„basics.yml“ ändern

This commit is contained in:
olli 2023-05-01 18:52:49 +02:00
parent 7abdaa1207
commit 6347125ec2


@ -6,6 +6,11 @@
# ansible.builtin.debug:
# var: ansible_facts
- name: check if we are in an container env by existing systemd
stat:
path: /usr/bin/systemd
register: nocontainer
- name: Install Basic Packages
apt:
name:
@ -74,16 +79,73 @@
- ldmtool
update_cache: yes
install_recommends: no
when: nocontainer.stat.exists == true
- name: Install Basic Packages
apt:
name:
- bc
- psutils
- psmisc
- procps
- htop
- iotop
- sysstat
- strace
- net-tools
- vim
- git
- man-db
- netcat
- debconf-utils
- iputils-ping
- lsof
- inotify-tools
- rsync
- dos2unix
- locales
- iproute2
- cryptsetup
- curl
- moreutils
- ffmpeg
- mediainfo
- telnet
- libstring-approx-perl
- postfix
- zip
- nmap
- whois
- libfile-readbackwards-perl
- libcrypt-cbc-perl
- libcrypt-des-perl
- pwgen
- jq
- cifs-utils
- apt-transport-https
- golang
- make
- sshfs
- imagemagick
- libimage-exiftool-perl
- sqlite3
- html-xml-utils
- openssh-server
update_cache: yes
install_recommends: no
when: nocontainer.stat.exists == false
- name: add dhcpcd to startup
command: systemctl enable dhcpcd
args:
creates: /etc/systemd/system/multi-user.target.wants/dhcpcd.service
when: nocontainer.stat.exists == true
- name: No DHCPcd for internal interfaces
ansible.builtin.lineinfile:
path: /etc/dhcpcd.conf
line: denyinterfaces docker0 virbr0 tornet0 veth* br*
when: nocontainer.stat.exists == true
- name: Check weather /etc/network/interfaces exists
stat:
@ -114,11 +176,13 @@
- name: Set a hostname
ansible.builtin.hostname:
name: "{{inventory_hostname}}"
when: nocontainer.stat.exists == true
- name: Set timezone to Europe/Berlin
community.general.timezone:
name: Europe/Berlin
when: nocontainer.stat.exists == true
# - name: Create {{ ansible_facts['hostname'] }}adm User
# ansible.builtin.user:
# name: "{{ ansible_facts['hostname'] }}adm"
@ -133,11 +197,13 @@
state: present
user: "{{ ansible_facts['hostname'] }}adm"
commands: ALL
when: nocontainer.stat.exists == true
- name: Remove root-Password
user:
name: root
password: '*'
when: nocontainer.stat.exists == true
- name: German keyboard layout
ansible.builtin.lineinfile:
@ -146,6 +212,7 @@
line: 'XKBLAYOUT="de"'
backup: yes
notify: setupcon
when: nocontainer.stat.exists == true
- name: nodeadkeys
ansible.builtin.lineinfile:
@ -154,6 +221,7 @@
line: 'XKBVARIANT="nodeadkeys"'
backup: yes
notify: setupcon
when: nocontainer.stat.exists == true
- name: Prefer ipv4 over ipv6 to avoid problems and waiting times
ansible.builtin.lineinfile:
@ -166,15 +234,20 @@
community.general.locale_gen:
name: en_US.UTF-8
state: present
when: nocontainer.stat.exists == true
- name: Ensure en_GB.UTF-8 locale exists
community.general.locale_gen:
name: en_GB.UTF-8
state: present
when: nocontainer.stat.exists == true
- name: Ensure de_DE.UTF-8 locale exists
community.general.locale_gen:
name: de_DE.UTF-8
state: present
notify: localectl
when: nocontainer.stat.exists == true
- name: DigitalCourage encrypted DNS (DoT) via TLS systemd-resolved without censorship
blockinfile:
@ -190,6 +263,7 @@
DNS=5.9.164.112#dns3.digitalcourage.de 2a01:4f8:251:554::2#dns3.digitalcourage.de
DNSOverTLS=opportunistic
backup: yes
when: nocontainer.stat.exists == true
- name: SSHD hardening
blockinfile:
@ -224,6 +298,7 @@
validate: /usr/sbin/sshd -T -f %s
notify:
- Restart sshd
when: nocontainer.stat.exists == true
- name: Disable external sftp-Subsystem
replace:
@ -234,6 +309,7 @@
backup: yes
notify:
- Restart sshd
when: nocontainer.stat.exists == true
- name: Create .ssh dir
ansible.builtin.file:
@ -242,16 +318,19 @@
group: root
state: directory
mode: '0550'
when: nocontainer.stat.exists == true
- name: Generate an OpenSSH keypair ed25519
community.crypto.openssh_keypair:
path: /root/.ssh/id_ed25519
type: ed25519
when: nocontainer.stat.exists == true
- ansible.posix.sysctl:
name: vm.swappiness
value: '1'
state: present
when: nocontainer.stat.exists == true
- name: shell profile
blockinfile:
@ -348,6 +427,7 @@
backup: yes
notify:
- Restart journald
when: nocontainer.stat.exists == true
- name: /etc/rsyslog.d/00-services-remote.conf
blockinfile:
@ -385,7 +465,7 @@
if $hostname != '{{ ansible_facts['hostname'] }}' and $hostname != 'share' and $hostname != 'backup-chroot' then /var/log/GTC-Hosts.log
if $hostname != '{{ ansible_facts['hostname'] }}' and $hostname != 'share' and $hostname != 'backup-chroot' then stop
backup: yes
when: nocontainer.stat.exists == true
notify:
- Restart rsyslog
@ -577,6 +657,7 @@
backup: yes
notify:
- Restart rsyslog
when: nocontainer.stat.exists == true
- name: hd-idle for spinning down disks after XXX seconds idle
blockinfile:
@ -591,6 +672,7 @@
backup: yes
notify:
- Restart hd-idle
when: nocontainer.stat.exists == true
- name: /etc/default/btrfsmaintenance
blockinfile:
@ -608,6 +690,7 @@
BTRFS_SCRUB_MOUNTPOINTS="auto"
BTRFS_SCRUB_PERIOD="monthly"
backup: yes
when: nocontainer.stat.exists == true
- name: /etc/logrotate.conf (weekly->daily)
ansible.builtin.lineinfile:
@ -615,12 +698,14 @@
regexp: '^weekly$'
line: 'daily'
backup: yes
when: nocontainer.stat.exists == true
- name: /etc/logrotate.d/apache2 (remove delaycompress)
ansible.builtin.lineinfile:
path: /etc/logrotate.d/apache2
regexp: '.*delaycompress$'
state: absent
when: nocontainer.stat.exists == true
- name: /etc/logrotate.d/00-local
blockinfile:
@ -646,22 +731,25 @@
/usr/lib/rsyslog/rsyslog-rotate
endscript
}
when: nocontainer.stat.exists == true
- name: Remove logrotates
ansible.builtin.file:
path: /etc/logrotate.d/alternatives
state: absent
when: nocontainer.stat.exists == true
- name: Remove logrotates
ansible.builtin.file:
path: /etc/logrotate.d/dpkg
state: absent
when: nocontainer.stat.exists == true
- name: Remove logrotates
ansible.builtin.file:
path: /etc/logrotate.d/rsyslog
state: absent
when: nocontainer.stat.exists == true
handlers:
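Review bot: The container check added in the first hunk (`stat: path: /usr/bin/systemd`, registered as `nocontainer`) is a fragile proxy, and every hardening task gated on it below — SSHD hardening, root password removal, the `.ssh` directory mode, the sysctl — is silently skipped when the heuristic misfires, since an image can ship the systemd binary without running it as init and a host can lack that exact path. Gating on gathered facts is more robust, e.g. `when: ansible_facts['virtualization_type'] not in ['docker', 'lxc', 'podman']` (the exact value set depends on the Ansible version), or at minimum an `ansible.builtin.assert` on the detected mode so a skipped hardening run is visible in the play output rather than inferred from skip counts. The repeated `when: nocontainer.stat.exists == true` / `== false` compares a boolean to a literal (ansible-lint `literal-compare`); `when: nocontainer.stat.exists` and `when: not nocontainer.stat.exists` read the same and avoid the redundant Jinja comparison. The second apt task in the second hunk reuses the name `Install Basic Packages`, which makes `--start-at-task` and log output ambiguous; a distinct name such as `Install Basic Packages (container)` resolves that, and `update_cache: true` / `install_recommends: false` would match the lowercase booleans used elsewhere.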