commit e15a6bb5b2c6eb25810626ddc6848f65a0a44b8e
parent 30e37ae11aae67c74ed9eff45a9f8a7aa8303f45
Author: Leah Thein <leah@toaster.fritz.box>
Date: Thu, 3 Dec 2020 17:36:36 +0100
parent 30e37ae11aae67c74ed9eff45a9f8a7aa8303f45
Author: Leah Thein <leah@toaster.fritz.box>
Date: Thu, 3 Dec 2020 17:36:36 +0100
common: more dynamic system configuration
7 files changed, 88 insertions(+), 14 deletions(-)
diff --git a/config-files/ssh/sshd_config.patch b/config-files/ssh/sshd_config.patch @@ -13,7 +13,7 @@ #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! --PasswordAuthentication yes +-#PasswordAuthentication yes +PasswordAuthentication no #PermitEmptyPasswords no
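Review bot: Setting `PasswordAuthentication no` in the patched sshd_config only closes the password method; if the file still carries `ChallengeResponseAuthentication yes` (or `KbdInteractiveAuthentication` on newer OpenSSH) with UsePAM, password logins stay possible through keyboard-interactive, and this hunk does not show those options. Worth adding a `-ChallengeResponseAuthentication yes` / `+ChallengeResponseAuthentication no` pair to the same patch, or at least checking the rendered config after the role runs. Since lollo appears to be enrolled in the common role by this commit, its authorized keys need to be in place before the play applies this patch or the host is locked out. The patched file continues outside this hunk.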
diff --git a/inventory b/inventory @@ -9,4 +9,4 @@ taurus.ctu.cx wanderduene.ctu.cx [lollo] -lollo- \ No newline at end of file +192.168.178.116+ \ No newline at end of file
diff --git a/playbooks.yml b/playbooks.yml
@@ -28,6 +28,7 @@
 # - frps
 # - backup
 vars:
+ alpineVersion: edge
 network:
 hostname: wanderduene
 domain: ctu.cx
@@ -36,6 +37,8 @@
 - 8.8.8.8
 awall:
 wan: eth0
+ vlanSupport: false
+ natSupport: false
 interfaces:
 - name: lo
 loopback: true
@@ -214,6 +217,7 @@
 # - websites
 # - rest-server
 vars:
+ alpineVersion: edge
 network:
 hostname: taurus
 domain: ctu.cx
@@ -222,6 +226,8 @@
 - 8.8.8.8
 awall:
 wan: eth0
+ vlanSupport: false
+ natSupport: false
 interfaces:
 - name: lo
 loopback: true
@@ -286,9 +292,10 @@
 - hosts: lollo
 name: Install lollo
 roles:
-# - common
+ - common
 - syncthing
 vars:
+ alpineVersion: v3.12
 network:
 hostname: lollo
 domain: ctu.cx
@@ -296,7 +303,32 @@
 - 1.1.1.1
 - 8.8.8.8
 awall:
- wan: eth0
+ zones:
+ WAN:
+ - iface: eth0
+ policys:
+ - in: _fw
+ action: accept
+ - in: _fw
+ out: WAN
+ action: accept
+ - in: WAN
+ action: drop
+ filters:
+ - in: _fw
+ out: WAN
+ service:
+ - dns
+ - http
+ - https
+ - ssh
+ - in: WAN
+ out: _fw
+ service:
+ - ping
+ action: accept
+ vlanSupport: true
+ natSupport: true
 interfaces:
 - name: lo
 loopback: true
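Review bot: The new `vlanSupport` / `natSupport` keys are added directly after the `awall:` entries in all three plays, but the tasks in roles/common/tasks/network.yml read them as `network.natSupport` and `network.vlanSupport`; the flattened rendering hides the indentation, so if these keys actually sit under `awall:` rather than at the same level as `hostname:` under `network:`, every `when:` on those tasks evaluates false and neither the sysctl nor the vlan package ever changes. Please confirm the nesting in all three hunks (wanderduene, taurus, lollo) or have the tasks read `network.awall.natSupport` consistently. Separately, lollo gets `natSupport: true` while the awall config defines only a WAN zone with `- in: WAN action: drop`; if the forwarding/NAT rules are meant to come from the awall template, nothing in this hunk shows a LAN zone for them, so enabling ip_forward may be a no-op or, with a permissive template, expose forwarding that the policy does not cover.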
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml @@ -12,3 +12,4 @@ - include: firewall.yml - include: node-exporter.yml + when: alpineVersion == "edge"
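Review bot: `when: alpineVersion == "edge"` raises an undefined-variable error on any host that does not set alpineVersion, so a missing var turns into a failed play rather than a skipped node-exporter; `when: alpineVersion | default('') == "edge"` makes the skip explicit. The three plays in playbooks.yml do set the variable, so this only bites new hosts added to the inventory. Also `include:` has been deprecated since Ansible 2.4 in favour of `import_tasks:` / `include_tasks:`; with a static `import_tasks:` the `when:` is applied to each imported task, which is the intended behaviour here.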
diff --git a/roles/common/tasks/network.yml b/roles/common/tasks/network.yml
@@ -1,28 +1,62 @@
 ---
-- name: create network-config
+- name: create /etc/network/interfaces
 template:
 src: interfaces.conf.j2
 dest: /etc/network/interfaces
 mode: 0755
-- name: create hosts-config
+- name: create /etc/hosts
 template:
 src: hosts.conf.j2
 dest: /etc/hosts
 mode: 0755
-- name: create hosts-config
+- name: create /etc/resolv.conf
 template:
 src: resolv.conf.j2
 dest: /etc/resolv.conf
 mode: 0755
 - name: set hostname
- copy:
- content: "{{ network.hostname }}"
+ hostname:
+ name: "{{network.hostname}}"
+ use: alpine
+
+- copy:
+ content: "{{network.hostname}}"
 dest: /etc/hostname
- mode: 0755
+
+- name: enable NAT support
+ ansible.posix.sysctl:
+ name: net.ipv4.ip_forward
+ value: '1'
+ sysctl_set: yes
+ state: present
+ reload: yes
+ when: network.natSupport is true
+
+- name: disable NAT support
+ ansible.posix.sysctl:
+ name: net.ipv4.ip_forward
+ value: '0'
+ sysctl_set: yes
+ state: absent
+ reload: yes
+ when: network.natSupport is false
+
+- name: install vlan package
+ apk:
+ name: vlan
+ update_cache: yes
+ when: network.vlanSupport is true
+
+- name: deinstall vlan package
+ apk:
+ name: vlan
+ state: absent
+ update_cache: yes
+ when: network.vlanSupport is false
 - name: restart networking service
 service:
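Review bot: The `disable NAT support` task does not actually turn forwarding off on a running host: with `state: absent` the entry is removed from the sysctl file and `reload: yes` re-applies that file, but nothing writes 0 to the live `net.ipv4.ip_forward` (as far as I can tell the module only sets the running value under `state: present`), so a host flipped from natSupport true to false keeps routing until the next reboot. Using `state: present` together with `value: '0'` pins the value explicitly, which is the safer default for a firewall host. The `network.natSupport is true` / `is false` form also relies on the Jinja `true`/`false` tests (2.11+), and when the variable is unset neither task runs at all, leaving whatever forwarding state the host already has; `when: network.natSupport | default(false) | bool` and its negation are more portable and cover the unset case. Minor: the hostname `copy:` task lost its `name:`, so it shows up as an anonymous task in play output.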
diff --git a/roles/common/tasks/packages.yml b/roles/common/tasks/packages.yml
@@ -4,9 +4,9 @@
 url: http://home.f2k1.de:8080/leah-5f817de5.rsa.pub
 dest: /etc/apk/keys/leah-5f817de5.rsa.pub
-- name: switch to edge repos
- copy:
- content: "http://home.f2k1.de:8080/alpine-pkgs\nhttp://dl-cdn.alpinelinux.org/alpine/edge/main\nhttp://dl-cdn.alpinelinux.org/alpine/edge/community\nhttp://dl-cdn.alpinelinux.org/alpine/edge/testing"
+- name: set repositories
+ template:
+ src: repositories.j2
 dest: /etc/apk/repositories
- name: update system
diff --git a/roles/common/templates/repositories.j2 b/roles/common/templates/repositories.j2 @@ -0,0 +1,6 @@ +http://home.f2k1.de:8080/alpine-pkgs +https://dl-cdn.alpinelinux.org/alpine/{{alpineVersion}}/main +https://dl-cdn.alpinelinux.org/alpine/{{alpineVersion}}/community +{% if alpineVersion == "edge" %} +https://dl-cdn.alpinelinux.org/alpine/{{alpineVersion}}/testing +{% endif %}+ \ No newline at end of file
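Review bot: The first line, `http://home.f2k1.de:8080/alpine-pkgs`, stays plain HTTP while the Alpine mirrors below are moved to HTTPS; apk does check package signatures, but the trust for this repo rests on `leah-5f817de5.rsa.pub`, which the `url:`/`dest:` task in packages.yml fetches from the same host over plain HTTP, so an on-path substitution of key and packages together would go unnoticed. Serve the key over HTTPS or pin it with `checksum: sha256:<expected-digest>` on that task (placeholder, fill in the real digest), and switch this repo line to https if the server supports it. The custom repo is also listed for every host including the one pinned to v3.12, so check its packages are built for that release and not only for edge.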