diff --git a/.ansible-lint b/.ansible-lint index 022cafb..f9e051a 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,3 +1,4 @@ --- skip_list: - var-naming[no-role-prefix] + - no-handler # Sequential task flows require immediate execution, not end-of-play handlers diff --git a/playbooks/example.yml b/playbooks/example.yml index cbe27fd..dc35626 100644 --- a/playbooks/example.yml +++ b/playbooks/example.yml @@ -1,7 +1,7 @@ --- -- hosts: marge +- name: Sample of a playbook + hosts: marge become: true roles: - - role: ntpd - role: fail2ban - role: unbound diff --git a/requirements.yml b/requirements.yml index 9aacf14..72cf744 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,6 +1,7 @@ --- collections: - name: ansible.netcommon + - name: ansible.posix - name: community.general - name: community.postgresql - name: containers.podman diff --git a/roles/archlinux/tasks/locales.yml b/roles/archlinux/tasks/locales.yml index fc83f7a..cb74f4b 100644 --- a/roles/archlinux/tasks/locales.yml +++ b/roles/archlinux/tasks/locales.yml @@ -1,15 +1,21 @@ --- - name: Configure locales block: - - name: Activate locale - ansible.builtin.command: - cmd: localectl set-locale LANG={{ arch_locale }} - name: Edit /etc/locale.gen ansible.builtin.lineinfile: dest: /etc/locale.gen state: present regexp: "{{ arch_locale }}" line: "{{ arch_locale }} UTF-8" + register: locale_gen_changed + - name: Regenerate locales ansible.builtin.command: cmd: locale-gen + when: locale_gen_changed is changed + changed_when: true + + - name: Activate locale + ansible.builtin.command: + cmd: localectl set-locale LANG={{ arch_locale }} + changed_when: false diff --git a/roles/archlinux/tasks/paru.yml b/roles/archlinux/tasks/paru.yml index b913f3a..e03d42e 100644 --- a/roles/archlinux/tasks/paru.yml +++ b/roles/archlinux/tasks/paru.yml 
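Review bot: Skipping `no-handler` repo-wide silences the check for every role, while this same commit converts register/when pairs into handlers in disks, docker, sshd and valkey and only the locales flow (`locale-gen` has to run before `localectl`) genuinely needs the inline form. Suppress it where it applies instead: put `# noqa: no-handler` on the `Regenerate locales` task and drop the entry from `skip_list`, so the linter keeps flagging new register/when pairs elsewhere.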
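Review bot: The sample play drops `- role: ntpd` without a replacement, so a host built from it has no time synchronization, which fail2ban's log parsing, TLS validation and log correlation all depend on. If the role was removed because it no longer exists, point the sample at the role this repository does ship (renamed to `ntp_chrony` in this commit): `- role: ntp_chrony`.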
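Review bot: `- name: ansible.posix` is added, like the existing entries, without a `version:` constraint, so `ansible-galaxy collection install -r requirements.yml` pulls whatever is newest on Galaxy at install time and two runs of the same playbook can execute different collection code. Pin each collection to the version you tested, e.g. `- name: ansible.posix` followed by `  version: "<tested version>"`, and bump the pins deliberately; the same applies to the four existing entries.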
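Review bot: `regexp: "{{ arch_locale }}"` in `Edit /etc/locale.gen` is unanchored and unescaped, so the `.` in a value such as `en_US.UTF-8` is a wildcard and a shorter value like `en_US` matches several commented entries, of which lineinfile rewrites only the last. Use `regexp: "^#?{{ arch_locale | regex_escape }} UTF-8$"` so exactly the intended entry is uncommented. `Activate locale` with `changed_when: false` also runs on every play and never reports drift; since `localectl set-locale` writes `/etc/locale.conf`, managing that file with `ansible.builtin.lineinfile` and `line: "LANG={{ arch_locale }}"` would be idempotent and report changes.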
@@ -77,12 +77,19 @@ mode: "0644" - name: Extract paru - ansible.builtin.command: - cmd: "tar -xf /tmp/paru-{{ os_arch }}.tar.zst paru -C /tmp" + ansible.builtin.unarchive: + src: "/tmp/paru-{{ os_arch }}.tar.zst" + dest: /tmp + remote_src: true + extra_opts: + - paru - name: Install paru binary - ansible.builtin.command: - cmd: "mv /tmp/paru /usr/bin/paru" + ansible.builtin.copy: + src: /tmp/paru + dest: /usr/bin/paru + remote_src: true + mode: "0755" - name: Ensure permissions ansible.builtin.file: diff --git a/roles/disks/handlers/main.yml b/roles/disks/handlers/main.yml new file mode 100644 index 0000000..02791ad --- /dev/null +++ b/roles/disks/handlers/main.yml @@ -0,0 +1,4 @@ +--- +- name: Systemd daemon reload + ansible.builtin.systemd: + daemon_reload: true diff --git a/roles/disks/tasks/trim-ssd.yml b/roles/disks/tasks/trim-ssd.yml index 49ce201..975301f 100644 --- a/roles/disks/tasks/trim-ssd.yml +++ b/roles/disks/tasks/trim-ssd.yml @@ -23,11 +23,7 @@ group: root mode: "0644" register: timer_config - -- name: Systemd daemon reload - ansible.builtin.systemd: - daemon_reload: true - when: timer_config.changed + notify: Systemd daemon reload - name: Enable periodic trim ansible.builtin.systemd: diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml new file mode 100644 index 0000000..440b996 --- /dev/null +++ b/roles/docker/handlers/main.yml @@ -0,0 +1,4 @@ +--- +- name: Inform user to relogin + ansible.builtin.debug: + msg: "Please logout and login again to make sure the user is added to the docker group" diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 32768ff..d42db7b 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml 
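Review bot: `Extract paru` and `Install paru binary` run as root against fixed paths in the shared, world-writable `/tmp` (`/tmp/paru-{{ os_arch }}.tar.zst`, `/tmp/paru`), so any local user can plant or swap `/tmp/paru` (or a symlink) between the two tasks and have their file installed to `/usr/bin/paru` with mode 0755. Create a private directory with `ansible.builtin.tempfile` (`state: directory`, created 0700) and do the download, extract and copy inside it; the download task sits above this hunk, so I cannot see whether it verifies the archive with `checksum:`, which is the other half of the fix. Setting `owner: root` / `group: root` explicitly on the copy also keeps the result independent of the extracting user.
```yaml
- name: Create private working directory for paru
  ansible.builtin.tempfile:
    state: directory
    suffix: paru
  register: paru_tmp

# … unchanged: download of paru-{{ os_arch }}.tar.zst, now into paru_tmp.path (add checksum: if missing) …

- name: Extract paru
  ansible.builtin.unarchive:
    src: "{{ paru_tmp.path }}/paru-{{ os_arch }}.tar.zst"
    dest: "{{ paru_tmp.path }}"
    remote_src: true
    extra_opts:
      - paru

- name: Install paru binary
  ansible.builtin.copy:
    src: "{{ paru_tmp.path }}/paru"
    dest: /usr/bin/paru
    remote_src: true
    owner: root
    group: root
    mode: "0755"
```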
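Review bot: `notify: Systemd daemon reload` postpones the reload to the end of the play, but the very next task, `Enable periodic trim` (`ansible.builtin.systemd`, continuing past the hunk), enables the timer unit that `timer_config` just wrote, and on a first run systemd has not loaded that unit yet, so the enable fails or acts on a stale definition. Either add `daemon_reload: true` to the `Enable periodic trim` task, or place `- ansible.builtin.meta: flush_handlers` between the two tasks; this is exactly the sequencing concern the `.ansible-lint` comment in this commit describes.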
@@ -35,9 +35,4 @@ name: "{{ ansible_user }}" groups: docker append: true - register: docker_group - -- name: Inform the user that user needs to logout and login again - ansible.builtin.debug: - msg: "Please logout and login again to make sure the user is added to the docker group" - when: docker_group.changed + notify: Inform user to relogin diff --git a/roles/gitea/handlers/main.yml b/roles/gitea/handlers/main.yml index 0570f75..1dcb19b 100644 --- a/roles/gitea/handlers/main.yml +++ b/roles/gitea/handlers/main.yml @@ -4,13 +4,18 @@ daemon_reload: true - name: Reload systemd user - ansible.builtin.command: "systemctl --user daemon-reload" - become: true + ansible.builtin.systemd: + daemon_reload: true + scope: user + become: false become_user: "{{ ansible_user }}" - name: Restart gitea - ansible.builtin.command: "systemctl --user restart gitea.service" - become: true + ansible.builtin.systemd: + name: gitea.service + state: restarted + scope: user + become: false become_user: "{{ ansible_user }}" - name: Reload nginx diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml index e90e0b6..59640dd 100644 --- a/roles/gitea/tasks/main.yml +++ b/roles/gitea/tasks/main.yml @@ -14,6 +14,7 @@ name: "{{ gitea_postgres_user }}" password: "{{ gitea_postgres_password }}" state: present + become: false become_user: "{{ postgres_admin_user }}" - name: Create PostgreSQL database for Gitea @@ -21,6 +22,7 @@ name: "{{ gitea_postgres_db_name }}" owner: "{{ gitea_postgres_user }}" state: present + become: false become_user: "{{ postgres_admin_user }}" - name: Grant all privileges on database to Gitea user @@ -30,6 +32,7 @@ type: database privs: ALL state: present + become: false become_user: "{{ postgres_admin_user }}" - name: Ensure Gitea user has no superuser privileges 
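Review bot: Adding `{{ ansible_user }}` to `groups: docker` is a privilege grant equivalent to root on the host (access to the daemon socket lets a member start privileged containers with the host filesystem mounted), and nothing in the task says so. Add a comment above it such as `# NOTE: docker group membership is root-equivalent; grant only to the admin account`. The relogin reminder is now a handler, so it prints only if the play completes; if that is not acceptable, keep the inline debug with `# noqa: no-handler`.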
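Review bot: `become: false` makes the `become_user: "{{ ansible_user }}"` line on `Reload systemd user` and `Restart gitea` a no-op; with escalation off the handler simply runs as the connection user, which happens to be `ansible_user` only because that is how the inventory connects. Either drop the `become_user` lines and explain the choice with a comment (`# runs as the connection user on purpose: user-scope systemd needs that user's session`), or keep the pair consistent. Presumably the switch away from `become: true` is what made `scope: user` work here, so the comment matters to stop someone "fixing" it back.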
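Review bot: `become: false` on `Create PostgreSQL user for Gitea` turns off privilege escalation, so the `become_user: "{{ postgres_admin_user }}"` below it no longer does anything and `community.postgresql.postgresql_user` runs as the connection user; unless that user is already the Postgres superuser account, local peer authentication rejects it and the task fails (or, with trust auth, the role is created by the wrong account). The lint finding this answers (`become_user` without `become`) is fixed with `become: true`, not `false`. The same correction is needed on the database, privilege, role-attribute, schema and schema-grant tasks in the hunks that follow; the user-scope systemd task is the only one in this file where `become: false` is the intended effect.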
@@ -37,6 +40,7 @@ name: "{{ gitea_postgres_user }}" role_attr_flags: NOSUPERUSER,NOCREATEDB,NOCREATEROLE state: present + become: false become_user: "{{ postgres_admin_user | default('postgres') }}" - name: Create PostgreSQL schema for Gitea @@ -45,6 +49,7 @@ database: "{{ gitea_postgres_db_name }}" owner: "{{ gitea_postgres_user }}" state: present + become: false become_user: "{{ postgres_admin_user | default('postgres') }}" - name: Grant schema permissions to Gitea user @@ -55,6 +60,7 @@ objs: "{{ gitea_postgres_schema }}" privs: CREATE,USAGE state: present + become: false become_user: "{{ postgres_admin_user | default('postgres') }}" - name: Create Gitea project directory @@ -113,7 +119,12 @@ when: ansible_user != 'root' - name: Enable and start Gitea service (user scope) - ansible.builtin.command: "systemctl --user enable --now gitea.service" + ansible.builtin.systemd: + name: gitea.service + enabled: true + state: started + scope: user + become: false become_user: "{{ ansible_user }}" - name: Deploy nginx vhost configuration for Gitea diff --git a/roles/immich/handlers/main.yml b/roles/immich/handlers/main.yml index 671ccc5..4bd2995 100644 --- a/roles/immich/handlers/main.yml +++ b/roles/immich/handlers/main.yml @@ -4,13 +4,18 @@ daemon_reload: true - name: Reload systemd user - ansible.builtin.command: "systemctl --user daemon-reload" - become: true + ansible.builtin.systemd: + daemon_reload: true + scope: user + become: false become_user: "{{ ansible_user }}" - name: Restart Immich - ansible.builtin.command: "systemctl --user restart immich.service" - become: true + ansible.builtin.systemd: + name: immich.service + state: restarted + scope: user + become: false become_user: "{{ ansible_user }}" - name: Reload nginx diff --git a/roles/immich/tasks/main.yml b/roles/immich/tasks/main.yml index f6e682e..861b483 100644 --- a/roles/immich/tasks/main.yml +++ b/roles/immich/tasks/main.yml 
@@ -16,6 +16,7 @@ name: "{{ immich_postgres_db_name }}" owner: "{{ immich_postgres_user }}" state: present + become: false become_user: "{{ postgres_admin_user | default('postgres') }}" - name: Create PostgreSQL user for Immich @@ -23,6 +24,7 @@ name: "{{ immich_postgres_user }}" password: "{{ immich_postgres_password }}" state: present + become: false become_user: "{{ postgres_admin_user | default('postgres') }}" - name: Grant all privileges on database to Immich user @@ -32,6 +34,7 @@ type: database privs: ALL state: present + become: false become_user: "{{ postgres_admin_user | default('postgres') }}" - name: Ensure Immich user has no superuser privileges @@ -39,6 +42,7 @@ name: "{{ immich_postgres_user }}" role_attr_flags: NOSUPERUSER,NOCREATEDB,NOCREATEROLE state: present + become: false become_user: "{{ postgres_admin_user | default('postgres') }}" - name: Enable required PostgreSQL extensions in Immich database @@ -46,6 +50,7 @@ name: "{{ item }}" login_db: "{{ immich_postgres_db_name }}" state: present + become: false become_user: "{{ postgres_admin_user | default('postgres') }}" loop: - cube @@ -60,6 +65,7 @@ objs: public privs: CREATE,USAGE state: present + become: false become_user: "{{ postgres_admin_user | default('postgres') }}" - name: Create Immich project directory @@ -120,7 +126,12 @@ when: ansible_user != 'root' - name: Enable and start Immich service (user scope) - ansible.builtin.command: "systemctl --user enable --now immich.service" + ansible.builtin.systemd: + name: immich.service + enabled: true + state: started + scope: user + become: false become_user: "{{ ansible_user }}" - name: Deploy nginx vhost configuration for Immich diff --git a/roles/monitoring/tasks/main.yml b/roles/monitoring/tasks/main.yml index d12b294..3235e80 100644 --- a/roles/monitoring/tasks/main.yml +++ b/roles/monitoring/tasks/main.yml 
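Review bot: The six PostgreSQL tasks in this file get the same `become: false` + `become_user: "{{ postgres_admin_user | default('postgres') }}"` pairing as in gitea, and with become disabled they run as the connection user rather than the postgres admin; `Enable required PostgreSQL extensions` issues `CREATE EXTENSION` for `cube` and the other items, which generally requires a superuser and will be rejected under an unprivileged login. Change these to `become: true` so the `postgresql_*` modules connect over the local socket as the admin OS user, and keep `become: false` only on the `immich.service` user-scope task where it is actually intended.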
@@ -1,4 +1,5 @@ --- -- name: install oryx - cmd: paru -S oryx +- name: Install oryx + ansible.builtin.command: paru -S --noconfirm oryx when: ansible_facts['os_family'] == 'Archlinux' + changed_when: false diff --git a/roles/net-config/README.md b/roles/net_config/README.md similarity index 100% rename from roles/net-config/README.md rename to roles/net_config/README.md diff --git a/roles/net-config/meta/main.yml b/roles/net_config/meta/main.yml similarity index 100% rename from roles/net-config/meta/main.yml rename to roles/net_config/meta/main.yml diff --git a/roles/net-config/tasks/main.yml b/roles/net_config/tasks/main.yml similarity index 100% rename from roles/net-config/tasks/main.yml rename to roles/net_config/tasks/main.yml diff --git a/roles/net-config/templates/systemd.netdev.j2 b/roles/net_config/templates/systemd.netdev.j2 similarity index 100% rename from roles/net-config/templates/systemd.netdev.j2 rename to roles/net_config/templates/systemd.netdev.j2 diff --git a/roles/net-config/templates/systemd.network.j2 b/roles/net_config/templates/systemd.network.j2 similarity index 100% rename from roles/net-config/templates/systemd.network.j2 rename to roles/net_config/templates/systemd.network.j2 diff --git a/roles/net-persist/README.md b/roles/net_persist/README.md similarity index 100% rename from roles/net-persist/README.md rename to roles/net_persist/README.md diff --git a/roles/net-persist/meta/main.yml b/roles/net_persist/meta/main.yml similarity index 100% rename from roles/net-persist/meta/main.yml rename to roles/net_persist/meta/main.yml diff --git a/roles/net-persist/tasks/main.yml b/roles/net_persist/tasks/main.yml similarity index 94% rename from roles/net-persist/tasks/main.yml rename to roles/net_persist/tasks/main.yml index 1a1d0a5..fe49830 100644 --- a/roles/net-persist/tasks/main.yml +++ b/roles/net_persist/tasks/main.yml 
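Review bot: `paru -S --noconfirm oryx` with `changed_when: false` is re-run on every play and, without `--needed`, rebuilds and reinstalls the package from the AUR each time; `--noconfirm` also skips the PKGBUILD review, which is the only integrity check an AUR package gets, so every run executes whatever the AUR currently serves. Make it converge: `ansible.builtin.command: paru -S --needed --noconfirm oryx` with `creates:` pointing at the installed binary (or register the output and derive `changed_when` from it). Note also that the play-level `become: true` in `playbooks/example.yml` makes this run as root, and paru, like makepkg, refuses to run as root, so it needs `become: false` (or a non-root `become_user`) and an account that can sudo for pacman.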
@@ -7,7 +7,7 @@ - name: Process ethernet interface persistence when: interface.type is not defined or interface.type == 'ethernet' block: - - name: "Check {{ interface.name }} ({{ interface.mac_address }}) rule" + - name: "Check interface rule for {{ interface.name }} ({{ interface.mac_address }})" ansible.builtin.set_fact: interface_original_name: "{{ ansible_facts.interfaces | select('in', ansible_facts) | map('extract', ansible_facts) | selectattr('pciid', 'defined') | selectattr('macaddress', 'equalto', interface.mac_address) | map(attribute='device') | first }}" diff --git a/roles/net-persist/templates/persistent-net.link.j2 b/roles/net_persist/templates/persistent-net.link.j2 similarity index 100% rename from roles/net-persist/templates/persistent-net.link.j2 rename to roles/net_persist/templates/persistent-net.link.j2 diff --git a/roles/networking/README.md b/roles/networking/README.md index 9dc17ed..8b8ac59 100644 --- a/roles/networking/README.md +++ b/roles/networking/README.md @@ -6,8 +6,8 @@ This role configures the networking on the target machine. Roles: -- net-persist -- net-config +- net_persist +- net_config ## Inventory Variables diff --git a/roles/networking/tasks/main.yml b/roles/networking/tasks/main.yml index f425964..c59ed65 100644 --- a/roles/networking/tasks/main.yml +++ b/roles/networking/tasks/main.yml @@ -6,7 +6,7 @@ - name: Setup persistent network interface(s) ansible.builtin.include_role: - name: net-persist + name: net_persist public: true vars: interface: "{{ item }}" @@ -14,7 +14,7 @@ - name: Configure network interface(s) ansible.builtin.include_role: - name: net-config + name: net_config public: true vars: interface: "{{ item }}" diff --git a/roles/nfs-server/README.md b/roles/nfs_server/README.md similarity index 100% rename from roles/nfs-server/README.md rename to roles/nfs_server/README.md 
diff --git a/roles/nfs-server/defaults/main.yml b/roles/nfs_server/defaults/main.yml similarity index 100% rename from roles/nfs-server/defaults/main.yml rename to roles/nfs_server/defaults/main.yml diff --git a/roles/nfs-server/handlers/main.yml b/roles/nfs_server/handlers/main.yml similarity index 100% rename from roles/nfs-server/handlers/main.yml rename to roles/nfs_server/handlers/main.yml diff --git a/roles/nfs-server/tasks/main.yml b/roles/nfs_server/tasks/main.yml similarity index 100% rename from roles/nfs-server/tasks/main.yml rename to roles/nfs_server/tasks/main.yml diff --git a/roles/nfs-server/templates/exports.j2 b/roles/nfs_server/templates/exports.j2 similarity index 100% rename from roles/nfs-server/templates/exports.j2 rename to roles/nfs_server/templates/exports.j2 diff --git a/roles/nfs-server/templates/nfs.conf.j2 b/roles/nfs_server/templates/nfs.conf.j2 similarity index 100% rename from roles/nfs-server/templates/nfs.conf.j2 rename to roles/nfs_server/templates/nfs.conf.j2 diff --git a/roles/ntfy/handlers/main.yml b/roles/ntfy/handlers/main.yml index a6e2d98..b047f91 100644 --- a/roles/ntfy/handlers/main.yml +++ b/roles/ntfy/handlers/main.yml @@ -4,13 +4,18 @@ daemon_reload: true - name: Reload systemd user - ansible.builtin.command: "systemctl --user daemon-reload" - become: true + ansible.builtin.systemd: + daemon_reload: true + scope: user + become: false become_user: "{{ ansible_user }}" - name: Restart ntfy - ansible.builtin.command: "systemctl --user restart ntfy.service" - become: true + ansible.builtin.systemd: + name: ntfy.service + state: restarted + scope: user + become: false become_user: "{{ ansible_user }}" - name: Reload nginx diff --git a/roles/ntfy/tasks/main.yml b/roles/ntfy/tasks/main.yml index e48f161..34f9db1 100644 --- a/roles/ntfy/tasks/main.yml +++ b/roles/ntfy/tasks/main.yml 
@@ -77,7 +77,12 @@ when: ansible_user != 'root' - name: Enable and start ntfy service (user scope) - ansible.builtin.command: "systemctl --user enable --now ntfy.service" + ansible.builtin.systemd: + name: ntfy.service + enabled: true + state: started + scope: user + become: false become_user: "{{ ansible_user }}" - name: Wait for ntfy to be ready @@ -92,21 +97,26 @@ register: ntfy_user_list changed_when: false failed_when: false + become: false become_user: "{{ ansible_user }}" - name: Create admin user in ntfy ansible.builtin.shell: | + set -o pipefail printf '%s\n%s\n' '{{ ntfy_admin_password }}' '{{ ntfy_admin_password }}' | podman exec -i ntfy-server ntfy user add --role=admin {{ ntfy_admin_user }} when: ntfy_admin_user not in ntfy_user_list.stdout register: ntfy_user_create changed_when: ntfy_user_create.rc == 0 + become: false become_user: "{{ ansible_user }}" - name: Set admin user password ansible.builtin.shell: | + set -o pipefail printf '%s\n%s\n' '{{ ntfy_admin_password }}' '{{ ntfy_admin_password }}' | podman exec -i ntfy-server ntfy user change-pass {{ ntfy_admin_user }} when: ntfy_admin_user in ntfy_user_list.stdout changed_when: false + become: false become_user: "{{ ansible_user }}" - name: Deploy nginx vhost configuration for ntfy diff --git a/roles/ntp-chrony/README.md b/roles/ntp_chrony/README.md similarity index 100% rename from roles/ntp-chrony/README.md rename to roles/ntp_chrony/README.md diff --git a/roles/ntp-chrony/defaults/main.yml b/roles/ntp_chrony/defaults/main.yml similarity index 100% rename from roles/ntp-chrony/defaults/main.yml rename to roles/ntp_chrony/defaults/main.yml diff --git a/roles/ntp-chrony/handlers/main.yml b/roles/ntp_chrony/handlers/main.yml similarity index 100% rename from roles/ntp-chrony/handlers/main.yml rename to roles/ntp_chrony/handlers/main.yml 
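Review bot: In `Create admin user in ntfy` and `Set admin user password`, `'{{ ntfy_admin_password }}'` is spliced into a shell line inside single quotes, so a password containing `'` breaks the quoting (at best the task fails, at worst the remainder runs as shell), and because neither task sets `no_log: true` the password appears in the task output and in the remote process list through `printf`'s arguments. Render it with `{{ ntfy_admin_password | quote }}` and add `no_log: true` to both tasks; `Set admin user password` also pushes the password through the shell on every run, since `when: ntfy_admin_user in ntfy_user_list.stdout` is always true once the user exists. The added `set -o pipefail` only works under bash, so add `args: executable: /bin/bash`; on Debian hosts `/bin/sh` is dash, which historically has not supported that option.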
diff --git a/roles/ntp-chrony/tasks/main.yml b/roles/ntp_chrony/tasks/main.yml similarity index 100% rename from roles/ntp-chrony/tasks/main.yml rename to roles/ntp_chrony/tasks/main.yml diff --git a/roles/ntp-chrony/templates/chrony.conf.j2 b/roles/ntp_chrony/templates/chrony.conf.j2 similarity index 100% rename from roles/ntp-chrony/templates/chrony.conf.j2 rename to roles/ntp_chrony/templates/chrony.conf.j2 diff --git a/roles/ntp-chrony/templates/logrotate.conf.j2 b/roles/ntp_chrony/templates/logrotate.conf.j2 similarity index 100% rename from roles/ntp-chrony/templates/logrotate.conf.j2 rename to roles/ntp_chrony/templates/logrotate.conf.j2 diff --git a/roles/ntp-chrony/vars/archlinux.yml b/roles/ntp_chrony/vars/archlinux.yml similarity index 100% rename from roles/ntp-chrony/vars/archlinux.yml rename to roles/ntp_chrony/vars/archlinux.yml diff --git a/roles/ntp-chrony/vars/debian.yml b/roles/ntp_chrony/vars/debian.yml similarity index 100% rename from roles/ntp-chrony/vars/debian.yml rename to roles/ntp_chrony/vars/debian.yml diff --git a/roles/postgres/tasks/archlinux.yml b/roles/postgres/tasks/archlinux.yml index e54b61c..4dd53af 100644 --- a/roles/postgres/tasks/archlinux.yml +++ b/roles/postgres/tasks/archlinux.yml @@ -35,4 +35,5 @@ ansible.builtin.command: cmd: initdb -D {{ postgres_data_dir }} creates: "{{ postgres_data_dir }}/PG_VERSION" + become: false become_user: "{{ postgres_admin_user }}" diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml index d82f82c..bb5c917 100644 --- a/roles/postgres/tasks/main.yml +++ b/roles/postgres/tasks/main.yml @@ -97,4 +97,5 @@ name: "{{ postgres_admin_user }}" password: "{{ postgres_admin_password }}" state: present + become: false become_user: "{{ postgres_admin_user }}" diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml index fc3fe21..8bba0b1 100644 --- a/roles/sshd/defaults/main.yml +++ b/roles/sshd/defaults/main.yml 
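Review bot: `initdb -D {{ postgres_data_dir }}` is now executed with `become: false`, which disables escalation and makes the `become_user: "{{ postgres_admin_user }}"` line inert, so initdb runs as the connection user; the cluster is then either created owned by that account (and refused by the postgres service later) or the task fails on a data directory it cannot write. `become: true` is the correct companion to `become_user`, both here and on the password task in `roles/postgres/tasks/main.yml` in the next hunk; the `creates:` guard keeps the task idempotent either way.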
@@ -4,8 +4,8 @@ ssh_allowed_network: "192.168.1.0/24" ssh_allowed_vpn_network: "192.168.27.0/27" ssh_users: "jokester" # space separated if many ssh_config_dir: "/etc/ssh" -sshd_config: "{{ ssh_config_dir}}/sshd_config" -sshd_banner: "{{ ssh_config_dir}}/banner" +sshd_config: "{{ ssh_config_dir }}/sshd_config" +sshd_banner: "{{ ssh_config_dir }}/banner" sshd_binary: "/usr/sbin/sshd" ssh_authorized_keys_fallback_enabled: false ssh_authorized_keys_fallback_dir: "/etc/ssh/authorized_keys" diff --git a/roles/sshd/handlers/main.yml b/roles/sshd/handlers/main.yml new file mode 100644 index 0000000..e92563f --- /dev/null +++ b/roles/sshd/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart SSH service + ansible.builtin.service: + name: "{{ ssh_service_name }}" + state: restarted diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml index 53d22aa..5a78a3c 100644 --- a/roles/sshd/tasks/main.yml +++ b/roles/sshd/tasks/main.yml @@ -1,26 +1,27 @@ --- -- include_vars: "{{ item }}" +- name: Load OS-specific variables + ansible.builtin.include_vars: "{{ item }}" with_first_found: - "vars/{{ ansible_facts['os_family'] }}.yml" - "vars/debian.yml" - name: Install OpenSSH - package: + ansible.builtin.package: name: "{{ ssh_package_name }}" state: present - name: Install UFW - package: + ansible.builtin.package: name: ufw state: present - name: Enable SSH - service: + ansible.builtin.service: name: "{{ ssh_service_name }}" enabled: true - name: Allow local network incoming connection - ufw: + community.general.ufw: rule: allow port: "{{ ssh_port }}" proto: tcp @@ -29,7 +30,7 @@ comment: "SSH from local network" - name: Allow SSH VPN incoming connection - ufw: + community.general.ufw: rule: allow port: "{{ ssh_port }}" proto: tcp 
@@ -37,36 +38,41 @@ direction: in comment: "SSH from VPN network" -- name: Add SSH public key to authorized_keys - authorized_key: - user: "{{ item }}" - state: present - key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}" - comment: "{{ lookup('env', 'USER') | default('ansible') }}@{{ lookup('pipe', 'hostname -s') }}" - loop: "{{ ssh_users.split() }}" +# TODO +# - name: Add SSH public key to authorized_keys +# authorized_key: +# user: "{{ item }}" +# state: present +# key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}" +# comment: "{{ lookup('env', 'USER') | default('ansible') }}@{{ lookup('pipe', 'hostname -s') }}" +# loop: "{{ ssh_users.split() }}" -- name: Authorized keys fallback +- name: Authorized keys fallback (when home cannot be mounted) + when: ssh_authorized_keys_fallback_enabled block: - name: Create the directory - file: - path: "{{ssh_authorized_keys_fallback_dir}}" + ansible.builtin.file: + path: "{{ ssh_authorized_keys_fallback_dir }}" state: directory + owner: root + group: root + mode: "0755" - name: Backup authorized_keys out of HOME dir (if unavailable at startup) - command: "cp /home/{{ item }}/.ssh/authorized_keys {{ssh_authorized_keys_fallback_dir}}/{{ item }}" + ansible.builtin.command: "cp /home/{{ item }}/.ssh/authorized_keys {{ ssh_authorized_keys_fallback_dir }}/{{ item }}" loop: "{{ ssh_users.split() }}" + changed_when: false - name: Fix ownership - file: - path: "{{ssh_authorized_keys_fallback_dir}}/{{ item }}" + ansible.builtin.file: + path: "{{ ssh_authorized_keys_fallback_dir }}/{{ item }}" owner: "{{ item }}" group: "{{ item }}" mode: "0600" loop: "{{ ssh_users.split() }}" - when: ssh_authorized_keys_fallback_enabled - name: Create an SSH banner - template: + ansible.builtin.template: src: templates/sshd_banner.j2 dest: "{{ sshd_banner }}" owner: root 
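Review bot: `Backup authorized_keys out of HOME dir` copies with a raw `cp` under `changed_when: false`, so the task never reports drift, fails outright when a listed user has no `~/.ssh/authorized_keys`, and between the `cp` and the separate `Fix ownership` task the fallback file briefly exists with cp's default mode rather than 0600; sshd also refuses a fallback `AuthorizedKeysFile` that is group- or world-writable under `StrictModes`. Replacing the two tasks with one `ansible.builtin.copy` using `remote_src: true` sets owner, group and mode atomically, is idempotent, and reports changes. The commented-out `Add SSH public key to authorized_keys` block leaves the role with no way to seed keys at all; either restore it with the key coming from a variable rather than the controller's `~/.ssh/id_rsa.pub`, or record the TODO in the role README.
```yaml
- name: Backup authorized_keys out of HOME dir (if unavailable at startup)
  ansible.builtin.copy:
    src: "/home/{{ item }}/.ssh/authorized_keys"
    dest: "{{ ssh_authorized_keys_fallback_dir }}/{{ item }}"
    remote_src: true
    owner: "{{ item }}"
    group: "{{ item }}"
    mode: "0600"
  loop: "{{ ssh_users.split() }}"
# … unchanged: the separate "Fix ownership" task becomes redundant and can be dropped …
```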
@@ -74,27 +80,33 @@ mode: "0644" - name: Remove motd on Debian - file: + ansible.builtin.file: path: /etc/motd state: absent when: ansible_facts['os_family'] == 'Debian' - name: Hardening sshd_config - template: + ansible.builtin.template: src: templates/sshd_config.j2 dest: "{{ sshd_config }}" owner: root group: root mode: "0600" validate: "{{ sshd_binary }} -t -f %s" - register: ssh_hardening_task - -- name: Restart SSH service - service: - name: "{{ ssh_service_name }}" - state: restarted - when: ssh_hardening_task.changed + notify: Restart SSH service - name: Enable UFW community.general.ufw: state: enabled + +- name: Enable UFW service at startup + ansible.builtin.systemd: + name: ufw + enabled: true + state: started + +- name: Start and enable fail2ban + ansible.builtin.service: + name: fail2ban + state: started + enabled: true diff --git a/roles/static-web/README.md b/roles/static_web/README.md similarity index 100% rename from roles/static-web/README.md rename to roles/static_web/README.md diff --git a/roles/static-web/defaults/main.yml b/roles/static_web/defaults/main.yml similarity index 100% rename from roles/static-web/defaults/main.yml rename to roles/static_web/defaults/main.yml diff --git a/roles/static-web/handlers/main.yml b/roles/static_web/handlers/main.yml similarity index 100% rename from roles/static-web/handlers/main.yml rename to roles/static_web/handlers/main.yml diff --git a/roles/static-web/meta/main.yml b/roles/static_web/meta/main.yml similarity index 100% rename from roles/static-web/meta/main.yml rename to roles/static_web/meta/main.yml diff --git a/roles/static-web/tasks/main.yml b/roles/static_web/tasks/main.yml similarity index 98% rename from roles/static-web/tasks/main.yml rename to roles/static_web/tasks/main.yml index b4fb50f..69ecb53 100644 --- a/roles/static-web/tasks/main.yml +++ b/roles/static_web/tasks/main.yml 
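Review bot: With `Restart SSH service` moved into a handler, the validated `sshd_config` written by `Hardening sshd_config` is only activated at the end of the play; if `Enable UFW`, `Enable UFW service at startup` or `Start and enable fail2ban` fails, the play stops with the old sshd configuration still in effect and nothing reports it. Add `- ansible.builtin.meta: flush_handlers` directly after the template task so the hardening is live before the firewall is turned on. `Start and enable fail2ban` also assumes the package exists, but nothing in this role installs it (fail2ban is a separate role in `playbooks/example.yml`), so applying `sshd` on its own fails here; declare the dependency in `meta/main.yml` or install the package in this role.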
@@ -37,6 +37,7 @@ force: true loop: "{{ static_web_sites | dict2items }}" when: static_web_sites | length > 0 + become: false become_user: "{{ nginx_user }}" notify: Reload nginx @@ -49,6 +50,7 @@ - static_web_sites | length > 0 - item.value.build_command is defined - item.value.build_command | length > 0 + become: false become_user: "{{ nginx_user }}" changed_when: true diff --git a/roles/static-web/templates/nginx-vhost.conf.j2 b/roles/static_web/templates/nginx-vhost.conf.j2 similarity index 100% rename from roles/static-web/templates/nginx-vhost.conf.j2 rename to roles/static_web/templates/nginx-vhost.conf.j2 diff --git a/roles/tooling/tooling.yml b/roles/tooling/tooling.yml index 462bba2..5b00824 100644 --- a/roles/tooling/tooling.yml +++ b/roles/tooling/tooling.yml @@ -16,3 +16,9 @@ name: bottom state: present changed_when: false + +- name: Install wget + package: + name: wget + state: present + changed_when: false diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index f476703..7490b19 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -97,6 +97,7 @@ - name: Convert hosts file to unbound format ansible.builtin.shell: | + set -o pipefail grep '^0\.0\.0\.0' /tmp/hosts.txt | awk '{print "local-zone: \""$2"\" always_nxdomain"}' > "{{ unbound_ad_servers_config_path }}" && chown unbound:unbound "{{ unbound_ad_servers_config_path }}" args: diff --git a/roles/uptime-kuma/README.md b/roles/uptime_kuma/README.md similarity index 100% rename from roles/uptime-kuma/README.md rename to roles/uptime_kuma/README.md diff --git a/roles/uptime-kuma/defaults/main.yml b/roles/uptime_kuma/defaults/main.yml similarity index 100% rename from roles/uptime-kuma/defaults/main.yml rename to roles/uptime_kuma/defaults/main.yml 
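Review bot: `become: false` together with `become_user: "{{ nginx_user }}"` on the checkout and build tasks means both run as the connection user, not `nginx_user`, so the checked-out tree and build output end up owned by the admin account (or the checkout fails if the destination is owned by `nginx_user`). Use `become: true` here; the point of `become_user` on these tasks is to keep the web root from being written as root or as the admin user.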
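Review bot: The pipeline writes the second field of every `0.0.0.0` line in the downloaded `/tmp/hosts.txt` verbatim into `local-zone: "..."` directives, so a list entry containing `"` or a backslash produces a malformed `local-zone` line and unbound then rejects the whole configuration at its next reload, taking the resolver down. Constrain the field to hostname characters before emitting it: `awk '$2 ~ /^[A-Za-z0-9.-]+$/ {print "local-zone: \""$2"\" always_nxdomain"}'`, and run `unbound-checkconf` before notifying the restart if the role does not already. The added `set -o pipefail` needs bash; the `args:` block that follows is outside the hunk, so if it does not already set `executable: /bin/bash` the task fails on hosts where `/bin/sh` is dash.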
diff --git a/roles/uptime-kuma/handlers/main.yml b/roles/uptime_kuma/handlers/main.yml similarity index 60% rename from roles/uptime-kuma/handlers/main.yml rename to roles/uptime_kuma/handlers/main.yml index edbed7c..c147ab7 100644 --- a/roles/uptime-kuma/handlers/main.yml +++ b/roles/uptime_kuma/handlers/main.yml @@ -4,13 +4,18 @@ daemon_reload: true - name: Reload systemd user - ansible.builtin.command: "systemctl --user daemon-reload" - become: true + ansible.builtin.systemd: + daemon_reload: true + scope: user + become: false become_user: "{{ ansible_user }}" - name: Restart uptime-kuma - ansible.builtin.command: "systemctl --user restart uptime-kuma.service" - become: true + ansible.builtin.systemd: + name: uptime-kuma.service + state: restarted + scope: user + become: false become_user: "{{ ansible_user }}" - name: Reload nginx diff --git a/roles/uptime-kuma/meta/main.yml b/roles/uptime_kuma/meta/main.yml similarity index 100% rename from roles/uptime-kuma/meta/main.yml rename to roles/uptime_kuma/meta/main.yml diff --git a/roles/uptime-kuma/tasks/main.yml b/roles/uptime_kuma/tasks/main.yml similarity index 94% rename from roles/uptime-kuma/tasks/main.yml rename to roles/uptime_kuma/tasks/main.yml index f8756fb..42aba67 100644 --- a/roles/uptime-kuma/tasks/main.yml +++ b/roles/uptime_kuma/tasks/main.yml @@ -55,7 +55,12 @@ when: ansible_user != 'root' - name: Enable and start uptime-kuma service (user scope) - ansible.builtin.command: "systemctl --user enable --now uptime-kuma.service" + ansible.builtin.systemd: + name: uptime-kuma.service + enabled: true + state: started + scope: user + become: false become_user: "{{ ansible_user }}" - name: Deploy nginx vhost configuration for uptime-kuma diff --git a/roles/uptime-kuma/templates/docker-compose.yml.j2 b/roles/uptime_kuma/templates/docker-compose.yml.j2 similarity index 100% rename from roles/uptime-kuma/templates/docker-compose.yml.j2 rename to roles/uptime_kuma/templates/docker-compose.yml.j2 
diff --git a/roles/uptime-kuma/templates/nginx-vhost.conf.j2 b/roles/uptime_kuma/templates/nginx-vhost.conf.j2 similarity index 100% rename from roles/uptime-kuma/templates/nginx-vhost.conf.j2 rename to roles/uptime_kuma/templates/nginx-vhost.conf.j2 diff --git a/roles/uptime-kuma/templates/uptime-kuma.service.j2 b/roles/uptime_kuma/templates/uptime-kuma.service.j2 similarity index 100% rename from roles/uptime-kuma/templates/uptime-kuma.service.j2 rename to roles/uptime_kuma/templates/uptime-kuma.service.j2 diff --git a/roles/uptime-kuma/templates/uptime-kuma.yaml.j2 b/roles/uptime_kuma/templates/uptime-kuma.yaml.j2 similarity index 100% rename from roles/uptime-kuma/templates/uptime-kuma.yaml.j2 rename to roles/uptime_kuma/templates/uptime-kuma.yaml.j2 diff --git a/roles/valkey/handlers/main.yml b/roles/valkey/handlers/main.yml index e99e479..1b55aaa 100644 --- a/roles/valkey/handlers/main.yml +++ b/roles/valkey/handlers/main.yml @@ -20,3 +20,10 @@ else grub-mkconfig -o /boot/grub/grub.cfg fi + +- name: Warn user about reboot requirement + ansible.builtin.debug: + msg: | + WARNING: GRUB configuration has been updated with transparent_hugepage=madvise + A REBOOT IS REQUIRED for this change to take effect permanently. + The setting has been applied at runtime temporarily. diff --git a/roles/valkey/tasks/kernel-tuning.yml b/roles/valkey/tasks/kernel-tuning.yml index fa80399..8d2436e 100644 --- a/roles/valkey/tasks/kernel-tuning.yml +++ b/roles/valkey/tasks/kernel-tuning.yml @@ -20,8 +20,9 @@ line: '\1 transparent_hugepage=madvise"' backrefs: true when: thp_check.rc != 0 - notify: Update GRUB - register: grub_updated + notify: + - Update GRUB + - Warn user about reboot requirement - name: Check current THP runtime setting ansible.builtin.shell: cat /sys/kernel/mm/transparent_hugepage/enabled 
@@ -33,11 +34,3 @@ echo madvise > /sys/kernel/mm/transparent_hugepage/enabled echo madvise > /sys/kernel/mm/transparent_hugepage/defrag when: "'[madvise]' not in current_thp.stdout" - -- name: Warn user about reboot requirement - ansible.builtin.debug: - msg: | - WARNING: GRUB configuration has been updated with transparent_hugepage=madvise - A REBOOT IS REQUIRED for this change to take effect permanently. - The setting has been applied at runtime temporarily. - when: grub_updated is changed diff --git a/roles/zfs/tasks/pools.yml b/roles/zfs/tasks/pools.yml index 5da98f7..eb80b1a 100644 --- a/roles/zfs/tasks/pools.yml +++ b/roles/zfs/tasks/pools.yml @@ -17,9 +17,7 @@ when: zfs_pools is defined - name: Creating basic zpool(s) - ansible.builtin.command: - "zpool create {{ '-o '+ item.options.items() |map('join', '=') | join (' -o ') if item.options is defined else '' }} {{ item.name }} {{ - item.devices|join (' ') }}" + ansible.builtin.command: "zpool create {{ '-o ' + item.options.items() | map('join', '=') | join(' -o ') if item.options is defined else '' }} {{ item.name }} {{ item.devices | join(' ') }}" with_items: "{{ zfs_pools }}" when: - zfs_pools is defined @@ -29,9 +27,7 @@ - item.devices[0] not in zpool_devices.stdout - name: Creating mirror/zraid zpool(s) - ansible.builtin.command: - "zpool create {{ '-o '+ item.options.items() |map('join', '=') | join (' -o ') if item.options is defined else '' }} {{ item.name }} {{ - item.type }} {{ item.devices|join (' ') }}" + ansible.builtin.command: "zpool create {{ '-o ' + item.options.items() | map('join', '=') | join(' -o ') if item.options is defined else '' }} {{ item.name }} {{ item.type }} {{ item.devices | join(' ') }}" with_items: "{{ zfs_pools }}" when: - zfs_pools is defined diff --git a/roles/zsh/tasks/plugins.yml b/roles/zsh/tasks/plugins.yml index aa6a356..7f31456 100644 --- a/roles/zsh/tasks/plugins.yml +++ b/roles/zsh/tasks/plugins.yml 
@@ -24,18 +24,12 @@ update: true version: master loop: - - { - repo: https://github.com/zsh-users/zsh-syntax-highlighting.git, - dest: "{{ zsh_plugins_path }}/zsh-syntax-highlighting", - } - - { - repo: https://github.com/zsh-users/zsh-autosuggestions.git, - dest: "{{ zsh_plugins_path }}/zsh-autosuggestions", - } - - { - repo: https://github.com/romkatv/powerlevel10k.git, - dest: "{{ zsh_plugins_path }}/powerlevel10k", - } + - repo: https://github.com/zsh-users/zsh-syntax-highlighting.git + dest: "{{ zsh_plugins_path }}/zsh-syntax-highlighting" + - repo: https://github.com/zsh-users/zsh-autosuggestions.git + dest: "{{ zsh_plugins_path }}/zsh-autosuggestions" + - repo: https://github.com/romkatv/powerlevel10k.git + dest: "{{ zsh_plugins_path }}/powerlevel10k" - name: Assert plugins are available for any user ansible.builtin.file:
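Review bot: Every plugin is cloned with `version: master` and `update: true`, so each play fast-forwards to whatever the upstream branch currently holds, and the following task (`Assert plugins are available for any user`) makes that code sourced by every user's shell on the host. Pin each plugin to a release tag or commit SHA instead: add a `version:` key to each loop item and use `version: "{{ item.version }}"` in the task, then bump the pins deliberately after reviewing the upstream diff.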