blob: bfe80fa4693e8a128634ef6daf1b6d2a14d2a41c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
|
---
- name: sysctl.conf - accept RA (router advertisements)
lineinfile:
path: /etc/sysctl.conf
regexp: '^#?net.inet6.ip6.accept_rtadv'
line: "net.inet6.ip6.accept_rtadv=1"
tags: ipv6
- name: sysctl.conf - disable IPv6 forwarding
lineinfile:
path: /etc/sysctl.conf
regexp: '^#?net.inet6.ip6.forwarding'
line: "net.inet6.ip6.forwarding=0"
tags: ipv6
- name: sysctl.conf - reload
service:
name: sysctl
state: reloaded
tags: ipv6
- name: rc.conf - set static ipv6
blockinfile:
path: /etc/rc.conf
marker: "# {mark} ANSIBLE MANAGED - ipv6"
block: |
ipv6_enable="YES"
ipv6_ifconfig_vtnet0="2001:19f0:5:3166:5400:1ff:fe5d:df67 prefixlen 64"
rtsold_enable="YES"
tags: ipv6
- name: rc.conf - tune basic services
blockinfile:
path: /etc/rc.conf
marker: "# {mark} ANSIBLE MANAGED - basic"
block: |
nfs_reserved_port_only="YES"
nfs_client_enable="NO"
rpc_umntall_enable="NO"
mixer_enable="NO"
blanktime="NO"
- name: loader.conf - tune some variables
blockinfile:
path: /boot/loader.conf
marker: "# {mark} ANSIBLE MANAGED - basic"
block: |
vm.dma_reserved=16m
hw.x2apic_enable=1
hint.xhci.0.disabled=1
hint.ehci.0.disabled=1
hint.ahci.disabled=1
- name: syslog - tweak daemon flags
lineinfile:
path: /etc/rc.conf
regexp: '^#?\s*syslogd_flags'
line: 'syslogd_flags="-ss -vv"'
tags: syslog
- name: syslog - enable console log file (1/2)
lineinfile:
path: /etc/syslog.conf
regexp: '^#?\s*console.info'
line: "console.info /var/log/console.log"
tags: syslog
- name: syslog - enable console log file (2/2)
file:
path: /var/log/console.log
state: touch
mode: 0600
tags: syslog
- name: syslog - enable all log file (1/2)
lineinfile:
path: /etc/syslog.conf
regexp: '^#?\s*\*\.\*\s*/var/log/all.log'
line: "*.* /var/log/all.log"
tags: syslog
- name: syslog - enable all log file (2/2)
file:
path: /var/log/all.log
state: touch
mode: 0600
tags: syslog
- name: periodic - touch config file
file:
path: /etc/periodic.conf
state: touch
mode: 0644
- name: periodic - inline daily security status
lineinfile:
path: /etc/periodic.conf
regexp: '^#?\s*daily_status_security_inline'
line: "daily_status_security_inline=YES"
- name: csh - install /etc/csh.cshrc
copy:
src: csh.cshrc
dest: /etc/csh.cshrc
- name: pkg - disable repo auto update
lineinfile:
path: /usr/local/etc/pkg.conf
regexp: '^#?REPO_AUTOUPDATE'
line: "REPO_AUTOUPDATE = false;"
- name: pkg - update repos
command: pkg update
- name: pkg - install packages
pkgng:
name:
- tmux
- vim-console
- mosh
- rsync
- htop
state: present
- name: vim - add basic configurations
blockinfile:
path: /usr/local/etc/vim/vimrc
marker: '" {mark} ANSIBLE MANAGED - basic'
block: |
set background=dark
colorscheme desert
|
