Update common role
- Add secure-secure-shell task - Add unattended-upgrades task - Change package installation tasks - Remove website tasks from generic services group
This commit is contained in:
parent
db911b40c1
commit
17468493cc
24
roles/common/defaults/main.yml
Normal file
24
roles/common/defaults/main.yml
Normal file
|
@ -0,0 +1,24 @@
|
|||
---
|
||||
common_expected_packages:
|
||||
- curl
|
||||
- git
|
||||
- python-virtualenv
|
||||
- python3-virtualenv
|
||||
- wget
|
||||
ssh_match_blocks: []
|
||||
unattended_upgrades_mail: false
|
||||
unattended_upgrades_origins:
|
||||
- o=${distro_id},n=${distro_codename},l=Debian-Security
|
||||
- o=${distro_id},n=${distro_codename}-updates
|
||||
- o=${distro_id},n=${distro_codename}-backports
|
||||
unattended_upgrades_reboot: "false"
|
||||
unattended_upgrades_reboot_time: "07:00"
|
||||
user_sanity_packages:
|
||||
- htop
|
||||
- less
|
||||
- mosh
|
||||
- nano
|
||||
- screen
|
||||
- tree
|
||||
- vim
|
||||
- zsh
|
5
roles/common/files/10periodic
Normal file
5
roles/common/files/10periodic
Normal file
|
@ -0,0 +1,5 @@
|
|||
APT::Periodic::Enable "1";
|
||||
APT::Periodic::Update-Package-Lists "1";
|
||||
APT::Periodic::Download-Upgradeable-Packages "1";
|
||||
APT::Periodic::Unattended-Upgrade "1";
|
||||
APT::Periodic::AutocleanInterval "7";
|
8
roles/common/handlers/main.yml
Normal file
8
roles/common/handlers/main.yml
Normal file
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
- name: upgrade packages
|
||||
apt:
|
||||
upgrade: full
|
||||
update_cache: yes
|
||||
|
||||
- name: clean package cache
|
||||
command: apt-get clean
|
|
@ -1,19 +1,11 @@
|
|||
---
|
||||
- name: run apt-get update
|
||||
apt: update_cache=yes
|
||||
tags:
|
||||
- common
|
||||
|
||||
- name: install common packages
|
||||
apt: name={{ item }} state=latest
|
||||
with_items:
|
||||
- aptitude
|
||||
- curl
|
||||
- git
|
||||
- mosh
|
||||
- nano
|
||||
- python
|
||||
- wget
|
||||
- zsh
|
||||
tags:
|
||||
- common
|
||||
- include: pre-tasks.yml
|
||||
tags: common
|
||||
- include: secure-secure-shell.yml
|
||||
tags: common
|
||||
- include: unattended-upgrades.yml
|
||||
tags: common
|
||||
- include: user-sanity.yml
|
||||
tags: common
|
||||
- include: post-tasks.yml
|
||||
tags: common
|
||||
|
|
6
roles/common/tasks/post-tasks.yml
Normal file
6
roles/common/tasks/post-tasks.yml
Normal file
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
- name: install expected packages
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
with_items: "{{ common_expected_packages }}"
|
8
roles/common/tasks/pre-tasks.yml
Normal file
8
roles/common/tasks/pre-tasks.yml
Normal file
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
- name: install requirements for some Ansible operations
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
with_items:
|
||||
- aptitude
|
||||
- python-apt
|
28
roles/common/tasks/secure-secure-shell.yml
Normal file
28
roles/common/tasks/secure-secure-shell.yml
Normal file
|
@ -0,0 +1,28 @@
|
|||
# Secure SSH Configuration
|
||||
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
|
||||
---
|
||||
- name: check for ED25519 host key
|
||||
stat: path=/etc/ssh/ssh_host_ed25519_key
|
||||
register: f
