diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml
index 47ddfef2..57488351 100644
--- a/fail2ban/tasks/main.yml
+++ b/fail2ban/tasks/main.yml
@@ -1,4 +1,5 @@ --- - include: fail2ban.yml - when: is_trusty + when: ( is_trusty ) or ( is_debian8 ) +
diff --git a/iptables/defaults/main.yml b/iptables/defaults/main.yml
index 2bda3e68..b569ae84 100644
--- a/iptables/defaults/main.yml
+++ b/iptables/defaults/main.yml
@@ -40,4 +40,3 @@ #iptables_default_policy: REJECT iptables_default_policy: ACCEPT -iptables_open_all_to_isti_nets: False
diff --git a/iptables/handlers/main.yml b/iptables/handlers/main.yml
index aff26b18..150bdd77 100644
--- a/iptables/handlers/main.yml
+++ b/iptables/handlers/main.yml
@@ -20,3 +20,6 @@ when: is_trusty +- name: Start the netfilter service + service: name=netfilter-persistent state=started + notify: Restart fail2ban
diff --git a/iptables/tasks/main.yml b/iptables/tasks/main.yml
index 7e5e8150..4843c710 100644
--- a/iptables/tasks/main.yml
+++ b/iptables/tasks/main.yml
@@ -12,8 +12,7 @@ with_items: - rules.v4 when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6 - notify: - - Start the iptables service on Ubuntu < 12.04 + notify: Start the iptables service on Ubuntu < 12.04 tags: - iptables - iptables_rules
@@ -23,9 +22,21 @@ with_items: - rules.v4 - rules.v6 - when: ( is_not_ubuntu_less_than_precise ) or ( is_debian7) - notify: - - Start the iptables service + when: + - is_not_ubuntu_less_than_precise + - is_debian7 + notify: Start the iptables service + tags: + - iptables + - iptables_rules + +- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 8 + template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640 + with_items: + - rules.v4 + - rules.v6 + when: is_debian8 + notify: Start the netfilter service + tags: + - iptables + - iptables_rules
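Review bot: The new condition `when: ( is_trusty ) or ( is_debian8 )` depends on `is_debian8`, which this commit defines only in ubuntu-deb-general/defaults/main.yml; the fail2ban role (and the iptables role, whose new Debian 8 task uses the same flag) therefore evaluates an undefined variable on any host where is_trusty is false unless ubuntu-deb-general's defaults are already loaded, and no meta dependency is visible in this diff. If the ordering is intended, make it explicit with a dependency in the role's meta/main.yml, or at least record it above the include: `# is_debian8 / is_trusty are defined by ubuntu-deb-general/defaults/main.yml`. The hunk also appends an empty line after the include that carries no content.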
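Review bot: `service: name=netfilter-persistent state=started` in the new "Start the netfilter service" handler does not re-read the rules on a host where the service is already active, because state=started is a no-op for a running service; since this handler is what the new Debian 8 template task notifies, an updated /etc/iptables/rules.v4 would stay unapplied until the next boot, leaving the host on the previous rule set without any failure being reported. Use `service: name=netfilter-persistent state=restarted` (or state=reloaded if the init script supports it) so a changed rules file is loaded when the handler fires. The chained `notify: Restart fail2ban` also assumes handler-to-handler notification is supported by the Ansible version in use and that the fail2ban role's handler is loaded in the same play — confirm both, otherwise fail2ban keeps its chains in a stale position after the rule reload.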
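Review bot: Rewriting `when: ( is_not_ubuntu_less_than_precise ) or ( is_debian7)` as the list `when: - is_not_ubuntu_less_than_precise - is_debian7` in the second iptables/tasks/main.yml hunk changes the logic, because Ansible joins the items of a `when` list with AND; the rules template now runs only when both flags hold, and with `iptables_default_policy: ACCEPT` visible in iptables/defaults/main.yml a host that skips this task is left without the filtering the role is meant to apply. The same rewrite appears in all four tasks of ubuntu-deb-general/tasks/denyhost.yml and in the denyhost.yml include in ubuntu-deb-general/tasks/main.yml, where the two items `is_debian_7_or_older` and `is_ubuntu_less_than_trusty` describe different distributions and cannot both be true on one host, so denyhosts is no longer installed or configured anywhere and the hosts.allow entries are never written. The task name "install denyhosts on debian <=7 and ubuntu <= 12.04" and the fail2ban hunk in this same commit, which keeps an explicit `or`, both show the intent is a disjunction. Keep it explicit: `when: ( is_not_ubuntu_less_than_precise ) or ( is_debian7 )` here and `when: ( is_debian_7_or_older ) or ( is_ubuntu_less_than_trusty )` in the denyhost tasks and the include.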
diff --git a/iptables/templates/iptables-rules.v4.j2 b/iptables/templates/iptables-rules.v4.j2
index 03dc4444..5de5308e 100644
--- a/iptables/templates/iptables-rules.v4.j2
+++ b/iptables/templates/iptables-rules.v4.j2
@@ -20,7 +20,7 @@ # ssh is always open. We use denyhosts to prevent unauthorized accesses -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT {% endif %} -{% if iptables_open_all_to_isti_nets %} +{% if iptables_open_all_to_isti_nets is defined and iptables_open_all_to_isti_nets %} # Permit all traffic from our networks -A INPUT -s {{ network.isti }} -j ACCEPT -A INPUT -s {{ network.nmis }} -j ACCEPT
diff --git a/ubuntu-deb-general/defaults/main.yml b/ubuntu-deb-general/defaults/main.yml
index be8156e3..1c89a4ca 100644
--- a/ubuntu-deb-general/defaults/main.yml
+++ b/ubuntu-deb-general/defaults/main.yml
@@ -103,11 +103,13 @@ has_apt: "('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution is_debian: "'{{ ansible_distribution }}' == 'Debian'" #is_debian7: "'{{ ansible_distribution }}' == 'Debian' and {{ ansible_lsb['major_release'] }} == 7" +is_debian8: "'{{ ansible_distribution_release }}' == 'jessie'" is_debian7: "'{{ ansible_distribution_release }}' == 'wheezy'" is_debian6: "('{{ ansible_distribution }}' == 'Debian' and {{ ansible_lsb['major_release'] }} == 6)" is_debian5: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} == 5" is_debian4: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} == 4" is_not_debian6: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} != 6" +is_debian_7_or_older: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} <= 7" is_debian_less_than6: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} < 6" is_not_debian_less_than_6: "('{{ ansible_distribution }}' != 'Debian') or (('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution }}' == 'Ubuntu') and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} >= 6)"
diff --git a/ubuntu-deb-general/tasks/denyhost.yml b/ubuntu-deb-general/tasks/denyhost.yml
index f8be3b08..8c834d45 100644
--- a/ubuntu-deb-general/tasks/denyhost.yml
+++ b/ubuntu-deb-general/tasks/denyhost.yml
@@ -1,34 +1,35 @@ --- - name: install denyhosts on debian <=7 and ubuntu <= 12.04 apt: pkg={{ item }} state=installed - when: is_ubuntu_less_than_trusty with_items: - denyhosts - when: is_not_trusty - tags: - - denyhosts + when: + - is_debian_7_or_older + - is_ubuntu_less_than_trusty + tags: denyhosts - name: ensure CM can access the VMs action: | lineinfile name=/etc/hosts.allow regexp="sshd: 146.48.123.18$" line="sshd: 146.48.123.18" - when: is_not_trusty - tags: - - denyhosts + when: + - is_debian_7_or_older + - is_ubuntu_less_than_trusty + tags: denyhosts - name: ensure Monitoring can connect via ssh action: | lineinfile name=/etc/hosts.allow regexp="sshd: 146.48.123.23$" line="sshd: 146.48.123.23" - when: is_not_trusty - tags: - - denyhosts - - monitoring + when: + - is_debian_7_or_older + - is_ubuntu_less_than_trusty + tags: denyhosts - name: Set the treshold for root on the denyhosts config file lineinfile: | name=/etc/denyhosts.conf regexp="^DENY_THRESHOLD_ROOT = " line="DENY_THRESHOLD_ROOT = 5" - when: is_not_trusty - tags: - - denyhosts - notify: - - Restart denyhosts + when: + - is_debian_7_or_older + - is_ubuntu_less_than_trusty + notify: Restart denyhosts + tags: denyhosts
diff --git a/ubuntu-deb-general/tasks/main.yml b/ubuntu-deb-general/tasks/main.yml
index 86fc67e6..2ba84e34 100644
--- a/ubuntu-deb-general/tasks/main.yml
+++ b/ubuntu-deb-general/tasks/main.yml
@@ -9,7 +9,9 @@ - include: disable-ipv6-old-servers.yml when: disable_ipv6 - include: denyhost.yml - when: is_not_trusty + when: + - is_debian_7_or_older + - is_ubuntu_less_than_trusty - include: munin.yml when: configure_munin - include: pubkeys.yml
diff --git a/ubuntu-deb-general/tasks/packages.yml b/ubuntu-deb-general/tasks/packages.yml
index 82956e1c..952e29aa 100644
--- a/ubuntu-deb-general/tasks/packages.yml
+++ b/ubuntu-deb-general/tasks/packages.yml
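Review bot: The third task in denyhost.yml ("ensure Monitoring can connect via ssh") loses its `monitoring` tag when `tags:` is collapsed to the scalar `denyhosts`, so a run limited with --tags monitoring no longer writes the hosts.allow entry that lets the monitoring host reach sshd, while the other tasks of the monitoring tag still run; restore the list on that task, `tags:` / `- denyhosts` / `- monitoring`. Dropping the duplicated `when:` key from the first task (it carried both `is_ubuntu_less_than_trusty` and `is_not_trusty`, with the parser silently keeping one) is a good cleanup, but the replacement list form is evaluated as a conjunction by Ansible and is worth re-checking against the task name, which promises both Debian <= 7 and Ubuntu <= 12.04.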
@@ -45,6 +45,13 @@ tags: - wheezy-backports +- name: Install the backports repository on debian 8 + apt_repository: repo='deb http://http.debian.net/debian jessie-backports main' state=present + register: update_apt_cache + when: is_debian8 + tags: + - wheezy-backports + - name: apt key for the internal ppa repository apt_key: url=http://ppa.research-infrastructures.eu/system/keys/system-archive.asc state=present when: is_ubuntu
diff --git a/varnish-cache/defaults/main.yml b/varnish-cache/defaults/main.yml
index 8df54a2b..bd519c7b 100644
--- a/varnish-cache/defaults/main.yml
+++ b/varnish-cache/defaults/main.yml
@@ -3,7 +3,7 @@ varnish_version: 4.0 varnish_repo: True varnish_repo_requirements: - apt-transport-https -varnish_repo_url: "https://repo.varnish-cache.org/debian/ wheezy varnish-{{ varnish_version }}" +varnish_repo_url: "https://repo.varnish-cache.org/debian/ {{ ansible_distribution_release }} varnish-{{ varnish_version }}" varnish_pkg_name: varnish varnish_pkg_state: present varnish_enabled: True
diff --git a/yii/defaults/main.yml b/yii/defaults/main.yml
index 394ead1a..eac31789 100644
--- a/yii/defaults/main.yml
+++ b/yii/defaults/main.yml
@@ -16,7 +16,6 @@ yii_framework_dir: '{{ yii_install_dir }}/yii-{{ yii_version }}' yii_php_modules: - php-xml-dtd - php-xml-parser - - php-xml-serializer - php5-imagick - php5-memcache - php5-xcache
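Review bot: The new "Install the backports repository on debian 8" task is tagged `wheezy-backports`, so selecting it by tag on a jessie host requires naming the wrong release; tag it `- jessie-backports` (optionally alongside a shared `backports` tag on both tasks) so the tag names the repository it adds. `register: update_apt_cache` also needs a check against the preceding wheezy task, which is outside this hunk: if that task registers the same variable name, Ansible still writes a skipped result (changed=false) for this later, skipped task on wheezy hosts, overwriting the wheezy result, so any following `when: update_apt_cache.changed` cache refresh would never fire there; registering a distinct name per task avoids that. Separately, the unchanged context line below fetches the internal PPA signing key with `apt_key: url=http://...`, a transport without authentication for the key on which every later package signature check depends — worth an https follow-up even though it predates this commit.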
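Review bot: `varnish_repo_url` now interpolates `ansible_distribution_release` into a path that still hard-codes `/debian/`, so on an Ubuntu host the rendered line would be e.g. `https://repo.varnish-cache.org/debian/ trusty varnish-4.0`, pairing an Ubuntu suite with the Debian tree; whether the role is ever applied to Ubuntu is not visible here, but the defaults in the same file are not guarded by `is_debian`, so nothing prevents it. If Ubuntu is in scope, derive the tree from the distribution as well, e.g. `varnish_repo_url: "https://repo.varnish-cache.org/{{ ansible_distribution | lower }}/ {{ ansible_distribution_release }} varnish-{{ varnish_version }}"`, presumably after confirming the vendor repository publishes both trees; otherwise a one-line comment stating that the role targets Debian only would keep the next reader from assuming the codename substitution makes it portable.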