rhel setup
This commit is contained in:
parent
f1d5f8b686
commit
3b7e6bfe33
|
@ -4,16 +4,17 @@
|
||||||
remote_user: root
|
remote_user: root
|
||||||
any_errors_fatal: yes
|
any_errors_fatal: yes
|
||||||
tasks:
|
tasks:
|
||||||
- name: dnf install packages
|
- name: add root ssh key
|
||||||
dnf:
|
ansible.posix.authorized_key:
|
||||||
name: ["zsh", "wget", "git"]
|
user: root
|
||||||
state: latest
|
state: present
|
||||||
|
key: "{{ lookup('file', '../ssh_pub') }}"
|
||||||
|
|
||||||
- name: add user
|
- name: add user
|
||||||
user:
|
user:
|
||||||
name: quackerd
|
name: quackerd
|
||||||
password: "{{ password | password_hash('sha512', salt) }}"
|
password: "{{ user_password | password_hash('sha512', user_salt) }}"
|
||||||
shell: /usr/bin/sh
|
shell: /bin/sh
|
||||||
groups: wheel
|
groups: wheel
|
||||||
append: yes
|
append: yes
|
||||||
state: present
|
state: present
|
||||||
|
@ -23,26 +24,3 @@
|
||||||
user: quackerd
|
user: quackerd
|
||||||
state: present
|
state: present
|
||||||
key: "{{ lookup('file', '../ssh_pub') }}"
|
key: "{{ lookup('file', '../ssh_pub') }}"
|
||||||
|
|
||||||
- name: download ozsh script
|
|
||||||
get_url:
|
|
||||||
url: "https://git.quacker.org/d/ozsh/raw/branch/master/setup.sh"
|
|
||||||
dest: "/home/quackerd/setup.sh"
|
|
||||||
|
|
||||||
- name: configure user shell
|
|
||||||
become: yes
|
|
||||||
become_user: quackerd
|
|
||||||
shell:
|
|
||||||
cmd: "sh /home/quackerd/setup.sh"
|
|
||||||
creates: "/home/quackerd/.zshrc"
|
|
||||||
|
|
||||||
- name: cleanup ozsh script
|
|
||||||
file:
|
|
||||||
dest: "/home/quackerd/setup.sh"
|
|
||||||
state: absent
|
|
||||||
|
|
||||||
- name: chsh to zsh
|
|
||||||
user:
|
|
||||||
name: quackerd
|
|
||||||
shell: /usr/bin/zsh
|
|
||||||
state: present
|
|
|
@ -47,22 +47,18 @@
|
||||||
PermitRootLogin without-password
|
PermitRootLogin without-password
|
||||||
PasswordAuthentication yes
|
PasswordAuthentication yes
|
||||||
|
|
||||||
- name: enable selinux
|
|
||||||
lineinfile:
|
|
||||||
path: "/etc/selinux/config"
|
|
||||||
regexp: "^(#)?{{item.key}}=.*"
|
|
||||||
line: "{{item.key}}={{item.value}}"
|
|
||||||
state: present
|
|
||||||
loop:
|
|
||||||
- { key: "SELINUX", value: "enforcing" }
|
|
||||||
|
|
||||||
- name: configure selinux
|
- name: configure selinux
|
||||||
seport:
|
seport:
|
||||||
ports: 77
|
ports: 77
|
||||||
proto: tcp
|
proto: tcp
|
||||||
setype: ssh_port_t
|
setype: ssh_port_t
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
|
- name: start selinux
|
||||||
|
ansible.posix.selinux:
|
||||||
|
policy: targeted
|
||||||
|
state: enforcing
|
||||||
|
|
||||||
- name: allow ssh port in firewalld
|
- name: allow ssh port in firewalld
|
||||||
ansible.posix.firewalld:
|
ansible.posix.firewalld:
|
||||||
port: 77/tcp
|
port: 77/tcp
|
||||||
|
|
|
@ -0,0 +1,229 @@
|
||||||
|
- hosts: '{{ target }}'
|
||||||
|
gather_facts: true
|
||||||
|
become: true
|
||||||
|
remote_user: root
|
||||||
|
any_errors_fatal: yes
|
||||||
|
tasks:
|
||||||
|
- name: dnf update
|
||||||
|
dnf:
|
||||||
|
name: "*"
|
||||||
|
state: latest
|
||||||
|
|
||||||
|
- name: add root ssh key
|
||||||
|
ansible.posix.authorized_key:
|
||||||
|
user: root
|
||||||
|
state: present
|
||||||
|
key: "{{ lookup('file', '../../ssh_pub') }}"
|
||||||
|
|
||||||
|
- name: add user
|
||||||
|
user:
|
||||||
|
name: quackerd
|
||||||
|
password: "{{ user_password | password_hash('sha512', user_salt) }}"
