From f5b24e7977b5e453bde40b52f1cf7bbc1bb67ae2 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Thu, 26 Dec 2019 23:24:40 +0100 Subject: base role supports openbsd now too --- roles/base/tasks/Debian.yml | 124 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 124 insertions(+) create mode 100644 roles/base/tasks/Debian.yml (limited to 'roles/base/tasks/Debian.yml') diff --git a/roles/base/tasks/Debian.yml b/roles/base/tasks/Debian.yml new file mode 100644 index 00000000..25195ad2 --- /dev/null +++ b/roles/base/tasks/Debian.yml @@ -0,0 +1,124 @@ +--- +- name: load distrubtion specific variables + include_vars: "{{ item }}" + with_first_found: + - files: + - "{{ ansible_distribution_release }}.yml" + - "{{ ansible_distribution }}.yml" + skip: true + +- name: disable recommends and suggests + copy: + src: 02no-recommends + dest: /etc/apt/apt.conf.d/ + +- name: install base system tools + apt: + name: + - htop + - dstat + - lsof + - gawk + - psmisc + - less + - debian-goodies + - screen + - mtr-tiny + - tcpdump + - iptraf-ng + - unp + - dbus + - libpam-systemd + - aptitude + - ca-certificates + - file + - man-db + - manpages + - nano + state: present + +- name: install extra packages + apt: + name: "{{ base_packages_extra_host | union(base_packages_extra_group) }}" + state: present + +- name: install rngd + when: base_entropy_generator == 'rngd' + block: + - name: install rngd + apt: + name: "{{ base_rngd_package_name }}" + state: present + + - name: make sure haveged is removed/purged + apt: + name: haveged + state: absent + purge: yes + + +- name: install haveged + when: base_entropy_generator == 'haveged' + block: + - name: install haveged + apt: + name: haveged + state: present + + - name: make sure rngd is removed/purged + apt: + name: "{{ base_rngd_package_name }}" + state: absent + purge: yes + + +- name: Ensure /root is not world accessible + file: + path: /root + mode: 0700 + owner: root + group: root + state: directory + +- name: disable net/fs/misc kernel modules + loop: "{{ modules_blacklist.net | union(modules_blacklist.fs) | union(modules_blacklist.misc) }}" + lineinfile: + dest: /etc/modprobe.d/disablemod.conf + line: "install {{ item }} /bin/true" + create: yes + owner: root + group: root + mode: 0644 + +- name: Change various sysctl-settings, look at the sysctl-vars file for documentation + loop: "{{ sysctl_config | combine(sysctl_config_user) | dict2items }}" + loop_control: + label: "{{ item.key }} = {{ item.value }}" + sysctl: + name: "{{ item.key }}" + value: "{{ item.value }}" + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + +- name: set kernel command line options + lineinfile: + path: /etc/default/grub + regexp: '^#?GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="{{ install.kernel_cmdline | join(" ") }}"' + when: install is defined and install.kernel_cmdline is defined + notify: update grub + +- name: disable TSO (intel nic stability fix) + when: base_intel_nic_stability_fix + copy: + content: | + [Match] + MACAddress={{ ansible_default_ipv4.macaddress }} + + [Link] + TCPSegmentationOffload=false + GenericSegmentationOffload=false + GenericReceiveOffload=false + dest: /etc/systemd/network/00-disable-offloading.link -- cgit v1.2.3