From: Christian Pointner
Date: Fri, 21 Dec 2018 18:14:00 +0000 (+0100)
Subject: Merge pull request #47 from realraum/net/congestion-control
X-Git-Url: https://git.realraum.at/?p=noc.git;a=commitdiff_plain;h=dfba427b2b89b238c1b09c152e9162784ec96d0e;hp=a851f7038c2ec5ef8870455c588481f4aca281f1
Merge pull request #47 from realraum/net/congestion-control
base: Set congestion control option
---
diff --git a/ansible/roles/base/tasks/01ssh.yml b/ansible/roles/base/tasks/01ssh.yml
new file mode 100644
index 0000000..7e9eab5
--- /dev/null
+++ b/ansible/roles/base/tasks/01ssh.yml
@@ -0,0 +1,51 @@
+---
+- set_fact:
+ sshd_allowusers: >-
+ {{ [ 'root' ] | union(user_groups.noc)
+ | union(sshd_allowusers_group | default([]))
+ | union(sshd_allowusers_host | default([])) }}
+
+- name: only allow pubkey auth for root
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^PermitRootLogin"
+ line: "PermitRootLogin without-password"
+ notify: restart ssh
+
+- name: limit allowed users (1/2)
+ when: sshd_allowgroup is not defined
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^#?AllowUsers"
+ line: "AllowUsers {{ ' '.join(sshd_allowusers) }}"
+ notify: restart ssh
+
+- block:
+ - name: "limit allowed users (2/2): Make sure AllowUsers is not in sshd_config"
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^AllowUsers"
+ state: absent
+ notify: restart ssh
+
+ - name: "limit allowed users (2/2): Set AllowGroups in sshd_config"
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^#?AllowGroups"
+ line: AllowGroups {{ sshd_allowgroup }}
+ notify: restart ssh
+
+ - name: "limit allowed users (2/2): Add allowed users to ssh group"
+ user:
+ name: "{{ item }}"
+ groups: "{{ sshd_allowgroup }}"
+ append: True
+ with_items: "{{ sshd_allowusers }}"
+
+ when: sshd_allowgroup is defined
+
+- name: Set authorized keys for root user
+ authorized_key:
+ user: root
+ key: "{{ ssh_users_root | user_ssh_keys(users) | join('\n') }}"
+ exclusive: yes
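Review bot: The `only allow pubkey auth for root` task matches `regexp: "^PermitRootLogin"`, which, unlike the `^#?AllowUsers` and `^#?AllowGroups` patterns in the following tasks, does not match a commented-out `#PermitRootLogin` line; on a stock Debian/Ubuntu sshd_config, where that default is commented out, lineinfile therefore appends the directive at end of file instead of replacing it in place, and if the file ends in a `Match` block the appended directive would only apply inside that block. `regexp: "^#?PermitRootLogin"` keeps the three tasks consistent and avoids that. `PermitRootLogin without-password` is the older spelling that current OpenSSH accepts as an alias of `prohibit-password`; a one-line comment saying so would spare the next reader a lookup. `append: True` and `exclusive: yes` are carried over from the old main.yml, but `true` is the form yamllint's truthy rule and ansible-lint accept without warnings.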
diff --git a/ansible/roles/base/tasks/02debian.yml b/ansible/roles/base/tasks/02debian.yml
new file mode 100644
index 0000000..7aef268
--- /dev/null
+++ b/ansible/roles/base/tasks/02debian.yml
@@ -0,0 +1,39 @@
+---
+- name: disable apt suggests and recommends
+ copy:
+ src: 02no-recommends
+ dest: /etc/apt/apt.conf.d/
+ mode: 0644
+
+- name: install basic packages
+ apt:
+ name:
+ - less
+ - psmisc
+ - sudo
+ - dstat
+ - mtr-tiny
+ - tcpdump
+ - debian-goodies
+ - lsof
+ - haveged
+ - net-tools
+ - screen
+ - aptitude
+ - unp
+ - ca-certificates
+ - file
+ - nano
+ - python-apt
+ - command-not-found
+ - man-db
+ - lshw
+ state: present
+
+- name: make sure grml-(etc|scripts)-core is not installed
+ apt:
+ name:
+ - grml-etc-core
+ - grml-scripts-core
+ state: absent
+ purge: yes
diff --git a/ansible/roles/base/tasks/03ntp.yml b/ansible/roles/base/tasks/03ntp.yml
new file mode 100644
index 0000000..621e7f6
--- /dev/null
+++ b/ansible/roles/base/tasks/03ntp.yml
@@ -0,0 +1,25 @@
+---
+- when: base_managed_ntpd
+ block:
+ - name: check that ISC ntpd is not installed
+ apt:
+ name: ntp
+ state: absent
+ purge: yes
+
+ - name: install openntpd
+ apt:
+ name: openntpd
+
+ - name: configure openntpd
+ copy:
+ dest: /etc/openntpd/ntpd.conf
+ content: |
+ # Use the ffgraz.net NTP server
+ servers ntp.ffgraz.net weight 3
+
+ # Use some servers announced from the NTP Pool
+ servers 0.debian.pool.ntp.org
+ servers 1.debian.pool.ntp.org
+
+ notify: restart openntpd
diff --git a/ansible/roles/base/tasks/04systemd.yml b/ansible/roles/base/tasks/04systemd.yml
new file mode 100644
index 0000000..dca585c
--- /dev/null
+++ b/ansible/roles/base/tasks/04systemd.yml
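Review bot: `mode: 0644` in the `disable apt suggests and recommends` task is an unquoted leading-zero scalar: Ansible's YAML 1.1 loader reads it as the octal integer 420, which the file modules happen to accept, but a YAML 1.2 loader would read decimal 644 and ansible-lint reports this form as risky-octal. Quoting it, `mode: "0644"`, makes the intent explicit; the copy tasks in 04systemd.yml and 05tools.yml use the same form and should get the same treatment. `purge: yes` here and in 03ntp.yml would likewise be `purge: true` in yamllint's canonical boolean style.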
@@ -0,0 +1,30 @@
+---
+- name: install systemd specific packages
+ apt:
+ state: present
+ name:
+ - dbus
+ - libpam-systemd
+
+- name: set systemd-related environment variables
+ copy:
+ src: xdg_runtime_dir.sh
+ dest: /etc/profile.d/xdg_runtime_dir.sh
+ mode: 0644
+
+
+- when: ansible_distribution == "Ubuntu"
+ block:
+ - name: workaround console-setup race condition (1/2)
+ file:
+ path: /etc/systemd/system/console-setup.service.d/
+ state: directory
+
+ - name: workaround console-setup race condition (2/2)
+ copy:
+ dest: /etc/systemd/system/console-setup.service.d/override.conf
+ mode: 0644
+ content: |
+ [Unit]
+ After=systemd-tmpfiles-setup.service
+ # no need to reload systemd, it is only there to fix a boot-time race-condition
diff --git a/ansible/roles/base/tasks/05tools.yml b/ansible/roles/base/tasks/05tools.yml
new file mode 100644
index 0000000..8a25597
--- /dev/null
+++ b/ansible/roles/base/tasks/05tools.yml
@@ -0,0 +1,34 @@
+---
+- name: install base tools
+ apt:
+ name:
+ - htop
+ - zsh
+
+- name: set root default shell to zsh
+ user:
+ name: root
+ shell: /bin/zsh
+
+- name: set default shell for adduser
+ with_dict:
+ DSHELL: /bin/zsh
+ lineinfile:
+ dest: /etc/adduser.conf
+ regexp: "^#?{{ item.key }}="
+ line: "{{ item.key }}={{ item.value }}"
+
+- name: Deploy default configuration for tools
+ with_dict:
+ /etc/htoprc: "{{ global_files_dir }}/common/htoprc"
+
+ /etc/zsh/zprofile: zprofile
+ /etc/zsh/zshrc: zshrc
+ /etc/skel/.zshrc: zshrc.skel
+
+ loop_control:
+ label: "{{ item.key }}"
+ copy:
+ mode: 0644
+ src: "{{ item.value }}"
+ dest: "{{ item.key }}"
diff --git a/ansible/roles/base/tasks/06net.yml b/ansible/roles/base/tasks/06net.yml
new file mode 100644
index 0000000..04e33cd
--- /dev/null
+++ b/ansible/roles/base/tasks/06net.yml
@@ -0,0 +1,28 @@
+---
+- name: Load the tcp_bbr kernel module
+ modprobe:
+ name: tcp_bbr
+
+- name: Persist the tcp_bbr module to configuration
+ copy:
+ dest: /etc/modules-load.d/local-network.conf
+ content: tcp_bbr
+
+- name: Set network-related sysctl options
+ sysctl:
+ sysctl_file: /etc/sysctl.d/local-network.conf
+ sysctl_set: yes
+ name: "{{ item.key }}"
+ value: "{{ item.value }}"
+
+ with_dict:
+ # CoDel (controlled delay) with Fair Queuing as the default queue scheduler
+ # mitigates bufferbloat and helps share bandwidth equitably across flows.
+ net.core.default_qdisc: fq_codel
+
+ # BBR is currently the best TCP congestion control algorithm.
+ # C.f. https://queue.acm.org/detail.cfm?id=3022184
+ net.ipv4.tcp_congestion_control: bbr
+
+ loop_control:
+ label: "{{ item.key }}"
diff --git a/ansible/roles/base/tasks/main.yml b/ansible/roles/base/tasks/main.yml
index b148a6d..cff0d6a 100644
--- a/ansible/roles/base/tasks/main.yml
+++ b/ansible/roles/base/tasks/main.yml
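Review bot: The `Load the tcp_bbr kernel module` modprobe task and the `net.ipv4.tcp_congestion_control: bbr` sysctl have no guard for kernels that do not ship tcp_bbr (BBR arrived in Linux 4.9), so on such a host the modprobe fails and the play stops; the preseed change in this PR selects the HWE kernel only for fresh Xenial installs, so already-installed hosts still on the GA 4.4 kernel are presumably affected — worth confirming before rollout. Either state the requirement in the file, e.g. `# requires tcp_bbr (Linux >= 4.9); Xenial hosts need linux-generic-hwe-16.04, see the preseed template`, or gate both tasks with `when: ansible_kernel is version('4.9', '>=')`. Before Linux 4.13 BBR also relies on the `fq` qdisc for pacing, so `net.core.default_qdisc: fq_codel` only gives the intended BBR behaviour once the kernel floor is 4.13 or newer; a comment next to that key would record the assumption. Minor: `content: tcp_bbr` writes the file without a trailing newline (`content: "tcp_bbr\n"` avoids that), and `sysctl_set: yes` would be `sysctl_set: true`.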
@@ -1,177 +1,8 @@ --- -- set_fact: - sshd_allowusers: >- - {{ [ 'root' ] | union(user_groups.noc) - | union(sshd_allowusers_group | default([])) - | union(sshd_allowusers_host | default([])) }} - -- name: only allow pubkey auth for root - lineinfile: - dest: /etc/ssh/sshd_config - regexp: "^PermitRootLogin" - line: "PermitRootLogin without-password" - notify: restart ssh - -- name: limit allowed users (1/2) - when: sshd_allowgroup is not defined - lineinfile: - dest: /etc/ssh/sshd_config - regexp: "^#?AllowUsers" - line: "AllowUsers {{ ' '.join(sshd_allowusers) }}" - notify: restart ssh - -- block: - - name: "limit allowed users (2/2): Make sure AllowUsers is not in sshd_config" - lineinfile: - dest: /etc/ssh/sshd_config - regexp: "^AllowUsers" - state: absent - notify: restart ssh - - - name: "limit allowed users (2/2): Set AllowGroups in sshd_config" - lineinfile: - dest: /etc/ssh/sshd_config - regexp: "^#?AllowGroups" - line: AllowGroups {{ sshd_allowgroup }} - notify: restart ssh - - - name: "limit allowed users (2/2): Add allowed users to ssh group" - user: - name: "{{ item }}" - groups: "{{ sshd_allowgroup }}" - append: True - with_items: "{{ sshd_allowusers }}" - - when: sshd_allowgroup is defined - -- name: Set authorized keys for root user - authorized_key: - user: root - key: "{{ ssh_users_root | user_ssh_keys(users) | join('\n') }}" - exclusive: yes - -- name: disable apt suggests and recommends - copy: - src: 02no-recommends - dest: /etc/apt/apt.conf.d/ - mode: 0644 - -- name: install basic packages - apt: - name: - - less - - psmisc - - sudo - - htop - - dstat - - mtr-tiny - - tcpdump - - debian-goodies - - lsof - - haveged - - net-tools - - screen - - aptitude - - unp - - ca-certificates - - file - - nano - - zsh - - python-apt - - command-not-found - - man-db - - lshw - state: present - -- when: base_managed_ntpd - block: - - name: check that ISC ntpd is not installed - apt: - name: ntp - state: absent - purge: yes - - - name: install openntpd - apt: 
- name: openntpd - - - name: configure openntpd - copy: - dest: /etc/openntpd/ntpd.conf - content: | - # Use the ffgraz.net NTP server - servers ntp.ffgraz.net weight 3 - - # Use some servers announced from the NTP Pool - servers 0.debian.pool.ntp.org - servers 1.debian.pool.ntp.org - - notify: restart openntpd - - -- name: make sure grml-(etc|scripts)-core is not installed - apt: - name: - - grml-etc-core - - grml-scripts-core - state: absent - purge: yes - -- block: - - name: install systemd specific packages - apt: - name: - - dbus - - libpam-systemd - state: present - - - name: set systemd-related environment variables - copy: - src: xdg_runtime_dir.sh - dest: /etc/profile.d/xdg_runtime_dir.sh - mode: 0644 - - when: ansible_service_mgr == "systemd" - -- block: - - name: workaround console-setup race condition (1/2) - file: - path: /etc/systemd/system/console-setup.service.d/ - state: directory - - - name: workaround console-setup race condition (2/2) - copy: - content: "[Unit]\nAfter=systemd-tmpfiles-setup.service\n" - dest: /etc/systemd/system/console-setup.service.d/override.conf - mode: 0644 - # no need to relaod systemd here, it is only there to fix a boot-time race-condition - - when: ansible_distribution == "Ubuntu" - -- name: set root default shell to zsh - user: - name: root - shell: /bin/zsh - -- name: set default shell for adduser - with_dict: - DSHELL: /bin/zsh - lineinfile: - dest: /etc/adduser.conf - regexp: "^#?{{ item.key }}=" - line: "{{ item.key }}={{ item.value }}" - -- name: Deploy default configuration for tools - with_dict: - /etc/htoprc: "{{ global_files_dir }}/common/htoprc" - - /etc/zsh/zprofile: zprofile - /etc/zsh/zshrc: zshrc - /etc/skel/.zshrc: zshrc.skel - - loop_control: - label: "{{ item.key }}" - copy: - mode: 0644 - src: "{{ item.value }}" - dest: "{{ item.key }}" +- import_tasks: 01ssh.yml +- import_tasks: 02debian.yml +- import_tasks: 03ntp.yml +- when: ansible_service_mgr == "systemd" + import_tasks: 04systemd.yml +- 
import_tasks: 05tools.yml
+- import_tasks: 06net.yml
diff --git a/ansible/roles/preseed/templates/preseed_ubuntu-xenial.cfg.j2 b/ansible/roles/preseed/templates/preseed_ubuntu-xenial.cfg.j2
index 73fe409..73daa33 100644
--- a/ansible/roles/preseed/templates/preseed_ubuntu-xenial.cfg.j2
+++ b/ansible/roles/preseed/templates/preseed_ubuntu-xenial.cfg.j2
@@ -105,6 +105,7 @@ d-i pkgsel/include string openssh-server python
 d-i pkgsel/upgrade select safe-upgrade
 popularity-contest popularity-contest/participate boolean false
 d-i pkgsel/update-policy select none
+d-i base-installer/kernel/override-image string linux-generic-hwe-16.04
 d-i grub-installer/choose_bootdev string /dev/{{ hostvars[hostname].install_cooked.disks.primary }}
 d-i grub-installer/only_debian boolean true