-
Notifications
You must be signed in to change notification settings - Fork 5
Expand file tree
/
Copy pathscripts-real.yml
More file actions
277 lines (275 loc) · 7.69 KB
/
scripts-real.yml
File metadata and controls
277 lines (275 loc) · 7.69 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
# TODO: Select and install miscellaneous packages
# TODO: Install credentials:
# /etc/krb5.keytab
# /etc/daemon.keytab (0400 afsagent:afsagent)
# /etc/signup.keytab (0400 signup:signup)
# /etc/dirsrv/keytab (0400 dirsrv:dirsrv)
# /etc/pki/tls/private/scripts*.key (0400 root:root)
# /etc/ssh/*_key{,.pub}
# Maybe:
# TODO: Consider installing a crontab for export-scripts-certs (currently in scripts locker's crontab)
- hosts: scripts-real
serial: 1
vars:
ldap_server: "{{ use_local_ldap | default(True) | ternary('ldapi://%2fvar%2frun%2fslapd-scripts.socket/', 'ldap://scripts-ldap.mit.edu/') }}"
ldap_server_tcp: "{{ use_local_ldap | default(True) | ternary('ldap://127.0.0.1/', 'ldap://scripts-ldap.mit.edu/') }}"
preferred_mta: postfix
pre_tasks:
- name: Block Ansible on legacy realservers
assert:
that:
- ansible_distribution == "Fedora" and ansible_distribution_major_version|int >= 29
- name: Remove stale packages
dnf:
name:
- fedora-obsolete-packages
- nfs-utils
autoremove: yes
disable_excludes: main
state: absent
- include_role:
name: real-network
roles:
- role: rpm-repos
tags: [always]
- role: packages
tags: [always]
- role: syslog-client
when: syslog_client | default(True)
- ansible-config-me
- mock
- sysctl
- tmpfiles
- dnf-automatic
- real-statoverride
- real-munin-node
- real-dns
- real-hosts
- real-ntp
- role: real-ldap
tags: [ldap]
- real-k5login
- real-nrpe
- real-modprobe
- real-nsspam
- real-pki
- real-iptables
- real-sshd
- real-postfix
- real-afs
- real-php
- real-cron
- real-httpd
- real-logrotate
- real-logwatch
- real-clamav
- role: real-spheroids
tags: [spheroids]
tasks:
- name: Editors
block:
- name: Install editors
dnf:
name:
- vim
- emacs-nox
state: present
- name: Disable viminfo
lineinfile:
path: /etc/vimrc
regexp: '^set viminfo='
line: "set viminfo= \" don't keep a viminfo file"
- name: Install accountadm
dnf:
name:
- accountadm
state: present
when: use_accountadm | default('accountadm' in scripts_packages)
- name: execsys
when: use_execsys | default('execsys' in scripts_packages)
block:
- name: Install execsys
dnf: name=execsys state=present
- name: Enable execsys services
systemd:
name: "{{ item }}"
enabled: yes
state: started
loop:
- execsys-binfmt.service
- scripts-svn.socket
- scripts-git.socket
- scripts-local-smtp.socket
- name: Hesiod
block:
- name: Install hesiod
dnf: name=hesiod-devel state=present
when: use_hesiod | default('hesiod-devel' in scripts_packages)
- name: Configure hesiod
copy:
dest: /etc/hesiod.conf
content: |
rhs=.ATHENA.MIT.EDU
lhs=.ns
- name: Zephyr
when: use_zephyr | default('zephyr' in scripts_packages)
block:
- name: Install zephyr
dnf:
name:
- zephyr
- zephyr-devel
state: present
- name: Start zephyr
service:
name: zhm
enabled: yes
state: started
- name: autofs
when: use_autofs | default(ansible_distribution_major_version|int < 30 or 'autofs' in scripts_packages)
block:
- name: Install autofs
dnf: name={% if ansible_distribution_major_version|int >= 30 %}scripts-{% endif %}autofs state=present
- name: Configure autofs
copy:
dest: /etc/auto.master
content: |
/mit hesiod:hesiod
notify: reload autofs
- name: Enable autofs
service:
name: autofs
enabled: yes
state: started
- name: Configure sudoers
copy:
dest: /etc/sudoers.d/scripts
content: |
scripts ALL=(root) NOPASSWD: /usr/local/sbin/ldap-backup ""
scripts ALL=(root) NOPASSWD: /usr/local/sbin/get-homedirs ""
- name: Limit Java memory
lineinfile:
path: /etc/environment
line: JAVA_TOOL_OPTIONS="-Xmx128M -XX:MaxPermSize=64M"
regexp: '^JAVA_TOOL_OPTIONS='
- name: Clean up kdump cores
copy:
dest: /etc/tmpfiles.d/scripts-crash.conf
content: |
d /var/crash 1755 root root 10d
notify: create tmpfiles
- name: Configure resource limits
copy:
dest: /etc/security/limits.d/scripts
content: |
# No limits for root
root -
scripts-build -
# For everyone else,
* soft core 0
* - rss 524268
* - data 1048576
* - as 1572864
- name: Enable per-user logs
block:
- name: Configure journald to split logs
ini_file:
no_extra_spaces: yes
path: /etc/systemd/journald.conf
section: Journal
option: SplitMode
value: uid
notify: restart journald
- name: Configure systemd user sessions to not log startup messages
ini_file:
no_extra_spaces: yes
path: /etc/systemd/user.conf
section: Manager
option: LogLevel
value: notice
- name: grub
block:
- name: Configure grub
ini_file:
no_extra_spaces: yes
path: /etc/default/grub
section: null
option: "{{ item.option }}"
value: "\"{{ item.value }}\""
loop:
- option: GRUB_CMDLINE_LINUX
value: "biosdevname=0 console=tty1 console=ttyS0 console=hvc0 rd.md=0 rd.lvm=0 rd.dm=0 rd.luks=0 crashkernel=128M"
- option: GRUB_TERMINAL
value: "serial console"
notify: regenerate grub
- name: Configure reboot on {panic,oops,OOM}
copy:
dest: /etc/sysctl.d/99-scripts-reboot.conf
content: |
kernel.panic = 5
kernel.panic_on_oops = 1
vm.panic_on_oom = 1
notify: apply sysctl
- name: Enable sysrq
copy:
dest: /etc/sysctl.d/99-scripts-sysrq.conf
content: |
kernel.sysrq = 1
notify: apply sysctl
- name: Configure multihomed networking sysctls
copy:
dest: /etc/sysctl.d/99-scripts-networking.conf
content: |
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 2
net.ipv4.tcp_keepalive_time = 825
notify: apply sysctl
- name: sysstat
block:
- dnf: name=sysstat state=present
- name: Retain sysstat logs for 30 days
ini_file:
no_extra_spaces: yes
path: /etc/sysconfig/sysstat
section: null
option: "HISTORY"
value: "30"
- name: Install dotfiles
copy:
dest: /root/
src: files/dotfiles/
- name: athrun
dnf: name=athrun state=present
ignore_errors: yes
- name: discuss
dnf:
name:
- discuss
- discuss-emacs
state: present
ignore_errors: yes
- name: scripts-wizard
dnf: name=scripts-wizard state=present
ignore_errors: yes
- name: Disable rpcbind
systemd:
name: "{{ item }}"
enabled: no
state: stopped
loop:
- rpcbind.socket
- rpcbind.service
handlers:
- name: reload autofs
service: name=autofs state=reloaded
- name: restart journald
service: name=systemd-journald state=restarted
- name: regenerate grub
command: grub2-mkconfig -o /boot/grub2/grub.cfg
- name: reboot
reboot:
notify: setup
- name: setup
setup: