This commit is contained in:
Denis Knauf 2021-04-10 22:11:19 +02:00
commit 3beb52ad22
31 changed files with 1224 additions and 0 deletions

67
tasks/main.yml Normal file

@ -0,0 +1,67 @@
---
# vim: set expandtab tabstop=2 shiftwidth=2:
- name: directories
file:
state: directory
path: '{{item}}'
with_items:
- /etc/vim
#- /etc/syslog-ng
- /etc/sudoers.d
- name: configs
copy:
src: "{{item.key}}"
dest: "{{item.value}}"
owner: root
group: root
mode: 0644
backup: yes
with_dict:
vimrc.local: /etc/vim/vimrc.local
rsyslog.conf: /etc/rsyslog.conf
- name: 'configs (templates)'
template:
src: "{{item.key}}"
dest: "{{item.value}}"
owner: root
group: root
mode: 0644
backup: yes
with_dict:
tmux.conf.j2: /etc/tmux.conf
krb5.conf.j2: /etc/krb5.conf
- name: sudoers defaults
copy:
src: defaults.sudoers
dest: /etc/sudoers.d/defaults
owner: root
group: root
mode: 0440
- name: timer-mail
copy:
src: timer-mail
dest: /usr/local/bin/timer-mail
owner: root
group: root
mode: 0755
- include_tasks: 'os-{{ansible_facts["os_family"]|lower}}.yml'
- name: motd
copy:
content: '{{motd}}'
dest: /etc/motd
mode: 0644
owner: root
group: root
- name: post etckeeper commit
shell: |
set -e
dd if=/dev/urandom of=/etc/.etckeeper_random count=1
etckeeper commit 'post ansible sys'
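Review bot: The `sudoers defaults` task writes /etc/sudoers.d/defaults without syntax validation, so a single typo in defaults.sudoers makes sudo refuse every invocation on the host, which is hard to recover from remotely. Add `validate: /usr/sbin/visudo -cf %s` to that copy task so a broken fragment is rejected before it replaces the live file. The `configs` task also installs /etc/rsyslog.conf with no `notify`, unlike the cron-apt copies in tasks/os-debian.yml; unless a handler elsewhere restarts rsyslog, the new configuration is only picked up at the next daemon restart. Quoting the modes (`mode: '0644'`) and writing `backup: true` avoids the YAML 1.1 octal and truthy ambiguities that yamllint flags on these lines.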

28
tasks/ohmyzsh.yml Normal file

@ -0,0 +1,28 @@
- name: oh my zsh
tags: ohmyzsh
git:
repo: https://github.com/ohmyzsh/ohmyzsh
dest: /usr/share/oh-my-zsh
- name: oh my zsh theme
tags: ohmyzsh
copy:
src: nf.zsh-theme
dest: /usr/share/oh-my-zsh/custom/themes/nf.zsh-theme
- name: ".zshrc in user skeleton"
tags: ohmyzsh
template:
src: dotzshrc
dest: "/etc/skel/.zshrc"
- name: 'setup default user(s)'
tags: ohmyzsh
with_items: '{{sys_default_users}}'
user:
name: '{{item.name}}'
home: '{{item.home | default("/home/"+item.name)}}'
shell: '{{item.shell | default("/usr/bin/zsh")}}'
groups: [users]
createhome: yes
move_home: yes
append: yes
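Review bot: The `oh my zsh` git task clones https://github.com/ohmyzsh/ohmyzsh into /usr/share/oh-my-zsh with no `version:`, so every run fetches whatever upstream HEAD currently is, and that code is then sourced by every login shell created from /etc/skel/.zshrc — an unpinned third-party dependency executed as each user. Pin it to a reviewed tag or commit, e.g. `version: '<pinned tag or commit>'` together with `update: no`, and move the pin deliberately. The clone runs as root and neither it nor the `nf.zsh-theme` copy sets `owner`/`mode`, so confirm the resulting tree is not writable by unprivileged users. Unlike the other task files in this commit, this one has no `---` document-start line.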

89
tasks/os-alpine.yml Normal file

@ -0,0 +1,89 @@
---
# vim: set expandtab tabstop=2 shiftwidth=2:
- name: packages
apk:
update_cache: yes
name:
- vim
- ncdu
- htop
- tmux
- etckeeper
- syslog-ng
- zsh
- curl
- lsof
- knot-utils
- krb5
- apk-cron
- msmtp
- openssh-sftp-server
- python3
- name: upgrade
apk:
upgrade: yes
- include_tasks: sshd_config.yml
- name: create user syslog
register: _cruser
shell: |
getent passwd syslog
case $? in
0) exit 42 ;;
2) ;;
esac
adduser -S syslog
failed_when: '_cruser.rc not in [0,42]'
changed_when: '_cruser.rc == 0'
- name: create group syslog
register: _crgroup
shell: |
getent group syslog
case $? in
0) exit 42 ;;
2) ;;
esac
addgroup -S syslog
failed_when: '_crgroup.rc not in [0,42]'
changed_when: '_crgroup.rc == 0'
- name: Set timezone variables
file:
src: '/etc/zoneinfo/{{timezone}}'
dest: /etc/localtime
state: link
force: yes
- name: setup msmtp
template:
dest: /etc/msmtprc
src: msmtprc.j2
owner: root
group: root
mode: 0644
- name: 'vi -> vim'
file:
dest: /usr/bin/vi
src: vim
state: link
force: yes
- name: 'python -> python3'
file:
dest: /usr/bin/python
src: python3
state: link
force: yes
- name: enable services
service:
name: '{{item}}'
enabled: yes
state: restarted
with_items:
- sshd
- syslog-ng
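Review bot: In `create user syslog` and `create group syslog` the `case $?` handles only exit codes 0 and 2 from getent; any other status (e.g. a usage error, or 127 if getent is missing) falls through to `adduser -S syslog` / `addgroup -S syslog`, and the task result then depends on whatever those commands return. Add a default branch, `*) exit 1 ;;`, or replace both snippets with the `user`/`group` modules using `system: true`, as tasks/systemd.yml already does for the group. `enable services` uses `state: restarted`, so sshd and syslog-ng are bounced and reported changed on every run even when nothing changed; `state: started` plus a handler notified by the sshd_config and config tasks keeps runs idempotent. apk-cron presumably depends on crond, which is not in that services list — confirm it is enabled elsewhere.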

214
tasks/os-debian.yml Normal file

@ -0,0 +1,214 @@
---
# vim: set expandtab tabstop=2 shiftwidth=2:
# pre dependencies:
- name: install packages
apt:
force: no
name:
- aptitude
- set_fact:
crap_packages:
- cloud-init
- vim-tiny
- landscape-common
- snapd
- ubuntu-advantage-tools
- unattended-upgrades
- name: remove unwanted packages
apt:
state: absent
name: '{{crap_packages}}'
- name: stay away packages
dpkg_selections:
selection: hold
name: '{{item}}'
with_items: '{{crap_packages}}'
- name: safe-upgrade
apt:
upgrade: safe
update_cache: yes
# check capabilities:
- name: check mailer
shell: |
aptitude search '~Pmail-transport-agent' | sed -ne '/^i/{s/^i *//;s/^ *.*//;s/ *.*//;p}' | grep \\S
register: mailer
failed_when: "mailer.rc != 1 and mailer.rc != 0"
changed_when: 'false'
- set_fact:
has_nullmailer: '{{mailer.rc == 1 or mailer.stdout=="nullmailer"}}'
# installation packages:
- name: install packages
apt:
force: no
name: '{{lookup("flattened", items)}}'
update_cache: yes
vars:
items:
- '{{ [] if is_virt_guest else ["chrony", "smartmontools"] }}'
- cron-apt
- curl
- etckeeper
- file
- fizsh
- git
- haveged
- htop
- inetutils-ping
- knot-dnsutils
- krb5-user
- ldap-utils
- locales
- lsof
- lvm2
- mosh
- mtr-tiny
- ncdu
- net-tools
- '{{ ["nullmailer"] if has_nullmailer else [] }}'
- openssh-server
- progress
- pv
- '{{ ["rng-tools"] if has_hwrng else [] }}'
- rsync
- socat
- sudo
- rsyslog
- systemd
- systemd-sysv
- tmux
- inetutils-traceroute
- tzdata
- usrmerge
- vim-nox
- '{{ [] if is_container else ["xfsdump", "xfsprogs"] }}'
- '{{ needed_debs if needed_debs is defined else [] }}'
# remove garbage:
- name: 'no ubuntu adverts'
when: '"ubuntu" == ansible_distribution'
block:
- name: no ubuntu-motd-adverts
lineinfile:
path: /etc/default/motd-news
line: ENABLED=0
regexp: '^ENABLED='
create: yes
- name: no ubuntu-cloudguest-adverts
file:
path: /etc/update-motd.d/51-cloudguest
state: absent
- name: 'no ubuntu-"documentation"-adverts'
copy:
dest: /etc/update-motd.d/10-help-text
mode: 0644
content: ''
# configure system:
- name: set alternatives
alternatives:
name: "{{item.key}}"
path: "{{item.value}}"
with_dict:
editor: /usr/bin/vim.nox
vim: /usr/bin/vim.nox
vimdiff: /usr/bin/vim.nox
vi: /usr/bin/vim.nox
view: /usr/bin/vim.nox
- name: copy configs
copy:
src: "{{item.key}}"
dest: "{{item.value}}"
owner: root
group: root
mode: 0644
with_dict:
cron-apt/action.d/6-upgrade: /etc/cron-apt/action.d/6-upgrade
notify:
- restart services
- name: copy configs
template:
src: "{{item.key}}"
dest: "{{item.value}}"
owner: root
group: root
mode: 0644
with_dict:
cron-apt/config.j2: /etc/cron-apt/config
notify:
- restart services
- name: generates locales
locale_gen:
name: "{{item}}"
state: present
with_items: '{{locales}}'
- name: default locale
copy:
dest: /etc/default/locale
content: |
LANG=de_AT.UTF-8
owner: root
group: root
mode: 0644
- include_tasks: sshd_config.yml
- include_tasks: ohmyzsh.yml
- include_tasks: systemd.yml
- name: update timezone
command: dpkg-reconfigure --frontend noninteractive tzdata
- name: setup mailname
copy:
dest: /etc/mailname
content: |
{{sys_mailname | default(ansible_fqdn) | mandatory}}
owner: root
group: root
mode: 0644
- name: setup nullmailer remote
when: "mailer.changed"
copy:
dest: /etc/nullmailer/remotes
content: |
{{mail_relay_host}} smtp
owner: root
group: mail
mode: 0640
notify:
- restart nullmailer
- name: setup nullmailer domain
when: "mailer.changed"
copy:
dest: /etc/nullmailer/defaultdomain
content: 'denkn.at'
owner: root
group: mail
mode: 0640
notify:
- restart nullmailer
- name: 'dig -> kdig and other knot-utils'
file:
state: link
path: '/usr/local/bin/{{item}}'
src: '../../bin/k{{item}}'
with_items: [dig, nsupdate]
- name: enable ssh
systemd:
name: ssh
enabled: yes
state: started
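Review bot: `setup nullmailer remote` and `setup nullmailer domain` are guarded by `when: "mailer.changed"`, but the `check mailer` task that registers `mailer` sets `changed_when: 'false'`, so `mailer.changed` is always false and /etc/nullmailer/remotes and defaultdomain are never written; the fact computed right after it looks like the intended guard, `when: has_nullmailer`. `no ubuntu adverts` compares `"ubuntu" == ansible_distribution`, but as far as I can tell that fact is reported as `Ubuntu` on Ubuntu hosts, so the block would not run either — `when: ansible_distribution | lower == "ubuntu"` is safer. `content: 'denkn.at'` in the defaultdomain task hard-codes one site's domain into a role that otherwise takes `sys_mailname` and `mail_relay_host` from variables; move it to a variable with the same `mandatory` treatment. `update timezone` runs `dpkg-reconfigure` unconditionally and reports changed on every run; `changed_when: false` or a `when` on the timezone-link result keeps the play summary honest.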

57
tasks/os-redhat.yml Normal file

@ -0,0 +1,57 @@
---
# vim: set expandtab tabstop=2 shiftwidth=2:
# installation packages:
- name: install packages
yum:
lock_timeout: 30
name: '{{lookup("flattened", items)}}'
vars:
items:
- '{{ [] if is_virt_guest else ["chrony", "smartmontools"] }}'
- yum-cron
- curl
- file
- etckeeper
- git
- '{{ [] if is_container else ["haveged", "lvm2"] }}'
- htop
#- inetutils-ping
#- knot-dnsutils
#- ldap-utils
- lsof
- net-tools
#- '{{ ["nullmailer"] if has_nullmailer else [] }}'
#- progress
- pv
- '{{ ["rng-tools"] if has_hwrng else [] }}'
- rsync
- socat
- sudo
- rsyslog
- systemd
- tmux
- tzdata
- vim
- '{{ [] if is_container else ["xfsdump", "xfsprogs"] }}'
- zsh
- include_tasks: sshd_config.yml
- include_tasks: systemd.yml
- include_tasks: ohmyzsh.yml
- name: setup mailname
copy:
dest: /etc/mailname
content: |
{{sys_mailname | default(ansible_fqdn) | mandatory}}
owner: root
group: root
mode: 0644
- name: enable ssh
systemd:
name: sshd
enabled: yes
state: started
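Review bot: `install packages` pulls in `yum-cron` but nothing enables its service, and unlike tasks/os-debian.yml (`safe-upgrade`) and tasks/os-alpine.yml (`upgrade: yes`) there is no upgrade step, so a RedHat host provisioned by this role receives no updates until someone enables the service by hand. Add a task next to `enable ssh`, e.g. `- name: enable yum-cron` / `systemd: {name: yum-cron, enabled: true, state: started}`, or an explicit `yum: {name: '*', state: latest}` step. `haveged` in the package list is, as far as I know, an EPEL package, so this task fails on a stock RHEL/CentOS unless the EPEL repository is configured earlier in the play; a `when` or a comment stating that prerequisite would help. The commented-out entries (`#- inetutils-ping` and friends) mirror the Debian list and will drift silently; a one-line comment saying they are intentionally omitted on RedHat tells the next reader not to "fix" them.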

46
tasks/sshd_config.yml Normal file

@ -0,0 +1,46 @@
---
# vim: set expandtab tabstop=2 shiftwidth=2:
- name: sshd_config
lineinfile:
path: /etc/ssh/sshd_config
insertafter: '^\s*#\s*{{item.key}}\s+'
regexp: '^\s*{{item.key}}\s'
line: '{{item.key}} {{item.value}}'
with_dict:
Port: '{{ssh_port|default(22)}}'
PermitRootLogin: 'prohibit-password'
StrictModes: 'yes'
PubkeyAuthentication: 'yes'
KerberosAuthentication: 'no'
GSSAPIAuthentication: 'yes'
TCPKeepAlive: 'yes'
Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com'
MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256'
KexAlgorithms: 'curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256'
- name: sshd_config
lineinfile:
path: /etc/ssh/sshd_config
insertbefore: '\s*#?\s*HostKey\s+'
regexp: '^# HostKeys for protocol'
line: '# HostKeys for protocol'
- name: sshd_config - prefer ed25519
lineinfile:
path: /etc/ssh/sshd_config
insertafter: '^# HostKeys for protocol'
regexp: '^\s*HostKey\s+/etc/ssh/ssh_host_ed25519_key\s*$'
line: 'HostKey /etc/ssh/ssh_host_ed25519_key'
- name: sshd_config - fallback rsa
lineinfile:
path: /etc/ssh/sshd_config
insertafter: '^\s*HostKey\s+/etc/ssh/ssh_host_ed25519_key\s*$'
regexp: '^\s*HostKey\s+/etc/ssh/ssh_host_rsa_key\s*$'
line: 'HostKey /etc/ssh/ssh_host_rsa_key'
- name: 'sshd_config - absent dsa / ecdsa'
lineinfile:
path: /etc/ssh/sshd_config
state: absent
regexp: '{{item}}'
with_list:
- '^\s*HostKey\s+/etc/ssh/ssh_host_dsa_key\s*$'
- '^\s*HostKey\s+/etc/ssh/ssh_host_ecdsa_key\s*$'
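Review bot: None of the `lineinfile` tasks on /etc/ssh/sshd_config validate the result, so a directive the installed OpenSSH does not accept (an unknown cipher or KEX name on an older release, a bad `ssh_port` value) is written anyway and sshd fails on its next restart — which tasks/os-alpine.yml triggers unconditionally in `enable services` — leaving the host unreachable. Add `validate: '/usr/sbin/sshd -t -f %s'` to every task here that writes the file. `regexp: '^\s*{{item.key}}\s'` matches the directive anywhere in the file and lineinfile replaces the last match, so if a distribution's stock config carries the same directive inside a `Match` block the global value is never set; managing the file from a template, or an `sshd_config.d` drop-in where the OpenSSH version supports `Include`, avoids that. The first two tasks share the name `sshd_config`; give them distinct names so play output and `--start-at-task` are unambiguous.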

65
tasks/systemd.yml Normal file

@ -0,0 +1,65 @@
---
# vim: set expandtab tabstop=2 shiftwidth=2:
- name: etckeeper initialized
shell: |
set -e
[ -f /etc/.git/config ] && exit 42
echo "Need to init"
etckeeper init
register: etckeeper_init
changed_when: 'etckeeper_init.rc == 0'
failed_when: 'etckeeper_init.rc not in [0,42]'
- name: set git-defaults
git_config:
name: '{{item.key}}'
repo: /etc
scope: local
value: '{{item.value}}'
with_dict:
user.email: '{{etckeeper.email}}'
user.name: '{{etckeeper.name}}'
- name: pre etckeeper commit
shell: |
set -e
dd if=/dev/urandom of=/etc/.etckeeper_random count=1
etckeeper commit 'pre ansible sys'
- name: create group syslog
group: {name: syslog, system: yes}
- name: enable rng-tools
when: has_hwrng
systemd:
name: rng-tools
enabled: yes
- name: Set timezone variables
file:
src: '/usr/share/zoneinfo/{{timezone}}'
dest: /etc/localtime
state: link
force: yes
owner: root
group: root
mode: 0644
- name: install systemd-logcompress-jobs
copy:
src: "{{item}}"
dest: /etc/systemd/system
owner: root
group: root
mode: 0644
with_fileglob:
- "systemd/system/*"
- name: enable services
systemd:
name: "{{item}}"
enabled: yes
state: started
with_items:
- rsyslog
- logcompress.timer