diff --git a/roles/backuphost/tasks/main.yaml b/roles/backuphost/tasks/main.yaml index a424e67..050eb03 100644 --- a/roles/backuphost/tasks/main.yaml +++ b/roles/backuphost/tasks/main.yaml @@ -1,18 +1,18 @@ # TODO: Make backup user part of AD --- - name: "Add backup user" - ansible.builtin.user: + user: name: backup comment: Backup user shell: /bin/bash - name: Create .ssh directory of backup user - ansible.builtin.file: + file: path: /home/backup/.ssh state: directory - name: Copy authorized_keys - ansible.builtin.copy: + copy: src: authorized_keys dest: /home/backup/.ssh/authorized_keys mode: 0600 @@ -20,7 +20,7 @@ group: backup - name: Copy ssh config - ansible.builtin.copy: + copy: src: ssh_config dest: /home/backup/.ssh/config mode: 0600 diff --git a/roles/backupscript/tasks/main.yaml b/roles/backupscript/tasks/main.yaml index a394464..0920e03 100644 --- a/roles/backupscript/tasks/main.yaml +++ b/roles/backupscript/tasks/main.yaml @@ -1,6 +1,6 @@ --- - name: "Generate backupscript" - ansible.builtin.template: + template: src: backupscript.sh dest: /etc/cron.weekly/backupscript owner: root @@ -8,12 +8,12 @@ mode: '0700' - name: Create .ssh directory of root user - ansible.builtin.file: + file: path: /root/.ssh state: directory - name: Copy ssh config - ansible.builtin.copy: + copy: src: ssh_config dest: /root/.ssh/config mode: 0600 diff --git a/roles/common/tasks/apt.yaml b/roles/common/tasks/apt.yaml index be8a630..189c723 100644 --- a/roles/common/tasks/apt.yaml +++ b/roles/common/tasks/apt.yaml 
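Review bot: The `.ssh` directory for the backup user is created with only `path` and `state: directory`, so it is root-owned with the umask default (typically 0755) while the `authorized_keys` copied into it is `mode: 0600`; adding `owner: backup`, `group: backup` and `mode: '0700'` to that `file:` task makes the key directory's permissions explicit rather than umask-dependent. The same applies to the `/root/.ssh` task in the backupscript hunk on this line and to the ansible user's `.ssh` task in user-ops further down. Separately, every hunk in this commit swaps the `ansible.builtin.` prefix for the short module name; if that is for compatibility with an Ansible release predating the builtin collection it is fine, but otherwise short names are resolved through the collection search order and ansible-lint's `fqcn` rule flags them, so a one-line comment in the role stating the reason would help the next reader.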
@@ -1,26 +1,26 @@ --- - name: "Use custom Ubuntu mirror" - ansible.builtin.replace: + replace: path: /etc/apt/sources.list regexp: 'http://hu.archive.ubuntu.com' replace: 'https://mirror.niif.hu' backup: yes - name: "Remove Ubuntu bloatware" - ansible.builtin.apt: + apt: state: absent name: ubutu-server autoremove: yes - name: "Update machine" - ansible.builtin.apt: + apt: update_cache: yes upgrade: "yes" autoclean: yes autoremove: yes - name: "Install my favourite applications" - ansible.builtin.apt: + apt: update_cache: yes state: present name: diff --git a/roles/common/tasks/clean-motd.yaml b/roles/common/tasks/clean-motd.yaml index e691b6b..0bee66c 100644 --- a/roles/common/tasks/clean-motd.yaml +++ b/roles/common/tasks/clean-motd.yaml @@ -1,6 +1,6 @@ --- - name: clean motd - ansible.builtin.file: + file: state: touch owner: tormakris@intra.tormakris.dev group: domain users@intra.tormakris.dev diff --git a/roles/common/tasks/disable-cloudinit.yaml b/roles/common/tasks/disable-cloudinit.yaml index 032878e..5b87ed4 100644 --- a/roles/common/tasks/disable-cloudinit.yaml +++ b/roles/common/tasks/disable-cloudinit.yaml @@ -1,12 +1,12 @@ --- - name: disable cloudinit - ansible.builtin.copy: + copy: content: "" dest: /etc/cloud/cloud-init.disabled force: no - name: disable network autoconfig - ansible.builtin.copy: + copy: content: "network: {config: disabled}" dest: /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg force: no diff --git a/roles/common/tasks/node-exporter.yaml b/roles/common/tasks/node-exporter.yaml index d7d07b5..e00d1e3 100644 --- a/roles/common/tasks/node-exporter.yaml +++ b/roles/common/tasks/node-exporter.yaml @@ -1,6 +1,6 @@ --- - name: "Install node exporter" - ansible.builtin.apt: + apt: update_cache: yes state: present name: @@ -14,7 +14,7 @@ src: 192.168.69.0/24 - name: Enable and restart exporter daemon - ansible.builtin.service: + service: name: prometheus-node-exporter state: restarted enabled: yes 
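Review bot: The package name `ubutu-server` in the "Remove Ubuntu bloatware" task looks like a typo for `ubuntu-server`; with the misspelling, `apt` with `state: absent` most likely treats the unknown package as not installed and the task silently never removes anything. If the metapackage is the intended target, the line should read `name: ubuntu-server`. The `backup: yes`, `autoremove: yes` and `update_cache: yes` values are YAML 1.1 truthy forms; `true` keeps them unambiguous across parsers, while the quoted `upgrade: "yes"` is correct as that parameter is a string choice.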
diff --git a/roles/common/tasks/remove-snap.yaml b/roles/common/tasks/remove-snap.yaml index 2f7b59e..3a9f163 100644 --- a/roles/common/tasks/remove-snap.yaml +++ b/roles/common/tasks/remove-snap.yaml @@ -1,13 +1,13 @@ --- - name: Remove snapd from Ubuntu - ansible.builtin.apt: + apt: name: snapd state: absent purge: yes when: ansible_distribution == "Ubuntu" - name: Remove snapd-related directories - ansible.builtin.file: + file: path: "{{ item }}" state: absent with_items: diff --git a/roles/common/tasks/ssh-security-settings.yaml b/roles/common/tasks/ssh-security-settings.yaml index adfee6c..f047ee7 100644 --- a/roles/common/tasks/ssh-security-settings.yaml +++ b/roles/common/tasks/ssh-security-settings.yaml @@ -1,24 +1,24 @@ --- - name: Disable root authentication - ansible.builtin.replace: + replace: path: /etc/ssh/sshd_config regexp: '#PermitRootLogin prohibit-password' replace: 'PermitRootLogin no' - name: Disable X11 forwarding - ansible.builtin.replace: + replace: path: /etc/ssh/sshd_config regexp: 'X11Forwarding yes' replace: 'X11Forwarding no' - name: Explicitly only listen on ipv4 - ansible.builtin.replace: + replace: path: /etc/ssh/sshd_config regexp: '#AddressFamily any' replace: 'AddressFamily inet' - name: "Restart sshd" - ansible.builtin.service: + service: name: sshd state: restarted ... diff --git a/roles/common/tasks/timesync.yaml b/roles/common/tasks/timesync.yaml index f9d6c38..3bae0b6 100644 --- a/roles/common/tasks/timesync.yaml +++ b/roles/common/tasks/timesync.yaml 
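Review bot: The three `replace` tasks in ssh-security-settings match only the exact distro-default text (`#PermitRootLogin prohibit-password`, `X11Forwarding yes`, `#AddressFamily any`), so on a host where the directive was already uncommented or set to another value nothing is changed and the hardening is not actually enforced; `lineinfile` with an anchored regexp asserts the desired state regardless of the current line, e.g. `regexp: '^#?PermitRootLogin'` and `line: 'PermitRootLogin no'`. sshd is then restarted unconditionally with `state: restarted` and without a config check, so a malformed edit would cut off remote access; adding `validate: '/usr/sbin/sshd -t -f %s'` to each edit task and moving the restart into a handler notified by them avoids both problems. On releases whose `sshd_config` carries an `Include /etc/ssh/sshd_config.d/*.conf` line a drop-in can still override these values, so the effective setting is worth confirming with `sshd -T` after the play.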
@@ -1,18 +1,18 @@ --- - name: Setup timesync config - ansible.builtin.template: + template: src: timesyncd.conf.template dest: /etc/systemd/timesyncd.conf notify: run Timedatectl when: ansible_service_mgr == "systemd" - name: set Timezone - ansible.builtin.timezone: name={{ timedatectl_timezone }} + timezone: name={{ timedatectl_timezone }} when: ansible_service_mgr == "systemd" - name: Reastart timesyncd to apply changes when: ansible_service_mgr == "systemd" - ansible.builtin.systemd: + systemd: state: restarted daemon_reload: yes name: systemd-timesyncd diff --git a/roles/common/tasks/ufw.yaml b/roles/common/tasks/ufw.yaml index f35ef19..6e226eb 100644 --- a/roles/common/tasks/ufw.yaml +++ b/roles/common/tasks/ufw.yaml @@ -1,6 +1,6 @@ --- - name: "Install ufw via apt" - ansible.builtin.apt: + apt: update_cache: yes state: present name: diff --git a/roles/common/tasks/user-ops.yaml b/roles/common/tasks/user-ops.yaml index 91dd14b..bbe32fd 100644 --- a/roles/common/tasks/user-ops.yaml +++ b/roles/common/tasks/user-ops.yaml @@ -1,13 +1,13 @@ --- - name: Create .ssh directory of ansible user - ansible.builtin.file: + file: path: /home/ansible@intra.tormakris.dev/.ssh state: directory owner: ansible@intra.tormakris.dev group: domain users@intra.tormakris.dev - name: Copy authorized_keys - ansible.builtin.copy: + copy: src: authorized_keys dest: /home/ansible@intra.tormakris.dev/.ssh/authorized_keys mode: 0600 @@ -15,7 +15,7 @@ group: domain users@intra.tormakris.dev - name: Check if group is present in sudoers - ansible.builtin.lineinfile: + lineinfile: state: absent path: /etc/sudoers regexp: "^%linuxadmins" @@ -24,7 +24,7 @@ register: checksudoers - name: Define group in sudoers - ansible.builtin.lineinfile: + lineinfile: state: present path: /etc/sudoers line: "%linuxadmins@intra.tormakris.dev ALL=(ALL) NOPASSWD: ALL" diff --git a/roles/docker/tasks/main.yaml b/roles/docker/tasks/main.yaml index 55d95bb..7dcfab4 100644 --- a/roles/docker/tasks/main.yaml 
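Review bot: The "Define group in sudoers" task in user-ops writes `%linuxadmins@intra.tormakris.dev ALL=(ALL) NOPASSWD: ALL` straight into `/etc/sudoers` without `validate`, so a typo in that line leaves sudo unusable for everyone on the host; `lineinfile` supports `validate: '/usr/sbin/visudo -cf %s'` for exactly this case, and a separate file under `/etc/sudoers.d/` written with `copy` plus the same `validate` keeps the rule out of the distro file. The preceding "Check if group is present" task with `state: absent` and `register: checksudoers` only reports without deleting if it runs under check mode, which is on lines not shown here, and is unnecessary anyway because `lineinfile` with `regexp: "^%linuxadmins"` and `state: present` is idempotent on its own. The identical pair of tasks appears in the realmd role (the hunks at `@@ -65,19` and `@@ -86,7`) and has the same issue. Since `NOPASSWD: ALL` makes every member of the domain group root-equivalent, a comment above the task stating that this is intended would help reviewers.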
+++ b/roles/docker/tasks/main.yaml @@ -1,6 +1,6 @@ --- - name: "Install Docker via apt" - ansible.builtin.apt: + apt: update_cache: yes state: present name: @@ -8,7 +8,7 @@ - docker-compose - name: Disable userland proxy - ansible.builtin.copy: + copy: src: daemon.json dest: /etc/docker/daemon.json mode: 644 @@ -16,13 +16,13 @@ group: backup - name: Enable and restart Docker daemon - ansible.builtin.service: + service: name: docker state: restarted enabled: yes - name: "Add service user to docker group" - ansible.builtin.user: + user: name: service-user@intra.tormakris.dev groups: docker append: yes diff --git a/roles/internalsmtp/tasks/main.yaml b/roles/internalsmtp/tasks/main.yaml index 61585bc..ceb7d1e 100644 --- a/roles/internalsmtp/tasks/main.yaml +++ b/roles/internalsmtp/tasks/main.yaml @@ -1,31 +1,31 @@ --- - name: "Install Postfix via apt" - ansible.builtin.apt: + apt: update_cache: yes state: present name: - postfix - name: Install Postfix forwarder config - ansible.builtin.template: + template: src: templates/main.cf dest: /etc/postfix/main.cf - name: Restart Postfix - ansible.builtin.service: + service: name: postfix state: restarted enabled: yes - name: "Install postfix exporter" - ansible.builtin.apt: + apt: update_cache: yes state: present name: - prometheus-postfix-exporter - name: Copy postfix exporter config - ansible.builtin.copy: + copy: src: prometheus-postfix-exporter dest: /etc/default/prometheus-postfix-exporter owner: root @@ -33,13 +33,13 @@ mode: '0644' - name: Add the prometheus user to postdrop group - ansible.builtin.user: + user: name: prometheus groups: postdrop append: yes - name: Enable and restart exporter daemon - ansible.builtin.service: + service: name: prometheus-postfix-exporter state: restarted enabled: yes diff --git a/roles/netplan/tasks/main.yaml b/roles/netplan/tasks/main.yaml index 3f71eca..7fb07d8 100644 --- a/roles/netplan/tasks/main.yaml +++ b/roles/netplan/tasks/main.yaml 
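Review bot: `mode: 644` on the daemon.json copy is an unquoted decimal with no leading zero, so the YAML parser hands Ansible the integer 644 (octal 01204), which sets the sticky bit and `-w----r--` rather than `rw-r--r--`; the other tasks in this commit use a leading zero or quotes, and this one should read `mode: '0644'`. The `group: backup` on the context line of the next hunk also looks copy-pasted from the backuphost role, since a Docker daemon config has no reason to be group-owned by the backup user; `group: root` is the expected value unless that is intentional.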
@@ -1,16 +1,16 @@ --- - name: "remove cloudinit config" - ansible.builtin.file: + file: path: /etc/netplan/50-cloud-init.yaml state: absent - name: "remove installer config" - ansible.builtin.file: + file: path: /etc/netplan/00-installer-config.yaml state: absent - name: "install static config" - ansible.builtin.template: + template: src: templates/netplan.yaml dest: /etc/netplan/00-static.yaml notify: netplanapply diff --git a/roles/openvpn/tasks/main.yaml b/roles/openvpn/tasks/main.yaml index 66dcdd8..7d0e27f 100644 --- a/roles/openvpn/tasks/main.yaml +++ b/roles/openvpn/tasks/main.yaml @@ -1,6 +1,6 @@ --- - name: "Install openvpn-server via apt" - ansible.builtin.apt: + apt: update_cache: yes state: present name: @@ -15,13 +15,13 @@ reload: yes - name: Enable and restart openvpn daemon - ansible.builtin.service: + service: name: openvpn-server@stargate state: restarted enabled: yes - name: Check if AllowUsers is defined - ansible.builtin.lineinfile: + lineinfile: state: absent path: /etc/ufw/before.rules regexp: "^# START OPENVPN" @@ -30,7 +30,7 @@ register: checkufwrules - name: Insert openvpn iptables rules - ansible.builtin.blockinfile: + blockinfile: path: /etc/ufw/before.rules block: | # START OPENVPN RULES diff --git a/roles/realmd/tasks/main.yaml b/roles/realmd/tasks/main.yaml index 20b47fd..c7a7021 100644 --- a/roles/realmd/tasks/main.yaml +++ b/roles/realmd/tasks/main.yaml @@ -1,6 +1,6 @@ --- - name: "Install realmd and dependencies" - ansible.builtin.apt: + apt: update_cache: yes state: present name: @@ -16,7 +16,7 @@ - packagekit - name: Check if computer is joined to domain - ansible.builtin.lineinfile: + lineinfile: state: absent path: /etc/sssd/sssd.conf line: "^ad_access_filter" 
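Review bot: The realmd task "Check if computer is joined to domain" uses `line: "^ad_access_filter"` rather than `regexp:`, so `lineinfile` looks for a line that literally reads `^ad_access_filter` and never matches; `checkjoined.found` is therefore 0 on every run and the `realm join` guarded by it re-runs each time the role is applied. The parallel checks in the following hunks correctly use `regexp: "^ad_access_filter"`, so this one should read `regexp: "^ad_access_filter"` too. On a fresh host `/etc/sssd/sssd.conf` does not exist before the first join, so the task's result in that case is worth confirming as well. In the openvpn hunk on this same line, the task named "Check if AllowUsers is defined" actually searches `/etc/ufw/before.rules` for `^# START OPENVPN`, so it should be renamed, e.g. `- name: Check if the OpenVPN block is present in ufw before.rules`.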
@@ -25,22 +25,22 @@ register: checkjoined - name: "Get join password from local environment variable" - ansible.builtin.set_fact: + set_fact: join_passw: "{{ lookup('env', 'JOIN_PASSW') }}" delegate_to: localhost when: checkjoined.found == 0 - name: Join to AD with realmd - ansible.builtin.shell: + shell: cmd: echo {{ join_passw }} | realm join -v -U tormakris_admin intra.tormakris.dev when: checkjoined.found == 0 - name: Enable pam homedir create on first logon - ansible.builtin.command: + command: cmd: pam-auth-update --enable mkhomedir - name: Check if ad_gpo_access_control is disabled - ansible.builtin.lineinfile: + lineinfile: state: absent path: /etc/sssd/sssd.conf regexp: "^ad_gpo_access_control" @@ -49,14 +49,14 @@ register: checkadgpoac - name: Set ad_gpo_access_control to disabled - ansible.builtin.lineinfile: + lineinfile: state: present path: /etc/sssd/sssd.conf line: "ad_gpo_access_control = disabled" when: checkadgpoac.found == 0 - name: Check if ad_access_filter is set - ansible.builtin.lineinfile: + lineinfile: state: absent path: /etc/sssd/sssd.conf regexp: "^ad_access_filter" @@ -65,19 +65,19 @@ register: checkadaf - name: Set ad_gpo_access_control to disabled - ansible.builtin.lineinfile: + lineinfile: state: present path: /etc/sssd/sssd.conf line: "ad_access_filter = memberOf=CN=LinuxUsers,OU=Service Groups,DC=intra,DC=tormakris,DC=dev" when: checkadaf.found == 0 - name: "Restart sssd" - ansible.builtin.service: + service: name: sssd state: restarted - name: Check if group is presend in sudoers - ansible.builtin.lineinfile: + lineinfile: state: absent path: /etc/sudoers regexp: "^%linuxadmins" @@ -86,7 +86,7 @@ register: checksudoers - name: Define group in sudoers - ansible.builtin.lineinfile: + lineinfile: state: present path: /etc/sudoers line: "%linuxadmins@intra.tormakris.dev ALL=(ALL) NOPASSWD: ALL" diff --git a/roles/smtpgateway/tasks/main.yaml b/roles/smtpgateway/tasks/main.yaml index 532eca1..6a17271 100644 
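Review bot: The join password is interpolated unquoted into a `shell` command, `echo {{ join_passw }} | realm join ...`, so the whole command line including the secret appears in verbose task output, in any logging callback, and in the argv of the `/bin/sh -c` process while it runs; adding `no_log: true` to both the `set_fact` and the `shell` task keeps it out of Ansible's output, and `echo {{ join_passw | quote }}` prevents a password containing shell metacharacters from breaking or rewriting the command. Passing the secret through the module's `stdin` parameter instead, `stdin: "{{ join_passw }}"` with `cmd: realm join -v -U tormakris_admin intra.tormakris.dev`, removes it from the process argv entirely. The `pam-auth-update` `command` task has no `changed_when`, so it reports changed on every run. In the `@@ -65,19` hunk below, the task that writes `ad_access_filter = memberOf=...` reuses the previous task's name "Set ad_gpo_access_control to disabled" and the next one says `presend` for `present`; renaming the first to `- name: Set ad_access_filter to the LinuxUsers group` makes play output readable, and a comment noting that with GPO access control disabled this filter is the only thing restricting who may log in would help whoever maintains it.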
--- a/roles/smtpgateway/tasks/main.yaml +++ b/roles/smtpgateway/tasks/main.yaml @@ -1,22 +1,22 @@ --- - name: "Install Postfix via apt" - ansible.builtin.apt: + apt: update_cache: yes state: present name: - postfix - name: Install Postfix mail gateway config - ansible.builtin.template: + template: src: templates/main.cf dest: /etc/postfix/main.cf - name: Build /etc/mailname - ansible.builtin.shell: + shell: cmd: "hostname --fqdn > /etc/mailname" - name: Restart Postfix - ansible.builtin.service: + service: name: postfix state: restarted enabled: yes @@ -28,14 +28,14 @@ src: 192.168.69.0/24 - name: "Install postfix exporter" - ansible.builtin.apt: + apt: update_cache: yes state: present name: - prometheus-postfix-exporter - name: Copy exporter config - ansible.builtin.copy: + copy: src: prometheus-postfix-exporter dest: /etc/default/prometheus-postfix-exporter owner: root @@ -43,13 +43,13 @@ mode: '0644' - name: Add the prometheus user to postdrop group - ansible.builtin.user: + user: name: prometheus groups: postdrop append: yes - name: Enable and restart exporter daemon - ansible.builtin.service: + service: name: prometheus-postfix-exporter state: restarted enabled: yes diff --git a/roles/webgateway/tasks/main.yaml b/roles/webgateway/tasks/main.yaml index 8f11802..e5c2223 100644 --- a/roles/webgateway/tasks/main.yaml +++ b/roles/webgateway/tasks/main.yaml @@ -1,6 +1,6 @@ --- - name: "Install nginx via apt" - ansible.builtin.apt: + apt: update_cache: yes state: present name: @@ -19,7 +19,7 @@ port: https - name: Copy default nginx config - ansible.builtin.copy: + copy: src: nginx.conf dest: /etc/nginx/nginx.conf owner: root 
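Review bot: "Build /etc/mailname" uses `shell` with a redirect, `hostname --fqdn > /etc/mailname`, which reports changed on every run and relies on the shell for the write; if facts are gathered, `copy` with `content: "{{ ansible_fqdn }}\n"` and `dest: /etc/mailname` is idempotent, needs no shell, and lets `owner`/`mode` be stated explicitly. The `template` for `/etc/postfix/main.cf` is followed by an unconditional `state: restarted`, so a handler notified by the template task would restart Postfix only when the config actually changed.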
@@ -27,28 +27,28 @@ mode: '0644' - name: Enable and restart nginx daemon - ansible.builtin.service: + service: name: nginx state: restarted enabled: yes - name: Generate certificate for all proxied domains - ansible.builtin.command: + command: cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --nginx -d {{item.domain}} with_items: "{{ proxy }}" - name: Generate certificate for all static sites - ansible.builtin.command: + command: cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --nginx -d {{item.domain}} with_items: "{{ static }}" - name: Generate certificate for all redirect sites - ansible.builtin.command: + command: cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --nginx -d {{item.domain}} with_items: "{{ redirect }}" - name: "Generate certbot script" - ansible.builtin.template: + template: src: certbot.sh dest: /etc/cron.weekly/certbot owner: root @@ -56,7 +56,7 @@ mode: '0700' - name: "Generate nginx configuration" - ansible.builtin.template: + template: src: nginx.conf dest: /etc/nginx/nginx.conf owner: root 
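Review bot: The three certbot `command` tasks run on every play and hardcode the same notification address three times; adding `creates: /etc/letsencrypt/live/{{ item.domain }}/fullchain.pem` to each makes them skip domains that already hold a certificate, leaving renewal to the weekly certbot script this same hunk installs. The tasks differ only in the loop variable, so one task looping over `{{ proxy + static + redirect }}` would remove the duplication; I'd confirm all three lists hold items with a `domain` key before merging them.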
@@ -64,41 +64,41 @@ mode: '0644' - name: Validate nginx configuration - ansible.builtin.command: + command: cmd: nginx -t - name: Reload nginx after configuration change - ansible.builtin.service: + service: name: nginx state: reloaded - name: "Remove any existing static file directories" - ansible.builtin.file: + file: path: "{{ item.directory }}" state: absent with_items: "{{ static }}" - name: "Checkout static websites from git" - ansible.builtin.git: + git: repo: "{{ item.repo }}" dest: "{{ item.directory }}" with_items: "{{ static }}" - name: "Remove .git directory from static websites" - ansible.builtin.file: + file: path: "{{ item.directory }}/.git" state: absent with_items: "{{ static }}" - name: "Install nginx exporter" - ansible.builtin.apt: + apt: update_cache: yes state: present name: - prometheus-nginx-exporter - name: Copy nginx exporter config - ansible.builtin.copy: + copy: src: prometheus-nginx-exporter dest: /etc/default/prometheus-nginx-exporter owner: root @@ -106,7 +106,7 @@ mode: '0644' - name: Enable and restart exporter daemon - ansible.builtin.service: + service: name: prometheus-nginx-exporter state: restarted enabled: yes diff --git a/roles/webserver/tasks/main.yaml b/roles/webserver/tasks/main.yaml index 12e7ee8..49cea53 100644 --- a/roles/webserver/tasks/main.yaml +++ b/roles/webserver/tasks/main.yaml @@ -7,7 +7,7 @@ with_items: "{{ allowedranges }}" - name: "Install Nginx via apt" - ansible.builtin.apt: + apt: update_cache: yes state: present name: @@ -16,7 +16,7 @@ - python3-certbot-dns-cloudflare - name: Copy default nginx config - ansible.builtin.copy: + copy: src: nginx.conf dest: /etc/nginx/nginx.conf owner: root 
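Review bot: The `git` task clones `{{ item.repo }}` with no `version`, so each run checks out whatever the remote's default branch currently points at, and because the `.git` directory is removed afterwards the deployed content cannot be traced back to a commit; pinning `version: "{{ item.version }}"` (a tag or commit recorded in the `static` inventory entries) makes deployments reproducible and stops a hijacked upstream branch from propagating automatically. Combined with the preceding "Remove any existing static file directories" task, every run deletes and re-clones the sites, so the web root is briefly empty during each play; with a pinned `version` the `git` module alone is idempotent and the removal step can go. The `nginx -t` `command` runs after the template has already been written to `/etc/nginx/nginx.conf`; `validate: 'nginx -t -c %s'` on the template task in the previous hunk checks the candidate file before it replaces the live one, provided the config's `include` paths are absolute.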
@@ -24,18 +24,18 @@ mode: '0644' - name: Enable and restart nginx daemon - ansible.builtin.service: + service: name: nginx state: restarted enabled: yes - name: "Get Cloudflare token from local environment variable" - ansible.builtin.set_fact: + set_fact: cloudflare_token: "{{ lookup('env', 'CLOUDFLARE_TOKEN') }}" delegate_to: localhost - name: "Render Cloudflare Certbot plugin configuration" - ansible.builtin.template: + template: src: cf-creds.ini dest: /root/cf-creds.ini owner: root @@ -43,12 +43,12 @@ mode: 0600 - name: Generate certificate for all server instances - ansible.builtin.shell: + shell: cmd: certbot certonly --non-interactive --agree-tos -m iam@tormakristof.eu --dns-cloudflare --dns-cloudflare-credentials /root/cf-creds.ini -d {{item.domain}} with_items: "{{ webserver }}" - name: "Generate certbot script" - ansible.builtin.template: + template: src: certbot.sh dest: /etc/cron.weekly/certbot owner: root @@ -56,7 +56,7 @@ mode: '0700' - name: "Generate nginx configuration" - ansible.builtin.template: + template: src: nginx.conf dest: /etc/nginx/nginx.conf owner: root @@ -64,12 +64,12 @@ mode: '0644' - name: Reload nginx daemon - ansible.builtin.service: + service: name: nginx state: reloaded - name: "Install nginx exporter" - ansible.builtin.apt: + apt: update_cache: yes state: present name: @@ -83,7 +83,7 @@ src: 192.168.69.0/24 - name: Copy nginx exporter config - ansible.builtin.copy: + copy: src: prometheus-nginx-exporter dest: /etc/default/prometheus-nginx-exporter owner: root @@ -91,7 +91,7 @@ mode: '0644' - name: Enable and restart exporter daemon - ansible.builtin.service: + service: name: prometheus-nginx-exporter state: restarted enabled: yes
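Review bot: The `set_fact` that reads `CLOUDFLARE_TOKEN` into `cloudflare_token` has no `no_log: true`, so with `-v` or a logging callback the API token ends up in Ansible output, and the `template` task that renders it into `/root/cf-creds.ini` shows the rendered content in diff mode. Adding `no_log: true` to both tasks keeps the token out of logs; the `mode: 0600` on the credentials file is the right choice, and quoting it as `'0600'` matches the `'0644'`/`'0700'` style used elsewhere in this file.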
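Review bot: The certbot call in the `@@ -43,12` hunk uses `shell` although it needs no shell features, and `{{item.domain}}` is interpolated unquoted into that shell line; switching to `command` (as the webgateway role does for the same call) removes the shell layer, or, if `shell` stays, `-d {{ item.domain | quote }}` keeps an inventory value with spaces or metacharacters from being reinterpreted. Adding `creates: /etc/letsencrypt/live/{{ item.domain }}/fullchain.pem` would also make the task skip domains that already hold a certificate, leaving renewals to the weekly certbot script installed just below.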