From 3a2319c9c58886a7938deabafc66ad4bc128c9f8 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sun, 31 May 2020 23:12:36 +0200 Subject: move core roles to subdir --- roles/core/base/defaults/main.yml | 36 +++++++++++ roles/core/base/files/02no-recommends | 2 + roles/core/base/handlers/main.yml | 3 + roles/core/base/tasks/Debian.yml | 116 ++++++++++++++++++++++++++++++++++ roles/core/base/tasks/OpenBSD.yml | 14 ++++ roles/core/base/tasks/intel-nic.yml | 23 +++++++ roles/core/base/tasks/main.yml | 38 +++++++++++ roles/core/base/vars/Debian.yml | 2 + roles/core/base/vars/Ubuntu.yml | 2 + roles/core/base/vars/main.yml | 50 +++++++++++++++ 10 files changed, 286 insertions(+) create mode 100644 roles/core/base/defaults/main.yml create mode 100644 roles/core/base/files/02no-recommends create mode 100644 roles/core/base/handlers/main.yml create mode 100644 roles/core/base/tasks/Debian.yml create mode 100644 roles/core/base/tasks/OpenBSD.yml create mode 100644 roles/core/base/tasks/intel-nic.yml create mode 100644 roles/core/base/tasks/main.yml create mode 100644 roles/core/base/vars/Debian.yml create mode 100644 roles/core/base/vars/Ubuntu.yml create mode 100644 roles/core/base/vars/main.yml (limited to 'roles/core/base') diff --git a/roles/core/base/defaults/main.yml b/roles/core/base/defaults/main.yml new file mode 100644 index 00000000..c4b0d42c --- /dev/null +++ b/roles/core/base/defaults/main.yml 
@@ -0,0 +1,36 @@ +--- +base_entropy_generator: haveged + +base_sysctl_config_user: {} + +base_modules_blacklist_: + net: + - dccp + - sctp + - rds + - tipc + fs: + - cramfs + - freevxfs + - hfs + - hfsplus + - jffs2 + sound: + - soundcore + - usb-midi + misc: + - bluetooth + - firewire-core + - n_hdlc + - net-pf-31 + - thunderbolt + +base_modules_blacklist_full: "{{ base_modules_blacklist_ | list }}" +base_modules_blacklist_all_but_sound: "{{ base_modules_blacklist_ | difference(['sound']) | list }}" +base_modules_blacklist_none: [] +base_modules_blacklist: "{{ base_modules_blacklist_full }}" + +base_packages_extra_host: [] +base_packages_extra_group: [] + +base_intel_nic_stability_fix: false diff --git a/roles/core/base/files/02no-recommends b/roles/core/base/files/02no-recommends new file mode 100644 index 00000000..a2fba330 --- /dev/null +++ b/roles/core/base/files/02no-recommends @@ -0,0 +1,2 @@ +APT::Install-Recommends "false"; +APT::Install-Suggests "false"; diff --git a/roles/core/base/handlers/main.yml b/roles/core/base/handlers/main.yml new file mode 100644 index 00000000..a23868cf --- /dev/null +++ b/roles/core/base/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: update grub + command: update-grub diff --git a/roles/core/base/tasks/Debian.yml b/roles/core/base/tasks/Debian.yml new file mode 100644 index 00000000..13c3c9f9 --- /dev/null +++ b/roles/core/base/tasks/Debian.yml 
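Review bot: `base_modules_blacklist_full` and `base_modules_blacklist_all_but_sound` are lists of category keys (`net`, `fs`, `sound`, `misc`), not module names, and `base_modules_blacklist_ | list` reads as if it flattened the module list; nothing in defaults/main.yml says which it is, and the expansion to module names happens in tasks/Debian.yml. A header comment above `base_modules_blacklist_` would save the next maintainer the detour: `# modules grouped by category; base_modules_blacklist selects categories (dict keys), the Debian tasks expand them to "install <mod> /bin/true" lines`. The same comment should note that a host/group override of `base_modules_blacklist_` replaces the whole dict (Ansible does not merge hashes by default), so adding one module means restating every category.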
@@ -0,0 +1,116 @@ +--- +- name: load distrubtion specific variables + include_vars: "{{ item }}" + with_first_found: + - files: + - "{{ ansible_distribution_release }}.yml" + - "{{ ansible_distribution }}.yml" + skip: true + +- name: disable recommends and suggests + copy: + src: 02no-recommends + dest: /etc/apt/apt.conf.d/ + +- name: install base system tools + apt: + name: + - htop + - dstat + - lsof + - gawk + - psmisc + - less + - debian-goodies + - screen + - mtr-tiny + - tcpdump + - iptraf-ng + - unp + - dbus + - libpam-systemd + - aptitude + - ca-certificates + - file + - man-db + - manpages + - nano + state: present + +- name: install extra packages + apt: + name: "{{ base_packages_extra_host | union(base_packages_extra_group) }}" + state: present + +- name: install rngd + when: base_entropy_generator == 'rngd' + block: + - name: install rngd + apt: + name: "{{ base_rngd_package_name }}" + state: present + + - name: make sure haveged is removed/purged + apt: + name: haveged + state: absent + purge: yes + + +- name: install haveged + when: base_entropy_generator == 'haveged' + block: + - name: install haveged + apt: + name: haveged + state: present + + - name: make sure rngd is removed/purged + apt: + name: "{{ base_rngd_package_name }}" + state: absent + purge: yes + + +- name: Ensure /root is not world accessible + file: + path: /root + mode: 0700 + owner: root + group: root + state: directory + +- name: disable net/fs/misc kernel modules + copy: + content: | + {% for item in (base_modules_blacklist | map('extract', base_modules_blacklist_) | flatten | sort | list) %} + install {{ item }} /bin/true + {% endfor %} + dest: /etc/modprobe.d/disablemod.conf + owner: root + group: root + mode: 0644 + +- name: Change various sysctl-settings, look at the sysctl-vars file for documentation + loop: "{{ base_sysctl_config | combine(base_sysctl_config_user) | dict2items }}" + loop_control: + label: "{{ item.key }} = {{ item.value }}" + sysctl: + name: "{{ item.key }}" 
+ value: "{{ item.value }}" + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + +- name: set kernel command line options + lineinfile: + path: /etc/default/grub + regexp: '^#?GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="{{ install.kernel_cmdline | join(" ") }}"' + when: install is defined and install.kernel_cmdline is defined + notify: update grub + +- name: apply stability fix/workaround for machines using intel NIC + when: base_intel_nic_stability_fix + import_tasks: intel-nic.yml diff --git a/roles/core/base/tasks/OpenBSD.yml b/roles/core/base/tasks/OpenBSD.yml new file mode 100644 index 00000000..4b64105c --- /dev/null +++ b/roles/core/base/tasks/OpenBSD.yml @@ -0,0 +1,14 @@ +--- +- name: install base system tools + openbsd_pkg: + name: + - htop + - screen-- + - mtr-- + - nano + state: present + +- name: install extra packages + openbsd_pkg: + name: "{{ base_packages_extra_host | union(base_packages_extra_group) }}" + state: present diff --git a/roles/core/base/tasks/intel-nic.yml b/roles/core/base/tasks/intel-nic.yml new file mode 100644 index 00000000..2b9be474 --- /dev/null +++ b/roles/core/base/tasks/intel-nic.yml @@ -0,0 +1,23 @@ +--- +- name: fetch default link options for network interfaces + slurp: + src: /usr/lib/systemd/network/99-default.link + register: base_systemd_default_link_unit + +- name: disable TSO (intel nic stability fix) + vars: + default_link_options: "{{ (base_systemd_default_link_unit.content | b64decode | from_ini)['Link'] }}" + copy: + content: | + [Match] + MACAddress={{ ansible_default_ipv4.macaddress }} + + [Link] + {% for name, value in default_link_options.items() | sort(attribute='0') %} + {{ name }}={{ value }} + {% endfor %} + + TCPSegmentationOffload=false + GenericSegmentationOffload=false + GenericReceiveOffload=false + dest: /etc/systemd/network/00-disable-offloading.link diff --git a/roles/core/base/tasks/main.yml b/roles/core/base/tasks/main.yml new file mode 100644 index 00000000..5484a3a6 
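Review bot: The sysctl task applies every key with `ignoreerrors: yes`, so a misspelled key in `base_sysctl_config_user`, or a kernel that lacks one of the hardening knobs, is silently skipped and the play still reports success; if the intent is only to tolerate missing `net.ipv6.*` keys on hosts with IPv6 disabled, say so in a comment (`# ignoreerrors: hosts booted with ipv6.disable=1 have no net.ipv6.* keys`) and consider registering the result instead of hiding failures outright. Two smaller points in the same hunk: the `install {{ item }} /bin/true` lines written to /etc/modprobe.d/disablemod.conf only block future loads, so a module already resident (bluetooth, soundcore on a workstation) stays loaded until reboot or an explicit `modprobe -r`, which deserves a comment or a follow-up task; and `GRUB_CMDLINE_LINUX="{{ install.kernel_cmdline | join(" ") }}"` produces a broken line if any option contains a double quote, so either escape the values or document that restriction on `install.kernel_cmdline`. The `copy` of 02no-recommends sets no `owner`/`group`/`mode`, unlike the modprobe file later in the same hunk; `mode: 0644` would make the two consistent.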
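Review bot: Writing /etc/systemd/network/00-disable-offloading.link does nothing to the running interface, since .link files are applied by udev when the device is added, and the hunk has no handler to re-trigger that (presumably `udevadm trigger --action=add --subsystem-match=net`) nor a note that a reboot is required, so the first run leaves TSO enabled until the next boot. The `slurp` of /usr/lib/systemd/network/99-default.link fails hard where that file is absent; given the whole file sits behind `base_intel_nic_stability_fix` (default `false`) that may be acceptable, but a `stat` guard or a comment stating the systemd layout this assumes would make it explicit. The generated file is also written without `owner`/`group`/`mode`, unlike the modprobe config elsewhere in this role; `mode: 0644` would match.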
--- /dev/null +++ b/roles/core/base/tasks/main.yml @@ -0,0 +1,38 @@ +--- +- name: load os/distrubtion/version specific tasks + vars: + params: + files: + - "{{ ansible_distribution_release }}.yml" + - "{{ ansible_distribution }}.yml" + - "{{ ansible_os_family }}.yml" + loop: "{{ q('first_found', params) }}" + loop_control: + loop_var: tasks_file + include_tasks: "{{ tasks_file }}" + +- name: Remove startup message from screen + lineinfile: + regexp: "^startup_message" + line: "startup_message off" + dest: /etc/screenrc + mode: 0644 + tags: + - screen + +- name: install htop config (1/2) + loop: + - /root + - /etc/skel + file: + name: "{{ item }}/.config/htop/" + state: directory + mode: 0700 + +- name: install htop config (2/2) + loop: + - /root + - /etc/skel + copy: + src: "{{ global_files_dir }}/common/htoprc" + dest: "{{ item }}/.config/htop/" diff --git a/roles/core/base/vars/Debian.yml b/roles/core/base/vars/Debian.yml new file mode 100644 index 00000000..96baf89b --- /dev/null +++ b/roles/core/base/vars/Debian.yml @@ -0,0 +1,2 @@ +--- +base_rngd_package_name: rng-tools5 diff --git a/roles/core/base/vars/Ubuntu.yml b/roles/core/base/vars/Ubuntu.yml new file mode 100644 index 00000000..eb2591da --- /dev/null +++ b/roles/core/base/vars/Ubuntu.yml @@ -0,0 +1,2 @@ +--- +base_rngd_package_name: rng-tools diff --git a/roles/core/base/vars/main.yml b/roles/core/base/vars/main.yml new file mode 100644 index 00000000..9940d7a6 --- /dev/null +++ b/roles/core/base/vars/main.yml 
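Review bot: The `first_found` loop at the top of tasks/main.yml has no `skip`, so a host whose release, distribution and OS family all lack a tasks file aborts with the generic lookup error rather than a message naming the unsupported platform; that fail-closed behaviour is the right choice, but a comment such as `# fails on purpose for platforms without a tasks file` would record that it is deliberate. On style, the file mixes `dest:` (screenrc lineinfile) and `name:` (htop `file` task) with the `path:` used by the grub task in Debian.yml; `path:` throughout would be consistent and avoids the deprecated alias.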
@@ -0,0 +1,50 @@ +# SYSTEM CONFIGURATION +# ==================== +# These are not meant to be modified by the user + +# +# To adjust these settings use base_sysctl_config_user dict +# +base_sysctl_config: + + # Enable RFC-recommended source validation feature. + net.ipv4.conf.all.rp_filter: 1 + net.ipv4.conf.default.rp_filter: 1 + + # Log packets with impossible addresses to kernel log? yes + net.ipv4.conf.all.log_martians: 1 + net.ipv4.conf.default.log_martians: 1 + + # Reduce the surface on SMURF attacks. + # Make sure to ignore ECHO broadcasts, which are only required in broad network analysis. + net.ipv4.icmp_echo_ignore_broadcasts: 1 + + # There is no reason to accept bogus error responses from ICMP, so ignore them instead. + net.ipv4.icmp_ignore_bogus_error_responses: 1 + + # Limit the amount of traffic the system uses for ICMP. + net.ipv4.icmp_ratelimit: 1000 + + # Send redirects, if router, but this is just server + net.ipv4.conf.all.send_redirects: 0 + net.ipv4.conf.default.send_redirects: 0 + net.ipv4.conf.all.accept_redirects: 0 + net.ipv4.conf.default.accept_redirects: 0 + net.ipv6.conf.all.accept_redirects: 0 + net.ipv6.conf.default.accept_redirects: 0 + net.ipv4.conf.all.secure_redirects: 0 + net.ipv4.conf.default.secure_redirects: 0 + + net.ipv4.conf.all.accept_source_route: 0 + net.ipv4.conf.default.accept_source_route: 0 + + # Protect against wrapping sequence numbers at gigabit speeds + net.ipv4.tcp_timestamps: 0 + + # Prevent against the common 'syn flood attack' + net.ipv4.tcp_syncookies: 1 + + # Disable Selective Acknowledgement (SACK) + # Workaround CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 + # See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md + net.ipv4.tcp_sack: 0 -- cgit v1.2.3
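Review bot: The comment on `net.ipv4.tcp_timestamps: 0` says it protects against wrapping sequence numbers, but that protection (PAWS, RFC 7323) requires timestamps to be enabled; setting the value to 0 disables PAWS and RTT measurement and only hides the uptime leak, so either flip the value or reword the comment to `# Disable TCP timestamps: hides uptime, but drops PAWS/RTTM (RFC 7323)`. `net.ipv4.tcp_sack: 0` is justified as a workaround for CVE-2019-11477/11478/11479, which distribution kernels have carried fixes for since mid-2019; a permanent SACK-off costs throughput on lossy paths, so condition it on kernel version or note when it can be dropped. `accept_source_route` is set for IPv4 only while the redirect knobs cover both families; `net.ipv6.conf.all.accept_source_route: 0` and `net.ipv6.conf.default.accept_source_route: 0` would keep them consistent. Finally, `rp_filter: 1` is strict mode and breaks asymmetric routing on multi-homed hosts, which is worth a comment since the file says these values are not meant to be edited by users.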