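---
# Base system configuration for Debian/Ubuntu hosts:
#   * apt behaviour (no recommends/suggests/pdiffs, no phased updates on Ubuntu)
#   * core admin tooling and the optional extra package list
#   * a single entropy daemon (rngd XOR haveged), the other one purged
#   * /root permissions, kernel module blacklist, sysctl settings
#   * GRUB command line / recordfail tweaks, Intel NIC workaround, fstrim timer
#   * cloud-init leftovers
#
# Variables consumed here are defined outside this file (role defaults/vars):
#   base_packages_extra, base_entropy_generator ('rngd' | 'haveged'),
#   base_modules_blacklist, base_modules_blacklist_, base_sysctl_config,
#   base_sysctl_config_user, base_intel_nic_stability_fix, base_enable_fstrim,
#   and the optional `install` dict (keys used: kernel_cmdline, efi).
#
# Notes for reviewers:
#   * All octal modes are quoted so the YAML parser does not turn them into
#     decimal integers (Ansible documents this as the reliable form).
#   * Booleans are written as true/false rather than yes/no.
#   * Files dropped into /etc are given explicit root:root 0644 ownership
#     instead of relying on the controller umask.

- name: disable recommends, suggests and pdiffs
  loop:
    - 02no-recommends
    - 02no-pdiffs
  copy:
    src: "{{ item }}"
    dest: /etc/apt/apt.conf.d/
    owner: root
    group: root
    mode: "0644"

# Ubuntu phases some updates to a subset of machines; forcing inclusion makes
# every host receive (security) updates on the same run instead of lagging
# behind on the phased ones.
- name: disable phased updates for Ubuntu
  when: ansible_distribution == "Ubuntu"
  copy:
    content: |
      Update-Manager::Always-Include-Phased-Updates "true";
      APT::Get::Always-Include-Phased-Updates "true";
    dest: /etc/apt/apt.conf.d/03no-phased-updates
    owner: root
    group: root
    mode: "0644"

- name: install base system tools
  apt:
    name:
      - htop
      - lsof
      - gawk
      - psmisc
      - less
      - debian-goodies
      - screen
      - mtr-tiny
      - tcpdump
      - iptraf-ng
      - ethtool
      - unp
      - zstd
      - dbus
      - libpam-systemd
      - aptitude
      - ca-certificates
      - file
      - man-db
      - manpages
      - nano
      - curl
      - wget
      - iotop-c
      - bwm-ng
    state: present

# TODO: dstat is gone from Debian >= 13 / Ubuntu >= 24; its successor `dool`
# has no settled package source yet, so nothing is installed on those releases.
- name: install dstat for older systems only
  when: >-
    (ansible_distribution == 'Debian' and (ansible_distribution_major_version | int) <= 12)
    or (ansible_distribution == 'Ubuntu' and (ansible_distribution_major_version | int) < 24)
  apt:
    name: dstat
    state: present

- name: install extra packages
  apt:
    name: "{{ base_packages_extra }}"
    state: present

# Exactly one userspace entropy daemon is kept; the competing one (and the
# legacy rng-tools packaging) is purged so two daemons never fight over
# /dev/random.
- name: install rngd
  when: base_entropy_generator == 'rngd'
  block:
    - name: install rngd
      apt:
        name: rng-tools5
        state: present

    - name: make sure haveged and legacy rngd versions are removed/purged
      apt:
        name:
          - haveged
          - rng-tools
          - rng-tools-debian
        state: absent
        purge: true

- name: install haveged
  when: base_entropy_generator == 'haveged'
  block:
    - name: install haveged
      apt:
        name: haveged
        state: present

    - name: make sure rngd is removed/purged
      apt:
        name:
          - rng-tools
          - rng-tools5
          - rng-tools-debian
        state: absent
        purge: true

- name: Ensure /root is not world accessible
  file:
    path: /root
    mode: "0700"
    owner: root
    group: root
    state: directory

# `install <module> /bin/true` makes modprobe run /bin/true instead of loading
# the module, which also blocks loading it as a dependency of another module
# (a plain `blacklist` line only stops alias-based autoloading). It does not
# stop an already-loaded module or a root user calling insmod directly; a
# reboot is needed for modules that are currently loaded.
- name: disable net/fs/misc kernel modules
  copy:
    content: |
      {% for item in (base_modules_blacklist | map('extract', base_modules_blacklist_) | flatten | sort | list) %}
      install {{ item }} /bin/true
      {% endfor %}
    dest: /etc/modprobe.d/disablemod.conf
    owner: root
    group: root
    mode: "0644"

# User-supplied settings override the role defaults key by key (combine()).
# ignoreerrors tolerates keys that do not exist on a given kernel; the flip
# side is that a hardening key that is misspelled or unsupported is skipped
# silently, so verify with `sysctl -a` after the first run on a new release.
- name: Change various sysctl-settings, look at the sysctl-vars file for documentation
  loop: "{{ base_sysctl_config | combine(base_sysctl_config_user) | dict2items }}"
  loop_control:
    label: "{{ item.key }} = {{ item.value }}"
  sysctl:
    name: "{{ item.key }}"
    value: "{{ item.value }}"
    sysctl_set: true
    state: present
    reload: true
    ignoreerrors: true

# The whole GRUB_CMDLINE_LINUX line is replaced, so install.kernel_cmdline must
# carry every option the host needs (there is no merging with the existing value).
- name: set kernel command line options
  when: install is defined and install.kernel_cmdline is defined
  lineinfile:
    path: /etc/default/grub
    regexp: '^#?GRUB_CMDLINE_LINUX='
    line: 'GRUB_CMDLINE_LINUX="{{ install.kernel_cmdline | join(" ") }}"'
  notify: update grub

# see https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1814403
# Without this an EFI Ubuntu box that was not shut down cleanly waits
# indefinitely at the GRUB menu (recordfail), i.e. it never comes back remotely.
# Guarded on `install is defined` like the task above so an undefined dict does
# not make the conditional itself fail.
- name: lower grub recordfail timeout for ubuntu/efi systems
  when:
    - ansible_distribution == "Ubuntu"
    - install is defined
    - install.efi | default(false)
  lineinfile:
    path: /etc/default/grub
    regexp: '^#?GRUB_RECORDFAIL_TIMEOUT='
    line: 'GRUB_RECORDFAIL_TIMEOUT="3"'
    insertafter: '^#?GRUB_TIMEOUT='
  notify: update grub

- name: apply stability fix/workaround for machines using intel NIC
  when: base_intel_nic_stability_fix
  import_tasks: intel-nic.yml

- name: enable/disable fstrim timer
  systemd:
    name: fstrim.timer
    state: "{{ base_enable_fstrim | ternary('started', 'stopped') }}"
    enabled: "{{ base_enable_fstrim }}"

# The cloud-init logs can contain instance metadata (user-data, keys handed in
# at first boot) and are not needed once the host is managed here.
# CAUTION: on Ubuntu cloud images /etc/ssh/sshd_config.d/50-cloud-init.conf is
# typically the drop-in that sets `PasswordAuthentication no`. Deleting it
# reverts sshd to its compiled-in default (password auth enabled) unless the
# sshd configuration managed elsewhere in this role sets it explicitly —
# confirm that before relying on this task on cloud images.
- name: remove cloud-init leftovers
  loop:
    - /var/log/cloud-init.log
    - /var/log/cloud-init-output.log
    - /etc/ssh/sshd_config.d/50-cloud-init.conf
  file:
    path: "{{ item }}"
    state: absent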