hetzner-dhcp/dhcp.yml

- hosts: h1-126
  tasks:
    - name: Install software
      become: yes
      package:
        name:
          - awall
          - dnsmasq
          - htop
          - vim
        state: present

    - name: enable dnsmasq service
      become: yes
      service:
        name: dnsmasq
        enabled: yes
        state: started

    - name: Configure SSHD
      become: yes
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: "PermitRootLogin"
        line: "PermitRootLogin yes"
        create: yes
      notify: restart SSHD service

    - name: add requirements in sysctl
      become: yes
      blockinfile:
        path: /etc/sysctl.conf
        insertafter: EOF
        block: |
          # Enable IPv4 forwarding
          net.ipv4.ip_forward = 1

    - name: configuring interfaces
      become: yes
      copy:
        src: 'config/interface-config'
        dest: '/etc/network/interfaces'
        mode: 0644

    - name: configure DNS
      become: yes
      copy: src={{ item.src }} dest={{ item.dest }} mode=0644
      with_items:
        - { src: 'config/dnsmasq/dnsmasq.conf', dest: '/etc/dnsmasq.conf'}
        - { src: 'config/dnsmasq/hosts', dest: '/etc/hosts'}
      notify: restart dnsmasq service

    - name: configure awall
      become: yes
      copy: src={{ item.src }} dest={{ item.dest }} mode=0644
      with_items:
        - { src: 'config/awall/private', dest: '/etc/awall'}
        - { src: 'config/awall/optional', dest: '/etc/awall'}

    - name: enable IPv4 forwarding
      become: yes
      lineinfile:
        path: /etc/conf.d/iptables
        state: present
        regexp: "IPFORWARD="
        line: 'IPFORWARD="yes"'
        create: yes

    - name: Enable awall policies
      awall:
        name:
          - main
          - ssh
          - icmp
        state: enabled
        activate: yes

    - name: enable iptables service
      become: yes
      service:
        name: iptables
        enabled: yes
        state: started

  handlers:
    - name: restart SSHD service
      become: yes
      service:
        name: sshd
        enabled: yes
        state: restarted

    - name: restart dnsmasq service
      become: yes
      service:
        name: dnsmasq
        enabled: yes
        state: restarted
first draft 2020-04-07 19:40:58 +00:00			`- hosts: h1-126`
			`tasks:`
			`- name: Install software`
			`become: yes`
			`package:`
			`name:`
			`- awall`
			`- dnsmasq`
			`- htop`
			`- vim`
			`state: present`

			`- name: enable dnsmasq service`
			`become: yes`
			`service:`
			`name: dnsmasq`
			`enabled: yes`
			`state: started`

			`- name: Configure SSHD`
			`become: yes`
			`lineinfile:`
			`path: /etc/ssh/sshd_config`
			`state: present`
			`regexp: "PermitRootLogin"`
			`line: "PermitRootLogin yes"`
			`create: yes`
			`notify: restart SSHD service`

			`- name: add requirements in sysctl`
			`become: yes`
			`blockinfile:`
			`path: /etc/sysctl.conf`
			`insertafter: EOF`
			`block: \|`
			`# Enable IPv4 forwarding`
			`net.ipv4.ip_forward = 1`

			`- name: configuring interfaces`
			`become: yes`
			`copy:`
			`src: 'config/interface-config'`
			`dest: '/etc/network/interfaces'`
			`mode: 0644`

			`- name: configure DNS`
			`become: yes`
			`copy: src={{ item.src }} dest={{ item.dest }} mode=0644`
			`with_items:`
			`- { src: 'config/dnsmasq/dnsmasq.conf', dest: '/etc/dnsmasq.conf'}`
			`- { src: 'config/dnsmasq/hosts', dest: '/etc/hosts'}`
			`notify: restart dnsmasq service`

			`- name: configure awall`
			`become: yes`
			`copy: src={{ item.src }} dest={{ item.dest }} mode=0644`
			`with_items:`
			`- { src: 'config/awall/private', dest: '/etc/awall'}`
			`- { src: 'config/awall/optional', dest: '/etc/awall'}`

			`- name: enable IPv4 forwarding`
			`become: yes`
			`lineinfile:`
			`path: /etc/conf.d/iptables`
			`state: present`
			`regexp: "IPFORWARD="`
			`line: 'IPFORWARD="yes"'`
			`create: yes`

			`- name: Enable awall policies`
			`awall:`
			`name:`
			`- main`
			`- ssh`
			`- icmp`
			`state: enabled`
			`activate: yes`

			`- name: enable iptables service`
			`become: yes`
			`service:`
			`name: iptables`
			`enabled: yes`
			`state: started`

			`handlers:`
			`- name: restart SSHD service`
			`become: yes`
			`service:`
			`name: sshd`
			`enabled: yes`
			`state: restarted`

			`- name: restart dnsmasq service`
			`become: yes`
			`service:`
			`name: dnsmasq`
			`enabled: yes`
			`state: restarted`