Migrate from old repository

tasks/main.yml

@@ -0,0 +1,100 @@
+---
+- import_tasks: ssh.yml
+  tags:
+    - ssh
+
+- name: fix hostname
+  template:
+    src: hostname.j2
+    dest: /etc/hostname
+  register: firsttime
+  notify:
+    - reload hostname
+#  tags:
+#    - always
+
+- name: fix /etc/hosts
+  lineinfile:
+    dest: /etc/hosts
+    regexp: "^{{ item.ip }}"
+    line: "{{ item.ip }}    {{ item.hosts }}"
+  with_items:
+    - ip: "127.0.0.1"
+      hosts: "{{ inventory_hostname }}.{{ mydomain }} {{ inventory_hostname }} localhost localhost.localdomain"
+    - ip: "::1"
+      hosts: "{{ inventory_hostname }}.{{ mydomain }} {{ inventory_hostname }} localhost localhost.localdomain"
+  when: mydomain is defined
+
+- import_tasks: "pkg_Alpine.yml"
+  when: ansible_distribution == 'Alpine'
+  tags:
+    - pkg
+- import_tasks: "pkg_Debian.yml"
+  when: ansible_distribution == 'Debian'
+  tags:
+    - pkg
+
+- name: ensure rngd is running
+  service:
+    name: rngd
+    enabled: yes
+    state: started
+  tags:
+    - pkg
+
+- include_tasks: "sshd.yml"
+  tags:
+    - ssh
+
+- name: ensure netmount is enabled
+  service:
+    name: netmount
+    enabled: yes
+    state: started
+  tags:
+    - pkg
+  when: ansible_distribution == 'Alpine' and iscsid.session[ansible_hostname] is defined
+
+- name: ensure haveged is disabled
+  service:
+    name: haveged
+    enabled: no
+    state: stopped
+  tags:
+    - pkg
+
+- name: configure networking
+  template:
+    src: networking.j2
+    dest: /etc/network/interfaces
+  when: wanted_ip4 is defined or wanted_ip6 is defined
+  tags:
+    - networking
+
+- name: configure watchdog
+  template:
+    src: watchdog.conf.j2
+    dest: /etc/conf.d/watchdog
+  when: ansible_distribution == 'Alpine'
+
+- name: configure watchdog
+  template:
+    src: watchdog-deb.conf.j2
+    dest: /etc/watchdog.conf
+  when: ansible_distribution != 'Alpine'
+
+- name: ensure watchdog is running
+  service:
+    name: watchdog
+    enabled: yes
+    state: started
+
+- name: configure chrony
+  template:
+    src: chrony.conf.j2
+    dest: /etc/chrony/chrony.conf
+  notify:
+    - reload chronyd
+  when: ansible_distribution == 'Alpine'
+  tags:
+    - chrony

tasks/pkg_Alpine.yml

@@ -0,0 +1,76 @@
+---
+- name: remove acpid
+  apk:
+    name: busybox-acpid
+    state: absent
+  tags:
+    - pkg
+
+- name: set alpine repositories
+  template:
+    src: apk-repositories
+    dest: /etc/apk/repositories
+  register: change_release
+  tags:
+    - pkg
+
+- command: apk fix
+  when: firsttime is changed
+  tags:
+    - pkg
+
+- name: Upgrade system
+  apk:
+    update_cache: yes
+    upgrade: yes
+    available: "{{ change_release.changed }}"
+  when: firsttime is not changed
+  tags:
+    - pkg
+
+- name: install common packages (alpine)
+  apk:
+    name:
+      - acl
+      - chrony
+      - coreutils
+      - docker
+      - docker-py
+      - haveged
+      - htop
+      - iptables
+      - ip6tables
+      - nginx
+      - openssh
+      - openssl
+      - py3-openssl
+      - rng-tools
+#      - ssmtp
+    state: present
+    update_cache: yes
+  tags:
+    - pkg
+
+- name: install ssmtp (alpine)
+  apk:
+    name:
+      - ssmtp
+    state: present
+  when: "'scouts' not in group_names"
+  tags:
+    - pkg
+
+- name: configure ssmtp
+  template:
+    src: ssmtp.conf.j2
+    dest: /etc/ssmtp/ssmtp.conf
+  when: "'scouts' not in group_names"
+  tags:
+    - pkg
+
+- name: make Docker depends on netmount
+  lineinfile:
+    path: /etc/conf.d/docker
+    line: 'rc_need="netmount"'
+  tags:
+    - pkg

tasks/pkg_Debian.yml

@@ -0,0 +1,40 @@
+---
+- name: install common packages (debian)
+  apt:
+    name:
+      - ca-certificates
+      - apt-transport-https
+      - curl
+#      - docker.io
+      - haveged
+      - htop
+      - gpg
+      - iptables
+      - iptables-persistent
+      - msmtp-mta
+      - nginx
+      - openssh-server
+      - python3-apt
+      - python3-docker
+      - python3-openssl
+      - rng-tools5
+      - watchdog
+      - wget
+    state: present
+    update_cache: yes
+
+- name: ensure netfilter-persistent is enabled
+  service:
+    name: netfilter-persistent
+    enabled: yes
+    state: started
+  tags:
+    - pkg
+
+- name: configure msmtp
+  template:
+    src: msmtprc.j2
+    dest: /etc/msmtprc
+  when: "'scouts' not in group_names"
+  tags:
+    - pkg

tasks/ssh.yml

@@ -0,0 +1,7 @@
+---
+- name: Set ssh authorized_keys
+  ansible.posix.authorized_key:
+    key: "{{ ssh_authorized_keys | union(ssh_authorized_keys_extra) | flatten | join('\n') }}"
+    state: present
+    user: "{{ ansible_user }}"
+    exclusive: true

tasks/sshd.yml

@@ -0,0 +1,44 @@
+---
+- name: Disable legacy ssh algorithms
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#(HostKey {{ item }})$"
+    line: '\1'
+    backrefs: yes
+    validate: '/usr/sbin/sshd -f %s -t'
+  loop:
+    - /etc/ssh/ssh_host_rsa_key
+    - /etc/ssh/ssh_host_ed25519_key
+  notify:
+    - restart sshd
+  tags:
+    - pkg
+
+- name: Activate specifics SSH ports
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#?(Port {{ item }})$"
+    insertafter: "^Port [0-9]+$"
+    line: "Port {{ item }}"
+    validate: '/usr/sbin/sshd -f %s -t'
+  loop:
+    - 22
+    - 622
+  notify:
+    - restart sshd
+  tags:
+    - pkg
+
+- name: Disable ssh password authentification
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#? *{{ item.regexp }}"
+    line: "{{ item.line }}"
+    validate: '/usr/sbin/sshd -f %s -t'
+  loop:
+    - { regexp: "ChallengeResponseAuthentication", line: "ChallengeResponseAuthentication no" }
+    - { regexp: "PasswordAuthentication", line: "PasswordAuthentication no" }
+  notify:
+    - restart sshd
+  tags:
+    - pkg