From d73f54e7e56f689fa3dc69e5a54f078c9680c337 Mon Sep 17 00:00:00 2001 
From: Emil Renner Berthing Date: Wed, 3 Oct 2018 15:31:49 +0200 Subject: debian: add basic Debian role --- roles/debian/defaults/main.yml | 42 +++++++++++++++++++++ roles/debian/files/06norecommends | 2 + roles/debian/files/sudoers | 27 ++++++++++++++ roles/debian/files/tmp.mount | 15 ++++++++ roles/debian/handlers/main.yml | 20 ++++++++++ roles/debian/tasks/apt.yml | 68 ++++++++++++++++++++++++++++++++++ roles/debian/tasks/hostname.yml | 15 ++++++++ roles/debian/tasks/hosts.yml | 10 +++++ roles/debian/tasks/locale.yml | 41 ++++++++++++++++++++ roles/debian/tasks/main.yml | 31 ++++++++++++++++ roles/debian/tasks/networkd.yml | 27 ++++++++++++++ roles/debian/tasks/resolved.yml | 39 +++++++++++++++++++ roles/debian/tasks/sshd.yml | 56 ++++++++++++++++++++++++++++ roles/debian/tasks/sudo.yml | 18 +++++++++ roles/debian/tasks/systemd.yml | 32 ++++++++++++++++ roles/debian/tasks/timesyncd.yml | 25 +++++++++++++ roles/debian/tasks/timezone.yml | 6 +++ roles/debian/tasks/tmpfs.yml | 10 +++++ roles/debian/templates/hosts.j2 | 11 ++++++ roles/debian/templates/locale.gen.j2 | 3 ++ roles/debian/templates/locale.j2 | 3 ++ roles/debian/templates/sources.list.j2 | 8 ++++ 22 files changed, 509 insertions(+) create mode 100644 roles/debian/defaults/main.yml create mode 100644 roles/debian/files/06norecommends create mode 100644 roles/debian/files/sudoers create mode 100644 roles/debian/files/tmp.mount create mode 100644 roles/debian/handlers/main.yml create mode 100644 roles/debian/tasks/apt.yml create mode 100644 roles/debian/tasks/hostname.yml create mode 100644 roles/debian/tasks/hosts.yml create mode 100644 roles/debian/tasks/locale.yml create mode 100644 roles/debian/tasks/main.yml create mode 100644 roles/debian/tasks/networkd.yml create mode 100644 roles/debian/tasks/resolved.yml create mode 100644 roles/debian/tasks/sshd.yml create mode 100644 roles/debian/tasks/sudo.yml create mode 100644 roles/debian/tasks/systemd.yml create mode 100644 roles/debian/tasks/timesyncd.yml 
create mode 100644 roles/debian/tasks/timezone.yml create mode 100644 roles/debian/tasks/tmpfs.yml create mode 100644 roles/debian/templates/hosts.j2 create mode 100644 roles/debian/templates/locale.gen.j2 create mode 100644 roles/debian/templates/locale.j2 create mode 100644 roles/debian/templates/sources.list.j2 (limited to 'roles/debian') diff --git a/roles/debian/defaults/main.yml b/roles/debian/defaults/main.yml new file mode 100644 index 0000000..4ae8a53 --- /dev/null +++ b/roles/debian/defaults/main.yml @@ -0,0 +1,42 @@ +--- +use_tmpfs: true +use_resolved: true +use_networkd: true +use_timesyncd: true + +locale: + generated: # must be sorted + - en_US.UTF-8 UTF-8 + default: + LANG: 'en_US.UTF-8' + +systemd_conf: {} +journald_conf: {} +logind_conf: {} +resolved_conf: {} +timesyncd_conf: {} + +apt_repos: + base: + uri: 'https://deb.debian.org/debian' + suite: '{{ ansible_distribution_release }}' + security: + uri: 'https://deb.debian.org/debian-security' + suite: '{{ ansible_distribution_release }}/updates' + updates: + uri: 'https://deb.debian.org/debian' + suite: '{{ ansible_distribution_release }}-updates' + backports: + uri: 'https://deb.debian.org/debian' + suite: '{{ ansible_distribution_release }}-backports' + +apt_packages: + 'apt-transport-https': present + 'libpam-systemd': present + 'libnss-myhostname': present + 'vim': present + 'deborphan': present + +sudo_group: 'sudo' + +# vim: set ts=2 sw=2 et: diff --git a/roles/debian/files/06norecommends b/roles/debian/files/06norecommends new file mode 100644 index 0000000..a62feb1 --- /dev/null +++ b/roles/debian/files/06norecommends @@ -0,0 +1,2 @@ +APT::Install-Recommends "0"; +APT::Install-Suggests "0"; diff --git a/roles/debian/files/sudoers b/roles/debian/files/sudoers new file mode 100644 index 0000000..07f33a5 --- /dev/null +++ b/roles/debian/files/sudoers 
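Review bot: Every task and handler in this role gates on `chroot` (`when: not chroot` / `when: chroot`), but roles/debian/defaults/main.yml does not declare it, so a play that never sets the variable fails with an undefined-variable error on the first such task instead of taking the non-chroot path. Add `chroot: false` next to the `use_*` switches with a one-line comment such as `# true when the target is a chroot with no running systemd; tasks then edit files instead of calling systemctl`. The same assumption appears in handlers/main.yml, hostname.yml, networkd.yml, resolved.yml, sshd.yml and timesyncd.yml.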
@@ -0,0 +1,27 @@ +# +# This file MUST be edited with the 'visudo' command as root. +# +# Please consider adding local content in /etc/sudoers.d/ instead of +# directly modifying this file. +# +# See the man page for details on how to write a sudoers file. +# +Defaults env_reset +Defaults mail_badpass +Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + +# Host alias specification + +# User alias specification + +# Cmnd alias specification + +# User privilege specification +root ALL=(ALL:ALL) ALL + +# Allow members of group sudo to execute any command +%sudo ALL=(ALL:ALL) NOPASSWD: ALL + +# See sudoers(5) for more information on "#include" directives: + +#includedir /etc/sudoers.d diff --git a/roles/debian/files/tmp.mount b/roles/debian/files/tmp.mount new file mode 100644 index 0000000..25003f9 --- /dev/null +++ b/roles/debian/files/tmp.mount @@ -0,0 +1,15 @@ +[Unit] +Description=Temporary Directory (/tmp) +Documentation=man:hier(7) +Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems +ConditionPathIsSymbolicLink=!/tmp +DefaultDependencies=no +Conflicts=umount.target +Before=local-fs.target umount.target +After=swap.target + +[Mount] +What=tmpfs +Where=/tmp +Type=tmpfs +Options=mode=1777,strictatime,nosuid,nodev diff --git a/roles/debian/handlers/main.yml b/roles/debian/handlers/main.yml new file mode 100644 index 0000000..891fed9 --- /dev/null +++ b/roles/debian/handlers/main.yml @@ -0,0 +1,20 @@ +--- +- name: restart resolved + systemd: + name: systemd-resolved.service + state: restarted + when: not chroot + +- name: restart timesyncd + systemd: + name: systemd-timesyncd.service + state: restarted + when: not chroot + +- name: restart sshd + systemd: + name: ssh.service + state: restarted + when: not chroot + +# vim: set ts=2 sw=2 et: diff --git a/roles/debian/tasks/apt.yml b/roles/debian/tasks/apt.yml new file mode 100644 index 0000000..ff9a960 --- /dev/null +++ b/roles/debian/tasks/apt.yml 
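Review bot: `%sudo ALL=(ALL:ALL) NOPASSWD: ALL` departs from the stock Debian sudoers, which asks for the member's own password, and nothing in the file says the change is deliberate; every account placed in `sudo` becomes root with no further authentication, and the `Defaults mail_badpass` line above then has nothing to report for that group. Add a comment above the line, e.g. `# Deliberately NOPASSWD (differs from Debian default): members of %sudo get root without re-authenticating`, or keep the stock line here and let hosts that really need it drop a file into /etc/sudoers.d through the `#includedir` at the bottom.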
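Review bot: The unit as copied has no `[Install]` section, and the task in roles/debian/tasks/tmpfs.yml only places the file under /etc/systemd/system without enabling it, so unless something outside this role pulls tmp.mount into local-fs.target, /tmp stays on the root filesystem after a reboot — worth confirming on a test host. If a tmpfs /tmp is the goal, append `[Install]` / `WantedBy=local-fs.target` to the unit and add an enable step in tmpfs.yml (a `systemd: name: tmp.mount, enabled: yes` task for the live case and `command: systemctl enable tmp.mount` under `when: chroot`, matching the pattern used in the other task files).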
@@ -0,0 +1,68 @@ +--- +- name: Don't install recommended packages + copy: + dest: '/etc/apt/apt.conf.d/06norecommends' + src: 06norecommends + owner: root + group: root + mode: 0644 + +- name: Don't start services by default + copy: + dest: '/usr/sbin/policy-rc.d' + content: "exit 101\n" + owner: root + group: root + mode: 0755 + +- name: Remove packages + apt: + name: '{{ item }}' + state: absent + autoremove: yes + purge: yes + with_items: "{{ apt_packages|dictsort(true)|selectattr(1,'equalto','absent')|map(attribute=0)|list }}" + tags: + - packages + +- name: Configure /etc/apt/sources.list + template: + dest: '/etc/apt/sources.list' + src: sources.list.j2 + owner: root + group: root + mode: 0644 + when: apt_sources is defined + +- name: Download repository keys + apt_key: + url: "{{ apt_repos[item.key]['key_url'] }}" + id: "{{ apt_repos[item.key]['key_id'] }}" + state: present + with_dict: '{{ apt_sources }}' + when: apt_sources is defined and 'key_url' in apt_repos[item.key] + +- name: Update apt cache + apt: + update_cache: yes + tags: + - update + - packages + +- name: Upgrade all packages + apt: + name: '*' + state: latest + tags: + - upgrade + - packages + +- name: Install packages + apt: + name: '{{ item }}' + state: present + with_items: "{{ apt_packages|dictsort(true)|selectattr(1,'equalto','present')|map(attribute=0)|list }}" + tags: + - packages + +# vim: set ts=2 sw=2 et: diff --git a/roles/debian/tasks/hostname.yml b/roles/debian/tasks/hostname.yml new file mode 100644 index 0000000..6709c03 --- /dev/null +++ b/roles/debian/tasks/hostname.yml @@ -0,0 +1,15 @@ +--- +- name: Set hostname + hostname: + name: '{{ hostname }}' + when: not chroot +- name: '- when in chroot' + copy: + dest: '/etc/hostname' + content: "{{ hostname }}\n" + owner: root + group: root + mode: 0644 + when: chroot + +# vim: set ts=2 sw=2 et: diff --git a/roles/debian/tasks/hosts.yml b/roles/debian/tasks/hosts.yml new file mode 100644 index 0000000..46299d6 --- /dev/null 
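Review bot: In "Download repository keys" the loop `with_dict: '{{ apt_sources }}'` is evaluated before the `when: apt_sources is defined and …` guard is applied per item, so on a host that does not set `apt_sources` the task errors on the undefined variable instead of being skipped; `with_dict: "{{ apt_sources | default({}) }}"` keeps the existing `'key_url' in …` condition working. Separately, "Don't start services by default" leaves `/usr/sbin/policy-rc.d` returning 101 for good, which also prevents services from starting on later package upgrades outside a chroot; if that is intended, say so in a comment, otherwise restrict the task with `when: chroot`.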
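Review bot: The second task is named `'- when in chroot'`, so play output shows a task literally called "- when in chroot" with no hint that it writes the hostname; the same naming is used in networkd.yml, resolved.yml, sshd.yml and timesyncd.yml. A name such as `name: Set hostname (chroot, write /etc/hostname directly)` keeps the pairing with the task above visible while still reading sensibly in the log.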
+++ b/roles/debian/tasks/hosts.yml @@ -0,0 +1,10 @@ +--- +- name: Configure /etc/hosts + template: + dest: '/etc/hosts' + src: hosts.j2 + owner: root + group: root + mode: 0644 + +# vim: set ts=2 sw=2 et: diff --git a/roles/debian/tasks/locale.yml b/roles/debian/tasks/locale.yml new file mode 100644 index 0000000..72a0b65 --- /dev/null +++ b/roles/debian/tasks/locale.yml @@ -0,0 +1,41 @@ +--- +- name: Setting locales to be generated + debconf: + name: locales + question: locales/locales_to_be_generated + value: "{{ locale.generated|join(', ') }}" + vtype: multiselect + register: locale_generated + +- name: dpkg-reconfigure locales + block: + - template: + dest: '/etc/locale.gen' + src: locale.gen.j2 + owner: root + group: root + mode: 0644 + - debconf: + name: locales + question: locales/locales_to_be_generated + value: "{{ locale.generated|join(', ') }}" + vtype: multiselect + - command: dpkg-reconfigure -fnoninteractive locales + when: locale_generated is changed + +- name: Setting default locale + template: + dest: '/etc/default/locale' + src: locale.j2 + owner: root + group: root + mode: 0644 + +- name: Update locales debconf + debconf: + name: locales + question: locales/default_environment_locale + value: '{{ locale.default.LANG }}' + vtype: select + +# vim: set ts=2 sw=2 et: diff --git a/roles/debian/tasks/main.yml b/roles/debian/tasks/main.yml new file mode 100644 index 0000000..71637c1 --- /dev/null +++ b/roles/debian/tasks/main.yml 
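Review bot: Inside the "dpkg-reconfigure locales" block the `debconf` task is an exact copy of "Setting locales to be generated", which already ran and registered `locale_generated`, so it is a guaranteed no-op and only makes the block longer; dropping it leaves the template step and the `command` step, which do the actual work. The `command: dpkg-reconfigure -fnoninteractive locales` task has no `changed_when`, which is acceptable here because the block only runs when the debconf answer changed — a short comment saying so, e.g. `# only reached when the debconf answer changed, so reporting "changed" is accurate`, would stop the next reader from adding one.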
@@ -0,0 +1,31 @@ +--- +- import_tasks: apt.yml + tags: apt +- import_tasks: tmpfs.yml + tags: tmpfs + when: use_tmpfs +- import_tasks: hosts.yml + tags: hosts +- import_tasks: timezone.yml + when: timezone is defined + tags: timezone +- import_tasks: locale.yml + when: locale is defined + tags: locale +- import_tasks: hostname.yml + when: hostname is defined + tags: hostname +- import_tasks: systemd.yml + tags: systemd +- import_tasks: resolved.yml + tags: resolved +- import_tasks: networkd.yml + tags: networkd +- import_tasks: timesyncd.yml + tags: timesyncd +- import_tasks: sshd.yml + tags: sshd +- import_tasks: sudo.yml + tags: sudo + +# vim: set ts=2 sw=2 et: diff --git a/roles/debian/tasks/networkd.yml b/roles/debian/tasks/networkd.yml new file mode 100644 index 0000000..4dac677 --- /dev/null +++ b/roles/debian/tasks/networkd.yml @@ -0,0 +1,27 @@ +--- +- name: Enable/disable systemd-networkd + systemd: + name: systemd-networkd.service + enabled: "{{ use_networkd|ternary('yes','no') }}" + masked: "{{ use_networkd|ternary('no',omit) }}" + # let the current network daemons run undisturbed until reboot + # aka. don't cut the pipe we're connected through + #state: "{{ use_networkd|ternary('started','stopped') }}" + when: not chroot +- name: '- when in chroot' + command: "systemctl {{ use_networkd|ternary('enable','disable') }} systemd-networkd.service" + when: chroot + +- name: Mask Debian networking.service + systemd: + name: networking.service + enabled: no + masked: yes + when: use_networkd and not chroot +- name: '- when in chroot' + block: + - command: systemctl disable networking.service + - command: systemctl mask networking.service + when: use_networkd and chroot + +# vim: set ts=2 sw=2 et: diff --git a/roles/debian/tasks/resolved.yml b/roles/debian/tasks/resolved.yml new file mode 100644 index 0000000..263f93d --- /dev/null +++ b/roles/debian/tasks/resolved.yml 
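Review bot: `when: locale is defined` on the locale.yml import can never be false, because defaults/main.yml in this commit always defines `locale`, so the guard suggests an opt-out that does not exist. Either drop it or document in defaults how callers are expected to disable locale handling (the `timezone` and `hostname` guards are fine as written, since neither variable has a default).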
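Review bot: With `use_networkd` true (the default), "Mask Debian networking.service" masks the ifupdown service while nothing in this role installs any `/etc/systemd/network/*.network` file, so after the next reboot the host only has connectivity if the playbook supplies that configuration elsewhere — a lockout-on-reboot risk that the commented-out `state:` line alludes to but does not spell out. Add a comment above the first task such as `# Callers must provide /etc/systemd/network/*.network before a use_networkd host reboots; networking.service is masked below`, or guard the mask task with an `assert` that at least one .network file exists.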
@@ -0,0 +1,39 @@ +--- +- name: Configure systemd-resolved + ini_file: + path: '/etc/systemd/resolved.conf' + no_extra_spaces: yes + section: "{{ item.key.split('.',1)[0] }}" + option: "{{ item.key.split('.',1)[1] }}" + value: "{{ item.value|ternary(item.value,omit) }}" + state: "{{ item.value|ternary('present','absent') }}" + with_dict: '{{ resolved_conf }}' + when: use_resolved + notify: restart resolved + +- name: Enable/disable systemd-resolved + systemd: + name: systemd-resolved.service + enabled: "{{ use_resolved|ternary('yes','no') }}" + masked: no + state: "{{ use_resolved|ternary('started','stopped') }}" + when: not chroot +- name: '- when in chroot' + command: 'systemctl {{ use_resolved|ternary("enable","disable") }} systemd-resolved.service' + when: chroot + +- name: Symlink /etc/resolv.conf + file: + path: '/etc/resolv.conf' + src: '/run/systemd/resolve/resolv.conf' + state: link + force: yes + when: use_resolved +- name: Use myhostname and possibly resolved nss plugins + lineinfile: + path: /etc/nsswitch.conf + regexp: '^hosts:' + line: 'hosts: files resolve [!UNAVAIL=return] dns myhostname' + when: use_resolved + +# vim: set ts=2 sw=2 et: diff --git a/roles/debian/tasks/sshd.yml b/roles/debian/tasks/sshd.yml new file mode 100644 index 0000000..a0a2d96 --- /dev/null +++ b/roles/debian/tasks/sshd.yml 
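Review bot: `value: "{{ item.value|ternary(item.value,omit) }}"` together with `state: "{{ item.value|ternary('present','absent') }}"` treats every falsy value as "remove the option", so a caller writing `resolved_conf: {'Resolve.LLMNR': no}` in YAML (an unquoted `no` is boolean false) deletes `LLMNR=` instead of writing `LLMNR=no`; the same pattern is in systemd.yml and timesyncd.yml. Document the contract in defaults/main.yml next to the empty dicts, e.g. `# 'Section.Key': value — a false/empty value removes the key; quote 'no'/'0' to set them`, or test `item.value is none` instead so only null means "absent". A key without a dot also fails on `split('.',1)[1]` with an index error, which the same comment could mention.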
@@ -0,0 +1,56 @@ +--- +- name: Install SSH server + apt: + name: openssh-server + state: present + tags: + - packages + +- name: Create private host keys + copy: + dest: '/etc/ssh/{{ item.key }}' + content: '{{ item.value.private }}' + owner: root + group: ssh_keys + mode: 0640 + with_dict: '{{ ssh_host_keys }}' + loop_control: + label: '/etc/ssh/{{ item.key }}' + when: ssh_host_keys is defined + +- name: Create public host keys + copy: + dest: '/etc/ssh/{{ item.key }}.pub' + content: '{{ item.value.public }}' + owner: root + group: root + mode: 0644 + with_dict: '{{ ssh_host_keys }}' + loop_control: + label: '/etc/ssh/{{ item.key }}.pub' + when: ssh_host_keys is defined + +- name: Configure SSH daemon + lineinfile: + path: '/etc/ssh/sshd_config' + regexp: '{{ item.regexp }}' + line: '{{ item.line }}' + with_items: + - regexp: '^[# ]*PasswordAuthentication' + line: 'PasswordAuthentication no' + - regexp: '^#*GSSAPIAuthentication' + line: 'GSSAPIAuthentication no' + notify: restart sshd + +- name: Enable SSH daemon + systemd: + name: ssh.service + enabled: yes + masked: no + state: started + when: not chroot +- name: '- when in chroot' + command: systemctl enable ssh.service + when: chroot + +# vim: set ts=2 sw=2 et: diff --git a/roles/debian/tasks/sudo.yml b/roles/debian/tasks/sudo.yml new file mode 100644 index 0000000..e52e1f6 --- /dev/null +++ b/roles/debian/tasks/sudo.yml @@ -0,0 +1,18 @@ +--- +- name: Install sudo + apt: + name: sudo + state: present + tags: + - packages + +- name: Configure sudo + copy: + dest: '/etc/sudoers' + src: sudoers + owner: root + group: root + mode: 0440 + validate: visudo -cf %s + +# vim: set ts=2 sw=2 et: diff --git a/roles/debian/tasks/systemd.yml b/roles/debian/tasks/systemd.yml new file mode 100644 index 0000000..56a5898 --- /dev/null +++ b/roles/debian/tasks/systemd.yml 
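Review bot: `group: ssh_keys` in "Create private host keys" will make the copy fail on a stock Debian install, where openssh-server creates no such group and host keys are root:root 0600 — unless the playbook creates that group elsewhere, `group: root` and `mode: 0600` match the distribution layout. Neither host-key task has `notify: restart sshd`, so a replaced key is written to disk but a running daemon keeps serving the old one until something else restarts it. Since `--diff` or verbose runs can print the `content` of the private-key task, add `no_log: true` to it alongside the existing `loop_control.label`. Nothing in this role installs an authorized key, so the playbook must deploy one before `PasswordAuthentication no` takes effect or remote access is lost on the restart.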
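Review bot: defaults/main.yml declares `sudo_group: 'sudo'`, but "Configure sudo" copies the static files/sudoers whose `%sudo ALL=(ALL:ALL) NOPASSWD: ALL` hard-codes the group, so the variable has no effect anywhere in this commit. Either drop it or make the file a template (`template:` with `src: sudoers.j2`) containing `%{{ sudo_group }} ALL=(ALL:ALL) NOPASSWD: ALL`; the existing `validate: visudo -cf %s` works unchanged with the template module.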
@@ -0,0 +1,32 @@ +--- +- name: Configure systemd system.conf + ini_file: + path: '/etc/systemd/system.conf' + no_extra_spaces: yes + section: "{{ item.key.split('.',1)[0] }}" + option: "{{ item.key.split('.',1)[1] }}" + value: "{{ item.value|ternary(item.value,omit) }}" + state: "{{ item.value|ternary('present','absent') }}" + with_dict: '{{ systemd_conf }}' + +- name: Configure journald.conf + ini_file: + path: '/etc/systemd/journald.conf' + no_extra_spaces: yes + section: "{{ item.key.split('.',1)[0] }}" + option: "{{ item.key.split('.',1)[1] }}" + value: "{{ item.value|ternary(item.value,omit) }}" + state: "{{ item.value|ternary('present','absent') }}" + with_dict: '{{ journald_conf }}' + +- name: Configure logind.conf + ini_file: + path: '/etc/systemd/logind.conf' + no_extra_spaces: yes + section: "{{ item.key.split('.',1)[0] }}" + option: "{{ item.key.split('.',1)[1] }}" + value: "{{ item.value|ternary(item.value,omit) }}" + state: "{{ item.value|ternary('present','absent') }}" + with_dict: '{{ logind_conf }}' + +# vim: set ts=2 sw=2 et: diff --git a/roles/debian/tasks/timesyncd.yml b/roles/debian/tasks/timesyncd.yml new file mode 100644 index 0000000..63949fc --- /dev/null +++ b/roles/debian/tasks/timesyncd.yml 
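Review bot: None of the three ini_file tasks notifies a handler, while the parallel tasks in resolved.yml and timesyncd.yml do, so an edit to journald.conf or logind.conf lands on disk but the running systemd-journald / systemd-logind keep their old settings until something else restarts them. Add `restart journald` / `restart logind` handlers in handlers/main.yml mirroring `restart resolved` (same `when: not chroot`) and `notify:` them from the respective tasks; for system.conf the usual follow-up is a daemon-reexec, so if that is intentionally left to the operator a comment on the first task saying so is enough.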
@@ -0,0 +1,25 @@ +--- +- name: Configure systemd-timesyncd + ini_file: + path: '/etc/systemd/timesyncd.conf' + no_extra_spaces: yes + section: "{{ item.key.split('.',1)[0] }}" + option: "{{ item.key.split('.',1)[1] }}" + value: "{{ item.value|ternary(item.value,omit) }}" + state: "{{ item.value|ternary('present','absent') }}" + with_dict: '{{ timesyncd_conf }}' + when: use_timesyncd + notify: restart timesyncd + +- name: Enable systemd-timesyncd + systemd: + name: systemd-timesyncd.service + enabled: "{{ use_timesyncd|ternary('yes','no') }}" + masked: no + state: "{{ use_timesyncd|ternary('started','stopped') }}" + when: not chroot +- name: '- when in chroot' + command: systemctl enable systemd-timesyncd.service + when: chroot + +# vim: set ts=2 sw=2 et: diff --git a/roles/debian/tasks/timezone.yml b/roles/debian/tasks/timezone.yml new file mode 100644 index 0000000..28f31eb --- /dev/null +++ b/roles/debian/tasks/timezone.yml @@ -0,0 +1,6 @@ +--- +- name: Configure timezone + timezone: + name: '{{ timezone }}' + +# vim: set ts=2 sw=2 et: diff --git a/roles/debian/tasks/tmpfs.yml b/roles/debian/tasks/tmpfs.yml new file mode 100644 index 0000000..67b16c6 --- /dev/null +++ b/roles/debian/tasks/tmpfs.yml @@ -0,0 +1,10 @@ +--- +- name: Mount tmpfs on /tmp + copy: + dest: '/etc/systemd/system/tmp.mount' + src: tmp.mount + owner: root + group: root + mode: 0644 + +# vim: set ts=2 sw=2 et: diff --git a/roles/debian/templates/hosts.j2 b/roles/debian/templates/hosts.j2 new file mode 100644 index 0000000..bce5120 --- /dev/null +++ b/roles/debian/templates/hosts.j2 @@ -0,0 +1,11 @@ +127.0.0.1 localhost + +::1 localhost ip6-localhost ip6-loopback +ff02::1 ip6-allnodes +ff02::2 ip6-allrouters +{% if hosts is defined %} + +{% for addr, names in hosts %} +{{ addr }} {{ names|join(' ') }} +{% endfor %} +{% endif %} diff --git a/roles/debian/templates/locale.gen.j2 b/roles/debian/templates/locale.gen.j2 new file mode 100644 index 0000000..2ab95c7 --- /dev/null 
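Review bot: The chroot branch unconditionally runs `command: systemctl enable systemd-timesyncd.service`, whereas the non-chroot task above honours `use_timesyncd` and the equivalent chroot tasks in networkd.yml and resolved.yml use a ternary; with `use_timesyncd: false` a chroot-built image therefore boots with timesyncd enabled anyway. Use `command: "systemctl {{ use_timesyncd|ternary('enable','disable') }} systemd-timesyncd.service"` to match the others.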
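Review bot: `{% for addr, names in hosts %}` only unpacks correctly when `hosts` is a sequence of (address, names) pairs; if a caller supplies the more natural mapping from address to names, iterating a dict yields keys and the unpack fails at render time, and the expected shape is declared nowhere in defaults/main.yml. Either document it with a commented-out example `hosts:` entry in defaults, or accept both forms with `{% for addr, names in (hosts.items() if hosts is mapping else hosts) %}`.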
+++ b/roles/debian/templates/locale.gen.j2 @@ -0,0 +1,3 @@ +{% for locale in locale.generated %} +{{ locale }} +{% endfor %} diff --git a/roles/debian/templates/locale.j2 b/roles/debian/templates/locale.j2 new file mode 100644 index 0000000..cad9883 --- /dev/null +++ b/roles/debian/templates/locale.j2 @@ -0,0 +1,3 @@ +{% for key, value in locale.default|dictsort(true) %} +{{ key }}={{ value }} +{% endfor %} diff --git a/roles/debian/templates/sources.list.j2 b/roles/debian/templates/sources.list.j2 new file mode 100644 index 0000000..b6c54c3 --- /dev/null +++ b/roles/debian/templates/sources.list.j2 @@ -0,0 +1,8 @@ +{% for name, opts in apt_sources|dictsort(true) %} +{% if opts is mapping %} +deb {{ apt_repos[name]['uri'] }} {{ apt_repos[name].suite }} {{ opts.components|join(' ') }} +{% if 'source' in opts and opts.source %} +deb-src {{ apt_repos[name]['uri'] }} {{ apt_repos[name].suite }} {{ opts.components|join(' ') }} +{% endif %} +{% endif %} +{% endfor %} -- cgit v1.2.1
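Review bot: `{% for locale in locale.generated %}` reuses the name of the `locale` variable it iterates over as the loop variable; Jinja evaluates `locale.generated` before binding so it renders correctly today, but it reads as if the loop consumes its own source and breaks as soon as someone references `locale.default` inside the loop. Rename the loop variable, e.g. `{% for entry in locale.generated %}` with `{{ entry }}`.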
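Review bot: `{% if opts is mapping %}` silently drops any `apt_sources` entry whose value is not a mapping, so a slip such as `backports: yes` (meaning "enable with default components") produces no sources.list line and no error, and the missing repository only surfaces later as an unsatisfiable package. Likewise `apt_repos[name]` on a name that is not in `apt_repos` fails with an unhelpful undefined-key error. A comment in defaults/main.yml above `apt_repos`, stating that `apt_sources` keys must match `apt_repos` keys and each value must be a mapping with `components` (and an optional `source` flag), plus an `assert` in apt.yml before the template task, would make both failure modes visible at the right place.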