feat: use ansible block
This commit is contained in:
parent
7d762d095d
commit
b5c819fb27
12 changed files with 399 additions and 424 deletions
|
|
@ -1,12 +1,15 @@
|
|||
---
|
||||
|
||||
# apt cleanup
|
||||
- name: "apt cleanup"
|
||||
block:
|
||||
|
||||
# clean apt cache
|
||||
- name: "apt - clean cache"
|
||||
ansible.builtin.apt:
|
||||
clean: true
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
tags: "apt-cleanup"
|
||||
when: 'ansible_os_family == "Debian"'
|
||||
|
||||
# run fstrim if target is a VM
|
||||
|
|
@ -14,5 +17,6 @@
|
|||
ansible.builtin.command: "fstrim /"
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
tags: "apt-cleanup"
|
||||
when: 'type == "vm"'
|
||||
|
||||
tags: "apt-cleanup"
|
||||
|
|
|
|||
|
|
@ -1,5 +1,9 @@
|
|||
---
|
||||
|
||||
# apt config
|
||||
- name: "apt config"
|
||||
block:
|
||||
|
||||
# configure apt auto update
|
||||
- name: "apt - config - configure apt periodic"
|
||||
ansible.builtin.template:
|
||||
|
|
@ -9,8 +13,6 @@
|
|||
group: "root"
|
||||
mode: "0644"
|
||||
when: 'ansible_os_family == "Debian"'
|
||||
tags:
|
||||
- "apt"
|
||||
|
||||
- name: "apt - config - configure apt unatteded updates"
|
||||
ansible.builtin.template:
|
||||
|
|
@ -20,5 +22,6 @@
|
|||
group: "root"
|
||||
mode: "0644"
|
||||
when: 'ansible_os_family == "Debian"'
|
||||
|
||||
tags:
|
||||
- "apt"
|
||||
|
|
|
|||
|
|
@ -1,5 +1,9 @@
|
|||
---
|
||||
|
||||
# apt packages
|
||||
- name: "apt packages"
|
||||
block:
|
||||
|
||||
# install packages
|
||||
- name: "apt - install - packages"
|
||||
ansible.builtin.apt:
|
||||
|
|
@ -10,8 +14,6 @@
|
|||
loop: "{{ apt_default_packages_install }}"
|
||||
loop_control:
|
||||
loop_var: "apt_default_install"
|
||||
tags:
|
||||
- "apt"
|
||||
|
||||
# purge packages
|
||||
- name: "apt - delete - packages"
|
||||
|
|
@ -23,5 +25,6 @@
|
|||
loop: "{{ apt_default_packages_delete }}"
|
||||
loop_control:
|
||||
loop_var: "apt_default_delete"
|
||||
|
||||
tags:
|
||||
- "apt"
|
||||
|
|
|
|||
|
|
@ -1,5 +1,9 @@
|
|||
---
|
||||
|
||||
# manage apt sources
|
||||
- name: "manage apt sources"
|
||||
block:
|
||||
|
||||
# configure apt sources
|
||||
- name: "apt - config - configure apt sources"
|
||||
ansible.builtin.template:
|
||||
|
|
@ -12,8 +16,6 @@
|
|||
- 'ansible_os_family == "Debian"'
|
||||
- 'ansible_distribution_major_version <= "23"'
|
||||
notify: "apt force cache update"
|
||||
tags:
|
||||
- "apt"
|
||||
|
||||
# configure apt sources
|
||||
- name: "apt - config - configure apt sources"
|
||||
|
|
@ -27,8 +29,6 @@
|
|||
- 'ansible_distribution == "Ubuntu"'
|
||||
- 'ansible_distribution_major_version >= "24"'
|
||||
notify: "apt force cache update"
|
||||
tags:
|
||||
- "apt"
|
||||
|
||||
# delete unused sources.list
|
||||
- name: "apt - config - remove old sources.list"
|
||||
|
|
@ -38,5 +38,6 @@
|
|||
when:
|
||||
- 'ansible_distribution == "Ubuntu"'
|
||||
- 'ansible_distribution_major_version >= "24"'
|
||||
|
||||
tags:
|
||||
- "apt"
|
||||
|
|
|
|||
|
|
@ -1,5 +1,9 @@
|
|||
---
|
||||
|
||||
# basic firewall rules
|
||||
- name: "basic firewall rules"
|
||||
block:
|
||||
|
||||
# basic firewall rules
|
||||
