summaryrefslogtreecommitdiffstats
path: root/roles/common/tasks/main.yml
blob: 470a6b2e5f6da5f7dd203b07f136a32457e7c6bb (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
---
- include: sysctl.yml   tags=sysctl
- include: hosts.yml
- include: apt.yml      tags=apt
- name: Install intel-microcode
  apt: pkg=intel-microcode
  when: "ansible_processor[0] | search('^(Genuine)?Intel.*') and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')"
  tags: intel
- include: firewall.yml tags=firewall,iptables
- include: samhain.yml  tags=samhain
- include: auditd.yml   tags=auditd
- include: rkhunter.yml tags=rkhunter
- include: clamav.yml   tags=clamav
- include: fail2ban.yml tags=fail2ban
- include: smart.yml    tags=smartmontools,smart
  when: "not ((ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen') or ansible_system_vendor == 'QEMU')"
- include: haveged.yml  tags=haveged,entropy
- name: Copy genkeypair.sh and gendhparam.sh
  copy: src=usr/local/bin/{{ item }}
        dest=/usr/local/bin/{{ item }}
        owner=root group=root
        mode=0755
  tags: genkey
  with_items:
    - genkeypair.sh
    - gendhparam.sh
- name: Generate DH parameters
  command: gendhparam.sh /etc/ssl/private/dhparams.pem creates=/etc/ssl/private/dhparams.pem
  tags: genkey
- include: logging.yml      tags=logging
- include: ntp.yml          tags=ntp
- include: mail.yml         tags=mail,postfix
- include: bacula.yml       tags=bacula-fd,bacula
- include: munin-node.yml   tags=munin-node,munin

- name: Install common packages
  apt: pkg={{ item }}
  with_items:
    - ca-certificates
    - etckeeper
    - ethtool
    - git
    - htop
    - molly-guard
    - rsync
    - screen
    - telnet-ssl

# XXX: this is a workaround the CAcert root CAs not being present in
# Jessie.  In stretch, we would merely install the 'ca-cacert' package.
- name: Create directory /usr/local/share/ca-certificates/CAcert
  file: path=/usr/local/share/ca-certificates/CAcert
        state=directory
        owner=root group=root
        mode=0755
  tags:
    - certs

- name: Copy CAcert root CAs
  copy: src=certs/CAcert/{{ item }}
        dest=/usr/local/share/ca-certificates/CAcert/{{ item }}
        owner=root group=root
        mode=0644
  with_items:
    - root.crt
    - class3.crt
  tags:
    - certs
  notify:
    - Update certificate