feat: move to dedicated repo

2024-11-22 11:13:16 +01:00 · 2024-11-22 11:13:16 +01:00 · 4a88a5b28d
commit 4a88a5b28d
54 changed files with 1524 additions and 0 deletions
--- a/templates/apt/conf.d/10periodic.j2
+++ b/templates/apt/conf.d/10periodic.j2
@ -0,0 +1,3 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "0";
+APT::Periodic::AutocleanInterval "1";
--- a/templates/apt/conf.d/50unattended-upgrades.Debian.j2
+++ b/templates/apt/conf.d/50unattended-upgrades.Debian.j2
@ -0,0 +1,44 @@
+Unattended-Upgrade::Origins-Pattern {
+
+  # debian
+  "origin=Debian,codename=${distro_codename}";
+  "origin=Debian,codename=${distro_codename}-updates";
+  "origin=Debian,codename=${distro_codename}-security";
+
+  # crowdsec
+  "origin=packagecloud.io/crowdsec/crowdsec,label=crowdsec";
+
+  # tailscale updates
+  "origin=Tailscale,codename=${distro_codename},label=Tailscale";
+
+  # zabbix
+  "origin=Zabbix,codename=${distro_codename},label=zabbix";
+  "origin=zabbix,codename=${distro_codename},label=zabbix";
+};
+
+Unattended-Upgrade::Package-Blacklist {
+};
+
+# dpkg | default > old
+Dpkg::Options {
+   "--force-confdef";
+   "--force-confold";
+};
+
+# auto upgrade packages
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
+Unattended-Upgrade::DevRelease "{{ apt_devrelease | default('false') }}";
+Unattended-Upgrade::AutoFixInterruptedDpkg "{{ apt_autofix_interrupted_dpkg | default('true') }}";
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "{{ apt_remove_unused_kernel_packages | default('true') }}";
+Unattended-Upgrade::Remove-New-Unused-Dependencies "{{ apt_remove_new_unused_dependancies | default('true') }}";
+Unattended-Upgrade::Remove-Unused-Dependencies "{{ apt_remove_unused_dependancies | default('true') }}";
+
+# auto reboot
+Unattended-Upgrade::Automatic-Reboot "{{ apt_automatic_reboot }}";
+Unattended-Upgrade::Automatic-Reboot-WithUsers "{{ apt_automatic_reboot_with_users | default('true') }}";
+Unattended-Upgrade::Automatic-Reboot-Time "{{ apt_automatic_reboot_time }}";
+
+# syslog
+Unattended-Upgrade::SyslogEnable "{{ apt_syslog_enable | default('true') }}";
+Unattended-Upgrade::SyslogFacility "{{ apt_syslog_facility | default('daemon') }}";
--- a/templates/apt/conf.d/50unattended-upgrades.Ubuntu.j2
+++ b/templates/apt/conf.d/50unattended-upgrades.Ubuntu.j2
@ -0,0 +1,44 @@
+Unattended-Upgrade::Allowed-Origins {
+
+  # ubuntu updates
+  "${distro_id}:${distro_codename}";
+  "${distro_id}:${distro_codename}-security";
+  "${distro_id}:${distro_codename}-updates";
+  "${distro_id}:${distro_codename}-proposed";
+  "${distro_id}:${distro_codename}-backports";
+
+  # crowdsec
+  "packagecloud.io/crowdsec/crowdsec:${distro_codename}";
+
+  # tailscale updates
+  "Tailscale:${distro_codename}";
+
+  # zabbix updates
+  "Zabbix:${distro_codename}";
+  "zabbix:${distro_codename}";
+};
+
+Unattended-Upgrade::Package-Blacklist {
+};
+
+# dpkg | default > old
+Dpkg::Options {
+   "--force-confdef";
+   "--force-confold";
+};
+
+# auto upgrade packages
