vn-ansible/linux/base-config-debian/roles/base-config-debian-os/tasks/main.yaml


---
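#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Reconfigure locales - generate en_US.UTF-8 and es_ES.UTF-8, default en_US.UTF-8
# The locales package asks two debconf questions: locales/locales_to_be_generated
# (multiselect, "<locale> <charset>" entries) and locales/default_environment_locale
# (single-value select). Locale names are spelled en_US.UTF-8, not en_US-UTF8.
- name: reconfigure locales - select locales to be generated (en_US.UTF-8, es_ES.UTF-8)
  debconf:
    name: locales
    question: locales/locales_to_be_generated
    value: "en_US.UTF-8 UTF-8, es_ES.UTF-8 UTF-8"
    vtype: multiselect
  register: locales_generated

- name: reconfigure locales - set default environment locale (en_US.UTF-8)
  debconf:
    name: locales
    question: locales/default_environment_locale
    value: "en_US.UTF-8"
    vtype: select
  register: locales_default

# debconf only stores the answers; dpkg-reconfigure runs locale-gen and writes
# /etc/default/locale from them. Runs only when an answer actually changed.
- name: reconfigure locales - apply debconf answers
  command: dpkg-reconfigure -f noninteractive locales
  when: locales_generated is changed or locales_default is changed
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++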
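#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Reconfigure timezone - Europe/Madrid
# tzdata reads two debconf answers: the area (tzdata/Areas) and the zone inside
# that area (tzdata/Zones/Europe). Setting only the zone leaves the area unset,
# so the timezone is not actually selected.
- name: reconfigure timezone area Europe
  debconf:
    name: tzdata
    question: tzdata/Areas
    value: Europe
    vtype: select
  register: tzdata_area

- name: reconfigure timezone zone Madrid
  debconf:
    name: tzdata
    question: tzdata/Zones/Europe
    value: Madrid
    vtype: select
  register: tzdata_zone

# debconf only stores the answers; dpkg-reconfigure writes /etc/timezone and
# /etc/localtime from them.
# NOTE(review): tzdata's config script may seed its answers from an existing
# /etc/timezone on some Debian releases - verify the result on a target host.
- name: reconfigure timezone apply debconf answers
  command: dpkg-reconfigure -f noninteractive tzdata
  when: tzdata_area is changed or tzdata_zone is changed
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++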
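#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# update packages (refresh the apt cache)
# `name: "*"` with `state: latest` already upgraded every installed package,
# which the dist-upgrade task right below repeats; this task now only refreshes
# the package index so the upgrade task works from current metadata.
- name: update packages (refresh apt cache)
  apt:
    update_cache: true
    force_apt_get: true
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++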
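#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# upgrade packages
# `upgrade: dist` is what performs the apt-get dist-upgrade; `state: latest`
# without a `name` is redundant on the apt module and was dropped.
- name: upgrade packages
  apt:
    upgrade: dist
    force_apt_get: true
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++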
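#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# install packages
# Passing the whole list to `name` installs everything in one apt transaction;
# `with_items` ran one apt call per package. The task name now lists all seven
# packages instead of the first four.
- name: install base packages (vim htop psmisc aptitude nslcd exim4 fail2ban)
  apt:
    name:
      - vim
      - htop
      - psmisc
      - aptitude
      - nslcd  # LDAP name service daemon, configured by the nslcd tasks below
      - exim4  # MTA, reconfigured as a smarthost relay below
      - fail2ban
    state: present
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++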
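#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Reconfigure relayhost smtp to smtp.verdnatura.es
# Rewrites the dc_* settings in the exim4 configuration file named by
# exim_configuration_file (presumably /etc/exim4/update-exim4.conf.conf, given
# the dc_* keys - confirm). Each loop item replaces the line matching `regexp`
# with `line`, or appends it when no line matches. Values come from role or
# inventory vars; `exim4_config` is registered so the verification mail below
# is sent only when something changed.
# NOTE(review): dc_other_hostnames and dc_readhost close the single quote before
# ".verdnatura.es". update-exim4.conf sources this file with sh, where the two
# fragments concatenate to host.verdnatura.es - confirm this is intended rather
# than a misplaced quote.
# NOTE(review): dc_relay_nets lists the networks allowed to relay through this
# host without authentication - keep it to the local networks that need it.
- name: reconfigure relayhost to smtp.verdnatura.es
  lineinfile:
    dest: "{{ exim_configuration_file }}"
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
    mode: '0644'  # quoted: an unquoted 0644 is parsed as an octal integer by YAML
  loop:
    - regexp: '^dc_eximconfig_configtype'
      line: "dc_eximconfig_configtype='{{ exim_dc_eximconfig_configtype }}'"
    - regexp: '^dc_other_hostnames'
      line: "dc_other_hostnames='{{ dc_other_hostnames }}'.verdnatura.es"
    - regexp: '^dc_local_interfaces'
      line: "dc_local_interfaces='{{ dc_local_interfaces }}'"
    - regexp: '^dc_readhost'
      line: "dc_readhost='{{ dc_readhost }}'.verdnatura.es"
    - regexp: '^dc_relay_domains'
      line: "dc_relay_domains='{{ dc_relay_domains }}'"
    - regexp: '^dc_minimaldns'
      line: "dc_minimaldns='{{ dc_minimaldns }}'"
    - regexp: '^dc_relay_nets'
      line: "dc_relay_nets='{{ dc_relay_nets }}'"
    - regexp: '^dc_smarthost'
      line: "dc_smarthost='{{ dc_smarthost }}'"
    - regexp: '^CFILEMODE'
      line: "CFILEMODE='{{ CFILEMODE }}'"
    - regexp: '^dc_use_split_config'
      line: "dc_use_split_config='{{ dc_use_split_config }}'"
    - regexp: '^dc_hide_mailname'
      line: "dc_hide_mailname='{{ dc_hide_mailname }}'"
    - regexp: '^dc_mailname_in_oh'
      line: "dc_mailname_in_oh='{{ dc_mailname_in_oh }}'"
    - regexp: '^dc_localdelivery'
      line: "dc_localdelivery='{{ dc_localdelivery }}'"
  notify: restart exim4
  register: exim4_config
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++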
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# DONT WORK :(
#- name: reconfigure relayhost to smtp.verdnatura.es
# debconf:
# name: exim4-config
# question: "{{ item.name }}"
# value: "{{ item.value }}"
# vtype: string
# loop:
# - name: exim4/dc_smarthost
# value: smtp.verdnatura.es
# - name: exim4/dc_local_interfaces
# value: ""
# - name: exim4/dc_minimaldns
# value: 'false'
# - name: exim4/dc_readhost
# value: "{{ ansible_nodename }}" # var to define survey(encuesta)
# - name: exim4/dc_other_hostnames
# value: ""
# - name: exim4/dc_eximconfig_configtype
# value: "mail sent by smarthost; no local mail"
# - name: exim4/mailname
# value: "{{ ansible_nodename }}" # var to define survey(encuesta)
# - name: exim4/use_split_config
# value: 'false'
#
# generate master config
#- name: generate master config
# command: update-exim4.conf
# notify: apply reconfig
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# DONT WORK :(
# NEEDS to INSTALL more MODULES with -> ansible-galaxy collection install community.general
#
# Send mail to verify relay-host
#- name: sending mail to verify exim4 config works
# mail:
# host: smtp.verdnatura.es
# port: 465
# subject: Verify Ansible playbook deployment exim4
# body: Hello , this is an e-mail to verify exim4 config works on {{ ansible_facts['ansible_nodename'] }}
# to:
# - informatica@verdnatura.es
# - rubenb@verdnatura.es
# delegate_to: localhost
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Send mail to verify relay-host
# Create file with message
#- name: create file and add line
# lineinfile:
# path: /tmp/messagefileverify
# line: Verify send email from host {{ ansible_nodename }}'.verdnatura.es with mailx , bye.
# create: yes
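# Send mail with module shell (shell module accepts pipes "|" , command module dont accept pipes)
# Sends a test message through the freshly configured relay, only when the exim4
# configuration task above changed something. The command is one logical line,
# folded with `>-` for readability; the rendered string is unchanged.
# NOTE(review): mailx is not in the package list installed by this role (it is
# provided by bsd-mailx or mailutils) - confirm it is present on the target.
- name: sending mail to verify exim4 config works
  shell: >-
    echo "Verify send email from host {{ ansible_nodename }}.verdnatura.es with mailx , bye."
    | mailx -s "test mail verify exim4 for the host {{ ansible_nodename }}.verdnatura.es"
    -c rubenb@verdnatura.es,nada@verdnatura.es,juan@verdnatura.es,davidl@verdnatura.es
    informatica@verdnatura.es
  when: exim4_config is changed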
# Delete tmp file /tmp/messagefileverify
#- name: delete tmp file /tmp/messagefileverify
# file:
# path: /tmp/messagefileverify
# state: absent
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
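#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# configure centralized authentication [nslcd]
# step 1 - copy the nslcd configuration (the bind password is inserted in step 2)
# /etc/nslcd.conf carries the LDAP bind credential, hence root:nslcd and 0640.
# nslcd is restarted through the handler so it picks up the new file.
# NOTE(review): `backup` keeps timestamped copies of the previous file next to
# it, which may still contain an earlier bind password - remove them once the
# rollout is verified.
- name: copy file nslcd.conf
  copy:
    src: nslcd.conf
    dest: /etc/nslcd.conf
    owner: root
    group: nslcd
    mode: '0640'
    backup: true  # real boolean instead of the YAML-1.1-only `yes`
  notify: restart nslcd
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++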
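# step 2 - lineinfile password with vault
# Inserts the LDAP bind password (bindpw_password, stored with ansible-vault)
# into nslcd.conf. `no_log` keeps the rendered line out of task output, -v and
# --diff, and the nslcd handler restarts the daemon so it re-reads the credential.
- name: add password with ansible vault to file nslcd.conf
  lineinfile:
    dest: /etc/nslcd.conf
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
  loop:
    - regexp: "^bindpw"
      line: "bindpw {{ bindpw_password }}"
  no_log: true
  notify: restart nslcd
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++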
# step 3 - edit lines in /etc/nsswitch.conf
# Points the passwd and group databases at files, systemd and ldap (served by
# nslcd). Each loop item replaces the existing database line, or appends it.
- name: edit file /etc/nsswitch.conf
  lineinfile:
    dest: /etc/nsswitch.conf
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
  loop:
    - regexp: "^passwd:"
      line: "passwd: files systemd ldap"
    - regexp: "^group:"
      line: "group: files systemd ldap"
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
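# step 4 - reconfigure PAM to use LDAP
# pam-auth-update needs no shell features, so `command` runs it without a shell.
# The command is safe to repeat but always reports changed to Ansible, so the
# nslcd handler is notified on every run.
- name: reconfigure PAM to use LDAP
  command: pam-auth-update --enable ldap
  notify: restart nslcd
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++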
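#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# configure sudo for sysadmin group
# A single lineinfile with `create` replaces the separate touch task, which
# reported changed on every run. sudo expects drop-in files in /etc/sudoers.d
# to be owned by root and not writable by others (0440 is the conventional
# mode), and `validate` runs visudo on the temporary copy so a malformed entry
# never reaches the live file and locks sudo out.
# NOTE(review): the entry grants passwordless, unrestricted sudo to the whole
# sysadmin group; drop NOPASSWD if a password prompt is wanted.
- name: Add sysadmin group to sudoers (/etc/sudoers.d/vn)
  lineinfile:
    path: /etc/sudoers.d/vn
    line: "%sysadmin ALL=(ALL) NOPASSWD: ALL"
    create: true
    owner: root
    group: root
    mode: '0440'
    validate: /usr/sbin/visudo -cf %s
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++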
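#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Protect GRUB with a password
# Appends a superuser (user_grub) and its PBKDF2 hash (code_grub) to
# /etc/grub.d/40_custom; the registered result drives update-grub in the next
# task so grub.cfg is regenerated only when the block changed.
# NOTE(review): once `superusers` is set, every menu entry prompts for the GRUB
# password unless it is generated with --unrestricted - check that unattended
# reboots still boot the default entry.
- name: GRUB se password boot protection
  blockinfile:
    path: /etc/grub.d/40_custom
    block: |
      set superusers="{{ user_grub }}"
      password_pbkdf2 {{ user_grub }} {{ code_grub }}
  register: grub_register
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++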
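# update grub
# Regenerates /boot/grub/grub.cfg, but only when the 40_custom block above
# actually changed (`is changed` is the recommended test over `.changed`).
- name: update grub config
  command: update-grub
  when: grub_register is changed
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++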
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Install and configure FAIL2BAN
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++