Diffstat (limited to 'roles/base')
-rw-r--r-- | roles/base/defaults/main.yml | 36 | ||||
-rw-r--r-- | roles/base/files/02no-recommends | 2 | ||||
-rw-r--r-- | roles/base/handlers/main.yml | 3 | ||||
-rw-r--r-- | roles/base/tasks/Debian.yml | 116 | ||||
-rw-r--r-- | roles/base/tasks/OpenBSD.yml | 14 | ||||
-rw-r--r-- | roles/base/tasks/intel-nic.yml | 23 | ||||
-rw-r--r-- | roles/base/tasks/main.yml | 38 | ||||
-rw-r--r-- | roles/base/vars/Debian.yml | 2 | ||||
-rw-r--r-- | roles/base/vars/Ubuntu.yml | 2 | ||||
-rw-r--r-- | roles/base/vars/main.yml | 50 |
10 files changed, 0 insertions, 286 deletions
diff --git a/roles/base/defaults/main.yml b/roles/base/defaults/main.yml
deleted file mode 100644
index c4b0d42c..00000000
--- a/roles/base/defaults/main.yml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-base_entropy_generator: haveged
-
-base_sysctl_config_user: {}
-
-base_modules_blacklist_:
- net:
- - dccp
- - sctp
- - rds
- - tipc
- fs:
- - cramfs
- - freevxfs
- - hfs
- - hfsplus
- - jffs2
- sound:
- - soundcore
- - usb-midi
- misc:
- - bluetooth
- - firewire-core
- - n_hdlc
- - net-pf-31
- - thunderbolt
-
-base_modules_blacklist_full: "{{ base_modules_blacklist_ | list }}"
-base_modules_blacklist_all_but_sound: "{{ base_modules_blacklist_ | difference(['sound']) | list }}"
-base_modules_blacklist_none: []
-base_modules_blacklist: "{{ base_modules_blacklist_full }}"
-
-base_packages_extra_host: []
-base_packages_extra_group: []
-
-base_intel_nic_stability_fix: false
diff --git a/roles/base/files/02no-recommends b/roles/base/files/02no-recommends
deleted file mode 100644
index a2fba330..00000000
--- a/roles/base/files/02no-recommends
+++ /dev/null
@@ -1,2 +0,0 @@
-APT::Install-Recommends "false";
-APT::Install-Suggests "false";
diff --git a/roles/base/handlers/main.yml b/roles/base/handlers/main.yml
deleted file mode 100644
index a23868cf..00000000
--- a/roles/base/handlers/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-- name: update grub
- command: update-grub
diff --git a/roles/base/tasks/Debian.yml b/roles/base/tasks/Debian.yml
deleted file mode 100644
index 13c3c9f9..00000000
--- a/roles/base/tasks/Debian.yml
+++ /dev/null
@@ -1,116 +0,0 @@
----
-- name: load distrubtion specific variables
- include_vars: "{{ item }}"
- with_first_found:
- - files:
- - "{{ ansible_distribution_release }}.yml"
- - "{{ ansible_distribution }}.yml"
- skip: true
-
-- name: disable recommends and suggests
- copy:
- src: 02no-recommends
- dest: /etc/apt/apt.conf.d/
-
-- name: install base system tools
- apt:
- name:
- - htop
- - dstat
- - lsof
- - gawk
- - psmisc
- - less
- - debian-goodies
- - screen
- - mtr-tiny
- - tcpdump
- - iptraf-ng
- - unp
- - dbus
- - libpam-systemd
- - aptitude
- - ca-certificates
- - file
- - man-db
- - manpages
- - nano
- state: present
-
-- name: install extra packages
- apt:
- name: "{{ base_packages_extra_host | union(base_packages_extra_group) }}"
- state: present
-
-- name: install rngd
- when: base_entropy_generator == 'rngd'
- block:
- - name: install rngd
- apt:
- name: "{{ base_rngd_package_name }}"
- state: present
-
- - name: make sure haveged is removed/purged
- apt:
- name: haveged
- state: absent
- purge: yes
-
-
-- name: install haveged
- when: base_entropy_generator == 'haveged'
- block:
- - name: install haveged
- apt:
- name: haveged
- state: present
-
- - name: make sure rngd is removed/purged
- apt:
- name: "{{ base_rngd_package_name }}"
- state: absent
- purge: yes
-
-
-- name: Ensure /root is not world accessible
- file:
- path: /root
- mode: 0700
- owner: root
- group: root
- state: directory
-
-- name: disable net/fs/misc kernel modules
- copy:
- content: |
- {% for item in (base_modules_blacklist | map('extract', base_modules_blacklist_) | flatten | sort | list) %}
- install {{ item }} /bin/true
- {% endfor %}
- dest: /etc/modprobe.d/disablemod.conf
- owner: root
- group: root
- mode: 0644
-
-- name: Change various sysctl-settings, look at the sysctl-vars file for documentation
- loop: "{{ base_sysctl_config | combine(base_sysctl_config_user) | dict2items }}"
- loop_control:
- label: "{{ item.key }} = {{ item.value }}"
- sysctl:
- name: "{{ item.key }}"
- value: "{{ item.value }}"
- sysctl_set: yes
- state: present
- reload: yes
- ignoreerrors: yes
-
-- name: set kernel command line options
- lineinfile:
- path: /etc/default/grub
- regexp: '^#?GRUB_CMDLINE_LINUX='
- line: 'GRUB_CMDLINE_LINUX="{{ install.kernel_cmdline | join(" ") }}"'
- when: install is defined and install.kernel_cmdline is defined
- notify: update grub
-
-- name: apply stability fix/workaround for machines using intel NIC
- when: base_intel_nic_stability_fix
- import_tasks: intel-nic.yml
