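---
# Baseline provisioning play: system update, base packages, sudo access for
# the jenkins user, a set of lfit.* roles, then host tweaks and a reseal
# script.
- hosts: all
  # These two keys only choose HOW privileges are escalated. Escalation itself
  # is switched on per task/block with `become`, so anything below without
  # `become` runs as the connecting user unless the included role or task file
  # sets it (not visible from this file).
  become_user: root
  become_method: sudo

  pre_tasks:
    - name: Include lfit.system-update role
      include_role:
        name: lfit.system-update

    - name: Install base packages
      # The first file that exists wins: the distribution-specific list takes
      # precedence over the OS-family one.
      include_tasks: "{{ item }}"
      with_first_found:
        - "install-base-pkgs-{{ ansible_distribution }}.yaml"
        - "install-base-pkgs-{{ ansible_os_family }}.yaml"

    - name: Allow jenkins user sudo access
      # NOTE(review): NOPASSWD:ALL gives the jenkins account unrestricted root
      # with no password, so any job that runs as jenkins on this host can act
      # as root. Keep this to disposable build agents; where the jobs allow
      # it, narrow the rule to the specific commands they need.
      copy:
        dest: /etc/sudoers.d/89-jenkins-user-defaults
        content: |
          Defaults:jenkins !requiretty
          jenkins ALL=(ALL) NOPASSWD:ALL
        # Explicit ownership and mode: without them the drop-in inherits
        # whatever the umask gives. sudoers files should be root-owned and
        # not writable by anyone else.
        owner: root
        group: root
        mode: "0440"
        # Syntax-check the candidate file before it is moved into place so a
        # bad rule cannot break sudo on the host.
        validate: /usr/sbin/visudo -cf %s
      become: true

  roles:
    - lfit.lf-recommended-tools
    - lfit.lf-dev-libs
    - lfit.haveged-install
    - lfit.java-install
    - lfit.python-install
    - lfit.shellcheck-install
    - lfit.sysstat-install

  post_tasks:
    - name: Update /etc/nss-switch.conf to map hostname with IP
      # Update /etc/nsswitch.conf to map the hostname to an IP instead of
      # using `localhost` from /etc/hosts; some Java APIs need this to avoid
      # Java UnknownHostException: "Name or service not known".
      replace:
        path: /etc/nsswitch.conf
        # The negative lookahead skips a hosts line that already lists
        # myhostname, so re-running the play does not append it again.
        regexp: '^hosts:(?!.*\bmyhostname\b)(\s+.*)?$'
        replace: 'hosts:\1 myhostname'
        backup: true
      become: true

    - name: Disable periodic updates
      # NOTE(review): with unattended upgrades removed and held, and the
      # apt-daily units masked, a host built from this play only receives
      # security updates when it is re-provisioned. Presumably the
      # lfit.system-update role patches at build time; confirm, and rebuild
      # on a regular schedule.
      block:
        - name: Set all periodic update options to 0
          replace:
            path: /etc/apt/apt.conf.d/10periodic
            # Anchor on the APT::Periodic setting and rewrite its whole quoted
            # value. A bare "1" pattern would also rewrite digits inside other
            # values (14 -> 04) and leave values such as "7" enabled.
            regexp: '^(\s*APT::Periodic::\S+\s+)"[^"]*";'
            replace: '\1"0";'
        - name: Set all auto update options to 0
          replace:
            path: /etc/apt/apt.conf.d/20auto-upgrades
            regexp: '^(\s*APT::Periodic::\S+\s+)"[^"]*";'
            replace: '\1"0";'
        - name: Disable unattended upgrades
          lineinfile:
            path: /etc/apt/apt.conf.d/10periodic
            regexp: "^APT::Periodic::Unattended-Upgrade"
            line: 'APT::Periodic::Unattended-Upgrade "0";'
            create: true
        - name: Uninstall unattended upgrades
          apt:
            name: unattended-upgrades
            state: absent
        - name: Prevent unattended upgrades from being installed
          dpkg_selections:
            name: unattended-upgrades
            selection: hold
        - name: Disable apt-daily.* systemd services
          systemd:
            name: "{{ service }}"
            enabled: false
            masked: true
          with_items:
            - apt-daily.service
            - apt-daily.timer
            - apt-daily-upgrade.service
            - apt-daily-upgrade.timer
          loop_control:
            loop_var: service
      # The condition and the escalation apply to every task in the block.
      when: ansible_distribution == 'Ubuntu'
      become: true

    - name: System Reseal
      # Copies the local system-reseal.sh to the target and runs it as root.
      # The script is not part of this file; review it together with this
      # play.
      script: system-reseal.sh
      become: true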