first changes after completing tier1 and tier2

roles/dns/tasks/main.yml

-- name: DNS | Autoremove unneeded packages installed as dependencies
-  dnf:
-    autoremove: yes
+#- name: DNS | Autoremove unneeded packages installed as dependencies
+#  dnf:
+#    autoremove: yes
 
 - name: Disable IPv6
   copy:
@@ -40,6 +40,18 @@
     group: root
     mode: '0644'
 
+- name: Add port 53 udp
+  ansible.posix.firewalld:
+    port: 53/udp
+    permanent: true
+    state: enabled
+
+- name: Add port 53 tcp
+  ansible.posix.firewalld:
+    port: 53/tcp
+    permanent: true
+    state: enabled
+
 - name: Add port 8301 udp
   ansible.posix.firewalld:
     port: 8301/udp
@@ -57,15 +69,15 @@
     name: firewalld
     state: reloaded
 
-- name: Install bind
-  dnf:
-    name: bind
-    state: latest
+      #- name: Install bind
+      #  dnf:
+      #    name: bind
+      #    state: latest
 
-- name: Install bind-utils
-  dnf:
-    name: bind-utils
-    state: latest
+      #- name: Install bind-utils
+      #  dnf:
+      #    name: bind-utils
+      #    state: latest
 
 - name: ensure user named is present
   user:
@@ -142,9 +154,9 @@
     group: root
     mode: '0640'
 
-- name: Reboot a machine  
-  ansible.builtin.reboot:
-    reboot_timeout: 300
+      #- name: Reboot a machine  
+      #  ansible.builtin.reboot:
+      #    reboot_timeout: 300
 
 - name: Create a zone file
   template:

roles/dns/templates/zone.j2

 $TTL    15M
 @       IN      SOA     ns1.{{ hostname }}.{{ domain_name }}. root.{{ hostname }}.{{ domain_name }}. (
-		     2012020201         ; Serial
+		     2012020207         ; Serial
                             15M         ; Refresh
                              5M         ; Retry
                            120M         ; Expire

roles/email/tasks/main.yml

@@ -5,8 +5,6 @@
     owner: root
     group: root
     mode: '0644'
-    notify:
-      - restart postfix
 
 - name: Add port 25 tcp
   ansible.posix.firewalld:
@@ -43,8 +41,6 @@
     owner: root
     group: root
     mode: '0644'
-    notify:
-      - restart dovecot
 
 - name: edit dovecot conf to allow imap
   copy:
@@ -53,8 +49,6 @@
     owner: root
     group: root
     mode: '0644'
-    notify:
-      - restart dovecot
 
 - name: change dovecot's auth conf to allow plain and login methods
   copy:
@@ -63,8 +57,6 @@
     owner: root
     group: root
     mode: '0644'
-    notify:
-      - restart dovecot
 
 - name: change mail location to ~/mail through 10-mail.conf
   copy:
@@ -73,8 +65,6 @@
     owner: root
     group: root
     mode: '0644'
-    notify:
-      - restart dovecot
 
 - name: make a mail dir in ~/
   file:
@@ -97,8 +87,6 @@
     owner: root
     group: root
     mode: '0644'
-    notify:
-      - restart dovecot
 
 - name: set dovecot's ss to No in 10-ssl.conf
   copy:
@@ -107,8 +95,6 @@
     owner: root
     group: root
     mode: '0644'
-    notify:
-      - restart dovecot
 
 - name: set dovecot's lmtp listener to not let just anyone send emails
   copy:
@@ -117,9 +103,6 @@
     owner: root
     group: root
     mode: '0644'
-    notify:
-      - restart dovecot
-      - restart postfix
 
 - name: set postfix to listen on submission port 587
   copy:
@@ -128,8 +111,6 @@
     owner: root
     group: root
     mode: '0644'
-    notify:
-      - restart postfix
 
 - name: Ensure packages are installed
   dnf:
@@ -227,6 +208,13 @@
     group: apache
     mode: '0755'
 
+- name: set permissions for /var/www/html
+  file:
+    path: /var/www/html
+    owner: apache
+    group: apache
+    mode: '0551'
+
 - name: Set recursive ownership and permissions for Roundcube
   file:
     path: /var/www/html/roundcubemail
@@ -249,8 +237,6 @@
     owner: root
     group: root
     mode: '0644'
-    notify:
-      - restart httpd
 
 - name: create mail-errors.log file
   file:

roles/etais/tasks/main.yml

+- name: firewalld permissons
+  file:
+    path: /etc/firewalld/zones
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+
 - name: Add user scoring
   user:
     name: scoring
@@ -18,6 +26,13 @@
     group: scoring
     mode: '0600'
 