|
||||
- fail: msg="No ED25519 host key found"
|
||||
when: not f.stat.exists
|
||||
|
||||
- name: check for RSA host key
|
||||
stat: path=/etc/ssh/ssh_host_rsa_key
|
||||
register: f
|
||||
- fail: msg="No RSA host key found"
|
||||
when: not f.stat.exists
|
||||
|
||||
- name: template sshd_config
|
||||
template:
|
||||
src: templates/sshd_config.j2
|
||||
dest: /etc/ssh/sshd_config
|
||||
backup: yes
|
||||
register: sshd_config
|
||||
|
||||
# reload sshd now in case the handlers don't run
|
||||
- name: reload sshd
|
||||
service:
|
||||
name: ssh
|
||||
state: reloaded
|
||||
when: sshd_config.changed
|
18
roles/common/tasks/unattended-upgrades.yml
Normal file
18
roles/common/tasks/unattended-upgrades.yml
Normal file
|
@ -0,0 +1,18 @@
|
|||
---
|
||||
- name: install unattended-upgrades
|
||||
apt:
|
||||
name: unattended-upgrades
|
||||
state: present
|
||||
|
||||
- name: copy 10periodic
|
||||
copy:
|
||||
src: files/10periodic
|
||||
dest: /etc/apt/apt.conf.d
|
||||
|
||||
- name: template 50unattended-upgrades
|
||||
template:
|
||||
src: templates/50unattended-upgrades.j2
|
||||
dest: /etc/apt/apt.conf.d/50unattended-upgrades
|
||||
notify:
|
||||
- upgrade packages
|
||||
- clean package cache
|
25
roles/common/tasks/user-sanity.yml
Normal file
25
roles/common/tasks/user-sanity.yml
Normal file
|
@ -0,0 +1,25 @@
|
|||
---
|
||||
- name: purge vim-tiny
|
||||
apt:
|
||||
name: vim-tiny
|
||||
state: absent
|
||||
purge: yes
|
||||
|
||||
- name: install user sanity packages
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
with_items: "{{ user_sanity_packages }}"
|
||||
|
||||
- name: check for /etc/screenrc
|
||||
stat: path=/etc/screenrc
|
||||
register: f
|
||||
|
||||
- name: disable screen startup message
|
||||
lineinfile:
|
||||
dest: /etc/screenrc
|
||||
regexp: '^#(startup_message off)$'
|
||||
line: '\1'
|
||||
backrefs: yes
|
||||
backup: yes
|
||||
when: f.stat.exists
|
84
roles/common/templates/50unattended-upgrades.j2
Normal file
84
roles/common/templates/50unattended-upgrades.j2
Normal file
|
@ -0,0 +1,84 @@
|
|||
// Unattended-Upgrade::Origins-Pattern controls which packages are
|
||||
// upgraded.
|
||||
//
|
||||
// Lines below have the format format is "keyword=value,...". A
|
||||
// package will be upgraded only if the values in its metadata match
|
||||
// all the supplied keywords in a line. (In other words, omitted
|
||||
// keywords are wild cards.) The keywords originate from the Release
|
||||
// file, but several aliases are accepted. The accepted keywords are:
|
||||
// a,archive,suite (eg, "stable")
|
||||
// c,component (eg, "main", "crontrib", "non-free")
|
||||
// l,label (eg, "Debian", "Debian-Security")
|
||||
// o,origin (eg, "Debian", "Unofficial Multimedia Packages")
|
||||
// n,codename (eg, "jessie", "jessie-updates")
|
||||
// site (eg, "http.debian.net")
|
||||
// The available values on the system are printed by the command
|
||||
// "apt-cache policy", and can be debugged by running
|
||||
// "unattended-upgrades -d" and looking at the log file.
|
||||
//
|
||||
// Within lines unattended-upgrades allows 2 macros whose values are
|
||||
// derived from /etc/debian_version:
|
||||
// ${distro_id} Installed origin.
