brainsys base configuration
===========================

This role sets up a base configuration for servers, including locales, timezone, time synchronization, standard packages, SSH hardening, and Python utilities. It handles differences between Debian versions (e.g., NTP vs systemd-timesyncd, Python venv management).

Supported Platforms
-------------------

- Debian 10+ (Buster, Bullseye, Bookworm, Trixie...)

Features & Details
------------------

### 1. Locales & Timezone

- Sets locale to `fr_FR.UTF-8`.
- Sets timezone to `Europe/Paris` (customizable).
- Configures NTP:
  - **Debian < 13**: Installs `ntp` package.
  - **Debian >= 13**: Installs and enables `systemd-timesyncd`.

### 2. Standard Packages

Installs a set of essential tools including:

- `bash-completion`, `curl`, `git-core`, `htop`, `iotop`, `ncdu`, `rsync`, `screen`, `tmux`, `vim`, `net-tools`, `telnet`, `sudo`, etc.

### 3. Python Utilities (ps_mem, bpytop)

Installs `ps_mem` and `bpytop`.

- **Debian < 12**: Installed globally via `pip3`.
- **Debian >= 12**: Installed in a dedicated virtual environment at `/opt/python/venv/brainsys`. Binaries are symlinked to `/usr/local/bin`.

### 4. Needrestart (Debian only)

Installs and configures `needrestart` to automatically restart services after upgrades.

- Sets auto-restart mode.
- Allows defining exclusions via variables (see below).

### 5. SSH Configuration

- Hardens SSH root login:
  - `PermitRootLogin` set to `no` by default.
  - Allows `prohibit-password` login only from specific IP addresses defined in variables (see below).
- Manages `/root/.ssh/authorized_keys` with a list of keys (see below).

Role Variables
--------------

| Variable | Description | Default |
|----------|-------------|---------|
| `timezone` | System timezone to configure. | `Europe/Paris` |
| `needrestart_exclude` | List of services to exclude from needrestart checks (keys in perl hash format). | `[]` |
| `ssh_root_authorized_ips` | List of IP addresses allowed to SSH as root (with key only). | `undefined` |
| `ssh_root_authorized_keys` | List of public keys to add to `/root/.ssh/authorized_keys`. **Warning: Overwrites file**. | `undefined` |
| `ssh_root_authorized_keys_file` | Custom path for the authorized_keys file destination. | `/root/.ssh/authorized_keys` |

Usage Example
-------------

```yaml
- hosts: servers
  roles:
    - role: base
      vars:
        timezone: "Etc/UTC"
        needrestart_exclude:
          - mysql
          - postgresql
        ssh_root_authorized_ips:
          - "192.168.1.10"
          - "10.0.0.5"
        ssh_root_authorized_keys:
          - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA..."
          - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA..."
```

License
-------

MIT

Author Information
------------------

Written by Ludovic Cartier
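The SSH hardening described under "5. SSH Configuration" maps onto a global `PermitRootLogin no` plus a `Match Address` block carrying `prohibit-password` for the listed hosts. The POSIX shell below is an added illustration, not the role's template: it renders that fragment from the values of `ssh_root_authorized_ips` and refuses entries containing the glob characters sshd accepts in `Address` patterns, since a stray `*` would extend key-based root login to every client. It assumes the fragment is appended after the global settings in `sshd_config`, so that the Match block overrides them.

```shell
#!/bin/sh
# Added example, not the role's own code: render the sshd_config fragment
# that implements "PermitRootLogin no" globally with "prohibit-password"
# only for the addresses taken from ssh_root_authorized_ips.

# Reject entries that would widen the Match: empty strings and the glob
# characters '*' and '?' that sshd honours in Address patterns.
safe_address() {
    case "$1" in
        ""|*\**|*\?*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the fragment for the given addresses. Returns 2 and prints nothing
# if any address is unsafe, so a bad variable cannot produce a config that
# quietly grants prohibit-password to all hosts.
render_root_login_conf() {
    addrs=""
    for a in "$@"; do
        safe_address "$a" || return 2
        addrs="${addrs:+$addrs,}$a"
    done
    printf 'PermitRootLogin no\n'
    [ -n "$addrs" ] || return 0
    printf '\n# Key-only root login from the hosts below; all others stay "no"\n'
    printf 'Match Address %s\n    PermitRootLogin prohibit-password\n' "$addrs"
}

# Stand-alone demo using the constructed addresses from the usage example.
if [ "${1:-}" = "--demo" ]; then
    render_root_login_conf 192.168.1.10 10.0.0.5
fi
```

Run with `--demo` to see the rendered fragment; on a real host, validate the final file with `sshd -t` before reloading the service.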