From 07840c41194b85d3821b50e2d833a9f686420284 Mon Sep 17 00:00:00 2001
From: Douglas J Hunley
Date: Thu, 25 Sep 2025 14:02:36 -0400
Subject: [PATCH 1/7] refactor(ansible): bring our ansible up to modern ansible-lint standards

---
 ansible/tasks/clean-build-dependencies.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ansible/tasks/clean-build-dependencies.yml b/ansible/tasks/clean-build-dependencies.yml
index 43ec05179..567398f5f 100644
--- a/ansible/tasks/clean-build-dependencies.yml
+++ b/ansible/tasks/clean-build-dependencies.yml
@@ -1,5 +1,6 @@
 - name: Remove build dependencies
-  apt:
+  ansible.builtin.apt:
+    autoremove: true
     pkg:
       - bison
       - build-essential
@@ -17,5 +18,4 @@
       - ninja-build
       - patch
       - python2
-    state: absent
-    autoremove: yes
+    state: 'absent'
From 61ba084e218f484dc23d246146e2a527686efb07 Mon Sep 17 00:00:00 2001
From: Douglas J Hunley
Date: Fri, 26 Sep 2025 09:19:49 -0400
Subject: [PATCH 2/7] refactor(ansible): bring our ansible up to modern ansible-lint standards

---
 ansible/tasks/finalize-ami.yml | 139 +++++++++++++++++----------------
 1 file changed, 73 insertions(+), 66 deletions(-)

diff --git a/ansible/tasks/finalize-ami.yml b/ansible/tasks/finalize-ami.yml
index 7f0de3ac8..66ee22dab 100644
--- a/ansible/tasks/finalize-ami.yml
+++ b/ansible/tasks/finalize-ami.yml
@@ -1,81 +1,88 @@ - name: PG logging conf - template: - src: files/postgresql_config/postgresql-csvlog.conf - dest: /etc/postgresql/logging.conf - group: postgres + ansible.builtin.template: + dest: '/etc/postgresql/logging.conf' + group: 'postgres' + src: 'files/postgresql_config/postgresql-csvlog.conf' -- name: UFW - Allow SSH connections - ufw: - rule: allow - name: OpenSSH - -- name: UFW - Allow connections to postgreSQL (5432) - ufw: - rule: allow - port: "5432" - -- name: UFW - Allow connections to postgreSQL (6543) - ufw: - rule: allow - port: "6543" - tags: - - install-pgbouncer - -- name: UFW - Allow connections to http (80) - ufw: - rule: allow - port: http - tags: - - install-supabase-internal - -- name: UFW - Allow connections to https (443) - ufw: - rule: allow - port: https - tags: - - install-supabase-internal +- name: UFW - Allow SSH/PostgreSQL/PgBouncer/HTTP/HTTPS connections + community.general.ufw: + name: "{{ port_item }}" + rule: 'allow' + loop: + - 'OpenSSH' + - '5432' + - '6543' + - 'http' + - 'https' + loop_control: + loop_var: 'port_item' - name: UFW - Deny all other incoming traffic by default - ufw: - state: enabled - policy: deny - direction: incoming + community.general.ufw: + direction: 'incoming' + policy: 'deny' + state: 'enabled' - name: Move logrotate files to /etc/logrotate.d/ - copy: - src: "files/logrotate_config/{{ item.file }}" - dest: "/etc/logrotate.d/{{ item.file }}" - mode: "0700" - owner: root + ansible.builtin.copy: + dest: "/etc/logrotate.d/{{ logrotate_item['file'] }}" + mode: '0700' + owner: 'root' + src: "files/logrotate_config/{{ logrotate_item['file'] }}" loop: - - { file: "logrotate-postgres-csv.conf" } - - { file: "logrotate-postgres.conf" } - - { file: "logrotate-walg.conf" } - - { file: "logrotate-postgres-auth.conf" } + - { file: 'logrotate-postgres.conf' } + - { file: 'logrotate-postgres-auth.conf' } + - { file: 'logrotate-postgres-csv.conf' } + - { file: 'logrotate-walg.conf' } + loop_control: + loop_var: 
'logrotate_item' -- name: Ensure default Postgres logrotate config is removed - file: - path: /etc/logrotate.d/postgresql-common - state: absent +- name: Ensure default PostgreSQL logrotate config is removed + ansible.builtin.file: + path: '/etc/logrotate.d/postgresql-common' + state: 'absent' - name: Disable cron access copy: - src: files/cron.deny - dest: /etc/cron.deny + dest: '/etc/cron.deny' + src: 'files/cron.deny' + +- name: Create logrotate.timer.d overrides dir + become: true + ansible.builtin.file: + group: 'root' + mode: '0755' + owner: 'root' + path: '/etc/systemd/system/logrotate.timer.d' + state: 'directory' + +- name: Configure logrotate.timer.d overrides + become: true + community.general.ini_file: + group: 'root' + mode: '0644' + noextraspaces: true + option: 'OnCalendar' + owner: 'root' + path: '/etc/systemd/system/logrotate.timer.d/override.conf' + section: 'Timer' + state: 'present' + value: '*:0/5' -- name: Configure logrotation to run every hour - shell: - cmd: | - cp /usr/lib/systemd/system/logrotate.timer /etc/systemd/system/logrotate.timer - sed -i -e 's;daily;*:0/5;' /etc/systemd/system/logrotate.timer - systemctl reenable logrotate.timer - become: yes +- name: Reload systemd and start logrotate timer + become: true + ansible.builtin.systemd_service: + daemon_reload: true + enabled: true + name: 'logrotate.timer' + state: 'restarted' - name: import pgsodium_getkey script - template: - src: files/pgsodium_getkey_readonly.sh.j2 + ansible.builtin.template: dest: "{{ pg_bindir }}/pgsodium_getkey.sh" - owner: postgres - group: postgres - mode: 0700 - when: debpkg_mode or stage2_nix + group: 'postgres' + mode: '0700' + owner: 'postgres' + src: 'files/pgsodium_getkey_readonly.sh.j2' + when: + - (debpkg_mode or stage2_nix) From 991fed4e3a069753ca7dd5f8be40f03a61cf5b6d Mon Sep 17 00:00:00 2001 
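Review bot: The drop-in written by the new `Configure logrotate.timer.d overrides` task does not replace the stock schedule: systemd treats `OnCalendar=` as a list setting, so a drop-in that only adds `OnCalendar=*:0/5` leaves the packaged `daily` trigger in place next to it, whereas the removed `sed -i -e 's;daily;*:0/5;'` rewrote the value in the copied unit. The override needs an empty `OnCalendar=` line first to reset the list; since `ini_file` manages a single `option`/`value` pair, writing the drop-in with `ansible.builtin.copy` and a `content:` block is the simplest form (below). Separately, the `Disable cron access` task still uses the short `copy:` module name while every other task in this hunk moved to `ansible.builtin.copy:`. PATCH 4/7 in this series already corrects the UFW loop that passes port numbers through `name:` instead of `port:`, so that is not re-raised here.
```yaml
- name: Configure logrotate.timer.d overrides
  become: true
  ansible.builtin.copy:
    content: |
      [Timer]
      OnCalendar=
      OnCalendar=*:0/5
    dest: '/etc/systemd/system/logrotate.timer.d/override.conf'
    group: 'root'
    mode: '0644'
    owner: 'root'
# … unchanged: remaining tasks …
```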
From: Douglas J Hunley Date: Fri, 26 Sep 2025 09:43:41 -0400 Subject: [PATCH 3/7] refactor(ansible): bring our ansible up to modern ansible-lint standards --- ansible/tasks/setup-system.yml | 375 +++++++++++++++------------------ 1 file changed, 175 insertions(+), 200 deletions(-) diff --git a/ansible/tasks/setup-system.yml b/ansible/tasks/setup-system.yml index c0653811d..ce083184b 100644 --- a/ansible/tasks/setup-system.yml +++ b/ansible/tasks/setup-system.yml 
@@ -1,209 +1,184 @@ -- name: System - apt update and apt upgrade - apt: update_cache=yes upgrade=yes - when: debpkg_mode or nixpkg_mode - # SEE http://archive.vn/DKJjs#parameter-upgrade - -- name: Install required security updates - apt: - pkg: - - tzdata - - linux-libc-dev - when: debpkg_mode or nixpkg_mode -# SEE https://github.com/georchestra/ansible/issues/55#issuecomment-588313638 -# Without this, a similar error is faced -- name: Install Ansible dependencies - apt: - pkg: - - acl - when: debpkg_mode or nixpkg_mode - -- name: Install security tools - apt: - pkg: - - nftables - - fail2ban - update_cache: yes - cache_valid_time: 3600 - when: debpkg_mode or nixpkg_mode - -- name: Use nftables backend - shell: | - update-alternatives --set iptables /usr/sbin/iptables-nft - update-alternatives --set ip6tables /usr/sbin/ip6tables-nft - update-alternatives --set arptables /usr/sbin/arptables-nft - update-alternatives --set ebtables /usr/sbin/ebtables-nft - systemctl restart ufw - when: debpkg_mode or nixpkg_mode - -- name: Create Sysstat log directory - file: - path: /var/log/sysstat - state: directory - when: debpkg_mode or nixpkg_mode - -- name: Install other useful tools - apt: - pkg: - - bwm-ng - - htop - - net-tools - - ngrep - - sysstat - - vim-tiny - update_cache: yes - when: debpkg_mode or nixpkg_mode - -- name: Configure sysstat - copy: - src: files/sysstat.sysstat - dest: /etc/sysstat/sysstat - when: debpkg_mode or nixpkg_mode - -- name: Configure default sysstat - copy: - src: files/default.sysstat - dest: /etc/default/sysstat - when: debpkg_mode or nixpkg_mode - - -- name: Adjust APT update intervals - copy: - src: files/apt_periodic - dest: /etc/apt/apt.conf.d/10periodic - when: debpkg_mode or nixpkg_mode +- name: execute (debpkg_mode or nixpkg_mode) tasks + when: + - (debpkg_mode or nixpkg_mode) + block: + - name: System - apt update and apt upgrade + ansible.builtin.apt: + update_cache: true + upgrade: true + # SEE 
http://archive.vn/DKJjs#parameter-upgrade + + - name: Install desired packages + ansible.builtin.apt: + cache_valid_time: 3600 + pkg: + - acl # SEE https://github.com/georchestra/ansible/issues/55#issuecomment-588313638 + - fail2ban + - htop + - linux-libc-dev + - net-tools + - nftables + - ngrep + - sysstat + - tzdata + - vim-tiny + state: 'present' + update_cache: true + + - name: Use nftables backend + community.general.alternatives: + name: "{{ nft_alt_item['name'] }}" + path: "{{ nft_alt_item['path'] }}" + loop: + - { name: 'arptables', path: '/usr/sbin/arptables-nft' } + - { name: 'ebtables', path: '/usr/sbin/ebtables-nft' } + - { name: 'iptables', path: '/usr/sbin/iptables-nft' } + - { name: 'ip6tables', path: '/usr/sbin/ip6tables-nft' } + loop_control: + loop_var: 'nft_alt_item' + + - name: Restart ufw + ansible.builtin.systemd_service: + name: 'ufw' + state: 'restarted' + + - name: Create Sysstat log directory + ansible.builtin.file: + path: '/var/log/sysstat' + state: 'directory' + + - bwm-ng + + - name: Configure sysstat + ansible.builtin.copy: + dest: "/etc/{{ systat_item }}/sysstat" + src: "files/{{ systat_item }}.sysstat" + loop: + - default + - systat + loop_control: + loop_var: 'systat_item' + + - name: Adjust APT update intervals + ansible.builtin.copy: + dest: '/etc/apt/apt.conf.d/10periodic' + src: 'files/apt_periodic' # Find platform architecture and set as a variable -- name: finding platform architecture - shell: if [ $(uname -m) = "aarch64" ]; then echo "arm64"; else echo "amd64"; fi - register: platform_output +- name: set the arch as a fact + ansible.builtin.set_fact: + platform: "{{ 'arm64' if ansible_facts['architecture'] == 'aarch64' else 'amd64' }}" tags: - update - update-only -- set_fact: - platform: "{{ platform_output.stdout }}" - tags: - - update - - update-only - when: debpkg_mode or nixpkg_mode or stage2_nix - -- name: create overrides dir - file: - state: directory - owner: root - group: root - path: 
/etc/systemd/system/systemd-resolved.service.d - mode: '0700' - when: debpkg_mode or nixpkg_mode - -- name: Custom systemd overrides for resolved - copy: - src: files/systemd-resolved.conf - dest: /etc/systemd/system/systemd-resolved.service.d/override.conf - when: debpkg_mode or nixpkg_mode - -- name: System - Create services.slice - template: - src: files/services.slice.j2 - dest: /etc/systemd/system/services.slice - when: debpkg_mode or nixpkg_mode - - -- name: System - systemd reload - systemd: daemon_reload=yes - when: debpkg_mode or nixpkg_mode - -- name: Configure journald - copy: - src: files/journald.conf - dest: /etc/systemd/journald.conf - when: debpkg_mode or nixpkg_mode - -- name: reload systemd-journald - systemd: - name: systemd-journald - state: restarted - when: debpkg_mode or nixpkg_mode - -- name: Configure logind - copy: - src: files/logind.conf - dest: /etc/systemd/logind.conf - when: debpkg_mode or nixpkg_mode - -- name: reload systemd-logind - systemd: - name: systemd-logind - state: restarted - when: debpkg_mode or nixpkg_mode - -- name: enable timestamps for shell history - copy: - content: | - export HISTTIMEFORMAT='%d/%m/%y %T ' - dest: /etc/profile.d/09-history-timestamps.sh - mode: 0644 - owner: root - group: root - when: debpkg_mode or nixpkg_mode - -- name: configure systemd's pager - copy: - content: | - export SYSTEMD_LESS=FRXMK - dest: /etc/profile.d/10-systemd-pager.sh - mode: 0644 - owner: root - group: root - when: debpkg_mode or nixpkg_mode - -- name: set hosts file - copy: - content: | - 127.0.0.1 localhost - ::1 localhost - dest: /etc/hosts - mode: 0644 - owner: root - group: root - when: debpkg_mode or stage2_nix - -#Set Sysctl params for restarting the OS on oom after 10 -- name: Set vm.panic_on_oom=1 - ansible.builtin.sysctl: - name: vm.panic_on_oom - value: '1' - state: present - reload: yes - when: debpkg_mode or nixpkg_mode - -- name: Set kernel.panic=10 - ansible.builtin.sysctl: - name: kernel.panic - value: '10' - 
state: present - reload: yes - when: debpkg_mode or nixpkg_mode + when: + - (debpkg_mode or nixpkg_mode or stage2_nix) + +- name: execute tasks when )debpkg_mode or nixpkg_mode) + when: + - (debpkg_mode or nixpkg_mode) + block: + - name: create overrides dir + ansible.builtin.file: + group: 'root' + mode: '0700' + owner: 'root' + path: '/etc/systemd/system/systemd-resolved.service.d' + state: 'directory' + + - name: Custom systemd overrides for resolved + ansible.builtin.copy: + dest: '/etc/systemd/system/systemd-resolved.service.d/override.conf' + src: 'files/systemd-resolved.conf' + + - name: System - Create services.slice + ansible.builtin.template: + dest: '/etc/systemd/system/services.slice' + src: 'files/services.slice.j2' + + + - name: System - systemd reload + ansible.builtin.systemd_service: + daemon_reload: true + + - name: Configure journald + ansible.builtin.copy: + dest: '/etc/systemd/journald.conf' + src: 'files/journald.conf' + + - name: reload systemd-journald + ansible.builtin.systemd_service: + name: 'systemd-journald' + state: 'restarted' + + - name: Configure logind + ansible.builtin.copy: + dest: '/etc/systemd/logind.conf' + src: 'files/logind.conf' + + - name: reload systemd-logind + ansible.builtin.systemd_service: + name: 'systemd-logind' + state: 'restarted' + + - name: enable timestamps for shell history + ansible.builtin.lineinfile: + create: true + group: 'root' + line: "export HISTTIMEFORMAT='%d/%m/%y %T '" + mode: '0644' + owner: 'root' + path: '/etc/profile.d/09-history-timestamps.sh' + state: 'present' + + - name: configure systemd's pager + ansible.builtin.lineinfile: + create: true + dest: '/etc/profile.d/10-systemd-pager.sh' + line: 'export SYSTEMD_LESS=FRXMK' + mode: '0644' + owner: 'root' + group: 'root' + state: 'present' + + - name: set hosts file + ansible.builtin.lineinfile: + dest: '/etc/hosts' + group: 'root' + line: "{{ localhost_item }}" + mode: '0644' + owner: 'root' + state: 'present' + loop: + - '127.0.0.1 localhost' 
+ - '::1 localhost' + loop_control: + loop_var: 'localhost_item' + + # Set Sysctl params for restarting the OS on oom after 10 + - name: Set {{ sysctl_item['name'] }}={{ sysctl_item['value'] }} + ansible.posix.sysctl: + name: "{{ sysctl_item['name'] }}" + reload: true + state: 'present' + value: "{{ sysctl_item['value'] }}" + loop: + - { name: 'kernel.panic', value: 10 } + - { name: 'net.ipv4.tcp_keepalive_intvl', value: 60 } + - { name: 'net.ipv4.tcp_keepalive_time', value 1800 } + - { name: 'vm.panic_on_oom', value: 1 } + loop_control: + loop_var: 'sysctl_item' - name: configure system ansible.posix.sysctl: - name: 'net.core.somaxconn' - value: 16834 + name: "{{ sysctl_item['name'] }}" + reload: true + state: 'present' + value: "{{ sysctl_item['value'] }}" + loop: + - { name: 'net.ipv4.ip_local_port_range', value: '1025 65000' } + - { name: 'net.core.somaxconn', value: 16834 } + loop_control: + loop_var: 'sysctl_item' -- name: configure system - ansible.posix.sysctl: - name: 'net.ipv4.ip_local_port_range' - value: '1025 65000' - -#Set Sysctl params specific to keepalives -- name: Set net.ipv4.tcp_keepalive_time=1800 - ansible.builtin.sysctl: - name: net.ipv4.tcp_keepalive_time - value: 1800 - state: present - when: debpkg_mode or nixpkg_mode -- name: Set net.ipv4.tcp_keepalive_intvl=60 - ansible.builtin.sysctl: - name: net.ipv4.tcp_keepalive_intvl - value: 60 - state: present - when: debpkg_mode or nixpkg_mode From cfcca4ac3abfa4b76a8875edb57e988ed5334ae6 Mon Sep 17 00:00:00 2001 From: Douglas J Hunley Date: Fri, 26 Sep 2025 11:05:23 -0400 Subject: [PATCH 4/7] fix(finalize-ami.yml): Need to split the ufw tasks back up since they have different tags --- ansible/tasks/finalize-ami.yml | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/ansible/tasks/finalize-ami.yml b/ansible/tasks/finalize-ami.yml index 66ee22dab..e64d3a70e 100644 --- a/ansible/tasks/finalize-ami.yml +++ b/ansible/tasks/finalize-ami.yml 
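Review bot: Three of the rewritten tasks in this hunk would either not load or would configure the wrong paths: the sysctl loop entry `- { name: 'net.ipv4.tcp_keepalive_time', value 1800 }` is missing the colon after `value` and fails YAML parsing; the bare `- bwm-ng` item left between the `Create Sysstat log directory` and `Configure sysstat` tasks is not a task, and `bwm-ng` no longer appears in the `Install desired packages` list; and the sysstat loop iterates over `systat`, so it writes `/etc/systat/sysstat` from `files/systat.sysstat` instead of the `/etc/sysstat/sysstat` / `files/sysstat.sysstat` pair the removed tasks used. The block name `execute tasks when )debpkg_mode or nixpkg_mode)` also carries a stray `)`. PATCH 5/7 reverts this file to upstream, so these only matter if the refactor is reattempted; when it is, the fixes are `value: 1800`, restoring `bwm-ng` to the package list, and `- sysstat` with `loop_var: 'sysstat_item'`.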
@@ -4,18 +4,34 @@ group: 'postgres' src: 'files/postgresql_config/postgresql-csvlog.conf' -- name: UFW - Allow SSH/PostgreSQL/PgBouncer/HTTP/HTTPS connections +- name: UFW - Allow SSH connections community.general.ufw: - name: "{{ port_item }}" + name: 'OpenSSH' + rule: 'allow' + +- name: UFW - Allow SSH/PostgreSQL connections + community.general.ufw: + port: '5432' + rule: 'allow' + +- name: UFW - Allow PgBouncer connections + community.general.ufw: + port: '6543' + rule: 'allow' + tags: + - install-pgbouncer + +- name: UFW - Allow HTTP/HTTPS connections + community.general.ufw: + port: "{{ port_item }}" rule: 'allow' loop: - - 'OpenSSH' - - '5432' - - '6543' - 'http' - 'https' loop_control: loop_var: 'port_item' + tags: + - install-supabase-internal - name: UFW - Deny all other incoming traffic by default community.general.ufw: From d88456207970c71b0eac916b44693bd47d8d879a Mon Sep 17 00:00:00 2001 From: Douglas J Hunley Date: Fri, 26 Sep 2025 11:07:54 -0400 Subject: [PATCH 5/7] revert(setup-system.yml): revert to upstream in this PR --- ansible/tasks/setup-system.yml | 383 ++++++++++++++++++--------------- 1 file changed, 207 insertions(+), 176 deletions(-) diff --git a/ansible/tasks/setup-system.yml b/ansible/tasks/setup-system.yml index 10361f82a..1f8abec62 100644 --- a/ansible/tasks/setup-system.yml +++ b/ansible/tasks/setup-system.yml 
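Review bot: The task that opens port 5432 is named `UFW - Allow SSH/PostgreSQL connections`, but SSH is already handled by the preceding `OpenSSH` task and this rule allows only PostgreSQL; a misleading name here matters because these are the firewall rules a reader audits from the play output. Rename it `- name: UFW - Allow PostgreSQL connections`. Switching the numeric and service entries from `name:` to `port:` is the right parameter for `community.general.ufw`, since `name:` refers to an application profile rather than a port.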
@@ -1,185 +1,216 @@ -- name: execute (debpkg_mode or nixpkg_mode) tasks - when: - - (debpkg_mode or nixpkg_mode) - block: - - name: System - apt update and apt upgrade - ansible.builtin.apt: - update_cache: true - upgrade: true - # SEE http://archive.vn/DKJjs#parameter-upgrade - - - name: Install desired packages - ansible.builtin.apt: - cache_valid_time: 3600 - pkg: - - acl # SEE https://github.com/georchestra/ansible/issues/55#issuecomment-588313638 - - fail2ban - - htop - - less - - linux-libc-dev - - net-tools - - nftables - - ngrep - - sysstat - - tzdata - - vim-tiny - state: 'present' - update_cache: true - - - name: Use nftables backend - community.general.alternatives: - name: "{{ nft_alt_item['name'] }}" - path: "{{ nft_alt_item['path'] }}" - loop: - - { name: 'arptables', path: '/usr/sbin/arptables-nft' } - - { name: 'ebtables', path: '/usr/sbin/ebtables-nft' } - - { name: 'iptables', path: '/usr/sbin/iptables-nft' } - - { name: 'ip6tables', path: '/usr/sbin/ip6tables-nft' } - loop_control: - loop_var: 'nft_alt_item' - - - name: Restart ufw - ansible.builtin.systemd_service: - name: 'ufw' - state: 'restarted' - - - name: Create Sysstat log directory - ansible.builtin.file: - path: '/var/log/sysstat' - state: 'directory' - - - bwm-ng - - - name: Configure sysstat - ansible.builtin.copy: - dest: "/etc/{{ systat_item }}/sysstat" - src: "files/{{ systat_item }}.sysstat" - loop: - - default - - systat - loop_control: - loop_var: 'systat_item' - - - name: Adjust APT update intervals - ansible.builtin.copy: - dest: '/etc/apt/apt.conf.d/10periodic' - src: 'files/apt_periodic' +- name: System - apt update and apt upgrade + apt: update_cache=yes upgrade=yes + when: debpkg_mode or nixpkg_mode + # SEE http://archive.vn/DKJjs#parameter-upgrade + +- name: Install required security updates + apt: + pkg: + - tzdata + - linux-libc-dev + when: debpkg_mode or nixpkg_mode +# SEE https://github.com/georchestra/ansible/issues/55#issuecomment-588313638 +# Without this, a 
similar error is faced +- name: Install Ansible dependencies + apt: + pkg: + - acl + when: debpkg_mode or nixpkg_mode + +- name: Install security tools + apt: + pkg: + - nftables + - fail2ban + update_cache: yes + cache_valid_time: 3600 + when: debpkg_mode or nixpkg_mode + +- name: Use nftables backend + shell: | + update-alternatives --set iptables /usr/sbin/iptables-nft + update-alternatives --set ip6tables /usr/sbin/ip6tables-nft + update-alternatives --set arptables /usr/sbin/arptables-nft + update-alternatives --set ebtables /usr/sbin/ebtables-nft + systemctl restart ufw + when: debpkg_mode or nixpkg_mode + +- name: Create Sysstat log directory + file: + path: /var/log/sysstat + state: directory + when: debpkg_mode or nixpkg_mode + +- name: Install other useful tools + apt: + pkg: + - bwm-ng + - htop + - net-tools + - ngrep + - sysstat + - vim-tiny + update_cache: yes + when: debpkg_mode or nixpkg_mode + +- name: Install other useful tools + apt: + pkg: + - less + update_cache: yes + when: qemu_mode is defined + +- name: Configure sysstat + copy: + src: files/sysstat.sysstat + dest: /etc/sysstat/sysstat + when: debpkg_mode or nixpkg_mode + +- name: Configure default sysstat + copy: + src: files/default.sysstat + dest: /etc/default/sysstat + when: debpkg_mode or nixpkg_mode + + +- name: Adjust APT update intervals + copy: + src: files/apt_periodic + dest: /etc/apt/apt.conf.d/10periodic + when: debpkg_mode or nixpkg_mode # Find platform architecture and set as a variable -- name: set the arch as a fact - ansible.builtin.set_fact: - platform: "{{ 'arm64' if ansible_facts['architecture'] == 'aarch64' else 'amd64' }}" +- name: finding platform architecture + shell: if [ $(uname -m) = "aarch64" ]; then echo "arm64"; else echo "amd64"; fi + register: platform_output tags: - update - update-only - when: - - (debpkg_mode or nixpkg_mode or stage2_nix) - -- name: execute tasks when )debpkg_mode or nixpkg_mode) - when: - - (debpkg_mode or nixpkg_mode) - block: - - name: 
create overrides dir - ansible.builtin.file: - group: 'root' - mode: '0700' - owner: 'root' - path: '/etc/systemd/system/systemd-resolved.service.d' - state: 'directory' - - - name: Custom systemd overrides for resolved - ansible.builtin.copy: - dest: '/etc/systemd/system/systemd-resolved.service.d/override.conf' - src: 'files/systemd-resolved.conf' - - - name: System - Create services.slice - ansible.builtin.template: - dest: '/etc/systemd/system/services.slice' - src: 'files/services.slice.j2' - - - - name: System - systemd reload - ansible.builtin.systemd_service: - daemon_reload: true - - - name: Configure journald - ansible.builtin.copy: - dest: '/etc/systemd/journald.conf' - src: 'files/journald.conf' - - - name: reload systemd-journald - ansible.builtin.systemd_service: - name: 'systemd-journald' - state: 'restarted' - - - name: Configure logind - ansible.builtin.copy: - dest: '/etc/systemd/logind.conf' - src: 'files/logind.conf' - - - name: reload systemd-logind - ansible.builtin.systemd_service: - name: 'systemd-logind' - state: 'restarted' - - - name: enable timestamps for shell history - ansible.builtin.lineinfile: - create: true - group: 'root' - line: "export HISTTIMEFORMAT='%d/%m/%y %T '" - mode: '0644' - owner: 'root' - path: '/etc/profile.d/09-history-timestamps.sh' - state: 'present' - - - name: configure systemd's pager - ansible.builtin.lineinfile: - create: true - dest: '/etc/profile.d/10-systemd-pager.sh' - line: 'export SYSTEMD_LESS=FRXMK' - mode: '0644' - owner: 'root' - group: 'root' - state: 'present' - - - name: set hosts file - ansible.builtin.lineinfile: - dest: '/etc/hosts' - group: 'root' - line: "{{ localhost_item }}" - mode: '0644' - owner: 'root' - state: 'present' - loop: - - '127.0.0.1 localhost' - - '::1 localhost' - loop_control: - loop_var: 'localhost_item' - - # Set Sysctl params for restarting the OS on oom after 10 - - name: Set {{ sysctl_item['name'] }}={{ sysctl_item['value'] }} - ansible.posix.sysctl: - name: "{{ 
sysctl_item['name'] }}" - reload: true - state: 'present' - value: "{{ sysctl_item['value'] }}" - loop: - - { name: 'kernel.panic', value: 10 } - - { name: 'net.ipv4.tcp_keepalive_intvl', value: 60 } - - { name: 'net.ipv4.tcp_keepalive_time', value 1800 } - - { name: 'vm.panic_on_oom', value: 1 } - loop_control: - loop_var: 'sysctl_item' +- set_fact: + platform: "{{ platform_output.stdout }}" + tags: + - update + - update-only + when: debpkg_mode or nixpkg_mode or stage2_nix + +- name: create overrides dir + file: + state: directory + owner: root + group: root + path: /etc/systemd/system/systemd-resolved.service.d + mode: '0700' + when: debpkg_mode or nixpkg_mode + +- name: Custom systemd overrides for resolved + copy: + src: files/systemd-resolved.conf + dest: /etc/systemd/system/systemd-resolved.service.d/override.conf + when: debpkg_mode or nixpkg_mode + +- name: System - Create services.slice + template: + src: files/services.slice.j2 + dest: /etc/systemd/system/services.slice + when: debpkg_mode or nixpkg_mode + + +- name: System - systemd reload + systemd: daemon_reload=yes + when: debpkg_mode or nixpkg_mode + +- name: Configure journald + copy: + src: files/journald.conf + dest: /etc/systemd/journald.conf + when: debpkg_mode or nixpkg_mode + +- name: reload systemd-journald + systemd: + name: systemd-journald + state: restarted + when: debpkg_mode or nixpkg_mode + +- name: Configure logind + copy: + src: files/logind.conf + dest: /etc/systemd/logind.conf + when: debpkg_mode or nixpkg_mode + +- name: reload systemd-logind + systemd: + name: systemd-logind + state: restarted + when: debpkg_mode or nixpkg_mode + +- name: enable timestamps for shell history + copy: + content: | + export HISTTIMEFORMAT='%d/%m/%y %T ' + dest: /etc/profile.d/09-history-timestamps.sh + mode: 0644 + owner: root + group: root + when: debpkg_mode or nixpkg_mode + +- name: configure systemd's pager + copy: + content: | + export SYSTEMD_LESS=FRXMK + dest: 
/etc/profile.d/10-systemd-pager.sh + mode: 0644 + owner: root + group: root + when: debpkg_mode or nixpkg_mode + +- name: set hosts file + copy: + content: | + 127.0.0.1 localhost + ::1 localhost + dest: /etc/hosts + mode: 0644 + owner: root + group: root + when: debpkg_mode or stage2_nix + +#Set Sysctl params for restarting the OS on oom after 10 +- name: Set vm.panic_on_oom=1 + ansible.builtin.sysctl: + name: vm.panic_on_oom + value: '1' + state: present + reload: yes + when: debpkg_mode or nixpkg_mode + +- name: Set kernel.panic=10 + ansible.builtin.sysctl: + name: kernel.panic + value: '10' + state: present + reload: yes + when: debpkg_mode or nixpkg_mode - name: configure system ansible.posix.sysctl: - name: "{{ sysctl_item['name'] }}" - reload: true - state: 'present' - value: "{{ sysctl_item['value'] }}" - loop: - - { name: 'net.ipv4.ip_local_port_range', value: '1025 65000' } - - { name: 'net.core.somaxconn', value: 16834 } - loop_control: - loop_var: 'sysctl_item' + name: 'net.core.somaxconn' + value: 16834 +- name: configure system + ansible.posix.sysctl: + name: 'net.ipv4.ip_local_port_range' + value: '1025 65000' + +#Set Sysctl params specific to keepalives +- name: Set net.ipv4.tcp_keepalive_time=1800 + ansible.builtin.sysctl: + name: net.ipv4.tcp_keepalive_time + value: 1800 + state: present + when: debpkg_mode or nixpkg_mode +- name: Set net.ipv4.tcp_keepalive_intvl=60 + ansible.builtin.sysctl: + name: net.ipv4.tcp_keepalive_intvl + value: 60 + state: present + when: debpkg_mode or nixpkg_mode From bfb0a5dd294d814c14e129ad396edb072339a02b Mon Sep 17 00:00:00 2001 From: Douglas J Hunley Date: Fri, 26 Sep 2025 11:42:31 -0400 Subject: [PATCH 6/7] fix(finalize-ami.yml): noextraspaces -> no_extra_spaces --- ansible/tasks/finalize-ami.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/tasks/finalize-ami.yml b/ansible/tasks/finalize-ami.yml index e64d3a70e..1cc729fc0 100644 --- a/ansible/tasks/finalize-ami.yml 
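Review bot: The restored file now has two tasks named `Install other useful tools`: the `debpkg_mode or nixpkg_mode` one and the `less` task guarded by `when: qemu_mode is defined`. Duplicate task names make `--start-at-task`, `--list-tasks` and log reading ambiguous; since this commit deliberately returns the file to upstream, the only change worth making here is `- name: Install less for qemu builds` on the second task. The rest of the revert (short module names, `yes` booleans, unquoted `mode: 0644`) reintroduces what the series set out to clean up, presumably to keep the PR's scope to the other files.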
+++ b/ansible/tasks/finalize-ami.yml
@@ -77,7 +77,7 @@
   community.general.ini_file:
     group: 'root'
     mode: '0644'
-    noextraspaces: true
+    no_extra_spaces: true
     option: 'OnCalendar'
     owner: 'root'
     path: '/etc/systemd/system/logrotate.timer.d/override.conf'
From 73718527c870b7ad30b0f456fd1aeb699596604d Mon Sep 17 00:00:00 2001
From: Douglas J Hunley
Date: Fri, 26 Sep 2025 15:02:03 -0400
Subject: [PATCH 7/7] refactor(ansible): bring our ansible up to modern ansible-lint standards

---
 ansible/tasks/fix-ipv6-ndisc.yml | 45 +++++++++++++++-----------------
 1 file changed, 21 insertions(+), 24 deletions(-)

diff --git a/ansible/tasks/fix-ipv6-ndisc.yml b/ansible/tasks/fix-ipv6-ndisc.yml
index 8953fd880..1ea01bfb4 100644
--- a/ansible/tasks/fix-ipv6-ndisc.yml
+++ b/ansible/tasks/fix-ipv6-ndisc.yml
@@ -1,33 +1,30 @@ --- -- name: fix Network - systemd timer file - copy: - dest: /etc/systemd/system/systemd-networkd-check-and-fix.timer - src: "files/systemd-networkd/systemd-networkd-check-and-fix.timer" - owner: root - group: root - mode: 0644 - -- name: fix Network - systemd service file - copy: - dest: /etc/systemd/system/systemd-networkd-check-and-fix.service - src: "files/systemd-networkd/systemd-networkd-check-and-fix.service" - owner: root - group: root - mode: 0644 +- name: fix Network - systemd timer and service file + ansible.builtin.copy: + dest: "/etc/systemd/system/systemd-networkd-check-and-fix.{{ network_item }}" + group: 'root' + mode: '0644' + owner: 'root' + src: "files/systemd-networkd/systemd-networkd-check-and-fix.{{ network_item }}" + loop: + - service + - timer + loop_control: + loop_var: 'network_item' - name: fix Network - detect script - copy: - dest: /usr/local/bin/systemd-networkd-check-and-fix.sh - src: "files/systemd-networkd/systemd-networkd-check-and-fix.sh" - owner: root - group: root - mode: 0700 + ansible.builtin.copy: + dest: '/usr/local/bin/systemd-networkd-check-and-fix.sh' + src: 'files/systemd-networkd/systemd-networkd-check-and-fix.sh' + owner: 'root' + group: 'root' + mode: '0700' - name: fix Network - reload systemd - systemd: + ansible.builtin.systemd_service: daemon_reload: false - name: fix Network - ensure systemd timer is installed but disabled - systemd: - name: systemd-networkd-check-and-fix.timer + ansible.builtin.systemd_service: + name: 'systemd-networkd-check-and-fix.timer' enabled: false
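Review bot: The `fix Network - reload systemd` task keeps `daemon_reload: false`, so after the unit files are copied it is a no-op and systemd's view of `systemd-networkd-check-and-fix.timer` is not refreshed before the next task disables it; either set `daemon_reload: true` or drop the task, since a task named "reload systemd" that reloads nothing misleads whoever debugs the timer. The `daemon_reload` line is unchanged context, but the swap to `ansible.builtin.systemd_service` was the moment to correct it. The `detect script` task also keeps `owner`/`group`/`mode` after `src` while the first task in the hunk sorts its parameters alphabetically, and its loop items `service`/`timer` are unquoted where the other loops in this series quote theirs; pick one convention for the file.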