|
||||||
|
shell: /bin/sh
|
||||||
|
groups: wheel
|
||||||
|
append: yes
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: add user ssh key
|
||||||
|
ansible.posix.authorized_key:
|
||||||
|
user: quackerd
|
||||||
|
state: present
|
||||||
|
key: "{{ lookup('file', '../../ssh_pub') }}"
|
||||||
|
|
||||||
|
- name: stop firewalld
|
||||||
|
service:
|
||||||
|
name: firewalld
|
||||||
|
state: stopped
|
||||||
|
|
||||||
|
- name: dnf install epel repo
|
||||||
|
dnf:
|
||||||
|
name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm"
|
||||||
|
state: present
|
||||||
|
disable_gpg_check: yes
|
||||||
|
|
||||||
|
- name: dnf install zfs repo
|
||||||
|
dnf:
|
||||||
|
name: "https://zfsonlinux.org/epel/zfs-release.el8_3.noarch.rpm"
|
||||||
|
state: present
|
||||||
|
disable_gpg_check: yes
|
||||||
|
|
||||||
|
- name: dnf install elrepo repo
|
||||||
|
dnf:
|
||||||
|
name: "https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm"
|
||||||
|
state: present
|
||||||
|
disable_gpg_check: yes
|
||||||
|
|
||||||
|
- name: dnf install docker repo
|
||||||
|
get_url:
|
||||||
|
url: "https://download.docker.com/linux/centos/docker-ce.repo"
|
||||||
|
dest: "/etc/yum.repos.d/docker-ce.repo"
|
||||||
|
|
||||||
|
- name: dnf update
|
||||||
|
dnf:
|
||||||
|
name: "*"
|
||||||
|
state: latest
|
||||||
|
|
||||||
|
- name: dnf remove cockpit
|
||||||
|
dnf:
|
||||||
|
name: "cockpit"
|
||||||
|
state: absent
|
||||||
|
|
||||||
|
- name: dnf install pkgs
|
||||||
|
dnf:
|
||||||
|
name: ['python3', 'python3-jinja2', 'python3-pip', 'docker-ce', 'zfs', 'git', 'vim', 'curl', 'wget', 'yum-utils', 'dnf-automatic', 'mailx', 'lldpd', 'xauth', 'virt-manager', 'kmod-wireguard', 'lzop', 'mbuffer', 'mhash', 'pv', 'perl-Data-Dumper', 'perl-CPAN']
|
||||||
|
state: latest
|
||||||
|
|
||||||
|
- name: dnf install virt group
|
||||||
|
dnf:
|
||||||
|
name: '@Virtualization Host'
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: updating pip
|
||||||
|
pip:
|
||||||
|
executable: "/usr/bin/pip3"
|
||||||
|
state: latest
|
||||||
|
name: "pip"
|
||||||
|
|
||||||
|
- name: pip instal docker-compose
|
||||||
|
pip:
|
||||||
|
executable: "/usr/bin/pip3"
|
||||||
|
state: latest
|
||||||
|
name: "docker-compose"
|
||||||
|
|
||||||
|
- name: symlinking docker-compose
|
||||||
|
file:
|
||||||
|
src: "/usr/local/bin/docker-compose"
|
||||||
|
dest: "/usr/bin/docker-compose"
|
||||||
|
state: link
|
||||||
|
|
||||||
|
- name: CPAN install Config-IniFiles
|
||||||
|
community.general.cpanm:
|
||||||
|
name: Config::IniFiles
|
||||||
|
|
||||||
|
- name: CPAN install Capture-Tiny
|
||||||
|
community.general.cpanm:
|
||||||
|
name: Capture::Tiny
|
||||||
|
|
||||||
|
- name: configure sshd
|
||||||
|
lineinfile:
|
||||||
|
path: "/etc/ssh/sshd_config"
|
||||||
|
regexp: "^(#)?{{item.key}}"
|
||||||
|
line: "{{item.key}} {{item.value}}"
|
||||||
|
state: present
|
||||||
|
validate: "/usr/sbin/sshd -t -f %s"
|
||||||
|
loop:
|
||||||
|
- { key: "PermitRootLogin", value: "no" }
|
||||||
|
- { key: "PasswordAuthentication", value: "no" }
|
||||||
|
- { key: "Port", value: "77" }
|
||||||
|
|
||||||
|
- name: configure sshd match
|
||||||
|
blockinfile:
|
||||||
|
path: "/etc/ssh/sshd_config"
|
||||||
|
state: present
|
||||||
|
validate: "/usr/sbin/sshd -t -f %s"
|
||||||
|
block: |
|
||||||
|
Match Address 129.97.75.0/24
|
||||||
|
