From 7c2c5e06b2c5e08f6df61acca97295c50abcda5e Mon Sep 17 00:00:00 2001 From: Tobias Petrich Date: Fri, 26 Dec 2025 19:59:39 +0100 Subject: [PATCH] move to recommended file and directory structure --- .gitignore | 3 + ansible/README.md | 51 ++++++----- ansible/allow_privileged_ports_rootless.yml | 18 ---- ansible/automate_backup.yml | 52 ----------- ansible/common_programs.yml | 17 ---- ansible/custom_hardening.yml | 67 -------------- ansible/deploy_traefik_config.yml | 11 --- ansible/hardening.yml | 89 ------------------- .../group_vars/podman_hosts/vault.yml | 13 +++ .../production/host_vars/io/.gitkeep | 0 ansible/inventories/production/hosts.yml | 4 + ansible/main.yml | 23 +++-- ansible/roles/backup/tasks/main.yml | 48 ++++++++++ .../backup/templates/backup.bash.j2} | 8 +- .../backup/templates/check_backup.bash.j2} | 8 +- ansible/roles/common/tasks/main.yml | 3 + ansible/roles/common/tasks/programs.yml | 13 +++ ansible/roles/hardening/handlers/main.yml | 6 ++ ansible/roles/hardening/tasks/main.yml | 3 + ansible/roles/hardening/tasks/ssh.yml | 59 ++++++++++++ ansible/roles/rootless_host/tasks/main.yml | 3 + .../rootless_host/tasks/rootless_ports.yml | 14 +++ .../traefik/files}/dynamic.yml | 0 .../traefik/files}/traefik.yml | 0 ansible/roles/traefik/tasks/main.yml | 7 ++ 25 files changed, 222 insertions(+), 298 deletions(-) delete mode 100644 ansible/allow_privileged_ports_rootless.yml delete mode 100644 ansible/automate_backup.yml delete mode 100644 ansible/common_programs.yml delete mode 100644 ansible/custom_hardening.yml delete mode 100644 ansible/deploy_traefik_config.yml delete mode 100644 ansible/hardening.yml create mode 100644 ansible/inventories/production/group_vars/podman_hosts/vault.yml create mode 100644 ansible/inventories/production/host_vars/io/.gitkeep create mode 100644 ansible/inventories/production/hosts.yml create mode 100644 ansible/roles/backup/tasks/main.yml rename ansible/{borg_scripts/backup.bash => roles/backup/templates/backup.bash.j2} (76%) rename ansible/{borg_scripts/check_backup.bash => roles/backup/templates/check_backup.bash.j2} (74%) create mode 100644 ansible/roles/common/tasks/main.yml create mode 100644 ansible/roles/common/tasks/programs.yml create mode 100644 ansible/roles/hardening/handlers/main.yml create mode 100644 ansible/roles/hardening/tasks/main.yml create mode 100644 ansible/roles/hardening/tasks/ssh.yml create mode 100644 ansible/roles/rootless_host/tasks/main.yml create mode 100644 ansible/roles/rootless_host/tasks/rootless_ports.yml rename ansible/{traefik_config => roles/traefik/files}/dynamic.yml (100%) rename ansible/{traefik_config => roles/traefik/files}/traefik.yml (100%) create mode 100644 ansible/roles/traefik/tasks/main.yml diff --git a/.gitignore b/.gitignore index 2bdc85b..773d481 100644 --- a/.gitignore +++ b/.gitignore @@ -22,3 +22,6 @@ bookstack-db.container bookstack-srv.container sgnarva-srv.container sgnarva-db.container + +ansible/inventories/production/host_vars/*/vars.yml +ansible/inventories/production/host_vars/*/vault.yml diff --git a/ansible/README.md b/ansible/README.md index 68f449a..53949b8 100644 --- a/ansible/README.md +++ b/ansible/README.md @@ -1,31 +1,34 @@ # Ansible MicroOS VM setup - -4. Run the custom_hardening playbook. This mostly sets SSH parameters to best practice values. + +## Usage + ```shell -ansible-playbook -i inventory.txt custom_hardening.yml -``` -5. Run the allow_privileged_ports_rootless playbook. This allows a rootless traefik container to use ports 80 and 443. -```shell -ansible-playbook -i inventory.txt allow_privileged_ports_rootless.yml -``` -6. Run the deploy_services playbook. This creates groups and users for each service, creates a btrfs subvolume for data and copies the quadlet files to the correct location, then activates the service. -```shell -ansible-playbook -i inventory.txt deploy_services.yml -``` -7. Run the deploy_traefik_config playbool. This copies the traefik configuration to the correct location. -```shell -ansible-playbook -i inventory.txt deploy_traefik_config.yml +ansible-playbook main.yml ``` diff --git a/ansible/allow_privileged_ports_rootless.yml b/ansible/allow_privileged_ports_rootless.yml deleted file mode 100644 index 8532bcb..0000000 --- a/ansible/allow_privileged_ports_rootless.