准备工作
创建roles目录
# mkdir -pv /data/apps/ansible/roles/ubuntu/{tasks,handlers,templates,vars,files}
hosts
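[ubuntu]
# ansible_port / ansible_user are the current names; ansible_ssh_port / ansible_ssh_user
# are the older aliases. ansible_port must match the Port directive sshd is actually
# listening on: 22 before the role has run, the hardened port once it has.
172.16.18.31 ansible_port=22 ansible_user=ubuntu hostname=app-01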
测试连通性
# ansible ubuntu -m ping
172.16.18.247 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python3"
},
"changed": false,
"ping": "pong"
}
创建角色相关文件
main.yaml
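---
# Task entry point of the "ubuntu" role. The files are imported statically,
# in this order, so reboot.yaml is always the last thing the role does.
# `include` is deprecated (and removed from recent ansible-core releases);
# import_tasks is its static equivalent for task files.
- ansible.builtin.import_tasks: install_software.yaml
- ansible.builtin.import_tasks: init_ubuntu.yaml
- ansible.builtin.import_tasks: configs.yaml
- ansible.builtin.import_tasks: reboot.yaml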
configs.yaml
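---
# Hardening files shipped verbatim from the role's files/ directory.
# Ownership and mode are pinned so a pre-existing, more permissive file on the
# host is not silently kept. None of these files should contain secrets.
# NOTE: sysctl.conf and the rsyslog rule are only re-read by their consumers
# (sysctl --system / rsyslog restart); with no handlers in this role they take
# effect at the reboot that reboot.yaml performs at the end of the role.
- name: 内核优化参数
  ansible.builtin.copy:
    src: sysctl.conf
    dest: /etc/sysctl.conf
    owner: root
    group: root
    mode: '0644'

- name: 设置文件限制数
  ansible.builtin.copy:
    src: limits.conf
    dest: /etc/security/limits.conf
    owner: root
    group: root
    mode: '0644'

- name: 修改rsylog记录格式
  ansible.builtin.copy:
    src: 50-default.conf
    dest: /etc/rsyslog.d/50-default.conf
    owner: root
    group: root
    mode: '0644'

- name: 设置用户密码复杂度
  ansible.builtin.copy:
    src: pwquality.conf
    dest: /etc/security/pwquality.conf
    owner: root
    group: root
    mode: '0644'

- name: 设置faillock
  ansible.builtin.copy:
    src: faillock.conf
    dest: /etc/security/faillock.conf
    owner: root
    group: root
    mode: '0644'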
init_ubuntu.yaml
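---
# Baseline OS settings: locale/time, hostname, password ageing, sshd
# hardening, pam_faillock wiring and shell audit/idle-timeout variables.
- name: 系统时间12小时转为24小时制
  ansible.builtin.lineinfile:
    path: /etc/default/locale
    # anchor on the key so an existing LC_TIME= line is replaced rather than
    # a second one appended
    regexp: '^LC_TIME='
    line: LC_TIME=en_DK.UTF-8

- name: Set timezone to Asia/Shanghai
  # Not idempotent: reports "changed" on every run. If the community.general
  # collection is available, its timezone module is the idempotent form.
  ansible.builtin.command: timedatectl set-timezone Asia/Shanghai

- name: 设置主机名称
  ansible.builtin.hostname:
    name: "{{ hostname }}"

- name: 修改密码过期时间
  ansible.builtin.lineinfile:
    path: /etc/login.defs
    regexp: '^{{ item.name }}'
    line: "{{ item.name }} {{ item.value }}"
  loop:
    - { name: PASS_MAX_DAYS, value: 90 }
    - { name: PASS_MIN_DAYS, value: 7 }
    - { name: PASS_WARN_AGE, value: 14 }

- name: 设置sshd_config
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    # Match both the stock commented-out default ("#Port 22") and an already
    # active directive. Matching only "^#Port" works on the first run but on
    # every later run finds nothing and appends a duplicate "Port" line.
    regexp: '^#?{{ item.name }}\s'
    line: "{{ item.name }} {{ item.value }}"
    # refuse the edit if the resulting file does not parse; a broken
    # sshd_config would otherwise lock us out at the reboot
    validate: '/usr/sbin/sshd -t -f %s'
  loop:
    - { name: ClientAliveInterval, value: 3600 }
    - { name: MaxAuthTries, value: 3 }
    - { name: Port, value: "{{ ssh_port | default(50202) }}" }
  # NOTE(review): sshd is not restarted here, so the new port only becomes live
  # at the final reboot; whatever reconnects afterwards (the reboot module, the
  # inventory) must use the new port. Ubuntu 22.04 also includes
  # /etc/ssh/sshd_config.d/*.conf ahead of this file, so a drop-in there
  # overrides these directives — confirm none exists on the target.

- name: 设置登录失败策略 /etc/pam.d/common-auth
  ansible.builtin.blockinfile:
    path: /etc/pam.d/common-auth
    insertbefore: "# here's the fallback if no module succeeds"
    # pam_faillock(8) documents the actions preauth / authfail / authsucc;
    # the original "authsuc" is not a documented action, so the counter reset
    # on successful login could not be relied on.
    # NOTE(review): this block lands inside the region that the file header
    # says is managed by pam-auth-update, which may rewrite it; a profile under
    # /usr/share/pam-configs/ would survive that.
    block: |
      auth [default=die] pam_faillock.so authfail
      auth sufficient pam_faillock.so authsucc

- name: 设置登录失败策略 /etc/pam.d/common-account
  ansible.builtin.lineinfile:
    path: /etc/pam.d/common-account
    insertafter: 'account required pam_permit.so'
    line: account required pam_faillock.so

- name: history fromt
  ansible.builtin.blockinfile:
    path: /etc/profile
    # Shell-side command trail plus a 1h idle timeout. `logger` writes to syslog
    # with the caller's own privileges, so this is a convenience trail, not a
    # tamper-evident one; auditd (installed by install_software.yaml) is the
    # authoritative record. A user can also unset TMOUT; add `readonly TMOUT`
    # after the export if the timeout is meant to be enforced.
    block: |
      export HISTTIMEFORMAT="[%F %T] [`whoami`] [`who -u am i | awk '{print $1,$2,$3,$4,$7}'`] [`pwd`]"
      export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; } );logger "$msg"; }'
      export TMOUT=3600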
install_software.yaml
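---
# Package baseline: bring the system current, then install time sync, the
# password-quality PAM module and the audit daemon, and make sure the two
# services run now and at boot.
- name: upgrade os software
  ansible.builtin.apt:
    # "safe" is what the old upgrade=yes meant; spelled out so the YAML
    # yes/true ambiguity cannot turn it into a boolean
    upgrade: safe
    update_cache: true
    cache_valid_time: 3600

- name: install software
  ansible.builtin.apt:
    name:
      - chrony
      - libpam-pwquality
      - auditd
    state: present

- name: start chrony service
  ansible.builtin.service:
    name: chrony
    state: started
    enabled: true

- name: start auditd service
  ansible.builtin.service:
    name: auditd
    state: started
    enabled: true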
reboot.yaml
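---
# Final step of the role. init_ubuntu.yaml moves sshd to a new Port but never
# restarts sshd, so on the first run the reboot module reconnected on the
# inventory port (22) while sshd came back on the new port — the
# "connect to host ... port 22: Connection refused" failure in the play log.
# Making the new port live and switching the connection to it before the
# reboot lets the reboot module reconnect on the right port.
- name: restart sshd so the hardened port is live before rebooting
  # restarting the unit does not drop the session Ansible is already using
  ansible.builtin.service:
    name: ssh
    state: restarted

- name: switch the connection to the hardened ssh port
  # set_fact on ansible_port applies to every later task in the play,
  # including the reconnect that the reboot module performs
  ansible.builtin.set_fact:
    ansible_port: "{{ ssh_port | default(50202) }}"

- name: reboot ubuntu22.04
  ansible.builtin.reboot:
    # seconds to wait for the host to come back before failing the task
    reboot_timeout: 100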
查看相关文件
# tree /data/apps/ansible/roles/ubuntu/
/data/apps/ansible/roles/ubuntu/
├── files
│ ├── 50-default.conf
│ ├── faillock.conf
│ ├── limits.conf
│ ├── pwquality.conf
│ └── sysctl.conf
├── handlers
├── tasks
│ ├── configs.yaml
│ ├── init_ubuntu.yaml
│ ├── install_software.yaml
│ ├── main.yaml
│ ├── reboot.yaml
│ └── upgrade_os.yaml
├── templates
└── vars
playbook调用角色
role-ubuntu.yaml
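---
# Applies the "ubuntu" role to the [ubuntu] inventory group, connecting as
# the unprivileged ubuntu user and escalating with become for every task.
- hosts: ubuntu
  remote_user: ubuntu
  # canonical YAML boolean; "yes" is a YAML 1.1 form that 1.2 parsers read as a string
  become: true
  roles:
    - ubuntu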
运行playbook
# ansible-playbook role-ubuntu.yaml
PLAY [ubuntu] ***********************************************************************************************************************************************************************************************************************************************************************************
TASK [Gathering Facts] **************************************************************************************************************************************************************************************************************************************************************************
ok: [172.16.18.31]
TASK [ubuntu : upgrade os software] *************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]
TASK [ubuntu : install chrony] ******************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]
TASK [ubuntu : 系统时间12小时转为24小时制] *****************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]
TASK [ubuntu : 设置主机名称] **************************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]
TASK [ubuntu : 修改密码过期时间] ************************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31] => (item={u'name': u'PASS_MAX_DAYS', u'value': 90})
changed: [172.16.18.31] => (item={u'name': u'PASS_MIN_DAYS', u'value': 7})
changed: [172.16.18.31] => (item={u'name': u'PASS_WARN_AGE', u'value': 14})
TASK [ubuntu : 设置登录空闲超时时间] **********************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31] => (item={u'name': u'#ClientAliveInterval', u'value': u'ClientAliveInterval 3600'})
changed: [172.16.18.31] => (item={u'name': u'#MaxAuthTries', u'value': u'MaxAuthTries 3'})
changed: [172.16.18.31] => (item={u'name': u'#Port', u'value': u'Port 32323'})
TASK [ubuntu : 设置登录失败策略 /etc/pam.d/common-auth] *************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]
TASK [ubuntu : 设置登录失败策略 /etc/pam.d/common-account] **********************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]
TASK [ubuntu : history fromt] ******************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]
TASK [ubuntu : 内核优化参数] **************************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]
TASK [ubuntu : 设置文件限制数] *************************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]
TASK [ubuntu : 修改rsylog记录格式] ********************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]
TASK [ubuntu : 设置用户密码复杂度] ***********************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]
TASK [ubuntu : 设置faillock] **********************************************************************************************************************************************************************************************************************************************************************
changed: [172.16.18.31]
TASK [reboot ubuntu22.04] ***********************************************************************************************************************************************************************************************************************************************************************
fatal: [172.16.18.31]: FAILED! => {"msg": "Failed to connect to the host via ssh: ssh: connect to host 172.16.18.31 port 22: Connection refused"}
PLAY RECAP **************************************************************************************************************************************************************************************************************************************************************************************
172.16.18.31 : ok=14 changed=1 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
更新hosts文件
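[ubuntu]
# Post-run inventory: the role changed sshd's Port directive, so ansible_port has
# to follow it or every later play fails to connect. ansible_port / ansible_user
# are the current names of the ansible_ssh_port / ansible_ssh_user aliases.
172.16.18.31 ansible_port=50202 ansible_user=ubuntu hostname=app-01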
common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok
# NOTE(review): the two pam_faillock lines below were inserted by the role
# inside the block that the header says pam-auth-update manages; per that
# header, local modules belong before or after the managed block, otherwise a
# later pam-auth-update run may drop them.
auth [default=die] pam_faillock.so authfail
# NOTE(review): pam_faillock(8) documents the success action as "authsucc";
# "authsuc" is not a documented action, so the counter reset on a successful
# login should not be relied on until this line is corrected and verified.
auth sufficient pam_faillock.so authsuc
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#
# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# NOTE(review): inserted by the role's common-account task. It sits inside the
# region the header above describes as managed by pam-auth-update, so a later
# pam-auth-update run may remove it; check that it is still present after
# package upgrades that touch PAM.
account required pam_faillock.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
代码仓库
https://github.com/wangguishe/ansible.git