From 3beb52ad22b62a66d35f1701d4fd1cb79eceafaa Mon Sep 17 00:00:00 2001 From: Denis Knauf Date: Sat, 10 Apr 2021 22:11:19 +0200 Subject: [PATCH] init --- .gitignore | 24 +++ README.adoc | 81 +++++++++ defaults/main.yml | 3 + files/cron-apt/action.d/6-upgrade | 1 + files/defaults.sudoers | 1 + files/nf.zsh-theme | 33 ++++ files/rsyslog.conf | 30 ++++ files/syslog-ng.conf | 54 ++++++ files/systemd/system/logcompress.service | 6 + files/systemd/system/logcompress.timer | 8 + files/timer-mail | 62 +++++++ files/vimrc.local | 89 ++++++++++ handlers/debian.yml | 2 + handlers/main.yml | 25 +++ meta/main.yml | 16 ++ tasks/main.yml | 67 +++++++ tasks/ohmyzsh.yml | 28 +++ tasks/os-alpine.yml | 89 ++++++++++ tasks/os-debian.yml | 214 +++++++++++++++++++++++ tasks/os-redhat.yml | 57 ++++++ tasks/sshd_config.yml | 46 +++++ tasks/systemd.yml | 65 +++++++ templates/cron-apt/config.j2 | 6 + templates/dotzshrc | 65 +++++++ templates/krb5.conf.j2 | 23 +++ templates/msmtprc.j2 | 5 + templates/sshd_config.j2 | 93 ++++++++++ templates/tmux.conf.j2 | 22 +++ tests/inventory | 2 + tests/test.yml | 5 + vars/main.yml | 2 + 31 files changed, 1224 insertions(+) create mode 100644 .gitignore create mode 100644 README.adoc create mode 100644 defaults/main.yml create mode 100644 files/cron-apt/action.d/6-upgrade create mode 100644 files/defaults.sudoers create mode 100644 files/nf.zsh-theme create mode 100644 files/rsyslog.conf create mode 100644 files/syslog-ng.conf create mode 100644 files/systemd/system/logcompress.service create mode 100644 files/systemd/system/logcompress.timer create mode 100755 files/timer-mail create mode 100644 files/vimrc.local create mode 100644 handlers/debian.yml create mode 100644 handlers/main.yml create mode 100644 meta/main.yml create mode 100644 tasks/main.yml create mode 100644 tasks/ohmyzsh.yml create mode 100644 tasks/os-alpine.yml create mode 100644 tasks/os-debian.yml create mode 100644 tasks/os-redhat.yml create mode 100644 tasks/sshd_config.yml create mode 100644 tasks/systemd.yml create mode 100644 templates/cron-apt/config.j2 create mode 100644 templates/dotzshrc create mode 100644 templates/krb5.conf.j2 create mode 100644 templates/msmtprc.j2 create mode 100644 templates/sshd_config.j2 create mode 100644 templates/tmux.conf.j2 create mode 100644 tests/inventory create mode 100644 tests/test.yml create mode 100644 vars/main.yml diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..d2c649f --- /dev/null +++ b/.gitignore @@ -0,0 +1,24 @@ +# ---> Ansible +*.retry + +# ---> Vim +# Swap +[._]*.s[a-v][a-z] +!*.svg # comment out if you don't need vector files +[._]*.sw[a-p] +[._]s[a-rt-v][a-z] +[._]ss[a-gi-z] +[._]sw[a-p] + +# Session +Session.vim +Sessionx.vim + +# Temporary +.netrwhist +*~ +# Auto-generated tag files +tags +# Persistent undo +[._]*.un~ + diff --git a/README.adoc b/README.adoc new file mode 100644 index 0000000..7a06399 --- /dev/null +++ b/README.adoc @@ -0,0 +1,81 @@ +System-template +=============== + +Configures the base for all servers for real administrators. +Any needed tools (vim, network-tools, progress, zsh, etc-keeper, ...). +Removes pains (vim-tiny, snap, ubuntu-adverts, ...). +Defines a standard for syslog (everything to `/var/log/%Y-%m-%d`). + +Requirements +------------ + +Debian-/Fedora-based distribution and a network-connection. +It needs the devices.facts, which cannot be installed by a role, so use the example below. + +Role Variables +-------------- + +TODO + +Example Playbook +---------------- + +---- +--- +# vim: set expandtab tabstop=2 shiftwidth=2: + +- name: ansible facts + hosts: all + remote_user: root + gather_facts: no + become: no + tasks: + - name: ansible-facts directory + file: + path: /etc/ansible/facts.d + state: directory + - name: devices.facts + copy: + content: | + #!