Commit Graph

39 Commits

Author SHA1 Message Date
53d574dd12 roles/common: Add Alpine packages 2021-02-13 12:18:58 +02:00
dd2f65947d
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

    $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
      confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
      -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
      -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

    $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
    $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2020-11-06 15:44:57 +02:00
ba3004ef2b roles/common: Don't run rc.local task on Ubuntu 20.04
We haven't actually used rc.local since Ubuntu 16.04. Now anything
that we need to run at boot we can do with systemd anyways.
2020-06-08 12:15:29 +03:00
ef6ce2335e roles/common: Remove systemd-journald drop-in
Older Ubuntus originally didn't use a persistent journal, which was
somewhat of a surprise when looking at logs after a few months. Now
this does not seem to be an issue since Ubuntu 18.04. As for CentOS
I do not use that distro here so I don't need to care.
2020-06-08 12:15:29 +03:00
691deb4fa7
roles/common: Use a persistent systemd journal
The default systemd journal configuration on CentOS 7 and Ubuntu
16.04 does not keep journal logs for multiple boots. This limits
the usefulness of the journal entirely (for example, try to see
sshd logs from even two or three months ago!).

Changing the storage to "persistent" makes systemd keep the logs
on disk in /var/log/journal for up to 2% of the partition size.
2018-12-07 23:46:18 +02:00
ab27caf877
roles/common: Use dynamic include_tasks for firewall
Use dynamic includes instead of static imports when you are running
tasks conditionally or using variable interpolation. The down side
is that you need to then tag the parent task as well as all child
tasks, as tags only apply to children of statically imported tasks.
2018-04-25 18:58:31 +03:00
8b660dcfbe
roles/common: Use dynamic include_tasks for packages
Basically, when using conditionals or variables in your tasks you should
use include_tasks instead of import_tasks. The down side is that you now
need to tag all included tasks individually or with a block, unlike when
using static imports (tags are applied to all imported child tasks).

I would actually like to reduce this task to a single one that uses the
host's ansible_distribution variable, but Ansible 2.5.1 currently gives
the following error: ansible_distribution is undefined.
2018-04-25 18:46:28 +03:00
a7eb04a152
Import OS-specific vars from task in common role
We stopped being able to do dynamic includes from the playbooks around
Ansible 2.4.0.0 if I recall correctly. Instead we can create a task to
include the variables and make it always run by using the special tag.

For now the Debian and Ubuntu vars files are the same, but I will keep
them separate so that it is more flexible in the future.
2018-04-25 18:04:29 +03:00
92fe57a4da
Revert "Revert "roles/common: Use static imports for tasks""
This reverts commit 63c5477f85.

I'm actually still seeing this problem on Ansible 2.4.0.0 with Python
2.7.14.
2017-11-05 01:51:49 +02:00
7b60e6d24f
Revert "Import OS-specific vars in tasks instead of play"
This reverts commit e30e4d4b1e.

I suspect this was a side effect of using Python 3 rather than an
issue in Ansible 2.4.0.0.
2017-11-04 23:53:38 +02:00
63c5477f85
Revert "roles/common: Use static imports for tasks"
This reverts commit 5147f4029b.

I think this was a side effect of using Python 3, not a regression in
Ansible 2.4.0.0.
2017-11-04 23:53:25 +02:00
5147f4029b
roles/common: Use static imports for tasks
Something seems to have happened as of Ansible 2.4.0.0 where this no
longer works. I suspect it is related to the major changes to static
and dynamic imports that landed around this same time.

In practice this achieves the same function, but without the "magic"
ability to use one task for different operating systems.
2017-11-01 01:25:46 +02:00
e30e4d4b1e
Import OS-specific vars in tasks instead of play
Something seems to have happened as of Ansible 2.4.0.0 where this no
longer works. I suspect it is related to the major changes to static
and dynamic imports that landed around this same time.

