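---
# Baseline setup for Debian-family hosts (bare metal, VMs, containers, Linux Mint,
# Raspberry Pi OS). Gating facts used throughout:
#   nocontainer  - /usr/bin/systemd exists; service/kernel/host tweaks are skipped in containers
#   mint / pios  - desktop systems that manage their own network; dhcpcd setup is skipped there
# NOTE(review): no `become:` is set, so the play is expected to run as root - confirm in the inventory.
- name: Basic Debian Linux Setup
  hosts: all
  tasks:
    # - name: Print all available facts
    #   ansible.builtin.debug:
    #     var: ansible_facts

    - name: check if we are in an container env by existing systemd
      ansible.builtin.stat:
        path: /usr/bin/systemd
      register: nocontainer

    - name: Install Basic Packages
      ansible.builtin.apt:
        name:
          - file
          - bc
          - psutils
          - psmisc
          - procps
          - htop
          - iotop
          - sysstat
          - strace
          - net-tools
          - vim
          - git
          - man-db
          - netcat-traditional
          - debconf-utils
          - iputils-ping
          - lsof
          - inotify-tools
          - rsync
          - dos2unix
          - locales
          - iproute2
          - cryptsetup
          - curl
          - moreutils
          - ffmpeg
          - mediainfo
          - telnet
          - libstring-approx-perl
          - postfix
          - zip
          - nmap
          - whois
          - libfile-readbackwards-perl
          - libcrypt-cbc-perl
          - libcrypt-des-perl
          - pwgen
          - jq
          - cifs-utils
          - apt-transport-https
          - golang
          - make
          - sshfs
          - imagemagick
          - libimage-exiftool-perl
          - sqlite3
          - html-xml-utils
          - openssh-server
          - wget
          - gpg
          - crudini
          - rblcheck
          - bind9-host
          - kpartx
        update_cache: true
        install_recommends: false

    - name: Install Basic Packages if not running in container
      ansible.builtin.apt:
        name:
          - hd-idle
          - jnettop
          - strace
          - tmux
          - ethtool
          - logrotate
          - smartmontools
          - at
          - certbot
          - btrfs-progs
          - mdadm
          - ufw
          - btrfsmaintenance
          - sudo
          - golang
          - make
          - sshfs
          - ldmtool
          - traceroute
          - mailutils
          - rsyslog
          - postgresql-client
          - ntpdate
        update_cache: true
        install_recommends: false
      when: nocontainer.stat.exists

    - name: Install Basic Packages especially for Debian 12 - bookworm
      ansible.builtin.apt:
        name:
          - systemd-resolved
        update_cache: true
        install_recommends: false
      when: ansible_distribution_release is match("bookworm") and nocontainer.stat.exists
      register: resolved

    - name: Restart systemd-resolved
      ansible.builtin.service:
        name: systemd-resolved
        state: restarted
      when: resolved.changed

    # apt reads preferences files as blank-line separated records; the separator
    # between the two stanzas keeps the testing pin from being folded into the stable one.
    - name: set testing repo pinning for Debian 12 - bookworm (needed by dnscrypt-proxy)
      ansible.builtin.blockinfile:
        path: /etc/apt/preferences.d/pinning.pref
        create: true
        mode: "0444"
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          Package: *
          Pin: release a=stable
          Pin-Priority: 900

          Package: *
          Pin: release a=testing
          Pin-Priority: 100
      when: ansible_distribution_release is match("bookworm") and nocontainer.stat.exists

    # - name: add testing repo for Debian 12 - bookworm (needed by dnscrypt-proxy)
    #   ansible.builtin.apt_repository:
    #     repo: "deb https://deb.debian.org/debian/ testing main"
    #     state: present
    #     filename: testing
    #   when: ansible_distribution_release is match("bookworm")

    - name: check if this is a Mint system
      ansible.builtin.stat:
        path: /etc/linuxmint/mintSystem.conf
      register: mint

    - name: check if we are in a RaspberryPiOS
      ansible.builtin.stat:
        path: /usr/bin/wayfire-pi
      register: pios

    # Mint and Pi OS are checked through separate variables so that neither stat
    # result masks the other; the dhcpcd tasks below must skip on either system.
    - name: Install Basic Packages if not running in container/mint or PiOS
      ansible.builtin.apt:
        name:
          - dhcpcd5
        update_cache: true
        install_recommends: false
      when: nocontainer.stat.exists and not mint.stat.exists and not pios.stat.exists

    - name: add dhcpcd to startup if not running in container/mint or PiOS
      ansible.builtin.systemd:
        name: dhcpcd
        enabled: true
      when: nocontainer.stat.exists and not mint.stat.exists and not pios.stat.exists

    - name: No DHCPcd for internal interfaces if not running in container/mint or PiOS
      ansible.builtin.lineinfile:
        path: /etc/dhcpcd.conf
        line: 'denyinterfaces docker0 virbr0 tornet0 veth* br* eth1'
      when: nocontainer.stat.exists and not mint.stat.exists and not pios.stat.exists
      register: dhcpcd

    - name: Check weather /etc/network/interfaces exists
      ansible.builtin.stat:
        path: /etc/network/interfaces
      register: stat_result

    # Comment out every iface/allow-hotplug/auto stanza; `source interfaces.d` is left untouched.
    - name: Disable all Network-config but source interfaces.d in /etc/network/interfaces because dhcpcd will do the job
      ansible.builtin.replace:
        path: /etc/network/interfaces
        regexp: "(^{{ item }} .*)"
        replace: '#\1'
      loop:
        - iface
        - allow-hotplug
        - auto
      when: stat_result.stat.exists

    - name: Restart dhcpcd
      ansible.builtin.service:
        name: dhcpcd
        state: restarted
      when: dhcpcd.changed

    - name: Restart systemd-resolved
      ansible.builtin.service:
        name: systemd-resolved
        state: restarted
      when: dhcpcd.changed

    - name: Set a hostname
      ansible.builtin.hostname:
        name: "{{ inventory_hostname }}"
      when: nocontainer.stat.exists

    # NOTE(review): grants unrestricted sudo to the per-host admin user; check the
    # module's `nopassword` default, which may make this NOPASSWD unless set explicitly.
    - name: Allow the hostnameadm User all sudo commands
      community.general.sudoers:
        name: ALL
        state: present
        user: "{{ ansible_facts['hostname'] }}adm"
        commands: ALL
      when: nocontainer.stat.exists

    - name: Prefer ipv4 over ipv6 to avoid problems and waiting times
      ansible.builtin.lineinfile:
        path: /etc/gai.conf
        regexp: '^#precedence ::ffff:0:0/96 100'
        line: "precedence ::ffff:0:0/96 100 # CHANGED BY ANSIBLE"
        backup: true

    - name: Ensure en_US.UTF-8 locale exists
      community.general.locale_gen:
        name: en_US.UTF-8
        state: present

    - name: Ensure en_GB.UTF-8 locale exists
      community.general.locale_gen:
        name: en_GB.UTF-8
        state: present

    # accept-new trusts a host key on first contact (trust on first use) but still
    # refuses changed keys; pre-seeding known_hosts is stronger where the fleet is known.
    - name: SSH client settings
      ansible.builtin.blockinfile:
        path: /etc/ssh/ssh_config.d/settings.conf
        mode: "0444"
        owner: root
        group: root
        create: true
        insertbefore: BOF  # Beginning of the file
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          Host *
            StrictHostKeyChecking=accept-new
        backup: true

    - name: Create .ssh dir
      ansible.builtin.file:
        path: /root/.ssh
        owner: root
        group: root
        state: directory
        mode: '0550'
      when: nocontainer.stat.exists

    - name: Generate an OpenSSH keypair ed25519
      community.crypto.openssh_keypair:
        path: /root/.ssh/id_ed25519
        type: ed25519
      when: nocontainer.stat.exists
      notify:
        - Restart ssh

    - name: Disable swapping (vm.swappiness=0)
      ansible.posix.sysctl:
        name: vm.swappiness
        value: '0'
        state: present
      when: nocontainer.stat.exists

    - name: shell profile
      ansible.builtin.blockinfile:
        path: /etc/profile.d/settings-from-ansible.sh
        create: true
        mode: "0444"
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          if [ "${USER}" = root ]
          then
            PS1='\[\033[01;31m\]\h\[\033[01;34m\] \w \$\[\033[00m\] '
          else
            PS1='\[\033[01;32m\]\u@\h\[\033[01;34m\] \w \$\[\033[00m\] '
          fi
          export EDITOR="/usr/bin/vim"
          export HISTSIZE=
          export HISTFILESIZE=
          export HISTTIMEFORMAT="[%F %T] "
          if [ -f /etc/debian_version ]
          then
            export DEBIAN_FRONTEND='noninteractive'
            export LANG="en_US.UTF-8"
            alias ls='ls --color=auto'
            alias grep='grep --colour=auto'
            alias egrep='egrep --colour=auto'
            alias fgrep='fgrep --colour=auto'
          fi
          # execute for linuxmint
          if [ -d /etc/linuxmint ]
          then
            grep -q /etc/profile.d/settings-from-ansible.sh ~/.bashrc || echo '. /etc/profile.d/settings-from-ansible.sh' >> ~/.bashrc
            export LANG="de_DE.UTF-8"
            #for rc in ~/.bashrc /etc/skel/.bashrc
            #do
            # grep -q /etc/profile.d/settings-from-ansible.sh $rc || echo '. /etc/profile.d/settings-from-ansible.sh' >> $rc
            #done
          fi
        backup: true
        validate: /bin/bash -n %s

    - name: vim settings
      ansible.builtin.blockinfile:
        path: /etc/vim/vimrc.local
        mode: "0444"
        owner: root
        group: root
        create: true
        marker: "\" {mark} ANSIBLE MANAGED BLOCK"
        block: |
          :syntax on
          let g:skip_defaults_vim = 1
          set encoding=utf-8
          set tabstop=2 softtabstop=0 expandtab shiftwidth=2 smarttab
          syntax match nonascii "[^[:alnum:][:punct:][:space:]]/"
          highlight nonascii guibg=Red ctermbg=2
        backup: true

    # NOTE(review): the default branch of a remote repo is checked out unpinned and later
    # sourced by root (notify.sh includes /etc/bash/gaboshlib.include); consider pinning
    # with `version:` to a tag or commit. `force` also discards local edits under /etc/bash.
    - name: gaboshlib from git
      ansible.builtin.git:
        repo: 'https://gitea.ds9.dedyn.io/olli/gaboshlib.git'
        dest: /etc/bash
        force: true

    - name: systemd-journald settings
      ansible.builtin.blockinfile:
        path: /etc/systemd/journald.conf.d/journald.local.conf
        create: true
        mode: "0444"
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          [Journal]
          Storage=persistent
          SystemMaxUse=30M
          ForwardToSyslog=yes
        backup: true
      notify:
        - Restart journald
      when: nocontainer.stat.exists

    # NOTE(review): imudp with only port= listens on all interfaces of every non-container
    # host; scope it with address= (or a ufw rule) on hosts that are not the log collector.
    - name: /etc/rsyslog.d/00-services-remote.conf
      ansible.builtin.blockinfile:
        path: /etc/rsyslog.d/00-services-remote.conf
        create: true
        mode: "0444"
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          # Listen for remote Logging (UDP)
          module(load="imudp")
          input(type="imudp" port="514")
          # Hosts
          if $hostname startswith '192.168.1.1' and $msg contains 'User admin login from 192.168.1.2 successful' then stop
          if $hostname != '{{ ansible_facts['hostname'] }}' and $msg contains 'wdGetDidSendCredentials not implemented' and $programname contains 'citrix-wfica' then stop
          if $hostname != '{{ ansible_facts['hostname'] }}' and $msg contains 'CGPrecv: socket 0x' and $programname contains 'citrix-wfica' then stop
          if $hostname != '{{ ansible_facts['hostname'] }}' and $msg contains 'doEncryptData inbuffersize: ' and $programname contains 'citrix-wfica' then stop
          if $hostname != '{{ ansible_facts['hostname'] }}' and $msg contains 'SSLPutDataFn inbuffersize: ' and $programname contains 'citrix-wfica' then stop
          if $hostname != '{{ ansible_facts['hostname'] }}' and $msg contains 'SRC=192.168.' and $programname contains 'kernel' then stop
          if $hostname startswith '192.168.1.1' then /var/log/zyxel.log
          if $hostname startswith '192.168.1.1' then stop
          if $hostname startswith 'raspberry-' then /var/log/Raspberrys.log
          if $hostname startswith 'raspberry-' then stop
          if $hostname startswith 'pi-' then /var/log/Raspberrys.log
          if $hostname startswith 'pi-' then stop
          if $hostname startswith 'raspi-' then /var/log/Raspberrys.log
          if $hostname startswith 'raspi-' then stop
          if $hostname startswith 'openwrt-' then /var/log/openwrt.log
          if $hostname startswith 'openwrt-' then stop
          # Auth success (for share-auth 2FA)
          #if $programname == 'nextcloud-audit' and $msg contains 'Login successful:' then /var/log/auth-success.log
          #if $programname == 'imaps' and $msg contains 'TLS User logged in' then /var/log/auth-success.log
          if $hostname == 'xgabosh' then /var/log/xgabosh.log
          if $hostname == 'xgabosh' then stop
          if $hostname != '{{ ansible_facts['hostname'] }}' and $hostname != 'share' and $hostname != 'backup-chroot' then /var/log/GTC-Hosts.log
          if $hostname != '{{ ansible_facts['hostname'] }}' and $hostname != 'share' and $hostname != 'backup-chroot' then stop
        backup: true
      when: nocontainer.stat.exists
      notify:
        - Restart rsyslog

    - name: /etc/rsyslog.d/01-services-local.conf
      ansible.builtin.blockinfile:
        path: /etc/rsyslog.d/01-services-local.conf
        create: true
        mode: "0444"
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          # Additional Socket from chroot
          input(type="imuxsock" HostName="vpn-share" Socket="/data-crypt/dev/log" CreatePath="on")
          input(type="imuxsock" HostName="share" Socket="/data-crypt/share/dev/log" CreatePath="on")
          # Auth success (for share-auth 2FA)
          if $programname == 'nextcloud-audit' and $msg contains 'Login successful:' then /var/log/auth-success.log
          if $programname == 'imaps' and $msg contains 'TLS User logged in' then /var/log/auth-success.log
          # Nextcloud
          if $msg contains '","level":0,"time":"' and $programname contains 'nextcloud' then stop
          if $msg contains '","level":1,"time":"' and $programname contains 'nextcloud' then stop
          if $programname == 'nextcloud' then /var/log/nextcloud.log
          if $programname == 'nextcloud' then stop
          if $programname == 'nextcloud-audit' then /var/log/nextcloud.log
          if $programname == 'nextcloud-audit' then stop
          if $programname == 'nextcloud-test' then /var/log/nextcloud-test.log
          if $programname == 'nextcloud-test' then stop
          if $programname == 'nextcloud-test-audit' then /var/log/nextcloud-test.log
          if $programname == 'nextcloud-test-audit' then stop
          # USV
          if $programname == 'apcupsd' and $syslogseverity <= '6' then /var/log/usv-apcupsd.log
          if $programname == 'apcupsd' then stop
          # SMART HDD Überwachung
          if $programname == 'smartd' and $syslogseverity <= '6' then /var/log/smartd.log
          if $programname == 'smartd' then stop
          # SSH TUNNEL
          if $programname == 'sshd-tunnel' and $syslogseverity <= '6' then /var/log/sshd-tunnel.log
          if $programname == 'sshd-tunnel' then stop
          # SSH SFTP
          if $programname == 'sshd-sftp' and $syslogseverity <= '6' then /var/log/sshd-sftp.log
          if $programname == 'sshd-sftp' then stop
          # SSH Share
          if $programname == 'sshd' and $syslogfacility-text == 'local7' then /var/log/sshd-share.log
          if $programname == 'sshd' and $syslogfacility-text == 'local7' then stop
          # firewall
          if $programname == 'kernel' and $msg contains 'PROTO' then /var/log/firewall.log
          if $programname == 'kernel' and $msg contains 'PROTO' then stop
          # SSH rsyncbackup
          if $programname == 'sshd-rsyncbackup' and $syslogseverity <= '6' then /var/log/sshd-rsyncbackup.log
          if $programname == 'sshd-rsyncbackup' then stop
          # SSH
          if $programname == 'sshd' and $syslogseverity <= '6' then /var/log/sshd.log
          if $programname == 'sshd' then stop
          # SFTP
          if $programname == 'internal-sftp' and $msg contains 'sent status ' then stop
          if $programname == 'internal-sftp' and $msg contains 'lstat name ' then stop
          if $programname == 'internal-sftp' and $msg contains '/.kodi/' then stop
          if $programname == 'internal-sftp' then /var/log/sftpaccess.log
          if $programname == 'internal-sftp' then stop
          # Cron
          if $programname == 'cron' and $syslogseverity <= '6' then /var/log/cron.log
          if $programname == 'cron' then stop
          if $programname == 'CRON' and $syslogseverity <= '6' then /var/log/cron.log
          if $programname == 'CRON' then stop
          if $programname == 'run-crons' and $syslogseverity <= '6' then /var/log/cron.log
          if $programname == 'run-crons' then stop
          if $programname == 'crontab' and $syslogseverity <= '6' then /var/log/cron.log
          if $programname == 'crontab' then stop
          # rsync
          if $programname == 'rsyncd' and $syslogseverity <= '6' then /var/log/rsyncd.log
          if $programname == 'rsyncd' then stop
          # DNS
          if $programname == 'named' and $msg contains ' 127.0.0.1#' then stop
          if $programname == 'named' and $msg contains ': sending notifies' then stop
          if $programname == 'named' and $msg contains ' loaded serial ' then stop
          if $programname == 'named' and $syslogseverity <= '6' then /var/log/bind.log
          if $programname == 'named' then stop
          # DHCP
          if $programname == 'dhcpd' and $syslogseverity <= '6' then /var/log/dhcpd.log
          if $programname == 'dhcpd' then stop
          # NFS
          if $programname == 'rpc.mountd' and $syslogseverity <= '6' then /var/log/nfs.log
          if $programname == 'rpc.mountd' then stop
          if $programname == 'rpc.idmapd' and $syslogseverity <= '6' then /var/log/nfs.log
          if $programname == 'rpc.idmapd' then stop
          if $programname == 'rpc.statd' and $syslogseverity <= '6' then /var/log/nfs.log
          if $programname == 'rpc.statd' then stop
          if $programname == 'rpcbind' and $syslogseverity <= '6' then /var/log/nfs.log
          if $programname == 'rpcbind' then stop
          # NTP
          if $programname == 'ntpd' and $syslogseverity <= '6' then /var/log/ntp.log
          if $programname == 'ntpd' then stop
          if $programname == 'ntpdate' and $syslogseverity <= '6' then /var/log/ntp.log
          if $programname == 'ntpdate' then stop
          # Mail
          if $msg contains 'auxpropfunc error invalid parameter supplied' then stop
          if $msg contains '_sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb' then stop
          if $msg contains 'seen_db: user ' then stop
          if $msg contains 'SQUAT ' then stop
          if $msg contains 'indexing mailbox ' then stop
          if $msg contains 'fetching user_deny.db' then stop
          if $programname == 'lmtpunix' and $syslogseverity <= '6' then /var/log/maillog.log
          if $programname == 'lmtpunix' then stop
          if $programname == 'imap' and $syslogseverity <= '6' then /var/log/maillog.log
          if $programname == 'imap' then stop
          if $programname == 'imaps' and $syslogseverity <= '6' then /var/log/maillog.log
          if $programname == 'imaps' then stop
          if $programname == 'master' and $syslogseverity <= '6' then /var/log/maillog.log
          if $programname == 'master' then stop
          if $programname == 'ctl_cyrusdb' and $syslogseverity <= '6' then /var/log/maillog.log
          if $programname == 'ctl_cyrusdb' then stop
          if $programname == 'pop3' and $syslogseverity <= '6' then /var/log/maillog.log
          if $programname == 'pop3' then stop
          if $programname == 'pop3s' and $syslogseverity <= '6' then /var/log/maillog.log
          if $programname == 'pop3s' then stop
          if $programname == 'squatter' and $syslogseverity <= '6' then /var/log/maillog.log
          if $programname == 'squatter' then stop
          if $programname == 'tls_prune' and $syslogseverity <= '6' then /var/log/maillog.log
          if $programname == 'tls_prune' then stop
          if $programname == 'cyr_expire' and $syslogseverity <= '6' then /var/log/maillog.log
          if $programname == 'cyr_expire' then stop
          if $programname == 'sieve' and $syslogseverity <= '6' then /var/log/maillog.log
          if $programname == 'sieve' then stop
          if $programname == 'deliver' and $syslogseverity <= '6' then /var/log/maillog.log
          if $programname == 'deliver' then stop
          if $programname == 'ipurge' and $syslogseverity <= '6' then /var/log/maillog.log
          if $programname == 'ipurge' then stop
          if $programname == 'saslauthd' and $syslogseverity <= '6' then /var/log/maillog.log
          if $programname == 'saslauthd' then stop
          if $programname == 'amavis' and $syslogseverity <= '6' then /var/log/maillog.log
          if $programname == 'amavis' then stop
          if $programname == 'clamd' and $syslogseverity <= '6' then /var/log/maillog.log
          if $programname == 'clamd' then stop
          if $programname == 'freshclam' and $syslogseverity <= '6' then /var/log/maillog.log
          if $programname == 'freshclam' then stop
          if $programname == 'fetchmail' and $syslogseverity <= '6' then /var/log/maillog.log
          if $programname == 'fetchmail' then stop
          if $programname == 'spamd' and $syslogseverity <= '6' then /var/log/maillog.log
          if $programname == 'spamd' then stop
          if $programname contains 'postfix' and $syslogseverity <= '6' then /var/log/maillog.log
          if $programname contains 'postfix' then stop
          if $programname == 'reconstruct' and $syslogseverity <= '6' then /var/log/maillog.log
          if $programname == 'reconstruct' then stop
          if $programname == 'policyd-spf' and $syslogseverity <= '6' then /var/log/maillog.log
          if $programname == 'policyd-spf' then stop
          # slapd
          if $programname == 'slapd' then /var/log/slapd.log
          if $programname == 'slapd' then stop
          # PulseAudio
          if $programname == 'pulseaudio' and $msg contains 'Denied access to client with invalid authentication data' then stop
          if $programname == 'pulseaudio' then /var/log/pulseaudio.log
          if $programname == 'pulseaudio' then stop
          # hostapd
          if $programname == 'hostapd' then /var/log/hostapd.log
          if $programname == 'hostapd' then stop
          # nscd
          if $programname == 'nscd' then /var/log/nscd.log
          if $programname == 'nscd' then stop
          # arpwatch
          if $programname == 'arpwatch' then /var/log/arpwatch.log
          if $programname == 'arpwatch' then stop
          # X
          if $programname == 'mate-session' then /var/log/x.log
          if $programname == 'mate-session' then stop
          if $programname == 'Tor' then /var/log/x.log
          if $programname == 'Tor' then stop
          # xinetd
          if $programname == 'xinetd' then /var/log/xinetd.log
          if $programname == 'xinetd' then stop
          # in.tftp
          if $programname == 'in.tftpd' then /var/log/in.tftpd.log
          if $programname == 'in.tftpd' then stop
          # pppd
          if $programname == 'dhcpcd' then /var/log/pppd.log
          if $programname == 'dhcpcd' then stop
          if $programname == 'radvd' then /var/log/pppd.log
          if $programname == 'radvd' then stop
          if $programname == 'pppd' then /var/log/pppd.log
          if $programname == 'pppd' then stop
          # wlan
          if $programname == 'wpa_cli' then /var/log/messages
          if $programname == 'wpa_cli' then stop
          # cups
          if $programname == 'cupsd' then /var/log/cupsd.log
          if $programname == 'cupsd' then stop
          # bash scripts using g-lib
          if $programname contains 'g_bash-script' then /var/log/g_bash-scripts.log
          if $programname contains 'g_bash-script' then stop
          # runchecks.sh
          if $programname == 'runchecks.sh' then /var/log/runchecks.sh.log
          if $programname == 'runchecks.sh' then stop
          # signal-cli.sh
          if $programname == 'signal-cli' then /var/log/signal-cli.log
          if $programname == 'signal-cli' then stop
          # systemd
          if $programname contains 'systemd' then /var/log/systemd.log
          if $programname contains 'systemd' then stop
          # kernel
          if $programname == 'kernel' then /var/log/kernel.log
          if $programname == 'kernel' then stop
          # docker
          if $programname contains 'docker' then /var/log/docker.log
          if $programname contains 'docker' then stop
          if $programname == 'containerd' then /var/log/docker.log
          if $programname == 'containerd' then stop
          # sudo
          if $programname == 'sudo' then /var/log/sudo.log
          if $programname == 'sudo' then stop
          # dnscrypt-proxy
          if $programname == 'dnscrypt-proxy' then /var/log/dnscrypt-proxy.log
          if $programname == 'dnscrypt-proxy' then stop
          # ansible
          if $programname contains 'ansible' then /var/log/ansible.log
          if $programname contains 'ansible' then stop
          # passwd
          if $programname contains 'passwd' then /var/log/passwd.log
          if $programname contains 'passwd' then stop
          # Rest in messages
          *.* /var/log/messages
        backup: true
      notify:
        - Restart rsyslog
      when: nocontainer.stat.exists

    - name: hd-idle for spinning down disks after XXX seconds idle
      ansible.builtin.blockinfile:
        path: /etc/default/hd-idle
        create: true
        mode: "0444"
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          HD_IDLE_OPTS="-i 300 -l /var/log/hd-idle.log"
        backup: true
      notify:
        - Restart hd-idle
      when: nocontainer.stat.exists

    - name: /etc/default/btrfsmaintenance
      ansible.builtin.blockinfile:
        path: /etc/default/btrfsmaintenance
        mode: "0444"
        owner: root
        group: root
        create: true
        insertbefore: EOF
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          BTRFS_LOG_OUTPUT="syslog"
          BTRFS_BALANCE_MOUNTPOINTS="auto"
          BTRFS_BALANCE_PERIOD="monthly"
          BTRFS_SCRUB_MOUNTPOINTS="auto"
          BTRFS_SCRUB_PERIOD="monthly"
        backup: true
      when: nocontainer.stat.exists

    - name: /etc/logrotate.conf (weekly->daily)
      ansible.builtin.lineinfile:
        path: /etc/logrotate.conf
        regexp: '^weekly$'
        line: 'daily'
        backup: true
      when: nocontainer.stat.exists

    - name: /etc/logrotate.d/apache2 (remove delaycompress)
      ansible.builtin.lineinfile:
        path: /etc/logrotate.d/apache2
        regexp: '.*delaycompress$'
        state: absent
      when: nocontainer.stat.exists

    - name: /etc/logrotate.d/00-local
      ansible.builtin.blockinfile:
        path: /etc/logrotate.d/00-local
        mode: "0444"
        owner: root
        group: root
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          /var/log/dmesgcron
          /var/log/messages
          /var/log/syslog
          /var/log/*.log
          {
            rotate 7
            daily
            missingok
            notifempty
            copytruncate
            compress
            postrotate
              /usr/lib/rsyslog/rsyslog-rotate
            endscript
          }
      when: nocontainer.stat.exists

    # Per-package rotation files that would clash with the catch-all 00-local rules above.
    - name: Remove logrotates
      ansible.builtin.file:
        path: "/etc/logrotate.d/{{ item }}"
        state: absent
      loop:
        - alternatives
        - dpkg
        - rsyslog
      when: nocontainer.stat.exists

    # NOTE(review): the first branch of the script re-runs itself through `eval` on
    # SSH_ORIGINAL_COMMAND (the forced-command path used by the `-h` remote-send option);
    # the sed chain only undoes printf %q escaping, so the matching authorized_keys entry
    # should carry `restrict` and only trusted senders should be allowed in - confirm.
    - name: /usr/local/bin/notify.sh
      ansible.builtin.blockinfile:
        path: /usr/local/bin/notify.sh
        mode: "0555"
        owner: root
        group: root
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          if [ -n "$SSH_ORIGINAL_COMMAND" ]
          then
            opts=$SSH_ORIGINAL_COMMAND
            unset SSH_ORIGINAL_COMMAND
            eval /usr/bin/bash $(printf '/usr/local/bin/notify.sh %q' "$opts" | sed 's#\\\\##g; s# \\ # #g; s# \\ # #g; s#\\ -# -#g')
            exit $?
          fi
          . /etc/bash/gaboshlib.include
          g_nice
          g_lockfile
          if [ -f /usr/local/etc/notify.conf ]
          then
            . /usr/local/etc/notify.conf
          else
            exit 1
          fi
          while getopts s:t:g:h:m: o
          do
            case $o in
              s) subj="$OPTARG";;
              t) to="$OPTARG";;
              g) togroup="$OPTARG";;
              h) tohost="$OPTARG";;
              m) tomail="$OPTARG"
            esac
          done
          [ -z "$to" ] && to="$default_to"
          [ -z "$togroup" ] && togroup="$default_togroup"
          message="$(cat)"
          orig_message="$message"
          [ "$message" = "''" ] && exit 0
          [ -z "$message" ] && exit 0
          # If message should be sent by another host
          if [ -n "$tohost" ]
          then
            [[ $@ =~ -g ]] || group="-g $togroup"
            [ -z "$togroup" ] && group="-g $(hostname)"
            echo "$message" | ssh -o BatchMode=yes -o StrictHostKeyChecking=accept-new -p33 $tohost " $(printf ' %q' "$@ $group")"
          fi

          # Subject to message
          if [ -n "$subj" ]
          then
            message=$(echo -e "$subj\n$message")
          fi
          ## MAIL
          if [ -n "$tomail" ]
          then
            echo "$message" | mail -s "notify.sh: $subj" $tomail
          fi

          ## MATRIX
          room=$(hostname)
          [ -n "$togroup" ] && room=$togroup
          room=${room// /}
          room=${room//\\/}
          if ps ax | grep -v grep | grep -q synapse.app.homeserver
          then
            if [ -p "/usr/local/share/matrix-room-$(hostname).fifo" ]
            then
              matrix_message=$(echo "<h3>${subj}</h3><pre>${orig_message}</pre>")
              matrix_target="/usr/local/share/matrix-room-$(hostname).fifo"
              [ -n "$togroup" ] && [ -p "/usr/local/share/matrix-room-${room}.fifo" ] && matrix_target="/usr/local/share/matrix-room-${room}.fifo"
              echo "$matrix_message" | perl -pe 's/\n/<br>/' | perl -pe 's/\<br\>$/\n/; s/^\<br\>//;' >"$matrix_target"
            else
              echo "default group (/usr/local/share/matrix-room-$(hostname).fifo) seems not to exist"
            fi
          fi

          ## SIGNAL
          if [ -f /home/signal/.local/share/signal-cli/data/accounts.json ]
          then
            account=$(cat /home/signal/.local/share/signal-cli/data/accounts.json | jq -r '.accounts[0].number' | sed 's/+/_/')
            if [ -z "$account" ]
            then
              echo "Didn't get Signal account"
              exit 1
            fi
            if [ -n "$togroup" ]
            then
              # Send to group via dbus
              # Get group ID via dbus according to: https://github.com/AsamK/signal-cli/issues/1046
              groupid=$(dbus-send --system --type=method_call --print-reply --dest='org.asamk.Signal' /org/asamk/Signal/${account} org.asamk.Signal.listGroups | grep "$togroup" -B3 | head -n2 | perl -pe 's/\n/ /g;' | perl -pe 's/ +/ /g; s/ $//; s/ /,0x/g; s/^,//')
              if [ -z "$groupid" ]
              then
                g_echo_error "Group(ID) $togroup not found (id=$groupid). Does Group really exist? -- Groups $(dbus-send --system --type=method_call --print-reply --dest='org.asamk.Signal' /org/asamk/Signal/${account} org.asamk.Signal.listGroups)"
                exit 1
              fi
              dbus-send --system --type=method_call --print-reply --dest="org.asamk.Signal" /org/asamk/Signal/${account} org.asamk.Signal.sendGroupMessage string:"$message" array:string: array:byte:${groupid} | egrep -v '^method return time=|^ int64 '
            fi
            if [ -n "$to" ]
            then
              # Sent to a single Number via dbus
              dbus-send --system --type=method_call --print-reply --dest="org.asamk.Signal" /org/asamk/Signal/${account} org.asamk.Signal.sendMessage string:"${message}" array:string: string:${to} | egrep -v '^method return time=|^ int64 '
            fi
          fi
        backup: true
        validate: /bin/bash -n %s

    # blockinfile writes the managed block first; the shebang is then placed at BOF
    # (lineinfile without regexp is idempotent on an exact-line match).
    - name: /usr/local/bin/notify.sh shebang
      ansible.builtin.lineinfile:
        path: /usr/local/bin/notify.sh
        insertbefore: BOF
        line: "#!/bin/bash"

  handlers:
    - name: Restart journald
      ansible.builtin.service:
        name: systemd-journald
        state: restarted

    - name: Restart rsyslog
      ansible.builtin.service:
        name: rsyslog
        state: restarted

    - name: Restart hd-idle
      ansible.builtin.service:
        name: hd-idle
        state: restarted

    - name: Restart ssh
      ansible.builtin.service:
        name: ssh
        state: restarted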