Update tags and add kernel-cleanup script

Joshua Boniface 2021-02-02 12:34:25 -05:00
parent 1c05c8729f
commit ca3a5e144f
2 changed files with 133 additions and 58 deletions


@ -18,10 +18,12 @@
# #
# Remove obsolete issue-gen # Remove obsolete issue-gen
# #
- name: remove obsolete issue-gen script - name: remove obsolete issue-gen script from PVC installer
file: file:
dest: /etc/network/if-up.d/issue-gen dest: /etc/network/if-up.d/issue-gen
state: absent state: absent
when: newhost is defined and newhost
tags: always
# #
# Install custom fact scripts # Install custom fact scripts
@ -31,6 +33,7 @@
dest: "/etc/ansible/facts.d" dest: "/etc/ansible/facts.d"
state: directory state: directory
recurse: yes recurse: yes
tags: base-ansible
- name: install custom facts - name: install custom facts
template: template:
@ -42,22 +45,27 @@
- host_id - host_id
- host_group - host_group
- dhcp_status - dhcp_status
tags: base-ansible
- name: regather facts - name: regather facts
setup: setup:
when: installed_facts.changed when: installed_facts.changed
tags: base-ansible
- debug: - debug:
var: ansible_local.host_group var: ansible_local.host_group
verbosity: 1 verbosity: 1
tags: always
- debug: - debug:
var: ansible_local.host_id var: ansible_local.host_id
verbosity: 1 verbosity: 1
tags: always
- debug: - debug:
var: ansible_local.dhcp_status var: ansible_local.dhcp_status
verbosity: 1 verbosity: 1
tags: always
# #
# Configure APT # Configure APT
@ -71,14 +79,14 @@
- { src: "etc/apt/apt.conf.d/10norecommends.j2", dest: "/etc/apt/apt.conf.d/10norecommends" } - { src: "etc/apt/apt.conf.d/10norecommends.j2", dest: "/etc/apt/apt.conf.d/10norecommends" }
- { src: "etc/apt/preferences.d/pins.j2", dest: "/etc/apt/preferences.d/pins" } - { src: "etc/apt/preferences.d/pins.j2", dest: "/etc/apt/preferences.d/pins" }
- { src: "etc/apt/sources.list.{{ ansible_machine }}.j2", dest: "/etc/apt/sources.list" } - { src: "etc/apt/sources.list.{{ ansible_machine }}.j2", dest: "/etc/apt/sources.list" }
tags: apt tags: base-apt
- name: add key for bonilan repo - name: add key for bonilan repo
apt_key: apt_key:
url: "https://repo.bonifacelabs.net/debian/bonifacelabs_signing_key.pub" url: "https://repo.bonifacelabs.net/debian/bonifacelabs_signing_key.pub"
id: "83D07192314835D4" id: "83D07192314835D4"
state: present state: present
tags: apt tags: base-apt
# #
# Safe apt upgrades (on first install only) # Safe apt upgrades (on first install only)
@ -87,6 +95,8 @@
- name: apt update - name: apt update
apt: apt:
update-cache: yes update-cache: yes
when: newhost is defined and newhost
tags: base-apt
- name: aptitude safe upgrade with autoremove - name: aptitude safe upgrade with autoremove
apt: apt:
@ -94,6 +104,7 @@
autoremove: yes autoremove: yes
upgrade: safe upgrade: safe
when: newhost is defined and newhost when: newhost is defined and newhost
tags: base-apt
- name: install dbus - name: install dbus
apt: apt:
@ -101,12 +112,14 @@
- dbus - dbus
state: latest state: latest
when: newhost is defined and newhost when: newhost is defined and newhost
tags: base-apt
- name: clean out apt cache - name: clean out apt cache
file: file:
path: "/var/cache/apt/archives" path: "/var/cache/apt/archives"
state: absent state: absent
when: newhost is defined and newhost when: newhost is defined and newhost
tags: base-apt
# #
# Purge unneeded packages # Purge unneeded packages
@ -123,15 +136,13 @@
state: absent state: absent
purge: yes purge: yes
autoremove: yes autoremove: yes
tags: base-packages
#
# Install common packages
#
- name: set override debconf selections - name: set override debconf selections
shell: 'echo "{{ item }}" | debconf-set-selections' shell: 'echo "{{ item }}" | debconf-set-selections'
with_items: with_items:
- "wireshark-common wireshark-common/install-setuid boolean true" - "wireshark-common wireshark-common/install-setuid boolean true"
tags: base-packages
- name: install common packages (all arch) - name: install common packages (all arch)
apt: apt:
@ -202,6 +213,17 @@
- haveged - haveged
- linux-image-amd64 - linux-image-amd64
- linux-headers-amd64 - linux-headers-amd64
tags: base-packages
- name: install cleanup scripts
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0755
with_items:
- { src: "usr/local/sbin/kernel-cleanup.sh.j2", dest: "/usr/local/sbin/kernel-cleanup.sh" }
- { src: "usr/local/sbin/dpkg-cleanup.sh.j2", dest: "/usr/local/sbin/dpkg-cleanup.sh" }
tags: base-packages
# #
# System configuration # System configuration
@ -212,7 +234,7 @@
template: template:
src: etc/network/interfaces.j2 src: etc/network/interfaces.j2
dest: /etc/network/interfaces dest: /etc/network/interfaces
tags: network tags: base-network
- name: install per-interface files - name: install per-interface files
template: template:
@ -221,13 +243,14 @@
with_dict: "{{ networks }}" with_dict: "{{ networks }}"
loop_control: loop_control:
loop_var: network loop_var: network
tags: network tags: base-network
# capabilities # capabilities
- name: set ping capabilities - name: set ping capabilities
capabilities: capabilities:
path: /bin/ping path: /bin/ping
capability: cap_net_raw=ep capability: cap_net_raw=ep
tags: base-system
# locale # locale
- name: install locale config files - name: install locale config files
@ -239,6 +262,7 @@
with_items: with_items:
- { src: "etc/default/locale.j2", dest: "/etc/default/locale" } - { src: "etc/default/locale.j2", dest: "/etc/default/locale" }
- { src: "etc/locale.gen.j2", dest: "/etc/locale.gen" } - { src: "etc/locale.gen.j2", dest: "/etc/locale.gen" }
tags: base-system
- name: set timezone - name: set timezone
file: file:
@ -246,6 +270,30 @@
dest: /etc/localtime dest: /etc/localtime
state: link state: link
force: yes force: yes
tags: base-system
# sysctl
- name: install sysctl tweaks
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
with_items:
- { src: "etc/sysctl.d/pvc.conf.j2", dest: "/etc/sysctl.d/pvc.conf" }
tags: base-system
- name: activate sysctl tweaks
shell: "sysctl -p {{ item }}"
with_items:
- /etc/sysctl.d/pvc.conf
tags: base-system
# sudo
- name: write the sudoers file
template:
src: "etc/sudoers.j2"
dest: "/etc/sudoers"
mode: 0440
tags: base-system
# dns # dns
- name: write the hosts config - name: write the hosts config
@ -254,29 +302,16 @@
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
with_items: with_items:
- { src: "etc/hosts.j2", dest: "/etc/hosts" } - { src: "etc/hosts.j2", dest: "/etc/hosts" }
tags: dns tags: base-dns
- name: write the resolver configs - name: write the resolver configs
template: template:
src: "{{ item.src }}" src: "{{ item.src }}"
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
with_items: with_items:
- { src: "etc/dhcp/dhclient-enter-hooks.d/noresolv.j2", dest: "/etc/dhcp/dhclient-enter-hooks.d/noresolv" }
- { src: "etc/resolv.conf.j2", dest: "/etc/resolv.conf" } - { src: "etc/resolv.conf.j2", dest: "/etc/resolv.conf" }
tags: dns - { src: "etc/dhcp/dhclient-enter-hooks.d/noresolv.j2", dest: "/etc/dhcp/dhclient-enter-hooks.d/noresolv" }
tags: base-dns
# acpi
- name: install sysctl tweaks
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
with_items:
- { src: "etc/sysctl.d/pvc.conf.j2", dest: "/etc/sysctl.d/pvc.conf" }
- name: activate sysctl tweaks
shell: "sysctl -p {{ item }}"
with_items:
- /etc/sysctl.d/pvc.conf
# syslog # syslog
- name: install rsyslog and logrotate configs - name: install rsyslog and logrotate configs
@ -288,7 +323,7 @@
with_items: with_items:
- { src: "etc/rsyslog.conf.j2", dest: "/etc/rsyslog.conf" } - { src: "etc/rsyslog.conf.j2", dest: "/etc/rsyslog.conf" }
- { src: "etc/logrotate.d/rsyslog.j2", dest: "/etc/logrotate.d/rsyslog" } - { src: "etc/logrotate.d/rsyslog.j2", dest: "/etc/logrotate.d/rsyslog" }
tags: rsyslog tags: base-syslog
- name: set journalctl persistence - name: set journalctl persistence
template: template:
@ -297,7 +332,7 @@
mode: 0644 mode: 0644
with_items: with_items:
- { src: "etc/systemd/journald.conf.j2", dest: "/etc/systemd/journald.conf" } - { src: "etc/systemd/journald.conf.j2", dest: "/etc/systemd/journald.conf" }
tags: rsyslog tags: base-syslog
# cron # cron
- name: install crontab - name: install crontab
@ -307,6 +342,7 @@
mode: 0755 mode: 0755
with_items: with_items:
- { src: "etc/crontab.j2", dest: "/etc/crontab" } - { src: "etc/crontab.j2", dest: "/etc/crontab" }
tags: base-cron
# mta # mta
- name: install postfix generic config - name: install postfix generic config
@ -315,15 +351,14 @@
dest: "/etc/postfix/main.cf" dest: "/etc/postfix/main.cf"
notify: notify:
- restart postfix - restart postfix
tags: base-mta
- name: touch the postfix aliases file - name: touch the postfix aliases file
file: file:
dest: /etc/postfix/aliases dest: /etc/postfix/aliases
state: touch state: touch
tags: base-mta
#
# Local alias maps
#
- name: install local alias maps for various users - name: install local alias maps for various users
lineinfile: lineinfile:
dest: "/etc/aliases" dest: "/etc/aliases"
@ -337,6 +372,7 @@
- clamav - clamav
notify: notify:
- newaliases - newaliases
tags: base-mta
# ntp # ntp
- name: write the NTP config file - name: write the NTP config file
@ -347,23 +383,26 @@
- restart ntp - restart ntp
with_items: with_items:
- { src: "etc/ntp.conf.j2", dest: "/etc/ntp.conf" } - { src: "etc/ntp.conf.j2", dest: "/etc/ntp.conf" }
tags: ntp tags: base-time
# ssl # ssl
- name: ensure haveged is running - name: ensure haveged is running
service: service:
name: haveged name: haveged
state: started state: started
tags: base-ssl
- name: generate diffie-hellman parameters - name: generate diffie-hellman parameters
command: openssl dhparam -out /etc/ssl/dhparams.pem 2048 command: openssl dhparam -out /etc/ssl/dhparams.pem 2048
args: args:
creates: /etc/ssl/dhparams.pem creates: /etc/ssl/dhparams.pem
tags: base-ssl
- name: correct permissions on dhparams - name: correct permissions on dhparams
file: file:
dest: /etc/ssl/dhparams.pem dest: /etc/ssl/dhparams.pem
mode: 0440 mode: 0440
tags: base-ssl
# ssh # ssh
- name: write the sshd_config files - name: write the sshd_config files
@ -377,13 +416,13 @@
- { src: 'etc/ssh/sshd_config.j2', dest: '/etc/ssh/sshd_config' } - { src: 'etc/ssh/sshd_config.j2', dest: '/etc/ssh/sshd_config' }
- { src: 'etc/ssh/shosts.equiv.j2', dest: '/etc/ssh/shosts.equiv' } - { src: 'etc/ssh/shosts.equiv.j2', dest: '/etc/ssh/shosts.equiv' }
- { src: 'etc/ssh/ssh_known_hosts.j2', dest: '/etc/ssh/ssh_known_hosts' } - { src: 'etc/ssh/ssh_known_hosts.j2', dest: '/etc/ssh/ssh_known_hosts' }
tags: ssh tags: base-ssh
- name: write sshd pam.d config - name: write sshd pam.d config
template: template:
src: "etc/pam.d/sshd.j2" src: "etc/pam.d/sshd.j2"
dest: "/etc/pam.d/sshd" dest: "/etc/pam.d/sshd"
tags: ssh tags: base-ssh
- name: remove unneeded SSH keys (leave only RSA and ED25519) - name: remove unneeded SSH keys (leave only RSA and ED25519)
file: file:
@ -396,7 +435,7 @@
- /etc/ssh/ssh_host_ecdsa_key.pub - /etc/ssh/ssh_host_ecdsa_key.pub
notify: notify:
- restart ssh - restart ssh
tags: ssh tags: base-ssh
- name: set permissions on rsa and ed25519 host keys (just in case they're wrong) - name: set permissions on rsa and ed25519 host keys (just in case they're wrong)
file: file:
@ -407,20 +446,14 @@
- { name: 'ssh_host_rsa_key.pub', mode: '644' } - { name: 'ssh_host_rsa_key.pub', mode: '644' }
- { name: 'ssh_host_ed25519_key', mode: '600' } - { name: 'ssh_host_ed25519_key', mode: '600' }
- { name: 'ssh_host_ed25519_key.pub', mode: '644' } - { name: 'ssh_host_ed25519_key.pub', mode: '644' }
tags: ssh tags: base-ssh
# sudo
- name: write the sudoers file
template:
src: "etc/sudoers.j2"
dest: "/etc/sudoers"
mode: 0440
# bash # bash
- name: write the bash.bashrc config file - name: write the bash.bashrc config file
template: template:
src: "etc/bash.bashrc.j2" src: "etc/bash.bashrc.j2"
dest: "/etc/bash.bashrc" dest: "/etc/bash.bashrc"
tags: base-shell
# motd # motd
- name: ensure update-motd and profile.d scripts are present - name: ensure update-motd and profile.d scripts are present
@ -432,7 +465,7 @@
- { src: "usr/local/sbin/update-motd.sh.j2", dest: "/usr/local/sbin/update-motd.sh" } - { src: "usr/local/sbin/update-motd.sh.j2", dest: "/usr/local/sbin/update-motd.sh" }
- { src: "etc/profile.d/w.sh.j2", dest: "/etc/profile.d/w.sh" } - { src: "etc/profile.d/w.sh.j2", dest: "/etc/profile.d/w.sh" }
- { src: "etc/profile.d/pvc.sh.j2", dest: "/etc/profile.d/zzz_pvc.sh" } - { src: "etc/profile.d/pvc.sh.j2", dest: "/etc/profile.d/zzz_pvc.sh" }
tags: motd tags: base-shell
- name: install update-motd crontab - name: install update-motd crontab
template: template:
@ -441,23 +474,13 @@
mode: 0644 mode: 0644
with_items: with_items:
- { src: "etc/cron.d/update-motd.j2", dest: "/etc/cron.d/update-motd" } - { src: "etc/cron.d/update-motd.j2", dest: "/etc/cron.d/update-motd" }
tags: motd tags: base-shell
- name: ensure /etc/motd is absent - name: ensure /etc/motd is absent
file: file:
dest: "/etc/motd" dest: "/etc/motd"
state: absent state: absent
tags: motd tags: base-shell
# dpkg
- name: install dpkg-cleanup script
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0755
with_items:
- { src: "usr/local/sbin/dpkg-cleanup.sh.j2", dest: "/usr/local/sbin/dpkg-cleanup.sh" }
tags: dpkg
# fail2ban # fail2ban
- name: install fail2ban configurations - name: install fail2ban configurations
@ -471,7 +494,7 @@
- { src: "etc/fail2ban/filter.d/sshd.conf.j2", dest: "/etc/fail2ban/filter.d/sshd.conf" } - { src: "etc/fail2ban/filter.d/sshd.conf.j2", dest: "/etc/fail2ban/filter.d/sshd.conf" }
- { src: "etc/fail2ban/jail.d/sshd.conf.j2", dest: "/etc/fail2ban/jail.d/sshd.conf" } - { src: "etc/fail2ban/jail.d/sshd.conf.j2", dest: "/etc/fail2ban/jail.d/sshd.conf" }
- { src: "etc/fail2ban/jail.d/sshd.local.j2", dest: "/etc/fail2ban/jail.d/sshd.local" } - { src: "etc/fail2ban/jail.d/sshd.local.j2", dest: "/etc/fail2ban/jail.d/sshd.local" }
tags: fail2ban tags: base-fail2ban
# check-mk-agent # check-mk-agent
- name: install check_mk agent plugins - name: install check_mk agent plugins
@ -487,7 +510,7 @@
- freshness - freshness
- kernelversion - kernelversion
- ownership - ownership
tags: check-mk-agent tags: base-cmkagent
# #
# Configure users # Configure users
@ -734,7 +757,7 @@
- name: create vimdir - name: create vimdir
file: file:
state: directory state: directory
dest: /var/home/{{ item.name }}/.vim dest: /var/home/{{ item.name }}/.vim
owner: "{{ item.name }}" owner: "{{ item.name }}"
group: operator group: operator
mode: 0700 mode: 0700
@ -756,5 +779,6 @@
- postfix - postfix
- ntp - ntp
- ssh - ssh
tags: base-services
- meta: flush_handlers - meta: flush_handlers
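Review bot: The sudoers template task in the `@ -246,6 +270,30 @@` hunk writes /etc/sudoers with no `validate:`, so a templating mistake in etc/sudoers.j2 is installed verbatim and disables sudo on the host until it is repaired out-of-band; adding `validate: 'visudo -cf %s'` to that template call makes Ansible reject a malformed rendering before the file is replaced (the task was moved here from the ssh section, where it had the same gap). In the same hunk, `activate sysctl tweaks` runs `sysctl -p` through `shell` on every play, so the task always reports changed; either `notify` it from the template task or add `changed_when: false`, and `command:` is sufficient since no shell features are used. The unquoted `mode: 0755` and `mode: 0440` values rely on YAML 1.1 octal parsing, which ansible-lint flags; `mode: "0755"` is the portable form.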


@ -0,0 +1,51 @@
#!/bin/bash
# kernel-cleanup.sh - Remove obsolete packages and config files
# {{ ansible_managed }}
# Determine the active running kernel
RUNNING_KERNEL="$( uname -v | awk '{ print $4 }' )"
# Determine the list of installed kernels (latest is always last)
INSTALLED_KERNELS=( $( dpkg -l | grep 'linux-image-[0-9]' | awk '{ print $3 }' ) )
NUM_INSTALLED=${{ '{#' }}INSTALLED_KERNELS[@]}
if [[ ${NUM_INSTALLED} -le 1 ]]; then
echo "A single kernel is installed, aborting cleanly."
exit 0
fi
LATEST_KERNEL="${INSTALLED_KERNELS[-1]}"
if [[ ${LATEST_KERNEL} == ${RUNNING_KERNEL} ]]; then
force="--allow-remove-essential"
else
force=""
fi
# Remove the latest kernel from the array
NUM_REMOVABLE=$(( ${NUM_INSTALLED} - 1 ))
REMOVABLE_KERNELS=( ${INSTALLED_KERNELS[@]:0:${NUM_REMOVABLE}} )
PURGE_PACKAGES=()
for KERNEL in ${REMOVABLE_KERNELS[@]}; do
PURGE_PACKAGES+=( $( dpkg -l | grep ${KERNEL} | awk '{ print $2 }' ) )
done
# Override the "linux-check-removal" script
mv /usr/bin/linux-check-removal /usr/bin/linux-check-removal.orig
echo -e '#!/bin/sh\necho "Overriding default linux-check-removal script!"\nexit 0' > /usr/bin/linux-check-removal
chmod +x /usr/bin/linux-check-removal
# Remove the packages
echo "Removing: ${PURGE_PACKAGES[@]}"
apt-get purge --yes ${force} ${PURGE_PACKAGES[@]}
# Restore the "linux-check-removal" script
mv /usr/bin/linux-check-removal.orig /usr/bin/linux-check-removal
# Make sure there is still a valid kernel installed (just in case something broke)
if [[ $( dpkg -l | grep 'linux-image-[0-9]' | wc -l ) -lt 1 ]]; then
echo "WARNING: NO KERNEL IS INSTALLED. THROWING ERROR AND ABORTING."
exit 1
fi
exit 0
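Review bot: The stub written over /usr/bin/linux-check-removal is only restored on the success path; if apt-get purge is interrupted or the script is killed between the two mv calls, the safety check stays disabled for every later kernel removal on the host. Registering the restore as `trap 'mv -f /usr/bin/linux-check-removal.orig /usr/bin/linux-check-removal' EXIT` immediately after the override keeps the original in place on any exit. The purge list built from `dpkg -l | grep ${KERNEL}` is also an unanchored, unquoted regex over the whole dpkg line, so any package whose line contains that version string is purged too (Debian's linux-libc-dev, for instance, carries the kernel source version); matching on the fields instead, `dpkg -l | awk -v v="${KERNEL}" '$1=="ii" && $3==v && $2 ~ /^linux-(image|headers)-/ {print $2}'`, restricts the selection to installed kernel and header packages as the comment describes. The "latest is always last" assumption depends on dpkg -l's name order, which sorts ABI numbers lexically (…-9-amd64 after …-13-amd64), so it is worth confirming on a host with two-digit ABI versions before relying on it.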