Commit
63887d3b
authored
Aug 18, 2020
by
Frederik Schwan
Committed by
Sven-Hendrik Haase
Aug 27, 2020
fix E208 'File permissions not mentioned'
parent
04b2e3b1
Changes
31
playbooks/tasks/fetch-borg-keys.yml
...
...
@@ -4,7 +4,7 @@
hosts
:
127.0.0.1
tasks
:
-
name
:
create borg-keys directory
file
:
path="{{ playbook_dir }}/../../borg-keys/" state=directory
file
:
path="{{ playbook_dir }}/../../borg-keys/" state=directory
mode=preserve
-
name
:
fetch borg keys
hosts
:
borg_clients
...
...
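Review bot: `mode=preserve` on a `file` task with `state=directory` has nothing to preserve from: `preserve` is documented for modules that copy a source (copy/template), so on the borg-keys directory it will either leave the mode unset — the very thing E208 flags — or fail, depending on the Ansible version; confirm on a scratch run. Since this directory receives the fetched borg keys, an explicit restrictive mode such as `mode=0700` states the intent and is lint-clean. The same `preserve` is used on the recursive `file` task in roles/arch_boxes/tasks/main.yml, and on `copy` tasks that take `content=` rather than a source file in playbooks/tasks/sync-ssh-hostkeys.yml and roles/hetzner_storagebox/tasks/main.yml, where the mode being preserved appears to be that of the temporary file the module writes, not anything the playbook controls.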
playbooks/tasks/pacman-website.yml
...
...
@@ -14,10 +14,10 @@
get_url
:
url=https://sources.archlinux.org/other/pacman/pacman-{{ pacman_version }}.tar.gz dest={{ tempdir.path }}/pacman.tar.gz
-
name
:
create extraction dir
file
:
path={{ tempdir.path }}/pacman state=directory
file
:
path={{ tempdir.path }}/pacman state=directory
owner=root group=root mode=0755
-
name
:
unpack tarball
unarchive
:
src={{ tempdir.path }}/pacman.tar.gz dest={{ tempdir.path }}/pacman/
unarchive
:
src={{ tempdir.path }}/pacman.tar.gz dest={{ tempdir.path }}/pacman/
owner=root group=root mode=0755
-
name
:
configure
command
:
./configure chdir={{ tempdir.path }}/pacman/pacman-{{ pacman_version }}
...
...
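Review bot: `unarchive` applies `mode` to every entry it extracts, so `mode=0755` on the pacman tarball marks every source file executable; harmless in a build directory, but the same pattern in roles/install_arch/tasks/main.yml uses `mode: 0644` on the bootstrap image, which would strip the execute bit from the chroot's directories and binaries, and because that task is guarded by `creates` the breakage shows up once as an unusable /tmp/root.x86_64 rather than on every run. If the archive's own permissions are what is wanted, drop `mode` on the unarchive tasks and skip the rule for them, or use a symbolic mode such as `mode: 'u=rwX,go=rX'`, which only adds execute on directories and on files that already had it. I am inferring the per-file behaviour from the unarchive module rather than from this hunk, so verify before merging.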
playbooks/tasks/sync-ssh-hostkeys.yml
...
...
@@ -21,26 +21,36 @@
copy
:
dest
:
"
{{
playbook_dir
}}/../../docs/ssh-hostkeys.txt"
content
:
"
{%
for
host
in
query('inventory_hostnames',
'all,!rsync_net,!hetzner_storageboxes,!localhost')
|
sort
%}#
{{
host
}}
\n
{{
hostvars[host].ssh_hostkeys.stdout
}}
\n\n
{%
endfor
%}"
mode
:
preserve
delegate_to
:
localhost
-
name
:
store known_hosts
copy
:
dest
:
"
{{
playbook_dir
}}/../../docs/ssh-known_hosts.txt"
content
:
"
{%
for
host
in
query('inventory_hostnames',
'all,!rsync_net,!hetzner_storageboxes,!localhost')
|
sort
%}#
{{
host
}}
\n
{{
hostvars[host].known_hosts.stdout
}}
\n\n
{%
endfor
%}"
owner
:
root
group
:
root
mode
:
0644
delegate_to
:
localhost
-
name
:
manually append rsync.net host keys
lineinfile
:
path
:
"
{{
playbook_dir
}}/../../docs/ssh-known_hosts.txt"
line
:
"
{%
for
host
in
query('inventory_hostnames',
'rsync_net')
|
sort
%}#
{{
host
}}
\n
{{
hostvars[host].known_host
}}
\n\n
{%
endfor
%}"
owner
:
root
group
:
root
mode
:
0644
delegate_to
:
localhost
-
name
:
manually append Hetzner Storageboxes host keys
lineinfile
:
path
:
"
{{
playbook_dir
}}/../../docs/ssh-known_hosts.txt"
line
:
"
{%
for
host
in
query('inventory_hostnames',
'hetzner_storageboxes')
|
sort
%}#
{{
host
}}
\n
{{
hostvars[host].known_host
}}
\n\n
{%
endfor
%}"
owner
:
root
group
:
root
mode
:
0644
delegate_to
:
localhost
-
name
:
upload known_hosts to all nodes
hosts
:
all,!rsync_net,!hetzner_storageboxes
tasks
:
-
name
:
upload known_hosts
copy
:
dest=/etc/ssh/ssh_known_hosts src="{{ playbook_dir }}/../../docs/ssh-known_hosts.txt"
copy
:
dest=/etc/ssh/ssh_known_hosts src="{{ playbook_dir }}/../../docs/ssh-known_hosts.txt"
owner=root group=root mode=0644
tags
:
[
'
upload-known-hosts'
]
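Review bot: The `owner: root` / `group: root` added to the `copy` and `lineinfile` tasks for docs/ssh-known_hosts.txt run with `delegate_to: localhost`, i.e. against the git checkout on the control host; unless the play runs as root there the chown fails, and if it does, a tracked repository file ends up root-owned. The sibling docs/ssh-hostkeys.txt task in the same hunk gets `mode: preserve` and no owner, so the two generated files are treated differently for no visible reason. For files written into the checkout, `mode: '0644'` alone satisfies E208 and leaves ownership to whoever runs the play. The one target-host write here, the `copy` to /etc/ssh/ssh_known_hosts, is correctly root:root 0644.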
roles/arch_boxes/tasks/main.yml
...
...
@@ -17,17 +17,17 @@
copy
:
src=virtualbox.conf dest=/etc/modules-load.d/virtualbox.conf owner=root group=root mode=0644
-
name
:
adjust permissions of git checkout
file
:
path="{{ archboxes_git_dir }}" state=directory recurse=yes owner="{{ archboxes_user }}" group="{{ archboxes_user }}"
file
:
path="{{ archboxes_git_dir }}" state=directory recurse=yes owner="{{ archboxes_user }}" group="{{ archboxes_user }}"
mode=preserve
-
name
:
ensure controller.py of arch-boxes is executable
file
:
path="{{ archboxes_git_dir }}/controller.py" mode=
'
0744
'
file
:
path="{{ archboxes_git_dir }}/controller.py" mode=0744
owner=root group=root
-
name
:
replace placeholder to vagrantcloud API Key
no_log
:
true
replace
:
path="{{ archboxes_git_dir }}/vagrant.json" regexp='PLACEHOLDER' replace="{{ vault_archboxes_apikey }}"
replace
:
path="{{ archboxes_git_dir }}/vagrant.json" regexp='PLACEHOLDER' replace="{{ vault_archboxes_apikey }}"
owner=root group=root mode=0600
-
name
:
install sudoers file
template
:
src=sudoers.d.j2 dest=/etc/sudoers.d/archboxes
template
:
src=sudoers.d.j2 dest=/etc/sudoers.d/archboxes
owner=root group=root mode=0440
-
name
:
install arch-boxes service
template
:
src='arch-boxes.service.j2' dest='/etc/systemd/system/arch-boxes.service' owner=root group=root mode=0644
...
...
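Review bot: The `replace` task for vagrant.json now forces `owner=root group=root mode=0600`, but the task just above chowns the whole `archboxes_git_dir` checkout to `archboxes_user`, which suggests that account — not root — runs arch-boxes and must read the API key; with root:root 0600 it presumably cannot. Keeping the secret unreadable to others while owned by the service user, `owner="{{ archboxes_user }}" group="{{ archboxes_user }}" mode=0600`, protects the key without breaking its consumer. The `controller.py` task has the same ownership flip to root inside a checkout that is otherwise `archboxes_user`-owned; confirm which account runs the service and the git update before merging.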
roles/archbuild/tasks/main.yml
...
...
@@ -109,4 +109,4 @@
template
:
src=makepkg.conf.j2 dest=/etc/makepkg.conf owner=root group=root mode=0644
-
name
:
install archbuild sudoers config
copy
:
src=sudoers dest=/etc/sudoers.d/archbuild
copy
:
src=sudoers dest=/etc/sudoers.d/archbuild
owner=root group=root mode=0440
roles/archweb/tasks/main.yml
...
...
@@ -16,7 +16,7 @@
user
:
name=archweb shell=/bin/false home="{{ archweb_dir }}" createhome=no
-
name
:
fix home permissions
file
:
state=directory owner=archweb group=archweb path="{{ archweb_dir }}"
file
:
state=directory owner=archweb group=archweb
mode=0750
path="{{ archweb_dir }}"
-
name
:
set archweb groups
user
:
name=archweb groups=uwsgi
...
...
@@ -33,7 +33,7 @@
when
:
archweb_site|bool
-
name
:
make rsync iso dir
file
:
path={{ archweb_rsync_iso_dir }} state=directory owner=archweb group=archweb
file
:
path={{ archweb_rsync_iso_dir }} state=directory owner=archweb group=archweb
mode=0755
when
:
archweb_site|bool
-
name
:
clone archweb repo
...
...
@@ -59,11 +59,11 @@
register
:
virtualenv
-
name
:
create media dir
file
:
state=directory owner=archweb group=archweb path="{{ archweb_dir }}/media"
file
:
state=directory owner=archweb group=archweb
mode=0755
path="{{ archweb_dir }}/media"
when
:
archweb_site|bool
-
name
:
fix home permissions
file
:
state=directory owner=archweb group=archweb path="{{ archweb_dir }}"
file
:
state=directory owner=archweb group=archweb
mode=0750
path="{{ archweb_dir }}"
-
name
:
configure archweb
template
:
src=local_settings.py.j2 dest=/srv/http/archweb/local_settings.py owner=archweb group=archweb mode=0660
...
...
@@ -196,7 +196,7 @@
when
:
archweb_services or archweb_pgp_import
-
name
:
create pacman.d hooks dir
file
:
state=directory owner=root group=root path="/etc/pacman.d/hooks"
file
:
state=directory owner=root group=root
mode=0750
path="/etc/pacman.d/hooks"
when
:
archweb_services or archweb_pgp_import
-
name
:
install pgp_import hook
...
...
@@ -265,7 +265,7 @@
-
name
:
deploy new release
become
:
true
become_user
:
archweb
file
:
path=/etc/uwsgi/vassals/archweb.ini state=touch
file
:
path=/etc/uwsgi/vassals/archweb.ini state=touch
owner=root group=root mode=0600
when
:
archweb_site and (release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)
notify
:
restart archweb memcached
...
...
@@ -320,7 +320,7 @@
when
:
archweb_donor_import|bool
-
name
:
create retro dir
file
:
state=directory owner=archweb group=archweb path="{{ archweb_retro_dir }}"
file
:
state=directory owner=archweb group=archweb
mode=0755
path="{{ archweb_retro_dir }}"
when
:
archweb_site|bool
-
name
:
clone archweb-retro repo
...
...
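Review bot: The `deploy new release` task touches /etc/uwsgi/vassals/archweb.ini under `become_user: archweb` and now also asks for `owner=root group=root mode=0600`; an unprivileged account cannot chown a file to root, so the task will fail at runtime on a path the previous code handled (the touch exists to make the uwsgi emperor reload the vassal). Either run this task without `become_user`, or if the file is meant to stay archweb-writable set `owner=archweb` instead of root, and check that 0600 is still readable by the account the emperor runs as. The same combination appears in roles/aurweb/tasks/main.yml for cgit.ini (`become_user: "{{ aurweb_user }}"` with root:root 0644), while its sibling smartgit.ini task in the next hunk uses `mode=preserve`, so the two vassal touches in that file also disagree with each other.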
roles/archwiki/tasks/main.yml
...
...
@@ -21,7 +21,7 @@
register
:
user_created
-
name
:
fix home permissions
file
:
state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" path="{{ archwiki_dir }}"
file
:
state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}"
mode=0750
path="{{ archwiki_dir }}"
-
name
:
set up nginx
template
:
src=nginx.d.conf.j2 dest="{{ archwiki_nginx_conf }}" owner=root group=root mode=644
...
...
@@ -47,16 +47,16 @@
-
run wiki updatescript
-
name
:
fix home permissions
file
:
state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" path="{{ archwiki_dir }}"
file
:
state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}"
mode=0750
path="{{ archwiki_dir }}"
-
name
:
fix cache permissions
file
:
state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" path="{{ archwiki_dir }}/cache"
file
:
state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}"
mode=0755
path="{{ archwiki_dir }}/cache"
-
name
:
fix sessions permissions
file
:
state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" path="{{ archwiki_dir }}/sessions"
file
:
state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}"
mode=0755
path="{{ archwiki_dir }}/sessions"
-
name
:
fix uploads permissions
file
:
state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" path="{{ archwiki_dir }}/uploads"
file
:
state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}"
mode=0755
path="{{ archwiki_dir }}/uploads"
-
name
:
configure archwiki
template
:
src=LocalSettings.php.j2 dest="{{ archwiki_dir }}/public/LocalSettings.php" owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0640
...
...
@@ -119,7 +119,7 @@
file
:
state=file path="{{ archwiki_question_answer_file }}" owner=root group=root mode=0644
-
name
:
create pacman.d hooks dir
file
:
state=directory owner=root group=root path=/etc/pacman.d/hooks
file
:
state=directory owner=root group=root
mode=0755
path=/etc/pacman.d/hooks
-
name
:
install archwiki question updater hook
template
:
src=archwiki-question-updater.hook.j2 dest=/etc/pacman.d/hooks/archwiki-question-updater.hook owner=root group=root mode=0644
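Review bot: The `create pacman.d hooks dir` task here sets /etc/pacman.d/hooks to `mode=0755`, while the task of the same name in roles/archweb/tasks/main.yml in this commit sets the same directory to `mode=0750`; on any host that receives both roles the mode flips on every run and each play reports a change. Pick one value for the directory across roles — hook files are configuration, not secrets, so 0755 root:root is the less surprising choice — and apply it in both places. Whether the two roles ever share a host is not visible from this hunk.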
roles/aurweb/tasks/main.yml
...
...
@@ -56,7 +56,7 @@
register
:
tubylaws_release
-
name
:
create necessary directories
file
:
path={{ aurweb_dir }}/{{ item }} state=directory owner={{ aurweb_user }} group={{ aurweb_user }}
file
:
path={{ aurweb_dir }}/{{ item }} state=directory owner={{ aurweb_user }} group={{ aurweb_user }}
mode=0755
with_items
:
-
'
aurblup'
-
'
sessions'
...
...
@@ -91,13 +91,13 @@
when
:
release.changed or db_created.changed
-
name
:
create aurweb conf dir
file
:
path={{ aurweb_conf_dir }} state=directory
file
:
path={{ aurweb_conf_dir }} state=directory
owner=root group=root mode=0755
-
name
:
copy aurweb configuration file
copy
:
src={{ aurweb_dir }}/conf/config.defaults dest={{ aurweb_conf_dir }}/config.defaults remote_src=yes
copy
:
src={{ aurweb_dir }}/conf/config.defaults dest={{ aurweb_conf_dir }}/config.defaults remote_src=yes
owner=root group=root mode=0644
-
name
:
install custom aurweb configuration
template
:
src=config.j2 dest={{ aurweb_conf_dir }}/config
template
:
src=config.j2 dest={{ aurweb_conf_dir }}/config
owner=root group=root mode=0644
-
name
:
Install python module
command
:
"
python3
setup.py
install
--install-scripts=/usr/local/bin"
...
...
@@ -126,11 +126,11 @@
when
:
tubylaws_release.changed
-
name
:
Install Trusted User documentation
copy
:
src={{ aurweb_dir }}/tu-bylaws/tu-bylaws.html dest={{ aurweb_dir }}/web/html/trusted-user/tu-bylaws.html remote_src=yes
copy
:
src={{ aurweb_dir }}/tu-bylaws/tu-bylaws.html dest={{ aurweb_dir }}/web/html/trusted-user/tu-bylaws.html remote_src=yes
owner={{ aurweb_user }} group=http mode=0644
when
:
tubylaws_release.changed
-
name
:
Install Trusted User documentation symlink
file
:
src=tu-bylaws.html dest={{ aurweb_dir }}/web/html/trusted-user/TUbylaws.html state=link
file
:
src=tu-bylaws.html dest={{ aurweb_dir }}/web/html/trusted-user/TUbylaws.html state=link
owner={{ aurweb_user }} group=http mode=0644
when
:
tubylaws_release.changed
-
name
:
set up nginx
...
...
@@ -152,7 +152,7 @@
service
:
name=php-fpm@{{ aurweb_user }}.socket state=started enabled=true
-
name
:
install cgit configuration
template
:
src=cgitrc.j2 dest="{{ aurweb_conf_dir }}/cgitrc"
template
:
src=cgitrc.j2 dest="{{ aurweb_conf_dir }}/cgitrc"
owner=root group=root mode=0644
-
name
:
configure cgit uwsgi service
template
:
src=cgit.ini.j2 dest=/etc/uwsgi/vassals/cgit.ini owner={{ aurweb_user }} group=http mode=0644
...
...
@@ -160,7 +160,7 @@
-
name
:
deploy new cgit release
become
:
true
become_user
:
"
{{
aurweb_user
}}"
file
:
path=/etc/uwsgi/vassals/cgit.ini state=touch
file
:
path=/etc/uwsgi/vassals/cgit.ini state=touch
owner=root group=root mode=0644
when
:
cgit.changed
-
name
:
configure smartgit uwsgi service
...
...
@@ -169,7 +169,7 @@
-
name
:
deploy new smartgit release
become
:
true
become_user
:
"
{{
aurweb_user
}}"
file
:
path=/etc/uwsgi/vassals/smartgit.ini state=touch
file
:
path=/etc/uwsgi/vassals/smartgit.ini state=touch
mode=preserve
when
:
git.changed
-
name
:
create git repo dir
...
...
@@ -227,6 +227,9 @@
file
:
src
:
"
{{
aurweb_git_hook
}}"
dest
:
"
{{
aurweb_git_dir
}}/hooks/update"
owner
:
root
group
:
root
mode
:
0755
state
:
link
-
name
:
install AUR systemd service and timers
...
...
roles/borg_client/tasks/main.yml
...
...
@@ -42,7 +42,7 @@
changed_when
:
check_postgres_user.stdout | length >
0
-
name
:
make postgres backup directory
file
:
path={{ postgres_backup_dir }} owner=root group=root state=directory
file
:
path={{ postgres_backup_dir }} owner=root group=root
mode=0755
state=directory
when
:
check_postgres_user is succeeded and postgres_backup_dir is defined
-
name
:
install mysql backup script
...
...
@@ -50,11 +50,11 @@
when
:
mysql_backup_dir is defined
-
name
:
install mysql backup config
template
:
src=backup-my.cnf.j2 dest={{ mysql_backup_defaults }}
template
:
src=backup-my.cnf.j2 dest={{ mysql_backup_defaults }}
owner=root group=root mode=0644
when
:
mysql_backup_defaults is defined
-
name
:
create mysql backup directory
file
:
path={{ mysql_backup_dir }} state=directory owner=root group=root
file
:
path={{ mysql_backup_dir }} state=directory owner=root group=root
mode=0755
when
:
mysql_backup_dir is defined
-
name
:
install gitlab backup script
...
...
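Review bot: `mode=0755` on the postgres and mysql backup directories makes them world-traversable, so the confidentiality of the database dumps rests entirely on the mode the backup scripts (not in this hunk) give each file. Presumably only root and the borg client need to reach these dumps, in which case `mode=0700` on both directories is a safer default that costs nothing; if another account needs read access, a group-readable `0750` with that group is still tighter than 0755. The mysql backup config written as root:root 0644 in the second hunk is fine only if backup-my.cnf.j2 carries no credentials — worth checking, since `.my.cnf`-style files usually do.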
roles/bugbot/tasks/main.yml
...
...
@@ -22,7 +22,7 @@
template
:
src=bugbot.j2 dest=/srv/bugbot/env owner=root group=root mode=0600
-
name
:
install bugbot systemd service
copy
:
src=bugbot.service dest=/etc/systemd/system/bugbot.service
copy
:
src=bugbot.service dest=/etc/systemd/system/bugbot.service
owner=root group=root mode=0644
-
name
:
start and enable bugbot service
systemd
:
name=bugbot.service enabled=yes state=started daemon_reload=yes
roles/common/tasks/main.yml
...
...
@@ -55,7 +55,7 @@
when
:
configure_network
-
name
:
create symlink to resolv.conf
file
:
src=/run/systemd/resolve/stub-resolv.conf dest=/etc/resolv.conf state=link force=yes
file
:
src=/run/systemd/resolve/stub-resolv.conf dest=/etc/resolv.conf state=link force=yes
owner=root group=root mode=0755
when
:
configure_network and not host_has_local_dns_resolver
-
name
:
create resolv.conf
...
...
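Review bot: With `state=link` the `file` module's `follow` defaults to yes, so `owner=root group=root mode=0755` is applied to the link target /run/systemd/resolve/stub-resolv.conf rather than to the symlink; a resolver file has no use for an execute bit, and roles/install_arch/tasks/main.yml gives the same link `mode=0644` in the same commit, so the two should at least agree. The symlink tasks in roles/dbscripts/tasks/main.yml have the same issue with higher stakes: their `owner=root group=root mode=0755` lands on /srv/repos/svn-*/svn and /srv/repos/svn-*/dbscripts, replacing whatever ownership and group-write bits those repository trees currently rely on. Either add `follow=no` to the link tasks so the attributes target the link itself, or drop owner/group/mode from them and leave the target's permissions to the task that creates it.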
roles/conf_archlinux/tasks/main.yml
...
...
@@ -14,10 +14,10 @@
register
:
release
-
name
:
fix home permissions
file
:
state=directory owner={{ conference_user }} group={{ conference_user }} path="{{ conference_dir }}"
file
:
state=directory owner={{ conference_user }} group={{ conference_user }}
mode=0750
path="{{ conference_dir }}"
-
name
:
create static conf.archlinux.org dir
file
:
state=directory owner={{ conference_user }} group={{ conference_user }} path="{{ static_conference_dir }}"
file
:
state=directory owner={{ conference_user }} group={{ conference_user }}
mode=0755
path="{{ static_conference_dir }}"
-
name
:
generate conf.archlinux.org site
command
:
hugo
...
...
roles/dbscripts/tasks/main.yml
...
...
@@ -76,7 +76,7 @@
tags
:
[
"
archusers"
]
-
name
:
create dbscripts paths
file
:
path="{{ item }}" state=directory
file
:
path="{{ item }}" state=directory
owner=root group=root mode=0755
with_items
:
-
/srv/repos/svn-community
-
/srv/repos/svn-packages
...
...
@@ -167,19 +167,19 @@
-
svn-packages
-
name
:
make /srv/svn
file
:
path=/srv/svn state=directory
file
:
path=/srv/svn state=directory
owner=root group=root mode=0755
-
name
:
symlink /srv/svn/community to /srv/repos/svn-community/svn
file
:
path=/srv/svn/community src=/srv/repos/svn-community/svn state=link
file
:
path=/srv/svn/community src=/srv/repos/svn-community/svn state=link
owner=root group=root mode=0755
-
name
:
symlink /srv/svn/packages to /srv/repos/svn-packages/svn
file
:
path=/srv/svn/packages src=/srv/repos/svn-packages/svn state=link
file
:
path=/srv/svn/packages src=/srv/repos/svn-packages/svn state=link
owner=root group=root mode=0755
-
name
:
symlink /community to /srv/repos/svn-community/dbscripts
file
:
path=/community src=/srv/repos/svn-community/dbscripts state=link
file
:
path=/community src=/srv/repos/svn-community/dbscripts state=link
owner=root group=root mode=0755
-
name
:
symlink /packages to /srv/repos/svn-packages/dbscripts
file
:
path=/packages src=/srv/repos/svn-packages/dbscripts state=link
file
:
path=/packages src=/srv/repos/svn-packages/dbscripts state=link
owner=root group=root mode=0755
-
name
:
put rsyncd.conf into tmpfiles
copy
:
src=rsyncd-tmpfiles.d dest=/etc/tmpfiles.d/rsyncd.conf owner=root group=root mode=0644
...
...
@@ -301,7 +301,7 @@
-
firewall
-
name
:
configure svnserve
copy
:
dest=/etc/conf.d/svnserve content="SVNSERVE_ARGS=-R -r /srv/svn\n"
copy
:
dest=/etc/conf.d/svnserve
owner=root group=root mode=0644
content="SVNSERVE_ARGS=-R -r /srv/svn\n"
-
name
:
start and enable svnserve
service
:
name=svnserve enabled=yes state=started
...
...
roles/docker_image/tasks/main.yml
...
...
@@ -12,7 +12,7 @@
git
:
repo="{{ docker_image_git_remote }}" version="{{ docker_image_git_tag }}" dest="{{ docker_image_git_dir }}" force=yes
-
name
:
install sudoers file
template
:
src=sudoers.d.j2 dest=/etc/sudoers.d/docker-image
template
:
src=sudoers.d.j2 dest=/etc/sudoers.d/docker-image
owner=root group=root mode=0440
-
name
:
install docker_image service
template
:
src='docker-image.service.j2' dest='/etc/systemd/system/docker-image.service' owner=root group=root mode=0644
...
...
roles/fluxbb/tasks/main.yml
...
...
@@ -11,15 +11,11 @@
version
:
"
{{
fluxbb_version
}}"
-
name
:
fix home permissions
file
:
>
state=directory owner=fluxbb group=fluxbb recurse=yes
path="{{ fluxbb_dir }}"
file
:
state=directory owner=fluxbb group=fluxbb mode=0750 recurse=yes path="{{ fluxbb_dir }}"
changed_when
:
False
-
name
:
create uploads directory
file
:
>
state=directory owner=fluxbb group=fluxbb
path="{{ fluxbb_dir }}/uploads"
file
:
state=directory owner=fluxbb group=fluxbb mode=0755 path="{{ fluxbb_dir }}/uploads"
-
name
:
create mariadb database
mysql_db
:
name=fluxbb state=present
...
...
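Review bot: `mode=0750 recurse=yes` applies the same bits to every file under `fluxbb_dir`, so all regular files become group-executable and lose other-read, and the pre-existing `changed_when: False` hides the resulting churn; the previous version of this task recursed owner/group only. If a recursive mode is wanted, a symbolic one keeps files and directories distinct: `mode="u=rwX,g=rX,o="` sets execute only on directories and on files that already had it. The uploads directory in the same hunk is 0755 while its parent is 0750, which is fine only if `fluxbb` is the account the web server runs as; that is not visible here.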
roles/flyspray/tasks/main.yml
...
...
@@ -17,7 +17,7 @@
register
:
user_created
-
name
:
fix home permissions
file
:
state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}"
file
:
state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}"
mode=0750
-
name
:
set up nginx
template
:
src=nginx.d.conf.j2 dest="{{ flyspray_nginx_conf }}" owner=root group=root mode=644
...
...
@@ -43,7 +43,7 @@
register
:
release
-
name
:
fix home permissions
file
:
state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}"
file
:
state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}"
mode=0755
-
name
:
take away setup dir write permissions
file
:
state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}/setup" mode=000
...
...
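Review bot: The two `fix home permissions` tasks in this file now disagree: the one in the first hunk sets `flyspray_dir` to `mode=0750` and the one in the second hunk sets it to `mode=0755`, so each run toggles the directory twice and the looser 0755 is what remains. roles/archweb and roles/archwiki use 0750 for both copies of the equivalent task; unless the web server needs to traverse `flyspray_dir` as "other", make the second one `mode=0750` as well, or drop one of the duplicate tasks.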
roles/gitlab_runner/tasks/main.yml
...
...
@@ -33,6 +33,9 @@
-
name
:
increase concurrency
lineinfile
:
path
:
/etc/gitlab-runner/config.toml
owner
:
root
group
:
root
mode
:
0640
regexp
:
'
^concurrent
=
.*'
line
:
concurrent =
100
notify
:
restart gitlab-runner
...
...
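Review bot: `mode: 0640` in block form is an unquoted octal literal; PyYAML (YAML 1.1) reads it as the integer 416, which Ansible then applies as 0640, but a YAML 1.2 parser reads it as decimal 640, so the file's meaning depends on the parser's octal rules. Quoting it, `mode: '0640'`, hands Ansible a string and it does the conversion itself. The same unquoted form is used in the block-style tasks of playbooks/tasks/sync-ssh-hostkeys.yml, roles/aurweb/tasks/main.yml and roles/install_arch/tasks/main.yml; the key=value tasks elsewhere in the commit are unaffected because their values are already strings.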
roles/hardening/tasks/main.yml
---
-
name
:
set restricted access to kernel logs
copy
:
src=50-dmesg-restrict.conf dest=/etc/sysctl.d/50-dmesg-restrict.conf
copy
:
src=50-dmesg-restrict.conf dest=/etc/sysctl.d/50-dmesg-restrict.conf
owner=root group=root mode=0644
notify
:
-
apply sysctl settings
-
name
:
set ptrace scope, restrict ptrace to CAP_SYS_PTRACE
copy
:
src=50-ptrace-restrict.conf dest=/etc/sysctl.d/50-ptrace-restrict.conf
copy
:
src=50-ptrace-restrict.conf dest=/etc/sysctl.d/50-ptrace-restrict.conf
owner=root group=root mode=0644
notify
:
-
apply sysctl settings
-
name
:
set restricted access to kernel pointers in proc fs
copy
:
src=50-kptr-restrict.conf dest=/etc/sysctl.d/50-kptr-restrict.conf
copy
:
src=50-kptr-restrict.conf dest=/etc/sysctl.d/50-kptr-restrict.conf
owner=root group=root mode=0644
notify
:
-
apply sysctl settings
-
name
:
set kernel lockdown to restricted
copy
:
src=50-lockdown.conf dest=/etc/tmpfiles.d/50-kernel-lockdown.conf
copy
:
src=50-lockdown.conf dest=/etc/tmpfiles.d/50-kernel-lockdown.conf
owner=root group=root mode=0644
when
:
"
'hcloud'
in
group_names"
notify
:
-
apply sysctl settings
roles/hetzner_storagebox/tasks/main.yml
...
...
@@ -23,7 +23,7 @@
delegate_to
:
localhost
-
name
:
fill tempfile
copy
:
content="{{ lookup('template', 'authorized_keys.j2') }}" dest="{{ tempfile.path }}"
copy
:
content="{{ lookup('template', 'authorized_keys.j2') }}" dest="{{ tempfile.path }}"
mode=preserve
delegate_to
:
localhost
-
name
:
upload authorized_keys file
...
...
roles/install_arch/tasks/main.yml
...
...
@@ -40,7 +40,7 @@
when
:
filesystem == "btrfs"
-
name
:
touch LOCK file on mountpoint
file
:
path=/mnt/LOCK state=touch
file
:
path=/mnt/LOCK state=touch
owner=root group=root mode=0644
-
name
:
download bootstrap image
get_url
:
...
...
@@ -51,11 +51,14 @@
unarchive
:
src
:
/tmp/archlinux-bootstrap-{{ bootstrap_version }}-x86_64.tar.gz
dest
:
/tmp
owner
:
root
group
:
root
mode
:
0644
remote_src
:
yes
creates
:
/tmp/root.x86_64
-
name
:
copy resolv.conf to bootstrap chroot
copy
:
remote_src=True src=/etc/resolv.conf dest=/tmp/root.x86_64/etc/resolv.conf
copy
:
remote_src=True src=/etc/resolv.conf dest=/tmp/root.x86_64/etc/resolv.conf
owner=root group=root mode=0644
-
name
:
mount /proc to bootstrap chroot
mount
:
...
...
@@ -147,7 +150,7 @@
fstab
:
/dev/dummyfstab
-
name
:
configure locale.gen
lineinfile
:
dest=/mnt/etc/locale.gen line="en_US.UTF-8 UTF-8"
lineinfile
:
dest=/mnt/etc/locale.gen line="en_US.UTF-8 UTF-8"
owner=root group=root mode=0644
-
name
:
run locale-gen inside chroot
command
:
chroot /mnt locale-gen
...
...
@@ -189,6 +192,9 @@
-
name
:
provide default mount options (btrfs)
lineinfile
:
path
:
/mnt/etc/default/grub
owner
:
root
group
:
root
mode
:
0644
regexp
:
"
^GRUB_CMDLINE_LINUX_DEFAULT="
line
:
"
GRUB_CMDLINE_LINUX_DEFAULT=
\"
rootflags=compress-force=zstd
\"
"
when
:
filesystem == "btrfs"
...
...
@@ -225,7 +231,7 @@
template
:
src=sshd_config.j2 dest=/mnt/etc/ssh/sshd_config owner=root group=root mode=0644
-
name
:
create symlink to resolv.conf
file
:
src=/run/systemd/resolve/stub-resolv.conf dest=/mnt/etc/resolv.conf state=link force=yes
file
:
src=/run/systemd/resolve/stub-resolv.conf dest=/mnt/etc/resolv.conf state=link force=yes
owner=root group=root mode=0644
-
name
:
clean pacman cache
command
:
chroot /mnt pacman -Scc --noconfirm
...
...