olli/debian.ansible.basics
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

„basics.yml“ ändern

Browse Source
This commit is contained in:
olli 2023-05-01 18:52:49 +02:00
parent 7abdaa1207
commit 6347125ec2
1 changed files with 91 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

92
basics.yml
View File

@ -6,6 +6,11 @@
# ansible.builtin.debug: # ansible.builtin.debug:
# var: ansible_facts # var: ansible_facts
- name: check if we are in an container env by existing systemd
stat:
path: /usr/bin/systemd
register: nocontainer
- name: Install Basic Packages - name: Install Basic Packages
apt: apt:
name: name:
@ -74,16 +79,73 @@
- ldmtool - ldmtool
update_cache: yes update_cache: yes
install_recommends: no install_recommends: no
when: nocontainer.stat.exists == true
- name: Install Basic Packages
apt:
name:
- bc
- psutils
- psmisc
- procps
- htop
- iotop
- sysstat
- strace
- net-tools
- vim
- git
- man-db
- netcat
- debconf-utils
- iputils-ping
- lsof
- inotify-tools
- rsync
- dos2unix
- locales
- iproute2
- cryptsetup
- curl
- moreutils
- ffmpeg
- mediainfo
- telnet
- libstring-approx-perl
- postfix
- zip
- nmap
- whois
- libfile-readbackwards-perl
- libcrypt-cbc-perl
- libcrypt-des-perl
- pwgen
- jq
- cifs-utils
- apt-transport-https
- golang
- make
- sshfs
- imagemagick
- libimage-exiftool-perl
- sqlite3
- html-xml-utils
- openssh-server
update_cache: yes
install_recommends: no
when: nocontainer.stat.exists == false
- name: add dhcpcd to startup - name: add dhcpcd to startup
command: systemctl enable dhcpcd command: systemctl enable dhcpcd
args: args:
creates: /etc/systemd/system/multi-user.target.wants/dhcpcd.service creates: /etc/systemd/system/multi-user.target.wants/dhcpcd.service
when: nocontainer.stat.exists == true
- name: No DHCPcd for internal interfaces - name: No DHCPcd for internal interfaces
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/dhcpcd.conf path: /etc/dhcpcd.conf
line: denyinterfaces docker0 virbr0 tornet0 veth* br* line: denyinterfaces docker0 virbr0 tornet0 veth* br*
when: nocontainer.stat.exists == true
- name: Check weather /etc/network/interfaces exists - name: Check weather /etc/network/interfaces exists
stat: stat:
@ -114,10 +176,12 @@
- name: Set a hostname - name: Set a hostname
ansible.builtin.hostname: ansible.builtin.hostname:
name: "{{inventory_hostname}}" name: "{{inventory_hostname}}"
when: nocontainer.stat.exists == true
- name: Set timezone to Europe/Berlin - name: Set timezone to Europe/Berlin
community.general.timezone: community.general.timezone:
name: Europe/Berlin name: Europe/Berlin
when: nocontainer.stat.exists == true
# - name: Create {{ ansible_facts['hostname'] }}adm User # - name: Create {{ ansible_facts['hostname'] }}adm User
# ansible.builtin.user: # ansible.builtin.user:
@ -133,11 +197,13 @@
state: present state: present
user: "{{ ansible_facts['hostname'] }}adm" user: "{{ ansible_facts['hostname'] }}adm"
commands: ALL commands: ALL
when: nocontainer.stat.exists == true
- name: Remove root-Password - name: Remove root-Password
user: user:
name: root name: root
password: '*' password: '*'
when: nocontainer.stat.exists == true
- name: German keyboard layout - name: German keyboard layout
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
@ -146,6 +212,7 @@
line: 'XKBLAYOUT="de"' line: 'XKBLAYOUT="de"'
backup: yes backup: yes
notify: setupcon notify: setupcon
when: nocontainer.stat.exists == true
- name: nodeadkeys - name: nodeadkeys
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
@ -154,6 +221,7 @@
line: 'XKBVARIANT="nodeadkeys"' line: 'XKBVARIANT="nodeadkeys"'
backup: yes backup: yes
notify: setupcon notify: setupcon
when: nocontainer.stat.exists == true
- name: Prefer ipv4 over ipv6 to avoid problems and waiting times - name: Prefer ipv4 over ipv6 to avoid problems and waiting times
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
@ -166,15 +234,20 @@
community.general.locale_gen: community.general.locale_gen:
name: en_US.UTF-8 name: en_US.UTF-8
state: present state: present
when: nocontainer.stat.exists == true
- name: Ensure en_GB.UTF-8 locale exists - name: Ensure en_GB.UTF-8 locale exists
community.general.locale_gen: community.general.locale_gen:
name: en_GB.UTF-8 name: en_GB.UTF-8
state: present state: present
when: nocontainer.stat.exists == true
- name: Ensure de_DE.UTF-8 locale exists - name: Ensure de_DE.UTF-8 locale exists
community.general.locale_gen: community.general.locale_gen:
name: de_DE.UTF-8 name: de_DE.UTF-8
state: present state: present
notify: localectl notify: localectl
when: nocontainer.stat.exists == true
- name: DigitalCourage encrypted DNS (DoT) via TLS systemd-resolved without censorship - name: DigitalCourage encrypted DNS (DoT) via TLS systemd-resolved without censorship