- name: "firewall - allow incoming routed traffic"
|
||||
community.general.ufw:
|
||||
|
|
@ -10,8 +14,6 @@
|
|||
with_nested:
|
||||
- "{{ __rule['source_nets'] }}"
|
||||
- "{{ __rule['destination_nets'] }}"
|
||||
tags:
|
||||
- "firewall"
|
||||
|
||||
- name: "firewall - allow outgoing routed traffic"
|
||||
community.general.ufw:
|
||||
|
|
@ -22,5 +24,6 @@
|
|||
with_nested:
|
||||
- "{{ __rule['source_nets'] }}"
|
||||
- "{{ __rule['destination_nets'] }}"
|
||||
|
||||
tags:
|
||||
- "firewall"
|
||||
|
|
|
|||
|
|
@ -1,35 +1,18 @@
|
|||
---
|
||||
|
||||
# import ossupport and load variables
|
||||
- name: "import ossupport and load variables"
|
||||
block:
|
||||
|
||||
# check os support
|
||||
- name: "check for os support"
|
||||
ansible.builtin.import_tasks: "ossupport.yaml"
|
||||
tags:
|
||||
- "apt"
|
||||
- "apt-cleanup"
|
||||
- "cron"
|
||||
- "environment-file"
|
||||
- "hostname"
|
||||
- "firewall"
|
||||
- "journald"
|
||||
- "locale"
|
||||
- "lldp"
|
||||
- "lxd"
|
||||
- "motd"
|
||||
- "ntp"
|
||||
- "telemetry"
|
||||
- "snap"
|
||||
- "sshd"
|
||||
- "swap"
|
||||
- "sysctl"
|
||||
- "systemctl"
|
||||
- "syslog"
|
||||
- "timezone"
|
||||
- "usermanagement"
|
||||
|
||||
# load os variables
|
||||
- name: "include os specific vars"
|
||||
ansible.builtin.include_vars: "{{ ansible_os_family }}.yaml"
|
||||
when: "os_support"
|
||||
|
||||
tags:
|
||||
- "apt"
|
||||
- "apt-cleanup"
|
||||
|
|
|
|||
|
|
@ -1,5 +1,8 @@
|
|||
---
|
||||
|
||||
- name: "manage motd"
|
||||
block:
|
||||
|
||||
# find old motd files
|
||||
- name: "motd - find old scripts"
|
||||
ansible.builtin.find:
|
||||
|
|
@ -8,8 +11,6 @@
|
|||
excludes:
|
||||
- "10-custom-motd"
|
||||
register: "old_motd"
|
||||
tags:
|
||||
- "motd"
|
||||
|
||||
# remove old custom motd files
|
||||
- name: "motd - cleanup directory"
|
||||
|
|
@ -18,8 +19,6 @@
|
|||
state: "absent"
|
||||
loop: "{{ old_motd.files }}"
|
||||
when: "old_motd.files|length > 0"
|
||||
tags:
|
||||
- "motd"
|
||||
|
||||
# remove old motd files
|
||||
- name: "motd - cleanup main file"
|
||||
|
|
@ -27,8 +26,6 @@
|
|||
path: "/etc/motd"
|
||||
state: "absent"
|
||||
when: "inventory_hostname != 'bastion.siempie.internal'"
|
||||
tags:
|
||||
- "motd"
|
||||
|
||||
# configure motd
|
||||
- name: "motd - siempie"
|
||||
|
|
@ -39,5 +36,6 @@
|
|||
group: "root"
|
||||
mode: "0755"
|
||||
when: 'ansible_os_family == "Debian"'
|
||||
|
||||
tags:
|
||||
- "motd"
|
||||
|
|
|
|||
|
|
@ -1,13 +1,14 @@
|
|||
---
|
||||
|
||||
- name: "manage ntp"
|
||||
block:
|
||||
|
||||
# install chrony
|
||||
- name: "ntp - install - chrony debian"
|
||||
ansible.builtin.apt:
|
||||
name: "chrony"
|
||||
state: "present"
|
||||
when: 'ansible_os_family == "Debian"'
|
||||
tags:
|
||||
- "ntp"
|
||||
|
||||
# configure chrony
|
||||
- name: "ntp - config - configure chrony"
|
||||
|
|
@ -19,5 +20,6 @@
|
|||
mode: "0644"
|
||||
when: 'ansible_os_family == "Debian"'
|
||||
notify: "restart chrony"
|
||||
|
||||
tags:
|
||||
- "ntp"
|
||||
|
|
|
|||
|
|
@ -1,11 +1,13 @@
|
|||
---
|
||||
|
||||
# manage snapd
|
||||
- name: "manage snapd"
|
||||
block:
|
||||
|
||||
# set defaults
|
||||
- name: "set facts"
|
||||
ansible.builtin.set_fact:
|
||||
__snapd_service: "{{ snapd_service | default('false') }}"
|
||||
tags:
|
||||
- "snap"
|
||||
|
||||
# purge snapd
|
||||
- name: "snapd - purge - package"
|
||||
|
|
@ -14,8 +16,6 @@
|
|||
state: "absent"
|
||||
purge: "yes"
|
||||
when: "not __snapd_service"
|
||||
tags:
|
||||
- "snap"
|
||||
|
||||
# install snapd
|
||||
- name: "snapd - install - package"
|
||||
|
|
@ -24,8 +24,6 @@
|
|||
state: "present"
|
||||
cache_valid_time: "120"
|
||||
when: "__snapd_service"
|
||||
tags:
|
||||
- "snap"
|
||||
|
||||
# enable snapd
|
||||
- name: "snapd - enable snapd service"
|
||||
|
|
@ -34,5 +32,6 @@
|
|||
state: "started"
|
||||
enabled: true
|
||||
when: "__snapd_service"
|
||||
|
||||
tags:
|
||||
- "snap"
|
||||
|
|
|
|||
|
|
@ -1,27 +1,25 @@
|
|||
---
|
||||
|
||||
# manage swap
|
||||
- name: "manage swap"
|
||||
block:
|
||||
|
||||
# enable or disable swap
|
||||
- name: "swap - set variable"
|
||||
ansible.builtin.set_fact:
|
||||
__swap: "{{ swap | default('true') }}"
|
||||
tags:
|
||||
- "swap"
|
||||
|
||||
# verify swapfile
|
||||
- name: "swap - verify swapfile"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ swap_file_location | default('/swapfile') }}"
|
||||
register: "swap_file_check"
|
||||
tags:
|
||||
- "swap"
|
||||
|
||||
## create swap
|
||||
# create swap file
|
||||
- name: "swap - create swap file"
|
||||
ansible.builtin.command: "fallocate -l {{ swap_file_size }} {{ swap_file_location }}"
|
||||
when: "not swap_file_check.stat.exists and __swap"
|
||||
tags:
|
||||
- "swap"
|
||||
|
||||
# set swap file permissions
|
||||
- name: "swap - set permissions "
|
||||
|
|
@ -31,15 +29,11 @@
|
|||
group: "root"
|
||||
mode: "0600"
|
||||
when: "__swap"
|
||||
tags:
|
||||
- "swap"
|
||||
|
||||
# 'format' swapfile
|
||||
- name: "swap - format swap file"
|
||||
ansible.builtin.command: "mkswap {{ swap_file_location }}"
|
||||
when: "not swap_file_check.stat.exists and __swap"
|
||||
tags:
|
||||
- "swap"
|
||||
|
||||
# configure fstab
|
||||
- name: "swap - configure fstab"
|
||||
|
|
@ -52,23 +46,17 @@
|
|||
dump: "0"
|
||||
state: "present"
|
||||
when: "__swap"
|
||||
tags:
|
||||
- "swap"
|
||||
|
||||
# enable swap
|
||||
- name: "swap - enable swap"
|
||||
ansible.builtin.command: "swapon -a"
|
||||
when: "not swap_file_check.stat.exists and __swap"
|
||||
tags:
|
||||
- "swap"
|
||||
|
||||
## delete swap
|
||||
# disable swap
|
||||
- name: "swap - disable swap"
|
||||
ansible.builtin.command: "swapoff -a"
|
||||
when: "swap_file_check.stat.exists and not __swap"
|
||||
tags:
|
||||
- "swap"
|
||||
|
||||
# delete swap file
|
||||
- name: "swap - delete swap file"
|
||||
|
|
@ -76,8 +64,6 @@
|
|||
path: "{{ swap_file_location }}"
|
||||
state: "absent"
|
||||
when: "swap_file_check.stat.exists and not __swap"
|
||||
tags:
|
||||
- "swap"
|
||||
|
||||
# configure fstab
|
||||
- name: "swap - configure fstab"
|
||||
|
|
@ -90,5 +76,6 @@
|
|||
dump: "0"
|
||||
state: "absent"
|
||||
when: "not __swap"
|
||||
|
||||
tags:
|
||||
- "swap"
|
||||
|
|
|
|||
|
|
@ -1,5 +1,9 @@
|
|||
---
|
||||
|
||||
# manage syslog
|
||||
- name: "manage syslog"
|
||||
block:
|
||||
|
||||
# configure rsyslogd - debian
|
||||
- name: "syslog - config - rsyslog - debian"
|
||||
ansible.builtin.template:
|
||||
|
|
@ -10,8 +14,6 @@
|
|||
mode: "0644"
|
||||
when: 'ansible_distribution == "Debian"'
|
||||
notify: "restart rsyslog"
|
||||
tags:
|
||||
- "syslog"
|
||||
|
||||
# configure rsyslogd - ubuntu
|
||||
- name: "syslog - config - rsyslog - ubuntu"
|
||||
|
|
@ -23,8 +25,6 @@
|
|||
mode: "0644"
|
||||
when: 'ansible_distribution == "Ubuntu"'
|
||||
notify: "restart rsyslog"
|
||||
tags:
|
||||
- "syslog"
|
||||
|
||||
# configure rsyslogd - apt
|
||||
- name: "syslog - config - apt"
|
||||
|
|
@ -36,8 +36,6 @@
|
|||
mode: "0644"
|
||||
when: 'ansible_os_family == "Debian"'
|
||||
notify: "restart rsyslog"
|
||||
tags:
|
||||
- "syslog"
|
||||
|
||||
# configure rsyslogd - observium
|
||||
- name: "syslog - config - remote-logging"
|
||||
|
|
@ -49,5 +47,6 @@
|
|||
mode: "0644"
|
||||
when: 'ansible_os_family == "Debian"'
|
||||
notify: "restart rsyslog"
|
||||
|
||||
tags:
|
||||
- "syslog"
|
||||
|
|
|
|||
|
|
@ -1,5 +1,9 @@
|
|||
---
|
||||
|
||||
# manage users
|
||||
- name: "manage users"
|
||||
block:
|
||||
|
||||
# manage facts
|
||||
- name: "user - set default facts for {{ __user['username'] }}"
|
||||
ansible.builtin.set_fact:
|
||||
|
|
@ -7,8 +11,6 @@
|
|||
sudo_file: "{{ __user['sudo'] | default('False') }}"
|
||||
sudo_pwless: "{{ __user['sudo_passwordless'] | default('False') }}"
|
||||
user_state: "{{ __user['state'] | default('present') }}"
|
||||
tags:
|
||||
- "usermanagement"
|
||||
|
||||
# create users
|
||||
- name: "user - create users with password - {{ __user['username'] }}"
|
||||
|
|
@ -21,8 +23,6 @@
|
|||
when:
|
||||
- "__user['password'] is defined"
|
||||
- "user_state == 'present'"
|
||||
tags:
|
||||
- "usermanagement"
|
||||
|
||||
- name: "user - create users withouth password - {{ __user['username'] }}"
|
||||
ansible.builtin.user:
|
||||
|
|
@ -33,8 +33,6 @@
|
|||
when:
|
||||
- "__user['password'] is not defined"
|
||||
- "user_state == 'present'"
|
||||
tags:
|
||||
- "usermanagement"
|
||||
|
||||
# manage authorized_keys
|
||||
- name: "user - manage authorized_keys - {{ __user['username'] }}"
|
||||
|
|
@ -45,8 +43,6 @@
|
|||
manage_dir: "true"
|
||||
when:
|
||||
- "__user['publickey'] is defined"
|
||||
tags:
|
||||
- "usermanagement"
|
||||
|
||||
# delete users
|
||||
- name: "user - delete users - {{ __user['username'] }}"
|
||||
|
|
@ -55,8 +51,6 @@
|
|||
state: "absent"
|
||||
remove: "yes"
|
||||
when: "user_state == 'absent'"
|
||||
tags:
|
||||
- "usermanagement"
|
||||
|
||||
# manage sudoers file
|
||||
- name: "user - create sudoers file - {{ __user['username'] }}"
|
||||
|
|
@ -68,8 +62,6 @@
|
|||
mode: "0644"
|
||||
when:
|
||||
- "sudo_file"
|
||||
tags:
|
||||
- "usermanagement"
|
||||
|
||||
- name: "user - delete sudoers file - {{ __user['username'] }}"
|
||||
ansible.builtin.file:
|
||||
|
|
@ -77,5 +69,6 @@
|
|||
path: "/etc/sudoers.d/{{ __user['username'] }}"
|
||||
when:
|
||||
- "not sudo_file"
|
||||
|
||||
tags:
|
||||
- "usermanagement"
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue