Rearange existing roles to make more sense

README.md

@@ -53,6 +53,10 @@ When logged in the user will be prompted with the **zsh** configured with **[Oh
 ![zsh](./images/zsh.png)
 
 ## Other
+### Reinstalling the Pi
+It can be handy to reinstall the Pi. First shutdown the pi by running `sudo shutdown` from SSH. Next take out the memory card and follow all steps in [Raspberry Pi preperation](#raspberry-pi-preperation).
+For the next step remove the current *known_hosts* entry with: `ssh-keygen -R '192.168.50.27'` for all PCs that had SSH access to the Pi.
+
 ### Debugging users other than the main user
 The **user** role included in this repository makes it possible to create new users which will also have a fully configured
 ZSH environment. They can't be accessed via SSH because no SSH keys are added for them and password logins are disabled.

playbook.yml

@@ -9,25 +9,16 @@
   roles:
     # These roles are disabled after they have being applied once for performance reasons, it should be safe to enable them again.
     # Notice that this role changes some settings on reruns (on the "Change various sysctl-settings" task), doesn't seem problematic though.
-    # - role: devsec.hardening.os_hardening
+    - role: devsec.hardening.ssh_hardening
-    #   become: true
+      become: true
-    # - role: devsec.hardening.ssh_hardening
+    - role: hostname
-    #   become: true
+    - role: basic-intalls
-    # - role: snapcraft
+    - role: user
-    # - role: user
+    - role: cloudflare-ddns
-    # - role: cloudflare-ddns
+    - role: reverse-proxy
-    # - role: reverse-proxy
+    - role: actual
-    # - role: actual
+    # - role: pi-hole
-    - role: pi-hole
   vars:
-    # devsec.hardening.os_hardening vars:
-    os_auth_pw_max_age: 99999 # Effectively disables the setting as mentioned in the docs.
-    os_cron_enabled: false # Cron isn't needed for the installation.
-    os_filesystem_whitelist:
-      - squashfs # Used by Snapcraft which is installed on the Raspberry Pi at some moment
-    sysctl_overwrite:
-      vm.mmap_rnd_bits: 16 # See the "sysctl - vm.mmap_rnd_bits" section of the docs.
-      net.ipv4.ip_forward: 1 # We're specifically going to allow ufw forwarding in the playbook.
     # devsec.hardening.ssh_hardening vars:
     ssh_allow_users: 'thomas'
     ssh_client_port: 22 # Default, but duplicated here for documentation purpose. Not changed because its only accessible via LAN.
@@ -40,23 +31,3 @@
     #     dest: './.ansible_facts.json'
     #     content: "{{ ansible_facts }}"
     #     mode: "0600"
-    - name: Add FQDN name in /etc/hosts
-      become: true
-      ansible.builtin.lineinfile:
-        path: /etc/hosts
-        line: "{{ ansible_facts['default_ipv4']['address'] }} {{ hostname }}.kleinendorst.info {{ hostname }}"
-    # For some reason sudo becomes very slow when this isn't correctly configured. Fixing the configuration as suggested
-    # here: https://www.linuxquestions.org/questions/linux-newbie-8/fedora-11-sudo-has-a-20-second-start-delay-732291/#post3575840
-    # fixed the problem for me. We could try to remove the default hostname variable which was added by using the "ansible_facts['hostname']"
-    # variable which is fetched in the special "Gathering facts" step.
-    - name: Configure hostname
-      become: true
-      ansible.builtin.hostname:
-        name: "{{ hostname }}"
-    # TODO: Replace this with setup that sets up unnattended updates on the machine itself.
-    - name: Update all packages to their latest version # noqa: package-latest
-      become: true
-      ansible.builtin.apt:
-        name: "*"
-        state: latest
-# TODO: install vim on the system

roles/actual/handlers/main.yml

@@ -4,3 +4,8 @@
   ansible.builtin.systemd:
     name: nginx.service
     state: restarted
+- name: Restart ufw
+  become: true
+  ansible.builtin.systemd:
+    name: ufw.service
+    state: restarted

roles/actual/tasks/main.yml

@@ -1,9 +1,4 @@
 ---
-- name: Install Podman
-  become: true
-  ansible.builtin.apt:
-    name: podman
-    state: present
 - name: Create a new user
   ansible.builtin.include_role:
     name: user
@@ -42,6 +37,13 @@
     dest: /etc/nginx/conf.d/actual.conf
     mode: '0644'
   notify: Restart Nginx
+- name: Allow https through firewall
+  become: true
+  community.general.ufw:
+    rule: allow
+    port: https
+    proto: tcp
+  notify: Restart ufw
 - name: Debug
   ansible.builtin.debug:
     msg: "Don't forget to manually add a DNS record for actual.kleinendorst.info pointing to: {{ ansible_facts['default_ipv4']['address'] }}."

