diff --git a/ansible/group_vars/all/apt.yml b/ansible/group_vars/all/apt.yml new file mode 100644 index 0000000..dda3e95 --- /dev/null +++ b/ansible/group_vars/all/apt.yml 
@@ -0,0 +1,644 @@ +apt: + repositories: + weechat: + url: https://weechat.org/debian + key: 11E9DE8848F2B65222AA75B8D1820DB22A11534E + + tor: + url: https://deb.torproject.org/torproject.org + key: A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 + keyring: deb.torproject.org-keyring.gpg + + packages: + dns: + - name: unbound + - name: dnsutils + - name: ldnsutils + + tor: + - name: deb.torproject.org-keyring + - name: python-torctl + - name: tor + - name: torsocks + - name: tor-arm + + misc: + - name: acl + - name: acpi + - name: acpi-support-base + - name: acpid + - name: adduser + - name: aglfn + - name: alpine + - name: anarchism + - name: ansible + - name: apt + - name: apt-file + - name: apt-transport-https + - name: apt-utils + - name: aptitude + - name: aptitude-common + - name: aria2 + - name: aspell + - name: aspell-en + - name: atool + - name: auditd + - name: autoconf + - name: automake + - name: autopoint + - name: autotools-dev + - name: awscli + - name: base-files + - name: base-passwd + - name: bash + - name: bash-completion + - name: bastet + - name: bc + - name: bcrypt + - name: binfmt-support + - name: binutils + - name: bitlbee + - name: bitlbee-common + - name: bsdgames + - name: bsdmainutils + - name: bsdutils + - name: build-essential + - name: busybox + - name: byobu + - name: bzip2 + - name: ca-certificates + - name: cgroup-tools + - name: checkpolicy + - name: cloc + - name: cloud-initramfs-dyn-netconf + - name: cloud-initramfs-growroot + - name: cloud-utils + - name: cmake + - name: cmake-data + - name: command-not-found + - name: console-setup + - name: console-setup-linux + - name: coreutils + - name: cowsay + - name: cpio + - name: cpp + - name: cracklib-runtime + - name: cron + - name: curl + - name: cvs + - name: dash + - name: dbus + - name: dbus-x11 + - name: dc + - name: dconf-gsettings-backend + - name: dconf-service + - name: dctrl-tools + - name: debconf + - name: debconf-i18n + - name: debconf-utils + - name: debhelper + - name: 
debian-archive-keyring + - name: debian-keyring + - name: debianutils + - name: debsums + - name: devscripts + - name: dh-lua + - name: dh-python + - name: dictionaries-common + - name: diffutils + - name: dirmngr + - name: discount + - name: discover + - name: discover-data + - name: distro-info + - name: distro-info-data + - name: dmidecode + - name: dmsetup + - name: docutils-common + - name: dos2unix + - name: dpkg + - name: dpkg-dev + - name: duplicity + - name: e2fslibs + - name: e2fsprogs + - name: eject + - name: elinks + - name: elinks-data + - name: elixir + - name: emacs-nox + - name: emacs24-bin-common + - name: emacs24-common + - name: emacs24-nox + - name: emacsen-common + - name: encfs + - name: erlang-asn1 + - name: erlang-base + - name: erlang-crypto + - name: erlang-inets + - name: erlang-mnesia + - name: erlang-os-mon + - name: erlang-public-key + - name: erlang-runtime-tools + - name: erlang-snmp + - name: erlang-ssl + - name: euca2ools + - name: exuberant-ctags + - name: fakeroot + - name: ferm + - name: figlet + - name: file + - name: findutils + - name: firejail + - name: fish + - name: fish-common + - name: fontconfig + - name: fontconfig-config + - name: fonts-dejavu-core + - name: fonts-lyx + - name: frotz + - name: fuse + - name: g++ + - name: gawk + - name: gcc + - name: gconf-service + - name: gconf2 + - name: gconf2-common + - name: gdb + - name: geoip-database + - name: gettext + - name: gettext-base + - name: gforth + - name: gforth-common + - name: gforth-lib + - name: ghc + - name: gir1.2-glib-2.0 + - name: git-email + - name: git-man + - name: glances + - name: glib-networking + - name: glib-networking-common + - name: glib-networking-services + - name: gnuchess + - name: gnugo + - name: gnupg-agent + - name: gnupg2 + - name: gnuplot-data + - name: gnuplot-nox + - name: golang-go + - name: golang-src + - name: gpgv + - name: grep + - name: groff-base + - name: grub-common + - name: grub-pc + - name: grub-pc-bin + - name: 
grub2-common + - name: gsettings-desktop-schemas + - name: gsfonts + - name: guile-2.0 + - name: guile-2.0-dev + - name: guile-2.0-libs + - name: gyp + - name: gzip + - name: haveged + - name: hddtemp + - name: hostname + - name: html2text + - name: htop + - name: httpie + - name: iamerican + - name: ibritish + - name: ieee-data + - name: ienglish-common + - name: ifupdown + - name: imagemagick + - name: imagemagick-6.q16 + - name: imagemagick-common + - name: info + - name: init + - name: init-system-helpers + - name: initramfs-tools + - name: initscripts + - name: insserv + - name: install-info + - name: installation-report + - name: intltool-debian + - name: iotop + - name: ipcalc + - name: iperf + - name: iproute + - name: iproute2 + - name: iptables + - name: iputils-ping + - name: ipxe-qemu + - name: irssi + - name: isc-dhcp-client + - name: isc-dhcp-common + - name: iso-codes + - name: ispell + - name: java-common + - name: javascript-common + - name: joe + - name: john + - name: john-data + - name: jq + - name: kbd + - name: kexec-tools + - name: keyboard-configuration + - name: klibc-utils + - name: kmod + - name: krb5-locales + - name: ksh + - name: ldap-utils + - name: less + - name: lftp + - name: libpam-systemd + - name: libsqlite3-dev + - name: linux-image-amd64 + - name: lm-sensors + - name: locales + - name: locales-all + - name: locate + - name: login + - name: logrotate + - name: lsb-base + - name: lsb-release + - name: lsof + - name: ltrace + - name: lua5.1 + - name: lua5.2 + - name: lua5.3 + - name: luajit + - name: luarocks + - name: lynx + - name: lynx-cur + - name: m4 + - name: man-db + - name: manpages + - name: manpages-dev + - name: mat + - name: mawk + - name: mc + - name: mc-data + - name: mime-support + - name: mksh + - name: mlock + - name: mosh + - name: mount + - name: mtr + - name: multiarch-support + - name: mutt + - name: mysql-common + - name: nano + - name: ncdu + - name: ncurses-base + - name: ncurses-bin + - name: ncurses-doc 
+ - name: ncurses-term + - name: net-tools + - name: netbase + - name: netcat-traditional + - name: nethack-common + - name: nethack-console + - name: nfacct + - name: nmap + - name: node-abbrev + - name: node-ansi + - name: node-ansi-color-table + - name: node-archy + - name: node-async + - name: node-block-stream + - name: node-combined-stream + - name: node-cookie-jar + - name: node-delayed-stream + - name: node-forever-agent + - name: node-form-data + - name: node-fstream + - name: node-fstream-ignore + - name: node-github-url-from-git + - name: node-glob + - name: node-graceful-fs + - name: node-gyp + - name: node-inherits + - name: node-ini + - name: node-json-stringify-safe + - name: node-lockfile + - name: node-lru-cache + - name: node-mime + - name: node-minimatch + - name: node-mkdirp + - name: node-mute-stream + - name: node-node-uuid + - name: node-nopt + - name: node-normalize-package-data + - name: node-npmlog + - name: node-once + - name: node-osenv + - name: node-qs + - name: node-read + - name: node-read-package-json + - name: node-request + - name: node-retry + - name: node-rimraf + - name: node-semver + - name: node-sha + - name: node-sigmund + - name: node-slide + - name: node-tar + - name: node-tunnel-agent + - name: node-underscore + - name: node-which + - name: nodejs + - name: nodejs-dev + - name: nodejs-legacy + - name: nscd + - name: nslcd + - name: nslcd-utils + - name: oidentd + - name: openbios-ppc + - name: openbios-sparc + - name: openhackware + - name: openntpd + - name: openssh-client + - name: openssh-sftp-server + - name: openssl + - name: os-prober + - name: p7zip + - name: pandoc + - name: pandoc-data + - name: parallel + - name: parted + - name: pass + - name: passwd + - name: patch + - name: pciutils + - name: pep8 + - name: perl + - name: perl-base + - name: perl-modules + - name: php-cgi + - name: php-cli + - name: php-common + - name: php-curl + - name: php-fpm + - name: php-json + - name: php-mysql + - name: php-sqlite3 + 
- name: pidgin-data + - name: pinentry-curses + - name: pkg-config + - name: po-debconf + - name: policykit-1 + - name: poppler-data + - name: procps + - name: psmisc + - name: pv + - name: pwgen + - name: pyflakes + - name: python + - name: python-apt + - name: python-apt-common + - name: python-audit + - name: python-backports.ssl-match-hostname + - name: python-boto + - name: python-cffi + - name: python-characteristic + - name: python-chardet + - name: python-cheetah + - name: python-colorama + - name: python-configobj + - name: python-crypto + - name: python-cryptography + - name: python-dateutil + - name: python-debian + - name: python-debianbts + - name: python-decorator + - name: python-defusedxml + - name: python-dev + - name: python-distlib + - name: python-distro-info + - name: python-docutils + - name: python-ecdsa + - name: python-flake8 + - name: python-gdbm + - name: python-geoip + - name: python-gi + - name: python-hachoir-core + - name: python-hachoir-parser + - name: python-html5lib + - name: python-httplib2 + - name: python-ipy + - name: python-jinja2 + - name: python-json-pointer + - name: python-jsonpatch + - name: python-ldap + - name: python-lockfile + - name: python-lxml + - name: python-markupsafe + - name: python-matplotlib-data + - name: python-mccabe + - name: python-minimal + - name: python-mock + - name: python-mutagen + - name: python-ndg-httpsclient + - name: python-netaddr + - name: python-networkx + - name: python-newt + - name: python-nose + - name: python-numpy + - name: python-oauth + - name: python-openssl + - name: python-paramiko + - name: python-pdfrw + - name: python-pip + - name: python-pkg-resources + - name: python-ply + - name: python-potr + - name: python-prettytable + - name: python-pyasn1 + - name: python-pyasn1-modules + - name: python-pycparser + - name: python-pygments + - name: python-pyparsing + - name: python-reportlab + - name: python-reportlab-accel + - name: python-requestbuilder + - name: python-requests + 
- name: python-roman + - name: python-serial + - name: python-service-identity + - name: python-setuptools + - name: python-six + - name: python-soappy + - name: python-sss + - name: python-stevedore + - name: python-talloc + - name: python-tox + - name: python-twisted + - name: python-twisted-bin + - name: python-twisted-conch + - name: python-twisted-core + - name: python-twisted-mail + - name: python-twisted-names + - name: python-twisted-news + - name: python-twisted-runner + - name: python-twisted-web + - name: python-twisted-words + - name: python-tz + - name: python-urllib3 + - name: python-virtualenv + - name: python-websocket + - name: python-wheel + - name: python-wstools + - name: python-yaml + - name: python-zope.interface + - name: python2.7 + - name: python2.7-dev + - name: python2.7-minimal + - name: python3 + - name: python3-apt + - name: python3-bottle + - name: python3-chardet + - name: python3-colorama + - name: python3-crypto + - name: python3-decorator + - name: python3-dev + - name: python3-distlib + - name: python3-html5lib + - name: python3-jinja2 + - name: python3-markupsafe + - name: python3-minimal + - name: python3-numpy + - name: python3-pip + - name: python3-pkg-resources + - name: python3-psutil + - name: python3-py + - name: python3-pyasn1 + - name: python3-pysnmp4 + - name: python3-reportbug + - name: python3-requests + - name: python3-scipy + - name: python3-setuptools + - name: python3-six + - name: python3-software-properties + - name: python3-urllib3 + - name: python3-venv + - name: python3-virtualenv + - name: python3-wheel + - name: qalc + - name: qemu-slof + - name: qemu-system-common + - name: qemu-user + - name: qemu-utils + - name: qprint + - name: qtcore4-l10n + - name: ranger + - name: readline-common + - name: redis-server + - name: redis-tools + - name: remind + - name: reportbug + - name: reptyr + - name: resolvconf + - name: rsync + - name: rsyslog + - name: rtorrent + - name: ruby + - name: rubygems-integration + - 
name: samba-libs + - name: sbcl + - name: screen + - name: seabios + - name: sed + - name: sensible-utils + - name: sgml-base + - name: shared-mime-info + - name: shellcheck + - name: siege + - name: signing-party + - name: silversearcher-ag + - name: silversearcher-ag-el + - name: slashem + - name: slashem-common + - name: socat + - name: sqlite3 + - name: ssh + - name: ssl-cert + - name: sssd + - name: sssd-ad + - name: sssd-ad-common + - name: sssd-common + - name: sssd-ipa + - name: sssd-krb5 + - name: sssd-krb5-common + - name: sssd-ldap + - name: sssd-proxy + - name: sssd-tools + - name: startpar + - name: stow + - name: strace + - name: subversion + - name: sudo + - name: swaks + - name: sysstat + - name: tar + - name: task-english + - name: tasksel + - name: tasksel-data + - name: tcl + - name: tcl-tls + - name: tcl8.5 + - name: tcl8.6 + - name: tcllib + - name: tcpd + - name: telnet + - name: tig + - name: tmux + - name: toilet + - name: toilet-fonts + - name: topgit + - name: traceroute + - name: tree + - name: tudu + - name: tzdata + - name: ucf + - name: udev + - name: units + - name: unzip + - name: urlview + - name: usbutils + - name: util-linux + - name: util-linux-locales + - name: vim-common + - name: vim-nox + - name: vim-runtime + - name: vim-tiny + - name: virtualenv + - name: virtualenv-clone + - name: virtualenvwrapper + - name: w3m + - name: wamerican + - name: weechat + - name: weechat-core + - name: weechat-curses + - name: weechat-lua + - name: weechat-plugins + - name: weechat-perl + - name: weechat-python + - name: wget + - name: whiptail + - name: whois + - name: wyrd + - name: xauth + - name: xdg-user-dirs + - name: xkb-data + - name: xml-core + - name: xz-utils + - name: zile + - name: zip + - name: zlib1g + - name: zlib1g-dev + - name: znc + - name: zpaq + - name: zsh + - name: zsh-common 
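Review bot: `unattended-upgrades`, which the pre_tasks package list this inventory replaces used to install, appears in none of the `packages` groups here, and the apt role's minimum set does not carry it either, so hosts built from this file stop receiving automatic security updates unless it is installed somewhere not visible in this change. Add `- name: unattended-upgrades` to the `misc` list (or a small dedicated `security` group alongside `auditd`) so the package stays declared next to the rest of the base set. The `packages` groups otherwise look like a straight lift of the old list, so nothing else from the previous minimum set seems to have been lost.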
diff --git a/ansible/tasks/docker/main.post.yml b/ansible/hacks/docker.post.yml similarity index 100% rename from ansible/tasks/docker/main.post.yml rename to ansible/hacks/docker.post.yml diff --git a/ansible/tasks/docker/main.pre.yml b/ansible/hacks/docker.pre.yml similarity index 97% rename from ansible/tasks/docker/main.pre.yml rename to ansible/hacks/docker.pre.yml index 1b6640c..08d7c12 100644 --- a/ansible/tasks/docker/main.pre.yml +++ b/ansible/hacks/docker.pre.yml @@ -1,4 +1,8 @@ --- +- name: Ensure systemd is installed + apt: + name: systemd + - name: Ensure resolvconf package does not link debconf: name: resolvconf diff --git a/ansible/main.yml b/ansible/main.yml index 0601016..938c403 100644 --- a/ansible/main.yml +++ b/ansible/main.yml 
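Review bot: The new `apt: name: systemd` task runs from pre_tasks before the apt role's `Update apt cache`, and the `raw` bootstrap only fetches the index when python is missing, so on an image with an empty or stale apt cache this install can fail; the failure is then hidden by the `ignore_errors: True` on the include in main.yml and the later `systemd` handlers run against a missing binary. Give the task its own `update_cache: true` under `apt:` so it is self-sufficient. The apt role's minimum set installs systemd again later, which is harmless but worth a one-line comment here explaining why the docker path needs it earlier.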
@@ -2,102 +2,39 @@ - hosts: all gather_facts: false pre_tasks: - - name: Install python2 for Ansible - raw: bash -c "test -e /usr/bin/python || (apt -qqy update && apt install -qqy python-minimal)" - register: output - changed_when: output.stdout != "" - - name: Gathering Facts - setup: + - name: Install python2 for Ansible + raw: bash -c "test -e /usr/bin/python || (apt -qqy update && apt install -qqy python-minimal)" + register: output + changed_when: output.stdout != "" - tasks: - - - name: Install minimum system packages - apt: - update_cache: true - name: "{{ item }}" - with_items: - - ansible - - git - - gnupg - - apt-transport-https - - unattended-upgrades - - systemd - - apt-utils - - lsb-release - - curl - - initscripts - - systemd - - udev - - util-linux - - openssh-server - - - name: Remove undesirable apt files - file: - path: /etc/apt/{{ item }} - state: absent - with_items: - - trusted.gpg # Use trusted.gpg.d rather than a monolithic file! - - # We aren't running Ubuntu ... - sources.list.d/ppa_launchpad_net_ansible_ansible_ubuntu.list - - - name: Add the backports suite - blockinfile: - path: /etc/apt/sources.list - create: yes - content: | - # Backports. 
Must be enabled per-package using a pin - deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports main contrib non-free - deb-src http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports main contrib non-free + - name: Gathering Facts + setup: - - name: Prefer the installed release over backports, by default - copy: - dest: /etc/apt/preferences - mode: "0644" - content: | - # Give {{ ansible_distribution_release }} priority over everything - Package: * - Pin: release n={{ ansible_distribution_release }} - Pin-Priority: 900 + - name: Determine if we are in a docker environment + stat: path=/.dockerenv + register: dockerenv - # Give backports priority over other sources - Package: * - Pin: release n={{ ansible_distribution_release }}-backports - Pin-Priority: 800 + - set_fact: + in_docker: "{{ dockerenv.stat.exists }}" - - name: Pin Ansible from backports - copy: - dest: /etc/apt/preferences.d/ansible - mode: "0644" - content: | - Package: ansible ieee-data python-netaddr - Pin: release n={{ ansible_distribution_release }}-backports - Pin-Priority: 990 + - name: Run Docker preinit task + include_tasks: hacks/docker.pre.yml + when: in_docker + ignore_errors: True + roles: + - apt + - systemd-cron.d + - systemd-journald + - unbound - - name: Install latest ansible - apt: - name: ansible - state: latest - update_cache: yes - - - name: Determine if we are in a docker environment - stat: path=/.dockerenv - register: dockerenv - - - name: Run Docker preinit task - include_tasks: tasks/docker/main.pre.yml - when: dockerenv.stat.exists - ignore_errors: True - + tasks: - name: Include tasks files include_tasks: "tasks/{{ item }}/main.yml" with_items: - tor - hashbang - - logging - - dns - mail - - packages - profile - misc - ldap-nss 
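Review bot: `ignore_errors: True` on the `include_tasks: hacks/docker.pre.yml` pre-task hides failures in a bootstrap step that now also installs systemd, and on a dynamic include that keyword is, as far as I recall, applied to the include statement rather than to the included tasks (verify against the Ansible version pinned by the backports pin), so it either does nothing or masks a broken container build; drop it and let the included tasks use `failed_when` for the failures that are genuinely expected. The Docker detection is now the only thing gating every `systemd` call in the new roles, and it rests solely on `stat: path=/.dockerenv`, so a container runtime that does not create that file would make the play try to enable units; that is an inference, but worth a comment on the `set_fact` task. As a style point, give the `set_fact` task a `name:` and write the stat as block YAML, `stat:` / `  path: /.dockerenv`, rather than the key=value form.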
@@ -105,6 +42,6 @@ - nginx - name: Run Docker postinit task - include_tasks: tasks/docker/main.post.yml - when: dockerenv.stat.exists + include_tasks: hacks/docker.post.yml + when: in_docker ignore_errors: True diff --git a/ansible/roles/apt/handlers/main.yml b/ansible/roles/apt/handlers/main.yml new file mode 100644 index 0000000..d98b4b6 --- /dev/null +++ b/ansible/roles/apt/handlers/main.yml @@ -0,0 +1,3 @@ +- name: apt update + apt: + update_cache: yes diff --git a/ansible/roles/apt/tasks/main.yml b/ansible/roles/apt/tasks/main.yml new file mode 100644 index 0000000..d4f5041 --- /dev/null +++ b/ansible/roles/apt/tasks/main.yml 
@@ -0,0 +1,93 @@ +- name: Update apt cache + apt: + update_cache: true + +- # Those are the packages required for our playbooks to function correctly + name: Install minimum system packages + apt: + name: + - git + - gnupg + - apt-transport-https + - systemd + - openssh-server + +- name: Remove undesirable apt files + notify: apt update + file: + path: /etc/apt/{{ item }} + state: absent + with_items: + - trusted.gpg # Use trusted.gpg.d rather than a monolithic file! + - # We aren't running Ubuntu ... + sources.list.d/ppa_launchpad_net_ansible_ansible_ubuntu.list + +- name: Add the backports suite + notify: apt update + blockinfile: + path: /etc/apt/sources.list + create: yes + content: | + # Backports. Must be enabled per-package using a pin + deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports main contrib non-free + deb-src http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports main contrib non-free + +- name: Prefer the installed release over backports, by default + copy: + dest: /etc/apt/preferences + mode: "0644" + content: | + # Give {{ ansible_distribution_release }} priority over everything + Package: * + Pin: release n={{ ansible_distribution_release }} + Pin-Priority: 900 + + # Give backports priority over other sources + Package: * + Pin: release n={{ ansible_distribution_release }}-backports + Pin-Priority: 800 + +- name: Pin Ansible from backports + copy: + dest: /etc/apt/preferences.d/ansible + mode: "0644" + content: | + Package: ansible ieee-data python-netaddr + Pin: release n={{ ansible_distribution_release }}-backports + Pin-Priority: 990 + +- name: Add 3rd-party repositories (1/2) + notify: apt update + with_dict: "{{ apt.repositories }}" + apt_repository: + repo: deb {{ item.value.url | mandatory }} {{ item.value.suite | default(ansible_distribution_release) }} {{ item.value.section | default('main') }} + state: present + update_cache: no + filename: "{{ item.key }}" + + loop_control: + label: "{{ 
item.key }}" + +- name: Add 3rd-party repositories (2/2) + notify: apt update + with_dict: "{{ apt.repositories }}" + apt_key: + data: "{{ lookup('file', 'apt/{{ item.key }}.asc') }}" + id: "{{ item.value.key }}" + keyring: /etc/apt/trusted.gpg.d/{{ item.value.keyring | default(item.key) }}.gpg + + loop_control: + label: "{{ item.key }}" + + +- # Required to re-run `apt update` before installing the latest Ansible version + meta: flush_handlers + +- name: Install latest ansible + apt: + name: ansible + state: latest + +- name: Install extra packages + apt: + name: "{{ apt.packages.values() | flatten | map(attribute='name') | list }}" diff --git a/ansible/roles/systemd-cron.d/handlers/main.yml b/ansible/roles/systemd-cron.d/handlers/main.yml new file mode 100644 index 0000000..55762ef --- /dev/null +++ b/ansible/roles/systemd-cron.d/handlers/main.yml @@ -0,0 +1,4 @@ +- name: systemd reload + when: not in_docker + systemd: + daemon_reload: yes diff --git a/ansible/roles/systemd-cron.d/tasks/main.yml b/ansible/roles/systemd-cron.d/tasks/main.yml new file mode 100644 index 0000000..becf2f9 --- /dev/null +++ b/ansible/roles/systemd-cron.d/tasks/main.yml 
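Review bot: "Add 3rd-party repositories (2/2)" writes the weechat and torproject keys into `/etc/apt/trusted.gpg.d/`, where apt treats them as valid signers for every configured source including the Debian archive, and the `repo:` line in "(1/2)" carries no `signed-by`, so a compromise of either third-party key lets it sign replacements for any package on the host. Scope each key to its repository by writing it outside the global trust store and naming it on the source line: `keyring: /usr/share/keyrings/{{ item.value.keyring | default(item.key) }}.gpg` and `repo: deb [signed-by=/usr/share/keyrings/{{ item.value.keyring | default(item.key) }}.gpg] {{ item.value.url | mandatory }} {{ item.value.suite | default(ansible_distribution_release) }} {{ item.value.section | default('main') }}` (signed-by needs apt 1.1 or newer, which the stretch target has). Separately, the template appends `.gpg` to `item.value.keyring`, and the tor entry in group_vars already ends in `.gpg`, so that key lands in `deb.torproject.org-keyring.gpg.gpg` instead of the file shipped by the `deb.torproject.org-keyring` package; strip the suffix on one side. Note the "Install minimum system packages" list no longer includes `unattended-upgrades`, which the list it replaces did install.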
@@ -0,0 +1,53 @@ +- name: Install crontab target + notify: systemd reload + copy: + dest: /etc/systemd/system/crontab.target + content: | + [Install] + WantedBy=multi-user.target + + [Unit] + Description=Simulates cron, limited to /etc/cron.* + Requires=crontab@hourly.timer + Requires=crontab@daily.timer + Requires=crontab@weekly.timer + Requires=crontab@monthly.timer + +- name: Install crontab service + notify: systemd reload + copy: + dest: /etc/systemd/system/crontab@.service + content: | + [Unit] + Description=%I job for /etc/cron.%I + RefuseManualStart=yes + RefuseManualStop=yes + ConditionDirectoryNotEmpty=/etc/cron.%I + + [Service] + Type=oneshot + IgnoreSIGPIPE=no + WorkingDirectory=/ + ExecStart=/bin/run-parts --report /etc/cron.%I + +- name: Install crontab generic timer + notify: systemd reload + copy: + dest: /etc/systemd/system/crontab@.timer + content: | + [Unit] + Description=%I timer simulating /etc/cron.%I + PartOf=crontab.target + RefuseManualStart=yes + RefuseManualStop=yes + + [Timer] + OnCalendar=%I + Persistent=yes + +- name: Enable crontab service + when: not in_docker + systemd: + name: crontab + enabled: yes + masked: no diff --git a/ansible/roles/systemd-journald/handlers/main.yml b/ansible/roles/systemd-journald/handlers/main.yml new file mode 100644 index 0000000..5ce935a --- /dev/null +++ b/ansible/roles/systemd-journald/handlers/main.yml @@ -0,0 +1,5 @@ +- name: reload journald + when: not in_docker + systemd: + name: systemd-journald + state: reloaded diff --git a/ansible/tasks/logging/main.yml b/ansible/roles/systemd-journald/tasks/main.yml similarity index 77% rename from ansible/tasks/logging/main.yml rename to ansible/roles/systemd-journald/tasks/main.yml index 99d914e..e5e3760 100644 --- a/ansible/tasks/logging/main.yml +++ b/ansible/roles/systemd-journald/tasks/main.yml 
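Review bot: `name: crontab` in "Enable crontab service" has no unit suffix, and systemctl assumes `.service` for suffix-less names, so this targets a `crontab.service` that does not exist rather than the `crontab.target` the first `copy` task creates; use `name: crontab.target`. The three unit files are written with `copy` and no `mode`, so their permissions follow the default umask on the target; since `crontab@.service` runs `run-parts` over `/etc/cron.*` as root on every timer, pin `mode: "0644"` with `owner: root` and `group: root`. The `systemd reload` handler only fires at the end of the play, after the enable task has run, so consider `daemon_reload: yes` on the enable task as well so the first run sees the freshly written units.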
@@ -1,9 +1,11 @@ --- - name: Configure journald + notify: reload journald copy: dest: /etc/journald.conf content: | [Journal] MaxLevelStore=notice MaxRetentionSec=1month + Storage=persistent SystemMaxUse=1G diff --git a/ansible/roles/unbound/handlers/main.yml b/ansible/roles/unbound/handlers/main.yml new file mode 100644 index 0000000..5141494 --- /dev/null +++ b/ansible/roles/unbound/handlers/main.yml @@ -0,0 +1,11 @@ +- name: reload resolvconf + when: not in_docker + systemd: + name: resolvconf + state: reloaded + +- name: reload unbound + when: not in_docker + systemd: + name: unbound + state: reloaded diff --git a/ansible/roles/unbound/tasks/main.yml b/ansible/roles/unbound/tasks/main.yml new file mode 100644 index 0000000..024aef8 --- /dev/null +++ b/ansible/roles/unbound/tasks/main.yml 
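Review bot: `dest: /etc/journald.conf` is not a path journald reads (it loads `/etc/systemd/journald.conf` and drop-ins under `/etc/systemd/journald.conf.d/`), so the new `Storage=persistent` line, together with `MaxRetentionSec` and `SystemMaxUse`, never takes effect and the new `reload journald` handler reloads an unchanged configuration. Write a drop-in instead, e.g. `dest: /etc/systemd/journald.conf.d/hashbang.conf`, keeping the `[Journal]` header. With persistent storage actually in effect, double-check that `MaxLevelStore=notice` is what you want for a forensic trail: sshd logs accepted and failed logins at info level, so they would be kept only via forwarding to rsyslog, which is in the package list but not configured in this change.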
@@ -0,0 +1,82 @@ +--- +- name: Install necessary packages + apt: + name: + - unbound + - dns-root-data + - resolvconf + +- name: Setup localhost as the default nameserver + notify: reload resolvconf + lineinfile: + path: /etc/resolvconf/resolv.conf.d/base + create: true + line: "nameserver 127.0.0.1" + +- name: Setup hashbang.sh as default domain + lineinfile: + path: /etc/resolvconf/resolv.conf.d/tail + create: true + line: "domain hashbang.sh" + +- name: Configure unbound + notify: reload unbound + copy: + dest: /etc/unbound/unbound.conf.d/{{ item.key }}.conf + content: | + # File managed with Ansible, do not edit manually + {{ item.value }} + + with_dict: + debian: | + # Use DNS root hints from the dns-root-data Debian package + server: + root-hints: "/usr/share/dns/root.hints" + + prefetch: | + # Prefetch popular domains before the cache expires + server: + prefetch: yes + prefetch-key: yes + + qname-minimisation: | + # Enable RFC 7816 "DNS Query Name Minimisation to Improve Privacy" + server: + # Minimises queries sent upstream + # Avoids information disclosure to root/TLD DNS servers & improves caching + qname-minimisation: yes + + harden: | + # Unbound configuration hardening + server: + # Do not expose information about the running deamon + hide-identity: yes + hide-version: yes + + # Harden against ridiculously-short buffer sizes (potential DoS vector) + # This is against spec, but we aren't a public resolver. + harden-short-bufsize: yes + + # Harden against abnormaly large queries (same reasoning) + harden-large-queries: yes + + # Return NXDOMAIN for queries under a terminal known (and DNSSEC-validated) + # to be NXDOMAIN. Improves caching and avoids certain attacks + harden-below-nxdomain: yes + + # Use 0x20-encoded random nonces for authenticating queries. 
+ # Implementation of draft-dns-0x20, makes DNS poisoning harder + use-caps-for-id: yes + + +- name: Enable services + when: not in_docker + systemd: + name: "{{ item }}" + enabled: yes + masked: no + state: started + + with_items: + - unbound + - resolvconf diff --git a/ansible/tasks/cron/main.yml b/ansible/tasks/cron/main.yml deleted file mode 100644 index f93d308..0000000 --- a/ansible/tasks/cron/main.yml +++ /dev/null @@ -1,53 +0,0 @@ ---- -- name: Enable classic cron emulation with systemd timers - block: - - name: Install crontab target - copy: - dest: /etc/systemd/system/crontab.target - content: | - [Install] - WantedBy=multi-user.target - - [Unit] - Description=Simulates cron, limited to /etc/cron.* - Requires=crontab@hourly.timer - Requires=crontab@daily.timer - Requires=crontab@weekly.timer - Requires=crontab@monthly.timer - - - name: Install crontab service - copy: - dest: /etc/systemd/system/crontab@.service - content: | - [Unit] - Description=%I job for /etc/cron.%I - RefuseManualStart=yes - RefuseManualStop=yes - ConditionDirectoryNotEmpty=/etc/cron.%I - - [Service] - Type=oneshot - IgnoreSIGPIPE=no - WorkingDirectory=/ - ExecStart=/bin/run-parts --report /etc/cron.%I - - - name: Install crontab generic timer - copy: - dest: /etc/systemd/system/crontab@.timer - content: | - [Unit] - Description=%I timer simulating /etc/cron.%I - PartOf=crontab.target - RefuseManualStart=yes - RefuseManualStop=yes - - [Timer] - OnCalendar=%I - Persistent=yes - - - name: enable crontab service - when: not dockerenv.stat.exists - systemd: - name: crontab - enabled: yes - masked: no diff --git a/ansible/tasks/dns/main.yml b/ansible/tasks/dns/main.yml deleted file mode 100644 index bddcb87..0000000 --- a/ansible/tasks/dns/main.yml +++ /dev/null 
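Review bot: The `harden` drop-in's comment on `harden-below-nxdomain` relies on DNSSEC validation, but nothing in this role configures a trust anchor; it depends on the Debian package's own `root-auto-trust-anchor-file.conf` drop-in staying in place, so add a comment saying so (e.g. `# DNSSEC validation itself comes from the package-shipped root-auto-trust-anchor-file.conf`) or assert the anchor explicitly. While making hardening explicit, `harden-glue: yes` and `harden-dnssec-stripped: yes` belong in the same `server:` block even though current Unbound defaults them on. If this resolver serves a multi-user shell host, consider a `private-address:` list for RFC 1918 and loopback ranges to block DNS rebinding, paired with `private-domain: "hashbang.sh"` if that zone legitimately returns such addresses.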
@@ -1,92 +0,0 @@ ---- -- name: Install DNS packages - apt: - update_cache: yes - name: - - unbound - - unbound-anchor - - dns-root-data - - dnsutils - - ldnsutils - - resolvconf - -- name: setup localhost as default nameserver - lineinfile: - path: /etc/resolvconf/resolv.conf.d/base - create: true - line: "nameserver 127.0.0.1" - -- name: setup hashbang.sh as default domain - lineinfile: - path: /etc/resolvconf/resolv.conf.d/tail - create: true - line: "domain hashbang.sh" - -- name: Setup unbound configuration - block: - - name: Use DNS root hints from the dns-root-data Debian package - blockinfile: - path: /etc/unbound/unbound.conf.d/debian.conf - marker: "# {mark} ANSIBLE - DNS Root Hints" - create: true - block: | - server: - root-hints: "/usr/share/dns/root.hints" - - name: Prefetch popular domains before the cache expires - blockinfile: - path: /etc/unbound/unbound.conf.d/prefetch.conf - marker: "# {mark} ANSIBLE - Prefetch popular domains" - create: true - block: | - server: - prefetch: yes - prefetch-key: yes - - name: Enable RFC 7816 "DNS Query Name Minimisation to Improve Privacy" - blockinfile: - path: /etc/unbound/unbound.conf.d/qname-minimisation.conf - marker: "# {mark} ANSIBLE - Enable RFC 7816" - create: true - block: | - server: - qname-minimisation: yes - - - name: unbound configuration hardening - copy: - dest: /etc/unbound/unbound.conf.d/harden.conf - content: | - server: - # Do not expose information about the running deamon - hide-identity: yes - hide-version: yes - - # Harden against ridiculously-short buffer sizes (potential DoS vector) - # This is against spec, but we aren't a public resolver. - harden-short-bufsize: yes - - # Harden against abnormaly large queries (same reasoning) - harden-large-queries: yes - - # Return NXDOMAIN for queries under a terminal known (and DNSSEC-validated) - # to be NXDOMAIN. 
Improves caching and avoids certain attacks - harden-below-nxdomain: yes - - # Use 0x20-encoded random nonces for authenticating queries. - # Implementation of draft-dns-0x20, makes DNS poisoning harder - use-caps-for-id: yes - - # Minimises queries sent upstream - # Avoids information disclosure to root/TLD DNS servers & improves caching - qname-minimisation: yes - -- name: Enable & reload services - when: not dockerenv.stat.exists - systemd: - name: "{{ item }}" - enabled: yes - masked: no - state: reloaded # TODO: This should be a handler instead - - with_items: - - unbound - - unbound-resolvconf - - resolvconf diff --git a/ansible/tasks/misc/main.yml b/ansible/tasks/misc/main.yml index b2c2c47..4e2d5ee 100644 --- a/ansible/tasks/misc/main.yml +++ b/ansible/tasks/misc/main.yml @@ -55,7 +55,7 @@ mkfs.ext4 /dev/sda2 - name: enable getty - when: not dockerenv.stat.exists + when: not in_docker systemd: name: getty@tty1 enabled: yes diff --git a/ansible/tasks/packages/main.yml b/ansible/tasks/packages/main.yml deleted file mode 100644 index f232f8c..0000000 --- a/ansible/tasks/packages/main.yml +++ /dev/null 
@@ -1,639 +0,0 @@
----
-- apt_key:
- data: "{{ lookup('file', 'apt/weechat.asc') }}"
- id: 11E9DE8848F2B65222AA75B8D1820DB22A11534E
- keyring: /etc/apt/trusted.gpg.d/weechat.gpg
-
-- apt_repository:
- repo: deb https://weechat.org/debian stretch main
- state: present
- filename: weechat
-
-- apt_repository:
- repo: deb-src https://weechat.org/debian stretch main
- state: present
- filename: weechat
-
-- name: Install all system packages
- apt:
- update_cache: yes
- name:
- - acl
- - acpi
- - acpi-support-base
- - acpid
- - adduser
- - aglfn
- - alpine
- - anarchism
- - ansible
- - apt
- - apt-file
- - apt-transport-https
- - apt-utils
- - aptitude
- - aptitude-common
- - aria2
- - aspell
- - aspell-en
- - atool
- - auditd
- - autoconf
- - automake
- - autopoint
- - autotools-dev
- - awscli
- - base-files
- - base-passwd
- - bash
- - bash-completion
- - bastet
- - bc
- - bcrypt
- - binfmt-support
- - binutils
- - bitlbee
- - bitlbee-common
- - bsdgames
- - bsdmainutils
- - bsdutils
- - build-essential
- - busybox
- - byobu
- - bzip2
- - ca-certificates
- - cgroup-tools
- - checkpolicy
- - cloc
- - cloud-initramfs-dyn-netconf
- - cloud-initramfs-growroot
- - cloud-utils
- - cmake
- - cmake-data
- - command-not-found
- - console-setup
- - console-setup-linux
- - coreutils
- - cowsay
- - cpio
- - cpp
- - cracklib-runtime
- - cron
- - curl
- - cvs
- - dash
- - dbus
- - dbus-x11
- - dc
- - dconf-gsettings-backend
- - dconf-service
- - dctrl-tools
- - debconf
- - debconf-i18n
- - debconf-utils
- - debhelper
- - debian-archive-keyring
- - debian-keyring
- - debianutils
- - debsums
- - devscripts
- - dh-lua
- - dh-python
- - dictionaries-common
- - diffutils
- - dirmngr
- - discount
- - discover
- - discover-data
- - distro-info
- - distro-info-data
- - dmidecode
- - dmsetup
- - docutils-common
- - dos2unix
- - dpkg
- - dpkg-dev
- - duplicity
- - e2fslibs
- - e2fsprogs
- - eject
- - elinks
- - elinks-data
- - elixir
- - emacs-nox
- - emacs24-bin-common
- - emacs24-common
-
- emacs24-nox
- - emacsen-common
- - encfs
- - erlang-asn1
- - erlang-base
- - erlang-crypto
- - erlang-inets
- - erlang-mnesia
- - erlang-os-mon
- - erlang-public-key
- - erlang-runtime-tools
- - erlang-snmp
- - erlang-ssl
- - euca2ools
- - exuberant-ctags
- - fakeroot
- - ferm
- - figlet
- - file
- - findutils
- - firejail
- - fish
- - fish-common
- - fontconfig
- - fontconfig-config
- - fonts-dejavu-core
- - fonts-lyx
- - frotz
- - fuse
- - g++
- - gawk
- - gcc
- - gconf-service
- - gconf2
- - gconf2-common
- - gdb
- - geoip-database
- - gettext
- - gettext-base
- - gforth
- - gforth-common
- - gforth-lib
- - ghc
- - gir1.2-glib-2.0
- - git-email
- - git-man
- - glances
- - glib-networking
- - glib-networking-common
- - glib-networking-services
- - gnuchess
- - gnugo
- - gnupg-agent
- - gnupg2
- - gnuplot-data
- - gnuplot-nox
- - golang-go
- - golang-src
- - gpgv
- - grep
- - groff-base
- - grub-common
- - grub-pc
- - grub-pc-bin
- - grub2-common
- - gsettings-desktop-schemas
- - gsfonts
- - guile-2.0
- - guile-2.0-dev
- - guile-2.0-libs
- - gyp
- - gzip
- - haveged
- - hddtemp
- - hostname
- - html2text
- - htop
- - httpie
- - iamerican
- - ibritish
- - ieee-data
- - ienglish-common
- - ifupdown
- - imagemagick
- - imagemagick-6.q16
- - imagemagick-common
- - info
- - init
- - init-system-helpers
- - initramfs-tools
- - initscripts
- - insserv
- - install-info
- - installation-report
- - intltool-debian
- - iotop
- - ipcalc
- - iperf
- - iproute
- - iproute2
- - iptables
- - iputils-ping
- - ipxe-qemu
- - irssi
- - isc-dhcp-client
- - isc-dhcp-common
- - iso-codes
- - ispell
- - java-common
- - javascript-common
- - joe
- - john
- - john-data
- - jq
- - kbd
- - kexec-tools
- - keyboard-configuration
- - klibc-utils
- - kmod
- - krb5-locales
- - ksh
- - ldap-utils
- - less
- - lftp
- - libpam-systemd
- - libsqlite3-dev
- - linux-image-amd64
- - lm-sensors
- - locales
- - locales-all
- - locate
- - login
- - logrotate
- - lsb-base
- - lsb-release
- - lsof
- -
ltrace
- - lua5.1
- - lua5.2
- - lua5.3
- - luajit
- - luarocks
- - lynx
- - lynx-cur
- - m4
- - man-db
- - manpages
- - manpages-dev
- - mat
- - mawk
- - mc
- - mc-data
- - mime-support
- - mksh
- - mlock
- - mosh
- - mount
- - mtr
- - multiarch-support
- - mutt
- - mysql-common
- - nano
- - ncdu
- - ncurses-base
- - ncurses-bin
- - ncurses-doc
- - ncurses-term
- - net-tools
- - netbase
- - netcat-traditional
- - nethack-common
- - nethack-console
- - nfacct
- - nmap
- - node-abbrev
- - node-ansi
- - node-ansi-color-table
- - node-archy
- - node-async
- - node-block-stream
- - node-combined-stream
- - node-cookie-jar
- - node-delayed-stream
- - node-forever-agent
- - node-form-data
- - node-fstream
- - node-fstream-ignore
- - node-github-url-from-git
- - node-glob
- - node-graceful-fs
- - node-gyp
- - node-inherits
- - node-ini
- - node-json-stringify-safe
- - node-lockfile
- - node-lru-cache
- - node-mime
- - node-minimatch
- - node-mkdirp
- - node-mute-stream
- - node-node-uuid
- - node-nopt
- - node-normalize-package-data
- - node-npmlog
- - node-once
- - node-osenv
- - node-qs
- - node-read
- - node-read-package-json
- - node-request
- - node-retry
- - node-rimraf
- - node-semver
- - node-sha
- - node-sigmund
- - node-slide
- - node-tar
- - node-tunnel-agent
- - node-underscore
- - node-which
- - nodejs
- - nodejs-dev
- - nodejs-legacy
- - nscd
- - nslcd
- - nslcd-utils
- - oidentd
- - openbios-ppc
- - openbios-sparc
- - openhackware
- - openntpd
- - openssh-client
- - openssh-sftp-server
- - openssl
- - os-prober
- - p7zip
- - pandoc
- - pandoc-data
- - parallel
- - parted
- - pass
- - passwd
- - patch
- - pciutils
- - pep8
- - perl
- - perl-base
- - perl-modules
- - php-cgi
- - php-cli
- - php-common
- - php-curl
- - php-fpm
- - php-json
- - php-mysql
- - php-sqlite3
- - pidgin-data
- - pinentry-curses
- - pkg-config
- - po-debconf
- - policykit-1
- - poppler-data
- - procps
- - psmisc
- - pv
- - pwgen
- - pyflakes
- - python
- - python-apt
- -
python-apt-common
- - python-audit
- - python-backports.ssl-match-hostname
- - python-boto
- - python-cffi
- - python-characteristic
- - python-chardet
- - python-cheetah
- - python-colorama
- - python-configobj
- - python-crypto
- - python-cryptography
- - python-dateutil
- - python-debian
- - python-debianbts
- - python-decorator
- - python-defusedxml
- - python-dev
- - python-distlib
- - python-distro-info
- - python-docutils
- - python-ecdsa
- - python-flake8
- - python-gdbm
- - python-geoip
- - python-gi
- - python-hachoir-core
- - python-hachoir-parser
- - python-html5lib
- - python-httplib2
- - python-ipy
- - python-jinja2
- - python-json-pointer
- - python-jsonpatch
- - python-ldap
- - python-lockfile
- - python-lxml
- - python-markupsafe
- - python-matplotlib-data
- - python-mccabe
- - python-minimal
- - python-mock
- - python-mutagen
- - python-ndg-httpsclient
- - python-netaddr
- - python-networkx
- - python-newt
- - python-nose
- - python-numpy
- - python-oauth
- - python-openssl
- - python-paramiko
- - python-pdfrw
- - python-pip
- - python-pkg-resources
- - python-ply
- - python-potr
- - python-prettytable
- - python-pyasn1
- - python-pyasn1-modules
- - python-pycparser
- - python-pygments
- - python-pyparsing
- - python-reportlab
- - python-reportlab-accel
- - python-requestbuilder
- - python-requests
- - python-roman
- - python-serial
- - python-service-identity
- - python-setuptools
- - python-six
- - python-soappy
- - python-sss
- - python-stevedore
- - python-talloc
- - python-tox
- - python-twisted
- - python-twisted-bin
- - python-twisted-conch
- - python-twisted-core
- - python-twisted-mail
- - python-twisted-names
- - python-twisted-news
- - python-twisted-runner
- - python-twisted-web
- - python-twisted-words
- - python-tz
- - python-urllib3
- - python-virtualenv
- - python-websocket
- - python-wheel
- - python-wstools
- - python-yaml
- - python-zope.interface
- - python2.7
- - python2.7-dev
- - python2.7-minimal
- - python3
- - python3-apt
- - python3-bottle
- - python3-chardet
- - python3-colorama
- - python3-crypto
- - python3-decorator
- - python3-dev
- - python3-distlib
- - python3-html5lib
- - python3-jinja2
- - python3-markupsafe
- - python3-minimal
- - python3-numpy
- - python3-pip
- - python3-pkg-resources
- - python3-psutil
- - python3-py
- - python3-pyasn1
- - python3-pysnmp4
- - python3-reportbug
- - python3-requests
- - python3-scipy
- - python3-setuptools
- - python3-six
- - python3-software-properties
- - python3-urllib3
- - python3-venv
- - python3-virtualenv
- - python3-wheel
- - qalc
- - qemu-slof
- - qemu-system-common
- - qemu-user
- - qemu-utils
- - qprint
- - qtcore4-l10n
- - ranger
- - readline-common
- - redis-server
- - redis-tools
- - remind
- - reportbug
- - reptyr
- - resolvconf
- - rsync
- - rsyslog
- - rtorrent
- - ruby
- - rubygems-integration
- - samba-libs
- - sbcl
- - screen
- - seabios
- - sed
- - sensible-utils
- - sgml-base
- - shared-mime-info
- - shellcheck
- - siege
- - signing-party
- - silversearcher-ag
- - silversearcher-ag-el
- - slashem
- - slashem-common
- - socat
- - sqlite3
- - ssh
- - ssl-cert
- - sssd
- - sssd-ad
- - sssd-ad-common
- - sssd-common
- - sssd-ipa
- - sssd-krb5
- - sssd-krb5-common
- - sssd-ldap
- - sssd-proxy
- - sssd-tools
- - startpar
- - stow
- - strace
- - subversion
- - sudo
- - swaks
- - sysstat
- - tar
- - task-english
- - tasksel
- - tasksel-data
- - tcl
- - tcl-tls
- - tcl8.5
- - tcl8.6
- - tcllib
- - tcpd
- - telnet
- - tig
- - tmux
- - toilet
- - toilet-fonts
- - topgit
- - traceroute
- - tree
- - tudu
- - tzdata
- - ucf
- - udev
- - units
- - unzip
- - urlview
- - usbutils
- - util-linux
- - util-linux-locales
- - vim-common
- - vim-nox
- - vim-runtime
- - vim-tiny
- - virtualenv
- - virtualenv-clone
- - virtualenvwrapper
- - w3m
- - wamerican
- - weechat
- - weechat-core
- - weechat-curses
- - weechat-lua
- - weechat-plugins
- - weechat-perl
- - weechat-python
- - wget
- - whiptail
- - whois
- - wyrd
- - xauth
- -
xdg-user-dirs
- - xkb-data
- - xml-core
- - xz-utils
- - zile
- - zip
- - zlib1g
- - zlib1g-dev
- - znc
- - zpaq
- - zsh
- - zsh-common
diff --git a/ansible/tasks/security/main.yml b/ansible/tasks/security/main.yml
index 56867f1..d07f4d9 100644
--- a/ansible/tasks/security/main.yml
+++ b/ansible/tasks/security/main.yml
@@ -48,7 +48,7 @@
 - at
 - name: Disable services with known PAM escapes
- when: not dockerenv.stat.exists
+ when: not in_docker
 systemd:
 name: "{{ item }}"
 masked: yes
diff --git a/ansible/tasks/tor/main.yml b/ansible/tasks/tor/main.yml
index 9d95ed1..371778f 100644
--- a/ansible/tasks/tor/main.yml
+++ b/ansible/tasks/tor/main.yml
@@ -1,20 +1,9 @@
 ---
-- apt_key:
- data: "{{ lookup('file', 'apt/tor.asc') }}"
- id: A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
- keyring: /etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg
-
-- apt_repository:
- repo: deb https://deb.torproject.org/torproject.org stretch main
- state: present
- filename: tor
-
 - name: Install tor packages
 apt:
 name: "{{ item }}"
 with_items:
 - deb.torproject.org-keyring
- - python-torctl
 - tor
 - torsocks
 - tor-arm
@@ -30,4 +19,4 @@
 enabled: yes
 masked: no
 state: started
- when: not dockerenv.stat.exists
+ when: not in_docker
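Review bot: With the fingerprint-pinned apt_key (own keyring under /etc/apt/trusted.gpg.d) and the apt_repository task removed from the top of ansible/tasks/tor/main.yml, the Install tor packages task that follows still installs `deb.torproject.org-keyring`, `tor`, `torsocks` and `tor-arm` from the Tor Project repository, but this file no longer guarantees that repository and its signing key are configured before the install runs; the ordering now rests on whichever shared task consumes the `apt.repositories.tor` entry being included earlier in the play, which is not visible in this diff. A comment on the task such as `# Requires the apt.repositories.tor entry (group_vars/all/apt.yml) to have been applied first` would record that dependency for the next reader. The surviving `name: "{{ item }}"` / `with_items:` loop also installs the packages one apt transaction at a time; passing the list directly as `name:` (the form the Install DNS packages task removed earlier in this diff used) lets apt resolve them together.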