authorEmil Renner Berthing <esmil@labitat.dk>2018-10-03 15:31:49 +0200
committerEmil Renner Berthing <esmil@labitat.dk>2018-10-03 20:22:43 +0200
commitd73f54e7e56f689fa3dc69e5a54f078c9680c337 (patch)
tree303a4c56e9be6d69b1e3be85ab253ac572d07e95 /roles/debian/tasks
parent0531f80caf457831408367aaaedcc0446c00cdff (diff)
debian: add basic Debian role
Diffstat (limited to 'roles/debian/tasks')
-rw-r--r--roles/debian/tasks/apt.yml68
-rw-r--r--roles/debian/tasks/hostname.yml15
-rw-r--r--roles/debian/tasks/hosts.yml10
-rw-r--r--roles/debian/tasks/locale.yml41
-rw-r--r--roles/debian/tasks/main.yml31
-rw-r--r--roles/debian/tasks/networkd.yml27
-rw-r--r--roles/debian/tasks/resolved.yml39
-rw-r--r--roles/debian/tasks/sshd.yml56
-rw-r--r--roles/debian/tasks/sudo.yml18
-rw-r--r--roles/debian/tasks/systemd.yml32
-rw-r--r--roles/debian/tasks/timesyncd.yml25
-rw-r--r--roles/debian/tasks/timezone.yml6
-rw-r--r--roles/debian/tasks/tmpfs.yml10
13 files changed, 378 insertions, 0 deletions
diff --git a/roles/debian/tasks/apt.yml b/roles/debian/tasks/apt.yml
new file mode 100644
index 0000000..ff9a960
--- /dev/null
+++ b/roles/debian/tasks/apt.yml
@@ -0,0 +1,68 @@
+---
+- name: Don't install recommended packages
+ copy:
+ dest: '/etc/apt/apt.conf.d/06norecommends'
+ src: 06norecommends
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Don't start services by default
+ copy:
+ dest: '/usr/sbin/policy-rc.d'
+ content: "exit 101\n"
+ owner: root
+ group: root
+ mode: 0755
+
+- name: Remove packages
+ apt:
+ name: '{{ item }}'
+ state: absent
+ autoremove: yes
+ purge: yes
+ with_items: "{{ apt_packages|dictsort(true)|selectattr(1,'equalto','absent')|map(attribute=0)|list }}"
+ tags:
+ - packages
+
+- name: Configure /etc/apt/sources.list
+ template:
+ dest: '/etc/apt/sources.list'
+ src: sources.list.j2
+ owner: root
+ group: root
+ mode: 0644
+ when: apt_sources is defined
+
+- name: Download repository keys
+ apt_key:
+ url: "{{ apt_repos[item.key]['key_url'] }}"
+ id: "{{ apt_repos[item.key]['key_id'] }}"
+ state: present
+ with_dict: '{{ apt_sources }}'
+ when: apt_sources is defined and 'key_url' in apt_repos[item.key]
+
+- name: Update apt cache
+ apt:
+ update_cache: yes
+ tags:
+ - update
+ - packages
+
+- name: Upgrade all packages
+ apt:
+ name: '*'
+ state: latest
+ tags:
+ - upgrade
+ - packages
+
+- name: Install packages
+ apt:
+ name: '{{ item }}'
+ state: present
+ with_items: "{{ apt_packages|dictsort(true)|selectattr(1,'equalto','present')|map(attribute=0)|list }}"
+ tags:
+ - packages
+
+# vim: set ts=2 sw=2 et:
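Review bot: `Remove packages` and `Install packages` feed one package per `with_items` iteration into `apt`, so every package becomes its own apt transaction and the solver never sees the whole set; the module accepts a list, so `name: "{{ apt_packages|dictsort(true)|selectattr(1,'equalto','present')|map(attribute=0)|list }}"` with the `with_items` line dropped (and the same for the absent set) does each in one run. The file modes `0644` and `0755` are plain YAML 1.1 octals that only work because of the leading zero; quoting them as `mode: '0644'` is the form ansible-lint asks for, and the same applies to the unquoted modes in hostname.yml, hosts.yml, locale.yml, sshd.yml, sudo.yml and tmpfs.yml. `Upgrade all packages` with `name: '*'` and `state: latest` runs on every play, not only when the `upgrade` tag is requested, since tags filter only under `--tags`/`--skip-tags`; if a routine run is meant to be a full upgrade, a comment above the task saying so would spare the next reader the surprise.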
diff --git a/roles/debian/tasks/hostname.yml b/roles/debian/tasks/hostname.yml
new file mode 100644
index 0000000..6709c03
--- /dev/null
+++ b/roles/debian/tasks/hostname.yml
@@ -0,0 +1,15 @@
+---
+- name: Set hostname
+ hostname:
+ name: '{{ hostname }}'
+ when: not chroot
+- name: '- when in chroot'
+ copy:
+ dest: '/etc/hostname'
+ content: "{{ hostname }}\n"
+ owner: root
+ group: root
+ mode: 0644
+ when: chroot
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/debian/tasks/hosts.yml b/roles/debian/tasks/hosts.yml
new file mode 100644
index 0000000..46299d6
--- /dev/null
+++ b/roles/debian/tasks/hosts.yml
@@ -0,0 +1,10 @@
+---
+- name: Configure /etc/hosts
+ template:
+ dest: '/etc/hosts'
+ src: hosts.j2
+ owner: root
+ group: root
+ mode: 0644
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/debian/tasks/locale.yml b/roles/debian/tasks/locale.yml
new file mode 100644
index 0000000..72a0b65
--- /dev/null
+++ b/roles/debian/tasks/locale.yml
@@ -0,0 +1,41 @@
+---
+- name: Setting locales to be generated
+ debconf:
+ name: locales
+ question: locales/locales_to_be_generated
+ value: "{{ locale.generated|join(', ') }}"
+ vtype: multiselect
+ register: locale_generated
+
+- name: dpkg-reconfigure locales
+ block:
+ - template:
+ dest: '/etc/locale.gen'
+ src: locale.gen.j2
+ owner: root
+ group: root
+ mode: 0644
+ - debconf:
+ name: locales
+ question: locales/locales_to_be_generated
+ value: "{{ locale.generated|join(', ') }}"
+ vtype: multiselect
+ - command: dpkg-reconfigure -fnoninteractive locales
+ when: locale_generated is changed
+
+- name: Setting default locale
+ template:
+ dest: '/etc/default/locale'
+ src: locale.j2
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Update locales debconf
+ debconf:
+ name: locales
+ question: locales/default_environment_locale
+ value: '{{ locale.default.LANG }}'
+ vtype: select
+
+# vim: set ts=2 sw=2 et:
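Review bot: The `debconf` task inside the `dpkg-reconfigure locales` block repeats the answer the first task already set, and nothing in the file says why; if, as the ordering suggests, writing `/etc/locale.gen` from the template resets the debconf selection, a comment such as `# re-assert the selection after the template rewrite so dpkg-reconfigure regenerates from it` would keep a future cleanup from removing it. The `command` task has no `changed_when`, which is acceptable only because the whole block is gated on `locale_generated is changed`; a short comment on the `when` line stating that this is what keeps the block idempotent would make the dependency explicit.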
diff --git a/roles/debian/tasks/main.yml b/roles/debian/tasks/main.yml
new file mode 100644
index 0000000..71637c1
--- /dev/null
+++ b/roles/debian/tasks/main.yml
@@ -0,0 +1,31 @@
+---
+- import_tasks: apt.yml
+ tags: apt
+- import_tasks: tmpfs.yml
+ tags: tmpfs
+ when: use_tmpfs
+- import_tasks: hosts.yml
+ tags: hosts
+- import_tasks: timezone.yml
+ when: timezone is defined
+ tags: timezone
+- import_tasks: locale.yml
+ when: locale is defined
+ tags: locale
+- import_tasks: hostname.yml
+ when: hostname is defined
+ tags: hostname
+- import_tasks: systemd.yml
+ tags: systemd
+- import_tasks: resolved.yml
+ tags: resolved
+- import_tasks: networkd.yml
+ tags: networkd
+- import_tasks: timesyncd.yml
+ tags: timesyncd
+- import_tasks: sshd.yml
+ tags: sshd
+- import_tasks: sudo.yml
+ tags: sudo
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/debian/tasks/networkd.yml b/roles/debian/tasks/networkd.yml
new file mode 100644
index 0000000..4dac677
--- /dev/null
+++ b/roles/debian/tasks/networkd.yml
@@ -0,0 +1,27 @@
+---
+- name: Enable/disable systemd-networkd
+ systemd:
+ name: systemd-networkd.service
+ enabled: "{{ use_networkd|ternary('yes','no') }}"
+ masked: "{{ use_networkd|ternary('no',omit) }}"
+ # let the current network daemons run undisturbed until reboot
+ # aka. don't cut the pipe we're connected through
+ #state: "{{ use_networkd|ternary('started','stopped') }}"
+ when: not chroot
+- name: '- when in chroot'
+ command: "systemctl {{ use_networkd|ternary('enable','disable') }} systemd-networkd.service"
+ when: chroot
+
+- name: Mask Debian networking.service
+ systemd:
+ name: networking.service
+ enabled: no
+ masked: yes
+ when: use_networkd and not chroot
+- name: '- when in chroot'
+ block:
+ - command: systemctl disable networking.service
+ - command: systemctl mask networking.service
+ when: use_networkd and chroot
+
+# vim: set ts=2 sw=2 et:
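Review bot: The chroot branches run `systemctl enable/disable` and `systemctl disable`/`systemctl mask` through `command` without `changed_when`, so they report changed on every run and hide real drift; the same pattern is in the chroot tasks of resolved.yml, sshd.yml and timesyncd.yml. Where the outcome does not need to be reported, `changed_when: false` is enough; otherwise register the result and compare, e.g. `register: enable_result` with `changed_when: "'Created symlink' in enable_result.stderr or 'Removed' in enable_result.stderr"`, hedged because the exact wording depends on the systemd version. When `use_networkd` is false the unit is disabled but `masked` is omitted, while `networking.service` is masked in the opposite case; if leaving systemd-networkd unmasked is deliberate, a comment on the `masked` line would stop someone from "fixing" the asymmetry.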
diff --git a/roles/debian/tasks/resolved.yml b/roles/debian/tasks/resolved.yml
new file mode 100644
index 0000000..263f93d
--- /dev/null
+++ b/roles/debian/tasks/resolved.yml
@@ -0,0 +1,39 @@
+---
+- name: Configure systemd-resolved
+ ini_file:
+ path: '/etc/systemd/resolved.conf'
+ no_extra_spaces: yes
+ section: "{{ item.key.split('.',1)[0] }}"
+ option: "{{ item.key.split('.',1)[1] }}"
+ value: "{{ item.value|ternary(item.value,omit) }}"
+ state: "{{ item.value|ternary('present','absent') }}"
+ with_dict: '{{ resolved_conf }}'
+ when: use_resolved
+ notify: restart resolved
+
+- name: Enable/disable systemd-resolved
+ systemd:
+ name: systemd-resolved.service
+ enabled: "{{ use_resolved|ternary('yes','no') }}"
+ masked: no
+ state: "{{ use_resolved|ternary('started','stopped') }}"
+ when: not chroot
+- name: '- when in chroot'
+ command: 'systemctl {{ use_resolved|ternary("enable","disable") }} systemd-resolved.service'
+ when: chroot
+
+- name: Symlink /etc/resolv.conf
+ file:
+ path: '/etc/resolv.conf'
+ src: '/run/systemd/resolve/resolv.conf'
+ state: link
+ force: yes
+ when: use_resolved
+- name: Use myhostname and possibly resolved nss plugins
+ lineinfile:
+ path: /etc/nsswitch.conf
+ regexp: '^hosts:'
+ line: 'hosts: files resolve [!UNAVAIL=return] dns myhostname'
+ when: use_resolved
+
+# vim: set ts=2 sw=2 et:
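Review bot: Turning `use_resolved` off leaves `/etc/resolv.conf` as the previous run made it: the symlink and nsswitch tasks are skipped and the service is stopped, but nothing restores a regular resolv.conf, so a host switched away from resolved keeps a link into `/run/systemd/resolve/` that is no longer maintained. A counterpart task with `when: not use_resolved` that replaces the link with a regular file (or a comment stating that toggling off is unsupported) would close that gap; this is inferred from the tasks shown, the handler file is outside this diff. The link target `/run/systemd/resolve/resolv.conf` bypasses resolved's stub listener and per-link DNS settings; if that is intended over `stub-resolv.conf`, a comment on the `Symlink /etc/resolv.conf` task would save the next reader from changing it.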
diff --git a/roles/debian/tasks/sshd.yml b/roles/debian/tasks/sshd.yml
new file mode 100644
index 0000000..a0a2d96
--- /dev/null
+++ b/roles/debian/tasks/sshd.yml
@@ -0,0 +1,56 @@
+---
+- name: Install SSH server
+ apt:
+ name: openssh-server
+ state: present
+ tags:
+ - packages
+
+- name: Create private host keys
+ copy:
+ dest: '/etc/ssh/{{ item.key }}'
+ content: '{{ item.value.private }}'
+ owner: root
+ group: ssh_keys
+ mode: 0640
+ with_dict: '{{ ssh_host_keys }}'
+ loop_control:
+ label: '/etc/ssh/{{ item.key }}'
+ when: ssh_host_keys is defined
+
+- name: Create public host keys
+ copy:
+ dest: '/etc/ssh/{{ item.key }}.pub'
+ content: '{{ item.value.public }}'
+ owner: root
+ group: root
+ mode: 0644
+ with_dict: '{{ ssh_host_keys }}'
+ loop_control:
+ label: '/etc/ssh/{{ item.key }}.pub'
+ when: ssh_host_keys is defined
+
+- name: Configure SSH daemon
+ lineinfile:
+ path: '/etc/ssh/sshd_config'
+ regexp: '{{ item.regexp }}'
+ line: '{{ item.line }}'
+ with_items:
+ - regexp: '^[# ]*PasswordAuthentication'
+ line: 'PasswordAuthentication no'
+ - regexp: '^#*GSSAPIAuthentication'
+ line: 'GSSAPIAuthentication no'
+ notify: restart sshd
+
+- name: Enable SSH daemon
+ systemd:
+ name: ssh.service
+ enabled: yes
+ masked: no
+ state: started
+ when: not chroot
+- name: '- when in chroot'
+ command: systemctl enable ssh.service
+ when: chroot
+
+# vim: set ts=2 sw=2 et:
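Review bot: `Create private host keys` writes private key material from `ssh_host_keys` via `copy: content:`, and without `no_log: true` the module's return value and `--diff` output can put the key into logs; `loop_control.label` hides only the per-item line. Neither host-key task notifies `restart sshd`, so a rotated key is not picked up until the daemon restarts for another reason. `Configure SSH daemon` rewrites `sshd_config` with `lineinfile` but has no `validate`; `validate: '/usr/sbin/sshd -t -f %s'` catches a bad edit before the handler restarts sshd and locks the host out, and `insertbefore: '^Match'` keeps a freshly appended line out of a trailing `Match` block where it would apply only to the matched users. On stock Debian there is no `ssh_keys` group (that name is a Fedora/RHEL convention), so the private-key copy fails unless another role creates it; if it is created elsewhere, a comment naming where would help.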
diff --git a/roles/debian/tasks/sudo.yml b/roles/debian/tasks/sudo.yml
new file mode 100644
index 0000000..e52e1f6
--- /dev/null
+++ b/roles/debian/tasks/sudo.yml
@@ -0,0 +1,18 @@
+---
+- name: Install sudo
+ apt:
+ name: sudo
+ state: present
+ tags:
+ - packages
+
+- name: Configure sudo
+ copy:
+ dest: '/etc/sudoers'
+ src: sudoers
+ owner: root
+ group: root
+ mode: 0440
+ validate: visudo -cf %s
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/debian/tasks/systemd.yml b/roles/debian/tasks/systemd.yml
new file mode 100644
index 0000000..56a5898
--- /dev/null
+++ b/roles/debian/tasks/systemd.yml
@@ -0,0 +1,32 @@
+---
+- name: Configure systemd system.conf
+ ini_file:
+ path: '/etc/systemd/system.conf'
+ no_extra_spaces: yes
+ section: "{{ item.key.split('.',1)[0] }}"
+ option: "{{ item.key.split('.',1)[1] }}"
+ value: "{{ item.value|ternary(item.value,omit) }}"
+ state: "{{ item.value|ternary('present','absent') }}"
+ with_dict: '{{ systemd_conf }}'
+
+- name: Configure journald.conf
+ ini_file:
+ path: '/etc/systemd/journald.conf'
+ no_extra_spaces: yes
+ section: "{{ item.key.split('.',1)[0] }}"
+ option: "{{ item.key.split('.',1)[1] }}"
+ value: "{{ item.value|ternary(item.value,omit) }}"
+ state: "{{ item.value|ternary('present','absent') }}"
+ with_dict: '{{ journald_conf }}'
+
+- name: Configure logind.conf
+ ini_file:
+ path: '/etc/systemd/logind.conf'
+ no_extra_spaces: yes
+ section: "{{ item.key.split('.',1)[0] }}"
+ option: "{{ item.key.split('.',1)[1] }}"
+ value: "{{ item.value|ternary(item.value,omit) }}"
+ state: "{{ item.value|ternary('present','absent') }}"
+ with_dict: '{{ logind_conf }}'
+
+# vim: set ts=2 sw=2 et:
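Review bot: None of the three `ini_file` tasks notifies a handler, unlike the equivalent tasks in resolved.yml and timesyncd.yml, so a changed `system.conf`, `journald.conf` or `logind.conf` takes effect only after a reboot or a manual `daemon-reexec`/`systemctl restart systemd-journald`; if apply-on-reboot is intended, a comment on the first task saying so would make that explicit. The `Section.Option` key convention and the `ternary(..., omit)`/`present|absent` pairing deserve a one-line comment as well, e.g. `# keys are 'Section.Option'; a false, 0 or empty value removes the option instead of setting it`, since a value of `0` silently deletes a setting rather than writing `0`. The tasks differ only in `path` and the dict they loop over, so the comment belongs on the first one.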
diff --git a/roles/debian/tasks/timesyncd.yml b/roles/debian/tasks/timesyncd.yml
new file mode 100644
index 0000000..63949fc
--- /dev/null
+++ b/roles/debian/tasks/timesyncd.yml
@@ -0,0 +1,25 @@
+---
+- name: Configure systemd-timesyncd
+ ini_file:
+ path: '/etc/systemd/timesyncd.conf'
+ no_extra_spaces: yes
+ section: "{{ item.key.split('.',1)[0] }}"
+ option: "{{ item.key.split('.',1)[1] }}"
+ value: "{{ item.value|ternary(item.value,omit) }}"
+ state: "{{ item.value|ternary('present','absent') }}"
+ with_dict: '{{ timesyncd_conf }}'
+ when: use_timesyncd
+ notify: restart timesyncd
+
+- name: Enable systemd-timesyncd
+ systemd:
+ name: systemd-timesyncd.service
+ enabled: "{{ use_timesyncd|ternary('yes','no') }}"
+ masked: no
+ state: "{{ use_timesyncd|ternary('started','stopped') }}"
+ when: not chroot
+- name: '- when in chroot'
+ command: systemctl enable systemd-timesyncd.service
+ when: chroot
+
+# vim: set ts=2 sw=2 et:
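Review bot: The chroot branch always runs `systemctl enable systemd-timesyncd.service`, while the non-chroot task above honours `use_timesyncd` through `ternary`, so a chroot build with `use_timesyncd: false` still ends up with the unit enabled; `command: "systemctl {{ use_timesyncd|ternary('enable','disable') }} systemd-timesyncd.service"` matches the pattern already used in networkd.yml and resolved.yml. The task name `Enable systemd-timesyncd` should then become `Enable/disable systemd-timesyncd` like its siblings.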
diff --git a/roles/debian/tasks/timezone.yml b/roles/debian/tasks/timezone.yml
new file mode 100644
index 0000000..28f31eb
--- /dev/null
+++ b/roles/debian/tasks/timezone.yml
@@ -0,0 +1,6 @@
+---
+- name: Configure timezone
+ timezone:
+ name: '{{ timezone }}'
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/debian/tasks/tmpfs.yml b/roles/debian/tasks/tmpfs.yml
new file mode 100644
index 0000000..67b16c6
--- /dev/null
+++ b/roles/debian/tasks/tmpfs.yml
@@ -0,0 +1,10 @@
+---
+- name: Mount tmpfs on /tmp
+ copy:
+ dest: '/etc/systemd/system/tmp.mount'
+ src: tmp.mount
+ owner: root
+ group: root
+ mode: 0644
+
+# vim: set ts=2 sw=2 et: