Tyler/Ansible-Linux_Base
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Wiki Activity

Initial commit

Browse source
This commit is contained in:
Tyler Hale 2021-09-01 17:31:49 -06:00
parent 46a6f7d3ec
commit 49ba7cd121
40 changed files with 1121 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

73
README.md
View file

@ -1,2 +1,75 @@
# Ansible-Linux_Base # Ansible-Linux_Base
Configures a Linux machine to the corporate base image from default install media
## Requirements
---
If the "base_core_hostname" variable is defined, it is recommended to set the ansible_ssh_common_args variable for the host to the following setting so the regeneration of the SSH host keys will not cause an error.
| Variable | Value |
| ----------------------- | ------------------------------------------------------------- |
| ansible_ssh_common_args | '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' |
## Role Variables
---
### Core Variables
| Variable | Required | Default | Choices | Comments |
| -------------------------------------------- | -------- | ------------ | ----------- | ---------------------------------------------------------------------- |
| base_core_management_user | No | ansible_user | | Defines the account that ansible will use for management in the future |
| base_core_install_updates | Yes | True | True, False | Install all available updates for the distro at runtime |
| base_core_hostname | No | "" | | Defines the computer hostname |
| base_core_motd_banner | No | "" | | Banner to be added to MOTD if desired |
| base_core_ssh_permit_root_login | Yes | False | True, False | Permits the use of root logins for ssh |
| base_core_ssh_permit_password_authentication | Yes | False | True, False | Permits the use of passwords for ssh |
| base_core_cert_common_name | No | nodename | | Common name for created self-signed cert |
| base_core_root_ca_basename | No | "" | | Basename of the cert for local system reference |
| base_core_root_ca_convert | Yes | False | True, False | Converts the defined certificate from DER to PEM type |
| base_core_root_ca_url | No | "" | | URL of a Root CA to install |
| base_core_web_management | Yes | False | True, False | Enables installation of the Cockpit web management package(s) |
## Example
---
Execute playbook with needed variables
`ansible-playbook -i hosts site.yml --ask-pass --ask-become-pass`
Inventory File:
```yaml
---
# file: hosts.yml
prod:
hosts:
prod-svr01:
ansible_host: 192.168.0.10
base_core_hostname: "prod-svr01"
prod-svr02:
ansible_host: 192.168.0.11
vars:
ansible_ssh_common_args: '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
base_core_ssh_permit_password_authentication: true
ansible_user: haletek
base_core_motd_banner: "##########################################\n __ __ __ __ __ \n / / / /____ _ / /___ / /_ ___ / /__\n / /_/ // __ `// // _ \\ / __// _ \\ / //_/\n / __ // /_/ // // __// /_ / __// ,< \n/_/ /_/ \\__,_//_/ \\___/ \\__/ \\___//_/|_| \n##########################################"
base_core_root_ca_url: "http://cert.haletek.cloud/PKI/RootCA.cer"
base_core_root_ca_basename: "HLTKCL_RootCA"
base_core_root_ca_convert: false
```
### Tags
---
Available tags for the role:
| Role | Tags |
| ---- | -------------------------------------------------------------------------------------------------------------------------------------------------- |
| Base | all, authorized_key, automatic_updates, cert, firewall, hostname, kernel, motd, password_auth, root_ca, root_login, ssh, time_sync, web_management |

7
base.yml Normal file
View file

@ -0,0 +1,7 @@
---
# file: base.yml
- hosts: all
become: true
roles:
- base

18
hosts.yml Normal file
View file

@ -0,0 +1,18 @@
---
# file: hosts.yml
prod:
hosts:
prod-svr01:
ansible_host: 192.168.0.10
base_core_hostname: "prod-svr01"
prod-svr02:
ansible_host: 192.168.0.11
vars:
ansible_ssh_common_args: '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
base_core_ssh_permit_password_authentication: true
ansible_user: haletek
base_core_motd_banner: "##########################################\n __ __ __ __ __ \n / / / /____ _ / /___ / /_ ___ / /__\n / /_/ // __ `// // _ \\ / __// _ \\ / //_/\n / __ // /_/ // // __// /_ / __// ,< \n/_/ /_/ \\__,_//_/ \\___/ \\__/ \\___//_/|_| \n##########################################"
base_core_root_ca_url: "http://cert.haletek.cloud/PKI/RootCA.cer"
base_core_root_ca_basename: "HLTKCL_RootCA"

60
roles/base/defaults/main.yml Normal file
View file

@ -0,0 +1,60 @@
---
# file: roles/base/defaults/main.yml
# ****
# Core
# ****
# General
# =======
# User that should have the authorized keys added
base_core_management_user: "{{ ansible_user }}"
# Install all available updates at runtime
base_core_install_updates: true
# Hostname
# ========
# Defines the hostname to be forced on the host but is ignored if undefined
base_core_hostname: ""
# MOTD
# ====
# Banner to add to MOTD
base_core_motd_banner: ""
# SSH
# ===
# Allow ssh root login
base_core_ssh_permit_root_login: false
# Allow ssh password authentication
base_core_ssh_permit_password_authentication: false
# Self Signed Cert
# ================
# Common name for self signed cert, use hostname as a default
base_core_cert_common_name: "{{ ansible_facts['nodename'] }}"
# Root CA
# =======
# Defines the basename to use for the Root CA
base_core_root_ca_basename: ""
# Converts the defined certificate from DER to PEM type
base_core_root_ca_convert: false
# URL to download the Root CA
base_core_root_ca_url: ""
# Web Management
# ==============
# Enables the installation of the cockpit web management package(s)
base_core_web_management: false

29
roles/base/handlers/main.yml Normal file
View file

@ -0,0 +1,29 @@
---
# file: roles/base/handlers/main.yml
- name: Daemon Reload
systemd:
daemon_reload: yes
- name: Reboot Host
reboot:
- name: Reload Firewalld
service:
name: firewalld
state: reloaded
- name: Reload UFW
ufw:
state: reloaded
- name: Restart SSH
service:
name: sshd
state: restarted
- name: Update CA Debian
command: update-ca-certificates
- name: Update CA RedHat
command: /bin/update-ca-trust

1
roles/base/public_keys/ansible_awx Normal file
View file

@ -0,0 +1 @@
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBACzgUaiXanC7LIMR2JHlNjqHdscstjUQ4ZMJOG9ndZY2Ml81g+KPSUQHsmEAO+24TBVc/EpmeU3iMX4BO6XhUEhRACIAfyxW0zZWBZlO46TWf+oMcH6CQNQHubEpxqGvZd8A0tNxI2npzOEW6b3mKDGd1Z60yBPjNr5KZWVcJePPMwjaw== ansible_awx

1
roles/base/public_keys/thale-bw Normal file
View file

@ -0,0 +1 @@
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGz4ngE94T9hGd7OeHf1fFnEefScPirBTDswVXCci9r5IQUOxQNlTy/Se/pMIiqNyx7xiKbqUF35tFb/Hu6DgnKZgAFyUTKJw8hK7n8R4xugEvjI1buW2cT7B05E1fA/1Q0ZE9F92CXVjwjHI3mRbrxtFBbuGM16PnPhvKMlgzPV5gp6A== thale-bw

2
roles/base/public_keys/thale-desktop Normal file
View file

@ -0,0 +1,2 @@
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAAr8WVfAwXo2mpzfoIb6j/TOi8rvrvhHgVmDK8W+qq0AQLXKXJFof4yfiDpsxOOuMpgN1OqtMuIq1q5BHu1QdDhQwHF/W3U3OnhA8EFBaIqTdg1xZqI985NOslb4ZmNBdE3zmR3WHf2JvjbWap7MXzWFZyhl5b/khix05mN5X+66BhQag== thale-desktop

1
roles/base/public_keys/thale-laptop Normal file
View file

@ -0,0 +1 @@
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBACBwI8/hl03oNEdeVwswy+pnh3DwCTmnn+tW//UdHURxqIUV2gI1t06HlHOkc7GSJuxkCgyq8QulzDyqw04B9cahQCcOiA3KGGDuZ9o8THNKtOLlrLfsuWy8sUaWQC3ThXhGgJn0Yl5T+3AY7vtxUUy/EIyYMPqNpiZI/a7vECduR0VrA== thale-laptop

1
roles/base/public_keys/thale-phone Normal file
View file

@ -0,0 +1 @@
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAEVNT5rXIswezr8ItJRhPoOrajSAedK8NtM1Di2VD/zqtPvqGCwwJ7mXkX9jtVsSmLSkX5CjMBtUnisbbL5ccsAngFWaXcuCtiA4RTbC+0nLuho5YoFeRhqp4V85OjP90NOPGmaglj5Ic9GDGx0gYfoSn3axCxoGRMKwc4MSjU1+cZEpA== thale-phone

1
roles/base/public_keys/thale-work Normal file
View file

@ -0,0 +1 @@
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBACrXaAsTYw2ltE364tsiUYZ1l4DSzIWwLHcFyf2tl2RhyWcYlfUY5banoMsL9QBg33AOmeP//O8dKMFXWz48OFp4wF6+/U+nfpbZQru/ejRLwD1M+hlYqhPNDpysWLf8LH9c8VhfRpk1Y27AfbROuR8BkUrdKChCz2gMnVJnqnnapE7nQ== thale-work

62
roles/base/tasks/core.yml Normal file
View file

@ -0,0 +1,62 @@
---
# file: roles/base/tasks/core.yml
- name: "*** Hostname Configuration ***"
include_tasks:
file: core_hostname.yml
apply:
tags: hostname
tags:
- hostname
# Gather facts now that the hostname may have changed
- name: Gather facts
setup:
when: hostname_change.changed
- name: Gather service facts
service_facts:
tags:
- always
- name: "*** MOTD Configuration ***"
include_tasks:
file: core_motd.yml
apply:
tags: motd
tags:
- motd
- name: "*** SSH Configuration ***"
include_tasks:
file: core_ssh.yml
apply:
tags: ssh
tags:
- ssh
- name: "*** Generate Self-Signed Cert ***"
include_tasks:
file: core_cert.yml
apply:
tags: cert
when: base_core_cert_common_name != ''
tags:
- cert
- name: "*** Root CA Install ***"
include_tasks:
file: core_root_ca.yml
apply:
tags: root_ca
tags:
- root_ca
- name: "*** Web Management Configuration ***"
include_tasks:
file: core_web_management.yml
apply:
tags: web_management
when: base_core_web_management == true
tags:
- web_management

53
roles/base/tasks/core_cert.yml Normal file
View file

@ -0,0 +1,53 @@
---
# file: roles/base/tasks/core_cert.yml
- name: Install pip
package:
name: python3-pip
state: latest
register: pip_install
when: ansible_python_version is version('3', '>=')
- name: Upgrade pip
command : pip3 install -U pip
when: pip_install.changed
- name: Install latest python2-cryptography
package:
name: python2-cryptography
state: latest
when: ((ansible_python_version is version('2', '>=')) and (ansible_python_version is version('3', '<')) )
- name: Install latest cryptography
pip:
name: cryptography
state: latest
when: ansible_python_version is version('3', '>=')
- name: Ensure directory exists for local self-signed TLS certs
file:
path: /etc/ssl/{{ base_core_cert_common_name }}/live
state: directory
- name: Generate an OpenSSL private key
openssl_privatekey:
path: /etc/ssl/{{ base_core_cert_common_name }}/live/privkey.pem
- name: Generate an OpenSSL CSR
openssl_csr:
path: /etc/ssl/{{ base_core_cert_common_name }}/{{ base_core_cert_common_name }}.csr
privatekey_path: /etc/ssl/{{ base_core_cert_common_name }}/live/privkey.pem
common_name: "{{ base_core_cert_common_name }}"
- name: Generate a self signed OpenSSL certificate
openssl_certificate:
path: /etc/ssl/{{ base_core_cert_common_name }}/live/fullchain.pem
privatekey_path: /etc/ssl/{{ base_core_cert_common_name }}/live/privkey.pem
csr_path: /etc/ssl/{{ base_core_cert_common_name }}/{{ base_core_cert_common_name }}.csr
provider: selfsigned
- name: Create merged certificate
assemble:
src: /etc/ssl/{{ base_core_cert_common_name }}/live/
dest: /etc/ssl/{{ base_core_cert_common_name }}/live/merged.pem
regexp: '(fullchain.pem$|privkey.pem$)'

58
roles/base/tasks/core_hostname.yml Normal file
View file

@ -0,0 +1,58 @@
---
# file: roles/base/tasks/core_hostname.yml
- name: Ensure system hostname
hostname:
name: "{{ base_core_hostname }}"
when: base_core_hostname != "" and base_core_hostname != ansible_facts['nodename']
register: hostname_change
notify: Reboot Host
- block:
- name: Ensure hostname is set in /etc/hosts
lineinfile:
dest: /etc/hosts
regexp: '^127\.0\.0\.1[ \t]+localhost'
line: '127.0.0.1 localhost {{ base_core_hostname }}'
state: present
- name: Ensure hostname is set in /etc/hosts
lineinfile:
dest: /etc/hosts
regexp: '^127\.0\.1\.1[ \t]'
line: '127.0.1.1 {{ base_core_hostname }}'
state: present
- name: Remove ssh certs
file:
state: absent
path: "{{item}}"
loop:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ed25519_key
- name: Generate /etc/ssh/ RSA host key
command : ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C "" -N ""
args:
creates: /etc/ssh/ssh_host_rsa_key
- name: Generate /etc/ssh/ DSA host key
command : ssh-keygen -q -t dsa -f /etc/ssh/ssh_host_dsa_key -C "" -N ""
args:
creates: /etc/ssh/ssh_host_dsa_key
- name: Generate /etc/ssh/ ECDSA host key
command : ssh-keygen -q -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -C "" -N ""
args:
creates: /etc/ssh/ssh_host_ecdsa_key
- name: Generate /etc/ssh/ ED25519 host key
command : ssh-keygen -q -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "" -N ""
args:
creates: /etc/ssh/ssh_host_ed25519_key
when: hostname_change.changed
- name: Flush handlers
meta: flush_handlers

