diff --git a/ansible/add-user.yml b/ansible/add-user.yml index 0018db5..1f5e8ce 100644 --- a/ansible/add-user.yml +++ b/ansible/add-user.yml @@ -4,16 +4,17 @@ remote_user: root any_errors_fatal: yes tasks: - - name: dnf install packages - dnf: - name: ["zsh", "wget", "git"] - state: latest + - name: add root ssh key + ansible.posix.authorized_key: + user: root + state: present + key: "{{ lookup('file', '../ssh_pub') }}" - name: add user user: name: quackerd - password: "{{ password | password_hash('sha512', salt) }}" - shell: /usr/bin/sh + password: "{{ user_password | password_hash('sha512', user_salt) }}" + shell: /bin/sh groups: wheel append: yes state: present @@ -23,26 +24,3 @@ user: quackerd state: present key: "{{ lookup('file', '../ssh_pub') }}" - - - name: download ozsh script - get_url: - url: "https://git.quacker.org/d/ozsh/raw/branch/master/setup.sh" - dest: "/home/quackerd/setup.sh" - - - name: configure user shell - become: yes - become_user: quackerd - shell: - cmd: "sh /home/quackerd/setup.sh" - creates: "/home/quackerd/.zshrc" - - - name: cleanup ozsh script - file: - dest: "/home/quackerd/setup.sh" - state: absent - - - name: chsh to zsh - user: - name: quackerd - shell: /usr/bin/zsh - state: present \ No newline at end of file diff --git a/ansible/pkg-ssh-firewall.yml b/ansible/pkg-ssh-firewall.yml index 47dabf0..1c30046 100644 --- a/ansible/pkg-ssh-firewall.yml +++ b/ansible/pkg-ssh-firewall.yml @@ -47,22 +47,18 @@ PermitRootLogin without-password PasswordAuthentication yes - - name: enable selinux - lineinfile: - path: "/etc/selinux/config" - regexp: "^(#)?{{item.key}}=.*" - line: "{{item.key}}={{item.value}}" - state: present - loop: - - { key: "SELINUX", value: "enforcing" } - - name: configure selinux seport: ports: 77 proto: tcp setype: ssh_port_t state: present - + + - name: start selinux + ansible.posix.selinux: + policy: targeted + state: enforcing + - name: allow ssh port in firewalld ansible.posix.firewalld: port: 77/tcp diff --git a/ansible/rhel/setup.yml b/ansible/rhel/setup.yml new file mode 100644 index 0000000..478a6c5 --- /dev/null +++ b/ansible/rhel/setup.yml @@ -0,0 +1,229 @@ +- hosts: '{{ target }}' + gather_facts: true + become: true + remote_user: root + any_errors_fatal: yes + tasks: + - name: dnf update + dnf: + name: "*" + state: latest + + - name: add root ssh key + ansible.posix.authorized_key: + user: root + state: present + key: "{{ lookup('file', '../../ssh_pub') }}" + + - name: add user + user: + name: quackerd + password: "{{ user_password | password_hash('sha512', user_salt) }}" + shell: /bin/sh + groups: wheel + append: yes + state: present + + - name: add user ssh key + ansible.posix.authorized_key: + user: quackerd + state: present + key: "{{ lookup('file', '../../ssh_pub') }}" + + - name: stop firewalld + service: + name: firewalld + state: stopped + + - name: dnf install epel repo + dnf: + name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm" + state: present + disable_gpg_check: yes + + - name: dnf install zfs repo + dnf: + name: "https://zfsonlinux.org/epel/zfs-release.el8_3.noarch.rpm" + state: present + disable_gpg_check: yes + + - name: dnf install elrepo repo + dnf: + name: "https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm" + state: present + disable_gpg_check: yes + + - name: dnf install docker repo + get_url: + url: "https://download.docker.com/linux/centos/docker-ce.repo" + dest: "/etc/yum.repos.d/docker-ce.repo" + + - name: dnf update + dnf: + name: "*" + state: latest + + - name: dnf remove cockpit + dnf: + name: "cockpit" + state: absent + + - name: dnf install pkgs + dnf: + name: ['python3', 'python3-jinja2', 'python3-pip', 'docker-ce', 'zfs', 'git', 'vim', 'curl', 'wget', 'yum-utils', 'dnf-automatic', 