pez-infra/ansible/roles/common/tasks/main.yml
Rasmus Wejlgaard 1b3cf7401f Remove stale cloudflared service from copenhagen-a (PESO-138)
cloudflared was retired in #56 when Caddy + Authelia replaced Cloudflare
Tunnels, but copenhagen-a was unreachable at the time so its
cloudflared.service was never stopped and is still running.

Add a cleanup task to the common role that stops, disables and purges
cloudflared wherever the unit lingers. Gated on the unit file existing so
it self-targets copenhagen-a and is a no-op everywhere else, and explicitly
excludes copenhagen-c, which legitimately runs a hand-configured tunnel.
2026-06-07 11:43:58 +01:00

164 lines
4.5 KiB
YAML

---
# Common baseline for all Linux hosts.
# Installs core packages, configures SSH, sets up the shell environment.
- name: Update apt cache
ansible.builtin.apt:
update_cache: true
cache_valid_time: 3600
- name: Install baseline packages
ansible.builtin.apt:
name:
- curl
- wget
- git
- htop
- tmux
- vim
- jq
- unzip
- fish
- rsync
- fail2ban
- ufw
state: present
- name: Get fish shell path
ansible.builtin.command: which fish
changed_when: false
register: common_fish_path
when: inventory_hostname != 'london-a'
- name: Set fish as default shell
ansible.builtin.user:
name: root
shell: "{{ common_fish_path.stdout }}"
when: inventory_hostname != 'london-a'
- name: Ensure SSH directory exists
ansible.builtin.file:
path: /root/.ssh
state: directory
mode: '0700'
- name: Harden SSH config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
loop:
- {regexp: '^#?PermitRootLogin', line: 'PermitRootLogin prohibit-password'}
- {regexp: '^#?PasswordAuthentication', line: 'PasswordAuthentication no'}
- {regexp: '^#?X11Forwarding', line: 'X11Forwarding no'}
notify: Restart sshd
- name: Enable fail2ban
ansible.builtin.service:
name: fail2ban
state: started
enabled: true
# --- UFW firewall ---
- name: Set UFW default deny incoming
community.general.ufw:
direction: incoming
default: deny
when: common_ufw_enabled | bool
notify: Reload ufw
- name: Set UFW default allow outgoing
community.general.ufw:
direction: outgoing
default: allow
when: common_ufw_enabled | bool
notify: Reload ufw
- name: Allow all traffic on Tailscale interface
community.general.ufw:
rule: allow
direction: in
interface: tailscale0
comment: "Tailscale mesh - allow all"
when: common_ufw_enabled | bool
notify: Reload ufw
- name: Allow SSH (safety net)
community.general.ufw:
rule: allow
port: '22'
proto: tcp
comment: "SSH"
when: common_ufw_enabled | bool
notify: Reload ufw
- name: Allow host-specific ports
community.general.ufw:
rule: allow
port: "{{ item.port | string }}"
proto: "{{ item.proto | default('tcp') }}"
from_ip: "{{ item.from_ip | default(omit) }}"
comment: "{{ item.comment | default(omit) }}"
loop: "{{ common_ufw_allowed_ports }}"
when:
- common_ufw_enabled | bool
- common_ufw_allowed_ports | length > 0
notify: Reload ufw
# When a port is restricted to a source (from_ip), make sure the older
# unrestricted "allow from anywhere" variant of the same rule isn't left
# lingering on the host — UFW keeps it otherwise, which would defeat the
# source restriction. Deleting an absent rule is a no-op, so this is safe
# on hosts that never had the broad rule.
- name: Remove superseded world-open rules for source-restricted ports
community.general.ufw:
rule: allow
port: "{{ item.port | string }}"
proto: "{{ item.proto | default('tcp') }}"
delete: true
loop: "{{ common_ufw_allowed_ports | selectattr('from_ip', 'defined') | list }}"
when: common_ufw_enabled | bool
notify: Reload ufw
- name: Enable UFW
community.general.ufw:
state: enabled
when: common_ufw_enabled | bool
# --- Cleanup: orphaned cloudflared (PESO-138) ---
# Cloudflare Tunnels were retired in favour of Caddy + Authelia (PESO-134, #56),
# which removed cloudflared from ansible config. copenhagen-a was unreachable at
# the time, so its cloudflared.service was never actually stopped and is still
# running. Remove it wherever the unit lingers. copenhagen-c legitimately runs a
# hand-configured cloudflared tunnel — never touch it.
- name: Detect lingering cloudflared unit
ansible.builtin.stat:
path: /etc/systemd/system/cloudflared.service
register: common_cloudflared_unit
when: inventory_hostname != 'copenhagen-c'
- name: Remove orphaned cloudflared
when:
- inventory_hostname != 'copenhagen-c'
- common_cloudflared_unit.stat.exists | default(false)
block:
- name: Stop and disable cloudflared
ansible.builtin.systemd:
name: cloudflared
state: stopped
enabled: false
failed_when: false
- name: Remove cloudflared systemd unit
ansible.builtin.file:
path: /etc/systemd/system/cloudflared.service
state: absent
notify: Reload systemd daemon
- name: Uninstall cloudflared package
ansible.builtin.apt:
name: cloudflared
state: absent
purge: true