Add logrotate,iptables,snapper and smartd

defaults/main.yml

@@ -101,3 +101,9 @@ common_rcfiles: True
 common_tty: True
 common_git: True
 common_sysctl: False
+common_logrotate: True
+common_iptables: True
+common_iptables_v4: "iptables_default_v4.j2"
+common_iptables_v6: "iptables_default_v6.j2"
+common_snapper: False
+common_smartd: False

handlers/main.yml

@@ -16,13 +16,22 @@
   service: name=resolvconf state=restarted
 
 - name: reload mailer
-  service: name="{{ common_mailer_mailer }}" state=reloaded
+  service: "name={{ common_mailer_mailer }} state=reloaded"
 
 - name: restart mailer
-  service: name="{{ common_mailer_mailer }}" state=restarted
+  service: "name={{ common_mailer_mailer }} state=restarted"
 
 - name: newaliases
   command: newaliases
 
 - name: apt-get update
   apt: update_cache=yes
+
+- name: iptables restore
+  command: iptables-restore /etc/iptables/rules.v4 && iptables-restore /etc/iptables/rules.v6
+
+- name: snapper - reload fstab
+  command: mount -a
+
+- name: restart smartd
+  service: name=smartd state=restarted

tasks/iptables.yml

@@ -0,0 +1,13 @@
+---
+- name: iptables - install iptables-persistent
+  package: name=iptables-persistent
+
+- name: /etc/iptables/rules.v4
+  template: "dest=/etc/iptables/rules.v4 src={{ common_iptables_v4 }} owner=root group=root mode=0644"
+  notify:
+    iptables restore
+
+- name: /etc/iptables/rules.v6
+  template: "dest=/etc/iptables/rules.v6 src={{ common_iptables_v6 }} owner=root group=root mode=0644"
+  notify:
+    iptables restore

tasks/logrotate.yml

@@ -0,0 +1,6 @@
+---
+- name: logrotate - set backlog
+  lineinfile:
+    path: /etc/logrotate.conf
+    regexp: '^rotate '
+    line: 'rotate 52'

tasks/main.yml

@@ -56,3 +56,20 @@
 - import_tasks: sysctl.yml
   when: common_sysctl
   tags: ['common', 'sysctl']
+
+- import_tasks: logrotate.yml
+  when: common_logrotate
+  tags: ['common', 'logrotate']
+
+- import_tasks: iptables.yml
+  when: common_iptables
+  tags: ['common', 'iptables']
+
+- import_tasks: snapper.yml
+  when: common_snapper
+  tags: ['common', 'snapper']
+
+- import_tasks: smartd.yml
+  when: common_smartd
+  tags: ['common', 'smartd']
+

tasks/smartd.yml

@@ -0,0 +1,16 @@
+---
+- name: smartd - install smartmontools
+  package: name=smartmontools
+
+- name: smartd - /etc/default/smartmontools
+  replace:
+    path: /etc/default/smartmontools
+    regexp: "^#start_smartd=.*"
+    replace: "start_smartd=yes"
+  notify: restart smartd
+
+- name: smartd - /etc/smartd.conf
+  copy:
+    dest: /etc/smartd.conf
+    content: "DEVICESCAN -a -d nvme -d sat -o on -s (S/../.././01) -n standby -R 5 -I 9 -R 194 -m root -M exec /usr/share/smartmontools/smartd-runner\n"
+  notify: restart smartd

tasks/snapper.yml

@@ -0,0 +1,20 @@
+---
+- name: snapper - install snapper
+  package: name=snapper
+
+- name: snapper - create-config
+  command: snapper create-config /
+  args:
+    creates: /etc/snapper/configs/root
+
+- name: snapper - get rootfs blkid
+  shell: "blkid -s UUID|grep `mount|grep '/ '|cut -d' ' -f1`|cut -d' ' -f 2"
+  register: snapper_blkid
+  changed_when: False
+
+- name: snapper - /etc/fstab
+  lineinfile:
+    path: /etc/fstab
+    line: "{{ snapper_blkid.stdout_lines[0] }} /.snapshots btrfs subvol=.snapshots 0 1"
+  when: snapper_blkid.stdout_lines is defined
+  notify: snapper - reload fstab

templates/iptables_default_v4.j2

@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT

templates/iptables_default_v6.j2

@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT