bitfit/ansible_etalon
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

+ rhel9, - hardening

Browse Source
This commit is contained in:
ROTTLER Tamas 2025-04-27 11:05:03 +02:00
parent f59f72cac7
commit 635d63fb33
7 changed files with 537 additions and 393 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
files/etcbackup.sh
View File

@ -1,8 +0,0 @@
#!/bin/bash
BACKUPPATH=/var/backups
BACKUPFILE=etc.`hostname`.`date +%F`.tar.gz
tar -czf $BACKUPPATH/$BACKUPFILE -C / etc
chmod 0640 $BACKUPPATH/$BACKUPFILE
find $BACKUPPATH -name "etc.*.tar.gz" -mtime +28 -delete

6
files/history.sh
View File

@ -1,6 +0,0 @@
if [ "$BASH" ] && [ "$BASH" != "/bin/sh" ]; then
export HISTSIZE=2000
export HISTFILESIZE=2000
export HISTTIMEFORMAT='%F %T '
shopt -s histappend
fi

66
files/postfix_master.cf.patch.redhat9 Normal file
View File

@ -0,0 +1,66 @@
--- master.cf.orig 2025-01-11 03:03:36.486240098 +0100
+++ master.cf 2025-01-11 03:08:16.675586910 +0100
@@ -9,7 +9,8 @@
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
-smtp inet n - n - - smtpd
+#smtp inet n - n - - smtpd
+localhost:smtp inet n - n - - smtpd
#smtp inet n - n - 1 postscreen
#smtpd pass - - n - - smtpd
#dnsblog unix - - n - 0 dnsblog
@@ -81,53 +82,3 @@
#maildrop unix - n n - - pipe
# flags=DRXhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
-# ====================================================================
-#
-# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
-#
-# Specify in cyrus.conf:
-# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
-#
-# Specify in main.cf one or more of the following:
-# mailbox_transport = lmtp:inet:localhost
-# virtual_transport = lmtp:inet:localhost
-#
-# ====================================================================
-#
-# Cyrus 2.1.5 (Amos Gouaux)
-# Also specify in main.cf: cyrus_destination_recipient_limit=1
-#
-#cyrus unix - n n - - pipe
-# flags=DRX user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
-#
-# ====================================================================
-#
-# Old example of delivery via Cyrus.
-#
-#old-cyrus unix - n n - - pipe
-# flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
-#
-# ====================================================================
-#
-# See the Postfix UUCP_README file for configuration details.
-#
-#uucp unix - n n - - pipe
-# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
-#
-# ====================================================================
-#
-# Other external delivery methods.
-#
-#ifmail unix - n n - - pipe
-# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
-#
-#bsmtp unix - n n - - pipe
-# flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
-#
-#scalemail-backend unix - n n - 2 pipe
-# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
-# ${nexthop} ${user} ${extension}
-#
-#mailman unix - n n - - pipe
-# flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
-# ${nexthop} ${user}

13
files/sysstat_minutely.patch
View File

@ -1,13 +0,0 @@
--- sysstat.ori 2017-09-18 00:57:17.685443243 +0200
+++ sysstat 2017-09-18 00:57:32.997442999 +0200
@@ -2,8 +2,8 @@
# script is located
PATH=/usr/lib/sysstat:/usr/sbin:/usr/sbin:/usr/bin:/sbin:/bin
-# Activity reports every 10 minutes everyday
-5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1
+# Activity reports
+* * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1
# Additional run at 23:59 to rotate the statistics file
59 23 * * * root command -v debian-sa1 > /dev/null && debian-sa1 60 2

340
tasks/debian.yml Normal file
View File

@ -0,0 +1,340 @@
---
##############################################################################
# debian / ubuntu
- name: apt.conf proxy
lineinfile:
dest: /etc/apt/apt.conf
regexp: '^Acquire::http::Proxy'
line: 'Acquire::http::Proxy "{{ aptproxy }}";'
create: yes
when:
- aptproxy is defined
- name: remove nano
tags: apt
apt:
name: nano
state: absent
purge: yes
- name: remove ubuntu cloud init, etc.
tags: apt
apt:
name:
- cloud-init
- cloud-guest-utils
- cloud-initramfs-dyn-netconf
- cloud-initramfs-copymods
- netplan.io
state: absent
purge: yes
when:
- ansible_distribution == "Ubuntu"
- name: disable systemd-networkd-wait-online.service on ubuntu
service:
name: systemd-networkd-wait-online.service
enabled: false
when:
- ansible_distribution == "Ubuntu"
- name: apt sources.list debian5
copy:
src: sources.list.lenny
dest: /etc/apt/sources.list
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "5"
tags: apt
- name: apt.conf allow-unauthenticated debian5
lineinfile:
dest: /etc/apt/apt.conf
line: 'APT::Get::AllowUnauthenticated "true";'
create: yes
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "5"
tags: apt
- name: apt sources.list debian6
copy:
src: sources.list.squeeze
dest: /etc/apt/sources.list
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "6"
tags: apt
- name: apt.conf check-valid-until debian6
lineinfile:
dest: /etc/apt/apt.conf
line: 'Acquire::Check-Valid-Until "0";'
create: yes
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "6"
tags: apt
- name: apt sources.list debian8
tags: apt
copy:
src: sources.list.jessie
dest: /etc/apt/sources.list
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "8"
- name: apt sources.list debian9
tags: apt
copy:
src: sources.list.stretch
dest: /etc/apt/sources.list
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "9"
- name: apt sources.list debian10
tags: apt
copy:
src: sources.list.buster
dest: /etc/apt/sources.list
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "10"
- name: apt sources.list debian11
tags: apt
copy:
src: sources.list.bullseye
dest: /etc/apt/sources.list
when:
- (ansible_distribution == "Debian" and ansible_distribution_major_version == "11")
- name: apt sources.list debian12
tags: apt
copy:
src: sources.list.bookworm
dest: /etc/apt/sources.list
when:
- (ansible_distribution == "Debian" and ansible_distribution_major_version|int() == 12)
- name: apt.conf allow unauthenticated debian8
tags: apt
lineinfile:
dest: /etc/apt/apt.conf
regexp: '^APT::Get::AllowUnauthenticated'
line: 'APT::Get::AllowUnauthenticated "1";'
create: yes
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "8"
- name: apt.conf allow expired debian8
tags: apt
lineinfile:
dest: /etc/apt/apt.conf
regexp: '^Acquire::Check-Valid-Until'
line: 'Acquire::Check-Valid-Until "0";'
create: yes
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "8"
# ha veletlenul /dev/sdb lesz a bootdisk, elhasalna a grub-pc non-interacive
# upgrade-je a kovetkezo lepesben
- name: set debconf grub-pc/install_devices to /dev/sdb if needed
tags: apt
shell: 'mount | grep -q "/dev/sdb1 .* /boot" && (echo "set grub-pc/install_devices /dev/sdb" | debconf-communicate) || true'
- name: apt update
tags: apt
apt:
update_cache: yes
- name: install packages
tags: apt
apt:
name: aptitude
state: present
- name: apt full-upgrade
tags: apt
apt:
upgrade: full
- name: reset grub-pc/install_devices if changed 4 steps earlier
tags: apt
shell: 'mount | grep -q "/dev/sdb1 .* /boot" && (echo "set grub-pc/install_devices /dev/sda" | debconf-communicate) || true'
- name: install common packages for all opsys versions
tags: apt
apt:
name:
- bind9-host
- bzip2
- curl
- file
- git
- bsd-mailx
- iotop
- libpam-systemd
- locales
- lsof
- make
- mc
- mtr-tiny
- ngrep
- openssl
- parted
- patch
- postfix
- psmisc
- pwgen
- rename
- rsync
- screen
- strace
- subversion
- sysstat
- tcpdump
- telnet
- unzip
- vim
- w3m
- xz-utils
- zip
- libfile-slurp-perl
- libjson-perl
- net-tools
- man
- ifupdown
- mosh
- python3-redis
state: present
- name: install packages for debian0-11 ubuntu20
tags: apt
apt:
name:
- ntp
- ntpdate
- mlocate
state: present
when:
- (ansible_distribution == "Debian" and ansible_distribution_major_version|int() <= 11) or
(ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() == 20)
- name: install packages for debian0-10
tags: apt
apt:
name:
- dnsutils
state: present
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version|int() <= 10
- name: install packages for debian11-99 ubuntu20-99
tags: apt
apt:
name:
- bind9-dnsutils
- rsyslog
- plocate
state: present
when:
- (ansible_distribution == "Debian" and ansible_distribution_major_version|int() >= 11) or
(ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 20)
- name: install packages for debian12-99 ubuntu22-99
tags: apt
apt:
name:
- ntpsec
- ntpsec-ntpdate
state: present
when:
- (ansible_distribution == "Debian" and ansible_distribution_major_version|int() >= 12) or
(ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 22)
- name: install packages for ubuntu22-99
tags: apt
apt:
name:
- iputils-ping
state: present
when:
- (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 22)
- name: open-vm-tools
apt:
name: open-vm-tools
state: present
purge: yes
tags:
- vmware
- apt
- name: copy pf6 package
tags: pf6
copy:
src: pf6_1_all.deb
dest: /tmp
- name: install pf6 package
tags: pf6
apt:
deb: /tmp/pf6_1_all.deb
- name: grub defaults, debian8
tags: grub
patch:
src: default_grub.patch.jessie
dest: /etc/default/grub
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "8"
- name: grub defaults, debian9-11
tags: grub
patch:
src: default_grub.patch.stretch
dest: /etc/default/grub
when:
- (ansible_distribution == "Debian" and ansible_distribution_major_version|int() >= 9 and ansible_distribution_major_version|int() < 12)
- name: grub defaults, debian12-99
tags: grub
patch:
src: default_grub.patch.bookworm
dest: /etc/default/grub
when:
- (ansible_distribution == "Debian" and ansible_distribution_major_version|int() >= 12)
- name: grub defaults, ubuntu20-99
tags: grub
lineinfile:
path: /etc/default/grub
regexp: "^GRUB_CMDLINE_LINUX="
line: 'GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"'
when:
- (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 20)
- name: update-grub
tags: grub
command: update-grub
- name: edit locale.gen
tags: locales
replace:
dest: /etc/locale.gen
regexp: '^#\s*(hu_HU|en_US)'
replace: '\1'
- name: run locale-gen
tags: locales
command: locale-gen
# vim: set tabstop=2 shiftwidth=2 expandtab smarttab:

414
tasks/main.yml
View File

@ -9,279 +9,18 @@
shell: 'mv /tmp/ /old-tmp; mkdir /tmp; mount /tmp; mv /old-tmp /tmp'
when: fstab_tmp.changed
- name: apt.conf proxy
lineinfile:
dest: /etc/apt/apt.conf
regexp: '^Acquire::http::Proxy'
line: 'Acquire::http::Proxy "{{ aptproxy }}";'
create: yes
when:
- aptproxy is defined
##############################################################################
# debian-ubuntu /redhat
- name: remove nano
tags: apt
apt:
name: nano
state: absent
purge: yes
- name: include debian/ubuntu specific
include_tasks: debian.yml
when: (ansible_distribution == "Debian" or ansible_distribution == "Ubuntu")
- name: remove ubuntu cloud init, etc.
tags: apt
apt:
name:
- cloud-init
- cloud-guest-utils
- cloud-initramfs-dyn-netconf
- cloud-initramfs-copymods
- netplan.io
state: absent
purge: yes
when:
- ansible_distribution == "Ubuntu"
- name: include redhat specific
include_tasks: redhat.yml
when: ansible_distribution == "RedHat"
- name: disable systemd-networkd-wait-online.service on ubuntu
service:
name: systemd-networkd-wait-online.service
enabled: false
when:
- ansible_distribution == "Ubuntu"
- name: apt sources.list debian5
copy:
src: sources.list.lenny
dest: /etc/apt/sources.list
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "5"
tags: apt
- name: apt.conf allow-unauthenticated debian5
lineinfile:
dest: /etc/apt/apt.conf
line: 'APT::Get::AllowUnauthenticated "true";'
create: yes
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "5"
tags: apt
- name: apt sources.list debian6
copy:
src: sources.list.squeeze
dest: /etc/apt/sources.list
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "6"
tags: apt
- name: apt.conf check-valid-until debian6
lineinfile:
dest: /etc/apt/apt.conf
line: 'Acquire::Check-Valid-Until "0";'
create: yes
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "6"
tags: apt
- name: apt sources.list debian8
tags: apt
copy:
src: sources.list.jessie
dest: /etc/apt/sources.list
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "8"
- name: apt sources.list debian9
tags: apt
copy:
src: sources.list.stretch
dest: /etc/apt/sources.list
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "9"
- name: apt sources.list debian10
tags: apt
copy:
src: sources.list.buster
dest: /etc/apt/sources.list
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "10"
- name: apt sources.list debian11
tags: apt
copy:
src: sources.list.bullseye
dest: /etc/apt/sources.list
when:
- (ansible_distribution == "Debian" and ansible_distribution_major_version == "11")
- name: apt sources.list debian12
tags: apt
copy:
src: sources.list.bookworm
dest: /etc/apt/sources.list
when:
- (ansible_distribution == "Debian" and ansible_distribution_major_version|int() == 12)
- name: apt.conf allow unauthenticated debian8
tags: apt
lineinfile:
dest: /etc/apt/apt.conf
regexp: '^APT::Get::AllowUnauthenticated'
line: 'APT::Get::AllowUnauthenticated "1";'
create: yes
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "8"
- name: apt.conf allow expired debian8
tags: apt
lineinfile:
dest: /etc/apt/apt.conf
regexp: '^Acquire::Check-Valid-Until'
line: 'Acquire::Check-Valid-Until "0";'
create: yes
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "8"
# ha veletlenul /dev/sdb lesz a bootdisk, elhasalna a grub-pc non-interacive
# upgrade-je a kovetkezo lepesben
- name: set debconf grub-pc/install_devices to /dev/sdb if needed
tags: apt
shell: 'mount | grep -q "/dev/sdb1 .* /boot" && (echo "set grub-pc/install_devices /dev/sdb" | debconf-communicate) || true'
- name: apt update
tags: apt
apt:
update_cache: yes
- name: install packages
tags: apt
apt:
name: aptitude
state: present
- name: apt full-upgrade
tags: apt
apt:
upgrade: full
- name: reset grub-pc/install_devices if changed 4 steps earlier
tags: apt
shell: 'mount | grep -q "/dev/sdb1 .* /boot" && (echo "set grub-pc/install_devices /dev/sda" | debconf-communicate) || true'
- name: install common packages for all opsys versions
tags: apt
apt:
name:
- bind9-host
- bzip2
- curl
- file
- git
- bsd-mailx
- iotop
- libpam-systemd
- locales
- lsof
- make
- mc
- mtr-tiny
- ngrep
- openssl
- parted
- patch
- postfix
- psmisc
- pwgen
- rename
- rsync
- screen
- strace
- subversion
- sysstat
- tcpdump
- telnet
- unzip
- vim
- w3m
- xz-utils
- zip
- libfile-slurp-perl
- libjson-perl
- net-tools
- man
- ifupdown
- mosh
state: present
- name: install packages for debian0-11 ubuntu20
tags: apt
apt:
name:
- ntp
- ntpdate
- mlocate
state: present
when:
