Completed 'services' role + tested on empty node. I also moved task from the main playbook to the 'common' role to better reflect the actions taken by each role

dnaclab_linux/ansible.cfg

@@ -1,2 +0,0 @@
-[defaults]
-private_key_file = /home/vlad/.ssh/id_rsa

dnaclab_linux/inventory.yml

@@ -22,3 +22,4 @@
           telemetry.dnaclab.net:
           developer.dnaclab.net:
           gitlab.dnaclab.net:
+          test.dnaclab.net:

dnaclab_linux/prestage.yml

@@ -1,6 +1,11 @@
+# This playbook is an example of how to manage linux servers with Ansible playbooks. It consists of multiple roles
+# which are read in sequence and run through their tasks (defined in the 'roles/xxxx/tasks/main.yml' file - 'xxxx' being the name of the role)
+# The playbook requires the target hosts to have a user with sudo privileges configured - add the credentials of this user to the encrypted
+# 'roles/common/vars/main.yml' file using the function 'ansible-vault edit'
+
 ---
-- name: Prestage server and install services [SYSLOG, FTP, TFTP, NTP]
-  hosts: services
+- name: Prestage server(s) with the following roles {{ ansible_play_role_names }}
+  hosts: test
   roles: 
     - common
     - services
@@ -8,26 +13,6 @@
 
   tasks:
 
-    - name: Update and upgrade current packages
-      apt:
-        update_cache: yes
-        upgrade: yes
-
-    - name: Create a new regular user with sudo privileges
-      user:
-        name: "{{ create_user }}"
-        state: present
-        groups: sudo
-        append: true
-        create_home: true
-        shell: /bin/bash
-
-    - name: Set authorized key for remote user
-      authorized_key:
-        user: "{{ create_user }}"
-        state: present
-        key: "{{ copy_local_key }}"
-
     - name: Send Webex Teams message via BOT to confirm playbook completion
       community.general.cisco_webex:
         recipient_type: toPersonEmail

dnaclab_linux/roles/common/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+- name: Update and upgrade current packages
+  ansible.builtin.apt:
+    update_cache: yes
+    upgrade: yes
+
+- name: Create a user with sudo privileges which will be used for managing the host via SSH
+  ansible.builtin.user:
+    name: "{{ local_user }}"
+    state: present
+    groups: sudo
+    append: true
+    create_home: true
+    shell: /bin/bash
+    password: "{{ local_password }}"
+
+- name: Set authorized key for remote SSH access (passwordless login)
+  ansible.posix.authorized_key:
+    user: "{{ local_user }}"
+    state: present
+    key: "{{ local_key }}"

dnaclab_linux/roles/common/vars/main.yml

@@ -1,25 +1,29 @@
 $ANSIBLE_VAULT;1.1;AES256
-37306465323037623364336366393036643966666232653964313436383333633133353232636166
-3232373132386263633466643139313732656537383239310a303935333732353632383736356235
-61326134633862343632343035646637306135646532353264363533383233663034623162663263
-6235616361396435310a313862636162316238336237383938613139366534616537343638306237
-63616535313636303666616137336366626561393162336134656166313837633933326631363430
-39656335303261656637626663383065633265306438323839373239663634316439623730303532
-65383231393738633436356139633665316533383734316434313430393163396636613366373435
-30613839633164363032333434643738353335363666326430396461633331623532346465323361
-37356136306466663132383133653435666666383831646262356166633737656266376135653530
-31363531663366623539363963363766633264356363636133343938323738376630333664666535
-32386230633461623164373338373032313635393137366131336633366137396135343665633330
-33633336386633373437393939343430623164626534633264333031323633613666363738653764
-35373565636233336639393463306534326536383438656334343733333036346463613962643066
-36396634336366396533353038356361326437646538313464653438353231653636366334336437
-34313334326539326338343036633732666465653662373961653566663361396231666566343064
-37633133343463633833643735333637333531326161356263643261653462643362386336623961
-35623864346665633130306233356133346633646238353839393136353439383266343732666535
-63613634663962636436653639396266343166363362663161633562623136343363373037633437
-65386432333634343437313139323466666635313330323831313034616230636465353236383635
-35393138363462333839616261306361386466386662323835376436323462326238363161623339
-64636661623431336266356531373736636337316462333266623266643031613533343632643731
-65653337393562636635326262663639353037336231323332313364616438366362623238393262
-39633134313262616639633637386339353761343339646632356436303061613662643738323736
-36656337333134306363
+32623135623032666634373536313037663734313837316335613936383235393038373434366236
+3034643538666133396565626235616133646138613931660a383037323333373161616436613639
+61663131636637376531646438643166316439643339333433343665303438336163633638316364
+3534353732666636360a323866656461633461386130663263616132646631383736303864393532
+63346661653135313636646233396166323630633535643735653965313637353538393634336161
+39353736353262373139653763646539323030646432633730333334393562306361626637376163
+63343331646236323232393832373037616333333334643630633262333536323563623032373136
+35663333306264616564343263663930393562356465623232386536656434613664316335303933
+64623238323836336538303361663965316136383533666533306235373663646338313164633534
+32346632386164376630646662336436373036653330643137336233613236633335393939333839
+32313066316631366632386234323862386535343964346261633362386331653130396437643930
+61363265356236343639663931643835646261633038356133613964336466396532633436653939
+35363133343634383638363265636261393761653262353035376339333661386262393966343234
+32326136343233356534316562343132303963323862343038613734356436303865356334643031
+32326335633237353563383166666165373232653134643263386536386638633636336662336166
+37313464323961363237306331373132613962636162303561333836656361653732666563363563
+66376231306539613666363534656263366534303066636166336633656136313531333638386437
+33393462663161336630623532313934373535383130373735633632623032336366616164333233
+63366463623838363638613463633134353830353537636630343636333161616333303862623534
+62633134303939366339616530366634366339643935623265636639323533336530663030383031
+39313061626366656431636533643037323439663463653033343735306632333433663231393332
+32346539643064653662323766653765653235633935643530343031666637636563656339313137
+64316164636136666139393762336530373365616563306231396531373031633337383864643361
+66663539303532656335373139656634363539646533393932326462623163653034383036636333
+62343830343136306565303934383464333233633265386635313066646635663664326135663836
+32356433353832323736363939343165346130363031373731366532313137653435393534393030
+37326635656537366339326538653238353534313934303632343361383164633037353136613562
+37383166653735303330

