olli/debian.ansible.basics
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

basics.yml aktualisiert

Browse Source
This commit is contained in:
olli 2023-08-21 11:49:35 +02:00
parent c0fd6a1f3e
commit 9e241cf0fd
1 changed files with 11 additions and 121 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

110
basics.yml
View File

@ -188,11 +188,6 @@
name: "{{inventory_hostname}}"
when: nocontainer.stat.exists == true
- name: Set timezone to Europe/Berlin
community.general.timezone:
name: Europe/Berlin
when: nocontainer.stat.exists == true
- name: Allow the hostnameadm User all sudo commands
community.general.sudoers:
name: ALL
@ -201,30 +196,6 @@
commands: ALL
when: nocontainer.stat.exists == true
- name: Remove root-Password
user:
name: root
password: '*'
when: nocontainer.stat.exists == true
- name: German keyboard layout
ansible.builtin.lineinfile:
path: /etc/default/keyboard
regexp: '^XKBLAYOUT=".+$'
line: 'XKBLAYOUT="de"'
backup: yes
notify: setupcon
when: nocontainer.stat.exists == true
- name: nodeadkeys
ansible.builtin.lineinfile:
path: /etc/default/keyboard
regexp: '^XKBVARIANT=".+$'
line: 'XKBVARIANT="nodeadkeys"'
backup: yes
notify: setupcon
when: nocontainer.stat.exists == true
- name: Prefer ipv4 over ipv6 to avoid problems and waiting times
ansible.builtin.lineinfile:
path: /etc/gai.conf
@ -242,69 +213,11 @@
name: en_GB.UTF-8
state: present
- name: Ensure de_DE.UTF-8 locale exists
community.general.locale_gen:
name: de_DE.UTF-8
state: present
notify: localectl
when: nocontainer.stat.exists == true
## NOW WITH DoH OVER DNSCRYPT-DNS-Proxy
#- name: DigitalCourage encrypted DNS (DoT) via TLS systemd-resolved without censorship
# blockinfile:
# path: /etc/systemd/resolved.conf.d/digitalcourage-dot.conf
# mode: "0444"
# owner: root
# group: root
# create: yes
# insertbefore: BOF # Beginning of the file
# marker: "# {mark} ANSIBLE MANAGED BLOCK"
# block: |
# [Resolve]
# DNS=5.9.164.112#dns3.digitalcourage.de 2a01:4f8:251:554::2#dns3.digitalcourage.de
# DNSOverTLS=opportunistic
# backup: yes
# when: nocontainer.stat.exists == true
- name: NOW WITH DoH OVER DNSCRYPT-DNS-Proxy
ansible.builtin.file:
state: absent
path: /etc/systemd/resolved.conf.d/digitalcourage-dot.conf
- name: SSHD hardening
blockinfile:
path: /etc/ssh/sshd_config.d/hardening.conf
mode: "0444"
owner: root
group: root
create: yes
insertbefore: BOF # Beginning of the file
marker: "# {mark} ANSIBLE MANAGED BLOCK"
block: |
Port 22
Port 33
PermitRootLogin prohibit-password
PermitUserRC no
PermitUserEnvironment no
PubkeyAuthentication yes
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding yes
Subsystem sftp internal-sftp -f AUTH -l INFO -u 0007
## Ciphers Check https://sshcheck.com/server/{{inventory_hostname}}/
# nmap -p22 -n -sV --script ssh2-enum-algos localhost
KexAlgorithms curve25519-sha256@libssh.org
HostKeyAlgorithms ssh-ed25519
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
IgnoreRhosts yes
LogLevel VERBOSE
AddressFamily any
backup: yes
validate: /usr/sbin/sshd -T -f %s
notify:
- Restart sshd
when: nocontainer.stat.exists == true
- name: SSH client settings
blockinfile:
path: /etc/ssh/ssh_config.d/settings.conf
@ -319,17 +232,6 @@
StrictHostKeyChecking=accept-new
backup: yes
- name: Disable external sftp-Subsystem
replace:
path: /etc/ssh/sshd_config
regexp: '(^Subsystem.*sftp.*)'
replace: '#\1'
validate: /usr/sbin/sshd -T -f %s
backup: yes
notify:
- Restart sshd
when: nocontainer.stat.exists == true
- name: Create .ssh dir
ansible.builtin.file:
path: /root/.ssh
@ -877,17 +779,6 @@
handlers:
- name: setupcon
ansible.builtin.shell: setupcon
- name: localectl
ansible.builtin.shell: localectl set-locale LANG=de_DE.UTF-8
- name: Restart sshd
service:
name: sshd
state: restarted
- name: Restart journald
service:
name: systemd-journald
@ -903,4 +794,3 @@
name: hd-idle
state: restarted