From 3a2319c9c58886a7938deabafc66ad4bc128c9f8 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sun, 31 May 2020 23:12:36 +0200 Subject: move core roles to subdir --- roles/core/base/tasks/Debian.yml | 116 ++++++++++++++++++++++++++++++++++++ roles/core/base/tasks/OpenBSD.yml | 14 +++++ roles/core/base/tasks/intel-nic.yml | 23 +++++++ roles/core/base/tasks/main.yml | 38 ++++++++++++ 4 files changed, 191 insertions(+) create mode 100644 roles/core/base/tasks/Debian.yml create mode 100644 roles/core/base/tasks/OpenBSD.yml create mode 100644 roles/core/base/tasks/intel-nic.yml create mode 100644 roles/core/base/tasks/main.yml (limited to 'roles/core/base/tasks') diff --git a/roles/core/base/tasks/Debian.yml b/roles/core/base/tasks/Debian.yml new file mode 100644 index 00000000..13c3c9f9 --- /dev/null +++ b/roles/core/base/tasks/Debian.yml @@ -0,0 +1,116 @@ +--- +- name: load distrubtion specific variables + include_vars: "{{ item }}" + with_first_found: + - files: + - "{{ ansible_distribution_release }}.yml" + - "{{ ansible_distribution }}.yml" + skip: true + +- name: disable recommends and suggests + copy: + src: 02no-recommends + dest: /etc/apt/apt.conf.d/ + +- name: install base system tools + apt: + name: + - htop + - dstat + - lsof + - gawk + - psmisc + - less + - debian-goodies + - screen + - mtr-tiny + - tcpdump + - iptraf-ng + - unp + - dbus + - libpam-systemd + - aptitude + - ca-certificates + - file + - man-db + - manpages + - nano + state: present + +- name: install extra packages + apt: + name: "{{ base_packages_extra_host | union(base_packages_extra_group) }}" + state: present + +- name: install rngd + when: base_entropy_generator == 'rngd' + block: + - name: install rngd + apt: + name: "{{ base_rngd_package_name }}" + state: present + + - name: make sure haveged is removed/purged + apt: + name: haveged + state: absent + purge: yes + + +- name: install haveged + when: base_entropy_generator == 'haveged' + block: + - name: install haveged + apt: + name: haveged + state: present + + - name: make sure rngd is removed/purged + apt: + name: "{{ base_rngd_package_name }}" + state: absent + purge: yes + + +- name: Ensure /root is not world accessible + file: + path: /root + mode: 0700 + owner: root + group: root + state: directory + +- name: disable net/fs/misc kernel modules + copy: + content: | + {% for item in (base_modules_blacklist | map('extract', base_modules_blacklist_) | flatten | sort | list) %} + install {{ item }} /bin/true + {% endfor %} + dest: /etc/modprobe.d/disablemod.conf + owner: root + group: root + mode: 0644 + +- name: Change various sysctl-settings, look at the sysctl-vars file for documentation + loop: "{{ base_sysctl_config | combine(base_sysctl_config_user) | dict2items }}" + loop_control: + label: "{{ item.key }} = {{ item.value }}" + sysctl: + name: "{{ item.key }}" + value: "{{ item.value }}" + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + +- name: set kernel command line options + lineinfile: + path: /etc/default/grub + regexp: '^#?GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="{{ install.kernel_cmdline | join(" ") }}"' + when: install is defined and install.kernel_cmdline is defined + notify: update grub + +- name: apply stability fix/workaround for machines using intel NIC + when: base_intel_nic_stability_fix + import_tasks: intel-nic.yml diff --git a/roles/core/base/tasks/OpenBSD.yml b/roles/core/base/tasks/OpenBSD.yml new file mode 100644 index 00000000..4b64105c --- /dev/null +++ b/roles/core/base/tasks/OpenBSD.yml @@ -0,0 +1,14 @@ +--- +- name: install base system tools + openbsd_pkg: + name: + - htop + - screen-- + - mtr-- + - nano + state: present + +- name: install extra packages + openbsd_pkg: + name: "{{ base_packages_extra_host | union(base_packages_extra_group) }}" + state: present diff --git a/roles/core/base/tasks/intel-nic.yml b/roles/core/base/tasks/intel-nic.yml new file mode 100644 index 00000000..2b9be474 --- /dev/null +++ b/roles/core/base/tasks/intel-nic.yml @@ -0,0 +1,23 @@ +--- +- name: fetch default link options for network interfaces + slurp: + src: /usr/lib/systemd/network/99-default.link + register: base_systemd_default_link_unit + +- name: disable TSO (intel nic stability fix) + vars: + default_link_options: "{{ (base_systemd_default_link_unit.content | b64decode | from_ini)['Link'] }}" + copy: + content: | + [Match] + MACAddress={{ ansible_default_ipv4.macaddress }} + + [Link] + {% for name, value in default_link_options.items() | sort(attribute='0') %} + {{ name }}={{ value }} + {% endfor %} + + TCPSegmentationOffload=false + GenericSegmentationOffload=false + GenericReceiveOffload=false + dest: /etc/systemd/network/00-disable-offloading.link diff --git a/roles/core/base/tasks/main.yml b/roles/core/base/tasks/main.yml new file mode 100644 index 00000000..5484a3a6 --- /dev/null +++ b/roles/core/base/tasks/main.yml @@ -0,0 +1,38 @@ +--- +- name: load os/distrubtion/version specific tasks + vars: + params: + files: + - "{{ ansible_distribution_release }}.yml" + - "{{ ansible_distribution }}.yml" + - "{{ ansible_os_family }}.yml" + loop: "{{ q('first_found', params) }}" + loop_control: + loop_var: tasks_file + include_tasks: "{{ tasks_file }}" + +- name: Remove startup message from screen + lineinfile: + regexp: "^startup_message" + line: "startup_message off" + dest: /etc/screenrc + mode: 0644 + tags: + - screen + +- name: install htop config (1/2) + loop: + - /root + - /etc/skel + file: + name: "{{ item }}/.config/htop/" + state: directory + mode: 0700 + +- name: install htop config (2/2) + loop: + - /root + - /etc/skel + copy: + src: "{{ global_files_dir }}/common/htoprc" + dest: "{{ item }}/.config/htop/" -- cgit v1.2.3