From 7cf59050d69740fb394213b340a82f6e7e77532b Mon Sep 17 00:00:00 2001
From: olli
Date: Fri, 28 Apr 2023 15:36:39 +0200
Subject: [PATCH] =?UTF-8?q?=E2=80=9Ebasics-container.yml=E2=80=9C=20hinzuf?=
 =?UTF-8?q?=C3=BCgen?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 basics-container.yml | 219 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 219 insertions(+)
 create mode 100644 basics-container.yml
diff --git a/basics-container.yml b/basics-container.yml
new file mode 100644
index 0000000..cdff1f5
--- /dev/null
+++ b/basics-container.yml
@@ -0,0 +1,219 @@ +--- +- name: Basic Debian Linux Setup for Containers + hosts: all + tasks: + #- name: Print all available facts + # ansible.builtin.debug: + # var: ansible_facts + + - name: Install Basic Packages + apt: + name: + - bc + - psutils + - psmisc + - procps + - htop + - iotop + - sysstat + - strace + - net-tools + - vim + - git + - man-db + - netcat + - debconf-utils + - iputils-ping + - lsof + - inotify-tools + - rsync + - dos2unix + - locales + - iproute2 + - cryptsetup + - curl + - moreutils + - ffmpeg + - mediainfo + - telnet + - libstring-approx-perl + - postfix + - zip + - nmap + - whois + - libfile-readbackwards-perl + - libcrypt-cbc-perl + - libcrypt-des-perl + - pwgen + - certbot + - jq + - cifs-utils + - apt-transport-https + - golang + - make + - sshfs + - imagemagick + - libimage-exiftool-perl + - sqlite3 + - html-xml-utils + - ldmtool + - openssh-server + update_cache: yes + install_recommends: no + + - name: Set a hostname + ansible.builtin.hostname: + name: "{{inventory_hostname}}" + + - name: Remove root-Password + user: + name: root + password: '*' + + - name: Prefer ipv4 over ipv6 to avoid problems and waiting times + ansible.builtin.lineinfile: + path: /etc/gai.conf + regexp: '^#precedence ::ffff:0:0/96 100' + line: "precedence ::ffff:0:0/96 100 # CHANGED BY ANSIBLE" + backup: yes + + - name: Ensure en_US.UTF-8 locale exists + community.general.locale_gen: + name: en_US.UTF-8 + state: present + - name: Ensure en_GB.UTF-8 locale exists + community.general.locale_gen: + name: en_GB.UTF-8 + state: present + - name: Ensure de_DE.UTF-8 locale exists + community.general.locale_gen: + name: de_DE.UTF-8 + state: present + notify: localectl + + - name: SSHD hardening + blockinfile: + path: /etc/ssh/sshd_config.d/hardening.conf + mode: "0444" + owner: root + group: root + create: yes + insertbefore: BOF # Beginning of the file + marker: "# {mark} ANSIBLE MANAGED BLOCK" + block: | + Port 22 + Port 33 + PermitRootLogin prohibit-password + 
PermitUserRC no + PermitUserEnvironment no + PubkeyAuthentication yes + X11Forwarding no + AllowAgentForwarding no + AllowTcpForwarding yes + Subsystem sftp internal-sftp -f AUTH -l INFO -u 0007 + ## Ciphers Check https://sshcheck.com/server/{{inventory_hostname}}/ + # nmap -p22 -n -sV --script ssh2-enum-algos localhost + KexAlgorithms curve25519-sha256@libssh.org + HostKeyAlgorithms ssh-ed25519 + Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com + MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com + IgnoreRhosts yes + LogLevel VERBOSE + AddressFamily any + backup: yes + validate: /usr/sbin/sshd -T -f %s + + - name: Disable external sftp-Subsystem + replace: + path: /etc/ssh/sshd_config + regexp: '(^Subsystem.*sftp.*)' + replace: '#\1' + validate: /usr/sbin/sshd -T -f %s + backup: yes + + - name: Create .ssh dir + ansible.builtin.file: + path: /root/.ssh + owner: root + group: root + state: directory + mode: '0550' + + - name: Generate an OpenSSH keypair ed25519 + community.crypto.openssh_keypair: + path: /root/.ssh/id_ed25519 + type: ed25519 + + - name: shell profile + blockinfile: + path: /etc/profile.d/settings-from-ansible.sh + create: yes + mode: "0444" + owner: root + group: root + marker: "# {mark} ANSIBLE MANAGED BLOCK" + block: | + if ${use_color} ; then + if [[ ${EUID} == 0 ]] ; then + PS1='\[\033[01;31m\]\h\[\033[01;34m\] \w \$\[\033[00m\] ' + else + PS1='\[\033[01;32m\]\u@\h\[\033[01;34m\] \w \$\[\033[00m\] ' + fi + export EDITOR="/usr/bin/vim" + export HISTSIZE= + export HISTFILESIZE= + export HISTTIMEFORMAT="[%F %T] " + if [ -f /etc/debian_version ] + then + export DEBIAN_FRONTEND='noninteractive' + export LANG="en_US.UTF-8" + alias ls='ls --color=auto' + alias grep='grep --colour=auto' + alias egrep='egrep --colour=auto' + alias fgrep='fgrep --colour=auto' + fi + else + # show root@ when we don't have colors + PS1+='\u@\h \w \$' + fi + # execute for linuxmint + if [ -d 
/etc/linuxmint ] + then + grep -q /etc/profile.d/settings-from-ansible.sh ~/.bashrc || echo '. /etc/profile.d/settings-from-ansible.sh' >> ~/.bashrc + export LANG="de_DE.UTF-8" + #for rc in ~/.bashrc /etc/skel/.bashrc + #do + # grep -q /etc/profile.d/settings-from-ansible.sh $rc || echo '. /etc/profile.d/settings-from-ansible.sh' >> $rc + #done + fi + backup: yes + validate: /bin/bash -n %s + + - name: vim settings + blockinfile: + path: /etc/vim/vimrc.local + mode: "0444" + owner: root + group: root + create: yes + marker: "\" {mark} ANSIBLE MANAGED BLOCK" + block: | + :syntax on + let g:skip_defaults_vim = 1 + set encoding=utf-8 + set tabstop=2 softtabstop=0 expandtab shiftwidth=2 smarttab + syntax match nonascii "[^[:alnum:][:punct:][:space:]]/" + highlight nonascii guibg=Red ctermbg=2 + backup: yes + + - name: gaboshlib from git + ansible.builtin.git: + repo: 'https://gitea.ds9.dedyn.io/olli/gaboshlib.git' + dest: /etc/bash + force: yes + + handlers: + + - name: localectl + ansible.builtin.shell: localectl set-locale LANG=de_DE.UTF-8 +
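Review bot: The `gaboshlib from git` task clones the remote's default-branch HEAD into `/etc/bash` with `force: yes` and no `version:`, so every play run silently pulls whatever currently sits on that branch onto every container; pin it with `version: "<PINNED_TAG_OR_COMMIT>"` so the code that lands under `/etc` is a reviewable, reproducible revision. The two sshd tasks (`SSHD hardening` and `Disable external sftp-Subsystem`) change the configuration but notify no handler, so a running sshd keeps its old settings until something else restarts it; adding `notify: restart sshd` to both and a matching `ansible.builtin.service` handler next to `localectl` closes that gap. The drop-in in `/etc/ssh/sshd_config.d/hardening.conf` only takes effect when the base `/etc/ssh/sshd_config` carries the `Include /etc/ssh/sshd_config.d/*.conf` line (recent Debian does, older releases do not), and nothing in the play checks for it, so on an old image the hardening would silently not apply. As a style point, the `yes`/`no` booleans (`update_cache`, `install_recommends`, `backup`, `create`, `force`) should be written `true`/`false` per yamllint `truthy`, and the baseline package list (nmap, netcat, telnet, strace, golang, make on every container) is worth trimming to what the containers actually need, since a minimal image is part of the hardening.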