117 lines
2.9 KiB
YAML
117 lines
2.9 KiB
YAML
- block:
|
|
- name: Determine if this is a Proxmox host
|
|
stat:
|
|
path: /etc/pve
|
|
register: stat_pve
|
|
- set_fact:
|
|
is_proxmox: "{{ stat_pve.stat.exists and stat_pve.stat.isdir }}"
|
|
|
|
- name: Configure MOTD
|
|
template:
|
|
dest: /etc/motd
|
|
src: motd.j2
|
|
|
|
- name: Add rules to rename network interfaces
|
|
template:
|
|
dest: "/etc/systemd/network/10-{{ item.name }}.link"
|
|
src: interface.link.j2
|
|
mode: "0644"
|
|
loop: "{{ interfaces | selectattr('mac_address') }}"
|
|
loop_control:
|
|
label: "{{ item.name }}"
|
|
notify: reboot
|
|
|
|
- name: Set hostname
|
|
hostname:
|
|
name: '{{ inventory_hostname }}'
|
|
|
|
- name: Set up debian repositories
|
|
template:
|
|
dest: /etc/apt/sources.list
|
|
src: sources.list.j2
|
|
mode: 0644
|
|
notify: update package cache
|
|
when: debian_release is defined
|
|
|
|
- name: Install essential packages
|
|
package:
|
|
name:
|
|
- git
|
|
- ifupdown2
|
|
- rsync
|
|
- vim
|
|
- tmux
|
|
|
|
# for base Debian the main interfaces file is just an include
|
|
- name: Remove interface definitions added by installer
|
|
when: not is_proxmox
|
|
copy:
|
|
dest: /etc/network/interfaces
|
|
content: |
|
|
source /etc/network/interfaces.d/*
|
|
notify: reload interfaces
|
|
|
|
# for Proxmox the main interfaces file will define bridges
|
|
# here we just remove the vmbr0 definition created by installer to preserve idempotency
|
|
- name: Include interfaces.d definitions
|
|
when: is_proxmox
|
|
lineinfile:
|
|
path: /etc/network/interfaces
|
|
regexp: '^(auto vmbr0|iface vmbr0|\t)' # our definitions start with four spaces instead of tab
|
|
state: absent
|
|
notify: reload interfaces
|
|
|
|
- name: Set up interfaces
|
|
template:
|
|
dest: /etc/network/interfaces.d/ansible.intf
|
|
src: ansible.intf.j2
|
|
mode: 0644
|
|
notify: reload interfaces
|
|
|
|
- name: Set up resolv.conf
|
|
template:
|
|
dest: /etc/resolv.conf
|
|
src: resolv.conf.j2
|
|
mode: 0644
|
|
|
|
- name: Disable SSH password authentication
|
|
lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '^#?{{ item.key }}'
|
|
line: '{{ item.key }} {{ item.value }}'
|
|
loop:
|
|
- key: PasswordAuthentication
|
|
value: 'no'
|
|
- key: PermitRootLogin
|
|
value: 'prohibit-password'
|
|
notify: reload sshd
|
|
|
|
- name: Set up firewall
|
|
include_tasks: firewall.yml
|
|
when: not is_proxmox # proxmox has its own firewall configuration
|
|
|
|
- name: Run SSH instance in management VRF
|
|
when: interfaces | selectattr('vrf') | selectattr('vrf.name', '==', 'mgmt')
|
|
block:
|
|
- name: Configure SSH instance in management VRF
|
|
copy:
|
|
dest: /etc/ssh/
|
|
src: sshd_config.mgmt
|
|
mode: 0644
|
|
notify: reboot
|
|
|
|
- name: Set up a SSH instance in management VRF
|
|
copy:
|
|
dest: /etc/systemd/system/
|
|
src: sshd@mgmt.service
|
|
mode: 0644
|
|
notify: reboot
|
|
|
|
- name: Enable management SSH
|
|
service:
|
|
name: sshd@mgmt
|
|
enabled: yes
|
|
notify: reboot
|
|
|
|
- when: is_virtual
|
|
include_tasks: vm.yml
|