Add roles to router Playbook

router/roles/router/handlers/main.yml

@@ -0,0 +1,13 @@
+- name: Apply netplan configuration
+  ansible.builtin.command:
+    cmd: netplan apply
+
+- name: Restart dnsmasq
+  ansible.builtin.service:
+    name: dnsmasq.service
+    state: restarted
+
+- name: Restart nftables
+  ansible.builtin.service:
+    name: nftables.service
+    state: restarted

router/roles/router/tasks/main.yml

@@ -0,0 +1,63 @@
+# Configure netplan
+- name: Copy armbian.yaml file
+  ansible.builtin.copy:
+    src: armbian.yaml
+    dest: /etc/netplan/armbian.yaml
+    mode: '0644'
+    owner: root
+    group: root
+  notify:
+    - Apply netplan configuration
+
+# Configure dnsmasq
+- name: Ensure that dnsmasq is installed
+  ansible.builtin.apt:
+    name: dnsmasq
+    state: present
+    update_cache: yes
+- name: Copy lan.conf file
+  ansible.builtin.copy:
+    src: lan.conf
+    dest: /etc/dnsmasq.d/lan.conf
+    mode: '0644'
+    owner: root
+    group: root
+  notify:
+    - Restart dnsmasq
+
+# Configure nftables
+- name: Ensure that nftables is installed
+  ansible.builtin.apt:
+    name: nftables
+    state: present
+    update_cache: yes
+- name: Copy nftables.conf file
+  ansible.builtin.copy:
+    src: nftables.conf
+    dest: /etc/nftables.conf
+    mode: '0644'
+    owner: root
+    group: root
+  notify:
+    - Restart nftables
+
+# Configure ip forwarding
+- name: Copy 99-router.conf file
+  ansible.builtin.copy:
+    src: 99-router.conf
+    dest: /etc/sysctl.d/99-router.conf
+    mode: '0644'
+    owner: root
+    group: root
+  notify:
+    - Apply sysctl configuration
+
+# Ensure services are enabled
+- name: Ensure dnsmasq service is enabled
+  ansible.builtin.service:
+    name: dnsmasq.service
+    enabled: true
+- name: Ensure nftables service is enabled
+  ansible.builtin.service:
+    name: nftables.service
+    enabled: true

router/roles/secure_conf/tasks/main.yml

@@ -0,0 +1,27 @@
+# Enable unattended-upgrades
+- name: Install unattended-upgrades and apt-list changes
+  ansible.builtin.apt:
+    name:
+      - unattended-upgrades
+      - apt-listchanges
+    state: present
+    update_cache: yes
+
+- name: Enable auto updates
+  ansible.builtin.shell: echo unattended-upgrades unattended-upgrades/enable_auto_updates boolean true | debconf-set-selections
+
+- name: DPKG reconfigure
+  ansible.builtin.command: dpkg-reconfigure -f noninteractive unattended-upgrades
+
+# Secure configuration in /etc/ssh/ssh_config file
+- name: sshd secure configuration
+  ansible.builtin.blockinfile:
+    name: /etc/ssh/sshd_config
+    block: |
+      Port 22
+      PermitRootLogin no
+      PasswordAuthentication no
+      PubkeyAuthentication yes
+      X11Forwarding no
+    marker: "# {mark} sshd configuration"
+    insertafter: EOF

router/roles/vpn/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: Restart wireguard
+  ansible.builtin.service:
+    name: [email protected]
+    state: restarted

router/roles/vpn/tasks/main.yml

@@ -0,0 +1,28 @@
+# Configure WireGuard
+- name: Ensure that wireguard-tools is installed
+  ansible.builtin.apt:
+    name: wireguard-tools
+    state: present
+    update_cache: yes
+- name: Create wireguard directory
+  ansible.builtin.file:
+    path: /etc/wireguard
+    state: directory
+    mode: '0700'
+    owner: root
+    group: root
+- name: Copy wg0.conf file
+  ansible.builtin.copy:
+    src: wg0.conf
+    dest: /etc/wireguard/wg0.conf
+    mode: '0600'
+    owner: root
+    group: root
+  notify:
+    - Restart wireguard
+
+# Ensure wireguard is enabled
+- name: Ensure wireguard service is enabled
+  ansible.builtin.service:
+    name: [email protected]
+    enabled: true

