
Initial commit

Lukasz P authored on20/01/2021 12:23:10
Showing45 changed files
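--- /dev/null
+++ b/<PATH-NOT-SHOWN-1>
@@ -0,0 +1,529 @@
+# Example config file for ansible -- https://ansible.com/
+# =======================================================
+
+# Nearly all parameters can be overridden in ansible-playbook
+# or with command line flags. Ansible will read ANSIBLE_CONFIG,
+# ansible.cfg in the current working directory, .ansible.cfg in
+# the home directory, or /etc/ansible/ansible.cfg, whichever it
+# finds first
+
+# For a full list of available options, run ansible-config list or see the
+# documentation: https://docs.ansible.com/ansible/latest/reference_appendices/config.html.
+
+[defaults]
+inventory        = /home/lukasz/progi/ansible/hosts
+#library         = ~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules
+#module_utils    = ~/.ansible/plugins/module_utils:/usr/share/ansible/plugins/module_utils
+#remote_tmp      = ~/.ansible/tmp
+#local_tmp       = ~/.ansible/tmp
+#forks           = 5
+#poll_interval   = 0.001
+#ask_pass        = False
+#transport       = smart
+
+interpreter_python = auto_silent
+
+# Plays will gather facts by default, which contain information about
+# the remote system.
+#
+# smart - gather by default, but don't regather if already gathered
+# implicit - gather by default, turn off with gather_facts: False
+# explicit - do not gather by default, must say gather_facts: True
+#gathering = implicit
+
+# This only affects the gathering done by a play's gather_facts directive,
+# by default gathering retrieves all facts subsets
+# all - gather all subsets
+# network - gather min and network facts
+# hardware - gather hardware facts (longest facts to retrieve)
+# virtual - gather min and virtual facts
+# facter - import facts from facter
+# ohai - import facts from ohai
+# You can combine them using comma (ex: network,virtual)
+# You can negate them using ! (ex: !hardware,!facter,!ohai)
+# A minimal set of facts is always gathered.
+#
+#gather_subset = all
+
+# some hardware related facts are collected
+# with a maximum timeout of 10 seconds. This
+# option lets you increase or decrease that
+# timeout to something more suitable for the
+# environment.
+#
+#gather_timeout = 10
+
+# Ansible facts are available inside the ansible_facts.* dictionary
+# namespace. This setting maintains the behaviour which was the default prior
+# to 2.5, duplicating these variables into the main namespace, each with a
+# prefix of 'ansible_'.
+# This variable is set to True by default for backwards compatibility. It
+# will be changed to a default of 'False' in a future release.
+#
+#inject_facts_as_vars = True
+
+# Paths to search for collections, colon separated
+# collections_paths = ~/.ansible/collections:/usr/share/ansible/collections
+
+# Paths to search for roles, colon separated
+#roles_path = ~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles
+
+# Host key checking is enabled by default
+#host_key_checking = True
+
+# You can only have one 'stdout' callback type enabled at a time. The default
+# is 'default'. The 'yaml' or 'debug' stdout callback plugins are easier to read.
+#
+#stdout_callback = default
+#stdout_callback = yaml
+#stdout_callback = debug
+
+
+# Ansible ships with some plugins that require whitelisting,
+# this is done to avoid running all of a type by default.
+# These setting lists those that you want enabled for your system.
+# Custom plugins should not need this unless plugin author disables them
+# by default.
+#
+# Enable callback plugins, they can output to stdout but cannot be 'stdout' type.
+#callback_whitelist = timer, mail
+
+# Determine whether includes in tasks and handlers are "static" by
+# default. As of 2.0, includes are dynamic by default. Setting these
+# values to True will make includes behave more like they did in the
+# 1.x versions.
+#
+#task_includes_static = False
+#handler_includes_static = False
+
+# Controls if a missing handler for a notification event is an error or a warning
+#error_on_missing_handler = True
+
+# Default timeout for connection plugins
+#timeout = 10
+
+# Default user to use for playbooks if user is not specified
+# Uses the connection plugin's default, normally the user currently executing Ansible,
+# unless a different user is specified here.
+#
+remote_user = lukasz
+
+# Logging is off by default unless this path is defined.
+log_path = /home/lukasz/progi/ansible/var/ansible.log
+
+# Default module to use when running ad-hoc commands
+#module_name = command
+
+# Use this shell for commands executed under sudo.
+# you may need to change this to /bin/bash in rare instances
+# if sudo is constrained.
+#
+#executable = /bin/sh
+
+# By default, variables from roles will be visible in the global variable
+# scope. To prevent this, set the following option to True, and only
+# tasks and handlers within the role will see the variables there
+#
+#private_role_vars = False
+
+# List any Jinja2 extensions to enable here.
+#jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n
+
+# If set, always use this private key file for authentication, same as
+# if passing --private-key to ansible or ansible-playbook
+#
+#private_key_file = /path/to/file
+
+# If set, configures the path to the Vault password file as an alternative to
+# specifying --vault-password-file on the command line. This can also be
+# an executable script that returns the vault password to stdout.
+#
+#vault_password_file = /path/to/vault_password_file
+
+# Format of string {{ ansible_managed }} available within Jinja2
+# templates indicates to users editing templates files will be replaced.
+# replacing {file}, {host} and {uid} and strftime codes with proper values.
+#
+#ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
+
+# {file}, {host}, {uid}, and the timestamp can all interfere with idempotence
+# in some situations so the default is a static string:
+#
+#ansible_managed = Ansible managed
+
+# By default, ansible-playbook will display "Skipping [host]" if it determines a task
+# should not be run on a host. Set this to "False" if you don't want to see these "Skipping"
+# messages. NOTE: the task header will still be shown regardless of whether or not the
+# task is skipped.
+#
+#display_skipped_hosts = True
+
+# By default, if a task in a playbook does not include a name: field then
+# ansible-playbook will construct a header that includes the task's action but
+# not the task's args. This is a security feature because ansible cannot know
+# if the *module* considers an argument to be no_log at the time that the
+# header is printed. If your environment doesn't have a problem securing
+# stdout from ansible-playbook (or you have manually specified no_log in your
+# playbook on all of the tasks where you have secret information) then you can
+# safely set this to True to get more informative messages.
+#
+#display_args_to_stdout = False
+
+# Ansible will raise errors when attempting to dereference
+# Jinja2 variables that are not set in templates or action lines. Uncomment this line
+# to change this behavior.
+#
+#error_on_undefined_vars = False
+
+# Ansible may display warnings based on the configuration of the
+# system running ansible itself. This may include warnings about 3rd party packages or
+# other conditions that should be resolved if possible.
+# To disable these warnings, set the following value to False:
+#
+#system_warnings = False
+
+# Ansible may display deprecation warnings for language
+# features that should no longer be used and will be removed in future versions.
+# To disable these warnings, set the following value to False:
+#
+#deprecation_warnings = False
+
+# Ansible can optionally warn when usage of the shell and
+# command module appear to be simplified by using a default Ansible module
+# instead. These warnings can be silenced by adjusting the following
+# setting or adding warn=yes or warn=no to the end of the command line
+# parameter string. This will for example suggest using the git module
+# instead of shelling out to the git command.
+#
+#command_warnings = False
+
+
+# set plugin path directories here, separate with colons
+#action_plugins     = /usr/share/ansible/plugins/action
+#become_plugins     = /usr/share/ansible/plugins/become
+#cache_plugins      = /usr/share/ansible/plugins/cache
+#callback_plugins   = /usr/share/ansible/plugins/callback
+#connection_plugins = /usr/share/ansible/plugins/connection
+#lookup_plugins     = /usr/share/ansible/plugins/lookup
+#inventory_plugins  = /usr/share/ansible/plugins/inventory
+#vars_plugins       = /usr/share/ansible/plugins/vars
+#filter_plugins     = /usr/share/ansible/plugins/filter
+#test_plugins       = /usr/share/ansible/plugins/test
+#terminal_plugins   = /usr/share/ansible/plugins/terminal
+#strategy_plugins   = /usr/share/ansible/plugins/strategy
+
+
+# Ansible will use the 'linear' strategy but you may want to try another one.
+#strategy = linear
+
+# By default, callbacks are not loaded for /bin/ansible. Enable this if you
+# want, for example, a notification or logging callback to also apply to
+# /bin/ansible runs
+#
+#bin_ansible_callbacks = False
+
+
+# Don't like cows?  that's unfortunate.
+# set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1
+#nocows = 1
+
+# Set which cowsay stencil you'd like to use by default. When set to 'random',
+# a random stencil will be selected for each task. The selection will be filtered
+# against the `cow_whitelist` option below.
+#
+#cow_selection = default
+#cow_selection = random
+
+# When using the 'random' option for cowsay, stencils will be restricted to this list.
+# it should be formatted as a comma-separated list with no spaces between names.
+# NOTE: line continuations here are for formatting purposes only, as the INI parser
+#       in python does not support them.
+#
+#cow_whitelist=bud-frogs,bunny,cheese,daemon,default,dragon,elephant-in-snake,elephant,eyes,\
+#              hellokitty,kitty,luke-koala,meow,milk,moofasa,moose,ren,sheep,small,stegosaurus,\
+#              stimpy,supermilker,three-eyes,turkey,turtle,tux,udder,vader-koala,vader,www
+
+# Don't like colors either?
+# set to 1 if you don't want colors, or export ANSIBLE_NOCOLOR=1
+#
+#nocolor = 1
+
+# If set to a persistent type (not 'memory', for example 'redis') fact values
+# from previous runs in Ansible will be stored. This may be useful when
+# wanting to use, for example, IP information from one group of servers
+# without having to talk to them in the same playbook run to get their
+# current IP information.
+#
+#fact_caching = memory
+
+# This option tells Ansible where to cache facts. The value is plugin dependent.
+# For the jsonfile plugin, it should be a path to a local directory.
+# For the redis plugin, the value is a host:port:database triplet: fact_caching_connection = localhost:6379:0
+#
+#fact_caching_connection=/tmp
+
+# retry files
+# When a playbook fails a .retry file can be created that will be placed in ~/
+# You can enable this feature by setting retry_files_enabled to True
+# and you can change the location of the files by setting retry_files_save_path
+#
+#retry_files_enabled = False
+#retry_files_save_path = ~/.ansible-retry
+
+# prevents logging of task data, off by default
+#no_log = False
+
+# prevents logging of tasks, but only on the targets, data is still logged on the master/controller
+#no_target_syslog = False
+
+# Controls whether Ansible will raise an error or warning if a task has no
+# choice but to create world readable temporary files to execute a module on
+# the remote machine. This option is False by default for security. Users may
+# turn this on to have behaviour more like Ansible prior to 2.1.x. See
+# https://docs.ansible.com/ansible/latest/user_guide/become.html#becoming-an-unprivileged-user
+# for more secure ways to fix this than enabling this option.
+#
+#allow_world_readable_tmpfiles = False
+
+# Controls what compression method is used for new-style ansible modules when
+# they are sent to the remote system. The compression types depend on having
+# support compiled into both the controller's python and the client's python.
+# The names should match with the python Zipfile compression types:
+# * ZIP_STORED (no compression. available everywhere)
+# * ZIP_DEFLATED (uses zlib, the default)
+# These values may be set per host via the ansible_module_compression inventory variable.
+#
+#module_compression = 'ZIP_DEFLATED'
+
+# This controls the cutoff point (in bytes) on --diff for files
+# set to 0 for unlimited (RAM may suffer!).
+#
+#max_diff_size = 104448
+
+# Controls showing custom stats at the end, off by default
+#show_custom_stats = False
+
+# Controls which files to ignore when using a directory as inventory with
+# possibly multiple sources (both static and dynamic)
+#
+#inventory_ignore_extensions = ~, .orig, .bak, .ini, .cfg, .retry, .pyc, .pyo
+
+# This family of modules use an alternative execution path optimized for network appliances
+# only update this setting if you know how this works, otherwise it can break module execution
+#
+#network_group_modules=eos, nxos, ios, iosxr, junos, vyos
+
+# When enabled, this option allows lookups (via variables like {{lookup('foo')}} or when used as
+# a loop with `with_foo`) to return data that is not marked "unsafe". This means the data may contain
+# jinja2 templating language which will be run through the templating engine.
+# ENABLING THIS COULD BE A SECURITY RISK
+#
+#allow_unsafe_lookups = False
+
+# set default errors for all plays
+#any_errors_fatal = False
+
+
+[inventory]
+# List of enabled inventory plugins and the order in which they are used.
+#enable_plugins = host_list, script, auto, yaml, ini, toml
+
+# Ignore these extensions when parsing a directory as inventory source
+#ignore_extensions = .pyc, .pyo, .swp, .bak, ~, .rpm, .md, .txt, ~, .orig, .ini, .cfg, .retry
+
+# ignore files matching these patterns when parsing a directory as inventory source
+#ignore_patterns=
+
+# If 'True' unparsed inventory sources become fatal errors, otherwise they are warnings.
+#unparsed_is_failed = False
+
+
+[privilege_escalation]
+become = True
+become_method = sudo
+become_ask_pass = False
+
+
+## Connection Plugins ##
+
+# Settings for each connection plugin go under a section titled '[[plugin_name]_connection]'
+# To view available connection plugins, run ansible-doc -t connection -l
+# To view available options for a connection plugin, run ansible-doc -t connection [plugin_name]
+# https://docs.ansible.com/ansible/latest/plugins/connection.html
+
+[paramiko_connection]
+# uncomment this line to cause the paramiko connection plugin to not record new host
+# keys encountered. Increases performance on new host additions. Setting works independently of the
+# host key checking setting above.
+#record_host_keys=False
+
+# by default, Ansible requests a pseudo-terminal for commands executed under sudo. Uncomment this
+# line to disable this behaviour.
+#pty = False
+
+# paramiko will default to looking for SSH keys initially when trying to
+# authenticate to remote devices. This is a problem for some network devices
+# that close the connection after a key failure. Uncomment this line to
+# disable the Paramiko look for keys function
+#look_for_keys = False
+
+# When using persistent connections with Paramiko, the connection runs in a
+# background process. If the host doesn't already have a valid SSH key, by
+# default Ansible will prompt to add the host key. This will cause connections
+# running in background processes to fail. Uncomment this line to have
+# Paramiko automatically add host keys.
+#host_key_auto_add = True
+
+
+[ssh_connection]
+# ssh arguments to use
+# Leaving off ControlPersist will result in poor performance, so use
+# paramiko on older platforms rather than removing it, -C controls compression use
+#ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s
+
+# The base directory for the ControlPath sockets.
+# This is the "%(directory)s" in the control_path option
+#
+# Example:
+# control_path_dir = /tmp/.ansible/cp
+#control_path_dir = ~/.ansible/cp
+
+# The path to use for the ControlPath sockets. This defaults to a hashed string of the hostname,
+# port and username (empty string in the config). The hash mitigates a common problem users
+# found with long hostnames and the conventional %(directory)s/ansible-ssh-%%h-%%p-%%r format.
+# In those cases, a "too long for Unix domain socket" ssh error would occur.
+#
+# Example:
+# control_path = %(directory)s/%%C
+#control_path =
+
+# Enabling pipelining reduces the number of SSH operations required to
+# execute a module on the remote server. This can result in a significant
+# performance improvement when enabled, however when using "sudo:" you must
+# first disable 'requiretty' in /etc/sudoers
+#
+# By default, this option is disabled to preserve compatibility with
+# sudoers configurations that have requiretty (the default on many distros).
+#
+#pipelining = False
+
+# Control the mechanism for transferring files (old)
+#   * smart = try sftp and then try scp [default]
+#   * True = use scp only
+#   * False = use sftp only
+#scp_if_ssh = smart
+
+# Control the mechanism for transferring files (new)
+# If set, this will override the scp_if_ssh option
+#   * sftp  = use sftp to transfer files
+#   * scp   = use scp to transfer files
+#   * piped = use 'dd' over SSH to transfer files
+#   * smart = try sftp, scp, and piped, in that order [default]
+#transfer_method = smart
+
+# If False, sftp will not use batch mode to transfer files. This may cause some
+# types of file transfer failures impossible to catch however, and should
+# only be disabled if your sftp version has problems with batch mode
+#sftp_batch_mode = False
+
+# The -tt argument is passed to ssh when pipelining is not enabled because sudo
+# requires a tty by default.
+#usetty = True
+
+# Number of times to retry an SSH connection to a host, in case of UNREACHABLE.
+# For each retry attempt, there is an exponential backoff,
+# so after the first attempt there is 1s wait, then 2s, 4s etc. up to 30s (max).
+#retries = 3
+
+
+[persistent_connection]
+# Configures the persistent connection timeout value in seconds. This value is
+# how long the persistent connection will remain idle before it is destroyed.
+# If the connection doesn't receive a request before the timeout value
+# expires, the connection is shutdown. The default value is 30 seconds.
+#connect_timeout = 30
+
+# The command timeout value defines the amount of time to wait for a command
+# or RPC call before timing out. The value for the command timeout must
+# be less than the value of the persistent connection idle timeout (connect_timeout)
+# The default value is 30 second.
+#command_timeout = 30
+
+
+## Become Plugins ##
+
+# Settings for become plugins go under a section named '[[plugin_name]_become_plugin]'
+# To view available become plugins, run ansible-doc -t become -l
+# To view available options for a specific plugin, run ansible-doc -t become [plugin_name]
+# https://docs.ansible.com/ansible/latest/plugins/become.html
+
+[sudo_become_plugin]
+#flags = -H -S -n
+#user = root
+
+
+[selinux]
+# file systems that require special treatment when dealing with security context
+# the default behaviour that copies the existing context or uses the user default
+# needs to be changed to use the file system dependent context.
+#special_context_filesystems=fuse,nfs,vboxsf,ramfs,9p,vfat
+
+# Set this to True to allow libvirt_lxc connections to work without SELinux.
+#libvirt_lxc_noseclabel = False
+
+
+[colors]
+#highlight = white
+#verbose = blue
+#warn = bright purple
+#error = red
+#debug = dark gray
+#deprecate = purple
+#skip = cyan
+#unreachable = red
+#ok = green
+#changed = yellow
+#diff_add = green
+#diff_remove = red
+#diff_lines = cyan
+
+
+[diff]
+# Always print diff when running ( same as always running with -D/--diff )
+#always = False
+
+# Set how many context lines to show in diff
+#context = 3
+
+[galaxy]
+# Controls whether the display wheel is shown or not
+#display_progress=
+
+# Validate TLS certificates for Galaxy server
+#ignore_certs = False
+
+# Role or collection skeleton directory to use as a template for
+# the init action in ansible-galaxy command
+#role_skeleton=
+
+# Patterns of files to ignore inside a Galaxy role or collection
+# skeleton directory
+#role_skeleton_ignore="^.git$", "^.*/.git_keep$"
+
+# Galaxy Server URL
+#server=https://galaxy.ansible.com
+
+# A list of Galaxy servers to use when installing a collection.
+#server_list=automation_hub, release_galaxy
+
+# Server specific details which are mentioned in server_list
+#[galaxy_server.automation_hub]
+#url=https://cloud.redhat.com/api/automation-hub/
+#auth_url=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
+#token=my_ah_token
+#
+#[galaxy_server.release_galaxy]
+#url=https://galaxy.ansible.com/
+#token=my_token
+
+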
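Review bot: `become = True` together with `become_ask_pass = False` in `[privilege_escalation]` makes every play and every ad-hoc `ansible` run escalate to root by default, and it presumes passwordless sudo for `remote_user = lukasz` on every managed host; that is a broad standing privilege, and scoping `become` to the plays that need it (leaving the global default unset) keeps routine runs unprivileged. `log_path = /home/lukasz/progi/ansible/var/ansible.log` at line 112 records full module output on the controller, so any task that handles credentials needs `no_log: true` or those values end up in that file. A short comment above `[privilege_escalation]` stating both assumptions, e.g. `# requires NOPASSWD sudo for remote_user on all hosts; tasks handling secrets must set no_log`, would make the contract visible to the next reader. The absolute home-directory paths for `inventory` and `log_path` also tie the file to one workstation, where the `~/`-style paths the commented defaults use would travel with the repository.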
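--- /dev/null
+++ b/<PATH-NOT-SHOWN-2>
@@ -0,0 +1,27 @@
+---
+- name: Upgrade apt cache
+  import_playbook: "helpers/apt_cache_update.yaml"
+
+- name: Setup basic packages
+  import_playbook: "helpers/install_basic_packages.yaml"
+
+- name: Setup tools for physical hosts
+  import_playbook: "helpers/install_tools_for_bare_metal.yaml"
+  when: "'virtual' not in group_names and 'raspberrypi' not in group_names"
+
+- name: Setup Nginx
+  import_playbook: "helpers/nginx_base_setup.yaml"
+  when: "'www' in group_names"
+
+- name: Setup Apache
+  import_playbook: "helpers/apache_base_setup.yaml"
+  when: "'www_apache' in group_names"
+
+- name: Setup MariaDB
+  import_playbook: "helpers/mariadb_base_setup.yaml"
+  when: "'database' in group_names"
+
+- name: Setup VM tools
+  import_playbook: "helpers/install_vm_basic_tools.yaml"
+  when: "'virtual' in group_names"
+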
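Review bot: The `when` guards on the Nginx and Apache imports are not mutually exclusive, so a host that is in both `www` and `www_apache` gets both `helpers/nginx_base_setup.yaml` and `helpers/apache_base_setup.yaml` applied; if that is not intended, `when: "'www' in group_names and 'www_apache' not in group_names"` on the Nginx import (or a matching guard on the Apache one) makes the exclusivity explicit. This is inferred from the group names only, since the helper playbooks are not on the page. A header comment listing the inventory groups this file depends on (`virtual`, `raspberrypi`, `www`, `www_apache`, `database`) would help, as they are defined elsewhere.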
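--- /dev/null
+++ b/<PATH-NOT-SHOWN-3>
@@ -0,0 +1,18 @@
+---
+- name: Send status on IRC
+  hosts: outpost.ping.local
+
+  tasks:
+
+  - name: Check failed tasks
+    command: '/usr/bin/bash /home/lukasz/progi/ansible/helpers/check_failed.sh'
+    register: fails
+
+  - name: Send a report to a linuxlab channel
+    irc:
+      server: irc.freenode.net
+      port: 6667
+      nick: raport
+      channel: '#linuxlab-pw'
+      msg: "[ANSIBLE] Todays failed tasks: {{ fails['stdout_lines'][0] }}."
+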
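Review bot: `fails['stdout_lines'][0]` in the last task fails with an undefined-variable error whenever `check_failed.sh` prints nothing, which is precisely the "no failures" case, so the report play breaks on good days; `msg: "[ANSIBLE] Todays failed tasks: {{ fails.stdout_lines | first | default('none') }}."` handles empty output. The `irc` task talks to port 6667 in plaintext, so the report, which names failed tasks and hosts, crosses the network unencrypted; the module's `use_ssl` option with the server's TLS port avoids that, assuming the server offers TLS. The `command` task runs the script on the managed host `outpost.ping.local`, so the script must exist there at that absolute controller-style path; if it actually lives on the controller, `script:` or `delegate_to: localhost` is the intended form.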
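--- /dev/null
+++ b/<PATH-NOT-SHOWN-4>
@@ -0,0 +1,11 @@
+---
+- import_playbook: system_upgrade.yaml
+- import_playbook: setup_users.yaml
+- import_playbook: set_bashrc.yaml
+- import_playbook: set_vim.yaml
+- import_playbook: local_bin_files.yaml
+- import_playbook: firewall_configuration.yaml
+- import_playbook: journal_basic_setup.yaml
+- import_playbook: basic_host_role_setup.yaml
+- import_playbook: disable_unused_services.yaml
+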
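--- /dev/null
+++ b/<PATH-NOT-SHOWN-5>
@@ -0,0 +1,18 @@
+---
+- name: Setup vhosts on DenOfPython
+  hosts: python-cave.ping.local
+
+  tasks:
+
+  - include: helpers/nginx_base_setup.yaml
+
+  - name: Ensure that databases and users exists
+    include_tasks: helpers/mariadb_db_add.yaml
+    loop:
+    - {dbname: "001", password: "*A8AC9DD9636B33B18132578A39720BBC3827E261"}
+
+  - name: Ensure that databases and users do not exist
+    include_tasks: helpers/mariadb_db_remove.yaml
+    loop:
+    - {dbname: "000"}
+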
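Review bot: The `password:` value on line 12 is a MySQL native-password hash committed in the clear; a hash of this form is subject to offline guessing and is readable by everyone with access to the repository, so it belongs in an Ansible Vault-encrypted variable, e.g. `password: "{{ vault_db_001_password }}"`, with the task that consumes it marked `no_log: true`. `- include: helpers/nginx_base_setup.yaml` on line 7 also looks wrong: the same file is pulled in with `import_playbook` in the site playbook, which makes it a playbook rather than a task list, and the deprecated `include` under `tasks:` expects a task file; either a separate `import_playbook` play or `import_tasks` of a real task file would be the fix. The helper files are not on the page, so this is inferred from how the file is used elsewhere in the commit.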
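--- /dev/null
+++ b/<PATH-NOT-SHOWN-6>
@@ -0,0 +1,54 @@
+---
+- name: Disable unused services
+  hosts: all
+
+  tasks:
+
+  - name: Check installed packages
+    package_facts:
+      manager: "auto"
+    when: ansible_os_family == 'RedHat' or ansible_os_family == 'Debian' or ansible_os_family == 'Suse'
+  
+  - name: Ensure that Nginx is stopped and disabled in systemd
+    systemd:
+      name: nginx
+      state: stopped
+      enabled: no
+      masked: yes
+    when: (ansible_os_family == 'RedHat' or ansible_os_family == 'Debian' or ansible_os_family == 'Suse') and
+          'www' not in group_names and
+          'nginx' in ansible_facts.packages
+  
+  - name: Ensure that Apache is stopped and disabled in systemd on Debian-like and Suse hosts
+    systemd:
+      name: apache2
+      state: stopped
+      enabled: no
+      masked: yes
+    when: (ansible_os_family == 'Debian' or ansible_os_family == 'Suse') and
+          'www_apache' not in group_names and
+          'apache2' in ansible_facts.packages
+
+  - name: Ensure that Apache is stopped and disabled in systemd on Redhat-like hosts
+    systemd:
+      name: httpd
+      state: stopped
+      enabled: no
+      masked: yes
+    when: ansible_os_family == 'RedHat' and
+          'www_apache' not in group_names and
+          'httpd' in ansible_facts.packages
+
+  - name: Disable access for vhosts
+    file:
+      path: /var/www
+      state: directory
+      owner: root
+      group: root
+      mode: '750'
+    when: ((ansible_os_family == 'RedHat') or (ansible_os_family == 'Debian') or (ansible_os_family == 'Suse')) and
+          (not (('www' in group_names) or ('www_apache' in group_names))) and
+          ('nginx' in ansible_facts.packages or
+          'apache2' in ansible_facts.packages or
+          'httpd' in ansible_facts.packages)
+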
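Review bot: The supported-family test is spelled out four times in the `when` clauses, each slightly differently (with and without per-term parentheses), which is easy to let drift when a family is added; `ansible_os_family in ['RedHat', 'Debian', 'Suse']` reads the same in every place and could be set once as a play-level `vars:` entry. The later tasks only avoid an undefined `ansible_facts.packages` because their guard repeats the condition under which `package_facts` ran, so a comment on the first task, `# later tasks read ansible_facts.packages and must keep the same when-guard`, would keep the two in step. Lines 11 and 21 contain only whitespace, which yamllint/ansible-lint flag.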
new file mode 100644
... ...
@@ -0,0 +1,172 @@
1
+---
2
+- import_playbook: helpers/firewall_basic_setup.yaml
3
+
4
+
5
+- name: Configure firewall
6
+  hosts: outpost.ping.local, union.ping.local, dropshuttle.ping.local, malinka.ping.local, jezynka.ping.local, potemkin.ping.local, python-cave.ping.local, rawhide.ping.local, strategie.ping.local, stream.ping.local, ubuntu2004test.ping.local, centos8test.ping.local, fedora33test.ping.local, leap15test.ping.local
7
+
8
+
9
+  tasks:
10
+
11
+# ------------------------------------------------------
12
+# ---------------- SSH ---------------------------------
13
+# ------------------------------------------------------
14
+
15
+  - name: Open ports on all hosts.
16
+    include_tasks: helpers/firewall_open.yaml
17
+    loop:
18
+    - {service_firewalld: ssh, zone: home, service_ufw: OpenSSH, source: 192.168.111.0/24, proto: tcp, comment: Remote shell}
19
+
20
+  - name: Close ports on all hosts.
21
+    include_tasks: helpers/firewall_close.yaml
22
+    loop:
23
+    - {service_firewalld: ssh, zone: public}
24
+    - {service_firewalld: samba-client, zone: home}
25
+    - {service_firewalld: mdns, zone: home}
26
+    - {service_firewalld: cockpit, zone: home}
27
+    - {service_firewalld: cockpit, zone: public}
28
+
29
+# ------------------------------------------------------
30
+# ---------------- Samba -------------------------------
31
+# ------------------------------------------------------
32
+
33
+  - name: Open ports for Samba.
34
+    include_tasks: helpers/firewall_open.yaml
35
+    loop:
36
+    - {port_firewalld: 445/tcp, zone: home, port_ufw: 445, source: 192.168.111.0/24, proto: tcp, comment: Samba}
37
+    - {port_firewalld: 445/udp, zone: home, port_ufw: 445, source: 192.168.111.0/24, proto: udp, comment: Samba}
38
+    - {port_firewalld: 137/tcp, zone: home, port_ufw: 137, source: 192.168.111.0/24, proto: tcp, comment: Samba}
39
+    - {port_firewalld: 138/tcp, zone: home, port_ufw: 138, source: 192.168.111.0/24, proto: tcp, comment: Samba}
40
+    - {port_firewalld: 139/tcp, zone: home, port_ufw: 139, source: 192.168.111.0/24, proto: tcp, comment: Samba}
41
+    when: "'samba' in group_names"
42
+
43
+  - name: Delete rules, which are blocking access to Samba.
44
+    include_tasks: helpers/firewall_delete_deny.yaml
45
+    loop:
46
+    - {port_firewalld: 445/tcp, zone: home, port_ufw: 445, source: 192.168.111.0/24, proto: tcp, comment: Samba}
47
+    - {port_firewalld: 445/tcp, zone: home, port_ufw: 445, source: 0.0.0.0/0, proto: tcp, comment: Samba}
48
+    - {port_firewalld: 445/udp, zone: home, port_ufw: 445, source: 192.168.111.0/24, proto: udp, comment: Samba}
49
+    - {port_firewalld: 445/udp, zone: home, port_ufw: 445, source: 0.0.0.0/0, proto: udp, comment: Samba}
50
+    - {port_firewalld: 137/tcp, zone: home, port_ufw: 137, source: 192.168.111.0/24, proto: tcp, comment: Samba}
51
+    - {port_firewalld: 137/tcp, zone: home, port_ufw: 137, source: 0.0.0.0/0, proto: tcp, comment: Samba}
52
+    - {port_firewalld: 138/tcp, zone: home, port_ufw: 138, source: 192.168.111.0/24, proto: tcp, comment: Samba}
53
+    - {port_firewalld: 138/tcp, zone: home, port_ufw: 138, source: 0.0.0.0/0, proto: tcp, comment: Samba}
54
+    - {port_firewalld: 139/tcp, zone: home, port_ufw: 139, source: 192.168.111.0/24, proto: tcp, comment: Samba}
55
+    - {port_firewalld: 139/tcp, zone: home, port_ufw: 139, source: 0.0.0.0/0, proto: tcp, comment: Samba}
56
+    when: "'samba' in group_names"
57
+
58
+  - name: Close ports for Samba.
59
+    include_tasks: helpers/firewall_close.yaml
60
+    loop:
61
+    - {port_firewalld: 445/tcp, zone: home, port_ufw: 445, source: 192.168.111.0/24, proto: tcp, comment: Samba}
62
+    - {port_firewalld: 445/tcp, zone: public, port_ufw: 445, source: 0.0.0.0/0, proto: tcp, comment: Samba}
63
+    - {port_firewalld: 445/udp, zone: home, port_ufw: 445, source: 192.168.111.0/24, proto: udp, comment: Samba}
64
+    - {port_firewalld: 445/udp, zone: public, port_ufw: 445, source: 0.0.0.0/0, proto: udp, comment: Samba}
65
+    - {port_firewalld: 137/tcp, zone: home, port_ufw: 137, source: 192.168.111.0/24, proto: tcp, comment: Samba}
66
+    - {port_firewalld: 137/tcp, zone: public, port_ufw: 137, source: 0.0.0.0/0, proto: tcp, comment: Samba}
67
+    - {port_firewalld: 138/tcp, zone: home, port_ufw: 138, source: 192.168.111.0/24, proto: tcp, comment: Samba}
68
+    - {port_firewalld: 138/tcp, zone: public, port_ufw: 138, source: 0.0.0.0/0, proto: tcp, comment: Samba}
69
+    - {port_firewalld: 139/tcp, zone: home, port_ufw: 139, source: 192.168.111.0/24, proto: tcp, comment: Samba}
70
+    - {port_firewalld: 139/tcp, zone: public, port_ufw: 139, source: 0.0.0.0/0, proto: tcp, comment: Samba}
71
+    when: "'samba' not in group_names"
72
+
73
+# ------------------------------------------------------
74
+# ---------------- DNS, Pi-hole ------------------------
75
+# ------------------------------------------------------
76
+
77
+  - name: Open ports for DNS server.
78
+    include_tasks: helpers/firewall_open.yaml
79
+    loop:
80
+    - {port_firewalld: 53/tcp, zone: home, port_ufw: 53, source: 192.168.111.0/24, proto: tcp, comment: Pi-hole}
81
+    - {port_firewalld: 53/tcp, zone: home, port_ufw: 53, source: 192.168.111.0/24, proto: tcp, comment: Pi-hole}
82
+    - {port_firewalld: 53/udp, zone: home, port_ufw: 53, source: 192.168.111.0/24, proto: udp, comment: Pi-hole}
83
+    - {port_firewalld: 67/udp, zone: home, port_ufw: 67, source: 192.168.111.0/24, proto: udp, comment: Pi-hole}
84
+    - {port_firewalld: 4711/tcp, zone: home, port_ufw: 4711, source: 192.168.111.0/24, proto: tcp, comment: Pi-hole}
85
+    when: "'pihole' in group_names"
86
+
87
+  - name: Delete rules, which are blocking access DNS server.
88
+    include_tasks: helpers/firewall_delete_deny.yaml
89
+    loop:
90
+    - {port_firewalld: 53/tcp, zone: home, port_ufw: 53, source: 192.168.111.0/24, proto: tcp, comment: Pi-hole}
91
+    - {port_firewalld: 53/tcp, zone: home, port_ufw: 53, source: 0.0.0.0/0, proto: tcp, comment: Pi-hole}
92
+    - {port_firewalld: 53/tcp, zone: home, port_ufw: 53, source: 192.168.111.0/24, proto: tcp, comment: Pi-hole}
93
+    - {port_firewalld: 53/tcp, zone: home, port_ufw: 53, source: 0.0.0.0/0, proto: tcp, comment: Pi-hole}
94
+    - {port_firewalld: 53/udp, zone: home, port_ufw: 53, source: 192.168.111.0/24, proto: udp, comment: Pi-hole}
95
+    - {port_firewalld: 53/udp, zone: home, port_ufw: 53, source: 0.0.0.0/0, proto: udp, comment: Pi-hole}
96
+    - {port_firewalld: 67/udp, zone: home, port_ufw: 67, source: 192.168.111.0/24, proto: udp, comment: Pi-hole}
97
+    - {port_firewalld: 67/udp, zone: home, port_ufw: 67, source: 0.0.0.0/0, proto: udp, comment: Pi-hole}
98
+    - {port_firewalld: 4711/tcp, zone: home, port_ufw: 4711, source: 192.168.111.0/24, proto: tcp, comment: Pi-hole}
99
+    - {port_firewalld: 4711/tcp, zone: home, port_ufw: 4711, source: 0.0.0.0/0, proto: tcp, comment: Pi-hole}
100
+    when: "'pihole' in group_names"
101
+
102
+  - name: Close ports for DNS server.
103
+    include_tasks: helpers/firewall_close.yaml
104
+    loop:
105
+    - {port_firewalld: 53/tcp, zone: home, port_ufw: 53, source: 192.168.111.0/24, proto: tcp, comment: Pi-hole}
106
+    - {port_firewalld: 53/tcp, zone: public, port_ufw: 53, source: 0.0.0.0/0, proto: tcp, comment: Pi-hole}
107
+    - {port_firewalld: 53/udp, zone: home, port_ufw: 53, source: 192.168.111.0/24, proto: udp, comment: Pi-hole}
108
+    - {port_firewalld: 53/udp, zone: public, port_ufw: 53, source: 0.0.0.0/0, proto: udp, comment: Pi-hole}
109
+    - {port_firewalld: 67/udp, zone: home, port_ufw: 67, source: 192.168.111.0/24, proto: udp, comment: Pi-hole}
110
+    - {port_firewalld: 67/udp, zone: public, port_ufw: 67, source: 0.0.0.0/0, proto: udp, comment: Pi-hole}
111
+    - {port_firewalld: 4711/tcp, zone: home, port_ufw: 4711, source: 192.168.111.0/24, proto: tcp, comment: Pi-hole}
112
+    - {port_firewalld: 4711/tcp, zone: public, port_ufw: 4711, source: 0.0.0.0/0, proto: tcp, comment: Pi-hole}
113
+    when: "'pihole' not in group_names"
114
+
115
+# ------------------------------------------------------
116
+# ---------------- HTTP(S) -----------------------------
117
+# ------------------------------------------------------
118
+  
119
+  - name: Open ports for http.
120
+    include_tasks: helpers/firewall_open.yaml
121
+    loop:
122
+    - {port_firewalld: 80/tcp, zone: home, port_ufw: 80, source: 192.168.111.0/24, proto: tcp, comment: WWW}
123
+    when: ('www' in group_names) or
124
+          ('www_apache' in group_names) or
125
+          ('pihole' in group_names)
126
+
127
+  - name: Open ports for https.
128
+    include_tasks: helpers/firewall_open.yaml
129
+    loop:
130
+    - {port_firewalld: 443/tcp, zone: home, port_ufw: 443, source: 192.168.111.0/24, proto: tcp, comment: WWW}
131
+    when: ('www' in group_names) or 
132
+          ('www_apache' in group_names)
133
+
134
+  - name: Close http access.
135
+    include_tasks: helpers/firewall_close.yaml
136
+    loop:
137
+    - {port_firewalld: 80/tcp, zone: home, port_ufw: 80, source: 192.168.111.0/24, proto: tcp, comment: WWW}
138
+    - {port_firewalld: 80/tcp, zone: public, port_ufw: 80, source: 0.0.0.0/0, proto: tcp, comment: WWW}
139
+    when: not (('www' in group_names) or
140
+               ('pihole' in group_names) or
141
+               ('www_apache' in group_names))
142
+
143
+  - name: Close https access.
144
+    include_tasks: helpers/firewall_close.yaml
145
+    loop:
146
+    - {port_firewalld: 443/tcp, zone: home, port_ufw: 443, source: 192.168.111.0/24, proto: tcp, comment: WWW}
147
+    - {port_firewalld: 443/tcp, zone: public, port_ufw: 443, source: 0.0.0.0/0, proto: tcp, comment: WWW}
148
+    when: not (('www' in group_names) or
149
+               ('www_apache' in group_names))
150
+
151
+  - name: Delete rule blocking http.
152
+    include_tasks: helpers/firewall_delete_deny.yaml
153
+    loop:
154
+    - {port_firewalld: 80/tcp, zone: home, port_ufw: 80, source: 192.168.111.0/24, proto: tcp, comment: WWW}
155
+    - {port_firewalld: 80/tcp, zone: home, port_ufw: 80, source: 0.0.0.0/0, proto: tcp, comment: WWW}
156
+    when: ('www' in group_names) or
157
+          ('www_apache' in group_names) or
158
+          ('pihole' in group_names)
159
+
160
+  - name: Delete rule blocking https.
161
+    include_tasks: helpers/firewall_delete_deny.yaml
162
+    loop:
163
+    - {port_firewalld: 443/tcp, zone: home, port_ufw: 443, source: 192.168.111.0/24, proto: tcp, comment: WWW}
164
+    - {port_firewalld: 443/tcp, zone: home, port_ufw: 443, source: 0.0.0.0/0, proto: tcp, comment: WWW}
165
+    when: ('www' in group_names) or 
166
+          ('www_apache' in group_names)
167
+  
168
+  handlers:
169
+  
170
+  - name: Reload firewall
171
+    raw: firewall-cmd --reload
172
+
0 173
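Review bot: The `Open ports for DNS server` loop lists the `53/tcp` item twice, and `Delete rules, which are blocking access DNS server` repeats both of its 53/tcp entries, so the included task file runs extra iterations with identical arguments on every Pi-hole host; drop the duplicate lines. The `hosts:` line enumerates fourteen FQDNs by hand and the same list is repeated verbatim in the firewall helper playbooks, so an inventory group (e.g. a constructed `firewalled` group) would keep the copies from diverging. The `Reload firewall` handler runs `firewall-cmd` unconditionally; it is only notified from the firewalld branches of the helpers today, and a `when: ansible_os_family in ['RedHat', 'Suse']` on the handler would make that assumption explicit instead of implicit.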
new file mode 100644
@@ -0,0 +1,67 @@
1
+--- 
2
+- import_playbook: apt_cache_update.yaml
3
+
4
+- name: Basic setup of Apache web server
5
+  hosts: all
6
+
7
+
8
+  tasks:
9
+
10
+  - name: Ensure that Apache in installed on Redhat-like hosts
11
+    dnf:
12
+      name:
13
+      - httpd
14
+      - mod_ssl
15
+      state: latest
16
+    when: ansible_os_family == 'RedHat'
17
+  
18
+  - name: Ensure that Nginx in installed on Debian-like hosts
19
+    apt:
20
+      pkg:
21
+      - apache2
22
+      - libapache2-mpm-itk
23
+    when: ansible_os_family == 'Debian'
24
+  
25
+  - name: Ensure that Nginx in installed on Suse hosts
26
+    zypper:
27
+      pkg:
28
+      - apache2
29
+      state: present
30
+    when: ansible_os_family == 'Suse'
31
+
32
+  - name: Ensure that Apache is running and enabled in systemd
33
+    systemd:
34
+      state: started
35
+      name: httpd
36
+      enabled: yes
37
+      masked: no
38
+    when: ansible_os_family == 'RedHat'
39
+  
40
+  - name: Ensure that Apache is running and enabled in systemd
41
+    systemd:
42
+      state: started
43
+      name: apache2
44
+      enabled: yes
45
+      masked: no
46
+    when: ansible_os_family == 'Debian' or ansible_os_family == 'Suse'
47
+
48
+  - name: Setup base directory for Apache vhosts
49
+    file:
50
+      path: /var/www
51
+      state: directory
52
+      owner: root
53
+      group: root
54
+      mode: '751'
55
+    when: ansible_os_family == 'RedHat' or ansible_os_family == 'Debian' or ansible_os_family == 'Suse'
56
+  
57
+  - name: Allow Apache to read files in webroot
58
+    sefcontext:
59
+      target: '/var/www(/.*)?'
60
+      setype: httpd_sys_content_t
61
+      state: present
62
+    when: ansible_os_family == 'RedHat'
63
+  
64
+  - name: Apply new SELinux file context to /var/www
65
+    command: restorecon -irv /var/www
66
+    when: ansible_os_family == 'RedHat'
67
+  
0 68
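Review bot: The task names `Ensure that Nginx in installed on Debian-like hosts` and `Ensure that Nginx in installed on Suse hosts` describe the wrong service — both install `apache2` — and all three install tasks say "in installed" where "is installed" is meant; rename them, e.g. `Ensure that Apache is installed on Debian-like hosts`. The RedHat task uses `state: latest`, which upgrades httpd and mod_ssl on every run, while the Suse task uses `present` and the apt task omits `state`; `present` throughout converges the same way without unplanned upgrades, and the same mix recurs in the basic-packages, bare-metal, VM-tools and Nginx playbooks below. `command: restorecon -irv /var/www` reports changed on every run; registering its output and deriving `changed_when` from it (with `-v` restorecon only prints lines for files it relabels) would make the play idempotent.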
new file mode 100644
@@ -0,0 +1,12 @@
1
+---
2
+- name: Apt cache updater
3
+  hosts: all
4
+
5
+  tasks:
6
+
7
+  - name: Update apt cache
8
+    apt:
9
+      update_cache: yes
10
+      cache_valid_time: 600
11
+    when: ansible_os_family == 'Debian'
12
+ 
0 13
new file mode 100644
@@ -0,0 +1,3 @@
1
+#!/usr/bin/bash
2
+cat /home/lukasz/progi/ansible/var/ansible.log | grep -E "^$(date "+%Y-%m-%d").*failed" | grep -Ev "failed\=0" | wc -l
3
+
0 4
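Review bot: The `cat | grep | grep | wc` pipeline can be a single expression, `grep -E "^$(date +%Y-%m-%d).*failed" /home/lukasz/progi/ansible/var/ansible.log | grep -vc 'failed=0'`, which also removes the `\=` escape — in POSIX ERE a backslash before `=` has undefined meaning and `=` needs no escaping. The script prints `0` and exits successfully when the log file is missing or unreadable, which a caller cannot distinguish from "no failures"; guard it first, e.g. `[ -r /home/lukasz/progi/ansible/var/ansible.log ] || exit 2`. `#!/usr/bin/bash` is less portable than `#!/usr/bin/env bash`.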
new file mode 100644
@@ -0,0 +1,42 @@
1
+---
2
+- name: Configure zones and networks in firewall
3
+  hosts: outpost.ping.local, union.ping.local, dropshuttle.ping.local, malinka.ping.local, jezynka.ping.local, potemkin.ping.local, python-cave.ping.local, rawhide.ping.local, strategie.ping.local, stream.ping.local, ubuntu2004test.ping.local, centos8test.ping.local, fedora33test.ping.local, leap15test.ping.local
4
+ 
5
+
6
+  tasks:
7
+
8
+  - name: Set public as default zone in Firewalld
9
+    raw: firewall-cmd --set-default-zone=public
10
+    when: ansible_os_family == 'RedHat' or ansible_os_family == 'Suse'
11
+    notify:
12
+    - Reload Firewalld
13
+
14
+  - name: Add home network to home zone in Firewalld
15
+    firewalld:
16
+      source: 192.168.111.0/24
17
+      zone: home
18
+      state: enabled
19
+      permanent: yes
20
+    when: ansible_os_family == 'RedHat' or ansible_os_family == 'Suse'
21
+    notify:
22
+    - Reload Firewalld
23
+
24
+  - name: Set up UFW configuration in /etc/default
25
+    copy:
26
+      src: ../templates/ufw_defaults
27
+      dest: /etc/default/ufw
28
+      owner: root
29
+      group: root
30
+      mode: '644'
31
+    when: ansible_os_family == 'Debian'
32
+    notify:
33
+    - Reload UFW
34
+
35
+  handlers:
36
+  
37
+  - name: Reload Firewalld
38
+    raw: firewall-cmd --reload
39
+
40
+  - name: Reload UFW
41
+    raw: ufw reload
42
+
0 43
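Review bot: `raw: firewall-cmd --set-default-zone=public` reports changed and notifies `Reload Firewalld` on every run, so the play never converges on RedHat/Suse hosts; use `command:` with `register:` and a `changed_when:` derived from the output (firewall-cmd answers differently when the zone is already the default — confirm the exact text on the target versions) so the reload only fires when the zone actually moved. `raw` also skips the module layer for no gain here, since the same play already uses the `firewalld` module. The `hosts:` line is the same fourteen-host enumeration as the other firewall playbooks; an inventory group would keep them in sync.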
new file mode 100644
@@ -0,0 +1,52 @@
1
+---
2
+- import_playbook: firewall_basic_setup.yaml
3
+
4
+- name: Clear all firewall rules, except for ssh and dns connections
5
+  hosts: outpost.ping.local, union.ping.local, dropshuttle.ping.local, malinka.ping.local, jezynka.ping.local, potemkin.ping.local, python-cave.ping.local, rawhide.ping.local, strategie.ping.local, stream.ping.local, ubuntu2004test.ping.local, centos8test.ping.local, fedora33test.ping.local, leap15test.ping.local
6
+
7
+  tasks:
8
+
9
+  - name: Clear rules for home zone in Firewalld
10
+    copy: 
11
+      src: ../templates/firewalld_home_zone.xml
12
+      dest: /etc/firewalld/zones/home.xml
13
+      owner: root
14
+      group: root
15
+      mode: 644
16
+    when: ansible_os_family == 'RedHat' or ansible_os_family == 'Suse'
17
+
18
+  - name: Clear rules for public zone in Firewalld
19
+    copy: 
20
+      src: ../templates/firewalld_public_zone.xml
21
+      dest: /etc/firewalld/zones/public.xml
22
+      owner: root
23
+      group: root
24
+      mode: 644
25
+    when: ansible_os_family == 'RedHat' or ansible_os_family == 'Suse'
26
+
27
+  - name: Clear rules in UFW
28
+    copy: 
29
+      src: ../templates/ufw_user.rules
30
+      dest: /etc/ufw/user.rules
31
+      owner: root
32
+      group: root
33
+      mode: 0640
34
+    when: (ansible_os_family == 'Debian') and ("not 'pihole' in group_names")
35
+
36
+  - name: Clear rules in UFW for DNS server
37
+    copy: 
38
+      src: ../templates/ufw_user_pihole.rules
39
+      dest: /etc/ufw/user.rules
40
+      owner: root
41
+      group: root
42
+      mode: 0640
43
+    when: (ansible_os_family == 'Debian') and ('pihole' in group_names)
44
+
45
+  - name: Reload firewalld
46
+    raw: firewall-cmd --reload
47
+    when: ansible_os_family == 'RedHat' or ansible_os_family == 'Suse'
48
+
49
+  - name: Reload UFW
50
+    raw: ufw reload
51
+    when: ansible_os_family == 'Debian'
52
+
0 53
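Review bot: The `when` on `Clear rules in UFW` compares against a quoted string, `("not 'pihole' in group_names")`, which Jinja evaluates as a non-empty string literal and therefore always true, so every Debian host — including the Pi-hole ones — first receives the generic `ufw_user.rules` and `Clear rules in UFW for DNS server` then overwrites it; between the two copies a DNS host briefly runs without its rules, and both tasks report changed on every run. Write it as `when: ansible_os_family == 'Debian' and 'pihole' not in group_names`. The two firewalld zone copies use `mode: 644` unquoted, which YAML reads as decimal 644 rather than octal; quote it (`mode: '0644'`) or give it a leading zero as the UFW tasks already do with `0640`. The Nginx vhost-create helper further down has the same unquoted `mode: 640`.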
new file mode 100644
@@ -0,0 +1,54 @@
1
+- debug:
2
+    msg: Disabling service - {{ item.service_firewalld }}
3
+  when: item.service_firewalld is defined and ((ansible_os_family == 'RedHat') or (ansible_os_family == 'Suse'))
4
+
5
+- debug:
6
+    msg: Disabling port - {{ item.port_firewalld }}
7
+  when: item.port_firewalld is defined and ((ansible_os_family == 'RedHat') or (ansible_os_family == 'Suse'))
8
+
9
+- debug:
10
+    msg: Disabling service - {{ item.service_ufw }}
11
+  when: item.service_ufw is defined and ansible_os_family == 'Debian'
12
+
13
+- debug:
14
+    msg: Disabling port - {{ item.port_ufw }}/{{ item.proto }}
15
+  when: item.port_ufw is defined and ansible_os_family == 'Debian'
16
+
17
+- name: Ensure serivce is disabled on firewalld
18
+  firewalld:
19
+    service: "{{ item.service_firewalld }}" 
20
+    zone: "{{ item.zone }}"
21
+    permanent: yes
22
+    state: disabled
23
+  when: item.service_firewalld is defined and ((ansible_os_family == 'RedHat') or (ansible_os_family == 'Suse'))
24
+  notify: Reload firewall
25
+
26
+- name: Ensure port is disabled on firewalld
27
+  firewalld:
28
+    port: "{{ item.port_firewalld }}" 
29
+    zone: "{{ item.zone }}"
30
+    permanent: yes
31
+    state: disabled
32
+  when: item.port_firewalld is defined and ((ansible_os_family == 'RedHat') or (ansible_os_family == 'Suse'))
33
+  notify: Reload firewall
34
+
35
+- name: Delete allowing port rule in ufw
36
+  ufw:
37
+    rule: allow
38
+    port: "{{ item.port_ufw }}"
39
+    src: "{{ item.source }}"
40
+    proto: "{{ item.proto }}"
41
+    comment: "{{ item.comment }}"
42
+    delete: yes
43
+  when: item.port_ufw is defined and ansible_os_family == 'Debian'
44
+
45
+- name: Delete allowing serivce rule ufw
46
+  ufw:
47
+    rule: allow
48
+    name: "{{ item.service_ufw }}"
49
+    src: "{{ item.source }}"
50
+    proto: "{{ item.proto }}"
51
+    comment: "{{ item.comment }}"
52
+    delete: yes
53
+  when: item.service_ufw is defined and ansible_os_family == 'Debian'
54
+
0 55
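Review bot: Both firewalld tasks set `permanent: yes` without `immediate: yes`, so a disabled service or port stays open in the running configuration until the `Reload firewall` handler fires at the end of the play — or never, if a later task fails; add `immediate: yes` next to `permanent: yes` so the closure takes effect at once and is still persisted. `serivce` is misspelled in two task names. The ufw deletions pass `src` and `proto`, and ufw only deletes a rule that matches exactly, so the calling loops must repeat the same `source`/`proto` values as the corresponding open items or the allow rule silently survives; a one-line comment above the ufw tasks saying so would save the next editor that surprise.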
new file mode 100644
@@ -0,0 +1,26 @@
1
+- debug:
2
+    msg: Deleting rule blocking service - {{ item.service_firewalld }}
3
+  when: item.service_firewalld is defined and (ansible_os_family == 'RedHat' or ansible_os_family == 'Suse')
4
+
5
+- debug:
6
+    msg: Deleting rule blocking port - {{ item.port_firewalld }}
7
+  when: item.port_firewalld is defined and (ansible_os_family == 'RedHat' or ansible_os_family == 'Suse')
8
+
9
+- debug:
10
+    msg: Deleting rule blocking service - {{ item.service_ufw }}
11
+  when: item.service_ufw is defined and ansible_os_family == 'Debian'
12
+
13
+- debug:
14
+    msg: Deleting rule blocking port - {{ item.port_ufw }}/{{ item.proto }}
15
+  when: item.port_ufw is defined and ansible_os_family == 'Debian'
16
+
17
+- name: Delete blocking rule in ufw
18
+  ufw:
19
+    rule: deny
20
+    port: "{{ item.port_ufw }}"
21
+    src: "{{ item.source }}"
22
+    proto: "{{ item.proto }}"
23
+    comment: "{{ item.comment }}"
24
+    delete: yes
25
+  when: item.port_ufw is defined and ansible_os_family == 'Debian'
26
+
0 27
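Review bot: The first two `debug` tasks announce `Deleting rule blocking service/port` for `item.service_firewalld` and `item.port_firewalld` on RedHat and Suse hosts, but the file contains no firewalld task at all — only the ufw `rule: deny` deletion — so on those hosts the message is printed and nothing happens. The `service_ufw` debug task is likewise unmatched, since there is no `name:`-based ufw deletion below it. Either drop the three orphaned debug tasks or add the missing counterparts; until then a header comment such as `# NOTE: only ufw deny rules are removed here; there is no firewalld branch — confirm this is intended` would explain the asymmetry to a reader.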
new file mode 100644
@@ -0,0 +1,53 @@
1
+- debug:
2
+    msg: Enabling service - {{ item.service_firewalld }}
3
+  when: item.service_firewalld is defined and ((ansible_os_family == 'RedHat') or (ansible_os_family == 'Suse'))
4
+
5
+- debug:
6
+    msg: Enabling port - {{ item.port_firewalld }}
7
+  when: item.port_firewalld is defined and ((ansible_os_family == 'RedHat') or (ansible_os_family == 'Suse'))
8
+
9
+- debug:
10
+    msg: Enabling service - {{ item.service_ufw }}
11
+  when: item.service_ufw is defined and ansible_os_family == 'Debian'
12
+
13
+- debug:
14
+    msg: Enabling port - {{ item.port_ufw }}/{{ item.proto }}
15
+  when: item.port_ufw is defined and ansible_os_family == 'Debian'
16
+
17
+- name: Ensure serivce is enabled on firewalld
18
+  firewalld:
19
+    service: "{{ item.service_firewalld }}" 
20
+    zone: "{{ item.zone }}"
21
+    permanent: yes
22
+    state: enabled
23
+  when: item.service_firewalld is defined and ((ansible_os_family == 'RedHat') or (ansible_os_family == 'Suse'))
24
+  notify:
25
+  - Reload firewall
26
+
27
+- name: Ensure port is enabled on firewalld
28
+  firewalld:
29
+    port: "{{ item.port_firewalld }}" 
30
+    zone: "{{ item.zone }}"
31
+    permanent: yes
32
+    state: enabled
33
+  when: item.port_firewalld is defined and ((ansible_os_family == 'RedHat') or (ansible_os_family == 'Suse'))
34
+  notify:
35
+  - Reload firewall
36
+
37
+- name: Ensure serivce is enabled on ufw
38
+  ufw:
39
+    rule: allow
40
+    name: "{{ item.service_ufw }}"
41
+    src: "{{ item.source }}"
42
+    comment: "{{ item.comment }}"
43
+  when: item.service_ufw is defined and ansible_os_family == 'Debian'
44
+
45
+- name: Ensure port is enabled on ufw
46
+  ufw:
47
+    rule: allow
48
+    port: "{{ item.port_ufw }}"
49
+    src: "{{ item.source }}"
50
+    proto: "{{ item.proto }}"
51
+    comment: "{{ item.comment }}"
52
+  when: item.port_ufw is defined and ansible_os_family == 'Debian'
53
+
0 54
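Review bot: The firewalld branch (`Ensure serivce is enabled on firewalld`, `Ensure port is enabled on firewalld`) never reads `item.source`; the per-source restriction every loop item carries is applied only on the ufw branch through `src:`, and on firewalld the exposure is decided by `item.zone` alone — `home` has 192.168.111.0/24 bound to it in the basic-setup play, so an item with `zone: public` opens the port to any source regardless of its `source` field. State that at the top of the file, e.g. `# firewalld: exposure is decided by item.zone (home = LAN-bound sources, public = any); item.source is used by the ufw tasks only`. The firewalld tasks also set `permanent: yes` without `immediate: yes`, so the opening only becomes effective once the `Reload firewall` handler runs, and `serivce` is misspelled twice.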
new file mode 100644
@@ -0,0 +1,45 @@
1
+---
2
+- name: Install basic packages
3
+  hosts: all
4
+
5
+  tasks:
6
+
7
+  - name: Install basic packages on Debian-like systems.
8
+    apt:
9
+      pkg:
10
+      - bash-completion
11
+      - htop
12
+      - net-tools
13
+      - moreutils
14
+      - needrestart
15
+      - tree
16
+      - mtr
17
+      - vim
18
+    when: ansible_os_family == 'Debian'
19
+
20
+  - name: Install basic packages on RedHat-like systems.
21
+    dnf:
22
+      name:
23
+      - bash-completion
24
+      - htop
25
+      - vim
26
+      - mtr
27
+      - tree
28
+      - net-tools
29
+      - python3-policycoreutils
30
+      state: latest
31
+      enablerepo: epel-modular,epel
32
+    when: ansible_os_family == 'RedHat'
33
+
34
+  - name: Install basic packages on Suse systems.
35
+    zypper:
36
+      name:
37
+      - mtr
38
+      - htop
39
+      - telnet
40
+      - vim
41
+      - tree
42
+      - python3-firewall
43
+      state: present
44
+    when: ansible_os_family == 'Suse'
45
+
0 46
new file mode 100644
@@ -0,0 +1,32 @@
1
+--- 
2
+- import_playbook: apt_cache_update.yaml
3
+
4
+- name: Install tools for bare metal
5
+  hosts: all
6
+
7
+
8
+  tasks:
9
+
10
+  - name: Install bare metal tools on Redhat-like host
11
+    dnf:
12
+      name:
13
+      - smartmontools
14
+      - lm_sensors
15
+      state: latest
16
+    when: ansible_os_family == 'RedHat'
17
+  
18
+  - name: Install bare metal tools on Debian-like hosts
19
+    apt:
20
+      pkg:
21
+      - smartmontools
22
+      - lm-sensors
23
+    when: ansible_os_family == 'Debian'
24
+
25
+  - name: Install bare metal tools on Suse hosts
26
+    zypper:
27
+      name:
28
+      - smartmontools
29
+      - sensors
30
+      state: present
31
+    when: ansible_os_family == 'Suse'
32
+
0 33
new file mode 100644
@@ -0,0 +1,29 @@
1
+--- 
2
+- import_playbook: apt_cache_update.yaml
3
+
4
+- name: Install basic VM tools
5
+  hosts: all
6
+
7
+
8
+  tasks:
9
+
10
+  - name: Install VM tools on Redhat-like host
11
+    dnf:
12
+      name:
13
+      - qemu-guest-agent
14
+      state: latest
15
+    when: ansible_os_family == 'RedHat'
16
+  
17
+  - name: Install VM tools on Debian-like hosts
18
+    apt:
19
+      pkg:
20
+      - qemu-guest-agent
21
+    when: ansible_os_family == 'Debian'
22
+
23
+  - name: Install VM tools on Suse hosts
24
+    zypper:
25
+      name:
26
+      - qemu-guest-agent
27
+      state: present
28
+    when: ansible_os_family == 'Suse'
29
+
0 30
new file mode 100644
@@ -0,0 +1,22 @@
1
+---
2
+- name: Setup MariaDB server
3
+  hosts: all
4
+
5
+  tasks:
6
+
7
+  - name: Installation and initial setup of MariaDB
8
+    include_tasks: helpers/mariadb_initial_setup.yaml
9
+    loop:
10
+    - {rootpasswd:     'jxyw6KveANvenD61KpPXdi',
11
+       rootpasswdenc:  '*B2ACD97F2A958A24CA7E41E0FBEBE7F5E4980170',
12
+       aredapasswd:    'autZ7MHsQpivXJWlv6IKfqf',
13
+       aredapasswdenc: '*03D5061927AAD8F3BC7F1B1027BA6D84CABBB907'}
14
+    when: "'database' in group_names"
15
+
16
+  handlers:
17
+
18
+  - name: restart mariadb
19
+    systemd:
20
+      name: mariadb
21
+      state: restarted
22
+
0 23
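Review bot: The loop item on lines 10–13 embeds the MariaDB root and application passwords in clear text, together with their password hashes, directly in a committed playbook; move them into a vault-encrypted vars file (`ansible-vault`, loaded through `vars_files:`) and reference variables such as `{{ mariadb_root_password_hash }}` (constructed name) from the loop, and treat the values already committed as exposed. The visible tasks of the included helper reference only the `*passwdenc` keys plus a `lukaszpasswdenc` key that this loop does not provide, so the loop item and the helper already disagree on their contract; whether the plaintext keys are consumed by the helper's `.my.cnf` template cannot be seen here and is worth confirming.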
new file mode 100644
@@ -0,0 +1,18 @@
1
+---
2
+- debug:
3
+    msg: database - {{ item.dbname }}
4
+
5
+- name: Check if database exists
6
+  mysql_db:
7
+    name: "{{ item.dbname }}"
8
+    state: present
9
+
10
+- name: Ensure existence of user and privileges
11
+  mysql_user:
12
+    name: "{{ item.dbname }}"
13
+    host: "localhost"
14
+    password: "{{ item.password }}"
15
+    encrypted: yes
16
+    priv: '{{ item.dbname }}.*:ALL'
17
+    state: present
18
+
0 19
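Review bot: `Check if database exists` is not a check — `mysql_db` with `state: present` creates the database — and the sibling delete helper's `Check if database do not exists` drops one, so both names understate what the tasks do; rename them `Ensure database exists` and `Ensure database is absent`. Neither `mysql_db` nor `mysql_user` here passes `login_user`/`login_unix_socket`, unlike the initial-setup helper, so authentication silently depends on the `.my.cnf` that helper writes to `/home/lukasz`; a header comment such as `# requires the credentials file written by mariadb_initial_setup.yaml` would make the prerequisite visible, since the tasks cannot authenticate without it.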
new file mode 100644
@@ -0,0 +1,10 @@
1
+---
2
+- debug:
3
+    msg: database - {{ item.dbname }}
4
+
5
+- name: Dump database
6
+  mysql_db:
7
+    state: dump
8
+    name: {{ "item.dbmane" }}
9
+    target: /var/www/{{ item.dbname }}/database/dump/{{ ansible_date_time.date }}.{{ ansible_date_time.time }}.sql
10
+
0 11
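Review bot: `name: {{ "item.dbmane" }}` on the `Dump database` task is broken twice — a value beginning with `{{` is parsed by YAML as a flow mapping and aborts the play with a syntax error, and the quoted `"item.dbmane"` would be a literal (and misspelled) string rather than the variable; write `name: "{{ item.dbname }}"` as the `debug` task above does. The dump `target` sits under `/var/www/<dbname>/database/dump/`, inside the tree the Nginx and Apache plays use as the vhost root; if that directory is reachable through a vhost the SQL dumps become downloadable, so either write dumps outside `/var/www` or confirm that the `nginx_files_deny.include` rules cover `database/`. The dump file is also created with the module's default permissions; an explicit restrictive mode on the target directory would be prudent.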
new file mode 100644
@@ -0,0 +1,14 @@
1
+---
2
+- debug:
3
+    msg: database - {{ item.dbname }}
4
+
5
+- name: Check if database do not exists
6
+  mysql_db:
7
+    name: "{{ item.dbname }}"
8
+    state: absent
9
+
10
+- name: Ensure absence of user and privileges
11
+  mysql_user:
12
+    name: "{{ item.dbname }}"
13
+    state: absent
14
+
0 15
new file mode 100644
@@ -0,0 +1,108 @@
1
+- name: Install MariaDB on Redhat-like hosts
2
+  dnf:
3
+  - name:
4
+    - mariadb-server
5
+    - mariadb
6
+    - python3-mysqlclient
7
+    state: latest
8
+  when: ansible_os_family == 'RedHat'
9
+
10
+- name: Install MariaDB on Debian-like hosts
11
+  apt:
12
+    pkg:
13
+    - mariadb-client
14
+    - mariadb-server
15
+    - python3-pymysql
16
+  when: ansible_os_family == 'Debian'
17
+
18
+- name: Check if MariaDB can be reached from 0.0.0.0 on Redhat-like hosts
19
+  ini_file:
20
+    path: /etc/my.cnf.d/mariadb-server.cnf
21
+    section: mysqld
22
+    option: bind-address
23
+    value: 0.0.0.0
24
+  notify:
25
+  - restart mariadb
26
+  when: ansible_os_family == 'RedHat'
27
+
28
+- name: Check if MariaDB can be reached from 0.0.0.0 on Debian-like hosts
29
+  ini_file:
30
+    path: /etc/mysql/mariadb.conf.d/50-server.cnf
31
+    section: mysqld
32
+    option: bind-address
33
+    value: 0.0.0.0
34
+  notify:
35
+  - restart mariadb
36
+  when: ansible_os_family == 'Debian'
37
+
38
+- name: Enable and start MariaDB
39
+  systemd:
40
+    state: started
41
+    enabled: yes
42
+    masked: no
43
+    name: mariadb
44
+
45
+# --------------------------------------------
46
+# mysql_secure_installation
47
+# --------------------------------------------
48
+
49
+- name: Check if mysql_secure_installation was done
50
+  stat:
51
+    path: /home/lukasz/.my.cnf
52
+  register: msi
53
+
54
+- name: Remove Test database
55
+  mysql_db:
56
+    login_user: root
57
+    login_unix_socket: /var/run/mysqld/mysqld.sock
58
+    name: test
59
+    state: absent
60
+  when:
61
+  - not msi.stat.exists
62
+
63
+- name: Remove anonymous users
64
+  mysql_user:
65
+    login_user: root
66
+    login_unix_socket: /var/run/mysqld/mysqld.sock
67
+    name: ''
68
+    state: absent
69
+  when:
70
+  - not msi.stat.exists
71
+
72
+- name: Check existence of administrative user lukasz
73
+  mysql_user:
74
+    login_user: root
75
+    login_unix_socket: /var/run/mysqld/mysqld.sock
76
+    name: lukasz
77
+    host: localhost
78
+    password: "{{ item.lukaszpasswdenc }}" 
79
+    encrypted: yes
80
+    priv: '*.*:ALL,GRANT'
81
+    state: present
82
+  when:
83
+  - not msi.stat.exists
84
+
85
+- name: Set root password
86
+  mysql_user:
87
+    login_user: root
88
+    login_unix_socket: /var/run/mysqld/mysqld.sock
89
+    name: root
90
+    host: localhost
91
+    password: "{{ item.rootpasswdenc }}"
92
+    encrypted: yes
93
+    state: present
94
+  when:
95
+  - not msi.stat.exists
96
+
97
+# --------------------------------------------
98
+# /mysql_secure_installation
99
+# --------------------------------------------
100
+
101
+- name: Copy .my.cnf with credentials
102
+  template:
103
+    src: templates/areda_my_cnf.j2
104
+    dest: /home/lukasz/.my.cnf
105
+    owner: lukasz
106
+    group: lukasz
107
+    mode: 0400
108
+
0 109
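Review bot: `Install MariaDB on Redhat-like hosts` passes the `dnf` arguments as a list (`dnf:` followed by `- name:`), which Ansible rejects because module arguments must be a mapping; drop the dash so it reads `dnf:` / `  name:` / `  - mariadb-server` … with `state` at the same level as `name`, as the apt task below does. `Check existence of administrative user lukasz` reads `item.lukaszpasswdenc`, but the only visible caller (the MariaDB setup play) supplies `rootpasswdenc` and `aredapasswdenc`, so the first run — the only one in which this task is not skipped by the `.my.cnf` marker — fails on an undefined variable. The two `ini_file` tasks named `Check if MariaDB can be reached from 0.0.0.0` do not check anything: they set `bind-address = 0.0.0.0`, exposing the server on every interface; unless remote clients are required, bind to `127.0.0.1` (or the LAN address), and rename the tasks to say what they do.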
new file mode 100644
@@ -0,0 +1,71 @@
1
+--- 
2
+- import_playbook: apt_cache_update.yaml
3
+
4
+- name: Basic setup of Nginx web server
5
+  hosts: all
6
+
7
+
8
+  tasks:
9
+
10
+  - name: Ensure that Nginx in installed on Redhat-like hosts
11
+    dnf:
12
+      name:
13
+      - nginx
14
+      - nginx-all-modules
15
+      - python3-certbot-nginx
16
+      state: latest
17
+      enablerepo: epel-modular,epel
18
+    when: ansible_os_family == 'RedHat'
19
+  
20
+  - name: Ensure that Nginx in installed on Debian-like hosts
21
+    apt:
22
+      pkg:
23
+      - nginx
24
+      - python3-certbot-nginx
25
+    when: ansible_os_family == 'Debian'
26
+  
27
+  - name: Ensure that Nginx in installed on Suse hosts
28
+    zypper:
29
+      pkg:
30
+      - nginx
31
+      - python3-certbot-nginx
32
+      state: present
33
+    when: ansible_os_family == 'Suse'
34
+
35
+  - name: Ensure that Nginx is running and enabled in systemd
36
+    systemd:
37
+      state: started
38
+      name: nginx
39
+      enabled: yes
40
+      masked: no
41
+    when: ansible_os_family == 'RedHat' or ansible_os_family == 'Debian' or ansible_os_family == 'Suse'
42
+  
43
+  - name: Send updated deny rules for Nginx
44
+    copy:
45
+      src: ../templates/nginx_files_deny.include
46
+      dest: /etc/nginx/nginx_files_deny.include
47
+      owner: root
48
+      group: root
49
+      mode: '644'
50
+    when: ansible_os_family == 'RedHat' or ansible_os_family == 'Debian' or ansible_os_family == 'Suse'
51
+  
52
+  - name: Creates base directory for Nginx vhosts
53
+    file:
54
+      path: /var/www
55
+      state: directory
56
+      owner: root
57
+      group: root
58
+      mode: '751'
59
+    when: ansible_os_family == 'RedHat' or ansible_os_family == 'Debian' or ansible_os_family == 'Suse'
60
+  
61
+  - name: Allow Nginx to read files in webroot
62
+    sefcontext:
63
+      target: '/var/www(/.*)?'
64
+      setype: httpd_sys_content_t
65
+      state: present
66
+    when: ansible_os_family == 'RedHat'
67
+  
68
+  - name: Apply new SELinux file context to /var/www
69
+    command: restorecon -irv /var/www
70
+    when: ansible_os_family == 'RedHat'
71
+  
0 72
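Review bot: `Send updated deny rules for Nginx` copies `nginx_files_deny.include` into `/etc/nginx/`, but nothing in this play adds an `include` for it to `nginx.conf` or to a vhost, so whether the deny rules are ever active depends on the `nginx_vhost.j2`/`nginx_proxy.j2` templates that are not shown here — confirm they include it, because the database helpers write SQL dumps under `/var/www`. `command: restorecon -irv /var/www` reports changed on every run; register its output and set `changed_when` from it. `state: latest` on the RedHat task upgrades nginx and certbot on every run while the Debian and Suse tasks only ensure presence.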
new file mode 100644
@@ -0,0 +1,26 @@
1
+---
2
+- debug:
3
+    msg: vhost - {{ item.id }}
4
+
5
+- name: Ensure that virtualhost do not exists on Redhat-like host
6
+  file:
7
+    path: /etc/nginx/conf.d/{{ item.domain }}.conf
8
+    state: absent
9
+  notify:
10
+  - Reload nginx
11
+  when: ansible_os_family == 'RedHat'
12
+
13
+- name: Ensure that virtualhost do not exists on Debian-like host
14
+  file:
15
+    path: /etc/nginx/sites-available/{{ item.id }}.conf
16
+    state: absent
17
+  when: ansible_os_family == 'Debian'
18
+
19
+- name: Ensure absence of link in sites-enabled
20
+  file:
21
+    path: /etc/nginx/sites-enabled/{{ item.id }}.conf
22
+    state: absent
23
+  notify:
24
+  - Reload nginx
25
+  when: ansible_os_family == 'Debian'
26
+
0 27
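Review bot: On RedHat this helper removes `/etc/nginx/conf.d/{{ item.domain }}.conf`, while the create helper writes `/etc/nginx/conf.d/{{ item.id }}.conf`, so the two never refer to the same file and a vhost created on a RedHat host is not removed by the delete run (and `item.domain` may not even be defined for the loop item); change the path to `/etc/nginx/conf.d/{{ item.id }}.conf`. The handler is notified as `Reload nginx` here but as `reload nginx` in the create helper; handler names are matched literally as far as I know, so only one spelling will find the handler — unify them. `Ensure that virtualhost do not exists` → `Ensure that virtualhost does not exist` in both task names.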
new file mode 100644
@@ -0,0 +1,32 @@
1
+---
2
+- debug:
3
+    msg: vhost - {{ item.id }}
4
+
5
+- name: Ensure that virtualhost exists on Redhat-like host
6
+  template:
7
+    src: templates/nginx_vhost.j2
8
+    dest: /etc/nginx/conf.d/{{ item.id }}.conf
9
+    owner: root
10
+    group: nginx
11
+    mode: 640
12
+  notify:
13
+  - reload nginx
14
+  when: ansible_os_family == 'RedHat'
15
+
16
+- name: Ensure that virtualhost exists on Debian-like host
17
+  template:
18
+    src: templates/nginx_proxy.j2
19
+    dest: /etc/nginx/sites-available/{{ item.id }}.conf
20
+    owner: root
21
+    group: nginx
22
+    mode: 640
23
+
24
+- name: Ensure existence of link in sites-enabled
25
+  file:
26
+    dest: /etc/nginx/sites-enabled/{{ item.id }}.conf
27
+    src: ../sites-available/{{ item.id }}.conf
28
+    state: link
29
+    force: yes
30
+  notify:
31
+  - reload nginx
32
+
0 33
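Review bot: `mode: 640` on lines 11 and 22 is an unquoted YAML integer, which Ansible takes as decimal 640 (octal 1200, i.e. `--x-w----T`) rather than 0640; write `mode: '0640'`. The Debian template task (lines 16–22) and the `sites-enabled` link task (lines 24–31) have no `when:` guard, so on RedHat hosts they will also create `sites-available`/`sites-enabled` entries that nginx there never reads. `group: nginx` on the Debian task assumes that group exists on Debian, where the packaged nginx runs as `www-data` — confirm before relying on it. The handler is notified as `reload nginx` here but `Reload nginx` in the removal file; handler lookup is an exact string match, so pick one spelling.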
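--- /dev/null
+++ b/PATH_NOT_SHOWN_03
@@ -0,0 +1,16 @@
+---
+- name: Setup ~/.local/bin directory.
+  hosts: all
+
+
+  tasks:
+
+  - name: Ensure, that ~/.local/bin directory exists.
+    file:
+      path: /home/lukasz/.local/bin
+      state: directory
+      owner: lukasz
+      group: lukasz
+      mode: '0700'
+    when: "'desktop' in group_names"
+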
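--- /dev/null
+++ b/PATH_NOT_SHOWN_04
@@ -0,0 +1,31 @@
+- debug:
+    msg: user - {{ item.username }}
+
+- name: Ensure user is not able to log in
+  user:
+    name: "{{ item.username }}"
+    password_lock: yes
+
+- name: Unset authorized SSH keys for user
+  authorized_key:
+    user: "{{ item.username }}"
+    key: "{{ item.sshkey }}"
+    state: absent
+
+- name: Set permissions to home directory on Linux
+  file:
+    owner: root
+    group: root
+    path: /home/{{ item.username }}
+    mode: '700'
+  when: ansible_os_family == 'Gentoo' or ansible_os_family == 'RedHat' or 
+        ansible_os_family == 'Debian' or ansible_os_family == 'Suse'
+
+- name: Set permissions to home directory on FreeBSD
+  file:
+    owner: root
+    group: wheel
+    path: /home/{{ item.username }}
+    mode: '700'
+  when: ansible_os_family == 'FreeBSD'
+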
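Review bot: The lock-out is incomplete: `password_lock: yes` (line 7) only disables password authentication, and the `authorized_key` task (lines 9–13) removes just the single key passed in as `item.sshkey`, so any other key already present in the user's `authorized_keys` keeps working. For an actual disable, set a non-interactive shell on the `user` task, e.g. `shell: /usr/sbin/nologin` (path varies per OS family), and remove the whole key file with a `file:` task using `path: /home/{{ item.username }}/.ssh/authorized_keys` and `state: absent`; the root-owned 0700 home directory set on lines 15–30 helps but does not replace that. The two-line `when:` on lines 21–22 parses as a folded plain scalar but ends with a trailing space and differs from the single-line form used everywhere else in this commit.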
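--- /dev/null
+++ b/PATH_NOT_SHOWN_05
@@ -0,0 +1,55 @@
+- debug:
+    msg: user - {{ item.username }}
+
+- name: Ensure, that a group for user exists on Suse
+  group:
+    name: "{{ item.username }}"
+    state: present
+  when: ansible_os_family == 'Suse'
+
+- name: Ensure user exists and is in correct groups on FreeBSD
+  user:
+    name: "{{ item.username }}" 
+    comment: "{{ item.comment }}"
+    shell: /usr/local/bin/bash
+    groups: wheel
+    append: yes
+  when: ansible_os_family == 'FreeBSD'
+
+- name: Ensure user exists and is in correct groups on Gentoo, Suse and RedHat-like hosts
+  user:
+    name: "{{ item.username }}" 
+    comment: "{{ item.comment }}"
+    shell: /bin/bash
+    groups: wheel
+    append: yes
+  when: ansible_os_family == 'Gentoo' or ansible_os_family == 'RedHat' or ansible_os_family == 'Suse'
+
+- name: Ensure user exists and is in correct groups on Debian-like hosts
+  user:
+    name: "{{ item.username }}" 
+    comment: "{{ item.comment }}"
+    shell: /bin/bash
+    groups: sudo
+    append: yes
+  when: ansible_os_family == 'Debian'
+
+- name: Set authorized SSH keys for user
+  authorized_key:
+    user: "{{ item.username }}"
+    key: "{{ item.sshkey }}"
+    state: present
+    exclusive: True
+
+- name: Ensure user is able to log in
+  user:
+    name: "{{ item.username }}"
+    password_lock: no
+
+- name: Set permissions to home directory
+  file:
+    path: /home/{{ item.username }}
+    owner: "{{ item.username }}"
+    group: "{{ item.username }}"
+    mode: '700'
+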
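Review bot: The three `name: "{{ item.username }}"` lines (12, 21, 30) end with a trailing space, and booleans mix `yes` (`append`) with `True` (`exclusive`, line 42); strip the whitespace and use one boolean spelling. The Suse-only `group` task (lines 4–8) creates a group named after the user, but the Suse `user` task (lines 19–26) never sets `group:`, so that group is presumably only consumed by the final `file` task's `group: "{{ item.username }}"` — confirm that is intended rather than adding `group: "{{ item.username }}"` to the `user` task. Every looped user is appended to `wheel`/`sudo` and gets exactly the one inventory key via `exclusive: True`; a one-line comment above the first `user` task stating that these are admin accounts would make the privilege grant explicit to the next reader.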
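--- /dev/null
+++ b/PATH_NOT_SHOWN_06
@@ -0,0 +1,46 @@
+[desktop]
+outpost.ping.local
+union.ping.local
+dropshuttle.ping.local
+
+[raspberrypi]
+malinka.ping.local
+jezynka.ping.local
+
+[server]
+aegis.ping.local
+potemkin.ping.local
+
+[virtual]
+python-cave.ping.local
+rawhide.ping.local
+strategie.ping.local
+stream.ping.local
+
+ubuntu2004test.ping.local
+centos8test.ping.local
+fedora33test.ping.local
+leap15test.ping.local
+
+[testing]
+ubuntu2004test.ping.local
+centos8test.ping.local
+fedora33test.ping.local
+leap15test.ping.local
+
+# ---------------------------------------
+
+[pihole]
+jezynka.ping.local
+
+[samba]
+malinka.ping.local
+
+[www]
+python-cave.ping.local
+
+[www_apache]
+strategie.ping.local
+potemkin.ping.local
+# ---------------------------------------
+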
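Review bot: The four test hosts are listed twice, under `[virtual]` (lines 20–23) and `[testing]` (lines 26–29); declare the membership once with a children group, `[virtual:children]` followed by `testing`, so the two lists cannot drift apart. The separator comment on line 45 sits directly after `potemkin.ping.local` without the blank line that separates every other section.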
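--- /dev/null
+++ b/PATH_NOT_SHOWN_07
@@ -0,0 +1,22 @@
+---
+- name: Setup journald logs
+  hosts: all
+
+  tasks:
+
+  - name: Create logs directory if it does not exist
+    file:
+      path: /var/log/journal
+      state: directory
+      owner: root
+      group: systemd-journal
+    when: ansible_os_family == 'Debian' or ansible_os_family == 'RedHat' or ansible_os_family == 'Suse'
+    notify: Restart journald
+  
+  handlers:
+
+  - name: Restart journald
+    systemd:
+      name: systemd-journald
+      state: restarted
+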
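Review bot: The `file` task (lines 8–13) creates `/var/log/journal` with owner and group but no `mode`, so the directory takes whatever the remote umask yields and lacks the setgid bit that systemd's own tmpfiles rule applies (`2755 root systemd-journal`), which is what keeps new journal files readable by the `systemd-journal` group; add `mode: '2755'`. Restarting journald from the handler switches it to persistent storage, but the runtime journal written before the restart is not carried over unless it is flushed first (`journalctl --flush`) — confirm whether losing it is acceptable.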
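--- /dev/null
+++ b/PATH_NOT_SHOWN_08
@@ -0,0 +1,16 @@
+---
+- import_playbook: helpers/setup_bin_dir.yaml
+- name: Setup local bin files
+  hosts: all
+
+  tasks:
+
+  - name: Copy backup_baszarek script
+    template:
+      src: templates/backup_baszarek
+      dest: /home/lukasz/.local/bin/backup_baszarek
+      owner: lukasz
+      group: lukasz
+      mode: 0700
+    when: "'desktop' in group_names"
+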
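Review bot: `mode: 0700` on line 14 is an unquoted leading-zero literal, which the YAML 1.1 parser happens to read as octal, while the directory helper in this same commit writes `mode: '0700'`; quote it for consistency and so the value does not depend on integer-parsing rules. The task name says "Copy" but the module is `template:`, so the script is rendered through Jinja2 and any literal `{{` or `{%` inside `backup_baszarek` will be interpreted; a short comment such as `# rendered as a template on purpose` above the task would spare the next reader the question.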
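--- /dev/null
+++ b/PATH_NOT_SHOWN_09
@@ -0,0 +1,14 @@
+---
+- name: Setup Bashrc
+  hosts: all
+
+  tasks:
+
+  - name: Send updated .bashrc file
+    copy:
+      src: templates/.bashrc
+      dest: /home/lukasz/.bashrc
+      owner: lukasz
+      group: lukasz
+      mode: '644'
+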
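--- /dev/null
+++ b/PATH_NOT_SHOWN_10
@@ -0,0 +1,14 @@
+---
+- name: Setup vimrc 
+  hosts: all
+
+  tasks:
+
+  - name: Send updated .vimrc file
+    copy:
+      src: templates/.vimrc
+      dest: /home/lukasz/.vimrc
+      owner: lukasz
+      group: lukasz
+      mode: '644'
+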
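--- /dev/null
+++ b/PATH_NOT_SHOWN_11
@@ -0,0 +1,17 @@
+---
+- name: Enable users
+  hosts: all
+
+  tasks:
+
+  - name: Ensure that users exists and are in correct groups
+    include_tasks: helpers/users_enable.yaml
+    loop:
+    - {username: lukasz, comment: Lukasz, sshkey: "{{ lookup('file', 'ssh_keys/lukasz') }}"}
+
+  - name: Ensure that users can not login
+    include_tasks: helpers/users_disable.yaml
+    loop:
+    #- {username: qwerty, comment: QWERTY, sshkey: "{{ lookup('file', 'ssh_keys/QWERTY') }}"}
+    - {username: marcin, comment: Marcin Temp, sshkey: "{{ lookup('file', 'ssh_keys/lukasz') }}"}
+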
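Review bot: The disable entry on line 16 passes `sshkey: "{{ lookup('file', 'ssh_keys/lukasz') }}"` for user `marcin`, so the disable helper removes lukasz's public key from marcin's `authorized_keys`, not marcin's own; whatever key marcin was originally provisioned with stays authorized. Either reference that user's own key file or drop `sshkey` from the disable entries and have the helper remove the whole `authorized_keys` file. The commented-out `qwerty` entry on line 15 should be deleted or carry a one-line reason for staying.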
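--- /dev/null
+++ b/PATH_NOT_SHOWN_12
@@ -0,0 +1,38 @@
+---
+- name: Upgrade apt cache
+  import_playbook: helpers/apt_cache_update.yaml
+
+- name: Upgrade packages
+  hosts: all
+
+  tasks:
+
+  - name: Apt upgrade all packages
+    apt:
+      name: "*"
+      state: latest
+    when: ansible_os_family == 'Debian'
+
+  - name: Apt remove unused dependencies
+    apt:
+      autoremove: yes
+    when: ansible_os_family == 'Debian'
+
+  - name: Dnf upgrade all packages
+    dnf:
+      name: "*"
+      state: latest
+    when: ansible_os_family == 'RedHat'
+
+  - name: Dnf remove unused dependencies
+    dnf:
+      autoremove: yes
+    when: ansible_os_family == 'RedHat'
+
+  - name: Zypper upgrade all packages
+    zypper:
+      name: '*'
+      state: latest
+      update_cache: yes
+    when: ansible_os_family == 'Suse'
+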
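Review bot: The dnf task (lines 21–25) upgrades with `state: latest` but, unlike the zypper task, sets no `update_cache: yes`, and the apt tasks rely on the imported cache-update playbook; on RedHat hosts the upgrade therefore runs against whatever metadata dnf still considers fresh, so add `update_cache: yes` if a refresh is expected on every run. Quoting of the wildcard is mixed (`"*"` on lines 12 and 23, `'*'` on line 34); pick one form.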
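--- /dev/null
+++ b/PATH_NOT_SHOWN_13
@@ -0,0 +1,74 @@
+# Generated with Ansible
+
+# User specific aliases and functions
+
+# przyspieszenie klawiatury
+#xset r rate 180 60
+
+# multiterminal
+# tmux
+
+# zeby nie skasowac plikow
+alias rm='rm -i'
+alias cp='cp -i'
+alias mv='mv -i'
+
+# ladny ls, dziala rowniez w mc
+alias 'dir'='ls --sort=extension --color -h -Al'
+
+# takie top, ale na razie zrezygnowalem
+#alias 'top'='htop --user=lukasz --sort=PERCENT_CPU --delay=25'
+
+# nie potrafie szybko wpisac ee
+alias tre='tree'
+
+# ciagle mi sie myli
+alias vi='vim'
+
+# do odpalania jarek
+alias sjava='/usr/java/default/bin/java -jar'
+alias sjavaws='/usr/java/default/bin/javaws'
+
+# logowania do serwerow
+alias MALINKA='ssh 192.168.111.106 -l lukasz'
+alias JEZYNKA='ssh 192.168.111.110 -l lukasz'
+alias AEGIS='ssh 192.168.111.21 -l lukasz'
+alias OVH='ssh 54.38.53.153 -l lukasz'
+alias plassh='ssh -l lukaszp -i /home/lukasz/.ssh_areda/id_rsa '
+
+# xterm, na ktorym cos widac
+alias xterm='xterm -bg 'black' -fg 'grey' -fa 'Monospace' -fs 14'
+
+# czasami tlumaczenie nie jest najlepsze
+alias men='LANG=C man'
+
+# do pythona
+alias sba='source bin/activate'
+
+#PS1="$(tput setaf 2)[\\u@\\h \\w]$ $(tput sgr0)"
+# znak zachety
+green="\001$(tput setaf 2)\002"
+blue="\001$(tput setaf 4)\002"
+dim="\001$(tput dim)\002"
+reset="\001$(tput sgr0)\002"
+PS1="$green\u @ \h \t $blue \w $ \n  $green->$reset  "
+export PS1
+unset green blue dim reset
+
+# historia
+HISTSIZE=20000
+HISTFILESIZE=50000
+
+# losowe slowo
+losowik()
+{
+  cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w ${1:-32} | head -n 1
+}
+
+# Source global definitions
+if [ -f /etc/bashrc ]; then
+	. /etc/bashrc
+fi
+
+PATH=~/.local/bin/:$PATH
+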
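Review bot: The `xterm` alias on line 40 nests single quotes inside a single-quoted string, so the inner `'black'`, `'grey'` and `'Monospace'` are not quoted at all — the shell concatenates `'xterm -bg '`, `black`, `' -fg '` and so on, which only works because none of the words contain spaces; write it as `alias xterm='xterm -bg black -fg grey -fa Monospace -fs 14'`. `/etc/bashrc` is sourced at the very end (lines 69–71), after the aliases and `PS1`, so anything defined there can override this file's settings — the usual placement is at the top. `fold -w ${1:-32}` on line 65 leaves the argument unquoted; `"${1:-32}"` keeps a stray argument from being word-split. The alias block on lines 32–37 embeds other hosts' SSH targets and a private-key path, and the bashrc playbook in this commit copies the file to every host, so each managed machine receives the whole list; consider keeping host-specific aliases out of the shared template.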
new file mode 100644
@@ -0,0 +1,27 @@
1
+" Generated with Ansible
2
+
3
+language messages C
4
+syntax on
5
+set showmatch
6
+set number