mash-playbook/docs/services/system.md
2023-12-09 18:58:15 +02:00

6.7 KiB

System-related configuration

This Ansible playbook can install and configure various system-related things for you. All the sections below relate to the host OS instead of the managed containers.

swap

To enable swap management (also read more in the Swap article in the Arch Linux Wiki), add the following configuration to your vars.yml file and re-run the installation process:

########################################################################
#                                                                      #
# system                                                               #
#                                                                      #
########################################################################

system_swap_enabled: true

########################################################################
#                                                                      #
# /system                                                              #
#                                                                      #
########################################################################

A swap file will be created in /var/swap (configured using the system_swap_path variable) and enabled in your /etc/fstab file.

By default, the swap file will have 1GB size, but you can set the system_swap_size variable in megabytes, example (4gb):

system_swap_size: 4096

Warning: changing system_swap_size subsequently will not recreate the SWAP file with the new size. You will need to disable swap, re-run the playbook (to make it clean up), then enable it again with the new size.

ssh

Warning

: advanced functionality! While the default config with a few adjustments was battle tested on hundreds of servers, you should use it with caution and verify everything before you apply the changes!

To enable ssh server config and authorized/unauthorized keys management, add the following configuration to your vars.yml file and re-run the installation process:

########################################################################
#                                                                      #
# system                                                               #
#                                                                      #
########################################################################

system_security_ssh_enabled: true

system_security_ssh_port: 22

system_security_ssh_authorizedkeys_host: [] # list of authorized public keys
system_security_ssh_unauthorizedkeys_host: [] # list of unauthorized/revoked public keys

########################################################################
#                                                                      #
# /system                                                              #
#                                                                      #
########################################################################

The default configuration is good enough as-is, but we strongly suggest you to verify everything before applying any changes!, otherwise you may lock yourself out of the server.

With this configuration, the default /etc/ssh/sshd_config file on your server will be replaced by a new one, managed by the ssh role (see its templates/etc/ssh/sshd_config.j2 file).

There are various configuration options - check the defaults and adjust them to your needs.

cleanup

Playbook may perform some housekeeping automatically, cleaning up unused docker resources, logs, even kernels (debian-only) and packages (debian-only). Here is how to enable different housekeeping tasks that will run on setup-all, setup-cleanup, install-cleanup:

########################################################################
#                                                                      #
# system                                                               #
#                                                                      #
########################################################################

# runs `docker system prune -a -f --volumes` to remove unused images and containers
system_cleanup_docker: true

# configures a systemd unit (and timer) that runs `journalctl --vacuum-time=7d` daily, you can control schedules using system_cleanup_logs_* vars
system_cleanup_logs: true

# list of arbitrary absolute paths to remove on each invocation
system_cleanup_paths: []

# The following options are Debian only, will have no effect on any other distro family

# runs safe-upgrade, apt autoclean, aptautoremove, etc.
system_cleanup_apt: true

# WARNING: very dangerous! Purges old linux kernels, and their modules
system_cleanup_kernels: false

########################################################################
#                                                                      #
# /system                                                              #
#                                                                      #
########################################################################

fail2ban

To enable fail2ban installation, management and integration with SSHd, add the following configuration to your vars.yml file and re-run the installation process:

########################################################################
#                                                                      #
# system                                                               #
#                                                                      #
########################################################################

system_security_fail2ban_enabled: true

system_security_fail2ban_sshd_port: 22
# If you enabled playbook-managed ssh as described above,
# you can replace the line above with the following:
# system_security_fail2ban_sshd_port: "{{ system_security_ssh_port }}"

########################################################################
#                                                                      #
# /system                                                              #
#                                                                      #
########################################################################