diff --git a/roles/common/tasks/cron-apt.yml b/roles/common/tasks/cron-apt.yml
index 91627ff..303dd8f 100644
--- a/roles/common/tasks/cron-apt.yml
+++ b/roles/common/tasks/cron-apt.yml
@@ -1,10 +1,9 @@
 ---
-
 - name: Configure cron-apt (config)
 ansible.builtin.copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }} owner={{ item.owner }} group={{ item.group }}
 loop:
- - { src: 'etc/cron-apt/config', dest: '/etc/cron-apt/config', mode: '0644', owner: 'root', group: 'root' }
- - { src: 'etc/cron-apt/3-download', dest: '/etc/cron-apt/action.d/3-download', mode: '0644', owner: 'root', group: 'root' }
+ - { src: etc/cron-apt/config, dest: /etc/cron-apt/config, mode: "0644", owner: root, group: root }
+ - { src: etc/cron-apt/3-download, dest: /etc/cron-apt/action.d/3-download, mode: "0644", owner: root, group: root }
 - name: Configure cron-apt (security)
 ansible.builtin.template: src=security.sources.list.j2 dest=/etc/apt/security.sources.list mode=0644 owner=root group=root
diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml
index 511fdc6..45dd3a4 100644
--- a/roles/common/tasks/fail2ban.yml
+++ b/roles/common/tasks/fail2ban.yml
@@ -4,7 +4,7 @@
 src: etc/fail2ban/jail.d/sshd.local.j2
 dest: /etc/fail2ban/jail.d/sshd.local
 owner: root
- mode: 0644
+ mode: "0644"
 notify: restart fail2ban
 - name: Configure fail2ban nginx filter
@@ -15,7 +15,7 @@
 src: etc/fail2ban/jail.d/nginx.local.j2
 dest: /etc/fail2ban/jail.d/nginx.local
 owner: root
- mode: 0644
+ mode: "0644"
 notify: restart fail2ban
 - name: Create fail2ban service override directory
@@ -23,7 +23,7 @@
 path: /etc/systemd/system/fail2ban.service.d
 state: directory
 owner: root
- mode: 0755
+ mode: "0755"
 # See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban
 - name: Configure fail2ban service override
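Review bot: The loop items now carry a quoted `mode: "0644"`, but the `ansible.builtin.copy:` and `ansible.builtin.template:` lines in this same hunk still use the `key=value` argument string, so the security task's `mode=0644` sits one line away in a different form that the quoting fix cannot reach. Moving both tasks to block-mapping arguments (`src:`, `dest:`, `mode: "0644"`, `owner:`, `group:`) lets one quoting rule apply file-wide and makes each field diff on its own. The security task's body continues past the end of the hunk.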
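Review bot: Both tasks that render `/etc/fail2ban/jail.d/sshd.local` and `nginx.local` set `owner: root` but no `group:`, while the directory task in the third hunk and the nftables tasks elsewhere in this commit set `group: root` explicitly; I'd add `group: root` under `owner: root` in both so the rendered files' group is stated rather than presumed from the connection user (presumably root under become, but explicit costs one line). The override.conf hunk at @@ -31 has the same shape. The `- name:` and module lines of these tasks start above their hunks.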
@@ -31,7 +31,7 @@
 src: etc/systemd/system/fail2ban.service.d/override.conf.j2
 dest: /etc/systemd/system/fail2ban.service.d/override.conf
 owner: root
- mode: 0644
+ mode: "0644"
 notify:
 - reload systemd
 - restart fail2ban
diff --git a/roles/common/tasks/firewall_Debian.yml b/roles/common/tasks/firewall_Debian.yml
index aa0fd96..ba28aec 100644
--- a/roles/common/tasks/firewall_Debian.yml
+++ b/roles/common/tasks/firewall_Debian.yml
@@ -2,115 +2,115 @@
 # Debian 11+ will use nftables directly, with no firewalld.
 - block:
- - name: Install Debian firewall packages
- when: ansible_distribution_major_version is version('11', '>=')
- ansible.builtin.package:
- name:
- - fail2ban
- - libnet-ip-perl # for aggregate-cidr-addresses.pl
- - nftables
- - python3-systemd
- - curl # for nftables update scripts
- state: present
- cache_valid_time: 3600
+ - name: Install Debian firewall packages
+ when: ansible_distribution_major_version is version('11', '>=')
+ ansible.builtin.package:
+ name:
+ - fail2ban
+ - libnet-ip-perl # for aggregate-cidr-addresses.pl
+ - nftables
+ - python3-systemd
+ - curl # for nftables update scripts
+ state: present
+ cache_valid_time: 3600
- - name: Remove iptables on newer Debian
- when: ansible_distribution_major_version is version('11', '>=')
- ansible.builtin.apt:
- pkg: iptables
- state: absent
+ - name: Remove iptables on newer Debian
+ when: ansible_distribution_major_version is version('11', '>=')
+ ansible.builtin.apt:
+ pkg: iptables
+ state: absent
- - name: Copy nftables.conf
- when: ansible_distribution_major_version is version('11', '>=')
- ansible.builtin.template:
- src: nftables.conf.j2
- dest: /etc/nftables.conf
- owner: root
- mode: 0644
- notify:
- - restart nftables
- - restart fail2ban
+ - name: Copy nftables.conf
+ when: ansible_distribution_major_version is version('11', '>=')
+ ansible.builtin.template:
+ src: nftables.conf.j2
+ dest: /etc/nftables.conf
+ owner: root
+ mode: "0644"
+ notify:
+ - restart nftables
+ - restart fail2ban
- - name: Create /etc/nftables extra config directory
- when: ansible_distribution_major_version is version('11', '>=')
- ansible.builtin.file:
- path: /etc/nftables
- state: directory
- owner: root
- mode: 0755
+ - name: Create /etc/nftables extra config directory
+ when: ansible_distribution_major_version is version('11', '>=')
+ ansible.builtin.file:
+ path: /etc/nftables
+ state: directory
+ owner: root
+ mode: "0755"
- - name: Copy extra nftables configuration files
- when: ansible_distribution_major_version is version('11', '>=')
- ansible.builtin.copy:
- src: "{{ item.src }}"
- dest: "/etc/nftables/{{ item.src }}"
- owner: root
- group: root
- mode: 0644
- force: "{{ item.force }}"
- loop:
- - { src: "spamhaus-ipv4.nft", force: "no" }
- - { src: "spamhaus-ipv6.nft", force: "no" }
- - { src: "abusech-ipv4.nft", force: "no" }
- - { src: "abuseipdb-ipv4.nft", force: "yes" }
- - { src: "abuseipdb-ipv6.nft", force: "yes" }
- notify:
- - restart nftables
- - restart fail2ban
+ - name: Copy extra nftables configuration files
+ when: ansible_distribution_major_version is version('11', '>=')
+ ansible.builtin.copy:
+ src: "{{ item.src }}"
+ dest: /etc/nftables/{{ item.src }}
+ owner: root
+ group: root
+ mode: "0644"
+ force: "{{ item.force }}"
+ loop:
+ - { src: spamhaus-ipv4.nft, force: "no" }
+ - { src: spamhaus-ipv6.nft, force: "no" }
+ - { src: abusech-ipv4.nft, force: "no" }
+ - { src: abuseipdb-ipv4.nft, force: "yes" }
+ - { src: abuseipdb-ipv6.nft, force: "yes" }
+ notify:
+ - restart nftables
+ - restart fail2ban
- - name: Copy nftables update scripts
- when: ansible_distribution_version is version('11', '>=')
- ansible.builtin.copy:
- src: "{{ item }}"
- dest: "/usr/local/bin/{{ item }}"
- mode: 0755
- owner: root
- group: root
- loop:
- - update-spamhaus-nftables.sh
- - aggregate-cidr-addresses.pl
- - update-abusech-nftables.sh
+ - name: Copy nftables update scripts
+ when: ansible_distribution_version is version('11', '>=')
+ ansible.builtin.copy:
+ src: "{{ item }}"
+ dest: /usr/local/bin/{{ item }}
+ mode: "0755"
+ owner: root
+ group: root
+ loop:
+ - update-spamhaus-nftables.sh
+ - aggregate-cidr-addresses.pl
+ - update-abusech-nftables.sh
- - name: Copy nftables systemd units
- when: ansible_distribution_version is version('11', '>=')
- ansible.builtin.copy:
- src: "{{ item }}"
- dest: "/etc/systemd/system/{{ item }}"
- mode: 0644
- owner: root
- group: root
- loop:
- - update-spamhaus-nftables.service
- - update-spamhaus-nftables.timer
- - update-abusech-nftables.service
- - update-abusech-nftables.timer
- register: nftables_systemd_units
+ - name: Copy nftables systemd units
+ when: ansible_distribution_version is version('11', '>=')
+ ansible.builtin.copy:
+ src: "{{ item }}"
+ dest: /etc/systemd/system/{{ item }}
+ mode: "0644"
+ owner: root
+ group: root
+ loop:
+ - update-spamhaus-nftables.service
+ - update-spamhaus-nftables.timer
+ - update-abusech-nftables.service
+ - update-abusech-nftables.timer
+ register: nftables_systemd_units
- # need to reload to pick up service/timer/environment changes
- - name: Reload systemd daemon
- ansible.builtin.systemd:
- daemon_reload: true
- when: nftables_systemd_units is changed
+ # need to reload to pick up service/timer/environment changes
+ - name: Reload systemd daemon
+ ansible.builtin.systemd:
+ daemon_reload: true
+ when: nftables_systemd_units is changed
- - name: Start and enable nftables update timers
- when: ansible_distribution_version is version('11', '>=')
- ansible.builtin.systemd:
- name: "{{ item }}"
- state: started
- enabled: true
- loop:
- - update-spamhaus-nftables.timer
- - update-abusech-nftables.timer
+ - name: Start and enable nftables update timers
+ when: ansible_distribution_version is version('11', '>=')
+ ansible.builtin.systemd:
+ name: "{{ item }}"
+ state: started
+ enabled: true
+ loop:
+ - update-spamhaus-nftables.timer
+ - update-abusech-nftables.timer
- - name: Start and enable nftables
- when: ansible_distribution_major_version is version('11', '>=')
- ansible.builtin.systemd:
- name: nftables
- state: started
- enabled: true
+ - name: Start and enable nftables
+ when: ansible_distribution_major_version is version('11', '>=')
+ ansible.builtin.systemd:
+ name: nftables
+ state: started
+ enabled: true
- - ansible.builtin.include_tasks: fail2ban.yml
- when: ansible_distribution_major_version is version('9', '>=')
+ - ansible.builtin.include_tasks: fail2ban.yml
+ when: ansible_distribution_major_version is version('9', '>=')
 tags: firewall
 # vim: set sw=2 ts=2:
diff --git a/roles/common/tasks/firewall_Ubuntu.yml b/roles/common/tasks/firewall_Ubuntu.yml
index 92bd7be..f30af1e 100644
--- a/roles/common/tasks/firewall_Ubuntu.yml
+++ b/roles/common/tasks/firewall_Ubuntu.yml
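Review bot: The `force:` values in the `Copy extra nftables configuration files` loop are still quoted strings (`force: "no"` / `force: "yes"`) rather than booleans; the copy module coerces them, but a formatter that quotes scalars precisely to avoid truthy-string ambiguity is the cue to write `force: false` / `force: true` and remove the ambiguity instead of quoting around it. Separately, the version gates in this block mix `ansible_distribution_major_version` (install, nftables.conf, directory, enable nftables) and `ansible_distribution_version` (update scripts, systemd units, timers) for the same `version('11', '>=')` test; both appear to resolve the same way on Debian, but using one variable would make a future bump a single-variable change and is worth a comment if the split is deliberate. The `force:` point applies equally to the firewall_Ubuntu.yml hunk.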
@@ -2,113 +2,113 @@
 # Ubuntu 20.04 will use nftables directly, with no firewalld.
 - block:
- - name: Install Ubuntu firewall packages
- ansible.builtin.package:
- name:
- - fail2ban
- - libnet-ip-perl # for aggregate-cidr-addresses.pl
- - nftables
- - python3-systemd
- - curl # for nftables update scripts
- state: present
- cache_valid_time: 3600
+ - name: Install Ubuntu firewall packages
+ ansible.builtin.package:
+ name:
+ - fail2ban
+ - libnet-ip-perl # for aggregate-cidr-addresses.pl
+ - nftables
+ - python3-systemd
+ - curl # for nftables update scripts
+ state: present
+ cache_valid_time: 3600
- - name: Remove ufw
- ansible.builtin.package:
- name: ufw
- state: absent
+ - name: Remove ufw
+ ansible.builtin.package:
+ name: ufw
+ state: absent
- - name: Copy nftables.conf
- when: ansible_distribution_version is version('20.04', '>=')
- ansible.builtin.template:
- src: nftables.conf.j2
- dest: /etc/nftables.conf
- owner: root
- mode: 0644
- notify:
- - restart nftables
- - restart fail2ban
+ - name: Copy nftables.conf
+ when: ansible_distribution_version is version('20.04', '>=')
+ ansible.builtin.template:
+ src: nftables.conf.j2
+ dest: /etc/nftables.conf
+ owner: root
+ mode: "0644"
+ notify:
+ - restart nftables
+ - restart fail2ban
- - name: Create /etc/nftables extra config directory
- when: ansible_distribution_version is version('20.04', '>=')
- ansible.builtin.file:
- path: /etc/nftables
- state: directory
- owner: root
- mode: 0755
+ - name: Create /etc/nftables extra config directory
+ when: ansible_distribution_version is version('20.04', '>=')
+ ansible.builtin.file:
+ path: /etc/nftables
+ state: directory
+ owner: root
+ mode: "0755"
- - name: Copy extra nftables configuration files
- when: ansible_distribution_version is version('20.04', '>=')
- ansible.builtin.copy:
- src: "{{ item.src }}"
- dest: "/etc/nftables/{{ item.src }}"
- owner: root
- group: root
- mode: 0644
- force: "{{ item.force }}"
- loop:
- - { src: "spamhaus-ipv4.nft", force: "no" }
- - { src: "spamhaus-ipv6.nft", force: "no" }
- - { src: "abusech-ipv4.nft", force: "no" }
- - { src: "abuseipdb-ipv4.nft", force: "yes" }
- - { src: "abuseipdb-ipv6.nft", force: "yes" }
- notify:
- - restart nftables
- - restart fail2ban
+ - name: Copy extra nftables configuration files
+ when: ansible_distribution_version is version('20.04', '>=')
+ ansible.builtin.copy:
+ src: "{{ item.src }}"
+ dest: /etc/nftables/{{ item.src }}
+ owner: root
+ group: root
+ mode: "0644"
+ force: "{{ item.force }}"
+ loop:
+ - { src: spamhaus-ipv4.nft, force: "no" }
+ - { src: spamhaus-ipv6.nft, force: "no" }
+ - { src: abusech-ipv4.nft, force: "no" }
+ - { src: abuseipdb-ipv4.nft, force: "yes" }
+ - { src: abuseipdb-ipv6.nft, force: "yes" }
+ notify:
+ - restart nftables
+ - restart fail2ban
- - name: Copy nftables update scripts
- when: ansible_distribution_version is version('20.04', '>=')
- ansible.builtin.copy:
- src: "{{ item }}"
- dest: "/usr/local/bin/{{ item }}"
- mode: 0755
- owner: root
- group: root
- loop:
- - update-spamhaus-nftables.sh
- - aggregate-cidr-addresses.pl
- - update-abusech-nftables.sh
+ - name: Copy nftables update scripts
+ when: ansible_distribution_version is version('20.04', '>=')
+ ansible.builtin.copy:
+ src: "{{ item }}"
+ dest: /usr/local/bin/{{ item }}
+ mode: "0755"
+ owner: root
+ group: root
+ loop:
+ - update-spamhaus-nftables.sh
+ - aggregate-cidr-addresses.pl
+ - update-abusech-nftables.sh
- - name: Copy nftables systemd units
- when: ansible_distribution_version is version('20.04', '>=')
- ansible.builtin.copy:
- src: "{{ item }}"
- dest: "/etc/systemd/system/{{ item }}"
- mode: 0644
- owner: root
- group: root
- loop:
+ - name: Copy nftables systemd units
+ when: ansible_distribution_version is version('20.04', '>=')
+ ansible.builtin.copy:
+ src: "{{ item }}"
+ dest: /etc/systemd/system/{{ item }}
+ mode: "0644"
+ owner: root
+ group: root
+ loop:
 - update-spamhaus-nftables.service
 - update-spamhaus-nftables.timer
 - update-abusech-nftables.service
 - update-abusech-nftables.timer
- register: nftables_systemd_units
+ register: nftables_systemd_units
- # need to reload to pick up service/timer/environment changes
- - name: Reload systemd daemon
- ansible.builtin.systemd:
- daemon_reload: true
- when: nftables_systemd_units is changed
+ # need to reload to pick up service/timer/environment changes
+ - name: Reload systemd daemon
+ ansible.builtin.systemd:
+ daemon_reload: true
+ when: nftables_systemd_units is changed
- - name: Start and enable nftables update timers
- when: ansible_distribution_version is version('20.04', '>=')
- ansible.builtin.systemd:
- name: "{{ item }}"
- state: started
- enabled: true
- loop:
- - update-spamhaus-nftables.timer
- - update-abusech-nftables.timer
+ - name: Start and enable nftables update timers
+ when: ansible_distribution_version is version('20.04', '>=')
+ ansible.builtin.systemd:
+ name: "{{ item }}"
+ state: started
+ enabled: true
+ loop:
+ - update-spamhaus-nftables.timer
+ - update-abusech-nftables.timer
- - name: Start and enable nftables
- when: ansible_distribution_version is version('20.04', '>=')
- ansible.builtin.systemd:
- name: nftables
- state: started
- enabled: true
+ - name: Start and enable nftables
+ when: ansible_distribution_version is version('20.04', '>=')
+ ansible.builtin.systemd:
+ name: nftables
+ state: started
+ enabled: true
- - ansible.builtin.include_tasks: fail2ban.yml
- when: ansible_distribution_version is version('16.04', '>=')
+ - ansible.builtin.include_tasks: fail2ban.yml
+ when: ansible_distribution_version is version('16.04', '>=')
 tags: firewall
 # vim: set sw=2 ts=2:
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index bfb9398..f09ca17 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
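Review bot: `Install Ubuntu firewall packages` and `Remove ufw` carry no `when:` while every other task in the block is gated on `ansible_distribution_version is version('20.04', '>=')`, so on an older release the play would remove ufw without copying nftables.conf or enabling nftables, leaving the host with no ruleset applied. If releases below 20.04 can still reach this role (the `include_tasks: fail2ban.yml` gate at `16.04` suggests they once could), I'd put the same `when:` on `Remove ufw`, or add `# This block only targets Ubuntu 20.04+` above the block and drop the per-task gates. Also, the four items under `loop:` in `Copy nftables systemd units` are the only lines in the hunk left as context while `loop:` itself was re-indented, so their indent relative to `loop:` appears to differ from the other loops in this file; worth checking the rendered file against yamllint's indent-sequences setting.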
@@ -1,6 +1,6 @@
 ---
 - name: Import OS-specific variables
- ansible.builtin.include_vars: "vars/{{ ansible_distribution }}.yml"
+ ansible.builtin.include_vars: vars/{{ ansible_distribution }}.yml
 tags: always
 - name: Configure network time
diff --git a/roles/common/tasks/ntp.yml b/roles/common/tasks/ntp.yml
index 401c91c..2c97b4b 100644
--- a/roles/common/tasks/ntp.yml
+++ b/roles/common/tasks/ntp.yml
@@ -12,8 +12,8 @@
 # I can see on existing servers, systemd-timesyncd is a standalone package on
 # Ubuntu 20.04 and Debian 11.
 - name: Install systemd-timesyncd
- when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or
- (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '>='))
+ when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version
+ is version('11', '>='))
 ansible.builtin.apt: name=systemd-timesyncd state=present cache_valid_time=3600
 - name: Start and enable systemd's NTP client
diff --git a/roles/common/tasks/packages_Debian.yml b/roles/common/tasks/packages_Debian.yml
index f0b08cd..b63e690 100644
--- a/roles/common/tasks/packages_Debian.yml
+++ b/roles/common/tasks/packages_Debian.yml
@@ -1,5 +1,4 @@
 ---
-
 - name: Configure Debian packages
 block:
 # Create directory for third-party package signing keys. Required on distros
@@ -9,7 +8,7 @@
 - name: Create /etc/apt/keyrings
 file:
 path: /etc/apt/keyrings
- mode: 0755
+ mode: "0755"
 owner: root
 group: root
 state: directory
diff --git a/roles/common/tasks/packages_Ubuntu.yml b/roles/common/tasks/packages_Ubuntu.yml
index a61bdae..0ed0d32 100644
--- a/roles/common/tasks/packages_Ubuntu.yml
+++ b/roles/common/tasks/packages_Ubuntu.yml
@@ -1,5 +1,4 @@
 ---
-
 - name: Configure Ubuntu packages
 block:
 # Create directory for third-party package signing keys. Required on distros
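Review bot: `ansible.builtin.include_vars: vars/{{ ansible_distribution }}.yml` is now an unquoted plain scalar, which parses correctly only because the value begins with the literal `vars/`; a templated value that starts with `{{` is read by YAML as a flow mapping before Jinja ever sees it. Keeping templated scalars quoted as the file-wide rule (`ansible.builtin.include_vars: "vars/{{ ansible_distribution }}.yml"`) avoids having to reason about that per line; the same unquoting appears on the `dest:` lines in the firewall hunks.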
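Review bot: The reflowed `when:` in the `Install systemd-timesyncd` task now breaks the expression inside a term (`ansible_distribution_version` / `is version('11', '>=')`) purely on line length; as a multi-line plain scalar it folds back to one string, so behaviour is unchanged, but a reader has to rejoin the lines mentally. A folded block scalar broken at the `or` keeps both the length limit and the logical structure: `when: >-` then `(ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or` then `(ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '>='))`. The `Update apt cache` condition in the tarsnap.yml hunk at @@ -20 got the same reflow and would benefit from the same form.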
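Review bot: `Create /etc/apt/keyrings` in packages_Debian.yml still uses the short module name `file:` while the rest of this commit uses fully-qualified names (`ansible.builtin.file`, `ansible.builtin.copy`); since the mode fix already touches the line beneath it, I'd change it to `ansible.builtin.file:` so module resolution is uniform across the role. The matching packages_Ubuntu.yml hunk at @@ -9,7 has the same short name. The enclosing `Configure Debian packages` block starts above this hunk.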
@@ -9,7 +8,7 @@
 - name: Create /etc/apt/keyrings
 file:
 path: /etc/apt/keyrings
- mode: 0755
+ mode: "0755"
 owner: root
 group: root
 state: directory
@@ -25,23 +24,23 @@
 - name: Set Ubuntu base packages
 ansible.builtin.set_fact:
 ubuntu_base_packages:
- - git
- - git-lfs
- - tmux
- - iotop
- - htop
- - strace
- - cron-apt
- - safe-rm
- - debian-goodies
- - mosh
- - python-pycurl # for ansible's apt_repository
- - vim
- - unzip
- - apt-transport-https # for https support in apt
- - zstd
- - rsync
- - lsof
+ - git
+ - git-lfs
+ - tmux
+ - iotop
+ - htop
+ - strace
+ - cron-apt
+ - safe-rm
+ - debian-goodies
+ - mosh
+ - python-pycurl # for ansible's apt_repository
+ - vim
+ - unzip
+ - apt-transport-https # for https support in apt
+ - zstd
+ - rsync
+ - lsof
 - name: Install base packages
 ansible.builtin.apt: pkg={{ ubuntu_base_packages }} state=present cache_valid_time=3600
@@ -67,7 +66,7 @@
 ansible.builtin.set_fact:
 ubuntu_annoying_packages:
 - whoopsie # security (CIS 4.1)
- - apport # security (CIS 4.1)
+ - apport # security (CIS 4.1)
 - command-not-found # annoying
 - command-not-found-data # annoying
 - python3-commandnotfound # annoying
diff --git a/roles/common/tasks/ssh-keys.yml b/roles/common/tasks/ssh-keys.yml
index e07b0eb..eb89f63 100644
--- a/roles/common/tasks/ssh-keys.yml
+++ b/roles/common/tasks/ssh-keys.yml
@@ -3,7 +3,7 @@
 ansible.builtin.file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent
 - name: Add public keys to authorized_keys
- ansible.posix.authorized_key: { user: '{{ provisioning_user.name }}', key: "{{ lookup('file',item) }}" }
+ ansible.posix.authorized_key: { user: "{{ provisioning_user.name }}", key: "{{ lookup('file',item) }}" }
 with_fileglob:
 # use descriptive names for keys, like: aorth-mzito-rsa.pub
 - ssh-pub-keys/*.pub
diff --git a/roles/common/tasks/sshd.yml b/roles/common/tasks/sshd.yml
index ddb1f9f..32e5c29 100644
--- a/roles/common/tasks/sshd.yml
+++ b/roles/common/tasks/sshd.yml
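Review bot: `ansible.posix.authorized_key` is still a one-line flow mapping; since the quoting change lands on that line anyway, a block mapping with `user: "{{ provisioning_user.name }}"` and `key: "{{ lookup('file', item) }}"` on their own lines would diff per field and match the block style used elsewhere in the role. The larger point is the task just above it, which removes `authorized_keys` outright (`state=absent`) before this task repopulates it, so a run that fails between the two leaves the provisioning user with no key-based login; `authorized_key` with `exclusive: true` and the globbed key contents joined into one `key` string rewrites the file in a single idempotent step, which is the documented way to get "exactly these keys" without the delete-then-add window (note `exclusive` is not meant to be combined with a per-key loop). The removal task's `- name:` line starts above the hunk.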
@@ -1,8 +1,8 @@
 ---
-
 # SSH configs don't change in Debian minor versions
 - name: Reconfigure /etc/ssh/sshd_config
- ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
+ ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root
+ mode=0600
 when: ansible_distribution == 'Debian'
 notify: reload sshd
diff --git a/roles/common/tasks/tarsnap.yml b/roles/common/tasks/tarsnap.yml
index 17db519..bc77ecf 100644
--- a/roles/common/tasks/tarsnap.yml
+++ b/roles/common/tasks/tarsnap.yml
@@ -10,7 +10,7 @@
 dest: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
 owner: root
 group: root
- mode: 0644
+ mode: "0644"
 register: download_tarsnap_signing_key
 when: not tarsnap_signing_key_stat.stat.exists
@@ -20,16 +20,14 @@
 dest: /etc/apt/sources.list.d/tarsnap.list
 owner: root
 group: root
- mode: 0644
+ mode: "0644"
 register: add_tarsnap_apt_repository
 when: ansible_architecture != 'armv7l'
 - name: Update apt cache
 ansible.builtin.apt: # noqa no-handler
 update_cache: true
- when:
- (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or
- add_tarsnap_apt_repository is changed
+ when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed
 - name: Install tarsnap
 ansible.builtin.apt:
@@ -42,6 +40,6 @@
 dest: /root/.tarsnaprc
 owner: root
 group: root
- mode: 0600
+ mode: "0600"
 # vim: set sw=2 ts=2:
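Review bot: The `ansible.builtin.template:` argument string in sshd.yml is now wrapped with `mode=0600` alone on a continuation line; as a multi-line plain scalar it folds back into one string so the task still works, but a `key=value` argument string that relies on YAML folding is fragile (a stray indent or a `: ` in a value breaks the whole argument list), and the `mode: "0600"` quoting fix applied everywhere else in this commit cannot be applied to it in this form. I'd move the arguments into a block mapping, which also keeps the templated `src:` quoted; the rewrite is below, with `when:`/`notify:` unchanged.
```yaml
- name: Reconfigure /etc/ssh/sshd_config
  ansible.builtin.template:
    src: "sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2"
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0600"
  # … unchanged: when / notify …
```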
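Review bot: The signing-key download whose `dest: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc` gets the mode fix at @@ -10 runs only `when: not tarsnap_signing_key_stat.stat.exists`, so whatever is fetched on the first run becomes the apt trust anchor and is never re-checked. The task's `url:` and any `checksum:` line are above the hunk, so I can't tell whether the fetch is pinned; if it is not, a single `checksum: sha256:<EXPECTED_DIGEST>` (placeholder) on the download is the cheapest way to make that first fetch verifiable, and a short comment above the task stating where the expected digest comes from would help the next reader. The task's `- name:` and module lines start above the hunk.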