dnaclab_linux/roles/services/files/ntp.conf

@@ -0,0 +1,60 @@
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+# Leap seconds definition provided by tzdata
+leapfile /usr/share/zoneinfo/leap-seconds.list
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+# Specify one or more NTP servers.
+
+# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
+# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
+# more information.
+pool pool.ntp.org
+server 0.uk.pool.ntp.org iburst
+server 1.uk.pool.ntp.org
+server 127.0.0.1
+
+# Use Ubuntu's ntp server as a fallback.
+pool ntp.ubuntu.com
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery limited
+restrict -6 default kod notrap nomodify nopeer noquery limited
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
+# Needed for adding pool entries
+restrict source notrap nomodify noquery
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+#restrict 192.168.123.0 mask 255.255.255.0 notrust
+
+
+# If you want to provide time to your local subnet, change the next line.
+# (Again, the address is an example only.)
+#broadcast 192.168.123.255
+
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines.  Please do this only if you trust everybody on the network!
+#disable auth
+#broadcastclient

dnaclab_linux/roles/services/files/syslog-ng-network-devices.conf

@@ -0,0 +1,55 @@
+#Options
+
+options {
+        create-dirs(yes);
+        owner(administrator);
+        group(administrator);
+        perm(0640);
+        dir-owner(administrator);
+        dir-group(administrator);
+        dir-perm(0750);
+};
+
+#Sources
+
+source s_regular { tcp(port(5140)); };
+source s_cisco { tcp(port(5141) flags(no-parse,store-raw-message)); };
+source s_servers { tcp(port(5142) flags(no-parse,store-raw-message)); };
+
+#Templates
+
+template t_jsonfile {
+    template("$(format-json --scope rfc5424 --scope dot-nv-pairs --rekey .* --shift 1 --scope nv-pairs --key ISODATE)\n");
+};
+
+#Parsers
+
+parser p_cisco { cisco-parser(); };
+
+#Destinations
+
+destination d_raw {
+    file("/home/administrator/Desktop/SYSLOG/RAW_LOGS/$HOST-$YEAR-$MONTH-$DAY.log" template("${RAWMSG}\n"));
+};
+destination d_from_cisco {
+    file("/home/administrator/Desktop/SYSLOG/CISCO_DEVICES/$HOST-$YEAR-$MONTH-$DAY.log" template(t_jsonfile));
+};
+destination d_from_servers {
+    file("/home/administrator/Desktop/SYSLOG/SERVERS/$HOST-$YEAR-$MONTH-$DAY.log" );
+};
+
+#Loggers
+
+log {
+    source(s_regular);
+    destination(d_raw);
+};
+log {
+    source(s_cisco);
+    parser(p_cisco);
+    destination(d_from_cisco);
+};
+log {
+    source(s_servers);
+    destination(d_from_servers);
+};

