diff --git a/basics.yml b/basics.yml new file mode 100644 index 0000000..56e8c76 --- /dev/null +++ b/basics.yml @@ -0,0 +1,5 @@ +--- +- hosts: all + roles: + - role: basics + tags: basics diff --git a/common.yml b/common.yml deleted file mode 100644 index 99861b5..0000000 --- a/common.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- hosts: all - roles: - - common diff --git a/group_vars/all b/group_vars/all new file mode 100644 index 0000000..191e5b2 --- /dev/null +++ b/group_vars/all @@ -0,0 +1,7 @@ +--- +basics_autoupdate_reboot: "false" +basics_install_packages: + - mosh + - nano + - virtualenv + - zsh diff --git a/requirements.yml b/requirements.yml new file mode 100644 index 0000000..82937fe --- /dev/null +++ b/requirements.yml @@ -0,0 +1,4 @@ +--- +- src: https://github.com/7adietri/ansible-basics.git + version: v1.1.0 + name: basics diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml deleted file mode 100644 index b2a7773..0000000 --- a/roles/common/defaults/main.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- -common_expected_packages: - - curl - - git - - python-virtualenv - - python3-virtualenv - - wget -ssh_match_blocks: [] -unattended_upgrades_mail: false -unattended_upgrades_origins: - - o=${distro_id},n=${distro_codename},l=Debian-Security -unattended_upgrades_reboot: "false" -unattended_upgrades_reboot_time: "07:00" -user_sanity_packages: - - htop - - less - - mosh - - nano - - screen - - tree - - vim - - zsh diff --git a/roles/common/files/10periodic b/roles/common/files/10periodic deleted file mode 100644 index 191f810..0000000 --- a/roles/common/files/10periodic +++ /dev/null @@ -1,6 +0,0 @@ -APT::Periodic::Enable "1"; -APT::Periodic::Update-Package-Lists "1"; -APT::Periodic::Download-Upgradeable-Packages "1"; -APT::Periodic::Unattended-Upgrade "1"; -APT::Periodic::RandomSleep "900"; -APT::Periodic::AutocleanInterval "7"; diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml deleted file mode 100644 index 43f70c8..0000000 --- a/roles/common/tasks/main.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -- include: pre-tasks.yml - tags: common -- include: secure-secure-shell.yml - tags: common -- include: unattended-upgrades.yml - tags: common -- include: user-sanity.yml - tags: common -- include: post-tasks.yml - tags: common diff --git a/roles/common/tasks/post-tasks.yml b/roles/common/tasks/post-tasks.yml deleted file mode 100644 index b56f9a3..0000000 --- a/roles/common/tasks/post-tasks.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: install expected packages - apt: - name: "{{ item }}" - state: present - with_items: "{{ common_expected_packages }}" diff --git a/roles/common/tasks/pre-tasks.yml b/roles/common/tasks/pre-tasks.yml deleted file mode 100644 index 7052e15..0000000 --- a/roles/common/tasks/pre-tasks.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -- name: install requirements for some Ansible operations - apt: - name: "{{ item }}" - state: present - update_cache: yes - cache_valid_time: 86400 - with_items: - - aptitude - - python-apt diff --git a/roles/common/tasks/secure-secure-shell.yml b/roles/common/tasks/secure-secure-shell.yml deleted file mode 100644 index c6e681d..0000000 --- a/roles/common/tasks/secure-secure-shell.yml +++ /dev/null @@ -1,28 +0,0 @@ -# Secure SSH Configuration -# https://stribika.github.io/2015/01/04/secure-secure-shell.html ---- -- name: check for ED25519 host key - stat: path=/etc/ssh/ssh_host_ed25519_key - register: f -- fail: msg="No ED25519 host key found" - when: not f.stat.exists - -- name: check for RSA host key - stat: path=/etc/ssh/ssh_host_rsa_key - register: f -- fail: msg="No RSA host key found" - when: not f.stat.exists - -- name: template sshd_config - template: - src: templates/sshd_config.j2 - dest: /etc/ssh/sshd_config - backup: yes - register: sshd_config - -# reload sshd now in case the handlers don't run -- name: reload sshd - service: - name: ssh - state: reloaded - when: sshd_config.changed diff --git a/roles/common/tasks/unattended-upgrades.yml b/roles/common/tasks/unattended-upgrades.yml deleted file mode 100644 index 7f64739..0000000 --- a/roles/common/tasks/unattended-upgrades.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -- name: install unattended-upgrades - apt: - name: unattended-upgrades - state: present - -- name: copy 10periodic - copy: - src: files/10periodic - dest: /etc/apt/apt.conf.d - -- name: template 50unattended-upgrades - template: - src: templates/50unattended-upgrades.j2 - dest: /etc/apt/apt.conf.d/50unattended-upgrades diff --git a/roles/common/tasks/user-sanity.yml b/roles/common/tasks/user-sanity.yml deleted file mode 100644 index 45b040d..0000000 --- a/roles/common/tasks/user-sanity.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- -- name: purge vim-tiny - apt: - name: vim-tiny - state: absent - purge: yes - -- name: install user sanity packages - apt: - name: "{{ item }}" - state: present - with_items: "{{ user_sanity_packages }}" - -- name: check for /etc/screenrc - stat: path=/etc/screenrc - register: f - -- name: disable screen startup message - lineinfile: - dest: /etc/screenrc - regexp: '^#(startup_message off)$' - line: '\1' - backrefs: yes - backup: yes - when: f.stat.exists diff --git a/roles/common/templates/50unattended-upgrades.j2 b/roles/common/templates/50unattended-upgrades.j2 deleted file mode 100644 index 0d053fa..0000000 --- a/roles/common/templates/50unattended-upgrades.j2 +++ /dev/null @@ -1,84 +0,0 @@ -// Unattended-Upgrade::Origins-Pattern controls which packages are -// upgraded. -// -// Lines below have the format format is "keyword=value,...". A -// package will be upgraded only if the values in its metadata match -// all the supplied keywords in a line. (In other words, omitted -// keywords are wild cards.) The keywords originate from the Release -// file, but several aliases are accepted. The accepted keywords are: -// a,archive,suite (eg, "stable") -// c,component (eg, "main", "crontrib", "non-free") -// l,label (eg, "Debian", "Debian-Security") -// o,origin (eg, "Debian", "Unofficial Multimedia Packages") -// n,codename (eg, "jessie", "jessie-updates") -// site (eg, "http.debian.net") -// The available values on the system are printed by the command -// "apt-cache policy", and can be debugged by running -// "unattended-upgrades -d" and looking at the log file. -// -// Within lines unattended-upgrades allows 2 macros whose values are -// derived from /etc/debian_version: -// ${distro_id} Installed origin. -// ${distro_codename} Installed codename (eg, "jessie") -Unattended-Upgrade::Origins-Pattern { -{% for origin in unattended_upgrades_origins %} - "{{ origin }}"; -{% endfor %} -}; - -// List of packages to not update (regexp are supported) -Unattended-Upgrade::Package-Blacklist { -// "vim"; -// "libc6"; -// "libc6-dev"; -// "libc6-i686"; -}; - -// This option allows you to control if on a unclean dpkg exit -// unattended-upgrades will automatically run -// dpkg --force-confold --configure -a -// The default is true, to ensure updates keep getting installed -//Unattended-Upgrade::AutoFixInterruptedDpkg "false"; - -// Split the upgrade into the smallest possible chunks so that -// they can be interrupted with SIGUSR1. This makes the upgrade -// a bit slower but it has the benefit that shutdown while a upgrade -// is running is possible (with a small delay) -//Unattended-Upgrade::MinimalSteps "true"; - -// Install all unattended-upgrades when the machine is shuting down -// instead of doing it in the background while the machine is running -// This will (obviously) make shutdown slower -//Unattended-Upgrade::InstallOnShutdown "true"; - -{% if unattended_upgrades_mail %} -// Send email to this address for problems or packages upgrades -// If empty or unset then no email is sent, make sure that you -// have a working mail setup on your system. A package that provides -// 'mailx' must be installed. E.g. "user@example.com" -Unattended-Upgrade::Mail "{{ unattended_upgrades_mail }}"; -{% endif %} - -// Set this value to "true" to get emails only on errors. Default -// is to always send a mail if Unattended-Upgrade::Mail is set -//Unattended-Upgrade::MailOnlyOnError "true"; - -// Do automatic removal of new unused dependencies after the upgrade -// (equivalent to apt-get autoremove) -Unattended-Upgrade::Remove-Unused-Dependencies "true"; - -// Automatically reboot *WITHOUT CONFIRMATION* -// if the file /var/run/reboot-required is found after the upgrade -Unattended-Upgrade::Automatic-Reboot "{{ unattended_upgrades_reboot }}"; - -// If automatic reboot is enabled and needed, reboot at the specific -// time instead of immediately -// Default: "now" -Unattended-Upgrade::Automatic-Reboot-Time "{{ unattended_upgrades_reboot_time }}"; - -// Use apt bandwidth limit feature, this example limits the download -// speed to 70kb/sec -//Acquire::http::Dl-Limit "70"; - -// Do not cause conffile prompts -Dpkg::Options { --force-confold; }; diff --git a/roles/common/templates/sshd_config.j2 b/roles/common/templates/sshd_config.j2 deleted file mode 100644 index 07e203d..0000000 --- a/roles/common/templates/sshd_config.j2 +++ /dev/null @@ -1,26 +0,0 @@ -Port 22 -Protocol 2 -HostKey /etc/ssh/ssh_host_ed25519_key -HostKey /etc/ssh/ssh_host_rsa_key -KexAlgorithms curve25519-sha256@libssh.org -Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr -MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com - -ChallengeResponseAuthentication no -HostbasedAuthentication no -PasswordAuthentication no -PubkeyAuthentication yes - -IgnoreUserKnownHosts yes -PermitRootLogin no -PrintMotd no -StrictModes yes -Subsystem sftp internal-sftp -UsePAM yes - -{% for block in ssh_match_blocks %} -Match {{ block.match }} -{% for option in block.options %} - {{ option }} -{% endfor %} -{% endfor %} diff --git a/site b/site index b783acb..598e1fc 100755 --- a/site +++ b/site @@ -1,3 +1,6 @@ #!/bin/bash +ANSIBLE_ROLES_PATH="$HOME/.ansible/roles" + +ansible-galaxy install -f -r requirements.yml ansible-playbook site.yml -i production -bK $* diff --git a/site.yml b/site.yml index 7562765..019da3e 100644 --- a/site.yml +++ b/site.yml @@ -1,3 +1,3 @@ --- -- include: common.yml +- include: basics.yml - include: services.yml