Hung-Wei Chiu | 9708ed8 | 2021-04-14 14:20:08 -0700 | [diff] [blame] | 1 | --- |
| 2 | - hosts: all |
| 3 | become_user: root |
| 4 | become_method: sudo |
| 5 | |
| 6 | pre_tasks: |
| 7 | - include_role: name=lfit.system-update |
| 8 | |
| 9 | - name: Install base packages |
| 10 | include_tasks: "{{item}}" |
| 11 | with_first_found: |
| 12 | - "install-base-pkgs-{{ansible_distribution}}.yaml" |
| 13 | - "install-base-pkgs-{{ansible_os_family}}.yaml" |
| 14 | |
| 15 | - name: Allow jenkins user sudo access |
| 16 | copy: |
| 17 | dest: /etc/sudoers.d/89-jenkins-user-defaults |
| 18 | content: | |
| 19 | Defaults:jenkins !requiretty |
| 20 | jenkins ALL=(ALL) NOPASSWD:ALL |
| 21 | validate: /usr/sbin/visudo -cf %s |
| 22 | become: yes |
| 23 | |
| 24 | roles: |
| 25 | - lfit.lf-recommended-tools |
| 26 | - lfit.lf-dev-libs |
| 27 | - lfit.haveged-install |
| 28 | - lfit.java-install |
| 29 | - lfit.python-install |
| 30 | - lfit.shellcheck-install |
| 31 | - lfit.sysstat-install |
| 32 | |
| 33 | post_tasks: |
| 34 | - name: Update /etc/nss-switch.conf to map hostname with IP |
| 35 | # Update /etc/nss-switch.conf to map hostname with IP instead of using `localhost` |
| 36 | # from /etc/hosts which is required by some of the Java API's to avoid |
| 37 | # Java UnknownHostException: "Name or service not known" error. |
| 38 | replace: |
| 39 | path: /etc/nsswitch.conf |
| 40 | regexp: '^hosts:(\s+.*)?$' |
| 41 | replace: 'hosts:\1 myhostname' |
| 42 | backup: yes |
| 43 | become: yes |
| 44 | |
| 45 | - name: Disable periodic updates |
| 46 | block: |
| 47 | - name: Set all periodic update options to 0 |
| 48 | replace: |
| 49 | path: /etc/apt/apt.conf.d/10periodic |
| 50 | regexp: "1" |
| 51 | replace: "0" |
| 52 | - name: Set all auto update options to 0 |
| 53 | replace: |
| 54 | path: /etc/apt/apt.conf.d/20auto-upgrades |
| 55 | regexp: "1" |
| 56 | replace: "0" |
| 57 | - name: Disable unattended upgrades |
| 58 | lineinfile: |
| 59 | path: /etc/apt/apt.conf.d/10periodic |
| 60 | regexp: "^APT::Periodic::Unattended-Upgrade" |
| 61 | line: 'APT::Periodic::Unattended-Upgrade "0";' |
| 62 | create: yes |
| 63 | - name: Uninstall unattended upgrades |
| 64 | apt: |
| 65 | name: unattended-upgrades |
| 66 | state: absent |
| 67 | - name: Prevent unattended upgrades from being installed |
| 68 | dpkg_selections: |
| 69 | name: unattended-upgrades |
| 70 | selection: hold |
| 71 | - name: Disable apt-daily.* systemd services |
| 72 | systemd: |
| 73 | name: "{{service}}" |
| 74 | enabled: no |
| 75 | masked: yes |
| 76 | with_items: |
| 77 | - apt-daily.service |
| 78 | - apt-daily.timer |
| 79 | - apt-daily-upgrade.service |
| 80 | - apt-daily-upgrade.timer |
| 81 | loop_control: |
| 82 | loop_var: service |
| 83 | when: ansible_distribution == 'Ubuntu' |
| 84 | become: yes |
| 85 | |
| 86 | - name: System Reseal |
| 87 | script: system-reseal.sh |
| 88 | become: true |