PermitRootLogin without-password
|
||||||
|
PasswordAuthentication yes
|
||||||
|
|
||||||
|
- name: configure ssh_port_t selinux
|
||||||
|
seport:
|
||||||
|
ports: 77
|
||||||
|
proto: tcp
|
||||||
|
setype: ssh_port_t
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: allow ssh port in firewalld
|
||||||
|
ansible.posix.firewalld:
|
||||||
|
port: 77/tcp
|
||||||
|
permanent: yes
|
||||||
|
state: enabled
|
||||||
|
offline: yes
|
||||||
|
|
||||||
|
- name: disallow cockpit in firewalld
|
||||||
|
ansible.posix.firewalld:
|
||||||
|
service: cockpit
|
||||||
|
permanent: yes
|
||||||
|
state: disabled
|
||||||
|
offline: yes
|
||||||
|
|
||||||
|
- name: disallow dhcpv6-client in firewalld
|
||||||
|
ansible.posix.firewalld:
|
||||||
|
service: dhcpv6-client
|
||||||
|
permanent: yes
|
||||||
|
state: disabled
|
||||||
|
offline: yes
|
||||||
|
|
||||||
|
- name: disallow default ssh port
|
||||||
|
ansible.posix.firewalld:
|
||||||
|
service: ssh
|
||||||
|
permanent: yes
|
||||||
|
state: disabled
|
||||||
|
offline: yes
|
||||||
|
|
||||||
|
- name: start firewalld
|
||||||
|
service:
|
||||||
|
name: firewalld
|
||||||
|
state: started
|
||||||
|
enabled: yes
|
||||||
|
|
||||||
|
- name: start and disable docker
|
||||||
|
service:
|
||||||
|
name: docker
|
||||||
|
state: started
|
||||||
|
enabled: no
|
||||||
|
|
||||||
|
- name: start and disable libvirtd
|
||||||
|
service:
|
||||||
|
name: libvirtd
|
||||||
|
state: started
|
||||||
|
enabled: no
|
||||||
|
|
||||||
|
- name: start and enable lldpd
|
||||||
|
service:
|
||||||
|
name: lldpd
|
||||||
|
state: started
|
||||||
|
enabled: yes
|
||||||
|
|
||||||
|
- name: reload sshd
|
||||||
|
service:
|
||||||
|
name: sshd
|
||||||
|
state: reloaded
|
||||||
|
|
||||||
|
- name: configure dnf-automatic
|
||||||
|
lineinfile:
|
||||||
|
path: "/etc/dnf/automatic.conf"
|
||||||
|
regexp: "^(#)?\\s*{{item.key}}"
|
||||||
|
line: "{{item.key}} = {{item.value}}"
|
||||||
|
state: present
|
||||||
|
loop:
|
||||||
|
- { key: "upgrade_type", value: "default" }
|
||||||
|
- { key: "download_updates", value: "yes" }
|
||||||
|
- { key: "apply_updates", value: "no" }
|
||||||
|
- { key: "emit_via", value: "command_email" }
|
||||||
|
- { key: "command_format", value: "\"mail -Ssendwait -s {subject} {email_to}\"" }
|
||||||
|
- { key: "stdin_format", value: "\"{body}\"" }
|
||||||
|
- { key: "email_to", value: "sys@quacker.org" }
|
||||||
|
- { key: "email_from", value: "no-reply@quacker.org" }
|
||||||
|
|
||||||
|
- name: configure mailx
|
||||||
|
lineinfile:
|
||||||
|
path: "/etc/mail.rc"
|
||||||
|
regexp: "^set\\s*{{item.key}}\\s*=.*"
|
||||||
|
line: "set {{item.key}}={{item.value}}"
|
||||||
|
state: present
|
||||||
|
loop:
|
||||||
|
- { key: "smtp", value: "smtps://mx.quacker.org:465" }
|
||||||
|
- { key: "smtp-auth", value: "login" }
|
||||||
|
- { key: "smtp-auth-user", value: "no-reply@quacker.org" }
|
||||||
|
- { key: "smtp-auth-password", value: "{{ smtp_password }}" }
|
||||||
|
- { key: "from", value: "no-reply@quacker.org" }
|
||||||
|
|
||||||
|
- name: send test email
|
||||||
|
ansible.builtin.shell: "echo \"test email from {{ target }}\" | mail -s \"test email from {{ target }}\" sys@quacker.org"
|
||||||
|
|
||||||
|
- name: enable dnf-automatic
|
||||||
|
service:
|
||||||
|
name: dnf-automatic.timer
|
||||||
|
enabled: yes
|
||||||
|
state: started
|
Loading…
Reference in New Issue