Ethan Paul
2814d42148
Add network group for filtering network hosts. Add network target for auth'ing to network hosts. Update playbooks to filter out network targets.
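---
# Site playbook: bootstrap a per-host Ansible virtualenv, apply common server
# settings, harden sshd, then hand off to update.yaml.
# Every play targets all hosts except the "network" group; the commit message
# describes that group as network hosts that are filtered out of these plays.

- name: Bootstrap remote ansible environment
  # Fixed: the host pattern previously listed "!network" twice.
  hosts: all,!network
  tags:
    - always
  tasks:
    # Note: the task name says CentOS 8 but the condition only matches Rocky.
    # These are the system python's SELinux/firewalld bindings; the venv below
    # is created with --system-site-packages, presumably so it can import them.
    - name: Install CentOS 8 python bindings
      when: ansible_distribution == "Rocky"
      become: true
      ansible.builtin.dnf:
        state: present
        name:
          - python3-libselinux
          - python3-policycoreutils
          - python3-firewall

    - name: Create state directory
      become: true
      ansible.builtin.file:
        path: "{{ skylab_state_dir }}"
        state: directory
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
        # File modes are quoted throughout: an unquoted 0755 is loaded as an
        # octal integer by YAML 1.1 loaders (ansible-lint: risky-octal).
        mode: "0755"

    - name: Create bootstrap virtualenv
      ansible.builtin.command:
        # Prefer the interpreter Ansible discovered on the host and fall back
        # to an explicitly configured ansible_python_interpreter, which is the
        # only one defined when interpreter discovery did not run. The original
        # referenced the misspelled "ansible_python_interpeter", which is
        # always undefined, so the fallback was the only value ever used.
        cmd: "{{ discovered_interpreter_python | default(ansible_python_interpreter) }} -m venv {{ skylab_ansible_venv }} --system-site-packages"
        creates: "{{ skylab_ansible_venv }}/bin/python"

    - name: Pin bootstrap virtualenv pip
      ansible.builtin.pip:
        executable: "{{ skylab_ansible_venv }}/bin/pip"
        name: pip
        state: present
        version: "{{ skylab_pip_version }}"

    - name: Copy requirements file to remote
      ansible.builtin.copy:
        src: remote-requirements.txt
        dest: "{{ skylab_ansible_venv }}/requirements.txt"
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
        mode: "0644"

    - name: Install remote requirements
      ansible.builtin.pip:
        executable: "{{ skylab_ansible_venv }}/bin/pip"
        requirements: "{{ skylab_ansible_venv }}/requirements.txt"
        state: present

- name: Configure common server settings
  hosts: all,!network
  vars_files:
    - vars/packages.yaml
  tasks:
    - name: Set hostname
      become: true
      ansible.builtin.hostname:
        name: "{{ inventory_hostname }}"
        use: systemd

    - name: Install EPEL repository config
      when: ansible_distribution == "Rocky"
      become: true
      ansible.builtin.yum_repository:
        name: epel
        description: Extra Packages for Enterprise Linux
        baseurl: https://download.fedoraproject.org/pub/epel/$releasever{{ '/Everything' if ansible_distribution_major_version == '8' else '' }}/$basearch/
        # Declare signature checking on the repo itself instead of relying on
        # the global dnf default; the key URL matches the rpm_key task below.
        gpgcheck: true
        gpgkey: https://archive.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}

    - name: Install EPEL GPG key
      when: ansible_distribution == "Rocky"
      become: true
      ansible.builtin.rpm_key:
        state: present
        key: https://archive.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}

    # sudo only trusts include files that are root-owned and not writable by
    # group or other, so install the drop-in with the canonical root:root 0440
    # rather than group-owning it by the ansible user. visudo checks the staged
    # copy first: a syntax error in sudoers.d can make sudo refuse to run at all.
    - name: Disable sudo password for WHEEL group
      when: ansible_distribution == "Rocky" or ansible_distribution == "CentOS"
      become: true
      ansible.builtin.copy:
        src: wheel-group-no-sudo-password
        dest: /etc/sudoers.d/30-wheel
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s

    - name: Install global bash config
      become: true
      ansible.builtin.copy:
        src: global.sh
        dest: /etc/profile.d/ZZ-skylab-global.sh
        owner: root
        group: "{{ ansible_user }}"
        mode: "0644"

    - name: Install universal packages
      when: ansible_distribution == "Rocky"
      become: true
      ansible.builtin.dnf:
        name: "{{ skylab_packages_global + skylab_packages_rocky }}"
        state: present

- name: Configure SSH
  hosts: all,!network
  handlers:
    - name: restart-sshd
      become: true
      ansible.builtin.systemd:
        name: sshd
        state: restarted
  tasks:
    # The four sshd_config edits below match the directive whether it is active
    # or commented out and whatever its current value. The previous patterns
    # only matched "yes"/"no", so a commented default such as
    # "#PermitRootLogin prohibit-password" (shipped by current Debian and
    # RHEL-family configs) was left alone and key-based root login stayed
    # enabled. Each edit is validated with sshd -t so a broken file never
    # reaches the restart handler. Directives set in an Include'd drop-in
    # (sshd_config.d) are not covered here: sshd keeps the first value it reads.
    - name: Disable root auth
      become: true
      ansible.builtin.replace:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*PermitRootLogin\s.*$'
        replace: "PermitRootLogin no"
        validate: /usr/sbin/sshd -t -f %s
      notify: [restart-sshd]

    - name: Disable password auth
      become: true
      ansible.builtin.replace:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*PasswordAuthentication\s.*$'
        replace: "PasswordAuthentication no"
        validate: /usr/sbin/sshd -t -f %s
      notify: [restart-sshd]

    # ChallengeResponseAuthentication is the legacy spelling of
    # KbdInteractiveAuthentication on OpenSSH 8.7+; the alias is still accepted,
    # but a drop-in setting the new name would take precedence (see note above).
    - name: Disable challenge response auth
      become: true
      ansible.builtin.replace:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*ChallengeResponseAuthentication\s.*$'
        replace: "ChallengeResponseAuthentication no"
        validate: /usr/sbin/sshd -t -f %s
      notify: [restart-sshd]

    - name: Disable GSSAPI auth
      become: true
      ansible.builtin.replace:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*GSSAPIAuthentication\s.*$'
        replace: "GSSAPIAuthentication no"
        validate: /usr/sbin/sshd -t -f %s
      notify: [restart-sshd]

    # Editing /etc/pam.d/sshd needs root; this task was the only one in the
    # play without become. Debian's pam.d/sshd aligns its fields with runs of
    # whitespace, so the previous single-space literal pattern did not match;
    # the anchored "^session" also keeps the already-commented line unmatched.
    - name: Disable dynamic MOTD on debian systems
      when: ansible_os_family == "Debian"
      become: true
      ansible.builtin.replace:
        path: /etc/pam.d/sshd
        regexp: '^session\s+optional\s+pam_motd\.so\s+motd=/run/motd\.dynamic'
        replace: "#session optional pam_motd.so motd=/run/motd.dynamic"

    - name: Disable Cockpit activation message on Rocky
      when: ansible_distribution == "Rocky"
      become: true
      ansible.builtin.file:
        path: /etc/motd.d/cockpit
        state: absent

    - name: Copy MOTD to remote
      become: true
      ansible.builtin.template:
        src: motd.j2
        dest: /etc/motd
        mode: "0644"

- import_playbook: update.yaml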