upgrade to openhab 3

roles/raspberry/tasks/_attic/ntp.yml

@@ -1,28 +0,0 @@
----
-
-- name: update ntp.conf
-  lineinfile:
-    dest=/etc/ntp.conf
-    regexp="^server\s+.*debian.pool.ntp.org.*"
-    insertafter="^server\s.*"
-    state=absent
-  notify: restart ntp
-  tags:
-    - ntp
-    - ntpconfig
-
-- name: update ntp.conf
-  lineinfile:
-    dest=/etc/ntp.conf
-    insertafter="# pool:"
-    line="server {{item}} iburst"
-  with_items: "{{ntp}}"
-  notify: restart ntp
-  tags:
-    - ntp
-    - ntpconfig
-
-- name: Start the ntp service
-  service: name=ntp state=started enabled=true
-  tags: ntp
-

roles/raspberry/tasks/_attic/timezone.yml

@@ -1,22 +0,0 @@
----
-
-- name: fix /etc/localtime
-  file: 
-     state: link
-     path: "/etc/localtime"
-     src: "/usr/share/zoneinfo/{{timezone}}"
-     owner: root
-     group: root
-     force: true
-  tags:
-    - timezone
-
-- name: fix /etc/timezone
-  copy:
-     dest: "/etc/timezone"
-     content: "{{timezone}}"
-     owner: root
-     group: root
-     mode: "u=rw,g=r,o=r"
-  tags:
-    - timezone

roles/raspberry/tasks/collectd.yml

@@ -0,0 +1,17 @@
+- name: ensure packages are installed
+  apt: 
+    pkg:
+     - collectd
+    update_cache: "{{apt_config.update_cache}}"
+    cache_valid_time: "{{apt_config.cache_valid_time}}"
+
+- name: collectd config
+  template:
+    src: collectd.conf
+    dest: /etc/collectd/collectd.conf
+  notify: restart collectd
+
+- name: remove local rrd files
+  file:
+    dest: /var/lib/collectd/rrd
+    state: absent

roles/raspberry/tasks/main.yml

@@ -3,16 +3,20 @@
 - include: packages.yml
   tags:
   - packages
-- include: timedate.yml
-  tags: 
-  - ntp
-# - include: locale.yml
-#   tags:
-#   - locale
+
 - include: skeleton.yml
   tags:
   - skeleton
 
+- include: ufw.yml
+  tags:
+  - ufw
 
+- include: timedate.yml
+  tags:
+  - timedate
 
+- include: collectd.yml
+  tags:
+  - collectd
 

roles/raspberry/tasks/packages.yml

@@ -6,11 +6,19 @@
      - apt-transport-https
      - tmux
      - python3-pip
-     - git
-     - multitail
      - python3-requests
      - python3-websocket
+     - ufw
+     - docker-compose
+     - python-docker
+     - socat
+     - tcpdump
     update_cache: "{{apt_config.update_cache}}"
     cache_valid_time: "{{apt_config.cache_valid_time}}"
 
 
+- name: set to iptables to legacy
+  command: "update-alternatives --set iptables /usr/sbin/iptables-legacy"
+
+- name: set to ip6tables to legacy
+  command: "update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy"

roles/raspberry/tasks/skeleton.yml

@@ -1,10 +1,19 @@
 ---
 
 - name: alias
-  copy:
+  template:
      src: alias
-     dest: "/home/pi/.bash_aliases"
-     owner: pi
-     group: pi
+     dest: "{{ item.homedir }}/.bash_aliases"
+     owner: "{{ item.name }}"
      mode: "u=rw,g=r,o=r"
+  loop:
+    - {name: "{{ user_name }}", homedir: "/home/{{ user_name }}" }
+    - {name: "root", homedir: "/root" }
 
+- name: root_bashrc
+  template:
+     src: root.bashrc
+     dest: "/root/.bashrc"
+     owner: root
+     group: root
+     mode: "u=rw,g=r,o=r"

roles/raspberry/tasks/ufw.yml

@@ -0,0 +1,37 @@
+---
+
+- name: "Allow SSH"
+  community.general.ufw:
+    rule: allow
+    name: OpenSSH
+
+- name: "Allow HTTP for letsencrypt"
+  community.general.ufw:
+    rule: allow
+    port: "80"
+    proto: tcp
+
+- name: "Allow HTTPS"
+  community.general.ufw:
+    rule: allow
+    port: "443"
+    proto: tcp
+
+- name: "Allow all private IPv4 networks"
+  community.general.ufw:
+    rule: allow
+    src: '{{ item }}'
+  with_items:
+    - 10.0.0.0/8
+    - 172.16.0.0/12
+    - 192.168.0.0/16
+
+- name: "Set logging" 
+  community.general.ufw:
+    logging: "on"
+
+- name: "Enable UFW"
+  community.general.ufw:
+    state: enabled
+    policy: deny
+