Tested with Fedora 30.
--- /dev/null
+RedHat and redhatoids playbooks.
+
+Tested with Fedora 30.
--- /dev/null
+- name: Update local user phd
+ hosts: localhost
+ gather_facts: false
+ vars:
+ system_groups: root,wheel,adm,disk,cdrom,floppy,audio,video,users,mail,input
+ tasks:
+ - name: Create system groups
+ become: true
+ group:
+ name: "{{ item }}"
+ system: true
+ loop: "{{ system_groups.split(',') }}"
+ - name: Create group phd
+ become: true
+ group:
+ name: phd
+ - name: user phd
+ become: true
+ user:
+ name: phd
+ groups: "{{ system_groups }}"
+ - name: Install X11
+ become: true
+ dnf:
+ name: ['fvwm', 'rxvt-unicode', 'xorg']
+ state: latest
+ update_cache: yes
--- /dev/null
+#! /bin/sh
+
+if [ -z "$1" ]; then
+ echo "Usage: $0 host [...params...]" >&2
+ exit 1
+fi
+
+host="$1"
+shift
+
+cd "`dirname \"$0\"`" &&
+ANSIBLE_ROLES_PATH=roles:../roles &&
+export ANSIBLE_ROLES_PATH &&
+
+# Passwordless access isn't configured yet; use `ssh` connection sharing.
+# `sudo` isn't configured yet too; ask for phd password.
+ansible-playbook init-system.yml "$@" -e hosts="$host" -K &&
+exec ansible-playbook init-system2.yml "$@" -e hosts="$host"
--- /dev/null
+- name: Setup Debain system
+ hosts: "{{ hosts | default('all') }}"
+ gather_facts: false
+ roles:
+ - sudo
+ - phd
--- /dev/null
+- name: Setup Debain system - part 2
+ hosts: "{{ hosts | default('all') }}"
+ gather_facts: true
+ roles:
+ - init-system2
+ - root
+ - firewall
+ - logcheck
+ - sshd
--- /dev/null
+Install development packages.
--- /dev/null
+- name: Install development packages
+ become: true
+ dnf:
+ name: ['gcc', 'gcc-c++', 'git', 'make',
+ ]
+ state: latest
+ update_cache: yes
--- /dev/null
+Configure iptables firewall.
+
+Allow everything out, limit in, disable forward.
--- /dev/null
+IPTABLES=/sbin/iptables
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+
+my_ip() {
+ MYIP=$1
+
+ # Allow everything from this host
+ $IPTABLES -A INPUT -s $MYIP -j ACCEPT
+
+ # Allow ICMP
+ $IPTABLES -A INPUT -d $MYIP -p icmp -j ACCEPT
+
+ # Allow ports >1024
+ $IPTABLES -A INPUT -d $MYIP -p tcp --dport 1024: ! --syn -j ACCEPT
+ $IPTABLES -A INPUT -d $MYIP -p udp --dport 1024: -j ACCEPT
+}
+
+start_firewall() {
+ # Allow everything from localhost
+ $IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
+
+ # Specifically block access to NFS and XWindows. Neccessary because these are ports >1024
+ $IPTABLES -A INPUT -p tcp --dport 2049 -j DROP
+ $IPTABLES -A INPUT -p udp --dport 2049 -j DROP
+ $IPTABLES -A INPUT -p tcp --dport 6000:6063 -j DROP
+ $IPTABLES -A INPUT -p udp --dport 6000:6063 -j DROP
+
+ # Allow incoming ssh, smtp, dns, dhcp, www, ident, ntp, smb, OpenVPN, git-daemon
+ $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
+ $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
+ $IPTABLES -A INPUT -p udp --sport 53 --dport 1024: -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 123 -j ACCEPT
+ $IPTABLES -A INPUT -p udp --dport 123 -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 137:139 -j ACCEPT
+ $IPTABLES -A INPUT -p udp --dport 137:139 -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 445 -j ACCEPT
+ $IPTABLES -A INPUT -p udp --dport 1194 -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 9418 -j ACCEPT
+
+ # FTP
+ $IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
+ # Allow ftp-data for active connections
+ #$IPTABLES -A INPUT -p tcp --sport 20 --dport 1024: -j ACCEPT
+
+ # Track FTP connections to allow active and passive mode FTP
+ $IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --sport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+ MY_IP=$(ip -o -4 addr show up | awk '{split($4,a,/\//); if (a[1] != "127.0.0.1") print a[1]}')
+ for ip in $MY_IP; do my_ip "$ip"; done
+}
--- /dev/null
+#!/bin/sh
+exec /etc/rc.d/init.d/iptables.sh start
--- /dev/null
+#!/bin/sh
+exec /etc/rc.d/init.d/iptables.sh start
--- /dev/null
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: iptables.sh
+# Required-Start: $remote_fs $network
+# Required-Stop: $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: iptables firewall
+### END INIT INFO
+
+# Setup ip firewall
+
+. /etc/network/functions.phd
+
+case "$1" in
+ start)
+ systemctl stop fail2ban.service
+
+ # Start afresh
+ $IPTABLES -F
+ $IPTABLES -F -t nat
+ $IPTABLES -F -t mangle
+
+ # Default policies
+ $IPTABLES -P INPUT DROP
+ $IPTABLES -P OUTPUT ACCEPT
+ $IPTABLES -P FORWARD DROP
+
+ start_firewall
+ /etc/rc.d/init.d/rc.masq
+ systemctl start fail2ban.service
+ ;;
+
+ stop)
+ systemctl stop fail2ban.service
+
+ $IPTABLES -F
+ $IPTABLES -F -t nat
+ $IPTABLES -F -t mangle
+ $IPTABLES -P INPUT DROP
+ $IPTABLES -P OUTPUT DROP
+ $IPTABLES -P FORWARD DROP
+ ;;
+
+ clear)
+ systemctl stop fail2ban.service
+
+ # Flush (delete) all rules
+ $IPTABLES -F
+ $IPTABLES -F -t nat
+ $IPTABLES -F -t mangle
+ $IPTABLES -P INPUT ACCEPT
+ $IPTABLES -P OUTPUT ACCEPT
+ $IPTABLES -P FORWARD ACCEPT
+ ;;
+
+ *)
+ echo "Usage: firewall {start|stop|clear}"
+ exit 1
+esac
+
+exit 0
--- /dev/null
+#!/bin/sh
+#
+# rc.masq - IP Masquerade
+#
+# Load all required IP MASQ modules
+#
+# NOTE: Only load the IP MASQ modules you need. All current IP MASQ modules
+# are shown below but are commented out from loading.
+
+# Needed to initially load modules
+#
+#/sbin/depmod -a
+
+# Supports the proper masquerading of FTP file transfers using the PORT method
+#
+#/sbin/modprobe ip_masq_ftp
+
+# Supports the masquerading of RealAudio over UDP. Without this module,
+# RealAudio WILL function but in TCP mode. This can cause a reduction
+# in sound quality
+#
+#/sbin/modprobe ip_masq_raudio
+
+# Supports the masquerading of IRC DCC file transfers
+#
+#/sbin/modprobe ip_masq_irc
+
+
+# Supports the masquerading of Quake and QuakeWorld by default. This modules is
+# for for multiple users behind the Linux MASQ server. If you are going to play
+# Quake I, II, and III, use the second example.
+#
+# NOTE: If you get ERRORs loading the QUAKE module, you are running an old
+# ----- kernel that has bugs in it. Please upgrade to the newest kernel.
+#
+#Quake I / QuakeWorld (ports 26000 and 27000)
+#/sbin/modprobe ip_masq_quake
+#
+#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
+#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960
+
+
+# Supports the masquerading of the CuSeeme video conferencing software
+#
+#/sbin/modprobe ip_masq_cuseeme
+
+#Supports the masquerading of the VDO-live video conferencing software
+#
+#/sbin/modprobe ip_masq_vdolive
+
+
+#CRITICAL: Enable IP forwarding since it is disabled by default since
+#
+# Redhat Users: you may try changing the options in /etc/sysconfig/network from:
+#
+# FORWARD_IPV4=false
+# to
+# FORWARD_IPV4=true
+#
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
+
+# Dynamic IP users:
+#
+# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this following
+# option. This enables dynamic-ip address hacking in IP MASQ, making the life
+# with Diald and similar programs much easier.
+#
+#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
+
+
+IPTABLES=/sbin/iptables
+
+
+# DHCP: For people who receive their external IP address from either DHCP or BOOTP
+# such as ADSL or Cablemodem users, it is necessary to use the following
+# before the deny command. The "bootp_client_net_if_name" should be replaced
+# the name of the link that the DHCP/BOOTP server will put an address on to?
+# This will be something like "eth0", "eth1", etc.
+#
+# This example is currently commented out.
+#
+#
+#$IPCHAINS -A input -j ACCEPT -i bootp_clients_net_if_name -s 0/0 67 -d 0/0 68 -p udp
+
+# Enable simple IP forwarding and Masquerading
+#
+# NOTE: The following is an example for an internal LAN address in the 192.168.0.x
+# network with a 255.255.255.0 or a "24" bit subnet mask.
