From 6347125ec2a33a263aa2a9af0d0b2e0d46794f94 Mon Sep 17 00:00:00 2001
From: olli
Date: Mon, 1 May 2023 18:52:49 +0200
Subject: [PATCH] =?UTF-8?q?=E2=80=9Ebasics.yml=E2=80=9C=20=C3=A4ndern?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
basics.yml | 94 ++++++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 91 insertions(+), 3 deletions(-)
diff --git a/basics.yml b/basics.yml
index 77b661a..5a861ac 100644
--- a/basics.yml
+++ b/basics.yml
@@ -6,6 +6,11 @@ # ansible.builtin.debug: # var: ansible_facts + - name: check if we are in an container env by existing systemd + stat: + path: /usr/bin/systemd + register: nocontainer + - name: Install Basic Packages apt: name: 
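Review bot: The container check added here fails open: the new `stat` task tests `/usr/bin/systemd`, which as far as I know exists only on merged-/usr installs (Debian ships the binary as `/lib/systemd/systemd`, with `/bin/systemd` as the historical symlink), so a non-merged host or VM reports `exists: false` and every hardening task that this patch gates on `nocontainer.stat.exists == true` — sshd hardening, the root password lock, journald/rsyslog/logrotate config — is skipped without any error. The converse also misfires: an image that merely has the systemd package installed but does not run it as PID 1 would be treated as a full host. Ansible already gathers what this heuristic approximates, so `when: ansible_facts['virtualization_type'] not in ['docker', 'podman', 'lxc', 'containerd']` or `when: ansible_facts['service_mgr'] == 'systemd'` is a more reliable guard than a file path. Consider computing it once, e.g. `set_fact: is_container: "{{ ansible_facts['virtualization_type'] in ['docker', 'podman', 'lxc', 'containerd'] }}"`, so the forty-odd `when:` clauses refer to a named boolean rather than a stat result, and document in a comment why the default-on-miss direction (skip hardening) was chosen if it is deliberate.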
@@ -74,16 +79,73 @@ - ldmtool update_cache: yes install_recommends: no + when: nocontainer.stat.exists == true + + - name: Install Basic Packages + apt: + name: + - bc + - psutils + - psmisc + - procps + - htop + - iotop + - sysstat + - strace + - net-tools + - vim + - git + - man-db + - netcat + - debconf-utils + - iputils-ping + - lsof + - inotify-tools + - rsync + - dos2unix + - locales + - iproute2 + - cryptsetup + - curl + - moreutils + - ffmpeg + - mediainfo + - telnet + - libstring-approx-perl + - postfix + - zip + - nmap + - whois + - libfile-readbackwards-perl + - libcrypt-cbc-perl + - libcrypt-des-perl + - pwgen + - jq + - cifs-utils + - apt-transport-https + - golang + - make + - sshfs + - imagemagick + - libimage-exiftool-perl + - sqlite3 + - html-xml-utils + - openssh-server + update_cache: yes + install_recommends: no + when: nocontainer.stat.exists == false - name: add dhcpcd to startup command: systemctl enable dhcpcd args: creates: /etc/systemd/system/multi-user.target.wants/dhcpcd.service + when: nocontainer.stat.exists == true - name: No DHCPcd for internal interfaces ansible.builtin.lineinfile: path: /etc/dhcpcd.conf line: denyinterfaces docker0 virbr0 tornet0 veth* br* + when: nocontainer.stat.exists == true - name: Check weather /etc/network/interfaces exists stat: @@ -114,11 +176,13 @@ - name: Set a hostname ansible.builtin.hostname: name: "{{inventory_hostname}}" + when: nocontainer.stat.exists == true - name: Set timezone to Europe/Berlin community.general.timezone: name: Europe/Berlin - + when: nocontainer.stat.exists == true + # - name: Create {{ ansible_facts['hostname'] }}adm User # ansible.builtin.user: # name: "{{ ansible_facts['hostname'] }}adm" @@ -133,11 +197,13 @@ state: present user: "{{ ansible_facts['hostname'] }}adm" commands: ALL + when: nocontainer.stat.exists == true - name: Remove root-Password user: name: root password: '*' + when: nocontainer.stat.exists == true - name: German keyboard layout ansible.builtin.lineinfile: 
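Review bot: The container-only package list (the second `Install Basic Packages` task, `when: nocontainer.stat.exists == false`) installs `openssh-server`, yet every sshd-related task in this patch (`SSHD hardening`, `Disable external sftp-Subsystem`, `Remove root-Password`) is gated to `nocontainer.stat.exists == true`, so a container ends up running sshd with the distribution default `sshd_config` and whatever root credential the image shipped with. Either drop `openssh-server` from the container list or remove the `when:` from the sshd tasks so the hardening follows the package. The same list also pulls `nmap`, `netcat`, `telnet` and `golang` into containers, which hands an attacker who lands in one a ready-made recon and build toolkit; if they are only needed for debugging, keep them host-side or in a separate dev play. As a style point, two tasks now share the name `Install Basic Packages`, which makes `--start-at-task` and log output ambiguous — rename the second to e.g. `Install Basic Packages (container)` and write its guard as `when: not nocontainer.stat.exists`.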
@@ -146,6 +212,7 @@ line: 'XKBLAYOUT="de"' backup: yes notify: setupcon + when: nocontainer.stat.exists == true - name: nodeadkeys ansible.builtin.lineinfile: @@ -154,6 +221,7 @@ line: 'XKBVARIANT="nodeadkeys"' backup: yes notify: setupcon + when: nocontainer.stat.exists == true - name: Prefer ipv4 over ipv6 to avoid problems and waiting times ansible.builtin.lineinfile: @@ -166,15 +234,20 @@ community.general.locale_gen: name: en_US.UTF-8 state: present + when: nocontainer.stat.exists == true + - name: Ensure en_GB.UTF-8 locale exists community.general.locale_gen: name: en_GB.UTF-8 state: present + when: nocontainer.stat.exists == true + - name: Ensure de_DE.UTF-8 locale exists community.general.locale_gen: name: de_DE.UTF-8 state: present notify: localectl + when: nocontainer.stat.exists == true - name: DigitalCourage encrypted DNS (DoT) via TLS systemd-resolved without censorship blockinfile: @@ -190,6 +263,7 @@ DNS=5.9.164.112#dns3.digitalcourage.de 2a01:4f8:251:554::2#dns3.digitalcourage.de DNSOverTLS=opportunistic backup: yes + when: nocontainer.stat.exists == true - name: SSHD hardening blockinfile: @@ -224,6 +298,7 @@ validate: /usr/sbin/sshd -T -f %s notify: - Restart sshd + when: nocontainer.stat.exists == true - name: Disable external sftp-Subsystem replace: @@ -234,6 +309,7 @@ backup: yes notify: - Restart sshd + when: nocontainer.stat.exists == true - name: Create .ssh dir ansible.builtin.file: @@ -242,16 +318,19 @@ group: root state: directory mode: '0550' + when: nocontainer.stat.exists == true - name: Generate an OpenSSH keypair ed25519 community.crypto.openssh_keypair: path: /root/.ssh/id_ed25519 type: ed25519 + when: nocontainer.stat.exists == true - ansible.posix.sysctl: name: vm.swappiness value: '1' state: present + when: nocontainer.stat.exists == true - name: shell profile blockinfile: @@ -348,6 +427,7 @@ backup: yes notify: - Restart journald + when: nocontainer.stat.exists == true - name: /etc/rsyslog.d/00-services-remote.conf blockinfile: 
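Review bot: The `DNSOverTLS=opportunistic` setting in the resolved block that this hunk now gates to non-containers does not deliver what the task name (`encrypted DNS (DoT) ... without censorship`) promises: in opportunistic mode systemd-resolved silently falls back to plaintext DNS when the TLS handshake fails and, if I recall the resolved.conf semantics correctly, does not fail on certificate validation against the `#dns3.digitalcourage.de` names, so an on-path attacker can downgrade it. If the goal is encrypted and authenticated DNS, set `DNSOverTLS=yes` (strict), which fails closed instead; add `# strict: no plaintext fallback` above it so nobody relaxes it later. Containers are now excluded from this task and will use whatever resolver the runtime injects, which is probably intended but deserves a one-line comment on the new `when:`. The `DigitalCourage encrypted DNS` task itself begins above this hunk.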
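Review bot: The new `when:` on `SSHD hardening` makes the hardened `sshd_config` block conditional on the `/usr/bin/systemd` stat rather than on sshd being present, so on any host where that heuristic misfires the config stays at defaults with no error reported — and the `validate: /usr/sbin/sshd -T -f %s` safety net never runs either. A guard that follows the real dependency is safer: register `stat: path: /etc/ssh/sshd_config` as `sshd_cfg` and use `when: sshd_cfg.stat.exists` here and on `Disable external sftp-Subsystem`; since `blockinfile` fails on a missing file this also covers hosts that genuinely have no sshd, which is presumably what the gate was meant to handle. The `SSHD hardening` task itself starts above this hunk and the `Disable external sftp-Subsystem` task continues below it.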
@@ -385,7 +465,7 @@ if $hostname != '{{ ansible_facts['hostname'] }}' and $hostname != 'share' and $hostname != 'backup-chroot' then /var/log/GTC-Hosts.log if $hostname != '{{ ansible_facts['hostname'] }}' and $hostname != 'share' and $hostname != 'backup-chroot' then stop backup: yes - + when: nocontainer.stat.exists == true notify: - Restart rsyslog @@ -577,6 +657,7 @@ backup: yes notify: - Restart rsyslog + when: nocontainer.stat.exists == true - name: hd-idle for spinning down disks after XXX seconds idle blockinfile: @@ -591,6 +672,7 @@ backup: yes notify: - Restart hd-idle + when: nocontainer.stat.exists == true - name: /etc/default/btrfsmaintenance blockinfile: @@ -608,6 +690,7 @@ BTRFS_SCRUB_MOUNTPOINTS="auto" BTRFS_SCRUB_PERIOD="monthly" backup: yes + when: nocontainer.stat.exists == true - name: /etc/logrotate.conf (weekly->daily) ansible.builtin.lineinfile: @@ -615,12 +698,14 @@ regexp: '^weekly$' line: 'daily' backup: yes + when: nocontainer.stat.exists == true - name: /etc/logrotate.d/apache2 (remove delaycompress) ansible.builtin.lineinfile: path: /etc/logrotate.d/apache2 regexp: '.*delaycompress$' state: absent + when: nocontainer.stat.exists == true - name: /etc/logrotate.d/00-local blockinfile: @@ -646,22 +731,25 @@ /usr/lib/rsyslog/rsyslog-rotate endscript } + when: nocontainer.stat.exists == true - name: Remove logrotates ansible.builtin.file: path: /etc/logrotate.d/alternatives state: absent + when: nocontainer.stat.exists == true - name: Remove logrotates ansible.builtin.file: path: /etc/logrotate.d/dpkg state: absent + when: nocontainer.stat.exists == true - name: Remove logrotates ansible.builtin.file: path: /etc/logrotate.d/rsyslog state: absent - + when: nocontainer.stat.exists == true handlers:
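Review bot: The three `Remove logrotates` tasks this hunk gates share one name and differ only in `path`, and each now carries a `when: nocontainer.stat.exists == true` that ansible-lint flags as `literal-compare`; a single looped task is shorter, gives a unique name, and leaves one guard to maintain. Deleting `/etc/logrotate.d/rsyslog` is only safe because `/etc/logrotate.d/00-local` (written earlier in this hunk under the same `when:`) takes over rotation of those logs; a comment on the task saying so would make that coupling explicit, since anyone removing one task without the other ends up with unrotated syslog files. The rewritten task would be:

```yaml
- name: Remove distro logrotate fragments superseded by 00-local
  # 00-local (above) rotates these logs; keep both tasks under the same guard
  ansible.builtin.file:
    path: "/etc/logrotate.d/{{ item }}"
    state: absent
  loop:
    - alternatives
    - dpkg
    - rsyslog
  when: nocontainer.stat.exists
```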