ansible
This commit is contained in:
parent
e748a1e63f
commit
b73a9d64b5
|
@ -1,9 +1,8 @@
|
|||
- hosts: all
|
||||
- hosts: '{{ target }}'
|
||||
gather_facts: true
|
||||
become: true
|
||||
remote_user: root
|
||||
strategy: free
|
||||
#any_errors_fatal: yes
|
||||
tasks:
|
||||
- name: dnf install needs-restarting
|
||||
dnf:
|
||||
|
@ -11,12 +10,6 @@
|
|||
state: latest
|
||||
when: ansible_facts['os_family'] == 'RedHat' and ansible_facts ['distribution_major_version'] >= '8'
|
||||
|
||||
- name: yum install needs-restarting
|
||||
yum:
|
||||
name: "yum-utils"
|
||||
state: latest
|
||||
when: ansible_facts['os_family'] == 'RedHat' and ansible_facts ['distribution_major_version'] <= '7'
|
||||
|
||||
- name: check reboot
|
||||
command: "/usr/bin/needs-restarting -r"
|
||||
register: reboot_required
|
||||
|
|
|
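Review bot: The `when:` guards on the dnf and yum tasks compare `ansible_facts['distribution_major_version']` as strings (`>= '8'`, `<= '7'`), so a two-digit major version such as 10 sorts below `'8'` and at or below `'7'` and would be routed to the yum task; cast before comparing, `when: ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] | int >= 8`. The rendered view does not show which six of these twelve lines the commit removes, so this applies to whichever guard survives on the new side. `needs-restarting -r` exits non-zero when a reboot is pending, so `check reboot` will fail the play unless a `failed_when`/`changed_when` follows the `register` line, which is outside this hunk.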
@ -0,0 +1,48 @@
|
|||
- hosts: '{{ target }}'
|
||||
gather_facts: false
|
||||
become: true
|
||||
remote_user: root
|
||||
tasks:
|
||||
- name: dnf install
|
||||
dnf:
|
||||
name: ['dnf-automatic', 'mailx']
|
||||
state: latest
|
||||
update_cache: True
|
||||
|
||||
- name: configure dnf-automatic
|
||||
lineinfile:
|
||||
path: "/etc/dnf/automatic.conf"
|
||||
regexp: "^(#)?\\s*{{item.key}}"
|
||||
line: "{{item.key}} = {{item.value}}"
|
||||
state: present
|
||||
loop:
|
||||
- { key: "upgrade_type", value: "default" }
|
||||
- { key: "download_updates", value: "yes" }
|
||||
- { key: "apply_updates", value: "no" }
|
||||
- { key: "emit_via", value: "command_email" }
|
||||
- { key: "command_format", value: "\"mail -Ssendwait -s {subject} {email_to}\"" }
|
||||
- { key: "stdin_format", value: "\"{body}\"" }
|
||||
- { key: "email_to", value: "sys@quacker.org" }
|
||||
- { key: "email_from", value: "no-reply@quacker.org" }
|
||||
|
||||
- name: configure mailx
|
||||
lineinfile:
|
||||
path: "/etc/mail.rc"
|
||||
regexp: "^set\\s*{{item.key}}\\s*=.*"
|
||||
line: "set {{item.key}}={{item.value}}"
|
||||
state: present
|
||||
loop:
|
||||
- { key: "smtp", value: "smtps://mx.quacker.org:465" }
|
||||
- { key: "smtp-auth", value: "login" }
|
||||
- { key: "smtp-auth-user", value: "no-reply@quacker.org" }
|
||||
- { key: "smtp-auth-password", value: "{{ smtp_password }}" }
|
||||
- { key: "from", value: "no-reply@quacker.org" }
|
||||
|
||||
- name: send test email
|
||||
ansible.builtin.shell: "echo \"test email from {{ target }}\" | mail -s \"test email from {{ target }}\" sys@quacker.org"
|
||||
|
||||
- name: enable dnf-automatic
|
||||
service:
|
||||
name: dnf-automatic.timer
|
||||
enabled: yes
|
||||
state: started
|
|
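Review bot: The `configure mailx` task writes `{{ smtp_password }}` into `/etc/mail.rc` through `lineinfile`, and without `no_log: true` the rendered `line` (password included) shows up in verbose output, `--diff` output and any callback log; add `no_log: true` to that task, and consider `mode: "0600"` on the file if no unprivileged local user needs the mailx defaults. `send test email` runs a shell pipeline on every play and will always report changed; give it `changed_when: false` or a tag so it can be skipped on routine runs. `lineinfile` is section-unaware, so if a key such as `command_format` occurs in more than one section of `automatic.conf` the wrong occurrence may be edited; `community.general.ini_file` with an explicit `section:` is the robust way to manage an INI file. `update_cache: True` and `enabled: yes` should be written as `true` to avoid YAML 1.1/1.2 truthy differences.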
@ -1,4 +1,4 @@
|
|||
- hosts: all
|
||||
- hosts: '{{ target }}'
|
||||
gather_facts: true
|
||||
become: true
|
||||
remote_user: root
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- hosts: physical
|
||||
- hosts: '{{ target }}'
|
||||
gather_facts: false
|
||||
become: true
|
||||
remote_user: root
|
||||
|
|
|
@ -0,0 +1,125 @@
|
|||
- hosts: '{{ target }}'
|
||||
gather_facts: false
|
||||
become: true
|
||||
remote_user: root
|
||||
any_errors_fatal: yes
|
||||
tasks:
|
||||
- name: stop firewalld
|
||||
service:
|
||||
name: firewalld
|
||||
state: stopped
|
||||
|
||||
- name: dnf add repo
|
||||
get_url:
|
||||
url: "https://download.docker.com/linux/centos/docker-ce.repo"
|
||||
dest: /etc/yum.repos.d/docker-ce.repo
|
||||
|
||||
- name: dnf install epel
|
||||
dnf:
|
||||
name: "epel-release"
|
||||
state: latest
|
||||
|
||||
- name: dnf update
|
||||
dnf:
|
||||
name: "*"
|
||||
state: latest
|
||||
|
||||
- name: dnf install
|
||||
dnf:
|
||||
name: ['git', 'vim', 'curl', 'yum-utils', 'policycoreutils-python-utils', 'zsh', 'docker-ce']
|
||||
state: latest
|
||||
update_cache: True
|
||||
|
||||
- name: Change root password
|
||||
user:
|
||||
name: root
|
||||
update_password: always
|
||||
password: "{{ root_password | password_hash('sha512', user_salt) }}"
|
||||
|
||||
- name: add user
|
||||
user:
|
||||
name: quackerd
|
||||
password: "{{ user_password | password_hash('sha512', user_salt) }}"
|
||||
shell: /usr/bin/bash
|
||||
groups: wheel
|
||||
append: yes
|
||||
state: present
|
||||
|
||||
- name: add user ssh key
|
||||
ansible.posix.authorized_key:
|
||||
user: quackerd
|
||||
state: present
|
||||
key: "{{ lookup('file', '../ssh_pub') }}"
|
||||
|
||||
- name: configure sshd
|
||||
lineinfile:
|
||||
path: "/etc/ssh/sshd_config"
|
||||
regexp: "^(#)?{{item.key}}"
|
||||
line: "{{item.key}} {{item.value}}"
|
||||
state: present
|
||||
validate: "/usr/sbin/sshd -t -f %s"
|
||||
loop:
|
||||
- { key: "PermitRootLogin", value: "no" }
|
||||
- { key: "PasswordAuthentication", value: "yes" }
|
||||
- { key: "Port", value: "77" }
|
||||
|
||||
- name: enable selinux
|
||||
lineinfile:
|
||||
path: "/etc/selinux/config"
|
||||
regexp: "^(#)?{{item.key}}=.*"
|
||||
line: "{{item.key}}={{item.value}}"
|
||||
state: present
|
||||
loop:
|
||||
- { key: "SELINUX", value: "enforcing" }
|
||||
|
||||
- name: configure selinux
|
||||
seport:
|
||||
ports: 77
|
||||
proto: tcp
|
||||
setype: ssh_port_t
|
||||
state: present
|
||||
|
||||
- name: allow ssh port in firewalld
|
||||
ansible.posix.firewalld:
|
||||
port: 77/tcp
|
||||
permanent: yes
|
||||
state: enabled
|
||||
offline: yes
|
||||
|
||||
- name: disallow cockpit in firewalld
|
||||
ansible.posix.firewalld:
|
||||
service: cockpit
|
||||
permanent: yes
|
||||
state: disabled
|
||||
offline: yes
|
||||
|
||||
- name: disallow dhcpv6-client in firewalld
|
||||
ansible.posix.firewalld:
|
||||
service: dhcpv6-client
|
||||
permanent: yes
|
||||
state: disabled
|
||||
offline: yes
|
||||
|
||||
- name: disallow default ssh port
|
||||
ansible.posix.firewalld:
|
||||
service: ssh
|
||||
permanent: yes
|
||||
state: disabled
|
||||
offline: yes
|
||||
|
||||
- name: enable docker
|
||||
service:
|
||||
name: docker
|
||||
state: started
|
||||
enabled: yes
|
||||
|
||||
- name: start firewalld
|
||||
service:
|
||||
name: firewalld
|
||||
state: started
|
||||
enabled: yes
|
||||
|
||||
- name: reload sshd
|
||||
service:
|
||||
name: sshd
|
||||
state: reloaded
|
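Review bot: `stop firewalld` is the first task and `start firewalld` comes near the end, so with `any_errors_fatal: yes` any failure in between (the `dnf update` of `*`, the repo download, the user or sshd tasks) leaves the host with no host firewall until someone notices; the daemon does not need to be stopped for this, so delete the `stop firewalld` task and add `immediate: true` beside `permanent: yes` in each of the four `ansible.posix.firewalld` tasks (or, if stopping is intentional, move the tasks into a `block:` whose `always:` restarts firewalld). `configure sshd` deploys a key for `quackerd` but keeps `PasswordAuthentication yes`, so password logins remain possible on the moved port; if the key is the intended login method, set `- { key: "PasswordAuthentication", value: "no" }`. The two `user` tasks render password hashes into module arguments that appear in verbose output and should carry `no_log: true`. `any_errors_fatal: yes`, `update_cache: True`, `append: yes`, `permanent: yes`, `offline: yes` and `enabled: yes` should be written as `true`.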