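---
# System configuration tasks for a Debian-family host: repositories, package
# upgrades, unattended security updates, SSH root access, firewall, logs,
# locale and NTP. Every task uses the fully qualified collection name.

- ansible.builtin.include_tasks: repos.yml

# Upgrade already installed packages to latest version and clean system.
# Each apt task is retried (default 5 s delay) while another process holds the
# apt/dpkg lock, e.g. a concurrent unattended-upgrades run. Any other apt error
# makes the `until` test true at once, so the task fails without retrying.
# NOTE(review): the test reads apt_status.msg; confirm every failure path of
# the apt module sets msg, otherwise the retry loop itself errors.
- name: apt update
  ansible.builtin.apt:
    force_apt_get: true
    install_recommends: false
    update_cache: true
  register: apt_status
  retries: 60
  until: >-
    apt_status is success or
    ('Failed to lock apt for exclusive operation' not in apt_status.msg
    and '/var/lib/dpkg/lock' not in apt_status.msg)
  # A cache refresh is not a configuration change worth reporting.
  changed_when: false

- name: apt dist upgrade
  ansible.builtin.apt:
    force_apt_get: true
    install_recommends: false
    upgrade: dist
  register: apt_status
  retries: 60
  until: >-
    apt_status is success or
    ('Failed to lock apt for exclusive operation' not in apt_status.msg
    and '/var/lib/dpkg/lock' not in apt_status.msg)

- name: apt clean and autoremove
  ansible.builtin.apt:
    force_apt_get: true
    install_recommends: false
    autoclean: true
    autoremove: true
  register: apt_status
  retries: 60
  until: >-
    apt_status is success or
    ('Failed to lock apt for exclusive operation' not in apt_status.msg
    and '/var/lib/dpkg/lock' not in apt_status.msg)

# Install new packages and remove conflicts.
# sysconfig_packages is defined outside this file (role defaults/vars).
- name: install system utilities
  ansible.builtin.apt:
    force_apt_get: true
    install_recommends: false
    name: "{{ sysconfig_packages }}"
    # Deliberately `latest`: the role also upgrades everything else above.
    state: latest
  register: apt_status
  retries: 60
  until: >-
    apt_status is success or
    ('Failed to lock apt for exclusive operation' not in apt_status.msg
    and '/var/lib/dpkg/lock' not in apt_status.msg)

# exim4 is purged (configuration included) so it cannot conflict with the
# mail setup installed elsewhere.
- name: remove conflicting packages
  ansible.builtin.apt:
    force_apt_get: true
    install_recommends: false
    name:
      - exim4
      - exim4-base
      - exim4-config
      - exim4-daemon-light
    state: absent
    purge: true
  register: apt_status
  retries: 60
  until: >-
    apt_status is success or
    ('Failed to lock apt for exclusive operation' not in apt_status.msg
    and '/var/lib/dpkg/lock' not in apt_status.msg)

# Enable automatic security upgrades.
- name: install unattended-upgrades
  ansible.builtin.apt:
    force_apt_get: true
    install_recommends: false
    name: unattended-upgrades
    state: latest
  register: apt_status
  retries: 60
  until: >-
    apt_status is success or
    ('Failed to lock apt for exclusive operation' not in apt_status.msg
    and '/var/lib/dpkg/lock' not in apt_status.msg)

# Daily package-list refresh and daily unattended-upgrade run.
- name: enable unattended upgrades
  ansible.builtin.copy:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
    mode: '0644'

# Only the shipped, commented-out (`//`) default is rewritten; an explicit
# existing setting for this option is left as the administrator set it.
- name: remove old kernel with unattended-upgrades
  ansible.builtin.replace:
    path: /etc/apt/apt.conf.d/50unattended-upgrades
    regexp: '^//Unattended-Upgrade::Remove-Unused-Kernel-Packages.*$'
    replace: 'Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";'
  notify: restart unattended-upgrades

# Let unattended-upgrades also pull packages from the UbiCast security origin.
# NOTE(review): if the `Origins-Pattern {` header is not found, lineinfile
# appends the line at end of file, i.e. outside the block; confirm the header
# format on every supported release.
- name: allow automatic updates for ubicast security repo
  ansible.builtin.lineinfile:
    path: /etc/apt/apt.conf.d/50unattended-upgrades
    insertafter: '^Unattended-Upgrade::Origins-Pattern {$'
    line: '        "origin=UbiCast,label=UbiCast-Security";'
    backup: true
  notify: restart unattended-upgrades

# Root may log in over SSH with a key but never with a password. The leading
# `#` is optional so that an active "PermitRootLogin yes" is downgraded to
# key-only as well, instead of being left in place. "without-password" is the
# legacy spelling of "prohibit-password" and is still accepted by OpenSSH.
# An explicit "PermitRootLogin no" is intentionally not touched.
- name: enable root login via ssh with key
  ansible.builtin.replace:
    path: /etc/ssh/sshd_config
    regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)'
    replace: 'PermitRootLogin without-password'
    # Never write an sshd_config that sshd cannot parse; a broken file would
    # lock everyone out on the next restart.
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd

# Drop the key-option prefix that neutralises root's authorized key; the key
# material after it is kept. NOTE(review): presumably the prefix added by the
# base image to disable root logins — confirm against the image in use.
- name: remove disabled root login
  ansible.builtin.replace:
    path: /root/.ssh/authorized_keys
    regexp: '^no-port-forwarding,(.+) ssh-'
    replace: 'ssh-'
    mode: '0600'
  # Best effort: the file may not exist on hosts without a root key.
  failed_when: false

# FIREWALL
# The ferm-configure role is driven entirely by the sysconfig_ferm_* variables
# mapped below; the whole role is skipped when the firewall is disabled.
- name: firewall
  when: sysconfig_firewall_enabled
  vars:
    ferm_rules_filename: "{{ sysconfig_ferm_rules_filename }}"
    ferm_input_rules: "{{ sysconfig_ferm_input_rules }}"
    ferm_output_rules: "{{ sysconfig_ferm_output_rules }}"
    ferm_global_settings: "{{ sysconfig_ferm_global_settings }}"
  ansible.builtin.include_role:
    name: ferm-configure

- ansible.builtin.include_tasks: logs.yml

- ansible.builtin.include_tasks: locale.yml

- ansible.builtin.include_tasks: ntp.yml
...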