Update requirements.yml

This commit is contained in:
Sangelo 2024-01-06 17:47:21 +01:00
parent 2f44ff08b0
commit c4578d646a
10 changed files with 1 additions and 228 deletions


@ -1,4 +1,4 @@
--- ---
collections: collections:
- name: community.general # - name: community.general
- name: ansible.posix - name: ansible.posix
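Review bot: The surviving `ansible.posix` entry carries no `version:` constraint, so `ansible-galaxy collection install -r requirements.yml` resolves to whatever is newest on Galaxy at install time, and hosts provisioned at different dates can run different collection code; for a manifest that installs the collection used to push root `authorized_keys`, that is a supply-chain gap worth closing. Pinning it, `- name: ansible.posix` followed by `  version: 'X.Y.Z'` (or a bounded range), makes the install reproducible; a `source:` key is only needed if a private Galaxy server is involved. Commenting out `community.general` instead of deleting the line also leaves a dead entry with no stated reason; either drop it or say why it was retired, e.g. `# community.general no longer needed: the ufw-based common_secure role was removed` — this commit's deletion of the `community.general.ufw` tasks suggests that is the reason, but the manifest itself does not say so.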


@ -1,10 +0,0 @@
- name: Run all common tasks
ansible.builtin.include_role:
name: '{{ common_role }}'
loop:
- 'common_secure'
# - 'common_mgmt'
- 'common_tools'
- 'common_tweaks'
loop_control:
loop_var: common_role


@ -1,16 +0,0 @@
# Make a full system upgrade (using apt-get full-upgrade)
common_full_upgrade: false
# Install and configure UFW Firewall on the system
common_firewall_enable: true
common_firewall_reject: false # reject all connections by default
common_firewall_ssh: true # allow ssh connections
common_firewall_https: false # allow https connections
common_firewall_http: false # allow http connections
# Configure SSH to only accept SSH Keys
common_ssh_configure: true
# This locks the root account *password*, but still allows SSH Key and sudo logins
# To unlock the password, set this to false.
common_lock_root: true


@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFg9CWMZHj6ksnVsxsZf/6sP6ae1kP2FSMPcfguYmXs1 contact@sangelo.space


@ -1,4 +0,0 @@
- name: restart ssh
ansible.builtin.service:
name: sshd
state: restarted


@ -1,99 +0,0 @@
---
# roles/common_secure/tasks/main.yml
- name: Upgrade system packages
ansible.builtin.apt:
update_cache: true
upgrade: full
when: common_full_upgrade
- name: Install UFW Firewall
ansible.builtin.apt:
name: ufw
# update_cache: true
state: present
when: common_firewall_enable
- name: Enable UFW
community.general.ufw:
state: enabled
logging: 'on'
when: common_firewall_enable
- name: Disable UFW Firewall
ansible.builtin.apt:
name: ufw
state: absent
when: not common_firewall_enable
- name: Reject incoming connections by default
community.general.ufw:
policy: reject
comment: 'Reject all by default'
when: common_firewall_reject and common_firewall_enable
- name: Allow SSH Connections
community.general.ufw:
rule: limit
port: ssh
proto: tcp
comment: 'Allow SSH'
when: common_firewall_ssh and common_firewall_enable
- name: Allow HTTPS Connections
community.general.ufw:
rule: allow
port: https
proto: tcp
comment: 'Allow HTTPS'
when: common_firewall_https and common_firewall_enable
- name: Allow HTTP Connections
community.general.ufw:
rule: allow
port: http
proto: tcp
comment: 'Allow HTTP'
when: common_firewall_http and common_firewall_enable
- name: Configure SSH to disallow passwords
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: "{{ ssh_config_entry.regexp }}"
line: "{{ ssh_config_entry.line }}"
state: present
loop:
- { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication no' }
loop_control:
loop_var: ssh_config_entry
notify: restart ssh
when: common_ssh_configure
- name: Add authorized ssh keys for root
ansible.posix.authorized_key:
user: root
state: present
key: "{{ lookup('file', ssh_key_file) }}"
loop: "{{ query('fileglob', '../files/*') }}"
loop_control:
loop_var: ssh_key_file
- name: Lock the root account
ansible.builtin.user:
name: root
password_lock: "{{ 'no' if common_lock_root is defined and not common_lock_root else 'yes' }}"
# - name: Configure SSH to disallow root login
# ansible.builtin.lineinfile:
# path: /etc/ssh/sshd_config
# regexp: '^PermitRootLogin'
# line: 'PermitRootLogin no'
# state: present
# notify: restart ssh
# when: common_ssh_configure
# - name: Disable root shell
# ansible.builtin.user:
# name: root
# shell: /usr/sbin/nologin
# when: common_disable_root


@ -1,9 +0,0 @@
---
# roles/common_tools/tasks/main.yml
- name: Install common tools
ansible.builtin.apt:
pkg:
- vim
- curl
update_cache: true
state: present


@ -1 +0,0 @@
proxmox_id: "'PLEASE SET IN ANSIBLE'"


@ -1,45 +0,0 @@
#!/bin/bash
source /etc/environment
# Function to get usage and colorize based on the percentage
get_usage_color() {
local usage=$1
if [ $usage -lt 60 ]; then
echo -e "\e[32m${usage}%\e[0m" # Dark Green for < 60%
elif [ $usage -lt 80 ]; then
echo -e "\e[92m${usage}%\e[0m" # Green for >= 60% and < 80%
elif [ $usage -lt 90 ]; then
echo -e "\e[93m${usage}%\e[0m" # Orange for >= 80% and < 90%
else
echo -e "\e[91m${usage}%\e[0m" # Red for >= 90%
fi
}
echo "===================="
# Hostname
echo "Connecting to: $(hostname) ($PROXMOX_ID)"
# CPU Usage
cpu_usage=$(grep 'cpu ' /proc/stat | awk '{usage=($2+$4)*100/($2+$4+$5)} END {print usage}')
cpu_color=$(get_usage_color ${cpu_usage%.*})
echo "CPU Usage: $cpu_color"
# RAM Usage
ram_usage=$(free | grep Mem | awk '{print $3/$2 * 100.0}')
ram_color=$(get_usage_color ${ram_usage%.*})
echo "RAM Usage: $ram_color"
# Disk Usage
disk_usage=$(df -h / | awk 'NR==2 {print $5}' | sed 's/%//g')
disk_color=$(get_usage_color $disk_usage)
echo "Disk Usage: $disk_color"
# Swap Usage
swap_usage=$(free | grep Swap | awk '{print $3/$2 * 100.0}')
swap_color=$(get_usage_color ${swap_usage%.*})
echo "Swap Usage: $swap_color"
echo -e "====================
"


@ -1,42 +0,0 @@
---
# roles/common_tweaks/tasks/main.yml
- name: Find existing files in /etc/update-motd.d
ansible.builtin.find:
paths: /etc/update-motd.d
register: files_to_remove
- name: Remove other files in /etc/update-motd.d
ansible.builtin.file:
path: "{{ item.path }}"
state: absent
with_items: "{{ files_to_remove.files }}"
when: item.path != '/etc/update-motd.d/01-motd'
- name: Copy 01-motd to /etc/update-motd.d on remote host
ansible.builtin.copy:
src: ../files/etc/update-motd.d/01-motd
dest: /etc/update-motd.d/01-motd
mode: '0755'
- name: Ensure /etc/motd is empty
ansible.builtin.copy:
content: ''
dest: /etc/motd
mode: '0644'
- name: Add Proxmox-ID to /etc/environment ({{ proxmox_id }})
ansible.builtin.lineinfile:
path: /etc/environment
regexp: '^PROXMOX_ID='
line: 'PROXMOX_ID={{ proxmox_id }}'
create: yes
state: present
- name: Add a warning comment
ansible.builtin.lineinfile:
path: /etc/environment
insertbefore: "^PROXMOX_ID="
line: "# Do not change the line below - it is set by Ansible"
create: yes
state: present