Set of Ansible tasks to configure Gentoo-based workstations.
Intentionally, none of the roles install packages; a role fails if the binaries it needs are not present.
To apply the defaults one can run the `localhost.yml` script:

```sh
python2 $(command -v virtualenv) venv
. venv/bin/activate
pip install -r requirements.txt
./default.yml
```
Secrets handling via a separate repository is supported by the `apply` script. Check its header comments for more information.
- Disables the DNS proxy. I prefer to use dnsmasq.
- Disables the NTP client. I prefer to use chrony.
- Disables hostname changes via DHCP.
- Disables timezone updates. It uses DBus, and nothing here listens for timezone changes. ¯\_(ツ)_/¯
- Allows the `wheel` group to use `connmanctl` and, in general, to talk to connman via DBus.
- Ensures `/var/run/connman` exists; opentmpfiles creates it, but unless triggered (e.g. by a reboot) it won't.
- Installs a `dnsmasq.conf` that either uses connman's `/var/run/connman/resolv.conf` or talks directly to the Google, OpenDNS or Cloudflare public resolvers, depending on `upstream` being set to `connman`, `google`, `opendns` or `cloudflare`.
- Sets `/etc/resolv.conf` to `nameserver 127.0.0.1` and applies the immutable bit to the file, so DHCP clients and other tools cannot rewrite it (remember to `chattr -i` before editing it by hand).
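The following is an added example, not the repository's own template: a POSIX sh function that renders a `dnsmasq.conf` for each of the four `upstream` values described above, plus a check that `/etc/resolv.conf` really points only at the local cache. The resolver addresses are each provider's public ones; the option names are real dnsmasq directives, but everything beyond binding to loopback and switching on `upstream` (for example `domain-needed`, `bogus-priv`, the cache size) is this example's own choice of hardening.

```sh
#!/bin/sh
# Added example: render dnsmasq.conf for a given `upstream` value.
# Directives other than listen-address/bind-interfaces and the per-upstream
# server lines are assumed hardening, not taken from the role.
render_dnsmasq_conf() {
    upstream="$1"
    # Listen on loopback only and bind to it explicitly, so the cache is
    # never reachable from the network and cannot act as an open resolver.
    printf '%s\n' \
        'listen-address=127.0.0.1' \
        'bind-interfaces' \
        'domain-needed' \
        'bogus-priv' \
        'cache-size=1000'
    case "$upstream" in
        connman)
            # Follow whatever connman learnt from DHCP or a VPN.
            printf 'resolv-file=/var/run/connman/resolv.conf\n'
            ;;
        google)
            # no-resolv: ignore /etc/resolv.conf (which points back at us).
            printf 'no-resolv\nserver=8.8.8.8\nserver=8.8.4.4\n'
            ;;
        opendns)
            printf 'no-resolv\nserver=208.67.222.222\nserver=208.67.220.220\n'
            ;;
        cloudflare)
            printf 'no-resolv\nserver=1.1.1.1\nserver=1.0.0.1\n'
            ;;
        *)
            echo "unknown upstream: $upstream" >&2
            return 1
            ;;
    esac
}

# Verify that a resolv.conf (default /etc/resolv.conf) names 127.0.0.1 and
# nothing else; any other nameserver means some tool rewrote the file.
check_resolv_conf() {
    file="${1:-/etc/resolv.conf}"
    grep -qE '^[[:space:]]*nameserver[[:space:]]+127\.0\.0\.1[[:space:]]*$' "$file" || return 1
    if grep -E '^[[:space:]]*nameserver' "$file" \
        | grep -qvE '^[[:space:]]*nameserver[[:space:]]+127\.0\.0\.1[[:space:]]*$'; then
        return 1
    fi
    return 0
}
```

Run `render_dnsmasq_conf google > /etc/dnsmasq.conf` (or the value of your `upstream`) and `check_resolv_conf` after applying the role; `lsattr /etc/resolv.conf` should additionally show the `i` flag that keeps the file from being rewritten.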
- Allows root login with key-only authentication.
- Disables password login altogether when `no_password_login` is set to `True`.
- Changes the default port if `sshd_port` is set.
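Added example, not part of this repository: a POSIX sh check that the running sshd actually ends up with the settings above. It consumes `sshd -T` output (defaults and Match blocks already resolved, one lower-case `keyword value` per line) saved to a file, so it can be run offline against a captured dump. The argument names, the accepted older `without-password` spelling and the extra keyboard-interactive check are this example's own assumptions.

```sh
#!/bin/sh
# Added example: compare an `sshd -T` dump with the role's intent.
# Usage: check_sshd_config <dump-file> <expected-port> <no_password_login true|false>
check_sshd_config() {
    dump="$1"; want_port="${2:-22}"; no_password_login="${3:-false}"
    rc=0

    # Root may log in with keys only: "prohibit-password" (or its older
    # spelling "without-password"); "yes" would allow root passwords.
    root=$(awk '$1 == "permitrootlogin" {print $2}' "$dump")
    case "$root" in
        prohibit-password|without-password) ;;
        *) echo "PermitRootLogin is '$root', want prohibit-password" >&2; rc=1 ;;
    esac

    port=$(awk '$1 == "port" {print $2}' "$dump")
    [ "$port" = "$want_port" ] || { echo "Port is '$port', want $want_port" >&2; rc=1; }

    if [ "$no_password_login" = "true" ]; then
        val=$(awk '$1 == "passwordauthentication" {print $2}' "$dump")
        [ "$val" = "no" ] || { echo "PasswordAuthentication is '$val', want no" >&2; rc=1; }
        # Keyboard-interactive (PAM) can still prompt for a password. The
        # keyword was renamed across OpenSSH releases, so accept either
        # spelling and only complain about the one the dump contains.
        for kw in challengeresponseauthentication kbdinteractiveauthentication; do
            val=$(awk -v k="$kw" '$1 == k {print $2}' "$dump")
            [ -n "$val" ] && [ "$val" != "no" ] && { echo "$kw is '$val', want no" >&2; rc=1; }
        done
    fi
    return $rc
}
```

Typical use on the target host: `sshd -T > /tmp/sshd.dump && check_sshd_config /tmp/sshd.dump 2222 true`; a non-zero exit together with the messages on stderr tells you which setting the role did not end up enforcing.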
Groups created for grsecurity's GID-based restrictions, with their GIDs:

| Group | GID |
|---|---|
| `view_proc` | 50001 |
| `with_symlinksifownermatch` | 50002 |
| `with_audit` | 50003 |
| `without_tpe` | 50004 |
| `deny_client_socket` | 50006 |
| `deny_server_socket` | 50006 |
Create a user with the name taken from `user` and the group from `group`. Optionally takes an `additional_groups` parameter with colon-separated additional groups.
Set the hostname to the `hostname` variable.
Set the timezone to the `timezone` variable.
Set English UTF-8 locales with an ISO-ish date format and coreutils' `long-iso` time style.
Enable unscd as the DNS cache.
Install a script, executed every hour by cron, that cleans `/tmp`, `/var/tmp` and users' temporary directories. Users can exclude themselves by creating a `.skip-cleaning` file in `$HOME/tmp`. Files and directories with mtime >= 24h are removed from the temporary directories. Some excludes are built into the script so as not to break Xorg etc.

Requires:

- `bash` in version 4
- `chpst` from busybox
- `tmpreaper`
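Added example, not the repository's cron script (which relies on tmpreaper): the same cleaning policy spelled out with find(1) so that the rules, and the pitfalls of deleting under a world-writable directory, are visible. The exclude list (X11/ICE/font sockets and `.X*-lock` files) is an assumption standing in for the script's "don't break Xorg" excludes, and the `$HOME/tmp` layout is taken from the description above.

```sh
#!/bin/sh
# Added example: remove entries older than `age_min` minutes (default 24h)
# from one temporary directory, honouring the .skip-cleaning opt-out.
clean_tmp_dir() {
    dir="$1"; age_min="${2:-1440}"
    [ -d "$dir" ] || return 0
    # Opt-out marker: a user drops this file into $HOME/tmp to be left alone.
    [ -e "$dir/.skip-cleaning" ] && return 0
    # -xdev keeps the walk on one filesystem, so a bind mount or a mounted
    # image inside tmp is not emptied. find does not follow symlinks, and
    # -delete unlinks the link itself, so a planted link cannot redirect the
    # deletion outside the tree. Directories are removed only once empty,
    # which -delete's implied depth-first order makes happen in one pass.
    # Note: $dir must not contain glob characters (it is used in -path).
    find "$dir" -xdev -mindepth 1 \
        ! -path "$dir/.X11-unix" ! -path "$dir/.X11-unix/*" \
        ! -path "$dir/.ICE-unix" ! -path "$dir/.ICE-unix/*" \
        ! -path "$dir/.font-unix" ! -path "$dir/.font-unix/*" \
        ! -name '.X*-lock' ! -name .skip-cleaning \
        -mmin +"$age_min" \( ! -type d -o -empty \) -delete
}

# What the hourly cron job would call: system tmp dirs plus every regular
# user's $HOME/tmp (UIDs >= 1000 assumed to be regular users).
clean_all_tmp() {
    clean_tmp_dir /tmp
    clean_tmp_dir /var/tmp
    getent passwd | awk -F: '$3 >= 1000 {print $6}' | while read -r home; do
        clean_tmp_dir "$home/tmp"
    done
}
```

`-mmin +1440` selects entries whose modification time is more than 24 hours in the past; a directory that was only emptied by this run is removed as well, because the depth-first pass tests `-empty` after its children are gone.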
Disable 'power saving' for wireless network interfaces. Useful for hosts whose WAN link is wireless, to keep inbound SSH connections from being laggy.
Takes users from the `users` list and deploys the configuration files from the `deploy` list for them.
Set pam_limits' configuration: max per-user processes to `4096` and max per-user file descriptors to `4096`.
Upon login, create `~/tmp` and set `$TMP` and `$TMPDIR` to point to that directory.
Login shells get a umask of `077`.
Set dispatch-conf to use colordiff.
Append `--noclear` to agetty so ttys are not cleared at startup.
Tune dirty (background) bytes, swappiness and vfs pressure.
Common `package.mask` entries.
Make glibc's resolver prefer A entries over AAAA.