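---
# Baseline for Debian-based containers: packages, hostname, locales, an
# OpenSSH server hardening drop-in, root's SSH key, a shared shell prompt
# profile, vim defaults and a shell library cloned from git.
#
# Assumptions (not checked by the play): the target runs systemd
# (hostname, localectl and the ssh service handler) and provides
# /usr/sbin/sshd and /bin/bash for the validate steps.
- name: Basic Debian Linux Setup for Containers
  hosts: all
  tasks:
    # - name: Print all available facts
    #   ansible.builtin.debug:
    #     var: ansible_facts

    - name: Install Basic Packages
      ansible.builtin.apt:
        name:
          - bc
          - psutils
          - psmisc
          - procps
          - htop
          - iotop
          - sysstat
          - strace
          - net-tools
          - vim
          - git
          - man-db
          - netcat
          - debconf-utils
          - iputils-ping
          - lsof
          - inotify-tools
          - rsync
          - dos2unix
          - locales
          - iproute2
          - cryptsetup
          - curl
          - moreutils
          - ffmpeg
          - mediainfo
          - telnet
          - libstring-approx-perl
          - postfix
          - zip
          - nmap
          - whois
          - libfile-readbackwards-perl
          - libcrypt-cbc-perl
          - libcrypt-des-perl
          - pwgen
          - certbot
          - jq
          - cifs-utils
          - apt-transport-https
          - golang
          - make
          - sshfs
          - imagemagick
          - libimage-exiftool-perl
          - sqlite3
          - html-xml-utils
          - ldmtool
          - openssh-server
        update_cache: true
        # Only the listed packages; recommends would pull in far more.
        install_recommends: false

    - name: Set a hostname
      ansible.builtin.hostname:
        name: "{{inventory_hostname}}"

    - name: Remove root-Password
      # '*' is not a valid password hash, so root cannot authenticate with a
      # password at all; key-based root login is still permitted by the sshd
      # drop-in below (PermitRootLogin prohibit-password).
      ansible.builtin.user:
        name: root
        password: '*'

    - name: Prefer ipv4 over ipv6 to avoid problems and waiting times
      # Uncomments the stock gai.conf line; the trailing marker keeps the
      # change recognisable on later inspection.
      ansible.builtin.lineinfile:
        path: /etc/gai.conf
        regexp: '^#precedence ::ffff:0:0/96 100'
        line: "precedence ::ffff:0:0/96 100 # CHANGED BY ANSIBLE"
        backup: true

    - name: Ensure required UTF-8 locales exist
      # The handler sets de_DE as the system default whenever a locale had to
      # be generated; the shell profile below overrides LANG per session.
      community.general.locale_gen:
        name: "{{ item }}"
        state: present
      loop:
        - en_US.UTF-8
        - en_GB.UTF-8
        - de_DE.UTF-8
      notify: localectl

    - name: SSHD hardening
      # Kept as a drop-in so the distribution sshd_config stays untouched.
      # Debian's sshd_config includes sshd_config.d/*.conf near its top, and
      # sshd honours the first occurrence of each keyword, so this file wins.
      # NOTE(review): PasswordAuthentication is not set here and keeps the
      # sshd default for non-root accounts; only root is restricted to keys.
      # NOTE(review): HostKeyAlgorithms ssh-ed25519 requires an ed25519 host
      # key in the default HostKey locations — confirm the image ships one.
      ansible.builtin.blockinfile:
        path: /etc/ssh/sshd_config.d/hardening.conf
        mode: "0444"
        owner: root
        group: root
        create: true
        insertbefore: BOF  # Beginning of the file
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          Port 22
          Port 33
          PermitRootLogin prohibit-password
          PermitUserRC no
          PermitUserEnvironment no
          PubkeyAuthentication yes
          X11Forwarding no
          AllowAgentForwarding no
          AllowTcpForwarding yes
          Subsystem sftp internal-sftp -f AUTH -l INFO -u 0007
          ## Ciphers Check https://sshcheck.com/server/{{inventory_hostname}}/
          # nmap -p22 -n -sV --script ssh2-enum-algos localhost
          KexAlgorithms curve25519-sha256@libssh.org
          HostKeyAlgorithms ssh-ed25519
          Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
          MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
          IgnoreRhosts yes
          LogLevel VERBOSE
          AddressFamily any
        backup: true
        # Checks the fragment on its own; the merged configuration is checked
        # by the validate of the next task.
        validate: /usr/sbin/sshd -T -f %s
      notify: Reload sshd

    - name: Disable external sftp-Subsystem
      # sshd rejects a second "Subsystem sftp" definition; the drop-in above
      # provides internal-sftp, so the stock line has to be commented out.
      # Idempotent: a line already starting with '#' no longer matches.
      ansible.builtin.replace:
        path: /etc/ssh/sshd_config
        regexp: '(^Subsystem.*sftp.*)'
        replace: '#\1'
        validate: /usr/sbin/sshd -T -f %s
        backup: true
      notify: Reload sshd

    - name: Create .ssh dir
      ansible.builtin.file:
        path: /root/.ssh
        owner: root
        group: root
        state: directory
        # Owner-only, the mode sshd documents for ~/.ssh; the previous 0550
        # left the owner without the write bit and gave the group read access.
        mode: '0700'

    - name: Generate an OpenSSH keypair ed25519
      # Not regenerated if the key already exists (module default).
      community.crypto.openssh_keypair:
        path: /root/.ssh/id_ed25519
        type: ed25519

    - name: shell profile
      # NOTE(review): use_color is never assigned in this file; when it is unset
      # the test expands to an empty command and succeeds, so the coloured
      # prompt branch is always taken. [[ ]] and PS1+= are bash-only although
      # /etc/profile.d/*.sh is read by whatever shell sources /etc/profile.
      ansible.builtin.blockinfile:
        path: /etc/profile.d/settings-from-ansible.sh
        create: true
        mode: "0444"
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          if ${use_color} ; then
            if [[ ${EUID} == 0 ]] ; then
              PS1='\[\033[01;31m\]\h\[\033[01;34m\] \w \$\[\033[00m\] '
            else
              PS1='\[\033[01;32m\]\u@\h\[\033[01;34m\] \w \$\[\033[00m\] '
            fi
            export EDITOR="/usr/bin/vim"
            # empty HISTSIZE/HISTFILESIZE = unlimited shell history
            export HISTSIZE=
            export HISTFILESIZE=
            export HISTTIMEFORMAT="[%F %T] "
            if [ -f /etc/debian_version ]
            then
              export DEBIAN_FRONTEND='noninteractive'
              export LANG="en_US.UTF-8"
              alias ls='ls --color=auto'
              alias grep='grep --colour=auto'
              alias egrep='egrep --colour=auto'
              alias fgrep='fgrep --colour=auto'
            fi
          else
            # show root@ when we don't have colors
            PS1+='\u@\h \w \$'
          fi
          # execute for linuxmint
          if [ -d /etc/linuxmint ]
          then
            grep -q /etc/profile.d/settings-from-ansible.sh ~/.bashrc || echo '. /etc/profile.d/settings-from-ansible.sh' >> ~/.bashrc
            export LANG="de_DE.UTF-8"
            #for rc in ~/.bashrc /etc/skel/.bashrc
            #do
            #  grep -q /etc/profile.d/settings-from-ansible.sh $rc || echo '. /etc/profile.d/settings-from-ansible.sh' >> $rc
            #done
          fi
        backup: true
        # Syntax check only; it does not catch the use_color issue above.
        validate: /bin/bash -n %s

    - name: vim settings
      ansible.builtin.blockinfile:
        path: /etc/vim/vimrc.local
        mode: "0444"
        owner: root
        group: root
        create: true
        marker: "\" {mark} ANSIBLE MANAGED BLOCK"  # vimscript comments start with "
        block: |
          :syntax on
          let g:skip_defaults_vim = 1
          set encoding=utf-8
          set tabstop=2 softtabstop=0 expandtab shiftwidth=2 smarttab
          " highlight every character outside the printable ASCII classes;
          " the former trailing / made the match require a literal slash
          syntax match nonascii "[^[:alnum:][:punct:][:space:]]"
          highlight nonascii guibg=Red ctermbg=2
        backup: true

    - name: gaboshlib from git
      # NOTE(review): unpinned clone — the default branch head lands in
      # /etc/bash on every run and force: true discards local changes there;
      # pin with `version:` to a tag or commit so the shell library cannot
      # change under the hosts unnoticed.
      ansible.builtin.git:
        repo: 'https://gitea.ds9.dedyn.io/olli/gaboshlib.git'
        dest: /etc/bash
        force: true

  handlers:
    - name: localectl
      # No shell features needed, so command avoids the extra shell layer.
      ansible.builtin.command: localectl set-locale LANG=de_DE.UTF-8

    - name: Reload sshd
      # Handlers run after all tasks, i.e. after both the drop-in and the
      # commented-out stock Subsystem line are in place, so sshd never sees
      # two definitions. Without this the new config only applied on the
      # next container restart. Debian names the unit "ssh".
      ansible.builtin.service:
        name: ssh
        state: reloaded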