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -- name: Allow normal users to bind to port 80 - hosts: all - become: yes - tasks: - - name: Set sysctl to allow normal users to bind to ports starting from 80 - sysctl: - name: net.ipv4.ip_unprivileged_port_start - value: 80 - state: present - reload: yes - - - name: Verify the sysctl setting - command: sysctl net.ipv4.ip_unprivileged_port_start - register: sysctl_result - - - debug: - msg: "net.ipv4.ip_unprivileged_port_start: {{ sysctl_result.stdout }}" diff --git a/ansible/automate_backup.yml b/ansible/automate_backup.yml deleted file mode 100644 index 7978591..0000000 --- a/ansible/automate_backup.yml +++ /dev/null @@ -1,52 +0,0 @@ ---- -- name: Automate borg backup - hosts: all - become: yes - tasks: - - name: Check if Borg backup script exist - stat: - path: /usr/local/sbin/backup.bash - register: backup_status - - name: Check if Borg check script exists - stat: - path: /usr/local/sbin/check_backup.bash - register: check_status - - name: Synchronize Borg scripts - when: backup_status.stat.exists == False or check_status.stat.exists == False - synchronize: - src: ./borg_scripts/ - dest: /usr/local/sbin/ - rsync_opts: - - "--chown=root:root" - - "--chmod=0700" - - name: Create borg backup systemd service - copy: - content: | - [Unit] - Description=Borg backup - After=network.target - - [Service] - Type=oneshot - ExecStart=/usr/local/sbin/borg_backup.sh - User=root - Group=root - dest: /etc/systemd/system/borg_backup.service - - name: Create borg backup systemd timer - copy: - content: | - [Unit] - Description=Borg backup timer - - [Timer] - OnCalendar=*-*-* 05:00:00 - Persistent=true - - [Install] - WantedBy=timers.target - dest: /etc/systemd/system/borg_backup.timer - - name: Start and enable borg backup timer - systemd: - name: borg_backup.timer - enabled: yes - state: started \ No newline at end of file diff --git a/ansible/common_programs.yml b/ansible/common_programs.yml deleted file mode 100644 index 7404ada..0000000 --- a/ansible/common_programs.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -- name: install commonly used programs - hosts: all - become: yes - tasks: - - name: install common programs with zypper and transactional-update - community.general.zypper: - pkg: - - borgbackup - - tmux - - lynis - - toolbox - state: present - register: zypper_result - - name: reboot if software needed to be installed - ansible.builtin.reboot: - when: zypper_result.changed diff --git a/ansible/custom_hardening.yml b/ansible/custom_hardening.yml deleted file mode 100644 index c255cea..0000000 --- a/ansible/custom_hardening.yml +++ /dev/null @@ -1,67 +0,0 @@ ---- -- name: Apply SSH best practices configuration - hosts: all - become: yes - tasks: - - name: Ensure the sshd_config.d directory exists - file: - path: /etc/ssh/sshd_config.d - state: directory - owner: root - group: root - mode: '0755' - - - name: Create a configuration file to apply SSH best practices - copy: - content: | - # Disable password authentication - PasswordAuthentication no - - # Disable challenge-response authentication - ChallengeResponseAuthentication no - - # Allow root login - PermitRootLogin yes - - # Disable empty passwords - PermitEmptyPasswords no - - # Disable X11 forwarding - X11Forwarding no - - # Use only protocol 2 - Protocol 2 - - # Log more verbosely - LogLevel VERBOSE - - # Keep-alive packets to ensure connection stability - TCPKeepAlive yes - ClientAliveInterval 60 - ClientAliveCountMax 10 - dest: /etc/ssh/sshd_config.d/best_practices.conf - owner: root - group: root - mode: '0644' - - - name: Restart SSH service to apply changes - service: - name: sshd - state: restarted - - - name: Verify SSH configuration settings - shell: "sshd -T" - register: ssh_config_result - - - name: Check specific SSH settings - debug: - msg: "{{ ssh_config_result.stdout_lines | select('search', 'passwordauthentication no') | list }}\n - {{ ssh_config_result.stdout_lines | select('search', 'challengeresponseauthentication no') | list }}\n - {{ ssh_config_result.stdout_lines | select('search', 'permitrootlogin yes') | list }}\n - {{ ssh_config_result.stdout_lines | select('search', 'permitemptypasswords no') | list }}\n - {{ ssh_config_result.stdout_lines | select('search', 'x11forwarding no') | list }}\n - {{ ssh_config_result.stdout_lines | select('search', 'protocol 2') | list }}\n - {{ ssh_config_result.stdout_lines | select('search', 'loglevel verbose') | list }}\n - {{ ssh_config_result.stdout_lines | select('search', 'clientaliveinterval 60') | list }}\n - {{ ssh_config_result.stdout_lines | select('search', 'clientalivecountmax 3') | list }}\n - {{ ssh_config_result.stdout_lines | select('search', 'tcpkeepalive yes') | list }}" diff --git a/ansible/deploy_traefik_config.yml b/ansible/deploy_traefik_config.yml deleted file mode 100644 index ab5e728..0000000 --- a/ansible/deploy_traefik_config.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -- name: Copy Traefik configuration files to the server - hosts: all - become: yes - tasks: - - name: Synchronize Traefik configuration files - synchronize: - src: ./traefik_config/ - dest: /var/vol/traefik/ - rsync_opts: - - "--chown=traefik:traefik" diff --git a/ansible/hardening.yml b/ansible/hardening.yml deleted file mode 100644 index 97b949a..0000000 --- a/ansible/hardening.yml +++ /dev/null @@ -1,89 +0,0 @@ -- name: Apply DevSec hardening - hosts: all - become: yes - vars: - sysctl_overwrite: - # Enable IPv4 traffic forwarding. Needed for containers. - net.ipv4.ip_forward: 1 - os_security_users_allow: - - "change_user" # Ensure this user is allowed to avoid modifying /bin/su (does not work on read-only filesystems) - os_family: "Suse" - os_release: "Tumbleweed" # Treat MicroOS as Tumbleweed - os_version: "{{ ansible_distribution_version }}" - os_vars: - packages: - - sudo - - openssh - ignore_fs_types: - - squashfs - - iso9660 - - vfat - auth_pam: - - common-password - - common-auth - - common-account - - common-session - pam_passwords: - - password requisite pam_pwquality.so retry=3 - - password required pam_unix.so use_authtok remember=5 sha512 shadow - securetty: [console, tty1, tty2, tty3, tty4, tty5, tty6] - sshd: - package: openssh - service: sshd - config: /etc/ssh/sshd_config - kernel_modules_disabled: - - cramfs - - freevxfs - - jffs2 - - hfs - - hfsplus - - squashfs - - udf - - vfat - auditd_package: audit # This is the correct package name for auditd in openSUSE - os_env_umask: "027" # Setting a default umask value - os_auth_uid_min: "1000" # Setting the minimum user ID for non-system users - os_auth_uid_max: "60000" # Setting the maximum user ID for non-system users - os_auth_gid_min: 1000 - os_auth_gid_max: 60000 - os_auth_sys_uid_min: "100" # Setting the minimum user ID for system users - os_auth_sys_uid_max: "499" # Setting the maximum user ID for system users - os_auth_sys_gid_min: 100 - os_auth_sys_gid_max: 499 - os_auth_sub_uid_min: 100000 - os_auth_sub_uid_max: 600100000 - os_auth_sub_uid_count: 65536 - os_auth_sub_gid_min: 100000 - os_auth_sub_gid_max: 600100000 - os_auth_sub_gid_count: 65536 - os_shadow_perms: - owner: root - group: shadow - mode: "0640" - os_passwd_perms: - owner: root - group: root - mode: "0644" - hidepid_option: "2" # allowed values: 0, 1, 2 - os_mnt_boot_group: 'root' - os_mnt_boot_owner: 'root' - os_mnt_dev_group: 'root' - os_mnt_dev_owner: 