authorChristian Pointner <equinox@spreadspace.org>2020-05-31 23:12:36 +0200
committerChristian Pointner <equinox@spreadspace.org>2020-05-31 23:12:36 +0200
commit3a2319c9c58886a7938deabafc66ad4bc128c9f8 (patch)
tree222b41b5b49633b9156c070df830d5c73617edd7 /roles/core/base
parentchaos-at-home: deploy apt-repo/base to some more hosts (diff)
move core roles to subdir
Diffstat (limited to 'roles/core/base')
-rw-r--r--roles/core/base/defaults/main.yml36
-rw-r--r--roles/core/base/files/02no-recommends2
-rw-r--r--roles/core/base/handlers/main.yml3
-rw-r--r--roles/core/base/tasks/Debian.yml116
-rw-r--r--roles/core/base/tasks/OpenBSD.yml14
-rw-r--r--roles/core/base/tasks/intel-nic.yml23
-rw-r--r--roles/core/base/tasks/main.yml38
-rw-r--r--roles/core/base/vars/Debian.yml2
-rw-r--r--roles/core/base/vars/Ubuntu.yml2
-rw-r--r--roles/core/base/vars/main.yml50
10 files changed, 286 insertions, 0 deletions
diff --git a/roles/core/base/defaults/main.yml b/roles/core/base/defaults/main.yml
new file mode 100644
index 00000000..c4b0d42c
--- /dev/null
+++ b/roles/core/base/defaults/main.yml
@@ -0,0 +1,36 @@
+---
+base_entropy_generator: haveged
+
+base_sysctl_config_user: {}
+
+base_modules_blacklist_:
+ net:
+ - dccp
+ - sctp
+ - rds
+ - tipc
+ fs:
+ - cramfs
+ - freevxfs
+ - hfs
+ - hfsplus
+ - jffs2
+ sound:
+ - soundcore
+ - usb-midi
+ misc:
+ - bluetooth
+ - firewire-core
+ - n_hdlc
+ - net-pf-31
+ - thunderbolt
+
+base_modules_blacklist_full: "{{ base_modules_blacklist_ | list }}"
+base_modules_blacklist_all_but_sound: "{{ base_modules_blacklist_ | difference(['sound']) | list }}"
+base_modules_blacklist_none: []
+base_modules_blacklist: "{{ base_modules_blacklist_full }}"
+
+base_packages_extra_host: []
+base_packages_extra_group: []
+
+base_intel_nic_stability_fix: false
diff --git a/roles/core/base/files/02no-recommends b/roles/core/base/files/02no-recommends
new file mode 100644
index 00000000..a2fba330
--- /dev/null
+++ b/roles/core/base/files/02no-recommends
@@ -0,0 +1,2 @@
+APT::Install-Recommends "false";
+APT::Install-Suggests "false";
diff --git a/roles/core/base/handlers/main.yml b/roles/core/base/handlers/main.yml
new file mode 100644
index 00000000..a23868cf
--- /dev/null
+++ b/roles/core/base/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: update grub
+ command: update-grub
diff --git a/roles/core/base/tasks/Debian.yml b/roles/core/base/tasks/Debian.yml
new file mode 100644
index 00000000..13c3c9f9
--- /dev/null
+++ b/roles/core/base/tasks/Debian.yml
@@ -0,0 +1,116 @@
+---
+- name: load distrubtion specific variables
+ include_vars: "{{ item }}"
+ with_first_found:
+ - files:
+ - "{{ ansible_distribution_release }}.yml"
+ - "{{ ansible_distribution }}.yml"
+ skip: true
+
+- name: disable recommends and suggests
+ copy:
+ src: 02no-recommends
+ dest: /etc/apt/apt.conf.d/
+
+- name: install base system tools
+ apt:
+ name:
+ - htop
+ - dstat
+ - lsof
+ - gawk
+ - psmisc
+ - less
+ - debian-goodies
+ - screen
+ - mtr-tiny
+ - tcpdump
+ - iptraf-ng
+ - unp
+ - dbus
+ - libpam-systemd
+ - aptitude
+ - ca-certificates
+ - file
+ - man-db
+ - manpages
+ - nano
+ state: present
+
+- name: install extra packages
+ apt:
+ name: "{{ base_packages_extra_host | union(base_packages_extra_group) }}"
+ state: present
+
+- name: install rngd
+ when: base_entropy_generator == 'rngd'
+ block:
+ - name: install rngd
+ apt:
+ name: "{{ base_rngd_package_name }}"
+ state: present
+
+ - name: make sure haveged is removed/purged
+ apt:
+ name: haveged
+ state: absent
+ purge: yes
+
+
+- name: install haveged
+ when: base_entropy_generator == 'haveged'
+ block:
+ - name: install haveged
+ apt:
+ name: haveged
+ state: present
+
+ - name: make sure rngd is removed/purged
+ apt:
+ name: "{{ base_rngd_package_name }}"
+ state: absent
+ purge: yes
+
+
+- name: Ensure /root is not world accessible
+ file:
+ path: /root
+ mode: 0700
+ owner: root
+ group: root
+ state: directory
+
+- name: disable net/fs/misc kernel modules
+ copy:
+ content: |
+ {% for item in (base_modules_blacklist | map('extract', base_modules_blacklist_) | flatten | sort | list) %}
+ install {{ item }} /bin/true
+ {% endfor %}
+ dest: /etc/modprobe.d/disablemod.conf
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Change various sysctl-settings, look at the sysctl-vars file for documentation
+ loop: "{{ base_sysctl_config | combine(base_sysctl_config_user) | dict2items }}"
+ loop_control:
+ label: "{{ item.key }} = {{ item.value }}"
+ sysctl:
+ name: "{{ item.key }}"
+ value: "{{ item.value }}"
+ sysctl_set: yes
+ state: present
+ reload: yes
+ ignoreerrors: yes
+
+- name: set kernel command line options
+ lineinfile:
+ path: /etc/default/grub
+ regexp: '^#?GRUB_CMDLINE_LINUX='
+ line: 'GRUB_CMDLINE_LINUX="{{ install.kernel_cmdline | join(" ") }}"'
+ when: install is defined and install.kernel_cmdline is defined
+ notify: update grub
+
+- name: apply stability fix/workaround for machines using intel NIC
+ when: base_intel_nic_stability_fix
+ import_tasks: intel-nic.yml
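Review bot: `ignoreerrors: yes` on the `Change various sysctl-settings` task lets a misspelled or unsupported key pass silently — if the module maps this to `sysctl -e`, as I believe it does, a hardening value that never gets applied produces no failure at all. Consider dropping it, or keeping it only for the `net.ipv6.*` keys on hosts that boot with IPv6 disabled, with a comment such as `# ignoreerrors: only needed where net.ipv6.* keys are absent`. The `install {{ item }} /bin/true` lines written to `/etc/modprobe.d/disablemod.conf` prevent future modprobe loads but do not unload modules already resident, so the task is only effective after a reboot or explicit unload; a comment stating this would avoid a false sense of coverage, and newer hardening guides pair each `install` line with a `blacklist` line and use `/bin/false` so that modprobe reports the refusal. Style: `purge: yes`, `sysctl_set: yes` and `reload: yes` should be `true`, and `mode: 0700` / `mode: 0644` are safer quoted (`mode: "0700"`) so a later edit that drops the leading zero does not silently become a decimal mode.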
diff --git a/roles/core/base/tasks/OpenBSD.yml b/roles/core/base/tasks/OpenBSD.yml
new file mode 100644
index 00000000..4b64105c
--- /dev/null
+++ b/roles/core/base/tasks/OpenBSD.yml
@@ -0,0 +1,14 @@
+---
+- name: install base system tools
+ openbsd_pkg:
+ name:
+ - htop
+ - screen--
+ - mtr--
+ - nano
+ state: present
+
+- name: install extra packages
+ openbsd_pkg:
+ name: "{{ base_packages_extra_host | union(base_packages_extra_group) }}"
+ state: present
diff --git a/roles/core/base/tasks/intel-nic.yml b/roles/core/base/tasks/intel-nic.yml
new file mode 100644
index 00000000..2b9be474
--- /dev/null
+++ b/roles/core/base/tasks/intel-nic.yml
@@ -0,0 +1,23 @@
+---
+- name: fetch default link options for network interfaces
+ slurp:
+ src: /usr/lib/systemd/network/99-default.link
+ register: base_systemd_default_link_unit
+
+- name: disable TSO (intel nic stability fix)
+ vars:
+ default_link_options: "{{ (base_systemd_default_link_unit.content | b64decode | from_ini)['Link'] }}"
+ copy:
+ content: |
+ [Match]
+ MACAddress={{ ansible_default_ipv4.macaddress }}
+
+ [Link]
+ {% for name, value in default_link_options.items() | sort(attribute='0') %}
+ {{ name }}={{ value }}
+ {% endfor %}
+
+ TCPSegmentationOffload=false
+ GenericSegmentationOffload=false
+ GenericReceiveOffload=false
+ dest: /etc/systemd/network/00-disable-offloading.link
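Review bot: The generated `/etc/systemd/network/00-disable-offloading.link` is written but nothing re-applies it — systemd `.link` files are processed by udev when the interface is (re)added, so the offload settings take effect only after a reboot or a udev re-trigger; a handler notified from the copy task, or at least a comment `# takes effect at next boot / udev trigger`, would make this explicit. `from_ini` is not a filter I know of in Ansible core of this era, so I assume it is a project-local filter plugin; a comment naming where it lives would help the next reader. The task also assumes `ansible_default_ipv4.macaddress` and `/usr/lib/systemd/network/99-default.link` exist; a `when: ansible_default_ipv4.macaddress is defined` guard would give a clearer failure than an undefined-variable error. The copy sets no `owner`/`group`/`mode`, unlike the modprobe copy in Debian.yml; matching them would be consistent.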
diff --git a/roles/core/base/tasks/main.yml b/roles/core/base/tasks/main.yml
new file mode 100644
index 00000000..5484a3a6
--- /dev/null
+++ b/roles/core/base/tasks/main.yml
@@ -0,0 +1,38 @@
+---
+- name: load os/distrubtion/version specific tasks
+ vars:
+ params:
+ files:
+ - "{{ ansible_distribution_release }}.yml"
+ - "{{ ansible_distribution }}.yml"
+ - "{{ ansible_os_family }}.yml"
+ loop: "{{ q('first_found', params) }}"
+ loop_control:
+ loop_var: tasks_file
+ include_tasks: "{{ tasks_file }}"
+
+- name: Remove startup message from screen
+ lineinfile:
+ regexp: "^startup_message"
+ line: "startup_message off"
+ dest: /etc/screenrc
+ mode: 0644
+ tags:
+ - screen
+
+- name: install htop config (1/2)
+ loop:
+ - /root
+ - /etc/skel
+ file:
+ name: "{{ item }}/.config/htop/"
+ state: directory
+ mode: 0700
+
+- name: install htop config (2/2)
+ loop:
+ - /root
+ - /etc/skel
+ copy:
+ src: "{{ global_files_dir }}/common/htoprc"
+ dest: "{{ item }}/.config/htop/"
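Review bot: The `lineinfile` task on `/etc/screenrc` has no `create:` option, so on a host where the screen package does not ship that file the task fails instead of writing it; if that is intended (screen is installed by the OS-specific tasks included just above) a comment `# /etc/screenrc is shipped by the screen package installed by the OS tasks` would say so, otherwise add `create: true`. `dest:` on lineinfile is the deprecated alias of `path:`. `mode: 0644` and `mode: 0700` are safer quoted (`mode: "0644"`), and the task name `load os/distrubtion/version specific tasks` has a typo (`distribution`) that also appears in the first task of Debian.yml.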
diff --git a/roles/core/base/vars/Debian.yml b/roles/core/base/vars/Debian.yml
new file mode 100644
index 00000000..96baf89b
--- /dev/null
+++ b/roles/core/base/vars/Debian.yml
@@ -0,0 +1,2 @@
+---
+base_rngd_package_name: rng-tools5
diff --git a/roles/core/base/vars/Ubuntu.yml b/roles/core/base/vars/Ubuntu.yml
new file mode 100644
index 00000000..eb2591da
--- /dev/null
+++ b/roles/core/base/vars/Ubuntu.yml
@@ -0,0 +1,2 @@
+---
+base_rngd_package_name: rng-tools
diff --git a/roles/core/base/vars/main.yml b/roles/core/base/vars/main.yml
new file mode 100644
index 00000000..9940d7a6
--- /dev/null
+++ b/roles/core/base/vars/main.yml
@@ -0,0 +1,50 @@
+# SYSTEM CONFIGURATION
+# ====================
+# These are not meant to be modified by the user
+
+#
+# To adjust these settings use base_sysctl_config_user dict
+#
+base_sysctl_config:
+
+ # Enable RFC-recommended source validation feature.
+ net.ipv4.conf.all.rp_filter: 1
+ net.ipv4.conf.default.rp_filter: 1
+
+ # Log packets with impossible addresses to kernel log? yes
+ net.ipv4.conf.all.log_martians: 1
+ net.ipv4.conf.default.log_martians: 1
+
+ # Reduce the surface on SMURF attacks.
+ # Make sure to ignore ECHO broadcasts, which are only required in broad network analysis.
+ net.ipv4.icmp_echo_ignore_broadcasts: 1
+
+ # There is no reason to accept bogus error responses from ICMP, so ignore them instead.
+ net.ipv4.icmp_ignore_bogus_error_responses: 1
+
+ # Limit the amount of traffic the system uses for ICMP.
+ net.ipv4.icmp_ratelimit: 1000
+
+ # Send redirects, if router, but this is just server
+ net.ipv4.conf.all.send_redirects: 0
+ net.ipv4.conf.default.send_redirects: 0
+ net.ipv4.conf.all.accept_redirects: 0
+ net.ipv4.conf.default.accept_redirects: 0
+ net.ipv6.conf.all.accept_redirects: 0
+ net.ipv6.conf.default.accept_redirects: 0
+ net.ipv4.conf.all.secure_redirects: 0
+ net.ipv4.conf.default.secure_redirects: 0
+
+ net.ipv4.conf.all.accept_source_route: 0
+ net.ipv4.conf.default.accept_source_route: 0
+
+ # Protect against wrapping sequence numbers at gigabit speeds
+ net.ipv4.tcp_timestamps: 0
+
+ # Prevent against the common 'syn flood attack'
+ net.ipv4.tcp_syncookies: 1
+
+ # Disable Selective Acknowledgement (SACK)
+ # Workaround CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
+ # See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
+ net.ipv4.tcp_sack: 0
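Review bot: The comment above `net.ipv4.tcp_timestamps: 0` contradicts the value: TCP timestamps are what provide PAWS protection against wrapped sequence numbers, so setting it to 0 removes that protection rather than adding it; the usual reason for 0 is to stop uptime disclosure through the timestamp field. Suggest `# Disable TCP timestamps to avoid leaking uptime; note this also disables PAWS (wrapped-sequence-number protection)`. Disabling SACK for CVE-2019-11477/11478/11479 was the interim workaround until kernels were patched; as a permanent default it costs throughput on lossy paths, so a `# TODO: re-enable once all hosts run patched kernels` marker would stop it being carried forward unexamined. The file also lacks the `---` document start that the role's other YAML files have.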