secshellnet · felbinger · Aug 27, 2023 · Aug 27, 2023 · Aug 27, 2023 · Aug 27, 2023
diff --git a/README.md b/README.md
@@ -4,11 +4,6 @@ This repository template provides a ansible inventory to manage cloud server in
 hetzner cloud (hcloud). It performes some basic linux hardening (unattended upgrades, 
 ssh, fail2ban) and can be extended by roles or tasks to perform whatever you need.
 
-## Supported Images
-- Ubuntu (18.04, 20.04, 22.04)
-- Debian (10, 11, 12)
-- Fedora (37, 38)
-
 ## Getting started
 1. Create a reporitory from this template repository and clone it:
    ```shell

diff --git a/group_vars/all/vars.yaml b/group_vars/all/vars.yaml
@@ -1,5 +1,12 @@
 ---
-worker_user: "worker"
+worker_user: worker
+
+# hcloud defaults for cloud server
+server_type: cx11
+location: hel1
+image: ubuntu-22.04
+enable_ipv4: false
+enable_ipv6: true
 
 # features / roles to install
 install_nginx: false
diff --git a/inventory.yaml b/inventory.yaml
@@ -0,0 +1,3 @@
+---
+all:
+  hosts:
diff --git a/playbook.yaml b/playbook.yaml
@@ -10,9 +10,6 @@
   tasks:
     - ansible.builtin.include_tasks: "tasks/create-worker-user.yaml"
 
-    - ansible.builtin.include_role:
-        name: "roles/ansible-role-sshd"
-
     - name: "Remove labels from cloud server {{ inventory_hostname }}"
       hetzner.hcloud.hcloud_server:
         api_token: "{{ hcloud_api_token }}"
@@ -24,17 +21,29 @@
       when: new_server
       delegate_to: localhost
 
+    - ansible.builtin.include_role:
+        name: "roles/ansible-role-sshd"
+
     - name: "Update repositories cache on systems using apt"
       ansible.builtin.apt:
         update_cache: yes
       when: ansible_pkg_mgr == 'apt'
       changed_when: false
       become: true
 
+    - name: "Install extra packages for enterprise linux"
+      ansible.builtin.package:
+        name: epel-release
+        state: present
+      when: "ansible_distribution in ['CentOS', 'AlmaLinux', 'Rocky']"
+      become: true
+
     - ansible.builtin.include_role:
         name: "roles/ansible-role-fail2ban"
 
-    #- name: "Install tools and requirements"
+    - ansible.builtin.include_tasks: "tasks/auto-update.yaml"
+
+    #- name: "Install unattended upgrades"
     #  ansible.builtin.apt:
     #    name:
     #      - python3-requests
@@ -48,12 +57,11 @@
     #      - jq
     #      - iptables
     #      - iptables-persistent
-    #      - unattended-upgrades
     #    state: present
     #  become: true
 
     - ansible.builtin.include_role:
         name: "roles/ansible-role-nginx"
-      when: 
+      when:
         - enable_ipv4  # otherwise acme.sh cannot be installed
         - install_nginx
diff --git a/roles/ansible-role-fail2ban b/roles/ansible-role-fail2ban
diff --git a/roles/ansible-role-nginx b/roles/ansible-role-nginx
diff --git a/tasks/auto-update.yaml b/tasks/auto-update.yaml
@@ -0,0 +1,29 @@
+---
+- name: "Install unattended upgrades"
+  ansible.builtin.package:
+    name: unattended-upgrades
+    state: present
+  when: ansible_pkg_mgr == 'apt'
+  become: true
+
+- name: "Install dnf-automatic"
+  when: ansible_pkg_mgr == 'dnf'
+  block:
+    - name: "Install dnf-automatic"
+      ansible.builtin.package:
+        name: dnf-automatic
+        state: present
+      become: true
+
+    - name: "Create dnf-automatic configuration file"
+      ansible.builtin.template:
+        src: ../templates/dnf-automatic.conf.j2
+        dest: /etc/dnf/dnf-automatic.conf
+      become: true
+
+    - name: "Enable and start dnf-automatic timer"
+      ansible.builtin.systemd:
+        name: dnf-automatic.timer
+        enabled: yes
+        state: started
+      become: true
diff --git a/tasks/hetzner-cloud.yaml b/tasks/hetzner-cloud.yaml
@@ -43,12 +43,12 @@
     api_token: "{{ hcloud_api_token }}"
 
     name: "{{ inventory_hostname }}"
-    server_type: "{{ server_type | default('cx11') }}"
-    location: "{{ location | default('hel1') }}"
-    image: "{{ image | default('ubuntu-22.04') }}"
+    server_type: "{{ server_type }}"
+    location: "{{ location }}"
+    image: "{{ image }}"
     ssh_keys: ["ansible"]
-    enable_ipv4: "{{ enable_ipv4 | default('false') }}"
-    enable_ipv6: "{{ enable_ipv6 | default('true') }}"
+    enable_ipv4: "{{ enable_ipv4 }}"
+    enable_ipv6: "{{ enable_ipv6 }}"
     labels: {"new": ""}
 
     state: present

diff --git a/templates/dnf-automatic.conf.j2 b/templates/dnf-automatic.conf.j2
@@ -0,0 +1,3 @@
+[commands]
+apply_updates = yes
+download_updates = yes