/usr/bin/env sh + + check() { + v="$1" + shift + if "$@" >/dev/null + then + echo -n "\"$v\": true, " + else + echo -n "\"$v\": false, " + fi + } + + echo -n '{' + check random dd count=1 of=/dev/null status=none if=/dev/random + check urandom dd count=1 of=/dev/null status=none if=/dev/urandom + check hwrng dd count=1 of=/dev/null status=none if=/dev/hwrng + check hwclock hwclock --test 2>/dev/null + echo '"checked": true}' + dest: /etc/ansible/facts.d/devices.fact + mode: 0755 + owner: root + group: root + +- hosts: all + remote_user: root + become: false + + tasks: + - import_role: + name: denkn.system +---- + +License +------- + +AGPLv3 + +Author Information +------------------ + +Denis Knauf - https://git.denkn.at/deac/ansible-role-system diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 0000000..7fb6abf --- /dev/null +++ b/defaults/main.yml @@ -0,0 +1,3 @@ +has_hwrng: '{{ansible_virtualization_role != "guest" and ansible_local.devices.hwrng }}' +is_virt_guest: '{{ansible_virtualization_role == "guest"}}' +is_container: '{{ansible_virtualization_role == "guest" and ansible_virtualization_type == "lxc"}}' diff --git a/files/cron-apt/action.d/6-upgrade b/files/cron-apt/action.d/6-upgrade new file mode 100644 index 0000000..68b3528 --- /dev/null +++ b/files/cron-apt/action.d/6-upgrade @@ -0,0 +1 @@ +safe-upgrade -y diff --git a/files/defaults.sudoers b/files/defaults.sudoers new file mode 100644 index 0000000..a008467 --- /dev/null +++ b/files/defaults.sudoers @@ -0,0 +1 @@ +Defaults mailto="root@denkn.at" diff --git a/files/nf.zsh-theme b/files/nf.zsh-theme new file mode 100644 index 0000000..d026aad --- /dev/null +++ b/files/nf.zsh-theme @@ -0,0 +1,33 @@ +# vim: ftype=zsh: +local return_code="%(?..%{$fg[red]%}%? ↵%{$reset_color%})" + +if [[ $UID -eq 0 ]] +then + local user_name='%{$terminfo[bold]$fg[red]%}%n%{$reset_color%}' + local user_symbol='#' +else + local user_name='%{$terminfo[bold]$fg[green]%}%n%{$reset_color%}' + local user_symbol='$' +fi + +local current_dir='%{$terminfo[bold]$fg[blue]%}%~ %{$reset_color%}' +local git_branch='$(git_prompt_info)' +local rvm_ruby='$(ruby_prompt_info)' +local venv_prompt='$(virtualenv_prompt_info)' +local host_name="%{$prompt_host_color%}%m %{$reset_color%}" + +ZSH_THEME_RVM_PROMPT_OPTIONS="i v g" + +PROMPT="${prompt_host_color}╭─${user_name}@${host_name}${current_dir}${rvm_ruby}${git_branch}${venv_prompt}%B${return_code}%b +${prompt_host_color}╰─%B${user_symbol}%b " + +ZSH_THEME_GIT_PROMPT_PREFIX="%{$fg[yellow]%}‹" +ZSH_THEME_GIT_PROMPT_SUFFIX="› %{$reset_color%}" + +ZSH_THEME_RUBY_PROMPT_PREFIX="%{$fg[red]%}‹" +ZSH_THEME_RUBY_PROMPT_SUFFIX="› %{$reset_color%}" + +ZSH_THEME_VIRTUAL_ENV_PROMPT_PREFIX="%{$fg[green]%}‹" +ZSH_THEME_VIRTUAL_ENV_PROMPT_SUFFIX="› %{$reset_color%}" +ZSH_THEME_VIRTUALENV_PREFIX=$ZSH_THEME_VIRTUAL_ENV_PROMPT_PREFIX +ZSH_THEME_VIRTUALENV_SUFFIX=$ZSH_THEME_VIRTUAL_ENV_PROMPT_SUFFIX diff --git a/files/rsyslog.conf b/files/rsyslog.conf new file mode 100644 index 0000000..41ebd57 --- /dev/null +++ b/files/rsyslog.conf @@ -0,0 +1,30 @@ +$umask 0027 + +$WorkDirectory /var/spool/rsyslog + +module(load="imuxsock") # provides support for local system logging +module(load="imklog") # provides kernel logging support +module(load="builtin:omfile" fileOwner="root" fileGroup="syslog" fileCreateMode="0640") + +template(name="logline" type="list") { + property(name="timestamp" dateFormat="rfc3339") + constant(value="\t") + property(name="syslogseverity-text") + constant(value="\t") + property(name="syslogfacility-text") + constant(value="\t") + property(name="programname") + constant(value="\t") + property(name="procid") + constant(value="\t") + property(name="structured-data") + constant(value="\t") + property(name="msg") + constant(value="\n") +} + +template(name="logpath" type="string" string="/var/log/%$year%/%$now%") + +action(type="omfile" dynaFile="logpath" template="logline") + +$IncludeConfig /etc/rsyslog.d/*.conf diff --git a/files/syslog-ng.conf b/files/syslog-ng.conf new file mode 100644 index 0000000..a24ec0d --- /dev/null +++ b/files/syslog-ng.conf @@ -0,0 +1,54 @@ +@version: 3.19 +@include "scl.conf" + +# First, set some global options. +options { + chain_hostnames(off); + flush_lines(0); + use_dns(no); + use_fqdn(no); + owner("root"); + group("adm"); + perm(0640); + stats_freq(0); + bad_hostname("^gconfd$"); + ts_format(iso); + frac_digits(6); +}; + +######################## +# Sources +######################## +# This is the default behavior of sysklogd package +# Logs may come from