Commit Graph

160 Commits

Author SHA1 Message Date
4faeb79b5c
roles/common: Add zstd to base packages 2019-09-14 20:36:40 +03:00
43715dd392
roles/common: Use stable tarsnap 2019-09-13 22:14:49 +03:00
7551b803f6
roles/common: Use iptables 1.8.3 on Debian Buster
There is a bug in iptables 1.8.2 in Debian 10 "Buster" that causes
firewalld to fail when restoring rules. The bug has been fixed in
iptables 1.8.3, which is currently in buster-backports.

See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914694
2019-08-01 15:36:15 +03:00
7d8457e5b3
roles/common: Remove old SSH public key 2019-07-23 16:07:39 +03:00
c148da73e7
roles/common: Use experimental Tarsnap on Debian buster
Tarsnap currently provides experimental packages for Debian Buster.

See: https://www.tarsnap.com/pkg-deb.html#experimental
2019-07-19 12:07:27 +03:00
03e2abc4fb roles/common: Install gnupg2 on Debian
Needed by Ansible to add and verify apt package signing keys.
2019-07-07 15:52:25 +03:00
12b6f3aaa2
roles/common: Don't ignore errors on Tarsnap key add
It turns out that I had the wrong key ID so it's no wonder this was
failing...
2019-07-07 15:51:04 +03:00
704b02ce0a
roles/common: Fix tarsnap package key
For some reason the key ID I had here was wrong. According to the
Tarsnap website the key ID is 0x6D97F5A4CA38CF33.

ee: https://www.tarsnap.com/pkg-deb.html
2019-07-07 15:49:45 +03:00
709a947987
Merge branch 'debian10' 2019-07-06 21:43:41 +03:00
3b95730417
roles/common: Synchronize Debian package task with Ubuntu 2019-07-06 21:36:04 +03:00
10200e52ab
roles/common: Use a fact for base packages on Debian
This is safer and ends up being faster because all packages get in-
stalled in one apt transaction.
2019-07-06 21:31:59 +03:00
39622077cd roles/common: Use Debian 9 tarsnap packages
There are no tarsnap binaries for Debian 10 yet.
2019-07-06 21:16:19 +03:00
b79001f97a roles/common: Update security.sources.list for cron-apt
We need to make sure to get security updates for packages that are
not in main!
2019-07-06 21:16:19 +03:00
207296b1f8 roles/common: Update Debian security apt repository
See: https://www.debian.org/security/
2019-07-06 21:16:19 +03:00
1b4e9ae87c roles/common: Install Python 3 version of pycurl on Debian 10
Debian 10 comes with Python 2 and Python 3 (at least from the ISO),
so we should prefer the Python 3 version of pycurl. We'll see whet-
her cloud providers like Linode and Digital Ocean ship with Python
3 or not in their default image.
2019-07-06 21:16:19 +03:00
da4a6660fb roles/common: Update comment in tasks/ntp.yml 2019-07-06 21:16:19 +03:00
dd5662911e roles/common: Import sshd_config from Debian 10
OpenSSH version is 7.9p1-10.
2019-07-06 21:16:19 +03:00
5957f5f2c5
roles: The apt cache_valid_time implies update_cache
See: https://docs.ansible.com/ansible/latest/modules/apt_module.html
2019-03-17 17:29:28 +02:00
c5b5cda3d3
Smarter updating of apt index during playbook execution
We can register changes when adding repositories and keys and then
update the apt package index conditionally. This should make it be
more consistent between initial host setup and subsequent re-runs.
2019-03-17 17:29:15 +02:00
bec79f18d1
roles/common: Ignore tarsnap key errors
Ansible errors on adding the tarsnap signing key because it is not
valid (expired a month ago). I contacted Colin Percival about this
on Twitter but he did not seem worried for some reason.
2019-03-13 12:36:47 +02:00
18ee583261
roles/common: Don't log brute force SSH attempts
This is nice to see that the throttling is working, but the logs are
completely full of this useless crap now.
2019-02-26 10:30:03 -08:00
329edaee87
roles/common: Rate limit SSH connections in firewalld
I think 5 connections per minute is more than enough. Any over this
and it will be logged to the systemd journal as a warning.

See: https://www.win.tue.nl/~vincenth/ssh_rate_limit_firewalld.htm
See: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/configuring_complex_firewall_rules_with_the_rich-language_syntax
2019-01-28 14:09:18 +02:00
9921a40c19
roles/common: Update comment 2018-12-20 10:31:18 +02:00
91356ab364
roles/common: Disable Canonical spam in MOTD 2018-12-20 10:27:52 +02:00
49cfbc4c47
roles/common: Add missing systemd-journald config
I apparently forgot to add this when I committed the systemd-journald
changes a few weeks ago.
2018-12-20 09:59:13 +02:00
96f14bdda7
roles/common: Remove blank line 2018-12-20 09:57:47 +02:00
6aed22b633
roles/common: Use one task to remove Ubuntu packages
I had previously been removing some packages for security reasons,
then removing others because they were annoying, and yet *others*
because they were annoying on newer Ubuntus only. It is easier to
just unify these tasks and remove them all in one go.

On older Ubuntus where some packages don't exist the task will just
succeed because the package is absent anyways.
2018-12-20 09:54:46 +02:00
a15faabe32
roles/common: Update apt cache only if it's older than 1 hour 2018-12-20 09:40:10 +02:00
aeaa96b753
roles/common: Remove s3cmd from Ubuntu packages
I'm using tarsnap for backups so I don't need Amazon S3 stuff.
2018-12-20 09:38:51 +02:00
67172138a1
roles/common: Fix typo 2018-12-20 09:38:10 +02:00
400926821c
roles/common: Only update apt index if cache is older than 1 hour 2018-12-20 09:37:44 +02:00
281689e506
roles/common: Use an Ansible fact for Ubuntu packages 2018-12-20 09:36:43 +02:00
46bbb06527
roles/common: Remove more annoying packages on Ubuntu
Ubuntu 16.04 and up install a bunch of their technologies that I'm
not using, like lxc, lxd, and snaps.
2018-12-20 09:31:58 +02:00
691deb4fa7
roles/common: Use a persistent systemd journal
The default systemd journal configuration on CentOS 7 and Ubuntu
16.04 does not keep journal logs for multiple boots. This limits
the usefulness of the journal entirely (for example, try to see
sshd logs from even two or three months ago!).

Changing the storage to "persistent" makes systemd keep the logs
on disk in /var/log/journal for up to 2% of the partition size.
2018-12-07 23:46:18 +02:00
963bf65099
roles/common: Limit number of SSH authentication attempts
The default in later OpenSSH is 6, which seems too high. If you can't
get your password correct after 3 tries then I think you need help.

Eventually I'd like an easy way to enable blocking of repeated login
attempts at the firewall level. I think it's possible in firewalld.
2018-07-23 13:14:54 +03:00
f22b6af273
roles/common: Change mode of SSH public key 2018-05-30 08:32:11 -07:00
37a88f676b
roles/common: Add new SSH public key for aorth 2018-05-30 07:48:38 -07:00
131420be17
roles/common: Add task to copy tarsnaprc
One less thing to do manually after server provisioning, and there is
nothing sensitive in here anyways.
2018-05-20 12:51:02 +03:00
1a9033dece
roles/common: Use bionic tarsnap builds on Ubuntu 18.04
Tarsnap finally published builds for Ubuntu 18.04 "bionic" so we don't
need to use the 17.10 "artful" ones anymore.
2018-05-09 00:05:42 +03:00
0f512a5bf7
roles/common: Use blocks to tag children of dynamic tasks
When using dynamic includes, child tasks do not inherit tags from their
parents. You must tag the parent and each child task separately, or use
a block to group children and then apply a tag to a block.

See: https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.5.html
2018-04-26 16:58:35 +03:00
7d950ade99
roles: Remove unreachable "packages" tags
After reörganizing for dynamic includes these tags will never be reached
because the children of dynamic includes do not inherit tags from their
parents as they did with static imports.
2018-04-26 16:31:06 +03:00
ab27caf877
roles/common: Use dynamic include_tasks for firewall
Use dynamic includes instead of static imports when you are running
tasks conditionally or using variable interpolation. The down side
is that you need to then tag the parent task as well as all child
tasks, as tags only apply to children of statically imported tasks.
2018-04-25 18:58:31 +03:00
a044fd2f55
roles/common: Add missing vim modelines 2018-04-25 18:55:22 +03:00
8b660dcfbe
roles/common: Use dynamic include_tasks for packages
Basically, when using conditionals or variables in your tasks you should
use include_tasks instead of import_tasks. The down side is that you now
need to tag all included tasks individually or with a block, unlike when
using static imports (tags are applied to all imported child tasks).

I would actually like to reduce this task to a single one that uses the
host's ansible_distribution variable, but Ansible 2.5.1 currently gives
the following error: ansible_distribution is undefined.
2018-04-25 18:46:28 +03:00
9445541f51
roles/common: Always use security.ubuntu.com
Vanilla Ubuntu (and Debian actually) defaults to using the official
mirror for security updates rather than country or regional mirrors.

Also, for what it's worth, Ubuntu mirrors didn't always sync these
security archives. I'd prefer to stay closer to vanilla Ubuntu but
also it kinda makes sense to get security updates from the official
source than a mirror (in case of delay or errors).
2018-04-25 18:09:11 +03:00
832573acc5
roles/common: Remove comments from sources.list
I want this file to be more like what comes from the stock Ubuntu.
2018-04-25 18:07:55 +03:00
a7eb04a152
Import OS-specific vars from task in common role
We stopped being able to do dynamic includes from the playbooks around
Ansible 2.4.0.0 if I recall correctly. Instead we can create a task to
include the variables and make it always run by using the special tag.

For now the Debian and Ubuntu vars files are the same, but I will keep
them separate so that it is more flexible in the future.
2018-04-25 18:04:29 +03:00
f3403cc79a
roles/common: Remove Ubuntu partner repo from apt sources
I haven't used this in years, and it looks to only be proprietary things
like Adobe, Skype, etc.
2018-04-25 17:49:38 +03:00
632aa1cf14 Fix a few more Jinja2 filters used as tests
I had created these earlier in this branch before rebasing it on top
of the Ansible 2.5.0 readiness branch.

See: https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.5.html
2018-04-05 12:17:26 +03:00
d1ba60e15d Use version_compare to test for Ubuntu 18.04 "bionic"
It just feels more correct, plus I usually forget the release code
name from time to time.
2018-04-05 12:17:26 +03:00