base/README.md
Ludovic Cartier 717c98fa6c biiiiig update !
2026-02-20 15:46:38 +01:00

brainsys base configuration
===========================
This role sets up a base configuration for servers, including locales, timezone, time synchronization, standard packages, SSH hardening, and Python utilities. It handles differences between Debian versions (e.g., NTP vs systemd-timesyncd, Python venv management).
Supported Platforms
-------------------
- Debian 10+ (Buster, Bullseye, Bookworm, Trixie...)
Features & Details
------------------
### 1. Locales & Timezone
- Sets the locale to `fr_FR.UTF-8`.
- Sets the timezone to `Europe/Paris` (customizable through the `timezone` variable).
- Configures NTP time synchronization:
  - **Debian < 13**: installs the `ntp` package.
  - **Debian >= 13**: installs and enables `systemd-timesyncd`.
### 2. Standard Packages
Installs a set of essential tools including:
- `bash-completion`, `curl`, `git-core`, `htop`, `iotop`, `ncdu`, `rsync`, `screen`, `tmux`, `vim`, `net-tools`, `telnet`, `sudo`, etc.
### 3. Python Utilities (ps_mem, bpytop)
Installs `ps_mem` and `bpytop`.
- **Debian < 12**: installed system-wide with `pip3`.
- **Debian >= 12**: the system Python is marked externally managed (PEP 668), so `pip3` refuses system-wide installs; the tools are installed in a dedicated virtual environment at `/opt/python/venv/brainsys` and their binaries are symlinked into `/usr/local/bin`.
### 4. Needrestart (Debian only)
Installs and configures `needrestart` so that services running on updated libraries are restarted automatically after package upgrades.
- Sets needrestart to automatic restart mode.
- Lets you exclude services that must not be restarted automatically through the `needrestart_exclude` variable (see below).
### 5. SSH Configuration
- Hardens SSH root login:
  - `PermitRootLogin` is set to `no` globally by default.
  - Root login is relaxed to `prohibit-password` (public-key authentication only, never a password) solely for the source addresses listed in `ssh_root_authorized_ips` (see below).
- Manages `/root/.ssh/authorized_keys` from a list of keys (see below). The file is overwritten, so any key not in the list is removed.
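The root-login policy above, rendered and checked offline, as an added example that is not the role's own code. It assumes the role implements the per-address exception with an sshd `Match Address` block (the mechanism sshd provides for per-source overrides); the function names, the drop-in layout and the sample addresses are this example's own. The evaluator reproduces just enough of sshd's rules (outside `Match` blocks the first value of a keyword wins; a satisfied `Match` block overrides it, first satisfied block wins) to catch a lockout before the role runs.

```python
# Added example, not code from the brainsys role: render the sshd_config
# drop-in that implements "PermitRootLogin no, except prohibit-password from
# listed addresses", and evaluate the effective value for a client address.
# Assumption: the role uses a Match Address block for the exception.
import ipaddress


def render_root_login_dropin(authorized_ips):
    """Return sshd_config text: PermitRootLogin no globally, relaxed to
    prohibit-password (public key only) for the listed addresses or CIDRs.
    The Match block is placed last because it extends to the end of the file."""
    lines = ["PermitRootLogin no"]
    if authorized_ips:
        # Match Address takes a comma-separated list of addresses or CIDR ranges.
        lines.append("Match Address " + ",".join(authorized_ips))
        lines.append("    PermitRootLogin prohibit-password")
    return "\n".join(lines) + "\n"


def _address_matches(criteria, addr):
    """Evaluate a Match criteria string. Only 'Address <list>' is modelled;
    sshd also supports User, Group, Host, LocalAddress, wildcards and '!'."""
    parts = criteria.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "address":
        raise ValueError("only 'Match Address <list>' is modelled: %r" % criteria)
    # ipaddress silently returns False for an IPv4/IPv6 version mismatch.
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in parts[1].split(","))


def effective_permit_root_login(config_text, client_addr):
    """Simplified sshd semantics: first global value wins; a satisfied Match
    block overrides it (first satisfied block wins). With no directive at
    all, sshd's compiled-in default 'prohibit-password' applies."""
    addr = ipaddress.ip_address(client_addr)
    global_value = None
    match_value = None
    in_match = False
    block_applies = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        rest = parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True
            block_applies = _address_matches(rest, addr)
            continue
        if keyword != "permitrootlogin":
            continue
        value = rest.strip().lower()
        if not in_match:
            if global_value is None:
                global_value = value
        elif block_applies and match_value is None:
            match_value = value
    if match_value is not None:
        return match_value
    return global_value if global_value is not None else "prohibit-password"


if __name__ == "__main__":
    # Constructed sample: two admin hosts allowed, everyone else refused.
    cfg = render_root_login_dropin(["192.168.1.10", "10.0.0.5"])
    print(cfg)
    for ip in ("10.0.0.5", "203.0.113.7"):
        print(ip, "->", effective_permit_root_login(cfg, ip))
    # On the target host the daemon itself is the authoritative check
    # (needs root to read the host keys):
    #   sshd -T -C user=root,addr=10.0.0.5 | grep -i permitrootlogin
```

Two deployment caveats: a `Match` block runs to the end of the file, so keep it last in the fragment and put nothing global after it; and `Include` (which makes `/etc/ssh/sshd_config.d/*.conf` drop-ins work) only exists in OpenSSH 8.2 and later, so on Debian 10 (OpenSSH 7.9) the fragment has to live in `sshd_config` itself.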
Role Variables
--------------
| Variable | Description | Default |
|----------|-------------|---------|
| `timezone` | System timezone to configure. | `Europe/Paris` |
| `needrestart_exclude` | List of services that needrestart must not restart automatically; entries are written as keys of needrestart's `override_rc` Perl hash. | `[]` |
| `ssh_root_authorized_ips` | List of source IP addresses from which root may log in over SSH, with public-key authentication only (`prohibit-password`). From any other address root login stays refused. | `undefined` |
| `ssh_root_authorized_keys` | List of public keys written to `/root/.ssh/authorized_keys`. **Warning: the file is overwritten**, so every key still needed must be in this list or you lock yourself out. | `undefined` |
| `ssh_root_authorized_keys_file` | Custom path for the authorized_keys file destination. | `/root/.ssh/authorized_keys` |
Usage Example
-------------
```yaml
- hosts: servers
  roles:
    - role: base
      vars:
        timezone: "Etc/UTC"
        needrestart_exclude:
          - mysql
          - postgresql
        ssh_root_authorized_ips:
          - "192.168.1.10"
          - "10.0.0.5"
        ssh_root_authorized_keys:
          - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA..."
          - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA..."
```
License
-------
MIT
Author Information
------------------
Written by Ludovic Cartier <ludovic.cartier@brainsys.io>