basics.yml aktualisiert
parent
c0fd6a1f3e
commit
9e241cf0fd
132
basics.yml
132
basics.yml
@ -188,11 +188,6 @@
|
|||||||
name: "{{inventory_hostname}}"
|
name: "{{inventory_hostname}}"
|
||||||
when: nocontainer.stat.exists == true
|
when: nocontainer.stat.exists == true
|
||||||
|
|
||||||
- name: Set timezone to Europe/Berlin
|
|
||||||
community.general.timezone:
|
|
||||||
name: Europe/Berlin
|
|
||||||
when: nocontainer.stat.exists == true
|
|
||||||
|
|
||||||
- name: Allow the hostnameadm User all sudo commands
|
- name: Allow the hostnameadm User all sudo commands
|
||||||
community.general.sudoers:
|
community.general.sudoers:
|
||||||
name: ALL
|
name: ALL
|
||||||
@ -201,30 +196,6 @@
|
|||||||
commands: ALL
|
commands: ALL
|
||||||
when: nocontainer.stat.exists == true
|
when: nocontainer.stat.exists == true
|
||||||
|
|
||||||
- name: Remove root-Password
|
|
||||||
user:
|
|
||||||
name: root
|
|
||||||
password: '*'
|
|
||||||
when: nocontainer.stat.exists == true
|
|
||||||
|
|
||||||
- name: German keyboard layout
|
|
||||||
ansible.builtin.lineinfile:
|
|
||||||
path: /etc/default/keyboard
|
|
||||||
regexp: '^XKBLAYOUT=".+$'
|
|
||||||
line: 'XKBLAYOUT="de"'
|
|
||||||
backup: yes
|
|
||||||
notify: setupcon
|
|
||||||
when: nocontainer.stat.exists == true
|
|
||||||
|
|
||||||
- name: nodeadkeys
|
|
||||||
ansible.builtin.lineinfile:
|
|
||||||
path: /etc/default/keyboard
|
|
||||||
regexp: '^XKBVARIANT=".+$'
|
|
||||||
line: 'XKBVARIANT="nodeadkeys"'
|
|
||||||
backup: yes
|
|
||||||
notify: setupcon
|
|
||||||
when: nocontainer.stat.exists == true
|
|
||||||
|
|
||||||
- name: Prefer ipv4 over ipv6 to avoid problems and waiting times
|
- name: Prefer ipv4 over ipv6 to avoid problems and waiting times
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/gai.conf
|
path: /etc/gai.conf
|
||||||
@ -242,69 +213,11 @@
|
|||||||
name: en_GB.UTF-8
|
name: en_GB.UTF-8
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Ensure de_DE.UTF-8 locale exists
|
|
||||||
community.general.locale_gen:
|
|
||||||
name: de_DE.UTF-8
|
|
||||||
state: present
|
|
||||||
notify: localectl
|
|
||||||
when: nocontainer.stat.exists == true
|
|
||||||
|
|
||||||
## NOW WITH DoH OVER DNSCRYPT-DNS-Proxy
|
|
||||||
#- name: DigitalCourage encrypted DNS (DoT) via TLS systemd-resolved without censorship
|
|
||||||
# blockinfile:
|
|
||||||
# path: /etc/systemd/resolved.conf.d/digitalcourage-dot.conf
|
|
||||||
# mode: "0444"
|
|
||||||
# owner: root
|
|
||||||
# group: root
|
|
||||||
# create: yes
|
|
||||||
# insertbefore: BOF # Beginning of the file
|
|
||||||
# marker: "# {mark} ANSIBLE MANAGED BLOCK"
|
|
||||||
# block: |
|
|
||||||
# [Resolve]
|
|
||||||
# DNS=5.9.164.112#dns3.digitalcourage.de 2a01:4f8:251:554::2#dns3.digitalcourage.de
|
|
||||||
# DNSOverTLS=opportunistic
|
|
||||||
# backup: yes
|
|
||||||
# when: nocontainer.stat.exists == true
|
|
||||||
- name: NOW WITH DoH OVER DNSCRYPT-DNS-Proxy
|
- name: NOW WITH DoH OVER DNSCRYPT-DNS-Proxy
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
state: absent
|
state: absent
|
||||||
path: /etc/systemd/resolved.conf.d/digitalcourage-dot.conf
|
path: /etc/systemd/resolved.conf.d/digitalcourage-dot.conf
|
||||||
|
|
||||||
- name: SSHD hardening
|
|
||||||
blockinfile:
|
|
||||||
path: /etc/ssh/sshd_config.d/hardening.conf
|
|
||||||
mode: "0444"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
create: yes
|
|
||||||
insertbefore: BOF # Beginning of the file
|
|
||||||
marker: "# {mark} ANSIBLE MANAGED BLOCK"
|
|
||||||
block: |
|
|
||||||
Port 22
|
|
||||||
Port 33
|
|
||||||
PermitRootLogin prohibit-password
|
|
||||||
PermitUserRC no
|
|
||||||
PermitUserEnvironment no
|
|
||||||
PubkeyAuthentication yes
|
|
||||||
X11Forwarding no
|
|
||||||
AllowAgentForwarding no
|
|
||||||
AllowTcpForwarding yes
|
|
||||||
Subsystem sftp internal-sftp -f AUTH -l INFO -u 0007
|
|
||||||
## Ciphers Check https://sshcheck.com/server/{{inventory_hostname}}/
|
|
||||||
# nmap -p22 -n -sV --script ssh2-enum-algos localhost
|
|
||||||
KexAlgorithms curve25519-sha256@libssh.org
|
|
||||||
HostKeyAlgorithms ssh-ed25519
|
|
||||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
|
|
||||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
|
|
||||||
IgnoreRhosts yes
|
|
||||||
LogLevel VERBOSE
|
|
||||||
AddressFamily any
|
|
||||||
backup: yes
|
|
||||||
validate: /usr/sbin/sshd -T -f %s
|
|
||||||
notify:
|
|
||||||
- Restart sshd
|
|
||||||
when: nocontainer.stat.exists == true
|
|
||||||
|
|
||||||
- name: SSH client settings
|
- name: SSH client settings
|
||||||
blockinfile:
|
blockinfile:
|
||||||
path: /etc/ssh/ssh_config.d/settings.conf
|
path: /etc/ssh/ssh_config.d/settings.conf
|
||||||
@ -316,20 +229,9 @@
|
|||||||
marker: "# {mark} ANSIBLE MANAGED BLOCK"
|
marker: "# {mark} ANSIBLE MANAGED BLOCK"
|
||||||
block: |
|
block: |
|
||||||
Host *
|
Host *
|
||||||
StrictHostKeyChecking=accept-new
|
StrictHostKeyChecking=accept-new
|
||||||
backup: yes
|
backup: yes
|
||||||
|
|
||||||
- name: Disable external sftp-Subsystem
|
|
||||||
replace:
|
|
||||||
path: /etc/ssh/sshd_config
|
|
||||||
regexp: '(^Subsystem.*sftp.*)'
|
|
||||||
replace: '#\1'
|
|
||||||
validate: /usr/sbin/sshd -T -f %s
|
|
||||||
backup: yes
|
|
||||||
notify:
|
|
||||||
- Restart sshd
|
|
||||||
when: nocontainer.stat.exists == true
|
|
||||||
|
|
||||||
- name: Create .ssh dir
|
- name: Create .ssh dir
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: /root/.ssh
|
path: /root/.ssh
|
||||||
@ -383,12 +285,12 @@
|
|||||||
if [ -d /etc/linuxmint ]
|
if [ -d /etc/linuxmint ]
|
||||||
then
|
then
|
||||||
grep -q /etc/profile.d/settings-from-ansible.sh ~/.bashrc || echo '. /etc/profile.d/settings-from-ansible.sh' >> ~/.bashrc
|
grep -q /etc/profile.d/settings-from-ansible.sh ~/.bashrc || echo '. /etc/profile.d/settings-from-ansible.sh' >> ~/.bashrc
|
||||||
export LANG="de_DE.UTF-8"
|
export LANG="de_DE.UTF-8"
|
||||||
#for rc in ~/.bashrc /etc/skel/.bashrc
|
#for rc in ~/.bashrc /etc/skel/.bashrc
|
||||||
#do
|
#do
|
||||||
# grep -q /etc/profile.d/settings-from-ansible.sh $rc || echo '. /etc/profile.d/settings-from-ansible.sh' >> $rc
|
# grep -q /etc/profile.d/settings-from-ansible.sh $rc || echo '. /etc/profile.d/settings-from-ansible.sh' >> $rc
|
||||||
#done
|
#done
|
||||||
fi
|
fi
|
||||||
backup: yes
|
backup: yes
|
||||||
validate: /bin/bash -n %s
|
validate: /bin/bash -n %s
|
||||||
|
|
||||||
@ -406,7 +308,7 @@
|
|||||||
set encoding=utf-8
|
set encoding=utf-8
|
||||||
set tabstop=2 softtabstop=0 expandtab shiftwidth=2 smarttab
|
set tabstop=2 softtabstop=0 expandtab shiftwidth=2 smarttab
|
||||||
syntax match nonascii "[^[:alnum:][:punct:][:space:]]/"
|
syntax match nonascii "[^[:alnum:][:punct:][:space:]]/"
|
||||||
highlight nonascii guibg=Red ctermbg=2
|
highlight nonascii guibg=Red ctermbg=2
|
||||||
backup: yes
|
backup: yes
|
||||||
|
|
||||||
- name: gaboshlib from git
|
- name: gaboshlib from git
|
||||||
@ -427,7 +329,7 @@
|
|||||||
[Journal]
|
[Journal]
|
||||||
Storage=persistent
|
Storage=persistent
|
||||||
SystemMaxUse=30M
|
SystemMaxUse=30M
|
||||||
ForwardToSyslog=yes
|
ForwardToSyslog=yes
|
||||||
backup: yes
|
backup: yes
|
||||||
notify:
|
notify:
|
||||||
- Restart journald
|
- Restart journald
|
||||||
@ -467,7 +369,7 @@
|
|||||||
if $hostname == 'xgabosh' then /var/log/xgabosh.log
|
if $hostname == 'xgabosh' then /var/log/xgabosh.log
|
||||||
if $hostname == 'xgabosh' then stop
|
if $hostname == 'xgabosh' then stop
|
||||||
if $hostname != '{{ ansible_facts['hostname'] }}' and $hostname != 'share' and $hostname != 'backup-chroot' then /var/log/GTC-Hosts.log
|
if $hostname != '{{ ansible_facts['hostname'] }}' and $hostname != 'share' and $hostname != 'backup-chroot' then /var/log/GTC-Hosts.log
|
||||||
if $hostname != '{{ ansible_facts['hostname'] }}' and $hostname != 'share' and $hostname != 'backup-chroot' then stop
|
if $hostname != '{{ ansible_facts['hostname'] }}' and $hostname != 'share' and $hostname != 'backup-chroot' then stop
|
||||||
backup: yes
|
backup: yes
|
||||||
when: nocontainer.stat.exists == true
|
when: nocontainer.stat.exists == true
|
||||||
notify:
|
notify:
|
||||||
@ -657,7 +559,7 @@
|
|||||||
if $programname contains 'g_bash-script' then /var/log/g_bash-scripts.log
|
if $programname contains 'g_bash-script' then /var/log/g_bash-scripts.log
|
||||||
if $programname contains 'g_bash-script' then stop
|
if $programname contains 'g_bash-script' then stop
|
||||||
# Rest in messages
|
# Rest in messages
|
||||||
*.* /var/log/messages
|
*.* /var/log/messages
|
||||||
backup: yes
|
backup: yes
|
||||||
notify:
|
notify:
|
||||||
- Restart rsyslog
|
- Restart rsyslog
|
||||||
@ -672,7 +574,7 @@
|
|||||||
group: root
|
group: root
|
||||||
marker: "# {mark} ANSIBLE MANAGED BLOCK"
|
marker: "# {mark} ANSIBLE MANAGED BLOCK"
|
||||||
block: |
|
block: |
|
||||||
HD_IDLE_OPTS="-i 300 -l /var/log/hd-idle.log"
|
HD_IDLE_OPTS="-i 300 -l /var/log/hd-idle.log"
|
||||||
backup: yes
|
backup: yes
|
||||||
notify:
|
notify:
|
||||||
- Restart hd-idle
|
- Restart hd-idle
|
||||||
@ -692,7 +594,7 @@
|
|||||||
BTRFS_BALANCE_MOUNTPOINTS="auto"
|
BTRFS_BALANCE_MOUNTPOINTS="auto"
|
||||||
BTRFS_BALANCE_PERIOD="monthly"
|
BTRFS_BALANCE_PERIOD="monthly"
|
||||||
BTRFS_SCRUB_MOUNTPOINTS="auto"
|
BTRFS_SCRUB_MOUNTPOINTS="auto"
|
||||||
BTRFS_SCRUB_PERIOD="monthly"
|
BTRFS_SCRUB_PERIOD="monthly"
|
||||||
backup: yes
|
backup: yes
|
||||||
when: nocontainer.stat.exists == true
|
when: nocontainer.stat.exists == true
|
||||||
|
|
||||||
@ -734,7 +636,7 @@
|
|||||||
postrotate
|
postrotate
|
||||||
/usr/lib/rsyslog/rsyslog-rotate
|
/usr/lib/rsyslog/rsyslog-rotate
|
||||||
endscript
|
endscript
|
||||||
}
|
}
|
||||||
when: nocontainer.stat.exists == true
|
when: nocontainer.stat.exists == true
|
||||||
|
|
||||||
- name: Remove logrotates
|
- name: Remove logrotates
|
||||||
@ -863,7 +765,7 @@
|
|||||||
then
|
then
|
||||||
# Sent to a single Number via dbus
|
# Sent to a single Number via dbus
|
||||||
dbus-send --system --type=method_call --print-reply --dest="org.asamk.Signal" /org/asamk/Signal/${account} org.asamk.Signal.sendMessage string:"${message}" array:string: string:${to} | egrep -v '^method return time=|^ int64 '
|
dbus-send --system --type=method_call --print-reply --dest="org.asamk.Signal" /org/asamk/Signal/${account} org.asamk.Signal.sendMessage string:"${message}" array:string: string:${to} | egrep -v '^method return time=|^ int64 '
|
||||||
fi
|
fi
|
||||||
|
|
||||||
backup: yes
|
backup: yes
|
||||||
validate: /bin/bash -n %s
|
validate: /bin/bash -n %s
|
||||||
@ -877,17 +779,6 @@
|
|||||||
|
|
||||||
handlers:
|
handlers:
|
||||||
|
|
||||||
- name: setupcon
|
|
||||||
ansible.builtin.shell: setupcon
|
|
||||||
|
|
||||||
- name: localectl
|
|
||||||
ansible.builtin.shell: localectl set-locale LANG=de_DE.UTF-8
|
|
||||||
|
|
||||||
- name: Restart sshd
|
|
||||||
service:
|
|
||||||
name: sshd
|
|
||||||
state: restarted
|
|
||||||
|
|
||||||
- name: Restart journald
|
- name: Restart journald
|
||||||
service:
|
service:
|
||||||
name: systemd-journald
|
name: systemd-journald
|
||||||
@ -903,4 +794,3 @@
|
|||||||
name: hd-idle
|
name: hd-idle
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
|
|
||||||
|
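Review bot: The new side deletes the `SSHD hardening` blockinfile task, the `Remove root-Password` task, the `Disable external sftp-Subsystem` task and the `Restart sshd` handler, but unlike the DoT drop-in, which gets an explicit `ansible.builtin.file` / `state: absent` task in this same commit, nothing removes `/etc/ssh/sshd_config.d/hardening.conf` from already-provisioned hosts, so existing hosts keep an unmanaged hardening file while freshly provisioned hosts get none of `PermitRootLogin prohibit-password`, `X11Forwarding no`, `AllowAgentForwarding no`, the restricted KexAlgorithms/Ciphers/MACs or `LogLevel VERBOSE`, and root's password is no longer locked with `password: '*'`. If this hardening moved to another role or playbook, say so where the tasks used to be, e.g. `# sshd hardening and root password lock are now applied by <role> — keep in sync`; if it was dropped on purpose, add a cleanup task that removes `hardening.conf` with `state: absent` and notifies an sshd restart. Note that the removed `replace` task commented out the stock `Subsystem sftp` line in `/etc/ssh/sshd_config`, so deleting `hardening.conf` (which carried `Subsystem sftp internal-sftp`) without restoring that line would leave those hosts with no sftp subsystem at all. The retained sudoers task still grants `commands: ALL` via a sudoers file named `ALL`; its `user:` key and any `nopassword` setting lie between the hunks, so whether that rule requires a password cannot be judged from here.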