router/router.yml

@@ -2,122 +2,12 @@
   hosts: routers
   become: true
 
-  tasks:
-    # Apply basic configuration
-    - ansible.builtin.import_tasks: tasks/unattended-upgrades.yml
-    - ansible.builtin.import_tasks: tasks/sshd.yml
-
-    # Configure netplan
-    - name: Copy armbian.yaml file
-      ansible.builtin.copy:
-        src: files/armbian.yaml
-        dest: /etc/netplan/armbian.yaml
-        mode: '0644'
-        owner: root
-        group: root
-      notify:
-        - Apply netplan configuration
-
-    # Configure dnsmasq
-    - name: Ensure that dnsmasq is installed
-      ansible.builtin.apt:
-        name: dnsmasq
-        state: present
-        update_cache: yes
-    - name: Copy lan.conf file
-      ansible.builtin.copy:
-        src: files/lan.conf
-        dest: /etc/dnsmasq.d/lan.conf
-        mode: '0644'
-        owner: root
-        group: root
-      notify:
-        - Restart dnsmasq
-
-    # Configure nftables
-    - name: Ensure that nftables is installed
-      ansible.builtin.apt:
-        name: nftables
-        state: present
-        update_cache: yes
-    - name: Copy nftables.conf file
-      ansible.builtin.copy:
-        src: files/nftables.conf
-        dest: /etc/nftables.conf
-        mode: '0644'
-        owner: root
-        group: root
-      notify:
-        - Restart nftables
-
-    # Configure ip forwarding
-    - name: Copy 99-router.conf file
-      ansible.builtin.copy:
-        src: files/99-router.conf
-        dest: /etc/sysctl.d/99-router.conf
-        mode: '0644'
-        owner: root
-        group: root
-      notify:
-        - Apply sysctl configuration
-
-    # Configure WireGuard
-    - name: Ensure that wireguard-tools is installed
-      ansible.builtin.apt:
-        name: wireguard-tools
-        state: present
-        update_cache: yes
-    - name: Create wireguard directory
-      ansible.builtin.file:
-        path: /etc/wireguard
-        state: directory
-        mode: '0700'
-        owner: root
-        group: root
-    - name: Copy wg0.conf file
-      ansible.builtin.copy:
-        src: files/wg0.conf
-        dest: /etc/wireguard/wg0.conf
-        mode: '0600'
-        owner: root
-        group: root
-      notify:
-        - Restart wireguard
-
-    # Ensure services are enabled
-    - name: Ensure dnsmasq service is enabled
-      ansible.builtin.service:
-        name: dnsmasq.service
-        enabled: true
-    - name: Ensure nftables service is enabled
-      ansible.builtin.service:
-        name: nftables.service
-        enabled: true
-    - name: Ensure wireguard service is enabled
-      ansible.builtin.service:
-        name: [email protected]
-        enabled: true
+  roles:
+    - secure_conf # Apply basic configuration
+    - vpn # VPN configuration
+    - router # Router configuration
 
   handlers:
-    - name: Apply netplan configuration
-      ansible.builtin.command:
-        cmd: netplan apply
-
-    - name: Restart dnsmasq
-      ansible.builtin.service:
-        name: dnsmasq.service
-        state: restarted
-
-    - name: Restart wireguard
-      ansible.builtin.service:
-        name: [email protected]
-        state: restarted
-
-    - name: Restart nftables
-      ansible.builtin.service:
-        name: nftables.service
-        state: restarted
-
     - name: Apply sysctl configuration
       ansible.builtin.command:
         cmd: sysctl --system