="^root{{':'}} "
+ line="root{{':'}} root@fripost.org"
- name: Compile the static local Postfix database
postmap: cmd=postalias src=/etc/aliases db=cdb
owner=root group=root
mode=0644
# We're using CDB
- name: Delete /etc/aliases.db
file: path=/etc/aliases.db state=absent
- name: Copy the Postfix TLS policy map
template: src=etc/postfix/tls_policy.j2
dest=/etc/postfix/tls_policy
owner=root group=root
mode=0644
when: "'out' not in group_names or 'MX' in group_names"
tags:
- tls_policy
- name: Compile the Postfix TLS policy map
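Review bot: The rewritten `regexp="^root{{':'}} "` and `line="root{{':'}} root@fripost.org"` work around the key=value shorthand's handling of `:` by templating the colon in, which hides the literal pattern from the reader and is the second attempt at quoting this one value in the file's history. Writing the `lineinfile` task with native YAML module arguments removes the need for the `{{':'}}` trick entirely; the trailing space in the regexp is significant, so it stays inside quotes. The `become: False` on the Postfix fetch above should be `become: false`, as noted on the bacula.yml hunk.
```yaml
- name: Add a 'root' alias
  lineinfile:
    dest: /etc/aliases
    create: true
    regexp: '^root: '
    line: 'root: root@fripost.org'
```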
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 3b95c92..3e6a4a8 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -1,47 +1,74 @@
---
-- include: sysctl.yml tags=sysctl
+- include: sysctl.yml
+ tags: sysctl
- include: hosts.yml
-- include: apt.yml tags=apt
+- include: apt.yml
+ tags: apt
- name: Install intel-microcode
apt: pkg=intel-microcode
when: "ansible_processor[0] | search('^(Genuine)?Intel.*') and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')"
tags: intel
-- include: firewall.yml tags=firewall,iptables
-- include: samhain.yml tags=samhain
-- include: auditd.yml tags=auditd
-- include: rkhunter.yml tags=rkhunter
-- include: clamav.yml tags=clamav
-- include: fail2ban.yml tags=fail2ban
-- include: smart.yml tags=smartmontools,smart
+- include: firewall.yml
+ tags:
+ - firewall
+ - iptables
+- include: samhain.yml
+ tags: samhain
+- include: auditd.yml
+ tags: auditd
+- include: rkhunter.yml
+ tags: rkhunter
+- include: clamav.yml
+ tags: clamav
+- include: fail2ban.yml
+ tags: fail2ban
+- include: smart.yml
+ tags:
+ - smartmontools
+ - smart
when: "not ((ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen') or ansible_system_vendor == 'QEMU')"
-- include: haveged.yml tags=haveged,entropy
+- include: haveged.yml
+ tags:
+ - haveged
+ - entropy
- name: Copy genkeypair.sh and gendhparam.sh
copy: src=usr/local/bin/{{ item }}
dest=/usr/local/bin/{{ item }}
owner=root group=root
mode=0755
tags: genkey
with_items:
- genkeypair.sh
- gendhparam.sh
- name: Generate DH parameters
command: gendhparam.sh /etc/ssl/private/dhparams.pem creates=/etc/ssl/private/dhparams.pem
tags: genkey
-- include: logging.yml tags=logging
-- include: ntp.yml tags=ntp
-- include: mail.yml tags=mail,postfix
-- include: bacula.yml tags=bacula-fd,bacula
-- include: munin-node.yml tags=munin-node,munin
+- include: logging.yml
+ tags: logging
+- include: ntp.yml
+ tags: ntp
+- include: mail.yml
+ tags:
+ - mail
+ - postfix
+- include: bacula.yml
+ tags:
+ - bacula-fd
+ - bacula
+- include: munin-node.yml
+ tags:
+ - munin-node
+ - munin
- name: Install common packages
apt: pkg={{ item }}
with_items:
- ca-certificates
- etckeeper
- ethtool
- git
- htop
- molly-guard
- rsync
- screen
- telnet-ssl
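Review bot: The new `tags:` keys on the includes mix two forms, a plain scalar (`tags: sysctl`, `tags: apt`, `tags: samhain`, …) and a block list (`tags:` followed by `- firewall` / `- iptables`), which reads inconsistently even though Ansible accepts both. One form file-wide would be preferable, e.g. always the list form `tags:` with `  - sysctl` beneath it, so that adding a second tag later does not change the shape of the entry. The `when:` that follows the smart.yml include must sit at the same indentation as its `tags:` key rather than inside the list; the rendered page drops the indentation, so that is worth confirming in the committed file.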
diff --git a/roles/common/tasks/munin-node.yml b/roles/common/tasks/munin-node.yml
index 9e5d8f4..c585d60 100644
--- a/roles/common/tasks/munin-node.yml
+++ b/roles/common/tasks/munin-node.yml
@@ -155,41 +155,41 @@
state=directory
owner=root group=root
mode=0755
- name: Generate a private key and a X.509 certificate for munin-node
command: genkeypair.sh x509
--pubkey=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem
--privkey=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key
--ou=Munin --cn={{ inventory_hostname }} --dns={{ inventory_hostname }}
-t rsa -b 4096 -h sha512
register: r1
changed_when: r1.rc == 0
failed_when: r1.rc > 1
notify:
- Restart stunnel
tags:
- genkey
- name: Fetch Munin X.509 certificate
# Ensure we don't fetch private data
- sudo: False
+ become: False
fetch: src=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem
dest=certs/munin/{{ inventory_hostname }}.pem
fail_on_missing=yes
flat=yes
tags:
- genkey
- name: Copy munin-master X.509 certificates
assemble: src=certs/munin regexp="{{ groups['munin-master'] | join('|') }}\.pem$" remote_src=no
dest=/etc/stunnel/certs/munin-master.pem
owner=root group=root
mode=0644
register: r2
when: "'munin-master' not in group_names"
notify:
- Restart stunnel
- name: Configure stunnel
template: src=etc/stunnel/munin-node.conf.j2
dest=/etc/stunnel/munin-node.conf
diff --git a/roles/common/tasks/sysctl.yml b/roles/common/tasks/sysctl.yml
index 6ac7feb..d3ae86f 100644
--- a/roles/common/tasks/sysctl.yml
+++ b/roles/common/tasks/sysctl.yml
@@ -1,21 +1,21 @@
-- sysctl: name={{ item.name }} "value={{ item.value }}" sysctl_set=yes
+- sysctl: name={{ item.name }} value={{ item.value }} sysctl_set=yes
with_items:
- { name: 'kernel.domainname', value: '{{ ansible_domain }}' }
# Networking. See
# https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
# Enable Spoof protection (reverse-path filter). Turn on Source
# Address Verification in all interfaces to prevent some spoofing
# attacks.
- { name: 'net.ipv4.conf.default.rp_filter', value: 1 }
- { name: 'net.ipv4.conf.all.rp_filter', value: 1 }
# Enable TCP/IP SYN cookies to avoid TCP SYN flood attacks. We
# rate-limit not only the default ICMP types 3, 4, 11 and 12
# (0x1818), but also types 0 and 8. See icmp(7).
- { name: 'net.ipv4.tcp_syncookies', value: 1 }
- { name: 'net.ipv4.icmp_ratemask', value: 6425 }
- { name: 'net.ipv4.icmp_ratelimit', value: 1000 }
# Disable paquet forwarding between interfaces (we are not a router).
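Review bot: The rewritten first line drops the quotes around `value={{ item.value }}`, so in the key=value shorthand any item whose value contains whitespace would be split into separate tokens and misparsed. None of the visible items has whitespace in its value, but the previous quoting existed for a reason and the `with_items` list is not fully visible here. Expressing the module arguments as native YAML keys avoids the shorthand's tokenising altogether and keeps the templated values as single strings; the `with_items` list below is unchanged.
```yaml
- sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    sysctl_set: true
  with_items:
  # … unchanged: the sysctl item list …
```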