ovh_instance_playbooks/roles/role_configure_ovh_instance/tasks/main.yml

---
# tasks file for role_configure_ovh_instance
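# DNF mirror selection: turn fastestmirror on and restrict candidates to OVH's
# own mirrors. Both tasks carry a `regexp` so that an existing
# `fastestmirror=` / `include_only=` line is rewritten in place; without it,
# lineinfile appends a second, conflicting line whenever the value differs.
- name: Enable DNF fastestmirror
  ansible.builtin.lineinfile:
    path: /etc/dnf/dnf.conf
    regexp: '^fastestmirror='
    line: fastestmirror=1
  become: true
# NOTE(review): dnf implements fastestmirror as a core dnf.conf option; the
# `include_only=` key in /etc/dnf/plugins/fastestmirror.conf is the yum-3
# plugin's format — confirm the dnf on this image actually reads it. When the
# file is created here it holds only this line (no [main] header), as before.
- name: Configure DNF fastestmirror
  ansible.builtin.lineinfile:
    path: /etc/dnf/plugins/fastestmirror.conf
    regexp: '^include_only='
    line: include_only=.ovh.net
    create: true
  become: true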
# Bring every installed package to its latest version, then reboot — but only
# when the upgrade actually changed something (kernel/glibc updates need it).
- name: Upgrade all packages
  ansible.builtin.dnf:
    name: "*"
    state: latest
  become: true
  register: upgrade_register
  tags: upgrade
# `is defined` matters when the play runs with --skip-tags upgrade: the
# register variable is never set and the reboot must be skipped, not error.
- name: Reboot
  ansible.builtin.reboot:
  become: true
  when: upgrade_register is defined and upgrade_register is changed
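# EPEL is installed but kept disabled: tasks that need it opt in per
# transaction with `enablerepo: epel`, so an EPEL build can never silently
# replace a base-repo package during the upgrade-all run.
- name: Add EPEL repository
  ansible.builtin.package:
    name:
      - epel-release.noarch
    state: latest
  become: true
# Edit the repo file directly instead of shelling out to yum-config-manager:
# idempotent, reports "changed" truthfully (the command task had to fake
# `changed_when: false`), and does not depend on dnf-plugins-core being
# installed. epel-release ships the [epel] section in this file.
- name: Ensure the EPEL repository is disabled
  community.general.ini_file:
    path: /etc/yum.repos.d/epel.repo
    section: epel
    option: enabled
    value: "0"
    no_extra_spaces: true
    mode: "0644"
  become: true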
# Diagnostic and admin tooling from the base repos (alphabetical). nmap,
# telnet and tcpdump are here for troubleshooting from the host; they are
# equally convenient recon tools for an intruder, so drop any you don't use.
- name: Install useful packages
  ansible.builtin.package:
    state: latest
    name:
      - bash-completion
      - bind-utils
      - bzip2
      - fio
      - git
      - lsof
      - net-tools
      - nmap
      - perf
      - strace
      - sysstat
      - tcpdump
      - telnet
      - vim
  become: true
# Tooling that only exists in EPEL; the repo is enabled for this single
# transaction because it is disabled globally above.
- name: Install useful EPEL packages
  ansible.builtin.dnf:
    enablerepo: epel
    state: latest
    name:
      - atop
      - iftop
      - ioping
      - screen
      - sysbench
  become: true
# Run atop as a service so it keeps its periodic process/resource history —
# useful for reconstructing what the host was doing after an incident.
- name: enable atop
  ansible.builtin.service:
    name: atop
    enabled: true
    state: started
  become: true
# fail2ban lives in EPEL (enabled for this transaction only).
- name: install fail2ban
  ansible.builtin.dnf:
    enablerepo: epel
    state: latest
    name:
      - fail2ban
  become: true
# Host firewall: make sure firewalld is up, then trim the public zone's
# allow-list to what this host needs. ssh is not touched here (it stays
# reachable); brute-force protection for it is presumably what the
# jail.local deployed below configures.
- name: enable firewalld
  ansible.builtin.service:
    name: firewalld
    enabled: true
    state: started
  become: true
# `permanent` + `immediate`: applied to the running firewall now and kept
# across reloads/reboots.
- name: disable useless firewall allowed services
  ansible.posix.firewalld:
    zone: public
    service: "{{ item }}"
    state: disabled
    permanent: true
    immediate: true
  become: true
  loop:
    - dhcpv6-client
    - cockpit
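# fail2ban configuration. The jail file is deployed *before* the service is
# first started, so a fresh host never runs with the stock jail set, and it
# gets an explicit root-owned 0644 mode instead of inheriting whatever the
# umask (or a pre-existing file) gives it. A running instance is restarted
# only when the file actually changed.
- name: deploy jail.local
  ansible.builtin.copy:
    src: jail.local
    dest: /etc/fail2ban/jail.local
    owner: root
    group: root
    mode: "0644"
  become: true
  register: jail_conf_register
# We need to change the rules to also block brute force attempt on gogs sshd:
# TODO
- name: enable fail2ban
  ansible.builtin.service:
    name: fail2ban
    enabled: true
    state: started
  become: true
- name: restart fail2ban
  ansible.builtin.service:
    name: fail2ban
    state: restarted
  become: true
  when: jail_conf_register is changed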
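# rpcbind is not wanted on this host. Stopping only rpcbind.socket is not
# enough: an rpcbind.service that was already socket-activated keeps the
# inherited listeners on port 111 open. Stop the socket first (so it cannot
# re-activate the service on the next connection), then the service itself,
# and disable both.
- name: disable useless rpcbind
  ansible.builtin.service:
    name: "{{ item }}"
    state: stopped
    enabled: false
  become: true
  loop:
    - rpcbind.socket
    - rpcbind.service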
# Rotate rsyslog's logs daily and keep 15 compressed generations. The
# directives are inserted after `sharedscripts` inside the existing stanza;
# blockinfile wraps them in "ANSIBLE MANAGED BLOCK" comment markers, which
# logrotate ignores. NOTE(review): if the stock file already carries
# rotate/compress directives, the stanza now contains both — verify with
# `logrotate -d` which one wins.
- name: Configure logrotate
  ansible.builtin.blockinfile:
    path: /etc/logrotate.d/rsyslog
    insertafter: sharedscripts
    block: |
      daily
      rotate 15
      compress
  become: true
# Container runtime: podman with the docker CLI shim, and podman-compose from
# EPEL. containers.conf is shipped from the role's files; its contents are
# not visible here — review it, since that file can relax the runtime's
# defaults (capabilities, namespaces, seccomp, ...) for every container.
- name: install podman
  ansible.builtin.package:
    state: latest
    name:
      - podman
      - podman-docker
  become: true
- name: install podman-compose
  ansible.builtin.dnf:
    enablerepo: epel
    state: latest
    name:
      - podman-compose
  become: true
- name: deploy containers.conf
  ansible.builtin.copy:
    src: containers.conf
    dest: /etc/containers/containers.conf
  become: true
# mosh (roaming shell over UDP): the server picks a port in 60000-61000, so
# that whole UDP range is opened in the public zone. Authentication still
# happens over ssh; mosh only takes over the session afterwards.
- name: install mosh
  ansible.builtin.package:
    state: latest
    name:
      - mosh
  become: true
- name: Allow mosh ports
  ansible.posix.firewalld:
    zone: public
    port: 60000-61000/udp
    state: enabled
    permanent: true
    immediate: true
  become: true
# duplicity for backups, plus pip — used further down to install the
# OpenStack client modules.
- name: install duplicity
  ansible.builtin.package:
    state: latest
    name:
      - duplicity
      - python3-pip.noarch
  become: true
# Operator account: bash login shell, added to wheel (which the sudoers tasks
# below turn into NOPASSWD), and the controller's PUBLIC_KEY_FILE installed
# as its authorized key. No password is set by this role, so unless one is
# set elsewhere the key is the only way into the account.
- name: Add user
  ansible.builtin.user:
    name: "{{ LINUX_USERNAME }}"
    groups: wheel
    append: true
    shell: /bin/bash
  become: true
- name: Set authorized key
  ansible.posix.authorized_key:
    user: "{{ LINUX_USERNAME }}"
    key: "{{ lookup('file', PUBLIC_KEY_FILE) }}"
    state: present
  become: true
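# Sudo policy: switch the wheel rule from password-prompting to NOPASSWD.
# Every wheel member (here: the LINUX_USERNAME account created above) gets
# passwordless root — the trade-off for unattended `become` with a
# key-only account. Each edit is checked with `visudo -c` before it is
# written back, so a bad match can never leave /etc/sudoers unparsable
# (which would lock every user out of sudo at once).
- name: Comment out PASSWD wheel sudo rule
  ansible.builtin.replace:
    path: /etc/sudoers
    regexp: '^%wheel\s+ALL=\(ALL\)\s+ALL'
    replace: '#%wheel ALL=(ALL) ALL'
    validate: /usr/sbin/visudo -cf %s
  become: true
  tags: sudo
- name: Allow sudo NOPASSWD for the wheel group
  ansible.builtin.replace:
    path: /etc/sudoers
    regexp: '^#\s%wheel\s+ALL=\(ALL\)\s+NOPASSWD: ALL'
    replace: '%wheel ALL=(ALL) NOPASSWD: ALL'
    validate: /usr/sbin/visudo -cf %s
  become: true
  tags: sudo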
# From here on, connect as the account just created (key auth via the
# authorized_key task; `become` works through the wheel NOPASSWD rule)
# instead of the bootstrap user.
- name: switch to new user
  ansible.builtin.set_fact:
    ansible_user: "{{ LINUX_USERNAME }}"
# Give the account an SSH key pair. NOTE(review): PRIVATE_KEY_FILE is, going
# by its name, the private half of the key that was just authorized on this
# host — copying it here means a compromise of this VM also exposes the key
# that grants access to it (and to every other host it is authorized on). A
# dedicated key generated for this host, or agent forwarding, avoids that;
# confirm which key the variable actually points at. These two tasks run as
# the new user, so the files end up owned by it.
- name: Deploy SSH private key
  ansible.builtin.copy:
    src: "{{ PRIVATE_KEY_FILE }}"
    dest: "/home/{{ LINUX_USERNAME }}/.ssh/"
    mode: "0600"
- name: Deploy SSH public key
  ansible.builtin.copy:
    src: "{{ PUBLIC_KEY_FILE }}"
    dest: "/home/{{ LINUX_USERNAME }}/.ssh/"
    mode: "0640"
# System-wide vim default: dark-background colour scheme.
- name: Configure VIM
  ansible.builtin.lineinfile:
    line: set bg=dark
    path: /etc/vimrc
  become: true
# OpenStack client libraries (swift/keystone/nova/cinder + the unified CLI).
# NOTE(review): these are pulled unpinned from PyPI, so every run may fetch a
# different version; pin versions (ideally with hashes) for a reproducible,
# supply-chain-safe install. There is no `become`, so pip runs as the new
# user — confirm the image's pip falls back to a user install rather than
# failing on the read-only system site-packages.
- name: install openstack python modules
  ansible.builtin.pip:
    name:
      - python-openstackclient
      - python-swiftclient
      - python-keystoneclient
      - python-novaclient
      - python-cinderclient
# Selinux prevents auto load of kernel module from container
# but we need to be able to mark packets with iptables in proxy-squid container.
# NOTE(review): this boolean permits module-load requests from *every*
# confined domain, not just that one container. The narrower alternative is
# to pre-load the netfilter modules the container's iptables rules need on
# the host (modules-load.d) and leave the boolean off — confirm which
# modules are actually involved before tightening.
- name: Enable Selinux boolean domain_kernel_load_modules
  ansible.posix.seboolean:
    name: domain_kernel_load_modules
    persistent: true
    state: true
  become: true
# Local MTA plus the SASL plain-auth libs (presumably for authenticating to
# a relay) and the sendEmail CLI used by the test below. This role deploys
# no main.cf, so postfix runs with the distribution defaults —
# NOTE(review): confirm those bind to loopback only; the role also opens no
# smtp port in firewalld, which is the second line of defence.
- name: install postfix
  ansible.builtin.package:
    state: latest
    name:
      - postfix
      - cyrus-sasl-lib
      - cyrus-sasl-plain
      - sendemail
  become: true
- name: enable postfix
  ansible.builtin.service:
    name: postfix
    enabled: true
    state: started
  become: true
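# Smoke-test outbound mail through the freshly started postfix. `argv` hands
# each value to sendEmail as exactly one argument, so a recipient, domain or
# host name containing whitespace or quotes cannot be split into extra
# options the way it could when interpolated into one command string.
# `tls=no` means plain SMTP to sendEmail's default server (presumably the
# local MTA; confirm no `-s` override is expected). Sender is
# <short-hostname>@DOMAIN; `changed_when: false` because sending mail never
# changes host state.
- name: send test email
  ansible.builtin.command:
    argv:
      - sendEmail
      - "-o"
      - tls=no
      - "-f"
      - "{{ target_name.split('.')[0] }}@{{ DOMAIN }}"
      - "-t"
      - "{{ recipient_email }}"
      - "-u"
      - Test subject
      - "-m"
      - This is a test message.
  changed_when: false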
# Git identity for the new account. `scope: global` writes ~/.gitconfig and,
# with no `become`, that is the switched-to user's home.
- name: Add a setting to ~/.gitconfig
  community.general.git_config:
    scope: global
    name: "{{ item.name }}"
    value: "{{ item.value }}"
  loop:
    - name: user.name
      value: "{{ LINUX_USERNAME }}"
    - name: user.email
      value: "{{ git_email }}"