infra/roles/common/tasks/common.yml


---
# The managed node takes its inventory name as its hostname, via the hostname
# module's systemd strategy.
- name: set hostname
  hostname:
    name: "{{ inventory_hostname }}"
    use: systemd
  tags:
    - hostname

# - name: set image hostname
#   hostname:
#     name: "sensor-image"
#     use: systemd
#   tags:
#     - never
#     - image
# Runs on the controller: looks for a previously saved key directory for this
# host and registers the stat result for the install task that follows.
- name: check if we have ssh host keys for this host
  delegate_to: localhost
  stat:
    path: "private/ssh_host_keys/{{ inventory_hostname }}"
  register: ssh_host_keys
  tags:
    - ssh
    - hostkeys
    - install-hostkeys
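# Private halves go in as 0600 and the .pub halves as 0644. Without an explicit
# mode a newly created file gets the umask-derived default (typically 0644),
# and sshd refuses to load a private host key that is group- or world-readable,
# so the host would silently come up without its saved identity.
- name: install host keys if known
  copy:
    src: "private/ssh_host_keys/{{ inventory_hostname }}/etc/ssh/{{ item }}"
    dest: "/etc/ssh/{{ item }}"
    owner: root
    group: root
    mode: "{{ '0644' if item.endswith('.pub') else '0600' }}"
  loop:
    # - ssh_host_dsa_key
    # - ssh_host_dsa_key.pub
    - ssh_host_ecdsa_key
    - ssh_host_ecdsa_key.pub
    - ssh_host_ed25519_key
    - ssh_host_ed25519_key.pub
    - ssh_host_rsa_key
    - ssh_host_rsa_key.pub
  when:
    - ssh_host_keys.stat.exists
  # the running sshd keeps serving its old keys until it is reloaded
  notify: reload sshd
  tags:
    - ssh
    - hostkeys
    - install-hostkeys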
# Masking the targets makes every sleep path a no-op when the host opts out.
- name: mask sleep targets in systemd
  systemd:
    name: "{{ item }}"
    masked: true
  loop:
    - sleep.target
    - suspend.target
    - hibernate.target
    - hybrid-sleep.target
  when: disable_sleep
  tags:
    - sleep
# Matches the directive whether it is still commented out or already set to
# suspend, and rewrites it to ignore.
# NOTE(review): the notified handler does a daemon-reload; logind itself only
# picks up logind.conf on a restart of systemd-logind — confirm the lid
# setting takes effect without a reboot.
- name: disable logind handling lid switch if sleep is disabled
  replace:
    path: /etc/systemd/logind.conf
    regexp: '^#?HandleLidSwitch=suspend$'
    replace: 'HandleLidSwitch=ignore'
  when: disable_sleep
  notify:
    - systemctl daemon reload
  tags:
    - sleep
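# The regexp now also matches an uncommented `AllowSuspend=yes`; previously
# only the commented-out default was rewritten, so a host where someone had
# explicitly enabled suspend was silently left alone.
- name: disable sleep systemd config
  replace:
    path: /etc/systemd/sleep.conf
    regexp: '^#?AllowSuspend=yes$'
    replace: 'AllowSuspend=no'
  when: disable_sleep
  notify:
    - systemctl daemon reload
  tags:
    - sleep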
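# Only runs when the `image` tag is requested (`never` keeps it out of normal
# runs). `item` is the full local path from the glob, so the suffix test below
# picks 0644 for public halves and 0600 for private ones; sshd refuses to load
# a private host key that is group- or world-readable, which is what the
# umask-derived default mode would produce.
- name: copy sensor-image keys when relevant
  copy:
    src: "{{ item }}"
    dest: /etc/ssh/
    owner: root
    group: root
    mode: "{{ '0644' if item.endswith('.pub') else '0600' }}"
  with_fileglob: "private/ssh_host_keys/sensor-image/ssh_host_*"
  notify: reload sshd
  tags:
    - never
    - image
    - hostkeys

# make sshd pick up any key changes before the keys are fetched back below
- meta: flush_handlers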
# Controller-side directory that the fetch task below populates; the recursive
# chown task further down tightens its permissions afterwards.
- name: make dir for host keys
  delegate_to: localhost
  file:
    path: "private/ssh_host_keys/{{ inventory_hostname }}"
    state: directory
    owner: "{{ myusername }}"
    group: "{{ myusername }}"
  tags:
    - ssh
    - hostkeys
# Pulls the host's key pairs back to the controller. With fetch's default
# (flat=false) they land under private/ssh_host_keys/<hostname>/etc/ssh/,
# which is the layout the install task above reads from.
# NOTE(review): `ssh_host_keys` is the stat result registered above (a
# non-empty dict), so `ssh_host_keys|default(true)` is always true and this
# task never skips; if an opt-out variable was intended it needs another name.
- name: save hosts keys
  fetch:
    src: "/etc/ssh/{{ item }}"
    dest: private/ssh_host_keys/
  loop:
    # - ssh_host_dsa_key
    # - ssh_host_dsa_key.pub
    - ssh_host_ecdsa_key
    - ssh_host_ecdsa_key.pub
    - ssh_host_ed25519_key
    - ssh_host_ed25519_key.pub
    - ssh_host_rsa_key
    - ssh_host_rsa_key.pub
  when:
    - ssh_host_keys|default(true)
  tags:
    - ssh
    - hostkeys
    - save-hostkeys
# Every managed host's private keys end up in this tree on the controller, so
# it is made owner-only; with recurse the 0700 mode is applied to the files too.
- name: chown ssh_host_keys
  delegate_to: localhost
  become: true
  file:
    path: private/ssh_host_keys
    owner: "{{ myusername }}"
    group: "{{ myusername }}"
    mode: "0700"
    recurse: true
  tags:
    - ssh
    - hostkeys
# Hosts run on UTC.
- name: Set timezone to UTC
  timezone:
    name: Etc/UTC
  tags:
    - timezone
# Python 3 toolchain used by the scripts and pip tasks further down.
- name: install python3
  apt:
    update_cache: true
    state: latest
    name:
      - python3
      - python3-pip
      - python3-apt
      - python3-setuptools
      - python3-venv
      - python3-dev
      # NOTE(review): `python-setuptools` is the Python 2 package name; on a
      # release that no longer ships it apt fails this whole task — confirm it
      # is still wanted.
      - python-setuptools
  tags:
    - packages
    - python3
    - python3-packages
  # when: ansible_distribution == "Ubuntu"
# - name: install python3
# apt:
# name:
# - python3.9
# - python3.9-pip
# - python3.9-apt
# - python3.9-setuptools
# - python3.9-venv
# - python3.9-dev
# - python-setuptools
# update_cache: true
# state: latest
# tags:
# - packages
# - python3
# when: ansible_distribution != "Ubuntu"
# - name: correct python3 version selected on ubuntu
# alternatives:
# name: python3
# path: /usr/bin/python{{ python3_version }}
# link: /usr/bin/python3
# tags:
# - packages
# - alternatives
# when: ansible_distribution == "Ubuntu"
# - name: remove packages that should only be on mainframe
# apt:
# state: absent
# purge: yes
# name:
# - autoconf # emacs-build
# - gnupg2
# - gnutls-bin # emacs-build
# - irssi
# - kpcli
# - libgnutls28-dev # emacs-build
# - libncurses-dev # emacs-build
# - pkg-config # emacs-build
# - texinfo # emacs-build
# - libffi-dev
# - libssl-dev
# - cmake # emacs vterm
# - libtool # emacs vterm
# - libtool-bin
# when: 'inventory_hostname != "mainframe.sudo.is"'
# tags:
# - remove-packages
# - packages
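# Baseline package set for every host; `mtr` was listed twice and is now
# listed once. PATH is extended so apt's maintainer scripts can find sbin
# tools when the connecting user has a restricted PATH.
- name: install packages
  apt:
    state: latest
    name:
      # - ntp
      # - python-netaddr
      - autoconf
      - cmake
      - libtool
      - acl
      - apt-transport-https
      - aptitude
      - at
      - build-essential
      - ca-certificates
      - cbm
      - cron
      - chrony
      - cryptsetup
      - cryptsetup-initramfs
      - curl
      - dnsutils
      - file
      - git
      - haveged
      - htop
      - iotop
      - ipcalc
      - iptraf
      - jq
      - lm-sensors
      - locales
      - lsb-base
      - lsb-release
      - lshw
      - lsof
      - lvm2
      - molly-guard
      - mtr
      - nano
      - ncdu
      - netcat
      - nethogs
      - nmap
      - mergerfs
      - openssl
      - iputils-ping
      - procmail
      - pciutils
      - rsync
      - smartmontools
      - sshfs
      - sudo
      - tcpdump
      - tree
      - tmux
      - unzip
      - vnstat
      - whois
      - zip
      - zsh
      # - python-dateutil
  environment:
    PATH: "{{ ansible_env.PATH }}:/sbin:/usr/sbin"
  tags:
    - packages
    - common-packages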
# System-wide pip installs used by the common scripts.
# NOTE(review): `state: latest` with root's pip3 pulls whatever each project
# most recently published on every run; pinning versions (or a requirements
# file with hashes) would make this reproducible and reviewable.
- name: install common pip packages
  pip:
    executable: pip3
    state: latest
    name:
      - poetry
      - influxdb
      - loguru
      - requests
      - psutil
      - humanize  # added because of telegraf/vnstat.py
  tags:
    - pip
    - common-pip
    - common-pip-packages
    - packages
# Tooling that only the control host needs is removed everywhere else.
- name: remove pip packages that are only needed on mainframe
  pip:
    executable: pip3
    state: absent
    name:
      - ansible
      - certbot
      - netaddr
  when: 'inventory_hostname != "mainframe.sudo.is"'
  tags:
    - remove-packages
    - pip
    - packages
# Minor version of the interpreter Ansible is running with on the target
# (e.g. "11" for 3.11); it selects the dist-packages directory below.
- name: set python minor version
  set_fact:
    python_minor: "{{ ansible_python_version.split('.')[1] }}"
  tags:
    - python
    - pip
    - packages
    - fakelibs
    - sudoisinflux
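# A plain Python module in dist-packages needs neither execute nor group-write,
# so it is installed 0644 rather than 0775.
- name: template common simple shorthand fake libraries
  template:
    src: "{{ item }}.j2"
    dest: "/usr/local/lib/python3.{{ python_minor }}/dist-packages/{{ item }}"
    owner: root
    group: root
    mode: "0644"
  loop:
    - sudoisinflux.py
  tags:
    - python
    - pip
    - packages
    - fakelibs
    - sudoisinflux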
# Ubuntu MOTD/landscape extras are purged; autoremove is left off so nothing
# else is pulled out as a side effect.
- name: remove packages
  apt:
    state: absent
    purge: true
    autoremove: false
    name:
      - update-motd
      - landscape-client
      - landscape-common
  tags:
    - packages
# Only ensures presence; the sshd_config tasks below depend on it.
- name: make sure openssh-server is installed
  apt:
    state: present
    name: openssh-server
  tags:
    - packages
# chrony is installed in the common package set; the ntp daemon would fight it.
- name: remove ntp package (systemd...)
  apt:
    state: absent
    purge: true
    name: ntp
  tags:
    - ntp
# - name: set ntp servers
# lineinfile:
# path: /etc/systemd/timesyncd.conf
# line: "NTP=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org"
# create: no
# notify:
# - systemctl daemon reload
# - restart systemd-timesyncd
# tags: ntp
# - name: enable systemd-timesyncd
# service:
# name: systemd-timesyncd
# enabled: yes
# state: started
# tags: ntp
# - name: enable ntp
# command: timedatectl set-ntp true
# changed_when: false
# tags: ntp
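# Fixed-string, whole-word match. The previous unanchored regexp also matched
# longer names (host1 vs host10) and treated dots in the hostname as wildcards,
# so a host could be reported as present when only a similar name was.
- name: check if hosts file needs fixing
  command:
    argv:
      - grep
      - "-wF"
      - "--"
      - "{{ inventory_hostname }}"
      - /etc/hosts
  register: grephosts
  # rc 1 = no match (the file needs fixing), rc 2 = grep itself failed
  failed_when: grephosts.rc >= 2
  changed_when: grephosts.rc != 0
  tags:
    - image
    - etchosts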
# Appends a loopback entry for the host when the grep above found none.
- name: fix hosts file
  lineinfile:
    path: /etc/hosts
    line: "127.0.0.1 {{ inventory_hostname }}"
    create: false
  # grephosts has no rc when the check task was skipped (tag filtering)
  when: not grephosts.skipped|default(false) and grephosts.rc != 0
  tags:
    - etchosts
    - image
# Ensures the locale line exists; locale-gen runs via handler only on change.
- name: enable en_US.UTF-8 (is usually enabled)
  lineinfile:
    path: /etc/locale.gen
    line: 'en_US.UTF-8 UTF-8'
    state: present
  notify: locale-gen
  tags:
    - common-scripts
    - locale
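# Both directives are rewritten in /etc/ssh/sshd_config. `validate` runs
# `sshd -t` against the edited copy before it is moved into place, so a bad
# edit cannot leave sshd with a config it refuses to load (and lock us out).
# NOTE(review): where sshd_config begins with
# `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in there is read first and
# wins over these lines — check the effective values with `sshd -T`.
- name: disable password authentication
  replace:
    path: /etc/ssh/sshd_config
    regexp: '^#?PasswordAuthentication(?: yes| no)$'
    replace: 'PasswordAuthentication no'
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - reload sshd
  tags:
    - ssh

# NOTE(review): newer OpenSSH calls this KbdInteractiveAuthentication; if the
# stock file carries only the new name this regexp matches nothing, so verify
# with `sshd -T | grep -i kbdinteractive`.
- name: disable challengeresponse authentication
  replace:
    path: /etc/ssh/sshd_config
    regexp: '^#?ChallengeResponseAuthentication(?: yes| no)$'
    replace: 'ChallengeResponseAuthentication no'
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - reload sshd
  tags:
    - ssh

# apply the sshd reload now rather than at the end of the play
- meta: flush_handlers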
# /etc/motd is updated in the 'users' role
# Directory itself stays root-owned 0755; the files inside are handled next.
- name: chmod /etc/update-motd.d
  file:
    path: /etc/update-motd.d
    state: directory
    owner: root
    group: root
    mode: "0755"
  tags:
    - motd
# Collects the regular files in update-motd.d for the chmod task below.
- name: look for update-motd.d files
  find:
    paths: /etc/update-motd.d
    file_type: file
  register: motd_d
  tags:
    - motd
# Dropping the execute bit stops pam_motd from running the dynamic MOTD
# scripts; `state: file` fails rather than creating anything that vanished.
- name: chmod -x on files in update-mot.d
  file:
    path: "{{ item.path }}"
    state: file
    owner: root
    group: root
    mode: "0644"
  loop: "{{ motd_d.files }}"
  loop_control:
    label: "{{ item.path }}"
  tags:
    - motd
# Ubuntu-only file; its presence gates the task below.
- name: check if /etc/default/motd-news exists
  stat:
    path: /etc/default/motd-news
  register: motd_news
  tags:
    - motd
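# With `regexp`, an existing ENABLED= line is replaced in place; without it,
# lineinfile appended a second `ENABLED=0` below a stock `ENABLED=1`.
- name: disable motd-news if /etc/default file exists
  lineinfile:
    path: /etc/default/motd-news
    regexp: '^ENABLED='
    line: "ENABLED=0"
    create: false
  when: motd_news.stat.exists
  tags:
    - motd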
# One task installs or purges the package depending on the unatt_enabled flag.
- name: install/remove unattended-upgrades
  apt:
    name: unattended-upgrades
    state: "{{ 'present' if unatt_enabled|bool else 'absent' }}"
    update_cache: true
  tags:
    - unatt
    - packages
# Helper scripts rendered into /usr/local/bin, root-owned and executable.
- name: template common scripts
  template:
    src: "{{ item }}.j2"
    dest: "/usr/local/bin/{{ item }}"
    owner: root
    group: root
    mode: "0775"
  loop:
    - reboot_required.py
    - update_omzsh.sh
    - matrixmsg.py
    - authelia-auth.py
  tags:
    - common-scripts
    - update_omzsh
# Cron fragments for the scripts above; cron.d files stay root-only (0600).
- name: template common cron jobs
  template:
    src: "{{ item }}-cron.j2"
    dest: "/etc/cron.d/{{ item }}"
    owner: root
    group: root
    mode: "0600"
  loop:
    - backup_age_marker
    - reboot_required
    - update_omzsh
  tags:
    - cron
    - cron-common
# Optional messaging bindings, gated on the install_zmq flag.
- name: install zmq
  apt:
    state: latest
    name:
      - python3-zmq
      - python3-yaml
  when: install_zmq
  tags:
    - packages
# TODO: Decide on which way...
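# Ownership and mode are pinned explicitly (root, 0644) instead of being
# inherited from the umask of whoever ran the play.
- name: enable unattended-upgrades (following codenames)
  template:
    src: "{{ item }}.j2"
    dest: "/etc/apt/apt.conf.d/{{ item }}"
    owner: root
    group: root
    mode: "0644"
  loop:
    - 50unattended-upgrades
    - 20auto-upgrades
  when: unatt_enabled|bool
  tags:
    - unatt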
# NOTE(review): this is tagged `unatt2` while the install/template tasks are
# tagged `unatt`, so a run restricted to `--tags unatt` never removes these
# files — confirm that is intended.
- name: clean up unattended-upgrades config if not used
  file:
    path: "/etc/apt/apt.conf.d/{{ item }}"
    state: absent
  loop:
    - 50unattended-upgrades
    - 20auto-upgrades
  when: not unatt_enabled|bool
  tags:
    - unatt2
# NOTE(review): apt_key adds the key to the global trusted keyring, so it can
# sign any configured repository, and apt-key itself is deprecated on current
# Debian/Ubuntu; the replacement is a keyring file referenced with
# `signed-by=` in the repo line below, which limits the key to this repo.
- name: add apt key for apt.sudo.is
  apt_key:
    state: present
    url: https://{{ apt_url }}/KEY.gpg
  tags:
    - packages
    - apt.sudo.is
# Flat repository (no distribution/component), written to its own sources file
# named after apt_url.
- name: add apt.sudo.is repo
  apt_repository:
    state: present
    repo: "deb https://{{ apt_url }} /"
    filename: "{{ apt_url }}"
    update_cache: true
  tags:
    - packages
    - apt.sudo.is
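# Pinning preferences for the repo above. The mode is quoted: an unquoted
# `644` is read as decimal 644 (octal 01204 — sticky bit, owner write-only),
# not as 0644.
- name: template priorities for apt
  template:
    src: apt-sudois.j2
    dest: /etc/apt/preferences.d/sudois
    owner: root
    group: root
    mode: "0644"
  tags:
    - packages
    - apt.sudo.is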
- name: copy scripts
copy:
src: "{{ item }}"
dest: /usr/local/bin/{{ item }}
owner: root
group: sudo
mode: 0750
with_items:
- rub.py
tags:
- scripts
- pokies