roles/basic-intalls/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Restart ufw
+  become: true
+  ansible.builtin.systemd:
+    name: ufw.service
+    state: restarted

roles/basic-intalls/tasks/main.yml

@@ -0,0 +1,57 @@
+---
+- name: Install basic packages
+  become: true
+  ansible.builtin.apt:
+    pkg:
+      - git
+      - vim
+      - ufw
+      - podman
+      - snapd
+    state: present
+- name: Install Snap Core
+  become: true
+  community.general.snap:
+    name: core
+    state: present
+- name: Set default policy (incoming)
+  become: true
+  community.general.ufw:
+    direction: incoming
+    policy: deny
+  notify: Restart ufw
+- name: Set default policy (outgoing)
+  become: true
+  community.general.ufw:
+    direction: outgoing
+    policy: allow
+  notify: Restart ufw
+- name: Set default policy (routed)
+  become: true
+  community.general.ufw:
+    direction: routed
+    policy: allow
+  notify: Restart ufw
+- name: Allow forwarding in ufw
+  become: true
+  ansible.builtin.lineinfile:
+    path: /etc/ufw/sysctl.conf
+    regexp: '^#net/ipv4/ip_forward=1$'
+    line: 'net/ipv4/ip_forward=1'
+  notify: Restart ufw
+- name: Allow all access to ssh
+  become: true
+  community.general.ufw:
+    rule: allow
+    port: ssh
+    proto: tcp
+  notify: Restart ufw
+- name: Enable ufw
+  become: true
+  community.general.ufw:
+    state: enabled
+- name: Install Snapcraft
+  become: true
+  ansible.builtin.apt:
+    name:
+    state: present

roles/cloudflare-ddns/tasks/main.yml

@@ -5,11 +5,11 @@
   vars:
     user_username: "{{ cloudflare_ddns_user }}"
     user_password: "{{ cloudflare_ddns_user_password }}"
-- name: Install Python dependencies # noqa: package-latest
+- name: Install Python dependencies
   become: true
   ansible.builtin.apt:
     pkg: python3-pip
-    state: latest
+    state: present
 - name: Copy over DDNS scripting
   become: true
   become_user: "{{ cloudflare_ddns_user }}"
@@ -27,7 +27,7 @@
     source ./venv/bin/activate
     pip3 install -r ./requirements.txt
   args:
-    executable: /bin/bash
+    executable: /usr/bin/zsh
     creates: ~/bin/cloudflare_ddns/venv
 - name: Create directory for storing public IP change logs and config
   become: true

roles/hostname/tasks/main.yml

@@ -0,0 +1,11 @@
+---
+- name: Configure hostname
+  become: true
+  ansible.builtin.hostname:
+    name: "{{ hostname }}"
+- name: Remove existing /etc/hosts entry for hostname and add FQDN name
+  become: true
+  ansible.builtin.lineinfile:
+    path: /etc/hosts
+    regexp: "^127.0.1.1.*$"
+    line: "{{ ansible_facts['default_ipv4']['address'] }} {{ hostname }}.kleinendorst.info {{ hostname }}"

roles/pi-hole/tasks/main.yml

@@ -1,9 +1,4 @@
 ---
-- name: Install Podman
-  become: true
-  ansible.builtin.apt:
-    name: podman
-    state: present
 - name: Create a user for running the pi-hole podman container
   ansible.builtin.include_role:
     name: user
@@ -79,34 +74,6 @@
 - name: Debug
   ansible.builtin.debug:
     msg: "Don't forget to manually add a DNS record for pi-hole.kleinendorst.info pointing to: {{ ansible_facts['default_ipv4']['address'] }}."
-- name: Install ufw
-  become: true
-  ansible.builtin.apt:
-    name: ufw
-    state: present
-- name: Set default policy (incoming)
-  become: true
-  community.general.ufw:
-    direction: incoming
-    policy: deny
-- name: Set default policy (outgoing)
-  become: true
-  community.general.ufw:
-    direction: outgoing
-    policy: allow
-- name: Allow forwarding in ufw
-  become: true
-  ansible.builtin.lineinfile:
-    path: /etc/ufw/sysctl.conf
-    regexp: '^#net/ipv4/ip_forward=1$'
-    line: 'net/ipv4/ip_forward=1'
-- name: Configure firewall to allow forward requests
-  become: true
-  ansible.builtin.lineinfile:
-    path: /etc/default/ufw
-    regexp: '^DEFAULT_FORWARD_POLICY="DROP"$'
-    line: 'DEFAULT_FORWARD_POLICY="ACCEPT"'
-  notify: Restart ufw
 - name: Add forwarding rules for ufw
   become: true
   ansible.builtin.blockinfile:
@@ -119,13 +86,6 @@
       -A PREROUTING -p udp --dport 53 -j REDIRECT --to-port 5053
       COMMIT
   notify: Restart ufw
-- name: Allow all access to ssh
-  become: true
-  community.general.ufw:
-    rule: allow
-    port: ssh
-    proto: tcp
-  notify: Restart ufw
 - name: Allow all access to https
   become: true
   community.general.ufw:
@@ -147,7 +107,3 @@
     port: '53'
     proto: tcp
   notify: Restart ufw
-- name: Enable ufw
-  become: true
-  community.general.ufw:
-    state: enabled

roles/snapcraft/tasks/main.yml

@@ -1,11 +0,0 @@
----
-- name: Install Snapcraft
-  become: true
-  ansible.builtin.apt:
-    name: snapd
-    state: present
-- name: Install Snap Core
-  become: true
-  community.general.snap:
-    name: core
-    state: present

roles/user/tasks/main.yml

@@ -14,14 +14,13 @@
 - name: Set fact for defining the user which should run the next modules
   ansible.builtin.set_fact:
     target_user: "{{ ansible_facts['user_id'] if user_username is undefined else user_username }}"
-- name: Ensuring ZSH is installed # noqa: package-latest
+- name: Ensuring ZSH is installed
   become: true
   ansible.builtin.apt:
     pkg:
       - acl # Needed to prevent this error: https://stackoverflow.com/questions/46352173/ansible-failed-to-set-permissions-on-the-temporary
-      - git
       - zsh
-    state: latest
+    state: present
 - name: Install Oh My ZSH # noqa: command-instead-of-module   ignore error since we're removing the script after install.
   become: true
   become_user: "{{ target_user }}"