add lua, add python packages

umask is not supported in an action

roles/firewall/templates/ip6tables.j2

@@ -48,6 +48,13 @@
 -A ICMP_FLOOD -j ACCEPT
 {% endif %}
 
+{% if firewall_dns_whitelist is defined %}
+-N ACCEPT_DNS
+-A ACCEPT_DNS -m tcp -p tcp --dport 53 -m comment --comment "accept dns 53/tcp6" -j LOG_ACCEPT
+-A ACCEPT_DNS -m udp -p udp --dport 53 -m comment --comment "accept dns 53/udp6" -j LOG_ACCEPT
+-A ACCEPT_DNS -m comment --comment "ACCEPT_DNS default drop inet6" -j LOG_DROP
+{% endif %}
+
 -A INPUT -i lo -m comment --comment "lo accept all inet6" -j ACCEPT
 
 {% if firewall_ssh_whitelist | length %}
@@ -60,6 +67,14 @@
 -A INPUT -p tcp -m tcp --dport 22 -m set --match-set mgmt_v6 src -m comment --comment "accept mgmt ssh 22/tcp6" -j ACCEPT
 {% endif %}
 
+{% if firewall_dns_whitelist is defined and
+      firewall_dns_whitelist | length %}
+{% for ip in firewall_dns_whitelist | ipv6 %}
+-A INPUT -m tcp -p tcp --dport 53 --source {{ ip }} -m comment --comment "accept {{ ip }} dns 53/tcp6" -j ACCEPT_DNS
+-A INPUT -m udp -p udp --dport 53 --source {{ ip }} -m comment --comment "accept {{ ip }} dns 53/udp6" -j ACCEPT_DNS
+{% endfor %}
+{% endif %}
+
 -A INPUT -m state --state INVALID -m comment --comment "drop invalid inet6" -j DROP
 
 {% if firewall_ipset_blacklist | length %}

roles/firewall/templates/iptables.j2

@@ -48,6 +48,13 @@
 -A ICMP_FLOOD -j ACCEPT
 {% endif %}
 
+{% if firewall_dns_whitelist is defined %}
+-N ACCEPT_DNS
+-A ACCEPT_DNS -m tcp -p tcp --dport 53 -m comment --comment "accept dns 53/tcp" -j LOG_ACCEPT
+-A ACCEPT_DNS -m udp -p udp --dport 53 -m comment --comment "accept dns 53/udp" -j LOG_ACCEPT
+-A ACCEPT_DNS -m comment --comment "ACCEPT_DNS default drop" -j LOG_DROP
+{% endif %}
+
 -A INPUT -i lo -m comment --comment "lo accept all" -j ACCEPT
 
 {% if firewall_ssh_whitelist | length %}
@@ -60,6 +67,14 @@
 -A INPUT -p tcp -m tcp --dport 22 -m set --match-set mgmt_v4 src -m comment --comment "accept mgmt ssh 22/tcp" -j ACCEPT
 {% endif %}
 
+{% if firewall_dns_whitelist is defined and
+      firewall_dns_whitelist | length %}
+{% for ip in firewall_dns_whitelist | ipv4 %}
+-A INPUT -m tcp -p tcp --dport 53 --source {{ ip }} -m comment --comment "accept {{ ip }} dns 53/tcp" -j ACCEPT_DNS
+-A INPUT -m udp -p udp --dport 53 --source {{ ip }} -m comment --comment "accept {{ ip }} dns 53/udp" -j ACCEPT_DNS
+{% endfor %}
+{% endif %}
+
 -A INPUT -m state --state INVALID -m comment --comment "drop invalid" -j DROP
 
 {% if firewall_ipset_blacklist | length %}

roles/gitea/defaults/main.yaml

@@ -54,6 +54,7 @@ gitea_var_tree:
   - "{{ gitea_var_path }}/custom"
   - "{{ gitea_var_path }}/data"
   - "{{ gitea_var_path }}/log"
+  - "{{ gitea_var_path }}/backup"
 
 gitea_ssl_enabled: yes
 gitea_ssl_certificate: "/etc/letsencrypt/live/{{ gitea_domain }}/fullchain.pem"

roles/nsd/defaults/main.yaml

@@ -0,0 +1,17 @@
+---
+nsd_package_name: nsd
+nsd_package_state: present
+
+nsd_service_name: nsd
+nsd_service_state: started
+nsd_service_enabled: yes
+
+nsd_etc_path: /etc/nsd
+nsd_zone_path: "{{ nsd_etc_path }}/zones"
+
+nsd_server_config:
+  verbosity: 2
+  zonesdir: "{{ nsd_zone_path }}"
+  ip-address:
+    - "{{ ansible_default_ipv4.address }}"
+    - "{{ ansible_default_ipv6.address }}"

roles/nsd/handlers/main.yaml

@@ -0,0 +1,10 @@
+---
+- name: reload nsd
+  service:
+    name: "{{ nsd_service_name }}"
+    state: reloaded
+
+- name: restart nsd
+  service:
+    name: "{{ nsd_service_name }}"
+    state: restarted

roles/nsd/tasks/main.yaml

@@ -0,0 +1,36 @@
+---
+- name: install package
+  package:
+    name: "{{ nsd_package_name }}"
+    state: "{{ nsd_package_state }}"
+
+- name: create zone directory
+  file:
+    path: "{{ nsd_zone_path }}"
+    state: directory
+
+- name: configure
+  template:
+    src: nsd.conf.j2
+    dest: "{{ nsd_etc_path }}/nsd.conf"
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart nsd
+
+- name: configure zones
+  copy:
+    src: "files/nsd/zones/{{ item.filename | default(item.name + '.zone') }}"
+    dest: "{{ nsd_zone_path }}/{{ item.name }}.zone"
+    owner: root
+    group: nsd
+    mode: 0640
+    validate: "nsd-checkzone {{ item.name }} %s"
+  loop: "{{ nsd_zones | default([]) }}"
+  notify: reload nsd
+
+- name: manage service
+  service:
+    name: "{{ nsd_service_name }}"
+    state: "{{ nsd_service_state }}"
+    enabled: "{{ nsd_service_enabled }}"

roles/nsd/templates/nsd.conf.j2

@@ -0,0 +1,34 @@
+# {{ ansible_managed }}
+
+{% if nsd_server_config is defined and
+      nsd_server_config is mapping %}
+server:
+{% for k, v in nsd_server_config.items() %}
+{% if v is string or v is number %}
+    {{ k }}: {{ v }}
+{% elif v is sequence %}
+{% for vv in v %}
+    {{ k }}: {{ vv }}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endif %}
+
+{% if nsd_zones is defined and
+      nsd_zones is sequence %}
+{% for zone in nsd_zones %}
+{% if zone is defined and
+      zone is mapping %}
+zone:
+{% for k, v in zone.items() %}
+{% if v is string %}
+    {{ k }}: {{ v }}
+{% elif v is sequence %}
+{% for vv in v %}
+    {{ k }}: {{ vv }}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endif %}

roles/rsyslog/templates/archival.conf.j2

@@ -31,5 +31,4 @@ template(
     fileGroup="{{ rsyslog_file_group }}"
     dirOwner="{{ rsyslog_file_owner }}"
     dirGroup="{{ rsyslog_file_group }}"
-    umask="{{ rsyslog_umask }}"
 )

roles/util/defaults/main.yaml

@@ -37,3 +37,10 @@ util_packages:
   text:
     - jq
     - crudini
+  interpreters:
+    - lua5.3
+  python:
+    - python-pip
+    - python3-pip
+    - python-requests
+    - python3-requests