+#
+# Please change this network number and subnet mask to match your internal LAN setup
+#
--- /dev/null
+- name: Install fail2ban and iptables-services
+ become: true
+ dnf:
+ name: ['fail2ban', 'iptables-services']
+ state: latest
+ update_cache: yes
+ register: services
+
+- name: Disable firewalld
+ become: true
+ service:
+ name: firewalld.service
+ state: stopped
+ enabled: no
+
+- name: Enable fail2ban
+ become: true
+ service:
+ name: fail2ban
+ state: started
+ enabled: yes
+
+- name: Enable iptables-service
+ become: true
+ service:
+ name: iptables
+ state: started
+ enabled: yes
+
+- name: Configure firewall
+ become: true
+ copy:
+ src: etc
+ dest: /
+ owner: root
+ group: root
+ directory_mode: '0750'
+ mode: '0750'
+ force: no
+ register: etc
+
+- name: Fix permissions for /etc/network/functions
+ become: true
+ file:
+ path: /etc/network/functions.phd
+ mode: '0640'
+ register: functions
+
+- name: Start iptables
+ become: true
+ command: /etc/rc.d/init.d/iptables.sh start
+ when: services.changed or etc.changed or functions.changed
--- /dev/null
+Init new RPM system: configure yum/dnf, install minimal list of packages.
--- /dev/null
+- name: Install minimal software packages
+ become: true
+ dnf:
+ name: ['bash', 'bash-completion', 'bzip2',
+ 'curl', 'dnsutils', 'dselect',
+ 'gnupg', 'gnupg2', 'logcheck', 'mc', 'mutt',
+ 'procmail', 'rsync', 'unzip', 'vim', 'wget', 'zip',
+ ]
+ state: latest
+ update_cache: yes
--- /dev/null
+- name: packages
+ import_tasks: dnf.yml
+
+- name: Python
+ import_tasks: python.yml
--- /dev/null
+- name: Install Python and packages
+ become: true
+ dnf:
+ name: ['python2', 'python3', 'python2-pip', 'python3-pip',
+ 'python2-setuptools', 'python3-setuptools',
+ ]
+ state: latest
+ update_cache: yes
+ register: python
+
+- name: Upgrade Python packages
+ become: true
+ shell: 'umask 022; {{ item }} -m pip install --upgrade
+ "pip < 19.1" setuptools tox virtualenv virtualenvwrapper "wheel < 0.31.1"
+ flake8 sphinx twine'
+ when: python.changed
+ loop: ['python3', 'python2']
--- /dev/null
+Init RPM system: phase2 - setup /usr/local.
--- /dev/null
+- name: Setup /usr/local
+ become: true
+ file:
+ path: /usr/local
+ state: directory
+ owner: root
+ group: wheel
+ recurse: yes
+
+- name: Setup directories under /usr/local
+ become: true
+ command: find /usr/local -type d -exec chown root.wheel {} + -exec chmod ug+rwx,o+rx,g+s {} +
+
+- name: Setup files under /usr/local
+ become: true
+ command: find /usr/local -type f -exec chmod ug+rwX,o+rX {} +
+
+- name: Setup /usr/local/src
+ become: true
+ file:
+ path: /usr/local/src
+ state: directory
+ owner: phd
+ group: wheel
+ recurse: yes
--- /dev/null
+Update logcheck ignore patterns.
--- /dev/null
+ignore.d/local-dhcpd
--- /dev/null
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ bluetoothd\[[0-9]+\]: Endpoint (un)?registered: sender=:[0-9.]+ path=/MediaEndpoint/
--- /dev/null
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ console-kit-daemon\[[0-9]+\]: GLib-CRITICAL: Source ID [0-9]+ was not found when attempting to remove it$
+
--- /dev/null
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dbus\[[0-9]+\]: \[system\] Activating service name='org\.freedesktop\.UDisks' \(using servicehelper\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dbus\[[0-9]+\]: \[system\] Successfully activated service 'org\.freedesktop\.UDisks'$
+
--- /dev/null
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ firefox: getaddrinfo\*\.gaih_getanswer: got type "DNAME"$
--- /dev/null
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: \[[ 0-9.]+\] CIFS VFS: Server [0-9.]+ has not responded in 120 seconds\. Reconnecting\.\.\.
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: \[[ 0-9.]+\] Peer [0-9.:/]+ unexpectedly shrunk window [0-9]+:[0-9]+ \(repaired\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: \[[ 0-9.]+\] TCP: request_sock_TCP: Possible SYN flooding on port [0-9]+\. Sending cookies\. Check SNMP counters\.
