AniNIX/Kapisi
3
0
Fork 0
Code Issues 27 Pull Requests Projects 1 Releases Wiki Activity

Catching up with current successes

Browse Source
This commit is contained in:
DarkFeather
2022-01-25 23:54:43 -06:00
parent 94a4736839
commit 921d53c724
70 changed files with 2912 additions and 355 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
roles/ShadowArch/tasks/archlinux-network.yml Normal file
View File

@@ -0,0 +1,26 @@
---
- name: ArchLinux network packages
become: yes
package:
name:
- netctl
state: present
- name: Static ArchLinux network config
become: yes
when: static
template:
src: netctl-static.j2
dest: "/etc/netctl/{{ ipinterface }}"
- name: Dynamic ArchLinux network config
become: yes
when: static
template:
src: netctl-dhcp.j2
dest: "/etc/netctl/{{ ipinterface }}"
- name: Enable network config
become: yes
command: "netctl enable {{ ipinterface }}"

29
roles/ShadowArch/tasks/dns.yml Normal file
View File

@@ -0,0 +1,29 @@
---
- name: Install DNS packages
become: yes
ignore_errors: yes
package:
name:
- bind
- net-tools
- iputils
state: present
- name: Set up /etc/resolv.conf
become: yes
copy:
dest: /etc/resolv.conf
content: "domain {{ replica_domain }}\nnameserver {{ dns }}\n"
owner: root
group: root
mode: 0644
- name: Set up /etc/hosts
vars:
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
lineinfile:
dest: /etc/hosts
regexp: '^127.0.0.1[ \t]+localhost'
line: "127.0.0.1 localhost localhost.localdomain {{ inventory_hostname }} {{ inventory_hostname }}.{{ replica_domain }}"
state: present

190
roles/ShadowArch/tasks/main.yml Normal file
View File

@@ -0,0 +1,190 @@
---
###
# This role installs the basic package and host setup for AniNIX operations.
# This is an AniNIX convention to allow password management by Ansible.
- name: Base packages
vars:
ansible_become_method: su
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
package:
name:
- bash
- sudo
- git
- tmux
- vim
- sysstat
- iotop
- lsof
- rsync
state: present
update_cache: yes
- name: Ensure deploy user has sudo permissions.
vars:
ansible_become_method: su
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
copy:
dest: /etc/sudoers.d/basics
content: "{{ ansible_user_id }} ALL=(ALL) NOPASSWD: ALL\n"
- name: Ensure we include /etc/sudoers.d (Current)
vars:
ansible_become_method: su
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
when: ansible_architecture != "armv6l"
lineinfile:
path: /etc/sudoers
regexp: "includedir /etc/sudoers.d"
line: "@includedir /etc/sudoers.d"
- name: Ensure we include /etc/sudoers.d (Legacy)
vars:
ansible_become_method: su
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
when: ansible_architecture == "armv6l"
lineinfile:
path: /etc/sudoers
regexp: "includedir /etc/sudoers.d"
line: "#includedir /etc/sudoers.d"
- name: Test root password
ignore_errors: yes
register: root_password_test
vars:
ansible_become_method: su
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
command: id
- name: Define passwords
vars:
ansible_become_user: "root"
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
when: root_password_test.rc is not defined or root_password_test.rc != 0
command:
cmd: /bin/bash -l -c "printf '%s\n%s\n' '{{ passwords[inventory_hostname] }}' '{{ passwords[inventory_hostname] }}' | passwd {{ item }}"
loop:
- root
- "{{ ansible_user_id }}"
- name: Set up pacman.conf
vars:
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
copy:
src: pacman.conf
dest: /etc/pacman.conf
owner: root
group: root
mode: 0644
when: ansible_os_family == "Archlinux"
- name: Generate mirrorlist
delegate_to: localhost
run_once: yes
command: "bash ../bin/generate-mirrorlist"
- name: Copy mirrorlist
become: yes
when: ansible_os_family == "Archlinux"
copy:
src: mirrorlist
dest: /etc/pacman.d/mirrorlist.shadowarch
owner: root
group: root
mode: 0644
- name: Set up apt sources.list
vars:
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
copy:
content: |
deb http://raspbian.raspberrypi.org/raspbian/ bullseye main contrib non-free rpi
# deb-src http://archive.raspbian.org/raspbian/ stretch main contrib non-free rpi
dest: /etc/apt/sources.list
owner: root
group: root
mode: 0644
when: ansible_os_family == "Debian"
- name: Install ShadowArch (ArchLinux)
vars:
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
pacman:
name: ShadowArch
state: present
update_cache: yes
when: ansible_os_family == "Archlinux"
- name: Set up AniNIX-specific repository location (Other)
when: ansible_os_family != "Archlinux"
vars:
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
file:
path: /opt/aninix
state: directory
- name: Download ShadowArch (Other)
vars:
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
ignore_errors: yes
git:
repo: 'https://foundation.aninix.net/AniNIX/ShadowArch'
dest: '/opt/aninix/ShadowArch'
update: yes
when: ansible_os_family != "Archlinux"
- name: Install ShadowArch (Other)
vars:
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
command:
chdir: '/opt/aninix/ShadowArch'
cmd: '/bin/bash -c "make install; /usr/local/sbin/shadowarch-sync"'
when: ansible_os_family != "Archlinux"
- name: Set up hostname
vars:
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
hostname:
name: "{{ inventory_hostname }}.{{ replica_domain }}"
- name: Set Bash MOTD
become: yes
copy:
src: "motd/{{ inventory_hostname }}"
dest: /etc/bash.motd
owner: root
group: root
mode: 0644
- name: Nullify overall MOTD
become: yes
copy:
src: /dev/null
dest: /etc/motd
owner: root
group: root
mode: 0644
- include: archlinux-network.yml
when: ansible_os_family == "Archlinux"
- include: raspbian-network.yml
when: ansible_os_family == "Debian"
- include: dns.yml
- include: ntp.yml

40
roles/ShadowArch/tasks/ntp.yml Normal file
View File

@@ -0,0 +1,40 @@
---
- name: Set up time zone
become: yes
register: localtime
file:
src: "/usr/share/zoneinfo/{{ time_zone }}"
dest: /etc/localtime
state: link
- name: Remove legacy NTP services
become: yes
ignore_errors: yes
service:
name: "{{ item }}"
state: stopped
enabled: no
loop:
- ntpd
- openntpd
- name: Remove legacy NTP packages
become: yes
package:
name:
- ntp
- openntpd
state: absent
- name: Install NTP packages
become: yes
package:
name: chrony
state: present
- name: Start NTP service
become: yes
service:
name: chronyd
state: started
enabled: yes

43
roles/ShadowArch/tasks/raspbian-network.yml Normal file
View File

@@ -0,0 +1,43 @@
---
- name: Rasbian network packages
become: yes
package:
name:
- netbase
state: present
- name: Rasbian network config
become: yes
when: not static
copy:
src: raspbian-interfaces
dest: "/etc/network/interfaces"
owner: root
group: root
mode: 0644
- name: Rasbian network config (static)
become: yes
when: static
template:
src: raspbian-static.j2
dest: "/etc/network/interfaces"
owner: root
group: root
mode: 0644
- name: Raspbian wireless
become: yes
command:
cmd: /bin/bash -c "wpa_passphrase {{ wireless_ssid }} '{{ passwords['Shadowfeed'] }}' > /etc/wpa_supplicant.conf"
creates: '/etc/wpa_supplicant.conf'
- name: Raspbian wireless hardening
become: yes
file:
path: '/etc/wpa_supplicant.conf'
state: file
owner: root
group: root
mode: 0600