blob: 2d6bb3640f768e094cb1eeebafd54cfd3ddf836e (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
|
---
- name: disable recommends, suggests and pdiffs
loop:
- 02no-recommends
- 02no-pdiffs
copy:
src: "{{ item }}"
dest: /etc/apt/apt.conf.d/
- name: disable phased updates for Ubuntu
when: 'ansible_distribution == "Ubuntu"'
copy:
content: |
Update-Manager::Always-Include-Phased-Updates "true";
APT::Get::Always-Include-Phased-Updates "true";
dest: /etc/apt/apt.conf.d/03no-phased-updates
- name: install base system tools
apt:
name:
- htop
- dstat
- lsof
- gawk
- psmisc
- less
- debian-goodies
- screen
- mtr-tiny
- tcpdump
- iptraf-ng
- ethtool
- unp
- zstd
- dbus
- libpam-systemd
- aptitude
- ca-certificates
- file
- man-db
- manpages
- nano
- curl
- wget
- iotop-c
- bwm-ng
state: present
- name: install extra packages
apt:
name: "{{ base_packages_extra_host | union(base_packages_extra_group) }}"
state: present
- name: install rngd
when: base_entropy_generator == 'rngd'
block:
- name: install rngd
apt:
name: rng-tools5
state: present
- name: make sure haveged and legacy rngd versions are removed/purged
apt:
name:
- haveged
- rng-tools
- rng-tools-debian
state: absent
purge: yes
- name: install haveged
when: base_entropy_generator == 'haveged'
block:
- name: install haveged
apt:
name: haveged
state: present
- name: make sure rngd is removed/purged
apt:
name:
- rng-tools
- rng-tools5
- rng-tools-debian
state: absent
purge: yes
- name: Ensure /root is not world accessible
file:
path: /root
mode: 0700
owner: root
group: root
state: directory
- name: disable net/fs/misc kernel modules
copy:
content: |
{% for item in (base_modules_blacklist | map('extract', base_modules_blacklist_) | flatten | sort | list) %}
install {{ item }} /bin/true
{% endfor %}
dest: /etc/modprobe.d/disablemod.conf
owner: root
group: root
mode: 0644
- name: Change various sysctl-settings, look at the sysctl-vars file for documentation
loop: "{{ base_sysctl_config | combine(base_sysctl_config_user) | dict2items }}"
loop_control:
label: "{{ item.key }} = {{ item.value }}"
sysctl:
name: "{{ item.key }}"
value: "{{ item.value }}"
sysctl_set: yes
state: present
reload: yes
ignoreerrors: yes
- name: set kernel command line options
when: install is defined and install.kernel_cmdline is defined
lineinfile:
path: /etc/default/grub
regexp: '^#?GRUB_CMDLINE_LINUX='
line: 'GRUB_CMDLINE_LINUX="{{ install.kernel_cmdline | join(" ") }}"'
notify: update grub
## see https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1814403
- name: lower grub recordfail timeout for ubuntu/efi systems
when:
- ansible_distribution == "Ubuntu"
- install.efi | default(false)
lineinfile:
path: /etc/default/grub
regexp: '^#?GRUB_RECORDFAIL_TIMEOUT='
line: 'GRUB_RECORDFAIL_TIMEOUT="3"'
insertafter: '^#?GRUB_TIMEOUT='
notify: update grub
- name: apply stability fix/workaround for machines using intel NIC
when: base_intel_nic_stability_fix
import_tasks: intel-nic.yml
- name: enable/disable fstrim timer
systemd:
name: fstrim.timer
state: "{{ base_enable_fstrim | ternary('started', 'stopped') }}"
enabled: "{{ base_enable_fstrim }}"
|