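---
# Root password for the system, in plaintext. The default is a placeholder and
# is meant to be overridden per host/group from a protected vars source rather
# than edited here in the committed defaults.
root_password: "OverrideMeToSomethingSecurePlease!"
# Timezone & Locale
timezone: Canada/Eastern
locale: en_CA.UTF-8
# Hosts to allow for hostbased authentication. Must be a list of inventory
# hostnames. An explicit empty list is used instead of a bare key, which YAML
# would read as null rather than as an empty list.
hostbased_auth: []
#   - adminhost.domain.tld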
# Custom facts (from the templates/etc/ansible/facts.d directory) to install.
# Each entry names a fact script/template; moe_release is the one other
# defaults below reference (debian_codename, dpkg_architecture).
custom_facts:
  - moe_release
  - host_id
  - host_group
  - dhcp_status
# Apt configuration files (from the templates/etc/apt/apt.conf.d directory)
# to install, in apt.conf.d priority-prefix order.
apt_configurations:
  - 10norecommends
  - 30aptcacher
  - 50unattended-upgrades
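# Apt sources entries. `has_src` is written as a real boolean (true/false)
# rather than the YAML 1.1 forms yes/no, so every parser reads the same value.
apt_sources:
  - name: rafal.ca-base
    has_src: true
    url: http://debian.mirror.rafal.ca/debian
    distribution: "{{ moe_release.debian_codename }}"
    components:
      - main
      - contrib
      - non-free
  - name: rafal.ca-updates
    has_src: true
    url: http://debian.mirror.rafal.ca/debian
    distribution: "{{ moe_release.debian_codename }}-updates"
    components:
      - main
      - contrib
      - non-free
  - name: rafal.ca-security
    has_src: true
    url: http://security.debian.org/debian-security
    distribution: "{{ moe_release.debian_codename }}-security"
    components:
      - main
      - contrib
      - non-free
  - name: repo.bonifacelabs.net
    has_src: false
    url: https://repo.bonifacelabs.net/debian
    distribution: "{{ moe_release.debian_codename }}"
    components:
      - main
    # Third-party repository signing key, fetched over HTTPS. gpg_id is quoted
    # so a key id that happens to be all digits is never parsed as an integer.
    # Presumably the tasks compare the fetched key against gpg_id — confirm.
    gpg_url: https://repo.bonifacelabs.net/debian/bonifacelabs_signing_key.pub
    gpg_id: "83D07192314835D4"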
# Packages to explicitly remove from the system. exim4 is dropped in favour of
# postfix (installed below); nano/joe in favour of vim.
packages_remove:
  - exim4
  - exim4-base
  - exim4-config
  - exim4-daemon-light
  - nano
  - joe
  - python2
# Packages to install on the system. The last two entries are templated on the
# moe_release custom fact's dpkg_architecture.
packages_add:
  - acl
  - acpi-support-base
  - acpid
  - bash
  - bash-completion
  - bc
  - bind9-host
  - binutils
  - bzip2
  - ca-certificates
  - check-mk-agent
  - curl
  - debconf-utils
  - deborphan
  - dns-root-data
  - dnsutils
  - dstat
  - fail2ban
  - gawk
  - git
  - haveged
  - htop
  - iotop
  - iperf
  - iperf3
  - iptables
  - jnettop
  - less
  - libpam-systemd
  - locales
  - logrotate
  - lsof
  - man
  - mmv
  - needrestart
  - net-tools
  - netcat-openbsd
  - nethogs
  - nftables
  - nmap
  - ntp
  - openssh-client
  - openssh-server
  - openssl
  - postfix
  - psmisc
  - pv
  - reptyr
  - rsync
  - rsyslog
  - screenfetch
  - sharutils
  - shellcheck
  - strace
  - sudo
  - sysstat
  - tcptraceroute
  - traceroute
  - tshark
  - unattended-upgrades
  - vim
  - wget
  - zram-tools
  - "linux-headers-{{ moe_release.dpkg_architecture }}"
  - "linux-image-{{ moe_release.dpkg_architecture }}"
# Apt preferences to set before installing packages. Each entry has the shape
# of a debconf selection (question/vtype/value); presumably the tasks feed
# these to debconf — confirm there. Values are strings, so 'true' stays quoted.
apt_preferences:
  # Installs dumpcap setuid so members of the wireshark group can capture
  - name: wireshark-common
    question: wireshark-common/install-setuid
    vtype: select
    value: 'true'
  - name: postfix
    question: postfix/main_mailer_type
    vtype: select
    value: "Internet Site"
# Services to enable (after installing but before configuring)
enabled_services:
  - acpid
  - rsyslog
  - nftables
  - postfix
  - ntp
  - ssh
# Capabilities overrides on binaries: a path plus a capability string in
# setcap syntax
set_capabilities:
  - path: /bin/ping
    capability: cap_net_raw=ep
# Sysctl configuration files (from templates/etc/sysctl.d) to install
sysctl_files:
  - moe.conf
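# NFTables rules to create. An explicit empty list yields the default allow-all
# ruleset; it is written as [] rather than a bare key so YAML does not read
# the value as null.
nftables_rules: []
# # EXAMPLE: Permit CheckMK only from RFC1918 subnets
# - chain: input
#   rule: "ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } tcp dport 6556 accept"
# - chain: input
#   rule: "ip tcp dport 6556 drop"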
# CheckMK plugin files (from files/usr/lib/check_mk_agent/plugins) to install
check_mk_plugins:
  - mk_logwatch
  - backup
  - cephfsmounts
  - dpkg
  - entropy
  - freshness
  - kernel_taint
  - ownership
# Additional groups to add (name plus fixed gid)
add_groups:
  - name: media
    gid: 9000
# SSH keys for backup purposes. The entry below is a placeholder (the key
# material is not a real key); override it in inventory.
backup_ssh_keys:
  - name: backup@domain.tld
    date: 2020-01
    type: ssh-ed25519
    key: AAAA...ZZZZ
# Administrative users. Also a placeholder entry; presumably the tasks create
# every listed user, so inventories should replace it rather than extend it.
admin_users:
  - name: example
    uid: 501
    add_groups:
      - wireshark
      - media
    shell: /bin/bash
    ssh_keys:
      - name: example@domain.tld
        date: 2020-01
        type: ssh-ed25519
        key: AAAA...ZZZZ
# Non-mailhost postfix relay and domain information (for cron emails, etc.).
# Explicit empty strings, not bare keys, so the values are "" rather than null.
postfix_relay: ""
postfix_domain: ""
# Flag file whose presence tells this role not to install its Postfix main.cf.
# A later role must create it on hosts that ship their own main.cf, otherwise
# this role will overwrite that configuration on subsequent runs.
postfix_mailhost_flag_file: "/etc/postfix/mailhost"