From 4a88a5b28d8d9dff365e5c5b39b83730944b02b6 Mon Sep 17 00:00:00 2001 
From: Simon Cornet Date: Fri, 22 Nov 2024 11:13:16 +0100 Subject: [PATCH] feat: move to dedicated repo --- .ansible-lint | 16 + .yamllint | 30 ++ handlers/main.yaml | 56 +++ readme.md | 9 + tasks/apt/config.yaml | 24 ++ tasks/apt/packages.yaml | 27 ++ tasks/apt/sources.yaml | 42 +++ tasks/cron.yaml | 13 + tasks/crowdsec.yaml | 42 +++ tasks/environment.yaml | 13 + tasks/firewall/firewall-general.yaml | 11 + tasks/firewall/firewall-rules-routed.yaml | 26 ++ tasks/firewall/firewall-rules.yaml | 12 + tasks/hostname.yaml | 9 + tasks/journald.yaml | 14 + tasks/lldpd.yaml | 12 + tasks/locale.yaml | 9 + tasks/lxd.yaml | 11 + tasks/main.yaml | 321 ++++++++++++++++++ tasks/motd.yaml | 43 +++ tasks/ntp.yaml | 23 ++ tasks/ossupport.yaml | 32 ++ tasks/service.yaml | 8 + tasks/snap/snap_daemon.yaml | 38 +++ tasks/snap/snap_package.yaml | 13 + tasks/sshd.yaml | 13 + tasks/swap.yaml | 94 +++++ tasks/sysctl.yaml | 10 + tasks/syslog/config.yaml | 53 +++ tasks/syslog/install.yaml | 11 + tasks/systemctl.yaml | 14 + tasks/telemetry.yaml | 10 + tasks/timezone.yaml | 8 + tasks/user.yaml | 81 +++++ templates/apt/conf.d/10periodic.j2 | 3 + .../conf.d/50unattended-upgrades.Debian.j2 | 44 +++ .../conf.d/50unattended-upgrades.Ubuntu.j2 | 44 +++ templates/apt/sources.d/Ubuntu.sources.j2 | 12 + .../apt/sources.d/sources.list.Debian.j2 | 3 + .../apt/sources.d/sources.list.Ubuntu.j2 | 21 ++ templates/chrony/chrony.conf.j2 | 8 + templates/collectd/collectd.conf.j2 | 37 ++ templates/cron/mount_zfs_kstat.j2 | 1 + templates/environment/environment.j2 | 4 + templates/journald/journald.conf.j2 | 5 + templates/motd/motd.sh.j2 | 42 +++ templates/sshd/sshd_config.j2 | 40 +++ templates/syslog/rsyslog.d/apt.conf.j2 | 6 + templates/syslog/rsyslog.d/remote-logging.j2 | 1 + .../syslog/rsyslog/rsyslog.debian.conf.j2 | 25 ++ .../syslog/rsyslog/rsyslog.ubuntu.conf.j2 | 27 ++ templates/systemctl/fstrim.timer.j2 | 12 + templates/usermanagement/sudoers.d/sudoers.j2 | 16 + vars/Debian.yaml | 25 ++ 54 files changed, 
1524 insertions(+) create mode 100644 .ansible-lint create mode 100644 .yamllint create mode 100644 handlers/main.yaml create mode 100644 readme.md create mode 100644 tasks/apt/config.yaml create mode 100644 tasks/apt/packages.yaml create mode 100644 tasks/apt/sources.yaml create mode 100644 tasks/cron.yaml create mode 100644 tasks/crowdsec.yaml create mode 100644 tasks/environment.yaml create mode 100644 tasks/firewall/firewall-general.yaml create mode 100644 tasks/firewall/firewall-rules-routed.yaml create mode 100644 tasks/firewall/firewall-rules.yaml create mode 100644 tasks/hostname.yaml create mode 100644 tasks/journald.yaml create mode 100644 tasks/lldpd.yaml create mode 100644 tasks/locale.yaml create mode 100644 tasks/lxd.yaml create mode 100644 tasks/main.yaml create mode 100644 tasks/motd.yaml create mode 100644 tasks/ntp.yaml create mode 100644 tasks/ossupport.yaml create mode 100644 tasks/service.yaml create mode 100644 tasks/snap/snap_daemon.yaml create mode 100644 tasks/snap/snap_package.yaml create mode 100644 tasks/sshd.yaml create mode 100644 tasks/swap.yaml create mode 100644 tasks/sysctl.yaml create mode 100644 tasks/syslog/config.yaml create mode 100644 tasks/syslog/install.yaml create mode 100644 tasks/systemctl.yaml create mode 100644 tasks/telemetry.yaml create mode 100644 tasks/timezone.yaml create mode 100644 tasks/user.yaml create mode 100644 templates/apt/conf.d/10periodic.j2 create mode 100644 templates/apt/conf.d/50unattended-upgrades.Debian.j2 create mode 100644 templates/apt/conf.d/50unattended-upgrades.Ubuntu.j2 create mode 100644 templates/apt/sources.d/Ubuntu.sources.j2 create mode 100644 templates/apt/sources.d/sources.list.Debian.j2 create mode 100644 templates/apt/sources.d/sources.list.Ubuntu.j2 create mode 100644 templates/chrony/chrony.conf.j2 create mode 100644 templates/collectd/collectd.conf.j2 create mode 100644 templates/cron/mount_zfs_kstat.j2 create mode 100644 templates/environment/environment.j2 create mode 100644 
templates/journald/journald.conf.j2 create mode 100644 templates/motd/motd.sh.j2 create mode 100644 templates/sshd/sshd_config.j2 create mode 100644 templates/syslog/rsyslog.d/apt.conf.j2 create mode 100644 templates/syslog/rsyslog.d/remote-logging.j2 create mode 100644 templates/syslog/rsyslog/rsyslog.debian.conf.j2 create mode 100644 templates/syslog/rsyslog/rsyslog.ubuntu.conf.j2 create mode 100644 templates/systemctl/fstrim.timer.j2 create mode 100644 templates/usermanagement/sudoers.d/sudoers.j2 create mode 100644 vars/Debian.yaml diff --git a/.ansible-lint b/.ansible-lint new file mode 100644 index 0000000..3b1b309 --- /dev/null +++ b/.ansible-lint @@ -0,0 +1,16 @@ +--- + +kinds: + - playbook: '**/*.{yml,yaml}' + +skip_list: + - 'command-shell' + - 'experimental' + - 'git-latest' + - 'no-changed-when' + - 'no-handler' + - 'name[casing]' + - 'name[template]' + - 'risky-file-permissions' + - 'schema[tasks]' + - 'var-naming[no-role-prefix]' diff --git a/.yamllint b/.yamllint new file mode 100644 index 0000000..e4db48c --- /dev/null +++ b/.yamllint @@ -0,0 +1,30 @@ +--- +extends: 'default' + +rules: + braces: + max-spaces-inside: 1 + forbid: true + comments: + min-spaces-from-content: 1 + comments-indentation: false + empty-lines: + max: 2 + indentation: + spaces: 2 + check-multi-line-strings: true + line-length: + max: 130 + allow-non-breakable-words: true + allow-non-breakable-inline-mappings: true + new-line-at-end-of-file: 'enable' + octal-values: + forbid-implicit-octal: true + forbid-explicit-octal: true + truthy: + allowed-values: + - 'true' + - 'false' + quoted-strings: + quote-type: 'any' + required: true diff --git a/handlers/main.yaml b/handlers/main.yaml new file mode 100644 index 0000000..b124d36 --- /dev/null +++ b/handlers/main.yaml 
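Review bot: `skip_list` in .ansible-lint silences `no-changed-when` and `risky-file-permissions` for the whole role, yet this same commit adds `ansible.builtin.command` tasks in tasks/swap.yaml (fallocate, mkswap, swapon, swapoff) with no `changed_when`, which is exactly the idempotence gap that rule exists to catch. Keep `skip_list` to the rules that are deliberate policy (`name[casing]`, `var-naming[no-role-prefix]`) and move the ones you intend to fix later under `warn_list:` so they stay visible in lint output. A one-line comment above each skipped rule saying why it is skipped would also help the next maintainer decide whether it can be re-enabled.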
@@ -0,0 +1,56 @@ +--- + +# apt +- name: "apt force cache update" + ansible.builtin.apt: + update_cache: true + +# chrony +- name: "restart chrony" + ansible.builtin.service: + name: "chrony" + enabled: true + state: "restarted" + +# collectd +- name: "restart collectd" + ansible.builtin.service: + name: "collectd" + enabled: true + state: "restarted" + +# fstrim.timer +- name: "daemon-reload fstrim.timer" + ansible.builtin.service: + name: "fstrim.timer" + enabled: true + state: "restarted" + daemon_reload: true + +# journald +- name: "restart journald" + ansible.builtin.service: + name: "systemd-journald.service" + enabled: true + state: "restarted" + +# lldpd +- name: "restart lldpd" + ansible.builtin.service: + name: "lldpd" + enabled: true + state: "restarted" + +# rsyslog +- name: "restart rsyslog" + ansible.builtin.service: + name: "rsyslog" + enabled: true + state: "restarted" + +# sshd +- name: "restart sshd" + ansible.builtin.systemd: + name: "sshd.service" + state: "restarted" + enabled: true diff --git a/readme.md b/readme.md new file mode 100644 index 0000000..65c1af6 --- /dev/null +++ b/readme.md @@ -0,0 +1,9 @@ +# Overview +This role manages the build-in 'core' Operating System components and defaults tailored for Siempie. + +# Supported Operating Systems +| Operating System | Version | +| --- | ----- | +| Debian | 12 +| Ubuntu | 22 LTS +| Ubuntu | 24 LTS diff --git a/tasks/apt/config.yaml b/tasks/apt/config.yaml new file mode 100644 index 0000000..c08dd66 --- /dev/null +++ b/tasks/apt/config.yaml 
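Review bot: The `restart sshd` handler is the only one written with `ansible.builtin.systemd` (and a `.service`-suffixed unit name) while every other handler in handlers/main.yaml uses `ansible.builtin.service`; pick one module and one naming convention for the file. Every restart handler also sets `enabled: true`, so a notification that was meant to restart a daemon silently changes its enablement as a side effect — a reader expects `restart X` to only restart. If enabling is intended, put it in the install or config task that owns the service and drop `enabled:` from the handlers.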
@@ -0,0 +1,24 @@ +--- + +# configure apt auto update +- name: "apt - config - configure apt periodic" + ansible.builtin.template: + src: "templates/apt/conf.d/10periodic.j2" + dest: "/etc/apt/apt.conf.d/10periodic" + owner: "root" + group: "root" + mode: "0644" + when: 'ansible_os_family == "Debian"' + tags: + - "apt" + +- name: "apt - config - configure apt unatteded updates" + ansible.builtin.template: + src: "templates/apt/conf.d/50unattended-upgrades.{{ ansible_distribution }}.j2" + dest: "/etc/apt/apt.conf.d/50unattended-upgrades" + owner: "root" + group: "root" + mode: "0644" + when: 'ansible_os_family == "Debian"' + tags: + - "apt" diff --git a/tasks/apt/packages.yaml b/tasks/apt/packages.yaml new file mode 100644 index 0000000..a50445c --- /dev/null +++ b/tasks/apt/packages.yaml @@ -0,0 +1,27 @@ +--- + +# install packages +- name: "apt - install - packages" + ansible.builtin.apt: + name: "{{ apt_default_install }}" + state: "present" + update_cache: true + when: 'ansible_os_family == "Debian"' + loop: "{{ apt_default_packages_install }}" + loop_control: + loop_var: "apt_default_install" + tags: + - "apt" + +# purge packages +- name: "apt - delete - packages" + ansible.builtin.apt: + name: "{{ apt_default_delete }}" + state: "absent" + purge: true + when: 'ansible_os_family == "Debian"' + loop: "{{ apt_default_packages_delete }}" + loop_control: + loop_var: "apt_default_delete" + tags: + - "apt" diff --git a/tasks/apt/sources.yaml b/tasks/apt/sources.yaml new file mode 100644 index 0000000..6f26406 --- /dev/null +++ b/tasks/apt/sources.yaml 
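Review bot: `apt - install - packages` loops over `apt_default_packages_install` one package per iteration with `update_cache: true`, so the cache is refreshed and a separate apt transaction run for every element. `ansible.builtin.apt` accepts a list in `name`, so `name: "{{ apt_default_packages_install }}"` without the `loop:`/`loop_control:` installs everything in a single transaction with one cache update; the same applies to `apt - delete - packages` with `apt_default_packages_delete`. A per-item loop is only worth keeping if individual package failures must be isolated, and then `update_cache` should move to a single preceding task.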
@@ -0,0 +1,42 @@ +--- + +# configure apt sources +- name: "apt - config - configure apt sources" + ansible.builtin.template: + src: "templates/apt/sources.d/sources.list.{{ ansible_distribution }}.j2" + dest: "/etc/apt/sources.list" + owner: "root" + group: "root" + mode: "0644" + when: + - 'ansible_os_family == "Debian"' + - 'ansible_distribution_major_version <= "23"' + notify: "apt force cache update" + tags: + - "apt" + +# configure apt sources +- name: "apt - config - configure apt sources" + ansible.builtin.template: + src: "templates/apt/sources.d/{{ ansible_distribution }}.sources.j2" + dest: "/etc/apt/sources.list.d/ubuntu.sources" + owner: "root" + group: "root" + mode: "0644" + when: + - 'ansible_distribution == "Ubuntu"' + - 'ansible_distribution_major_version >= "24"' + notify: "apt force cache update" + tags: + - "apt" + +# delete unused sources.list +- name: "apt - config - remove old sources.list" + ansible.builtin.file: + path: "/etc/apt/sources.list" + state: "absent" + when: + - 'ansible_distribution == "Ubuntu"' + - 'ansible_distribution_major_version >= "24"' + tags: + - "apt" diff --git a/tasks/cron.yaml b/tasks/cron.yaml new file mode 100644 index 0000000..8444f8f --- /dev/null +++ b/tasks/cron.yaml @@ -0,0 +1,13 @@ +--- + +# configure cron +- name: "cron - config - zfs kstat" + ansible.builtin.template: + src: "templates/cron/mount_zfs_kstat.j2" + dest: "/etc/cron.d/mount_zfs_kstat" + owner: "root" + group: "root" + mode: "0644" + when: 'type == "lxc"' + tags: + - "cron" diff --git a/tasks/crowdsec.yaml b/tasks/crowdsec.yaml new file mode 100644 index 0000000..7956235 --- /dev/null +++ b/tasks/crowdsec.yaml 
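Review bot: Both `when` guards in tasks/apt/sources.yaml compare `ansible_distribution_major_version` as a string (`<= "23"`, `>= "24"`), which is lexicographic: it happens to work for the two-digit releases listed in readme.md, but a single-digit major such as `"9"` compares greater than `"23"`. Cast first: `- 'ansible_distribution_major_version | int <= 23'` and `- 'ansible_distribution_major_version | int >= 24'`. The two template tasks also share the exact name `apt - config - configure apt sources`, which makes play output and `--start-at-task` ambiguous; give each a distinct suffix such as `(sources.list)` and `(ubuntu.sources)`.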
@@ -0,0 +1,42 @@ +--- + +# install crowdsec signing key +- name: "install signing key" + ansible.builtin.get_url: + url: "https://packagecloud.io/crowdsec/crowdsec/gpgkey" + dest: "/etc/apt/keyrings/crowdsec_crowdsec-archive-keyring.gpg" + mode: "0644" + register: "install_crowdsec_key" + tags: + - "crowdsec" + +# update apt cache if required +- name: "update apt cache" + ansible.builtin.apt: + update_cache: true + when: + - 'ansible_os_family == "Debian"' + - "install_crowdsec_key.changed" + tags: + - "crowdsec" + +# install crowdsec security engine +- name: "install crowdsec security engine" + ansible.builtin.apt: + name: "crowdsec" + state: "present" + cache_valid_time: "120" + when: 'ansible_os_family == "Debian"' + register: "crowdsec_installed" + tags: + - "crowdsec" + +# install crowdsec firewall bouncer +- name: "install crowdsec firewall bouncer" + ansible.builtin.apt: + name: "crowdsec-firewall-bouncer" + state: "present" + cache_valid_time: "120" + when: 'ansible_os_family == "Debian"' + tags: + - "crowdsec" diff --git a/tasks/environment.yaml b/tasks/environment.yaml new file mode 100644 index 0000000..9fd3676 --- /dev/null +++ b/tasks/environment.yaml @@ -0,0 +1,13 @@ +--- + +# set environment file +- name: "set environment file" + ansible.builtin.template: + src: "templates/environment/environment.j2" + dest: "/etc/environment" + owner: "root" + group: "root" + mode: "0644" + when: 'ansible_distribution == "Ubuntu"' + tags: + - "environment-file" diff --git a/tasks/firewall/firewall-general.yaml b/tasks/firewall/firewall-general.yaml new file mode 100644 index 0000000..fc0994b --- /dev/null +++ b/tasks/firewall/firewall-general.yaml @@ -0,0 +1,11 @@ +--- + +# generic settings +- name: "firewall - set default policy and enable logging" + community.general.ufw: + state: "enabled" + direction: "incoming" + policy: "deny" + logging: "on" + tags: + - "firewall" 
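Review bot: `install signing key` fetches the repository key with `get_url` and no `checksum:`, so trust in every package signed by it rests solely on the TLS connection at the moment the key is downloaded; pinning it with `checksum: "sha256:<expected-digest>"` (placeholder — take the value from the vendor's published key fingerprint) makes a substituted key fail the task instead of being silently installed into /etc/apt/keyrings. No `deb [signed-by=...]` source entry referencing that keyring is added in this hunk, so either the repository is configured elsewhere or the `crowdsec` packages are expected from the distribution archive — that should be stated in the `# install crowdsec signing key` comment. `install crowdsec security engine` registers `crowdsec_installed`, but nothing in the hunk reads it.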
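Review bot: `state: "enabled"` together with `policy: "deny"` on `direction: "incoming"` is applied before any allow rule exists — in tasks/main.yaml the rule includes run after this task. The current Ansible session survives because ufw is stateful, but if a later task fails, or the management port is absent from `firewall_rules_common`, the host is left reachable only through that one surviving session. Safer is to create the rules first (at minimum the SSH port) and enable ufw in a final task, or to add an explicit allow for the management port in tasks/firewall/firewall-general.yaml ahead of `state: "enabled"`.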
diff --git a/tasks/firewall/firewall-rules-routed.yaml b/tasks/firewall/firewall-rules-routed.yaml new file mode 100644 index 0000000..8b863f0 --- /dev/null +++ b/tasks/firewall/firewall-rules-routed.yaml @@ -0,0 +1,26 @@ +--- + +# basic firewall rules +- name: "firewall - allow incoming routed traffic" + community.general.ufw: + rule: "allow" + route: "yes" + src: "{{ item[0] }}" + dest: "{{ item[1] }}" + with_nested: + - "{{ __rule['source_nets'] }}" + - "{{ __rule['destination_nets'] }}" + tags: + - "firewall" + +- name: "firewall - allow outgoing routed traffic" + community.general.ufw: + rule: "allow" + route: "yes" + src: "{{ item[1] }}" + dest: "{{ item[0] }}" + with_nested: + - "{{ __rule['source_nets'] }}" + - "{{ __rule['destination_nets'] }}" + tags: + - "firewall" diff --git a/tasks/firewall/firewall-rules.yaml b/tasks/firewall/firewall-rules.yaml new file mode 100644 index 0000000..1a1f373 --- /dev/null +++ b/tasks/firewall/firewall-rules.yaml @@ -0,0 +1,12 @@ +--- + +# create firewall rule +- name: "firewall - allow {{ __rule['to_port'] }} from {{ __rule['from_ip'] }}" + community.general.ufw: + rule: "allow" + direction: "in" + proto: "{{ __rule['proto'] | default('tcp') }}" + from_ip: "{{ __rule['from_ip'] }}" + to_port: "{{ __rule['to_port'] }}" + tags: + - "firewall" diff --git a/tasks/hostname.yaml b/tasks/hostname.yaml new file mode 100644 index 0000000..6020e96 --- /dev/null +++ b/tasks/hostname.yaml @@ -0,0 +1,9 @@ +--- + +# set hostname +- name: "set hostname" + ansible.builtin.hostname: + name: "{{ set_hostname | default(inventory_hostname) }}" + use: "{{ hostname_use_method }}" + tags: + - "hostname" diff --git a/tasks/journald.yaml b/tasks/journald.yaml new file mode 100644 index 0000000..f31c122 --- /dev/null +++ b/tasks/journald.yaml 
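Review bot: `firewall - allow outgoing routed traffic` is not a return-path rule: it adds a second `allow route` with the nets swapped (`src: "{{ item[1] }}"`, `dest: "{{ item[0] }}"`), so every `destination_nets` entry may also initiate connections into every `source_nets` entry. ufw is stateful and already permits replies to flows allowed by the first task, so if only source→destination initiation is intended the second task should be dropped; if bidirectional initiation is intended, the task name and the `# basic firewall rules` comment should say so explicitly. `route: "yes"` passes a quoted string to a boolean option; write `route: true` — the same applies to `purge: "yes"` in tasks/lxd.yaml and tasks/snap/snap_daemon.yaml, `sysctl_set: "yes"` in tasks/sysctl.yaml, and `manage_dir: "true"` / `remove: "yes"` in tasks/user.yaml.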
@@ -0,0 +1,14 @@ +--- + +# configure journald +- name: "syslog - config - configure journald" + ansible.builtin.template: + src: "templates/journald/journald.conf.j2" + dest: "/etc/systemd/journald.conf" + owner: "root" + group: "root" + mode: "0644" + when: 'ansible_distribution == "Ubuntu"' + notify: "restart journald" + tags: + - "journald" diff --git a/tasks/lldpd.yaml b/tasks/lldpd.yaml new file mode 100644 index 0000000..64268be --- /dev/null +++ b/tasks/lldpd.yaml @@ -0,0 +1,12 @@ +--- + +# install lldpd +- name: "lldpd - installation package" + ansible.builtin.apt: + name: "lldpd" + state: "present" + cache_valid_time: "3600" + when: 'ansible_os_family == "Debian"' + notify: "restart lldpd" + tags: + - "lldp" diff --git a/tasks/locale.yaml b/tasks/locale.yaml new file mode 100644 index 0000000..890df1c --- /dev/null +++ b/tasks/locale.yaml @@ -0,0 +1,9 @@ +--- + +# set locale +- name: "set locale" + community.general.locale_gen: + name: "en_US.UTF-8" + state: "present" + tags: + - "locale" diff --git a/tasks/lxd.yaml b/tasks/lxd.yaml new file mode 100644 index 0000000..2ca7b1d --- /dev/null +++ b/tasks/lxd.yaml @@ -0,0 +1,11 @@ +--- + +# remove lxd +- name: "lxd - purge package" + ansible.builtin.apt: + name: "lxd" + state: "absent" + purge: "yes" + when: 'ansible_os_family == "Debian"' + tags: + - "lxd" diff --git a/tasks/main.yaml b/tasks/main.yaml new file mode 100644 index 0000000..a0bc836 --- /dev/null +++ b/tasks/main.yaml 
@@ -0,0 +1,321 @@ +--- + +# check os support +- name: "check for os support" + ansible.builtin.import_tasks: "ossupport.yaml" + tags: + - "apt" + - "cron" + - "crowdsec" + - "environment-file" + - "hostname" + - "firewall" + - "journald" + - "locale" + - "lldp" + - "lxd" + - "motd" + - "ntp" + - "telemetry" + - "snap" + - "sshd" + - "swap" + - "sysctl" + - "systemctl" + - "syslog" + - "timezone" + - "usermanagement" + +# load os variables +- name: "include os specific vars" + ansible.builtin.include_vars: "{{ ansible_os_family }}.yaml" + when: "os_support" + tags: + - "apt" + - "cron" + - "crowdsec" + - "environment-file" + - "hostname" + - "firewall" + - "journald" + - "locale" + - "lldp" + - "lxd" + - "motd" + - "ntp" + - "telemetry" + - "snap" + - "sshd" + - "sysctl" + - "systemctl" + - "syslog" + - "timezone" + - "usermanagement" + +# set hostname +- name: "set hostname" + ansible.builtin.import_tasks: "hostname.yaml" + when: "os_support" + tags: "hostname" + +# flush handler +- name: "flush handlers" + ansible.builtin.meta: "flush_handlers" + +# set locale +- name: "set locale" + ansible.builtin.import_tasks: "locale.yaml" + when: "os_support" + tags: "locale" + +# flush handler +- name: "flush handlers" + ansible.builtin.meta: "flush_handlers" + +# environment +- name: "environment" + ansible.builtin.import_tasks: "environment.yaml" + when: "os_support" + tags: "environment-file" + +# flush handler +- name: "flush handlers" + ansible.builtin.meta: "flush_handlers" + +# motd +- name: "motd" + ansible.builtin.import_tasks: "motd.yaml" + when: "os_support" + tags: "motd" + +# cron jobs +- name: "cron jobs" + ansible.builtin.import_tasks: "cron.yaml" + when: "os_support" + tags: "cron" + +# flush handler +- name: "flush handlers" + ansible.builtin.meta: "flush_handlers" + +# swap +- name: "swap" + ansible.builtin.import_tasks: "swap.yaml" + when: + - "os_support" + - 'type == "vm"' + tags: "swap" + +# apt +- name: "apt" + ansible.builtin.import_tasks: 
"apt/sources.yaml" + when: "os_support" + tags: "apt" + +# flush handler +- name: "flush handlers" + ansible.builtin.meta: "flush_handlers" + +- name: "apt - packages" + ansible.builtin.import_tasks: "apt/packages.yaml" + when: "os_support" + tags: "apt" + +- name: "apt - config" + ansible.builtin.import_tasks: "apt/config.yaml" + when: "os_support" + tags: "apt" + +# telemetry +- name: "telemetry" + ansible.builtin.import_tasks: "telemetry.yaml" + when: "os_support" + tags: "telemetry" + +# service +- name: "service" + ansible.builtin.include_tasks: "service.yaml" + loop: "{{ service }}" + loop_control: + loop_var: "__service" + when: + - "os_support" + - "service is defined" + +# flush handler +- name: "flush handlers" + ansible.builtin.meta: "flush_handlers" + +# chrony +- name: "ntp" + ansible.builtin.import_tasks: "ntp.yaml" + when: + - "os_support" + - 'type == "vm" or type == "hw"' + tags: "ntp" + +# flush handler +- name: "flush handlers" + ansible.builtin.meta: "flush_handlers" + +# snap +- name: "snap - daemon" + ansible.builtin.import_tasks: "snap/snap_daemon.yaml" + when: "os_support" + tags: "snap" + +- name: "snap - package" + ansible.builtin.import_tasks: "snap/snap_package.yaml" + when: + - "os_support" + - "snap_package is defined" + tags: "snap" + +# llpd +- name: "lldpd" + ansible.builtin.import_tasks: "lldpd.yaml" + when: + - "os_support" + - 'type == "vm" or type == "hw"' + tags: "lldp" + +# flush handler +- name: "flush handlers" + ansible.builtin.meta: "flush_handlers" + +# lxd +- name: "lxd" + ansible.builtin.import_tasks: "lxd.yaml" + when: + - "os_support" + - 'type == "vm"' + tags: "lxd" + +# flush handler +- name: "flush handlers" + ansible.builtin.meta: "flush_handlers" + +# sysctl +- name: "sysctl - set sysctl" + ansible.builtin.include_tasks: "sysctl.yaml" + loop: "{{ sysctl }}" + loop_control: + loop_var: "__sysctl" + when: + - "os_support" + - 'type == "vm" or type == "hw"' + tags: "sysctl" + +# systemctl +- name: "sysctl - set 
systemctl" + ansible.builtin.include_tasks: "systemctl.yaml" + loop: "{{ systemctl }}" + loop_control: + loop_var: "__systemctl" + when: + - "os_support" + - 'type == "vm"' + tags: "systemctl" + +# syslog +- name: "syslog - install" + ansible.builtin.import_tasks: "syslog/install.yaml" + when: + - "os_support" + - "syslog_enable" + tags: "syslog" + +- name: "syslog - config" + ansible.builtin.import_tasks: "syslog/config.yaml" + when: + - "os_support" + - "syslog_enable" + tags: "syslog" + +# flush handler +- name: "flush handlers" + ansible.builtin.meta: "flush_handlers" + +# journald +- name: "journald" + ansible.builtin.import_tasks: "journald.yaml" + when: "os_support" + tags: "journald" + +# flush handler +- name: "flush handlers" + ansible.builtin.meta: "flush_handlers" + +# timezone +- name: "timezone" + ansible.builtin.import_tasks: "timezone.yaml" + when: "os_support" + tags: "timezone" + +# sshd +- name: "sshd" + ansible.builtin.import_tasks: "sshd.yaml" + when: "os_support" + tags: "sshd" + +# flush handler +- name: "flush handlers" + ansible.builtin.meta: "flush_handlers" + +# user +- name: "user - create users" + ansible.builtin.include_tasks: "user.yaml" + loop: "{{ user }}" + loop_control: + loop_var: "__user" + when: "os_support" + tags: "usermanagement" + +# crowdsec +- name: "crowdsec security engine" + ansible.builtin.include_tasks: "crowdsec.yaml" + when: + - "os_support" + - "crowdsec_enable" + tags: "crowdsec" + +# firewall +- name: "firewall" + ansible.builtin.import_tasks: "firewall/firewall-general.yaml" + when: + - "os_support" + - "firewall_enabled" + tags: "firewall" + +# firewall common rules +- name: "create firewall rules" + ansible.builtin.include_tasks: "firewall/firewall-rules.yaml" + loop: "{{ firewall_rules_common }}" + loop_control: + loop_var: "__rule" + when: + - "os_support" + - "firewall_rules_common is defined and firewall_enabled" + tags: "firewall" + +# firewall routed rules +- name: "create routed firewall rules" + 
ansible.builtin.include_tasks: "firewall/firewall-rules-routed.yaml" + loop: "{{ firewall_rules_routed }}" + loop_control: + loop_var: "__rule" + when: + - "os_support" + - "firewall_rules_routed is defined and firewall_enabled" + tags: "firewall" + +# firewall host rules +- name: "create firewall rules" + ansible.builtin.include_tasks: "firewall/firewall-rules.yaml" + loop: "{{ firewall_rules }}" + loop_control: + loop_var: "__rule" + when: + - "os_support" + - "firewall_rules is defined and firewall_enabled" + tags: "firewall" diff --git a/tasks/motd.yaml b/tasks/motd.yaml new file mode 100644 index 0000000..0b90a30 --- /dev/null +++ b/tasks/motd.yaml @@ -0,0 +1,43 @@ +--- + +# find old motd files +- name: "motd - find old scripts" + ansible.builtin.find: + paths: "/etc/update-motd.d/" + file_type: "file" + excludes: + - "10-custom-motd" + register: "old_motd" + tags: + - "motd" + +# remove old custom motd files +- name: "motd - cleanup directory" + ansible.builtin.file: + path: "{{ item.path }}" + state: "absent" + loop: "{{ old_motd.files }}" + when: "old_motd.files|length > 0" + tags: + - "motd" + +# remove old motd files +- name: "motd - cleanup main file" + ansible.builtin.file: + path: "/etc/motd" + state: "absent" + when: "inventory_hostname != 'bastion.siempie.internal'" + tags: + - "motd" + +# configure motd +- name: "motd - siempie" + ansible.builtin.template: + src: "templates/motd/motd.sh.j2" + dest: "/etc/update-motd.d/10-custom-motd" + owner: "root" + group: "root" + mode: "0755" + when: 'ansible_os_family == "Debian"' + tags: + - "motd" diff --git a/tasks/ntp.yaml b/tasks/ntp.yaml new file mode 100644 index 0000000..b88320d --- /dev/null +++ b/tasks/ntp.yaml 
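Review bot: The `tags` list on `include os specific vars` is missing `swap`, while the list on `check for os support` has it, so `ansible-playbook --tags swap` imports tasks/swap.yaml without ever loading `{{ ansible_os_family }}.yaml`; add `- "swap"` to that list. The `service` include task carries no `tags` at all, so it is skipped by every tag-restricted run — presumably unintended. Smaller points in the same hunk: the task named `sysctl - set systemctl` and the comment `# llpd` are typos, and the feature toggles mix `crowdsec_enable`, `syslog_enable` and `firewall_enabled`, which is worth settling on one suffix before other playbooks depend on them.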
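Review bot: `motd - cleanup main file` hard-codes one inventory hostname (`bastion.siempie.internal`) inside the role, which ties a reusable role to a single environment and hides the exception from anyone reading only inventory or vars. Replace it with a variable, e.g. `when: "inventory_hostname not in motd_keep_hosts | default([])"`, and set that list in the host's vars. `motd - cleanup directory` deletes every non-excluded file under /etc/update-motd.d/, including package-provided scripts that a later package upgrade may restore — acceptable, but worth saying in the `# remove old custom motd files` comment; its `when: "old_motd.files|length > 0"` guard is redundant, since an empty `loop` runs nothing.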
@@ -0,0 +1,23 @@ +--- + +# install chrony +- name: "ntp - install - chrony debian" + ansible.builtin.apt: + name: "chrony" + state: "present" + when: 'ansible_os_family == "Debian"' + tags: + - "ntp" + +# configure chrony +- name: "ntp - config - configure chrony" + ansible.builtin.template: + src: "templates/chrony/chrony.conf.j2" + dest: "/etc/chrony/chrony.conf" + owner: "root" + group: "root" + mode: "0644" + when: 'ansible_os_family == "Debian"' + notify: "restart chrony" + tags: + - "ntp" diff --git a/tasks/ossupport.yaml b/tasks/ossupport.yaml new file mode 100644 index 0000000..50a5210 --- /dev/null +++ b/tasks/ossupport.yaml @@ -0,0 +1,32 @@ +--- + +# support debian 12 +- name: "check for os support" + ansible.builtin.set_fact: + os_support: true + when: + - 'ansible_distribution == "Debian"' + - 'ansible_distribution_major_version == "12"' + +# support ubuntu 22 +- name: "check for os support" + ansible.builtin.set_fact: + os_support: true + when: + - 'ansible_distribution == "Ubuntu"' + - 'ansible_distribution_major_version == "22"' + +# support ubuntu 24 +- name: "check for os support" + ansible.builtin.set_fact: + os_support: true + when: + - 'ansible_distribution == "Ubuntu"' + - 'ansible_distribution_major_version == "24"' + +# fail role when not supported +- name: "unsupported role" + ansible.builtin.fail: + msg: "This role not supported on this Operating System." + when: + - "os_support is not defined" diff --git a/tasks/service.yaml b/tasks/service.yaml new file mode 100644 index 0000000..3f68377 --- /dev/null +++ b/tasks/service.yaml @@ -0,0 +1,8 @@ +--- + +# manage service +- name: "service - {{ __service['name'] }}" + ansible.builtin.service: + name: "{{ __service['name'] }}" + enabled: "{{ __service['enabled'] }}" + state: "{{ __service['state'] }}" diff --git a/tasks/snap/snap_daemon.yaml b/tasks/snap/snap_daemon.yaml new file mode 100644 index 0000000..d270129 --- /dev/null +++ b/tasks/snap/snap_daemon.yaml 
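Review bot: Three identically named `check for os support` tasks each set the same fact, and `os_support` is simply never defined on an unsupported host, so the `when: "os_support"` conditions elsewhere read as a boolean test on a fact that may not exist and depend on the `fail` task having run first. One task that always defines it is clearer and more robust: `os_support: "{{ (ansible_distribution, ansible_distribution_major_version) in [('Debian', '12'), ('Ubuntu', '22'), ('Ubuntu', '24')] }}"`, with the guard becoming `when: "not os_support"`. The supported list would then also be a single place to update when readme.md changes.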
@@ -0,0 +1,38 @@ +--- + +# set defaults +- name: "set facts" + ansible.builtin.set_fact: + __snapd_service: "{{ snapd_service | default('false') }}" + tags: + - "snap" + +# purge snapd +- name: "snapd - purge - package" + ansible.builtin.apt: + name: "snapd" + state: "absent" + purge: "yes" + when: "not __snapd_service" + tags: + - "snap" + +# install snapd +- name: "snapd - install - package" + ansible.builtin.apt: + name: "snapd" + state: "present" + cache_valid_time: "120" + when: "__snapd_service" + tags: + - "snap" + +# enable snapd +- name: "snapd - enable snapd service" + ansible.builtin.service: + name: "snapd" + state: "started" + enabled: true + when: "__snapd_service" + tags: + - "snap" diff --git a/tasks/snap/snap_package.yaml b/tasks/snap/snap_package.yaml new file mode 100644 index 0000000..421c522 --- /dev/null +++ b/tasks/snap/snap_package.yaml @@ -0,0 +1,13 @@ +--- + +# install snap +- name: "snap - install - packages" + community.general.snap: + name: "{{ __snap_package['name'] }}" + state: "present" + channel: "{{ __snap_package['channel'] | default('stable') }}" + loop: "{{ snap_package }}" + loop_control: + loop_var: "__snap_package" + tags: + - "snap" diff --git a/tasks/sshd.yaml b/tasks/sshd.yaml new file mode 100644 index 0000000..6a5fc07 --- /dev/null +++ b/tasks/sshd.yaml @@ -0,0 +1,13 @@ +--- + +# configure sshd +- name: "config - sshd" + ansible.builtin.template: + src: "templates/sshd/sshd_config.j2" + dest: "/etc/ssh/sshd_config" + owner: "root" + group: "root" + mode: "0644" + notify: "restart sshd" + tags: + - "sshd" diff --git a/tasks/swap.yaml b/tasks/swap.yaml new file mode 100644 index 0000000..e50b33d --- /dev/null +++ b/tasks/swap.yaml 
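Review bot: `__snapd_service` is set from `snapd_service | default('false')`, a quoted string, and then tested with `when: "not __snapd_service"`; Jinja treats the non-empty string `'false'` as truthy, so with the variable left at its default the purge task is skipped (whether the bare `when: "__snapd_service"` then installs snapd depends on Ansible's bare-variable boolean handling), which is not what the default suggests. Use a real boolean and cast in the condition: `__snapd_service: "{{ snapd_service | default(false) | bool }}"` and `when: "not (__snapd_service | bool)"`. tasks/swap.yaml has the same pattern with `__swap: "{{ swap | default('true') }}"` and `when: "not __swap"`, where the disable/delete branch can never fire while the value is a string.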
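Review bot: `config - sshd` writes /etc/ssh/sshd_config and notifies `restart sshd` without `validate:`, so a rendering that sshd rejects is installed and the daemon is then restarted into a failed state, cutting off remote access to every host in the run at once. Add `validate: "/usr/sbin/sshd -t -f %s"` to the template task so the file is only put in place when sshd accepts it. `backup: true` on the same task keeps the last working config recoverable from a console session.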
@@ -0,0 +1,94 @@ +--- + +# enable or disable swap +- name: "swap - set variable" + ansible.builtin.set_fact: + __swap: "{{ swap | default('true') }}" + tags: + - "swap" + +# verify swapfile +- name: "swap - verify swapfile" + ansible.builtin.stat: + path: "{{ swap_file_location | default('/swapfile') }}" + register: "swap_file_check" + tags: + - "swap" + +## create swap +# create swap file +- name: "swap - create swap file" + ansible.builtin.command: "fallocate -l {{ swap_file_size }} {{ swap_file_location }}" + when: "not swap_file_check.stat.exists and __swap" + tags: + - "swap" + +# set swap file permissions +- name: "swap - set permissions " + ansible.builtin.file: + path: "{{ swap_file_location }}" + owner: "root" + group: "root" + mode: "0600" + when: "__swap" + tags: + - "swap" + +# 'format' swapfile +- name: "swap - format swap file" + ansible.builtin.command: "mkswap {{ swap_file_location }}" + when: "not swap_file_check.stat.exists and __swap" + tags: + - "swap" + +# configure fstab +- name: "swap - configure fstab" + ansible.posix.mount: + name: "swapfile" + src: "{{ swap_file_location | default('/swapfile') }}" + fstype: "swap" + opts: "sw" + passno: "0" + dump: "0" + state: "present" + when: "__swap" + tags: + - "swap" + +# enable swap +- name: "swap - enable swap" + ansible.builtin.command: "swapon -a" + when: "not swap_file_check.stat.exists and __swap" + tags: + - "swap" + +## delete swap +# disable swap +- name: "swap - disable swap" + ansible.builtin.command: "swapoff -a" + when: "swap_file_check.stat.exists and not __swap" + tags: + - "swap" + +# delete swap file +- name: "swap - delete swap file" + ansible.builtin.file: + path: "{{ swap_file_location }}" + state: "absent" + when: "swap_file_check.stat.exists and not __swap" + tags: + - "swap" + +# configure fstab +- name: "swap - configure fstab" + ansible.posix.mount: + name: "swapfile" + src: "{{ swap_file_location | default('/swapfile') }}" + fstype: "swap" + opts: "sw" + passno: "0" + dump: 
"0" + state: "absent" + when: "not __swap" + tags: + - "swap" diff --git a/tasks/sysctl.yaml b/tasks/sysctl.yaml new file mode 100644 index 0000000..19dceef --- /dev/null +++ b/tasks/sysctl.yaml @@ -0,0 +1,10 @@ +--- + +# configure sysctl +- name: "sysctl - set {{ __sysctl['name'] }}" + ansible.posix.sysctl: + name: "{{ __sysctl['name'] }}" + value: "{{ __sysctl['value'] }}" + sysctl_set: "yes" + tags: + - "sysctl" diff --git a/tasks/syslog/config.yaml b/tasks/syslog/config.yaml new file mode 100644 index 0000000..a74146a --- /dev/null +++ b/tasks/syslog/config.yaml @@ -0,0 +1,53 @@ +--- + +# configure rsyslogd - debian +- name: "syslog - config - rsyslog - debian" + ansible.builtin.template: + src: "templates/syslog/rsyslog/rsyslog.debian.conf.j2" + dest: "/etc/rsyslog.conf" + owner: "root" + group: "root" + mode: "0644" + when: 'ansible_distribution == "Debian"' + notify: "restart rsyslog" + tags: + - "syslog" + +# configure rsyslogd - ubuntu +- name: "syslog - config - rsyslog - ubuntu" + ansible.builtin.template: + src: "templates/syslog/rsyslog/rsyslog.ubuntu.conf.j2" + dest: "/etc/rsyslog.conf" + owner: "root" + group: "root" + mode: "0644" + when: 'ansible_distribution == "Ubuntu"' + notify: "restart rsyslog" + tags: + - "syslog" + +# configure rsyslogd - apt +- name: "syslog - config - apt" + ansible.builtin.template: + src: "templates/syslog/rsyslog.d/apt.conf.j2" + dest: "/etc/rsyslog.d/apt.conf" + owner: "root" + group: "root" + mode: "0644" + when: 'ansible_os_family == "Debian"' + notify: "restart rsyslog" + tags: + - "syslog" + +# configure rsyslogd - observium +- name: "syslog - config - remote-logging" + ansible.builtin.template: + src: "templates/syslog/rsyslog.d/remote-logging.j2" + dest: "/etc/rsyslog.d/remote-logging.conf" + owner: "root" + group: "root" + mode: "0644" + when: 'ansible_os_family == "Debian"' + notify: "restart rsyslog" + tags: + - "syslog" 
diff --git a/tasks/syslog/install.yaml b/tasks/syslog/install.yaml new file mode 100644 index 0000000..d0afc49 --- /dev/null +++ b/tasks/syslog/install.yaml @@ -0,0 +1,11 @@ +--- + +# install rsyslog +- name: "syslog - install - rsyslog" + ansible.builtin.apt: + name: "rsyslog" + state: "present" + cache_valid_time: "3600" + when: 'ansible_os_family == "Debian"' + tags: + - "syslog" diff --git a/tasks/systemctl.yaml b/tasks/systemctl.yaml new file mode 100644 index 0000000..95c2ef0 --- /dev/null +++ b/tasks/systemctl.yaml @@ -0,0 +1,14 @@ +--- + +# configure fstrim.timer +- name: "systemctl - config - fstrim.timer" + ansible.builtin.template: + src: "templates/systemctl/fstrim.timer.j2" + dest: "/usr/lib/systemd/system/fstrim.timer" + owner: "root" + group: "root" + mode: "0644" + when: 'ansible_os_family == "Debian"' + notify: "daemon-reload fstrim.timer" + tags: + - "systemctl" diff --git a/tasks/telemetry.yaml b/tasks/telemetry.yaml new file mode 100644 index 0000000..6d69d9c --- /dev/null +++ b/tasks/telemetry.yaml @@ -0,0 +1,10 @@ +--- + +# delete daily popularity contest cronjob +- name: "telemetry - delete popularity-contest cron" + ansible.builtin.file: + path: "/etc/cron.daily/popularity-contest" + state: "absent" + when: 'ansible_distribution == "Ubuntu"' + tags: + - "telemetry" diff --git a/tasks/timezone.yaml b/tasks/timezone.yaml new file mode 100644 index 0000000..668d935 --- /dev/null +++ b/tasks/timezone.yaml @@ -0,0 +1,8 @@ +--- + +# set timezone +- name: "timezone - set {{ timezone }}" + community.general.timezone: + name: "{{ timezone }}" + tags: + - "timezone" diff --git a/tasks/user.yaml b/tasks/user.yaml new file mode 100644 index 0000000..5ee790a --- /dev/null +++ b/tasks/user.yaml 
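Review bot: `systemctl - config - fstrim.timer` overwrites /usr/lib/systemd/system/fstrim.timer, the copy shipped by the package, so the next package upgrade replaces it and the role's change is silently lost until the next run. systemd's override mechanism is the intended place: render the template to `/etc/systemd/system/fstrim.timer` (full replacement, which takes precedence over /usr/lib) or to `/etc/systemd/system/fstrim.timer.d/override.conf` holding only the changed `[Timer]` keys, and keep the `daemon-reload fstrim.timer` handler as is.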
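Review bot: `telemetry - delete popularity-contest cron` removes a file owned by the popularity-contest package, so an upgrade of that package can reinstate /etc/cron.daily/popularity-contest and the host quietly resumes reporting. If the goal is to stop submissions, remove the package (`ansible.builtin.apt` with `name: "popularity-contest"`, `state: "absent"`, `purge: true`) and keep the file deletion only as a belt-and-braces step. A comment stating which of the two outcomes is intended would make the task's scope clear.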
@@ -0,0 +1,81 @@
+---
+
+# manage facts
+- name: "user - set default facts for {{ __user['username'] }}"
+ ansible.builtin.set_fact:
+ sudo_hosts: "{{ __user['hosts'] | default('all') }}"
+ sudo_file: "{{ __user['sudo'] | default('False') }}"
+ sudo_pwless: "{{ __user['sudo_passwordless'] | default('False') }}"
+ user_state: "{{ __user['state'] | default('present') }}"
+ tags:
+ - "usermanagement"
+
+# create users
+- name: "user - create users with password - {{ __user['username'] }}"
+ ansible.builtin.user:
+ name: "{{ __user['username'] }}"
+ comment: "{{ __user['name'] }}"
+ password: "{{ __user['password'] }}"
+ shell: "{{ __user['shell'] | default('/bin/bash') }}"
+ state: "present"
+ when:
+ - "__user['password'] is defined"
+ - "user_state == 'present'"
+ tags:
+ - "usermanagement"
+
+- name: "user - create users withouth password - {{ __user['username'] }}"
+ ansible.builtin.user:
+ name: "{{ __user['username'] }}"
+ comment: "{{ __user['name'] }}"
+ shell: "{{ __user['shell'] | default('/bin/bash') }}"
+ state: "state"
+ when:
+ - "__user['password'] is not defined"
+ - "user_state == 'present'"
+ tags:
+ - "usermanagement"
+
+# manage authorized_keys
+- name: "user - manage authorized_keys - {{ __user['username'] }}"
+ ansible.posix.authorized_key:
+ user: "{{ __user['username'] }}"
+ key: "{{ __user['publickey'] }}"
+ state: "present"
+ manage_dir: "true"
+ when:
+ - "__user['publickey'] is defined"
+ tags:
+ - "usermanagement"
+
+# delete users
+- name: "user - delete users - {{ __user['username'] }}"
+ ansible.builtin.user:
+ name: "{{ __user['username'] }}"
+ state: "absent"
+ remove: "yes"
+ when: "user_state == 'absent'"
+ tags:
+ - "usermanagement"
+
+# manage sudoers file
+- name: "user - create sudoers file - {{ __user['username'] }}"
+ ansible.builtin.template:
+ src: "templates/usermanagement/sudoers.d/sudoers.j2"
+ dest: "/etc/sudoers.d/{{ __user['username'] }}"
+ owner: "root"
+ group: "root"
+ mode: "0644"
+ when:
+ - "sudo_file"
+ tags:
+ - "usermanagement"
+
+- name: "user - delete sudoers file - {{ __user['username'] }}"
+ ansible.builtin.file:
+ state: "absent"
+ path: "/etc/sudoers.d/{{ __user['username'] }}"
+ when:
+ - "not sudo_file"
+ tags:
+ - "usermanagement"
diff --git a/templates/apt/conf.d/10periodic.j2 b/templates/apt/conf.d/10periodic.j2
new file mode 100644
index 0000000..22b66ce
--- /dev/null
+++ b/templates/apt/conf.d/10periodic.j2
@@ -0,0 +1,3 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "0";
+APT::Periodic::AutocleanInterval "1";
diff --git a/templates/apt/conf.d/50unattended-upgrades.Debian.j2 b/templates/apt/conf.d/50unattended-upgrades.Debian.j2
new file mode 100644
index 0000000..adf367b
--- /dev/null
+++ b/templates/apt/conf.d/50unattended-upgrades.Debian.j2
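Review bot: `state: "state"` in the "create users withouth password" task is not a valid value for ansible.builtin.user (only present/absent are accepted), so every password-less user creation fails with a module argument error; it should read `state: "present"`, and "withouth" in the task name is a typo. The password task passes `password: "{{ __user['password'] }}"` without `no_log: true`, so the hash — or a plaintext value, which the module would store verbatim since it expects a crypt hash — ends up in verbose output and callback logs; add `no_log: true` to that task. The sudoers task writes `/etc/sudoers.d/<user>` with `mode: "0644"` and no syntax check; the conventional `mode: "0440"` together with `validate: "/usr/sbin/visudo -cf %s"` prevents a template error from breaking sudo for every account on the host. `sudo_hosts` is set as a fact but not consumed by any template in this commit, so either drop it or document what is meant to read it.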
@@ -0,0 +1,44 @@
+Unattended-Upgrade::Origins-Pattern {
+
+ # debian
+ "origin=Debian,codename=${distro_codename}";
+ "origin=Debian,codename=${distro_codename}-updates";
+ "origin=Debian,codename=${distro_codename}-security";
+
+ # crowdsec
+ "origin=packagecloud.io/crowdsec/crowdsec,label=crowdsec";
+
+ # tailscale updates
+ "origin=Tailscale,codename=${distro_codename},label=Tailscale";
+
+ # zabbix
+ "origin=Zabbix,codename=${distro_codename},label=zabbix";
+ "origin=zabbix,codename=${distro_codename},label=zabbix";
+};
+
+Unattended-Upgrade::Package-Blacklist {
+};
+
+# dpkg | default > old
+Dpkg::Options {
+ "--force-confdef";
+ "--force-confold";
+};
+
+# auto upgrade packages
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
+Unattended-Upgrade::DevRelease "{{ apt_devrelease | default('false') }}";
+Unattended-Upgrade::AutoFixInterruptedDpkg "{{ apt_autofix_interrupted_dpkg | default('true') }}";
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "{{ apt_remove_unused_kernel_packages | default('true') }}";
+Unattended-Upgrade::Remove-New-Unused-Dependencies "{{ apt_remove_new_unused_dependancies | default('true') }}";
+Unattended-Upgrade::Remove-Unused-Dependencies "{{ apt_remove_unused_dependancies | default('true') }}";
+
+# auto reboot
+Unattended-Upgrade::Automatic-Reboot "{{ apt_automatic_reboot }}";
+Unattended-Upgrade::Automatic-Reboot-WithUsers "{{ apt_automatic_reboot_with_users | default('true') }}";
+Unattended-Upgrade::Automatic-Reboot-Time "{{ apt_automatic_reboot_time }}";
+
+# syslog
+Unattended-Upgrade::SyslogEnable "{{ apt_syslog_enable | default('true') }}";
+Unattended-Upgrade::SyslogFacility "{{ apt_syslog_facility | default('daemon') }}";
diff --git a/templates/apt/conf.d/50unattended-upgrades.Ubuntu.j2 b/templates/apt/conf.d/50unattended-upgrades.Ubuntu.j2
new file mode 100644
index 0000000..6f8396e
--- /dev/null
+++ b/templates/apt/conf.d/50unattended-upgrades.Ubuntu.j2
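Review bot: `APT::Periodic::Update-Package-Lists "1"` is set both here and in templates/apt/conf.d/10periodic.j2, and this Debian template also sets `APT::Periodic::Unattended-Upgrade "1"` while the Ubuntu counterpart in the next hunk does not; keeping all `APT::Periodic::*` keys in 10periodic.j2 gives both distributions the same schedule and leaves one file to audit. `Automatic-Reboot` and `Automatic-Reboot-Time` are the only keys without a `default()`, which makes templating fail on an undefined variable instead of silently choosing a reboot policy; if that is intended, say so with `{# no default on purpose: automatic reboot must be an explicit per-host decision #}`. The variable names `apt_remove_new_unused_dependancies` / `apt_remove_unused_dependancies` are misspelled (dependencies) in both templates and that spelling is now part of the role's interface, so it is worth fixing before anyone depends on it.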
@@ -0,0 +1,44 @@
+Unattended-Upgrade::Allowed-Origins {
+
+ # ubuntu updates
+ "${distro_id}:${distro_codename}";
+ "${distro_id}:${distro_codename}-security";
+ "${distro_id}:${distro_codename}-updates";
+ "${distro_id}:${distro_codename}-proposed";
+ "${distro_id}:${distro_codename}-backports";
+
+ # crowdsec
+ "packagecloud.io/crowdsec/crowdsec:${distro_codename}";
+
+ # tailscale updates
+ "Tailscale:${distro_codename}";
+
+ # zabbix updates
+ "Zabbix:${distro_codename}";
+ "zabbix:${distro_codename}";
+};
+
+Unattended-Upgrade::Package-Blacklist {
+};
+
+# dpkg | default > old
+Dpkg::Options {
+ "--force-confdef";
+ "--force-confold";
+};
+
+# auto upgrade packages
+Unattended-Upgrade::DevRelease "{{ apt_devrelease | default('false') }}";
+Unattended-Upgrade::AutoFixInterruptedDpkg "{{ apt_autofix_interrupted_dpkg | default('true') }}";
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "{{ apt_remove_unused_kernel_packages | default('true') }}";
+Unattended-Upgrade::Remove-New-Unused-Dependencies "{{ apt_remove_new_unused_dependancies | default('true') }}";
+Unattended-Upgrade::Remove-Unused-Dependencies "{{ apt_remove_unused_dependancies | default('true') }}";
+
+# auto reboot
+Unattended-Upgrade::Automatic-Reboot "{{ apt_automatic_reboot }}";
+Unattended-Upgrade::Automatic-Reboot-WithUsers "{{ apt_automatic_reboot_with_users | default('true') }}";
+Unattended-Upgrade::Automatic-Reboot-Time "{{ apt_automatic_reboot_time }}";
+
+# syslog
+Unattended-Upgrade::SyslogEnable "{{ apt_syslog_enable | default('true') }}";
+Unattended-Upgrade::SyslogFacility "{{ apt_syslog_facility | default('daemon') }}";
diff --git a/templates/apt/sources.d/Ubuntu.sources.j2 b/templates/apt/sources.d/Ubuntu.sources.j2
new file mode 100644
index 0000000..ae5deae
--- /dev/null
+++ b/templates/apt/sources.d/Ubuntu.sources.j2
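Review bot: `"${distro_id}:${distro_codename}-proposed";` in Allowed-Origins whitelists Ubuntu's pre-release testing pocket for unattended installation; it is inert as long as none of the sources templates in this commit enable `-proposed`, but the moment someone adds that suite for a one-off test, every package from it auto-installs on the next run, so the line should be dropped or gated behind a variable the way universe/multiverse are. The `-backports` entry is defensible because apt only follows backports for packages already installed from it, but that reasoning is not obvious and deserves a comment such as `# backports: only packages already installed from backports are tracked`. The Ubuntu template also omits the `APT::Periodic::Unattended-Upgrade "1"` line the Debian template sets, so the two distributions currently rely on different places for the schedule; see the note on the Debian hunk.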
@@ -0,0 +1,12 @@
+Types: deb
+URIs: {{ apt_repository_main }}
+Suites: {{ ansible_distribution_release }} {{ ansible_distribution_release }}-updates {{ ansible_distribution_release }}-backports
+Components: main restricted {% if apt_enable_universe == True %}universe{% endif %} {% if apt_enable_multiverse == True %}multiverse{% endif %}
+Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
+
+Types: deb
+URIs: {{ apt_repository_security }}
+Suites: {{ ansible_distribution_release }}-security
+Components: main restricted {% if apt_enable_universe == True %}universe{% endif %} {% if apt_enable_multiverse == True %}multiverse{% endif %}
+Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
+
diff --git a/templates/apt/sources.d/sources.list.Debian.j2 b/templates/apt/sources.d/sources.list.Debian.j2
new file mode 100644
index 0000000..d1bc98a
--- /dev/null
+++ b/templates/apt/sources.d/sources.list.Debian.j2
@@ -0,0 +1,3 @@
+deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
+deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
+deb http://security.debian.org bookworm-security main contrib non-free non-free-firmware
diff --git a/templates/apt/sources.d/sources.list.Ubuntu.j2 b/templates/apt/sources.d/sources.list.Ubuntu.j2
new file mode 100644
index 0000000..a346e2b
--- /dev/null
+++ b/templates/apt/sources.d/sources.list.Ubuntu.j2
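Review bot: `{% if apt_enable_universe == True %}` (and the multiverse twin, on both Components lines) compares against the Python bool, so a value that arrives as a string — `-e apt_enable_universe=true`, an inventory written with quotes, or an `ini`-style host var — never matches and universe is silently left out of the sources; `{% if apt_enable_universe | bool %}` accepts both forms. The same construct is used in templates/apt/sources.d/sources.list.Ubuntu.j2 in the next hunk and should be changed there too. The `Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg` pinning is good; a short comment noting that the file depends on the `ubuntu-keyring` package being present would help anyone porting this to a minimal image.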
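Review bot: templates/apt/sources.d/sources.list.Debian.j2 hard-codes `bookworm` in all three `deb` lines while every Ubuntu template in this commit derives the suite from `{{ ansible_distribution_release }}`; a host already on a newer Debian release would be pointed back at bookworm suites and, with unattended-upgrades enabled, quietly drift away from its installed release. Use `deb http://deb.debian.org/debian {{ ansible_distribution_release }} main contrib non-free non-free-firmware` (and likewise for `-updates` and `-security`) so the Debian and Ubuntu templates follow the same rule, and note in a comment that `non-free-firmware` only exists as a component from bookworm onward if older releases are ever in scope.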
@@ -0,0 +1,21 @@
+# main + restricted
+deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }} main restricted
+deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }}-updates main restricted
+deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }}-security main restricted
+deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }}-backports main restricted
+
+{% if apt_enable_universe == True %}
+# universe
+deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }} universe
+deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }}-updates universe
+deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }}-security universe
+deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }}-backports universe
+
+{% endif %}
+{% if apt_enable_multiverse == True %}
+# multiverse
+deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }} multiverse
+deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }}-updates multiverse
+deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }}-security multiverse
+deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }}-backports multiverse
+{% endif %}
diff --git a/templates/chrony/chrony.conf.j2 b/templates/chrony/chrony.conf.j2
new file mode 100644
index 0000000..a295fb4
--- /dev/null
+++ b/templates/chrony/chrony.conf.j2
@@ -0,0 +1,8 @@
+pool {{ ntp_server }} iburst
+
+keyfile /etc/chrony/chrony.keys
+driftfile /var/lib/chrony/chrony.drift
+logdir /var/log/chrony
+maxupdateskew 100.0
+makestep 1 3
+rtcsync
diff --git a/templates/collectd/collectd.conf.j2 b/templates/collectd/collectd.conf.j2
new file mode 100644
index 0000000..9f6f3d5
--- /dev/null
+++ b/templates/collectd/collectd.conf.j2
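Review bot: Every `deb` line in templates/apt/sources.d/sources.list.Ubuntu.j2 hard-codes `[ arch=amd64 ]`, so on any non-amd64 host (arm64 is the common case) apt is told to fetch amd64 indexes only and the native architecture gets no sources at all; the template has no guard that limits it to amd64 hosts. Either drop the option (apt defaults to the host's native architecture) or make it explicit with a role variable that the caller sets, since `ansible_architecture` reports `x86_64`, not `amd64`, and cannot be substituted directly. A one-line comment stating which architectures the template supports would make the intent clear either way; the `== True` comparisons on the `{% if %}` lines are covered by the note on the previous hunk.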
@@ -0,0 +1,37 @@
+hostname "{{ inventory_hostname }}"
+
+BaseDir "/var/lib/collectd"
+PIDFile "/var/run/collectd.pid"
+PluginDir "/usr/lib/collectd"
+TypesDB "/usr/share/collectd/types.db"
+
+LoadPlugin cpu
+LoadPlugin df
+LoadPlugin disk
+LoadPlugin interface
+LoadPlugin load
+LoadPlugin memory
+LoadPlugin network
+LoadPlugin uptime
+
+
+ ReportByCpu false
+ ReportByState true
+ ValuesPercentage true
+
+
+
+ MountPoint "/"
+
+
+
+
+
+
+ Interface "{{ collectd_network_interface }}"
+ IgnoreSelected false
+
+
+
+ Server "{{ collectd_network_dest_address }}" "{{ collectd_network_dest_port }}"
+
diff --git a/templates/cron/mount_zfs_kstat.j2 b/templates/cron/mount_zfs_kstat.j2
new file mode 100644
index 0000000..8ac404a
--- /dev/null
+++ b/templates/cron/mount_zfs_kstat.j2
@@ -0,0 +1 @@
+@reboot root mount -t tmpfs tmpfs /proc/spl/kstat/zfs
diff --git a/templates/environment/environment.j2 b/templates/environment/environment.j2
new file mode 100644
index 0000000..9a1aa98
--- /dev/null
+++ b/templates/environment/environment.j2
@@ -0,0 +1,4 @@
+PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games"
+
+## Locale Fix
+LC_ALL="en_US.UTF-8"
diff --git a/templates/journald/journald.conf.j2 b/templates/journald/journald.conf.j2
new file mode 100644
index 0000000..2bc804c
--- /dev/null
+++ b/templates/journald/journald.conf.j2
@@ -0,0 +1,5 @@
+[Journal]
+SystemMaxUse=25M
+SystemMaxFileSize=1M
+MaxRetentionSec=1h
+MaxFileSec=1h
diff --git a/templates/motd/motd.sh.j2 b/templates/motd/motd.sh.j2
new file mode 100644
index 0000000..32b4fcb
--- /dev/null
+++ b/templates/motd/motd.sh.j2
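Review bot: The `Server "{{ collectd_network_dest_address }}" "{{ collectd_network_dest_port }}"` entry of the network plugin sends metrics without authentication or encryption unless a `SecurityLevel` with `Username`/`Password` is configured, so hostnames, mount points and interface names cross the network in clear and the collector cannot distinguish this host's data from anyone else's on the same segment. If the destination is not on an isolated management network, add `SecurityLevel Encrypt` with credentials sourced from the same secret store the rest of the role uses, or state in a comment that the collector is reachable only over a trusted link. The `<Plugin …>` / `</Plugin>` wrappers appear to have been lost in this rendering of the hunk (the runs of empty added lines around `ReportByCpu`, `MountPoint`, `Interface` and `Server`); worth confirming against the committed file, since collectd rejects option lines that sit outside a plugin block.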
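Review bot: `MaxRetentionSec=1h` together with `SystemMaxUse=25M` in templates/journald/journald.conf.j2 keeps at most an hour of local journal, so after an incident the only record of what happened on the host is whatever rsyslog wrote to disk or managed to forward over the single-`@` UDP rule in templates/syslog/rsyslog.d/remote-logging.j2, which offers no delivery guarantee. If the short retention is a deliberate disk-space trade-off, a comment such as `# local journal is intentionally short-lived; rsyslog (local files + remote forward) is the system of record` belongs in this file so the next responder does not assume the journal is authoritative. If it is not deliberate, a retention of days rather than hours costs little and is what forensic triage normally needs.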
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# distribution information
+if [ -f /etc/os-release ]; then
+ . /etc/os-release
+ if [ "$ID" = "ubuntu" ]; then
+ linux_distribution="\e[33m$PRETTY_NAME\e[0m"
+ elif [ "$ID" = "debian" ]; then
+ linux_distribution="\e[91m$PRETTY_NAME\e[0m"
+ else
+ linux_distribution="\e[94m$NAME\e[0m"
+ fi
+else
+ linux_distribution="\e[94mUnknown Linux Distribution\e[0m"
+fi
+
+# disk usage
+disk_usage=$(df -h / | awk 'NR==2 {print $3 " / " $2 " (" $5 ")"}')
+
+# memory usage
+memory_usage=$(free -m | awk 'NR==2 {print $3 " MB / " $2 " MB (" int($3/$2*100) "%)"}')
+
+# pending updates
+pending_updates=$(apt list --upgradable 2>/dev/null | grep -c 'upgradable')
+
+# display motd
+echo "Welcome to $(hostname)!"
+echo ""
+echo -e "$linux_distribution"
+echo "Disk Usage: $disk_usage"
+echo "Memory Usage: $memory_usage"
+echo ""
+
+if [ "$pending_updates" -eq 1 ]; then
+ echo "There is $pending_updates pending update."
+
+elif [ "$pending_updates" -gt 1 ]; then
+ echo "There are $pending_updates pendinging updates."
+
+else
+ echo "No pending updates."
+fi
diff --git a/templates/sshd/sshd_config.j2 b/templates/sshd/sshd_config.j2
new file mode 100644
index 0000000..296661e
--- /dev/null
+++ b/templates/sshd/sshd_config.j2
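Review bot: The `elif` branch prints a typo: `echo "There are $pending_updates pendinging updates."` should read `echo "There are $pending_updates pending updates."`. The count comes from `apt list --upgradable`, which only reflects the package lists fetched by the last `apt update` — here the daily run configured in templates/apt/conf.d/10periodic.j2 — so the number can be up to a day stale; a comment such as `# reflects the last apt update (daily via APT::Periodic), not a fresh fetch` above the `pending_updates=` line prevents the next reader from treating it as live data. Sourcing `/etc/os-release` with `.` is fine here because the file is root-owned, but that assumption is worth a short comment as well since the script runs for every login.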
@@ -0,0 +1,40 @@
+# networking
+Protocol 2
+Port 22
+AddressFamily inet
+ListenAddress 0.0.0.0
+
+# hostkey
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Authentication
+PermitRootLogin no
+
+# Hardening
+StrictModes yes
+MaxAuthTries 2
+MaxStartups 10:50:20
+LoginGraceTime 15
+MaxSessions 8
+PasswordAuthentication no
+PubkeyAuthentication yes
+AllowUsers ansible drone hugo rundeck simon
+VersionAddendum ""
+IgnoreRhosts yes
+UseDNS no
+X11Forwarding no
+ClientAliveCountMax 8
+Compression no
+AllowTcpForwarding yes
+AllowAgentForwarding yes
+UsePAM yes
+PrintMotd no
+PrintLastLog no
+
+# The cryptos
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+
+# sFTP
+Subsystem sftp /usr/libexec/sftp-server
diff --git a/templates/syslog/rsyslog.d/apt.conf.j2 b/templates/syslog/rsyslog.d/apt.conf.j2
new file mode 100644
index 0000000..9bc6740
--- /dev/null
+++ b/templates/syslog/rsyslog.d/apt.conf.j2
@@ -0,0 +1,6 @@
+$InputFileName /var/log/apt/history.log
+$InputFileTag apt
+$InputFileStateFile apt-history-log
+$InputFileSeverity info
+$InputFileFacility local3
+$InputRunFileMonitor
diff --git a/templates/syslog/rsyslog.d/remote-logging.j2 b/templates/syslog/rsyslog.d/remote-logging.j2
new file mode 100644
index 0000000..057aa0b
--- /dev/null
+++ b/templates/syslog/rsyslog.d/remote-logging.j2
@@ -0,0 +1 @@
+*.* @{{ rsyslog_destination }}:{{ rsyslog_port }}
diff --git a/templates/syslog/rsyslog/rsyslog.debian.conf.j2 b/templates/syslog/rsyslog/rsyslog.debian.conf.j2
new file mode 100644
index 0000000..5695bc8
--- /dev/null
+++ b/templates/syslog/rsyslog/rsyslog.debian.conf.j2
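Review bot: `AllowUsers ansible drone hugo rundeck simon` hard-codes the SSH allow-list in the template while tasks/user.yaml creates and removes accounts from a variable, so an account the role deletes stays allowed to authenticate and one it adds is locked out until this file is hand-edited; derive the list from the same data, e.g. `AllowUsers {{ sshd_allow_users | join(' ') }}` (constructed variable name, to be given a role default), so the two cannot drift. `Subsystem sftp /usr/libexec/sftp-server` is not where Debian and Ubuntu install the binary (their stock config points at `/usr/lib/openssh/sftp-server`), which would break SFTP and, depending on the connection settings, Ansible's own file transfer; `Subsystem sftp internal-sftp` avoids the path entirely. `Protocol 2` has been ignored since OpenSSH dropped protocol 1 support and can go, and `AllowTcpForwarding yes` / `AllowAgentForwarding yes` are the permissive choices under a heading that says "Hardening", so each deserves a one-line comment naming the workflow that needs it.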
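Review bot: `*.* @{{ rsyslog_destination }}:{{ rsyslog_port }}` in templates/syslog/rsyslog.d/remote-logging.j2 uses a single `@`, i.e. plain UDP: every message leaves the host unencrypted and unauthenticated, and anything sent while the collector or the network is unavailable is silently lost, which is a poor fit for the off-host copy that the one-hour journald retention in this commit makes the system of record. Use `@@{{ rsyslog_destination }}:{{ rsyslog_port }}` for TCP as a minimum, or the RainerScript form `action(type="omfwd" target="…" port="…" protocol="tcp" StreamDriver="gtls" StreamDriverMode="1" queue.type="LinkedList" queue.filename="remote")` so forwarding is encrypted and buffered on disk across outages. Whichever is chosen, a comment stating the transport and whether the collector authenticates the sender belongs on this line.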
@@ -0,0 +1,25 @@
+#################
+#### MODULES ####
+#################
+module(load="imfile") # provides support for logfile polling
+module(load="imuxsock") # provides support for local system logging
+module(load="imklog") # provides kernel logging support
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+$RepeatedMsgReduction on
+
+# Set the default permissions for all log files.
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+# Where to place spool and state files
+$WorkDirectory /var/spool/rsyslog
+
+# Include all config files in /etc/rsyslog.d/
+$IncludeConfig /etc/rsyslog.d/*.conf
diff --git a/templates/syslog/rsyslog/rsyslog.ubuntu.conf.j2 b/templates/syslog/rsyslog/rsyslog.ubuntu.conf.j2
new file mode 100644
index 0000000..76448c2
--- /dev/null
+++ b/templates/syslog/rsyslog/rsyslog.ubuntu.conf.j2
@@ -0,0 +1,27 @@
+#################
+#### MODULES ####
+#################
+module(load="imfile") # provides support for logfile polling
+module(load="imuxsock") # provides support for local system logging
+module(load="imklog") # provides kernel logging support
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+$RepeatedMsgReduction on
+
+# Set the default permissions for all log files.
+$FileOwner syslog
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+$PrivDropToUser syslog
+$PrivDropToGroup syslog
+
+# Where to place spool and state files
+$WorkDirectory /var/spool/rsyslog
+
+# Include all config files in /etc/rsyslog.d/
+$IncludeConfig /etc/rsyslog.d/*.conf
diff --git a/templates/systemctl/fstrim.timer.j2 b/templates/systemctl/fstrim.timer.j2
new file mode 100644
index 0000000..2283c74
--- /dev/null
+++ b/templates/systemctl/fstrim.timer.j2
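Review bot: templates/syslog/rsyslog/rsyslog.debian.conf.j2 replaces /etc/rsyslog.conf with a file that has only MODULES and GLOBAL DIRECTIVES sections; Debian's stock rsyslog.conf also carries the RULES section that writes /var/log/syslog, auth.log, kern.log and friends, whereas Ubuntu keeps those rules in /etc/rsyslog.d/50-default.conf, which the `$IncludeConfig /etc/rsyslog.d/*.conf` line in the Ubuntu template still picks up. Unless a rules drop-in outside this commit exists, a Debian host ends up with no local log files at all — only the UDP forward from remote-logging.j2 — which removes the most useful evidence in an incident. Either add the RULES block to the Debian template or ship a 50-default.conf drop-in for both distributions, and state in a comment at the bottom of each template where the output rules are expected to come from. The Debian template also runs rsyslog as root (`$FileOwner root`, no `$PrivDropToUser`) while the Ubuntu one drops to `syslog`; if that is a constraint of Debian's packaging, a comment saying so would stop reviewers from flagging it repeatedly.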
@@ -0,0 +1,12 @@
+[Unit]
+Description={{ __systemctl['description'] }}
+Documentation=man:fstrim
+ConditionVirtualization=!container
+
+[Timer]
+OnCalendar={{ __systemctl['oncalendar'] | default('weekly') }}
+AccuracySec=1h
+Persistent=true
+
+[Install]
+WantedBy=timers.target
diff --git a/templates/usermanagement/sudoers.d/sudoers.j2 b/templates/usermanagement/sudoers.d/sudoers.j2
new file mode 100644
index 0000000..8b2e48f
--- /dev/null
+++ b/templates/usermanagement/sudoers.d/sudoers.j2
@@ -0,0 +1,16 @@
+{% if __user['username'] == 'drone' %}
+# ansible.siempie.internal
+drone ansible.siempie.internal=(root) NOPASSWD:/usr/bin/git -C /etc/ansible *
+drone ansible.siempie.internal=(root) NOPASSWD:/usr/local/bin/ansible-galaxy install -r /etc/ansible/ansible_requirements.yaml
+drone ansible.siempie.internal=(root) NOPASSWD:/usr/local/bin/ansible-playbook *
+
+# mgmt01.siempie.local
+drone mgmt01.siempie.internal=(simon) NOPASSWD:/usr/local/bin/kubectl *
+{% else %}
+{% if sudo_pwless == False %}
+{{ __user['username'] }} ALL=(ALL) ALL
+{% endif %}
+{% if sudo_pwless == True %}
+{{ __user['username'] }} ALL=(ALL) NOPASSWD: ALL
+{% endif %}
+{% endif %}
diff --git a/vars/Debian.yaml b/vars/Debian.yaml
new file mode 100644
index 0000000..614cc92
--- /dev/null
+++ b/vars/Debian.yaml
@@ -0,0 +1,25 @@
+---
+
+# default packages to install
+apt_default_packages_install:
+ - "aptitude"
+ - "apt-transport-https"
+ - "debian-archive-keyring"
+ - "btop"
+ - "curl"
+ - "gnupg"
+ - "htop"
+ - "mc"
+ - "net-tools"
+ - "nload"
+ - "python-apt-common"
+ - "software-properties-common"
+ - "unattended-upgrades"
+ - "ufw"
+ - "unzip"
+ - "vim"
+
+# default packages to delete
+apt_default_packages_delete:
+ - "popularity-contest"
+ - "ubuntu-report"
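Review bot: In the `drone` branch of templates/usermanagement/sudoers.d/sudoers.j2, `NOPASSWD:/usr/bin/git -C /etc/ansible *` and `NOPASSWD:/usr/local/bin/ansible-playbook *` (and the `kubectl *` grant) end in sudo's `*` wildcard, which matches any further arguments including option flags; git and ansible-playbook both accept options that run other programs, so these lines amount to unrestricted root for `drone` on that host rather than the narrow automation grants the comments suggest. Tighten each to the exact command line the pipeline invokes (sudo matches argument lists literally when no wildcard is present) or route the work through a root-owned wrapper script that takes no arguments. `{% if sudo_pwless == False %}` and `{% if sudo_pwless == True %}` compare a fact that tasks/user.yaml initialises from `default('False')` — a string — against Python bools; set_fact normalises true/false-looking strings, but a value that reaches the template as a string matches neither branch and silently yields an empty sudoers file, so `{% if sudo_pwless | bool %}` with an `{% else %}` is the unambiguous form. The comment `# mgmt01.siempie.local` does not match the host on the next line (`mgmt01.siempie.internal`), and nothing in the file consumes the `sudo_hosts` fact the task layer sets.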