diff --git a/collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/platform_vars.yml b/collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/platform_vars.yml
index a3e65fa..4025dba 100644
--- a/collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/platform_vars.yml
+++ b/collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/platform_vars.yml
@@ -1,4 +1,4 @@
 custom_base_user_account: 'vagrant'
 security_firewall_mangle_drop_privatenets: false
-common_configure_resolve_conf: true
+security_configure_resolve_conf: true
 global_ip_dualstack: false
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/common/defaults/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/common/defaults/main.yml
index 5572842..fcdbabb 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/common/defaults/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/common/defaults/main.yml
@@ -2,7 +2,6 @@
 common_apt_packages: []
 common_apt_source_components: ["contrib", "non-free", "non-free-firmware"]
 common_apt_use_deb822_format: false
-common_configure_resolve_conf: false
 common_git_email: ""
 common_git_enabled: false
 common_git_force_sign: false
@@ -10,5 +9,4 @@ common_git_signing_key: ""
 common_git_username: ""
 common_github_token: "{{ custom_github_token | default('') }}"
 common_install_fonts: false
-common_sysctl_configuration: {}
 common_user_account: "{{ custom_base_user_account }}"
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/common/handlers/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/common/handlers/main.yml
index b0f94ce..ed97d53 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/common/handlers/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/common/handlers/main.yml @@ -1,5 +1 @@ --- -- name: '[system] reload sysctl configuration' - become: true - ansible.builtin.command: - cmd: sysctl --system diff --git a/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml index 03b20db..102ad8c 100644 --- a/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml +++ b/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml @@ -1,35 +1,4 @@ --- -- name: '[system] setup DNS server' - block: - - name: disable resolv.conf updates from dhclient - ansible.builtin.copy: - dest: /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate - content: | - #!/bin/sh - make_resolv_conf(){ - : - } - owner: root - group: root - mode: '0755' - - name: update resolv.conf - ansible.builtin.template: - src: ../templates/system/resolv.conf.j2 - dest: /etc/resolv.conf - mode: '0644' - owner: root - group: root - become: true - when: common_configure_resolve_conf is truthy - -- name: '[system] re-allow DHCP client to setup DNS resolvers' - become: true - ansible.builtin.file: - path: /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate - state: absent - failed_when: false - when : common_configure_resolve_conf is falsy - - name: '[apt] verify components of default sources' become: true block: @@ -135,18 +104,6 @@ cmds: - dpkg -i {asset_dirname}/{asset_filename} -- name: '[system] add sysctl tweaks' - become: true - ansible.builtin.template: - src: ../templates/system/sysctld.local.conf.j2 - dest: /etc/sysctl.d/local.conf - mode: '0644' - when: common_sysctl_configuration is truthy - vars: - sysctl_values: "{{ common_sysctl_configuration }}" - notify: - - 'common : [system] reload sysctl configuration' - - name: '[apt] install custom packages' become: true ansible.builtin.apt: 
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/common/templates/system/sysctld.local.conf.j2 b/collections/ansible_collections/nullified/infrastructure/roles/common/templates/system/sysctld.local.conf.j2
deleted file mode 100644
index d11a652..0000000
--- a/collections/ansible_collections/nullified/infrastructure/roles/common/templates/system/sysctld.local.conf.j2
+++ /dev/null
@@ -1,3 +0,0 @@
-{% for item in common_sysctl_configuration.keys() -%}
- {{ item }} = {{ common_sysctl_configuration[item] }}
-{% endfor %}
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml
index 8392685..dbb0499 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml
@@ -2,6 +2,7 @@
 security_apt_force_https: true
 security_apt_https_ignore_list: []
 security_clamav_version: 1.3.1
+security_configure_resolve_conf: false
 security_firewall_enabled: true
 security_firewall_filter_policy_forward: drop
 security_firewall_filter_policy_input: drop
@@ -16,3 +17,4 @@ security_firewall_nat_policy_output: accept
 security_firewall_nat_policy_postrouting: accept
 security_firewall_nat_policy_prerouting: accept
 security_ssh_port: 22
+security_sysctl_configuration: {}
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/handlers/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/security/handlers/main.yml
index 533c188..b9c60f7 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/handlers/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/handlers/main.yml
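Review bot: The two new defaults `security_configure_resolve_conf: false` and `security_sysctl_configuration: {}` arrive without any comment saying what they control, and a role's defaults file is where operators look first to learn the contract. A one-line comment above each would be enough, for example `# true: render /etc/resolv.conf from the role template and block dhclient from rewriting it` and `# mapping of sysctl key -> value rendered into /etc/sysctl.d/local.conf`. The surrounding firewall and apt keys are equally undocumented, so this is the file's existing style rather than a regression of this commit.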
@@ -44,3 +44,8 @@ ansible.builtin.apt: update_cache: true force_apt_get: true + +- name: '[system] reload sysctl configuration' + become: true + ansible.builtin.command: + cmd: sysctl --system diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml index 26e07dc..1e363b9 100644 --- a/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml +++ b/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml @@ -4,6 +4,49 @@ gather_subset: - distribution +- name: '[system] setup DNS server' + block: + - name: disable resolv.conf updates from dhclient + ansible.builtin.copy: + dest: /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate + content: | + #!/bin/sh + make_resolv_conf(){ + : + } + owner: root + group: root + mode: '0755' + - name: update resolv.conf + ansible.builtin.template: + src: ../templates/system/debian/resolv.conf.j2 + dest: /etc/resolv.conf + mode: '0644' + owner: root + group: root + become: true + when: security_configure_resolve_conf is truthy + +- name: '[system] re-allow DHCP client to setup DNS resolvers' + become: true + ansible.builtin.file: + path: /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate + state: absent + failed_when: false + when : security_configure_resolve_conf is falsy + +- name: '[system] add sysctl tweaks' + become: true + ansible.builtin.template: + src: ../templates/system/debian/sysctld.local.conf.j2 + dest: /etc/sysctl.d/local.conf + mode: '0644' + when: security_sysctl_configuration is truthy + vars: + sysctl_values: "{{ security_sysctl_configuration }}" + notify: + - 'security : [system] reload sysctl configuration' + - ansible.builtin.include_tasks: file: firewall.yml apply: 
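Review bot: Setting `security_sysctl_configuration` back to `{}` leaves a previously rendered /etc/sysctl.d/local.conf in place, because the `[system] add sysctl tweaks` task only runs when the mapping is truthy and, unlike the resolv.conf pair in the same hunk (`setup DNS server` guarded by `is truthy`, `re-allow DHCP client` guarded by `is falsy`), has no counterpart that removes the file. A cleanup task guarded by `is falsy` would make the two features symmetrical; note that removing the drop-in only stops the values being re-applied on the next `sysctl --system`, it does not reset parameters already set in the running kernel. Separately, the task's `vars: sysctl_values: "{{ security_sysctl_configuration }}"` is never read — the new template added in this diff iterates `security_sysctl_configuration` directly — so either drop the var here or make the template consume `sysctl_values`. Minor style: `when : security_configure_resolve_conf is falsy` has a space before the colon; write `when: security_configure_resolve_conf is falsy` to match every other task. The trailing `include_tasks` entry continues past the end of the hunk.
```yaml
# … unchanged: '[system] add sysctl tweaks' task …

- name: '[system] remove sysctl tweaks'
  become: true
  ansible.builtin.file:
    path: /etc/sysctl.d/local.conf
    state: absent
  when: security_sysctl_configuration is falsy
  notify:
    - 'security : [system] reload sysctl configuration'
```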
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/common/templates/system/resolv.conf.j2 b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/resolv.conf.j2
similarity index 100%
rename from collections/ansible_collections/nullified/infrastructure/roles/common/templates/system/resolv.conf.j2
rename to collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/resolv.conf.j2
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/sysctld.local.conf.j2 b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/sysctld.local.conf.j2
new file mode 100644
index 0000000..3735fe3
--- /dev/null
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/sysctld.local.conf.j2
@@ -0,0 +1,3 @@
+{% for item in security_sysctl_configuration.keys() -%}
+ {{ item }} = {{ security_sysctl_configuration[item] }}
+{% endfor %}
diff --git a/inventory/group_vars/external/vars.yml b/inventory/group_vars/external/vars.yml
index 02f44e1..e9c6af8 100644
--- a/inventory/group_vars/external/vars.yml
+++ b/inventory/group_vars/external/vars.yml
@@ -2,3 +2,4 @@
 security_firewall_mangle_drop_privatenets: false
 global_dns_domainname: "{{ vault_global_dns_domainname }}"
 external_provisioner_source_ips: '{{ vault_external_provisioner_source_ips }}'
+security_configure_resolve_conf: true
diff --git a/inventory/host_vars/unobtainium/vars.yml b/inventory/host_vars/unobtainium/vars.yml
index 2218aa7..0e5d9ad 100644
--- a/inventory/host_vars/unobtainium/vars.yml
+++ b/inventory/host_vars/unobtainium/vars.yml
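Review bot: The new sysctld.local.conf.j2 looks the mapping up twice per entry — `{% for item in security_sysctl_configuration.keys() -%}` and then `security_sysctl_configuration[item]` — where iterating pairs says the same thing directly: `{% for key, value in security_sysctl_configuration.items() -%}` followed by `{{ key }} = {{ value }}`. Behaviour is identical since the template only emits `key = value` lines; this is a readability point for a file that is otherwise carried over verbatim from the common role.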
@@ -12,7 +12,7 @@ common_git_email: "{{ vault_common_gitconfig_email }}" common_git_force_sign: true common_git_signing_key: "{{ vault_common_gitconfig_signingkey }}" common_install_fonts: true -common_sysctl_configuration: +security_sysctl_configuration: 'fs.inotify.max_user_watches': 1048576 'vm.swappiness': 1 diff --git a/inventory/host_vars/unsepttrium/vars.yml b/inventory/host_vars/unsepttrium/vars.yml index bacc2db..dc9fe7a 100644 --- a/inventory/host_vars/unsepttrium/vars.yml +++ b/inventory/host_vars/unsepttrium/vars.yml @@ -11,7 +11,7 @@ common_git_email: "{{ vault_common_gitconfig_email }}" common_git_force_sign: true common_git_signing_key: "{{ vault_common_gitconfig_signingkey }}" common_install_fonts: true -common_sysctl_configuration: +security_sysctl_configuration: 'fs.inotify.max_user_watches': 1048576 'vm.swappiness': 1