initial commit

This commit is contained in:
erebion 2022-12-14 17:43:16 +01:00
parent 03f19e477f
commit 42af636589
33 changed files with 522 additions and 0 deletions


@ -0,0 +1,2 @@
#!/bin/bash
ansible-playbook site.yml -i inventory.yml --limit unhb4


@ -0,0 +1,2 @@
#!/bin/bash
ansible-playbook site.yml -i inventory.yml --limit unhb4 --check --diff

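--- a/inventory.yml
+++ b/inventory.yml
+---
+all:
+children:
+debianservers:
+hosts:
+unhb4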
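Review bot: `unhb4` under `hosts:` is a bare scalar, so the YAML inventory plugin receives a string where it requires a mapping and rejects the inventory; it needs a trailing colon, `unhb4:`, to be an entry with no host variables. Indentation is not visible on this rendering, so the nesting of `children` and `hosts` under `all` cannot be checked here.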


@ -0,0 +1,8 @@
---
- name: Update and upgrade apt packages
become: "true"
apt:
upgrade: yes
update_cache: yes
cache_valid_time: 3600 #an hour
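Review bot: `become: "true"`, `upgrade: yes` and `update_cache: yes` mix a quoted string and YAML 1.1 truthy words for boolean-style options, while the rest of the commit writes `become: true`; `become: true`, `upgrade: safe` (the apt module's documented equivalent of `yes`) and `update_cache: true` would be consistent and lint-clean. The trailing comment reads better as `# one hour`, with a space after the hash.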


@ -0,0 +1,9 @@
---
# handlers file for matrix_synapse
- name: restart-unattendedupgrades
ansible.builtin.service:
state: restarted
daemon_reload: yes
name: unattended-upgrades
tags: molecule-notest
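Review bot: The header comment `# handlers file for matrix_synapse` is left over from another role and misdescribes this file; change it to `# handlers file for apt`, the role whose template task notifies `restart-unattendedupgrades`. `daemon_reload: yes` is a YAML 1.1 truthy word and should be `daemon_reload: true`. As far as I can tell the APT::Periodic settings written by the notifying task are consumed by the apt-daily timers rather than by the unattended-upgrades service, so restarting that service may not apply the change — worth confirming before relying on this handler.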

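--- a/roles/apt/tasks/apt.yml
+++ b/roles/apt/tasks/apt.yml
+---
+- name: Install packages if Debian based
+apt:
+name: unattended-upgrades
+state: present
+update_cache: true
+become: true
+- name: Apt Config (/etc/apt.conf.d/10periodic)
+ansible.builtin.template:
+src: ../templates/10periodic.j2
+dest: /etc/apt/apt.conf.d/10periodic
+owner: root
+group: root
+mode: '0644'
+notify: restart-unattendedupgrades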
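Review bot: The task `Install packages if Debian based` has no `when:` clause, unlike its twin in the apt-listchanges role which carries `when: ansible_os_family == 'Debian'`, so on a non-Debian host the `apt` module fails instead of skipping; add the same condition to both tasks in this file. `src: ../templates/10periodic.j2` also bypasses the role's normal lookup — `src: 10periodic.j2` resolves to the role's templates/ directory directly. The template references `APT_Periodic_*` variables and none of the 33 files in this commit is a defaults/ or vars/ file, so the template task will fail with an undefined variable unless those are set outside the repository.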

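--- a/roles/apt/tasks/main.yml
+++ b/roles/apt/tasks/main.yml
+---
+- name: Include other yaml files
+include_tasks: "{{ item }}"
+with_fileglob:
+- apt.yml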
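Review bot: `with_fileglob` resolves relative patterns against the role's files/ directory (and the playbook directory), not tasks/, so `apt.yml` is unlikely to match roles/apt/tasks/apt.yml and the loop may include nothing at all; a plain `include_tasks: apt.yml` is what is wanted here. The apt-listchanges role's main.yml uses the same pattern for `apt-listchanges-conf.yml` and needs the same change. If several files were meant to be picked up, an explicit list under `loop:` keeps the inclusion order deterministic.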


@ -0,0 +1,4 @@
APT::Periodic::Update-Package-Lists "{{ APT_Periodic_Update_Package_Lists }}";
APT::Periodic::Download-Upgradeable-Packages "{{ APT_Periodic_Download_Upgradeable_Packages }}";
APT::Periodic::AutocleanInterval "{{ APT_Periodic_AutocleanInterval }}";
APT::Periodic::Unattended-Upgrade "{{ APT_Periodic_Unattended_Upgrade }}";
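Review bot: All four values come from `APT_Periodic_*` variables that no file in this commit defines, so rendering stops with an undefined-variable error unless they are provided at playbook level. Either add a defaults/main.yml to the apt role with values such as `APT_Periodic_Update_Package_Lists: "1"`, or give each reference a fallback, e.g. `{{ APT_Periodic_Unattended_Upgrade | default('1') }}`; keeping at least the security-relevant `Unattended-Upgrade` setting without a silent fallback means a missing value is still caught at deploy time rather than quietly disabling updates.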


@ -0,0 +1,9 @@
[apt]
frontend=pager
which=news
email_address=none
email_format=text
confirm=false
headers=false
reverse=true
save_seen=/var/lib/apt/listchanges.db


@ -0,0 +1,17 @@
---
- name: apt-listchanges Config (/etc/apt/listchanges.conf)
ansible.builtin.template:
src: ../files/listchanges.conf
dest: /etc/apt/listchanges.conf
owner: root
group: root
mode: '0644'
- name: Install packages if Debian based
apt:
name: "apt-listchanges"
state: present
update_cache: true
become: true
when: ansible_os_family == 'Debian'
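Review bot: The first task writes /etc/apt/listchanges.conf unconditionally while the install task below it is gated on `when: ansible_os_family == 'Debian'`, so on any other OS family the role drops a stray config file for a package that is never installed; add the same `when:` to the template task. The source is a static file with no Jinja markup, so `ansible.builtin.copy` with `src: listchanges.conf` (resolved from the role's files/ directory) would avoid template processing and the `../files/` relative path. Installing the package before writing its config is also the more conventional order for a conffile dpkg manages.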


@ -0,0 +1,8 @@
---
# to do list:
- name: Include other yaml files
include_tasks: "{{ item }}"
with_fileglob:
- apt-listchanges-conf.yml


@ -0,0 +1 @@
%sudo ALL = NOPASSWD: /opt/scripts/update.sh
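Review bot: This rule grants the `sudo` group passwordless root for /opt/scripts/update.sh, which is only as safe as the script and its directory being root-owned and not group- or world-writable; the deploying tasks set `mode: '0755'` on /opt/scripts and `u+rwx` on the script, so that holds today, but a comment in this file recording the assumption (`# safe only while /opt/scripts and update.sh stay root-owned and non-writable by others`) would protect it from future edits. The `sudo` group is Debian's convention, yet the task that installs this fragment also runs on FreeBSD (`when: ansible_os_family != 'OpenBSD'`), where the admin group is `wheel` and, as far as I know, no `sudo` group exists by default, so the rule is inert there unless the group is templated on OS family.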


@ -0,0 +1,28 @@
# Default settings for earlyoom. This file is sourced by /bin/sh from
# /etc/init.d/earlyoom or by systemd from earlyoom.service.
# Options to pass to earlyoom
#EARLYOOM_ARGS="-r 60"
# Examples:
# Print memory report every second instead of every minute
# EARLYOOM_ARGS="-r 1"
# Available minimum memory 5%
#EARLYOOM_ARGS="-m 5"
# Available minimum memory 15% and free minimum swap 5%
#EARLYOOM_ARGS="-m 15 -s 5"
# Avoid killing processes whose name matches this regexp
#EARLYOOM_ARGS="--avoid '(^|/)(init|X|sshd|firefox)$'"
#prefer:
#EARLYOOM_ARGS="--prefer '(^|/)(telegram-desktop|element-desktop)$'"
# See more at `earlyoom -h'
#
#
#
EARLYOOM_ARGS="-r 60 -m 3 --avoid '(^|/)(init|X|sshd|firefox)$' --prefer '(^|/)(signal-desktop|element-desktop)$'"


@ -0,0 +1,8 @@
---
- name: restart-earlyoom
ansible.builtin.service:
state: restarted
daemon_reload: yes
name: earlyoom
tags: molecule-notest


@ -0,0 +1,17 @@
---
- name: Install earlyoom if OS is based on Debian
ansible.builtin.package:
name: earlyoom
when: ansible_os_family == 'Debian'
- name: Create earlyoom config
ansible.builtin.template:
src: ../files/debian_earlyoom
dest: /etc/default/earlyoom
owner: root
group: root
mode: '0644'
force: true
when: ansible_os_family == 'Debian'
notify: restart-earlyoom


@ -0,0 +1,16 @@
---
- name: Install useful packages
include_tasks: "useful_packages.yml"
- name: Set up sudo (FreeBSD/OpenBSD)
include_tasks: "sudo.yml"
- name: Set up earlyoom (Debian)
include_tasks: "sudo.yml"
- name: Deploy update script
include_tasks: "update_script.yml"
- name: Deploy ZSH config to /etc/skel
include_tasks: "zsh_skel.yml"
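Review bot: The task `Set up earlyoom (Debian)` includes `sudo.yml` a second time instead of an earlyoom task file, so sudo.yml runs twice and the earlyoom tasks that appear elsewhere in this commit are never reached from this role; point the include at the earlyoom task file (its name is not shown on this page) or drop the entry if earlyoom is meant to be a separate role. The `(FreeBSD/OpenBSD)` suffix on the sudo entry is also misleading, since sudo.yml only contains FreeBSD-conditioned tasks.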


@ -0,0 +1,17 @@
---
- name: "Install security/sudo (FreeBSD)"
ansible.builtin.package:
name: security/sudo
state: present
when: ansible_os_family == 'FreeBSD'
- name: "Allow group wheel to use sudo (FreeBSD)"
ansible.builtin.lineinfile:
path: /usr/local/etc/sudoers
regexp: '%wheel ALL=\(ALL\) ALL'
line: '%wheel ALL=(ALL) ALL'
owner: root
group: wheel
mode: '0440'
when: ansible_os_family == 'FreeBSD'
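Review bot: `lineinfile` edits /usr/local/etc/sudoers without a `validate:` option, so a typo in `line` leaves the host with a sudoers file sudo refuses to parse and nobody able to escalate; add `validate: '/usr/local/sbin/visudo -cf %s'` to the task so the edit is rejected instead. Since the file is rewritten by this task anyway, the `owner`/`group`/`mode` settings are fine, but they only take effect if the regexp or line triggers a change, which is worth noting in the task name or a comment.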


@ -0,0 +1,42 @@
---
- name: "Ensure /opt/scripts/ exists"
ansible.builtin.file:
path: /opt/scripts
state: directory
mode: '0755'
- name: "Create directory (/etc/sudoers.d)"
ansible.builtin.file:
path: /etc/sudoers.d
state: directory
owner: root
group: root
mode: '0755'
- name: "Sudoers (/etc/sudoers.d/97-update.conf)"
ansible.builtin.template:
src: ../files/97-update.conf
dest: /etc/sudoers.d/97-update-conf
owner: root
group: root
mode: '0440'
when: ansible_os_family != 'OpenBSD' # sudo Installation must be fixed first for OpenBSD
- name: "Template Update Script"
ansible.builtin.template:
src: ../templates/update.sh.j2
dest: /opt/scripts/update.sh
owner: root
group: root
mode: u+rwx
when: ansible_os_family == 'Debian'
- name: "Template Update Script"
ansible.builtin.template:
src: ../templates/update.sh.j2
dest: /opt/scripts/update.sh
owner: root
group: wheel
mode: u+rwx
when: ansible_os_family == 'FreeBSD' or ansible_os_family == 'OpenBSD'
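Review bot: The `Sudoers (/etc/sudoers.d/97-update.conf)` task writes a fragment sudo parses on every invocation without `validate: '/usr/sbin/visudo -cf %s'`; an invalid fragment breaks sudo host-wide, so add validation here just as sudo.yml needs it. The task name says `97-update.conf` but the destination is `97-update-conf` — the dash is the correct choice, because sudo ignores sudoers.d files whose names contain a dot, so fix the name rather than the path. That task also runs on FreeBSD, where as far as I know the ports sudo reads /usr/local/etc/sudoers.d rather than /etc/sudoers.d, so the fragment is written but never read there. The two identically named `Template Update Script` tasks differ only in `group:` and could be one task with `group: "{{ 'root' if ansible_os_family == 'Debian' else 'wheel' }}"`; `mode: u+rwx` on a newly created file leaves the remaining bits to the umask, so an explicit `mode: '0750'` is more predictable for a script that runs as root.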


@ -0,0 +1,26 @@
---
- name: Install useful packages for servers if Debian-based
apt:
pkg:
- whois
- curl
- nmap
- traceroute
- zsh
- vim
- git
- net-tools
- wget
- apt-transport-https
- earlyoom
- gpg
- gpg-agent
- htop
#- duf #currently not in Debian stable, change when it is
- at
- pwgen
state: present
update_cache: true
become: true
when: ansible_os_family == 'Debian'
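Review bot: `apt:` is the short module name while most of the commit uses `ansible.builtin.*` names; `ansible.builtin.apt:` keeps the role consistent and satisfies ansible-lint's fqcn rule. From a hardening angle, `nmap` installed on every server is tooling that helps an intruder more than it helps day-to-day operation of a production host; if it is only needed on admin machines, move it to a host-specific list. `earlyoom` is also installed here and again by the earlyoom tasks elsewhere in the commit — one place is enough.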


@ -0,0 +1,44 @@
---
- name: Create ZSH config dir (/etc/zsh)
file:
path: /etc/zsh/
owner: root
group: root
state: directory
when: ansible_os_family == 'Debian'
- name: Create ZSH config dir (/etc/zsh)
file:
path: /etc/zsh/
owner: root
group: wheel
state: directory
when: ansible_os_family == 'OpenBSD'
- name: Download GRML ZSH config
get_url:
url: https://git.grml.org/?p=grml-etc-core.git;a=blob_plain;f=etc/zsh/zshrc;h=22ed16228d1e26b47322bd34b041f544aa5d458d;hb=refs/heads/master
dest: /etc/zsh/zshrc
mode: '0644'
retries: 10
delay: 3
when: ansible_os_family == 'Debian' or ansible_os_family == 'OpenBSD'
- name: Copy ZSH config to /etc/skel/.zshrc
get_url:
url: https://git.grml.org/?p=grml-etc-core.git;a=blob_plain;f=etc/zsh/zshrc;h=22ed16228d1e26b47322bd34b041f544aa5d458d;hb=refs/heads/master
dest: /etc/skel/.zshrc
owner: root
group: root
mode: '0644'
when: ansible_os_family == 'Debian'
- name: Copy ZSH config to /etc/skel/.zshrc
get_url:
url: https://git.grml.org/?p=grml-etc-core.git;a=blob_plain;f=etc/zsh/zshrc;h=22ed16228d1e26b47322bd34b041f544aa5d458d;hb=refs/heads/master
dest: /etc/skel/.zshrc
owner: root
group: wheel
mode: '0644'
when: ansible_os_family == 'OpenBSD'
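Review bot: The three `get_url` tasks fetch the zshrc from git.grml.org at deploy time with no `checksum:`, so anything served that differs from the pinned blob (a redirect, a proxy, a compromised host) lands in /etc/zsh/zshrc and in every new user's ~/.zshrc unnoticed; since the URL already pins commit `h=22ed16228d1e26b47322bd34b041f544aa5d458d`, add `checksum: sha256:<hash of that blob>` (placeholder) or vendor the file into the role's files/ and deploy it with `copy`. The two `file` tasks set no `mode:`, so /etc/zsh's permissions depend on the umask; `mode: '0755'` makes them explicit. The second and third tasks download the same content again instead of copying the already-fetched /etc/zsh/zshrc with `copy` and `remote_src: true`.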


@ -0,0 +1,23 @@
#!/bin/sh
{% if ansible_os_family == "Debian" %}
export DEBIAN_FRONTEND=noninteractive
apt update
apt upgrade -y
apt autoremove -y
apt clean
{% endif %}
{% if ansible_os_family == "FreeBSD" %}
freebsd-update fetch
freebsd-update install
pkg upgrade
# Upgrades the Release to the latest updates
pkg-static install -f pkg
pkg bootstrap -f
pkg update
pkg upgrade
# Updates all packages
# Following this How To: https://www.cyberciti.biz/open-source/freebsd-13-released-how-to-update-upgrade-freebsd-12-to-13/
{% endif %}
{% if ansible_os_family == "OpenBSD" %}
pkg_add -u && syspatch
{% endif %}
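Review bot: The script runs as root through the NOPASSWD sudoers rule yet has no `set -eu`, so a failed `apt update` is followed by `apt upgrade` against a stale index, and in the FreeBSD branch `pkg upgrade` and `pkg-static install -f pkg` wait for interactive confirmation when invoked non-interactively; add `set -eu` after the shebang and `-y` to the pkg commands (`pkg upgrade -y`, `pkg-static install -f -y pkg`). `freebsd-update fetch` may also pause in a pager when attached to a terminal, and the two comments in that branch sit after the commands they describe, so move them above `freebsd-update fetch` and `pkg upgrade` respectively.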

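--- a/roles/firewalld/.yamllint
+++ b/roles/firewalld/.yamllint
+---
+# Based on ansible-lint config
+extends: default
+rules:
+braces:
+max-spaces-inside: 1
+level: error
+brackets:
+max-spaces-inside: 1
+level: error
+colons:
+max-spaces-after: -1
+level: error
+commas:
+max-spaces-after: -1
+level: error
+comments: disable
+comments-indentation: disable
+document-start: disable
+empty-lines:
+max: 3
+level: error
+hyphens:
+level: error
+indentation: disable
+key-duplicates: enable
+line-length: disable
+new-line-at-end-of-file: disable
+new-lines:
+type: unix
+trailing-spaces: disable
+truthy: disable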

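--- a/roles/firewalld/README.md
+++ b/roles/firewalld/README.md
+Role Name
+=========
+A brief description of the role goes here.
+Requirements
+------------
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+Role Variables
+--------------
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+Dependencies
+------------
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+Example Playbook
+----------------
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+- hosts: servers
+roles:
+- { role: username.rolename, x: 42 }
+License
+-------
+BSD
+Author Information
+------------------
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).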


@ -0,0 +1,2 @@
---
# handlers file for example_role


@ -0,0 +1,53 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
namespace: firewalld
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.


@ -0,0 +1,2 @@
FROM debian:stable
RUN apt-get update && apt-get install python3-pip python-is-python3 sudo lsb-release -y


@ -0,0 +1,8 @@
---
- name: Converge
hosts: all
tasks:
- name: "Include firewalld"
include_role:
name: "firewalld"


@ -0,0 +1,13 @@
---
dependency:
name: galaxy
driver:
name: docker
platforms:
- name: molecule
image: debian:stable
#pre_build_image: true
provisioner:
name: ansible
verifier:
name: ansible


@ -0,0 +1,10 @@
---
# This is an example playbook to execute Ansible tests.
- name: Verify
hosts: all
gather_facts: false
tasks:
- name: Example assertion
assert:
that: true
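Review bot: The assertion `that: true` can never fail, so the molecule verify stage proves nothing about the role. Replace it with checks on what the role actually changes, e.g. a `service_facts` task followed by `assert` on `ansible_facts.services['firewalld.service'].state == 'running'`, and a `command: firewall-cmd --list-services` whose registered stdout is asserted to contain `ssh`, so a regression that closes the SSH port is caught in CI rather than on a live host.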


@ -0,0 +1,37 @@
---
- name: install firewalld
package:
name: firewalld
state: present
- name: "Make sure FirewallD is running"
ansible.builtin.service:
name: firewalld
enabled: yes
state: started
- name: Open SSH port in firewall
ansible.posix.firewalld:
service: ssh
permanent: yes
state: enabled
immediate: yes
#this is seperate so you don't accidentally remove it
- name: Open services in firewall
ansible.posix.firewalld:
service: "{{ item }}"
permanent: yes
state: enabled
immediate: yes
with_items: "{{ firewall_services }}"
- name: Open ports in firewall
ansible.posix.firewalld:
port: "{{ item }}"
permanent: yes
state: enabled
immediate: yes
with_items: "{{ firewall_ports }}"
when: firewall_ports is defined
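Review bot: `Open services in firewall` loops over `{{ firewall_services }}` with no guard, while the ports task below it is protected by `when: firewall_ports is defined`; a host that sets no extra services fails the play with an undefined variable instead of skipping, so add `when: firewall_services is defined` or loop over `{{ firewall_services | default([]) }}`. No `zone:` is given on any of the three firewalld tasks, so the rules land in whatever the default zone is; stating `zone: public` makes the exposure explicit and survives a changed default. `permanent: yes`, `immediate: yes` and `enabled: yes` are YAML 1.1 truthy words — `true` is the portable spelling — and `package:` / `install firewalld` lack the FQCN and capitalised naming used elsewhere in the commit.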


@ -0,0 +1,2 @@
localhost


@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- example_role

8
site.yml Normal file

@ -0,0 +1,8 @@
---
- name: Set up user account on all hosts
hosts: all
remote_user: root
roles:
- basic_common_settings