diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml index 7770df42a45bff99215f5e61f7ccffccd5c9047a..c49435824c93fb71309d69da02972767abcffdfe 100644 --- a/roles/dns/tasks/main.yml +++ b/roles/dns/tasks/main.yml @@ -1,6 +1,6 @@ -- name: DNS | Autoremove unneeded packages installed as dependencies - dnf: - autoremove: yes +#- name: DNS | Autoremove unneeded packages installed as dependencies +# dnf: +# autoremove: yes - name: Disable IPv6 copy: @@ -40,6 +40,18 @@ group: root mode: '0644' +- name: Add port 53 udp + ansible.posix.firewalld: + port: 53/udp + permanent: true + state: enabled + +- name: Add port 53 tcp + ansible.posix.firewalld: + port: 53/tcp + permanent: true + state: enabled + - name: Add port 8301 udp ansible.posix.firewalld: port: 8301/udp @@ -57,15 +69,15 @@ name: firewalld state: reloaded -- name: Install bind - dnf: - name: bind - state: latest + #- name: Install bind + # dnf: + # name: bind + # state: latest -- name: Install bind-utils - dnf: - name: bind-utils - state: latest + #- name: Install bind-utils + # dnf: + # name: bind-utils + # state: latest - name: ensure user named is present user: @@ -142,9 +154,9 @@ group: root mode: '0640' -- name: Reboot a machine - ansible.builtin.reboot: - reboot_timeout: 300 + #- name: Reboot a machine + # ansible.builtin.reboot: + # reboot_timeout: 300 - name: Create a zone file template: diff --git a/roles/dns/templates/zone.j2 b/roles/dns/templates/zone.j2 index 0c696e2658342eb55a06545e17561e2808c46517..ad4ea802a98a597a1d62983cab51b863c533c7b7 100644 --- a/roles/dns/templates/zone.j2 +++ b/roles/dns/templates/zone.j2 @@ -1,6 +1,6 @@ $TTL 15M @ IN SOA ns1.{{ hostname }}.{{ domain_name }}. root.{{ hostname }}.{{ domain_name }}. ( - 2012020201 ; Serial + 2012020207 ; Serial 15M ; Refresh 5M ; Retry 120M ; Expire diff --git a/roles/email/tasks/main.yml b/roles/email/tasks/main.yml index 301b6cbb641dd24fd6f99f45bc68c99c3e394e3c..2a76c2512ad024251bd0eac5bb05de3d4357f27c 100644 
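Review bot: Commenting the autoremove task out leaves dead configuration in the role instead of removing it; the same pattern appears in the hunks at @@ -57 (the bind / bind-utils installs) and @@ -142 (the reboot task). If these tasks are no longer wanted, delete them — git history keeps them — or gate them with a variable such as `when: dns_manage_packages | bool` (name illustrative) so the intent stays visible and the role stays lintable. The comment markers are also indented inconsistently between the three hunks (`#- name:` at column 0 here, `  #- name:` two spaces in at @@ -57 and @@ -142), which is a second reason to resolve them rather than keep them as comments.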
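Review bot: The two new tasks open 53/udp and 53/tcp as separate near-identical tasks; firewalld ships a predefined `dns` service covering both, so one task with `ansible.posix.firewalld: service: dns` and the same `permanent`/`state` keys replaces them and documents the intent (a `loop:` over the two port strings is the alternative). Only `permanent: true` is set, so the openings take effect at the `reload firewall` task further down; adding `immediate: true` applies them to the running configuration as well. No `zone:` is given, so the port lands in firewalld's default zone — if the host has more than one interface, consider limiting DNS to the zone of the interface that should actually answer queries.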
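Review bot: With the `Install bind` and `Install bind-utils` tasks commented out, nothing left in this role installs `named`, yet the following tasks (`ensure user named is present`, the `Create a zone file` template at @@ -142) assume it is there, so a run against a fresh host will fail or leave an unconfigured daemon. Either keep one install task or document the prerequisite in the role's README. If the tasks are reinstated, prefer `state: present` over `state: latest`: `latest` upgrades the package on every run and makes runs non-reproducible.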
--- a/roles/email/tasks/main.yml +++ b/roles/email/tasks/main.yml @@ -5,8 +5,6 @@ owner: root group: root mode: '0644' - notify: - - restart postfix - name: Add port 25 tcp ansible.posix.firewalld: @@ -43,8 +41,6 @@ owner: root group: root mode: '0644' - notify: - - restart dovecot - name: edit dovecot conf to allow imap copy: @@ -53,8 +49,6 @@ owner: root group: root mode: '0644' - notify: - - restart dovecot - name: change dovecot's auth conf to allow plain and login methods copy: @@ -63,8 +57,6 @@ owner: root group: root mode: '0644' - notify: - - restart dovecot - name: change mail location to ~/mail through 10-mail.conf copy: @@ -73,8 +65,6 @@ owner: root group: root mode: '0644' - notify: - - restart dovecot - name: make a mail dir in ~/ file: @@ -97,8 +87,6 @@ owner: root group: root mode: '0644' - notify: - - restart dovecot - name: set dovecot's ss to No in 10-ssl.conf copy: @@ -107,8 +95,6 @@ owner: root group: root mode: '0644' - notify: - - restart dovecot - name: set dovecot's lmtp listener to not let just anyone send emails copy: @@ -117,9 +103,6 @@ owner: root group: root mode: '0644' - notify: - - restart dovecot - - restart postfix - name: set postfix to listen on submission port 587 copy: @@ -128,8 +111,6 @@ owner: root group: root mode: '0644' - notify: - - restart postfix - name: Ensure packages are installed dnf: @@ -227,6 +208,13 @@ group: apache mode: '0755' +- name: set permissions for /var/www/html + file: + path: /var/www/html + owner: apache + group: apache + mode: '0551' + - name: Set recursive ownership and permissions for Roundcube file: path: /var/www/html/roundcubemail @@ -249,8 +237,6 @@ owner: root group: root mode: '0644' - notify: - - restart httpd - name: create mail-errors.log file file: diff --git a/roles/etais/tasks/main.yml b/roles/etais/tasks/main.yml index 818df7a348acc5aac9e6100fd38680d0c5c52f87..a51621f35ebcdc4198fe76de832c06eef758f44c 100644 --- a/roles/etais/tasks/main.yml +++ b/roles/etais/tasks/main.yml 
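Review bot: Dropping `notify: - restart postfix` here removes the only visible trigger that makes the new main.cf configuration live, and the same deletion repeats in the other hunks of this file (`restart dovecot`, `restart httpd`, the combined dovecot+postfix notify at @@ -117), in roles/tls/tasks/main.yml (@@ -43 through @@ -73, `restart httpd`) and in roles/web/tasks/main.yml (@@ -59 through @@ -292, `restart httpd` and `reload systemctl services`). After this change a run reports the config files as changed but the daemons keep running with the old settings until something else restarts them, so security-relevant settings such as the dovecot auth/SSL/LMTP changes and the postfix submission listener are not actually enforced on already-running hosts. If the handlers were removed because the names did not resolve, the fix is to define them in the role's `handlers/main.yml` (e.g. a `restart postfix` handler with `ansible.builtin.service: name: postfix state: restarted`) rather than to stop notifying them; if an explicit restart task elsewhere now replaces them, a comment at the top of the file saying so would help the next reader.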
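Review bot: Making `apache` the owner of /var/www/html defeats the restrictive `0551` mode set in the same task: the owner of a directory can always chmod it back, so a compromised httpd worker regains write access to the document root. The conventional layout is a root-owned docroot that the web user can only traverse and read — `owner: root`, `group: apache`, `mode: '0755'` (or `'0750'` if nothing else needs to read it). The following `Set recursive ownership and permissions for Roundcube` task (its body is outside the hunk) recurses over a subdirectory, so the two tasks should be checked together for one consistent ownership model, with write access granted only to the directories the application genuinely writes to.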
@@ -1,3 +1,11 @@ +- name: firewalld permissons + file: + path: /etc/firewalld/zones + state: directory + owner: root + group: root + mode: '0755' + - name: Add user scoring user: name: scoring @@ -18,6 +26,13 @@ group: scoring mode: '0600' +- name: Set permissions on authorized_keys file + file: + path: /home/scoring/.ssh/authorized_keys + owner: scoring + group: scoring + mode: '0600' + - name: Create the /etc/sudoers.d/scoring file lineinfile: dest: /etc/sudoers.d/scoring diff --git a/roles/tls/tasks/main.yml b/roles/tls/tasks/main.yml index 763693712faaaf2dc6d418d60a12c2979d16c49c..377cda30535e6f9a0f50eca8e141a09568ea0ded 100644 --- a/roles/tls/tasks/main.yml +++ b/roles/tls/tasks/main.yml 
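Review bot: The task name `firewalld permissons` is misspelled (`permissions`), and the task widens /etc/firewalld/zones to `0755`; as far as I recall the firewalld package on Fedora/RHEL ships that directory as 0750 root:root (verify with `rpm -qlv firewalld`), so this would make the zone definitions listable by every local user. If the task only exists to make sure the directory is present before later firewalld tasks, keep `state: directory` but drop `mode`, or set `mode: '0750'` to match the package default.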
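Review bot: The new `file` task for /home/scoring/.ssh/authorized_keys has no `state:`, so with the module default `state: file` it fails when the file does not exist yet; it works only because the task above it (outside the hunk) has presumably created the file already. If that key is deployed with `ansible.posix.authorized_key`, that module already creates the file with the right owner and `0600` and this task is redundant; otherwise write `state: file` explicitly so the dependency on the earlier task is visible to the reader.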
@@ -31,6 +31,69 @@ permanent: true state: enabled +- name: add port 465 tcp + ansible.posix.firewalld: + port: 465/tcp + permanent: true + state: enabled + +- name: add port 587 tcp + ansible.posix.firewalld: + port: 587/tcp + permanent: true + state: enabled + +# jargmised on filesystems pordid (nfs ja smb) +- name: add port 2049 tcp + ansible.posix.firewalld: + port: 2049/tcp + permanent: true + state: enabled + +- name: add port 139 tcp + ansible.posix.firewalld: + port: 139/tcp + permanent: true + state: enabled + +# dockeri port 5005 ja 10.labi devops pordid +- name: add port 5005 tcp + ansible.posix.firewalld: + port: 5005/tcp + permanent: true + state: enabled + +- name: add port 58080 tcp + ansible.posix.firewalld: + port: 58080/tcp + permanent: true + state: enabled + +- name: add port 50080 tcp + ansible.posix.firewalld: + port: 50080/tcp + permanent: true + state: enabled + +- name: add port 6443 tcp + ansible.posix.firewalld: + port: 6443/tcp + permanent: true + state: enabled + +# kubernetes +- name: add port 8080 tcp + ansible.posix.firewalld: + port: 8080/tcp + permanent: true + state: enabled + +- name: add port 514 tcp + ansible.posix.firewalld: + port: 514/tcp + permanent: true + state: enabled + - name: reload firewall ansible.builtin.service: name: firewalld @@ -43,8 +106,6 @@ owner: root group: root mode: '0644' - notify: - - restart httpd - name: virtual host for secure wordpress template: @@ -53,8 +114,6 @@ owner: root group: root mode: '0644' - notify: - - restart httpd - name: virtual host for secure mail template: @@ -63,8 +122,6 @@ owner: root group: root mode: '0644' - notify: - - restart httpd - name: virtual host for secure proxy template: @@ -73,8 +130,6 @@ owner: root group: root mode: '0644' - notify: - - restart httpd - name: change postfix main.cf config file copy: @@ -100,3 +155,7 @@ group: root mode: '0644' +- name: install cyrus-sasl-plain + dnf: + name: cyrus-sasl-plain + state: present 
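Review bot: Ten copies of the same `ansible.posix.firewalld` task differing only in the port number are better expressed as one task with a `loop:`, which also keeps the grouping comments next to the ports they describe; the fence below shows that form. More importantly, opening NFS (2049), SMB (139), the Docker/lab ports and the Kubernetes ports from a role named `tls` grows the exposed surface well beyond what this role configures — firewall openings are best kept in the role that installs the listening service, and ports for internal services (NFS, SMB, 6443, 8080) should be limited with `zone:` or `source:` to trusted networks rather than placed in the default zone. The three Estonian comments (`# jargmised on filesystems pordid (nfs ja smb)`, `# dockeri port 5005 ja 10.labi devops pordid`, `# kubernetes`) should be in English like the rest of the repository's comments.
```yaml
- name: add tcp ports for mail submission, filesystems, docker/devops labs, kubernetes and syslog
  ansible.posix.firewalld:
    port: "{{ item }}/tcp"
    permanent: true
    state: enabled
  loop:
    - 465
    - 587
    # filesystem ports (nfs and smb)
    - 2049
    - 139
    # docker port 5005 and lab 10 devops ports
    - 5005
    - 58080
    - 50080
    - 6443
    # kubernetes
    - 8080
    - 514

# … unchanged: reload firewall task …
```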
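Review bot: The new `install cyrus-sasl-plain` task is appended at the very end of the role, after the `change postfix main.cf config file` task that presumably enables SASL, so on a fresh host the configuration is written before the plugin it needs is installed; move the install above the postfix configuration tasks. The rest of this file uses fully qualified module names (`ansible.posix.firewalld`, `ansible.builtin.service`), so write `ansible.builtin.dnf:` here for consistency.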
diff --git a/roles/web/tasks/main.yml b/roles/web/tasks/main.yml index 833748cae3784369c06a68c856dddfb1cd392e5b..bd2721f4b6be1a5297bf0831b1ec9263db15a650 100644 --- a/roles/web/tasks/main.yml +++ b/roles/web/tasks/main.yml @@ -59,8 +59,6 @@ owner: root group: root mode: '0644' - notify: - - restart httpd - name: Disable apache welcome page copy: @@ -77,8 +75,6 @@ owner: root group: root mode: '0644' - notify: - - restart httpd - name: install pip dnf: @@ -141,8 +137,6 @@ owner: proxy group: proxy mode: '0644' - notify: - - reload systemctl services - name: make a proxy service copy: @@ -151,8 +145,6 @@ owner: root group: root mode: '0644' - notify: - - reload systemctl services - name: start the proxy service systemd_service: @@ -256,7 +248,7 @@ - name: create www-php-errors.log file file: - path: /var/log/httpd/var/log/httpd/www-php-errors.log + path: /var/log/httpd/www-php-errors.log state: touch owner: root group: root @@ -269,8 +261,6 @@ owner: root group: root mode: '0644' - notify: - - restart httpd - name: start php-fpm ansible.builtin.systemd_service: @@ -292,8 +282,6 @@ dest: /etc/httpd/conf/httpd.conf owner: root group: root - notify: - - restart httpd - name: install modsecurity dnf: diff --git a/testplaybook.yml b/testplaybook.yml new file mode 100644 index 0000000000000000000000000000000000000000..575392b6e7688ea6e2649042d053cdee001e6702 --- /dev/null +++ b/testplaybook.yml @@ -0,0 +1,6 @@ +- hosts: localhost + user: centos + become: yes + become_user: root + roles: + - tier2 # Change this to tier2 or tier3 as per the role you are preparing with
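Review bot: The corrected path fixes the doubled `/var/log/httpd` prefix, but the task still uses `state: touch` without `modification_time: preserve` and `access_time: preserve`, so it reports `changed` on every run and breaks idempotency checks. The file is created as `owner: root` / `group: root` (the `mode:` line is outside the hunk); if php-fpm runs as the `apache` user it cannot write to a root-owned log unless the mode permits it, which is worth confirming against how the php-fpm pool is configured to log.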
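Review bot: In the new testplaybook.yml, `become: yes` should be the canonical boolean `become: true`, `user:` is the older alias of `remote_user:`, and `become_user: root` is the default and can be dropped; the file also lacks a leading `---`. Connecting to `hosts: localhost` as `user: centos` only makes sense if the controller is itself the managed host, so if this is a scratch playbook it would be better kept out of the repository root or given a short comment stating what it is for.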