infra/ansible/roles/profile_server/tasks/main.yml

---
# Install the per-user dotfiles from the repository's dotfiles/server/ tree into
# the server account's home directory. Sources are resolved relative to the
# playbook (not the role's files/ dir), so the role depends on that repo layout.
- name: Copy server dotfiles
  ansible.builtin.copy:
    src: '{{ playbook_dir }}/../dotfiles/server/{{ item.src }}'
    dest: '{{ server_user_home }}/{{ item.dest }}'
    # Every file is owned by the server account. `mode` has no default here, so
    # each entry in server_dotfiles must state it explicitly (a missing key
    # fails the task rather than silently falling back to a permissive mode).
    owner: '{{ server_username }}'
    group: '{{ server_user_group }}'
    mode: '{{ item.mode }}'
  loop: '{{ server_dotfiles | default([]) }}'
  loop_control:
    label: '{{ item.dest }}'
  tags: [dotfiles, dotfiles:server]
# Fail before anything is rendered when the container secrets are not loaded.
# Only presence is checked: an unset or empty value is rejected, but a
# placeholder string is not, so this does not validate the secret itself.
# The assertion text never echoes the values, so no `no_log` is needed.
- name: Require server container secret variables
  ansible.builtin.assert:
    fail_msg: >-
      Server container secrets are missing. Define vault_navidrome_db_password and
      vault_postgres_root_password in secrets/vault.yml or another vars source.
    that:
      - (vault_navidrome_db_password | default('')) | length > 0
      - (vault_postgres_root_password | default('')) | length > 0
  tags: [dotfiles, dotfiles:server, services]
# Create the directory tree the services and dotfiles expect. Unlike the
# file/template tasks, owner and group have no defaults here: each
# server_directories entry must carry path, owner, group and mode.
- name: Ensure server directories exist
  ansible.builtin.file:
    state: directory
    path: '{{ item.path }}'
    owner: '{{ item.owner }}'
    group: '{{ item.group }}'
    mode: '{{ item.mode }}'
  loop: '{{ server_directories | default([]) }}'
  loop_control:
    label: '{{ item.path }}'
  tags: [dotfiles, services]
# Render Jinja templates onto the host. A `dest` starting with "/" is used as-is
# (system paths such as compose or env files); anything else is placed under
# the server user's home.
#
# Templates that embed secrets (e.g. the vault_* container passwords asserted
# above) must set `no_log: true` on their entry, otherwise the rendered content
# shows up in diff/verbose output. NOTE(review): per-item templating of no_log
# should be confirmed on the Ansible version in use; a task-level
# `no_log: true` is the safe choice when any item renders a secret.
- name: Render server templates
  vars:
    # Absolute destinations pass through untouched; relative ones are
    # anchored at server_user_home.
    _render_dest: "{{ item.dest if item.dest.startswith('/') else server_user_home ~ '/' ~ item.dest }}"
  ansible.builtin.template:
    src: '{{ item.src }}'
    dest: '{{ _render_dest }}'
    # Ownership defaults to the server account; mode is required per item.
    owner: '{{ item.owner | default(server_username) }}'
    group: '{{ item.group | default(server_user_group) }}'
    mode: '{{ item.mode }}'
  loop: '{{ server_templates | default([]) }}'
  loop_control:
    label: '{{ item.dest }}'
  no_log: '{{ item.no_log | default(false) }}'
  tags: [dotfiles, dotfiles:server]
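# Set PermitRootLogin to the configured value. Despite the task name, the value
# written is whatever server_sshd_settings.PermitRootLogin holds, so an
# inventory value of "yes" re-enables root login; keep it "no" (or
# "prohibit-password" where root key login is genuinely required).
#
# sshd honours the FIRST occurrence of a keyword, and current sshd_config files
# begin with "Include /etc/ssh/sshd_config.d/*.conf". The lineinfile fallback
# of appending at EOF when nothing matches would therefore be shadowed by any
# drop-in, and if the file ends in a Match block the appended line would apply
# only inside that block. When no existing line is found we instead insert
# before the first Include/Match line. An existing PermitRootLogin line (the
# last one, per lineinfile semantics) is still edited in place as before.
- name: Disable SSH root login on server
  tags: [services]
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^\s*PermitRootLogin\s+'
    line: "PermitRootLogin {{ server_sshd_settings.PermitRootLogin }}"
    # Only used when `regexp` matches nothing; falls back to EOF if neither
    # Include nor Match is present.
    insertbefore: '^\s*(Include|Match)\s'
    firstmatch: true
    state: present
    # Syntax-check the candidate file before it replaces the live config.
    validate: "sshd -t -f %s"
  notify: Reload SSH service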
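# Limit interactive SSH logins to server_sshd_allow_users. The account Ansible
# connects with (ansible_user) MUST be in that list or the next run locks
# itself out; `sshd -t` only checks syntax, it cannot catch that.
#
# Skipped when the list is empty, which leaves any AllowUsers line written by
# an earlier run in place rather than removing it.
#
# As with PermitRootLogin, an appended line would be shadowed by an Include'd
# drop-in (sshd takes the first value) and AllowUsers is not even valid inside
# a Match block, so when no existing line matches we insert before the first
# Include/Match line instead of at EOF.
- name: Restrict SSH login to allowed users on server
  tags: [services]
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^\s*AllowUsers\s+'
    line: "AllowUsers {{ server_sshd_allow_users | join(' ') }}"
    insertbefore: '^\s*(Include|Match)\s'
    firstmatch: true
    state: present
    validate: "sshd -t -f %s"
  notify: Reload SSH service
  when: (server_sshd_allow_users | default([])) | length > 0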
# Materialise the rule list under its own name so the apply/enable tasks below
# share one source of truth. Currently a straight copy of server_ufw_rules
# (empty when unset).
- name: Define effective server UFW rules
  ansible.builtin.set_fact:
    server_ufw_rules_effective: '{{ server_ufw_rules | default([]) }}'
  tags: [services, packages]
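# Apply each inventory-defined rule. Every item needs `rule` (allow/deny/...);
# the remaining keys are passed through only when present.
#
# Caveats a reviewer should keep in mind:
#   * Rules are additive. Removing an entry from server_ufw_rules does not
#     remove it from the host; set `delete: true` on the entry to reconcile.
#   * The enable task that follows only checks that the list is non-empty, it
#     does not check that SSH is allowed. Make sure an allow rule for the
#     management port (ideally restricted via `src`) is in the list before the
#     firewall is turned on, or the controller locks itself out.
#   * ufw evaluates rules in order; a generic `rule: allow` without `src`
#     opens the port to everyone.
- name: Apply server UFW rules
  tags: [services, packages]
  community.general.ufw:
    rule: "{{ item.rule }}"
    name: "{{ item.name | default(omit) }}"
    port: "{{ item.port | default(omit) }}"
    proto: "{{ item.proto | default(omit) }}"
    from_ip: "{{ item.src | default(omit) }}"
    to_ip: "{{ item.dest | default(omit) }}"
    from_port: "{{ item.from_port | default(omit) }}"
    direction: "{{ item.direction | default(omit) }}"
    interface: "{{ item.interface | default(omit) }}"
    interface_in: "{{ item.interface_in | default(omit) }}"
    interface_out: "{{ item.interface_out | default(omit) }}"
    route: "{{ item.route | default(omit) }}"
    comment: "{{ item.comment | default(omit) }}"
    # Optional: declaratively remove a rule, or log matches for it.
    delete: "{{ item.delete | default(omit) }}"
    log: "{{ item.log | default(omit) }}"
  loop: "{{ server_ufw_rules_effective }}"
  loop_control:
    # A rule with neither name nor port (e.g. a bare source-based allow) used
    # to break the label; fall back to the (required) rule action.
    label: "{{ item.name | default(item.port | default(item.rule)) }}"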
- name: Enable UFW firewall on server
tags: [services, packages]
community.general.ufw:
state: enabled
when: (server_ufw_rules_effective | default([])) | length > 0