olli/debian.ansible.basics
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

„basics-container.yml“ hinzufügen

Browse Source
This commit is contained in:
olli 2023-04-28 15:36:39 +02:00
parent 866e62600d
commit 7cf59050d6
1 changed files with 219 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

219
basics-container.yml Normal file
View File

@ -0,0 +1,219 @@
---
- name: Basic Debian Linux Setup for Containers
hosts: all
tasks:
#- name: Print all available facts
# ansible.builtin.debug:
# var: ansible_facts
- name: Install Basic Packages
apt:
name:
- bc
- psutils
- psmisc
- procps
- htop
- iotop
- sysstat
- strace
- net-tools
- vim
- git
- man-db
- netcat
- debconf-utils
- iputils-ping
- lsof
- inotify-tools
- rsync
- dos2unix
- locales
- iproute2
- cryptsetup
- curl
- moreutils
- ffmpeg
- mediainfo
- telnet
- libstring-approx-perl
- postfix
- zip
- nmap
- whois
- libfile-readbackwards-perl
- libcrypt-cbc-perl
- libcrypt-des-perl
- pwgen
- certbot
- jq
- cifs-utils
- apt-transport-https
- golang
- make
- sshfs
- imagemagick
- libimage-exiftool-perl
- sqlite3
- html-xml-utils
- ldmtool
- openssh-server
update_cache: yes
install_recommends: no
- name: Set a hostname
ansible.builtin.hostname:
name: "{{inventory_hostname}}"
- name: Remove root-Password
user:
name: root
password: '*'
- name: Prefer ipv4 over ipv6 to avoid problems and waiting times
ansible.builtin.lineinfile:
path: /etc/gai.conf
regexp: '^#precedence ::ffff:0:0/96 100'
line: "precedence ::ffff:0:0/96 100 # CHANGED BY ANSIBLE"
backup: yes
- name: Ensure en_US.UTF-8 locale exists
community.general.locale_gen:
name: en_US.UTF-8
state: present
- name: Ensure en_GB.UTF-8 locale exists
community.general.locale_gen:
name: en_GB.UTF-8
state: present
- name: Ensure de_DE.UTF-8 locale exists
community.general.locale_gen:
name: de_DE.UTF-8
state: present
notify: localectl
- name: SSHD hardening
blockinfile:
path: /etc/ssh/sshd_config.d/hardening.conf
mode: "0444"
owner: root
group: root
create: yes
insertbefore: BOF # Beginning of the file
marker: "# {mark} ANSIBLE MANAGED BLOCK"
block: |
Port 22
Port 33
PermitRootLogin prohibit-password
PermitUserRC no
PermitUserEnvironment no
PubkeyAuthentication yes
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding yes
Subsystem sftp internal-sftp -f AUTH -l INFO -u 0007
## Ciphers Check https://sshcheck.com/server/{{inventory_hostname}}/
# nmap -p22 -n -sV --script ssh2-enum-algos localhost
KexAlgorithms curve25519-sha256@libssh.org
HostKeyAlgorithms ssh-ed25519
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
IgnoreRhosts yes
LogLevel VERBOSE
AddressFamily any
backup: yes
validate: /usr/sbin/sshd -T -f %s
- name: Disable external sftp-Subsystem
replace:
path: /etc/ssh/sshd_config
regexp: '(^Subsystem.*sftp.*)'
replace: '#\1'
validate: /usr/sbin/sshd -T -f %s
backup: yes
- name: Create .ssh dir
ansible.builtin.file:
path: /root/.ssh
owner: root
group: root
state: directory
mode: '0550'
- name: Generate an OpenSSH keypair ed25519
community.crypto.openssh_keypair:
path: /root/.ssh/id_ed25519
type: ed25519
- name: shell profile
blockinfile:
path: /etc/profile.d/settings-from-ansible.sh
create: yes
mode: "0444"
owner: root
group: root
marker: "# {mark} ANSIBLE MANAGED BLOCK"
block: |
if ${use_color} ; then
if [[ ${EUID} == 0 ]] ; then
PS1='\[\033[01;31m\]\h\[\033[01;34m\] \w \$\[\033[00m\] '
else
PS1='\[\033[01;32m\]\u@\h\[\033[01;34m\] \w \$\[\033[00m\] '
fi
export EDITOR="/usr/bin/vim"
export HISTSIZE=
export HISTFILESIZE=
export HISTTIMEFORMAT="[%F %T] "
if [ -f /etc/debian_version ]
then
export DEBIAN_FRONTEND='noninteractive'
export LANG="en_US.UTF-8"
alias ls='ls --color=auto'
alias grep='grep --colour=auto'
alias egrep='egrep --colour=auto'
alias fgrep='fgrep --colour=auto'
fi
else
# show root@ when we don't have colors
PS1+='\u@\h \w \$'
fi
# execute for linuxmint
if [ -d /etc/linuxmint ]
then
grep -q /etc/profile.d/settings-from-ansible.sh ~/.bashrc || echo '. /etc/profile.d/settings-from-ansible.sh' >> ~/.bashrc
export LANG="de_DE.UTF-8"
#for rc in ~/.bashrc /etc/skel/.bashrc
#do
# grep -q /etc/profile.d/settings-from-ansible.sh $rc || echo '. /etc/profile.d/settings-from-ansible.sh' >> $rc
#done
fi
backup: yes
validate: /bin/bash -n %s
- name: vim settings
blockinfile:
path: /etc/vim/vimrc.local
mode: "0444"
owner: root
group: root
create: yes
marker: "\" {mark} ANSIBLE MANAGED BLOCK"
block: |
:syntax on
let g:skip_defaults_vim = 1
set encoding=utf-8
set tabstop=2 softtabstop=0 expandtab shiftwidth=2 smarttab
syntax match nonascii "[^[:alnum:][:punct:][:space:]]/"
highlight nonascii guibg=Red ctermbg=2
backup: yes
- name: gaboshlib from git
ansible.builtin.git:
repo: 'https://gitea.ds9.dedyn.io/olli/gaboshlib.git'
dest: /etc/bash
force: yes
handlers:
- name: localectl
ansible.builtin.shell: localectl set-locale LANG=de_DE.UTF-8