This commit is contained in:
bzoicas
2023-07-10 10:41:17 +03:00
commit dbb46eb92a
360 changed files with 13521 additions and 0 deletions


@@ -0,0 +1,17 @@
# Load distro-specific variables
- include_vars: "{{ ansible_distribution }}.yml"
tags: always
- block:
- import_tasks: nrpe.yml
- import_tasks: ufw.yml
- import_tasks: qemu-agent.yml
- include_tasks: unattended_upgrades.yml
when:
- ansible_distribution in ["Debian", "Pop!_OS", "Ubuntu"]
- unattended_upgrades is defined
- unattended_upgrades == true
rescue:
- set_fact: task_failed=true
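Review bot: The `rescue:` at the end of the block only records `task_failed=true`, so a failure inside nrpe.yml, ufw.yml or qemu-agent.yml no longer fails the host and the play continues, possibly with the firewall left partially configured; nothing else in this file reads `task_failed`. Either drop the rescue or end it with `- fail: msg="server role tasks failed"` after any cleanup so the failure is still reported. With indentation lost in this view it is not clear whether the trailing `when:` list governs only `include_tasks: unattended_upgrades.yml` or the whole block; if it is the whole block, the nrpe/ufw/qemu tasks are skipped on every host that does not set `unattended_upgrades: true`. The comparison `unattended_upgrades == true` would also be more robust as `unattended_upgrades | default(false) | bool`, which accepts inventory values such as `"true"` and removes the separate `is defined` check.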


@@ -0,0 +1,69 @@
- name: nrpe | install nrpe package and plugins
tags: nagios,nrpe
package:
state: latest
name:
- "{{ monitoring_plugins_package }}"
- "{{ nrpe_package }}"
notify:
- restart_nrpe
- name: nrpe | generate nrpe.cfg file from template
tags: openssh,ssh,system,settings
template:
src: nrpe.cfg.j2
dest: "{{ nrpe_config_file_dest }}"
owner: root
group: root
mode: 0644
notify: restart_nrpe
- name: nrpe | enable and start nrpe service
tags: nagios,nrpe
service:
name: "{{ nrpe_service }}"
enabled: yes
state: started
- name: nrpe | copy additional plugins
tags: nagios,nrpe
copy:
src: nrpe/{{ item }}
dest: "{{ monitoring_plugins_path }}/{{ item }}"
owner: root
group: root
mode: 0755
with_items:
- check_hddtemp
- check_md_raid
- check_mem
- check_nfs
- name: nrpe | create log file
tags: ansible,ansible-setup
file:
path: /var/log/nrpe.log
owner: "{{ nrpe_user }}"
group: "{{ nrpe_group }}"
mode: 0664
state: touch
changed_when: False
- name: nrpe | add logrotate config for nrpe log file
tags: nrpe,server
copy:
src: nrpe/logrotate
dest: /etc/logrotate.d/nrpe
owner: root
group: root
mode: 0644
- name: nrpe | clean up unneeded files (debian, etc)
tags: nrpe,server
file:
path: /etc/nagios/{{ item }}
state: absent
with_items:
- nrpe_local.cfg
- nrpe.d
when: ansible_distribution in ["Debian", "Pop!_OS", "Ubuntu"]
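Review bot: The template task `nrpe | generate nrpe.cfg file from template` is tagged `openssh,ssh,system,settings` while the install and service tasks around it carry `nagios,nrpe`, so a run with `--tags nrpe` installs the package and starts the service but never regenerates nrpe.cfg; the tag line looks copied from an ssh role and should read `tags: nagios,nrpe`. The same mismatch affects `nrpe | create log file`, tagged `ansible,ansible-setup`, and the two `nrpe,server` tasks at the end. Style-wise, the file modes are unquoted octal literals (`mode: 0644`, `0755`, `0664`); Ansible reads the leading-zero form correctly, but the documented, lint-clean form is a quoted string such as `mode: "0644"`. `enabled: yes` should be the canonical `enabled: true`, and `with_items` is the legacy spelling of `loop`.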


@@ -0,0 +1,17 @@
- name: qemu-agent | install package
tags: packages,qemu,qemu-agent
package:
state: latest
name:
- qemu-guest-agent
when: proxmox_instance is defined and proxmox_instance == true
notify:
- restart_qemu_agent
- name: qemu-agent | enable qemu agent daemon
tags: nagios,nrpe
service:
name: "{{ qemu_agent_service }}"
enabled: yes
state: started
when: proxmox_instance is defined and proxmox_instance == true
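Review bot: The service task `qemu-agent | enable qemu agent daemon` is tagged `nagios,nrpe`, which does not match the `packages,qemu,qemu-agent` tags on the install task directly above it, so `--tags qemu-agent` installs the package but never enables the daemon, and `--tags nrpe` unexpectedly touches it; change it to `tags: packages,qemu,qemu-agent`. The guard `proxmox_instance is defined and proxmox_instance == true` is duplicated on both tasks and can be written as `when: proxmox_instance | default(false) | bool`, which also tolerates the string values inventories often carry. `enabled: yes` should be the canonical `enabled: true`.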

329
roles/server/tasks/ufw.yml Normal file

@@ -0,0 +1,329 @@
- name: ufw | install package
tags: ufw
package:
state: latest
name: ufw
notify:
- restart_ufw
# dns
- name: ufw | dns | allow dns (tcp)
tags: ufw
ufw:
comment: dns
rule: allow
port: '53'
proto: tcp
when:
- dns_server is defined
- dns_server == true
- name: ufw | dns | allow dns (udp)
tags: ufw
ufw:
comment: dns
rule: allow
port: '53'
proto: udp
when:
- dns_server is defined
- dns_server == true
# k8s
- name: ufw | k8s | allow api server (master)
tags: ufw
ufw:
comment: k8s master api server
rule: allow
port: '6443'
proto: tcp
src: 172.16.249.0/24
when:
- k8s_master is defined
- k8s_master == true
- name: ufw | k8s | allow etcd server client api (master)
tags: ufw
ufw:
comment: k8s master etcd server client api
rule: allow
port: 2379:2380
proto: tcp
src: 172.16.249.0/24
when:
- k8s_master is defined
- k8s_master == true
- name: ufw | k8s | allow kubelet api server (master)
tags: ufw
ufw:
comment: k8s master kubelet api server
rule: allow
port: '10250'
proto: tcp
src: 172.16.249.0/24
when:
- k8s_master is defined
- k8s_master == true
- name: ufw | k8s | allow scheduler (master)
tags: ufw
ufw:
comment: k8s master scheduler
rule: allow
port: '10251'
proto: tcp
src: 172.16.249.0/24
when:
- k8s_master is defined
- k8s_master == true
- name: ufw | k8s | allow controller manager (master)
tags: ufw
ufw:
comment: k8s master controller manager
rule: allow
port: '10252'
proto: tcp
src: 172.16.249.0/24
when:
- k8s_master is defined
- k8s_master == true
- name: ufw | k8s | allow read-only kubelet API (master)
tags: ufw
ufw:
comment: k8s master read-only kubelet api
rule: allow
port: '10255'
proto: tcp
src: 172.16.249.0/24
when:
- k8s_master is defined
- k8s_master == true
- name: ufw | k8s | allow nodeport services (master)
tags: ufw
ufw:
comment: k8s master read-only kubelet api
rule: allow
port: 30000:32767
proto: tcp
src: 172.16.249.0/24
when:
- k8s_worker is defined
- k8s_worker == true
- name: ufw | k8s | allow kubelet API (worker)
tags: ufw
ufw:
comment: k8s worker read-only kubelet api
rule: allow
port: '10250'
proto: tcp
src: 172.16.249.0/24
when:
- k8s_worker is defined
- k8s_worker == true
- name: ufw | k8s | allow kubernetes read-only kubelet API (worker)
tags: ufw
ufw:
comment: k8s worker read-only kubelet api
rule: allow
port: '10255'
proto: tcp
src: 172.16.249.0/24
when:
- k8s_worker is defined
- k8s_worker == true
- name: ufw | k8s | allow kubernetes nodeport services (worker)
tags: ufw
ufw:
comment: k8s worker read-only kubelet api
rule: allow
port: 30000:32767
proto: tcp
src: 172.16.249.0/24
when:
- k8s_worker is defined
- k8s_worker == true
# minecraft
- name: ufw | minecraft | allow server
tags: ufw
ufw:
comment: minecraft
rule: allow
port: '25565'
proto: tcp
when:
- minecraft_server is defined
- minecraft_server == true
# nrpe
- name: ufw | nrpe | allow nrpe from utility server (internal)
tags: ufw
ufw:
comment: nrpe
rule: allow
port: '5666'
src: 172.16.249.9/32
when:
- proxmox_instance is defined and proxmox_instance == true or
raspberry_pi is defined and raspberry_pi == true
- name: ufw | nrpe | allow nrpe (external)
tags: ufw
ufw:
comment: nrpe
rule: allow
port: '5666'
src: 172.14.56.123/32
when:
- linode_instance is defined
- linode_instance == true
# openssh
- name: ufw | openssh | allow ssh (external)
tags: ufw
ufw:
comment: ssh from home network
rule: allow
port: ssh
src: 172.14.59.123/32
when:
- linode_instance is defined
- linode_instance == true
- name: ufw | openssh | allow ssh (internal)
tags: ufw
ufw:
comment: ssh
rule: allow
port: ssh
src: '{{ item }}'
loop:
- 10.10.10.10/24
- 172.16.248.0/24
- 172.16.249.0/24
- 172.16.250.0/24
- 172.16.251.0/24
when:
- linode_instance is defined
- linode_instance == false
# plex
- name: ufw | plex | allow plex
tags: ufw
ufw:
comment: plex
rule: allow
port: '32400'
proto: tcp
when:
- plex_server is defined
- plex_server == true
# unifi
- name: ufw | unifi | allow device discovery
tags: ufw
ufw:
comment: unifi controller device discovery
rule: allow
port: '10001'
proto: udp
src: 172.16.248.0/24
when:
- unifi_controller is defined
- unifi_controller == true
- name: ufw | unifi | allow http
tags: ufw
ufw:
comment: unifi controller http
rule: allow
port: '8080'
proto: tcp
src: 172.16.248.0/24
when:
- unifi_controller is defined
- unifi_controller == true
- name: ufw | unifi | allow https
tags: ufw
ufw:
comment: unifi controller https
rule: allow
port: '8443'
proto: tcp
src: 172.16.248.0/24
when:
- unifi_controller is defined
- unifi_controller == true
- name: ufw | unifi | allow speed test
tags: ufw
ufw:
comment: unifi controller speed test
rule: allow
port: '6789'
proto: tcp
src: 172.16.248.0/24
when:
- unifi_controller is defined
- unifi_controller == true
- name: ufw | unifi | allow stun
tags: ufw
ufw:
comment: unifi controller stun
rule: allow
port: '3478'
proto: udp
src: 172.16.248.0/24
when:
- unifi_controller is defined
- unifi_controller == true
# web server
- name: ufw | web server | allow http (80)
tags: ufw
ufw:
comment: http
rule: allow
port: '80'
proto: tcp
when:
- web_server is defined
- web_server == true
- name: ufw | web server | allow http (8080)
tags: ufw
ufw:
comment: http_8080
rule: allow
port: '8080'
proto: tcp
when:
- web_server_8080 is defined
- web_server_8080 == true
- name: ufw | web server | allow https
tags: ufw
ufw:
comment: https
rule: allow
port: '443'
proto: tcp
when:
- web_server is defined
- web_server == true
# all rules set, enable
- name: ufw | enable firewall
ufw:
state: enabled
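Review bot: `ufw | enable firewall` runs unconditionally at the end, but both ssh rules above it are conditional: the external rule needs `linode_instance == true` and the internal rule needs `linode_instance is defined` and `== false`, so a host where `linode_instance` is simply undefined gets no ssh allow before the firewall is switched on and the Ansible connection to it is cut. Make the internal rule the default, `when: not (linode_instance | default(false) | bool)`, and consider an explicit `default: deny` / `direction: incoming` task ahead of `state: enabled` rather than relying on ufw's built-in policy. Several `comment:` values are copy-pasted and will mislabel rules in `ufw status`: the master nodeport task (`port: 30000:32767`) carries `comment: k8s master read-only kubelet api` and is gated on `k8s_worker` rather than `k8s_master`, and the worker kubelet API and nodeport tasks both say `read-only kubelet api`. The loop entry `10.10.10.10/24` has host bits set and is presumably meant to be `10.10.10.0/24`, and the two-line `when:` on the internal nrpe rule mixes `and`/`or` without parentheses — it evaluates as intended because `and` binds tighter, but `(a) or (b)` grouping would make that explicit.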


@@ -0,0 +1,37 @@
- name: unattended upgrades | install unattended-upgrades for debian-based hosts
tags: packages,unattended,updates,upgrades
package:
state: latest
name:
- unattended-upgrades
when: ansible_distribution in ['Debian', 'Ubuntu']
- name: unattended upgrades | copy 20auto-upgrades file for debian-based hosts
tags: packages,unattended,updates,upgrades
copy:
src: unattended-upgrades/20auto-upgrades
dest: /etc/apt/apt.conf.d/20auto-upgrades
owner: root
group: root
mode: 0644
when: ansible_distribution in ['Debian', 'Ubuntu']
- name: unattended upgrades | copy 50unattended-upgrades file (debian)
tags: debian,packages,unattended,updates,upgrades
copy:
src: unattended-upgrades/50unattended-upgrades_debian
dest: /etc/apt/apt.conf.d/50unattended-upgrades
owner: root
group: root
mode: 0644
when: ansible_distribution == "Debian"
- name: unattended upgrades | copy 50unattended-upgrades file (ubuntu)
tags: packages,unattended,updates,ubuntu,upgrades
copy:
src: unattended-upgrades/50unattended-upgrades_ubuntu
dest: /etc/apt/apt.conf.d/50unattended-upgrades
owner: root
group: root
mode: 0644
when: ansible_distribution == "Ubuntu"
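Review bot: Every task in this file is gated on `ansible_distribution in ['Debian', 'Ubuntu']` or an exact `== "Debian"` / `== "Ubuntu"` match, while the including main.yml hunk in this commit also admits `"Pop!_OS"`, so on a Pop!_OS host the file is included and then every task is skipped, leaving unattended upgrades unconfigured with no error. Either add Pop!_OS to the conditions here (it is Ubuntu-based, so `50unattended-upgrades_ubuntu` is the likely candidate — to be confirmed) or remove it from main.yml so the gap is visible. Style-wise the same file-mode convention applies as in the sibling files: `mode: "0644"` rather than the bare octal literal.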