|
||||
// ${distro_codename} Installed codename (eg, "jessie")
|
||||
Unattended-Upgrade::Origins-Pattern {
|
||||
{% for origin in unattended_upgrades_origins %}
|
||||
"{{ origin }}";
|
||||
{% endfor %}
|
||||
};
|
||||
|
||||
// List of packages to not update (regexp are supported)
|
||||
Unattended-Upgrade::Package-Blacklist {
|
||||
// "vim";
|
||||
// "libc6";
|
||||
// "libc6-dev";
|
||||
// "libc6-i686";
|
||||
};
|
||||
|
||||
// This option allows you to control if on a unclean dpkg exit
|
||||
// unattended-upgrades will automatically run
|
||||
// dpkg --force-confold --configure -a
|
||||
// The default is true, to ensure updates keep getting installed
|
||||
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
|
||||
|
||||
// Split the upgrade into the smallest possible chunks so that
|
||||
// they can be interrupted with SIGUSR1. This makes the upgrade
|
||||
// a bit slower but it has the benefit that shutdown while a upgrade
|
||||
// is running is possible (with a small delay)
|
||||
//Unattended-Upgrade::MinimalSteps "true";
|
||||
|
||||
// Install all unattended-upgrades when the machine is shuting down
|
||||
// instead of doing it in the background while the machine is running
|
||||
// This will (obviously) make shutdown slower
|
||||
//Unattended-Upgrade::InstallOnShutdown "true";
|
||||
|
||||
{% if unattended_upgrades_mail %}
|
||||
// Send email to this address for problems or packages upgrades
|
||||
// If empty or unset then no email is sent, make sure that you
|
||||
// have a working mail setup on your system. A package that provides
|
||||
// 'mailx' must be installed. E.g. "user@example.com"
|
||||
Unattended-Upgrade::Mail "{{ unattended_upgrades_mail }}";
|
||||
{% endif %}
|
||||
|
||||
// Set this value to "true" to get emails only on errors. Default
|
||||
// is to always send a mail if Unattended-Upgrade::Mail is set
|
||||
//Unattended-Upgrade::MailOnlyOnError "true";
|
||||
|
||||
// Do automatic removal of new unused dependencies after the upgrade
|
||||
// (equivalent to apt-get autoremove)
|
||||
Unattended-Upgrade::Remove-Unused-Dependencies "true";
|
||||
|
||||
// Automatically reboot *WITHOUT CONFIRMATION*
|
||||
// if the file /var/run/reboot-required is found after the upgrade
|
||||
Unattended-Upgrade::Automatic-Reboot "{{ unattended_upgrades_reboot }}";
|
||||
|
||||
// If automatic reboot is enabled and needed, reboot at the specific
|
||||
// time instead of immediately
|
||||
// Default: "now"
|
||||
Unattended-Upgrade::Automatic-Reboot-Time "{{ unattended_upgrades_reboot_time }}";
|
||||
|
||||
// Use apt bandwidth limit feature, this example limits the download
|
||||
// speed to 70kb/sec
|
||||
//Acquire::http::Dl-Limit "70";
|
||||
|
||||
// Do not cause conffile prompts
|
||||
Dpkg::Options { --force-confold; };
|
26
roles/common/templates/sshd_config.j2
Normal file
26
roles/common/templates/sshd_config.j2
Normal file
|
@ -0,0 +1,26 @@
|
|||
Port 22
|
||||
Protocol 2
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
HostKey /etc/ssh/ssh_host_rsa_key
|
||||
KexAlgorithms curve25519-sha256@libssh.org
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
|
||||
|
||||
ChallengeResponseAuthentication no
|
||||
HostbasedAuthentication no
|
||||
PasswordAuthentication no
|
||||
PubkeyAuthentication yes
|
||||
|
||||
IgnoreUserKnownHosts yes
|
||||
PermitRootLogin no
|
||||
PrintMotd no
|
||||
StrictModes yes
|
||||
Subsystem sftp internal-sftp
|
||||
UsePAM yes
|
||||
|
||||
{% for block in ssh_match_blocks %}
|
||||
Match {{ block.match }}
|
||||
{% for option in block.options %}
|
||||
{{ option }}
|
||||
{% endfor %}
|
||||
{% endfor %}
|
|
@ -2,7 +2,3 @@
|
|||
- hosts: services
|
||||
roles:
|
||||
- ntp-server
|
||||
- website/ffnord
|
||||
- website/media
|
||||
- website/meta
|
||||
|
||||
|
|
Loading…
Reference in a new issue