We make sure that this tasks always runs by using the special tag of
the same name.
2017-11-01 01:21:48 +02:00
5281d41445
Add names to include tasks
Raised by ansible-lint in the following rule:

[ANSIBLE0011] All tasks should be named
2017-10-03 15:03:09 +03:00
ff6253213a
roles/common: Rename "iptables" task to "firewall" 2017-09-26 14:32:21 +03:00
58245e3480
roles/common/tasks/main.yml: Remove comment 2017-09-22 15:53:01 +03:00
16a9ebf97f
Adjust playbooks for Ansible 2.4 import changes
Ansible 2.4 changes the way includes work. Now you have to use "import"
for playbooks and tasks that are static, and "include" for those that
are dynamic (ie, those that use variables, loops, etc).

See: http://docs.ansible.com/ansible/devel/playbooks_reuse_includes.html
2017-09-21 21:30:47 +03:00
4f22052afe
roles/common: Remove duplicate timezone task
We set it in the separate ntp.yml playbook now, as there are a few
different systems we cater to (systemd, old ntp, etc).
2017-06-18 09:30:05 +03:00
5f656285c0
roles/common: Add a dedicated playbook for ntp tasks
Hosts with systemd should use its NTP client and explicitly remove
the `ntp` packages. Hosts with older init systems should use `ntp`.
2016-08-25 14:19:51 +03:00
da6d1e05b9
roles/common: Don't use ansible facts when we don't need to
No use testing the distro version only to use an ansible fact to
find the correct template.
2016-08-24 10:11:13 +03:00
861b5c5413
roles/common: Remove old comment from main playbook 2016-08-22 16:35:02 +03:00
6c6ff1b112
roles/common: Use ansible facts to reduce includes 2016-08-22 16:34:05 +03:00
d3a6e71ab8
roles/common: Use service module to enable systemd NTP client instead of timedatectl
The `timedatectl set-ntp on` command is actually just enabling the
systemd service anyways, so it's better we use Ansible's service
module.
2016-08-22 12:49:00 +03:00
06034a8b8b
roles/common: Use systemd's timedatectl for time stuff
Debian 8 and Ubuntu 16.04 use systemd, so we can make use of its
NTP stuff rather than using the standalone `ntp` package.
2016-06-27 10:30:11 +03:00
9266d48c9f
roles/common: Separate firewalld tasks for Ubuntu and Debian
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 12:06:25 +03:00
18ca44193d
roles/common: Add sysctl template for Debian hosts
Note: I've only tested this on a Debian container, and you can't
set these sysctls on containers (the host controls them). To make
matters worse, there is no fact to make ansible skip this on hosts
that are running in containers. For now I will just skip it on
hosts that are "virtualization" servers... even though we actually
do have KVM running on Debian on real hardware. *sigh*

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:12:17 +03:00
e15d1be867 roles/common: Add playbook for Debian packages
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:39 +03:00
8e0a292b1d
roles/common: Move sshd tasks to their own playbook
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:00:43 +03:00
3a5b50f941
roles/common: Set I/O scheduler via udev
All servers with non-rotating disks (SSDs) should be running noop,
and the rest should be running deadline.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:52:05 +03:00
9fda345a24
roles/common: Fix one logic mistake in rc.local task
I think it was originally supposed to be `ansible_os_family` but
we don't have anything other than Ubuntu, so let's just use that.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:43:21 +03:00
4a1158e163
roles/common: Remove CentOS rclocal task
No CentOS hosts here!

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:40:07 +03:00
891bd35171 roles/common: Move tags from subtask to main one
Child tasks inherit the tag of the parent.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:34:13 +03:00
4efb6edb7e
roles/common: Indent some yaml stuff in main.yml
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:31:29 +03:00
b70ae58f48
roles/common: Simplify when logic in main template
Less syntax is more readable syntax.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:29:41 +03:00
19f5b60cb7
Remove references to provisioning.yml
We aren't managing the provisioning user anymore, it is just assumed
to be there.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 16:53:48 +03:00
171798c76d roles/common: Add DSA/ECDSA cleanup to ssh tasks
We don't want to support these signature algorithms!

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-20 16:31:37 +03:00
1e2193efc9
roles/common: Add functionality to copy user keys to provisioning user
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 12:13:45 +03:00
c53dd18181
roles/common: Add role to manage provisioning user
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 12:11:44 +03:00
60b8ecdd4c
Initial commit
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-17 00:35:57 +03:00