aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--roles/debian/defaults/main.yml42
-rw-r--r--roles/debian/files/06norecommends2
-rw-r--r--roles/debian/files/sudoers27
-rw-r--r--roles/debian/files/tmp.mount15
-rw-r--r--roles/debian/handlers/main.yml20
-rw-r--r--roles/debian/tasks/apt.yml68
-rw-r--r--roles/debian/tasks/hostname.yml15
-rw-r--r--roles/debian/tasks/hosts.yml10
-rw-r--r--roles/debian/tasks/locale.yml41
-rw-r--r--roles/debian/tasks/main.yml31
-rw-r--r--roles/debian/tasks/networkd.yml27
-rw-r--r--roles/debian/tasks/resolved.yml39
-rw-r--r--roles/debian/tasks/sshd.yml56
-rw-r--r--roles/debian/tasks/sudo.yml18
-rw-r--r--roles/debian/tasks/systemd.yml32
-rw-r--r--roles/debian/tasks/timesyncd.yml25
-rw-r--r--roles/debian/tasks/timezone.yml6
-rw-r--r--roles/debian/tasks/tmpfs.yml10
-rw-r--r--roles/debian/templates/hosts.j211
-rw-r--r--roles/debian/templates/locale.gen.j23
-rw-r--r--roles/debian/templates/locale.j23
-rw-r--r--roles/debian/templates/sources.list.j28
22 files changed, 509 insertions, 0 deletions
diff --git a/roles/debian/defaults/main.yml b/roles/debian/defaults/main.yml
new file mode 100644
index 0000000..4ae8a53
--- /dev/null
+++ b/roles/debian/defaults/main.yml
@@ -0,0 +1,42 @@
+---
+use_tmpfs: true
+use_resolved: true
+use_networkd: true
+use_timesyncd: true
+
+locale:
+ generated: # must be sorted
+ - en_US.UTF-8 UTF-8
+ default:
+ LANG: 'en_US.UTF-8'
+
+systemd_conf: {}
+journald_conf: {}
+logind_conf: {}
+resolved_conf: {}
+timesyncd_conf: {}
+
+apt_repos:
+ base:
+ uri: 'https://deb.debian.org/debian'
+ suite: '{{ ansible_distribution_release }}'
+ security:
+ uri: 'https://deb.debian.org/debian-security'
+ suite: '{{ ansible_distribution_release }}/updates'
+ updates:
+ uri: 'https://deb.debian.org/debian'
+ suite: '{{ ansible_distribution_release }}-updates'
+ backports:
+ uri: 'https://deb.debian.org/debian'
+ suite: '{{ ansible_distribution_release }}-backports'
+
+apt_packages:
+ 'apt-transport-https': present
+ 'libpam-systemd': present
+ 'libnss-myhostname': present
+ 'vim': present
+ 'deborphan': present
+
+sudo_group: 'sudo'
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/debian/files/06norecommends b/roles/debian/files/06norecommends
new file mode 100644
index 0000000..a62feb1
--- /dev/null
+++ b/roles/debian/files/06norecommends
@@ -0,0 +1,2 @@
+APT::Install-Recommends "0";
+APT::Install-Suggests "0";
diff --git a/roles/debian/files/sudoers b/roles/debian/files/sudoers
new file mode 100644
index 0000000..07f33a5
--- /dev/null
+++ b/roles/debian/files/sudoers
@@ -0,0 +1,27 @@
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# Please consider adding local content in /etc/sudoers.d/ instead of
+# directly modifying this file.
+#
+# See the man page for details on how to write a sudoers file.
