--- # # First run check # - name: check if this is a new instance shell: "echo 'bootstrapped' > /etc/pvc-install.base" args: creates: /etc/pvc-install.base register: newhost_check tags: always - name: set newhost fact set_fact: newhost: yes when: newhost_check.changed tags: always # # Remove obsolete issue-gen # - name: remove obsolete issue-gen script from PVC installer file: dest: /etc/network/if-up.d/issue-gen state: absent when: newhost is defined and newhost tags: always # # Install custom fact scripts # - name: create facts directory file: dest: "/etc/ansible/facts.d" state: directory recurse: yes tags: base-ansible - name: install custom facts template: src: "etc/ansible/facts.d/{{ item }}.fact.j2" dest: "/etc/ansible/facts.d/{{ item }}.fact" mode: 0755 register: installed_facts with_items: - host_id - host_group - dhcp_status tags: base-ansible - name: regather facts setup: when: installed_facts.changed tags: base-ansible - debug: var: ansible_local.host_group verbosity: 1 tags: always - debug: var: ansible_local.host_id verbosity: 1 tags: always - debug: var: ansible_local.dhcp_status verbosity: 1 tags: always # # Configure APT # - name: install apt config files template: src: "{{ item.src }}" dest: "{{ item.dest }}" with_items: - { src: "etc/apt/apt.conf.d/10norecommends.j2", dest: "/etc/apt/apt.conf.d/10norecommends" } - { src: "etc/apt/preferences.d/pins.j2", dest: "/etc/apt/preferences.d/pins" } - { src: "etc/apt/sources.list.{{ ansible_machine }}.{{ ansible_distribution_release }}.j2", dest: "/etc/apt/sources.list" } tags: base-apt - name: add key for bonilan repo apt_key: url: "https://repo.bonifacelabs.net/debian/bonifacelabs_signing_key.pub" id: "83D07192314835D4" state: present tags: base-apt # # Safe apt upgrades (on first install only) # - name: apt update apt: update-cache: yes when: newhost is defined and newhost tags: base-apt - name: aptitude safe upgrade with autoremove apt: update_cache: yes autoremove: yes upgrade: safe when: newhost is defined and newhost tags: base-apt - name: install dbus apt: name: - dbus state: latest when: newhost is defined and newhost tags: base-apt - name: clean out apt cache file: path: "/var/cache/apt/archives" state: absent when: newhost is defined and newhost tags: base-apt # # Purge unneeded packages # - name: remove unneeded packages apt: name: - exim4 - exim4-base - exim4-config - exim4-daemon-light - joe state: absent purge: yes autoremove: yes tags: base-packages - name: set override debconf selections shell: 'echo "{{ item }}" | debconf-set-selections' with_items: - "wireshark-common wireshark-common/install-setuid boolean true" tags: base-packages - name: install common packages (all arch) apt: name: - debconf-utils - iptables - locales - acpid - acpi-support-base - rsync - bash - bash-completion - net-tools - pciutils - usbutils - check-mk-agent - dns-root-data - bind9-host - dnsutils - whois - postfix - ntp - openssh-client - openssh-server - libpam-systemd - fail2ban - ca-certificates - openssl - sudo - rsyslog - logrotate - man - less - vim - nano - git - vlan - bridge-utils - ifenslave - nmap - netcat-openbsd - htop - psmisc - dstat - iotop - lsof - jnettop - iperf - sysstat - binutils - deborphan - wget - curl - gawk - uuid-runtime - mmv - pv - bc - reptyr - sharutils - tcptraceroute - nethogs - strace - tshark - acl - bzip2 - lzop - xz-utils - haveged - linux-image-amd64 - linux-headers-amd64 tags: base-packages - name: install cleanup scripts template: src: "{{ item.src }}" dest: "{{ item.dest }}" mode: 0755 with_items: - { src: "usr/local/sbin/kernel-cleanup.sh.j2", dest: "/usr/local/sbin/kernel-cleanup.sh" } - { src: "usr/local/sbin/dpkg-cleanup.sh.j2", dest: "/usr/local/sbin/dpkg-cleanup.sh" } tags: base-packages # # System configuration # # networking - name: install base interfaces file template: src: etc/network/interfaces.j2 dest: /etc/network/interfaces tags: base-network - name: install per-interface files template: src: etc/network/interfaces-perif.j2 dest: /etc/network/interfaces.d/{{ network.key }} with_dict: "{{ networks }}" loop_control: loop_var: network tags: base-network # capabilities - name: set ping capabilities capabilities: path: /bin/ping capability: cap_net_raw=ep tags: base-system # locale - name: install locale config files template: src: "{{ item.src }}" dest: "{{ item.dest }}" notify: - generate locales with_items: - { src: "etc/default/locale.j2", dest: "/etc/default/locale" } - { src: "etc/locale.gen.j2", dest: "/etc/locale.gen" } tags: base-system - name: set timezone file: src: /usr/share/zoneinfo/{{ timezone_location }} dest: /etc/localtime state: link force: yes tags: base-system # sysctl - name: install sysctl tweaks template: src: "{{ item.src }}" dest: "{{ item.dest }}" with_items: - { src: "etc/sysctl.d/pvc.conf.j2", dest: "/etc/sysctl.d/pvc.conf" } tags: base-system - name: activate sysctl tweaks shell: "sysctl -p {{ item }}" with_items: - /etc/sysctl.d/pvc.conf tags: base-system # sudo - name: write the sudoers file template: src: "etc/sudoers.j2" dest: "/etc/sudoers" mode: 0440 tags: base-system # dns - name: write the hosts config template: src: "{{ item.src }}" dest: "{{ item.dest }}" with_items: - { src: "etc/hosts.j2", dest: "/etc/hosts" } tags: base-dns - name: write the resolver configs template: src: "{{ item.src }}" dest: "{{ item.dest }}" with_items: - { src: "etc/resolv.conf.j2", dest: "/etc/resolv.conf" } - { src: "etc/dhcp/dhclient-enter-hooks.d/noresolv.j2", dest: "/etc/dhcp/dhclient-enter-hooks.d/noresolv" } tags: base-dns # syslog - name: install rsyslog and logrotate configs template: src: "{{ item.src }}" dest: "{{ item.dest }}" notify: - restart rsyslog with_items: - { src: "etc/rsyslog.conf.j2", dest: "/etc/rsyslog.conf" } - { src: "etc/logrotate.d/rsyslog.j2", dest: "/etc/logrotate.d/rsyslog" } tags: base-syslog - name: set journalctl persistence template: src: "{{ item.src }}" dest: "{{ item.dest }}" mode: 0644 with_items: - { src: "etc/systemd/journald.conf.j2", dest: "/etc/systemd/journald.conf" } tags: base-syslog # cron - name: install crontab template: src: "{{ item.src }}" dest: "{{ item.dest }}" mode: 0755 with_items: - { src: "etc/crontab.j2", dest: "/etc/crontab" } tags: base-cron # mta - name: install postfix generic config template: src: "etc/postfix/main.cf.j2" dest: "/etc/postfix/main.cf" notify: - restart postfix tags: base-mta - name: touch the postfix aliases file file: dest: /etc/postfix/aliases state: touch tags: base-mta - name: install local alias maps for various users lineinfile: dest: "/etc/aliases" regexp: "^{{ item }}:" line: "{{ item }}: {{ username_email_root }}" state: present with_items: - root - postmaster - amavis - clamav notify: - newaliases tags: base-mta # ntp - name: write the NTP config file template: src: "{{ item.src }}" dest: "{{ item.dest }}" notify: - restart ntp with_items: - { src: "etc/ntp.conf.j2", dest: "/etc/ntp.conf" } tags: base-time # ssl - name: ensure haveged is running service: name: haveged state: started tags: base-ssl - name: generate diffie-hellman parameters command: openssl dhparam -out /etc/ssl/dhparams.pem 2048 args: creates: /etc/ssl/dhparams.pem tags: base-ssl - name: correct permissions on dhparams file: dest: /etc/ssl/dhparams.pem mode: 0440 tags: base-ssl # ssh - name: write the sshd_config files template: src: "{{ item.src }}" dest: "{{ item.dest }}" notify: - restart ssh with_items: - { src: 'etc/ssh/ssh_config.j2', dest: '/etc/ssh/ssh_config' } - { src: 'etc/ssh/sshd_config.j2', dest: '/etc/ssh/sshd_config' } - { src: 'etc/ssh/shosts.equiv.j2', dest: '/etc/ssh/shosts.equiv' } - { src: 'etc/ssh/ssh_known_hosts.j2', dest: '/etc/ssh/ssh_known_hosts' } tags: base-ssh - name: write sshd pam.d config template: src: "etc/pam.d/sshd.j2" dest: "/etc/pam.d/sshd" tags: base-ssh - name: remove unneeded SSH keys (leave only RSA and ED25519) file: name: "{{ item }}" state: "absent" with_items: - /etc/ssh/ssh_host_dsa_key - /etc/ssh/ssh_host_dsa_key.pub - /etc/ssh/ssh_host_ecdsa_key - /etc/ssh/ssh_host_ecdsa_key.pub notify: - restart ssh tags: base-ssh - name: set permissions on rsa and ed25519 host keys (just in case they're wrong) file: name: "/etc/ssh/{{ item.name }}" mode: "{{ item.mode }}" with_items: - { name: 'ssh_host_rsa_key', mode: '600' } - { name: 'ssh_host_rsa_key.pub', mode: '644' } - { name: 'ssh_host_ed25519_key', mode: '600' } - { name: 'ssh_host_ed25519_key.pub', mode: '644' } tags: base-ssh # bash - name: write the bash.bashrc config file template: src: "etc/bash.bashrc.j2" dest: "/etc/bash.bashrc" tags: base-shell # motd - name: ensure update-motd and profile.d scripts are present template: src: "{{ item.src }}" dest: "{{ item.dest }}" mode: 0755 with_items: - { src: "usr/local/sbin/update-motd.sh.j2", dest: "/usr/local/sbin/update-motd.sh" } - { src: "etc/profile.d/w.sh.j2", dest: "/etc/profile.d/w.sh" } - { src: "etc/profile.d/pvc.sh.j2", dest: "/etc/profile.d/zzz_pvc.sh" } tags: base-shell - name: install update-motd crontab template: src: "{{ item.src }}" dest: "{{ item.dest }}" mode: 0644 with_items: - { src: "etc/cron.d/update-motd.j2", dest: "/etc/cron.d/update-motd" } tags: base-shell - name: ensure /etc/motd is absent file: dest: "/etc/motd" state: absent tags: base-shell # fail2ban - name: install fail2ban configurations template: src: "{{ item.src }}" dest: "{{ item.dest }}" mode: 0644 notify: restart fail2ban with_items: - { src: "etc/fail2ban/action.d/route.conf.j2", dest: "/etc/fail2ban/action.d/route.conf" } - { src: "etc/fail2ban/filter.d/sshd.conf.j2", dest: "/etc/fail2ban/filter.d/sshd.conf" } - { src: "etc/fail2ban/jail.d/sshd.conf.j2", dest: "/etc/fail2ban/jail.d/sshd.conf" } - { src: "etc/fail2ban/jail.d/sshd.local.j2", dest: "/etc/fail2ban/jail.d/sshd.local" } tags: base-fail2ban # check-mk-agent - name: install check_mk agent plugins copy: src: "usr/lib/check_mk_agent/plugins/{{ item }}" dest: "/usr/lib/check_mk_agent/plugins/{{ item }}" mode: 0755 with_items: - backup - cephfsmounts - dpkg - entropy - freshness - kernelversion - ownership tags: base-cmkagent # # Configure users # # common - name: ensure /var/home exists file: state: directory dest: /var/home tags: users # root - name: generate Root password hash command: "mkpasswd --method=sha512crypt {{ root_password }}" no_log: true register: mkpasswd tags: users - name: set Root password user: name: root password: "{{ mkpasswd.stdout }}" tags: users - name: remove Root known_hosts file: state: absent dest: /root/.ssh/known_hosts tags: users - name: write vimrc to root homedir template: src: var/home/user/vimrc.j2 dest: /root/.vimrc mode: 0600 tags: users - name: create vimdir file: state: directory dest: /root/.vim mode: 0700 tags: users - name: write htoprc to homedir template: src: var/home/user/config/htop/htoprc.j2 dest: /root/.htoprc mode: 0600 tags: users # backup - name: ensure backup user has shell user: name: backup shell: /bin/sh tags: users - name: create backup .ssh directory file: path: /var/backups/.ssh state: directory owner: backup group: root mode: 0700 tags: users - name: create backup authorized_keys file template: src: var/backups/ssh/authorized_keys.j2 dest: /var/backups/.ssh/authorized_keys owner: backup group: root mode: 0640 tags: users - name: write the sudoers file template: src: etc/sudoers.d/sudoers-backup.j2 dest: /etc/sudoers.d/backup tags: users - name: install the post-backup timestamp script template: src: var/backups/timestamp.sh.j2 dest: /var/backups/timestamp.sh mode: 0755 tags: users - name: touch shares file file: dest: /var/backups/shares state: touch owner: backup tags: users # deploy - name: ensure user deploy exists user: name: deploy uid: 200 group: operator shell: /bin/bash home: /var/home/deploy createhome: yes move_home: yes state: present append: yes tags: users - name: ensure homedir has right permissions file: dest: /var/home/deploy state: directory owner: deploy group: operator mode: 0700 tags: users - name: ensure .ssh directory exists file: dest: /var/home/deploy/.ssh state: directory owner: deploy group: operator mode: 0700 tags: users - name: add authorized keys authorized_key: user: "deploy" key: "{{ item.1 }}" with_subelements: - "{{ admin_users }}" - keys tags: users # admin_users - name: ensure user exists user: name: "{{ item.name }}" uid: "{{ item.uid }}" group: operator groups: sudo,adm,wireshark shell: /bin/bash home: "/var/home/{{ item.name }}" createhome: yes state: present append: yes with_items: "{{ admin_users }}" tags: users - name: ensure homedir has right permissions file: dest: "/var/home/{{ item.name }}" state: directory owner: "{{ item.name }}" group: operator mode: 0700 with_items: "{{ admin_users }}" tags: users - name: ensure .ssh directory exists file: dest: "/var/home/{{ item.name }}/.ssh" state: directory owner: "{{ item.name }}" group: operator mode: 0700 with_items: "{{ admin_users }}" tags: users - name: add authorized keys authorized_key: user: "{{ item.0.name }}" key: "{{ item.1 }}" with_subelements: - "{{ admin_users }}" - keys tags: users - name: write bashrc to homedir template: src: var/home/user/bashrc.j2 dest: "/var/home/{{ item.name }}/.bashrc" owner: "{{ item.name }}" group: operator mode: 0700 with_items: "{{ admin_users }}" tags: users - name: write bash_logout to homedir template: src: var/home/user/bash_logout.j2 dest: "/var/home/{{ item.name }}/.bash_logout" owner: "{{ item.name }}" group: operator mode: 0700 with_items: "{{ admin_users }}" tags: users - name: ensure htop config directory exists file: dest: "/var/home/{{ item.name }}/.config/htop" state: directory owner: "{{ item.name }}" group: operator mode: 0755 with_items: "{{ admin_users }}" tags: users - name: write htoprc to homedir template: src: var/home/user/config/htop/htoprc.j2 dest: "/var/home/{{ item.name }}/.config/htop/htoprc" owner: "{{ item.name }}" group: operator mode: 0644 with_items: "{{ admin_users }}" tags: users - name: write profile to homedir template: src: var/home/user/profile.j2 dest: "/var/home/{{ item.name }}/.profile" owner: "{{ item.name }}" group: operator mode: 0700 with_items: "{{ admin_users }}" tags: users - name: write vimrc to homedir template: src: var/home/user/vimrc.j2 dest: "/var/home/{{ item.name }}/.vimrc" owner: "{{ item.name }}" group: operator mode: 0600 with_items: "{{ admin_users }}" tags: users - name: create vimdir file: state: directory dest: /var/home/{{ item.name }}/.vim owner: "{{ item.name }}" group: operator mode: 0700 with_items: "{{ admin_users }}" tags: users # # Verify and enable services # - name: verify and enable services service: name: "{{ item }}" state: started enabled: yes with_items: - acpid - rsyslog - postfix - ntp - ssh tags: base-services - meta: flush_handlers