Add debian common role

2023-05-05 15:47:27 -04:00
parent b387d68eda
commit bf6bfe2809
79 changed files with 3166 additions and 0 deletions
--- a/common-debian/defaults/main.yml
+++ b/common-debian/defaults/main.yml
@ -0,0 +1,223 @@
+---
+# A root password for the system in plaintext format
+root_password: "OverrideMeToSomethingSecurePlease!"
+
+# Timezone & Locale
+timezone: Canada/Eastern
+locale: en_CA.UTF-8
+
+# Hosts to allow for hostbased authentication
+hostbased_auth: # Must be list of inventory hostnames
+#  - adminhost.domain.tld
+
+# Custom facts (from the templates/etc/ansible/facts.d directory) to install
+custom_facts:
+  - moe_release
+  - host_id
+  - host_group
+  - dhcp_status
+
+# Apt configuration files (from the templates/etc/apt/apt.conf.d directory) to install
+apt_configurations:
+  - 10norecommends
+  - 30aptcacher
+  - 50unattended-upgrades
+
+# Apt sources entries
+apt_sources:
+  - name: rafal.ca-base
+    has_src: yes
+    url: http://debian.mirror.rafal.ca/debian
+    distribution: "{{ moe_release.debian_codename }}"
+    components:
+      - main
+      - contrib
+      - non-free
+
+  - name: rafal.ca-updates
+    has_src: yes
+    url: http://debian.mirror.rafal.ca/debian
+    distribution: "{{ moe_release.debian_codename }}-updates"
+    components:
+      - main
+      - contrib
+      - non-free
+
+  - name: rafal.ca-security
+    has_src: yes
+    url: http://security.debian.org/debian-security
+    distribution: "{{ moe_release.debian_codename }}-security"
+    components:
+      - main
+      - contrib
+      - non-free
+
+  - name: repo.bonifacelabs.net
+    has_src: no
+    url: https://repo.bonifacelabs.net/debian
+    distribution: "{{ moe_release.debian_codename }}"
+    components:
+      - main
+    gpg_url: https://repo.bonifacelabs.net/debian/bonifacelabs_signing_key.pub
+    gpg_id: 83D07192314835D4
+
+# Packages to explicitly remove from the system
+packages_remove:
+  - exim4
+  - exim4-base
+  - exim4-config
+  - exim4-daemon-light
+  - nano
+  - joe
+  - python2
+
+# Packages to install on the system
+packages_add:
+  - acl
+  - acpi-support-base
+  - acpid
+  - bash
+  - bash-completion
+  - bc
+  - bind9-host
+  - binutils
+  - bzip2
+  - ca-certificates
+  - check-mk-agent
+  - curl
+  - debconf-utils
+  - deborphan
+  - dns-root-data
+  - dnsutils
+  - dstat
+  - fail2ban
+  - gawk
+  - git
+  - haveged
+  - htop
+  - iotop
+  - iperf
+  - iperf3
+  - iptables
+  - jnettop
+  - less
+  - libpam-systemd
+  - locales
+  - logrotate
+  - lsof
+  - man
+  - mmv
+  - needrestart
+  - net-tools
+  - netcat-openbsd
+  - nethogs
+  - nftables
+  - nmap
+  - ntp
+  - openssh-client
+  - openssh-server
+  - openssl
+  - postfix
+  - psmisc
+  - pv
+  - reptyr
+  - rsync
+  - rsyslog
+  - screenfetch
+  - sharutils
+  - shellcheck
+  - strace
+  - sudo
+  - sysstat
+  - tcptraceroute
+  - traceroute
+  - tshark
+  - unattended-upgrades
+  - vim
+  - wget
+  - zram-tools
+  - "linux-headers-{{ moe_release.dpkg_architecture }}"
+  - "linux-image-{{ moe_release.dpkg_architecture }}"
+
+# Apt preferences to set before installing packages
+apt_preferences:
+  - name: wireshark-common
+    question: wireshark-common/install-setuid
+    vtype: select
+    value: 'true'
+  - name: postfix
+    question: postfix/main_mailer_type
+    vtype: select
+    value: "Internet Site"
+
+# Services to enable (after installing but before configuring)
+enabled_services:
+  - acpid
+  - rsyslog
+  - nftables
+  - postfix
+  - ntp
+  - ssh
+
+# Capabilities overrides on binaries
+set_capabilities:
+  - path: /bin/ping
+    capability: cap_net_raw=ep
+
+# Sysctl configuration files (from templates/etc/sysctl.d) to install
+sysctl_files:
+  - moe.conf
+
+# NFTables rules to create; leave empty for a default allow-all ruleset
+nftables_rules:
+#  # EXAMPLE: Permit CheckMK only from RFC1918 subnets
+#  - chain: input
+#    rule: "ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } tcp dport 6556 accept"
+#  - chain: input
+#    rule: "ip tcp dport 6556 drop"
+
+# CheckMK plugin files (from files/usr/lib/check_mk_agent/plugins) to install
+check_mk_plugins:
+  - mk_logwatch
+  - backup
+  - cephfsmounts
+  - dpkg
+  - entropy
+  - freshness
+  - kernel_taint
+  - ownership
+
+# Additional groups to add
+add_groups:
+  - name: media
+    gid: 9000
+
+# SSH keys for backup purposes
+backup_ssh_keys:
+  - name: backup@domain.tld
+    date: 2020-01
+    type: ssh-ed25519
+    key: AAAA...ZZZZ
+
+# Administrative users
+admin_users:
+  - name: example
+    uid: 501
+    add_groups:
+      - wireshark
+      - media
+    shell: /bin/bash
+    ssh_keys:
+      - name: example@domain.tld
+        date: 2020-01
+        type: ssh-ed25519
+        key: AAAA...ZZZZ
+
+# Non-mailhost postfix relay and domain information (for cron emails, etc.)
+postfix_relay: ""
+postfix_domain: ""
+
+# File used to determine if the Postfix main.cf configuration should not be installed
+# Ensure this file is created in a later role for hosts that need their own main.cf configuration
+# to avoid this role overwriting it in the future.
+postfix_mailhost_flag_file: "/etc/postfix/mailhost"