initial commit
parent
388fa9174f
commit
c997368470
17
README.md
17
README.md
|
@ -1,3 +1,16 @@
|
|||
# base
|
||||
# Basic role
|
||||
|
||||
Simple role to deploy some basics
|
||||
This role sets up defaults we use across all newly created containers. It preconfigures various things as well as install few basic packages etc.
|
||||
|
||||
example playbook:
|
||||
|
||||
```
|
||||
---
|
||||
|
||||
- hosts: all
|
||||
roles:
|
||||
- base
|
||||
|
||||
```
|
||||
|
||||
All configurable variables reside in `defaults/main.yml`. If you wish to modify them per host, add them to your `/etc/ansible/host_vars/yourhostname.yml` of for group of hosts in `/etc/ansible/group_vars/yourgroup/main.yml` etc.
|
||||
|
|
|
@ -0,0 +1,48 @@
|
|||
---
|
||||
base_extra_path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt'
|
||||
ssh_permit_root: 'yes'
|
||||
ssh_port: '22'
|
||||
ssh_agent_forwarding: 'no'
|
||||
ssh_authkey_file: '/etc/ssh/authorized_keys/%u'
|
||||
bash_prompt_color: 'Green'
|
||||
deploy_hosts_file: 'false'
|
||||
base_apt_list:
|
||||
- htop
|
||||
- vim
|
||||
- file
|
||||
- cron
|
||||
- mc
|
||||
- git
|
||||
- ca-certificates
|
||||
- apt-transport-https
|
||||
- sudo
|
||||
- rsync
|
||||
- dialog
|
||||
- systemd
|
||||
- systemd-sysv
|
||||
- dirmngr
|
||||
base_ssh_authkey:
|
||||
- user: 'user1'
|
||||
key: 'key1 - user1'
|
||||
- user: 'user2'
|
||||
key: 'key2 - user2'
|
||||
base_ssh_user_config:
|
||||
- config_path: '/root/.ssh/config'
|
||||
setting: 'Host example.com'
|
||||
options:
|
||||
- 'IdentityFile ~/.ssh/key'
|
||||
- 'User user'
|
||||
base_journald_conf: 'true'
|
||||
base_journald_items:
|
||||
- name: 'SystemMaxUse'
|
||||
value: '100M'
|
||||
- name: 'Compress'
|
||||
value: 'yes'
|
||||
#shouter
|
||||
base_shouter_jid: 'user@example.org'
|
||||
base_shouter_server: 'example.org'
|
||||
base_shouter_resource: 'my bot'
|
||||
base_shouter_pwd: 'changeme'
|
||||
base_shouter_muc: 'my_room@chat.example.org'
|
||||
#dialogrc
|
||||
base_dialogrc: 'false'
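Review bot: Two defaults here weaken every host that takes the role unmodified: `ssh_permit_root: 'yes'` and `base_shouter_pwd: 'changeme'`. The first presumably feeds PermitRootLogin in the sshd_config template (that line is not visible on this page), so root login stays on unless someone overrides it; `ssh_permit_root: 'prohibit-password'` would keep key-based root access while refusing passwords. The shouter password is better left out of defaults and supplied per host from a vault, so a forgotten override fails loudly instead of deploying a known credential. Separately, `base_dialogrc: 'false'` and `deploy_hosts_file: 'false'` are strings while the dialogrc task compares against boolean `true`; plain YAML booleans would make those conditions behave as written.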
|
|
@ -0,0 +1 @@
|
|||
Acquire::ForceIPv4 "true";
|
|
@ -0,0 +1,118 @@
|
|||
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt"
|
||||
|
||||
genpasswd() {
|
||||
local l=$1
|
||||
[ "$l" == "" ] && l=16
|
||||
tr -dc 'a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?=' < /dev/urandom | head -c ${l} | xargs
|
||||
}
|
||||
|
||||
source /usr/share/git/completion/git-prompt.sh
|
||||
|
||||
HOSTNAME=`/bin/hostname -A`
|
||||
# Customize BASH PS1 prompt to show current GIT repository and branch.
|
||||
# by Mike Stewart - http://MediaDoneRight.com
|
||||
|
||||
# SETUP CONSTANTS
|
||||
# Bunch-o-predefined colors. Makes reading code easier than escape sequences.
|
||||
# I don't remember where I found this. o_O
|
||||
# Reset
|
||||
Color_Off="\[\033[0m\]" # Text Reset
|
||||
|
||||
# Regular Colors
|
||||
Black="\[\033[0;30m\]" # Black
|
||||
Red="\[\033[0;31m\]" # Red
|
||||
Green="\[\033[0;32m\]" # Green
|
||||
Yellow="\[\033[0;33m\]" # Yellow
|
||||
Blue="\[\033[0;34m\]" # Blue
|
||||
Purple="\[\033[0;35m\]" # Purple
|
||||
Cyan="\[\033[0;36m\]" # Cyan
|
||||
White="\[\033[0;37m\]" # White
|
||||
|
||||
# Bold
|
||||
BBlack="\[\033[1;30m\]" # Black
|
||||
BRed="\[\033[1;31m\]" # Red
|
||||
BGreen="\[\033[1;32m\]" # Green
|
||||
BYellow="\[\033[1;33m\]" # Yellow
|
||||
BBlue="\[\033[1;34m\]" # Blue
|
||||
BPurple="\[\033[1;35m\]" # Purple
|
||||
BCyan="\[\033[1;36m\]" # Cyan
|
||||
BWhite="\[\033[1;37m\]" # White
|
||||
|
||||
# Underline
|
||||
UBlack="\[\033[4;30m\]" # Black
|
||||
URed="\[\033[4;31m\]" # Red
|
||||
UGreen="\[\033[4;32m\]" # Green
|
||||
UYellow="\[\033[4;33m\]" # Yellow
|
||||
UBlue="\[\033[4;34m\]" # Blue
|
||||
UPurple="\[\033[4;35m\]" # Purple
|
||||
UCyan="\[\033[4;36m\]" # Cyan
|
||||
UWhite="\[\033[4;37m\]" # White
|
||||
|
||||
# Background
|
||||
On_Black="\[\033[40m\]" # Black
|
||||
On_Red="\[\033[41m\]" # Red
|
||||
On_Green="\[\033[42m\]" # Green
|
||||
On_Yellow="\[\033[43m\]" # Yellow
|
||||
On_Blue="\[\033[44m\]" # Blue
|
||||
On_Purple="\[\033[45m\]" # Purple
|
||||
On_Cyan="\[\033[46m\]" # Cyan
|
||||
On_White="\[\033[47m\]" # White
|
||||
|
||||
# High Intensty
|
||||
IBlack="\[\033[0;90m\]" # Black
|
||||
IRed="\[\033[0;91m\]" # Red
|
||||
IGreen="\[\033[0;92m\]" # Green
|
||||
IYellow="\[\033[0;93m\]" # Yellow
|
||||
IBlue="\[\033[0;94m\]" # Blue
|
||||
IPurple="\[\033[0;95m\]" # Purple
|
||||
ICyan="\[\033[0;96m\]" # Cyan
|
||||
IWhite="\[\033[0;97m\]" # White
|
||||
|
||||
# Bold High Intensty
|
||||
BIBlack="\[\033[1;90m\]" # Black
|
||||
BIRed="\[\033[1;91m\]" # Red
|
||||
BIGreen="\[\033[1;92m\]" # Green
|
||||
BIYellow="\[\033[1;93m\]" # Yellow
|
||||
BIBlue="\[\033[1;94m\]" # Blue
|
||||
BIPurple="\[\033[1;95m\]" # Purple
|
||||
BICyan="\[\033[1;96m\]" # Cyan
|
||||
BIWhite="\[\033[1;97m\]" # White
|
||||
|
||||
# High Intensty backgrounds
|
||||
On_IBlack="\[\033[0;100m\]" # Black
|
||||
On_IRed="\[\033[0;101m\]" # Red
|
||||
On_IGreen="\[\033[0;102m\]" # Green
|
||||
On_IYellow="\[\033[0;103m\]" # Yellow
|
||||
On_IBlue="\[\033[0;104m\]" # Blue
|
||||
On_IPurple="\[\033[10;95m\]" # Purple
|
||||
On_ICyan="\[\033[0;106m\]" # Cyan
|
||||
On_IWhite="\[\033[0;107m\]" # White
|
||||
|
||||
# Various variables you might want for your PS1 prompt instead
|
||||
Time12h="\T"
|
||||
Time12a="\@"
|
||||
PathShort="\w"
|
||||
PathFull="\W"
|
||||
NewLine="\n"
|
||||
Jobs="\j"
|
||||
|
||||
# This PS1 snippet was adopted from code for MAC/BSD I saw from: http://allancraig.net/index.php? option=com_content&view=article&id=108:ps1-export-command-for-git&catid=45:general&Itemid=96
|
||||
# I tweaked it to work on UBUNTU 11.04 & 11.10 plus made it mo' better
|
||||
|
||||
export PS1=$Color_Off'<'$__COLOR__$HOSTNAME$Color_Off'>'$IBlack$Color_Off'$(git branch &>/dev/null;\
|
||||
if [ $? -eq 0 ]; then \
|
||||
echo "$(echo `git status` | grep "nothing to commit" > /dev/null 2>&1; \
|
||||
if [ "$?" -eq "0" ]; then \
|
||||
# @4 - Clean repository - nothing to commit
|
||||
echo "'$Green'"$(__git_ps1 " (%s)"); \
|
||||
else \
|
||||
# @5 - Changes to working tree
|
||||
echo "'$IRed'"$(__git_ps1 " {%s}"); \
|
||||
fi) '$BYellow$PathShort$Color_Off'\$ "; \
|
||||
else \
|
||||
# @2 - Prompt when not in GIT repo
|
||||
echo " '$Yellow$PathShort$Color_Off'\$ "; \
|
||||
fi)'
|
||||
|
||||
|
||||
[ -f ~/.fzf.bash ] && source ~/.fzf.bash
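Review bot: The `HOSTNAME=` assignment from `/bin/hostname -A` runs a reverse lookup for every configured address at each shell start, and the result is pasted into PS1, which bash expands again on every prompt. That can stall logins when DNS is unreachable, prints several names with a trailing space, and puts resolver-supplied text into a string the shell evaluates. Using the prompt escape `'\H'` in place of `$HOSTNAME` in the PS1 line, and dropping the assignment, gives the host name without any of that. The unguarded `source /usr/share/git/completion/git-prompt.sh` would also be safer with the same `[ -f ... ] &&` guard the fzf line uses, since this file is read by every interactive shell.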
|
|
@ -0,0 +1,531 @@
|
|||
# bash/zsh git prompt support
|
||||
#
|
||||
# Copyright (C) 2006,2007 Shawn O. Pearce <spearce@spearce.org>
|
||||
# Distributed under the GNU General Public License, version 2.0.
|
||||
#
|
||||
# This script allows you to see repository status in your prompt.
|
||||
#
|
||||
# To enable:
|
||||
#
|
||||
# 1) Copy this file to somewhere (e.g. ~/.git-prompt.sh).
|
||||
# 2) Add the following line to your .bashrc/.zshrc:
|
||||
# source ~/.git-prompt.sh
|
||||
# 3a) Change your PS1 to call __git_ps1 as
|
||||
# command-substitution:
|
||||
# Bash: PS1='[\u@\h \W$(__git_ps1 " (%s)")]\$ '
|
||||
# ZSH: setopt PROMPT_SUBST ; PS1='[%n@%m %c$(__git_ps1 " (%s)")]\$ '
|
||||
# the optional argument will be used as format string.
|
||||
# 3b) Alternatively, for a slightly faster prompt, __git_ps1 can
|
||||
# be used for PROMPT_COMMAND in Bash or for precmd() in Zsh
|
||||
# with two parameters, <pre> and <post>, which are strings
|
||||
# you would put in $PS1 before and after the status string
|
||||
# generated by the git-prompt machinery. e.g.
|
||||
# Bash: PROMPT_COMMAND='__git_ps1 "\u@\h:\w" "\\\$ "'
|
||||
# will show username, at-sign, host, colon, cwd, then
|
||||
# various status string, followed by dollar and SP, as
|
||||
# your prompt.
|
||||
# ZSH: precmd () { __git_ps1 "%n" ":%~$ " "|%s" }
|
||||
# will show username, pipe, then various status string,
|
||||
# followed by colon, cwd, dollar and SP, as your prompt.
|
||||
# Optionally, you can supply a third argument with a printf
|
||||
# format string to finetune the output of the branch status
|
||||
#
|
||||
# The repository status will be displayed only if you are currently in a
|
||||
# git repository. The %s token is the placeholder for the shown status.
|
||||
#
|
||||
# The prompt status always includes the current branch name.
|
||||
#
|
||||
# In addition, if you set GIT_PS1_SHOWDIRTYSTATE to a nonempty value,
|
||||
# unstaged (*) and staged (+) changes will be shown next to the branch
|
||||
# name. You can configure this per-repository with the
|
||||
# bash.showDirtyState variable, which defaults to true once
|
||||
# GIT_PS1_SHOWDIRTYSTATE is enabled.
|
||||
#
|
||||
# You can also see if currently something is stashed, by setting
|
||||
# GIT_PS1_SHOWSTASHSTATE to a nonempty value. If something is stashed,
|
||||
# then a '$' will be shown next to the branch name.
|
||||
#
|
||||
# If you would like to see if there're untracked files, then you can set
|
||||
# GIT_PS1_SHOWUNTRACKEDFILES to a nonempty value. If there're untracked
|
||||
# files, then a '%' will be shown next to the branch name. You can
|
||||
# configure this per-repository with the bash.showUntrackedFiles
|
||||
# variable, which defaults to true once GIT_PS1_SHOWUNTRACKEDFILES is
|
||||
# enabled.
|
||||
#
|
||||
# If you would like to see the difference between HEAD and its upstream,
|
||||
# set GIT_PS1_SHOWUPSTREAM="auto". A "<" indicates you are behind, ">"
|
||||
# indicates you are ahead, "<>" indicates you have diverged and "="
|
||||
# indicates that there is no difference. You can further control
|
||||
# behaviour by setting GIT_PS1_SHOWUPSTREAM to a space-separated list
|
||||
# of values:
|
||||
#
|
||||
# verbose show number of commits ahead/behind (+/-) upstream
|
||||
# name if verbose, then also show the upstream abbrev name
|
||||
# legacy don't use the '--count' option available in recent
|
||||
# versions of git-rev-list
|
||||
# git always compare HEAD to @{upstream}
|
||||
# svn always compare HEAD to your SVN upstream
|
||||
#
|
||||
# You can change the separator between the branch name and the above
|
||||
# state symbols by setting GIT_PS1_STATESEPARATOR. The default separator
|
||||
# is SP.
|
||||
#
|
||||
# By default, __git_ps1 will compare HEAD to your SVN upstream if it can
|
||||
# find one, or @{upstream} otherwise. Once you have set
|
||||
# GIT_PS1_SHOWUPSTREAM, you can override it on a per-repository basis by
|
||||
# setting the bash.showUpstream config variable.
|
||||
#
|
||||
# If you would like to see more information about the identity of
|
||||
# commits checked out as a detached HEAD, set GIT_PS1_DESCRIBE_STYLE
|
||||
# to one of these values:
|
||||
#
|
||||
# contains relative to newer annotated tag (v1.6.3.2~35)
|
||||
# branch relative to newer tag or branch (master~4)
|
||||
# describe relative to older annotated tag (v1.6.3.1-13-gdd42c2f)
|
||||
# default exactly matching tag
|
||||
#
|
||||
# If you would like a colored hint about the current dirty state, set
|
||||
# GIT_PS1_SHOWCOLORHINTS to a nonempty value. The colors are based on
|
||||
# the colored output of "git status -sb" and are available only when
|
||||
# using __git_ps1 for PROMPT_COMMAND or precmd.
|
||||
#
|
||||
# If you would like __git_ps1 to do nothing in the case when the current
|
||||
# directory is set up to be ignored by git, then set
|
||||
# GIT_PS1_HIDE_IF_PWD_IGNORED to a nonempty value. Override this on the
|
||||
# repository level by setting bash.hideIfPwdIgnored to "false".
|
||||
|
||||
# check whether printf supports -v
|
||||
__git_printf_supports_v=
|
||||
printf -v __git_printf_supports_v -- '%s' yes >/dev/null 2>&1
|
||||
|
||||
# stores the divergence from upstream in $p
|
||||
# used by GIT_PS1_SHOWUPSTREAM
|
||||
__git_ps1_show_upstream ()
|
||||
{
|
||||
local key value
|
||||
local svn_remote svn_url_pattern count n
|
||||
local upstream=git legacy="" verbose="" name=""
|
||||
|
||||
svn_remote=()
|
||||
# get some config options from git-config
|
||||
local output="$(git config -z --get-regexp '^(svn-remote\..*\.url|bash\.showupstream)$' 2>/dev/null | tr '\0\n' '\n ')"
|
||||
while read -r key value; do
|
||||
case "$key" in
|
||||
bash.showupstream)
|
||||
GIT_PS1_SHOWUPSTREAM="$value"
|
||||
if [[ -z "${GIT_PS1_SHOWUPSTREAM}" ]]; then
|
||||
p=""
|
||||
return
|
||||
fi
|
||||
;;
|
||||
svn-remote.*.url)
|
||||
svn_remote[$((${#svn_remote[@]} + 1))]="$value"
|
||||
svn_url_pattern="$svn_url_pattern\\|$value"
|
||||
upstream=svn+git # default upstream is SVN if available, else git
|
||||
;;
|
||||
esac
|
||||
done <<< "$output"
|
||||
|
||||
# parse configuration values
|
||||
for option in ${GIT_PS1_SHOWUPSTREAM}; do
|
||||
case "$option" in
|
||||
git|svn) upstream="$option" ;;
|
||||
verbose) verbose=1 ;;
|
||||
legacy) legacy=1 ;;
|
||||
name) name=1 ;;
|
||||
esac
|
||||
done
|
||||
|
||||
# Find our upstream
|
||||
case "$upstream" in
|
||||
git) upstream="@{upstream}" ;;
|
||||
svn*)
|
||||
# get the upstream from the "git-svn-id: ..." in a commit message
|
||||
# (git-svn uses essentially the same procedure internally)
|
||||
local -a svn_upstream
|
||||
svn_upstream=($(git log --first-parent -1 \
|
||||
--grep="^git-svn-id: \(${svn_url_pattern#??}\)" 2>/dev/null))
|
||||
if [[ 0 -ne ${#svn_upstream[@]} ]]; then
|
||||
svn_upstream=${svn_upstream[${#svn_upstream[@]} - 2]}
|
||||
svn_upstream=${svn_upstream%@*}
|
||||
local n_stop="${#svn_remote[@]}"
|
||||
for ((n=1; n <= n_stop; n++)); do
|
||||
svn_upstream=${svn_upstream#${svn_remote[$n]}}
|
||||
done
|
||||
|
||||
if [[ -z "$svn_upstream" ]]; then
|
||||
# default branch name for checkouts with no layout:
|
||||
upstream=${GIT_SVN_ID:-git-svn}
|
||||
else
|
||||
upstream=${svn_upstream#/}
|
||||
fi
|
||||
elif [[ "svn+git" = "$upstream" ]]; then
|
||||
upstream="@{upstream}"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
# Find how many commits we are ahead/behind our upstream
|
||||
if [[ -z "$legacy" ]]; then
|
||||
count="$(git rev-list --count --left-right \
|
||||
"$upstream"...HEAD 2>/dev/null)"
|
||||
else
|
||||
# produce equivalent output to --count for older versions of git
|
||||
local commits
|
||||
if commits="$(git rev-list --left-right "$upstream"...HEAD 2>/dev/null)"
|
||||
then
|
||||
local commit behind=0 ahead=0
|
||||
for commit in $commits
|
||||
do
|
||||
case "$commit" in
|
||||
"<"*) ((behind++)) ;;
|
||||
*) ((ahead++)) ;;
|
||||
esac
|
||||
done
|
||||
count="$behind $ahead"
|
||||
else
|
||||
count=""
|
||||
fi
|
||||
fi
|
||||
|
||||
# calculate the result
|
||||
if [[ -z "$verbose" ]]; then
|
||||
case "$count" in
|
||||
"") # no upstream
|
||||
p="" ;;
|
||||
"0 0") # equal to upstream
|
||||
p="=" ;;
|
||||
"0 "*) # ahead of upstream
|
||||
p=">" ;;
|
||||
*" 0") # behind upstream
|
||||
p="<" ;;
|
||||
*) # diverged from upstream
|
||||
p="<>" ;;
|
||||
esac
|
||||
else
|
||||
case "$count" in
|
||||
"") # no upstream
|
||||
p="" ;;
|
||||
"0 0") # equal to upstream
|
||||
p=" u=" ;;
|
||||
"0 "*) # ahead of upstream
|
||||
p=" u+${count#0 }" ;;
|
||||
*" 0") # behind upstream
|
||||
p=" u-${count% 0}" ;;
|
||||
*) # diverged from upstream
|
||||
p=" u+${count#* }-${count% *}" ;;
|
||||
esac
|
||||
if [[ -n "$count" && -n "$name" ]]; then
|
||||
__git_ps1_upstream_name=$(git rev-parse \
|
||||
--abbrev-ref "$upstream" 2>/dev/null)
|
||||
if [ $pcmode = yes ] && [ $ps1_expanded = yes ]; then
|
||||
p="$p \${__git_ps1_upstream_name}"
|
||||
else
|
||||
p="$p ${__git_ps1_upstream_name}"
|
||||
# not needed anymore; keep user's
|
||||
# environment clean
|
||||
unset __git_ps1_upstream_name
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
# Helper function that is meant to be called from __git_ps1. It
|
||||
# injects color codes into the appropriate gitstring variables used
|
||||
# to build a gitstring.
|
||||
__git_ps1_colorize_gitstring ()
|
||||
{
|
||||
if [[ -n ${ZSH_VERSION-} ]]; then
|
||||
local c_red='%F{red}'
|
||||
local c_green='%F{green}'
|
||||
local c_lblue='%F{blue}'
|
||||
local c_clear='%f'
|
||||
else
|
||||
# Using \[ and \] around colors is necessary to prevent
|
||||
# issues with command line editing/browsing/completion!
|
||||
local c_red='\[\e[31m\]'
|
||||
local c_green='\[\e[32m\]'
|
||||
local c_lblue='\[\e[1;34m\]'
|
||||
local c_clear='\[\e[0m\]'
|
||||
fi
|
||||
local bad_color=$c_red
|
||||
local ok_color=$c_green
|
||||
local flags_color="$c_lblue"
|
||||
|
||||
local branch_color=""
|
||||
if [ $detached = no ]; then
|
||||
branch_color="$ok_color"
|
||||
else
|
||||
branch_color="$bad_color"
|
||||
fi
|
||||
c="$branch_color$c"
|
||||
|
||||
z="$c_clear$z"
|
||||
if [ "$w" = "*" ]; then
|
||||
w="$bad_color$w"
|
||||
fi
|
||||
if [ -n "$i" ]; then
|
||||
i="$ok_color$i"
|
||||
fi
|
||||
if [ -n "$s" ]; then
|
||||
s="$flags_color$s"
|
||||
fi
|
||||
if [ -n "$u" ]; then
|
||||
u="$bad_color$u"
|
||||
fi
|
||||
r="$c_clear$r"
|
||||
}
|
||||
|
||||
__git_eread ()
|
||||
{
|
||||
local f="$1"
|
||||
shift
|
||||
test -r "$f" && read "$@" <"$f"
|
||||
}
|
||||
|
||||
# __git_ps1 accepts 0 or 1 arguments (i.e., format string)
|
||||
# when called from PS1 using command substitution
|
||||
# in this mode it prints text to add to bash PS1 prompt (includes branch name)
|
||||
#
|
||||
# __git_ps1 requires 2 or 3 arguments when called from PROMPT_COMMAND (pc)
|
||||
# in that case it _sets_ PS1. The arguments are parts of a PS1 string.
|
||||
# when two arguments are given, the first is prepended and the second appended
|
||||
# to the state string when assigned to PS1.
|
||||
# The optional third parameter will be used as printf format string to further
|
||||
# customize the output of the git-status string.
|
||||
# In this mode you can request colored hints using GIT_PS1_SHOWCOLORHINTS=true
|
||||
__git_ps1 ()
|
||||
{
|
||||
# preserve exit status
|
||||
local exit=$?
|
||||
local pcmode=no
|
||||
local detached=no
|
||||
local ps1pc_start='\u@\h:\w '
|
||||
local ps1pc_end='\$ '
|
||||
local printf_format=' (%s)'
|
||||
|
||||
case "$#" in
|
||||
2|3) pcmode=yes
|
||||
ps1pc_start="$1"
|
||||
ps1pc_end="$2"
|
||||
printf_format="${3:-$printf_format}"
|
||||
# set PS1 to a plain prompt so that we can
|
||||
# simply return early if the prompt should not
|
||||
# be decorated
|
||||
PS1="$ps1pc_start$ps1pc_end"
|
||||
;;
|
||||
0|1) printf_format="${1:-$printf_format}"
|
||||
;;
|
||||
*) return $exit
|
||||
;;
|
||||
esac
|
||||
|
||||
# ps1_expanded: This variable is set to 'yes' if the shell
|
||||
# subjects the value of PS1 to parameter expansion:
|
||||
#
|
||||
# * bash does unless the promptvars option is disabled
|
||||
# * zsh does not unless the PROMPT_SUBST option is set
|
||||
# * POSIX shells always do
|
||||
#
|
||||
# If the shell would expand the contents of PS1 when drawing
|
||||
# the prompt, a raw ref name must not be included in PS1.
|
||||
# This protects the user from arbitrary code execution via
|
||||
# specially crafted ref names. For example, a ref named
|
||||
# 'refs/heads/$(IFS=_;cmd=sudo_rm_-rf_/;$cmd)' might cause the
|
||||
# shell to execute 'sudo rm -rf /' when the prompt is drawn.
|
||||
#
|
||||
# Instead, the ref name should be placed in a separate global
|
||||
# variable (in the __git_ps1_* namespace to avoid colliding
|
||||
# with the user's environment) and that variable should be
|
||||
# referenced from PS1. For example:
|
||||
#
|
||||
# __git_ps1_foo=$(do_something_to_get_ref_name)
|
||||
# PS1="...stuff...\${__git_ps1_foo}...stuff..."
|
||||
#
|
||||
# If the shell does not expand the contents of PS1, the raw
|
||||
# ref name must be included in PS1.
|
||||
#
|
||||
# The value of this variable is only relevant when in pcmode.
|
||||
#
|
||||
# Assume that the shell follows the POSIX specification and
|
||||
# expands PS1 unless determined otherwise. (This is more
|
||||
# likely to be correct if the user has a non-bash, non-zsh
|
||||
# shell and safer than the alternative if the assumption is
|
||||
# incorrect.)
|
||||
#
|
||||
local ps1_expanded=yes
|
||||
[ -z "$ZSH_VERSION" ] || [[ -o PROMPT_SUBST ]] || ps1_expanded=no
|
||||
[ -z "$BASH_VERSION" ] || shopt -q promptvars || ps1_expanded=no
|
||||
|
||||
local repo_info rev_parse_exit_code
|
||||
repo_info="$(git rev-parse --git-dir --is-inside-git-dir \
|
||||
--is-bare-repository --is-inside-work-tree \
|
||||
--short HEAD 2>/dev/null)"
|
||||
rev_parse_exit_code="$?"
|
||||
|
||||
if [ -z "$repo_info" ]; then
|
||||
return $exit
|
||||
fi
|
||||
|
||||
local short_sha
|
||||
if [ "$rev_parse_exit_code" = "0" ]; then
|
||||
short_sha="${repo_info##*$'\n'}"
|
||||
repo_info="${repo_info%$'\n'*}"
|
||||
fi
|
||||
local inside_worktree="${repo_info##*$'\n'}"
|
||||
repo_info="${repo_info%$'\n'*}"
|
||||
local bare_repo="${repo_info##*$'\n'}"
|
||||
repo_info="${repo_info%$'\n'*}"
|
||||
local inside_gitdir="${repo_info##*$'\n'}"
|
||||
local g="${repo_info%$'\n'*}"
|
||||
|
||||
if [ "true" = "$inside_worktree" ] &&
|
||||
[ -n "${GIT_PS1_HIDE_IF_PWD_IGNORED-}" ] &&
|
||||
[ "$(git config --bool bash.hideIfPwdIgnored)" != "false" ] &&
|
||||
git check-ignore -q .
|
||||
then
|
||||
return $exit
|
||||
fi
|
||||
|
||||
local r=""
|
||||
local b=""
|
||||
local step=""
|
||||
local total=""
|
||||
if [ -d "$g/rebase-merge" ]; then
|
||||
__git_eread "$g/rebase-merge/head-name" b
|
||||
__git_eread "$g/rebase-merge/msgnum" step
|
||||
__git_eread "$g/rebase-merge/end" total
|
||||
if [ -f "$g/rebase-merge/interactive" ]; then
|
||||
r="|REBASE-i"
|
||||
else
|
||||
r="|REBASE-m"
|
||||
fi
|
||||
else
|
||||
if [ -d "$g/rebase-apply" ]; then
|
||||
__git_eread "$g/rebase-apply/next" step
|
||||
__git_eread "$g/rebase-apply/last" total
|
||||
if [ -f "$g/rebase-apply/rebasing" ]; then
|
||||
__git_eread "$g/rebase-apply/head-name" b
|
||||
r="|REBASE"
|
||||
elif [ -f "$g/rebase-apply/applying" ]; then
|
||||
r="|AM"
|
||||
else
|
||||
r="|AM/REBASE"
|
||||
fi
|
||||
elif [ -f "$g/MERGE_HEAD" ]; then
|
||||
r="|MERGING"
|
||||
elif [ -f "$g/CHERRY_PICK_HEAD" ]; then
|
||||
r="|CHERRY-PICKING"
|
||||
elif [ -f "$g/REVERT_HEAD" ]; then
|
||||
r="|REVERTING"
|
||||
elif [ -f "$g/BISECT_LOG" ]; then
|
||||
r="|BISECTING"
|
||||
fi
|
||||
|
||||
if [ -n "$b" ]; then
|
||||
:
|
||||
elif [ -h "$g/HEAD" ]; then
|
||||
# symlink symbolic ref
|
||||
b="$(git symbolic-ref HEAD 2>/dev/null)"
|
||||
else
|
||||
local head=""
|
||||
if ! __git_eread "$g/HEAD" head; then
|
||||
return $exit
|
||||
fi
|
||||
# is it a symbolic ref?
|
||||
b="${head#ref: }"
|
||||
if [ "$head" = "$b" ]; then
|
||||
detached=yes
|
||||
b="$(
|
||||
case "${GIT_PS1_DESCRIBE_STYLE-}" in
|
||||
(contains)
|
||||
git describe --contains HEAD ;;
|
||||
(branch)
|
||||
git describe --contains --all HEAD ;;
|
||||
(describe)
|
||||
git describe HEAD ;;
|
||||
(* | default)
|
||||
git describe --tags --exact-match HEAD ;;
|
||||
esac 2>/dev/null)" ||
|
||||
|
||||
b="$short_sha..."
|
||||
b="($b)"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -n "$step" ] && [ -n "$total" ]; then
|
||||
r="$r $step/$total"
|
||||
fi
|
||||
|
||||
local w=""
|
||||
local i=""
|
||||
local s=""
|
||||
local u=""
|
||||
local c=""
|
||||
local p=""
|
||||
|
||||
if [ "true" = "$inside_gitdir" ]; then
|
||||
if [ "true" = "$bare_repo" ]; then
|
||||
c="BARE:"
|
||||
else
|
||||
b="GIT_DIR!"
|
||||
fi
|
||||
elif [ "true" = "$inside_worktree" ]; then
|
||||
if [ -n "${GIT_PS1_SHOWDIRTYSTATE-}" ] &&
|
||||
[ "$(git config --bool bash.showDirtyState)" != "false" ]
|
||||
then
|
||||
git diff --no-ext-diff --quiet || w="*"
|
||||
git diff --no-ext-diff --cached --quiet || i="+"
|
||||
if [ -z "$short_sha" ] && [ -z "$i" ]; then
|
||||
i="#"
|
||||
fi
|
||||
fi
|
||||
if [ -n "${GIT_PS1_SHOWSTASHSTATE-}" ] &&
|
||||
git rev-parse --verify --quiet refs/stash >/dev/null
|
||||
then
|
||||
s="$"
|
||||
fi
|
||||
|
||||
if [ -n "${GIT_PS1_SHOWUNTRACKEDFILES-}" ] &&
|
||||
[ "$(git config --bool bash.showUntrackedFiles)" != "false" ] &&
|
||||
git ls-files --others --exclude-standard --directory --no-empty-directory --error-unmatch -- ':/*' >/dev/null 2>/dev/null
|
||||
then
|
||||
u="%${ZSH_VERSION+%}"
|
||||
fi
|
||||
|
||||
if [ -n "${GIT_PS1_SHOWUPSTREAM-}" ]; then
|
||||
__git_ps1_show_upstream
|
||||
fi
|
||||
fi
|
||||
|
||||
local z="${GIT_PS1_STATESEPARATOR-" "}"
|
||||
|
||||
# NO color option unless in PROMPT_COMMAND mode
|
||||
if [ $pcmode = yes ] && [ -n "${GIT_PS1_SHOWCOLORHINTS-}" ]; then
|
||||
__git_ps1_colorize_gitstring
|
||||
fi
|
||||
|
||||
b=${b##refs/heads/}
|
||||
if [ $pcmode = yes ] && [ $ps1_expanded = yes ]; then
|
||||
__git_ps1_branch_name=$b
|
||||
b="\${__git_ps1_branch_name}"
|
||||
fi
|
||||
|
||||
local f="$w$i$s$u"
|
||||
local gitstring="$c$b${f:+$z$f}$r$p"
|
||||
|
||||
if [ $pcmode = yes ]; then
|
||||
if [ "${__git_printf_supports_v-}" != yes ]; then
|
||||
gitstring=$(printf -- "$printf_format" "$gitstring")
|
||||
else
|
||||
printf -v gitstring -- "$printf_format" "$gitstring"
|
||||
fi
|
||||
PS1="$ps1pc_start$gitstring$ps1pc_end"
|
||||
else
|
||||
printf -- "$printf_format" "$gitstring"
|
||||
fi
|
||||
|
||||
return $exit
|
||||
}
|
|
@ -0,0 +1,10 @@
|
|||
---
|
||||
|
||||
- name: restart ssh
|
||||
service:
|
||||
name: ssh
|
||||
state: restarted
|
||||
|
||||
- name: Reload systemd
|
||||
systemd:
|
||||
daemon_reload: yes
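Review bot: The handler is named `Reload systemd`, but the journald task in configs.yml notifies `reload systemd`; handlers are looked up by name, so the notify will most likely fail with a missing-handler error. Beyond the name, `daemon_reload` only re-reads unit files and does not make journald pick up a changed journald.conf. A handler such as `- name: restart journald` using `systemd: name=systemd-journald state=restarted`, notified from the journald task, would apply the new limits.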
|
|
@ -0,0 +1,14 @@
|
|||
---
|
||||
|
||||
- name: '[APT] - Disable IPv6 for APT'
|
||||
copy:
|
||||
src: 99force-ipv4
|
||||
dest: /etc/apt/apt.conf.d/
|
||||
owner: root
|
||||
group: root
|
||||
mode: 644
|
||||
|
||||
- name: '[APT] - Installing some base packages'
|
||||
apt:
|
||||
name: "{{ base_apt_list }}"
|
||||
update_cache: yes
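Review bot: `mode: 644` in the copy task is an unquoted decimal number, which is octal 1204 rather than octal 644, so the file in /etc/apt/apt.conf.d/ does not get rw-r--r--. Write it as a quoted string, `mode: '0644'`; the other tasks in this commit use `0644`, and quoting them too removes the dependence on YAML's number parsing. The task name says "Disable IPv6 for APT" while the file only forces IPv4 for APT's own connections, which is worth a one-line comment so it is not confused with the sysctl tasks.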
|
|
@ -0,0 +1,25 @@
|
|||
---
|
||||
|
||||
- name: '[BASHRC] - Create directories'
|
||||
file:
|
||||
path: /usr/share/git/completion
|
||||
state: directory
|
||||
|
||||
- name: '[BASHRC] - Copy bashrc'
|
||||
copy:
|
||||
src: bash.bashrc
|
||||
dest: /etc/bash.bashrc
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
|
||||
- name: '[BASHRC] - Copy git highlight for bashrc'
|
||||
copy:
|
||||
src: git-prompt.sh
|
||||
dest: /usr/share/git/completion/git-prompt.sh
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
|
||||
- name: '[BASHRC] - Change bash prompt color'
|
||||
shell: sed -i 's/__COLOR__/{{ bash_prompt_color }}/g' /etc/bash.bashrc
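Review bot: The last task interpolates `bash_prompt_color` into a `shell:` line and works against the copy task above it: every run copies bash.bashrc back with the `__COLOR__` placeholder and then rewrites it with sed, so both tasks report changed each time, and a value containing `/` or a quote breaks the command. Shipping bash.bashrc through `template:` with `{{ bash_prompt_color }}` in place of `__COLOR__` removes the shell call and makes the play idempotent; the PS1 block would need `{% raw %}` around it because it contains `{%s}`. If the sed step stays, the `replace` module avoids passing the variable through a shell. The directory task also leaves owner and mode to the umask; `owner: root`, `group: root`, `mode: '0755'` would match the files placed in it.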
|
|
@ -0,0 +1,24 @@
|
|||
---
|
||||
|
||||
- name: "[CONFIG] - Setup journald"
|
||||
template:
|
||||
src: 'etc/journald.conf.j2'
|
||||
dest: '/etc/systemd/journald.conf'
|
||||
notify: reload systemd
|
||||
|
||||
- name: '[CONFIG] - Set sysctl rules'
|
||||
sysctl: name="net.ipv6.conf.all.disable_ipv6" value=0 sysctl_set=yes state=absent reload=yes
|
||||
- sysctl: name="net.ipv6.conf.default.disable_ipv6" value=0 sysctl_set=yes state=absent reload=yes
|
||||
- sysctl: name="net.ipv6.conf.lo.disable_ipv6" value=0 sysctl_set=yes state=absent reload=yes
|
||||
- sysctl: name="net.ipv6.conf.all.forwarding" value=1 sysctl_set=yes state=present reload=yes
|
||||
|
||||
- name: "[CONFIG] - Deploy dialogRC"
|
||||
copy:
|
||||
src: /etc/ansible/extra_files/dialogrc
|
||||
dest: /etc/dialogrc
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
when: 'base_dialogrc is defined and base_dialogrc == true'
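Review bot: The fourth sysctl task sets `net.ipv6.conf.all.forwarding` to 1 on every host that gets this role, with no variable to switch it off, so each container will route IPv6 between its interfaces. Forwarding also changes how the kernel treats router advertisements, so this needs confirming on hosts that autoconfigure their addresses. Gating the task behind a new default-off variable, for example `when: base_ipv6_forwarding | default(false) | bool`, keeps it to hosts that are meant to route. The three follow-on sysctl tasks have no `name:`, and the dialogrc condition compares with boolean `true` while defaults ship the string `'false'`; `when: base_dialogrc | bool` handles both forms.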
|
||||
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
|
||||
- name: '[HOSTS] - Deploy /etc/hosts'
|
||||
copy:
|
||||
src: /etc/ansible/extra_files/hosts_file
|
||||
dest: /etc/hosts
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
|
@ -0,0 +1,22 @@
|
|||
---
|
||||
|
||||
- include: apt.yml
|
||||
|
||||
- include: mkdir.yml
|
||||
|
||||
- include: vimrc.yml
|
||||
|
||||
- include: bashrc.yml
|
||||
|
||||
- include: permissions.yml
|
||||
|
||||
- include: ssh.yml
|
||||
|
||||
- include: hosts.yml
|
||||
when: deploy_hosts_file == 'true'
|
||||
tags:
|
||||
- hosts
|
||||
- include: shouter.yml
|
||||
when: base_shouter is defined
|
||||
|
||||
- include: configs.yml
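Review bot: `when: base_shouter is defined` never matches with the shipped defaults, which define only `base_shouter_jid`, `base_shouter_pwd` and the other `base_shouter_*` keys, so the shouter tasks are skipped unless an undocumented `base_shouter` variable is set. Either document that switch in defaults or test one of the existing keys. `when: deploy_hosts_file == 'true'` matches only the string, so a host_vars entry written as a YAML boolean silently skips the hosts file; `when: deploy_hosts_file | bool` accepts both.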
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
|
||||
- name: '[MKDIR] - Create some base directories'
|
||||
file:
|
||||
path: /etc/letsencrypt/live
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
state: directory
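Review bot: `mode: 0644` on a directory leaves out the search bit and marks /etc/letsencrypt/live as listable by everyone. This path normally holds links to certificate private keys, so it should be private to root. `mode: '0700'` gives a usable directory with that restriction and quotes the octal value.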
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
|
||||
- name: '[PERMISSION] - Change ping permissions'
|
||||
file:
|
||||
path: /bin/ping
|
||||
state: touch
|
||||
mode: "u=rws,g=rx,o=rx"
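Review bot: `state: touch` creates /bin/ping as an empty setuid-root file when the binary is missing, and it updates the timestamps and reports changed on every run. `state: file` applies the mode only to an existing binary and fails visibly otherwise. If the containers allow file capabilities, granting `cap_net_raw` to ping instead of the setuid bit is the narrower privilege; a comment saying why setuid was chosen would help the next reader.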
|
|
@ -0,0 +1,19 @@
|
|||
---
|
||||
|
||||
|
||||
- name: '[SHOUTER] - Create shouter var dir'
|
||||
file:
|
||||
path: /var/local/container-scripts/general
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
state: directory
|
||||
|
||||
- name: '[SHOUTER] - Deploy shouter config'
|
||||
template:
|
||||
src: shouter.var.j2
|
||||
dest: /var/local/container-scripts/general/shouter.var
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
when: base_shouter is defined
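Review bot: The rendered shouter.var holds the XMPP password and is deployed with `mode: 0644`, so every local user can read it. `mode: '0600'` on the file (or `'0640'` with a dedicated group) and `no_log: true` on the template task keep the credential away from other accounts and out of task output. The directory above it is created with `0644`, which lacks the search bit; `'0750'` is the kind of value a directory needs.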
|
|
@ -0,0 +1,46 @@
|
|||
---
|
||||
|
||||
- name: '[SSH] - Create local dir'
|
||||
file:
|
||||
path: /root/.ssh
|
||||
state: directory
|
||||
mode: 0640
|
||||
|
||||
- name: '[SSH] - Create authorized keys dir'
|
||||
file:
|
||||
path: /etc/ssh/authorized_keys
|
||||
state: directory
|
||||
|
||||
- name: '[SSH] - Deploy configuration'
|
||||
template:
|
||||
src: ssh/sshd_config.j2
|
||||
dest: /etc/ssh/sshd_config
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify: restart ssh
|
||||
|
||||
- name: '[SSH] - Deploy git poller ssh key'
|
||||
copy:
|
||||
src: '{{ base_ssh_poller_key }}'
|
||||
dest: /root/.ssh/bs_git-key
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
when: base_ssh_poller_key is defined
|
||||
|
||||
- name: '[SSH] - Manage authorized keys'
|
||||
template:
|
||||
src: ssh/authorized_keys.j2
|
||||
dest: "/etc/ssh/authorized_keys/{{ item.user }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
with_items: "{{ base_ssh_authkey }}"
|
||||
|
||||
- name: '[SSH] - Setup ssh config'
|
||||
template:
|
||||
src: ssh/config.j2
|
||||
dest: "{{ item.config_path }}"
|
||||
with_items: "{{ base_ssh_user_config }}"
|
||||
when: "base_ssh_user_config is defined"
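Review bot: The sshd_config task restarts ssh on change without checking the rendered file, so a bad variable value can leave the host unreachable; adding `validate: '/usr/sbin/sshd -t -f %s'` to that template task rejects a broken config before it replaces the live one. `/root/.ssh` is created with `mode: 0640`, which has no search bit; `mode: '0700'` is the conventional value. The authorized-keys directory task sets no owner or mode, and since `ssh_authkey_file` points sshd at that directory, `owner: root`, `group: root`, `mode: '0755'` should be stated so the result does not depend on the umask.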
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
|
||||
- name: '[VIM] - Install vimrc'
|
||||
git:
|
||||
repo: https://github.com/amix/vimrc.git
|
||||
dest: /root/.vim_runtime
|
||||
|
||||
- name: '[VIM] - Enable new vimrc'
|
||||
command: /bin/bash /root/.vim_runtime/install_awesome_vimrc.sh
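Review bot: These two tasks clone the default branch of a third-party repository and then run its install script as root, so whatever is at the tip of that repository at deploy time executes on every new container. Pinning the checkout with `version: <reviewed-commit-sha>` (placeholder) limits this to code someone has read. The `command:` task also reruns on every play; `creates: /root/.vimrc` would skip it once installed, assuming that is the file the script writes.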
|
|
@ -0,0 +1,52 @@
|
|||
# This file is part of systemd.
|
||||
#
|
||||
# systemd is free software; you can redistribute it and/or modify it
|
||||
# under the terms of the GNU Lesser General Public License as published by
|
||||
# the Free Software Foundation; either version 2.1 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# Entries in this file show the compile time defaults.
|
||||
# You can change settings by editing this file.
|
||||
# Defaults can be restored by simply deleting this file.
|
||||
#
|
||||
# See journald.conf(5) for details.
|
||||
|
||||
[Journal]
|
||||
{% if base_journald_conf is defined %}
|
||||
{% for item in base_journald_items %}
|
||||
{{ item.name }}={{ item.value }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
##Examples
|
||||
#Storage=auto
|
||||
#Compress=yes
|
||||
#Seal=yes
|
||||
#SplitMode=uid
|
||||
#SyncIntervalSec=5m
|
||||
#RateLimitIntervalSec=30s
|
||||
#RateLimitBurst=10000
|
||||
#SystemMaxUse=100M
|
||||
#SystemKeepFree=
|
||||
#SystemMaxFileSize=
|
||||
#SystemMaxFiles=100
|
||||
#RuntimeMaxUse=
|
||||
#RuntimeKeepFree=
|
||||
#RuntimeMaxFileSize=
|
||||
#RuntimeMaxFiles=100
|
||||
#MaxRetentionSec=
|
||||
#MaxFileSec=1month
|
||||
#ForwardToSyslog=yes
|
||||
#ForwardToKMsg=no
|
||||
#ForwardToConsole=no
|
||||
#ForwardToWall=yes
|
||||
#TTYPath=/dev/console
|
||||
#MaxLevelStore=debug
|
||||
#MaxLevelSyslog=debug
|
||||
#MaxLevelKMsg=notice
|
||||
#MaxLevelConsole=info
|
||||
#MaxLevelWall=emerg
|
||||
#LineMax=48K
|
||||
#ReadKMsg=yes
|
||||
#Audit=no
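Review bot: The guard `{% if base_journald_conf is defined %}` is true for any value, and the role defaults set the variable to `'true'`, so setting it to `'false'` does not switch the block off. Test the value instead, `{% if base_journald_conf | default(false) | bool %}`. The inner loop reads `base_journald_items` without a guard of its own; `{% for item in base_journald_items | default([]) %}` keeps the template rendering when only the switch is overridden.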
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
XMPP_JID="{{ base_shouter_jid }}"
|
||||
XMPP_SERVER="{{ base_shouter_server }}"
|
||||
XMPP_RESOURCE="{{ base_shouter_resource }}"
|
||||
XMPP_PWD="{{ base_shouter_pwd }}"
|
||||
XMPP_MUC="{{ base_shouter_muc }}"
|
||||
SENDXMPP="/opt/go/bin/go-sendxmpp -u ${XMPP_JID} -j ${XMPP_SERVER} -r ${XMPP_RESOURCE} -p ${XMPP_PWD} -c ${XMPP_MUC}"
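Review bot: `SENDXMPP` passes the XMPP password as an argument (`-p ${XMPP_PWD}`), so it is readable in the process list by other local users while the command runs, and the rendered file keeps it in clear text. Keep `base_shouter_pwd` in Ansible Vault rather than in defaults, deploy this file with `mode: '0600'` (the deploying task is outside this hunk), and, if the installed go-sendxmpp supports it, have it read the credentials from its own configuration file instead of `-p`. Separately, the values are baked into one string, so when `$SENDXMPP` is later expanded unquoted the default resource `my bot` splits into two arguments; a small wrapper function that calls go-sendxmpp with each value quoted (`-r "${XMPP_RESOURCE}"`) avoids that.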
|
|
@ -0,0 +1,6 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
|
||||
{% for pubkey in item.ssh_pubkeys %}
|
||||
{{ pubkey }}
|
||||
{% endfor %}
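Review bot: The loop reads `item.ssh_pubkeys`, but the role defaults shown for this commit describe `base_ssh_authkey` entries with `user` and `key` fields and none named `ssh_pubkeys`. The task that renders this template is outside this hunk, so this may be fed from a different variable; if it does loop over `base_ssh_authkey`, the render fails on the undefined attribute and no authorized_keys file is written. Either document the expected structure in `defaults/main.yml` or guard it with `{% for pubkey in item.ssh_pubkeys | default([]) %}`.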
|
|
@ -0,0 +1,9 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
{% for item in base_ssh_user_config %}
|
||||
{{ item.settings }}
|
||||
{% for option in item.options %}
|
||||
{{ option }}
|
||||
{% endfor %}
|
||||
|
||||
{% endfor %}
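Review bot: `{{ item.settings }}` does not match the key used in the role defaults, which is `setting: 'Host example.com'`, so the `Host` line is either empty or the render fails; it should read `{{ item.setting }}`. The outer `{% for item in base_ssh_user_config %}` also shadows the task's own `item` (the task already uses `with_items: "{{ base_ssh_user_config }}"` and `dest: "{{ item.config_path }}"`), so every destination file receives the entries of all list items rather than its own. Dropping the outer loop and rendering only the task's `item` keeps each user's `IdentityFile` and `User` lines in that user's file.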
|
|
@ -0,0 +1,109 @@
|
|||
# Package generated configuration file
|
||||
# See the sshd_config(5) manpage for details
|
||||
|
||||
# What ports, IPs and protocols we listen for
|
||||
Port {{ ssh_port }}
|
||||
# Use these options to restrict which interfaces/protocols sshd will bind to
|
||||
#ListenAddress ::
|
||||
#ListenAddress 0.0.0.0
|
||||
Protocol 2
|
||||
# HostKeys for protocol version 2
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
#Privilege Separation is turned on for security
|
||||
UsePrivilegeSeparation yes
|
||||
|
||||
# Cipher selection
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
|
||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
|
||||
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
|
||||
|
||||
|
||||
# Lifetime and size of ephemeral version 1 server key
|
||||
KeyRegenerationInterval 3600
|
||||
ServerKeyBits 1024
|
||||
|
||||
# Logging
|
||||
SyslogFacility AUTH
|
||||
LogLevel INFO
|
||||
|
||||
# Authentication:
|
||||
LoginGraceTime 120
|
||||
PermitRootLogin {{ ssh_permit_root }}
|
||||
StrictModes yes
|
||||
|
||||
RSAAuthentication yes
|
||||
PubkeyAuthentication yes
|
||||
|
||||
AuthorizedKeysFile {{ ssh_authkey_file }}
|
||||
AllowAgentForwarding {{ ssh_agent_forwarding }}
|
||||
|
||||
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
IgnoreRhosts yes
|
||||
# For this to work you will also need host keys in /etc/ssh_known_hosts
|
||||
RhostsRSAAuthentication no
|
||||
# similar for protocol version 2
|
||||
HostbasedAuthentication no
|
||||
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
|
||||
#IgnoreUserKnownHosts yes
|
||||
|
||||
# To enable empty passwords, change to yes (NOT RECOMMENDED)
|
||||
PermitEmptyPasswords no
|
||||
|
||||
# Change to no to disable tunnelled clear text passwords
|
||||
PasswordAuthentication no
|
||||
|
||||
# Kerberos options
|
||||
#KerberosAuthentication no
|
||||
#KerberosGetAFSToken no
|
||||
#KerberosOrLocalPasswd yes
|
||||
#KerberosTicketCleanup yes
|
||||
|
||||
# GSSAPI options
|
||||
#GSSAPIAuthentication no
|
||||
#GSSAPICleanupCredentials yes
|
||||
|
||||
X11Forwarding no
|
||||
X11DisplayOffset 10
|
||||
PrintMotd no
|
||||
PrintLastLog no
|
||||
TCPKeepAlive no
|
||||
UseLogin no
|
||||
|
||||
|
||||
#MaxStartups 10:30:60
|
||||
#Banner /etc/issue.net
|
||||
|
||||
# Allow client to pass locale environment variables
|
||||
AcceptEnv LANG LC_*
|
||||
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
# be allowed through the ChallengeResponseAuthentication and
|
||||
# PasswordAuthentication. Depending on your PAM configuration,
|
||||
# PAM authentication via ChallengeResponseAuthentication may bypass
|
||||
# the setting of "PermitRootLogin without-password".
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
UsePAM yes
|
||||
{% if ssh_2fa is defined %}
|
||||
|
||||
# 2FA
|
||||
AuthenticationMethods publickey,keyboard-interactive
|
||||
ChallengeResponseAuthentication yes
|
||||
{% else %}
|
||||
ChallengeResponseAuthentication no
|
||||
{% endif %}
|
||||
|
||||
{% if base_ssh_extra_rules is defined %}
|
||||
{% for item in base_ssh_extra_rules %}
|
||||
# Extra SSH rules
|
||||
{{ item.name }}
|
||||
{% for option in item.options %}
|
||||
{{ option }}
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
{% endif %}
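Review bot: The `KexAlgorithms` line still offers `diffie-hellman-group14-sha1` and `diffie-hellman-group-exchange-sha1`, which is out of step with the SHA-2/AEAD-only `Ciphers` and `MACs` lines next to it; `KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256` drops the SHA-1 exchanges. `PermitRootLogin {{ ssh_permit_root }}` renders as `yes` with the role default; `prohibit-password` would be a safer default, since the file already sets `PasswordAuthentication no`. `{% if ssh_2fa is defined %}` enables the 2FA branch for any value, including `false`, so `{% if ssh_2fa | default(false) | bool %}` is the safer test. The protocol-1 era options (`KeyRegenerationInterval`, `ServerKeyBits`, `RSAAuthentication`, `RhostsRSAAuthentication`) are deprecated in current OpenSSH and can be removed.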
|
|
@ -0,0 +1,67 @@
|
|||
#
|
||||
# /etc/sysctl.conf - Configuration file for setting system variables
|
||||
# See /etc/sysctl.d/ for additional system variables.
|
||||
# See sysctl.conf (5) for information.
|
||||
#
|
||||
|
||||
#kernel.domainname = example.com
|
||||
|
||||
# Uncomment the following to stop low-level messages on console
|
||||
#kernel.printk = 3 4 1 3
|
||||
|
||||
##############################################################3
|
||||
# Functions previously found in netbase
|
||||
#
|
||||
|
||||
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
|
||||
# Turn on Source Address Verification in all interfaces to
|
||||
# prevent some spoofing attacks
|
||||
#net.ipv4.conf.default.rp_filter=1
|
||||
#net.ipv4.conf.all.rp_filter=1
|
||||
|
||||
# Uncomment the next line to enable TCP/IP SYN cookies
|
||||
# See http://lwn.net/Articles/277146/
|
||||
# Note: This may impact IPv6 TCP sessions too
|
||||
#net.ipv4.tcp_syncookies=1
|
||||
|
||||
# Uncomment the next line to enable packet forwarding for IPv4
|
||||
#net.ipv4.ip_forward=1
|
||||
|
||||
# Uncomment the next line to enable packet forwarding for IPv6
|
||||
# Enabling this option disables Stateless Address Autoconfiguration
|
||||
# based on Router Advertisements for this host
|
||||
#net.ipv6.conf.all.forwarding=1
|
||||
|
||||
|
||||
###################################################################
|
||||
# Additional settings - these settings can improve the network
|
||||
# security of the host and prevent against some network attacks
|
||||
# including spoofing attacks and man in the middle attacks through
|
||||
# redirection. Some network environments, however, require that these
|
||||
# settings are disabled so review and enable them as needed.
|
||||
#
|
||||
# Do not accept ICMP redirects (prevent MITM attacks)
|
||||
#net.ipv4.conf.all.accept_redirects = 0
|
||||
#net.ipv6.conf.all.accept_redirects = 0
|
||||
# _or_
|
||||
# Accept ICMP redirects only for gateways listed in our default
|
||||
# gateway list (enabled by default)
|
||||
# net.ipv4.conf.all.secure_redirects = 1
|
||||
#
|
||||
# Do not send ICMP redirects (we are not a router)
|
||||
#net.ipv4.conf.all.send_redirects = 0
|
||||
#
|
||||
# Do not accept IP source route packets (we are not a router)
|
||||
#net.ipv4.conf.all.accept_source_route = 0
|
||||
#net.ipv6.conf.all.accept_source_route = 0
|
||||
#
|
||||
# Log Martian Packets
|
||||
#net.ipv4.conf.all.log_martians = 1
|
||||
#
|
||||
|
||||
# {{ ansible_managed }}
|
||||
# Custom settings
|
||||
{% for item in sysctl_rules %}
|
||||
{{ item.name }} = {{ item.value }}
|
||||
{% endfor %}
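Review bot: `{% for item in sysctl_rules %}` has no guard, unlike the `base_ssh_extra_rules` block in the sshd template, so a host without `sysctl_rules` fails to render, assuming the variable is not given a default elsewhere in the role. `{% for item in sysctl_rules | default([]) %}` makes it optional. The `# {{ ansible_managed }}` marker sits at the bottom of the file; moving it to the first line makes it obvious to someone opening `/etc/sysctl.conf` that manual edits will be overwritten.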
|
||||
|