Changeset - a9ca3f5ae102
master
x - 2 days ago 2025-08-24 15:15:44
xbr@c3l.lu
add: interactive debugging packages
2 files changed with 3 insertions and 0 deletions:
gateway/initial_gw_setup.yml
 
---
 
- name: Initial Gateway Setup
 
  hosts: initial-gateway
 
  become: true
 
  become_method: ansible.builtin.sudo
 

	
 
  tasks:
 
    # Update packages
 
    - name: Update all packages to their latest version
 
      ansible.builtin.apt:
 
        update_cache: true
 
        upgrade: "yes"
 
      tags: update
 
    - name: Install a list of packages
 
      ansible.builtin.apt:
 
        update_cache: true
 
        pkg:
 
          - git
 
          - bridge-utils
 
          - batctl
 
          - ntpsec
 
          - dnsmasq
 
          - iptables-persistent
 
          - openvpn
 
          - fastd
 
          - build-essential
 
          - pkg-config
 
          - checkinstall
 
          - libnl-3-dev
 
          - libnl-genl-3-dev
 
          - linux-headers-amd64
 
          - systemd-resolved # We current use it later, but we don't really need it
 
          - dkms
 
          - lsb-release
 
          - ethtool
 
          - python3
 
          - wget # for fastd-blacklist
 
          - tcpdump # for debugging
 
      tags: update
 

	
 
    # fix systemd-resolved's default config
 
    - name: Stop systemd-resolved
 
      ansible.builtin.service:
 
        name: "systemd-resolved"
 
        state: "stopped"
 
      tags: config
 
    - name: Copy resolved.conf
 
      ansible.builtin.copy:
 
        src: "{{ server_config_dir }}/systemd-resolved/resolved.conf"
 
        dest: /etc/systemd/resolved.conf
 
        owner: root
 
        group: root
 
        mode: "0644"
 
      tags: config
 
    - name: Remove immutable attribute on resolv.conf
 
      ansible.builtin.file:
 
        dest: /etc/resolv.conf
 
        attributes: '-i'
 
      become: true
 
      tags: config
 
    - name: Create a symbolic link for resolv.conf, replacing the initial resolv.conf
 
      ansible.builtin.file:
 
        src: /run/systemd/resolve/resolv.conf
 
        dest: /etc/resolv.conf
 
        owner: root
 
        group: root
 
        state: link
 
        attributes: '-i'
 
        force: true
 
      become: true
 
      tags: config
 
    - name: Start systemd-resolved
 
      ansible.builtin.service:
 
        name: "systemd-resolved"
 
        state: "started"
 
        enabled: "true"
 
      tags: config
 

	
 
    - name: Ensure /etc/iproute2 exists
 
      ansible.builtin.file:
 
        path: /etc/iproute2
 
        state: directory
 
        mode: '0755'
 
      tags: config
 
    - name: Copy routing table if non-existing
 
      ansible.builtin.copy:
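Review bot: `tcpdump` (the `# for debugging` entry at the end of the package list) becomes a permanent part of the gateway's base package set under the `update` tag, so a packet-capture tool stays installed on a host that forwards user mesh/VPN traffic long after the debugging session it was added for. Consider moving it, together with any other interactive debugging tools, into its own task with `tags: [debug, never]` so it is only installed when explicitly requested, or at least extend the inline comment to state that captures taken on this host may contain user traffic and are not to be retained. Which package line is this commit's insertion is inferred from the commit title rather than from markers on this rendered page. The package task starts inside this section and the playbook continues past its last line.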
initial_server_setup/initial_setup.yml
 
---
 
- name: Initial Server Setup
 
  hosts: initial
 
  become: true
 

	
 
  vars_files:
 
    - ../user_vars.yml
 
  vars:
 
    password: Welcome1234
 
    ansible_managed: "This file is managed by Ansible. Do not modify."
 

	
 
  tasks:
 
    - name: Update + Upgrade packages
 
      ansible.builtin.apt:
 
        upgrade: true
 
        update_cache: true
 
      tags: basic
 

	
 
    - name: Install some basic packages
 
      ansible.builtin.apt:
 
        pkg:
 
          - sudo
 
          - git
 
          - vim
 
          - python3
 
          - python3-pip
 
          - tmux
 
          - man-db
 
      tags: basic
 

	
 
    # Change Hostname
 
    - name: "Update Hostnames"
 
      ansible.builtin.hostname:
 
        name: "{{ inventory_hostname }}"
 
      tags: hostname
 

	
 
    # Update /etc/hosts
 
    - name: Make sure an IPV4 entry in /etc/hosts exists
 
      ansible.builtin.lineinfile:
 
        path: /etc/hosts
 
        regexp: "^{{ ansible_default_ipv4.address }}"
 
        line: "{{ ansible_default_ipv4.address }} {{ inventory_hostname }} {{ inventory_hostname }}.freifunk.lu"
 
        state: present
 
      tags: network,hostname,dns
 
    - name: Make sure an IPV6 entry in /etc/hosts exists
 
      ansible.builtin.lineinfile:
 
        path: /etc/hosts
 
        regexp: "^{{ ansible_default_ipv6.address }}"
 
        line: "{{ ansible_default_ipv6.address }} {{ inventory_hostname }} {{ inventory_hostname }}.freifunk.lu"
 
        state: present
 
      tags: network,hostname,dns
 

	
 
    # SSH security improvements (EmptyPass, PassAuth, RootLogin)
 
    - name: Disable SSH Password Auth
 
      ansible.builtin.copy:
 
        dest: /etc/ssh/sshd_config.d/disable_password_auth.conf
 
        owner: root
 
        mode: u=rw,g=r,o=r
 
        content: |
 
          # {{ ansible_managed }}
 
          PasswordAuthentication no
 
      tags: network,ssh
 
      register: pass_auth
 
    - name: Remove SSH Password Auth from sshd_config
 
      ansible.builtin.lineinfile:
 
        path: /etc/ssh/sshd_config
 
        regex: "^PasswordAuthentication"
 
        line: "# PasswordAuthentication No"
 
      tags: network,ssh
 
      register: pass_auth_sshd
 
    - name: Disable SSH Empty Password
 
      ansible.builtin.copy:
 
        dest: /etc/ssh/sshd_config.d/disable_empty_password.conf
 
        owner: root
 
        mode: u=rw,g=r,o=r
 
        content: |
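Review bot: `password: Welcome1234` in the play's `vars` is a plaintext credential committed with the playbook, and this commit leaves it in place next to the package list it extends. It belongs in `../user_vars.yml`, which the play already loads via `vars_files`, as an Ansible Vault-encrypted value, or should be read at runtime with `lookup('env', ...)`, with the plain entry removed from the play so new history stops carrying it. If the value is only a bootstrap password that is rotated on first login, say so on that line, e.g. `# bootstrap-only; rotated by the user-creation task — TODO confirm`. Which lines are this commit's insertions is not recoverable from this rendered page, and the SSH-hardening tasks continue past the end of the section.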