This commit is contained in:
roydfalk 2024-06-09 11:04:57 +02:00
commit 6fe4f5fd56
9 changed files with 237 additions and 0 deletions


@ -27,6 +27,35 @@
"dest": "/etc/lighttpd/conf-enabled/10-ssl-custom.conf"
}
},
{
"name": "ufw | check",
"check_mode": true,
"become": true,
"community.general.ufw": {
"state": "enabled"
},
"register": "ufw_enable_check"
},
{
"name": "ufw | allow port 80",
"when": "not ufw_enable_check.changed",
"become": true,
"community.general.ufw": {
"rule": "allow",
"port": "80",
"proto": "tcp"
}
},
{
"name": "ufw | allow port 443",
"when": "not ufw_enable_check.changed",
"become": true,
"community.general.ufw": {
"rule": "allow",
"port": "443",
"proto": "tcp"
}
},
{
"name": "restart service",
"become": true,
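Review bot: The `"when": "not ufw_enable_check.changed"` guard on the port 80 and port 443 tasks skips the allow rules whenever ufw is not yet enabled, so if this role runs before the ufw role enables the firewall the web ports stay closed from the moment ufw comes up; ufw accepts rules while inactive and applies them on enable, so the guard gains nothing and makes role order matter. I would drop the check task and the `when`, and instead declare the ufw role as a dependency (`"dependencies": ["ufw"]` in the role's meta), which also guarantees the `ufw` binary the module needs is installed before these tasks run. If the intent really is "only touch ufw when it is already in use", say so in the task name or a `vars` comment so the next reader does not remove it. The `restart service` task at the end continues outside the hunk.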


@ -25,6 +25,25 @@
"cmd": "murmurd -ini /etc/mumble-server.ini -supw {{var_murmur_admin_password}}"
}
},
{
"name": "ufw | check",
"check_mode": true,
"become": true,
"community.general.ufw": {
"state": "enabled"
},
"register": "ufw_enable_check"
},
{
"name": "ufw | allow port",
"when": "not ufw_enable_check.changed",
"become": true,
"community.general.ufw": {
"rule": "allow",
"port": "{{var_murmur_port | string}}",
"proto": "tcp"
}
},
{
"name": "service",
"become": true,
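Review bot: The allow rule for `{{var_murmur_port | string}}` is TCP-only, but Murmur carries voice over UDP on that same port and clients only fall back to a TCP tunnel when UDP is blocked, so this rule leaves voice on the slow path without any visible error; add a second task with `"proto": "udp"`, or set `"proto": "any"` on this one. Adjacent but not part of this hunk: the `-supw {{var_murmur_admin_password}}` context line puts the admin password on the command line, where it is readable in `ps` and echoed in Ansible output unless that task sets `no_log`. The `service` task at the end continues outside the hunk.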


@ -25,6 +25,35 @@
"dest": "/etc/nginx/ssl-hardening.conf"
}
},
{
"name": "ufw | check",
"become": true,
"check_mode": true,
"community.general.ufw": {
"state": "enabled"
},
"register": "ufw_enable_check"
},
{
"name": "ufw | allow port 80",
"when": "not ufw_enable_check.changed",
"become": true,
"community.general.ufw": {
"rule": "allow",
"port": "80",
"proto": "tcp"
}
},
{
"name": "ufw | allow port 443",
"when": "not ufw_enable_check.changed",
"become": true,
"community.general.ufw": {
"rule": "allow",
"port": "443",
"proto": "tcp"
}
},
{
"name": "auto reload",
"when": "var_nginx_auto_reload_interval == None",
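Review bot: The `ufw | allow port 80` and `ufw | allow port 443` tasks are copies of each other (and the same pair appears verbatim in the lighttpd role in this commit), which is the usual way two rules drift apart; one task with a `loop` keeps a single place to edit, and the check/guard pair would be worth lifting into a shared tasks file included with a list of ports. The rewritten task replacing the two is below. The `auto reload` task at the end continues outside the hunk.
```json
{
  "name": "ufw | allow web ports",
  "when": "not ufw_enable_check.changed",
  "become": true,
  "community.general.ufw": {
    "rule": "allow",
    "port": "{{ item }}",
    "proto": "tcp"
  },
  "loop": ["80", "443"]
}
```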


@ -8,5 +8,34 @@
"proftpd-core"
]
}
},
{
"name": "ufw | check",
"check_mode": true,
"become": true,
"community.general.ufw": {
"state": "enabled"
},
"register": "ufw_enable_check"
},
{
"name": "ufw | allow port 20",
"when": "not ufw_enable_check.changed",
"become": true,
"community.general.ufw": {
"rule": "allow",
"port": "20",
"proto": "tcp"
}
},
{
"name": "ufw | allow port 21",
"when": "not ufw_enable_check.changed",
"become": true,
"community.general.ufw": {
"rule": "allow",
"port": "21",
"proto": "tcp"
}
}
]
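Review bot: Allowing inbound TCP 20 and 21 covers only the control channel and active-mode data (which the server opens outbound from port 20, already permitted by the outgoing policy), so passive-mode transfers — what essentially every client behind NAT uses — will still be refused at the data connection. Open the `PassivePorts` range that proftpd.conf configures as well, e.g. `"port": "49152:65534"` with `"proto": "tcp"`, matching whatever range the proftpd role sets (not visible here), or load the `nf_conntrack_ftp` helper. If TLS is not enforced in proftpd these rules expose a cleartext-credential service; I cannot tell from this hunk, so worth confirming.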


@ -58,6 +58,25 @@
"dest": "/etc/matrix-synapse/homeserver.yaml"
}
},
{
"name": "ufw | check",
"become": true,
"check_mode": true,
"community.general.ufw": {
"state": "enabled"
},
"register": "ufw_enable_check"
},
{
"name": "ufw | allow port",
"when": "not ufw_enable_check.changed",
"become": true,
"community.general.ufw": {
"rule": "allow",
"port": "8448",
"proto": "tcp"
}
},
{
"name": "restart service",
"become": true,
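Review bot: The hard-coded `"port": "8448"` under a generic `ufw | allow port` name should come from a variable, as the murmur role does with `{{var_murmur_port | string}}`, since the federation listener port lives in the homeserver.yaml this role templates and the two can drift; e.g. `"port": "{{ var_synapse_federation_port | default('8448') | string }}"`. 8448 is federation only — client traffic on 8008 is presumably fronted by the nginx role on 443, which I cannot confirm from here, and if it is not it needs its own rule. The `restart service` task at the end continues outside the hunk.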


@ -0,0 +1,17 @@
[
{
"name": "restart sshd",
"ansible.builtin.service": {
"name": "sshd",
"state": "restarted"
}
},
{
"name": "restart journal",
"ansible.builtin.service": {
"name": "systemd-journald",
"state": "restarted",
"enabled": true
}
}
]
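Review bot: Neither handler sets `"become": true`, while every task added in this commit does; unless the play itself elevates, restarting `sshd` and `systemd-journald` will fail with a permission error, so add `"become": true,` to both. For `sshd`, `"state": "reloaded"` is enough to pick up config changes and avoids a restart, and `"enabled": true` on `systemd-journald` is a no-op at best because the unit is static with no install section — I would drop it. The file's path is not shown on this page; I assume it is a role's handlers/main.json.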

45
roles/ufw/tasks/main.json Normal file

@ -0,0 +1,45 @@
[
{
"name": "install ufw",
"become": true,
"ansible.builtin.apt": {
"update_cache": true,
"pkg": [
"ufw"
]
}
},
{
"name": "ufw deny incoming",
"become": true,
"community.general.ufw": {
"direction": "incoming",
"proto": "any",
"policy": "deny"
}
},
{
"name": "ufw allow outgoing",
"become": true,
"community.general.ufw": {
"direction": "outgoing",
"proto": "any",
"policy": "allow"
}
},
{
"name": "ufw allow and rate-limit ssh",
"become": true,
"community.general.ufw": {
"rule": "limit",
"name": "ssh"
}
},
{
"name": "enable ufw service",
"become": true,
"community.general.ufw": {
"state": "enabled"
}
}
]
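Review bot: The `ufw allow and rate-limit ssh` task resolves `"name": "ssh"` through /etc/services to 22/tcp, so on a host where sshd listens on another port the `enable ufw service` task two entries later locks you out — and this commit ships an sshd restart handler, which suggests sshd config is managed. Take the port from a variable instead: `"rule": "limit", "port": "{{ var_ssh_port | default('22') | string }}", "proto": "tcp"`. Enabling only after the deny-incoming and ssh rules is the right order; a task setting `"logging": "low"` would additionally make blocked connections visible in the journal.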


@ -0,0 +1,2 @@
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";


@ -0,0 +1,48 @@
[
{
"name": "install packages",
"become": true,
"ansible.builtin.apt": {
"update_cache": true,
"pkg": [
"unattended-upgrades",
"apt-listchanges"
]
}
},
{
"name": "Allow unattended reboots (1)",
"become": true,
"ansible.builtin.lineinfile": {
"dest": "/etc/apt/apt.conf.d/50unattended-upgrades",
"regexp": "^(//)?Unattended-Upgrade::Automatic-Reboot ",
"line": "Unattended-Upgrade::Automatic-Reboot \"true\";"
}
},
{
"name": "Allow unattended reboots (2)",
"become": true,
"ansible.builtin.lineinfile": {
"dest": "/etc/apt/apt.conf.d/50unattended-upgrades",
"regexp": "^(//)?Unattended-Upgrade::Automatic-Reboot-Time ",
"line": "Unattended-Upgrade::Automatic-Reboot-Time \"23:55\";"
}
},
{
"name": "Allow more origins for updates",
"become": true,
"ansible.builtin.lineinfile": {
"dest": "/etc/apt/apt.conf.d/50unattended-upgrades",
"regexp": "^(//\\s*)?\"\\$\\{distro_id\\}:\\$\\{distro_codename\\}-updates\";",
"line": "\"${distro_id}:${distro_codename}-updates\";"
}
},
{
"name": "Enable unattended upgrades",
"become": true,
"ansible.builtin.copy": {
"src": "20auto-upgrades",
"dest": "/etc/apt/apt.conf.d/20auto-upgrades"
}
}
]
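Review bot: The `Allow more origins for updates` task depends on its regexp matching an existing commented line inside the `Unattended-Upgrade::Allowed-Origins { ... };` block; when it does not match (a different distro template, or a line someone already edited), `lineinfile` appends the bare string at end of file outside the block and apt then refuses to parse its configuration at all. Editing the package-owned conffile also provokes a dpkg conffile prompt on the next upgrade of unattended-upgrades. Safer is a separate drop-in that appends to the list with apt's `::` syntax — a copied file such as `/etc/apt/apt.conf.d/52unattended-upgrades-local` containing `Unattended-Upgrade::Allowed-Origins:: "${distro_id}:${distro_codename}-updates";` plus the two `Automatic-Reboot` lines — which makes the three `lineinfile` tasks unnecessary. Rebooting unattended at 23:55 on hosts serving Mumble, Matrix and web traffic is a policy choice worth an explicit comment, and `Unattended-Upgrade::Automatic-Reboot-WithUsers "false";` would at least avoid rebooting under logged-in users.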