Externe Rolle "basics" statt "common"

Alexander Dietrich 2017-04-01 01:00:07 +02:00
parent a7e9078453
commit acf416f7ef
16 changed files with 20 additions and 238 deletions

5
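--- a/basics.yml
+++ b/basics.yml
@@ -0,0 +1,5 @@
+---
+- hosts: all
+roles:
+- role: basics
+tags: basics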
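Review bot: Nothing in this commit shows that the external `basics` role, applied here to `hosts: all`, still enforces what the deleted `common` role did: the templated sshd_config (`PasswordAuthentication no`, `PermitRootLogin no`, the restricted Kex/cipher/MAC lists) and the unattended-upgrades setup. The role's tasks now live outside this repository, so a reviewer cannot tell from the diff whether hosts keep that configuration. I would add a comment above the play such as `# basics: expected to provide sshd hardening and unattended-upgrades (source pinned in requirements.yml)` and compare `/etc/ssh/sshd_config` on one host before and after the first run.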


@ -1,4 +0,0 @@
---
- hosts: all
roles:
- common

7
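--- a/group_vars/all
+++ b/group_vars/all
@@ -0,0 +1,7 @@
+---
+basics_autoupdate_reboot: "false"
+basics_install_packages:
+- mosh
+- nano
+- virtualenv
+- zsh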
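Review bot: `basics_autoupdate_reboot: "false"` is a quoted string, not a boolean, and the diff does not show how the external role consumes it. The deleted template wrote the old `unattended_upgrades_reboot` value verbatim into `Unattended-Upgrade::Automatic-Reboot "..."`, where a string was correct. If the new role instead tests the variable in a Jinja `{% if %}`, the non-empty string is truthy and the effect would be the opposite of what is written. Once confirmed, a comment such as `# string on purpose: written verbatim into the apt configuration` would record the intent. The old `unattended_upgrades_origins` and `ssh_match_blocks` settings have no counterpart in this file, so the role's defaults now decide them.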

4
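--- a/requirements.yml
+++ b/requirements.yml
@@ -0,0 +1,4 @@
+---
+- src: https://github.com/7adietri/ansible-basics.git
+version: v1.1.0
+name: basics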
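Review bot: `version: v1.1.0` pins the role to a git tag, which can be moved or re-created upstream, and the `site` script re-fetches it with `ansible-galaxy install -f` before a playbook run that uses `-b`. Because this role now carries the base configuration for every host, I would pin to the full commit hash behind the tag, e.g. `version: <full-commit-sha-of-v1.1.0>  # v1.1.0`. That way a changed tag cannot alter what is executed with elevated privileges, and an upgrade of the role becomes a visible change in this file.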


@ -1,22 +0,0 @@
---
common_expected_packages:
- curl
- git
- python-virtualenv
- python3-virtualenv
- wget
ssh_match_blocks: []
unattended_upgrades_mail: false
unattended_upgrades_origins:
- o=${distro_id},n=${distro_codename},l=Debian-Security
unattended_upgrades_reboot: "false"
unattended_upgrades_reboot_time: "07:00"
user_sanity_packages:
- htop
- less
- mosh
- nano
- screen
- tree
- vim
- zsh


@ -1,6 +0,0 @@
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::RandomSleep "900";
APT::Periodic::AutocleanInterval "7";


@ -1,11 +0,0 @@
---
- include: pre-tasks.yml
tags: common
- include: secure-secure-shell.yml
tags: common
- include: unattended-upgrades.yml
tags: common
- include: user-sanity.yml
tags: common
- include: post-tasks.yml
tags: common


@ -1,6 +0,0 @@
---
- name: install expected packages
apt:
name: "{{ item }}"
state: present
with_items: "{{ common_expected_packages }}"


@ -1,10 +0,0 @@
---
- name: install requirements for some Ansible operations
apt:
name: "{{ item }}"
state: present
update_cache: yes
cache_valid_time: 86400
with_items:
- aptitude
- python-apt


@ -1,28 +0,0 @@
# Secure SSH Configuration
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
---
- name: check for ED25519 host key
stat: path=/etc/ssh/ssh_host_ed25519_key
register: f
- fail: msg="No ED25519 host key found"
when: not f.stat.exists
- name: check for RSA host key
stat: path=/etc/ssh/ssh_host_rsa_key
register: f
- fail: msg="No RSA host key found"
when: not f.stat.exists
- name: template sshd_config
template:
src: templates/sshd_config.j2
dest: /etc/ssh/sshd_config
backup: yes
register: sshd_config
# reload sshd now in case the handlers don't run
- name: reload sshd
service:
name: ssh
state: reloaded
when: sshd_config.changed


@ -1,15 +0,0 @@
---
- name: install unattended-upgrades
apt:
name: unattended-upgrades
state: present
- name: copy 10periodic
copy:
src: files/10periodic
dest: /etc/apt/apt.conf.d
- name: template 50unattended-upgrades
template:
src: templates/50unattended-upgrades.j2
dest: /etc/apt/apt.conf.d/50unattended-upgrades


@ -1,25 +0,0 @@
---
- name: purge vim-tiny
apt:
name: vim-tiny
state: absent
purge: yes
- name: install user sanity packages
apt:
name: "{{ item }}"
state: present
with_items: "{{ user_sanity_packages }}"
- name: check for /etc/screenrc
stat: path=/etc/screenrc
register: f
- name: disable screen startup message
lineinfile:
dest: /etc/screenrc
regexp: '^#(startup_message off)$'
line: '\1'
backrefs: yes
backup: yes
when: f.stat.exists


@ -1,84 +0,0 @@
// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
//
// Lines below have the format format is "keyword=value,...". A
// package will be upgraded only if the values in its metadata match
// all the supplied keywords in a line. (In other words, omitted
// keywords are wild cards.) The keywords originate from the Release
// file, but several aliases are accepted. The accepted keywords are:
// a,archive,suite (eg, "stable")
// c,component (eg, "main", "crontrib", "non-free")
// l,label (eg, "Debian", "Debian-Security")
// o,origin (eg, "Debian", "Unofficial Multimedia Packages")
// n,codename (eg, "jessie", "jessie-updates")
// site (eg, "http.debian.net")
// The available values on the system are printed by the command
// "apt-cache policy", and can be debugged by running
// "unattended-upgrades -d" and looking at the log file.
//
// Within lines unattended-upgrades allows 2 macros whose values are
// derived from /etc/debian_version:
// ${distro_id} Installed origin.
// ${distro_codename} Installed codename (eg, "jessie")
Unattended-Upgrade::Origins-Pattern {
{% for origin in unattended_upgrades_origins %}
"{{ origin }}";
{% endfor %}
};
// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";
// Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
//Unattended-Upgrade::InstallOnShutdown "true";
{% if unattended_upgrades_mail %}
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "{{ unattended_upgrades_mail }}";
{% endif %}
// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
//Unattended-Upgrade::MailOnlyOnError "true";
// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Automatically reboot *WITHOUT CONFIRMATION*
// if the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "{{ unattended_upgrades_reboot }}";
// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: "now"
Unattended-Upgrade::Automatic-Reboot-Time "{{ unattended_upgrades_reboot_time }}";
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";
// Do not cause conffile prompts
Dpkg::Options { --force-confold; };


@ -1,26 +0,0 @@
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
ChallengeResponseAuthentication no
HostbasedAuthentication no
PasswordAuthentication no
PubkeyAuthentication yes
IgnoreUserKnownHosts yes
PermitRootLogin no
PrintMotd no
StrictModes yes
Subsystem sftp internal-sftp
UsePAM yes
{% for block in ssh_match_blocks %}
Match {{ block.match }}
{% for option in block.options %}
{{ option }}
{% endfor %}
{% endfor %}

3
site

@ -1,3 +1,6 @@
#!/bin/bash
ANSIBLE_ROLES_PATH="$HOME/.ansible/roles"
ansible-galaxy install -f -r requirements.yml
ansible-playbook site.yml -i production -bK $*
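Review bot: `ANSIBLE_ROLES_PATH="$HOME/.ansible/roles"` is assigned but not exported, so unless the variable already exists in the caller's environment neither `ansible-galaxy` nor `ansible-playbook` sees it; it should read `export ANSIBLE_ROLES_PATH="$HOME/.ansible/roles"`. The script also has no `set -e`, so when `ansible-galaxy install -f -r requirements.yml` fails, the playbook still runs with whatever copy of the role is already on disk, or with none. Adding `set -e` after the shebang, or `|| exit 1` on the install line, stops the run in that case. Separately, `$*` on the last line (which may predate this commit) re-splits quoted arguments, and `"$@"` would keep them intact.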


@ -1,3 +1,3 @@
---
- include: common.yml
- include: basics.yml
- include: services.yml