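- name: System - apt update and apt upgrade
  # Refresh the package index and safe-upgrade everything already installed.
  # `upgrade: safe` is the documented equivalent of the former `upgrade=yes`
  # (aptitude safe-upgrade / apt-get upgrade); naming it avoids the YAML 1.1
  # truthy value `yes`, and the key=value shorthand is replaced by block
  # arguments like the rest of this file.
  # SEE http://archive.vn/DKJjs#parameter-upgrade
  ansible.builtin.apt:
    update_cache: true
    upgrade: safe
  when: debpkg_mode or nixpkg_mode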
- name: Install required security updates
  # NOTE(review): `state` is left at its default (present), so packages that
  # are already installed are not upgraded by this task itself — the upgrade
  # task just above is what brings them up to date. Confirm that is intended.
  ansible.builtin.apt:
    pkg:
      - tzdata
      - linux-libc-dev
  when: debpkg_mode or nixpkg_mode
# SEE https://github.com/georchestra/ansible/issues/55#issuecomment-588313638
# Without acl installed, an error similar to the one in that issue is faced
# (presumably Ansible failing to set temp-file permissions when switching to
# an unprivileged user — verify against the linked thread).
- name: Install Ansible dependencies
  ansible.builtin.apt:
    pkg:
      - acl
  when: debpkg_mode or nixpkg_mode
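- name: Install security tools
  # nftables is the firewall backend selected by the task that follows;
  # fail2ban bans sources with repeated authentication failures.
  # `cache_valid_time` skips the index refresh when it is under an hour old.
  # `update_cache: true` replaces the YAML 1.1 truthy `yes`.
  ansible.builtin.apt:
    pkg:
      - nftables
      - fail2ban
    update_cache: true
    cache_valid_time: 3600
  when: debpkg_mode or nixpkg_mode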
- name: Use nftables backend
  # Point the iptables-family wrappers at their nft implementations, then
  # restart ufw so it picks the new backend up.
  # NOTE(review): there is no `set -e`, so the task result is the exit status
  # of the final `systemctl restart ufw` only; a failing update-alternatives
  # call above it is not reported. The task also reports "changed" on every
  # run, and ufw is not installed by any task in this file — confirm both are
  # intended.
  ansible.builtin.shell:
    cmd: |
      update-alternatives --set iptables /usr/sbin/iptables-nft
      update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
      update-alternatives --set arptables /usr/sbin/arptables-nft
      update-alternatives --set ebtables /usr/sbin/ebtables-nft
      systemctl restart ufw
  when: debpkg_mode or nixpkg_mode
- name: Create Sysstat log directory
  # Created ahead of the sysstat package install below. No owner or mode is
  # given, so the module defaults apply.
  ansible.builtin.file:
    path: /var/log/sysstat
    state: directory
  when: debpkg_mode or nixpkg_mode
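- name: Install other useful tools
  # Monitoring and diagnostics helpers; the sysstat configuration is copied
  # into place by the two tasks that follow.
  # `update_cache: true` replaces the YAML 1.1 truthy `yes`, and
  # `cache_valid_time` reuses an index refreshed within the last hour, as the
  # security-tools task does.
  ansible.builtin.apt:
    pkg:
      - bwm-ng
      - htop
      - net-tools
      - ngrep
      - sysstat
      - vim-tiny
    update_cache: true
    cache_valid_time: 3600
  when: debpkg_mode or nixpkg_mode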
- name: Configure sysstat
  # Main sysstat configuration. No `mode` is given, so a pre-existing file
  # keeps its permissions and a new one gets the module default.
  ansible.builtin.copy:
    src: files/sysstat.sysstat
    dest: /etc/sysstat/sysstat
  when: debpkg_mode or nixpkg_mode
- name: Configure default sysstat
  # Defaults file read by the sysstat service (enables/disables collection).
  ansible.builtin.copy:
    src: files/default.sysstat
    dest: /etc/default/sysstat
  when: debpkg_mode or nixpkg_mode
- name: Adjust APT update intervals
  # Drop-in controlling how often apt's periodic jobs refresh and upgrade.
  ansible.builtin.copy:
    src: files/apt_periodic
    dest: /etc/apt/apt.conf.d/10periodic
  when: debpkg_mode or nixpkg_mode
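# Find platform architecture and set as a variable
- name: finding platform architecture
  # Read-only probe: aarch64 maps to "arm64", anything else to "amd64" (so a
  # 32-bit ARM host is also reported as amd64). `changed_when: false` stops
  # it reporting a change on every run, and `check_mode: false` lets it run
  # under --check so `platform_output` exists for the set_fact task below.
  ansible.builtin.shell: if [ $(uname -m) = "aarch64" ]; then echo "arm64"; else echo "amd64"; fi
  register: platform_output
  changed_when: false
  check_mode: false
  tags:
    - update
    - update-only
- name: set platform fact
  ansible.builtin.set_fact:
    platform: "{{ platform_output.stdout }}"
  tags:
    - update
    - update-only
  # NOTE(review): the probe above is unconditional but this task is not, so
  # `platform` is undefined when none of these flags is set — confirm.
  when: debpkg_mode or nixpkg_mode or stage2_nix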
- name: create overrides dir
  # Drop-in directory for the systemd-resolved unit; root-only (0700) since
  # only systemd needs to read it.
  ansible.builtin.file:
    path: /etc/systemd/system/systemd-resolved.service.d
    state: directory
    owner: root
    group: root
    mode: '0700'
  when: debpkg_mode or nixpkg_mode
- name: Custom systemd overrides for resolved
  # NOTE(review): the drop-in is written but systemd-resolved is not
  # restarted anywhere in this file (the later daemon reload only re-reads
  # unit files), so it takes effect on the next restart or boot — confirm.
  ansible.builtin.copy:
    src: files/systemd-resolved.conf
    dest: /etc/systemd/system/systemd-resolved.service.d/override.conf
  when: debpkg_mode or nixpkg_mode
- name: System - Create services.slice
  # Rendered from a Jinja template; the daemon reload below makes the new
  # slice unit visible to systemd.
  ansible.builtin.template:
    src: files/services.slice.j2
    dest: /etc/systemd/system/services.slice
  when: debpkg_mode or nixpkg_mode
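- name: System - systemd reload
  # Re-read unit files so the slice and drop-in written above are known.
  # Block arguments with `true` replace the key=value `daemon_reload=yes`.
  ansible.builtin.systemd:
    daemon_reload: true
  when: debpkg_mode or nixpkg_mode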
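- name: Configure journald
  ansible.builtin.copy:
    src: files/journald.conf
    dest: /etc/systemd/journald.conf
  register: journald_conf
  when: debpkg_mode or nixpkg_mode
- name: reload systemd-journald
  # Restart only when the configuration above actually changed, rather than
  # on every run (a skipped copy task evaluates as not changed). Note the
  # task name says "reload" but the action is a full restart.
  ansible.builtin.systemd:
    name: systemd-journald
    state: restarted
  when:
    - debpkg_mode or nixpkg_mode
    - journald_conf is changed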
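- name: Configure logind
  ansible.builtin.copy:
    src: files/logind.conf
    dest: /etc/systemd/logind.conf
  register: logind_conf
  when: debpkg_mode or nixpkg_mode
- name: reload systemd-logind
  # Restart only when the configuration above actually changed, rather than
  # on every run (a skipped copy task evaluates as not changed). Note the
  # task name says "reload" but the action is a full restart.
  ansible.builtin.systemd:
    name: systemd-logind
    state: restarted
  when:
    - debpkg_mode or nixpkg_mode
    - logind_conf is changed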
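- name: enable timestamps for shell history
  # Timestamped shell history for login shells (useful when reconstructing
  # what was run and when). `mode` is quoted so the octal string reaches
  # Ansible untouched, matching the '0700' style used earlier in this file.
  ansible.builtin.copy:
    content: |
      export HISTTIMEFORMAT='%d/%m/%y %T '
    dest: /etc/profile.d/09-history-timestamps.sh
    mode: '0644'
    owner: root
    group: root
  when: debpkg_mode or nixpkg_mode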
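- name: set hosts file
  # Replaces /etc/hosts with loopback entries only. NOTE(review): any
  # `127.0.1.1 <hostname>` line is dropped, so confirm the hostname still
  # resolves by another route. `mode` is quoted as elsewhere in this file.
  # Unlike most tasks here this one is gated on stage2_nix, not nixpkg_mode.
  ansible.builtin.copy:
    content: |
      127.0.0.1 localhost
      ::1 localhost
    dest: /etc/hosts
    mode: '0644'
    owner: root
    group: root
  when: debpkg_mode or stage2_nix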
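# Set sysctl params so the kernel panics on OOM and reboots 10 seconds later.
# `reload: true` replaces the YAML 1.1 truthy `yes`.
- name: Set vm.panic_on_oom=1
  ansible.builtin.sysctl:
    name: vm.panic_on_oom
    value: '1'
    state: present
    reload: true
  when: debpkg_mode or nixpkg_mode
- name: Set kernel.panic=10
  # Seconds to wait after a panic before rebooting.
  ansible.builtin.sysctl:
    name: kernel.panic
    value: '10'
    state: present
    reload: true
  when: debpkg_mode or nixpkg_mode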
# Network tuning. Unlike the surrounding tasks these two carry no `when`
# gate, and both share the name "configure system".
- name: configure system
  # Listen backlog limit. NOTE(review): 16834 looks like a transposition of
  # 16384 (a common choice) — left as-is, confirm the intended value.
  ansible.posix.sysctl:
    name: 'net.core.somaxconn'
    value: 16834
- name: configure system
  # Ephemeral port range for outbound connections.
  ansible.posix.sysctl:
    name: 'net.ipv4.ip_local_port_range'
    value: '1025 65000'
# Set sysctl params specific to TCP keepalives.
- name: Set net.ipv4.tcp_keepalive_time=1800
  # Idle time (seconds) before the first keepalive probe is sent.
  ansible.builtin.sysctl:
    name: net.ipv4.tcp_keepalive_time
    value: 1800
    state: present
  when: debpkg_mode or nixpkg_mode
- name: Set net.ipv4.tcp_keepalive_intvl=60
  # Interval (seconds) between probes; tcp_keepalive_probes is not set here
  # and stays at the kernel default.
  ansible.builtin.sysctl:
    name: net.ipv4.tcp_keepalive_intvl
    value: 60
    state: present
  when: debpkg_mode or nixpkg_mode