diff --git a/roles/base/tasks/OpenBSD.yml b/roles/base/tasks/OpenBSD.yml
deleted file mode 100644
index 4b64105c..00000000
--- a/roles/base/tasks/OpenBSD.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-- name: install base system tools
- openbsd_pkg:
- name:
- - htop
- - screen--
- - mtr--
- - nano
- state: present
-
-- name: install extra packages
- openbsd_pkg:
- name: "{{ base_packages_extra_host | union(base_packages_extra_group) }}"
- state: present
diff --git a/roles/base/tasks/intel-nic.yml b/roles/base/tasks/intel-nic.yml
deleted file mode 100644
index 2b9be474..00000000
--- a/roles/base/tasks/intel-nic.yml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-- name: fetch default link options for network interfaces
- slurp:
- src: /usr/lib/systemd/network/99-default.link
- register: base_systemd_default_link_unit
-
-- name: disable TSO (intel nic stability fix)
- vars:
- default_link_options: "{{ (base_systemd_default_link_unit.content | b64decode | from_ini)['Link'] }}"
- copy:
- content: |
- [Match]
- MACAddress={{ ansible_default_ipv4.macaddress }}
-
- [Link]
- {% for name, value in default_link_options.items() | sort(attribute='0') %}
- {{ name }}={{ value }}
- {% endfor %}
-
- TCPSegmentationOffload=false
- GenericSegmentationOffload=false
- GenericReceiveOffload=false
- dest: /etc/systemd/network/00-disable-offloading.link
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
deleted file mode 100644
index 5484a3a6..00000000
--- a/roles/base/tasks/main.yml
+++ /dev/null
@@ -1,38 +0,0 @@
----
-- name: load os/distrubtion/version specific tasks
- vars:
- params:
- files:
- - "{{ ansible_distribution_release }}.yml"
- - "{{ ansible_distribution }}.yml"
- - "{{ ansible_os_family }}.yml"
- loop: "{{ q('first_found', params) }}"
- loop_control:
- loop_var: tasks_file
- include_tasks: "{{ tasks_file }}"
-
-- name: Remove startup message from screen
- lineinfile:
- regexp: "^startup_message"
- line: "startup_message off"
- dest: /etc/screenrc
- mode: 0644
- tags:
- - screen
-
-- name: install htop config (1/2)
- loop:
- - /root
- - /etc/skel
- file:
- name: "{{ item }}/.config/htop/"
- state: directory
- mode: 0700
-
-- name: install htop config (2/2)
- loop:
- - /root
- - /etc/skel
- copy:
- src: "{{ global_files_dir }}/common/htoprc"
- dest: "{{ item }}/.config/htop/"
diff --git a/roles/base/vars/Debian.yml b/roles/base/vars/Debian.yml
deleted file mode 100644
index 96baf89b..00000000
--- a/roles/base/vars/Debian.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-base_rngd_package_name: rng-tools5
diff --git a/roles/base/vars/Ubuntu.yml b/roles/base/vars/Ubuntu.yml
deleted file mode 100644
index eb2591da..00000000
--- a/roles/base/vars/Ubuntu.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-base_rngd_package_name: rng-tools
diff --git a/roles/base/vars/main.yml b/roles/base/vars/main.yml
deleted file mode 100644
index 9940d7a6..00000000
--- a/roles/base/vars/main.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-# SYSTEM CONFIGURATION
-# ====================
-# These are not meant to be modified by the user
-
-#
-# To adjust these settings use base_sysctl_config_user dict
-#
-base_sysctl_config:
-
- # Enable RFC-recommended source validation feature.
- net.ipv4.conf.all.rp_filter: 1
- net.ipv4.conf.default.rp_filter: 1
-
- # Log packets with impossible addresses to kernel log? yes
- net.ipv4.conf.all.log_martians: 1
- net.ipv4.conf.default.log_martians: 1
-
- # Reduce the surface on SMURF attacks.
- # Make sure to ignore ECHO broadcasts, which are only required in broad network analysis.
- net.ipv4.icmp_echo_ignore_broadcasts: 1
-
- # There is no reason to accept bogus error responses from ICMP, so ignore them instead.
- net.ipv4.icmp_ignore_bogus_error_responses: 1
-
- # Limit the amount of traffic the system uses for ICMP.
- net.ipv4.icmp_ratelimit: 1000
-
- # Send redirects, if router, but this is just server
- net.ipv4.conf.all.send_redirects: 0
- net.ipv4.conf.default.send_redirects: 0
- net.ipv4.conf.all.accept_redirects: 0
- net.ipv4.conf.default.accept_redirects: 0
- net.ipv6.conf.all.accept_redirects: 0
- net.ipv6.conf.default.accept_redirects: 0
- net.ipv4.conf.all.secure_redirects: 0
- net.ipv4.conf.default.secure_redirects: 0
-
- net.ipv4.conf.all.accept_source_route: 0
- net.ipv4.conf.default.accept_source_route: 0
-
- # Protect against wrapping sequence numbers at gigabit speeds
- net.ipv4.tcp_timestamps: 0
-
- # Prevent against the common 'syn flood attack'
- net.ipv4.tcp_syncookies: 1
-
- # Disable Selective Acknowledgement (SACK)
- # Workaround CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
- # See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
- net.ipv4.tcp_sack: 0 |