dnaclab_linux/roles/services/files/tftpd-hpa

@@ -0,0 +1,6 @@
+# /etc/default/tftpd-hpa
+
+TFTP_USERNAME="tftp"
+TFTP_DIRECTORY="/home/administrator/Desktop/TFTP"
+TFTP_ADDRESS=":69"
+TFTP_OPTIONS="--secure --create"

dnaclab_linux/roles/services/files/vsftpd.conf

@@ -0,0 +1,46 @@
+listen=YES
+listen_ipv6=NO
+anonymous_enable=NO
+local_enable=YES
+write_enable=YES
+local_umask=022
+dirmessage_enable=YES
+use_localtime=YES
+xferlog_enable=YES
+connect_from_port_20=YES
+chroot_local_user=YES
+secure_chroot_dir=/var/run/vsftpd/empty
+pam_service_name=vsftpd
+rsa_cert_file=/etc/ssl/certs/sftp.ubuntu.dnaclab.net.pem
+rsa_private_key_file=/etc/ssl/private/sftp.ubuntu.dnaclab.net.key
+ssl_enable=NO
+pasv_enable=YES
+pasv_min_port=10000
+pasv_max_port=10100
+allow_writeable_chroot=YES
+
+# Below verbose log is for transfer/upload, formatted for common tools stats.
+# Use command: tail -f /var/log/xferlog
+xferlog_enable=YES
+xferlog_file=/var/log/xferlog
+xferlog_std_format=YES
+
+# Below verbose log is for FTP commands and responses.
+# By default, logs were written to syslog instead of file.
+# Use command: tail -f /var/log/vsftpd.log
+# Use command: logread -f
+
+log_ftp_protocol=YES
+vsftpd_log_file=/var/log/vsftpd.log
+syslog_enable=YES
+
+# Allow log 1 and 2 to be written simultaneously.
+
+dual_log_enable=YES
+
+#Directory configuration and user access
+
+local_root=/home/administrator/Desktop/SFTP
+userlist_enable=YES
+userlist_file=/etc/vsftpd.userlist
+userlist_deny=NO

dnaclab_linux/roles/services/tasks/main.yml

@@ -1,17 +1,17 @@
 ---
 - name: Install required packages
-  apt:
+  ansible.builtin.apt:
     name: "{{ item }}"
   loop:
     - curl
     - tree
+    - ufw
+    - ntp
+    - tftpd-hpa
     - syslog-ng
     - vsftpd
-    - tftpd-hpa
-    - ntp
-    - ufw
   
-- name: Configure UFW to allow inbound NTP, SSH, SYSLOG, FTP connections
+- name: Configure UFW to allow inbound NTP, SSH, SYSLOG, FTP and TFTP connections
   community.general.ufw:
     rule: allow
     direction: in
@@ -37,7 +37,7 @@
     - port: '5142'
       proto: tcp
 
-- name: UFW - Deny all other incoming traffic by default
+- name: Deny all other incoming IPv4 traffic
   community.general.ufw:
     state: enabled
     policy: deny
@@ -51,9 +51,54 @@
 
 - name: Apply NTP configuration file
   ansible.builtin.copy:
-    src: ./configuration_files/ntp.conf
+    src: ntp.conf
     dest: /etc/ntp.conf
     owner: root
     group: root
     mode: '0644'
     backup: yes
+
+- name: Apply TFTP configuration file
+  ansible.builtin.copy:
+    src: tftpd-hpa
+    dest: /etc/default/tftpd-hpa
+    owner: root
+    group: root
+    mode: '0644'
+    backup: yes
+
+- name: Create TFTP directory
+  ansible.builtin.file:
+    path: "/home/{{ ansible_user }}/Desktop/TFTP"
+    state: directory
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: '0777'
+
+- name: Apply SYSLOG configuration file
+  ansible.builtin.copy:
+    src: syslog-ng-network-devices.conf
+    dest: /etc/syslog-ng/conf.d/syslog-ng-network-devices.conf
+    owner: root
+    group: root
+    mode: '0644'
+    backup: yes
+
+- name: Apply FTP configuration file
+  ansible.builtin.copy:
+    src: vsftpd.conf
+    dest: /etc/vsftpd.conf
+    owner: root
+    group: root
+    mode: '0644'
+    backup: yes
+
+- name: Enable installed services
+  ansible.builtin.service:
+    name: "{{ item }}"
+    enabled: yes
+  loop:
+    - ntp
+    - tftpd-hpa
+    - syslog-ng
+    - vsftpd