42
roles/base/tasks/core_motd.yml Normal file
View file

@ -0,0 +1,42 @@
---
# file: roles/base/tasks/core_motd.yml
- name: Disable unnecessary MOTD files
file:
path: "{{ item }}"
mode: 644
with_items:
- "/etc/update-motd.d/00-header"
- "/etc/update-motd.d/10-help-text"
- "/etc/update-motd.d/50-motd-news"
- "/etc/update-motd.d/50-landscape-sysinfo"
when: ansible_os_family == "Debian"
- name: Disable motd-news service in config file
ansible.builtin.lineinfile:
path: /etc/default/motd-news
regexp: ^ENABLED=
line: "ENABLED=0"
when: ansible_os_family == "Debian"
notify:
- Reboot Host
- name: Disable motd-news timer
service:
name: motd-news.timer
state: stopped
enabled: no
when: ansible_os_family == "Debian"
- name: Install the MOTD Script
template:
src: motd.j2
dest: /etc/profile.d/login-info.sh
- name: Configure SSH to not use the default MOTD
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#?PrintMotd '
line: PrintMotd no
notify:
- Restart SSH

73
roles/base/tasks/core_root_ca.yml Normal file
View file

@ -0,0 +1,73 @@
---
# file: roles/base/tasks/core_root_ca.yml
- name: Install ca-certificates package
package:
name: ca-certificates
state: latest
- block:
- name: Create temporary file for cert download
tempfile:
state: file
suffix: temp
register: cert_download
changed_when: False
- name: Download root CA cert
get_url:
url: "{{ base_core_root_ca_url }}"
dest: "{{ cert_download.path }}"
force: yes
changed_when: False
- block:
- name: Convert der to pem
command: "openssl x509 -inform DER -outform PEM -in '{{ cert_download.path }}' -out '{{ cert_download.path }}.crt'"
changed_when: False
- name: Replace the temp file with the converted cert
copy:
src: "{{ cert_download.path }}.crt"
dest: "{{ cert_download.path }}"
remote_src: yes
changed_when: False
- name: Remove the temporary converted cert
file:
path: "{{ cert_download.path }}.crt"
state: absent
changed_when: False
when: base_core_root_ca_convert == true
- name: Ensure CR are removed
replace:
dest: "{{ cert_download.path }}"
regexp: "\r"
changed_when: False
- name: Copy the certificate
copy:
src: "{{ cert_download.path }}"
dest: "/usr/local/share/ca-certificates/{{ base_core_root_ca_basename }}.crt"
remote_src: yes
notify: Update CA Debian
when: ansible_os_family == "Debian"
- name: Copy the certificate
copy:
src: "{{ cert_download.path }}"
dest: "/etc/pki/ca-trust/source/anchors/{{ base_core_root_ca_basename }}.crt"
remote_src: yes
notify: Update CA RedHat
when: ansible_os_family == "RedHat"
- name: Remove the temporary file
file:
path: "{{ cert_download.path }}"
state: absent
when: cert_download.path is defined
changed_when: False
when: base_core_root_ca_url != "" and base_core_root_ca_basename != ""

51
roles/base/tasks/core_ssh.yml Normal file
View file

@ -0,0 +1,51 @@
---
# file: roles/base/tasks/core_ssh.yml
- name: Install the issue notice
template:
src: issue.j2
dest: /etc/issue
notify: Restart SSH
tags:
- issue
- name: Configure SSH to display the issue notice
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#?Banner '
line: Banner /etc/issue
notify: Restart SSH
tags:
- issue
- name: Setup authorized keys
authorized_key:
user: "{{ base_core_management_user }}"
state: present
key: '{{ lookup("file", item) }}'
with_fileglob:
- "public_keys/*"
tags:
- authorized_key
- name: Configure SSH root login
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#?PermitRootLogin '
line: PermitRootLogin no
when: base_core_ssh_permit_root_login == false
notify:
- Restart SSH
tags:
- root_login
- name: Configure SSH password auth
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#?PasswordAuthentication '
line: PasswordAuthentication no
when: base_core_ssh_permit_password_authentication == false
notify:
- Restart SSH
tags:
- password_auth

39
roles/base/tasks/core_web_management.yml Normal file
View file

@ -0,0 +1,39 @@
---
# file: roles/base/tasks/core_web_management.yml
- name: Install cockpit packages
package:
name:
- cockpit
- cockpit-networkmanager
- cockpit-packagekit
- cockpit-storaged
- cockpit-dashboard
state: present
- name: Install cockpit-machines package
package:
name: cockpit-machines
state: present
when: "'libvirt' in services"
- name: Install redhat cockpit packages
package:
name:
- cockpit-selinux
- cockpit-sosreport
state: present
when: ansible_os_family == "RedHat"
- name: Use created self-signed cert
file:
src: /etc/ssl/{{ base_core_cert_common_name }}/live/merged.pem
dest: /etc/cockpit/ws-certs.d/50-ansible.crt
state: link
when: base_core_cert_common_name != ''
- name: Start and enable cockpit service
service:
name: cockpit.socket
state: started
enabled: yes

40
roles/base/tasks/debian.yml Normal file
View file

@ -0,0 +1,40 @@
---
# file: roles/base/tasks/debian.yml
- name: Install Current Updates
apt:
upgrade: full
update_cache: yes
when: base_core_install_updates == true
- name: "*** Debian: Kernel Configuration ***"
include_tasks:
file: debian_kernel.yml
apply:
tags: kernel
tags:
- kernel
- name: "*** Debian: Time Sync Configuration ***"
include_tasks:
file: debian_time_sync.yml
apply:
tags: time_sync
tags:
- time_sync
- name: "*** Debian: Automatic Updates Configuration ***"
include_tasks:
file: debian_automatic_updates.yml
apply:
tags: automatic_updates
tags:
- automatic_updates
- name: "*** Debian: Firewall Configuration ***"
include_tasks:
file: debian_firewall.yml
apply:
tags: firewall
tags:
- firewall

56
roles/base/tasks/debian_automatic_updates.yml Normal file
View file

@ -0,0 +1,56 @@
---
# file: roles/base/tasks/debian_automatic_updates.yml
- name: Install unattended upgrade packages
package:
name:
- unattended-upgrades
- update-notifier-common
state: latest
- name: Activate auto upgrades
template:
src: 20auto-upgrades.j2
dest: /etc/apt/apt.conf.d/20auto-upgrades
- name: Enable updates for all repos
lineinfile:
path: /etc/apt/apt.conf.d/50unattended-upgrades
regexp: '"\${distro_id}:\${distro_codename}-updates";'
line: ' "*:*";'
- name: Enable auto-reboot
lineinfile:
path: /etc/apt/apt.conf.d/50unattended-upgrades
regexp: '^\/?\/?Unattended-Upgrade::Automatic-Reboot '
line: 'Unattended-Upgrade::Automatic-Reboot "true";'
- name: Configure auto-reboot time
lineinfile:
path: /etc/apt/apt.conf.d/50unattended-upgrades
regexp: '^\/?\/?Unattended-Upgrade::Automatic-Reboot-Time '
line: 'Unattended-Upgrade::Automatic-Reboot-Time "03:30";'
- name: Ensure directory exists for daily download timer
file:
path: /etc/systemd/system/apt-daily.timer.d
recurse: yes
state: directory
- name: Configure daily download timer
template:
src: apt-daily.timer.d_override.conf.j2
dest: /etc/systemd/system/apt-daily.timer.d/override.conf
notify: Daemon Reload
- name: Ensure directory exists for daily upgrade timer
file:
path: /etc/systemd/system/apt-daily-upgrade.timer.d
recurse: yes
state: directory
- name: Configure daily upgrade timer
template:
src: apt-daily-upgrade.timer.d_override.conf.j2
dest: /etc/systemd/system/apt-daily-upgrade.timer.d/override.conf
notify: Daemon Reload

25
roles/base/tasks/debian_firewall.yml Normal file
View file

@ -0,0 +1,25 @@
---
# file: roles/base/tasks/debian_firewall.yml
- name: Allow SSH access through the firewall
ufw:
rule: allow
port: "22"
proto: tcp
interface: eth0
direction: in
notify: Reload UFW
- name: Allow web management access through the firewall
ufw:
rule: allow
port: "9090"
proto: tcp
notify: Reload UFW
when: base_core_web_management == true
tags:
- web_management
- name: Enable firewall
ufw:
state: enabled

8
roles/base/tasks/debian_kernel.yml Normal file
View file

@ -0,0 +1,8 @@
---
# file: roles/base/tasks/debian_kernel.yml
- name: Install linux-azure kernel
package:
name: linux-azure
state: latest
notify: Reboot Host

