You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
187 lines
4.5 KiB
187 lines
4.5 KiB
- name: Set locale
|
|
lineinfile:
|
|
path: /etc/locale.gen
|
|
line: en_US.UTF-8 UTF-8
|
|
state: present
|
|
create: yes
|
|
notify:
|
|
- locale gen
|
|
- update locale
|
|
|
|
- name: Set timezone to America/Denver
|
|
file:
|
|
src: /usr/share/zoneinfo/America/Denver
|
|
dest: /etc/localtime
|
|
state: link
|
|
force: yes
|
|
owner: root
|
|
group: root
|
|
notify: restart cron
|
|
|
|
# Set up iptables
|
|
- name: Configure iptables
|
|
include_role:
|
|
name: mikegleasonjr.firewall
|
|
|
|
- name: Set up APT
|
|
apt_repository:
|
|
repo: "{{ item }}"
|
|
state: present
|
|
with_items:
|
|
- deb http://mirrors.kernel.org/debian/ buster main
|
|
- deb http://mirrors.kernel.org/debian/ buster-updates main
|
|
- deb http://security.debian.org/ buster/updates main
|
|
#- deb http://mirrors.kernel.org/debian/ buster-backports main
|
|
|
|
# Make apt use IPv4
|
|
- name: Make apt use IPv4
|
|
lineinfile:
|
|
path: /etc/apt/apt.conf.d/99force-ipv4
|
|
line: 'Acquire::ForceIPv4 "true";'
|
|
state: present
|
|
insertafter: EOF
|
|
create: yes
|
|
|
|
# Upgrade server
|
|
- name: Upgrade server
|
|
apt:
|
|
upgrade: dist
|
|
dpkg_options: 'force-confdef,force-confnew'
|
|
update_cache: yes
|
|
|
|
- name: Install utilities
|
|
apt:
|
|
name: "{{ item }}"
|
|
dpkg_options: 'force-confdef,force-confnew'
|
|
update_cache: yes
|
|
with_items:
|
|
- apt-transport-https
|
|
#- bind9-host
|
|
- bzip2
|
|
- ca-certificates
|
|
- colordiff
|
|
- curl
|
|
- debian-archive-keyring
|
|
- exuberant-ctags
|
|
- git
|
|
- less
|
|
- locales
|
|
- lsb-release
|
|
- man-db
|
|
- manpages
|
|
- molly-guard
|
|
- net-tools
|
|
- ntp
|
|
- openssh-server
|
|
- python3
|
|
- rsync
|
|
- telnet
|
|
- traceroute
|
|
- vim
|
|
- vim-scripts
|
|
|
|
# Small user tweaks
|
|
- name: Update vimrc
|
|
lineinfile:
|
|
path: ~/.vimrc
|
|
line: ':syntax on'
|
|
state: present
|
|
insertafter: EOF
|
|
create: yes
|
|
|
|
- name: Update .bashrc
|
|
lineinfile:
|
|
path: /root/.bashrc
|
|
line: 'export EDITOR=vi'
|
|
state: present
|
|
insertafter: EOF
|
|
create: yes
|
|
|
|
# XXX Passwordless sudo XXX Ya, probably remove
|
|
- name: Passwordless sudo
|
|
lineinfile:
|
|
path: /etc/sudoers
|
|
regexp: '^%sudo[\t]ALL=\(ALL:ALL\) ALL'
|
|
line: '%sudo ALL=(ALL) NOPASSWD: ALL'
|
|
state: present
|
|
|
|
# SSH Config
|
|
- name: SSH Configuration
|
|
lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '{{ item.find }}'
|
|
line: '{{ item.replace }}'
|
|
state: present
|
|
with_items:
|
|
- {find: '^.*PermitRootLogin.*', replace: 'PermitRootLogin no'}
|
|
- {find: '^.*PasswordAuthentication.*', replace: 'PasswordAuthentication no'}
|
|
- {find: '^.*RSAAuthentication.*', replace: 'RSAAuthentication no'}
|
|
- {find: '^.*X11Forwarding.*', replace: 'X11Forwarding no'}
|
|
notify:
|
|
- restart ssh
|
|
|
|
- name: Adding SSH configuration to the end of file
|
|
blockinfile:
|
|
path: /etc/ssh/sshd_config
|
|
state: present
|
|
block: |
|
|
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
|
AllowUsers jebba
|
|
notify:
|
|
- restart ssh
|
|
|
|
# Startup XXX disable as unneeded
|
|
# To disable additional services
|
|
# Add more "- service_name" lines as needed
|
|
- name: Disabling unneeded services
|
|
service:
|
|
name: "{{ item }}"
|
|
enabled: no
|
|
with_items:
|
|
- rsync
|
|
|
|
# Disable IPv6 in Grub
|
|
- name: Disabling IPv6 in Grub
|
|
lineinfile:
|
|
path: /etc/default/grub
|
|
regexp: '{{ item.find }}'
|
|
line: '{{ item.replace }}'
|
|
state: present
|
|
with_items:
|
|
- { find: '^.*?GRUB_TIMEOUT=.*', replace: 'GRUB_TIMEOUT=1'}
|
|
- { find: '^.*?GRUB_CMDLINE_LINUX=.*', replace: 'GRUB_CMDLINE_LINUX="ipv6.disable=1"'}
|
|
- { find: '^.*?GRUB_TERMINAL=.*', replace: 'GRUB_TERMINAL=console'}
|
|
notify:
|
|
- update grub
|
|
|
|
- name: Disable IPv6 in modprobe ipv6 conf file
|
|
lineinfile:
|
|
path: /etc/modprobe.d/ipv6.conf
|
|
line: 'blacklist ipv6'
|
|
state: present
|
|
insertafter: EOF
|
|
create: yes
|
|
|
|
- name: Disable IPv6 in modprobe aliases conf file
|
|
blockinfile:
|
|
path: /etc/modprobe.d/aliases.conf
|
|
block: |
|
|
alias net-pf-10 off
|
|
alias ivp6 off
|
|
insertafter: EOF
|
|
state: present
|
|
create: yes
|
|
|
|
- name: Disable IPv6 with sysctl
|
|
blockinfile:
|
|
path: /etc/sysctl.conf
|
|
block: |
|
|
net.ipv6.conf.all.disable_ipv6 = 1
|
|
net.ipv6.conf.default.disable_ipv6 = 1
|
|
net.ipv6.conf.lo.disable_ipv6 = 1
|
|
insertafter: EOF
|
|
state: present
|
|
notify:
|
|
- sysctl
|