basics.yml aktualisiert

olli 2023-08-21 11:49:35 +02:00
parent c0fd6a1f3e
commit 9e241cf0fd


@ -188,11 +188,6 @@
name: "{{inventory_hostname}}" name: "{{inventory_hostname}}"
when: nocontainer.stat.exists == true when: nocontainer.stat.exists == true
- name: Set timezone to Europe/Berlin
community.general.timezone:
name: Europe/Berlin
when: nocontainer.stat.exists == true
- name: Allow the hostnameadm User all sudo commands - name: Allow the hostnameadm User all sudo commands
community.general.sudoers: community.general.sudoers:
name: ALL name: ALL
@ -201,30 +196,6 @@
commands: ALL commands: ALL
when: nocontainer.stat.exists == true when: nocontainer.stat.exists == true
- name: Remove root-Password
user:
name: root
password: '*'
when: nocontainer.stat.exists == true
- name: German keyboard layout
ansible.builtin.lineinfile:
path: /etc/default/keyboard
regexp: '^XKBLAYOUT=".+$'
line: 'XKBLAYOUT="de"'
backup: yes
notify: setupcon
when: nocontainer.stat.exists == true
- name: nodeadkeys
ansible.builtin.lineinfile:
path: /etc/default/keyboard
regexp: '^XKBVARIANT=".+$'
line: 'XKBVARIANT="nodeadkeys"'
backup: yes
notify: setupcon
when: nocontainer.stat.exists == true
- name: Prefer ipv4 over ipv6 to avoid problems and waiting times - name: Prefer ipv4 over ipv6 to avoid problems and waiting times
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/gai.conf path: /etc/gai.conf
@ -242,69 +213,11 @@
name: en_GB.UTF-8 name: en_GB.UTF-8
state: present state: present
- name: Ensure de_DE.UTF-8 locale exists
community.general.locale_gen:
name: de_DE.UTF-8
state: present
notify: localectl
when: nocontainer.stat.exists == true
## NOW WITH DoH OVER DNSCRYPT-DNS-Proxy
#- name: DigitalCourage encrypted DNS (DoT) via TLS systemd-resolved without censorship
# blockinfile:
# path: /etc/systemd/resolved.conf.d/digitalcourage-dot.conf
# mode: "0444"
# owner: root
# group: root
# create: yes
# insertbefore: BOF # Beginning of the file
# marker: "# {mark} ANSIBLE MANAGED BLOCK"
# block: |
# [Resolve]
# DNS=5.9.164.112#dns3.digitalcourage.de 2a01:4f8:251:554::2#dns3.digitalcourage.de
# DNSOverTLS=opportunistic
# backup: yes
# when: nocontainer.stat.exists == true
- name: NOW WITH DoH OVER DNSCRYPT-DNS-Proxy - name: NOW WITH DoH OVER DNSCRYPT-DNS-Proxy
ansible.builtin.file: ansible.builtin.file:
state: absent state: absent
path: /etc/systemd/resolved.conf.d/digitalcourage-dot.conf path: /etc/systemd/resolved.conf.d/digitalcourage-dot.conf
- name: SSHD hardening
blockinfile:
path: /etc/ssh/sshd_config.d/hardening.conf
mode: "0444"
owner: root
group: root
create: yes
insertbefore: BOF # Beginning of the file
marker: "# {mark} ANSIBLE MANAGED BLOCK"
block: |
Port 22
Port 33
PermitRootLogin prohibit-password
PermitUserRC no
PermitUserEnvironment no
PubkeyAuthentication yes
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding yes
Subsystem sftp internal-sftp -f AUTH -l INFO -u 0007
## Ciphers Check https://sshcheck.com/server/{{inventory_hostname}}/
# nmap -p22 -n -sV --script ssh2-enum-algos localhost
KexAlgorithms curve25519-sha256@libssh.org
HostKeyAlgorithms ssh-ed25519
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
IgnoreRhosts yes
LogLevel VERBOSE
AddressFamily any
backup: yes
validate: /usr/sbin/sshd -T -f %s
notify:
- Restart sshd
when: nocontainer.stat.exists == true
- name: SSH client settings - name: SSH client settings
blockinfile: blockinfile:
path: /etc/ssh/ssh_config.d/settings.conf path: /etc/ssh/ssh_config.d/settings.conf
@ -316,20 +229,9 @@
marker: "# {mark} ANSIBLE MANAGED BLOCK" marker: "# {mark} ANSIBLE MANAGED BLOCK"
block: | block: |
Host * Host *
StrictHostKeyChecking=accept-new StrictHostKeyChecking=accept-new
backup: yes backup: yes
- name: Disable external sftp-Subsystem
replace:
path: /etc/ssh/sshd_config
regexp: '(^Subsystem.*sftp.*)'
replace: '#\1'
validate: /usr/sbin/sshd -T -f %s
backup: yes
notify:
- Restart sshd
when: nocontainer.stat.exists == true
- name: Create .ssh dir - name: Create .ssh dir
ansible.builtin.file: ansible.builtin.file:
path: /root/.ssh path: /root/.ssh
@ -383,12 +285,12 @@
if [ -d /etc/linuxmint ] if [ -d /etc/linuxmint ]
then then
grep -q /etc/profile.d/settings-from-ansible.sh ~/.bashrc || echo '. /etc/profile.d/settings-from-ansible.sh' >> ~/.bashrc grep -q /etc/profile.d/settings-from-ansible.sh ~/.bashrc || echo '. /etc/profile.d/settings-from-ansible.sh' >> ~/.bashrc
export LANG="de_DE.UTF-8" export LANG="de_DE.UTF-8"
#for rc in ~/.bashrc /etc/skel/.bashrc #for rc in ~/.bashrc /etc/skel/.bashrc
#do #do
# grep -q /etc/profile.d/settings-from-ansible.sh $rc || echo '. /etc/profile.d/settings-from-ansible.sh' >> $rc # grep -q /etc/profile.d/settings-from-ansible.sh $rc || echo '. /etc/profile.d/settings-from-ansible.sh' >> $rc
#done #done
fi fi
backup: yes backup: yes
validate: /bin/bash -n %s validate: /bin/bash -n %s
@ -406,7 +308,7 @@
set encoding=utf-8 set encoding=utf-8
set tabstop=2 softtabstop=0 expandtab shiftwidth=2 smarttab set tabstop=2 softtabstop=0 expandtab shiftwidth=2 smarttab
syntax match nonascii "[^[:alnum:][:punct:][:space:]]/" syntax match nonascii "[^[:alnum:][:punct:][:space:]]/"
highlight nonascii guibg=Red ctermbg=2 highlight nonascii guibg=Red ctermbg=2
backup: yes backup: yes
- name: gaboshlib from git - name: gaboshlib from git
@ -427,7 +329,7 @@
[Journal] [Journal]
Storage=persistent Storage=persistent
SystemMaxUse=30M SystemMaxUse=30M
ForwardToSyslog=yes ForwardToSyslog=yes
backup: yes backup: yes
notify: notify:
- Restart journald - Restart journald
@ -467,7 +369,7 @@
if $hostname == 'xgabosh' then /var/log/xgabosh.log if $hostname == 'xgabosh' then /var/log/xgabosh.log
if $hostname == 'xgabosh' then stop if $hostname == 'xgabosh' then stop
if $hostname != '{{ ansible_facts['hostname'] }}' and $hostname != 'share' and $hostname != 'backup-chroot' then /var/log/GTC-Hosts.log if $hostname != '{{ ansible_facts['hostname'] }}' and $hostname != 'share' and $hostname != 'backup-chroot' then /var/log/GTC-Hosts.log
if $hostname != '{{ ansible_facts['hostname'] }}' and $hostname != 'share' and $hostname != 'backup-chroot' then stop if $hostname != '{{ ansible_facts['hostname'] }}' and $hostname != 'share' and $hostname != 'backup-chroot' then stop
backup: yes backup: yes
when: nocontainer.stat.exists == true when: nocontainer.stat.exists == true
notify: notify:
@ -657,7 +559,7 @@
if $programname contains 'g_bash-script' then /var/log/g_bash-scripts.log if $programname contains 'g_bash-script' then /var/log/g_bash-scripts.log
if $programname contains 'g_bash-script' then stop if $programname contains 'g_bash-script' then stop
# Rest in messages # Rest in messages
*.* /var/log/messages *.* /var/log/messages
backup: yes backup: yes
notify: notify:
- Restart rsyslog - Restart rsyslog
@ -672,7 +574,7 @@
group: root group: root
marker: "# {mark} ANSIBLE MANAGED BLOCK" marker: "# {mark} ANSIBLE MANAGED BLOCK"
block: | block: |
HD_IDLE_OPTS="-i 300 -l /var/log/hd-idle.log" HD_IDLE_OPTS="-i 300 -l /var/log/hd-idle.log"
backup: yes backup: yes
notify: notify:
- Restart hd-idle - Restart hd-idle
@ -692,7 +594,7 @@
BTRFS_BALANCE_MOUNTPOINTS="auto" BTRFS_BALANCE_MOUNTPOINTS="auto"
BTRFS_BALANCE_PERIOD="monthly" BTRFS_BALANCE_PERIOD="monthly"
BTRFS_SCRUB_MOUNTPOINTS="auto" BTRFS_SCRUB_MOUNTPOINTS="auto"
BTRFS_SCRUB_PERIOD="monthly" BTRFS_SCRUB_PERIOD="monthly"
backup: yes backup: yes
when: nocontainer.stat.exists == true when: nocontainer.stat.exists == true
@ -734,7 +636,7 @@
postrotate postrotate
/usr/lib/rsyslog/rsyslog-rotate /usr/lib/rsyslog/rsyslog-rotate
endscript endscript
} }
when: nocontainer.stat.exists == true when: nocontainer.stat.exists == true
- name: Remove logrotates - name: Remove logrotates
@ -863,7 +765,7 @@
then then
# Sent to a single Number via dbus # Sent to a single Number via dbus
dbus-send --system --type=method_call --print-reply --dest="org.asamk.Signal" /org/asamk/Signal/${account} org.asamk.Signal.sendMessage string:"${message}" array:string: string:${to} | egrep -v '^method return time=|^ int64 ' dbus-send --system --type=method_call --print-reply --dest="org.asamk.Signal" /org/asamk/Signal/${account} org.asamk.Signal.sendMessage string:"${message}" array:string: string:${to} | egrep -v '^method return time=|^ int64 '
fi fi
backup: yes backup: yes
validate: /bin/bash -n %s validate: /bin/bash -n %s
@ -877,17 +779,6 @@
handlers: handlers:
- name: setupcon
ansible.builtin.shell: setupcon
- name: localectl
ansible.builtin.shell: localectl set-locale LANG=de_DE.UTF-8
- name: Restart sshd
service:
name: sshd
state: restarted
- name: Restart journald - name: Restart journald
service: service:
name: systemd-journald name: systemd-journald
@ -903,4 +794,3 @@
name: hd-idle name: hd-idle
state: restarted state: restarted
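Review bot: In the `@ -242,69 +213,11 @@` hunk the `SSHD hardening` task and, in the following hunk, the `Disable external sftp-Subsystem` task are deleted without any cleanup, whereas the dropped DoT drop-in in the same hunk keeps an explicit `ansible.builtin.file: state: absent` task for `digitalcourage-dot.conf`; nothing removes `/etc/ssh/sshd_config.d/hardening.conf` or restores the commented-out `Subsystem sftp` line on hosts that were already provisioned, so already-configured hosts and newly provisioned ones will end up with different sshd policies. If the hardening has moved to another play, a one-line comment at that spot (`# sshd hardening now lives in <other play>`) would make the intent clear; if it is being retired, a cleanup task like the one below is needed, and it depends on the `Restart sshd` handler that the `@ -877,17 +779,6 @@` hunk also deletes from `handlers:`, so that handler would have to stay. The same drift applies to the removed `Remove root-Password` task: hosts that already ran it keep root locked, while new hosts keep whatever root password the base image ships. Note that the new side no longer pins `PermitRootLogin`, the cipher/MAC/KEX lists or `LogLevel VERBOSE`, which is a deliberate weakening only if compensated elsewhere; the task list of this play continues outside the hunks shown.
```yaml
# … unchanged: NOW WITH DoH OVER DNSCRYPT-DNS-Proxy task …
- name: Remove retired sshd hardening drop-in
  ansible.builtin.file:
    state: absent
    path: /etc/ssh/sshd_config.d/hardening.conf
  notify:
    - Restart sshd  # handler must remain defined under handlers:
  when: nocontainer.stat.exists == true
# … unchanged: SSH client settings task …
```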