# `sudo` isn't configured yet too; use `su` and ask for root password.
ansible-playbook ../init-system.yml "$@" -e hosts="$host" \
--become-method=su -K &&
-exec ansible-playbook init-system2.yml "$@" -e hosts="$host"
+exec ansible-playbook ../init-system2.yml "$@" -e hosts="$host"
+++ /dev/null
-Init new Debian system: configure apt, install minimal list of packages.
+++ /dev/null
-- name: apt
- import_tasks: apt.yml
-
-- name: locales
- import_tasks: locales.yml
+++ /dev/null
-Init Debian system: phase2 - setup /usr/local.
+++ /dev/null
-Install Debian packages.
+++ /dev/null
-system_groups: root,adm,disk,cdrom,floppy,sudo,audio,www-data,video,plugdev,staff,users,Debian-exim,fuse,sambashare,input
- name: Setup Linux system
hosts: "{{ hosts | default('all') }}"
- gather_facts: false
+ gather_facts: true
roles:
- sudo
- phd
gather_facts: true
roles:
- init-system2
- - remove-systemd
+ - role: remove-systemd
+ when: ansible_facts.os_family == 'Debian'
- root
- firewall
- logcheck
# Passwordless access isn't configured yet; use `ssh` connection sharing.
# `sudo` isn't configured yet too; ask for phd password.
-ansible-playbook init-system.yml "$@" -e hosts="$host" -K &&
-exec ansible-playbook init-system2.yml "$@" -e hosts="$host"
+ansible-playbook ../init-system.yml "$@" -e hosts="$host" -K &&
+exec ansible-playbook ../init-system2.yml "$@" -e hosts="$host"
+++ /dev/null
-- name: Setup Debain system
- hosts: "{{ hosts | default('all') }}"
- gather_facts: false
- roles:
- - sudo
- - phd
+++ /dev/null
-- name: Setup Debain system - part 2
- hosts: "{{ hosts | default('all') }}"
- gather_facts: true
- roles:
- - init-system2
- - root
- - firewall
- - logcheck
- - sshd
+++ /dev/null
-Install development packages.
+++ /dev/null
-- name: Install development packages
- become: true
- dnf:
- name: ['expat', 'gcc', 'gcc-c++',
- 'gdbm', 'gdbm-libs', 'git', 'gmp',
- 'libffi', 'lzma-sdk', 'make', 'mpdecimal',
- 'openssl', 'patch', 'readline', 'sqlite', 'zlib',
- ]
- state: latest
- update_cache: yes
+++ /dev/null
-Init new RPM system: configure yum/dnf, install minimal list of packages.
+++ /dev/null
-- name: packages
- import_tasks: dnf.yml
+++ /dev/null
-Init RPM system: phase2 - setup /usr/local.
+++ /dev/null
-- name: Setup /usr/local
- become: true
- file:
- path: /usr/local
- state: directory
- owner: root
- group: wheel
- recurse: yes
-
-- name: Setup directories under /usr/local
- become: true
- command: find /usr/local -type d -exec chown root.wheel {} + -exec chmod ug+rwx,o+rx,g+s {} +
-
-- name: Setup files under /usr/local
- become: true
- command: find /usr/local -type f -exec chmod ug+rwX,o+rX {} +
-
-- name: Setup /usr/local/src
- become: true
- file:
- path: /usr/local/src
- state: directory
- owner: phd
- group: wheel
- recurse: yes
+++ /dev/null
-Update logcheck ignore patterns.
+++ /dev/null
-ignore.d/local-dhcpd
+++ /dev/null
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ bluetoothd\[[0-9]+\]: Endpoint (un)?registered: sender=:[0-9.]+ path=/MediaEndpoint/
+++ /dev/null
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ console-kit-daemon\[[0-9]+\]: GLib-CRITICAL: Source ID [0-9]+ was not found when attempting to remove it$
-
+++ /dev/null
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dbus\[[0-9]+\]: \[system\] Activating service name='org\.freedesktop\.UDisks' \(using servicehelper\)$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dbus\[[0-9]+\]: \[system\] Successfully activated service 'org\.freedesktop\.UDisks'$
-
+++ /dev/null
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ firefox: getaddrinfo\*\.gaih_getanswer: got type "DNAME"$
+++ /dev/null
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: \[[ 0-9.]+\] CIFS VFS: Server [0-9.]+ has not responded in 120 seconds\. Reconnecting\.\.\.
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: \[[ 0-9.]+\] Peer [0-9.:/]+ unexpectedly shrunk window [0-9]+:[0-9]+ \(repaired\)$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: \[[ 0-9.]+\] TCP: request_sock_TCP: Possible SYN flooding on port [0-9]+\. Sending cookies\. Check SNMP counters\.
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: \[[ 0-9.]+\] ncpfs: ncp_evict_inode: could not close
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: \[[ 0-9.]+\] net_ratelimit: [0-9]+ callbacks suppressed$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: \[[ 0-9.]+\] perf: interrupt took too long
+++ /dev/null
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ minissdpd\[[0-9]+\]: method , don't know what to do
+++ /dev/null
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: DNS format error from ([0-9]{1,3}\.){3}[0-9]{1,3}#[0-9]{1,5} resolving
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client ([0-9]{1,3}\.){3}[0-9]{1,3}#[0-9]{1,5}: message parsing failed
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client ([0-9]{1,3}\.){3}[0-9]{1,3}#[0-9]{1,5} \([._[:alnum:]-]+\): query (\(cache\) )?'.+' denied
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client 192\.168\.3\.20#[0-9]+ \([._[:alnum:]-]+\): error sending response: host unreachable$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: clients-per-query (de|in)creased to
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: skipping nameserver '[A-Za-z0-9._-]+' because it is a CNAME, while resolving
+++ /dev/null
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pulseaudio\[[[:digit:]]+\]: \[alsa-(sink|source)-ALC269VC Analog\] alsa-(sink|source)\.c: ALSA woke us up to (read|write) new data (from|to) the device, but there was actually nothing to (read|write)!$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pulseaudio\[[[:digit:]]+\]: \[alsa-(sink|source)-ALC269VC Analog\] alsa-(sink|source)\.c: Most likely this is a bug in the ALSA driver 'snd_hda_intel'\. Please report this issue to the ALSA developers\.$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pulseaudio\[[[:digit:]]+\]: \[alsa-(sink|source)-ALC269VC Analog\] alsa-(sink|source)\.c: We were woken up with POLL(IN|OUT) set -- however a subsequent snd_pcm_avail\(\) returned 0 or another value < min_avail.$
+++ /dev/null
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: \[[ .0-9]{11,13}\] postgres \([0-9]+\): /proc/[0-9]+/oom_adj is deprecated, please use /proc/[0-9]+/oom_score_adj instead\.
+++ /dev/null
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (liblogging-stdlog|rsyslogd): {1,2}\[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] rsyslogd was HUPed$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd[0-9-]+: action 'action 17' (suspended|resumed)
+++ /dev/null
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ runuser: pam_unix\(runuser:session\): session (opened|closed) for user nobody
+++ /dev/null
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd: pam_unix\(samba:session\): session opened for user
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd: pam_unix\(samba:session\): session closed for user
+++ /dev/null
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: dns: new_dns_packet: domain is utf8 flagged:
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: prefork: adjust:
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: handled cleanup of child
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: result:
+++ /dev/null
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: (error: )?Received disconnect from
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: (packet_write_wait|ssh_dispatch_run_fatal): Connection from ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+: Broken pipe \[preauth\]
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Bad protocol version identification
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Connection (closed|reset) by ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+ \[preauth\]
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Did not receive identification string from ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Disconnected from ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+ \[preauth\]
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Disconnecting: Change of username or service not allowed:
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Disconnecting: Too many authentication failures
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for invalid user.+from ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Invalid user.+from ([0-9]{1,3}\.){3}[0-9]{1,3}
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: PAM service\(sshd\) ignoring max retries
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Unable to negotiate with ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+: no matching (host key type|key exchange method) found\.
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: fatal: (Read from socket|Write) failed: Connection reset by peer
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: fatal: Unable to negotiate a key exchange method \[preauth\]$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: fatal: no hostkey alg \[preauth\]
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: input_userauth_request: invalid user.+\[preauth\]$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: pam_unix(sshd:auth): bad username
-
+++ /dev/null
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ transmission-daemon\[[0-9]+\]: UDP Failed to set (send|receive) buffer:
+++ /dev/null
-- name: Install logcheck
- become: true
- dnf:
- name: logcheck
- state: latest
- update_cache: yes
-
-- name: Configure logcheck
- become: true
- lineinfile:
- path: /etc/logcheck/logcheck.conf
- regexp: "^INTRO=0$"
- line: "INTRO=0"
- insertafter: "^#INTRO=1$"
-
-- name: Update logcheck ignore patterns
- become: true
- copy:
- src: ignore.d/
- dest: "/etc/logcheck/ignore.d.{{ item }}"
- owner: root
- group: logcheck
- directory_mode: '0750'
- mode: 0640
- loop: ['server', 'workstation']
+++ /dev/null
-Install RPM packages.
+++ /dev/null
-- name: Install software packages
- become: true
- dnf:
- name: ['adjtimex', 'arj', 'mailx', 'elinks', 'fetchmail', 'links',
- 'lzip', 'lzma', 'lzop', 'p7zip', 'xz',
- ]
- state: latest
- update_cache: yes
+++ /dev/null
-Init remote user phd: create system and user groups, create the user,
-upload SSH public key.
+++ /dev/null
-system_groups: root,wheel,adm,disk,cdrom,floppy,audio,video,users,mail,input
+++ /dev/null
-dependencies: ['init-system']
+++ /dev/null
-- name: Test if user phd already exists
- stat:
- path: "{{ item }}"
- register: phd_exists
- changed_when: not phd_exists.stat.exists
- loop: ['~/.profile', '~/.shellrc']
-
-- debug:
- msg: "User phd has already been created"
- when: phd_exists.results|selectattr('stat.exists')|list|length == 2
-
-- name: Create and setup user phd
- block:
- - name: Create system groups
- become: true
- group:
- name: "{{ item }}"
- system: true
- loop: "{{ system_groups.split(',') }}"
-
- - name: Create group phd
- become: true
- group:
- name: phd
-
- - name: Add user phd
- become: true
- user:
- name: phd
- group: phd
- groups: "{{ system_groups }}"
-
- - name: Remove mc directories
- file:
- path: "{{ item }}"
- state: absent
- loop: ['~/.cache/mc', '~/.config/mc', '~/.local/share/mc']
-
- - name: Upload and extract home archive
- unarchive:
- src: ~/archive/STORE/phd/Home/phd.tar.bz2
- dest: /home
- when: phd_exists.results|selectattr('stat.exists')|list|length != 2
-
-- name: Add alias
- become: true
- lineinfile:
- path: /etc/aliases
- regexp: "^root: phd$"
- line: "root: phd"
+++ /dev/null
-Install development packages.
+++ /dev/null
-dependencies: ['dev-packages', 'python-packages']
+++ /dev/null
-- name: Install development packages
- become: true
- dnf:
- name: ['bzip2-devel', 'expat-devel', 'gdbm-devel', 'gmp-devel',
- 'libffi-devel', 'lzma-sdk-devel', 'mpdecimal-devel',
- 'ncurses-devel', 'ncurses-libs', 'openssl-devel', 'openssl-libs',
- 'python2-devel', 'python3-devel', 'readline-devel', 'sqlite-devel',
- 'xz-devel', 'xz-libs', 'zlib-devel',
- ]
- state: latest
- update_cache: yes
+++ /dev/null
-Install Python packages.
+++ /dev/null
-- name: Install Python and packages
- become: true
- dnf:
- name: ['python2', 'python3', 'python2-pip', 'python3-pip',
- 'python2-setuptools', 'python3-setuptools',
- 'python2-pyOpenSSL', 'python3-pyOpenSSL',
- ]
- state: latest
- update_cache: yes
- register: python
-
-- name: Upgrade Python packages
- become: true
- shell: 'umask 022; {{ item }} -m pip install --upgrade
- "pip < 19.1" setuptools tox virtualenv virtualenvwrapper "wheel < 0.31.1"
- flake8 sphinx twine'
- when: python.changed
- loop: ['python3', 'python2']
--- /dev/null
+Empty "role" to satisfy `init-system2`.
+++ /dev/null
-Init sudo: install sudo, add user phd, allow passwordless operations.
+++ /dev/null
-dependencies: ['init-system']
+++ /dev/null
-- name: Allow passwordless operations for phd
- become: true
- copy:
- content: 'phd ALL=(ALL:ALL) NOPASSWD: ALL'
- dest: /etc/sudoers.d/phd
- owner: root
- group: root
- mode: 0640
+++ /dev/null
-- name: "Update ~root from ~phd"
- hosts: "{{ hosts | default('all') }}"
- become: yes
- gather_facts: false
- tasks:
- - name: "Update ~root - sync directories from ~phd"
- synchronize:
- src: "~phd/{{ item }}"
- dest: ~root
- archive: no # avoid setting owner/group
- recursive: yes
- links: yes
- times: yes
- delegate_to: "{{ inventory_hostname }}"
- loop: ['.vim', 'bin', 'lib']
-
- - name: "Update ~root - sync files from ~phd"
- copy:
- src: "~phd/{{ item }}"
- remote_src: yes
- dest: ~root
- owner: root
- group: root
- mode: "0600"
- force: no
- loop: ['.bashrc', 'admin/home/root/.profile',
- '.bash_logout', '.inputrc', '.less', '.lesskey',
- '.screenrc', '.shellrc', '.tmux.conf', '.vimrc',
- ]
-
- - name: "Update root mc - overwrite files from ~phd/admin"
- become: true
- copy:
- src: "~phd/admin/home/root/.mc/{{ item }}"
- remote_src: yes
- dest: ~root/.mc
- owner: root
- group: root
- mode: "0600"
- force: no
- loop: ['hotlist', 'ini', 'panels.ini']
-
]
state: latest
update_cache: yes
+ when: ansible_facts.os_family == 'Debian'
+
+- name: Install development packages
+ become: true
+ dnf:
+ name: ['expat', 'gcc', 'gcc-c++',
+ 'gdbm', 'gdbm-libs', 'git', 'gmp',
+ 'libffi', 'lzma-sdk', 'make', 'mpdecimal',
+ 'openssl', 'patch', 'readline', 'sqlite', 'zlib',
+ ]
+ state: latest
+ update_cache: yes
+ when: ansible_facts.os_family == 'RedHat'
--- /dev/null
+Init new Linux system: configure package manager,
+install minimal list of packages.
--- /dev/null
+- name: apt
+ import_tasks: apt.yml
+ when: ansible_facts.os_family == 'Debian'
+
+- name: locales
+ import_tasks: locales.yml
+ when: ansible_facts.os_family == 'Debian'
+
+- name: packages
+ import_tasks: dnf.yml
+ when: ansible_facts.os_family == 'RedHat'
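Review bot: Every entry in this new tasks file is gated on `ansible_facts.os_family` being Debian or RedHat, so on any other family the role skips all three imports and still reports success, and the roles that build on it (the `system_group` set_fact, the `system_groups` var and the sudoers `group:` template later in this commit) then template an empty string from the same fact. Since this role is the one the others declare as a dependency, a single assert at its top turns the unsupported platform into a named failure at the first step instead of a string of confusing downstream errors. Something like the task below, placed before the `apt` import, is enough.
```yaml
- name: Require a supported OS family
  assert:
    that: ansible_facts.os_family in ['Debian', 'RedHat']
    fail_msg: "Unsupported os_family: {{ ansible_facts.os_family }}"

# … unchanged: apt, locales and packages imports …
```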
--- /dev/null
+Init Linux system: phase2 - setup /usr/local.
+- set_fact:
+ system_group: "{% if ansible_facts.os_family == 'Debian' %}staff{% elif ansible_facts.os_family == 'RedHat' %}wheel{% endif %}"
+
- name: Setup /usr/local
become: true
file:
path: /usr/local
state: directory
owner: root
- group: staff
+ group: "{{ system_group }}"
recurse: yes
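Review bot: The `system_group` template on the `set_fact` line has no `{% else %}`, so for an os_family other than Debian or RedHat it evaluates to an empty string instead of failing; the `file:` task then receives `group: ""`, and the `find … -exec chown root.{{ system_group }}` line in the next hunk becomes `chown root.`, which GNU chown reads as "root's login group" and quietly re-groups everything under /usr/local to root rather than staff/wheel. A dict lookup such as `system_group: "{{ {'Debian': 'staff', 'RedHat': 'wheel'}[ansible_facts.os_family] }}"` makes the unsupported case an undefined-key error at the point where the value is chosen. While that chown line is being re-templated, `chown root:{{ system_group }}` is the documented separator; the `.` form is kept by GNU chown for backward compatibility only.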
- name: Setup directories under /usr/local
become: true
- command: find /usr/local -type d -exec chown root.staff {} + -exec chmod ug+rwx,o+rx,g+s {} +
+ command: "find /usr/local -type d -exec chown root.{{ system_group }} {} + -exec chmod ug+rwx,o+rx,g+s {} +"
- name: Setup files under /usr/local
become: true
path: /usr/local/src
state: directory
owner: phd
- group: staff
+ group: "{{ system_group }}"
recurse: yes
name: logcheck
state: latest
update_cache: yes
+ when: ansible_facts.os_family == 'Debian'
+
+- name: Install logcheck
+ become: true
+ dnf:
+ name: logcheck
+ state: latest
+ update_cache: yes
+ when: ansible_facts.os_family == 'RedHat'
- name: Configure logcheck
become: true
--- /dev/null
+Install more packages.
]
state: latest
update_cache: yes
+ when: ansible_facts.os_family == 'Debian'
+
+- name: Install software packages
+ become: true
+ dnf:
+ name: ['adjtimex', 'arj', 'mailx', 'elinks', 'fetchmail', 'links',
+ 'lzip', 'lzma', 'lzop', 'p7zip', 'xz',
+ ]
+ state: latest
+ update_cache: yes
+ when: ansible_facts.os_family == 'RedHat'
--- /dev/null
+system_groups: "{% if ansible_facts.os_family == 'Debian' %}root,adm,disk,cdrom,floppy,sudo,audio,www-data,video,plugdev,staff,users,Debian-exim,fuse,sambashare,input{% elif ansible_facts.os_family == 'RedHat' %}root,wheel,adm,disk,cdrom,floppy,audio,video,users,mail,input{% endif %}"
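Review bot: `system_groups` falls back to an empty string when `ansible_facts.os_family` is neither Debian nor RedHat, and the consumer (per the RPM-side tasks this commit removes) does `system_groups.split(',')`, which on an empty string yields `['']` — a `group:` task with an empty name and `groups: ""` on the user — rather than a clear failure. Keying a mapping by family and indexing it makes the unsupported case a hard undefined-variable error and also lets the two lists read as lists instead of one 200-character Jinja line. The vars file would become the following.
```yaml
system_groups_by_family:
  Debian: root,adm,disk,cdrom,floppy,sudo,audio,www-data,video,plugdev,staff,users,Debian-exim,fuse,sambashare,input
  RedHat: root,wheel,adm,disk,cdrom,floppy,audio,video,users,mail,input

system_groups: "{{ system_groups_by_family[ansible_facts.os_family] }}"
```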
path: /etc/aliases
regexp: "^root: phd$"
line: "root: phd"
+ when: ansible_facts.os_family == 'Debian'
when: phd_exists.results|selectattr('stat.exists')|list|length != 2
+
+- name: Add alias
+ become: true
+ lineinfile:
+ path: /etc/aliases
+ regexp: "^root: phd$"
+ line: "root: phd"
+ when: ansible_facts.os_family == 'RedHat'
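Review bot: The two `Add alias` tasks are identical apart from their `when:` — a `lineinfile` on `/etc/aliases` has nothing package-manager specific in it — so the added RedHat copy only creates a second place to maintain and a second skipped line in every run. Dropping the `when: ansible_facts.os_family == 'Debian'` added to the first task and deleting the new block gives the same result on both families. The first task's `lineinfile:` header is above this hunk.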
state: latest
update_cache: yes
when: ansible_facts.distribution_major_version == '9'
+ when: ansible_facts.os_family == 'Debian'
- name: Install development packages
become: true
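Review bot: The added `when: ansible_facts.os_family == 'Debian'` sits directly under an existing `when: ansible_facts.distribution_major_version == '9'`; if both belong to the same task (indentation is not recoverable here), that is a duplicate mapping key, which Ansible's YAML loader only warns about and resolves by keeping the last value, so the Debian 9 restriction is silently dropped and the task now runs on every Debian release. Combine them into one list-form condition: `when:` / `  - ansible_facts.os_family == 'Debian'` / `  - ansible_facts.distribution_major_version == '9'`. The task's header and package list are outside the hunk.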
]
state: latest
update_cache: yes
+ when: ansible_facts.os_family == 'Debian'
+
+- name: Install development packages
+ become: true
+ dnf:
+ name: ['bzip2-devel', 'expat-devel', 'gdbm-devel', 'gmp-devel',
+ 'libffi-devel', 'lzma-sdk-devel', 'mpdecimal-devel',
+ 'ncurses-devel', 'ncurses-libs', 'openssl-devel', 'openssl-libs',
+ 'python2-devel', 'python3-devel', 'readline-devel', 'sqlite-devel',
+ 'xz-devel', 'xz-libs', 'zlib-devel',
+ ]
+ state: latest
+ update_cache: yes
+ when: ansible_facts.os_family == 'RedHat'
state: latest
update_cache: yes
register: python
+ when: ansible_facts.os_family == 'Debian'
+
+- name: Install Python and packages
+ become: true
+ dnf:
+ name: ['python2', 'python3', 'python2-pip', 'python3-pip',
+ 'python2-setuptools', 'python3-setuptools',
+ 'python2-pyOpenSSL', 'python3-pyOpenSSL',
+ ]
+ state: latest
+ update_cache: yes
+ register: python
+ when: ansible_facts.os_family == 'RedHat'
- name: Upgrade Python packages
become: true
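Review bot: Both package tasks use `register: python`, and a skipped task still registers its result, so on a Debian host the later dnf task overwrites `python` with a skipped result whose `changed` is false; the `Upgrade Python packages` task that follows (presumably still gated on `python.changed`, as in the RPM-side file this commit removes) will then never run on Debian. Register the two tasks under distinct names, e.g. `register: python_apt` and `register: python_dnf`, and gate the upgrade with `when: python_apt is changed or python_dnf is changed`. The apt task's header and the upgrade task's condition are outside the hunk.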
name: sudo
state: latest
update_cache: yes
+ when: ansible_facts.os_family == 'Debian'
- name: Add user phd to group sudo
become: true
name: phd
append: yes
groups: sudo
+ when: ansible_facts.os_family == 'Debian'
- name: Allow passwordless operations for phd
become: true
content: 'phd ALL=(ALL:ALL) NOPASSWD: ALL'
dest: /etc/sudoers.d/phd
owner: root
- group: sudo
+ group: "{% if ansible_facts.os_family == 'Debian' %}sudo{% elif ansible_facts.os_family == 'RedHat' %}root{% endif %}"
mode: 0640
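Review bot: The `copy` into `/etc/sudoers.d` (its `copy:` line is above the hunk) still has no `validate:`, and a fragment that fails to parse makes sudo refuse to run for every user on the host; `validate: '/usr/sbin/visudo -cf %s'` on this task rejects a bad `content` before it is installed. The new `group:` template, like the `system_group` and `system_groups` templates elsewhere in this commit, evaluates to an empty string for any os_family outside Debian/RedHat, so the failure surfaces as a group lookup error rather than naming the unsupported platform; `{% else %}root{% endif %}` or an explicit assert up front would make that clearer. I also see no RedHat counterpart to the Debian-gated task that installs the sudo package in this hunk, so the RedHat path assumes sudo is already present on those hosts.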