author | Guilhem Moulin <guilhem@fripost.org> | 2024-01-04 12:59:39 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2024-01-04 13:42:18 +0100 |
commit | 6691410f945719e62601c3d69d9b2ff9c4cfb4fb (patch) | |
tree | 9ea4170a6d5d50ac14a326f42fa8b13303734241 /tasks | |
parent | 609574f51c5c08af71419bddc1be16ad5668882a (diff) |
Base system.
Diffstat (limited to 'tasks')
-rw-r--r-- | tasks/apt.yml | 46 | ||||
-rw-r--r-- | tasks/base.yml | 141 | ||||
-rw-r--r-- | tasks/firewall.yml | 13 | ||||
-rw-r--r-- | tasks/hosts.yml | 31 | ||||
-rw-r--r-- | tasks/network.yml | 84 | ||||
-rw-r--r-- | tasks/ssh.yml | 20 | ||||
-rw-r--r-- | tasks/sysctl.yml | 22 |
7 files changed, 357 insertions, 0 deletions
diff --git a/tasks/apt.yml b/tasks/apt.yml
new file mode 100644
index 0000000..1023908
--- /dev/null
+++ b/tasks/apt.yml
@@ -0,0 +1,46 @@
+- name: Install various APT tools (1)
+ apt: pkg={{ packages }}
+ vars:
+ packages:
+ - apt
+ - lsb-release
+
+- name: Remove /etc/apt/sources.list
+ file: path=/etc/apt/sources.list state=absent
+ notify:
+ - apt-get update
+
+- name: Remove /etc/apt/sources.list.d/hetzner-*
+ file: path={{ item }} state=absent
+ with_fileglob: /etc/apt/sources.list.d/hetzner-*
+ notify:
+ - apt-get update
+
+- name: Copy /etc/apt/sources.list.d/debian.sources
+ template: src=etc/apt/sources.list.d/debian.sources.j2
+ dest=/etc/apt/sources.list.d/debian.sources
+ owner=root group=root
+ mode=0644
+ notify:
+ - apt-get update
+
+- name: Remove /etc/apt/apt.conf.d/*hetzner
+ file: path={{ item }} state=absent
+ with_fileglob: /etc/apt/apt.conf.d/*hetzner
+
+# We should run 'apt-get update' before proceeding to any other task.
+- meta: flush_handlers
+
+- name: Install various APT tools (2)
+ apt: pkg={{ packages }}
+ vars:
+ packages:
+ - apt-listchanges
+ - needrestart
+ - unattended-upgrades
+
+- name: Configure apt-listchanges
+ copy: src=etc/apt/listchanges.conf
+ dest=/etc/apt/listchanges.conf
+ owner=root group=root
+ mode=0644
diff --git a/tasks/base.yml b/tasks/base.yml
new file mode 100644
index 0000000..7086ce9
--- /dev/null
+++ b/tasks/base.yml
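Review bot: `with_fileglob` in the two Hetzner clean-up tasks (`Remove /etc/apt/sources.list.d/hetzner-*` and `Remove /etc/apt/apt.conf.d/*hetzner`) globs on the Ansible control node, not on the managed host, so on a controller that has no such files the tasks iterate over nothing, the vendor sources and apt.conf snippets survive, and `apt-get update` is never notified for them. Discovering the files remotely with `find` and looping over the registered result keeps the intent; the same pattern applies to the apt.conf.d task. Running the play once in check mode and printing the registered list makes the no-op visible.
```yaml
- name: Find /etc/apt/sources.list.d/hetzner-*
  find:
    paths: /etc/apt/sources.list.d
    patterns: 'hetzner-*'
  register: hetzner_sources

- name: Remove /etc/apt/sources.list.d/hetzner-*
  file: path={{ item.path }} state=absent
  loop: "{{ hetzner_sources.files }}"
  notify:
    - apt-get update

# … unchanged: debian.sources template task …
# … same find/loop pattern for /etc/apt/apt.conf.d/*hetzner …
```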
@@ -0,0 +1,141 @@
+- name: Remove some packages
+ apt: pkg={{ packages }} state=absent purge=yes
+ vars:
+ packages:
+ - aptitude
+ - byobu
+ - at
+ - bc
+ - cryptsetup*
+ - mdadm
+ - netcat-traditional
+ - nano
+ - emacs-*
+ - hc-utils
+ - shorewall
+ - iptables
+ - lvm2
+ - dosfstools
+ - eatmydata
+ - acpid
+ - acl
+ - fdisk
+ - gdisk
+ - genisoimage
+ - gnupg*
+ - gpg-wks-*
+ - mtr-tiny
+ - net-tools
+ - mtr-tiny
+ - net-tools
+ - xfsprogs
+ - traceroute
+ - wget
+ - python3-lib2to3
+ - efibootmgr
+ - busybox
+ - console-setup
+ - debconf-i18n
+ - dmidecode
+ - task-*
+ - tasksel-*
+ - inetutils-telnet
+ - os-prober
+ ##
+ - chkrootkit
+ - debian-faq
+ - debian-handbook
+ - debian-policy
+ - debian-reference
+ - doc-debian
+ - iamerican
+ - ibritish
+ - ienglish-common
+ - installation-report
+ - laptop-detect
+ - lynx
+ - manpages-de
+ - mutt
+ - reportbug
+ - rkhunter
+ - vnstati
+ - wmanx
+ - python3-reportbug
+ - python3-debianbts
+ - locales-all
+ ##
+ - wamerican
+ - wamerican-huge
+ - wamerican-insane
+ - wamerican-large
+ - wamerican-small
+ - wbrazilian
+ - wbritish
+ - wbritish-huge
+ - wbritish-insane
+ - wbritish-large
+ - wbritish-small
+ - wbulgarian
+ - wcanadian
+ - wcanadian-huge
+ - wcanadian-insane
+ - wcanadian-large
+ - wcanadian-small
+ - wcatalan
+ - wdanish
+ - wdutch
+ - wfaroese
+ - wfrench
+ - wgaelic
+ - wgalician-minimos
+ - wgerman-medical
+ - wirish
+ - witalian
+ - wngerman
+ - wnorwegian
+ - wogerman
+ - wpolish
+ - wportuguese
+ - wspanish
+ - wswedish
+ - wswiss
+ - wukrainian
+ - xauth
+
+- name: Install some common packages
+ apt: pkg={{ packages }}
+ vars:
+ packages:
+ - bind9-dnsutils
+ - bzip2
+ - htop
+ - ca-certificates
+ - rsync
+ - python3
+ - less
+ - iproute2
+ - git
+ - curl
+ - screen
+ - sudo
+ - vim-nox
+ - qemu-guest-agent
+ # Useful for `getent passwd dynamic_user`
+ - libnss-systemd
+
+- name: Set /etc/timezone
+ copy: dest=/etc/timezone content="Europe/Stockholm\n"
+ owner=root group=root
+ mode=0644
+
+- name: Remove ~root/.ssh/authorized_keys
+ file: path=/root/.ssh/authorized_keys state=absent
+
+- name: Disable root password
+ user: name=root password="!" update_password=always
+
+- name: Set RESUME=none in initramfs.conf
+ copy: dest=/etc/initramfs-tools/conf.d/resume content="RESUME=none\n"
+ owner=root group=root
+ mode=0644
+ notify: Update initramfs
diff --git a/tasks/firewall.yml b/tasks/firewall.yml
new file mode 100644
index 0000000..fa46ade
--- /dev/null
+++ b/tasks/firewall.yml
@@ -0,0 +1,13 @@
+- name: Install nftables
+ apt: pkg=nftables
+
+- name: Configure nftables
+ copy: src=etc/nftables.conf
+ dest=/etc/nftables
+ owner=root group=root
+ mode=0644
+ notify:
+ - Restart nftables
+
+- name: Start nftables
+ service: name=nftables.service enabled=true state=started
diff --git a/tasks/hosts.yml b/tasks/hosts.yml
new file mode 100644
index 0000000..b8e5931
--- /dev/null
+++ b/tasks/hosts.yml
@@ -0,0 +1,31 @@
+- name: Set hostname
+ # Use double quoted scalars to force expansion of escape sequences
+ # cf. https://groups.google.com/forum/#!topic/ansible-project/ZaB6o-eqDzw
+ copy: "content='{{ inventory_hostname_short }}\n'
+ dest=/etc/hostname
+ owner=root group=root
+ mode=0644"
+ tags: hostname
+ notify:
+ - Refresh hostname
+
+- name: Set mailname
+ copy: "content='{{ inventory_hostname }}\n'
+ dest=/etc/mailname
+ owner=root group=root
+ mode=0644"
+ tags: mailname
+
+- name: Fix /etc/hosts (1)
+ lineinfile: "dest=/etc/hosts create=yes
+ regexp='^127\\.0\\.0\\.1\\s+'
+ line='127.0.0.1\tlocalhost'"
+ tags: hosts
+
+- name: Fix /etc/hosts (2)
+ lineinfile: "dest=/etc/hosts create=yes
+ regexp='^127\\.0\\.1\\.1\\s+'
+ line='127.0.1.1\t{{ inventory_hostname }} {{ inventory_hostname_short }}'"
+ tags: hosts
+
+- meta: flush_handlers
diff --git a/tasks/network.yml b/tasks/network.yml
new file mode 100644
index 0000000..6b282f8
--- /dev/null
+++ b/tasks/network.yml
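Review bot: `Remove ~root/.ssh/authorized_keys` followed by `Disable root password` drops every root login path this file knows about, while the commit creates no non-root administrative account and the `ssh-login` group created in tasks/ssh.yml has no members; unless that account is set up earlier in the play, a failure after these two tasks leaves the operator locked out of the host. Ordering them after the admin account and its sudo/SSH access exist, or guarding them with an `assert` on that account, keeps the play safe to re-run. In the removal list `mtr-tiny` and `net-tools` appear twice; drop the duplicates. Only tasks/ssh.yml opens with a `---` document marker; the other six task files should match.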
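Review bot: `Configure nftables` copies the ruleset to `dest=/etc/nftables`, but Debian's nftables.service loads `/etc/nftables.conf`, so the shipped rules are never applied and `Start nftables` brings up the package-default ruleset instead; the line should read `dest=/etc/nftables.conf`. Because the `Restart nftables` handler reloads whatever lands in that file, adding `validate='nft -c -f %s'` to the copy task rejects a syntactically broken ruleset before the service is restarted with it. Confirm with `nft list ruleset` on a host that has had this play applied.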
@@ -0,0 +1,84 @@
+- name: Copy systemd.network(5) configuration
+ template: src=etc/systemd/network/01-wired.network.j2
+ dest=/etc/systemd/network/01-wired.network
+ owner=root group=root
+ mode=0644
+ notify:
+ - Restart systemd-networkd
+
+- name: Start systemd-networkd
+ service: name=systemd-networkd.service enabled=true state=started
+
+- meta: flush_handlers
+
+- name: Remove ifupdown and isc-dhcp-*
+ apt: pkg={{ packages }} state=absent purge=yes
+ vars:
+ packages:
+ - ifupdown
+ - isc-dhcp-client
+ - isc-dhcp-common
+
+- name: Remove /etc/network/interfaces and /etc/network/interfaces.d
+ file: path={{ item }} state=absent
+ with_items:
+ - /etc/network/interfaces
+ - /etc/network/interfaces.d/
+
+
+- name: Install systemd-resolved
+ apt: pkg={{ packages }}
+ vars:
+ packages:
+ - systemd-resolved
+ - libnss-resolve
+
+- name: Create directory /etc/systemd/resolved.conf.d
+ file: path=/etc/systemd/resolved.conf.d
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Configure systemd-resolved
+ copy: src=etc/systemd/resolved.conf.d/local.conf
+ dest=/etc/systemd/resolved.conf.d/local.conf
+ owner=root group=root
+ mode=0644
+ notify:
+ - Restart systemd-resolved
+
+- name: Start systemd-resolved
+ service: name=systemd-resolved.service enabled=true state=started
+
+- name: Remove resolvconf
+ apt: pkg=resolvconf state=absent purge=yes
+
+
+- name: Install systemd-timesyncd
+ apt: pkg=systemd-timesyncd
+
+- name: Create directory /etc/systemd/timesyncd.conf.d
+ file: path=/etc/systemd/timesyncd.conf.d
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Configure systemd-timesyncd
+ copy: src=etc/systemd/timesyncd.conf.d/local.conf
+ dest=/etc/systemd/timesyncd.conf.d/local.conf
+ owner=root group=root
+ mode=0644
+ notify:
+ - Restart systemd-timesyncd
+
+- name: Start systemd-timesyncd
+ service: name=systemd-timesyncd.service enabled=true state=started
+
+- name: Remove ntp
+ apt: pkg={{ packages }} state=absent purge=yes
+ vars:
+ packages:
+ - ntp
+ - ntpdate
+ - ntpsec
+ - ntpsec-ntpdate
diff --git a/tasks/ssh.yml b/tasks/ssh.yml
new file mode 100644
index 0000000..341a96d
--- /dev/null
+++ b/tasks/ssh.yml
@@ -0,0 +1,20 @@
+---
+- name: Install OpenSSH server
+ apt: pkg={{ packages }}
+ vars:
+ packages:
+ - openssh-server
+
+- name: Create system group 'ssh-login'
+ group: name=ssh-login system=true
+
+- name: Copy sshd_config configuration
+ copy: src=etc/ssh/sshd_config.d/local.conf
+ dest=/etc/ssh/sshd_config.d/local.conf
+ owner=root group=root
+ mode=0644
+ notify:
+ - Restart OpenSSH
+
+- name: Start Openssh
+ service: name=ssh enabled=true state=started
diff --git a/tasks/sysctl.yml b/tasks/sysctl.yml
new file mode 100644
index 0000000..0f0a985
--- /dev/null
+++ b/tasks/sysctl.yml
@@ -0,0 +1,22 @@
+- name: Configure network-related sysctl.conf(5).
+ sysctl: name={{ item.key }} value={{ item.val }}
+ sysctl_file=/etc/sysctl.d/network.conf reload=true
+ with_items:
+ - { key: net.ipv4.tcp_timestamps, val: 0 }
+ - { key: net.ipv4.conf.default.accept_source_route, val: 0 }
+ - { key: net.ipv4.conf.default.send_redirects, val: 0 }
+ - { key: net.ipv4.conf.all.accept_source_route, val: 0 }
+ - { key: net.ipv4.conf.all.send_redirects, val: 0 }
+ - { key: net.ipv6.conf.default.autoconf, val: 0 }
+ - { key: net.ipv6.conf.default.accept_ra, val: 0 }
+ - { key: net.ipv6.conf.default.accept_ra_defrtr, val: 0 }
+ - { key: net.ipv6.conf.default.accept_ra_rtr_pref, val: 0 }
+ - { key: net.ipv6.conf.default.accept_ra_pinfo, val: 0 }
+ - { key: net.ipv6.conf.default.accept_source_route, val: 0 }
+ - { key: net.ipv6.conf.all.autoconf, val: 0 }
+ - { key: net.ipv6.conf.all.accept_ra, val: 0 }
+ - { key: net.ipv6.conf.all.accept_ra_defrtr, val: 0 }
+ - { key: net.ipv6.conf.all.accept_ra_rtr_pref, val: 0 }
+ - { key: net.ipv6.conf.all.accept_ra_pinfo, val: 0 }
+ - { key: net.ipv6.conf.all.accept_source_route, val: 0 }
+ - { key: net.ipv6.conf.all.accept_redirects, val: 0 }
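Review bot: The `Restart systemd-networkd` handler fires at the `meta: flush_handlers` while ifupdown and isc-dhcp-client are still installed and /etc/network/interfaces is still in place, so for a moment two managers own the same interface; if the templated address differs from the lease the session arrived on, the play loses its connection and has no recovery step. Adding `wait_for_connection:` immediately after the flush, before `Remove ifupdown and isc-dhcp-*`, lets the play ride out the switch and fail loudly if the new configuration is wrong. The double blank lines before `Install systemd-resolved` and `Install systemd-timesyncd` are a style nit; one blank line between stanzas matches the rest of the file.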
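Review bot: `Copy sshd_config configuration` notifies `Restart OpenSSH` without checking the drop-in first, so a typo in local.conf restarts sshd into a failed state and the host is unreachable for the next run; adding `validate='/usr/sbin/sshd -t -f %s'` to the copy task rejects the file before the handler runs (the fragment is tested on its own, which catches directive and value errors). The drop-in only takes effect while /etc/ssh/sshd_config still carries the default `Include /etc/ssh/sshd_config.d/*.conf` line, which nothing in the play asserts. The last task is named `Start Openssh` while the first says `OpenSSH server`; use one spelling.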
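Review bot: The hardening set is asymmetric: ICMP redirects are disabled only via `net.ipv6.conf.all.accept_redirects`, while `net.ipv6.conf.default.accept_redirects` and the IPv4 `accept_redirects`/`secure_redirects` keys (both `all` and `default`) stay at kernel defaults, so interfaces created after this runs and every IPv4 interface still honour redirects. Adding the missing keys keeps the `all`/`default` pairing the rest of the list follows. Since `reload=true` only re-applies /etc/sysctl.d/network.conf when the file changes, a `sysctl -a` spot check on a converged host confirms the values took effect.
```yaml
# … unchanged: existing with_items entries …
- { key: net.ipv4.conf.default.accept_redirects, val: 0 }
- { key: net.ipv4.conf.default.secure_redirects, val: 0 }
- { key: net.ipv4.conf.all.accept_redirects, val: 0 }
- { key: net.ipv4.conf.all.secure_redirects, val: 0 }
- { key: net.ipv6.conf.default.accept_redirects, val: 0 }
```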