220 lines
6.3 KiB
YAML
220 lines
6.3 KiB
YAML
---
|
|
- name: Basic Debian Linux Setup for Containers
|
|
hosts: all
|
|
tasks:
|
|
#- name: Print all available facts
|
|
# ansible.builtin.debug:
|
|
# var: ansible_facts
|
|
|
|
- name: Install Basic Packages
|
|
apt:
|
|
name:
|
|
- bc
|
|
- psutils
|
|
- psmisc
|
|
- procps
|
|
- htop
|
|
- iotop
|
|
- sysstat
|
|
- strace
|
|
- net-tools
|
|
- vim
|
|
- git
|
|
- man-db
|
|
- netcat
|
|
- debconf-utils
|
|
- iputils-ping
|
|
- lsof
|
|
- inotify-tools
|
|
- rsync
|
|
- dos2unix
|
|
- locales
|
|
- iproute2
|
|
- cryptsetup
|
|
- curl
|
|
- moreutils
|
|
- ffmpeg
|
|
- mediainfo
|
|
- telnet
|
|
- libstring-approx-perl
|
|
- postfix
|
|
- zip
|
|
- nmap
|
|
- whois
|
|
- libfile-readbackwards-perl
|
|
- libcrypt-cbc-perl
|
|
- libcrypt-des-perl
|
|
- pwgen
|
|
- certbot
|
|
- jq
|
|
- cifs-utils
|
|
- apt-transport-https
|
|
- golang
|
|
- make
|
|
- sshfs
|
|
- imagemagick
|
|
- libimage-exiftool-perl
|
|
- sqlite3
|
|
- html-xml-utils
|
|
- ldmtool
|
|
- openssh-server
|
|
update_cache: yes
|
|
install_recommends: no
|
|
|
|
- name: Set a hostname
|
|
ansible.builtin.hostname:
|
|
name: "{{inventory_hostname}}"
|
|
|
|
- name: Remove root-Password
|
|
user:
|
|
name: root
|
|
password: '*'
|
|
|
|
- name: Prefer ipv4 over ipv6 to avoid problems and waiting times
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/gai.conf
|
|
regexp: '^#precedence ::ffff:0:0/96 100'
|
|
line: "precedence ::ffff:0:0/96 100 # CHANGED BY ANSIBLE"
|
|
backup: yes
|
|
|
|
- name: Ensure en_US.UTF-8 locale exists
|
|
community.general.locale_gen:
|
|
name: en_US.UTF-8
|
|
state: present
|
|
- name: Ensure en_GB.UTF-8 locale exists
|
|
community.general.locale_gen:
|
|
name: en_GB.UTF-8
|
|
state: present
|
|
- name: Ensure de_DE.UTF-8 locale exists
|
|
community.general.locale_gen:
|
|
name: de_DE.UTF-8
|
|
state: present
|
|
notify: localectl
|
|
|
|
- name: SSHD hardening
|
|
blockinfile:
|
|
path: /etc/ssh/sshd_config.d/hardening.conf
|
|
mode: "0444"
|
|
owner: root
|
|
group: root
|
|
create: yes
|
|
insertbefore: BOF # Beginning of the file
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK"
|
|
block: |
|
|
Port 22
|
|
Port 33
|
|
PermitRootLogin prohibit-password
|
|
PermitUserRC no
|
|
PermitUserEnvironment no
|
|
PubkeyAuthentication yes
|
|
X11Forwarding no
|
|
AllowAgentForwarding no
|
|
AllowTcpForwarding yes
|
|
Subsystem sftp internal-sftp -f AUTH -l INFO -u 0007
|
|
## Ciphers Check https://sshcheck.com/server/{{inventory_hostname}}/
|
|
# nmap -p22 -n -sV --script ssh2-enum-algos localhost
|
|
KexAlgorithms curve25519-sha256@libssh.org
|
|
HostKeyAlgorithms ssh-ed25519
|
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
|
