From a2f60b8691706d67c1b5446a78f8bebd541f554c Mon Sep 17 00:00:00 2001 From: Dmitry Ilvokhin Date: Sat, 6 Jan 2024 18:31:09 +0000 Subject: Migrate essential role to playbook completely --- roles/atop/handlers/main.yml | 4 ++++ roles/atop/tasks/main.yml | 38 ++++++++++++++++++++++++++++++++++++++ roles/essential/files/id_rsa.pub | 1 - roles/essential/handlers/atop.yml | 4 ---- roles/essential/handlers/main.yml | 1 - roles/essential/tasks/atop.yml | 38 -------------------------------------- roles/essential/tasks/main.yml | 4 ---- roles/essential/tasks/sudo.yml | 31 ------------------------------- roles/essential/tasks/users.yml | 29 ----------------------------- roles/minimal/tasks/main.yml | 2 +- roles/sudo/tasks/main.yml | 31 +++++++++++++++++++++++++++++++ roles/users/files/id_rsa.pub | 1 + roles/users/tasks/main.yml | 29 +++++++++++++++++++++++++++++ 13 files changed, 104 insertions(+), 109 deletions(-) create mode 100644 roles/atop/handlers/main.yml create mode 100644 roles/atop/tasks/main.yml delete mode 100644 roles/essential/files/id_rsa.pub delete mode 100644 roles/essential/handlers/atop.yml delete mode 100644 roles/essential/handlers/main.yml delete mode 100644 roles/essential/tasks/atop.yml delete mode 100644 roles/essential/tasks/main.yml delete mode 100644 roles/essential/tasks/sudo.yml delete mode 100644 roles/essential/tasks/users.yml create mode 100644 roles/sudo/tasks/main.yml create mode 100644 roles/users/files/id_rsa.pub create mode 100644 roles/users/tasks/main.yml (limited to 'roles') diff --git a/roles/atop/handlers/main.yml b/roles/atop/handlers/main.yml new file mode 100644 index 0000000..33ed20d --- /dev/null +++ b/roles/atop/handlers/main.yml @@ -0,0 +1,4 @@ +- name: Restart atop + ansible.builtin.service: + name: atop + state: restarted diff --git a/roles/atop/tasks/main.yml b/roles/atop/tasks/main.yml new file mode 100644 index 0000000..7617f68 --- /dev/null +++ b/roles/atop/tasks/main.yml 
@@ -0,0 +1,38 @@
+- name: Install atop
+ ansible.builtin.package:
+ name:
+ - atop
+ state: present
+
+- name: Setup per-minute atop snapshot
+ ansible.builtin.lineinfile:
+ dest: /etc/default/atop
+ state: present
+ regexp: '^#?LOGINTERVAL='
+ line: 'LOGINTERVAL=60'
+ owner: root
+ group: root
+ mode: u+rw,g+r,o+r
+ notify:
+ - Restart atop
+
+- name: Setup logrotate to save 7 days of logs for atop
+ ansible.builtin.lineinfile:
+ dest: /etc/default/atop
+ state: present
+ regexp: '^#?LOGGENERATIONS='
+ line: 'LOGGENERATIONS=7'
+ owner: root
+ group: root
+ mode: u+rw,g+r,o+r
+ notify:
+ - Restart atop
+
+- name: Enable atop systemd service and logrotate timer
+ ansible.builtin.service:
+ name: '{{ item }}'
+ enabled: yes
+ state: started
+ loop:
+ - atop
+ - atop-rotate.timer
diff --git a/roles/essential/files/id_rsa.pub b/roles/essential/files/id_rsa.pub
deleted file mode 100644
index e2df735..0000000
--- a/roles/essential/files/id_rsa.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5gs7lZUDZhw/8SNRHJTRq8b6KCrscYXkXb3Mtb4SNair4UYLUg4ME/gRgUxkRCJQaQtDbduZ6AUgDN7UN6o8a4jTD1t9H/SaZ9p84I5y8wXG7VJQsfYDKLUVY8+9M5mUIqKRQVcQnjf6SNs8caNFnOoDp+EeC5pVl1xa0VydIiEvKQMlCXf8zFivZE/Y8IUNv5UUM6pQRA7/yr+0ofxyRW0VfmcpzxXDwErOF+vgH4D6YUQsZ6F92OKzrg36PIz2Pbe2XqgTnv/52O5Qholulho9cmDsWjyB4is9lLcFM6gGD5W9PzjKL4iqDqWkt9I0lDQ+Y1qfsLLxdw2kcj8td d@ilvokhin.com
diff --git a/roles/essential/handlers/atop.yml b/roles/essential/handlers/atop.yml
deleted file mode 100644
index 33ed20d..0000000
--- a/roles/essential/handlers/atop.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-- name: Restart atop
- ansible.builtin.service:
- name: atop
- state: restarted
diff --git a/roles/essential/handlers/main.yml b/roles/essential/handlers/main.yml
deleted file mode 100644
index 2ea72d6..0000000
--- a/roles/essential/handlers/main.yml
+++ /dev/null
@@ -1 +0,0 @@
-- ansible.builtin.import_tasks: roles/essential/handlers/atop.yml
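Review bot: The `mode: u+rw,g+r,o+r` on both lineinfile tasks for /etc/default/atop is a relative symbolic mode — it only adds bits and never clears ones already set, so a file that happens to be group- or world-writable keeps those bits while the task still reports ok. Pin the permissions absolutely with `mode: '0644'` (or `u=rw,g=r,o=r`). In the last task `enabled: yes` is a YAML 1.1 truthy value; `enabled: true` is the form ansible-lint and yamllint expect. `dest` is an alias on lineinfile; `path` is the documented argument name and reads more clearly next to the `path:` used elsewhere in the repo.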
diff --git a/roles/essential/tasks/atop.yml b/roles/essential/tasks/atop.yml
deleted file mode 100644
index 7617f68..0000000
--- a/roles/essential/tasks/atop.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-- name: Install atop
- ansible.builtin.package:
- name:
- - atop
- state: present
-
-- name: Setup per-minute atop snapshot
- ansible.builtin.lineinfile:
- dest: /etc/default/atop
- state: present
- regexp: '^#?LOGINTERVAL='
- line: 'LOGINTERVAL=60'
- owner: root
- group: root
- mode: u+rw,g+r,o+r
- notify:
- - Restart atop
-
-- name: Setup logrotate to save 7 days of logs for atop
- ansible.builtin.lineinfile:
- dest: /etc/default/atop
- state: present
- regexp: '^#?LOGGENERATIONS='
- line: 'LOGGENERATIONS=7'
- owner: root
- group: root
- mode: u+rw,g+r,o+r
- notify:
- - Restart atop
-
-- name: Enable atop systemd service and logrotate timer
- ansible.builtin.service:
- name: '{{ item }}'
- enabled: yes
- state: started
- loop:
- - atop
- - atop-rotate.timer
diff --git a/roles/essential/tasks/main.yml b/roles/essential/tasks/main.yml
deleted file mode 100644
index fbcf875..0000000
--- a/roles/essential/tasks/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-- ansible.builtin.import_tasks: roles/essential/tasks/packages.yml
-- ansible.builtin.import_tasks: roles/essential/tasks/users.yml
-- ansible.builtin.import_tasks: roles/essential/tasks/sudo.yml
-- ansible.builtin.import_tasks: roles/essential/tasks/atop.yml
diff --git a/roles/essential/tasks/sudo.yml b/roles/essential/tasks/sudo.yml
deleted file mode 100644
index e2d4861..0000000
--- a/roles/essential/tasks/sudo.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: Install sudo
- ansible.builtin.package:
- name:
- - sudo
- state: present
-
-- name: Allow wheel group to use sudo
- ansible.builtin.lineinfile:
- dest: /etc/sudoers
- state: present
- regexp: '^(# )?%wheel ALL=\(ALL:ALL\) NOPASSWD: ALL'
- line: '%wheel ALL=(ALL:ALL) NOPASSWD: ALL'
- validate: "visudo -cf %s"
- owner: root
- group: root
- mode: u+r,g+r,o-rwx
-
-- name: Use hard-coded PATH instead of the user's to find commands
- ansible.builtin.lineinfile:
- dest: /etc/sudoers
- state: present
- # Double quotes are important here if we want to break the line on multiple
- # lines, as escaping doesn't work with single quotes.
- regexp: "^(# )?Defaults secure_path=\"/usr/local/sbin:/usr/local/bin:\
- /usr/sbin:/usr/bin:/sbin:/bin\""
- line: "Defaults secure_path=\"/usr/local/sbin:/usr/local/bin:\
- /usr/sbin:/usr/bin:/sbin:/bin\""
- validate: "visudo -cf %s"
- owner: root
- group: root
- mode: u+r,g+r,o-rwx
diff --git a/roles/essential/tasks/users.yml b/roles/essential/tasks/users.yml
deleted file mode 100644
index 4749c44..0000000
--- a/roles/essential/tasks/users.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-- name: Remove default users
- ansible.builtin.user:
- name: '{{ item }}'
- state: absent
- loop:
- - arch
-
-- name: Create user for Dmitry Ilvokhin
- ansible.builtin.user:
- name: d
- home: /home/d
- groups:
- - wheel
-
-- name: Setup SSH directory for Dmitry Ilvokhin
- ansible.builtin.file:
- path: /home/d/.ssh
- state: directory
- owner: d
- group: d
- mode: u+rw,g-wx,o-rwx
-
-- name: Update authorized_keys for Dmitry Ilvokhin
- ansible.builtin.copy:
- src: roles/essential/files/id_rsa.pub
- dest: /home/d/.ssh/authorized_keys
- owner: d
- group: d
- mode: u+rw,g-rwx,o-rwx
diff --git a/roles/minimal/tasks/main.yml b/roles/minimal/tasks/main.yml
index e0f0390..ff85579 100644
--- a/roles/minimal/tasks/main.yml
+++ b/roles/minimal/tasks/main.yml
@@ -1,4 +1,4 @@
-- name: Install essential tools
+- name: Install minimal tools
 ansible.builtin.package:
 name:
 - vim
diff --git a/roles/sudo/tasks/main.yml b/roles/sudo/tasks/main.yml
new file mode 100644
index 0000000..e2d4861
--- /dev/null
+++ b/roles/sudo/tasks/main.yml
@@ -0,0 +1,31 @@
+- name: Install sudo
+ ansible.builtin.package:
+ name:
+ - sudo
+ state: present
+
+- name: Allow wheel group to use sudo
+ ansible.builtin.lineinfile:
+ dest: /etc/sudoers
+ state: present
+ regexp: '^(# )?%wheel ALL=\(ALL:ALL\) NOPASSWD: ALL'
+ line: '%wheel ALL=(ALL:ALL) NOPASSWD: ALL'
+ validate: "visudo -cf %s"
+ owner: root
+ group: root
+ mode: u+r,g+r,o-rwx
+
+- name: Use hard-coded PATH instead of the user's to find commands
+ ansible.builtin.lineinfile:
+ dest: /etc/sudoers
+ state: present
+ # Double quotes are important here if we want to break the line on multiple
+ # lines, as escaping doesn't work with single quotes.
+ regexp: "^(# )?Defaults secure_path=\"/usr/local/sbin:/usr/local/bin:\
+ /usr/sbin:/usr/bin:/sbin:/bin\""
+ line: "Defaults secure_path=\"/usr/local/sbin:/usr/local/bin:\
+ /usr/sbin:/usr/bin:/sbin:/bin\""
+ validate: "visudo -cf %s"
+ owner: root
+ group: root
+ mode: u+r,g+r,o-rwx
diff --git a/roles/users/files/id_rsa.pub b/roles/users/files/id_rsa.pub
new file mode 100644
index 0000000..e2df735
--- /dev/null
+++ b/roles/users/files/id_rsa.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5gs7lZUDZhw/8SNRHJTRq8b6KCrscYXkXb3Mtb4SNair4UYLUg4ME/gRgUxkRCJQaQtDbduZ6AUgDN7UN6o8a4jTD1t9H/SaZ9p84I5y8wXG7VJQsfYDKLUVY8+9M5mUIqKRQVcQnjf6SNs8caNFnOoDp+EeC5pVl1xa0VydIiEvKQMlCXf8zFivZE/Y8IUNv5UUM6pQRA7/yr+0ofxyRW0VfmcpzxXDwErOF+vgH4D6YUQsZ6F92OKzrg36PIz2Pbe2XqgTnv/52O5Qholulho9cmDsWjyB4is9lLcFM6gGD5W9PzjKL4iqDqWkt9I0lDQ+Y1qfsLLxdw2kcj8td d@ilvokhin.com
diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml
new file mode 100644
index 0000000..264ad28
--- /dev/null
+++ b/roles/users/tasks/main.yml
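Review bot: `mode: u+r,g+r,o-rwx` on both /etc/sudoers tasks in roles/sudo/tasks/main.yml is a relative mode: it adds read and strips the world bits but leaves any existing owner or group write bit untouched, so a sudoers that was not already 0440 stays writable, and sudo, which by default checks its policy file against 0440, will typically refuse it with a mode error (Arch ships 0440, so the gap only shows on other images or after a manual chmod). Make it absolute: `mode: '0440'`. The `%wheel ALL=(ALL:ALL) NOPASSWD: ALL` grant means every wheel member — here the single key-only user the users role creates — becomes root with no second check, so the SSH private key is effectively the root credential for every host; if that is the intended trade-off, record it above the task, e.g. `# NOPASSWD is deliberate: the admin account has no password, only an SSH key` (I infer the no-password state from the users role never setting one; confirm). A drop-in `/etc/sudoers.d/wheel` written with ansible.builtin.copy and the same `validate: "visudo -cf %s"` would also avoid regex-editing the distribution's sudoers in place.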
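Review bot: The key in roles/users/files/id_rsa.pub begins `AAAAB3NzaC1yc2EAAAADAQABAAABAQ`, which decodes to an RSA key with e=65537 and a 257-byte modulus, i.e. 2048-bit RSA; since the users role installs this single key as the only login credential for the wheel/NOPASSWD account, it is worth rotating to an ed25519 key (or at least 4096-bit RSA) while the file is being moved anyway. Naming the file after its owner and type, e.g. `d_ed25519.pub`, rather than the generic `id_rsa.pub` also makes future key additions and revocations greppable.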
@@ -0,0 +1,29 @@
+- name: Remove default users
+ ansible.builtin.user:
+ name: '{{ item }}'
+ state: absent
+ loop:
+ - arch
+
+- name: Create user for Dmitry Ilvokhin
+ ansible.builtin.user:
+ name: d
+ home: /home/d
+ groups:
+ - wheel
+
+- name: Setup SSH directory for Dmitry Ilvokhin
+ ansible.builtin.file:
+ path: /home/d/.ssh
+ state: directory
+ owner: d
+ group: d
+ mode: u+rw,g-wx,o-rwx
+
+- name: Update authorized_keys for Dmitry Ilvokhin
+ ansible.builtin.copy:
+ src: roles/users/files/id_rsa.pub
+ dest: /home/d/.ssh/authorized_keys
+ owner: d
+ group: d
+ mode: u+rw,g-rwx,o-rwx
-- cgit v1.2.3-70-g09d2
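Review bot: `mode: u+rw,g-wx,o-rwx` on the `/home/d/.ssh` directory task is relative and never sets the owner execute bit, so the final mode depends on whatever the directory had (or the umask gave it) at creation, and on a pre-existing directory the group read bit survives; sshd's StrictModes tolerates that, but the unambiguous setting is `mode: '0700'`, with `mode: '0600'` on the authorized_keys copy in place of `u+rw,g-rwx,o-rwx`. The `Remove default users` task uses `state: absent` without `remove: true`, so `/home/arch` — and any authorized_keys or shell history in it — stays on disk; add `remove: true` to the loop task. `src: roles/users/files/id_rsa.pub` is resolved relative to the playbook directory; inside a role, `src: id_rsa.pub` is found in the role's own files/ directory and keeps the role relocatable.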