Added auto-update task, moved hetzner cloud server default values to …

…group_vars, added missing distributions (#4) * added auto-update task * moved hetzner cloud server defaults to group_vars, added more distributions * updated submodules
secshellnet · Aug 27, 2023 · 9596f10 · 9596f10
1 parent d4f27ef
commit 9596f10
Show file tree

Hide file tree

Showing 9 changed files with 64 additions and 19 deletions.
diff --git a/README.md b/README.md
@@ -4,11 +4,6 @@ This repository template provides a ansible inventory to manage cloud server in
 hetzner cloud (hcloud). It performes some basic linux hardening (unattended upgrades, 
 ssh, fail2ban) and can be extended by roles or tasks to perform whatever you need.
 
-## Supported Images
-- Ubuntu (18.04, 20.04, 22.04)
-- Debian (10, 11, 12)
-- Fedora (37, 38)
-
 ## Getting started
 1. Create a reporitory from this template repository and clone it:
    ```shell

diff --git a/group_vars/all/vars.yaml b/group_vars/all/vars.yaml
@@ -1,5 +1,12 @@
 ---
-worker_user: "worker"
+worker_user: worker
+
+# hcloud defaults for cloud server
+server_type: cx11
+location: hel1
+image: ubuntu-22.04
+enable_ipv4: false
+enable_ipv6: true
 
 # features / roles to install
 install_nginx: false
diff --git a/inventory.yaml b/inventory.yaml
@@ -0,0 +1,3 @@
+---
+all:
+  hosts:
diff --git a/playbook.yaml b/playbook.yaml
@@ -10,9 +10,6 @@
   tasks:
     - ansible.builtin.include_tasks: "tasks/create-worker-user.yaml"
 
-    - ansible.builtin.include_role:
-        name: "roles/ansible-role-sshd"
-
     - name: "Remove labels from cloud server {{ inventory_hostname }}"
       hetzner.hcloud.hcloud_server:
         api_token: "{{ hcloud_api_token }}"
@@ -24,17 +21,29 @@
       when: new_server
       delegate_to: localhost
 
+    - ansible.builtin.include_role:
+        name: "roles/ansible-role-sshd"
+
     - name: "Update repositories cache on systems using apt"
       ansible.builtin.apt:
         update_cache: yes
       when: ansible_pkg_mgr == 'apt'
       changed_when: false
       become: true
 
+    - name: "Install extra packages for enterprise linux"
+      ansible.builtin.package:
+        name: epel-release
+        state: present
+      when: "ansible_distribution in ['CentOS', 'AlmaLinux', 'Rocky']"
+      become: true
+
     - ansible.builtin.include_role:
         name: "roles/ansible-role-fail2ban"
 
-    #- name: "Install tools and requirements"
+    - ansible.builtin.include_tasks: "tasks/auto-update.yaml"
+
+    #- name: "Install unattended upgrades"
     #  ansible.builtin.apt:
     #    name:
     #      - python3-requests
@@ -48,12 +57,11 @@
     #      - jq
     #      - iptables
     #      - iptables-persistent
-    #      - unattended-upgrades
     #    state: present
     #  become: true
 
     - ansible.builtin.include_role:
         name: "roles/ansible-role-nginx"
-      when: 
+      when:
         - enable_ipv4  # otherwise acme.sh cannot be installed
         - install_nginx
diff --git a/roles/ansible-role-fail2ban b/roles/ansible-role-fail2ban
diff --git a/roles/ansible-role-nginx b/roles/ansible-role-nginx
diff --git a/tasks/auto-update.yaml b/tasks/auto-update.yaml
@@ -0,0 +1,29 @@
+---
+- name: "Install unattended upgrades"
+  ansible.builtin.package:
+    name: unattended-upgrades
+    state: present
+  when: ansible_pkg_mgr == 'apt'
+  become: true
+
+- name: "Install dnf-automatic"
+  when: ansible_pkg_mgr == 'dnf'
+  block:
+    - name: "Install dnf-automatic"
+      ansible.builtin.package:
+        name: dnf-automatic
+        state: present
+      become: true
+
+    - name: "Create dnf-automatic configuration file"
+      ansible.builtin.template:
+        src: ../templates/dnf-automatic.conf.j2
+        dest: /etc/dnf/dnf-automatic.conf
+      become: true
+
+    - name: "Enable and start dnf-automatic timer"
+      ansible.builtin.systemd:
+        name: dnf-automatic.timer
+        enabled: yes
+        state: started
+      become: true
diff --git a/tasks/hetzner-cloud.yaml b/tasks/hetzner-cloud.yaml
@@ -43,12 +43,12 @@
     api_token: "{{ hcloud_api_token }}"
 
     name: "{{ inventory_hostname }}"
-    server_type: "{{ server_type | default('cx11') }}"
-    location: "{{ location | default('hel1') }}"
-    image: "{{ image | default('ubuntu-22.04') }}"
+    server_type: "{{ server_type }}"
+    location: "{{ location }}"
+    image: "{{ image }}"
     ssh_keys: ["ansible"]
-    enable_ipv4: "{{ enable_ipv4 | default('false') }}"
-    enable_ipv6: "{{ enable_ipv6 | default('true') }}"
+    enable_ipv4: "{{ enable_ipv4 }}"
+    enable_ipv6: "{{ enable_ipv6 }}"
     labels: {"new": ""}
 
     state: present

diff --git a/templates/dnf-automatic.conf.j2 b/templates/dnf-automatic.conf.j2
@@ -0,0 +1,3 @@
+[commands]
+apply_updates = yes
+download_updates = yes