---
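# Load per-distribution variables. The first_found lookup yields the first
# candidate that exists; the release-specific file
# ("<ansible_distribution_release>.yml") is tried before the distribution-wide
# one ("<ansible_distribution>.yml").
# skip: true turns the task into a silent no-op when neither file exists, so
# any variable that later tasks expect from these files must then be supplied
# by role defaults or inventory.
- name: load distribution specific variables
  include_vars: "{{ item }}"
  with_first_found:
    - files:
        - "{{ ansible_distribution_release }}.yml"
        - "{{ ansible_distribution }}.yml"
      skip: true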

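# Drop the apt configuration snippet 02no-recommends into apt.conf.d (going by
# the task name it switches off Recommends/Suggests; the file content is not
# part of this task list). Because dest ends in a slash, the file keeps its
# source name inside that directory.
# Owner, group and mode are pinned so the permissions of this apt
# configuration file do not depend on the umask in effect on the target.
- name: disable recommends and suggests
  copy:
    src: 02no-recommends
    dest: /etc/apt/apt.conf.d/
    owner: root
    group: root
    mode: "0644"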

# Baseline tool set installed on every host this role is applied to. The whole
# list is handed to the apt module in a single call.
# NOTE(review): tcpdump and iptraf-ng are packet-capture/monitoring tools;
# hosts that never need on-box captures could leave them out to keep the
# installed footprint small.
- name: install base system tools
  apt:
    state: present
    name:
      - htop
      - dstat
      - lsof
      - gawk
      - psmisc
      - less
      - debian-goodies
      - screen
      - mtr-tiny
      - tcpdump
      - iptraf-ng
      - unp
      - dbus
      - libpam-systemd
      - aptitude
      - ca-certificates
      - file
      - man-db
      - manpages
      - nano


# Entropy daemon, variant "rngd": runs only when base_entropy_generator is
# exactly 'rngd'. Installs the package named by base_rngd_package_name and
# purges haveged, so only one of the two daemons stays installed.
# A value other than 'rngd' or 'haveged' matches neither this block nor the
# haveged block; in that case nothing is installed and nothing is removed.
- name: install rngd
  when: base_entropy_generator == 'rngd'
  block:
    - name: install rngd
      apt:
        state: present
        name: "{{ base_rngd_package_name }}"

    # purge also removes the package's configuration files
    - name: make sure haveged is removed/purged
      apt:
        state: absent
        purge: true
        name: haveged


# Entropy daemon, variant "haveged": runs only when base_entropy_generator is
# exactly 'haveged'. Mirror image of the rngd block: installs haveged and
# purges the package named by base_rngd_package_name.
- name: install haveged
  when: base_entropy_generator == 'haveged'
  block:
    - name: install haveged
      apt:
        state: present
        name: haveged

    # purge also removes the package's configuration files
    - name: make sure rngd is removed/purged
      apt:
        state: absent
        purge: true
        name: "{{ base_rngd_package_name }}"


# Set "startup_message off" in the system-wide screenrc. lineinfile replaces
# the last line matching the regexp, or appends the line when nothing matches.
# The mode is given as a quoted string so it is passed through as octal text
# instead of relying on YAML's implicit octal parsing.
- name: Remove startup message from screen
  tags:
    - screen
  lineinfile:
    path: /etc/screenrc
    regexp: "^startup_message"
    line: "startup_message off"
    mode: "0644"

# Step 1 of 2: create the htop configuration directory for root and in
# /etc/skel (the skeleton copied into newly created home directories).
# The directory is only accessible by its owner (0700).
- name: install htop config (1/2)
  file:
    path: "{{ item }}/.config/htop/"
    state: directory
    mode: "0700"
  loop:
    - /root
    - /etc/skel

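# Step 2 of 2: copy the shared htoprc into the directories created in step 1.
# global_files_dir is defined outside this file. Because dest ends in a slash,
# the file keeps its source name (htoprc).
# The mode is set explicitly so the result does not depend on the umask of the
# target; the copy under /etc/skel is what new users inherit.
- name: install htop config (2/2)
  loop:
    - /root
    - /etc/skel
  copy:
    src: "{{ global_files_dir }}/common/htoprc"
    dest: "{{ item }}/.config/htop/"
    mode: "0644"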

# Lock down root's home directory: owned by root:root and accessible by the
# owner only. The mode is quoted so it is read as octal text.
- name: Ensure /root is not world accessible
  file:
    path: /root
    state: directory
    owner: root
    group: root
    mode: "0700"

# Write one "install <module> /bin/true" line per entry of the combined
# net/fs/misc lists in modules_blacklist. With such a line modprobe runs
# /bin/true instead of loading the module.
# Caveats for whoever relies on this as a hardening control:
#  - a module that is already loaded stays loaded until it is removed or the
#    host reboots;
#  - lineinfile only ever adds lines here, so an entry dropped from
#    modules_blacklist remains in disablemod.conf until it is deleted by hand.
- name: disable net/fs/misc kernel modules
  lineinfile:
    path: /etc/modprobe.d/disablemod.conf
    line: "install {{ item }} /bin/true"
    create: true
    owner: root
    group: root
    mode: "0644"
  loop: "{{ modules_blacklist.net | union(modules_blacklist.fs) | union(modules_blacklist.misc) }}"

# Apply every key/value pair of sysctl_config, after merging
# sysctl_config_user on top of it: on a key collision the value from
# sysctl_config_user wins, so a host or group can override (and thereby also
# weaken) a setting from the base set.
# Each value is written to the sysctl configuration, set on the running
# kernel (sysctl_set) and the file is reloaded when it changed (reload).
# NOTE(review): ignoreerrors suppresses errors about unknown keys, so a
# hardening setting the running kernel does not know is skipped without
# failing the play; check the effective values on the host if the setting
# matters.
- name: Change various sysctl-settings, look at the sysctl-vars file for documentation
  sysctl:
    name: "{{ item.key }}"
    value: "{{ item.value }}"
    state: present
    sysctl_set: true
    reload: true
    ignoreerrors: true
  loop: "{{ sysctl_config | combine(sysctl_config_user) | dict2items }}"
  loop_control:
    label: "{{ item.key }} = {{ item.value }}"

# Install additional packages: the union of base_packages_extra_host and
# base_packages_extra_group (going by the names, a per-host and a per-group
# list), with duplicates dropped by the union filter. Both variables have to
# be defined for the expression to render.
- name: install extra packages
  apt:
    state: present
    name: "{{ base_packages_extra_host | union(base_packages_extra_group) }}"

# Set GRUB_CMDLINE_LINUX in /etc/default/grub to the space-joined entries of
# install.kernel_cmdline; skipped unless that variable is defined. The regexp
# also matches a commented-out assignment, and the "=" right after the name
# keeps it from matching GRUB_CMDLINE_LINUX_DEFAULT. A change notifies the
# "update grub" handler, which is defined outside this file.
# NOTE(review): /etc/default/grub is read as shell, and the joined value ends
# up inside a double-quoted string without any escaping. Entries containing
# double quotes, "$", backticks or backslashes would alter how that line is
# parsed, so install.kernel_cmdline should only come from trusted inventory.
- name: set kernel command line options
  when: install is defined and install.kernel_cmdline is defined
  notify: update grub
  lineinfile:
    path: /etc/default/grub
    regexp: '^#?GRUB_CMDLINE_LINUX='
    line: 'GRUB_CMDLINE_LINUX="{{ install.kernel_cmdline | join(" ") }}"'