algo/roles/common/tasks/ubuntu.yml

---
- name: Cloud only tasks
  block:
  - name: Install software updates
    apt:
      update_cache: true
      install_recommends: true
      upgrade: dist

  - name: Upgrade the ca certificates
    apt:
      name: ca-certificates
      state: latest

  - name: Check if reboot is required
    shell: >
      if [[ -e /var/run/reboot-required ]]; then echo "required"; else echo "no"; fi
    args:
      executable: /bin/bash
    register: reboot_required

  - name: Reboot
    shell: sleep 2 && shutdown -r now "Ansible updates triggered"
    async: 1
    poll: 0
    when: reboot_required is defined and reboot_required.stdout == 'required'
    ignore_errors: true

  - name: Wait until SSH becomes ready...
    local_action:
      module: wait_for
      port: 22
      host: "{{ inventory_hostname }}"
      search_regex: OpenSSH
      delay: 10
      timeout: 320
    when: reboot_required is defined and reboot_required.stdout == 'required'
    become: false

  - name: Include unatteded upgrades configuration
    include_tasks: unattended-upgrades.yml

  - name: Disable MOTD on login and SSHD
    replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}"
    with_items:
      - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/login' }
      - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/sshd' }
  tags:
    - cloud

- name: Loopback for services configured
  template:
    src: 10-algo-lo100.network.j2
    dest: /etc/systemd/network/10-algo-lo100.network
  notify:
    - restart systemd-networkd
  tags:
    - always

- name: systemd services enabled and started
  systemd:
    name: "{{ item }}"
    state: started
    enabled: true
    daemon_reload: true
  with_items:
    - systemd-networkd
    - systemd-resolved
  tags:
    - always

- meta: flush_handlers
  tags:
    - always

- name: Check apparmor support
  shell: apparmor_status
  ignore_errors: yes
  register: apparmor_status

- set_fact:
    apparmor_enabled: true
  when: '"profiles are in enforce mode" in apparmor_status.stdout'

- set_fact:
    tools:
      - git
      - screen
      - apparmor-utils
      - uuid-runtime
      - coreutils
      - iptables-persistent
      - cgroup-tools
      - "openssl{% if install_headers|default(true)|bool %},linux-headers-{{ ansible_kernel }}{% endif %}"
    sysctl:
      - item: net.ipv4.ip_forward
        value: 1
      - item: net.ipv4.conf.all.forwarding
        value: 1
      - item: net.ipv6.conf.all.forwarding
        value: 1
  tags:
    - always
FreeBSD / HardenedBSD (#262) * FreeBSD draft ifconfig fix Pre-tasks fixes fix hardcoded IP some refactoring disable system-based tags disable freebsd tags FreeBSD vpn role add defaults ssh role freebsd default fix dns_adblocking freebsd ubuntu dict fix * HardenedBSD update-users BSD * Rebuild the kernel docs changing 7 years ago			`---`
Ansible 2.4, Lightsail, Scaleway, DreamCompute (OpenStack) integration (#804) * Move to ansible-2.4.3 * Add Lightsail support #623 * Fixing the EC2 deployment * Scaleway integration #623 * OpenStack cloud provider (DreamCompute optimised) #623 * Remove the security role * Enable unattended-upgrades for clouds * New requirements to make Azure and GCE work 6 years ago			`- name: Cloud only tasks`
			`block:`
			`- name: Install software updates`
DNS-over-HTTPS (#875) 6 years ago			`apt:`
			`update_cache: true`
			`install_recommends: true`
			`upgrade: dist`

			`- name: Upgrade the ca certificates`
			`apt:`
			`name: ca-certificates`
			`state: latest`
Ansible 2.4, Lightsail, Scaleway, DreamCompute (OpenStack) integration (#804) * Move to ansible-2.4.3 * Add Lightsail support #623 * Fixing the EC2 deployment * Scaleway integration #623 * OpenStack cloud provider (DreamCompute optimised) #623 * Remove the security role * Enable unattended-upgrades for clouds * New requirements to make Azure and GCE work 6 years ago
			`- name: Check if reboot is required`
			`shell: >`
			`if [[ -e /var/run/reboot-required ]]; then echo "required"; else echo "no"; fi`
			`args:`
			`executable: /bin/bash`
			`register: reboot_required`

			`- name: Reboot`
			`shell: sleep 2 && shutdown -r now "Ansible updates triggered"`
			`async: 1`
			`poll: 0`
			`when: reboot_required is defined and reboot_required.stdout == 'required'`
			`ignore_errors: true`

			`- name: Wait until SSH becomes ready...`
			`local_action:`
			`module: wait_for`
			`port: 22`
			`host: "{{ inventory_hostname }}"`
			`search_regex: OpenSSH`
			`delay: 10`
			`timeout: 320`
			`when: reboot_required is defined and reboot_required.stdout == 'required'`
			`become: false`

			`- name: Include unatteded upgrades configuration`
			`include_tasks: unattended-upgrades.yml`

			`- name: Disable MOTD on login and SSHD`
			`replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}"`
			`with_items:`
			`- { regexp: '^session.optional.pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/login' }`
			`- { regexp: '^session.optional.pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/sshd' }`
FreeBSD / HardenedBSD (#262) * FreeBSD draft ifconfig fix Pre-tasks fixes fix hardcoded IP some refactoring disable system-based tags disable freebsd tags FreeBSD vpn role add defaults ssh role freebsd default fix dns_adblocking freebsd ubuntu dict fix * HardenedBSD update-users BSD * Rebuild the kernel docs changing 7 years ago			`tags:`
			`- cloud`

			`- name: Loopback for services configured`
Ubuntu1804 (#925) - Fixes #897 #944 #956 Work in progress. Lightsail is not ready for Ubuntu 18.04 yet - [x] DigitalOcean ~~- [ ] Amazon Lightsail~~ - [x] Amazon EC2 - [x] Microsoft Azure - [x] Google Compute Engine - [x] Scaleway - [x] OpenStack (DreamCompute optimised) 6 years ago			`template:`
			`src: 10-algo-lo100.network.j2`
			`dest: /etc/systemd/network/10-algo-lo100.network`
FreeBSD / HardenedBSD (#262) * FreeBSD draft ifconfig fix Pre-tasks fixes fix hardcoded IP some refactoring disable system-based tags disable freebsd tags FreeBSD vpn role add defaults ssh role freebsd default fix dns_adblocking freebsd ubuntu dict fix * HardenedBSD update-users BSD * Rebuild the kernel docs changing 7 years ago			`notify:`
Ubuntu1804 (#925) - Fixes #897 #944 #956 Work in progress. Lightsail is not ready for Ubuntu 18.04 yet - [x] DigitalOcean ~~- [ ] Amazon Lightsail~~ - [x] Amazon EC2 - [x] Microsoft Azure - [x] Google Compute Engine - [x] Scaleway - [x] OpenStack (DreamCompute optimised) 6 years ago			`- restart systemd-networkd`
FreeBSD / HardenedBSD (#262) * FreeBSD draft ifconfig fix Pre-tasks fixes fix hardcoded IP some refactoring disable system-based tags disable freebsd tags FreeBSD vpn role add defaults ssh role freebsd default fix dns_adblocking freebsd ubuntu dict fix * HardenedBSD update-users BSD * Rebuild the kernel docs changing 7 years ago			`tags:`
			`- always`

Move DNSCrypt proxy fallback_resolver to systemd resolved (#1011) 6 years ago			`- name: systemd services enabled and started`
Ubuntu1804 (#925) - Fixes #897 #944 #956 Work in progress. Lightsail is not ready for Ubuntu 18.04 yet - [x] DigitalOcean ~~- [ ] Amazon Lightsail~~ - [x] Amazon EC2 - [x] Microsoft Azure - [x] Google Compute Engine - [x] Scaleway - [x] OpenStack (DreamCompute optimised) 6 years ago			`systemd:`
Move DNSCrypt proxy fallback_resolver to systemd resolved (#1011) 6 years ago			`name: "{{ item }}"`
Ubuntu1804 (#925) - Fixes #897 #944 #956 Work in progress. Lightsail is not ready for Ubuntu 18.04 yet - [x] DigitalOcean ~~- [ ] Amazon Lightsail~~ - [x] Amazon EC2 - [x] Microsoft Azure - [x] Google Compute Engine - [x] Scaleway - [x] OpenStack (DreamCompute optimised) 6 years ago			`state: started`
			`enabled: true`
			`daemon_reload: true`
Move DNSCrypt proxy fallback_resolver to systemd resolved (#1011) 6 years ago			`with_items:`
			`- systemd-networkd`
			`- systemd-resolved`
FreeBSD / HardenedBSD (#262) * FreeBSD draft ifconfig fix Pre-tasks fixes fix hardcoded IP some refactoring disable system-based tags disable freebsd tags FreeBSD vpn role add defaults ssh role freebsd default fix dns_adblocking freebsd ubuntu dict fix * HardenedBSD update-users BSD * Rebuild the kernel docs changing 7 years ago			`tags:`
			`- always`

			`- meta: flush_handlers`
			`tags:`
			`- always`

			`- name: Check apparmor support`
			`shell: apparmor_status`
			`ignore_errors: yes`
			`register: apparmor_status`

			`- set_fact:`
			`apparmor_enabled: true`
			`when: '"profiles are in enforce mode" in apparmor_status.stdout'`

			`- set_fact:`
			`tools:`
			`- git`
			`- screen`
			`- apparmor-utils`
			`- uuid-runtime`
			`- coreutils`
			`- iptables-persistent`
			`- cgroup-tools`
explicit installation of linux headers (#975) 6 years ago			`- "openssl{% if install_headers\|default(true)\|bool %},linux-headers-{{ ansible_kernel }}{% endif %}"`
FreeBSD / HardenedBSD (#262) * FreeBSD draft ifconfig fix Pre-tasks fixes fix hardcoded IP some refactoring disable system-based tags disable freebsd tags FreeBSD vpn role add defaults ssh role freebsd default fix dns_adblocking freebsd ubuntu dict fix * HardenedBSD update-users BSD * Rebuild the kernel docs changing 7 years ago			`sysctl:`
rewrite the sysctl task 7 years ago			`- item: net.ipv4.ip_forward`
			`value: 1`
			`- item: net.ipv4.conf.all.forwarding`
			`value: 1`
			`- item: net.ipv6.conf.all.forwarding`
			`value: 1`
FreeBSD / HardenedBSD (#262) * FreeBSD draft ifconfig fix Pre-tasks fixes fix hardcoded IP some refactoring disable system-based tags disable freebsd tags FreeBSD vpn role add defaults ssh role freebsd default fix dns_adblocking freebsd ubuntu dict fix * HardenedBSD update-users BSD * Rebuild the kernel docs changing 7 years ago			`tags:`
			`- always`