From 9e241cf0fd79e49ac1a308c4a8fa088fd55eb3ef Mon Sep 17 00:00:00 2001 From: olli Date: Mon, 21 Aug 2023 11:49:35 +0200 Subject: [PATCH] basics.yml aktualisiert --- basics.yml | 132 +++++------------------------------------------------ 1 file changed, 11 insertions(+), 121 deletions(-) diff --git a/basics.yml b/basics.yml index 34258cc..fc55b05 100644 --- a/basics.yml +++ b/basics.yml @@ -188,11 +188,6 @@ name: "{{inventory_hostname}}" when: nocontainer.stat.exists == true - - name: Set timezone to Europe/Berlin - community.general.timezone: - name: Europe/Berlin - when: nocontainer.stat.exists == true - - name: Allow the hostnameadm User all sudo commands community.general.sudoers: name: ALL @@ -201,30 +196,6 @@ commands: ALL when: nocontainer.stat.exists == true - - name: Remove root-Password - user: - name: root - password: '*' - when: nocontainer.stat.exists == true - - - name: German keyboard layout - ansible.builtin.lineinfile: - path: /etc/default/keyboard - regexp: '^XKBLAYOUT=".+$' - line: 'XKBLAYOUT="de"' - backup: yes - notify: setupcon - when: nocontainer.stat.exists == true - - - name: nodeadkeys - ansible.builtin.lineinfile: - path: /etc/default/keyboard - regexp: '^XKBVARIANT=".+$' - line: 'XKBVARIANT="nodeadkeys"' - backup: yes - notify: setupcon - when: nocontainer.stat.exists == true - - name: Prefer ipv4 over ipv6 to avoid problems and waiting times ansible.builtin.lineinfile: path: /etc/gai.conf 
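Review bot: The second hunk on this line (`@@ -201,30 +196,6 @@`) drops the `Remove root-Password` task and nothing on the new side replaces it, so on freshly provisioned hosts root keeps whatever password the base image set while the surrounding context still grants `hostnameadm` `commands: ALL` through `community.general.sudoers`. If locking root now happens in another play, a one-line comment at the sudoers task saying so would make that visible; otherwise keeping the three-line `user:` task (`name: root`, `password: '*'`) next to the sudoers task is the cheaper option. The keyboard-layout tasks removed in the same hunk were the ones notifying `setupcon`, which the handlers hunk at the end of the patch also deletes, so any remaining task that still notifies `setupcon` would fail rather than be skipped. The enclosing `tasks:` list starts outside this hunk.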
@@ -242,69 +213,11 @@ name: en_GB.UTF-8 state: present - - name: Ensure de_DE.UTF-8 locale exists - community.general.locale_gen: - name: de_DE.UTF-8 - state: present - notify: localectl - when: nocontainer.stat.exists == true - - ## NOW WITH DoH OVER DNSCRYPT-DNS-Proxy - #- name: DigitalCourage encrypted DNS (DoT) via TLS systemd-resolved without censorship - # blockinfile: - # path: /etc/systemd/resolved.conf.d/digitalcourage-dot.conf - # mode: "0444" - # owner: root - # group: root - # create: yes - # insertbefore: BOF # Beginning of the file - # marker: "# {mark} ANSIBLE MANAGED BLOCK" - # block: | - # [Resolve] - # DNS=5.9.164.112#dns3.digitalcourage.de 2a01:4f8:251:554::2#dns3.digitalcourage.de - # DNSOverTLS=opportunistic - # backup: yes - # when: nocontainer.stat.exists == true - name: NOW WITH DoH OVER DNSCRYPT-DNS-Proxy ansible.builtin.file: state: absent path: /etc/systemd/resolved.conf.d/digitalcourage-dot.conf - - name: SSHD hardening - blockinfile: - path: /etc/ssh/sshd_config.d/hardening.conf - mode: "0444" - owner: root - group: root - create: yes - insertbefore: BOF # Beginning of the file - marker: "# {mark} ANSIBLE MANAGED BLOCK" - block: | - Port 22 - Port 33 - PermitRootLogin prohibit-password - PermitUserRC no - PermitUserEnvironment no - PubkeyAuthentication yes - X11Forwarding no - AllowAgentForwarding no - AllowTcpForwarding yes - Subsystem sftp internal-sftp -f AUTH -l INFO -u 0007 - ## Ciphers Check https://sshcheck.com/server/{{inventory_hostname}}/ - # nmap -p22 -n -sV --script ssh2-enum-algos localhost - KexAlgorithms curve25519-sha256@libssh.org - HostKeyAlgorithms ssh-ed25519 - Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com - MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com - IgnoreRhosts yes - LogLevel VERBOSE - AddressFamily any - backup: yes - validate: /usr/sbin/sshd -T -f %s - notify: - - Restart sshd - when: nocontainer.stat.exists == true - - name: 
SSH client settings blockinfile: path: /etc/ssh/ssh_config.d/settings.conf @@ -316,20 +229,9 @@ marker: "# {mark} ANSIBLE MANAGED BLOCK" block: | Host * - StrictHostKeyChecking=accept-new + StrictHostKeyChecking=accept-new backup: yes - - name: Disable external sftp-Subsystem - replace: - path: /etc/ssh/sshd_config - regexp: '(^Subsystem.*sftp.*)' - replace: '#\1' - validate: /usr/sbin/sshd -T -f %s - backup: yes - notify: - - Restart sshd - when: nocontainer.stat.exists == true - - name: Create .ssh dir ansible.builtin.file: path: /root/.ssh @@ -383,12 +285,12 @@ if [ -d /etc/linuxmint ] then grep -q /etc/profile.d/settings-from-ansible.sh ~/.bashrc || echo '. /etc/profile.d/settings-from-ansible.sh' >> ~/.bashrc - export LANG="de_DE.UTF-8" + export LANG="de_DE.UTF-8" #for rc in ~/.bashrc /etc/skel/.bashrc #do # grep -q /etc/profile.d/settings-from-ansible.sh $rc || echo '. /etc/profile.d/settings-from-ansible.sh' >> $rc #done - fi + fi backup: yes validate: /bin/bash -n %s @@ -406,7 +308,7 @@ set encoding=utf-8 set tabstop=2 softtabstop=0 expandtab shiftwidth=2 smarttab syntax match nonascii "[^[:alnum:][:punct:][:space:]]/" - highlight nonascii guibg=Red ctermbg=2 + highlight nonascii guibg=Red ctermbg=2 backup: yes - name: gaboshlib from git @@ -427,7 +329,7 @@ [Journal] Storage=persistent SystemMaxUse=30M - ForwardToSyslog=yes + ForwardToSyslog=yes backup: yes notify: - Restart journald @@ -467,7 +369,7 @@ if $hostname == 'xgabosh' then /var/log/xgabosh.log if $hostname == 'xgabosh' then stop if $hostname != '{{ ansible_facts['hostname'] }}' and $hostname != 'share' and $hostname != 'backup-chroot' then /var/log/GTC-Hosts.log - if $hostname != '{{ ansible_facts['hostname'] }}' and $hostname != 'share' and $hostname != 'backup-chroot' then stop + if $hostname != '{{ ansible_facts['hostname'] }}' and $hostname != 'share' and $hostname != 'backup-chroot' then stop backup: yes when: nocontainer.stat.exists == true notify: 
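Review bot: Removing the `SSHD hardening` blockinfile task (hunk `@@ -242,69 +213,11 @@`) does not remove `/etc/ssh/sshd_config.d/hardening.conf` from hosts that were already provisioned, so the fleet ends up split: existing hosts keep the restricted `PermitRootLogin`, `KexAlgorithms`, `Ciphers` and `MACs` settings while new installs run distro defaults, and the `validate: /usr/sbin/sshd -T -f %s` check is gone for both. The commit itself shows the pattern for a deliberate drop — the `ansible.builtin.file: state: absent` task kept for `digitalcourage-dot.conf` — so either add the equivalent for `hardening.conf` or record in a comment that the hardening now lives elsewhere. The `de_DE.UTF-8` locale_gen task is removed in this hunk as well, while the profile snippet in hunk `@@ -383,12 +285,12 @@` still runs `export LANG="de_DE.UTF-8"` on Linux Mint; if nothing else generates that locale, shells there will print setlocale warnings. The `tasks:` list this hunk belongs to starts and ends outside it.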
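Review bot: Dropping the `Disable external sftp-Subsystem` task (hunk `@@ -316,20 +229,9 @@`) removes the last `validate: /usr/sbin/sshd -T -f %s` call and `notify: Restart sshd` from this play, but the `#\1` comment it wrote into `/etc/ssh/sshd_config` stays on already-configured hosts, where the sftp subsystem is then defined only by the `hardening.conf` that the previous hunk also stops managing; a comment stating the intended end state for sftp would help the next person touching this. The `StrictHostKeyChecking=accept-new` line in the same hunk changes only in whitespace, which the collapsed rendering hides; because it sits inside a `block: |` literal, any change to leading or trailing spaces becomes part of the rendered `/etc/ssh/ssh_config.d/settings.conf`, so the exact whitespace change should be checked. The same whitespace-only edit of the last line of a block scalar appears in hunks `@@ -383`, `@@ -406`, `@@ -427`, `@@ -467`, `@@ -657`, `@@ -672`, `@@ -692`, `@@ -734` and `@@ -863`, and one check covers them all. The enclosing `tasks:` list starts outside the hunk.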
@@ -657,7 +559,7 @@ if $programname contains 'g_bash-script' then /var/log/g_bash-scripts.log if $programname contains 'g_bash-script' then stop # Rest in messages - *.* /var/log/messages + *.* /var/log/messages backup: yes notify: - Restart rsyslog @@ -672,7 +574,7 @@ group: root marker: "# {mark} ANSIBLE MANAGED BLOCK" block: | - HD_IDLE_OPTS="-i 300 -l /var/log/hd-idle.log" + HD_IDLE_OPTS="-i 300 -l /var/log/hd-idle.log" backup: yes notify: - Restart hd-idle @@ -692,7 +594,7 @@ BTRFS_BALANCE_MOUNTPOINTS="auto" BTRFS_BALANCE_PERIOD="monthly" BTRFS_SCRUB_MOUNTPOINTS="auto" - BTRFS_SCRUB_PERIOD="monthly" + BTRFS_SCRUB_PERIOD="monthly" backup: yes when: nocontainer.stat.exists == true @@ -734,7 +636,7 @@ postrotate /usr/lib/rsyslog/rsyslog-rotate endscript - } + } when: nocontainer.stat.exists == true - name: Remove logrotates @@ -863,7 +765,7 @@ then # Sent to a single Number via dbus dbus-send --system --type=method_call --print-reply --dest="org.asamk.Signal" /org/asamk/Signal/${account} org.asamk.Signal.sendMessage string:"${message}" array:string: string:${to} | egrep -v '^method return time=|^ int64 ' - fi + fi backup: yes validate: /bin/bash -n %s @@ -877,17 +779,6 @@ handlers: - - name: setupcon - ansible.builtin.shell: setupcon - - - name: localectl - ansible.builtin.shell: localectl set-locale LANG=de_DE.UTF-8 - - - name: Restart sshd - service: - name: sshd - state: restarted - - name: Restart journald service: name: systemd-journald @@ -903,4 +794,3 @@ name: hd-idle state: restarted -
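Review bot: The handlers hunk (`@@ -877,17 +779,6 @@`) deletes `setupcon`, `localectl` and `Restart sshd`, but the patch only shows the tasks in this file that notified them; if any task elsewhere in `basics.yml` or in an included play still carries `notify: Restart sshd` (or `setupcon` / `localectl`), Ansible is expected to abort the run with a handler-not-found error rather than skip the notify. A search for those three names before merging would settle it, and a short comment above the remaining `Restart journald` handler noting that sshd restarts are no longer handled here would keep the notify from being re-added later. The `handlers:` list itself begins outside the hunk.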