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: \[[ 0-9.]+\] ncpfs: ncp_evict_inode: could not close
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: \[[ 0-9.]+\] net_ratelimit: [0-9]+ callbacks suppressed$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: \[[ 0-9.]+\] perf: interrupt took too long
--- /dev/null
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ minissdpd\[[0-9]+\]: method , don't know what to do
--- /dev/null
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: DNS format error from ([0-9]{1,3}\.){3}[0-9]{1,3}#[0-9]{1,5} resolving
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client ([0-9]{1,3}\.){3}[0-9]{1,3}#[0-9]{1,5}: message parsing failed
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client ([0-9]{1,3}\.){3}[0-9]{1,3}#[0-9]{1,5} \([._[:alnum:]-]+\): query (\(cache\) )?'.+' denied
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client 192\.168\.3\.20#[0-9]+ \([._[:alnum:]-]+\): error sending response: host unreachable$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: clients-per-query (de|in)creased to
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: skipping nameserver '[A-Za-z0-9._-]+' because it is a CNAME, while resolving
--- /dev/null
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pulseaudio\[[[:digit:]]+\]: \[alsa-(sink|source)-ALC269VC Analog\] alsa-(sink|source)\.c: ALSA woke us up to (read|write) new data (from|to) the device, but there was actually nothing to (read|write)!$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pulseaudio\[[[:digit:]]+\]: \[alsa-(sink|source)-ALC269VC Analog\] alsa-(sink|source)\.c: Most likely this is a bug in the ALSA driver 'snd_hda_intel'\. Please report this issue to the ALSA developers\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pulseaudio\[[[:digit:]]+\]: \[alsa-(sink|source)-ALC269VC Analog\] alsa-(sink|source)\.c: We were woken up with POLL(IN|OUT) set -- however a subsequent snd_pcm_avail\(\) returned 0 or another value < min_avail.$
--- /dev/null
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: \[[ .0-9]{11,13}\] postgres \([0-9]+\): /proc/[0-9]+/oom_adj is deprecated, please use /proc/[0-9]+/oom_score_adj instead\.
--- /dev/null
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (liblogging-stdlog|rsyslogd): {1,2}\[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] rsyslogd was HUPed$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd[0-9-]+: action 'action 17' (suspended|resumed)
--- /dev/null
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ runuser: pam_unix\(runuser:session\): session (opened|closed) for user nobody
--- /dev/null
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd: pam_unix\(samba:session\): session opened for user
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd: pam_unix\(samba:session\): session closed for user
--- /dev/null
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: dns: new_dns_packet: domain is utf8 flagged:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: prefork: adjust:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: handled cleanup of child
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: result:
--- /dev/null
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: (error: )?Received disconnect from
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: (packet_write_wait|ssh_dispatch_run_fatal): Connection from ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+: Broken pipe \[preauth\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Bad protocol version identification
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Connection (closed|reset) by ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+ \[preauth\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Did not receive identification string from ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Disconnected from ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+ \[preauth\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Disconnecting: Change of username or service not allowed:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Disconnecting: Too many authentication failures
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for invalid user.+from ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Invalid user.+from ([0-9]{1,3}\.){3}[0-9]{1,3}
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: PAM service\(sshd\) ignoring max retries
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Unable to negotiate with ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+: no matching (host key type|key exchange method) found\.
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: fatal: (Read from socket|Write) failed: Connection reset by peer
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: fatal: Unable to negotiate a key exchange method \[preauth\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: fatal: no hostkey alg \[preauth\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: input_userauth_request: invalid user.+\[preauth\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: pam_unix(sshd:auth): bad username
+
--- /dev/null
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ transmission-daemon\[[0-9]+\]: UDP Failed to set (send|receive) buffer:
--- /dev/null
+- name: Install logcheck
+ become: true
+ dnf:
+ name: logcheck
+ state: latest
+ update_cache: yes
+
+- name: Configure logcheck
+ become: true
+ lineinfile:
+ path: /etc/logcheck/logcheck.conf
+ regexp: "^INTRO=0$"
+ line: "INTRO=0"
+ insertafter: "^#INTRO=1$"
+
+- name: Update logcheck ignore patterns
+ become: true
+ copy:
+ src: ignore.d/
+ dest: "/etc/logcheck/ignore.d.{{ item }}"
+ owner: root
+ group: logcheck
+ directory_mode: '0750'
+ mode: 0640
+ loop: ['server', 'workstation']
--- /dev/null
+Install RPM packages.
