From 9596f10f0e43f2e4bc98148f2fa7e7359d21590b Mon Sep 17 00:00:00 2001
From: Nico Felbinger <26925347+felbinger@users.noreply.github.com>
Date: Sun, 27 Aug 2023 23:01:30 +0200
Subject: [PATCH] Added auto-update task, moved hetzner cloud server default values to group_vars, added missing distributions (#4)
* added auto-update task
* moved hetzner cloud server defaults to group_vars, added more distributions
* updated submodules
---
README.md | 5 -----
group_vars/all/vars.yaml | 9 ++++++++-
inventory.yaml | 3 +++
playbook.yaml | 20 ++++++++++++++------
roles/ansible-role-fail2ban | 2 +-
roles/ansible-role-nginx | 2 +-
tasks/auto-update.yaml | 29 +++++++++++++++++++++++++++++
tasks/hetzner-cloud.yaml | 10 +++++-----
templates/dnf-automatic.conf.j2 | 3 +++
9 files changed, 64 insertions(+), 19 deletions(-)
create mode 100644 inventory.yaml
create mode 100644 tasks/auto-update.yaml
create mode 100644 templates/dnf-automatic.conf.j2
diff --git a/README.md b/README.md
index 42794d3..7c9f058 100644
--- a/README.md
+++ b/README.md
@@ -4,11 +4,6 @@ This repository template provides a ansible inventory to manage cloud server in hetzner cloud (hcloud). It performes some basic linux hardening (unattended upgrades, ssh, fail2ban) and can be extended by roles or tasks to perform whatever you need.
-## Supported Images
-- Ubuntu (18.04, 20.04, 22.04)
-- Debian (10, 11, 12)
-- Fedora (37, 38)
-
## Getting started
1. Create a reporitory from this template repository and clone it:
```shell
diff --git a/group_vars/all/vars.yaml b/group_vars/all/vars.yaml
index e583f49..25c5e2f 100644
--- a/group_vars/all/vars.yaml
+++ b/group_vars/all/vars.yaml
@@ -1,5 +1,12 @@
---
-worker_user: "worker"
+worker_user: worker
+
+# hcloud defaults for cloud server
+server_type: cx11
+location: hel1
+image: ubuntu-22.04
+enable_ipv4: false
+enable_ipv6: true
# features / roles to install
install_nginx: false
diff --git a/inventory.yaml b/inventory.yaml
new file mode 100644
index 0000000..811484a
--- /dev/null +++ b/inventory.yaml @@ -0,0 +1,3 @@ +--- +all: + hosts: \ No newline at end of file diff --git a/playbook.yaml b/playbook.yaml index bbceedd..c156bad 100644 --- a/playbook.yaml +++ b/playbook.yaml @@ -10,9 +10,6 @@ tasks: - ansible.builtin.include_tasks: "tasks/create-worker-user.yaml" - - ansible.builtin.include_role: - name: "roles/ansible-role-sshd" - - name: "Remove labels from cloud server {{ inventory_hostname }}" hetzner.hcloud.hcloud_server: api_token: "{{ hcloud_api_token }}" @@ -24,6 +21,9 @@ when: new_server delegate_to: localhost + - ansible.builtin.include_role: + name: "roles/ansible-role-sshd" + - name: "Update repositories cache on systems using apt" ansible.builtin.apt: update_cache: yes @@ -31,10 +31,19 @@ changed_when: false become: true + - name: "Install extra packages for enterprise linux" + ansible.builtin.package: + name: epel-release + state: present + when: "ansible_distribution in ['CentOS', 'AlmaLinux', 'Rocky']" + become: true + - ansible.builtin.include_role: name: "roles/ansible-role-fail2ban" - #- name: "Install tools and requirements" + - ansible.builtin.include_tasks: "tasks/auto-update.yaml" + + #- name: "Install unattended upgrades" # ansible.builtin.apt: # name: # - python3-requests @@ -48,12 +57,11 @@ # - jq # - iptables # - iptables-persistent - # - unattended-upgrades # state: present # become: true - ansible.builtin.include_role: name: "roles/ansible-role-nginx" - when: + when: - enable_ipv4 # otherwise acme.sh cannot be installed - install_nginx diff --git a/roles/ansible-role-fail2ban b/roles/ansible-role-fail2ban index f6883a9..e050d9c 160000 --- a/roles/ansible-role-fail2ban +++ b/roles/ansible-role-fail2ban @@ -1 +1 @@ -Subproject commit f6883a9cfa0358db66cbc6fc004e623dcadfbd8e +Subproject commit e050d9c7d3d5fb8d569236c15e8a6a747f1c131f diff --git a/roles/ansible-role-nginx b/roles/ansible-role-nginx index b7b6907..f2c78e5 160000 --- a/roles/ansible-role-nginx +++ b/roles/ansible-role-nginx 
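Review bot: In the new inventory.yaml the bare `hosts:` value parses as YAML null rather than an empty mapping, and the file ends without a trailing newline. If the template is meant to ship with an empty host list, `hosts: {}` states that explicitly, avoids the yamllint empty-values warning and is unambiguous for the YAML inventory plugin, which treats the entry as a mapping of host names. A short comment such as `# add hcloud servers here, one key per inventory_hostname` would tell users of the template what belongs in this file.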
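Review bot: The sshd role include now runs after the label-removal task instead of before it, and neither the commit message nor the playbook records why. Since `hetzner.hcloud.hcloud_server` with `when: new_server` presumably clears the `new` label set in tasks/hetzner-cloud.yaml, a failure inside the sshd role on the first run leaves a server that is no longer marked new but still carries the stock sshd configuration; the include is unconditional, so a rerun recovers, but the ordering looks intentional and should say so. A comment above the include, e.g. `# runs after the label cleanup on purpose: <reason>`, would keep the next refactor from reordering it again. The task list these hunks belong to starts outside the hunk.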
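Review bot: The new epel-release task selects hosts with `ansible_distribution in ['CentOS', 'AlmaLinux', 'Rocky']`, while the auto-update tasks included a few lines later key on `ansible_pkg_mgr == 'dnf'`; using two different facts for the same family of systems makes it easy to add a distribution to one condition and forget the other. The task is placed just before the fail2ban role include, presumably because fail2ban comes from EPEL on those systems, which is worth stating in its name or a comment. The README section listing supported images was removed in this commit, so a comment above this task such as `# supported: Debian/Ubuntu (apt), Fedora (dnf), CentOS/AlmaLinux/Rocky (dnf + EPEL)` would now be the only place the supported set is recorded. The enclosing play starts outside the hunk.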
@@ -1 +1 @@
-Subproject commit b7b690778c1cbc79d7d912605b332191da063c0f
+Subproject commit f2c78e58d108cedc7994b73f5a6d07b20d76b1b1
diff --git a/tasks/auto-update.yaml b/tasks/auto-update.yaml
new file mode 100644
index 0000000..da3f71b
--- /dev/null
+++ b/tasks/auto-update.yaml
@@ -0,0 +1,29 @@
+---
+- name: "Install unattended upgrades"
+ ansible.builtin.package:
+ name: unattended-upgrades
+ state: present
+ when: ansible_pkg_mgr == 'apt'
+ become: true
+
+- name: "Install dnf-automatic"
+ when: ansible_pkg_mgr == 'dnf'
+ block:
+ - name: "Install dnf-automatic"
+ ansible.builtin.package:
+ name: dnf-automatic
+ state: present
+ become: true
+
+ - name: "Create dnf-automatic configuration file"
+ ansible.builtin.template:
+ src: ../templates/dnf-automatic.conf.j2
+ dest: /etc/dnf/dnf-automatic.conf
+ become: true
+
+ - name: "Enable and start dnf-automatic timer"
+ ansible.builtin.systemd:
+ name: dnf-automatic.timer
+ enabled: yes
+ state: started
+ become: true
diff --git a/tasks/hetzner-cloud.yaml b/tasks/hetzner-cloud.yaml
index a2c437e..b285b6c 100644
--- a/tasks/hetzner-cloud.yaml
+++ b/tasks/hetzner-cloud.yaml
@@ -43,12 +43,12 @@ api_token: "{{ hcloud_api_token }}"
name: "{{ inventory_hostname }}"
- server_type: "{{ server_type | default('cx11') }}"
- location: "{{ location | default('hel1') }}"
- image: "{{ image | default('ubuntu-22.04') }}"
+ server_type: "{{ server_type }}"
+ location: "{{ location }}"
+ image: "{{ image }}"
ssh_keys: ["ansible"]
- enable_ipv4: "{{ enable_ipv4 | default('false') }}"
- enable_ipv6: "{{ enable_ipv6 | default('true') }}"
+ enable_ipv4: "{{ enable_ipv4 }}"
+ enable_ipv6: "{{ enable_ipv6 }}"
labels: {"new": ""}
state: present
diff --git a/templates/dnf-automatic.conf.j2 b/templates/dnf-automatic.conf.j2
new file mode 100644
index 0000000..80d59a2
--- /dev/null
+++ b/templates/dnf-automatic.conf.j2
@@ -0,0 +1,3 @@
+[commands]
+apply_updates = yes
+download_updates = yes
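Review bot: The apt branch only installs `unattended-upgrades` and leaves whether it actually runs to the package's debconf defaults, whereas the dnf branch manages its configuration file and timer explicitly; on a host where `/etc/apt/apt.conf.d/20auto-upgrades` is missing or carries `APT::Periodic::Unattended-Upgrade "0"`, the package is present but no upgrades are ever applied, and nothing in this task file would notice. Writing that file from the playbook makes the apt path as deterministic as the dnf one and is shown below. Separately, `enabled: yes` in the systemd task is the only YAML 1.1 truthy spelling in a file that otherwise writes `become: true`; `enabled: true` keeps the file consistent.
```yaml
- name: "Install unattended upgrades"
  # … unchanged: package install for apt hosts …

- name: "Enable periodic unattended upgrades for apt"
  ansible.builtin.copy:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
    mode: "0644"
  when: ansible_pkg_mgr == 'apt'
  become: true

# … unchanged: dnf-automatic block …
```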
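Review bot: Dropping the `default()` filters changes the failure mode of this task: with the defaults now living in `group_vars/all/vars.yaml`, any inventory or play that does not load that file fails with an undefined-variable error (under Ansible's default handling of undefined variables) instead of silently falling back to cx11/hel1/ubuntu-22.04. That is the safer, fail-closed behaviour, but it is a contract the task file should state, e.g. `# server_type, location, image, enable_ipv4 and enable_ipv6 are required here; their defaults live in group_vars/all/vars.yaml` above the module call. The `hetzner.hcloud.hcloud_server` task these parameters belong to starts before the hunk.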
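Review bot: The template replaces the packaged `/etc/dnf/dnf-automatic.conf` with a file holding only the `[commands]` section, so every other section of the distribution file (`[emitters]`, `[base]`, …) falls back to dnf-automatic's built-in defaults; if that is intended, a Jinja comment at the top, `{# only [commands] is managed; all other sections use dnf-automatic defaults #}`, records it. Two settings deserve an explicit decision in a hardening template: `upgrade_type`, where the default installs every available update while `security` limits the run to security advisories (broadly what unattended-upgrades does by default on Ubuntu), and, on dnf-automatic versions that support it, `reboot`, since applied kernel or libc updates are not effective until the host restarts. Whichever values are chosen, a comment per line saying why would make the policy reviewable.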