--- - include: sysctl.yml tags=sysctl - include: hosts.yml - include: apt.yml tags=apt - name: Install intel-microcode apt: pkg=intel-microcode when: "ansible_processor[0] | search('^(Genuine)?Intel.*') and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')" tags: intel - include: firewall.yml tags=firewall,iptables - include: samhain.yml tags=samhain - include: auditd.yml tags=auditd - include: rkhunter.yml tags=rkhunter - include: clamav.yml tags=clamav - include: fail2ban.yml tags=fail2ban - include: smart.yml tags=smartmontools,smart when: "not ((ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen') or ansible_system_vendor == 'QEMU')" - include: haveged.yml tags=haveged,entropy - name: Copy genkeypair.sh and gendhparam.sh copy: src=usr/local/bin/{{ item }} dest=/usr/local/bin/{{ item }} owner=root group=root mode=0755 tags: genkey with_items: - genkeypair.sh - gendhparam.sh - name: Generate DH parameters command: gendhparam.sh /etc/ssl/private/dhparams.pem creates=/etc/ssl/private/dhparams.pem tags: genkey - include: logging.yml tags=logging - include: ntp.yml tags=ntp - include: mail.yml tags=mail,postfix - include: bacula.yml tags=bacula-fd,bacula - include: munin-node.yml tags=munin-node,munin - name: Install common packages apt: pkg={{ item }} with_items: - ca-certificates - etckeeper - ethtool - git - htop - molly-guard - rsync - screen - telnet-ssl # XXX: this is a workaround the CAcert root CAs not being present in # Jessie. In stretch, we would merely install the 'ca-cacert' package. - name: Create directory /usr/local/share/ca-certificates/CAcert file: path=/usr/local/share/ca-certificates/CAcert state=directory owner=root group=root mode=0755 tags: - certs - name: Copy CAcert root CAs copy: src=certs/CAcert/{{ item }} dest=/usr/local/share/ca-certificates/CAcert/{{ item }} owner=root group=root mode=0644 with_items: - root.crt - class3.crt tags: - certs notify: - Update certificate