commit ed8986fc5ccadf938a88e304fb7f56a7e2f3592e Author: kim Date: Thu Mar 21 23:06:28 2024 +0100 Move files to this submodule
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..e69de29
diff --git a/files/etc/apt/apt.conf.d/20auto-upgrades b/files/etc/apt/apt.conf.d/20auto-upgrades
new file mode 100644
index 0000000..7ef370f
--- /dev/null
+++ b/files/etc/apt/apt.conf.d/20auto-upgrades
@@ -0,0 +1,2 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
\ No newline at end of file
diff --git a/files/etc/ssh/sshd_config b/files/etc/ssh/sshd_config
new file mode 100644
index 0000000..2d7f818
--- /dev/null
+++ b/files/etc/ssh/sshd_config
@@ -0,0 +1,18 @@
+Port 22
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+SyslogFacility AUTH
+PermitRootLogin without-password
+MaxAuthTries 4
+PubkeyAuthentication yes
+AuthorizedKeysFile .ssh/authorized_keys
+IgnoreRhosts yes
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+UsePAM yes
+X11Forwarding no
+PrintMotd no
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
+ClientAliveInterval 120
\ No newline at end of file
diff --git a/tasks/config.yml b/tasks/config.yml
new file mode 100644
index 0000000..7cf0355
--- /dev/null
+++ b/tasks/config.yml
@@ -0,0 +1,21 @@
+- name: copy base configs
+ copy:
+ src: etc/apt/apt.conf.d/20auto-upgrades
+ dest: /etc/apt/apt.conf.d/20auto-upgrades
+
+- name: set local timezone
+ file:
+ state: link
+ src: /usr/share/zoneinfo/Europe/Berlin
+ dest: /etc/localtime
+
+- name: Ensure the US locale exists
+ community.general.locale_gen:
+ name: en_US.UTF-8
+ state: present
+
+- name: Ensure the DE locale exists
+ community.general.locale_gen:
+ name: de_DE.UTF-8
+ state: present
+
diff --git a/tasks/customs.yml b/tasks/customs.yml
new file mode 100644
index 0000000..b064c4c
--- /dev/null
+++ b/tasks/customs.yml
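Review bot: `PermitRootLogin without-password` and `ChallengeResponseAuthentication no` in files/etc/ssh/sshd_config use spellings that current OpenSSH documents as deprecated aliases (`prohibit-password` and `KbdInteractiveAuthentication`); sshd still accepts them today, but a file shipped as a hardened config should use the current keywords so a later release does not reject it at reload. The file sets `SyslogFacility AUTH` but no `LogLevel`; `LogLevel VERBOSE` makes sshd record the fingerprints of offered keys, including rejected ones, which is what an investigator needs to attribute key-based access after the fact. `ClientAliveInterval 120` relies on the default `ClientAliveCountMax` of 3 for the idle disconnect; stating `ClientAliveCountMax 3` next to it documents the intended timeout.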
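Review bot: The `copy` task for 20auto-upgrades in tasks/config.yml sets no `owner`, `group` or `mode`, unlike the sshd_config copy in tasks/openssh.yml in the same commit; files under /etc/apt/apt.conf.d are read by apt as root, so pin them with `owner: root`, `group: root`, `mode: "0644"` rather than inheriting whatever the controller's file carries. The `file: state: link` task for /etc/localtime will refuse to replace a regular file unless `force: true` is set; Debian normally ships /etc/localtime as a symlink, so this only matters for hosts that have been hand-edited, but the failure mode is worth a comment.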
@@ -0,0 +1,19 @@
+- name: Add azlux.fr GPG apt key
+ apt_key:
+ url: https://azlux.fr/repo.gpg.key
+ state: present
+
+- name: Add azlux.fr repository
+ apt_repository:
+ repo: deb http://packages.azlux.fr/debian bookworm main
+ state: present
+
+- name: install ctop package from azlux.fr
+ tags: [apt]
+ apt:
+ autoremove: yes
+ update_cache: yes
+ cache_valid_time: 3600
+ state: present
+ name:
+ - docker-ctop
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..53eaed7
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,15 @@
+- name: base config
+ import_tasks: config.yml
+
+- name: install packages
+ import_tasks: packages.yml
+
+- name: install custom software
+ import_tasks: customs.yml
+
+- name: openssh settings
+ import_tasks: openssh.yml
+
+- name: performance optimisation
+ import_tasks: performance.yml
+
diff --git a/tasks/openssh.yml b/tasks/openssh.yml
new file mode 100644
index 0000000..611f779
--- /dev/null
+++ b/tasks/openssh.yml
@@ -0,0 +1,15 @@
+- name: Add hardened SSH config
+ copy:
+ src: etc/ssh/sshd_config
+ dest: /etc/ssh/sshd_config
+ owner: root
+ group: root
+ mode: 0600
+ register: config_change
+
+- name: Reload SSH daemon after config change
+ systemd:
+ name: ssh.service
+ daemon_reload: yes
+ state: reloaded
+ when: config_change.changed
\ No newline at end of file
diff --git a/tasks/packages.yml b/tasks/packages.yml
new file mode 100644
index 0000000..61e2e79
--- /dev/null
+++ b/tasks/packages.yml
@@ -0,0 +1,33 @@
+
+- name: install software packages
+ tags: [apt]
+ apt:
+ autoremove: yes
+ update_cache: yes
+ cache_valid_time: 3600
+ state: present
+ name:
+ - cron
+ - curl
+ - ca-certificates
+ - gnupg
+ - dnsutils
+ - htop
+ - iftop
+ - iperf3
+ - iputils-ping
+ - iotop
+ - sysstat
+ - jq
+ - rsync
+ - tcpdump
+ - tmux
+ - unattended-upgrades
+ - vim
+ - wget
+ - lsb-release
+ - qemu-guest-agent
+ - nload
+ - sysstat
+ - needrestart
+ - ncat
\ No newline at end of file
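Review bot: The `apt_key` task in tasks/customs.yml puts the azlux.fr key into apt's global trusted keyring, so that third-party key is accepted as a signer for every configured repository, not just packages.azlux.fr; Ansible's own documentation for `apt_key` also notes that the `apt-key` tool it wraps is deprecated. Download the key to its own file under /etc/apt/keyrings and bind it to the repository with `[signed-by=...]` so trust is scoped to that one source. The repo line is plain `http://`, which apt's signature verification tolerates for integrity, but `https://` would additionally keep the package names fetched from being visible on the path if the mirror offers it. The first two tasks rewritten accordingly follow; the ctop install task is unchanged, and if `repo.gpg.key` turns out to be binary rather than ASCII-armoured, name the destination `.gpg` instead of `.asc`.
```yaml
- name: Add azlux.fr signing key to a dedicated keyring
  ansible.builtin.get_url:
    url: https://azlux.fr/repo.gpg.key
    dest: /etc/apt/keyrings/azlux.asc
    owner: root
    group: root
    mode: "0644"

- name: Add azlux.fr repository scoped to that key
  ansible.builtin.apt_repository:
    repo: deb [signed-by=/etc/apt/keyrings/azlux.asc] http://packages.azlux.fr/debian bookworm main
    state: present

# … unchanged: install ctop package from azlux.fr …
```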
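Review bot: tasks/main.yml imports config, packages, customs, openssh and performance, but tasks/swap.yml, also added in this commit, is never imported, so its tasks do not run as part of this role. If that is deliberate (swap only on selected hosts), a one-line comment such as `# swap.yml is intentionally not imported; include it per host where swap is wanted` saves the next reader a search; otherwise add `- name: swap setup` / `import_tasks: swap.yml` here.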
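Review bot: The sshd_config copy in tasks/openssh.yml has no `validate`, so a syntax error in files/etc/ssh/sshd_config is written over the live config before anything checks it; add `validate: /usr/sbin/sshd -t -f %s` to the copy task so a broken file is rejected and the running daemon keeps its current config. `daemon_reload: yes` on the systemd task re-reads unit files, not sshd's configuration — `state: reloaded` alone is what applies the new sshd_config, so the flag can go. Because the shipped config sets `PasswordAuthentication no` and nothing in this commit deploys an authorized key, applying this role to a host without one locks out interactive access; that precondition belongs in README.md, which this commit adds empty.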
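Review bot: `sysstat` is listed twice in the package list in tasks/packages.yml (once after `iotop`, again after `nload`); apt tolerates the duplicate, but drop the second `- sysstat` so the list stays a faithful inventory. `autoremove: yes` together with `state: present` runs an autoremove on every execution of this install task, which can silently remove packages an operator installed as dependencies; a separate, clearly named autoremove task makes that side effect visible in the play output. The same combination appears in tasks/customs.yml.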
diff --git a/tasks/performance.yml b/tasks/performance.yml
new file mode 100644
index 0000000..50f523b
--- /dev/null
+++ b/tasks/performance.yml
@@ -0,0 +1,5 @@
+- name: run fstrim
+ ansible.builtin.cron:
+ name: "fstrim"
+ special_time: weekly
+ job: "/sbin/fstrim --all"
\ No newline at end of file
diff --git a/tasks/swap.yml b/tasks/swap.yml
new file mode 100644
index 0000000..b8b4134
--- /dev/null
+++ b/tasks/swap.yml
@@ -0,0 +1,37 @@
+
+- name: Check whether swap is already enabled or not
+ shell: cat /etc/sysctl.conf
+ register: swap_enabled
+ check_mode: false
+ changed_when: false
+
+- block:
+ - name: create swap file
+ command: dd if=/dev/zero of=/swapfile bs=1G count=4
+
+ - name: change permission type
+ file: path=/swapfile mode=600 state=file
+
+ - name: setup swap
+ command: mkswap /swapfile
+
+ - name: create swap
+ command: swapon /swapfile
+
+ - name: Add to fstab
+ action: lineinfile dest=/etc/fstab regexp="swapfile" line="/swapfile none swap sw 0 0" state=present
+
+ - name: start swap
+ command: swapon -a
+
+ - name: set swapiness
+ sysctl:
+ name: vm.swappiness
+ value: "10"
+
+ - name: set swapiness
+ sysctl:
+ name: vm.vfs_cache_pressure
+ value: "50"
+
+ when: swap_enabled.stdout.find('swappiness') == -1
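Review bot: The cron job in tasks/performance.yml duplicates the weekly `fstrim` timer that util-linux ships as `fstrim.timer` on Debian (check which package provides it on bookworm); enabling that unit with `ansible.builtin.systemd` (`name: fstrim.timer`, `enabled: true`, `state: started`) avoids two trim jobs running on different schedules and lets systemd report the last run. If cron is kept on purpose, note in the task that it depends on the `cron` package installed by tasks/packages.yml, which tasks/main.yml imports before this file.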
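Review bot: The block in tasks/swap.yml is gated on whether /etc/sysctl.conf mentions `swappiness`, not on the swap file itself, so a host whose sysctl.conf already sets swappiness never gets a swap file, while a host without that line re-runs `dd` against /swapfile on every play — which either fails on an active swap file or overwrites an inactive one. The `dd` also creates /swapfile with whatever the default umask yields and only the following task tightens it to 0600; creating it and fixing the mode should be idempotent, and the mode is better written as a quoted octal string so a later conversion to YAML `mode: 600` does not silently become decimal. The gate and the first two tasks of the block rewritten that way follow; mkswap, swapon, fstab and the sysctl tasks are unchanged, though `swapon -a` after `swapon /swapfile` is redundant and the second task named `set swapiness` actually sets `vm.vfs_cache_pressure`.
```yaml
- name: Check whether the swap file already exists
  ansible.builtin.stat:
    path: /swapfile
  register: swapfile

- block:
    - name: create swap file
      ansible.builtin.command: dd if=/dev/zero of=/swapfile bs=1G count=4
      args:
        creates: /swapfile

    - name: restrict swap file permissions
      ansible.builtin.file:
        path: /swapfile
        owner: root
        group: root
        mode: "0600"

    # … unchanged: mkswap, swapon, fstab entry, vm.swappiness, vm.vfs_cache_pressure …

  when: not swapfile.stat.exists
```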