blob: c57d8fcfda6b22facc8006771c63718b233556ba [file] [log] [blame]
---
- hosts: all
become_user: root
become_method: sudo
pre_tasks:
- include_role: name=lfit.system-update
- name: Install base packages
include_tasks: "{{item}}"
with_first_found:
- "install-base-pkgs-{{ansible_distribution}}.yaml"
- "install-base-pkgs-{{ansible_os_family}}.yaml"
- name: Allow jenkins user sudo access
copy:
dest: /etc/sudoers.d/89-jenkins-user-defaults
content: |
Defaults:jenkins !requiretty
jenkins ALL = NOPASSWD: /usr/sbin/update-alternatives, /usr/sbin/update-java-alternatives
validate: /usr/sbin/visudo -cf %s
become: true
roles:
- lfit.lf-recommended-tools
- lfit.lf-dev-libs
- lfit.haveged-install
- lfit.java-install
- lfit.python-install
- lfit.shellcheck-install
- lfit.sysstat-install
post_tasks:
- name: Update /etc/nss-switch.conf to map hostname with IP
# Update /etc/nss-switch.conf to map hostname with IP instead of using `localhost`
# from /etc/hosts which is required by some of the Java API's to avoid
# Java UnknownHostException: "Name or service not known" error.
replace:
path: /etc/nsswitch.conf
regexp: '^hosts:(\s+.*)?$'
replace: 'hosts:\1 myhostname'
backup: true
become: true
- name: Disable periodic updates
block:
- name: Set all periodic update options to 0
replace:
path: /etc/apt/apt.conf.d/10periodic
regexp: "1"
replace: "0"
- name: Set all auto update options to 0
replace:
path: /etc/apt/apt.conf.d/20auto-upgrades
regexp: "1"
replace: "0"
- name: Disable unattended upgrades
lineinfile:
path: /etc/apt/apt.conf.d/10periodic
regexp: "^APT::Periodic::Unattended-Upgrade"
line: 'APT::Periodic::Unattended-Upgrade "0";'
create: true
- name: Uninstall unattended upgrades
apt:
name: unattended-upgrades
state: absent
- name: Prevent unattended upgrades from being installed
dpkg_selections:
name: unattended-upgrades
selection: hold
- name: Disable apt-daily.* systemd services
systemd:
name: "{{service}}"
enabled: false
masked: true
with_items:
- apt-daily.service
- apt-daily.timer
- apt-daily-upgrade.service
- apt-daily-upgrade.timer
loop_control:
loop_var: service
when: ansible_distribution == 'Ubuntu'
become: true
- name: System Reseal
script: system-reseal.sh
become: true
# [EOF]