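---
# Tasks for an OpenBSD gateway host: IP forwarding and PF, the PPPoE uplink,
# the LAN interface, DHCP, a recursive (Unbound) and an authoritative (NSD)
# DNS server, HAProxy, mail relaying and spamd, BGP, NTP, and the Elastic
# beats. Wherever the daemon ships a config checker it is used via
# `validate:` so a broken file never replaces the working one.

- name: Configure sysctl
  with_dict:
    # This host routes between em5 (LAN) and pppoe0 (uplink).
    net.inet.ip.forwarding: "1"
  ansible.posix.sysctl:
    name: '{{ item.key }}'
    value: '{{ item.value }}'
  tags:
    - sysctl
    - network
    - pf

- name: Set hosts entries
  ansible.builtin.copy:
    dest: /etc/hosts
    mode: preserve
    src: hosts
    diff: true
  tags:
    - hosts
    - dns
    - network
    - pf

# The ports below are referenced by name from pf.conf. The `noqa 203`
# markers indicate the name/port separator in the original is a tab, as in
# the rest of /etc/services; confirm the separator survived if this file
# was ever reformatted, otherwise the regexp will not match existing lines.
- name: Set services entries
  loop:
    - line: 'wwwproxy 3129/tcp'  # noqa 203
      regexp: ' 3129/tcp'  # noqa 203
    - line: 'ftpproxy 8021/tcp'  # noqa 203
      regexp: ' 8021/tcp'  # noqa 203
    - line: 'bittorrent 51413/tcp'  # noqa 203
      regexp: ' 51413/tcp'  # noqa 203
  ansible.builtin.lineinfile:
    backup: true
    line: '{{ item.line }}'
    path: /etc/services
    regexp: '{{ item.regexp }}'
    state: present
  tags:
    - network
    - pf

# unbound-anchor exits 1 (not 0) when it had to write the key — including
# the very first run that creates it from the builtin certificate — so only
# treat other exit codes as a failure. Subsequent runs are skipped by
# `creates`; the daily cron job below keeps the anchor fresh (RFC 5011).
- name: Generate the Unbound root anchor file
  ansible.builtin.command:
    cmd: /usr/sbin/unbound-anchor -a /var/unbound/db/root.key
    creates: /var/unbound/db/root.key
  register: unbound_anchor
  failed_when: unbound_anchor.rc is defined and unbound_anchor.rc not in [0, 1]
  tags:
    - network
    - dns
    - unbound

# resolvd would rewrite /etc/resolv.conf with the ISP's DNS servers learned
# over PPPoE; it is disabled so the local Unbound instance stays the resolver.
- name: Disable resolvd
  ansible.builtin.service:
    enabled: false
    name: resolvd
    state: stopped
  tags:
    - resolv
    - dns
    - network

- name: Set DNS resolving
  ansible.builtin.copy:
    content: |-
      search shore.co.il
      nameserver 127.0.0.1
      lookup file bind
    dest: /etc/resolv.conf
    mode: 0o0644
    diff: true
  tags:
    - resolv
    - dns
    - network

# Interfaces without credentials: keep diff output for review.
- name: Configure the network interfaces
  with_dict:
    # yamllint disable rule:line-length
    em1: |
      description "Connected to the fiber cable, used for PPPoE connection to the ISP."
      up
    # yamllint enable rule:line-length
    em5: |
      description "Connected to internal LAN."
      inet 192.168.3.1 255.255.255.0
      group ingress
      up
  ansible.builtin.copy:
    content: '{{ item.value }}'
    dest: /etc/hostname.{{ item.key }}
    owner: root
    group: wheel
    mode: 0o0600
    diff: true
  notify:
    - Setup network interfaces
  tags:
    - interface
    - network

# The PPPoE interface file embeds the ISP password (bezeqint_password). It
# is written by a separate task with no_log and without diff output: with
# `diff: true` the rendered authkey would be printed to the Ansible output
# and any callback/log sink on every change. The file itself is root:wheel
# 0600 as hostname.if(5) expects for files carrying authkey.
- name: Configure the PPPoE interface
  ansible.builtin.copy:
    content: |
      description "The connection to the internet."
      inet 62.219.131.121 255.255.255.255 NONE \
      pppoedev em1 authproto pap \
      authname 'ns_nimadar@014' authkey '{{ bezeqint_password }}'
      up
      dest 0.0.0.1
      !/sbin/route add default -ifp pppoe0 62.219.131.121
    dest: /etc/hostname.pppoe0
    owner: root
    group: wheel
    mode: 0o0600
    diff: false
  no_log: true
  notify:
    - Setup network interfaces
  tags:
    - interface
    - network

- name: Configure the Unbound DNS resolver
  ansible.builtin.file:
    path: /var/unbound/etc/unbound.conf.d
    mode: 0o0755
    state: directory
  tags:
    - unbound
    - dns
    - network

- name: Configure Unbound DNS resolver
  ansible.builtin.lineinfile:
    insertafter: EOF
    line: >-
      include: "/var/unbound/etc/unbound.conf.d/*.conf"
    path: /var/unbound/etc/unbound.conf
    validate: unbound-checkconf %s
  notify:
    - Restart Unbound
  tags:
    - unbound
    - dns
    - network

- name: Configure the Unbound DNS resolver
  loop:
    - shore.co.il.conf
  ansible.builtin.copy:
    dest: '/var/unbound/etc/unbound.conf.d/{{ item }}'
    mode: preserve
    src: 'unbound/{{ item }}'
    validate: unbound-checkconf %s
    diff: true
  notify:
    - Restart Unbound
  tags:
    - unbound
    - dns
    - network

- name: Enable the Unbound DNS resolver
  ansible.builtin.service:
    enabled: true
    name: unbound
    state: started
  tags:
    - unbound
    - dns
    - network

# pf.conf is the firewall policy; `pfctl -nf` parses it without loading so a
# syntax error never leaves the box with no (or a half-applied) ruleset.
- name: Configure PF
  ansible.builtin.copy:
    dest: /etc/pf.conf
    mode: 0o0600
    src: pf.conf
    validate: pfctl -nf %s
    diff: true
  notify:
    - Reload PF
  tags:
    - pf
    - network

- name: Enable the FTP proxy
  ansible.builtin.service:
    enabled: true
    name: ftpproxy
    state: started
  notify: Restart the FTP proxy
  tags:
    - ftpproxy
    - network

# Run the interface/PF/DNS handlers now: the package installs below need
# working routing and name resolution.
- name: Apply changes (if needed) to properly setup networking
  ansible.builtin.meta: flush_handlers
  tags:
    - always

- name: Install packages
  loop:
    - bash
    - curl
    - git
    - go
    - haproxy
    - rclone
  community.general.openbsd_pkg:
    name: '{{ item }}'
    state: present
  tags:
    - packages

- name: Allow Bash as a login shell
  ansible.builtin.lineinfile:
    line: /usr/local/bin/bash
    path: /etc/shells
  tags:
    - bash

# DOAS_USER is set by doas(1) when the play is run with become; this changes
# the shell of the invoking user, not root.
- name: Set Bash as the login shell
  ansible.builtin.user:
    name: '{{ ansible_facts.env["DOAS_USER"] }}'
    shell: /usr/local/bin/bash
  tags:
    - bash

- name: Set boot configuration
  ansible.builtin.copy:
    content: |
      stty com1 115200
      set tty com1
    # boot.conf is read by the bootloader, not executed: no execute bit.
    mode: 0o0644
    dest: /etc/boot.conf
    diff: true
  notify:
    - Message about restarting the machine
  tags:
    - boot

- name: Configure the NSD DNS server
  ansible.builtin.file:
    path: /var/nsd/etc/nsd.conf.d
    mode: 0o0755
    state: directory
  tags:
    - nsd
    - dns
    - network

- name: Configure the NSD DNS server
  loop:
    - line: >-
        include: "/var/nsd/etc/nsd.conf.d/*.conf"
      insertafter: EOF
    - line: >-
        ip-address: 62.219.131.121
      insertafter: 'server:'
  ansible.builtin.lineinfile:
    insertafter: '{{ item.insertafter }}'
    line: '{{ item.line }}'
    path: /var/nsd/etc/nsd.conf
    validate: nsd-checkconf %s
  notify:
    - Restart NSD
  tags:
    - nsd
    - dns
    - network

- name: Configure the NSD DNS server
  loop:
    - shore.co.il.conf
    - nehe.sr.conf
    - nehes.co.conf
  ansible.builtin.copy:
    dest: '/var/nsd/etc/nsd.conf.d/{{ item }}'
    mode: preserve
    src: 'nsd/{{ item }}'
    validate: nsd-checkconf %s
    diff: true
  notify:
    - Restart NSD
  tags:
    - nsd
    - dns
    - network

# Zone files are named after their zone, so the loop item doubles as the
# zone name nsd-checkzone needs (`nsd-checkzone <zone> <file>`); a zone that
# fails to parse is rejected here instead of being loaded by NSD.
- name: Configure the NSD DNS server
  loop:
    - shore.co.il
    - nehe.sr
    - nehes.co
  ansible.builtin.copy:
    dest: '/var/nsd/zones/{{ item }}'
    mode: preserve
    src: 'nsd/{{ item }}'
    validate: 'nsd-checkzone {{ item }} %s'
    diff: true
  notify:
    - Restart NSD
  tags:
    - nsd
    - dns
    - network

- name: Enable the NSD DNS server
  ansible.builtin.service:
    enabled: true
    name: nsd
    state: started
  tags:
    - nsd
    - dns
    - network

- name: Configure the DHCP daemon
  ansible.builtin.copy:
    dest: /etc/dhcpd.conf
    mode: preserve
    src: dhcpd.conf
    validate: dhcpd -nc %s
    diff: true
  notify:
    - Restart the DHCP daemon
  tags:
    - dhcp
    - network

- name: Enable the DHCP daemon
  ansible.builtin.service:
    enabled: true
    name: dhcpd
    state: started
  notify:
    - Restart the DHCP daemon
  tags:
    - dhcp
    - network

- name: Configure HAProxy
  ansible.builtin.copy:
    backup: true
    dest: /etc/haproxy/haproxy.cfg
    mode: preserve
    src: haproxy.cfg
    validate: haproxy -c -f %s
  notify:
    - Restart HAProxy
  tags:
    - haproxy
    - web
    - network

- name: Enable HAProxy
  ansible.builtin.service:
    enabled: true
    name: haproxy
    state: started
  tags:
    - haproxy
    - web
    - network

# All outbound mail is handed to host01. A bare `relay host` uses
# opportunistic TLS; if the relay supports it, `relay host smtp+tls://host01.shore.co.il`
# would make TLS mandatory (see smtpd.conf(5)).
- name: Configure mail relaying
  ansible.builtin.lineinfile:
    line: action "outbound" relay host host01.shore.co.il
    path: /etc/mail/smtpd.conf
    regexp: action "outbound" relay
    state: present
    validate: smtpd -nf %s
  notify:
    - Restart the SMTP daemon
  tags:
    - mail

- name: Configure the spam deferral daemon
  ansible.builtin.copy:
    dest: /etc/mail/spamd.conf
    mode: preserve
    src: mail/spamd.conf
    diff: true
  notify:
    - Restart the spam deferral daemon
  tags:
    - spamd
    - mail
    - network

- name: Enable the spam deferral daemon
  ansible.builtin.lineinfile:
    line: >-
      spamd_flags="-h smtp.shore.co.il -G25:12:864"
    # Replace an existing spamd_flags assignment rather than appending a
    # second one when the flags change (rc.conf.local: last one wins, which
    # silently made edits here ineffective).
    regexp: '^spamd_flags='
    path: /etc/rc.conf.local
  notify:
    - Restart the spam deferral daemon
  tags:
    - spamd
    - mail
    - network

- name: Configure mail aliases
  loop:
    - root
    - nimrod
  ansible.builtin.lineinfile:
    line: '{{ item }}: {{ item }}@shore.co.il'
    path: /etc/mail/aliases
    # Replace an existing uncommented alias for the same name instead of
    # adding a duplicate entry.
    regexp: '^{{ item }}:'
    state: present
  notify:
    - Rebuild mail aliases
  tags:
    - aliases
    - mail
    - network

# NOTE(review): the BGP tasks carry the `mail` tag, which looks like a
# copy-paste from the spamd tasks above; confirm nothing runs `--tags mail`
# expecting bgpd before removing it.
- name: Configure the BGP daemon
  ansible.builtin.copy:
    dest: /etc/bgpd.conf
    mode: 0o0600
    src: bgpd.conf
    validate: bgpd -nf %s
    diff: true
  notify:
    - Restart the BGP daemon
  tags:
    - bgp
    - mail
    - network

- name: Enable the BGP daemon
  ansible.builtin.service:
    enabled: true
    name: bgpd
    state: started
  notify:
    - Restart the BGP daemon
  tags:
    - bgp
    - mail
    - network

# Replacing the stock ntpd.conf drops its `constraints` line; without one
# ntpd has no TLS-derived sanity check against a spoofed NTP reply moving
# the clock (ntpd.conf(5)). The constraint is restored here.
- name: Configure the NTP daemon
  ansible.builtin.copy:
    content: |
      server 0.pool.ntp.org
      server 1.pool.ntp.org
      server 2.pool.ntp.org
      server 3.pool.ntp.org
      constraints from "https://www.google.com"
    dest: /etc/ntpd.conf
    mode: 0o0644
    validate: ntpd -nf %s
    diff: true
  notify:
    - Restart the NTP daemon
  tags:
    - ntp

- name: Enable the NTP daemon
  ansible.builtin.service:
    enabled: true
    name: ntpd
    state: started
  notify:
    - Restart the NTP daemon
  tags:
    - ntp

# Root cron jobs. The anchor job relies on unbound-anchor exiting 1 when it
# updated the key, which is what triggers the Unbound restart. The
# spamd-setup job is kept only to remove it (state: absent).
- name: Set Cron jobs
  loop:
    - job: /sbin/pfctl -t brute -T expire 86400 2>&1 | logger
      name: PF brute table purge
      special_time: daily
    - job: >-
        { /usr/sbin/unbound-anchor -a /var/unbound/db/root.key ||
        /etc/rc.d/unbound restart ; } | logger
      name: Update DNSSEC root anchor
      special_time: daily
    - job: |-
        { sleep $((RANDOM \% 1800)) && /usr/libexec/spamd-setup; } | logger
      name: idk
      special_time: daily
      state: absent
  ansible.builtin.cron:
    job: '{{ item.job }}'
    name: '{{ item.name }}'
    special_time: '{{ item.special_time }}'
    state: '{{ item.state|default("present") }}'
    user: root
  tags:
    - cron
    - unbound
    - pf
    - network
    - dns

- name: Disable the audio server
  ansible.builtin.service:
    enabled: false
    name: sndiod
    state: stopped
  notify:
    - Stop the audio server
  tags:
    - sndiod

- name: Configure the SSH daemon
  ansible.builtin.include_tasks:
    file: '{{ playbook_dir }}/tasks/sshd_config.yaml'
  tags:
    - always

# yamllint disable-line rule:line-length
- name: Configure the daily Cron job (skip email if there's nothing to report, report on pending system patches).
  ansible.builtin.copy:
    # yamllint disable rule:line-length
    content: |
      VERBOSESTATUS=0
      syspatch -c
      pkg_add -uInx | grep -v '^quirks'
      fw_update -an | grep -v '^fw_update: added none; updated none;'
      {{ "rcctl ls rogue" if ansible_distribution_version is version('7.1', '>=') }}
    # yamllint enable rule:line-length
    dest: /etc/daily.local
    group: wheel
    mode: 0o0444
    owner: root
  tags:
    - cron
    - mail

- name: Install beats
  loop: &beats
    - filebeat
    - metricbeat
    - packetbeat
  community.general.openbsd_pkg:
    name: '{{ item }}'
    state: present
  tags:
    - packages
    - beats

# NOTE(review): beats configs commonly carry output credentials; the 0644
# mode and the timestamped `backup` copies left next to the file make them
# world-readable if they do. Tighten to 0o0600 / drop backup once confirmed.
- name: Configure beats
  loop: *beats
  ansible.builtin.copy:
    backup: true
    dest: '/etc/{{ item }}/{{ item }}.yml'
    group: wheel
    mode: 0o0644
    owner: root
    src: '{{ item }}.yml'
    validate: '{{ item }} test config -c %s'
  notify:
    - Restart the {{ item }} daemon
  tags:
    - beats

- name: Enable beats
  loop: *beats
  ansible.builtin.service:
    enabled: true
    name: '{{ item }}'
    state: started
  tags:
    - beats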