200 lines
4.7 KiB
YAML
200 lines
4.7 KiB
YAML
- name: System - apt update and apt upgrade
|
|
apt: update_cache=yes upgrade=yes
|
|
when: debpkg_mode or nixpkg_mode
|
|
# SEE http://archive.vn/DKJjs#parameter-upgrade
|
|
|
|
- name: Install required security updates
|
|
apt:
|
|
pkg:
|
|
- tzdata
|
|
- linux-libc-dev
|
|
when: debpkg_mode or nixpkg_mode
|
|
# SEE https://github.com/georchestra/ansible/issues/55#issuecomment-588313638
|
|
# Without this, a similar error is faced
|
|
- name: Install Ansible dependencies
|
|
apt:
|
|
pkg:
|
|
- acl
|
|
when: debpkg_mode or nixpkg_mode
|
|
|
|
- name: Install security tools
|
|
apt:
|
|
pkg:
|
|
- nftables
|
|
- fail2ban
|
|
update_cache: yes
|
|
cache_valid_time: 3600
|
|
when: debpkg_mode or nixpkg_mode
|
|
|
|
- name: Use nftables backend
|
|
shell: |
|
|
update-alternatives --set iptables /usr/sbin/iptables-nft
|
|
update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
|
|
update-alternatives --set arptables /usr/sbin/arptables-nft
|
|
update-alternatives --set ebtables /usr/sbin/ebtables-nft
|
|
systemctl restart ufw
|
|
when: debpkg_mode or nixpkg_mode
|
|
|
|
- name: Create Sysstat log directory
|
|
file:
|
|
path: /var/log/sysstat
|
|
state: directory
|
|
when: debpkg_mode or nixpkg_mode
|
|
|
|
- name: Install other useful tools
|
|
apt:
|
|
pkg:
|
|
- bwm-ng
|
|
- htop
|
|
- net-tools
|
|
- ngrep
|
|
- sysstat
|
|
- vim-tiny
|
|
update_cache: yes
|
|
when: debpkg_mode or nixpkg_mode
|
|
|
|
- name: Configure sysstat
|
|
copy:
|
|
src: files/sysstat.sysstat
|
|
dest: /etc/sysstat/sysstat
|
|
when: debpkg_mode or nixpkg_mode
|
|
|
|
- name: Configure default sysstat
|
|
copy:
|
|
src: files/default.sysstat
|
|
dest: /etc/default/sysstat
|
|
when: debpkg_mode or nixpkg_mode
|
|
|
|
|
|
- name: Adjust APT update intervals
|
|
copy:
|
|
src: files/apt_periodic
|
|
dest: /etc/apt/apt.conf.d/10periodic
|
|
when: debpkg_mode or nixpkg_mode
|
|
|
|
# Find platform architecture and set as a variable
|
|
- name: finding platform architecture
|
|
shell: if [ $(uname -m) = "aarch64" ]; then echo "arm64"; else echo "amd64"; fi
|
|
register: platform_output
|
|
tags:
|
|
- update
|
|
- update-only
|
|
- set_fact:
|
|
platform: "{{ platform_output.stdout }}"
|
|
tags:
|
|
- update
|
|
- update-only
|
|
when: debpkg_mode or nixpkg_mode or stage2_nix
|
|
|
|
- name: create overrides dir
|
|
file:
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
path: /etc/systemd/system/systemd-resolved.service.d
|
|
mode: '0700'
|
|
when: debpkg_mode or nixpkg_mode
|
|
|
|
- name: Custom systemd overrides for resolved
|
|
copy:
|
|
src: files/systemd-resolved.conf
|
|
dest: /etc/systemd/system/systemd-resolved.service.d/override.conf
|
|
when: debpkg_mode or nixpkg_mode
|
|
|
|
- name: System - Create services.slice
|
|
template:
|
|
src: files/services.slice.j2
|
|
dest: /etc/systemd/system/services.slice
|
|
when: debpkg_mode or nixpkg_mode
|
|
|
|
|
|
- name: System - systemd reload
|
|
systemd: daemon_reload=yes
|
|
when: debpkg_mode or nixpkg_mode
|
|
|
|
- name: Configure journald
|
|
copy:
|
|
src: files/journald.conf
|
|
dest: /etc/systemd/journald.conf
|
|
when: debpkg_mode or nixpkg_mode
|
|
|
|
- name: reload systemd-journald
|
|
systemd:
|
|
name: systemd-journald
|
|
state: restarted
|
|
when: debpkg_mode or nixpkg_mode
|
|
|
|
- name: Configure logind
|
|
copy:
|
|
src: files/logind.conf
|
|
dest: /etc/systemd/logind.conf
|
|
when: debpkg_mode or nixpkg_mode
|
|
|
|
- name: reload systemd-logind
|
|
systemd:
|
|
name: systemd-logind
|
|
state: restarted
|
|
when: debpkg_mode or nixpkg_mode
|
|
|
|
- name: enable timestamps for shell history
|
|
copy:
|
|
content: |
|
|
export HISTTIMEFORMAT='%d/%m/%y %T '
|
|
dest: /etc/profile.d/09-history-timestamps.sh
|
|
mode: 0644
|
|
owner: root
|
|
group: root
|
|
when: debpkg_mode or nixpkg_mode
|
|
|
|
- name: set hosts file
|
|
copy:
|
|
content: |
|
|
127.0.0.1 localhost
|
|
::1 localhost
|
|
dest: /etc/hosts
|
|
mode: 0644
|
|
owner: root
|
|
group: root
|
|
when: debpkg_mode or stage2_nix
|
|
|
|
#Set Sysctl params for restarting the OS on oom after 10
|
|
- name: Set vm.panic_on_oom=1
|
|
ansible.builtin.sysctl:
|
|
name: vm.panic_on_oom
|
|
value: '1'
|
|
state: present
|
|
reload: yes
|
|
when: debpkg_mode or nixpkg_mode
|
|
|
|
- name: Set kernel.panic=10
|
|
ansible.builtin.sysctl:
|
|
name: kernel.panic
|
|
value: '10'
|
|
state: present
|
|
reload: yes
|
|
when: debpkg_mode or nixpkg_mode
|
|
|
|
- name: configure system
|
|
ansible.posix.sysctl:
|
|
name: 'net.core.somaxconn'
|
|
value: 16834
|
|
|
|
- name: configure system
|
|
ansible.posix.sysctl:
|
|
name: 'net.ipv4.ip_local_port_range'
|
|
value: '1025 65000'
|
|
|
|
#Set Sysctl params specific to keepalives
|
|
- name: Set net.ipv4.tcp_keepalive_time=1800
|
|
ansible.builtin.sysctl:
|
|
name: net.ipv4.tcp_keepalive_time
|
|
value: 1800
|
|
state: present
|
|
when: debpkg_mode or nixpkg_mode
|
|
- name: Set net.ipv4.tcp_keepalive_intvl=60
|
|
ansible.builtin.sysctl:
|
|
name: net.ipv4.tcp_keepalive_intvl
|
|
value: 60
|
|
state: present
|
|
when: debpkg_mode or nixpkg_mode
|