- (ansible_distribution == "Debian" and ansible_distribution_major_version|int() <= 11) or
(ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() == 20)
- name: install packages for debian0-10
tags: apt
apt:
name:
- dnsutils
state: present
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version|int() <= 10
- name: install packages for debian11-99 ubuntu20-99
tags: apt
apt:
name:
- bind9-dnsutils
- rsyslog
- plocate
state: present
when:
- (ansible_distribution == "Debian" and ansible_distribution_major_version|int() >= 11) or
(ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 20)
- name: install packages for debian12-99 ubuntu22-99
tags: apt
apt:
name:
- ntpsec
- ntpsec-ntpdate
state: present
when:
- (ansible_distribution == "Debian" and ansible_distribution_major_version|int() >= 12) or
(ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 22)
- name: install packages for ubuntu22-99
tags: apt
apt:
name:
- iputils-ping
state: present
when:
- (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 22)
- name: open-vm-tools
apt:
name: open-vm-tools
state: present
purge: yes
tags:
- vmware
- apt
##############################################################################
- name: remove install user
user:
@ -294,90 +33,12 @@
path: /home/install
state: absent
- name: "remove our key from root's authorized_keys"
- name: "remove our key from root's authorized_keys (will use ansible user in future)"
authorized_key:
user: root
state: absent
key: "{{ mgmt_ssh_key }}"
- name: "disable sshd X11Forwarding"
copy:
content: "X11Forwarding no"
dest: /etc/ssh/sshd_config.d/x11forwarding.conf
- name: copy pf6 package
tags: pf6
copy:
src: pf6_1_all.deb
dest: /tmp
- name: install pf6 package
tags: pf6
apt:
deb: /tmp/pf6_1_all.deb
- name: sysstat enable
tags: sysstat
lineinfile:
dest: /etc/default/sysstat
regexp: "^ENABLED="
line: 'ENABLED="true"'
- name: sysstat every minute
tags: sysstat
patch:
src: sysstat_minutely.patch
dest: /etc/cron.d/sysstat
- name: grub defaults, debian8
tags: grub
patch:
src: default_grub.patch.jessie
dest: /etc/default/grub
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "8"
- name: grub defaults, debian9-11
tags: grub
patch:
src: default_grub.patch.stretch
dest: /etc/default/grub
when:
- (ansible_distribution == "Debian" and ansible_distribution_major_version|int() >= 9 and ansible_distribution_major_version|int() < 12)
- name: grub defaults, debian12-99
tags: grub
patch:
src: default_grub.patch.bookworm
dest: /etc/default/grub
when:
- (ansible_distribution == "Debian" and ansible_distribution_major_version|int() >= 12)
- name: grub defaults, ubuntu20-99
tags: grub
lineinfile:
path: /etc/default/grub
regexp: "^GRUB_CMDLINE_LINUX="
line: 'GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"'
when:
- (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 20)
- name: update-grub
tags: grub
command: update-grub
- name: edit locale.gen
tags: locales
replace:
dest: /etc/locale.gen
regexp: '^#\s*(hu_HU|en_US)'
replace: '\1'
- name: run locale-gen
tags: locales
command: locale-gen
- name: find ntp.conf
tags: ntp
command: "find /etc -name ntp.conf"
@ -462,6 +123,40 @@
when:
- (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 22)
- name: postfix master.cf redhat
tags: postfix
patch:
src: postfix_master.cf.patch.redhat9
dest: /etc/postfix/master.cf
when:
- ansible_distribution == "RedHat"
- name: enable postfix service on redhat
tags: postfix
systemd_service:
name: postfix
enabled: yes
when:
- ansible_distribution == "RedHat"
- name: postfix inet_protocols ipv4 (redhat)
tags: postfix
lineinfile:
dest: /etc/postfix/main.cf
regexp: '^inet_protocols\s'
line: "inet_protocols = ipv4"
when:
- ansible_distribution == "RedHat"
- name: postfix myhostname (redhat)
tags: postfix
lineinfile:
dest: /etc/postfix/main.cf
regexp: '^myhostname\s'
line: "myhostname = {{ hostname }}.{{ domain }}"
when:
- ansible_distribution == "RedHat"
- name: postfix relayhost
tags: postfix
lineinfile:
@ -515,24 +210,11 @@
mode: 0644
content: "export VTYSH_PAGER='less -F'\n"
- name: bash history
copy:
src: history.sh
dest: /etc/profile.d/history.sh
mode: 0644
- name: etcbackup
copy:
src: etcbackup.sh
dest: /usr/local/sbin/etcbackup.sh
mode: 0755
- name: etcbackup cron
- name: set vm swappiness
lineinfile:
dest: /etc/cron.d/etcbackup
regexp: "/usr/local/sbin/etcbackup.sh"
line: "50 22 * * * root /usr/local/sbin/etcbackup.sh"
dest: /etc/sysctl.d/swappiness.conf
regexp: '^vm.swappiness\s='
line: "vm.swappiness = 2"
create: yes
# vim: set tabstop=2 shiftwidth=2 expandtab smarttab:

