Denis Knauf 2021-04-10 22:11:19 +02:00
commit 3beb52ad22
31 changed files with 1224 additions and 0 deletions

24
.gitignore vendored Normal file

@ -0,0 +1,24 @@
# ---> Ansible
*.retry
# ---> Vim
# Swap
[._]*.s[a-v][a-z]
!*.svg # comment out if you don't need vector files
[._]*.sw[a-p]
[._]s[a-rt-v][a-z]
[._]ss[a-gi-z]
[._]sw[a-p]
# Session
Session.vim
Sessionx.vim
# Temporary
.netrwhist
*~
# Auto-generated tag files
tags
# Persistent undo
[._]*.un~

81
README.adoc Normal file

@ -0,0 +1,81 @@
System-template
===============
Configures the base for all servers for real administrators.
Any needed tools (vim, network-tools, progress, zsh, etc-keeper, ...).
Removes pains (vim-tiny, snap, ubuntu-adverts, ...).
Defines a standard for syslog (everything to `/var/log/%Y-%m-%d`).
Requirements
------------
Debian-/Fedora-based distribution and a network-connection.
It needs the devices.facts, which cannot be installed by a role, so use the example below.
Role Variables
--------------
TODO
Example Playbook
----------------
----
---
# vim: set expandtab tabstop=2 shiftwidth=2:
- name: ansible facts
hosts: all
remote_user: root
gather_facts: no
become: no
tasks:
- name: ansible-facts directory
file:
path: /etc/ansible/facts.d
state: directory
- name: devices.facts
copy:
content: |
#!/usr/bin/env sh
check() {
v="$1"
shift
if "$@" >/dev/null
then
echo -n "\"$v\": true, "
else
echo -n "\"$v\": false, "
fi
}
echo -n '{'
check random dd count=1 of=/dev/null status=none if=/dev/random
check urandom dd count=1 of=/dev/null status=none if=/dev/urandom
check hwrng dd count=1 of=/dev/null status=none if=/dev/hwrng
check hwclock hwclock --test 2>/dev/null
echo '"checked": true}'
dest: /etc/ansible/facts.d/devices.fact
mode: 0755
owner: root
group: root
- hosts: all
remote_user: root
become: false
tasks:
- import_role:
name: denkn.system
----
License
-------
AGPLv3
Author Information
------------------
Denis Knauf - https://git.denkn.at/deac/ansible-role-system

3
defaults/main.yml Normal file

@ -0,0 +1,3 @@
has_hwrng: '{{ansible_virtualization_role != "guest" and ansible_local.devices.hwrng }}'
is_virt_guest: '{{ansible_virtualization_role == "guest"}}'
is_container: '{{ansible_virtualization_role == "guest" and ansible_virtualization_type == "lxc"}}'
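Review bot: `has_hwrng` on the first line dereferences `ansible_local.devices.hwrng` without a guard, so a non-guest host that does not yet have the devices.fact file (which the README says the role cannot install itself) fails with an undefined-variable error instead of evaluating to false. A `default` on the fact keeps the check usable on such hosts, e.g. `has_hwrng: '{{ ansible_virtualization_role != "guest" and (ansible_local.devices.hwrng | default(false)) }}'`. Since the README treats the fact script as a prerequisite, a one-line comment above this variable naming that dependency would also help whoever next reads the defaults.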


@ -0,0 +1 @@
safe-upgrade -y

1
files/defaults.sudoers Normal file

@ -0,0 +1 @@
Defaults mailto="root@denkn.at"

33
files/nf.zsh-theme Normal file

@ -0,0 +1,33 @@
# vim: ftype=zsh:
local return_code="%(?..%{$fg[red]%}%? ↵%{$reset_color%})"
if [[ $UID -eq 0 ]]
then
local user_name='%{$terminfo[bold]$fg[red]%}%n%{$reset_color%}'
local user_symbol='#'
else
local user_name='%{$terminfo[bold]$fg[green]%}%n%{$reset_color%}'
local user_symbol='$'
fi
local current_dir='%{$terminfo[bold]$fg[blue]%}%~ %{$reset_color%}'
local git_branch='$(git_prompt_info)'
local rvm_ruby='$(ruby_prompt_info)'
local venv_prompt='$(virtualenv_prompt_info)'
local host_name="%{$prompt_host_color%}%m %{$reset_color%}"
ZSH_THEME_RVM_PROMPT_OPTIONS="i v g"
PROMPT="${prompt_host_color}╭─${user_name}@${host_name}${current_dir}${rvm_ruby}${git_branch}${venv_prompt}%B${return_code}%b
${prompt_host_color}╰─%B${user_symbol}%b "
ZSH_THEME_GIT_PROMPT_PREFIX="%{$fg[yellow]%}"
ZSH_THEME_GIT_PROMPT_SUFFIX=" %{$reset_color%}"
ZSH_THEME_RUBY_PROMPT_PREFIX="%{$fg[red]%}"
ZSH_THEME_RUBY_PROMPT_SUFFIX=" %{$reset_color%}"
ZSH_THEME_VIRTUAL_ENV_PROMPT_PREFIX="%{$fg[green]%}"
ZSH_THEME_VIRTUAL_ENV_PROMPT_SUFFIX=" %{$reset_color%}"
ZSH_THEME_VIRTUALENV_PREFIX=$ZSH_THEME_VIRTUAL_ENV_PROMPT_PREFIX
ZSH_THEME_VIRTUALENV_SUFFIX=$ZSH_THEME_VIRTUAL_ENV_PROMPT_SUFFIX

30
files/rsyslog.conf Normal file

@ -0,0 +1,30 @@
$umask 0027
$WorkDirectory /var/spool/rsyslog
module(load="imuxsock") # provides support for local system logging
module(load="imklog") # provides kernel logging support
module(load="builtin:omfile" fileOwner="root" fileGroup="syslog" fileCreateMode="0640")
template(name="logline" type="list") {
property(name="timestamp" dateFormat="rfc3339")
constant(value="\t")
property(name="syslogseverity-text")
constant(value="\t")
property(name="syslogfacility-text")
constant(value="\t")
property(name="programname")
constant(value="\t")
property(name="procid")
constant(value="\t")
property(name="structured-data")
constant(value="\t")
property(name="msg")
constant(value="\n")
}
template(name="logpath" type="string" string="/var/log/%$year%/%$now%")
action(type="omfile" dynaFile="logpath" template="logline")
$IncludeConfig /etc/rsyslog.d/*.conf
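Review bot: The omfile defaults on the `builtin:omfile` load line set file ownership and `fileCreateMode`, but nothing sets `dirCreateMode`/`dirOwner`/`dirGroup` for the per-year directories that the `logpath` dynaFile creates under /var/log, so those directories get rsyslog's built-in directory defaults rather than the root:syslog 0750 that the syslog-ng variant in this commit uses (`dir_group("syslog") dir_perm(0750)`). Adding `dirOwner="root" dirGroup="syslog" dirCreateMode="0750"` to that module line keeps the two configs equivalent and makes the directory permissions explicit instead of depending on the installed rsyslog version's defaults. The README describes the layout as `/var/log/%Y-%m-%d`, while the `logpath` template here writes `/var/log/<year>/<date>`; one of the two should be corrected so operators look in the right place.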

54
files/syslog-ng.conf Normal file

@ -0,0 +1,54 @@
@version: 3.19
@include "scl.conf"
# First, set some global options.
options {
chain_hostnames(off);
flush_lines(0);
use_dns(no);
use_fqdn(no);
owner("root");
group("adm");
perm(0640);
stats_freq(0);
bad_hostname("^gconfd$");
ts_format(iso);
frac_digits(6);
};
########################
# Sources
########################
# This is the default behavior of sysklogd package
# Logs may come from unix stream, but not from another machine.
#
source s_src {
system();
internal();
};
# If you wish to get logs from remote machine you should uncomment
# this and comment the above source line.
#
#source s_net { tcp(ip(127.0.0.1) port(1000)); };
########################
# Destinations
########################
destination d_local {
file("/var/log/$YEAR/$YEAR-$MONTH-$DAY"
template( "$R_ISODATE\t$PRIORITY\t$FACILITY\t$FACILITY_NUM\t$PROGRAM\t$PID\t$MSG\n")
create_dirs(yes) dir_group("syslog") dir_perm(0750) group("syslog") perm(0640)
);
};
log {
source( s_src);
#destination( d_net);
destination( d_local);
};
###
# Include all config files in /etc/syslog-ng/conf.d/
###
@include "/etc/syslog-ng/conf.d/*.conf"
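Review bot: As far as this commit shows, this file is never deployed: tasks/main.yml copies only vimrc.local and rsyslog.conf (and has the `/etc/syslog-ng` directory commented out), while tasks/os-alpine.yml installs and restarts syslog-ng with the package default configuration. Either add a copy of `syslog-ng.conf` to `/etc/syslog-ng/syslog-ng.conf` on the Alpine path or drop the file, so the two logging setups do not silently diverge. Within the file, `options` sets `group("adm")`/`perm(0640)` while `d_local` overrides with `group("syslog")`; a comment saying the destination intentionally overrides the global default, or aligning the global to `syslog`, would remove the apparent contradiction.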


@ -0,0 +1,6 @@
[Unit]
Description=Compress old logs in /var/log/%%Y
[Service]
Type=oneshot
ExecStart=/usr/bin/find /var/log/ -regex '/var/log/2[0-9][0-9][0-9]/2[0-9][0-9][0-9]-[01][0-9]-[0-3][0-9]' -mtime +0 -exec xz {} +
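Review bot: The find/xz job runs as root with full filesystem and network access although it only needs to rewrite files below /var/log (the file header for this unit is not rendered on this page, so I refer to it as the logcompress service that tasks/systemd.yml installs). Systemd sandboxing options such as `ProtectSystem=strict`, `ReadWritePaths=/var/log`, `PrivateNetwork=yes` and `NoNewPrivileges=yes` in the `[Service]` section would confine it at no functional cost. `-mtime +0` presumably exists so that a file syslog may still hold open from the previous day is left alone until it is at least a day old; a comment stating that intent would keep a future maintainer from lowering it.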


@ -0,0 +1,8 @@
[Unit]
Description=Compress old logs in /var/log/%%Y daily
[Install]
WantedBy=timers.target
[Timer]
OnCalendar=2:00
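Review bot: `OnCalendar=2:00` without `Persistent=true` means a run missed because the machine was off or suspended at 02:00 is skipped rather than caught up at the next boot, so logs can stay uncompressed indefinitely on hosts that are not always on. Add `Persistent=true` to the `[Timer]` section; a `RandomizedDelaySec=` entry would additionally spread the compression I/O across a fleet instead of hitting every host at the same minute.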

62
files/timer-mail Executable file

@ -0,0 +1,62 @@
#!/usr/bin/env sh
help() {
[ 0 -lt $# ] && >&2 echo "$*"
>&2 cat <<EOF
Usage: $0 [*options] command [*args]
Options:
-h
-t TO default: your login-user
-f FROM default: your login-user
-s SUBJECT default: "timer: [command *args]"
-v pipes output through
-e send email only on error (command exit-code != 0)
-o send email only if command writes on STDOUT or STDERR (default)
-a send always email
EOF
exit 1
}
eval set -- "$(getopt -n "$0" "ht:f:s:aev" "$@")"
while [ 0 -lt $# ]
do
case "$1" in
-h) help ;;
-s) shift ; subject="$1" ;;
-t) shift ; to="$1" ;;
-f) shift ; from="$1" ;;
-e) on=error ;;
-o) on=output ;;
-a) on=always ;;
-v) verbose=true ;;
--) shift ; break ;;
*) help "Unknown option: $1" ;;
esac
shift
done
subject="${subject:-timer: $*}"
on=${on:-output}
verbose=${verbose:-false}
to="${to:-${LOGNAME:-$USER}}"
from="${from:-${LOGNAME:-$USER}}"
output="$(mktemp)"
trap "rm -f -- $output" EXIT
if $verbose
then
2>&1 "$@" | tee $output
r=$?
else
>$output 2>&1 "$@"
r=$?
fi
if [ always = $on ] || [ error = $on -a 0 -lt $r ] || [ output = $on -a -s $output ]
then
<$output mail -s "$subject" -r "$from" -- "$to" || exit 97
fi
exit $r
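Review bot: The getopt option string `"ht:f:s:aev"` does not contain `o`, so the documented `-o` option (listed in `help` and handled by the `-o) on=output` case) is rejected as unknown before the `case` ever sees it; it should read `"hot:f:s:aev"`. In the verbose branch, `r=$?` after `2>&1 "$@" | tee $output` captures tee's status rather than the command's, so with `-v` the `-e` mode can never detect a failure; capture the status inside the pipeline instead, e.g. `{ "$@" 2>&1; echo $? >"$rc"; } | tee "$output"` followed by `r=$(cat "$rc")`, with `$rc` coming from a second `mktemp` that is added to the `trap`. The `eval set -- "$(getopt ...)"` form invokes getopt in its traditional compatibility mode because the first argument is not an option, and that mode emits unquoted output, so a subject, address or command argument containing whitespace or shell metacharacters is split or re-interpreted by `eval`; `eval set -- "$(getopt -o 'hot:f:s:aev' -n "$0" -- "$@")"` yields properly quoted output that `eval` can consume safely.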

89
files/vimrc.local Normal file

@ -0,0 +1,89 @@
"execute pathogen#infect()
if has("autocmd")
au BufReadPost * if line("'\"") > 0 && line("'\"") <= line("$")
\| exe "normal g'\"" | endif
endif
if has("autocmd")
filetype indent on
endif
set background=dark
set showcmd
set showmatch
set smartcase
set incsearch
syntax on
" Einrücken immer um ein Tab der Breite 2
set ts=2
set sts=2
set sw=2
set noexpandtab
set modeline
set modelines=5
set listchars=tab:>.,trail:.,eol:$
"set list
"paste-mode"
map <f5> :set paste!<cr>
imap <f5> <c-o>:set paste!<cr>
map ,p :set paste!<cr>
"Zeilenenden aufräumen"
map <f9> :%s/\s\+$//<cr>
"list-mode (Am Ende der Zeile ein $)"
map ,l :set list!<cr>
"Wrap (automatischer Zeilenumbruch)"
map ,w :set wrap!<cr>
"Zeilennummern"
map ,n :set number!<cr>
"Cursor durch vert-/hori-linien über den ganzen Puffer anzeugen"
map ,c :set cuc! cul!<cr>
function! ToggleVirtualedit()
if &virtualedit == ''
set virtualedit=all
else
set virtualedit=
endif
endfunction
map ,v :call ToggleVirtualedit()<cr>
"
" Philips Erweiterungen:
"
highlight TabHighlight ctermbg=darkgrey
highlight TooLongLines ctermbg=darkred ctermfg=yellow
" Coding standard window addition function
function! AddCodingStandard()
if !exists("w:cs_lines_id")
let w:cs_lines_id = matchadd("TooLongLines", "^.\\{101,}")
endif
if !exists("w:cs_tab_id")
let w:cs_tab_id = matchadd("TabHighlight", "\t")
endif
endfunction
" Coding standard removal function
function! RemoveCodingStandard()
if exists("w:cs_lines_id")
call matchdelete(w:cs_lines_id)
unlet w:cs_lines_id
endif
if exists("w:cs_tab_id")
call matchdelete(w:cs_tab_id)
unlet w:cs_tab_id
endif
endfunction
autocmd BufWinEnter * call AddCodingStandard()
autocmd BufWinLeave * call RemoveCodingStandard()
" tags (Welches Wort steht wo (in welcher Datei ...))
set tags=./tags
" gnuplot (highlighting)
au BufNewFile,BufRead *.plt,.gnuplot setf gnuplot

2
handlers/debian.yml Normal file

@ -0,0 +1,2 @@
---
# vim: set expandtab tabstop=2 shiftwidth=2:

25
handlers/main.yml Normal file

@ -0,0 +1,25 @@
---
# vim: set expandtab tabstop=2 shiftwidth=2:
- name: restart services
systemd:
state: restarted
name: "{{item}}"
daemon-reload: yes
with_items:
- rsyslog
- ssh
- name: restart chrony
systemd:
state: restarted
name: chrony
daemon-reload: yes
- name: restart rng-tools
systemd:
state: restarted
name: rng-tools
daemon-reload: yes
- name: restart nullmailer
systemd:
state: restarted
name: nullmailer
daemon-reload: yes
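Review bot: The `restart services` handler (rsyslog and ssh) is only notified by the two cron-apt config tasks in tasks/os-debian.yml, while the tasks that actually change those services' configuration notify nothing: the rsyslog.conf copy in tasks/main.yml and every `lineinfile` in tasks/sshd_config.yml. As a result the new `Ciphers`/`KexAlgorithms`/`PermitRootLogin` settings and the new rsyslog layout only take effect after an unrelated restart; add `notify: restart services` to those tasks, or better split this handler into `restart rsyslog` and `restart ssh` so a cron-apt change does not bounce sshd. The unit is named `ssh` here but `sshd` in tasks/os-redhat.yml and tasks/os-alpine.yml, so the handler would fail on those platforms once something notifies it there; a per-OS variable, or `name: '{{ "ssh" if ansible_facts["os_family"] == "Debian" else "sshd" }}'`, avoids that.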

16
meta/main.yml Normal file

@ -0,0 +1,16 @@
galaxy_info:
author: Denis Knauf
description: System-template with stable, usable and needable configs
license: AGPL-3.0-or-later
min_ansible_version: 2.9
platforms:
- name: CentOS
versions: [7]
- name: RHEL
versions: [7]
- name: Debian
versions: [9,10,11]
- name: Ubuntu
version: [18.04,20.04]
galaxy_tags: []
dependencies: []
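Review bot: The Ubuntu platform entry uses `version:` where the other entries use `versions:`, so Galaxy ignores it; change it to `versions: [18.04,20.04]`. Alpine is handled by tasks/os-alpine.yml but is absent from `platforms`, so the metadata understates what the role supports.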

67
tasks/main.yml Normal file

@ -0,0 +1,67 @@
---
# vim: set expandtab tabstop=2 shiftwidth=2:
- name: directories
file:
state: directory
path: '{{item}}'
with_items:
- /etc/vim
#- /etc/syslog-ng
- /etc/sudoers.d
- name: configs
copy:
src: "{{item.key}}"
dest: "{{item.value}}"
owner: root
group: root
mode: 0644
backup: yes
with_dict:
vimrc.local: /etc/vim/vimrc.local
rsyslog.conf: /etc/rsyslog.conf
- name: 'configs (templates)'
template:
src: "{{item.key}}"
dest: "{{item.value}}"
owner: root
group: root
mode: 0644
backup: yes
with_dict:
tmux.conf.j2: /etc/tmux.conf
krb5.conf.j2: /etc/krb5.conf
- name: sudoers defaults
copy:
src: defaults.sudoers
dest: /etc/sudoers.d/defaults
owner: root
group: root
mode: 0440
- name: timer-mail
copy:
src: timer-mail
dest: /usr/local/bin/timer-mail
owner: root
group: root
mode: 0755
- include_tasks: 'os-{{ansible_facts["os_family"]|lower}}.yml'
- name: motd
copy:
content: '{{motd}}'
dest: /etc/motd
mode: 0644
owner: root
group: root
- name: post etckeeper commit
shell: |
set -e
dd if=/dev/urandom of=/etc/.etckeeper_random count=1
etckeeper commit 'post ansible sys'
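Review bot: `content: '{{motd}}'` and the `krb5.conf.j2`/`tmux.conf.j2` templates are rendered unconditionally, yet `motd`, `timezone`, `locales`, `etckeeper`, `krb5_realms`, `krb5_domains`, `tmux_status_style` and `prompt_host_color` are defined neither in defaults/main.yml nor in vars/main.yml, and the README's Role Variables section is still `TODO`. A host that does not set all of them fails mid-run, after packages have already been changed; either give them defaults or list them as required in the README. The `post etckeeper commit` task writes random bytes into `/etc/.etckeeper_random` on every run, presumably so that a commit always has something to record; a one-line comment such as `# force a change so 'etckeeper commit' never fails with nothing to commit` would stop a reader from treating it as an accident.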

28
tasks/ohmyzsh.yml Normal file

@ -0,0 +1,28 @@
- name: oh my zsh
tags: ohmyzsh
git:
repo: https://github.com/ohmyzsh/ohmyzsh
dest: /usr/share/oh-my-zsh
- name: oh my zsh theme
tags: ohmyzsh
copy:
src: nf.zsh-theme
dest: /usr/share/oh-my-zsh/custom/themes/nf.zsh-theme
- name: ".zshrc in user skeleton"
tags: ohmyzsh
template:
src: dotzshrc
dest: "/etc/skel/.zshrc"
- name: 'setup default user(s)'
tags: ohmyzsh
with_items: '{{sys_default_users}}'
user:
name: '{{item.name}}'
home: '{{item.home | default("/home/"+item.name)}}'
shell: '{{item.shell | default("/usr/bin/zsh")}}'
groups: [users]
createhome: yes
move_home: yes
append: yes
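Review bot: The `git` task clones ohmyzsh without a `version:`, so every run pulls whatever upstream master currently is into /usr/share/oh-my-zsh, which /etc/skel/.zshrc then sources for every new user's login shell, root included. That makes a bad or malicious upstream commit execute on all hosts at the next run and lets hosts drift from each other; pin it with `version: '<PINNED_TAG_OR_COMMIT>'` (placeholder) and consider `update: no` once pinned. `DISABLE_AUTO_UPDATE="true"` in templates/dotzshrc already disables the shell-side updater, so pinning here completes that intent.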

89
tasks/os-alpine.yml Normal file

@ -0,0 +1,89 @@
---
# vim: set expandtab tabstop=2 shiftwidth=2:
- name: packages
apk:
update_cache: yes
name:
- vim
- ncdu
- htop
- tmux
- etckeeper
- syslog-ng
- zsh
- curl
- lsof
- knot-utils
- krb5
- apk-cron
- msmtp
- openssh-sftp-server
- python3
- name: upgrade
apk:
upgrade: yes
- include_tasks: sshd_config.yml
- name: create user syslog
register: _cruser
shell: |
getent passwd syslog
case $? in
0) exit 42 ;;
2) ;;
esac
adduser -S syslog
failed_when: '_cruser.rc not in [0,42]'
changed_when: '_cruser.rc == 0'
- name: create group syslog
register: _crgroup
shell: |
getent group syslog
case $? in
0) exit 42 ;;
2) ;;
esac
addgroup -S syslog
failed_when: '_crgroup.rc not in [0,42]'
changed_when: '_crgroup.rc == 0'
- name: Set timezone variables
file:
src: '/etc/zoneinfo/{{timezone}}'
dest: /etc/localtime
state: link
force: yes
- name: setup msmtp
template:
dest: /etc/msmtprc
src: msmtprc.j2
owner: root
group: root
mode: 0644
- name: 'vi -> vim'
file:
dest: /usr/bin/vi
src: vim
state: link
force: yes
- name: 'python -> python3'
file:
dest: /usr/bin/python
src: python3
state: link
force: yes
- name: enable services
service:
name: '{{item}}'
enabled: yes
state: restarted
with_items:
- sshd
- syslog-ng
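Review bot: The `enable services` task uses `state: restarted`, so sshd and syslog-ng are restarted on every run whether or not anything changed, which also makes the role report a change each time; use `state: started` and let a handler restart on change. The package list installs `openssh-sftp-server` but not `openssh` itself; unless the base image already ships it, the `lineinfile` tasks from sshd_config.yml fail because /etc/ssh/sshd_config does not exist (they have no `create: yes`). The `adduser -S syslog`/`addgroup -S syslog` shell tasks with the rc-42 convention could be the `user`/`group` modules with `system: yes`, as tasks/systemd.yml already does for the group.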

214
tasks/os-debian.yml Normal file

@ -0,0 +1,214 @@
---
# vim: set expandtab tabstop=2 shiftwidth=2:
# pre dependencies:
- name: install packages
apt:
force: no
name:
- aptitude
- set_fact:
crap_packages:
- cloud-init
- vim-tiny
- landscape-common
- snapd
- ubuntu-advantage-tools
- unattended-upgrades
- name: remove unwanted packages
apt:
state: absent
name: '{{crap_packages}}'
- name: stay away packages
dpkg_selections:
selection: hold
name: '{{item}}'
with_items: '{{crap_packages}}'
- name: safe-upgrade
apt:
upgrade: safe
update_cache: yes
# check capabilities:
- name: check mailer
shell: |
aptitude search '~Pmail-transport-agent' | sed -ne '/^i/{s/^i *//;s/^ *.*//;s/ *.*//;p}' | grep \\S
register: mailer
failed_when: "mailer.rc != 1 and mailer.rc != 0"
changed_when: 'false'
- set_fact:
has_nullmailer: '{{mailer.rc == 1 or mailer.stdout=="nullmailer"}}'
# installation packages:
- name: install packages
apt:
force: no
name: '{{lookup("flattened", items)}}'
update_cache: yes
vars:
items:
- '{{ [] if is_virt_guest else ["chrony", "smartmontools"] }}'
- cron-apt
- curl
- etckeeper
- file
- fizsh
- git
- haveged
- htop
- inetutils-ping
- knot-dnsutils
- krb5-user
- ldap-utils
- locales
- lsof
- lvm2
- mosh
- mtr-tiny
- ncdu
- net-tools
- '{{ ["nullmailer"] if has_nullmailer else [] }}'
- openssh-server
- progress
- pv
- '{{ ["rng-tools"] if has_hwrng else [] }}'
- rsync
- socat
- sudo
- rsyslog
- systemd
- systemd-sysv
- tmux
- inetutils-traceroute
- tzdata
- usrmerge
- vim-nox
- '{{ [] if is_container else ["xfsdump", "xfsprogs"] }}'
- '{{ needed_debs if needed_debs is defined else [] }}'
# remove garbage:
- name: 'no ubuntu adverts'
when: '"ubuntu" == ansible_distribution'
block:
- name: no ubuntu-motd-adverts
lineinfile:
path: /etc/default/motd-news
line: ENABLED=0
regexp: '^ENABLED='
create: yes
- name: no ubuntu-cloudguest-adverts
file:
path: /etc/update-motd.d/51-cloudguest
state: absent
- name: 'no ubuntu-"documentation"-adverts'
copy:
dest: /etc/update-motd.d/10-help-text
mode: 0644
content: ''
# configure system:
- name: set alternatives
alternatives:
name: "{{item.key}}"
path: "{{item.value}}"
with_dict:
editor: /usr/bin/vim.nox
vim: /usr/bin/vim.nox
vimdiff: /usr/bin/vim.nox
vi: /usr/bin/vim.nox
view: /usr/bin/vim.nox
- name: copy configs
copy:
src: "{{item.key}}"
dest: "{{item.value}}"
owner: root
group: root
mode: 0644
with_dict:
cron-apt/action.d/6-upgrade: /etc/cron-apt/action.d/6-upgrade
notify:
- restart services
- name: copy configs
template:
src: "{{item.key}}"
dest: "{{item.value}}"
owner: root
group: root
mode: 0644
with_dict:
cron-apt/config.j2: /etc/cron-apt/config
notify:
- restart services
- name: generates locales
locale_gen:
name: "{{item}}"
state: present
with_items: '{{locales}}'
- name: default locale
copy:
dest: /etc/default/locale
content: |
LANG=de_AT.UTF-8
owner: root
group: root
mode: 0644
- include_tasks: sshd_config.yml
- include_tasks: ohmyzsh.yml
- include_tasks: systemd.yml
- name: update timezone
command: dpkg-reconfigure --frontend noninteractive tzdata
- name: setup mailname
copy:
dest: /etc/mailname
content: |
{{sys_mailname | default(ansible_fqdn) | mandatory}}
owner: root
group: root
mode: 0644
- name: setup nullmailer remote
when: "mailer.changed"
copy:
dest: /etc/nullmailer/remotes
content: |
{{mail_relay_host}} smtp
owner: root
group: mail
mode: 0640
notify:
- restart nullmailer
- name: setup nullmailer domain
when: "mailer.changed"
copy:
dest: /etc/nullmailer/defaultdomain
content: 'denkn.at'
owner: root
group: mail
mode: 0640
notify:
- restart nullmailer
- name: 'dig -> kdig and other knot-utils'
file:
state: link
path: '/usr/local/bin/{{item}}'
src: '../../bin/k{{item}}'
with_items: [dig, nsupdate]
- name: enable ssh
systemd:
name: ssh
enabled: yes
state: started
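Review bot: `when: "mailer.changed"` on the two nullmailer tasks can never be true, because the `check mailer` task that registers `mailer` sets `changed_when: 'false'`; the `/etc/nullmailer/remotes` and `defaultdomain` files are therefore never written. Presumably the intended condition is `when: has_nullmailer | bool`. `content: 'denkn.at'` also hardcodes the author's domain into a reusable role; `{{ sys_mailname | default(ansible_domain) }}` or a dedicated variable would match how `/etc/mailname` is derived a few lines above.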

57
tasks/os-redhat.yml Normal file

@ -0,0 +1,57 @@
---
# vim: set expandtab tabstop=2 shiftwidth=2:
# installation packages:
- name: install packages
yum:
lock_timeout: 30
name: '{{lookup("flattened", items)}}'
vars:
items:
- '{{ [] if is_virt_guest else ["chrony", "smartmontools"] }}'
- yum-cron
- curl
- file
- etckeeper
- git
- '{{ [] if is_container else ["haveged", "lvm2"] }}'
- htop
#- inetutils-ping
#- knot-dnsutils
#- ldap-utils
- lsof
- net-tools
#- '{{ ["nullmailer"] if has_nullmailer else [] }}'
#- progress
- pv
- '{{ ["rng-tools"] if has_hwrng else [] }}'
- rsync
- socat
- sudo
- rsyslog
- systemd
- tmux
- tzdata
- vim
- '{{ [] if is_container else ["xfsdump", "xfsprogs"] }}'
- zsh
- include_tasks: sshd_config.yml
- include_tasks: systemd.yml
- include_tasks: ohmyzsh.yml
- name: setup mailname
copy:
dest: /etc/mailname
content: |
{{sys_mailname | default(ansible_fqdn) | mandatory}}
owner: root
group: root
mode: 0644
- name: enable ssh
systemd:
name: sshd
enabled: yes
state: started

46
tasks/sshd_config.yml Normal file

@ -0,0 +1,46 @@
---
# vim: set expandtab tabstop=2 shiftwidth=2:
- name: sshd_config
lineinfile:
path: /etc/ssh/sshd_config
insertafter: '^\s*#\s*{{item.key}}\s+'
regexp: '^\s*{{item.key}}\s'
line: '{{item.key}} {{item.value}}'
with_dict:
Port: '{{ssh_port|default(22)}}'
PermitRootLogin: 'prohibit-password'
StrictModes: 'yes'
PubkeyAuthentication: 'yes'
KerberosAuthentication: 'no'
GSSAPIAuthentication: 'yes'
TCPKeepAlive: 'yes'
Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com'
MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256'
KexAlgorithms: 'curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256'
- name: sshd_config
lineinfile:
path: /etc/ssh/sshd_config
insertbefore: '\s*#?\s*HostKey\s+'
regexp: '^# HostKeys for protocol'
line: '# HostKeys for protocol'
- name: sshd_config - prefer ed25519
lineinfile:
path: /etc/ssh/sshd_config
insertafter: '^# HostKeys for protocol'
regexp: '^\s*HostKey\s+/etc/ssh/ssh_host_ed25519_key\s*$'
line: 'HostKey /etc/ssh/ssh_host_ed25519_key'
- name: sshd_config - fallback rsa
lineinfile:
path: /etc/ssh/sshd_config
insertafter: '^\s*HostKey\s+/etc/ssh/ssh_host_ed25519_key\s*$'
regexp: '^\s*HostKey\s+/etc/ssh/ssh_host_rsa_key\s*$'
line: 'HostKey /etc/ssh/ssh_host_rsa_key'
- name: 'sshd_config - absent dsa / ecdsa'
lineinfile:
path: /etc/ssh/sshd_config
state: absent
regexp: '{{item}}'
with_list:
- '^\s*HostKey\s+/etc/ssh/ssh_host_dsa_key\s*$'
- '^\s*HostKey\s+/etc/ssh/ssh_host_ecdsa_key\s*$'
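Review bot: None of the `lineinfile` tasks uses `validate`, so a typo in a `Ciphers`/`KexAlgorithms` value is written to /etc/ssh/sshd_config unchecked and only surfaces when sshd next restarts, which can lock the operator out; add `validate: /usr/sbin/sshd -t -f %s` to each of them. On Debian/Ubuntu releases whose stock sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf`, sshd keeps the first value it sees for a keyword, so a drop-in there silently overrides the lines this role appends further down; check for that include, or manage a drop-in with an early-sorting name instead. The dict leaves `PasswordAuthentication` at the distribution default, which is fine if intended, but given that the rest of the list is a deliberate hardening set an explicit entry either way would document the decision.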

65
tasks/systemd.yml Normal file

@ -0,0 +1,65 @@
---
# vim: set expandtab tabstop=2 shiftwidth=2:
- name: etckeeper initialized
shell: |
set -e
[ -f /etc/.git/config ] && exit 42
echo "Need to init"
etckeeper init
register: etckeeper_init
changed_when: 'etckeeper_init.rc == 0'
failed_when: 'etckeeper_init.rc not in [0,42]'
- name: set git-defaults
git_config:
name: '{{item.key}}'
repo: /etc
scope: local
value: '{{item.value}}'
with_dict:
user.email: '{{etckeeper.email}}'
user.name: '{{etckeeper.name}}'
- name: pre etckeeper commit
shell: |
set -e
dd if=/dev/urandom of=/etc/.etckeeper_random count=1
etckeeper commit 'pre ansible sys'
- name: create group syslog
group: {name: syslog, system: yes}
- name: enable rng-tools
when: has_hwrng
systemd:
name: rng-tools
enabled: yes
- name: Set timezone variables
file:
src: '/usr/share/zoneinfo/{{timezone}}'
dest: /etc/localtime
state: link
force: yes
owner: root
group: root
mode: 0644
- name: install systemd-logcompress-jobs
copy:
src: "{{item}}"
dest: /etc/systemd/system
owner: root
group: root
mode: 0644
with_fileglob:
- "systemd/system/*"
- name: enable services
systemd:
name: "{{item}}"
enabled: yes
state: started
with_items:
- rsyslog
- logcompress.timer
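Review bot: `install systemd-logcompress-jobs` copies new unit files into /etc/systemd/system, but the following `enable services` task does not pass `daemon_reload: yes`, so on a first run systemd may not yet know `logcompress.timer` and the `state: started` step can fail with an unknown-unit error; add `daemon_reload: yes` to that task (handlers/main.yml already uses the `daemon-reload: yes` alias for the same reason). The copied units carry no `notify`, so a later change to the shipped timer or service is not reloaded either; notifying a handler that runs `daemon_reload` and restarts the timer would close that gap.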


@ -0,0 +1,6 @@
# Configuration for cron-apt. For further information about the possible
# configuration settings see /usr/share/doc/cron-apt/README.gz.
MAILTO="{{cron_apt_mailto | default('admin@denkn.at')}}"
MAILON=upgrade
APTCOMMAND=/usr/bin/aptitude

65
templates/dotzshrc Normal file

@ -0,0 +1,65 @@
# Path to your oh-my-zsh installation.
export ZSH="/usr/share/oh-my-zsh"
# Set name of the theme to load.
# Look in ~/.oh-my-zsh/themes/
# Optionally, if you set this to "random", it'll load a random theme each
# time that oh-my-zsh is loaded.
ZSH_THEME="nf"
# Uncomment the following line to use case-sensitive completion.
CASE_SENSITIVE="true"
# Uncomment the following line to disable bi-weekly auto-update checks.
DISABLE_AUTO_UPDATE="true"
# Uncomment the following line to change how often to auto-update (in days).
# export UPDATE_ZSH_DAYS=13
# Uncomment the following line to disable colors in ls.
# DISABLE_LS_COLORS="true"
# Uncomment the following line to disable auto-setting terminal title.
# DISABLE_AUTO_TITLE="true"
# Uncomment the following line to enable command auto-correction.
ENABLE_CORRECTION="true"
# Uncomment the following line to display red dots whilst waiting for completion.
COMPLETION_WAITING_DOTS="true"
# Uncomment the following line if you want to disable marking untracked files
# under VCS as dirty. This makes repository status check for large repositories
# much, much faster.
DISABLE_UNTRACKED_FILES_DIRTY="true"
# Uncomment the following line if you want to change the command execution time
# stamp shown in the history command output.
# The optional three formats: "mm/dd/yyyy"|"dd.mm.yyyy"|"yyyy-mm-dd"
HIST_STAMPS="yyyy-mm-dd"
# Would you like to use another custom folder than $ZSH/custom?
# ZSH_CUSTOM=/path/to/new-custom-folder
# Which plugins would you like to load? (plugins can be found in ~/.oh-my-zsh/plugins/*)
# Custom plugins may be added to ~/.oh-my-zsh/custom/plugins/
# Example format: plugins=(rails git textmate ruby lighthouse)
# Add wisely, as too many plugins slow down shell startup.
plugins=(bundler coffee common-aliases compleat encode64 extract gem git github gitignore gpg-agent history-substring-search mosh nmap perl postgres rails rake-fast rake rsync ruby safe-paste screen singlechar sudo)
prompt_host_color='%{$terminfo[bold]$fg[{{prompt_host_color}}]%}'
source "$ZSH/oh-my-zsh.sh"
# User configuration
export PATH="$PATH:$HOME/bin" EDITOR=vim
>/dev/null where keychain && eval `keychain --eval --quiet`
alias ip='command ip --color=auto'
zmodload zsh/terminfo
#bindkey -v
#bindkey -M vicmd 'v' edit-command-line
bindkey "\e[H" beginning-of-line
bindkey "\e[F" end-of-line
bindkey "$terminfo[kich1]" overwrite-mode

23
templates/krb5.conf.j2 Normal file

@ -0,0 +1,23 @@
[libdefaults]
{%if krb5_default_realm is defined%}
default_realm = {{krb5_default_realm|mandatory()}}
{%endif%}
allow_weak_crypto = false
permitted_enctypes = aes256-cts-hmac-sha1-96 camellia256-cts-cmac aes128-cts-hmac-sha1-96 camellia128-cts-cmac
default_tkt_enctypes = aes256-cts-hmac-sha1-96 camellia256-cts-cmac aes128-cts-hmac-sha1-96 camellia128-cts-cmac
default_tgs_enctypes = aes256-cts-hmac-sha1-96 camellia256-cts-cmac aes128-cts-hmac-sha1-96 camellia128-cts-cmac
[realms]
{% for realm, cfg in krb5_realms.items() %}
{{realm}} = {
{% for key, val in cfg.items() %}
{{key}} = {{val}}
{% endfor %}
}
{% endfor %}
[domain_realm]
{% for domain, realm in krb5_domains.items() %}
{{domain}} = {{realm}}
.{{domain}} = {{realm}}
{% endfor %}
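Review bot: `krb5_realms.items()` and `krb5_domains.items()` are called unguarded while tasks/main.yml renders this template on every host, so any host that does not define both dicts fails the play with an undefined-variable error. Either guard them, e.g. `{% for realm, cfg in (krb5_realms | default({})).items() %}` and likewise for the domains, or make the template task conditional. `{{krb5_default_realm|mandatory()}}` sits inside an `{%if krb5_default_realm is defined%}` block, so `mandatory` can never trigger there and can be removed.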

5
templates/msmtprc.j2 Normal file

@ -0,0 +1,5 @@
account default
host {{mail_relay_host}}
tls on
tls_starttls on
syslog LOG_MAIL
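Review bot: `tls on` plus `tls_starttls on` enables encryption but the file sets no `tls_trust_file`; whether msmtp then verifies the relay's certificate against the system store or refuses to connect depends on the msmtp version, so the outcome on the Alpine package in use should be confirmed rather than assumed. Add an explicit `tls_trust_file` pointing at the distribution's CA bundle (or `tls_trust_file system` where the installed msmtp supports it) so certificate verification is unambiguous. Unless every caller supplies an envelope sender, a `from` line is also needed, since msmtp refuses to send without one.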

93
templates/sshd_config.j2 Normal file

@ -0,0 +1,93 @@
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port {{ssh_port|default(22)}}
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
#UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes
#RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
# Ciphers
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
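Review bot: This template is not referenced by any task in this commit (tasks/sshd_config.yml edits the distribution file with `lineinfile` instead), and its policy has already diverged from the one actually applied: `KexAlgorithms` here still lists `diffie-hellman-group14-sha1` and `diffie-hellman-group-exchange-sha1`, which the lineinfile set deliberately omits, and `Ciphers` keeps the CTR modes that set drops. Either remove the unused template or align it with tasks/sshd_config.yml so the two do not contradict each other. `Protocol 2` is ignored by current sshd and the commented `KeyRegenerationInterval`/`ServerKeyBits` lines are protocol-1 leftovers, so the file would also be cleaner without them.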

22
templates/tmux.conf.j2 Normal file

@ -0,0 +1,22 @@
bind C-s send-prefix
bind a last-window
bind C-a last-window
bind Space next-window
bind C-Space next-window
bind Bspace previous-window
bind C-Bspace previous-window
bind ` select-window -t0
bind 1 select-window -t1
bind 2 select-window -t2
bind 3 select-window -t3
bind 4 select-window -t4
bind 5 select-window -t5
bind 6 select-window -t6
bind 7 select-window -t7
bind 8 select-window -t8
bind 9 select-window -t9
bind 0 select-window -t10
bind Escape copy-mode
set -g status-keys vi
setw -g mode-keys vi
set -g status-style {{tmux_status_style}}

2
tests/inventory Normal file

@ -0,0 +1,2 @@
localhost

5
tests/test.yml Normal file

@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- system

2
vars/main.yml Normal file

@ -0,0 +1,2 @@
---
# vars file for system