8025-awxRefactor-debianBootStrap #30

Merged
juan merged 37 commits from 8025-awxRefactor-debianBootStrap into main 2024-10-16 14:49:33 +00:00
36 changed files with 281 additions and 168 deletions

.gitignore vendored

@ -2,5 +2,6 @@
.vault-pass .vault-pass
.vault.yml .vault.yml
.passbolt.yml .passbolt.yml
inventories/local

Esta linea está repetida

Esta linea está repetida
venv venv
inventories/local inventories/local


@ -12,7 +12,6 @@ main_dns_server: ns1.domain.local
ldap_uri: ldap://ldap.domain.local ldap_uri: ldap://ldap.domain.local
ldap_base: dc=domain,dc=local ldap_base: dc=domain,dc=local
dc_net: "10.0.0.0/16" dc_net: "10.0.0.0/16"
resolv_domain: domain.local
resolvers: resolvers:
- '8.8.8.8' - '8.8.8.8'
- '8.8.4.4' - '8.8.4.4'


@ -1,11 +1,11 @@
- name: Configure base Debian host - name: Configure base Debian host
hosts: all hosts: all
tasks: tasks:
- name: Configure virtual machine or host - name: Configure virtual machine or host (not LXC)
import_role: import_role:
name: debian-host name: debian-host
when: ansible_virtualization_role == 'host' or ansible_virtualization_type == 'kvm' when: ansible_virtualization_role == 'host' or ansible_virtualization_type == 'kvm'
- name: Configure base system - name: Configure base system (all)
import_role: import_role:
name: debian-base name: debian-base
- name: Configure guest - name: Configure guest
@ -15,4 +15,4 @@
- name: Configure virtual machine - name: Configure virtual machine
import_role: import_role:
name: debian-qemu name: debian-qemu
when: ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'kvm' when: ansible_virtualization_type == 'kvm'
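Review bot: Dropping `ansible_virtualization_role == 'guest'` from the debian-qemu condition on the last line makes that role apply to KVM hypervisors as well, because on such machines `ansible_virtualization_type` is also `kvm`, and the debian-host condition above already matches them through `ansible_virtualization_role == 'host'`. Unless the guest role is meant to run on hosts too, keep the role check: `when: ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'kvm'`. The play's task list continues between the two hunks shown.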


@ -5,3 +5,55 @@ fail2ban:
bantime: 600 bantime: 600
maxretry: 4 maxretry: 4
ignore: "127.0.0.0/8 {{ dc_net }}" ignore: "127.0.0.0/8 {{ dc_net }}"
logpath: "/var/log/auth.log"
fail2ban_base_packages:
- fail2ban
- rsyslog
vn_host:
url: http://apt.verdnatura.es/pool/main/v/vn-host
package: vn-host_2.0.2_all.deb
name: vn-host
time_server_spain: ntp.roa.es
nagios_packages:
- nagios-nrpe-server
- nagios-plugins-contrib
- monitoring-plugins-basic
base_packages:
- htop
- psmisc
- bash-completion
- screen
- aptitude
- tree
- btop
- ncdu
- debconf-utils
- net-tools
locales_present:
- en_US.UTF-8
- es_ES.UTF-8
master_cert_content: |
-----BEGIN CERTIFICATE-----
MIID6zCCAtOgAwIBAgIUDwR1QkWYb73hAeNnphytR1tGE0swDQYJKoZIhvcNAQEL
BQAwgYQxCzAJBgNVBAYTAkVTMQ4wDAYDVQQIDAVTcGFpbjERMA8GA1UEBwwIVmFs
ZW5jaWExHjAcBgNVBAoMFVZlcmRuYXR1cmEgTGV2YW50ZSBTTDETMBEGA1UECwwK
TWFzdGVyIEtleTEdMBsGA1UEAwwUYmFjdWxhLnZlcmRuYXR1cmEuZXMwHhcNMjMx
MDAxMTc1MzQyWhcNMzMwOTI4MTc1MzQyWjCBhDELMAkGA1UEBhMCRVMxDjAMBgNV
BAgMBVNwYWluMREwDwYDVQQHDAhWYWxlbmNpYTEeMBwGA1UECgwVVmVyZG5hdHVy
YSBMZXZhbnRlIFNMMRMwEQYDVQQLDApNYXN0ZXIgS2V5MR0wGwYDVQQDDBRiYWN1
bGEudmVyZG5hdHVyYS5lczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJr2D9thvNVxmMyNO8wvFYZJeWLyc8RcNfjiKaY53RadMgXgsiAl4BlSNxc9ngqA
2z7ef4SK50pU9Pl6w1Ljua4lFnZqW9Ow6J9nT6wbdkkuilVoao+0wZBQCX19ToJg
LtgJ00KU2SH7KCi+mYdEY1oW/BsZy+QTJ6HYbOOjb/yISUp4crGE5h+vph1tyhC1
Vfj17wACmFjtZ52cQMWyQRT3kSrxTp4Y+xAsFUE9lTQaoBQ5XcRO5tmDnxEVKZIR
B5ZNatpY8em4CFUQ2B+9XPoXYY3KAzAh8U7fEqcZQ8x44LTVZjHvjXOlHwrcgYoh
P0Rbtv7uRbGBn9EviFW6lrUCAwEAAaNTMFEwHQYDVR0OBBYEFM1UYUBPXj82hm+W
UCXVSisi4bv6MB8GA1UdIwQYMBaAFM1UYUBPXj82hm+WUCXVSisi4bv6MA8GA1Ud
EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAC2gpGcsT2v2OfdxMaL9oI+B
EqHPrNM4UblRCyLF21JCEhYg3Ow9lseO3ObMz/cOJGsMgrvipUgxUNDuS+DpyG5E
tKO6895t30TIjICm9udVTyNzC3SyyP/kojNqA9mU8QU+fRdale+ruAJ/A0nbmP/v
uETeqHg49PfH98ce2pMpIiIm+UyvLDjH6KMcnt7KlxtSMxAD9ihK19M7m0CKL3PL
iNu7ZG2Ke7ai4wkIKiUpugWK/f2bXNY36/HJeoN9cKrfVQzh6jsoplj5qc7GtzQK
vbLOVOOXArPis1naT1aW5s/At2NaNpA3a9HjauzZgfIiU+ekIWEccU0OyRGxCGA=
-----END CERTIFICATE-----
vn_witness: false

Esto no puede ir directamente en la tarea que genera el fichero?

Esto no puede ir directamente en la tarea que genera el fichero?


@ -1,8 +0,0 @@
#!/bin/bash
echo 'tzdata tzdata/Areas select Europe' | debconf-set-selections
echo 'tzdata tzdata/Zones/Europe select Madrid' | debconf-set-selections
echo 'tzdata tzdata/Zones/Etc select UTC' | debconf-set-selections
rm /etc/timezone
rm /etc/localtime
dpkg-reconfigure -f noninteractive tzdata


@ -1,21 +1,26 @@
- name: restart-timesyncd - name: restart systemd-timesyncd
service: systemd:
name: systemd-timesyncd name: systemd-timesyncd
state: restarted state: restarted
- name: restart-exim
service:
name: exim4
state: restarted
- name: restart-ssh - name: restart-ssh
service: systemd:
name: ssh name: ssh
state: restarted state: restarted
- name: restart-fail2ban - name: restart fail2ban
service: systemd:
name: fail2ban name: fail2ban
state: restarted state: restarted
- name: restart-nrpe - name: restart-nrpe
service: systemd:
name: nagios-nrpe-server name: nagios-nrpe-server
state: restarted state: restarted
- name: restart sshd
systemd:
name: sshd
state: restarted
- name: generate locales
command: /usr/sbin/locale-gen
- name: reconfigure tzdata
command: dpkg-reconfigure -f noninteractive tzdata
- name: update exim configuration
command: /usr/sbin/update-exim4.conf
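Review bot: `restart-ssh` (unit `ssh`) and the new `restart sshd` (unit `sshd`) restart the same daemon under two names, so every future `notify:` has to guess which one to use; keep a single handler, e.g. `- name: restart sshd` with `name: ssh`, and point fail2ban.yml and ssh.yml at it. Handler names now also mix hyphens and spaces (`restart-nrpe`, `restart-ssh` next to `restart fail2ban`, `restart systemd-timesyncd`); pick one convention for the file.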


@ -2,19 +2,49 @@
apt: apt:
name: bacula-fd name: bacula-fd
state: present state: present
- name: Load Bacula default passwords - name: Read content file in base64
slurp: slurp:
src: /etc/bacula/common_default_passwords src: /etc/bacula/common_default_passwords
register: bacula_passwords register: file_content
- name: Going to text plane
set_fact:
file_content_decoded: "{{ file_content.content | b64decode }}"
- name: Extracting passwords
set_fact:
passwords: "{{ file_content_decoded.splitlines() | select('match', '^[^#]') | map('regex_replace', '^([^=]+)=(.+)$', '\\1:\\2') | list }}"
- name: Initialize password dictionary
set_fact:
bacula_passwords: {}
- name: Convert lines to individual variables generating a new dict
set_fact:
bacula_passwords: "{{ bacula_passwords | combine({item.split(':')[0].lower(): item.split(':')[1] | regex_replace('\\n$', '') }) }}"
loop: "{{ passwords }}"
when: "'FDPASSWD' in item or 'FDMPASSWD' in item"
- name: Configure Bacula FD - name: Configure Bacula FD
template: template:
src: bacula-fd.conf src: bacula-fd.conf
dest: /etc/bacula/bacula-fd.conf dest: /etc/bacula/bacula-fd.conf
owner: root owner: root
group: bacula group: bacula
mode: '0640' mode: u=rw,g=r,o=
backup: true backup: true
register: bacula_config
- name: Configure master cert
copy:
content: "{{ master_cert_content }}"
dest: /etc/bacula/master-cert.pem
owner: root
group: root
mode: u=rw,g=r,o=r
- name: Configure master cert
copy:
content: "{{ lookup(passbolt, 'fd-cert.pem', folder_parent_id=passbolt_folder).description }}"
dest: /etc/bacula/fd-cert.pem
owner: root
group: bacula
mode: u=rw,g=r,o=
- name: Restart Bacula FD service - name: Restart Bacula FD service
service: service:
name: bacula-fd name: bacula-fd
state: restarted state: restarted
when: bacula_config.changed
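Review bot: The tasks from `Going to text plane` through `Convert lines to individual variables generating a new dict` carry the Bacula director passwords as facts and loop items, so a verbose run or a failing task prints them to the console and to any log shipper; add `no_log: true` to each of those tasks (the `loop` task echoes every `item`). The restart on the last line is gated only on `bacula_config.changed`, so a changed master-cert.pem or fd-cert.pem never restarts bacula-fd; register those two copy tasks as well, or have all three notify one handler. The two copy tasks share the name `Configure master cert`; the second installs the FD certificate from passbolt and its name should say so.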


@ -1,15 +1,32 @@
- name: Install fail2ban packages - name: Install fail2ban and rsyslog packages
apt: apt:
name: fail2ban name: "{{ fail2ban_base_packages }}"
state: present state: present
loop: - name: Configure sshd_config settings
- fail2ban copy:
- rsyslog dest: /etc/ssh/sshd_config.d/vn-fail2ban.conf
content: |
# Do not edit this file! Ansible will overwrite it.
SyslogFacility AUTH
owner: root
group: root
mode: u=rw,g=r,o=r
notify: restart sshd
- name: Configure fail2ban service - name: Configure fail2ban service
template: template:
src: jail.local src: jail.local
dest: /etc/fail2ban/jail.local dest: /etc/fail2ban/jail.local
owner: root owner: root
group: root group: root
mode: '0644' mode: u=rw,g=r,o=r
notify: restart-fail2ban notify: restart fail2ban
register: jail
- name: Ensure file for auth sshd custom log exists
file:
path: /var/log/auth.log
state: touch
owner: root
group: adm
mode: u=rw,g=r,o=
when: jail.changed
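Review bot: The last task only touches `/var/log/auth.log` when jail.local changed, so on a host whose jail.local is already current but whose auth.log is missing (rsyslog freshly installed, nothing logged yet) fail2ban still starts with an absent logpath; run the task unconditionally and keep it idempotent with `modification_time: preserve` and `access_time: preserve` in place of the `when: jail.changed` guard. This drop-in and the one in ssh.yml both rely on sshd_config containing `Include /etc/ssh/sshd_config.d/*.conf`, which recent Debian releases ship by default; if older hosts are in scope, a comment on the task or a pre-check would save a silent no-op.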


@ -1,10 +1,4 @@
- name: Install base packages - name: Install base packages
apt: apt:
name: "{{ item }}" name: "{{ base_packages }}"
state: present state: present
with_items:
- htop
- psmisc
- bash-completion
- screen
- aptitude


@ -1,15 +1,6 @@
- name: Enable locale languages - name: make sure locales in variable are generated
lineinfile: locale_gen:
dest: /etc/locale.gen name: "{{ item }}"
regexp: "{{item.regexp}}"
line: "{{item.line}}"
state: present state: present
with_items: with_items: "{{ locales_present }}"
- regexp: "^# es_ES.UTF-8 UTF-8" notify: generate locales
line: "es_ES.UTF-8 UTF-8"
- regexp: "^# en_US.UTF-8 UTF-8"
line: "en_US.UTF-8 UTF-8"
- name: Generate locale
command: locale-gen
- name: Update locale
command: update-locale LANG=en_US.UTF-8
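Review bot: `locale_gen` here and `openssh_keypair` in ssh.yml come from the community.general and community.crypto collections rather than ansible-core, so this change adds collection dependencies that should be declared (requirements.yml or the role's meta) — presumably they are already present on the controller. The removed `update-locale LANG=en_US.UTF-8` step was what wrote the default system locale to `/etc/default/locale`; generating a locale does not select it, so if that default is still wanted an equivalent task is needed. The `generate locales` handler notified here duplicates what the module already did, so it can be dropped together with the `notify:` line.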


@ -1,3 +1,11 @@
- import_tasks: witness.yml
tags: witness
- import_tasks: resolv.yml
tags: resolv
- import_tasks: timesync.yml
tags: timesync
- import_tasks: ssh.yml
tags: ssh
- import_tasks: defuser.yml - import_tasks: defuser.yml
tags: defuser tags: defuser
- import_tasks: install.yml - import_tasks: install.yml
@ -16,3 +24,9 @@
tags: vim tags: vim
- import_tasks: nrpe.yml - import_tasks: nrpe.yml
tags: nrpe tags: nrpe
- import_tasks: fail2ban.yml
tags: fail2ban
- import_tasks: bacula.yml
tags: bacula
- import_tasks: vn-repo.yml
tags: vn-repo


@ -2,6 +2,6 @@
copy: copy:
src: motd src: motd
dest: /etc/update-motd.d/90-vn dest: /etc/update-motd.d/90-vn
mode: '755' mode: u=rwx,g=rx,o=rx
owner: root owner: root
group: root group: root


@ -1,10 +1,8 @@
- name: Install NRPE packages - name: Install NRPE packages
apt: apt:
name: "{{ item }}" name: "{{ nagios_packages }}"
state: present state: present
loop: install_recommends: no
- nagios-nrpe-server
- nagios-plugins-contrib
- name: Set NRPE generic configuration - name: Set NRPE generic configuration
template: template:
src: nrpe.cfg src: nrpe.cfg
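Review bot: `install_recommends: no` uses a YAML 1.1 boolean spelling while the new lines elsewhere use canonical values; write `install_recommends: false` so yamllint's truthy rule stays quiet and the value does not depend on the parser's YAML version. The same applies to `create: yes` in the exim task, `force: yes` in ssh.yml, `enabled: yes` in timesync.yml and `enabled: no` / `masked: yes` in the AppArmor tasks. The template task on the last lines continues past the hunk.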


@ -2,6 +2,6 @@
copy: copy:
src: profile.sh src: profile.sh
dest: /etc/profile.d/vn.sh dest: /etc/profile.d/vn.sh
mode: '644' mode: u=rw,g=r,o=r
owner: root owner: root
group: root group: root


@ -3,46 +3,27 @@
name: exim4 name: exim4
state: present state: present
- name: Prepare exim configuration - name: Prepare exim configuration
lineinfile: blockinfile:
dest: /etc/exim4/update-exim4.conf.conf path: /etc/exim4/update-exim4.conf.conf
regexp: "{{ item.regexp }}" marker_begin: '--- BEGIN VN ---'
line: "{{ item.line }}" marker_end: '--- END VN ---'
marker: "# {mark}"
block: |
dc_eximconfig_configtype='satellite'
dc_other_hostnames='{{ ansible_fqdn }}'
dc_local_interfaces='127.0.0.1'
dc_readhost='{{ ansible_fqdn }}'
dc_smarthost='{{ smtp_server }}'
dc_hide_mailname='true'
state: present state: present
mode: 0644 create: yes
with_items: mode: u=rw,g=r,o=r
- regexp: '^dc_eximconfig_configtype' notify: update exim configuration
line: "dc_eximconfig_configtype='satellite'"
- regexp: '^dc_other_hostnames'
line: "dc_other_hostnames='{{ ansible_fqdn }}'"
- regexp: '^dc_local_interfaces'
line: "dc_local_interfaces='127.0.0.1'"
- regexp: '^dc_readhost'
line: "dc_readhost='{{ ansible_fqdn }}'"
- regexp: '^dc_relay_domains'
line: "dc_relay_domains=''"
- regexp: '^dc_minimaldns'
line: "dc_minimaldns='false'"
- regexp: '^dc_relay_nets'
line: "dc_relay_nets=''"
- regexp: '^dc_smarthost'
line: "dc_smarthost='{{ smtp_server }}'"
- regexp: '^CFILEMODE'
line: "CFILEMODE='644'"
- regexp: '^dc_use_split_config'
line: "dc_use_split_config='false'"
- regexp: '^dc_hide_mailname'
line: "dc_hide_mailname='true'"
- regexp: '^dc_mailname_in_oh'
line: "dc_mailname_in_oh='true'"
- regexp: '^dc_localdelivery'
line: "dc_localdelivery='mail_spool'"
notify: restart-exim
register: exim_config register: exim_config
- name: Update exim configuration - name: Force execution of handlers immediately
command: update-exim4.conf meta: flush_handlers
when: exim_config.changed
- name: Sending mail to verify relay host configuration works - name: Sending mail to verify relay host configuration works
shell: > shell: >
echo "If you see this message, relayhost on {{ ansible_fqdn }} has been configured correctly." \ sleep 2; echo "If you see this message, relayhost on {{ ansible_fqdn }} has been configured correctly." \
| mailx -s "Relayhost test for {{ ansible_fqdn }}" "{{ sysadmin_mail }}" | mailx -s "Relayhost test for {{ ansible_fqdn }}" "{{ sysadmin_mail }}"
when: exim_config.changed when: exim_config.changed
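Review bot: The old `restart-exim` handler is deleted and nothing in the new flow restarts or reloads exim4 after `update exim configuration` regenerates the configuration, so an already-running daemon keeps its previous settings until something else restarts it; the test mail goes through `mailx` and the sendmail path, which reads the configuration afresh, so it can pass regardless — please confirm on a running host. Add a `reload exim4` handler (`systemd` with `state: reloaded`) and notify both from the blockinfile task, which also removes the need for the `sleep 2;` prefix on the test command. Appending a block leaves the package's earlier `dc_*` assignments in the file; presumably that works because update-exim4.conf sources the file as shell and the last assignment wins, which deserves a comment above `block:`.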


@ -0,0 +1,22 @@
- name: Check if DNS is already configured
stat:
path: /etc/resolv.conf
register: resolv_conf
- name: Read /etc/resolv.conf
slurp:
path: /etc/resolv.conf
register: resolv_conf_content
when: resolv_conf.stat.exists
- name: Check if DNS servers are already present
set_fact:
dns_configured: "{{ resolv_conf_content['content'] | b64decode | regex_search('^nameserver') is not none }}"
when: resolv_conf.stat.exists
- name: Apply resolv.conf template only if DNS is not configured
template:
src: templates/resolv.conf
dest: /etc/resolv.conf
owner: root
group: root
mode: u=rw,g=r,o=r
backup: true
when: not resolv_conf.stat.exists or not dns_configured
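Review bot: `regex_search('^nameserver')` in `Check if DNS servers are already present` is anchored to the start of the whole file, so it only detects a nameserver on the first line; a resolv.conf that begins with `domain` or `search` (exactly what templates/resolv.conf produces) yields `dns_configured: false` and the template is applied again, overwriting a file that may be hand-edited or owned by another tool. Use `regex_search('^nameserver', multiline=True)`. Note also that the guard never corrects wrong resolvers on hosts that already have any nameserver line, which looks intended but deserves a comment on the task.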


@ -0,0 +1,22 @@
- name: Generate SSH key pairs
openssh_keypair:
path: "/etc/ssh/ssh_host_{{ item.type }}_key"
type: "{{ item.type }}"
force: yes
when: vn_witness

Primero borrar y luego generar, generar todos los tipos de clave

Primero borrar y luego generar, generar todos los tipos de clave
loop:
- { type: 'rsa' }
- { type: 'ecdsa' }
- { type: 'ed25519' }
notify: restart sshd
- name: Configure sshd_config settings
copy:
dest: /etc/ssh/sshd_config.d/vn-listenipv4.conf
content: |
# Do not edit this file! Ansible will overwrite it.
ListenAddress 0.0.0.0

Esto lo pondría en la tarea de fail2ban

Esto lo pondría en la tarea de fail2ban
owner: root
group: root
mode: u=rw,g=r,o=r
notify: restart sshd
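Review bot: The generated host private keys keep whatever mode `ssh-keygen` applies, while the rest of this change spells permissions out explicitly; an explicit `mode: u=rw,g=,o=` on the keypair task documents the intent and guarantees it when `force: yes` overwrites an existing file whose mode was already wrong. The loop items carry only `type`, so `loop: [rsa, ecdsa, ed25519]` with `{{ item }}` reads cleaner than single-key mappings. The ListenAddress drop-in restricts sshd to IPv4; a short comment in the file content saying why (the name `vn-listenipv4` says what) would help the next reader.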


@ -1,21 +1,23 @@
- name: Configure /etc/systemd/timesyncd.conf - name: Ensure directory for timesyncd custom configuration exists
lineinfile: file:
path: /etc/systemd/timesyncd.conf path: /etc/systemd/timesyncd.conf.d/
regexp: '^#NTP' state: directory
line: "NTP={{ time_server }}"
owner: root owner: root
group: root group: root
mode: '0644' mode: u=rwx,g=rx,o=rx
- name: Configure /etc/systemd/timesyncd.conf - name: Configure NTP settings in /etc/systemd/timesyncd.conf.d/vn-ntp.conf
lineinfile: copy:
path: /etc/systemd/timesyncd.conf dest: /etc/systemd/timesyncd.conf.d/vn-ntp.conf
regexp: '^#?FallbackNTP=' content: |
line: "FallbackNTP=ntp.roa.es" [Time]
NTP={{ time_server }}
FallbackNTP={{ time_server_spain }}
owner: root owner: root
group: root group: root
mode: '0644' mode: u=rw,g=r,o=r
notify: restart systemd-timesyncd notify: restart systemd-timesyncd
- name: Service should start on boot - name: Ensure systemd-timesyncd service is enabled and started
service: service:
name: systemd-timesyncd name: systemd-timesyncd
enabled: yes enabled: yes
state: started


@ -1,2 +1,11 @@
- name: Configure the time zone - name: Configure debconf for tzdata
script: set-timezone.sh debconf:
name: tzdata
question: "{{ item.question }}"
value: "{{ item.value }}"
vtype: "string"
loop:
- { question: "tzdata/Areas", value: "Europe" }
- { question: "tzdata/Zones/Europe", value: "Madrid" }
- { question: "tzdata/Zones/Etc", value: "UTC" }
notify: reconfigure tzdata
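Review bot: Preseeding `tzdata/Areas` and `tzdata/Zones/Europe` and then running `dpkg-reconfigure -f noninteractive tzdata` may not change the zone on current Debian releases, where tzdata's config script prefers the existing `/etc/localtime` over the debconf answers — presumably that is why the deleted set-timezone.sh removed `/etc/timezone` and `/etc/localtime` first; please verify on a host whose zone differs from Europe/Madrid. A simpler idempotent option is the `timezone` module from community.general (`timezone: name: Europe/Madrid`); otherwise delete those two files before notifying the handler. The questions are of debconf type `select`, so `vtype: select` describes them better than `"string"`.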


@ -6,6 +6,6 @@
copy: copy:
src: vimrc.local src: vimrc.local
dest: /etc/vim/ dest: /etc/vim/
mode: '644' mode: u=rw,g=r,o=r
owner: root owner: root
group: root group: root


@ -1,12 +1,3 @@
- name: Download vn-host Debian package
get_url:
url: "{{ vn_host.url }}/{{ vn_host.package }}"
dest: "/tmp/{{ vn_host.package }}"
mode: '0644'
- name: Install package - name: Install package
apt: apt:
deb: "/tmp/{{ vn_host.package }}" deb: "{{ vn_host.url }}/{{ vn_host.package }}"
- name: Delete package
file:
path: "/tmp/{{ vn_host.package }}"
state: absent
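Review bot: `deb: "{{ vn_host.url }}/{{ vn_host.package }}"` now has the apt module fetch the package itself from a plain `http://` URL (vn_host.url in the role defaults) and install it as root with no integrity check, so anyone who can tamper with that connection chooses what dpkg installs; the removed get_url step had the same weakness, but it was the natural place to add one. Either serve the package over HTTPS and pin a digest, or, since the URL is an apt pool, add the repository with its signing key and install `vn-host` through apt so signatures are verified. The minimal fix below keeps the download with a checksum (`vn_host.sha256` is a proposed new key in the defaults) and re-adds the deleted cleanup task afterwards.
```yaml
- name: Download vn-host Debian package
  get_url:
    url: "{{ vn_host.url }}/{{ vn_host.package }}"
    dest: "/tmp/{{ vn_host.package }}"
    checksum: "sha256:{{ vn_host.sha256 }}"  # proposed default: digest of vn_host.package
    mode: u=rw,g=r,o=r
- name: Install package
  apt:
    deb: "/tmp/{{ vn_host.package }}"
# … unchanged: the previous "Delete package" cleanup task …
```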


@ -0,0 +1,12 @@
- name: Check if witness have been generated
stat:
path: /etc/vn.witness
register: keys_generated_marker
- name: Generate variable if not exists
set_fact:
vn_witness: "{{ not keys_generated_marker.stat.exists }}"
- name: Create marker file to indicate vn happends
file:
path: /etc/vn.witness
state: touch
when: vn_witness
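Review bot: The marker `/etc/vn.witness` is created here, and main.yml imports witness.yml before ssh.yml, so if host-key regeneration fails or the run is interrupted after this task, the next run sees the marker and never regenerates the keys. Create the marker as the last step of the role (or at least after ssh.yml), or derive the condition from the state itself, for example a `stat` on the key files. The task names read awkwardly: `Check if witness has been generated` and `Create marker file to indicate the first run happened`.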


@ -1,10 +1,10 @@
Director { Director {
Name = bacula-dir Name = bacula-dir
Password = "{{ FDPASSWD }}" Password = "{{ bacula_passwords.fdpasswd }}"
} }
Director { Director {
Name = bacula-mon Name = bacula-mon
Password = "{{ FDMPASSWD }}" Password = "{{ bacula_passwords.fdmpasswd }}"
Monitor = yes Monitor = yes
} }
FileDaemon { FileDaemon {


@ -14,7 +14,9 @@ action = %(action_)s
#+++++++++++++++ Jails #+++++++++++++++ Jails
[sshd] [sshd]
ignoreip = 127.0.0.1/8
enabled = true enabled = true
port = 0:65535 port = 0:65535
filter = sshd filter = sshd
logpath = %(sshd_log)s logpath = {{ fail2ban.logpath }}
action = %(action_mwl)s
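Review bot: `ignoreip = 127.0.0.1/8` inside `[sshd]` overrides, for this jail, whatever `ignoreip` the `[DEFAULT]` section sets; if that section is rendered from `fail2ban.ignore` (`127.0.0.0/8 {{ dc_net }}` in the defaults), the `dc_net` exemption no longer applies to the sshd jail and internal hosts can be banned — the DEFAULT section is outside this hunk, so please confirm. Drop the jail-level line or render it from the same variable. `action_mwl` mails whois output and log excerpts, which needs the `whois` package and a working mail path; neither is covered by fail2ban_base_packages.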


@ -1,4 +1,5 @@
allowed_hosts={{ nagios_server }} allowed_hosts={{ nagios_server }}
server_address={{ ansible_default_ipv4.address }}
command[check_disk_root]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p / command[check_disk_root]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p /
command[check_disk_var]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p /var command[check_disk_var]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p /var
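Review bot: `server_address={{ ansible_default_ipv4.address }}` narrows the NRPE listener to the primary IPv4 address, which is a sensible change, but on a host without a default IPv4 route `ansible_default_ipv4` is an empty dict and the template fails on the undefined `address`; wrap the line in `{% if ansible_default_ipv4.address is defined %}` or fall back to a known bind address. The option only restricts the listening socket; access control still comes from `allowed_hosts` on the line above.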


@ -1,5 +1,5 @@
domain {{ resolv_domain }} domain {{ host_domain }}
search {{ resolv_domain }} search {{ host_domain }}
{% if resolvers is defined %} {% if resolvers is defined %}
{% for resolver in resolvers %} {% for resolver in resolvers %}
nameserver {{resolver}} nameserver {{resolver}}
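Review bot: The template now reads `host_domain` while this same change removes `resolv_domain` from the group vars, and no definition of `host_domain` is visible in the diff; if it is not set elsewhere (inventory or role defaults) the template fails with an undefined variable. Confirm where it is defined, and consider a fallback such as `{{ host_domain | default(ansible_domain) }}` so the task does not depend on inventory layout. The `{% for %}` loop continues past the hunk.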


@ -1,3 +0,0 @@
vn_host:
url: http://apt.verdnatura.es/pool/main/v/vn-host
package: vn-host_2.0.2_all.deb


@ -2,5 +2,3 @@
service: service:
name: nslcd name: nslcd
state: restarted state: restarted
- name: pam-update-ldap
shell: pam-auth-update --enable ldap


@ -11,7 +11,7 @@
mode: '0640' mode: '0640'
notify: notify:
- restart-nslcd - restart-nslcd
- pam-update-ldap register: nslcd
- name: Configure nsswitch to use NSLCD - name: Configure nsswitch to use NSLCD
lineinfile: lineinfile:
dest: /etc/nsswitch.conf dest: /etc/nsswitch.conf
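Review bot: Replacing the `pam-update-ldap` notification with `register: nslcd` means `pam-auth-update --enable ldap` is no longer run by this role (the handler itself is deleted in this change), so on a fresh host PAM may never be switched to LDAP unless the libpam-ldapd package's own configure step does it; please confirm. The registered `nslcd` result is not used in the visible lines, so either drop `register: nslcd` or use it for whatever condition replaced the handler. The task that owns these lines starts before the hunk.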


@ -1,4 +1,4 @@
- name: restart-sysctl - name: restart-sysctl
service: systemd:
name: systemd-sysctl name: systemd-sysctl
state: restarted state: restarted


@ -1,5 +1,12 @@
- name: Disable AppArmor - name: Stop AppArmor
service: systemd:
name: apparmor name: apparmor
state: stopped state: stopped
- name: Disable AppArmor service
systemd:
name: apparmor
enabled: no enabled: no
- name: Mask AppArmor service
systemd:
name: apparmor
masked: yes
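Review bot: Stop, disable and mask are three separate `systemd` calls on the same unit; the module accepts `state: stopped`, `enabled: false` and `masked: true` together, so one task expresses the same outcome in one place. Masking AppArmor removes a mandatory-access-control layer on every host this role touches; the task names say what is done but not why, and a one-line comment with the reason would help the next reviewer decide whether it still applies.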


@ -2,11 +2,8 @@
hostname: hostname:
name: "{{ inventory_hostname_short }}" name: "{{ inventory_hostname_short }}"
use: debian use: debian
- name: Configure hosts file - name: Populating hosts file with hostname
blockinfile: lineinfile:
path: /etc/hosts path: /etc/hosts
marker_begin: '--- BEGIN VN ---' regexp: '^127\.0\.1\.1'
marker_end: '--- END VN ---' line: '127.0.1.1 {{ hostname_fqdn }} {{ inventory_hostname_short }}'
marker: "# {mark}"
block: |
{{ ansible_default_ipv4.address }} {{ hostname_fqdn }} {{ inventory_hostname_short }}
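Review bot: Switching from `blockinfile` to `lineinfile` leaves the previously written `# --- BEGIN VN ---` … `# --- END VN ---` block in place on hosts configured by the old task, so those hosts end up with two entries for `{{ hostname_fqdn }}` (the real address from the old block and the new 127.0.1.1 line) and resolution depends on which comes first in /etc/hosts. Add a cleanup task with the old markers and `state: absent` before the lineinfile call.
```yaml
- name: Remove hosts block written by the previous version of this role
  blockinfile:
    path: /etc/hosts
    marker_begin: '--- BEGIN VN ---'
    marker_end: '--- END VN ---'
    marker: "# {mark}"
    state: absent
# … unchanged: Populating hosts file with hostname (lineinfile) …
```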


@ -1,9 +0,0 @@
- name: Replace /etc/resolv.conf
template:
src: resolv.conf
dest: /etc/
owner: root
group: root
mode: '0644'
backup: true
when: resolv_enabled


@ -1,4 +1,4 @@
- name: Set systctl configuration - name: Set systctl custom vn configuration
copy: copy:
src: sysctl/ src: sysctl/
dest: /etc/sysctl.d/ dest: /etc/sysctl.d/


@ -1,4 +1,2 @@
- import_tasks: ssh.yml
tags: ssh
- import_tasks: root.yml - import_tasks: root.yml
tags: root tags: root


@ -1,10 +0,0 @@
- name: Delete old host SSH keys
file:
path: "{{ item }}"
state: absent
with_items:
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ed25519_key
- /etc/ssh/ssh_host_rsa_key
- name: Regenerate host SSH keys
command: dpkg-reconfigure openssh-server