+- name: Set permissions on authorized_keys file
+  file:
+    path: /home/scoring/.ssh/authorized_keys
+    owner: scoring
+    group: scoring
+    mode: '0600'
+
 - name: Create the /etc/sudoers.d/scoring file
   lineinfile:
     dest: /etc/sudoers.d/scoring

roles/tls/tasks/main.yml

@@ -31,6 +31,69 @@
     permanent: true
     state: enabled
 
+- name: add port 465 tcp
+  ansible.posix.firewalld:
+    port: 465/tcp
+    permanent: true
+    state: enabled
+
+- name: add port 587 tcp
+  ansible.posix.firewalld:
+    port: 587/tcp
+    permanent: true
+    state: enabled      
+
+# jargmised on filesystems pordid (nfs ja smb)
+- name: add port 2049 tcp
+  ansible.posix.firewalld:
+    port: 2049/tcp
+    permanent: true
+    state: enabled
+
+- name: add port 139 tcp
+  ansible.posix.firewalld:
+    port: 139/tcp
+    permanent: true
+    state: enabled
+
+# dockeri port 5005 ja 10.labi devops pordid
+- name: add port 5005 tcp
+  ansible.posix.firewalld:
+    port: 5005/tcp
+    permanent: true
+    state: enabled
+
+- name: add port 58080 tcp
+  ansible.posix.firewalld:
+    port: 58080/tcp
+    permanent: true
+    state: enabled
+      
+- name: add port 50080 tcp
+  ansible.posix.firewalld:
+    port: 50080/tcp
+    permanent: true
+    state: enabled
+
+- name: add port 6443 tcp
+  ansible.posix.firewalld:
+    port: 6443/tcp
+    permanent: true
+    state: enabled
+
+# kubernetes
+- name: add port 8080 tcp
+  ansible.posix.firewalld:
+    port: 8080/tcp
+    permanent: true
+    state: enabled
+
+- name: add port 514 tcp
+  ansible.posix.firewalld:
+    port: 514/tcp
+    permanent: true
+    state: enabled
+
 - name: reload firewall 
   ansible.builtin.service: 
     name: firewalld 
@@ -43,8 +106,6 @@
     owner: root
     group: root
     mode: '0644'
-    notify:
-      - restart httpd
 
 - name: virtual host for secure wordpress
   template:
@@ -53,8 +114,6 @@
     owner: root
     group: root
     mode: '0644'
-    notify:
-      - restart httpd
 
 - name: virtual host for secure mail 
   template:
@@ -63,8 +122,6 @@
     owner: root
     group: root
     mode: '0644'
-    notify:
-      - restart httpd
 
 - name: virtual host for secure proxy
   template:
@@ -73,8 +130,6 @@
     owner: root
     group: root
     mode: '0644'
-    notify:
-      - restart httpd
 
 - name: change postfix main.cf config file
   copy:
@@ -100,3 +155,7 @@
     group: root
     mode: '0644'
 
+- name: install cyrus-sasl-plain
+  dnf:
+    name: cyrus-sasl-plain
+    state: present

roles/web/tasks/main.yml

@@ -59,8 +59,6 @@
     owner: root
     group: root
     mode: '0644'
-    notify:
-      - restart httpd
 
 - name: Disable apache welcome page
   copy:
@@ -77,8 +75,6 @@
     owner: root
     group: root
     mode: '0644'
-    notify:
-      - restart httpd
 
 - name: install pip
   dnf:
@@ -141,8 +137,6 @@
     owner: proxy
     group: proxy
     mode: '0644'
-    notify:
-      - reload systemctl services
 
 - name: make a proxy service
   copy:
@@ -151,8 +145,6 @@
     owner: root
     group: root
     mode: '0644'
-    notify:
-      - reload systemctl services
 
 - name: start the proxy service
   systemd_service:
@@ -256,7 +248,7 @@
 
 - name: create www-php-errors.log file
   file:
-    path: /var/log/httpd/var/log/httpd/www-php-errors.log
+    path: /var/log/httpd/www-php-errors.log
     state: touch
     owner: root
     group: root
@@ -269,8 +261,6 @@
     owner: root
     group: root
     mode: '0644'
-    notify:
-      - restart httpd
 
 - name: start php-fpm
   ansible.builtin.systemd_service:
@@ -292,8 +282,6 @@
     dest: /etc/httpd/conf/httpd.conf
     owner: root
     group: root
-    notify:
-      - restart httpd
 
 - name: install modsecurity
   dnf:

testplaybook.yml

+- hosts: localhost
+  user: centos
+  become: yes
+  become_user: root
+  roles:
+    - tier2  # Change this to tier2 or tier3 as per the role you are preparing with