Add debian common role

2023-05-05 15:47:27 -04:00
parent b387d68eda
commit bf6bfe2809
79 changed files with 3166 additions and 0 deletions


@ -0,0 +1,92 @@
---
- name: install apt prerequisite packages
apt:
name:
- gpg
- gnupg
state: latest
when: bootstrap
- set_fact:
update_cache: no
- name: install apt configuration files
template:
src: "etc/apt/apt.conf.d/{{ item }}.j2"
dest: "/etc/apt/apt.conf.d/{{ item }}"
mode: 0644
loop: "{{ apt_configurations }}"
register: configuration
- set_fact:
update_cache: yes
when: configuration.changed
- name: install apt pins configuration file
template:
src: "etc/apt/preferences.d/pins.j2"
dest: "/etc/apt/preferences.d/pins"
mode: 0644
register: pins
- set_fact:
update_cache: yes
when: pins.changed
- name: remove base apt sources files
file:
dest: /etc/apt/sources.list
state: absent
- name: install apt sources files
template:
src: "etc/apt/sources.list.d/source.j2"
dest: "/etc/apt/sources.list.d/{{ item.name }}.list"
mode: 0644
loop: "{{ apt_sources }}"
register: sources
- set_fact:
update_cache: yes
when: sources.changed
- name: install supplemental apt keyrings
apt_key:
url: "{{ item.gpg_url }}"
id: "{{ item.gpg_id }}"
keyring: "/etc/apt/trusted.gpg.d/{{ item.name }}.gpg"
state: present
when: item.gpg_url is defined and item.gpg_url
loop: "{{ apt_sources }}"
register: keyrings
- set_fact:
update_cache: yes
when: keyrings.changed
- name: set apt package preferences
debconf:
name: "{{ item.name }}"
question: "{{ item.question }}"
vtype: "{{ item.vtype }}"
value: "{{ item.value }}"
loop: "{{ apt_preferences }}"
register: preferences
- set_fact:
update_cache: yes
when: preferences.changed
- name: install cleanup scripts
template:
src: "usr/local/sbin/{{ item }}.j2"
dest: "/usr/local/sbin/{{ item }}"
mode: 0755
loop:
- dpkg-cleanup.sh
- kernel-cleanup.sh
- name: update apt cache
apt:
update_cache: yes
when: update_cache
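Review bot: The `install supplemental apt keyrings` task drops every third-party key into `/etc/apt/trusted.gpg.d/` via `apt_key`, which makes each key valid for every configured source rather than only for the repository it belongs to, and `apt-key` itself is deprecated on current Debian releases. Fetching the key with `get_url` into a dedicated keyring (for example `/etc/apt/keyrings/{{ item.name }}.gpg`) and referencing it from the `source.j2` template with `signed-by=` scopes trust per repository; keep the `gpg_id` pin as a post-download check in that variant. Separately, the `update_cache: no`/`yes` facts here, and the `yes` booleans in the other task files of this commit, read more reliably as `true`/`false`, and the unquoted `mode: 0644`/`0755` values throughout would be safer as `mode: "0644"`.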


@ -0,0 +1,17 @@
---
- name: clean out apt cache
file:
path: /var/cache/apt/archives
state: absent
- name: install pending updates and autoremove
apt:
update_cache: yes
autoremove: yes
upgrade: full
- name: install dbus if missing
apt:
name:
- dbus
state: latest
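Review bot: The task named `install dbus if missing` uses `state: latest`, which also upgrades an already-installed dbus on every bootstrap instead of only installing it when absent; `state: present` matches the name. The preceding `clean out apt cache` task deletes the whole `/var/cache/apt/archives` directory rather than the cached packages in it, which relies on apt recreating its own directories afterwards; `apt: autoclean: yes` or a `command: apt-get clean` with a clear name expresses the intent without that dependency.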


@ -0,0 +1,24 @@
---
- name: install new packages
apt:
name: "{{ packages_add }}"
state: latest
- name: remove unneeded packages
apt:
name: "{{ packages_remove }}"
state: absent
purge: yes
- name: ensure services are started and enabled
service:
name: "{{ item }}"
state: started
enabled: yes
loop: "{{ enabled_services }}"
- name: disable needrestrt dpkg integration if present
file:
dest: /usr/lib/needrestart/dpkg-status
mode: o-x,g-x,u-x
when: "'needrestart' in packages_add"
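Review bot: The `disable needrestrt dpkg integration if present` task does not actually check presence: `file` with only `dest` and `mode` fails when `/usr/lib/needrestart/dpkg-status` does not exist, so the `when: "'needrestart' in packages_add"` condition alone does not implement the "if present" in the name (which also has a typo, `needrestrt`). Register a `stat` on the path and extend the condition with `and dpkg_status.stat.exists`. Clearing the execute bits disables needrestart's automatic service restarts after upgrades, so on non-bootstrap runs processes keep running already-replaced library versions until something else restarts them; if that trade-off is intended it deserves a comment on the task.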


@ -0,0 +1,23 @@
---
- name: create local facts directory
file:
dest: /etc/ansible/facts.d
state: directory
recurse: yes
- name: install local facts
template:
src: "etc/ansible/facts.d/{{ item }}.fact.j2"
dest: "/etc/ansible/facts.d/{{ item }}.fact"
mode: 0755
register: installed_facts
loop: "{{ custom_facts }}"
- name: regather all facts
setup:
gather_subset: "all,local"
when: installed_facts.changed
- name: set moe_release fact
set_fact:
moe_release: "{{ ansible_local.moe_release }}"
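Review bot: `set moe_release fact` dereferences `ansible_local.moe_release` unconditionally, so the role fails on any host whose `custom_facts` list does not install a `moe_release` fact; `when: ansible_local.moe_release is defined` (or a `default`) makes that dependency explicit. `recurse: yes` on `create local facts directory` only affects existing contents of `/etc/ansible/facts.d` and is a no-op for creating it, so it can be dropped. The `.fact` files are installed with `mode: 0755`, i.e. as executables that `setup` runs, so each template should stay limited to what the fact genuinely needs.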


@ -0,0 +1,117 @@
---
# First-run check
# Determines if the system has been bootstrapped previously
- name: ensure moe directory exists
file:
dest: /etc/moe
state: directory
tags: always
- name: first run bootstrap check
shell: "date > /etc/moe/bootstrapped"
register: bootstrap_check
args:
creates: "/etc/moe/bootstrapped"
tags: always
- set_fact:
bootstrap: no
tags: always
- set_fact:
bootstrap: yes
when: bootstrap_check.changed
tags: always
# Set system hostname
# Ensures that the system hostname matches the inventory hostname
- name: set hostname to inventory_hostname
copy:
dest: /etc/hostname
content: "{{ inventory_hostname }}\n"
tags: always
# Custom facts
# Loads facts.yml which installs and regathers supplemental local facts
- include: facts.yml
tags: debian-facts
# Configure APT environment
# Loads apt-base.yml which configures base Debian repositories
- include: apt-base.yml
tags: debian-apt-base
# Bootstrap APT configuration
# Loads apt-bootstrap.yml when bootstrap=yes to ensure system is ready for bootstrap
- include: apt-bootstrap.yml
when: bootstrap
tags: debian-apt-bootstrap
# Bootstrap restart (pre-configure)
# Loads restart.yml when bootstrap=yes to ensure system is ready for bootstrap
- include: restart.yml
when: bootstrap
tags: always
# Package configuration
# Loads apt-packages.yml to install and remove packages for base system setup
- include: apt-packages.yml
tags: debian-apt-packages
# General system setup
# Loads system.yml to configure core system items like capabilities, locales, timezones, cron, ntp, etc.
- include: system.yml
tags: debian-system
# Networking setup
# Loads network.yml to configure core network items like resolv.conf, hosts, firewall, etc.
- include: network.yml
tags: debian-network
# Syslog setup
# Loads syslog.yml to configure rsyslog
- include: syslog.yml
tags: debian-syslog
# Shell setup
# Loads shell.yml to configure basic global shell items like sudo, bash, motd, etc.
- include: shell.yml
tags: debian-shell
# SSH setup
# Loads ssh.yml to configure SSH server for remote management
- include: ssh.yml
tags: debian-ssh
# Monitoring setup
# Loads monitoring.yml to configure remote monitoring items like check_mk, etc.
- include: monitoring.yml
tags: debian-monitoring
# Root user setup
# Loads root.yml to configure root user
- include: users/root.yml
tags: debian-users-root
# Backup user setup
# Loads backup.yml to configure backup user
- include: users/backup.yml
tags: debian-users-backup
# Deploy (Ansible) user setup
# Loads deploy.yml to configure deploy user
- include: users/deploy.yml
tags: debian-users-deploy
# Administrative users setup
# Loads admin.yml to configure administrative shell users
- include: users/admin.yml
loop: "{{ admin_users }}"
tags: debian-users-admin
# Bootstrap restart (post-configure)
# Loads restart.yml when bootstrap=yes to ensure system is finalized after bootstrap
- include: restart.yml
when: bootstrap
tags: always
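Review bot: Every task-file load in this main.yml uses `- include:`, which has been deprecated since Ansible 2.4 and was removed in ansible-core 2.16, so the role stops parsing on current releases. Static loads such as `- include: apt-base.yml` become `- import_tasks: apt-base.yml` (tags and `when` then apply to the imported tasks as they do now); the looped `- include: users/admin.yml` must become `- include_tasks: users/admin.yml` with `loop`, and because tags do not propagate into `include_tasks`, it needs `apply: { tags: [debian-users-admin] }` or `--tags debian-users-admin` will not select the included tasks. Also `set hostname to inventory_hostname` only writes `/etc/hostname`; the running hostname is unchanged until the next reboot, which happens only on bootstrap, so a `hostname: name: "{{ inventory_hostname }}"` task would apply it immediately.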


@ -0,0 +1,13 @@
---
- name: install check_mk logwatch configuration file
template:
src: etc/check_mk/logwatch.cfg.j2
dest: /etc/check_mk/logwatch.cfg
mode: 0644
- name: install check_mk agent check configuration files
copy:
src: "usr/lib/check_mk_agent/plugins/{{ item }}"
dest: "/usr/lib/check_mk_agent/plugins/{{ item }}"
mode: 0755
loop: "{{ check_mk_plugins }}"


@ -0,0 +1,33 @@
---
- name: disable managed /etc/hosts from cloud-init
lineinfile:
dest: /etc/cloud/cloud.cfg
regexp: "^manage_etc_hosts"
line: " manage_etc_hosts:false"
ignore_errors: yes
- name: write hosts configuration file
template:
src: etc/hosts.j2
dest: /etc/hosts
mode: 0644
- name: write resolver configuration files
template:
src: "{{ item }}.j2"
dest: "/{{ item }}"
mode: 0644
loop:
- etc/dhcp/dhclient-enter-hooks.d/noresolv
- etc/resolv.conf
ignore_errors: yes
- name: write firewall rules configuration file
template:
src: etc/nftables.conf.j2
dest: /etc/nftables.conf
when: nftables_rules is defined and nftables_rules
notify:
- restart nftables
- meta: flush_handlers
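Review bot: `disable managed /etc/hosts from cloud-init` writes `line: " manage_etc_hosts:false"`, a leading-space scalar with no space after the colon, which cloud-init will not read as the mapping entry `manage_etc_hosts: false`, so it can keep rewriting the `/etc/hosts` that the next task templates; use `line: "manage_etc_hosts: false"`. The `ignore_errors: yes` on that task and on `write resolver configuration files` masks every failure, not only a missing `/etc/cloud/cloud.cfg` or dhclient hook directory; a `stat` guard such as `when: cloud_cfg.stat.exists` keeps the intent without hiding template or permission errors. For the nftables rules, `validate: "nft -c -f %s"` on the template task rejects a bad ruleset before the `restart nftables` handler can leave the host without its firewall.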


@ -0,0 +1,10 @@
---
- name: restart system
reboot:
post_reboot_delay: 15
- name: wait 15 seconds for system to stabilize
pause:
seconds: 15
become: no
connection: local
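Review bot: `wait 15 seconds for system to stabilize` duplicates the `post_reboot_delay: 15` on the `reboot` task, which already sleeps that long after the host answers again, so each bootstrap restart pays 30 seconds. If the extra wait exists for a specific service, `reboot`'s `test_command` is a more reliable gate than a fixed `pause`, and the pause task can then be dropped.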


@ -0,0 +1,49 @@
---
- name: install sudo configuration file
template:
src: etc/sudoers.j2
dest: /etc/sudoers
mode: 0440
- name: install global bashrc configuration file
template:
src: etc/bash.bashrc.j2
dest: /etc/bash.bashrc
mode: 0644
- name: install general profile.d script files
template:
src: "{{ item }}.j2"
dest: "/{{ item }}"
mode: 0755
loop:
- etc/profile.d/w.sh
- name: remove default motd configuration file
file:
dest: /etc/motd
state: absent
- name: install motd handler script file
template:
src: usr/local/sbin/update-motd.sh.j2
dest: /usr/local/sbin/update-motd.sh
mode: 0755
- name: install motd update cron file
template:
src: etc/cron.d/update-motd.j2
dest: /etc/cron.d/update-motd
mode: 0644
- name: install global htoprc configuration file
template:
src: etc/htoprc.j2
dest: /etc/htoprc
mode: 0644
- name: add additional user groups
group:
name: "{{ item.name }}"
gid: "{{ item.gid }}"
loop: "{{ add_groups }}"
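Review bot: `install sudo configuration file` writes `/etc/sudoers` straight from a template with no `validate`, so a rendering error or an unexpected value in a sudoers variable leaves the host with no working sudo, which is a lock-out wherever the deploy account depends on it. Add `validate: "visudo -cf %s"` to that task so the file is only installed if it parses.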


@ -0,0 +1,56 @@
---
- name: install ssh configuration files
template:
src: "{{ item }}.j2"
dest: "/{{ item }}"
mode: 0644
notify:
- restart ssh
loop:
- etc/ssh/ssh_config
- etc/ssh/sshd_config
- etc/ssh/shosts.equiv
- etc/ssh/ssh_known_hosts
- etc/pam.d/sshd
- name: clean up unwanted ssh host keys (DSA and ECDSA)
file:
name: "{{ item }}"
state: absent
notify:
- restart ssh
loop:
- /etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_dsa_key.pub
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ecdsa_key.pub
- name: correct permissions on host keys
file:
dest: "{{ item.name }}"
mode: "{{ item.mode }}"
loop:
- name: /etc/ssh/ssh_host_rsa_key
mode: "0600"
- name: /etc/ssh/ssh_host_rsa_key.pub
mode: "0644"
- name: /etc/ssh/ssh_host_ed25519_key
mode: "0600"
- name: /etc/ssh/ssh_host_ed25519_key.pub
mode: "0644"
- name: install fail2ban configuration files
template:
src: "{{ item }}.j2"
dest: "/{{ item }}"
mode: 0644
notify:
- restart fail2ban
loop:
- etc/fail2ban/action.d/route.conf
- etc/fail2ban/filter.d/sshd.conf
- etc/fail2ban/jail.d/global.local
- etc/fail2ban/jail.d/sshd.conf
- etc/fail2ban/jail.d/sshd.local
- meta: flush_handlers
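Review bot: `install ssh configuration files` templates `/etc/ssh/sshd_config` in the same loop as the client-side files and then restarts ssh via the handler with no `validate`, so a bad rendered daemon config takes the remote-management path down with it; move `etc/ssh/sshd_config` into its own template task with `validate: "/usr/sbin/sshd -t -f %s"` (the client files would not pass that check, so it cannot simply be added to the loop). `correct permissions on host keys` has no `state`, so it fails if any of the four listed key files is absent, for example on a host where the RSA key was never generated; a `stat`-based `when` per item would be safer. Removing the DSA and ECDSA host keys is a sound hardening step, but the sshd_config template must not still carry `HostKey` lines for them or the next restart will fail.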


@ -0,0 +1,25 @@
---
- name: install rsyslog config
template:
src: etc/rsyslog.conf.j2
dest: /etc/rsyslog.conf
mode: 0644
notify:
- restart rsyslog
- name: install logrotate configs
template:
src: "{{ item }}.j2"
dest: "/{{ item }}"
mode: 0644
loop:
- etc/logrotate.d/rsyslog
- etc/logrotate.d/backup-rsync
- name: set journalctl persistence
template:
src: etc/systemd/journald.conf.j2
dest: /etc/systemd/journald.conf
mode: 0644
- meta: flush_handlers
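Review bot: `set journalctl persistence` writes `/etc/systemd/journald.conf` but, unlike the rsyslog task above it, has no `notify`, so the new storage setting is not picked up until journald restarts, which on a non-bootstrap run means the next reboot; until then the journal stays as it was. Add a `restart journald` handler (`service: name: systemd-journald, state: restarted`) and notify it from this task. If the template uses `Storage=auto` rather than `persistent`, the `/var/log/journal` directory must also be created for persistence to take effect.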


@ -0,0 +1,77 @@
---
- name: install zramswap configuration
template:
src: etc/default/zramswap.j2
dest: /etc/default/zramswap
notify: restart zramswap
- name: enable and activate zramswap
service:
name: zramswap
state: started
enabled: yes
- name: set bin capabilities
capabilities:
path: "{{ item.path }}"
capability: "{{ item.capability }}"
ignore_errors: yes
loop: "{{ set_capabilities }}"
- name: install locale configuration files
template:
src: "{{ item }}.j2"
dest: "/{{ item }}"
mode: 0644
notify:
- generate locales
loop:
- etc/default/locale
- etc/locale.gen
- name: set timezone
file:
src: "/usr/share/zoneinfo/{{ timezone }}"
dest: /etc/localtime
state: link
mode: 0644
force: yes
- name: install sysctl tweaks
template:
src: "etc/sysctl.d/{{ item }}.j2"
dest: "/etc/sysctl.d/{{ item }}"
mode: 0644
notify:
- load sysctl tweaks
loop: "{{ sysctl_files }}"
- name: install base crontab file
template:
src: etc/crontab.j2
dest: /etc/crontab
mode: 0644
- name: install ntp configuration file
template:
src: etc/ntp.conf.j2
dest: /etc/ntp.conf
mode: 0644
notify:
- restart ntp
- name: register status of mailhost flag file
stat:
path: "{{ postfix_mailhost_flag_file }}"
register: mailhost_flag
- name: install postfix configuration file (non-mailhost only)
template:
src: etc/postfix/main.cf.j2
dest: /etc/postfix/main.cf
mode: 0644
when: not mailhost_flag.stat.exists
notify:
- restart postfix
- meta: flush_handlers
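Review bot: `set bin capabilities` runs with `ignore_errors: yes`, which hides a failed `setcap` as well as a missing binary, so a capability the rest of the system counts on (for example one that lets a service run unprivileged) can silently be absent; guard on the path instead with a `stat` and `when: cap_bin.stat.exists`, and let genuine setcap failures fail the play. `set timezone` applies `mode: 0644` to a symlink, which the `file` module appears to forward to the link target under `/usr/share/zoneinfo`; the `timezone: name: "{{ timezone }}"` module sets `/etc/localtime` and `/etc/timezone` without that side effect.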


@ -0,0 +1,77 @@
---
- name: "ensure {{ item.name }} user exists and is configured properly"
user:
name: "{{ item.name }}"
uid: "{{ item.uid }}"
group: operator
groups: "adm,sudo,{{ item.add_groups|join(',') }}"
shell: "{{ item.shell }}"
home: "/var/home/{{ item.name }}"
createhome: yes
move_home: yes
append: yes
state: present
- name: "set ownership of {{ item.name }} home directory"
file:
dest: "/var/home/{{ item.name }}"
state: directory
owner: "{{ item.name }}"
group: operator
mode: 0700
- name: "create {{ item.name }} .ssh configuration directory"
file:
dest: "/var/home/{{ item.name }}/.ssh"
state: directory
owner: "{{ item.name }}"
group: operator
mode: 0700
- name: "write {{ item.name }} ssh authorized_keys configuration file"
template:
src: var/home/user/ssh/authorized_keys.j2
dest: "/var/home/{{ item.name }}/.ssh/authorized_keys"
owner: "{{ item.name }}"
group: operator
mode: 0640
- name: "write {{ item.name }} profile configuration file"
template:
src: var/home/user/profile.j2
dest: "/var/home/{{ item.name }}/.profile"
owner: "{{ item.name }}"
group: operator
mode: 0750
- name: "write {{ item.name }} bashrc configuration file"
template:
src: var/home/user/bashrc.j2
dest: "/var/home/{{ item.name }}/.bashrc"
owner: "{{ item.name }}"
group: operator
mode: 0750
- name: "write {{ item.name }} bash_logout configuration file"
template:
src: var/home/user/bash_logout.j2
dest: "/var/home/{{ item.name }}/.bash_logout"
owner: "{{ item.name }}"
group: operator
mode: 0750
- name: "create {{ item.name }} vim state directory"
file:
dest: "/var/home/{{ item.name }}/.vim"
state: directory
owner: "{{ item.name }}"
group: operator
mode: 0700
- name: "write {{ item.name }} vimrc configuration file"
template:
src: var/home/user/vimrc.j2
dest: "/var/home/{{ item.name }}/.vimrc"
owner: "{{ item.name }}"
group: operator
mode: 0600
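Review bot: `groups: "adm,sudo,{{ item.add_groups|join(',') }}"` yields a trailing comma (`adm,sudo,`) for an admin with an empty `add_groups`, which the `user` module is likely to reject as a non-existent empty group; build a list instead, `groups: "{{ ['adm', 'sudo'] + (item.add_groups | default([])) }}"`, which also tolerates a missing key. Because `append: yes` is set, an admin keeps `sudo` and every previously granted group after being removed from `add_groups`, so de-privileging an account needs a manual step; if that is intended it deserves a comment on the task. The `.profile`, `.bashrc` and `.bash_logout` files are installed with `mode: 0750`; they are sourced rather than executed, so `0640` is sufficient and consistent with `authorized_keys`.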


@ -0,0 +1,40 @@
---
- name: ensure backup user has /bin/sh shell
user:
name: backup
shell: /bin/sh
state: present
- name: create backup .ssh configuration directory
file:
dest: /var/backups/.ssh
state: directory
owner: backup
group: operator
mode: 0700
- name: write backup ssh authorized_keys configuration file
template:
src: var/backups/ssh/authorized_keys.j2
dest: /var/backups/.ssh/authorized_keys
owner: backup
group: operator
mode: 0640
- name: install post-backup timestamp script
template:
src: var/backups/timestamp.sh.j2
dest: /var/backups/timestamp.sh
mode: 0755
- name: create backup shares file
command: touch /var/backups/shares
args:
creates: /var/backups/shares
- name: set ownership of backup shares file
file:
dest: /var/backups/shares
owner: backup
group: operator
mode: 0644
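Review bot: `create backup shares file` and `set ownership of backup shares file` can be a single idempotent task: `file` with `path: /var/backups/shares`, `state: touch`, the owner/group/mode from the second task, and `modification_time: preserve` plus `access_time: preserve`, which is presumably why `command: touch` with `creates` was chosen over `state: touch` originally. Giving the `backup` system account a login shell and an `authorized_keys` file makes it a remotely reachable account; if the key in `var/backups/ssh/authorized_keys.j2` is not already restricted with `restrict,command="..."` options, that template is the place to scope it, and the sshd_config template could further confine it with a `Match User backup` block.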


@ -0,0 +1,35 @@
---
- name: ensure deploy user exists and is configured properly
user:
name: deploy
uid: 200
group: operator
shell: /bin/bash
home: /var/home/deploy
createhome: yes
move_home: yes
state: present
- name: set ownership of deploy home directory
file:
dest: /var/home/deploy
state: directory
owner: deploy
group: operator
mode: 0700
- name: create deploy .ssh configuration directory
file:
dest: /var/home/deploy/.ssh
state: directory
owner: deploy
group: operator
mode: 0700
- name: write deploy ssh authorized_keys configuration file
template:
src: var/home/deploy/ssh/authorized_keys.j2
dest: /var/home/deploy/.ssh/authorized_keys
owner: deploy
group: operator
mode: 0640


@ -0,0 +1,23 @@
---
- name: set root password
user:
name: root
password: "{{ root_password | password_hash('sha512', root_password) }}" # Use password as salt for idemptence
state: present
- name: remove any root known_hosts configuration file
file:
dest: /root/.ssh/known_hosts
state: absent
- name: create root vim state directory
file:
dest: /root/.vim
state: directory
mode: 0700
- name: write admin user vimrc configuration file to root homedir
template:
src: var/home/user/vimrc.j2
dest: /root/.vimrc
mode: 0600
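Review bot: `set root password` salts with the password itself (`password_hash('sha512', root_password)`), so the stored hash is a function of the password alone: every host sharing a root password gets an identical hash, which lets anyone holding one shadow file recognise reuse across the fleet, and a password with characters outside crypt's salt alphabet or longer than the 16-character salt limit may be rejected or silently truncated as a salt. The documented idempotent idiom keeps a stable per-host salt instead: `password: "{{ root_password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"`. Add `no_log: true` to the task so neither the hash nor, under verbose output, the source value lands in the play log; the inline comment typo `idemptence` goes with that line.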