ben
/
infra
1
1
Fork 2
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity
infra/roles/common-misc/tasks/common.yml

643 lines
13 KiB
YAML
Raw Permalink Blame History

---
- name: gather facts if needed
setup:
tags:
- always
when: ansible_facts == {}
- name: set hostname
hostname:
name: "{{ inventory_hostname }}"
use: systemd
tags:
- hostname
- name: set /etc/hosts
template:
src: hosts.j2
dest: /etc/hosts
owner: root
group: root
mode: "0644"
tags:
- etc-hosts
# - name: set image hostname
# hostname:
# name: "sensor-image"
# use: systemd
# tags:
# - never
# - image
- name: check if we have ssh host keys for this host
stat:
path: "private/ssh_host_keys/{{ inventory_hostname }}"
delegate_to: localhost
register: ssh_host_keys
tags:
- ssh
- hostkeys
- install-hostkeys
- name: install host keys if known
copy:
dest: "/etc/ssh/{{ item }}"
src: "private/ssh_host_keys/{{ inventory_hostname }}/etc/ssh/{{ item }}"
with_items:
# - ssh_host_dsa_key
# - ssh_host_dsa_key.pub
- ssh_host_ecdsa_key
- ssh_host_ecdsa_key.pub
- ssh_host_ed25519_key
- ssh_host_ed25519_key.pub
- ssh_host_rsa_key
- ssh_host_rsa_key.pub
when:
- ssh_host_keys.stat.exists
tags:
- ssh
- hostkeys
- install-hostkeys
- meta: flush_handlers
- name: copy sensor-image keys when relevant
copy:
src: "{{ item }}"
dest: /etc/ssh/
with_fileglob: "private/ssh_host_keys/sensor-image/ssh_host_*"
notify: reload sshd
tags:
- never
- image
- hostkeys
- name: make dir for host keys
file:
state: directory
path: "private/ssh_host_keys/{{ inventory_hostname }}"
owner: "{{ myusername }}"
group: "{{ myusername }}"
delegate_to: localhost
tags:
- ssh
- hostkeys
- name: save hosts keys
fetch:
src: "/etc/ssh/{{ item }}"
dest: private/ssh_host_keys/
with_items:
# - ssh_host_dsa_key
# - ssh_host_dsa_key.pub
- ssh_host_ecdsa_key
- ssh_host_ecdsa_key.pub
- ssh_host_ed25519_key
- ssh_host_ed25519_key.pub
- ssh_host_rsa_key
- ssh_host_rsa_key.pub
when:
- ssh_host_keys|default(true)
tags:
- ssh
- hostkeys
- save-hostkeys
- name: chown ssh_host_keys
file:
path: private/ssh_host_keys
owner: "{{ myusername }}"
group: "{{ myusername }}"
mode: 0700
recurse: yes
delegate_to: localhost
become: true
tags:
- ssh
- hostkeys
- name: Set timezone to UTC
timezone:
name: Etc/UTC
tags:
- timezone
- name: install vim
apt:
name:
- vim
update_cache: true
state: latest
tags:
- packages
- vim
- name: install python3
apt:
name:
- python3
- python3-pip
- python3-apt
- python3-setuptools
- python3-venv
- python3-dev
- python3-setuptools
- python3-requests
update_cache: true
state: latest
tags:
- packages
- python3
- python3-packages
- common-python3-packages
#when: ansible_distribution == "Ubuntu"
# - name: correct python3 version selected on ubuntu
# alternatives:
# name: python3
# path: /usr/bin/python{{ python3_version }}
# link: /usr/bin/python3
# tags:
# - packages
# - alternatives
# when: ansible_distribution == "Ubuntu"
# - name: remove packages that should only be on mainframe
# apt:
# state: absent
# purge: yes
# name:
# - autoconf # emacs-build
# - gnupg2
# - gnutls-bin # emacs-build
# - irssi
# - kpcli
# - libgnutls28-dev # emacs-build
# - libncurses-dev # emacs-build
# - pkg-config # emacs-build
# - texinfo # emacs-build
# - libffi-dev
# - libssl-dev
# - cmake # emacs vterm
# - libtool # emacs vterm
# - libtool-bin
# when: 'inventory_hostname != "mainframe.sudo.is"'
# tags:
# - remove-packages
# - packages
- name: install packages
apt:
state: latest
update_cache: true
name:
#- ntp
#- python-netaddr
- autoconf
- cmake
- libtool
- acl
- apt-transport-https
- aptitude
- at
- build-essential
- ca-certificates
- cron
# chrony is an alternative to ntpd/systemd-timesync
#- chrony
