first

c9ae031c · nanahira · 6e4a2303 · c9ae031c · c9ae031c · c9ae031c
Commit c9ae031c authored Feb 28, 2020 by nanahira
7 changed files
--- a/defaults/main.yml
+++ b/defaults/main.yml
 ---
-# defaults file for init
\ No newline at end of file
+# defaults file for init
+allow_password: false
+hypervisor: false
--- a/files/authorized_keys
+++ b/files/authorized_keys
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCf7d3z1zJ3+AekdFlF+7BTL8k1X5YrC/Mu23aBBETYxl7N37XM/Ts1u15Xu9l0rgKOe2YphAzexsTmvnBW+3ZJUaJ4gIelw2FWYSHmPkcTtLRrqmSqqCVqyxLrlkvDV1mJmRTQh9rFT3OM2jge4HkN2PSnxuT4AuRwblHcGj2LWD/4XijmHf/BK6GaKownt702ARX18D7d2hYZwO7TgVtJsZclIg3g9SjLgtx6sx+Khlx2/p3HdMo7lYmbucnk1Px11Z0Uq6H7gdUyZhRMWgHnqpnzTy02onhsDhPotUbJdEHJKMZW+eg3X1KiPH143jDHPW/EQjhnPfMBBqaPof1l nanahira@nanahira-another
+ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtRix6NrCSXMNpL9WuD6DA198aGirvb8cYIcx5fS98/EWqA8n8yjBEjfLkWZviSh8J6hDw5x4rlZWa777eP+qFfwZO5MjQp/n3cgpZgnbJFRUROuNEyaGQvv09uO05cgRKemVDysqte6xjH6YOts/+oX6dC/JK+Cwi7K0kUETQ2WLLTghyQfLkwKoXkP30v/j18yfyswyWsM1E70stmezMRYswsAeOP6j5/dZiSY9vPCPHJ0w3cGhV+YZcWVE3687cQyf++Iv4AGBzRWlGStGHfb3UB8fkeIClChkQDjjzrxfbrmeS3kC5w6hkbZFsreM8ZvWhDvB1eBxjU9KKbV0iQ== zh99998@gmail.com
--- a/handlers/main.yml
+++ b/handlers/main.yml
 ---
-# handlers file for init
\ No newline at end of file
+# handlers file for init
+- name: restart_sshd
+  become: true
+  systemd:
+    name: sshd
+    state: restarted
--- a/tasks/apt.yml
+++ b/tasks/apt.yml
+- name: apt
+  apt:
+    update_cache: true
+    state: latest
+    name: curl,wget,git,vim,sudo,byobu,iftop,iotop,build-essential,p7zip-full,xclip,astyle,python-setuptools,python-dev,tcpdump,rsync,htop,locales,mtr,dnsutils,net-tools,traceroute,tar,unzip,iperf,nmap,mosh
+- name: Ubuntu packages
+  apt:
+    update_cache: true
+    state: latest
+    name: ctags
+  when: "ansible_distribution == 'Ubuntu'"
+- name: Debian packages
+  apt:
+    update_cache: true
+    state: latest
+    name: universal-ctags
+  when: "ansible_distribution == 'Debian'"
+- name: apt autoremove
+  apt:
+    autoremove: true
--- a/tasks/dnf.yml
+++ b/tasks/dnf.yml
+- name: dnf update
+  dnf:
+    name: '*'
+    #update_cache: true
+    state: latest
+- name: epel 8
+  dnf:
+    state: latest
+    name: epel-release
+- name: dnf
+  dnf:
+    state: latest
+    name: curl,wget,git,vim,sudo,byobu,iftop,iotop,gcc,gcc-c++,make,autoconf,p7zip,p7zip-plugins,tcpdump,rsync,htop,mtr,net-tools,ctags,astyle,xclip,traceroute,tar,unzip,nmap,python3-libselinux,mosh
+- name: dnf autoremove
+  dnf:
+    autoremove: true
--- a/tasks/main.yml
+++ b/tasks/main.yml
 ---
-# tasks file for init
\ No newline at end of file
+# tasks file for init
+- name: authorized_key
+  authorized_key:
+    user: "{{ ansible_user_id }}"
+    key: "{{ lookup('file', '../authorized_keys') }}"
+  # when: "ansible_os_family == 'Debian' or ansible_distribution_major_version|int != 8"
+- name: sudoers
+  become: true
+  lineinfile:
+    path: /etc/sudoers
+    insertafter: 'EOF'
+    line: '{{ ansible_user_id }} ALL=(ALL:ALL) NOPASSWD: ALL'
+    validate: /usr/sbin/visudo -cf %s
+  when: "ansible_user_id != 'root'"
+- name: timezone
+  become: true
+  timezone:
+    name: Asia/Shanghai
+- name: disable password access
+  become: true
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?PasswordAuthentication (true|yes).*$'
+    line: 'PasswordAuthentication no'
+    backrefs: true
+  when: "(ansible_user_id == 'root' or ansible_user_id == 'nanahira' or ansible_user_id == 'mycard' or ansible_user_id == 'zh99998') and not allow_password" # Only self-managed servers
+  notify: restart_sshd
+- name: sshd config
+  become: true
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?GSSAPIAuthentication (true|yes).*$'
+    line: 'GSSAPIAuthentication no'
+    backrefs: true
+  notify: restart_sshd
+- name: sshd config
+  become: true
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?UseDNS (true|yes).*$'
+    line: 'UseDNS no'
+    backrefs: true
+  notify: restart_sshd
+- name: swappiness
+  become: true
+  sysctl:
+    name: vm.swappiness
+    value: 1
+    sysctl_set: true
+- name: net.ipv4.ip_forward
+  become: true
+  sysctl:
+    name: net.ipv4.ip_forward
+    value: 1
+    sysctl_set: true
+- name: fs.inotify.max_user_watches
+  become: true
+  sysctl:
+    name: fs.inotify.max_user_watches
+    value: 524288
+    sysctl_set: true
+- name: net.ipv4.conf.all.rp_filter
+  become: true
+  sysctl:
+    name: net.ipv4.conf.all.rp_filter
+    value: 0
+    sysctl_set: true
+- name: net.ipv4.conf.default.rp_filter
+  become: true
+  sysctl:
+    name: net.ipv4.conf.default.rp_filter
+    value: 0
+    sysctl_set: true
+- name: TCP BBR
+  become: true
+  sysctl:
+    name: net.core.default_qdisc
+    value: fq
+    sysctl_set: true
+  when: "ansible_os_family == 'Debian' or ansible_distribution_major_version|int > 7"
+- name: TCP BBR
+  become: true
+  sysctl:
+    name: net.ipv4.tcp_congestion_control
+    value: bbr
+    sysctl_set: true
+  when: "ansible_os_family == 'Debian' or ansible_distribution_major_version|int > 7"
+- name: limit
+  become: true
+  pam_limits:
+    domain: '{{ ansible_user_id }}'
+    limit_type: '-'
+    limit_item: nofile
+    value: 1048576
+- name: apt upgrade
+  become: true
+  apt:
+    update_cache: true
+    upgrade: dist
+  when: "ansible_os_family == 'Debian'"
+- name: yum update
+  become: true
+  yum:
+    name: '*'
+    update_cache: true
+    state: latest
+  when: "ansible_os_family == 'RedHat' and ansible_distribution_major_version|int == 7"
+- name: dnf update
+  become: true
+  dnf:
+    name: '*'
+    state: latest
+  when: "ansible_os_family == 'RedHat' and ansible_distribution_major_version|int == 8"
+- name: fixup iptables with qemu
+  become: true
+  iptables:
+    chain: FORWARD
+    flush: true
+  when: 'hypervisor is defined'
+- name: apt
+  become: true
+  include_tasks: apt.yml
+  when: "ansible_os_family == 'Debian'"
+- name: yum
+  become: true
+  include_tasks: yum.yml
+  when: "ansible_os_family == 'RedHat' and ansible_distribution_major_version|int == 8"
+- name: dnf
+  become: true
+  include_tasks: dnf.yml
+  when: "ansible_os_family == 'RedHat' and ansible_distribution_major_version|int == 8"
+- name: disable selinux
+  become: true
+  selinux:
+    state: disabled
+  when: "ansible_os_family == 'RedHat'"
+- name: disable selinux
+  lineinfile:
+    path: /etc/selinux/config
+    regexp: '^SELINUX='
+    line: 'SELINUX=disabled'
+    backrefs: true
+  when: "ansible_os_family == 'RedHat'"
+- name: vim
+  unarchive:
+    src: https://minio.mycard.moe:9000/nanahira/nanahira-vim.tar.gz
+    dest: '~'
+    creates: '~/.vim'
+    remote_src: true
+- name: ctags link
+  become: true
+  file:
+    src: /usr/bin/ctags
+    path: /usr/local/bin/ctags
+    state: link
+- name: git user.email
+  git_config:
+    name: user.email
+    scope: global
+    value: 78877@qq.com
+- name: git user.name
+  git_config:
+    name: user.name
+    scope: global
+    value: purerosefallen
+- name: git push.default
+  git_config:
+    name: push.default
+    scope: global
+    value: simple
+- name: git ssh
+  known_hosts:
+    name: github.com
+    key: "{{ lookup('pipe', 'ssh-keyscan github.com') }}"
--- a/tasks/yum.yml
+++ b/tasks/yum.yml
+- name: yum update
+  yum:
+    name: '*'
+    update_cache: true
+    state: latest
+- name: epel 7
+  yum:
+    state: latest
+    name: epel-release
+- name: yum
+  yum:
+    state: latest
+    name: curl,wget,git,vim,sudo,byobu,iftop,iotop,gcc,gcc-c++,make,autoconf,p7zip,p7zip-plugins,tcpdump,rsync,htop,mtr,net-tools,ctags,xclip,traceroute,tar,unzip,iperf,nmap,libselinux-python,mosh # astyle