---
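#
# First run check
#
# Fresh facts are needed before anything below reads ansible_* variables.
- name: regather facts
  setup:
  tags: always

# A marker file records that this host has been through the installer once.
# The file is only written when it does not exist yet (force: false), so the
# task reports changed exactly on a first run; no shell is involved.
- name: check if this is a new instance
  copy:
    content: "bootstrapped\n"
    dest: /etc/pvc-install.base
    force: false
  register: newhost_check
  tags: always

- name: set newhost fact
  set_fact:
    newhost: true
  when: newhost_check.changed
  tags: always

# Short hostname: the first label of the inventory name
- name: set this_node fact
  set_fact:
    this_node: "{{ inventory_hostname.split('.')[0] }}"
  tags: always

# Looked up from pvc_nodes by hostname; the value is the rendered string of
# node.is_coordinator, or an empty string when no entry matches.
- name: set coordinator state fact
  set_fact:
    is_coordinator: "{% for node in pvc_nodes if node.hostname == this_node %}{{ node.is_coordinator }}{% endfor %}"
  tags: always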
#
# Set Debian details
#
# Both tasks set the same two facts. The ansible_distribution_* facts are
# tried first; ansible_lsb is used where it is present, and since it runs
# second its values win when both conditions hold.
- name: set Debian details (with ansible_distribution_*)
  set_fact:
    debian_codename: "{{ ansible_distribution_release }}"
    debian_version: "{{ ansible_distribution_major_version }}"
  when: ansible_distribution_release is defined
  tags: always

- name: set Debian details (with ansible_lsb)
  set_fact:
    debian_codename: "{{ ansible_lsb.codename }}"
    debian_version: "{{ ansible_lsb.major_release }}"
  when: ansible_lsb.codename is defined
  tags: always
#
# Remove obsolete issue-gen
#
# Only runs on a freshly bootstrapped host (newhost fact set above).
- name: remove obsolete issue-gen script from PVC installer
  file:
    path: /etc/network/if-up.d/issue-gen
    state: absent
  when: newhost is defined and newhost
  tags: always
#
# Install custom fact scripts
#
- name: create facts directory
  file:
    path: /etc/ansible/facts.d
    state: directory
    recurse: true
  tags: base-ansible

# Each item renders etc/ansible/facts.d/<item>.fact.j2 into an executable
# local-fact script; the result is registered as installed_facts.
- name: install custom facts
  template:
    src: "etc/ansible/facts.d/{{ item }}.fact.j2"
    dest: "/etc/ansible/facts.d/{{ item }}.fact"
    mode: "0755"
  loop:
    - host_id
    - host_group
    - dhcp_status
  register: installed_facts
  tags: base-ansible
# Re-run setup so the ansible_local.* facts read below are populated
- name: regather facts
  setup:
  tags: always

# The three debug tasks only print at -v or higher
- name: show host_group fact
  debug:
    var: ansible_local.host_group
    verbosity: 1
  tags: always

- name: show host_id fact
  debug:
    var: ansible_local.host_id
    verbosity: 1
  tags: always

- name: show dhcp_status fact
  debug:
    var: ansible_local.dhcp_status
    verbosity: 1
  tags: always
#
# Configure APT
#
- name: install apt config files
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  loop:
    - src: etc/apt/apt.conf.d/10norecommends.j2
      dest: /etc/apt/apt.conf.d/10norecommends
    - src: etc/apt/preferences.d/pins.j2
      dest: /etc/apt/preferences.d/pins
    # sources.list template is selected per architecture and release
    - src: "etc/apt/sources.list.{{ ansible_machine }}.{{ debian_codename }}.j2"
      dest: /etc/apt/sources.list
  register: apt_config
  tags: base-apt

# Repository signing key, fetched from the configured URL; the id lets the
# module tell whether the expected key is already present.
- name: add key for PVC repo
  apt_key:
    url: "{{ debian_pvc_signing_key_path }}"
    id: "{{ debian_pvc_signing_key_id }}"
    state: present
  register: apt_key
  tags: base-apt
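#
# Safe apt upgrades (on first install only)
#
# Refresh the package index when a new host is detected or when the APT
# configuration or repository key changed above. Network operations are
# retried up to 5 times. update_cache is spelled the same way as in the
# upgrade task below (the hyphenated form is only an alias).
- name: apt update
  apt:
    update_cache: true
  when: (newhost is defined and newhost) or apt_config.changed or apt_key.changed
  register: apt_res
  retries: 5
  until: apt_res is success
  tags: base-apt

- name: apt safe upgrade with autoremove
  apt:
    update_cache: true
    autoremove: true
    upgrade: safe
  when: newhost is defined and newhost
  register: apt_res
  retries: 5
  until: apt_res is success
  tags: base-apt

- name: install dbus
  apt:
    name:
      - dbus
    state: latest
  when: newhost is defined and newhost
  register: apt_res
  retries: 5
  until: apt_res is success
  tags: base-apt

# Remove downloaded .deb archives after the first-run upgrade
- name: clean out apt cache
  file:
    path: /var/cache/apt/archives
    state: absent
  when: newhost is defined and newhost
  tags: base-apt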
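#
# Purge unneeded packages
#
- name: remove unneeded packages
  apt:
    name:
      - exim4
      - exim4-base
      - exim4-config
      - exim4-daemon-light
      - joe
      - aptitude
    state: absent
    purge: true
    autoremove: true
  register: apt_res
  retries: 5
  until: apt_res is success
  tags: base-packages

# Pre-seed the wireshark-common/install-setuid answer so the package
# installs without an interactive prompt. The debconf module is idempotent
# and replaces piping the selection through a shell.
- name: set override debconf selections
  debconf:
    name: "{{ item.name }}"
    question: "{{ item.question }}"
    vtype: "{{ item.vtype }}"
    value: "{{ item.value }}"
  loop:
    - name: wireshark-common
      question: wireshark-common/install-setuid
      vtype: boolean
      value: "true"
  tags: base-packages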
# Package selection depends on the Debian major version set earlier
- name: install common packages (buster)
  apt:
    name:
      - python
    state: present
  when: debian_version|int <= 10
  register: apt_res
  retries: 5
  until: apt_res is success
  tags: base-packages

- name: install common packages (bullseye+)
  apt:
    name:
      - python-is-python3
    state: present
  when: debian_version|int >= 11
  register: apt_res
  retries: 5
  until: apt_res is success
  tags: base-packages
# Baseline package set for every node, installed in one apt transaction
# and retried on transient apt failures
- name: install common packages (all versions)
  apt:
    state: present
    name:
      - debconf-utils
      - iptables
      - locales
      - acpid
      - acpi-support-base
      - rsync
      - bash
      - bash-completion
      - net-tools
      - pciutils
      - usbutils
      - smartmontools
      - edac-utils
      - check-mk-agent
      - dns-root-data
      - bind9-host
      - dnsutils
      - whois
      - postfix
      - ntp
      - openssh-client
      - openssh-server
      - libpam-systemd
      - fail2ban
      - ca-certificates
      - openssl
      - sudo
      - rsyslog
      - logrotate
      - man
      - less
      - vim
      - nano
      - git
      - vlan
      - bridge-utils
      - ifenslave
      - nmap
      - traceroute
      - mtr
      - netcat-openbsd
      - htop
      - psmisc
      - dstat
      - iotop
      - lsof
      - jnettop
      - iperf
      - sysstat
      - binutils
      - deborphan
      - needrestart
      - wget
      - curl
      - gawk
      - uuid-runtime
      - mmv
      - pv
      - bc
      - reptyr
      - sharutils
      - tcptraceroute
      - nethogs
      - strace
      - tshark
      - acl
      - bzip2
      - lzop
      - xz-utils
      - zstd
      - haveged
      - cpufrequtils
      - lm-sensors
      - ipmitool
      - grub-efi
      - efibootmgr
      - plymouth
      - plymouth-themes
      - linux-image-amd64
      - linux-headers-amd64
  register: apt_res
  retries: 5
  until: apt_res is success
  tags: base-packages
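# Optional and hardware-specific packages. Tagged and retried like the other
# package tasks so a --tags base-packages run and transient apt failures
# are handled the same way.
- name: install Prometheus node and process exporters if enabled
  apt:
    name:
      - prometheus-node-exporter
      - prometheus-process-exporter
  when: enable_prometheus_exporters is defined and enable_prometheus_exporters
  register: apt_res
  retries: 5
  until: apt_res is success
  tags: base-packages

# CPU microcode: the vendor package is chosen from the ansible_processor fact
- name: install Intel-specific microcode package
  apt:
    name:
      - intel-microcode
  when: "'GenuineIntel' in ansible_processor"
  register: apt_res
  retries: 5
  until: apt_res is success
  tags: base-packages

- name: install AMD-specific microcode package
  apt:
    name:
      - amd64-microcode
  when: "'AuthenticAMD' in ansible_processor"
  register: apt_res
  retries: 5
  until: apt_res is success
  tags: base-packages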
# Helper scripts used by the Cleanup section at the end of this file
- name: install cleanup scripts
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "0755"
  loop:
    - src: usr/local/sbin/kernel-cleanup.sh.j2
      dest: /usr/local/sbin/kernel-cleanup.sh
    - src: usr/local/sbin/dpkg-cleanup.sh.j2
      dest: /usr/local/sbin/dpkg-cleanup.sh
  tags: base-packages
#
# System configuration
#
# networking
- name: install base interfaces file
  template:
    src: etc/network/interfaces.j2
    dest: /etc/network/interfaces
  tags: base-network

# One fragment per entry of the networks dict, named after the dict key
- name: install per-interface files
  template:
    src: etc/network/interfaces-perif.j2
    dest: "/etc/network/interfaces.d/{{ network.key }}"
  with_dict: "{{ networks }}"
  loop_control:
    loop_var: network
  tags: base-network
# locale
- name: install locale config files
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  loop:
    - src: etc/default/locale.j2
      dest: /etc/default/locale
    - src: etc/locale.gen.j2
      dest: /etc/locale.gen
  tags: base-system

# Both /etc/localtime and /etc/timezone derive from timezone_location
- name: set timezone for /etc/localtime
  file:
    src: "/usr/share/zoneinfo/{{ timezone_location }}"
    dest: /etc/localtime
    state: link
    force: true
  tags: base-system

- name: set timezone for /etc/timezone
  copy:
    dest: /etc/timezone
    content: "{{ timezone_location }}"
  tags: base-system

# Not guarded by changed_when, so this reports changed on every run
- name: generate locales
  command: locale-gen
  tags: base-system
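# sysctl
- name: install sysctl tweaks
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  loop:
    - src: etc/sysctl.d/pvc.conf.j2
      dest: /etc/sysctl.d/pvc.conf
  tags: base-system

# No shell features (pipes, redirects, globs) are used, so the command
# module is sufficient and avoids an interpreter. Not guarded by
# changed_when, so this reports changed on every run.
- name: activate sysctl tweaks
  command: "sysctl -p {{ item }}"
  loop:
    - /etc/sysctl.d/pvc.conf
  tags: base-system

# cpufreq
- name: write the cpufrequtils governor
  template:
    src: etc/default/cpufrequtils.j2
    dest: /etc/default/cpufrequtils
  register: cpufrequtils
  tags: base-system

- name: activate cpufrequtils governor
  service:
    name: cpufrequtils
    state: restarted
  when: cpufrequtils.changed
  tags: base-system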
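# sudo
# visudo -c checks the rendered file before it replaces /etc/sudoers; a
# template error would otherwise leave the host with sudo unusable.
- name: write the sudoers file
  template:
    src: etc/sudoers.j2
    dest: /etc/sudoers
    mode: "0440"
    validate: "visudo -cf %s"
  tags: base-system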
# dns
- name: write the hosts config
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  loop:
    - src: etc/hosts.j2
      dest: /etc/hosts
  tags: base-dns

# resolv.conf is installed together with a dhclient enter hook named
# noresolv; presumably the hook keeps dhclient from rewriting resolv.conf
# (confirm in the template).
- name: write the resolver configs
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  loop:
    - src: etc/resolv.conf.j2
      dest: /etc/resolv.conf
    - src: etc/dhcp/dhclient-enter-hooks.d/noresolv.j2
      dest: /etc/dhcp/dhclient-enter-hooks.d/noresolv
  tags: base-dns
# GRUB bootloader
- name: create PVC grub directory
  file:
    path: /usr/share/grub-pvc
    state: directory

- name: install PVC grub style
  copy:
    src: "usr/share/grub-pvc/{{ item }}"
    dest: "/usr/share/grub-pvc/{{ item }}"
  loop:
    - background.png
    - theme.txt

# Both handlers are triggered only when /etc/default/grub changed
- name: install GRUB configuration
  template:
    src: etc/default/grub.j2
    dest: /etc/default/grub
  notify:
    - update grub
    - regenerate uefi entries
# Plymouth theme
# The archive is unpacked only while the theme directory is missing
- name: install PVC Plymouth theme archive
  unarchive:
    src: usr/share/plymouth/themes/pvc.tar
    dest: /usr/share/plymouth/themes/
    creates: /usr/share/plymouth/themes/pvc
    owner: root
    group: root

- name: install PVC Plymouth background file
  copy:
    src: usr/share/grub-pvc/background.png
    dest: /usr/share/plymouth/themes/pvc/background-tile.png

# Not guarded by changed_when, so this reports changed on every run
- name: set PVC Plymouth theme as the default
  command: plymouth-set-default-theme -R pvc
# syslog
- name: install rsyslog and logrotate configs
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  loop:
    - src: etc/rsyslog.conf.j2
      dest: /etc/rsyslog.conf
    - src: etc/logrotate.d/rsyslog.j2
      dest: /etc/logrotate.d/rsyslog
  notify:
    - restart rsyslog
  tags: base-syslog

- name: set journalctl persistence
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "0644"
  loop:
    - src: etc/systemd/journald.conf.j2
      dest: /etc/systemd/journald.conf
  tags: base-syslog
# cron
- name: install crontab
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "0755"
  loop:
    - src: etc/crontab.j2
      dest: /etc/crontab
  tags: base-cron
# mta
- name: install postfix generic config
  template:
    src: etc/postfix/main.cf.j2
    dest: /etc/postfix/main.cf
  notify:
    - restart postfix
  tags: base-mta

# state: touch updates the mtime and so reports changed on every run
- name: touch the postfix aliases file
  file:
    path: /etc/postfix/aliases
    state: touch
  tags: base-mta

# Route mail for these local accounts to username_email_root; the regexp
# replaces an existing line for the same alias instead of adding another.
- name: install local alias maps for various users
  lineinfile:
    path: /etc/aliases
    regexp: "^{{ item }}:"
    line: "{{ item }}: {{ username_email_root }}"
    state: present
  loop:
    - root
    - postmaster
    - amavis
    - clamav
  notify:
    - newaliases
  tags: base-mta
# ntp
# On Debian >= 12 the config is written under /etc/ntpsec and the legacy
# /etc/ntp.conf is removed; older releases keep /etc/ntp.conf.
- name: write the NTP config file on Debian < 12
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  loop:
    - src: etc/ntp.conf.j2
      dest: /etc/ntp.conf
  notify:
    - restart ntp
  when: debian_version|int < 12
  tags: base-time

- name: write the NTP config file on Debian >= 12
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  loop:
    - src: etc/ntpsec/ntp.conf.j2
      dest: /etc/ntpsec/ntp.conf
  notify:
    - restart ntp
  when: debian_version|int >= 12
  tags: base-time

- name: clean up old NTP config file on Debian >= 12
  file:
    path: /etc/ntp.conf
    state: absent
  notify:
    - restart ntp
  when: debian_version|int >= 12
  tags: base-time
# ssl
# haveged is started before the parameter generation that follows
- name: ensure haveged is running
  service:
    name: haveged
    state: started
  tags: base-ssl

# Generated once; creates makes later runs skip the generation
- name: generate diffie-hellman parameters
  command: openssl dhparam -out /etc/ssl/dhparams.pem 2048
  args:
    creates: /etc/ssl/dhparams.pem
  tags: base-ssl

- name: correct permissions on dhparams
  file:
    path: /etc/ssl/dhparams.pem
    mode: "0440"
  tags: base-ssl
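# ssh
- name: write the ssh client and host-trust config files
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  loop:
    - src: etc/ssh/ssh_config.j2
      dest: /etc/ssh/ssh_config
    - src: etc/ssh/shosts.equiv.j2
      dest: /etc/ssh/shosts.equiv
    - src: etc/ssh/ssh_known_hosts.j2
      dest: /etc/ssh/ssh_known_hosts
  notify:
    - restart ssh
  tags: base-ssh

# sshd_config is written on its own so it can be validated: sshd -t rejects
# a broken rendering before it is installed, so a template error cannot
# leave the host without a working sshd after the restart handler.
- name: write the sshd_config file
  template:
    src: etc/ssh/sshd_config.j2
    dest: /etc/ssh/sshd_config
    validate: "/usr/sbin/sshd -t -f %s"
  notify:
    - restart ssh
  tags: base-ssh

- name: write sshd pam.d config
  template:
    src: etc/pam.d/sshd.j2
    dest: /etc/pam.d/sshd
  tags: base-ssh

- name: remove unneeded SSH keys (leave only RSA and ED25519)
  file:
    path: "{{ item }}"
    state: absent
  loop:
    - /etc/ssh/ssh_host_dsa_key
    - /etc/ssh/ssh_host_dsa_key.pub
    - /etc/ssh/ssh_host_ecdsa_key
    - /etc/ssh/ssh_host_ecdsa_key.pub
  notify:
    - restart ssh
  tags: base-ssh

# Private keys readable by root only; public halves world-readable
- name: set permissions on rsa and ed25519 host keys (just in case they're wrong)
  file:
    path: "/etc/ssh/{{ item.name }}"
    mode: "{{ item.mode }}"
  loop:
    - name: ssh_host_rsa_key
      mode: "600"
    - name: ssh_host_rsa_key.pub
      mode: "644"
    - name: ssh_host_ed25519_key
      mode: "600"
    - name: ssh_host_ed25519_key.pub
      mode: "644"
  tags: base-ssh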
# bash
- name: write the bash.bashrc config file
  template:
    src: etc/bash.bashrc.j2
    dest: /etc/bash.bashrc
  tags: base-shell

# motd
# Registered as profile_scripts so the two generator scripts can be run
# once below when any of these files changed.
- name: ensure update-issue, update-motd and profile.d scripts are present
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "0755"
  loop:
    - src: usr/local/sbin/update-issue.sh.j2
      dest: /usr/local/sbin/update-issue.sh
    - src: usr/local/sbin/update-motd.sh.j2
      dest: /usr/local/sbin/update-motd.sh
    - src: etc/profile.d/w.sh.j2
      dest: /etc/profile.d/w.sh
    - src: etc/profile.d/pvc.sh.j2
      dest: /etc/profile.d/zzz_pvc.sh
  register: profile_scripts
  tags: base-shell

- name: install banner update crontabs
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "0644"
  loop:
    - src: etc/cron.d/update-issue.j2
      dest: /etc/cron.d/update-issue
    - src: etc/cron.d/update-motd.j2
      dest: /etc/cron.d/update-motd
  tags: base-shell

- name: ensure /etc/motd is absent
  file:
    path: /etc/motd
    state: absent
  tags: base-shell

- name: run update-motd on change
  command: /usr/local/sbin/update-motd.sh
  when: profile_scripts.changed
  tags: base-shell

- name: run update-issue on change
  command: /usr/local/sbin/update-issue.sh
  when: profile_scripts.changed
  tags: base-shell

# htop
- name: install htop configuration
  template:
    src: etc/htoprc.j2
    dest: /etc/htoprc
    mode: "0644"
  tags: base-shell
# fail2ban
# sshd filter and jail plus the route action; any change restarts fail2ban
- name: install fail2ban configurations
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "0644"
  loop:
    - src: etc/fail2ban/action.d/route.conf.j2
      dest: /etc/fail2ban/action.d/route.conf
    - src: etc/fail2ban/filter.d/sshd.conf.j2
      dest: /etc/fail2ban/filter.d/sshd.conf
    - src: etc/fail2ban/jail.d/sshd.conf.j2
      dest: /etc/fail2ban/jail.d/sshd.conf
    - src: etc/fail2ban/jail.d/sshd.local.j2
      dest: /etc/fail2ban/jail.d/sshd.local
  notify: restart fail2ban
  tags: base-fail2ban
# lm-sensors
# Not guarded by changed_when, so this reports changed on every run
- name: run sensors-detect to update sensors configuration
  command: sensors-detect --auto
  tags: base-sensors

# check-mk-agent
- name: install check_mk agent plugins
  copy:
    src: "usr/lib/check_mk_agent/plugins/{{ item }}"
    dest: "/usr/lib/check_mk_agent/plugins/{{ item }}"
    mode: "0755"
  loop:
    - backup
    - ceph
    - cephfsmounts
    - dpkg
    - entropy
    - freshness
    - ipmi
    - ownership
  tags: base-cmkagent
# backups
- name: create backup directory
  file:
    path: /srv/backups
    state: directory
  tags: base-backups

# One cron.daily script per item, rendered from etc/cron.daily/<item>.j2
- name: install daily backup scripts
  template:
    src: "etc/cron.daily/{{ item }}.j2"
    dest: "/etc/cron.daily/{{ item }}"
    mode: "0755"
  loop:
    - pvc-backup
    - mon-backup
  tags: base-backups
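- name: install IPMI network interfaces fragment
  template:
    src: etc/network/interfaces.d/ipmi.j2
    dest: /etc/network/interfaces.d/ipmi
  tags: base-ipmi

# IPMI users come from ipmi_user_configuration[cluster_hardware]. These are
# plain command tasks with no changed_when, so they report changed on every
# run; errors are ignored, presumably so hosts without a reachable BMC do
# not abort the play.
- name: configure IPMI username
  command: "ipmitool user set name {{ ipmi_user_configuration[cluster_hardware][item]['id'] }} {{ ipmi_user_configuration[cluster_hardware][item]['username'] }}"
  loop:
    - admin
    - pvc
  ignore_errors: true
  tags: base-ipmi

# no_log keeps the BMC password out of task output and controller logs
# (the command line itself still carries it on the target host).
- name: configure IPMI password
  command: "ipmitool user set password {{ ipmi_user_configuration[cluster_hardware][item]['id'] }} {{ ipmi_user_configuration[cluster_hardware][item]['password'] }}"
  loop:
    - admin
    - pvc
  no_log: true
  ignore_errors: true
  tags: base-ipmi

- name: configure IPMI role
  command: "ipmitool user priv {{ ipmi_user_configuration[cluster_hardware][item]['id'] }} {{ ipmi_user_configuration[cluster_hardware][item]['role'] }} {{ ipmi_user_configuration[cluster_hardware]['channel'] }}"
  loop:
    - admin
    - pvc
  ignore_errors: true
  tags: base-ipmi

- name: enable IPMI user
  command: "ipmitool user enable {{ ipmi_user_configuration[cluster_hardware][item]['id'] }}"
  loop:
    - admin
    - pvc
  ignore_errors: true
  tags: base-ipmi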
#
# Configure users
#
# common
# Home directories for the managed accounts live under /var/home
- name: ensure /var/home exists
  file:
    path: /var/home
    state: directory
  tags:
    - users
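# root
# The password is handed to mkpasswd on stdin instead of as an argument, so
# it does not appear in the process list on the target; no_log keeps it out
# of Ansible output. Hashing changes nothing on the host, so the task never
# reports changed. mkpasswd picks a fresh salt each run, so the user task
# below still reports changed on every run.
- name: generate Root password hash
  command: mkpasswd --method=sha512crypt --stdin
  args:
    stdin: "{{ root_password }}"
  no_log: true
  changed_when: false
  register: mkpasswd
  tags:
    - users
    - user-root

- name: set Root password
  user:
    name: root
    password: "{{ mkpasswd.stdout }}"
  tags:
    - users
    - user-root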
- name: remove Root known_hosts
  file:
    path: /root/.ssh/known_hosts
    state: absent
  tags:
    - users
    - user-root

# Shares the vimrc template used for the admin users' home directories
- name: write vimrc to root homedir
  template:
    src: var/home/user/vimrc.j2
    dest: /root/.vimrc
    mode: "0600"
  tags:
    - users
    - user-root

- name: create vimdir
  file:
    path: /root/.vim
    state: directory
    mode: "0700"
  tags:
    - users
    - user-root

# Both the legacy ~/.htoprc and the XDG config directory are removed
- name: remove root htoprc
  file:
    path: "{{ item }}"
    state: absent
  loop:
    - /root/.htoprc
    - /root/.config/htop
  tags:
    - users
    - user-root
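# backup
- name: ensure backup user has shell
  user:
    name: backup
    shell: /bin/sh
  tags:
    - users
    - user-backup

- name: create backup .ssh directory
  file:
    path: /var/backups/.ssh
    state: directory
    owner: backup
    group: root
    mode: "0700"
  tags:
    - users
    - user-backup

- name: create backup authorized_keys file
  template:
    src: var/backups/ssh/authorized_keys.j2
    dest: /var/backups/.ssh/authorized_keys
    owner: backup
    group: root
    mode: "0640"
  tags:
    - users
    - user-backup

# Same treatment as the main sudoers file: visudo -c rejects a broken
# rendering before it lands in sudoers.d, and the fragment is made
# read-only like /etc/sudoers itself.
- name: write the backup sudoers fragment
  template:
    src: etc/sudoers.d/sudoers-backup.j2
    dest: /etc/sudoers.d/backup
    mode: "0440"
    validate: "visudo -cf %s"
  tags:
    - users
    - user-backup

- name: install the post-backup timestamp script
  template:
    src: var/backups/timestamp.sh.j2
    dest: /var/backups/timestamp.sh
    mode: "0755"
  tags:
    - users
    - user-backup

# state: touch reports changed on every run
- name: touch shares file
  file:
    path: /var/backups/shares
    state: touch
    owner: backup
  tags:
    - users
    - user-backup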
# deploy
- name: ensure user deploy exists
  user:
    name: "{{ deploy_username }}"
    uid: 200
    group: operator
    groups: operator
    append: true
    shell: /bin/bash
    home: "/var/home/{{ deploy_username }}"
    create_home: true
    move_home: true
    state: present
  tags:
    - users
    - user-deploy

- name: ensure homedir has right permissions
  file:
    path: "/var/home/{{ deploy_username }}"
    state: directory
    owner: "{{ deploy_username }}"
    group: operator
    mode: "0700"
  tags:
    - users
    - user-deploy

- name: ensure .ssh directory exists
  file:
    path: "/var/home/{{ deploy_username }}/.ssh"
    state: directory
    owner: "{{ deploy_username }}"
    group: operator
    mode: "0700"
  tags:
    - users
    - user-deploy

# Every key listed under each admin_users entry's "keys" is authorised for
# the deploy account
- name: add authorized keys
  authorized_key:
    user: "{{ deploy_username }}"
    key: "{{ item.1 }}"
    state: present
  with_subelements:
    - "{{ admin_users }}"
    - keys
  tags:
    - users
    - user-deploy

# Keys listed under "removed" are revoked; errors are ignored, presumably
# for entries that carry no removed list (confirm against the inventory)
- name: remove authorized keys
  authorized_key:
    user: "{{ deploy_username }}"
    key: "{{ item.1 }}"
    state: absent
  with_subelements:
    - "{{ admin_users }}"
    - removed
  ignore_errors: true
  tags:
    - users
    - user-deploy
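# admin_users
# Each admin_users entry supplies name, uid, keys and (optionally) removed.
- name: ensure user exists
  user:
    name: "{{ item.name }}"
    uid: "{{ item.uid }}"
    group: operator
    groups: sudo,adm,wireshark
    shell: /bin/bash
    home: "/var/home/{{ item.name }}"
    create_home: true
    state: present
    append: true
  with_items: "{{ admin_users }}"
  tags:
    - users
    - user-admin

- name: ensure homedir has right permissions
  file:
    path: "/var/home/{{ item.name }}"
    state: directory
    owner: "{{ item.name }}"
    group: operator
    mode: "0700"
  with_items: "{{ admin_users }}"
  tags:
    - users
    - user-admin

- name: ensure .ssh directory exists
  file:
    path: "/var/home/{{ item.name }}/.ssh"
    state: directory
    owner: "{{ item.name }}"
    group: operator
    mode: "0700"
  with_items: "{{ admin_users }}"
  tags:
    - users
    - user-admin

- name: add authorized keys
  authorized_key:
    user: "{{ item.0.name }}"
    key: "{{ item.1 }}"
    state: present
  with_subelements:
    - "{{ admin_users }}"
    - keys
  tags:
    - users
    - user-admin

# Keys listed under "removed" are revoked; errors are ignored, presumably
# for entries that carry no removed list. Tagged user-admin like the rest
# of this section (it was tagged user-deploy, so a --tags user-admin run
# never revoked keys).
- name: remove authorized keys
  authorized_key:
    user: "{{ item.0.name }}"
    key: "{{ item.1 }}"
    state: absent
  with_subelements:
    - "{{ admin_users }}"
    - removed
  ignore_errors: true
  tags:
    - users
    - user-admin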
# Shell and editor dotfiles for every admin user, owned by the user and
# group operator
- name: write bashrc to homedir
  template:
    src: var/home/user/bashrc.j2
    dest: "/var/home/{{ item.name }}/.bashrc"
    owner: "{{ item.name }}"
    group: operator
    mode: "0700"
  with_items: "{{ admin_users }}"
  tags:
    - users
    - user-admin

- name: write bash_logout to homedir
  template:
    src: var/home/user/bash_logout.j2
    dest: "/var/home/{{ item.name }}/.bash_logout"
    owner: "{{ item.name }}"
    group: operator
    mode: "0700"
  with_items: "{{ admin_users }}"
  tags:
    - users
    - user-admin

- name: remove user htop configuration directory
  file:
    path: "/var/home/{{ item.name }}/.config/htop"
    state: absent
  with_items: "{{ admin_users }}"
  tags:
    - users
    - user-admin

- name: write profile to homedir
  template:
    src: var/home/user/profile.j2
    dest: "/var/home/{{ item.name }}/.profile"
    owner: "{{ item.name }}"
    group: operator
    mode: "0700"
  with_items: "{{ admin_users }}"
  tags:
    - users
    - user-admin

- name: write vimrc to homedir
  template:
    src: var/home/user/vimrc.j2
    dest: "/var/home/{{ item.name }}/.vimrc"
    owner: "{{ item.name }}"
    group: operator
    mode: "0600"
  with_items: "{{ admin_users }}"
  tags:
    - users
    - user-admin

- name: create vimdir
  file:
    path: "/var/home/{{ item.name }}/.vim"
    state: directory
    owner: "{{ item.name }}"
    group: operator
    mode: "0700"
  with_items: "{{ admin_users }}"
  tags:
    - users
    - user-admin
#
# Verify and enable services
#
# Each service is started now and enabled at boot
- name: verify and enable services
  service:
    name: "{{ item }}"
    state: started
    enabled: true
  loop:
    - acpid
    - cpufrequtils
    - ntp
    - postfix
    - rsyslog
    - ssh
  tags: base-services
#
# Cleanup
#
# Installed by the "install cleanup scripts" task above; not guarded by
# changed_when, so it reports changed on every run
- name: run dpkg-cleanup.sh script
  command: /usr/local/sbin/dpkg-cleanup.sh

# Run any handlers notified so far now instead of at the end of the play
- meta: flush_handlers