#####################################
### someone's ansible provisioner ###
#####################################
# Part of: https://git.somenet.org/root/pub/somesible.git
# 2017-2024 by someone <someone@somenet.org>
#
---
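# Packages for basic networking, the nftables firewall, fail2ban and
# vnstat traffic accounting. The package list is an indented block
# sequence like every other list in this file.
- name: install networking tools
  apt:
    pkg:
      - ethtool
      - fail2ban
      - ifupdown
      - nftables
      - python3-pyinotify
      - python3-systemd
      - vlan
      - vnstat
    state: present
    # policy-rc.d exit code 101 ("action forbidden") stops the package
    # maintainer scripts from starting the freshly installed daemons with
    # their packaged defaults; the services are started further down once
    # the configs are in place.
    policy_rc_d: 101
  tags: "online"
  # Whether an unreachable mirror aborts the run is decided by the caller.
  ignore_errors: "{{ignore_online_errors | bool}}"

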
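# First existing source wins: per-host file, then per-group file, then the
# role default. mode is quoted because an unquoted 0644 is parsed as the
# decimal integer 420 by YAML 1.1 loaders.
- name: copy interfaces config
  copy:
    src: "{{item}}"
    dest: "/etc/network/interfaces"
    mode: "0644"
    owner: "root"
    group: "root"
  with_first_found:
    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/interfaces"
    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/interfaces"
    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/interfaces"
    - "default/interfaces"
  notify: restart networking.service

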
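# First existing source wins: per-host file, then per-group file, then the
# role default. The ruleset is syntax-checked on the target before it
# replaces the live file, so a typo fails this task instead of the
# notified restart, which could leave the host without its firewall rules.
- name: copy nftables config
  copy:
    src: "{{item}}"
    dest: "/etc/nftables.conf"
    # quoted: unquoted 0644 is read as the integer 420
    mode: "0644"
    owner: "root"
    group: "root"
    # nft -c only parses the file, nothing is loaded into the kernel
    validate: "nft -c -f %s"
  with_first_found:
    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/nftables.conf"
    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/nftables.conf"
    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/nftables.conf"
    - "default/nftables.conf"
  # fail2ban inserts its bans into the nftables ruleset, so it has to be
  # restarted after the base ruleset is reloaded
  notify:
    - restart nftables.service
    - restart fail2ban.service

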
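# First existing source wins: per-host file, then per-group file, then the
# role default. mode is quoted to avoid the YAML octal trap (0644 -> 420).
- name: copy fail2ban jail config
  copy:
    src: "{{item}}"
    dest: "/etc/fail2ban/jail.local"
    mode: "0644"
    owner: "root"
    group: "root"
  with_first_found:
    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/fail2ban.jail.local"
    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/fail2ban.jail.local"
    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/fail2ban.jail.local"
    - "default/fail2ban.jail.local"
  notify: restart fail2ban.service

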
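# Local override of fail2ban's nftables action; source lookup order is
# host, group, all, role default. mode is quoted (unquoted 0644 -> 420).
- name: copy fail2ban/action.d/nftables-common.local
  copy:
    src: "{{item}}"
    dest: "/etc/fail2ban/action.d/nftables-common.local"
    mode: "0644"
    owner: "root"
    group: "root"
  with_first_found:
    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/fail2ban.nftables-common.local"
    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/fail2ban.nftables-common.local"
    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/fail2ban.nftables-common.local"
    - "default/fail2ban.nftables-common.local"
  notify: restart fail2ban.service

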
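# Custom fail2ban filter; source lookup order is host, group, all, role
# default. mode is quoted (unquoted 0644 -> 420).
- name: copy fail2ban/filter.d/repeated-offenders.conf
  copy:
    src: "{{item}}"
    dest: "/etc/fail2ban/filter.d/repeated-offenders.conf"
    mode: "0644"
    owner: "root"
    group: "root"
  with_first_found:
    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/fail2ban.filter.repeated-offenders.conf"
    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/fail2ban.filter.repeated-offenders.conf"
    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/fail2ban.filter.repeated-offenders.conf"
    - "default/fail2ban.filter.repeated-offenders.conf"
  notify: restart fail2ban.service

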
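# vnstat traffic accounting config; source lookup order is host, group,
# all, role default. mode is quoted (unquoted 0644 -> 420).
- name: copy vnstat.conf
  copy:
    src: "{{item}}"
    dest: "/etc/vnstat.conf"
    mode: "0644"
    owner: "root"
    group: "root"
  with_first_found:
    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/vnstat.conf"
    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/vnstat.conf"
    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/vnstat.conf"
    - "default/vnstat.conf"
  notify: restart vnstat.service

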
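# Shared helper role; native YAML args instead of the key=value string form.
- name: enable and start nftables.service
  include_role:
    name: "base/systemd/enable-and-start"
  vars:
    service_name: nftables.service

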
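# Shared helper role; native YAML args instead of the key=value string form.
- name: enable and start fail2ban.service
  include_role:
    name: "base/systemd/enable-and-start"
  vars:
    service_name: fail2ban.service
  # maybe the system is not fully setup yet.
  # canonical boolean instead of the YAML 1.1-only "yes"
  ignore_errors: true

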
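# Shared helper role; native YAML args instead of the key=value string form.
- name: enable and start vnstat.service
  include_role:
    name: "base/systemd/enable-and-start"
  vars:
    service_name: vnstat.service
  # maybe the system is not fully setup yet.
  # canonical boolean instead of the YAML 1.1-only "yes"
  ignore_errors: true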