unfinished

6f8416a5 · nanahira · f7458e1e · 6f8416a5 · 6f8416a5 · 6f8416a5
Commit 6f8416a5 authored Jan 29, 2020 by nanahira
6 changed files
--- a/includes/nodejs.yml
+++ b/includes/nodejs.yml
@@ -63,10 +63,11 @@
  npm:
    name: 'n'
    state: latest
+    registry: https://registry.npm.taobao.org
    global: true
 - name: nodejs version
  become: true
-  shell: 'n {{nodejs_version}}'
+  shell: 'env NODE_MIRROR=https://npm.taobao.org/mirrors/node/ n {{nodejs_version}}'
 - name: node setcap
  become: true
  with_items: ['/usr/bin/node', '/usr/local/bin/node']
@@ -80,6 +81,7 @@
  npm:
    name: '{{item}}'
    state: latest
+    registry: https://registry.npm.taobao.org
    global: true
 - name: fixup npm directory
  become: true

--- a/init.yml
+++ b/init.yml
@@ -23,11 +23,27 @@
      become: true
      lineinfile:
        path: /etc/ssh/sshd_config
-        regexp: '^#?PasswordAuthentication true.*$'
+        regexp: '^#?PasswordAuthentication (true|yes).*$'
        line: 'PasswordAuthentication no'
        backrefs: true
      when: "(ansible_user_id == 'root' or ansible_user_id == 'nanahira' or ansible_user_id == 'mycard' or ansible_user_id == 'zh99998') and not allow_password is defined" # Only self-managed servers
      notify: restart_sshd
+    - name: sshd config
+      become: true
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^#?GSSAPIAuthentication (true|yes).*$'
+        line: 'GSSAPIAuthentication no'
+        backrefs: true
+      notify: restart_sshd
+    - name: sshd config
+      become: true
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^#?UseDNS (true|yes).*$'
+        line: 'UseDNS no'
+        backrefs: true
+      notify: restart_sshd
    - name: swappiness
      become: true
      sysctl:
@@ -143,11 +159,6 @@
        state: latest
        name: curl,wget,git,vim,sudo,byobu,iftop,iotop,gcc,gcc-c++,make,autoconf,p7zip,p7zip-plugins,tcpdump,rsync,htop,mtr,net-tools,ctags,xclip,traceroute,tar,unzip,iperf,nmap,libselinux-python # astyle
      when: "ansible_distribution == 'CentOS' and ansible_distribution_major_version|int == 7"
-    #- name: yum autoremove
-    #  become: true
-    #  yum:
-    #    autoremove: true
-    #  when: "ansible_distribution == 'CentOS' and ansible_distribution_major_version|int <= 7"
    - name: epel 8
      become: true
      dnf:
@@ -170,6 +181,13 @@
      selinux:
        state: disabled
      when: "ansible_distribution == 'CentOS'"
+    - name: disable selinux
+      lineinfile:
+        path: /etc/selinux/config
+        regexp: '^SELINUX='
+        line: 'SELINUX=disabled'
+        backrefs: true
+      when: "ansible_distribution == 'CentOS'"
    - name: vim
      unarchive:
        src: https://minio.mycard.moe:9000/nanahira/nanahira-vim.tar.gz

--- a/install_srvpro.yml
+++ b/install_srvpro.yml
@@ -124,6 +124,7 @@
    - name: srvpro npm
      npm:
        path: '{{home_path}}/ygopro-server'
+        registry: https://registry.npm.taobao.org
    - name: link ygopro repo
      file:
        state: link

--- a/pter.yml
+++ b/pter.yml
@@ -40,6 +40,7 @@
    - name: npm install
      npm:
        path: /srv/daemon
+        registry: https://registry.npm.taobao.org
        production: true
    - name: core.json
      template:

--- a/template.yml
+++ b/template.yml
+---
+- hosts: template
+  remote_user: root
+  tasks:
+    - name: source
+      become: true
+      copy:
+        src: 'files/source/{{ansible_distribution|lower}}/sources.list'
+        dest: /etc/apt/sources.list
+      when: ansible_distribution != 'CentOS'
+    - name: sudoers
+      become: true
+      lineinfile:
+        path: /etc/sudoers
+        insertafter: 'EOF'
+        line: '{{ ansible_user_id }} ALL=(ALL:ALL) NOPASSWD: ALL'
+        validate: /usr/sbin/visudo -cf %s
+      when: "ansible_user_id != 'root'"
+    - name: timezone
+      become: true
+      timezone:
+        name: Asia/Shanghai
+    - name: permit root login
+      become: true
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^#?PermitRootLogin (false|no).*$'
+        line: 'PasswordAuthentication yes'
+        backrefs: true
+    - name: sshd config
+      become: true
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^#?GSSAPIAuthentication (true|yes).*$'
+        line: 'GSSAPIAuthentication no'
+        backrefs: true
+    - name: sshd config
+      become: true
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^#?UseDNS (true|yes).*$'
+        line: 'UseDNS no'
+        backrefs: true
+    - name: net.ipv4.ip_forward
+      become: true
+      sysctl:
+        name: net.ipv4.ip_forward
+        value: 1
+        sysctl_set: true
+    - name: fs.inotify.max_user_watches
+      become: true
+      sysctl:
+        name: fs.inotify.max_user_watches
+        value: 524288
+        sysctl_set: true
+    - name: net.ipv4.conf.all.rp_filter
+      become: true
+      sysctl:
+        name: net.ipv4.conf.all.rp_filter
+        value: 0
+        sysctl_set: true
+    - name: net.ipv4.conf.default.rp_filter
+      become: true
+      sysctl:
+        name: net.ipv4.conf.default.rp_filter
+        value: 0
+        sysctl_set: true
+    - name: TCP BBR
+      become: true
+      sysctl:
+        name: net.core.default_qdisc
+        value: fq
+        sysctl_set: true
+      when: "ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 7"
+    - name: TCP BBR
+      become: true
+      sysctl:
+        name: net.ipv4.tcp_congestion_control
+        value: bbr
+        sysctl_set: true
+      when: "ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 7"
+    - name: limit
+      become: true
+      pam_limits:
+        domain: '{{ ansible_user_id }}'
+        limit_type: '-'
+        limit_item: nofile
+        value: 1048576
+    - name: apt upgrade
+      become: true
+      apt:
+        update_cache: true
+        upgrade: dist
+      when: "ansible_distribution != 'CentOS'"
+    - name: yum update
+      become: true
+      yum:
+        name: '*'
+        update_cache: true
+        state: latest
+      when: "ansible_distribution == 'CentOS' and ansible_distribution_major_version|int == 7"
+    - name: dnf update
+      become: true
+      dnf:
+        name: '*'
+        #update_cache: true
+        state: latest
+      when: "ansible_distribution == 'CentOS' and ansible_distribution_major_version|int == 8"
+    - name: fixup iptables with qemu
+      become: true
+      iptables:
+        chain: FORWARD
+        flush: true
+      when: 'hypervisor is defined'
+    - name: apt
+      become: true
+      apt:
+        update_cache: true
+        state: latest
+        name: curl,wget,git,vim,sudo,byobu,iftop,iotop,build-essential,p7zip-full,tcpdump,rsync,htop,locales,mtr,dnsutils,net-tools,traceroute,tar,unzip,iperf,nmap,dnsutils,open-vm-tools
+      when: "ansible_distribution != 'CentOS'"
+    - name: apt autoremove
+      become: true
+      apt:
+        autoremove: true
+      when: "ansible_distribution != 'CentOS'"
+    - name: epel 7
+      become: true
+      yum:
+        state: latest
+        name: epel-release
+      when: "ansible_distribution == 'CentOS' and ansible_distribution_major_version|int == 7"
+    - name: yum
+      become: true
+      yum:
+        state: latest
+        name: curl,wget,git,vim,sudo,byobu,iftop,iotop,gcc,gcc-c++,make,autoconf,p7zip,p7zip-plugins,tcpdump,rsync,htop,mtr,net-tools,traceroute,tar,unzip,iperf,nmap,libselinux-python,open-vm-tools
+      when: "ansible_distribution == 'CentOS' and ansible_distribution_major_version|int == 7"
+    - name: epel 8
+      become: true
+      dnf:
+        state: latest
+        name: epel-release
+      when: "ansible_distribution == 'CentOS' and ansible_distribution_major_version|int == 8"
+    - name: dnf
+      become: true
+      dnf:
+        state: latest
+        name: curl,wget,git,vim,sudo,byobu,iftop,iotop,gcc,gcc-c++,make,autoconf,p7zip,p7zip-plugins,tcpdump,rsync,htop,mtr,net-tools,traceroute,tar,unzip,nmap,python3-libselinux,open-vm-tools
+      when: "ansible_distribution == 'CentOS' and ansible_distribution_major_version|int == 8"
+    - name: dnf autoremove
+      become: true
+      dnf:
+        autoremove: true
+      when: "ansible_distribution == 'CentOS' and ansible_distribution_major_version|int == 8"
+    - name: disable selinux
+      become: true
+      selinux:
+        state: disabled
+      when: "ansible_distribution == 'CentOS'"
+    - name: disable selinux
+      become: true
+      lineinfile:
+        path: /etc/selinux/config
+        regexp: '^SELINUX='
+        line: 'SELINUX=disabled'
+        backrefs: true
+      when: "ansible_distribution == 'CentOS'"
+    - name: remove hwaddr in ifcfg
+      become: true
+      shell: 'sed -i "/HWADDR/d" /etc/sysconfig/network-scripts/ifcfg-*'
+      when: "ansible_distribution == 'CentOS'"
+    - name: set hostname to localhost
+      become: true
+      lineinfile:
+        path: /etc/sysconfig/network
+        line: 'HOSTNAME=localhost.localdomain'
+        insertafter: 'EOF'
+      when: "ansible_distribution == 'CentOS'"
+    - name: clean logs and hostkeys
+      become: true
+      shell: 'rm -rf /etc/ssh/ssh_host_* /var/log/*'
+    - name: clean bash history
+      file:
+        name: '~/.bash_history'
+        state: absent
--- a/update_srvpro.yml
+++ b/update_srvpro.yml
@@ -13,15 +13,6 @@
        force: true
        accept_hostkey: true
        track_submodules: true
-    #- name: permission
-    #  become: true
-    #  file:
-    #    path: '{{home_path}}/.npm'
-    #    recurse: true
-    #    owner: "{{ ansible_user_id }}"
-    #- name: srvpro npm
-    #  npm:
-    #    path: '{{home_path}}/ygopro-server'
    - name: challonge
      git:
        repo: 'https://github.com/moecube/challonge'