--- /dev/null
+- name: Install software packages
+ become: true
+ dnf:
+ name: ['adjtimex', 'arj', 'mailx', 'elinks', 'fetchmail', 'links',
+ 'lzip', 'lzma', 'lzop', 'p7zip', 'xz',
+ ]
+ state: latest
+ update_cache: yes
--- /dev/null
+Init remote user phd: create system and user groups, create the user,
+upload SSH public key.
--- /dev/null
+system_groups: root,wheel,adm,disk,cdrom,floppy,audio,video,users,mail,input
--- /dev/null
+dependencies: ['init-system']
--- /dev/null
+- name: Test if user phd already exists
+ stat:
+ path: "{{ item }}"
+ register: phd_exists
+ changed_when: not phd_exists.stat.exists
+ loop: ['~/.profile', '~/.shellrc']
+
+- debug:
+ msg: "User phd has already been created"
+ when: phd_exists.results|selectattr('stat.exists')|list|length == 2
+
+- name: Create and setup user phd
+ block:
+ - name: Create system groups
+ become: true
+ group:
+ name: "{{ item }}"
+ system: true
+ loop: "{{ system_groups.split(',') }}"
+
+ - name: Create group phd
+ become: true
+ group:
+ name: phd
+
+ - name: Add user phd
+ become: true
+ user:
+ name: phd
+ group: phd
+ groups: "{{ system_groups }}"
+
+ - name: Remove mc directories
+ file:
+ path: "{{ item }}"
+ state: absent
+ loop: ['~/.cache/mc', '~/.config/mc', '~/.local/share/mc']
+
+ - name: Upload and extract home archive
+ unarchive:
+ src: ~/archive/STORE/phd/Home/phd.tar.bz2
+ dest: /home
+ when: phd_exists.results|selectattr('stat.exists')|list|length != 2
+
+- name: Add alias
+ become: true
+ lineinfile:
+ path: /etc/aliases
+ regexp: "^root: phd$"
+ line: "root: phd"
--- /dev/null
+Init sudo: install sudo, add user phd, allow passwordless operations.
--- /dev/null
+dependencies: ['init-system']
--- /dev/null
+- name: Allow passwordless operations for phd
+ become: true
+ copy:
+ content: 'phd ALL=(ALL:ALL) NOPASSWD: ALL'
+ dest: /etc/sudoers.d/phd
+ owner: root
+ group: root
+ mode: 0640
--- /dev/null
+- name: Update RPM systems with dnf
+ hosts: "{{ hosts | default('all') }}"
+ become: yes
+ gather_facts: false
+ tasks:
+ - name: Update system using dnf
+ dnf:
+ name: "*"
+ state: latest
+ update_cache: yes
--- /dev/null
+- name: "Update ~root from ~phd"
+ hosts: "{{ hosts | default('all') }}"
+ become: yes
+ gather_facts: false
+ tasks:
+ - name: "Update ~root - sync directories from ~phd"
+ synchronize:
+ src: "~phd/{{ item }}"
+ dest: ~root
+ archive: no # avoid setting owner/group
+ recursive: yes
+ links: yes
+ times: yes
+ delegate_to: "{{ inventory_hostname }}"
+ loop: ['.vim', 'bin', 'lib']
+
+ - name: "Update ~root - sync files from ~phd"
+ copy:
+ src: "~phd/{{ item }}"
+ remote_src: yes
+ dest: ~root
+ owner: root
+ group: root
+ mode: "0600"
+ force: no
+ loop: ['.bashrc', 'admin/home/root/.profile',
+ '.bash_logout', '.inputrc', '.less', '.lesskey',
+ '.screenrc', '.shellrc', '.tmux.conf', '.vimrc',
+ ]
+
+ - name: "Update root mc - overwrite files from ~phd/admin"
+ become: true
+ copy:
+ src: "~phd/admin/home/root/.mc/{{ item }}"
+ remote_src: yes
+ dest: ~root/.mc
+ owner: root
+ group: root
+ mode: "0600"
+ force: no
+ loop: ['hotlist', 'ini', 'panels.ini']
+
-vbox9 ansible_host=localhost ansible_port=2022 debian_distr=stretch debian_mirror=http://mirror.yandex.ru/debian
-vbox10 ansible_host=localhost ansible_port=2022 debian_distr=buster debian_mirror=https://mirror.yandex.ru/debian
+vbox-d9 ansible_host=localhost ansible_port=2022 debian_distr=stretch debian_mirror=http://mirror.yandex.ru/debian
+vbox-d10 ansible_host=localhost ansible_port=2022 debian_distr=buster debian_mirror=https://mirror.yandex.ru/debian
+vbox-f30-64 ansible_host=localhost ansible_port=2022
projects / ansible.git / commitdiff