'root' - os_mnt_dev_shm_group: 'root' - os_mnt_dev_shm_owner: 'root' - os_mnt_home_group: 'root' - os_mnt_home_owner: 'root' - os_mnt_run_group: 'root' - os_mnt_run_owner: 'root' - os_mnt_tmp_group: 'root' - os_mnt_tmp_owner: 'root' - os_mnt_var_group: 'root' - os_mnt_var_owner: 'root' - os_mnt_var_log_group: 'root' - os_mnt_var_log_owner: 'root' - os_mnt_var_log_audit_group: 'root' - os_mnt_var_log_audit_owner: 'root' - os_mnt_var_tmp_group: 'root' - os_mnt_var_tmp_owner: 'root' - roles: - - devsec.hardening.os_hardening diff --git a/ansible/inventories/production/group_vars/podman_hosts/vault.yml b/ansible/inventories/production/group_vars/podman_hosts/vault.yml new file mode 100644 index 0000000..5ff2608 --- /dev/null +++ b/ansible/inventories/production/group_vars/podman_hosts/vault.yml @@ -0,0 +1,13 @@ +$ANSIBLE_VAULT;1.1;AES256;podman_hosts +34396465333337346339653661356338373861326337663939616531623866336233653963353739 +6264653732373635336563333732303735653532393865350a313135343361633034623239643339 +31326238316333326166366638623963653635623533623833333862646462333363353066663434 +6536343138643462320a393638643763633433363861326139326536663439633566386664393964 +37366533323633376436396431383231346438643136326138643565343239393734643662386232 +31373630376164623663333361323531626165646236393732353031313636623434323931633434 +33343834356237376264383064393135663435323134373561306166306561356431656434633834 +66653039633833643930303331323236633532343731613137383835643338373364633834653264 +34643861366665336638656261373531343233353735353435643431303835376635356331373437 +38306537643730646131666665396466366161303165303539663438666461623335366532376666 +34356161383031353939343531333062623064353865636437633436613334663866346163316664 +32383134333464663133 diff --git a/ansible/inventories/production/host_vars/io/.gitkeep b/ansible/inventories/production/host_vars/io/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/ansible/inventories/production/hosts.yml b/ansible/inventories/production/hosts.yml new file mode 100644 index 0000000..a1bc1fb --- /dev/null +++ b/ansible/inventories/production/hosts.yml @@ -0,0 +1,4 @@ +podman_hosts: + hosts: + io: + ansible_host: io.rohrschacht.de \ No newline at end of file diff --git a/ansible/main.yml b/ansible/main.yml index c1dfc0c..31138b5 100644 --- a/ansible/main.yml +++ b/ansible/main.yml @@ -1,13 +1,12 @@ --- -- name: apply custom hardening for ssh - import_playbook: custom_hardening.yml -- name: install commonly used programs - import_playbook: common_programs.yml -- name: allow privileged ports for rootless containers - import_playbook: allow_privileged_ports_rootless.yml -- name: deploy services - import_playbook: deploy_services.yml -- name: deploy traefik configuration - import_playbook: deploy_traefik_config.yml -- name: automate backup - import_playbook: automate_backup.yml +- name: podman host setup + hosts: podman_hosts + roles: + - common + - hardening + - rootless_host + - traefik + - backup + +#- name: deploy services +# import_playbook: deploy_services.yml diff --git a/ansible/roles/backup/tasks/main.yml b/ansible/roles/backup/tasks/main.yml new file mode 100644 index 0000000..c0fed67 --- /dev/null +++ b/ansible/roles/backup/tasks/main.yml @@ -0,0 +1,48 @@ +--- +- name: Deploy backup.bash script + ansible.builtin.template: + src: backup.bash.j2 + dest: /usr/local/sbin/backup.bash + owner: root + group: root + mode: '0700' + +- name: Deploy check_backup.bash script + ansible.builtin.template: + src: check_backup.bash.j2 + dest: /usr/local/sbin/check_backup.bash + owner: root + group: root + mode: '0700' + +- name: Create borg backup systemd service + copy: + content: | + [Unit] + Description=Borg backup + After=network.target + + [Service] + Type=oneshot + ExecStart=/usr/local/sbin/borg_backup.sh + User=root + Group=root + dest: /etc/systemd/system/borg_backup.service +- name: Create borg backup systemd timer + copy: + content: | + [Unit] + Description=Borg backup timer + + [Timer] + OnCalendar=*-*-* 05:00:00 + Persistent=true + + [Install] + WantedBy=timers.target + dest: /etc/systemd/system/borg_backup.timer +- name: Start and enable borg backup timer + systemd: + name: borg_backup.timer + enabled: yes + state: started \ No newline at end of file diff --git a/ansible/borg_scripts/backup.bash b/ansible/roles/backup/templates/backup.bash.j2 similarity index 76% rename from ansible/borg_scripts/backup.bash rename to ansible/roles/backup/templates/backup.bash.j2 index dece870..b22a522 100644 --- a/ansible/borg_scripts/backup.bash +++ b/ansible/roles/backup/templates/backup.bash.j2 @@ -1,10 +1,10 @@ #!/bin/bash # Configuration -BACKUP_USER="your_remote_user" # Remote SSH username -BACKUP_HOST="your_remote_host" # Remote SSH server -BACKUP_PATH="/path/to/remote/backup/folder" # Remote backup folder -BORG_PASSPHRASE="your_encryption_password" # Encryption password (in plain text) +BACKUP_USER="{{ backup.user }}" # Remote SSH username +BACKUP_HOST="{{ backup.host }}" # Remote SSH server +BACKUP_PATH="{{ backup.path }}" # Remote backup folder +BORG_PASSPHRASE="{{ backup.passphrase }}" # Encryption password (in plain text) BACKUP_NAME="backup-$(date +'%Y-%m-%d')" # Name of the backup archive BACKUP_REPO="ssh://$BACKUP_USER@$BACKUP_HOST/$BACKUP_PATH" # Borg repository location diff --git a/ansible/borg_scripts/check_backup.bash b/ansible/roles/backup/templates/check_backup.bash.j2 similarity index 74% rename from ansible/borg_scripts/check_backup.bash rename to ansible/roles/backup/templates/check_backup.bash.j2 index cf5e77e..c3c65d9 100644 --- a/ansible/borg_scripts/check_backup.bash +++ b/ansible/roles/backup/templates/check_backup.bash.j2 @@ -1,10 +1,10 @@ #!/bin/bash # Configuration -BACKUP_USER="your_remote_user" # Remote SSH username -BACKUP_HOST="your_remote_host" # Remote SSH server -BACKUP_PATH="/path/ro/remote/backup/folder" # Remote backup folder -BORG_PASSPHRASE="your_encryption_password" # Encryption password (in plain text) +BACKUP_USER="{{ backup.user }}" # Remote SSH username +BACKUP_HOST="{{ backup.host }}" # Remote SSH server +BACKUP_PATH="{{ backup.path }}" # Remote backup folder +BORG_PASSPHRASE="{{ backup.passphrase }}" # Encryption password (in plain text) BACKUP_NAME="backup-$(date +'%Y-%m-%d')" # Name of the backup archive BACKUP_REPO="ssh://$BACKUP_USER@$BACKUP_HOST/$BACKUP_PATH" # Borg repository location diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml new file mode 100644 index 0000000..a3b752a --- /dev/null +++ b/ansible/roles/common/tasks/main.yml @@ -0,0 +1,3 @@ +--- +- name: Install common programs + include_tasks: programs.yml \ No newline at end of file diff --git a/ansible/roles/common/tasks/programs.yml b/ansible/roles/common/tasks/programs.yml new file mode 100644 index 0000000..17b5952 --- /dev/null +++ b/ansible/roles/common/tasks/programs.yml @@ -0,0 +1,13 @@ +--- +- name: install common programs with zypper and transactional-update + community.general.zypper: + pkg: + - borgbackup + - tmux + - lynis + - toolbox + state: present + register: zypper_result +- name: reboot if software needed to be installed + ansible.builtin.reboot: + when: zypper_result.changed diff --git a/ansible/roles/hardening/handlers/main.yml b/ansible/roles/hardening/handlers/main.yml new file mode 100644 index 0000000..e1e57d2 --- /dev/null +++ b/ansible/roles/hardening/handlers/main.yml @@ -0,0 +1,6 @@ +--- + +- name: Restart sshd + ansible.builtin.service: + name: sshd + state: restarted \ No newline at end of file diff --git a/ansible/roles/hardening/tasks/main.yml b/ansible/roles/hardening/tasks/main.yml new file mode 100644 index 0000000..6e6b1cb --- /dev/null +++ b/ansible/roles/hardening/tasks/main.yml @@ -0,0 +1,3 @@ +--- +- name: SSH hardening + include_tasks: ssh.yml \ No newline at end of file diff --git a/ansible/roles/hardening/tasks/ssh.yml b/ansible/roles/hardening/tasks/ssh.yml new file mode 100644 index 0000000..d809468 --- /dev/null +++ b/ansible/roles/hardening/tasks/ssh.yml @@ -0,0 +1,59 @@ +--- +- name: Ensure the sshd_config.d directory exists + file: + path: /etc/ssh/sshd_config.d + state: directory + owner: root + group: root + mode: '0755' + +- name: Create a configuration file to apply SSH best practices + copy: + content: | + # Disable password authentication + PasswordAuthentication no + + # Disable challenge-response authentication + ChallengeResponseAuthentication no + + # Allow root login + PermitRootLogin yes + + # Disable empty passwords + PermitEmptyPasswords no + + # Disable X11 forwarding + X11Forwarding no + + # Use only protocol 2 + Protocol 2 + + # Log more verbosely + LogLevel VERBOSE + + # Keep-alive packets to ensure connection stability + TCPKeepAlive yes + ClientAliveInterval 60 + ClientAliveCountMax 10 + dest: /etc/ssh/sshd_config.d/best_practices.conf + owner: root + group: root + mode: '0644' + notify: Restart sshd + +- name: Verify SSH configuration settings + shell: "sshd -T" + register: ssh_config_result + +- name: Check specific SSH settings + debug: + msg: "{{ ssh_config_result.stdout_lines | select('search', 'passwordauthentication no') | list }}\n + {{ ssh_config_result.stdout_lines | select('search', 'challengeresponseauthentication no') | list }}\n + {{ ssh_config_result.stdout_lines | select('search', 'permitrootlogin yes') | list }}\n + {{ ssh_config_result.stdout_lines | select('search', 'permitemptypasswords no') | list }}\n + {{ ssh_config_result.stdout_lines | select('search', 'x11forwarding no') | list }}\n + {{ ssh_config_result.stdout_lines | select('search', 'protocol 2') | list }}\n + {{ ssh_config_result.stdout_lines | select('search', 'loglevel verbose') | list }}\n + {{ ssh_config_result.stdout_lines | select('search', 'clientaliveinterval 60') | list }}\n + {{ ssh_config_result.stdout_lines | select('search', 'clientalivecountmax 3') | list }}\n + {{ ssh_config_result.stdout_lines | select('search', 'tcpkeepalive yes') | list }}" diff --git a/ansible/roles/rootless_host/tasks/main.yml b/ansible/roles/rootless_host/tasks/main.yml new file mode 100644 index 0000000..c0776da --- /dev/null +++ b/ansible/roles/rootless_host/tasks/main.yml @@ -0,0 +1,3 @@ +--- +- name: Allow rootless ports for podman + include_tasks: rootless_ports.yml \ No newline at end of file diff --git a/ansible/roles/rootless_host/tasks/rootless_ports.yml b/ansible/roles/rootless_host/tasks/rootless_ports.yml new file mode 100644 index 0000000..1995f9c --- /dev/null +++ b/ansible/roles/rootless_host/tasks/rootless_ports.yml @@ -0,0 +1,14 @@ +--- +- name: Set sysctl to allow normal users to bind to ports starting from 80 + sysctl: + name: net.ipv4.ip_unprivileged_port_start + value: 80 + state: present + reload: yes + +- name: Verify the sysctl setting + command: sysctl net.ipv4.ip_unprivileged_port_start + register: sysctl_result + +- debug: + msg: "net.ipv4.ip_unprivileged_port_start: {{ sysctl_result.stdout }}" diff --git a/ansible/traefik_config/dynamic.yml b/ansible/roles/traefik/files/dynamic.yml similarity index 100% rename from ansible/traefik_config/dynamic.yml rename to ansible/roles/traefik/files/dynamic.yml diff --git a/ansible/traefik_config/traefik.yml b/ansible/roles/traefik/files/traefik.yml similarity index 100% rename from ansible/traefik_config/traefik.yml rename to ansible/roles/traefik/files/traefik.yml diff --git a/ansible/roles/traefik/tasks/main.yml b/ansible/roles/traefik/tasks/main.yml new file mode 100644 index 0000000..9bf4fc8 --- /dev/null +++ b/ansible/roles/traefik/tasks/main.yml @@ -0,0 +1,7 @@ +--- +- name: Synchronize Traefik configuration files + synchronize: + src: ./ + dest: /var/vol/traefik/ + rsync_opts: + - "--chown=traefik:traefik"