unix stream, but not from another machine. +# +source s_src { + system(); + internal(); +}; + +# If you wish to get logs from remote machine you should uncomment +# this and comment the above source line. +# +#source s_net { tcp(ip(127.0.0.1) port(1000)); }; + +######################## +# Destinations +######################## + +destination d_local { + file("/var/log/$YEAR/$YEAR-$MONTH-$DAY" + template( "$R_ISODATE\t$PRIORITY\t$FACILITY\t$FACILITY_NUM\t$PROGRAM\t$PID\t$MSG\n") + create_dirs(yes) dir_group("syslog") dir_perm(0750) group("syslog") perm(0640) + ); +}; +log { + source( s_src); + #destination( d_net); + destination( d_local); +}; + +### +# Include all config files in /etc/syslog-ng/conf.d/ +### +@include "/etc/syslog-ng/conf.d/*.conf" diff --git a/files/systemd/system/logcompress.service b/files/systemd/system/logcompress.service new file mode 100644 index 0000000..a70542b --- /dev/null +++ b/files/systemd/system/logcompress.service @@ -0,0 +1,6 @@ +[Unit] +Description=Compress old logs in /var/log/%%Y + +[Service] +Type=oneshot +ExecStart=/usr/bin/find /var/log/ -regex '/var/log/2[0-9][0-9][0-9]/2[0-9][0-9][0-9]-[01][0-9]-[0-3][0-9]' -mtime +0 -exec xz {} + diff --git a/files/systemd/system/logcompress.timer b/files/systemd/system/logcompress.timer new file mode 100644 index 0000000..1c2c14f --- /dev/null +++ b/files/systemd/system/logcompress.timer @@ -0,0 +1,8 @@ +[Unit] +Description=Compress old logs in /var/log/%%Y daily + +[Install] +WantedBy=timers.target + +[Timer] +OnCalendar=2:00 diff --git a/files/timer-mail b/files/timer-mail new file mode 100755 index 0000000..977b4d9 --- /dev/null +++ b/files/timer-mail @@ -0,0 +1,62 @@ +#!/usr/bin/env sh + +help() { + [ 0 -lt $# ] && >&2 echo "$*" + >&2 cat <&1 "$@" | tee $output + r=$? +else + >$output 2>&1 "$@" + r=$? +fi + +if [ always = $on ] || [ error = $on -a 0 -lt $r ] || [ output = $on -a -s $output ] +then + <$output mail -s "$subject" -r "$from" -- "$to" || exit 97 +fi + +exit $r diff --git a/files/vimrc.local b/files/vimrc.local new file mode 100644 index 0000000..2c0ab60 --- /dev/null +++ b/files/vimrc.local @@ -0,0 +1,89 @@ +"execute pathogen#infect() + +if has("autocmd") + au BufReadPost * if line("'\"") > 0 && line("'\"") <= line("$") + \| exe "normal g'\"" | endif +endif +if has("autocmd") + filetype indent on +endif +set background=dark +set showcmd +set showmatch +set smartcase +set incsearch +syntax on +" Einrücken immer um ein Tab der Breite 2 +set ts=2 +set sts=2 +set sw=2 +set noexpandtab +set modeline +set modelines=5 + +set listchars=tab:>.,trail:.,eol:$ +"set list + +"paste-mode" +map :set paste! +imap :set paste! +map ,p :set paste! +"Zeilenenden aufräumen" +map :%s/\s\+$// +"list-mode (Am Ende der Zeile ein $)" +map ,l :set list! +"Wrap (automatischer Zeilenumbruch)" +map ,w :set wrap! +"Zeilennummern" +map ,n :set number! +"Cursor durch vert-/hori-linien über den ganzen Puffer anzeugen" +map ,c :set cuc! cul! + +function! ToggleVirtualedit() + if &virtualedit == '' + set virtualedit=all + else + set virtualedit= + endif +endfunction +map ,v :call ToggleVirtualedit() + +" +" Philips Erweiterungen: +" + +highlight TabHighlight ctermbg=darkgrey +highlight TooLongLines ctermbg=darkred ctermfg=yellow + +" Coding standard window addition function +function! AddCodingStandard() + if !exists("w:cs_lines_id") + let w:cs_lines_id = matchadd("TooLongLines", "^.\\{101,}") + endif + + if !exists("w:cs_tab_id") + let w:cs_tab_id = matchadd("TabHighlight", "\t") + endif +endfunction + +" Coding standard removal function +function! RemoveCodingStandard() + if exists("w:cs_lines_id") + call matchdelete(w:cs_lines_id) + unlet w:cs_lines_id + endif + + if exists("w:cs_tab_id") + call matchdelete(w:cs_tab_id) + unlet w:cs_tab_id + endif +endfunction + +autocmd BufWinEnter * call AddCodingStandard() +autocmd BufWinLeave * call RemoveCodingStandard() + +" tags (Welches Wort steht wo (in welcher Datei ...)) +set tags=./tags + +" gnuplot (highlighting) +au BufNewFile,BufRead *.plt,.gnuplot setf gnuplot diff --git a/handlers/debian.yml b/handlers/debian.yml new file mode 100644 index 0000000..894cfbb --- /dev/null +++ b/handlers/debian.yml @@ -0,0 +1,2 @@ +--- +# vim: set expandtab tabstop=2 shiftwidth=2: diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..5278a29 --- /dev/null +++ b/handlers/main.yml @@ -0,0 +1,25 @@ +--- +# vim: set expandtab tabstop=2 shiftwidth=2: +- name: restart services + systemd: + state: restarted + name: "{{item}}" + daemon-reload: yes + with_items: + - rsyslog + - ssh +- name: restart chrony + systemd: + state: restarted + name: chrony + daemon-reload: yes +- name: restart rng-tools + systemd: + state: restarted + name: rng-tools + daemon-reload: yes +- name: restart nullmailer + systemd: + state: restarted + name: nullmailer + daemon-reload: yes diff --git a/meta/main.yml b/meta/main.yml new file mode 100644 index 0000000..f3e529c --- /dev/null +++ b/meta/main.yml @@ -0,0 +1,16 @@ +galaxy_info: + author: Denis Knauf + description: System-template with stable, usable and needable configs + license: AGPL-3.0-or-later + min_ansible_version: 2.9 + platforms: + - name: CentOS + versions: [7] + - name: RHEL + versions: [7] + - name: Debian + versions: [9,10,11] + - name: Ubuntu + version: [18.04,20.04] + galaxy_tags: [] +dependencies: [] diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..20d7f7d --- /dev/null +++ b/tasks/main.yml @@ -0,0 +1,67 @@ +--- +# vim: set expandtab tabstop=2 shiftwidth=2: + +- name: directories + file: + state: directory + path: '{{item}}' + with_items: + - /etc/vim + #- /etc/syslog-ng + - /etc/sudoers.d + +- name: configs + copy: + src: "{{item.key}}" + dest: "{{item.value}}" + owner: root + group: root + mode: 0644 + backup: yes + with_dict: + vimrc.local: /etc/vim/vimrc.local + rsyslog.conf: /etc/rsyslog.conf + +- name: 'configs (templates)' + template: + src: "{{item.key}}" + dest: "{{item.value}}" + owner: root + group: root + mode: 0644 + backup: yes + with_dict: + tmux.conf.j2: /etc/tmux.conf + krb5.conf.j2: /etc/krb5.conf + +- name: sudoers defaults + copy: + src: defaults.sudoers + dest: /etc/sudoers.d/defaults + owner: root + group: root + mode: 0440 + +- name: timer-mail + copy: + src: timer-mail + dest: /usr/local/bin/timer-mail + owner: root + group: root + mode: 0755 + +- include_tasks: 'os-{{ansible_facts["os_family"]|lower}}.yml' + +- name: motd + copy: + content: '{{motd}}' + dest: /etc/motd + mode: 0644 + owner: root + group: root + +- name: post etckeeper commit + shell: | + set -e + dd if=/dev/urandom of=/etc/.etckeeper_random count=1 + etckeeper commit 'post ansible sys' diff --git a/tasks/ohmyzsh.yml b/tasks/ohmyzsh.yml new file mode 100644 index 0000000..fa3c745 --- /dev/null +++ b/tasks/ohmyzsh.yml @@ -0,0 +1,28 @@ +- name: oh my zsh + tags: ohmyzsh + git: + repo: https://github.com/ohmyzsh/ohmyzsh + dest: /usr/share/oh-my-zsh + +- name: oh my zsh theme + tags: ohmyzsh + copy: + src: nf.zsh-theme + dest: /usr/share/oh-my-zsh/custom/themes/nf.zsh-theme + +- name: ".zshrc in user skeleton" + tags: ohmyzsh + template: + src: dotzshrc + dest: "/etc/skel/.zshrc" +- name: 'setup default user(s)' + tags: ohmyzsh + with_items: '{{sys_default_users}}' + user: + name: '{{item.name}}' + home: '{{item.home | default("/home/"+item.name)}}' + shell: '{{item.shell | default("/usr/bin/zsh")}}' + groups: [users] + createhome: yes + move_home: yes + append: yes diff --git a/tasks/os-alpine.yml b/tasks/os-alpine.yml new file mode 100644 index 0000000..6516a9c --- /dev/null +++ b/tasks/os-alpine.yml @@ -0,0 +1,89 @@ +--- +# vim: set expandtab tabstop=2 shiftwidth=2: + +- name: packages + apk: + update_cache: yes + name: + - vim + - ncdu + - htop + - tmux + - etckeeper + - syslog-ng + - zsh + - curl + - lsof + - knot-utils + - krb5 + - apk-cron + - msmtp + - openssh-sftp-server + - python3 +- name: upgrade + apk: + upgrade: yes + +- include_tasks: sshd_config.yml + +- name: create user syslog + register: _cruser + shell: | + getent passwd syslog + case $? in + 0) exit 42 ;; + 2) ;; + esac + adduser -S syslog + failed_when: '_cruser.rc not in [0,42]' + changed_when: '_cruser.rc == 0' + +- name: create group syslog + register: _crgroup + shell: | + getent group syslog + case $? in + 0) exit 42 ;; + 2) ;; + esac + addgroup -S syslog + failed_when: '_crgroup.rc not in [0,42]' + changed_when: '_crgroup.rc == 0' + +- name: Set timezone variables + file: + src: '/etc/zoneinfo/{{timezone}}' + dest: /etc/localtime + state: link + force: yes + +- name: setup msmtp + template: + dest: /etc/msmtprc + src: msmtprc.j2 + owner: root + group: root + mode: 0644 + +- name: 'vi -> vim' + file: + dest: /usr/bin/vi + src: vim + state: link + force: yes + +- name: 'python -> python3' + file: + dest: /usr/bin/python + src: python3 + state: link + force: yes + +- name: enable services + service: + name: '{{item}}' + enabled: yes + state: restarted + with_items: + - sshd + - syslog-ng diff --git a/tasks/os-debian.yml b/tasks/os-debian.yml new file mode 100644 index 0000000..11f9bfe --- /dev/null +++ b/tasks/os-debian.yml @@ -0,0 +1,214 @@ +--- +# vim: set expandtab tabstop=2 shiftwidth=2: + +# pre dependencies: + +- name: install packages + apt: + force: no + name: + - aptitude +- set_fact: + crap_packages: + - cloud-init + - vim-tiny + - landscape-common + - snapd + - ubuntu-advantage-tools + - unattended-upgrades +- name: remove unwanted packages + apt: + state: absent + name: '{{crap_packages}}' +- name: stay away packages + dpkg_selections: + selection: hold + name: '{{item}}' + with_items: '{{crap_packages}}' +- name: safe-upgrade + apt: + upgrade: safe + update_cache: yes + +# check capabilities: + +- name: check mailer + shell: | + aptitude search '~Pmail-transport-agent' | sed -ne '/^i/{s/^i *//;s/^ *.*//;s/ *.*//;p}' | grep \\S + register: mailer + failed_when: "mailer.rc != 1 and mailer.rc != 0" + changed_when: 'false' + +- set_fact: + has_nullmailer: '{{mailer.rc == 1 or mailer.stdout=="nullmailer"}}' + +# installation packages: + +- name: install packages + apt: + force: no + name: '{{lookup("flattened", items)}}' + update_cache: yes + vars: + items: + - '{{ [] if is_virt_guest else ["chrony", "smartmontools"] }}' + - cron-apt + - curl + - etckeeper + - file + - fizsh + - git + - haveged + - htop + - inetutils-ping + - knot-dnsutils + - krb5-user + - ldap-utils + - locales + - lsof + - lvm2 + - mosh + - mtr-tiny + - ncdu + - net-tools + - '{{ ["nullmailer"] if has_nullmailer else [] }}' + - openssh-server + - progress + - pv + - '{{ ["rng-tools"] if has_hwrng else [] }}' + - rsync + - socat + - sudo + - rsyslog + - systemd + - systemd-sysv + - tmux + - inetutils-traceroute + - tzdata + - usrmerge + - vim-nox + - '{{ [] if is_container else ["xfsdump", "xfsprogs"] }}' + - '{{ needed_debs if needed_debs is defined else [] }}' + +# remove garbage: + +- name: 'no ubuntu adverts' + when: '"ubuntu" == ansible_distribution' + block: + - name: no ubuntu-motd-adverts + lineinfile: + path: /etc/default/motd-news + line: ENABLED=0 + regexp: '^ENABLED=' + create: yes + - name: no ubuntu-cloudguest-adverts + file: + path: /etc/update-motd.d/51-cloudguest + state: absent + - name: 'no ubuntu-"documentation"-adverts' + copy: + dest: /etc/update-motd.d/10-help-text + mode: 0644 + content: '' + +# configure system: + +- name: set alternatives + alternatives: + name: "{{item.key}}" + path: "{{item.value}}" + with_dict: + editor: /usr/bin/vim.nox + vim: /usr/bin/vim.nox + vimdiff: /usr/bin/vim.nox + vi: /usr/bin/vim.nox + view: /usr/bin/vim.nox + +- name: copy configs + copy: + src: "{{item.key}}" + dest: "{{item.value}}" + owner: root + group: root + mode: 0644 + with_dict: + cron-apt/action.d/6-upgrade: /etc/cron-apt/action.d/6-upgrade + notify: + - restart services + +- name: copy configs + template: + src: "{{item.key}}" + dest: "{{item.value}}" + owner: root + group: root + mode: 0644 + with_dict: + cron-apt/config.j2: /etc/cron-apt/config + notify: + - restart services + +- name: generates locales + locale_gen: + name: "{{item}}" + state: present + with_items: '{{locales}}' +- name: default locale + copy: + dest: /etc/default/locale + content: | + LANG=de_AT.UTF-8 + owner: root + group: root + mode: 0644 + +- include_tasks: sshd_config.yml +- include_tasks: ohmyzsh.yml +- include_tasks: systemd.yml + +- name: update timezone + command: dpkg-reconfigure --frontend noninteractive tzdata + +- name: setup mailname + copy: + dest: /etc/mailname + content: | + {{sys_mailname | default(ansible_fqdn) | mandatory}} + owner: root + group: root + mode: 0644 +- name: setup nullmailer remote + when: "mailer.changed" + copy: + dest: /etc/nullmailer/remotes + content: | + {{mail_relay_host}} smtp + owner: root + group: mail + mode: 0640 + notify: + - restart nullmailer + +- name: setup nullmailer domain + when: "mailer.changed" + copy: + dest: /etc/nullmailer/defaultdomain + content: 'denkn.at' + owner: root + group: mail + mode: 0640 + notify: + - restart nullmailer + +- name: 'dig -> kdig and other knot-utils' + file: + state: link + path: '/usr/local/bin/{{item}}' + src: '../../bin/k{{item}}' + with_items: [dig, nsupdate] + +- name: enable ssh + systemd: + name: ssh + enabled: yes + state: started diff --git a/tasks/os-redhat.yml b/tasks/os-redhat.yml new file mode 100644 index 0000000..9e92f42 --- /dev/null +++ b/tasks/os-redhat.yml @@ -0,0 +1,57 @@ +--- +# vim: set expandtab tabstop=2 shiftwidth=2: + +# installation packages: + +- name: install packages + yum: + lock_timeout: 30 + name: '{{lookup("flattened", items)}}' + vars: + items: + - '{{ [] if is_virt_guest else ["chrony", "smartmontools"] }}' + - yum-cron + - curl + - file + - etckeeper + - git + - '{{ [] if is_container else ["haveged", "lvm2"] }}' + - htop + #- inetutils-ping + #- knot-dnsutils + #- ldap-utils + - lsof + - net-tools + #- '{{ ["nullmailer"] if has_nullmailer else [] }}' + #- progress + - pv + - '{{ ["rng-tools"] if has_hwrng else [] }}' + - rsync + - socat + - sudo + - rsyslog + - systemd + - tmux + - tzdata + - vim + - '{{ [] if is_container else ["xfsdump", "xfsprogs"] }}' + - zsh + +- include_tasks: sshd_config.yml +- include_tasks: systemd.yml +- include_tasks: ohmyzsh.yml + +- name: setup mailname + copy: + dest: /etc/mailname + content: | + {{sys_mailname | default(ansible_fqdn) | mandatory}} + owner: root + group: root + mode: 0644 + +- name: enable ssh + systemd: + name: sshd + enabled: yes + state: started diff --git a/tasks/sshd_config.yml b/tasks/sshd_config.yml new file mode 100644 index 0000000..6d387ca --- /dev/null +++ b/tasks/sshd_config.yml @@ -0,0 +1,46 @@ +--- +# vim: set expandtab tabstop=2 shiftwidth=2: + +- name: sshd_config + lineinfile: + path: /etc/ssh/sshd_config + insertafter: '^\s*#\s*{{item.key}}\s+' + regexp: '^\s*{{item.key}}\s' + line: '{{item.key}} {{item.value}}' + with_dict: + Port: '{{ssh_port|default(22)}}' + PermitRootLogin: 'prohibit-password' + StrictModes: 'yes' + PubkeyAuthentication: 'yes' + KerberosAuthentication: 'no' + GSSAPIAuthentication: 'yes' + TCPKeepAlive: 'yes' + Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com' + MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256' + KexAlgorithms: 'curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256' +- name: sshd_config + lineinfile: + path: /etc/ssh/sshd_config + insertbefore: '\s*#?\s*HostKey\s+' + regexp: '^# HostKeys for protocol' + line: '# HostKeys for protocol' +- name: sshd_config - prefer ed25519 + lineinfile: + path: /etc/ssh/sshd_config + insertafter: '^# HostKeys for protocol' + regexp: '^\s*HostKey\s+/etc/ssh/ssh_host_ed25519_key\s*$' + line: 'HostKey /etc/ssh/ssh_host_ed25519_key' +- name: sshd_config - fallback rsa + lineinfile: + path: /etc/ssh/sshd_config + insertafter: '^\s*HostKey\s+/etc/ssh/ssh_host_ed25519_key\s*$' + regexp: '^\s*HostKey\s+/etc/ssh/ssh_host_rsa_key\s*$' + line: 'HostKey /etc/ssh/ssh_host_rsa_key' +- name: 'sshd_config - absent dsa / ecdsa' + lineinfile: + path: /etc/ssh/sshd_config + state: absent + regexp: '{{item}}' + with_list: + - '^\s*HostKey\s+/etc/ssh/ssh_host_dsa_key\s*$' + - '^\s*HostKey\s+/etc/ssh/ssh_host_ecdsa_key\s*$' diff --git a/tasks/systemd.yml b/tasks/systemd.yml new file mode 100644 index 0000000..95036b4 --- /dev/null +++ b/tasks/systemd.yml @@ -0,0 +1,65 @@ +--- +# vim: set expandtab tabstop=2 shiftwidth=2: + +- name: etckeeper initialized + shell: | + set -e + [ -f /etc/.git/config ] && exit 42 + echo "Need to init" + etckeeper init + register: etckeeper_init + changed_when: 'etckeeper_init.rc == 0' + failed_when: 'etckeeper_init.rc not in [0,42]' + +- name: set git-defaults + git_config: + name: '{{item.key}}' + repo: /etc + scope: local + value: '{{item.value}}' + with_dict: + user.email: '{{etckeeper.email}}' + user.name: '{{etckeeper.name}}' +- name: pre etckeeper commit + shell: | + set -e + dd if=/dev/urandom of=/etc/.etckeeper_random count=1 + etckeeper commit 'pre ansible sys' + +- name: create group syslog + group: {name: syslog, system: yes} + +- name: enable rng-tools + when: has_hwrng + systemd: + name: rng-tools + enabled: yes + +- name: Set timezone variables + file: + src: '/usr/share/zoneinfo/{{timezone}}' + dest: /etc/localtime + state: link + force: yes + owner: root + group: root + mode: 0644 + +- name: install systemd-logcompress-jobs + copy: + src: "{{item}}" + dest: /etc/systemd/system + owner: root + group: root + mode: 0644 + with_fileglob: + - "systemd/system/*" + +- name: enable services + systemd: + name: "{{item}}" + enabled: yes + state: started + with_items: + - rsyslog + - logcompress.timer diff --git a/templates/cron-apt/config.j2 b/templates/cron-apt/config.j2 new file mode 100644 index 0000000..91b6849 --- /dev/null +++ b/templates/cron-apt/config.j2 @@ -0,0 +1,6 @@ +# Configuration for cron-apt. For further information about the possible +# configuration settings see /usr/share/doc/cron-apt/README.gz. + +MAILTO="{{cron_apt_mailto | default('admin@denkn.at')}}" +MAILON=upgrade +APTCOMMAND=/usr/bin/aptitude diff --git a/templates/dotzshrc b/templates/dotzshrc new file mode 100644 index 0000000..939adf3 --- /dev/null +++ b/templates/dotzshrc @@ -0,0 +1,65 @@ +# Path to your oh-my-zsh installation. +export ZSH="/usr/share/oh-my-zsh" + +# Set name of the theme to load. +# Look in ~/.oh-my-zsh/themes/ +# Optionally, if you set this to "random", it'll load a random theme each +# time that oh-my-zsh is loaded. +ZSH_THEME="nf" + +# Uncomment the following line to use case-sensitive completion. +CASE_SENSITIVE="true" + +# Uncomment the following line to disable bi-weekly auto-update checks. +DISABLE_AUTO_UPDATE="true" + +# Uncomment the following line to change how often to auto-update (in days). +# export UPDATE_ZSH_DAYS=13 + +# Uncomment the following line to disable colors in ls. +# DISABLE_LS_COLORS="true" + +# Uncomment the following line to disable auto-setting terminal title. +# DISABLE_AUTO_TITLE="true" + +# Uncomment the following line to enable command auto-correction. +ENABLE_CORRECTION="true" + +# Uncomment the following line to display red dots whilst waiting for completion. +COMPLETION_WAITING_DOTS="true" + +# Uncomment the following line if you want to disable marking untracked files +# under VCS as dirty. This makes repository status check for large repositories +# much, much faster. +DISABLE_UNTRACKED_FILES_DIRTY="true" + +# Uncomment the following line if you want to change the command execution time +# stamp shown in the history command output. +# The optional three formats: "mm/dd/yyyy"|"dd.mm.yyyy"|"yyyy-mm-dd" +HIST_STAMPS="yyyy-mm-dd" + +# Would you like to use another custom folder than $ZSH/custom? +# ZSH_CUSTOM=/path/to/new-custom-folder + +# Which plugins would you like to load? (plugins can be found in ~/.oh-my-zsh/plugins/*) +# Custom plugins may be added to ~/.oh-my-zsh/custom/plugins/ +# Example format: plugins=(rails git textmate ruby lighthouse) +# Add wisely, as too many plugins slow down shell startup. +plugins=(bundler coffee common-aliases compleat encode64 extract gem git github gitignore gpg-agent history-substring-search mosh nmap perl postgres rails rake-fast rake rsync ruby safe-paste screen singlechar sudo) + +prompt_host_color='%{$terminfo[bold]$fg[{{prompt_host_color}}]%}' +source "$ZSH/oh-my-zsh.sh" + +# User configuration + +export PATH="$PATH:$HOME/bin" EDITOR=vim +>/dev/null where keychain && eval `keychain --eval --quiet` + +alias ip='command ip --color=auto' + +zmodload zsh/terminfo +#bindkey -v +#bindkey -M vicmd 'v' edit-command-line +bindkey "\e[H" beginning-of-line +bindkey "\e[F" end-of-line +bindkey "$terminfo[kich1]" overwrite-mode diff --git a/templates/krb5.conf.j2 b/templates/krb5.conf.j2 new file mode 100644 index 0000000..b17be4b --- /dev/null +++ b/templates/krb5.conf.j2 @@ -0,0 +1,23 @@ +[libdefaults] +{%if krb5_default_realm is defined%} +default_realm = {{krb5_default_realm|mandatory()}} +{%endif%} +allow_weak_crypto = false +permitted_enctypes = aes256-cts-hmac-sha1-96 camellia256-cts-cmac aes128-cts-hmac-sha1-96 camellia128-cts-cmac +default_tkt_enctypes = aes256-cts-hmac-sha1-96 camellia256-cts-cmac aes128-cts-hmac-sha1-96 camellia128-cts-cmac +default_tgs_enctypes = aes256-cts-hmac-sha1-96 camellia256-cts-cmac aes128-cts-hmac-sha1-96 camellia128-cts-cmac + +[realms] +{% for realm, cfg in krb5_realms.items() %} +{{realm}} = { +{% for key, val in cfg.items() %} + {{key}} = {{val}} +{% endfor %} +} +{% endfor %} + +[domain_realm] +{% for domain, realm in krb5_domains.items() %} +{{domain}} = {{realm}} +.{{domain}} = {{realm}} +{% endfor %} diff --git a/templates/msmtprc.j2 b/templates/msmtprc.j2 new file mode 100644 index 0000000..7b2b8de --- /dev/null +++ b/templates/msmtprc.j2 @@ -0,0 +1,5 @@ +account default +host {{mail_relay_host}} +tls on +tls_starttls on +syslog LOG_MAIL diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2 new file mode 100644 index 0000000..d5a2a75 --- /dev/null +++ b/templates/sshd_config.j2 @@ -0,0 +1,93 @@ +# Package generated configuration file +# See the sshd_config(5) manpage for details + +# What ports, IPs and protocols we listen for +Port {{ssh_port|default(22)}} +# Use these options to restrict which interfaces/protocols sshd will bind to +#ListenAddress :: +#ListenAddress 0.0.0.0 +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_ed25519_key +HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#Privilege Separation is turned on for security +#UsePrivilegeSeparation yes + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 3600 +#ServerKeyBits 1024 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 120 +PermitRootLogin prohibit-password +StrictModes yes + +#RSAAuthentication yes +PubkeyAuthentication yes +#AuthorizedKeysFile %h/.ssh/authorized_keys + +# Don't read the user's ~/.rhosts and ~/.shosts files +IgnoreRhosts yes +# For this to work you will also need host keys in /etc/ssh_known_hosts +#RhostsRSAAuthentication no +# similar for protocol version 2 +HostbasedAuthentication no +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +PermitEmptyPasswords no + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +ChallengeResponseAuthentication no + +# Change to no to disable tunnelled clear text passwords +#PasswordAuthentication yes + +# Kerberos options +KerberosAuthentication no +#KerberosGetAFSToken no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes + +# GSSAPI options +GSSAPIAuthentication yes +GSSAPICleanupCredentials no + +X11Forwarding no +X11DisplayOffset 10 +PrintMotd no +PrintLastLog yes +TCPKeepAlive yes +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +Subsystem sftp /usr/lib/openssh/sftp-server + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes + +# Ciphers +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 +KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 diff --git a/templates/tmux.conf.j2 b/templates/tmux.conf.j2 new file mode 100644 index 0000000..eb11e5a --- /dev/null +++ b/templates/tmux.conf.j2 @@ -0,0 +1,22 @@ +bind C-s send-prefix +bind a last-window +bind C-a last-window +bind Space next-window +bind C-Space next-window +bind Bspace previous-window +bind C-Bspace previous-window +bind ` select-window -t0 +bind 1 select-window -t1 +bind 2 select-window -t2 +bind 3 select-window -t3 +bind 4 select-window -t4 +bind 5 select-window -t5 +bind 6 select-window -t6 +bind 7 select-window -t7 +bind 8 select-window -t8 +bind 9 select-window -t9 +bind 0 select-window -t10 +bind Escape copy-mode +set -g status-keys vi +setw -g mode-keys vi +set -g status-style {{tmux_status_style}} diff --git a/tests/inventory b/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/tests/test.yml b/tests/test.yml new file mode 100644 index 0000000..fd10173 --- /dev/null +++ b/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - system \ No newline at end of file diff --git a/vars/main.yml b/vars/main.yml new file mode 100644 index 0000000..ac79143 --- /dev/null +++ b/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for system \ No newline at end of file