diff --git a/collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/converge.yml b/collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/converge.yml
index 63a14d7..270d7c0 100644
--- a/collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/converge.yml
+++ b/collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/converge.yml
@@ -24,6 +24,10 @@
 - include_vars: ../../../../../../../inventory/group_vars/all/vars.yml
 - include_vars: ../../../../../../../inventory/group_vars/all/vault.yml
 - include_vars: ./platform_vars.yml
+ - name: Platform hostvars
+ ansible.builtin.debug:
+ msg: "{{ hostvars[inventory_hostname] }}"
+ verbosity: 1
 - name: Enable guest console access
 become: true
 ansible.builtin.systemd_service:
diff --git a/collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/molecule.yml b/collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/molecule.yml
index eea7b58..ec81fbc 100644
--- a/collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/molecule.yml
+++ b/collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/molecule.yml
@@ -33,6 +33,9 @@ platforms:
 - molecule
 provisioner:
 name: ansible
+ config_options:
+ defaults:
+ vault_password_file: ${HOME}/.config/ansible/vault-id
 inventory:
 group_vars:
 molecule:
diff --git a/collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/platform_vars.yml b/collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/platform_vars.yml
index 0843e4b..a3e65fa 100644
--- a/collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/platform_vars.yml
+++ b/collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/platform_vars.yml
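Review bot: The new debug task prints the entire `hostvars[inventory_hostname]` mapping, and since `vault.yml` is loaded by the `include_vars` two lines above, every `-v` molecule run writes the decrypted vault values to the terminal and to CI logs. `verbosity: 1` is not a safeguard here; a verbose run is exactly what someone does when a test misbehaves, so the secrets end up in shared log storage. Restrict the output to the keys the scenario actually needs, for example `msg: "{{ hostvars[inventory_hostname] | dict2items | selectattr('key', 'match', '^(common|security|global)_') | items2dict }}"`, or list the handful of variables explicitly; `no_log: true` is not an alternative because it would blank the message entirely.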
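Review bot: `vault_password_file: ${HOME}/.config/ansible/vault-id` bakes a per-developer path into committed scenario config, so any run without that file (a fresh clone, CI) fails before converge starts, and nothing in the scenario documents the expectation. Molecule interpolates `${VAR}` in molecule.yml as far as I know and also accepts a `${VAR:-default}` form, so `vault_password_file: "${ANSIBLE_VAULT_PASSWORD_FILE:-~/.config/ansible/vault-id}"` keeps the convenience while letting CI inject its own path; quoting the scalar also keeps it obviously a string. A comment such as `# vault id used to decrypt inventory/group_vars/all/vault.yml` next to the key would save the next contributor a search.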
@@ -1,8 +1,4 @@
 custom_base_user_account: 'vagrant'
-custom_security:
- firewall:
- mangle:
- drop_privatenets: false
-custom_common:
- configure_resolv_conf: true
-ip_dualstack: false
+security_firewall_mangle_drop_privatenets: false
+common_configure_resolve_conf: true
+global_ip_dualstack: false
diff --git a/collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/requirements.yml b/collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/requirements.yml
index 256c83d..78b3f09 100644
--- a/collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/requirements.yml
+++ b/collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/requirements.yml
@@ -1,2 +1,3 @@
 collections:
 - community.docker
+ - ansible.netcommon
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/common/defaults/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/common/defaults/main.yml
index 6ef011c..5572842 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/common/defaults/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/common/defaults/main.yml
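Review bot: The filters the firewall tasks in this commit rely on (`ansible.utils.ipv4` / `ansible.utils.ipv6` in roles/security/tasks/firewall.yml) live in the `ansible.utils` collection, not in `ansible.netcommon`; netcommon pulls utils in as a transitive dependency as far as I know, but the requirements file should name the collection that is actually used so the scenario survives a netcommon refactor. Neither entry is version-pinned, so every test run installs whatever Galaxy currently serves and a test failure can come from an upstream release rather than this repository. Pin both, e.g. `- name: ansible.utils` followed by `version: "<pinned version>"`, and do the same for `community.docker`.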
@@ -1,20 +1,14 @@
 ---
-common:
- apt:
- source_components: ['contrib', 'non-free', 'non-free-firmware']
- packages: []
- deb822_format: false
- git:
- enable: false
- username: ""
- email: ""
- force_sign: false
- signing_key: ""
- github_token: "{{ custom_github_token | default('') }}"
- install_fonts: false
- sysctl: {}
- user_account: "{{ custom_base_user_account | default('root') }}"
- configure_resolv_conf: false
-
-custom_common: {}
-recursive_combine: true
+common_apt_packages: []
+common_apt_source_components: ["contrib", "non-free", "non-free-firmware"]
+common_apt_use_deb822_format: false
+common_configure_resolve_conf: false
+common_git_email: ""
+common_git_enabled: false
+common_git_force_sign: false
+common_git_signing_key: ""
+common_git_username: ""
+common_github_token: "{{ custom_github_token | default('') }}"
+common_install_fonts: false
+common_sysctl_configuration: {}
+common_user_account: "{{ custom_base_user_account }}"
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/home_setup.yml b/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/home_setup.yml
index 9756442..3d4051d 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/home_setup.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/home_setup.yml
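Review bot: `common_user_account: "{{ custom_base_user_account }}"` drops the `| default('root')` that the removed `user_account` carried, so a play that never sets `custom_base_user_account` now fails at the first task that templates the variable instead of silently operating on root. That is arguably the safer outcome, but it is an undocumented contract change for every consumer of this role; a comment on the line such as `# no default on purpose: callers must set custom_base_user_account` makes the intent explicit. Separately, `common_configure_resolve_conf` renames the old `configure_resolv_conf` with a different spelling than the file it manages (`resolv.conf`), which is a grep and typo trap; keeping `resolv` in the name would avoid it. The same renamed key is set in the molecule `platform_vars.yml` hunk above.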
@@ -2,16 +2,16 @@
 - name: '[home] get user account information'
 ansible.builtin.getent:
 database: passwd
- key: "{{ common.user_account }}"
+ key: "{{ common_user_account }}"
 split: ":"
 changed_when: false
- when: ansible_facts['getent_passwd'] is undefined or common.user_account not in ansible_facts['getent_passwd']
+ when: ansible_facts['getent_passwd'] is undefined or common_user_account not in ansible_facts['getent_passwd']
 - name: '[home] create common directories'
 become: true
- become_user: "{{ common.user_account }}"
+ become_user: "{{ common_user_account }}"
 ansible.builtin.file:
- path: "{{ ansible_facts['getent_passwd'][common.user_account][4] }}/{{ item }}"
+ path: "{{ ansible_facts['getent_passwd'][common_user_account][4] }}/{{ item }}"
 state: directory
 mode: '0750'
 loop:
@@ -22,19 +22,19 @@
 - name: '[home] setup home files'
 become: true
- become_user: "{{ common.user_account }}"
+ become_user: "{{ common_user_account }}"
 block:
 - name: '[home] git configuration'
 ansible.builtin.template:
 src: ../templates/home/.gitconfig.j2
- dest: "{{ ansible_facts['getent_passwd'][common.user_account][4] }}/.gitconfig"
+ dest: "{{ ansible_facts['getent_passwd'][common_user_account][4] }}/.gitconfig"
 mode: '0640'
- when: common.git.enable is truthy
+ when: common_git_enabled is truthy
 - name: '[home] basic files'
 ansible.builtin.copy:
 src: "../templates/home/{{ item.name }}"
- dest: "{{ ansible_facts['getent_passwd'][common.user_account][4] }}/{{ item.name }}"
+ dest: "{{ ansible_facts['getent_passwd'][common_user_account][4] }}/{{ item.name }}"
 mode: "{{ item.mode | default('0640') }}"
 loop:
 - { name: ".lessfilter", mode: '0750' }
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml
index 1da03d9..1f1ed53 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml
@@ -1,9 +1,4 @@
 ---
-- name: '[setup] merge with custom vars'
- ansible.builtin.set_fact:
- common: "{{ common | combine(custom_common, recursive=recursive_combine) }}"
- changed_when: false
-
 - name: '[system] setup DNS server'
 block:
 - name: disable resolv.conf updates from dhclient
@@ -25,7 +20,7 @@
 owner: root
 group: root
 become: true
- when: common.configure_resolv_conf is truthy
+ when: common_configure_resolve_conf is truthy
 - name: '[system] re-allow DHCP client to setup DNS resolvers'
 become: true
@@ -33,7 +28,7 @@
 path: /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
 state: absent
 failed_when: false
- when : common.configure_resolv_conf is falsy
+ when : common_configure_resolve_conf is falsy
 - name: '[apt] verify components of default sources'
 become: true
@@ -43,15 +38,15 @@
 path: '/etc/apt/sources.list'
 regexp: '^(deb((?!{{ item }}).)+)$'
 replace: '\1 {{ item }}'
- when: not common.apt.deb822_format | bool
- loop: '{{ common.apt.source_components }}'
+ loop: '{{ common_apt_source_components }}'
+ when: common_apt_use_deb822_format is falsy
 - name: '[apt] default deb822 debian.sources'
 ansible.builtin.replace:
 path: '/etc/apt/sources.list.d/debian.sources'
 regexp: '^(Components: ((?!{{ item }}).)+)$'
 replace: '\1 {{ item }}'
- loop: '{{ common.apt.source_components }}'
- when: common.apt.deb822_format | bool
+ loop: '{{ common_apt_source_components }}'
+ when: common_apt_use_deb822_format is truthy
 - name: '[apt] install dependencies and tools'
 become: true
@@ -98,7 +93,7 @@
 asset_type: "{{ item.asset_type }}"
 cmds: "{{ item.cmds | default([]) }}"
 creates: "{{ item.creates | default('') }}"
- github_token: "{{ common.github_token }}"
+ github_token: "{{ common_github_token }}"
 repository: "{{ item.repository }}"
 version: "{{ item.version | default('') }}"
 loop:
@@ -144,9 +139,9 @@
 src: ../templates/system/sysctld.local.conf.j2
 dest: /etc/sysctl.d/local.conf
 mode: '0644'
- when: common.sysctl is truthy
+ when: common_sysctl_configuration is truthy
 vars:
- sysctl_values: "{{ common.sysctl }}"
+ sysctl_values: "{{ common_sysctl_configuration }}"
 notify:
 - 'common : [system] reload sysctl configuration'
@@ -156,8 +151,7 @@
 update_cache: true
 force_apt_get: true
 cache_valid_time: 3600
- pkg:
- "{{ common.apt.packages }}"
+ pkg: "{{ common_apt_packages }}"
 - include_tasks: home_setup.yml
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/shell_customization.yml b/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/shell_customization.yml
index 49d713c..60cb9ec 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/shell_customization.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/shell_customization.yml
@@ -2,10 +2,10 @@
 - name: '[home] get user account information'
 ansible.builtin.getent:
 database: passwd
- key: "{{ common.user_account }}"
+ key: "{{ common_user_account }}"
 split: ":"
 changed_when: false
- when: ansible_facts['getent_passwd'] is undefined or common.user_account not in ansible_facts['getent_passwd']
+ when: ansible_facts['getent_passwd'] is undefined or common_user_account not in ansible_facts['getent_passwd']
 - name: '[shell] install ZSH and dependencies'
 become: true
@@ -20,7 +20,7 @@
 - name: '[shell] install custom fonts'
 become: true
- become_user: "{{ common.user_account }}"
+ become_user: "{{ common_user_account }}"
 block:
 - name: '[fonts] add fonts tooling'
 become_user: root
@@ -34,18 +34,18 @@
 - name: '[fonts] adding fonts'
 ansible.builtin.copy:
 src: ../assets/fonts/
- dest: "{{ ansible_facts['getent_passwd'][common.user_account][4] }}/.local/share/fonts"
+ dest: "{{ ansible_facts['getent_passwd'][common_user_account][4] }}/.local/share/fonts"
 mode: '0640'
 - name: '[fonts] refresh fonts cache'
 ansible.builtin.command:
 cmd: fc-cache
 changed_when: false
- when: common.install_fonts is truthy
+ when: common_install_fonts is truthy
 - name: '[shell] install Oh-My-ZSH'
 become: true
- become_user: "{{ common.user_account }}"
+ become_user: "{{ common_user_account }}"
 block:
 - name: '[omz] get install script'
 ansible.builtin.get_url:
@@ -56,22 +56,22 @@
 - name: '[omz] install OMZ'
 ansible.builtin.command:
 cmd: sh /tmp/zsh-install.sh --unattended
- creates: "{{ ansible_facts['getent_passwd'][common.user_account][4] }}/.oh-my-zsh"
+ creates: "{{ ansible_facts['getent_passwd'][common_user_account][4] }}/.oh-my-zsh"
 - name: '[shell] install powerlevel10k customization for OMZ'
 become: true
- become_user: "{{ common.user_account }}"
+ become_user: "{{ common_user_account }}"
 ansible.builtin.git:
 repo: https://github.com/romkatv/powerlevel10k.git
- dest: "{{ ansible_facts['getent_passwd'][common.user_account][4] }}/.oh-my-zsh/custom/themes/powerlevel10k"
+ dest: "{{ ansible_facts['getent_passwd'][common_user_account][4] }}/.oh-my-zsh/custom/themes/powerlevel10k"
 depth: 1
 - name: '[home] copy zsh files'
 become: true
- become_user: "{{ common.user_account }}"
+ become_user: "{{ common_user_account }}"
 ansible.builtin.copy:
 src: "../templates/home/{{ item }}"
- dest: "{{ ansible_facts['getent_passwd'][common.user_account][4] }}/{{ item }}"
+ dest: "{{ ansible_facts['getent_passwd'][common_user_account][4] }}/{{ item }}"
 mode: '0640'
 loop:
 - .p10k.zsh
@@ -84,6 +84,6 @@
 - name: '[shell] update user shell to ZSH'
 become: true
 ansible.builtin.user:
- name: "{{ common.user_account }}"
+ name: "{{ common_user_account }}"
 shell: "/usr/bin/zsh"
 state: present
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/common/templates/home/.gitconfig.j2 b/collections/ansible_collections/nullified/infrastructure/roles/common/templates/home/.gitconfig.j2
index fcc402f..c3a9179 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/common/templates/home/.gitconfig.j2
+++ b/collections/ansible_collections/nullified/infrastructure/roles/common/templates/home/.gitconfig.j2
@@ -1,22 +1,22 @@
 [user]
- name = {{ common.git.username }}
- email = {{ common.git.email }}
-{% if common.git.force_sign and common.git.signing_key %}
- signingkey = {{ common.git.signing_key }}
-{% endif %}
+ name = {{ common_git_username }}
+ email = {{ common_git_email }}
+ {%- if common_git_force_sign and common_git_signing_key +%}
+ signingkey = {{ common_git_signing_key }}
+ {%- endif +%}
 [commit]
-{% if common.git.force_sign %}
+ {% if common_git_force_sign -%}
 gpgsign = true
-{% else %}
+ {%- else -%}
 gpgsign = false
-{% endif %}
+ {%- endif +%}
 [tag]
-{% if common.git.force_sign %}
+ {% if common_git_force_sign -%}
 gpgsign = true
-{% else %}
+ {%- else -%}
 gpgsign = false
-{% endif -%}
-{% raw %}
+ {%- endif +%}
+{%- raw %}
 [alias]
 br = "branch"
 ci = "commit"
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/common/templates/system/resolv.conf.j2 b/collections/ansible_collections/nullified/infrastructure/roles/common/templates/system/resolv.conf.j2
index e21ecaa..77cd723 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/common/templates/system/resolv.conf.j2
+++ b/collections/ansible_collections/nullified/infrastructure/roles/common/templates/system/resolv.conf.j2
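Review bot: The `[tag]` section now ends with `{%- endif +%}` immediately followed by `{%- raw %}`, and the leading `-` on the raw tag strips exactly the newline that `+%}` just preserved, so `gpgsign = …` and `[alias]` may be rendered on one line; please check the rendered file and, if so, use `{% raw %}` without the strip marker. The `+%}` end-modifier (disable `trim_blocks` for one tag) is a newer Jinja2 feature (3.x, as far as I recall), so the collection's minimum ansible-core version should guarantee that Jinja2 level. A one-line header comment describing the convention, e.g. `{# '{%-' strips the indent before a tag, '+%}' keeps the newline after it #}`, would make the mixed markers readable for the next maintainer.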
@@ -1,10 +1,12 @@
-{% if dns[dns.type].dns4 is defined and dns[dns.type].dns4 | length > 0 -%}
-{% for server in dns[dns.type].dns4 -%}
+{% set dns4_servers = hostvars[inventory_hostname]["global_dns_{}_dns4".format(global_dns_type)] | default([]) %}
+{% set dns6_servers = hostvars[inventory_hostname]["global_dns_{}_dns6".format(global_dns_type)] | default([]) %}
+{% if dns4_servers is defined and dns4_servers | length > 0 -%}
+{% for server in dns4_servers -%}
 nameserver {{ server }}
 {% endfor %}
 {% endif %}
-{% if ip_dualstack | default(false) and dns[dns.type].dns6 is defined and dns[dns.type].dns6 | length > 0 -%}
-{% for server in dns[dns.type].dns6 -%}
+{% if global_ip_dualstack | default(false) and dns6_servers is defined and dns6_servers | length > 0 -%}
+{% for server in dns6_servers -%}
 nameserver {{ server }}
 {% endfor %}
 {% endif %}
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/common/templates/system/sysctld.local.conf.j2 b/collections/ansible_collections/nullified/infrastructure/roles/common/templates/system/sysctld.local.conf.j2
index a7028fd..d11a652 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/common/templates/system/sysctld.local.conf.j2
+++ b/collections/ansible_collections/nullified/infrastructure/roles/common/templates/system/sysctld.local.conf.j2
@@ -1,3 +1,3 @@
-{% for item in sysctl_values.keys() -%}
- {{ item }} = {{ sysctl_values[item] }}
+{% for item in common_sysctl_configuration.keys() -%}
+ {{ item }} = {{ common_sysctl_configuration[item] }}
 {% endfor %}
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/development/defaults/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/development/defaults/main.yml
index 74a2147..e892116 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/development/defaults/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/development/defaults/main.yml
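Review bot: `dns4_servers is defined` on the new `{% if %}` line is always true now that the `set` above applies `default([])`, so the condition reduces to `dns4_servers | length > 0` (same for the dns6 branch). The `"global_dns_{}_dns4".format(global_dns_type)` lookup, however, raises an undefined-variable error before `default([])` can apply when `global_dns_type` is unset, which is worth stating in a comment, e.g. `{# global_dns_type selects the global_dns_<type>_dns4/dns6 host vars and must be set #}`. The indirection through `hostvars[inventory_hostname][...]` also makes these variable names invisible to grep, so that comment doubles as the only place a reader can find them.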
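Review bot: The template now reads `common_sysctl_configuration` directly, but the task that renders it in roles/common/tasks/main.yml (same commit) still passes `vars: sysctl_values: "{{ common_sysctl_configuration }}"`, which is now dead. Either drop that `vars:` block or keep the template on `sysctl_values` so it stays usable with any input mapping; having two names for one value invites them to drift apart.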
@@ -1,15 +1,9 @@
 ---
-development:
- docker:
- userns: true
- remap_user: "{{ custom_base_user_account }}"
- remap_group: "{{ custom_base_user_account }}"
- systemd_slice: docker.slice
- github_token: "{{ custom_github_token | default('') }}"
- rust:
- enable: true
- user_account: "{{ custom_base_user_account }}"
- virtualbox_version: "7.0"
-
-custom_development: {}
-recursive_combine: true
+development_user_account: "{{ custom_base_user_account }}"
+development_github_token: "{{ custom_github_token | default('') }}"
+development_virtualbox_version: "7.0"
+development_docker_userns: true
+development_rust_enabled: true
+development_docker_remap_user: "{{ development_user_account }}"
+development_docker_remap_group: "{{ development_user_account }}"
+development_docker_systemd_slice: docker.slice
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/development/tasks/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/development/tasks/main.yml
index 409b520..0066cde 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/development/tasks/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/development/tasks/main.yml
@@ -7,18 +7,13 @@
 - kernel
 - virtualization_type
-- name: '[setup] merge with custom vars'
- ansible.builtin.set_fact:
- development: "{{ development | combine(custom_development, recursive=recursive_combine) }}"
- changed_when: false
-
 - name: '[home] get user account information'
 ansible.builtin.getent:
 database: passwd
- key: "{{ development.user_account }}"
+ key: "{{ development_user_account }}"
 split: ":"
 changed_when: false
- when: ansible_facts['getent_passwd'] is undefined or development.user_account not in ansible_facts['getent_passwd']
+ when: ansible_facts['getent_passwd'] is undefined or development_user_account not in ansible_facts['getent_passwd']
 - name: '[apt] install dependencies and tools'
 become: true
@@ -82,7 +77,7 @@
 - name: '[github] install tools'
 become: true
 nullified.infrastructure.github_artifact:
- github_token: '{{ development.github_token }}'
+ github_token: '{{ development_github_token }}'
 asset_name: "{{ item.asset_name | default('') }}"
 asset_type: "{{ item.asset_type }}"
 cmds: "{{ item.cmds | default([]) }}"
@@ -248,7 +243,7 @@
 force_apt_get: true
 cache_valid_time: 3600
 pkg:
- - "virtualbox-{{ development.virtualbox_version }}"
+ - "virtualbox-{{ development_virtualbox_version }}"
 state: present
 - name: '[custom] install Docker CE repository'
@@ -283,7 +278,7 @@
 src: ../templates/docker-ce/daemon.json.j2
 dest: /etc/docker/daemon.json
 mode: '0644'
- when: development.docker.userns is truthy
+ when: development_docker_userns is truthy
 notify:
 - 'development : [docker] restart service'
 notify:
@@ -291,21 +286,21 @@
 - name: '[python] install tools'
 become: true
- become_user: "{{ development.user_account }}"
+ become_user: "{{ development_user_account }}"
 ansible.builtin.command:
 cmd: "pipx install {{ item.cmd }}"
- creates: "{{ ansible_facts['getent_passwd'][development.user_account][4] }}/.local/bin/{{ item.creates }}"
+ creates: "{{ ansible_facts['getent_passwd'][development_user_account][4] }}/.local/bin/{{ item.creates }}"
 loop:
 - { "cmd": "black", "creates": "black" }
 - { "cmd": "flake8", "creates": "flake8" }
 - name: '[python] install pipx packages dependencies'
 become: true
- become_user: "{{ development.user_account }}"
+ become_user: "{{ development_user_account }}"
 ansible.builtin.command:
 cmd: "pipx inject {{ item.venv }} {{ item.extension }}"
 creates:
- "{{ ansible_facts['getent_passwd'][development.user_account][4] }}/.local/pipx/venvs/{{ item.venv }}/lib/python3.11/site-packages/{{ item.creates }}"
+ "{{ ansible_facts['getent_passwd'][development_user_account][4] }}/.local/pipx/venvs/{{ item.venv }}/lib/python3.11/site-packages/{{ item.creates }}"
 loop:
 - venv: "flake8"
 extension: "flake8-annotations-complexity"
@@ -367,33 +362,33 @@
 - name: '[rust] check if rust is already installed'
 ansible.builtin.file:
- path: "{{ ansible_facts['getent_passwd'][development.user_account][4] }}/.cargo/bin/rustc"
+ path: "{{ ansible_facts['getent_passwd'][development_user_account][4] }}/.cargo/bin/rustc"
 register: rustc_stat
 changed_when: false
 failed_when: false
- when: development.rust.enable is truthy
+ when: development_rust_enabled is truthy
 - name: '[rust] rust'
 become: true
- when: development.rust.enable is truthy and rustc_stat.state is match("absent")
+ when: development_rust_enabled is truthy and rustc_stat.state is match("absent")
 block:
 - name: '[rust] download installer'
 ansible.builtin.get_url:
 url: https://sh.rustup.rs
 dest: /tmp/rustup.sh
 mode: '0750'
- owner: "{{ development.user_account }}"
- group: "{{ development.user_account }}"
+ owner: "{{ development_user_account }}"
+ group: "{{ development_user_account }}"
 - name: '[rust] install rust toolchain'
- become_user: "{{ development.user_account }}"
+ become_user: "{{ development_user_account }}"
 ansible.builtin.command:
 cmd: /tmp/rustup.sh -qy
 - name: '[user] add default user to groups'
 become: true
 ansible.builtin.user:
- name: "{{ development.user_account }}"
+ name: "{{ development_user_account }}"
 append: true
 groups:
 - docker
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/development/templates/docker-ce/daemon.json.j2 b/collections/ansible_collections/nullified/infrastructure/roles/development/templates/docker-ce/daemon.json.j2
index b22251e..760d97b 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/development/templates/docker-ce/daemon.json.j2
+++ b/collections/ansible_collections/nullified/infrastructure/roles/development/templates/docker-ce/daemon.json.j2
@@ -1,4 +1,4 @@
 {
- "userns-remap": "{{ development.docker.remap_user }}:{{ development.docker.remap_group }}",
- "cgroup-parent": "{{ development.docker.systemd_slice }}"
+ "userns-remap": "{{ development_docker_remap_user }}:{{ development_docker_remap_group }}",
+ "cgroup-parent": "{{ development_docker_systemd_slice }}"
 }
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/gaming/defaults/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/gaming/defaults/main.yml
index 403802a..c46a5ca 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/gaming/defaults/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/gaming/defaults/main.yml
@@ -1,6 +1,3 @@
 ---
-gaming:
- github_token: "{{ custom_github_token | default('') }}"
-
-custom_gaming: {}
-recursive_combine: true
+gaming_user_account: "{{ custom_base_user_account }}"
+gaming_github_token: "{{ custom_github_token | default('') }}"
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/gaming/tasks/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/gaming/tasks/main.yml
index 29b60a1..cc52051 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/gaming/tasks/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/gaming/tasks/main.yml
@@ -1,9 +1,4 @@
 ---
-- name: '[setup] merge with custom vars'
- ansible.builtin.set_fact:
- gaming: "{{ gaming | combine(custom_gaming, recursive=recursive_combine) }}"
- changed_when: false
-
 - name: '[games] install Steam'
 become: true
 block:
@@ -52,7 +47,7 @@
 block:
 - name: '[hgl] fetch assets from github'
 nullified.infrastructure.github_artifact:
- github_token: '{{ gaming.github_token }}'
+ github_token: '{{ gaming_github_token }}'
 asset_name: heroic_{version}_amd64.deb
 asset_type: release
 repository: Heroic-Games-Launcher/HeroicGamesLauncher
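Review bot: `gaming_user_account` is introduced in the gaming defaults but none of the gaming task changes in this commit reference it (only `gaming_github_token` is used); if the rest of tasks/main.yml does not use it either, it is an unused default that misleads readers, and if it is groundwork for later tasks a comment saying so belongs on the line. Like the other roles it also carries no `default(...)`, so the role now hard-fails when `custom_base_user_account` is unset; that is consistent with `common` and `development` in this commit, but the README or argument_specs should say the variable is mandatory.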
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml
index 623c296..5fcace9 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml
@@ -1,30 +1,18 @@
 ---
-security:
- apt:
- force_https: true
- https_ignore_list: []
- clamav:
- version: 1.2.1
- firewall:
- enable: true
- nat:
- policy:
- prerouting: accept
- input: accept
- output: accept
- postrouting: accept
- mangle:
- drop_privatenets: true
- policy:
- prerouting: accept
- output: accept
- forward: drop
- postrouting: accept
- filter:
- policy:
- input: drop
- output: drop
- forward: drop
-
-custom_security: {}
-recursive_combine: true
+security_apt_force_https: true
+security_apt_https_ignore_list: []
+security_clamav_version: 1.2.1
+security_firewall_enabled: true
+security_firewall_filter_policy_forward: drop
+security_firewall_filter_policy_input: drop
+security_firewall_filter_policy_output: drop
+security_firewall_mangle_drop_privatenets: true
+security_firewall_mangle_policy_forward: drop
+security_firewall_mangle_policy_output: accept
+security_firewall_mangle_policy_postrouting: accept
+security_firewall_mangle_policy_prerouting: accept
+security_firewall_nat_policy_input: accept
+security_firewall_nat_policy_output: accept
+security_firewall_nat_policy_postrouting: accept
+security_firewall_nat_policy_prerouting: accept
+security_ssh_port: 22
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/firewall.yml b/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/firewall.yml
index 3451c0d..4373220 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/firewall.yml
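Review bot: `security_clamav_version: 1.2.1` is a plain scalar; three components happen to parse as a string, but a two-component value such as `1.10` would be read as the float `1.1` and silently produce a wrong download URL in tasks/main.yml. Quote it as `security_clamav_version: "1.2.1"`, matching `development_virtualbox_version: "7.0"` elsewhere in this commit. `security_ssh_port: 22` is new and is now the only knob for the SSH port the nftables templates allow (the old `ssh_localport` play variable has no effect any more); a comment to that effect on the line, e.g. `# TCP port the firewall templates allow for the controller's SSH session`, would stop someone re-adding the old variable.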
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/firewall.yml
@@ -8,16 +8,17 @@
 - name: get supervisor IP address
 ansible.builtin.shell: "echo $SSH_CLIENT | tr -s '[:blank:]' ' ' | cut -d ' ' -f 1"
 register: ssh_client
+ when: ansible_connection is not match("local")
 changed_when: false
 failed_when: ssh_client.stdout is falsy
 - name: set fact
 ansible.builtin.set_fact:
- supervisor_ip: "{{ ssh_client.stdout }}"
+ security_firewall_supervisor_ip: "{{ ssh_client.get('stdout', None) }}"
 changed_when: false
 - name: install and configure nftables
- when: security.firewall.enable is truthy
+ when: security_firewall_enabled is truthy
 become: true
 notify:
 - 'security : [firewall] restart service'
@@ -39,6 +40,12 @@
 mode: '0700'
 state: directory
+
+ - name: set firewall templates facts
+ ansible.builtin.set_fact:
+ security_firewall_dns4_servers: "{{ hostvars[inventory_hostname]['global_dns_{}_dns4'.format(global_dns_type)] | default(ansible_facts.dns.nameservers | ansible.utils.ipv4, true) }}"
+ security_firewall_dns6_servers: "{{ hostvars[inventory_hostname]['global_dns_{}_dns6'.format(global_dns_type)] | default(ansible_facts.dns.nameservers | ansible.utils.ipv6, true) }}"
+ security_firewall_supervisor_has_ip6: "{{ true if security_firewall_supervisor_ip is defined and security_firewall_supervisor_ip and security_firewall_supervisor_ip | ansible.utils.ipv6 else false }}"
+
 - name: base config file
 ansible.builtin.template:
 src: "../templates/system/{{ ansible_facts['distribution'] | lower }}/nftables.conf.j2"
@@ -50,8 +57,6 @@
 src: "../templates/system/nftables/{{ item }}.table.j2"
 dest: "/etc/nftables.d/{{ item }}.table"
 mode: '0600'
- vars:
- firewall: "{{ security.firewall }}"
 loop:
 - 01-nat
 - 02-mangle
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml
index 746fe67..d6d156b 100644
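Review bot: With the new `when: ansible_connection is not match("local")` the shell task is skipped on local runs, and `ssh_client.get('stdout', None)` then yields `None`; unless native Jinja is in effect, `"{{ None }}"` is stored as the string `"None"`, which is truthy, so the `{% if security_firewall_supervisor_ip %}` guards in nftables.conf.j2 and 02-mangle.table.j2 (same commit) emit `define ansible_controller_ip = None` and `ip saddr $ansible_controller_ip …`, and `nft -f` rejects the whole ruleset. Use `security_firewall_supervisor_ip: "{{ ssh_client.stdout | default('') }}"` so the skipped case is an empty string, which every downstream truthiness check already handles. The new set_fact also depends on `ansible.utils.ipv4`/`ipv6`, which needs `ansible.utils` declared in the scenario's requirements.yml, and on `global_dns_type` being defined, since the `.format()` runs before `default(...)` can apply; a comment on the set_fact naming both prerequisites would help whoever reuses the role.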
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml
@@ -4,16 +4,11 @@
 gather_subset:
 - distribution
-- name: '[setup] merge with custom vars'
- ansible.builtin.set_fact:
- security: "{{ security | combine(custom_security, recursive=recursive_combine) }}"
- changed_when: false
-
 - include_tasks: firewall.yml
 - name: '[apt] force HTTPS sources'
 become: true
- when: security.apt.force_https is truthy
+ when: security_apt_force_https is truthy
 block:
 - name: '[apt] fetch apt information'
 ansible.builtin.command:
@@ -25,7 +20,7 @@
 path: "{{ item }}"
 regexp: 'http://'
 replace: 'https://'
- loop: "{{ apt_source_files.stdout_lines | difference(security.apt.https_ignore_list) }}"
+ loop: "{{ apt_source_files.stdout_lines | difference(security_apt_https_ignore_list) }}"
 notify:
 - 'security : [apt] update sources'
@@ -98,7 +93,7 @@
 block:
 - name: '[clamav] retrieve and install clamav package'
 ansible.builtin.apt:
- deb: https://www.clamav.net/downloads/production/clamav-{{ security.clamav.version }}.linux.x86_64.deb
+ deb: https://www.clamav.net/downloads/production/clamav-{{ security_clamav_version }}.linux.x86_64.deb
 force_apt_get: true
 state: present
 - name: '[clamav] add clamav group'
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/nftables.conf.j2 b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/nftables.conf.j2
index c08297d..e667450 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/nftables.conf.j2
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/nftables.conf.j2
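Review bot: `deb: https://www.clamav.net/downloads/production/clamav-{{ security_clamav_version }}.linux.x86_64.deb` installs a package fetched straight from a URL, and the apt module's `deb:` path performs no signature or checksum verification of that file, so a compromised download host or an intercepting proxy can hand the machine an arbitrary package that is installed as root. Download it first with `ansible.builtin.get_url` and a pinned digest, e.g. `checksum: "sha256:<digest-for-this-clamav-version>"`, then point `deb:` at the local file; the digest would live next to `security_clamav_version` in defaults so a version bump and its hash change together. This behaviour predates the commit and the rename did not alter it, but the line is being touched and the role is the security role.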
@@ -2,14 +2,19 @@
 flush ruleset
-define ansible_controller_ip = {{ supervisor_ip | default('127.0.0.1', true) }}
-define ansible_controller_ip6 = {{ supervisor_ip6 | default('fe80::', true) }}
+{% if security_firewall_supervisor_ip -%}
+define ansible_controller_ip = {{ security_firewall_supervisor_ip }}
+{% endif -%}
+{% if security_firewall_dns4_servers -%}
 define dns_servers = {
- {{ dns[dns.type].dns4 | default(["9.9.9.9", "149.112.112.112"], true) | join(", ") | wordwrap(40, wrapstring="\n\t") }}
+ {{ security_firewall_dns4_servers | join(", ") | wordwrap(40, wrapstring="\n\t") }}
 }
+{% endif -%}
+{% if security_firewall_dns6_servers -%}
 define dns_servers6 = {
- {{ dns[dns.type].dns6 | default(["2620:fe::fe", "2620:fe::9"], true) | join(", ") | wordwrap(40, wrapstring="\n\t") }}
+ {{ security_firewall_dns6_servers | join(", ") | wordwrap(40, wrapstring="\n\t") }}
 }
+{% endif -%}
 define private_nets = {
 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.0.0.0/24, 192.168.0.0/16, 198.18.0.0/15
@@ -19,7 +24,7 @@ define reserved_nets = {
 192.88.99.0/24, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 233.252.0.0/24, 240.0.0.0/4
 }
-define ssh_localport = {{ ssh_localport | default(22, true) }}
+define ssh_localport = {{ security_ssh_port }}
 include "/etc/nftables.d/01-nat.table"
 include "/etc/nftables.d/02-mangle.table"
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/01-nat.table.j2 b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/01-nat.table.j2
index 20ff37a..2436a5c 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/01-nat.table.j2
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/01-nat.table.j2
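Review bot: `define dns_servers` and `define dns_servers6` are now emitted only when the corresponding list is non-empty, but the included `03-filter.table.j2` (its hunk is not in view) presumably still references `$dns_servers` unconditionally; if the fact resolves to an empty list — no `global_dns_<type>_dns4` host var and no IPv4 entry in `ansible_facts.dns.nameservers` — the include uses an undefined symbol and `nft -f` refuses the entire ruleset, leaving whatever rules were loaded before. The old template carried a hard-coded fallback, so either keep one or fail the play early with an `ansible.builtin.assert` that both lists are non-empty before templating. Note also that the fallback to `ansible_facts.dns.nameservers` (set in tasks/firewall.yml in this commit) derives the DNS allow-list from the target's live resolver state, which is typically DHCP-assigned or a local stub like `127.0.0.53`, rather than from declared inventory data; a comment on the guard, e.g. `{# dns_servers* come from global_dns_<type>_dns4/6, else the host's current resolvers #}`, should make that trust decision visible.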
@@ -1,18 +1,18 @@
 # Setup
 table inet nat {
 chain prerouting {
- type nat hook prerouting priority -100; policy {{ firewall.nat.policy.prerouting }};
+ type nat hook prerouting priority -100; policy {{ security_firewall_nat_policy_prerouting }};
 }
 chain input {
- type nat hook input priority 100; policy {{ firewall.nat.policy.input }};
+ type nat hook input priority 100; policy {{ security_firewall_nat_policy_input }};
 }
 chain output {
- type nat hook output priority -100; policy {{ firewall.nat.policy.output }};
+ type nat hook output priority -100; policy {{ security_firewall_nat_policy_output }};
 }
 chain postrouting {
- type nat hook postrouting priority 100; policy {{ firewall.nat.policy.postrouting }};
+ type nat hook postrouting priority 100; policy {{ security_firewall_nat_policy_postrouting }};
 }
 }
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/02-mangle.table.j2 b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/02-mangle.table.j2
index 3f05bfb..aff9a34 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/02-mangle.table.j2
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/02-mangle.table.j2
@@ -1,7 +1,7 @@
 # Setup
 table inet mangle {
 chain prerouting {
- type filter hook prerouting priority -150; policy {{ firewall.mangle.policy.prerouting }};
+ type filter hook prerouting priority -150; policy {{ security_firewall_mangle_policy_prerouting }};
 ip protocol icmp accept
 ip frag-off & 0x1fff != 0 counter drop
 ct state invalid counter drop
@@ -22,12 +22,17 @@ table inet mangle {
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|psh|urg counter drop
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|ack|urg counter drop
+ {% if security_firewall_supervisor_ip -%}
+ {% if security_firewall_supervisor_has_ip6 -%}
+ ip6 saddr $ansible_controller_ip tcp dport $ssh_localport accept
+ ip6 daddr $ansible_controller_ip tcp sport $ssh_localport accept
+ {% else -%}
ip saddr $ansible_controller_ip tcp dport $ssh_localport accept
- ip6 saddr $ansible_controller_ip6 tcp dport $ssh_localport accept
ip daddr $ansible_controller_ip tcp sport $ssh_localport accept
- ip6 daddr $ansible_controller_ip6 tcp sport $ssh_localport accept
+ {%- endif +%}
+ {% endif -%}
- {% if firewall.mangle.drop_privatenets -%}
+ {% if security_firewall_mangle_drop_privatenets -%}
ip saddr $private_nets counter drop
{% endif -%}
ip saddr $reserved_nets counter drop
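Review bot: Whitespace control on the new supervisor block is inconsistent: this prerouting hunk uses `{% else -%}` while the postrouting hunk of the same file and both chains in 03-filter.table.j2 use `{%- else -%}`; the rendered rules differ only in blank lines and indentation, but the block is copied four times and should be byte-identical, ideally a single Jinja macro taking the direction (`saddr`/`dport` versus `daddr`/`sport`) as arguments. The accept pair is still placed ahead of the `drop_privatenets` drop, so a controller on a private address keeps reaching SSH; that ordering is now easier to break when editing the block, so a comment such as `{# controller SSH is accepted before the private-net drop on purpose #}` is worth adding above the outer `{% if %}`.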
@@ -35,18 +40,24 @@ table inet mangle {
}
chain output {
- type route hook output priority -150; policy {{ firewall.mangle.policy.output }};
+ type route hook output priority -150; policy {{ security_firewall_mangle_policy_output }};
}
chain forward {
- type filter hook forward priority -150; policy {{ firewall.mangle.policy.forward }};
+ type filter hook forward priority -150; policy {{ security_firewall_mangle_policy_forward }};
}
chain postrouting {
- type filter hook postrouting priority -150; policy {{ firewall.mangle.policy.postrouting }};
+ type filter hook postrouting priority -150; policy {{ security_firewall_mangle_policy_postrouting }};
+
+ {% if security_firewall_supervisor_ip -%}
+ {% if security_firewall_supervisor_has_ip6 -%}
+ ip6 saddr $ansible_controller_ip tcp dport $ssh_localport accept
+ ip6 daddr $ansible_controller_ip tcp sport $ssh_localport accept
+ {%- else -%}
ip saddr $ansible_controller_ip tcp dport $ssh_localport accept
- ip6 saddr $ansible_controller_ip6 tcp dport $ssh_localport accept
ip daddr $ansible_controller_ip tcp sport $ssh_localport accept
- ip6 daddr $ansible_controller_ip6 tcp sport $ssh_localport accept
+ {%- endif +%}
+ {% endif -%}
}
}
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/03-filter.table.j2 b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/03-filter.table.j2
index ab2c3f3..fdac971 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/03-filter.table.j2
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/03-filter.table.j2
@@ -1,9 +1,15 @@
# Setup
table inet filter {
chain input {
- type filter hook input priority 0; policy {{ firewall.filter.policy.input }};
+ type filter hook input priority 0; policy {{ security_firewall_filter_policy_input }};
+
+ {% if security_firewall_supervisor_ip -%}
+ {% if security_firewall_supervisor_has_ip6 -%}
+ ip6 saddr $ansible_controller_ip tcp dport $ssh_localport accept
+ {%- else -%}
ip saddr $ansible_controller_ip tcp dport $ssh_localport accept
- ip6 saddr $ansible_controller_ip6 tcp dport $ssh_localport accept
+ {%- endif +%}
+ {% endif -%}
iifname "lo" counter accept
ct state related,established counter accept
@@ -11,20 +17,29 @@ table inet filter {
}
chain output {
- type filter hook output priority 0; policy {{ firewall.filter.policy.output }};
+ type filter hook output priority 0; policy {{ security_firewall_filter_policy_output }};
+ {% if security_firewall_supervisor_ip -%}
+ {% if security_firewall_supervisor_has_ip6 -%}
+ ip6 daddr $ansible_controller_ip tcp sport $ssh_localport accept
+ {%- else -%}
ip daddr $ansible_controller_ip tcp sport $ssh_localport accept
- ip6 daddr $ansible_controller_ip6 tcp sport $ssh_localport accept
+ {%- endif +%}
+ {% endif -%}
oifname "lo" counter accept
ct state related,established counter accept
tcp sport $ssh_localport counter accept
# Allow DNS queries using UDP, DoT and DoH
+ {% if security_firewall_dns4_servers -%}
ip daddr $dns_servers meta l4proto { tcp, udp } th dport { 53, 443, 953 } accept
+ {%- endif +%}
+ {% if security_firewall_dns6_servers -%}
ip6 daddr $dns_servers6 meta l4proto { tcp, udp } th dport { 53, 443, 953 } accept
+ {%- endif +%}
}
chain forward {
- type filter hook forward priority 0; policy {{ firewall.filter.policy.forward }};
+ type filter hook forward priority 0; policy {{ security_firewall_filter_policy_forward }};
}
}
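Review bot: With `security_firewall_supervisor_ip` unset, the input chain no longer contains any SSH accept in the visible lines: the only one sits inside the new `{% if %}`, and `ct state related,established` only covers replies. One input-chain line between this hunk and the next is not visible; if it is not a general `tcp dport $ssh_localport` accept and `security_firewall_filter_policy_input` is `drop`, applying the ruleset cuts the Ansible connection itself. A comment on the outer `{% if %}`, `{# without a supervisor IP, SSH must be accepted elsewhere in this chain #}`, or an `ansible.builtin.assert` in the role that the variable is set whenever the input policy is drop, would make that dependency explicit.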
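Review bot: In the output chain the DNS accept rules are now emitted only when `security_firewall_dns4_servers` / `security_firewall_dns6_servers` are non-empty, and the `dns_servers` defines in the main file are gated the same way, so an empty list yields no DNS rule at all. The inventory comment says an empty value means the servers are read from /etc/resolv.conf, but nothing in this diff does that; unless the role fills these variables from resolv.conf before templating, an empty list combined with `security_firewall_filter_policy_output: drop` blocks all DNS egress. The new controller block in this chain is also subsumed by the unconditional `tcp sport $ssh_localport counter accept` three lines below it, so it could be dropped here rather than duplicated, or a comment should say why a controller-specific rule is kept.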
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/workstation/defaults/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/workstation/defaults/main.yml
index 5924b81..3d372ef 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/workstation/defaults/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/workstation/defaults/main.yml
@@ -1,7 +1,3 @@
---
-workstation:
- github_token: "{{ custom_github_token | default('') }}"
- user_account: "{{ custom_base_user_account | default('root') }}"
-
-custom_workstation: {}
-recursive_combine: true
+workstation_user_account: "{{ custom_base_user_account }}"
+workstation_github_token: "{{ custom_github_token | default('') }}"
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/workstation/tasks/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/workstation/tasks/main.yml
index a7c36f9..851c347 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/workstation/tasks/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/workstation/tasks/main.yml
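Review bot: `workstation_user_account: "{{ custom_base_user_account }}"` drops the old `default('root')`, so the role now fails at its first `getent` when the inventory does not set `custom_base_user_account`; that is the safer behaviour than silently provisioning root, but nothing in the file says the variable is required. A comment above it, `# required; no fallback to root on purpose, set custom_base_user_account in inventory`, records the decision. Since `workstation_github_token` carries a credential, a second comment noting that every consumer of it must run with `no_log` keeps the next task author from printing it.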
@@ -1,24 +1,19 @@
---
-- name: '[setup] merge with custom vars'
- ansible.builtin.set_fact:
- workstation: "{{ workstation | combine(custom_workstation, recursive=recursive_combine) }}"
- changed_when: false
-
- name: '[home] get user account information'
ansible.builtin.getent:
database: passwd
- key: "{{ workstation.user_account }}"
+ key: "{{ workstation_user_account }}"
split: ":"
changed_when: false
- when: ansible_facts['getent_passwd'] is undefined or workstation.user_account not in ansible_facts['getent_passwd']
+ when: ansible_facts['getent_passwd'] is undefined or workstation_user_account not in ansible_facts['getent_passwd']
- name: '[setup] ensure expected home directories exist'
become: true
ansible.builtin.file:
- path: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/{{ item }}"
+ path: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/{{ item }}"
state: directory
- owner: "{{ workstation.user_account }}"
- group: "{{ workstation.user_account }}"
+ owner: "{{ workstation_user_account }}"
+ group: "{{ workstation_user_account }}"
mode: '0750'
loop:
- .local/bin
@@ -78,14 +73,14 @@
- name: '[setup] add user to sudo group'
become: true
ansible.builtin.user:
- name: "{{ workstation.user_account }}"
+ name: "{{ workstation_user_account }}"
groups:
- sudo
append: true
- name: '[setup] setup Flatpak'
become: true
- become_user: "{{ workstation.user_account }}"
+ become_user: "{{ workstation_user_account }}"
block:
- name: '[flatpak] add flatpak repos'
ansible.builtin.command:
@@ -104,7 +99,7 @@
- name: '[github] install tools'
become: true
nullified.infrastructure.github_artifact:
- github_token: '{{ workstation.github_token }}'
+ github_token: '{{ workstation_github_token }}'
asset_name: "{{ item.asset_name | default('') }}"
asset_type: "{{ item.asset_type }}"
cmds: "{{ item.cmds | default([]) }}"
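Review bot: `github_token: '{{ workstation_github_token }}'` hands a credential to `nullified.infrastructure.github_artifact` inside a looped task, and nothing in the hunk sets `no_log: true` on it; unless the module's argument spec marks the option `no_log`, the token is echoed with every item result at higher verbosity and ends up in any callback or CI log. Adding `no_log: true` next to `become: true` closes that regardless of the module, at the cost of hiding the other parameters in failure output, which is the usual trade for a credential-bearing task. The task's `loop` and the rest of its body are outside this hunk.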
@@ -142,8 +137,8 @@
ansible.builtin.file:
path: "{{ item.path }}"
mode: "{{ item.mode | default('0750') }}"
- owner: "{{ item.owner | default(workstation.user_account) }}"
- group: "{{ item.group | default(workstation.user_account) }}"
+ owner: "{{ item.owner | default(workstation_user_account) }}"
+ group: "{{ item.group | default(workstation_user_account) }}"
state: directory
loop:
- { path: '/opt/git/foss' }
@@ -153,22 +148,22 @@
- name: '[emacs] fetch emacs configuration files'
become: true
- become_user: "{{ workstation.user_account }}"
+ become_user: "{{ workstation_user_account }}"
ansible.builtin.git:
repo: "https://gitlab.0x2a.ninja/naeikindus/emacsd.git"
- dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.emacs.d"
+ dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.emacs.d"
force: false
- name: '[config] set tools configuration'
become: true
- become_user: "{{ workstation.user_account }}"
+ become_user: "{{ workstation_user_account }}"
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: "{{ item.mode | default('0640') }}"
loop:
- - { src: "../templates/.config/terminator", dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.config" }
- - { src: "../templates/.config/vlc", dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.config" }
+ - { src: "../templates/.config/terminator", dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config" }
+ - { src: "../templates/.config/vlc", dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config" }
- name: '[authenticator] find if binary is already installed'
ansible.builtin.file:
@@ -184,8 +179,8 @@
- name: '[yubico] prepare target directory'
ansible.builtin.file:
path: "{{ item }}"
- owner: "{{ workstation.user_account }}"
- group: "{{ workstation.user_account }}"
+ owner: "{{ workstation_user_account }}"
+ group: "{{ workstation_user_account }}"
mode: '0750'
state: directory
loop:
@@ -197,8 +192,8 @@
src: https://developers.yubico.com/yubioath-flutter/Releases/yubico-authenticator-latest-linux.tar.gz
remote_src: true
dest: /tmp/yubico-unarchive
- owner: "{{ workstation.user_account }}"
- group: "{{ workstation.user_account }}"
+ owner: "{{ workstation_user_account }}"
+ group: "{{ workstation_user_account }}"
- name: '[yubico] find extracted directory'
ansible.builtin.command:
@@ -211,8 +206,8 @@
remote_src: true
src: "{{ yubico_extract_path.stdout }}/"
dest: /opt/yubico-authenticator
- owner: "{{ workstation.user_account }}"
- group: "{{ workstation.user_account }}"
+ owner: "{{ workstation_user_account }}"
+ group: "{{ workstation_user_account }}"
- name: '[yubico] cleanup'
ansible.builtin.file:
@@ -222,24 +217,24 @@
- name: '[yubico] create shell wrapper'
ansible.builtin.template:
src: ../templates/bin_wrapper.sh.j2
- dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.local/bin/authenticator"
+ dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.local/bin/authenticator"
mode: '0750'
- owner: "{{ workstation.user_account }}"
- group: "{{ workstation.user_account }}"
+ owner: "{{ workstation_user_account }}"
+ group: "{{ workstation_user_account }}"
vars:
application: "/opt/yubico-authenticator/authenticator"
- name: '[yubico] create desktop entry'
ansible.builtin.template:
src: ../templates/desktop_app.j2
- dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.local/share/applications/authenticator.desktop"
+ dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.local/share/applications/authenticator.desktop"
mode: '0600'
- owner: "{{ workstation.user_account }}"
- group: "{{ workstation.user_account }}"
+ owner: "{{ workstation_user_account }}"
+ group: "{{ workstation_user_account }}"
vars:
application:
nodisplay: false
- exec_cmd: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.local/bin/authenticator"
+ exec_cmd: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.local/bin/authenticator"
name: "Authenticator"
- include_tasks: window_manager.yml
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/workstation/tasks/window_manager.yml b/collections/ansible_collections/nullified/infrastructure/roles/workstation/tasks/window_manager.yml
index e21069b..f322ef5 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/workstation/tasks/window_manager.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/workstation/tasks/window_manager.yml
@@ -2,10 +2,10 @@
- name: '[home] get user account information'
ansible.builtin.getent:
database: passwd
- key: "{{ workstation.user_account }}"
+ key: "{{ workstation_user_account }}"
split: ":"
changed_when: false
- when: ansible_facts['getent_passwd'] is undefined or workstation.user_account not in ansible_facts['getent_passwd']
+ when: ansible_facts['getent_passwd'] is undefined or workstation_user_account not in ansible_facts['getent_passwd']
- name: '[awesomewm] install dependencies'
become: true
@@ -61,7 +61,7 @@
block:
- name: '[lua-lgi] fetch source'
become: true
- become_user: "{{ workstation.user_account }}"
+ become_user: "{{ workstation_user_account }}"
ansible.builtin.git:
repo: https://github.com/lgi-devs/lgi.git
dest: /opt/git/foss/lua-lgi
@@ -96,7 +96,7 @@
block:
- name: '[awesomewm] fetch source'
become: true
- become_user: "{{ workstation.user_account }}"
+ become_user: "{{ workstation_user_account }}"
ansible.builtin.git:
repo: https://github.com/awesomeWM/awesome.git
dest: /opt/git/foss/awesomeWM
@@ -108,7 +108,7 @@
- name: '[awesomewm] building project'
become: true
- become_user: "{{ workstation.user_account }}"
+ become_user: "{{ workstation_user_account }}"
ansible.builtin.command:
chdir: /opt/git/foss/awesomeWM
cmd: 'make'
@@ -125,19 +125,19 @@
- name: '[awesomewm] setup configuration'
become: true
- become_user: "{{ workstation.user_account }}"
+ become_user: "{{ workstation_user_account }}"
block:
- name: '[awesomewm] fetch copycats base'
ansible.builtin.git:
repo: https://github.com/lcpz/awesome-copycats.git
- dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.config/awesome"
+ dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config/awesome"
depth: 1
recursive: true
force: false
- name: '[awesomewm] copy customization'
ansible.builtin.copy:
src: ../templates/.config/awesome/
- dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.config/awesome"
+ dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config/awesome"
mode: '0640'
- name: '[home] copy X related configuration'
@@ -151,4 +151,4 @@
- name: '[x11] user .xsession'
ansible.builtin.copy:
src: ../templates/.xsession
- dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.xsession"
+ dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.xsession"
diff --git a/inventory/group_vars/all/vars.yml b/inventory/group_vars/all/vars.yml
index 97e276d..7c96535 100644
--- a/inventory/group_vars/all/vars.yml
+++ b/inventory/group_vars/all/vars.yml
@@ -1,9 +1,16 @@
-custom_base_user_account: '{{ vault_custom_base_user_account }}'
-custom_github_token: '{{ vault_custom_github_token }}'
-dns:
- type: "dot"
- udp: '{{ vault_groups.defaults.udp }}'
- dot: '{{ vault_groups.defaults.dot }}'
- doh: '{{ vault_groups.defaults.doh }}'
-network: "external"
-ip_dualstack: true
+---
+# global parameters
+custom_base_user_account: "{{ vault_custom_base_user_account }}"
+custom_github_token: "{{ vault_custom_github_token | default('') }}"
+
+# global (hosts' system parameters)
+## TODO: move to a CMDB
+global_dns_type: "dot"
+# empty values for dns{4,6} servers mean that servers will be retrieved dynamically from /etc/resolv.conf
+global_dns_udp_dns4: "{{ vault_global_dns_udp_dns4 }}"
+global_dns_udp_dns6: "{{ vault_global_dns_udp_dns6 }}"
+global_dns_dot_dns4: "{{ vault_global_dns_dot_dns4 }}"
+global_dns_dot_dns6: "{{ vault_global_dns_dot_dns6 }}"
+global_dns_doh_dns4: "{{ vault_global_dns_doh_dns4 }}"
+global_dns_doh_dns6: "{{ vault_global_dns_doh_dns6 }}"
+global_ip_dualstack: true
diff --git a/inventory/group_vars/internal/vars.yml b/inventory/group_vars/internal/vars.yml
new file mode 100644
index 0000000..d8e1701
--- /dev/null
+++ b/inventory/group_vars/internal/vars.yml
@@ -0,0 +1,8 @@
+# global
+global_dns_type: "udp"
+global_dns_udp_dns4: "" # force usage of DHCP provided values
+global_dns_udp_dns6: "" # force usage of DHCP provided values
+global_ip_dualstack: false
+
+# security role
+security_firewall_mangle_drop_privatenets: false
diff --git a/inventory/host_vars/actinium/vars.yml b/inventory/host_vars/actinium/vars.yml
index 7f2f649..f6f5a58 100644
--- a/inventory/host_vars/actinium/vars.yml
+++ b/inventory/host_vars/actinium/vars.yml
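Review bot: The comment `# empty values for dns{4,6} servers mean that servers will be retrieved dynamically from /etc/resolv.conf` describes behaviour nothing in this diff implements: the nftables templates simply omit the `dns_servers` defines and the DNS accept rules when the list is empty. If the lookup lives in the security role, point to it here (`# see roles/security: <task name>`); if it does not exist yet, say so, because an operator reading this will assume DNS egress is handled. The `## TODO` line uses a doubled hash while every other comment in the file uses one; `# TODO: move to a CMDB` keeps them consistent.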
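Review bot: The new group_vars/internal/vars.yml has no `---` document start while group_vars/all/vars.yml gains one in the same commit; add `---` as its first line so the inventory files follow one convention. `security_firewall_mangle_drop_privatenets: false` relaxes the mangle chain for the whole group, so a one-line reason above it, e.g. `# internal hosts sit on RFC1918 networks; dropping private sources would cut them off`, stops a later reader from "fixing" it back to true. The presumed reason is inferred from the group name, so adjust the wording to the actual one.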
@@ -2,14 +2,5 @@
ansible_become_password: "{{ vault_root_pass }}"
ansible_host: "{{ vault_ansible_host }}"
ansible_user: "{{ vault_ssh_user }}"
-custom_security:
- firewall:
- mangle:
- drop_privatenets: false
- policy:
- forward: accept
-dns:
- type: "udp"
- udp: "{{ vault_groups.network.internal }}"
-network: "internal"
-ip_dualstack: false
+security_firewall_mangle_drop_privatenets: false
+security_firewall_mangle_policy_forward: accept
diff --git a/inventory/host_vars/lithium/vars.yml b/inventory/host_vars/lithium/vars.yml
index 1fdb193..e7c8a02 100644
--- a/inventory/host_vars/lithium/vars.yml
+++ b/inventory/host_vars/lithium/vars.yml
@@ -1,5 +1,3 @@
ansible_become_password: "{{ vault_root_pass }}"
ansible_host: "{{ vault_ansible_host }}"
ansible_user: "{{ vault_ssh_user }}"
-network: "external"
-ip_dualstack: true
diff --git a/inventory/host_vars/localhost/vars.yml b/inventory/host_vars/localhost/vars.yml
deleted file mode 100644
index b6b6595..0000000
--- a/inventory/host_vars/localhost/vars.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-ansible_become_password: "{{ vault_root_pass }}"
-ansible_host: "{{ vault_ansible_host }}"
-ansible_connection: local
-
-custom_development:
- rust:
- enable: true
-
-custom_common:
- sysctl:
- 'fs.inotify.max_user_watches': 1048576
- 'vm.swappiness': 1
- packages:
- - pcscd
- - pinentry-curses
- - radeontop
- git:
- enable: true
- username: "{{ vault_common_gitconfig_username }}"
- email: "{{ vault_common_gitconfig_email }}"
- force_sign: true
- signing_key: "{{ vault_common_gitconfig_signingkey }}"
- install_fonts: true
diff --git a/inventory/host_vars/unobtainium/vars.yml b/inventory/host_vars/unobtainium/vars.yml
index b8c13b4..b195a7d 100644
--- a/inventory/host_vars/unobtainium/vars.yml
+++ b/inventory/host_vars/unobtainium/vars.yml
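Review bot: `security_firewall_mangle_drop_privatenets: false` repeats the value the same commit puts in group_vars/internal/vars.yml; if actinium is in the `internal` group (the inventory hosts file is not in this diff) the host_vars copy is redundant, and if it is not, the host also loses the DNS and dual-stack settings that the removed `dns`/`network`/`ip_dualstack` keys used to provide, with no host-level replacement for `global_dns_*`. Either drop the duplicated line or add a comment such as `# kept at host level: actinium is not in the internal group` so the intent is auditable.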
@@ -2,41 +2,22 @@
ansible_become_password: "{{ vault_root_pass }}"
ansible_host: "{{ vault_ansible_host }}"
ansible_connection: local
-custom_development:
- rust:
- enable: true
+# common role
+common_apt_packages:
+ - pcscd
+ - pinentry-curses
+ - radeontop
+common_git_enabled: true
+common_git_username: "{{ vault_common_gitconfig_username }}"
+common_git_email: "{{ vault_common_gitconfig_email }}"
+common_git_force_sign: true
+common_git_signing_key: "{{ vault_common_gitconfig_signingkey }}"
+common_install_fonts: true
+common_sysctl_configuration:
+ 'fs.inotify.max_user_watches': 1048576
+ 'vm.swappiness': 1
-custom_common:
- sysctl:
- 'fs.inotify.max_user_watches': 1048576
- 'vm.swappiness': 1
- packages:
- - pcscd
- - pinentry-curses
- - radeontop
- git:
- enable: true
- username: "{{ vault_common_gitconfig_username }}"
- email: "{{ vault_common_gitconfig_email }}"
- force_sign: true
- signing_key: "{{ vault_common_gitconfig_signingkey }}"
- install_fonts: true
-
-custom_security:
- firewall:
- filter:
- policy:
- output: accept
- forward: accept
- mangle:
- drop_privatenets: false
- policy:
- forward: accept
-
-dns:
- type: "udp"
- udp:
- dns4: "{{ vault_groups.network.internal.dns4 }}"
- dns6: "{{ vault_groups.network.internal.dns6 }}"
-network: "internal"
-ip_dualstack: false
+# security role
+security_firewall_filter_policy_output: accept
+security_firewall_filter_policy_forward: accept
+security_firewall_mangle_policy_forward: accept
diff --git a/requirements.txt b/requirements.txt
index 72b89b2..3e641e7 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -7,6 +7,7 @@ Jinja2==3.1.2
jsonschema==4.19.0
molecule==6.0.1
molecule-plugins==23.5.0
+netaddr==0.10.1
paramiko==3.3.1
pycurl==7.45.2
pylint==2.17.5
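Review bot: The removed block set `drop_privatenets: false` for unobtainium, but the new `# security role` stanza carries only the three policy overrides, so whether private-source traffic is still accepted now depends on unobtainium being in the `internal` group (group_vars/internal/vars.yml, added in this commit) or on the security role's default, neither of which is visible here. If the host is not in that group, this commit silently tightens the mangle chain on the machine the playbooks run from (`ansible_connection: local`). A comment stating where `drop_privatenets` now comes from, or restoring `security_firewall_mangle_drop_privatenets: false` at host level, makes the change auditable; `common_git_signing_key` and friends are vault references, so no secret is added here.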