diff options
Diffstat (limited to 'roles')
-rw-r--r-- | roles/common/tasks/main.yml | 2 | ||||
-rw-r--r-- | roles/common/templates/etc/apt/preferences.j2 | 2 | ||||
-rw-r--r-- | roles/common/templates/etc/apt/sources.list.j2 | 4 |
3 files changed, 4 insertions, 4 deletions
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index df609d3..470a6b2 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -1,27 +1,27 @@ --- - include: sysctl.yml tags=sysctl - include: hosts.yml - include: apt.yml tags=apt - name: Install intel-microcode apt: pkg=intel-microcode - when: "ansible_processor[0] | search('^Intel.*') and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')" + when: "ansible_processor[0] | search('^(Genuine)?Intel.*') and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')" tags: intel - include: firewall.yml tags=firewall,iptables - include: samhain.yml tags=samhain - include: auditd.yml tags=auditd - include: rkhunter.yml tags=rkhunter - include: clamav.yml tags=clamav - include: fail2ban.yml tags=fail2ban - include: smart.yml tags=smartmontools,smart when: "not ((ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen') or ansible_system_vendor == 'QEMU')" - include: haveged.yml tags=haveged,entropy - name: Copy genkeypair.sh and gendhparam.sh copy: src=usr/local/bin/{{ item }} dest=/usr/local/bin/{{ item }} owner=root group=root mode=0755 tags: genkey with_items: - genkeypair.sh - gendhparam.sh - name: Generate DH parameters diff --git a/roles/common/templates/etc/apt/preferences.j2 b/roles/common/templates/etc/apt/preferences.j2 index 7774cba..ba10834 100644 --- a/roles/common/templates/etc/apt/preferences.j2 +++ b/roles/common/templates/etc/apt/preferences.j2 @@ -2,37 +2,37 @@ # Do NOT edit this file directly! # Install updates as soon as they're available Package: * Pin: release a={{ ansible_lsb.codename }}-updates Pin-Priority: 990 {% if 'backports' in group_names -%} # Automatically packages from backports (those manually installed) Package: * Pin: release a={{ ansible_lsb.codename }}-backports Pin-Priority: 200 {% endif %} {% if 'non-free' in group_names -%} # Automatically upgrade non-free firmwares (when manually installed) Package: firmware-linux-nonfree Pin-Priority: 200 {% endif %} -{% if ansible_processor[0] | search('^Intel.*') and +{% if ansible_processor[0] | search('^(Genuine)?Intel.*') and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen') -%} # Automatically upgrade the microcode (when manually installed) Package: intel-microcode iucode-tool Pin: version * Pin-Priority: 200 {% endif %} # Never, ever install things from contrib or non-free unless they have been # whitelisted above Package: * Pin: release c=contrib Pin-Priority: -1 Package: * Pin: release c=non-free Pin-Priority: -1 diff --git a/roles/common/templates/etc/apt/sources.list.j2 b/roles/common/templates/etc/apt/sources.list.j2 index ee4f20d..5788ade 100644 --- a/roles/common/templates/etc/apt/sources.list.j2 +++ b/roles/common/templates/etc/apt/sources.list.j2 @@ -1,13 +1,13 @@ # {{ ansible_managed }} # Do NOT edit this file directly! # vim: set filetype=debsources : -deb http://ftp.se.debian.org/debian/ {{ ansible_lsb.codename }} main{% if 'non-free' in group_names or (ansible_processor[0] | search("^Intel.*") and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')) %} contrib non-free{% endif %} +deb http://ftp.se.debian.org/debian/ {{ ansible_lsb.codename }} main{% if 'non-free' in group_names or (ansible_processor[0] | search("^(Genuine)?Intel.*") and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')) %} contrib non-free{% endif %} -deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main{% if 'non-free' in group_names or (ansible_processor[0] | search("^Intel.*") and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')) %} contrib non-free{% endif %} +deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main{% if 'non-free' in group_names or (ansible_processor[0] | search("^(Genuine)?Intel.*") and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')) %} contrib non-free{% endif %} deb http://ftp.se.debian.org/debian/ {{ ansible_lsb.codename }}-updates main {% if 'backports' in group_names -%} deb http://ftp.debian.org/debian/ {{ ansible_lsb.codename }}-backports main {% endif %} |