# Installs a FreeBSD server
#
# Playbook Ver. 1.1
#
# This playbook will set up a freshly installed FreeBSD server as a ZFS-enabled
# server that can be used in the backup server pool.
#
#
# CHANGES:
#
# 1.1 (2018-08-20) Full rewrite for FreeBSD.
#
#
# REQUIREMENTS:
#
# Minimal requirements for an Ansible-managed FreeBSD server are:
# - pkg install sudo
# - pkg install python36
# - ln -s /usr/local/bin/python /usr/bin/python
#
#
# USAGE:
#
# ansible-playbook -e "HOSTS=backupxx" backupserver.yml
#
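---
# Single play: prepare a fresh FreeBSD host for the backup pool.
# HOSTS has to be supplied on the command line (see USAGE above); the play
# refuses to run on anything that is not a FreeBSD host.
- name: backupserver
  hosts: "{{ HOSTS }}"
  become: true
  vars:
    cpus: []   # System cores/threads
    ram: []    # Amount of RAM (for ZFS ARC data)
    disks: []  # List of disks
    # cpus/ram/disks are not referenced by any task in this play; they may be
    # consumed by the ipfw.rules.j2 template, which is not part of this file.
    #
    # rc(8) service that loads the ipfw rule set. The "[Security] Start ipfw"
    # task references this variable, so it must be defined; override it with
    # -e "ipfw_service=..." if a different service name is needed.
    ipfw_service: ipfw
  tasks:
    # Check Operating System
    - name: "[Check] Refuse to run on a non-FreeBSD host"
      fail:
        msg: "backupserver.yml can only be used on a FreeBSD host."
      when: ansible_os_family != "FreeBSD"

    # Packages
    - name: "[Packages] Add packages on FreeBSD"
      pkgng:
        name: "{{ item }}"
        state: present
      with_items:
        - rsync
        - bash
        - most
        - bash-completion
        - vnstat
        - htop
        - wget
        - curl
        - ca_root_nss
        - git
        - tmux
        - vim-console
        - dmidecode
        - ipmitool
        - smartmontools

    # "freebsd-update cron" only downloads available updates and mails a
    # report; the downloaded updates still have to be applied with
    # "freebsd-update install", so this is fetch-only, not unattended patching.
    - name: "[Packages] [Security] Set auto update to daily"
      lineinfile:
        path: /etc/crontab
        regexp: 'freebsd-update cron'
        line: '@daily root freebsd-update cron'

    # Replace the base syslogd with syslog-ng.
    - name: "[Security] [SysLog] Install syslog-ng"
      pkgng:
        name: syslog-ng
        state: present

    - name: "[Security] [SysLog] Enable syslog-ng"
      lineinfile:
        path: /etc/rc.conf
        regexp: '^syslog_ng_enable'
        line: 'syslog_ng_enable="YES"'

    - name: "[Security] [SysLog] Disable syslog"
      lineinfile:
        path: /etc/rc.conf
        regexp: '^syslogd_enable'
        line: 'syslogd_enable="NO"'

    - name: "[Security] [SysLog] Stop syslog"
      service:
        name: syslogd
        state: stopped

    # "restarted" rather than "started" so an already running syslog-ng picks
    # up the state change as well.
    - name: "[Security] [SysLog] Start syslog-ng"
      service:
        name: syslog-ng
        state: restarted

    - name: "[Security] Disable sendmail"
      lineinfile:
        path: /etc/rc.conf
        regexp: '^sendmail='
        line: 'sendmail="NO"'

    - name: "[Security] Stop sendmail"
      service:
        name: sendmail
        state: stopped

    # Public certificate directory; default permissions are kept.
    - name: "[Security] create certs dir"
      file:
        path: /etc/ssl/certs
        state: directory

    # Private key directory: owner-only access. File modes are quoted so the
    # YAML loader does not turn the leading-zero octal into a decimal integer.
    - name: "[Security] create private certs dir"
      file:
        path: /etc/ssl/private
        mode: "0700"
        state: directory

    - name: "[Security] Set clear temp in /etc/rc.conf"
      lineinfile:
        path: /etc/rc.conf
        regexp: '^clear_tmp_enable='
        line: 'clear_tmp_enable="YES"'

    # Ipfw firewalling
    # The rule set is rendered from ipfw.rules.j2 (not part of this file) and
    # loaded by rc(8) through firewall_script, so it runs as root at boot.
    - name: "[Security] Create firewall (ipfw) script in /etc/ipfw.rules"
      template:
        src: ipfw.rules.j2
        dest: /etc/ipfw.rules
        mode: "0700"
        # sh -n only checks the shell syntax of the rendered file; it does not
        # validate the ipfw rules it contains.
        validate: sh -n %s

    - name: "[Security] Enable firewall (ipfw) in /etc/rc.conf"
      lineinfile:
        path: /etc/rc.conf
        regexp: '^firewall_enable='
        line: 'firewall_enable="YES"'

    - name: "[Security] Set firewall_script (ipfw) in /etc/rc.conf"
      lineinfile:
        path: /etc/rc.conf
        regexp: '^firewall_script='
        line: 'firewall_script="/etc/ipfw.rules"'

    # Enable dummynet, in-kernel NAT, the ipfw log interface and rule logging.
    - name: "[Security] Enable ipfw_extra_enables"
      lineinfile:
        path: /etc/rc.conf
        regexp: '^{{ item }}='
        line: '{{ item }}="YES"'
      with_items:
        - dummynet_enable
        - firewall_nat_enable
        - firewall_logif
        - firewall_logging

    # Load the rules now rather than waiting for the next boot.
    - name: "[Security] Start ipfw"
      service:
        name: "{{ ipfw_service }}"
        state: started

    # ZFS
    - name: "[ZFS] Enable ZFS in /etc/rc.conf"
      sysrc:
        name: zfs_enable
        value: "YES"

    # Replaces an existing (possibly commented-out) setting in place; the
    # regexp tolerates leading whitespace and a leading "#".
    - name: "[ZFS] Set vfs.zfs.min_auto_ashift in /etc/sysctl.conf"
      lineinfile:
        path: /etc/sysctl.conf
        regexp: '^([\s]*)\#?([\s]*)vfs\.zfs\.min_auto_ashift([\s]*)='
        line: 'vfs.zfs.min_auto_ashift="12"'
        owner: root
        group: wheel
        mode: "0644"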