+#
+Defaults env_reset
+Defaults mail_badpass
+Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# User privilege specification
+root ALL=(ALL:ALL) ALL
+
+# Allow members of group sudo to execute any command
+%sudo ALL=(ALL:ALL) NOPASSWD: ALL
+
+# See sudoers(5) for more information on "#include" directives:
+
+#includedir /etc/sudoers.d
diff --git a/roles/debian/files/tmp.mount b/roles/debian/files/tmp.mount
new file mode 100644
index 0000000..25003f9
--- /dev/null
+++ b/roles/debian/files/tmp.mount
@@ -0,0 +1,15 @@
+[Unit]
+Description=Temporary Directory (/tmp)
+Documentation=man:hier(7)
+Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+ConditionPathIsSymbolicLink=!/tmp
+DefaultDependencies=no
+Conflicts=umount.target
+Before=local-fs.target umount.target
+After=swap.target
+
+[Mount]
+What=tmpfs
+Where=/tmp
+Type=tmpfs
+Options=mode=1777,strictatime,nosuid,nodev
diff --git a/roles/debian/handlers/main.yml b/roles/debian/handlers/main.yml
new file mode 100644
index 0000000..891fed9
--- /dev/null
+++ b/roles/debian/handlers/main.yml
@@ -0,0 +1,20 @@
+---
+- name: restart resolved
+ systemd:
+ name: systemd-resolved.service
+ state: restarted
+ when: not chroot
+
+- name: restart timesyncd
+ systemd:
+ name: systemd-timesyncd.service
+ state: restarted
+ when: not chroot
+
+- name: restart sshd
+ systemd:
+ name: ssh.service
+ state: restarted
+ when: not chroot
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/debian/tasks/apt.yml b/roles/debian/tasks/apt.yml
new file mode 100644
index 0000000..ff9a960
--- /dev/null
+++ b/roles/debian/tasks/apt.yml
@@ -0,0 +1,68 @@
+---
+- name: Don't install recommended packages
+ copy:
+ dest: '/etc/apt/apt.conf.d/06norecommends'
+ src: 06norecommends
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Don't start services by default
+ copy:
+ dest: '/usr/sbin/policy-rc.d'
+ content: "exit 101\n"
+ owner: root
+ group: root
+ mode: 0755
+
+- name: Remove packages
+ apt:
+ name: '{{ item }}'
+ state: absent
+ autoremove: yes
+ purge: yes
+ with_items: "{{ apt_packages|dictsort(true)|selectattr(1,'equalto','absent')|map(attribute=0)|list }}"
+ tags:
+ - packages
+
+- name: Configure /etc/apt/sources.list
+ template:
+ dest: '/etc/apt/sources.list'
+ src: sources.list.j2
+ owner: root
+ group: root
+ mode: 0644
+ when: apt_sources is defined
+
+- name: Download repository keys
+ apt_key:
+ url: "{{ apt_repos[item.key]['key_url'] }}"
+ id: "{{ apt_repos[item.key]['key_id'] }}"
+ state: present
+ with_dict: '{{ apt_sources }}'
+ when: apt_sources is defined and 'key_url' in apt_repos[item.key]
+
+- name: Update apt cache
+ apt:
+ update_cache: yes
+ tags:
+ - update
+ - packages
+
+- name: Upgrade all packages
+ apt:
+ name: '*'
+ state: latest
+ tags:
+ - upgrade
+ - packages
+
+- name: Install packages
+ apt:
+ name: '{{ item }}'
+ state: present
+ with_items: "{{ apt_packages|dictsort(true)|selectattr(1,'equalto','present')|map(attribute=0)|list }}"
+ tags:
+ - packages
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/debian/tasks/hostname.yml b/roles/debian/tasks/hostname.yml
new file mode 100644
index 0000000..6709c03
--- /dev/null
+++ b/roles/debian/tasks/hostname.yml
@@ -0,0 +1,15 @@
+---
+- name: Set hostname
+ hostname:
+ name: '{{ hostname }}'
+ when: not chroot
+- name: '- when in chroot'
+ copy:
+ dest: '/etc/hostname'
+ content: "{{ hostname }}\n"
+ owner: root
+ group: root
+ mode: 0644
+ when: chroot
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/debian/tasks/hosts.yml b/roles/debian/tasks/hosts.yml
new file mode 100644
index 0000000..46299d6
--- /dev/null
+++ b/roles/debian/tasks/hosts.yml
@@ -0,0 +1,10 @@
+---
+- name: Configure /etc/hosts
+ template:
+ dest: '/etc/hosts'
+ src: hosts.j2
+ owner: root
+ group: root
+ mode: 0644
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/debian/tasks/locale.yml b/roles/debian/tasks/locale.yml
new file mode 100644
index 0000000..72a0b65
--- /dev/null
+++ b/roles/debian/tasks/locale.yml
@@ -0,0 +1,41 @@
+---
+- name: Setting locales to be generated
+ debconf:
+ name: locales
+ question: locales/locales_to_be_generated
+ value: "{{ locale.generated|join(', ') }}"
+ vtype: multiselect
+ register: locale_generated
+
+- name: dpkg-reconfigure locales
+ block:
+ - template:
+ dest: '/etc/locale.gen'
+ src: locale.gen.j2
+ owner: root
+ group: root
+ mode: 0644
+ - debconf:
+ name: locales
+ question: locales/locales_to_be_generated
+ value: "{{ locale.generated|join(', ') }}"
+ vtype: multiselect
+ - command: dpkg-reconfigure -fnoninteractive locales
+ when: locale_generated is changed
+
+- name: Setting default locale
+ template:
+ dest: '/etc/default/locale'
+ src: locale.j2
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Update locales debconf
+ debconf:
+ name: locales
+ question: locales/default_environment_locale
+ value: '{{ locale.default.LANG }}'
+ vtype: select
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/debian/tasks/main.yml b/roles/debian/tasks/main.yml
new file mode 100644
index 0000000..71637c1
--- /dev/null
+++ b/roles/debian/tasks/main.yml
@@ -0,0 +1,31 @@
+---
+- import_tasks: apt.yml
+ tags: apt
+- import_tasks: tmpfs.yml
+ tags: tmpfs
+ when: use_tmpfs
+- import_tasks: hosts.yml
+ tags: hosts
+- import_tasks: timezone.yml
+ when: timezone is defined
+ tags: timezone
+- import_tasks: locale.yml
+ when: locale is defined
+ tags: locale
+- import_tasks: hostname.yml
+ when: hostname is defined
+ tags: hostname
+- import_tasks: systemd.yml
+ tags: systemd
+- import_tasks: resolved.yml
+ tags: resolved
+- import_tasks: networkd.yml
+ tags: networkd
+- import_tasks: timesyncd.yml
+ tags: timesyncd
+- import_tasks: sshd.yml
+ tags: sshd
+- import_tasks: sudo.yml
+ tags: sudo
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/debian/tasks/networkd.yml b/roles/debian/tasks/networkd.yml
new file mode 100644
index 0000000..4dac677
--- /dev/null
+++ b/roles/debian/tasks/networkd.yml
@@ -0,0 +1,27 @@
+---
+- name: Enable/disable systemd-networkd
+ systemd:
+ name: systemd-networkd.service
+ enabled: "{{ use_networkd|ternary('yes','no') }}"
+ masked: "{{ use_networkd|ternary('no',omit) }}"
+ # let the current network daemons run undisturbed until reboot
+ # aka. don't cut the pipe we're connected through
+ #state: "{{ use_networkd|ternary('started','stopped') }}"
+ when: not chroot
+- name: '- when in chroot'
+ command: "systemctl {{ use_networkd|ternary('enable','disable') }} systemd-networkd.service"
+ when: chroot
+
+- name: Mask Debian networking.service
+ systemd:
+ name: networking.service
+ enabled: no
+ masked: yes
+ when: use_networkd and not chroot
+- name: '- when in chroot'
+ block:
+ - command: systemctl disable networking.service
+ - command: systemctl mask networking.service
+ when: use_networkd and chroot
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/debian/tasks/resolved.yml b/roles/debian/tasks/resolved.yml
new file mode 100644
index 0000000..263f93d
--- /dev/null
+++ b/roles/debian/tasks/resolved.yml
@@ -0,0 +1,39 @@
+---
+- name: Configure systemd-resolved
+ ini_file:
+ path: '/etc/systemd/resolved.conf'
+ no_extra_spaces: yes
+ section: "{{ item.key.split('.',1)[0] }}"
+ option: "{{ item.key.split('.',1)[1] }}"
+ value: "{{ item.value|ternary(item.value,omit) }}"
+ state: "{{ item.value|ternary('present','absent') }}"
+ with_dict: '{{ resolved_conf }}'
+ when: use_resolved
+ notify: restart resolved
+
+- name: Enable/disable systemd-resolved
+ systemd:
+ name: systemd-resolved.service
+ enabled: "{{ use_resolved|ternary('yes','no') }}"
+ masked: no
+ state: "{{ use_resolved|ternary('started','stopped') }}"
+ when: not chroot
+- name: '- when in chroot'
+ command: 'systemctl {{ use_resolved|ternary("enable","disable") }} systemd-resolved.service'
+ when: chroot
+
+- name: Symlink /etc/resolv.conf
+ file:
+ path: '/etc/resolv.conf'
+ src: '/run/systemd/resolve/resolv.conf'
+ state: link
+ force: yes
+ when: use_resolved
+- name: Use myhostname and possibly resolved nss plugins
+ lineinfile:
+ path: /etc/nsswitch.conf
+ regexp: '^hosts:'
+ line: 'hosts: files resolve [!UNAVAIL=return] dns myhostname'
+ when: use_resolved
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/debian/tasks/sshd.yml b/roles/debian/tasks/sshd.yml
new file mode 100644
index 0000000..a0a2d96
--- /dev/null
+++ b/roles/debian/tasks/sshd.yml
@@ -0,0 +1,56 @@
+---
+- name: Install SSH server
+ apt:
+ name: openssh-server
+ state: present
+ tags:
+ - packages
+
+- name: Create private host keys
+ copy:
+ dest: '/etc/ssh/{{ item.key }}'
+ content: '{{ item.value.private }}'
+ owner: root
+ group: ssh_keys
+ mode: 0640
+ with_dict: '{{ ssh_host_keys }}'
+ loop_control:
+ label: '/etc/ssh/{{ item.key }}'
+ when: ssh_host_keys is defined
+
+- name: Create public host keys
+ copy:
+ dest: '/etc/ssh/{{ item.key }}.pub'
+ content: '{{ item.value.public }}'
+ owner: root
+ group: root
+ mode: 0644
+ with_dict: '{{ ssh_host_keys }}'
+ loop_control:
+ label: '/etc/ssh/{{ item.key }}.pub'
+ when: ssh_host_keys is defined
+
+- name: Configure SSH daemon
+ lineinfile:
+ path: '/etc/ssh/sshd_config'
+ regexp: '{{ item.regexp }}'
+ line: '{{ item.line }}'
+ with_items:
+ - regexp: '^[# ]*PasswordAuthentication'
+ line: 'PasswordAuthentication no'
+ - regexp: '^#*GSSAPIAuthentication'
+ line: 'GSSAPIAuthentication no'
+ notify: restart sshd
+
+- name: Enable SSH daemon
+ systemd:
+ name: ssh.service
+ enabled: yes
+ masked: no
+ state: started
+ when: not chroot
+- name: '- when in chroot'
+ command: systemctl enable ssh.service
+ when: chroot
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/debian/tasks/sudo.yml b/roles/debian/tasks/sudo.yml
new file mode 100644
index 0000000..e52e1f6
--- /dev/null
+++ b/roles/debian/tasks/sudo.yml
@@ -0,0 +1,18 @@
+---
+- name: Install sudo
+ apt:
+ name: sudo
+ state: present
+ tags:
+ - packages
+
+- name: Configure sudo
+ copy:
+ dest: '/etc/sudoers'
+ src: sudoers
+ owner: root
+ group: root
+ mode: 0440
+ validate: visudo -cf %s
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/debian/tasks/systemd.yml b/roles/debian/tasks/systemd.yml
new file mode 100644
index 0000000..56a5898
--- /dev/null
+++ b/roles/debian/tasks/systemd.yml
@@ -0,0 +1,32 @@
+---
+- name: Configure systemd system.conf
+ ini_file:
+ path: '/etc/systemd/system.conf'
+ no_extra_spaces: yes
+ section: "{{ item.key.split('.',1)[0] }}"
+ option: "{{ item.key.split('.',1)[1] }}"
+ value: "{{ item.value|ternary(item.value,omit) }}"
+ state: "{{ item.value|ternary('present','absent') }}"
+ with_dict: '{{ systemd_conf }}'
+
+- name: Configure journald.conf
+ ini_file:
+ path: '/etc/systemd/journald.conf'
+ no_extra_spaces: yes
+ section: "{{ item.key.split('.',1)[0] }}"
+ option: "{{ item.key.split('.',1)[1] }}"
+ value: "{{ item.value|ternary(item.value,omit) }}"
