ansible-roles/base
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
12 Commits 1 Branch 0 Tags
fb259d854b366aee44a3fa9468ed957f0f6baf99
T
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Ludovic Cartier fb259d854b packages - remove deborphan
2026-02-20 17:50:47 +01:00
meta
add meta info
2024-12-20 15:58:47 +01:00
tasks
packages - remove deborphan
2026-02-20 17:50:47 +01:00
templates
biiiiig update !
2026-02-20 15:46:38 +01:00
LICENSE
biiiiig update !
2026-02-20 15:46:38 +01:00
README.md
biiiiig update !
2026-02-20 15:46:38 +01:00

README.md

brainsys base configuration

This role sets up a base configuration for servers, including locales, timezone, time synchronization, standard packages, SSH hardening, and Python utilities. It handles differences between Debian versions (e.g., NTP vs systemd-timesyncd, Python venv management).

Supported Platforms

  • Debian 10+ (Buster, Bullseye, Bookworm, Trixie...)

Features & Details

1. Locales & Timezone

  • Sets locale to fr_FR.UTF-8.
  • Sets timezone to Europe/Paris (customizable).
  • Configures NTP:
    • Debian < 13: Installs ntp package.
    • Debian >= 13: Installs and enables systemd-timesyncd.

2. Standard Packages

Installs a set of essential tools including:

  • bash-completion, curl, git-core, htop, iotop, ncdu, rsync, screen, tmux, vim, net-tools, telnet, sudo, etc.

3. Python Utilities (ps_mem, bpytop)

Installs ps_mem and bpytop.

  • Debian < 12: Installed globally via pip3.
  • Debian >= 12: Installed in a dedicated virtual environment at /opt/python/venv/brainsys. Binaries are symlinked to /usr/local/bin.

4. Needrestart (Debian only)

Installs and configures needrestart to automatically restart services after upgrades.

  • Sets auto-restart mode.
  • Allows defining exclusions via variables (see below).

5. SSH Configuration

  • Hardens SSH root login:
    • PermitRootLogin set to no by default.
    • Allows prohibit-password login only from specific IP addresses defined in variables (see below).
  • Manages /root/.ssh/authorized_keys with a list of keys (see below).

Role Variables

Variable Description Default
timezone System timezone to configure. Europe/Paris
needrestart_exclude List of services to exclude from needrestart checks (keys in perl hash format). []
ssh_root_authorized_ips List of IP addresses allowed to SSH as root (with key only). undefined
ssh_root_authorized_keys List of public keys to add to /root/.ssh/authorized_keys. Warning: Overwrites file. undefined
ssh_root_authorized_keys_file Custom path for the authorized_keys file destination. /root/.ssh/authorized_keys

Usage Example

- hosts: servers
  roles:
    - role: base
      vars:
        timezone: "Etc/UTC"
        needrestart_exclude:
          - mysql
          - postgresql
        ssh_root_authorized_ips:
          - "192.168.1.10"
          - "10.0.0.5"
        ssh_root_authorized_keys:
          - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA..."
          - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA..."

License

MIT

Author Information

Written by Ludovic Cartier ludovic.cartier@brainsys.io

Reference in New Issue View Git Blame Copy Permalink
S
Description
No description provided
Readme MIT 41 KiB
Languages
Jinja 100%