83
tasks/redhat.yml Normal file
View File

@ -0,0 +1,83 @@
---
##############################################################################
# redhat
- name: dnf update
tags: dnf
dnf:
state: latest
update_only: yes
- name: install packages
tags: dnf
dnf:
name:
- bind-utils
- bzip2
- git
- s-nail
- iotop
- lsof
- make
- mc
- mtr
- patch
- postfix
- rsync
- strace
- sysstat
- tcpdump
- telnet
- zip
- unzip
- vim-enhanced
- perl-File-Slurp
- perl-JSON
- perl-English
- net-tools
- mlocate
- glibc-langpack-hu
- setools-console
- setroubleshoot-server
state: present
- name: subscription-manager repo change for epel install
tags: dnf
shell: "subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms"
- name: install epel-release
tags: dnf
dnf:
name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
disable_gpg_check: yes
- name: install packages, 2nd round
tags: dnf
dnf:
name:
- ntpsec
- ngrep
- pwgen
- screen
- mosh
- w3m
- prename
- python3-redis
- name: enable ntpd service
systemd_service:
name: ntpd
enabled: true
- name: remove motd.d/insights-client
file:
path: /etc/motd.d/insights-client
state: absent
- name: disable firewalld service
systemd_service:
name: firewalld
state: stopped
enabled: false
# vim: set tabstop=2 shiftwidth=2 expandtab smarttab: