First commit

.gitignore

@@ -0,0 +1,5 @@
+group_vars/all/vault.yml
+host_vars/*.wirebrass.fr
+inventory_wirebrass.yml
+.vault-password
+*.retry

README.md

@@ -0,0 +1,153 @@
+# ansible-base
+
+## Introduction
+
+This document describes how to use ansible-base to deploy basic infrastructures.
+
+The main parts of this document are :
+
+* Ansible "server" (or local machine) preparation
+* Nodes preparation
+* Deployment
+
+## Ansible "server" (or local machine) preparation
+
+Update and install Ansible and GIT on your system.
+
+Clone this repo (ssh pubkey needs to be authorized for this repo) and go into the cloned directory :
+
+```bash
+git clone git@git.grifon.fr:nemo/ansible-base.git
+cd ansible-core
+```
+
+Download roles dependecies (currenty not used) :
+
+```ansible-galaxy install -r requirements.yml -p ./roles/```
+
+Copy the template inventory and edit the new file to add your node(s) in the corresponding `function` section and `os` section :
+
+```bash
+cp inventory_template.yml inventory_yourInventoryName.yml
+vi inventory_yourInventoryName.yml
+```
+
+Example with template values :
+
+```bash
+all:
+  vars:
+    ansible_user: ansible
+    ansible_become: yes
+  children:
+    function:
+      children:
+        backup_server:
+          hosts:
+            myFirstGentooHost.example.org:
+	    ...
+	...
+    os:
+      children:
+        os_gentoo:
+          hosts:
+            myFirstGentooHost.example.org:
+            mySecondGentooHost.anotherexample.org:
+        os_debian:
+          hosts:
+            myFirstDebianHost.example.org:
+            mySecondDebianHost.anotherexample.org:
+	    ...
+        ...
+```
+
+> Note : the node's name needs to be reachable, you can use IP address or FQDN (recommended).
+> WARNING : if you don't want to publish your inventory in the SCM system, add the filename in your .gitignore file (if you're using GIT).
+
+Create a vault file for all nodes using the vault template file and define all values :
+
+```bash
+cp group_vars/all/vault.yml.template group_vars/all/vault.yml
+vim group_vars/all/vault.yml
+```
+
+Encrypt the vault file and check if edit function works. A prompt will ask you a password :
+
+```bash
+ansible-vault encrypt group_vars/all/vault.yml
+ansible-vault edit group_vars/all/vault.yml
+```
+
+> Note : if you version your code, don't forget to exclude this vault file of versionning (with .`gitignorefile` if you are using GIT).
+
+According to your needs, you can edit all variables in `group_vars` directory and subdirectories.
+
+You can also define host-specific variables (reboot/upgrade enable/disabe, cron hours, specific config, ...) in the host_vars directory (host.example.org is a commented example). Don't forget to update .gitignore if you don't want to publish some host vars.
+
+## Nodes preparation
+
+On the node, with the root account (or sudo) :
+
+* Install SSH, sudo and gentoolkit (if Gentoo) OR python-apt (if Debian) OR python-yum (if CentOS) ...
+* Enable and start SSH service.
+* Configure the ansible user :
+
+```bash
+# Create an ansible user
+useradd -m -s /bin/bash ansible
+
+# Add sudoers rights to ansible user
+echo "ansible ALL=(ALL:ALL) NOPASSWD: ALL
+" >  /etc/sudoers.d/ansible
+
+# Check the sudo configuration
+su - ansible
+sudo -i # If OK, you're root here
+exit
+exit
+
+# Add SSH public key of the account used on the Ansible server (or local machine) to the ansible user on the remote node to deploy
+su - ansible
+mkdir -p .ssh
+vi .ssh/authorized_keys # Here add pubkey
+```
+
+> Note : this procedure can vary slightly if you're not using a Debian or  CentOS node.
+
+On the Ansible server (or local machine), check the SSH connection :
+
+```bash
+ssh ansible@<YOUR_MANAGED_NODE>
+exit
+```
+
+## Deployment
+
+From the Ansible server (or your local machine), you can deploy specific playbooks using the following command :
+
+```bash
+ansible-playbook -i inventory_yourInventoryName.yml <playbook_name> --ask-vault-pass
+```
+
+> Notes :
+>
+> * --diff option can be added to see the difference applied.
+> * --check option can be added to test the deployment without really do any action on the remote node (in some cases it fails even if the deployment will go well).
+
+Playbook deployment :
+
+* playbook_general_deploy.yml
+* playbook_build_deploy.yml
+* playbook_backup_deploy.yml
+
+### playbook_general_deploy.yml
+
+This playbook deploys general configuration : tools (useful packages), auto reboot, auto upgrade, sudo users, NTP client and DNS resolvers.
+
+### playbook_build_deploy.yml
+
+This playbook deploys a build node which needs Docker.
+
+### playbook_backup_deploy.yml
+
+This playbook deploys a backup server which use borgbackup to manage backup rotation.

ToDoList.md

@@ -0,0 +1,8 @@
+# ToDoList (not exhaustive)
+
+* Complete iptables roles and use it (maybe only for non-firewalld systems).
+* Create backup roles (server and clients) + git clone --mirror of the GIT repositories to backup them.
+* Create monitoring roles (server and clients) : Icinga and Munin.
+* Add a pre-task which can install python-apt, gentoolkit or python-yum if not installed (with shell module).
+* Add roles for different function (DNS resolvers, VPN server, BGP router, ...)
+

group_vars/all/all.yml

@@ -0,0 +1,21 @@
+---
+# Sudo users on all servers
+sudo_users:
+  - john
+
+# Hash of default password to use when a user is created
+default_user_password: "{{ vault_default_user_password }}"
+
+# Map users' public key
+public_key:
+  john: "{{ vault_public_key_john }}"
+
+# Default DNS resolvers to use (here it's FDN and LDN)
+resolvers:
+  - 2001:910:800::40
+  - 80.67.169.12
+  - 2001:913::8
+  - 80.67.188.188
+
+# Domain to use in the DNS "search" resolver field
+main_domain: wirebrass.fr

group_vars/all/vault.yml.template

@@ -0,0 +1,9 @@
+vault_default_user_password: HASH_OF_DEFAULT_GNU_LINUX_USER_PASSWORD
+
+vault_public_key_<USER>: |
+  SSH_PUBKEY01_OF_<USER>
+  SSH_PUBKEY02_OF_<USER>
+
+vault_private_key_backup_ser_host: |
+  SSH_PRIV_KEY_OF_backup_user_USER_ON_USER_HOST
+vault_public_key_backup_user_host: SSH_PUBKEY_OF_backup_user_USER_ON_BACKUP_HOST

group_vars/backup.yml

@@ -0,0 +1,11 @@
+# Private/Public SSH keys of backup user to access GIT repositories in Read-Only mode
+private_key_backup_user_host: "{{ vault_private_key_backup_user_host }}"
+public_key_backup_user_host: "{{ vault_public_key_backup_user_host }}"
+
+# All GIT repositories to backup
+git_repo_to_backup:
+  - ansible-base
+
+# Ports allowed by iptables
+tcp_authorized_ports:
+  - 22

group_vars/os_debian.yml

@@ -0,0 +1,25 @@
+# Service and package's name of NTP client on Debian
+ntp_service_name: ntp
+ntp_package: ntp
+
+# Package's name of sudo package on Debian
+sudo_package: sudo
+
+# Service and package's name of CRON on Debian
+cron_service_name: cron
+cron_package: cron
+
+# Sudoers' group name on Debian
+sudo_group: sudo
+
+# Command to run to execute a Debian update
+cron_upgrade_job: export PATH=$PATH:/usr/local/sbin:/usr/sbin:/sbin; export TERM=rxvt-unicode-256color; apt-get -q update && apt-get -q -y upgrade && apt-get -q -y autoremove
+
+# Tools to install on Debian hosts
+tools_package:
+  - sudo
+  - curl
+  - sed
+  - grep
+  - net-tools
+

group_vars/os_gentoo.yml

@@ -0,0 +1,32 @@
+# Service and package's name of NTP client on Gentoo
+ntp_service_name: ntpd
+ntp_package: ntp
+
+# Package's name of sudo package on Gentoo
+sudo_package: sudo
+
+# Service and package's name of CRON on Gentoo
+cron_service_name: cronie
+cron_package: cronie
+
+# Sudoers' group name on Gentoo
+sudo_group: wheel
+
+# Command to run to execute a Gentoo update
+cron_upgrade_job: emerge --sync --quiet && emerge --quiet-build -uvDN @world && emerge --quiet-build @preserved-rebuild && emerge --depclean && eselect news read
+
+# Tools to install on Gentoo hosts
+tools_package:
+  - bind-tools
+  - vim
+  - tcpdump
+  - gentoolkit
+  - tmux
+  - htop
+  - sudo
+  - curl
+  - sed
+  - awk
+  - grep
+  - jq
+  - mailutils

host_vars/host.example.org

@@ -0,0 +1,26 @@
+# Enable auto reboot
+#auto_reboot: true
+
+# Cron task scheduling for auto reboot
+#cron_reboot_minute: "50"
+#cron_reboot_hour: "0"
+#cron_reboot_day: "*"
+#cron_reboot_month: "*"
+#cron_reboot_weekday: "1"
+
+# Set to true if you want to enable auto upgrade
+#auto_upgrade: true
+
+# Cron task scheduling for auto upgrade
+#cron_upgrade_minute: "25"
+#cron_upgrade_hour: "0"
+#cron_upgrade_day: "*"
+#cron_upgrade_month: "*"
+#cron_upgrade_weekday: "*"
+
+# All authorized TCP ports
+#tcp_authorized_ports:
+#  - 22
+
+# All incoming authorized IP (all ports and all protocols)
+#ip_authorized: []

inventory_template.yml

@@ -0,0 +1,20 @@
+all:
+  vars:
+    ansible_user: ansible
+    ansible_become: yes
+  children:
+    function:
+      children:
+        backup_server:
+          hosts:
+            myFirstGentooHost.example.org:
+    os:
+      children:
+        os_gentoo:
+          hosts:
+            myFirstGentooHost.example.org:
+            mySecondGentooHost.anotherexample.org:
+        os_debian:
+          hosts:
+            myFirstDebianHost.example.org:
+            mySecondDebianHost.anotherexample.org:

playbook_general_deploy.yml

@@ -0,0 +1,10 @@
+---
+- hosts: all
+  roles:
+    - auto_reboot
+    - auto_upgrade
+    #- client_iptables # Role not well defined now
+    - client_ntp
+    - client_resolvers
+    - client_tools
+    - users_sudo

requirements.yml

@@ -0,0 +1 @@
+---

roles/auto_reboot/README.md

@@ -0,0 +1,50 @@
+Ansible Role: auto reboot
+=========
+
+This role defines a contask to auto-reboot a GNU/Linux server.
+
+Requirements
+------------
+
+None.
+
+Role Variables
+--------------
+
+All variables and default values are defined in `defaults/main.yml` :
+
+    # Cron task scheduling for auto reboot
+    cron_reboot_minute: "0"
+    cron_reboot_hour: "3"
+    cron_reboot_day: "*"
+    cron_reboot_month: "*"
+    cron_reboot_weekday: "*"
+
+    # Set to true if you want to enable auto reboot
+    auto_reboot: false
+
+    # Name of the cron service and cron package (depends on your OS, can be cron, cronie, crond...)
+    cron_service_name: cron
+    cron_package: cron
+
+Dependencies
+------------
+
+None.
+
+Example Playbook
+----------------
+
+    - hosts: all
+      roles:
+        - auto_reboot
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+This role was created in 2020 by Nemo.

roles/auto_reboot/defaults/main.yml

@@ -0,0 +1,16 @@
+---
+# defaults file for client_reboot
+
+# Cron task scheduling for auto reboot
+cron_reboot_minute: "0"
+cron_reboot_hour: "3"
+cron_reboot_day: "*"
+cron_reboot_month: "*"
+cron_reboot_weekday: "*"
+
+# Set to true if you want to enable auto reboot
+auto_reboot: false
+
+# Name of the cron service and cron package (depends on your OS, can be cron, cronie, crond...)
+cron_service_name: cron
+cron_package: cron

roles/auto_reboot/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+# handlers file for client_reboot
+
+- name: "restart cron"
+  service:
+    name: "{{ cron_service_name }}"
+    enabled: yes
+    state: restarted

roles/auto_reboot/meta/main.yml

@@ -0,0 +1,29 @@
+galaxy_info:
+  author: nemo
+  description: Auto reboot for GNU/Linux.
+  company: Wirebrass
+
+  license: license (BSD)
+
+  min_ansible_version: 2.4
+
+  platforms:
+    - name: Debian
+      versions:
+        - stretch
+        - buster
+    - name: Gentoo
+      versions:
+        - all
+    - name: EL
+      versions:
+        - 7
+
+  galaxy_tags:
+    - reboot
+    - system
+    - server
+    - cron
+    - auto
+
+dependencies: []

roles/auto_reboot/tasks/crontask.yml

@@ -0,0 +1,13 @@
+---
+- name: crontask configured
+  cron:
+    name: "Auto reboot"
+    user: root
+    minute: "{{ cron_reboot_minute }}"
+    hour: "{{ cron_reboot_hour }}"
+    day: "{{ cron_reboot_day }}"
+    month: "{{ cron_reboot_month }}"
+    weekday: "{{ cron_reboot_weekday }}"
+    job: /sbin/reboot
+  notify: restart cron
+  when: auto_reboot # Only if auto reboot is enabled for this host or group of hosts

roles/auto_reboot/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+# Main tasks file for auto_reboot
+
+- import_tasks: package.yml
+- import_tasks: crontask.yml

roles/auto_reboot/tasks/package.yml

@@ -0,0 +1,7 @@
+---
+- name: Cron installed
+  package:
+    name: "{{ cron_package }}"
+    state: present
+  notify: restart cron
+  when: auto_reboot # Only if auto reboot is enabled for this host or group of hosts

roles/auto_upgrade/README.md

@@ -0,0 +1,55 @@
+Ansible Role: auto upgrade
+=========
+
+This role defines a contask to auto-upgrade a GNU/Linux server.
+
+Requirements
+------------
+
+None.
+
+Role Variables
+--------------
+
+All variables and default values are defined in `defaults/main.yml` :
+
+    # Cron task scheduling for auto upgrade
+    cron_upgrade_minute: "0"
+    cron_upgrade_hour: "2"
+    cron_upgrade_day: "*"
+    cron_upgrade_month: "*"
+    cron_upgrade_weekday: "*"
+    
+    # Set to true if you want to enable auto upgrade
+    auto_upgrade: false
+    
+    # Name of the cron service and cron package (depends on your OS, can be cron, cronie, crond...)
+    cron_service_name: cron
+    cron_package: cron
+    
+    # Default upgrade task configured for Debian
+    cron_upgrade_job: export PATH=$PATH:/usr/local/sbin:/usr/sbin:/sbin; export TERM=rxvt-unicode-256color; apt-get -q update && apt-get -q -y upgrade && apt-get -q -y autoremove
+
+*WARNING :* by default, the `cron_upgrade_job` is configured for Debian family distribution, you need to change the value if you are using another OS.
+
+Dependencies
+------------
+
+None.
+
+Example Playbook
+----------------
+
+    - hosts: all
+      roles:
+        - auto_upgrade
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+This role was created in 2020 by Nemo.

roles/auto_upgrade/defaults/main.yml

@@ -0,0 +1,19 @@
+---
+# defaults file for auto_upgrade
+
+# Cron task scheduling for auto upgrade
+cron_upgrade_minute: "0"
+cron_upgrade_hour: "2"
+cron_upgrade_day: "*"
+cron_upgrade_month: "*"
+cron_upgrade_weekday: "*"
+
+# Set to true if you want to enable auto upgrade
+auto_upgrade: false
+
+# Name of the cron service and cron package (depends on your OS, can be cron, cronie, crond...)
+cron_service_name: cron
+cron_package: cron
+
+# Default upgrade task configured for Debian
+cron_upgrade_job: export PATH=$PATH:/usr/local/sbin:/usr/sbin:/sbin; export TERM=rxvt-unicode-256color; apt-get -q update && apt-get -q -y upgrade && apt-get -q -y autoremove

roles/auto_upgrade/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+# handlers file for auto_upgrade
+
+- name: "restart cron"
+  service:
+    name: "{{ cron_service_name }}"
+    enabled: yes
+    state: restarted

roles/auto_upgrade/meta/main.yml

@@ -0,0 +1,29 @@
+galaxy_info:
+  author: nemo
+  description: Auto upgrade crontask for GNU/Linux.
+  company: Wirebrass
+
+  license: license (BSD)
+
+  min_ansible_version: 2.4
+
+  platforms:
+    - name: Debian
+      versions:
+        - stretch
+        - buster
+    - name: Gentoo
+      versions:
+        - all
+    - name: EL
+      versions:
+        - 7
+
+  galaxy_tags:
+    - upgrade
+    - system
+    - server
+    - cron
+    - auto
+
+dependencies: []

roles/auto_upgrade/tasks/crontask.yml

@@ -0,0 +1,13 @@
+---
+- name: crontask configured
+  cron:
+    name: "Auto upgrade"
+    user: root
+    minute: "{{ cron_upgrade_minute }}"
+    hour: "{{ cron_upgrade_hour }}"
+    day: "{{ cron_upgrade_day }}"
+    month: "{{ cron_upgrade_month }}"
+    weekday: "{{ cron_upgrade_weekday }}"
+    job: "{{ cron_upgrade_job }}"
+  notify: restart cron
+  when: auto_upgrade # Only if auto upgrade is enabled for this host or group of hosts

roles/auto_upgrade/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+# Main tasks file for auto_upgrade
+
+- import_tasks: package.yml
+- import_tasks: crontask.yml

roles/auto_upgrade/tasks/package.yml

@@ -0,0 +1,7 @@
+---
+- name: Cron installed
+  package:
+    name: "{{ cron_package }}"
+    state: present
+  notify: restart cron
+  when: auto_upgrade # Only if auto upgrade is enabled for this host or group of hosts

roles/client_iptables/README.md

@@ -0,0 +1,43 @@
+Ansible Role: client iptables
+=========
+
+This role defines iptables rules for a GNU/Linux server.
+
+Requirements
+------------
+
+None.
+
+Role Variables
+--------------
+
+All variables and default values are defined in `defaults/main.yml` :
+
+    # All authorized TCP ports
+    tcp_authorized_ports:
+      - 22
+    
+    # All incoming authorized IP
+    ip_authorized: []
+
+Dependencies
+------------
+
+None.
+
+Example Playbook
+----------------
+
+    - hosts: all
+      roles:
+        - client_iptables
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+This role was created in 2020 by Nemo.

roles/client_iptables/defaults/main.yml

@@ -0,0 +1,9 @@
+---
+# defaults file for client_reboot
+
+# All authorized TCP ports
+tcp_authorized_ports:
+  - 22
+
+# All incoming authorized IP (all ports and all protocols)
+ip_authorized: []

roles/client_iptables/files/iptables

@@ -0,0 +1,2 @@
+#!/bin/sh
+/sbin/iptables-restore < /etc/iptables.up.rules

roles/client_iptables/meta/main.yml

@@ -0,0 +1,26 @@
+galaxy_info:
+  author: nemo
+  description: Set iptables for GNU/Linux.
+  company: Wirebrass
+
+  license: license (BSD)
+
+  min_ansible_version: 2.4
+
+  platforms:
+    - name: Debian
+      versions:
+        - stretch
+        - buster
+    - name: Gentoo
+      versions:
+        - all
+
+  galaxy_tags:
+    - iptables
+    - firewall
+    - system
+    - server
+    - security
+
+dependencies: []

roles/client_iptables/tasks/boot.yml

@@ -0,0 +1,9 @@
+---
+- name: Add load rules at boot
+  copy:
+    src: iptables
+    dest: /etc/network/if-pre-up.d/iptables
+    owner: root
+    group: root
+    mode: 0755
+

roles/client_iptables/tasks/iptables.yml

@@ -0,0 +1,60 @@
+---
+- name: Iptables installed
+  package:
+    name: "iptables"
+    state: present
+
+- name: Allow related and established connections
+  iptables:
+    chain: INPUT
+    ctstate: ESTABLISHED,RELATED
+    jump: ACCEPT
+
+- name: Allow incoming on localhost interface
+  iptables:
+    chain: INPUT
+    in_interface: lo
+    jump: ACCEPT
+
+- name: Allow incoming ICMP
+  iptables:
+    chain: INPUT
+    protocol: icmp
+    jump: ACCEPT
+
+- name: Allow new incoming connections on TCP port 22 (SSH).
+  iptables:
+    chain: INPUT
+    protocol: tcp
+    destination_port: 22
+    jump: ACCEPT
+    comment: Accept new connections on port "22".
+
+- name: Allow new incoming connections on TCP port (dynamic list).
+  iptables:
+    chain: INPUT
+    protocol: tcp
+    destination_port: "{{ item }}"
+    jump: ACCEPT
+    comment: Accept new connections on port "{{ item }}".
+  loop: "{{ tcp_authorized_ports }}"
+  when: tcp_authorized_ports is defined and (tcp_authorized_ports|length>0)
+
+- name: Allow new incoming connections from specific IP (dynamic list).
+  iptables:
+    chain: INPUT
+    source: "{{ item }}"
+    jump: ACCEPT
+    comment: Accept new connections from IP "{{ item }}".
+  loop: "{{ ip_authorized }}"
+  when: ip_authorized is defined and (ip_authorized|length>0)
+
+- name: Set the policy for the FORWARD chain to DROP
+  iptables:
+    chain: FORWARD
+    policy: DROP
+
+- name: Set the policy for the INPUT chain to DROP
+  iptables:
+    chain: INPUT
+    policy: DROP

roles/client_iptables/tasks/main.yml

@@ -0,0 +1,7 @@
+---
+# Main tasks file for client_iptables
+
+- import_tasks: package.yml
+- import_tasks: iptables.yml
+- import_tasks: save.yml
+- import_tasks: boot.yml

roles/client_iptables/tasks/package.yml

@@ -0,0 +1,5 @@
+---
+- name: Iptables installed
+  package:
+    name: "iptables"
+    state: present

roles/client_iptables/tasks/save.yml

@@ -0,0 +1,3 @@
+---
+- name: Save iptables rules
+  shell: iptables-save > /etc/iptables.up.rules

roles/client_ntp/README.md

@@ -0,0 +1,40 @@
+Ansible Role: client ntp
+=========
+
+This role set up NTP client for a GNU/Linux server.
+
+Requirements
+------------
+
+None.
+
+Role Variables
+--------------
+
+All variables and default values are defined in `defaults/main.yml` :
+
+    # Name of the ntp service and ntp package (depends on your OS, can be ntp, ntpd...)
+    ntp_service_name: ntpd
+    ntp_package: ntp
+
+Dependencies
+------------
+
+None.
+
+Example Playbook
+----------------
+
+    - hosts: all
+      roles:
+        - client_ntp
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+This role was created in 2020 by Nemo.

roles/client_ntp/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+# defaults file for client_ntp
+
+# Name of the ntp service and ntp package (depends on your OS, can be ntp, ntpd...)
+ntp_service_name: ntpd
+ntp_package: ntp

roles/client_ntp/meta/main.yml

@@ -0,0 +1,25 @@
+galaxy_info:
+  author: nemo
+  description: Set up NTP client service for GNU/Linux.
+  company: Wirebrass
+
+  license: license (BSD)
+
+  min_ansible_version: 2.4
+
+  platforms:
+    - name: Debian
+      versions:
+        - stretch
+        - buster
+    - name: Gentoo
+      versions:
+        - all
+
+  galaxy_tags:
+    - ntp
+    - system
+    - server
+    - auto
+
+dependencies: []

roles/client_ntp/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+# Main tasks file for client_ntp
+
+- import_tasks: package.yml
+- import_tasks: service.yml

roles/client_ntp/tasks/package.yml

@@ -0,0 +1,5 @@
+---
+- name: NTP client installed
+  package:
+    name: "{{ ntp_package }}"
+    state: present

roles/client_ntp/tasks/service.yml

@@ -0,0 +1,6 @@
+---
+- name: NTP client enabled
+  service:
+    name: "{{ ntp_service_name }}"
+    state: started
+    enabled: yes

roles/client_resolvers/README.md

@@ -0,0 +1,46 @@
+Ansible Role: client resolvers
+=========
+
+This role defines DNS resolvers to use for a GNU/Linux server.
+
+Requirements
+------------
+
+None.
+
+Role Variables
+--------------
+
+All variables and default values are defined in `defaults/main.yml` :
+
+    # DNS resolvers to use
+    resolvers:
+      - 2001:910:800::40
+      - 80.67.169.12
+      - 2001:913::8
+      - 80.67.188.188
+    
+    # Domain to use in the DNS "search" resolver field
+    main_domain: wirebrass.fr 
+
+Dependencies
+------------
+
+None.
+
+Example Playbook
+----------------
+
+    - hosts: all
+      roles:
+        - client_resolvers
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+This role was created in 2020 by Nemo.

roles/client_resolvers/defaults/main.yml

@@ -0,0 +1,12 @@
+---
+# defaults file for client_resolvers
+
+# DNS resolvers to use
+resolvers:
+  - 2001:910:800::40
+  - 80.67.169.12
+  - 2001:913::8
+  - 80.67.188.188
+
+# Domain to use in the DNS "search" resolver field
+main_domain: wirebrass.fr

roles/client_resolvers/meta/main.yml

@@ -0,0 +1,26 @@
+galaxy_info:
+  author: nemo
+  description: Defines DNS resolvers to use for GNU/Linux.
+  company: Wirebrass
+
+  license: license (BSD)
+
+  min_ansible_version: 2.4
+
+  platforms:
+    - name: Debian
+      versions:
+        - stretch
+        - buster
+    - name: Gentoo
+      versions:
+        - all
+
+  galaxy_tags:
+    - dns
+    - system
+    - server
+    - resolvers
+    - resolv
+
+dependencies: []

roles/client_resolvers/tasks/main.yml

@@ -0,0 +1,4 @@
+---
+# Main tasks file for client_resolvers
+
+- import_tasks: resolv_conf.yml

roles/client_resolvers/tasks/resolv_conf.yml

@@ -0,0 +1,5 @@
+---
+- name: configure resolvers
+  template:
+    src: resolv.conf.j2
+    dest: /etc/resolv.conf

roles/client_resolvers/templates/resolv.conf.j2

@@ -0,0 +1,4 @@
+search {{ main_domain }}
+{% for resolver in resolvers %}
+nameserver {{ resolver }}
+{% endfor %}

roles/client_tools/README.md

@@ -0,0 +1,44 @@
+Ansible Role: client tools
+=========
+
+This role install packages (tools) on a GNU/Linux server.
+
+Requirements
+------------
+
+None.
+
+Role Variables
+--------------
+
+All variables and default values are defined in `defaults/main.yml` :
+
+    # All packages (tools) to install on the server
+    tools_package:
+      - sudo
+      - curl
+      - sed
+      - grep
+      - net-tools
+
+Dependencies
+------------
+
+None.
+
+Example Playbook
+----------------
+
+    - hosts: all
+      roles:
+        - client_tools
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+This role was created in 2020 by Nemo.

roles/client_tools/defaults/main.yml

@@ -0,0 +1,10 @@
+---
+# defaults file for client_tools
+
+# All packages (tools) to install on the server
+tools_package:
+  - sudo
+  - curl
+  - sed
+  - grep
+  - net-tools

roles/client_tools/meta/main.yml

@@ -0,0 +1,26 @@
+galaxy_info:
+  author: nemo
+  description: Install tools on a GNU/Linux host.
+  company: Wirebrass
+
+  license: license (BSD)
+
+  min_ansible_version: 2.4
+
+  platforms:
+    - name: Debian
+      versions:
+        - stretch
+        - buster
+    - name: Gentoo
+      versions:
+        - all
+
+  galaxy_tags:
+    - tools
+    - system
+    - server
+    - install
+    - package
+
+dependencies: []

roles/client_tools/tasks/main.yml

@@ -0,0 +1,4 @@
+---
+# Main tasks file for client_tools
+
+- import_tasks: package.yml

roles/client_tools/tasks/package.yml

@@ -0,0 +1,9 @@
+---
+# Install tools task
+- name: Tools installed
+  package:
+    name: "{{ item }}"
+    state: present
+  loop: "{{ tools_package }}"
+  when: tools_package is defined and (tools_package|length>0)
+

roles/users_sudo/README.md

@@ -0,0 +1,47 @@
+Ansible Role: users sudo
+=========
+
+This role defines users in sudo group on a GNU/Linux server.
+
+Requirements
+------------
+
+None.
+
+Role Variables
+--------------
+
+All variables and default values are defined in `defaults/main.yml` :
+
+    # HASH of Default user password when a new user is created
+    default_user_password: ""
+    
+    # Liste of all sudo users
+    sudo_users: []
+    
+    # SSH public key of users to allow SSH connection witk SSH priv/pub keys
+    public_key: []
+
+**WARNING :** all of these variables must be defined, else you may have some errors (use vault).
+
+Dependencies
+------------
+
+None.
+
+Example Playbook
+----------------
+
+    - hosts: all
+      roles:
+        - users_sudo
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+This role was created in 2020 by Nemo.

roles/users_sudo/defaults/main.yml

@@ -0,0 +1,17 @@
+---
+# defaults file for docker_registry
+
+# Name of the sudo package (depends on the OS)
+sudo_package: sudo
+
+# Sudoers' group name
+sudo_group: sudo
+
+# HASH of Default user password when a new user is created
+default_user_password: ""
+
+# Liste of all sudo users
+sudo_users: []
+
+# SSH public key of users to allow SSH connection witk SSH priv/pub keys
+public_key: []

roles/users_sudo/meta/main.yml

@@ -0,0 +1,26 @@
+galaxy_info:
+  author: nemo
+  description: Condigure sudo users for GNU/Linux.
+  company: Wirebrass
+
+  license: license (BSD)
+
+  min_ansible_version: 2.4
+
+  platforms:
+    - name: Debian
+      versions:
+        - stretch
+        - buster
+    - name: Gentoo
+      versions:
+        - all
+
+  galaxy_tags:
+    - sudo
+    - system
+    - server
+    - users
+    - sudoers
+
+dependencies: []

roles/users_sudo/tasks/group.yml

@@ -0,0 +1,6 @@
+---
+- name: Group sudo created
+  group:
+    name: "{{ sudo_group }}"
+    state: present
+

roles/users_sudo/tasks/main.yml

@@ -0,0 +1,7 @@
+---
+# Main tasks file for users_sudo
+
+- import_tasks: package.yml
+- import_tasks: group.yml
+- import_tasks: users.yml
+

roles/users_sudo/tasks/package.yml

@@ -0,0 +1,6 @@
+---
+- name: Sudo installed
+  package:
+    name: "{{ sudo_package }}"
+    state: present
+

roles/users_sudo/tasks/users.yml

@@ -0,0 +1,20 @@
+---
+- name: Privileged users in group sudo
+  user:
+    name: "{{ item }}"
+    groups: "{{ sudo_group }}"
+    shell: /bin/bash
+    append: yes
+    password: "{{ default_user_password }}"
+    update_password: on_create
+  loop: "{{ sudo_users }}"
+  when: sudo_users is defined and (sudo_users|length>0)
+
+- name: Set up authorized key for users
+  authorized_key:
+    user: "{{ item }}"
+    state: present
+    key: "{{ public_key[item] }}"
+  loop: "{{ sudo_users }}"
+  when: sudo_users is defined and (sudo_users|length>0) and public_key[item] is defined
+