+Unattended-Upgrade::DevRelease "{{ apt_devrelease | default('false') }}";
+Unattended-Upgrade::AutoFixInterruptedDpkg "{{ apt_autofix_interrupted_dpkg | default('true') }}";
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "{{ apt_remove_unused_kernel_packages | default('true') }}";
+Unattended-Upgrade::Remove-New-Unused-Dependencies "{{ apt_remove_new_unused_dependancies | default('true') }}";
+Unattended-Upgrade::Remove-Unused-Dependencies "{{ apt_remove_unused_dependancies | default('true') }}";
+
+# auto reboot
+Unattended-Upgrade::Automatic-Reboot "{{ apt_automatic_reboot }}";
+Unattended-Upgrade::Automatic-Reboot-WithUsers "{{ apt_automatic_reboot_with_users | default('true') }}";
+Unattended-Upgrade::Automatic-Reboot-Time "{{ apt_automatic_reboot_time }}";
+
+# syslog
+Unattended-Upgrade::SyslogEnable "{{ apt_syslog_enable | default('true') }}";
+Unattended-Upgrade::SyslogFacility "{{ apt_syslog_facility | default('daemon') }}";
--- a/templates/apt/sources.d/Ubuntu.sources.j2
+++ b/templates/apt/sources.d/Ubuntu.sources.j2
@ -0,0 +1,12 @@
+Types: deb
+URIs: {{ apt_repository_main }}
+Suites: {{ ansible_distribution_release }} {{ ansible_distribution_release }}-updates {{ ansible_distribution_release }}-backports
+Components: main restricted {% if apt_enable_universe == True %}universe{% endif %} {% if apt_enable_multiverse == True %}multiverse{% endif %} 
+Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
+
+Types: deb
+URIs: {{ apt_repository_security }}
+Suites: {{ ansible_distribution_release }}-security
+Components: main restricted {% if apt_enable_universe == True %}universe{% endif %} {% if apt_enable_multiverse == True %}multiverse{% endif %} 
+Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
+
--- a/templates/apt/sources.d/sources.list.Debian.j2
+++ b/templates/apt/sources.d/sources.list.Debian.j2
@ -0,0 +1,3 @@
+deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
+deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
+deb http://security.debian.org bookworm-security main contrib non-free non-free-firmware
--- a/templates/apt/sources.d/sources.list.Ubuntu.j2
+++ b/templates/apt/sources.d/sources.list.Ubuntu.j2
@ -0,0 +1,21 @@
+# main + restricted
+deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }} main restricted
+deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }}-updates main restricted
+deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }}-security main restricted
+deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }}-backports main restricted
+
+{% if apt_enable_universe == True %}
+# universe
+deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }} universe
+deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }}-updates universe
+deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }}-security universe
+deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }}-backports universe
+
+{% endif %}
+{% if apt_enable_multiverse == True %}
+# multiverse
+deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }} multiverse
+deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }}-updates multiverse
+deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }}-security multiverse
+deb [ arch=amd64 ] {{ apt_repository }} {{ ansible_distribution_release }}-backports multiverse
+{% endif %}
--- a/templates/chrony/chrony.conf.j2
+++ b/templates/chrony/chrony.conf.j2
@ -0,0 +1,8 @@
+pool {{ ntp_server }} iburst
+
+keyfile /etc/chrony/chrony.keys
+driftfile /var/lib/chrony/chrony.drift
+logdir /var/log/chrony
+maxupdateskew 100.0
+makestep 1 3
+rtcsync
--- a/templates/collectd/collectd.conf.j2
+++ b/templates/collectd/collectd.conf.j2
@ -0,0 +1,37 @@
+hostname    "{{ inventory_hostname }}"
+
+BaseDir     "/var/lib/collectd"
+PIDFile     "/var/run/collectd.pid"
+PluginDir   "/usr/lib/collectd"
+TypesDB     "/usr/share/collectd/types.db"
+
+LoadPlugin  cpu
+LoadPlugin  df
+LoadPlugin  disk
+LoadPlugin  interface
+LoadPlugin  load
+LoadPlugin  memory
+LoadPlugin  network
+LoadPlugin  uptime
+
+<Plugin cpu>
+  ReportByCpu false
+  ReportByState true
+  ValuesPercentage true
+</Plugin>
+
+<Plugin df>
+  MountPoint "/"
+</Plugin>
+
+<Plugin disk>
+</Plugin>
+
+<Plugin interface>
+  Interface "{{ collectd_network_interface }}"
+  IgnoreSelected false
+</Plugin>
+
+<Plugin network>
+  Server "{{ collectd_network_dest_address }}" "{{ collectd_network_dest_port }}"
+</Plugin>
--- a/templates/cron/mount_zfs_kstat.j2
+++ b/templates/cron/mount_zfs_kstat.j2
@ -0,0 +1 @@
+@reboot root mount -t tmpfs tmpfs /proc/spl/kstat/zfs
--- a/templates/environment/environment.j2
+++ b/templates/environment/environment.j2
@ -0,0 +1,4 @@
+PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games"
+
+## Locale Fix
+LC_ALL="en_US.UTF-8"
--- a/templates/journald/journald.conf.j2
+++ b/templates/journald/journald.conf.j2
@ -0,0 +1,5 @@
+[Journal]
+SystemMaxUse=25M
+SystemMaxFileSize=1M
+MaxRetentionSec=1h
+MaxFileSec=1h
--- a/templates/motd/motd.sh.j2
+++ b/templates/motd/motd.sh.j2
@ -0,0 +1,42 @@
+#!/bin/bash
+
+# distribution information
+if [ -f /etc/os-release ]; then
+    . /etc/os-release
+    if [ "$ID" = "ubuntu" ]; then
+        linux_distribution="\e[33m$PRETTY_NAME\e[0m"
+    elif [ "$ID" = "debian" ]; then
+        linux_distribution="\e[91m$PRETTY_NAME\e[0m"
+    else
+        linux_distribution="\e[94m$NAME\e[0m"
+    fi
+else
+    linux_distribution="\e[94mUnknown Linux Distribution\e[0m"
+fi
+
+# disk usage
+disk_usage=$(df -h / | awk 'NR==2 {print $3 " / " $2 " (" $5 ")"}')
+
+# memory usage
+memory_usage=$(free -m | awk 'NR==2 {print $3 " MB / " $2 " MB (" int($3/$2*100) "%)"}')
+
+# pending updates
+pending_updates=$(apt list --upgradable 2>/dev/null | grep -c 'upgradable')
+
+# display motd
+echo "Welcome to $(hostname)!"
+echo ""
+echo -e "$linux_distribution"
+echo "Disk Usage: $disk_usage"
+echo "Memory Usage: $memory_usage"
+echo ""
+
+if [ "$pending_updates" -eq 1 ]; then
+  echo "There is $pending_updates pending update."
+
+elif [ "$pending_updates" -gt 1 ]; then
+  echo "There are $pending_updates pendinging updates."
+
+else
+  echo "No pending updates."