31
roles/base/tasks/debian_time_sync.yml Normal file
View file

@ -0,0 +1,31 @@
---
# file: roles/base/tasks/debian_time_sync.yml
- name: Install chrony
package:
name: chrony
state: latest
- name: Set refclock
lineinfile:
path: /etc/chrony/chrony.conf
line: 'refclock PHC /dev/ptp0 trust poll 1 filter 4'
insertafter: EOF
- name: Set makestep
lineinfile:
path: /etc/chrony/chrony.conf
regexp: '^makestep '
line: 'makestep 1 -1'
- name: Disable systemd-timesyncd
service:
name: systemd-timesyncd
state: stopped
enabled: false
- name: Enable chrony
service:
name: chronyd
state: started
enabled: true

22
roles/base/tasks/main.yml Normal file
View file

@ -0,0 +1,22 @@
---
# file: roles/base/tasks/main.yml
- name: "### Core Tasks ###"
include_tasks:
file: core.yml
tags:
- always
- name: "### Debian Family ###"
include_tasks:
file: debian.yml
when: ansible_os_family == "Debian"
tags:
- always
- name: "### RedHat Family ###"
include_tasks:
file: redhat.yml
when: ansible_os_family == "RedHat"
tags:
- always

40
roles/base/tasks/redhat.yml Normal file
View file

@ -0,0 +1,40 @@
---
# file: roles/base/tasks/redhat.yml
- name: Install Current Updates
yum:
name: '*'
state: latest
when: base_core_install_updates == true
- name: "*** RedHat: EPEL Install ***"
include_tasks:
file: redhat_epel.yml
apply:
tags: epel
tags:
- epel
- name: "*** RedHat: Time Sync Configuration ***"
include_tasks:
file: redhat_time_sync.yml
apply:
tags: time_sync
tags:
- time_sync
- name: "*** RedHat: Automatic Updates Configuration ***"
include_tasks:
file: redhat_automatic_updates.yml
apply:
tags: automatic_updates
tags:
- automatic_updates
- name: "*** RedHat: Firewall Configuration ***"
include_tasks:
file: redhat_firewall.yml
apply:
tags: firewall
tags:
- firewall

50
roles/base/tasks/redhat_automatic_updates.yml Normal file
View file

@ -0,0 +1,50 @@
---
# file: roles/base/tasks/redhat_automatic_updates.yml
- name: Install dnf-automatic package
package:
name: dnf-automatic
state: present
- name: Install yum-utils package for needs restarting
package:
name: yum-utils
state: present
when: ansible_distribution_major_version == 7
- name: Deploy dnf-automatic configuration file
template:
src: automatic.conf.j2
dest: /etc/dnf/automatic.conf
- name: Create dnf-automatic-install.timer directory
file:
path: /etc/systemd/system/dnf-automatic-install.timer.d
recurse: yes
state: directory
- name: Deploy dnf-automatic install timer override
template:
src: dnf-automatic-install.timer.j2
dest: /etc/systemd/system/dnf-automatic-install.timer.d/time.conf
become: yes
notify: Daemon Reload
- name: Start and enable systemd timer for dnf-automatic
service:
name: dnf-automatic-install.timer
state: started
enabled: yes
- name: Create dnf-automatic-install.service directory
file:
path: /etc/systemd/system/dnf-automatic-install.service.d
recurse: yes
state: directory
- name: Deploy dnf-automatic install service override
template:
src: "dnf-automatic-install.service-{{ ansible_distribution_major_version }}.j2"
dest: /etc/systemd/system/dnf-automatic-install.service.d/override.conf
become: yes
notify: Daemon Reload

8
roles/base/tasks/redhat_epel.yml Normal file
View file

@ -0,0 +1,8 @@
---
# file: roles/base/tasks/redhat_epel.yml
- name: Install EPEL RPM
package:
name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm"
state: present
disable_gpg_check: True

25
roles/base/tasks/redhat_firewall.yml Normal file
View file

@ -0,0 +1,25 @@
---
# file: roles/base/tasks/redhat_firewall.yml
- name: Allow SSH access through the firewall
firewalld:
service: ssh
permanent: yes
state: enabled
notify: Reload Firewalld
- name: Allow web management access through the firewall
firewalld:
service: cockpit
permanent: yes
state: enabled
notify: Reload Firewalld
when: base_core_web_management == true
tags:
- web_management
- name: Enable firewall
service:
name: firewalld
state: started
enabled: yes

13
roles/base/tasks/redhat_time_sync.yml Normal file
View file

@ -0,0 +1,13 @@
---
# file: roles/base/tasks/redhat_time_sync.yml
- name: Install chrony package
package:
name: chrony
state: present
- name: Start and enable chrony
service:
name: chronyd
state: started
enabled: yes

2
roles/base/templates/20auto-upgrades.j2 Normal file
View file

@ -0,0 +1,2 @@
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

4
roles/base/templates/apt-daily-upgrade.timer.d_override.conf.j2 Normal file
View file

@ -0,0 +1,4 @@
[Timer]
OnCalendar=
OnCalendar=02:15
RandomizedDelaySec=0

4
roles/base/templates/apt-daily.timer.d_override.conf.j2 Normal file
View file

@ -0,0 +1,4 @@
[Timer]
OnCalendar=
OnCalendar=02:00
RandomizedDelaySec=0

100
roles/base/templates/automatic.conf.j2 Normal file
View file

@ -0,0 +1,100 @@
[commands]
# What kind of upgrade to perform:
# default = all available upgrades
# security = only the security upgrades
upgrade_type = {{ base_redhat_dnf_automatic_upgrade_type }}
random_sleep = {{ base_redhat_dnf_automatic_random_sleep }}
# To just receive updates use dnf-automatic-notifyonly.timer
# Whether updates should be downloaded when they are available, by
# dnf-automatic.timer. notifyonly.timer, download.timer and
# install.timer override this setting.
download_updates = {{ base_redhat_dnf_automatic_download_updates }}
# Whether updates should be applied when they are available, by
# dnf-automatic.timer. notifyonly.timer, download.timer and
# install.timer override this setting.
apply_updates = {{ base_redhat_dnf_automatic_apply_updates }}
[emitters]
# Name to use for this system in messages that are emitted. Default is the
# hostname.
{% if base_redhat_dnf_automatic_system_name != '' %}
system_name = {{ base_redhat_dnf_automatic_system_name }}
{% else %}
# system_name = my-host
{% endif %}
# How to send messages. Valid options are stdio, email and motd. If
# emit_via includes stdio, messages will be sent to stdout; this is useful
# to have cron send the messages. If emit_via includes email, this
# program will send email itself according to the configured options.
# If emit_via includes motd, /etc/motd file will have the messages. if
# emit_via includes command_email, then messages will be send via a shell
# command compatible with sendmail.
# Default is email,stdio.
# If emit_via is None or left blank, no messages will be sent.
emit_via = {{ base_redhat_dnf_automatic_emit_via }}
[email]
# The address to send email messages from.
email_from = {{ base_redhat_dnf_automatic_email_from }}
# List of addresses to send messages to.
email_to = {{ base_redhat_dnf_automatic_email_to }}
# Name of the host to connect to to send email messages.
email_host = {{ base_redhat_dnf_automatic_email_host }}
[command]
# The shell command to execute. This is a Python format string, as used in
# str.format(). The format function will pass a shell-quoted argument called
# `body`.
{% if base_redhat_dnf_automatic_command_format != '' %}
command_format = {{ base_redhat_dnf_automatic_command_format }}
{% else %}
# command_format = "cat"
{% endif %}
# The contents of stdin to pass to the command. It is a format string with the
# same arguments as `command_format`.
{% if base_redhat_dnf_automatic_stdin_format != '' %}
stdin_format = {{ base_redhat_dnf_automatic_stdin_format }}
{% else %}
# stdin_format = "{body}"
{% endif %}
[command_email]
# The shell command to use to send email. This is a Python format string,
# as used in str.format(). The format function will pass shell-quoted arguments
# called body, subject, email_from, email_to.
{% if base_redhat_dnf_automatic_email_command_format != '' %}
command_format = {{ base_redhat_dnf_automatic_email_command_format }}
{% else %}
# command_format = "mail -s {subject} -r {email_from} {email_to}"
{% endif %}
# The contents of stdin to pass to the command. It is a format string with the
# same arguments as `command_format`.
{% if base_redhat_dnf_automatic_email_stdin_format != '' %}
stdin_format = {{ base_redhat_dnf_automatic_email_stdin_format }}
{% else %}
# stdin_format = "{body}"
{% endif %}
# The address to send email messages from.
email_from = {{ base_redhat_dnf_automatic_email_from }}
# List of addresses to send messages to.
email_to = {{ base_redhat_dnf_automatic_email_to }}
[base]
# This section overrides dnf.conf
# Use this to filter DNF core messages
debuglevel = 1

2
roles/base/templates/dnf-automatic-install.service-7.j2 Normal file
View file

@ -0,0 +1,2 @@
[Service]
ExecStartPost=/bin/sh -ec 'needs-restarting -r | grep -q "Reboot is req.*" && shutdown -r +5 Rebooting after applying package updates || exit 0'