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
|
|
IgnoreRhosts yes
|
|
LogLevel VERBOSE
|
|
AddressFamily any
|
|
backup: yes
|
|
validate: /usr/sbin/sshd -T -f %s
|
|
|
|
- name: Disable external sftp-Subsystem
|
|
replace:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '(^Subsystem.*sftp.*)'
|
|
replace: '#\1'
|
|
validate: /usr/sbin/sshd -T -f %s
|
|
backup: yes
|
|
|
|
- name: Create .ssh dir
|
|
ansible.builtin.file:
|
|
path: /root/.ssh
|
|
owner: root
|
|
group: root
|
|
state: directory
|
|
mode: '0550'
|
|
|
|
- name: Generate an OpenSSH keypair ed25519
|
|
community.crypto.openssh_keypair:
|
|
path: /root/.ssh/id_ed25519
|
|
type: ed25519
|
|
|
|
- name: shell profile
|
|
blockinfile:
|
|
path: /etc/profile.d/settings-from-ansible.sh
|
|
create: yes
|
|
mode: "0444"
|
|
owner: root
|
|
group: root
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK"
|
|
block: |
|
|
if ${use_color} ; then
|
|
if [[ ${EUID} == 0 ]] ; then
|
|
PS1='\[\033[01;31m\]\h\[\033[01;34m\] \w \$\[\033[00m\] '
|
|
else
|
|
PS1='\[\033[01;32m\]\u@\h\[\033[01;34m\] \w \$\[\033[00m\] '
|
|
fi
|
|
export EDITOR="/usr/bin/vim"
|
|
export HISTSIZE=
|
|
export HISTFILESIZE=
|
|
export HISTTIMEFORMAT="[%F %T] "
|
|
if [ -f /etc/debian_version ]
|
|
then
|
|
export DEBIAN_FRONTEND='noninteractive'
|
|
export LANG="en_US.UTF-8"
|
|
alias ls='ls --color=auto'
|
|
alias grep='grep --colour=auto'
|
|
alias egrep='egrep --colour=auto'
|
|
alias fgrep='fgrep --colour=auto'
|
|
fi
|
|
else
|
|
# show root@ when we don't have colors
|
|
PS1+='\u@\h \w \$'
|
|
fi
|
|
# execute for linuxmint
|
|
if [ -d /etc/linuxmint ]
|
|
then
|
|
grep -q /etc/profile.d/settings-from-ansible.sh ~/.bashrc || echo '. /etc/profile.d/settings-from-ansible.sh' >> ~/.bashrc
|
|
export LANG="de_DE.UTF-8"
|
|
#for rc in ~/.bashrc /etc/skel/.bashrc
|
|
#do
|
|
# grep -q /etc/profile.d/settings-from-ansible.sh $rc || echo '. /etc/profile.d/settings-from-ansible.sh' >> $rc
|
|
#done
|
|
fi
|
|
backup: yes
|
|
validate: /bin/bash -n %s
|
|
|
|
- name: vim settings
|
|
blockinfile:
|
|
path: /etc/vim/vimrc.local
|
|
mode: "0444"
|
|
owner: root
|
|
group: root
|
|
create: yes
|
|
marker: "\" {mark} ANSIBLE MANAGED BLOCK"
|
|
block: |
|
|
:syntax on
|
|
let g:skip_defaults_vim = 1
|
|
set encoding=utf-8
|
|
set tabstop=2 softtabstop=0 expandtab shiftwidth=2 smarttab
|
|
syntax match nonascii "[^[:alnum:][:punct:][:space:]]/"
|
|
highlight nonascii guibg=Red ctermbg=2
|
|
backup: yes
|
|
|
|
- name: gaboshlib from git
|
|
ansible.builtin.git:
|
|
repo: 'https://gitea.ds9.dedyn.io/olli/gaboshlib.git'
|
|
dest: /etc/bash
|
|
force: yes
|
|
|
|
handlers:
|
|
|
|
- name: localectl
|
|
ansible.builtin.shell: localectl set-locale LANG=de_DE.UTF-8
|
|
|