'mailx', 'lldpd', 'xauth', 'virt-manager', 'kmod-wireguard', 'lzop', 'mbuffer', 'mhash', 'pv', 'perl-Data-Dumper', 'perl-CPAN'] + state: latest + + - name: dnf install virt group + dnf: + name: '@Virtualization Host' + state: present + + - name: updating pip + pip: + executable: "/usr/bin/pip3" + state: latest + name: "pip" + + - name: pip instal docker-compose + pip: + executable: "/usr/bin/pip3" + state: latest + name: "docker-compose" + + - name: symlinking docker-compose + file: + src: "/usr/local/bin/docker-compose" + dest: "/usr/bin/docker-compose" + state: link + + - name: CPAN install Config-IniFiles + community.general.cpanm: + name: Config::IniFiles + + - name: CPAN install Capture-Tiny + community.general.cpanm: + name: Capture::Tiny + + - name: configure sshd + lineinfile: + path: "/etc/ssh/sshd_config" + regexp: "^(#)?{{item.key}}" + line: "{{item.key}} {{item.value}}" + state: present + validate: "/usr/sbin/sshd -t -f %s" + loop: + - { key: "PermitRootLogin", value: "no" } + - { key: "PasswordAuthentication", value: "no" } + - { key: "Port", value: "77" } + + - name: configure sshd match + blockinfile: + path: "/etc/ssh/sshd_config" + state: present + validate: "/usr/sbin/sshd -t -f %s" + block: | + Match Address 129.97.75.0/24 + PermitRootLogin without-password + PasswordAuthentication yes + + - name: configure ssh_port_t selinux + seport: + ports: 77 + proto: tcp + setype: ssh_port_t + state: present + + - name: allow ssh port in firewalld + ansible.posix.firewalld: + port: 77/tcp + permanent: yes + state: enabled + offline: yes + + - name: disallow cockpit in firewalld + ansible.posix.firewalld: + service: cockpit + permanent: yes + state: disabled + offline: yes + + - name: disallow dhcpv6-client in firewalld + ansible.posix.firewalld: + service: dhcpv6-client + permanent: yes + state: disabled + offline: yes + + - name: disallow default ssh port + ansible.posix.firewalld: + service: ssh + permanent: yes + state: disabled + offline: yes + + - name: start firewalld + service: + name: firewalld + state: started + enabled: yes + + - name: start and disable docker + service: + name: docker + state: started + enabled: no + + - name: start and disable libvirtd + service: + name: libvirtd + state: started + enabled: no + + - name: start and enable lldpd + service: + name: lldpd + state: started + enabled: yes + + - name: reload sshd + service: + name: sshd + state: reloaded + + - name: configure dnf-automatic + lineinfile: + path: "/etc/dnf/automatic.conf" + regexp: "^(#)?\\s*{{item.key}}" + line: "{{item.key}} = {{item.value}}" + state: present + loop: + - { key: "upgrade_type", value: "default" } + - { key: "download_updates", value: "yes" } + - { key: "apply_updates", value: "no" } + - { key: "emit_via", value: "command_email" } + - { key: "command_format", value: "\"mail -Ssendwait -s {subject} {email_to}\"" } + - { key: "stdin_format", value: "\"{body}\"" } + - { key: "email_to", value: "sys@quacker.org" } + - { key: "email_from", value: "no-reply@quacker.org" } + + - name: configure mailx + lineinfile: + path: "/etc/mail.rc" + regexp: "^set\\s*{{item.key}}\\s*=.*" + line: "set {{item.key}}={{item.value}}" + state: present + loop: + - { key: "smtp", value: "smtps://mx.quacker.org:465" } + - { key: "smtp-auth", value: "login" } + - { key: "smtp-auth-user", value: "no-reply@quacker.org" } + - { key: "smtp-auth-password", value: "{{ smtp_password }}" } + - { key: "from", value: "no-reply@quacker.org" } + + - name: send test email + ansible.builtin.shell: "echo \"test email from {{ target }}\" | mail -s \"test email from {{ target }}\" sys@quacker.org" + + - name: enable dnf-automatic + service: + name: dnf-automatic.timer + enabled: yes + state: started \ No newline at end of file