diff --git a/ansible/check-reboot.yml b/ansible/check-reboot.yml index 9efb8ec..db4b6d7 100644 --- a/ansible/check-reboot.yml +++ b/ansible/check-reboot.yml @@ -1,9 +1,8 @@ -- hosts: all +- hosts: '{{ target }}' gather_facts: true become: true remote_user: root strategy: free - #any_errors_fatal: yes tasks: - name: dnf install needs-restarting dnf: @@ -11,12 +10,6 @@ state: latest when: ansible_facts['os_family'] == 'RedHat' and ansible_facts ['distribution_major_version'] >= '8' - - name: yum install needs-restarting - yum: - name: "yum-utils" - state: latest - when: ansible_facts['os_family'] == 'RedHat' and ansible_facts ['distribution_major_version'] <= '7' - - name: check reboot command: "/usr/bin/needs-restarting -r" register: reboot_required diff --git a/ansible/dnf-automatic.yml b/ansible/dnf-automatic.yml new file mode 100644 index 0000000..eb32684 --- /dev/null +++ b/ansible/dnf-automatic.yml 
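Review bot: `hosts: '{{ target }}'` turns `target` into a mandatory extra-var with nothing in the play saying so; an undefined `target` aborts at parse time (the safe outcome), but `-e target=all` silently restores the old all-hosts scope that this change appears intended to remove. Add a comment above the play documenting the contract, e.g. `# Run with: ansible-playbook check-reboot.yml -e target=<host-or-group>; refuses to run without target`. The retained `remote_user: root` alongside `become: true` is pre-existing context and not changed here.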
@@ -0,0 +1,48 @@ +- hosts: '{{ target }}' + gather_facts: false + become: true + remote_user: root + tasks: + - name: dnf install + dnf: + name: ['dnf-automatic', 'mailx'] + state: latest + update_cache: True + + - name: configure dnf-automatic + lineinfile: + path: "/etc/dnf/automatic.conf" + regexp: "^(#)?\\s*{{item.key}}" + line: "{{item.key}} = {{item.value}}" + state: present + loop: + - { key: "upgrade_type", value: "default" } + - { key: "download_updates", value: "yes" } + - { key: "apply_updates", value: "no" } + - { key: "emit_via", value: "command_email" } + - { key: "command_format", value: "\"mail -Ssendwait -s {subject} {email_to}\"" } + - { key: "stdin_format", value: "\"{body}\"" } + - { key: "email_to", value: "sys@quacker.org" } + - { key: "email_from", value: "no-reply@quacker.org" } + + - name: configure mailx + lineinfile: + path: "/etc/mail.rc" + regexp: "^set\\s*{{item.key}}\\s*=.*" + line: "set {{item.key}}={{item.value}}" + state: present + loop: + - { key: "smtp", value: "smtps://mx.quacker.org:465" } + - { key: "smtp-auth", value: "login" } + - { key: "smtp-auth-user", value: "no-reply@quacker.org" } + - { key: "smtp-auth-password", value: "{{ smtp_password }}" } + - { key: "from", value: "no-reply@quacker.org" } + + - name: send test email + ansible.builtin.shell: "echo \"test email from {{ target }}\" | mail -s \"test email from {{ target }}\" sys@quacker.org" + + - name: enable dnf-automatic + service: + name: dnf-automatic.timer + enabled: yes + state: started \ No newline at end of file diff --git a/ansible/dnf-update.yml b/ansible/dnf-update.yml index 7554a47..1dc468b 100644 --- a/ansible/dnf-update.yml +++ b/ansible/dnf-update.yml @@ -1,4 +1,4 @@ -- hosts: all +- hosts: '{{ target }}' gather_facts: true become: true remote_user: root diff --git a/ansible/reboot.yml b/ansible/reboot.yml index 199a096..8bcda76 100644 --- a/ansible/reboot.yml +++ b/ansible/reboot.yml 
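Review bot: The `configure mailx` task writes the SMTP credential from `{{ smtp_password }}` into `/etc/mail.rc`, a system-wide file that is typically shipped world-readable, so every local account on the host can read the `smtp-auth-password` line; the task also lacks `no_log: true`, so the rendered password line is printed in Ansible's task output and any log it is captured in. Add `no_log: true` to that task and follow it with a `file` task that sets the mode to `"0600"` (dnf-automatic runs as root, so root-only access is enough), or move the credentials into `/root/.mailrc` instead of the global file. The `send test email` task pipes `{{ target }}` unquoted into a shell command; it is operator-supplied so the risk is low, but `ansible.builtin.command` with an argument list would avoid the shell entirely. Minor: the new file has no leading `---` and no trailing newline.
```yaml
  - name: configure mailx
    lineinfile:
      # … unchanged: path, regexp, line, state …
    # loop items carry the SMTP password; keep them out of task output and logs
    no_log: true
    loop:
      # … unchanged: smtp, smtp-auth, smtp-auth-user, smtp-auth-password, from …

  - name: restrict mail.rc to root
    file:
      path: "/etc/mail.rc"
      owner: root
      group: root
      mode: "0600"
```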
@@ -1,4 +1,4 @@ -- hosts: physical +- hosts: '{{ target }}' gather_facts: false become: true remote_user: root diff --git a/ansible/vm-setup.yml b/ansible/vm-setup.yml new file mode 100644 index 0000000..d8da6ac --- /dev/null +++ b/ansible/vm-setup.yml 
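Review bot: `hosts: '{{ target }}'` drops this play's static restriction to the `physical` group, so a typo or `-e target=all` now reboots every inventory host instead of only the physical ones. If the restriction was deliberate, `hosts: "{{ target }}:&physical"` keeps the operator-supplied scope while intersecting it with the group; if the wider scope is intended, a comment above the play saying so would stop the next reader from re-adding it. The rest of the reboot play is outside this hunk.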
@@ -0,0 +1,125 @@ +- hosts: '{{ target }}' + gather_facts: false + become: true + remote_user: root + any_errors_fatal: yes + tasks: + - name: stop firewalld + service: + name: firewalld + state: stopped + + - name: dnf add repo + get_url: + url: "https://download.docker.com/linux/centos/docker-ce.repo" + dest: /etc/yum.repos.d/docker-ce.repo + + - name: dnf install epel + dnf: + name: "epel-release" + state: latest + + - name: dnf update + dnf: + name: "*" + state: latest + + - name: dnf install + dnf: + name: ['git', 'vim', 'curl', 'yum-utils', 'policycoreutils-python-utils', 'zsh', 'docker-ce'] + state: latest + update_cache: True + + - name: Change root password + user: + name: root + update_password: always + password: "{{ root_password | password_hash('sha512', user_salt) }}" + + - name: add user + user: + name: quackerd + password: "{{ user_password | password_hash('sha512', user_salt) }}" + shell: /usr/bin/bash + groups: wheel + append: yes + state: present + + - name: add user ssh key + ansible.posix.authorized_key: + user: quackerd + state: present + key: "{{ lookup('file', '../ssh_pub') }}" + + - name: configure sshd + lineinfile: + path: "/etc/ssh/sshd_config" + regexp: "^(#)?{{item.key}}" + line: "{{item.key}} {{item.value}}" + state: present + validate: "/usr/sbin/sshd -t -f %s" + loop: + - { key: "PermitRootLogin", value: "no" } + - { key: "PasswordAuthentication", value: "yes" } + - { key: "Port", value: "77" } + + - name: enable selinux + lineinfile: + path: "/etc/selinux/config" + regexp: "^(#)?{{item.key}}=.*" + line: "{{item.key}}={{item.value}}" + state: present + loop: + - { key: "SELINUX", value: "enforcing" } + + - name: configure selinux + seport: + ports: 77 + proto: tcp + setype: ssh_port_t + state: present + + - name: allow ssh port in firewalld + ansible.posix.firewalld: + port: 77/tcp + permanent: yes + state: enabled + offline: yes + + - name: disallow cockpit in firewalld + ansible.posix.firewalld: + service: cockpit + permanent: yes 
+ state: disabled + offline: yes + + - name: disallow dhcpv6-client in firewalld + ansible.posix.firewalld: + service: dhcpv6-client + permanent: yes + state: disabled + offline: yes + + - name: disallow default ssh port + ansible.posix.firewalld: + service: ssh + permanent: yes + state: disabled + offline: yes + + - name: enable docker + service: + name: docker + state: started + enabled: yes + + - name: start firewalld + service: + name: firewalld + state: started + enabled: yes + + - name: reload sshd + service: + name: sshd + state: reloaded \ No newline at end of file
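Review bot: `stop firewalld` is the first task and nothing restarts the service until the final `start firewalld`, so with `any_errors_fatal: yes` any failure in the intervening `dnf update`/`dnf install` (repo unreachable, package conflict) aborts the play and leaves the host with its firewall down; move the stop task to immediately before `allow ssh port in firewalld`, or wrap the firewall tasks in a `block:` with an `always:` that starts firewalld. The `configure sshd` edits assume `/etc/ssh/sshd_config` is authoritative, but on recent EL-family images the file usually carries `Include /etc/ssh/sshd_config.d/*.conf` near the top and sshd keeps the first value it sees, so a vendor drop-in could silently override `PermitRootLogin no` — worth verifying on the target image, since `lineinfile` cannot detect it. `PasswordAuthentication yes` is set even though an authorized key is installed for `quackerd`; if password logins on port 77 are not required, `{ key: "PasswordAuthentication", value: "no" }` removes the credential-guessing surface. Minor: the file starts without `---` and ends without a newline.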