From 10faf80ff91257acf2090a776ad4ed44f14d261e Mon Sep 17 00:00:00 2001
From: Dirk Wirts
Date: Thu, 26 Oct 2023 15:20:20 +0200
Subject: [PATCH] Erster Upload
---
Inventories/prod/inventory | 0
Inventories/test/group_vars/debian.yml | 0
Inventories/test/host_vars/ansible-test01.yml | 9 ++++
Inventories/test/host_vars/ansible-test02.yml | 9 ++++
Inventories/test/inventory | 0
ansible-diskspace.yml | 21 +++++++++
ansible-ping.yml | 0
ansible-reboot-required.yml | 14 ++++++
ansible-set-static-ip.yml | 42 +++++++++++++++++
ansible-update.yml | 27 +++++++++++
ansible_add-ssh-key.yml | 18 +++++++
ansible_docker-cleanup.yml | 14 ++++++
inventory.ini | 3 ++
set-pw-rules.yml | 47 +++++++++++++++++++
14 files changed, 204 insertions(+)
create mode 100644 Inventories/prod/inventory
create mode 100644 Inventories/test/group_vars/debian.yml
create mode 100644 Inventories/test/host_vars/ansible-test01.yml
create mode 100644 Inventories/test/host_vars/ansible-test02.yml
create mode 100644 Inventories/test/inventory
create mode 100644 ansible-diskspace.yml
create mode 100644 ansible-ping.yml
create mode 100644 ansible-reboot-required.yml
create mode 100644 ansible-set-static-ip.yml
create mode 100644 ansible-update.yml
create mode 100644 ansible_add-ssh-key.yml
create mode 100644 ansible_docker-cleanup.yml
create mode 100644 inventory.ini
create mode 100644 set-pw-rules.yml
diff --git a/Inventories/prod/inventory b/Inventories/prod/inventory
new file mode 100644
index 0000000..e69de29
diff --git a/Inventories/test/group_vars/debian.yml b/Inventories/test/group_vars/debian.yml
new file mode 100644
index 0000000..e69de29
diff --git a/Inventories/test/host_vars/ansible-test01.yml b/Inventories/test/host_vars/ansible-test01.yml
new file mode 100644
index 0000000..9207ad2
--- /dev/null
+++ b/Inventories/test/host_vars/ansible-test01.yml
@@ -0,0 +1,9 @@
+interface_name: eth0
+static_ip: 172.20.1.31
+netmask: 255.255.255.0
+gateway: 172.20.1.251
+dns_servers:
+ - 172.20.1.251
+ - 172.20.1.10
+ - 172.20.1.11
+ - 8.8.8.8
diff --git a/Inventories/test/host_vars/ansible-test02.yml b/Inventories/test/host_vars/ansible-test02.yml
new file mode 100644
index 0000000..1b70b6f
--- /dev/null
+++ b/Inventories/test/host_vars/ansible-test02.yml
@@ -0,0 +1,9 @@
+interface_name: eth0
+static_ip: 172.20.1.32
+netmask: 255.255.255.0
+gateway: 172.20.1.251
+dns_servers:
+ - 172.20.1.251
+ - 172.20.1.10
+ - 172.20.1.11
+ - 8.8.8.8
diff --git a/Inventories/test/inventory b/Inventories/test/inventory
new file mode 100644
index 0000000..e69de29
diff --git a/ansible-diskspace.yml b/ansible-diskspace.yml
new file mode 100644
index 0000000..28b398b
--- /dev/null
+++ b/ansible-diskspace.yml
@@ -0,0 +1,21 @@
+---
+- name: check disk space
+# hosts: "{{ hosts }}"
+ hosts: all
+ tasks:
+ - name: get disk usage
+ command: df -h
+ register: disk_usage
+ - name: check disk space available
+ shell: df -h / | awk 'NR==2 {print $5}'
+ register: disk_usage
+ # - name: send discord message when disk space is over 80%
+ # uri:
+ # url: "your-webhook"
+ # method: POST
+ # body_format: json
+ # body: '{"content": "Disk space on {{ inventory_hostname }} is above 80%!"}'
+ # headers:
+ # Content-Type: application/json
+ # status_code: 204
+ # when: disk_usage.stdout[:-1]|int > 80
\ No newline at end of file
diff --git a/ansible-ping.yml b/ansible-ping.yml
new file mode 100644
index 0000000..e69de29
diff --git a/ansible-reboot-required.yml b/ansible-reboot-required.yml
new file mode 100644
index 0000000..ef3940c
--- /dev/null
+++ b/ansible-reboot-required.yml
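Review bot: `netmask`, `gateway` and `dns_servers` are byte-identical in both host_vars files while `Inventories/test/group_vars/debian.yml` is created empty in the same commit; the shared values belong in that group_vars file so that only `static_ip` (and `interface_name`, if it ever differs) stays per host. `netmask` is consumed in two forms by ansible-set-static-ip.yml — verbatim in the `/etc/network/interfaces` stanza and through `ipaddr('prefix')` for nmcli — so a comment such as `# dotted-quad form; the static-ip play derives the prefix length for nmcli from it` would stop the next editor from writing `24` here. `interface_name: eth0` is also worth a comment saying it must match the name the host actually reports, since newer Debian installs commonly use predictable names.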
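Review bot: `static_ip: 172.20.1.32` disagrees with inventory.ini, which lists ansible-test02 at `ansible_host=172.20.1.167`; once ansible-set-static-ip.yml applies this value the inventory address is stale and the next play will no longer reach the host (ansible-test01 is consistent at .31 in both places). Either set `ansible_host` to the intended static address, or add a comment in inventory.ini that .167 is the pre-migration lease and must be updated after the static-IP play has run.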
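Review bot: Both tasks register into `disk_usage`, so the `df -h` output from the first task is overwritten before anything reads it; either drop the first task or give it its own name, e.g. `register: disk_usage_full`. The two read-only `df` commands also report `changed` on every run because nothing sets `changed_when: false`, which makes the play recap useless for spotting real changes. The disabled webhook block reads `disk_usage.stdout`, so if it is revived the register name must stay in step with the `awk` task. The file also lacks a trailing newline.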
@@ -0,0 +1,14 @@
+---
+- name: check if system reboot is required
+# hosts: "{{ hosts }}"
+ hosts: all
+ become: yes
+ tasks:
+ - name: check if system reboot is required
+ become: true
+ stat:
+ path: /var/run/reboot-required
+ register: reboot_required
+ - debug:
+ msg: "Reboot is required"
+ when: reboot_required.stat.exists
\ No newline at end of file
diff --git a/ansible-set-static-ip.yml b/ansible-set-static-ip.yml
new file mode 100644
index 0000000..f441e07
--- /dev/null
+++ b/ansible-set-static-ip.yml
@@ -0,0 +1,42 @@
+---
+- name: IP von DHCP auf Static ändern basierend auf individuellen envs Dateien
+ hosts: debian
+ become: yes
+ tasks:
+ - name: Zeige den Wert der Variable an
+ debug:
+ var: interface_name
+
+ - name: Überprüfe, ob NetworkManager installiert ist
+ command: dpkg-query -l network-manager
+ register: dpkg_query_result
+ ignore_errors: yes
+
+ - name: Setze statische IP wenn NetworkManager installiert ist
+ block:
+ - name: Deaktiviere DHCP im NetworkManager
+ command: "nmcli connection modify {{ interface_name }} ipv4.method manual ipv4.addresses '{{ static_ip }}/{{ netmask | ipaddr('prefix') }}' ipv4.gateway '{{ gateway }}' ipv4.dns '{{ dns_servers | join(',') }}'"
+ - name: Starte NetworkManager neu
+ service:
+ name: NetworkManager
+ state: restarted
+ when: dpkg_query_result.rc == 0
+
+ - name: Setze statische IP wenn NetworkManager NICHT installiert ist
+ block:
+ - name: Sichere die aktuelle Netzwerkkonfiguration
+ copy:
+ src: /etc/network/interfaces
+ dest: /etc/network/interfaces.backup
+ - name: Setze statische IP in /etc/network/interfaces
+ blockinfile:
+ path: /etc/network/interfaces
+ block: |
+ iface {{ interface_name }} inet static
+ address {{ static_ip }}
+ netmask {{ netmask }}
+ gateway {{ gateway }}
+ dns-nameservers {{ dns_servers | join(' ') }}
+ - name: Starte Netzwerk neu
+ command: systemctl restart networking
+ when: dpkg_query_result.rc != 0
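Review bot: A `stat` of `/var/run/reboot-required` should not need root on a stock Debian host, yet the play sets `become: yes` and the task repeats it as `become: true`; dropping both lets this check run without sudo rights on the targets, which is the least privilege this play needs. Mixing `yes` and `true` for the same option in one file should also be settled on `true`/`false` (yamllint `truthy`). The `debug` task has no `name:` and shows up as `TASK [debug]`; `- name: report pending reboot` reads better in the recap. The file also ends without a trailing newline.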
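Review bot: The "backup" in `Sichere die aktuelle Netzwerkkonfiguration` uses `copy` with `src: /etc/network/interfaces` and no `remote_src`, so Ansible reads that path on the control node and writes it to the target — the managed host's own file is never saved. Add `remote_src: true` to that task, or delete it and put `backup: true` on the `blockinfile` task, which keeps a timestamped copy before editing. `blockinfile` then appends an `iface … inet static` stanza but leaves any existing `inet dhcp` stanza for the same interface in place, so the result on a DHCP host likely has two definitions — worth a `regexp`/`lineinfile` step or at least a comment. `ignore_errors: yes` on the `dpkg-query` task prints a red failure and counts it in the recap; `failed_when: false` together with `changed_when: false` is the intended form for a probe. Restarting networking over the same SSH session mid-play will drop the connection once the address changes, so the restart step should at least carry `async`/`poll: 0` or a comment saying the play is expected to lose the host there.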
diff --git a/ansible-update.yml b/ansible-update.yml
new file mode 100644
index 0000000..effbfd8
--- /dev/null
+++ b/ansible-update.yml
@@ -0,0 +1,27 @@
+---
+- name: Update and upgrade apt packages
+ hosts: all
+ become: yes
+ tasks:
+ - name: Update packages with apt
+ when: ansible_pkg_mgr == 'apt'
+ apt:
+ update_cache: yes
+
+ - name: Update packages with yum
+ when: ansible_pkg_mgr == 'yum'
+ yum:
+ name: '*'
+ state: latest
+
+ - name: Upgrade packages with apt
+ when: ansible_pkg_mgr == 'apt'
+ apt:
+ upgrade: dist
+
+ - name: Upgrade packages with yum
+ when: ansible_pkg_mgr == 'yum'
+ yum:
+ name: '*'
+ state: latest
+ exclude: kernel*
\ No newline at end of file
diff --git a/ansible_add-ssh-key.yml b/ansible_add-ssh-key.yml
new file mode 100644
index 0000000..7d1e37d
--- /dev/null
+++ b/ansible_add-ssh-key.yml
@@ -0,0 +1,18 @@
+---
+- name: add ssh key
+# hosts: "{{ hosts }}"
+ hosts: all
+ become: yes
+ tasks:
+ - name: install public keys
+ ansible.posix.authorized_key:
+ user: "{{ lookup('env','USER') }}"
+ state: present
+ key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
+ - name: change sudoers file
+ lineinfile:
+ path: /etc/sudoers
+ state: present
+ regexp: '^%sudo'
+ line: '%sudo ALL=(ALL) NOPASSWD: ALL'
+ validate: /usr/sbin/visudo -cf %s
\ No newline at end of file
diff --git a/ansible_docker-cleanup.yml b/ansible_docker-cleanup.yml
new file mode 100644
index 0000000..0e557db
--- /dev/null
+++ b/ansible_docker-cleanup.yml
@@ -0,0 +1,14 @@
+---
+- name: clean docker
+# hosts: "{{ hosts }}"
+ hosts: all
+ tasks:
+ - name: prune non-dangling images
+ community.docker.docker_prune:
+ containers: false
+ images: true
+ images_filters:
+ dangling: false
+ networks: false
+ volumes: false
+ builder_cache: false
diff --git a/inventory.ini b/inventory.ini
new file mode 100644
index 0000000..f5168a9
--- /dev/null
+++ b/inventory.ini
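Review bot: The `Update packages with yum` task already runs `name: '*'` with `state: latest`, i.e. a full upgrade including the kernel, before the `Upgrade packages with yum` task that carries `exclude: kernel*`; the exclusion therefore never takes effect. If the first task is meant to mirror `apt: update_cache: yes`, it should be `yum: update_cache: true` and leave the upgrade to the second task. Whether kernel updates should be skipped at all is a security decision that deserves a comment on the `exclude:` line, since kernel fixes are exactly what the reboot-required check in this commit exists to surface. The play name says "apt packages" although half the tasks are yum, and the file ends without a trailing newline.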
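Review bot: The `change sudoers file` task grants the whole `%sudo` group passwordless root (`NOPASSWD: ALL`) on every host in `hosts: all`, a much larger privilege change than the play name "add ssh key" suggests, and it is applied silently whenever someone runs this just to push a key. It belongs in its own play, or at least behind an explicit opt-in such as `when: allow_passwordless_sudo | default(false)`; writing a drop-in under `/etc/sudoers.d/` with `mode: '0440'` and the same `validate:` would also leave the main sudoers file untouched. Separately, `lookup('env','USER')` is evaluated on the control node, so the key is installed for the operator's local username on every target rather than an account chosen per host — if that is intended, a comment should say so, otherwise `user:` should come from an inventory variable. The file also lacks a trailing newline.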
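Review bot: `images_filters: dangling: false` makes `docker_prune` remove every image not in use by a container, not only untagged layers, which the task name states but a reader of the filter may not expect; a comment such as `# dangling: false → prune ALL unused images, not just untagged layers` documents the intent next to the value. The play has no `become:`, so the SSH user must already be able to reach the Docker socket — usually via the `docker` group, which is root-equivalent — and that assumption is worth stating in a comment, or `become: true` should be added as the other plays in this commit do. Since the task is destructive, a `when:` guard or `--check`-friendly note would help before it is run against `hosts: all`.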
@@ -0,0 +1,3 @@
+[debian]
+ansible-test01 ansible_host=172.20.1.31 hostname=ansible-test01
+ansible-test02 ansible_host=172.20.1.167 hostname=ansible-test02
\ No newline at end of file
diff --git a/set-pw-rules.yml b/set-pw-rules.yml
new file mode 100644
index 0000000..330b7a4
--- /dev/null
+++ b/set-pw-rules.yml
@@ -0,0 +1,47 @@
+---
+- name: Set Password Policies on Debian 11
+ hosts: all
+ become: yes
+ tasks:
+
+ - name: Install necessary packages
+ apt:
+ name:
+ - libpam-pwquality
+ - cracklib-runtime
+ state: present
+
+ - name: Set password quality requirements in PAM
+ lineinfile:
+ dest: /etc/security/pwquality.conf
+ regexp: "^{{ item.regexp }}"
+ line: "{{ item.line }}"
+ state: present
+ loop:
+ - { regexp: "^# minlen", line: "minlen = 10" }
+ - { regexp: "^# minclass", line: "minclass = 4" }
+ - { regexp: "^# maxrepeat", line: "maxrepeat = 3" }
+ - { regexp: "^# remember", line: "remember = 6" }
+ - { regexp: "^# retry", line: "retry = 3" }
+ notify:
+ - restart ssh
+
+ - name: Enforce password change every 180 days
+ lineinfile:
+ dest: /etc/login.defs
+ regexp: '^PASS_MAX_DAYS'
+ line: 'PASS_MAX_DAYS 180'
+ state: present
+
+ - name: Force existing users to comply with new policy upon next login
+ command: chage -m 1 -M 180 -W 15 -I 15 {{ item }}
+ with_fileglob:
+ - /home/*
+ loop_control:
+ loop_var: item
+ when: item is directory
+ handlers:
+ - name: restart ssh
+ service:
+ name: ssh
+ state: restarted
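Review bot: The host_vars for these two hosts live under `Inventories/test/host_vars/`, but Ansible only loads host_vars that sit next to the inventory source (or the playbook), and the `Inventories/test/inventory` file created in this commit is empty; running with `-i inventory.ini` from the repo root therefore leaves `interface_name`/`static_ip` undefined for ansible-set-static-ip.yml, unless they are supplied some other way. Either populate `Inventories/test/inventory` with this `[debian]` group or move the host_vars directory next to `inventory.ini`. The `hostname=` variable is not read by any play in this commit, and the file lacks a trailing newline.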
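Review bot: `with_fileglob` is a lookup and therefore expands `/home/*` on the control node, yielding full paths such as `/home/alice`, so the `chage … {{ item }}` task enumerates the operator's machine rather than the target and passes a path where chage expects a username (the `item is directory` test is local for the same reason). The task should instead take accounts from the managed host, e.g. via the `getent` module and a uid-range filter as sketched below, and its name should say which uid range counts as a "user". The `lineinfile` loop doubles the anchor (`"^{{ item.regexp }}"` with `"^# minlen"` gives `^^# minlen`) and only matches the commented default, so a later change such as `minlen = 12` appends a second line instead of replacing the first; `regexp: '^#?\s*{{ item.key }}\b'` with `line: "{{ item.key }} = {{ item.value }}"` would cover both states. `notify: restart ssh` is not needed for a pwquality.conf edit (PAM reads it per login), and `remember` looks like a pam_pwhistory/pam_unix option rather than a pwquality.conf key — please confirm before keeping it.

```yaml
    - name: Collect local accounts from the managed host
      getent:
        database: passwd

    - name: Force existing users to comply with new policy upon next login
      command: chage -m 1 -M 180 -W 15 -I 15 {{ item.key }}
      loop: "{{ getent_passwd | dict2items }}"
      loop_control:
        label: "{{ item.key }}"
      # index 1 of each getent_passwd entry is the uid; 1000–65533 are regular users on Debian
      when: (item.value[1] | int) >= 1000 and (item.value[1] | int) < 65534
  # … unchanged: handlers …
```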