blob: 55c1489b00f53ccd7f05ca5d3a1b6a7b2c10fbca (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
|
---
- import_tasks: sysctl.yml
tags: sysctl
- import_tasks: hosts.yml
- import_tasks: apt.yml
tags: apt
- name: Install intel-microcode
apt: pkg=intel-microcode
when: "ansible_processor[1] is search('^(Genuine)?Intel.*') and not ansible_virtualization_role == 'guest'"
tags: intel
- import_tasks: firewall.yml
tags:
- firewall
- iptables
- nftables
- import_tasks: stunnel.yml
tags: stunnel
when: "'webmail' in group_names and 'LDAP-provider' not in group_names"
- import_tasks: auditd.yml
tags: auditd
- import_tasks: unbound.yml
tags:
- unbound
- dns
when: "ansible_processor[1] is search('^(Genuine)?Intel.*') and not ansible_virtualization_role == 'guest'"
- import_tasks: rkhunter.yml
tags: rkhunter
- import_tasks: clamav.yml
tags: clamav
- import_tasks: fail2ban.yml
tags: fail2ban
- import_tasks: smart.yml
tags:
- smartmontools
- smart
when: "not ansible_virtualization_role == 'guest'"
- name: Copy genkeypair.sh and gendhparam.sh
copy: src=usr/local/bin/{{ item }}
dest=/usr/local/bin/{{ item }}
owner=root group=staff
mode=0755
tags: genkey
with_items:
- genkeypair.sh
- gendhparam.sh
- name: Generate DH parameters
command: gendhparam.sh /etc/ssl/dhparams.pem 2048
creates=/etc/ssl/dhparams.pem
tags: genkey
- import_tasks: ipsec.yml
tags:
- strongswan
- ipsec
when: "groups.all | length > 1"
- import_tasks: logging.yml
tags: logging
- import_tasks: ntp.yml
tags: ntp
- import_tasks: mail.yml
tags:
- mail
- postfix
- import_tasks: bacula.yml
tags:
- bacula-fd
- bacula
- import_tasks: munin-node.yml
tags:
- munin-node
- munin
- name: Install common packages
apt: pkg={{ packages }}
vars:
packages:
- ca-certificates
- etckeeper
- ethtool
- git
- htop
- molly-guard
- rsync
- screen
- name: Disable resume device
# Cf. initramfs-tools(7) and initramfs.conf(5).
copy: src=etc/initramfs-tools/conf.d/resume
dest=/etc/initramfs-tools/conf.d/resume
owner=root group=root
mode=0644
tags:
- initramfs
- resume
notify:
- Update initramfs
|