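---
# System maintenance play: package refresh and upgrade, /tmp cleanup, a
# service restart, admin account provisioning (group, user, sudo, SSH key),
# a plain-text health report, and cron logging through rsyslog.
#
# Target assumption (from the modules used): Debian/Ubuntu hosts — packages
# are managed with apt and the rsyslog drop-in is /etc/rsyslog.d/50-default.conf.
# Every task runs as root (become: true).
- name: System Maintenance with Admin Setup (Idempotent & Secure)
  hosts: all
  become: true

  vars:
    # ==== Customizable Variables ====
    admin_user: "admin"
    admin_group: "sysadmin"
    # Pre-hashed password; replace with the output of `mkpasswd --method=SHA-512`.
    # Keep the real hash in Ansible Vault (or vaulted group_vars) rather than
    # in this file. The user module compares hashes, so a stable hash keeps
    # the account task idempotent.
    admin_password: "$6$Z1rC2h...EncryptedPassword..."
    ssh_key_path: "/home/{{ admin_user }}/.ssh/id_rsa"
    health_report_path: "/var/log/system_health_report.txt"
    cron_log_path: "/var/log/cron.log"
    default_service: "cron"

  tasks:
    # ==== PACKAGE MAINTENANCE ====
    - name: Update package repositories
      apt:
        update_cache: true
        # Skip the network round-trip while the cache is younger than an
        # hour; cache_updated is then false and the task reports "ok".
        cache_valid_time: 3600
      register: update_result
      changed_when: update_result.cache_updated
      tags: update

    - name: Upgrade security packages (dist-upgrade)
      # NOTE: `upgrade: dist` upgrades every upgradable package, not only
      # security updates, despite the task name. If only the security
      # pocket should be applied, unattended-upgrades is the narrower tool.
      apt:
        upgrade: dist
      tags: upgrade

    # ==== CLEANUP ====
    # Removes the direct, non-hidden children of /tmp — the same set the
    # former `rm -rf /tmp/*` glob matched — but through modules, so the play
    # reports "changed" only when something was actually removed and honours
    # --check. Wiping /tmp on a live host can break services that keep
    # sockets or private temp directories there; an age-based cleaner
    # (systemd-tmpfiles, tmpreaper) is the safer choice when that matters.
    - name: Collect top-level entries of /tmp
      find:
        paths: /tmp
        file_type: any
        recurse: false
      register: tmp_entries
      tags: cleanup

    - name: Clean all contents of /tmp directory
      file:
        path: "{{ item.path }}"
        state: absent
      loop: "{{ tmp_entries.files }}"
      loop_control:
        label: "{{ item.path }}"
      # Best effort, as the original `|| true` was: an entry that cannot be
      # removed (e.g. a mount point) is shown as ignored, not fatal.
      ignore_errors: true
      tags: cleanup

    - name: Ensure /tmp directory exists with correct permissions
      file:
        path: /tmp
        state: directory
        owner: root
        group: root
        mode: '1777'  # sticky bit: users may only delete their own entries
      tags: cleanup

    # ==== SERVICE MAINTENANCE ====
    - name: "Restart specific service (default: cron)"
      # `state: restarted` is not idempotent: the service is bounced on every
      # run and the task always reports "changed". Run it selectively with
      # `--tags restart`, or turn it into a handler if the restart should
      # only follow a real configuration change.
      service:
        name: "{{ default_service }}"
        state: restarted
      tags: restart

    # ==== ADMIN USER MANAGEMENT ====
    - name: Ensure admin group exists
      group:
        name: "{{ admin_group }}"
        state: present
      tags: admin

    - name: Ensure admin user exists
      user:
        name: "{{ admin_user }}"
        group: "{{ admin_group }}"  # primary group
        password: "{{ admin_password }}"
        shell: /bin/bash
        create_home: true
        state: present
      tags: admin

    - name: Grant sudo privileges to admin user (NOPASSWD)
      # NOPASSWD:ALL is passwordless root for this account: whoever holds
      # its password or SSH key gets root with no second check. Narrow it
      # to a command list, or drop NOPASSWD, where policy allows.
      copy:
        dest: "/etc/sudoers.d/{{ admin_user }}"
        # Newline-terminated: some sudo versions reject a fragment without
        # a final newline.
        content: "{{ admin_user }} ALL=(ALL) NOPASSWD:ALL\n"
        mode: '0440'
        owner: root
        group: root
        # Syntax-check before installing; a malformed sudoers.d fragment
        # otherwise breaks sudo for every account on the host.
        validate: 'visudo -cf %s'
      tags: admin

    - name: Ensure .ssh directory exists for admin
      file:
        path: "/home/{{ admin_user }}/.ssh"
        state: directory
        owner: "{{ admin_user }}"
        group: "{{ admin_group }}"
        mode: '0700'
      tags: admin

    - name: Generate SSH key pair (idempotent)
      # Creates a private key *for* the admin user on the managed host; the
      # play does not add it to any authorized_keys, so it grants no login
      # by itself. RSA 2048 is the accepted minimum today; ed25519 (or RSA
      # 4096) is the better default for new keys — changing `type` also
      # changes the conventional file name used in ssh_key_path.
      openssh_keypair:
        path: "{{ ssh_key_path }}"
        owner: "{{ admin_user }}"
        group: "{{ admin_group }}"
        mode: '0600'
        type: rsa
        size: 2048
      tags: admin

    # ==== SYSTEM REPORTING ====
    - name: Generate system health report
      # The report path is shell-quoted once, so a value containing spaces or
      # shell metacharacters cannot alter the commands. The file is written
      # by root under /var/log; the TOP section lists every user's processes.
      shell: |
        report={{ health_report_path | quote }}
        echo "===== SYSTEM HEALTH REPORT =====" > "$report"
        echo -e "\n--- TOP ---" >> "$report"
        top -b -n1 | head -n 20 >> "$report"
        echo -e "\n--- DISK USAGE ---" >> "$report"
        df -h >> "$report"
        echo -e "\n--- MEMORY ---" >> "$report"
        free -h >> "$report"
      args:
        executable: /bin/bash
      tags: report

    # ==== LOGGING CONFIGURATION ====
    - name: Enable cron logging (if not already)
      # Debian/Ubuntu layout: rewrites (or uncomments) the `cron.*` selector
      # in rsyslog's default drop-in. The regexp also matches an existing
      # uncommented rule, so the line is replaced rather than duplicated.
      # lineinfile fails if the drop-in file does not exist on the host.
      lineinfile:
        path: /etc/rsyslog.d/50-default.conf
        regexp: '^#?cron.\*'
        line: 'cron.* {{ cron_log_path }}'
      notify: Restart rsyslog
      tags: logging

  handlers:
    - name: Restart rsyslog
      service:
        name: rsyslog
        state: restarted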