From b009cf578734a74a15f80824c7107bc814be3913 Mon Sep 17 00:00:00 2001 
From: Christoph Date: Mon, 15 Jan 2024 01:08:11 +0100 Subject: [PATCH] update.. --- group_vars/all/main.yml | 61 +++++- group_vars/flr.yml | 71 +++++++ group_vars/mbr.yml | 7 + .../etc/security/limits.d/90-user-NOFILE.conf | 3 + roles/common/files/etc/sysctl.d/10-ddos.conf | 83 ++++++++ .../files/etc/sysctl.d/30-enable-ipv6.conf | 4 + .../common/files/etc/sysctl.d/50-dovecot.conf | 7 + roles/common/files/etc/sysctl.d/50-redis.conf | 30 +++ .../files/etc/sysctl.d/50-swappiness.conf | 1 + .../files/etc/sysctl.d/60-elasticsearch.conf | 8 + .../journald.conf.d/50-MaxFileSec.conf | 4 + .../journald.conf.d/50-SystemMaxFileSize.conf | 4 + .../journald.conf.d/50-SystemMaxUse.conf | 4 + .../system.conf.d/20-DefaultLimitCORE.conf | 4 + .../system.conf.d/20-DefaultLimitNOFILE.conf | 4 + .../system.conf.d/20-DefaultLimitNPROC.conf | 4 + .../system.conf.d/20-DefaultLimitRTPRIO.conf | 4 + .../system.conf.d/20-DefaultLimitRTTIME.conf | 4 + .../system.conf.d/20-DefaultTasksMax.conf | 4 + roles/common/handlers/main.yml | 5 + roles/common/tasks/basic.yml | 183 +++++++++++++++--- roles/common/tasks/systemd-resolved.yml | 8 +- .../apt/apt.conf.d/50unattended-upgrades.j2 | 17 ++ .../templates/etc/apt/listchanges.conf.j2 | 8 + 24 files changed, 501 insertions(+), 31 deletions(-) create mode 100644 roles/common/files/etc/security/limits.d/90-user-NOFILE.conf create mode 100644 roles/common/files/etc/sysctl.d/10-ddos.conf create mode 100644 roles/common/files/etc/sysctl.d/30-enable-ipv6.conf create mode 100644 roles/common/files/etc/sysctl.d/50-dovecot.conf create mode 100644 roles/common/files/etc/sysctl.d/50-redis.conf create mode 100644 roles/common/files/etc/sysctl.d/50-swappiness.conf create mode 100644 roles/common/files/etc/sysctl.d/60-elasticsearch.conf create mode 100644 roles/common/files/etc/systemd/journald.conf.d/50-MaxFileSec.conf create mode 100644 roles/common/files/etc/systemd/journald.conf.d/50-SystemMaxFileSize.conf create mode 100644 
roles/common/files/etc/systemd/journald.conf.d/50-SystemMaxUse.conf
create mode 100644 roles/common/files/etc/systemd/system.conf.d/20-DefaultLimitCORE.conf
create mode 100644 roles/common/files/etc/systemd/system.conf.d/20-DefaultLimitNOFILE.conf
create mode 100644 roles/common/files/etc/systemd/system.conf.d/20-DefaultLimitNPROC.conf
create mode 100644 roles/common/files/etc/systemd/system.conf.d/20-DefaultLimitRTPRIO.conf
create mode 100644 roles/common/files/etc/systemd/system.conf.d/20-DefaultLimitRTTIME.conf
create mode 100644 roles/common/files/etc/systemd/system.conf.d/20-DefaultTasksMax.conf
create mode 100644 roles/common/templates/etc/apt/apt.conf.d/50unattended-upgrades.j2
create mode 100644 roles/common/templates/etc/apt/listchanges.conf.j2
diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index 2658d02..153a5ca 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -34,7 +34,66 @@ locales: - en_US.UTF-8 - de_DE.UTF-8
-set_default_limit_nofile: false
+#copy_plain_files_security_limits: []
+copy_plain_files_security_limits:
+
+ # /etc/security/limits.d/*.conf
+ #
+ - name: 90-user-NOFILE.conf
+ src_path: etc/security/limits.d/90-user-NOFILE.conf
+ dest_path: /etc/security/limits.d/90-user-NOFILE.conf
+
+
+#copy_plain_files_systemd: []
+copy_plain_files_systemd:
+
+ # /etc/systemd/system.conf.d/*.conf
+ #
+ - name: DefaultLimitNOFILE
+ src_path: etc/systemd/system.conf.d/20-DefaultLimitNOFILE.conf
+ dest_path: /etc/systemd/system.conf.d/20-DefaultLimitNOFILE.conf
+
+ - name: DefaultTasksMax
+ src_path: etc/systemd/system.conf.d/20-DefaultTasksMax.conf
+ dest_path: /etc/systemd/system.conf.d/20-DefaultTasksMax.conf
+
+ - name: DefaultLimitCORE
+ src_path: etc/systemd/system.conf.d/20-DefaultLimitCORE.conf
+ dest_path: /etc/systemd/system.conf.d/20-DefaultLimitCORE.conf
+
+ - name: DefaultLimitNPROC
+ src_path: etc/systemd/system.conf.d/20-DefaultLimitNPROC.conf
+ dest_path: /etc/systemd/system.conf.d/20-DefaultLimitNPROC.conf
+
+ - name: DefaultLimitRTPRIO
+ src_path: etc/systemd/system.conf.d/20-DefaultLimitRTPRIO.conf
+ dest_path: /etc/systemd/system.conf.d/20-DefaultLimitRTPRIO.conf
+
+ - name: DefaultLimitRTTIME
+ src_path: etc/systemd/system.conf.d/20-DefaultLimitRTTIME.conf
+ dest_path: /etc/systemd/system.conf.d/20-DefaultLimitRTTIME.conf
+
+
+#copy_plain_files_journald: []
+copy_plain_files_journald:
+
+ - name: SystemMaxUse
+ src_path: etc/systemd/journald.conf.d/50-SystemMaxUse.conf
+ dest_path: /etc/systemd/journald.conf.d/50-SystemMaxUse.conf
+
+ - name: SystemMaxFileSize
+ src_path: etc/systemd/journald.conf.d/50-SystemMaxFileSize.conf
+ dest_path: /etc/systemd/journald.conf.d/50-SystemMaxFileSize.conf
+
+ - name: MaxFileSec
+ src_path: etc/systemd/journald.conf.d/50-MaxFileSec.conf
+ dest_path: /etc/systemd/journald.conf.d/50-MaxFileSec.conf
+
+
+
+#copy_plain_files_sysctl: []
+
+#set_default_limit_nofile: false
# ==========
diff --git a/group_vars/flr.yml b/group_vars/flr.yml
index 350fb36..dae5371 100644
--- a/group_vars/flr.yml
+++ b/group_vars/flr.yml
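Review bot: The seven `roles/common/files/etc/sysctl.d/*.conf` files added by this commit are never deployed as far as the patch shows: `copy_plain_files_sysctl` stays commented out here and basic.yml adds copy tasks only for the limits.d, system.conf.d and journald.conf.d lists. Either add the fourth list with a matching copy task (and a handler that runs `sysctl --system` on change) or leave the sysctl files out of this commit so the role does not carry unreferenced configuration. The commented-out `#copy_plain_files_*: []` lines read as the documented way to disable each group; a comment such as `# set to [] (or leave undefined) to skip this group of drop-ins` above the first list would make that explicit.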
@@ -17,6 +17,77 @@ sshd_permit_root_login: !!str "yes" # ==========
+# ---
+# vars used by roles/common/tasks/systemd-resolved.yml
+# ---
+
+systemd_resolved: true
+
+# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
+# Primäre DNS-Adresse: 38.132.106.139
+# Sekundäre DNS-Adresse: 194.187.251.67
+#
+# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
+# primäre DNS-Adresse
+# IPv4: 1.1.1.1
+# IPv6: 2606:4700:4700::1111
+# sekundäre DNS-Adresse
+# IPv4: 1.0.0.1
+# IPv6: 2606:4700:4700::1001
+#
+# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
+# primäre DNS-Adresse
+# IPv4: 8.8.8.8
+# IPv6: 2001:4860:4860::8888
+# sekundäre DNS-Adresse
+# IPv4: 8.8.4.4
+# IPv6: 2001:4860:4860::8844
+#
+# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
+# primäre DNS-Adresse
+# IPv4: 9.9.9.9
+# IPv6: 2620:fe::fe
+# sekundäre DNS-Adresse
+# IPv4: 149.112.112.112
+# IPv6: 2620:fe::9
+#
+# OpenNIC - https://www.opennic.org/
+# IPv4: 195.10.195.195 - ns31.de
+# IPv4: 94.16.114.254 - ns28.de
+# IPv4: 51.254.162.59 - ns9.de
+# IPv4: 194.36.144.87 - ns29.de
+# IPv6: 2a00:f826:8:2::195 - ns31.de
+#
+# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
+# IPv4: 5.1.66.255
+# IPv6: 2001:678:e68:f000::
+# Servername für DNS-over-TLS: dot.ffmuc.net
+# IPv4: 185.150.99.255
+# IPv6: 2001:678:ed0:f000::
+# Servername für DNS-over-TLS: dot.ffmuc.net
+# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
+resolved_nameserver:
+ - 192.168.102.1
+
+# search domains
+#
+# If there are more than one search domains, then specify them here in the order in which
+# the resolver should also search them
+#
+#resolved_domains: []
+resolved_domains:
+ - ~.
+ - flr.netz
+
+resolved_dnssec: false
+
+# dns.as250.net: 194.150.168.168
+#
+resolved_fallback_nameserver:
+ - 172.16.102.254
+
+
+
# ========== # vars used by roles/common/tasks/git.yml # ==========
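Review bot: `resolved_dnssec: false` switches off DNSSEC validation for every host in this group without saying why; a comment such as `# DNSSEC off: presumably the internal zone flr.netz is unsigned — confirm` keeps the trade-off visible to the next reader. The `- ~.` entry under `resolved_domains` is a systemd-resolved routing-only domain that makes this link's nameserver the default for all lookups, which deserves a comment beside the value because `~.` is easy to mistake for a typo. The forty-line catalogue of public resolvers above `resolved_nameserver` describes none of the configured values and will drift; a pointer to the role documentation would serve better than an inline list.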
diff --git a/group_vars/mbr.yml b/group_vars/mbr.yml
index 91e6d84..75d3e5c 100644
--- a/group_vars/mbr.yml
+++ b/group_vars/mbr.yml
@@ -454,6 +454,13 @@ nis_user: # is_samba_user: true # password: 'YZ_bgn_2020!'
+ - name: praktikum.bgn1
+ groups:
+ - all-users
+ - buero-scan
+ is_samba_user: true
+ password: 'MPL_baerin_20!'
+
- name: ulf.balmer groups: - all-users
diff --git a/roles/common/files/etc/security/limits.d/90-user-NOFILE.conf b/roles/common/files/etc/security/limits.d/90-user-NOFILE.conf
new file mode 100644
index 0000000..1249029
--- /dev/null
+++ b/roles/common/files/etc/security/limits.d/90-user-NOFILE.conf
@@ -0,0 +1,3 @@
+
+@staff hard nofile 1048576
+root hard nofile 1048576
diff --git a/roles/common/files/etc/sysctl.d/10-ddos.conf b/roles/common/files/etc/sysctl.d/10-ddos.conf
new file mode 100644
index 0000000..1bcde6e
--- /dev/null
+++ b/roles/common/files/etc/sysctl.d/10-ddos.conf
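Review bot: The new `praktikum.bgn1` entry stores the account's `password:` as a plain-text string in `group_vars/mbr.yml`, so the credential now sits in version control and in the commit history for everyone with read access to the repository. Keep the value as an `ansible-vault` encrypted string (`password: !vault |` followed by the ciphertext) or a lookup into a secret store, and treat the committed value as exposed and rotate it. The commented-out entry just above shows the same pattern already exists in this file, so the cleanup should cover the whole `nis_user` list rather than only this hunk.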
@@ -0,0 +1,83 @@
+# ==========
+# Anti-DDoS Kernel Settings
+# ==========
+
+# see:
+# https://javapipe.com/blog/iptables-ddos-protection/
+
+# These sysctl.conf settings help to maximize the performance of your server
+under DDoS as well as the effectiveness of the iptables rules that we’re going
+to provide in this guide.
+kernel.printk = 4 4 1 7
+kernel.panic = 10
+kernel.sysrq = 0
+kernel.shmmax = 4294967296
+#kernel.shmall = 4194304
+kernel.shmall = 134217728
+kernel.core_uses_pid = 1
+kernel.msgmnb = 65536
+kernel.msgmax = 65536
+vm.swappiness = 20
+vm.dirty_ratio = 80
+vm.dirty_background_ratio = 5
+fs.file-max = 2097152
+net.core.netdev_max_backlog = 262144
+net.core.rmem_default = 31457280
+net.core.rmem_max = 67108864
+net.core.wmem_default = 31457280
+net.core.wmem_max = 67108864
+net.core.somaxconn = 65535
+net.core.optmem_max = 25165824
+net.ipv4.neigh.default.gc_thresh1 = 4096
+net.ipv4.neigh.default.gc_thresh2 = 8192
+net.ipv4.neigh.default.gc_thresh3 = 16384
+net.ipv4.neigh.default.gc_interval = 5
+net.ipv4.neigh.default.gc_stale_time = 120
+net.netfilter.nf_conntrack_max = 10000000
+net.netfilter.nf_conntrack_tcp_loose = 0
+net.netfilter.nf_conntrack_tcp_timeout_established = 1800
+net.netfilter.nf_conntrack_tcp_timeout_close = 10
+net.netfilter.nf_conntrack_tcp_timeout_close_wait = 10
+net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 20
+net.netfilter.nf_conntrack_tcp_timeout_last_ack = 20
+net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 20
+net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 20
+net.netfilter.nf_conntrack_tcp_timeout_time_wait = 10
+net.ipv4.tcp_slow_start_after_idle = 0
+net.ipv4.ip_local_port_range = 1024 65000
+net.ipv4.ip_no_pmtu_disc = 1
+net.ipv4.route.flush = 1
+net.ipv4.route.max_size = 8048576
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+net.ipv4.tcp_congestion_control = htcp
+net.ipv4.tcp_mem = 65536 131072 262144
+net.ipv4.udp_mem = 65536 131072 262144
+net.ipv4.tcp_rmem = 4096 87380 33554432
+net.ipv4.udp_rmem_min = 16384
+net.ipv4.tcp_wmem = 4096 87380 33554432
+net.ipv4.udp_wmem_min = 16384
+net.ipv4.tcp_max_tw_buckets = 1440000
+net.ipv4.tcp_tw_recycle = 0
+net.ipv4.tcp_tw_reuse = 1
+net.ipv4.tcp_max_orphans = 400000
+net.ipv4.tcp_window_scaling = 1
+net.ipv4.tcp_rfc1337 = 1
+net.ipv4.tcp_syncookies = 1
+net.ipv4.tcp_synack_retries = 1
+net.ipv4.tcp_syn_retries = 2
+net.ipv4.tcp_max_syn_backlog = 16384
+net.ipv4.tcp_timestamps = 1
+net.ipv4.tcp_sack = 1
+net.ipv4.tcp_fack = 1
+net.ipv4.tcp_ecn = 2
+net.ipv4.tcp_fin_timeout = 10
+net.ipv4.tcp_keepalive_time = 600
+net.ipv4.tcp_keepalive_intvl = 60
+net.ipv4.tcp_keepalive_probes = 10
+net.ipv4.tcp_no_metrics_save = 1
+net.ipv4.ip_forward = 0
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.all.rp_filter = 1
diff --git a/roles/common/files/etc/sysctl.d/30-enable-ipv6.conf b/roles/common/files/etc/sysctl.d/30-enable-ipv6.conf
new file mode 100644
index 0000000..7ad2c64
--- /dev/null
+++ b/roles/common/files/etc/sysctl.d/30-enable-ipv6.conf
@@ -0,0 +1,4 @@
+
+# Enable packet forwarding for IPv6
+#
+net.ipv6.conf.all.forwarding = 1
diff --git a/roles/common/files/etc/sysctl.d/50-dovecot.conf b/roles/common/files/etc/sysctl.d/50-dovecot.conf
new file mode 100644
index 0000000..648a264
--- /dev/null
+++ b/roles/common/files/etc/sysctl.d/50-dovecot.conf
@@ -0,0 +1,7 @@
+# Setting need by mailserver (dovecot)
+# -
+# - Warning messages from dovecot:
+# - Warning: Inotify instance limit for user 5000 (UID vmail) exceeded, disabling.
+# - Increase /proc/sys/fs/inotify/max_user_instances
+# -
+fs.inotify.max_user_instances = 2048
diff --git a/roles/common/files/etc/sysctl.d/50-redis.conf b/roles/common/files/etc/sysctl.d/50-redis.conf
new file mode 100644
index 0000000..079096c
--- /dev/null
+++ b/roles/common/files/etc/sysctl.d/50-redis.conf
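Review bot: The comment continuation lines `under DDoS as well as ...` and `to provide in this guide.` carry no `#` prefix, so sysctl reports them as invalid lines on every load; 50-redis.conf in the next hunk has the same problem on the four lines wrapped from its two quoted warnings, and all of them need a `# ` in front. `net.ipv4.tcp_tw_recycle` was removed from the kernel in 4.12, so that line only produces an error on current systems and should be dropped, and the `net.netfilter.nf_conntrack_*` keys exist only once the nf_conntrack module is loaded, which systemd-sysctl does not guarantee at boot unless a modules-load.d entry precedes it. Hardening is set on `net.ipv4.conf.all.*` only; `net.ipv4.conf.default.*` and the IPv6 counterparts (`net.ipv6.conf.all.accept_redirects`, `net.ipv6.conf.all.accept_source_route`) stay at kernel defaults, so interfaces created later and IPv6 traffic are not covered. `vm.swappiness = 20` here is overridden by `vm.swappiness = 5` in 50-swappiness.conf because sysctl.d files apply in lexical order, which is worth a comment on one of the two lines.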
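Review bot: `net.ipv6.conf.all.forwarding = 1` turns every host that receives this drop-in into an IPv6 router, while 10-ddos.conf in the previous hunk sets `net.ipv4.ip_forward = 0`; the two files contradict each other on forwarding policy and nothing in the patch scopes either one to a group of hosts. A side effect worth documenting in the header comment: with forwarding enabled the kernel ignores Router Advertisements unless `net.ipv6.conf.all.accept_ra = 2` is set as well, so a host that gets its address and default route via SLAAC loses them. If forwarding is only needed on specific hosts, keep the file out of the common role or gate it through the inventory, and state in the comment which hosts are meant to forward.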
@@ -0,0 +1,30 @@
+# -----
+# Running Redis Service (on LX-Container)
+#
+# See also changes at file /etc/rc.local
+# -----
+
+# Got this warning on redis logfile at LX-Container
+#
+# # WARNING: The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn
+is set to the lower value of 128
+#
+net.core.somaxconn = 65535
+
+# Redis Server says:
+#
+# WARNING overcommit_memory is set to 0! Background save may fail under
+low memory condition. To fix this issue add 'vm.overcommit_memory = 1'
+to /etc/sysctl.conf and then reboot or run the command
+'sysctl vm.overcommit_memory=1' for this to take effect.
+vm.overcommit_memory = 1
+
+# increase Linux TCP buffer limits
+net.core.rmem_max = 67108864
+net.core.wmem_max = 67108864
+net.core.netdev_max_backlog = 262144
+
+# increase Linux autotuning TCP buffer limits
+# min, default, and max number of bytes to use
+net.ipv4.tcp_rmem = 4096 87380 33554432
+net.ipv4.tcp_wmem = 4096 87380 33554432
diff --git a/roles/common/files/etc/sysctl.d/50-swappiness.conf b/roles/common/files/etc/sysctl.d/50-swappiness.conf
new file mode 100644
index 0000000..95f8990
--- /dev/null
+++ b/roles/common/files/etc/sysctl.d/50-swappiness.conf
@@ -0,0 +1 @@
+vm.swappiness = 5
diff --git a/roles/common/files/etc/sysctl.d/60-elasticsearch.conf b/roles/common/files/etc/sysctl.d/60-elasticsearch.conf
new file mode 100644
index 0000000..7c197d5
--- /dev/null
+++ b/roles/common/files/etc/sysctl.d/60-elasticsearch.conf
@@ -0,0 +1,8 @@
+
+# Needed by ElasticSearch Installation on virtual guest
+# systems (LX-Containers)
+#
+# The error message there was:
+# max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
+#
+vm.max_map_count = 524288
diff --git a/roles/common/files/etc/systemd/journald.conf.d/50-MaxFileSec.conf b/roles/common/files/etc/systemd/journald.conf.d/50-MaxFileSec.conf
new file mode 100644
index 0000000..559c4ab
--- /dev/null
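Review bot: `vm.overcommit_memory = 1` disables the kernel's overcommit heuristic on every host that receives this file, not only on Redis hosts, and nothing in the patch scopes the file to a group; a header comment should say which hosts it is for, or the file should be gated through the inventory. The header refers to LX containers, but `vm.overcommit_memory` here and `vm.max_map_count` in 60-elasticsearch.conf are global kernel knobs rather than namespaced ones and can only be set on the container host — if the drop-ins are meant for the guests, confirm that and note it in the comment. The `net.core.rmem_max`, `net.core.wmem_max`, `net.core.netdev_max_backlog`, `net.ipv4.tcp_rmem` and `net.ipv4.tcp_wmem` values repeat 10-ddos.conf with identical numbers; a one-line comment naming the duplication prevents the two files from diverging silently later.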
+++ b/roles/common/files/etc/systemd/journald.conf.d/50-MaxFileSec.conf
@@ -0,0 +1,4 @@
+# Custom Values overrides '/etc/systemd/journald.conf'
+#
+[Journal]
+MaxFileSec=2day
diff --git a/roles/common/files/etc/systemd/journald.conf.d/50-SystemMaxFileSize.conf b/roles/common/files/etc/systemd/journald.conf.d/50-SystemMaxFileSize.conf
new file mode 100644
index 0000000..1c6b9aa
--- /dev/null
+++ b/roles/common/files/etc/systemd/journald.conf.d/50-SystemMaxFileSize.conf
@@ -0,0 +1,4 @@
+# Custom Values overrides '/etc/systemd/journald.conf'
+#
+[Journal]
+SystemMaxFileSize=10M
diff --git a/roles/common/files/etc/systemd/journald.conf.d/50-SystemMaxUse.conf b/roles/common/files/etc/systemd/journald.conf.d/50-SystemMaxUse.conf
new file mode 100644
index 0000000..1c99ee8
--- /dev/null
+++ b/roles/common/files/etc/systemd/journald.conf.d/50-SystemMaxUse.conf
@@ -0,0 +1,4 @@
+# Custom Values overrides '/etc/systemd/journald.conf'
+#
+[Journal]
+SystemMaxUse=100M
diff --git a/roles/common/files/etc/systemd/system.conf.d/20-DefaultLimitCORE.conf b/roles/common/files/etc/systemd/system.conf.d/20-DefaultLimitCORE.conf
new file mode 100644
index 0000000..b4641dd
--- /dev/null
+++ b/roles/common/files/etc/systemd/system.conf.d/20-DefaultLimitCORE.conf
@@ -0,0 +1,4 @@
+# Custom Values overrides '/etc/systemd/system.conf'
+#
+[Manager]
+DefaultLimitCORE=infinity
diff --git a/roles/common/files/etc/systemd/system.conf.d/20-DefaultLimitNOFILE.conf b/roles/common/files/etc/systemd/system.conf.d/20-DefaultLimitNOFILE.conf
new file mode 100644
index 0000000..29382df
--- /dev/null
+++ b/roles/common/files/etc/systemd/system.conf.d/20-DefaultLimitNOFILE.conf
@@ -0,0 +1,4 @@
+# Custom Values overrides '/etc/systemd/system.conf'
+#
+[Manager]
+DefaultLimitNOFILE=1048576
diff --git a/roles/common/files/etc/systemd/system.conf.d/20-DefaultLimitNPROC.conf b/roles/common/files/etc/systemd/system.conf.d/20-DefaultLimitNPROC.conf
new file mode 100644
index 0000000..d2ca1f5
--- /dev/null
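Review bot: `DefaultLimitCORE=infinity` raises the core-dump limit for every service on the host, and a core file of a daemon contains whatever the process held in memory (private keys, session tokens, passwords in flight), so this widens what lands on disk via `kernel.core_pattern` or systemd-coredump. Prefer `LimitCORE=` in a drop-in for the unit that is actually being debugged and leave the manager default alone, or add a comment to this file stating why host-wide dumps are wanted and how their storage is protected. The same consideration applies to `DefaultLimitRTPRIO=infinity` and `DefaultLimitRTTIME=infinity` in the following hunks, which let any service claim real-time scheduling; per-unit `LimitRTPRIO=` is the narrower setting.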
+++ b/roles/common/files/etc/systemd/system.conf.d/20-DefaultLimitNPROC.conf
@@ -0,0 +1,4 @@
+# Custom Values overrides '/etc/systemd/system.conf'
+#
+[Manager]
+DefaultLimitNPROC=65000
diff --git a/roles/common/files/etc/systemd/system.conf.d/20-DefaultLimitRTPRIO.conf b/roles/common/files/etc/systemd/system.conf.d/20-DefaultLimitRTPRIO.conf
new file mode 100644
index 0000000..e94ba47
--- /dev/null
+++ b/roles/common/files/etc/systemd/system.conf.d/20-DefaultLimitRTPRIO.conf
@@ -0,0 +1,4 @@
+# Custom Values overrides '/etc/systemd/system.conf'
+#
+[Manager]
+DefaultLimitRTPRIO=infinity
diff --git a/roles/common/files/etc/systemd/system.conf.d/20-DefaultLimitRTTIME.conf b/roles/common/files/etc/systemd/system.conf.d/20-DefaultLimitRTTIME.conf
new file mode 100644
index 0000000..3efce9d
--- /dev/null
+++ b/roles/common/files/etc/systemd/system.conf.d/20-DefaultLimitRTTIME.conf
@@ -0,0 +1,4 @@
+# Custom Values overrides '/etc/systemd/system.conf'
+#
+[Manager]
+DefaultLimitRTTIME=infinity
diff --git a/roles/common/files/etc/systemd/system.conf.d/20-DefaultTasksMax.conf b/roles/common/files/etc/systemd/system.conf.d/20-DefaultTasksMax.conf
new file mode 100644
index 0000000..b891e21
--- /dev/null
+++ b/roles/common/files/etc/systemd/system.conf.d/20-DefaultTasksMax.conf
@@ -0,0 +1,4 @@
+# Custom Values overrides '/etc/systemd/system.conf'
+#
+[Manager]
+DefaultTasksMax=65000
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 097b0c5..79957c0 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -62,6 +62,11 @@ when: - "groups['samba_server']|string is search(inventory_hostname)"
+- name: Restart systemd-journald
+ service:
+ name: systemd-journald
+ state: restarted
+
- name: Restart cups service:
diff --git a/roles/common/tasks/basic.yml b/roles/common/tasks/basic.yml
index cb57341..31bf3f3 100644
--- a/roles/common/tasks/basic.yml
+++ b/roles/common/tasks/basic.yml
@@ -28,53 +28,178 @@ - symlink-sh -- name: (basic.yml) Check file '/etc/systemd/system.conf' exists - stat: - path: /etc/systemd/system - register: etc_systemd_system_conf +# ---------- +# security limit (maybe DEPRECATED see systemd settings) +# ---------- + +- name: (basic.yml) Ensure directory '/etc/security/limits.d' exists + file: + path: /etc/security/limits.d + state: directory + mode: 0755 + group: root + owner: root when: - - set_default_limit_nofile|bool == true + - inventory_hostname in groups['file_server'] + - copy_plain_files_security_limits is defined + - copy_plain_files_security_limits|length > 0 + tags: + - systemd-config - -- name: (basic.yml) Change DefaultLimitNOFILE to 1048576 - lineinfile: - dest: /etc/systemd/system.conf - state: present - regexp: '^DefaultLimitNOFILE' - line: 'DefaultLimitNOFILE=1048576' - insertafter: '^#DefaultLimitNOFILE' +- name: (basic.yml) Ensure files /etc/security/limits.d/*.conf exists + copy: + src: '{{ item.src_path }}' + dest: '{{ item.dest_path }}' + owner: root + group: root + mode: '0644' + loop: "{{ copy_plain_files_security_limits }}" + loop_control: + label: 'dest: {{ item.name }}' when: - - set_default_limit_nofile|bool == true - - etc_systemd_system_conf.stat.exists == true + - inventory_hostname in groups['file_server'] + - copy_plain_files_security_limits is defined + - copy_plain_files_security_limits|length > 0 tags: - - systemd-nofiles + - systemd-config -- name: (basic.yml) Check file '/etc/security/limits.conf.ORIG' exists - stat: - path: /etc/security/limits.conf.ORIG - register: etc_security_limits_conf_ORIG +# ---------- +# systemd stuff +# ---------- + +- name: (basic.yml) Ensure directory '/etc/systemd/system.conf.d' exists + file: + path: /etc/systemd/system.conf.d + state: directory + mode: 0755 + group: root + owner: root + when: + - inventory_hostname in groups['file_server'] + - copy_plain_files_systemd is defined + - copy_plain_files_systemd|length > 0 tags: - - limits-conf + - 
systemd-config -- name: (basic.yml) Backup installation version of file '/etc/security/limits.conf' - command: cp -a /etc/security/limits.conf /etc/security/limits.conf.ORIG - when: etc_security_limits_conf_ORIG.stat.exists == False +- name: (basic.yml) Ensure files /etc/systemd/system.conf.d/*.conf exists + copy: + src: '{{ item.src_path }}' + dest: '{{ item.dest_path }}' + owner: root + group: root + mode: '0644' + loop: "{{ copy_plain_files_systemd }}" + loop_control: + label: 'dest: {{ item.name }}' + when: + - inventory_hostname in groups['file_server'] + - copy_plain_files_systemd is defined + - copy_plain_files_systemd|length > 0 tags: - - limits-conf + - systemd-config + +- name: (basic.yml) Ensure directory '/etc/systemd/journald.conf.d' exists + file: + path: /etc/systemd/journald.conf.d + state: directory + mode: 0755 + group: root + owner: root + when: + - copy_plain_files_journald is defined + - copy_plain_files_journald|length > 0 + tags: + - systemd-config + +- name: (basic.yml) Ensure files /etc/systemd/journald.conf.d/*.conf exists + copy: + src: '{{ item.src_path }}' + dest: '{{ item.dest_path }}' + owner: root + group: root + mode: '0644' + loop: "{{ copy_plain_files_journald }}" + loop_control: + label: 'dest: {{ item.name }}' + notify: "Restart systemd-journald" + when: + - copy_plain_files_journald is defined + - copy_plain_files_journald|length > 0 + tags: + - systemd-config -- name: (basic.yml) Create new sshd_config from template limits.conf.j2 +# ---------- +# unattended upgrades +# ---------- + +- name: (basic.yml) install unattended-upgrades + apt: pkg=unattended-upgrades state=present + when: + - ansible_facts['distribution'] == "Debian" + tags: + - unattended-upgrades + +- name: (basic.yml) install apt-listchanges + apt: pkg=apt-listchanges state=present + when: + - ansible_facts['distribution'] == "Debian" + tags: + - unattended-upgrades + +- name: (basic.yml) remove apticron + apt: pkg=apticron state=absent + when: + - 
ansible_facts['distribution'] == "Debian" + tags: + - unattended-upgrades + +- name: (basic.yml) check if /etc/apt/apt.conf.d/20auto-upgrades exists + stat: path=/etc/apt/apt.conf.d/20auto-upgrades + register: ua_enabled + when: + - ansible_facts['distribution'] == "Debian" + tags: + - unattended-upgrades + +- name: (basic.yml) activate unattended upgrades + shell: DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true dpkg-reconfigure -plow unattended-upgrades + when: + - ansible_facts['distribution'] == "Debian" + - ua_enabled.stat.exists == False + tags: + - unattended-upgrades + +- name: (basic.yml) copy apt-listchanges.conf template: - src: etc/security/limits.conf.j2 - dest: /etc/security/limits.conf + src: etc/apt/listchanges.conf.j2 + dest: /etc/apt/listchanges.conf owner: root group: root mode: 0644 + when: + - ansible_facts['distribution'] == "Debian" tags: - - limits-conf + - unattended-upgrades +- name: (basic.yml) copy unattended-upgrades conf + template: + src: etc/apt/apt.conf.d/50unattended-upgrades.j2 + dest: /etc/apt/apt.conf.d/50unattended-upgrades + backup: yes + owner: root + group: root + mode: 0644 + when: + - ansible_facts['distribution'] == "Debian" + tags: + - unattended-upgrades + + +# ---------- # - /etc/hosts +# ---------- - name: (basic.yml) Check file '/etc/hosts.ORIG' exists stat: diff --git a/roles/common/tasks/systemd-resolved.yml b/roles/common/tasks/systemd-resolved.yml index bc6504f..fc7062b 100644 --- a/roles/common/tasks/systemd-resolved.yml +++ b/roles/common/tasks/systemd-resolved.yml @@ -73,4 +73,10 @@ owner: root group: root mode: 0644 - notify: "Restart systemd-resolved" + +- name: Restart systemd-resolved service + ansible.builtin.service: + name: systemd-resolved + state: restarted + + diff --git a/roles/common/templates/etc/apt/apt.conf.d/50unattended-upgrades.j2 b/roles/common/templates/etc/apt/apt.conf.d/50unattended-upgrades.j2 new file mode 100644 index 0000000..5197090 --- /dev/null 
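Review bot: The limits.d and system.conf.d tasks are gated on `inventory_hostname in groups['file_server']` although their lists live in `group_vars/all/main.yml`, and the journald tasks run on every host; if that split is intended it needs a comment, and the membership test is safer written as `'file_server' in group_names`, which does not fail when the group is missing from an inventory. The unattended-upgrades activation runs `dpkg-reconfigure -plow unattended-upgrades` through `shell:` with no `changed_when`, guarded only by a `stat` on `20auto-upgrades`; templating `/etc/apt/apt.conf.d/20auto-upgrades` with `APT::Periodic::Update-Package-Lists "1";` and `APT::Periodic::Unattended-Upgrade "1";` is declarative, idempotent and reports change correctly. Style: the hunk mixes `mode: 0755` (unquoted octal, parsed by YAML as an integer) with `mode: '0644'`, and uses the `apt: pkg=... state=present` key=value form next to block-style tasks; quote every mode and write the apt tasks in block YAML. `ua_enabled.stat.exists == False` reads better as `not ua_enabled.stat.exists`. The task list continues past both ends of the hunk.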
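Review bot: Replacing `notify: "Restart systemd-resolved"` with an unconditional `Restart systemd-resolved service` task restarts the resolver on every play run, even when the template produced no change, which flushes its cache and drops lookups in flight each time the role is applied. Keep the handler if it is still defined in handlers/main.yml, or register the template result and gate the restart on it: `register: resolved_conf` on the template task and `when: resolved_conf.changed` on the restart task. The template task this restart belongs to starts before the hunk, so the `register` has to be added outside the visible lines. The new task uses `ansible.builtin.service` while the journald handler added in this commit uses bare `service:`; pick one form for the role.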
+++ b/roles/common/templates/etc/apt/apt.conf.d/50unattended-upgrades.j2
@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+
+Unattended-Upgrade::Origins-Pattern {
+ "origin=Debian,codename=${distro_codename},label=Debian";
+ "origin=Debian,codename=${distro_codename},label=Debian-Security";
+ "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
+ "origin=Debian,codename=${distro_codename}-updates";
+ "origin=Debian,codename=${distro_codename}-backports";
+};
+
+Unattended-Upgrade::Mail "root";
+
+Unattended-Upgrade::MinimalSteps "true";
+
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
diff --git a/roles/common/templates/etc/apt/listchanges.conf.j2 b/roles/common/templates/etc/apt/listchanges.conf.j2
new file mode 100644
index 0000000..1102a06
--- /dev/null
+++ b/roles/common/templates/etc/apt/listchanges.conf.j2
@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+[apt]
+frontend=mail
+email_address=root
+confirm=0
+save_seen=/var/lib/apt/listchanges.db
+which=both
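Review bot: The `Origins-Pattern` block includes `"origin=Debian,codename=${distro_codename}-backports";`, so packages from backports are upgraded unattended; backports track newer upstream releases rather than security fixes, and Debian's shipped template enables only the release and security origins, so an automatic backports upgrade can move a service to a new major version with nobody watching. Drop that line unless a specific package is wanted from backports, and in that case pin the package explicitly rather than opening the whole suite. With `Remove-Unused-Kernel-Packages "true"` and no `Unattended-Upgrade::Automatic-Reboot` setting, a host keeps running the old kernel until someone reboots it; make the decision explicit, e.g. `Unattended-Upgrade::Automatic-Reboot "false";` with a comment on how reboots are scheduled.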