path: root/roles/core/base/tasks/Debian.yml

---
- name: disable recommends, suggests and pdiffs
  loop:
  - 02no-recommends
  - 02no-pdiffs
  copy:
    src: "{{ item }}"
    dest: /etc/apt/apt.conf.d/

- name: disable phased updates for Ubuntu
  when: 'ansible_distribution == "Ubuntu"'
  copy:
    content: |
      Update-Manager::Always-Include-Phased-Updates "true";
      APT::Get::Always-Include-Phased-Updates "true";
    dest: /etc/apt/apt.conf.d/03no-phased-updates

- name: install base system tools
  apt:
    name:
    - htop
    - lsof
    - gawk
    - psmisc
    - less
    - debian-goodies
    - screen
    - mtr-tiny
    - tcpdump
    - iptraf-ng
    - ethtool
    - unp
    - zstd
    - dbus
    - libpam-systemd
    - aptitude
    - ca-certificates
    - file
    - man-db
    - manpages
    - nano
    - curl
    - wget
    - iotop-c
    - bwm-ng
    - tzdata
    state: present

  ## TODO: install dool on newer systems... or all of them. From which package source??
- name: install dstat for older systems only
  when: (ansible_distribution == 'Debian' and (ansible_distribution_release | debian_release_compare('<', 'trixie'))) or
        (ansible_distribution == 'Ubuntu' and (ansible_distribution_release | ubuntu_release_compare('<', 'noble')))
  apt:
    name: dstat
    state: present

- name: install extra packages
  apt:
    name: "{{ base_packages_extra }}"
    state: present

- name: install rngd
  when: base_entropy_generator == 'rngd'
  block:
  - name: install rngd
    apt:
      name: rng-tools5
      state: present

  - name: make sure haveged and legacy rngd versions are removed/purged
    apt:
      name:
      - haveged
      - rng-tools
      - rng-tools-debian
      state: absent
      purge: yes


- name: install haveged
  when: base_entropy_generator == 'haveged'
  block:
  - name: install haveged
    apt:
      name: haveged
      state: present

  - name: make sure rngd is removed/purged
    apt:
      name:
      - rng-tools
      - rng-tools5
      - rng-tools-debian
      state: absent
      purge: yes


- name: Ensure /root is not world accessible
  file:
    path: /root
    mode: 0700
    owner: root
    group: root
    state: directory

- name: disable net/fs/misc kernel modules
  copy:
    content: |
      {% for item in (base_modules_blacklist | map('extract', base_modules_blacklist_) | flatten | sort | list) %}
      install {{ item }} /bin/true
      {% endfor %}
    dest: /etc/modprobe.d/disablemod.conf
    owner: root
    group: root
    mode: 0644

- name: Change various sysctl-settings, look at the sysctl-vars file for documentation
  loop: "{{ base_sysctl_config | combine(base_sysctl_config_user) | dict2items }}"
  loop_control:
    label: "{{ item.key }} = {{ item.value }}"
  sysctl:
    name: "{{ item.key }}"
    value: "{{ item.value }}"
    sysctl_set: yes
    state: present
    reload: yes
    ignoreerrors: yes

- name: set kernel command line options
  when: install is defined and install.kernel_cmdline is defined
  lineinfile:
    path: /etc/default/grub
    regexp: '^#?GRUB_CMDLINE_LINUX='
    line: 'GRUB_CMDLINE_LINUX="{{ install.kernel_cmdline | join(" ") }}"'
  notify: update grub

  ## see https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1814403
- name: lower grub recordfail timeout for ubuntu/efi systems
  when:
  - ansible_distribution == "Ubuntu"
  - install.efi | default(false)
  lineinfile:
    path: /etc/default/grub
    regexp: '^#?GRUB_RECORDFAIL_TIMEOUT='
    line: 'GRUB_RECORDFAIL_TIMEOUT="3"'
    insertafter: '^#?GRUB_TIMEOUT='
  notify: update grub

- name: apply stability fix/workaround for machines using intel NIC
  when: base_intel_nic_stability_fix
  import_tasks: intel-nic.yml

- name: enable/disable fstrim timer
  systemd:
    name: fstrim.timer
    state: "{{ base_enable_fstrim | ternary('started', 'stopped') }}"
    enabled: "{{ base_enable_fstrim }}"

- name: remove cloud-init bullshit
  loop:
  - /var/log/cloud-init.log
  - /var/log/cloud-init-output.log
  - /etc/ssh/sshd_config.d/50-cloud-init.conf
  file:
    path: "{{ item }}"
    state: absent