Commit 71e46ef6 authored by nimrod's avatar nimrod

Debian server role.

Also, some adaptations for Ansible 2.10.
parent e9da05ac
...@@ -10,27 +10,39 @@ repos: ...@@ -10,27 +10,39 @@ repos:
- id: check-yaml - id: check-yaml
- id: detect-private-key - id: detect-private-key
- id: trailing-whitespace - id: trailing-whitespace
- repo: https://git.shore.co.il/ansible/ansible-pre-commit.git - repo: https://git.shore.co.il/ansible/ansible-pre-commit.git
rev: v0.10.0 rev: v0.10.0
hooks: hooks:
- id: ansible-syntax-check - id: ansible-syntax-check
files: bootstrap\.yaml|update\.yaml|renew-certs\.yaml # yamllint disable-line rule:line-length
files: bootstrap\.yaml|update\.yaml|renew-certs\.yaml|debian_server\.yaml
types: [yaml] types: [yaml]
- repo: https://github.com/ansible/ansible-lint - repo: https://github.com/ansible/ansible-lint
rev: v4.3.7 rev: v4.3.7
hooks: hooks:
- id: ansible-lint - id: ansible-lint
- repo: https://github.com/adrienverge/yamllint - repo: https://github.com/adrienverge/yamllint
rev: v1.25.0 rev: v1.25.0
hooks: hooks:
- id: yamllint - id: yamllint
- repo: https://github.com/amperser/proselint/ - repo: https://github.com/amperser/proselint/
rev: 0.10.2 rev: 0.10.2
hooks: hooks:
- id: proselint - id: proselint
types: [markdown] types: [markdown]
- repo: https://github.com/Yelp/detect-secrets - repo: https://github.com/Yelp/detect-secrets
rev: v0.14.3 rev: v0.14.3
hooks: hooks:
- id: detect-secrets - id: detect-secrets
exclude: Pipfile\.lock exclude: Pipfile\.lock
- repo: https://git.shore.co.il/nimrod/shell-pre-commit.git
sha: v0.6.0
hooks:
- id: shell-lint
- id: shellcheck
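Review bot: The new shell-pre-commit entry at the end of the hunk pins the hook with `sha: v0.6.0`, while every other repo in this file uses `rev:`; pre-commit deprecated `sha` in favour of `rev`, so `rev: v0.6.0` keeps the file consistent and avoids the deprecation warning. Separately, the value is a tag, not a commit hash: a tag on a remote repository is mutable, so whoever controls that host or the hook repository could move `v0.6.0` and change what runs on every contributor's commit. Pinning hooks to the full commit SHA (`pre-commit autoupdate --freeze` produces this form) makes the hook source immutable; this applies to the other hooks too, but this hunk is where the new pin is introduced.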
[defaults] [defaults]
callback_whitelist = profile_tasks, timer callback_whitelist = ansible.posix.profile_tasks, ansible.posix.timer
command_warnings = True command_warnings = True
deprecation_warnings = True deprecation_warnings = True
fact_caching = jsonfile fact_caching = jsonfile
---
- hosts:
- ns4
- host01
roles:
- debian_server
become: true
become_user: root
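Review bot: The play has no `name:`, so playbook output shows only the host list for it; a `- name: Configure Debian servers` line at the top of the play reads better and matches the named tasks in the role. `become_user: root` is already the default once `become: true` is set and can be dropped, though keeping it explicit is harmless.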
#!/bin/sh
set -eu
list_subvolumes() {
btrfs subvolume list --sort=path "$1" | awk '{print $9}' | uniq
}
cleanup() {
for volume in $(list_subvolumes "$source/.snapshot")
do
if [ -d "$source/.snapshot/$volume" ]
then
btrfs subvolume delete "$source/.snapshot/$volume"
fi
done
btrfs subvolume delete "$source/.snapshot"
sync --file-system "$source"
}
if [ "$#" -ne 2 ]
then
echo "Usage: $0 source destination" >&2
exit 1
fi
source="$1"
destination="$2"
# Before the first snapshot is made.
subvolumes="$(list_subvolumes "$source")"
trap 'cleanup' INT QUIT EXIT TERM
# It would be better to take all snapshots atomically, but that's not possible.
btrfs subvolume snapshot "$source" "$source/.snapshot"
for volume in $subvolumes
do
rm --dir "$source/.snapshot/$volume"
btrfs subvolume snapshot "$source/$volume" "$source/.snapshot/$volume"
done
sync --file-system "$source"
rsync --archive \
--delete \
"$source/.snapshot/" \
"$destination"
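Review bot: Nothing guards against a `$source/.snapshot` left behind by an earlier interrupted run (SIGKILL, or `cleanup` failing on a busy subvolume), so the `btrfs subvolume snapshot "$source" "$source/.snapshot"` line would then create the new snapshot inside that existing directory rather than at `.snapshot` itself, after which the `rm --dir`/nested-snapshot loop and `rsync --delete` operate on the wrong tree — and `--delete` can prune the backup at `$destination`. A check placed before the trap is installed, `[ -e "$source/.snapshot" ] && { echo "$source/.snapshot already exists; remove it first" >&2; exit 1; }`, fails loudly instead. Two further caveats worth a comment in the script: `btrfs subvolume list` without `-o` appears to list every subvolume of the filesystem with paths relative to the top-level subvolume, so the script presumably assumes `$source` is the top-level mount; and the `$(list_subvolumes …)` word splitting plus `awk '{print $9}'` break on subvolume names containing whitespace. Consider `btrfs subvolume snapshot -r` for the nested snapshots so the tree rsync reads is read-only while the copy runs.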
---
- name: Verify assertions
assert:
that:
- ansible_distribution == "Debian"
- ansible_distribution_major_version|int >= 10
- name: Enable the backports repo
loop:
- deb
- deb-src
apt_repository:
# yamllint disable-line rule:line-length
repo: '{{ item }} http://deb.debian.org/debian {{ ansible_distribution_release }}-backports main contrib non-free'
state: present
update_cache: true
- name: Install packages
apt:
cache_valid_time: 3600
name:
- btrfs-progs
- cryptsetup
- docker.io
- fwupd
- fwupdate-signed
- intel-microcode
- libpam-mount-bin
- rsync
- tmux
- ufw
state: present
- name: Rate limit SSH
community.general.ufw:
rule: limit
port: ssh
proto: tcp
- name: Enable UFW
community.general.ufw:
default: reject
state: enabled
- name: Allow unprivileged user namespaces
ansible.posix.sysctl:
name: kernel/unprivileged_userns_clone
state: present
value: "1"
- name: Allow more inotify watches
ansible.posix.sysctl:
name: fs.inotify.max_user_watches
state: present
value: "640000"
- name: Secure SSH
with_dict:
PermitRootLogin: !!str no
PasswordAuthentication: !!str no
lineinfile:
backup: true
line: |-
{{ item.key }} {{ item.value }}
path: /etc/ssh/sshd_config
regexp: |-
{{ item.key }}
state: present
validate: sshd -Tf %s
- name: Make /tmp a tmpfs mount
ansible.posix.mount:
fstype: tmpfs
name: /tmp
src: none
opts: "defaults,nosuid,nodev"
state: present
- name: Disable swap
meta: noop
- name: Set UID/GID mapping range
loop:
- /etc/subgid
- /etc/subuid
copy:
content: |
nimrod:100000:65536
dest: |-
{{ item }}
group: root
mode: 0o0644
owner: root
- name: Create an SSL directory under /var
file:
group: root
mode: 0o0755
owner: root
path: /var/ssl
state: directory
- name: Copy btrfs copy script
copy:
dest: /usr/local/sbin/btrfs-backup
group: root
mode: preserve
owner: root
src: btrfs-backup
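Review bot: In the "Secure SSH" task `regexp: {{ item.key }}` is unanchored and `lineinfile` rewrites the last line that matches, so for `PasswordAuthentication` it also matches a commented `# PasswordAuthentication` line and, should the config ever contain a `Match` block setting the same directive, the rewrite would land inside that block and no longer apply globally; `regexp: '^#?\s*{{ item.key }}\b'` together with `insertbefore: '^Match\b'` and `firstmatch: true` keeps the global setting above any Match section. The task also has no `notify:` and this commit adds no handler, so `PermitRootLogin no` and `PasswordAuthentication no` are only written to disk and do not take effect until sshd is next restarted — presumably not what a hardening task intends; `notify: reload sshd` with a handler that reloads the `ssh` service closes that gap. Unrelated but worth documenting: `kernel/unprivileged_userns_clone = 1` widens the kernel attack surface reachable from unprivileged processes (it is the knob Debian leaves off by default), so a one-line `# needed for …` comment on that task would record why that trade-off is accepted here.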