--- /dev/null
+---
+- set_fact:
+ sshd_allowusers: >-
+ {{ [ 'root' ] | union(user_groups.noc)
+ | union(sshd_allowusers_group | default([]))
+ | union(sshd_allowusers_host | default([])) }}
+
+- name: only allow pubkey auth for root
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^PermitRootLogin"
+ line: "PermitRootLogin without-password"
+ notify: restart ssh
+
+- name: limit allowed users (1/2)
+ when: sshd_allowgroup is not defined
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^#?AllowUsers"
+ line: "AllowUsers {{ ' '.join(sshd_allowusers) }}"
+ notify: restart ssh
+
+- block:
+ - name: "limit allowed users (2/2): Make sure AllowUsers is not in sshd_config"
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^AllowUsers"
+ state: absent
+ notify: restart ssh
+
+ - name: "limit allowed users (2/2): Set AllowGroups in sshd_config"
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^#?AllowGroups"
+ line: AllowGroups {{ sshd_allowgroup }}
+ notify: restart ssh
+
+ - name: "limit allowed users (2/2): Add allowed users to ssh group"
+ user:
+ name: "{{ item }}"
+ groups: "{{ sshd_allowgroup }}"
+ append: True
+ with_items: "{{ sshd_allowusers }}"
+
+ when: sshd_allowgroup is defined
+
+- name: Set authorized keys for root user
+ authorized_key:
+ user: root
+ key: "{{ ssh_users_root | user_ssh_keys(users) | join('\n') }}"
+ exclusive: yes
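Review bot: None of the lineinfile edits to /etc/ssh/sshd_config carries a `validate:` argument although each one notifies `restart ssh`, so a malformed result (an empty `AllowGroups` argument, or a directive that lineinfile appends at end of file and which then lands inside a trailing `Match` block) only surfaces when the restarted daemon refuses to start and the host being hardened is locked out. Add `validate: '/usr/sbin/sshd -t -f %s'` to each sshd_config lineinfile task so `sshd -t` rejects the file before the handler ever runs. The regexp `^PermitRootLogin` does not match the distribution's commented `#PermitRootLogin` default, so that directive is appended at end of file; `insertbefore: '^Match'` with `firstmatch: yes` keeps it in the global section. `without-password` is the deprecated spelling retained as an alias; `PermitRootLogin prohibit-password` is the current name and reads unambiguously.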
--- /dev/null
+---
+- name: disable apt suggests and recommends
+ copy:
+ src: 02no-recommends
+ dest: /etc/apt/apt.conf.d/
+ mode: 0644
+
+- name: install basic packages
+ apt:
+ name:
+ - less
+ - psmisc
+ - sudo
+ - dstat
+ - mtr-tiny
+ - tcpdump
+ - debian-goodies
+ - lsof
+ - haveged
+ - net-tools
+ - screen
+ - aptitude
+ - unp
+ - ca-certificates
+ - file
+ - nano
+ - python-apt
+ - command-not-found
+ - man-db
+ - lshw
+ state: present
+
+- name: make sure grml-(etc|scripts)-core is not installed
+ apt:
+ name:
+ - grml-etc-core
+ - grml-scripts-core
+ state: absent
+ purge: yes
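Review bot: `python-apt` in the basic package list is the Python 2 binding; on releases where Python 2 has been dropped (Debian 11 and later, Ubuntu 20.04 and later) the package does not exist and this task fails, aborting the rest of the role. Unless the fleet is pinned to older releases, use `python3-apt` (also what the apt module needs under a Python 3 interpreter), or select the name from `ansible_python.version.major`. The managed releases are not visible here, so verify this against the inventory rather than taking it as given.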
--- /dev/null
+---
+- when: base_managed_ntpd
+ block:
+ - name: check that ISC ntpd is not installed
+ apt:
+ name: ntp
+ state: absent
+ purge: yes
+
+ - name: install openntpd
+ apt:
+ name: openntpd
+
+ - name: configure openntpd
+ copy:
+ dest: /etc/openntpd/ntpd.conf
+ content: |
+ # Use the ffgraz.net NTP server
+ servers ntp.ffgraz.net weight 3
+
+ # Use some servers announced from the NTP Pool
+ servers 0.debian.pool.ntp.org
+ servers 1.debian.pool.ntp.org
+
+ notify: restart openntpd
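Review bot: The openntpd configuration uses only plain unauthenticated `servers` lines, so anyone on path can steer the clock, which in turn affects certificate validity checks, log timestamps and any time-based credentials on these hosts. openntpd can bound accepted time with a `constraints from "https://…"` line that checks the `Date:` header of a trusted HTTPS endpoint; if the packaged version on the managed releases has constraint support (5.9 or later, built with libtls), add one such line for an endpoint you already trust. Separately, `when: base_managed_ntpd` raises an undefined-variable error rather than skipping when the variable is not set — `when: base_managed_ntpd | default(false)` is the usual spelling — and the config copy could take `mode: 0644` to match the other files written in this change.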
--- /dev/null
+---
+- name: install systemd specific packages
+ apt:
+ state: present
+ name:
+ - dbus
+ - libpam-systemd
+
+- name: set systemd-related environment variables
+ copy:
+ src: xdg_runtime_dir.sh
+ dest: /etc/profile.d/xdg_runtime_dir.sh
+ mode: 0644
+
+
+- when: ansible_distribution == "Ubuntu"
+ block:
+ - name: workaround console-setup race condition (1/2)
+ file:
+ path: /etc/systemd/system/console-setup.service.d/
+ state: directory
+
+ - name: workaround console-setup race condition (2/2)
+ copy:
+ dest: /etc/systemd/system/console-setup.service.d/override.conf
+ mode: 0644
+ content: |
+ [Unit]
+ After=systemd-tmpfiles-setup.service
+ # no need to reload systemd, it is only there to fix a boot-time race-condition
--- /dev/null
+---
+- name: install base tools
+ apt:
+ name:
+ - htop
+ - zsh
+
+- name: set root default shell to zsh
+ user:
+ name: root
+ shell: /bin/zsh
+
+- name: set default shell for adduser
+ with_dict:
+ DSHELL: /bin/zsh
+ lineinfile:
+ dest: /etc/adduser.conf
+ regexp: "^#?{{ item.key }}="
+ line: "{{ item.key }}={{ item.value }}"
+
+- name: Deploy default configuration for tools
+ with_dict:
+ /etc/htoprc: "{{ global_files_dir }}/common/htoprc"
+
+ /etc/zsh/zprofile: zprofile
+ /etc/zsh/zshrc: zshrc
+ /etc/skel/.zshrc: zshrc.skel
+
+ loop_control:
+ label: "{{ item.key }}"
+ copy:
+ mode: 0644
+ src: "{{ item.value }}"
+ dest: "{{ item.key }}"
--- /dev/null
+---
+- name: Load the tcp_bbr kernel module
+ modprobe:
+ name: tcp_bbr
+
+- name: Persist the tcp_bbr module to configuration
+ copy:
+ dest: /etc/modules-load.d/local-network.conf
+ content: tcp_bbr
+
+- name: Set network-related sysctl options
+ sysctl:
+ sysctl_file: /etc/sysctl.d/local-network.conf
+ sysctl_set: yes
+ name: "{{ item.key }}"
+ value: "{{ item.value }}"
+
+ with_dict:
+ # CoDel (controlled delay) with Fair Queuing as the default queue scheduler
+ # mitigates bufferbloat and helps share bandwidth equitably across flows.
+ net.core.default_qdisc: fq_codel
+
+ # BBR is currently the best TCP congestion control algorithm.
+ # C.f. https://queue.acm.org/detail.cfm?id=3022184
+ net.ipv4.tcp_congestion_control: bbr
+
+ loop_control:
+ label: "{{ item.key }}"
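Review bot: The `modprobe` task hard-fails on any host whose kernel was built without `tcp_bbr` (upstream added it in 4.9; the preseed change in this same commit selects the 16.04 HWE kernel, presumably for that reason), so one host left on an older stock kernel aborts the play instead of simply staying on CUBIC. Guard the module load and the `tcp_congestion_control` entry with `when: ansible_kernel is version('4.9', '>=')`, or accept the failure explicitly with `failed_when: false` on the modprobe, whichever matches how mixed the fleet is. The modules-load.d file is written as `content: tcp_bbr` with no trailing newline and no `mode:`; `content: "tcp_bbr\n"` plus `mode: 0644` keeps it consistent with the other deployed files. A comment at `net.ipv4.tcp_congestion_control` noting that the ipv4 name is historical and the setting also governs IPv6 TCP would save the next reader a lookup.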
---
-- set_fact:
- sshd_allowusers: >-
- {{ [ 'root' ] | union(user_groups.noc)
- | union(sshd_allowusers_group | default([]))
- | union(sshd_allowusers_host | default([])) }}
-
-- name: only allow pubkey auth for root
- lineinfile:
- dest: /etc/ssh/sshd_config
- regexp: "^PermitRootLogin"
- line: "PermitRootLogin without-password"
- notify: restart ssh
-
-- name: limit allowed users (1/2)
- when: sshd_allowgroup is not defined
- lineinfile:
- dest: /etc/ssh/sshd_config
- regexp: "^#?AllowUsers"
- line: "AllowUsers {{ ' '.join(sshd_allowusers) }}"
- notify: restart ssh
-
-- block:
- - name: "limit allowed users (2/2): Make sure AllowUsers is not in sshd_config"
- lineinfile:
- dest: /etc/ssh/sshd_config
- regexp: "^AllowUsers"
- state: absent
- notify: restart ssh
-
- - name: "limit allowed users (2/2): Set AllowGroups in sshd_config"
- lineinfile:
- dest: /etc/ssh/sshd_config
- regexp: "^#?AllowGroups"
- line: AllowGroups {{ sshd_allowgroup }}
- notify: restart ssh
-
- - name: "limit allowed users (2/2): Add allowed users to ssh group"
- user:
- name: "{{ item }}"
- groups: "{{ sshd_allowgroup }}"
- append: True
- with_items: "{{ sshd_allowusers }}"
-
- when: sshd_allowgroup is defined
-
-- name: Set authorized keys for root user
- authorized_key:
- user: root
- key: "{{ ssh_users_root | user_ssh_keys(users) | join('\n') }}"
- exclusive: yes
-
-- name: disable apt suggests and recommends
- copy:
- src: 02no-recommends
- dest: /etc/apt/apt.conf.d/
- mode: 0644
-
-- name: install basic packages
- apt:
- name:
- - less
- - psmisc
- - sudo
- - htop
- - dstat
- - mtr-tiny
- - tcpdump
- - debian-goodies
- - lsof
- - haveged
- - net-tools
- - screen
- - aptitude
- - unp
- - ca-certificates
- - file
- - nano
- - zsh
- - python-apt
- - command-not-found
- - man-db
- - lshw
- state: present
-
-- when: base_managed_ntpd
- block:
- - name: check that ISC ntpd is not installed
- apt:
- name: ntp
- state: absent
- purge: yes
-
- - name: install openntpd
- apt:
- name: openntpd
-
- - name: configure openntpd
- copy:
- dest: /etc/openntpd/ntpd.conf
- content: |
- # Use the ffgraz.net NTP server
- servers ntp.ffgraz.net weight 3
-
- # Use some servers announced from the NTP Pool
- servers 0.debian.pool.ntp.org
- servers 1.debian.pool.ntp.org
-
- notify: restart openntpd
-
-
-- name: make sure grml-(etc|scripts)-core is not installed
- apt:
- name:
- - grml-etc-core
- - grml-scripts-core
- state: absent
- purge: yes
-
-- block:
- - name: install systemd specific packages
- apt:
- name:
- - dbus
- - libpam-systemd
- state: present
-
- - name: set systemd-related environment variables
- copy:
- src: xdg_runtime_dir.sh
- dest: /etc/profile.d/xdg_runtime_dir.sh
- mode: 0644
-
- when: ansible_service_mgr == "systemd"
-
-- block:
- - name: workaround console-setup race condition (1/2)
- file:
- path: /etc/systemd/system/console-setup.service.d/
- state: directory
-
- - name: workaround console-setup race condition (2/2)
- copy:
- content: "[Unit]\nAfter=systemd-tmpfiles-setup.service\n"
- dest: /etc/systemd/system/console-setup.service.d/override.conf
- mode: 0644
- # no need to relaod systemd here, it is only there to fix a boot-time race-condition
-
- when: ansible_distribution == "Ubuntu"
-
-- name: set root default shell to zsh
- user:
- name: root
- shell: /bin/zsh
-
-- name: set default shell for adduser
- with_dict:
- DSHELL: /bin/zsh
- lineinfile:
- dest: /etc/adduser.conf
- regexp: "^#?{{ item.key }}="
- line: "{{ item.key }}={{ item.value }}"
-
-- name: Deploy default configuration for tools
- with_dict:
- /etc/htoprc: "{{ global_files_dir }}/common/htoprc"
-
- /etc/zsh/zprofile: zprofile
- /etc/zsh/zshrc: zshrc
- /etc/skel/.zshrc: zshrc.skel
-
- loop_control:
- label: "{{ item.key }}"
- copy:
- mode: 0644
- src: "{{ item.value }}"
- dest: "{{ item.key }}"
+- import_tasks: 01ssh.yml
+- import_tasks: 02debian.yml
+- import_tasks: 03ntp.yml
+- when: ansible_service_mgr == "systemd"
+ import_tasks: 04systemd.yml
+- import_tasks: 05tools.yml
+- import_tasks: 06net.yml
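Review bot: Placing the console-setup override in 04systemd.yml, which is now imported only under `ansible_service_mgr == "systemd"`, narrows a task that the removed main.yml ran for every Ubuntu host regardless of service manager; that is almost certainly fine, since a drop-in under /etc/systemd/system means nothing elsewhere, but it is a behavior change worth calling out. A comment above the conditional import such as `# 04systemd.yml also carries the Ubuntu console-setup override, which is only meaningful under systemd` would make the narrowing read as intentional. The rest of the split preserves the original task order, with `htop` and `zsh` relocated from the basic package list to 05tools.yml.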
d-i pkgsel/upgrade select safe-upgrade
popularity-contest popularity-contest/participate boolean false
d-i pkgsel/update-policy select none
+d-i base-installer/kernel/override-image string linux-generic-hwe-16.04
d-i grub-installer/choose_bootdev string /dev/{{ hostvars[hostname].install_cooked.disks.primary }}
d-i grub-installer/only_debian boolean true