blockinfile: blockinfile:
@ -190,6 +263,7 @@
DNS=5.9.164.112#dns3.digitalcourage.de 2a01:4f8:251:554::2#dns3.digitalcourage.de DNS=5.9.164.112#dns3.digitalcourage.de 2a01:4f8:251:554::2#dns3.digitalcourage.de
DNSOverTLS=opportunistic DNSOverTLS=opportunistic
backup: yes backup: yes
when: nocontainer.stat.exists == true
- name: SSHD hardening - name: SSHD hardening
blockinfile: blockinfile:
@ -224,6 +298,7 @@
validate: /usr/sbin/sshd -T -f %s validate: /usr/sbin/sshd -T -f %s
notify: notify:
- Restart sshd - Restart sshd
when: nocontainer.stat.exists == true
- name: Disable external sftp-Subsystem - name: Disable external sftp-Subsystem
replace: replace:
@ -234,6 +309,7 @@
backup: yes backup: yes
notify: notify:
- Restart sshd - Restart sshd
when: nocontainer.stat.exists == true
- name: Create .ssh dir - name: Create .ssh dir
ansible.builtin.file: ansible.builtin.file:
@ -242,16 +318,19 @@
group: root group: root
state: directory state: directory
mode: '0550' mode: '0550'
when: nocontainer.stat.exists == true
- name: Generate an OpenSSH keypair ed25519 - name: Generate an OpenSSH keypair ed25519
community.crypto.openssh_keypair: community.crypto.openssh_keypair:
path: /root/.ssh/id_ed25519 path: /root/.ssh/id_ed25519
type: ed25519 type: ed25519
when: nocontainer.stat.exists == true
- ansible.posix.sysctl: - ansible.posix.sysctl:
name: vm.swappiness name: vm.swappiness
value: '1' value: '1'
state: present state: present
when: nocontainer.stat.exists == true
- name: shell profile - name: shell profile
blockinfile: blockinfile:
@ -348,6 +427,7 @@
backup: yes backup: yes
notify: notify:
- Restart journald - Restart journald
when: nocontainer.stat.exists == true
- name: /etc/rsyslog.d/00-services-remote.conf - name: /etc/rsyslog.d/00-services-remote.conf
blockinfile: blockinfile:
@ -385,7 +465,7 @@
if $hostname != '{{ ansible_facts['hostname'] }}' and $hostname != 'share' and $hostname != 'backup-chroot' then /var/log/GTC-Hosts.log if $hostname != '{{ ansible_facts['hostname'] }}' and $hostname != 'share' and $hostname != 'backup-chroot' then /var/log/GTC-Hosts.log
if $hostname != '{{ ansible_facts['hostname'] }}' and $hostname != 'share' and $hostname != 'backup-chroot' then stop if $hostname != '{{ ansible_facts['hostname'] }}' and $hostname != 'share' and $hostname != 'backup-chroot' then stop
backup: yes backup: yes
when: nocontainer.stat.exists == true
notify: notify:
- Restart rsyslog - Restart rsyslog
@ -577,6 +657,7 @@
backup: yes backup: yes
notify: notify:
- Restart rsyslog - Restart rsyslog
when: nocontainer.stat.exists == true
- name: hd-idle for spinning down disks after XXX seconds idle - name: hd-idle for spinning down disks after XXX seconds idle
blockinfile: blockinfile:
@ -591,6 +672,7 @@
backup: yes backup: yes
notify: notify:
- Restart hd-idle - Restart hd-idle
when: nocontainer.stat.exists == true
- name: /etc/default/btrfsmaintenance - name: /etc/default/btrfsmaintenance
blockinfile: blockinfile:
@ -608,6 +690,7 @@
BTRFS_SCRUB_MOUNTPOINTS="auto" BTRFS_SCRUB_MOUNTPOINTS="auto"
BTRFS_SCRUB_PERIOD="monthly" BTRFS_SCRUB_PERIOD="monthly"
backup: yes backup: yes
when: nocontainer.stat.exists == true
- name: /etc/logrotate.conf (weekly->daily) - name: /etc/logrotate.conf (weekly->daily)
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
@ -615,12 +698,14 @@
regexp: '^weekly$' regexp: '^weekly$'
line: 'daily' line: 'daily'
backup: yes backup: yes
when: nocontainer.stat.exists == true
- name: /etc/logrotate.d/apache2 (remove delaycompress) - name: /etc/logrotate.d/apache2 (remove delaycompress)
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/logrotate.d/apache2 path: /etc/logrotate.d/apache2
regexp: '.*delaycompress$' regexp: '.*delaycompress$'
state: absent state: absent
when: nocontainer.stat.exists == true
- name: /etc/logrotate.d/00-local - name: /etc/logrotate.d/00-local
blockinfile: blockinfile:
@ -646,22 +731,25 @@
/usr/lib/rsyslog/rsyslog-rotate /usr/lib/rsyslog/rsyslog-rotate
endscript endscript
} }
when: nocontainer.stat.exists == true
- name: Remove logrotates - name: Remove logrotates
ansible.builtin.file: ansible.builtin.file:
path: /etc/logrotate.d/alternatives path: /etc/logrotate.d/alternatives
state: absent state: absent
when: nocontainer.stat.exists == true
- name: Remove logrotates - name: Remove logrotates
ansible.builtin.file: ansible.builtin.file:
path: /etc/logrotate.d/dpkg path: /etc/logrotate.d/dpkg
state: absent state: absent
when: nocontainer.stat.exists == true
- name: Remove logrotates - name: Remove logrotates
ansible.builtin.file: ansible.builtin.file:
path: /etc/logrotate.d/rsyslog path: /etc/logrotate.d/rsyslog
state: absent state: absent
when: nocontainer.stat.exists == true
handlers: handlers: