Initialize repo for the sysadmin packages helper.

2023-07-03 15:20:02 -07:00 · 2023-07-03 15:20:02 -07:00 · f3fac3c2a2
commit f3fac3c2a2
11 changed files with 150 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
--- a/17
+++ b/17
@ -0,0 +1,17 @@
+MIT No Attribution License
+
+Copyright (c) 2023 Brian Lee
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the “Software”), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so.
+
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
--- a/README.md
+++ b/README.md
@ -0,0 +1,18 @@
+# linux role
+
+This is an Ansible role that installs a baseline of useful packages for the Linux system administrator.
+
+It is intended to be composed along with other playbooks in the micro-stack pattern (as described by Kief Morris' Infrastructure as Code, 2nd edition).
+
+## requirements
+
+* role: bleetube-dotfiles
+
+## TODO
+
+* include difftastic
+* maybe include fzf, but not via apt because its an old version
+* selectively prevent updates (e.g. [postgresql](https://askubuntu.com/a/18656))
+* add a RedHat profile for Almalinux and Opensuse
+* configurable username
+* CI tests
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -0,0 +1,2 @@
+---
+sysadmin_packages: []
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -0,0 +1,3 @@
+---
+- name: restart ssh 
+  service: name=sshd state=restarted
--- a/meta/main.yml
+++ b/meta/main.yml
@ -0,0 +1,2 @@
+---
+dependencies: []
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,22 @@
+---
+- import_tasks: setup-Debian.yml
+  when: ansible_os_family == 'Debian'
+
+- import_tasks: setup-RedHat.yml
+  when: ansible_os_family == 'RedHat'
+
+- import_tasks: setup-Arch.yml
+  when: ansible_os_family == 'Archlinux'
+
+- name: Load a variable file based on the OS type, or a default if not found.
+  include_vars: "{{ item }}"
+  with_first_found:
+    - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml"
+    - "{{ ansible_distribution }}.yml"
+    - "{{ ansible_os_family }}.yml"
+    - "Debian.yml"
+
+- name: Ensure sysadmin utility packages are installed.
+  ansible.builtin.package:
+    state: present
+    name: "{{ sysadmin_packages }}"
--- a/tasks/setup-Arch.yml
+++ b/tasks/setup-Arch.yml
@ -0,0 +1,4 @@
+---
+- name: Set timezone to UTC
+  community.general.timezone:
+    name: UTC
--- a/tasks/setup-Debian.yml
+++ b/tasks/setup-Debian.yml
@ -0,0 +1,59 @@
+---
+- name: Set timezone to UTC
+  community.general.timezone:
+    name: UTC
+
+- name: Let root authenticate via ssh pubkey, Ubuntu.
+  ansible.builtin.replace:
+    path: /root/.ssh/authorized_keys
+    regexp: '^no.*(ssh.*)$'
+    replace: '\1'
+
+- name: Check for Unattended-Upgrade
+  ansible.builtin.stat:
+    path: /etc/apt/apt.conf.d/20auto-upgrades
+  register: unattended_upgrade
+
+- name: Ensure apt automatic upgrades are not enabled.
+  lineinfile:
+    path: /etc/apt/apt.conf.d/20auto-upgrades
+    regexp: 'APT::Periodic::Unattended-Upgrade "1";'
+    line: 'APT::Periodic::Unattended-Upgrade "0";'
+  when: unattended_upgrade.stat.exists
+
+- name: Ensure unnecessary packages from Ubuntu are removed.
+  ansible.builtin.apt:
+    state: absent
+    name:
+      - snapd
+      - lxd-agent-loader
+      - modemmanager        # Curious: mmcli --list-modems
+  register: apt_status
+  until: apt_status is success
+  delay: 6
+  retries: 10
+
+- name: Only run "update_cache=yes" if the last one is more than 3600 seconds ago
+  ansible.builtin.apt:
+    update_cache: yes
+    cache_valid_time: 3600
+
+#- name: Update Linux Kernel
+#  ansible.builtin.apt:
+#    name: linux-image-amd64
+#    state: latest
+#  register: kernel_version
+#
+#- name: Reboot a slow machine that might have lots of updates to apply
+#  ansible.builtin.reboot:
+#    reboot_timeout: 3600
+#  when: kernel_version is changed
+
+- name: Update all packages to their latest version
+  ansible.builtin.apt:
+    name: '*'
+    state: latest
+
+- name: Remove dependencies that are no longer required
+  ansible.builtin.apt:
+    autoremove: yes
--- a/tasks/setup-RedHat.yml
+++ b/tasks/setup-RedHat.yml
@ -0,0 +1,4 @@
+---
+- name: Set timezone to UTC
+  community.general.timezone:
+    name: UTC
--- a/vars/Debian.yml
+++ b/vars/Debian.yml
@ -0,0 +1,19 @@
+---
+sysadmin_packages:
+  - curl
+  - dnsutils
+  - git
+  - gpg
+  - htop
+  - iptables
+  - iputils-ping
+  - jq
+  - net-tools
+  - netcat
+  - psmisc
+  - python-is-python3
+  - rsync
+  - tcpdump
+  - tmux
+  - tree
+  - vim