diff --git a/defaults/main.yml b/defaults/main.yml
index 692193d..040b08d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -101,3 +101,9 @@ common_rcfiles: True
 common_tty: True
 common_git: True
 common_sysctl: False
+common_logrotate: True
+common_iptables: True
+common_iptables_v4: "iptables_default_v4.j2"
+common_iptables_v6: "iptables_default_v6.j2"
+common_snapper: False
+common_smartd: False
diff --git a/handlers/.main.yml.swp b/handlers/.main.yml.swp
new file mode 100644
index 0000000..297bfd4
Binary files /dev/null and b/handlers/.main.yml.swp differ
diff --git a/handlers/main.yml b/handlers/main.yml
index 07f4e20..9f65822 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -16,13 +16,22 @@
   service: name=resolvconf state=restarted
 
 - name: reload mailer
-  service: name="{{ common_mailer_mailer }}" state=reloaded
+  service: "name={{ common_mailer_mailer }} state=reloaded"
 
 - name: restart mailer
-  service: name="{{ common_mailer_mailer }}" state=restarted
+  service: "name={{ common_mailer_mailer }} state=restarted"
 
 - name: newaliases
   command: newaliases
 
 - name: apt-get update
   apt: update_cache=yes
+
+- name: iptables restore
+  command: iptables-restore /etc/iptables/rules.v4 && iptables-restore /etc/iptables/rules.v6
+
+- name: snapper - reload fstab
+  command: mount -a
+
+- name: restart smartd
+  service: name=smartd state=restarted
diff --git a/tasks/iptables.yml b/tasks/iptables.yml
new file mode 100644
index 0000000..9b791a4
--- /dev/null
+++ b/tasks/iptables.yml
@@ -0,0 +1,13 @@
+---
+- name: iptables - install iptables-persistent
+  package: name=iptables-persistent
+
+- name: /etc/iptables/rules.v4
+  template: "dest=/etc/iptables/rules.v4 src={{ common_iptables_v4 }} owner=root group=root mode=0644"
+  notify:
+    iptables restore
+
+- name: /etc/iptables/rules.v6
+  template: "dest=/etc/iptables/rules.v6 src={{ common_iptables_v6 }} owner=root group=root mode=0644"
+  notify:
+    iptables restore
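Review bot: `common_iptables: True` switches the new iptables handling on for every host by default, and the shipped `iptables_default_v4.j2`/`iptables_default_v6.j2` templates are empty ACCEPT-all rulesets, so on a host that already has a filter table the `iptables restore` handler this enables replaces it with an empty one. Consider defaulting to `common_iptables: False` like the other new features in this hunk (`common_snapper`, `common_smartd`), or at least documenting the intent next to the variable: `# default templates accept everything; point common_iptables_v4/v6 at a real ruleset before enabling`. The file already uses `True`/`False` for its booleans, so keeping that form here is consistent, though yamllint's truthy rule would prefer `true`/`false` file-wide.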
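Review bot: The new `iptables restore` handler uses the `command` module, which does not go through a shell, so `&&` and everything after it are passed as literal arguments to `iptables-restore` and the v6 ruleset is never loaded; the v6 file also needs `ip6tables-restore`, not `iptables-restore`. Either split it into two handlers or switch to the shell module: `shell: iptables-restore /etc/iptables/rules.v4 && ip6tables-restore /etc/iptables/rules.v6`. Separately, `handlers/.main.yml.swp` added just above this hunk is a Vim swap file and should be dropped from the commit (and covered by .gitignore).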
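Review bot: Both `template` tasks write the ruleset straight to `/etc/iptables/rules.v4`/`rules.v6` with no `validate:` step, so a syntax error in a user-supplied `common_iptables_v4`/`common_iptables_v6` template is only noticed when the `iptables restore` handler runs at the end of the play, after the broken file has already replaced the persistent ruleset loaded at next boot. The template module's `validate` parameter with `iptables-restore --test %s` (and `ip6tables-restore --test %s` for the v6 file) rejects a bad render before the file is installed; it requires the module arguments in block form rather than the current key=value string, as below. The two-line `notify:` with the handler name on a continuation line is valid YAML but reads like a nested key; `notify: iptables restore` on one line is clearer.
```yaml
- name: /etc/iptables/rules.v4
  template:
    src: "{{ common_iptables_v4 }}"
    dest: /etc/iptables/rules.v4
    owner: root
    group: root
    mode: "0644"
    validate: "iptables-restore --test %s"
  notify: iptables restore
# … unchanged: rules.v6 task, same shape with ip6tables-restore --test and common_iptables_v6 …
```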
diff --git a/tasks/logrotate.yml b/tasks/logrotate.yml
new file mode 100644
index 0000000..d8e3b72
--- /dev/null
+++ b/tasks/logrotate.yml
@@ -0,0 +1,6 @@
+---
+- name: logrotate - set backlog
+  lineinfile:
+    path: /etc/logrotate.conf
+    regexp: '^rotate '
+    line: 'rotate 52'
diff --git a/tasks/main.yml b/tasks/main.yml
index 986c3e6..db08dbb 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -56,3 +56,20 @@
 - import_tasks: sysctl.yml
   when: common_sysctl
   tags: ['common', 'sysctl']
+
+- import_tasks: logrotate.yml
+  when: common_logrotate
+  tags: ['common', 'logrotate']
+
+- import_tasks: iptables.yml
+  when: common_iptables
+  tags: ['common', 'iptables']
+
+- import_tasks: snapper.yml
+  when: common_snapper
+  tags: ['common', 'snapper']
+
+- import_tasks: smartd.yml
+  when: common_smartd
+  tags: ['common', 'smartd']
+
diff --git a/tasks/smartd.yml b/tasks/smartd.yml
new file mode 100644
index 0000000..433d90f
--- /dev/null
+++ b/tasks/smartd.yml
@@ -0,0 +1,16 @@
+---
+- name: smartd - install smartmontools
+  package: name=smartmontools
+
+- name: smartd - /etc/default/smartmontools
+  replace:
+    path: /etc/default/smartmontools
+    regexp: "^#start_smartd=.*"
+    replace: "start_smartd=yes"
+  notify: restart smartd
+
+- name: smartd - /etc/smartd.conf
+  copy:
+    dest: /etc/smartd.conf
+    content: "DEVICESCAN -a -d nvme -d sat -o on -s (S/../.././01) -n standby -R 5 -I 9 -R 194 -m root -M exec /usr/share/smartmontools/smartd-runner\n"
+  notify: restart smartd
diff --git a/tasks/snapper.yml b/tasks/snapper.yml
new file mode 100644
index 0000000..29479ee
--- /dev/null
+++ b/tasks/snapper.yml
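Review bot: `line: 'rotate 52'` hard-codes the retention count, while the rest of this commit exposes its knobs through `defaults/main.yml` (`common_iptables_v4`, `common_iptables_v6`); a `common_logrotate_rotate: 52` default and `line: "rotate {{ common_logrotate_rotate }}"` would let hosts choose their retention without editing the task. The task name `logrotate - set backlog` does not say what is being set; `logrotate - set global rotate count` describes the `^rotate ` edit more precisely.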
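Review bot: The hunk ends with an added empty line after the `smartd` entry, which leaves a trailing blank line at end of file (yamllint's `empty-lines` rule flags this); drop that final blank line. The four new `import_tasks` entries otherwise follow the `when:`/`tags:` shape of the existing `sysctl` entry, which keeps the file consistent.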
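Review bot: Nothing in this hunk starts or enables the smartd service: the `replace` task only rewrites a commented `#start_smartd=` line (the `^#` anchor skips an already-uncommented `start_smartd=no`), and the `restart smartd` handler fires only when one of the two tasks reports a change, so on a host where the file is already uncommented the daemon may never be started. Adding a final task `- name: smartd - enable service` with `service: name=smartd state=started enabled=yes` makes the intended end state explicit regardless of what the file looked like before. The `content:` value also packs the whole DEVICESCAN directive into one quoted string ending in `\n`; a `content: |` block scalar would keep the directive readable and avoid the escaped newline.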
@@ -0,0 +1,20 @@
+---
+- name: snapper - install snapper
+  package: name=snapper
+
+- name: snapper - create-config
+  command: snapper create-config /
+  args:
+    creates: /etc/snapper/configs/root
+
+- name: snapper - get rootfs blkid
+  shell: "blkid -s UUID|grep `mount|grep '/ '|cut -d' ' -f1`|cut -d' ' -f 2"
+  register: snapper_blkid
+  changed_when: False
+
+- name: snapper - /etc/fstab
+  lineinfile:
+    path: /etc/fstab
+    line: "{{ snapper_blkid.stdout_lines[0] }} /.snapshots btrfs subvol=.snapshots 0 1"
+  when: snapper_blkid.stdout_lines is defined
+  notify: snapper - reload fstab
diff --git a/templates/iptables_default_v4.j2 b/templates/iptables_default_v4.j2
new file mode 100644
index 0000000..72b9469
--- /dev/null
+++ b/templates/iptables_default_v4.j2
@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
diff --git a/templates/iptables_default_v6.j2 b/templates/iptables_default_v6.j2
new file mode 100644
index 0000000..72b9469
--- /dev/null
+++ b/templates/iptables_default_v6.j2
@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
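Review bot: The `when: snapper_blkid.stdout_lines is defined` guard on the `/etc/fstab` task never blocks anything — a registered result always defines `stdout_lines` — so when the `blkid | grep` pipeline prints nothing, `stdout_lines[0]` fails with an undefined-index error instead of skipping; `when: snapper_blkid.stdout_lines | length > 0` is the check that was meant. The backtick `mount | grep '/ '` parse used to find the root device is fragile (the `grep` on the device name also matches longer names that share the prefix), and `findmnt -n -o UUID /` returns the root filesystem UUID directly, so `shell: findmnt -n -o UUID /` with `line: "UUID={{ snapper_blkid.stdout }} /.snapshots btrfs subvol=.snapshots 0 1"` is the simpler and more robust form. The `lineinfile` task also has no `regexp:`, so a changed root UUID appends a second `/.snapshots` entry rather than replacing the old one; `regexp: ' /\.snapshots '` would make it idempotent across re-provisioning. A fs_passno of `1` on a btrfs subvolume looks unintended, since btrfs does no boot-time fsck pass and `0` is the usual value — worth confirming.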
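Review bot: Both `iptables_default_v4.j2` and `iptables_default_v6.j2` (identical content, same blob 72b9469) define a `*filter` table with ACCEPT policies and no rules, so restoring them filters nothing but does replace whatever filter rules the host currently has, and a reader of the rendered `/etc/iptables/rules.v4` gets no hint of that. Add a comment under the `ansible_managed` line saying so, e.g. `# Placeholder ruleset: every chain defaults to ACCEPT. Override common_iptables_v4 (v6: common_iptables_v6) with a real policy.` Since the v6 template is byte-identical, a single shared template would avoid the duplicate unless the two are expected to diverge later.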