---
# System baseline: package repositories, full upgrade, base packages,
# unattended security upgrades, root SSH access, console banner, firewall,
# then the logs / locale / NTP task files.

- name: REPOS
  ansible.builtin.include_tasks: repos.yml

# --- Upgrade installed packages and clean the system ---
# Every apt task below is retried (up to 60 times) only while the failure
# message points at a held apt/dpkg lock; any other failure stops the loop
# at once and the task fails normally.

# Cache refresh only, hence never reported as a change.
- name: apt update
  ansible.builtin.apt:
    force_apt_get: true
    install_recommends: false
    update_cache: true
  register: apt_status
  retries: 60
  until: >-
    apt_status is success or
    ('Failed to lock apt for exclusive operation' not in apt_status.msg
    and '/var/lib/dpkg/lock' not in apt_status.msg)
  changed_when: false

- name: apt dist upgrade
  ansible.builtin.apt:
    force_apt_get: true
    install_recommends: false
    upgrade: dist
  register: apt_status
  retries: 60
  until: >-
    apt_status is success or
    ('Failed to lock apt for exclusive operation' not in apt_status.msg
    and '/var/lib/dpkg/lock' not in apt_status.msg)

- name: apt clean and autoremove
  ansible.builtin.apt:
    force_apt_get: true
    install_recommends: false
    autoclean: true
    autoremove: true
  register: apt_status
  retries: 60
  until: >-
    apt_status is success or
    ('Failed to lock apt for exclusive operation' not in apt_status.msg
    and '/var/lib/dpkg/lock' not in apt_status.msg)

# --- Install the base package set and purge conflicting packages ---

# The package list comes from the sysconfig_packages variable.
- name: install system utilities
  ansible.builtin.apt:
    force_apt_get: true
    install_recommends: false
    name: "{{ sysconfig_packages }}"
    state: latest
  register: apt_status
  retries: 60
  until: >-
    apt_status is success or
    ('Failed to lock apt for exclusive operation' not in apt_status.msg
    and '/var/lib/dpkg/lock' not in apt_status.msg)

# Purge the exim4 packages together with their configuration.
- name: remove conflicting packages
  ansible.builtin.apt:
    force_apt_get: true
    install_recommends: false
    name:
      - exim4
      - exim4-base
      - exim4-config
      - exim4-daemon-light
    state: absent
    purge: true
  register: apt_status
  retries: 60
  until: >-
    apt_status is success or
    ('Failed to lock apt for exclusive operation' not in apt_status.msg
    and '/var/lib/dpkg/lock' not in apt_status.msg)

# --- Automatic security upgrades ---

- name: install unattended-upgrades
  ansible.builtin.apt:
    force_apt_get: true
    install_recommends: false
    name: unattended-upgrades
    state: latest
  register: apt_status
  retries: 60
  until: >-
    apt_status is success or
    ('Failed to lock apt for exclusive operation' not in apt_status.msg
    and '/var/lib/dpkg/lock' not in apt_status.msg)

# Turn on the periodic package-list refresh and the unattended upgrade run.
- name: enable unattended upgrades
  ansible.builtin.copy:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
    mode: "644"

# Uncomment the stock Remove-Unused-Kernel-Packages line and set it to "true".
- name: remove old kernel with unattended-upgrades
  ansible.builtin.replace:
    dest: /etc/apt/apt.conf.d/50unattended-upgrades
    regexp: '^//Unattended-Upgrade::Remove-Unused-Kernel-Packages.*$'
    replace: 'Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";'
  notify: restart unattended-upgrades

# Add the UbiCast-Security origin to the Origins-Pattern list; backup keeps a
# copy of the previous file.
# NOTE(review): packages from this origin are then installed without operator
# review, so trust rests on how the repository and its signing key are set up
# (presumably in repos.yml, not visible here) - confirm.
- name: allow automatic updates for ubicast security repo
  ansible.builtin.lineinfile:
    path: /etc/apt/apt.conf.d/50unattended-upgrades
    insertafter: '^Unattended-Upgrade::Origins-Pattern {$'
    line: ' "origin=UbiCast,label=UbiCast-Security";'
    backup: true
  notify: restart unattended-upgrades

# --- Root SSH access ---

# Root may log in over SSH with a key but not with a password.
# 'without-password' is the deprecated spelling of 'prohibit-password'
# (OpenSSH 7.0+); both are still accepted.
# NOTE(review): the file is rewritten without a syntax check. Consider adding
# validate: '/usr/sbin/sshd -t -f %s' so an invalid sshd_config is never
# installed - confirm that sshd -t runs cleanly on every target first.
- name: enable root login via ssh with key
  ansible.builtin.replace:
    dest: /etc/ssh/sshd_config
    regexp: '^#?PermitRootLogin.*'
    replace: PermitRootLogin without-password
  notify: restart sshd

# Strip the option prefix that starts with "no-port-forwarding," from entries
# in root's authorized_keys, leaving the bare "ssh-..." key; those keys then
# carry none of the options that preceded them. Only key types whose name
# begins with "ssh-" match the pattern.
# failed_when: false makes this best-effort: a missing file or any other
# error goes unreported.
# NOTE(review): presumably this undoes a provisioning-time restriction on
# root keys - confirm that unrestricted root key login is intended.
- name: remove disabled root login
  ansible.builtin.replace:
    dest: /root/.ssh/authorized_keys
    regexp: '^no-port-forwarding,(.+) ssh-'
    replace: 'ssh-'
    mode: "600"
  failed_when: false

# --- Console banner ---

# /etc/issue is shown before login; \e{...} are agetty colour escapes and \4
# expands to the host's IPv4 address.
- name: set issue file
  ansible.builtin.copy:
    dest: /etc/issue
    content: |
      \e{lightblue} © UBICAST\e{reset}
      IP Address: \e{bold}\4\e{reset}
    mode: "644"

# --- FIREWALL ---

# Applied only when sysconfig_firewall_enabled is true; otherwise this file
# manages no firewall rules. The sysconfig_ferm_* values are handed to the
# ferm-configure role under its ferm_* variable names.
- name: firewall
  when: sysconfig_firewall_enabled
  ansible.builtin.include_role:
    name: ferm-configure
  vars:
    ferm_rules_filename: "{{ sysconfig_ferm_rules_filename }}"
    ferm_input_rules: "{{ sysconfig_ferm_input_rules }}"
    ferm_output_rules: "{{ sysconfig_ferm_output_rules }}"
    ferm_global_settings: "{{ sysconfig_ferm_global_settings }}"

# --- Remaining task files ---

- name: LOGS
  ansible.builtin.include_tasks: logs.yml

- name: LOCALE
  ansible.builtin.include_tasks: locale.yml

- name: NTP
  ansible.builtin.include_tasks: ntp.yml