2
roles/base/templates/dnf-automatic-install.service-8.j2 Normal file
View file

@ -0,0 +1,2 @@
[Service]
ExecStartPost=/bin/sh -ec 'dnf needs-restarting -r | grep -q "Reboot is req.*" && shutdown -r +5 Rebooting after applying package updates || exit 0'

5
roles/base/templates/dnf-automatic-install.timer.j2 Normal file
View file

@ -0,0 +1,5 @@
[Timer]
OnBootSec=
OnCalendar= 2:00
RandomizedDelaySec=5m
AccuracySec=1s

16
roles/base/templates/issue.j2 Normal file
View file

@ -0,0 +1,16 @@
#jinja2: trim_blocks:False
*********************************************************************
* *
* Unauthorized access to this machine is prohibited *
* Disconnect if you are not an authorized user *
* *
* This system is for the use of authorized users only. Usage of *
* this system may be monitored and recorded by system personnel. *
* *
* Anyone using this system expressly consents to such monitoring *
* and is advised that if such monitoring reveals possible *
* evidence of criminal activity, system personnel may provide the *
* evidence from such monitoring to law enforcement officials. *
* *
*********************************************************************

48
roles/base/templates/motd.j2 Normal file
View file

@ -0,0 +1,48 @@
#! /usr/bin/env bash
# Basic info
HOSTNAME=`uname -n`
OSVERSION=`hostnamectl | grep "Operating System" | sed 's/^.*: //'`
CURRENTTIME=`date +"%Y-%m-%d %H:%M:%S"`
UPTIMEP=`uptime -p`
BOOTTIME=`uptime -s`
CONNECTEDUSERS=`who | wc -l`
# System load
MEMORY1=`free -t -m | grep Total | awk '{print $3" MB";}'`
MEMORY2=`free -t -m | grep "Mem" | awk '{print $2" MB";}'`
MEMORY3=`free -t -m | grep Mem | awk '{print $3/$2 * 100.0}'`
MEMORY4=`printf %.0f $MEMORY3`
LOAD1=`cat /proc/loadavg | awk {'print $1'}`
LOAD5=`cat /proc/loadavg | awk {'print $2'}`
LOAD15=`cat /proc/loadavg | awk {'print $3'}`
PROCESSES=`ps ax | wc -l | tr -d " "`
SWAPSTAT=`free -m | tail -n 1 | awk '{print $3}'`
USAGEROOT=`df -Ph | grep /$ | awk '{print $5 " of " $2}'`
IPADDRESSES=`ip a|grep -oP "inet \K[0-9.]*(?=.*[^ ][^l][^o]$)"`
{% if base_core_motd_banner != '' %}
BANNER='
{{ base_core_motd_banner }}
'
echo "$BANNER
*********************************************************************
{% else %}
echo "*********************************************************************
{% endif %}
- Hostname............: $HOSTNAME
- Operating System....: $OSVERSION
- Uptime..............: $UPTIMEP
- Current Time........: $CURRENTTIME
- Boot Time...........: $BOOTTIME
- Logged on users.....: $CONNECTEDUSERS
*********************************************************************
- Running Processes...: $PROCESSES
- CPU usage...........: $LOAD1, $LOAD5, $LOAD15 (1, 5, 15 min)
- Memory usage........: $MEMORY1 / $MEMORY2 ($MEMORY4%)
- Swap in use.........: $SWAPSTAT MB
- Usage of /..........: $USAGEROOT
- IP Addresses........: $IPADDRESSES
*********************************************************************
"

43
roles/base/vars/main.yml Normal file
View file

@ -0,0 +1,43 @@
---
# file: roles/base/vars/main.yml
# ******
# RedHat
# ******
# DNF Automatic
# =============
# commands
# --------
base_redhat_dnf_automatic_apply_updates: yes
base_redhat_dnf_automatic_download_updates: yes
base_redhat_dnf_automatic_upgrade_type: default
base_redhat_dnf_automatic_random_sleep: 0
# emitters
# --------
base_redhat_dnf_automatic_emit_via: stdio
base_redhat_dnf_automatic_system_name: "{{ ansible_facts['nodename'] }}"
# command
# -------
base_redhat_dnf_automatic_command_format: ""
base_redhat_dnf_automatic_stdin_format: ""
# command_email
# -------------
base_redhat_dnf_automatic_email_command_format: ""
base_redhat_dnf_automatic_email_stdin_format: ""
# email
# -----
base_redhat_dnf_automatic_email_from: root
base_redhat_dnf_automatic_email_to: root
base_redhat_dnf_automatic_email_host: localhost

5
site.yml Normal file
View file

@ -0,0 +1,5 @@
---
# file: site.yml
## This playbook deploys the whole application stack in this site.
- import_playbook: base.yml