From a27d981110e0912920de133839d0186c42286029 Mon Sep 17 00:00:00 2001
From: Luke Hoersten
Date: Sun, 9 Feb 2020 12:20:22 -0600
Subject: Base is rpi specific.
---
rpi-base/defaults/main.yaml | 13 ++++++++++
rpi-base/files/jail.local | 10 ++++++++
rpi-base/tasks/main.yml | 42 +++++++++++++++++++++++++++++++
rpi-base/templates/wpa_supplicant.conf.j2 | 14 +++++++++++
4 files changed, 79 insertions(+)
create mode 100644 rpi-base/defaults/main.yaml
create mode 100644 rpi-base/files/jail.local
create mode 100644 rpi-base/tasks/main.yml
create mode 100644 rpi-base/templates/wpa_supplicant.conf.j2
(limited to 'rpi-base')
diff --git a/rpi-base/defaults/main.yaml b/rpi-base/defaults/main.yaml
new file mode 100644
index 0000000..b26755a
--- /dev/null
+++ b/rpi-base/defaults/main.yaml
@@ -0,0 +1,13 @@
+---
+
+rpi_base_enable_wifi: True
+rpi_base_timezone: "America/Chicago"
+rpi_base_apt_packages:
+ - "log2ram"
+ - "fail2ban"
+ - "unattended-upgrades"
+ - "emacs-nox"
+ - "htop"
+ - "jq"
+ - "tree"
+ - "iperf3"
diff --git a/rpi-base/files/jail.local b/rpi-base/files/jail.local
new file mode 100644
index 0000000..a5cabc4
--- /dev/null
+++ b/rpi-base/files/jail.local
@@ -0,0 +1,10 @@
+[ssh]
+
+enabled = true
+port = ssh
+filter = sshd
+logpath = /var/log/auth.log
+bantime = 900
+banaction = iptables-allports
+findtime = 900
+maxretry = 3
diff --git a/rpi-base/tasks/main.yml b/rpi-base/tasks/main.yml
new file mode 100644
index 0000000..85045a5
--- /dev/null
+++ b/rpi-base/tasks/main.yml
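Review bot: The defaults file defines only three variables, while the tasks and template added in this same commit also read `wpa_networks` and `github_user`, so a run whose inventory omits either one fails with an undefined-variable error at the `setup wifi` or `authorize admin ssh keys` task. I would add `wpa_networks: []` here together with a comment such as `# github_user: required, no default - set per inventory`, because the account whose keys are authorized for the Ansible login user should never be implied by a default. As a style point, `rpi_base_enable_wifi: True` is better written `true`, the canonical YAML boolean.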
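Review bot: The jail section is named `[ssh]`, but fail2ban releases from 0.9 onward name the stock OpenSSH jail `[sshd]`, so on a buster-era install these settings most likely define a second jail rather than overriding the packaged one. It would still ban offenders because `filter`, `port` and `logpath` are spelled out, but the stock `sshd` jail keeps its own defaults and both end up watching the same log. I would rename the header to `[sshd]` and confirm the result with `fail2ban-client status` on a provisioned host.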
@@ -0,0 +1,42 @@
+---
+
+- name: turn swap off
+ become: yes
+ command: "swapoff -a"
+ changed_when: false
+
+- name: remove swap apt package
+ become: yes
+ apt: state="absent" name="dphys-swapfile"
+
+- name: add log2ram apt key
+ become: yes
+ apt_key: url="https://azlux.fr/repo.gpg.key"
+
+- name: add log2ram apt repo
+ become: yes
+ apt_repository: repo="deb http://packages.azlux.fr/debian/ buster main"
+
+- name: set timezone
+ become: yes
+ timezone: name="{{rpi_base_timezone}}"
+
+- name: setup wifi
+ become: yes
+ template: src="wpa_supplicant.conf.j2" dest="/etc/wpa_supplicant/wpa_supplicant.conf" mode="0644"
+
+- name: update apt package cache
+ become: yes
+ apt: upgrade="dist" autoremove="yes" autoclean="yes" update_cache="yes" cache_valid_time="3600"
+
+- name: install extra apt packages
+ become: yes
+ apt: name="{{rpi_base_apt_packages}}" state="latest"
+
+- name: install fail2ban config
+ become: yes
+ copy: src="jail.local" dest="/etc/fail2ban/jail.local"
+
+- name: authorize admin ssh keys
+ become: yes
+ authorized_key: user="{{ansible_user}}" key="https://github.com/{{github_user}}.keys"
diff --git a/rpi-base/templates/wpa_supplicant.conf.j2 b/rpi-base/templates/wpa_supplicant.conf.j2
new file mode 100644
index 0000000..c1312d0
--- /dev/null
+++ b/rpi-base/templates/wpa_supplicant.conf.j2
@@ -0,0 +1,14 @@
+# {{ansible_managed}}
+
+country=US
+ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
+update_config=1
+{% for network in wpa_networks %}
+
+network={
+ ssid="{{network.ssid}}"
+ psk="{{network.psk}}"
+ disabled={% if rpi_base_enable_wifi %}0{% else %}1{% endif %}
+
+}
+{% endfor %}
-- cgit v1.2.3
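Review bot: The `setup wifi` task installs `/etc/wpa_supplicant/wpa_supplicant.conf` with `mode="0644"`, and the template it renders contains each network's `psk`, so every local account on the Pi can read the Wi-Fi passphrase; `owner="root" group="root" mode="0600"` on that task closes this. The `add log2ram apt key` task trusts whatever key the URL serves at run time, and adding `id="<KEY_FINGERPRINT>"` (a placeholder, take the value from the publisher) would pin it, which matters more because the repo line itself is plain `http://`. The `install fail2ban config` task has no `notify` or restart, so a changed `jail.local` probably does not take effect until the service is next restarted.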
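Review bot: The `rpi_base_enable_wifi` switch only flips `disabled=` inside each `network={}` block, so the loop still writes every `ssid` and `psk` to disk on hosts where wifi is turned off. If keeping the credentials there is not intended, wrap the loop in `{% if rpi_base_enable_wifi %}` and `{% endif %}`, or gate the task with `when: rpi_base_enable_wifi`. Either way the `wpa_networks` values are secrets and belong in an Ansible Vault-encrypted vars file rather than plain inventory. A comment at the top of the template stating the expected shape, a list of mappings with `ssid` and `psk` keys, would document that contract.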