diff --git a/.gitignore b/.gitignore
index 86413b8..bf83407 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,5 +2,6 @@
 .vault-pass
 .vault.yml
 .passbolt.yml
+inventories/local
 venv
 inventories/local
diff --git a/inventories/group_vars/all.yml b/inventories/group_vars/all.yml
index 5a3dad5..4a04185 100644
--- a/inventories/group_vars/all.yml
+++ b/inventories/group_vars/all.yml
@@ -12,7 +12,6 @@ main_dns_server: ns1.domain.local
 ldap_uri: ldap://ldap.domain.local
 ldap_base: dc=domain,dc=local
 dc_net: "10.0.0.0/16"
-resolv_domain: domain.local
 resolvers:
   - '8.8.8.8'
   - '8.8.4.4'
diff --git a/playbooks/debian.yml b/playbooks/debian.yml
index ac68e94..bbf97bb 100644
--- a/playbooks/debian.yml
+++ b/playbooks/debian.yml
@@ -1,13 +1,13 @@
 - name: Configure base Debian host
   hosts: all
   tasks:
-    - name: Configure virtual machine or host
+    - name: Configure virtual machine or host (not LXC)
       import_role:
         name: debian-host
       when: ansible_virtualization_role == 'host' or ansible_virtualization_type == 'kvm'
-    - name: Configure base system
+    - name: Configure base system (all)
       import_role:
-        name: debian-base
+        name: debian-base
     - name: Configure guest
       import_role:
         name: debian-guest
@@ -15,4 +15,4 @@
     - name: Configure virtual machine
       import_role:
         name: debian-qemu
-      when: ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'kvm'
+      when: ansible_virtualization_type == 'kvm'
diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml
index 6bd18b1..c9428f9 100644
--- a/roles/debian-base/defaults/main.yaml
+++ b/roles/debian-base/defaults/main.yaml
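Review bot: `inventories/local` is now listed twice in .gitignore, because the added line duplicates the entry that already closes the hunk. Git treats duplicate patterns as harmless, but the repetition will make the next reader wonder whether the two lines were meant to differ; drop one of them.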
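Review bot: The new `when: ansible_virtualization_type == 'kvm'` on the debian-qemu role no longer looks at `ansible_virtualization_role`, so as far as I can tell it also matches KVM hypervisors, where the facts report type `kvm` with role `host` — the same hosts the debian-host role is applied to at the top of the play. If the role is only meant for virtual machines, the role check is still needed, `when: ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'kvm'`; if applying it to hypervisors is intended, a comment on the task saying so would save the next reader the question. The task name `Configure virtual machine` reads as guest-only, which is what prompted this.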
@@ -5,3 +5,55 @@ fail2ban:
   bantime: 600
   maxretry: 4
   ignore: "127.0.0.0/8 {{ dc_net }}"
+  logpath: "/var/log/auth.log"
+fail2ban_base_packages:
+  - fail2ban
+  - rsyslog
+vn_host:
+  url: http://apt.verdnatura.es/pool/main/v/vn-host
+  package: vn-host_2.0.2_all.deb
+  name: vn-host
+time_server_spain: ntp.roa.es
+nagios_packages:
+  - nagios-nrpe-server
+  - nagios-plugins-contrib
+  - monitoring-plugins-basic
+base_packages:
+  - htop
+  - psmisc
+  - bash-completion
+  - screen
+  - aptitude
+  - tree
+  - btop
+  - ncdu
+  - debconf-utils
+  - net-tools
+locales_present:
+  - en_US.UTF-8
+  - es_ES.UTF-8
+master_cert_content: |
+  -----BEGIN CERTIFICATE-----
+  MIID6zCCAtOgAwIBAgIUDwR1QkWYb73hAeNnphytR1tGE0swDQYJKoZIhvcNAQEL
+  BQAwgYQxCzAJBgNVBAYTAkVTMQ4wDAYDVQQIDAVTcGFpbjERMA8GA1UEBwwIVmFs
+  ZW5jaWExHjAcBgNVBAoMFVZlcmRuYXR1cmEgTGV2YW50ZSBTTDETMBEGA1UECwwK
+  TWFzdGVyIEtleTEdMBsGA1UEAwwUYmFjdWxhLnZlcmRuYXR1cmEuZXMwHhcNMjMx
+  MDAxMTc1MzQyWhcNMzMwOTI4MTc1MzQyWjCBhDELMAkGA1UEBhMCRVMxDjAMBgNV
+  BAgMBVNwYWluMREwDwYDVQQHDAhWYWxlbmNpYTEeMBwGA1UECgwVVmVyZG5hdHVy
+  YSBMZXZhbnRlIFNMMRMwEQYDVQQLDApNYXN0ZXIgS2V5MR0wGwYDVQQDDBRiYWN1
+  bGEudmVyZG5hdHVyYS5lczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+  AJr2D9thvNVxmMyNO8wvFYZJeWLyc8RcNfjiKaY53RadMgXgsiAl4BlSNxc9ngqA
+  2z7ef4SK50pU9Pl6w1Ljua4lFnZqW9Ow6J9nT6wbdkkuilVoao+0wZBQCX19ToJg
+  LtgJ00KU2SH7KCi+mYdEY1oW/BsZy+QTJ6HYbOOjb/yISUp4crGE5h+vph1tyhC1
+  Vfj17wACmFjtZ52cQMWyQRT3kSrxTp4Y+xAsFUE9lTQaoBQ5XcRO5tmDnxEVKZIR
+  B5ZNatpY8em4CFUQ2B+9XPoXYY3KAzAh8U7fEqcZQ8x44LTVZjHvjXOlHwrcgYoh
+  P0Rbtv7uRbGBn9EviFW6lrUCAwEAAaNTMFEwHQYDVR0OBBYEFM1UYUBPXj82hm+W
+  UCXVSisi4bv6MB8GA1UdIwQYMBaAFM1UYUBPXj82hm+WUCXVSisi4bv6MA8GA1Ud
+  EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAC2gpGcsT2v2OfdxMaL9oI+B
+  EqHPrNM4UblRCyLF21JCEhYg3Ow9lseO3ObMz/cOJGsMgrvipUgxUNDuS+DpyG5E
+  tKO6895t30TIjICm9udVTyNzC3SyyP/kojNqA9mU8QU+fRdale+ruAJ/A0nbmP/v
+  uETeqHg49PfH98ce2pMpIiIm+UyvLDjH6KMcnt7KlxtSMxAD9ihK19M7m0CKL3PL
+  iNu7ZG2Ke7ai4wkIKiUpugWK/f2bXNY36/HJeoN9cKrfVQzh6jsoplj5qc7GtzQK
+  vbLOVOOXArPis1naT1aW5s/At2NaNpA3a9HjauzZgfIiU+ekIWEccU0OyRGxCGA=
+  -----END CERTIFICATE-----
+vn_witness: false
diff --git a/roles/debian-base/files/set-timezone.sh b/roles/debian-base/files/set-timezone.sh
deleted file mode 100644
index 9e17f1c..0000000
--- a/roles/debian-base/files/set-timezone.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-
-echo 'tzdata tzdata/Areas select Europe' | debconf-set-selections
-echo 'tzdata tzdata/Zones/Europe select Madrid' | debconf-set-selections
-echo 'tzdata tzdata/Zones/Etc select UTC' | debconf-set-selections
-rm /etc/timezone
-rm /etc/localtime
-dpkg-reconfigure -f noninteractive tzdata
diff --git a/roles/debian-base/handlers/main.yml b/roles/debian-base/handlers/main.yml
index 524348c..e2ee81e 100644
--- a/roles/debian-base/handlers/main.yml
+++ b/roles/debian-base/handlers/main.yml
@@ -1,21 +1,26 @@
-- name: restart-timesyncd
-  service:
+- name: restart systemd-timesyncd
+  systemd:
     name: systemd-timesyncd
     state: restarted
-- name: restart-exim
-  service:
-    name: exim4
-    state: restarted
 - name: restart-ssh
-  service:
+  systemd:
     name: ssh
     state: restarted
-- name: restart-fail2ban
-  service:
+- name: restart fail2ban
+  systemd:
     name: fail2ban
     state: restarted
 - name: restart-nrpe
-  service:
+  systemd:
     name: nagios-nrpe-server
     state: restarted
-
+- name: restart sshd
+  systemd:
+    name: sshd
+    state: restarted
+- name: generate locales
+  command: /usr/sbin/locale-gen
+- name: reconfigure tzdata
+  command: dpkg-reconfigure -f noninteractive tzdata
+- name: update exim configuration
+  command: /usr/sbin/update-exim4.conf
diff --git a/roles/debian-base/tasks/bacula.yml b/roles/debian-base/tasks/bacula.yml
index ef04a37..c42026c 100644
--- a/roles/debian-base/tasks/bacula.yml
+++ b/roles/debian-base/tasks/bacula.yml
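Review bot: `master_cert_content` and `vn_witness` are added to the role defaults without a comment saying what they are for, and for the certificate that matters: a reader has to decode the blob to learn that a `BEGIN CERTIFICATE` block is public material with no private key, not a secret that slipped into git. Suggested comment above it: `# Bacula master public certificate (no private key); written to /etc/bacula/master-cert.pem by tasks/bacula.yml`. Above `vn_witness: false`: `# Overridden by tasks/witness.yml on a host's first run; gates one-time actions such as SSH host key regeneration in tasks/ssh.yml`. A note on when the certificate expires and how it is rotated would also spare someone a surprise in ten years.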
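Review bot: The handler list now has both `restart-ssh` (unit `ssh`) and the new `restart sshd` (unit `sshd`), which on Debian are, as far as I know, aliases of the same unit, so a run that triggers both restarts the daemon twice and the two spellings invite inconsistent `notify:` lines (fail2ban.yml and ssh.yml in this change use the new one). Keep a single handler, `- name: restart sshd` with `name: ssh` (the canonical Debian unit name), and update any `notify: restart-ssh` callers, which are outside this diff. Note that `restart-timesyncd`, `restart-exim` and `restart-fail2ban` no longer exist under those names, so any task elsewhere in the repo still notifying them will fail at play load time; worth a grep before merging.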
@@ -2,19 +2,49 @@
   apt:
     name: bacula-fd
     state: present
-- name: Load Bacula default passwords
+- name: Read content file in base64
   slurp:
     src: /etc/bacula/common_default_passwords
-  register: bacula_passwords
+  register: file_content
+- name: Going to text plane
+  set_fact:
+    file_content_decoded: "{{ file_content.content | b64decode }}"
+- name: Extracting passwords
+  set_fact:
+    passwords: "{{ file_content_decoded.splitlines() | select('match', '^[^#]') | map('regex_replace', '^([^=]+)=(.+)$', '\\1:\\2') | list }}"
+- name: Initialize password dictionary
+  set_fact:
+    bacula_passwords: {}
+- name: Convert lines to individual variables generating a new dict
+  set_fact:
+    bacula_passwords: "{{ bacula_passwords | combine({item.split(':')[0].lower(): item.split(':')[1] | regex_replace('\\n$', '') }) }}"
+  loop: "{{ passwords }}"
+  when: "'FDPASSWD' in item or 'FDMPASSWD' in item"
 - name: Configure Bacula FD
   template:
     src: bacula-fd.conf
     dest: /etc/bacula/bacula-fd.conf
     owner: root
     group: bacula
-    mode: '0640'
+    mode: u=rw,g=r,o=
     backup: true
+  register: bacula_config
+- name: Configure master cert
+  copy:
+    content: "{{ master_cert_content }}"
+    dest: /etc/bacula/master-cert.pem
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+- name: Configure master cert
+  copy:
+    content: "{{ lookup(passbolt, 'fd-cert.pem', folder_parent_id=passbolt_folder).description }}"
+    dest: /etc/bacula/fd-cert.pem
+    owner: root
+    group: bacula
+    mode: u=rw,g=r,o=
 - name: Restart Bacula FD service
   service:
     name: bacula-fd
     state: restarted
+  when: bacula_config.changed
\ No newline at end of file
diff --git a/roles/debian-base/tasks/fail2ban.yml b/roles/debian-base/tasks/fail2ban.yml
index 709bafe..b0123d3 100644
--- a/roles/debian-base/tasks/fail2ban.yml
+++ b/roles/debian-base/tasks/fail2ban.yml
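Review bot: The director passwords parsed out of `/etc/bacula/common_default_passwords` pass through the `Extracting passwords` and `Convert lines…` set_fact tasks, and the passbolt-sourced FD certificate through the second `copy`, none of which has `no_log: true`, so a `-v` run prints the passwords as facts and `--diff` prints the certificate content to the console and to whatever collects the play output. Add `no_log: true` to those three tasks (and `diff: false` on the `Configure Bacula FD` template, whose rendered file embeds the passwords). Two smaller points: both `copy` tasks are named `Configure master cert` — the second should be `Configure FD cert` — and only `bacula_config` gates the restart, so a rotated master or FD certificate is written but the daemon keeps running with the old one; register the two copies and use `when: bacula_config.changed or master_cert.changed or fd_cert.changed`. Also `item.split(':')[1]` silently drops everything after a second colon, so a password containing `:` is truncated; `item.split(':', 1)[1]` keeps the remainder.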
@@ -1,15 +1,32 @@
-- name: Install fail2ban packages
+- name: Install fail2ban and rsyslog packages
   apt:
-    name: fail2ban
+    name: "{{ fail2ban_base_packages }}"
     state: present
-  loop:
-    - fail2ban
-    - rsyslog
+- name: Configure sshd_config settings
+  copy:
+    dest: /etc/ssh/sshd_config.d/vn-fail2ban.conf
+    content: |
+      # Do not edit this file! Ansible will overwrite it.
+
+      SyslogFacility AUTH
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+  notify: restart sshd
 - name: Configure fail2ban service
   template:
     src: jail.local
     dest: /etc/fail2ban/jail.local
     owner: root
     group: root
-    mode: '0644'
-    notify: restart-fail2ban
+    mode: u=rw,g=r,o=r
+  notify: restart fail2ban
+  register: jail
+- name: Ensure file for auth sshd custom log exists
+  file:
+    path: /var/log/auth.log
+    state: touch
+    owner: root
+    group: adm
+    mode: u=rw,g=r,o=
+  when: jail.changed
diff --git a/roles/debian-base/tasks/install.yml b/roles/debian-base/tasks/install.yml
index e02d485..396832c 100644
--- a/roles/debian-base/tasks/install.yml
+++ b/roles/debian-base/tasks/install.yml
@@ -1,10 +1,4 @@
 - name: Install base packages
   apt:
-    name: "{{ item }}"
+    name: "{{ base_packages }}"
     state: present
-  with_items:
-    - htop
-    - psmisc
-    - bash-completion
-    - screen
-    - aptitude
\ No newline at end of file
diff --git a/roles/debian-base/tasks/locale.yml b/roles/debian-base/tasks/locale.yml
index 218c067..9063486 100644
--- a/roles/debian-base/tasks/locale.yml
+++ b/roles/debian-base/tasks/locale.yml
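Review bot: The `/var/log/auth.log` task is gated on `when: jail.changed`, so the file is only created on the run that rewrites jail.local; a host whose jail.local is already correct but whose log file is missing (rsyslog not yet started, log rotated away, image built without it) will have fail2ban refuse to start the sshd jail because its `logpath` does not exist. Make the touch idempotent and drop the gate instead: add `modification_time: preserve` and `access_time: preserve` under `file:` and remove `when: jail.changed`. The sshd drop-in also relies on `Include /etc/ssh/sshd_config.d/*.conf` being present in sshd_config, which I believe Debian ships from bullseye on; a comment saying so would help if older hosts are in the inventory.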
@@ -1,15 +1,6 @@
-- name: Enable locale languages
-  lineinfile:
-    dest: /etc/locale.gen
-    regexp: "{{item.regexp}}"
-    line: "{{item.line}}"
+- name: make sure locales in variable are generated
+  locale_gen:
+    name: "{{ item }}"
     state: present
-  with_items:
-    - regexp: "^# es_ES.UTF-8 UTF-8"
-      line: "es_ES.UTF-8 UTF-8"
-    - regexp: "^# en_US.UTF-8 UTF-8"
-      line: "en_US.UTF-8 UTF-8"
-- name: Generate locale
-  command: locale-gen
-- name: Update locale
-  command: update-locale LANG=en_US.UTF-8
+  with_items: "{{ locales_present }}"
+  notify: generate locales
diff --git a/roles/debian-base/tasks/main.yml b/roles/debian-base/tasks/main.yml
index 405ee97..4db5680 100644
--- a/roles/debian-base/tasks/main.yml
+++ b/roles/debian-base/tasks/main.yml
@@ -1,3 +1,11 @@
+- import_tasks: witness.yml
+  tags: witness
+- import_tasks: resolv.yml
+  tags: resolv
+- import_tasks: timesync.yml
+  tags: timesync
+- import_tasks: ssh.yml
+  tags: ssh
 - import_tasks: defuser.yml
   tags: defuser
 - import_tasks: install.yml
@@ -16,3 +24,9 @@
   tags: vim
 - import_tasks: nrpe.yml
   tags: nrpe
+- import_tasks: fail2ban.yml
+  tags: fail2ban
+- import_tasks: bacula.yml
+  tags: bacula
+- import_tasks: vn-repo.yml
+  tags: vn-repo
diff --git a/roles/debian-base/tasks/motd.yml b/roles/debian-base/tasks/motd.yml
index a51f73b..486e705 100644
--- a/roles/debian-base/tasks/motd.yml
+++ b/roles/debian-base/tasks/motd.yml
@@ -2,6 +2,6 @@
   copy:
     src: motd
     dest: /etc/update-motd.d/90-vn
-    mode: '755'
+    mode: u=rwx,g=rx,o=rx
     owner: root
     group: root
diff --git a/roles/debian-base/tasks/nrpe.yml b/roles/debian-base/tasks/nrpe.yml
index 57ab588..b0aaf5e 100644
--- a/roles/debian-base/tasks/nrpe.yml
+++ b/roles/debian-base/tasks/nrpe.yml
@@ -1,10 +1,8 @@
 - name: Install NRPE packages
   apt:
-    name: "{{ item }}"
+    name: "{{ nagios_packages }}"
     state: present
-  loop:
-    - nagios-nrpe-server
-    - nagios-plugins-contrib
+    install_recommends: no
 - name: Set NRPE generic configuration
   template:
     src: nrpe.cfg
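Review bot: The removed `update-locale LANG=en_US.UTF-8` step was the only thing that set the system default locale, and nothing in the new task replaces it, so hosts provisioned from now on keep whatever `/etc/default/locale` they started with; if that is not intended, add a `lineinfile` task on `/etc/default/locale` with `regexp: '^LANG='` and `line: 'LANG=en_US.UTF-8'` after this one. The `notify: generate locales` handler is redundant as far as I know, since `locale_gen` runs `locale-gen` itself when it adds a locale. `with_items` could be `loop:` to match the other tasks rewritten in this change, and the task name could start with a capital like its siblings.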
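Review bot: `install_recommends: no` uses a YAML 1.1 boolean spelling; write `install_recommends: false` so the value reads the same under every parser and yamllint's truthy check. The same applies to `create: yes` in relayhost.yml, `force: yes` in ssh.yml, `enabled: yes` in timesync.yml and `enabled: no` / `masked: yes` in apparmor.yml later in this diff.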
diff --git a/roles/debian-base/tasks/profile.yml b/roles/debian-base/tasks/profile.yml
index 7b02471..e8df993 100644
--- a/roles/debian-base/tasks/profile.yml
+++ b/roles/debian-base/tasks/profile.yml
@@ -2,6 +2,6 @@
   copy:
     src: profile.sh
     dest: /etc/profile.d/vn.sh
-    mode: '644'
+    mode: u=rw,g=r,o=r
     owner: root
     group: root
diff --git a/roles/debian-base/tasks/relayhost.yml b/roles/debian-base/tasks/relayhost.yml
index 88ee3e2..dc04fe1 100644
--- a/roles/debian-base/tasks/relayhost.yml
+++ b/roles/debian-base/tasks/relayhost.yml
@@ -3,46 +3,27 @@
     name: exim4
     state: present
 - name: Prepare exim configuration
-  lineinfile:
-    dest: /etc/exim4/update-exim4.conf.conf
-    regexp: "{{ item.regexp }}"
-    line: "{{ item.line }}"
+  blockinfile:
+    path: /etc/exim4/update-exim4.conf.conf
+    marker_begin: '--- BEGIN VN ---'
+    marker_end: '--- END VN ---'
+    marker: "# {mark}"
+    block: |
+      dc_eximconfig_configtype='satellite'
+      dc_other_hostnames='{{ ansible_fqdn }}'
+      dc_local_interfaces='127.0.0.1'
+      dc_readhost='{{ ansible_fqdn }}'
+      dc_smarthost='{{ smtp_server }}'
+      dc_hide_mailname='true'
     state: present
-    mode: 0644
-  with_items:
-    - regexp: '^dc_eximconfig_configtype'
-      line: "dc_eximconfig_configtype='satellite'"
-    - regexp: '^dc_other_hostnames'
-      line: "dc_other_hostnames='{{ ansible_fqdn }}'"
-    - regexp: '^dc_local_interfaces'
-      line: "dc_local_interfaces='127.0.0.1'"
-    - regexp: '^dc_readhost'
-      line: "dc_readhost='{{ ansible_fqdn }}'"
-    - regexp: '^dc_relay_domains'
-      line: "dc_relay_domains=''"
-    - regexp: '^dc_minimaldns'
-      line: "dc_minimaldns='false'"
-    - regexp: '^dc_relay_nets'
-      line: "dc_relay_nets=''"
-    - regexp: '^dc_smarthost'
-      line: "dc_smarthost='{{ smtp_server }}'"
-    - regexp: '^CFILEMODE'
-      line: "CFILEMODE='644'"
-    - regexp: '^dc_use_split_config'
-      line: "dc_use_split_config='false'"
-    - regexp: '^dc_hide_mailname'
-      line: "dc_hide_mailname='true'"
-    - regexp: '^dc_mailname_in_oh'
-      line: "dc_mailname_in_oh='true'"
-    - regexp: '^dc_localdelivery'
-      line: "dc_localdelivery='mail_spool'"
-  notify: restart-exim
+    create: yes
+    mode: u=rw,g=r,o=r
+  notify: update exim configuration
   register: exim_config
-- name: Update exim configuration
-  command: update-exim4.conf
-  when: exim_config.changed
+- name: Force execution of handlers immediately
+  meta: flush_handlers
 - name: Sending mail to verify relay host configuration works
   shell: >
-    echo "If you see this message, relayhost on {{ ansible_fqdn }} has been configured correctly." \
+    sleep 2; echo "If you see this message, relayhost on {{ ansible_fqdn }} has been configured correctly." \
     | mailx -s "Relayhost test for {{ ansible_fqdn }}" "{{ sysadmin_mail }}"
   when: exim_config.changed
diff --git a/roles/debian-base/tasks/resolv.yml b/roles/debian-base/tasks/resolv.yml
new file mode 100644
index 0000000..1ee5af7
--- /dev/null
+++ b/roles/debian-base/tasks/resolv.yml
@@ -0,0 +1,22 @@
+- name: Check if DNS is already configured
+  stat:
+    path: /etc/resolv.conf
+  register: resolv_conf
+- name: Read /etc/resolv.conf
+  slurp:
+    path: /etc/resolv.conf
+  register: resolv_conf_content
+  when: resolv_conf.stat.exists
+- name: Check if DNS servers are already present
+  set_fact:
+    dns_configured: "{{ resolv_conf_content['content'] | b64decode | regex_search('^nameserver') is not none }}"
+  when: resolv_conf.stat.exists
+- name: Apply resolv.conf template only if DNS is not configured
+  template:
+    src: templates/resolv.conf
+    dest: /etc/resolv.conf
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+    backup: true
+  when: not resolv_conf.stat.exists or not dns_configured
diff --git a/roles/debian-base/tasks/ssh.yml b/roles/debian-base/tasks/ssh.yml
new file mode 100644
index 0000000..da7bca2
--- /dev/null
+++ b/roles/debian-base/tasks/ssh.yml
@@ -0,0 +1,22 @@
+- name: Generate SSH key pairs
+  openssh_keypair:
+    path: "/etc/ssh/ssh_host_{{ item.type }}_key"
+    type: "{{ item.type }}"
+    force: yes
+  when: vn_witness
+  loop:
+    - { type: 'rsa' }
+    - { type: 'ecdsa' }
+    - { type: 'ed25519' }
+  notify: restart sshd
+- name: Configure sshd_config settings
+  copy:
+    dest: /etc/ssh/sshd_config.d/vn-listenipv4.conf
+    content: |
+      # Do not edit this file! Ansible will overwrite it.
+
+      ListenAddress 0.0.0.0
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+  notify: restart sshd
\ No newline at end of file
diff --git a/roles/debian-base/tasks/timesync.yml b/roles/debian-base/tasks/timesync.yml
index 708a409..57974cf 100644
--- a/roles/debian-base/tasks/timesync.yml
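Review bot: The `blockinfile` block lands at the end of `update-exim4.conf.conf` by default, below the stock Debian lines that already assign `dc_eximconfig_configtype`, `dc_smarthost` and friends; since update-exim4.conf reads that file as a shell snippet, the last assignment wins, so this works only while the block stays last — that reliance deserves a comment on the task, e.g. `# Appended below the stock dc_* lines: the last assignment wins when update-exim4.conf sources this file`. Seven settings the old task managed (`dc_relay_domains`, `dc_minimaldns`, `dc_relay_nets`, `CFILEMODE`, `dc_use_split_config`, `dc_mailname_in_oh`, `dc_localdelivery`) are no longer set at all, which is fine on a stock file but leaves them undefined when `create: yes` builds the file from scratch; presumably deliberate, but worth confirming. The new `sleep 2;` in the test-mail command has no explanation — if it waits for exim to pick up the regenerated configuration after `flush_handlers`, say so in a comment, since unexplained sleeps tend to grow.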
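Review bot: `regex_search('^nameserver')` anchors only at the start of the whole file, so on any resolv.conf that begins with `domain`/`search` lines — including the one this very template writes — `dns_configured` evaluates to false and the template is re-applied, with a fresh backup file, on every run. Use `regex_search('^nameserver', multiline=True)`. On hosts running systemd-resolved, `/etc/resolv.conf` is normally a symlink to the stub file, which does contain `nameserver 127.0.0.53`, so the template is skipped there; if that is not the intent, the check needs to look at the actual servers rather than the presence of any `nameserver` line.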
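Review bot: `force: yes` regenerates all three host keys whenever `vn_witness` is true, and witness.yml sets it true on every host that has no `/etc/vn.witness` yet — which is every already-provisioned host the first time this version of the role runs against it. Their SSH host keys will silently change, breaking `known_hosts` for every client and any automation with strict host key checking (the play itself survives on its persistent connection and then restarts sshd via the handler). Either seed `/etc/vn.witness` on the existing fleet before rolling this out, or gate the keygen task on an explicit opt-in variable in addition to `vn_witness` (name to pick, defaulting to false), and document the rollout in a comment above the task. The `ListenAddress 0.0.0.0` drop-in also stops sshd listening on IPv6; if that is intentional, the file name says so but a comment in the `content:` block would make it explicit.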
+++ b/roles/debian-base/tasks/timesync.yml
@@ -1,21 +1,23 @@
-- name: Configure /etc/systemd/timesyncd.conf
-  lineinfile:
-    path: /etc/systemd/timesyncd.conf
-    regexp: '^#NTP'
-    line: "NTP={{ time_server }}"
+- name: Ensure directory for timesyncd custom configuration exists
+  file:
+    path: /etc/systemd/timesyncd.conf.d/
+    state: directory
     owner: root
     group: root
-    mode: '0644'
-- name: Configure /etc/systemd/timesyncd.conf
-  lineinfile:
-    path: /etc/systemd/timesyncd.conf
-    regexp: '^#?FallbackNTP='
-    line: "FallbackNTP=ntp.roa.es"
+    mode: u=rwx,g=rx,o=rx
+- name: Configure NTP settings in /etc/systemd/timesyncd.conf.d/vn-ntp.conf
+  copy:
+    dest: /etc/systemd/timesyncd.conf.d/vn-ntp.conf
+    content: |
+      [Time]
+      NTP={{ time_server }}
+      FallbackNTP={{ time_server_spain }}
     owner: root
     group: root
-    mode: '0644'
+    mode: u=rw,g=r,o=r
   notify: restart systemd-timesyncd
-- name: Service should start on boot
+- name: Ensure systemd-timesyncd service is enabled and started
   service:
     name: systemd-timesyncd
     enabled: yes
+    state: started
diff --git a/roles/debian-base/tasks/tzdata.yml b/roles/debian-base/tasks/tzdata.yml
index f5e34a8..3f9bf17 100644
--- a/roles/debian-base/tasks/tzdata.yml
+++ b/roles/debian-base/tasks/tzdata.yml
@@ -1,2 +1,11 @@
-- name: Configure the time zone
-  script: set-timezone.sh
+- name: Configure debconf for tzdata
+  debconf:
+    name: tzdata
+    question: "{{ item.question }}"
+    value: "{{ item.value }}"
+    vtype: "string"
+  loop:
+    - { question: "tzdata/Areas", value: "Europe" }
+    - { question: "tzdata/Zones/Europe", value: "Madrid" }
+    - { question: "tzdata/Zones/Etc", value: "UTC" }
+  notify: reconfigure tzdata
diff --git a/roles/debian-base/tasks/vim.yml b/roles/debian-base/tasks/vim.yml
index d89ef6f..2d40113 100644
--- a/roles/debian-base/tasks/vim.yml
+++ b/roles/debian-base/tasks/vim.yml
@@ -6,6 +6,6 @@
   copy:
     src: vimrc.local
     dest: /etc/vim/
-    mode: '644'
+    mode: u=rw,g=r,o=r
     owner: root
     group: root
\ No newline at end of file
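Review bot: Hosts configured by the previous version of this file still carry the `NTP=` and `FallbackNTP=` lines that lineinfile wrote into `/etc/systemd/timesyncd.conf`; the new drop-in should take precedence (drop-ins are parsed after the main file, as far as I know), but the stale lines are never removed and will mislead anyone debugging time sync on those hosts. A `lineinfile` with `path: /etc/systemd/timesyncd.conf`, `regexp: '^(NTP|FallbackNTP)='` and `state: absent` before the drop-in task would retire them. This file also keeps `service:` while the handlers in the same change moved to `systemd:`; one module throughout would read better.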
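Review bot: The deleted set-timezone.sh removed `/etc/timezone` and `/etc/localtime` before calling `dpkg-reconfigure`, and nothing here does the equivalent: as far as I recall, tzdata's config script syncs its debconf answers from the existing `/etc/localtime` when one is present, so on a host already set to another zone the preseeded `tzdata/Zones/Europe=Madrid` may be overwritten and the reconfigure handler becomes a no-op. Worth verifying on a host with a non-Madrid zone before relying on this; the `community.general.timezone` module (`timezone:` / `name: Europe/Madrid`) sets the zone directly and sidesteps the debconf round-trip, if the collection is available to this repo. Whichever way it goes, a comment above the task explaining why the old file removals were dropped would help the next reader.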
diff --git a/roles/debian-base/tasks/vn-repo.yml b/roles/debian-base/tasks/vn-repo.yml
index c0fdfff..2c63da7 100644
--- a/roles/debian-base/tasks/vn-repo.yml
+++ b/roles/debian-base/tasks/vn-repo.yml
@@ -1,12 +1,3 @@
-- name: Download vn-host Debian package
-  get_url:
-    url: "{{ vn_host.url }}/{{ vn_host.package }}"
-    dest: "/tmp/{{ vn_host.package }}"
-    mode: '0644'
 - name: Install package
   apt:
-    deb: "/tmp/{{ vn_host.package }}"
-- name: Delete package
-  file:
-    path: "/tmp/{{ vn_host.package }}"
-    state: absent
+    deb: "{{ vn_host.url }}/{{ vn_host.package }}"
diff --git a/roles/debian-base/tasks/witness.yml b/roles/debian-base/tasks/witness.yml
new file mode 100644
index 0000000..26129d8
--- /dev/null
+++ b/roles/debian-base/tasks/witness.yml
@@ -0,0 +1,12 @@
+- name: Check if witness have been generated
+  stat:
+    path: /etc/vn.witness
+  register: keys_generated_marker
+- name: Generate variable if not exists
+  set_fact:
+    vn_witness: "{{ not keys_generated_marker.stat.exists }}"
+- name: Create marker file to indicate vn happends
+  file:
+    path: /etc/vn.witness
+    state: touch
+  when: vn_witness
\ No newline at end of file
diff --git a/roles/debian-base/templates/bacula-fd.conf b/roles/debian-base/templates/bacula-fd.conf
index e205166..0e2d00a 100644
--- a/roles/debian-base/templates/bacula-fd.conf
+++ b/roles/debian-base/templates/bacula-fd.conf
@@ -1,10 +1,10 @@
 Director {
   Name = bacula-dir
-  Password = "{{ FDPASSWD }}"
+  Password = "{{ bacula_passwords.fdpasswd }}"
 }
 Director {
   Name = bacula-mon
-  Password = "{{ FDMPASSWD }}"
+  Password = "{{ bacula_passwords.fdmpasswd }}"
   Monitor = yes
 }
 FileDaemon {
diff --git a/roles/debian-base/templates/jail.local b/roles/debian-base/templates/jail.local
index 838b4ed..d3840df 100644
--- a/roles/debian-base/templates/jail.local
+++ b/roles/debian-base/templates/jail.local
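Review bot: `deb: "{{ vn_host.url }}/{{ vn_host.package }}"` installs a package fetched over plain HTTP (the default `vn_host.url` in this diff is `http://apt.verdnatura.es/...`) and a direct `.deb` install performs no signature check, so anything able to tamper with that connection can place root-level code on every host the role touches; the previous `get_url` had the same gap, but this rewrite is the moment to close it. Serve the package over HTTPS and pin its digest — keep a `get_url` step with `checksum: "sha256:<DIGEST — placeholder, take from the release>"` and install the local file — or publish it in a signed apt repository and use `apt: name: vn-host` with the repository configured once. Note `vn_host.name` is added to the defaults but nothing in this diff reads it.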
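Review bot: The marker `/etc/vn.witness` is created in the same file that computes `vn_witness`, i.e. before ssh.yml (imported later in tasks/main.yml) has regenerated the host keys, so if that keygen task fails the marker already exists and the one-time actions never run again on that host. Move the `Create marker file` task to the end of the role, or into ssh.yml after the `openssh_keypair` task, so the marker records completion rather than intent. Minor wording: `Check if witness have been generated` and `Create marker file to indicate vn happends` would read better as `Check if first-run marker exists` and `Create first-run marker file`, and the file deserves a header comment stating that the marker gates one-time provisioning steps.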
@@ -14,7 +14,9 @@ action = %(action_)s
 #+++++++++++++++ Jails
 
 [sshd]
+ignoreip = 127.0.0.1/8
 enabled = true
 port = 0:65535
 filter = sshd
-logpath = %(sshd_log)s
+logpath = {{ fail2ban.logpath }}
+action = %(action_mwl)s
diff --git a/roles/debian-base/templates/nrpe.cfg b/roles/debian-base/templates/nrpe.cfg
index 7efab1f..99329fd 100644
--- a/roles/debian-base/templates/nrpe.cfg
+++ b/roles/debian-base/templates/nrpe.cfg
@@ -1,4 +1,5 @@
 allowed_hosts={{ nagios_server }}
+server_address={{ ansible_default_ipv4.address }}
 
 command[check_disk_root]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p /
 command[check_disk_var]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p /var
diff --git a/roles/debian-host/templates/resolv.conf b/roles/debian-base/templates/resolv.conf
similarity index 60%
rename from roles/debian-host/templates/resolv.conf
rename to roles/debian-base/templates/resolv.conf
index cce81b4..52a1891 100644
--- a/roles/debian-host/templates/resolv.conf
+++ b/roles/debian-base/templates/resolv.conf
@@ -1,5 +1,5 @@
-domain {{ resolv_domain }}
-search {{ resolv_domain }}
+domain {{ host_domain }}
+search {{ host_domain }}
 {% if resolvers is defined %}
 {% for resolver in resolvers %}
 nameserver {{resolver}}
diff --git a/roles/debian-base/vars/main.yml b/roles/debian-base/vars/main.yml
deleted file mode 100644
index 17fe0d6..0000000
--- a/roles/debian-base/vars/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-vn_host:
-  url: http://apt.verdnatura.es/pool/main/v/vn-host
-  package: vn-host_2.0.2_all.deb
diff --git a/roles/debian-guest/handlers/main.yml b/roles/debian-guest/handlers/main.yml
index 1764d05..2da7a1c 100644
--- a/roles/debian-guest/handlers/main.yml
+++ b/roles/debian-guest/handlers/main.yml
@@ -2,5 +2,3 @@
   service:
     name: nslcd
     state: restarted
-- name: pam-update-ldap
-  shell: pam-auth-update --enable ldap
diff --git a/roles/debian-guest/tasks/auth.yml b/roles/debian-guest/tasks/auth.yml
index 7930b91..62506be 100644
--- a/roles/debian-guest/tasks/auth.yml
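Review bot: `ignoreip = 127.0.0.1/8` inside `[sshd]` replaces, rather than extends, whatever `ignoreip` the `[DEFAULT]` section sets; if that section (outside this hunk) is rendered from `fail2ban.ignore`, whose default is `127.0.0.0/8 {{ dc_net }}`, the sshd jail stops honouring the `dc_net` exclusion and will start banning the management network on repeated failures. Either drop the per-jail line or write `ignoreip = {{ fail2ban.ignore }}` here as well. `action = %(action_mwl)s` mails whois output and log lines on every ban; that needs the `whois` package, which is not in `fail2ban_base_packages`, and a working relayhost — a comment here, or the package added to the list, would keep those two facts next to the setting that depends on them.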
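Review bot: `server_address={{ ansible_default_ipv4.address }}` makes the template fail with an undefined-variable error on any host without a default IPv4 route, where `ansible_default_ipv4` is an empty dict, and it also binds NRPE to that one address only, so checks arriving on another interface stop working — probably intended, but not stated. Wrap the line in `{% if ansible_default_ipv4.address is defined %}` / `server_address={{ ansible_default_ipv4.address }}` / `{% endif %}`, and add a `# bind only on the primary interface` comment so the narrowing is visibly deliberate.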
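Review bot: The renamed template now reads `host_domain`, but this change only removes `resolv_domain` from group_vars/all.yml and defines `host_domain` nowhere in the diff; unless it already exists in inventory, every host that reaches the `Apply resolv.conf template` task in tasks/resolv.yml will fail on an undefined variable. If it is inventory-provided, a header comment naming the source — `{# host_domain and resolvers are expected from inventory group_vars #}` — keeps the contract visible from the template itself.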
+++ b/roles/debian-guest/tasks/auth.yml
@@ -11,7 +11,7 @@
     mode: '0640'
   notify:
     - restart-nslcd
-    - pam-update-ldap
+  register: nslcd
 - name: Configure nsswitch to use NSLCD
   lineinfile:
     dest: /etc/nsswitch.conf
diff --git a/roles/debian-host/handlers/main.yml b/roles/debian-host/handlers/main.yml
index 35f2de4..45b25b1 100644
--- a/roles/debian-host/handlers/main.yml
+++ b/roles/debian-host/handlers/main.yml
@@ -1,4 +1,4 @@
 - name: restart-sysctl
-  service:
+  systemd:
     name: systemd-sysctl
-    state: restarted
+    state: restarted
\ No newline at end of file
diff --git a/roles/debian-host/tasks/apparmor.yml b/roles/debian-host/tasks/apparmor.yml
index 38a2e8f..a239254 100644
--- a/roles/debian-host/tasks/apparmor.yml
+++ b/roles/debian-host/tasks/apparmor.yml
@@ -1,5 +1,12 @@
-- name: Disable AppArmor
-  service:
+- name: Stop AppArmor
+  systemd:
     name: apparmor
     state: stopped
+- name: Disable AppArmor service
+  systemd:
+    name: apparmor
     enabled: no
+- name: Mask AppArmor service
+  systemd:
+    name: apparmor
+    masked: yes
\ No newline at end of file
diff --git a/roles/debian-host/tasks/hostname.yml b/roles/debian-host/tasks/hostname.yml
index ee8fceb..e1ed68b 100644
--- a/roles/debian-host/tasks/hostname.yml
+++ b/roles/debian-host/tasks/hostname.yml
@@ -2,11 +2,8 @@
   hostname:
     name: "{{ inventory_hostname_short }}"
     use: debian
-- name: Configure hosts file
-  blockinfile:
+- name: Populating hosts file with hostname
+  lineinfile:
     path: /etc/hosts
-    marker_begin: '--- BEGIN VN ---'
-    marker_end: '--- END VN ---'
-    marker: "# {mark}"
-    block: |
-      {{ ansible_default_ipv4.address }} {{ hostname_fqdn }} {{ inventory_hostname_short }}
+    regexp: '^127\.0\.1\.1'
+    line: '127.0.1.1 {{ hostname_fqdn }} {{ inventory_hostname_short }}'
diff --git a/roles/debian-host/tasks/resolv.yml b/roles/debian-host/tasks/resolv.yml
deleted file mode 100644
index 9aeb5a4..0000000
--- a/roles/debian-host/tasks/resolv.yml
+++ /dev/null
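Review bot: With the `pam-update-ldap` notification dropped here and its handler deleted in roles/debian-guest/handlers, `pam-auth-update --enable ldap` is no longer run anywhere in this diff, so on a freshly provisioned guest PAM may never be switched to LDAP even though nslcd is configured; the new `register: nslcd` is not consumed by anything visible either. If the profile is now enabled by some other path (the libpam-ldapd package's own postinst, presumably), a comment on this task saying so would stop the next person from re-adding the handler; otherwise it is still needed. The enclosing task starts above this hunk.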
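Review bot: Stopping, disabling and masking AppArmor removes a mandatory access control layer from every hypervisor, and nothing in the file says why; add a comment above the first task recording the reason (`# AppArmor is disabled on hypervisors because <reason — fill in>`) so the decision is not quietly reverted or copied elsewhere without thought. If the systemd module version in use accepts it, `state: stopped` and `masked: true` can be one task, since a masked unit cannot be enabled or started anyway. `enabled: no` and `masked: yes` should be `false` / `true`.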
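Review bot: Hosts already configured by the previous `blockinfile` version keep the `# --- BEGIN VN --- … # --- END VN ---` block in `/etc/hosts`, mapping the FQDN to the primary IP, while the new `lineinfile` adds a second mapping to `127.0.1.1`; nothing removes the old block, so those hosts end up with two entries for the same name and resolution depends on file order. A `blockinfile` with the same markers and `state: absent`, run before the new task, would clean that up. The hunk's `hostname:` task starts above this view.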
@@ -1,9 +0,0 @@
-- name: Replace /etc/resolv.conf
-  template:
-    src: resolv.conf
-    dest: /etc/
-    owner: root
-    group: root
-    mode: '0644'
-    backup: true
-  when: resolv_enabled
diff --git a/roles/debian-host/tasks/sysctl.yml b/roles/debian-host/tasks/sysctl.yml
index be8eaf7..aab1e57 100644
--- a/roles/debian-host/tasks/sysctl.yml
+++ b/roles/debian-host/tasks/sysctl.yml
@@ -1,4 +1,4 @@
-- name: Set systctl configuration
+- name: Set systctl custom vn configuration
   copy:
     src: sysctl/
     dest: /etc/sysctl.d/
diff --git a/roles/debian-once/tasks/main.yml b/roles/debian-once/tasks/main.yml
index b77c6fc..e5da03c 100644
--- a/roles/debian-once/tasks/main.yml
+++ b/roles/debian-once/tasks/main.yml
@@ -1,4 +1,2 @@
-- import_tasks: ssh.yml
-  tags: ssh
 - import_tasks: root.yml
   tags: root
diff --git a/roles/debian-once/tasks/ssh.yml b/roles/debian-once/tasks/ssh.yml
deleted file mode 100644
index 84877cc..0000000
--- a/roles/debian-once/tasks/ssh.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-- name: Delete old host SSH keys
-  file:
-    path: "{{ item }}"
-    state: absent
-  with_items:
-    - /etc/ssh/ssh_host_ecdsa_key
-    - /etc/ssh/ssh_host_ed25519_key
-    - /etc/ssh/ssh_host_rsa_key
-- name: Regenerate host SSH keys
-  command: dpkg-reconfigure openssh-server
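Review bot: The rewritten task name still reads `Set systctl custom vn configuration`; the typo predates this change, but since the line is being touched anyway it should become `Set sysctl custom vn configuration`. The rest of the `copy` task lies below the hunk.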