diff --git a/.drone.yml b/.drone.yml index d2c5b68..ebb113f 100644 --- a/.drone.yml +++ b/.drone.yml @@ -3,10 +3,6 @@ kind: pipeline type: docker name: default -platform: - os: linux - arch: arm - steps: - name: lint image: bdebyl/yamllint @@ -19,6 +15,6 @@ trigger: - pull_request --- kind: signature -hmac: 4280c0f368f066e7c24573ae80777b3a7f8f6483a643f7843388a50529379c71 +hmac: 7e505a3615347898a4858753d4bcc19295548c84278e48eb68cfff38dfe1eed6 ... diff --git a/Makefile b/Makefile index 40350c7..cdef268 100644 --- a/Makefile +++ b/Makefile @@ -6,9 +6,6 @@ # Author: bdebyl (Bastian de Byl) all: lint -# Default to all ansible tags to run (passed via 'make deploy TAGS=sometag') -TAGS?=all - PASS_SRC=./.pass.sh # Setup Definitions VENV=.venv @@ -27,6 +24,10 @@ VAULT_FILE=ansible/vars/vault.yml ANSIBLE_INVENTORY=ansible/inventories/home/hosts.yml SSH_KEY=${HOME}/.ssh/id_rsa_home_ansible +# Default to all ansible tags to run (passed via 'make deploy TAGS=sometag') +TAGS?=all +TARGET?=all + ${VENV}: virtualenv -p python3 ${VENV} ${PIP}: ${VENV} 
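Review bot: The comment that moves into this hunk still documents only TAGS, while the new `TARGET?=all` default, which the other Makefile hunk feeds to `-l` in the deploy, check and list targets, gets no explanation; a one-line comment such as `# Limit the run to an inventory host/group pattern (passed via 'make deploy TARGET=somehost')` keeps the two defaults self-describing. Since `all` is also Ansible's implicit limit, the default preserves the previous run-everywhere behaviour, which is worth stating so nobody assumes the variable narrows a deploy on its own. Both values are expanded unquoted into the recipes, so a TARGET containing spaces or shell metacharacters would be split by the shell; as long as only inventory patterns are passed that is acceptable.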
@@ -50,10 +51,16 @@ SKIP_FILE=./.lint-vars.sh # Targets deploy: ${ANSIBLE} ${VAULT_FILE} - ${ANSIBLE} --diff --private-key ${SSH_KEY} -t ${TAGS} -i ${ANSIBLE_INVENTORY} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml + ${ANSIBLE} --diff --private-key ${SSH_KEY} -t ${TAGS} -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml + +list-tags: ${ANSIBLE} ${VAULT_FILE} + ${ANSIBLE} --list-tags -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml + +list-tasks: ${ANSIBLE} ${VAULT_FILE} + ${ANSIBLE} --list-tasks -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml check: ${ANSIBLE} ${VAULT_FILE} - ${ANSIBLE} --check --diff --private-key ${SSH_KEY} -t ${TAGS} -i ${ANSIBLE_INVENTORY} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml + ${ANSIBLE} --check --diff --private-key ${SSH_KEY} -t ${TAGS} -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml vault: ${ANSIBLE_VAULT} ${VAULT_FILE} ${ANSIBLE_VAULT} edit --vault-password-file ${VAULT_PASS_FILE} ${VAULT_FILE} diff --git a/ansible/roles/common/defaults/main.yml b/ansible/roles/common/defaults/main.yml index 96c7263..bd62b40 100644 --- a/ansible/roles/common/defaults/main.yml +++ b/ansible/roles/common/defaults/main.yml @@ -1,12 +1,21 @@ --- deps: [ + cronie, docker, - git, fail2ban, - python-docker + git, + python-docker, + tmux, + weechat ] fail2ban_jails: [ sshd.local, nginx.local ] + +services: + - docker + - fail2ban + - iptables + - nginx diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml index 05e767d..73a2b03 100644 --- a/ansible/roles/common/tasks/main.yml +++ b/ansible/roles/common/tasks/main.yml @@ -1,3 +1,4 @@ --- - import_tasks: deps.yml - import_tasks: security.yml +- import_tasks: service.yml 
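Review bot: The inventory, limit and vault-password flags are now repeated verbatim in four recipes (deploy, list-tags, list-tasks, check), so the next option added to one of them will be forgotten in another, as this hunk already shows with `-t ${TAGS}` present in deploy/check but absent from the two list targets. Factor the shared part into one variable next to the other definitions, e.g. `ANSIBLE_OPTS=-i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE}`, and write the recipes as `${ANSIBLE} --list-tags ${ANSIBLE_OPTS} ansible/deploy.yml`. Whether `list-tags` and `list-tasks` are declared in a `.PHONY` list is outside this hunk; if a file of either name ever appears in the repo, make would silently skip the recipe.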
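Review bot: The new `services` list enables `nginx` and `iptables` from the common role, but neither package appears in the `deps` list this same hunk edits, so on a freshly provisioned host the service task added in this commit would fail for those units unless something earlier in the play installs them; the role order and the http role's deps.yml are not visible here, so treat that as a question rather than a confirmed break. Either add the packages to `deps`, or leave `nginx` to the http role that installs it and keep `services` to what common itself guarantees. For `iptables`, enabling the unit says nothing about which rules it loads; assuming security.yml does not already deploy a rule set, a comment in the defaults such as `# only the unit is enabled here; the rule set it loads is not managed by this role` stops anyone reading this list as a firewall policy.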
diff --git a/ansible/roles/common/tasks/service.yml b/ansible/roles/common/tasks/service.yml new file mode 100644 index 0000000..198671d --- /dev/null +++ b/ansible/roles/common/tasks/service.yml @@ -0,0 +1,9 @@ +--- +- name: ensure desired services are started and enabled + become: true + service: + name: "{{ item }}" + state: started + enabled: true + loop: "{{ services }}" + tags: security, service diff --git a/ansible/roles/http/tasks/http.yml b/ansible/roles/http/tasks/http.yml index fd8ca1e..580d4b6 100644 --- a/ansible/roles/http/tasks/http.yml +++ b/ansible/roles/http/tasks/http.yml @@ -28,15 +28,6 @@ recurse: true tags: http -- name: touch nginx logs, enable jail - become: true - file: - path: "/var/log/nginx/error.log" - state: file - mode: 0644 - notify: restart_fail2ban - tags: http, security - - name: template nginx http sites-available become: true template: diff --git a/ansible/roles/http/tasks/main.yml b/ansible/roles/http/tasks/main.yml index 68ecafb..5e7613b 100644 --- a/ansible/roles/http/tasks/main.yml +++ b/ansible/roles/http/tasks/main.yml @@ -1,5 +1,6 @@ --- - import_tasks: deps.yml +- import_tasks: security.yml - import_tasks: modsec.yml - import_tasks: http.yml - import_tasks: https.yml diff --git a/ansible/roles/http/tasks/security.yml b/ansible/roles/http/tasks/security.yml new file mode 100644 index 0000000..17f94a5 --- /dev/null +++ b/ansible/roles/http/tasks/security.yml @@ -0,0 +1,12 @@ +--- +- name: touch nginx logs, enable jail + become: true + file: + path: "/var/log/nginx/{{ item }}.log" + state: touch + mode: 0644 + loop: + - access + - error + notify: restart_fail2ban + tags: http, security diff --git a/ansible/roles/ssl/tasks/certbot.yml b/ansible/roles/ssl/tasks/certbot.yml index e5c8ce6..34afbfa 100644 --- a/ansible/roles/ssl/tasks/certbot.yml +++ b/ansible/roles/ssl/tasks/certbot.yml 
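Review bot: The loop reads `services` straight from the role defaults, and an inventory- or play-level variable of the same generic name replaces the whole list rather than merging with it, so a host that sets its own `services` silently stops having fail2ban and iptables enforced by this task; neither the task nor the defaults says so. A comment above the task such as `# services comes from defaults/main.yml; any override replaces the whole list, so keep fail2ban/iptables in it` makes that visible, and a role-prefixed name like `common_services` would reduce the chance of an accidental collision. Writing the tags as a list, `tags: [security, service]`, avoids relying on Ansible splitting the comma-separated string.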
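Review bot: `state: touch` updates the timestamps of both log files on every run, so the task reports changed each time and `notify: restart_fail2ban` fires on every deploy rather than only when a log file was actually created; restarting fail2ban on each run interrupts it and, depending on its persistence settings, may clear active bans, which a convergent play should not do. Since Ansible 2.7 the file module can keep the touch idempotent: add `modification_time: preserve` and `access_time: preserve` next to `state: touch`, and quote the mode as `mode: "0644"` so the value reaches the module as a string rather than a YAML 1.1 octal integer, as the Ansible docs recommend. The task this replaces used `state: file`, which would fail before nginx had ever written a log, so keeping touch is right; only the timestamp handling needs the change.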
@@ -2,7 +2,7 @@ - name: generate openssl dhparam for nginx become: true command: | - openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 2048 + openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 args: creates: /etc/ssl/certs/dhparam.pem tags: ssl
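Review bot: The `creates: /etc/ssl/certs/dhparam.pem` guard means dropping `-dsaparam` only affects hosts that have never been provisioned; any existing host keeps the DSA-style parameters generated with the old flag, which the openssl-dhparam manual warns require a fresh DH key per use to avoid small-subgroup attacks, and nothing in this task regenerates them. Record that in the task, e.g. `# hosts provisioned before the -dsaparam removal must delete dhparam.pem once so it is regenerated`, or add a one-off task that removes the old file when a stat/fact check identifies it. Generating 2048-bit parameters without `-dsaparam` can take minutes on low-powered hosts; the RFC 7919 ffdhe2048 group is a standard alternative that avoids generating parameters at all if nginx's `ssl_dhparam` is pointed at it instead.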