Merge pull request #6 from bdebyl/noticket_newserv

noticket Changes from redeploy to new server

.drone.yml

@@ -3,10 +3,6 @@ kind: pipeline
 type: docker
 name: default
 
-platform:
-  os: linux
-  arch: arm
-
 steps:
   - name: lint
     image: bdebyl/yamllint
@@ -19,6 +15,6 @@ trigger:
     - pull_request
 ---
 kind: signature
-hmac: 4280c0f368f066e7c24573ae80777b3a7f8f6483a643f7843388a50529379c71
+hmac: 7e505a3615347898a4858753d4bcc19295548c84278e48eb68cfff38dfe1eed6
 
 ...

Makefile

@@ -6,9 +6,6 @@
 # Author: bdebyl (Bastian de Byl)
 all: lint
 
-# Default to all ansible tags to run (passed via 'make deploy TAGS=sometag')
-TAGS?=all
-
 PASS_SRC=./.pass.sh
 # Setup Definitions
 VENV=.venv
@@ -27,6 +24,10 @@ VAULT_FILE=ansible/vars/vault.yml
 ANSIBLE_INVENTORY=ansible/inventories/home/hosts.yml
 SSH_KEY=${HOME}/.ssh/id_rsa_home_ansible
 
+# Default to all ansible tags to run (passed via 'make deploy TAGS=sometag')
+TAGS?=all
+TARGET?=all
+
 ${VENV}:
 	virtualenv -p python3 ${VENV}
 ${PIP}: ${VENV}
@@ -50,10 +51,16 @@ SKIP_FILE=./.lint-vars.sh
 
 # Targets
 deploy: ${ANSIBLE} ${VAULT_FILE}
-	${ANSIBLE} --diff --private-key ${SSH_KEY} -t ${TAGS} -i ${ANSIBLE_INVENTORY} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml
+	${ANSIBLE} --diff --private-key ${SSH_KEY} -t ${TAGS} -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml
+
+list-tags: ${ANSIBLE} ${VAULT_FILE}
+	${ANSIBLE} --list-tags -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml
+
+list-tasks: ${ANSIBLE} ${VAULT_FILE}
+	${ANSIBLE} --list-tasks -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml
 
 check: ${ANSIBLE} ${VAULT_FILE}
-	${ANSIBLE} --check --diff --private-key ${SSH_KEY} -t ${TAGS} -i ${ANSIBLE_INVENTORY} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml
+	${ANSIBLE} --check --diff --private-key ${SSH_KEY} -t ${TAGS} -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml
 
 vault: ${ANSIBLE_VAULT} ${VAULT_FILE}
 	${ANSIBLE_VAULT} edit --vault-password-file ${VAULT_PASS_FILE} ${VAULT_FILE}

ansible/roles/common/defaults/main.yml

@@ -1,12 +1,21 @@
 ---
 deps: [
+  cronie,
   docker,
-  git,
   fail2ban,
-  python-docker
+  git,
+  python-docker,
+  tmux,
+  weechat
 ]
 
 fail2ban_jails: [
   sshd.local,
   nginx.local
 ]
+
+services:
+  - docker
+  - fail2ban
+  - iptables
+  - nginx

ansible/roles/common/tasks/main.yml

@@ -1,3 +1,4 @@
 ---
 - import_tasks: deps.yml
 - import_tasks: security.yml
+- import_tasks: service.yml

ansible/roles/common/tasks/service.yml

@@ -0,0 +1,9 @@
+---
+- name: ensure desired services are started and enabled
+  become: true
+  service:
+    name: "{{ item }}"
+    state: started
+    enabled: true
+  loop: "{{ services }}"
+  tags: security, service

ansible/roles/http/tasks/http.yml

@@ -28,15 +28,6 @@
     recurse: true
   tags: http
 
-- name: touch nginx logs, enable jail
-  become: true
-  file:
-    path: "/var/log/nginx/error.log"
-    state: file
-    mode: 0644
-  notify: restart_fail2ban
-  tags: http, security
-
 - name: template nginx http sites-available
   become: true
   template:

ansible/roles/http/tasks/main.yml

@@ -1,5 +1,6 @@
 ---
 - import_tasks: deps.yml
+- import_tasks: security.yml
 - import_tasks: modsec.yml
 - import_tasks: http.yml
 - import_tasks: https.yml

ansible/roles/http/tasks/security.yml

@@ -0,0 +1,12 @@
+---
+- name: touch nginx logs, enable jail
+  become: true
+  file:
+    path: "/var/log/nginx/{{ item }}.log"
+    state: touch
+    mode: 0644
+  loop:
+    - access
+    - error
+  notify: restart_fail2ban
+  tags: http, security

ansible/roles/ssl/tasks/certbot.yml

@@ -2,7 +2,7 @@
 - name: generate openssl dhparam for nginx
   become: true
   command: |
-    openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 2048
+    openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
   args:
     creates: /etc/ssl/certs/dhparam.pem
   tags: ssl