- cryptsetup
- cryptsetup-initramfs
- curl
- dnsutils
- ethtool
- file
- git
- gnupg
- haveged
- htop
- iotop
- ipcalc
- jq
- lm-sensors
- locales
- lsb-base
- lsb-release
- lshw
- lsof
- lvm2
- molly-guard
- mtr
- mtr
- nano
- ncdu
- mergerfs
- openssl
- procmail
- pciutils
- rsync
- smartmontools
- sshfs
- sudo
- tree
- tmux
- unzip
- whois
- zip
- zsh
# Netwok monitoring
- bmon
- cbm
- ifstat
- iputils-ping
- "{{ pkg_netcat_name |default('netcat') }}"
- nethogs
- nload
- nmap
- tcpdump
- vnstat
environment:
PATH: "{{ ansible_env.PATH }}:/sbin:/usr/sbin"
tags:
- packages
- common-packages
- name: install packages (Ubuntu)
package:
name:
- iptraf
state: present
tags:
- packages
- common-packages
when: ansible_distribution|lower == "ubuntu"
- name: install host specific packages
apt:
name: "{{ host_extra_packages | default([]) | list }}"
state: latest
environment:
PATH: "{{ ansible_env.PATH }}:/sbin:/usr/sbin"
tags:
- host-extra-packages
- packages
- common-packages
- common-host-packages
- name: install common pip packages to the common-scripts venv
pip:
name:
- influxdb
- loguru
- requests
- psutil
- python-dateutil
#- humanize # added because of telegraf/vnstat.py
state: present
virtualenv: /var/lib/virtualenvs/common-scripts
virtualenv_site_packages: false
virtualenv_command: python3 -m venv
when:
- not ansible_check_mode
tags:
- pip
- common-pip
- common-pip-packages
- packages
- pip-latest
- venvs
- virtulenv
- name: install poetry to the common-scripts venv
pip:
name:
- poetry
state: present
virtualenv: /var/lib/virtualenvs/common-scripts
virtualenv_site_packages: false
virtualenv_command: python3 -m venv
when:
- not ansible_check_mode
- common_scripts_poetry|default(true)
tags:
- pip
- common-pip
- common-pip-packages
- packages
- pip-latest
- venvs
- virtulenv
# - name: set python minor version
# set_fact:
# python_minor: "{{ ansible_python_version.split('.')[1] }}"
# tags:
# - python
# - pip
# - packages
# - fakelibs
# - sudoisinflux
# - name: template common simple shorthand fake libraries
# template:
# src: "{{ item }}.j2"
# dest: "/usr/local/lib/python3.{{ python_minor }}/dist-packages/{{ item }}"
# owner: root
# group: root
# mode: 0775
# when: install_common_pip_packages|default(true)
# with_items:
# - sudoisinflux.py
# tags:
# - python
# - pip
# - packages
# - fakelibs
# - sudoisinflux
- name: remove packages
apt:
name:
- update-motd
- landscape-client
- landscape-common
autoremove: true
state: absent
purge: true
tags: packages
- name: disable cloud-init (when set, defaults to false)
copy:
content: ""
dest: "/etc/cloud/cloud-init.disabled"
force: false
owner: root
group: root
mode: 0644
when: disable_cloudinit|default(false)
- name: make sure openssh-server is installed
apt:
name: openssh-server
state: present
tags:
- packages
#- name: ensure ntp package is not installed
# apt:
# name: ntp
# state: absent
# purge: true
# when: false
# tags:
# - ntp
# - name: set ntp servers
# lineinfile:
# path: /etc/systemd/timesyncd.conf
# line: "NTP=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org"
# create: no
# notify:
# - systemctl daemon reload
# - restart systemd-timesyncd
# tags: ntp
# - name: enable systemd-timesyncd
# service:
# name: systemd-timesyncd
# enabled: yes
# state: started
# tags: ntp
# - name: enable ntp
# command: timedatectl set-ntp true
# changed_when: false
# tags: ntp
#- name: check if hosts file needs fixing
# command: grep {{ inventory_hostname }} /etc/hosts
# register: grephosts
# failed_when: grephosts.rc >= 2
# changed_when: grephosts.rc != 0
# tags:
# - image
# - etchosts
#- name: fix hosts file
# lineinfile:
# path: /etc/hosts
# line: "127.0.0.1 {{ inventory_hostname }}"
# create: no
# when: not grephosts.skipped|default(false) and grephosts.rc != 0
# tags:
# - etchosts
# - image
- name: enable en_US.UTF-8 (is usually enabled)
lineinfile:
path: /etc/locale.gen
line: 'en_US.UTF-8 UTF-8'
state: present
tags:
- common-scripts
- locale
notify: locale-gen
- name: disable password authentication
replace:
path: /etc/ssh/sshd_config
regexp: '^#?PasswordAuthentication(?: yes| no)$'
replace: 'PasswordAuthentication no'
tags:
- ssh
notify:
- reload sshd
- name: disable challengeresponse authentication
replace:
path: /etc/ssh/sshd_config
regexp: '^#?ChallengeResponseAuthentication(?: yes| no)$'
replace: 'ChallengeResponseAuthentication no'
tags:
- ssh
notify:
- reload sshd
- meta: flush_handlers
# /etc/motd is updated in the 'users' role
- name: chmod /etc/update-motd.d
file:
dest: /etc/update-motd.d
owner: root
group: root
mode: 0755
state: directory
tags:
- motd
- name: look for update-motd.d files
find:
paths: /etc/update-motd.d
file_type: file
register: motd_d
tags:
- motd
- name: chmod -x on files in update-mot.d
file:
path: "{{ item.path }}"
state: file
owner: root
group: root
mode: 0644
loop_control:
label: "{{ item.path }}"
with_items: "{{ motd_d.files }}"
tags:
- motd
- name: check if /etc/default/motd-news exists
stat:
path: /etc/default/motd-news
register: motd_news
tags:
- motd
- name: disable motd-news if /etc/default file exists
lineinfile:
path: /etc/default/motd-news
line: "ENABLED=0"
create: false
when: motd_news.stat.exists
tags:
- motd
- name: install/remove unattended-upgrades
apt:
name: unattended-upgrades
state: "{% if unatt_enabled|bool %}present{% else %}absent{%endif%}"
update_cache: true
tags:
- unatt
- packages
- name: template common scripts
template:
src: "{{ item }}.j2"
dest: "/usr/local/bin/{{ item }}"
owner: root
group: root
mode: 0775
with_items:
- reboot_required.py
- update_omzsh.sh
- matrixmsg.py
- authelia-auth.py
tags:
- common-scripts
- update_omzsh
- name: template common cron jobs
template:
src: "{{ item }}-cron.j2"
dest: "/etc/cron.d/{{ item }}"
owner: root
group: root
mode: 0600
tags:
- cron
- cron-common
with_items:
- backup_age_marker
- reboot_required
- update_omzsh
- name: install zmq
apt:
name:
- python3-zmq
- python3-yaml
state: latest
tags:
- packages
when: install_zmq
# TODO: Decide on which way...
- name: enable unattended-upgrades (following codenames)
template:
src: "{{ item }}.j2"
dest: "/etc/apt/apt.conf.d/{{ item }}"
with_items:
- 50unattended-upgrades
- 20auto-upgrades
when: unatt_enabled|bool
tags:
- unatt
- name: clean up unattended-upgrades config if not used
file:
path: "/etc/apt/apt.conf.d/{{ item }}"
state: absent
with_items:
- 50unattended-upgrades
- 20auto-upgrades
when: not unatt_enabled|bool
tags:
- unatt2
- name: add apt key for apt.sudo.is
get_url:
url: https://{{ apt_url }}/KEY.gpg
# /usr/share/keyrings: needs [signed-by]
# /etc/apt/trusted.gpg.d/: trusted without [signed-by]
#dest: /usr/share/keyrings/apt.sudo.is.gpg.asc
dest: "{{ item }}/apt.sudo.is.gpg.asc"
with_items:
- /etc/apt/trusted.gpg.d
- /usr/share/keyrings
tags:
- packages
- apt.sudo.is
- sudo-apt-key
- name: add apt.sudo.is repo
apt_repository:
repo: "deb https://{{ apt_url }} /"
state: present
filename: "{{ apt_url }}"
update_cache: true
tags:
- packages
- apt.sudo.is
- name: tempalte priorities for apt
template:
src: apt-sudois.j2
dest: /etc/apt/preferences.d/sudois
mode: 644
owner: root
group: root
tags:
- packages
- apt.sudo.is
- name: ensure /deadspace exists
file:
path: /deadspace
state: directory
owner: root
group: "{{ grouplist.media.gid }}"
mode: "0775"
tags:
- deadspace
- deadspace-dir
View Git Blame Copy Permalink