+ state: "{{ item.value|ternary('present','absent') }}"
+ with_dict: '{{ journald_conf }}'
+
+- name: Configure logind.conf
+ ini_file:
+ path: '/etc/systemd/logind.conf'
+ no_extra_spaces: yes
+ section: "{{ item.key.split('.',1)[0] }}"
+ option: "{{ item.key.split('.',1)[1] }}"
+ value: "{{ item.value|ternary(item.value,omit) }}"
+ state: "{{ item.value|ternary('present','absent') }}"
+ with_dict: '{{ logind_conf }}'
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/debian/tasks/timesyncd.yml b/roles/debian/tasks/timesyncd.yml
new file mode 100644
index 0000000..63949fc
--- /dev/null
+++ b/roles/debian/tasks/timesyncd.yml
@@ -0,0 +1,25 @@
+---
+- name: Configure systemd-timesyncd
+ ini_file:
+ path: '/etc/systemd/timesyncd.conf'
+ no_extra_spaces: yes
+ section: "{{ item.key.split('.',1)[0] }}"
+ option: "{{ item.key.split('.',1)[1] }}"
+ value: "{{ item.value|ternary(item.value,omit) }}"
+ state: "{{ item.value|ternary('present','absent') }}"
+ with_dict: '{{ timesyncd_conf }}'
+ when: use_timesyncd
+ notify: restart timesyncd
+
+- name: Enable systemd-timesyncd
+ systemd:
+ name: systemd-timesyncd.service
+ enabled: "{{ use_timesyncd|ternary('yes','no') }}"
+ masked: no
+ state: "{{ use_timesyncd|ternary('started','stopped') }}"
+ when: not chroot
+- name: '- when in chroot'
+ command: systemctl enable systemd-timesyncd.service
+ when: chroot
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/debian/tasks/timezone.yml b/roles/debian/tasks/timezone.yml
new file mode 100644
index 0000000..28f31eb
--- /dev/null
+++ b/roles/debian/tasks/timezone.yml
@@ -0,0 +1,6 @@
+---
+- name: Configure timezone
+ timezone:
+ name: '{{ timezone }}'
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/debian/tasks/tmpfs.yml b/roles/debian/tasks/tmpfs.yml
new file mode 100644
index 0000000..67b16c6
--- /dev/null
+++ b/roles/debian/tasks/tmpfs.yml
@@ -0,0 +1,10 @@
+---
+- name: Mount tmpfs on /tmp
+ copy:
+ dest: '/etc/systemd/system/tmp.mount'
+ src: tmp.mount
+ owner: root
+ group: root
+ mode: 0644
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/debian/templates/hosts.j2 b/roles/debian/templates/hosts.j2
new file mode 100644
index 0000000..bce5120
--- /dev/null
+++ b/roles/debian/templates/hosts.j2
@@ -0,0 +1,11 @@
+127.0.0.1 localhost
+
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+{% if hosts is defined %}
+
+{% for addr, names in hosts %}
+{{ addr }} {{ names|join(' ') }}
+{% endfor %}
+{% endif %}
diff --git a/roles/debian/templates/locale.gen.j2 b/roles/debian/templates/locale.gen.j2
new file mode 100644
index 0000000..2ab95c7
--- /dev/null
+++ b/roles/debian/templates/locale.gen.j2
@@ -0,0 +1,3 @@
+{% for locale in locale.generated %}
+{{ locale }}
+{% endfor %}
diff --git a/roles/debian/templates/locale.j2 b/roles/debian/templates/locale.j2
new file mode 100644
index 0000000..cad9883
--- /dev/null
+++ b/roles/debian/templates/locale.j2
@@ -0,0 +1,3 @@
+{% for key, value in locale.default|dictsort(true) %}
+{{ key }}={{ value }}
+{% endfor %}
diff --git a/roles/debian/templates/sources.list.j2 b/roles/debian/templates/sources.list.j2
new file mode 100644
index 0000000..b6c54c3
--- /dev/null
+++ b/roles/debian/templates/sources.list.j2
@@ -0,0 +1,8 @@
+{% for name, opts in apt_sources|dictsort(true) %}
+{% if opts is mapping %}
+deb {{ apt_repos[name]['uri'] }} {{ apt_repos[name].suite }} {{ opts.components|join(' ') }}
+{% if 'source' in opts and opts.source %}
+deb-src {{ apt_repos[name]['uri'] }} {{ apt_repos[name].suite }} {{ opts.components|join(' ') }}
+{% endif %}
+{% endif %}
+{% endfor %}