General Improvements (#36)

* Add at and reword comment.

* Add cronie, thought this was already done but last pull request got wonky.

* Zypper is not happy about asking Brave repo to be added multiple times.

* Replace deprecated `include` commands.

* Add gcc.

* Add another cc command for openSUSE.

* include_tasks does not support ignore_errors the way include did; move ignore_errors onto the individual tasks.

* Do a better job of removing libreoffice from local package manager.

* Enhance reports.

* Add basic VIM setup.

* Undo some lynis changes, fix folder permissions so users can view.

* Change lynis back to chdir and local execution.

* Add doas.

* Add check against old usage of setup.sh BRANCH.

* Greatly reduce number of tasks, create temp file while building report.

* Create temp file while building report.
This commit is contained in:
Hyperling 2023-02-19 10:04:10 -06:00 committed by GitHub
parent 904dda6883
commit b162731c29
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
15 changed files with 211 additions and 80 deletions


@ -60,6 +60,7 @@
tar: tar tar: tar
microcode_amd: ucode-amd microcode_amd: ucode-amd
microcode_intel: ucode-intel microcode_intel: ucode-intel
cron: cronie
when: ansible_pkg_mgr == "zypper" when: ansible_pkg_mgr == "zypper"


@ -39,8 +39,8 @@
- name: General | Facts | System | Report File Names - name: General | Facts | System | Report File Names
set_fact: set_fact:
lynis_report: "{{ lynis_install_dir }}/run.txt" lynis_report: "lynis_hardness_check.txt"
nmap_report: "{{ lynis_install_dir }}/nmap.txt" nmap_report: "nmap_port_check.txt"
- name: General | Facts | System | Ansible Branch - name: General | Facts | System | Ansible Branch

local.yml

@ -8,92 +8,88 @@
become: true become: true
tasks: tasks:
- include: facts/general/gather.yml - include_tasks: facts/general/gather.yml
- include: tasks/general/acct_mgmt/provision_config.yml - include_tasks: tasks/general/acct_mgmt/provision_config.yml
- include: facts/general/system.yml - include_tasks: facts/general/system.yml
- include: facts/general/package.yml - include_tasks: facts/general/package.yml
- include: facts/general/service.yml - include_tasks: facts/general/service.yml
- include: facts/general/user.yml - include_tasks: facts/general/user.yml
- include: tasks/general/software/packages.yml - include_tasks: tasks/general/software/packages.yml
- include: tasks/general/software/services.yml - include_tasks: tasks/general/software/services.yml
ignore_errors: yes - include_tasks: tasks/general/software/sendmail.yml
- include: tasks/general/software/sendmail.yml
ignore_errors: yes
when: ansible_system == "FreeBSD" when: ansible_system == "FreeBSD"
- include: facts/general/gather.yml - include_tasks: facts/general/gather.yml
- include: tasks/general/acct_mgmt/groups.yml - include_tasks: tasks/general/acct_mgmt/groups.yml
- include: tasks/general/acct_mgmt/users.yml - include_tasks: tasks/general/acct_mgmt/users.yml
- include: tasks/general/acct_mgmt/sudo.yml - include_tasks: tasks/general/acct_mgmt/sudo.yml
- include_tasks: tasks/general/acct_mgmt/doas.yml
- include: tasks/general/scripts/root.yml - include_tasks: tasks/general/scripts/root.yml
- include: tasks/general/scripts/user.yml - include_tasks: tasks/general/scripts/user.yml
- include: tasks/general/cron/ansible.yml - include_tasks: tasks/general/cron/ansible.yml
# TODO Need to refactor. Maybe tasks/general/cron/freebsd.yml # TODO Need to refactor. Maybe tasks/general/cron/freebsd.yml
- include: tasks/workstation/freebsd/cron/ansible.yml - include_tasks: tasks/workstation/freebsd/cron/ansible.yml
when: ansible_system == "FreeBSD" when: ansible_system == "FreeBSD"
- include: tasks/general/software/metasploit.yml - include_tasks: tasks/general/software/metasploit.yml
when: pentesting == true when: pentesting == true
####### Workstations ####### ####### Workstations #######
# Additional setup for systems with GUI. # Additional setup for systems with GUI.
- name: Main | Workstation Setup - name: Main | Workstation Setup
block: block:
- include: facts/workstation/package.yml - include_tasks: facts/workstation/package.yml
# Set Up Desktop Environments # # Set Up Desktop Environments #
- include: tasks/workstation/freebsd/software/gpu.yml - include_tasks: tasks/workstation/freebsd/software/gpu.yml
when: ansible_system == "FreeBSD" and bsd_gpu == true when: ansible_system == "FreeBSD" and bsd_gpu == true
- include: tasks/workstation/freebsd/software/gnome.yml - include_tasks: tasks/workstation/freebsd/software/gnome.yml
when: ansible_system == "FreeBSD" when: ansible_system == "FreeBSD"
- include: tasks/workstation/linux/software/gnome.yml - include_tasks: tasks/workstation/linux/software/gnome.yml
when: ansible_system == "Linux" when: ansible_system == "Linux"
- include: tasks/workstation/shared/software/dwm.yml - include_tasks: tasks/workstation/shared/software/dwm.yml
ignore_errors: yes
# Software Tasks # # Software Tasks #
- include: tasks/workstation/linux/software/flatpaks.yml - include_tasks: tasks/workstation/linux/software/flatpaks.yml
when: ansible_system == "Linux" and flatpak_distro when: ansible_system == "Linux" and flatpak_distro
- include: tasks/workstation/linux/software/brave.yml - include_tasks: tasks/workstation/linux/software/brave.yml
when: ansible_pkg_mgr in ("apt", "dnf", "zypper") and not mobile when: ansible_pkg_mgr in ("apt", "dnf", "zypper") and not mobile
- include: tasks/workstation/freebsd/software/packages.yml - include_tasks: tasks/workstation/freebsd/software/packages.yml
when: ansible_system == "FreeBSD" when: ansible_system == "FreeBSD"
- include: tasks/workstation/mac-os/software/brew.yml - include_tasks: tasks/workstation/mac-os/software/brew.yml
when: ansible_system == "Darwin" when: ansible_system == "Darwin"
# Configuration Tasks # # Configuration Tasks #
- include: tasks/workstation/shared/settings/gnome.yml - include_tasks: tasks/workstation/shared/settings/gnome.yml
when: not mobile when: not mobile
- include: tasks/workstation/linux/cron/ansible.yml - include_tasks: tasks/workstation/linux/cron/ansible.yml
when: ansible_system == "Linux" and not mobile when: ansible_system == "Linux" and not mobile
- include: tasks/workstation/shared/settings/nfs.yml - include_tasks: tasks/workstation/shared/settings/nfs.yml
- include: tasks/workstation/shared/settings/rdp.yml - include_tasks: tasks/workstation/shared/settings/rdp.yml
when: rdp == true when: rdp == true
- include: tasks/workstation/shared/settings/vnc.yml - include_tasks: tasks/workstation/shared/settings/vnc.yml
when: vnc == true when: vnc == true
- include: tasks/workstation/shared/settings/services.yml - include_tasks: tasks/workstation/shared/settings/services.yml
ignore_errors: yes
when: workstation == true when: workstation == true
@ -106,81 +102,79 @@
# block: # block:
# #
# ##### Setup ##### # ##### Setup #####
# - include: tasks/miner/debug.yml # - include_tasks: tasks/miner/debug.yml
# #
# - include: tasks/miner/acct_mgmt/users.yml # - include_tasks: tasks/miner/acct_mgmt/users.yml
# #
# - include: facts/miner/system.yml # - include_tasks: facts/miner/system.yml
# - include: facts/miner/config.yml # - include_tasks: facts/miner/config.yml
# - include: facts/miner/pool.yml # - include_tasks: facts/miner/pool.yml
# #
# ##### Installations ##### # ##### Installations #####
# ### CPU SECTION ### # ### CPU SECTION ###
# # Monero # # # Monero #
# - include: tasks/miner/software/xmr-stak-cpu.yml # - include_tasks: tasks/miner/software/xmr-stak-cpu.yml
# when: xmr_stak_cpu is defined # when: xmr_stak_cpu is defined
# #
# ### GPU Section ### # ### GPU Section ###
# ## Drivers ## # ## Drivers ##
# - include: tasks/miner/drivers/amdgpu.yml # - include_tasks: tasks/miner/drivers/amdgpu.yml
# when: ansible_distribution == "Ubuntu" and amdgpu == true # when: ansible_distribution == "Ubuntu" and amdgpu == true
# #
# # Ethereum # # # Ethereum #
# - include: tasks/miner/software/ethminer.yml # - include_tasks: tasks/miner/software/ethminer.yml
# when: ethminer == true # when: ethminer == true
# #
# - include: tasks/miner/software/nanominer.yml # - include_tasks: tasks/miner/software/nanominer.yml
# when: nanominer == true # when: nanominer == true
# #
# ##### Scheduling ##### # ##### Scheduling #####
# - include: tasks/miner/cron/ansible.yml # - include_tasks: tasks/miner/cron/ansible.yml
# - include: tasks/miner/cron/mfn.yml # - include_tasks: tasks/miner/cron/mfn.yml
# #
# when: miner == true # when: miner == true
####### Servers ####### ####### Servers #######
# Easy to deploy server configurations. # Easy to deploy server configurations.
- name: Main | Server Setup - name: Main | Server Setup
block: block:
- include: tasks/server/software/services.yml - include_tasks: tasks/server/software/services.yml
- include: tasks/server/software/certbot.yml - include_tasks: tasks/server/software/certbot.yml
when: certbot == true when: certbot == true
- include: tasks/server/cron/certbot.yml - include_tasks: tasks/server/cron/certbot.yml
when: certbot == true when: certbot == true
- include: tasks/server/software/onlyoffice.yml - include_tasks: tasks/server/software/onlyoffice.yml
when: onlyoffice == true and ansible_pkg_mgr == "apt" when: onlyoffice == true and ansible_pkg_mgr == "apt"
- include: tasks/server/software/influxdb1.yml - include_tasks: tasks/server/software/influxdb1.yml
when: influxdb1 == true and ansible_pkg_mgr == "apt" when: influxdb1 == true and ansible_pkg_mgr == "apt"
- include: tasks/server/software/influxdb2.yml - include_tasks: tasks/server/software/influxdb2.yml
when: influxdb2 == true and ansible_pkg_mgr == "apt" when: influxdb2 == true and ansible_pkg_mgr == "apt"
- include: tasks/server/software/grafana.yml - include_tasks: tasks/server/software/grafana.yml
when: grafana == true and ansible_pkg_mgr == "apt" when: grafana == true and ansible_pkg_mgr == "apt"
- include: tasks/server/software/hugo.yml - include_tasks: tasks/server/software/hugo.yml
when: hugo == true when: hugo == true
- include: tasks/server/software/gitlab.yml - include_tasks: tasks/server/software/gitlab.yml
when: gitlab and ansible_pkg_mgr in ("apt", "dnf") and ansible_distribution not in ("Fedora") when: gitlab and ansible_pkg_mgr in ("apt", "dnf") and ansible_distribution not in ("Fedora")
- include: tasks/server/software/git.yml - include_tasks: tasks/server/software/git.yml
when: git and ansible_pkg_mgr in ("apt") when: git and ansible_pkg_mgr in ("apt")
when: server == true when: server == true
####### Reporting ####### ####### Reporting #######
# Provide information for analysis. # Provide information for analysis.
- include: tasks/general/software/telegraf.yml - include_tasks: tasks/general/software/telegraf.yml
- include: tasks/general/tests/lynis.yml - include_tasks: tasks/general/tests/lynis.yml
- include: tasks/general/tests/nmap.yml - include_tasks: tasks/general/tests/nmap.yml
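Review bot: `tasks/general/acct_mgmt/doas.yml` is included unconditionally right after `sudo.yml`, so every managed host — servers included — gets a second setuid privilege-escalation tool plus a config granting root to the `wheel`/`admin`/`sudo` groups, while every other optional component in this file (`metasploit`, `certbot`, `gitlab`, …) sits behind a flag. Gate it the same way, `when: doas | default(false)`, or add a comment at the include saying why it belongs in the baseline for all hosts. The `include` → `include_tasks` switch also drops the old `ignore_errors: yes` from the `services.yml`, `sendmail.yml` and `dwm.yml` includes; this commit moves that to individual tasks, but note that `include_tasks` is dynamic, so a `when:` on it is evaluated once per host at include time rather than inherited by each task. The play header (`hosts`, `become`) is above this hunk.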


@ -53,9 +53,15 @@ while getopts ":lb:h" arg; do
done done
if [[ $branch == "" ]]; then if [[ $branch == "" ]]; then
echo "Using default branch $BRANCH."
branch="$BRANCH" branch="$BRANCH"
fi fi
if [[ $1 != "-"* ]]; then
echo "ERROR: '$1' is not a valid option, please check your parameters and try again."
usage 1
fi
## Main ## ## Main ##
os="$(cat /etc/os-release)" os="$(cat /etc/os-release)"
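Review bot: The new positional-argument check `if [[ $1 != "-"* ]]` also fires when the script is run with no arguments at all, because an empty `$1` does not start with `-`, so a plain `./setup.sh` — which the `$BRANCH` fallback just above suggests is a supported invocation — now exits with the error; guard it with `if [[ -n $1 && $1 != -* ]]; then`. It also only inspects the first word, so `setup.sh -l main` still slips the old `BRANCH` usage through; the robust form is to shift past the parsed options and reject anything left over: `shift $((OPTIND - 1)); if (( $# > 0 )); then echo "ERROR: ..."; usage 1; fi`. The getopts loop this follows begins above the hunk.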


@ -0,0 +1,53 @@
---
# Install and configure doas.
- name: General | Software | DoAs | Facts
set_fact:
doas_config: |
permit persist :wheel as root
permit persist :admin as root
permit persist :sudo as root
doas_conf_file_linux: /etc/doas.conf
doas_conf_file_bsd: /usr/local/etc/doas.conf
- name: General | Software | DoAs | Install
package:
name:
- doas
ignore_errors: yes
- name: General | Software | DoAs | Configure [Linux]
blockinfile:
path: "{{ doas_conf_file_linux }}"
block: |
{{ doas_config }}
marker: '# {mark} MANAGED BY ANSIBLE | doas Linux'
state: present
create: yes
backup: yes
when: ansible_system in ("Linux")
- name: General | Software | DoAs | Configure [BSD]
blockinfile:
path: "{{ doas_conf_file_linux }}"
block: |
{{ doas_config }}
marker: '# {mark} MANAGED BY ANSIBLE | doas BSD'
state: present
create: yes
backup: yes
when: ansible_system in ("FreeBSD")
- name: General | Software | DoAs | Configure [Other]
blockinfile:
path: "{{ item }}"
block: |
{{ doas_config }}
marker: '# {mark} MANAGED BY ANSIBLE | doas Other'
state: present
create: yes
backup: yes
loop:
- "{{ doas_conf_file_linux }}"
- "{{ doas_conf_file_bsd }}"
when: ansible_system not in ("Linux", "FreeBSD")
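Review bot: The `Configure [BSD]` task writes to `{{ doas_conf_file_linux }}` (`/etc/doas.conf`) even though `doas_conf_file_bsd` (`/usr/local/etc/doas.conf`, where the FreeBSD port reads its config) is defined in the Facts task and otherwise unused outside the `[Other]` loop — the path should be `path: "{{ doas_conf_file_bsd }}"`. All three `blockinfile` tasks use `create: yes` without `owner`/`mode`, so a new config is created with the umask default; since these rules grant root to three whole groups (`:wheel`, `:admin`, `:sudo`) and doas refuses a config that is writable by group or others, add `owner: root` and `mode: '0600'` to each. `persist` is a compile-time option in OpenDoas on Linux and an unsupported keyword makes doas reject the whole file, so confirm it on the target distributions or drop it. Because `Install` has `ignore_errors: yes`, the config is still written on hosts where the package is unavailable; a `when:` on the registered install result would avoid leaving a stray `/etc/doas.conf` behind.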


@ -102,6 +102,7 @@
- "{{ user_user.home }}/LBRY" - "{{ user_user.home }}/LBRY"
- "{{ user_user.home }}/TRASH" - "{{ user_user.home }}/TRASH"
- "{{ user_user.home }}/Downloads" - "{{ user_user.home }}/Downloads"
- "{{ user_user.home }}/Reports"
become_user: "{{ user }}" become_user: "{{ user }}"
when: user_user.home != "" when: user_user.home != ""
@ -277,6 +278,7 @@
return return
echo "ERROR: Something went wrong while removing Flatpak apps!" echo "ERROR: Something went wrong while removing Flatpak apps!"
} }
alias_vim: alias vi=vim
- name: General | Account Management | Users | Files | Common Variable - name: General | Account Management | Users | Files | Common Variable
set_fact: set_fact:
@ -302,6 +304,7 @@
{{ function_clean }} {{ function_clean }}
{{ function_flatpak_usage }} {{ function_flatpak_usage }}
{{ function_flatpak_purge }} {{ function_flatpak_purge }}
{{ alias_vim }}
- name: General | Account Management | Users | Files | .bashrc - name: General | Account Management | Users | Files | .bashrc
blockinfile: blockinfile:
@ -334,3 +337,28 @@
- "{{ user_user.home }}" - "{{ user_user.home }}"
ignore_errors: yes ignore_errors: yes
when: user_root.home != "" and user_user.home != "" when: user_root.home != "" and user_user.home != ""
- name: General | Account Management | Users | Files | .vimrc
blockinfile:
path: "{{ item }}/.vimrc"
block: |
" Turn off syntax, flashy lights, etc. Make VIM into a basic editor.
syntax off
set nohlsearch
set noautoindent noautowrite noshowmatch wrapmargin=0 report=1 ts=3
set ignorecase
" Turn off auto-commenting.
autocmd Filetype * set fo-=c fo-=r fo-=o
" qq shortcut for immediately exiting all files without saving.
nnoremap qq :qa!<cr>
marker: '" {mark} MANAGED BY ANSIBLE | vimrc'
state: present
create: yes
backup: yes
loop:
- "{{ user_root.home }}"
- "{{ user_user.home }}"
ignore_errors: yes
when: user_root.home != "" and user_user.home != ""
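Review bot: The new `.vimrc` task runs as root (the play sets `become: true`) and sets no `owner`/`group`, so when it creates `{{ user_user.home }}/.vimrc` the file ends up root-owned inside the user's home and the user cannot edit their own editor settings; the `Reports` directory hunk above avoids this with `become_user: "{{ user }}"`. Loop over `{home, owner}` pairs and pass the owner through, as below. Separately, `nnoremap qq :qa!<cr>` installed into root's `.vimrc` means an accidental double `q` discards every unsaved buffer — worth at least the comment `" qq discards ALL unsaved buffers — intentional, see below` or a less easily triggered mapping.

```yaml
- name: General | Account Management | Users | Files | .vimrc
  blockinfile:
    path: "{{ item.home }}/.vimrc"
    owner: "{{ item.owner }}"
    # … unchanged: block, marker, state, create, backup …
  loop:
    - { home: "{{ user_root.home }}", owner: root }
    - { home: "{{ user_user.home }}", owner: "{{ user }}" }
  # … unchanged: ignore_errors, when …
```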


@ -50,6 +50,9 @@
- "{{ opensshd }}" - "{{ opensshd }}"
- "{{ tar }}" - "{{ tar }}"
- curl - curl
- at
- gcc
- vim
state: present state: present
- name: General | Software | Packages | Install Software (DEV) - name: General | Software | Packages | Install Software (DEV)
@ -89,17 +92,18 @@
name: name:
- which - which
- "{{ cron }}" - "{{ cron }}"
- vi
state: present state: present
when: ansible_distribution == "Archlinux" when: ansible_distribution == "Archlinux"
# openSUSE Tumbleweed comes without gnome-control-center being able to open
# properly. Hopefully just a one-time accident but I wanted bleeding edge so I
# guess I got it! Luckily was easy to figure out based on CLI error launching.
- name: General | Software | Services | Install Fix (Looking at you, openSUSE) - name: General | Software | Services | Install Fix (Looking at you, openSUSE)
package: package:
name: name:
# openSUSE Tumbleweed comes without gnome-control-center being able to open
# properly. Hopefully just a one-time accident but I wanted bleeding edge so I
# guess I got it! Luckily was easy to figure out based on CLI error on launch.
- libvulkan1 - libvulkan1
# Provides c99 used to compile ST for DWM.
- posix_cc
state: present state: present
when: ansible_pkg_mgr in ("zypper") when: ansible_pkg_mgr in ("zypper")
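Review bot: `gcc` and `at` are now installed on every host by the general package task, servers included; an installed compiler is a classic hardening finding (Lynis's hardening section reports compilers found on the system, and this playbook runs Lynis at the end), and `at` adds a second job scheduler whose users should be restricted via `/etc/at.allow`. Move `gcc` into the `Install Software (DEV)` task that follows, or gate it on the flags that actually need it (the DWM/st build, pentesting), and add a comment stating why anything left global is needed. The openSUSE `posix_cc` entry has the same issue: its comment says it exists to compile st for DWM, which is workstation-only, yet this task runs for every zypper host.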


@ -10,6 +10,7 @@
- name: Server | Sendmail | Check - name: Server | Sendmail | Check
shell: which postfix shell: which postfix
register: postfix register: postfix
ignore_errors: yes
- name: Server | Sendmail | Install - name: Server | Sendmail | Install
package: package:
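Review bot: `ignore_errors: yes` on the `which postfix` probe still prints a red failure on every run without postfix and lets the task report `changed`; since the command only feeds `register: postfix`, `failed_when: false` and `changed_when: false` express the intent without the noise. No shell features are used, so `command:` would do, and `which` itself may be missing on minimal images — `command -v postfix` under `shell:` is the more portable probe. The task this result gates (`Install`) starts at the edge of the hunk.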


@ -19,6 +19,7 @@
pattern: "{{ cups_pattern }}" pattern: "{{ cups_pattern }}"
state: stopped state: stopped
enabled: no enabled: no
ignore_errors: yes
- name: General | Software | Services | CUPS-Browse | Disable - name: General | Software | Services | CUPS-Browse | Disable
service: service:
@ -26,6 +27,7 @@
pattern: "{{ cups_browse_pattern }}" pattern: "{{ cups_browse_pattern }}"
state: stopped state: stopped
enabled: no enabled: no
ignore_errors: yes
## SSHD ## ## SSHD ##
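Review bot: Adding `ignore_errors: yes` to the `CUPS | Disable` and `CUPS-Browse | Disable` tasks means a failure to stop the printing daemons is downgraded to a warning and the play continues as though the hardening step succeeded. If the intent is only to tolerate hosts without CUPS, scope the tolerance: `register: cups_svc` plus `failed_when: cups_svc.failed and 'Could not find' not in (cups_svc.msg | default(''))` (exact wording varies by service manager and should be confirmed), or gather `service_facts` and guard with `when:` on the service name. A genuine failure to stop a running service should stay fatal.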


@ -1,6 +1,14 @@
--- ---
# Lynis hardness check. # Lynis hardness check.
- name: General | Tests | Lynis | Set Facts
set_fact:
lynis_file: "{{ user_user.home }}/Reports/{{ lynis_report }}"
- name: General | Tests | Lynis | Set Facts 2
set_fact:
lynis_temp_file: "{{ lynis_file }}.tmp"
- name: General | Tests | Lynis | Rename Old Install - name: General | Tests | Lynis | Rename Old Install
shell: mv "/usr/local/lynis" "/usr/local/src/" shell: mv "/usr/local/lynis" "/usr/local/src/"
ignore_errors: yes ignore_errors: yes
@ -27,13 +35,23 @@
path: "{{ lynis_install_dir }}/lynis" path: "{{ lynis_install_dir }}/lynis"
mode: '0755' mode: '0755'
- name: General | Tests | Lynis | Ensure Folder Permissions
file:
path: "{{ lynis_install_dir }}"
state: directory
mode: '0755'
recurse: no
- name: General | Tests | Lynis | Run System Audit - name: General | Tests | Lynis | Run System Audit
shell: "./lynis audit system --no-colors > {{ lynis_report }} 2>&1" shell: "{{ item }}"
loop:
- "./lynis audit system --no-colors > {{ lynis_temp_file }} 2>&1"
- "mv {{ lynis_temp_file }} {{ lynis_file }}"
args: args:
executable: "{{ bash_exec.stdout }}" executable: "{{ bash_exec.stdout }}"
chdir: "{{ lynis_install_dir }}" chdir: "{{ lynis_install_dir }}"
- name: General | Tests | Lynis | Make Report Readable - name: General | Tests | Lynis | Make Report Readable
file: file:
path: "{{ lynis_report }}" path: "{{ lynis_file }}"
mode: '0777' mode: '0644'
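Review bot: The audit report at `{{ user_user.home }}/Reports/{{ lynis_report }}` is left world-readable (`mode: '0644'` in `Make Report Readable`) and, because the `mv` runs as root, root-owned; a Lynis report enumerates the host's weak points (missing hardening, versions, suggestions), so every local account being able to read it undoes part of what the audit is for. Set `owner: "{{ user }}"` with `mode: '0600'` (or `'0640'`) on that task — the intended reader already owns the `Reports` directory. Whether the directory itself is readable by others depends on its creation elsewhere, outside this hunk. The `Run System Audit` loop also reports `changed` on every run; `changed_when: true` on the audit and `changed_when: false` on the `mv` would state that explicitly.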


@ -1,13 +1,30 @@
--- ---
# Nmap port test # Nmap port test
- name: General | Tests | nmap | Run Count - name: General | Tests | nmap | Set Facts
shell: "nmap --open localhost | grep -c open > {{ nmap_report }}; echo success" set_fact:
nmap_file: "{{ user_user.home }}/Reports/{{ nmap_report }}"
nmap_separator: "\n*******************************\n\n"
- name: General | Tests | nmap | Run Open - name: General | Tests | nmap | Set Facts 2
shell: "nmap --open localhost | grep open >> {{ nmap_report }}; echo success" set_fact:
nmap_temp_file: "{{ nmap_file }}.tmp"
- name: General | Tests | nmap | Create Report
shell: "{{ item }}"
loop:
- "date > {{ nmap_temp_file }}"
- "printf '{{ nmap_separator }}' >> {{ nmap_temp_file }}"
- "echo '-=Open Ports=-' >> {{ nmap_temp_file }}"
- "printf 'Number of open ports: ' >> {{ nmap_temp_file }}"
- "nmap --open localhost | grep -c open >> {{ nmap_temp_file }}; echo success"
- "nmap --open localhost | grep open >> {{ nmap_temp_file }}; echo success"
- "printf '{{ nmap_separator }}' >> {{ nmap_temp_file }}"
- "echo '-=Aggressive Vulnerability Check=-' >> {{ nmap_temp_file }}"
- "nmap -A localhost >> {{ nmap_temp_file }}; echo success"
- "mv {{ nmap_temp_file }} {{ nmap_file }}"
- name: General | Tests | nmap | Make Viewable - name: General | Tests | nmap | Make Viewable
file: file:
path: "{{ nmap_report }}" path: "{{ nmap_file }}"
mode: '0777' mode: '0644'
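Review bot: The heading `-=Aggressive Vulnerability Check=-` written before `nmap -A localhost` overstates what that command does: `-A` enables OS/version detection, default scripts and traceroute, not vulnerability checks (those need `--script vuln`), so either rename the heading (`'-=Service/OS Detection (nmap -A)=-'`) or add the script. Every nmap line ends in `; echo success`, which turns a missing or failing nmap into an empty-but-green report; drop the echo and, if a failure should not abort the play, register the result and use `failed_when` instead. A default scan also covers only the top 1000 TCP ports on loopback, so the "Number of open ports" line is not a picture of external exposure (`-p-`, and `-sU` for UDP, would be needed for that); and as with the Lynis report, `mode: '0644'` leaves the findings readable to every local user — prefer `owner: "{{ user }}"` with `mode: '0600'`.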


@ -37,8 +37,9 @@
shell: "{{ item }}" shell: "{{ item }}"
loop: loop:
- rpm --import https://brave-browser-rpm-release.s3.brave.com/brave-core.asc - rpm --import https://brave-browser-rpm-release.s3.brave.com/brave-core.asc
- sudo zypper addrepo https://brave-browser-rpm-release.s3.brave.com/brave-browser.repo - zypper addrepo https://brave-browser-rpm-release.s3.brave.com/brave-browser.repo
when: ansible_pkg_mgr == "zypper" when: ansible_pkg_mgr == "zypper"
ignore_errors: yes
- name: Workstation | Software | Brave | Install - name: Workstation | Software | Brave | Install
package: package:
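Review bot: `ignore_errors: yes` now covers both loop items, so a failed `rpm --import` of the Brave signing key is swallowed along with the duplicate-repo error it was meant to hide; the following `Install` task will then fail or prompt on package signature checks with the real cause buried two tasks earlier. Make the repo step idempotent instead: register the loop result and use `failed_when: item_result.rc != 0 and 'already exists' not in item_result.stderr` (zypper's message wording to be confirmed), keeping the key import strict, or — if the collection is available — use `community.general.zypper_repository` with `auto_import_keys: true`, which handles both the key and repeat runs. The `rpm --import` fetches the key over HTTPS from the vendor's S3 bucket; pinning the key's fingerprint in a comment here would let a reviewer verify it.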


@ -330,6 +330,8 @@
- steam - steam
- vscode - vscode
- code - code
- libreoffice
- "*libreoffice*"
- '*libreoffice*' - '*libreoffice*'
- gimp - gimp
state: absent state: absent
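Review bot: The new `- "*libreoffice*"` entry duplicates the existing `- '*libreoffice*'` directly below it (same glob, different quotes), and `- libreoffice` is already matched by that glob; keep a single `'*libreoffice*'` line. A glob under `state: absent` removes anything whose package name contains `libreoffice` — including integration and language packs — which appears intended, but deserves a comment above the entry such as `# glob: also removes libreoffice-* language/integration packages`.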


@ -9,6 +9,7 @@
pattern: "{{ cups_pattern }}" pattern: "{{ cups_pattern }}"
state: started state: started
enabled: yes enabled: yes
ignore_errors: yes
- name: General | Software | Services | Disable CUPS-Browse Daemon - name: General | Software | Services | Disable CUPS-Browse Daemon
service: service:
@ -16,3 +17,4 @@
pattern: "{{ cups_browse_pattern }}" pattern: "{{ cups_browse_pattern }}"
state: started state: started
enabled: yes enabled: yes
ignore_errors: yes
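Review bot: The blanket `ignore_errors: yes` is here applied to tasks that *start and enable* CUPS and cups-browsed, so a failed start leaves printing off while the play stays green; as with the disable tasks elsewhere, prefer a scoped `failed_when` on a registered result or a `when:` guard driven by `service_facts`. cups-browsed listens for printer broadcasts on the network, so enabling it on every workstation is a deliberate exposure that should carry a one-line comment at the task explaining the choice.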


@ -51,9 +51,11 @@
- name: Workstation | Linux | Software | DWM | Install - name: Workstation | Linux | Software | DWM | Install
shell: "cd {{ dwm_install_dir }}; {{ make }} clean install" shell: "cd {{ dwm_install_dir }}; {{ make }} clean install"
ignore_errors: yes
- name: Workstation | Linux | Software | DWM | Install (st) - name: Workstation | Linux | Software | DWM | Install (st)
shell: "cd {{ st_install_dir }}; {{ make }} clean install" shell: "cd {{ st_install_dir }}; {{ make }} clean install"
ignore_errors: yes
## X Init Sript ## ## X Init Sript ##
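Review bot: `ignore_errors: yes` on both `make clean install` tasks means a failed build of dwm or st is reported as a warning and the steps that assume the binaries exist (the X init script below, outside this hunk) run anyway. Make the build idempotent and let real failures stay fatal instead: replace `cd {{ dwm_install_dir }};` with `args: chdir: "{{ dwm_install_dir }}"` and add `creates: /usr/local/bin/dwm` (install prefix to be confirmed from the project's `config.mk`), with the same for st. Running `make install` as root on a source tree fetched earlier in this file is a supply-chain trust decision that merits a comment at the task naming the pinned revision, if one is used.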