
Merge branch 'master' of github.com:ffdo/ffdo-ansible

Till Klocke 7 vuotta sitten
vanhempi
commit
d73d56e541

+ 2 - 2
ansible.cfg

@@ -2,8 +2,8 @@
 inventory=inventories/ffdo/hosts
 #vault_password_file=.vault-password
 
-#[privilege_escalation]
-#become=True
+[privilege_escalation]
+become=True
 
 [ssh_connection]
 pipelining=True
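Review bot: Uncommenting `become=True` here makes every task of every play escalate through sudo, including steps that have no business running as root (delegate_to localhost / local_action work, lookups, fact gathering), which widens the blast radius of any role mistake; least privilege is to leave the global default off and set `become: true` per play or per task in site.yml where root is actually needed. If the global default is kept on purpose, say so above it, e.g. `# All plays escalate by default; opt out per task with become: false.`, so the next reader does not have to discover it from a failed local task.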

+ 3 - 3
roles/common-auth/tasks/users.yml

@@ -6,15 +6,15 @@
     uid: "{{ item.uid }}"
     groups: adm,sudo,systemd-journal
     shell: /bin/bash
-  with_items: users
+  with_items: "{{ users }}"
 - name: Ensure users ssh keys exist
   authorized_key:
     user: "{{ item.name }}"
     key: "{{ item.authorized | default([]) | join('\n') }}"
-  with_items: users
+  with_items: "{{ users }}"
 - name: Ensure deprecated ssh keys are removed
   authorized_key:
     state: absent
     user: "{{ item.name }}"
     key: "{{ item.invalid | default([]) | join('\n') }}"
-  with_items: users
+  with_items: "{{ users }}"
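Review bot: The removal task at the end of the hunk only strips keys that were explicitly moved to `item.invalid`, so a key simply deleted from `item.authorized` stays authorized on every host; if the inventory is meant to be the single source of truth, set `exclusive: true` on the "Ensure users ssh keys exist" task (the removal task then becomes redundant), otherwise add a comment that both lists must be maintained by hand. Separately, `join('\n')` over an empty `authorized` list yields an empty key string, which authorized_key may reject — guard that task with `when: item.authorized | default([]) | length > 0` if accounts without keys occur. The first task's `- name:`/`user:` lines sit above the hunk.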

+ 4 - 1
roles/common-system/tasks/kernel.yml

@@ -1,4 +1,7 @@
 ---
 
 - name: Ensure latest backports kernel is installed
-  apt: name=linux-image-amd64 state=latest default_release={{ ansible_distribution_release }}-backports install_recommends=no
+  apt: name={{ item }} state=latest default_release={{ ansible_distribution_release }}-backports install_recommends=no
+  with_items:
+    - linux-image-amd64
+    - linux-base
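Review bot: `state=latest` pulls a newer kernel on every run, but nothing reacts to the result, so a host that just received a fixed kernel keeps running the old one until someone reboots it while the play reports success; register the outcome and notify a reboot (or at least a warning) handler, e.g. `register: kernel_pkgs` and `notify: reboot required` — presuming such a handler exists in the role, otherwise add one. As a style point, the apt module accepts a list, so `name: ['linux-image-amd64', 'linux-base']` in one call lets apt resolve both packages in a single transaction instead of looping.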

+ 2 - 0
roles/mesh-routing/files/sysctl.conf

@@ -1,6 +1,8 @@
 ## Networking
 # See https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
 
+net.nf_conntrack_max = 131072
+
 ## IPv4 tuning
 
 # Reset all configuration parameters to RFC1812
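Review bot: `net.nf_conntrack_max` only exists once the nf_conntrack module is loaded, so applying this file early at boot (before any netfilter rule or traffic loads the module) makes sysctl report an unknown key and, depending on how the role applies the file, may abort the rest of it; make sure the module is loaded first (an `nf_conntrack` entry under /etc/modules-load.d/ or a modprobe step in the role), or prefix the key with `-` if the sysctl tooling in use honours that "ignore if missing" syntax. Also add the rationale, e.g. `# Raised above the RAM-derived default so the conntrack table does not fill under mesh load; roughly 300 B per entry, so tens of MB at this size.` — and note that the hash bucket count (nf_conntrack hashsize) is not raised alongside it.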

+ 1 - 1
roles/mesh-vpn-fastd/files/fastd-blacklist.sh

@@ -2,7 +2,7 @@
 
 PEER_KEY=$1
 
-if /bin/grep -Fq $PEER_KEY /etc/fastd/fastd-blacklist.json; then
+if /bin/grep -Fq $PEER_KEY /etc/fastd/fastd-blacklist.json /etc/fastd/ffdo-blacklist.txt; then
   exit 1
 else
   exit 0
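Review bot: `$PEER_KEY` is unquoted and never checked for emptiness, so with an empty first argument grep takes the json path as its pattern and searches only the txt file, almost certainly finds nothing and the script exits 0 — the peer is admitted; and any grep error (for example the new ffdo-blacklist.txt missing on a host, exit status 2) also falls into the `else` branch and admits the peer. Quote the key, reject an empty one, and decide explicitly what a grep error means — failing closed is the secure default, though on a mesh VPN you may prefer to log and accept; the rewrite below fails closed. The shebang at line 1 is outside the hunk.

```shell
PEER_KEY=$1
# An empty key or a grep error (e.g. a missing list file) must not admit the peer.
[ -n "$PEER_KEY" ] || exit 1
/bin/grep -Fq -- "$PEER_KEY" /etc/fastd/fastd-blacklist.json /etc/fastd/ffdo-blacklist.txt
case $? in
  1) exit 0 ;;   # not listed: accept
  *) exit 1 ;;   # listed (0) or grep error (2): reject
esac
```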

+ 1 - 0
roles/mesh-vpn-fastd/files/ffdo-blacklist.txt

@@ -0,0 +1 @@
+

+ 4 - 1
roles/mesh-vpn-fastd/tasks/blacklist.yml

@@ -1,12 +1,15 @@
 ---
 
-- name: Check if blacklist file exists
+- name: Check if global blacklist file exists
   stat: path=/etc/fastd/fastd-blacklist.json
   register: blacklist
 - name: Ensure blacklist file exists
   file: name=/etc/fastd/fastd-blacklist.json state=touch owner=fastd
   when: not blacklist.stat.exists
 
+- name: Ensure ffdo blacklist file exists
+  copy: src=ffdo-blacklist.txt dest=/etc/fastd/ffdo-blacklist.txt
+
 - name: Install crontab to update the blacklist
   cron:
     name: Update fastd blacklist
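Review bot: The new copy task sets no owner or mode, so the blacklist lands with whatever root's umask yields while the json file next to it is explicitly `owner=fastd`; since the verify hook runs as the fastd user but this list is meant to be managed only by Ansible, make the intent explicit and keep it read-only for the daemon: `copy: src=ffdo-blacklist.txt dest=/etc/fastd/ffdo-blacklist.txt owner=root group=root mode=0644`. A one-line comment such as `# Static, repo-managed blacklist; the json file is refreshed by the cron job below` would also tell the reader why two lists exist. The cron task continues past the end of the hunk.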

+ 1 - 1
roles/mesh-vpn-fastd/templates/fastd.conf.j2

@@ -14,7 +14,7 @@ mtu 1280;
 secure handshakes yes;
 forward no;
 log to syslog level verbose;
-# status socket "/tmp/fastd-{{ item.name }}.sock";
+status socket "/tmp/fastd-{{ item.name }}.sock";
 user "fastd";
 
 on up "
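Review bot: Enabling the status socket at a predictable path under /tmp invites squatting: any local user can pre-create `/tmp/fastd-<name>.sock` (or a symlink there) and, depending on how fastd handles an existing path, make the instance fail to start or expose its status to everyone who can reach the socket file. Put it in a directory owned by the fastd user that nobody else can write, e.g. `status socket "/run/fastd/{{ item.name }}.sock";` with the directory created by the role (or a systemd RuntimeDirectory), and document who is expected to read it, e.g. `# Status socket read by local monitoring only; do not expose beyond this host.`. How fastd applies permissions to the socket is not visible here — worth confirming against the fastd version deployed. The `on up "` string that follows continues outside the hunk.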

+ 0 - 2
site.yml

@@ -31,8 +31,6 @@
     - common-ntpclient
     - service-nginx
     # - service-map
-    # - service-wiki
-    # - service-gitolite
 
 - hosts: serviceservers
   roles: