From 139ba7504a4adfd73367c8514a38296b9cd3acaa Mon Sep 17 00:00:00 2001
From: Marius Melzer
Date: Sat, 20 Apr 2024 15:23:38 +0200
Subject: [PATCH 1/8] Add system-basics role - set time zone - limit journal size - set vim as editor - limit ssh login to pubkey
---
 roles/system-basics/handlers/main.json | 17 +++++++++++++ roles/system-basics/tasks/main.json | 33 ++++++++++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 roles/system-basics/handlers/main.json create mode 100644 roles/system-basics/tasks/main.json
diff --git a/roles/system-basics/handlers/main.json b/roles/system-basics/handlers/main.json
new file mode 100644
index 0000000..1da98d3
--- /dev/null
+++ b/roles/system-basics/handlers/main.json
@@ -0,0 +1,17 @@
+[
+ {
+ "name": "restart sshd",
+ "service": {
+ "name": "sshd",
+ "state": "restarted"
+ }
+ },
+ {
+ "name": "restart journal",
+ "service": {
+ "name": "systemd-journald",
+ "state": "restarted",
+ "enabled": "yes"
+ }
+ }
+]
diff --git a/roles/system-basics/tasks/main.json b/roles/system-basics/tasks/main.json
new file mode 100644
index 0000000..1b87040
--- /dev/null
+++ b/roles/system-basics/tasks/main.json
@@ -0,0 +1,33 @@
+[
+ {
+ "name": "Set timezone to Berlin",
+ "community.general.timezone": {
+ "name": "Europe/Berlin"
+ }
+ },
+ {
+ "name": "Limit syslogs",
+ "lineinfile": {
+ "dest": "/etc/systemd/journald.conf",
+ "regexp": "^#?\\s*SystemMaxFileSize",
+ "line": "SystemMaxFileSize=2G"
+ },
+ "notify": "restart journal"
+ },
+ {
+ "name": "Set vim as default editor",
+ "alternatives": {
+ "name": "editor",
+ "path": "/usr/bin/vim.basic"
+ }
+ },
+ {
+ "name": "Disable root login without key",
+ "lineinfile": {
+ "dest": "/etc/ssh/sshd_config",
+ "regexp": "^#?PermitRootLogin ",
+ "line": "PermitRootLogin without-password"
+ },
+ "notify": "restart sshd"
+ }
+]
From fcad5b93547d48d9a897e9abdd371e19a8c27703 Mon Sep 17 00:00:00 2001 
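Review bot: The `Disable root login without key` task in the tasks/main.json hunk rewrites `/etc/ssh/sshd_config` and notifies `restart sshd` without validating the result, so a malformed line leaves sshd in a failed state after the restart and the operator locked out; add `"validate": "/usr/sbin/sshd -t -f %s"` to that `lineinfile` (the same task is revisited by the patch 7 hunk at `@@ -32,6 +37,7 @@`). `PermitRootLogin without-password` is also the deprecated spelling of `prohibit-password` and constrains only root, so it does not "limit ssh login to pubkey" as the commit message says; `PasswordAuthentication no` is the separate directive that would. In the `Limit syslogs` task, `SystemMaxFileSize=2G` caps a single journal file rather than total journal disk use — per journald.conf(5) that is `SystemMaxUse=`, and the per-file default is one eighth of it, so this line can raise rather than lower the effective limit.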
From: Marius Melzer
Date: Sat, 20 Apr 2024 15:24:38 +0200
Subject: [PATCH 2/8] Add unattended upgrades Enable unattended upgrades and triggers unattended reboots (23:55 after an upgrade which needs reboot). Attention: this is specific to debian-style linux systems (Debian, Ubuntu,...).
---
 .../unattended-upgrades/files/20auto-upgrades | 2 ++ roles/unattended-upgrades/tasks/main.json | 33 +++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100644 roles/unattended-upgrades/files/20auto-upgrades create mode 100644 roles/unattended-upgrades/tasks/main.json
diff --git a/roles/unattended-upgrades/files/20auto-upgrades b/roles/unattended-upgrades/files/20auto-upgrades
new file mode 100644
index 0000000..8d6d7c8
--- /dev/null
+++ b/roles/unattended-upgrades/files/20auto-upgrades
@@ -0,0 +1,2 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
diff --git a/roles/unattended-upgrades/tasks/main.json b/roles/unattended-upgrades/tasks/main.json
new file mode 100644
index 0000000..7706bc3
--- /dev/null
+++ b/roles/unattended-upgrades/tasks/main.json 
@@ -0,0 +1,33 @@
+[
+ {
+ "name": "Allow unattended reboots (1)",
+ "lineinfile": {
+ "dest": "/etc/apt/apt.conf.d/50unattended-upgrades",
+ "regexp": "^(//)?Unattended-Upgrade::Automatic-Reboot ",
+ "line": "Unattended-Upgrade::Automatic-Reboot \"true\";"
+ }
+ },
+ {
+ "name": "Allow unattended reboots (2)",
+ "lineinfile": {
+ "dest": "/etc/apt/apt.conf.d/50unattended-upgrades",
+ "regexp": "^(//)?Unattended-Upgrade::Automatic-Reboot-Time ",
+ "line": "Unattended-Upgrade::Automatic-Reboot-Time \"23:55\";"
+ }
+ },
+ {
+ "name": "Allow more origins for updates",
+ "lineinfile": {
+ "dest": "/etc/apt/apt.conf.d/50unattended-upgrades",
+ "regexp": "^(//\\s*)?\"\\$\\{distro_id\\}:\\$\\{distro_codename\\}-updates\";",
+ "line": "\"${distro_id}:${distro_codename}-updates\";"
+ }
+ },
+ {
+ "name": "Enable unattended upgrades",
+ "copy": {
+ "src": "20auto-upgrades",
+ "dest": "/etc/apt/apt.conf.d/20auto-upgrades"
+ }
+ }
+]
From e70ab02fed0fa6c3a987b36fd911f0982f25344f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Wed, 24 Apr 2024 17:38:11 +0000
Subject: [PATCH 3/8] Apply 6 suggestion(s) to 2 file(s)
---
 roles/system-basics/handlers/main.json | 6 +++--- roles/system-basics/tasks/main.json | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/roles/system-basics/handlers/main.json b/roles/system-basics/handlers/main.json
index 1da98d3..ba5eace 100644
--- a/roles/system-basics/handlers/main.json
+++ b/roles/system-basics/handlers/main.json
@@ -1,17 +1,17 @@
 [
 {
 "name": "restart sshd",
- "service": {
+ "ansible.builtin.service": {
 "name": "sshd",
 "state": "restarted"
 }
 },
 {
 "name": "restart journal",
- "service": {
+ "ansible.builtin.service": {
 "name": "systemd-journald",
 "state": "restarted",
- "enabled": "yes"
+ "enabled": true
 }
 }
 ]
diff --git a/roles/system-basics/tasks/main.json b/roles/system-basics/tasks/main.json
index 1b87040..707b1f1 100644
--- a/roles/system-basics/tasks/main.json 
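Review bot: The `Allow more origins for updates` task assumes the commented `"${distro_id}:${distro_codename}-updates";` line already exists in `/etc/apt/apt.conf.d/50unattended-upgrades`; when the regexp matches nothing, `lineinfile` appends the line at end of file, outside the origins block, and apt will at best ignore and more likely reject the resulting configuration, which silently disables the unattended upgrades this commit is introducing. Anchor the fallback with `"insertafter": "^Unattended-Upgrade::Allowed-Origins \\{"` (the block header is not identical across Debian-family releases, so check it against the targets), or manage the whole file with `ansible.builtin.template` so the origin list is explicit. The two `Automatic-Reboot` tasks share the append-at-EOF fallback, though their target lines are present in the stock file.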
+++ b/roles/system-basics/tasks/main.json
@@ -7,7 +7,7 @@
 },
 {
 "name": "Limit syslogs",
- "lineinfile": {
+ "ansible.builtin.lineinfile": {
 "dest": "/etc/systemd/journald.conf",
 "regexp": "^#?\\s*SystemMaxFileSize",
 "line": "SystemMaxFileSize=2G"
@@ -16,14 +16,14 @@
 },
 {
 "name": "Set vim as default editor",
- "alternatives": {
+ "community.general.alternatives": {
 "name": "editor",
 "path": "/usr/bin/vim.basic"
 }
 },
 {
 "name": "Disable root login without key",
- "lineinfile": {
+ "ansible.builtin.lineinfile": {
 "dest": "/etc/ssh/sshd_config",
 "regexp": "^#?PermitRootLogin ",
 "line": "PermitRootLogin without-password"
From 389b171401bbef40b021e74e8c9249f172d2ca8b Mon Sep 17 00:00:00 2001
From: Marius Melzer
Date: Wed, 24 Apr 2024 20:02:51 +0200
Subject: [PATCH 4/8] Apply review comments
---
 roles/system-basics/tasks/main.json | 9 ++++ roles/unattended-upgrades/tasks/main.json | 62 +++++++++++------------ 2 files changed, 40 insertions(+), 31 deletions(-)
diff --git a/roles/system-basics/tasks/main.json b/roles/system-basics/tasks/main.json
index 707b1f1..08c35fe 100644
--- a/roles/system-basics/tasks/main.json
+++ b/roles/system-basics/tasks/main.json
@@ -14,6 +14,15 @@
 },
 "notify": "restart journal"
 },
+ {
+ "name": "Install vim",
+ "become": true,
+ "ansible.builtin.apt": {
+ "pkg": [
+ "vim"
+ ]
+ }
+ },
 {
 "name": "Set vim as default editor",
 "community.general.alternatives": {
diff --git a/roles/unattended-upgrades/tasks/main.json b/roles/unattended-upgrades/tasks/main.json
index 7706bc3..4098ae9 100644
--- a/roles/unattended-upgrades/tasks/main.json
+++ b/roles/unattended-upgrades/tasks/main.json 
@@ -1,33 +1,33 @@
 [
- {
- "name": "Allow unattended reboots (1)",
- "lineinfile": {
- "dest": "/etc/apt/apt.conf.d/50unattended-upgrades",
- "regexp": "^(//)?Unattended-Upgrade::Automatic-Reboot ",
- "line": "Unattended-Upgrade::Automatic-Reboot \"true\";"
- }
- },
- {
- "name": "Allow unattended reboots (2)",
- "lineinfile": {
- "dest": "/etc/apt/apt.conf.d/50unattended-upgrades",
- "regexp": "^(//)?Unattended-Upgrade::Automatic-Reboot-Time ",
- "line": "Unattended-Upgrade::Automatic-Reboot-Time \"23:55\";"
- }
- },
- {
- "name": "Allow more origins for updates",
- "lineinfile": {
- "dest": "/etc/apt/apt.conf.d/50unattended-upgrades",
- "regexp": "^(//\\s*)?\"\\$\\{distro_id\\}:\\$\\{distro_codename\\}-updates\";",
- "line": "\"${distro_id}:${distro_codename}-updates\";"
- }
- },
- {
- "name": "Enable unattended upgrades",
- "copy": {
- "src": "20auto-upgrades",
- "dest": "/etc/apt/apt.conf.d/20auto-upgrades"
- }
- }
+ {
+ "name": "Allow unattended reboots (1)",
+ "lineinfile": {
+ "dest": "/etc/apt/apt.conf.d/50unattended-upgrades",
+ "regexp": "^(//)?Unattended-Upgrade::Automatic-Reboot ",
+ "line": "Unattended-Upgrade::Automatic-Reboot \"true\";"
+ }
+ },
+ {
+ "name": "Allow unattended reboots (2)",
+ "lineinfile": {
+ "dest": "/etc/apt/apt.conf.d/50unattended-upgrades",
+ "regexp": "^(//)?Unattended-Upgrade::Automatic-Reboot-Time ",
+ "line": "Unattended-Upgrade::Automatic-Reboot-Time \"23:55\";"
+ }
+ },
+ {
+ "name": "Allow more origins for updates",
+ "lineinfile": {
+ "dest": "/etc/apt/apt.conf.d/50unattended-upgrades",
+ "regexp": "^(//\\s*)?\"\\$\\{distro_id\\}:\\$\\{distro_codename\\}-updates\";",
+ "line": "\"${distro_id}:${distro_codename}-updates\";"
+ }
+ },
+ {
+ "name": "Enable unattended upgrades",
+ "copy": {
+ "src": "20auto-upgrades",
+ "dest": "/etc/apt/apt.conf.d/20auto-upgrades"
+ }
+ }
 ]
From 715d39716c6c903ee8bfdf7fbec9f96f05c22548 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Sat, 1 Jun 2024 13:43:40 +0200
Subject: [PATCH 5/8] [fix] install required packages [fix] add missing become:true directives [mod] use fully qualified names for ansible tasks
---
 roles/unattended-upgrades/tasks/main.json | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/roles/unattended-upgrades/tasks/main.json b/roles/unattended-upgrades/tasks/main.json
index 4098ae9..014209d 100644
--- a/roles/unattended-upgrades/tasks/main.json
+++ b/roles/unattended-upgrades/tasks/main.json
@@ -1,7 +1,19 @@
 [
+ {
+ "name": "install packages",
+ "become": true,
+ "ansible.builtin.apt": {
+ "update_cache": true,
+ "pkg": [
+ "unattended-upgrades",
+ "apt-listchanges"
+ ]
+ }
+ },
 {
 "name": "Allow unattended reboots (1)",
- "lineinfile": {
+ "become": true,
+ "ansible.builtin.lineinfile": {
 "dest": "/etc/apt/apt.conf.d/50unattended-upgrades",
 "regexp": "^(//)?Unattended-Upgrade::Automatic-Reboot ",
 "line": "Unattended-Upgrade::Automatic-Reboot \"true\";"
@@ -9,7 +21,8 @@
 },
 {
 "name": "Allow unattended reboots (2)",
- "lineinfile": {
+ "become": true,
+ "ansible.builtin.lineinfile": {
 "dest": "/etc/apt/apt.conf.d/50unattended-upgrades",
 "regexp": "^(//)?Unattended-Upgrade::Automatic-Reboot-Time ",
 "line": "Unattended-Upgrade::Automatic-Reboot-Time \"23:55\";"
@@ -17,7 +30,8 @@
 },
 {
 "name": "Allow more origins for updates",
- "lineinfile": {
+ "become": true,
+ "ansible.builtin.lineinfile": {
 "dest": "/etc/apt/apt.conf.d/50unattended-upgrades",
 "regexp": "^(//\\s*)?\"\\$\\{distro_id\\}:\\$\\{distro_codename\\}-updates\";",
 "line": "\"${distro_id}:${distro_codename}-updates\";"
@@ -25,7 +39,8 @@
 },
 {
 "name": "Enable unattended upgrades",
- "copy": {
+ "become": true,
+ "ansible.builtin.copy": {
 "src": "20auto-upgrades",
 "dest": "/etc/apt/apt.conf.d/20auto-upgrades"
 }
From 8d57e57df82096477ec666310545f7c9dc269f13 Mon Sep 17 00:00:00 2001 
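Review bot: `"update_cache": true` in the new `install packages` task at `@@ -1,7 +1,19 @@` has no `cache_valid_time`, so every play refreshes the package lists over the network regardless of how recently that happened; add `"cache_valid_time": 3600` beside it so the refresh is skipped while the cache is fresh. The task name `install packages` also collides with the identically named task that patch 7 creates in the system-basics role, which makes `--start-at-task` and log reading ambiguous across the two roles; a role-specific name such as `install unattended-upgrades packages` avoids that.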
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Sat, 1 Jun 2024 13:44:51 +0200
Subject: [PATCH 6/8] [mod] role:unattended-upgrades renamed to unattended_upgrades
---
 .../files/20auto-upgrades | 0 .../{unattended-upgrades => unattended_upgrades}/tasks/main.json | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename roles/{unattended-upgrades => unattended_upgrades}/files/20auto-upgrades (100%) rename roles/{unattended-upgrades => unattended_upgrades}/tasks/main.json (100%)
diff --git a/roles/unattended-upgrades/files/20auto-upgrades b/roles/unattended_upgrades/files/20auto-upgrades
similarity index 100%
rename from roles/unattended-upgrades/files/20auto-upgrades
rename to roles/unattended_upgrades/files/20auto-upgrades
diff --git a/roles/unattended-upgrades/tasks/main.json b/roles/unattended_upgrades/tasks/main.json
similarity index 100%
rename from roles/unattended-upgrades/tasks/main.json
rename to roles/unattended_upgrades/tasks/main.json
From 0e913099e67b47e9a4362d40e958fac1675ba72f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Sat, 1 Jun 2024 13:47:20 +0200
Subject: [PATCH 7/8] [fix] role:system-basics:add missing become:true directives [mod] role:system-basisc:also install htop and tmux
---
 roles/system-basics/tasks/main.json | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/roles/system-basics/tasks/main.json b/roles/system-basics/tasks/main.json
index 08c35fe..11a8792 100644
--- a/roles/system-basics/tasks/main.json
+++ b/roles/system-basics/tasks/main.json
@@ -1,12 +1,14 @@
 [
 {
 "name": "Set timezone to Berlin",
+ "become": true,
 "community.general.timezone": {
 "name": "Europe/Berlin"
 }
 },
 {
 "name": "Limit syslogs",
+ "become": true,
 "ansible.builtin.lineinfile": {
 "dest": "/etc/systemd/journald.conf",
 "regexp": "^#?\\s*SystemMaxFileSize", 
@@ -15,16 +17,19 @@
 "notify": "restart journal"
 },
 {
- "name": "Install vim",
+ "name": "install packages",
 "become": true,
 "ansible.builtin.apt": {
 "pkg": [
- "vim"
+ "vim",
+ "htop",
+ "tmux"
 ]
 }
 },
 {
 "name": "Set vim as default editor",
+ "become": true,
 "community.general.alternatives": {
 "name": "editor",
 "path": "/usr/bin/vim.basic"
@@ -32,6 +37,7 @@
 },
 {
 "name": "Disable root login without key",
+ "become": true,
 "ansible.builtin.lineinfile": {
 "dest": "/etc/ssh/sshd_config",
 "regexp": "^#?PermitRootLogin ",
From 434c90117317c9b9c5a8bd6e3fdadad355ee746a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Sat, 1 Jun 2024 13:47:47 +0200
Subject: [PATCH 8/8] [mod] role:system-basics renamed to system_basics
---
 roles/{system-basics => system_basics}/handlers/main.json | 0 roles/{system-basics => system_basics}/tasks/main.json | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename roles/{system-basics => system_basics}/handlers/main.json (100%) rename roles/{system-basics => system_basics}/tasks/main.json (100%)
diff --git a/roles/system-basics/handlers/main.json b/roles/system_basics/handlers/main.json
similarity index 100%
rename from roles/system-basics/handlers/main.json
rename to roles/system_basics/handlers/main.json
diff --git a/roles/system-basics/tasks/main.json b/roles/system_basics/tasks/main.json
similarity index 100%
rename from roles/system-basics/tasks/main.json
rename to roles/system_basics/tasks/main.json