Commit a7e1ddc0 authored by nanahira's avatar nanahira

complete template

parent 6a67d19c
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to # See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution. # newer versions of the distribution.
deb http://archive.ubuntu.com/ubuntu bionic main restricted deb http://archive.ubuntu.com/ubuntu focal main restricted
# deb-src http://archive.ubuntu.com/ubuntu bionic main restricted # deb-src http://archive.ubuntu.com/ubuntu focal main restricted
## Major bug fix updates produced after the final release of the ## Major bug fix updates produced after the final release of the
## distribution. ## distribution.
deb http://archive.ubuntu.com/ubuntu bionic-updates main restricted deb http://archive.ubuntu.com/ubuntu focal-updates main restricted
# deb-src http://archive.ubuntu.com/ubuntu bionic-updates main restricted # deb-src http://archive.ubuntu.com/ubuntu focal-updates main restricted
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any ## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team. ## review or updates from the Ubuntu security team.
deb http://archive.ubuntu.com/ubuntu bionic universe deb http://archive.ubuntu.com/ubuntu focal universe
# deb-src http://archive.ubuntu.com/ubuntu bionic universe # deb-src http://archive.ubuntu.com/ubuntu focal universe
deb http://archive.ubuntu.com/ubuntu bionic-updates universe deb http://archive.ubuntu.com/ubuntu focal-updates universe
# deb-src http://archive.ubuntu.com/ubuntu bionic-updates universe # deb-src http://archive.ubuntu.com/ubuntu focal-updates universe
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to ## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in ## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu ## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team. ## security team.
deb http://archive.ubuntu.com/ubuntu bionic multiverse deb http://archive.ubuntu.com/ubuntu focal multiverse
# deb-src http://archive.ubuntu.com/ubuntu bionic multiverse # deb-src http://archive.ubuntu.com/ubuntu focal multiverse
deb http://archive.ubuntu.com/ubuntu bionic-updates multiverse deb http://archive.ubuntu.com/ubuntu focal-updates multiverse
# deb-src http://archive.ubuntu.com/ubuntu bionic-updates multiverse # deb-src http://archive.ubuntu.com/ubuntu focal-updates multiverse
## N.B. software from this repository may not have been tested as ## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes ## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features. ## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review ## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team. ## or updates from the Ubuntu security team.
deb http://archive.ubuntu.com/ubuntu bionic-backports main restricted universe multiverse deb http://archive.ubuntu.com/ubuntu focal-backports main restricted universe multiverse
# deb-src http://archive.ubuntu.com/ubuntu bionic-backports main restricted universe multiverse # deb-src http://archive.ubuntu.com/ubuntu focal-backports main restricted universe multiverse
## Uncomment the following two lines to add software from Canonical's ## Uncomment the following two lines to add software from Canonical's
## 'partner' repository. ## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the ## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users. ## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu bionic partner # deb http://archive.canonical.com/ubuntu focal partner
# deb-src http://archive.canonical.com/ubuntu bionic partner # deb-src http://archive.canonical.com/ubuntu focal partner
deb http://security.ubuntu.com/ubuntu bionic-security main restricted deb http://security.ubuntu.com/ubuntu focal-security main restricted
# deb-src http://security.ubuntu.com/ubuntu bionic-security main restricted # deb-src http://security.ubuntu.com/ubuntu focal-security main restricted
deb http://security.ubuntu.com/ubuntu bionic-security universe deb http://security.ubuntu.com/ubuntu focal-security universe
# deb-src http://security.ubuntu.com/ubuntu bionic-security universe # deb-src http://security.ubuntu.com/ubuntu focal-security universe
deb http://security.ubuntu.com/ubuntu bionic-security multiverse deb http://security.ubuntu.com/ubuntu focal-security multiverse
# deb-src http://security.ubuntu.com/ubuntu bionic-security multiverse # deb-src http://security.ubuntu.com/ubuntu focal-security multiverse
--- ---
- hosts: template - hosts: template
remote_user: root remote_user: root
vars:
install_authorized_keys: false
allow_password: true
upgrade: true
reboot: true
china_mirror: false
mirror_debian: http://deb.debian.org
mirror_debian_security: http://security.debian.org
mirror_ubuntu: http://archive.ubuntu.com
mirror_ubuntu_security: http://security.ubuntu.com
tasks: tasks:
- name: source - name: tasks from init
become: true include_tasks: './roles/init/tasks/{{item}}.yml'
copy: with_items:
src: 'files/source/{{ansible_distribution|lower}}/sources.list' - utility
dest: /etc/apt/sources.list - sshd_config
when: ansible_os_family == 'Debian' - upgrade
- name: sudoers - sshd_config
become: true - sysctl
lineinfile:
path: /etc/sudoers
insertafter: 'EOF'
line: '{{ ansible_user_id }} ALL=(ALL:ALL) NOPASSWD: ALL'
validate: /usr/sbin/visudo -cf %s
when: "ansible_user_id != 'root'"
- name: timezone
become: true
timezone:
name: Asia/Shanghai
- name: permit root login
become: true
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#?PermitRootLogin (false|no).*$'
line: 'PasswordAuthentication yes'
backrefs: true
- name: sshd config
become: true
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#?GSSAPIAuthentication (true|yes).*$'
line: 'GSSAPIAuthentication no'
backrefs: true
- name: sshd config
become: true
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#?UseDNS (true|yes).*$'
line: 'UseDNS no'
backrefs: true
- name: net.ipv4.ip_forward
become: true
sysctl:
name: net.ipv4.ip_forward
value: 1
sysctl_set: true
- name: fs.inotify.max_user_watches
become: true
sysctl:
name: fs.inotify.max_user_watches
value: 524288
sysctl_set: true
- name: net.ipv4.conf.all.rp_filter
become: true
sysctl:
name: net.ipv4.conf.all.rp_filter
value: 0
sysctl_set: true
- name: net.ipv4.conf.default.rp_filter
become: true
sysctl:
name: net.ipv4.conf.default.rp_filter
value: 0
sysctl_set: true
- name: TCP BBR
become: true
sysctl:
name: net.core.default_qdisc
value: fq
sysctl_set: true
when: "ansible_os_family == 'Debian' or ansible_distribution_major_version|int > 7"
- name: TCP BBR
become: true
sysctl:
name: net.ipv4.tcp_congestion_control
value: bbr
sysctl_set: true
when: "ansible_os_family == 'Debian' or ansible_distribution_major_version|int > 7"
- name: limit
become: true
pam_limits:
domain: '{{ ansible_user_id }}'
limit_type: '-'
limit_item: nofile
value: 1048576
- name: apt upgrade
become: true
apt:
update_cache: true
upgrade: dist
when: "ansible_os_family == 'Debian'"
- name: yum update
become: true
yum:
name: '*'
update_cache: true
state: latest
when: "ansible_os_family == 'RedHat' and ansible_distribution_major_version|int == 7"
- name: dnf update
become: true
dnf:
name: '*'
#update_cache: true
state: latest
when: "ansible_os_family == 'RedHat' and ansible_distribution_major_version|int == 8"
- name: fixup iptables with qemu
become: true
iptables:
chain: FORWARD
flush: true
when: 'ansible_virtualization_role == "host"'
- name: apt - name: apt
become: true include_tasks: ./roles/init/tasks/apt.yml
apt:
update_cache: true
state: latest
name: curl,wget,git,vim,sudo,byobu,iftop,iotop,build-essential,p7zip-full,tcpdump,rsync,htop,locales,mtr,dnsutils,net-tools,traceroute,tar,unzip,iperf,iperf3,nmap,dnsutils,open-vm-tools
when: "ansible_os_family == 'Debian'"
- name: apt autoremove
become: true
apt:
autoremove: true
when: "ansible_os_family == 'Debian'" when: "ansible_os_family == 'Debian'"
- name: epel 7
become: true
yum:
state: latest
name: epel-release
when: "ansible_os_family == 'RedHat' and ansible_distribution_major_version|int == 7"
- name: yum - name: yum
become: true include_tasks: ./roles/init/tasks/yum.yml
yum:
state: latest
name: curl,wget,git,vim,sudo,byobu,iftop,iotop,gcc,gcc-c++,make,autoconf,p7zip,p7zip-plugins,tcpdump,rsync,htop,mtr,net-tools,traceroute,tar,unzip,iperf,iperf3,nmap,libselinux-python,open-vm-tools
when: "ansible_os_family == 'RedHat' and ansible_distribution_major_version|int == 7" when: "ansible_os_family == 'RedHat' and ansible_distribution_major_version|int == 7"
- name: epel 8
become: true
dnf:
state: latest
name: epel-release
when: "ansible_os_family == 'RedHat' and ansible_distribution_major_version|int == 8"
- name: dnf - name: dnf
become: true include_tasks: ./roles/init/tasks/dnf.yml
dnf:
state: latest
name: curl,wget,git,vim,sudo,byobu,iftop,iotop,gcc,gcc-c++,make,autoconf,p7zip,p7zip-plugins,tcpdump,rsync,htop,mtr,net-tools,traceroute,tar,unzip,nmap,python3-libselinux,open-vm-tools
when: "ansible_os_family == 'RedHat' and ansible_distribution_major_version|int == 8"
- name: dnf autoremove
become: true
dnf:
autoremove: true
when: "ansible_os_family == 'RedHat' and ansible_distribution_major_version|int == 8" when: "ansible_os_family == 'RedHat' and ansible_distribution_major_version|int == 8"
- name: disable selinux - name: redhat configures
become: true include_tasks: ./roles/init/tasks/redhat_configures.yml
selinux:
state: disabled
when: "ansible_os_family == 'RedHat'"
- name: disable selinux
become: true
lineinfile:
path: /etc/selinux/config
regexp: '^SELINUX='
line: 'SELINUX=disabled'
backrefs: true
when: "ansible_os_family == 'RedHat'" when: "ansible_os_family == 'RedHat'"
- name: remove hwaddr in ifcfg - name: remove hwaddr in ifcfg
become: true become: true
...@@ -181,7 +47,30 @@ ...@@ -181,7 +47,30 @@
become: true become: true
copy: copy:
content: | content: |
[Unit]
Description=Regenerate SSH host keys
Before=sshd.service
[Service]
Type=oneshot
ExecStartPre=/bin/sh -c "/bin/rm -f -v /etc/ssh/ssh_host_*_key*"
ExecStart=/usr/bin/ssh-keygen -A -v
ExecStartPost=/bin/systemctl disable regenerate_ssh_host_keys
[Install]
WantedBy=multi-user.target
dest: /lib/systemd/system/regenerate_ssh_host_keys.service
- name: systemd
become: true
systemd:
name: regenerate_ssh_host_keys
enabled: true
daemon_reload: true
- name: motd
become: true
copy:
content: Welcome to MyCard Cloud Service!
dest: /etc/motd
- name: clean logs and hostkeys - name: clean logs and hostkeys
become: true become: true
shell: 'rm -rf /etc/ssh/ssh_host_* /var/log/*' shell: 'rm -rf /etc/ssh/ssh_host_* /var/log/*'
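Review bot: The new `vars` block at the top of the play defaults to `allow_password: true` with `install_authorized_keys: false`, so a template built with no overrides ends up with password SSH login as its baseline while the play itself runs as `remote_user: root`; for a cloud image that is the weakest reasonable default. I would invert them so key-only SSH is the default and password login is an explicit opt-in, e.g. `install_authorized_keys: true` and `allow_password: false  # opt-in only; template images should ship key-only SSH`. Separately, `sshd_config` appears twice in the `with_items` list for the init role (once before and once after `upgrade`), which re-runs the same task file; if the second pass is deliberate because the package upgrade may touch `/etc/ssh/sshd_config`, a comment saying so would help, otherwise it looks like a leftover from the tasks that were dropped from this play (sudoers, timezone, limits). The included role task files are not part of this commit, so I cannot confirm what `allow_password` actually controls there.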