| # |
| # |
| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License. |
| # |
| |
| --- |
| #Tasks file can include smaller files if wanted |
| #All commons tasks goes here |
| - name: Create a new user group "{{ group }}" |
| group: name={{ group }} |
| become: yes |
| |
| - name: Create a new user "{{ user }}" |
| user: name={{ user }} group={{ group }} |
| become: yes |
| |
| - name: Install Firewalld (RedHat) |
| yum: name=firewalld state=latest update_cache=yes |
| become: yes |
| when: ansible_os_family == "RedHat" |
| |
| - name: Install Firewalld (Debian) |
| apt: name=firewalld state=latest update_cache=yes |
| become: yes |
| when: ansible_os_family == "Debian" |
| |
| |
| # TODO: stop iptables service, can't have both iptables and firewalld on same host |
| # firewalld is just a frontend for iptables - so we can't remove it |
| # if we try to stop non existing service ansible fails. |
| # - name: Stop iptables, ip6tables services |
| # service: name="{{ item }}" state=stopped |
| # with_items: |
| # - iptables |
| # - ip6tables |
| |
| - name: Start firewalld service |
| service: name=firewalld state=started |
| become: yes |
| |
| - name: open firewall port 22 for SSH connections |
| firewalld: port="22/tcp" |
| zone=public permanent=true state=enabled immediate=yes |
| become: yes |
| when: ansible_os_family == "RedHat" |
| |
| # Issues with firewalld module on Ubuntu https://github.com/ansible/ansible/issues/24855 |
| # So as workaround, just calling firewall-cmd directly for now |
| - name: open firewall port 22 for SSH connections (Debian) |
| command: firewall-cmd --zone=public --add-port=22/tcp |
| become: yes |
| when: ansible_os_family == "Debian" |
| |
| - name: open firewall port 22 for SSH connections permanently (Debian) |
| command: firewall-cmd --zone=public --permanent --add-port=22/tcp |
| become: yes |
| when: ansible_os_family == "Debian" |
| |
| # Automatic security updates installation |
| |
| # TODO: switch to dnf-automatic for Rocky Linux |
| # - name: Install yum-cron, yum-utils (RedHat) |
| # yum: name={{ item }} state=latest update_cache=yes |
| # become: yes |
| # when: ansible_os_family == "RedHat" |
| # with_items: |
| # - yum-cron |
| # - yum-utils |
| |
| # - name: Copy yum-cron.conf config file |
| # copy: |
| # src: yum-cron.conf |
| # dest: /etc/yum/yum-cron.conf |
| # backup: yes |
| # become: yes |
| # when: ansible_os_family == "RedHat" |
| |
| # - name: Enable and start yum-cron |
| # service: name=yum-cron state=started enabled=yes daemon_reload=yes |
| # become: yes |
| # when: ansible_os_family == "RedHat" |
| ... |