refactor task files, ensure network iface naming

5a88755f · Lars Beckers · 3c2c2f20 · 5a88755f · 3c2c2f20 · 5a88755f
Commit 5a88755f authored Oct 14, 2017 by Lars Beckers
--- a/basic-system/handlers/main.yml
+++ b/basic-system/handlers/main.yml
@@ -6,3 +6,6 @@
 - name: configure journal directory
  command: systemd-tmpfiles --create --prefix /var/log/journal
+- name: update initramfs
+  command: update-initramfs -u
--- a/basic-system/tasks/filesystem.yml
+++ b/basic-system/tasks/filesystem.yml
---
-# file: roles/common/tasks/filesystem.yml
- name: ensure /tmp is a tmpfs
-  mount: name=/tmp src=tmpfs fstype=tmpfs opts=nosuid,rw,noexec state=mounted
-  tags:
-    - config
-    - mount
--- a/basic-system/tasks/logging.yml
+++ b/basic-system/tasks/logging.yml
 ---
 # file: roles/common/task/logging.yml
+- name: restrict dmesg access to only root
+  sysctl: name=kernel.dmesg_restrict value=1 state=present sysctl_set=yes
+  tags: 
+    - security
+    - sysctl
+    - config
 - name: ensure systemd journal is presistent
  file: path=/var/log/journal state=directory
  notify:

--- a/basic-system/tasks/main.yml
+++ b/basic-system/tasks/main.yml
 ---
- include: filesystem.yml
+- name: ensure /tmp is a tmpfs
- meta: flush_handlers
+  mount: name=/tmp src=tmpfs fstype=tmpfs opts=nosuid,rw,noexec state=mounted
+  tags:
+    - config
+    - mount
 - include: logging.yml
 - meta: flush_handlers
- include: sysctl.yml
+- include: network.yml
- meta: flush_handlers
- include: dns.yml
- meta: flush_handlers
- include: tls.yml      
 - meta: flush_handlers
--- a/basic-system/tasks/dns.yml
+++ b/basic-system/tasks/dns.yml
@@ -29,3 +29,39 @@
    - dns
    - network
    - config
+- name: ensure deactivation of tcp_timestamps
+  sysctl: name=net.ipv4.tcp_timestamps value=0 state=present sysctl_set=yes
+  tags: 
+    - security
+    - sysctl
+    - config
+- name: ensure deactivation of ipv6 tempaddr (all)
+  sysctl: name=net.ipv6.conf.all.use_tempaddr value=0 state=present sysctl_set=yes
+  tags:
+    - security
+    - sysctl
+    - config
+- name: ensure deactivation of ipv6 tempaddr (default)
+  sysctl: name=net.ipv6.conf.default.use_tempaddr value=0 state=present sysctl_set=yes
+  tags:
+    - security
+    - sysctl
+    - config
+- name: ensure openssl is installed
+  apt: name=openssl state=latest
+  tags:
+    - packages
+    - tls
+- name: ensure reasonable network interface naming
+  file: state=link src=/dev/null dest=/etc/systemd/network/99-default.link
+  notify:
+    - update initramfs
+  tags:
+    - config
+    - network
--- a/basic-system/tasks/sysctl.yml
+++ b/basic-system/tasks/sysctl.yml
---
-# file: roles/common/tasks/sysctl.yml
- name: ensure deactivation of tcp_timestamps
-  sysctl: name=net.ipv4.tcp_timestamps value=0 state=present sysctl_set=yes
-  tags: 
-    - security
-    - sysctl
-    - config
- name: ensure deactivation of ipv6 tempaddr (all)
-  sysctl: name=net.ipv6.conf.all.use_tempaddr value=0 state=present sysctl_set=yes
-  tags:
-    - security
-    - sysctl
-    - config
- name: ensure deactivation of ipv6 tempaddr (default)
-  sysctl: name=net.ipv6.conf.default.use_tempaddr value=0 state=present sysctl_set=yes
-  tags:
-    - security
-    - sysctl
-    - config
- name: restrict dmesg access to only root
-  sysctl: name=kernel.dmesg_restrict value=1 state=present sysctl_set=yes
-  tags: 
-    - security
-    - sysctl
-    - config
--- a/basic-system/tasks/tls.yml
+++ b/basic-system/tasks/tls.yml
---
-# file: roles/common/tasks/tls.yml
- name: ensure openssl is installed
-  apt: name=openssl state=latest
-  tags:
-    - packages
-    - tls