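---
# Baseline setup for a Debian bullseye host: grub timeout, sshd hardening,
# apt sources + unattended security upgrades, NTP, and a 1.5 GiB swapfile.
# Every task writes under /etc, /boot or /, so the play must run with
# root privileges (no `become` is set here; the caller is expected to supply it).
- hosts: all
  tasks:
    # --- boot -------------------------------------------------------------
    - name: reduce grub timeout when booting
      register: grub
      lineinfile:
        path: /etc/default/grub
        regexp: "^GRUB_TIMEOUT="
        line: "GRUB_TIMEOUT=1"

    - name: update grub bootloader
      when: grub.changed
      # No pipes, globs or variables are used, so `command` is enough and
      # avoids spawning /bin/sh for the call.
      command: /usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg

    # --- ssh --------------------------------------------------------------
    # Drops the execute bit so the dynamic-motd hook no longer prints uname.
    - name: disable sshd banner
      register: sshd_banner
      file:
        dest: /etc/update-motd.d/10-uname
        mode: a-x

    - name: disable sshd motd
      register: sshd_motd
      copy:
        content: ""
        dest: /etc/motd

    # Key-only logins: both password and challenge-response auth are off;
    # UsePAM stays on for account/session handling only.
    # `Include` is the first line, so any drop-in under sshd_config.d/ wins:
    # sshd keeps the first value it reads for each keyword.
    # PermitRootLogin is not set and therefore stays at the daemon default;
    # set it explicitly if root login must be disabled outright.
    # `validate` runs the new file through `sshd -T` before it replaces the
    # live config, so a typo cannot lock out the next session.
    - name: configure sshd_config
      register: sshd_config
      copy:
        dest: /etc/ssh/sshd_config
        validate: /usr/sbin/sshd -T -f %s
        content: |
          Include /etc/ssh/sshd_config.d/*.conf
          ChallengeResponseAuthentication no
          UsePAM yes
          X11Forwarding no
          PrintMotd no
          AcceptEnv LANG LC_*
          Subsystem sftp /usr/lib/openssh/sftp-server
          PasswordAuthentication no
          PrintLastLog no

    - name: restart sshd
      when: sshd_banner.changed or sshd_motd.changed or sshd_config.changed
      service:
        name: ssh
        state: restarted

    # --- apt --------------------------------------------------------------
    - name: remove hetzner apt repositories
      file:
        path: "{{ item }}"
        state: absent
      loop:
        - /etc/apt/sources.list.d/hetzner-mirror.list
        - /etc/apt/sources.list.d/hetzner-security-updates.list

    # Official mirrors only (main component, no contrib/non-free).
    # Block scalar keeps the file content identical to the previous
    # escaped one-liner, including the missing trailing newline (`|-`).
    - name: setup apt main apt repositories
      copy:
        dest: /etc/apt/sources.list
        content: |-
          deb http://deb.debian.org/debian/ bullseye main
          deb http://deb.debian.org/debian/ bullseye-updates main
          deb http://security.debian.org/debian-security bullseye-security main

    - name: update packages
      apt:
        name: "*"
        state: latest
        update_cache: true

    - name: uninstall cryptsetup
      apt:
        name: cryptsetup
        state: absent
        autoremove: true
        purge: true

    - name: install ansible dependencies and base packages
      apt:
        name:
          - sudo
          - zip
          - unzip
          - man
          - curl
          - wget
          - gnupg
          - htop
          - net-tools
          - python3-apt
          - apt-transport-https
          - open-vm-tools
          - unattended-upgrades
        state: present

    # Only the bullseye-security origin is auto-applied; regular updates
    # still require the "update packages" task above (or a manual run).
    # The blacklist is intentionally empty.
    - name: configure unattended upgrades
      copy:
        dest: /etc/apt/apt.conf.d/50unattended-upgrades
        content: |-
          Unattended-Upgrade::Origins-Pattern {
            "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
          };
          Unattended-Upgrade::Package-Blacklist {
          };

    # Daily list refresh, download and upgrade; autoclean every 7 days.
    - name: enable unattended upgrades
      copy:
        dest: /etc/apt/apt.conf.d/02periodic
        content: |-
          APT::Periodic::Enable "1";
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Download-Upgradeable-Packages "1";
          APT::Periodic::Unattended-Upgrade "1";
          APT::Periodic::AutocleanInterval "7";

    # --- time -------------------------------------------------------------
    - name: set ntp server
      register: ntp_server
      copy:
        dest: /etc/systemd/timesyncd.conf
        content: |-
          [Time]
          NTP=time.google.com

    - name: restart systemd-timesyncd
      when: ntp_server.changed
      service:
        name: systemd-timesyncd
        state: restarted
        enabled: true

    # --- swap -------------------------------------------------------------
    - name: check if swapfile is created
      stat:
        path: /swapfile
      register: swap

    - name: create swapfile
      command: fallocate -l 1536M /swapfile
      when: not swap.stat.exists

    # Enforced on every run, not only at creation, so a pre-existing swapfile
    # with loose permissions is corrected too (swap must not be world-readable).
    # The mode is quoted: a bare 0600 is read as the octal integer 384 by
    # YAML 1.1 parsers, which is not the intended permission.
    - name: set permissions for swapfile
      file:
        dest: /swapfile
        mode: "0600"

    - name: setup swapfile partition
      command: mkswap /swapfile
      when: not swap.stat.exists

    - name: enable swapfile
      command: swapon /swapfile
      when: not swap.stat.exists

    # `nofail` keeps boot going if the swapfile is missing.
    - name: add swapfile to /etc/fstab
      mount:
        src: /swapfile
        name: "none"
        fstype: "swap"
        opts: "sw,nofail"
        dump: "0"
        passno: "0"
        state: present
      when: not swap.stat.exists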