me/env-ansible
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

General Improvements (#36)

Browse Source 
* Add at and reword comment.

* Add cronie, thought this was already done but last pull request got wonky.

* Zypper is not happy about asking Brave repo to be added multiple times.

* Replace deprecated `include` commands.

* Add gcc.

* Add another cc command for openSUSE.

* include_tasks is not supporting ignore_errors like include used to, move to individual tasks.

* Do a better job of removing libreoffice from local package manager.

* Enhance reports.

* Add basic VIM setup.

* Undo some lynis changes, fix folder permissions so users can view.

* Change lynis back to chdir and local execution.

* Add doas.

* Add check against old usage of setup.sh BRANCH.

* Greatly reduce number of tasks, create temp file while building report.

* Create temp file while building report.
This commit is contained in:
Hyperling
2023-02-19 10:04:10 -06:00
committed by GitHub
parent 904dda6883
commit b162731c29
15 changed files with 211 additions and 80 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
tasks/general/acct_mgmt/doas.yml Normal file
View File

@ -0,0 +1,53 @@
---
# Install and configure doas.
- name: General | Software | DoAs | Facts
set_fact:
doas_config: |
permit persist :wheel as root
permit persist :admin as root
permit persist :sudo as root
doas_conf_file_linux: /etc/doas.conf
doas_conf_file_bsd: /usr/local/etc/doas.conf
- name: General | Software | DoAs | Install
package:
name:
- doas
ignore_errors: yes
- name: General | Software | DoAs | Configure [Linux]
blockinfile:
path: "{{ doas_conf_file_linux }}"
block: |
{{ doas_config }}
marker: '# {mark} MANAGED BY ANSIBLE | doas Linux'
state: present
create: yes
backup: yes
when: ansible_system in ("Linux")
- name: General | Software | DoAs | Configure [BSD]
blockinfile:
path: "{{ doas_conf_file_linux }}"
block: |
{{ doas_config }}
marker: '# {mark} MANAGED BY ANSIBLE | doas BSD'
state: present
create: yes
backup: yes
when: ansible_system in ("FreeBSD")
- name: General | Software | DoAs | Configure [Other]
blockinfile:
path: "{{ item }}"
block: |
{{ doas_config }}
marker: '# {mark} MANAGED BY ANSIBLE | doas Other'
state: present
create: yes
backup: yes
loop:
- "{{ doas_conf_file_linux }}"
- "{{ doas_conf_file_bsd }}"
when: ansible_system not in ("Linux", "FreeBSD")

28
tasks/general/acct_mgmt/users.yml
View File

@ -102,6 +102,7 @@
- "{{ user_user.home }}/LBRY"
- "{{ user_user.home }}/TRASH"
- "{{ user_user.home }}/Downloads"
- "{{ user_user.home }}/Reports"
become_user: "{{ user }}"
when: user_user.home != ""
@ -277,6 +278,7 @@
return
echo "ERROR: Something went wrong while removing Flatpak apps!"
}
alias_vim: alias vi=vim
- name: General | Account Management | Users | Files | Common Variable
set_fact:
@ -302,6 +304,7 @@
{{ function_clean }}
{{ function_flatpak_usage }}
{{ function_flatpak_purge }}
{{ alias_vim }}
- name: General | Account Management | Users | Files | .bashrc
blockinfile:
@ -334,3 +337,28 @@
- "{{ user_user.home }}"
ignore_errors: yes
when: user_root.home != "" and user_user.home != ""
- name: General | Account Management | Users | Files | .vimrc
blockinfile:
path: "{{ item }}/.vimrc"
block: |
" Turn off syntax, flashy lights, etc. Make VIM into a basic editor.
syntax off
set nohlsearch
set noautoindent noautowrite noshowmatch wrapmargin=0 report=1 ts=3
set ignorecase
" Turn off auto-commenting.
autocmd Filetype * set fo-=c fo-=r fo-=o
" qq shortcut for immediately exiting all files without saving.
nnoremap qq :qa!<cr>
marker: '" {mark} MANAGED BY ANSIBLE | vimrc'
state: present
create: yes
backup: yes
loop:
- "{{ user_root.home }}"
- "{{ user_user.home }}"
ignore_errors: yes
when: user_root.home != "" and user_user.home != ""

12
tasks/general/software/packages.yml
View File

@ -50,6 +50,9 @@
- "{{ opensshd }}"
- "{{ tar }}"
- curl
- at
- gcc
- vim
state: present
- name: General | Software | Packages | Install Software (DEV)
@ -89,17 +92,18 @@
name:
- which
- "{{ cron }}"
- vi
state: present
when: ansible_distribution == "Archlinux"
# openSUSE Tumbleweed comes without gnome-control-center being able to open
# properly. Hopefully just a one-time accident but I wanted bleeding edge so I
# guess I got it! Luckily was easy to figure out based on CLI error launching.
- name: General | Software | Services | Install Fix (Looking at you, openSUSE)
package:
name:
# openSUSE Tumbleweed comes without gnome-control-center being able to open
# properly. Hopefully just a one-time accident but I wanted bleeding edge so I
# guess I got it! Luckily was easy to figure out based on CLI error on launch.
- libvulkan1
# Provides c99 used to compile ST for DWM.
- posix_cc
state: present
when: ansible_pkg_mgr in ("zypper")

1
tasks/general/software/sendmail.yml
View File

@ -10,6 +10,7 @@
- name: Server | Sendmail | Check
shell: which postfix
register: postfix
ignore_errors: yes
- name: Server | Sendmail | Install
package:

2
tasks/general/software/services.yml
View File

@ -19,6 +19,7 @@
pattern: "{{ cups_pattern }}"
state: stopped
enabled: no
ignore_errors: yes
- name: General | Software | Services | CUPS-Browse | Disable
service:
@ -26,6 +27,7 @@
pattern: "{{ cups_browse_pattern }}"
state: stopped
enabled: no
ignore_errors: yes
## SSHD ##

24
tasks/general/tests/lynis.yml
View File

@ -1,6 +1,14 @@
---
# Lynis hardness check.
- name: General | Tests | Lynis | Set Facts
set_fact:
lynis_file: "{{ user_user.home }}/Reports/{{ lynis_report }}"
- name: General | Tests | Lynis | Set Facts 2
set_fact:
lynis_temp_file: "{{ lynis_file }}.tmp"
- name: General | Tests | Lynis | Rename Old Install
shell: mv "/usr/local/lynis" "/usr/local/src/"
ignore_errors: yes
@ -27,13 +35,23 @@
path: "{{ lynis_install_dir }}/lynis"
mode: '0755'
- name: General | Tests | Lynis | Ensure Folder Permissions
file:
path: "{{ lynis_install_dir }}"
state: directory
mode: '0755'
recurse: no
- name: General | Tests | Lynis | Run System Audit
shell: "./lynis audit system --no-colors > {{ lynis_report }} 2>&1"
shell: "{{ item }}"
loop:
- "./lynis audit system --no-colors > {{ lynis_temp_file }} 2>&1"
- "mv {{ lynis_temp_file }} {{ lynis_file }}"
args:
executable: "{{ bash_exec.stdout }}"
chdir: "{{ lynis_install_dir }}"
- name: General | Tests | Lynis | Make Report Readable
file:
path: "{{ lynis_report }}"
mode: '0777'
path: "{{ lynis_file }}"
mode: '0644'

29
tasks/general/tests/nmap.yml
View File

@ -1,13 +1,30 @@
---
# Nmap port test
- name: General | Tests | nmap | Run Count
shell: "nmap --open localhost | grep -c open > {{ nmap_report }}; echo success"
- name: General | Tests | nmap | Set Facts
set_fact:
nmap_file: "{{ user_user.home }}/Reports/{{ nmap_report }}"
nmap_separator: "\n*******************************\n\n"
- name: General | Tests | nmap | Run Open
shell: "nmap --open localhost | grep open >> {{ nmap_report }}; echo success"
- name: General | Tests | nmap | Set Facts 2
set_fact:
nmap_temp_file: "{{ nmap_file }}.tmp"
- name: General | Tests | nmap | Create Report
shell: "{{ item }}"
loop:
- "date > {{ nmap_temp_file }}"
- "printf '{{ nmap_separator }}' >> {{ nmap_temp_file }}"
- "echo '-=Open Ports=-' >> {{ nmap_temp_file }}"
- "printf 'Number of open ports: ' >> {{ nmap_temp_file }}"
- "nmap --open localhost | grep -c open >> {{ nmap_temp_file }}; echo success"
- "nmap --open localhost | grep open >> {{ nmap_temp_file }}; echo success"
- "printf '{{ nmap_separator }}' >> {{ nmap_temp_file }}"
- "echo '-=Aggressive Vulnerability Check=-' >> {{ nmap_temp_file }}"
- "nmap -A localhost >> {{ nmap_temp_file }}; echo success"
- "mv {{ nmap_temp_file }} {{ nmap_file }}"
- name: General | Tests | nmap | Make Viewable
file:
path: "{{ nmap_report }}"
mode: '0777'
path: "{{ nmap_file }}"
mode: '0644'