+fi
--- a/templates/sshd/sshd_config.j2
+++ b/templates/sshd/sshd_config.j2
@ -0,0 +1,40 @@
+# networking
+Protocol 2
+Port 22
+AddressFamily inet
+ListenAddress 0.0.0.0
+
+# hostkey
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Authentication
+PermitRootLogin no
+
+# Hardening
+StrictModes yes
+MaxAuthTries 2
+MaxStartups 10:50:20
+LoginGraceTime 15
+MaxSessions 8
+PasswordAuthentication no
+PubkeyAuthentication yes
+AllowUsers ansible drone hugo rundeck simon
+VersionAddendum ""
+IgnoreRhosts yes
+UseDNS no
+X11Forwarding no
+ClientAliveCountMax 8
+Compression no
+AllowTcpForwarding yes
+AllowAgentForwarding yes
+UsePAM yes
+PrintMotd no
+PrintLastLog no
+
+# The cryptos
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+
+# sFTP
+Subsystem sftp /usr/libexec/sftp-server
--- a/templates/syslog/rsyslog.d/apt.conf.j2
+++ b/templates/syslog/rsyslog.d/apt.conf.j2
@ -0,0 +1,6 @@
+$InputFileName /var/log/apt/history.log
+$InputFileTag apt
+$InputFileStateFile apt-history-log
+$InputFileSeverity info
+$InputFileFacility local3
+$InputRunFileMonitor
--- a/templates/syslog/rsyslog.d/remote-logging.j2
+++ b/templates/syslog/rsyslog.d/remote-logging.j2
@ -0,0 +1 @@
+*.* @{{ rsyslog_destination }}:{{ rsyslog_port }}
--- a/templates/syslog/rsyslog/rsyslog.debian.conf.j2
+++ b/templates/syslog/rsyslog/rsyslog.debian.conf.j2
@ -0,0 +1,25 @@
+#################
+#### MODULES ####
+#################
+module(load="imfile")   # provides support for logfile polling
+module(load="imuxsock") # provides support for local system logging
+module(load="imklog")   # provides kernel logging support
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+$RepeatedMsgReduction on
+
+# Set the default permissions for all log files.
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+# Where to place spool and state files
+$WorkDirectory /var/spool/rsyslog
+
+# Include all config files in /etc/rsyslog.d/
+$IncludeConfig /etc/rsyslog.d/*.conf
--- a/templates/syslog/rsyslog/rsyslog.ubuntu.conf.j2
+++ b/templates/syslog/rsyslog/rsyslog.ubuntu.conf.j2
@ -0,0 +1,27 @@
+#################
+#### MODULES ####
+#################
+module(load="imfile")   # provides support for logfile polling
+module(load="imuxsock") # provides support for local system logging
+module(load="imklog")   # provides kernel logging support
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+$RepeatedMsgReduction on
+
+# Set the default permissions for all log files.
+$FileOwner syslog
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+$PrivDropToUser syslog
+$PrivDropToGroup syslog
+
+# Where to place spool and state files
+$WorkDirectory /var/spool/rsyslog
+
+# Include all config files in /etc/rsyslog.d/
+$IncludeConfig /etc/rsyslog.d/*.conf
--- a/templates/systemctl/fstrim.timer.j2
+++ b/templates/systemctl/fstrim.timer.j2
@ -0,0 +1,12 @@
+[Unit]
+Description={{ __systemctl['description'] }}
+Documentation=man:fstrim
+ConditionVirtualization=!container
+
+[Timer]
+OnCalendar={{ __systemctl['oncalendar'] | default('weekly') }}
+AccuracySec=1h
+Persistent=true
+
+[Install]
+WantedBy=timers.target
--- a/templates/usermanagement/sudoers.d/sudoers.j2
+++ b/templates/usermanagement/sudoers.d/sudoers.j2
@ -0,0 +1,16 @@
+{% if __user['username'] == 'drone' %}
+# ansible.siempie.internal
+drone ansible.siempie.internal=(root) NOPASSWD:/usr/bin/git -C /etc/ansible *
+drone ansible.siempie.internal=(root) NOPASSWD:/usr/local/bin/ansible-galaxy install -r /etc/ansible/ansible_requirements.yaml
+drone ansible.siempie.internal=(root) NOPASSWD:/usr/local/bin/ansible-playbook *
+
+# mgmt01.siempie.local
+drone mgmt01.siempie.internal=(simon) NOPASSWD:/usr/local/bin/kubectl *
+{% else %}
+{% if sudo_pwless == False %}
+{{ __user['username'] }} ALL=(ALL) ALL
+{% endif %}
+{% if sudo_pwless == True %}
+{{ __user['username'] }} ALL=(ALL) NOPASSWD: ALL
+{% endif %}
+{% endif %}
				`@ -0,0 +1 @@`
				`@reboot root mount -t tmpfs tmpfs /proc/spl/kstat/zfs`
				`@ -0,0 +1 @@`
				`. @{{ rsyslog_destination }}:{{ rsyslog_port }}`