#####################################
### someone's ansible provisioner ###
#####################################
# Part of: https://git.somenet.org/root/pub/somesible.git
# 2017-2025 by someone <someone@somenet.org>
#
---
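- name: install networking tools
  # Interface management (ifupdown, vlan, ethtool), the host firewall
  # (nftables), brute-force banning (fail2ban) and traffic accounting
  # (vnstat). The two python3 modules are presumably fail2ban backend
  # dependencies (systemd journal / inotify) - confirm against the jail config.
  apt:
    pkg:
      - ethtool
      - fail2ban
      - ifupdown
      - nftables
      - python3-pyinotify
      - python3-systemd
      - vlan
      - vnstat
    state: present
    # policy-rc.d exit code 101 ("action forbidden") for the duration of the
    # install, so the maintainer scripts do not start nftables/fail2ban with
    # their stock configuration before the files below are deployed. The
    # services are enabled and started explicitly at the end of this file.
    policy_rc_d: 101
  tags: "online"
  # Failing the package install is only tolerated when the caller opts in
  # (e.g. offline runs); "| bool" keeps a string "false" from being truthy.
  ignore_errors: "{{ignore_online_errors | bool}}"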


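- name: copy interfaces config
  copy:
    src: "{{item}}"
    dest: "/etc/network/interfaces"
    # Quoted: a bare leading-zero literal is parsed as an octal int by
    # YAML 1.1 (ansible-lint risky-octal); the resulting mode is unchanged.
    mode: "0644"
    owner: "root"
    group: "root"
  # Most specific source wins: per-host, per-group, all-hosts, then the
  # role default. Lookups are anchored at the controller's $PWD, so the
  # play presumably has to be run from the repository root.
  with_first_found:
    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/interfaces"
    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/interfaces"
    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/interfaces"
    - "default/interfaces"
  # No validate step exists for this file; a broken interfaces file is only
  # noticed when the handler restarts networking, which may also drop the
  # SSH session the play runs over.
  notify: restart networking.service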


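- name: copy nftables config
  copy:
    src: "{{item}}"
    dest: "/etc/nftables.conf"
    # Quoted: a bare leading-zero literal is parsed as an octal int by
    # YAML 1.1 (ansible-lint risky-octal); the resulting mode is unchanged.
    mode: "0644"
    owner: "root"
    group: "root"
    # Parse-check the staged file (%s) before it replaces the live ruleset,
    # so a syntactically broken firewall config is never installed and the
    # next reload/boot cannot fail on it.
    validate: "nft --check --file %s"
  # Most specific source wins: per-host, per-group, all-hosts, then the
  # role default. Lookups are anchored at the controller's $PWD.
  with_first_found:
    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/nftables.conf"
    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/nftables.conf"
    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/nftables.conf"
    - "default/nftables.conf"
  # fail2ban is restarted as well, presumably because reloading the
  # ruleset drops the chains/sets fail2ban inserted its bans into and the
  # restart re-creates them - confirm against the nftables-common action.
  notify:
    - restart nftables.service
    - restart fail2ban.service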


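- name: copy fail2ban jail config
  copy:
    src: "{{item}}"
    dest: "/etc/fail2ban/jail.local"
    # Quoted: a bare leading-zero literal is parsed as an octal int by
    # YAML 1.1 (ansible-lint risky-octal); the resulting mode is unchanged.
    mode: "0644"
    owner: "root"
    group: "root"
  # Most specific source wins: per-host, per-group, all-hosts, then the
  # role default. Lookups are anchored at the controller's $PWD.
  with_first_found:
    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/fail2ban.jail.local"
    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/fail2ban.jail.local"
    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/fail2ban.jail.local"
    - "default/fail2ban.jail.local"
  # Unlike nftables.conf there is no pre-copy validation; a jail config
  # error only surfaces when the handler restarts fail2ban.
  notify: restart fail2ban.service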


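- name: copy fail2ban/action.d/nftables-common.local
  # Local override of the nftables ban action shipped with fail2ban, so the
  # bans land in the nftables ruleset deployed above.
  copy:
    src: "{{item}}"
    dest: "/etc/fail2ban/action.d/nftables-common.local"
    # Quoted: a bare leading-zero literal is parsed as an octal int by
    # YAML 1.1 (ansible-lint risky-octal); the resulting mode is unchanged.
    mode: "0644"
    owner: "root"
    group: "root"
  # Most specific source wins: per-host, per-group, all-hosts, then the
  # role default. Lookups are anchored at the controller's $PWD.
  with_first_found:
    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/fail2ban.nftables-common.local"
    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/fail2ban.nftables-common.local"
    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/fail2ban.nftables-common.local"
    - "default/fail2ban.nftables-common.local"
  notify: restart fail2ban.service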


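- name: copy fail2ban/filter.d/repeated-offenders.conf
  # Custom filter definition; the jail that uses it is expected to be
  # declared in jail.local (copied above).
  copy:
    src: "{{item}}"
    dest: "/etc/fail2ban/filter.d/repeated-offenders.conf"
    # Quoted: a bare leading-zero literal is parsed as an octal int by
    # YAML 1.1 (ansible-lint risky-octal); the resulting mode is unchanged.
    mode: "0644"
    owner: "root"
    group: "root"
  # Most specific source wins: per-host, per-group, all-hosts, then the
  # role default. Lookups are anchored at the controller's $PWD.
  with_first_found:
    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/fail2ban.filter.repeated-offenders.conf"
    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/fail2ban.filter.repeated-offenders.conf"
    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/fail2ban.filter.repeated-offenders.conf"
    - "default/fail2ban.filter.repeated-offenders.conf"
  notify: restart fail2ban.service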


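- name: copy vnstat.conf
  copy:
    src: "{{item}}"
    dest: "/etc/vnstat.conf"
    # Quoted: a bare leading-zero literal is parsed as an octal int by
    # YAML 1.1 (ansible-lint risky-octal); the resulting mode is unchanged.
    mode: "0644"
    owner: "root"
    group: "root"
  # Most specific source wins: per-host, per-group, all-hosts, then the
  # role default. Lookups are anchored at the controller's $PWD.
  with_first_found:
    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/vnstat.conf"
    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/vnstat.conf"
    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/vnstat.conf"
    - "default/vnstat.conf"
  notify: restart vnstat.service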


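- name: enable and start nftables.service
  # Shared role that enables and starts one unit; block-style args instead
  # of the free-form name="..." string (ansible-lint prefers native YAML).
  include_role:
    name: base/systemd/enable-and-start
  vars:
    service_name: nftables.service
  # Deliberately no ignore_errors (unlike fail2ban/vnstat below): a host
  # firewall that fails to come up should fail the play.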


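- name: enable and start fail2ban.service
  # Shared role that enables and starts one unit; block-style args instead
  # of the free-form name="..." string (ansible-lint prefers native YAML).
  include_role:
    name: base/systemd/enable-and-start
  vars:
    service_name: fail2ban.service
  # maybe the system is not fully setup yet (e.g. the log sources the
  # jails watch do not exist yet); a failed start is reported but not fatal.
  # Canonical boolean instead of "yes" (yamllint truthy).
  ignore_errors: true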


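- name: enable and start vnstat.service
  # Shared role that enables and starts one unit; block-style args instead
  # of the free-form name="..." string (ansible-lint prefers native YAML).
  include_role:
    name: base/systemd/enable-and-start
  vars:
    service_name: vnstat.service
  # maybe the system is not fully setup yet (e.g. the interface vnstat is
  # configured for is not up); a failed start is reported but not fatal.
  # Canonical boolean instead of "yes" (yamllint truthy).
  ignore_errors: true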