ansible

ansible/check-reboot.yml

@@ -1,9 +1,8 @@
-- hosts: all
+- hosts: '{{ target }}'
   gather_facts: true
   become: true
   remote_user: root
   strategy: free
-    #any_errors_fatal: yes
   tasks:
   - name: dnf install needs-restarting
     dnf:
@@ -11,12 +10,6 @@
       state: latest
     when: ansible_facts['os_family'] == 'RedHat' and ansible_facts  ['distribution_major_version'] >= '8'
 
-  - name: yum install needs-restarting
-    yum:
-      name: "yum-utils"
-      state: latest
-    when: ansible_facts['os_family'] == 'RedHat' and ansible_facts ['distribution_major_version'] <= '7'
-
   - name: check reboot
     command: "/usr/bin/needs-restarting -r"
     register: reboot_required

ansible/dnf-automatic.yml

@@ -0,0 +1,48 @@
+- hosts: '{{ target }}'
+  gather_facts: false
+  become: true
+  remote_user: root
+  tasks:
+  - name: dnf install
+    dnf:
+      name: ['dnf-automatic', 'mailx']
+      state: latest
+      update_cache: True
+
+  - name: configure dnf-automatic
+    lineinfile:
+      path: "/etc/dnf/automatic.conf"
+      regexp: "^(#)?\\s*{{item.key}}"
+      line: "{{item.key}} = {{item.value}}"
+      state: present
+    loop:
+      - { key: "upgrade_type", value: "default" }
+      - { key: "download_updates", value: "yes" }
+      - { key: "apply_updates", value: "no" }
+      - { key: "emit_via", value: "command_email" }
+      - { key: "command_format", value: "\"mail -Ssendwait -s {subject} {email_to}\"" }
+      - { key: "stdin_format", value: "\"{body}\"" }
+      - { key: "email_to", value: "sys@quacker.org" }      
+      - { key: "email_from", value: "no-reply@quacker.org" }    
+  
+  - name: configure mailx
+    lineinfile:
+      path: "/etc/mail.rc"
+      regexp: "^set\\s*{{item.key}}\\s*=.*"
+      line: "set {{item.key}}={{item.value}}"
+      state: present
+    loop:
+      - { key: "smtp", value: "smtps://mx.quacker.org:465" }
+      - { key: "smtp-auth", value: "login" }
+      - { key: "smtp-auth-user", value: "no-reply@quacker.org" }
+      - { key: "smtp-auth-password", value: "{{ smtp_password }}" }
+      - { key: "from", value: "no-reply@quacker.org" }
+
+  - name: send test email
+    ansible.builtin.shell: "echo \"test email from {{ target }}\" | mail -s \"test email from {{ target }}\" sys@quacker.org"
+
+  - name: enable dnf-automatic
+    service:
+      name: dnf-automatic.timer
+      enabled: yes
+      state: started

ansible/dnf-update.yml

@@ -1,4 +1,4 @@
-- hosts: all
+- hosts: '{{ target }}'
   gather_facts: true
   become: true
   remote_user: root

ansible/reboot.yml

@@ -1,4 +1,4 @@
-- hosts: physical
+- hosts: '{{ target }}'
   gather_facts: false
   become: true
   remote_user: root

ansible/vm-setup.yml

@@ -0,0 +1,125 @@
+- hosts: '{{ target }}'
+  gather_facts: false
+  become: true
+  remote_user: root
+  any_errors_fatal: yes
+  tasks:
+  - name: stop firewalld
+    service:
+      name: firewalld
+      state: stopped
+
+  - name: dnf add repo
+    get_url:
+      url: "https://download.docker.com/linux/centos/docker-ce.repo"
+      dest: /etc/yum.repos.d/docker-ce.repo
+
+  - name: dnf install epel    
+    dnf:
+      name: "epel-release"
+      state: latest
+
+  - name: dnf update
+    dnf:
+      name:  "*"
+      state: latest
+
+  - name: dnf install
+    dnf:
+      name: ['git', 'vim', 'curl', 'yum-utils', 'policycoreutils-python-utils', 'zsh', 'docker-ce']
+      state: latest
+      update_cache: True
+  
+  - name: Change root password
+    user:
+      name: root 
+      update_password: always 
+      password: "{{ root_password | password_hash('sha512', user_salt) }}"
+
+  - name: add user
+    user:
+      name: quackerd
+      password: "{{ user_password | password_hash('sha512', user_salt) }}"
+      shell: /usr/bin/bash
+      groups: wheel
+      append: yes
+      state: present
+  
+  - name: add user ssh key
+    ansible.posix.authorized_key:
+      user: quackerd
+      state: present
+      key: "{{ lookup('file', '../ssh_pub') }}"
+
+  - name: configure sshd
+    lineinfile:
+      path: "/etc/ssh/sshd_config"
+      regexp: "^(#)?{{item.key}}"
+      line: "{{item.key}} {{item.value}}"
+      state: present
+      validate: "/usr/sbin/sshd -t -f %s"
+    loop:
+      - { key: "PermitRootLogin", value: "no" }
+      - { key: "PasswordAuthentication", value: "yes" }
+      - { key: "Port", value: "77" }
+
+  - name: enable selinux
+    lineinfile:
+      path: "/etc/selinux/config"
+      regexp: "^(#)?{{item.key}}=.*"
+      line: "{{item.key}}={{item.value}}"
+      state: present
+    loop:
+      - { key: "SELINUX", value: "enforcing" }
+
+  - name: configure selinux
+    seport:
+      ports: 77
+      proto: tcp
+      setype: ssh_port_t
+      state: present
+  
+  - name: allow ssh port in firewalld
+    ansible.posix.firewalld:
+      port: 77/tcp
+      permanent: yes
+      state: enabled
+      offline: yes
+
+  - name: disallow cockpit in firewalld
+    ansible.posix.firewalld:
+      service: cockpit
+      permanent: yes
+      state: disabled
+      offline: yes
+  
+  - name: disallow dhcpv6-client in firewalld
+    ansible.posix.firewalld:
+      service: dhcpv6-client
+      permanent: yes
+      state: disabled
+      offline: yes
+
+  - name: disallow default ssh port
+    ansible.posix.firewalld:
+      service: ssh
+      permanent: yes
+      state: disabled
+      offline: yes
+
+  - name: enable docker
+    service:
+      name: docker
+      state: started
+      enabled: yes
+
+  - name: start firewalld
+    service:
+      name: firewalld
+      state: started
+      enabled: yes
+
+  - name: reload sshd
+    service:
+      name: sshd
+      state: reloaded