From 3d87989f1a80b7ebdc817268e52a5147ed7e3fd3 Mon Sep 17 00:00:00 2001
From: Nico Felbinger <26925347+felbinger@users.noreply.github.com>
Date: Sun, 27 Aug 2023 18:36:53 +0200
Subject: [PATCH 1/3] added auto-update task
---
playbook.yaml | 5 +++--
tasks/auto-update.yaml | 29 +++++++++++++++++++++++++++++
templates/dnf-automatic.conf.j2 | 3 +++
3 files changed, 35 insertions(+), 2 deletions(-)
create mode 100644 tasks/auto-update.yaml
create mode 100644 templates/dnf-automatic.conf.j2
diff --git a/playbook.yaml b/playbook.yaml
index bbceedd..ee86a3b 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -34,7 +34,9 @@ - ansible.builtin.include_role: name: "roles/ansible-role-fail2ban" - #- name: "Install tools and requirements" + - ansible.builtin.include_tasks: "tasks/auto-update.yaml" + + #- name: "Install unattended upgrades" # ansible.builtin.apt: # name: # - python3-requests
@@ -48,7 +50,6 @@ # - jq # - iptables # - iptables-persistent - # - unattended-upgrades # state: present # become: true
diff --git a/tasks/auto-update.yaml b/tasks/auto-update.yaml
new file mode 100644
index 0000000..da3f71b
--- /dev/null
+++ b/tasks/auto-update.yaml
@@ -0,0 +1,29 @@
+---
+- name: "Install unattended upgrades"
+ ansible.builtin.package:
+ name: unattended-upgrades
+ state: present
+ when: ansible_pkg_mgr == 'apt'
+ become: true
+
+- name: "Install dnf-automatic"
+ when: ansible_pkg_mgr == 'dnf'
+ block:
+ - name: "Install dnf-automatic"
+ ansible.builtin.package:
+ name: dnf-automatic
+ state: present
+ become: true
+
+ - name: "Create dnf-automatic configuration file"
+ ansible.builtin.template:
+ src: ../templates/dnf-automatic.conf.j2
+ dest: /etc/dnf/dnf-automatic.conf
+ become: true
+
+ - name: "Enable and start dnf-automatic timer"
+ ansible.builtin.systemd:
+ name: dnf-automatic.timer
+ enabled: yes
+ state: started
+ become: true
diff --git a/templates/dnf-automatic.conf.j2 b/templates/dnf-automatic.conf.j2
new file mode 100644
index 0000000..80d59a2
--- /dev/null
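Review bot: The apt branch only installs `unattended-upgrades` and never asserts that periodic upgrades are switched on, whereas the dnf branch writes its config and enables the timer; on Debian/Ubuntu the activation lives in `/etc/apt/apt.conf.d/20auto-upgrades`, and whether the package creates it with `Unattended-Upgrade "1"` depends on the release's debconf defaults (confirm per supported release), so managing that file explicitly makes both branches enforce the same state. Hosts whose facts report `ansible_pkg_mgr` as `yum` (CentOS 7, as far as I know, which a later patch in this series lists as supported) match neither `== 'apt'` nor `== 'dnf'` and silently receive no automatic updates; a `yum-cron` branch or a final assert would make that omission loud. `enabled: yes` is a YAML 1.1 truthy value the rest of this file avoids — `enabled: true` keeps it consistent with the `become: true` lines, which could also move up to the block itself. The task below is the apt-side counterpart of the dnf config/timer tasks and belongs right after the `unattended-upgrades` install.
```yaml
- name: "Enable periodic unattended upgrades"
  ansible.builtin.copy:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
    mode: "0644"
  when: ansible_pkg_mgr == 'apt'
  become: true
```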
+++ b/templates/dnf-automatic.conf.j2
@@ -0,0 +1,3 @@
+[commands]
+apply_updates = yes
+download_updates = yes
From 21cb917c208d8309d908e87ed753bff3449e202c Mon Sep 17 00:00:00 2001
From: Nico Felbinger <26925347+felbinger@users.noreply.github.com>
Date: Sun, 27 Aug 2023 21:12:46 +0200
Subject: [PATCH 2/3] moved hetzner cloud server defaults to group_vars, added more distributions
---
README.md | 1 +
group_vars/all/vars.yaml | 9 ++++++++-
inventory.yaml | 3 +++
playbook.yaml | 15 +++++++++++----
tasks/hetzner-cloud.yaml | 10 +++++-----
5 files changed, 28 insertions(+), 10 deletions(-)
create mode 100644 inventory.yaml
diff --git a/README.md b/README.md
index 42794d3..0ff0f4f 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,7 @@ ssh, fail2ban) and can be extended by roles or tasks to perform whatever you nee - Ubuntu (18.04, 20.04, 22.04) - Debian (10, 11, 12) - Fedora (37, 38) +- CentOS (7, Stream 8, Stream 9) ## Getting started 1. Create a reporitory from this template repository and clone it:
diff --git a/group_vars/all/vars.yaml b/group_vars/all/vars.yaml
index e583f49..25c5e2f 100644
--- a/group_vars/all/vars.yaml
+++ b/group_vars/all/vars.yaml
@@ -1,5 +1,12 @@ --- -worker_user: "worker" +worker_user: worker + +# hcloud defaults for cloud server +server_type: cx11 +location: hel1 +image: ubuntu-22.04 +enable_ipv4: false +enable_ipv6: true # features / roles to install install_nginx: false
diff --git a/inventory.yaml b/inventory.yaml
new file mode 100644
index 0000000..811484a
--- /dev/null
+++ b/inventory.yaml
@@ -0,0 +1,3 @@
+---
+all:
+ hosts:
\ No newline at end of file
diff --git a/playbook.yaml b/playbook.yaml
index ee86a3b..bd64185 100644
--- a/playbook.yaml
+++ b/playbook.yaml
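Review bot: The rendered file replaces the distribution's full `/etc/dnf/dnf-automatic.conf` with only `[commands]`, `apply_updates` and `download_updates`, so `upgrade_type`, `random_sleep` and the emitter settings fall back to dnf-automatic's built-in defaults — I believe the default `upgrade_type` applies all updates rather than security-only, but confirm against the installed version. Since the README describes this as hardening, making the policy explicit, either `upgrade_type = security` under `[commands]` or a comment stating that all updates are intended, removes the guesswork. The file carries no Jinja expressions, so a leading `# managed by ansible - edit the template, not this file` comment is the only thing the `.j2` extension is currently buying.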
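Review bot: `enable_ipv4: false` as a default in `group_vars/all` makes every host IPv6-only unless it overrides the value, and the nginx include in playbook.yaml is gated on `enable_ipv4` (its comment says acme.sh needs it), so a host that sets `install_nginx: true` without also setting `enable_ipv4` silently gets no nginx; a comment next to the key such as `# IPv4 is off by default; nginx/acme.sh need enable_ipv4: true per host` would save the next person a confusing run. Replacing the string defaults (`default('false')`) with real booleans also changes what `tasks/hetzner-cloud.yaml` passes on — `"{{ enable_ipv4 }}"` now renders the boolean, which the module's bool argument should accept, but that is worth one line in the commit message.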
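Review bot: `hosts:` with no value parses as null rather than an empty mapping, and the file ends without a newline (the hunk carries `\ No newline at end of file`); `hosts: {}` plus a trailing newline states the intent and keeps yamllint quiet. Ansible's yaml inventory plugin tolerates the empty value as far as I know, but an explicit empty mapping does not depend on that, and a comment like `# add cloud servers here; hetzner-cloud.yaml creates any host that does not exist yet` (adjust to what the task actually does) would tell users of the template where to start.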
@@ -10,9 +10,6 @@ tasks: - ansible.builtin.include_tasks: "tasks/create-worker-user.yaml" - - ansible.builtin.include_role: - name: "roles/ansible-role-sshd" - - name: "Remove labels from cloud server {{ inventory_hostname }}" hetzner.hcloud.hcloud_server: api_token: "{{ hcloud_api_token }}"
@@ -24,6 +21,9 @@ when: new_server delegate_to: localhost + - ansible.builtin.include_role: + name: "roles/ansible-role-sshd" + - name: "Update repositories cache on systems using apt" ansible.builtin.apt: update_cache: yes
@@ -31,6 +31,13 @@ changed_when: false become: true + - name: "Install extra packages for enterprise linux" + ansible.builtin.package: + name: epel-release + state: present + when: "ansible_distribution == 'CentOS'" + become: true + - ansible.builtin.include_role: name: "roles/ansible-role-fail2ban"
@@ -55,6 +62,6 @@ - ansible.builtin.include_role: name: "roles/ansible-role-nginx" - when: + when: - enable_ipv4 # otherwise acme.sh cannot be installed - install_nginx
diff --git a/tasks/hetzner-cloud.yaml b/tasks/hetzner-cloud.yaml
index a2c437e..b285b6c 100644
--- a/tasks/hetzner-cloud.yaml
+++ b/tasks/hetzner-cloud.yaml
@@ -43,12 +43,12 @@ api_token: "{{ hcloud_api_token }}" name: "{{ inventory_hostname }}" - server_type: "{{ server_type | default('cx11') }}" - location: "{{ location | default('hel1') }}" - image: "{{ image | default('ubuntu-22.04') }}" + server_type: "{{ server_type }}" + location: "{{ location }}" + image: "{{ image }}" ssh_keys: ["ansible"] - enable_ipv4: "{{ enable_ipv4 | default('false') }}" - enable_ipv6: "{{ enable_ipv6 | default('true') }}" + enable_ipv4: "{{ enable_ipv4 }}" + enable_ipv6: "{{ enable_ipv6 }}" labels: {"new": ""} state: present
From b72e9045b1861af651a77ecaf8feca89e132c197 Mon Sep 17 00:00:00 2001
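Review bot: The sshd role include is moved from directly after the worker-user creation to after the `Remove labels` hcloud task (hunks -10 and -24), so a freshly created server keeps its stock sshd configuration for longer, and a failure of the delegated hcloud call now aborts the play before any SSH hardening has run; if the new order is required — say, because the role changes the login user or port that the label task still needs while `new_server` is set — a comment on the include such as `# intentionally after the hcloud label task: <reason>` would stop a future cleanup from reverting it. The EPEL task in hunk -31 gates on `ansible_distribution == 'CentOS'`, which as far as I know also matches CentOS Stream; the other EL rebuilds are handled by the next patch in this series, so nothing further here. In the hetzner-cloud hunk, dropping the `default()` filters turns an undefined variable into a hard failure instead of a silent fallback, which is the right direction now that `group_vars/all` defines all five values.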
From: Nico Felbinger <26925347+felbinger@users.noreply.github.com>
Date: Sun, 27 Aug 2023 21:13:17 +0200
Subject: [PATCH 3/3] updated submodules
---
README.md | 6 ------
playbook.yaml | 2 +-
roles/ansible-role-fail2ban | 2 +-
roles/ansible-role-nginx | 2 +-
4 files changed, 3 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index 0ff0f4f..7c9f058 100644
--- a/README.md
+++ b/README.md
@@ -4,12 +4,6 @@ This repository template provides a ansible inventory to manage cloud server in hetzner cloud (hcloud). It performes some basic linux hardening (unattended upgrades, ssh, fail2ban) and can be extended by roles or tasks to perform whatever you need. -## Supported Images -- Ubuntu (18.04, 20.04, 22.04) -- Debian (10, 11, 12) -- Fedora (37, 38) -- CentOS (7, Stream 8, Stream 9) - ## Getting started 1. Create a reporitory from this template repository and clone it: ```shell
diff --git a/playbook.yaml b/playbook.yaml
index bd64185..c156bad 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -35,7 +35,7 @@ ansible.builtin.package: name: epel-release state: present - when: "ansible_distribution == 'CentOS'" + when: "ansible_distribution in ['CentOS', 'AlmaLinux', 'Rocky']" become: true - ansible.builtin.include_role:
diff --git a/roles/ansible-role-fail2ban b/roles/ansible-role-fail2ban
index f6883a9..e050d9c 160000
--- a/roles/ansible-role-fail2ban
+++ b/roles/ansible-role-fail2ban
@@ -1 +1 @@
-Subproject commit f6883a9cfa0358db66cbc6fc004e623dcadfbd8e
+Subproject commit e050d9c7d3d5fb8d569236c15e8a6a747f1c131f
diff --git a/roles/ansible-role-nginx b/roles/ansible-role-nginx
index 62742af..f2c78e5 160000
--- a/roles/ansible-role-nginx
+++ b/roles/ansible-role-nginx
@@ -1 +1 @@
-Subproject commit 62742af004b9b5bc50efdbb10da6c029d3b5ae71
+Subproject commit f2c78e58d108cedc7994b73f5a6d07b20d76b1b1